latticesql 3.4.1 → 3.4.2

package/dist/cli.js

@@ -8131,6 +8131,33 @@ async function ownPolyfillsByGroup(db) {
     }
   }
 }
+async function enableGuiAuditRls(db) {
+  if (!isPg(db)) return;
+  const reg = await getAsyncOrSync(db.adapter, `SELECT to_regclass($1) AS reg`, [
+    "_lattice_gui_audit"
+  ]);
+  if (reg?.reg == null) return;
+  await runCloudBootstrapSql(
+    db,
+    `
+ALTER TABLE "_lattice_gui_audit" ENABLE ROW LEVEL SECURITY;
+ALTER TABLE "_lattice_gui_audit" FORCE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS "lattice_gui_audit_owner" ON "_lattice_gui_audit";
+DROP POLICY IF EXISTS "lattice_gui_audit_sel" ON "_lattice_gui_audit";
+CREATE POLICY "lattice_gui_audit_sel" ON "_lattice_gui_audit" FOR SELECT
+  USING ("row_id" IS NULL OR lattice_row_visible("table_name", "row_id"));
+DROP POLICY IF EXISTS "lattice_gui_audit_ins" ON "_lattice_gui_audit";
+CREATE POLICY "lattice_gui_audit_ins" ON "_lattice_gui_audit" FOR INSERT
+  WITH CHECK ("row_id" IS NULL OR lattice_row_visible("table_name", "row_id"));
+DROP POLICY IF EXISTS "lattice_gui_audit_upd" ON "_lattice_gui_audit";
+CREATE POLICY "lattice_gui_audit_upd" ON "_lattice_gui_audit" FOR UPDATE
+  USING ("row_id" IS NULL OR lattice_row_visible("table_name", "row_id"));
+DROP POLICY IF EXISTS "lattice_gui_audit_del" ON "_lattice_gui_audit";
+CREATE POLICY "lattice_gui_audit_del" ON "_lattice_gui_audit" FOR DELETE
+  USING ("row_id" IS NULL OR lattice_row_visible("table_name", "row_id"));
+`
+  );
+}
 async function installCloudRls(db) {
   if (!isPg(db)) return;
   const schema = await cloudSchema(db);
@@ -8296,6 +8323,18 @@ CREATE TABLE IF NOT EXISTS "__lattice_member_invites" (
 -- bootstrap is now run directly + idempotently, not version-gated).
 ALTER TABLE "__lattice_member_invites" ADD COLUMN IF NOT EXISTS "email" text;
 
+-- Owner-published entity/render LAYOUT (the entities + entityContexts config
+-- blocks), so a joined member \u2014 whose generated config has entities: {} \u2014 can
+-- hydrate the full render layout and produce a complete context tree. This holds
+-- schema CONFIG, not row data, so it is safe to share with members (granted
+-- SELECT). A shared singleton, like __lattice_user_identity: no per-row RLS.
+CREATE TABLE IF NOT EXISTS "__lattice_shared_schema" (
+  "id" TEXT PRIMARY KEY DEFAULT 'singleton',
+  "entities_json" TEXT,
+  "contexts_json" TEXT,
+  "updated_at" TEXT
+);
+
 -- #3.1 \u2014 one-time-use + revocation enforcement. After a member authenticates to
 -- the cloud with their minted credential, the join path calls this to CLAIM the
 -- invite. The single atomic UPDATE stamps redeemed_at and returns true ONLY when
@@ -10173,7 +10212,7 @@ var init_registry = __esm({
 });
 
 // src/gui/ai/lattice-docs.ts
-import { readFileSync as readFileSync13, readdirSync as readdirSync5, existsSync as existsSync17 } from "fs";
+import { readFileSync as readFileSync14, readdirSync as readdirSync5, existsSync as existsSync17 } from "fs";
 import { dirname as dirname8, join as join16 } from "path";
 import { fileURLToPath as fileURLToPath2 } from "url";
 function findDocsDir() {
@@ -10233,7 +10272,7 @@ function allSections() {
   }
   for (const f6 of files) {
     try {
-      out.push(...sectionsOf(f6, readFileSync13(join16(dir, f6), "utf8")));
+      out.push(...sectionsOf(f6, readFileSync14(join16(dir, f6), "utf8")));
     } catch {
     }
   }
@@ -62767,6 +62806,87 @@ async function discoverCloudTables(db) {
 // src/gui/server.ts
 init_rls();
 
