latticesql 3.2.1 → 3.3.1

package/dist/index.d.cts

@@ -1,4 +1,5 @@
 import Database from 'better-sqlite3';
+import { Server } from 'node:http';
 
 /**
  * Per-file tracking info stored in the manifest.
@@ -756,6 +757,17 @@ interface LatticeOptions {
      * (or `outputFile`) are unaffected.
      */
     renderSkipsEmpty?: boolean;
+    /**
+     * Reject any insert/upsert/update whose row payload exceeds this many
+     * bytes (sum of UTF-8 byte lengths of string columns + buffer lengths).
+     * Off by default — when unset, only Postgres TOAST / SQLite blob limits
+     * (~1 GB) cap row size. A modest cap (e.g. 1 MiB) blocks one class of
+     * denial-of-service from a malicious member writing oversized rows; a
+     * production deployment should set this to whatever your app actually
+     * needs plus headroom. Throws `Error("Lattice: row exceeds maxRowBytes
+     * ...")` on violation, so callers can catch it.
+     */
+    maxRowBytes?: number;
 }
 /**
  * Retention policy for the change log.
@@ -1887,6 +1899,14 @@ declare class Lattice {
     private readonly _errorHandlers;
     private readonly _reverseSeedHandlers;
     private readonly _writeHooks;
+    /** Optional cap on per-row payload bytes; see LatticeOptions.maxRowBytes. */
+    private _maxRowBytes;
+    /**
+     * Reject the row if its payload exceeds `_maxRowBytes`. Cost is dominated
+     * by Buffer.byteLength() on string columns; we skip numbers/booleans
+     * (negligible contribution). Off when `_maxRowBytes` is unset.
+     */
+    private _assertRowSize;
     constructor(pathOrConfig: string | LatticeConfigInput, options?: LatticeOptions);
     /**
      * Open a workspace under a `.lattice` root. Resolves the root (the
@@ -2030,11 +2050,12 @@ declare class Lattice {
      * PK skip, etc.) and refreshes the column cache so subsequent
      * `query`/`insert`/`update` calls are aware of the new column.
      *
-     * Does NOT update the SchemaManager's stored TableDefinition. The
-     * runtime column cache is what insert/update/query consult; the def
-     * is only consulted by `applySchema` (which is only re-run at init).
-     * Callers who care about def-level fidelity (most don't) should
-     * re-`defineLate` the table on the next session start.
+     * Also mirrors the new column into the SchemaManager's stored
+     * TableDefinition, so `getRegisteredColumns()` reflects the post-ALTER
+     * schema. This matters because the Teams `share` flow serializes that def
+     * to propagate the schema to teammates — without the mirror, a
+     * runtime-added column was silently dropped from the shared spec. The
+     * runtime column cache remains what insert/update/query consult.
      *
      * Idempotent: if the column already exists on the table, this is a
      * no-op (introspect-first; skip the ALTER).
@@ -4368,6 +4389,19 @@ declare function secureCloud(db: Lattice): Promise<void>;
  */
 /** Setting key for the chat system prompt an owner bundles into every member's chat. */
 declare const CLOUD_SETTING_SYSTEM_PROMPT = "chat_system_prompt";
+/**
+ * Setting key for the owner-set workspace logo — a `data:image/(png|jpeg);base64,…`
+ * URI that replaces the default Lattice topbar mark for every member of the cloud.
+ * Stored as text (base64) in the shared owner-write/member-read settings table.
+ */
+declare const CLOUD_SETTING_WORKSPACE_LOGO = "workspace_logo";
+/**
+ * Setting key for the workspace logo's content hash (sha256 hex of the decoded
+ * bytes, computed server-side on write). Used as the cache-busting `?v=` token and
+ * the `ETag` — cheap to read (~64 bytes) so a member's per-load cost is one tiny
+ * read, and the full blob is fetched at most once per logo version.
+ */
+declare const CLOUD_SETTING_WORKSPACE_LOGO_ETAG = "workspace_logo_etag";
 /**
  * Install the workspace-settings table + helpers. Idempotent (`CREATE TABLE IF
  * NOT EXISTS` / `CREATE OR REPLACE FUNCTION`). No-op on SQLite. Run as the cloud
@@ -4601,6 +4635,14 @@ interface CrawlOptions {
      * degrades silently when Playwright or a browser is absent.
      */
     noJs?: boolean;
+    /**
+     * Render with headless Chromium up front rather than only as a low-text
+     * fallback — for SPA-heavy pages whose static HTML is an empty shell. When
+     * Playwright is absent this degrades to the static extraction with a single
+     * loud warning (it is an optional dependency, not a hard requirement).
+     * Ignored when `noJs` is set. Default false.
