latticesql 3.4.5 → 3.4.7

package/dist/cli.js

@@ -10313,6 +10313,21 @@ var init_registry = __esm({
           ["table", "values"]
         )
       },
+      {
+        name: "create_secret",
+        description: "Store a secret/credential \u2014 an API key, password, OAuth token, connection string, etc. \u2014 by name in the encrypted secrets store. Use this whenever the user gives you a credential to save or asks you to remember/store a secret. WRITE-ONLY: you can save a secret but you can NEVER read, list, echo, or retrieve existing secret values \u2014 they are hidden from you. The value is encrypted at rest.",
+        mutates: true,
+        category: "row",
+        args: obj(
+          {
+            name: str('A short label for the secret, e.g. "GitHub password" or "OpenAI API key".'),
+            value: str("The secret value to store."),
+            kind: str('Optional kind, e.g. "password", "api_key", "token", "connection_string".'),
+            description: str("Optional note about what the secret is for.")
+          },
+          ["name", "value"]
+        )
+      },
       {
         name: "create_artifact",
         description: "Create a markdown document and save it as a file artifact. Use this whenever the user asks you to create, write, draft, or make a document, note, write-up, summary, report, or file \u2014 you author the content as GitHub-flavored markdown and it is saved in the files entity as a markdown artifact, then opened in the viewer for them. Prefer this over create_row on files for any document the user wants to keep. It follows the same sharing rules as any file (private mode \u2192 private).",
@@ -13156,6 +13171,7 @@ var init_ingest_url = __esm({
 });
 
 // src/gui/ai/dispatch.ts
+import { randomUUID } from "crypto";
 function visibilityDenialReason(opts) {
   if (opts.kind === "table") {
     return opts.canManageTableDefault ? null : "Only the workspace owner can change a table's default sharing.";
@@ -13371,6 +13387,21 @@ async function executeFunction(ctx, name, args) {
         );
         return { ok: true, result: { id } };
       }
+      case "create_secret": {
+        const secretName = requireString(args.name, "name");
+        const secretValue2 = requireString(args.value, "value");
+        const kind = typeof args.kind === "string" && args.kind ? args.kind : null;
+        const description = typeof args.description === "string" && args.description ? args.description : null;
+        const id = randomUUID();
+        await ctx.db.insert("secrets", {
+          id,
+          name: secretName,
+          value: secretValue2,
+          kind,
+          description
+        });
+        return { ok: true, result: { id, name: secretName } };
+      }
       case "create_artifact": {
         const table = requireTable("files", ctx.validTables);
         const title = requireString(args.title, "title");
@@ -13701,6 +13732,7 @@ var init_dispatch = __esm({
       "get_history",
       "create_row",
       "create_artifact",
+      "create_secret",
       "ingest_url",
       "set_definition",
       "set_visibility",
@@ -56049,9 +56081,41 @@ var appJs = `
     }
     function reloadForUpdate(label) {
       if (reloadingForUpdate) return;
+      // Guard against an infinite reload loop. Reloading when the server version
+      // changes is the seamless-update trigger \u2014 but if the version the page was
+      // SERVED with keeps disagreeing with /api/version (e.g. a stale or duplicate
+      // server is holding the port and reporting a different version), every fresh
+      // page would reload again. That unbounded loop pegs memory and crashes the
+      // browser. Cap reloads to MAX within WINDOW; past that, stop and surface the
+      // mismatch instead of spinning. A genuine update reloads once and then the
+      // versions agree, which clears the counter (see checkServerVersion).
