@pgpm/metaschema-modules 0.16.8 → 0.18.0

package/README.md

@@ -1,4 +1,4 @@
-# @pgpm/metaschema-modules
+# @pgpm/db-meta-modules
 
 <p align="center" width="100%">
   <img height="250" src="https://raw.githubusercontent.com/constructive-io/constructive/refs/heads/main/assets/outline-logo.svg" />
@@ -9,14 +9,14 @@
     <img height="20" src="https://github.com/constructive-io/pgpm-modules/actions/workflows/ci.yml/badge.svg" />
   </a>
    <a href="https://github.com/constructive-io/pgpm-modules/blob/main/LICENSE"><img height="20" src="https://img.shields.io/badge/license-MIT-blue.svg"/></a>
-   <a href="https://www.npmjs.com/package/@pgpm/metaschema-modules"><img height="20" src="https://img.shields.io/github/package-json/v/constructive-io/pgpm-modules?filename=packages%2Fmetaschema-modules%2Fpackage.json"/></a>
+   <a href="https://www.npmjs.com/package/@pgpm/db-meta-modules"><img height="20" src="https://img.shields.io/github/package-json/v/constructive-io/pgpm-modules?filename=packages%2Fdb-meta-modules%2Fpackage.json"/></a>
 </p>
 
 Module metadata handling and dependency tracking.
 
 ## Overview
 
-`@pgpm/metaschema-modules` extends the `@pgpm/metaschema-schema` package with module-specific metadata tables. This package provides tables for tracking various pgpm modules including authentication, permissions, memberships, encrypted secrets, and more. It enables configuration and metadata storage for modular application features.
+`@pgpm/db-meta-modules` extends the `@pgpm/db-meta-schema` package with module-specific metadata tables. This package provides tables for tracking various pgpm modules including authentication, permissions, memberships, encrypted secrets, and more. It enables configuration and metadata storage for modular application features.
 
 ## Features
 
@@ -33,7 +33,7 @@ Module metadata handling and dependency tracking.
 If you have `pgpm` installed:
 
 ```bash
-pgpm install @pgpm/metaschema-modules
+pgpm install @pgpm/db-meta-modules
 pgpm deploy
 ```
 
@@ -56,7 +56,7 @@ eval "$(pgpm env)"
 
 ```bash
 # 1. Install the package
-pgpm install @pgpm/metaschema-modules
+pgpm install @pgpm/db-meta-modules
 
 # 2. Deploy locally
 pgpm deploy 
@@ -74,7 +74,7 @@ pgpm init
 
 # 3. Install a package
 cd packages/my-module
-pgpm install @pgpm/metaschema-modules
+pgpm install @pgpm/db-meta-modules
 
 # 4. Deploy everything
 pgpm deploy --createdb --database mydb1
@@ -213,8 +213,7 @@ Use module tables as feature flags:
 
 ## Dependencies
 
-- `@pgpm/metaschema-schema`: Core metadata management
-- `@pgpm/services`: Services schemas for APIs, sites, and domains
+- `@pgpm/db-meta-schema`: Core metadata management
 - `@pgpm/verify`: Verification utilities
 
 ## Testing

package/deploy/schemas/metaschema_modules_public/tables/field_module/table.sql

@@ -13,8 +13,14 @@ CREATE TABLE metaschema_modules_public.field_module (
     table_id uuid NOT NULL DEFAULT uuid_nil(),
     field_id uuid NOT NULL DEFAULT uuid_nil(),
 
+    -- Node type from node_type_registry (e.g., 'FieldSlug', 'FieldImmutable', 'FieldInflection', 'FieldOwned')
     node_type text NOT NULL,
 
+    -- Type-specific parameters as jsonb
+    -- FieldSlug: {"source_field_id": "uuid"}
+    -- FieldImmutable: {} (no extra params)
+    -- FieldInflection: {"ops": ["snake_case", "uppercase"]}
+    -- FieldOwned: {"role_key_field_id": "uuid", "protected_field_ids": ["uuid", ...]}
     data jsonb NOT NULL DEFAULT '{}',
 
     triggers text[],
@@ -35,4 +41,3 @@ CREATE INDEX field_module_database_id_idx ON metaschema_modules_public.field_mod
 CREATE INDEX field_module_node_type_idx ON metaschema_modules_public.field_module ( node_type );
 
 COMMIT;
-

package/deploy/schemas/metaschema_modules_public/tables/profiles_module/table.sql

@@ -27,8 +27,6 @@ CREATE TABLE metaschema_modules_public.profiles_module (
     profile_definition_grants_table_id uuid NOT NULL DEFAULT uuid_nil(),
     profile_definition_grants_table_name text NOT NULL DEFAULT '',
     
-    -- Configuration
-    bitlen int NOT NULL DEFAULT 24,
     membership_type int NOT NULL,
     
     -- Entity table for org/group scoped profiles (NULL for app-level)

package/deploy/schemas/metaschema_modules_public/tables/relation_provision/table.sql

@@ -0,0 +1,287 @@
