latticesql 3.4.0 → 3.4.2

package/dist/cli.js

@@ -1637,43 +1637,57 @@ var init_postgres = __esm({
       },
       {
         warn: "could not register json_extract polyfill:",
-        sql: `CREATE OR REPLACE FUNCTION json_extract(doc text, path text)
-         RETURNS text
-         LANGUAGE sql
-         IMMUTABLE
-         AS $fn$
-           SELECT doc::jsonb #>> string_to_array(regexp_replace(path, '^\\$\\.?', ''), '.')
-         $fn$;`
+        // Create ONLY if absent. `CREATE OR REPLACE` on an existing function requires
+        // ownership, but on a cloud the function is owned by whichever single role
+        // created it first — so every OTHER member's per-connect replace raised "must
+        // be owner of function" and (sharing the render transaction) aborted it,
+        // yielding an empty render. The IF-absent guard makes a present function a
+        // clean no-op for everyone, regardless of who owns it.
+        sql: `DO $do$ BEGIN
+      IF to_regprocedure('json_extract(text, text)') IS NULL THEN
+        CREATE FUNCTION json_extract(doc text, path text)
+          RETURNS text
+          LANGUAGE sql
+          IMMUTABLE
+          AS $fn$
+            SELECT doc::jsonb #>> string_to_array(regexp_replace(path, '^\\$\\.?', ''), '.')
+          $fn$;
+      END IF;
+    END $do$;`
       },
       {
         warn: "could not register strftime polyfill:",
-        sql: `CREATE OR REPLACE FUNCTION strftime(format text, modifier text)
-         RETURNS text
-         LANGUAGE plpgsql
-         IMMUTABLE
-         AS $fn$
-         DECLARE ts timestamptz;
-         BEGIN
-           IF modifier = 'now' THEN
-             ts := now();
-           ELSE
-             ts := modifier::timestamptz;
-           END IF;
-           RETURN to_char(
-             ts AT TIME ZONE 'UTC',
-             replace(replace(replace(replace(replace(replace(replace(replace(
-               format,
-               '%Y', 'YYYY'),
-               '%m', 'MM'),
-               '%d', 'DD'),
-               '%H', 'HH24'),
-               '%M', 'MI'),
-               '%S', 'SS'),
-               '%f', 'MS'),
-               'T', '"T"')
-           );
-         END;
-         $fn$;`
+        sql: `DO $do$ BEGIN
+      IF to_regprocedure('strftime(text, text)') IS NULL THEN
+        CREATE FUNCTION strftime(format text, modifier text)
+          RETURNS text
+          LANGUAGE plpgsql
+          IMMUTABLE
+          AS $fn$
+          DECLARE ts timestamptz;
+          BEGIN
+            IF modifier = 'now' THEN
+              ts := now();
+            ELSE
+              ts := modifier::timestamptz;
+            END IF;
+            RETURN to_char(
+              ts AT TIME ZONE 'UTC',
+              replace(replace(replace(replace(replace(replace(replace(replace(
+                format,
+                '%Y', 'YYYY'),
+                '%m', 'MM'),
+                '%d', 'DD'),
+                '%H', 'HH24'),
+                '%M', 'MI'),
+                '%S', 'SS'),
+                '%f', 'MS'),
+                'T', '"T"')
+            );
+          END;
+          $fn$;
+      END IF;
+    END $do$;`
       }
     ];
   }
@@ -3077,6 +3091,34 @@ var init_engine = __esm({
       setRenderFold(fn) {
         this._foldRows = fn;
       }
+      /**
+       * Incremental scope: is this entity-context table affected by a change to one
+       * of `changed`? Affected when the table itself changed (its own rows / `self`
+       * source / index) OR any of its files SOURCES from a changed table (a cross-
+       * table dependent — e.g. an AGENT.md that lists the agent's tasks must re-render
+       * when `tasks` changes). A `custom` source runs an arbitrary query, so we can't
+       * prove independence — treat it as always-affected (conservative, never stale).
