npm - latticesql - Versions diffs - 3.1.0 → 3.2.1 - Mend

latticesql 3.1.0 → 3.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (21) hide show

package/README.md +4 -0
package/dist/cli.js +2174 -1016
package/dist/index.cjs +393 -190
package/dist/index.d.cts +15 -20
package/dist/index.d.ts +15 -20
package/dist/index.js +393 -190
package/docs/api-reference.md +1370 -0
package/docs/architecture.md +331 -0
package/docs/assistant.md +138 -0
package/docs/cli.md +515 -0
package/docs/cloud.md +675 -0
package/docs/collaboration.md +85 -0
package/docs/configuration.md +416 -0
package/docs/entity-context.md +510 -0
package/docs/examples/agent-system.md +313 -0
package/docs/examples/cms.md +366 -0
package/docs/examples/ticket-tracker.md +313 -0
package/docs/migrations.md +272 -0
package/docs/templates.md +338 -0
package/docs/workspaces.md +81 -0
package/package.json +3 -2

package/dist/index.js CHANGED Viewed

@@ -41443,37 +41443,63 @@ var THROTTLE_WINDOW_MS = 200;
 var ProgressThrottle = class {
   cb;
   windowMs;
-  lastEmit = 0;
+  /**
+   * Last passthrough time, keyed per table (`event.table`, or `''` for the
+   * table-less `done`/`error` lifecycle events). Per-table — not a single shared
+   * clock — so when tables render CONCURRENTLY each one keeps its own ~5/sec
+   * budget: a fast table can't consume the window and starve a slow table's
+   * progress. `force` (table-start) resets only that table's budget.
+   */
+  lastEmit = /* @__PURE__ */ new Map();
   constructor(cb, windowMs = THROTTLE_WINDOW_MS) {
     this.cb = cb;
     this.windowMs = windowMs;
   }
   /**
-   * Emit a `table-progress` event, but only if the window since the last
-   * passthrough has elapsed. Dropped events are simply not delivered — the next
-   * one that survives carries the latest running count.
+   * Emit a `table-progress` event, but only if the window since this table's
+   * last passthrough has elapsed. Dropped events are simply not delivered — the
+   * next one that survives carries the latest running count.
    */
   tick(event) {
     if (!this.cb) return;
+    const key = event.table ?? "";
     const now = Date.now();
-    if (now - this.lastEmit < this.windowMs) return;
-    this.lastEmit = now;
+    if (now - (this.lastEmit.get(key) ?? 0) < this.windowMs) return;
+    this.lastEmit.set(key, now);
     this.cb(event);
   }
   /**
-   * Emit a lifecycle event immediately and reset the throttle window. Use for
-   * `table-start`, `table-done`, `done`, and `error` — none of which should
-   * ever be dropped. Resetting on `table-start` gives each table a clean budget.
+   * Emit a lifecycle event immediately and reset this table's throttle window.
+   * Use for `table-start`, `table-done`, `done`, and `error` — none of which
+   * should ever be dropped. Resetting on `table-start` gives each table a clean
+   * budget.
    */
   force(event) {
     if (!this.cb) return;
-    this.lastEmit = Date.now();
+    this.lastEmit.set(event.table ?? "", Date.now());
     this.cb(event);
   }
 };
+// src/concurrency.ts
+async function mapWithConcurrency(items, limit, fn) {
+  const results = new Array(items.length);
+  let next = 0;
+  const workerCount = Math.max(1, Math.min(limit, items.length));
+  const workers = Array.from({ length: workerCount }, async () => {
+    for (; ; ) {
+      const i6 = next++;
+      if (i6 >= items.length) break;
+      results[i6] = await fn(items[i6], i6);
+    }
+  });
+  await Promise.all(workers);
+  return results;
+}
 // src/render/engine.ts
 var YIELD_EVERY_ENTITIES = 200;
+var RENDER_TABLE_CONCURRENCY = 4;
 var NOOP_RENDER = () => "";
 var RenderEngine = class {
   _schema;
@@ -41655,163 +41681,175 @@ var RenderEngine = class {
    * via `signal`.