+// src/cloud/shared-schema.ts
+init_lattice();
+init_adapter();
+
+// src/gui/config-io.ts
+import { readFileSync as readFileSync13, writeFileSync as writeFileSync6 } from "fs";
+import { parseDocument as parseDocument2 } from "yaml";
+async function execSql(db, sql) {
+  const adapter = db._adapter;
+  if (!adapter.runAsync) throw new Error("Adapter does not support runAsync");
+  await adapter.runAsync(sql);
+}
+function loadConfigDoc(configPath) {
+  return parseDocument2(readFileSync13(configPath, "utf8"));
+}
+function saveConfigDoc(configPath, doc) {
+  writeFileSync6(configPath, doc.toString(), "utf8");
+}
+
+// src/cloud/shared-schema.ts
+async function publishSharedSchema(db, configPath) {
+  if (db.getDialect() !== "postgres") return;
+  const cfg = loadConfigDoc(configPath).toJSON();
+  const entities = cfg.entities ?? {};
+  if (Object.keys(entities).length === 0) return;
+  await runAsyncOrSync(
+    db.adapter,
+    `INSERT INTO "__lattice_shared_schema" ("id","entities_json","contexts_json","updated_at")
+       VALUES ('singleton', $1, $2, $3)
+       ON CONFLICT ("id") DO UPDATE SET
+         "entities_json" = EXCLUDED."entities_json",
+         "contexts_json" = EXCLUDED."contexts_json",
+         "updated_at"    = EXCLUDED."updated_at"`,
+    [
+      JSON.stringify(entities),
+      JSON.stringify(cfg.entityContexts ?? null),
+      (/* @__PURE__ */ new Date()).toISOString()
+    ]
+  );
+}
+async function hydrateMemberConfigFromCloud(configPath, dbUrl, encryptionKey) {
+  if (!isPostgresUrl(dbUrl)) return false;
+  const existing = loadConfigDoc(configPath).toJSON();
+  if (Object.keys(existing.entities ?? {}).length > 0) return false;
+  try {
+    const peek = new Lattice({ config: configPath }, { encryptionKey });
+    try {
+      await peek.init({ introspectOnly: true });
+      const reg = await getAsyncOrSync(
+        peek.adapter,
+        "SELECT to_regclass('__lattice_shared_schema') AS reg"
+      );
+      if (reg?.reg == null) return false;
+      const row = await getAsyncOrSync(
+        peek.adapter,
+        'SELECT "entities_json","contexts_json" FROM "__lattice_shared_schema" WHERE "id" = $1',
+        ["singleton"]
+      );
+      if (row?.entities_json == null) return false;
+      const entities = JSON.parse(row.entities_json);
+      if (Object.keys(entities).length === 0) return false;
+      const doc = loadConfigDoc(configPath);
+      doc.setIn(["entities"], entities);
+      if (row.contexts_json != null) {
+        const ctx = JSON.parse(row.contexts_json);
+        if (ctx) doc.setIn(["entityContexts"], ctx);
+      }
+      saveConfigDoc(configPath, doc);
+      return true;
+    } finally {
+      peek.close();
+    }
+  } catch (e6) {
+    console.warn(
+      "[hydrateMemberConfigFromCloud] could not hydrate member schema:",
+      e6.message
+    );
+    return false;
+  }
+}
+
 // src/cloud/settings.ts
 init_adapter();
 init_rls();
@@ -62870,7 +62990,7 @@ var MEMBER_READABLE_BOOKKEEPING = [
   {
     name: "_lattice_gui_audit",
     privs: "SELECT, INSERT",
-    why: "the member's own GUI undo/redo log (session-scoped)"
+    why: "GUI undo/redo + version history; RLS (enableGuiAuditRls) scopes reads to entries whose underlying row the member can see"
   },
   {
     name: "__lattice_user_identity",
@@ -62881,6 +63001,11 @@ var MEMBER_READABLE_BOOKKEEPING = [
     name: "__lattice_changelog",
     privs: "SELECT, INSERT",
     why: "per-viewer-RLS-filtered change history for observe()/history (the policy filters reads, so the base grant is safe)"
+  },
+  {
+    name: "__lattice_shared_schema",
+    privs: "SELECT",
+    why: "owner-published entity/render layout (entities + entityContexts) a joined member hydrates its config from so render produces the full context tree"
   }
 ];
 var MEMBER_EXECUTE_FUNCTIONS = [
@@ -63037,6 +63162,7 @@ async function secureCloud(db) {
   await db.ensureObservationSubstrate();
   await enableChangelogRls(db);
   await enableChatPrivacyRls(db);
+  await enableGuiAuditRls(db);
   await convergeLegacyColumnAudience(db);
   const registered = db.getRegisteredTableNames();
   for (const table of registered) {
@@ -63133,21 +63259,6 @@ var FeedBus = class {
 init_fts();
 init_mutations();
 
