latticesql 3.1.0 → 3.2.0

package/dist/cli.js

@@ -3549,8 +3549,8 @@ var init_types = __esm({
 });
 
 // node_modules/@smithy/core/dist-es/submodules/config/shared-ini-file-loader/getHomeDir.js
-import { homedir as homedir4 } from "os";
-import { sep as sep4 } from "path";
+import { homedir as homedir3 } from "os";
+import { sep as sep3 } from "path";
 var homeDirCache, getHomeDirCacheKey, getHomeDir;
 var init_getHomeDir = __esm({
   "node_modules/@smithy/core/dist-es/submodules/config/shared-ini-file-loader/getHomeDir.js"() {
@@ -3563,7 +3563,7 @@ var init_getHomeDir = __esm({
       return "DEFAULT";
     };
     getHomeDir = () => {
-      const { HOME, USERPROFILE, HOMEPATH, HOMEDRIVE = `C:${sep4}` } = process.env;
+      const { HOME, USERPROFILE, HOMEPATH, HOMEDRIVE = `C:${sep3}` } = process.env;
       if (HOME)
         return HOME;
       if (USERPROFILE)
@@ -3572,7 +3572,7 @@ var init_getHomeDir = __esm({
         return `${HOMEDRIVE}${HOMEPATH}`;
       const homeDirCacheKey = getHomeDirCacheKey();
       if (!homeDirCache[homeDirCacheKey])
-        homeDirCache[homeDirCacheKey] = homedir4();
+        homeDirCache[homeDirCacheKey] = homedir3();
       return homeDirCache[homeDirCacheKey];
     };
   }
@@ -3590,17 +3590,17 @@ var init_getProfileName = __esm({
 });
 
 // node_modules/@smithy/core/dist-es/submodules/config/shared-ini-file-loader/getSSOTokenFilepath.js
-import { createHash as createHash3 } from "crypto";
-import { join as join17 } from "path";
+import { createHash as createHash4 } from "crypto";
+import { join as join14 } from "path";
 var getSSOTokenFilepath;
 var init_getSSOTokenFilepath = __esm({
   "node_modules/@smithy/core/dist-es/submodules/config/shared-ini-file-loader/getSSOTokenFilepath.js"() {
     "use strict";
     init_getHomeDir();
     getSSOTokenFilepath = (id) => {
-      const hasher = createHash3("sha1");
+      const hasher = createHash4("sha1");
       const cacheName = hasher.update(id).digest("hex");
-      return join17(getHomeDir(), ".aws", "sso", "cache", `${cacheName}.json`);
+      return join14(getHomeDir(), ".aws", "sso", "cache", `${cacheName}.json`);
     };
   }
 });
@@ -3658,26 +3658,26 @@ var init_getConfigData = __esm({
 });
 
 // node_modules/@smithy/core/dist-es/submodules/config/shared-ini-file-loader/getConfigFilepath.js
-import { join as join18 } from "path";
+import { join as join15 } from "path";
 var ENV_CONFIG_PATH, getConfigFilepath;
 var init_getConfigFilepath = __esm({
   "node_modules/@smithy/core/dist-es/submodules/config/shared-ini-file-loader/getConfigFilepath.js"() {
     "use strict";
     init_getHomeDir();
     ENV_CONFIG_PATH = "AWS_CONFIG_FILE";
-    getConfigFilepath = () => process.env[ENV_CONFIG_PATH] || join18(getHomeDir(), ".aws", "config");
+    getConfigFilepath = () => process.env[ENV_CONFIG_PATH] || join15(getHomeDir(), ".aws", "config");
   }
 });
 
 // node_modules/@smithy/core/dist-es/submodules/config/shared-ini-file-loader/getCredentialsFilepath.js
-import { join as join19 } from "path";
+import { join as join16 } from "path";
 var ENV_CREDENTIALS_PATH, getCredentialsFilepath;
 var init_getCredentialsFilepath = __esm({
   "node_modules/@smithy/core/dist-es/submodules/config/shared-ini-file-loader/getCredentialsFilepath.js"() {
     "use strict";
     init_getHomeDir();
     ENV_CREDENTIALS_PATH = "AWS_SHARED_CREDENTIALS_FILE";
-    getCredentialsFilepath = () => process.env[ENV_CREDENTIALS_PATH] || join19(getHomeDir(), ".aws", "credentials");
+    getCredentialsFilepath = () => process.env[ENV_CREDENTIALS_PATH] || join16(getHomeDir(), ".aws", "credentials");
   }
 });
 
@@ -3759,7 +3759,7 @@ var init_readFile = __esm({
 });
 
 // node_modules/@smithy/core/dist-es/submodules/config/shared-ini-file-loader/loadSharedConfigFiles.js
-import { join as join20 } from "path";
+import { join as join17 } from "path";
 var swallowError, loadSharedConfigFiles;
 var init_loadSharedConfigFiles = __esm({
   "node_modules/@smithy/core/dist-es/submodules/config/shared-ini-file-loader/loadSharedConfigFiles.js"() {
@@ -3778,11 +3778,11 @@ var init_loadSharedConfigFiles = __esm({
       const relativeHomeDirPrefix = "~/";
       let resolvedFilepath = filepath;
       if (filepath.startsWith(relativeHomeDirPrefix)) {
-        resolvedFilepath = join20(homeDir, filepath.slice(2));
+        resolvedFilepath = join17(homeDir, filepath.slice(2));
       }
       let resolvedConfigFilepath = configFilepath;
       if (configFilepath.startsWith(relativeHomeDirPrefix)) {
-        resolvedConfigFilepath = join20(homeDir, configFilepath.slice(2));
+        resolvedConfigFilepath = join17(homeDir, configFilepath.slice(2));
       }
       const parsedFiles = await Promise.all([
         readFile2(resolvedConfigFilepath, {
@@ -3903,13 +3903,13 @@ var init_getSelectorName = __esm({
 });
 
 // node_modules/@smithy/core/dist-es/submodules/config/node-config-provider/fromEnv.js
-var fromEnv2;
+var fromEnv;
 var init_fromEnv = __esm({
   "node_modules/@smithy/core/dist-es/submodules/config/node-config-provider/fromEnv.js"() {
     "use strict";
     init_CredentialsProviderError();
     init_getSelectorName();
-    fromEnv2 = (envVarSelector, options) => async () => {
+    fromEnv = (envVarSelector, options) => async () => {
       try {
         const config = envVarSelector(process.env, options);
         if (config === void 0) {
@@ -3976,7 +3976,7 @@ var init_configLoader = __esm({
     loadConfig = ({ environmentVariableSelector, configFileSelector, default: defaultValue }, configuration = {}) => {
       const { signingName, logger: logger2 } = configuration;
       const envOptions = { signingName, logger: logger2 };
-      return memoize(chain(fromEnv2(environmentVariableSelector, envOptions), fromSharedConfigFiles(configFileSelector, configuration), fromStatic(defaultValue)));
+      return memoize(chain(fromEnv(environmentVariableSelector, envOptions), fromSharedConfigFiles(configFileSelector, configuration), fromStatic(defaultValue)));
     };
   }
 });
@@ -5374,7 +5374,7 @@ var init_endpoints2 = __esm({
 });
 
 // node_modules/@smithy/core/dist-es/submodules/serde/hash-node/hash-node.js
-import { createHash as createHash4, createHmac } from "crypto";
+import { createHash as createHash5, createHmac } from "crypto";
 function castSourceData(toCast, encoding) {
   if (Buffer.isBuffer(toCast)) {
     return toCast;
@@ -5409,7 +5409,7 @@ var init_hash_node = __esm({
         return Promise.resolve(this.hash.digest());
       }
       reset() {
-        this.hash = this.secret ? createHmac(this.algorithmIdentifier, castSourceData(this.secret)) : createHash4(this.algorithmIdentifier);
+        this.hash = this.secret ? createHmac(this.algorithmIdentifier, castSourceData(this.secret)) : createHash5(this.algorithmIdentifier);
       }
     };
   }
@@ -10493,20 +10493,20 @@ var init_getRuntimeUserAgentPair = __esm({
 });
 
 // node_modules/@aws-sdk/core/dist-es/submodules/client/util-user-agent-node/getNodeModulesParentDirs.js
-import { normalize, sep as sep5 } from "path";
+import { normalize, sep as sep4 } from "path";
 var getNodeModulesParentDirs;
 var init_getNodeModulesParentDirs = __esm({
   "node_modules/@aws-sdk/core/dist-es/submodules/client/util-user-agent-node/getNodeModulesParentDirs.js"() {
     "use strict";
-    getNodeModulesParentDirs = (dirname13) => {
+    getNodeModulesParentDirs = (dirname14) => {
       const cwd = process.cwd();
-      if (!dirname13) {
+      if (!dirname14) {
         return [cwd];
       }
-      const normalizedPath = normalize(dirname13);
-      const parts = normalizedPath.split(sep5);
+      const normalizedPath = normalize(dirname14);
+      const parts = normalizedPath.split(sep4);
       const nodeModulesIndex = parts.indexOf("node_modules");
-      const parentDir = nodeModulesIndex !== -1 ? parts.slice(0, nodeModulesIndex).join(sep5) : normalizedPath;
+      const parentDir = nodeModulesIndex !== -1 ? parts.slice(0, nodeModulesIndex).join(sep4) : normalizedPath;
       if (cwd === parentDir) {
         return [cwd];
       }
@@ -10556,7 +10556,7 @@ var init_getSanitizedDevTypeScriptVersion = __esm({
 
 // node_modules/@aws-sdk/core/dist-es/submodules/client/util-user-agent-node/getTypeScriptUserAgentPair.js
 import { readFile as readFile3 } from "fs/promises";
-import { join as join21 } from "path";
+import { join as join18 } from "path";
 var tscVersion, TS_PACKAGE_JSON, getTypeScriptUserAgentPair;
 var init_getTypeScriptUserAgentPair = __esm({
   "node_modules/@aws-sdk/core/dist-es/submodules/client/util-user-agent-node/getTypeScriptUserAgentPair.js"() {
@@ -10565,7 +10565,7 @@ var init_getTypeScriptUserAgentPair = __esm({
     init_getNodeModulesParentDirs();
     init_getSanitizedDevTypeScriptVersion();
     init_getSanitizedTypeScriptVersion();
-    TS_PACKAGE_JSON = join21("node_modules", "typescript", "package.json");
+    TS_PACKAGE_JSON = join18("node_modules", "typescript", "package.json");
     getTypeScriptUserAgentPair = async () => {
       if (tscVersion === null) {
         return void 0;
@@ -10581,12 +10581,12 @@ var init_getTypeScriptUserAgentPair = __esm({
         tscVersion = null;
         return void 0;
       }
-      const dirname13 = typeof __dirname !== "undefined" ? __dirname : void 0;
-      const nodeModulesParentDirs = getNodeModulesParentDirs(dirname13);
+      const dirname14 = typeof __dirname !== "undefined" ? __dirname : void 0;
+      const nodeModulesParentDirs = getNodeModulesParentDirs(dirname14);
       let versionFromApp;
       for (const nodeModulesParentDir of nodeModulesParentDirs) {
         try {
-          const appPackageJsonPath = join21(nodeModulesParentDir, "package.json");
+          const appPackageJsonPath = join18(nodeModulesParentDir, "package.json");
           const packageJson = await readFile3(appPackageJsonPath, "utf-8");
           const { dependencies, devDependencies } = JSON.parse(packageJson);
           const version = devDependencies?.typescript ?? dependencies?.typescript;
@@ -10605,7 +10605,7 @@ var init_getTypeScriptUserAgentPair = __esm({
       let versionFromNodeModules;
       for (const nodeModulesParentDir of nodeModulesParentDirs) {
         try {
-          const tsPackageJsonPath = join21(nodeModulesParentDir, TS_PACKAGE_JSON);
+          const tsPackageJsonPath = join18(nodeModulesParentDir, TS_PACKAGE_JSON);
           const packageJson = await readFile3(tsPackageJsonPath, "utf-8");
           const { version } = JSON.parse(packageJson);
           const sanitizedVersion2 = getSanitizedTypeScriptVersion(version);
@@ -28345,7 +28345,7 @@ var init_package = __esm({
 });
 
 // node_modules/@aws-sdk/credential-provider-env/dist-es/fromEnv.js
-var ENV_KEY, ENV_SECRET, ENV_SESSION, ENV_EXPIRATION, ENV_CREDENTIAL_SCOPE, ENV_ACCOUNT_ID, fromEnv3;
+var ENV_KEY, ENV_SECRET, ENV_SESSION, ENV_EXPIRATION, ENV_CREDENTIAL_SCOPE, ENV_ACCOUNT_ID, fromEnv2;
 var init_fromEnv2 = __esm({
   "node_modules/@aws-sdk/credential-provider-env/dist-es/fromEnv.js"() {
     "use strict";
@@ -28357,7 +28357,7 @@ var init_fromEnv2 = __esm({
     ENV_EXPIRATION = "AWS_CREDENTIAL_EXPIRATION";
     ENV_CREDENTIAL_SCOPE = "AWS_CREDENTIAL_SCOPE";
     ENV_ACCOUNT_ID = "AWS_ACCOUNT_ID";
-    fromEnv3 = (init) => async () => {
+    fromEnv2 = (init) => async () => {
       init?.logger?.debug("@aws-sdk/credential-provider-env - fromEnv");
       const accessKeyId = process.env[ENV_KEY];
       const secretAccessKey = process.env[ENV_SECRET];
@@ -28391,7 +28391,7 @@ __export(dist_es_exports, {
   ENV_KEY: () => ENV_KEY,
   ENV_SECRET: () => ENV_SECRET,
   ENV_SESSION: () => ENV_SESSION,
-  fromEnv: () => fromEnv3
+  fromEnv: () => fromEnv2
 });
 var init_dist_es11 = __esm({
   "node_modules/@aws-sdk/credential-provider-env/dist-es/index.js"() {
@@ -34053,10 +34053,10 @@ var init_signin = __esm({
 });
 
 // node_modules/@aws-sdk/credential-provider-login/dist-es/LoginCredentialsFetcher.js
-import { createHash as createHash5, createPrivateKey, createPublicKey, sign } from "crypto";
+import { createHash as createHash6, createPrivateKey, createPublicKey, sign } from "crypto";
 import { promises as fs2 } from "fs";
-import { homedir as homedir5 } from "os";
-import { dirname as dirname10, join as join22 } from "path";
+import { homedir as homedir4 } from "os";
+import { dirname as dirname7, join as join19 } from "path";
 var LoginCredentialsFetcher;
 var init_LoginCredentialsFetcher = __esm({
   "node_modules/@aws-sdk/credential-provider-login/dist-es/LoginCredentialsFetcher.js"() {
@@ -34210,7 +34210,7 @@ var init_LoginCredentialsFetcher = __esm({
       }
       async saveToken(token) {
         const tokenFilePath = this.getTokenFilePath();
-        const directory = dirname10(tokenFilePath);
+        const directory = dirname7(tokenFilePath);
         try {
           await fs2.mkdir(directory, { recursive: true });
         } catch (error) {
@@ -34218,10 +34218,10 @@ var init_LoginCredentialsFetcher = __esm({
         await fs2.writeFile(tokenFilePath, JSON.stringify(token, null, 2), "utf8");
       }
       getTokenFilePath() {
-        const directory = process.env.AWS_LOGIN_CACHE_DIRECTORY ?? join22(homedir5(), ".aws", "login", "cache");
+        const directory = process.env.AWS_LOGIN_CACHE_DIRECTORY ?? join19(homedir4(), ".aws", "login", "cache");
         const loginSessionBytes = Buffer.from(this.loginSession, "utf8");
-        const loginSessionSha256 = createHash5("sha256").update(loginSessionBytes).digest("hex");
-        return join22(directory, `${loginSessionSha256}.json`);
+        const loginSessionSha256 = createHash6("sha256").update(loginSessionBytes).digest("hex");
+        return join19(directory, `${loginSessionSha256}.json`);
       }
       derToRawSignature(derSignature) {
         let offset = 2;
@@ -34578,7 +34578,7 @@ var init_fromWebToken = __esm({
 });
 
 // node_modules/@aws-sdk/credential-provider-web-identity/dist-es/fromTokenFile.js
-import { readFileSync as readFileSync15 } from "fs";
+import { readFileSync as readFileSync12 } from "fs";
 var ENV_TOKEN_FILE, ENV_ROLE_ARN, ENV_ROLE_SESSION_NAME, fromTokenFile;
 var init_fromTokenFile = __esm({
   "node_modules/@aws-sdk/credential-provider-web-identity/dist-es/fromTokenFile.js"() {
@@ -34601,7 +34601,7 @@ var init_fromTokenFile = __esm({
       }
       const credentials = await fromWebToken({
         ...init,
-        webIdentityToken: externalDataInterceptor?.getTokenRecord?.()[webIdentityTokenFile] ?? readFileSync15(webIdentityTokenFile, { encoding: "ascii" }),
+        webIdentityToken: externalDataInterceptor?.getTokenRecord?.()[webIdentityTokenFile] ?? readFileSync12(webIdentityTokenFile, { encoding: "ascii" }),
         roleArn,
         roleSessionName
       })(awsIdentityProperties);
@@ -34752,7 +34752,7 @@ var init_defaultProvider = __esm({
           });
         }
         init.logger?.debug("@aws-sdk/credential-provider-node - defaultProvider::fromEnv");
-        return fromEnv3(init)();
+        return fromEnv2(init)();
       },
       async (awsIdentityProperties) => {
         init.logger?.debug("@aws-sdk/credential-provider-node - defaultProvider::fromSSO");
@@ -39368,8 +39368,8 @@ var init_dist_es22 = __esm({
 });
 
 // src/cli.ts
-import { resolve as resolve10, dirname as dirname12 } from "path";
-import { readFileSync as readFileSync17 } from "fs";
+import { resolve as resolve10, dirname as dirname13 } from "path";
+import { readFileSync as readFileSync18 } from "fs";
 import { execSync } from "child_process";
 import { parse as parse3 } from "yaml";
 
@@ -39826,14 +39826,27 @@ function buildParsedConfig(raw, sourceName, configDir2) {
   const entityContexts = parseEntityContexts(config.entityContexts);
   return name !== void 0 ? { dbPath, name, tables, entityContexts } : { dbPath, tables, entityContexts };
 }
+function isDbRefShaped(raw) {
+  return /^\s*\$\{LATTICE_DB:/.test(raw);
+}
+function parseDbRef(raw) {
+  const m4 = /^\$\{LATTICE_DB:([A-Za-z0-9._-]+)\}$/.exec(raw.trim());
+  return m4 ? { label: m4[1] ?? "" } : null;
+}
 function resolveDbPath(raw, configDir2) {
-  const labelMatch = /^\$\{LATTICE_DB:([A-Za-z0-9._-]+)\}$/.exec(raw.trim());
-  if (labelMatch) {
-    const label = labelMatch[1] ?? "";
-    const url = getDbCredential(label);
+  if (isDbRefShaped(raw)) {
+    const ref = parseDbRef(raw);
+    if (!ref) {
+      throw new Error(
+        `Lattice: malformed \${LATTICE_DB:\u2026} reference ${JSON.stringify(
+          raw.trim()
+        )} \u2014 the label may contain only [A-Za-z0-9._-] (no spaces). This usually means a workspace was created with an unsanitized name.`
+      );
+    }
+    const url = getDbCredential(ref.label);
     if (!url) {
       throw new Error(
-        `Lattice: config references \${LATTICE_DB:${label}} but no credential is saved for "${label}". Save one via the GUI's Database panel or set LATTICE_DB_${label}.`
+        `Lattice: config references \${LATTICE_DB:${ref.label}} but no credential is saved for "${ref.label}". Save one via the GUI's Database panel or set LATTICE_DB_${ref.label}.`
       );
     }
     return url;
@@ -39841,6 +39854,13 @@ function resolveDbPath(raw, configDir2) {
   if (/^postgres(ql)?:\/\//i.test(raw) || raw.startsWith("file:") || raw === ":memory:") {
     return raw;
   }
+  if (raw.includes("${")) {
+    throw new Error(
+      `Lattice: refusing to treat ${JSON.stringify(
+        raw.trim()
+      )} as a database path \u2014 it looks like a malformed variable reference, not a file path.`
+    );
+  }
   return resolve(configDir2, raw);
 }
 var warnedDeprecatedRefs = /* @__PURE__ */ new Set();
@@ -42128,37 +42148,63 @@ var THROTTLE_WINDOW_MS = 200;
 var ProgressThrottle = class {
   cb;
   windowMs;
-  lastEmit = 0;
+  /**
+   * Last passthrough time, keyed per table (`event.table`, or `''` for the
+   * table-less `done`/`error` lifecycle events). Per-table — not a single shared
+   * clock — so when tables render CONCURRENTLY each one keeps its own ~5/sec
+   * budget: a fast table can't consume the window and starve a slow table's
+   * progress. `force` (table-start) resets only that table's budget.
+   */
+  lastEmit = /* @__PURE__ */ new Map();
   constructor(cb, windowMs = THROTTLE_WINDOW_MS) {
     this.cb = cb;
     this.windowMs = windowMs;
   }
   /**
-   * Emit a `table-progress` event, but only if the window since the last
-   * passthrough has elapsed. Dropped events are simply not delivered — the next
-   * one that survives carries the latest running count.
+   * Emit a `table-progress` event, but only if the window since this table's
+   * last passthrough has elapsed. Dropped events are simply not delivered — the
+   * next one that survives carries the latest running count.
    */
   tick(event) {
     if (!this.cb) return;
+    const key = event.table ?? "";
     const now = Date.now();
-    if (now - this.lastEmit < this.windowMs) return;
-    this.lastEmit = now;
+    if (now - (this.lastEmit.get(key) ?? 0) < this.windowMs) return;
+    this.lastEmit.set(key, now);
     this.cb(event);
   }
   /**
-   * Emit a lifecycle event immediately and reset the throttle window. Use for
-   * `table-start`, `table-done`, `done`, and `error` — none of which should
-   * ever be dropped. Resetting on `table-start` gives each table a clean budget.
+   * Emit a lifecycle event immediately and reset this table's throttle window.
+   * Use for `table-start`, `table-done`, `done`, and `error` — none of which
+   * should ever be dropped. Resetting on `table-start` gives each table a clean
+   * budget.
    */
   force(event) {
     if (!this.cb) return;
-    this.lastEmit = Date.now();
+    this.lastEmit.set(event.table ?? "", Date.now());
     this.cb(event);
   }
 };
 
+// src/concurrency.ts
+async function mapWithConcurrency(items, limit, fn) {
+  const results = new Array(items.length);
+  let next = 0;
+  const workerCount = Math.max(1, Math.min(limit, items.length));
+  const workers = Array.from({ length: workerCount }, async () => {
+    for (; ; ) {
+      const i6 = next++;
+      if (i6 >= items.length) break;
+      results[i6] = await fn(items[i6], i6);
+    }
+  });
+  await Promise.all(workers);
+  return results;
+}
+
 // src/render/engine.ts
 var YIELD_EVERY_ENTITIES = 200;
+var RENDER_TABLE_CONCURRENCY = 4;
 var NOOP_RENDER = () => "";
 var RenderEngine = class {
   _schema;
@@ -42340,163 +42386,175 @@ var RenderEngine = class {
    * via `signal`.
    */
   async _renderEntityContexts(outputDir, filesWritten, counters, throttle, signal) {
-    const manifestData = {};
     const protectedTables = /* @__PURE__ */ new Set();
     for (const [t8, d6] of this._schema.getEntityContexts()) {
       if (d6.protected) protectedTables.add(t8);
     }
     const entityTables = [...this._schema.getEntityContexts()];
     const tableCount = entityTables.length;
-    for (let tableIndex = 0; tableIndex < tableCount; tableIndex++) {
-      if (signal?.aborted) return null;
-      const [table, def] = entityTables[tableIndex];
-      const entityPk = this._schema.getPrimaryKey(table)[0] ?? "id";
-      const allRows = await this._schema.queryTable(this._adapter, table);
-      const directoryRoot = def.directoryRoot ?? table;
-      const entitiesTotal = allRows.length;
-      throttle.force({
-        kind: "table-start",
-        table,
-        entitiesRendered: 0,
-        entitiesTotal,
-        tableIndex,
-        tableCount,
-        pct: 0
-      });
-      const manifestEntry = {
-        directoryRoot,
-        ...def.index ? { indexFile: def.index.outputFile } : {},
-        declaredFiles: Object.keys(def.files),
-        protectedFiles: def.protectedFiles ?? [],
-        entities: {}
-      };
-      if (def.index) {
-        const indexPath = join7(outputDir, def.index.outputFile);
-        if (atomicWrite(indexPath, def.index.render(allRows))) {
-          filesWritten.push(indexPath);
-        } else {
-          counters.skipped++;
-        }
-      }
-      for (let i6 = 0; i6 < allRows.length; i6++) {
-        const entityRow = allRows[i6];
+    if (signal?.aborted) return null;
+    const renderedEntries = await mapWithConcurrency(
+      entityTables,
+      RENDER_TABLE_CONCURRENCY,
+      async ([table, def], tableIndex) => {
         if (signal?.aborted) return null;
-        if (i6 > 0 && i6 % YIELD_EVERY_ENTITIES === 0) {
-          await new Promise((r6) => setImmediate(r6));
-        }
-        const rawSlug = def.slug(entityRow);
-        const slug = rawSlug.replace(/[\u00A0\u2000-\u200B\u202F\u205F\u3000]/g, " ").replace(/[\u0000-\u001F\u007F]/g, "");
-        if (/[^a-zA-Z0-9.\-_ @(),#&'+:;!~[\]]/.test(slug)) {
-          throw new Error(`Invalid slug "${slug}": contains characters outside the allowed set`);
-        }
-        const entityDir = def.directory ? join7(outputDir, def.directory(entityRow)) : join7(outputDir, directoryRoot, slug);
-        const resolvedDir = resolve3(entityDir);
-        const resolvedBase = resolve3(outputDir);
-        if (!resolvedDir.startsWith(resolvedBase + sep) && resolvedDir !== resolvedBase) {
-          throw new Error(`Path traversal detected: slug "${slug}" escapes output directory`);
-        }
-        mkdirSync5(entityDir, { recursive: true });
-        if (def.attachFileColumn) {
-          const filePath = entityRow[def.attachFileColumn];
-          if (filePath && typeof filePath === "string" && filePath.length > 0) {
-            if (def.attachFileMode === "reference") {
-              const refPath = join7(entityDir, `${basename(filePath)}.ref.md`);
-              try {
-                atomicWrite(refPath, `# Reference
+        const entityPk = this._schema.getPrimaryKey(table)[0] ?? "id";
+        const allRows = await this._schema.queryTable(this._adapter, table);
+        const directoryRoot = def.directoryRoot ?? table;
+        const entitiesTotal = allRows.length;
+        throttle.force({
+          kind: "table-start",
+          table,
+          entitiesRendered: 0,
+          entitiesTotal,
+          tableIndex,
+          tableCount,
+          pct: 0
+        });
+        const manifestEntry = {
+          directoryRoot,
+          ...def.index ? { indexFile: def.index.outputFile } : {},
+          declaredFiles: Object.keys(def.files),
+          protectedFiles: def.protectedFiles ?? [],
+          entities: {}
+        };
+        if (def.index) {
+          const indexPath = join7(outputDir, def.index.outputFile);
+          if (atomicWrite(indexPath, def.index.render(allRows))) {
+            filesWritten.push(indexPath);
+          } else {
+            counters.skipped++;
+          }
+        }
+        for (let i6 = 0; i6 < allRows.length; i6++) {
+          const entityRow = allRows[i6];
+          if (signal?.aborted) return null;
+          if (i6 > 0 && i6 % YIELD_EVERY_ENTITIES === 0) {
+            await new Promise((r6) => setImmediate(r6));
+          }
+          const rawSlug = def.slug(entityRow);
+          const slug = rawSlug.replace(/[\u00A0\u2000-\u200B\u202F\u205F\u3000]/g, " ").replace(/[\u0000-\u001F\u007F]/g, "");
+          if (/[^a-zA-Z0-9.\-_ @(),#&'+:;!~[\]]/.test(slug)) {
+            throw new Error(`Invalid slug "${slug}": contains characters outside the allowed set`);
+          }
+          const entityDir = def.directory ? join7(outputDir, def.directory(entityRow)) : join7(outputDir, directoryRoot, slug);
+          const resolvedDir = resolve3(entityDir);
+          const resolvedBase = resolve3(outputDir);
+          if (!resolvedDir.startsWith(resolvedBase + sep) && resolvedDir !== resolvedBase) {
+            throw new Error(`Path traversal detected: slug "${slug}" escapes output directory`);
+          }
+          mkdirSync5(entityDir, { recursive: true });
+          if (def.attachFileColumn) {
+            const filePath = entityRow[def.attachFileColumn];
+            if (filePath && typeof filePath === "string" && filePath.length > 0) {
+              if (def.attachFileMode === "reference") {
+                const refPath = join7(entityDir, `${basename(filePath)}.ref.md`);
+                try {
+                  atomicWrite(refPath, `# Reference
 
