latticesql 3.4.5 → 3.4.6

package/dist/cli.js

@@ -10313,6 +10313,21 @@ var init_registry = __esm({
           ["table", "values"]
         )
       },
+      {
+        name: "create_secret",
+        description: "Store a secret/credential \u2014 an API key, password, OAuth token, connection string, etc. \u2014 by name in the encrypted secrets store. Use this whenever the user gives you a credential to save or asks you to remember/store a secret. WRITE-ONLY: you can save a secret but you can NEVER read, list, echo, or retrieve existing secret values \u2014 they are hidden from you. The value is encrypted at rest.",
+        mutates: true,
+        category: "row",
+        args: obj(
+          {
+            name: str('A short label for the secret, e.g. "GitHub password" or "OpenAI API key".'),
+            value: str("The secret value to store."),
+            kind: str('Optional kind, e.g. "password", "api_key", "token", "connection_string".'),
+            description: str("Optional note about what the secret is for.")
+          },
+          ["name", "value"]
+        )
+      },
       {
         name: "create_artifact",
         description: "Create a markdown document and save it as a file artifact. Use this whenever the user asks you to create, write, draft, or make a document, note, write-up, summary, report, or file \u2014 you author the content as GitHub-flavored markdown and it is saved in the files entity as a markdown artifact, then opened in the viewer for them. Prefer this over create_row on files for any document the user wants to keep. It follows the same sharing rules as any file (private mode \u2192 private).",
@@ -13156,6 +13171,7 @@ var init_ingest_url = __esm({
 });
 
 // src/gui/ai/dispatch.ts
+import { randomUUID } from "crypto";
 function visibilityDenialReason(opts) {
   if (opts.kind === "table") {
     return opts.canManageTableDefault ? null : "Only the workspace owner can change a table's default sharing.";
@@ -13371,6 +13387,21 @@ async function executeFunction(ctx, name, args) {
         );
         return { ok: true, result: { id } };
       }
+      case "create_secret": {
+        const secretName = requireString(args.name, "name");
+        const secretValue2 = requireString(args.value, "value");
+        const kind = typeof args.kind === "string" && args.kind ? args.kind : null;
+        const description = typeof args.description === "string" && args.description ? args.description : null;
+        const id = randomUUID();
+        await ctx.db.insert("secrets", {
+          id,
+          name: secretName,
+          value: secretValue2,
+          kind,
+          description
+        });
+        return { ok: true, result: { id, name: secretName } };
+      }
       case "create_artifact": {
         const table = requireTable("files", ctx.validTables);
         const title = requireString(args.title, "title");
@@ -13701,6 +13732,7 @@ var init_dispatch = __esm({
       "get_history",
       "create_row",
       "create_artifact",
+      "create_secret",
       "ingest_url",
       "set_definition",
       "set_visibility",
@@ -64852,7 +64884,7 @@ function redeemInviteToken(email, token) {
 init_markdown();
 init_rls();
 init_adapter();
-import { randomUUID } from "crypto";
+import { randomUUID as randomUUID2 } from "crypto";
 
 // src/framework/cloud-migration.ts
 init_lattice();
@@ -65647,7 +65679,7 @@ async function dispatchDbConfigRoute(req, res, ctx) {
         `INSERT INTO "__lattice_member_invites" ("id","role","email_hash","email","expires_at")
            VALUES (?, ?, ?, ?, ?)`,
         [
-          randomUUID(),
+          randomUUID2(),
           role,
           emailHash,
           // Plaintext email stored ONLY in this owner-only table so the owner's
@@ -70221,7 +70253,7 @@ function printHelp() {
   );
 }
 function getVersion() {
-  if (true) return "3.4.5";
+  if (true) return "3.4.6";
   try {
     const pkgPath = new URL("../package.json", import.meta.url).pathname;
     const pkg = JSON.parse(readFileSync20(pkgPath, "utf-8"));