-// src/gui/config-io.ts
-import { readFileSync as readFileSync14, writeFileSync as writeFileSync6 } from "fs";
-import { parseDocument as parseDocument2 } from "yaml";
-async function execSql(db, sql) {
-  const adapter = db._adapter;
-  if (!adapter.runAsync) throw new Error("Adapter does not support runAsync");
-  await adapter.runAsync(sql);
-}
-function loadConfigDoc(configPath) {
-  return parseDocument2(readFileSync14(configPath, "utf8"));
-}
-function saveConfigDoc(configPath, doc) {
-  writeFileSync6(configPath, doc.toString(), "utf8");
-}
-
 // src/gui/schema-ops.ts
 init_parser();
 init_canonical_context();
@@ -64683,6 +64794,7 @@ async function dispatchDbConfigRoute(req, res, ctx) {
         const result = await migrateLatticeData(ctx.db, target);
         await target.rebuildFtsIndexes();
         await secureCloud(target);
+        await publishSharedSchema(target, ctx.configPath);
         target.close();
         const sourceDbPath = parseConfigFile(ctx.configPath).dbPath;
         const backupPath = archiveLocalSqlite(sourceDbPath);
@@ -66541,10 +66653,13 @@ function resolveOutputDirForConfig(configPath) {
 async function openConfig(configPath, outputDir, autoRender = false, realtimeWatchdogMs) {
   healRawDbUrl(configPath);
   const parsed = parseConfigFile(configPath);
+  const encryptionKey = getOrCreateMasterKey();
   if (!/^postgres(ql)?:\/\//i.test(parsed.dbPath) && !parsed.dbPath.startsWith("file:") && parsed.dbPath !== ":memory:") {
     mkdirSync11(dirname14(parsed.dbPath), { recursive: true });
   }
-  const encryptionKey = getOrCreateMasterKey();
+  if (/^postgres(ql)?:\/\//i.test(parsed.dbPath)) {
+    await hydrateMemberConfigFromCloud(configPath, parsed.dbPath, encryptionKey);
+  }
   const db = new Lattice({ config: configPath }, { encryptionKey });
   registerNativeEntities(db);
   db.define("_lattice_gui_meta", {
@@ -66701,16 +66816,27 @@ async function openConfig(configPath, outputDir, autoRender = false, realtimeWat
         await db.ensureObservationSubstrate();
         await enableChangelogRls(db);
         await enableChatPrivacyRls(db);
+        await enableGuiAuditRls(db);
         const access = await reconcileCloudMemberAccess(db);
         convergeWarnings = access.skipped;
         for (const s2 of convergeWarnings) {
           console.warn(`[openConfig] cloud converge could not manage "${s2.table}": ${s2.reason}`);
         }
+        await publishSharedSchema(db, configPath);
       }
     } catch (e6) {
       console.error("[openConfig] cloud bootstrap converge failed:", e6.message);
     }
   }
+  if (memberOpen) {
+    const userTables = db.getRegisteredTableNames().filter((t8) => !t8.startsWith("_") && !discoveredJunctions.has(t8));
+    if (userTables.length === 0) {
+      convergeWarnings.push({
+        table: "(schema)",
+        reason: "No entity layout is configured for this cloud workspace yet \u2014 ask the cloud owner to open the workspace once so it publishes the schema, then reopen. Until then, render produces no context files."
+      });
+    }
+  }
   const validTables = new Set(parsed.tables.map((t8) => t8.name));
   for (const name of db.getRegisteredTableNames()) {
     if (name.startsWith("__lattice_") || name.startsWith("_lattice_")) continue;
@@ -69298,7 +69424,7 @@ function printHelp() {
   );
 }
 function getVersion() {
-  if (true) return "3.4.1";
+  if (true) return "3.4.2";
   try {
     const pkgPath = new URL("../package.json", import.meta.url).pathname;
     const pkg = JSON.parse(readFileSync20(pkgPath, "utf-8"));
@@ -69366,14 +69492,17 @@ function runGenerate(args) {
 }
 async function runRender(args) {
   const outputDir = resolve11(args.output);
+  const configPath = resolve11(args.config);
   let parsed;
   try {
-    parsed = parseConfigFile(resolve11(args.config));
+    parsed = parseConfigFile(configPath);
   } catch (e6) {
     console.error(`Error: ${e6.message}`);
     process.exit(1);
   }
-  const db = new Lattice({ config: resolve11(args.config) });
+  const encryptionKey = getOrCreateMasterKey();
+  await hydrateMemberConfigFromCloud(configPath, parsed.dbPath, encryptionKey);
+  const db = new Lattice({ config: configPath }, { encryptionKey });
   try {
     await db.init();
     const start = Date.now();
@@ -69389,7 +69518,6 @@ async function runRender(args) {
   } finally {
     db.close();
   }
-  void parsed;
 }
 async function runReconcile(args, isDryRun) {
   const outputDir = resolve11(args.output);

package/dist/index.cjs

@@ -47378,6 +47378,33 @@ async function ownPolyfillsByGroup(db) {
     }
   }
 }
+async function enableGuiAuditRls(db) {
+  if (!isPg(db)) return;
+  const reg = await getAsyncOrSync(db.adapter, `SELECT to_regclass($1) AS reg`, [
+    "_lattice_gui_audit"
+  ]);
+  if (reg?.reg == null) return;
+  await runCloudBootstrapSql(
+    db,
+    `
+ALTER TABLE "_lattice_gui_audit" ENABLE ROW LEVEL SECURITY;
+ALTER TABLE "_lattice_gui_audit" FORCE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS "lattice_gui_audit_owner" ON "_lattice_gui_audit";
+DROP POLICY IF EXISTS "lattice_gui_audit_sel" ON "_lattice_gui_audit";
+CREATE POLICY "lattice_gui_audit_sel" ON "_lattice_gui_audit" FOR SELECT
+  USING ("row_id" IS NULL OR lattice_row_visible("table_name", "row_id"));
+DROP POLICY IF EXISTS "lattice_gui_audit_ins" ON "_lattice_gui_audit";
+CREATE POLICY "lattice_gui_audit_ins" ON "_lattice_gui_audit" FOR INSERT
+  WITH CHECK ("row_id" IS NULL OR lattice_row_visible("table_name", "row_id"));
+DROP POLICY IF EXISTS "lattice_gui_audit_upd" ON "_lattice_gui_audit";
+CREATE POLICY "lattice_gui_audit_upd" ON "_lattice_gui_audit" FOR UPDATE
+  USING ("row_id" IS NULL OR lattice_row_visible("table_name", "row_id"));
+DROP POLICY IF EXISTS "lattice_gui_audit_del" ON "_lattice_gui_audit";
+CREATE POLICY "lattice_gui_audit_del" ON "_lattice_gui_audit" FOR DELETE
+  USING ("row_id" IS NULL OR lattice_row_visible("table_name", "row_id"));
+`
+  );
+}
 async function installCloudRls(db) {
   if (!isPg(db)) return;
   const schema = await cloudSchema(db);
@@ -47543,6 +47570,18 @@ CREATE TABLE IF NOT EXISTS "__lattice_member_invites" (
 -- bootstrap is now run directly + idempotently, not version-gated).
 ALTER TABLE "__lattice_member_invites" ADD COLUMN IF NOT EXISTS "email" text;
 