+     */
+    forceJs?: boolean;
 }
 declare function crawlUrl(rawUrl: string, opts?: CrawlOptions): Promise<CrawlResult>;
 
@@ -4678,4 +4720,124 @@ interface PdfOptions {
  */
 declare function describePdf(auth: ClaudeAuth, path: string, opts?: PdfOptions): Promise<string>;
 
-export { type AddWorkspaceOptions, type AdoptNativeOptions, type AdoptResult, type ApplyWriteResult, type AudienceRowCtx, type AuditEvent, type AutoUpdateResult, type BelongsToRelation, type BelongsToSource, type BlobMetadata, type BuiltinTemplateName, CLOUD_SETTING_SYSTEM_PROMPT, CONFIG_SUBDIR, type CatalogEntity, type CatalogRecord, type ChangeEntry, type ChangelogOptions, type ClassifyMatch, type CleanupOptions, type CleanupResult, type CloudProbeResult, type CountOptions, type CrawlOptions, type CrawlResult, type CustomSource, DEFAULT_ENTRY_TYPES, DEFAULT_TYPE_ALIASES, type DiscoveredTable, type EmbeddingsConfig, type EnrichOptions, type EnrichResult, type EnrichedSource, type EnrichmentLookup, type EntityContextDefinition, type EntityContextManifestEntry, type EntityFileManifestInfo, type EntityFileSource, type EntityFileSpec, type EntityProfileField, type EntityProfileSection, type EntityProfileTemplate, type EntityRenderSpec, type EntityRenderTemplate, type EntitySectionPerRow, type EntitySectionsTemplate, type EntityTableColumn, type EntityTableTemplate, type ExtractedObject, type FilesRow, type Filter, type FilterOp, FoldCache, type FtsConfig, type FtsGroup, type FtsHit, type FtsOptions, type FtsResult, type HasManyRelation, type HasManySource, InMemorySourceKeyStore, InMemoryStateStore, type InitOptions, LOCAL_DB_RELPATH, Lattice, type LatticeConfig, type LatticeConfigInput, type LatticeEntityDef, type LatticeEntityRenderSpec, type LatticeFieldDef, type LatticeFieldType, type LatticeManifest, type LatticeOptions, type LinkOptions, type LlmClient, type LlmMessage, MEMBER_GROUP, type ManyToManySource, type MarkdownTableColumn, type MigrateResult, type Migration, type MigrationOptions, type MigrationProgress, type MigrationResult, type MultiTableDefinition, NATIVE_ENTITY_DEFS, NATIVE_ENTITY_NAMES, NATIVE_REGISTRY_TABLE, type Observation, type OrderBySpec, type OrganizeOptions, type OrganizeResult, type OrganizedCreation, type OrganizedLink, type ParseError, type ParseResult, type ParsedConfig, type PdfOptions, type PdfSenderInput, type PkLookup, PostgresAdapter, type PostgresAdapterOptions, type PreparedStatement, type PrimaryKey, ProgressThrottle, type QueryOptions, READ_ONLY_HEADER, ROOT_DIRNAME, type ReadOnlyHeaderOptions, type ReconcileOptions, type ReconcileResult, type RefKind, type RefProvider, type ReferenceMetadata, ReferenceUnavailableError, type Relation, type RemoteBlobStore, type RenderHooks, type RenderOptions, type RenderProgress, type RenderProgressCallback, type RenderProgressKind, type RenderResult, type RenderSpec, type ReportConfig, type ReportResult, type ReportSection, type ReportSectionResult, type ResolveOptions, type ReverseSeedDetection, type ReverseSeedResult, type ReverseSeedTableResult, type ReverseSyncError, type ReverseSyncResult, type ReverseSyncUpdate, type RewardScores, type Row, type RowVisibilityDefault, type S3Config, type S3StoreConfig, S3UnavailableError, SQLiteAdapter, type SchemaEntity, type SearchOptions, type SearchResult, type SecurityOptions, type SeedConfig, type SeedLinkSpec, SeedReconciliationError, type SeedResult, type SelfSource, type SessionEntry, type SessionParseOptions, type SessionWriteEntry, type SessionWriteOp, type SessionWriteParseResult, type SourceHandle, type SourceKeyStore, type SourceMetadata, type SourceQueryOptions, SourceShreddedError, type StopFn, type StorageAdapter, type SyncResult, type TableDefinition, type TablePolicy, type TemplateRenderSpec, type TurnParams, type TurnResult, type UnresolvedLink, type UpsertByNaturalKeyOptions, type UserIdentity, type UserPreferences, type Viewer, type VisionOptions, type VisionSenderInput, WORKSPACES_SUBDIR, type WatchOptions, type WorkspacePaths, type WorkspaceRecord, type WorkspaceRegistry, type WriteHook, type WriteHookContext, type WritebackDefinition, type WritebackStateStore, type WritebackValidationResult, activeWorkspaceLabel, addWorkspace, adoptNativeEntities, analyticsEnabled, applyTokenBudget, applyWriteEntry, archiveLocalSqlite, assertSafeUrl, attachBlob, audiencePredicate, audienceViewSql, autoFtsColumns, autoUpdate, backfillOwnership, canManageRoles, classifyLinks, cloudRlsInstalled, configDir, contentHash, crawlUrl, createReadOnlyHeader, createS3Store, createSQLiteStateStore, decrypt, defaultWorkspaceYaml, deleteDbCredential, deleteToken, deriveCanonicalContexts, deriveKey, describeImage, describePdf, discoverCloudTables, enableAudienceView, enableChangelogRls, enableRlsForTable, encrypt, enrichKnowledge, ensureFtsIndex, ensureLatticeRoot, entityFileNames, estimateTokens, extractObjects, findLatticeRoot, fixSchemaConflicts, foldEntity, frontmatter, ftsTableName, fullTextSearch, generateEntryId, generateMemberPassword, generateWriteEntryId, getActiveWorkspace, getCloudSetting, getDbCredential, getOrCreateMasterKey, getTablePolicy, getWorkspace, grantCell, hasFtsIndex, hashFile, importLegacyUserConfig, installCloudRls, installCloudSettings, isEncrypted, isNativeEntity, isPostgresUrl, isPrivateIp, isRowAudience, isV1EntityFiles, listDbCredentials, listNativeBindings, listTokens, listWorkspaces, loadColumnPolicy, manifestPath, markdownTable, memberRoleName, migrateLatticeData, normalizeEntityFiles, observationVisible, observationsFromChange, openTargetLatticeForMigration, openUnderSource, organizeSource, parseConfigFile, parseConfigString, parseMarkdownEntries, parseMatches, parseObjects, parseSessionMD, parseSessionWrites, probeCloud, providerForUrl, provisionMemberRole, readIdentity, readManifest, readPreferences, readRegistry, readToken, referenceLocalFile, referenceUrl, regenerateAudienceViewFromDb, registerNativeEntities, registryPath, resolveActiveS3Config, resolveLatticeRoot, resolveSource, resolveWorkspacePaths, revokeCell, revokeMemberRole, rootConfigDir, s3Key, saveDbCredential, saveDbCredentialForTeam, sealUnderSource, secureCloud, seedColumnPolicyFromYaml, setActiveWorkspace, setCloudSetting, setColumnAudience, setRowVisibility, setTableDefaultVisibility, setTableNeverShare, shredSource, slugify, summarizeText, tableNeedsAudienceView, toSafeDirName, truncate, validateEntryId, workspaceBlobsDir, workspaceConfigPath, workspaceContextDir, workspaceDataDir, workspaceDbPath, workspaceDir, workspacesDir, writeIdentity, writeManifest, writePreferences, writeRegistry, writeToken };
+interface StartGuiServerOptions {
+    /**
+     * Active workspace config to open. NULL/empty ⇒ boot into the zero-workspace
+     * "virgin" state (no active DB): the server serves the shell + the
+     * workspace-management & onboarding routes, and every data route 409s until a
+     * workspace is created or joined. `latticeRoot` must be set in that case so the
+     * onboarding routes can register the new workspace.