 - **location:** ${filePath}
 `);
-                filesWritten.push(refPath);
-              } catch {
-              }
-            } else {
-              const absPath = isAbsolute(filePath) ? filePath : resolve3(outputDir, filePath);
-              if (existsSync7(absPath)) {
-                const destPath = join7(entityDir, basename(absPath));
-                if (!existsSync7(destPath)) {
-                  try {
-                    copyFileSync2(absPath, destPath);
-                    filesWritten.push(destPath);
-                  } catch {
+                  filesWritten.push(refPath);
+                } catch {
+                }
+              } else {
+                const absPath = isAbsolute(filePath) ? filePath : resolve3(outputDir, filePath);
+                if (existsSync7(absPath)) {
+                  const destPath = join7(entityDir, basename(absPath));
+                  if (!existsSync7(destPath)) {
+                    try {
+                      copyFileSync2(absPath, destPath);
+                      filesWritten.push(destPath);
+                    } catch {
+                    }
                   }
                 }
               }
             }
           }
-        }
-        const renderedFiles = /* @__PURE__ */ new Map();
-        const entityFileHashes = {};
-        const protection = protectedTables.size > 0 ? { protectedTables, currentTable: table } : void 0;
-        for (const [filename, spec] of Object.entries(def.files)) {
-          if (signal?.aborted) return null;
-          const mergeDefaults = def.sourceDefaults && spec.source.type !== "self" && spec.source.type !== "custom" && spec.source.type !== "enriched";
-          const source = mergeDefaults ? { ...def.sourceDefaults, ...spec.source } : spec.source;
-          const rows = await resolveEntitySource(
-            source,
-            entityRow,
-            entityPk,
-            this._adapter,
-            protection
-          );
-          if (spec.omitIfEmpty && rows.length === 0) continue;
-          const renderFn = compileEntityRender(spec.render);
-          const content = truncateContent(renderFn(rows), spec.budget);
-          renderedFiles.set(filename, content);
-          entityFileHashes[filename] = { hash: contentHash(content) };
-          const filePath = join7(entityDir, filename);
-          if (atomicWrite(filePath, content)) {
-            filesWritten.push(filePath);
-          } else {
-            counters.skipped++;
-          }
-        }
-        const fileKeys = Object.keys(def.files);
-        const effectiveCombined = def.combined ?? (fileKeys.length > 1 && renderedFiles.size > 1 ? (
-          // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
-          { outputFile: fileKeys[0] }
-        ) : void 0);
-        if (effectiveCombined && renderedFiles.size > 0) {
-          const excluded = new Set(effectiveCombined.exclude ?? []);
-          const parts = [];
-          for (const filename of Object.keys(def.files)) {
-            if (!excluded.has(filename) && renderedFiles.has(filename)) {
-              parts.push(renderedFiles.get(filename) ?? "");
-            }
-          }
-          if (parts.length > 0) {
-            const combinedContent = parts.join("\n\n---\n\n");
-            const combinedPath = join7(entityDir, effectiveCombined.outputFile);
-            if (atomicWrite(combinedPath, combinedContent)) {
-              filesWritten.push(combinedPath);
+          const renderedFiles = /* @__PURE__ */ new Map();
+          const entityFileHashes = {};
+          const protection = protectedTables.size > 0 ? { protectedTables, currentTable: table } : void 0;
+          for (const [filename, spec] of Object.entries(def.files)) {
+            if (signal?.aborted) return null;
+            const mergeDefaults = def.sourceDefaults && spec.source.type !== "self" && spec.source.type !== "custom" && spec.source.type !== "enriched";
+            const source = mergeDefaults ? { ...def.sourceDefaults, ...spec.source } : spec.source;
+            const rows = await resolveEntitySource(
+              source,
+              entityRow,
+              entityPk,
+              this._adapter,
+              protection
+            );
+            if (spec.omitIfEmpty && rows.length === 0) continue;
+            const renderFn = compileEntityRender(spec.render);
+            const content = truncateContent(renderFn(rows), spec.budget);
+            renderedFiles.set(filename, content);
+            entityFileHashes[filename] = { hash: contentHash(content) };
+            const filePath = join7(entityDir, filename);
+            if (atomicWrite(filePath, content)) {
+              filesWritten.push(filePath);
             } else {
               counters.skipped++;
             }
-            renderedFiles.set(effectiveCombined.outputFile, combinedContent);
-            entityFileHashes[effectiveCombined.outputFile] = { hash: contentHash(combinedContent) };
           }
+          const fileKeys = Object.keys(def.files);
+          const effectiveCombined = def.combined ?? (fileKeys.length > 1 && renderedFiles.size > 1 ? (
+            // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+            { outputFile: fileKeys[0] }
+          ) : void 0);
+          if (effectiveCombined && renderedFiles.size > 0) {
+            const excluded = new Set(effectiveCombined.exclude ?? []);
+            const parts = [];
+            for (const filename of Object.keys(def.files)) {
+              if (!excluded.has(filename) && renderedFiles.has(filename)) {
+                parts.push(renderedFiles.get(filename) ?? "");
+              }
+            }
+            if (parts.length > 0) {
+              const combinedContent = parts.join("\n\n---\n\n");
+              const combinedPath = join7(entityDir, effectiveCombined.outputFile);
+              if (atomicWrite(combinedPath, combinedContent)) {
+                filesWritten.push(combinedPath);
+              } else {
+                counters.skipped++;
+              }
+              renderedFiles.set(effectiveCombined.outputFile, combinedContent);
+              entityFileHashes[effectiveCombined.outputFile] = {
+                hash: contentHash(combinedContent)
+              };
+            }
+          }
+          manifestEntry.entities[slug] = entityFileHashes;
+          const entitiesRendered = i6 + 1;
+          throttle.tick({
+            kind: "table-progress",
+            table,
+            entitiesRendered,
+            entitiesTotal,
+            tableIndex,
+            tableCount,
+            pct: entitiesTotal > 0 ? entitiesRendered / entitiesTotal * 100 : 100
+          });
         }
-        manifestEntry.entities[slug] = entityFileHashes;
-        const entitiesRendered = i6 + 1;
-        throttle.tick({
-          kind: "table-progress",
+        throttle.force({
+          kind: "table-done",
           table,
-          entitiesRendered,
+          entitiesRendered: entitiesTotal,
           entitiesTotal,
           tableIndex,
           tableCount,
-          pct: entitiesTotal > 0 ? entitiesRendered / entitiesTotal * 100 : 100
+          pct: 100
         });
+        return manifestEntry;
       }
-      manifestData[table] = manifestEntry;
-      throttle.force({
-        kind: "table-done",
-        table,
-        entitiesRendered: entitiesTotal,
-        entitiesTotal,
-        tableIndex,
-        tableCount,
-        pct: 100
-      });
+    );
+    if (signal?.aborted) return null;
+    const manifestData = {};
+    for (let i6 = 0; i6 < renderedEntries.length; i6++) {
+      const entry = renderedEntries[i6];
+      if (entry == null) return null;
+      manifestData[entityTables[i6][0]] = entry;
     }
     return manifestData;
   }
@@ -46025,15 +46083,15 @@ async function checkForUpdate(pkgName, currentVersion) {
 import { createServer } from "http";
 import { spawn as spawn2 } from "child_process";
 import {
-  existsSync as existsSync21,
+  existsSync as existsSync22,
   mkdirSync as mkdirSync10,
-  readFileSync as readFileSync16,
-  readdirSync as readdirSync7,
+  readFileSync as readFileSync17,
+  readdirSync as readdirSync8,
   rmSync,
   unlinkSync as unlinkSync5,
   writeFileSync as writeFileSync8
 } from "fs";
-import { basename as basename11, dirname as dirname11, join as join26, resolve as resolve9, sep as sep6 } from "path";
+import { basename as basename11, dirname as dirname12, join as join27, resolve as resolve9, sep as sep6 } from "path";
 import { parseDocument as parseDocument3 } from "yaml";
 
 // src/gui/http.ts
@@ -46064,11 +46122,14 @@ function readJson(req, opts = {}) {
     req.on("error", reject);
   });
 }
-async function tryHandler(res, fn) {
+async function tryHandler(res, fn, label = "request") {
   try {
     await fn();
   } catch (e6) {
-    sendJson(res, { error: e6.message }, 500);
+    const err = e6;
+    console.error(`[gui] ${label} failed: ${err.message}
+${err.stack ?? ""}`);
+    sendJson(res, { error: err.message }, 500);
   }
 }
 
@@ -46714,6 +46775,11 @@ var css = `
     /* \u2500\u2500 Top bar \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 */
     header.topbar {
       display: flex; align-items: center; gap: 12px;
+      /* The topbar's backdrop-filter creates a stacking context; without an
+         explicit z-index it (and its dropdowns like .db-menu) get painted under
+         the main content. 100 keeps dropdowns above the dashboard cards while
+         staying below drawers (120/130), modals (1000), and toasts (2000). */
+      position: relative; z-index: 100;
       min-height: 56px; padding: 8px 20px;
       background: var(--glass);
       -webkit-backdrop-filter: var(--blur); backdrop-filter: var(--blur);
@@ -47871,6 +47937,9 @@ var css = `
       margin-top: 6px; font-size: 12px; color: var(--text-muted); cursor: pointer;
     }
     .rail-composer .composer-private input { cursor: pointer; }
+    /* On a local workspace the toggle is a checked, read-only indicator. */
+    .rail-composer .composer-private.is-disabled { opacity: 0.6; cursor: default; }
+    .rail-composer .composer-private.is-disabled input { cursor: not-allowed; }
     .rail-composer .composer-private-hint { color: var(--text-muted); opacity: 0.8; font-size: 11px; }
     .rail-composer .composer-mic {
       flex: 0 0 auto; height: 38px; width: 38px; font-size: 15px;
@@ -47961,7 +48030,35 @@ var appJs = `
       columnMeta: {},
       systemTables: [],
       preferences: { show_system_tables: false, analytics: true },
-    };
+      // Server-resolved analytics consent (stored pref AND env opt-outs). Drives
+      // window.LatticeGA. False until loaded \u2192 no tracking before consent is known.
+      analyticsEffective: false,
+      // Whether the GUI may "Open in Finder" (LATTICE_LOCAL_OPEN, default on).
+      localOpen: true,
+    };
+
+    // Anonymous analytics passthrough \u2014 a no-op unless window.LatticeGA exists and
+    // consent is on. Params are sanitized to coarse enums/bools/numbers by
+    // LatticeGA.track (never table names, ids, queries, or PII).
+    function gaTrack(name, params) {
+      if (window.LatticeGA) window.LatticeGA.track(name, params || {});
+    }
+    // Coarse route TYPE from the hash \u2014 the prefix segment(s) ONLY, never the
+    // table / row-id / db segments that follow (those would be identifying).
+    // Fed to LatticeGA.pageView (which itself never sends the raw hash).
+    function routeType(hash) {
+      var h = String(hash || '#/');
+      if (h === '#/' || h === '') return 'dashboard';
+      var parts = h.replace(/^#/, '').split('/').filter(Boolean);
+      var top = (parts[0] || 'other').toLowerCase();
+      if (!/^[a-z0-9_-]+$/.test(top)) return 'other';
+      if (top === 'settings') {
+        var sub = (parts[1] || 'root').toLowerCase();
+        return /^[a-z0-9_-]+$/.test(sub) ? 'settings_' + sub : 'settings_root';
+      }
+      if (top === 'fs' || top === 'objects' || top === 'system') return top;
+      return 'other';
+    }
 
     function isSecretColumn(tableName, colName) {
       var t = state.columnMeta[tableName];
@@ -47979,10 +48076,43 @@ var appJs = `
     function displayFor(name) {
       var override = state.iconOverrides[name];
       var base = DISPLAY[name];
-      var icon = (override && override.icon) || (base && base.icon) || DEFAULT_ICON;
+      var icon = (override && override.icon) || (base && base.icon) || autoEmojiFor(name) || DEFAULT_ICON;
       var label = (base && base.label) || titleCase(name);
       return { label: label, icon: icon };
     }
+    // Pick an apt emoji from an entity's NAME when the user hasn't set one and it
+    // isn't in the built-in DISPLAY map. Keyword match against the de-underscored,
+    // lower-cased name; returns null when nothing fits so displayFor falls back to
+    // DEFAULT_ICON ("only if an emoji is apt"). Purely presentational \u2014 no persistence.
+    var AUTO_EMOJI = [
+      [/\\b(meetings?|calendar|events?|appointments?|schedule)\\b/, '\u{1F4C5}'],
+      [/\\b(people|person|contacts?|users?|members?|staff|teams?|customers?|clients?|leads?|attendees?)\\b/, '\u{1F465}'],
+      [/\\b(messages?|emails?|mail|inbox|chats?|conversations?|communications?|comms?)\\b/, '\u2709\uFE0F'],
+      [/\\b(projects?)\\b/, '\u{1F680}'],
+      [/\\b(files?|documents?|docs?|attachments?)\\b/, '\u{1F4C4}'],
+      [/\\b(repos?|repositor(?:y|ies)|commits?|branches?)\\b/, '\u{1F4BF}'],
+      [/\\b(invoices?|payments?|billing|transactions?|expenses?|orders?|purchases?)\\b/, '\u{1F9FE}'],
+      [/\\b(revenue|budgets?|salar(?:y|ies)|prices?|pricing|costs?|finances?|financial)\\b/, '\u{1F4B0}'],
+      [/\\b(companies|company|orgs?|organizations?|accounts?|businesses|business|vendors?|firms?|suppliers?)\\b/, '\u{1F3E2}'],
+      [/\\b(tasks?|todos?|tickets?|issues?|jobs?|bugs?)\\b/, '\u2705'],
+      [/\\b(policies|policy|insurance|claims?|coverage)\\b/, '\u{1F6E1}\uFE0F'],
+      [/\\b(secrets?|credentials?|keys?|tokens?|passwords?)\\b/, '\u{1F510}'],
+      [/\\b(notes?|memos?)\\b/, '\u{1F4DD}'],
+      [/\\b(products?|items?|inventory|skus?)\\b/, '\u{1F4E6}'],
+      [/\\b(reports?|analytics|metrics?|stats?|dashboards?)\\b/, '\u{1F4CA}'],
+      [/\\b(contracts?|agreements?|legal|ndas?)\\b/, '\u{1F4DC}'],
+      [/\\b(certificates?|certs?|licen[cs]es?)\\b/, '\u{1F393}'],
+      [/\\b(properties|property|buildings?|estate|addresses|address|locations?|places?)\\b/, '\u{1F3E0}'],
+      [/\\b(agents?|bots?|assistants?)\\b/, '\u{1F916}'],
+      [/\\b(aliases|alias|tags?|labels?|categor(?:y|ies)|types?)\\b/, '\u{1F3F7}\uFE0F'],
+    ];
+    function autoEmojiFor(name) {
+      var s = String(name || '').replace(/_/g, ' ').toLowerCase();
+      for (var i = 0; i < AUTO_EMOJI.length; i++) {
+        if (AUTO_EMOJI[i][0].test(s)) return AUTO_EMOJI[i][1];
+      }
+      return null;
+    }
     function titleCase(s) {
       return s.replace(/_/g, ' ').replace(/\\b\\w/g, function (c) { return c.toUpperCase(); });
     }
@@ -48175,6 +48305,14 @@ var appJs = `
         state.columnMeta = results[2] || {};
         state.systemTables = (results[3] && results[3].tables) || [];
         state.preferences = results[4] || { show_system_tables: false, analytics: true };
+        state.analyticsEffective = !!(results[4] && results[4].analytics_effective);
+        // local_open defaults true (the server defaults it on) \u2014 drives whether the
+        // file view offers "Open in Finder". Treat a missing field as enabled.
+        state.localOpen = !results[4] || results[4].local_open !== false;
+        // Boot analytics with the resolved consent (no network contact when off),
+        // then record the session open. advanced_mode is a boolean \u2014 safe to send.
+        if (window.LatticeGA) window.LatticeGA.init(state.analyticsEffective);
+        gaTrack('app_open', { advanced_mode: advancedMode() });
         document.body.classList.toggle('advanced-mode', advancedMode());
         wireSettingsDrawer();
         renderWsSwitcher(results[5]);
@@ -48226,6 +48364,21 @@ var appJs = `
       var m = /^#\\/objects\\/([^/]+)/.exec(hash);
       return m ? m[1] : null;
     }
+    // The record the user is currently viewing \u2014 the deepest table/id pair in the
+    // route (a file/row detail). Returned to the chat as activeContext so "this
+    // file"/"this row" resolves to it. null when just browsing a list / dashboard.
+    function activeElement() {
+      var hash = location.hash || '#/';
+      var segs = (typeof fsParse === 'function') ? fsParse(hash) : null;
+      if (segs && segs.length >= 2) {
+        // segments alternate table,id,table,id\u2026 \u2014 take the last complete pair.
+        var lastId = (segs.length % 2 === 0) ? segs.length - 1 : segs.length - 2;
+        if (lastId >= 1) return { table: segs[lastId - 1], id: segs[lastId] };
+      }
+      var m = /^#\\/objects\\/([^/]+)\\/([^/]+)/.exec(hash);
+      if (m) return { table: decodeURIComponent(m[1]), id: decodeURIComponent(m[2]) };
+      return null;
+    }
     // Briefly highlight a row that just changed (data-id === pk) in the view.
     function flashRow(pk) {
       var content = document.getElementById('content');
@@ -48275,9 +48428,12 @@ var appJs = `
     // current view (no badge) so we don't bother suppressing the self-echo.
     function onRealtimeChange(p) {
       if (!p || !p.table_name || !p.pk) return;
+      // The NOTIFY envelope carries owner_role (the editor's login role) +
+      // created_at \u2014 NOT owner_user_id / client_ts (which were never emitted, so
+      // "last edited by" always showed nothing). #4.2
       lastEditedByPk[leKey(p.table_name, p.pk)] = {
-        userId: p.owner_user_id || null,
-        at: p.client_ts || p.created_at || '',
+        userId: p.owner_role || null,
+        at: p.created_at || '',
       };
       if (!isRowDataOp(p.op)) return;
       if (p.table_name === currentViewTable()) flashRow(p.pk);
@@ -48394,6 +48550,10 @@ var appJs = `
      * IndexedDB and replayed on reconnect; returns { queued: true }.
      */
     function rowWrite(method, path, body) {
+      // Coarse, anonymized analytics \u2014 the verb only, never the path/table/ids.
+      var gaEvent =
+        method === 'POST' ? 'row_create' : method === 'PUT' ? 'row_update' : method === 'DELETE' ? 'row_delete' : '';
+      if (gaEvent) gaTrack(gaEvent, {});
       var editId = newEditId();
       var clientTs = new Date().toISOString();
       var item = { editId: editId, method: method, path: path, body: body || null, clientTs: clientTs, status: 'pending', attempts: 0 };
@@ -48454,15 +48614,19 @@ var appJs = `
             body: it.body != null ? JSON.stringify(it.body) : undefined,
           }).then(function (r) {
             if (r.ok) return idbDelete(it.editId);
-            if (r.status === 409) {
-              // Unshared / stale schema \u2014 can't replay; mark failed (kept for
-              // inspection, surfaced) rather than silently dropped.
+            // #4.5 \u2014 ANY 4xx is permanent for a replay: 409 (unshared / stale
+            // schema / row gone), 403 (RLS owner-only), 404 (row not visible),
+            // 400 (bad edit). Mark the edit failed + surface it (dead-letter)
+            // instead of retrying it forever; only 5xx / network errors are
+            // transient and left pending for the next drain. Previously only 409
+            // was caught, so an RLS-rejected edit retried endlessly, unseen.
+            if (r.status >= 400 && r.status < 500) {
               it.status = 'failed';
               return idbPut(it).then(function () {
-                showToast('An offline edit could not sync (the object changed). See pending edits.', {});
+                showToast('An offline edit could not sync (the object changed or you lack access). See pending edits.', {});
               });
             }
-            // Other server error \u2014 leave pending, retry on the next drain.
+            // Transient server error (5xx) \u2014 leave pending, retry on the next drain.
             return Promise.resolve();
           }).then(function () { return step(i + 1); },
           function () { return Promise.resolve(); /* network error \u2014 stop draining */ });
@@ -48578,7 +48742,7 @@ var appJs = `
       var fill = card.querySelector('.card-render-fill');
       if (fill) fill.style.width = clamped + '%';
       var pctEl = card.querySelector('.card-render-pct');
-      if (pctEl) pctEl.textContent = clamped + '%';
+      if (pctEl) pctEl.textContent = 'Rendering ' + clamped + '%...';
     }
     // Clear the overlay for a finished/aborted table.
     function clearCardProgress(table) {
@@ -48767,7 +48931,7 @@ var appJs = `
         else if (e.key === 'Enter') {
           e.preventDefault();
           var q = input.value.trim();
-          if (q) askAssistant(q);
+          if (q) { gaTrack('search', {}); askAssistant(q); } // event only \u2014 never the query text
         }
       });
     }
@@ -48853,6 +49017,7 @@ var appJs = `
 
     /** Standard undo: hit /api/history/undo and refresh views. */
     function undoLast() {
+      gaTrack('history_action', { action: 'undo' });
       return fetchJson('/api/history/undo', { method: 'POST' })
         .then(afterMutation)
         .catch(function (err) { showToast('Undo failed: ' + err.message, {}); });
@@ -48863,12 +49028,14 @@ var appJs = `
     // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
     function wireHistoryControls() {
       document.getElementById('undo-btn').addEventListener('click', function () {
+        gaTrack('history_action', { action: 'undo' });
         fetchJson('/api/history/undo', { method: 'POST' })
           .then(function () { return afterMutation(); })
           .then(function () { showToast('Last change undone', {}); })
           .catch(function (err) { showToast('Undo failed: ' + err.message, {}); });
       });
       document.getElementById('redo-btn').addEventListener('click', function () {
+        gaTrack('history_action', { action: 'redo' });
         fetchJson('/api/history/redo', { method: 'POST' })
           .then(function () { return afterMutation(); })
           .then(function () { showToast('Redone', {}); })
@@ -48916,6 +49083,18 @@ var appJs = `
         state.systemTables = (results[3] && results[3].tables) || [];
         renderWsSwitcher(results[4]);
         renderSidebar();
+        // renderWsSwitcher set cloudMode from the new workspace's kind; re-render
+        // the composer so the Private-mode toggle reflects local vs cloud (it is
+        // forced checked+disabled on local). See #7.
+        renderComposer();
+        // #G \u2014 the chat rail is per-workspace (chat_threads/chat_messages live in
+        // the workspace DB), so a switch/create must reset it to the NEW
+        // workspace's conversation instead of stranding the previous one on screen.
+        // (Reset inline rather than via newChat() so it doesn't fire the
+        // assistant_thread_new analytics event on every switch.)
+        currentThreadId = null;
+        clearChat();
+        refreshThreadList(true);
         if (location.hash !== '#/') location.hash = '#/';
         else renderRoute();
         loadedTables = {};
@@ -49019,6 +49198,7 @@ var appJs = `
           b.addEventListener('click', function () {
             var id = b.getAttribute('data-id');
             if (id === currentId) { menu.hidden = true; return; }
+            gaTrack('workspace_switch', {}); // event only \u2014 never the workspace id/name
             // Surface "switching" on the stable header button for the WHOLE
             // switch (POST + reloadEverything), independent of the ephemeral
             // menu-item withBusy spinner \u2014 the menu can close/rebuild mid-switch.
@@ -49099,6 +49279,10 @@ var appJs = `
       var ul = document.getElementById('object-nav');
       var prefix = advancedMode() ? '#/objects/' : '#/fs/';
       var firstClass = state.entities.tables.filter(function (t) { return !isJunction(t); });
+      // Objects list is ordered alphabetically by display label (case-insensitive).
+      firstClass.sort(function (a, b) {
+        return displayFor(a.name).label.toLowerCase().localeCompare(displayFor(b.name).label.toLowerCase());
+      });
       ul.innerHTML = firstClass.map(function (t) {
         var d = displayFor(t.name);
         var unseen = unseenByTable[t.name] || 0;
@@ -49143,6 +49327,7 @@ var appJs = `
       highlightActive();
       var content = document.getElementById('content');
       var hash = location.hash || '#/';
+      if (window.LatticeGA) window.LatticeGA.pageView(routeType(hash));
 
