latticesql 3.1.0 → 3.2.0

package/dist/index.js

@@ -41443,37 +41443,63 @@ var THROTTLE_WINDOW_MS = 200;
 var ProgressThrottle = class {
   cb;
   windowMs;
-  lastEmit = 0;
+  /**
+   * Last passthrough time, keyed per table (`event.table`, or `''` for the
+   * table-less `done`/`error` lifecycle events). Per-table — not a single shared
+   * clock — so when tables render CONCURRENTLY each one keeps its own ~5/sec
+   * budget: a fast table can't consume the window and starve a slow table's
+   * progress. `force` (table-start) resets only that table's budget.
+   */
+  lastEmit = /* @__PURE__ */ new Map();
   constructor(cb, windowMs = THROTTLE_WINDOW_MS) {
     this.cb = cb;
     this.windowMs = windowMs;
   }
   /**
-   * Emit a `table-progress` event, but only if the window since the last
-   * passthrough has elapsed. Dropped events are simply not delivered — the next
-   * one that survives carries the latest running count.
+   * Emit a `table-progress` event, but only if the window since this table's
+   * last passthrough has elapsed. Dropped events are simply not delivered — the
+   * next one that survives carries the latest running count.
    */
   tick(event) {
     if (!this.cb) return;
+    const key = event.table ?? "";
     const now = Date.now();
-    if (now - this.lastEmit < this.windowMs) return;
-    this.lastEmit = now;
+    if (now - (this.lastEmit.get(key) ?? 0) < this.windowMs) return;
+    this.lastEmit.set(key, now);
     this.cb(event);
   }
   /**
-   * Emit a lifecycle event immediately and reset the throttle window. Use for
-   * `table-start`, `table-done`, `done`, and `error` — none of which should
-   * ever be dropped. Resetting on `table-start` gives each table a clean budget.
+   * Emit a lifecycle event immediately and reset this table's throttle window.
+   * Use for `table-start`, `table-done`, `done`, and `error` — none of which
+   * should ever be dropped. Resetting on `table-start` gives each table a clean
+   * budget.
    */
   force(event) {
     if (!this.cb) return;
-    this.lastEmit = Date.now();
+    this.lastEmit.set(event.table ?? "", Date.now());
     this.cb(event);
   }
 };
 
+// src/concurrency.ts
+async function mapWithConcurrency(items, limit, fn) {
+  const results = new Array(items.length);
+  let next = 0;
+  const workerCount = Math.max(1, Math.min(limit, items.length));
+  const workers = Array.from({ length: workerCount }, async () => {
+    for (; ; ) {
+      const i6 = next++;
+      if (i6 >= items.length) break;
+      results[i6] = await fn(items[i6], i6);
+    }
+  });
+  await Promise.all(workers);
+  return results;
+}
+
 // src/render/engine.ts
 var YIELD_EVERY_ENTITIES = 200;
+var RENDER_TABLE_CONCURRENCY = 4;
 var NOOP_RENDER = () => "";
 var RenderEngine = class {
   _schema;
@@ -41655,163 +41681,175 @@ var RenderEngine = class {
    * via `signal`.
