latticesql 3.4.4 → 3.4.6

package/dist/cli.js

@@ -632,14 +632,6 @@ function resolveDbPath(raw, configDir2) {
   }
   return resolve(configDir2, raw);
 }
-function warnDeprecatedRef(entity, field, target) {
-  const key = `${entity}.${field}`;
-  if (warnedDeprecatedRefs.has(key)) return;
-  warnedDeprecatedRefs.add(key);
-  console.warn(
-    `Lattice: one-to-many \`ref:\` on "${entity}.${field}" \u2192 "${target}" is deprecated in favor of many-to-many junction tables and will be removed in 2.0.`
-  );
-}
 function entityToTableDef(entityName, entity) {
   const rawFields = entity.fields;
   if (!rawFields || typeof rawFields !== "object" || Array.isArray(rawFields)) {
@@ -666,7 +658,6 @@ function entityToTableDef(entityName, entity) {
         table: field.ref,
         foreignKey: fieldName
       };
-      warnDeprecatedRef(entityName, fieldName, field.ref);
     }
   }
   const primaryKey = entity.primaryKey ?? pkFromField;
@@ -823,12 +814,10 @@ function parseEntityContexts(entityContexts) {
   }
   return result;
 }
-var warnedDeprecatedRefs;
 var init_parser = __esm({
   "src/config/parser.ts"() {
     "use strict";
     init_user_config();
-    warnedDeprecatedRefs = /* @__PURE__ */ new Set();
   }
 });
 
@@ -10324,6 +10313,21 @@ var init_registry = __esm({
           ["table", "values"]
         )
       },
+      {
+        name: "create_secret",
+        description: "Store a secret/credential \u2014 an API key, password, OAuth token, connection string, etc. \u2014 by name in the encrypted secrets store. Use this whenever the user gives you a credential to save or asks you to remember/store a secret. WRITE-ONLY: you can save a secret but you can NEVER read, list, echo, or retrieve existing secret values \u2014 they are hidden from you. The value is encrypted at rest.",
+        mutates: true,
+        category: "row",
+        args: obj(
+          {
+            name: str('A short label for the secret, e.g. "GitHub password" or "OpenAI API key".'),
+            value: str("The secret value to store."),
+            kind: str('Optional kind, e.g. "password", "api_key", "token", "connection_string".'),
+            description: str("Optional note about what the secret is for.")
+          },
+          ["name", "value"]
+        )
+      },
       {
         name: "create_artifact",
         description: "Create a markdown document and save it as a file artifact. Use this whenever the user asks you to create, write, draft, or make a document, note, write-up, summary, report, or file \u2014 you author the content as GitHub-flavored markdown and it is saved in the files entity as a markdown artifact, then opened in the viewer for them. Prefer this over create_row on files for any document the user wants to keep. It follows the same sharing rules as any file (private mode \u2192 private).",
@@ -13167,6 +13171,7 @@ var init_ingest_url = __esm({
 });
 
 // src/gui/ai/dispatch.ts
+import { randomUUID } from "crypto";
 function visibilityDenialReason(opts) {
   if (opts.kind === "table") {
     return opts.canManageTableDefault ? null : "Only the workspace owner can change a table's default sharing.";
@@ -13382,6 +13387,21 @@ async function executeFunction(ctx, name, args) {
         );
         return { ok: true, result: { id } };
       }
+      case "create_secret": {
+        const secretName = requireString(args.name, "name");
+        const secretValue2 = requireString(args.value, "value");
+        const kind = typeof args.kind === "string" && args.kind ? args.kind : null;
+        const description = typeof args.description === "string" && args.description ? args.description : null;
+        const id = randomUUID();
+        await ctx.db.insert("secrets", {
+          id,
+          name: secretName,
+          value: secretValue2,
+          kind,
+          description
+        });
+        return { ok: true, result: { id, name: secretName } };
+      }
       case "create_artifact": {
         const table = requireTable("files", ctx.validTables);
         const title = requireString(args.title, "title");
@@ -13712,6 +13732,7 @@ var init_dispatch = __esm({
       "get_history",
       "create_row",
       "create_artifact",
+      "create_secret",
       "ingest_url",
       "set_definition",
       "set_visibility",
@@ -54094,6 +54115,8 @@ var css = `
     .app-version:empty { display: none; }
     .app-update { flex: 0 0 auto; color: var(--accent, #4a9); font-size: 12px; white-space: nowrap; }
     .app-update[hidden] { display: none; }
+    #app-update-link { flex: 0 0 auto; margin-left: 8px; color: var(--accent, #4a9); font-size: 12px; cursor: pointer; white-space: nowrap; }
+    #app-update-link[hidden] { display: none; }
     /* Unseen-change count next to a sidebar entity. */
     .nav-badge {
       display: inline-block; min-width: 16px; text-align: center;
@@ -55572,6 +55595,12 @@ var appJs = `
       // drag handle once the app has booted.
       var savedRail = parseInt(window.localStorage.getItem(RAIL_KEY) || '', 10);
       if (!isNaN(savedRail)) applyRailWidth(savedRail);
+      // The version chip + manual-upgrade link live in the static shell (present
+      // from first paint, in both the normal and virgin-state boots), so wire the
+      // click handler and run the first availability check here \u2014 independent of
+      // the async workspace bootstrap. checkServerVersion() refreshes it later.
+      wireUpdateLink();
+      checkUpdateAvailable();
       // Failsafe: never leave the overlay up forever if a fetch hangs without
       // rejecting, or a future early-return (e.g. the virgin-state screen)
       // bypasses the .then() tail. Idempotent, so a later real hide is a no-op.
@@ -56056,6 +56085,26 @@ var appJs = `
       showUpdatePill(label || 'Updated \u2014 reloading\u2026');
       setTimeout(function () { location.reload(); }, 600);
     }
+    // Manual upgrade fallback: show an "Update available \u2014 Upgrade" link next to
+    // the version chip only when the server reports a newer, installable version.
+    // The auto-updater installs in the background on its own cadence; this lets
+    // the user force it now. Best-effort; the link stays hidden on any failure.
+    function checkUpdateAvailable() {
+      var el = document.getElementById('app-update-link');
+      if (!el) return;
+      fetch('/api/update/status')
+        .then(function (r) { return r.ok ? r.json() : null; })
+        .then(function (s) {
+          if (s && s.latest && s.current && s.latest !== s.current && s.installable) {
+            el.textContent = 'Update available \u2014 Upgrade';
+            el.title = 'Install v' + s.latest + ' and restart';
+            el.hidden = false;
+          } else {
+            el.hidden = true;
+          }
+        })
+        .catch(function () { /* best-effort \u2014 keep the link hidden */ });
+    }
     // On every (re)connect, ask the server its version. A change vs BOOT_VERSION
     // means a relaunch onto new code \u2192 reload. Best-effort; never throws.
     function checkServerVersion() {
@@ -56069,6 +56118,31 @@ var appJs = `
           else hideUpdatePill();
         })
         .catch(function () { /* offline / mid-restart \u2014 the next reconnect retries */ });
+      // Refresh the manual-upgrade link alongside the reconnect version check.
+      checkUpdateAvailable();
+    }
+    // Wire the manual-upgrade link's click: kick off the install (the server
+    // installs the latest and restarts onto it) and surface the progress. On
+    // success we do nothing else \u2014 the update-applied event + the reconnect
+    // version check land the page on the new version (no manual reload). A
+    // false ok means the install can't run (unsupervised) \u2014 toast why.
+    function wireUpdateLink() {
+      var el = document.getElementById('app-update-link');
+      if (!el) return;
+      el.addEventListener('click', function (e) {
+        e.preventDefault();
+        el.hidden = true;
+        showUpdatePill('Updating\u2026');
+        fetch('/api/update/apply', { method: 'POST' })
+          .then(function (r) { return r.json(); })
+          .then(function (d) {
+            if (d && d.ok === false) {
+              hideUpdatePill();
+              showToast(d.error || 'Update unavailable', {});
+            }
+          })
+          .catch(function () { /* server may already be restarting */ });
+      });
     }
     function dispatchStreamMessage(type, data) {
       if (type === 'realtime-state') {
@@ -62886,6 +62960,7 @@ var guiAppHtml = `<!doctype html>
     <span class="offline-pill" id="offline-pill" title="Edits queued offline \u2014 will sync when the cloud reconnects" hidden></span>
     <span class="app-update" id="app-update" title="A new version is being applied" hidden></span>
     <span class="app-version" id="app-version" title="Lattice version"><!--LATTICE_VERSION--></span>
+    <a id="app-update-link" href="#" hidden>Update available \u2014 Upgrade</a>
     <button id="settings-gear" title="Settings" aria-label="Open settings">
       <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true">
         <circle cx="12" cy="12" r="3"/>
@@ -64809,7 +64884,7 @@ function redeemInviteToken(email, token) {
 init_markdown();
 init_rls();
 init_adapter();
-import { randomUUID } from "crypto";
+import { randomUUID as randomUUID2 } from "crypto";
 