package/dist/index.cjs

@@ -50606,6 +50606,21 @@ var init_registry = __esm({
           ["table", "values"]
         )
       },
+      {
+        name: "create_secret",
+        description: "Store a secret/credential \u2014 an API key, password, OAuth token, connection string, etc. \u2014 by name in the encrypted secrets store. Use this whenever the user gives you a credential to save or asks you to remember/store a secret. WRITE-ONLY: you can save a secret but you can NEVER read, list, echo, or retrieve existing secret values \u2014 they are hidden from you. The value is encrypted at rest.",
+        mutates: true,
+        category: "row",
+        args: obj(
+          {
+            name: str('A short label for the secret, e.g. "GitHub password" or "OpenAI API key".'),
+            value: str("The secret value to store."),
+            kind: str('Optional kind, e.g. "password", "api_key", "token", "connection_string".'),
+            description: str("Optional note about what the secret is for.")
+          },
+          ["name", "value"]
+        )
+      },
       {
         name: "create_artifact",
         description: "Create a markdown document and save it as a file artifact. Use this whenever the user asks you to create, write, draft, or make a document, note, write-up, summary, report, or file \u2014 you author the content as GitHub-flavored markdown and it is saved in the files entity as a markdown artifact, then opened in the viewer for them. Prefer this over create_row on files for any document the user wants to keep. It follows the same sharing rules as any file (private mode \u2192 private).",
@@ -53028,6 +53043,21 @@ async function executeFunction(ctx, name, args) {
         );
         return { ok: true, result: { id } };
       }
+      case "create_secret": {
+        const secretName = requireString(args.name, "name");
+        const secretValue2 = requireString(args.value, "value");
+        const kind = typeof args.kind === "string" && args.kind ? args.kind : null;
+        const description = typeof args.description === "string" && args.description ? args.description : null;
+        const id = (0, import_node_crypto18.randomUUID)();
+        await ctx.db.insert("secrets", {
+          id,
+          name: secretName,
+          value: secretValue2,
+          kind,
+          description
+        });
+        return { ok: true, result: { id, name: secretName } };
+      }
       case "create_artifact": {
         const table = requireTable("files", ctx.validTables);
         const title = requireString(args.title, "title");
@@ -53331,10 +53361,11 @@ async function executeFunction(ctx, name, args) {
     return { ok: false, error: e6.message };
   }
 }
-var DISPATCHABLE, ASSISTANT_HIDDEN_TABLES, SECRET_MASK, BULK_FILTER_OPS;
+var import_node_crypto18, DISPATCHABLE, ASSISTANT_HIDDEN_TABLES, SECRET_MASK, BULK_FILTER_OPS;
 var init_dispatch = __esm({
   "src/gui/ai/dispatch.ts"() {
     "use strict";
+    import_node_crypto18 = require("crypto");
     init_registry();
     init_lattice_docs();
     init_fts();
@@ -53358,6 +53389,7 @@ var init_dispatch = __esm({
       "get_history",
       "create_row",
       "create_artifact",
+      "create_secret",
       "ingest_url",
       "set_definition",
       "set_visibility",
@@ -66322,11 +66354,11 @@ var import_yaml6 = require("yaml");
 init_lattice();
 init_user_config();
 init_cloud_connect();
-var import_node_crypto19 = require("crypto");
+var import_node_crypto20 = require("crypto");
 init_members();
 
