@hotmeshio/hotmesh 0.12.1 → 0.14.0

package/build/types/dba.d.ts

@@ -37,15 +37,47 @@ export interface PruneOptions {
     jobs?: boolean;
     /**
      * If true, hard-deletes expired stream messages older than the
-     * retention window.
+     * retention window from both `engine_streams` and `worker_streams`.
+     * Use `engineStreams` / `workerStreams` for independent control.
      * @default true
      */
     streams?: boolean;
+    /**
+     * Override for `engine_streams` cleanup. When set, takes precedence
+     * over `streams` for the engine table. Engine streams contain internal
+     * routing messages and can be pruned aggressively.
+     * @default undefined (falls back to `streams`)
+     */
+    engineStreams?: boolean;
+    /**
+     * Override for `worker_streams` cleanup. When set, takes precedence
+     * over `streams` for the worker table. Worker streams contain workflow
+     * input arguments and activity payloads needed by the exporter — use
+     * a longer retention to preserve export fidelity.
+     * @default undefined (falls back to `streams`)
+     */
+    workerStreams?: boolean;
+    /**
+     * Retention override for `engine_streams`. When set, uses this interval
+     * instead of the global `expire` for engine stream cleanup.
+     * @default undefined (falls back to `expire`)
+     *
+     * @example '24 hours'
+     */
+    engineStreamsExpire?: string;
+    /**
+     * Retention override for `worker_streams`. When set, uses this interval
+     * instead of the global `expire` for worker stream cleanup.
+     * @default undefined (falls back to `expire`)
+     *
+     * @example '90 days'
+     */
+    workerStreamsExpire?: string;
     /**
      * If true, strips execution-artifact attributes from completed,
      * un-pruned jobs. Preserves `jdata` (return data), `udata`
      * (searchable data), and `jmark` (timeline/event history for
-     * Temporal-compatible export). See `keepHmark` for `hmark`.
+     * workflow execution export). See `keepHmark` for `hmark`.
      * @default false
      */
     attributes?: boolean;
@@ -79,8 +111,12 @@ export interface PruneOptions {
 export interface PruneResult {
     /** Number of expired job rows hard-deleted */
     jobs: number;
-    /** Number of expired stream message rows hard-deleted */
+    /** Number of expired stream message rows hard-deleted (engine + worker) */
     streams: number;
+    /** Number of expired engine_streams rows hard-deleted */
+    engineStreams: number;
+    /** Number of expired worker_streams rows hard-deleted */
+    workerStreams: number;
     /** Number of execution-artifact attribute rows stripped from completed jobs */
     attributes: number;
     /** Number of transient (entity IS NULL) job rows hard-deleted */

