latticesql 3.3.5 → 3.4.1

package/dist/index.d.cts

@@ -44,130 +44,6 @@ declare function manifestPath(outputDir: string): string;
 declare function readManifest(outputDir: string): LatticeManifest | null;
 declare function writeManifest(outputDir: string, manifest: LatticeManifest): void;
 
-/**
- * Adapter dialect identifier. Used by callers that need to issue
- * dialect-specific SQL (e.g. the migration runner's `pg_advisory_xact_lock`
- * on Postgres). Lattice itself uses this only for cross-dialect concerns
- * the dialect-translation layer can't paper over — most application code
- * should never need to branch on it.
- */
-type AdapterDialect = 'sqlite' | 'postgres';
-/** Pluggable storage backend interface */
-interface StorageAdapter {
-    /** Adapter dialect. Drives the few cross-dialect branches in lattice core. */
-    readonly dialect: AdapterDialect;
-    /** Execute a statement with no return value */
-    run(sql: string, params?: unknown[]): void;
-    /** Execute a statement and return one row or undefined */
-    get(sql: string, params?: unknown[]): Row | undefined;
-    /** Execute a statement and return all rows */
-    all(sql: string, params?: unknown[]): Row[];
-    /** Prepare and cache a statement for repeated execution */
-    prepare(sql: string): PreparedStatement;
-    /** Open the connection */
-    open(): void;
-    /** Close the connection */
-    close(): void;
-    /**
-     * Return the column names of a table. Used by the schema layer to detect
-     * missing columns and to drive entity-context queries. Implementations
-     * dispatch on their own dialect (SQLite uses `PRAGMA table_info`, Postgres
-     * uses `information_schema.columns`).
-     */
-    introspectColumns(table: string): string[];
-    /**
-     * Add a column to an existing table. Implementations handle dialect quirks:
-     * SQLite cannot use non-constant defaults in `ALTER TABLE ADD COLUMN` and
-     * must backfill them; Postgres handles `DEFAULT NOW()`/`DEFAULT random()`
-     * natively.
-     */
-    addColumn(table: string, column: string, typeSpec: string): void;
-    /** Async equivalent of run(). Returns when the statement has completed. */
-    runAsync?(sql: string, params?: unknown[]): Promise<void>;
-    /** Async equivalent of get(). */
-    getAsync?(sql: string, params?: unknown[]): Promise<Row | undefined>;
-    /** Async equivalent of all(). */
-    allAsync?(sql: string, params?: unknown[]): Promise<Row[]>;
-    /** Async equivalent of introspectColumns(). Used by the boot-path schema apply. */
-    introspectColumnsAsync?(table: string): Promise<string[]>;
-    /** Async equivalent of addColumn(). Used by the boot-path schema apply. */
-    addColumnAsync?(table: string, column: string, typeSpec: string): Promise<void>;
-    /**
-     * Async equivalent of prepare().
-     *
-     * Note: in Postgres under transaction-mode pooling (pgbouncer port 6543),
-     * server-side prepared statements cannot persist across calls because the
-     * upstream connection is returned to the pool at COMMIT. The PostgresAdapter
-     * implementation therefore stores SQL + binding shape and re-executes per
-     * call — semantically a prepared statement, but without SQLite-style
-     * binding cost amortization. SQLite's implementation keeps real prepared
-     * statements via better-sqlite3.
-     *
-     * Inside `withClient(fn)`, prefer the `tx.run`/`tx.get`/`tx.all` methods
-     * directly rather than `prepareAsync` — they share the same checked-out
-     * client for the transaction lifetime and avoid the per-call setup.
-     */
-    prepareAsync?(sql: string): PreparedStatementAsync;
-    /**
-     * Run `fn` against a single connection-scoped client, wrapped in BEGIN/COMMIT.
-     * `fn` receives a `TxClient` whose `run`/`get`/`all` calls are guaranteed to
-     * land on the same upstream connection for the lifetime of the transaction.
-     * Throws inside `fn` cause an automatic ROLLBACK; otherwise the transaction
-     * commits when `fn` resolves.
-     *
-     * Replacement for raw `adapter.run('BEGIN')` / `adapter.run('COMMIT')`
-     * sequences. With `pg.Pool`-backed adapters, raw BEGIN/COMMIT calls can
-     * land on different upstream connections and break atomicity silently;
-     * `withClient(fn)` is the only way to hold a single connection across the
-     * entire transaction.
-     *
-     * SQLite implementations may execute `fn` inside `db.transaction(fn)` (or
-     * the equivalent `BEGIN`/`COMMIT` sequence) since better-sqlite3 has no
-     * pool to reason about — every operation runs against the single open
-     * connection. The TxClient surface is intentionally identical across
-     * dialects so callers don't need to branch on adapter type.