       if (hash === '#/' || hash === '') { renderDashboard(content); return; }
 
@@ -49240,7 +49425,7 @@ var appJs = `
           // bottom-edge bar (width = %); the pill is the \u27F3 <pct>% corner badge.
           '<div class="card-render" aria-hidden="true">' +
             '<div class="card-render-fill"></div>' +
-            '<span class="card-render-pill"><span class="spinner" aria-hidden="true"></span><span class="card-render-pct">0%</span></span>' +
+            '<span class="card-render-pill"><span class="spinner" aria-hidden="true"></span><span class="card-render-pct">Rendering 0%...</span></span>' +
           '</div>' +
           '</a>';
       }).join('');
@@ -49728,19 +49913,42 @@ var appJs = `
     // Bytes are viewable when there's a local copy OR an S3-backed cloud_ref \u2014 the
     // /blob route resolves local-or-S3 transparently, so the browser just hits it.
     function hasViewableFile(row) {
-      return hasLocalFile(row) ||
-        (row.ref_kind === 'cloud_ref' && row.ref_provider === 's3' && (row.ref_uri || row.blob_path));
+      return hasLocalFile(row) || isS3File(row);
+    }
+    // The file's bytes live in S3 (cloud). Download (not Open in Finder) applies.
+    function isS3File(row) {
+      return row.ref_kind === 'cloud_ref' && row.ref_provider === 's3' && !!(row.ref_uri || row.blob_path);
+    }
+    // True when the row's bytes are reachable on THIS machine's disk (so "Open in
+    // Finder" is meaningful). Mirrors the server's localPathOf: a legacy path, a
+    // local_ref, or a blob/cloud_ref whose blob_path was kept locally.
+    function hasLocalBytes(row) {
+      return !!(
+        row.path ||
+        (row.ref_kind === 'local_ref' && row.ref_uri) ||
+        ((row.ref_kind === 'blob' || row.ref_kind === 'cloud_ref') && row.blob_path)
+      );
+    }
+    var IMAGE_EXTS = ['png','jpg','jpeg','gif','webp','bmp','svg','avif','heic','heif','ico','tif','tiff'];
+    function isImageFile(row) {
+      // Detect by mime, FALLING BACK to the filename extension \u2014 an upload that
+      // didn't record a mime still previews (the inline image was silently missing).
+      if (String(row.mime || '').indexOf('image/') === 0) return true;
+      var name = String(row.original_name || '').toLowerCase();
+      var dot = name.lastIndexOf('.');
+      return dot >= 0 && IMAGE_EXTS.indexOf(name.slice(dot + 1)) >= 0;
     }
     function renderFilePreview(row) {
       var host = document.getElementById('file-preview'); if (!host || !row) return;
       var id = row.id;
       var mime = row.mime || '';
       var blobUrl = '/api/files/' + encodeURIComponent(id) + '/blob';
+      var viewable = hasViewableFile(row);
       var html = '';
       if (row.description) html += '<div class="file-desc">' + escapeHtml(row.description) + '</div>';
-      if (mime.indexOf('image/') === 0 && hasViewableFile(row)) {
+      if (isImageFile(row) && viewable) {
         html += '<img src="' + blobUrl + '" alt="' + escapeHtml(row.original_name || 'image') + '">';
-      } else if (mime === 'application/pdf' && hasViewableFile(row)) {
+      } else if (mime === 'application/pdf' && viewable) {
         html += '<iframe src="' + blobUrl + '" title="PDF preview"></iframe>';
       } else if (row.extracted_text && MD_MIMES.indexOf(mime) >= 0) {
         html += '<div class="md-body">' + mdToHtml(String(row.extracted_text).slice(0, 40000)) + '</div>';
@@ -49750,10 +49958,15 @@ var appJs = `
         html += '<div class="file-unsupported">No inline preview for this file type' +
           (mime ? ' (' + escapeHtml(mime) + ')' : '') + '.</div>';
       }
-      if (hasViewableFile(row)) {
+      // Open in Finder vs Download are MUTUALLY EXCLUSIVE: a file on this machine's
+      // disk opens locally (when LATTICE_LOCAL_OPEN is on); a cloud (S3) file with
+      // no local copy is downloaded. Never both \u2014 there's only ever one source.
+      var canOpen = hasLocalBytes(row) && state.localOpen;
+      var canDownload = isS3File(row) && !hasLocalBytes(row);
+      if (canOpen || canDownload) {
         html += '<div class="file-actions">' +
-          (hasLocalFile(row) ? '<button class="btn" id="file-open">Open in Finder</button>' : '') +
-          '<a class="btn" href="' + blobUrl + '" download="' + escapeHtml(row.original_name || 'file') + '">Download</a>' +
+          (canOpen ? '<button class="btn" id="file-open">Open in Finder</button>' : '') +
+          (canDownload ? '<a class="btn" href="' + blobUrl + '" download="' + escapeHtml(row.original_name || 'file') + '">Download</a>' : '') +
         '</div>';
       }
       host.innerHTML = html;
@@ -50105,6 +50318,7 @@ var appJs = `
       return window.localStorage.getItem(FS_KEYS.advanced) === '1';
     }
     function setAdvancedMode(on) {
+      gaTrack('setting_change', { setting: 'advanced_mode', value: !!on }); // coarse enum + bool
       window.localStorage.setItem(FS_KEYS.advanced, on ? '1' : '0');
       document.body.classList.toggle('advanced-mode', on);
       // Preserve context: map the current location between the file-system
@@ -50607,7 +50821,6 @@ var appJs = `
       var body = document.getElementById('drawer-body');
       if (!body) return;
       if (tab === 'database') renderDatabaseSettings(body);
-      else if (tab === 'chat') renderChatSettings(body);
       else if (tab === 'lattice') renderLatticeSettings(body);
       else renderUserConfig(body);
     }
@@ -50683,7 +50896,8 @@ var appJs = `
     function renderHistory(content) {
       var firstClass = state.entities.tables
         .filter(function (t) { return !isJunction(t); })
-        .map(function (t) { return t.name; });
+        .map(function (t) { return t.name; })
+        .sort(function (a, b) { return displayFor(a).label.toLowerCase().localeCompare(displayFor(b).label.toLowerCase()); });
       var options = '<option value="">All entities</option>' +
         firstClass.map(function (n) {
           var sel = n === historyFilterTable ? ' selected' : '';
@@ -50723,6 +50937,7 @@ var appJs = `
         mount.querySelectorAll('button.history-revert').forEach(function (btn) {
           btn.addEventListener('click', function () {
             var id = btn.getAttribute('data-id');
+            gaTrack('history_action', { action: 'revert' });
             fetchJson('/api/history/revert/' + encodeURIComponent(id), { method: 'POST' })
               .then(afterMutation)
               .then(function () {
@@ -51288,6 +51503,7 @@ var appJs = `
               headers: { 'content-type': 'application/json' },
               body: JSON.stringify({ name: name, icon: icon || undefined }),
             }).then(function () {
+              gaTrack('table_create', {}); // event only \u2014 never the table name
               // New node not in the current graph \u2192 rebuild it (in place, no
               // route change so the drawer scroll is preserved).
               return dmRefreshPanel(name, true);
@@ -51406,6 +51622,8 @@ var appJs = `
       dmLinks.forEach(function (lk) { linkedTargets[lk.other] = 1; });
       var linkTargets = ((state.entities && state.entities.tables) || []).filter(function (rt) {
         return !isJunction(rt) && rt.name !== tableName && !linkedTargets[rt.name];
+      }).sort(function (a, b) {
+        return displayFor(a.name).label.toLowerCase().localeCompare(displayFor(b.name).label.toLowerCase());
       });
       var addLinkHtml = linkTargets.length
         ? '<div class="dm-row-inline" style="margin-top:8px">' +
@@ -51424,22 +51642,30 @@ var appJs = `
       // tables, show no sharing control.
       var canShare = !!(t && t.ownedByMe === true);
       var isShared = !!(t && t.shared);
-      var shareRow = canShare
-        ? '<label>Cloud sharing</label>' +
-          '<div style="display:flex;align-items:center;gap:8px;flex-wrap:wrap">' +
-            '<button class="btn' + (isShared ? '' : ' primary') + '" id="dm-share-btn">' +
-              (isShared ? 'Make private' : 'Share with workspace') +
-            '</button>' +
-            '<span style="font-size:12px;color:var(--text-muted)">' +
-              (isShared ? 'Visible to everyone on this cloud workspace.' : 'Private to you. Share to make it visible to everyone on this cloud workspace.') +
-            '</span>' +
-          '</div>'
-        : '';
+      var neverShare = !!(t && t.neverShare);
+      // A never-share table (e.g. secrets) can NEVER be shared \u2014 its rows are a
+      // hard-private floor \u2014 so the "Share with workspace" button must not exist
+      // for it; show a static note instead.
+      var shareRow = !canShare
+        ? ''
+        : neverShare
+          ? '<label>Cloud sharing</label>' +
+            '<div style="display:flex;align-items:center;gap:8px;flex-wrap:wrap">' +
+              '<span style="font-size:12px;color:var(--text-muted)">\u{1F512} Private to you \u2014 this table is never shared.</span>' +
+            '</div>'
+          : '<label>Cloud sharing</label>' +
+            '<div style="display:flex;align-items:center;gap:8px;flex-wrap:wrap">' +
+              '<button class="btn' + (isShared ? '' : ' primary') + '" id="dm-share-btn">' +
+                (isShared ? 'Make private' : 'Share with workspace') +
+              '</button>' +
+              '<span style="font-size:12px;color:var(--text-muted)">' +
+                (isShared ? 'Visible to everyone on this cloud workspace.' : 'Private to you. Share to make it visible to everyone on this cloud workspace.') +
+              '</span>' +
+            '</div>';
       // Owner-only "new rows default to" control, shown for a shared table.
       // A never-share table's rows are always private, so the default-visibility
       // select is disabled while never-share is on.
       var defaultVis = (t && t.defaultRowVisibility) || 'private';
-      var neverShare = !!(t && t.neverShare);
       var defaultVisRow = canShare && isShared
         ? '<label>New rows default to</label>' +
           '<div style="display:flex;align-items:center;gap:8px;flex-wrap:wrap">' +
@@ -51515,11 +51741,18 @@ var appJs = `
       wireEntityEditPanel(panel, tableName);
       var shareBtn = panel.querySelector('#dm-share-btn');
       if (shareBtn) shareBtn.addEventListener('click', function () {
+        // "Shared" maps to the table's default row visibility = everyone (vs
+        // owner-private) under the 3.1 RLS model, so the toggle drives the
+        // existing default-row-visibility endpoint. (The old /share endpoint was
+        // removed in the RLS rewrite \u2014 calling it 404'd, which is why the control
+        // appeared dead.)
+        var nextVis = isShared ? 'private' : 'everyone';
+        gaTrack('data_model_share', { visibility: nextVis }); // coarse enum only, no table name
         withBusy(shareBtn, function () {
-          return fetchJson('/api/schema/entities/' + encodeURIComponent(tableName) + '/share', {
+          return fetchJson('/api/schema/entities/' + encodeURIComponent(tableName) + '/default-row-visibility', {
             method: 'POST',
             headers: { 'content-type': 'application/json' },
-            body: JSON.stringify({ share: !isShared }),
+            body: JSON.stringify({ visibility: nextVis }),
           }).then(function () {
             // Rebuild the graph (not just the panel) so the node's share-status
             // colour (gnode-shared/gnode-private) recolours immediately from the
@@ -51851,6 +52084,7 @@ var appJs = `
             return fetchJson('/api/schema/entities/' + encodeURIComponent(tableName), {
               method: 'DELETE',
             }).then(function () {
+              gaTrack('table_delete', {}); // event only \u2014 never the table name
               return dmRefreshPanel(null, true);
             }).then(function () {
               showToast('Table "' + tableName + '" deleted', {});
@@ -52182,6 +52416,7 @@ var appJs = `
         }
 
         function submitLocal() {
+          gaTrack('workspace_create', { kind: 'local' }); // coarse enum only, no name
           // Create + activate a new local workspace in the registry (the single
           // source of truth). The friendly name is the workspace display name \u2014
           // no separate slug/config-file/rename dance.
@@ -52202,6 +52437,7 @@ var appJs = `
           // is no per-table sharing at creation time.
           var fields = parsePostgresUrl(wizState.cloudUrl.trim(), wizState.name.trim());
           if (!fields) return Promise.reject(new Error('Cloud URL must be a valid postgres:// connection string.'));
+          gaTrack('workspace_create', { kind: 'cloud' }); // coarse enum only, no name/URL
           return fetchJson('/api/workspaces/create', {
             method: 'POST',
             headers: { 'content-type': 'application/json' },
@@ -52465,8 +52701,11 @@ var appJs = `
             '<span>Send anonymous analytics</span>' +
           '</label>' +
           '<p class="lead" style="margin:8px 0 0;font-size:12px;color:var(--text-muted)">' +
-            'Anonymous analytics will be shared with Lattice using ' +
-            '<a href="https://scarf.sh" target="_blank" rel="noopener">Scarf</a>.' +
+            'Anonymous usage analytics \u2014 via ' +
+            '<a href="https://scarf.sh" target="_blank" rel="noopener">Scarf</a> for installs and ' +
+            'Google Analytics inside the app \u2014 help us improve Lattice. No table or column names, ' +
+            'row data, queries, file names, or personal info are ever sent: only coarse, anonymized ' +
+            'events. Respects Do-Not-Track.' +
           '</p>' +
           '<div id="pref-msg" style="margin-top:8px;font-size:12px;color:var(--text-muted)"></div>' +
         '</div>';
@@ -52487,7 +52726,18 @@ var appJs = `
           .catch(function (e) { msg.textContent = 'Failed: ' + e.message; });
       }
       host.querySelector('#pref-analytics').addEventListener('change', function (e) {
-        savePref({ analytics: !!e.target.checked });
+        var on = !!e.target.checked;
+        // Apply browser-analytics consent immediately. Record the opt-in AFTER
+        // enabling (track needs consent) and the opt-out BEFORE disabling.
+        if (on) {
+          if (window.LatticeGA) window.LatticeGA.setConsent(true);
+          gaTrack('analytics_opt_in', {});
+        } else {
+          gaTrack('analytics_opt_out', {});
+          if (window.LatticeGA) window.LatticeGA.setConsent(false);
+        }
+        state.analyticsEffective = on;
+        savePref({ analytics: on });
       });
     }
 
@@ -52542,11 +52792,15 @@ var appJs = `
           '<h2>Workspace Settings</h2>' +
           '<div id="db-name-host"><div class="placeholder" style="padding:14px">Loading workspace name\u2026</div></div>' +
           '<div id="dbconfig-host"><div class="placeholder" style="padding:18px">Loading database configuration\u2026</div></div>' +
+          // System Prompt subsection \u2014 directly beneath Database connection,
+          // owner-only (the panel renders nothing for members / local).
+          '<div id="system-prompt-host"></div>' +
           '<div id="data-model-host"><div class="placeholder" style="padding:18px">Loading data model\u2026</div></div>' +
           '<div id="db-danger-host"></div>' +
         '</div>';
       renderDatabaseNamePanel(document.getElementById('db-name-host'));
       renderDatabasePanel(document.getElementById('dbconfig-host'));
+      renderSystemPromptPanel(document.getElementById('system-prompt-host'));
       renderDataModelInto(document.getElementById('data-model-host'));
       renderDatabaseDangerZone(document.getElementById('db-danger-host'));
     }
@@ -52788,6 +53042,7 @@ var appJs = `
         host.querySelectorAll('tr.ws-row[data-switch-id]').forEach(function (row) {
           row.addEventListener('click', function () {
             var id = row.getAttribute('data-switch-id');
+            gaTrack('workspace_switch', {}); // event only \u2014 never the workspace id/name
             // Switch the workspace AND close the settings drawer at the same time \u2014
             // close immediately (concurrent with the switch) so it isn't left open.
             closeSettingsDrawer();
@@ -52925,12 +53180,34 @@ var appJs = `
         if (info.state === 'cloud-member') {
           membersHost.innerHTML = '<div style="font-size:12px;color:var(--text-muted)">You are a member of this cloud.</div>';
         } else {
-          membersHost.innerHTML = '<div style="font-size:12px;color:var(--text-muted)">Loading members\u2026</div>';
-          fetchJson('/api/cloud/members').then(function (data) {
-            membersHost.innerHTML = renderMembersList((data && data.members) || []);
-          }).catch(function (e) {
-            membersHost.innerHTML = '<div style="font-size:12px;color:var(--warn)">Could not load members: ' + escapeHtml(e.message) + '</div>';
-          });
+          var loadMembers = function () {
+            membersHost.innerHTML = '<div style="font-size:12px;color:var(--text-muted)">Loading members\u2026</div>';
+            fetchJson('/api/cloud/members').then(function (data) {
+              membersHost.innerHTML = renderMembersList((data && data.members) || [], isOwner);
+              membersHost.querySelectorAll('[data-kick]').forEach(function (btn) {
+                btn.addEventListener('click', function () {
+                  var role = btn.getAttribute('data-kick');
+                  if (!role) return;
+                  if (!window.confirm('Remove this member? They lose access immediately.')) return;
+                  withBusy(btn, function () {
+                    return fetchJson('/api/cloud/remove-member', {
+                      method: 'POST',
+                      headers: { 'content-type': 'application/json' },
+                      body: JSON.stringify({ role: role }),
+                    }).then(function () {
+                      showToast('Member removed', {});
+                      loadMembers();
+                    }).catch(function (e) {
+                      showToast('Could not remove member: ' + (e && e.message ? e.message : e), {});
+                    });
+                  });
+                });
+              });
+            }).catch(function (e) {
+              membersHost.innerHTML = '<div style="font-size:12px;color:var(--warn)">Could not load members: ' + escapeHtml(e.message) + '</div>';
+            });
+          };
+          loadMembers();
         }
       }
       void isOwner;
@@ -52938,18 +53215,27 @@ var appJs = `
 
     /** Members list (owner + member roles), recovered from latticesql 1.14.0
      *  (commit 2862959), adapted to the RLS-cloud member model. */
-    function renderMembersList(members) {
+    function renderMembersList(members, canManage) {
       if (!members.length) {
         return '<div class="members-list"><h4>Members</h4>' +
           '<div style="font-size:12px;color:var(--text-muted)">Just you.</div></div>';
       }
       var rows = members.map(function (m) {
-        var pill = m.isOwner ? 'Owner' : 'Member';
+        var isOwner = m.status === 'owner';
+        var pill = isOwner ? 'Owner' : (m.status === 'invited' ? 'Invited' : 'Member');
+        // Show a human name (display name, else the email's local part, else the
+        // role) + the email \u2014 NOT the bare Postgres role as the primary label.
+        var label = (m.name && String(m.name).trim()) || m.role;
+        var kick = canManage && !m.isYou && !isOwner
+          ? '<button class="btn destructive" data-kick="' + escapeHtml(m.role) + '">Kick</button>'
+          : '';
         return '<div class="member-row" data-role="' + escapeHtml(m.role) + '">' +
-          '<span><code>' + escapeHtml(m.role) + '</code>' +
+          '<span>' + escapeHtml(label) +
             (m.isYou ? ' <span style="color:var(--accent);font-size:11px">(you)</span>' : '') +
-            ' <span class="role-tag' + (m.isOwner ? '' : ' role-member') + '">' + pill + '</span>' +
+            (m.email ? ' <span style="color:var(--text-muted);font-size:11px">' + escapeHtml(m.email) + '</span>' : '') +
+            ' <span class="role-tag' + (isOwner ? '' : ' role-member') + '">' + pill + '</span>' +
           '</span>' +
+          kick +
         '</div>';
       }).join('');
       return '<div class="members-list"><h4>Members</h4>' + rows + '</div>';
@@ -53113,36 +53399,29 @@ var appJs = `
     // Chat settings (drawer tab): the cloud chat system prompt, edited INLINE
     // with a Save button \u2014 no overlay. Owner-only (the GET returns the text only
     // to an owner); members / local workspaces see a short note instead.
-    function renderChatSettings(content) {
-      content.innerHTML =
-        '<div class="teams-page">' +
-          '<h2>Chat</h2>' +
-          '<div id="chat-settings-host"><div class="placeholder" style="padding:18px">Loading\u2026</div></div>' +
-        '</div>';
-      var host = document.getElementById('chat-settings-host');
+    // The cloud chat System Prompt editor \u2014 a subsection of Settings \u2192 Workspace,
+    // beneath Database connection. Owner-only: renders nothing for a member or a
+    // local workspace (the GET reports supported=false / canEdit=false there), so
+    // the subsection simply doesn't appear for them.
+    function renderSystemPromptPanel(host) {
+      if (!host) return;
+      host.innerHTML = '';
       fetchJson('/api/cloud/system-prompt').then(function (cfg) {
-        var panelOpen =
-          '<div class="dbconfig-panel" style="padding:14px;border:1px solid var(--border);border-radius:8px;background:var(--surface)">' +
-            '<h3 style="margin:0 0 8px">Chat system prompt</h3>';
-        if (!cfg || cfg.canEdit !== true) {
-          host.innerHTML = panelOpen +
-            '<p style="font-size:12px;color:var(--text-muted);margin:0">' +
-            'The chat system prompt is owner-only and applies to a cloud workspace. ' +
-            'Nothing to edit here for this workspace.</p></div>';
-          return;
-        }
+        if (!cfg || cfg.supported !== true || cfg.canEdit !== true) return; // owner+cloud only
         var current = typeof cfg.prompt === 'string' ? cfg.prompt : '';
-        host.innerHTML = panelOpen +
-          '<p style="font-size:12px;color:var(--text-muted);margin:0 0 10px">' +
-            'Added to every member chat in this cloud. Members cannot see or edit it \u2014 only you, the owner, can.</p>' +
-          '<textarea id="chat-system-prompt" rows="10" style="width:100%;font-family:inherit;resize:vertical" ' +
-            'placeholder="e.g. Always answer in a formal tone. Our fiscal year starts in July.">' +
-            escapeHtml(current) + '</textarea>' +
-          '<div style="margin-top:10px;display:flex;align-items:center;gap:10px">' +
-            '<button class="btn primary" id="chat-prompt-save">Save</button>' +
-            '<span id="chat-prompt-msg" style="font-size:12px;color:var(--text-muted)"></span>' +
-          '</div>' +
-        '</div>';
+        host.innerHTML =
+          '<div class="dbconfig-panel" style="margin-bottom:18px;padding:14px;border:1px solid var(--border);border-radius:8px;background:var(--surface)">' +
+            '<h3 style="margin:0 0 8px">System Prompt</h3>' +
+            '<p style="font-size:12px;color:var(--text-muted);margin:0 0 10px">' +
+              'Added to every member chat in this cloud workspace. Members cannot see or edit it \u2014 only you, the owner, can.</p>' +
+            '<textarea id="chat-system-prompt" rows="10" style="width:100%;font-family:inherit;resize:vertical" ' +
+              'placeholder="e.g. Always answer in a formal tone. Our fiscal year starts in July.">' +
+              escapeHtml(current) + '</textarea>' +
+            '<div style="margin-top:10px;display:flex;align-items:center;gap:10px">' +
+              '<button class="btn primary" id="chat-prompt-save">Save</button>' +
+              '<span id="chat-prompt-msg" style="font-size:12px;color:var(--text-muted)"></span>' +
+            '</div>' +
+          '</div>';
         var saveBtn = document.getElementById('chat-prompt-save');
         var msg = document.getElementById('chat-prompt-msg');
         if (saveBtn) saveBtn.addEventListener('click', function () {
@@ -53159,9 +53438,8 @@ var appJs = `
             if (msg) msg.textContent = 'Failed: ' + (e && e.message ? e.message : String(e));
           });
         });
-      }).catch(function (err) {
-        host.innerHTML = '<div class="placeholder">Could not load: ' +
-          escapeHtml(err && err.message ? err.message : String(err)) + '</div>';
+      }).catch(function () {
+        // Not a cloud / not the owner / probe failed \u2014 leave the subsection empty.
       });
     }
 
@@ -53188,6 +53466,7 @@ var appJs = `
             headers: { 'content-type': 'application/json' },
             body: JSON.stringify({ email: data.email }),
           }).then(function (res) {
+            gaTrack('member_invite', {}); // event only \u2014 never the invitee email
             showInviteTokenModal(res || {});
           });
         },
@@ -53249,6 +53528,7 @@ var appJs = `
       'added-link':     ['Added', 'link', 'links'],
       'deleted-link':   ['Deleted', 'link', 'links'],
       'created-link':   ['Created', 'link table', 'link tables'],
+      'linked-rel':     ['Linked', 'relationship', 'relationships'],
     };
     function schemaAction(summary) {
       var s = String(summary || '');
@@ -53256,10 +53536,18 @@ var appJs = `
       if (/^Created table/.test(s)) return 'created-table';
       if (/^Deleted table/.test(s)) return 'deleted-table';
       if (/^Renamed table/.test(s)) return 'renamed-table';
-      if (/^Added a column/.test(s)) return 'added-column';
+      // Two emitters: the generic "Added a column to X" and the specific
+      // "Added column(s) a, b to X" (ingest auto-creates columns). Both group.
+      if (/^Added (a )?column/.test(s)) return 'added-column';
       if (/^Renamed a column/.test(s)) return 'renamed-column';
       if (/^Added a link/.test(s)) return 'added-link';
       if (/^Deleted a link/.test(s)) return 'deleted-link';
+      // Junction-materialization summaries ("Linked files \u2194 project",
+      // "Linked authors \u2194 books") from materializeJunction \u2014 these arrive as a
+      // schema op but matched no rule above, so they used to return null and
+      // spam one ungrouped pill per link. Collapse a run into "Linked N
+      // relationships".
+      if (/^Linked .+ \u2194 /.test(s)) return 'linked-rel';
       return null; // unknown schema op: keep it ungrouped (stay honest)
     }
     // Group identical-TYPE events into one counted pill regardless of which
@@ -53567,6 +53855,7 @@ var appJs = `
       feedGroups = {};
     }
     function newChat() {
+      gaTrack('assistant_thread_new', {});
       currentThreadId = null;
       clearChat();
       var sel = document.getElementById('rail-threads');
@@ -53730,6 +54019,8 @@ var appJs = `
     function sendChat(text) {
       if (chatBusy || !text) return;
       chatBusy = true;
+      gaTrack('assistant_message', {}); // no message text \u2014 just the event
+
       // Open a fresh turn scope: this turn's activity cards group together (no
       // window expiry) and their timers measure from now.
       feedTurnId += 1;
@@ -53751,7 +54042,8 @@ var appJs = `
       var privateMode = !!(privEl && privEl.checked);
       fetch('/api/chat', {
         method: 'POST', headers: { 'content-type': 'application/json' },
-        body: JSON.stringify({ message: text, history: historyToSend, threadId: currentThreadId, privateMode: privateMode })
+        // activeContext: the record on screen, so "this file"/"this row" resolves.
+        body: JSON.stringify({ message: text, history: historyToSend, threadId: currentThreadId, privateMode: privateMode, activeContext: activeElement() })
       }).then(function (r) {
         if (!r.ok || !r.body) {
           return r.json().then(function (j) { throw new Error(j.error || ('HTTP ' + r.status)); });
@@ -53960,6 +54252,7 @@ var appJs = `
     }
     function uploadFiles(files) {
       if (!files) return;
+      gaTrack('file_ingest', { count: files.length }); // count only \u2014 never file names
       for (var i = 0; i < files.length; i++) uploadFile(files[i]);
     }
     // Mobile: tapping the handle expands/collapses the bottom drawer.
@@ -54019,9 +54312,14 @@ var appJs = `
             '</div>' +
             // Private mode \u2014 when checked, items the assistant adds on this send
             // stay private to me (passed as privateMode in the /api/chat body).
-            '<label class="composer-private">' +
-              '<input type="checkbox" id="chat-private" /> Private mode ' +
-              '<span class="composer-private-hint">New items I add stay private to you</span>' +
+            // Local workspaces are inherently single-user/private, so on local we
+            // force the box checked + disabled as a read-only indicator (cloudMode
+            // is set from the workspace kind before the composer renders).
+            '<label class="composer-private' + (cloudMode ? '' : ' is-disabled') + '">' +
+              '<input type="checkbox" id="chat-private"' + (cloudMode ? '' : ' checked disabled') + ' /> Private mode ' +
+              '<span class="composer-private-hint">' +
+                (cloudMode ? 'New items I add stay private to you' : 'Local workspaces are always private') +
+              '</span>' +
             '</label>' +
             '<input type="file" id="chat-file" multiple style="display:none">';
           var input = document.getElementById('chat-input');
@@ -54080,6 +54378,90 @@ var appJs = `
   })();
   `;
 
