npm - latticesql - Versions diffs - 3.0.0 → 3.1.0 - Mend

latticesql 3.0.0 → 3.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/dist/index.js CHANGED Viewed

@@ -41438,7 +41438,42 @@ function cleanupEntityContexts(outputDir, entityContexts, currentSlugsByTable, m
   return result;
 }
+// src/render/progress.ts
+var THROTTLE_WINDOW_MS = 200;
+var ProgressThrottle = class {
+  cb;
+  windowMs;
+  lastEmit = 0;
+  constructor(cb, windowMs = THROTTLE_WINDOW_MS) {
+    this.cb = cb;
+    this.windowMs = windowMs;
+  }
+  /**
+   * Emit a `table-progress` event, but only if the window since the last
+   * passthrough has elapsed. Dropped events are simply not delivered — the next
+   * one that survives carries the latest running count.
+   */
+  tick(event) {
+    if (!this.cb) return;
+    const now = Date.now();
+    if (now - this.lastEmit < this.windowMs) return;
+    this.lastEmit = now;
+    this.cb(event);
+  }
+  /**
+   * Emit a lifecycle event immediately and reset the throttle window. Use for
+   * `table-start`, `table-done`, `done`, and `error` — none of which should
+   * ever be dropped. Resetting on `table-start` gives each table a clean budget.
+   */
+  force(event) {
+    if (!this.cb) return;
+    this.lastEmit = Date.now();
+    this.cb(event);
+  }
+};
 // src/render/engine.ts
+var YIELD_EVERY_ENTITIES = 200;
 var NOOP_RENDER = () => "";
 var RenderEngine = class {
   _schema;
@@ -41452,11 +41487,14 @@ var RenderEngine = class {
     this._getTaskContext = getTaskContext ?? (() => "");
     this._skipEmpty = options?.skipEmpty ?? false;
   }
-  async render(outputDir) {
+  async render(outputDir, opts = {}) {
     const start = Date.now();
     const filesWritten = [];
     const counters = { skipped: 0 };
+    const signal = opts.signal;
+    const throttle = new ProgressThrottle(opts.onProgress);
     for (const [name, def] of this._schema.getTables()) {
+      if (signal?.aborted) return this._abortedResult(filesWritten, counters, start);
       if (this._skipEmpty && def.render === NOOP_RENDER) continue;
       let rows = await this._schema.queryTable(this._adapter, name);
       if (def.relevanceFilter) {
@@ -41498,8 +41536,18 @@ var RenderEngine = class {
       } else {
         counters.skipped++;
       }
+      throttle.force({
+        kind: "table-done",
+        table: name,
+        entitiesRendered: rows.length,
+        entitiesTotal: rows.length,
+        tableIndex: 0,
+        tableCount: 0,
+        pct: 100
+      });
     }
-    for (const [, def] of this._schema.getMultis()) {
+    for (const [name, def] of this._schema.getMultis()) {
+      if (signal?.aborted) return this._abortedResult(filesWritten, counters, start);
       const keys = await def.keys();
       const tables = {};
       if (def.tables) {
@@ -41516,12 +41564,26 @@ var RenderEngine = class {
           counters.skipped++;
         }
       }
+      throttle.force({
+        kind: "table-done",
+        table: name,
+        entitiesRendered: keys.length,
+        entitiesTotal: keys.length,
+        tableIndex: 0,
+        tableCount: 0,
+        pct: 100
+      });
     }
     const entityContextManifest = await this._renderEntityContexts(
       outputDir,
       filesWritten,
-      counters
+      counters,
+      throttle,
+      signal
     );
+    if (entityContextManifest === null) {
+      return this._abortedResult(filesWritten, counters, start);
+    }
     if (this._schema.getEntityContexts().size > 0) {
       writeManifest(outputDir, {
         version: 2,
@@ -41529,6 +41591,29 @@ var RenderEngine = class {
         entityContexts: entityContextManifest
       });
     }
+    const result = {
+      filesWritten,
+      filesSkipped: counters.skipped,
+      durationMs: Date.now() - start
+    };
+    throttle.force({
+      kind: "done",
+      table: null,
+      entitiesRendered: 0,
+      entitiesTotal: 0,
+      tableIndex: 0,
+      tableCount: 0,
+      pct: 100,
+      durationMs: result.durationMs
+    });
+    return result;
+  }
+  /**
+   * Build the partial RenderResult to return when a render is aborted. No
+   * `done` event is emitted — the caller treats abort as "discard the partial
+   * tree", not as a successful completion.
+   */
+  _abortedResult(filesWritten, counters, start) {
     return {
       filesWritten,
       filesSkipped: counters.skipped,
@@ -41564,18 +41649,35 @@ var RenderEngine = class {
   /**
    * Render all entity context definitions.
    * Mutates `filesWritten` and `counters` in place.
-   * Returns manifest data for the entity contexts rendered this cycle.
+   * Returns manifest data for the entity contexts rendered this cycle, or
+   * `null` if the render was aborted mid-flight (the caller discards the
+   * partial tree). Progress is reported through `throttle`; abort is observed
+   * via `signal`.