-     */
-    withClient?<T>(fn: (tx: TxClient) => Promise<T>): Promise<T>;
-}
-interface PreparedStatement {
-    run(...params: unknown[]): {
-        changes: number;
-        lastInsertRowid: number | bigint;
-    };
-    get(...params: unknown[]): Row | undefined;
-    all(...params: unknown[]): Row[];
-}
-/** Async equivalent of {@link PreparedStatement}. */
-interface PreparedStatementAsync {
-    run(...params: unknown[]): Promise<{
-        changes: number;
-        lastInsertRowid: number | bigint;
-    }>;
-    get(...params: unknown[]): Promise<Row | undefined>;
-    all(...params: unknown[]): Promise<Row[]>;
-}
-/**
- * Connection-scoped client passed to `StorageAdapter.withClient(fn)`. All
- * `run`/`get`/`all` calls made against the same `TxClient` instance are
- * guaranteed to land on the same upstream connection for the transaction's
- * lifetime — that's the whole point of withClient. This makes raw BEGIN/COMMIT
- * call-site migrations to withClient mechanical: rename `this._adapter.run(sql, params)`
- * to `await tx.run(sql, params)`, drop the manual BEGIN/COMMIT/ROLLBACK lines.
- *
- * `run` returns `{ changes }` so callers that count affected rows (e.g.
- * INSERT-OR-IGNORE patterns) can do so without an extra SELECT roundtrip.
- * SQLite reports `db.prepare(...).run(...).changes`; Postgres reports
- * `pg.QueryResult.rowCount` (zero when the driver doesn't surface a count
- * for the query type, matching the SQLite contract).
- */
-interface TxClient {
-    run(sql: string, params?: unknown[]): Promise<{
-        changes: number;
-    }>;
-    get(sql: string, params?: unknown[]): Promise<Row | undefined>;
-    all(sql: string, params?: unknown[]): Promise<Row[]>;
-}
-
 /**
  * Optional query refinements shared by `hasMany`, `manyToMany`, and
  * `belongsTo` sources.  All fields are additive — omitting them preserves
@@ -1685,6 +1561,154 @@ interface ReconcileResult extends RenderResult {
     reverseSeedRequired: ReverseSeedDetection[];
 }
 
+/**
+ * Adapter dialect identifier. Used by callers that need to issue
+ * dialect-specific SQL (e.g. the migration runner's `pg_advisory_xact_lock`
+ * on Postgres). Lattice itself uses this only for cross-dialect concerns
+ * the dialect-translation layer can't paper over — most application code
+ * should never need to branch on it.
+ */
+type AdapterDialect = 'sqlite' | 'postgres';
+/** Pluggable storage backend interface */
+interface StorageAdapter {
+    /** Adapter dialect. Drives the few cross-dialect branches in lattice core. */
+    readonly dialect: AdapterDialect;
+    /** Execute a statement with no return value */
+    run(sql: string, params?: unknown[]): void;
+    /** Execute a statement and return one row or undefined */
+    get(sql: string, params?: unknown[]): Row | undefined;
+    /** Execute a statement and return all rows */
+    all(sql: string, params?: unknown[]): Row[];
+    /** Prepare and cache a statement for repeated execution */
+    prepare(sql: string): PreparedStatement;
+    /** Open the connection */
+    open(): void;
+    /** Close the connection */
+    close(): void;
+    /**
+     * Return the column names of a table. Used by the schema layer to detect
+     * missing columns and to drive entity-context queries. Implementations
+     * dispatch on their own dialect (SQLite uses `PRAGMA table_info`, Postgres
+     * uses `information_schema.columns`).
+     */
+    introspectColumns(table: string): string[];
+    /**
+     * Add a column to an existing table. Implementations handle dialect quirks:
+     * SQLite cannot use non-constant defaults in `ALTER TABLE ADD COLUMN` and
+     * must backfill them; Postgres handles `DEFAULT NOW()`/`DEFAULT random()`
+     * natively.
+     */
+    addColumn(table: string, column: string, typeSpec: string): void;
+    /** Async equivalent of run(). Returns when the statement has completed. */
+    runAsync?(sql: string, params?: unknown[]): Promise<void>;
+    /** Async equivalent of get(). */
+    getAsync?(sql: string, params?: unknown[]): Promise<Row | undefined>;
+    /** Async equivalent of all(). */
+    allAsync?(sql: string, params?: unknown[]): Promise<Row[]>;
+    /** Async equivalent of introspectColumns(). Used by the boot-path schema apply. */
+    introspectColumnsAsync?(table: string): Promise<string[]>;
+    /** Async equivalent of addColumn(). Used by the boot-path schema apply. */
+    addColumnAsync?(table: string, column: string, typeSpec: string): Promise<void>;
+    /**
+     * Async equivalent of prepare().
+     *
+     * Note: in Postgres under transaction-mode pooling (pgbouncer port 6543),
+     * server-side prepared statements cannot persist across calls because the
+     * upstream connection is returned to the pool at COMMIT. The PostgresAdapter
+     * implementation therefore stores SQL + binding shape and re-executes per
+     * call — semantically a prepared statement, but without SQLite-style
+     * binding cost amortization. SQLite's implementation keeps real prepared
+     * statements via better-sqlite3.
+     *
+     * Inside `withClient(fn)`, prefer the `tx.run`/`tx.get`/`tx.all` methods
+     * directly rather than `prepareAsync` — they share the same checked-out
+     * client for the transaction lifetime and avoid the per-call setup.
+     */
+    prepareAsync?(sql: string): PreparedStatementAsync;
+    /**
+     * Run `fn` against a single connection-scoped client, wrapped in BEGIN/COMMIT.
