latticesql 3.4.2 → 3.4.4

package/dist/cli.js

@@ -507,7 +507,23 @@ function deleteAssistantCredential(kind) {
   void _removed;
   saveAssistantCredentials(rest);
 }
-var MASTER_KEY_FILENAME, IDENTITY_FILENAME, EMPTY_IDENTITY, PREFERENCES_FILENAME, DEFAULT_PREFERENCES, DB_CREDENTIALS_FILENAME, CRED_LOCK_FILENAME, LOCK_STALE_MS, LOCK_TIMEOUT_MS, lockDepthInProcess, S3_CONFIG_FILENAME, ASSISTANT_CREDENTIALS_FILENAME;
+function isAssistantCredentialCleared(kind) {
+  return loadAssistantCredentials()[CLEARED_SENTINEL_PREFIX + kind] === "1";
+}
+function setAssistantCredentialCleared(kind) {
+  const creds = loadAssistantCredentials();
+  creds[CLEARED_SENTINEL_PREFIX + kind] = "1";
+  saveAssistantCredentials(creds);
+}
+function clearAssistantCredentialCleared(kind) {
+  const creds = loadAssistantCredentials();
+  const sentinel = CLEARED_SENTINEL_PREFIX + kind;
+  if (!(sentinel in creds)) return;
+  const { [sentinel]: _removed, ...rest } = creds;
+  void _removed;
+  saveAssistantCredentials(rest);
+}
+var MASTER_KEY_FILENAME, IDENTITY_FILENAME, EMPTY_IDENTITY, PREFERENCES_FILENAME, DEFAULT_PREFERENCES, DB_CREDENTIALS_FILENAME, CRED_LOCK_FILENAME, LOCK_STALE_MS, LOCK_TIMEOUT_MS, lockDepthInProcess, S3_CONFIG_FILENAME, ASSISTANT_CREDENTIALS_FILENAME, CLEARED_SENTINEL_PREFIX;
 var init_user_config = __esm({
   "src/framework/user-config.ts"() {
     "use strict";
@@ -530,6 +546,7 @@ var init_user_config = __esm({
     lockDepthInProcess = 0;
     S3_CONFIG_FILENAME = "s3-config.enc";
     ASSISTANT_CREDENTIALS_FILENAME = "assistant-credentials.enc";
+    CLEARED_SENTINEL_PREFIX = "__cleared__:";
   }
 });
 
@@ -960,10 +977,12 @@ function readManifest(outputDir) {
 function writeManifest(outputDir, manifest) {
   atomicWrite(manifestPath(outputDir), JSON.stringify(manifest, null, 2));
 }
+var TEMPLATE_VERSION;
 var init_manifest = __esm({
   "src/lifecycle/manifest.ts"() {
     "use strict";
     init_writer();
+    TEMPLATE_VERSION = 1;
   }
 });
 
@@ -997,6 +1016,126 @@ var init_adapter = __esm({
   }
 });
 
+// src/lifecycle/render-cursor.ts
+function markToString(v2) {
+  if (v2 == null) return null;
+  if (v2 instanceof Date) return v2.toISOString();
+  if (typeof v2 === "string") return v2;
+  if (typeof v2 === "number" || typeof v2 === "bigint" || typeof v2 === "boolean") return String(v2);
+  return null;
+}
+function padNumericMark(v2) {
+  const s2 = markToString(v2);
+  if (s2 == null) return null;
+  if (/^\d+$/.test(s2)) return s2.padStart(20, "0");
+  return s2;
+}
+async function changelogExists(adapter) {
+  if (adapter.dialect === "postgres") {
+    const row2 = await getAsyncOrSync(
+      adapter,
+      `SELECT to_regclass('__lattice_changelog') AS reg`
+    );
+    return !!row2 && row2.reg != null;
+  }
+  const row = await getAsyncOrSync(
+    adapter,
+    `SELECT name FROM sqlite_master WHERE type='table' AND name='__lattice_changelog'`
+  );
+  return !!row;
+}
+async function changelogMark(adapter) {
+  try {
+    if (!await changelogExists(adapter)) return null;
+    const col = adapter.dialect === "postgres" ? "seq" : "rowid";
+    const row = await getAsyncOrSync(
+      adapter,
+      `SELECT MAX(${col}) AS m FROM __lattice_changelog`
+    );
+    return padNumericMark(row?.m);
+  } catch {
+    return null;
+  }
+}
+async function sharingMarks(adapter) {
+  if (adapter.dialect !== "postgres") return { grants: null, owners: null };
+  try {
+    const reg = await getAsyncOrSync(
+      adapter,
+      `SELECT to_regclass('__lattice_changes') AS reg`
+    );
+    const hasFeed = !!reg && reg.reg != null;
+    if (hasFeed) {
+      const row = await getAsyncOrSync(
+        adapter,
+        `SELECT COUNT(*) AS n, MAX(seq) AS m FROM lattice_changes_since(0, 1000)`
+      );
+      const digest = digestOf(row?.n, row?.m);
+      return { grants: digest, owners: digest };
+    }
+  } catch {
+  }
+  let owners = null;
+  let grants = null;
+  try {
+    const o3 = await getAsyncOrSync(
+      adapter,
+      `SELECT COUNT(*) AS n, MAX(updated_at) AS m FROM __lattice_owners`
+    );
+    owners = digestOf(o3?.n, o3?.m);
+  } catch {
+    owners = null;
+  }
+  try {
+    const g6 = await getAsyncOrSync(
+      adapter,
+      `SELECT COUNT(*) AS n, MAX(granted_at) AS m FROM __lattice_row_grants`
+    );
+    grants = digestOf(g6?.n, g6?.m);
+  } catch {
+    grants = null;
+  }
+  return { grants, owners };
+}
+function digestOf(count, max) {
+  const n3 = padNumericMark(count);
+  if (n3 == null) return null;
+  const m4 = markToString(max) ?? "";
+  return `${n3}#${m4}`;
+}
+async function computeRenderCursor(adapter) {
+  try {
+    const [changelog, sharing] = await Promise.all([changelogMark(adapter), sharingMarks(adapter)]);
+    return { changelog, grants: sharing.grants, owners: sharing.owners };
+  } catch {
+    return { ...EMPTY_CURSOR };
+  }
+}
+function cursorIsFresh(recorded, live, templateVersion = TEMPLATE_VERSION) {
+  if (recorded == null) return false;
+  if (recorded.templateVersion !== templateVersion) return false;
+  const rc = recorded.cursor;
+  if (rc == null) return false;
+  if (!fieldFresh(rc.changelog, live.changelog, (r6, l4) => l4 <= r6)) return false;
+  if (!fieldFresh(rc.grants, live.grants, (r6, l4) => l4 === r6)) return false;
+  if (!fieldFresh(rc.owners, live.owners, (r6, l4) => l4 === r6)) return false;
+  return true;
+}
+function fieldFresh(recorded, live, ok) {
+  if (recorded == null && live == null) return true;
+  if (recorded == null || live == null) return false;
+  return ok(recorded, live);
+}
+var EMPTY_CURSOR;
+var init_render_cursor = __esm({
+  "src/lifecycle/render-cursor.ts"() {
+    "use strict";
+    init_adapter();
+    init_manifest();
+    EMPTY_CURSOR = { changelog: null, grants: null, owners: null };
+  }
+});
+
 // src/db/sqlite.ts
 import Database from "better-sqlite3";
 var SQLiteAdapter;
@@ -3035,7 +3174,18 @@ var init_concurrency = __esm({
 // src/render/engine.ts
 import { join as join7, basename, isAbsolute, resolve as resolve3, sep } from "path";
 import { mkdirSync as mkdirSync5, existsSync as existsSync7, copyFileSync as copyFileSync2 } from "fs";
-var YIELD_EVERY_ENTITIES, RENDER_TABLE_CONCURRENCY, NOOP_RENDER, RenderEngine;
+function entityContentChanged(fresh, prior) {
+  const freshKeys = Object.keys(fresh);
+  const priorKeys = Object.keys(prior);
+  if (freshKeys.length !== priorKeys.length) return true;
+  for (const k6 of freshKeys) {
+    const p3 = prior[k6];
+    if (p3 == null) return true;
+    if (p3.hash === "" || p3.hash !== fresh[k6]?.hash) return true;
+  }
+  return false;
+}
+var DeferredTableProgress, YIELD_EVERY_ENTITIES, RENDER_TABLE_CONCURRENCY, NOOP_RENDER, RenderEngine;
 var init_engine = __esm({
   "src/render/engine.ts"() {
     "use strict";
@@ -3045,9 +3195,44 @@ var init_engine = __esm({
     init_entity_query();
     init_entity_templates();
     init_manifest();
+    init_render_cursor();
     init_cleanup();
     init_progress();
     init_concurrency();
+    DeferredTableProgress = class {
+      constructor(throttle) {
+        this.throttle = throttle;
+      }
+      changed = false;
+      pendingStart = null;
+      /** Buffer the `table-start` event; emitted only if/when the table changes. */
+      start(event) {
+        if (this.changed) {
+          this.throttle.force(event);
+          return;
+        }
+        this.pendingStart = event;
+      }
+      /** Mark that an entity's content changed — flush the held `table-start` once. */
+      markChanged() {
+        if (this.changed) return;
+        this.changed = true;
+        if (this.pendingStart) {
+          this.throttle.force(this.pendingStart);
+          this.pendingStart = null;
+        }
+      }
+      /** Coalesced per-entity progress — dropped entirely until the table changed. */
+      tick(event) {
+        if (!this.changed) return;
+        this.throttle.tick(event);
+      }
+      /** Lifecycle event (`table-done`) — emitted only if the table changed. */
+      force(event) {
+        if (!this.changed) return;
+        this.throttle.force(event);
+      }
+    };
     YIELD_EVERY_ENTITIES = 200;
     RENDER_TABLE_CONCURRENCY = 4;
     NOOP_RENDER = () => "";
@@ -3164,20 +3349,23 @@ var init_engine = __esm({
           }
           const content = def.tokenBudget ? applyTokenBudget(rows, def.render, def.tokenBudget, def.prioritizeBy) : def.render(rows);
           const filePath = join7(outputDir, def.outputFile);
-          if (atomicWrite(filePath, content)) {
+          const wrote = atomicWrite(filePath, content);