+      var KEY = 'lattice:updateReloads',
+        MAX = 3,
+        WINDOW = 60000,
+        now = Date.now(),
+        recent = [];
+      try {
+        recent = (JSON.parse(sessionStorage.getItem(KEY) || '[]') || []).filter(function (t) {
+          return now - t < WINDOW;
+        });
+      } catch (_) {
+        /* sessionStorage blocked \u2014 degrade to a single best-effort reload below */
+      }
+      if (recent.length >= MAX) {
+        showUpdatePill('Version mismatch \u2014 stopped auto-reloading. Reload manually if needed.');
+        return;
+      }
+      recent.push(now);
+      try {
+        sessionStorage.setItem(KEY, JSON.stringify(recent));
+      } catch (_) {
+        /* best-effort */
+      }
       reloadingForUpdate = true;
       showUpdatePill(label || 'Updated \u2014 reloading\u2026');
-      setTimeout(function () { location.reload(); }, 600);
+      setTimeout(function () {
+        location.reload();
+      }, 600);
     }
     // Manual upgrade fallback: show an "Update available \u2014 Upgrade" link next to
     // the version chip only when the server reports a newer, installable version.
@@ -56083,7 +56147,16 @@ var appJs = `
           var v = d && d.version ? String(d.version).replace(/^v/, '').trim() : '';
           if (!v) return;
           if (v !== BOOT_VERSION) reloadForUpdate('Updated to v' + v + ' \u2014 reloading\u2026');
-          else hideUpdatePill();
+          else {
+            hideUpdatePill();
+            // Versions agree \u2014 clear the reload-loop guard so a later genuine
+            // update can reload again from a clean slate.
+            try {
+              sessionStorage.removeItem('lattice:updateReloads');
+            } catch (_) {
+              /* best-effort */
+            }
+          }
         })
         .catch(function () { /* offline / mid-restart \u2014 the next reconnect retries */ });
       // Refresh the manual-upgrade link alongside the reconnect version check.
@@ -64852,7 +64925,7 @@ function redeemInviteToken(email, token) {
 init_markdown();
 init_rls();
 init_adapter();
-import { randomUUID } from "crypto";
+import { randomUUID as randomUUID2 } from "crypto";
 
 // src/framework/cloud-migration.ts
 init_lattice();
@@ -65647,7 +65720,7 @@ async function dispatchDbConfigRoute(req, res, ctx) {
         `INSERT INTO "__lattice_member_invites" ("id","role","email_hash","email","expires_at")
            VALUES (?, ?, ?, ?, ?)`,
         [
-          randomUUID(),
+          randomUUID2(),
           role,
           emailHash,
           // Plaintext email stored ONLY in this owner-only table so the owner's
@@ -69987,6 +70060,28 @@ ${e6.stack ?? ""}`
   };
 }
 
+// src/gui/probe-running.ts
+async function probeRunningGui(port, timeoutMs = 1e3) {
+  const controller = new AbortController();
+  const timer = setTimeout(() => {
+    controller.abort();
+  }, timeoutMs);
+  try {
+    const res = await fetch(`http://127.0.0.1:${String(port)}/api/version`, {
+      signal: controller.signal
+    });
+    if (!res.ok) return null;
+    const data = await res.json();
+    if (typeof data !== "object" || data === null || !("version" in data)) return null;
+    const v2 = data.version;
+    return { version: typeof v2 === "string" ? v2 : "" };
+  } catch {
+    return null;
+  } finally {
+    clearTimeout(timer);
+  }
+}
+
 // src/gui/supervisor.ts
 import { spawn as spawn3 } from "child_process";
 async function superviseGui(opts) {
@@ -70221,7 +70316,7 @@ function printHelp() {
   );
 }
 function getVersion() {
-  if (true) return "3.4.5";
+  if (true) return "3.4.7";
   try {
     const pkgPath = new URL("../package.json", import.meta.url).pathname;
     const pkg = JSON.parse(readFileSync20(pkgPath, "utf-8"));
@@ -70418,6 +70513,18 @@ async function runWatch(args) {
   process.on("SIGTERM", shutdown);
 }
 async function runGui(args) {
+  const port = args.port;
+  if (!process.env.LATTICE_GUI_SUPERVISED) {
+    const running = await probeRunningGui(port);
+    if (running) {
+      const url = `http://127.0.0.1:${String(port)}/`;
+      console.log(
+        `Lattice is already running at ${url}${running.version ? ` (v${running.version})` : ""} \u2014 opening it.`
+      );
+      if (!args.noOpen) openUrl(url);
+      return;
+    }
+  }
   if (!process.env.LATTICE_GUI_SUPERVISED && detectInstallContext().installable) {
     try {