 // src/framework/cloud-migration.ts
 init_lattice();
@@ -65604,7 +65679,7 @@ async function dispatchDbConfigRoute(req, res, ctx) {
         `INSERT INTO "__lattice_member_invites" ("id","role","email_hash","email","expires_at")
            VALUES (?, ?, ?, ?, ?)`,
         [
-          randomUUID(),
+          randomUUID2(),
           role,
           emailHash,
           // Plaintext email stored ONLY in this owner-only table so the owner's
@@ -68096,6 +68171,28 @@ async function startGuiServer(options) {
     setActive(next, created.id);
     return created.id;
   };
+  const cleanupWorkspaceFiles = (root6, ws) => {
+    if (!ws.configPath && ws.kind === "local") {
+      rmSync(workspaceDir(root6, ws.dir), { recursive: true, force: true });
+    } else if (ws.kind === "cloud") {
+      if (ws.configPath && existsSync25(ws.configPath)) {
+        rmSync(ws.configPath, { force: true });
+      }
+      const labelMatch = /^\$\{LATTICE_DB:([A-Za-z0-9._-]+)\}$/.exec(ws.db.trim());
+      const label = labelMatch?.[1];
+      if (label) {
+        const stillUsed = listWorkspaces(root6).some(
+          (w2) => w2.db.includes("${LATTICE_DB:" + label + "}")
+        );
+        if (!stillUsed) {
+          try {
+            deleteDbCredential(label);
+          } catch {
+          }
+        }
+      }
+    }
+  };
   const handleVirginRoute = async (req, res, pathname, method) => {
     if (method === "GET" && pathname === "/") {
       sendText(
@@ -68147,6 +68244,35 @@ async function startGuiServer(options) {
       }
       return true;
     }
+    if (method === "POST" && pathname === "/api/workspaces/delete") {
+      if (!latticeRoot) {
+        sendJson(res, { error: "No .lattice root \u2014 workspaces unavailable" }, 400);
+        return true;
+      }
+      const body = await readJson(req);
+      if (typeof body.id !== "string") {
+        sendJson(res, { error: "id must be a string" }, 400);
+        return true;
+      }
+      const ws = getWorkspace(latticeRoot, body.id);
+      if (!ws) {
+        sendJson(res, { error: `No workspace with id ${body.id}` }, 400);
+        return true;
+      }
+      removeWorkspace(latticeRoot, ws.id);
+      try {
+        cleanupWorkspaceFiles(latticeRoot, ws);
+      } catch (e6) {
+        sendJson(
+          res,
+          { error: `Workspace unregistered but file cleanup failed: ${e6.message}` },
+          500
+        );
+        return true;
+      }
+      sendJson(res, { ok: true, switchedTo: null });
+      return true;
+    }
     if (method === "POST" && pathname === "/api/cloud/redeem-invite") {
       await redeemInvite(createCloudWorkspace, req, res);
       return true;
@@ -68181,6 +68307,18 @@ async function startGuiServer(options) {
           );
           return;
         }
+        if (method === "POST" && pathname === "/api/update/apply") {
+          if (updateService) {
+            void updateService.checkNow(true);
+            sendJson(res, { ok: true, status: updateService.status() });
+          } else {
+            sendJson(res, {
+              ok: false,
+              error: "Automatic update is not available for this install. Reinstall from https://latticesql.com to get the latest version."
+            });
+          }
+          return;
+        }
         if (!activeRef) {
           if (await handleVirginRoute(req, res, pathname, method)) return;
           sendJson(res, { error: "No active workspace" }, 409);
@@ -69274,26 +69412,7 @@ async function startGuiServer(options) {
           }
           removeWorkspace(latticeRoot, ws.id);
           try {
-            if (!ws.configPath && ws.kind === "local") {
-              rmSync(workspaceDir(latticeRoot, ws.dir), { recursive: true, force: true });
-            } else if (ws.kind === "cloud") {
-              if (ws.configPath && existsSync25(ws.configPath)) {
-                rmSync(ws.configPath, { force: true });
-              }
-              const labelMatch = /^\$\{LATTICE_DB:([A-Za-z0-9._-]+)\}$/.exec(ws.db.trim());
-              const label = labelMatch?.[1];
-              if (label) {
-                const stillUsed = listWorkspaces(latticeRoot).some(
-                  (w2) => w2.db.includes("${LATTICE_DB:" + label + "}")
-                );
-                if (!stillUsed) {
-                  try {
-                    deleteDbCredential(label);
-                  } catch {
-                  }
-                }
-              }
-            }
+            cleanupWorkspaceFiles(latticeRoot, ws);
           } catch (e6) {
             sendJson(
               res,
@@ -69759,7 +69878,9 @@ ${e6.stack ?? ""}`
       }
     }
   };
-  if (options.selfUpdate && guiVersion) {
+  if (options.updateServiceFactory) {
+    updateService = options.updateServiceFactory(broadcast);
+  } else if (options.selfUpdate && guiVersion) {
     updateService = createUpdateService({ currentVersion: guiVersion, emit: broadcast });
   }
   const handleEventStream = (ws) => {
@@ -70132,7 +70253,7 @@ function printHelp() {
   );
 }
 function getVersion() {
-  if (true) return "3.4.4";
+  if (true) return "3.4.6";
   try {
     const pkgPath = new URL("../package.json", import.meta.url).pathname;
     const pkg = JSON.parse(readFileSync20(pkgPath, "utf-8"));