+          if (wrote) {
             filesWritten.push(filePath);
           } else {
             counters.skipped++;
           }
-          throttle.force({
-            kind: "table-done",
-            table: name,
-            entitiesRendered: rows.length,
-            entitiesTotal: rows.length,
-            tableIndex: 0,
-            tableCount: 0,
-            pct: 100
-          });
+          if (wrote) {
+            throttle.force({
+              kind: "table-done",
+              table: name,
+              entitiesRendered: rows.length,
+              entitiesTotal: rows.length,
+              tableIndex: 0,
+              tableCount: 0,
+              pct: 100
+            });
+          }
         }
         for (const [name, def] of this._schema.getMultis()) {
           if (signal?.aborted) return this._abortedResult(filesWritten, counters, start);
@@ -3191,32 +3379,38 @@ var init_engine = __esm({
               tables[t8] = await this._schema.queryTable(this._adapter, t8, this._readRel);
             }
           }
+          let wroteAny = false;
           for (const key of keys) {
             const content = def.render(key, tables);
             const filePath = join7(outputDir, def.outputFile(key));
             if (atomicWrite(filePath, content)) {
               filesWritten.push(filePath);
+              wroteAny = true;
             } else {
               counters.skipped++;
             }
           }
-          throttle.force({
-            kind: "table-done",
-            table: name,
-            entitiesRendered: keys.length,
-            entitiesTotal: keys.length,
-            tableIndex: 0,
-            tableCount: 0,
-            pct: 100
-          });
+          if (wroteAny) {
+            throttle.force({
+              kind: "table-done",
+              table: name,
+              entitiesRendered: keys.length,
+              entitiesTotal: keys.length,
+              tableIndex: 0,
+              tableCount: 0,
+              pct: 100
+            });
+          }
         }
+        const priorManifest = readManifest(outputDir);
         const entityContextManifest = await this._renderEntityContexts(
           outputDir,
           filesWritten,
           counters,
           throttle,
           signal,
-          opts.changedTables
+          opts.changedTables,
+          priorManifest
         );
         if (entityContextManifest === null) {
           return this._abortedResult(filesWritten, counters, start);
@@ -3227,10 +3421,13 @@ var init_engine = __esm({
             const prev = readManifest(outputDir);
             entityContexts = { ...prev?.entityContexts ?? {}, ...entityContextManifest };
           }
+          const cursor = await computeRenderCursor(this._adapter);
           writeManifest(outputDir, {
             version: 2,
             generated_at: (/* @__PURE__ */ new Date()).toISOString(),
-            entityContexts
+            entityContexts,
+            templateVersion: TEMPLATE_VERSION,
+            cursor
           });
         }
         const result = {
@@ -3296,7 +3493,7 @@ var init_engine = __esm({
        * partial tree). Progress is reported through `throttle`; abort is observed
        * via `signal`.
        */
-      async _renderEntityContexts(outputDir, filesWritten, counters, throttle, signal, changedTables) {
+      async _renderEntityContexts(outputDir, filesWritten, counters, throttle, signal, changedTables, priorManifest) {
         const protectedTables = /* @__PURE__ */ new Set();
         for (const [t8, d6] of this._schema.getEntityContexts()) {
           if (d6.protected) protectedTables.add(t8);
@@ -3315,8 +3512,10 @@ var init_engine = __esm({
             const baseRows = await this._schema.queryTable(this._adapter, table, this._readRel);
             const allRows = this._foldRows ? await this._foldRows(table, baseRows) : baseRows;
             const directoryRoot = def.directoryRoot ?? table;
+            const deferred = new DeferredTableProgress(throttle);
+            const priorEntities = priorManifest?.entityContexts[table]?.entities ?? {};
             const entitiesTotal = allRows.length;
-            throttle.force({
+            deferred.start({
               kind: "table-start",
               table,
               entitiesRendered: 0,
@@ -3325,6 +3524,7 @@ var init_engine = __esm({
               tableCount,
               pct: 0
             });
+            if (Object.keys(priorEntities).length !== entitiesTotal) deferred.markChanged();
             const manifestEntry = {
               directoryRoot,
               ...def.index ? { indexFile: def.index.outputFile } : {},
@@ -3440,8 +3640,10 @@ var init_engine = __esm({
                 }
               }
               manifestEntry.entities[slug] = entityFileHashes;
+              const priorHashes = normalizeEntityFiles(priorEntities[slug] ?? {});
+              if (entityContentChanged(entityFileHashes, priorHashes)) deferred.markChanged();
               const entitiesRendered = i6 + 1;
-              throttle.tick({
+              deferred.tick({
                 kind: "table-progress",
                 table,
                 entitiesRendered,
@@ -3451,7 +3653,7 @@ var init_engine = __esm({
                 pct: entitiesTotal > 0 ? entitiesRendered / entitiesTotal * 100 : 100
               });
             }
-            throttle.force({
+            deferred.force({
               kind: "table-done",
               table,
               entitiesRendered: entitiesTotal,
@@ -5085,6 +5287,7 @@ var init_lattice = __esm({
     init_shred();
     init_encryption();
     init_manifest();
+    init_render_cursor();
     init_adapter();
     init_sqlite();
     init_postgres();
@@ -5155,6 +5358,14 @@ var init_lattice = __esm({
       _changelogTables = /* @__PURE__ */ new Set();
       /** Current task context string for relevance filtering. */
       _taskContext = "";
+      /**
+       * True when this connection opened against an already-provisioned cloud as a
+       * SCOPED MEMBER (no role-management privilege → no CREATE/ALTER on the schema).
+       * Set during init() by the same probe that decides introspect-only. Drives
+       * {@link addColumn} to route DDL through the owner-side `lattice_member_add_column`
+       * SECURITY DEFINER helper instead of issuing a raw ALTER the member can't run.
+       */
+      _cloudMemberOpen = false;
       _auditHandlers = [];
       _renderHandlers = [];
       _writebackHandlers = [];
@@ -5401,7 +5612,7 @@ var init_lattice = __esm({
       /** Async tail of init(). See {@link init} for the sync-validation phase. */
       async _initAsync(options) {
         let introspectOnly = options.introspectOnly === true;
-        if (!introspectOnly && this.getDialect() === "postgres") {
+        if (this.getDialect() === "postgres") {
           try {
             const [marker, role] = await Promise.all([
               getAsyncOrSync(this._adapter, `SELECT to_regclass('__lattice_owners') AS reg`),
@@ -5412,7 +5623,9 @@ var init_lattice = __esm({
             ]);
             const provisioned = !!marker && marker.reg != null;
             const canCreateRoles = !!role && role.rolcreaterole === true;
-            introspectOnly = provisioned && !canCreateRoles;
+            const memberOpen = provisioned && !canCreateRoles;
+            introspectOnly = introspectOnly || memberOpen;
+            this._cloudMemberOpen = memberOpen;
           } catch {
           }
         }
@@ -5500,6 +5713,26 @@ var init_lattice = __esm({
       getDialect() {
         return this._adapter.dialect;
       }
+      /**
+       * True when a table opts into the observation/changelog substrate
+       * (`def.changelog`). Callers that want to bypass the high-level {@link delete}
+       * with a transaction-scoped raw delete use this to know whether the table also
+       * needs the changelog / write-hook / embedding side effects that only
+       * `delete()` performs — so they can keep the high-level path for such tables.
+       */
+      isChangelogTracked(table) {
+        return this._changelogTables.has(table);
+      }
+      /**
+       * True when this connection opened as a scoped cloud MEMBER (see
+       * {@link _cloudMemberOpen}). Callers use it to route DDL-bearing work through
+       * the owner-side SECURITY DEFINER helpers rather than issuing DDL the member's
+       * role can't run (e.g. {@link addColumn} regenerates the masking view inside
+       * `lattice_member_add_column`, so the caller must not also try to regenerate it).