package/build/types/durable.d.ts

@@ -9,12 +9,18 @@ import { StreamData, StreamError } from './stream';
 type WorkflowConfig = {
     /**
      * Backoff coefficient for retry mechanism.
-     * @default 10 (HMSH_DURABLE_EXP_BACKOFF)
+     * @default 5 (HMSH_DURABLE_EXP_BACKOFF)
      */
     backoffCoefficient?: number;
+    /**
+     * Initial interval before the first retry attempt.
+     * Formula: initialInterval * backoffCoefficient^retryCount, clamped by maximumInterval.
+     * @default '1s' (HMSH_DURABLE_INITIAL_INTERVAL)
+     */
+    initialInterval?: string;
     /**
      * Maximum number of attempts for retries.
-     * @default 5 (HMSH_DURABLE_MAX_ATTEMPTS)
+     * @default 50 (HMSH_DURABLE_MAX_ATTEMPTS)
      */
     maximumAttempts?: number;
     /**
@@ -104,6 +110,23 @@ type WorkflowContext = {
      */
     expire?: number;
 };
+/**
+ * Context available inside an executing activity function via
+ * `Durable.activity.getContext()`. Populated by the activity worker
+ * using `activityAsyncLocalStorage`.
+ */
+type DurableActivityContext = {
+    /** The name of the activity function being executed */
+    activityName: string;
+    /** The arguments passed to the activity */
+    arguments: any[];
+    /** Optional metadata provided via `proxyActivities({ headers })` */
+    headers: Record<string, any>;
+    /** The workflow ID of the parent workflow that dispatched this activity */
+    workflowId: string;
+    /** The workflow topic of the parent workflow */
+    workflowTopic: string;
+};
 /**
  * The schema for the full-text-search
  * @deprecated
@@ -354,6 +377,8 @@ type SignalOptions = {
 type ActivityWorkflowDataType = {
     activityName: string;
     arguments: any[];
+    headers?: Record<string, any>;
+    startToCloseTimeout?: number;
     workflowId: string;
     workflowTopic: string;
 };
@@ -365,6 +390,7 @@ type WorkflowDataType = {
     originJobId?: string;
     canRetry?: boolean;
     expire?: number;
+    continueGeneration?: number;
 };
 type Connection = ProviderConfig | ProvidersConfig;
 type ClientConfig = {
@@ -385,6 +411,14 @@ type WorkerConfig = {
     taskQueue: string;
     /** Target function or a record type with a name (string) and reference function */
     workflow: Function | Record<string | symbol, Function>;
+    /**
+     * Optional activity functions to register with this worker's task queue.
+     * When provided, these activities are registered and served on `{taskQueue}-activity`.
+     * Workflows can then call them via `proxyActivities()` without passing activities inline.
+     *
+     * Workflows can then call them via `proxyActivities()` without passing activities inline.
+     */
+    activities?: Record<string, Function>;
     /** Additional options for configuring the worker */
     options?: WorkerOptions;
     /** Search options for workflow execution details */
@@ -395,6 +429,19 @@ type WorkerConfig = {
      * when identifying the point of presence within the mesh.
      */
     guid?: string;
+    /**
+     * Scoped Postgres credentials for database-level worker isolation.
+     * When provided, the worker connects as a restricted Postgres role
+     * that can only dequeue/ack/respond on its allowed stream names
+     * via SECURITY DEFINER stored procedures.
+     *
+     * Provision credentials via `HotMesh.provisionWorkerRole()` (or
+     * the convenience alias `Durable.provisionWorkerRole()`).
+     */
+    workerCredentials?: {
+        user: string;
+        password: string;
+    };
 };
 type FindWhereQuery = {
     field: string;
@@ -437,10 +484,12 @@ type FindJobsOptions = {
 type WorkerOptions = {
     /** Log level: debug, info, warn, error */
     logLevel?: LogLevel;
-    /** Maximum number of attempts, default 5 (HMSH_DURABLE_MAX_ATTEMPTS) */
+    /** Maximum number of attempts, default 50 (HMSH_DURABLE_MAX_ATTEMPTS) */
     maximumAttempts?: number;
     /** Backoff coefficient for retry logic, default 10 (HMSH_DURABLE_EXP_BACKOFF) */
     backoffCoefficient?: number;
+    /** Initial interval before the first retry, default '1s' (HMSH_DURABLE_INITIAL_INTERVAL) */
+    initialInterval?: string;
     /** Maximum interval between retries, default 120s (HMSH_DURABLE_MAX_INTERVAL) */
     maximumInterval?: string;
 };
@@ -458,7 +507,7 @@ type ProxyType<ACT> = {
 type ActivityConfig = {
     /** place holder setting; unused at this time (re: activity workflow expire configuration) */
     expire?: number;
-    /** Start to close timeout for the activity; not yet implemented */