 // src/cloud/invite.ts
-var import_node_crypto18 = require("crypto");
+var import_node_crypto19 = require("crypto");
 var VERSION = 1;
 var SALT_LEN = 16;
 var SECRET_LEN = 32;
@@ -66344,15 +66376,15 @@ function poolerAwareUser(host, role, ownerUser) {
   return ref ? `${role}.${ref}` : role;
 }
 function deriveKey2(tokenSecret, email, salt) {
-  const emailSalt = Buffer.from((0, import_node_crypto18.scryptSync)(normalizeEmail(email), salt, KEY_LEN));
-  return Buffer.from((0, import_node_crypto18.hkdfSync)("sha256", tokenSecret, emailSalt, HKDF_INFO, KEY_LEN));
+  const emailSalt = Buffer.from((0, import_node_crypto19.scryptSync)(normalizeEmail(email), salt, KEY_LEN));
+  return Buffer.from((0, import_node_crypto19.hkdfSync)("sha256", tokenSecret, emailSalt, HKDF_INFO, KEY_LEN));
 }
 function mintInviteToken(input) {
   const email = normalizeEmail(input.email);
   if (!email) throw new Error("lattice: an invite must be bound to an email");
-  const salt = (0, import_node_crypto18.randomBytes)(SALT_LEN);
-  const tokenSecret = (0, import_node_crypto18.randomBytes)(SECRET_LEN);
-  const nonce = (0, import_node_crypto18.randomBytes)(NONCE_LEN);
+  const salt = (0, import_node_crypto19.randomBytes)(SALT_LEN);
+  const tokenSecret = (0, import_node_crypto19.randomBytes)(SECRET_LEN);
+  const nonce = (0, import_node_crypto19.randomBytes)(NONCE_LEN);
   const key = deriveKey2(tokenSecret, email, salt);
   const payload = {
     v: 1,
@@ -66366,7 +66398,7 @@ function mintInviteToken(input) {
     expires_at: input.expiresAt.toISOString(),
     ...input.workspaceName?.trim() ? { workspace_name: input.workspaceName.trim() } : {}
   };
-  const cipher = (0, import_node_crypto18.createCipheriv)("aes-256-gcm", key, nonce);
+  const cipher = (0, import_node_crypto19.createCipheriv)("aes-256-gcm", key, nonce);
   cipher.setAAD(Buffer.from(email, "utf8"));
   const ct = Buffer.concat([cipher.update(JSON.stringify(payload), "utf8"), cipher.final()]);
   const tag = cipher.getAuthTag();
@@ -66389,7 +66421,7 @@ function redeemInviteToken(email, token) {
   const tag = raw.subarray(raw.length - TAG_LEN2);
   const ct = raw.subarray(off, raw.length - TAG_LEN2);
   const key = deriveKey2(tokenSecret, normEmail, salt);
-  const decipher = (0, import_node_crypto18.createDecipheriv)("aes-256-gcm", key, nonce);
+  const decipher = (0, import_node_crypto19.createDecipheriv)("aes-256-gcm", key, nonce);
   decipher.setAAD(Buffer.from(normEmail, "utf8"));
   decipher.setAuthTag(tag);
   let plaintext;
@@ -66417,7 +66449,7 @@ function redeemInviteToken(email, token) {
 init_markdown();
 init_rls();
 init_adapter();
-var import_node_crypto20 = require("crypto");
+var import_node_crypto21 = require("crypto");
 init_parser();
 init_lattice_root();
 init_workspace();
@@ -66502,7 +66534,7 @@ function parseAndValidateLogo(dataUri) {
       error: `logo must be square (got ${String(dims.width)}\xD7${String(dims.height)})`
     };
   }
-  return { ok: true, mime, bytes, etag: (0, import_node_crypto19.createHash)("sha256").update(bytes).digest("hex") };
+  return { ok: true, mime, bytes, etag: (0, import_node_crypto20.createHash)("sha256").update(bytes).digest("hex") };
 }
 function updateActiveWorkspaceToCloud(configPath, displayName, key) {
   const root6 = findLatticeRoot((0, import_node_path36.dirname)(configPath));
@@ -67012,7 +67044,7 @@ async function dispatchDbConfigRoute(req, res, ctx) {
         `INSERT INTO "__lattice_member_invites" ("id","role","email_hash","email","expires_at")
            VALUES (?, ?, ?, ?, ?)`,
         [
-          (0, import_node_crypto20.randomUUID)(),
+          (0, import_node_crypto21.randomUUID)(),
           role,
           emailHash,
           // Plaintext email stored ONLY in this owner-only table so the owner's
@@ -67838,7 +67870,7 @@ var import_node_os9 = require("os");
 var import_node_path37 = require("path");
 init_mutations();
 init_extract();
-var import_node_crypto21 = require("crypto");
+var import_node_crypto22 = require("crypto");
 init_assistant_routes();
 init_enrich();
 init_ingest_url();