+     */
+    configPath?: string | null;
+    /** Render output dir for the active workspace. NULL/empty in the virgin state. */
+    outputDir?: string | null;
+    /**
+     * The `.lattice` root. Normally discovered from `configPath`, but MUST be passed
+     * when booting virgin (no config to discover it from) so the management routes
+     * can add the first workspace into the right registry.
+     */
+    latticeRoot?: string | null;
+    port?: number;
+    openBrowser?: boolean;
+    /**
+     * Bind address. Defaults to `127.0.0.1`. Use `0.0.0.0` (or a specific
+     * interface) to expose the server outside localhost.
+     */
+    host?: string;
+    /**
+     * Workspace mode: derive canonical entity contexts for tables without one
+     * and keep the rendered Context/ tree synced via auto-render on every write.
+     * Set by `lattice gui` when opening a `.lattice` workspace. Off for a plain
+     * `--config` GUI (which serves only externally-rendered context).
+     */
+    autoRender?: boolean;
+    /**
+     * Package version string (no leading `v`), stamped into the served GUI shell
+     * at the `<!--LATTICE_VERSION-->` placeholder (shown left of the settings
+     * gear). Passed in by `cli.ts` (`getVersion()`) so the version is resolved in
+     * the ESM entrypoint — server.ts is bundled to both CJS and ESM, and reading
+     * package.json via `import.meta.url` here would break the CJS bundle. Omitted
+     * ⇒ the version chip stays hidden.
+     */
+    version?: string;
+    /**
+     * Realtime backstop liveness-poll interval (ms) for the RealtimeBroker. A
+     * managed-Postgres proxy (e.g. AWS RDS Proxy) can silently drop the LISTEN
+     * without closing the socket; the poll re-delivers missed changes regardless.
+     * Omitted ⇒ the broker's default (20s). 0 disables it.
+     */
+    realtimeWatchdogMs?: number;
+}
+interface GuiServerHandle {
+    server: Server;
+    port: number;
+    url: string;
+    close: () => Promise<void>;
+}
+declare function startGuiServer(options: StartGuiServerOptions): Promise<GuiServerHandle>;
+
+/**
+ * Durable, file-backed {@link SourceKeyStore} for production deployments.
+ *
+ * The default {@link InMemorySourceKeyStore} keeps source keys in process
+ * memory only — a restart implicitly shreds every key, making every
+ * sealed value unrecoverable. For real crypto-shred semantics you need a
+ * shred-DURABLE store: keys that survive restarts but can be irreversibly
+ * destroyed when you want to forget a source.
+ *
+ * This store writes keys to a single JSON file (one map of sourceId →
+ * 32-byte AES key, base64-encoded). The file is created with mode 0600
+ * and rewritten atomically (write-then-rename) on every change. An
+ * optional passphrase enables AES-256-GCM encryption-at-rest using
+ * scrypt-derived keys, so a stolen file is unreadable without the secret.
+ *
+ * **Threat-model note.** Keys should live SEPARATE from data so a
+ * database compromise alone doesn't surrender every shredded value's
+ * plaintext. This store satisfies that when its file is on a separate
+ * filesystem / volume / backup-policy from the Postgres data — the
+ * common production pattern is to mount this file from a secrets volume
+ * (AWS Secrets Manager file ref, mounted via Secrets Store CSI; or a
+ * dedicated EBS volume excluded from DB backups). Keeping the file on
+ * the same disk as Postgres data is *better than InMemory* but does not
+ * provide the strongest crypto-shred guarantee.
+ *
+ * For KMS-backed deployments, implement {@link SourceKeyStore} directly
+ * against the KMS API — this class is the simplest durable option for
+ * teams who don't want a KMS dependency.
+ */
+interface FileSourceKeyStoreOptions {
+    /**
+     * Absolute or relative filesystem path where the key map is persisted.
+     * Created if missing along with its parent directory. The file is
+     * always chmod'd to 0600 (owner read/write only) on write.
+     */
+    path: string;
+    /**
+     * Optional passphrase. When set, the file is encrypted at rest with
+     * AES-256-GCM under a scrypt-derived key (random salt per write). When
+     * omitted, the file is stored as plaintext JSON — only acceptable if
+     * the underlying filesystem already enforces secrecy (e.g. a Secrets
+     * Manager mount, an LUKS-encrypted volume, or an HSM-backed disk).
+     */
+    passphrase?: string;
+}
+declare class FileSourceKeyStore implements SourceKeyStore {
+    private readonly path;
+    private readonly passphrase;
+    private readonly cache;
+    constructor(opts: FileSourceKeyStoreOptions);
+    get(sourceId: string): Buffer | undefined;
+    getOrCreate(sourceId: string): Buffer;
+    destroy(sourceId: string): void;
+    /**
+     * Number of keys currently held — useful for diagnostics. Not part of
+     * the SourceKeyStore interface.