package/dist/index.cjs

@@ -4527,14 +4527,6 @@ function resolveDbPath(raw, configDir2) {
   }
   return (0, import_node_path11.resolve)(configDir2, raw);
 }
-function warnDeprecatedRef(entity, field, target) {
-  const key = `${entity}.${field}`;
-  if (warnedDeprecatedRefs.has(key)) return;
-  warnedDeprecatedRefs.add(key);
-  console.warn(
-    `Lattice: one-to-many \`ref:\` on "${entity}.${field}" \u2192 "${target}" is deprecated in favor of many-to-many junction tables and will be removed in 2.0.`
-  );
-}
 function entityToTableDef(entityName, entity) {
   const rawFields = entity.fields;
   if (!rawFields || typeof rawFields !== "object" || Array.isArray(rawFields)) {
@@ -4561,7 +4553,6 @@ function entityToTableDef(entityName, entity) {
         table: field.ref,
         foreignKey: fieldName
       };
-      warnDeprecatedRef(entityName, fieldName, field.ref);
     }
   }
   const primaryKey = entity.primaryKey ?? pkFromField;
@@ -4718,7 +4709,7 @@ function parseEntityContexts(entityContexts) {
   }
   return result;
 }
-var import_node_fs10, import_node_path11, import_yaml3, warnedDeprecatedRefs;
+var import_node_fs10, import_node_path11, import_yaml3;
 var init_parser = __esm({
   "src/config/parser.ts"() {
     "use strict";
@@ -4726,7 +4717,6 @@ var init_parser = __esm({
     import_node_path11 = require("path");
     import_yaml3 = require("yaml");
     init_user_config();
-    warnedDeprecatedRefs = /* @__PURE__ */ new Set();
   }
 });
 
@@ -50616,6 +50606,21 @@ var init_registry = __esm({
           ["table", "values"]
         )
       },
+      {
+        name: "create_secret",
+        description: "Store a secret/credential \u2014 an API key, password, OAuth token, connection string, etc. \u2014 by name in the encrypted secrets store. Use this whenever the user gives you a credential to save or asks you to remember/store a secret. WRITE-ONLY: you can save a secret but you can NEVER read, list, echo, or retrieve existing secret values \u2014 they are hidden from you. The value is encrypted at rest.",
+        mutates: true,
+        category: "row",
+        args: obj(
+          {
+            name: str('A short label for the secret, e.g. "GitHub password" or "OpenAI API key".'),
+            value: str("The secret value to store."),
+            kind: str('Optional kind, e.g. "password", "api_key", "token", "connection_string".'),
+            description: str("Optional note about what the secret is for.")
+          },
+          ["name", "value"]
+        )
+      },
       {
         name: "create_artifact",
         description: "Create a markdown document and save it as a file artifact. Use this whenever the user asks you to create, write, draft, or make a document, note, write-up, summary, report, or file \u2014 you author the content as GitHub-flavored markdown and it is saved in the files entity as a markdown artifact, then opened in the viewer for them. Prefer this over create_row on files for any document the user wants to keep. It follows the same sharing rules as any file (private mode \u2192 private).",
@@ -53038,6 +53043,21 @@ async function executeFunction(ctx, name, args) {
         );
         return { ok: true, result: { id } };
       }
+      case "create_secret": {
+        const secretName = requireString(args.name, "name");
+        const secretValue2 = requireString(args.value, "value");
+        const kind = typeof args.kind === "string" && args.kind ? args.kind : null;
+        const description = typeof args.description === "string" && args.description ? args.description : null;
+        const id = (0, import_node_crypto18.randomUUID)();
+        await ctx.db.insert("secrets", {
+          id,
+          name: secretName,
+          value: secretValue2,
+          kind,
+          description
+        });
+        return { ok: true, result: { id, name: secretName } };
+      }
       case "create_artifact": {
         const table = requireTable("files", ctx.validTables);
         const title = requireString(args.title, "title");
@@ -53341,10 +53361,11 @@ async function executeFunction(ctx, name, args) {
     return { ok: false, error: e6.message };
   }
 }
-var DISPATCHABLE, ASSISTANT_HIDDEN_TABLES, SECRET_MASK, BULK_FILTER_OPS;
+var import_node_crypto18, DISPATCHABLE, ASSISTANT_HIDDEN_TABLES, SECRET_MASK, BULK_FILTER_OPS;
 var init_dispatch = __esm({
   "src/gui/ai/dispatch.ts"() {
     "use strict";
+    import_node_crypto18 = require("crypto");
     init_registry();
     init_lattice_docs();
     init_fts();
@@ -53368,6 +53389,7 @@ var init_dispatch = __esm({
       "get_history",
       "create_row",
       "create_artifact",
+      "create_secret",
       "ingest_url",
       "set_definition",
       "set_visibility",
@@ -55971,6 +55993,8 @@ var css = `
     .app-version:empty { display: none; }
     .app-update { flex: 0 0 auto; color: var(--accent, #4a9); font-size: 12px; white-space: nowrap; }
     .app-update[hidden] { display: none; }
+    #app-update-link { flex: 0 0 auto; margin-left: 8px; color: var(--accent, #4a9); font-size: 12px; cursor: pointer; white-space: nowrap; }
+    #app-update-link[hidden] { display: none; }
     /* Unseen-change count next to a sidebar entity. */
     .nav-badge {
       display: inline-block; min-width: 16px; text-align: center;
@@ -57449,6 +57473,12 @@ var appJs = `
       // drag handle once the app has booted.
       var savedRail = parseInt(window.localStorage.getItem(RAIL_KEY) || '', 10);
       if (!isNaN(savedRail)) applyRailWidth(savedRail);
+      // The version chip + manual-upgrade link live in the static shell (present
+      // from first paint, in both the normal and virgin-state boots), so wire the
+      // click handler and run the first availability check here \u2014 independent of
+      // the async workspace bootstrap. checkServerVersion() refreshes it later.
+      wireUpdateLink();
+      checkUpdateAvailable();
       // Failsafe: never leave the overlay up forever if a fetch hangs without
       // rejecting, or a future early-return (e.g. the virgin-state screen)
       // bypasses the .then() tail. Idempotent, so a later real hide is a no-op.
@@ -57933,6 +57963,26 @@ var appJs = `
       showUpdatePill(label || 'Updated \u2014 reloading\u2026');
       setTimeout(function () { location.reload(); }, 600);
     }
+    // Manual upgrade fallback: show an "Update available \u2014 Upgrade" link next to
+    // the version chip only when the server reports a newer, installable version.
+    // The auto-updater installs in the background on its own cadence; this lets
+    // the user force it now. Best-effort; the link stays hidden on any failure.
+    function checkUpdateAvailable() {
+      var el = document.getElementById('app-update-link');
+      if (!el) return;
+      fetch('/api/update/status')
+        .then(function (r) { return r.ok ? r.json() : null; })
+        .then(function (s) {
+          if (s && s.latest && s.current && s.latest !== s.current && s.installable) {
+            el.textContent = 'Update available \u2014 Upgrade';
+            el.title = 'Install v' + s.latest + ' and restart';
+            el.hidden = false;
+          } else {
+            el.hidden = true;
+          }
+        })
+        .catch(function () { /* best-effort \u2014 keep the link hidden */ });
+    }
     // On every (re)connect, ask the server its version. A change vs BOOT_VERSION
     // means a relaunch onto new code \u2192 reload. Best-effort; never throws.
     function checkServerVersion() {
@@ -57946,6 +57996,31 @@ var appJs = `
           else hideUpdatePill();
         })
         .catch(function () { /* offline / mid-restart \u2014 the next reconnect retries */ });
+      // Refresh the manual-upgrade link alongside the reconnect version check.
+      checkUpdateAvailable();
+    }
+    // Wire the manual-upgrade link's click: kick off the install (the server
+    // installs the latest and restarts onto it) and surface the progress. On
+    // success we do nothing else \u2014 the update-applied event + the reconnect
+    // version check land the page on the new version (no manual reload). A
+    // false ok means the install can't run (unsupervised) \u2014 toast why.
+    function wireUpdateLink() {
+      var el = document.getElementById('app-update-link');
+      if (!el) return;
+      el.addEventListener('click', function (e) {
+        e.preventDefault();
+        el.hidden = true;
+        showUpdatePill('Updating\u2026');
+        fetch('/api/update/apply', { method: 'POST' })
+          .then(function (r) { return r.json(); })
+          .then(function (d) {
+            if (d && d.ok === false) {
+              hideUpdatePill();
+              showToast(d.error || 'Update unavailable', {});
+            }
+          })
+          .catch(function () { /* server may already be restarting */ });
+      });
     }
     function dispatchStreamMessage(type, data) {
       if (type === 'realtime-state') {
@@ -64763,6 +64838,7 @@ var guiAppHtml = `<!doctype html>
     <span class="offline-pill" id="offline-pill" title="Edits queued offline \u2014 will sync when the cloud reconnects" hidden></span>
     <span class="app-update" id="app-update" title="A new version is being applied" hidden></span>
     <span class="app-version" id="app-version" title="Lattice version"><!--LATTICE_VERSION--></span>
+    <a id="app-update-link" href="#" hidden>Update available \u2014 Upgrade</a>
     <button id="settings-gear" title="Settings" aria-label="Open settings">
       <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true">
         <circle cx="12" cy="12" r="3"/>
@@ -66278,11 +66354,11 @@ var import_yaml6 = require("yaml");
 init_lattice();
 init_user_config();
 init_cloud_connect();
-var import_node_crypto19 = require("crypto");
+var import_node_crypto20 = require("crypto");
 init_members();
 
