latticesql 3.0.0 → 3.2.0

package/dist/index.js

@@ -41438,7 +41438,68 @@ function cleanupEntityContexts(outputDir, entityContexts, currentSlugsByTable, m
   return result;
 }
 
+// src/render/progress.ts
+var THROTTLE_WINDOW_MS = 200;
+var ProgressThrottle = class {
+  cb;
+  windowMs;
+  /**
+   * Last passthrough time, keyed per table (`event.table`, or `''` for the
+   * table-less `done`/`error` lifecycle events). Per-table — not a single shared
+   * clock — so when tables render CONCURRENTLY each one keeps its own ~5/sec
+   * budget: a fast table can't consume the window and starve a slow table's
+   * progress. `force` (table-start) resets only that table's budget.
+   */
+  lastEmit = /* @__PURE__ */ new Map();
+  constructor(cb, windowMs = THROTTLE_WINDOW_MS) {
+    this.cb = cb;
+    this.windowMs = windowMs;
+  }
+  /**
+   * Emit a `table-progress` event, but only if the window since this table's
+   * last passthrough has elapsed. Dropped events are simply not delivered — the
+   * next one that survives carries the latest running count.
+   */
+  tick(event) {
+    if (!this.cb) return;
+    const key = event.table ?? "";
+    const now = Date.now();
+    if (now - (this.lastEmit.get(key) ?? 0) < this.windowMs) return;
+    this.lastEmit.set(key, now);
+    this.cb(event);
+  }
+  /**
+   * Emit a lifecycle event immediately and reset this table's throttle window.
+   * Use for `table-start`, `table-done`, `done`, and `error` — none of which
+   * should ever be dropped. Resetting on `table-start` gives each table a clean
+   * budget.
+   */
+  force(event) {
+    if (!this.cb) return;
+    this.lastEmit.set(event.table ?? "", Date.now());
+    this.cb(event);
+  }
+};
+
+// src/concurrency.ts
+async function mapWithConcurrency(items, limit, fn) {
+  const results = new Array(items.length);
+  let next = 0;
+  const workerCount = Math.max(1, Math.min(limit, items.length));
+  const workers = Array.from({ length: workerCount }, async () => {
+    for (; ; ) {
+      const i6 = next++;
+      if (i6 >= items.length) break;
+      results[i6] = await fn(items[i6], i6);
+    }
+  });
+  await Promise.all(workers);
+  return results;
+}
+
 // src/render/engine.ts
+var YIELD_EVERY_ENTITIES = 200;
+var RENDER_TABLE_CONCURRENCY = 4;
 var NOOP_RENDER = () => "";
 var RenderEngine = class {
   _schema;
@@ -41452,11 +41513,14 @@ var RenderEngine = class {
     this._getTaskContext = getTaskContext ?? (() => "");
     this._skipEmpty = options?.skipEmpty ?? false;
   }
-  async render(outputDir) {
+  async render(outputDir, opts = {}) {
     const start = Date.now();
     const filesWritten = [];
     const counters = { skipped: 0 };
+    const signal = opts.signal;
+    const throttle = new ProgressThrottle(opts.onProgress);
     for (const [name, def] of this._schema.getTables()) {
+      if (signal?.aborted) return this._abortedResult(filesWritten, counters, start);
       if (this._skipEmpty && def.render === NOOP_RENDER) continue;
       let rows = await this._schema.queryTable(this._adapter, name);
       if (def.relevanceFilter) {
@@ -41498,8 +41562,18 @@ var RenderEngine = class {
       } else {
         counters.skipped++;
       }
+      throttle.force({
+        kind: "table-done",
+        table: name,
+        entitiesRendered: rows.length,
+        entitiesTotal: rows.length,
+        tableIndex: 0,
+        tableCount: 0,
+        pct: 100
+      });
     }
-    for (const [, def] of this._schema.getMultis()) {
+    for (const [name, def] of this._schema.getMultis()) {
+      if (signal?.aborted) return this._abortedResult(filesWritten, counters, start);
       const keys = await def.keys();
       const tables = {};
       if (def.tables) {
@@ -41516,12 +41590,26 @@ var RenderEngine = class {
           counters.skipped++;
         }
       }
+      throttle.force({
+        kind: "table-done",
+        table: name,
+        entitiesRendered: keys.length,
+        entitiesTotal: keys.length,
+        tableIndex: 0,
+        tableCount: 0,
+        pct: 100
+      });
     }
     const entityContextManifest = await this._renderEntityContexts(
       outputDir,
       filesWritten,
-      counters
+      counters,
+      throttle,
+      signal
     );
+    if (entityContextManifest === null) {
+      return this._abortedResult(filesWritten, counters, start);
+    }
     if (this._schema.getEntityContexts().size > 0) {
       writeManifest(outputDir, {
         version: 2,
@@ -41529,6 +41617,29 @@ var RenderEngine = class {
         entityContexts: entityContextManifest
       });
     }
+    const result = {
+      filesWritten,
+      filesSkipped: counters.skipped,
+      durationMs: Date.now() - start
+    };
+    throttle.force({
+      kind: "done",
+      table: null,
+      entitiesRendered: 0,
+      entitiesTotal: 0,
+      tableIndex: 0,
+      tableCount: 0,
+      pct: 100,
+      durationMs: result.durationMs
+    });
+    return result;
+  }
+  /**
+   * Build the partial RenderResult to return when a render is aborted. No
+   * `done` event is emitted — the caller treats abort as "discard the partial
+   * tree", not as a successful completion.
+   */
+  _abortedResult(filesWritten, counters, start) {
     return {
       filesWritten,
       filesSkipped: counters.skipped,
@@ -41564,127 +41675,181 @@ var RenderEngine = class {
   /**
    * Render all entity context definitions.
    * Mutates `filesWritten` and `counters` in place.
-   * Returns manifest data for the entity contexts rendered this cycle.
+   * Returns manifest data for the entity contexts rendered this cycle, or
+   * `null` if the render was aborted mid-flight (the caller discards the
+   * partial tree). Progress is reported through `throttle`; abort is observed
+   * via `signal`.