+       */
+      isCloudMemberOpen() {
+        return this._cloudMemberOpen;
+      }
       /**
        * Return the normalised primary-key column list for a registered
        * table. Falls back to `['id']` for tables registered via raw DDL
@@ -5576,7 +5809,15 @@ var init_lattice = __esm({
         assertSafeIdentifier(column, "column");
         const existing = await introspectColumnsAsyncOrSync(this._adapter, table);
         if (!existing.includes(column)) {
-          await addColumnAsyncOrSync(this._adapter, table, column, typeSpec);
+          if (this._cloudMemberOpen) {
+            await runAsyncOrSync(this._adapter, `SELECT lattice_member_add_column(?, ?, ?)`, [
+              table,
+              column,
+              typeSpec
+            ]);
+          } else {
+            await addColumnAsyncOrSync(this._adapter, table, column, typeSpec);
+          }
         }
         const cols = await introspectColumnsAsyncOrSync(this._adapter, table);
         this._columnCache.set(table, new Set(cols));
@@ -6508,12 +6749,39 @@ var init_lattice = __esm({
       async renderInBackground(outputDir, opts = {}) {
         const notInit = this._notInitError();
         if (notInit) return notInit;
+        if (opts.gateOnOpen && !opts.changedTables) {
+          const start = Date.now();
+          const recorded = readManifest(outputDir);
+          if (recorded != null) {
+            const live = await computeRenderCursor(this._adapter);
+            if (cursorIsFresh(recorded, live)) {
+              opts.onProgress?.({
+                kind: "done",
+                table: null,
+                entitiesRendered: 0,
+                entitiesTotal: 0,
+                tableIndex: 0,
+                tableCount: 0,
+                pct: 100,
+                durationMs: Date.now() - start
+              });
+              const skipped = {
+                filesWritten: [],
+                filesSkipped: 0,
+                durationMs: Date.now() - start
+              };
+              for (const h6 of this._renderHandlers) h6(skipped);
+              return skipped;
+            }
+          }
+        }
         if (!opts.changedTables) {
           this._pendingRenderAll = false;
           this._pendingRenderTables = /* @__PURE__ */ new Set();
           this._autoRenderPending = false;
         }
-        return this._renderGuarded(outputDir, opts);
+        const { gateOnOpen: _gateOnOpen, ...engineOpts } = opts;
+        return this._renderGuarded(outputDir, engineOpts);
       }
       /**
        * Install a per-viewer read-relation resolver for ALL renders (initial,
@@ -8623,6 +8891,111 @@ LANGUAGE sql STABLE SECURITY DEFINER AS $fn$
      AND g."pk" = ANY(p_pks)
      AND o."owner_role" = session_user;
 $fn$;
+
+-- Add a column to a user table AS THE OWNER, on behalf of a scoped member. A
+-- member's role has no CREATE/ALTER on the schema (the bootstrap REVOKEs CREATE
+-- from PUBLIC), so a member's GUI "add a field" write (createRow/updateRow with a
+-- field the table lacks) cannot run ALTER TABLE itself. This SECURITY DEFINER
+-- helper performs that ALTER \u2014 and the masking-view regen \u2014 with the owner's
+-- rights, so member-added columns behave identically to owner-added ones.
+--
+-- Injection-safe + minimal: p_table must be an existing BASE table in the current
+-- schema (rejected otherwise); p_type is whitelisted against the exact set the
+-- library's addColumn emits for an auto-added column (TEXT / INTEGER / REAL, plus
+-- BOOLEAN) \u2014 never interpolated raw; both identifiers go through %I (quote_ident).
+-- Member-callable (granted EXECUTE to the member group), but it can only widen the
+-- schema, never read or alter another member's data.
+CREATE OR REPLACE FUNCTION lattice_member_add_column(p_table text, p_column text, p_type text)
+RETURNS void LANGUAGE plpgsql SECURITY DEFINER AS $fn$
+DECLARE
+  v_type      text;
+  v_view      text := p_table || '_v';
+  v_has_view  boolean;
+  v_pk_expr   text;
+  v_select    text;
+BEGIN
+  -- Never alter internal bookkeeping tables (names start with "_"). The GUI only
+  -- ever calls this for a user entity table; rejecting the rest is defense-in-depth
+  -- against a member invoking the function directly against ownership/audit/policy
+  -- tables.
+  IF left(p_table, 1) = '_' THEN
+    RAISE EXCEPTION 'lattice: cannot add a column to internal table "%"', p_table;
+  END IF;
+
+  -- p_table must be a real base table in THIS schema (search_path is pinned to the
+  -- cloud schema by pinDefinerSearchPath, so to_regclass resolves there).
+  IF NOT EXISTS (
+    SELECT 1 FROM pg_class c
+      JOIN pg_namespace n ON n.oid = c.relnamespace
+     WHERE n.nspname = current_schema() AND c.relname = p_table AND c.relkind = 'r'
+  ) THEN
+    RAISE EXCEPTION 'lattice: no such table "%"', p_table;
+  END IF;
+
+  -- Whitelist the column type. These are exactly the specs addColumn's
+  -- inferColumnType produces (TEXT / INTEGER / REAL); BOOLEAN is allowed too.
+  -- Anything else is rejected \u2014 the type is spliced as %s (NOT %I), so it must be
+  -- a known-safe literal and never caller-controlled SQL.
+  v_type := upper(btrim(p_type));
+  IF v_type NOT IN ('TEXT', 'INTEGER', 'REAL', 'BOOLEAN') THEN
+    RAISE EXCEPTION 'lattice: unsupported column type "%"', p_type;
+  END IF;
+
+  EXECUTE format('ALTER TABLE %I ADD COLUMN IF NOT EXISTS %I %s', p_table, p_column, v_type);
+
+  -- If the table is cell-masked (a "<table>_v" view exists, because some column has
+  -- an audience), the view selects an explicit column list \u2014 so a new column is
+  -- invisible to members until the view is regenerated. Rebuild it the same way the
+  -- owner path (audienceViewSql / regenerateAudienceViewFromDb) does: pass every
+  -- column through except those with an 'owner' audience in __lattice_column_policy
+  -- (CASE WHEN lattice_is_owner(...) THEN col END), re-apply row visibility with
+  -- WHERE lattice_row_visible(table, pk), and keep the member SELECT grant on the
+  -- view. Unmasked tables need no regen \u2014 the member group's table-level base grant
+  -- already covers the new column.
+  SELECT EXISTS (
+    SELECT 1 FROM pg_class c
+      JOIN pg_namespace n ON n.oid = c.relnamespace
+     WHERE n.nspname = current_schema() AND c.relname = v_view AND c.relkind = 'v'
+  ) INTO v_has_view;
+
+  IF v_has_view THEN
+    -- Canonical pk expression: CAST("col" AS TEXT) joined by TAB (chr(9)) \u2014 the
+    -- same serialization the RLS policies + audienceViewSql use.
+    SELECT string_agg(format('CAST(%I AS TEXT)', a.attname), ' || chr(9) || '
+                      ORDER BY array_position(i.indkey, a.attnum))
+      INTO v_pk_expr
+      FROM pg_index i
+      JOIN pg_class c ON c.oid = i.indrelid
+      JOIN pg_namespace n ON n.oid = c.relnamespace
+      JOIN pg_attribute a ON a.attrelid = c.oid AND a.attnum = ANY(i.indkey)
+     WHERE n.nspname = current_schema() AND c.relname = p_table AND i.indisprimary;
+    IF v_pk_expr IS NULL THEN
+      RAISE EXCEPTION 'lattice: cannot regenerate mask view for "%": no primary key', p_table;
+    END IF;
+
+    -- Build the masked SELECT list in column order, applying the per-column policy.
+    SELECT string_agg(
+             CASE
+               WHEN cp."audience" = 'owner'
+                 THEN format('CASE WHEN lattice_is_owner(%L, %s) THEN %I END AS %I',
+                             p_table, v_pk_expr, cols.column_name, cols.column_name)
+               ELSE format('%I', cols.column_name)
+             END,
+             ', ' ORDER BY cols.ordinal_position)
+      INTO v_select
+      FROM information_schema.columns cols
+      LEFT JOIN "__lattice_column_policy" cp
+        ON cp."table_name" = p_table AND cp."column_name" = cols.column_name
+       AND cp."audience" NOT IN ('', 'everyone', 'row-audience')
+     WHERE cols.table_schema = current_schema() AND cols.table_name = p_table;
+
+    EXECUTE format(
+      'CREATE OR REPLACE VIEW %I AS SELECT %s FROM %I WHERE lattice_row_visible(%L, %s)',
+      v_view, v_select, p_table, p_table, v_pk_expr);
+    EXECUTE format('GRANT SELECT ON %I TO ${MEMBER_GROUP}', v_view);
+  END IF;
+END $fn$;
+GRANT EXECUTE ON FUNCTION lattice_member_add_column(text, text, text) TO ${MEMBER_GROUP};
 `;
   }
 });
@@ -8796,18 +9169,9 @@ function sessionUndoneFilters(undone, sessionId) {
   if (sessionId) filters.push({ col: "session_id", op: "eq", val: sessionId });
   return filters;
 }
-async function appendAudit(db, feed, table, rowId, op, before, after, source = "gui", sessionId, editTs) {
-  const undone = await db.query("_lattice_gui_audit", {
-    filters: sessionUndoneFilters(1, sessionId)
-  });
-  for (const r6 of undone) await db.delete("_lattice_gui_audit", r6.id);
-  await db.insert("_lattice_gui_audit", {
+function buildAuditRow(table, rowId, op, before, after, sessionId, editTs) {
+  return {
     id: crypto.randomUUID(),
-    // Set ts explicitly (don't rely on the column DEFAULT — it uses the
-    // SQLite-only `strftime(...)`, which doesn't yield a parseable ISO string
-    // on Postgres, so cloud history rendered "Invalid Date"). #4.6 — honor the
-    // originating client's validated edit time when present (an offline edit
-    // replayed later records when it was MADE, not when it synced), else now().
