latticesql 3.2.0 → 3.2.1

package/dist/cli.js

@@ -49315,7 +49315,13 @@ var appJs = `
       var hash = location.hash || '#/';
       document.querySelectorAll('nav a').forEach(function (a) {
         var route = a.getAttribute('data-route') || a.getAttribute('href');
-        a.classList.toggle('active', route && hash.indexOf(route) === 0);
+        // Match the route exactly or as a full path segment (route + '/...'),
+        // never as a bare string prefix \u2014 otherwise '#/fs/files' would also
+        // light up '#/fs/files_projects' (any sibling whose name starts with
+        // the same word). The '/' boundary stops the prefix bleed while still
+        // keeping a parent active on its own detail routes.
+        var on = !!route && (hash === route || hash.indexOf(route + '/') === 0);
+        a.classList.toggle('active', on);
       });
     }
 
@@ -55596,6 +55602,202 @@ async function setCloudSetting(db, key, value) {
   await runAsyncOrSync(db.adapter, `SELECT lattice_set_cloud_setting(?, ?)`, [key, value]);
 }
 
+// src/cloud/audience.ts
+var ROLE_NAME_RE = /^[A-Za-z0-9_-]{1,63}$/;
+var COL_RE = /^[A-Za-z_][A-Za-z0-9_]{0,62}$/;
+function isRowAudience(audience) {
+  const a6 = (audience ?? "").trim();
+  return a6 === "" || a6 === "everyone" || a6 === "row-audience";
+}
+function audiencePredicate(audience, ctx) {
+  if (isRowAudience(audience)) return "true";
+  const clauses = audience.split("+").map((c6) => c6.trim()).filter(Boolean);
+  const parts = [];
+  for (const clause of clauses) {
+    if (clause === "everyone" || clause === "row-audience") return "true";
+    if (clause === "owner") {
+      if (!ctx) throw new Error('lattice: the "owner" audience needs a row context');
+      parts.push(`lattice_is_owner(${ctx.tableLit}, ${ctx.pkExpr})`);
+      continue;
+    }
+    const idx = clause.indexOf(":");
+    const kind = idx === -1 ? clause : clause.slice(0, idx);
+    const arg = idx === -1 ? "" : clause.slice(idx + 1).trim();
+    if (kind === "role") {
+      if (!ROLE_NAME_RE.test(arg)) throw new Error(`lattice: invalid role in audience "${clause}"`);
+      parts.push(`lattice_has_role('${arg}')`);
+    } else if (kind === "subject") {
+      if (!COL_RE.test(arg))
+        throw new Error(`lattice: invalid subject column in audience "${clause}"`);
+      parts.push(`lattice_is_subject("${arg}")`);
+    } else if (kind === "source") {
+      if (!COL_RE.test(arg))
+        throw new Error(`lattice: invalid source column in audience "${clause}"`);
+      parts.push(`lattice_source_visible("${arg}")`);
+    } else {
+      throw new Error(`lattice: unknown audience clause "${clause}"`);
+    }
+  }
+  return parts.length > 0 ? parts.map((p3) => `(${p3})`).join(" OR ") : "true";
+}
+function tableNeedsAudienceView(columnAudience) {
+  return Object.values(columnAudience).some((a6) => !isRowAudience(a6));
+}
+function quoteIdent(s2) {
+  return `"${s2.replace(/"/g, '""')}"`;
+}
+function audienceViewSql(table, columns, pkCols, columnAudience) {