    */
-  async _renderEntityContexts(outputDir, filesWritten, counters) {
+  async _renderEntityContexts(outputDir, filesWritten, counters, throttle, signal) {
     const manifestData = {};
     const protectedTables = /* @__PURE__ */ new Set();
     for (const [t8, d6] of this._schema.getEntityContexts()) {
       if (d6.protected) protectedTables.add(t8);
     }
-    for (const [table, def] of this._schema.getEntityContexts()) {
+    const entityTables = [...this._schema.getEntityContexts()];
+    const tableCount = entityTables.length;
+    for (let tableIndex = 0; tableIndex < tableCount; tableIndex++) {
+      if (signal?.aborted) return null;
+      const [table, def] = entityTables[tableIndex];
       const entityPk = this._schema.getPrimaryKey(table)[0] ?? "id";
       const allRows = await this._schema.queryTable(this._adapter, table);
       const directoryRoot = def.directoryRoot ?? table;
+      const entitiesTotal = allRows.length;
+      throttle.force({
+        kind: "table-start",
+        table,
+        entitiesRendered: 0,
+        entitiesTotal,
+        tableIndex,
+        tableCount,
+        pct: 0
+      });
       const manifestEntry = {
         directoryRoot,
         ...def.index ? { indexFile: def.index.outputFile } : {},
@@ -41591,7 +41693,12 @@ var RenderEngine = class {
           counters.skipped++;
         }
       }
-      for (const entityRow of allRows) {
+      for (let i6 = 0; i6 < allRows.length; i6++) {
+        const entityRow = allRows[i6];
+        if (signal?.aborted) return null;
+        if (i6 > 0 && i6 % YIELD_EVERY_ENTITIES === 0) {
+          await new Promise((r6) => setImmediate(r6));
+        }
         const rawSlug = def.slug(entityRow);
         const slug = rawSlug.replace(/[\u00A0\u2000-\u200B\u202F\u205F\u3000]/g, " ").replace(/[\u0000-\u001F\u007F]/g, "");
         if (/[^a-zA-Z0-9.\-_ @(),#&'+:;!~[\]]/.test(slug)) {
@@ -41636,6 +41743,7 @@ var RenderEngine = class {
         const entityFileHashes = {};
         const protection = protectedTables.size > 0 ? { protectedTables, currentTable: table } : void 0;
         for (const [filename, spec] of Object.entries(def.files)) {
+          if (signal?.aborted) return null;
           const mergeDefaults = def.sourceDefaults && spec.source.type !== "self" && spec.source.type !== "custom" && spec.source.type !== "enriched";
           const source = mergeDefaults ? { ...def.sourceDefaults, ...spec.source } : spec.source;
           const rows = await resolveEntitySource(
@@ -41683,8 +41791,27 @@ var RenderEngine = class {
           }
         }
         manifestEntry.entities[slug] = entityFileHashes;
+        const entitiesRendered = i6 + 1;
+        throttle.tick({
+          kind: "table-progress",
+          table,
+          entitiesRendered,
+          entitiesTotal,
+          tableIndex,
+          tableCount,
+          pct: entitiesTotal > 0 ? entitiesRendered / entitiesTotal * 100 : 100
+        });
       }
       manifestData[table] = manifestEntry;
+      throttle.force({
+        kind: "table-done",
+        table,
+        entitiesRendered: entitiesTotal,
+        entitiesTotal,
+        tableIndex,
+        tableCount,
+        pct: 100
+      });
     }
     return manifestData;
   }
@@ -44291,6 +44418,54 @@ var Lattice = class _Lattice {
   async insert(table, row, provenance) {
     const notInit = this._notInitError();
     if (notInit) return notInit;
+    const { sql, values, pkValue, rowWithPk } = this._prepareInsert(table, row);
+    await runAsyncOrSync(this._adapter, sql, values);
+    await this._afterInsert(table, pkValue, rowWithPk, provenance);
+    return pkValue;
+  }
+  /**
+   * Insert a row while atomically forcing its cloud row-visibility, regardless of
+   * the table's `default_row_visibility`. The per-table insert trigger reads a
+   * transaction-local GUC (`lattice.force_row_visibility`); we set it and run the
+   * INSERT inside a single transaction, so the row is stamped at `visibility` the
+   * instant it exists — it is never momentarily visible at the table default, and
+   * the change-feed `NOTIFY` (delivered only at COMMIT) fires when the row already
+   * carries this visibility. This closes the create-then-demote window that a
+   * plain `insert()` + `setRowVisibility()` would leave open.
+   *
+   * Postgres-only: SQLite is single-user (no cross-viewer leak) and has no trigger
+   * to read the GUC, so it degrades to a plain {@link insert}. A `never_share`
+   * table still wins — its rows are forced private even if `visibility` is
+   * `'everyone'` (the trigger enforces that precedence).
+   *
+   * @since 3.1.0
+   */
+  async insertForcingVisibility(table, row, visibility, provenance) {
+    const notInit = this._notInitError();
+    if (notInit) return notInit;
+    const vis = visibility;
+    if (vis !== "private" && vis !== "everyone") {
+      throw new Error(`lattice: invalid forced visibility "${vis}"`);
+    }
+    const withClient = this._adapter.withClient?.bind(this._adapter);
+    if (this.getDialect() !== "postgres" || !withClient) {
+      return this.insert(table, row, provenance);
+    }
+    const { sql, values, pkValue, rowWithPk } = this._prepareInsert(table, row);
+    await withClient(async (tx) => {
+      await tx.run(`SELECT set_config('lattice.force_row_visibility', ?, true)`, [visibility]);
+      await tx.run(sql, values);
+    });
+    await this._afterInsert(table, pkValue, rowWithPk, provenance);
+    return pkValue;
+  }
+  /**
+   * Build the INSERT statement + canonical pk for a row (sanitize → schema-filter →
+   * auto-pk → encrypt). Shared by {@link insert} and {@link insertForcingVisibility}
+   * so both produce byte-identical writes; the latter only differs in running it
+   * inside a GUC-scoped transaction.