+     * `fn` receives a `TxClient` whose `run`/`get`/`all` calls are guaranteed to
+     * land on the same upstream connection for the lifetime of the transaction.
+     * Throws inside `fn` cause an automatic ROLLBACK; otherwise the transaction
+     * commits when `fn` resolves.
+     *
+     * Replacement for raw `adapter.run('BEGIN')` / `adapter.run('COMMIT')`
+     * sequences. With `pg.Pool`-backed adapters, raw BEGIN/COMMIT calls can
+     * land on different upstream connections and break atomicity silently;
+     * `withClient(fn)` is the only way to hold a single connection across the
+     * entire transaction.
+     *
+     * SQLite implementations may execute `fn` inside `db.transaction(fn)` (or
+     * the equivalent `BEGIN`/`COMMIT` sequence) since better-sqlite3 has no
+     * pool to reason about — every operation runs against the single open
+     * connection. The TxClient surface is intentionally identical across
+     * dialects so callers don't need to branch on adapter type.
+     */
+    withClient?<T>(fn: (tx: TxClient) => Promise<T>): Promise<T>;
+}
+interface PreparedStatement {
+    run(...params: unknown[]): {
+        changes: number;
+        lastInsertRowid: number | bigint;
+    };
+    get(...params: unknown[]): Row | undefined;
+    all(...params: unknown[]): Row[];
+}
+/** Async equivalent of {@link PreparedStatement}. */
+interface PreparedStatementAsync {
+    run(...params: unknown[]): Promise<{
+        changes: number;
+        lastInsertRowid: number | bigint;
+    }>;
+    get(...params: unknown[]): Promise<Row | undefined>;
+    all(...params: unknown[]): Promise<Row[]>;
+}
+/**
+ * Connection-scoped client passed to `StorageAdapter.withClient(fn)`. All
+ * `run`/`get`/`all` calls made against the same `TxClient` instance are
+ * guaranteed to land on the same upstream connection for the transaction's
+ * lifetime — that's the whole point of withClient. This makes raw BEGIN/COMMIT
+ * call-site migrations to withClient mechanical: rename `this._adapter.run(sql, params)`
+ * to `await tx.run(sql, params)`, drop the manual BEGIN/COMMIT/ROLLBACK lines.
+ *
+ * `run` returns `{ changes }` so callers that count affected rows (e.g.
+ * INSERT-OR-IGNORE patterns) can do so without an extra SELECT roundtrip.
+ * SQLite reports `db.prepare(...).run(...).changes`; Postgres reports
+ * `pg.QueryResult.rowCount` (zero when the driver doesn't surface a count
+ * for the query type, matching the SQLite contract).
+ */
+interface TxClient {
+    run(sql: string, params?: unknown[]): Promise<{
+        changes: number;
+    }>;
+    get(sql: string, params?: unknown[]): Promise<Row | undefined>;
+    all(sql: string, params?: unknown[]): Promise<Row[]>;
+}
+
+/**
+ * Options for {@link ReverseSyncEngine.process}.
+ *
+ * With no options the engine keeps its original behavior: only files with a
+ * hand-written `reverseSync` are processed, and updates are applied via raw SQL.
+ * The GUI file-loopback passes `apply` (to route writes through the changelog
+ * path so a file edit is version-controlled exactly like a GUI edit) and
+ * `useDefault` (to round-trip frontmatter + body `key: value` fields for files
+ * that have no hand-written `reverseSync`).
+ */
+interface ReverseSyncProcessOptions {
+    /** Apply each update through a changelog-aware path instead of raw SQL. */
+    apply?: (update: ReverseSyncUpdate) => Promise<void>;
+    /** Derive updates for files lacking a hand-written `reverseSync`. */
+    useDefault?: boolean;
+    /** Called when a changed file produced no importable update (free-form/custom render). */
+    onSkip?: (info: {
+        table: string;
+        slug: string;
+        filename: string;
+        filePath: string;
+    }) => void;
+}
+
 /**
  * Cryptographic erasure ("crypto-shred") for sources flagged sensitive.
  *
@@ -1792,6 +1816,16 @@ type RenderProgressCallback = (event: RenderProgress) => void;
 interface RenderOptions {
     onProgress?: RenderProgressCallback;
     signal?: AbortSignal;
+    /**
+     * Incremental render scope. When set, ONLY the entity-context tables affected
+     * by a change to one of these tables are re-rendered — the changed table itself
+     * plus any entity context that SOURCES from it (cross-table dependents) — and
+     * every other table's manifest entry + rendered files are left untouched. Used
+     * by the auto-render that fires on a single write or a single remote (cloud)
+     * change, so a one-row edit re-renders one entity instead of the whole tree.
+     * Omitted → a full render of everything (initial open, explicit `render()`).