 // src/cloud/invite.ts
-var import_node_crypto18 = require("crypto");
+var import_node_crypto19 = require("crypto");
 var VERSION = 1;
 var SALT_LEN = 16;
 var SECRET_LEN = 32;
@@ -66300,15 +66376,15 @@ function poolerAwareUser(host, role, ownerUser) {
   return ref ? `${role}.${ref}` : role;
 }
 function deriveKey2(tokenSecret, email, salt) {
-  const emailSalt = Buffer.from((0, import_node_crypto18.scryptSync)(normalizeEmail(email), salt, KEY_LEN));
-  return Buffer.from((0, import_node_crypto18.hkdfSync)("sha256", tokenSecret, emailSalt, HKDF_INFO, KEY_LEN));
+  const emailSalt = Buffer.from((0, import_node_crypto19.scryptSync)(normalizeEmail(email), salt, KEY_LEN));
+  return Buffer.from((0, import_node_crypto19.hkdfSync)("sha256", tokenSecret, emailSalt, HKDF_INFO, KEY_LEN));
 }
 function mintInviteToken(input) {
   const email = normalizeEmail(input.email);
   if (!email) throw new Error("lattice: an invite must be bound to an email");
-  const salt = (0, import_node_crypto18.randomBytes)(SALT_LEN);
-  const tokenSecret = (0, import_node_crypto18.randomBytes)(SECRET_LEN);
-  const nonce = (0, import_node_crypto18.randomBytes)(NONCE_LEN);
+  const salt = (0, import_node_crypto19.randomBytes)(SALT_LEN);
+  const tokenSecret = (0, import_node_crypto19.randomBytes)(SECRET_LEN);
+  const nonce = (0, import_node_crypto19.randomBytes)(NONCE_LEN);
   const key = deriveKey2(tokenSecret, email, salt);
   const payload = {
     v: 1,
@@ -66322,7 +66398,7 @@ function mintInviteToken(input) {
     expires_at: input.expiresAt.toISOString(),
     ...input.workspaceName?.trim() ? { workspace_name: input.workspaceName.trim() } : {}
   };
-  const cipher = (0, import_node_crypto18.createCipheriv)("aes-256-gcm", key, nonce);
+  const cipher = (0, import_node_crypto19.createCipheriv)("aes-256-gcm", key, nonce);
   cipher.setAAD(Buffer.from(email, "utf8"));
   const ct = Buffer.concat([cipher.update(JSON.stringify(payload), "utf8"), cipher.final()]);
   const tag = cipher.getAuthTag();
@@ -66345,7 +66421,7 @@ function redeemInviteToken(email, token) {
   const tag = raw.subarray(raw.length - TAG_LEN2);
   const ct = raw.subarray(off, raw.length - TAG_LEN2);
   const key = deriveKey2(tokenSecret, normEmail, salt);
-  const decipher = (0, import_node_crypto18.createDecipheriv)("aes-256-gcm", key, nonce);
+  const decipher = (0, import_node_crypto19.createDecipheriv)("aes-256-gcm", key, nonce);
   decipher.setAAD(Buffer.from(normEmail, "utf8"));
   decipher.setAuthTag(tag);
   let plaintext;
@@ -66373,7 +66449,7 @@ function redeemInviteToken(email, token) {
 init_markdown();
 init_rls();
 init_adapter();
-var import_node_crypto20 = require("crypto");
+var import_node_crypto21 = require("crypto");
 init_parser();
 init_lattice_root();
 init_workspace();
@@ -66458,7 +66534,7 @@ function parseAndValidateLogo(dataUri) {
       error: `logo must be square (got ${String(dims.width)}\xD7${String(dims.height)})`
     };
   }
-  return { ok: true, mime, bytes, etag: (0, import_node_crypto19.createHash)("sha256").update(bytes).digest("hex") };
+  return { ok: true, mime, bytes, etag: (0, import_node_crypto20.createHash)("sha256").update(bytes).digest("hex") };
 }
 function updateActiveWorkspaceToCloud(configPath, displayName, key) {
   const root6 = findLatticeRoot((0, import_node_path36.dirname)(configPath));
@@ -66968,7 +67044,7 @@ async function dispatchDbConfigRoute(req, res, ctx) {
         `INSERT INTO "__lattice_member_invites" ("id","role","email_hash","email","expires_at")
            VALUES (?, ?, ?, ?, ?)`,
         [
-          (0, import_node_crypto20.randomUUID)(),
+          (0, import_node_crypto21.randomUUID)(),
           role,
           emailHash,
           // Plaintext email stored ONLY in this owner-only table so the owner's
@@ -67794,7 +67870,7 @@ var import_node_os9 = require("os");
 var import_node_path37 = require("path");
 init_mutations();
 init_extract();
-var import_node_crypto21 = require("crypto");
+var import_node_crypto22 = require("crypto");
 init_assistant_routes();
 init_enrich();
 init_ingest_url();
@@ -68035,7 +68111,7 @@ async function dispatchIngestRoute(req, res, ctx) {
     let s3Status = null;
     const s3cfg = resolveActiveS3Config(ctx.configPath);
     if (s3cfg) {
-      const sha256 = blob?.sha256 ?? (0, import_node_crypto21.createHash)("sha256").update(buf).digest("hex");
+      const sha256 = blob?.sha256 ?? (0, import_node_crypto22.createHash)("sha256").update(buf).digest("hex");
       const key = s3Key(s3cfg.prefix, sha256);
       try {
         const store = await createS3Store(s3cfg);
@@ -68067,7 +68143,7 @@ async function dispatchIngestRoute(req, res, ctx) {
         realPath = rawFilePath;
       }
     }
-    const fileSha = blob?.sha256 ?? s3Ref?.sha256 ?? (0, import_node_crypto21.createHash)("sha256").update(buf).digest("hex");
+    const fileSha = blob?.sha256 ?? s3Ref?.sha256 ?? (0, import_node_crypto22.createHash)("sha256").update(buf).digest("hex");
     const uploadRow = {
       id: fileId,
       ...fileIdentity(name2, fileId),
@@ -69305,6 +69381,28 @@ async function startGuiServer(options) {
     setActive(next, created.id);
     return created.id;
   };
+  const cleanupWorkspaceFiles = (root6, ws) => {
+    if (!ws.configPath && ws.kind === "local") {
+      (0, import_node_fs35.rmSync)(workspaceDir(root6, ws.dir), { recursive: true, force: true });
+    } else if (ws.kind === "cloud") {
+      if (ws.configPath && (0, import_node_fs35.existsSync)(ws.configPath)) {
+        (0, import_node_fs35.rmSync)(ws.configPath, { force: true });
+      }
+      const labelMatch = /^\$\{LATTICE_DB:([A-Za-z0-9._-]+)\}$/.exec(ws.db.trim());
+      const label = labelMatch?.[1];
+      if (label) {
+        const stillUsed = listWorkspaces(root6).some(
+          (w2) => w2.db.includes("${LATTICE_DB:" + label + "}")
+        );
+        if (!stillUsed) {
+          try {
+            deleteDbCredential(label);
+          } catch {
+          }
+        }
+      }
+    }
+  };
   const handleVirginRoute = async (req, res, pathname, method) => {
     if (method === "GET" && pathname === "/") {
       sendText(
@@ -69356,6 +69454,35 @@ async function startGuiServer(options) {
       }
       return true;
     }
+    if (method === "POST" && pathname === "/api/workspaces/delete") {
+      if (!latticeRoot) {
+        sendJson(res, { error: "No .lattice root \u2014 workspaces unavailable" }, 400);