+   */
+  _prepareInsert(table, row) {
     this._assertIdent(table);
     const sanitized = this._filterToSchemaColumns(table, this._sanitizer.sanitizeRow(row));
     const pkCols = this._schema.getPrimaryKey(table);
@@ -44306,12 +44481,17 @@ var Lattice = class _Lattice {
     const cols = Object.keys(encrypted).map((c6) => `"${c6}"`).join(", ");
     const placeholders = Object.keys(encrypted).map(() => "?").join(", ");
     const values = Object.values(encrypted);
-    await runAsyncOrSync(
-      this._adapter,
-      `INSERT INTO "${table}" (${cols}) VALUES (${placeholders})`,
-      values
-    );
     const pkValue = this._serializeRowPk(table, rowWithPk);
+    return {
+      sql: `INSERT INTO "${table}" (${cols}) VALUES (${placeholders})`,
+      values,
+      pkValue,
+      rowWithPk
+    };
+  }
+  /** Post-insert side effects (changelog, audit, write hooks, embedding sync),
+   *  identical for the plain and force-visibility insert paths. */
+  async _afterInsert(table, pkValue, rowWithPk, provenance) {
     await this._appendChangelog(
       table,
       pkValue,
@@ -44325,7 +44505,6 @@ var Lattice = class _Lattice {
     this._sanitizer.emitAudit(table, "insert", pkValue);
     await this._fireWriteHooks(table, "insert", rowWithPk, pkValue);
     this._syncEmbedding(table, "insert", rowWithPk, pkValue);
-    return pkValue;
   }
   /**
    * Insert a row and return the full inserted row (including auto-generated
@@ -44392,6 +44571,7 @@ var Lattice = class _Lattice {
     const sanitized = this._filterToSchemaColumns(table, this._sanitizer.sanitizeRow(row));
     const encrypted = this._encryptRow(table, sanitized);
     const setCols = Object.keys(encrypted).map((c6) => `"${c6}" = ?`).join(", ");
+    if (setCols === "") return;
     const { clause, params: pkParams } = this._pkWhere(table, id);
     let previousValues = null;
     if (this._changelogTables.has(table)) {
@@ -45008,13 +45188,32 @@ var Lattice = class _Lattice {
   // -------------------------------------------------------------------------
   // Sync
   // -------------------------------------------------------------------------
-  async render(outputDir) {
+  async render(outputDir, opts = {}) {
     const notInit = this._notInitError();
     if (notInit) return notInit;
-    const result = await this._render.render(outputDir);
+    const result = await this._render.render(outputDir, opts);
     for (const h6 of this._renderHandlers) h6(result);
     return result;
   }
+  /**
+   * Render into `outputDir` through the shared single-flight guard, intended to
+   * be called fire-and-forget (e.g. the GUI's instant-open background render).
+   *
+   * The guard ({@link _renderGuarded}) holds {@link _autoRenderInFlight} for the
+   * render's duration, so a data mutation that lands while this render is in
+   * flight is deferred by {@link _runAutoRender} and coalesced — when this
+   * render settles, `finally` clears the flag and re-arms exactly one follow-up
+   * render via {@link _rearmAutoRenderIfPending}. Net invariant: at most one
+   * render to a given dir at a time.
+   *
+   * Errors propagate to the caller (the GUI surfaces them, never silently swallowed); they are
+   * not swallowed here.
+   */
+  async renderInBackground(outputDir, opts = {}) {
+    const notInit = this._notInitError();
+    if (notInit) return notInit;
+    return this._renderGuarded(outputDir, opts);
+  }
   async sync(outputDir) {
     const notInit = this._notInitError();
     if (notInit) return notInit;
@@ -45356,6 +45555,30 @@ var Lattice = class _Lattice {
     }, this._autoRenderDebounceMs);
     this._autoRenderTimer.unref();
   }
+  /**
+   * Shared single-flight render path used by {@link renderInBackground}.
+   *
+   * Holds {@link _autoRenderInFlight} for the render's duration so the
+   * mutation-driven {@link _runAutoRender} defers while this render runs (it
+   * sees the flag and marks itself pending instead of starting a second,
+   * overlapping render). On settle, `finally` clears the flag and re-arms a
+   * single coalesced follow-up render if any mutation arrived mid-flight.
+   * Errors propagate to the caller; the flag is always cleared.