+  const view = quoteIdent(`${table}_v`);
+  const base = quoteIdent(table);
+  const lit = `'${table.replace(/'/g, "''")}'`;
+  const pkExpr = pkSqlExpr(pkCols, "");
+  const selectCols = columns.map((col) => {
+    const aud = columnAudience[col] ?? "";
+    if (isRowAudience(aud)) return quoteIdent(col);
+    const pred = audiencePredicate(aud, { tableLit: lit, pkExpr });
+    if (pred === "true") return quoteIdent(col);
+    const colLit = `'${col.replace(/'/g, "''")}'`;
+    const full = `(${pred}) OR lattice_cell_visible(${lit}, ${pkExpr}, ${colLit})`;
+    return `CASE WHEN ${full} THEN ${quoteIdent(col)} END AS ${quoteIdent(col)}`;
+  });
+  return [
+    `CREATE OR REPLACE VIEW ${view} AS SELECT ${selectCols.join(", ")} FROM ${base} WHERE lattice_row_visible(${lit}, ${pkSqlExpr(pkCols, "")});`,
+    `GRANT SELECT ON ${view} TO ${MEMBER_GROUP};`,
+    `REVOKE SELECT ON ${base} FROM ${MEMBER_GROUP};`
+  ].join("\n");
+}
+async function loadColumnPolicy(db, table) {
+  if (db.getDialect() !== "postgres") return {};
+  const rows = await allAsyncOrSync(
+    db.adapter,
+    `SELECT "column_name", "audience" FROM "__lattice_column_policy" WHERE "table_name" = ?`,
+    [table]
+  );
+  const out = {};
+  for (const r6 of rows) out[r6.column_name] = r6.audience;
+  return out;
+}
+async function seedColumnPolicyFromYaml(db, table, yamlAudience) {
+  if (db.getDialect() !== "postgres") return;
+  const marker = `internal:cloud-column-seed:${table}:v1`;
+  const already = await getAsyncOrSync(
+    db.adapter,
+    `SELECT 1 AS one FROM "__lattice_migrations" WHERE "version" = ?`,
+    [marker]
+  );
+  if (already) return;
+  for (const [col, aud] of Object.entries(yamlAudience)) {
+    if (isRowAudience(aud)) continue;
+    await runAsyncOrSync(
+      db.adapter,
+      `INSERT INTO "__lattice_column_policy" ("table_name","column_name","audience")
+         VALUES (?, ?, ?) ON CONFLICT ("table_name","column_name") DO NOTHING`,
+      [table, col, aud]
+    );
+  }
+  await runAsyncOrSync(
+    db.adapter,
+    `INSERT INTO "__lattice_migrations" ("version","applied_at") VALUES (?, ?)
+       ON CONFLICT ("version") DO NOTHING`,
+    [marker, (/* @__PURE__ */ new Date()).toISOString()]
+  );
+}
+async function regenerateAudienceViewFromDb(db, table, columns, pkCols) {
+  if (db.getDialect() !== "postgres") return;
+  if (pkCols.length === 0) return;
+  const spec = await loadColumnPolicy(db, table);
+  const view = quoteIdent(`${table}_v`);
+  const base = quoteIdent(table);
+  if (!tableNeedsAudienceView(spec)) {
+    await runAsyncOrSync(
+      db.adapter,
+      `DROP VIEW IF EXISTS ${view};
+GRANT SELECT ON ${base} TO ${MEMBER_GROUP};`
+    );
+    return;
+  }
+  await runAsyncOrSync(db.adapter, audienceViewSql(table, columns, pkCols, spec));
+}
+async function setColumnAudience(db, table, column, audience, columns, pkCols) {
+  if (db.getDialect() !== "postgres") return;
+  await runAsyncOrSync(db.adapter, `SELECT lattice_set_column_audience(?, ?, ?)`, [
+    table,
+    column,