     ts: sanitizeEditTs(editTs) ?? (/* @__PURE__ */ new Date()).toISOString(),
     table_name: table,
     row_id: rowId,
@@ -8816,7 +9180,9 @@ async function appendAudit(db, feed, table, rowId, op, before, after, source = "
     after_json: after ? JSON.stringify(after) : null,
     undone: 0,
     session_id: sessionId ?? null
-  });
+  };
+}
+function publishMutationFeed(feed, table, rowId, op, before, after, source) {
   const labelRow = op === "delete" ? before : after;
   feed.publish({
     table,
@@ -8826,17 +9192,28 @@ async function appendAudit(db, feed, table, rowId, op, before, after, source = "
     summary: feedSummary(op, table, labelRow)
   });
 }
-function isSchemaOp(operation2) {
-  return operation2.startsWith(SCHEMA_OP_PREFIX);
-}
-async function recordSchemaAudit(db, feed, table, operation2, before, after, summary, source = "gui", sessionId) {
+async function purgeRedoStack(db, sessionId) {
   const undone = await db.query("_lattice_gui_audit", {
     filters: sessionUndoneFilters(1, sessionId)
   });
   for (const r6 of undone) await db.delete("_lattice_gui_audit", r6.id);
+}
+async function appendAudit(db, feed, table, rowId, op, before, after, source = "gui", sessionId, editTs) {
+  await purgeRedoStack(db, sessionId);
+  await db.insert(
+    "_lattice_gui_audit",
+    buildAuditRow(table, rowId, op, before, after, sessionId, editTs)
+  );
+  publishMutationFeed(feed, table, rowId, op, before, after, source);
+}
+function isSchemaOp(operation2) {
+  return operation2.startsWith(SCHEMA_OP_PREFIX);
+}
+async function recordSchemaAudit(db, feed, table, operation2, before, after, summary, source = "gui", sessionId) {
+  await purgeRedoStack(db, sessionId);
   await db.insert("_lattice_gui_audit", {
     id: crypto.randomUUID(),
-    // Explicit ISO ts — see appendAudit (the SQLite-only strftime DEFAULT
+    // Explicit ISO ts — see buildAuditRow (the SQLite-only strftime DEFAULT
     // rendered "Invalid Date" on the Postgres/cloud path).
     ts: (/* @__PURE__ */ new Date()).toISOString(),
     table_name: table,
@@ -8871,7 +9248,7 @@ async function ensureColumns(db, table, values) {
   const added = Object.keys(values).filter((k6) => !(k6 in existing));
   if (added.length === 0) return [];
   for (const col of added) await db.addColumn(table, col, inferColumnType(values[col]));
-  if (db.getDialect() === "postgres" && await cloudRlsInstalled(db)) {
+  if (!db.isCloudMemberOpen() && db.getDialect() === "postgres" && await cloudRlsInstalled(db)) {
     const cols = db.getRegisteredColumns(table);
     const pk = db.getPrimaryKey(table);
     if (cols && pk.length > 0) await regenerateAudienceViewFromDb(db, table, Object.keys(cols), pk);
@@ -8993,7 +9370,14 @@ async function deleteRow(ctx, table, id, hard) {
       ctx.clientTs
     );
   } else {
-    await ctx.db.delete(table, id);
+    await hardDelete(ctx, table, id, before);
+  }
+}
+async function hardDelete(ctx, table, id, before) {
+  const withClient = ctx.db.adapter.withClient?.bind(ctx.db.adapter);
+  const pkCols = ctx.db.getPrimaryKey(table);
+  const pkCol = pkCols.length === 1 ? pkCols[0] : void 0;
+  if (!withClient || ctx.db.isChangelogTracked(table) || pkCol === void 0) {
     await appendAudit(
       ctx.db,
       ctx.feed,
@@ -9006,10 +9390,30 @@ async function deleteRow(ctx, table, id, hard) {
       ctx.sessionId,
       ctx.clientTs
     );
+    await ctx.db.delete(table, id);
+    return;
   }
+  const auditRow = buildAuditRow(table, id, "delete", before, null, ctx.sessionId, ctx.clientTs);
+  await purgeRedoStack(ctx.db, ctx.sessionId);
+  const auditCols = AUDIT_COLUMNS.map((c6) => `"${c6}"`).join(", ");
+  const auditPlaceholders = AUDIT_COLUMNS.map(() => "?").join(", ");
+  const auditValues = AUDIT_COLUMNS.map((c6) => auditRow[c6]);
+  const pkColQuoted = pkCol.replace(/"/g, '""');
+  await withClient(async (tx) => {
+    await tx.run(
+      `INSERT INTO "_lattice_gui_audit" (${auditCols}) VALUES (${auditPlaceholders})`,
+      auditValues
+    );
+    await tx.run(`DELETE FROM "${table.replace(/"/g, '""')}" WHERE "${pkColQuoted}" = ?`, [id]);
+  });
+  publishMutationFeed(ctx.feed, table, id, "delete", before, null, ctx.source);
 }
-async function linkRows(ctx, table, body) {
-  await ctx.db.link(table, body);
+async function linkRows(ctx, table, body, forceVisibility) {
+  if (forceVisibility !== void 0) {
+    await ctx.db.insertForcingVisibility(table, body, forceVisibility);
+  } else {
+    await ctx.db.link(table, body);
+  }
   await appendAudit(ctx.db, ctx.feed, table, null, "link", null, body, ctx.source, ctx.sessionId);
 }
 async function unlinkRows(ctx, table, body) {
@@ -9147,12 +9551,23 @@ async function revertEntry(ctx, id) {
   });
   return { ok: true, entry };
 }
-var SCHEMA_OP_PREFIX;
+var AUDIT_COLUMNS, SCHEMA_OP_PREFIX;
 var init_mutations = __esm({
   "src/gui/mutations.ts"() {
     "use strict";
     init_cloud_connect();
     init_audience();
+    AUDIT_COLUMNS = [
+      "id",
+      "ts",
+      "table_name",
+      "row_id",
+      "operation",
+      "before_json",
+      "after_json",
+      "undone",
+      "session_id"
+    ];
     SCHEMA_OP_PREFIX = "schema.";
   }
 });
@@ -9439,6 +9854,10 @@ async function readMachineCredential(db, kind) {
   }
   return null;
 }
+async function resolveAnthropicKey(db) {
+  if (isAssistantCredentialCleared(CREDENTIALS.anthropic.kind)) return null;
+  return await readMachineCredential(db, CREDENTIALS.anthropic.kind) ?? process.env.ANTHROPIC_API_KEY ?? null;
+}
 function getAggressiveness() {
   const n3 = readPreferences().aggressiveness;
   if (!Number.isFinite(n3)) return DEFAULT_AGGRESSIVENESS;
@@ -9469,6 +9888,7 @@ async function getVoiceCredential(db) {
   return null;
 }
 async function hasCredential(db, name, envVar) {
+  if (isAssistantCredentialCleared(CREDENTIALS[name].kind)) return false;
   return Boolean(await readMachineCredential(db, CREDENTIALS[name].kind)) || Boolean(process.env[envVar]);
 }
 async function resolveClaudeAuth(db) {
@@ -9491,7 +9911,7 @@ async function resolveClaudeAuth(db) {
     } catch {
     }
   }
-  const apiKey = await readMachineCredential(db, CREDENTIALS.anthropic.kind) ?? process.env.ANTHROPIC_API_KEY ?? null;
+  const apiKey = await resolveAnthropicKey(db);
   return apiKey ? { apiKey } : null;
 }
 async function hasClaudeAuth(db) {
@@ -9588,6 +10008,7 @@ async function dispatchAssistantRoute(req, res, ctx) {
     }
     const cred = CREDENTIALS[name];
     setAssistantCredential(cred.kind, key);
+    clearAssistantCredentialCleared(cred.kind);
     if (db) {
       for (const row of await liveSecretsOfKind(db, cred.kind)) {
         await db.update("secrets", row.id, { deleted_at: (/* @__PURE__ */ new Date()).toISOString() });
@@ -9604,6 +10025,7 @@ async function dispatchAssistantRoute(req, res, ctx) {
       return true;
     }
     deleteAssistantCredential(CREDENTIALS[name].kind);
+    setAssistantCredentialCleared(CREDENTIALS[name].kind);
     if (db) {
       for (const row of await liveSecretsOfKind(db, CREDENTIALS[name].kind)) {
         await db.update("secrets", row.id, { deleted_at: (/* @__PURE__ */ new Date()).toISOString() });
@@ -10810,6 +11232,11 @@ async function revokeRow(db, table, pk, grantee) {
   assertPg(db);
   await runAsyncOrSync(db.adapter, `SELECT lattice_revoke_row(?, ?, ?)`, [table, pk, grantee]);
 }
+async function batchRowGrants(db, table, pk, grant, revoke) {
+  assertPg(db);
+  for (const grantee of grant) await grantRow(db, table, pk, grantee);
+  for (const grantee of revoke) await revokeRow(db, table, pk, grantee);
+}
 async function revokeMemberRole(db, role) {
   assertPg(db);
   if (!ROLE_RE.test(role)) throw new Error(`lattice: invalid member role name "${role}"`);
@@ -12053,7 +12480,7 @@ function buildSchema(db) {
   }
   return out;
 }
-async function enrichWithLlm(mctx, db, fileId, text, name, junctions, descriptions, createJunction, aggressiveness = DEFAULT_AGGRESSIVENESS, createEntity, untrusted = false) {
+async function enrichWithLlm(mctx, db, fileId, text, name, junctions, descriptions, createJunction, aggressiveness = DEFAULT_AGGRESSIVENESS, createEntity, untrusted = false, privateMode = false) {