+   */
+  async _renderGuarded(outputDir, opts) {
+    while (this._autoRenderInFlight) {
+      await new Promise((r6) => setImmediate(r6));
+    }
+    this._autoRenderInFlight = true;
+    try {
+      const result = await this._render.render(outputDir, opts);
+      for (const h6 of this._renderHandlers) h6(result);
+      return result;
+    } finally {
+      this._autoRenderInFlight = false;
+      this._rearmAutoRenderIfPending();
+    }
+  }
   async _runAutoRender() {
     const dir = this._autoRenderDir;
     if (!dir || !this._initialized) return;
@@ -46983,6 +47206,31 @@ function pkSqlExpr(pkCols, prefix) {
   return pkCols.map((c6) => `CAST(${prefix}"${c6}" AS TEXT)`).join(` || chr(9) || `);
 }
 var MEMBER_GROUP = "lattice_members";
+function pinDefinerSearchPath(sql, schema) {
+  const safe = schema.replace(/"/g, '""');
+  return sql.replace(
+    /SECURITY DEFINER AS/g,
+    `SECURITY DEFINER SET search_path = "${safe}", pg_temp AS`
+  );
+}
+async function cloudSchema(db) {
+  const row = await getAsyncOrSync(db.adapter, `SELECT current_schema() AS schema`);
+  const s2 = row?.schema;
+  if (typeof s2 !== "string" || s2.length === 0) {
+    throw new Error("cloud RLS: could not resolve current_schema() for search_path pinning");
+  }
+  return s2;
+}
+function revokeSchemaCreateSql(schema) {
+  const lit = `'${schema.replace(/'/g, "''")}'`;
+  return `
+DO $LATTICE_REVOKE$ BEGIN
+  EXECUTE format('REVOKE CREATE ON SCHEMA %I FROM PUBLIC', ${lit});
+EXCEPTION WHEN OTHERS THEN
+  NULL; -- not the schema owner, or already revoked
+END $LATTICE_REVOKE$;
+`;
+}
 var CLOUD_RLS_BOOTSTRAP_SQL = `
 -- Member group (NOLOGIN). Members inherit schema/connect/table privileges from it;
 -- RLS filters per the individual member's login role, so the group never widens
@@ -47042,6 +47290,52 @@ CREATE TABLE IF NOT EXISTS "__lattice_cell_grants" (
   PRIMARY KEY ("table_name", "pk", "column_name", "grantee_role")
 );
+-- Per-table policy: the owner-controlled defaults that govern a whole table.
+-- default_row_visibility is the visibility NEW rows are stamped with (the insert
+-- trigger reads it); never_share is a hard exclusion \u2014 the share/grant functions
+-- refuse to elevate such a table and the trigger forces its rows private. Owner-
+-- managed; members have no grant (it never appears in their data API).
+CREATE TABLE IF NOT EXISTS "__lattice_table_policy" (
+  "table_name"             text PRIMARY KEY,
+  "default_row_visibility" text NOT NULL DEFAULT 'private'
+    CHECK ("default_row_visibility" IN ('private','everyone')),
+  "never_share"            boolean NOT NULL DEFAULT false,
+  "updated_by"             text NOT NULL DEFAULT session_user,
+  "updated_at"             timestamptz NOT NULL DEFAULT now()
+);
+-- Per-column audience policy: the CANONICAL store of which column carries which
+-- audience spec (role: / subject: / source: / owner / everyone). Previously the
+-- spec lived only in the owner's on-disk YAML and was compiled into the mask view
+-- once at init; storing it here makes it cloud-canonical and member-consistent.
+-- The generated <table>_v mask view is regenerated from THIS table on change.
+-- Owner-managed; members have no grant.
+CREATE TABLE IF NOT EXISTS "__lattice_column_policy" (
+  "table_name"  text NOT NULL,
+  "column_name" text NOT NULL,
+  "audience"    text NOT NULL,
+  "updated_by"  text NOT NULL DEFAULT session_user,
+  "updated_at"  timestamptz NOT NULL DEFAULT now(),
+  PRIMARY KEY ("table_name", "column_name")
+);
+-- Owner-only audit of issued member invites: which scoped role was minted for
+-- which email (HASHED \u2014 the plaintext email is never stored), when it expires,
+-- and whether it was redeemed/revoked. No plaintext password is ever stored
+-- (the credential lives only inside the email-bound token the owner delivers).
+-- Owner-managed; members have no grant. Named distinctly from any legacy
+-- team-model invitations table so a pre-existing cloud never collides.
+CREATE TABLE IF NOT EXISTS "__lattice_member_invites" (
+  "id"          text PRIMARY KEY,
+  "role"        text NOT NULL,
+  "email_hash"  text NOT NULL,
+  "created_by"  text NOT NULL DEFAULT session_user,
+  "created_at"  timestamptz NOT NULL DEFAULT now(),
+  "expires_at"  timestamptz NOT NULL,
+  "redeemed_at" timestamptz,
+  "revoked_at"  timestamptz
+);
 -- Visibility check. SECURITY DEFINER so it reads bookkeeping the member can't;
 -- keyed on session_user (the member's login role). A row with no ownership record
 -- is visible to nobody.
