latticesql 3.0.0 → 3.1.0

package/dist/index.d.cts

@@ -1731,6 +1731,89 @@ declare function openUnderSource(ciphertext: string, sourceId: string, store: So
  */
 declare function shredSource(sourceId: string, store: SourceKeyStore): void;
 
+/**
+ * Progress reporting for the render engine.
+ *
+ * A render walks every table and every per-entity context file; for a large
+ * database this can take a while. These types let a caller observe progress
+ * (per-table %, which table is in flight) and cancel a render in progress via
+ * an `AbortSignal`. All of it is optional: a render with no `onProgress` and no
+ * `signal` behaves exactly as it did before — zero overhead, identical output.
+ */
+/** The kind of progress event the render engine emits. */
+type RenderProgressKind = 'table-start' | 'table-progress' | 'table-done' | 'done' | 'error';
+/**
+ * A single progress event. Fields beyond `kind` describe the table currently
+ * being rendered (`table`, `tableIndex`, `tableCount`) and how far along it is
+ * (`entitiesRendered`, `entitiesTotal`, `pct`). `durationMs` is set on the
+ * terminal `done` event; `message` carries human-readable detail (e.g. the
+ * error text on an `error` event).
+ */
+interface RenderProgress {
+    /** Discriminator: what stage of the render this event reports. */
+    kind: RenderProgressKind;
+    /** The table being rendered, or null for non-table events (`done`/`error`). */
+    table: string | null;
+    /** Entities rendered so far within `table` (per-table running count). */
+    entitiesRendered: number;
+    /** Total entities in `table` — the denominator for the per-table %. */
+    entitiesTotal: number;
+    /** Zero-based index of `table` among the entity-context tables. */
+    tableIndex: number;
+    /** Total number of entity-context tables in this render. */
+    tableCount: number;
+    /** Per-table completion percentage, 0–100, exact (`rendered/total`). */
+    pct: number;
+    /** Wall-clock duration of the whole render, set on the `done` event. */
+    durationMs?: number;
+    /** Human-readable detail; the error text on an `error` event. */
+    message?: string;
+}
+/** Sink the render engine pushes {@link RenderProgress} events into. */
+type RenderProgressCallback = (event: RenderProgress) => void;
+/**
+ * Optional knobs for a render. Both are opt-in:
+ * - `onProgress` — observe per-table render progress.
+ * - `signal` — cancel a render in flight; the engine bails between entities and
+ *   returns the partial manifest (which the caller is expected to discard).
+ */
+interface RenderOptions {
+    onProgress?: RenderProgressCallback;
+    signal?: AbortSignal;
+}
+/**
+ * Coalesces high-frequency `table-progress` events down to ≤ ~5/sec per table,
+ * while always passing through the lifecycle events (`table-start`,
+ * `table-done`, `done`, `error`) immediately.
+ *
+ * A render over a 6,760-row table would otherwise emit thousands of
+ * `table-progress` events; this caps it at a few dozen. The throttle lives in
+ * the engine so every consumer benefits and no per-entity object crosses the
+ * progress boundary more than ~5×/sec.
+ *
+ * The 200 ms window is reset on every `table-start` (via {@link force}), so each
+ * table gets its own fresh budget and the first progress tick of a new table is
+ * not suppressed by the previous table's last tick.
+ */
+declare class ProgressThrottle {
+    private readonly cb;
+    private readonly windowMs;
+    private lastEmit;
+    constructor(cb: RenderProgressCallback | undefined, windowMs?: number);
+    /**
+     * Emit a `table-progress` event, but only if the window since the last
+     * passthrough has elapsed. Dropped events are simply not delivered — the next
+     * one that survives carries the latest running count.
+     */
+    tick(event: RenderProgress): void;
+    /**
+     * Emit a lifecycle event immediately and reset the throttle window. Use for
+     * `table-start`, `table-done`, `done`, and `error` — none of which should
+     * ever be dropped. Resetting on `table-start` gives each table a clean budget.
+     */
+    force(event: RenderProgress): void;
+}
+
 /**
  * Initialise Lattice from a YAML config file instead of an explicit path.
  *
@@ -1994,6 +2077,34 @@ declare class Lattice {
      */
     private _assertIdent;
     insert(table: string, row: Row, provenance?: ChangeProvenance): Promise<string>;
+    /**
+     * Insert a row while atomically forcing its cloud row-visibility, regardless of
+     * the table's `default_row_visibility`. The per-table insert trigger reads a
+     * transaction-local GUC (`lattice.force_row_visibility`); we set it and run the
+     * INSERT inside a single transaction, so the row is stamped at `visibility` the
+     * instant it exists — it is never momentarily visible at the table default, and
+     * the change-feed `NOTIFY` (delivered only at COMMIT) fires when the row already
+     * carries this visibility. This closes the create-then-demote window that a
+     * plain `insert()` + `setRowVisibility()` would leave open.
+     *
+     * Postgres-only: SQLite is single-user (no cross-viewer leak) and has no trigger
+     * to read the GUC, so it degrades to a plain {@link insert}. A `never_share`
+     * table still wins — its rows are forced private even if `visibility` is
+     * `'everyone'` (the trigger enforces that precedence).
+     *
+     * @since 3.1.0
+     */
+    insertForcingVisibility(table: string, row: Row, visibility: 'private' | 'everyone', provenance?: ChangeProvenance): Promise<string>;
+    /**
+     * Build the INSERT statement + canonical pk for a row (sanitize → schema-filter →
+     * auto-pk → encrypt). Shared by {@link insert} and {@link insertForcingVisibility}
+     * so both produce byte-identical writes; the latter only differs in running it
+     * inside a GUC-scoped transaction.
+     */
+    private _prepareInsert;
+    /** Post-insert side effects (changelog, audit, write hooks, embedding sync),
+     *  identical for the plain and force-visibility insert paths. */
+    private _afterInsert;
     /**
      * Insert a row and return the full inserted row (including auto-generated
      * fields and defaults). Equivalent to `insert()` followed by `get()`.
@@ -2120,7 +2231,22 @@ declare class Lattice {
     search(table: string, query: string, opts?: SearchOptions): Promise<SearchResult[]>;
     query(table: string, opts?: QueryOptions): Promise<Row[]>;
     count(table: string, opts?: CountOptions): Promise<number>;
-    render(outputDir: string): Promise<RenderResult>;
+    render(outputDir: string, opts?: RenderOptions): Promise<RenderResult>;
+    /**
+     * Render into `outputDir` through the shared single-flight guard, intended to
+     * be called fire-and-forget (e.g. the GUI's instant-open background render).
+     *
+     * The guard ({@link _renderGuarded}) holds {@link _autoRenderInFlight} for the
+     * render's duration, so a data mutation that lands while this render is in
+     * flight is deferred by {@link _runAutoRender} and coalesced — when this
+     * render settles, `finally` clears the flag and re-arms exactly one follow-up
+     * render via {@link _rearmAutoRenderIfPending}. Net invariant: at most one
+     * render to a given dir at a time.
+     *
+     * Errors propagate to the caller (the GUI surfaces them, never silently swallowed); they are
+     * not swallowed here.
+     */
+    renderInBackground(outputDir: string, opts?: RenderOptions): Promise<RenderResult>;
     sync(outputDir: string): Promise<SyncResult>;
     /**
      * Recover rows from rendered files into empty database tables.
@@ -2236,6 +2362,17 @@ declare class Lattice {
     /** Turn off automatic rendering and cancel any pending render. */
     disableAutoRender(): this;
     private _scheduleAutoRender;
+    /**
+     * Shared single-flight render path used by {@link renderInBackground}.