+-- Deploy schemas/metaschema_modules_public/tables/relation_provision/table to pg
+
+-- requires: schemas/metaschema_modules_public/schema
+
+BEGIN;
+
+CREATE TABLE metaschema_modules_public.relation_provision (
+    id uuid PRIMARY KEY DEFAULT uuid_generate_v4 (),
+
+    database_id uuid NOT NULL,
+
+    -- =========================================================================
+    -- Relation type and tables
+    -- =========================================================================
+
+    relation_type text NOT NULL CHECK (relation_type IN (
+        'RelationBelongsTo', 'RelationHasOne', 'RelationHasMany', 'RelationManyToMany'
+    )),
+
+    source_table_id uuid NOT NULL,
+
+    target_table_id uuid NOT NULL,
+
+    -- =========================================================================
+    -- BelongsTo / HasOne / HasMany: FK field config
+    -- =========================================================================
+
+    field_name text DEFAULT NULL,
+
+    delete_action text DEFAULT NULL,
+
+    is_required boolean NOT NULL DEFAULT true,
+
+    -- =========================================================================
+    -- ManyToMany: junction table identity
+    -- =========================================================================
+
+    junction_table_id uuid NOT NULL DEFAULT uuid_nil(),
+
+    junction_table_name text DEFAULT NULL,
+
+    junction_schema_id uuid DEFAULT NULL,
+
+    source_field_name text DEFAULT NULL,
+
+    target_field_name text DEFAULT NULL,
+
+    -- =========================================================================
+    -- ManyToMany: junction table primary key strategy
+    -- =========================================================================
+
+    use_composite_key boolean NOT NULL DEFAULT false,
+
+    -- =========================================================================
+    -- ManyToMany: field creation (forwarded to secure_table_provision)
+    -- =========================================================================
+
+    node_type text DEFAULT NULL,
+
+    node_data jsonb NOT NULL DEFAULT '{}',
+
+    -- =========================================================================
+    -- ManyToMany: grants (forwarded to secure_table_provision)
+    -- =========================================================================
+
+    grant_roles text[] NOT NULL DEFAULT ARRAY['authenticated'],
+
+    grant_privileges jsonb NOT NULL DEFAULT '[["select","*"],["insert","*"],["delete","*"]]',
+
+    -- =========================================================================
+    -- ManyToMany: RLS policies (forwarded to secure_table_provision)
+    -- =========================================================================
+
+    policy_type text DEFAULT NULL,
+
+    policy_privileges text[] DEFAULT NULL,
+
+    policy_role text DEFAULT NULL,
+
+    policy_permissive boolean NOT NULL DEFAULT true,
+
+    policy_name text DEFAULT NULL,
+
+    policy_data jsonb NOT NULL DEFAULT '{}',
+
+    -- =========================================================================
+    -- Output columns (populated by the trigger, not set by callers)
+    -- =========================================================================
+
+    out_field_id uuid DEFAULT NULL,
+
+    out_junction_table_id uuid DEFAULT NULL,
+
+    out_source_field_id uuid DEFAULT NULL,
+
+    out_target_field_id uuid DEFAULT NULL,
+
+    CONSTRAINT db_fkey FOREIGN KEY (database_id) REFERENCES metaschema_public.database (id) ON DELETE CASCADE,
+    CONSTRAINT source_table_fkey FOREIGN KEY (source_table_id) REFERENCES metaschema_public.table (id) ON DELETE CASCADE,
+    CONSTRAINT target_table_fkey FOREIGN KEY (target_table_id) REFERENCES metaschema_public.table (id) ON DELETE CASCADE
+);
+
+-- =============================================================================
+-- Table-level comment
+-- =============================================================================
+
+COMMENT ON TABLE metaschema_modules_public.relation_provision IS
+    'Provisions relational structure between tables. Supports four relation types:
+     - RelationBelongsTo: adds a FK field on the source table referencing the target table (child perspective: "tasks belongs to projects" -> tasks.project_id).