+    audience
+  ]);
+  await regenerateAudienceViewFromDb(db, table, columns, pkCols);
+}
+
+// src/cloud/setup.ts
+var PRIVATE_ONLY_TABLES = [...NATIVE_INTERNAL_NAMES, "secrets"];
+async function reconcileCloudMemberAccess(db) {
+  if (db.getDialect() !== "postgres") return;
+  const registered = db.getRegisteredTableNames();
+  for (const t8 of PRIVATE_ONLY_TABLES) {
+    if (!registered.includes(t8)) continue;
+    await runAsyncOrSync(
+      db.adapter,
+      `SELECT lattice_set_table_never_share('${t8.replace(/'/g, "''")}', true)`
+    );
+  }
+  const rlsRows = await allAsyncOrSync(
+    db.adapter,
+    `SELECT c.relname AS name FROM pg_class c
+       JOIN pg_namespace n ON n.oid = c.relnamespace
+      WHERE n.nspname = current_schema() AND c.relkind = 'r' AND c.relrowsecurity`
+  );
+  const rlsOn = new Set(rlsRows.map((r6) => r6.name));
+  for (const table of registered) {
+    if (table.startsWith("__lattice_") || table.startsWith("_lattice_")) continue;
+    if (!rlsOn.has(table)) continue;
+    if (db.getPrimaryKey(table).length === 0) continue;
+    const q3 = `"${table.replace(/"/g, '""')}"`;
+    const masked = tableNeedsAudienceView(db.getColumnAudience(table) ?? {});
+    if (masked) {
+      const v2 = `"${`${table}_v`.replace(/"/g, '""')}"`;
+      await runAsyncOrSync(db.adapter, `GRANT SELECT ON ${v2} TO ${MEMBER_GROUP}`);
+      await runAsyncOrSync(db.adapter, `GRANT INSERT, UPDATE, DELETE ON ${q3} TO ${MEMBER_GROUP}`);
+    } else {
+      await runAsyncOrSync(
+        db.adapter,
+        `GRANT SELECT, INSERT, UPDATE, DELETE ON ${q3} TO ${MEMBER_GROUP}`
+      );
+    }
+  }
+}
+async function secureNewCloudTable(db, table, pk) {
+  if (db.getDialect() !== "postgres") return;
+  if (table.startsWith("__lattice_") || table.startsWith("_lattice_")) return;
+  if (pk.length === 0) return;
+  await backfillOwnership(db, table, pk);
+  await enableRlsForTable(db, table, pk);
+  const cols = db.getRegisteredColumns(table);
+  if (cols) {
+    await seedColumnPolicyFromYaml(db, table, db.getColumnAudience(table));
+    await regenerateAudienceViewFromDb(db, table, Object.keys(cols), pk);
+  }
+}
+async function secureCloud(db) {
+  if (db.getDialect() !== "postgres") return;
+  await installCloudRls(db);
+  await installCloudSettings(db);
+  await db.ensureObservationSubstrate();
+  await enableChangelogRls(db);
+  const registered = db.getRegisteredTableNames();
+  for (const table of registered) {
+    await secureNewCloudTable(db, table, db.getPrimaryKey(table));
+  }
+  await reconcileCloudMemberAccess(db);
+  await runAsyncOrSync(
+    db.adapter,
+    `DO $LATTICE$ BEGIN
+       IF to_regclass('__lattice_user_identity') IS NOT NULL THEN
+         EXECUTE 'GRANT SELECT, INSERT, UPDATE ON "__lattice_user_identity" TO ${MEMBER_GROUP}';
+       END IF;
+     END $LATTICE$`
+  );
+}
+
 // src/cloud/members.ts
 import { randomBytes as randomBytes6 } from "crypto";
 var ROLE_RE = /^[A-Za-z_][A-Za-z0-9_]{0,62}$/;
@@ -55792,134 +55994,6 @@ var FeedBus = class {
 