+     */
+    size(): number;
+    private load;
+    private persist;
+    private decodeFile;
+    private encodeFile;
+}
+
+export { type AddWorkspaceOptions, type AdoptNativeOptions, type AdoptResult, type ApplyWriteResult, type AudienceRowCtx, type AuditEvent, type AutoUpdateResult, type BelongsToRelation, type BelongsToSource, type BlobMetadata, type BuiltinTemplateName, CLOUD_SETTING_SYSTEM_PROMPT, CLOUD_SETTING_WORKSPACE_LOGO, CLOUD_SETTING_WORKSPACE_LOGO_ETAG, CONFIG_SUBDIR, type CatalogEntity, type CatalogRecord, type ChangeEntry, type ChangelogOptions, type ClassifyMatch, type CleanupOptions, type CleanupResult, type CloudProbeResult, type CountOptions, type CrawlOptions, type CrawlResult, type CustomSource, DEFAULT_ENTRY_TYPES, DEFAULT_TYPE_ALIASES, type DiscoveredTable, type EmbeddingsConfig, type EnrichOptions, type EnrichResult, type EnrichedSource, type EnrichmentLookup, type EntityContextDefinition, type EntityContextManifestEntry, type EntityFileManifestInfo, type EntityFileSource, type EntityFileSpec, type EntityProfileField, type EntityProfileSection, type EntityProfileTemplate, type EntityRenderSpec, type EntityRenderTemplate, type EntitySectionPerRow, type EntitySectionsTemplate, type EntityTableColumn, type EntityTableTemplate, type ExtractedObject, FileSourceKeyStore, type FileSourceKeyStoreOptions, type FilesRow, type Filter, type FilterOp, FoldCache, type FtsConfig, type FtsGroup, type FtsHit, type FtsOptions, type FtsResult, type GuiServerHandle, type HasManyRelation, type HasManySource, InMemorySourceKeyStore, InMemoryStateStore, type InitOptions, LOCAL_DB_RELPATH, Lattice, type LatticeConfig, type LatticeConfigInput, type LatticeEntityDef, type LatticeEntityRenderSpec, type LatticeFieldDef, type LatticeFieldType, type LatticeManifest, type LatticeOptions, type LinkOptions, type LlmClient, type LlmMessage, MEMBER_GROUP, type ManyToManySource, type MarkdownTableColumn, type MigrateResult, type Migration, type MigrationOptions, type MigrationProgress, type MigrationResult, type MultiTableDefinition, NATIVE_ENTITY_DEFS, NATIVE_ENTITY_NAMES, NATIVE_REGISTRY_TABLE, type Observation, type OrderBySpec, type OrganizeOptions, type OrganizeResult, type OrganizedCreation, type OrganizedLink, type ParseError, type ParseResult, type ParsedConfig, type PdfOptions, type PdfSenderInput, type PkLookup, PostgresAdapter, type PostgresAdapterOptions, type PreparedStatement, type PrimaryKey, ProgressThrottle, type QueryOptions, READ_ONLY_HEADER, ROOT_DIRNAME, type ReadOnlyHeaderOptions, type ReconcileOptions, type ReconcileResult, type RefKind, type RefProvider, type ReferenceMetadata, ReferenceUnavailableError, type Relation, type RemoteBlobStore, type RenderHooks, type RenderOptions, type RenderProgress, type RenderProgressCallback, type RenderProgressKind, type RenderResult, type RenderSpec, type ReportConfig, type ReportResult, type ReportSection, type ReportSectionResult, type ResolveOptions, type ReverseSeedDetection, type ReverseSeedResult, type ReverseSeedTableResult, type ReverseSyncError, type ReverseSyncResult, type ReverseSyncUpdate, type RewardScores, type Row, type RowVisibilityDefault, type S3Config, type S3StoreConfig, S3UnavailableError, SQLiteAdapter, type SchemaEntity, type SearchOptions, type SearchResult, type SecurityOptions, type SeedConfig, type SeedLinkSpec, SeedReconciliationError, type SeedResult, type SelfSource, type SessionEntry, type SessionParseOptions, type SessionWriteEntry, type SessionWriteOp, type SessionWriteParseResult, type SourceHandle, type SourceKeyStore, type SourceMetadata, type SourceQueryOptions, SourceShreddedError, type StartGuiServerOptions, type StopFn, type StorageAdapter, type SyncResult, type TableDefinition, type TablePolicy, type TemplateRenderSpec, type TurnParams, type TurnResult, type UnresolvedLink, type UpsertByNaturalKeyOptions, type UserIdentity, type UserPreferences, type Viewer, type VisionOptions, type VisionSenderInput, WORKSPACES_SUBDIR, type WatchOptions, type WorkspacePaths, type WorkspaceRecord, type WorkspaceRegistry, type WriteHook, type WriteHookContext, type WritebackDefinition, type WritebackStateStore, type WritebackValidationResult, activeWorkspaceLabel, addWorkspace, adoptNativeEntities, analyticsEnabled, applyTokenBudget, applyWriteEntry, archiveLocalSqlite, assertSafeUrl, attachBlob, audiencePredicate, audienceViewSql, autoFtsColumns, autoUpdate, backfillOwnership, canManageRoles, classifyLinks, cloudRlsInstalled, configDir, contentHash, crawlUrl, createReadOnlyHeader, createS3Store, createSQLiteStateStore, decrypt, defaultWorkspaceYaml, deleteDbCredential, deleteToken, deriveCanonicalContexts, deriveKey, describeImage, describePdf, discoverCloudTables, enableAudienceView, enableChangelogRls, enableRlsForTable, encrypt, enrichKnowledge, ensureFtsIndex, ensureLatticeRoot, entityFileNames, estimateTokens, extractObjects, findLatticeRoot, fixSchemaConflicts, foldEntity, frontmatter, ftsTableName, fullTextSearch, generateEntryId, generateMemberPassword, generateWriteEntryId, getActiveWorkspace, getCloudSetting, getDbCredential, getOrCreateMasterKey, getTablePolicy, getWorkspace, grantCell, hasFtsIndex, hashFile, importLegacyUserConfig, installCloudRls, installCloudSettings, isEncrypted, isNativeEntity, isPostgresUrl, isPrivateIp, isRowAudience, isV1EntityFiles, listDbCredentials, listNativeBindings, listTokens, listWorkspaces, loadColumnPolicy, manifestPath, markdownTable, memberRoleName, migrateLatticeData, normalizeEntityFiles, observationVisible, observationsFromChange, openTargetLatticeForMigration, openUnderSource, organizeSource, parseConfigFile, parseConfigString, parseMarkdownEntries, parseMatches, parseObjects, parseSessionMD, parseSessionWrites, probeCloud, providerForUrl, provisionMemberRole, readIdentity, readManifest, readPreferences, readRegistry, readToken, referenceLocalFile, referenceUrl, regenerateAudienceViewFromDb, registerNativeEntities, registryPath, resolveActiveS3Config, resolveLatticeRoot, resolveSource, resolveWorkspacePaths, revokeCell, revokeMemberRole, rootConfigDir, s3Key, saveDbCredential, saveDbCredentialForTeam, sealUnderSource, secureCloud, seedColumnPolicyFromYaml, setActiveWorkspace, setCloudSetting, setColumnAudience, setRowVisibility, setTableDefaultVisibility, setTableNeverShare, shredSource, slugify, startGuiServer, summarizeText, tableNeedsAudienceView, toSafeDirName, truncate, validateEntryId, workspaceBlobsDir, workspaceConfigPath, workspaceContextDir, workspaceDataDir, workspaceDbPath, workspaceDir, workspacesDir, writeIdentity, writeManifest, writePreferences, writeRegistry, writeToken };

package/dist/index.d.ts

@@ -1,4 +1,5 @@
 import Database from 'better-sqlite3';
+import { Server } from 'node:http';
 
 /**
  * Per-file tracking info stored in the manifest.