+     */
+    changedTables?: ReadonlySet<string>;
 }
 /**
  * Coalesces high-frequency `table-progress` events down to ≤ ~5/sec per table,
@@ -1879,6 +1913,16 @@ declare class Lattice {
     private _autoRenderPending;
     private _autoRenderInFlight;
     private _autoRenderDebounceMs;
+    /**
+     * Incremental auto-render scope, accumulated between debounced renders. A write
+     * or a remote (cloud) change records the AFFECTED table here, so the next
+     * auto-render re-renders only that entity (+ its cross-table dependents) instead
+     * of the whole tree. `_pendingRenderAll` forces a full render (the initial
+     * render, or a change with no known table). Captured + reset when a render
+     * starts, so changes during a render re-accumulate and re-trigger.
+     */
+    private _pendingRenderTables;
+    private _pendingRenderAll;
     /** Cache of actual table columns (from PRAGMA), populated after init(). */
     private readonly _columnCache;
     /** Derived encryption key (from options.encryptionKey via scrypt). */
@@ -2276,6 +2320,55 @@ declare class Lattice {
      * not swallowed here.
      */
     renderInBackground(outputDir: string, opts?: RenderOptions): Promise<RenderResult>;
+    /**
+     * Install a per-viewer read-relation resolver for ALL renders (initial,
+     * background, and the debounced auto-render that fires after every write).
+     * A cloud member open passes `(t) => maskedReadViews.get(t) ?? t` so the
+     * rendered context tree is read THROUGH the member's RLS connection + masking
+     * views — making the on-disk tree the viewer's own scoped projection. Owner /
+     * local SQLite leave it unset → identity → unchanged behavior. Set on the
+     * engine (not per-render-call) so the opts-less auto-render path masks too.
+     */
+    setRenderReadRelation(fn: (table: string) => string): void;
+    /**
+     * Turn on the per-viewer enrichment fold for ALL renders. A cloud member open
+     * calls this so the rendered context overlays the member-visible DERIVED
+     * observations onto each ground row ({@link foldRenderRows}). Owner / local
+     * SQLite leave it off → ground truth renders unchanged.
+     */
+    enableRenderFold(): void;
+    /**
+     * Request a debounced re-render (the same coalesced, pending-requeue path that
+     * a local write triggers). Used to eagerly refresh a cloud member's rendered
+     * tree when a REMOTE change arrives — notably an owner re-sharing or un-sharing
+     * a row, after which the member's per-viewer projection must be recompiled. A
+     * no-op when auto-render isn't enabled.
+     *
+     * Pass the CHANGED table so only that entity (+ its cross-table dependents) is
+     * re-rendered instead of the whole tree; omit it to force a full render.
+     */
+    requestRender(table?: string): void;
+    /**
+     * True while a render is actively writing the context tree + manifest (auto-
+     * render OR a guarded background render). The file-loopback watcher checks this
+     * to avoid reverse-syncing mid-render — a pass then would read half-written
+     * output whose manifest hash hasn't caught up yet and re-ingest the render's
+     * OWN writes as spurious "file-edit" changes.
+     */
+    isRendering(): boolean;
+    /**
+     * Fold the viewer-visible DERIVED observations onto a table's ground rows in one
+     * batched changelog read — the render-time, whole-table analogue of
+     * {@link foldForViewer} (which is per-row). Read THROUGH this connection: on a
+     * cloud member connection the changelog RLS (`lattice_changelog_sel`) already
+     * drops any derived observation whose sources the member can't all reach AND
+     * hides every owner-only ground-truth/audit entry — so what returns is exactly
+     * the member-visible derived set, and overlaying it is leak-free by construction
+     * (the database, not this code, is the enforcement point). One read per table,
+     * never per row (the per-row `history()` fan-out would be an unbounded hot-path
+     * cost). A no-op when the changelog substrate is absent or nothing is derived.
+     */
+    foldRenderRows(table: string, rows: Row[]): Promise<Row[]>;
     sync(outputDir: string): Promise<SyncResult>;
     /**
      * Recover rows from rendered files into empty database tables.
@@ -2291,6 +2384,28 @@ declare class Lattice {
      */
     reverseSeed(outputDir: string): Promise<ReverseSeedResult>;
     reconcile(outputDir: string, options?: ReconcileOptions): Promise<ReconcileResult>;
+    /** Build/refresh the full-text index for every `fts`-configured table (idempotent;
+     *  `ensureFtsIndex` creates the index, triggers, and backfills existing rows). */
+    private _buildFtsIndexes;
+    /**
+     * Rebuild the full-text search indexes for all `fts`-configured tables and
+     * backfill existing rows. `init()` runs this on an empty DB; this public entry
+     * point re-runs it AFTER rows are present — notably after a migrate-to-cloud row
+     * copy, which otherwise leaves the cloud with data but no `__lattice_fts_*`
+     * tables (so search/the assistant find nothing). Idempotent.
+     */
+    rebuildFtsIndexes(): Promise<void>;
+    /**
+     * Run reverse-sync against the rendered tree at `outputDir` and return what was
+     * applied. Unlike {@link reconcile} (which runs reverse-sync with raw SQL as a
+     * pre-render step), this is the changelog-aware entry point the GUI file-loopback
+     * uses: pass `apply` to route each update through a versioned write (so a file
+     * edit is recorded exactly like a GUI edit) and `useDefault` to round-trip
+     * frontmatter + body `key: value` fields for files lacking a hand-written
+     * `reverseSync`. Compares file hashes against the current manifest, so a
+     * render-written file is recognized as an echo and skipped.