+     *
+     * Holds {@link _autoRenderInFlight} for the render's duration so the
+     * mutation-driven {@link _runAutoRender} defers while this render runs (it
+     * sees the flag and marks itself pending instead of starting a second,
+     * overlapping render). On settle, `finally` clears the flag and re-arms a
+     * single coalesced follow-up render if any mutation arrived mid-flight.
+     * Errors propagate to the caller; the flag is always cleared.
+     */
+    private _renderGuarded;
     private _runAutoRender;
     private _rearmAutoRenderIfPending;
     /**
@@ -3904,10 +4041,10 @@ declare function isPostgresUrl(url: string): boolean;
  * `CREATE OR REPLACE FUNCTION`). Multi-statement — Postgres-only, so it never hits
  * the single-statement SQLite migration path.
  *
- * NOTE (follow-up): the `SECURITY DEFINER` helpers below should pin `search_path`
- * to the cloud schema to fully close the definer-search_path class of issue. Today
- * members are `NOSUPERUSER` without CREATE on the schema, so they cannot plant a
- * shadowing object; the pin is hardening, tracked for the schema-awareness pass.
+ * Every `SECURITY DEFINER` helper below gets `search_path` pinned at install time
+ * via {@link pinDefinerSearchPath} (see its doc for the threat it closes). The pin
+ * is applied in {@link installCloudRls}, not baked into the literal here, because
+ * the cloud's schema name is only known at runtime (`current_schema()`).
  */
 /**
  * Group role every cloud member inherits. Table privileges are granted to the
@@ -3923,14 +4060,31 @@ declare function installCloudRls(db: Lattice): Promise<void>;
  * only what they're allowed to: a DERIVED observation only when it can reach
  * EVERY source it was derived from (so a hidden enrichment never reaches the
  * member — existence-hiding is structural), and a ground-truth / audit entry
- * only for a row that is itself visible to the member. Both predicates route
- * through the `session_user`-keyed SECURITY DEFINER helpers, so they bind to the
- * real member. `FORCE ROW LEVEL SECURITY` applies the policy even to the table
- * owner. No-op on SQLite (single-user; no cross-viewer leak to guard). Run after
- * the change-log table exists (`Lattice.ensureObservationSubstrate`).
+ * only when the member OWNS the row it records. Both predicates route through the
+ * `session_user`-keyed SECURITY DEFINER helpers, so they bind to the real member.
+ * `FORCE ROW LEVEL SECURITY` applies the policy even to the table owner. No-op on
+ * SQLite (single-user; no cross-viewer leak to guard). Run after the change-log
+ * table exists (`Lattice.ensureObservationSubstrate`).
+ *
+ * Ground-truth entries are OWNER-ONLY (v2), not merely "row is visible". A
+ * changelog row carries the full `changes`/`previous` JSON of the underlying row —
+ * EVERY column in cleartext, including ones the `<table>_v` mask hides from a
+ * non-owner (an `owner`-audience secret column, a role-gated column). If a member
+ * who was merely granted the row could read its history, those masked columns
+ * would leak in cleartext, bypassing column masking. The row's full mutation
+ * history is an owner/audit artifact; a non-owner sees the row only through the
+ * masked view, never its raw history. (The derived-observation branch is the
+ * per-viewer enrichment path and is unaffected — it carries enrichment, not the
+ * base row's masked columns.)
  */
 declare function enableChangelogRls(db: Lattice): Promise<void>;
-/** Enable RLS on one shared table. No-op on SQLite. Idempotent via a per-table version key. */
+/**
+ * Enable RLS on one shared table. No-op on SQLite. Idempotent via a per-table
+ * version key. v3 bumps the key so existing clouds re-install the policy-aware
+ * insert trigger (which now stamps the per-table `default_row_visibility` / forces
+ * private under `never_share`) and pick up the `search_path` pin on the trigger
+ * function — neither of which a v2-stamped clone would otherwise get.
+ */
 declare function enableRlsForTable(db: Lattice, table: string, pkCols: readonly string[]): Promise<void>;
 /**
  * Stamp the current role as owner of every row that already exists in a table —
@@ -4008,6 +4162,11 @@ interface DiscoveredTable {
  */
 declare function discoverCloudTables(db: Lattice): Promise<DiscoveredTable[]>;
 
+/** Row context the `owner` clause needs (the table literal + pk SQL expression). */
+interface AudienceRowCtx {
+    tableLit: string;
+    pkExpr: string;
+}
 /** True when this audience means "no mask" (visible to whoever can see the row). */
 declare function isRowAudience(audience: string | undefined): boolean;
 /**
@@ -4015,7 +4174,7 @@ declare function isRowAudience(audience: string | undefined): boolean;
  * functions. Returns `'true'` for the row-audience / everyone case. Throws on an
  * unknown or malformed clause.
  */
-declare function audiencePredicate(audience: string): string;
+declare function audiencePredicate(audience: string, ctx?: AudienceRowCtx): string;
 /** Whether a table needs a masking view at all (any column has a real audience). */
 declare function tableNeedsAudienceView(columnAudience: Record<string, string>): boolean;
 /**
@@ -4047,6 +4206,54 @@ declare function audienceViewSql(table: string, columns: readonly string[], pkCo
  * visibility helper and revokes the base SELECT that enableRlsForTable granted).
  */
 declare function enableAudienceView(db: Lattice, table: string, columns: readonly string[], pkCols: readonly string[], columnAudience: Record<string, string>): Promise<void>;
+/** Read a table's canonical column->audience map from __lattice_column_policy. */
+declare function loadColumnPolicy(db: Lattice, table: string): Promise<Record<string, string>>;
+/** Seed a table's YAML-declared audiences into __lattice_column_policy — ONE TIME
+ *  per table, the migration from the legacy on-disk spec to the DB-canonical store.
+ *  A marker in __lattice_migrations gates it: after the first run we never seed from
+ *  YAML again, because a later secureCloud would otherwise re-insert a policy row
+ *  for a column the owner has since CLEARED through the DB (a cleared column has no
+ *  row, so ON CONFLICT DO NOTHING would NOT protect it) — silently re-masking a
+ *  column the owner deliberately un-masked. Once seeded, the DB is canonical and
+ *  the only path to change a column's audience is setColumnAudience. */
+declare function seedColumnPolicyFromYaml(db: Lattice, table: string, yamlAudience: Record<string, string>): Promise<void>;
+/** Regenerate a table's cell-masking view FROM the DB column-policy (not YAML). If
+ *  the table now has no audience columns, drop the view and restore base SELECT to
+ *  members; otherwise (re)create the masked view and revoke base SELECT. Runs the
+ *  DDL directly (not via db.migrate) so it always reflects the current spec. */
+declare function regenerateAudienceViewFromDb(db: Lattice, table: string, columns: readonly string[], pkCols: readonly string[]): Promise<void>;
+/** Owner-only: set (or clear, with an empty spec) a column's audience in the DB and
+ *  regenerate the table's mask view from the DB. The owner gate is enforced inside
+ *  lattice_set_column_audience (raises for a non-owner). */
+declare function setColumnAudience(db: Lattice, table: string, column: string, audience: string, columns: readonly string[], pkCols: readonly string[]): Promise<void>;
+
+/**
+ * Per-table cloud policy (owner-controlled, Postgres-stored + enforced):
+ *  - `defaultRowVisibility` — the visibility NEW rows in this table are stamped
+ *    with (the per-table insert trigger reads `__lattice_table_policy`); default
+ *    `private` ⇒ unchanged behavior.
+ *  - `neverShare` — a hard exclusion (Secrets/Messages-class): the share/grant
+ *    SECURITY DEFINER functions raise for the table and the trigger forces its rows
+ *    private. Set at the data-model level, so a direct `psql` connection obeys it.
+ *
+ * These are thin wrappers over the owner-gated SQL functions in the RLS bootstrap
+ * (`lattice_set_table_default_visibility` / `lattice_set_table_never_share`), which
+ * raise unless the caller can create roles. No-op / safe defaults on SQLite.