@@ -756,6 +757,17 @@ interface LatticeOptions {
      * (or `outputFile`) are unaffected.
      */
     renderSkipsEmpty?: boolean;
+    /**
+     * Reject any insert/upsert/update whose row payload exceeds this many
+     * bytes (sum of UTF-8 byte lengths of string columns + buffer lengths).
+     * Off by default — when unset, only Postgres TOAST / SQLite blob limits
+     * (~1 GB) cap row size. A modest cap (e.g. 1 MiB) blocks one class of
+     * denial-of-service from a malicious member writing oversized rows; a
+     * production deployment should set this to whatever your app actually
+     * needs plus headroom. Throws `Error("Lattice: row exceeds maxRowBytes
+     * ...")` on violation, so callers can catch it.
+     */
+    maxRowBytes?: number;
 }
 /**
  * Retention policy for the change log.
@@ -1887,6 +1899,14 @@ declare class Lattice {
     private readonly _errorHandlers;
     private readonly _reverseSeedHandlers;
     private readonly _writeHooks;
+    /** Optional cap on per-row payload bytes; see LatticeOptions.maxRowBytes. */
+    private _maxRowBytes;
+    /**
+     * Reject the row if its payload exceeds `_maxRowBytes`. Cost is dominated
+     * by Buffer.byteLength() on string columns; we skip numbers/booleans
+     * (negligible contribution). Off when `_maxRowBytes` is unset.
+     */
+    private _assertRowSize;
     constructor(pathOrConfig: string | LatticeConfigInput, options?: LatticeOptions);
     /**
      * Open a workspace under a `.lattice` root. Resolves the root (the
@@ -2030,11 +2050,12 @@ declare class Lattice {
      * PK skip, etc.) and refreshes the column cache so subsequent
      * `query`/`insert`/`update` calls are aware of the new column.
      *
-     * Does NOT update the SchemaManager's stored TableDefinition. The
-     * runtime column cache is what insert/update/query consult; the def
-     * is only consulted by `applySchema` (which is only re-run at init).
-     * Callers who care about def-level fidelity (most don't) should
-     * re-`defineLate` the table on the next session start.
+     * Also mirrors the new column into the SchemaManager's stored
+     * TableDefinition, so `getRegisteredColumns()` reflects the post-ALTER
+     * schema. This matters because the Teams `share` flow serializes that def
+     * to propagate the schema to teammates — without the mirror, a
+     * runtime-added column was silently dropped from the shared spec. The
+     * runtime column cache remains what insert/update/query consult.
      *
      * Idempotent: if the column already exists on the table, this is a
      * no-op (introspect-first; skip the ALTER).
@@ -4368,6 +4389,19 @@ declare function secureCloud(db: Lattice): Promise<void>;
  */
 /** Setting key for the chat system prompt an owner bundles into every member's chat. */
 declare const CLOUD_SETTING_SYSTEM_PROMPT = "chat_system_prompt";
+/**
+ * Setting key for the owner-set workspace logo — a `data:image/(png|jpeg);base64,…`
+ * URI that replaces the default Lattice topbar mark for every member of the cloud.
+ * Stored as text (base64) in the shared owner-write/member-read settings table.
+ */
+declare const CLOUD_SETTING_WORKSPACE_LOGO = "workspace_logo";
+/**
+ * Setting key for the workspace logo's content hash (sha256 hex of the decoded
+ * bytes, computed server-side on write). Used as the cache-busting `?v=` token and
+ * the `ETag` — cheap to read (~64 bytes) so a member's per-load cost is one tiny
+ * read, and the full blob is fetched at most once per logo version.
+ */
+declare const CLOUD_SETTING_WORKSPACE_LOGO_ETAG = "workspace_logo_etag";
 /**
  * Install the workspace-settings table + helpers. Idempotent (`CREATE TABLE IF
  * NOT EXISTS` / `CREATE OR REPLACE FUNCTION`). No-op on SQLite. Run as the cloud
@@ -4601,6 +4635,14 @@ interface CrawlOptions {
      * degrades silently when Playwright or a browser is absent.
      */
     noJs?: boolean;
+    /**
+     * Render with headless Chromium up front rather than only as a low-text
+     * fallback — for SPA-heavy pages whose static HTML is an empty shell. When
+     * Playwright is absent this degrades to the static extraction with a single
+     * loud warning (it is an optional dependency, not a hard requirement).
+     * Ignored when `noJs` is set. Default false.