   if (!text.trim()) return [];
   const auth = await resolveClaudeAuth(db);
   if (!auth) {
@@ -12075,6 +12502,7 @@ async function enrichWithLlm(mctx, db, fileId, text, name, junctions, descriptio
     });
     return [];
   }
+  const forceVis = privateMode ? "private" : void 0;
   const temperature = aggressivenessToTemperature(aggressiveness);
   let description = "";
   try {
@@ -12117,11 +12545,16 @@ async function enrichWithLlm(mctx, db, fileId, text, name, junctions, descriptio
       }
       if (jx) {
         try {
-          await linkRows(mctx, jx.junction, {
-            id: crypto.randomUUID(),
-            [jx.fileFk]: fileId,
-            [jx.otherFk]: m4.id
-          });
+          await linkRows(
+            mctx,
+            jx.junction,
+            {
+              id: crypto.randomUUID(),
+              [jx.fileFk]: fileId,
+              [jx.otherFk]: m4.id
+            },
+            forceVis
+          );
           linkedCount++;
           if (created) {
             mctx.feed.publish({
@@ -12180,16 +12613,21 @@ async function enrichWithLlm(mctx, db, fileId, text, name, junctions, descriptio
           if ("name" in cols && row.name == null) row.name = obj2.label;
           if ("title" in cols && row.title == null) row.title = obj2.label;
           try {
-            const { id: rowId } = await createRow(mctx, entity, row);
+            const { id: rowId } = await createRow(mctx, entity, row, forceVis);
             createdCount++;
             const ent = entity;
             const jx = junctions.find((j6) => j6.otherTable === ent) ?? (createJunction ? await createJunction(ent) : null);
             if (jx) {
-              await linkRows(mctx, jx.junction, {
-                id: crypto.randomUUID(),
-                [jx.fileFk]: fileId,
-                [jx.otherFk]: rowId
-              });
+              await linkRows(
+                mctx,
+                jx.junction,
+                {
+                  id: crypto.randomUUID(),
+                  [jx.fileFk]: fileId,
+                  [jx.otherFk]: rowId
+                },
+                forceVis
+              );
             }
           } catch (e6) {
             console.warn(`[ingest] create ${entity} from document failed:`, e6.message);
@@ -12203,12 +12641,17 @@ async function enrichWithLlm(mctx, db, fileId, text, name, junctions, descriptio
       try {
         const title = name.replace(/\.[^./\\]+$/, "").trim() || "Note";
         const body = description.length > 0 ? description : text.slice(0, 2e3);
-        const { id: noteId } = await createRow(mctx, "notes", {
-          id: crypto.randomUUID(),
-          title,
-          body,
-          source_file_id: fileId
-        });
+        const { id: noteId } = await createRow(
+          mctx,
+          "notes",
+          {
+            id: crypto.randomUUID(),
+            title,
+            body,
+            source_file_id: fileId
+          },
+          forceVis
+        );
         mctx.feed.publish({
           table: "notes",
           op: "insert",
@@ -12694,7 +13137,8 @@ async function ingestUrlAsFile(ctx, rawUrl, opts = {}) {
       ctx.enrich.createJunction,
       ctx.enrich.aggressiveness,
       ctx.enrich.createEntity,
-      true
+      true,
+      ctx.privateMode === true
     );
   }
   return {
@@ -13573,13 +14017,22 @@ function loadSdk() {
     throw new Error("Could not resolve the Anthropic constructor from '@anthropic-ai/sdk'");
   return ctor;
 }
-function createAnthropicClient(auth) {
-  const Anthropic = loadSdk();
+function buildAnthropicConfig(auth) {
   const config = {};
-  if (auth.authToken) config.authToken = auth.authToken;
-  else if (auth.apiKey) config.apiKey = auth.apiKey;
+  if (auth.authToken) {
+    config.authToken = auth.authToken;
+    config.apiKey = null;
+  } else if (auth.apiKey) {
+    config.apiKey = auth.apiKey;
+  } else {
+    config.apiKey = null;
+  }
   if (auth.betaHeader) config.defaultHeaders = { "anthropic-beta": auth.betaHeader };
-  const sdk = new Anthropic(config);
+  return config;
+}
+function createAnthropicClient(auth) {
+  const Anthropic = loadSdk();
+  const sdk = new Anthropic(buildAnthropicConfig(auth));
   return {
     async runTurn(params) {
       const stream = sdk.messages.stream({
@@ -53145,7 +53598,7 @@ async function checkForUpdate(pkgName, currentVersion, opts = {}) {
 // src/update-context.ts
 init_user_config();
 import { execFileSync } from "child_process";
-import { existsSync as existsSync14, lstatSync, readFileSync as readFileSync10 } from "fs";
+import { existsSync as existsSync14, lstatSync, readFileSync as readFileSync10, realpathSync } from "fs";
 import { dirname as dirname7, join as join13, sep as sep2 } from "path";
 var SEMVER_RE = /^\d+\.\d+\.\d+(-[\w.]+)?$/;
 function isValidVersion(v2) {
@@ -53175,10 +53628,19 @@ function isUnderGlobalPrefix(packageRoot, execPath) {
 }
 function detectInstallContext(opts = {}) {
   const pkgName = opts.pkgName ?? "latticesql";
-  const cwd = opts.cwd ?? process.cwd();
   const env2 = opts.env ?? process.env;
   const execPath = opts.execPath ?? process.execPath;
-  const modulePath = opts.modulePath ?? process.argv[1] ?? cwd;
+  const rawCwd = opts.cwd ?? process.cwd();
+  const rawModulePath = opts.modulePath ?? process.argv[1] ?? rawCwd;
+  const resolveReal = (p3) => {
+    try {
+      return realpathSync(p3);
+    } catch {
+      return p3;
+    }
+  };
+  const modulePath = resolveReal(rawModulePath);
+  const cwd = resolveReal(rawCwd);
   const packageRoot = findPackageRoot(dirname7(modulePath), pkgName);
   if (packageRoot && existsSync14(join13(packageRoot, ".git"))) {
     return {
@@ -54179,6 +54641,8 @@ var css = `
     .grants-panel .grants-title { font-weight: 600; margin-bottom: 6px; }
     .grants-panel .grants-row { display: flex; align-items: center; gap: 8px; padding: 3px 0; cursor: pointer; }
     .grants-panel .grants-row input { accent-color: var(--accent); }
+    .grants-panel .grants-actions { display: flex; align-items: center; gap: 8px; margin-top: 10px; padding-top: 8px; border-top: 1px solid var(--border); }
+    .grants-panel .grants-dirty { font-size: 12px; }
 
     /* Inline create-row at the bottom of every table */
     tr.create-row td { background: var(--surface-2); }
@@ -54523,6 +54987,25 @@ var css = `
       animation: feedSpin 0.7s linear infinite; vertical-align: middle;
     }
     @keyframes feedSpin { to { transform: rotate(360deg); } }
+    /* Batch-upload progress bar \u2014 pinned to the top of the feed while a
+       multi-file drop drains through the bounded-concurrency queue. */
+    .ingest-progress {
+      position: sticky; top: 0; z-index: 3;
+      display: flex; flex-direction: column; gap: 6px;
+      padding: 8px 10px; border-radius: 8px;
+      background: var(--surface); border: 1px solid rgba(190, 242, 100, 0.22);
+      box-shadow: var(--shadow-1), var(--glow-accent-soft);
+    }
+    .ingest-progress-label { font-size: 12px; font-weight: 500; color: var(--text); }
+    .ingest-progress-track {
+      height: 6px; border-radius: 999px; overflow: hidden; background: var(--border-strong);
+    }
+    .ingest-progress-fill {
+      height: 100%; width: 0%; border-radius: 999px;
+      background: linear-gradient(90deg, var(--accent-deep), var(--accent));
+      box-shadow: 0 0 8px rgba(190, 242, 100, 0.5);
+      transition: width 0.3s ease;
+    }
     .assistant-rail {
       position: relative;
       background:
@@ -56626,6 +57109,15 @@ var appJs = `
     // Per-table view state: 'live' (default) or 'trash' (soft-deleted rows).
     var tableViewMode = {};
 
+    // The (table, pk) of the per-row "Manage access" grants panel that is
+    // currently open, or null when none is. A soft re-render (a concurrent edit
+    // by another client fires pg_notify \u2192 realtime refresh \u2192 renderRoute({soft})
+    // \u2192 renderDetail/renderFsItem repaint) would otherwise re-create the detail
+    // view with the panel collapsed, dropping a staged multi-select mid-edit.