+        return true;
+      }
+      const body = await readJson(req);
+      if (typeof body.id !== "string") {
+        sendJson(res, { error: "id must be a string" }, 400);
+        return true;
+      }
+      const ws = getWorkspace(latticeRoot, body.id);
+      if (!ws) {
+        sendJson(res, { error: `No workspace with id ${body.id}` }, 400);
+        return true;
+      }
+      removeWorkspace(latticeRoot, ws.id);
+      try {
+        cleanupWorkspaceFiles(latticeRoot, ws);
+      } catch (e6) {
+        sendJson(
+          res,
+          { error: `Workspace unregistered but file cleanup failed: ${e6.message}` },
+          500
+        );
+        return true;
+      }
+      sendJson(res, { ok: true, switchedTo: null });
+      return true;
+    }
     if (method === "POST" && pathname === "/api/cloud/redeem-invite") {
       await redeemInvite(createCloudWorkspace, req, res);
       return true;
@@ -69390,6 +69517,18 @@ async function startGuiServer(options) {
           );
           return;
         }
+        if (method === "POST" && pathname === "/api/update/apply") {
+          if (updateService) {
+            void updateService.checkNow(true);
+            sendJson(res, { ok: true, status: updateService.status() });
+          } else {
+            sendJson(res, {
+              ok: false,
+              error: "Automatic update is not available for this install. Reinstall from https://latticesql.com to get the latest version."
+            });
+          }
+          return;
+        }
         if (!activeRef) {
           if (await handleVirginRoute(req, res, pathname, method)) return;
           sendJson(res, { error: "No active workspace" }, 409);
@@ -70483,26 +70622,7 @@ async function startGuiServer(options) {
           }
           removeWorkspace(latticeRoot, ws.id);
           try {
-            if (!ws.configPath && ws.kind === "local") {
-              (0, import_node_fs35.rmSync)(workspaceDir(latticeRoot, ws.dir), { recursive: true, force: true });
-            } else if (ws.kind === "cloud") {
-              if (ws.configPath && (0, import_node_fs35.existsSync)(ws.configPath)) {
-                (0, import_node_fs35.rmSync)(ws.configPath, { force: true });
-              }
-              const labelMatch = /^\$\{LATTICE_DB:([A-Za-z0-9._-]+)\}$/.exec(ws.db.trim());
-              const label = labelMatch?.[1];
-              if (label) {
-                const stillUsed = listWorkspaces(latticeRoot).some(
-                  (w2) => w2.db.includes("${LATTICE_DB:" + label + "}")
-                );
-                if (!stillUsed) {
-                  try {
-                    deleteDbCredential(label);
-                  } catch {
-                  }
-                }
-              }
-            }
+            cleanupWorkspaceFiles(latticeRoot, ws);
           } catch (e6) {
             sendJson(
               res,
@@ -70968,7 +71088,9 @@ ${e6.stack ?? ""}`
       }
     }
   };
-  if (options.selfUpdate && guiVersion) {
+  if (options.updateServiceFactory) {
+    updateService = options.updateServiceFactory(broadcast);
+  } else if (options.selfUpdate && guiVersion) {
     updateService = createUpdateService({ currentVersion: guiVersion, emit: broadcast });
   }
   const handleEventStream = (ws) => {
@@ -71110,7 +71232,7 @@ ${e6.stack ?? ""}`
 // src/cloud/file-source-key-store.ts
 var import_node_fs36 = require("fs");
 var import_node_path39 = require("path");
-var import_node_crypto22 = require("crypto");
+var import_node_crypto23 = require("crypto");
 var ENC_HEADER = "LATTICE-KMS-v1\n";
 var SCRYPT_N = 1 << 15;
 var SCRYPT_R = 8;
@@ -71137,7 +71259,7 @@ var FileSourceKeyStore = class {
   getOrCreate(sourceId) {
     let key = this.cache.get(sourceId);
     if (!key) {
-      key = (0, import_node_crypto22.randomBytes)(KEY_LEN2);
+      key = (0, import_node_crypto23.randomBytes)(KEY_LEN2);
       this.cache.set(sourceId, key);
       this.persist();
     }
@@ -71181,7 +71303,7 @@ var FileSourceKeyStore = class {
     const obj2 = {};
     for (const [k6, v2] of this.cache) obj2[k6] = v2.toString("base64");
     const encoded = this.encodeFile(obj2);
-    const tmpPath = `${this.path}.tmp-${process.pid.toString()}-${(0, import_node_crypto22.randomBytes)(4).toString("hex")}`;
+    const tmpPath = `${this.path}.tmp-${process.pid.toString()}-${(0, import_node_crypto23.randomBytes)(4).toString("hex")}`;
     (0, import_node_fs36.writeFileSync)(tmpPath, encoded, { mode: 384 });
     try {
       (0, import_node_fs36.chmodSync)(tmpPath, 384);
@@ -71224,14 +71346,14 @@ var FileSourceKeyStore = class {
     if (passphrase === void 0) {
       throw new Error("lattice: key file is encrypted but no passphrase was configured");
     }
-    const derived = (0, import_node_crypto22.scryptSync)(passphrase, salt, KEY_LEN2, {
+    const derived = (0, import_node_crypto23.scryptSync)(passphrase, salt, KEY_LEN2, {
       N: SCRYPT_N,
       r: SCRYPT_R,
       p: SCRYPT_P,
       maxmem: 64 * 1024 * 1024
       // raise Node's default 32MB cap so N=2^15 fits
     });
-    const decipher = (0, import_node_crypto22.createDecipheriv)("aes-256-gcm", derived, iv);
+    const decipher = (0, import_node_crypto23.createDecipheriv)("aes-256-gcm", derived, iv);
     decipher.setAuthTag(tag);
     let plaintext;
     try {
@@ -71246,15 +71368,15 @@ var FileSourceKeyStore = class {
     if (!this.passphrase) {
       return Buffer.from(json, "utf8");
     }
-    const salt = (0, import_node_crypto22.randomBytes)(SALT_LEN2);
-    const iv = (0, import_node_crypto22.randomBytes)(IV_LEN2);
-    const derived = (0, import_node_crypto22.scryptSync)(this.passphrase, salt, KEY_LEN2, {
+    const salt = (0, import_node_crypto23.randomBytes)(SALT_LEN2);
+    const iv = (0, import_node_crypto23.randomBytes)(IV_LEN2);
+    const derived = (0, import_node_crypto23.scryptSync)(this.passphrase, salt, KEY_LEN2, {
       N: SCRYPT_N,
       r: SCRYPT_R,
       p: SCRYPT_P,
       maxmem: 64 * 1024 * 1024
     });
-    const cipher = (0, import_node_crypto22.createCipheriv)("aes-256-gcm", derived, iv);
+    const cipher = (0, import_node_crypto23.createCipheriv)("aes-256-gcm", derived, iv);
     const ct = Buffer.concat([cipher.update(json, "utf8"), cipher.final()]);
     const tag = cipher.getAuthTag();
     const body = `${salt.toString("hex")}:${iv.toString("hex")}:${Buffer.concat([ct, tag]).toString("hex")}`;