    */
   async _renderEntityContexts(outputDir, filesWritten, counters, throttle, signal) {
-    const manifestData = {};
     const protectedTables = /* @__PURE__ */ new Set();
     for (const [t8, d6] of this._schema.getEntityContexts()) {
       if (d6.protected) protectedTables.add(t8);
     }
     const entityTables = [...this._schema.getEntityContexts()];
     const tableCount = entityTables.length;
-    for (let tableIndex = 0; tableIndex < tableCount; tableIndex++) {
-      if (signal?.aborted) return null;
-      const [table, def] = entityTables[tableIndex];
-      const entityPk = this._schema.getPrimaryKey(table)[0] ?? "id";
-      const allRows = await this._schema.queryTable(this._adapter, table);
-      const directoryRoot = def.directoryRoot ?? table;
-      const entitiesTotal = allRows.length;
-      throttle.force({
-        kind: "table-start",
-        table,
-        entitiesRendered: 0,
-        entitiesTotal,
-        tableIndex,
-        tableCount,
-        pct: 0
-      });
-      const manifestEntry = {
-        directoryRoot,
-        ...def.index ? { indexFile: def.index.outputFile } : {},
-        declaredFiles: Object.keys(def.files),
-        protectedFiles: def.protectedFiles ?? [],
-        entities: {}
-      };
-      if (def.index) {
-        const indexPath = join4(outputDir, def.index.outputFile);
-        if (atomicWrite(indexPath, def.index.render(allRows))) {
-          filesWritten.push(indexPath);
-        } else {
-          counters.skipped++;
-        }
-      }
-      for (let i6 = 0; i6 < allRows.length; i6++) {
-        const entityRow = allRows[i6];
+    if (signal?.aborted) return null;
+    const renderedEntries = await mapWithConcurrency(
+      entityTables,
+      RENDER_TABLE_CONCURRENCY,
+      async ([table, def], tableIndex) => {
         if (signal?.aborted) return null;
-        if (i6 > 0 && i6 % YIELD_EVERY_ENTITIES === 0) {
-          await new Promise((r6) => setImmediate(r6));
-        }
-        const rawSlug = def.slug(entityRow);
-        const slug = rawSlug.replace(/[\u00A0\u2000-\u200B\u202F\u205F\u3000]/g, " ").replace(/[\u0000-\u001F\u007F]/g, "");
-        if (/[^a-zA-Z0-9.\-_ @(),#&'+:;!~[\]]/.test(slug)) {
-          throw new Error(`Invalid slug "${slug}": contains characters outside the allowed set`);
-        }
-        const entityDir = def.directory ? join4(outputDir, def.directory(entityRow)) : join4(outputDir, directoryRoot, slug);
-        const resolvedDir = resolve(entityDir);
-        const resolvedBase = resolve(outputDir);
-        if (!resolvedDir.startsWith(resolvedBase + sep) && resolvedDir !== resolvedBase) {
-          throw new Error(`Path traversal detected: slug "${slug}" escapes output directory`);
-        }
-        mkdirSync2(entityDir, { recursive: true });
-        if (def.attachFileColumn) {
-          const filePath = entityRow[def.attachFileColumn];
-          if (filePath && typeof filePath === "string" && filePath.length > 0) {
-            if (def.attachFileMode === "reference") {
-              const refPath = join4(entityDir, `${basename(filePath)}.ref.md`);
-              try {
-                atomicWrite(refPath, `# Reference
+        const entityPk = this._schema.getPrimaryKey(table)[0] ?? "id";
+        const allRows = await this._schema.queryTable(this._adapter, table);
+        const directoryRoot = def.directoryRoot ?? table;
+        const entitiesTotal = allRows.length;
+        throttle.force({
+          kind: "table-start",
+          table,
+          entitiesRendered: 0,
+          entitiesTotal,
+          tableIndex,
+          tableCount,
+          pct: 0
+        });
+        const manifestEntry = {
+          directoryRoot,
+          ...def.index ? { indexFile: def.index.outputFile } : {},
+          declaredFiles: Object.keys(def.files),
+          protectedFiles: def.protectedFiles ?? [],
+          entities: {}
+        };
+        if (def.index) {
+          const indexPath = join4(outputDir, def.index.outputFile);
+          if (atomicWrite(indexPath, def.index.render(allRows))) {
+            filesWritten.push(indexPath);
+          } else {
+            counters.skipped++;
+          }
+        }
+        for (let i6 = 0; i6 < allRows.length; i6++) {
+          const entityRow = allRows[i6];
+          if (signal?.aborted) return null;
+          if (i6 > 0 && i6 % YIELD_EVERY_ENTITIES === 0) {
+            await new Promise((r6) => setImmediate(r6));
+          }
+          const rawSlug = def.slug(entityRow);