+     - RelationHasMany: adds a FK field on the target table referencing the source table (parent perspective: "projects has many tasks" -> tasks.project_id). Inverse of BelongsTo.
+     - RelationHasOne: adds a FK field with a unique constraint on the source table referencing the target table. Also supports shared-primary-key patterns where the FK field IS the primary key (set field_name to the existing PK field name).
+     - RelationManyToMany: creates a junction table with FK fields to both source and target tables, delegating table creation and security to secure_table_provision.
+     This is a one-and-done structural provisioner. To layer additional security onto junction tables after creation, use secure_table_provision directly.
+     All operations are graceful: existing fields, FK constraints, and unique constraints are reused if found.
+     The trigger never injects values the caller did not provide. All security config is forwarded to secure_table_provision as-is.';
+
+-- =============================================================================
+-- Relation type and tables
+-- =============================================================================
+
+COMMENT ON COLUMN metaschema_modules_public.relation_provision.id IS
+    'Unique identifier for this relation provision row.';
+
+COMMENT ON COLUMN metaschema_modules_public.relation_provision.database_id IS
+    'The database this relation belongs to. Required. Must match the database of both source_table_id and target_table_id.';
+
+COMMENT ON COLUMN metaschema_modules_public.relation_provision.relation_type IS
+    'The type of relation to create. Uses SuperCase naming matching the node_type_registry:
+     - RelationBelongsTo: creates a FK field on source_table referencing target_table (e.g., tasks belongs to projects -> tasks.project_id). Field name auto-derived from target table.
+     - RelationHasMany: creates a FK field on target_table referencing source_table (e.g., projects has many tasks -> tasks.project_id). Field name auto-derived from source table. Inverse of BelongsTo — same FK, different perspective.
+     - RelationHasOne: creates a FK field + unique constraint on source_table referencing target_table (e.g., user_settings has one user -> user_settings.user_id with UNIQUE). Also supports shared-primary-key patterns (e.g., user_profiles.id = users.id) by setting field_name to the existing PK field.
+     - RelationManyToMany: creates a junction table with FK fields to both tables (e.g., projects and tags -> project_tags table).
+     Each relation type uses a different subset of columns on this table. Required.';
+
+COMMENT ON COLUMN metaschema_modules_public.relation_provision.source_table_id IS
+    'The source table in the relation. Required.
+     - RelationBelongsTo: the table that receives the FK field (e.g., tasks in "tasks belongs to projects").
+     - RelationHasMany: the parent table being referenced (e.g., projects in "projects has many tasks"). The FK field is created on the target table.
+     - RelationHasOne: the table that receives the FK field + unique constraint (e.g., user_settings in "user_settings has one user").
+     - RelationManyToMany: one of the two tables being joined (e.g., projects in "projects and tags"). The junction table will have a FK field referencing this table.';
+
+COMMENT ON COLUMN metaschema_modules_public.relation_provision.target_table_id IS
+    'The target table in the relation. Required.
+     - RelationBelongsTo: the table being referenced by the FK (e.g., projects in "tasks belongs to projects").
+     - RelationHasMany: the table that receives the FK field (e.g., tasks in "projects has many tasks").
+     - RelationHasOne: the table being referenced by the FK (e.g., users in "user_settings has one user").
+     - RelationManyToMany: the other table being joined (e.g., tags in "projects and tags"). The junction table will have a FK field referencing this table.';
+
+-- =============================================================================
+-- BelongsTo / HasOne / HasMany: FK field config
+-- =============================================================================
+
+COMMENT ON COLUMN metaschema_modules_public.relation_provision.field_name IS
+    'FK field name for RelationBelongsTo, RelationHasOne, and RelationHasMany.