 // src/gui/mutations.ts
 import { createHash as createHash3 } from "crypto";
-
-// src/cloud/audience.ts
-var ROLE_NAME_RE = /^[A-Za-z0-9_-]{1,63}$/;
-var COL_RE = /^[A-Za-z_][A-Za-z0-9_]{0,62}$/;
-function isRowAudience(audience) {
-  const a6 = (audience ?? "").trim();
-  return a6 === "" || a6 === "everyone" || a6 === "row-audience";
-}
-function audiencePredicate(audience, ctx) {
-  if (isRowAudience(audience)) return "true";
-  const clauses = audience.split("+").map((c6) => c6.trim()).filter(Boolean);
-  const parts = [];
-  for (const clause of clauses) {
-    if (clause === "everyone" || clause === "row-audience") return "true";
-    if (clause === "owner") {
-      if (!ctx) throw new Error('lattice: the "owner" audience needs a row context');
-      parts.push(`lattice_is_owner(${ctx.tableLit}, ${ctx.pkExpr})`);
-      continue;
-    }
-    const idx = clause.indexOf(":");
-    const kind = idx === -1 ? clause : clause.slice(0, idx);
-    const arg = idx === -1 ? "" : clause.slice(idx + 1).trim();
-    if (kind === "role") {
-      if (!ROLE_NAME_RE.test(arg)) throw new Error(`lattice: invalid role in audience "${clause}"`);
-      parts.push(`lattice_has_role('${arg}')`);
-    } else if (kind === "subject") {
-      if (!COL_RE.test(arg))
-        throw new Error(`lattice: invalid subject column in audience "${clause}"`);
-      parts.push(`lattice_is_subject("${arg}")`);
-    } else if (kind === "source") {
-      if (!COL_RE.test(arg))
-        throw new Error(`lattice: invalid source column in audience "${clause}"`);
-      parts.push(`lattice_source_visible("${arg}")`);
-    } else {
-      throw new Error(`lattice: unknown audience clause "${clause}"`);
-    }
-  }
-  return parts.length > 0 ? parts.map((p3) => `(${p3})`).join(" OR ") : "true";
-}
-function tableNeedsAudienceView(columnAudience) {
-  return Object.values(columnAudience).some((a6) => !isRowAudience(a6));
-}
-function quoteIdent(s2) {
-  return `"${s2.replace(/"/g, '""')}"`;
-}
-function audienceViewSql(table, columns, pkCols, columnAudience) {
-  const view = quoteIdent(`${table}_v`);
-  const base = quoteIdent(table);
-  const lit = `'${table.replace(/'/g, "''")}'`;
-  const pkExpr = pkSqlExpr(pkCols, "");
-  const selectCols = columns.map((col) => {
-    const aud = columnAudience[col] ?? "";
-    if (isRowAudience(aud)) return quoteIdent(col);
-    const pred = audiencePredicate(aud, { tableLit: lit, pkExpr });
-    if (pred === "true") return quoteIdent(col);
-    const colLit = `'${col.replace(/'/g, "''")}'`;
-    const full = `(${pred}) OR lattice_cell_visible(${lit}, ${pkExpr}, ${colLit})`;
-    return `CASE WHEN ${full} THEN ${quoteIdent(col)} END AS ${quoteIdent(col)}`;
-  });
-  return [
-    `CREATE OR REPLACE VIEW ${view} AS SELECT ${selectCols.join(", ")} FROM ${base} WHERE lattice_row_visible(${lit}, ${pkSqlExpr(pkCols, "")});`,
-    `GRANT SELECT ON ${view} TO ${MEMBER_GROUP};`,
-    `REVOKE SELECT ON ${base} FROM ${MEMBER_GROUP};`
-  ].join("\n");
-}
-async function loadColumnPolicy(db, table) {
-  if (db.getDialect() !== "postgres") return {};
-  const rows = await allAsyncOrSync(
-    db.adapter,
-    `SELECT "column_name", "audience" FROM "__lattice_column_policy" WHERE "table_name" = ?`,
-    [table]
-  );
-  const out = {};
-  for (const r6 of rows) out[r6.column_name] = r6.audience;
-  return out;
-}
-async function seedColumnPolicyFromYaml(db, table, yamlAudience) {
-  if (db.getDialect() !== "postgres") return;
-  const marker = `internal:cloud-column-seed:${table}:v1`;
-  const already = await getAsyncOrSync(
-    db.adapter,
-    `SELECT 1 AS one FROM "__lattice_migrations" WHERE "version" = ?`,
-    [marker]
-  );
-  if (already) return;
-  for (const [col, aud] of Object.entries(yamlAudience)) {
-    if (isRowAudience(aud)) continue;
-    await runAsyncOrSync(
-      db.adapter,
-      `INSERT INTO "__lattice_column_policy" ("table_name","column_name","audience")
-         VALUES (?, ?, ?) ON CONFLICT ("table_name","column_name") DO NOTHING`,
-      [table, col, aud]
-    );
-  }
-  await runAsyncOrSync(
-    db.adapter,
-    `INSERT INTO "__lattice_migrations" ("version","applied_at") VALUES (?, ?)
-       ON CONFLICT ("version") DO NOTHING`,
-    [marker, (/* @__PURE__ */ new Date()).toISOString()]
-  );
-}
-async function regenerateAudienceViewFromDb(db, table, columns, pkCols) {
-  if (db.getDialect() !== "postgres") return;
-  if (pkCols.length === 0) return;
-  const spec = await loadColumnPolicy(db, table);
-  const view = quoteIdent(`${table}_v`);
-  const base = quoteIdent(table);
-  if (!tableNeedsAudienceView(spec)) {
-    await runAsyncOrSync(
-      db.adapter,
-      `DROP VIEW IF EXISTS ${view};
-GRANT SELECT ON ${base} TO ${MEMBER_GROUP};`
-    );
-    return;
-  }
-  await runAsyncOrSync(db.adapter, audienceViewSql(table, columns, pkCols, spec));
-}
-async function setColumnAudience(db, table, column, audience, columns, pkCols) {
-  if (db.getDialect() !== "postgres") return;
-  await runAsyncOrSync(db.adapter, `SELECT lattice_set_column_audience(?, ?, ?)`, [
-    table,
-    column,
-    audience
-  ]);
-  await regenerateAudienceViewFromDb(db, table, columns, pkCols);
-}
-
-// src/gui/mutations.ts
 function rowLabel2(row) {
   if (!row || typeof row !== "object") return null;
   const r6 = row;
@@ -56346,42 +56420,6 @@ function saveConfigDoc(configPath, doc) {
   writeFileSync6(configPath, doc.toString(), "utf8");
 }
 