package/dist/index.d.cts

@@ -4923,6 +4923,37 @@ interface PdfOptions {
  */
 declare function describePdf(auth: ClaudeAuth, path: string, opts?: PdfOptions): Promise<string>;
 
+/** How the running copy of the package was installed. */
+type InstallKind = 'global' | 'local' | 'npx' | 'linked-dev' | 'unknown';
+interface InstallContext {
+    kind: InstallKind;
+    /** True only when an `npm install` may safely upgrade this copy in place. */
+    installable: boolean;
+    /** Directory to run the install from (the consumer project root for `local`). */
+    cwd: string;
+    /** Resolved package root of the running copy, if found. */
+    packageRoot: string | null;
+    /** Human-readable explanation (logged / surfaced in `/api/update/status`). */
+    reason: string;
+}
+
+interface UpdateStatus {
+    current: string;
+    latest: string | null;
+    kind: InstallContext['kind'];
+    installable: boolean;
+    checking: boolean;
+    installing: boolean;
+    lastError: string | null;
+}
+interface UpdateService {
+    start(): void;
+    stop(): void;
+    status(): UpdateStatus;
+    /** Run a check now (and install if applicable). Returns the resulting status. */
+    checkNow(force?: boolean): Promise<UpdateStatus>;
+}
+
 interface StartGuiServerOptions {
     /**
      * Active workspace config to open. NULL/empty ⇒ boot into the zero-workspace
@@ -4979,6 +5010,13 @@ interface StartGuiServerOptions {
      * `GET /api/version` + `GET /api/update/status` are served regardless.
      */
     selfUpdate?: boolean;
+    /**
+     * Test seam: supply the update service instead of building one from the real
+     * npm-backed install context. Lets tests exercise the update routes against a
+     * deterministic fake (no real registry check, no real npm install). When set,
+     * it overrides `selfUpdate`'s default factory.
+     */
+    updateServiceFactory?: (emit: (type: string, data: unknown) => void) => UpdateService;
 }
 interface GuiServerHandle {
     server: Server;

package/dist/index.d.ts

@@ -4923,6 +4923,37 @@ interface PdfOptions {
  */
 declare function describePdf(auth: ClaudeAuth, path: string, opts?: PdfOptions): Promise<string>;
 
+/** How the running copy of the package was installed. */
+type InstallKind = 'global' | 'local' | 'npx' | 'linked-dev' | 'unknown';
+interface InstallContext {
+    kind: InstallKind;
+    /** True only when an `npm install` may safely upgrade this copy in place. */
+    installable: boolean;
+    /** Directory to run the install from (the consumer project root for `local`). */
+    cwd: string;
+    /** Resolved package root of the running copy, if found. */
+    packageRoot: string | null;
+    /** Human-readable explanation (logged / surfaced in `/api/update/status`). */
+    reason: string;
+}
+
+interface UpdateStatus {
+    current: string;
+    latest: string | null;
+    kind: InstallContext['kind'];
+    installable: boolean;
+    checking: boolean;
+    installing: boolean;
+    lastError: string | null;
+}
+interface UpdateService {
+    start(): void;
+    stop(): void;
+    status(): UpdateStatus;
+    /** Run a check now (and install if applicable). Returns the resulting status. */
+    checkNow(force?: boolean): Promise<UpdateStatus>;
+}
+
 interface StartGuiServerOptions {
     /**
      * Active workspace config to open. NULL/empty ⇒ boot into the zero-workspace
@@ -4979,6 +5010,13 @@ interface StartGuiServerOptions {
      * `GET /api/version` + `GET /api/update/status` are served regardless.
      */
     selfUpdate?: boolean;
+    /**
+     * Test seam: supply the update service instead of building one from the real
+     * npm-backed install context. Lets tests exercise the update routes against a
+     * deterministic fake (no real registry check, no real npm install). When set,
+     * it overrides `selfUpdate`'s default factory.
+     */
+    updateServiceFactory?: (emit: (type: string, data: unknown) => void) => UpdateService;
 }
 interface GuiServerHandle {
     server: Server;