+// src/gui/app/analytics.ts
+var analyticsJs = `
+(function () {
+  var MEASUREMENT_ID = 'G-3M1RPJ4ZB3';
+  var DISABLE_FLAG = 'ga-disable-' + MEASUREMENT_ID;
+  var loaded = false;
+  var consent = false;
+
+  window.dataLayer = window.dataLayer || [];
+  function gtag() { window.dataLayer.push(arguments); }
+
+  function doNotTrack() {
+    var dnt = navigator.doNotTrack || window.doNotTrack || navigator.msDoNotTrack;
+    return dnt === '1' || dnt === 'yes' || dnt === true;
+  }
+
+  // Inject gtag.js exactly once, and only when called (i.e. only with consent).
+  function load() {
+    if (loaded) return;
+    loaded = true;
+    var s = document.createElement('script');
+    s.async = true;
+    s.src = 'https://www.googletagmanager.com/gtag/js?id=' + MEASUREMENT_ID;
+    document.head.appendChild(s);
+    gtag('js', new Date());
+    gtag('config', MEASUREMENT_ID, {
+      send_page_view: false,
+      allow_google_signals: false,
+      allow_ad_personalization_signals: false,
+      anonymize_ip: true,
+    });
+  }
+
+  // Allow only a small, safe set of value types. Strings must be short enum-like
+  // tokens; anything free-form (a table name, email, path, query, row content)
+  // is DROPPED, not sent.
+  function sanitize(params) {
+    var out = {};
+    if (!params || typeof params !== 'object') return out;
+    Object.keys(params).forEach(function (k) {
+      var v = params[k];
+      if (typeof v === 'boolean') out[k] = v;
+      else if (typeof v === 'number' && isFinite(v)) out[k] = v;
+      else if (typeof v === 'string' && /^[a-z0-9_.-]{1,40}$/.test(v)) out[k] = v;
+    });
+    return out;
+  }
+
+  window.LatticeGA = {
+    MEASUREMENT_ID: MEASUREMENT_ID,
+    // Called once at boot with the resolved consent. Loads gtag.js only if
+    // consented (and DNT off); otherwise no network contact happens at all.
+    init: function (enabled) {
+      consent = !!enabled;
+      window[DISABLE_FLAG] = !consent;
+      if (consent && !doNotTrack()) load();
+    },
+    // Toggle consent at runtime (the preferences checkbox). Turning it on lazily
+    // loads gtag.js; turning it off sets GA's own kill switch.
+    setConsent: function (enabled) {
+      consent = !!enabled;
+      window[DISABLE_FLAG] = !consent;
+      if (consent && !doNotTrack()) load();
+    },
+    track: function (name, params) {
+      if (!consent || !loaded) return;
+      if (typeof name !== 'string' || !/^[a-z0-9_]{1,40}$/.test(name)) return;
+      gtag('event', name, sanitize(params));
+    },
+    // A synthetic, non-identifying page_view: only the coarse route TYPE, never
+    // the real hash (which embeds table names / row ids / db names).
+    pageView: function (routeType) {
+      if (!consent || !loaded) return;
+      var t =
+        typeof routeType === 'string' && /^[a-z0-9_-]{1,40}$/.test(routeType) ? routeType : 'unknown';
+      gtag('event', 'page_view', {
+        page_location: 'https://app.lattice.local/' + t,
+        page_title: t,
+      });
+    },
+  };
+})();
+`;
+
 // src/gui/app.ts
 var guiAppHtml = `<!doctype html>
 <html lang="en">
@@ -54171,13 +54553,13 @@ var guiAppHtml = `<!doctype html>
     </div>
     <div class="drawer-tabs" id="drawer-tabs">
       <button class="drawer-tab" data-tab="database">Workspace</button>
-      <button class="drawer-tab" data-tab="chat">Chat</button>
       <button class="drawer-tab" data-tab="lattice">Lattice</button>
       <button class="drawer-tab" data-tab="user">User</button>
     </div>
     <div class="drawer-body" id="drawer-body"></div>
   </aside>
 
+  <script>${analyticsJs}</script>
   <script>${appJs}</script>
 </body>
 </html>`;
@@ -54211,6 +54593,7 @@ function loadPg() {
 }
 var CHANNEL = "lattice_changes";
 var BACKOFF_MS = [1e3, 2e3, 5e3, 1e4];
+var CATCHUP_LIMIT = 500;
 var RealtimeBroker = class {
   url;
   emitter = new EventEmitter();
@@ -54219,6 +54602,11 @@ var RealtimeBroker = class {
   reconnectTimer = null;
   reconnectAttempt = 0;
   stopped = false;
+  /** Highest change seq delivered so far — the catch-up cursor (#4.4). */
+  lastSeq = 0;
+  /** True once an initial connection has succeeded, so a later open is a RECONNECT
+   *  (and should catch up the gap) rather than the first connect (REST seeds it). */
+  hasConnected = false;
   constructor(connectionUrl) {
     if (!isPostgresUrl(connectionUrl)) {
       throw new Error(`RealtimeBroker: connectionUrl must be a postgres:// URL`);
@@ -54248,7 +54636,7 @@ var RealtimeBroker = class {
     client.on("notification", (msg) => {
       if (msg.channel !== CHANNEL) return;
       const payload = parsePayload(msg.payload);
-      if (payload) this.emitter.emit("payload", payload);
+      if (payload) this.deliver(payload);
     });
     try {
       await client.connect();
@@ -54256,6 +54644,8 @@ var RealtimeBroker = class {
       this.client = client;
       this.reconnectAttempt = 0;
       this.setState("connected");
+      if (this.hasConnected) await this.catchUp(client);
+      this.hasConnected = true;
     } catch (err) {
       console.warn("[realtime] LISTEN connect failed:", err.message);
       try {
@@ -54265,6 +54655,42 @@ var RealtimeBroker = class {
       this.scheduleReconnect();
     }
   }
+  /** Emit a payload to subscribers and advance the catch-up cursor (#4.4). */
+  deliver(payload) {
+    if (payload.seq > this.lastSeq) this.lastSeq = payload.seq;
+    this.emitter.emit("payload", payload);
+  }
+  /**
+   * Replay the changes missed during a LISTEN gap (#4.4). Reads them through the
+   * SECURITY DEFINER `lattice_changes_since(cursor, limit)`, which returns ONLY
+   * the rows the connecting role may see (same visibility gate as live fan-out)
+   * and is bounded. Each replayed change is delivered like a live one (advancing
+   * the cursor). Best-effort: any error is logged + skipped (never throws into the
+   * connect path). No-op until we've seen at least one change (cursor at 0 means
+   * the REST load already has the current state — nothing to catch up to).
+   */
+  async catchUp(client) {
+    if (this.lastSeq <= 0) return;
+    try {
+      const r6 = await client.query(
+        `SELECT seq, table_name, pk, op, owner_role, created_at FROM lattice_changes_since($1, $2)`,
+        [this.lastSeq, CATCHUP_LIMIT]
+      );
+      for (const row of r6.rows) {
+        const created = row.created_at;
+        this.deliver({
+          seq: Number(row.seq),
+          table_name: typeof row.table_name === "string" ? row.table_name : null,
+          pk: typeof row.pk === "string" ? row.pk : null,
+          op: typeof row.op === "string" ? row.op : "upsert",
+          owner_role: typeof row.owner_role === "string" ? row.owner_role : null,
+          created_at: created instanceof Date ? created.toISOString() : typeof created === "string" ? created : ""
+        });
+      }
+    } catch (e6) {
+      console.warn("[realtime] catch-up replay failed (skipping):", e6.message);
+    }
+  }
   handleClientError(err) {
     console.warn("[realtime] pg client error:", err.message);
   }
@@ -54321,6 +54747,11 @@ var RealtimeBroker = class {
     this.emitter.removeAllListeners();
   }
 };
+function feedOpForChange(op) {
+  if (op === "upsert" || op === "INSERT" || op === "UPDATE") return "update";
+  if (op === "delete" || op === "DELETE") return "delete";
+  return null;
+}
 function parsePayload(raw) {
   if (!raw) return null;
   try {
@@ -54328,13 +54759,11 @@ function parsePayload(raw) {
     if (typeof obj2.seq !== "number" || typeof obj2.op !== "string") return null;
     return {
       seq: obj2.seq,
-      team_id: typeof obj2.team_id === "string" ? obj2.team_id : "",
       table_name: typeof obj2.table_name === "string" ? obj2.table_name : null,
       pk: typeof obj2.pk === "string" ? obj2.pk : null,
       op: obj2.op,
-      owner_user_id: typeof obj2.owner_user_id === "string" ? obj2.owner_user_id : null,
-      created_at: typeof obj2.created_at === "string" ? obj2.created_at : "",
-      client_ts: typeof obj2.client_ts === "string" ? obj2.client_ts : null
+      owner_role: typeof obj2.owner_role === "string" ? obj2.owner_role : null,
+      created_at: typeof obj2.created_at === "string" ? obj2.created_at : ""
     };
   } catch {
     return null;
@@ -54345,7 +54774,7 @@ function parsePayload(raw) {
 async function cloudRlsInstalled(probe) {
   const row = await getAsyncOrSync(
     probe.adapter,
-    `SELECT to_regclass('public.__lattice_owners') AS reg`
+    `SELECT to_regclass('__lattice_owners') AS reg`
   );
   return !!row && row.reg != null;
 }
@@ -54395,6 +54824,25 @@ async function probeCloud(targetUrl) {
     }
   }
 }
+async function claimMemberInvite(targetUrl) {
+  let conn = null;
+  try {
+    conn = new Lattice(targetUrl);
+    await conn.init({ introspectOnly: true });
+    const row = await getAsyncOrSync(conn.adapter, `SELECT lattice_claim_invite() AS ok`);
+    const ok = row?.ok;
+    return { claimed: ok === true || ok === "t" || ok === 1 };
+  } catch (e6) {
+    return { claimed: false, error: e6.message };
+  } finally {
+    if (conn) {
+      try {
+        conn.close();
+      } catch {
+      }
+    }
+  }
+}
 
 // src/cloud/discover.ts
 async function discoverCloudTables(db) {
@@ -54429,10 +54877,20 @@ async function discoverCloudTables(db) {
   return out;
 }
 
-// src/cloud/members.ts
-import { randomBytes as randomBytes5 } from "crypto";
-
 // src/cloud/rls.ts
+async function runCloudBootstrapSql(db, sql) {
+  const adapter = db.adapter;
+  if (adapter.withClient) {
+    await adapter.withClient(async (tx) => {
+      await tx.run("SELECT pg_advisory_xact_lock($1::bigint)", [
+        LATTICE_MIGRATION_LOCK_ID.toString()
+      ]);
+      await tx.run(sql);
+    });
+  } else {
+    await runAsyncOrSync(adapter, sql);
+  }
+}
 function isPg(db) {
   return db.getDialect() === "postgres";
 }
@@ -54566,12 +55024,42 @@ CREATE TABLE IF NOT EXISTS "__lattice_member_invites" (
   "id"          text PRIMARY KEY,
   "role"        text NOT NULL,
   "email_hash"  text NOT NULL,
+  "email"       text,
   "created_by"  text NOT NULL DEFAULT session_user,
   "created_at"  timestamptz NOT NULL DEFAULT now(),
   "expires_at"  timestamptz NOT NULL,
   "redeemed_at" timestamptz,
   "revoked_at"  timestamptz
 );
+-- Plaintext invitee email (owner-only table; members have no grant) so the
+-- owner's Members list can show who each member is. Added via ALTER so clouds
+-- created before this column converge to it on the owner's next open (the
+-- bootstrap is now run directly + idempotently, not version-gated).
+ALTER TABLE "__lattice_member_invites" ADD COLUMN IF NOT EXISTS "email" text;
+
+-- #3.1 \u2014 one-time-use + revocation enforcement. After a member authenticates to
+-- the cloud with their minted credential, the join path calls this to CLAIM the
+-- invite. The single atomic UPDATE stamps redeemed_at and returns true ONLY when
+-- an invite for the CALLING role (session_user) is still pending: not already
+-- redeemed (one-time-use), not revoked, and not expired. A replayed redeem of a
+-- leaked token, a revoked invite, or an expired one returns false, so the caller
+-- rejects the join. Members have no direct grant on the owner-only
+-- __lattice_member_invites table \u2014 this SECURITY DEFINER function is the only
+-- path, and it can claim ONLY the caller's own invite (keyed on session_user,
+-- never a caller-supplied parameter, so one member can't burn another's invite).
+CREATE OR REPLACE FUNCTION lattice_claim_invite()
+RETURNS boolean LANGUAGE plpgsql SECURITY DEFINER AS $fn$
+DECLARE v_ok boolean;
+BEGIN
+  UPDATE "__lattice_member_invites"
+     SET "redeemed_at" = now()
+   WHERE "role" = session_user
+     AND "redeemed_at" IS NULL
+     AND "revoked_at" IS NULL
+     AND "expires_at" > now()
+  RETURNING true INTO v_ok;
+  RETURN COALESCE(v_ok, false);
+END $fn$;
 
 -- Visibility check. SECURITY DEFINER so it reads bookkeeping the member can't;
 -- keyed on session_user (the member's login role). A row with no ownership record
@@ -54854,6 +55342,62 @@ END $fn$;
 DROP TRIGGER IF EXISTS "lattice_notify_change_trg" ON "__lattice_changes";
 CREATE TRIGGER "lattice_notify_change_trg" AFTER INSERT ON "__lattice_changes"
   FOR EACH ROW EXECUTE FUNCTION lattice_notify_change();
+
+-- #4.4 \u2014 seq-based catch-up after a realtime gap. NOTIFY is fire-and-forget, so a
+-- broker that drops its LISTEN (network blip, laptop sleep) misses every change
+-- during the gap. The broker tracks the highest seq it delivered and, on
+-- reconnect, replays what it missed via this function. Members have NO direct
+-- grant on __lattice_changes (reading it raw would leak every change on the
+-- cloud), so this SECURITY DEFINER function is the only path and it returns ONLY
+-- the rows the CALLING role can see: keyed on session_user via lattice_row_visible
+-- (same gate as live fan-out, #4.3). Deletes are excluded \u2014 the ownership record
+-- is gone post-delete so visibility can't be verified, and replaying them would
+-- leak deleted-row pks (the client reconciles deletes on its reconnect refetch).
+-- Bounded (LIMIT clamped \u2264 1000) so a long gap can't stream the whole table (Rule:
+-- bounded reads on a hot path).
+CREATE OR REPLACE FUNCTION lattice_changes_since(p_seq bigint, p_limit int)
+RETURNS TABLE(seq bigint, table_name text, pk text, op text, owner_role text, created_at timestamptz)
+LANGUAGE sql STABLE SECURITY DEFINER AS $fn$
+  SELECT c."seq", c."table_name", c."pk", c."op", c."owner_role", c."created_at"
+    FROM "__lattice_changes" c
+   WHERE c."seq" > p_seq
+     AND c."op" = 'upsert'
+     AND lattice_row_visible(c."table_name", c."pk")
+   ORDER BY c."seq" ASC
+   LIMIT GREATEST(0, LEAST(COALESCE(p_limit, 500), 1000));
+$fn$;
+
+-- #2.1 \u2014 per-row access summary for the connecting role. The GUI attaches this as
+-- each row's _access so the sharing affordance renders, but __lattice_owners is
+-- owner-only bookkeeping (members have no grant), so a member reading it directly
+-- got "permission denied". This SECURITY DEFINER function returns visibility +
+-- whether the CALLER owns the row, ONLY for the rows the caller can actually see
+-- (lattice_row_visible, keyed on session_user) \u2014 so a member learns nothing about
+-- rows hidden from it. Member-callable; the owner gets the same view of its rows.
+CREATE OR REPLACE FUNCTION lattice_rows_access(p_table text, p_pks text[])
+RETURNS TABLE(pk text, visibility text, owned boolean)
+LANGUAGE sql STABLE SECURITY DEFINER AS $fn$
+  SELECT o."pk", o."visibility", (o."owner_role" = session_user) AS owned
+    FROM "__lattice_owners" o
+   WHERE o."table_name" = p_table
+     AND o."pk" = ANY(p_pks)
+     AND lattice_row_visible(o."table_name", o."pk");
+$fn$;
+
+-- #2.1 \u2014 grantees of a CALLER-OWNED custom-shared row (who you shared YOUR row
+-- with). Only the row owner sees this (the WHERE pins owner_role = session_user),
+-- so a member can't enumerate another owner's grants. __lattice_row_grants is
+-- member-ungranted, so this SECURITY DEFINER function is the member-safe path.
+CREATE OR REPLACE FUNCTION lattice_row_grantees(p_table text, p_pks text[])
+RETURNS TABLE(pk text, grantee_role text)
+LANGUAGE sql STABLE SECURITY DEFINER AS $fn$
+  SELECT g."pk", g."grantee_role"
+    FROM "__lattice_row_grants" g
+    JOIN "__lattice_owners" o ON o."table_name" = g."table_name" AND o."pk" = g."pk"
+   WHERE g."table_name" = p_table
+     AND g."pk" = ANY(p_pks)
+     AND o."owner_role" = session_user;
+$fn$;
 `;
 function tableRlsSql(table, pkCols) {
   const q3 = `"${table.replace(/"/g, '""')}"`;
@@ -54921,28 +55465,14 @@ CREATE TRIGGER "${trg}" AFTER INSERT OR UPDATE OR DELETE ON ${q3}
 async function installCloudRls(db) {
   if (!isPg(db)) return;
   const schema = await cloudSchema(db);
-  const migration = {
-    // v3 added the audience helpers; v4 the role model; v5 the per-card override
-    // model (__lattice_cell_grants + lattice_cell_visible / lattice_grant_cell);
-    // v6 added per-table policy (__lattice_table_policy: default_row_visibility +
-    // never_share, enforced in the insert trigger + share/grant guards), the
-    // canonical column-audience store (__lattice_column_policy), lattice_is_owner,
-    // and the owner-only setters; v7 pins search_path on every SECURITY DEFINER
-    // helper (closes the pg_temp-shadow RLS bypass) + revokes schema CREATE from
-    // PUBLIC. The bootstrap is fully idempotent.
-    version: "internal:cloud-rls:bootstrap:v7",
-    sql: pinDefinerSearchPath(CLOUD_RLS_BOOTSTRAP_SQL, schema) + revokeSchemaCreateSql(schema)
-  };
-  await db.migrate([migration]);
+  const sql = pinDefinerSearchPath(CLOUD_RLS_BOOTSTRAP_SQL, schema) + revokeSchemaCreateSql(schema);
+  await runCloudBootstrapSql(db, sql);
 }
 async function enableChangelogRls(db) {
   if (!isPg(db)) return;
-  const migration = {
-    // v2: ground-truth/audit entries are owner-only (was lattice_row_visible),
-    // closing the masked-column-via-history leak. Bump re-installs the policy on
-    // existing clouds.
-    version: "internal:cloud-rls:changelog:v2",
-    sql: `
+  await runCloudBootstrapSql(
+    db,
+    `
 ALTER TABLE "__lattice_changelog" ENABLE ROW LEVEL SECURITY;
 ALTER TABLE "__lattice_changelog" FORCE ROW LEVEL SECURITY;
 GRANT SELECT, INSERT ON "__lattice_changelog" TO ${MEMBER_GROUP};
@@ -54952,6 +55482,7 @@ CREATE POLICY "lattice_changelog_sel" ON "__lattice_changelog" FOR SELECT USING
   CASE
     WHEN "change_kind" = 'derived' THEN
       "source_ref" IS NOT NULL
+      AND jsonb_array_length("source_ref"::jsonb) > 0
       AND NOT EXISTS (
         SELECT 1 FROM jsonb_array_elements_text("source_ref"::jsonb) AS src(sid)
          WHERE NOT lattice_source_visible(src.sid)
@@ -54962,8 +55493,7 @@ CREATE POLICY "lattice_changelog_sel" ON "__lattice_changelog" FOR SELECT USING
 DROP POLICY IF EXISTS "lattice_changelog_ins" ON "__lattice_changelog";
 CREATE POLICY "lattice_changelog_ins" ON "__lattice_changelog" FOR INSERT WITH CHECK (true);
 `
-  };
-  await db.migrate([migration]);
+  );
 }
 async function enableRlsForTable(db, table, pkCols) {
   if (!isPg(db)) return;
@@ -54987,7 +55517,87 @@ async function backfillOwnership(db, table, pkCols) {
   );
 }
 
+// src/cloud/settings.ts
+import { createHash as createHash2, randomBytes as randomBytes5 } from "crypto";
+var CLOUD_SETTING_SYSTEM_PROMPT = "chat_system_prompt";
+var CLOUD_SETTING_INVITE_SALT = "invite_email_salt";
+async function getOrCreateInviteSalt(db) {
+  const existing = await getCloudSettingStrict(db, CLOUD_SETTING_INVITE_SALT);
+  if (existing) return existing;
+  const salt = randomBytes5(16).toString("hex");
+  await setCloudSetting(db, CLOUD_SETTING_INVITE_SALT, salt);
+  return salt;
+}
+function hashInviteEmail(salt, email) {
+  return createHash2("sha256").update(`${salt}
+${email.trim().toLowerCase()}`).digest("hex");
+}
+var CLOUD_SETTINGS_BOOTSTRAP_SQL = `
+-- Owner-controlled, cloud-wide key/value settings. No grant to the member group,
+-- so a member's SELECT is denied (the VALUE is unreadable \u2014 the catalog may still
+-- reveal the table exists, like every other __lattice_* table); the SECURITY
+-- DEFINER getter below is the only member-reachable read path.
+CREATE TABLE IF NOT EXISTS "__lattice_cloud_settings" (
+  "key"        text PRIMARY KEY,
+  "value"      text,
+  "updated_by" text NOT NULL DEFAULT session_user,
+  "updated_at" timestamptz NOT NULL DEFAULT now()
+);
+
+-- Read a setting. SECURITY DEFINER so a scoped member (no direct grant on the
+-- table) can still read it to inject into their own chat. App-mediated ceiling:
+-- this returns the value to whoever calls it, so the secrecy is at the product
+-- surface (UI + API), not against a member's own SQL session.
+CREATE OR REPLACE FUNCTION lattice_get_cloud_setting(p_key text)
+RETURNS text LANGUAGE sql STABLE SECURITY DEFINER AS $fn$
+  SELECT "value" FROM "__lattice_cloud_settings" WHERE "key" = p_key LIMIT 1
+$fn$;
+
+-- Owner-only write. Raises unless the caller can create roles (a cloud owner /
+-- DBA) \u2014 members get no write path even though the function is callable.
+CREATE OR REPLACE FUNCTION lattice_set_cloud_setting(p_key text, p_value text)
+RETURNS void LANGUAGE plpgsql SECURITY DEFINER AS $fn$
+BEGIN
+  IF NOT (SELECT rolcreaterole FROM pg_roles WHERE rolname = session_user) THEN
+    RAISE EXCEPTION 'lattice: only a cloud owner may change workspace settings';
+  END IF;
+  INSERT INTO "__lattice_cloud_settings" ("key", "value", "updated_by", "updated_at")
+    VALUES (p_key, p_value, session_user, now())
+    ON CONFLICT ("key") DO UPDATE
+      SET "value" = EXCLUDED."value", "updated_by" = session_user, "updated_at" = now();
+END $fn$;
+`;
+async function installCloudSettings(db) {
+  if (db.getDialect() !== "postgres") return;
+  const schema = await cloudSchema(db);
+  await runCloudBootstrapSql(db, pinDefinerSearchPath(CLOUD_SETTINGS_BOOTSTRAP_SQL, schema));
+}
+async function getCloudSetting(db, key) {
+  if (db.getDialect() !== "postgres") return null;
+  try {
+    const row = await getAsyncOrSync(db.adapter, `SELECT lattice_get_cloud_setting(?) AS value`, [
+      key
+    ]);
+    const v2 = row?.value;
+    return typeof v2 === "string" && v2.length > 0 ? v2 : null;
+  } catch {
+    return null;
+  }
+}
+async function getCloudSettingStrict(db, key) {
+  if (db.getDialect() !== "postgres") return null;
+  const row = await getAsyncOrSync(db.adapter, `SELECT lattice_get_cloud_setting(?) AS value`, [
+    key
+  ]);
+  const v2 = row?.value;
+  return typeof v2 === "string" && v2.length > 0 ? v2 : null;
+}
+async function setCloudSetting(db, key, value) {
+  await runAsyncOrSync(db.adapter, `SELECT lattice_set_cloud_setting(?, ?)`, [key, value]);
+}
+
 // src/cloud/members.ts
+import { randomBytes as randomBytes6 } from "crypto";
 var ROLE_RE = /^[A-Za-z_][A-Za-z0-9_]{0,62}$/;
 var HEX_PW_RE = /^[0-9a-f]{16,}$/;
 function assertPg(db) {
@@ -54998,11 +55608,11 @@ function assertPg(db) {
   }
 }
 function generateMemberPassword() {
-  return randomBytes5(24).toString("hex");
+  return randomBytes6(24).toString("hex");
 }
 function memberRoleName(label) {
   const base = label.toLowerCase().replace(/[^a-z0-9]+/g, "_").replace(/^_+|_+$/g, "").slice(0, 48) || "member";
-  return `lm_${base}_${randomBytes5(3).toString("hex")}`.slice(0, 63);
+  return `lm_${base}_${randomBytes6(3).toString("hex")}`.slice(0, 63);
 }
 async function provisionMemberRole(db, role, password) {
   assertPg(db);
@@ -55016,7 +55626,12 @@ async function provisionMemberRole(db, role, password) {
        IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = '${role}') THEN
          CREATE ROLE "${role}" LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE PASSWORD '${password}';
        ELSE
-         ALTER ROLE "${role}" WITH LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE PASSWORD '${password}';
+         -- Re-invite of an EXISTING role: set ONLY what changed (login + password).
+         -- Restating NOSUPERUSER/superuser-class attrs trips Supabase supautils
+         -- ("only superuser may alter the SUPERUSER attribute", 42501) since the
+         -- owner 'postgres' isn't a true superuser. The role was already created
+         -- NOSUPERUSER NOCREATEDB NOCREATEROLE, so there is nothing to restate.
+         ALTER ROLE "${role}" WITH LOGIN PASSWORD '${password}';
        END IF;
      END $LATTICE$`
   );
@@ -55038,13 +55653,10 @@ async function rowAccessSummaries(db, table, pks) {
   const out = /* @__PURE__ */ new Map();
   if (db.getDialect() !== "postgres" || pks.length === 0) return out;
   if (!await cloudRlsInstalled(db)) return out;
-  const placeholders = pks.map(() => "?").join(", ");
   const owners = await allAsyncOrSync(
     db.adapter,
-    `SELECT "pk", "visibility", ("owner_role" = session_user) AS owned
-       FROM "__lattice_owners"
-      WHERE "table_name" = ? AND "pk" IN (${placeholders})`,
-    [table, ...pks]
+    `SELECT "pk", "visibility", "owned" FROM lattice_rows_access(?, ?)`,
+    [table, [...pks]]
   );
   for (const o3 of owners) {
     out.set(o3.pk, {
@@ -55054,12 +55666,10 @@ async function rowAccessSummaries(db, table, pks) {
   }
   const customPks = owners.filter((o3) => o3.visibility === "custom").map((o3) => o3.pk);
   if (customPks.length > 0) {
-    const cph = customPks.map(() => "?").join(", ");
     const grants = await allAsyncOrSync(
       db.adapter,
-      `SELECT "pk", "grantee_role" FROM "__lattice_row_grants"
-         WHERE "table_name" = ? AND "pk" IN (${cph})`,
-      [table, ...customPks]
+      `SELECT "pk", "grantee_role" FROM lattice_row_grantees(?, ?)`,
+      [table, customPks]
     );
     for (const g6 of grants) {
       const a6 = out.get(g6.pk);
@@ -55103,6 +55713,31 @@ async function revokeCell(db, table, pk, column, grantee) {
     grantee
   ]);
 }
+async function revokeMemberRole(db, role) {
+  assertPg(db);
+  if (!ROLE_RE.test(role)) throw new Error(`lattice: invalid member role name "${role}"`);
+  const exists = await getAsyncOrSync(
+    db.adapter,
+    `SELECT 1 AS x FROM pg_roles WHERE rolname = ?`,
+    [role]
+  );
+  if (!exists) return;
+  for (const stmt of [`REASSIGN OWNED BY "${role}" TO CURRENT_USER`, `DROP OWNED BY "${role}"`]) {
+    try {
+      await runAsyncOrSync(db.adapter, stmt);
+    } catch (e6) {
+      if (!isInsufficientPrivilege(e6)) throw e6;
+      console.warn(
+        `[cloud] "${stmt.split(" ").slice(0, 2).join(" ")} \u2026" skipped (insufficient privilege; a scoped member owns no objects): ${e6.message}`
+      );
+    }
+  }
+  await runAsyncOrSync(db.adapter, `DROP ROLE IF EXISTS "${role}"`);
+}
+function isInsufficientPrivilege(e6) {
+  const err = e6 ?? {};
+  return err.code === "42501" || /permission denied/i.test(err.message ?? "");
+}
 