+       */
+      _entityAffected(table, def, changed) {
+        if (changed.has(table)) return true;
+        for (const spec of Object.values(def.files)) {
+          if (this._sourceTouches(spec.source, changed)) return true;
+        }
+        return false;
+      }
+      _sourceTouches(source, changed) {
+        if (source == null || typeof source !== "object") return false;
+        const s2 = source;
+        if (s2.type === "custom") return true;
+        if (typeof s2.table === "string" && changed.has(s2.table)) return true;
+        if (typeof s2.junctionTable === "string" && changed.has(s2.junctionTable)) return true;
+        if (s2.sources != null && typeof s2.sources === "object") {
+          for (const sub of Object.values(s2.sources)) {
+            if (this._sourceTouches(sub, changed)) return true;
+          }
+        }
+        return false;
+      }
       async render(outputDir, opts = {}) {
         const start = Date.now();
         const filesWritten = [];
@@ -3086,6 +3128,7 @@ var init_engine = __esm({
         for (const [name, def] of this._schema.getTables()) {
           if (signal?.aborted) return this._abortedResult(filesWritten, counters, start);
           if (this._skipEmpty && def.render === NOOP_RENDER) continue;
+          if (opts.changedTables && !opts.changedTables.has(name)) continue;
           let rows = await this._schema.queryTable(this._adapter, name, this._readRel);
           if (def.relevanceFilter) {
             const ctx = this._getTaskContext();
@@ -3138,6 +3181,9 @@ var init_engine = __esm({
         }
         for (const [name, def] of this._schema.getMultis()) {
           if (signal?.aborted) return this._abortedResult(filesWritten, counters, start);
+          if (opts.changedTables && def.tables && !def.tables.some((t8) => opts.changedTables?.has(t8))) {
+            continue;
+          }
           const keys = await def.keys();
           const tables = {};
           if (def.tables) {
@@ -3169,16 +3215,22 @@ var init_engine = __esm({
           filesWritten,
           counters,
           throttle,
-          signal
+          signal,
+          opts.changedTables
         );
         if (entityContextManifest === null) {
           return this._abortedResult(filesWritten, counters, start);
         }
         if (this._schema.getEntityContexts().size > 0) {
+          let entityContexts = entityContextManifest;
+          if (opts.changedTables) {
+            const prev = readManifest(outputDir);
+            entityContexts = { ...prev?.entityContexts ?? {}, ...entityContextManifest };
+          }
           writeManifest(outputDir, {
             version: 2,
             generated_at: (/* @__PURE__ */ new Date()).toISOString(),
-            entityContexts: entityContextManifest
+            entityContexts
           });
         }
         const result = {
@@ -3244,12 +3296,14 @@ var init_engine = __esm({
        * partial tree). Progress is reported through `throttle`; abort is observed
        * via `signal`.
        */
-      async _renderEntityContexts(outputDir, filesWritten, counters, throttle, signal) {
+      async _renderEntityContexts(outputDir, filesWritten, counters, throttle, signal, changedTables) {
         const protectedTables = /* @__PURE__ */ new Set();
         for (const [t8, d6] of this._schema.getEntityContexts()) {
           if (d6.protected) protectedTables.add(t8);
         }
-        const entityTables = [...this._schema.getEntityContexts()];
+        const entityTables = [...this._schema.getEntityContexts()].filter(
+          ([table, def]) => !changedTables || this._entityAffected(table, def, changedTables)
+        );
         const tableCount = entityTables.length;
         if (signal?.aborted) return null;
         const renderedEntries = await mapWithConcurrency(
@@ -5077,6 +5131,16 @@ var init_lattice = __esm({
       _autoRenderPending = false;
       _autoRenderInFlight = false;
       _autoRenderDebounceMs = 250;
+      /**
+       * Incremental auto-render scope, accumulated between debounced renders. A write
+       * or a remote (cloud) change records the AFFECTED table here, so the next
+       * auto-render re-renders only that entity (+ its cross-table dependents) instead
+       * of the whole tree. `_pendingRenderAll` forces a full render (the initial
+       * render, or a change with no known table). Captured + reset when a render
+       * starts, so changes during a render re-accumulate and re-trigger.
+       */
+      _pendingRenderTables = /* @__PURE__ */ new Set();
+      _pendingRenderAll = true;
       /** Cache of actual table columns (from PRAGMA), populated after init(). */
       _columnCache = /* @__PURE__ */ new Map();
       /** Derived encryption key (from options.encryptionKey via scrypt). */
@@ -6172,7 +6236,7 @@ var init_lattice = __esm({
           `${verb} INTO "${junctionTable}" (${colNames}) VALUES (${placeholders})`,
           Object.values(filtered)
         );
-        this._scheduleAutoRender();
+        this._scheduleAutoRender(junctionTable);
       }
       /**
        * Delete rows from a junction table matching all given conditions.