-// src/cloud/setup.ts
-async function secureNewCloudTable(db, table, pk) {
-  if (db.getDialect() !== "postgres") return;
-  if (table.startsWith("__lattice_") || table.startsWith("_lattice_")) return;
-  if (pk.length === 0) return;
-  await backfillOwnership(db, table, pk);
-  await enableRlsForTable(db, table, pk);
-  const cols = db.getRegisteredColumns(table);
-  if (cols) {
-    await seedColumnPolicyFromYaml(db, table, db.getColumnAudience(table));
-    await regenerateAudienceViewFromDb(db, table, Object.keys(cols), pk);
-  }
-}
-async function secureCloud(db) {
-  if (db.getDialect() !== "postgres") return;
-  await installCloudRls(db);
-  await installCloudSettings(db);
-  await db.ensureObservationSubstrate();
-  await enableChangelogRls(db);
-  const registered = db.getRegisteredTableNames();
-  for (const table of registered) {
-    await secureNewCloudTable(db, table, db.getPrimaryKey(table));
-  }
-  if (registered.includes("secrets")) {
-    await runAsyncOrSync(db.adapter, `SELECT lattice_set_table_never_share('secrets', true)`);
-  }
-  await runAsyncOrSync(
-    db.adapter,
-    `DO $LATTICE$ BEGIN
-       IF to_regclass('__lattice_user_identity') IS NOT NULL THEN
-         EXECUTE 'GRANT SELECT, INSERT, UPDATE ON "__lattice_user_identity" TO ${MEMBER_GROUP}';
-       END IF;
-     END $LATTICE$`
-  );
-}
-
 // src/gui/schema-ops.ts
 async function secureRuntimeTableIfCloud(active, name, pk) {
   const db = active.db;
@@ -62171,6 +62209,7 @@ async function openConfig(configPath, outputDir, autoRender = false) {
           const knownTables = /* @__PURE__ */ new Set([...declared, ...discovered.map((t8) => t8.name)]);
           for (const t8 of discovered) {
             if (declared.has(t8.name)) continue;
+            if (t8.columns.length === 0) continue;
             db.define(t8.name, {
               columns: Object.fromEntries(t8.columns.map((c6) => [c6, "TEXT"])),
               ...t8.pk.length > 0 ? { primaryKey: t8.pk.length === 1 ? t8.pk[0] : t8.pk } : {},
@@ -62207,6 +62246,7 @@ async function openConfig(configPath, outputDir, autoRender = false) {
         await installCloudSettings(db);
         await db.ensureObservationSubstrate();
         await enableChangelogRls(db);
+        await reconcileCloudMemberAccess(db);
       }
     } catch (e6) {
       console.error("[openConfig] cloud bootstrap converge failed:", e6.message);