+-- Owner-published entity/render LAYOUT (the entities + entityContexts config
+-- blocks), so a joined member \u2014 whose generated config has entities: {} \u2014 can
+-- hydrate the full render layout and produce a complete context tree. This holds
+-- schema CONFIG, not row data, so it is safe to share with members (granted
+-- SELECT). A shared singleton, like __lattice_user_identity: no per-row RLS.
+CREATE TABLE IF NOT EXISTS "__lattice_shared_schema" (
+  "id" TEXT PRIMARY KEY DEFAULT 'singleton',
+  "entities_json" TEXT,
+  "contexts_json" TEXT,
+  "updated_at" TEXT
+);
+
 -- #3.1 \u2014 one-time-use + revocation enforcement. After a member authenticates to
 -- the cloud with their minted credential, the join path calls this to CLAIM the
 -- invite. The single atomic UPDATE stamps redeemed_at and returns true ONLY when
@@ -50471,7 +50510,7 @@ function findDocsDir() {
   }
   for (let i6 = 0; i6 < 8; i6++) {
     const candidate = (0, import_node_path31.join)(dir, "docs");
-    if ((0, import_node_fs28.existsSync)((0, import_node_path31.join)(candidate, "cloud.md"))) {
+    if ((0, import_node_fs29.existsSync)((0, import_node_path31.join)(candidate, "cloud.md"))) {
       _docsDir = candidate;
       return _docsDir;
     }
@@ -50512,13 +50551,13 @@ function allSections() {
   const out = [];
   let files = [];
   try {
-    files = (0, import_node_fs28.readdirSync)(dir).filter((f6) => f6.endsWith(".md"));
+    files = (0, import_node_fs29.readdirSync)(dir).filter((f6) => f6.endsWith(".md"));
   } catch {
     files = [];
   }
   for (const f6 of files) {
     try {
-      out.push(...sectionsOf(f6, (0, import_node_fs28.readFileSync)((0, import_node_path31.join)(dir, f6), "utf8")));
+      out.push(...sectionsOf(f6, (0, import_node_fs29.readFileSync)((0, import_node_path31.join)(dir, f6), "utf8")));
     } catch {
     }
   }
@@ -50560,11 +50599,11 @@ function searchLatticeDocs(query, limit = 4) {
     }))
   };
 }
-var import_node_fs28, import_node_path31, import_node_url2, import_meta5, _docsDir, MAX_SECTION_CHARS, _cache;
+var import_node_fs29, import_node_path31, import_node_url2, import_meta5, _docsDir, MAX_SECTION_CHARS, _cache;
 var init_lattice_docs = __esm({
   "src/gui/ai/lattice-docs.ts"() {
     "use strict";
-    import_node_fs28 = require("fs");
+    import_node_fs29 = require("fs");
     import_node_path31 = require("path");
     import_node_url2 = require("url");
     import_meta5 = {};
@@ -54632,7 +54671,7 @@ var MEMBER_READABLE_BOOKKEEPING = [
   {
     name: "_lattice_gui_audit",
     privs: "SELECT, INSERT",
-    why: "the member's own GUI undo/redo log (session-scoped)"
+    why: "GUI undo/redo + version history; RLS (enableGuiAuditRls) scopes reads to entries whose underlying row the member can see"
   },
   {
     name: "__lattice_user_identity",
@@ -54643,6 +54682,11 @@ var MEMBER_READABLE_BOOKKEEPING = [
     name: "__lattice_changelog",
     privs: "SELECT, INSERT",
     why: "per-viewer-RLS-filtered change history for observe()/history (the policy filters reads, so the base grant is safe)"
+  },
+  {
+    name: "__lattice_shared_schema",
+    privs: "SELECT",
+    why: "owner-published entity/render layout (entities + entityContexts) a joined member hydrates its config from so render produces the full context tree"
   }
 ];
 var MEMBER_EXECUTE_FUNCTIONS = [
@@ -54799,6 +54843,7 @@ async function secureCloud(db) {
   await db.ensureObservationSubstrate();
   await enableChangelogRls(db);
   await enableChatPrivacyRls(db);
+  await enableGuiAuditRls(db);
   await convergeLegacyColumnAudience(db);
   const registered = db.getRegisteredTableNames();
   for (const table of registered) {
@@ -64752,6 +64797,87 @@ init_postgres();
 init_cloud_connect();
 init_rls();
 