@@ -6188,7 +6252,7 @@ var init_lattice = __esm({
           `DELETE FROM "${junctionTable}" WHERE ${where}`,
           entries.map(([, v2]) => v2)
         );
-        this._scheduleAutoRender();
+        this._scheduleAutoRender(junctionTable);
       }
       // -------------------------------------------------------------------------
       // Seeding DSL (v0.13+)
@@ -6444,6 +6508,11 @@ var init_lattice = __esm({
       async renderInBackground(outputDir, opts = {}) {
         const notInit = this._notInitError();
         if (notInit) return notInit;
+        if (!opts.changedTables) {
+          this._pendingRenderAll = false;
+          this._pendingRenderTables = /* @__PURE__ */ new Set();
+          this._autoRenderPending = false;
+        }
         return this._renderGuarded(outputDir, opts);
       }
       /**
@@ -6473,9 +6542,12 @@ var init_lattice = __esm({
        * tree when a REMOTE change arrives — notably an owner re-sharing or un-sharing
        * a row, after which the member's per-viewer projection must be recompiled. A
        * no-op when auto-render isn't enabled.
+       *
+       * Pass the CHANGED table so only that entity (+ its cross-table dependents) is
+       * re-rendered instead of the whole tree; omit it to force a full render.
        */
-      requestRender() {
-        this._scheduleAutoRender();
+      requestRender(table) {
+        this._scheduleAutoRender(table);
       }
       /**
        * True while a render is actively writing the context tree + manifest (auto-
@@ -6876,7 +6948,7 @@ var init_lattice = __esm({
             for (const h6 of this._errorHandlers) h6(err instanceof Error ? err : new Error(String(err)));
           }
         }
-        this._scheduleAutoRender();
+        this._scheduleAutoRender(table);
       }
       /**
        * Turn on automatic rendering into `outputDir`. After this, every insert /
@@ -6900,10 +6972,18 @@ var init_lattice = __esm({
         this._autoRenderPending = false;
         return this;
       }
-      _scheduleAutoRender() {
+      _scheduleAutoRender(table) {
         if (!this._autoRenderDir) return;
+        if (table === void 0) this._pendingRenderAll = true;
+        else this._pendingRenderTables.add(table);
         this._autoRenderPending = true;
-        if (this._autoRenderTimer) return;
+        this._armAutoRenderTimer();
+      }
+      /** Arm the debounce timer if not already armed. Does NOT change the render
+       *  scope — used both by `_scheduleAutoRender` and the post-render re-arm so a
+       *  re-arm never escalates a pending incremental render to a full one. */
+      _armAutoRenderTimer() {
+        if (!this._autoRenderDir || this._autoRenderTimer) return;
         this._autoRenderTimer = setTimeout(() => {
           this._autoRenderTimer = void 0;
           void this._runAutoRender();
@@ -6943,10 +7023,15 @@ var init_lattice = __esm({
         }
         if (!this._autoRenderPending) return;
         this._autoRenderPending = false;
+        const renderAll = this._pendingRenderAll;
+        const changed = this._pendingRenderTables;
+        this._pendingRenderAll = false;
+        this._pendingRenderTables = /* @__PURE__ */ new Set();
         this._autoRenderInFlight = true;
         try {
           const prevManifest = readManifest(dir);
-          const result = await this._render.render(dir);
+          const renderOpts = renderAll || changed.size === 0 ? {} : { changedTables: changed };
+          const result = await this._render.render(dir, renderOpts);
           for (const h6 of this._renderHandlers) h6(result);
           const newManifest = readManifest(dir);
           await this._render.cleanup(dir, prevManifest, {}, newManifest);
@@ -6958,7 +7043,7 @@ var init_lattice = __esm({
         }
       }
       _rearmAutoRenderIfPending() {
-        if (this._autoRenderPending) this._scheduleAutoRender();
+        if (this._autoRenderPending) this._armAutoRenderTimer();
       }
       /**
        * Update or remove the embedding for a row.