package/dist/index.js

@@ -4531,14 +4531,6 @@ function resolveDbPath(raw, configDir2) {
   }
   return resolve2(configDir2, raw);
 }
-function warnDeprecatedRef(entity, field, target) {
-  const key = `${entity}.${field}`;
-  if (warnedDeprecatedRefs.has(key)) return;
-  warnedDeprecatedRefs.add(key);
-  console.warn(
-    `Lattice: one-to-many \`ref:\` on "${entity}.${field}" \u2192 "${target}" is deprecated in favor of many-to-many junction tables and will be removed in 2.0.`
-  );
-}
 function entityToTableDef(entityName, entity) {
   const rawFields = entity.fields;
   if (!rawFields || typeof rawFields !== "object" || Array.isArray(rawFields)) {
@@ -4565,7 +4557,6 @@ function entityToTableDef(entityName, entity) {
         table: field.ref,
         foreignKey: fieldName
       };
-      warnDeprecatedRef(entityName, fieldName, field.ref);
     }
   }
   const primaryKey = entity.primaryKey ?? pkFromField;
@@ -4722,12 +4713,10 @@ function parseEntityContexts(entityContexts) {
   }
   return result;
 }
-var warnedDeprecatedRefs;
 var init_parser = __esm({
   "src/config/parser.ts"() {
     "use strict";
     init_user_config();
-    warnedDeprecatedRefs = /* @__PURE__ */ new Set();
   }
 });
 
@@ -50608,6 +50597,21 @@ var init_registry = __esm({
           ["table", "values"]
         )
       },
+      {
+        name: "create_secret",
+        description: "Store a secret/credential \u2014 an API key, password, OAuth token, connection string, etc. \u2014 by name in the encrypted secrets store. Use this whenever the user gives you a credential to save or asks you to remember/store a secret. WRITE-ONLY: you can save a secret but you can NEVER read, list, echo, or retrieve existing secret values \u2014 they are hidden from you. The value is encrypted at rest.",
+        mutates: true,
+        category: "row",
+        args: obj(
+          {
+            name: str('A short label for the secret, e.g. "GitHub password" or "OpenAI API key".'),
+            value: str("The secret value to store."),
+            kind: str('Optional kind, e.g. "password", "api_key", "token", "connection_string".'),
+            description: str("Optional note about what the secret is for.")
+          },
+          ["name", "value"]
+        )
+      },
       {
         name: "create_artifact",
         description: "Create a markdown document and save it as a file artifact. Use this whenever the user asks you to create, write, draft, or make a document, note, write-up, summary, report, or file \u2014 you author the content as GitHub-flavored markdown and it is saved in the files entity as a markdown artifact, then opened in the viewer for them. Prefer this over create_row on files for any document the user wants to keep. It follows the same sharing rules as any file (private mode \u2192 private).",
@@ -52814,6 +52818,7 @@ var init_ingest_url = __esm({
 });
 