+          const slug = rawSlug.replace(/[\u00A0\u2000-\u200B\u202F\u205F\u3000]/g, " ").replace(/[\u0000-\u001F\u007F]/g, "");
+          if (/[^a-zA-Z0-9.\-_ @(),#&'+:;!~[\]]/.test(slug)) {
+            throw new Error(`Invalid slug "${slug}": contains characters outside the allowed set`);
+          }
+          const entityDir = def.directory ? join4(outputDir, def.directory(entityRow)) : join4(outputDir, directoryRoot, slug);
+          const resolvedDir = resolve(entityDir);
+          const resolvedBase = resolve(outputDir);
+          if (!resolvedDir.startsWith(resolvedBase + sep) && resolvedDir !== resolvedBase) {
+            throw new Error(`Path traversal detected: slug "${slug}" escapes output directory`);
+          }
+          mkdirSync2(entityDir, { recursive: true });
+          if (def.attachFileColumn) {
+            const filePath = entityRow[def.attachFileColumn];
+            if (filePath && typeof filePath === "string" && filePath.length > 0) {
+              if (def.attachFileMode === "reference") {
+                const refPath = join4(entityDir, `${basename(filePath)}.ref.md`);
+                try {
+                  atomicWrite(refPath, `# Reference
 
 - **location:** ${filePath}
 `);
-                filesWritten.push(refPath);
-              } catch {
-              }
-            } else {
-              const absPath = isAbsolute(filePath) ? filePath : resolve(outputDir, filePath);
-              if (existsSync4(absPath)) {
-                const destPath = join4(entityDir, basename(absPath));
-                if (!existsSync4(destPath)) {
-                  try {
-                    copyFileSync2(absPath, destPath);
-                    filesWritten.push(destPath);
-                  } catch {
+                  filesWritten.push(refPath);
+                } catch {
+                }
+              } else {
+                const absPath = isAbsolute(filePath) ? filePath : resolve(outputDir, filePath);
+                if (existsSync4(absPath)) {
+                  const destPath = join4(entityDir, basename(absPath));
+                  if (!existsSync4(destPath)) {
+                    try {
+                      copyFileSync2(absPath, destPath);
+                      filesWritten.push(destPath);
+                    } catch {
+                    }
                   }
                 }
               }
             }
           }
-        }
-        const renderedFiles = /* @__PURE__ */ new Map();
-        const entityFileHashes = {};
-        const protection = protectedTables.size > 0 ? { protectedTables, currentTable: table } : void 0;
-        for (const [filename, spec] of Object.entries(def.files)) {
-          if (signal?.aborted) return null;
-          const mergeDefaults = def.sourceDefaults && spec.source.type !== "self" && spec.source.type !== "custom" && spec.source.type !== "enriched";
-          const source = mergeDefaults ? { ...def.sourceDefaults, ...spec.source } : spec.source;
-          const rows = await resolveEntitySource(
-            source,
-            entityRow,
-            entityPk,
-            this._adapter,
-            protection
-          );
-          if (spec.omitIfEmpty && rows.length === 0) continue;
-          const renderFn = compileEntityRender(spec.render);
-          const content = truncateContent(renderFn(rows), spec.budget);
-          renderedFiles.set(filename, content);
-          entityFileHashes[filename] = { hash: contentHash(content) };
-          const filePath = join4(entityDir, filename);
-          if (atomicWrite(filePath, content)) {
-            filesWritten.push(filePath);
-          } else {
-            counters.skipped++;
-          }
-        }
-        const fileKeys = Object.keys(def.files);
-        const effectiveCombined = def.combined ?? (fileKeys.length > 1 && renderedFiles.size > 1 ? (
-          // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
-          { outputFile: fileKeys[0] }
-        ) : void 0);
-        if (effectiveCombined && renderedFiles.size > 0) {
-          const excluded = new Set(effectiveCombined.exclude ?? []);
-          const parts = [];
-          for (const filename of Object.keys(def.files)) {
-            if (!excluded.has(filename) && renderedFiles.has(filename)) {
-              parts.push(renderedFiles.get(filename) ?? "");
-            }
-          }
-          if (parts.length > 0) {
-            const combinedContent = parts.join("\n\n---\n\n");