@@ -8035,6 +8120,44 @@ CREATE TRIGGER "${trg}" AFTER INSERT OR UPDATE OR DELETE ON ${q3}
   FOR EACH ROW EXECUTE FUNCTION "${trg}"();
 `;
 }
+async function ownPolyfillsByGroup(db) {
+  if (!isPg(db)) return;
+  for (const sig of ["json_extract(text, text)", "strftime(text, text)"]) {
+    try {
+      const reg = await getAsyncOrSync(db.adapter, `SELECT to_regprocedure($1) AS reg`, [sig]);
+      if (reg?.reg == null) continue;
+      await runAsyncOrSync(db.adapter, `ALTER FUNCTION ${sig} OWNER TO "${MEMBER_GROUP}"`);
+    } catch {
+    }
+  }
+}
+async function enableGuiAuditRls(db) {
+  if (!isPg(db)) return;
+  const reg = await getAsyncOrSync(db.adapter, `SELECT to_regclass($1) AS reg`, [
+    "_lattice_gui_audit"
+  ]);
+  if (reg?.reg == null) return;
+  await runCloudBootstrapSql(
+    db,
+    `
+ALTER TABLE "_lattice_gui_audit" ENABLE ROW LEVEL SECURITY;
+ALTER TABLE "_lattice_gui_audit" FORCE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS "lattice_gui_audit_owner" ON "_lattice_gui_audit";
+DROP POLICY IF EXISTS "lattice_gui_audit_sel" ON "_lattice_gui_audit";
+CREATE POLICY "lattice_gui_audit_sel" ON "_lattice_gui_audit" FOR SELECT
+  USING ("row_id" IS NULL OR lattice_row_visible("table_name", "row_id"));
+DROP POLICY IF EXISTS "lattice_gui_audit_ins" ON "_lattice_gui_audit";
+CREATE POLICY "lattice_gui_audit_ins" ON "_lattice_gui_audit" FOR INSERT
+  WITH CHECK ("row_id" IS NULL OR lattice_row_visible("table_name", "row_id"));
+DROP POLICY IF EXISTS "lattice_gui_audit_upd" ON "_lattice_gui_audit";
+CREATE POLICY "lattice_gui_audit_upd" ON "_lattice_gui_audit" FOR UPDATE
+  USING ("row_id" IS NULL OR lattice_row_visible("table_name", "row_id"));
+DROP POLICY IF EXISTS "lattice_gui_audit_del" ON "_lattice_gui_audit";
+CREATE POLICY "lattice_gui_audit_del" ON "_lattice_gui_audit" FOR DELETE
+  USING ("row_id" IS NULL OR lattice_row_visible("table_name", "row_id"));
+`
+  );
+}
 async function installCloudRls(db) {
   if (!isPg(db)) return;
   const schema = await cloudSchema(db);
@@ -8068,6 +8191,24 @@ CREATE POLICY "lattice_changelog_ins" ON "__lattice_changelog" FOR INSERT WITH C
 `
   );
 }
+async function enableChatPrivacyRls(db) {
+  if (!isPg(db)) return;
+  for (const t8 of ["chat_threads", "chat_messages"]) {
+    const reg = await getAsyncOrSync(db.adapter, `SELECT to_regclass($1) AS reg`, [t8]);
+    if (reg?.reg == null) continue;
+    const q3 = `"${t8}"`;
+    await runCloudBootstrapSql(
+      db,
+      `
+ALTER TABLE ${q3} ENABLE ROW LEVEL SECURITY;
+ALTER TABLE ${q3} FORCE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS "lattice_chat_owner" ON ${q3};
+CREATE POLICY "lattice_chat_owner" ON ${q3} AS RESTRICTIVE FOR SELECT
+  USING ("owner_user_id" IS NOT NULL AND "owner_user_id" = session_user);
+`
+    );
+  }
+}
 async function enableRlsForTable(db, table, pkCols) {
   if (!isPg(db)) return;
   const schema = await cloudSchema(db);
@@ -8182,6 +8323,18 @@ CREATE TABLE IF NOT EXISTS "__lattice_member_invites" (
 -- bootstrap is now run directly + idempotently, not version-gated).
 ALTER TABLE "__lattice_member_invites" ADD COLUMN IF NOT EXISTS "email" text;
 
+-- Owner-published entity/render LAYOUT (the entities + entityContexts config
+-- blocks), so a joined member \u2014 whose generated config has entities: {} \u2014 can
+-- hydrate the full render layout and produce a complete context tree. This holds
+-- schema CONFIG, not row data, so it is safe to share with members (granted
+-- SELECT). A shared singleton, like __lattice_user_identity: no per-row RLS.