package/dist/index.cjs

@@ -46770,6 +46770,10 @@ var NATIVE_ENTITY_NAMES = new Set(Object.keys(NATIVE_ENTITY_DEFS));
 function isNativeEntity(name) {
   return NATIVE_ENTITY_NAMES.has(name);
 }
+var NATIVE_INTERNAL_NAMES = /* @__PURE__ */ new Set([
+  "chat_threads",
+  "chat_messages"
+]);
 function registerNativeEntities(db) {
   const existing = new Set(db.getRegisteredTableNames());
   for (const [name, def] of Object.entries(NATIVE_ENTITY_DEFS)) {
@@ -48469,6 +48473,42 @@ async function setCloudSetting(db, key, value) {
 }
 
 // src/cloud/setup.ts
+var PRIVATE_ONLY_TABLES = [...NATIVE_INTERNAL_NAMES, "secrets"];
+async function reconcileCloudMemberAccess(db) {
+  if (db.getDialect() !== "postgres") return;
+  const registered = db.getRegisteredTableNames();
+  for (const t8 of PRIVATE_ONLY_TABLES) {
+    if (!registered.includes(t8)) continue;
+    await runAsyncOrSync(
+      db.adapter,
+      `SELECT lattice_set_table_never_share('${t8.replace(/'/g, "''")}', true)`
+    );
+  }
+  const rlsRows = await allAsyncOrSync(
+    db.adapter,
+    `SELECT c.relname AS name FROM pg_class c
+       JOIN pg_namespace n ON n.oid = c.relnamespace
+      WHERE n.nspname = current_schema() AND c.relkind = 'r' AND c.relrowsecurity`
+  );
+  const rlsOn = new Set(rlsRows.map((r6) => r6.name));
+  for (const table of registered) {
+    if (table.startsWith("__lattice_") || table.startsWith("_lattice_")) continue;
+    if (!rlsOn.has(table)) continue;
+    if (db.getPrimaryKey(table).length === 0) continue;
+    const q3 = `"${table.replace(/"/g, '""')}"`;
+    const masked = tableNeedsAudienceView(db.getColumnAudience(table) ?? {});
+    if (masked) {
+      const v2 = `"${`${table}_v`.replace(/"/g, '""')}"`;
+      await runAsyncOrSync(db.adapter, `GRANT SELECT ON ${v2} TO ${MEMBER_GROUP}`);
+      await runAsyncOrSync(db.adapter, `GRANT INSERT, UPDATE, DELETE ON ${q3} TO ${MEMBER_GROUP}`);
+    } else {
+      await runAsyncOrSync(
+        db.adapter,
+        `GRANT SELECT, INSERT, UPDATE, DELETE ON ${q3} TO ${MEMBER_GROUP}`
+      );
+    }
+  }
+}
 async function secureNewCloudTable(db, table, pk) {
   if (db.getDialect() !== "postgres") return;
   if (table.startsWith("__lattice_") || table.startsWith("_lattice_")) return;
@@ -48491,9 +48531,7 @@ async function secureCloud(db) {
   for (const table of registered) {
     await secureNewCloudTable(db, table, db.getPrimaryKey(table));
   }
-  if (registered.includes("secrets")) {
-    await runAsyncOrSync(db.adapter, `SELECT lattice_set_table_never_share('secrets', true)`);
-  }
+  await reconcileCloudMemberAccess(db);
   await runAsyncOrSync(
     db.adapter,
     `DO $LATTICE$ BEGIN