       await superviseGui({
@@ -70445,7 +70552,7 @@ async function runGui(args) {
       configPath: boot.configPath,
       outputDir: boot.contextDir,
       latticeRoot: boot.root,
-      port: args.port,
+      port,
       openBrowser: !args.noOpen,
       autoRender: true,
       version: getVersion(),

package/dist/index.cjs

@@ -50606,6 +50606,21 @@ var init_registry = __esm({
           ["table", "values"]
         )
       },
+      {
+        name: "create_secret",
+        description: "Store a secret/credential \u2014 an API key, password, OAuth token, connection string, etc. \u2014 by name in the encrypted secrets store. Use this whenever the user gives you a credential to save or asks you to remember/store a secret. WRITE-ONLY: you can save a secret but you can NEVER read, list, echo, or retrieve existing secret values \u2014 they are hidden from you. The value is encrypted at rest.",
+        mutates: true,
+        category: "row",
+        args: obj(
+          {
+            name: str('A short label for the secret, e.g. "GitHub password" or "OpenAI API key".'),
+            value: str("The secret value to store."),
+            kind: str('Optional kind, e.g. "password", "api_key", "token", "connection_string".'),
+            description: str("Optional note about what the secret is for.")
+          },
+          ["name", "value"]
+        )
+      },
       {
         name: "create_artifact",
         description: "Create a markdown document and save it as a file artifact. Use this whenever the user asks you to create, write, draft, or make a document, note, write-up, summary, report, or file \u2014 you author the content as GitHub-flavored markdown and it is saved in the files entity as a markdown artifact, then opened in the viewer for them. Prefer this over create_row on files for any document the user wants to keep. It follows the same sharing rules as any file (private mode \u2192 private).",
@@ -53028,6 +53043,21 @@ async function executeFunction(ctx, name, args) {
         );
         return { ok: true, result: { id } };
       }
+      case "create_secret": {
+        const secretName = requireString(args.name, "name");
+        const secretValue2 = requireString(args.value, "value");
+        const kind = typeof args.kind === "string" && args.kind ? args.kind : null;
+        const description = typeof args.description === "string" && args.description ? args.description : null;
+        const id = (0, import_node_crypto18.randomUUID)();
+        await ctx.db.insert("secrets", {
+          id,
+          name: secretName,
+          value: secretValue2,
+          kind,
+          description
+        });
+        return { ok: true, result: { id, name: secretName } };
+      }
       case "create_artifact": {
         const table = requireTable("files", ctx.validTables);
         const title = requireString(args.title, "title");
@@ -53331,10 +53361,11 @@ async function executeFunction(ctx, name, args) {
     return { ok: false, error: e6.message };
   }
 }
-var DISPATCHABLE, ASSISTANT_HIDDEN_TABLES, SECRET_MASK, BULK_FILTER_OPS;
+var import_node_crypto18, DISPATCHABLE, ASSISTANT_HIDDEN_TABLES, SECRET_MASK, BULK_FILTER_OPS;
 var init_dispatch = __esm({
   "src/gui/ai/dispatch.ts"() {
     "use strict";
+    import_node_crypto18 = require("crypto");
     init_registry();
     init_lattice_docs();
     init_fts();
@@ -53358,6 +53389,7 @@ var init_dispatch = __esm({
       "get_history",
       "create_row",
       "create_artifact",
+      "create_secret",
       "ingest_url",
       "set_definition",
       "set_visibility",
@@ -57927,9 +57959,41 @@ var appJs = `
     }
     function reloadForUpdate(label) {
       if (reloadingForUpdate) return;
+      // Guard against an infinite reload loop. Reloading when the server version
+      // changes is the seamless-update trigger \u2014 but if the version the page was
+      // SERVED with keeps disagreeing with /api/version (e.g. a stale or duplicate
+      // server is holding the port and reporting a different version), every fresh
+      // page would reload again. That unbounded loop pegs memory and crashes the
+      // browser. Cap reloads to MAX within WINDOW; past that, stop and surface the
+      // mismatch instead of spinning. A genuine update reloads once and then the
+      // versions agree, which clears the counter (see checkServerVersion).