+CREATE TABLE IF NOT EXISTS "__lattice_shared_schema" (
+  "id" TEXT PRIMARY KEY DEFAULT 'singleton',
+  "entities_json" TEXT,
+  "contexts_json" TEXT,
+  "updated_at" TEXT
+);
+
 -- #3.1 \u2014 one-time-use + revocation enforcement. After a member authenticates to
 -- the cloud with their minted credential, the join path calls this to CLAIM the
 -- invite. The single atomic UPDATE stamps redeemed_at and returns true ONLY when
@@ -10059,7 +10212,7 @@ var init_registry = __esm({
 });
 
 // src/gui/ai/lattice-docs.ts
-import { readFileSync as readFileSync13, readdirSync as readdirSync5, existsSync as existsSync17 } from "fs";
+import { readFileSync as readFileSync14, readdirSync as readdirSync5, existsSync as existsSync17 } from "fs";
 import { dirname as dirname8, join as join16 } from "path";
 import { fileURLToPath as fileURLToPath2 } from "url";
 function findDocsDir() {
@@ -10119,7 +10272,7 @@ function allSections() {
   }
   for (const f6 of files) {
     try {
-      out.push(...sectionsOf(f6, readFileSync13(join16(dir, f6), "utf8")));
+      out.push(...sectionsOf(f6, readFileSync14(join16(dir, f6), "utf8")));
     } catch {
     }
   }
@@ -55860,12 +56013,17 @@ var appJs = `
         fetchJson('/api/gui-meta/columns').catch(function () { return {}; }),
         fetchJson('/api/system-tables').catch(function () { return { tables: [] }; }),
         fetchJson('/api/workspaces').catch(function () { return null; }),
+        fetchJson('/api/dbconfig').catch(function () { return {}; }),
       ]).then(function (results) {
         state.entities = results[0];
         state.iconOverrides = results[1] || {};
         state.columnMeta = results[2] || {};
         state.systemTables = (results[3] && results[3].tables) || [];
         renderWsSwitcher(results[4]);
+        // Re-point the header logo at the NEW workspace's mark \u2014 the switch path
+        // must refresh branding the way boot does (the etag cache-busts the
+        // <img>), else the previous workspace's logo stays until a hard refresh.
+        applyWorkspaceLogo((results[5] || {}).logoEtag);
         renderSidebar();
         // renderWsSwitcher set cloudMode from the new workspace's kind; re-render
         // the composer so the Private-mode toggle reflects local vs cloud (it is
@@ -62648,6 +62806,87 @@ async function discoverCloudTables(db) {
 // src/gui/server.ts
 init_rls();
 
+// src/cloud/shared-schema.ts
+init_lattice();
+init_adapter();
+
+// src/gui/config-io.ts
+import { readFileSync as readFileSync13, writeFileSync as writeFileSync6 } from "fs";
+import { parseDocument as parseDocument2 } from "yaml";
+async function execSql(db, sql) {
+  const adapter = db._adapter;
+  if (!adapter.runAsync) throw new Error("Adapter does not support runAsync");
+  await adapter.runAsync(sql);
+}
+function loadConfigDoc(configPath) {
+  return parseDocument2(readFileSync13(configPath, "utf8"));
+}
+function saveConfigDoc(configPath, doc) {
+  writeFileSync6(configPath, doc.toString(), "utf8");
+}
+
+// src/cloud/shared-schema.ts
+async function publishSharedSchema(db, configPath) {
+  if (db.getDialect() !== "postgres") return;
+  const cfg = loadConfigDoc(configPath).toJSON();
+  const entities = cfg.entities ?? {};
+  if (Object.keys(entities).length === 0) return;
+  await runAsyncOrSync(
+    db.adapter,
+    `INSERT INTO "__lattice_shared_schema" ("id","entities_json","contexts_json","updated_at")
+       VALUES ('singleton', $1, $2, $3)
+       ON CONFLICT ("id") DO UPDATE SET
+         "entities_json" = EXCLUDED."entities_json",
+         "contexts_json" = EXCLUDED."contexts_json",
+         "updated_at"    = EXCLUDED."updated_at"`,
+    [
+      JSON.stringify(entities),
+      JSON.stringify(cfg.entityContexts ?? null),
+      (/* @__PURE__ */ new Date()).toISOString()
+    ]
+  );
+}
+async function hydrateMemberConfigFromCloud(configPath, dbUrl, encryptionKey) {
+  if (!isPostgresUrl(dbUrl)) return false;
+  const existing = loadConfigDoc(configPath).toJSON();
+  if (Object.keys(existing.entities ?? {}).length > 0) return false;
+  try {
+    const peek = new Lattice({ config: configPath }, { encryptionKey });
+    try {