+// src/cloud/shared-schema.ts
+init_lattice();
+init_adapter();
+
+// src/gui/config-io.ts
+var import_node_fs28 = require("fs");
+var import_yaml4 = require("yaml");
+async function execSql(db, sql) {
+  const adapter = db._adapter;
+  if (!adapter.runAsync) throw new Error("Adapter does not support runAsync");
+  await adapter.runAsync(sql);
+}
+function loadConfigDoc(configPath) {
+  return (0, import_yaml4.parseDocument)((0, import_node_fs28.readFileSync)(configPath, "utf8"));
+}
+function saveConfigDoc(configPath, doc) {
+  (0, import_node_fs28.writeFileSync)(configPath, doc.toString(), "utf8");
+}
+
+// src/cloud/shared-schema.ts
+async function publishSharedSchema(db, configPath) {
+  if (db.getDialect() !== "postgres") return;
+  const cfg = loadConfigDoc(configPath).toJSON();
+  const entities = cfg.entities ?? {};
+  if (Object.keys(entities).length === 0) return;
+  await runAsyncOrSync(
+    db.adapter,
+    `INSERT INTO "__lattice_shared_schema" ("id","entities_json","contexts_json","updated_at")
+       VALUES ('singleton', $1, $2, $3)
+       ON CONFLICT ("id") DO UPDATE SET
+         "entities_json" = EXCLUDED."entities_json",
+         "contexts_json" = EXCLUDED."contexts_json",
+         "updated_at"    = EXCLUDED."updated_at"`,
+    [
+      JSON.stringify(entities),
+      JSON.stringify(cfg.entityContexts ?? null),
+      (/* @__PURE__ */ new Date()).toISOString()
+    ]
+  );
+}
+async function hydrateMemberConfigFromCloud(configPath, dbUrl, encryptionKey) {
+  if (!isPostgresUrl(dbUrl)) return false;
+  const existing = loadConfigDoc(configPath).toJSON();
+  if (Object.keys(existing.entities ?? {}).length > 0) return false;
+  try {
+    const peek = new Lattice({ config: configPath }, { encryptionKey });
+    try {
+      await peek.init({ introspectOnly: true });
+      const reg = await getAsyncOrSync(
+        peek.adapter,
+        "SELECT to_regclass('__lattice_shared_schema') AS reg"
+      );
+      if (reg?.reg == null) return false;
+      const row = await getAsyncOrSync(
+        peek.adapter,
+        'SELECT "entities_json","contexts_json" FROM "__lattice_shared_schema" WHERE "id" = $1',
+        ["singleton"]
+      );
+      if (row?.entities_json == null) return false;
+      const entities = JSON.parse(row.entities_json);
+      if (Object.keys(entities).length === 0) return false;
+      const doc = loadConfigDoc(configPath);
+      doc.setIn(["entities"], entities);
+      if (row.contexts_json != null) {
+        const ctx = JSON.parse(row.contexts_json);
+        if (ctx) doc.setIn(["entityContexts"], ctx);
+      }
+      saveConfigDoc(configPath, doc);
+      return true;
+    } finally {
+      peek.close();
+    }
+  } catch (e6) {
+    console.warn(
+      "[hydrateMemberConfigFromCloud] could not hydrate member schema:",
+      e6.message
+    );
+    return false;
+  }
+}
+
 // src/gui/meta-gen.ts
 init_assistant_routes();
 init_chat();
@@ -64840,21 +64966,6 @@ var FeedBus = class {
 init_fts();
 init_mutations();
 