+    /** Maximum time an activity can run after starting execution. If exceeded, the activity fails with a timeout error. Accepts duration strings (e.g., '30s', '5m', '1h'). */
     startToCloseTimeout?: string;
     /** Configuration for specific activities, type not yet specified */
     activities?: any;
@@ -481,7 +530,7 @@ type ActivityConfig = {
      * // Default: uses workflow's task queue (backward compatible)
      * const activities = Durable.workflow.proxyActivities<typeof activities>({
      *   activities,
-     *   retryPolicy: { maximumAttempts: 3 }
+     *   retry: { maximumAttempts: 3 }
      * });
      * // If workflow taskQueue is "orders", uses "orders-activity"
      *
@@ -489,18 +538,24 @@ type ActivityConfig = {
      * const { auditLog } = Durable.workflow.proxyActivities<typeof activities>({
      *   activities: { auditLog },
      *   taskQueue: 'shared-activities', // Uses "shared-activities-activity"
-     *   retryPolicy: { maximumAttempts: 3 }
+     *   retry: { maximumAttempts: 3 }
      * });
      * ```
      */
     taskQueue?: string;
+    /** Optional metadata to pass alongside activity arguments. This metadata
+     *  is transported as a dedicated schema field (not inside args) and made
+     *  available to the activity function via `Durable.activity.getContext()`. */
+    headers?: Record<string, any>;
     /** Retry policy configuration for activities */
-    retryPolicy?: {
-        /** Maximum number of retry attempts, default is 5 (HMSH_DURABLE_MAX_ATTEMPTS) */
+    retry?: {
+        /** Maximum number of retry attempts, default is 50 (HMSH_DURABLE_MAX_ATTEMPTS) */
         maximumAttempts?: number;
-        /** Factor by which the retry timeout increases, default is 10 (HMSH_DURABLE_MAX_INTERVAL) */
+        /** Factor by which the retry timeout increases, default is 10 (HMSH_DURABLE_EXP_BACKOFF) */
         backoffCoefficient?: number;
-        /** Maximum interval between retries, default is '120s' (HMSH_DURABLE_EXP_BACKOFF) */
+        /** Initial interval before the first retry. Formula: initialInterval * backoffCoefficient^retryCount, clamped by maximumInterval. Default is '1s' */
+        initialInterval?: string;
+        /** Maximum interval between retries, default is '120s' (HMSH_DURABLE_MAX_INTERVAL) */
         maximumInterval?: string;
         /** Whether to throw an error on failure, default is true */
         throwOnError?: boolean;
@@ -547,7 +602,7 @@ interface ClientWorkflow {
  * @example
  * ```typescript
  * // Simple logging interceptor
- * const loggingInterceptor: WorkflowInterceptor = {
+ * const loggingInterceptor: WorkflowInboundCallsInterceptor = {
  *   async execute(ctx, next) {
  *     console.log('Before workflow');
  *     try {
@@ -565,7 +620,7 @@ interface ClientWorkflow {
  * Durable.registerInterceptor(loggingInterceptor);
  * ```
  */
-export interface WorkflowInterceptor {
+export interface WorkflowInboundCallsInterceptor {
     /**
      * Called before workflow execution to wrap the workflow in custom logic
      *
@@ -606,27 +661,32 @@ export interface WorkflowInterceptor {
  */
 export interface InterceptorRegistry {
     /**
-     * Array of registered workflow interceptors that will wrap workflow execution
+     * Array of registered inbound interceptors that will wrap workflow execution
      * in the order they were registered (first registered = outermost wrapper).
      */
-    interceptors: WorkflowInterceptor[];
+    inbound: WorkflowInboundCallsInterceptor[];
     /**
-     * Array of registered activity interceptors that will wrap individual
+     * Array of registered outbound interceptors that will wrap individual
      * proxied activity calls in the order they were registered
      * (first registered = outermost wrapper).
      */
-    activityInterceptors: ActivityInterceptor[];
+    outbound: WorkflowOutboundCallsInterceptor[];
+    /**
+     * Array of registered activity inbound interceptors that wrap the actual
+     * activity function execution on the activity worker side.
+     */
+    activityInbound: ActivityInboundCallsInterceptor[];
 }
 /**
  * Context provided to an activity interceptor, containing metadata
  * about the proxied activity being invoked.
  */
-export interface ActivityInterceptorContext {
+export interface WorkflowOutboundCallsInterceptorContext {
     /** The name of the activity function being called */
     activityName: string;
     /** The arguments passed to the activity call */
     args: any[];