+      await peek.init({ introspectOnly: true });
+      const reg = await getAsyncOrSync(
+        peek.adapter,
+        "SELECT to_regclass('__lattice_shared_schema') AS reg"
+      );
+      if (reg?.reg == null) return false;
+      const row = await getAsyncOrSync(
+        peek.adapter,
+        'SELECT "entities_json","contexts_json" FROM "__lattice_shared_schema" WHERE "id" = $1',
+        ["singleton"]
+      );
+      if (row?.entities_json == null) return false;
+      const entities = JSON.parse(row.entities_json);
+      if (Object.keys(entities).length === 0) return false;
+      const doc = loadConfigDoc(configPath);
+      doc.setIn(["entities"], entities);
+      if (row.contexts_json != null) {
+        const ctx = JSON.parse(row.contexts_json);
+        if (ctx) doc.setIn(["entityContexts"], ctx);
+      }
+      saveConfigDoc(configPath, doc);
+      return true;
+    } finally {
+      peek.close();
+    }
+  } catch (e6) {
+    console.warn(
+      "[hydrateMemberConfigFromCloud] could not hydrate member schema:",
+      e6.message
+    );
+    return false;
+  }
+}
+
 // src/cloud/settings.ts
 init_adapter();
 init_rls();
@@ -62751,7 +62990,7 @@ var MEMBER_READABLE_BOOKKEEPING = [
   {
     name: "_lattice_gui_audit",
     privs: "SELECT, INSERT",
-    why: "the member's own GUI undo/redo log (session-scoped)"
+    why: "GUI undo/redo + version history; RLS (enableGuiAuditRls) scopes reads to entries whose underlying row the member can see"
   },
   {
     name: "__lattice_user_identity",
@@ -62762,6 +63001,11 @@ var MEMBER_READABLE_BOOKKEEPING = [
     name: "__lattice_changelog",
     privs: "SELECT, INSERT",
     why: "per-viewer-RLS-filtered change history for observe()/history (the policy filters reads, so the base grant is safe)"
+  },
+  {
+    name: "__lattice_shared_schema",
+    privs: "SELECT",
+    why: "owner-published entity/render layout (entities + entityContexts) a joined member hydrates its config from so render produces the full context tree"
   }
 ];
 var MEMBER_EXECUTE_FUNCTIONS = [
@@ -62913,9 +63157,12 @@ async function secureCloud(db) {
   if (db.getDialect() !== "postgres") return;
   await registerPostgresPolyfills((sql) => runAsyncOrSync(db.adapter, sql));
   await installCloudRls(db);
+  await ownPolyfillsByGroup(db);
   await installCloudSettings(db);
   await db.ensureObservationSubstrate();
   await enableChangelogRls(db);
+  await enableChatPrivacyRls(db);
+  await enableGuiAuditRls(db);
   await convergeLegacyColumnAudience(db);
   const registered = db.getRegisteredTableNames();
   for (const table of registered) {
@@ -63012,21 +63259,6 @@ var FeedBus = class {
 init_fts();
 init_mutations();
 
-// src/gui/config-io.ts
-import { readFileSync as readFileSync14, writeFileSync as writeFileSync6 } from "fs";
-import { parseDocument as parseDocument2 } from "yaml";
-async function execSql(db, sql) {
-  const adapter = db._adapter;
-  if (!adapter.runAsync) throw new Error("Adapter does not support runAsync");
-  await adapter.runAsync(sql);
-}
-function loadConfigDoc(configPath) {
-  return parseDocument2(readFileSync14(configPath, "utf8"));
-}
-function saveConfigDoc(configPath, doc) {
-  writeFileSync6(configPath, doc.toString(), "utf8");
-}
-
 // src/gui/schema-ops.ts
 init_parser();
 init_canonical_context();
@@ -64562,6 +64794,7 @@ async function dispatchDbConfigRoute(req, res, ctx) {
         const result = await migrateLatticeData(ctx.db, target);
         await target.rebuildFtsIndexes();
         await secureCloud(target);
+        await publishSharedSchema(target, ctx.configPath);
         target.close();
         const sourceDbPath = parseConfigFile(ctx.configPath).dbPath;
         const backupPath = archiveLocalSqlite(sourceDbPath);
@@ -65024,6 +65257,7 @@ function activeCloudCoords(configPath) {
 init_assistant_routes();
 
 // src/gui/chat-routes.ts
+init_adapter();
 init_assistant_routes();
 init_chat();
 init_user_config();
@@ -65049,6 +65283,15 @@ function sendJson3(res, body, status = 200) {
 function asStr(v2, fallback = "") {
   return typeof v2 === "string" ? v2 : fallback;
 }
+function isCloudChat(db) {
+  return db.getDialect() === "postgres";