+    // wireRowSharing reads this after each repaint and re-opens + re-populates the
+    // panel WITHOUT any network call, so the staged selection survives.
+    var openGrantsPanel = null;
+
     function renderTable(content, tableName) {
       var myGen = renderGen;
       clearUnseen(tableName);
@@ -57104,70 +57596,151 @@ var appJs = `
           }).catch(function (e) { showToast('Visibility update failed: ' + e.message, {}); });
         });
       });
-      var detailVisManage = content.querySelector('#detail-vis-manage');
-      if (detailVisManage) detailVisManage.addEventListener('click', function () {
+      var access = row._access || {};
+
+      // Render the staged member checklist + a single "Save sharing" / "Cancel"
+      // into the panel. Checkbox toggles mutate ONLY the local desired map \u2014
+      // NO network call per toggle (the old design auto-saved live, one POST per
+      // checkbox, and each grant's pg_notify collapsed the panel). A single batch
+      // request fires on Save. members is the already-fetched list; desired
+      // seeds from the row's current grantees (or a caller-supplied staged map
+      // when re-opening after a soft re-render).
+      function populateGrantsPanel(panel, members, desired) {
+        // Snapshot the CURRENT (committed) grantees so Save can diff desired-vs-
+        // current into adds/removes. effectiveVisibility decides whether we're
+        // actually switching INTO specific-people mode (custom-0 reads as private).
+        var current = {};
+        (access.grantees || []).forEach(function (g) { current[g] = true; });
+        if (members.length === 0) {
+          panel.innerHTML = '<div class="muted">No other members in this workspace yet.</div>';
+          panel.hidden = false;
+          return;
+        }
+        function dirtyCount() {
+          var n = 0;
+          members.forEach(function (m) {
+            if (!!desired[m.role] !== !!current[m.role]) n++;
+          });
+          return n;
+        }
+        function render() {
+          var changed = dirtyCount();
+          panel.innerHTML = '<div class="grants-title">Who can see this</div>' +
+            members.map(function (m) {
+              var label = m.name || m.email || m.role;
+              return '<label class="grants-row"><input type="checkbox" data-grant-role="' + escapeHtml(m.role) + '"' +
+                (desired[m.role] ? ' checked' : '') + '> ' + escapeHtml(label) + '</label>';
+            }).join('') +
+            '<div class="grants-actions">' +
+              '<button class="btn primary" id="grants-save"' + (changed ? '' : ' disabled') + '>Save sharing</button>' +
+              '<button class="btn" id="grants-cancel">Cancel</button>' +
+              '<span class="grants-dirty muted">' + (changed ? (changed === 1 ? '1 change' : changed + ' changes') : 'No changes') + '</span>' +
+            '</div>';
+          panel.querySelectorAll('[data-grant-role]').forEach(function (cb) {
+            cb.addEventListener('change', function () {
+              var role = cb.getAttribute('data-grant-role');
+              if (cb.checked) desired[role] = true; else delete desired[role];
+              render(); // re-render to refresh the dirty indicator + Save state
+            });
+          });
+          var cancelBtn = panel.querySelector('#grants-cancel');
+          if (cancelBtn) cancelBtn.addEventListener('click', function () { closeGrantsPanel(panel); });
+          var saveBtn = panel.querySelector('#grants-save');
+          if (saveBtn) saveBtn.addEventListener('click', function () {
+            var toAdd = [];
+            var toRemove = [];
+            members.forEach(function (m) {
+              var want = !!desired[m.role];
+              var have = !!current[m.role];
+              if (want && !have) toAdd.push(m.role);
+              if (!want && have) toRemove.push(m.role);
+            });
+            if (toAdd.length === 0 && toRemove.length === 0) { closeGrantsPanel(panel); return; }
+            // Confirm the mode change ONCE, here \u2014 only when actually switching
+            // INTO specific-people mode (effective vis isn't already custom AND we
+            // are adding at least one grantee). Never per checkbox.
+            if (effectiveVisibility(access) !== 'custom' && toAdd.length > 0) {
+              if (!confirm('Sharing this with specific people switches it off "everyone"/"private". The chosen people will be able to see it. Continue?')) return;
+            }
+            withBusy(saveBtn, function () {
+              return fetchJson('/api/cloud/row-grants', {
+                method: 'POST',
+                headers: { 'content-type': 'application/json' },
+                body: JSON.stringify({ table: tableName, pk: id, grant: toAdd, revoke: toRemove }),
+              }).then(function () {
+                // Mirror the committed state locally so the re-render's indicator
+                // is correct. The first grant flips the row to custom server-side;
+                // revoking the last leaves custom-0, which effectiveVisibility
+                // renders as private.
+                var list = [];
+                members.forEach(function (m) { if (desired[m.role]) list.push(m.role); });
+                access.grantees = list;
+                if (list.length > 0) access.visibility = 'custom';
+                openGrantsPanel = null; // a successful save closes the staging session
+                invalidate(tableName);
+                showToast('Sharing updated', {});
+                reRender();
+              }).catch(function (e) {
+                // Surface loudly + leave the staged selection intact so the user
+                // can retry; no silent partial-success.
+                showToast('Sharing update failed: ' + e.message, {});
+              });
+            });
+          });
+          panel.hidden = false;
+        }
+        render();
+      }
+
+      function closeGrantsPanel(panel) {
+        if (panel) panel.hidden = true;
+        openGrantsPanel = null;
+      }
+
+      // Open (or toggle shut) the manage-access panel. Fetches the member list,
+      // then stages from the row's current grantees. Opening must NOT pre-flip
+      // the row to 'custom' \u2014 that left a never-shared row stuck at "custom (0)".
+      function openManagePanel(triggerBtn) {
         var panel = content.querySelector('#grants-panel');
         if (!panel) return;
-        if (!panel.hidden) { panel.hidden = true; return; }
-        var access = row._access || {};
-        // Opening the panel must NOT pre-flip the row to 'custom' \u2014 that left a
-        // row the user never actually shared stuck at "custom (0)". The first
-        // grant flips it to custom server-side (lattice_grant_row); revoking the
-        // last leaves it custom-with-0-grantees, which now reads as private. So
-        // just load the member checklist.
-        var ensure = Promise.resolve();
-        withBusy(detailVisManage, function () {
-          return ensure.then(function () {
-            return fetchJson('/api/cloud/members');
-          }).then(function (d) {
+        if (!panel.hidden) { closeGrantsPanel(panel); return; }
+        withBusy(triggerBtn, function () {
+          return fetchJson('/api/cloud/members').then(function (d) {
             // The grant target is a member ROLE: lattice_grant_row keys on the
             // role, and _access.grantees holds role names. List every member
             // except the owner (you don't grant the owner their own row).
             var members = ((d && d.members) || []).filter(function (m) { return !m.isYou && m.status !== 'owner'; });
-            var granted = {};
-            (access.grantees || []).forEach(function (g) { granted[g] = true; });
-            if (members.length === 0) {
-              panel.innerHTML = '<div class="muted">No other members in this workspace yet.</div>';
-            } else {
-              panel.innerHTML = '<div class="grants-title">Who can see this</div>' + members.map(function (m) {
-                var label = m.name || m.email || m.role;
-                return '<label class="grants-row"><input type="checkbox" data-grant-role="' + escapeHtml(m.role) + '"' +
-                  (granted[m.role] ? ' checked' : '') + '> ' + escapeHtml(label) + '</label>';
-              }).join('');
-            }
-            panel.hidden = false;
-            panel.querySelectorAll('[data-grant-role]').forEach(function (cb) {
-              cb.addEventListener('change', function () {
-                var role = cb.getAttribute('data-grant-role');
-                cb.disabled = true;
-                fetchJson('/api/cloud/row-grant', {
-                  method: 'POST',
-                  headers: { 'content-type': 'application/json' },
-                  body: JSON.stringify({ table: tableName, pk: id, grantee: role, revoke: !cb.checked }),
-                }).then(function () {
-                  var list = access.grantees || (access.grantees = []);
-                  var at = list.indexOf(role);
-                  if (cb.checked && at === -1) list.push(role);
-                  if (!cb.checked && at !== -1) list.splice(at, 1);
-                  // The first grant flips the row to custom server-side; mirror
-                  // that locally so the indicator updates. Revoking the last leaves
-                  // visibility 'custom' but effectiveVisibility renders custom-0 as
-                  // private, so the label flips back to "Private to you".