+     - RelationBelongsTo/RelationHasOne: if NULL, auto-derived from the target table name (e.g., target "projects" derives "project_id").
+     - RelationHasMany: if NULL, auto-derived from the source table name (e.g., source "projects" derives "project_id").
+     For RelationHasOne shared-primary-key patterns, set field_name to the existing PK field (e.g., "id") so the FK reuses it.
+     Ignored for RelationManyToMany — use source_field_name/target_field_name instead.';
+
+COMMENT ON COLUMN metaschema_modules_public.relation_provision.delete_action IS
+    'FK delete action for RelationBelongsTo, RelationHasOne, and RelationHasMany. One of: c (CASCADE), r (RESTRICT), n (SET NULL), d (SET DEFAULT), a (NO ACTION). Required — the trigger raises an error if not provided. The caller must explicitly choose the cascade behavior; there is no default. Ignored for RelationManyToMany (junction FK fields always use CASCADE).';
+
+COMMENT ON COLUMN metaschema_modules_public.relation_provision.is_required IS
+    'Whether the FK field is NOT NULL. Defaults to true.
+     - RelationBelongsTo: set to false for optional associations (e.g., tasks.assignee_id that can be NULL).
+     - RelationHasMany: set to false if the child can exist without a parent.
+     - RelationHasOne: typically true.
+     Ignored for RelationManyToMany (junction FK fields are always required).';
+
+-- =============================================================================
+-- ManyToMany: junction table identity
+-- =============================================================================
+
+COMMENT ON COLUMN metaschema_modules_public.relation_provision.junction_table_id IS
+    'For RelationManyToMany: an existing junction table to use. Defaults to uuid_nil().
+     - When uuid_nil(): the trigger creates a new junction table via secure_table_provision using junction_table_name.
+     - When set to a valid table UUID: the trigger skips table creation and only adds FK fields, composite key (if use_composite_key is true), and security to the existing table.
+     Ignored for RelationBelongsTo/RelationHasOne.';
+
+COMMENT ON COLUMN metaschema_modules_public.relation_provision.junction_table_name IS
+    'For RelationManyToMany: name of the junction table to create or look up. If NULL, auto-derived from source and target table names using inflection_db (e.g., "projects" + "tags" derives "project_tags"). Only used when junction_table_id is uuid_nil(). Ignored for RelationBelongsTo/RelationHasOne.';
+
+COMMENT ON COLUMN metaschema_modules_public.relation_provision.junction_schema_id IS
+    'For RelationManyToMany: schema for the junction table. If NULL, defaults to the source table''s schema. Ignored for RelationBelongsTo/RelationHasOne.';
+
+COMMENT ON COLUMN metaschema_modules_public.relation_provision.source_field_name IS
+    'For RelationManyToMany: FK field name on the junction table referencing the source table. If NULL, auto-derived from the source table name using inflection_db.get_foreign_key_field_name() (e.g., source table "projects" derives "project_id"). Ignored for RelationBelongsTo/RelationHasOne.';
+
+COMMENT ON COLUMN metaschema_modules_public.relation_provision.target_field_name IS
+    'For RelationManyToMany: FK field name on the junction table referencing the target table. If NULL, auto-derived from the target table name using inflection_db.get_foreign_key_field_name() (e.g., target table "tags" derives "tag_id"). Ignored for RelationBelongsTo/RelationHasOne.';
+
+-- =============================================================================
+-- ManyToMany: junction table primary key strategy
+-- =============================================================================
+
+COMMENT ON COLUMN metaschema_modules_public.relation_provision.use_composite_key IS
+    'For RelationManyToMany: whether to create a composite primary key from the two FK fields (source + target) on the junction table. Defaults to false.
+     - When true: the trigger calls metaschema.pk() with ARRAY[source_field_id, target_field_id] to create a composite PK. No separate id column is created. This enforces uniqueness of the pair and is suitable for simple junction tables.
+     - When false: no primary key is created by the trigger. The caller should provide node_type=''DataId'' to create a UUID primary key, or handle the PK strategy via a separate secure_table_provision row.
+     use_composite_key and node_type=''DataId'' are mutually exclusive — using both would create two conflicting PKs.