-            const combinedPath = join4(entityDir, effectiveCombined.outputFile);
-            if (atomicWrite(combinedPath, combinedContent)) {
-              filesWritten.push(combinedPath);
+          const renderedFiles = /* @__PURE__ */ new Map();
+          const entityFileHashes = {};
+          const protection = protectedTables.size > 0 ? { protectedTables, currentTable: table } : void 0;
+          for (const [filename, spec] of Object.entries(def.files)) {
+            if (signal?.aborted) return null;
+            const mergeDefaults = def.sourceDefaults && spec.source.type !== "self" && spec.source.type !== "custom" && spec.source.type !== "enriched";
+            const source = mergeDefaults ? { ...def.sourceDefaults, ...spec.source } : spec.source;
+            const rows = await resolveEntitySource(
+              source,
+              entityRow,
+              entityPk,
+              this._adapter,
+              protection
+            );
+            if (spec.omitIfEmpty && rows.length === 0) continue;
+            const renderFn = compileEntityRender(spec.render);
+            const content = truncateContent(renderFn(rows), spec.budget);
+            renderedFiles.set(filename, content);
+            entityFileHashes[filename] = { hash: contentHash(content) };
+            const filePath = join4(entityDir, filename);
+            if (atomicWrite(filePath, content)) {
+              filesWritten.push(filePath);
             } else {
               counters.skipped++;
             }
-            renderedFiles.set(effectiveCombined.outputFile, combinedContent);
-            entityFileHashes[effectiveCombined.outputFile] = { hash: contentHash(combinedContent) };
           }
+          const fileKeys = Object.keys(def.files);
+          const effectiveCombined = def.combined ?? (fileKeys.length > 1 && renderedFiles.size > 1 ? (
+            // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+            { outputFile: fileKeys[0] }
+          ) : void 0);
+          if (effectiveCombined && renderedFiles.size > 0) {
+            const excluded = new Set(effectiveCombined.exclude ?? []);
+            const parts = [];
+            for (const filename of Object.keys(def.files)) {
+              if (!excluded.has(filename) && renderedFiles.has(filename)) {
+                parts.push(renderedFiles.get(filename) ?? "");
+              }
+            }
+            if (parts.length > 0) {
+              const combinedContent = parts.join("\n\n---\n\n");
+              const combinedPath = join4(entityDir, effectiveCombined.outputFile);
+              if (atomicWrite(combinedPath, combinedContent)) {
+                filesWritten.push(combinedPath);
+              } else {
+                counters.skipped++;
+              }
+              renderedFiles.set(effectiveCombined.outputFile, combinedContent);
+              entityFileHashes[effectiveCombined.outputFile] = {
+                hash: contentHash(combinedContent)
+              };
+            }
+          }
+          manifestEntry.entities[slug] = entityFileHashes;
+          const entitiesRendered = i6 + 1;
+          throttle.tick({
+            kind: "table-progress",
+            table,
+            entitiesRendered,
+            entitiesTotal,
+            tableIndex,
+            tableCount,
+            pct: entitiesTotal > 0 ? entitiesRendered / entitiesTotal * 100 : 100
+          });
         }
-        manifestEntry.entities[slug] = entityFileHashes;
-        const entitiesRendered = i6 + 1;
-        throttle.tick({
-          kind: "table-progress",
+        throttle.force({
+          kind: "table-done",
           table,
-          entitiesRendered,
+          entitiesRendered: entitiesTotal,
           entitiesTotal,
           tableIndex,
           tableCount,
-          pct: entitiesTotal > 0 ? entitiesRendered / entitiesTotal * 100 : 100
+          pct: 100
         });
+        return manifestEntry;
       }
-      manifestData[table] = manifestEntry;
-      throttle.force({
-        kind: "table-done",
-        table,
-        entitiesRendered: entitiesTotal,
-        entitiesTotal,
-        tableIndex,
-        tableCount,
-        pct: 100
-      });
+    );
+    if (signal?.aborted) return null;
+    const manifestData = {};
+    for (let i6 = 0; i6 < renderedEntries.length; i6++) {
+      const entry = renderedEntries[i6];
+      if (entry == null) return null;
+      manifestData[entityTables[i6][0]] = entry;
     }
     return manifestData;
   }