+     */
+    forceJs?: boolean;
 }
 declare function crawlUrl(rawUrl: string, opts?: CrawlOptions): Promise<CrawlResult>;
 
@@ -4678,4 +4720,124 @@ interface PdfOptions {
  */
 declare function describePdf(auth: ClaudeAuth, path: string, opts?: PdfOptions): Promise<string>;
 
-export { type AddWorkspaceOptions, type AdoptNativeOptions, type AdoptResult, type ApplyWriteResult, type AudienceRowCtx, type AuditEvent, type AutoUpdateResult, type BelongsToRelation, type BelongsToSource, type BlobMetadata, type BuiltinTemplateName, CLOUD_SETTING_SYSTEM_PROMPT, CONFIG_SUBDIR, type CatalogEntity, type CatalogRecord, type ChangeEntry, type ChangelogOptions, type ClassifyMatch, type CleanupOptions, type CleanupResult, type CloudProbeResult, type CountOptions, type CrawlOptions, type CrawlResult, type CustomSource, DEFAULT_ENTRY_TYPES, DEFAULT_TYPE_ALIASES, type DiscoveredTable, type EmbeddingsConfig, type EnrichOptions, type EnrichResult, type EnrichedSource, type EnrichmentLookup, type EntityContextDefinition, type EntityContextManifestEntry, type EntityFileManifestInfo, type EntityFileSource, type EntityFileSpec, type EntityProfileField, type EntityProfileSection, type EntityProfileTemplate, type EntityRenderSpec, type EntityRenderTemplate, type EntitySectionPerRow, type EntitySectionsTemplate, type EntityTableColumn, type EntityTableTemplate, type ExtractedObject, type FilesRow, type Filter, type FilterOp, FoldCache, type FtsConfig, type FtsGroup, type FtsHit, type FtsOptions, type FtsResult, type HasManyRelation, type HasManySource, InMemorySourceKeyStore, InMemoryStateStore, type InitOptions, LOCAL_DB_RELPATH, Lattice, type LatticeConfig, type LatticeConfigInput, type LatticeEntityDef, type LatticeEntityRenderSpec, type LatticeFieldDef, type LatticeFieldType, type LatticeManifest, type LatticeOptions, type LinkOptions, type LlmClient, type LlmMessage, MEMBER_GROUP, type ManyToManySource, type MarkdownTableColumn, type MigrateResult, type Migration, type MigrationOptions, type MigrationProgress, type MigrationResult, type MultiTableDefinition, NATIVE_ENTITY_DEFS, NATIVE_ENTITY_NAMES, NATIVE_REGISTRY_TABLE, type Observation, type OrderBySpec, type OrganizeOptions, type OrganizeResult, type OrganizedCreation, type OrganizedLink, type ParseError, type ParseResult, type ParsedConfig, type PdfOptions, type PdfSenderInput, type PkLookup, PostgresAdapter, type PostgresAdapterOptions, type PreparedStatement, type PrimaryKey, ProgressThrottle, type QueryOptions, READ_ONLY_HEADER, ROOT_DIRNAME, type ReadOnlyHeaderOptions, type ReconcileOptions, type ReconcileResult, type RefKind, type RefProvider, type ReferenceMetadata, ReferenceUnavailableError, type Relation, type RemoteBlobStore, type RenderHooks, type RenderOptions, type RenderProgress, type RenderProgressCallback, type RenderProgressKind, type RenderResult, type RenderSpec, type ReportConfig, type ReportResult, type ReportSection, type ReportSectionResult, type ResolveOptions, type ReverseSeedDetection, type ReverseSeedResult, type ReverseSeedTableResult, type ReverseSyncError, type ReverseSyncResult, type ReverseSyncUpdate, type RewardScores, type Row, type RowVisibilityDefault, type S3Config, type S3StoreConfig, S3UnavailableError, SQLiteAdapter, type SchemaEntity, type SearchOptions, type SearchResult, type SecurityOptions, type SeedConfig, type SeedLinkSpec, SeedReconciliationError, type SeedResult, type SelfSource, type SessionEntry, type SessionParseOptions, type SessionWriteEntry, type SessionWriteOp, type SessionWriteParseResult, type SourceHandle, type SourceKeyStore, type SourceMetadata, type SourceQueryOptions, SourceShreddedError, type StopFn, type StorageAdapter, type SyncResult, type TableDefinition, type TablePolicy, type TemplateRenderSpec, type TurnParams, type TurnResult, type UnresolvedLink, type UpsertByNaturalKeyOptions, type UserIdentity, type UserPreferences, type Viewer, type VisionOptions, type VisionSenderInput, WORKSPACES_SUBDIR, type WatchOptions, type WorkspacePaths, type WorkspaceRecord, type WorkspaceRegistry, type WriteHook, type WriteHookContext, type WritebackDefinition, type WritebackStateStore, type WritebackValidationResult, activeWorkspaceLabel, addWorkspace, adoptNativeEntities, analyticsEnabled, applyTokenBudget, applyWriteEntry, archiveLocalSqlite, assertSafeUrl, attachBlob, audiencePredicate, audienceViewSql, autoFtsColumns, autoUpdate, backfillOwnership, canManageRoles, classifyLinks, cloudRlsInstalled, configDir, contentHash, crawlUrl, createReadOnlyHeader, createS3Store, createSQLiteStateStore, decrypt, defaultWorkspaceYaml, deleteDbCredential, deleteToken, deriveCanonicalContexts, deriveKey, describeImage, describePdf, discoverCloudTables, enableAudienceView, enableChangelogRls, enableRlsForTable, encrypt, enrichKnowledge, ensureFtsIndex, ensureLatticeRoot, entityFileNames, estimateTokens, extractObjects, findLatticeRoot, fixSchemaConflicts, foldEntity, frontmatter, ftsTableName, fullTextSearch, generateEntryId, generateMemberPassword, generateWriteEntryId, getActiveWorkspace, getCloudSetting, getDbCredential, getOrCreateMasterKey, getTablePolicy, getWorkspace, grantCell, hasFtsIndex, hashFile, importLegacyUserConfig, installCloudRls, installCloudSettings, isEncrypted, isNativeEntity, isPostgresUrl, isPrivateIp, isRowAudience, isV1EntityFiles, listDbCredentials, listNativeBindings, listTokens, listWorkspaces, loadColumnPolicy, manifestPath, markdownTable, memberRoleName, migrateLatticeData, normalizeEntityFiles, observationVisible, observationsFromChange, openTargetLatticeForMigration, openUnderSource, organizeSource, parseConfigFile, parseConfigString, parseMarkdownEntries, parseMatches, parseObjects, parseSessionMD, parseSessionWrites, probeCloud, providerForUrl, provisionMemberRole, readIdentity, readManifest, readPreferences, readRegistry, readToken, referenceLocalFile, referenceUrl, regenerateAudienceViewFromDb, registerNativeEntities, registryPath, resolveActiveS3Config, resolveLatticeRoot, resolveSource, resolveWorkspacePaths, revokeCell, revokeMemberRole, rootConfigDir, s3Key, saveDbCredential, saveDbCredentialForTeam, sealUnderSource, secureCloud, seedColumnPolicyFromYaml, setActiveWorkspace, setCloudSetting, setColumnAudience, setRowVisibility, setTableDefaultVisibility, setTableNeverShare, shredSource, slugify, summarizeText, tableNeedsAudienceView, toSafeDirName, truncate, validateEntryId, workspaceBlobsDir, workspaceConfigPath, workspaceContextDir, workspaceDataDir, workspaceDbPath, workspaceDir, workspacesDir, writeIdentity, writeManifest, writePreferences, writeRegistry, writeToken };
+interface StartGuiServerOptions {
+    /**
+     * Active workspace config to open. NULL/empty ⇒ boot into the zero-workspace
+     * "virgin" state (no active DB): the server serves the shell + the
+     * workspace-management & onboarding routes, and every data route 409s until a
+     * workspace is created or joined. `latticeRoot` must be set in that case so the
+     * onboarding routes can register the new workspace.