+     */
+    reverseSyncFromFiles(outputDir: string, opts?: ReverseSyncProcessOptions): Promise<ReverseSyncResult>;
     watch(outputDir: string, opts?: WatchOptions): Promise<StopFn>;
     on(event: 'audit', handler: EventHandler<AuditEvent>): this;
     on(event: 'render', handler: EventHandler<RenderResult>): this;
@@ -2391,6 +2506,10 @@ declare class Lattice {
     /** Turn off automatic rendering and cancel any pending render. */
     disableAutoRender(): this;
     private _scheduleAutoRender;
+    /** Arm the debounce timer if not already armed. Does NOT change the render
+     *  scope — used both by `_scheduleAutoRender` and the post-render re-arm so a
+     *  re-arm never escalates a pending incremental render to a full one. */
+    private _armAutoRenderTimer;
     /**
      * Shared single-flight render path used by {@link renderInBackground}.
      *
@@ -4148,14 +4267,6 @@ declare function provisionMemberRole(db: Lattice, role: string, password: string
  * its columns joined by TAB, matching Lattice's serialization.
  */
 declare function setRowVisibility(db: Lattice, table: string, pk: string, visibility: string): Promise<void>;
-/**
- * Per-card audience override: grant (or revoke) one member access to ONE masked
- * cell — a specific (table, pk, column) — without changing the column's
- * schema-level audience. Owner-only (the SQL function raises for a non-owner).
- * `pk` is the row's canonical primary-key string.
- */
-declare function grantCell(db: Lattice, table: string, pk: string, column: string, grantee: string): Promise<void>;
-declare function revokeCell(db: Lattice, table: string, pk: string, column: string, grantee: string): Promise<void>;
 /**
  * Remove a member: clear its privileges and drop the role. NOTE: rows the member
  * owned remain in their tables but become unreachable (their `owner_role` no
@@ -4191,6 +4302,22 @@ interface DiscoveredTable {
  */
 declare function discoverCloudTables(db: Lattice): Promise<DiscoveredTable[]>;
 
+/**
+ * Per-column audience → a generated cell-masking view (Stage 2 of the per-viewer
+ * enrichment model). Postgres RLS is whole-row; column-level masking is layered
+ * on with one generated view per entity: every column passes through, except a
+ * column with a non-default `audience`, which becomes
+ * `CASE WHEN <audience-predicate> THEN col END` — masked cells read as NULL, so
+ * `SELECT *` keeps working and the column stays a real column (no side tables).
+ *
+ * The `owner` predicate calls the `session_user`-keyed `SECURITY DEFINER` helper
+ * `lattice_is_owner` from the RLS bootstrap, so the mask binds to the real member
+ * even though the view executes with its owner's rights. That identity choice is
+ * what lets an owner-defined view filter per-viewer without re-broadening.
+ *
+ * The view is a rendered artifact, generated from schema metadata, never
+ * hand-edited. Postgres-only; SQLite (single-user, local) needs no masking.
+ */
 /** Row context the `owner` clause needs (the table literal + pk SQL expression). */
 interface AudienceRowCtx {
     tableLit: string;
@@ -4199,9 +4326,9 @@ interface AudienceRowCtx {
 /** True when this audience means "no mask" (visible to whoever can see the row). */
 declare function isRowAudience(audience: string | undefined): boolean;
 /**
- * Compile a column `audience` spec into a boolean SQL predicate over the helper
- * functions. Returns `'true'` for the row-audience / everyone case. Throws on an
- * unknown or malformed clause.
+ * Compile a column `audience` spec into a boolean SQL predicate. Returns `'true'`
+ * for the row-audience / everyone case, `lattice_is_owner(...)` for the owner
+ * (secret-column) case. Throws on anything else — fail closed.
  */
 declare function audiencePredicate(audience: string, ctx?: AudienceRowCtx): string;
 /** Whether a table needs a masking view at all (any column has a real audience). */
@@ -4382,7 +4509,7 @@ declare function secureCloud(db: Lattice): Promise<void>;
  *     **app-mediated** (hidden from the UI + every API response), NOT cryptographic
  *     — a member CAN read the value from their own session if they go looking.
  *   - `lattice_set_cloud_setting(key, value)` — owner-only (RAISEs unless the
- *     caller can create roles, the same gate as `lattice_assign_role`).
+ *     caller can create roles, the cloud-owner gate).
  *
  * Postgres-only: a local SQLite workspace is single-user, so there is nothing to
  * keep secret and these are all no-ops / null there.
@@ -4767,6 +4894,15 @@ interface StartGuiServerOptions {
      * Omitted ⇒ the broker's default (20s). 0 disables it.
      */
     realtimeWatchdogMs?: number;
+    /**
+     * Run the in-process auto-update poll: while the GUI is open, check npm for a
+     * newer version and, when one lands on an installable copy, install it and
+     * exit with the supervisor's restart code so it relaunches on the new version.
+     * Set ONLY for a supervised child (`LATTICE_GUI_SUPERVISED=1`) — exiting to
+     * apply an update is safe only when a supervisor is there to respawn it.
+     * `GET /api/version` + `GET /api/update/status` are served regardless.