-    /** The activity configuration (retryPolicy, taskQueue, etc.) */
+    /** The activity configuration (retry, taskQueue, etc.) */
     options?: ActivityConfig;
 }
 /**
@@ -653,13 +713,13 @@ export interface ActivityInterceptorContext {
  *
  * @example
  * ```typescript
- * const auditInterceptor: ActivityInterceptor = {
+ * const auditInterceptor: WorkflowOutboundCallsInterceptor = {
  *   async execute(activityCtx, workflowCtx, next) {
  *     const { auditLog } = Durable.workflow.proxyActivities<{
  *       auditLog: (id: string, action: string) => Promise<void>;
  *     }>({
  *       taskQueue: 'shared-audit',
- *       retryPolicy: { maximumAttempts: 3 },
+ *       retry: { maximumAttempts: 3 },
  *     });
  *
  *     await auditLog(workflowCtx.get('workflowId'), `before:${activityCtx.activityName}`);
@@ -669,20 +729,58 @@ export interface ActivityInterceptorContext {
  *   },
  * };
  *
- * Durable.registerActivityInterceptor(auditInterceptor);
+ * Durable.registerWorkflowOutboundCallsInterceptor(auditInterceptor);
  * ```
  */
-export interface ActivityInterceptor {
+export interface WorkflowOutboundCallsInterceptor {
     /**
      * Called around each proxied activity invocation. Code before `next()`
      * runs in the before phase; code after `next()` runs in the after phase
      * once the activity result is available on replay.
      *
      * @param activityCtx - Metadata about the activity being called (args may be modified)
-     * @param workflowCtx - The workflow context map (same as WorkflowInterceptor receives)
+     * @param workflowCtx - The workflow context map (same as WorkflowInboundCallsInterceptor receives)
      * @param next - Call to proceed to the next interceptor or the core activity function
      * @returns The activity result (from replay or after interruption/re-execution)
      */
-    execute(activityCtx: ActivityInterceptorContext, workflowCtx: Map<string, any>, next: () => Promise<any>): Promise<any>;
+    execute(activityCtx: WorkflowOutboundCallsInterceptorContext, workflowCtx: Map<string, any>, next: () => Promise<any>): Promise<any>;
+}
+/**
+ * Interceptor for activity function execution on the activity worker side.
+ * Runs inside the activity's `activityAsyncLocalStorage` context, wrapping
+ * the actual activity function invocation — not the proxy call in the workflow.
+ *
+ * Unlike workflow-side interceptors, this runs where the activity actually executes.
+ * Use it for cross-cutting concerns like logging, metrics, auth validation,
+ * or error enrichment at the point where the activity actually executes.
+ *
+ * @example
+ * ```typescript
+ * Durable.registerActivityInboundInterceptor({
+ *   async execute(activityName, args, next) {
+ *     console.log(`Activity ${activityName} starting with`, args);
+ *     const start = Date.now();
+ *     try {
+ *       const result = await next();
+ *       console.log(`Activity ${activityName} completed in ${Date.now() - start}ms`);
+ *       return result;
+ *     } catch (err) {
+ *       console.error(`Activity ${activityName} failed`, err);
+ *       throw err;
+ *     }
+ *   }
+ * });
+ * ```
+ */
+export interface ActivityInboundCallsInterceptor {
+    /**
+     * Called around the actual activity function execution on the worker.
+     *
+     * @param activityName - The name of the activity being executed
+     * @param args - The arguments passed to the activity
+     * @param next - Call to execute the next interceptor or the activity itself
+     * @returns The activity function's return value
+     */
+    execute(activityName: string, args: any[], next: () => Promise<any>): Promise<any>;
 }
-export { ActivityConfig, ActivityWorkflowDataType, ChildResponseType, ClientConfig, ClientWorkflow, ContextType, Connection, FunctionSignature, ProxyResponseType, ProxyType, Registry, SignalOptions, FindJobsOptions, FindOptions, FindWhereOptions, FindWhereQuery, HookOptions, SearchResults, WorkerConfig, WorkflowConfig, WorkerOptions, WorkflowSearchOptions, WorkflowDataType, WorkflowOptions, WorkflowContext, };
+export { ActivityConfig, DurableActivityContext, ActivityWorkflowDataType, ChildResponseType, ClientConfig, ClientWorkflow, ContextType, Connection, FunctionSignature, ProxyResponseType, ProxyType, Registry, SignalOptions, FindJobsOptions, FindOptions, FindWhereOptions, FindWhereQuery, HookOptions, SearchResults, WorkerConfig, WorkflowConfig, WorkerOptions, WorkflowSearchOptions, WorkflowDataType, WorkflowOptions, WorkflowContext, };