+     */
+    configPath?: string | null;
+    /** Render output dir for the active workspace. NULL/empty in the virgin state. */
+    outputDir?: string | null;
+    /**
+     * The `.lattice` root. Normally discovered from `configPath`, but MUST be passed
+     * when booting virgin (no config to discover it from) so the management routes
+     * can add the first workspace into the right registry.
+     */
+    latticeRoot?: string | null;
+    port?: number;
+    openBrowser?: boolean;
+    /**
+     * Bind address. Defaults to `127.0.0.1`. Use `0.0.0.0` (or a specific
+     * interface) to expose the server outside localhost.
+     */
+    host?: string;
+    /**
+     * Workspace mode: derive canonical entity contexts for tables without one
+     * and keep the rendered Context/ tree synced via auto-render on every write.
+     * Set by `lattice gui` when opening a `.lattice` workspace. Off for a plain
+     * `--config` GUI (which serves only externally-rendered context).
+     */
+    autoRender?: boolean;
+    /**
+     * Package version string (no leading `v`), stamped into the served GUI shell
+     * at the `<!--LATTICE_VERSION-->` placeholder (shown left of the settings
+     * gear). Passed in by `cli.ts` (`getVersion()`) so the version is resolved in
+     * the ESM entrypoint — server.ts is bundled to both CJS and ESM, and reading
+     * package.json via `import.meta.url` here would break the CJS bundle. Omitted
+     * ⇒ the version chip stays hidden.
+     */
+    version?: string;
+    /**
+     * Realtime backstop liveness-poll interval (ms) for the RealtimeBroker. A
+     * managed-Postgres proxy (e.g. AWS RDS Proxy) can silently drop the LISTEN
+     * without closing the socket; the poll re-delivers missed changes regardless.
+     * Omitted ⇒ the broker's default (20s). 0 disables it.
+     */
+    realtimeWatchdogMs?: number;
+}
+interface GuiServerHandle {
+    server: Server;
+    port: number;
+    url: string;
+    close: () => Promise<void>;
+}
+declare function startGuiServer(options: StartGuiServerOptions): Promise<GuiServerHandle>;
+
+/**
+ * Durable, file-backed {@link SourceKeyStore} for production deployments.
+ *
+ * The default {@link InMemorySourceKeyStore} keeps source keys in process
+ * memory only — a restart implicitly shreds every key, making every
+ * sealed value unrecoverable. For real crypto-shred semantics you need a
+ * shred-DURABLE store: keys that survive restarts but can be irreversibly
+ * destroyed when you want to forget a source.
+ *
+ * This store writes keys to a single JSON file (one map of sourceId →
+ * 32-byte AES key, base64-encoded). The file is created with mode 0600
+ * and rewritten atomically (write-then-rename) on every change. An
+ * optional passphrase enables AES-256-GCM encryption-at-rest using
+ * scrypt-derived keys, so a stolen file is unreadable without the secret.
+ *
+ * **Threat-model note.** Keys should live SEPARATE from data so a
+ * database compromise alone doesn't surrender every shredded value's
+ * plaintext. This store satisfies that when its file is on a separate
+ * filesystem / volume / backup-policy from the Postgres data — the
+ * common production pattern is to mount this file from a secrets volume
+ * (AWS Secrets Manager file ref, mounted via Secrets Store CSI; or a
+ * dedicated EBS volume excluded from DB backups). Keeping the file on
+ * the same disk as Postgres data is *better than InMemory* but does not
+ * provide the strongest crypto-shred guarantee.
+ *
+ * For KMS-backed deployments, implement {@link SourceKeyStore} directly
+ * against the KMS API — this class is the simplest durable option for
+ * teams who don't want a KMS dependency.
+ */
+interface FileSourceKeyStoreOptions {
+    /**
+     * Absolute or relative filesystem path where the key map is persisted.
+     * Created if missing along with its parent directory. The file is
+     * always chmod'd to 0600 (owner read/write only) on write.
+     */
+    path: string;
+    /**
+     * Optional passphrase. When set, the file is encrypted at rest with
+     * AES-256-GCM under a scrypt-derived key (random salt per write). When
+     * omitted, the file is stored as plaintext JSON — only acceptable if
+     * the underlying filesystem already enforces secrecy (e.g. a Secrets
+     * Manager mount, an LUKS-encrypted volume, or an HSM-backed disk).
+     */
+    passphrase?: string;
+}
+declare class FileSourceKeyStore implements SourceKeyStore {
+    private readonly path;
+    private readonly passphrase;
+    private readonly cache;
+    constructor(opts: FileSourceKeyStoreOptions);
+    get(sourceId: string): Buffer | undefined;
+    getOrCreate(sourceId: string): Buffer;
+    destroy(sourceId: string): void;
+    /**
+     * Number of keys currently held — useful for diagnostics. Not part of
+     * the SourceKeyStore interface.