    */
-  async _renderEntityContexts(outputDir, filesWritten, counters) {
-    const manifestData = {};
+  async _renderEntityContexts(outputDir, filesWritten, counters, throttle, signal) {
     const protectedTables = /* @__PURE__ */ new Set();
     for (const [t8, d6] of this._schema.getEntityContexts()) {
       if (d6.protected) protectedTables.add(t8);
     }
-    for (const [table, def] of this._schema.getEntityContexts()) {
-      const entityPk = this._schema.getPrimaryKey(table)[0] ?? "id";
-      const allRows = await this._schema.queryTable(this._adapter, table);
-      const directoryRoot = def.directoryRoot ?? table;
-      const manifestEntry = {
-        directoryRoot,
-        ...def.index ? { indexFile: def.index.outputFile } : {},
-        declaredFiles: Object.keys(def.files),
-        protectedFiles: def.protectedFiles ?? [],
-        entities: {}
-      };
-      if (def.index) {
-        const indexPath = join4(outputDir, def.index.outputFile);
-        if (atomicWrite(indexPath, def.index.render(allRows))) {
-          filesWritten.push(indexPath);
-        } else {
-          counters.skipped++;
-        }
-      }
-      for (const entityRow of allRows) {
-        const rawSlug = def.slug(entityRow);
-        const slug = rawSlug.replace(/[\u00A0\u2000-\u200B\u202F\u205F\u3000]/g, " ").replace(/[\u0000-\u001F\u007F]/g, "");
-        if (/[^a-zA-Z0-9.\-_ @(),#&'+:;!~[\]]/.test(slug)) {
-          throw new Error(`Invalid slug "${slug}": contains characters outside the allowed set`);
-        }
-        const entityDir = def.directory ? join4(outputDir, def.directory(entityRow)) : join4(outputDir, directoryRoot, slug);
-        const resolvedDir = resolve(entityDir);
-        const resolvedBase = resolve(outputDir);
-        if (!resolvedDir.startsWith(resolvedBase + sep) && resolvedDir !== resolvedBase) {
-          throw new Error(`Path traversal detected: slug "${slug}" escapes output directory`);
+    const entityTables = [...this._schema.getEntityContexts()];
+    const tableCount = entityTables.length;
+    if (signal?.aborted) return null;
+    const renderedEntries = await mapWithConcurrency(
+      entityTables,
+      RENDER_TABLE_CONCURRENCY,
+      async ([table, def], tableIndex) => {
+        if (signal?.aborted) return null;
+        const entityPk = this._schema.getPrimaryKey(table)[0] ?? "id";
+        const allRows = await this._schema.queryTable(this._adapter, table);
+        const directoryRoot = def.directoryRoot ?? table;
+        const entitiesTotal = allRows.length;
+        throttle.force({
+          kind: "table-start",
+          table,
+          entitiesRendered: 0,
+          entitiesTotal,
+          tableIndex,
+          tableCount,
+          pct: 0
+        });
+        const manifestEntry = {
+          directoryRoot,
+          ...def.index ? { indexFile: def.index.outputFile } : {},
+          declaredFiles: Object.keys(def.files),
+          protectedFiles: def.protectedFiles ?? [],
+          entities: {}
+        };
+        if (def.index) {
+          const indexPath = join4(outputDir, def.index.outputFile);
+          if (atomicWrite(indexPath, def.index.render(allRows))) {
+            filesWritten.push(indexPath);
+          } else {
+            counters.skipped++;
+          }
         }
-        mkdirSync2(entityDir, { recursive: true });
-        if (def.attachFileColumn) {
-          const filePath = entityRow[def.attachFileColumn];
-          if (filePath && typeof filePath === "string" && filePath.length > 0) {
-            if (def.attachFileMode === "reference") {
-              const refPath = join4(entityDir, `${basename(filePath)}.ref.md`);
-              try {
-                atomicWrite(refPath, `# Reference
+        for (let i6 = 0; i6 < allRows.length; i6++) {
+          const entityRow = allRows[i6];
+          if (signal?.aborted) return null;
+          if (i6 > 0 && i6 % YIELD_EVERY_ENTITIES === 0) {
+            await new Promise((r6) => setImmediate(r6));
+          }
+          const rawSlug = def.slug(entityRow);
+          const slug = rawSlug.replace(/[\u00A0\u2000-\u200B\u202F\u205F\u3000]/g, " ").replace(/[\u0000-\u001F\u007F]/g, "");
+          if (/[^a-zA-Z0-9.\-_ @(),#&'+:;!~[\]]/.test(slug)) {
+            throw new Error(`Invalid slug "${slug}": contains characters outside the allowed set`);
+          }
+          const entityDir = def.directory ? join4(outputDir, def.directory(entityRow)) : join4(outputDir, directoryRoot, slug);
+          const resolvedDir = resolve(entityDir);
+          const resolvedBase = resolve(outputDir);
+          if (!resolvedDir.startsWith(resolvedBase + sep) && resolvedDir !== resolvedBase) {
+            throw new Error(`Path traversal detected: slug "${slug}" escapes output directory`);
+          }
+          mkdirSync2(entityDir, { recursive: true });
+          if (def.attachFileColumn) {
+            const filePath = entityRow[def.attachFileColumn];
+            if (filePath && typeof filePath === "string" && filePath.length > 0) {
+              if (def.attachFileMode === "reference") {
+                const refPath = join4(entityDir, `${basename(filePath)}.ref.md`);
+                try {
+                  atomicWrite(refPath, `# Reference
 
 - **location:** ${filePath}
 `);
-                filesWritten.push(refPath);
-              } catch {
-              }
-            } else {
-              const absPath = isAbsolute(filePath) ? filePath : resolve(outputDir, filePath);
-              if (existsSync4(absPath)) {
-                const destPath = join4(entityDir, basename(absPath));
-                if (!existsSync4(destPath)) {
-                  try {
-                    copyFileSync2(absPath, destPath);
-                    filesWritten.push(destPath);
-                  } catch {
+                  filesWritten.push(refPath);
+                } catch {
+                }
+              } else {
+                const absPath = isAbsolute(filePath) ? filePath : resolve(outputDir, filePath);
+                if (existsSync4(absPath)) {
+                  const destPath = join4(entityDir, basename(absPath));
+                  if (!existsSync4(destPath)) {
+                    try {
+                      copyFileSync2(absPath, destPath);
+                      filesWritten.push(destPath);
+                    } catch {
+                    }
                   }
                 }
               }
             }
           }
-        }
-        const renderedFiles = /* @__PURE__ */ new Map();
-        const entityFileHashes = {};
-        const protection = protectedTables.size > 0 ? { protectedTables, currentTable: table } : void 0;
-        for (const [filename, spec] of Object.entries(def.files)) {
-          const mergeDefaults = def.sourceDefaults && spec.source.type !== "self" && spec.source.type !== "custom" && spec.source.type !== "enriched";
-          const source = mergeDefaults ? { ...def.sourceDefaults, ...spec.source } : spec.source;
-          const rows = await resolveEntitySource(
-            source,
-            entityRow,
-            entityPk,
-            this._adapter,
-            protection
-          );
-          if (spec.omitIfEmpty && rows.length === 0) continue;
-          const renderFn = compileEntityRender(spec.render);
-          const content = truncateContent(renderFn(rows), spec.budget);
-          renderedFiles.set(filename, content);
-          entityFileHashes[filename] = { hash: contentHash(content) };
-          const filePath = join4(entityDir, filename);
-          if (atomicWrite(filePath, content)) {
-            filesWritten.push(filePath);
-          } else {
-            counters.skipped++;
-          }
-        }
-        const fileKeys = Object.keys(def.files);
-        const effectiveCombined = def.combined ?? (fileKeys.length > 1 && renderedFiles.size > 1 ? (
-          // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
-          { outputFile: fileKeys[0] }
-        ) : void 0);
-        if (effectiveCombined && renderedFiles.size > 0) {
-          const excluded = new Set(effectiveCombined.exclude ?? []);
-          const parts = [];
-          for (const filename of Object.keys(def.files)) {
-            if (!excluded.has(filename) && renderedFiles.has(filename)) {
-              parts.push(renderedFiles.get(filename) ?? "");
-            }
-          }
-          if (parts.length > 0) {
-            const combinedContent = parts.join("\n\n---\n\n");
-            const combinedPath = join4(entityDir, effectiveCombined.outputFile);