 // src/gui/ai/dispatch.ts
+import { randomUUID } from "crypto";
 function visibilityDenialReason(opts) {
   if (opts.kind === "table") {
     return opts.canManageTableDefault ? null : "Only the workspace owner can change a table's default sharing.";
@@ -53029,6 +53034,21 @@ async function executeFunction(ctx, name, args) {
         );
         return { ok: true, result: { id } };
       }
+      case "create_secret": {
+        const secretName = requireString(args.name, "name");
+        const secretValue2 = requireString(args.value, "value");
+        const kind = typeof args.kind === "string" && args.kind ? args.kind : null;
+        const description = typeof args.description === "string" && args.description ? args.description : null;
+        const id = randomUUID();
+        await ctx.db.insert("secrets", {
+          id,
+          name: secretName,
+          value: secretValue2,
+          kind,
+          description
+        });
+        return { ok: true, result: { id, name: secretName } };
+      }
       case "create_artifact": {
         const table = requireTable("files", ctx.validTables);
         const title = requireString(args.title, "title");
@@ -53359,6 +53379,7 @@ var init_dispatch = __esm({
       "get_history",
       "create_row",
       "create_artifact",
+      "create_secret",
       "ingest_url",
       "set_definition",
       "set_visibility",
@@ -55797,6 +55818,8 @@ var css = `
     .app-version:empty { display: none; }
     .app-update { flex: 0 0 auto; color: var(--accent, #4a9); font-size: 12px; white-space: nowrap; }
     .app-update[hidden] { display: none; }
+    #app-update-link { flex: 0 0 auto; margin-left: 8px; color: var(--accent, #4a9); font-size: 12px; cursor: pointer; white-space: nowrap; }
+    #app-update-link[hidden] { display: none; }
     /* Unseen-change count next to a sidebar entity. */
     .nav-badge {
       display: inline-block; min-width: 16px; text-align: center;
@@ -57275,6 +57298,12 @@ var appJs = `
       // drag handle once the app has booted.
       var savedRail = parseInt(window.localStorage.getItem(RAIL_KEY) || '', 10);
       if (!isNaN(savedRail)) applyRailWidth(savedRail);
+      // The version chip + manual-upgrade link live in the static shell (present
+      // from first paint, in both the normal and virgin-state boots), so wire the
+      // click handler and run the first availability check here \u2014 independent of
+      // the async workspace bootstrap. checkServerVersion() refreshes it later.
+      wireUpdateLink();
+      checkUpdateAvailable();
       // Failsafe: never leave the overlay up forever if a fetch hangs without
       // rejecting, or a future early-return (e.g. the virgin-state screen)
       // bypasses the .then() tail. Idempotent, so a later real hide is a no-op.
@@ -57759,6 +57788,26 @@ var appJs = `
       showUpdatePill(label || 'Updated \u2014 reloading\u2026');
       setTimeout(function () { location.reload(); }, 600);
     }
+    // Manual upgrade fallback: show an "Update available \u2014 Upgrade" link next to
+    // the version chip only when the server reports a newer, installable version.
+    // The auto-updater installs in the background on its own cadence; this lets
+    // the user force it now. Best-effort; the link stays hidden on any failure.
+    function checkUpdateAvailable() {
+      var el = document.getElementById('app-update-link');
+      if (!el) return;
+      fetch('/api/update/status')
+        .then(function (r) { return r.ok ? r.json() : null; })
+        .then(function (s) {
+          if (s && s.latest && s.current && s.latest !== s.current && s.installable) {
+            el.textContent = 'Update available \u2014 Upgrade';
+            el.title = 'Install v' + s.latest + ' and restart';
+            el.hidden = false;
+          } else {
+            el.hidden = true;
+          }
+        })
+        .catch(function () { /* best-effort \u2014 keep the link hidden */ });
+    }
     // On every (re)connect, ask the server its version. A change vs BOOT_VERSION
     // means a relaunch onto new code \u2192 reload. Best-effort; never throws.
     function checkServerVersion() {
@@ -57772,6 +57821,31 @@ var appJs = `
           else hideUpdatePill();
         })
         .catch(function () { /* offline / mid-restart \u2014 the next reconnect retries */ });
+      // Refresh the manual-upgrade link alongside the reconnect version check.
+      checkUpdateAvailable();
+    }
+    // Wire the manual-upgrade link's click: kick off the install (the server
+    // installs the latest and restarts onto it) and surface the progress. On
+    // success we do nothing else \u2014 the update-applied event + the reconnect
+    // version check land the page on the new version (no manual reload). A
+    // false ok means the install can't run (unsupervised) \u2014 toast why.
+    function wireUpdateLink() {
+      var el = document.getElementById('app-update-link');
+      if (!el) return;
+      el.addEventListener('click', function (e) {
+        e.preventDefault();
+        el.hidden = true;
+        showUpdatePill('Updating\u2026');
+        fetch('/api/update/apply', { method: 'POST' })
+          .then(function (r) { return r.json(); })
+          .then(function (d) {
+            if (d && d.ok === false) {
+              hideUpdatePill();
+              showToast(d.error || 'Update unavailable', {});
+            }
+          })
+          .catch(function () { /* server may already be restarting */ });
+      });
     }
     function dispatchStreamMessage(type, data) {
       if (type === 'realtime-state') {
@@ -64589,6 +64663,7 @@ var guiAppHtml = `<!doctype html>
     <span class="offline-pill" id="offline-pill" title="Edits queued offline \u2014 will sync when the cloud reconnects" hidden></span>
     <span class="app-update" id="app-update" title="A new version is being applied" hidden></span>
     <span class="app-version" id="app-version" title="Lattice version"><!--LATTICE_VERSION--></span>
+    <a id="app-update-link" href="#" hidden>Update available \u2014 Upgrade</a>
     <button id="settings-gear" title="Settings" aria-label="Open settings">
       <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true">
         <circle cx="12" cy="12" r="3"/>
@@ -66198,7 +66273,7 @@ function redeemInviteToken(email, token) {
 init_markdown();
 init_rls();
 init_adapter();
-import { randomUUID } from "crypto";
+import { randomUUID as randomUUID2 } from "crypto";
 init_parser();
 init_lattice_root();
 init_workspace();
@@ -66793,7 +66868,7 @@ async function dispatchDbConfigRoute(req, res, ctx) {
         `INSERT INTO "__lattice_member_invites" ("id","role","email_hash","email","expires_at")
            VALUES (?, ?, ?, ?, ?)`,
         [
-          randomUUID(),
+          randomUUID2(),
           role,
           emailHash,
           // Plaintext email stored ONLY in this owner-only table so the owner's
@@ -69130,6 +69205,28 @@ async function startGuiServer(options) {
     setActive(next, created.id);
     return created.id;
   };
+  const cleanupWorkspaceFiles = (root6, ws) => {
+    if (!ws.configPath && ws.kind === "local") {
+      rmSync(workspaceDir(root6, ws.dir), { recursive: true, force: true });
+    } else if (ws.kind === "cloud") {
+      if (ws.configPath && existsSync24(ws.configPath)) {
+        rmSync(ws.configPath, { force: true });
+      }
+      const labelMatch = /^\$\{LATTICE_DB:([A-Za-z0-9._-]+)\}$/.exec(ws.db.trim());
+      const label = labelMatch?.[1];
+      if (label) {
+        const stillUsed = listWorkspaces(root6).some(
+          (w2) => w2.db.includes("${LATTICE_DB:" + label + "}")
+        );
+        if (!stillUsed) {
+          try {
+            deleteDbCredential(label);
+          } catch {
+          }
+        }
+      }
+    }
+  };
   const handleVirginRoute = async (req, res, pathname, method) => {
     if (method === "GET" && pathname === "/") {
       sendText(
@@ -69181,6 +69278,35 @@ async function startGuiServer(options) {
       }
       return true;
     }
+    if (method === "POST" && pathname === "/api/workspaces/delete") {
+      if (!latticeRoot) {
+        sendJson(res, { error: "No .lattice root \u2014 workspaces unavailable" }, 400);
+        return true;
+      }
+      const body = await readJson(req);
+      if (typeof body.id !== "string") {
+        sendJson(res, { error: "id must be a string" }, 400);
+        return true;
+      }
+      const ws = getWorkspace(latticeRoot, body.id);
+      if (!ws) {
+        sendJson(res, { error: `No workspace with id ${body.id}` }, 400);
+        return true;
+      }
+      removeWorkspace(latticeRoot, ws.id);
+      try {
+        cleanupWorkspaceFiles(latticeRoot, ws);
+      } catch (e6) {
+        sendJson(
+          res,
+          { error: `Workspace unregistered but file cleanup failed: ${e6.message}` },
+          500
+        );
+        return true;
+      }
+      sendJson(res, { ok: true, switchedTo: null });
+      return true;
+    }
     if (method === "POST" && pathname === "/api/cloud/redeem-invite") {
       await redeemInvite(createCloudWorkspace, req, res);
       return true;
@@ -69215,6 +69341,18 @@ async function startGuiServer(options) {
           );
           return;
         }
+        if (method === "POST" && pathname === "/api/update/apply") {
+          if (updateService) {
+            void updateService.checkNow(true);
+            sendJson(res, { ok: true, status: updateService.status() });
+          } else {
+            sendJson(res, {
+              ok: false,
+              error: "Automatic update is not available for this install. Reinstall from https://latticesql.com to get the latest version."
+            });
+          }
+          return;
+        }
         if (!activeRef) {
           if (await handleVirginRoute(req, res, pathname, method)) return;
           sendJson(res, { error: "No active workspace" }, 409);
@@ -70308,26 +70446,7 @@ async function startGuiServer(options) {
           }
           removeWorkspace(latticeRoot, ws.id);
           try {
-            if (!ws.configPath && ws.kind === "local") {
-              rmSync(workspaceDir(latticeRoot, ws.dir), { recursive: true, force: true });
-            } else if (ws.kind === "cloud") {
-              if (ws.configPath && existsSync24(ws.configPath)) {
-                rmSync(ws.configPath, { force: true });
-              }
-              const labelMatch = /^\$\{LATTICE_DB:([A-Za-z0-9._-]+)\}$/.exec(ws.db.trim());
-              const label = labelMatch?.[1];
-              if (label) {
-                const stillUsed = listWorkspaces(latticeRoot).some(
-                  (w2) => w2.db.includes("${LATTICE_DB:" + label + "}")
-                );
-                if (!stillUsed) {
-                  try {
-                    deleteDbCredential(label);
-                  } catch {
-                  }
-                }
-              }
-            }
+            cleanupWorkspaceFiles(latticeRoot, ws);
           } catch (e6) {
             sendJson(
               res,
@@ -70793,7 +70912,9 @@ ${e6.stack ?? ""}`
       }
     }
   };
-  if (options.selfUpdate && guiVersion) {
+  if (options.updateServiceFactory) {
+    updateService = options.updateServiceFactory(broadcast);
+  } else if (options.selfUpdate && guiVersion) {
     updateService = createUpdateService({ currentVersion: guiVersion, emit: broadcast });
   }
   const handleEventStream = (ws) => {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "latticesql",
-  "version": "3.4.4",
+  "version": "3.4.6",
   "description": "Persistent structured memory for AI agent systems — pluggable SQLite or Postgres backend, LLM context bridge",
   "type": "module",
   "main": "./dist/index.js",