+      var KEY = 'lattice:updateReloads',
+        MAX = 3,
+        WINDOW = 60000,
+        now = Date.now(),
+        recent = [];
+      try {
+        recent = (JSON.parse(sessionStorage.getItem(KEY) || '[]') || []).filter(function (t) {
+          return now - t < WINDOW;
+        });
+      } catch (_) {
+        /* sessionStorage blocked \u2014 degrade to a single best-effort reload below */
+      }
+      if (recent.length >= MAX) {
+        showUpdatePill('Version mismatch \u2014 stopped auto-reloading. Reload manually if needed.');
+        return;
+      }
+      recent.push(now);
+      try {
+        sessionStorage.setItem(KEY, JSON.stringify(recent));
+      } catch (_) {
+        /* best-effort */
+      }
       reloadingForUpdate = true;
       showUpdatePill(label || 'Updated \u2014 reloading\u2026');
-      setTimeout(function () { location.reload(); }, 600);
+      setTimeout(function () {
+        location.reload();
+      }, 600);
     }
     // Manual upgrade fallback: show an "Update available \u2014 Upgrade" link next to
     // the version chip only when the server reports a newer, installable version.
@@ -57961,7 +58025,16 @@ var appJs = `
           var v = d && d.version ? String(d.version).replace(/^v/, '').trim() : '';
           if (!v) return;
           if (v !== BOOT_VERSION) reloadForUpdate('Updated to v' + v + ' \u2014 reloading\u2026');
-          else hideUpdatePill();
+          else {
+            hideUpdatePill();
+            // Versions agree \u2014 clear the reload-loop guard so a later genuine
+            // update can reload again from a clean slate.
+            try {
+              sessionStorage.removeItem('lattice:updateReloads');
+            } catch (_) {
+              /* best-effort */
+            }
+          }
         })
         .catch(function () { /* offline / mid-restart \u2014 the next reconnect retries */ });
       // Refresh the manual-upgrade link alongside the reconnect version check.
@@ -66322,11 +66395,11 @@ var import_yaml6 = require("yaml");
 init_lattice();
 init_user_config();
 init_cloud_connect();
-var import_node_crypto19 = require("crypto");
+var import_node_crypto20 = require("crypto");
 init_members();
 
 // src/cloud/invite.ts
-var import_node_crypto18 = require("crypto");
+var import_node_crypto19 = require("crypto");
 var VERSION = 1;
 var SALT_LEN = 16;
 var SECRET_LEN = 32;
@@ -66344,15 +66417,15 @@ function poolerAwareUser(host, role, ownerUser) {
   return ref ? `${role}.${ref}` : role;
 }
 function deriveKey2(tokenSecret, email, salt) {
-  const emailSalt = Buffer.from((0, import_node_crypto18.scryptSync)(normalizeEmail(email), salt, KEY_LEN));
-  return Buffer.from((0, import_node_crypto18.hkdfSync)("sha256", tokenSecret, emailSalt, HKDF_INFO, KEY_LEN));
+  const emailSalt = Buffer.from((0, import_node_crypto19.scryptSync)(normalizeEmail(email), salt, KEY_LEN));
+  return Buffer.from((0, import_node_crypto19.hkdfSync)("sha256", tokenSecret, emailSalt, HKDF_INFO, KEY_LEN));
 }
 function mintInviteToken(input) {
   const email = normalizeEmail(input.email);
   if (!email) throw new Error("lattice: an invite must be bound to an email");
-  const salt = (0, import_node_crypto18.randomBytes)(SALT_LEN);
-  const tokenSecret = (0, import_node_crypto18.randomBytes)(SECRET_LEN);
-  const nonce = (0, import_node_crypto18.randomBytes)(NONCE_LEN);
+  const salt = (0, import_node_crypto19.randomBytes)(SALT_LEN);
+  const tokenSecret = (0, import_node_crypto19.randomBytes)(SECRET_LEN);
+  const nonce = (0, import_node_crypto19.randomBytes)(NONCE_LEN);