package/dist/index.js

@@ -46592,6 +46592,10 @@ var NATIVE_ENTITY_NAMES = new Set(Object.keys(NATIVE_ENTITY_DEFS));
 function isNativeEntity(name) {
   return NATIVE_ENTITY_NAMES.has(name);
 }
+var NATIVE_INTERNAL_NAMES = /* @__PURE__ */ new Set([
+  "chat_threads",
+  "chat_messages"
+]);
 function registerNativeEntities(db) {
   const existing = new Set(db.getRegisteredTableNames());
   for (const [name, def] of Object.entries(NATIVE_ENTITY_DEFS)) {
@@ -48291,6 +48295,42 @@ async function setCloudSetting(db, key, value) {
 }
 
 // src/cloud/setup.ts
+var PRIVATE_ONLY_TABLES = [...NATIVE_INTERNAL_NAMES, "secrets"];
+async function reconcileCloudMemberAccess(db) {
+  if (db.getDialect() !== "postgres") return;
+  const registered = db.getRegisteredTableNames();
+  for (const t8 of PRIVATE_ONLY_TABLES) {
+    if (!registered.includes(t8)) continue;
+    await runAsyncOrSync(
+      db.adapter,
+      `SELECT lattice_set_table_never_share('${t8.replace(/'/g, "''")}', true)`
+    );
+  }
+  const rlsRows = await allAsyncOrSync(
+    db.adapter,
+    `SELECT c.relname AS name FROM pg_class c
+       JOIN pg_namespace n ON n.oid = c.relnamespace
+      WHERE n.nspname = current_schema() AND c.relkind = 'r' AND c.relrowsecurity`
+  );
+  const rlsOn = new Set(rlsRows.map((r6) => r6.name));
+  for (const table of registered) {
+    if (table.startsWith("__lattice_") || table.startsWith("_lattice_")) continue;
+    if (!rlsOn.has(table)) continue;
+    if (db.getPrimaryKey(table).length === 0) continue;
+    const q3 = `"${table.replace(/"/g, '""')}"`;
+    const masked = tableNeedsAudienceView(db.getColumnAudience(table) ?? {});
+    if (masked) {
+      const v2 = `"${`${table}_v`.replace(/"/g, '""')}"`;
+      await runAsyncOrSync(db.adapter, `GRANT SELECT ON ${v2} TO ${MEMBER_GROUP}`);
+      await runAsyncOrSync(db.adapter, `GRANT INSERT, UPDATE, DELETE ON ${q3} TO ${MEMBER_GROUP}`);
+    } else {
+      await runAsyncOrSync(
+        db.adapter,
+        `GRANT SELECT, INSERT, UPDATE, DELETE ON ${q3} TO ${MEMBER_GROUP}`
+      );
+    }
+  }
+}
 async function secureNewCloudTable(db, table, pk) {
   if (db.getDialect() !== "postgres") return;
   if (table.startsWith("__lattice_") || table.startsWith("_lattice_")) return;
@@ -48313,9 +48353,7 @@ async function secureCloud(db) {
   for (const table of registered) {
     await secureNewCloudTable(db, table, db.getPrimaryKey(table));
   }
-  if (registered.includes("secrets")) {
-    await runAsyncOrSync(db.adapter, `SELECT lattice_set_table_never_share('secrets', true)`);
-  }
+  await reconcileCloudMemberAccess(db);
   await runAsyncOrSync(
     db.adapter,
     `DO $LATTICE$ BEGIN

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "latticesql",
-  "version": "3.2.0",
+  "version": "3.2.1",
   "description": "Persistent structured memory for AI agent systems — pluggable SQLite or Postgres backend, LLM context bridge",
   "type": "module",
   "main": "./dist/index.js",