-                  if (list.length > 0) access.visibility = 'custom';
-                  var infoEl = content.querySelector('#detail-vis-info');
-                  if (infoEl) infoEl.textContent = visInfoLabel(access);
-                  invalidate(tableName);
-                }).catch(function (e) {
-                  cb.checked = !cb.checked; // revert the failed change
-                  showToast('Access update failed: ' + e.message, {});
-                }).then(function () { cb.disabled = false; });
-              });
-            });
-            var infoEl = content.querySelector('#detail-vis-info');
-            if (infoEl) infoEl.textContent = visInfoLabel(access);
+            var desired = {};
+            (access.grantees || []).forEach(function (g) { desired[g] = true; });
+            openGrantsPanel = { table: tableName, pk: id };
+            populateGrantsPanel(panel, members, desired);
           }).catch(function (e) { showToast('Could not load members: ' + e.message, {}); });
         });
+      }
+
+      var detailVisManage = content.querySelector('#detail-vis-manage');
+      if (detailVisManage) detailVisManage.addEventListener('click', function () {
+        openManagePanel(detailVisManage);
       });
+
+      // Preserve an open panel across a soft re-render: if the tracked panel
+      // matches the row this view just repainted, re-open it and re-populate the
+      // checklist from the freshly-fetched row._access WITHOUT any network call,
+      // so a concurrent edit by another client doesn't lose a staged selection.
+      if (openGrantsPanel && openGrantsPanel.table === tableName && openGrantsPanel.pk === id) {
+        var rpanel = content.querySelector('#grants-panel');
+        if (rpanel) {
+          fetchJson('/api/cloud/members').then(function (d) {
+            // Only re-populate if THIS panel is still the tracked-open one (a
+            // newer navigation/save may have cleared it while members loaded).
+            if (!openGrantsPanel || openGrantsPanel.table !== tableName || openGrantsPanel.pk !== id) return;
+            var members = ((d && d.members) || []).filter(function (m) { return !m.isYou && m.status !== 'owner'; });
+            var desired = {};
+            (access.grantees || []).forEach(function (g) { desired[g] = true; });
+            populateGrantsPanel(rpanel, members, desired);
+          }).catch(function () { /* best-effort restore; a click reopens it */ });
+        }
+      }
     }
     function renderDetail(content, tableName, id) {
       var myGen = renderGen;
@@ -61859,6 +62432,63 @@ var appJs = `
     // Browsers can't expose the local path, so we POST the bytes; the
     // server extracts + summarizes, then discards them (path stays null).
     // \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500
+    // Cap how many uploads are in flight at once. A browser allows only ~6
+    // HTTP/1.1 connections per host, so a bulk drop of N files would fire N
+    // upload POSTs in parallel and saturate that budget \u2014 every other data
+    // request (entities, rows, navigation) then queues for minutes behind the
+    // multi-minute ingests and the GUI looks frozen. Holding uploads to a few
+    // at a time leaves connections free for the rest of the app (and eases the
+    // AI rate limit each ingest hits server-side). The realtime/feed streams are
+    // already off this budget \u2014 they share one WebSocket \u2014 so this is the last
+    // place a big batch could starve the connection pool.
+    var INGEST_MAX_CONCURRENCY = 3;
+    // Run a batch of upload thunks with at most \`limit\` in flight, calling
+    // onProgress(done, total) as each settles. One failure never stalls the
+    // batch \u2014 uploadFile surfaces its own error and resolves.
+    function runIngestBatch(thunks, limit, onProgress) {
+      return new Promise(function (resolve) {
+        var total = thunks.length, idx = 0, done = 0;
+        function startNext() {
+          if (idx >= total) return;
+          var thunk = thunks[idx++];
+          Promise.resolve().then(thunk).catch(function () { /* already surfaced */ }).then(function () {
+            done++;
+            if (onProgress) onProgress(done, total);
+            if (done === total) resolve(); else startNext();
+          });
+        }
+        for (var i = 0; i < Math.min(limit, total); i++) startNext();
+      });
+    }
+    // A batch-upload progress bar pinned to the top of the rail feed
+    // ("Analyzing N of M\u2026"). The per-file "Analyzing <name>\u2026" cards still
+    // appear, but only INGEST_MAX_CONCURRENCY at a time; this gives the
+    // whole-batch view that the individual cards can't. Returns
+    // { update(done, total), done() }.
+    function ingestProgress(total) {
+      var feedEl = document.getElementById('rail-feed');
+      if (!feedEl) return { update: function () {}, done: function () {} };
+      railEmptyGone();
+      var wrap = document.createElement('div');
+      wrap.className = 'ingest-progress';
+      wrap.innerHTML =
+        '<div class="ingest-progress-label">Analyzing 0 of ' + total + '\u2026</div>' +
+        '<div class="ingest-progress-track"><div class="ingest-progress-fill"></div></div>';
+      feedEl.insertBefore(wrap, feedEl.firstChild);
+      var label = wrap.querySelector('.ingest-progress-label');
+      var fill = wrap.querySelector('.ingest-progress-fill');
+      return {
+        update: function (n, t) {
+          if (label) label.textContent = 'Analyzing ' + n + ' of ' + t + '\u2026';
+          if (fill) fill.style.width = Math.round((n / t) * 100) + '%';
+        },
+        done: function () {
+          if (fill) fill.style.width = '100%';
+          if (label) label.textContent = 'Analyzed ' + total + ' file' + (total === 1 ? '' : 's');
+          setTimeout(function () { if (wrap.parentNode) wrap.parentNode.removeChild(wrap); }, 2500);
+        },
+      };
+    }
     // Append a transient "Analyzing <file>\u2026" row to the feed so the user sees
     // the ingest is processing in the background; returns a disposer. The real
     // create/link feed events stream in over SSE as the server materializes them.
@@ -61894,13 +62524,21 @@ var appJs = `
     }
     function uploadFile(file) {
       var done = pendingIngestItem(file.name || 'file');
+      // Carry the composer's "Private mode" intent so an upload made while the
+      // box is checked is stamped private at insert, instead of inheriting the
+      // files-table default (which can be shared-to-everyone on a cloud). Read
+      // the checkbox defensively \u2014 it may not be rendered. On a local workspace
+      // the box is checked+disabled, so this is '1' there too; forced visibility
+      // is a harmless no-op on the single-user SQLite path.
+      var pv = document.getElementById('chat-private');
+      var priv = pv && pv.checked ? '1' : '0';
       return fetch('/api/ingest/upload', {
         method: 'POST',
         // Percent-encode the filename: HTTP header values must be ISO-8859-1,
         // so a Unicode filename (emoji, smart quote, accent, em-dash) would
         // otherwise make fetch() throw "String contains non ISO-8859-1 code
         // point". The server decodeURIComponent()s it back.
-        headers: { 'content-type': file.type || 'application/octet-stream', 'x-filename': encodeURIComponent(file.name || 'file') },
+        headers: { 'content-type': file.type || 'application/octet-stream', 'x-filename': encodeURIComponent(file.name || 'file'), 'x-lattice-private': priv },
         body: file,
       })
         .then(function (r) { return r.json().then(function (j) { if (!r.ok) throw new Error(j.error || ('HTTP ' + r.status)); return j; }); })
@@ -61918,7 +62556,14 @@ var appJs = `
         });
         return;
       }
-      for (var i = 0; i < files.length; i++) uploadFile(files[i]);
+      // Multi-file: drain through the bounded-concurrency queue (so a big drop
+      // can't saturate the connection budget) with a batch progress bar.
+      var bar = ingestProgress(files.length);
+      var thunks = [];
+      for (var i = 0; i < files.length; i++) {
+        (function (f) { thunks.push(function () { return uploadFile(f); }); })(files[i]);
+      }
+      runIngestBatch(thunks, INGEST_MAX_CONCURRENCY, bar.update).then(bar.done);
     }
     // Mobile: tapping the handle expands/collapses the bottom drawer.
     function initRailDrawer() {
@@ -62989,8 +63634,14 @@ var MEMBER_READABLE_BOOKKEEPING = [
   },
   {
     name: "_lattice_gui_audit",
-    privs: "SELECT, INSERT",
-    why: "GUI undo/redo + version history; RLS (enableGuiAuditRls) scopes reads to entries whose underlying row the member can see"
+    // UPDATE + DELETE are needed by undo/redo/revert (flips an entry's `undone`)
+    // and the redo-stack purge on a new mutation (deletes the session's undone
+    // entries). Safe because enableGuiAuditRls installs per-op UPDATE and DELETE
+    // policies whose USING is `row_id IS NULL OR lattice_row_visible(table_name,
+    // row_id)` — so a member can only update/delete audit rows for entities it can
+    // already see (or schema-level entries that carry no row data).