   const key = deriveKey2(tokenSecret, email, salt);
   const payload = {
     v: 1,
@@ -66366,7 +66439,7 @@ function mintInviteToken(input) {
     expires_at: input.expiresAt.toISOString(),
     ...input.workspaceName?.trim() ? { workspace_name: input.workspaceName.trim() } : {}
   };
-  const cipher = (0, import_node_crypto18.createCipheriv)("aes-256-gcm", key, nonce);
+  const cipher = (0, import_node_crypto19.createCipheriv)("aes-256-gcm", key, nonce);
   cipher.setAAD(Buffer.from(email, "utf8"));
   const ct = Buffer.concat([cipher.update(JSON.stringify(payload), "utf8"), cipher.final()]);
   const tag = cipher.getAuthTag();
@@ -66389,7 +66462,7 @@ function redeemInviteToken(email, token) {
   const tag = raw.subarray(raw.length - TAG_LEN2);
   const ct = raw.subarray(off, raw.length - TAG_LEN2);
   const key = deriveKey2(tokenSecret, normEmail, salt);
-  const decipher = (0, import_node_crypto18.createDecipheriv)("aes-256-gcm", key, nonce);
+  const decipher = (0, import_node_crypto19.createDecipheriv)("aes-256-gcm", key, nonce);
   decipher.setAAD(Buffer.from(normEmail, "utf8"));
   decipher.setAuthTag(tag);
   let plaintext;
@@ -66417,7 +66490,7 @@ function redeemInviteToken(email, token) {
 init_markdown();
 init_rls();
 init_adapter();
-var import_node_crypto20 = require("crypto");
+var import_node_crypto21 = require("crypto");
 init_parser();
 init_lattice_root();
 init_workspace();
@@ -66502,7 +66575,7 @@ function parseAndValidateLogo(dataUri) {
       error: `logo must be square (got ${String(dims.width)}\xD7${String(dims.height)})`
     };
   }
-  return { ok: true, mime, bytes, etag: (0, import_node_crypto19.createHash)("sha256").update(bytes).digest("hex") };
+  return { ok: true, mime, bytes, etag: (0, import_node_crypto20.createHash)("sha256").update(bytes).digest("hex") };
 }
 function updateActiveWorkspaceToCloud(configPath, displayName, key) {
   const root6 = findLatticeRoot((0, import_node_path36.dirname)(configPath));
@@ -67012,7 +67085,7 @@ async function dispatchDbConfigRoute(req, res, ctx) {
         `INSERT INTO "__lattice_member_invites" ("id","role","email_hash","email","expires_at")
            VALUES (?, ?, ?, ?, ?)`,
         [
-          (0, import_node_crypto20.randomUUID)(),
+          (0, import_node_crypto21.randomUUID)(),
           role,
           emailHash,
           // Plaintext email stored ONLY in this owner-only table so the owner's
@@ -67838,7 +67911,7 @@ var import_node_os9 = require("os");
 var import_node_path37 = require("path");
 init_mutations();
 init_extract();
-var import_node_crypto21 = require("crypto");
+var import_node_crypto22 = require("crypto");
 init_assistant_routes();
 init_enrich();
 init_ingest_url();
@@ -68079,7 +68152,7 @@ async function dispatchIngestRoute(req, res, ctx) {
     let s3Status = null;
     const s3cfg = resolveActiveS3Config(ctx.configPath);
     if (s3cfg) {
-      const sha256 = blob?.sha256 ?? (0, import_node_crypto21.createHash)("sha256").update(buf).digest("hex");
+      const sha256 = blob?.sha256 ?? (0, import_node_crypto22.createHash)("sha256").update(buf).digest("hex");
       const key = s3Key(s3cfg.prefix, sha256);
       try {
         const store = await createS3Store(s3cfg);
@@ -68111,7 +68184,7 @@ async function dispatchIngestRoute(req, res, ctx) {
         realPath = rawFilePath;
       }
     }
-    const fileSha = blob?.sha256 ?? s3Ref?.sha256 ?? (0, import_node_crypto21.createHash)("sha256").update(buf).digest("hex");
+    const fileSha = blob?.sha256 ?? s3Ref?.sha256 ?? (0, import_node_crypto22.createHash)("sha256").update(buf).digest("hex");