+ */
+type RowVisibilityDefault = 'private' | 'everyone';
+interface TablePolicy {
+    defaultRowVisibility: RowVisibilityDefault;
+    neverShare: boolean;
+}
+/** Read a table's policy. Returns the safe default (private, shareable) on SQLite
+ *  or when no policy row exists. */
+declare function getTablePolicy(db: Lattice, table: string): Promise<TablePolicy>;
+/** Owner-only: set the visibility NEW rows in `table` are created with. Raises (via
+ *  the SQL function) for a non-owner or for `everyone` on a never-share table. */
+declare function setTableDefaultVisibility(db: Lattice, table: string, visibility: RowVisibilityDefault): Promise<void>;
+/** Owner-only: mark (or unmark) a table never-shareable. When on, the share/grant
+ *  functions refuse it and its new rows are forced private. */
+declare function setTableNeverShare(db: Lattice, table: string, on: boolean): Promise<void>;
 
 /**
  * The per-viewer fold (the "local compile" of the per-viewer enrichment model).
@@ -4476,4 +4683,4 @@ interface PdfOptions {
  */
 declare function describePdf(auth: ClaudeAuth, path: string, opts?: PdfOptions): Promise<string>;
 
-export { type AddWorkspaceOptions, type AdoptNativeOptions, type AdoptResult, type ApplyWriteResult, type AuditEvent, type AutoUpdateResult, type BelongsToRelation, type BelongsToSource, type BlobMetadata, type BuiltinTemplateName, CLOUD_SETTING_SYSTEM_PROMPT, CONFIG_SUBDIR, type CatalogEntity, type CatalogRecord, type ChangeEntry, type ChangelogOptions, type ClassifyMatch, type CleanupOptions, type CleanupResult, type CloudProbeResult, type CountOptions, type CrawlOptions, type CrawlResult, type CustomSource, DEFAULT_ENTRY_TYPES, DEFAULT_TYPE_ALIASES, type DiscoveredTable, type EmbeddingsConfig, type EnrichOptions, type EnrichResult, type EnrichedSource, type EnrichmentLookup, type EntityContextDefinition, type EntityContextManifestEntry, type EntityFileManifestInfo, type EntityFileSource, type EntityFileSpec, type EntityProfileField, type EntityProfileSection, type EntityProfileTemplate, type EntityRenderSpec, type EntityRenderTemplate, type EntitySectionPerRow, type EntitySectionsTemplate, type EntityTableColumn, type EntityTableTemplate, type ExtractedObject, type FilesRow, type Filter, type FilterOp, FoldCache, type FtsConfig, type FtsGroup, type FtsHit, type FtsOptions, type FtsResult, type HasManyRelation, type HasManySource, InMemorySourceKeyStore, InMemoryStateStore, type InitOptions, LOCAL_DB_RELPATH, Lattice, type LatticeConfig, type LatticeConfigInput, type LatticeEntityDef, type LatticeEntityRenderSpec, type LatticeFieldDef, type LatticeFieldType, type LatticeManifest, type LatticeOptions, type LinkOptions, type LlmClient, type LlmMessage, MEMBER_GROUP, type ManyToManySource, type MarkdownTableColumn, type MigrateResult, type Migration, type MigrationOptions, type MigrationProgress, type MigrationResult, type MultiTableDefinition, NATIVE_ENTITY_DEFS, NATIVE_ENTITY_NAMES, NATIVE_REGISTRY_TABLE, type Observation, type OrderBySpec, type OrganizeOptions, type OrganizeResult, type OrganizedCreation, type OrganizedLink, type ParseError, type ParseResult, type ParsedConfig, type PdfOptions, type PdfSenderInput, type PkLookup, PostgresAdapter, type PostgresAdapterOptions, type PreparedStatement, type PrimaryKey, type QueryOptions, READ_ONLY_HEADER, ROOT_DIRNAME, type ReadOnlyHeaderOptions, type ReconcileOptions, type ReconcileResult, type RefKind, type RefProvider, type ReferenceMetadata, ReferenceUnavailableError, type Relation, type RemoteBlobStore, type RenderHooks, type RenderResult, type RenderSpec, type ReportConfig, type ReportResult, type ReportSection, type ReportSectionResult, type ResolveOptions, type ReverseSeedDetection, type ReverseSeedResult, type ReverseSeedTableResult, type ReverseSyncError, type ReverseSyncResult, type ReverseSyncUpdate, type RewardScores, type Row, type S3Config, type S3StoreConfig, S3UnavailableError, SQLiteAdapter, type SchemaEntity, type SearchOptions, type SearchResult, type SecurityOptions, type SeedConfig, type SeedLinkSpec, SeedReconciliationError, type SeedResult, type SelfSource, type SessionEntry, type SessionParseOptions, type SessionWriteEntry, type SessionWriteOp, type SessionWriteParseResult, type SourceHandle, type SourceKeyStore, type SourceMetadata, type SourceQueryOptions, SourceShreddedError, type StopFn, type StorageAdapter, type SyncResult, type TableDefinition, type TemplateRenderSpec, type TurnParams, type TurnResult, type UnresolvedLink, type UpsertByNaturalKeyOptions, type UserIdentity, type UserPreferences, type Viewer, type VisionOptions, type VisionSenderInput, WORKSPACES_SUBDIR, type WatchOptions, type WorkspacePaths, type WorkspaceRecord, type WorkspaceRegistry, type WriteHook, type WriteHookContext, type WritebackDefinition, type WritebackStateStore, type WritebackValidationResult, activeWorkspaceLabel, addWorkspace, adoptNativeEntities, analyticsEnabled, applyTokenBudget, applyWriteEntry, archiveLocalSqlite, assertSafeUrl, attachBlob, audiencePredicate, audienceViewSql, autoFtsColumns, autoUpdate, backfillOwnership, canManageRoles, classifyLinks, cloudRlsInstalled, configDir, contentHash, crawlUrl, createReadOnlyHeader, createS3Store, createSQLiteStateStore, decrypt, defaultWorkspaceYaml, deleteDbCredential, deleteToken, deriveCanonicalContexts, deriveKey, describeImage, describePdf, discoverCloudTables, enableAudienceView, enableChangelogRls, enableRlsForTable, encrypt, enrichKnowledge, ensureFtsIndex, ensureLatticeRoot, entityFileNames, estimateTokens, extractObjects, findLatticeRoot, fixSchemaConflicts, foldEntity, frontmatter, ftsTableName, fullTextSearch, generateEntryId, generateMemberPassword, generateWriteEntryId, getActiveWorkspace, getCloudSetting, getDbCredential, getOrCreateMasterKey, getWorkspace, grantCell, hasFtsIndex, hashFile, importLegacyUserConfig, installCloudRls, installCloudSettings, isEncrypted, isNativeEntity, isPostgresUrl, isPrivateIp, isRowAudience, isV1EntityFiles, listDbCredentials, listNativeBindings, listTokens, listWorkspaces, manifestPath, markdownTable, memberRoleName, migrateLatticeData, normalizeEntityFiles, observationVisible, observationsFromChange, openTargetLatticeForMigration, openUnderSource, organizeSource, parseConfigFile, parseConfigString, parseMarkdownEntries, parseMatches, parseObjects, parseSessionMD, parseSessionWrites, probeCloud, providerForUrl, provisionMemberRole, readIdentity, readManifest, readPreferences, readRegistry, readToken, referenceLocalFile, referenceUrl, registerNativeEntities, registryPath, resolveActiveS3Config, resolveLatticeRoot, resolveSource, resolveWorkspacePaths, revokeCell, revokeMemberRole, rootConfigDir, s3Key, saveDbCredential, saveDbCredentialForTeam, sealUnderSource, secureCloud, setActiveWorkspace, setCloudSetting, setRowVisibility, shredSource, slugify, summarizeText, tableNeedsAudienceView, toSafeDirName, truncate, validateEntryId, workspaceBlobsDir, workspaceConfigPath, workspaceContextDir, workspaceDataDir, workspaceDbPath, workspaceDir, workspacesDir, writeIdentity, writeManifest, writePreferences, writeRegistry, writeToken };