-// src/gui/config-io.ts
-var import_node_fs29 = require("fs");
-var import_yaml4 = require("yaml");
-async function execSql(db, sql) {
-  const adapter = db._adapter;
-  if (!adapter.runAsync) throw new Error("Adapter does not support runAsync");
-  await adapter.runAsync(sql);
-}
-function loadConfigDoc(configPath) {
-  return (0, import_yaml4.parseDocument)((0, import_node_fs29.readFileSync)(configPath, "utf8"));
-}
-function saveConfigDoc(configPath, doc) {
-  (0, import_node_fs29.writeFileSync)(configPath, doc.toString(), "utf8");
-}
-
 // src/gui/schema-ops.ts
 init_parser();
 init_canonical_context();
@@ -66043,6 +66154,7 @@ async function dispatchDbConfigRoute(req, res, ctx) {
         const result = await migrateLatticeData(ctx.db, target);
         await target.rebuildFtsIndexes();
         await secureCloud(target);
+        await publishSharedSchema(target, ctx.configPath);
         target.close();
         const sourceDbPath = parseConfigFile(ctx.configPath).dbPath;
         const backupPath = archiveLocalSqlite(sourceDbPath);
@@ -67751,10 +67863,13 @@ function resolveOutputDirForConfig(configPath) {
 async function openConfig(configPath, outputDir, autoRender = false, realtimeWatchdogMs) {
   healRawDbUrl(configPath);
   const parsed = parseConfigFile(configPath);
+  const encryptionKey = getOrCreateMasterKey();
   if (!/^postgres(ql)?:\/\//i.test(parsed.dbPath) && !parsed.dbPath.startsWith("file:") && parsed.dbPath !== ":memory:") {
     (0, import_node_fs35.mkdirSync)((0, import_node_path38.dirname)(parsed.dbPath), { recursive: true });
   }
-  const encryptionKey = getOrCreateMasterKey();
+  if (/^postgres(ql)?:\/\//i.test(parsed.dbPath)) {
+    await hydrateMemberConfigFromCloud(configPath, parsed.dbPath, encryptionKey);
+  }
   const db = new Lattice({ config: configPath }, { encryptionKey });
   registerNativeEntities(db);
   db.define("_lattice_gui_meta", {
@@ -67911,16 +68026,27 @@ async function openConfig(configPath, outputDir, autoRender = false, realtimeWat
         await db.ensureObservationSubstrate();
         await enableChangelogRls(db);
         await enableChatPrivacyRls(db);
+        await enableGuiAuditRls(db);
         const access = await reconcileCloudMemberAccess(db);
         convergeWarnings = access.skipped;
         for (const s2 of convergeWarnings) {
           console.warn(`[openConfig] cloud converge could not manage "${s2.table}": ${s2.reason}`);
         }
+        await publishSharedSchema(db, configPath);
       }
     } catch (e6) {
       console.error("[openConfig] cloud bootstrap converge failed:", e6.message);
     }
   }
+  if (memberOpen) {
+    const userTables = db.getRegisteredTableNames().filter((t8) => !t8.startsWith("_") && !discoveredJunctions.has(t8));
+    if (userTables.length === 0) {
+      convergeWarnings.push({
+        table: "(schema)",
+        reason: "No entity layout is configured for this cloud workspace yet \u2014 ask the cloud owner to open the workspace once so it publishes the schema, then reopen. Until then, render produces no context files."
+      });
+    }
+  }
   const validTables = new Set(parsed.tables.map((t8) => t8.name));
   for (const name of db.getRegisteredTableNames()) {
     if (name.startsWith("__lattice_") || name.startsWith("_lattice_")) continue;

package/dist/index.js

@@ -47371,6 +47371,33 @@ async function ownPolyfillsByGroup(db) {
     }
   }
 }
+async function enableGuiAuditRls(db) {
+  if (!isPg(db)) return;
+  const reg = await getAsyncOrSync(db.adapter, `SELECT to_regclass($1) AS reg`, [
+    "_lattice_gui_audit"
+  ]);
+  if (reg?.reg == null) return;
+  await runCloudBootstrapSql(
+    db,
+    `
+ALTER TABLE "_lattice_gui_audit" ENABLE ROW LEVEL SECURITY;
+ALTER TABLE "_lattice_gui_audit" FORCE ROW LEVEL SECURITY;
+DROP POLICY IF EXISTS "lattice_gui_audit_owner" ON "_lattice_gui_audit";
+DROP POLICY IF EXISTS "lattice_gui_audit_sel" ON "_lattice_gui_audit";
+CREATE POLICY "lattice_gui_audit_sel" ON "_lattice_gui_audit" FOR SELECT
+  USING ("row_id" IS NULL OR lattice_row_visible("table_name", "row_id"));
+DROP POLICY IF EXISTS "lattice_gui_audit_ins" ON "_lattice_gui_audit";
+CREATE POLICY "lattice_gui_audit_ins" ON "_lattice_gui_audit" FOR INSERT
+  WITH CHECK ("row_id" IS NULL OR lattice_row_visible("table_name", "row_id"));
+DROP POLICY IF EXISTS "lattice_gui_audit_upd" ON "_lattice_gui_audit";
+CREATE POLICY "lattice_gui_audit_upd" ON "_lattice_gui_audit" FOR UPDATE
+  USING ("row_id" IS NULL OR lattice_row_visible("table_name", "row_id"));
+DROP POLICY IF EXISTS "lattice_gui_audit_del" ON "_lattice_gui_audit";
+CREATE POLICY "lattice_gui_audit_del" ON "_lattice_gui_audit" FOR DELETE
+  USING ("row_id" IS NULL OR lattice_row_visible("table_name", "row_id"));
+`
+  );
+}
 async function installCloudRls(db) {
   if (!isPg(db)) return;
   const schema = await cloudSchema(db);
@@ -47536,6 +47563,18 @@ CREATE TABLE IF NOT EXISTS "__lattice_member_invites" (
 -- bootstrap is now run directly + idempotently, not version-gated).
 ALTER TABLE "__lattice_member_invites" ADD COLUMN IF NOT EXISTS "email" text;
 