     const uploadRow = {
       id: fileId,
       ...fileIdentity(name2, fileId),
@@ -71200,7 +71273,7 @@ ${e6.stack ?? ""}`
 // src/cloud/file-source-key-store.ts
 var import_node_fs36 = require("fs");
 var import_node_path39 = require("path");
-var import_node_crypto22 = require("crypto");
+var import_node_crypto23 = require("crypto");
 var ENC_HEADER = "LATTICE-KMS-v1\n";
 var SCRYPT_N = 1 << 15;
 var SCRYPT_R = 8;
@@ -71227,7 +71300,7 @@ var FileSourceKeyStore = class {
   getOrCreate(sourceId) {
     let key = this.cache.get(sourceId);
     if (!key) {
-      key = (0, import_node_crypto22.randomBytes)(KEY_LEN2);
+      key = (0, import_node_crypto23.randomBytes)(KEY_LEN2);
       this.cache.set(sourceId, key);
       this.persist();
     }
@@ -71271,7 +71344,7 @@ var FileSourceKeyStore = class {
     const obj2 = {};
     for (const [k6, v2] of this.cache) obj2[k6] = v2.toString("base64");
     const encoded = this.encodeFile(obj2);
-    const tmpPath = `${this.path}.tmp-${process.pid.toString()}-${(0, import_node_crypto22.randomBytes)(4).toString("hex")}`;
+    const tmpPath = `${this.path}.tmp-${process.pid.toString()}-${(0, import_node_crypto23.randomBytes)(4).toString("hex")}`;
     (0, import_node_fs36.writeFileSync)(tmpPath, encoded, { mode: 384 });
     try {
       (0, import_node_fs36.chmodSync)(tmpPath, 384);
@@ -71314,14 +71387,14 @@ var FileSourceKeyStore = class {
     if (passphrase === void 0) {
       throw new Error("lattice: key file is encrypted but no passphrase was configured");
     }
-    const derived = (0, import_node_crypto22.scryptSync)(passphrase, salt, KEY_LEN2, {
+    const derived = (0, import_node_crypto23.scryptSync)(passphrase, salt, KEY_LEN2, {
       N: SCRYPT_N,
       r: SCRYPT_R,
       p: SCRYPT_P,
       maxmem: 64 * 1024 * 1024
       // raise Node's default 32MB cap so N=2^15 fits
     });
-    const decipher = (0, import_node_crypto22.createDecipheriv)("aes-256-gcm", derived, iv);
+    const decipher = (0, import_node_crypto23.createDecipheriv)("aes-256-gcm", derived, iv);
     decipher.setAuthTag(tag);
     let plaintext;
     try {
@@ -71336,15 +71409,15 @@ var FileSourceKeyStore = class {
     if (!this.passphrase) {
       return Buffer.from(json, "utf8");
     }
-    const salt = (0, import_node_crypto22.randomBytes)(SALT_LEN2);
-    const iv = (0, import_node_crypto22.randomBytes)(IV_LEN2);
-    const derived = (0, import_node_crypto22.scryptSync)(this.passphrase, salt, KEY_LEN2, {
+    const salt = (0, import_node_crypto23.randomBytes)(SALT_LEN2);
+    const iv = (0, import_node_crypto23.randomBytes)(IV_LEN2);
+    const derived = (0, import_node_crypto23.scryptSync)(this.passphrase, salt, KEY_LEN2, {
       N: SCRYPT_N,
       r: SCRYPT_R,
       p: SCRYPT_P,
       maxmem: 64 * 1024 * 1024
     });
-    const cipher = (0, import_node_crypto22.createCipheriv)("aes-256-gcm", derived, iv);
+    const cipher = (0, import_node_crypto23.createCipheriv)("aes-256-gcm", derived, iv);
     const ct = Buffer.concat([cipher.update(json, "utf8"), cipher.final()]);
     const tag = cipher.getAuthTag();
     const body = `${salt.toString("hex")}:${iv.toString("hex")}:${Buffer.concat([ct, tag]).toString("hex")}`;

package/dist/index.js

@@ -50597,6 +50597,21 @@ var init_registry = __esm({
           ["table", "values"]
         )
       },
+      {
+        name: "create_secret",