    */
   async _renderEntityContexts(outputDir, filesWritten, counters, throttle, signal) {
-    const manifestData = {};
     const protectedTables = /* @__PURE__ */ new Set();
     for (const [t8, d6] of this._schema.getEntityContexts()) {
       if (d6.protected) protectedTables.add(t8);
     }
     const entityTables = [...this._schema.getEntityContexts()];
     const tableCount = entityTables.length;
-    for (let tableIndex = 0; tableIndex < tableCount; tableIndex++) {
-      if (signal?.aborted) return null;
-      const [table, def] = entityTables[tableIndex];
-      const entityPk = this._schema.getPrimaryKey(table)[0] ?? "id";
-      const allRows = await this._schema.queryTable(this._adapter, table);
-      const directoryRoot = def.directoryRoot ?? table;
-      const entitiesTotal = allRows.length;
-      throttle.force({
-        kind: "table-start",
-        table,
-        entitiesRendered: 0,
-        entitiesTotal,
-        tableIndex,
-        tableCount,
-        pct: 0
-      });
-      const manifestEntry = {
-        directoryRoot,
-        ...def.index ? { indexFile: def.index.outputFile } : {},
-        declaredFiles: Object.keys(def.files),
-        protectedFiles: def.protectedFiles ?? [],
-        entities: {}
-      };
-      if (def.index) {
-        const indexPath = join4(outputDir, def.index.outputFile);
-        if (atomicWrite(indexPath, def.index.render(allRows))) {
-          filesWritten.push(indexPath);
-        } else {
-          counters.skipped++;
-        }
-      }
-      for (let i6 = 0; i6 < allRows.length; i6++) {
-        const entityRow = allRows[i6];
+    if (signal?.aborted) return null;
+    const renderedEntries = await mapWithConcurrency(
+      entityTables,
+      RENDER_TABLE_CONCURRENCY,
+      async ([table, def], tableIndex) => {
         if (signal?.aborted) return null;
-        if (i6 > 0 && i6 % YIELD_EVERY_ENTITIES === 0) {
-          await new Promise((r6) => setImmediate(r6));
-        }
-        const rawSlug = def.slug(entityRow);
-        const slug = rawSlug.replace(/[\u00A0\u2000-\u200B\u202F\u205F\u3000]/g, " ").replace(/[\u0000-\u001F\u007F]/g, "");
-        if (/[^a-zA-Z0-9.\-_ @(),#&'+:;!~[\]]/.test(slug)) {
-          throw new Error(`Invalid slug "${slug}": contains characters outside the allowed set`);
-        }
-        const entityDir = def.directory ? join4(outputDir, def.directory(entityRow)) : join4(outputDir, directoryRoot, slug);
-        const resolvedDir = resolve(entityDir);
-        const resolvedBase = resolve(outputDir);
-        if (!resolvedDir.startsWith(resolvedBase + sep) && resolvedDir !== resolvedBase) {
-          throw new Error(`Path traversal detected: slug "${slug}" escapes output directory`);
-        }
-        mkdirSync2(entityDir, { recursive: true });
-        if (def.attachFileColumn) {
-          const filePath = entityRow[def.attachFileColumn];
-          if (filePath && typeof filePath === "string" && filePath.length > 0) {
-            if (def.attachFileMode === "reference") {
-              const refPath = join4(entityDir, `${basename(filePath)}.ref.md`);
-              try {
-                atomicWrite(refPath, `# Reference
+        const entityPk = this._schema.getPrimaryKey(table)[0] ?? "id";
+        const allRows = await this._schema.queryTable(this._adapter, table);
+        const directoryRoot = def.directoryRoot ?? table;
+        const entitiesTotal = allRows.length;
+        throttle.force({
+          kind: "table-start",
+          table,
+          entitiesRendered: 0,
+          entitiesTotal,
+          tableIndex,
+          tableCount,
+          pct: 0
+        });
+        const manifestEntry = {
+          directoryRoot,
+          ...def.index ? { indexFile: def.index.outputFile } : {},
+          declaredFiles: Object.keys(def.files),
+          protectedFiles: def.protectedFiles ?? [],
+          entities: {}
+        };
+        if (def.index) {
+          const indexPath = join4(outputDir, def.index.outputFile);
+          if (atomicWrite(indexPath, def.index.render(allRows))) {
+            filesWritten.push(indexPath);
+          } else {
+            counters.skipped++;
+          }
+        }
+        for (let i6 = 0; i6 < allRows.length; i6++) {
+          const entityRow = allRows[i6];
+          if (signal?.aborted) return null;
+          if (i6 > 0 && i6 % YIELD_EVERY_ENTITIES === 0) {
+            await new Promise((r6) => setImmediate(r6));
+          }
+          const rawSlug = def.slug(entityRow);
+          const slug = rawSlug.replace(/[\u00A0\u2000-\u200B\u202F\u205F\u3000]/g, " ").replace(/[\u0000-\u001F\u007F]/g, "");
+          if (/[^a-zA-Z0-9.\-_ @(),#&'+:;!~[\]]/.test(slug)) {
+            throw new Error(`Invalid slug "${slug}": contains characters outside the allowed set`);
+          }
+          const entityDir = def.directory ? join4(outputDir, def.directory(entityRow)) : join4(outputDir, directoryRoot, slug);
+          const resolvedDir = resolve(entityDir);