@@ -68079,7 +68111,7 @@ async function dispatchIngestRoute(req, res, ctx) {
     let s3Status = null;
     const s3cfg = resolveActiveS3Config(ctx.configPath);
     if (s3cfg) {
-      const sha256 = blob?.sha256 ?? (0, import_node_crypto21.createHash)("sha256").update(buf).digest("hex");
+      const sha256 = blob?.sha256 ?? (0, import_node_crypto22.createHash)("sha256").update(buf).digest("hex");
       const key = s3Key(s3cfg.prefix, sha256);
       try {
         const store = await createS3Store(s3cfg);
@@ -68111,7 +68143,7 @@ async function dispatchIngestRoute(req, res, ctx) {
         realPath = rawFilePath;
       }
     }
-    const fileSha = blob?.sha256 ?? s3Ref?.sha256 ?? (0, import_node_crypto21.createHash)("sha256").update(buf).digest("hex");
+    const fileSha = blob?.sha256 ?? s3Ref?.sha256 ?? (0, import_node_crypto22.createHash)("sha256").update(buf).digest("hex");
     const uploadRow = {
       id: fileId,
       ...fileIdentity(name2, fileId),
@@ -71200,7 +71232,7 @@ ${e6.stack ?? ""}`
 // src/cloud/file-source-key-store.ts
 var import_node_fs36 = require("fs");
 var import_node_path39 = require("path");
-var import_node_crypto22 = require("crypto");
+var import_node_crypto23 = require("crypto");
 var ENC_HEADER = "LATTICE-KMS-v1\n";
 var SCRYPT_N = 1 << 15;
 var SCRYPT_R = 8;
@@ -71227,7 +71259,7 @@ var FileSourceKeyStore = class {
   getOrCreate(sourceId) {
     let key = this.cache.get(sourceId);
     if (!key) {
-      key = (0, import_node_crypto22.randomBytes)(KEY_LEN2);
+      key = (0, import_node_crypto23.randomBytes)(KEY_LEN2);
       this.cache.set(sourceId, key);
       this.persist();
     }
@@ -71271,7 +71303,7 @@ var FileSourceKeyStore = class {
     const obj2 = {};
     for (const [k6, v2] of this.cache) obj2[k6] = v2.toString("base64");
     const encoded = this.encodeFile(obj2);
-    const tmpPath = `${this.path}.tmp-${process.pid.toString()}-${(0, import_node_crypto22.randomBytes)(4).toString("hex")}`;
+    const tmpPath = `${this.path}.tmp-${process.pid.toString()}-${(0, import_node_crypto23.randomBytes)(4).toString("hex")}`;
     (0, import_node_fs36.writeFileSync)(tmpPath, encoded, { mode: 384 });
     try {
       (0, import_node_fs36.chmodSync)(tmpPath, 384);
@@ -71314,14 +71346,14 @@ var FileSourceKeyStore = class {
     if (passphrase === void 0) {
       throw new Error("lattice: key file is encrypted but no passphrase was configured");
     }
-    const derived = (0, import_node_crypto22.scryptSync)(passphrase, salt, KEY_LEN2, {
+    const derived = (0, import_node_crypto23.scryptSync)(passphrase, salt, KEY_LEN2, {
       N: SCRYPT_N,
       r: SCRYPT_R,
       p: SCRYPT_P,
       maxmem: 64 * 1024 * 1024
       // raise Node's default 32MB cap so N=2^15 fits
     });
-    const decipher = (0, import_node_crypto22.createDecipheriv)("aes-256-gcm", derived, iv);
+    const decipher = (0, import_node_crypto23.createDecipheriv)("aes-256-gcm", derived, iv);
     decipher.setAuthTag(tag);
     let plaintext;
     try {
@@ -71336,15 +71368,15 @@ var FileSourceKeyStore = class {
     if (!this.passphrase) {
       return Buffer.from(json, "utf8");
     }
-    const salt = (0, import_node_crypto22.randomBytes)(SALT_LEN2);
-    const iv = (0, import_node_crypto22.randomBytes)(IV_LEN2);
-    const derived = (0, import_node_crypto22.scryptSync)(this.passphrase, salt, KEY_LEN2, {
+    const salt = (0, import_node_crypto23.randomBytes)(SALT_LEN2);
+    const iv = (0, import_node_crypto23.randomBytes)(IV_LEN2);
+    const derived = (0, import_node_crypto23.scryptSync)(this.passphrase, salt, KEY_LEN2, {
       N: SCRYPT_N,
       r: SCRYPT_R,
       p: SCRYPT_P,
       maxmem: 64 * 1024 * 1024
     });
-    const cipher = (0, import_node_crypto22.createCipheriv)("aes-256-gcm", derived, iv);
+    const cipher = (0, import_node_crypto23.createCipheriv)("aes-256-gcm", derived, iv);
     const ct = Buffer.concat([cipher.update(json, "utf8"), cipher.final()]);
     const tag = cipher.getAuthTag();
     const body = `${salt.toString("hex")}:${iv.toString("hex")}:${Buffer.concat([ct, tag]).toString("hex")}`;