 // src/gui/feed.ts
 import { EventEmitter as EventEmitter2 } from "events";
@@ -55155,6 +55790,9 @@ var FeedBus = class {
   }
 };
 
+// src/gui/mutations.ts
+import { createHash as createHash3 } from "crypto";
+
 // src/cloud/audience.ts
 var ROLE_NAME_RE = /^[A-Za-z0-9_-]{1,63}$/;
 var COL_RE = /^[A-Za-z_][A-Za-z0-9_]{0,62}$/;
@@ -55341,7 +55979,7 @@ function sessionUndoneFilters(undone, sessionId) {
   if (sessionId) filters.push({ col: "session_id", op: "eq", val: sessionId });
   return filters;
 }
-async function appendAudit(db, feed, table, rowId, op, before, after, source = "gui", sessionId) {
+async function appendAudit(db, feed, table, rowId, op, before, after, source = "gui", sessionId, editTs) {
   const undone = await db.query("_lattice_gui_audit", {
     filters: sessionUndoneFilters(1, sessionId)
   });
@@ -55350,9 +55988,10 @@ async function appendAudit(db, feed, table, rowId, op, before, after, source = "
     id: crypto.randomUUID(),
     // Set ts explicitly (don't rely on the column DEFAULT — it uses the
     // SQLite-only `strftime(...)`, which doesn't yield a parseable ISO string
-    // on Postgres, so cloud history rendered "Invalid Date"). Mirrors the
-    // explicit `client_ts` below; adapter-agnostic.
-    ts: (/* @__PURE__ */ new Date()).toISOString(),
+    // on Postgres, so cloud history rendered "Invalid Date"). #4.6 — honor the
+    // originating client's validated edit time when present (an offline edit
+    // replayed later records when it was MADE, not when it synced), else now().
+    ts: sanitizeEditTs(editTs) ?? (/* @__PURE__ */ new Date()).toISOString(),
     table_name: table,
     row_id: rowId,
     operation: op,
@@ -55394,6 +56033,16 @@ async function recordSchemaAudit(db, feed, table, operation2, before, after, sum
   });
   feed.publish({ table, op: "schema", rowId: null, source, summary });
 }
+function sanitizeEditTs(raw) {
+  if (!raw) return null;
+  const t8 = Date.parse(raw);
+  if (Number.isNaN(t8)) return null;
+  if (t8 > Date.now() + 5 * 60 * 1e3) return null;
+  return new Date(t8).toISOString();
+}
+function writeConflict(message) {
+  return Object.assign(new Error(message), { code: "row_write_conflict" });
+}
 function inferColumnType(v2) {
   if (typeof v2 === "number") return Number.isInteger(v2) ? "INTEGER" : "REAL";
   if (typeof v2 === "boolean") return "INTEGER";
@@ -55428,13 +56077,38 @@ async function announceAddedColumns(ctx, table, added) {
     ctx.sessionId
   );
 }
-async function createRow(ctx, table, values, forceVisibility) {
-  const addedCols = await ensureColumns(ctx.db, table, values);
+function deriveRowIdFromEditId(editId) {
+  return createHash3("sha256").update(editId).digest("hex").slice(0, 32);
+}
+async function createRow(ctx, table, values, forceVisibility, editId) {
+  const pk = ctx.db.getPrimaryKey(table);
+  const isDefaultPk = pk.length === 1 && pk[0] === "id";
+  let toInsert = values;
+  if (editId && isDefaultPk) {
+    const provided = values.id;
+    const hasId = typeof provided === "string" || typeof provided === "number";
+    const targetId = hasId ? String(provided) : deriveRowIdFromEditId(editId);
+    if (!hasId) toInsert = { ...values, id: targetId };
+    const existing = await ctx.db.get(table, targetId);
+    if (existing !== null) return { id: targetId, row: existing, idempotent: true };
+  }
+  const addedCols = await ensureColumns(ctx.db, table, toInsert);
   await announceAddedColumns(ctx, table, addedCols);
-  const id = forceVisibility !== void 0 ? await ctx.db.insertForcingVisibility(table, values, forceVisibility) : await ctx.db.insert(table, values);
+  const id = forceVisibility !== void 0 ? await ctx.db.insertForcingVisibility(table, toInsert, forceVisibility) : await ctx.db.insert(table, toInsert);
   const row = await ctx.db.get(table, id);
-  await appendAudit(ctx.db, ctx.feed, table, id, "insert", null, row, ctx.source, ctx.sessionId);
-  return { id, row };
+  await appendAudit(
+    ctx.db,
+    ctx.feed,
+    table,
+    id,
+    "insert",
+    null,
+    row,
+    ctx.source,
+    ctx.sessionId,
+    ctx.clientTs
+  );
+  return { id, row, idempotent: false };
 }
 function storedValueMatches(stored, requested) {
   if (stored === requested) return true;
@@ -55453,7 +56127,7 @@ function rowsEqual(a6, b6) {
 async function updateRow(ctx, table, id, values) {
   const before = await ctx.db.get(table, id);
   if (before === null) {
-    throw new Error(`Cannot update "${table}": no row with id "${id}"`);
+    throw writeConflict(`Cannot update "${table}": no row with id "${id}"`);
   }
   const addedCols = await ensureColumns(ctx.db, table, values);
   await announceAddedColumns(ctx, table, addedCols);
@@ -55464,7 +56138,7 @@ async function updateRow(ctx, table, id, values) {
       (k6) => !storedValueMatches(before[k6], values[k6])
     );
     if (wantedChange && rowsEqual(before, after)) {
-      throw new Error("Row update did not persist \u2014 the data source may be read-only");
+      throw writeConflict("Row update did not persist \u2014 the data source may be read-only");
     }
   }
   await appendAudit(
@@ -55476,14 +56150,15 @@ async function updateRow(ctx, table, id, values) {
     before,
     after,
     ctx.source,
-    ctx.sessionId
+    ctx.sessionId,
+    ctx.clientTs
   );
   return { row: after };
 }
 async function deleteRow(ctx, table, id, hard) {
   const before = await ctx.db.get(table, id);
   if (before === null) {
-    throw new Error(`Cannot delete from "${table}": no row with id "${id}"`);
+    throw writeConflict(`Cannot delete from "${table}": no row with id "${id}"`);
   }
   if (!hard && ctx.softDeletable.has(table)) {
     await ctx.db.update(table, id, { deleted_at: (/* @__PURE__ */ new Date()).toISOString() });
@@ -55497,7 +56172,8 @@ async function deleteRow(ctx, table, id, hard) {
       before,
       after,
       ctx.source,
-      ctx.sessionId
+      ctx.sessionId,
+      ctx.clientTs
     );
   } else {
     await ctx.db.delete(table, id);
@@ -55510,7 +56186,8 @@ async function deleteRow(ctx, table, id, hard) {
       before,
       null,
       ctx.source,
-      ctx.sessionId
+      ctx.sessionId,
+      ctx.clientTs
     );
   }
 }
@@ -55669,7 +56346,49 @@ function saveConfigDoc(configPath, doc) {
   writeFileSync6(configPath, doc.toString(), "utf8");
 }
 
+// src/cloud/setup.ts
+async function secureNewCloudTable(db, table, pk) {
+  if (db.getDialect() !== "postgres") return;
+  if (table.startsWith("__lattice_") || table.startsWith("_lattice_")) return;
+  if (pk.length === 0) return;
+  await backfillOwnership(db, table, pk);
+  await enableRlsForTable(db, table, pk);
+  const cols = db.getRegisteredColumns(table);
+  if (cols) {
+    await seedColumnPolicyFromYaml(db, table, db.getColumnAudience(table));
+    await regenerateAudienceViewFromDb(db, table, Object.keys(cols), pk);
+  }
+}
+async function secureCloud(db) {
+  if (db.getDialect() !== "postgres") return;
+  await installCloudRls(db);
+  await installCloudSettings(db);
+  await db.ensureObservationSubstrate();
+  await enableChangelogRls(db);
+  const registered = db.getRegisteredTableNames();
+  for (const table of registered) {
+    await secureNewCloudTable(db, table, db.getPrimaryKey(table));
+  }
+  if (registered.includes("secrets")) {
+    await runAsyncOrSync(db.adapter, `SELECT lattice_set_table_never_share('secrets', true)`);
+  }
+  await runAsyncOrSync(
+    db.adapter,
+    `DO $LATTICE$ BEGIN
+       IF to_regclass('__lattice_user_identity') IS NOT NULL THEN
+         EXECUTE 'GRANT SELECT, INSERT, UPDATE ON "__lattice_user_identity" TO ${MEMBER_GROUP}';
+       END IF;
+     END $LATTICE$`
+  );
+}
+
 // src/gui/schema-ops.ts
+async function secureRuntimeTableIfCloud(active, name, pk) {
+  const db = active.db;
+  if (db.getDialect() !== "postgres") return;
+  if (!(await cloudRlsInstalled(db) && await canManageRoles(db))) return;
+  await secureNewCloudTable(db, name, pk);
+}
 async function listPhysicalUserTables(active) {
   const adapter = active.db._adapter;
   if (!adapter.allAsync) return active.db.getRegisteredTableNames();
@@ -55739,6 +56458,7 @@ async function materializeJunction(active, jName, colA, refA, colB, refB, summar
   active.validTables.add(jName);
   active.junctionTables.add(jName);
   syncCanonicalContexts(active);
+  await secureRuntimeTableIfCloud(active, jName, ["id"]);
   await recordSchemaOp(
     active,
     "schema.create_junction",
@@ -55831,6 +56551,7 @@ async function createUserEntity(active, name, columns, sessionId, opts) {
   active.validTables.add(entity);
   active.softDeletable.add(entity);
   syncCanonicalContexts(active);
+  await secureRuntimeTableIfCloud(active, entity, ["id"]);
   await recordSchemaOp(
     active,
     "schema.create_entity",
@@ -55964,8 +56685,280 @@ async function aiDeleteEntity(active, name, resolution, sessionId) {
 }
 
 // src/gui/userconfig-routes.ts
-import { existsSync as existsSync15, readdirSync as readdirSync5 } from "fs";
-import { basename as basename4, dirname as dirname7, join as join14 } from "path";
+import { existsSync as existsSync16, readdirSync as readdirSync5 } from "fs";
+import { basename as basename4, dirname as dirname8, join as join21 } from "path";
+
+// src/gui/files-routes.ts
+import { createReadStream, statSync as statSync5 } from "fs";
+import { isAbsolute as isAbsolute2, join as join20 } from "path";
+import { spawn } from "child_process";
+
+// src/framework/s3-store.ts
+var S3UnavailableError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "S3UnavailableError";
+  }
+};
+function s3Key(prefix, sha256) {
+  const p3 = prefix.replace(/^\/+|\/+$/g, "");
+  return p3 ? `${p3}/${sha256}` : sha256;
+}
+async function createS3Store(cfg) {
+  let mod;
+  try {
+    mod = await Promise.resolve().then(() => (init_dist_es22(), dist_es_exports8));
+  } catch {
+    throw new S3UnavailableError(
+      'S3 file storage requires the optional "@aws-sdk/client-s3" dependency, which is not installed'
+    );
+  }
+  const { S3Client: S3Client2, PutObjectCommand: PutObjectCommand2, GetObjectCommand: GetObjectCommand2, HeadObjectCommand: HeadObjectCommand2 } = mod;
+  const client = new S3Client2({
+    region: cfg.region,
+    // forcePathStyle is required for S3-compatible endpoints (R2 / MinIO /
+    // LocalStack) which don't support virtual-hosted-style bucket subdomains.
+    ...cfg.endpoint ? { endpoint: cfg.endpoint, forcePathStyle: true } : {},
+    ...cfg.credentials ? { credentials: cfg.credentials } : {}
+  });
+  return {
+    async put(key, body, opts) {
+      await client.send(
+        new PutObjectCommand2({
+          Bucket: cfg.bucket,
+          Key: key,
+          Body: body,
+          ...opts?.contentType ? { ContentType: opts.contentType } : {}
+        })
+      );
+    },
+    async get(key) {
+      const out = await client.send(new GetObjectCommand2({ Bucket: cfg.bucket, Key: key }));
+      const body = out.Body;
+      if (!body) throw new Error(`S3: object "${key}" has no body`);
+      return body;
+    },
+    async exists(key) {
+      try {
+        await client.send(new HeadObjectCommand2({ Bucket: cfg.bucket, Key: key }));
+        return true;
+      } catch (e6) {
+        const err = e6;
+        if (err.name === "NotFound" || err.$metadata?.httpStatusCode === 404) return false;
+        throw e6;
+      }
+    }
+  };
+}
+
+// src/framework/s3-config.ts
+import { readFileSync as readFileSync13, existsSync as existsSync15 } from "fs";
+var DEFAULT_PREFIX = "blobs";
+function activeWorkspaceLabel(configPath) {
+  if (!existsSync15(configPath)) return null;
+  try {
+    const text = readFileSync13(configPath, "utf8");
+    const m4 = /^\s*db:\s*\$\{LATTICE_DB:([A-Za-z0-9._-]+)\}\s*$/m.exec(text);
+    return m4 ? m4[1] ?? null : null;
+  } catch {
+    return null;
+  }
+}
+function mergeS3ConfigForSave(prev, body) {
+  const str2 = (v2) => typeof v2 === "string" ? v2 : void 0;
+  const pick = (b6, p3, trim) => {
+    const bv = trim ? str2(b6)?.trim() : str2(b6);
+    if (bv) return bv;
+    const pv = str2(p3);
+    if (pv) return pv;
+    return void 0;
+  };
+  const prefix = pick(body.prefix, prev.prefix, true);
+  const endpoint = pick(body.endpoint, prev.endpoint, true);
+  const accessKeyId = pick(body.accessKeyId, prev.accessKeyId, false);
+  const secretAccessKey = pick(body.secretAccessKey, prev.secretAccessKey, false);
+  return {
+    enabled: body.enabled === true,
+    bucket: str2(body.bucket)?.trim() ?? "",
+    region: str2(body.region)?.trim() ?? "",
+    ...prefix ? { prefix } : {},
+    ...endpoint ? { endpoint } : {},
+    ...accessKeyId ? { accessKeyId } : {},
+    ...secretAccessKey ? { secretAccessKey } : {}
+  };
+}
+function coerce(raw) {
+  if (!raw) return null;
+  const enabled = raw.enabled === true;
+  const bucket = typeof raw.bucket === "string" ? raw.bucket : "";
+  const region = typeof raw.region === "string" ? raw.region : "";
+  if (!enabled || !bucket || !region) return null;
+  const prefix = typeof raw.prefix === "string" && raw.prefix ? raw.prefix : DEFAULT_PREFIX;
+  const endpoint = typeof raw.endpoint === "string" && raw.endpoint ? raw.endpoint : void 0;
+  const accessKeyId = typeof raw.accessKeyId === "string" ? raw.accessKeyId : "";
+  const secretAccessKey = typeof raw.secretAccessKey === "string" ? raw.secretAccessKey : "";
+  if (accessKeyId && !secretAccessKey || !accessKeyId && secretAccessKey) {
+    console.warn(
+      "[s3-config] only one of accessKeyId/secretAccessKey is set; ignoring the partial credential and using the default AWS credential chain. Supply both, or neither."
+    );
+  }
+  return {
+    enabled: true,
+    bucket,
+    region,
+    prefix,
+    ...endpoint ? { endpoint } : {},
+    ...accessKeyId && secretAccessKey ? { credentials: { accessKeyId, secretAccessKey } } : {}
+  };
+}
+function fromEnv3() {
+  const bucket = process.env.LATTICE_S3_BUCKET;
+  const region = process.env.LATTICE_S3_REGION ?? process.env.AWS_REGION;
+  if (!bucket || !region) return null;
+  const accessKeyId = process.env.AWS_ACCESS_KEY_ID;
+  const secretAccessKey = process.env.AWS_SECRET_ACCESS_KEY;
+  return {
+    enabled: true,
+    bucket,
+    region,
+    prefix: process.env.LATTICE_S3_PREFIX ?? DEFAULT_PREFIX,
+    ...process.env.LATTICE_S3_ENDPOINT ? { endpoint: process.env.LATTICE_S3_ENDPOINT } : {},
+    ...accessKeyId && secretAccessKey ? { credentials: { accessKeyId, secretAccessKey } } : {}
+  };
+}
+function resolveActiveS3Config(configPath) {
+  if (configPath) {
+    const label = activeWorkspaceLabel(configPath);
+    if (label) {
+      const stored = coerce(getS3ConfigRaw(label));
+      if (stored) return stored;
+    }
+  }
+  return fromEnv3();
+}
+
+// src/gui/files-routes.ts
+function localFileOpenEnabled() {
+  return process.env.LATTICE_LOCAL_OPEN !== "0";
+}
+function localPathOf(row, latticeRoot) {
+  if (typeof row.path === "string" && row.path) return row.path;
+  if (row.ref_kind === "local_ref" && typeof row.ref_uri === "string" && row.ref_uri) {
+    return row.ref_uri;
+  }
+  if ((row.ref_kind === "blob" || row.ref_kind === "cloud_ref") && typeof row.blob_path === "string" && row.blob_path) {
+    return isAbsolute2(row.blob_path) ? row.blob_path : latticeRoot ? join20(latticeRoot, row.blob_path) : null;
+  }
+  return null;
+}
+function s3RefOf(row) {
+  if (row.ref_kind !== "cloud_ref" || row.ref_provider !== "s3") return null;
+  if (typeof row.source_json === "string" && row.source_json) {
+    try {
+      const j6 = JSON.parse(row.source_json);
+      if (typeof j6.bucket === "string" && typeof j6.key === "string") {
+        return { bucket: j6.bucket, key: j6.key };
+      }
+    } catch {
+    }
+  }
+  if (typeof row.ref_uri === "string") {
+    const m4 = /^s3:\/\/([^/]+)\/(.+)$/.exec(row.ref_uri);
+    if (m4) return { bucket: m4[1] ?? "", key: m4[2] ?? "" };
+  }
+  return null;
+}
+function localFileExists(loc) {
+  if (!loc) return false;
+  try {
+    return statSync5(loc).isFile();
+  } catch {
+    return false;
+  }
+}
+function sanitizeFilename(name) {
+  return name.replace(/[\r\n"\\]/g, "_");
+}
+function blobResponseHeaders(contentType, name) {
+  return {
+    "content-type": contentType,
+    "content-disposition": `inline; filename="${name}"`,
+    "cache-control": "no-store",
+    "x-content-type-options": "nosniff",
+    "content-security-policy": "default-src 'none'; sandbox"
+  };
+}
+var BLOB_RE = /^\/api\/files\/([^/]+)\/blob$/;
+var OPEN_RE = /^\/api\/files\/([^/]+)\/open-in-finder$/;
+async function dispatchFilesRoute(req, res, ctx) {
+  const blobMatch = BLOB_RE.exec(ctx.pathname);
+  if (blobMatch && ctx.method === "GET") {
+    const id = decodeURIComponent(blobMatch[1] ?? "");
+    const row = await ctx.db.get("files", id);
+    if (!row || row.deleted_at) {
+      sendJson(res, { error: "file not found" }, 404);
+      return true;
+    }
+    const name = sanitizeFilename(row.original_name ?? "file");
+    const contentType = typeof row.mime === "string" && row.mime ? row.mime : "application/octet-stream";
+    const loc = localPathOf(row, ctx.latticeRoot);
+    if (localFileExists(loc)) {
+      res.writeHead(200, blobResponseHeaders(contentType, name));
+      const stream = createReadStream(loc);
+      stream.on("error", () => res.destroy());
+      stream.pipe(res);
+      return true;
+    }
+    const s3 = s3RefOf(row);
+    const s3cfg = s3 ? resolveActiveS3Config(ctx.configPath) : null;
+    if (s3 && s3cfg) {
+      try {
+        const store = await createS3Store(s3cfg);
+        const stream = await store.get(s3.key);
+        res.writeHead(200, blobResponseHeaders(contentType, name));
+        stream.on("error", () => res.destroy());
+        stream.pipe(res);
+      } catch (e6) {
+        sendJson(res, { error: `file bytes unavailable from S3: ${e6.message}` }, 502);
+      }
+      return true;
+    }
+    sendJson(
+      res,
+      { error: "this file has no underlying blob here (text-only ingest, or S3 not configured)" },
+      404
+    );
+    return true;
+  }
+  const openMatch = OPEN_RE.exec(ctx.pathname);
+  if (openMatch && ctx.method === "POST") {
+    if (!localFileOpenEnabled()) {
+      sendJson(res, { enabled: false });
+      return true;
+    }
+    const id = decodeURIComponent(openMatch[1] ?? "");
+    const row = await ctx.db.get("files", id);
+    const loc = row ? localPathOf(row, ctx.latticeRoot) : null;
+    if (!loc) {
+      sendJson(res, { error: "file has no local path" }, 404);
+      return true;
+    }
+    const opener = process.platform === "darwin" ? "open" : process.platform === "win32" ? "explorer" : "xdg-open";
+    try {
+      const child = spawn(opener, [loc], { detached: true, stdio: "ignore" });
+      child.on("error", () => {
+      });
+      child.unref();
+      sendJson(res, { enabled: true, opened: true });
+    } catch (e6) {
+      sendJson(res, { enabled: true, opened: false, error: e6.message }, 500);
+    }
+    return true;
+  }
+  return false;
+}
+
+// src/gui/userconfig-routes.ts
 async function upsertIdentityRow(db, identity) {
   const existing = await db.get("__lattice_user_identity", "singleton");
   const updated_at = (/* @__PURE__ */ new Date()).toISOString();
@@ -55985,12 +56978,12 @@ async function upsertIdentityRow(db, identity) {
   }
 }
 function listProjectConfigs(activeConfigPath) {
-  const dir = dirname7(activeConfigPath);
+  const dir = dirname8(activeConfigPath);
   const out = [];
-  if (!existsSync15(dir)) return out;
+  if (!existsSync16(dir)) return out;
   for (const fname of readdirSync5(dir)) {
     if (!fname.endsWith(".yml") && !fname.endsWith(".yaml")) continue;
-    const full = join14(dir, fname);
+    const full = join21(dir, fname);
     try {
       const parsed = parseConfigFile(full);
       out.push({
@@ -56026,7 +57019,11 @@ async function dispatchUserConfigRoute(req, res, ctx) {
   }
   if (pathname === "/api/userconfig/preferences" && method === "GET") {
     await tryHandler(res, () => {
-      sendJson(res, readPreferences());
+      sendJson(res, {
+        ...readPreferences(),
+        analytics_effective: analyticsEnabled(),
+        local_open: localFileOpenEnabled()
+      });
       return Promise.resolve();
     });
     return true;
@@ -56078,203 +57075,12 @@ async function dispatchUserConfigRoute(req, res, ctx) {
 }
 
 // src/gui/dbconfig-routes.ts
-import { readFileSync as readFileSync14, writeFileSync as writeFileSync7 } from "fs";
-import { basename as basename6, dirname as dirname9, isAbsolute as isAbsolute2, relative as relative2, resolve as resolve7, sep as sep3 } from "path";
+import { readFileSync as readFileSync15, writeFileSync as writeFileSync7 } from "fs";
+import { basename as basename6, dirname as dirname10, isAbsolute as isAbsolute3, relative as relative2, resolve as resolve7, sep as sep5 } from "path";
 import { parseDocument as parseDocument2 } from "yaml";
 