+          const resolvedBase = resolve(outputDir);
+          if (!resolvedDir.startsWith(resolvedBase + sep) && resolvedDir !== resolvedBase) {
+            throw new Error(`Path traversal detected: slug "${slug}" escapes output directory`);
+          }
+          mkdirSync2(entityDir, { recursive: true });
+          if (def.attachFileColumn) {
+            const filePath = entityRow[def.attachFileColumn];
+            if (filePath && typeof filePath === "string" && filePath.length > 0) {
+              if (def.attachFileMode === "reference") {
+                const refPath = join4(entityDir, `${basename(filePath)}.ref.md`);
+                try {
+                  atomicWrite(refPath, `# Reference
 - **location:** ${filePath}
 `);
-                filesWritten.push(refPath);
-              } catch {
-              }
-            } else {
-              const absPath = isAbsolute(filePath) ? filePath : resolve(outputDir, filePath);
-              if (existsSync4(absPath)) {
-                const destPath = join4(entityDir, basename(absPath));
-                if (!existsSync4(destPath)) {
-                  try {
-                    copyFileSync2(absPath, destPath);
-                    filesWritten.push(destPath);
-                  } catch {
+                  filesWritten.push(refPath);
+                } catch {
+                }
+              } else {
+                const absPath = isAbsolute(filePath) ? filePath : resolve(outputDir, filePath);
+                if (existsSync4(absPath)) {
+                  const destPath = join4(entityDir, basename(absPath));
+                  if (!existsSync4(destPath)) {
+                    try {
+                      copyFileSync2(absPath, destPath);
+                      filesWritten.push(destPath);
+                    } catch {
+                    }
                   }
                 }
               }
             }
           }
-        }
-        const renderedFiles = /* @__PURE__ */ new Map();
-        const entityFileHashes = {};
-        const protection = protectedTables.size > 0 ? { protectedTables, currentTable: table } : void 0;
-        for (const [filename, spec] of Object.entries(def.files)) {
-          if (signal?.aborted) return null;
-          const mergeDefaults = def.sourceDefaults && spec.source.type !== "self" && spec.source.type !== "custom" && spec.source.type !== "enriched";
-          const source = mergeDefaults ? { ...def.sourceDefaults, ...spec.source } : spec.source;
-          const rows = await resolveEntitySource(
-            source,
-            entityRow,
-            entityPk,
-            this._adapter,
-            protection
-          );
-          if (spec.omitIfEmpty && rows.length === 0) continue;
-          const renderFn = compileEntityRender(spec.render);
-          const content = truncateContent(renderFn(rows), spec.budget);
-          renderedFiles.set(filename, content);
-          entityFileHashes[filename] = { hash: contentHash(content) };
-          const filePath = join4(entityDir, filename);
-          if (atomicWrite(filePath, content)) {
-            filesWritten.push(filePath);
-          } else {
-            counters.skipped++;
-          }
-        }
-        const fileKeys = Object.keys(def.files);
-        const effectiveCombined = def.combined ?? (fileKeys.length > 1 && renderedFiles.size > 1 ? (
-          // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
-          { outputFile: fileKeys[0] }
-        ) : void 0);
-        if (effectiveCombined && renderedFiles.size > 0) {
-          const excluded = new Set(effectiveCombined.exclude ?? []);
-          const parts = [];
-          for (const filename of Object.keys(def.files)) {
-            if (!excluded.has(filename) && renderedFiles.has(filename)) {
-              parts.push(renderedFiles.get(filename) ?? "");
-            }
-          }
-          if (parts.length > 0) {
-            const combinedContent = parts.join("\n\n---\n\n");
-            const combinedPath = join4(entityDir, effectiveCombined.outputFile);
-            if (atomicWrite(combinedPath, combinedContent)) {
-              filesWritten.push(combinedPath);
+          const renderedFiles = /* @__PURE__ */ new Map();
+          const entityFileHashes = {};
+          const protection = protectedTables.size > 0 ? { protectedTables, currentTable: table } : void 0;
+          for (const [filename, spec] of Object.entries(def.files)) {
+            if (signal?.aborted) return null;
+            const mergeDefaults = def.sourceDefaults && spec.source.type !== "self" && spec.source.type !== "custom" && spec.source.type !== "enriched";
+            const source = mergeDefaults ? { ...def.sourceDefaults, ...spec.source } : spec.source;
+            const rows = await resolveEntitySource(
+              source,
+              entityRow,
+              entityPk,
+              this._adapter,
+              protection
+            );
+            if (spec.omitIfEmpty && rows.length === 0) continue;