+    privs: "SELECT, INSERT, UPDATE, DELETE",
+    why: "GUI undo/redo/revert + redo-stack purge + version history; RLS (enableGuiAuditRls) scopes every op to entries whose underlying row the member can see"
   },
   {
     name: "__lattice_user_identity",
@@ -65065,6 +65716,27 @@ async function dispatchDbConfigRoute(req, res, ctx) {
     });
     return true;
   }
+  if (pathname === "/api/cloud/row-grants" && method === "POST") {
+    await tryHandler(res, async () => {
+      const body = await readJson(req);
+      const table = typeof body.table === "string" ? body.table : "";
+      const pk = typeof body.pk === "string" ? body.pk : "";
+      const strList = (v2) => Array.isArray(v2) ? v2.filter((x2) => typeof x2 === "string") : [];
+      const grant = strList(body.grant);
+      const revoke = strList(body.revoke);
+      if (!table || !pk) {
+        sendJson(res, { error: "table and pk are required" }, 400);
+        return;
+      }
+      if (ctx.db.getDialect() !== "postgres") {
+        sendJson(res, { error: "Per-row sharing requires a cloud (Postgres) database" }, 400);
+        return;
+      }
+      await batchRowGrants(ctx.db, table, pk, grant, revoke);
+      sendJson(res, { ok: true, table, pk, granted: grant, revoked: revoke });
+    });
+    return true;
+  }
   if (pathname === "/api/cloud/s3-config" && method === "GET") {
     await tryHandler(res, () => {
       const label = activeWorkspaceLabel(ctx.configPath);
@@ -65807,6 +66479,19 @@ async function normalizeImage(path2, maxBytes) {
 function renderJpeg(sharp, path2, quality) {
   return sharp(path2).rotate().resize({ width: MAX_DIM, height: MAX_DIM, fit: "inside", withoutEnlargement: true }).jpeg({ quality }).toBuffer();
 }
+function buildVisionAnthropicConfig(auth) {
+  const config = {};
+  if (auth.authToken) {
+    config.authToken = auth.authToken;
+    config.apiKey = null;
+  } else if (auth.apiKey) {
+    config.apiKey = auth.apiKey;
+  } else {
+    config.apiKey = null;
+  }
+  if (auth.betaHeader) config.defaultHeaders = { "anthropic-beta": auth.betaHeader };
+  return config;
+}
 function defaultSender(auth) {
   return async (input) => {
     const importMetaUrl = import.meta.url;
@@ -65814,11 +66499,7 @@ function defaultSender(auth) {
     const sdk = req("@anthropic-ai/sdk");
     const Anthropic = sdk.Anthropic ?? sdk.default;
     if (!Anthropic) throw new Error("Could not resolve Anthropic from '@anthropic-ai/sdk'");
-    const config = {};
-    if (auth.authToken) config.authToken = auth.authToken;
-    else if (auth.apiKey) config.apiKey = auth.apiKey;
-    if (auth.betaHeader) config.defaultHeaders = { "anthropic-beta": auth.betaHeader };
-    const client = new Anthropic(config);
+    const client = new Anthropic(buildVisionAnthropicConfig(auth));
     const res = await client.messages.create({
       model: input.model,
       max_tokens: 1024,
@@ -65845,11 +66526,7 @@ function defaultPdfSender(auth) {
     const sdk = req("@anthropic-ai/sdk");
     const Anthropic = sdk.Anthropic ?? sdk.default;
     if (!Anthropic) throw new Error("Could not resolve Anthropic from '@anthropic-ai/sdk'");
-    const config = {};
-    if (auth.authToken) config.authToken = auth.authToken;
-    else if (auth.apiKey) config.apiKey = auth.apiKey;
-    if (auth.betaHeader) config.defaultHeaders = { "anthropic-beta": auth.betaHeader };
-    const client = new Anthropic(config);
+    const client = new Anthropic(buildVisionAnthropicConfig(auth));
     const res = await client.messages.create({
       model: input.model,
       max_tokens: 4096,
@@ -66011,7 +66688,7 @@ function enrichContext(ctx) {
     ...ctx.createEntity ? { createEntity: ctx.createEntity } : {}
   };
 }
-async function enrichOrFail(mctx, db, fileId, text, name, ctx, res) {
+async function enrichOrFail(mctx, db, fileId, text, name, ctx, res, privateMode) {
   try {
     return await enrichWithLlm(
       mctx,
@@ -66023,7 +66700,9 @@ async function enrichOrFail(mctx, db, fileId, text, name, ctx, res) {
       ctx.entityDescriptions,
       ctx.createJunction,
       ctx.aggressiveness,
-      ctx.createEntity
+      ctx.createEntity,
+      false,
+      privateMode
     );
   } catch (e6) {
     const err = e6;
@@ -66102,7 +66781,9 @@ async function dispatchIngestRoute(req, res, ctx) {
     source: "ingest",
     onColumnsAdded: columnDescriptionHook(ctx.db)
   };
+  const headerPrivate = req.headers["x-lattice-private"] === "1";
   if (ctx.pathname === "/api/ingest/upload") {
+    const forcePrivate2 = headerPrivate;
     const rawName = typeof req.headers["x-filename"] === "string" && req.headers["x-filename"] || "";
     let name2 = "upload";
     if (rawName) {
@@ -66200,10 +66881,15 @@ async function dispatchIngestRoute(req, res, ctx) {
         ...blob ? { blob_path: blob.blob_path } : {}
       } : blob ? { ref_kind: "blob", blob_path: blob.blob_path } : {}
     };
-    const { id: id2 } = await createRow(mctx, "files", {
-      ...await requiredFileDefaults(ctx.db, name2, fileId, uploadRow),
-      ...uploadRow
-    });
+    const { id: id2 } = await createRow(
+      mctx,
+      "files",
+      {
+        ...await requiredFileDefaults(ctx.db, name2, fileId, uploadRow),
+        ...uploadRow
+      },
+      forcePrivate2 ? "private" : void 0
+    );
     try {
       const dedupCtx = {
         db: ctx.db,
@@ -66229,7 +66915,7 @@ async function dispatchIngestRoute(req, res, ctx) {
     }
     let suggestedLinks = [];
     if (!result.skip) {
-      const links = await enrichOrFail(mctx, ctx.db, id2, result.text, name2, ctx, res);
+      const links = await enrichOrFail(mctx, ctx.db, id2, result.text, name2, ctx, res, forcePrivate2);
       if (links === null) return true;
       suggestedLinks = links;
     }
@@ -66256,6 +66942,7 @@ async function dispatchIngestRoute(req, res, ctx) {
     sendJson4(res, { error: e6.message }, 400);
     return true;
   }
+  const forcePrivate = headerPrivate || body.private === true;
   if (ctx.pathname === "/api/ingest/text") {
     const rawText = typeof body.text === "string" ? body.text : "";
     if (!rawText.trim()) {
@@ -66266,7 +66953,7 @@ async function dispatchIngestRoute(req, res, ctx) {
     if (sourceUrl) {
       try {
         const result = await ingestUrlAsFile(
-          { db: ctx.db, mctx, enrich: enrichContext(ctx) },
+          { db: ctx.db, mctx, enrich: enrichContext(ctx), privateMode: forcePrivate },
           sourceUrl
         );
         sendJson4(
@@ -66295,11 +66982,25 @@ async function dispatchIngestRoute(req, res, ctx) {
       description: describe(content, mime2, title),
       extraction_status: "extracted"
     };
-    const { id: id2 } = await createRow(mctx, "files", {
-      ...await requiredFileDefaults(ctx.db, title, textFileId, textRow),
-      ...textRow
-    });
-    const suggestedLinks = await enrichOrFail(mctx, ctx.db, id2, content, title, ctx, res);
+    const { id: id2 } = await createRow(
+      mctx,
+      "files",
+      {
+        ...await requiredFileDefaults(ctx.db, title, textFileId, textRow),
+        ...textRow
+      },
+      forcePrivate ? "private" : void 0
+    );
+    const suggestedLinks = await enrichOrFail(
+      mctx,
+      ctx.db,
+      id2,
+      content,
+      title,
+      ctx,
+      res,
+      forcePrivate
+    );
     if (suggestedLinks === null) return true;
     sendJson4(res, { id: id2, extraction_status: "extracted", suggestedLinks }, 201);
     return true;
@@ -66338,10 +67039,15 @@ async function dispatchIngestRoute(req, res, ctx) {
     size_bytes: size,
     extraction_status: "pending"
   };
-  const { id } = await createRow(mctx, "files", {
-    ...await requiredFileDefaults(ctx.db, name, localFileId, localRow),
-    ...localRow
-  });
+  const { id } = await createRow(
+    mctx,
+    "files",
+    {
+      ...await requiredFileDefaults(ctx.db, name, localFileId, localRow),
+      ...localRow
+    },
+    forcePrivate ? "private" : void 0
+  );
   try {
     const result = await extractSource(ctx.db, abs, mime, name);
     await updateRow(mctx, "files", id, {
@@ -66359,7 +67065,9 @@ async function dispatchIngestRoute(req, res, ctx) {
       ctx.entityDescriptions,
       ctx.createJunction,
       ctx.aggressiveness,
-      ctx.createEntity
+      ctx.createEntity,
+      false,
+      forcePrivate
     );
     sendJson4(
       res,
@@ -67046,7 +67754,7 @@ function startBackgroundRender(active) {
     }
     bus.publish(e6);
   };
-  void db.renderInBackground(active.outputDir, { signal, onProgress }).then(
+  void db.renderInBackground(active.outputDir, { signal, onProgress, gateOnOpen: true }).then(
     () => {
     },
     (err) => {
@@ -69424,7 +70132,7 @@ function printHelp() {
   );
 }
 function getVersion() {
-  if (true) return "3.4.2";
+  if (true) return "3.4.4";
   try {
     const pkgPath = new URL("../package.json", import.meta.url).pathname;
     const pkg = JSON.parse(readFileSync20(pkgPath, "utf-8"));