@@ -43071,14 +43109,27 @@ function buildParsedConfig(raw, sourceName, configDir2) {
   const entityContexts = parseEntityContexts(config.entityContexts);
   return name !== void 0 ? { dbPath, name, tables, entityContexts } : { dbPath, tables, entityContexts };
 }
+function isDbRefShaped(raw) {
+  return /^\s*\$\{LATTICE_DB:/.test(raw);
+}
+function parseDbRef(raw) {
+  const m4 = /^\$\{LATTICE_DB:([A-Za-z0-9._-]+)\}$/.exec(raw.trim());
+  return m4 ? { label: m4[1] ?? "" } : null;
+}
 function resolveDbPath(raw, configDir2) {
-  const labelMatch = /^\$\{LATTICE_DB:([A-Za-z0-9._-]+)\}$/.exec(raw.trim());
-  if (labelMatch) {
-    const label = labelMatch[1] ?? "";
-    const url = getDbCredential(label);
+  if (isDbRefShaped(raw)) {
+    const ref = parseDbRef(raw);
+    if (!ref) {
+      throw new Error(
+        `Lattice: malformed \${LATTICE_DB:\u2026} reference ${JSON.stringify(
+          raw.trim()
+        )} \u2014 the label may contain only [A-Za-z0-9._-] (no spaces). This usually means a workspace was created with an unsanitized name.`
+      );
+    }
+    const url = getDbCredential(ref.label);
     if (!url) {
       throw new Error(
-        `Lattice: config references \${LATTICE_DB:${label}} but no credential is saved for "${label}". Save one via the GUI's Database panel or set LATTICE_DB_${label}.`
+        `Lattice: config references \${LATTICE_DB:${ref.label}} but no credential is saved for "${ref.label}". Save one via the GUI's Database panel or set LATTICE_DB_${ref.label}.`
       );
     }
     return url;
@@ -43086,6 +43137,13 @@ function resolveDbPath(raw, configDir2) {
   if (/^postgres(ql)?:\/\//i.test(raw) || raw.startsWith("file:") || raw === ":memory:") {
     return raw;
   }
+  if (raw.includes("${")) {
+    throw new Error(
+      `Lattice: refusing to treat ${JSON.stringify(
+        raw.trim()
+      )} as a database path \u2014 it looks like a malformed variable reference, not a file path.`
+    );
+  }
   return resolve2(configDir2, raw);
 }
 var warnedDeprecatedRefs = /* @__PURE__ */ new Set();
@@ -47139,7 +47197,7 @@ function archiveLocalSqlite(dbPath) {
 async function cloudRlsInstalled(probe) {
   const row = await getAsyncOrSync(
     probe.adapter,
-    `SELECT to_regclass('public.__lattice_owners') AS reg`
+    `SELECT to_regclass('__lattice_owners') AS reg`
   );
   return !!row && row.reg != null;
 }
@@ -47196,6 +47254,19 @@ function isPostgresUrl(url) {
 }
 
 // src/cloud/rls.ts
+async function runCloudBootstrapSql(db, sql) {
+  const adapter = db.adapter;
+  if (adapter.withClient) {
+    await adapter.withClient(async (tx) => {
+      await tx.run("SELECT pg_advisory_xact_lock($1::bigint)", [
+        LATTICE_MIGRATION_LOCK_ID.toString()
+      ]);
+      await tx.run(sql);
+    });
+  } else {
+    await runAsyncOrSync(adapter, sql);
+  }
+}
 function isPg(db) {
   return db.getDialect() === "postgres";
 }
@@ -47329,12 +47400,42 @@ CREATE TABLE IF NOT EXISTS "__lattice_member_invites" (
   "id"          text PRIMARY KEY,
   "role"        text NOT NULL,
   "email_hash"  text NOT NULL,
+  "email"       text,
   "created_by"  text NOT NULL DEFAULT session_user,
   "created_at"  timestamptz NOT NULL DEFAULT now(),
   "expires_at"  timestamptz NOT NULL,
   "redeemed_at" timestamptz,
   "revoked_at"  timestamptz
 );
+-- Plaintext invitee email (owner-only table; members have no grant) so the
+-- owner's Members list can show who each member is. Added via ALTER so clouds
+-- created before this column converge to it on the owner's next open (the
+-- bootstrap is now run directly + idempotently, not version-gated).
+ALTER TABLE "__lattice_member_invites" ADD COLUMN IF NOT EXISTS "email" text;
+
+-- #3.1 \u2014 one-time-use + revocation enforcement. After a member authenticates to
+-- the cloud with their minted credential, the join path calls this to CLAIM the
+-- invite. The single atomic UPDATE stamps redeemed_at and returns true ONLY when
+-- an invite for the CALLING role (session_user) is still pending: not already
+-- redeemed (one-time-use), not revoked, and not expired. A replayed redeem of a
+-- leaked token, a revoked invite, or an expired one returns false, so the caller
+-- rejects the join. Members have no direct grant on the owner-only
+-- __lattice_member_invites table \u2014 this SECURITY DEFINER function is the only
+-- path, and it can claim ONLY the caller's own invite (keyed on session_user,
+-- never a caller-supplied parameter, so one member can't burn another's invite).