@@ -47067,6 +47361,10 @@ BEGIN
   IF p_visibility NOT IN ('private','everyone','custom') THEN
     RAISE EXCEPTION 'lattice: invalid visibility %', p_visibility;
   END IF;
+  IF p_visibility <> 'private'
+     AND COALESCE((SELECT "never_share" FROM "__lattice_table_policy" WHERE "table_name" = p_table), false) THEN
+    RAISE EXCEPTION 'lattice: "%" is a private-only table and cannot be shared', p_table;
+  END IF;
   SELECT o."owner_role" INTO v_owner FROM "__lattice_owners" o
     WHERE o."table_name" = p_table AND o."pk" = p_pk;
   IF v_owner IS NULL THEN RAISE EXCEPTION 'lattice: no ownership record for %/%', p_table, p_pk; END IF;
@@ -47080,6 +47378,9 @@ CREATE OR REPLACE FUNCTION lattice_grant_row(p_table text, p_pk text, p_grantee
 RETURNS void LANGUAGE plpgsql SECURITY DEFINER AS $fn$
 DECLARE v_owner text;
 BEGIN
+  IF COALESCE((SELECT "never_share" FROM "__lattice_table_policy" WHERE "table_name" = p_table), false) THEN
+    RAISE EXCEPTION 'lattice: "%" is a private-only table and cannot be shared', p_table;
+  END IF;
   SELECT o."owner_role" INTO v_owner FROM "__lattice_owners" o
     WHERE o."table_name" = p_table AND o."pk" = p_pk;
   IF v_owner IS NULL THEN RAISE EXCEPTION 'lattice: no ownership record for %/%', p_table, p_pk; END IF;
@@ -47169,6 +47470,9 @@ CREATE OR REPLACE FUNCTION lattice_grant_cell(p_table text, p_pk text, p_column
 RETURNS void LANGUAGE plpgsql SECURITY DEFINER AS $fn$
 DECLARE v_owner text;
 BEGIN
+  IF COALESCE((SELECT "never_share" FROM "__lattice_table_policy" WHERE "table_name" = p_table), false) THEN
+    RAISE EXCEPTION 'lattice: "%" is a private-only table and cannot be shared', p_table;
+  END IF;
   SELECT o."owner_role" INTO v_owner FROM "__lattice_owners" o
     WHERE o."table_name" = p_table AND o."pk" = p_pk;
   IF v_owner IS NULL OR v_owner <> session_user THEN
@@ -47201,6 +47505,87 @@ RETURNS boolean LANGUAGE sql STABLE SECURITY DEFINER AS $fn$
   SELECT lattice_row_visible('files', p_source_ref)
 $fn$;
+-- Is the connected member the OWNER of this row? Used by the "owner" column
+-- audience (a secret column reveals only to the row owner). SECURITY DEFINER +
+-- session_user, like the other predicates.
+CREATE OR REPLACE FUNCTION lattice_is_owner(p_table text, p_pk text)
+RETURNS boolean LANGUAGE sql STABLE SECURITY DEFINER AS $fn$
+  SELECT EXISTS (
+    SELECT 1 FROM "__lattice_owners" o
+     WHERE o."table_name" = p_table AND o."pk" = p_pk AND o."owner_role" = session_user
+  )
+$fn$;
+-- Owner-only: set a table's default row visibility for NEW rows. Raises unless the
+-- caller can create roles (a cloud owner / DBA), like lattice_assign_role. Rejects
+-- 'everyone' on a never-share table.
+CREATE OR REPLACE FUNCTION lattice_set_table_default_visibility(p_table text, p_visibility text)
+RETURNS void LANGUAGE plpgsql SECURITY DEFINER AS $fn$
+BEGIN
+  IF NOT (SELECT rolcreaterole FROM pg_roles WHERE rolname = session_user) THEN
+    RAISE EXCEPTION 'lattice: only a cloud owner may set a table''s default visibility';
+  END IF;
+  IF p_visibility NOT IN ('private','everyone') THEN
+    RAISE EXCEPTION 'lattice: invalid default visibility %', p_visibility;
+  END IF;
+  IF p_visibility = 'everyone'
+     AND COALESCE((SELECT "never_share" FROM "__lattice_table_policy" WHERE "table_name" = p_table), false) THEN
+    RAISE EXCEPTION 'lattice: "%" is a private-only table; its rows cannot default to everyone', p_table;
+  END IF;
+  INSERT INTO "__lattice_table_policy" ("table_name","default_row_visibility","updated_by","updated_at")
+    VALUES (p_table, p_visibility, session_user, now())
+    ON CONFLICT ("table_name") DO UPDATE
+      SET "default_row_visibility" = EXCLUDED."default_row_visibility",
+          "updated_by" = session_user, "updated_at" = now();
+END $fn$;
+-- Owner-only: mark a table never-shareable (Secrets/Messages-class). When true the
+-- share/grant functions raise and the insert trigger forces new rows private; the
+-- default visibility is also forced private. Turning it ON also RETROACTIVELY
+-- privatizes the table: any row currently shared ('everyone'/'custom') is reset to
+-- 'private' and every existing row/cell grant on the table is dropped \u2014 otherwise
+-- flagging a table never-share would leave already-leaked rows visible, defeating
+-- the point. Idempotent: re-running with already-private rows updates nothing.
+CREATE OR REPLACE FUNCTION lattice_set_table_never_share(p_table text, p_on boolean)
+RETURNS void LANGUAGE plpgsql SECURITY DEFINER AS $fn$
+BEGIN
+  IF NOT (SELECT rolcreaterole FROM pg_roles WHERE rolname = session_user) THEN
+    RAISE EXCEPTION 'lattice: only a cloud owner may change a table''s never-share flag';
+  END IF;
+  INSERT INTO "__lattice_table_policy" ("table_name","never_share","default_row_visibility","updated_by","updated_at")
+    VALUES (p_table, p_on, CASE WHEN p_on THEN 'private' ELSE 'private' END, session_user, now())
+    ON CONFLICT ("table_name") DO UPDATE
+      SET "never_share" = EXCLUDED."never_share",
+          "default_row_visibility" = CASE WHEN EXCLUDED."never_share"
+                                          THEN 'private' ELSE "__lattice_table_policy"."default_row_visibility" END,
+          "updated_by" = session_user, "updated_at" = now();
+  IF p_on THEN
+    UPDATE "__lattice_owners" SET "visibility" = 'private', "updated_at" = now()
+      WHERE "table_name" = p_table AND "visibility" <> 'private';
+    DELETE FROM "__lattice_row_grants"  WHERE "table_name" = p_table;
+    DELETE FROM "__lattice_cell_grants" WHERE "table_name" = p_table;
+  END IF;
+END $fn$;
+-- Owner-only: set (or clear) a column's audience spec in the canonical DB store.