+     Ignored for RelationBelongsTo/RelationHasOne.';
+
+-- =============================================================================
+-- ManyToMany: field creation (forwarded to secure_table_provision)
+-- =============================================================================
+
+COMMENT ON COLUMN metaschema_modules_public.relation_provision.node_type IS
+    'For RelationManyToMany: which generator to invoke for field creation on the junction table. Forwarded to secure_table_provision as-is. The trigger does not interpret or validate this value.
+     Examples: DataId (creates UUID primary key), DataDirectOwner (creates owner_id field), DataEntityMembership (creates entity_id field), DataOwnershipInEntity (creates both owner_id and entity_id), DataTimestamps, DataPeoplestamps, DataPublishable, DataSoftDelete.
+     NULL means no field creation beyond the FK fields (and composite key if use_composite_key is true).
+     Ignored for RelationBelongsTo/RelationHasOne.';
+
+COMMENT ON COLUMN metaschema_modules_public.relation_provision.node_data IS
+    'For RelationManyToMany: configuration passed to the generator function for field creation on the junction table. Forwarded to secure_table_provision as-is. The trigger does not interpret or validate this value.
+     Only used when node_type is set. Structure varies by node_type. Examples:
+     - DataId: {"field_name": "id"} (default field name is ''id'')
+     - DataEntityMembership: {"entity_field_name": "entity_id", "include_id": false, "include_user_fk": true}
+     - DataDirectOwner: {"owner_field_name": "owner_id"}
+     Defaults to ''{}'' (empty object).
+     Ignored for RelationBelongsTo/RelationHasOne.';
+
+-- =============================================================================
+-- ManyToMany: grants (forwarded to secure_table_provision)
+-- =============================================================================
+
+COMMENT ON COLUMN metaschema_modules_public.relation_provision.grant_roles IS
+    'For RelationManyToMany: database roles to grant privileges to on the junction table. Forwarded to secure_table_provision as-is. Supports multiple roles, e.g. ARRAY[''authenticated'', ''admin'']. Each role receives all privileges defined in grant_privileges. Defaults to ARRAY[''authenticated'']. Ignored for RelationBelongsTo/RelationHasOne.';
+
+COMMENT ON COLUMN metaschema_modules_public.relation_provision.grant_privileges IS
+    'For RelationManyToMany: privilege grants for the junction table. Forwarded to secure_table_provision as-is. Format: array of [privilege, columns] tuples. Examples: [["select","*"],["insert","*"]] for full access, or [["update",["name","bio"]]] for column-level grants. "*" means all columns. Defaults to select/insert/delete for all columns. Ignored for RelationBelongsTo/RelationHasOne.';
+
+-- =============================================================================
+-- ManyToMany: RLS policies (forwarded to secure_table_provision)
+-- =============================================================================
+
+COMMENT ON COLUMN metaschema_modules_public.relation_provision.policy_type IS
+    'For RelationManyToMany: RLS policy type for the junction table. Forwarded to secure_table_provision as-is. The trigger does not interpret or validate this value.
+     Examples: AuthzEntityMembership, AuthzMembership, AuthzAllowAll, AuthzDirectOwner, AuthzOrgHierarchy.
+     NULL means no policy is created — the junction table will have RLS enabled but no policies (unless added separately via secure_table_provision).