+            const renderFn = compileEntityRender(spec.render);
+            const content = truncateContent(renderFn(rows), spec.budget);
+            renderedFiles.set(filename, content);
+            entityFileHashes[filename] = { hash: contentHash(content) };
+            const filePath = join4(entityDir, filename);
+            if (atomicWrite(filePath, content)) {
+              filesWritten.push(filePath);
             } else {
               counters.skipped++;
             }
-            renderedFiles.set(effectiveCombined.outputFile, combinedContent);
-            entityFileHashes[effectiveCombined.outputFile] = { hash: contentHash(combinedContent) };
           }
+          const fileKeys = Object.keys(def.files);
+          const effectiveCombined = def.combined ?? (fileKeys.length > 1 && renderedFiles.size > 1 ? (
+            // eslint-disable-next-line @typescript-eslint/no-non-null-assertion
+            { outputFile: fileKeys[0] }
+          ) : void 0);
+          if (effectiveCombined && renderedFiles.size > 0) {
+            const excluded = new Set(effectiveCombined.exclude ?? []);
+            const parts = [];
+            for (const filename of Object.keys(def.files)) {
+              if (!excluded.has(filename) && renderedFiles.has(filename)) {
+                parts.push(renderedFiles.get(filename) ?? "");
+              }
+            }
+            if (parts.length > 0) {
+              const combinedContent = parts.join("\n\n---\n\n");
+              const combinedPath = join4(entityDir, effectiveCombined.outputFile);
+              if (atomicWrite(combinedPath, combinedContent)) {
+                filesWritten.push(combinedPath);
+              } else {
+                counters.skipped++;
+              }
+              renderedFiles.set(effectiveCombined.outputFile, combinedContent);
+              entityFileHashes[effectiveCombined.outputFile] = {
+                hash: contentHash(combinedContent)
+              };
+            }
+          }
+          manifestEntry.entities[slug] = entityFileHashes;
+          const entitiesRendered = i6 + 1;
+          throttle.tick({
+            kind: "table-progress",
+            table,
+            entitiesRendered,
+            entitiesTotal,
+            tableIndex,
+            tableCount,
+            pct: entitiesTotal > 0 ? entitiesRendered / entitiesTotal * 100 : 100
+          });
         }
-        manifestEntry.entities[slug] = entityFileHashes;
-        const entitiesRendered = i6 + 1;
-        throttle.tick({
-          kind: "table-progress",
+        throttle.force({
+          kind: "table-done",
           table,
-          entitiesRendered,
+          entitiesRendered: entitiesTotal,
           entitiesTotal,
           tableIndex,
           tableCount,
-          pct: entitiesTotal > 0 ? entitiesRendered / entitiesTotal * 100 : 100
+          pct: 100
         });
+        return manifestEntry;
       }
-      manifestData[table] = manifestEntry;
-      throttle.force({
-        kind: "table-done",
-        table,
-        entitiesRendered: entitiesTotal,
-        entitiesTotal,
-        tableIndex,
-        tableCount,
-        pct: 100
-      });
+    );
+    if (signal?.aborted) return null;
+    const manifestData = {};
+    for (let i6 = 0; i6 < renderedEntries.length; i6++) {
+      const entry = renderedEntries[i6];
+      if (entry == null) return null;
+      manifestData[entityTables[i6][0]] = entry;
     }
     return manifestData;
   }
@@ -43071,14 +43109,27 @@ function buildParsedConfig(raw, sourceName, configDir2) {
   const entityContexts = parseEntityContexts(config.entityContexts);
   return name !== void 0 ? { dbPath, name, tables, entityContexts } : { dbPath, tables, entityContexts };
 }
+function isDbRefShaped(raw) {
+  return /^\s*\$\{LATTICE_DB:/.test(raw);
+}
+function parseDbRef(raw) {
+  const m4 = /^\$\{LATTICE_DB:([A-Za-z0-9._-]+)\}$/.exec(raw.trim());
+  return m4 ? { label: m4[1] ?? "" } : null;
+}
 function resolveDbPath(raw, configDir2) {
-  const labelMatch = /^\$\{LATTICE_DB:([A-Za-z0-9._-]+)\}$/.exec(raw.trim());
-  if (labelMatch) {
-    const label = labelMatch[1] ?? "";
-    const url = getDbCredential(label);
+  if (isDbRefShaped(raw)) {
+    const ref = parseDbRef(raw);
+    if (!ref) {
+      throw new Error(
+        `Lattice: malformed \${LATTICE_DB:\u2026} reference ${JSON.stringify(
+          raw.trim()
+        )} \u2014 the label may contain only [A-Za-z0-9._-] (no spaces). This usually means a workspace was created with an unsanitized name.`
+      );
+    }
+    const url = getDbCredential(ref.label);
     if (!url) {
       throw new Error(
-        `Lattice: config references \${LATTICE_DB:${label}} but no credential is saved for "${label}". Save one via the GUI's Database panel or set LATTICE_DB_${label}.`
+        `Lattice: config references \${LATTICE_DB:${ref.label}} but no credential is saved for "${ref.label}". Save one via the GUI's Database panel or set LATTICE_DB_${ref.label}.`
       );
     }
     return url;