+export { type AddWorkspaceOptions, type AdoptNativeOptions, type AdoptResult, type ApplyWriteResult, type AudienceRowCtx, type AuditEvent, type AutoUpdateResult, type BelongsToRelation, type BelongsToSource, type BlobMetadata, type BuiltinTemplateName, CLOUD_SETTING_SYSTEM_PROMPT, CONFIG_SUBDIR, type CatalogEntity, type CatalogRecord, type ChangeEntry, type ChangelogOptions, type ClassifyMatch, type CleanupOptions, type CleanupResult, type CloudProbeResult, type CountOptions, type CrawlOptions, type CrawlResult, type CustomSource, DEFAULT_ENTRY_TYPES, DEFAULT_TYPE_ALIASES, type DiscoveredTable, type EmbeddingsConfig, type EnrichOptions, type EnrichResult, type EnrichedSource, type EnrichmentLookup, type EntityContextDefinition, type EntityContextManifestEntry, type EntityFileManifestInfo, type EntityFileSource, type EntityFileSpec, type EntityProfileField, type EntityProfileSection, type EntityProfileTemplate, type EntityRenderSpec, type EntityRenderTemplate, type EntitySectionPerRow, type EntitySectionsTemplate, type EntityTableColumn, type EntityTableTemplate, type ExtractedObject, type FilesRow, type Filter, type FilterOp, FoldCache, type FtsConfig, type FtsGroup, type FtsHit, type FtsOptions, type FtsResult, type HasManyRelation, type HasManySource, InMemorySourceKeyStore, InMemoryStateStore, type InitOptions, LOCAL_DB_RELPATH, Lattice, type LatticeConfig, type LatticeConfigInput, type LatticeEntityDef, type LatticeEntityRenderSpec, type LatticeFieldDef, type LatticeFieldType, type LatticeManifest, type LatticeOptions, type LinkOptions, type LlmClient, type LlmMessage, MEMBER_GROUP, type ManyToManySource, type MarkdownTableColumn, type MigrateResult, type Migration, type MigrationOptions, type MigrationProgress, type MigrationResult, type MultiTableDefinition, NATIVE_ENTITY_DEFS, NATIVE_ENTITY_NAMES, NATIVE_REGISTRY_TABLE, type Observation, type OrderBySpec, type OrganizeOptions, type OrganizeResult, type OrganizedCreation, type OrganizedLink, type ParseError, type ParseResult, type ParsedConfig, type PdfOptions, type PdfSenderInput, type PkLookup, PostgresAdapter, type PostgresAdapterOptions, type PreparedStatement, type PrimaryKey, ProgressThrottle, type QueryOptions, READ_ONLY_HEADER, ROOT_DIRNAME, type ReadOnlyHeaderOptions, type ReconcileOptions, type ReconcileResult, type RefKind, type RefProvider, type ReferenceMetadata, ReferenceUnavailableError, type Relation, type RemoteBlobStore, type RenderHooks, type RenderOptions, type RenderProgress, type RenderProgressCallback, type RenderProgressKind, type RenderResult, type RenderSpec, type ReportConfig, type ReportResult, type ReportSection, type ReportSectionResult, type ResolveOptions, type ReverseSeedDetection, type ReverseSeedResult, type ReverseSeedTableResult, type ReverseSyncError, type ReverseSyncResult, type ReverseSyncUpdate, type RewardScores, type Row, type RowVisibilityDefault, type S3Config, type S3StoreConfig, S3UnavailableError, SQLiteAdapter, type SchemaEntity, type SearchOptions, type SearchResult, type SecurityOptions, type SeedConfig, type SeedLinkSpec, SeedReconciliationError, type SeedResult, type SelfSource, type SessionEntry, type SessionParseOptions, type SessionWriteEntry, type SessionWriteOp, type SessionWriteParseResult, type SourceHandle, type SourceKeyStore, type SourceMetadata, type SourceQueryOptions, SourceShreddedError, type StopFn, type StorageAdapter, type SyncResult, type TableDefinition, type TablePolicy, type TemplateRenderSpec, type TurnParams, type TurnResult, type UnresolvedLink, type UpsertByNaturalKeyOptions, type UserIdentity, type UserPreferences, type Viewer, type VisionOptions, type VisionSenderInput, WORKSPACES_SUBDIR, type WatchOptions, type WorkspacePaths, type WorkspaceRecord, type WorkspaceRegistry, type WriteHook, type WriteHookContext, type WritebackDefinition, type WritebackStateStore, type WritebackValidationResult, activeWorkspaceLabel, addWorkspace, adoptNativeEntities, analyticsEnabled, applyTokenBudget, applyWriteEntry, archiveLocalSqlite, assertSafeUrl, attachBlob, audiencePredicate, audienceViewSql, autoFtsColumns, autoUpdate, backfillOwnership, canManageRoles, classifyLinks, cloudRlsInstalled, configDir, contentHash, crawlUrl, createReadOnlyHeader, createS3Store, createSQLiteStateStore, decrypt, defaultWorkspaceYaml, deleteDbCredential, deleteToken, deriveCanonicalContexts, deriveKey, describeImage, describePdf, discoverCloudTables, enableAudienceView, enableChangelogRls, enableRlsForTable, encrypt, enrichKnowledge, ensureFtsIndex, ensureLatticeRoot, entityFileNames, estimateTokens, extractObjects, findLatticeRoot, fixSchemaConflicts, foldEntity, frontmatter, ftsTableName, fullTextSearch, generateEntryId, generateMemberPassword, generateWriteEntryId, getActiveWorkspace, getCloudSetting, getDbCredential, getOrCreateMasterKey, getTablePolicy, getWorkspace, grantCell, hasFtsIndex, hashFile, importLegacyUserConfig, installCloudRls, installCloudSettings, isEncrypted, isNativeEntity, isPostgresUrl, isPrivateIp, isRowAudience, isV1EntityFiles, listDbCredentials, listNativeBindings, listTokens, listWorkspaces, loadColumnPolicy, manifestPath, markdownTable, memberRoleName, migrateLatticeData, normalizeEntityFiles, observationVisible, observationsFromChange, openTargetLatticeForMigration, openUnderSource, organizeSource, parseConfigFile, parseConfigString, parseMarkdownEntries, parseMatches, parseObjects, parseSessionMD, parseSessionWrites, probeCloud, providerForUrl, provisionMemberRole, readIdentity, readManifest, readPreferences, readRegistry, readToken, referenceLocalFile, referenceUrl, regenerateAudienceViewFromDb, registerNativeEntities, registryPath, resolveActiveS3Config, resolveLatticeRoot, resolveSource, resolveWorkspacePaths, revokeCell, revokeMemberRole, rootConfigDir, s3Key, saveDbCredential, saveDbCredentialForTeam, sealUnderSource, secureCloud, seedColumnPolicyFromYaml, setActiveWorkspace, setCloudSetting, setColumnAudience, setRowVisibility, setTableDefaultVisibility, setTableNeverShare, shredSource, slugify, summarizeText, tableNeedsAudienceView, toSafeDirName, truncate, validateEntryId, workspaceBlobsDir, workspaceConfigPath, workspaceContextDir, workspaceDataDir, workspaceDbPath, workspaceDir, workspacesDir, writeIdentity, writeManifest, writePreferences, writeRegistry, writeToken };

package/dist/index.d.ts

@@ -1731,6 +1731,89 @@ declare function openUnderSource(ciphertext: string, sourceId: string, store: So
  */
 declare function shredSource(sourceId: string, store: SourceKeyStore): void;
 
+/**
+ * Progress reporting for the render engine.