-            if (atomicWrite(combinedPath, combinedContent)) {
-              filesWritten.push(combinedPath);
+          const renderedFiles = /* @__PURE__ */ new Map();
+          const entityFileHashes = {};
+          const protection = protectedTables.size > 0 ? { protectedTables, currentTable: table } : void 0;
+          for (const [filename, spec] of Object.entries(def.files)) {
+            if (signal?.aborted) return null;
+            const mergeDefaults = def.sourceDefaults && spec.source.type !== "self" && spec.source.type !== "custom" && spec.source.type !== "enriched";
+            const source = mergeDefaults ? { ...def.sourceDefaults, ...spec.source } : spec.source;
+            const rows = await resolveEntitySource(
+              source,
+              entityRow,
+              entityPk,
+              this._adapter,
+              protection
+            );
+            if (spec.omitIfEmpty && rows.length === 0) continue;
+            const renderFn = compileEntityRender(spec.render);
+            const content = truncateContent(renderFn(rows), spec.budget);
+            renderedFiles.set(filename, content);
+            entityFileHashes[filename] = { hash: contentHash(content) };
+            const filePath = join4(entityDir, filename);
+            if (atomicWrite(filePath, content)) {
+              filesWritten.push(filePath);
             } else {
               counters.skipped++;
             }
-            renderedFiles.set(effectiveCombined.outputFile, combinedContent);
-            entityFileHashes[effectiveCombined.outputFile] = { hash: contentHash(combinedContent) };
           }
+          const fileKeys = Object.keys(def.files);
+          const effectiveCombined = def.combined ?? (fileKeys.length > 1 && renderedFiles.size > 1 ? (
+            // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+            { outputFile: fileKeys[0] }
+          ) : void 0);
+          if (effectiveCombined && renderedFiles.size > 0) {
+            const excluded = new Set(effectiveCombined.exclude ?? []);
+            const parts = [];
+            for (const filename of Object.keys(def.files)) {
+              if (!excluded.has(filename) && renderedFiles.has(filename)) {
+                parts.push(renderedFiles.get(filename) ?? "");
+              }
+            }
+            if (parts.length > 0) {
+              const combinedContent = parts.join("\n\n---\n\n");
+              const combinedPath = join4(entityDir, effectiveCombined.outputFile);
+              if (atomicWrite(combinedPath, combinedContent)) {
+                filesWritten.push(combinedPath);
+              } else {
+                counters.skipped++;
+              }
+              renderedFiles.set(effectiveCombined.outputFile, combinedContent);
+              entityFileHashes[effectiveCombined.outputFile] = {
+                hash: contentHash(combinedContent)
+              };
+            }
+          }
+          manifestEntry.entities[slug] = entityFileHashes;
+          const entitiesRendered = i6 + 1;
+          throttle.tick({
+            kind: "table-progress",
+            table,
+            entitiesRendered,
+            entitiesTotal,
+            tableIndex,
+            tableCount,
+            pct: entitiesTotal > 0 ? entitiesRendered / entitiesTotal * 100 : 100
+          });
         }
-        manifestEntry.entities[slug] = entityFileHashes;
+        throttle.force({
+          kind: "table-done",
+          table,
+          entitiesRendered: entitiesTotal,
+          entitiesTotal,
+          tableIndex,
+          tableCount,
+          pct: 100
+        });
+        return manifestEntry;
       }
-      manifestData[table] = manifestEntry;
+    );
+    if (signal?.aborted) return null;
+    const manifestData = {};
+    for (let i6 = 0; i6 < renderedEntries.length; i6++) {
+      const entry = renderedEntries[i6];
+      if (entry == null) return null;
+      manifestData[entityTables[i6][0]] = entry;
     }
     return manifestData;
   }
@@ -42944,14 +43109,27 @@ function buildParsedConfig(raw, sourceName, configDir2) {
   const entityContexts = parseEntityContexts(config.entityContexts);
   return name !== void 0 ? { dbPath, name, tables, entityContexts } : { dbPath, tables, entityContexts };
 }
+function isDbRefShaped(raw) {
+  return /^\s*\$\{LATTICE_DB:/.test(raw);
+}
+function parseDbRef(raw) {
+  const m4 = /^\$\{LATTICE_DB:([A-Za-z0-9._-]+)\}$/.exec(raw.trim());
+  return m4 ? { label: m4[1] ?? "" } : null;
+}
 function resolveDbPath(raw, configDir2) {
-  const labelMatch = /^\$\{LATTICE_DB:([A-Za-z0-9._-]+)\}$/.exec(raw.trim());
-  if (labelMatch) {
-    const label = labelMatch[1] ?? "";
-    const url = getDbCredential(label);
+  if (isDbRefShaped(raw)) {
+    const ref = parseDbRef(raw);
+    if (!ref) {
+      throw new Error(
+        `Lattice: malformed \${LATTICE_DB:\u2026} reference ${JSON.stringify(
+          raw.trim()
+        )} \u2014 the label may contain only [A-Za-z0-9._-] (no spaces). This usually means a workspace was created with an unsanitized name.`
+      );
+    }
+    const url = getDbCredential(ref.label);
     if (!url) {
       throw new Error(
-        `Lattice: config references \${LATTICE_DB:${label}} but no credential is saved for "${label}". Save one via the GUI's Database panel or set LATTICE_DB_${label}.`
+        `Lattice: config references \${LATTICE_DB:${ref.label}} but no credential is saved for "${ref.label}". Save one via the GUI's Database panel or set LATTICE_DB_${ref.label}.`
       );
     }
     return url;
@@ -42959,6 +43137,13 @@ function resolveDbPath(raw, configDir2) {
   if (/^postgres(ql)?:\/\//i.test(raw) || raw.startsWith("file:") || raw === ":memory:") {
     return raw;
   }
+  if (raw.includes("${")) {
+    throw new Error(
+      `Lattice: refusing to treat ${JSON.stringify(
+        raw.trim()
+      )} as a database path \u2014 it looks like a malformed variable reference, not a file path.`
+    );
+  }
   return resolve2(configDir2, raw);
 }
 var warnedDeprecatedRefs = /* @__PURE__ */ new Set();
@@ -44291,6 +44476,54 @@ var Lattice = class _Lattice {
   async insert(table, row, provenance) {
     const notInit = this._notInitError();
     if (notInit) return notInit;
+    const { sql, values, pkValue, rowWithPk } = this._prepareInsert(table, row);
+    await runAsyncOrSync(this._adapter, sql, values);
+    await this._afterInsert(table, pkValue, rowWithPk, provenance);
+    return pkValue;
+  }
+  /**
+   * Insert a row while atomically forcing its cloud row-visibility, regardless of
+   * the table's `default_row_visibility`. The per-table insert trigger reads a
+   * transaction-local GUC (`lattice.force_row_visibility`); we set it and run the
+   * INSERT inside a single transaction, so the row is stamped at `visibility` the
+   * instant it exists — it is never momentarily visible at the table default, and
+   * the change-feed `NOTIFY` (delivered only at COMMIT) fires when the row already
+   * carries this visibility. This closes the create-then-demote window that a
+   * plain `insert()` + `setRowVisibility()` would leave open.
+   *
+   * Postgres-only: SQLite is single-user (no cross-viewer leak) and has no trigger
+   * to read the GUC, so it degrades to a plain {@link insert}. A `never_share`
+   * table still wins — its rows are forced private even if `visibility` is
+   * `'everyone'` (the trigger enforces that precedence).
+   *
+   * @since 3.1.0
+   */
+  async insertForcingVisibility(table, row, visibility, provenance) {
+    const notInit = this._notInitError();
+    if (notInit) return notInit;
+    const vis = visibility;
+    if (vis !== "private" && vis !== "everyone") {
+      throw new Error(`lattice: invalid forced visibility "${vis}"`);
+    }
+    const withClient = this._adapter.withClient?.bind(this._adapter);
+    if (this.getDialect() !== "postgres" || !withClient) {
+      return this.insert(table, row, provenance);
+    }
+    const { sql, values, pkValue, rowWithPk } = this._prepareInsert(table, row);
+    await withClient(async (tx) => {
+      await tx.run(`SELECT set_config('lattice.force_row_visibility', ?, true)`, [visibility]);
+      await tx.run(sql, values);
+    });
+    await this._afterInsert(table, pkValue, rowWithPk, provenance);
+    return pkValue;
+  }
+  /**
+   * Build the INSERT statement + canonical pk for a row (sanitize → schema-filter →
+   * auto-pk → encrypt). Shared by {@link insert} and {@link insertForcingVisibility}
+   * so both produce byte-identical writes; the latter only differs in running it
+   * inside a GUC-scoped transaction.