@@ -43086,6 +43137,13 @@ function resolveDbPath(raw, configDir2) {
   if (/^postgres(ql)?:\/\//i.test(raw) || raw.startsWith("file:") || raw === ":memory:") {
     return raw;
   }
+  if (raw.includes("${")) {
+    throw new Error(
+      `Lattice: refusing to treat ${JSON.stringify(
+        raw.trim()
+      )} as a database path \u2014 it looks like a malformed variable reference, not a file path.`
+    );
+  }
   return resolve2(configDir2, raw);
 }
 var warnedDeprecatedRefs = /* @__PURE__ */ new Set();
@@ -46534,6 +46592,10 @@ var NATIVE_ENTITY_NAMES = new Set(Object.keys(NATIVE_ENTITY_DEFS));
 function isNativeEntity(name) {
   return NATIVE_ENTITY_NAMES.has(name);
 }
+var NATIVE_INTERNAL_NAMES = /* @__PURE__ */ new Set([
+  "chat_threads",
+  "chat_messages"
+]);
 function registerNativeEntities(db) {
   const existing = new Set(db.getRegisteredTableNames());
   for (const [name, def] of Object.entries(NATIVE_ENTITY_DEFS)) {
@@ -47139,7 +47201,7 @@ function archiveLocalSqlite(dbPath) {
 async function cloudRlsInstalled(probe) {
   const row = await getAsyncOrSync(
     probe.adapter,
-    `SELECT to_regclass('public.__lattice_owners') AS reg`
+    `SELECT to_regclass('__lattice_owners') AS reg`
   );
   return !!row && row.reg != null;
 }
@@ -47196,6 +47258,19 @@ function isPostgresUrl(url) {
 }
 // src/cloud/rls.ts
+async function runCloudBootstrapSql(db, sql) {
+  const adapter = db.adapter;
+  if (adapter.withClient) {
+    await adapter.withClient(async (tx) => {
+      await tx.run("SELECT pg_advisory_xact_lock($1::bigint)", [
+        LATTICE_MIGRATION_LOCK_ID.toString()
+      ]);
+      await tx.run(sql);
+    });
+  } else {
+    await runAsyncOrSync(adapter, sql);
+  }
+}
 function isPg(db) {
   return db.getDialect() === "postgres";
 }
@@ -47329,12 +47404,42 @@ CREATE TABLE IF NOT EXISTS "__lattice_member_invites" (
   "id"          text PRIMARY KEY,
   "role"        text NOT NULL,
   "email_hash"  text NOT NULL,
+  "email"       text,
   "created_by"  text NOT NULL DEFAULT session_user,
   "created_at"  timestamptz NOT NULL DEFAULT now(),
   "expires_at"  timestamptz NOT NULL,
   "redeemed_at" timestamptz,
   "revoked_at"  timestamptz
 );
+-- Plaintext invitee email (owner-only table; members have no grant) so the
+-- owner's Members list can show who each member is. Added via ALTER so clouds
+-- created before this column converge to it on the owner's next open (the
+-- bootstrap is now run directly + idempotently, not version-gated).
+ALTER TABLE "__lattice_member_invites" ADD COLUMN IF NOT EXISTS "email" text;
+-- #3.1 \u2014 one-time-use + revocation enforcement. After a member authenticates to
+-- the cloud with their minted credential, the join path calls this to CLAIM the
+-- invite. The single atomic UPDATE stamps redeemed_at and returns true ONLY when
+-- an invite for the CALLING role (session_user) is still pending: not already
+-- redeemed (one-time-use), not revoked, and not expired. A replayed redeem of a
+-- leaked token, a revoked invite, or an expired one returns false, so the caller
+-- rejects the join. Members have no direct grant on the owner-only
+-- __lattice_member_invites table \u2014 this SECURITY DEFINER function is the only
+-- path, and it can claim ONLY the caller's own invite (keyed on session_user,
+-- never a caller-supplied parameter, so one member can't burn another's invite).
+CREATE OR REPLACE FUNCTION lattice_claim_invite()
+RETURNS boolean LANGUAGE plpgsql SECURITY DEFINER AS $fn$
+DECLARE v_ok boolean;
+BEGIN
+  UPDATE "__lattice_member_invites"
+     SET "redeemed_at" = now()
+   WHERE "role" = session_user
+     AND "redeemed_at" IS NULL
+     AND "revoked_at" IS NULL
+     AND "expires_at" > now()
+  RETURNING true INTO v_ok;
+  RETURN COALESCE(v_ok, false);
+END $fn$;
 -- Visibility check. SECURITY DEFINER so it reads bookkeeping the member can't;
 -- keyed on session_user (the member's login role). A row with no ownership record
@@ -47617,6 +47722,62 @@ END $fn$;
 DROP TRIGGER IF EXISTS "lattice_notify_change_trg" ON "__lattice_changes";
 CREATE TRIGGER "lattice_notify_change_trg" AFTER INSERT ON "__lattice_changes"
   FOR EACH ROW EXECUTE FUNCTION lattice_notify_change();
+-- #4.4 \u2014 seq-based catch-up after a realtime gap. NOTIFY is fire-and-forget, so a
+-- broker that drops its LISTEN (network blip, laptop sleep) misses every change
+-- during the gap. The broker tracks the highest seq it delivered and, on
+-- reconnect, replays what it missed via this function. Members have NO direct
+-- grant on __lattice_changes (reading it raw would leak every change on the
+-- cloud), so this SECURITY DEFINER function is the only path and it returns ONLY
+-- the rows the CALLING role can see: keyed on session_user via lattice_row_visible
+-- (same gate as live fan-out, #4.3). Deletes are excluded \u2014 the ownership record
+-- is gone post-delete so visibility can't be verified, and replaying them would
+-- leak deleted-row pks (the client reconciles deletes on its reconnect refetch).