package/build/types/error.d.ts

@@ -2,6 +2,7 @@ export type DurableChildErrorType = {
     arguments: string[];
     await?: boolean;
     backoffCoefficient?: number;
+    initialInterval?: number;
     index: number;
     expire?: number;
     persistent?: boolean;
@@ -29,10 +30,13 @@ export type DurableWaitForAllErrorType = {
 };
 export type DurableProxyErrorType = {
     arguments: string[];
+    headers?: Record<string, any>;
     activityName: string;
     backoffCoefficient?: number;
+    initialInterval?: number;
     index: number;
     expire?: number;
+    startToCloseTimeout?: number;
     maximumAttempts?: number;
     maximumInterval?: number;
     originJobId: string | null;
@@ -53,3 +57,9 @@ export type DurableSleepErrorType = {
     workflowDimension: string;
     workflowId: string;
 };
+export type DurableContinueAsNewErrorType = {
+    arguments: any[];
+    index: number;
+    workflowDimension: string;
+    workflowId: string;
+};

package/build/types/exporter.d.ts

@@ -251,7 +251,7 @@ export interface ExecutionExportOptions {
      * When true, fetches the full stream message history for this workflow
      * from the worker_streams table and attaches it as `stream_history`.
      * This provides raw activity input/output data from the original stream
-     * messages, enabling Temporal-grade export fidelity.
+     * messages, enabling full export fidelity.
      *
      * @default false
      */

package/build/types/hotmesh.d.ts

@@ -122,7 +122,7 @@ type HotMeshEngine = {
      * @example
      * ```typescript
      * {
-     *   retryPolicy: {
+     *   retry: {
      *     maximumAttempts: 5,
      *     backoffCoefficient: 2,
      *     maximumInterval: '300s'
@@ -130,8 +130,25 @@ type HotMeshEngine = {
      * }
      * ```
      */
-    retryPolicy?: import('./stream').RetryPolicy;
+    retry?: import('./stream').RetryPolicy;
 };
+/**
+ * Configuration for a HotMesh worker that consumes messages from a
+ * Postgres stream topic. Workers can run on the same process as the
+ * engine or on entirely separate servers — the only coupling is the
+ * shared Postgres database.
+ *
+ * ## Connection Modes
+ *
+ * **Standard**: Worker uses the same Postgres credentials as the engine.
+ * Set `connection` with admin credentials. Suitable for trusted, co-located workers.
+ *
+ * **Secured**: Worker connects as a restricted Postgres role with
+ * `workerCredentials`. The role can only dequeue/ack/respond on its
+ * allowed stream topics via SECURITY DEFINER stored procedures — zero
+ * direct table access. Use for untrusted workloads: K8s containers,
+ * LLM agents, third-party integrations.
+ */
 type HotMeshWorker = {
     /**
      * the topic/task queue that the worker subscribes to (stream_name)
@@ -212,7 +229,7 @@ type HotMeshWorker = {
      * @example
      * ```typescript
      * {
-     *   retryPolicy: {
+     *   retry: {
      *     maximumAttempts: 5,
      *     backoffCoefficient: 2,
      *     maximumInterval: '300s'
@@ -220,7 +237,53 @@ type HotMeshWorker = {
      * }
      * ```
      */
-    retryPolicy?: import('./stream').RetryPolicy;
+    retry?: import('./stream').RetryPolicy;
+    /**
+     * Scoped Postgres credentials for database-level worker isolation.
+     *
+     * When provided, the `user` and `password` in the worker's connection
+     * options are overridden with these values, and all stream operations
+     * route through SECURITY DEFINER stored procedures that validate
+     * `app.allowed_streams` before executing. The worker role has **zero
+     * direct table access**.
+     *
+     * Use this for workers running in untrusted environments: pluggable
+     * K8s containers, LLM-driven agents (e.g., MCP tool servers),
+     * third-party integrations, or any workload that should be isolated
+     * from the engine's database surface.
+     *
+     * Provision credentials via `HotMesh.provisionWorkerRole()` or by
+     * creating a Postgres role with `EXECUTE` on the schema's worker
+     * stored procedures and `ALTER ROLE ... SET app.allowed_streams`.
+     *
+     * **Limitations:** Workflows running under scoped credentials cannot
+     * use `Durable.workflow.entity()`, `Durable.workflow.search()`, or
+     * `Durable.workflow.enrich()` — these write directly to the `jobs`
+     * and `jobs_attributes` tables, which the scoped role has no access
+     * to. All other workflow primitives (`proxyActivities`, `sleep`,
+     * `condition`, `signal`, `emit`, `executeChild`, etc.) work normally.
+     *
+     * @example
+     * ```typescript
+     * // Admin provisions scoped credentials (one-time)
+     * const cred = await HotMesh.provisionWorkerRole({
+     *   connection: { class: Postgres, options: adminOptions },
+     *   streamNames: ['order.process'],
+     * });
+     *
+     * // Worker connects with restricted role
+     * workers: [{
+     *   topic: 'order.process',
+     *   connection: { class: Postgres, options: { host: 'pg.prod', database: 'db' } },
+     *   workerCredentials: { user: cred.roleName, password: cred.password },
+     *   callback: myCallback,
+     * }]
+     * ```
+     */
+    workerCredentials?: {
+        user: string;
+        password: string;
+    };
 };
 type HotMeshConfig = {
     appId: string;