+   */
+  _prepareInsert(table, row) {
     this._assertIdent(table);
     const sanitized = this._filterToSchemaColumns(table, this._sanitizer.sanitizeRow(row));
     const pkCols = this._schema.getPrimaryKey(table);
@@ -44306,12 +44539,17 @@ var Lattice = class _Lattice {
     const cols = Object.keys(encrypted).map((c6) => `"${c6}"`).join(", ");
     const placeholders = Object.keys(encrypted).map(() => "?").join(", ");
     const values = Object.values(encrypted);
-    await runAsyncOrSync(
-      this._adapter,
-      `INSERT INTO "${table}" (${cols}) VALUES (${placeholders})`,
-      values
-    );
     const pkValue = this._serializeRowPk(table, rowWithPk);
+    return {
+      sql: `INSERT INTO "${table}" (${cols}) VALUES (${placeholders})`,
+      values,
+      pkValue,
+      rowWithPk
+    };
+  }
+  /** Post-insert side effects (changelog, audit, write hooks, embedding sync),
+   *  identical for the plain and force-visibility insert paths. */
+  async _afterInsert(table, pkValue, rowWithPk, provenance) {
     await this._appendChangelog(
       table,
       pkValue,
@@ -44325,7 +44563,6 @@ var Lattice = class _Lattice {
     this._sanitizer.emitAudit(table, "insert", pkValue);
     await this._fireWriteHooks(table, "insert", rowWithPk, pkValue);
     this._syncEmbedding(table, "insert", rowWithPk, pkValue);
-    return pkValue;
   }
   /**
    * Insert a row and return the full inserted row (including auto-generated
@@ -44392,6 +44629,7 @@ var Lattice = class _Lattice {
     const sanitized = this._filterToSchemaColumns(table, this._sanitizer.sanitizeRow(row));
     const encrypted = this._encryptRow(table, sanitized);
     const setCols = Object.keys(encrypted).map((c6) => `"${c6}" = ?`).join(", ");
+    if (setCols === "") return;
     const { clause, params: pkParams } = this._pkWhere(table, id);
     let previousValues = null;
     if (this._changelogTables.has(table)) {
@@ -45008,13 +45246,32 @@ var Lattice = class _Lattice {
   // -------------------------------------------------------------------------
   // Sync
   // -------------------------------------------------------------------------
-  async render(outputDir) {
+  async render(outputDir, opts = {}) {
     const notInit = this._notInitError();
     if (notInit) return notInit;
-    const result = await this._render.render(outputDir);
+    const result = await this._render.render(outputDir, opts);
     for (const h6 of this._renderHandlers) h6(result);
     return result;
   }
+  /**
+   * Render into `outputDir` through the shared single-flight guard, intended to
+   * be called fire-and-forget (e.g. the GUI's instant-open background render).
+   *
+   * The guard ({@link _renderGuarded}) holds {@link _autoRenderInFlight} for the
+   * render's duration, so a data mutation that lands while this render is in
+   * flight is deferred by {@link _runAutoRender} and coalesced — when this
+   * render settles, `finally` clears the flag and re-arms exactly one follow-up
+   * render via {@link _rearmAutoRenderIfPending}. Net invariant: at most one
+   * render to a given dir at a time.
+   *
+   * Errors propagate to the caller (the GUI surfaces them, never silently swallowed); they are
+   * not swallowed here.
+   */
+  async renderInBackground(outputDir, opts = {}) {
+    const notInit = this._notInitError();
+    if (notInit) return notInit;
+    return this._renderGuarded(outputDir, opts);
+  }
   async sync(outputDir) {
     const notInit = this._notInitError();
     if (notInit) return notInit;
@@ -45356,6 +45613,30 @@ var Lattice = class _Lattice {
     }, this._autoRenderDebounceMs);
     this._autoRenderTimer.unref();
   }
+  /**
+   * Shared single-flight render path used by {@link renderInBackground}.
+   *
+   * Holds {@link _autoRenderInFlight} for the render's duration so the
+   * mutation-driven {@link _runAutoRender} defers while this render runs (it
+   * sees the flag and marks itself pending instead of starting a second,
+   * overlapping render). On settle, `finally` clears the flag and re-arms a
+   * single coalesced follow-up render if any mutation arrived mid-flight.
+   * Errors propagate to the caller; the flag is always cleared.
+   */
+  async _renderGuarded(outputDir, opts) {
+    while (this._autoRenderInFlight) {
+      await new Promise((r6) => setImmediate(r6));
+    }
+    this._autoRenderInFlight = true;
+    try {
+      const result = await this._render.render(outputDir, opts);
+      for (const h6 of this._renderHandlers) h6(result);
+      return result;
+    } finally {
+      this._autoRenderInFlight = false;
+      this._rearmAutoRenderIfPending();
+    }
+  }
   async _runAutoRender() {
     const dir = this._autoRenderDir;
     if (!dir || !this._initialized) return;
@@ -46916,7 +47197,7 @@ function archiveLocalSqlite(dbPath) {
 async function cloudRlsInstalled(probe) {
   const row = await getAsyncOrSync(
     probe.adapter,
-    `SELECT to_regclass('public.__lattice_owners') AS reg`
+    `SELECT to_regclass('__lattice_owners') AS reg`
   );
   return !!row && row.reg != null;
 }
@@ -46973,6 +47254,19 @@ function isPostgresUrl(url) {
 }
 
 // src/cloud/rls.ts
+async function runCloudBootstrapSql(db, sql) {
+  const adapter = db.adapter;
+  if (adapter.withClient) {
+    await adapter.withClient(async (tx) => {
+      await tx.run("SELECT pg_advisory_xact_lock($1::bigint)", [
+        LATTICE_MIGRATION_LOCK_ID.toString()
+      ]);
+      await tx.run(sql);
+    });
+  } else {
+    await runAsyncOrSync(adapter, sql);
+  }
+}
 function isPg(db) {
   return db.getDialect() === "postgres";
 }
@@ -46983,6 +47277,31 @@ function pkSqlExpr(pkCols, prefix) {
   return pkCols.map((c6) => `CAST(${prefix}"${c6}" AS TEXT)`).join(` || chr(9) || `);
 }
 var MEMBER_GROUP = "lattice_members";
+function pinDefinerSearchPath(sql, schema) {
+  const safe = schema.replace(/"/g, '""');
+  return sql.replace(
+    /SECURITY DEFINER AS/g,
+    `SECURITY DEFINER SET search_path = "${safe}", pg_temp AS`
+  );
+}
+async function cloudSchema(db) {
+  const row = await getAsyncOrSync(db.adapter, `SELECT current_schema() AS schema`);
+  const s2 = row?.schema;
+  if (typeof s2 !== "string" || s2.length === 0) {
+    throw new Error("cloud RLS: could not resolve current_schema() for search_path pinning");
+  }
+  return s2;
+}
+function revokeSchemaCreateSql(schema) {
+  const lit = `'${schema.replace(/'/g, "''")}'`;
+  return `
+DO $LATTICE_REVOKE$ BEGIN
+  EXECUTE format('REVOKE CREATE ON SCHEMA %I FROM PUBLIC', ${lit});
+EXCEPTION WHEN OTHERS THEN
+  NULL; -- not the schema owner, or already revoked
+END $LATTICE_REVOKE$;
+`;
+}
 var CLOUD_RLS_BOOTSTRAP_SQL = `
 -- Member group (NOLOGIN). Members inherit schema/connect/table privileges from it;
 -- RLS filters per the individual member's login role, so the group never widens
@@ -47042,6 +47361,82 @@ CREATE TABLE IF NOT EXISTS "__lattice_cell_grants" (
   PRIMARY KEY ("table_name", "pk", "column_name", "grantee_role")
 );
 
+-- Per-table policy: the owner-controlled defaults that govern a whole table.
+-- default_row_visibility is the visibility NEW rows are stamped with (the insert
+-- trigger reads it); never_share is a hard exclusion \u2014 the share/grant functions
+-- refuse to elevate such a table and the trigger forces its rows private. Owner-
+-- managed; members have no grant (it never appears in their data API).
+CREATE TABLE IF NOT EXISTS "__lattice_table_policy" (
+  "table_name"             text PRIMARY KEY,
+  "default_row_visibility" text NOT NULL DEFAULT 'private'
+    CHECK ("default_row_visibility" IN ('private','everyone')),
+  "never_share"            boolean NOT NULL DEFAULT false,
+  "updated_by"             text NOT NULL DEFAULT session_user,
+  "updated_at"             timestamptz NOT NULL DEFAULT now()
+);
+
+-- Per-column audience policy: the CANONICAL store of which column carries which
+-- audience spec (role: / subject: / source: / owner / everyone). Previously the
+-- spec lived only in the owner's on-disk YAML and was compiled into the mask view
+-- once at init; storing it here makes it cloud-canonical and member-consistent.
+-- The generated <table>_v mask view is regenerated from THIS table on change.
+-- Owner-managed; members have no grant.