+CREATE OR REPLACE FUNCTION lattice_claim_invite()
+RETURNS boolean LANGUAGE plpgsql SECURITY DEFINER AS $fn$
+DECLARE v_ok boolean;
+BEGIN
+  UPDATE "__lattice_member_invites"
+     SET "redeemed_at" = now()
+   WHERE "role" = session_user
+     AND "redeemed_at" IS NULL
+     AND "revoked_at" IS NULL
+     AND "expires_at" > now()
+  RETURNING true INTO v_ok;
+  RETURN COALESCE(v_ok, false);
+END $fn$;
 
 -- Visibility check. SECURITY DEFINER so it reads bookkeeping the member can't;
 -- keyed on session_user (the member's login role). A row with no ownership record
@@ -47617,6 +47718,62 @@ END $fn$;
 DROP TRIGGER IF EXISTS "lattice_notify_change_trg" ON "__lattice_changes";
 CREATE TRIGGER "lattice_notify_change_trg" AFTER INSERT ON "__lattice_changes"
   FOR EACH ROW EXECUTE FUNCTION lattice_notify_change();
+
+-- #4.4 \u2014 seq-based catch-up after a realtime gap. NOTIFY is fire-and-forget, so a
+-- broker that drops its LISTEN (network blip, laptop sleep) misses every change
+-- during the gap. The broker tracks the highest seq it delivered and, on
+-- reconnect, replays what it missed via this function. Members have NO direct
+-- grant on __lattice_changes (reading it raw would leak every change on the
+-- cloud), so this SECURITY DEFINER function is the only path and it returns ONLY
+-- the rows the CALLING role can see: keyed on session_user via lattice_row_visible
+-- (same gate as live fan-out, #4.3). Deletes are excluded \u2014 the ownership record
+-- is gone post-delete so visibility can't be verified, and replaying them would
+-- leak deleted-row pks (the client reconciles deletes on its reconnect refetch).
+-- Bounded (LIMIT clamped \u2264 1000) so a long gap can't stream the whole table (Rule:
+-- bounded reads on a hot path).
+CREATE OR REPLACE FUNCTION lattice_changes_since(p_seq bigint, p_limit int)
+RETURNS TABLE(seq bigint, table_name text, pk text, op text, owner_role text, created_at timestamptz)
+LANGUAGE sql STABLE SECURITY DEFINER AS $fn$
+  SELECT c."seq", c."table_name", c."pk", c."op", c."owner_role", c."created_at"
+    FROM "__lattice_changes" c
+   WHERE c."seq" > p_seq
+     AND c."op" = 'upsert'
+     AND lattice_row_visible(c."table_name", c."pk")
+   ORDER BY c."seq" ASC
+   LIMIT GREATEST(0, LEAST(COALESCE(p_limit, 500), 1000));
+$fn$;
+
+-- #2.1 \u2014 per-row access summary for the connecting role. The GUI attaches this as
+-- each row's _access so the sharing affordance renders, but __lattice_owners is
+-- owner-only bookkeeping (members have no grant), so a member reading it directly
+-- got "permission denied". This SECURITY DEFINER function returns visibility +
+-- whether the CALLER owns the row, ONLY for the rows the caller can actually see
+-- (lattice_row_visible, keyed on session_user) \u2014 so a member learns nothing about
+-- rows hidden from it. Member-callable; the owner gets the same view of its rows.
+CREATE OR REPLACE FUNCTION lattice_rows_access(p_table text, p_pks text[])
+RETURNS TABLE(pk text, visibility text, owned boolean)
+LANGUAGE sql STABLE SECURITY DEFINER AS $fn$
+  SELECT o."pk", o."visibility", (o."owner_role" = session_user) AS owned
+    FROM "__lattice_owners" o
+   WHERE o."table_name" = p_table
+     AND o."pk" = ANY(p_pks)
+     AND lattice_row_visible(o."table_name", o."pk");
+$fn$;
+
+-- #2.1 \u2014 grantees of a CALLER-OWNED custom-shared row (who you shared YOUR row
+-- with). Only the row owner sees this (the WHERE pins owner_role = session_user),
+-- so a member can't enumerate another owner's grants. __lattice_row_grants is
+-- member-ungranted, so this SECURITY DEFINER function is the member-safe path.