+     Ignored for RelationBelongsTo/RelationHasOne.';
+
+COMMENT ON COLUMN metaschema_modules_public.relation_provision.policy_privileges IS
+    'For RelationManyToMany: privileges the policy applies to, e.g. ARRAY[''select'',''insert'',''delete'']. Forwarded to secure_table_provision as-is. NULL means privileges are derived from the grant_privileges verbs by secure_table_provision. Ignored for RelationBelongsTo/RelationHasOne.';
+
+COMMENT ON COLUMN metaschema_modules_public.relation_provision.policy_role IS
+    'For RelationManyToMany: database role the policy targets, e.g. ''authenticated''. Forwarded to secure_table_provision as-is. NULL means secure_table_provision falls back to the first role in grant_roles. Ignored for RelationBelongsTo/RelationHasOne.';
+
+COMMENT ON COLUMN metaschema_modules_public.relation_provision.policy_permissive IS
+    'For RelationManyToMany: whether the policy is PERMISSIVE (true) or RESTRICTIVE (false). Forwarded to secure_table_provision as-is. Defaults to true. Ignored for RelationBelongsTo/RelationHasOne.';
+
+COMMENT ON COLUMN metaschema_modules_public.relation_provision.policy_name IS
+    'For RelationManyToMany: custom suffix for the generated policy name. Forwarded to secure_table_provision as-is. When NULL and policy_type is set, secure_table_provision auto-derives a suffix from policy_type (e.g. AuthzDirectOwner becomes direct_owner, producing policy names like auth_sel_direct_owner). When explicitly set, used as-is. This ensures multiple policies on the same junction table do not collide. Ignored for RelationBelongsTo/RelationHasOne.';
+
+COMMENT ON COLUMN metaschema_modules_public.relation_provision.policy_data IS
+    'For RelationManyToMany: opaque policy configuration forwarded to secure_table_provision as-is. The trigger does not interpret or validate this value. Structure varies by policy_type. Examples:
+     - AuthzEntityMembership: {"entity_field": "entity_id", "membership_type": 2}
+     - AuthzDirectOwner: {"owner_field": "owner_id"}
+     - AuthzMembership: {"membership_type": 2}
+     Defaults to ''{}'' (empty object).
+     Ignored for RelationBelongsTo/RelationHasOne.';
+
+-- =============================================================================
+-- Output columns
+-- =============================================================================
+
+COMMENT ON COLUMN metaschema_modules_public.relation_provision.out_field_id IS
+    'Output column for RelationBelongsTo/RelationHasOne/RelationHasMany: the UUID of the FK field created (or found). For BelongsTo/HasOne this is on the source table; for HasMany this is on the target table. Populated by the trigger. NULL for RelationManyToMany. Callers should not set this directly.';
+
+COMMENT ON COLUMN metaschema_modules_public.relation_provision.out_junction_table_id IS
+    'Output column for RelationManyToMany: the UUID of the junction table created (or found). Populated by the trigger. NULL for RelationBelongsTo/RelationHasOne. Callers should not set this directly.';
+
+COMMENT ON COLUMN metaschema_modules_public.relation_provision.out_source_field_id IS
+    'Output column for RelationManyToMany: the UUID of the FK field on the junction table referencing the source table. Populated by the trigger. NULL for RelationBelongsTo/RelationHasOne. Callers should not set this directly.';
+
+COMMENT ON COLUMN metaschema_modules_public.relation_provision.out_target_field_id IS
+    'Output column for RelationManyToMany: the UUID of the FK field on the junction table referencing the target table. Populated by the trigger. NULL for RelationBelongsTo/RelationHasOne. Callers should not set this directly.';
+
+COMMENT ON CONSTRAINT db_fkey ON metaschema_modules_public.relation_provision IS E'@omit manyToMany';
+COMMENT ON CONSTRAINT source_table_fkey ON metaschema_modules_public.relation_provision IS E'@omit manyToMany';
+COMMENT ON CONSTRAINT target_table_fkey ON metaschema_modules_public.relation_provision IS E'@omit manyToMany';
+
+CREATE INDEX relation_provision_database_id_idx ON metaschema_modules_public.relation_provision ( database_id );