+}
+async function resolveChatOwnerId(db) {
+  if (!isCloudChat(db)) return null;
+  const row = await getAsyncOrSync(db.adapter, "SELECT session_user AS u");
+  const u2 = row?.u;
+  return typeof u2 === "string" && u2.length > 0 ? u2 : null;
+}
 function readJson3(req) {
   return new Promise((resolve12, reject) => {
     let raw = "";
@@ -65241,12 +65484,20 @@ async function persistMessage(db, threadId, role, text, ownerUserId, turns, star
   });
 }
 async function dispatchChatRoute(req, res, ctx) {
+  const ownerUserId = await resolveChatOwnerId(ctx.db);
+  const cloud = isCloudChat(ctx.db);
+  const ownedByMe = (r6) => !cloud || r6.owner_user_id != null && r6.owner_user_id === ownerUserId;
   if (ctx.method === "GET" && ctx.pathname === "/api/chat/threads") {
+    if (cloud && ownerUserId == null) {
+      sendJson3(res, { threads: [] });
+      return true;
+    }
     const filters = [
       { col: "deleted_at", op: "isNull" }
     ];
+    if (ownerUserId != null) filters.push({ col: "owner_user_id", op: "eq", val: ownerUserId });
     const rows = await ctx.db.query("chat_threads", { filters, limit: 100 });
-    const threads = rows.filter((r6) => !r6.deleted_at).map((r6) => ({
+    const threads = rows.filter((r6) => !r6.deleted_at && ownedByMe(r6)).map((r6) => ({
       id: asStr(r6.id),
       title: asStr(r6.title, "Chat"),
       created_at: asStr(r6.created_at)
@@ -65257,12 +65508,19 @@ async function dispatchChatRoute(req, res, ctx) {
   const msgMatch = /^\/api\/chat\/threads\/([^/]+)\/messages$/.exec(ctx.pathname);
   if (ctx.method === "GET" && msgMatch) {
     const threadId2 = decodeURIComponent(msgMatch[1] ?? "");
-    const msgFilters = [{ col: "thread_id", op: "eq", val: threadId2 }];
+    if (cloud && ownerUserId == null) {
+      sendJson3(res, { messages: [] });
+      return true;
+    }
+    const msgFilters = [
+      { col: "thread_id", op: "eq", val: threadId2 }
+    ];
+    if (ownerUserId != null) msgFilters.push({ col: "owner_user_id", op: "eq", val: ownerUserId });
     const rows = await ctx.db.query("chat_messages", {
       filters: msgFilters,
       limit: 1e3
     });
-    const messages = rows.filter((r6) => r6.thread_id === threadId2 && !r6.deleted_at).map((r6) => {
+    const messages = rows.filter((r6) => r6.thread_id === threadId2 && !r6.deleted_at && ownedByMe(r6)).map((r6) => {
       let text = "";
       let turns2;
       let startedAt;
@@ -65315,12 +65573,21 @@ async function dispatchChatRoute(req, res, ctx) {
     return true;
   }
   const requestedThread = typeof body.threadId === "string" ? body.threadId : null;
+  if (cloud && ownerUserId == null) {
+    sendJson3(res, { error: "Could not resolve your cloud identity; chat is disabled." }, 500);
+    return true;
+  }
   const activeContext = parseActiveContext(body.activeContext, ctx.validTables);
-  const history = await rehydrateHistory(ctx.db, requestedThread, mapHistory(body.history), null);
+  const history = await rehydrateHistory(
+    ctx.db,
+    requestedThread,
+    mapHistory(body.history),
+    ownerUserId
+  );
   let threadId = "";
   try {
-    threadId = await ensureThread(ctx.db, requestedThread, message, null);
-    await persistMessage(ctx.db, threadId, "user", message, null);
+    threadId = await ensureThread(ctx.db, requestedThread, message, ownerUserId);
+    await persistMessage(ctx.db, threadId, "user", message, ownerUserId);
   } catch (e6) {
     console.warn("[chat] persist user message failed:", e6.message);
   }
@@ -65392,7 +65659,7 @@ async function dispatchChatRoute(req, res, ctx) {
         threadId,
         "assistant",
         assistantText,
-        null,
+        ownerUserId,
         cleanTurns,
         turnStartedAt,
         assistantMsgId
@@ -66386,10 +66653,13 @@ function resolveOutputDirForConfig(configPath) {
 async function openConfig(configPath, outputDir, autoRender = false, realtimeWatchdogMs) {
   healRawDbUrl(configPath);
   const parsed = parseConfigFile(configPath);
+  const encryptionKey = getOrCreateMasterKey();
   if (!/^postgres(ql)?:\/\//i.test(parsed.dbPath) && !parsed.dbPath.startsWith("file:") && parsed.dbPath !== ":memory:") {