+-- Owner-published entity/render LAYOUT (the entities + entityContexts config
+-- blocks), so a joined member \u2014 whose generated config has entities: {} \u2014 can
+-- hydrate the full render layout and produce a complete context tree. This holds
+-- schema CONFIG, not row data, so it is safe to share with members (granted
+-- SELECT). A shared singleton, like __lattice_user_identity: no per-row RLS.
+CREATE TABLE IF NOT EXISTS "__lattice_shared_schema" (
+  "id" TEXT PRIMARY KEY DEFAULT 'singleton',
+  "entities_json" TEXT,
+  "contexts_json" TEXT,
+  "updated_at" TEXT
+);
+
 -- #3.1 \u2014 one-time-use + revocation enforcement. After a member authenticates to
 -- the cloud with their minted credential, the join path calls this to CLAIM the
 -- invite. The single atomic UPDATE stamps redeemed_at and returns true ONLY when
@@ -50452,7 +50491,7 @@ var init_registry = __esm({
 });
 
 // src/gui/ai/lattice-docs.ts
-import { readFileSync as readFileSync16, readdirSync as readdirSync5, existsSync as existsSync20 } from "fs";
+import { readFileSync as readFileSync17, readdirSync as readdirSync5, existsSync as existsSync20 } from "fs";
 import { dirname as dirname8, join as join25 } from "path";
 import { fileURLToPath as fileURLToPath2 } from "url";
 function findDocsDir() {
@@ -50512,7 +50551,7 @@ function allSections() {
   }
   for (const f6 of files) {
     try {
-      out.push(...sectionsOf(f6, readFileSync16(join25(dir, f6), "utf8")));
+      out.push(...sectionsOf(f6, readFileSync17(join25(dir, f6), "utf8")));
     } catch {
     }
   }
@@ -54450,7 +54489,7 @@ var MEMBER_READABLE_BOOKKEEPING = [
   {
     name: "_lattice_gui_audit",
     privs: "SELECT, INSERT",
-    why: "the member's own GUI undo/redo log (session-scoped)"
+    why: "GUI undo/redo + version history; RLS (enableGuiAuditRls) scopes reads to entries whose underlying row the member can see"
   },
   {
     name: "__lattice_user_identity",
@@ -54461,6 +54500,11 @@ var MEMBER_READABLE_BOOKKEEPING = [
     name: "__lattice_changelog",
     privs: "SELECT, INSERT",
     why: "per-viewer-RLS-filtered change history for observe()/history (the policy filters reads, so the base grant is safe)"
+  },
+  {
+    name: "__lattice_shared_schema",
+    privs: "SELECT",
+    why: "owner-published entity/render layout (entities + entityContexts) a joined member hydrates its config from so render produces the full context tree"
   }
 ];
 var MEMBER_EXECUTE_FUNCTIONS = [
@@ -54617,6 +54661,7 @@ async function secureCloud(db) {
   await db.ensureObservationSubstrate();
   await enableChangelogRls(db);
   await enableChatPrivacyRls(db);
+  await enableGuiAuditRls(db);
   await convergeLegacyColumnAudience(db);
   const registered = db.getRegisteredTableNames();
   for (const table of registered) {
@@ -64576,6 +64621,87 @@ init_postgres();
 init_cloud_connect();
 init_rls();
 
+// src/cloud/shared-schema.ts
+init_lattice();
+init_adapter();
+
+// src/gui/config-io.ts
+import { readFileSync as readFileSync16, writeFileSync as writeFileSync5 } from "fs";
+import { parseDocument as parseDocument2 } from "yaml";
+async function execSql(db, sql) {
+  const adapter = db._adapter;
+  if (!adapter.runAsync) throw new Error("Adapter does not support runAsync");
+  await adapter.runAsync(sql);
+}
+function loadConfigDoc(configPath) {
+  return parseDocument2(readFileSync16(configPath, "utf8"));
+}
+function saveConfigDoc(configPath, doc) {
+  writeFileSync5(configPath, doc.toString(), "utf8");
+}
+
+// src/cloud/shared-schema.ts
+async function publishSharedSchema(db, configPath) {
+  if (db.getDialect() !== "postgres") return;
+  const cfg = loadConfigDoc(configPath).toJSON();
+  const entities = cfg.entities ?? {};
+  if (Object.keys(entities).length === 0) return;
+  await runAsyncOrSync(
+    db.adapter,
+    `INSERT INTO "__lattice_shared_schema" ("id","entities_json","contexts_json","updated_at")
+       VALUES ('singleton', $1, $2, $3)
+       ON CONFLICT ("id") DO UPDATE SET
+         "entities_json" = EXCLUDED."entities_json",
+         "contexts_json" = EXCLUDED."contexts_json",
+         "updated_at"    = EXCLUDED."updated_at"`,
+    [
+      JSON.stringify(entities),
+      JSON.stringify(cfg.entityContexts ?? null),
+      (/* @__PURE__ */ new Date()).toISOString()
+    ]
+  );
+}
+async function hydrateMemberConfigFromCloud(configPath, dbUrl, encryptionKey) {
+  if (!isPostgresUrl(dbUrl)) return false;
+  const existing = loadConfigDoc(configPath).toJSON();
+  if (Object.keys(existing.entities ?? {}).length > 0) return false;
+  try {
+    const peek = new Lattice({ config: configPath }, { encryptionKey });
+    try {
+      await peek.init({ introspectOnly: true });
+      const reg = await getAsyncOrSync(
+        peek.adapter,
+        "SELECT to_regclass('__lattice_shared_schema') AS reg"
+      );
+      if (reg?.reg == null) return false;
+      const row = await getAsyncOrSync(
+        peek.adapter,
+        'SELECT "entities_json","contexts_json" FROM "__lattice_shared_schema" WHERE "id" = $1',
+        ["singleton"]
+      );
+      if (row?.entities_json == null) return false;
+      const entities = JSON.parse(row.entities_json);
+      if (Object.keys(entities).length === 0) return false;
+      const doc = loadConfigDoc(configPath);
+      doc.setIn(["entities"], entities);
+      if (row.contexts_json != null) {
+        const ctx = JSON.parse(row.contexts_json);
+        if (ctx) doc.setIn(["entityContexts"], ctx);
+      }
+      saveConfigDoc(configPath, doc);
+      return true;
+    } finally {
+      peek.close();
+    }
+  } catch (e6) {
+    console.warn(
+      "[hydrateMemberConfigFromCloud] could not hydrate member schema:",
+      e6.message
+    );
+    return false;
+  }
+}
+
 // src/gui/meta-gen.ts
 init_assistant_routes();
 init_chat();
@@ -64664,21 +64790,6 @@ var FeedBus = class {
 init_fts();
 init_mutations();
 