package/build/types/index.d.ts

@@ -1,9 +1,10 @@
 export { ActivityType, ActivityDataType, ActivityContext, ActivityData, ActivityDuplex, ActivityLeg, ActivityMetadata, Consumes, AwaitActivity, BaseActivity, CycleActivity, HookActivity, WorkerActivity, InterruptActivity, SignalActivity, TriggerActivity, TriggerActivityStats, } from './activity';
 export { App, AppVID, AppTransitions, AppSubscriptions } from './app';
 export { AsyncSignal } from './async';
+export { PayloadCodec } from './codec';
 export { CacheMode } from './cache';
 export { CollationFaultType, CollationStage } from './collator';
-export { ActivityConfig, ActivityInterceptor, ActivityInterceptorContext, ActivityWorkflowDataType, ChildResponseType, ClientConfig, ClientWorkflow, ContextType, Connection, ProxyResponseType, ProxyType, Registry, SignalOptions, FindJobsOptions, FindOptions, FindWhereOptions, FindWhereQuery, HookOptions, SearchResults, WorkflowConfig, WorkerConfig, WorkerOptions, WorkflowContext, WorkflowSearchOptions, WorkflowSearchSchema, WorkflowDataType, WorkflowOptions, WorkflowInterceptor, InterceptorRegistry, } from './durable';
+export { ActivityConfig, DurableActivityContext, WorkflowOutboundCallsInterceptor, WorkflowOutboundCallsInterceptorContext, ActivityInboundCallsInterceptor, ActivityWorkflowDataType, ChildResponseType, ClientConfig, ClientWorkflow, ContextType, Connection, ProxyResponseType, ProxyType, Registry, SignalOptions, FindJobsOptions, FindOptions, FindWhereOptions, FindWhereQuery, HookOptions, SearchResults, WorkflowConfig, WorkerConfig, WorkerOptions, WorkflowContext, WorkflowSearchOptions, WorkflowSearchSchema, WorkflowDataType, WorkflowOptions, WorkflowInboundCallsInterceptor, InterceptorRegistry, } from './durable';
 export { PruneOptions, PruneResult, } from './dba';
 export { DurableChildErrorType, DurableProxyErrorType, DurableSleepErrorType, DurableWaitForAllErrorType, DurableWaitForErrorType, } from './error';
 export { ActivityAction, ActivityDetail, ActivityInputMap, ActivityTaskCompletedAttributes, ActivityTaskFailedAttributes, ActivityTaskScheduledAttributes, ChildWorkflowExecutionCompletedAttributes, ChildWorkflowExecutionFailedAttributes, ChildWorkflowExecutionStartedAttributes, DependencyExport, DurableJobExport, ExecutionExportOptions, ExportCycles, ExportFields, ExportItem, ExportMode, ExportOptions, ExportTransitions, JobAction, JobActionExport, JobAttributesRow, JobExport, JobRow, JobTimeline, StreamHistoryEntry, TimelineType, TimerFiredAttributes, TimerStartedAttributes, TransitionType, WorkflowEventAttributes, WorkflowEventCategory, WorkflowEventType, WorkflowExecution, WorkflowExecutionCompletedAttributes, WorkflowExecutionEvent, WorkflowExecutionFailedAttributes, WorkflowExecutionSignaledAttributes, WorkflowExecutionStartedAttributes, WorkflowExecutionStatus, WorkflowExecutionSummary, } from './exporter';

package/build/types/provider.d.ts

@@ -69,7 +69,7 @@ export type ProviderConfig = {
      * @example
      * ```typescript
      * {
-     *   retryPolicy: {
+     *   retry: {
      *     maximumAttempts: 5,
      *     backoffCoefficient: 2,
      *     maximumInterval: '300s'
@@ -77,7 +77,7 @@ export type ProviderConfig = {
      * }
      * ```
      */
-    retryPolicy?: import('./stream').RetryPolicy;
+    retry?: import('./stream').RetryPolicy;
 };
 export type ProvidersConfig = {
     sub: ProviderConfig;