+-- Bounded (LIMIT clamped \u2264 1000) so a long gap can't stream the whole table (Rule:
+-- bounded reads on a hot path).
+CREATE OR REPLACE FUNCTION lattice_changes_since(p_seq bigint, p_limit int)
+RETURNS TABLE(seq bigint, table_name text, pk text, op text, owner_role text, created_at timestamptz)
+LANGUAGE sql STABLE SECURITY DEFINER AS $fn$
+  SELECT c."seq", c."table_name", c."pk", c."op", c."owner_role", c."created_at"
+    FROM "__lattice_changes" c
+   WHERE c."seq" > p_seq
+     AND c."op" = 'upsert'
+     AND lattice_row_visible(c."table_name", c."pk")
+   ORDER BY c."seq" ASC
+   LIMIT GREATEST(0, LEAST(COALESCE(p_limit, 500), 1000));
+$fn$;
+-- #2.1 \u2014 per-row access summary for the connecting role. The GUI attaches this as
+-- each row's _access so the sharing affordance renders, but __lattice_owners is
+-- owner-only bookkeeping (members have no grant), so a member reading it directly
+-- got "permission denied". This SECURITY DEFINER function returns visibility +
+-- whether the CALLER owns the row, ONLY for the rows the caller can actually see
+-- (lattice_row_visible, keyed on session_user) \u2014 so a member learns nothing about
+-- rows hidden from it. Member-callable; the owner gets the same view of its rows.
+CREATE OR REPLACE FUNCTION lattice_rows_access(p_table text, p_pks text[])
+RETURNS TABLE(pk text, visibility text, owned boolean)
+LANGUAGE sql STABLE SECURITY DEFINER AS $fn$
+  SELECT o."pk", o."visibility", (o."owner_role" = session_user) AS owned
+    FROM "__lattice_owners" o
+   WHERE o."table_name" = p_table
+     AND o."pk" = ANY(p_pks)
+     AND lattice_row_visible(o."table_name", o."pk");
+$fn$;
+-- #2.1 \u2014 grantees of a CALLER-OWNED custom-shared row (who you shared YOUR row
+-- with). Only the row owner sees this (the WHERE pins owner_role = session_user),
+-- so a member can't enumerate another owner's grants. __lattice_row_grants is
+-- member-ungranted, so this SECURITY DEFINER function is the member-safe path.
+CREATE OR REPLACE FUNCTION lattice_row_grantees(p_table text, p_pks text[])
+RETURNS TABLE(pk text, grantee_role text)
+LANGUAGE sql STABLE SECURITY DEFINER AS $fn$
+  SELECT g."pk", g."grantee_role"
+    FROM "__lattice_row_grants" g
+    JOIN "__lattice_owners" o ON o."table_name" = g."table_name" AND o."pk" = g."pk"
+   WHERE g."table_name" = p_table
+     AND g."pk" = ANY(p_pks)
+     AND o."owner_role" = session_user;
+$fn$;
 `;
 function tableRlsSql(table, pkCols) {
   const q3 = `"${table.replace(/"/g, '""')}"`;
@@ -47684,28 +47845,14 @@ CREATE TRIGGER "${trg}" AFTER INSERT OR UPDATE OR DELETE ON ${q3}
 async function installCloudRls(db) {
   if (!isPg(db)) return;
   const schema = await cloudSchema(db);
-  const migration = {
-    // v3 added the audience helpers; v4 the role model; v5 the per-card override
-    // model (__lattice_cell_grants + lattice_cell_visible / lattice_grant_cell);
-    // v6 added per-table policy (__lattice_table_policy: default_row_visibility +
-    // never_share, enforced in the insert trigger + share/grant guards), the
-    // canonical column-audience store (__lattice_column_policy), lattice_is_owner,
-    // and the owner-only setters; v7 pins search_path on every SECURITY DEFINER
-    // helper (closes the pg_temp-shadow RLS bypass) + revokes schema CREATE from
-    // PUBLIC. The bootstrap is fully idempotent.