+CREATE OR REPLACE FUNCTION lattice_row_grantees(p_table text, p_pks text[])
+RETURNS TABLE(pk text, grantee_role text)
+LANGUAGE sql STABLE SECURITY DEFINER AS $fn$
+  SELECT g."pk", g."grantee_role"
+    FROM "__lattice_row_grants" g
+    JOIN "__lattice_owners" o ON o."table_name" = g."table_name" AND o."pk" = g."pk"
+   WHERE g."table_name" = p_table
+     AND g."pk" = ANY(p_pks)
+     AND o."owner_role" = session_user;
+$fn$;
 `;
 function tableRlsSql(table, pkCols) {
   const q3 = `"${table.replace(/"/g, '""')}"`;
@@ -47684,28 +47841,14 @@ CREATE TRIGGER "${trg}" AFTER INSERT OR UPDATE OR DELETE ON ${q3}
 async function installCloudRls(db) {
   if (!isPg(db)) return;
   const schema = await cloudSchema(db);
-  const migration = {
-    // v3 added the audience helpers; v4 the role model; v5 the per-card override
-    // model (__lattice_cell_grants + lattice_cell_visible / lattice_grant_cell);
-    // v6 added per-table policy (__lattice_table_policy: default_row_visibility +
-    // never_share, enforced in the insert trigger + share/grant guards), the
-    // canonical column-audience store (__lattice_column_policy), lattice_is_owner,
-    // and the owner-only setters; v7 pins search_path on every SECURITY DEFINER
-    // helper (closes the pg_temp-shadow RLS bypass) + revokes schema CREATE from
-    // PUBLIC. The bootstrap is fully idempotent.
-    version: "internal:cloud-rls:bootstrap:v7",
-    sql: pinDefinerSearchPath(CLOUD_RLS_BOOTSTRAP_SQL, schema) + revokeSchemaCreateSql(schema)
-  };
-  await db.migrate([migration]);
+  const sql = pinDefinerSearchPath(CLOUD_RLS_BOOTSTRAP_SQL, schema) + revokeSchemaCreateSql(schema);
+  await runCloudBootstrapSql(db, sql);
 }
 async function enableChangelogRls(db) {
   if (!isPg(db)) return;
-  const migration = {
-    // v2: ground-truth/audit entries are owner-only (was lattice_row_visible),
-    // closing the masked-column-via-history leak. Bump re-installs the policy on
-    // existing clouds.
-    version: "internal:cloud-rls:changelog:v2",
-    sql: `
+  await runCloudBootstrapSql(
+    db,
+    `
 ALTER TABLE "__lattice_changelog" ENABLE ROW LEVEL SECURITY;
 ALTER TABLE "__lattice_changelog" FORCE ROW LEVEL SECURITY;
 GRANT SELECT, INSERT ON "__lattice_changelog" TO ${MEMBER_GROUP};
@@ -47715,6 +47858,7 @@ CREATE POLICY "lattice_changelog_sel" ON "__lattice_changelog" FOR SELECT USING
   CASE
     WHEN "change_kind" = 'derived' THEN
       "source_ref" IS NOT NULL
+      AND jsonb_array_length("source_ref"::jsonb) > 0
       AND NOT EXISTS (
         SELECT 1 FROM jsonb_array_elements_text("source_ref"::jsonb) AS src(sid)
          WHERE NOT lattice_source_visible(src.sid)
@@ -47725,8 +47869,7 @@ CREATE POLICY "lattice_changelog_sel" ON "__lattice_changelog" FOR SELECT USING
 DROP POLICY IF EXISTS "lattice_changelog_ins" ON "__lattice_changelog";
 CREATE POLICY "lattice_changelog_ins" ON "__lattice_changelog" FOR INSERT WITH CHECK (true);
 `
-  };
-  await db.migrate([migration]);
+  );
 }
 async function enableRlsForTable(db, table, pkCols) {
   if (!isPg(db)) return;
@@ -47780,7 +47923,12 @@ async function provisionMemberRole(db, role, password) {
        IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = '${role}') THEN
          CREATE ROLE "${role}" LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE PASSWORD '${password}';
        ELSE
-         ALTER ROLE "${role}" WITH LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE PASSWORD '${password}';
+         -- Re-invite of an EXISTING role: set ONLY what changed (login + password).
+         -- Restating NOSUPERUSER/superuser-class attrs trips Supabase supautils
+         -- ("only superuser may alter the SUPERUSER attribute", 42501) since the
+         -- owner 'postgres' isn't a true superuser. The role was already created
+         -- NOSUPERUSER NOCREATEDB NOCREATEROLE, so there is nothing to restate.