+     */
+    selfUpdate?: boolean;
 }
 interface GuiServerHandle {
     server: Server;
@@ -4840,4 +4976,4 @@ declare class FileSourceKeyStore implements SourceKeyStore {
     private encodeFile;
 }
 
-export { type AddWorkspaceOptions, type AdoptNativeOptions, type AdoptResult, type ApplyWriteResult, type AudienceRowCtx, type AuditEvent, type AutoUpdateResult, type BelongsToRelation, type BelongsToSource, type BlobMetadata, type BuiltinTemplateName, CLOUD_SETTING_SYSTEM_PROMPT, CLOUD_SETTING_WORKSPACE_LOGO, CLOUD_SETTING_WORKSPACE_LOGO_ETAG, CONFIG_SUBDIR, type CatalogEntity, type CatalogRecord, type ChangeEntry, type ChangelogOptions, type ClassifyMatch, type CleanupOptions, type CleanupResult, type CloudProbeResult, type CountOptions, type CrawlOptions, type CrawlResult, type CustomSource, DEFAULT_ENTRY_TYPES, DEFAULT_TYPE_ALIASES, type DiscoveredTable, type EmbeddingsConfig, type EnrichOptions, type EnrichResult, type EnrichedSource, type EnrichmentLookup, type EntityContextDefinition, type EntityContextManifestEntry, type EntityFileManifestInfo, type EntityFileSource, type EntityFileSpec, type EntityProfileField, type EntityProfileSection, type EntityProfileTemplate, type EntityRenderSpec, type EntityRenderTemplate, type EntitySectionPerRow, type EntitySectionsTemplate, type EntityTableColumn, type EntityTableTemplate, type ExtractedObject, FileSourceKeyStore, type FileSourceKeyStoreOptions, type FilesRow, type Filter, type FilterOp, FoldCache, type FtsConfig, type FtsGroup, type FtsHit, type FtsOptions, type FtsResult, type GuiServerHandle, type HasManyRelation, type HasManySource, InMemorySourceKeyStore, InMemoryStateStore, type InitOptions, LOCAL_DB_RELPATH, Lattice, type LatticeConfig, type LatticeConfigInput, type LatticeEntityDef, type LatticeEntityRenderSpec, type LatticeFieldDef, type LatticeFieldType, type LatticeManifest, type LatticeOptions, type LinkOptions, type LlmClient, type LlmMessage, MEMBER_GROUP, type ManyToManySource, type MarkdownTableColumn, type MigrateResult, type Migration, type MigrationOptions, type MigrationProgress, type MigrationResult, type MultiTableDefinition, NATIVE_ENTITY_DEFS, NATIVE_ENTITY_NAMES, NATIVE_REGISTRY_TABLE, type Observation, type OrderBySpec, type OrganizeOptions, type OrganizeResult, type OrganizedCreation, type OrganizedLink, type ParseError, type ParseResult, type ParsedConfig, type PdfOptions, type PdfSenderInput, type PkLookup, PostgresAdapter, type PostgresAdapterOptions, type PreparedStatement, type PrimaryKey, ProgressThrottle, type QueryOptions, READ_ONLY_HEADER, ROOT_DIRNAME, type ReadOnlyHeaderOptions, type ReconcileOptions, type ReconcileResult, type RefKind, type RefProvider, type ReferenceMetadata, ReferenceUnavailableError, type Relation, type RemoteBlobStore, type RenderHooks, type RenderOptions, type RenderProgress, type RenderProgressCallback, type RenderProgressKind, type RenderResult, type RenderSpec, type ReportConfig, type ReportResult, type ReportSection, type ReportSectionResult, type ResolveOptions, type ReverseSeedDetection, type ReverseSeedResult, type ReverseSeedTableResult, type ReverseSyncError, type ReverseSyncResult, type ReverseSyncUpdate, type RewardScores, type Row, type RowVisibilityDefault, type S3Config, type S3StoreConfig, S3UnavailableError, SQLiteAdapter, type SchemaEntity, type SearchOptions, type SearchResult, type SecurityOptions, type SeedConfig, type SeedLinkSpec, SeedReconciliationError, type SeedResult, type SelfSource, type SessionEntry, type SessionParseOptions, type SessionWriteEntry, type SessionWriteOp, type SessionWriteParseResult, type SourceHandle, type SourceKeyStore, type SourceMetadata, type SourceQueryOptions, SourceShreddedError, type StartGuiServerOptions, type StopFn, type StorageAdapter, type SyncResult, type TableDefinition, type TablePolicy, type TemplateRenderSpec, type TurnParams, type TurnResult, type UnresolvedLink, type UpsertByNaturalKeyOptions, type UserIdentity, type UserPreferences, type Viewer, type VisionOptions, type VisionSenderInput, WORKSPACES_SUBDIR, type WatchOptions, type WorkspacePaths, type WorkspaceRecord, type WorkspaceRegistry, type WriteHook, type WriteHookContext, type WritebackDefinition, type WritebackStateStore, type