+        description: "Store a secret/credential \u2014 an API key, password, OAuth token, connection string, etc. \u2014 by name in the encrypted secrets store. Use this whenever the user gives you a credential to save or asks you to remember/store a secret. WRITE-ONLY: you can save a secret but you can NEVER read, list, echo, or retrieve existing secret values \u2014 they are hidden from you. The value is encrypted at rest.",
+        mutates: true,
+        category: "row",
+        args: obj(
+          {
+            name: str('A short label for the secret, e.g. "GitHub password" or "OpenAI API key".'),
+            value: str("The secret value to store."),
+            kind: str('Optional kind, e.g. "password", "api_key", "token", "connection_string".'),
+            description: str("Optional note about what the secret is for.")
+          },
+          ["name", "value"]
+        )
+      },
       {
         name: "create_artifact",
         description: "Create a markdown document and save it as a file artifact. Use this whenever the user asks you to create, write, draft, or make a document, note, write-up, summary, report, or file \u2014 you author the content as GitHub-flavored markdown and it is saved in the files entity as a markdown artifact, then opened in the viewer for them. Prefer this over create_row on files for any document the user wants to keep. It follows the same sharing rules as any file (private mode \u2192 private).",
@@ -52803,6 +52818,7 @@ var init_ingest_url = __esm({
 });
 
 // src/gui/ai/dispatch.ts
+import { randomUUID } from "crypto";
 function visibilityDenialReason(opts) {
   if (opts.kind === "table") {
     return opts.canManageTableDefault ? null : "Only the workspace owner can change a table's default sharing.";
@@ -53018,6 +53034,21 @@ async function executeFunction(ctx, name, args) {
         );
         return { ok: true, result: { id } };
       }
+      case "create_secret": {
+        const secretName = requireString(args.name, "name");
+        const secretValue2 = requireString(args.value, "value");
+        const kind = typeof args.kind === "string" && args.kind ? args.kind : null;
+        const description = typeof args.description === "string" && args.description ? args.description : null;
+        const id = randomUUID();
+        await ctx.db.insert("secrets", {
+          id,
+          name: secretName,
+          value: secretValue2,
+          kind,
+          description
+        });
+        return { ok: true, result: { id, name: secretName } };
+      }
       case "create_artifact": {
         const table = requireTable("files", ctx.validTables);
         const title = requireString(args.title, "title");
@@ -53348,6 +53379,7 @@ var init_dispatch = __esm({
       "get_history",
       "create_row",
       "create_artifact",
+      "create_secret",
       "ingest_url",
       "set_definition",
       "set_visibility",
@@ -57752,9 +57784,41 @@ var appJs = `
     }
     function reloadForUpdate(label) {
       if (reloadingForUpdate) return;
+      // Guard against an infinite reload loop. Reloading when the server version
+      // changes is the seamless-update trigger \u2014 but if the version the page was
+      // SERVED with keeps disagreeing with /api/version (e.g. a stale or duplicate
+      // server is holding the port and reporting a different version), every fresh
+      // page would reload again. That unbounded loop pegs memory and crashes the
+      // browser. Cap reloads to MAX within WINDOW; past that, stop and surface the
+      // mismatch instead of spinning. A genuine update reloads once and then the
+      // versions agree, which clears the counter (see checkServerVersion).