+-- An empty/null spec removes the policy row (column becomes unmasked). The GUI/lib
+-- regenerates the table's mask view from this store after calling this.
+CREATE OR REPLACE FUNCTION lattice_set_column_audience(p_table text, p_column text, p_audience text)
+RETURNS void LANGUAGE plpgsql SECURITY DEFINER AS $fn$
+BEGIN
+  IF NOT (SELECT rolcreaterole FROM pg_roles WHERE rolname = session_user) THEN
+    RAISE EXCEPTION 'lattice: only a cloud owner may set a column audience';
+  END IF;
+  IF p_audience IS NULL OR btrim(p_audience) = '' THEN
+    DELETE FROM "__lattice_column_policy" WHERE "table_name" = p_table AND "column_name" = p_column;
+  ELSE
+    INSERT INTO "__lattice_column_policy" ("table_name","column_name","audience","updated_by","updated_at")
+      VALUES (p_table, p_column, p_audience, session_user, now())
+      ON CONFLICT ("table_name","column_name") DO UPDATE
+        SET "audience" = EXCLUDED."audience", "updated_by" = session_user, "updated_at" = now();
+  END IF;
+END $fn$;
 -- Append-only change feed. The per-table ownership trigger records one row per
 -- INSERT/UPDATE/DELETE; the AFTER INSERT trigger here fires pg_notify so a
 -- connected member's realtime broker refreshes. Members get no direct access \u2014
@@ -47245,7 +47630,20 @@ CREATE OR REPLACE FUNCTION "${trg}"() RETURNS trigger LANGUAGE plpgsql SECURITY
 BEGIN
   IF TG_OP = 'INSERT' THEN
     INSERT INTO "__lattice_owners" ("table_name","pk","owner_role","visibility")
-      VALUES (${lit}, ${pkNew}, session_user, 'private')
+      VALUES (${lit}, ${pkNew}, session_user,
+        CASE
+          -- never-share always wins: such a table's rows are private, full stop.
+          WHEN COALESCE((SELECT "never_share" FROM "__lattice_table_policy" WHERE "table_name" = ${lit}), false)
+            THEN 'private'
+          -- per-INSERT override: a caller forcing visibility for THIS write (e.g.
+          -- chat "private mode") sets the transaction-local lattice.force_row_visibility
+          -- GUC, so the row is stamped atomically at insert \u2014 never momentarily at
+          -- the table default, and the change-feed NOTIFY (deferred to COMMIT) only
+          -- fires once the row already carries this visibility.
+          WHEN NULLIF(current_setting('lattice.force_row_visibility', true), '') IN ('private','everyone')
+            THEN current_setting('lattice.force_row_visibility', true)
+          ELSE COALESCE((SELECT "default_row_visibility" FROM "__lattice_table_policy" WHERE "table_name" = ${lit}), 'private')
+        END)
       ON CONFLICT ("table_name","pk") DO NOTHING;
     INSERT INTO "__lattice_changes" ("table_name","pk","op","owner_role")
       VALUES (${lit}, ${pkNew}, 'upsert', session_user);
@@ -47285,19 +47683,28 @@ CREATE TRIGGER "${trg}" AFTER INSERT OR UPDATE OR DELETE ON ${q3}
 }
 async function installCloudRls(db) {
   if (!isPg(db)) return;
+  const schema = await cloudSchema(db);
   const migration = {
     // v3 added the audience helpers; v4 the role model; v5 the per-card override
-    // model (__lattice_cell_grants + lattice_cell_visible / lattice_grant_cell).
-    // The bootstrap is fully idempotent (CREATE OR REPLACE / IF NOT EXISTS).
-    version: "internal:cloud-rls:bootstrap:v5",
-    sql: CLOUD_RLS_BOOTSTRAP_SQL
+    // model (__lattice_cell_grants + lattice_cell_visible / lattice_grant_cell);
+    // v6 added per-table policy (__lattice_table_policy: default_row_visibility +
+    // never_share, enforced in the insert trigger + share/grant guards), the
+    // canonical column-audience store (__lattice_column_policy), lattice_is_owner,
+    // and the owner-only setters; v7 pins search_path on every SECURITY DEFINER
+    // helper (closes the pg_temp-shadow RLS bypass) + revokes schema CREATE from
+    // PUBLIC. The bootstrap is fully idempotent.
+    version: "internal:cloud-rls:bootstrap:v7",
+    sql: pinDefinerSearchPath(CLOUD_RLS_BOOTSTRAP_SQL, schema) + revokeSchemaCreateSql(schema)
   };
   await db.migrate([migration]);
 }
 async function enableChangelogRls(db) {
   if (!isPg(db)) return;
   const migration = {
-    version: "internal:cloud-rls:changelog:v1",
+    // v2: ground-truth/audit entries are owner-only (was lattice_row_visible),
+    // closing the masked-column-via-history leak. Bump re-installs the policy on
+    // existing clouds.
