npm - @pgpm/metaschema-modules - Versions diffs - 0.16.7 → 0.17.0 - Mend

@pgpm/metaschema-modules 0.16.7 → 0.17.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/deploy/schemas/metaschema_modules_public/tables/secure_table_provision/table.sql ADDED Viewed

@@ -0,0 +1,104 @@
+-- Deploy schemas/metaschema_modules_public/tables/secure_table_provision/table to pg
+-- requires: schemas/metaschema_modules_public/schema
+BEGIN;
+CREATE TABLE metaschema_modules_public.secure_table_provision (
+    id uuid PRIMARY KEY DEFAULT uuid_generate_v4 (),
+    database_id uuid NOT NULL,
+    schema_id uuid NOT NULL DEFAULT uuid_nil(),
+    table_id uuid NOT NULL DEFAULT uuid_nil(),
+    table_name text DEFAULT NULL,
+    node_type text DEFAULT NULL,
+    use_rls boolean NOT NULL DEFAULT true,
+    node_data jsonb NOT NULL DEFAULT '{}',
+    grant_roles text[] NOT NULL DEFAULT ARRAY['authenticated'],
+    grant_privileges jsonb NOT NULL DEFAULT '[]',
+    policy_type text DEFAULT NULL,
+    policy_privileges text[] DEFAULT NULL,
+    policy_role text DEFAULT NULL,
+    policy_permissive boolean NOT NULL DEFAULT true,
+    policy_data jsonb NOT NULL DEFAULT '{}',
+    out_fields uuid[] DEFAULT NULL,
+    CONSTRAINT db_fkey FOREIGN KEY (database_id) REFERENCES metaschema_public.database (id) ON DELETE CASCADE,
+    CONSTRAINT table_fkey FOREIGN KEY (table_id) REFERENCES metaschema_public.table (id) ON DELETE CASCADE,
+    CONSTRAINT schema_fkey FOREIGN KEY (schema_id) REFERENCES metaschema_public.schema (id) ON DELETE CASCADE
+);
+COMMENT ON TABLE metaschema_modules_public.secure_table_provision IS
+    'Provisions security, fields, grants, and policies onto a table. Each row can independently: (1) create fields via node_type, (2) grant privileges via grant_privileges, (3) create RLS policies via policy_type. Multiple rows can target the same table to compose different concerns. All three concerns are optional and independent.';
+COMMENT ON COLUMN metaschema_modules_public.secure_table_provision.id IS
+    'Unique identifier for this provision row.';
+COMMENT ON COLUMN metaschema_modules_public.secure_table_provision.database_id IS
+    'The database this provision belongs to. Required.';
+COMMENT ON COLUMN metaschema_modules_public.secure_table_provision.schema_id IS
+    'Target schema for the table. Defaults to uuid_nil(); the trigger resolves this to the app_public schema if not explicitly provided.';
+COMMENT ON COLUMN metaschema_modules_public.secure_table_provision.table_id IS
+    'Target table to provision. Defaults to uuid_nil(); the trigger creates or resolves the table via table_name if not explicitly provided.';
+COMMENT ON COLUMN metaschema_modules_public.secure_table_provision.table_name IS
+    'Name of the target table. Used to create or look up the table when table_id is not provided. If omitted, it is backfilled from the resolved table.';
+COMMENT ON COLUMN metaschema_modules_public.secure_table_provision.node_type IS
+    'Which generator to invoke for field creation. One of: DataId, DataDirectOwner, DataEntityMembership, DataOwnershipInEntity, DataTimestamps, DataPeoplestamps, DataPublishable, DataSoftDelete. NULL means no field creation — the row only provisions grants and/or policies.';
+COMMENT ON COLUMN metaschema_modules_public.secure_table_provision.use_rls IS
+    'If true and Row Level Security is not yet enabled on the target table, enable it. Automatically set to true by the trigger when policy_type is provided. Defaults to true.';
+COMMENT ON COLUMN metaschema_modules_public.secure_table_provision.node_data IS
+    'Configuration passed to the generator function for field creation (only used when node_type is set). Known keys include: field_name (text, default ''id'') for DataId, owner_field_name (text, default ''owner_id'') for DataDirectOwner/DataOwnershipInEntity, entity_field_name (text, default ''entity_id'') for DataEntityMembership/DataOwnershipInEntity, include_id (boolean, default true) for most node_types, include_user_fk (boolean, default true) to add FK to users table. Defaults to ''{}''.';
+COMMENT ON COLUMN metaschema_modules_public.secure_table_provision.grant_roles IS
+    'Database roles to grant privileges to. Supports multiple roles, e.g. ARRAY[''authenticated'', ''admin'']. Each role receives all privileges defined in grant_privileges. Defaults to ARRAY[''authenticated''].';
+COMMENT ON COLUMN metaschema_modules_public.secure_table_provision.grant_privileges IS
+    'Array of [privilege, columns] tuples defining table grants. Examples: [["select","*"],["insert","*"]] for full access, or [["update",["name","bio"]]] for column-level grants. "*" means all columns; an array means column-level grant. Defaults to ''[]'' (no grants). The trigger validates this is a proper jsonb array.';
+COMMENT ON COLUMN metaschema_modules_public.secure_table_provision.policy_type IS
+    'Policy generator type, e.g. ''AuthzEntityMembership'', ''AuthzMembership'', ''AuthzAllowAll''. NULL means no policy is created. When set, the trigger automatically enables RLS on the target table.';
+COMMENT ON COLUMN metaschema_modules_public.secure_table_provision.policy_privileges IS
+    'Privileges the policy applies to, e.g. ARRAY[''select'',''update'']. NULL means privileges are derived from the grant_privileges verbs.';
+COMMENT ON COLUMN metaschema_modules_public.secure_table_provision.policy_role IS
+    'Role the policy targets. NULL means it falls back to the first role in grant_roles.';
+COMMENT ON COLUMN metaschema_modules_public.secure_table_provision.policy_permissive IS
+    'Whether the policy is PERMISSIVE (true) or RESTRICTIVE (false). Defaults to true.';
+COMMENT ON COLUMN metaschema_modules_public.secure_table_provision.policy_data IS
+    'Opaque configuration passed through to metaschema.create_policy(). Structure varies by policy_type and is not interpreted by this trigger. Defaults to ''{}''.';
+COMMENT ON COLUMN metaschema_modules_public.secure_table_provision.out_fields IS
+    'Output column populated by the trigger after field creation. Contains the UUIDs of the metaschema fields created on the target table by this provision row''s generator. NULL when node_type is NULL or before the trigger runs. Callers should not set this directly.';
+COMMENT ON CONSTRAINT schema_fkey ON metaschema_modules_public.secure_table_provision IS E'@omit manyToMany';
+COMMENT ON CONSTRAINT table_fkey ON metaschema_modules_public.secure_table_provision IS E'@omit manyToMany';
+COMMENT ON CONSTRAINT db_fkey ON metaschema_modules_public.secure_table_provision IS E'@omit manyToMany';
+CREATE INDEX secure_table_provision_database_id_idx ON metaschema_modules_public.secure_table_provision ( database_id );
+CREATE INDEX secure_table_provision_table_id_idx ON metaschema_modules_public.secure_table_provision ( table_id );
+CREATE INDEX secure_table_provision_node_type_idx ON metaschema_modules_public.secure_table_provision ( node_type );
+COMMIT;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@pgpm/metaschema-modules",
-  "version": "0.16.7",
+  "version": "0.17.0",
   "description": "Module metadata handling and dependency tracking",
   "author": "Dan Lynch <pyramation@gmail.com>",
   "contributors": [
@@ -21,9 +21,9 @@
     "test:watch": "jest --watch"
   },
   "dependencies": {
-    "@pgpm/metaschema-schema": "0.16.6",
-    "@pgpm/services": "0.16.6",
-    "@pgpm/verify": "0.16.0"
+    "@pgpm/metaschema-schema": "0.17.0",
+    "@pgpm/services": "0.17.0",
+    "@pgpm/verify": "0.17.0"
   },
   "devDependencies": {
     "pgpm": "^1.3.0"
@@ -36,5 +36,5 @@
   "bugs": {
     "url": "https://github.com/constructive-io/pgpm-modules/issues"
   },
-  "gitHead": "3ada2add98b93ba6b6991d3ed791d8c9ea1b3297"
+  "gitHead": "8eb8b9e3a6784fb45a3a9e86838f8417f061925c"
 }