+      var KEY = 'lattice:updateReloads',
+        MAX = 3,
+        WINDOW = 60000,
+        now = Date.now(),
+        recent = [];
+      try {
+        recent = (JSON.parse(sessionStorage.getItem(KEY) || '[]') || []).filter(function (t) {
+          return now - t < WINDOW;
+        });
+      } catch (_) {
+        /* sessionStorage blocked \u2014 degrade to a single best-effort reload below */
+      }
+      if (recent.length >= MAX) {
+        showUpdatePill('Version mismatch \u2014 stopped auto-reloading. Reload manually if needed.');
+        return;
+      }
+      recent.push(now);
+      try {
+        sessionStorage.setItem(KEY, JSON.stringify(recent));
+      } catch (_) {
+        /* best-effort */
+      }
       reloadingForUpdate = true;
       showUpdatePill(label || 'Updated \u2014 reloading\u2026');
-      setTimeout(function () { location.reload(); }, 600);
+      setTimeout(function () {
+        location.reload();
+      }, 600);
     }
     // Manual upgrade fallback: show an "Update available \u2014 Upgrade" link next to
     // the version chip only when the server reports a newer, installable version.
@@ -57786,7 +57850,16 @@ var appJs = `
           var v = d && d.version ? String(d.version).replace(/^v/, '').trim() : '';
           if (!v) return;
           if (v !== BOOT_VERSION) reloadForUpdate('Updated to v' + v + ' \u2014 reloading\u2026');
-          else hideUpdatePill();
+          else {
+            hideUpdatePill();
+            // Versions agree \u2014 clear the reload-loop guard so a later genuine
+            // update can reload again from a clean slate.
+            try {
+              sessionStorage.removeItem('lattice:updateReloads');
+            } catch (_) {
+              /* best-effort */
+            }
+          }
         })
         .catch(function () { /* offline / mid-restart \u2014 the next reconnect retries */ });
       // Refresh the manual-upgrade link alongside the reconnect version check.
@@ -66241,7 +66314,7 @@ function redeemInviteToken(email, token) {
 init_markdown();
 init_rls();
 init_adapter();
-import { randomUUID } from "crypto";
+import { randomUUID as randomUUID2 } from "crypto";
 init_parser();
 init_lattice_root();
 init_workspace();
@@ -66836,7 +66909,7 @@ async function dispatchDbConfigRoute(req, res, ctx) {
         `INSERT INTO "__lattice_member_invites" ("id","role","email_hash","email","expires_at")
            VALUES (?, ?, ?, ?, ?)`,
         [
-          randomUUID(),
+          randomUUID2(),
           role,
           emailHash,
           // Plaintext email stored ONLY in this owner-only table so the owner's

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "latticesql",
-  "version": "3.4.5",
+  "version": "3.4.7",
   "description": "Persistent structured memory for AI agent systems — pluggable SQLite or Postgres backend, LLM context bridge",
   "type": "module",
   "main": "./dist/index.js",