+    version: "internal:cloud-rls:changelog:v2",
     sql: `
 ALTER TABLE "__lattice_changelog" ENABLE ROW LEVEL SECURITY;
 ALTER TABLE "__lattice_changelog" FORCE ROW LEVEL SECURITY;
@@ -47312,7 +47719,7 @@ CREATE POLICY "lattice_changelog_sel" ON "__lattice_changelog" FOR SELECT USING
         SELECT 1 FROM jsonb_array_elements_text("source_ref"::jsonb) AS src(sid)
          WHERE NOT lattice_source_visible(src.sid)
       )
-    ELSE lattice_row_visible("table_name", "row_id")
+    ELSE lattice_is_owner("table_name", "row_id")
   END
 );
 DROP POLICY IF EXISTS "lattice_changelog_ins" ON "__lattice_changelog";
@@ -47323,9 +47730,10 @@ CREATE POLICY "lattice_changelog_ins" ON "__lattice_changelog" FOR INSERT WITH C
 }
 async function enableRlsForTable(db, table, pkCols) {
   if (!isPg(db)) return;
+  const schema = await cloudSchema(db);
   const migration = {
-    version: `internal:cloud-rls:table:${table}:v2`,
-    sql: tableRlsSql(table, pkCols)
+    version: `internal:cloud-rls:table:${table}:v3`,
+    sql: pinDefinerSearchPath(tableRlsSql(table, pkCols), schema)
   };
   await db.migrate([migration]);
 }
@@ -47455,12 +47863,17 @@ function isRowAudience(audience) {
   const a6 = (audience ?? "").trim();
   return a6 === "" || a6 === "everyone" || a6 === "row-audience";
 }
-function audiencePredicate(audience) {
+function audiencePredicate(audience, ctx) {
   if (isRowAudience(audience)) return "true";
   const clauses = audience.split("+").map((c6) => c6.trim()).filter(Boolean);
   const parts = [];
   for (const clause of clauses) {
     if (clause === "everyone" || clause === "row-audience") return "true";
+    if (clause === "owner") {
+      if (!ctx) throw new Error('lattice: the "owner" audience needs a row context');
+      parts.push(`lattice_is_owner(${ctx.tableLit}, ${ctx.pkExpr})`);
+      continue;
+    }
     const idx = clause.indexOf(":");
     const kind = idx === -1 ? clause : clause.slice(0, idx);
     const arg = idx === -1 ? "" : clause.slice(idx + 1).trim();
@@ -47495,7 +47908,7 @@ function audienceViewSql(table, columns, pkCols, columnAudience) {
   const selectCols = columns.map((col) => {
     const aud = columnAudience[col] ?? "";
     if (isRowAudience(aud)) return quoteIdent(col);
-    const pred = audiencePredicate(aud);
+    const pred = audiencePredicate(aud, { tableLit: lit, pkExpr });
     if (pred === "true") return quoteIdent(col);
     const colLit = `'${col.replace(/'/g, "''")}'`;
     const full = `(${pred}) OR lattice_cell_visible(${lit}, ${pkExpr}, ${colLit})`;
@@ -47530,6 +47943,92 @@ async function enableAudienceView(db, table, columns, pkCols, columnAudience) {
   };
   await db.migrate([migration]);
 }
+async function loadColumnPolicy(db, table) {
+  if (db.getDialect() !== "postgres") return {};
+  const rows = await allAsyncOrSync(
+    db.adapter,
+    `SELECT "column_name", "audience" FROM "__lattice_column_policy" WHERE "table_name" = ?`,
+    [table]
+  );
+  const out = {};
+  for (const r6 of rows) out[r6.column_name] = r6.audience;
+  return out;
+}
+async function seedColumnPolicyFromYaml(db, table, yamlAudience) {
+  if (db.getDialect() !== "postgres") return;
+  const marker = `internal:cloud-column-seed:${table}:v1`;
+  const already = await getAsyncOrSync(
+    db.adapter,
+    `SELECT 1 AS one FROM "__lattice_migrations" WHERE "version" = ?`,
+    [marker]
+  );
+  if (already) return;
+  for (const [col, aud] of Object.entries(yamlAudience)) {
+    if (isRowAudience(aud)) continue;
+    await runAsyncOrSync(
+      db.adapter,
+      `INSERT INTO "__lattice_column_policy" ("table_name","column_name","audience")
+         VALUES (?, ?, ?) ON CONFLICT ("table_name","column_name") DO NOTHING`,
+      [table, col, aud]
+    );
+  }
+  await runAsyncOrSync(
+    db.adapter,
+    `INSERT INTO "__lattice_migrations" ("version","applied_at") VALUES (?, ?)