+CREATE INDEX relation_provision_relation_type_idx ON metaschema_modules_public.relation_provision ( relation_type );
+CREATE INDEX relation_provision_source_table_id_idx ON metaschema_modules_public.relation_provision ( source_table_id );
+CREATE INDEX relation_provision_target_table_id_idx ON metaschema_modules_public.relation_provision ( target_table_id );
+
+COMMIT;

package/deploy/schemas/metaschema_modules_public/tables/rls_module/table.sql

@@ -12,7 +12,8 @@ CREATE TABLE metaschema_modules_public.rls_module (
     api_id uuid NOT NULL DEFAULT uuid_nil(),
     schema_id uuid NOT NULL DEFAULT uuid_nil(),
     private_schema_id uuid NOT NULL DEFAULT uuid_nil(),
-    tokens_table_id uuid NOT NULL DEFAULT uuid_nil(),
+    session_credentials_table_id uuid NOT NULL DEFAULT uuid_nil(),
+    sessions_table_id uuid NOT NULL DEFAULT uuid_nil(),
     users_table_id uuid NOT NULL DEFAULT uuid_nil(),
 
     --
@@ -25,7 +26,8 @@ CREATE TABLE metaschema_modules_public.rls_module (
     --
     CONSTRAINT db_fkey FOREIGN KEY (database_id) REFERENCES metaschema_public.database (id) ON DELETE CASCADE,
     CONSTRAINT api_fkey FOREIGN KEY (api_id) REFERENCES services_public.apis (id) ON DELETE CASCADE,
-    CONSTRAINT tokens_table_fkey FOREIGN KEY (tokens_table_id) REFERENCES metaschema_public.table (id) ON DELETE CASCADE,
+    CONSTRAINT session_credentials_table_fkey FOREIGN KEY (session_credentials_table_id) REFERENCES metaschema_public.table (id) ON DELETE CASCADE,
+    CONSTRAINT sessions_table_fkey FOREIGN KEY (sessions_table_id) REFERENCES metaschema_public.table (id) ON DELETE CASCADE,
     CONSTRAINT users_table_fkey FOREIGN KEY (users_table_id) REFERENCES metaschema_public.table (id) ON DELETE CASCADE,
     CONSTRAINT schema_fkey FOREIGN KEY (schema_id) REFERENCES metaschema_public.schema (id) ON DELETE CASCADE,
     CONSTRAINT pschema_fkey FOREIGN KEY (private_schema_id) REFERENCES metaschema_public.schema (id) ON DELETE CASCADE,
@@ -39,7 +41,8 @@ COMMENT ON CONSTRAINT schema_fkey ON metaschema_modules_public.rls_module IS E'@
 COMMENT ON CONSTRAINT pschema_fkey ON metaschema_modules_public.rls_module IS E'@omit manyToMany';
 
 COMMENT ON CONSTRAINT db_fkey ON metaschema_modules_public.rls_module IS E'@omit';
-COMMENT ON CONSTRAINT tokens_table_fkey ON metaschema_modules_public.rls_module IS E'@omit';
+COMMENT ON CONSTRAINT session_credentials_table_fkey ON metaschema_modules_public.rls_module IS E'@omit';
+COMMENT ON CONSTRAINT sessions_table_fkey ON metaschema_modules_public.rls_module IS E'@omit';
 COMMENT ON CONSTRAINT users_table_fkey ON metaschema_modules_public.rls_module IS E'@omit';
 CREATE INDEX rls_module_database_id_idx ON metaschema_modules_public.rls_module ( database_id );
 

package/deploy/schemas/metaschema_modules_public/tables/secure_table_provision/table.sql

@@ -0,0 +1,109 @@
+-- Deploy schemas/metaschema_modules_public/tables/secure_table_provision/table to pg
+
+-- requires: schemas/metaschema_modules_public/schema
+
+BEGIN;
+
+CREATE TABLE metaschema_modules_public.secure_table_provision (
+    id uuid PRIMARY KEY DEFAULT uuid_generate_v4 (),
+
+    database_id uuid NOT NULL,
+
+    schema_id uuid NOT NULL DEFAULT uuid_nil(),
+
+    table_id uuid NOT NULL DEFAULT uuid_nil(),
+
+    table_name text DEFAULT NULL,
+
+    node_type text DEFAULT NULL,
+
+    use_rls boolean NOT NULL DEFAULT true,
+
+    node_data jsonb NOT NULL DEFAULT '{}',
+
+    grant_roles text[] NOT NULL DEFAULT ARRAY['authenticated'],
+
+    grant_privileges jsonb NOT NULL DEFAULT '[]',
+
+    policy_type text DEFAULT NULL,
+
+    policy_privileges text[] DEFAULT NULL,
+
+    policy_role text DEFAULT NULL,
+
+    policy_permissive boolean NOT NULL DEFAULT true,
+
+    policy_name text DEFAULT NULL,
+
+    policy_data jsonb NOT NULL DEFAULT '{}',
+
+    out_fields uuid[] DEFAULT NULL,
+
+    CONSTRAINT db_fkey FOREIGN KEY (database_id) REFERENCES metaschema_public.database (id) ON DELETE CASCADE,
+    CONSTRAINT table_fkey FOREIGN KEY (table_id) REFERENCES metaschema_public.table (id) ON DELETE CASCADE,
+    CONSTRAINT schema_fkey FOREIGN KEY (schema_id) REFERENCES metaschema_public.schema (id) ON DELETE CASCADE