+CREATE TABLE IF NOT EXISTS "__lattice_column_policy" (
+  "table_name"  text NOT NULL,
+  "column_name" text NOT NULL,
+  "audience"    text NOT NULL,
+  "updated_by"  text NOT NULL DEFAULT session_user,
+  "updated_at"  timestamptz NOT NULL DEFAULT now(),
+  PRIMARY KEY ("table_name", "column_name")
+);
+
+-- Owner-only audit of issued member invites: which scoped role was minted for
+-- which email (HASHED \u2014 the plaintext email is never stored), when it expires,
+-- and whether it was redeemed/revoked. No plaintext password is ever stored
+-- (the credential lives only inside the email-bound token the owner delivers).
+-- Owner-managed; members have no grant. Named distinctly from any legacy
+-- team-model invitations table so a pre-existing cloud never collides.
+CREATE TABLE IF NOT EXISTS "__lattice_member_invites" (
+  "id"          text PRIMARY KEY,
+  "role"        text NOT NULL,
+  "email_hash"  text NOT NULL,
+  "email"       text,
+  "created_by"  text NOT NULL DEFAULT session_user,
+  "created_at"  timestamptz NOT NULL DEFAULT now(),
+  "expires_at"  timestamptz NOT NULL,
+  "redeemed_at" timestamptz,
+  "revoked_at"  timestamptz
+);
+-- Plaintext invitee email (owner-only table; members have no grant) so the
+-- owner's Members list can show who each member is. Added via ALTER so clouds
+-- created before this column converge to it on the owner's next open (the
+-- bootstrap is now run directly + idempotently, not version-gated).
+ALTER TABLE "__lattice_member_invites" ADD COLUMN IF NOT EXISTS "email" text;
+
+-- #3.1 \u2014 one-time-use + revocation enforcement. After a member authenticates to
+-- the cloud with their minted credential, the join path calls this to CLAIM the
+-- invite. The single atomic UPDATE stamps redeemed_at and returns true ONLY when
+-- an invite for the CALLING role (session_user) is still pending: not already
+-- redeemed (one-time-use), not revoked, and not expired. A replayed redeem of a
+-- leaked token, a revoked invite, or an expired one returns false, so the caller
+-- rejects the join. Members have no direct grant on the owner-only
+-- __lattice_member_invites table \u2014 this SECURITY DEFINER function is the only
+-- path, and it can claim ONLY the caller's own invite (keyed on session_user,
+-- never a caller-supplied parameter, so one member can't burn another's invite).
+CREATE OR REPLACE FUNCTION lattice_claim_invite()
+RETURNS boolean LANGUAGE plpgsql SECURITY DEFINER AS $fn$
+DECLARE v_ok boolean;
+BEGIN
+  UPDATE "__lattice_member_invites"
+     SET "redeemed_at" = now()
+   WHERE "role" = session_user
+     AND "redeemed_at" IS NULL
+     AND "revoked_at" IS NULL
+     AND "expires_at" > now()
+  RETURNING true INTO v_ok;
+  RETURN COALESCE(v_ok, false);
+END $fn$;
+
 -- Visibility check. SECURITY DEFINER so it reads bookkeeping the member can't;
 -- keyed on session_user (the member's login role). A row with no ownership record
 -- is visible to nobody.
@@ -47067,6 +47462,10 @@ BEGIN
   IF p_visibility NOT IN ('private','everyone','custom') THEN
     RAISE EXCEPTION 'lattice: invalid visibility %', p_visibility;
   END IF;
+  IF p_visibility <> 'private'
+     AND COALESCE((SELECT "never_share" FROM "__lattice_table_policy" WHERE "table_name" = p_table), false) THEN
+    RAISE EXCEPTION 'lattice: "%" is a private-only table and cannot be shared', p_table;
+  END IF;
   SELECT o."owner_role" INTO v_owner FROM "__lattice_owners" o
     WHERE o."table_name" = p_table AND o."pk" = p_pk;
   IF v_owner IS NULL THEN RAISE EXCEPTION 'lattice: no ownership record for %/%', p_table, p_pk; END IF;
@@ -47080,6 +47479,9 @@ CREATE OR REPLACE FUNCTION lattice_grant_row(p_table text, p_pk text, p_grantee
 RETURNS void LANGUAGE plpgsql SECURITY DEFINER AS $fn$
 DECLARE v_owner text;
 BEGIN
+  IF COALESCE((SELECT "never_share" FROM "__lattice_table_policy" WHERE "table_name" = p_table), false) THEN
+    RAISE EXCEPTION 'lattice: "%" is a private-only table and cannot be shared', p_table;
+  END IF;
   SELECT o."owner_role" INTO v_owner FROM "__lattice_owners" o
     WHERE o."table_name" = p_table AND o."pk" = p_pk;
   IF v_owner IS NULL THEN RAISE EXCEPTION 'lattice: no ownership record for %/%', p_table, p_pk; END IF;
@@ -47169,6 +47571,9 @@ CREATE OR REPLACE FUNCTION lattice_grant_cell(p_table text, p_pk text, p_column
 RETURNS void LANGUAGE plpgsql SECURITY DEFINER AS $fn$
 DECLARE v_owner text;
 BEGIN
+  IF COALESCE((SELECT "never_share" FROM "__lattice_table_policy" WHERE "table_name" = p_table), false) THEN
+    RAISE EXCEPTION 'lattice: "%" is a private-only table and cannot be shared', p_table;
+  END IF;
   SELECT o."owner_role" INTO v_owner FROM "__lattice_owners" o
     WHERE o."table_name" = p_table AND o."pk" = p_pk;
   IF v_owner IS NULL OR v_owner <> session_user THEN
@@ -47201,6 +47606,87 @@ RETURNS boolean LANGUAGE sql STABLE SECURITY DEFINER AS $fn$
   SELECT lattice_row_visible('files', p_source_ref)
 $fn$;
 
+-- Is the connected member the OWNER of this row? Used by the "owner" column
+-- audience (a secret column reveals only to the row owner). SECURITY DEFINER +
+-- session_user, like the other predicates.
+CREATE OR REPLACE FUNCTION lattice_is_owner(p_table text, p_pk text)
+RETURNS boolean LANGUAGE sql STABLE SECURITY DEFINER AS $fn$
+  SELECT EXISTS (
+    SELECT 1 FROM "__lattice_owners" o
+     WHERE o."table_name" = p_table AND o."pk" = p_pk AND o."owner_role" = session_user
+  )
+$fn$;
+
+-- Owner-only: set a table's default row visibility for NEW rows. Raises unless the
+-- caller can create roles (a cloud owner / DBA), like lattice_assign_role. Rejects
+-- 'everyone' on a never-share table.
+CREATE OR REPLACE FUNCTION lattice_set_table_default_visibility(p_table text, p_visibility text)
+RETURNS void LANGUAGE plpgsql SECURITY DEFINER AS $fn$
+BEGIN
+  IF NOT (SELECT rolcreaterole FROM pg_roles WHERE rolname = session_user) THEN
+    RAISE EXCEPTION 'lattice: only a cloud owner may set a table''s default visibility';
+  END IF;
+  IF p_visibility NOT IN ('private','everyone') THEN
+    RAISE EXCEPTION 'lattice: invalid default visibility %', p_visibility;
+  END IF;
+  IF p_visibility = 'everyone'
+     AND COALESCE((SELECT "never_share" FROM "__lattice_table_policy" WHERE "table_name" = p_table), false) THEN
+    RAISE EXCEPTION 'lattice: "%" is a private-only table; its rows cannot default to everyone', p_table;
+  END IF;
+  INSERT INTO "__lattice_table_policy" ("table_name","default_row_visibility","updated_by","updated_at")
+    VALUES (p_table, p_visibility, session_user, now())
+    ON CONFLICT ("table_name") DO UPDATE
+      SET "default_row_visibility" = EXCLUDED."default_row_visibility",
+          "updated_by" = session_user, "updated_at" = now();
+END $fn$;
+
+-- Owner-only: mark a table never-shareable (Secrets/Messages-class). When true the
+-- share/grant functions raise and the insert trigger forces new rows private; the
+-- default visibility is also forced private. Turning it ON also RETROACTIVELY
+-- privatizes the table: any row currently shared ('everyone'/'custom') is reset to
+-- 'private' and every existing row/cell grant on the table is dropped \u2014 otherwise
+-- flagging a table never-share would leave already-leaked rows visible, defeating
+-- the point. Idempotent: re-running with already-private rows updates nothing.