+       ON CONFLICT ("version") DO NOTHING`,
+    [marker, (/* @__PURE__ */ new Date()).toISOString()]
+  );
+}
+async function regenerateAudienceViewFromDb(db, table, columns, pkCols) {
+  if (db.getDialect() !== "postgres") return;
+  if (pkCols.length === 0) return;
+  const spec = await loadColumnPolicy(db, table);
+  const view = quoteIdent(`${table}_v`);
+  const base = quoteIdent(table);
+  if (!tableNeedsAudienceView(spec)) {
+    await runAsyncOrSync(
+      db.adapter,
+      `DROP VIEW IF EXISTS ${view};
+GRANT SELECT ON ${base} TO ${MEMBER_GROUP};`
+    );
+    return;
+  }
+  await runAsyncOrSync(db.adapter, audienceViewSql(table, columns, pkCols, spec));
+}
+async function setColumnAudience(db, table, column, audience, columns, pkCols) {
+  if (db.getDialect() !== "postgres") return;
+  await runAsyncOrSync(db.adapter, `SELECT lattice_set_column_audience(?, ?, ?)`, [
+    table,
+    column,
+    audience
+  ]);
+  await regenerateAudienceViewFromDb(db, table, columns, pkCols);
+}
+// src/cloud/table-policy.ts
+async function getTablePolicy(db, table) {
+  if (db.getDialect() !== "postgres") return { defaultRowVisibility: "private", neverShare: false };
+  const row = await getAsyncOrSync(
+    db.adapter,
+    `SELECT "default_row_visibility", "never_share" FROM "__lattice_table_policy" WHERE "table_name" = ?`,
+    [table]
+  );
+  return {
+    defaultRowVisibility: row?.default_row_visibility === "everyone" ? "everyone" : "private",
+    neverShare: row?.never_share === true
+  };
+}
+async function setTableDefaultVisibility(db, table, visibility) {
+  if (db.getDialect() !== "postgres") return;
+  await runAsyncOrSync(db.adapter, `SELECT lattice_set_table_default_visibility(?, ?)`, [
+    table,
+    visibility
+  ]);
+}
+async function setTableNeverShare(db, table, on) {
+  if (db.getDialect() !== "postgres") return;
+  await runAsyncOrSync(db.adapter, `SELECT lattice_set_table_never_share(?, ?)`, [table, on]);
+}
 // src/cloud/fold-cache.ts
 function viewerSignature(viewer) {
@@ -47604,9 +48103,12 @@ END $fn$;
 `;
 async function installCloudSettings(db) {
   if (db.getDialect() !== "postgres") return;
+  const schema = await cloudSchema(db);
   const migration = {
-    version: "internal:cloud-settings:v1",
-    sql: CLOUD_SETTINGS_BOOTSTRAP_SQL
+    // v2 pins search_path on the two SECURITY DEFINER helpers (closes the
+    // pg_temp-shadow class of bypass on the settings getter/setter).
+    version: "internal:cloud-settings:v2",
+    sql: pinDefinerSearchPath(CLOUD_SETTINGS_BOOTSTRAP_SQL, schema)
   };
   await db.migrate([migration]);
 }
@@ -47633,7 +48135,8 @@ async function secureCloud(db) {
   await installCloudSettings(db);
   await db.ensureObservationSubstrate();
   await enableChangelogRls(db);
-  for (const table of db.getRegisteredTableNames()) {
+  const registered = db.getRegisteredTableNames();
+  for (const table of registered) {
     if (table.startsWith("__lattice_") || table.startsWith("_lattice_")) continue;
     const pk = db.getPrimaryKey(table);
     if (pk.length === 0) continue;
@@ -47641,9 +48144,21 @@ async function secureCloud(db) {
     await enableRlsForTable(db, table, pk);
     const cols = db.getRegisteredColumns(table);
     if (cols) {
-      await enableAudienceView(db, table, Object.keys(cols), pk, db.getColumnAudience(table));
+      await seedColumnPolicyFromYaml(db, table, db.getColumnAudience(table));
+      await regenerateAudienceViewFromDb(db, table, Object.keys(cols), pk);
     }
   }
+  if (registered.includes("secrets")) {
+    await runAsyncOrSync(db.adapter, `SELECT lattice_set_table_never_share('secrets', true)`);
+  }
+  await runAsyncOrSync(
+    db.adapter,
+    `DO $LATTICE$ BEGIN
+       IF to_regclass('__lattice_user_identity') IS NOT NULL THEN
+         EXECUTE 'GRANT SELECT, INSERT, UPDATE ON "__lattice_user_identity" TO ${MEMBER_GROUP}';
+       END IF;
+     END $LATTICE$`
+  );
 }
 // src/ai/llm-client.ts
@@ -48237,6 +48752,7 @@ export {
   NATIVE_ENTITY_NAMES,
   NATIVE_REGISTRY_TABLE,
   PostgresAdapter,
+  ProgressThrottle,
   READ_ONLY_HEADER,
   ROOT_DIRNAME,
   ReferenceUnavailableError,
@@ -48300,6 +48816,7 @@ export {
   getCloudSetting,
   getDbCredential,
   getOrCreateMasterKey,
+  getTablePolicy,
   getWorkspace,
   grantCell,
   hasFtsIndex,
@@ -48317,6 +48834,7 @@ export {
   listNativeBindings,
   listTokens,
   listWorkspaces,
+  loadColumnPolicy,
   manifestPath,
   markdownTable,
   memberRoleName,
@@ -48344,6 +48862,7 @@ export {
   readToken,
   referenceLocalFile,
   referenceUrl,
+  regenerateAudienceViewFromDb,
   registerNativeEntities,
   registryPath,
   resolveActiveS3Config,
@@ -48358,9 +48877,13 @@ export {
   saveDbCredentialForTeam,
   sealUnderSource,
   secureCloud,
+  seedColumnPolicyFromYaml,
   setActiveWorkspace,
   setCloudSetting,
+  setColumnAudience,
   setRowVisibility,
+  setTableDefaultVisibility,
+  setTableNeverShare,
   shredSource,
   slugify,
   summarizeText,