-// src/framework/s3-config.ts
-import { readFileSync as readFileSync12, existsSync as existsSync16 } from "fs";
-var DEFAULT_PREFIX = "blobs";
-function activeWorkspaceLabel(configPath) {
-  if (!existsSync16(configPath)) return null;
-  try {
-    const text = readFileSync12(configPath, "utf8");
-    const m4 = /^\s*db:\s*\$\{LATTICE_DB:([A-Za-z0-9._-]+)\}\s*$/m.exec(text);
-    return m4 ? m4[1] ?? null : null;
-  } catch {
-    return null;
-  }
-}
-function mergeS3ConfigForSave(prev, body) {
-  const str2 = (v2) => typeof v2 === "string" ? v2 : void 0;
-  const pick = (b6, p3, trim) => {
-    const bv = trim ? str2(b6)?.trim() : str2(b6);
-    if (bv) return bv;
-    const pv = str2(p3);
-    if (pv) return pv;
-    return void 0;
-  };
-  const prefix = pick(body.prefix, prev.prefix, true);
-  const endpoint = pick(body.endpoint, prev.endpoint, true);
-  const accessKeyId = pick(body.accessKeyId, prev.accessKeyId, false);
-  const secretAccessKey = pick(body.secretAccessKey, prev.secretAccessKey, false);
-  return {
-    enabled: body.enabled === true,
-    bucket: str2(body.bucket)?.trim() ?? "",
-    region: str2(body.region)?.trim() ?? "",
-    ...prefix ? { prefix } : {},
-    ...endpoint ? { endpoint } : {},
-    ...accessKeyId ? { accessKeyId } : {},
-    ...secretAccessKey ? { secretAccessKey } : {}
-  };
-}
-function coerce(raw) {
-  if (!raw) return null;
-  const enabled = raw.enabled === true;
-  const bucket = typeof raw.bucket === "string" ? raw.bucket : "";
-  const region = typeof raw.region === "string" ? raw.region : "";
-  if (!enabled || !bucket || !region) return null;
-  const prefix = typeof raw.prefix === "string" && raw.prefix ? raw.prefix : DEFAULT_PREFIX;
-  const endpoint = typeof raw.endpoint === "string" && raw.endpoint ? raw.endpoint : void 0;
-  const accessKeyId = typeof raw.accessKeyId === "string" ? raw.accessKeyId : "";
-  const secretAccessKey = typeof raw.secretAccessKey === "string" ? raw.secretAccessKey : "";
-  if (accessKeyId && !secretAccessKey || !accessKeyId && secretAccessKey) {
-    console.warn(
-      "[s3-config] only one of accessKeyId/secretAccessKey is set; ignoring the partial credential and using the default AWS credential chain. Supply both, or neither."
-    );
-  }
-  return {
-    enabled: true,
-    bucket,
-    region,
-    prefix,
-    ...endpoint ? { endpoint } : {},
-    ...accessKeyId && secretAccessKey ? { credentials: { accessKeyId, secretAccessKey } } : {}
-  };
-}
-function fromEnv() {
-  const bucket = process.env.LATTICE_S3_BUCKET;
-  const region = process.env.LATTICE_S3_REGION ?? process.env.AWS_REGION;
-  if (!bucket || !region) return null;
-  const accessKeyId = process.env.AWS_ACCESS_KEY_ID;
-  const secretAccessKey = process.env.AWS_SECRET_ACCESS_KEY;
-  return {
-    enabled: true,
-    bucket,
-    region,
-    prefix: process.env.LATTICE_S3_PREFIX ?? DEFAULT_PREFIX,
-    ...process.env.LATTICE_S3_ENDPOINT ? { endpoint: process.env.LATTICE_S3_ENDPOINT } : {},
-    ...accessKeyId && secretAccessKey ? { credentials: { accessKeyId, secretAccessKey } } : {}
-  };
-}
-function resolveActiveS3Config(configPath) {
-  if (configPath) {
-    const label = activeWorkspaceLabel(configPath);
-    if (label) {
-      const stored = coerce(getS3ConfigRaw(label));
-      if (stored) return stored;
-    }
-  }
-  return fromEnv();
-}
-
-// src/cloud/settings.ts
-var CLOUD_SETTING_SYSTEM_PROMPT = "chat_system_prompt";
-var CLOUD_SETTINGS_BOOTSTRAP_SQL = `
--- Owner-controlled, cloud-wide key/value settings. No grant to the member group,
--- so a member's SELECT is denied (the VALUE is unreadable \u2014 the catalog may still
--- reveal the table exists, like every other __lattice_* table); the SECURITY
--- DEFINER getter below is the only member-reachable read path.
-CREATE TABLE IF NOT EXISTS "__lattice_cloud_settings" (
-  "key"        text PRIMARY KEY,
-  "value"      text,
-  "updated_by" text NOT NULL DEFAULT session_user,
-  "updated_at" timestamptz NOT NULL DEFAULT now()
-);
-
--- Read a setting. SECURITY DEFINER so a scoped member (no direct grant on the
--- table) can still read it to inject into their own chat. App-mediated ceiling:
--- this returns the value to whoever calls it, so the secrecy is at the product
--- surface (UI + API), not against a member's own SQL session.
-CREATE OR REPLACE FUNCTION lattice_get_cloud_setting(p_key text)
-RETURNS text LANGUAGE sql STABLE SECURITY DEFINER AS $fn$
-  SELECT "value" FROM "__lattice_cloud_settings" WHERE "key" = p_key LIMIT 1
-$fn$;
-
--- Owner-only write. Raises unless the caller can create roles (a cloud owner /
--- DBA) \u2014 members get no write path even though the function is callable.
-CREATE OR REPLACE FUNCTION lattice_set_cloud_setting(p_key text, p_value text)
-RETURNS void LANGUAGE plpgsql SECURITY DEFINER AS $fn$
-BEGIN
-  IF NOT (SELECT rolcreaterole FROM pg_roles WHERE rolname = session_user) THEN
-    RAISE EXCEPTION 'lattice: only a cloud owner may change workspace settings';
-  END IF;
-  INSERT INTO "__lattice_cloud_settings" ("key", "value", "updated_by", "updated_at")
-    VALUES (p_key, p_value, session_user, now())
-    ON CONFLICT ("key") DO UPDATE
-      SET "value" = EXCLUDED."value", "updated_by" = session_user, "updated_at" = now();
-END $fn$;
-`;
-async function installCloudSettings(db) {
-  if (db.getDialect() !== "postgres") return;
-  const schema = await cloudSchema(db);
-  const migration = {
-    // v2 pins search_path on the two SECURITY DEFINER helpers (closes the
-    // pg_temp-shadow class of bypass on the settings getter/setter).
-    version: "internal:cloud-settings:v2",
-    sql: pinDefinerSearchPath(CLOUD_SETTINGS_BOOTSTRAP_SQL, schema)
-  };
-  await db.migrate([migration]);
-}
-async function getCloudSetting(db, key) {
-  if (db.getDialect() !== "postgres") return null;
-  try {
-    const row = await getAsyncOrSync(db.adapter, `SELECT lattice_get_cloud_setting(?) AS value`, [
-      key
-    ]);
-    const v2 = row?.value;
-    return typeof v2 === "string" && v2.length > 0 ? v2 : null;
-  } catch {
-    return null;
-  }
-}
-async function getCloudSettingStrict(db, key) {
-  if (db.getDialect() !== "postgres") return null;
-  const row = await getAsyncOrSync(db.adapter, `SELECT lattice_get_cloud_setting(?) AS value`, [
-    key
-  ]);
-  const v2 = row?.value;
-  return typeof v2 === "string" && v2.length > 0 ? v2 : null;
-}
-async function setCloudSetting(db, key, value) {
-  await runAsyncOrSync(db.adapter, `SELECT lattice_set_cloud_setting(?, ?)`, [key, value]);
-}
-
-// src/cloud/setup.ts
-async function secureCloud(db) {
-  if (db.getDialect() !== "postgres") return;
-  await installCloudRls(db);
-  await installCloudSettings(db);
-  await db.ensureObservationSubstrate();
-  await enableChangelogRls(db);
-  const registered = db.getRegisteredTableNames();
-  for (const table of registered) {
-    if (table.startsWith("__lattice_") || table.startsWith("_lattice_")) continue;
-    const pk = db.getPrimaryKey(table);
-    if (pk.length === 0) continue;
-    await backfillOwnership(db, table, pk);
-    await enableRlsForTable(db, table, pk);
-    const cols = db.getRegisteredColumns(table);
-    if (cols) {
-      await seedColumnPolicyFromYaml(db, table, db.getColumnAudience(table));
-      await regenerateAudienceViewFromDb(db, table, Object.keys(cols), pk);
-    }
-  }
-  if (registered.includes("secrets")) {
-    await runAsyncOrSync(db.adapter, `SELECT lattice_set_table_never_share('secrets', true)`);
-  }
-  await runAsyncOrSync(
-    db.adapter,
-    `DO $LATTICE$ BEGIN
-       IF to_regclass('__lattice_user_identity') IS NOT NULL THEN
-         EXECUTE 'GRANT SELECT, INSERT, UPDATE ON "__lattice_user_identity" TO ${MEMBER_GROUP}';
-       END IF;
-     END $LATTICE$`
-  );
-}
-
 // src/cloud/invite.ts
-import { randomBytes as randomBytes6, scryptSync as scryptSync2, hkdfSync, createCipheriv as createCipheriv2, createDecipheriv as createDecipheriv2 } from "crypto";
+import { randomBytes as randomBytes7, scryptSync as scryptSync2, hkdfSync, createCipheriv as createCipheriv2, createDecipheriv as createDecipheriv2 } from "crypto";
 var VERSION = 1;
 var SALT_LEN = 16;
 var SECRET_LEN = 32;
@@ -56298,9 +57104,9 @@ function deriveKey2(tokenSecret, email, salt) {
 function mintInviteToken(input) {
   const email = normalizeEmail(input.email);
   if (!email) throw new Error("lattice: an invite must be bound to an email");
-  const salt = randomBytes6(SALT_LEN);
-  const tokenSecret = randomBytes6(SECRET_LEN);
-  const nonce = randomBytes6(NONCE_LEN);
+  const salt = randomBytes7(SALT_LEN);
+  const tokenSecret = randomBytes7(SECRET_LEN);
+  const nonce = randomBytes7(NONCE_LEN);
   const key = deriveKey2(tokenSecret, email, salt);
   const payload = {
     v: 1,
@@ -56311,7 +57117,8 @@ function mintInviteToken(input) {
     password: input.password,
     role: input.role,
     email,
-    expires_at: input.expiresAt.toISOString()
+    expires_at: input.expiresAt.toISOString(),
+    ...input.workspaceName?.trim() ? { workspace_name: input.workspaceName.trim() } : {}
   };
   const cipher = createCipheriv2("aes-256-gcm", key, nonce);
   cipher.setAAD(Buffer.from(email, "utf8"));
@@ -56361,7 +57168,7 @@ function redeemInviteToken(email, token) {
 }
 
 // src/gui/dbconfig-routes.ts
-import { createHash as createHash2, randomUUID } from "crypto";
+import { randomUUID } from "crypto";
 
 // src/framework/cloud-migration.ts
 import { existsSync as existsSync17, renameSync as renameSync3, unlinkSync as unlinkSync4 } from "fs";
@@ -56442,14 +57249,14 @@ function archiveLocalSqlite(dbPath) {
 }
 
 // src/framework/gui-bootstrap.ts
-import { existsSync as existsSync19, readFileSync as readFileSync13, readdirSync as readdirSync6 } from "fs";
-import { basename as basename5, dirname as dirname8, join as join16, resolve as resolve6 } from "path";
+import { existsSync as existsSync19, readFileSync as readFileSync14, readdirSync as readdirSync6 } from "fs";
+import { basename as basename5, dirname as dirname9, join as join23, resolve as resolve6 } from "path";
 import { parse as parseYaml } from "yaml";
 
 // src/framework/migrate-to-root.ts
 import { cpSync, existsSync as existsSync18, mkdirSync as mkdirSync8 } from "fs";
-import { homedir as homedir3 } from "os";
-import { join as join15 } from "path";
+import { homedir as homedir5 } from "os";
+import { join as join22 } from "path";
 var LEGACY_ENTRIES = [
   "master.key",
   "identity.json",
@@ -56458,16 +57265,16 @@ var LEGACY_ENTRIES = [
   "keys"
 ];
 function importLegacyUserConfig(root6) {
-  const legacy = process.env.LATTICE_CONFIG_DIR ?? join15(homedir3(), ".lattice");
+  const legacy = process.env.LATTICE_CONFIG_DIR ?? join22(homedir5(), ".lattice");
   const dest = rootConfigDir(root6);
   const copied = [];
-  if (!existsSync18(join15(legacy, "master.key"))) return { migrated: false, copied };
-  if (existsSync18(join15(dest, "master.key"))) return { migrated: false, copied };
+  if (!existsSync18(join22(legacy, "master.key"))) return { migrated: false, copied };
+  if (existsSync18(join22(dest, "master.key"))) return { migrated: false, copied };
   mkdirSync8(dest, { recursive: true });
   for (const entry of LEGACY_ENTRIES) {
-    const src = join15(legacy, entry);
+    const src = join22(legacy, entry);
     if (existsSync18(src)) {
-      cpSync(src, join15(dest, entry), { recursive: true });
+      cpSync(src, join22(dest, entry), { recursive: true });
       copied.push(entry);
     }
   }
@@ -56476,17 +57283,17 @@ function importLegacyUserConfig(root6) {
 
 // src/framework/gui-bootstrap.ts
 function resolveContextDirForConfig(configPath) {
-  const base = dirname8(resolve6(configPath));
+  const base = dirname9(resolve6(configPath));
   for (const dir of ["context", ".", "generated"]) {
     const abs = resolve6(base, dir);
-    if (existsSync19(join16(abs, ".lattice", "manifest.json"))) return abs;
+    if (existsSync19(join23(abs, ".lattice", "manifest.json"))) return abs;
   }
   return resolve6(base, "context");
 }
 function readConfigMeta(absPath) {
   let raw;
   try {
-    raw = readFileSync13(absPath, "utf8");
+    raw = readFileSync14(absPath, "utf8");
   } catch {
     return null;
   }
@@ -56532,7 +57339,7 @@ function reconcileWorkspaceRegistry(root6, scanDirs) {
     }
     for (const fname of entries) {
       if (!fname.endsWith(".yml") && !fname.endsWith(".yaml")) continue;
-      const full = join16(abs, fname);
+      const full = join23(abs, fname);
       if (findWorkspaceByConfigPath(root6, full)) continue;
       adoptConfigAsWorkspace(root6, full, { makeActive: false });
     }
@@ -56542,10 +57349,10 @@ function ensureRootForGui(opts) {
   const configAbs = resolve6(opts.configPath);
   const hasConfigFile = existsSync19(configAbs);
   let root6 = findLatticeRoot(opts.startDir);
-  if (!root6 && hasConfigFile) root6 = findLatticeRoot(dirname8(configAbs));
+  if (!root6 && hasConfigFile) root6 = findLatticeRoot(dirname9(configAbs));
   let freshRoot = false;
   if (!root6) {
-    root6 = ensureLatticeRoot(hasConfigFile ? dirname8(configAbs) : opts.startDir);
+    root6 = ensureLatticeRoot(hasConfigFile ? dirname9(configAbs) : opts.startDir);
     freshRoot = true;
   }
   importLegacyUserConfig(root6);
@@ -56555,7 +57362,7 @@ function ensureRootForGui(opts) {
       ...opts.displayName !== void 0 ? { displayName: opts.displayName } : {}
     });
   }
-  reconcileWorkspaceRegistry(root6, [dirname8(configAbs), dirname8(root6)]);
+  reconcileWorkspaceRegistry(root6, [dirname9(configAbs), dirname9(root6)]);
   const ws = getActiveWorkspace(root6) ?? addWorkspace(root6, { displayName: opts.displayName ?? "My Workspace" });
   const paths = resolveWorkspacePaths(root6, ws);
   return {
@@ -56569,14 +57376,17 @@ function ensureRootForGui(opts) {
 
 // src/gui/dbconfig-routes.ts
 var MAX_SYSTEM_PROMPT_CHARS = 1e5;
-function updateActiveWorkspaceToCloud(configPath, label) {
-  const root6 = findLatticeRoot(dirname9(configPath));
+function updateActiveWorkspaceToCloud(configPath, displayName, key) {
+  const root6 = findLatticeRoot(dirname10(configPath));
   if (!root6) return;
   registerOrUpdateCloudWorkspace(root6, {
     configPath,
     contextDir: resolveContextDirForConfig(configPath),
-    displayName: label,
-    db: "${LATTICE_DB:" + label + "}",
+    displayName,
+    // The credential key + ${LATTICE_DB:…} reference must be a SANITIZED,
+    // space-free label (resolveDbPath rejects anything else); the human
+    // displayName is separate.
+    db: "${LATTICE_DB:" + key + "}",
     makeActive: true
   });
 }
@@ -56605,7 +57415,7 @@ async function computeState(db) {
   return await canManageRoles(db) ? "cloud-owner" : "cloud-member";
 }
 async function describeCurrent(configPath, db) {
-  const rawYaml = readFileSync14(configPath, "utf8");
+  const rawYaml = readFileSync15(configPath, "utf8");
   const doc = parseDocument2(rawYaml);
   const rawDb = doc.get("db");
   const dbLine = typeof rawDb === "string" ? rawDb.trim() : "";
@@ -56646,7 +57456,7 @@ async function describeCurrent(configPath, db) {
   };
 }
 function rewriteDbLine(configPath, newValue) {
-  const doc = parseDocument2(readFileSync14(configPath, "utf8"));
+  const doc = parseDocument2(readFileSync15(configPath, "utf8"));
   doc.set("db", newValue);
   writeFileSync7(configPath, doc.toString(), "utf8");
 }
@@ -56671,9 +57481,27 @@ function parseSaveBody(body) {
   return null;
 }
 function resolveRelativeToConfig(configPath, candidate) {
-  return isAbsolute2(candidate) ? candidate : resolve7(configPath, "..", candidate);
+  return isAbsolute3(candidate) ? candidate : resolve7(configPath, "..", candidate);
 }
-async function joinCloudAsMember(ctx, res, fields, label) {
+async function reclaimStaleInviteRoles(db, emailHash) {
+  const stale = await allAsyncOrSync(
+    db.adapter,
+    `SELECT DISTINCT "role" FROM "__lattice_member_invites"
+       WHERE "redeemed_at" IS NULL AND "revoked_at" IS NULL
+         AND ("email_hash" = ? OR "expires_at" <= now())`,
+    [emailHash]
+  );
+  for (const { role } of stale) {
+    await revokeMemberRole(db, role);
+    await runAsyncOrSync(
+      db.adapter,
+      `UPDATE "__lattice_member_invites" SET "revoked_at" = now()
+         WHERE "role" = ? AND "revoked_at" IS NULL`,
+      [role]
+    );
+  }
+}
+async function joinCloudAsMember(ctx, res, fields, label, opts = {}) {
   const url = buildPostgresUrl(fields);
   const probe = await probeCloud(url);
   if (!probe.reachable) {
@@ -56691,11 +57519,27 @@ async function joinCloudAsMember(ctx, res, fields, label) {
     );
     return;
   }
-  saveDbCredential(label, url);
-  rewriteDbLine(ctx.configPath, "${LATTICE_DB:" + label + "}");
-  updateActiveWorkspaceToCloud(ctx.configPath, label);
-  await ctx.swap();
-  sendJson(res, { ok: true, label, isCloud: true });
+  if (opts.claimInvite) {
+    const claim = await claimMemberInvite(url);
+    if (!claim.claimed) {
+      sendJson(
+        res,
+        {
+          ok: false,
+          error: claim.error ?? "This invite has already been used, was revoked, or has expired. Ask the owner for a new one."
+        },
+        403
+      );
+      return;
+    }
+  }
+  const key = slugify(label) || "cloud";
+  try {
+    const workspaceId = await ctx.createCloudWorkspace(label, key, url);
+    sendJson(res, { ok: true, label, isCloud: true, workspaceId });
+  } catch (e6) {
+    sendJson(res, { ok: false, error: e6.message }, 500);
+  }
 }
 async function dispatchDbConfigRoute(req, res, ctx) {
   const { pathname, method } = ctx;
@@ -56729,7 +57573,7 @@ async function dispatchDbConfigRoute(req, res, ctx) {
       }
       const abs = resolveRelativeToConfig(ctx.configPath, parsed.path);
       const rel = relative2(resolve7(ctx.configPath, ".."), abs);
-      const dbLine = rel.startsWith("..") ? abs : "./" + rel.split(sep3).join("/");
+      const dbLine = rel.startsWith("..") ? abs : "./" + rel.split(sep5).join("/");
       rewriteDbLine(ctx.configPath, dbLine);
       sendJson(res, { ok: true, type: "sqlite", path: dbLine });
     });
@@ -56841,7 +57685,7 @@ async function dispatchDbConfigRoute(req, res, ctx) {
         const backupPath = archiveLocalSqlite(sourceDbPath);
         saveDbCredential(parsed.label, url);
         rewriteDbLine(ctx.configPath, "${LATTICE_DB:" + parsed.label + "}");
-        updateActiveWorkspaceToCloud(ctx.configPath, parsed.label);
+        updateActiveWorkspaceToCloud(ctx.configPath, parsed.label, parsed.label);
         await ctx.swap();
         sendJson(res, {
           ok: true,
@@ -56895,9 +57739,26 @@ async function dispatchDbConfigRoute(req, res, ctx) {
         return;
       }
       const me = await getAsyncOrSync(ctx.db.adapter, `SELECT session_user AS u`);
-      const owner = me?.u ?? "";
+      const ownerRole = me?.u ?? "";
+      const idRow = await getAsyncOrSync(
+        ctx.db.adapter,
+        `SELECT display_name, email FROM "__lattice_user_identity" WHERE id = 'singleton'`
+      ).catch(() => void 0);
+      const trimmedOwnerName = idRow?.display_name?.trim() ?? "";
+      const ownerName = trimmedOwnerName.length > 0 ? trimmedOwnerName : ownerRole;
+      const ownerEmail = idRow?.email ?? "";
       if (!await canManageRoles(ctx.db)) {
-        sendJson(res, { members: owner ? [{ role: owner, isOwner: false, isYou: true }] : [] });
+        sendJson(res, {
+          members: ownerRole ? [
+            {
+              role: ownerRole,
+              name: ownerName,
+              email: ownerEmail,
+              status: "member",
+              isYou: true
+            }
+          ] : []
+        });
         return;
       }
       const rows = await allAsyncOrSync(
@@ -56906,12 +57767,27 @@ async function dispatchDbConfigRoute(req, res, ctx) {
            FROM pg_auth_members am
            JOIN pg_roles g ON g.oid = am.roleid AND g.rolname = ?
            JOIN pg_roles m ON m.oid = am.member
+          WHERE m.rolname <> ?
           ORDER BY m.rolname`,
-        [MEMBER_GROUP]
+        [MEMBER_GROUP, ownerRole]
       );
+      const invites = await allAsyncOrSync(
+        ctx.db.adapter,
+        `SELECT DISTINCT ON ("role") "role", "email", "redeemed_at"
+           FROM "__lattice_member_invites"
+          WHERE "revoked_at" IS NULL
+          ORDER BY "role", "created_at" DESC`
+      ).catch(() => []);
+      const inviteByRole = new Map(invites.map((r6) => [r6.role, r6]));
       const members = [
-        ...owner ? [{ role: owner, isOwner: true, isYou: true }] : [],
-        ...rows.map((r6) => ({ role: r6.role, isOwner: false, isYou: r6.role === owner }))
+        { role: ownerRole, name: ownerName, email: ownerEmail, status: "owner", isYou: true },
+        ...rows.map((r6) => {
+          const inv = inviteByRole.get(r6.role);
+          const email = inv?.email ?? "";
+          const name = email ? email.split("@")[0] ?? r6.role : r6.role;
+          const status = inv && inv.redeemed_at == null ? "invited" : "member";
+          return { role: r6.role, name, email, status, isYou: false };
+        })
       ];
       sendJson(res, { members });
     });
@@ -56938,22 +57814,37 @@ async function dispatchDbConfigRoute(req, res, ctx) {
         sendJson(res, { error: "Could not resolve the cloud connection coordinates" }, 500);
         return;
       }
+      const emailHash = hashInviteEmail(await getOrCreateInviteSalt(ctx.db), email);
+      await reclaimStaleInviteRoles(ctx.db, emailHash);
       const role = memberRoleName(email);
       const password = generateMemberPassword();
       await provisionMemberRole(ctx.db, role, password);
       await assertScopedMemberRole(ctx.db, role);
-      const me = await getAsyncOrSync(ctx.db.adapter, `SELECT session_user AS u`);
-      const user = poolerAwareUser(coords.host, role, me?.u ?? "");
+      const user = poolerAwareUser(coords.host, role, coords.user);
       const expiresAt = new Date(Date.now() + 7 * 24 * 60 * 60 * 1e3);
-      const token = mintInviteToken({ coords, user, password, role, email, expiresAt });
+      const inviteRoot = findLatticeRoot(dirname10(ctx.configPath));
+      const ownerWs = inviteRoot ? getActiveWorkspace(inviteRoot) : null;
+      const token = mintInviteToken({
+        coords,
+        user,
+        password,
+        role,
+        email,
+        expiresAt,
+        ...ownerWs?.displayName ? { workspaceName: ownerWs.displayName } : {}
+      });
       await runAsyncOrSync(
         ctx.db.adapter,
-        `INSERT INTO "__lattice_member_invites" ("id","role","email_hash","expires_at")
-           VALUES (?, ?, ?, ?)`,
+        `INSERT INTO "__lattice_member_invites" ("id","role","email_hash","email","expires_at")
+           VALUES (?, ?, ?, ?, ?)`,
         [
           randomUUID(),
           role,
-          createHash2("sha256").update(email.trim().toLowerCase()).digest("hex"),
+          emailHash,
+          // Plaintext email stored ONLY in this owner-only table so the owner's
+          // Members list can show who each member is (the hash above stays for
+          // tamper-evident audit; the password is still never stored anywhere).
+          email.trim().toLowerCase(),
           expiresAt.toISOString()
         ]
       );
@@ -56961,6 +57852,39 @@ async function dispatchDbConfigRoute(req, res, ctx) {
     });
     return true;
   }
+  if (pathname === "/api/cloud/remove-member" && method === "POST") {
+    await tryHandler(res, async () => {
+      if (ctx.db.getDialect() !== "postgres" || !await cloudRlsInstalled(ctx.db)) {
+        sendJson(res, { error: "The active database is not a Lattice cloud" }, 400);
+        return;
+      }
+      if (!await canManageRoles(ctx.db)) {
+        sendJson(res, { error: "Only a cloud owner can remove members" }, 403);
+        return;
+      }
+      const body = await readJson(req);
+      const role = typeof body.role === "string" ? body.role : "";
+      if (!role) {
+        sendJson(res, { error: "A member role is required" }, 400);
+        return;
+      }
+      const me = await getAsyncOrSync(ctx.db.adapter, `SELECT session_user AS u`);
+      if (role === (me?.u ?? "")) {
+        sendJson(res, { error: "You cannot remove yourself (the owner)" }, 400);
+        return;
+      }
+      await revokeMemberRole(ctx.db, role);
+      await runAsyncOrSync(
+        ctx.db.adapter,
+        `UPDATE "__lattice_member_invites" SET "revoked_at" = now() WHERE "role" = ? AND "revoked_at" IS NULL`,
+        [role]
+      ).catch((e6) => {
+        console.error("[cloud] mark invite revoked failed:", e6.message);
+      });
+      sendJson(res, { ok: true, role });
+    });
+    return true;
+  }
   if (pathname === "/api/cloud/redeem-invite" && method === "POST") {
     await tryHandler(res, async () => {
       const body = await readJson(req);
@@ -56981,7 +57905,9 @@ async function dispatchDbConfigRoute(req, res, ctx) {
         sendJson(res, { ok: false, error: e6.message }, 400);
         return;
       }
-      const label = typeof body.label === "string" && body.label.trim() ? body.label.trim() : "Cloud workspace";
+      const fromCloud = payload.workspace_name?.trim() ?? "";
+      const fromBody = typeof body.label === "string" ? body.label.trim() : "";
+      const label = fromCloud.length > 0 ? fromCloud : fromBody.length > 0 ? fromBody : "Cloud workspace";
       await joinCloudAsMember(
         ctx,
         res,
@@ -56992,7 +57918,9 @@ async function dispatchDbConfigRoute(req, res, ctx) {
           user: payload.user,
           password: payload.password
         },
-        label
+        label,
+        { claimInvite: true }
+        // #3.1 — enforce one-time-use + revocation on redeem
       );
     });
     return true;
@@ -57157,10 +58085,10 @@ async function dispatchDbConfigRoute(req, res, ctx) {
         sendJson(res, { error: "name must be 200 characters or fewer" }, 400);
         return;
       }
-      const doc = parseDocument2(readFileSync14(ctx.configPath, "utf8"));
+      const doc = parseDocument2(readFileSync15(ctx.configPath, "utf8"));
       doc.set("name", name);
       writeFileSync7(ctx.configPath, doc.toString(), "utf8");
-      const root6 = findLatticeRoot(dirname9(ctx.configPath));
+      const root6 = findLatticeRoot(dirname10(ctx.configPath));
       if (root6) renameWorkspaceByConfigPath(root6, ctx.configPath, name);
       const info = await describeCurrent(ctx.configPath, ctx.db);
       sendJson(res, { ok: true, kind: info.isCloud ? "cloud" : "local", name });
@@ -57170,195 +58098,14 @@ async function dispatchDbConfigRoute(req, res, ctx) {
   return false;
 }
 function activeCloudCoords(configPath) {
-  const doc = parseDocument2(readFileSync14(configPath, "utf8"));
+  const doc = parseDocument2(readFileSync15(configPath, "utf8"));
   const rawDb = doc.get("db");
   const dbLine = typeof rawDb === "string" ? rawDb.trim() : "";
   const labelMatch = /^\$\{LATTICE_DB:([A-Za-z0-9._-]+)\}$/.exec(dbLine);
   const url = labelMatch ? getDbCredential(labelMatch[1] ?? "") : dbLine;
   if (!url) return null;
   const parsed = parsePostgresUrl(url);
-  return parsed ? { host: parsed.host, port: parsed.port, dbname: parsed.dbname } : null;
-}
-
-// src/gui/files-routes.ts
-import { createReadStream, statSync as statSync5 } from "fs";
-import { isAbsolute as isAbsolute3, join as join23 } from "path";
-import { spawn } from "child_process";
-
-// src/framework/s3-store.ts
-var S3UnavailableError = class extends Error {
-  constructor(message) {
-    super(message);
-    this.name = "S3UnavailableError";
-  }
-};
-function s3Key(prefix, sha256) {
-  const p3 = prefix.replace(/^\/+|\/+$/g, "");
-  return p3 ? `${p3}/${sha256}` : sha256;
-}
-async function createS3Store(cfg) {
-  let mod;
-  try {
-    mod = await Promise.resolve().then(() => (init_dist_es22(), dist_es_exports8));
-  } catch {
-    throw new S3UnavailableError(
-      'S3 file storage requires the optional "@aws-sdk/client-s3" dependency, which is not installed'
-    );
-  }
-  const { S3Client: S3Client2, PutObjectCommand: PutObjectCommand2, GetObjectCommand: GetObjectCommand2, HeadObjectCommand: HeadObjectCommand2 } = mod;
-  const client = new S3Client2({
-    region: cfg.region,
-    // forcePathStyle is required for S3-compatible endpoints (R2 / MinIO /
-    // LocalStack) which don't support virtual-hosted-style bucket subdomains.
-    ...cfg.endpoint ? { endpoint: cfg.endpoint, forcePathStyle: true } : {},
-    ...cfg.credentials ? { credentials: cfg.credentials } : {}
-  });
-  return {
-    async put(key, body, opts) {
-      await client.send(
-        new PutObjectCommand2({
-          Bucket: cfg.bucket,
-          Key: key,
-          Body: body,
-          ...opts?.contentType ? { ContentType: opts.contentType } : {}
-        })
-      );
-    },
-    async get(key) {
-      const out = await client.send(new GetObjectCommand2({ Bucket: cfg.bucket, Key: key }));
-      const body = out.Body;
-      if (!body) throw new Error(`S3: object "${key}" has no body`);
-      return body;
-    },
-    async exists(key) {
-      try {
-        await client.send(new HeadObjectCommand2({ Bucket: cfg.bucket, Key: key }));
-        return true;
-      } catch (e6) {
-        const err = e6;
-        if (err.name === "NotFound" || err.$metadata?.httpStatusCode === 404) return false;
-        throw e6;
-      }
-    }
-  };
-}
-
-// src/gui/files-routes.ts
-function localPathOf(row, latticeRoot) {
-  if (typeof row.path === "string" && row.path) return row.path;
-  if (row.ref_kind === "local_ref" && typeof row.ref_uri === "string" && row.ref_uri) {
-    return row.ref_uri;
-  }
-  if ((row.ref_kind === "blob" || row.ref_kind === "cloud_ref") && typeof row.blob_path === "string" && row.blob_path) {
-    return isAbsolute3(row.blob_path) ? row.blob_path : latticeRoot ? join23(latticeRoot, row.blob_path) : null;
-  }
-  return null;
-}
-function s3RefOf(row) {
-  if (row.ref_kind !== "cloud_ref" || row.ref_provider !== "s3") return null;
-  if (typeof row.source_json === "string" && row.source_json) {
-    try {
-      const j6 = JSON.parse(row.source_json);
-      if (typeof j6.bucket === "string" && typeof j6.key === "string") {
-        return { bucket: j6.bucket, key: j6.key };
-      }
-    } catch {
-    }
-  }
-  if (typeof row.ref_uri === "string") {
-    const m4 = /^s3:\/\/([^/]+)\/(.+)$/.exec(row.ref_uri);
-    if (m4) return { bucket: m4[1] ?? "", key: m4[2] ?? "" };
-  }
-  return null;
-}
-function localFileExists(loc) {
-  if (!loc) return false;
-  try {
-    return statSync5(loc).isFile();
-  } catch {
-    return false;
-  }
-}
-function sanitizeFilename(name) {
-  return name.replace(/[\r\n"\\]/g, "_");
-}
-function blobResponseHeaders(contentType, name) {
-  return {
-    "content-type": contentType,
-    "content-disposition": `inline; filename="${name}"`,
-    "cache-control": "no-store",
-    "x-content-type-options": "nosniff",
-    "content-security-policy": "default-src 'none'; sandbox"
-  };
-}
-var BLOB_RE = /^\/api\/files\/([^/]+)\/blob$/;
-var OPEN_RE = /^\/api\/files\/([^/]+)\/open-in-finder$/;
-async function dispatchFilesRoute(req, res, ctx) {
-  const blobMatch = BLOB_RE.exec(ctx.pathname);
-  if (blobMatch && ctx.method === "GET") {
-    const id = decodeURIComponent(blobMatch[1] ?? "");
-    const row = await ctx.db.get("files", id);
-    if (!row || row.deleted_at) {
-      sendJson(res, { error: "file not found" }, 404);
-      return true;
-    }
-    const name = sanitizeFilename(row.original_name ?? "file");
-    const contentType = typeof row.mime === "string" && row.mime ? row.mime : "application/octet-stream";
-    const loc = localPathOf(row, ctx.latticeRoot);
-    if (localFileExists(loc)) {
-      res.writeHead(200, blobResponseHeaders(contentType, name));
-      const stream = createReadStream(loc);
-      stream.on("error", () => res.destroy());
-      stream.pipe(res);
-      return true;
-    }
-    const s3 = s3RefOf(row);
-    const s3cfg = s3 ? resolveActiveS3Config(ctx.configPath) : null;
-    if (s3 && s3cfg) {
-      try {
-        const store = await createS3Store(s3cfg);
-        const stream = await store.get(s3.key);
-        res.writeHead(200, blobResponseHeaders(contentType, name));
-        stream.on("error", () => res.destroy());
-        stream.pipe(res);
-      } catch (e6) {
-        sendJson(res, { error: `file bytes unavailable from S3: ${e6.message}` }, 502);
-      }
-      return true;
-    }
-    sendJson(
-      res,
-      { error: "this file has no underlying blob here (text-only ingest, or S3 not configured)" },
-      404
-    );
-    return true;
-  }
-  const openMatch = OPEN_RE.exec(ctx.pathname);
-  if (openMatch && ctx.method === "POST") {
-    if (process.env.LATTICE_LOCAL_OPEN !== "1") {
-      sendJson(res, { enabled: false });
-      return true;
-    }
-    const id = decodeURIComponent(openMatch[1] ?? "");
-    const row = await ctx.db.get("files", id);
-    const loc = row ? localPathOf(row, ctx.latticeRoot) : null;
-    if (!loc) {
-      sendJson(res, { error: "file has no local path" }, 404);
-      return true;
-    }
-    const opener = process.platform === "darwin" ? "open" : process.platform === "win32" ? "explorer" : "xdg-open";
-    try {
-      const child = spawn(opener, [loc], { detached: true, stdio: "ignore" });
-      child.on("error", () => {
-      });
-      child.unref();
-      sendJson(res, { enabled: true, opened: true });
-    } catch (e6) {
-      sendJson(res, { enabled: true, opened: false, error: e6.message }, 500);
-    }
-    return true;
-  }
-  return false;
+  return parsed ? { host: parsed.host, port: parsed.port, dbname: parsed.dbname, user: parsed.user } : null;
 }
 