-    version: "internal:cloud-rls:bootstrap:v7",
-    sql: pinDefinerSearchPath(CLOUD_RLS_BOOTSTRAP_SQL, schema) + revokeSchemaCreateSql(schema)
-  };
-  await db.migrate([migration]);
+  const sql = pinDefinerSearchPath(CLOUD_RLS_BOOTSTRAP_SQL, schema) + revokeSchemaCreateSql(schema);
+  await runCloudBootstrapSql(db, sql);
 }
 async function enableChangelogRls(db) {
   if (!isPg(db)) return;
-  const migration = {
-    // v2: ground-truth/audit entries are owner-only (was lattice_row_visible),
-    // closing the masked-column-via-history leak. Bump re-installs the policy on
-    // existing clouds.
-    version: "internal:cloud-rls:changelog:v2",
-    sql: `
+  await runCloudBootstrapSql(
+    db,
+    `
 ALTER TABLE "__lattice_changelog" ENABLE ROW LEVEL SECURITY;
 ALTER TABLE "__lattice_changelog" FORCE ROW LEVEL SECURITY;
 GRANT SELECT, INSERT ON "__lattice_changelog" TO ${MEMBER_GROUP};
@@ -47715,6 +47862,7 @@ CREATE POLICY "lattice_changelog_sel" ON "__lattice_changelog" FOR SELECT USING
   CASE
     WHEN "change_kind" = 'derived' THEN
       "source_ref" IS NOT NULL
+      AND jsonb_array_length("source_ref"::jsonb) > 0
       AND NOT EXISTS (
         SELECT 1 FROM jsonb_array_elements_text("source_ref"::jsonb) AS src(sid)
          WHERE NOT lattice_source_visible(src.sid)
@@ -47725,8 +47873,7 @@ CREATE POLICY "lattice_changelog_sel" ON "__lattice_changelog" FOR SELECT USING
 DROP POLICY IF EXISTS "lattice_changelog_ins" ON "__lattice_changelog";
 CREATE POLICY "lattice_changelog_ins" ON "__lattice_changelog" FOR INSERT WITH CHECK (true);
 `
-  };
-  await db.migrate([migration]);
+  );
 }
 async function enableRlsForTable(db, table, pkCols) {
   if (!isPg(db)) return;
@@ -47780,7 +47927,12 @@ async function provisionMemberRole(db, role, password) {
        IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = '${role}') THEN
          CREATE ROLE "${role}" LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE PASSWORD '${password}';
        ELSE
-         ALTER ROLE "${role}" WITH LOGIN NOSUPERUSER NOCREATEDB NOCREATEROLE PASSWORD '${password}';
+         -- Re-invite of an EXISTING role: set ONLY what changed (login + password).
+         -- Restating NOSUPERUSER/superuser-class attrs trips Supabase supautils
+         -- ("only superuser may alter the SUPERUSER attribute", 42501) since the
+         -- owner 'postgres' isn't a true superuser. The role was already created
+         -- NOSUPERUSER NOCREATEDB NOCREATEROLE, so there is nothing to restate.
+         ALTER ROLE "${role}" WITH LOGIN PASSWORD '${password}';
        END IF;
      END $LATTICE$`
   );
@@ -47819,9 +47971,28 @@ async function revokeCell(db, table, pk, column, grantee) {
 async function revokeMemberRole(db, role) {
   assertPg(db);
   if (!ROLE_RE.test(role)) throw new Error(`lattice: invalid member role name "${role}"`);
-  await runAsyncOrSync(db.adapter, `DROP OWNED BY "${role}"`).catch(() => void 0);
+  const exists = await getAsyncOrSync(
+    db.adapter,
+    `SELECT 1 AS x FROM pg_roles WHERE rolname = ?`,
+    [role]
+  );
+  if (!exists) return;
+  for (const stmt of [`REASSIGN OWNED BY "${role}" TO CURRENT_USER`, `DROP OWNED BY "${role}"`]) {
+    try {
+      await runAsyncOrSync(db.adapter, stmt);
+    } catch (e6) {
+      if (!isInsufficientPrivilege(e6)) throw e6;
+      console.warn(
+        `[cloud] "${stmt.split(" ").slice(0, 2).join(" ")} \u2026" skipped (insufficient privilege; a scoped member owns no objects): ${e6.message}`
+      );
+    }
+  }
   await runAsyncOrSync(db.adapter, `DROP ROLE IF EXISTS "${role}"`);
 }
+function isInsufficientPrivilege(e6) {
+  const err = e6 ?? {};
+  return err.code === "42501" || /permission denied/i.test(err.message ?? "");
+}
 // src/cloud/discover.ts
 async function discoverCloudTables(db) {
@@ -48065,6 +48236,7 @@ var FoldCache = class {
 };
 // src/cloud/settings.ts
+import { createHash as createHash8, randomBytes as randomBytes6 } from "crypto";
 var CLOUD_SETTING_SYSTEM_PROMPT = "chat_system_prompt";
 var CLOUD_SETTINGS_BOOTSTRAP_SQL = `
 -- Owner-controlled, cloud-wide key/value settings. No grant to the member group,
@@ -48104,13 +48276,7 @@ END $fn$;
 async function installCloudSettings(db) {
   if (db.getDialect() !== "postgres") return;
   const schema = await cloudSchema(db);
-  const migration = {
-    // v2 pins search_path on the two SECURITY DEFINER helpers (closes the
-    // pg_temp-shadow class of bypass on the settings getter/setter).