+CREATE OR REPLACE FUNCTION lattice_set_table_never_share(p_table text, p_on boolean)
+RETURNS void LANGUAGE plpgsql SECURITY DEFINER AS $fn$
+BEGIN
+  IF NOT (SELECT rolcreaterole FROM pg_roles WHERE rolname = session_user) THEN
+    RAISE EXCEPTION 'lattice: only a cloud owner may change a table''s never-share flag';
+  END IF;
+  INSERT INTO "__lattice_table_policy" ("table_name","never_share","default_row_visibility","updated_by","updated_at")
+    VALUES (p_table, p_on, CASE WHEN p_on THEN 'private' ELSE 'private' END, session_user, now())
+    ON CONFLICT ("table_name") DO UPDATE
+      SET "never_share" = EXCLUDED."never_share",
+          "default_row_visibility" = CASE WHEN EXCLUDED."never_share"
+                                          THEN 'private' ELSE "__lattice_table_policy"."default_row_visibility" END,
+          "updated_by" = session_user, "updated_at" = now();
+  IF p_on THEN
+    UPDATE "__lattice_owners" SET "visibility" = 'private', "updated_at" = now()
+      WHERE "table_name" = p_table AND "visibility" <> 'private';
+    DELETE FROM "__lattice_row_grants"  WHERE "table_name" = p_table;
+    DELETE FROM "__lattice_cell_grants" WHERE "table_name" = p_table;
+  END IF;
+END $fn$;
+
+-- Owner-only: set (or clear) a column's audience spec in the canonical DB store.
+-- An empty/null spec removes the policy row (column becomes unmasked). The GUI/lib
+-- regenerates the table's mask view from this store after calling this.
+CREATE OR REPLACE FUNCTION lattice_set_column_audience(p_table text, p_column text, p_audience text)
+RETURNS void LANGUAGE plpgsql SECURITY DEFINER AS $fn$
+BEGIN
+  IF NOT (SELECT rolcreaterole FROM pg_roles WHERE rolname = session_user) THEN
+    RAISE EXCEPTION 'lattice: only a cloud owner may set a column audience';
+  END IF;
+  IF p_audience IS NULL OR btrim(p_audience) = '' THEN
+    DELETE FROM "__lattice_column_policy" WHERE "table_name" = p_table AND "column_name" = p_column;
+  ELSE
+    INSERT INTO "__lattice_column_policy" ("table_name","column_name","audience","updated_by","updated_at")
+      VALUES (p_table, p_column, p_audience, session_user, now())
+      ON CONFLICT ("table_name","column_name") DO UPDATE
+        SET "audience" = EXCLUDED."audience", "updated_by" = session_user, "updated_at" = now();
+  END IF;
+END $fn$;
+
 -- Append-only change feed. The per-table ownership trigger records one row per
 -- INSERT/UPDATE/DELETE; the AFTER INSERT trigger here fires pg_notify so a
 -- connected member's realtime broker refreshes. Members get no direct access \u2014
@@ -47232,6 +47718,62 @@ END $fn$;
 DROP TRIGGER IF EXISTS "lattice_notify_change_trg" ON "__lattice_changes";
 CREATE TRIGGER "lattice_notify_change_trg" AFTER INSERT ON "__lattice_changes"
   FOR EACH ROW EXECUTE FUNCTION lattice_notify_change();
+
+-- #4.4 \u2014 seq-based catch-up after a realtime gap. NOTIFY is fire-and-forget, so a
+-- broker that drops its LISTEN (network blip, laptop sleep) misses every change
+-- during the gap. The broker tracks the highest seq it delivered and, on
+-- reconnect, replays what it missed via this function. Members have NO direct
+-- grant on __lattice_changes (reading it raw would leak every change on the
+-- cloud), so this SECURITY DEFINER function is the only path and it returns ONLY
+-- the rows the CALLING role can see: keyed on session_user via lattice_row_visible
+-- (same gate as live fan-out, #4.3). Deletes are excluded \u2014 the ownership record
+-- is gone post-delete so visibility can't be verified, and replaying them would
+-- leak deleted-row pks (the client reconciles deletes on its reconnect refetch).
+-- Bounded (LIMIT clamped \u2264 1000) so a long gap can't stream the whole table (Rule:
+-- bounded reads on a hot path).
+CREATE OR REPLACE FUNCTION lattice_changes_since(p_seq bigint, p_limit int)
+RETURNS TABLE(seq bigint, table_name text, pk text, op text, owner_role text, created_at timestamptz)
+LANGUAGE sql STABLE SECURITY DEFINER AS $fn$
+  SELECT c."seq", c."table_name", c."pk", c."op", c."owner_role", c."created_at"
+    FROM "__lattice_changes" c
+   WHERE c."seq" > p_seq
+     AND c."op" = 'upsert'
+     AND lattice_row_visible(c."table_name", c."pk")
+   ORDER BY c."seq" ASC
+   LIMIT GREATEST(0, LEAST(COALESCE(p_limit, 500), 1000));
+$fn$;
+
+-- #2.1 \u2014 per-row access summary for the connecting role. The GUI attaches this as
+-- each row's _access so the sharing affordance renders, but __lattice_owners is
+-- owner-only bookkeeping (members have no grant), so a member reading it directly
+-- got "permission denied". This SECURITY DEFINER function returns visibility +
+-- whether the CALLER owns the row, ONLY for the rows the caller can actually see
+-- (lattice_row_visible, keyed on session_user) \u2014 so a member learns nothing about
+-- rows hidden from it. Member-callable; the owner gets the same view of its rows.
+CREATE OR REPLACE FUNCTION lattice_rows_access(p_table text, p_pks text[])
+RETURNS TABLE(pk text, visibility text, owned boolean)
+LANGUAGE sql STABLE SECURITY DEFINER AS $fn$
+  SELECT o."pk", o."visibility", (o."owner_role" = session_user) AS owned
+    FROM "__lattice_owners" o
+   WHERE o."table_name" = p_table
+     AND o."pk" = ANY(p_pks)
+     AND lattice_row_visible(o."table_name", o."pk");
+$fn$;
+
+-- #2.1 \u2014 grantees of a CALLER-OWNED custom-shared row (who you shared YOUR row
+-- with). Only the row owner sees this (the WHERE pins owner_role = session_user),
+-- so a member can't enumerate another owner's grants. __lattice_row_grants is
+-- member-ungranted, so this SECURITY DEFINER function is the member-safe path.
+CREATE OR REPLACE FUNCTION lattice_row_grantees(p_table text, p_pks text[])
+RETURNS TABLE(pk text, grantee_role text)
+LANGUAGE sql STABLE SECURITY DEFINER AS $fn$
+  SELECT g."pk", g."grantee_role"
+    FROM "__lattice_row_grants" g
+    JOIN "__lattice_owners" o ON o."table_name" = g."table_name" AND o."pk" = g."pk"
+   WHERE g."table_name" = p_table
+     AND g."pk" = ANY(p_pks)
+     AND o."owner_role" = session_user;
+$fn$;
 `;
 function tableRlsSql(table, pkCols) {
   const q3 = `"${table.replace(/"/g, '""')}"`;
@@ -47245,7 +47787,20 @@ CREATE OR REPLACE FUNCTION "${trg}"() RETURNS trigger LANGUAGE plpgsql SECURITY
 BEGIN
   IF TG_OP = 'INSERT' THEN
     INSERT INTO "__lattice_owners" ("table_name","pk","owner_role","visibility")
-      VALUES (${lit}, ${pkNew}, session_user, 'private')
+      VALUES (${lit}, ${pkNew}, session_user,
+        CASE
+          -- never-share always wins: such a table's rows are private, full stop.
+          WHEN COALESCE((SELECT "never_share" FROM "__lattice_table_policy" WHERE "table_name" = ${lit}), false)
+            THEN 'private'
+          -- per-INSERT override: a caller forcing visibility for THIS write (e.g.
+          -- chat "private mode") sets the transaction-local lattice.force_row_visibility
+          -- GUC, so the row is stamped atomically at insert \u2014 never momentarily at
+          -- the table default, and the change-feed NOTIFY (deferred to COMMIT) only
+          -- fires once the row already carries this visibility.