 // src/gui/ai/transcribe.ts
@@ -57396,7 +58143,7 @@ async function transcribe(opts) {
 }
 
 // src/gui/ai/oauth.ts
-import { createHash as createHash6, randomBytes as randomBytes7 } from "crypto";
+import { createHash as createHash7, randomBytes as randomBytes8 } from "crypto";
 function readOAuthConfig(env2 = process.env) {
   const authorizeUrl = env2.ANTHROPIC_OAUTH_AUTHORIZE_URL;
   const tokenUrl = env2.ANTHROPIC_OAUTH_TOKEN_URL;
@@ -57410,13 +58157,13 @@ function oauthConfigured(env2 = process.env) {
   return readOAuthConfig(env2) !== null;
 }
 function generatePkceVerifier() {
-  return randomBytes7(48).toString("base64url");
+  return randomBytes8(48).toString("base64url");
 }
 function pkceChallengeFor(verifier) {
-  return createHash6("sha256").update(verifier).digest("base64url");
+  return createHash7("sha256").update(verifier).digest("base64url");
 }
 function generateState() {
-  return randomBytes7(24).toString("base64url");
+  return randomBytes8(24).toString("base64url");
 }
 function buildAuthorizeUrl(cfg, state2, codeChallenge) {
   const params = new URLSearchParams({
@@ -57837,15 +58584,37 @@ var REGISTRY = [
     category: "read",
     args: obj({})
   },
+  {
+    name: "lattice_help",
+    description: "Look up how LATTICE ITSELF works in its documentation \u2014 features and usage (private mode, row/table sharing & visibility, cloud workspaces & members & invites, files/ingest, the data model, the assistant, history/undo, secrets, analytics). Use this whenever the user asks what a Lattice feature is or how to do something IN Lattice \u2014 NOT for questions about their own data. Returns the most relevant documentation sections.",
+    mutates: false,
+    category: "read",
+    args: obj(
+      {
+        query: str(
+          'What about Lattice to look up, e.g. "what is private mode" or "how do I invite a member".'
+        )
+      },
+      ["query"]
+    )
+  },
   {
     name: "list_rows",
-    description: "List rows in a table. Omits soft-deleted rows unless includeDeleted is true.",
+    description: "List rows in a table (paginated, max 200/page). For a large table, page through it with limit + successive offsets instead of trying to read it all at once. Omits soft-deleted rows unless includeDeleted is true.",
     mutates: false,
     category: "read",
     args: obj(
       {
         table: str("Table name to list rows from."),
-        includeDeleted: { type: "boolean", description: "Include soft-deleted rows." }
+        includeDeleted: { type: "boolean", description: "Include soft-deleted rows." },
+        limit: {
+          type: "number",
+          description: "Max rows to return (1\u2013200, default 200). Use a smaller page for big tables."
+        },
+        offset: {
+          type: "number",
+          description: "Rows to skip from the start \u2014 combine with limit to page through a table."
+        }
       },
       ["table"]
     )
@@ -58134,12 +58903,120 @@ function getFunction(name) {
   return BY_NAME.get(name);
 }
 
+// src/gui/ai/lattice-docs.ts
+import { readFileSync as readFileSync16, readdirSync as readdirSync7, existsSync as existsSync20 } from "fs";
+import { dirname as dirname11, join as join24 } from "path";
+import { fileURLToPath as fileURLToPath2 } from "url";
+var _docsDir;
+function findDocsDir() {
+  if (_docsDir !== void 0) return _docsDir;
+  let dir;
+  try {
+    dir = dirname11(fileURLToPath2(import.meta.url));
+  } catch {
+    dir = process.cwd();
+  }
+  for (let i6 = 0; i6 < 8; i6++) {
+    const candidate = join24(dir, "docs");
+    if (existsSync20(join24(candidate, "cloud.md"))) {
+      _docsDir = candidate;
+      return _docsDir;
+    }
+    const parent = dirname11(dir);
+    if (parent === dir) break;
+    dir = parent;
+  }
+  _docsDir = null;
+  return _docsDir;
+}
+var MAX_SECTION_CHARS = 2400;
+var _cache = /* @__PURE__ */ new Map();
+function sectionsOf(file, md) {
+  const lines = md.split("\n");
+  const out = [];
+  let heading = file.replace(/\.md$/, "");
+  let buf = [];
+  const flush2 = () => {
+    const text = buf.join("\n").trim();
+    if (text) out.push({ file, heading, text: text.slice(0, MAX_SECTION_CHARS) });
+    buf = [];
+  };
+  for (const line of lines) {
+    const m4 = /^#{1,3}\s+(.+)$/.exec(line);
+    if (m4) {
+      flush2();
+      heading = (m4[1] ?? heading).trim();
+    }
+    buf.push(line);
+  }
+  flush2();
+  return out;
+}
+function allSections() {
+  const dir = findDocsDir();
+  if (!dir) return [];
+  const key = dir;
+  const cached = _cache.get(key);
+  if (cached) return cached;
+  const out = [];
+  let files = [];
+  try {
+    files = readdirSync7(dir).filter((f6) => f6.endsWith(".md"));
+  } catch {
+    files = [];
+  }
+  for (const f6 of files) {
+    try {
+      out.push(...sectionsOf(f6, readFileSync16(join24(dir, f6), "utf8")));
+    } catch {
+    }
+  }
+  _cache.set(key, out);
+  return out;
+}
+function searchLatticeDocs(query, limit = 4) {
+  const sections = allSections();
+  if (sections.length === 0) {
+    return {
+      sections: [],
+      note: "Lattice documentation is not bundled with this build; answer only from what you reliably know about Lattice, and say if you are unsure."
+    };
+  }
+  const q3 = query.toLowerCase().trim();
+  const terms = q3.split(/[^a-z0-9]+/).filter((w2) => w2.length > 2);
+  if (terms.length === 0) {
+    return { sections: [], available: [...new Set(sections.map((s2) => s2.heading))].slice(0, 40) };
+  }
+  const scored = sections.map((s2) => {
+    const head = s2.heading.toLowerCase();
+    const body = s2.text.toLowerCase();
+    let score = 0;
+    if (body.includes(q3)) score += 4;
+    for (const t8 of terms) {
+      if (head.includes(t8)) score += 3;
+      if (body.includes(t8)) score += 1;
+    }
+    return { s: s2, score };
+  }).filter((x2) => x2.score > 0).sort((a6, b6) => b6.score - a6.score);
+  if (scored.length === 0) {
+    return { sections: [], available: [...new Set(sections.map((s2) => s2.heading))].slice(0, 40) };
+  }
+  return {
+    sections: scored.slice(0, limit).map((x2) => ({
+      source: x2.s.file,
+      heading: x2.s.heading,
+      text: x2.s.text
+    }))
+  };
+}
+
 // src/gui/ai/dispatch.ts
 var DISPATCHABLE = /* @__PURE__ */ new Set([
   "list_entities",
   "list_rows",
   "get_row",
   "search",
+  "lattice_help",
   "get_history",
   "create_row",
   "update_row",
@@ -58215,7 +59092,13 @@ async function executeFunction(ctx, name, args) {
         const includeDeleted = args.includeDeleted === true;
         const cols = ctx.db.getRegisteredColumns(table);
         const orderBy = cols && "created_at" in cols ? "created_at" : ctx.db.getPrimaryKey(table)[0] ?? "id";
-        const opts = { limit: 200, orderBy, orderDir: "asc" };
+        const limit = Math.min(
+          200,
+          Math.max(1, typeof args.limit === "number" ? Math.floor(args.limit) : 200)
+        );
+        const offset = Math.max(0, typeof args.offset === "number" ? Math.floor(args.offset) : 0);
+        const opts = { limit, orderBy, orderDir: "asc" };
+        if (offset > 0) opts.offset = offset;
         if (ctx.softDeletable.has(table) && !includeDeleted) {
           opts.filters = [{ col: "deleted_at", op: "isNull" }];
         }
@@ -58230,6 +59113,10 @@ async function executeFunction(ctx, name, args) {
         if (row === null) return { ok: false, error: "Row not found" };
         return { ok: true, result: redactRow(row, await secretColumnsFor(ctx.db, table)) };
       }
+      case "lattice_help": {
+        const query = requireString(args.query, "query");
+        return { ok: true, result: searchLatticeDocs(query) };
+      }
       case "search": {
         const query = requireString(args.query, "query");
         let tables = [...ctx.validTables];
@@ -58400,6 +59287,32 @@ function capToolResult(s2) {
 function capToolInput(input) {
   return JSON.stringify(input).length > MAX_TOOL_INPUT_CHARS ? { _truncated: true } : input;
 }
+var LIVE_TOOL_RESULT_CHARS = 16e3;
+function capLiveToolResult(s2) {
+  if (s2.length <= LIVE_TOOL_RESULT_CHARS) return s2;
+  return s2.slice(0, LIVE_TOOL_RESULT_CHARS) + `
+\u2026[truncated ${String(
+    s2.length - LIVE_TOOL_RESULT_CHARS
+  )} chars \u2014 this result was too large to include in full. Read it in smaller pieces: list_rows with a smaller limit + offset, or a narrower filter.]`;
+}
+var MAX_CONTEXT_RECOVERY_TRIMS = 8;
+var TRIMMED_PLACEHOLDER = "[earlier tool result omitted to fit the context window]";
+function isContextLengthError(e6) {
+  const msg = (e6 instanceof Error ? e6.message : String(e6)).toLowerCase();
+  return msg.includes("prompt is too long") || msg.includes("context length") || msg.includes("context_length") || msg.includes("context window") || msg.includes("too many tokens") || msg.includes("maximum") && msg.includes("token");
+}
+function trimOldestToolResult(messages) {
+  for (const m4 of messages) {
+    if (m4.role !== "user" || !Array.isArray(m4.content)) continue;
+    for (const b6 of m4.content) {
+      if (b6.type === "tool_result" && typeof b6.content === "string" && b6.content.length > TRIMMED_PLACEHOLDER.length && b6.content !== TRIMMED_PLACEHOLDER) {
+        b6.content = TRIMMED_PLACEHOLDER;
+        return true;
+      }
+    }
+  }
+  return false;
+}
 var BASE_SYSTEM_PROMPT = [
   "You are the assistant inside a Lattice database GUI. Help the user inspect and edit their data by calling the provided tools.",
   "",
@@ -58408,8 +59321,10 @@ var BASE_SYSTEM_PROMPT = [
   "- To relate two tables (link their rows), call create_relationship(table_a, table_b) to get a junction + its two foreign-key columns, then `link` each pair using those columns. If the junction already exists, just `link`.",
   "- Use the exact table names from the schema (or one you just created) \u2014 never guess a name for a table that should already exist.",
   "- Prefer reading (list_rows, get_row) before writing.",
+  '- Work in small batches on large tables. NEVER try to load an entire big table at once \u2014 page through it with list_rows using `limit` + successive `offset` values, and process bulk edits a page at a time. If a tool result says it was truncated, do NOT re-request the whole thing; narrow it (a filter, or a smaller limit/offset) and continue. Use the row counts under "Current database" to decide how many pages you need.',
   '- When you point the user at a specific row/object \u2014 especially if they ask you to "link", "open", or "show" it \u2014 make it clickable with an INLINE link in this exact form: [short label](lattice://<table>/<id>), using the real table name and the row id from your tool results (e.g. [the offer contract](lattice://contracts/9b7c60f0-fbc2-4f87-a550-c59e3c5d761f)). It renders as a pill that opens that object in the GUI. Only link ids you actually retrieved \u2014 never invent one \u2014 and prefer the user-facing record (the contract/person/etc. row) over an internal `files` id.',
   "- Attached files are rows in the `files` table; a file's full text content (CSV, document, etc.) is in its `extracted_text` column. To work from an attached file, read the relevant `files` row(s) and parse `extracted_text` \u2014 never guess a file's contents.",
+  `- When the user asks about LATTICE ITSELF \u2014 what a feature is or how to use it (e.g. "what is private mode", "how does sharing work", "how do I invite someone") \u2014 call lattice_help with their question and answer from what it returns. Do NOT answer such questions from memory, and do NOT search the user's data for them.`,
   '- A tool result that contains "error" means the call FAILED. Do NOT claim success or proceed as if it returned data \u2014 read the error, correct your arguments, and retry.',
   "- For bulk work, emit several tool calls in one turn instead of one at a time. Every change is recorded in version history and can be undone.",
   "- When you change data, briefly confirm what you did. Be concise."
@@ -58435,7 +59350,7 @@ async function buildSchemaContext(d6) {
   }
   return lines.join("\n");
 }
-function buildSystemPrompt(schema, operatorName, cloudSystemPrompt) {
+function buildSystemPrompt(schema, operatorName, cloudSystemPrompt, activeContext) {
   const who = operatorName && operatorName.trim().length > 0 ? `
 
 # Who you are assisting
@@ -58444,7 +59359,11 @@ You are assisting ${operatorName.trim()}. When the user says "me" / "my", they m
 
 # Workspace instructions
 ${cloudSystemPrompt.trim()}` : "";
-  return `${BASE_SYSTEM_PROMPT}${who}${workspace}
+  const view = activeContext?.table && activeContext.id ? `
+
+# What the user is viewing
+The user is currently viewing the "${activeContext.table}" record with id "${activeContext.id}". When they say "this", "this file", "this row", "this record", "it", or similar without naming a specific record, they mean THAT one \u2014 operate on it directly (read it with get_row, change or delete it by that id) rather than asking which record they mean.` : "";
+  return `${BASE_SYSTEM_PROMPT}${who}${workspace}${view}
 
 # Current database
 ${schema}`;
@@ -58462,21 +59381,34 @@ async function* runChat(opts) {
   const system = buildSystemPrompt(
     await buildSchemaContext(opts.dispatch),
     opts.operatorName,
-    opts.cloudSystemPrompt
+    opts.cloudSystemPrompt,
+    opts.activeContext
   );
   let loop = 0;
   try {
     for (; loop < MAX_TOOL_LOOPS; loop++) {
       const deltas = [];
       yield { type: "assistant_message_start", id: `m${String(loop)}` };
-      const turn = await opts.client.runTurn({
-        model,
-        system,
-        messages,
-        tools,
-        ...opts.temperature !== void 0 ? { temperature: opts.temperature } : {},
-        onText: (d6) => deltas.push(d6)
-      });
+      let turn;
+      for (let trims = 0; ; trims++) {
+        deltas.length = 0;
+        try {
+          turn = await opts.client.runTurn({
+            model,
+            system,
+            messages,
+            tools,
+            ...opts.temperature !== void 0 ? { temperature: opts.temperature } : {},
+            onText: (d6) => deltas.push(d6)
+          });
+          break;
+        } catch (e6) {
+          if (trims < MAX_CONTEXT_RECOVERY_TRIMS && isContextLengthError(e6) && trimOldestToolResult(messages)) {
+            continue;
+          }
+          throw e6;
+        }
+      }
       for (const d6 of deltas) yield { type: "text_delta", delta: d6 };
       yield { type: "assistant_message_end" };
       const assistantBlocks = [];
@@ -58491,7 +59423,8 @@ async function* runChat(opts) {
         yield { type: "tool_use", id: tu.id, name: tu.name };
         const res = await executeFunction(opts.dispatch, tu.name, tu.input);
         yield { type: "tool_result", toolUseId: tu.id, isError: !res.ok };
-        const content = JSON.stringify(res.ok ? res.result : { error: res.error });
+        const rawContent = JSON.stringify(res.ok ? res.result : { error: res.error });
+        const content = capLiveToolResult(rawContent);
         resultBlocks.push({
           type: "tool_result",
           tool_use_id: tu.id,
@@ -58502,7 +59435,7 @@ async function* runChat(opts) {
           id: tu.id,
           name: tu.name,
           input: capToolInput(tu.input),
-          content: capToolResult(content),
+          content: capToolResult(rawContent),
           isError: !res.ok
         });
       }
@@ -58515,7 +59448,10 @@ async function* runChat(opts) {
       };
     }
   } catch (e6) {
-    yield { type: "error", message: e6.message };
+    const raw = e6 instanceof Error ? e6.message : String(e6);
+    console.error("[chat] turn failed:", raw);
+    const message = isContextLengthError(e6) ? "That request was too large for me to process in one step, even after trimming older context. Try narrowing it, or start a new chat \u2014 your data is safe." : raw;
+    yield { type: "error", message };
   }
   yield { type: "done" };
 }
@@ -58796,6 +59732,16 @@ function readJson3(req) {
     req.on("error", reject);
   });
 }
+function parseActiveContext(raw, validTables) {
+  if (!raw || typeof raw !== "object") return void 0;
+  const table = raw.table;
+  const id = raw.id;
+  if (typeof table !== "string" || typeof id !== "string") return void 0;
+  if (!validTables.has(table)) return void 0;
+  const trimmedId = id.trim();
+  if (trimmedId.length === 0 || trimmedId.length > 256) return void 0;
+  return { table, id: trimmedId };
+}
 function mapHistory(raw) {
   if (!Array.isArray(raw)) return [];
   const out = [];
@@ -59014,6 +59960,7 @@ async function dispatchChatRoute(req, res, ctx) {
     return true;
   }
   const requestedThread = typeof body.threadId === "string" ? body.threadId : null;
+  const activeContext = parseActiveContext(body.activeContext, ctx.validTables);
   const history = await rehydrateHistory(ctx.db, requestedThread, mapHistory(body.history), null);
   let threadId = "";
   try {
@@ -59071,6 +60018,7 @@ async function dispatchChatRoute(req, res, ctx) {
       // resolves "me"/"my" without asking for a name it already has.
       operatorName: readIdentity().display_name,
       ...cloudSystemPrompt ? { cloudSystemPrompt } : {},
+      ...activeContext ? { activeContext } : {},
       // Capture each executed tool call (capped) for cross-turn replay memory.
       onToolRecord: (rec) => {
         turns[turns.length - 1]?.toolCalls.push(rec);
@@ -59149,7 +60097,7 @@ async function dispatchChatRoute(req, res, ctx) {
 import { statSync as statSync7 } from "fs";
 import { writeFile as writeFile2, rm } from "fs/promises";
 import { tmpdir as tmpdir2 } from "os";
-import { basename as basename10, extname as extname2, resolve as resolve8, join as join25 } from "path";
+import { basename as basename10, extname as extname2, resolve as resolve8, join as join26 } from "path";
 
 // src/gui/ai/extract.ts
 import { readFile as readFile5 } from "fs/promises";
@@ -60100,12 +61048,12 @@ async function renderViaPlaywright(url, timeoutMs) {
 }
 
 // src/framework/blob-store.ts
-import { createHash as createHash7 } from "crypto";
-import { createReadStream as createReadStream2, existsSync as existsSync20, mkdirSync as mkdirSync9, statSync as statSync6, copyFileSync as copyFileSync3 } from "fs";
-import { basename as basename9, join as join24 } from "path";
+import { createHash as createHash8 } from "crypto";
+import { createReadStream as createReadStream2, existsSync as existsSync21, mkdirSync as mkdirSync9, statSync as statSync6, copyFileSync as copyFileSync3 } from "fs";
+import { basename as basename9, join as join25 } from "path";
 async function hashFile(srcPath) {
   return new Promise((resolve11, reject) => {
-    const hash = createHash7("sha256");
+    const hash = createHash8("sha256");
     const stream = createReadStream2(srcPath);
     stream.on("data", (chunk) => hash.update(chunk));
     stream.on("error", reject);
@@ -60120,10 +61068,10 @@ async function attachBlob(srcPath, latticeRoot) {
     throw new Error(`attachBlob: ${srcPath} is not a regular file`);
   }
   const sha256 = await hashFile(srcPath);
-  const blobDir = join24(latticeRoot, "data", "blobs");
+  const blobDir = join25(latticeRoot, "data", "blobs");
   mkdirSync9(blobDir, { recursive: true });
-  const destAbs = join24(blobDir, sha256);
-  if (!existsSync20(destAbs)) {
+  const destAbs = join25(blobDir, sha256);
+  if (!existsSync21(destAbs)) {
     copyFileSync3(srcPath, destAbs);
   }
   return {
@@ -60137,7 +61085,7 @@ async function attachBlob(srcPath, latticeRoot) {
 }
 