package/dist/index.js

@@ -50597,6 +50597,21 @@ var init_registry = __esm({
           ["table", "values"]
         )
       },
+      {
+        name: "create_secret",
+        description: "Store a secret/credential \u2014 an API key, password, OAuth token, connection string, etc. \u2014 by name in the encrypted secrets store. Use this whenever the user gives you a credential to save or asks you to remember/store a secret. WRITE-ONLY: you can save a secret but you can NEVER read, list, echo, or retrieve existing secret values \u2014 they are hidden from you. The value is encrypted at rest.",
+        mutates: true,
+        category: "row",
+        args: obj(
+          {
+            name: str('A short label for the secret, e.g. "GitHub password" or "OpenAI API key".'),
+            value: str("The secret value to store."),
+            kind: str('Optional kind, e.g. "password", "api_key", "token", "connection_string".'),
+            description: str("Optional note about what the secret is for.")
+          },
+          ["name", "value"]
+        )
+      },
       {
         name: "create_artifact",
         description: "Create a markdown document and save it as a file artifact. Use this whenever the user asks you to create, write, draft, or make a document, note, write-up, summary, report, or file \u2014 you author the content as GitHub-flavored markdown and it is saved in the files entity as a markdown artifact, then opened in the viewer for them. Prefer this over create_row on files for any document the user wants to keep. It follows the same sharing rules as any file (private mode \u2192 private).",
@@ -52803,6 +52818,7 @@ var init_ingest_url = __esm({
 });
 
 // src/gui/ai/dispatch.ts
+import { randomUUID } from "crypto";
 function visibilityDenialReason(opts) {
   if (opts.kind === "table") {
     return opts.canManageTableDefault ? null : "Only the workspace owner can change a table's default sharing.";
@@ -53018,6 +53034,21 @@ async function executeFunction(ctx, name, args) {
         );
         return { ok: true, result: { id } };
       }
+      case "create_secret": {
+        const secretName = requireString(args.name, "name");
+        const secretValue2 = requireString(args.value, "value");
+        const kind = typeof args.kind === "string" && args.kind ? args.kind : null;
+        const description = typeof args.description === "string" && args.description ? args.description : null;
+        const id = randomUUID();
+        await ctx.db.insert("secrets", {
+          id,
+          name: secretName,
+          value: secretValue2,
+          kind,
+          description
+        });
+        return { ok: true, result: { id, name: secretName } };
+      }
       case "create_artifact": {
         const table = requireTable("files", ctx.validTables);
         const title = requireString(args.title, "title");
@@ -53348,6 +53379,7 @@ var init_dispatch = __esm({
       "get_history",
       "create_row",
       "create_artifact",
+      "create_secret",
       "ingest_url",
       "set_definition",
       "set_visibility",
@@ -66241,7 +66273,7 @@ function redeemInviteToken(email, token) {
 init_markdown();
 init_rls();
 init_adapter();
-import { randomUUID } from "crypto";
+import { randomUUID as randomUUID2 } from "crypto";
 init_parser();
 init_lattice_root();
 init_workspace();
@@ -66836,7 +66868,7 @@ async function dispatchDbConfigRoute(req, res, ctx) {
         `INSERT INTO "__lattice_member_invites" ("id","role","email_hash","email","expires_at")
            VALUES (?, ?, ?, ?, ?)`,
         [
-          randomUUID(),
+          randomUUID2(),
           role,
           emailHash,
           // Plaintext email stored ONLY in this owner-only table so the owner's

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "latticesql",
-  "version": "3.4.5",
+  "version": "3.4.6",
   "description": "Persistent structured memory for AI agent systems — pluggable SQLite or Postgres backend, LLM context bridge",
   "type": "module",
   "main": "./dist/index.js",