-    version: "internal:cloud-settings:v2",
-    sql: pinDefinerSearchPath(CLOUD_SETTINGS_BOOTSTRAP_SQL, schema)
-  };
-  await db.migrate([migration]);
+  await runCloudBootstrapSql(db, pinDefinerSearchPath(CLOUD_SETTINGS_BOOTSTRAP_SQL, schema));
 }
 async function getCloudSetting(db, key) {
   if (db.getDialect() !== "postgres") return null;
@@ -48129,6 +48295,54 @@ async function setCloudSetting(db, key, value) {
 }
 // src/cloud/setup.ts
+var PRIVATE_ONLY_TABLES = [...NATIVE_INTERNAL_NAMES, "secrets"];
+async function reconcileCloudMemberAccess(db) {
+  if (db.getDialect() !== "postgres") return;
+  const registered = db.getRegisteredTableNames();
+  for (const t8 of PRIVATE_ONLY_TABLES) {
+    if (!registered.includes(t8)) continue;
+    await runAsyncOrSync(
+      db.adapter,
+      `SELECT lattice_set_table_never_share('${t8.replace(/'/g, "''")}', true)`
+    );
+  }
+  const rlsRows = await allAsyncOrSync(
+    db.adapter,
+    `SELECT c.relname AS name FROM pg_class c
+       JOIN pg_namespace n ON n.oid = c.relnamespace
+      WHERE n.nspname = current_schema() AND c.relkind = 'r' AND c.relrowsecurity`
+  );
+  const rlsOn = new Set(rlsRows.map((r6) => r6.name));
+  for (const table of registered) {
+    if (table.startsWith("__lattice_") || table.startsWith("_lattice_")) continue;
+    if (!rlsOn.has(table)) continue;
+    if (db.getPrimaryKey(table).length === 0) continue;
+    const q3 = `"${table.replace(/"/g, '""')}"`;
+    const masked = tableNeedsAudienceView(db.getColumnAudience(table) ?? {});
+    if (masked) {
+      const v2 = `"${`${table}_v`.replace(/"/g, '""')}"`;
+      await runAsyncOrSync(db.adapter, `GRANT SELECT ON ${v2} TO ${MEMBER_GROUP}`);
+      await runAsyncOrSync(db.adapter, `GRANT INSERT, UPDATE, DELETE ON ${q3} TO ${MEMBER_GROUP}`);
+    } else {
+      await runAsyncOrSync(
+        db.adapter,
+        `GRANT SELECT, INSERT, UPDATE, DELETE ON ${q3} TO ${MEMBER_GROUP}`
+      );
+    }
+  }
+}
+async function secureNewCloudTable(db, table, pk) {
+  if (db.getDialect() !== "postgres") return;
+  if (table.startsWith("__lattice_") || table.startsWith("_lattice_")) return;
+  if (pk.length === 0) return;
+  await backfillOwnership(db, table, pk);
+  await enableRlsForTable(db, table, pk);
+  const cols = db.getRegisteredColumns(table);
+  if (cols) {
+    await seedColumnPolicyFromYaml(db, table, db.getColumnAudience(table));
+    await regenerateAudienceViewFromDb(db, table, Object.keys(cols), pk);
+  }
+}
 async function secureCloud(db) {
   if (db.getDialect() !== "postgres") return;
   await installCloudRls(db);
@@ -48137,20 +48351,9 @@ async function secureCloud(db) {
   await enableChangelogRls(db);
   const registered = db.getRegisteredTableNames();
   for (const table of registered) {
-    if (table.startsWith("__lattice_") || table.startsWith("_lattice_")) continue;
-    const pk = db.getPrimaryKey(table);
-    if (pk.length === 0) continue;
-    await backfillOwnership(db, table, pk);
-    await enableRlsForTable(db, table, pk);
-    const cols = db.getRegisteredColumns(table);
-    if (cols) {
-      await seedColumnPolicyFromYaml(db, table, db.getColumnAudience(table));
-      await regenerateAudienceViewFromDb(db, table, Object.keys(cols), pk);
-    }
-  }
-  if (registered.includes("secrets")) {
-    await runAsyncOrSync(db.adapter, `SELECT lattice_set_table_never_share('secrets', true)`);
+    await secureNewCloudTable(db, table, db.getPrimaryKey(table));
   }
+  await reconcileCloudMemberAccess(db);
   await runAsyncOrSync(
     db.adapter,
     `DO $LATTICE$ BEGIN