package/build/types/quorum.d.ts

@@ -16,7 +16,7 @@ export interface NetworkStat {
     tx_sec: number;
     ms: number;
 }
-/** reveals: memory, cpu, network */
+/** Host-level resource snapshot collected at pong time. */
 export interface SystemHealth {
     TotalMemoryGB: string;
     FreeMemoryGB: string;
@@ -36,21 +36,55 @@ export type ThrottleOptions = {
     /** namespace */
     namespace?: string;
 };
+/**
+ * Snapshot of a single engine or worker instance, returned by
+ * `HotMesh.rollCall()`. Each connected instance responds to the
+ * quorum PING with its current profile.
+ *
+ * **Engines** populate `stream` (the engine stream key).
+ * **Workers** populate `worker_topic` (the task queue topic) and `stream`.
+ *
+ * Use `counts` and `error_count` for throughput and health monitoring.
+ */
 export interface QuorumProfile {
+    /** Namespace the instance belongs to. */
     namespace: string;
+    /** Application ID (matches `HotMeshConfig.appId`). */
     app_id: string;
+    /** Unique instance GUID (engine or worker). */
     engine_id: string;
+    /** Entity name (if applicable). */
     entity?: string;
+    /** Worker task queue topic. Present only for worker instances. */
     worker_topic?: string;
+    /** Stream key this instance consumes from. */
     stream?: string;
+    /** Number of pending (unprocessed) messages in the stream. */
     stream_depth?: number;
+    /**
+     * Cumulative messages processed, keyed by status code.
+     * Common codes: `'200'` (success), `'590'` (child workflow),
+     * `'591'` (activity dispatch), `'500'` (error).
+     */
     counts?: Record<string, number>;
+    /**
+     * Consecutive stream consumption errors. `0` = healthy.
+     * Non-zero means the consumer is in exponential backoff recovery.
+     */
+    error_count?: number;
+    /** ISO timestamp of when this instance was initialized. */
     inited?: string;
+    /** ISO timestamp of when this profile was generated. */
     timestamp?: string;
+    /** Current throttle delay in ms (`0` = no throttle). */
     throttle?: number;
+    /** Interval (ms) before reclaiming unacknowledged messages. */
     reclaimDelay?: number;
+    /** Max messages to reclaim per cycle. */
     reclaimCount?: number;
+    /** Host-level memory, CPU, and network stats. */
     system?: SystemHealth;
+    /** Stringified worker callback function (only if `signature: true` in rollcall). */
     signature?: string;
 }
 interface QuorumMessageBase {

package/build/types/stream.d.ts

@@ -5,7 +5,7 @@ import { ProviderTransaction } from './provider';
  *
  * @example
  * ```typescript
- * const retryPolicy: RetryPolicy = {
+ * const retry: RetryPolicy = {
  *   maximumAttempts: 5,
  *   backoffCoefficient: 2,
  *   maximumInterval: '300s',
@@ -172,7 +172,7 @@ export type RouterConfig = {
     /** if true, will not process stream messages; default true */
     readonly?: boolean;
     /** Retry policy for worker messages. Applied when worker callback throws an error */
-    retryPolicy?: RetryPolicy;
+    retry?: RetryPolicy;
 };
 export type StreamProviderType = 'postgres' | 'nats' | 'sqs';
 export interface StreamConfig {
@@ -195,7 +195,13 @@ export interface StreamConfig {
      * }
      * ```
      */
-    retryPolicy?: RetryPolicy;
+    retry?: RetryPolicy;
+    /**
+     * When true, worker stream operations use SECURITY DEFINER stored
+     * procedures instead of raw SQL. Enabled automatically when the
+     * worker connects with scoped `workerCredentials`.
+     */
+    securedWorker?: boolean;
     postgres?: {
         pollInterval?: number;
         vacuumInterval?: number;
@@ -227,7 +233,7 @@ export interface StreamMessage {
      * Retry policy configuration for this message.
      * Populated from database columns when available.
      */
-    retryPolicy?: RetryPolicy;
+    retry?: RetryPolicy;
 }
 export interface StreamMessageMetadata {
     timestamp?: number;
@@ -265,7 +271,7 @@ export interface PublishMessageConfig {
      * @example
      * ```typescript
      * await streamService.publishMessages('my-topic', [msg], {
-     *   retryPolicy: {
+     *   retry: {
      *     maximumAttempts: 10,
      *     backoffCoefficient: 2,
      *     maximumInterval: '600s',
@@ -273,7 +279,7 @@ export interface PublishMessageConfig {
      * });
      * ```
      */
-    retryPolicy?: RetryPolicy;
+    retry?: RetryPolicy;
 }
 /**
  * Notification consumer configuration for PostgreSQL stream provider.