WritebackValidationResult, activeWorkspaceLabel, addWorkspace, adoptNativeEntities, analyticsEnabled, applyTokenBudget, applyWriteEntry, archiveLocalSqlite, assertSafeUrl, attachBlob, audiencePredicate, audienceViewSql, autoFtsColumns, autoUpdate, backfillOwnership, canManageRoles, classifyLinks, cloudRlsInstalled, configDir, contentHash, crawlUrl, createReadOnlyHeader, createS3Store, createSQLiteStateStore, decrypt, defaultWorkspaceYaml, deleteDbCredential, deleteToken, deriveCanonicalContexts, deriveKey, describeImage, describePdf, discoverCloudTables, enableAudienceView, enableChangelogRls, enableRlsForTable, encrypt, enrichKnowledge, ensureFtsIndex, ensureLatticeRoot, entityFileNames, estimateTokens, extractObjects, findLatticeRoot, fixSchemaConflicts, foldEntity, frontmatter, ftsTableName, fullTextSearch, generateEntryId, generateMemberPassword, generateWriteEntryId, getActiveWorkspace, getCloudSetting, getDbCredential, getOrCreateMasterKey, getTablePolicy, getWorkspace, grantCell, hasFtsIndex, hashFile, importLegacyUserConfig, installCloudRls, installCloudSettings, isEncrypted, isNativeEntity, isPostgresUrl, isPrivateIp, isRowAudience, isV1EntityFiles, listDbCredentials, listNativeBindings, listTokens, listWorkspaces, loadColumnPolicy, manifestPath, markdownTable, memberRoleName, migrateLatticeData, normalizeEntityFiles, observationVisible, observationsFromChange, openTargetLatticeForMigration, openUnderSource, organizeSource, parseConfigFile, parseConfigString, parseMarkdownEntries, parseMatches, parseObjects, parseSessionMD, parseSessionWrites, probeCloud, providerForUrl, provisionMemberRole, readIdentity, readManifest, readPreferences, readRegistry, readToken, referenceLocalFile, referenceUrl, regenerateAudienceViewFromDb, registerNativeEntities, registryPath, resolveActiveS3Config, resolveLatticeRoot, resolveSource, resolveWorkspacePaths, revokeCell, revokeMemberRole, rootConfigDir, s3Key, saveDbCredential, saveDbCredentialForTeam, sealUnderSource, secureCloud, seedColumnPolicyFromYaml, setActiveWorkspace, setCloudSetting, setColumnAudience, setRowVisibility, setTableDefaultVisibility, setTableNeverShare, shredSource, slugify, startGuiServer, summarizeText, tableNeedsAudienceView, toSafeDirName, truncate, validateEntryId, workspaceBlobsDir, workspaceConfigPath, workspaceContextDir, workspaceDataDir, workspaceDbPath, workspaceDir, workspacesDir, writeIdentity, writeManifest, writePreferences, writeRegistry, writeToken };
+export { type AddWorkspaceOptions, type AdoptNativeOptions, type AdoptResult, type ApplyWriteResult, type AudienceRowCtx, type AuditEvent, type AutoUpdateResult, type BelongsToRelation, type BelongsToSource, type BlobMetadata, type BuiltinTemplateName, CLOUD_SETTING_SYSTEM_PROMPT, CLOUD_SETTING_WORKSPACE_LOGO, CLOUD_SETTING_WORKSPACE_LOGO_ETAG, CONFIG_SUBDIR, type CatalogEntity, type CatalogRecord, type ChangeEntry, type ChangelogOptions, type ClassifyMatch, type CleanupOptions, type CleanupResult, type CloudProbeResult, type CountOptions, type CrawlOptions, type CrawlResult, type CustomSource, DEFAULT_ENTRY_TYPES, DEFAULT_TYPE_ALIASES, type DiscoveredTable, type EmbeddingsConfig, type EnrichOptions, type EnrichResult, type EnrichedSource, type EnrichmentLookup, type EntityContextDefinition, type EntityContextManifestEntry, type EntityFileManifestInfo, type EntityFileSource, type EntityFileSpec, type EntityProfileField, type EntityProfileSection, type EntityProfileTemplate, type EntityRenderSpec, type EntityRenderTemplate, type EntitySectionPerRow, type EntitySectionsTemplate, type EntityTableColumn, type EntityTableTemplate, type ExtractedObject, FileSourceKeyStore, type FileSourceKeyStoreOptions, type FilesRow, type Filter, type FilterOp, FoldCache, type FtsConfig, type FtsGroup, type FtsHit, type FtsOptions, type FtsResult, type GuiServerHandle, type HasManyRelation, type HasManySource, InMemorySourceKeyStore, InMemoryStateStore, type InitOptions, LOCAL_DB_RELPATH, Lattice, type LatticeConfig, type LatticeConfigInput, type LatticeEntityDef, type LatticeEntityRenderSpec, type LatticeFieldDef, type LatticeFieldType, type LatticeManifest, type LatticeOptions, type LinkOptions, type LlmClient, type LlmMessage, MEMBER_GROUP, type ManyToManySource, type MarkdownTableColumn, type MigrateResult, type Migration, type MigrationOptions, type MigrationProgress, type MigrationResult, type MultiTableDefinition, NATIVE_ENTITY_DEFS, NATIVE_ENTITY_NAMES, NATIVE_REGISTRY_TABLE, type Observation, type OrderBySpec, type OrganizeOptions, type OrganizeResult, type