+ *
+ * A render walks every table and every per-entity context file; for a large
+ * database this can take a while. These types let a caller observe progress
+ * (per-table %, which table is in flight) and cancel a render in progress via
+ * an `AbortSignal`. All of it is optional: a render with no `onProgress` and no
+ * `signal` behaves exactly as it did before — zero overhead, identical output.
+ */
+/** The kind of progress event the render engine emits. */
+type RenderProgressKind = 'table-start' | 'table-progress' | 'table-done' | 'done' | 'error';
+/**
+ * A single progress event. Fields beyond `kind` describe the table currently
+ * being rendered (`table`, `tableIndex`, `tableCount`) and how far along it is
+ * (`entitiesRendered`, `entitiesTotal`, `pct`). `durationMs` is set on the
+ * terminal `done` event; `message` carries human-readable detail (e.g. the
+ * error text on an `error` event).
+ */
+interface RenderProgress {
+    /** Discriminator: what stage of the render this event reports. */
+    kind: RenderProgressKind;
+    /** The table being rendered, or null for non-table events (`done`/`error`). */
+    table: string | null;
+    /** Entities rendered so far within `table` (per-table running count). */
+    entitiesRendered: number;
+    /** Total entities in `table` — the denominator for the per-table %. */
+    entitiesTotal: number;
+    /** Zero-based index of `table` among the entity-context tables. */
+    tableIndex: number;
+    /** Total number of entity-context tables in this render. */
+    tableCount: number;
+    /** Per-table completion percentage, 0–100, exact (`rendered/total`). */
+    pct: number;
+    /** Wall-clock duration of the whole render, set on the `done` event. */
+    durationMs?: number;
+    /** Human-readable detail; the error text on an `error` event. */
+    message?: string;
+}
+/** Sink the render engine pushes {@link RenderProgress} events into. */
+type RenderProgressCallback = (event: RenderProgress) => void;
+/**
+ * Optional knobs for a render. Both are opt-in:
+ * - `onProgress` — observe per-table render progress.
+ * - `signal` — cancel a render in flight; the engine bails between entities and
+ *   returns the partial manifest (which the caller is expected to discard).
+ */
+interface RenderOptions {
+    onProgress?: RenderProgressCallback;
+    signal?: AbortSignal;
+}
+/**
+ * Coalesces high-frequency `table-progress` events down to ≤ ~5/sec per table,
+ * while always passing through the lifecycle events (`table-start`,
+ * `table-done`, `done`, `error`) immediately.
+ *
+ * A render over a 6,760-row table would otherwise emit thousands of
+ * `table-progress` events; this caps it at a few dozen. The throttle lives in
+ * the engine so every consumer benefits and no per-entity object crosses the
+ * progress boundary more than ~5×/sec.
+ *
+ * The 200 ms window is reset on every `table-start` (via {@link force}), so each
+ * table gets its own fresh budget and the first progress tick of a new table is
+ * not suppressed by the previous table's last tick.
+ */
+declare class ProgressThrottle {
+    private readonly cb;
+    private readonly windowMs;
+    private lastEmit;
+    constructor(cb: RenderProgressCallback | undefined, windowMs?: number);
+    /**
+     * Emit a `table-progress` event, but only if the window since the last
+     * passthrough has elapsed. Dropped events are simply not delivered — the next
+     * one that survives carries the latest running count.
+     */
+    tick(event: RenderProgress): void;
+    /**
+     * Emit a lifecycle event immediately and reset the throttle window. Use for
+     * `table-start`, `table-done`, `done`, and `error` — none of which should
+     * ever be dropped. Resetting on `table-start` gives each table a clean budget.
+     */
+    force(event: RenderProgress): void;
+}
+
 /**
  * Initialise Lattice from a YAML config file instead of an explicit path.
  *
@@ -1994,6 +2077,34 @@ declare class Lattice {
      */
     private _assertIdent;
     insert(table: string, row: Row, provenance?: ChangeProvenance): Promise<string>;
+    /**
+     * Insert a row while atomically forcing its cloud row-visibility, regardless of
+     * the table's `default_row_visibility`. The per-table insert trigger reads a
+     * transaction-local GUC (`lattice.force_row_visibility`); we set it and run the
+     * INSERT inside a single transaction, so the row is stamped at `visibility` the
+     * instant it exists — it is never momentarily visible at the table default, and
+     * the change-feed `NOTIFY` (delivered only at COMMIT) fires when the row already
+     * carries this visibility. This closes the create-then-demote window that a
+     * plain `insert()` + `setRowVisibility()` would leave open.
+     *
+     * Postgres-only: SQLite is single-user (no cross-viewer leak) and has no trigger
+     * to read the GUC, so it degrades to a plain {@link insert}. A `never_share`
+     * table still wins — its rows are forced private even if `visibility` is
+     * `'everyone'` (the trigger enforces that precedence).
+     *
+     * @since 3.1.0
+     */
+    insertForcingVisibility(table: string, row: Row, visibility: 'private' | 'everyone', provenance?: ChangeProvenance): Promise<string>;
+    /**
+     * Build the INSERT statement + canonical pk for a row (sanitize → schema-filter →
+     * auto-pk → encrypt). Shared by {@link insert} and {@link insertForcingVisibility}
+     * so both produce byte-identical writes; the latter only differs in running it
+     * inside a GUC-scoped transaction.
+     */
+    private _prepareInsert;
+    /** Post-insert side effects (changelog, audit, write hooks, embedding sync),
+     *  identical for the plain and force-visibility insert paths. */
+    private _afterInsert;
     /**
      * Insert a row and return the full inserted row (including auto-generated
      * fields and defaults). Equivalent to `insert()` followed by `get()`.
@@ -2120,7 +2231,22 @@ declare class Lattice {
     search(table: string, query: string, opts?: SearchOptions): Promise<SearchResult[]>;
     query(table: string, opts?: QueryOptions): Promise<Row[]>;
     count(table: string, opts?: CountOptions): Promise<number>;
-    render(outputDir: string): Promise<RenderResult>;
+    render(outputDir: string, opts?: RenderOptions): Promise<RenderResult>;
+    /**
+     * Render into `outputDir` through the shared single-flight guard, intended to
+     * be called fire-and-forget (e.g. the GUI's instant-open background render).
+     *
+     * The guard ({@link _renderGuarded}) holds {@link _autoRenderInFlight} for the
+     * render's duration, so a data mutation that lands while this render is in
+     * flight is deferred by {@link _runAutoRender} and coalesced — when this
+     * render settles, `finally` clears the flag and re-arms exactly one follow-up
+     * render via {@link _rearmAutoRenderIfPending}. Net invariant: at most one
+     * render to a given dir at a time.
+     *
+     * Errors propagate to the caller (the GUI surfaces them, never silently swallowed); they are
+     * not swallowed here.
+     */
+    renderInBackground(outputDir: string, opts?: RenderOptions): Promise<RenderResult>;
     sync(outputDir: string): Promise<SyncResult>;
     /**
      * Recover rows from rendered files into empty database tables.
@@ -2236,6 +2362,17 @@ declare class Lattice {
     /** Turn off automatic rendering and cancel any pending render. */
     disableAutoRender(): this;
     private _scheduleAutoRender;
+    /**
+     * Shared single-flight render path used by {@link renderInBackground}.