 // src/gui/ingest-routes.ts
-import { createHash as createHash8 } from "crypto";
+import { createHash as createHash9 } from "crypto";
 function fileSlug(name, id) {
   const base = slugify(name.replace(/\.[^./\\]+$/, "")) || "file";
   return `${base}-${id.slice(0, 8)}`;
@@ -60287,11 +61235,23 @@ function buildSchema(db) {
 async function enrichWithLlm(mctx, db, fileId, text, name, junctions, descriptions, createJunction, aggressiveness = DEFAULT_AGGRESSIVENESS, createEntity) {
   if (!text.trim()) return [];
   const auth = await resolveClaudeAuth(db);
-  if (!auth) return [];
+  if (!auth) {
+    console.warn("[ingest] auto-link skipped \u2014 no AI credentials configured");
+    return [];
+  }
   let client;
   try {
     client = createAnthropicClient(auth);
-  } catch {
+  } catch (e6) {
+    const msg = e6.message;
+    console.error("[ingest] auto-link unavailable \u2014 Anthropic client init failed:", msg);
+    mctx.feed.publish({
+      table: "files",
+      op: "update",
+      rowId: fileId,
+      source: "ingest",
+      summary: `Couldn't auto-link "${name}": AI client unavailable`
+    });
     return [];
   }
   const temperature = aggressivenessToTemperature(aggressiveness);
@@ -60322,10 +61282,15 @@ async function enrichWithLlm(mctx, db, fileId, text, name, junctions, descriptio
             created = true;
           }
         } catch (e6) {
-          console.warn(
-            `[ingest] auto-create junction files\u2194${m4.table} failed:`,
-            e6.message
-          );
+          const msg = e6.message;
+          console.error(`[ingest] auto-create junction files\u2194${m4.table} failed:`, msg);
+          mctx.feed.publish({
+            table: "files",
+            op: "update",
+            rowId: fileId,
+            source: "ingest",
+            summary: `Couldn't create link table files \u2194 ${m4.table}: ${msg}`
+          });
         }
       }
       if (jx) {
@@ -60346,7 +61311,15 @@ async function enrichWithLlm(mctx, db, fileId, text, name, junctions, descriptio
             });
           }
         } catch (e6) {
-          console.warn(`[ingest] auto-link to ${m4.table} failed:`, e6.message);
+          const msg = e6.message;
+          console.error(`[ingest] auto-link to ${m4.table} failed:`, msg);
+          mctx.feed.publish({
+            table: "files",
+            op: "update",
+            rowId: fileId,
+            source: "ingest",
+            summary: `Couldn't auto-link "${name}" to ${m4.table}: ${msg}`
+          });
         }
       } else {
         mctx.feed.publish({
@@ -60420,7 +61393,15 @@ async function enrichWithLlm(mctx, db, fileId, text, name, junctions, descriptio
     }
     return matches;
   } catch (e6) {
-    console.warn("[ingest] classify failed:", e6.message);
+    const msg = e6.message;
+    console.error("[ingest] classify failed:", msg);
+    mctx.feed.publish({
+      table: "files",
+      op: "update",
+      rowId: fileId,
+      source: "ingest",
+      summary: `Couldn't auto-link "${name}": ${msg}`
+    });
     return [];
   }
 }
@@ -60536,7 +61517,7 @@ async function dispatchIngestRoute(req, res, ctx) {
       sendJson4(res, { error: "empty upload" }, 400);
       return true;
     }
-    const tmp = join25(tmpdir2(), `lattice-ingest-${crypto.randomUUID()}${extname2(name2)}`);
+    const tmp = join26(tmpdir2(), `lattice-ingest-${crypto.randomUUID()}${extname2(name2)}`);
     let result;
     let blob = null;
     try {
@@ -60557,7 +61538,7 @@ async function dispatchIngestRoute(req, res, ctx) {
     let s3Status = null;
     const s3cfg = resolveActiveS3Config(ctx.configPath);
     if (s3cfg) {
-      const sha256 = blob?.sha256 ?? createHash8("sha256").update(buf).digest("hex");
+      const sha256 = blob?.sha256 ?? createHash9("sha256").update(buf).digest("hex");
       const key = s3Key(s3cfg.prefix, sha256);
       try {
         const store = await createS3Store(s3cfg);
@@ -60969,6 +61950,8 @@ async function entitiesWithCounts(db, configPath, outputDir) {
       const policy = policies[t8.name];
       t8.defaultRowVisibility = policy?.defaultRowVisibility ?? "private";
       t8.neverShare = policy?.neverShare ?? false;
+      t8.ownedByMe = true;
+      t8.shared = t8.defaultRowVisibility === "everyone";
     }
   }
   return { ...payload, tables: enrichedTables };
@@ -61027,6 +62010,22 @@ var CONTEXT_PATH = /^\/api\/tables\/([^/]+)\/rows\/([^/]+)\/context$/;
 var ROW_HISTORY_PATH = /^\/api\/tables\/([^/]+)\/rows\/([^/]+)\/history$/;
 var LAST_EDITED_PATH = /^\/api\/tables\/([^/]+)\/last-edited$/;
 var LINK_PATH = /^\/api\/tables\/([^/]+)\/(link|unlink)$/;
+function headerValue(req, name) {
+  const raw = req.headers[name.toLowerCase()];
+  const v2 = Array.isArray(raw) ? raw[0] : raw;
+  const trimmed = typeof v2 === "string" ? v2.trim() : "";
+  return trimmed.length > 0 ? trimmed : void 0;
+}
+var MAX_ROWS_PAGE = 1e3;
+var DEFAULT_ROWS_PAGE = 500;
+function parsePageParam(raw, kind) {
+  if (raw === null) return kind === "limit" ? DEFAULT_ROWS_PAGE : 0;
+  if (!/^\d+$/.test(raw.trim())) return "invalid";
+  const n3 = Number(raw);
+  if (!Number.isFinite(n3)) return "invalid";
+  if (kind === "limit") return Math.min(Math.max(1, n3), MAX_ROWS_PAGE);
+  return Math.max(0, n3);
+}
 function deriveSlugFromManifest(row, knownSlugs) {
   const candidateFields = ["slug", "id", "name"];
   for (const field of candidateFields) {
@@ -61064,10 +62063,10 @@ function readRowContext(outputDir, locator, secretCols) {
     throw new Error(`Path traversal detected: slug "${slug}" escapes output directory`);
   }
   return fileNames.map((filename) => {
-    const absPath = join26(entityDir, filename);
+    const absPath = join27(entityDir, filename);
     const relPath = [directoryRoot, slug, filename].join("/");
-    if (!existsSync21(absPath)) return { name: filename, path: relPath, content: "" };
-    let content = readFileSync16(absPath, "utf8");
+    if (!existsSync22(absPath)) return { name: filename, path: relPath, content: "" };
+    let content = readFileSync17(absPath, "utf8");
     for (const col of secretCols) {
       const re = new RegExp(`^(${col}):.*$`, "gm");
       content = content.replace(re, `$1: \u2022\u2022\u2022\u2022\u2022\u2022\u2022\u2022`);
@@ -61076,17 +62075,17 @@ function readRowContext(outputDir, locator, secretCols) {
   });
 }
 function resolveOutputDirForConfig(configPath) {
-  const base = dirname11(resolve9(configPath));
+  const base = dirname12(resolve9(configPath));
   for (const dir of ["context", ".", "generated"]) {
     const abs = resolve9(base, dir);
-    if (existsSync21(join26(abs, ".lattice", "manifest.json"))) return abs;
+    if (existsSync22(join27(abs, ".lattice", "manifest.json"))) return abs;
   }
   return resolve9(base, "context");
 }
 async function openConfig(configPath, outputDir, autoRender = false) {
   const parsed = parseConfigFile(configPath);
   if (!/^postgres(ql)?:\/\//i.test(parsed.dbPath) && !parsed.dbPath.startsWith("file:") && parsed.dbPath !== ":memory:") {
-    mkdirSync10(dirname11(parsed.dbPath), { recursive: true });
+    mkdirSync10(dirname12(parsed.dbPath), { recursive: true });
   }
   const encryptionKey = getOrCreateMasterKey();
   const db = new Lattice({ config: configPath }, { encryptionKey });
@@ -61159,6 +62158,7 @@ async function openConfig(configPath, outputDir, autoRender = false) {
     }
   }
   let memberOpen = false;
+  const maskedReadViews = /* @__PURE__ */ new Map();
   if (db.getDialect() === "postgres") {
     const peek = new Lattice({ config: configPath }, { encryptionKey });
     try {
@@ -61167,7 +62167,9 @@ async function openConfig(configPath, outputDir, autoRender = false) {
         memberOpen = !await canManageRoles(peek);
         if (memberOpen) {
           const declared = new Set(db.getRegisteredTableNames());
-          for (const t8 of await discoverCloudTables(peek)) {
+          const discovered = await discoverCloudTables(peek);
+          const knownTables = /* @__PURE__ */ new Set([...declared, ...discovered.map((t8) => t8.name)]);
+          for (const t8 of discovered) {
             if (declared.has(t8.name)) continue;
             db.define(t8.name, {
               columns: Object.fromEntries(t8.columns.map((c6) => [c6, "TEXT"])),
@@ -61176,6 +62178,15 @@ async function openConfig(configPath, outputDir, autoRender = false) {
               outputFile: `${t8.name}/.lattice/${t8.name}.md`
             });
           }
+          const views = await allAsyncOrSync(
+            peek.adapter,
+            `SELECT table_name AS name FROM information_schema.views
+               WHERE table_schema = current_schema() AND table_name LIKE '%\\_v' ESCAPE '\\'`
+          );
+          for (const { name } of views) {
+            const base = name.slice(0, -2);
+            if (knownTables.has(base)) maskedReadViews.set(base, name);
+          }
         }
       }
     } catch {
@@ -61185,8 +62196,22 @@ async function openConfig(configPath, outputDir, autoRender = false) {
   }
   await db.init(memberOpen ? { introspectOnly: true } : {});
   await syncUserIdentityRow(db);
-  await adoptNativeEntities(db);
-  await retireLegacyPreferenceSecrets(db);
+  if (!memberOpen) {
+    await adoptNativeEntities(db);
+    await retireLegacyPreferenceSecrets(db);
+  }
+  if (db.getDialect() === "postgres" && !memberOpen) {
+    try {
+      if (await cloudRlsInstalled(db) && await canManageRoles(db)) {
+        await installCloudRls(db);
+        await installCloudSettings(db);
+        await db.ensureObservationSubstrate();
+        await enableChangelogRls(db);
+      }
+    } catch (e6) {
+      console.error("[openConfig] cloud bootstrap converge failed:", e6.message);
+    }
+  }
   const validTables = new Set(parsed.tables.map((t8) => t8.name));
   for (const name of db.getRegisteredTableNames()) {
     if (name.startsWith("__lattice_") || name.startsWith("_lattice_")) continue;
@@ -61222,7 +62247,7 @@ async function openConfig(configPath, outputDir, autoRender = false) {
   }
   if (autoRender) {
     db.enableAutoRender(outputDir);
-    if (!existsSync21(manifestPath(outputDir))) {
+    if (!existsSync22(manifestPath(outputDir))) {
       writeManifest(outputDir, {
         version: 2,
         generated_at: (/* @__PURE__ */ new Date()).toISOString(),
@@ -61245,7 +62270,8 @@ async function openConfig(configPath, outputDir, autoRender = false) {
     autoRender,
     renderProgress: new RenderProgressBus(),
     renderAbort: new AbortController(),
-    renderState: { phase: "idle", tables: {} }
+    renderState: { phase: "idle", tables: {} },
+    maskedReadViews
   };
 }
 function friendlyConfigName(parsedName, configPath) {
@@ -61253,11 +62279,11 @@ function friendlyConfigName(parsedName, configPath) {
   return basename11(configPath).replace(/\.(ya?ml)$/, "");
 }
 function listConfigs(activeConfigPath) {
-  const dir = dirname11(activeConfigPath);
+  const dir = dirname12(activeConfigPath);
   const entries = [];
-  for (const fname of readdirSync7(dir)) {
+  for (const fname of readdirSync8(dir)) {
     if (!fname.endsWith(".yml") && !fname.endsWith(".yaml")) continue;
-    const full = join26(dir, fname);
+    const full = join27(dir, fname);
     try {
       const parsed = parseConfigFile(full);
       entries.push({
@@ -61282,37 +62308,37 @@ function listConfigs(activeConfigPath) {
   return entries.sort((a6, b6) => a6.label.localeCompare(b6.label));
 }
 function createBlankConfig(activeConfigPath, dbName) {
-  const dir = dirname11(activeConfigPath);
+  const dir = dirname12(activeConfigPath);
   const slug = dbName.toLowerCase().replace(/[^a-z0-9_-]+/g, "-").replace(/^-+|-+$/g, "");
   if (!slug) throw new Error("Workspace name must contain at least one alphanumeric character");
-  const configPath = join26(dir, `${slug}.config.yml`);
-  if (existsSync21(configPath)) throw new Error(`Config already exists: ${slug}.config.yml`);
+  const configPath = join27(dir, `${slug}.config.yml`);
+  if (existsSync22(configPath)) throw new Error(`Config already exists: ${slug}.config.yml`);
   const yaml = `db: ./data/${slug}.db
 
 entities: {}
 `;
   writeFileSync8(configPath, yaml, "utf8");
-  mkdirSync10(join26(dir, "data"), { recursive: true });
+  mkdirSync10(join27(dir, "data"), { recursive: true });
   return configPath;
 }
 function sqliteFileForConfig(configPath) {
-  const dbVal = parseDocument3(readFileSync16(configPath, "utf8")).get("db");
+  const dbVal = parseDocument3(readFileSync17(configPath, "utf8")).get("db");
   const raw = (typeof dbVal === "string" ? dbVal : "").trim();
   if (!raw) return null;
   if (isPostgresUrl(raw) || raw.startsWith("${LATTICE_DB:")) return null;
   if (raw === ":memory:" || raw.startsWith("file:")) return null;
-  return resolve9(dirname11(configPath), raw);
+  return resolve9(dirname12(configPath), raw);
 }
 function deleteDatabaseFiles(targetConfigPath) {
   const sqliteFile = sqliteFileForConfig(targetConfigPath);
   unlinkSync5(targetConfigPath);
   let deletedDbFile = null;
-  if (sqliteFile && existsSync21(sqliteFile)) {
+  if (sqliteFile && existsSync22(sqliteFile)) {
     unlinkSync5(sqliteFile);
     deletedDbFile = sqliteFile;
     for (const suffix of ["-wal", "-shm", "-journal"]) {
       const sidecar = sqliteFile + suffix;
-      if (existsSync21(sidecar)) unlinkSync5(sidecar);
+      if (existsSync22(sidecar)) unlinkSync5(sidecar);
     }
   }
   return { deletedConfig: basename11(targetConfigPath), deletedDbFile };
@@ -61371,6 +62397,27 @@ function startBackgroundRender(active) {
     }
   );
 }
+async function changeVisibleToActiveRole(db, payload) {
+  if (db.getDialect() !== "postgres") return true;
+  if (payload.op === "delete" || payload.op === "DELETE") return true;
+  if (!payload.table_name || !payload.pk) return false;
+  try {
+    const row = await getAsyncOrSync(db.adapter, `SELECT lattice_row_visible(?, ?) AS v`, [
+      payload.table_name,
+      payload.pk
+    ]);
+    return row?.v === true || row?.v === "t" || row?.v === 1;
+  } catch (e6) {
+    console.warn("[realtime] visibility probe failed (dropping change):", e6.message);
+    return false;
+  }
+}
+function isDeleteOp(op) {
+  return op === "delete" || op === "DELETE";
+}
+function readRelationFor(active, table) {
+  return active.maskedReadViews.get(table) ?? table;
+}
 async function attachRowAccess(db, table, rows) {
   if (rows.length === 0) return;
   const pkCols = db.getPrimaryKey(table);
@@ -61409,20 +62456,24 @@ async function reopenSameConfig(active, autoRender) {
 }
 async function syncUserIdentityRow(db) {
   const identity = readIdentity();
-  const existing = await db.get("__lattice_user_identity", "singleton");
-  if (existing) {
-    await db.update("__lattice_user_identity", "singleton", {
-      display_name: identity.display_name,
-      email: identity.email,
-      updated_at: (/* @__PURE__ */ new Date()).toISOString()
-    });
-  } else {
-    await db.insert("__lattice_user_identity", {
-      id: "singleton",
-      display_name: identity.display_name,
-      email: identity.email,
-      updated_at: (/* @__PURE__ */ new Date()).toISOString()
-    });
+  try {
+    const existing = await db.get("__lattice_user_identity", "singleton");
+    if (existing) {
+      await db.update("__lattice_user_identity", "singleton", {
+        display_name: identity.display_name,
+        email: identity.email,
+        updated_at: (/* @__PURE__ */ new Date()).toISOString()
+      });
+    } else {
+      await db.insert("__lattice_user_identity", {
+        id: "singleton",
+        display_name: identity.display_name,
+        email: identity.email,
+        updated_at: (/* @__PURE__ */ new Date()).toISOString()
+      });
+    }
+  } catch (e6) {
+    console.warn("[openConfig] skipped user-identity mirror:", e6.message);
   }
 }
 async function applySchemaConfig(active, entry, direction, autoRender) {
@@ -61536,7 +62587,7 @@ async function startGuiServer(options) {
   const autoRender = options.autoRender ?? false;
   const sessionId = crypto.randomUUID();
   let active = await openConfig(configPath, outputDir, autoRender);
-  const latticeRoot = findLatticeRoot(dirname11(configPath));
+  const latticeRoot = findLatticeRoot(dirname12(configPath));
   let currentWorkspaceId = null;
   if (latticeRoot) {
     const launched = listWorkspaces(latticeRoot).find(
@@ -61601,7 +62652,11 @@ data: ${JSON.stringify(data)}
             writeEvent("state", { mode: "cloud", state: state2 });
           });
           const offPayload = broker?.subscribePayload((payload) => {
-            writeEvent("change", payload);
+            void changeVisibleToActiveRole(active.db, payload).then((visible) => {
+              if (!visible) return;
+              const out = isDeleteOp(payload.op) ? { ...payload, owner_role: null } : payload;
+              writeEvent("change", out);
+            });
           });
           const cleanup = () => {
             clearInterval(keepalive);
@@ -61637,24 +62692,31 @@ data: ${JSON.stringify(data)}
             }
           }, 25e3);
           const recentSelf = /* @__PURE__ */ new Map();
+          const isFeedHiddenTable = (t8) => t8.startsWith("_lattice") || t8.startsWith("__lattice") || isInternalNativeEntity(t8);
           const offFeed = active.feed.subscribe((e6) => {
+            if (e6.table && isFeedHiddenTable(e6.table)) return;
             recentSelf.set(`${e6.table ?? ""}:${e6.rowId ?? ""}:${e6.op}`, Date.now());
             writeFeed(e6);
           });
           const offBroker = active.realtime?.subscribePayload((p3) => {
-            const op = p3.op === "INSERT" ? "insert" : p3.op === "UPDATE" ? "update" : p3.op === "DELETE" ? "delete" : null;
-            if (!op || !p3.table_name || p3.table_name.startsWith("_lattice")) return;
-            const key = `${p3.table_name}:${p3.pk ?? ""}:${op}`;
+            const op = feedOpForChange(p3.op);
+            if (!op || !p3.table_name || isFeedHiddenTable(p3.table_name)) return;
+            const tableName = p3.table_name;
+            const key = `${tableName}:${p3.pk ?? ""}:${op}`;
             const seen = recentSelf.get(key);
             if (seen && Date.now() - seen < 5e3) return;
-            writeFeed({
-              seq: p3.seq,
-              table: p3.table_name,
-              op,
-              rowId: p3.pk,
-              source: "cli",
-              ts: p3.created_at || (/* @__PURE__ */ new Date()).toISOString(),
-              summary: `${op} on ${p3.table_name} (another client)`
+            void changeVisibleToActiveRole(active.db, p3).then((visible) => {
+              if (!visible) return;
+              writeFeed({
+                seq: p3.seq,
+                table: tableName,
+                op,
+                rowId: p3.pk,
+                source: "cli",
+                actor: isDeleteOp(p3.op) ? void 0 : p3.owner_role ?? void 0,
+                ts: p3.created_at || (/* @__PURE__ */ new Date()).toISOString(),
+                summary: `${op} on ${tableName} (another client)`
+              });
             });
           });
           const cleanup = () => {
@@ -62739,7 +63801,7 @@ data: ${JSON.stringify(data)}
             if (!ws.configPath && ws.kind === "local") {
               rmSync(workspaceDir(latticeRoot, ws.dir), { recursive: true, force: true });
             } else if (ws.kind === "cloud") {
-              if (ws.configPath && existsSync21(ws.configPath)) {
+              if (ws.configPath && existsSync22(ws.configPath)) {
                 rmSync(ws.configPath, { force: true });
               }
               const labelMatch = /^\$\{LATTICE_DB:([A-Za-z0-9._-]+)\}$/.exec(ws.db.trim());
@@ -62789,7 +63851,7 @@ data: ${JSON.stringify(data)}
             return;
           }
           const newPath = resolve9(body.path);
-          if (!existsSync21(newPath)) {
+          if (!existsSync22(newPath)) {
             sendJson(res, { error: `Config not found: ${newPath}` }, 400);
             return;
           }
@@ -62998,12 +64060,19 @@ data: ${JSON.stringify(data)}
             feed: active.feed,
             softDeletable: active.softDeletable,
             source: "gui",
-            sessionId
+            sessionId,
+            // #4.6 — the originating client's true edit time, honored for the
+            // audit timestamp so an offline edit shows when it was made.
+            clientTs: headerValue(req, "x-lattice-client-ts")
           };
           if (id === null) {
             if (method === "GET") {
-              const limit = Number(url2.searchParams.get("limit") ?? "500");
-              const offset = Number(url2.searchParams.get("offset") ?? "0");
+              const limit = parsePageParam(url2.searchParams.get("limit"), "limit");
+              const offset = parsePageParam(url2.searchParams.get("offset"), "offset");
+              if (limit === "invalid" || offset === "invalid") {
+                sendJson(res, { error: "limit and offset must be non-negative integers" }, 400);
+                return;
+              }
               const deletedMode = url2.searchParams.get("deleted");
               const queryOpts = { limit, offset };
               if (active.softDeletable.has(table) && deletedMode !== "any") {
@@ -63011,20 +64080,29 @@ data: ${JSON.stringify(data)}
                   { col: "deleted_at", op: deletedMode === "only" ? "isNotNull" : "isNull" }
                 ];
               }
-              const rows = await active.db.query(table, queryOpts);
+              const rows = await active.db.query(readRelationFor(active, table), queryOpts);
               await attachRowAccess(active.db, table, rows);
               sendJson(res, { rows });
               return;
             }
             if (method === "POST") {
               const body = await readJson(req);
-              const { id: newId } = await createRow(mctx, table, body);
-              sendJson(res, { id: newId }, 201);
+              const editId = headerValue(req, "x-lattice-edit-id");
+              const created = await createRow(mctx, table, body, void 0, editId);
+              sendJson(res, { id: created.id }, created.idempotent ? 200 : 201);
               return;
             }
           } else {
             if (method === "GET") {
-              const row = await active.db.get(table, id);
+              const readRel = readRelationFor(active, table);
+              let row;
+              if (readRel === table) {
+                row = await active.db.get(table, id);
+              } else {
+                const pkCol = active.db.getPrimaryKey(table)[0] ?? "id";
+                const found = await active.db.query(readRel, { where: { [pkCol]: id }, limit: 1 });
+                row = found[0] ?? null;
+              }
               if (row === null) {
                 sendJson(res, { error: "Row not found" }, 404);
                 return;
@@ -63123,7 +64201,7 @@ data: ${JSON.stringify(data)}
             createJunction: (otherTable) => createFileJunction(active, otherTable, sessionId),
             createEntity: (entity, columns) => createUserEntity(active, entity, columns, sessionId),
             aggressiveness: getAggressiveness(),
-            latticeRoot: dirname11(active.configPath),
+            latticeRoot: dirname12(active.configPath),
             configPath: active.configPath,
             pathname,
             method
@@ -63133,7 +64211,7 @@ data: ${JSON.stringify(data)}
         if (pathname.startsWith("/api/files/")) {
           const handled = await dispatchFilesRoute(req, res, {
             db: active.db,
-            latticeRoot: dirname11(active.configPath),
+            latticeRoot: dirname12(active.configPath),
             configPath: active.configPath,
             pathname,
             method
@@ -63151,6 +64229,42 @@ data: ${JSON.stringify(data)}
               await disposeActive(active);
               active = next;
               startBackgroundRender(active);
+            },
+            // Join a cloud as a NEW workspace (never hijack the active one): save
+            // the credential, scaffold a new cloud workspace, open + activate it.
+            // Atomic — on open failure, roll back the half-created workspace +
+            // credential and rethrow (so a failed join leaves nothing behind).
+            createCloudWorkspace: async (displayName, key, url3) => {
+              if (!latticeRoot) {
+                throw new Error("No .lattice root \u2014 cannot create a cloud workspace");
+              }
+              saveDbCredential(key, url3);
+              let created;
+              try {
+                created = addWorkspace(latticeRoot, {
+                  displayName,
+                  db: "${LATTICE_DB:" + key + "}",
+                  makeActive: false
+                });
+              } catch (e6) {
+                deleteDbCredential(key);
+                throw e6;
+              }
+              const paths = resolveWorkspacePaths(latticeRoot, created);
+              let next;
+              try {
+                next = await openConfig(paths.configPath, paths.contextDir, autoRender);
+              } catch (e6) {
+                removeWorkspace(latticeRoot, created.id);
+                deleteDbCredential(key);
+                throw e6;
+              }
+              setActiveWorkspace(latticeRoot, created.id);
+              await disposeActive(active);
+              active = next;
+              startBackgroundRender(active);
+              currentWorkspaceId = created.id;
+              return created.id;
             }
           });
           if (handled) return;
@@ -63166,6 +64280,10 @@ data: ${JSON.stringify(data)}
           sendJson(res, { error: e6.message }, 403);
           return;
         }
+        if (e6.code === "row_write_conflict") {
+          sendJson(res, { error: e6.message }, 409);
+          return;
+        }
         console.error(
           `[gui] ${req.method ?? "?"} ${req.url ?? "?"} failed: ${e6.message}
 ${e6.stack ?? ""}`
@@ -63380,7 +64498,7 @@ function printHelp() {
 function getVersion() {
   try {
     const pkgPath = new URL("../package.json", import.meta.url).pathname;
-    const pkg = JSON.parse(readFileSync17(pkgPath, "utf-8"));
+    const pkg = JSON.parse(readFileSync18(pkgPath, "utf-8"));
     return pkg.version;
   } catch {
     return "unknown";
@@ -63414,7 +64532,7 @@ function runGenerate(args) {
   const configPath = resolve10(args.config);
   let raw;
   try {
-    raw = readFileSync17(configPath, "utf-8");
+    raw = readFileSync18(configPath, "utf-8");
   } catch {
     console.error(`Error: cannot read config file at "${configPath}"`);
     process.exit(1);
@@ -63430,7 +64548,7 @@ function runGenerate(args) {
     console.error('Error: config must have an "entities" key');
     process.exit(1);
   }
-  const configDir2 = dirname12(configPath);
+  const configDir2 = dirname13(configPath);
   const outDir = resolve10(args.out);
   try {
     const result = generateAll({ config, configDir: configDir2, outDir, scaffold: args.scaffold });