+          WHEN NULLIF(current_setting('lattice.force_row_visibility', true), '') IN ('private','everyone')
+            THEN current_setting('lattice.force_row_visibility', true)
+          ELSE COALESCE((SELECT "default_row_visibility" FROM "__lattice_table_policy" WHERE "table_name" = ${lit}), 'private')
+        END)
       ON CONFLICT ("table_name","pk") DO NOTHING;
     INSERT INTO "__lattice_changes" ("table_name","pk","op","owner_role")
       VALUES (${lit}, ${pkNew}, 'upsert', session_user);
@@ -47285,20 +47840,15 @@ CREATE TRIGGER "${trg}" AFTER INSERT OR UPDATE OR DELETE ON ${q3}
 }
 async function installCloudRls(db) {
   if (!isPg(db)) return;
-  const migration = {
-    // v3 added the audience helpers; v4 the role model; v5 the per-card override
-    // model (__lattice_cell_grants + lattice_cell_visible / lattice_grant_cell).
-    // The bootstrap is fully idempotent (CREATE OR REPLACE / IF NOT EXISTS).
-    version: "internal:cloud-rls:bootstrap:v5",
-    sql: CLOUD_RLS_BOOTSTRAP_SQL
-  };
-  await db.migrate([migration]);
+  const schema = await cloudSchema(db);
+  const sql = pinDefinerSearchPath(CLOUD_RLS_BOOTSTRAP_SQL, schema) + revokeSchemaCreateSql(schema);
+  await runCloudBootstrapSql(db, sql);
 }
 async function enableChangelogRls(db) {
   if (!isPg(db)) return;
-  const migration = {
-    version: "internal:cloud-rls:changelog:v1",
-    sql: `
+  await runCloudBootstrapSql(
+    db,
+    `
 ALTER TABLE "__lattice_changelog" ENABLE ROW LEVEL SECURITY;
 ALTER TABLE "__lattice_changelog" FORCE ROW LEVEL SECURITY;
 GRANT SELECT, INSERT ON "__lattice_changelog" TO ${MEMBER_GROUP};
@@ -47308,24 +47858,25 @@ CREATE POLICY "lattice_changelog_sel" ON "__lattice_changelog" FOR SELECT USING
   CASE
     WHEN "change_kind" = 'derived' THEN
       "source_ref" IS NOT NULL
+      AND jsonb_array_length("source_ref"::jsonb) > 0
       AND NOT EXISTS (
         SELECT 1 FROM jsonb_array_elements_text("source_ref"::jsonb) AS src(sid)
          WHERE NOT lattice_source_visible(src.sid)
       )
-    ELSE lattice_row_visible("table_name", "row_id")
+    ELSE lattice_is_owner("table_name", "row_id")
   END
 );
 DROP POLICY IF EXISTS "lattice_changelog_ins" ON "__lattice_changelog";
 CREATE POLICY "lattice_changelog_ins" ON "__lattice_changelog" FOR INSERT WITH CHECK (true);
 `
-  };
-  await db.migrate([migration]);
+  );
 }
 async function enableRlsForTable(db, table, pkCols) {
   if (!isPg(db)) return;
+  const schema = await cloudSchema(db);
   const migration = {
-    version: `internal:cloud-rls:table:${table}:v2`,
-    sql: tableRlsSql(table, pkCols)
+    version: `internal:cloud-rls:table:${table}:v3`,
+    sql: pinDefinerSearchPath(tableRlsSql(table, pkCols), schema)
   };
   await db.migrate([migration]);
 }
@@ -47372,7 +47923,12 @@ async function provisionMemberRole(db, role, password) {
        IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = '${role}') THEN
          CREATE ROLE "${role}" LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE PASSWORD '${password}';
        ELSE
-         ALTER ROLE "${role}" WITH LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE PASSWORD '${password}';
+         -- Re-invite of an EXISTING role: set ONLY what changed (login + password).
+         -- Restating NOSUPERUSER/superuser-class attrs trips Supabase supautils
+         -- ("only superuser may alter the SUPERUSER attribute", 42501) since the
+         -- owner 'postgres' isn't a true superuser. The role was already created
+         -- NOSUPERUSER NOCREATEDB NOCREATEROLE, so there is nothing to restate.
+         ALTER ROLE "${role}" WITH LOGIN PASSWORD '${password}';
        END IF;
      END $LATTICE$`
   );
@@ -47411,9 +47967,28 @@ async function revokeCell(db, table, pk, column, grantee) {
 async function revokeMemberRole(db, role) {
   assertPg(db);
   if (!ROLE_RE.test(role)) throw new Error(`lattice: invalid member role name "${role}"`);
-  await runAsyncOrSync(db.adapter, `DROP OWNED BY "${role}"`).catch(() => void 0);
+  const exists = await getAsyncOrSync(
+    db.adapter,
+    `SELECT 1 AS x FROM pg_roles WHERE rolname = ?`,
+    [role]
+  );
+  if (!exists) return;
+  for (const stmt of [`REASSIGN OWNED BY "${role}" TO CURRENT_USER`, `DROP OWNED BY "${role}"`]) {
+    try {
+      await runAsyncOrSync(db.adapter, stmt);
+    } catch (e6) {
+      if (!isInsufficientPrivilege(e6)) throw e6;
+      console.warn(
+        `[cloud] "${stmt.split(" ").slice(0, 2).join(" ")} \u2026" skipped (insufficient privilege; a scoped member owns no objects): ${e6.message}`
+      );
+    }
+  }
   await runAsyncOrSync(db.adapter, `DROP ROLE IF EXISTS "${role}"`);
 }
+function isInsufficientPrivilege(e6) {
+  const err = e6 ?? {};
+  return err.code === "42501" || /permission denied/i.test(err.message ?? "");
+}
 
 // src/cloud/discover.ts
 async function discoverCloudTables(db) {
@@ -47455,12 +48030,17 @@ function isRowAudience(audience) {
   const a6 = (audience ?? "").trim();
   return a6 === "" || a6 === "everyone" || a6 === "row-audience";
 }
-function audiencePredicate(audience) {
+function audiencePredicate(audience, ctx) {
   if (isRowAudience(audience)) return "true";
   const clauses = audience.split("+").map((c6) => c6.trim()).filter(Boolean);
   const parts = [];
   for (const clause of clauses) {
     if (clause === "everyone" || clause === "row-audience") return "true";
+    if (clause === "owner") {
+      if (!ctx) throw new Error('lattice: the "owner" audience needs a row context');
+      parts.push(`lattice_is_owner(${ctx.tableLit}, ${ctx.pkExpr})`);
+      continue;
+    }
     const idx = clause.indexOf(":");
     const kind = idx === -1 ? clause : clause.slice(0, idx);
     const arg = idx === -1 ? "" : clause.slice(idx + 1).trim();
@@ -47495,7 +48075,7 @@ function audienceViewSql(table, columns, pkCols, columnAudience) {
   const selectCols = columns.map((col) => {
     const aud = columnAudience[col] ?? "";
     if (isRowAudience(aud)) return quoteIdent(col);
-    const pred = audiencePredicate(aud);
+    const pred = audiencePredicate(aud, { tableLit: lit, pkExpr });
     if (pred === "true") return quoteIdent(col);
     const colLit = `'${col.replace(/'/g, "''")}'`;
     const full = `(${pred}) OR lattice_cell_visible(${lit}, ${pkExpr}, ${colLit})`;
@@ -47530,6 +48110,92 @@ async function enableAudienceView(db, table, columns, pkCols, columnAudience) {
   };
   await db.migrate([migration]);
 }
+async function loadColumnPolicy(db, table) {
+  if (db.getDialect() !== "postgres") return {};
+  const rows = await allAsyncOrSync(
+    db.adapter,
+    `SELECT "column_name", "audience" FROM "__lattice_column_policy" WHERE "table_name" = ?`,
+    [table]
+  );
+  const out = {};
+  for (const r6 of rows) out[r6.column_name] = r6.audience;
+  return out;
+}
+async function seedColumnPolicyFromYaml(db, table, yamlAudience) {
+  if (db.getDialect() !== "postgres") return;
+  const marker = `internal:cloud-column-seed:${table}:v1`;
+  const already = await getAsyncOrSync(
+    db.adapter,
+    `SELECT 1 AS one FROM "__lattice_migrations" WHERE "version" = ?`,
+    [marker]
+  );
+  if (already) return;
+  for (const [col, aud] of Object.entries(yamlAudience)) {
+    if (isRowAudience(aud)) continue;
+    await runAsyncOrSync(
+      db.adapter,
+      `INSERT INTO "__lattice_column_policy" ("table_name","column_name","audience")
+         VALUES (?, ?, ?) ON CONFLICT ("table_name","column_name") DO NOTHING`,
+      [table, col, aud]
+    );
+  }
+  await runAsyncOrSync(
+    db.adapter,
+    `INSERT INTO "__lattice_migrations" ("version","applied_at") VALUES (?, ?)