+     *
+     * Holds {@link _autoRenderInFlight} for the render's duration so the
+     * mutation-driven {@link _runAutoRender} defers while this render runs (it
+     * sees the flag and marks itself pending instead of starting a second,
+     * overlapping render). On settle, `finally` clears the flag and re-arms a
+     * single coalesced follow-up render if any mutation arrived mid-flight.
+     * Errors propagate to the caller; the flag is always cleared.
+     */
+    private _renderGuarded;
     private _runAutoRender;
     private _rearmAutoRenderIfPending;
     /**
@@ -3904,10 +4041,10 @@ declare function isPostgresUrl(url: string): boolean;
  * `CREATE OR REPLACE FUNCTION`). Multi-statement — Postgres-only, so it never hits
  * the single-statement SQLite migration path.
  *
- * NOTE (follow-up): the `SECURITY DEFINER` helpers below should pin `search_path`
- * to the cloud schema to fully close the definer-search_path class of issue. Today
- * members are `NOSUPERUSER` without CREATE on the schema, so they cannot plant a
- * shadowing object; the pin is hardening, tracked for the schema-awareness pass.
+ * Every `SECURITY DEFINER` helper below gets `search_path` pinned at install time
+ * via {@link pinDefinerSearchPath} (see its doc for the threat it closes). The pin
+ * is applied in {@link installCloudRls}, not baked into the literal here, because
+ * the cloud's schema name is only known at runtime (`current_schema()`).
  */
 /**
  * Group role every cloud member inherits. Table privileges are granted to the
@@ -3923,14 +4060,31 @@ declare function installCloudRls(db: Lattice): Promise<void>;
  * only what they're allowed to: a DERIVED observation only when it can reach
  * EVERY source it was derived from (so a hidden enrichment never reaches the
  * member — existence-hiding is structural), and a ground-truth / audit entry
- * only for a row that is itself visible to the member. Both predicates route
- * through the `session_user`-keyed SECURITY DEFINER helpers, so they bind to the
- * real member. `FORCE ROW LEVEL SECURITY` applies the policy even to the table
- * owner. No-op on SQLite (single-user; no cross-viewer leak to guard). Run after
- * the change-log table exists (`Lattice.ensureObservationSubstrate`).
+ * only when the member OWNS the row it records. Both predicates route through the
+ * `session_user`-keyed SECURITY DEFINER helpers, so they bind to the real member.
+ * `FORCE ROW LEVEL SECURITY` applies the policy even to the table owner. No-op on
+ * SQLite (single-user; no cross-viewer leak to guard). Run after the change-log
+ * table exists (`Lattice.ensureObservationSubstrate`).
+ *
+ * Ground-truth entries are OWNER-ONLY (v2), not merely "row is visible". A
+ * changelog row carries the full `changes`/`previous` JSON of the underlying row —
+ * EVERY column in cleartext, including ones the `<table>_v` mask hides from a
+ * non-owner (an `owner`-audience secret column, a role-gated column). If a member
+ * who was merely granted the row could read its history, those masked columns
+ * would leak in cleartext, bypassing column masking. The row's full mutation
+ * history is an owner/audit artifact; a non-owner sees the row only through the
+ * masked view, never its raw history. (The derived-observation branch is the
+ * per-viewer enrichment path and is unaffected — it carries enrichment, not the
+ * base row's masked columns.)
  */
 declare function enableChangelogRls(db: Lattice): Promise<void>;
-/** Enable RLS on one shared table. No-op on SQLite. Idempotent via a per-table version key. */
+/**
+ * Enable RLS on one shared table. No-op on SQLite. Idempotent via a per-table
+ * version key. v3 bumps the key so existing clouds re-install the policy-aware
+ * insert trigger (which now stamps the per-table `default_row_visibility` / forces
+ * private under `never_share`) and pick up the `search_path` pin on the trigger
+ * function — neither of which a v2-stamped clone would otherwise get.
+ */
 declare function enableRlsForTable(db: Lattice, table: string, pkCols: readonly string[]): Promise<void>;
 /**
  * Stamp the current role as owner of every row that already exists in a table —
@@ -4008,6 +4162,11 @@ interface DiscoveredTable {
  */
 declare function discoverCloudTables(db: Lattice): Promise<DiscoveredTable[]>;
 
+/** Row context the `owner` clause needs (the table literal + pk SQL expression). */
+interface AudienceRowCtx {
+    tableLit: string;
+    pkExpr: string;
+}
 /** True when this audience means "no mask" (visible to whoever can see the row). */
 declare function isRowAudience(audience: string | undefined): boolean;
 /**
@@ -4015,7 +4174,7 @@ declare function isRowAudience(audience: string | undefined): boolean;
  * functions. Returns `'true'` for the row-audience / everyone case. Throws on an
  * unknown or malformed clause.
  */
-declare function audiencePredicate(audience: string): string;
+declare function audiencePredicate(audience: string, ctx?: AudienceRowCtx): string;
 /** Whether a table needs a masking view at all (any column has a real audience). */
 declare function tableNeedsAudienceView(columnAudience: Record<string, string>): boolean;
 /**
@@ -4047,6 +4206,54 @@ declare function audienceViewSql(table: string, columns: readonly string[], pkCo
  * visibility helper and revokes the base SELECT that enableRlsForTable granted).
  */
 declare function enableAudienceView(db: Lattice, table: string, columns: readonly string[], pkCols: readonly string[], columnAudience: Record<string, string>): Promise<void>;
+/** Read a table's canonical column->audience map from __lattice_column_policy. */
+declare function loadColumnPolicy(db: Lattice, table: string): Promise<Record<string, string>>;
+/** Seed a table's YAML-declared audiences into __lattice_column_policy — ONE TIME
+ *  per table, the migration from the legacy on-disk spec to the DB-canonical store.
+ *  A marker in __lattice_migrations gates it: after the first run we never seed from
+ *  YAML again, because a later secureCloud would otherwise re-insert a policy row
+ *  for a column the owner has since CLEARED through the DB (a cleared column has no
+ *  row, so ON CONFLICT DO NOTHING would NOT protect it) — silently re-masking a
+ *  column the owner deliberately un-masked. Once seeded, the DB is canonical and
+ *  the only path to change a column's audience is setColumnAudience. */
+declare function seedColumnPolicyFromYaml(db: Lattice, table: string, yamlAudience: Record<string, string>): Promise<void>;
+/** Regenerate a table's cell-masking view FROM the DB column-policy (not YAML). If
+ *  the table now has no audience columns, drop the view and restore base SELECT to
+ *  members; otherwise (re)create the masked view and revoke base SELECT. Runs the
+ *  DDL directly (not via db.migrate) so it always reflects the current spec. */
+declare function regenerateAudienceViewFromDb(db: Lattice, table: string, columns: readonly string[], pkCols: readonly string[]): Promise<void>;
+/** Owner-only: set (or clear, with an empty spec) a column's audience in the DB and
+ *  regenerate the table's mask view from the DB. The owner gate is enforced inside
+ *  lattice_set_column_audience (raises for a non-owner). */
+declare function setColumnAudience(db: Lattice, table: string, column: string, audience: string, columns: readonly string[], pkCols: readonly string[]): Promise<void>;
+
+/**
+ * Per-table cloud policy (owner-controlled, Postgres-stored + enforced):
+ *  - `defaultRowVisibility` — the visibility NEW rows in this table are stamped
+ *    with (the per-table insert trigger reads `__lattice_table_policy`); default
+ *    `private` ⇒ unchanged behavior.
+ *  - `neverShare` — a hard exclusion (Secrets/Messages-class): the share/grant
+ *    SECURITY DEFINER functions raise for the table and the trigger forces its rows
+ *    private. Set at the data-model level, so a direct `psql` connection obeys it.
+ *
+ * These are thin wrappers over the owner-gated SQL functions in the RLS bootstrap
+ * (`lattice_set_table_default_visibility` / `lattice_set_table_never_share`), which
+ * raise unless the caller can create roles. No-op / safe defaults on SQLite.