OrganizedCreation, type OrganizedLink, type ParseError, type ParseResult, type ParsedConfig, type PdfOptions, type PdfSenderInput, type PkLookup, PostgresAdapter, type PostgresAdapterOptions, type PreparedStatement, type PrimaryKey, ProgressThrottle, type QueryOptions, READ_ONLY_HEADER, ROOT_DIRNAME, type ReadOnlyHeaderOptions, type ReconcileOptions, type ReconcileResult, type RefKind, type RefProvider, type ReferenceMetadata, ReferenceUnavailableError, type Relation, type RemoteBlobStore, type RenderHooks, type RenderOptions, type RenderProgress, type RenderProgressCallback, type RenderProgressKind, type RenderResult, type RenderSpec, type ReportConfig, type ReportResult, type ReportSection, type ReportSectionResult, type ResolveOptions, type ReverseSeedDetection, type ReverseSeedResult, type ReverseSeedTableResult, type ReverseSyncError, type ReverseSyncResult, type ReverseSyncUpdate, type RewardScores, type Row, type RowVisibilityDefault, type S3Config, type S3StoreConfig, S3UnavailableError, SQLiteAdapter, type SchemaEntity, type SearchOptions, type SearchResult, type SecurityOptions, type SeedConfig, type SeedLinkSpec, SeedReconciliationError, type SeedResult, type SelfSource, type SessionEntry, type SessionParseOptions, type SessionWriteEntry, type SessionWriteOp, type SessionWriteParseResult, type SourceHandle, type SourceKeyStore, type SourceMetadata, type SourceQueryOptions, SourceShreddedError, type StartGuiServerOptions, type StopFn, type StorageAdapter, type SyncResult, type TableDefinition, type TablePolicy, type TemplateRenderSpec, type TurnParams, type TurnResult, type UnresolvedLink, type UpsertByNaturalKeyOptions, type UserIdentity, type UserPreferences, type Viewer, type VisionOptions, type VisionSenderInput, WORKSPACES_SUBDIR, type WatchOptions, type WorkspacePaths, type WorkspaceRecord, type WorkspaceRegistry, type WriteHook, type WriteHookContext, type WritebackDefinition, type WritebackStateStore, type WritebackValidationResult, activeWorkspaceLabel, addWorkspace, adoptNativeEntities, analyticsEnabled, applyTokenBudget, applyWriteEntry, archiveLocalSqlite, assertSafeUrl, attachBlob, audiencePredicate, audienceViewSql, autoFtsColumns, autoUpdate, backfillOwnership, canManageRoles, classifyLinks, cloudRlsInstalled, configDir, contentHash, crawlUrl, createReadOnlyHeader, createS3Store, createSQLiteStateStore, decrypt, defaultWorkspaceYaml, deleteDbCredential, deleteToken, deriveCanonicalContexts, deriveKey, describeImage, describePdf, discoverCloudTables, enableAudienceView, enableChangelogRls, enableRlsForTable, encrypt, enrichKnowledge, ensureFtsIndex, ensureLatticeRoot, entityFileNames, estimateTokens, extractObjects, findLatticeRoot, fixSchemaConflicts, foldEntity, frontmatter, ftsTableName, fullTextSearch, generateEntryId, generateMemberPassword, generateWriteEntryId, getActiveWorkspace, getCloudSetting, getDbCredential, getOrCreateMasterKey, getTablePolicy, getWorkspace, hasFtsIndex, hashFile, importLegacyUserConfig, installCloudRls, installCloudSettings, isEncrypted, isNativeEntity, isPostgresUrl, isPrivateIp, isRowAudience, isV1EntityFiles, listDbCredentials, listNativeBindings, listTokens, listWorkspaces, loadColumnPolicy, manifestPath, markdownTable, memberRoleName, migrateLatticeData, normalizeEntityFiles, observationVisible, observationsFromChange, openTargetLatticeForMigration, openUnderSource, organizeSource, parseConfigFile, parseConfigString, parseMarkdownEntries, parseMatches, parseObjects, parseSessionMD, parseSessionWrites, probeCloud, providerForUrl, provisionMemberRole, readIdentity, readManifest, readPreferences, readRegistry, readToken, referenceLocalFile, referenceUrl, regenerateAudienceViewFromDb, registerNativeEntities, registryPath, resolveActiveS3Config, resolveLatticeRoot, resolveSource, resolveWorkspacePaths, revokeMemberRole, rootConfigDir, s3Key, saveDbCredential, saveDbCredentialForTeam, sealUnderSource, secureCloud, seedColumnPolicyFromYaml, setActiveWorkspace, setCloudSetting, setColumnAudience, setRowVisibility, setTableDefaultVisibility, setTableNeverShare, shredSource, slugify, startGuiServer, summarizeText, tableNeedsAudienceView, toSafeDirName, truncate, validateEntryId, workspaceBlobsDir, workspaceConfigPath, workspaceContextDir, workspaceDataDir, workspaceDbPath, workspaceDir, workspacesDir, writeIdentity, writeManifest, writePreferences, writeRegistry, writeToken };