-// src/gui/config-io.ts
-import { readFileSync as readFileSync17, writeFileSync as writeFileSync5 } from "fs";
-import { parseDocument as parseDocument2 } from "yaml";
-async function execSql(db, sql) {
-  const adapter = db._adapter;
-  if (!adapter.runAsync) throw new Error("Adapter does not support runAsync");
-  await adapter.runAsync(sql);
-}
-function loadConfigDoc(configPath) {
-  return parseDocument2(readFileSync17(configPath, "utf8"));
-}
-function saveConfigDoc(configPath, doc) {
-  writeFileSync5(configPath, doc.toString(), "utf8");
-}
-
 // src/gui/schema-ops.ts
 init_parser();
 init_canonical_context();
@@ -65867,6 +65978,7 @@ async function dispatchDbConfigRoute(req, res, ctx) {
         const result = await migrateLatticeData(ctx.db, target);
         await target.rebuildFtsIndexes();
         await secureCloud(target);
+        await publishSharedSchema(target, ctx.configPath);
         target.close();
         const sourceDbPath = parseConfigFile(ctx.configPath).dbPath;
         const backupPath = archiveLocalSqlite(sourceDbPath);
@@ -67575,10 +67687,13 @@ function resolveOutputDirForConfig(configPath) {
 async function openConfig(configPath, outputDir, autoRender = false, realtimeWatchdogMs) {
   healRawDbUrl(configPath);
   const parsed = parseConfigFile(configPath);
+  const encryptionKey = getOrCreateMasterKey();
   if (!/^postgres(ql)?:\/\//i.test(parsed.dbPath) && !parsed.dbPath.startsWith("file:") && parsed.dbPath !== ":memory:") {
     mkdirSync10(dirname13(parsed.dbPath), { recursive: true });
   }
-  const encryptionKey = getOrCreateMasterKey();
+  if (/^postgres(ql)?:\/\//i.test(parsed.dbPath)) {
+    await hydrateMemberConfigFromCloud(configPath, parsed.dbPath, encryptionKey);
+  }
   const db = new Lattice({ config: configPath }, { encryptionKey });
   registerNativeEntities(db);
   db.define("_lattice_gui_meta", {
@@ -67735,16 +67850,27 @@ async function openConfig(configPath, outputDir, autoRender = false, realtimeWat
         await db.ensureObservationSubstrate();
         await enableChangelogRls(db);
         await enableChatPrivacyRls(db);
+        await enableGuiAuditRls(db);
         const access = await reconcileCloudMemberAccess(db);
         convergeWarnings = access.skipped;
         for (const s2 of convergeWarnings) {
           console.warn(`[openConfig] cloud converge could not manage "${s2.table}": ${s2.reason}`);
         }
+        await publishSharedSchema(db, configPath);
       }
     } catch (e6) {
       console.error("[openConfig] cloud bootstrap converge failed:", e6.message);
     }
   }
+  if (memberOpen) {
+    const userTables = db.getRegisteredTableNames().filter((t8) => !t8.startsWith("_") && !discoveredJunctions.has(t8));
+    if (userTables.length === 0) {
+      convergeWarnings.push({
+        table: "(schema)",
+        reason: "No entity layout is configured for this cloud workspace yet \u2014 ask the cloud owner to open the workspace once so it publishes the schema, then reopen. Until then, render produces no context files."
+      });
+    }
+  }
   const validTables = new Set(parsed.tables.map((t8) => t8.name));
   for (const name of db.getRegisteredTableNames()) {
     if (name.startsWith("__lattice_") || name.startsWith("_lattice_")) continue;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "latticesql",
-  "version": "3.4.1",
+  "version": "3.4.2",
   "description": "Persistent structured memory for AI agent systems — pluggable SQLite or Postgres backend, LLM context bridge",
   "type": "module",
   "main": "./dist/index.js",