+ */
+type RowVisibilityDefault = 'private' | 'everyone';
+interface TablePolicy {
+    defaultRowVisibility: RowVisibilityDefault;
+    neverShare: boolean;
+}
+/** Read a table's policy. Returns the safe default (private, shareable) on SQLite
+ *  or when no policy row exists. */
+declare function getTablePolicy(db: Lattice, table: string): Promise<TablePolicy>;
+/** Owner-only: set the visibility NEW rows in `table` are created with. Raises (via
+ *  the SQL function) for a non-owner or for `everyone` on a never-share table. */
+declare function setTableDefaultVisibility(db: Lattice, table: string, visibility: RowVisibilityDefault): Promise<void>;
+/** Owner-only: mark (or unmark) a table never-shareable. When on, the share/grant
+ *  functions refuse it and its new rows are forced private. */
+declare function setTableNeverShare(db: Lattice, table: string, on: boolean): Promise<void>;
 
 /**
  * The per-viewer fold (the "local compile" of the per-viewer enrichment model).
@@ -4476,4 +4683,4 @@ interface PdfOptions {
  */
 declare function describePdf(auth: ClaudeAuth, path: string, opts?: PdfOptions): Promise<string>;
 
-export { type AddWorkspaceOptions, type AdoptNativeOptions, type AdoptResult, type ApplyWriteResult, type AuditEvent, type AutoUpdateResult, type BelongsToRelation, type BelongsToSource, type BlobMetadata, type BuiltinTemplateName, CLOUD_SETTING_SYSTEM_PROMPT, CONFIG_SUBDIR, type CatalogEntity, type CatalogRecord, type ChangeEntry, type ChangelogOptions, type ClassifyMatch, type CleanupOptions, type CleanupResult, type CloudProbeResult, type CountOptions, type CrawlOptions, type CrawlResult, type CustomSource, DEFAULT_ENTRY_TYPES, DEFAULT_TYPE_ALIASES, type DiscoveredTable, type EmbeddingsConfig, type EnrichOptions, type EnrichResult, type EnrichedSource, type EnrichmentLookup, type EntityContextDefinition, type EntityContextManifestEntry, type EntityFileManifestInfo, type EntityFileSource, type EntityFileSpec, type EntityProfileField, type EntityProfileSection, type EntityProfileTemplate, type EntityRenderSpec, type EntityRenderTemplate, type EntitySectionPerRow, type EntitySectionsTemplate, type EntityTableColumn, type EntityTableTemplate, type ExtractedObject, type FilesRow, type Filter, type FilterOp, FoldCache, type FtsConfig, type FtsGroup, type FtsHit, type FtsOptions, type FtsResult, type HasManyRelation, type HasManySource, InMemorySourceKeyStore, InMemoryStateStore, type InitOptions, LOCAL_DB_RELPATH, Lattice, type LatticeConfig, type LatticeConfigInput, type LatticeEntityDef, type LatticeEntityRenderSpec, type LatticeFieldDef, type LatticeFieldType, type LatticeManifest, type LatticeOptions, type LinkOptions, type LlmClient, type LlmMessage, MEMBER_GROUP, type ManyToManySource, type MarkdownTableColumn, type MigrateResult, type Migration, type MigrationOptions, type MigrationProgress, type MigrationResult, type MultiTableDefinition, NATIVE_ENTITY_DEFS, NATIVE_ENTITY_NAMES, NATIVE_REGISTRY_TABLE, type Observation, type OrderBySpec, type OrganizeOptions, type OrganizeResult, type OrganizedCreation, type OrganizedLink, type ParseError, type ParseResult, type ParsedConfig, type PdfOptions, type PdfSenderInput, type PkLookup, PostgresAdapter, type PostgresAdapterOptions, type PreparedStatement, type PrimaryKey, type QueryOptions, READ_ONLY_HEADER, ROOT_DIRNAME, type ReadOnlyHeaderOptions, type ReconcileOptions, type ReconcileResult, type RefKind, type RefProvider, type ReferenceMetadata, ReferenceUnavailableError, type Relation, type RemoteBlobStore, type RenderHooks, type RenderResult, type RenderSpec, type ReportConfig, type ReportResult, type ReportSection, type ReportSectionResult, type ResolveOptions, type ReverseSeedDetection, type ReverseSeedResult, type ReverseSeedTableResult, type ReverseSyncError, type ReverseSyncResult, type ReverseSyncUpdate, type RewardScores, type Row, type S3Config, type S3StoreConfig, S3UnavailableError, SQLiteAdapter, type SchemaEntity, type SearchOptions, type SearchResult, type SecurityOptions, type SeedConfig, type SeedLinkSpec, SeedReconciliationError, type SeedResult, type SelfSource, type SessionEntry, type SessionParseOptions, type SessionWriteEntry, type SessionWriteOp, type SessionWriteParseResult, type SourceHandle, type SourceKeyStore, type SourceMetadata, type SourceQueryOptions, SourceShreddedError, type StopFn, type StorageAdapter, type SyncResult, type TableDefinition, type TemplateRenderSpec, type TurnParams, type TurnResult, type UnresolvedLink, type UpsertByNaturalKeyOptions, type UserIdentity, type UserPreferences, type Viewer, type VisionOptions, type VisionSenderInput, WORKSPACES_SUBDIR, type WatchOptions, type WorkspacePaths, type WorkspaceRecord, type WorkspaceRegistry, type WriteHook, type WriteHookContext, type WritebackDefinition, type WritebackStateStore, type WritebackValidationResult, activeWorkspaceLabel, addWorkspace, adoptNativeEntities, analyticsEnabled, applyTokenBudget, applyWriteEntry, archiveLocalSqlite, assertSafeUrl, attachBlob, audiencePredicate, audienceViewSql, autoFtsColumns, autoUpdate, backfillOwnership, canManageRoles, classifyLinks, cloudRlsInstalled, configDir, contentHash, crawlUrl, createReadOnlyHeader, createS3Store, createSQLiteStateStore, decrypt, defaultWorkspaceYaml, deleteDbCredential, deleteToken, deriveCanonicalContexts, deriveKey, describeImage, describePdf, discoverCloudTables, enableAudienceView, enableChangelogRls, enableRlsForTable, encrypt, enrichKnowledge, ensureFtsIndex, ensureLatticeRoot, entityFileNames, estimateTokens, extractObjects, findLatticeRoot, fixSchemaConflicts, foldEntity, frontmatter, ftsTableName, fullTextSearch, generateEntryId, generateMemberPassword, generateWriteEntryId, getActiveWorkspace, getCloudSetting, getDbCredential, getOrCreateMasterKey, getWorkspace, grantCell, hasFtsIndex, hashFile, importLegacyUserConfig, installCloudRls, installCloudSettings, isEncrypted, isNativeEntity, isPostgresUrl, isPrivateIp, isRowAudience, isV1EntityFiles, listDbCredentials, listNativeBindings, listTokens, listWorkspaces, manifestPath, markdownTable, memberRoleName, migrateLatticeData, normalizeEntityFiles, observationVisible, observationsFromChange, openTargetLatticeForMigration, openUnderSource, organizeSource, parseConfigFile, parseConfigString, parseMarkdownEntries, parseMatches, parseObjects, parseSessionMD, parseSessionWrites, probeCloud, providerForUrl, provisionMemberRole, readIdentity, readManifest, readPreferences, readRegistry, readToken, referenceLocalFile, referenceUrl, registerNativeEntities, registryPath, resolveActiveS3Config, resolveLatticeRoot, resolveSource, resolveWorkspacePaths, revokeCell, revokeMemberRole, rootConfigDir, s3Key, saveDbCredential, saveDbCredentialForTeam, sealUnderSource, secureCloud, setActiveWorkspace, setCloudSetting, setRowVisibility, shredSource, slugify, summarizeText, tableNeedsAudienceView, toSafeDirName, truncate, validateEntryId, workspaceBlobsDir, workspaceConfigPath, workspaceContextDir, workspaceDataDir, workspaceDbPath, workspaceDir, workspacesDir, writeIdentity, writeManifest, writePreferences, writeRegistry, writeToken };