     mkdirSync11(dirname14(parsed.dbPath), { recursive: true });
   }
-  const encryptionKey = getOrCreateMasterKey();
+  if (/^postgres(ql)?:\/\//i.test(parsed.dbPath)) {
+    await hydrateMemberConfigFromCloud(configPath, parsed.dbPath, encryptionKey);
+  }
   const db = new Lattice({ config: configPath }, { encryptionKey });
   registerNativeEntities(db);
   db.define("_lattice_gui_meta", {
@@ -66541,19 +66811,32 @@ async function openConfig(configPath, outputDir, autoRender = false, realtimeWat
       if (await cloudRlsInstalled(db) && await canManageRoles(db)) {
         await registerPostgresPolyfills((sql) => runAsyncOrSync(db.adapter, sql));
         await installCloudRls(db);
+        await ownPolyfillsByGroup(db);
         await installCloudSettings(db);
         await db.ensureObservationSubstrate();
         await enableChangelogRls(db);
+        await enableChatPrivacyRls(db);
+        await enableGuiAuditRls(db);
         const access = await reconcileCloudMemberAccess(db);
         convergeWarnings = access.skipped;
         for (const s2 of convergeWarnings) {
           console.warn(`[openConfig] cloud converge could not manage "${s2.table}": ${s2.reason}`);
         }
+        await publishSharedSchema(db, configPath);
       }
     } catch (e6) {
       console.error("[openConfig] cloud bootstrap converge failed:", e6.message);
     }
   }
+  if (memberOpen) {
+    const userTables = db.getRegisteredTableNames().filter((t8) => !t8.startsWith("_") && !discoveredJunctions.has(t8));
+    if (userTables.length === 0) {
+      convergeWarnings.push({
+        table: "(schema)",
+        reason: "No entity layout is configured for this cloud workspace yet \u2014 ask the cloud owner to open the workspace once so it publishes the schema, then reopen. Until then, render produces no context files."
+      });
+    }
+  }
   const validTables = new Set(parsed.tables.map((t8) => t8.name));
   for (const name of db.getRegisteredTableNames()) {
     if (name.startsWith("__lattice_") || name.startsWith("_lattice_")) continue;
@@ -66705,11 +66988,22 @@ function startBackgroundRender(active) {
     active.eagerRenderWired = true;
     let lastFire = 0;
     let trailing;
+    const pendingTables = /* @__PURE__ */ new Set();
+    let pendingFull = false;
     const fire = () => {
       lastFire = Date.now();
-      active.db.requestRender();
+      if (pendingFull || pendingTables.size === 0) {
+        pendingFull = false;
+        pendingTables.clear();
+        active.db.requestRender();
+        return;
+      }
+      for (const t8 of pendingTables) active.db.requestRender(t8);
+      pendingTables.clear();
     };
-    active.realtime.subscribePayload(() => {
+    active.realtime.subscribePayload((payload) => {
+      if (payload.table_name) pendingTables.add(payload.table_name);
+      else pendingFull = true;
       const since = Date.now() - lastFire;
       if (since >= EAGER_RERENDER_MIN_INTERVAL_MS) {
         fire();
@@ -69130,7 +69424,7 @@ function printHelp() {
   );
 }
 function getVersion() {
-  if (true) return "3.4.0";
+  if (true) return "3.4.2";
   try {
     const pkgPath = new URL("../package.json", import.meta.url).pathname;
     const pkg = JSON.parse(readFileSync20(pkgPath, "utf-8"));
@@ -69198,14 +69492,17 @@ function runGenerate(args) {
 }
 async function runRender(args) {
   const outputDir = resolve11(args.output);
+  const configPath = resolve11(args.config);
   let parsed;
   try {
-    parsed = parseConfigFile(resolve11(args.config));
+    parsed = parseConfigFile(configPath);
   } catch (e6) {
     console.error(`Error: ${e6.message}`);
     process.exit(1);
   }
-  const db = new Lattice({ config: resolve11(args.config) });
+  const encryptionKey = getOrCreateMasterKey();
+  await hydrateMemberConfigFromCloud(configPath, parsed.dbPath, encryptionKey);
+  const db = new Lattice({ config: configPath }, { encryptionKey });
   try {
     await db.init();
     const start = Date.now();
@@ -69221,7 +69518,6 @@ async function runRender(args) {
   } finally {
     db.close();
   }
-  void parsed;
 }
 async function runReconcile(args, isDryRun) {
   const outputDir = resolve11(args.output);