+       ON CONFLICT ("version") DO NOTHING`,
+    [marker, (/* @__PURE__ */ new Date()).toISOString()]
+  );
+}
+async function regenerateAudienceViewFromDb(db, table, columns, pkCols) {
+  if (db.getDialect() !== "postgres") return;
+  if (pkCols.length === 0) return;
+  const spec = await loadColumnPolicy(db, table);
+  const view = quoteIdent(`${table}_v`);
+  const base = quoteIdent(table);
+  if (!tableNeedsAudienceView(spec)) {
+    await runAsyncOrSync(
+      db.adapter,
+      `DROP VIEW IF EXISTS ${view};
+GRANT SELECT ON ${base} TO ${MEMBER_GROUP};`
+    );
+    return;
+  }
+  await runAsyncOrSync(db.adapter, audienceViewSql(table, columns, pkCols, spec));
+}
+async function setColumnAudience(db, table, column, audience, columns, pkCols) {
+  if (db.getDialect() !== "postgres") return;
+  await runAsyncOrSync(db.adapter, `SELECT lattice_set_column_audience(?, ?, ?)`, [
+    table,
+    column,
+    audience
+  ]);
+  await regenerateAudienceViewFromDb(db, table, columns, pkCols);
+}
+
+// src/cloud/table-policy.ts
+async function getTablePolicy(db, table) {
+  if (db.getDialect() !== "postgres") return { defaultRowVisibility: "private", neverShare: false };
+  const row = await getAsyncOrSync(
+    db.adapter,
+    `SELECT "default_row_visibility", "never_share" FROM "__lattice_table_policy" WHERE "table_name" = ?`,
+    [table]
+  );
+  return {
+    defaultRowVisibility: row?.default_row_visibility === "everyone" ? "everyone" : "private",
+    neverShare: row?.never_share === true
+  };
+}
+async function setTableDefaultVisibility(db, table, visibility) {
+  if (db.getDialect() !== "postgres") return;
+  await runAsyncOrSync(db.adapter, `SELECT lattice_set_table_default_visibility(?, ?)`, [
+    table,
+    visibility
+  ]);
+}
+async function setTableNeverShare(db, table, on) {
+  if (db.getDialect() !== "postgres") return;
+  await runAsyncOrSync(db.adapter, `SELECT lattice_set_table_never_share(?, ?)`, [table, on]);
+}
 
 // src/cloud/fold-cache.ts
 function viewerSignature(viewer) {
@@ -47566,6 +48232,7 @@ var FoldCache = class {
 };
 
 // src/cloud/settings.ts
+import { createHash as createHash8, randomBytes as randomBytes6 } from "crypto";
 var CLOUD_SETTING_SYSTEM_PROMPT = "chat_system_prompt";
 var CLOUD_SETTINGS_BOOTSTRAP_SQL = `
 -- Owner-controlled, cloud-wide key/value settings. No grant to the member group,
@@ -47604,11 +48271,8 @@ END $fn$;
 `;
 async function installCloudSettings(db) {
   if (db.getDialect() !== "postgres") return;
-  const migration = {
-    version: "internal:cloud-settings:v1",
-    sql: CLOUD_SETTINGS_BOOTSTRAP_SQL
-  };
-  await db.migrate([migration]);
+  const schema = await cloudSchema(db);
+  await runCloudBootstrapSql(db, pinDefinerSearchPath(CLOUD_SETTINGS_BOOTSTRAP_SQL, schema));
 }
 async function getCloudSetting(db, key) {
   if (db.getDialect() !== "postgres") return null;
@@ -47627,23 +48291,39 @@ async function setCloudSetting(db, key, value) {
 }
 
 // src/cloud/setup.ts
+async function secureNewCloudTable(db, table, pk) {
+  if (db.getDialect() !== "postgres") return;
+  if (table.startsWith("__lattice_") || table.startsWith("_lattice_")) return;
+  if (pk.length === 0) return;
+  await backfillOwnership(db, table, pk);
+  await enableRlsForTable(db, table, pk);
+  const cols = db.getRegisteredColumns(table);
+  if (cols) {
+    await seedColumnPolicyFromYaml(db, table, db.getColumnAudience(table));
+    await regenerateAudienceViewFromDb(db, table, Object.keys(cols), pk);
+  }
+}
 async function secureCloud(db) {
   if (db.getDialect() !== "postgres") return;
   await installCloudRls(db);
   await installCloudSettings(db);
   await db.ensureObservationSubstrate();
   await enableChangelogRls(db);
-  for (const table of db.getRegisteredTableNames()) {
-    if (table.startsWith("__lattice_") || table.startsWith("_lattice_")) continue;
-    const pk = db.getPrimaryKey(table);
-    if (pk.length === 0) continue;
-    await backfillOwnership(db, table, pk);
-    await enableRlsForTable(db, table, pk);
-    const cols = db.getRegisteredColumns(table);
-    if (cols) {
-      await enableAudienceView(db, table, Object.keys(cols), pk, db.getColumnAudience(table));
-    }
+  const registered = db.getRegisteredTableNames();
+  for (const table of registered) {
+    await secureNewCloudTable(db, table, db.getPrimaryKey(table));
+  }
+  if (registered.includes("secrets")) {
+    await runAsyncOrSync(db.adapter, `SELECT lattice_set_table_never_share('secrets', true)`);
   }
+  await runAsyncOrSync(
+    db.adapter,
+    `DO $LATTICE$ BEGIN
+       IF to_regclass('__lattice_user_identity') IS NOT NULL THEN
+         EXECUTE 'GRANT SELECT, INSERT, UPDATE ON "__lattice_user_identity" TO ${MEMBER_GROUP}';
+       END IF;
+     END $LATTICE$`
+  );
 }
 
 // src/ai/llm-client.ts
@@ -48237,6 +48917,7 @@ export {
   NATIVE_ENTITY_NAMES,
   NATIVE_REGISTRY_TABLE,
   PostgresAdapter,
+  ProgressThrottle,
   READ_ONLY_HEADER,
   ROOT_DIRNAME,
   ReferenceUnavailableError,
@@ -48300,6 +48981,7 @@ export {
   getCloudSetting,
   getDbCredential,
   getOrCreateMasterKey,
+  getTablePolicy,
   getWorkspace,
   grantCell,
   hasFtsIndex,
@@ -48317,6 +48999,7 @@ export {
   listNativeBindings,
   listTokens,
   listWorkspaces,
+  loadColumnPolicy,
   manifestPath,
   markdownTable,
   memberRoleName,
@@ -48344,6 +49027,7 @@ export {
   readToken,
   referenceLocalFile,
   referenceUrl,
+  regenerateAudienceViewFromDb,
   registerNativeEntities,
   registryPath,
   resolveActiveS3Config,
@@ -48358,9 +49042,13 @@ export {
   saveDbCredentialForTeam,
   sealUnderSource,
   secureCloud,
+  seedColumnPolicyFromYaml,
   setActiveWorkspace,
   setCloudSetting,
+  setColumnAudience,
   setRowVisibility,
+  setTableDefaultVisibility,
+  setTableNeverShare,
   shredSource,
   slugify,
   summarizeText,