+export { type AddWorkspaceOptions, type AdoptNativeOptions, type AdoptResult, type ApplyWriteResult, type AudienceRowCtx, type AuditEvent, type AutoUpdateResult, type BelongsToRelation, type BelongsToSource, type BlobMetadata, type BuiltinTemplateName, CLOUD_SETTING_SYSTEM_PROMPT, CONFIG_SUBDIR, type CatalogEntity, type CatalogRecord, type ChangeEntry, type ChangelogOptions, type ClassifyMatch, type CleanupOptions, type CleanupResult, type CloudProbeResult, type CountOptions, type CrawlOptions, type CrawlResult, type CustomSource, DEFAULT_ENTRY_TYPES, DEFAULT_TYPE_ALIASES, type DiscoveredTable, type EmbeddingsConfig, type EnrichOptions, type EnrichResult, type EnrichedSource, type EnrichmentLookup, type EntityContextDefinition, type EntityContextManifestEntry, type EntityFileManifestInfo, type EntityFileSource, type EntityFileSpec, type EntityProfileField, type EntityProfileSection, type EntityProfileTemplate, type EntityRenderSpec, type EntityRenderTemplate, type EntitySectionPerRow, type EntitySectionsTemplate, type EntityTableColumn, type EntityTableTemplate, type ExtractedObject, type FilesRow, type Filter, type FilterOp, FoldCache, type FtsConfig, type FtsGroup, type FtsHit, type FtsOptions, type FtsResult, type HasManyRelation, type HasManySource, InMemorySourceKeyStore, InMemoryStateStore, type InitOptions, LOCAL_DB_RELPATH, Lattice, type LatticeConfig, type LatticeConfigInput, type LatticeEntityDef, type LatticeEntityRenderSpec, type LatticeFieldDef, type LatticeFieldType, type LatticeManifest, type LatticeOptions, type LinkOptions, type LlmClient, type LlmMessage, MEMBER_GROUP, type ManyToManySource, type MarkdownTableColumn, type MigrateResult, type Migration, type MigrationOptions, type MigrationProgress, type MigrationResult, type MultiTableDefinition, NATIVE_ENTITY_DEFS, NATIVE_ENTITY_NAMES, NATIVE_REGISTRY_TABLE, type Observation, type OrderBySpec, type OrganizeOptions, type OrganizeResult, type OrganizedCreation, type OrganizedLink, type ParseError, type ParseResult, type ParsedConfig, type PdfOptions, type PdfSenderInput, type PkLookup, PostgresAdapter, type PostgresAdapterOptions, type PreparedStatement, type PrimaryKey, ProgressThrottle, type QueryOptions, READ_ONLY_HEADER, ROOT_DIRNAME, type ReadOnlyHeaderOptions, type ReconcileOptions, type ReconcileResult, type RefKind, type RefProvider, type ReferenceMetadata, ReferenceUnavailableError, type Relation, type RemoteBlobStore, type RenderHooks, type RenderOptions, type RenderProgress, type RenderProgressCallback, type RenderProgressKind, type RenderResult, type RenderSpec, type ReportConfig, type ReportResult, type ReportSection, type ReportSectionResult, type ResolveOptions, type ReverseSeedDetection, type ReverseSeedResult, type ReverseSeedTableResult, type ReverseSyncError, type ReverseSyncResult, type ReverseSyncUpdate, type RewardScores, type Row, type RowVisibilityDefault, type S3Config, type S3StoreConfig, S3UnavailableError, SQLiteAdapter, type SchemaEntity, type SearchOptions, type SearchResult, type SecurityOptions, type SeedConfig, type SeedLinkSpec, SeedReconciliationError, type SeedResult, type SelfSource, type SessionEntry, type SessionParseOptions, type SessionWriteEntry, type SessionWriteOp, type SessionWriteParseResult, type SourceHandle, type SourceKeyStore, type SourceMetadata, type SourceQueryOptions, SourceShreddedError, type StopFn, type StorageAdapter, type SyncResult, type TableDefinition, type TablePolicy, type TemplateRenderSpec, type TurnParams, type TurnResult, type UnresolvedLink, type UpsertByNaturalKeyOptions, type UserIdentity, type UserPreferences, type Viewer, type VisionOptions, type VisionSenderInput, WORKSPACES_SUBDIR, type WatchOptions, type WorkspacePaths, type WorkspaceRecord, type WorkspaceRegistry, type WriteHook, type WriteHookContext, type WritebackDefinition, type WritebackStateStore, type WritebackValidationResult, activeWorkspaceLabel, addWorkspace, adoptNativeEntities, analyticsEnabled, applyTokenBudget, applyWriteEntry, archiveLocalSqlite, assertSafeUrl, attachBlob, audiencePredicate, audienceViewSql, autoFtsColumns, autoUpdate, backfillOwnership, canManageRoles, classifyLinks, cloudRlsInstalled, configDir, contentHash, crawlUrl, createReadOnlyHeader, createS3Store, createSQLiteStateStore, decrypt, defaultWorkspaceYaml, deleteDbCredential, deleteToken, deriveCanonicalContexts, deriveKey, describeImage, describePdf, discoverCloudTables, enableAudienceView, enableChangelogRls, enableRlsForTable, encrypt, enrichKnowledge, ensureFtsIndex, ensureLatticeRoot, entityFileNames, estimateTokens, extractObjects, findLatticeRoot, fixSchemaConflicts, foldEntity, frontmatter, ftsTableName, fullTextSearch, generateEntryId, generateMemberPassword, generateWriteEntryId, getActiveWorkspace, getCloudSetting, getDbCredential, getOrCreateMasterKey, getTablePolicy, getWorkspace, grantCell, hasFtsIndex, hashFile, importLegacyUserConfig, installCloudRls, installCloudSettings, isEncrypted, isNativeEntity, isPostgresUrl, isPrivateIp, isRowAudience, isV1EntityFiles, listDbCredentials, listNativeBindings, listTokens, listWorkspaces, loadColumnPolicy, manifestPath, markdownTable, memberRoleName, migrateLatticeData, normalizeEntityFiles, observationVisible, observationsFromChange, openTargetLatticeForMigration, openUnderSource, organizeSource, parseConfigFile, parseConfigString, parseMarkdownEntries, parseMatches, parseObjects, parseSessionMD, parseSessionWrites, probeCloud, providerForUrl, provisionMemberRole, readIdentity, readManifest, readPreferences, readRegistry, readToken, referenceLocalFile, referenceUrl, regenerateAudienceViewFromDb, registerNativeEntities, registryPath, resolveActiveS3Config, resolveLatticeRoot, resolveSource, resolveWorkspacePaths, revokeCell, revokeMemberRole, rootConfigDir, s3Key, saveDbCredential, saveDbCredentialForTeam, sealUnderSource, secureCloud, seedColumnPolicyFromYaml, setActiveWorkspace, setCloudSetting, setColumnAudience, setRowVisibility, setTableDefaultVisibility, setTableNeverShare, shredSource, slugify, summarizeText, tableNeedsAudienceView, toSafeDirName, truncate, validateEntryId, workspaceBlobsDir, workspaceConfigPath, workspaceContextDir, workspaceDataDir, workspaceDbPath, workspaceDir, workspacesDir, writeIdentity, writeManifest, writePreferences, writeRegistry, writeToken };