+     */
+    size(): number;
+    private load;
+    private persist;
+    private decodeFile;
+    private encodeFile;
+}
+
+export { type AddWorkspaceOptions, type AdoptNativeOptions, type AdoptResult, type ApplyWriteResult, type AudienceRowCtx, type AuditEvent, type AutoUpdateResult, type BelongsToRelation, type BelongsToSource, type BlobMetadata, type BuiltinTemplateName, CLOUD_SETTING_SYSTEM_PROMPT, CLOUD_SETTING_WORKSPACE_LOGO, CLOUD_SETTING_WORKSPACE_LOGO_ETAG, CONFIG_SUBDIR, type CatalogEntity, type CatalogRecord, type ChangeEntry, type ChangelogOptions, type ClassifyMatch, type CleanupOptions, type CleanupResult, type CloudProbeResult, type CountOptions, type CrawlOptions, type CrawlResult, type CustomSource, DEFAULT_ENTRY_TYPES, DEFAULT_TYPE_ALIASES, type DiscoveredTable, type EmbeddingsConfig, type EnrichOptions, type EnrichResult, type EnrichedSource, type EnrichmentLookup, type EntityContextDefinition, type EntityContextManifestEntry, type EntityFileManifestInfo, type EntityFileSource, type EntityFileSpec, type EntityProfileField, type EntityProfileSection, type EntityProfileTemplate, type EntityRenderSpec, type EntityRenderTemplate, type EntitySectionPerRow, type EntitySectionsTemplate, type EntityTableColumn, type EntityTableTemplate, type ExtractedObject, FileSourceKeyStore, type FileSourceKeyStoreOptions, type FilesRow, type Filter, type FilterOp, FoldCache, type FtsConfig, type FtsGroup, type FtsHit, type FtsOptions, type FtsResult, type GuiServerHandle, type HasManyRelation, type HasManySource, InMemorySourceKeyStore, InMemoryStateStore, type InitOptions, LOCAL_DB_RELPATH, Lattice, type LatticeConfig, type LatticeConfigInput, type LatticeEntityDef, type LatticeEntityRenderSpec, type LatticeFieldDef, type LatticeFieldType, type LatticeManifest, type LatticeOptions, type LinkOptions, type LlmClient, type LlmMessage, MEMBER_GROUP, type ManyToManySource, type MarkdownTableColumn, type MigrateResult, type Migration, type MigrationOptions, type MigrationProgress, type MigrationResult, type MultiTableDefinition, NATIVE_ENTITY_DEFS, NATIVE_ENTITY_NAMES, NATIVE_REGISTRY_TABLE, type Observation, type OrderBySpec, type OrganizeOptions, type OrganizeResult, type OrganizedCreation, type OrganizedLink, type ParseError, type ParseResult, type ParsedConfig, type PdfOptions, type PdfSenderInput, type PkLookup, PostgresAdapter, type PostgresAdapterOptions, type PreparedStatement, type PrimaryKey, ProgressThrottle, type QueryOptions, READ_ONLY_HEADER, ROOT_DIRNAME, type ReadOnlyHeaderOptions, type ReconcileOptions, type ReconcileResult, type RefKind, type RefProvider, type ReferenceMetadata, ReferenceUnavailableError, type Relation, type RemoteBlobStore, type RenderHooks, type RenderOptions, type RenderProgress, type RenderProgressCallback, type RenderProgressKind, type RenderResult, type RenderSpec, type ReportConfig, type ReportResult, type ReportSection, type ReportSectionResult, type ResolveOptions, type ReverseSeedDetection, type ReverseSeedResult, type ReverseSeedTableResult, type ReverseSyncError, type ReverseSyncResult, type ReverseSyncUpdate, type RewardScores, type Row, type RowVisibilityDefault, type S3Config, type S3StoreConfig, S3UnavailableError, SQLiteAdapter, type SchemaEntity, type SearchOptions, type SearchResult, type SecurityOptions, type SeedConfig, type SeedLinkSpec, SeedReconciliationError, type SeedResult, type SelfSource, type SessionEntry, type SessionParseOptions, type SessionWriteEntry, type SessionWriteOp, type SessionWriteParseResult, type SourceHandle, type SourceKeyStore, type SourceMetadata, type SourceQueryOptions, SourceShreddedError, type StartGuiServerOptions, type StopFn, type StorageAdapter, type SyncResult, type TableDefinition, type TablePolicy, type TemplateRenderSpec, type TurnParams, type TurnResult, type UnresolvedLink, type UpsertByNaturalKeyOptions, type UserIdentity, type UserPreferences, type Viewer, type VisionOptions, type VisionSenderInput, WORKSPACES_SUBDIR, type WatchOptions, type WorkspacePaths, type WorkspaceRecord, type WorkspaceRegistry, type WriteHook, type WriteHookContext, type WritebackDefinition, type WritebackStateStore, type WritebackValidationResult, activeWorkspaceLabel, addWorkspace, adoptNativeEntities, analyticsEnabled, applyTokenBudget, applyWriteEntry, archiveLocalSqlite, assertSafeUrl, attachBlob, audiencePredicate, audienceViewSql, autoFtsColumns, autoUpdate, backfillOwnership, canManageRoles, classifyLinks, cloudRlsInstalled, configDir, contentHash, crawlUrl, createReadOnlyHeader, createS3Store, createSQLiteStateStore, decrypt, defaultWorkspaceYaml, deleteDbCredential, deleteToken, deriveCanonicalContexts, deriveKey, describeImage, describePdf, discoverCloudTables, enableAudienceView, enableChangelogRls, enableRlsForTable, encrypt, enrichKnowledge, ensureFtsIndex, ensureLatticeRoot, entityFileNames, estimateTokens, extractObjects, findLatticeRoot, fixSchemaConflicts, foldEntity, frontmatter, ftsTableName, fullTextSearch, generateEntryId, generateMemberPassword, generateWriteEntryId, getActiveWorkspace, getCloudSetting, getDbCredential, getOrCreateMasterKey, getTablePolicy, getWorkspace, grantCell, hasFtsIndex, hashFile, importLegacyUserConfig, installCloudRls, installCloudSettings, isEncrypted, isNativeEntity, isPostgresUrl, isPrivateIp, isRowAudience, isV1EntityFiles, listDbCredentials, listNativeBindings, listTokens, listWorkspaces, loadColumnPolicy, manifestPath, markdownTable, memberRoleName, migrateLatticeData, normalizeEntityFiles, observationVisible, observationsFromChange, openTargetLatticeForMigration, openUnderSource, organizeSource, parseConfigFile, parseConfigString, parseMarkdownEntries, parseMatches, parseObjects, parseSessionMD, parseSessionWrites, probeCloud, providerForUrl, provisionMemberRole, readIdentity, readManifest, readPreferences, readRegistry, readToken, referenceLocalFile, referenceUrl, regenerateAudienceViewFromDb, registerNativeEntities, registryPath, resolveActiveS3Config, resolveLatticeRoot, resolveSource, resolveWorkspacePaths, revokeCell, revokeMemberRole, rootConfigDir, s3Key, saveDbCredential, saveDbCredentialForTeam, sealUnderSource, secureCloud, seedColumnPolicyFromYaml, setActiveWorkspace, setCloudSetting, setColumnAudience, setRowVisibility, setTableDefaultVisibility, setTableNeverShare, shredSource, slugify, startGuiServer, summarizeText, tableNeedsAudienceView, toSafeDirName, truncate, validateEntryId, workspaceBlobsDir, workspaceConfigPath, workspaceContextDir, workspaceDataDir, workspaceDbPath, workspaceDir, workspacesDir, writeIdentity, writeManifest, writePreferences, writeRegistry, writeToken };