+         ALTER ROLE "${role}" WITH LOGIN PASSWORD '${password}';
        END IF;
      END $LATTICE$`
   );
@@ -47819,9 +47967,28 @@ async function revokeCell(db, table, pk, column, grantee) {
 async function revokeMemberRole(db, role) {
   assertPg(db);
   if (!ROLE_RE.test(role)) throw new Error(`lattice: invalid member role name "${role}"`);
-  await runAsyncOrSync(db.adapter, `DROP OWNED BY "${role}"`).catch(() => void 0);
+  const exists = await getAsyncOrSync(
+    db.adapter,
+    `SELECT 1 AS x FROM pg_roles WHERE rolname = ?`,
+    [role]
+  );
+  if (!exists) return;
+  for (const stmt of [`REASSIGN OWNED BY "${role}" TO CURRENT_USER`, `DROP OWNED BY "${role}"`]) {
+    try {
+      await runAsyncOrSync(db.adapter, stmt);
+    } catch (e6) {
+      if (!isInsufficientPrivilege(e6)) throw e6;
+      console.warn(
+        `[cloud] "${stmt.split(" ").slice(0, 2).join(" ")} \u2026" skipped (insufficient privilege; a scoped member owns no objects): ${e6.message}`
+      );
+    }
+  }
   await runAsyncOrSync(db.adapter, `DROP ROLE IF EXISTS "${role}"`);
 }
+function isInsufficientPrivilege(e6) {
+  const err = e6 ?? {};
+  return err.code === "42501" || /permission denied/i.test(err.message ?? "");
+}
 
 // src/cloud/discover.ts
 async function discoverCloudTables(db) {
@@ -48065,6 +48232,7 @@ var FoldCache = class {
 };
 
 // src/cloud/settings.ts
+import { createHash as createHash8, randomBytes as randomBytes6 } from "crypto";
 var CLOUD_SETTING_SYSTEM_PROMPT = "chat_system_prompt";
 var CLOUD_SETTINGS_BOOTSTRAP_SQL = `
 -- Owner-controlled, cloud-wide key/value settings. No grant to the member group,
@@ -48104,13 +48272,7 @@ END $fn$;
 async function installCloudSettings(db) {
   if (db.getDialect() !== "postgres") return;
   const schema = await cloudSchema(db);
-  const migration = {
-    // v2 pins search_path on the two SECURITY DEFINER helpers (closes the
-    // pg_temp-shadow class of bypass on the settings getter/setter).
-    version: "internal:cloud-settings:v2",
-    sql: pinDefinerSearchPath(CLOUD_SETTINGS_BOOTSTRAP_SQL, schema)
-  };
-  await db.migrate([migration]);
+  await runCloudBootstrapSql(db, pinDefinerSearchPath(CLOUD_SETTINGS_BOOTSTRAP_SQL, schema));
 }
 async function getCloudSetting(db, key) {
   if (db.getDialect() !== "postgres") return null;
@@ -48129,6 +48291,18 @@ async function setCloudSetting(db, key, value) {
 }
 
 // src/cloud/setup.ts
+async function secureNewCloudTable(db, table, pk) {
+  if (db.getDialect() !== "postgres") return;
+  if (table.startsWith("__lattice_") || table.startsWith("_lattice_")) return;
+  if (pk.length === 0) return;
+  await backfillOwnership(db, table, pk);
+  await enableRlsForTable(db, table, pk);
+  const cols = db.getRegisteredColumns(table);
+  if (cols) {
+    await seedColumnPolicyFromYaml(db, table, db.getColumnAudience(table));
+    await regenerateAudienceViewFromDb(db, table, Object.keys(cols), pk);
+  }
+}
 async function secureCloud(db) {
   if (db.getDialect() !== "postgres") return;
   await installCloudRls(db);
@@ -48137,16 +48311,7 @@ async function secureCloud(db) {
   await enableChangelogRls(db);
   const registered = db.getRegisteredTableNames();
   for (const table of registered) {
-    if (table.startsWith("__lattice_") || table.startsWith("_lattice_")) continue;
-    const pk = db.getPrimaryKey(table);
-    if (pk.length === 0) continue;
-    await backfillOwnership(db, table, pk);
-    await enableRlsForTable(db, table, pk);
-    const cols = db.getRegisteredColumns(table);
-    if (cols) {
-      await seedColumnPolicyFromYaml(db, table, db.getColumnAudience(table));
-      await regenerateAudienceViewFromDb(db, table, Object.keys(cols), pk);
-    }
+    await secureNewCloudTable(db, table, db.getPrimaryKey(table));
   }
   if (registered.includes("secrets")) {
     await runAsyncOrSync(db.adapter, `SELECT lattice_set_table_never_share('secrets', true)`);