package/pgpm.plan CHANGED Viewed

@@ -32,3 +32,4 @@ schemas/metaschema_modules_public/tables/users_module/table [schemas/metaschema_
 schemas/metaschema_modules_public/tables/uuid_module/table [schemas/metaschema_modules_public/schema] 2017-08-11T08:11:51Z skitch <skitch@5b0c196eeb62> # add schemas/metaschema_modules_public/tables/uuid_module/table
 schemas/metaschema_modules_public/tables/hierarchy_module/table [schemas/metaschema_modules_public/schema] 2024-12-28T00:00:00Z skitch <skitch@5b0c196eeb62> # add schemas/metaschema_modules_public/tables/hierarchy_module/table
 schemas/metaschema_modules_public/tables/table_template_module/table [schemas/metaschema_modules_public/schema] 2026-01-14T00:00:00Z devin <devin@cognition.ai> # add schemas/metaschema_modules_public/tables/table_template_module/table
+schemas/metaschema_modules_public/tables/secure_table_provision/table [schemas/metaschema_modules_public/schema] 2026-02-26T00:00:00Z devin <devin@cognition.ai> # add schemas/metaschema_modules_public/tables/secure_table_provision/table

package/revert/schemas/metaschema_modules_public/tables/secure_table_provision/table.sql ADDED Viewed

@@ -0,0 +1,7 @@
+-- Revert schemas/metaschema_modules_public/tables/secure_table_provision/table from pg
+BEGIN;
+DROP TABLE IF EXISTS metaschema_modules_public.secure_table_provision;
+COMMIT;

package/verify/schemas/metaschema_modules_public/tables/secure_table_provision/table.sql ADDED Viewed

@@ -0,0 +1,25 @@
+-- Verify schemas/metaschema_modules_public/tables/secure_table_provision/table on pg
+BEGIN;
+SELECT
+    id,
+    database_id,
+    schema_id,
+    table_id,
+    table_name,
+    node_type,
+    use_rls,
+    node_data,
+    grant_roles,
+    grant_privileges,
+    policy_type,
+    policy_privileges,
+    policy_role,
+    policy_permissive,
+    policy_data,
+    out_fields
+FROM metaschema_modules_public.secure_table_provision
+WHERE FALSE;
+ROLLBACK;