+);
+
+COMMENT ON TABLE metaschema_modules_public.secure_table_provision IS
+    'Provisions security, fields, grants, and policies onto a table. Each row can independently: (1) create fields via node_type, (2) grant privileges via grant_privileges, (3) create RLS policies via policy_type. Multiple rows can target the same table to compose different concerns. All three concerns are optional and independent.';
+
+COMMENT ON COLUMN metaschema_modules_public.secure_table_provision.id IS
+    'Unique identifier for this provision row.';
+
+COMMENT ON COLUMN metaschema_modules_public.secure_table_provision.database_id IS
+    'The database this provision belongs to. Required.';
+
+COMMENT ON COLUMN metaschema_modules_public.secure_table_provision.schema_id IS
+    'Target schema for the table. Defaults to uuid_nil(); the trigger resolves this to the app_public schema if not explicitly provided.';
+
+COMMENT ON COLUMN metaschema_modules_public.secure_table_provision.table_id IS
+    'Target table to provision. Defaults to uuid_nil(); the trigger creates or resolves the table via table_name if not explicitly provided.';
+
+COMMENT ON COLUMN metaschema_modules_public.secure_table_provision.table_name IS
+    'Name of the target table. Used to create or look up the table when table_id is not provided. If omitted, it is backfilled from the resolved table.';
+
+COMMENT ON COLUMN metaschema_modules_public.secure_table_provision.node_type IS
+    'Which generator to invoke for field creation. One of: DataId, DataDirectOwner, DataEntityMembership, DataOwnershipInEntity, DataTimestamps, DataPeoplestamps, DataPublishable, DataSoftDelete. NULL means no field creation — the row only provisions grants and/or policies.';
+
+COMMENT ON COLUMN metaschema_modules_public.secure_table_provision.use_rls IS
+    'If true and Row Level Security is not yet enabled on the target table, enable it. Automatically set to true by the trigger when policy_type is provided. Defaults to true.';
+
+COMMENT ON COLUMN metaschema_modules_public.secure_table_provision.node_data IS
+    'Configuration passed to the generator function for field creation (only used when node_type is set). Known keys include: field_name (text, default ''id'') for DataId, owner_field_name (text, default ''owner_id'') for DataDirectOwner/DataOwnershipInEntity, entity_field_name (text, default ''entity_id'') for DataEntityMembership/DataOwnershipInEntity, include_id (boolean, default true) for most node_types, include_user_fk (boolean, default true) to add FK to users table. Defaults to ''{}''.';
+
+COMMENT ON COLUMN metaschema_modules_public.secure_table_provision.grant_roles IS
+    'Database roles to grant privileges to. Supports multiple roles, e.g. ARRAY[''authenticated'', ''admin'']. Each role receives all privileges defined in grant_privileges. Defaults to ARRAY[''authenticated''].';
+
+COMMENT ON COLUMN metaschema_modules_public.secure_table_provision.grant_privileges IS
+    'Array of [privilege, columns] tuples defining table grants. Examples: [["select","*"],["insert","*"]] for full access, or [["update",["name","bio"]]] for column-level grants. "*" means all columns; an array means column-level grant. Defaults to ''[]'' (no grants). The trigger validates this is a proper jsonb array.';
+
+COMMENT ON COLUMN metaschema_modules_public.secure_table_provision.policy_type IS
+    'Policy generator type, e.g. ''AuthzEntityMembership'', ''AuthzMembership'', ''AuthzAllowAll''. NULL means no policy is created. When set, the trigger automatically enables RLS on the target table.';
+
+COMMENT ON COLUMN metaschema_modules_public.secure_table_provision.policy_privileges IS
+    'Privileges the policy applies to, e.g. ARRAY[''select'',''update'']. NULL means privileges are derived from the grant_privileges verbs.';
+
+COMMENT ON COLUMN metaschema_modules_public.secure_table_provision.policy_role IS
+    'Role the policy targets. NULL means it falls back to the first role in grant_roles.';
+
+COMMENT ON COLUMN metaschema_modules_public.secure_table_provision.policy_permissive IS
+    'Whether the policy is PERMISSIVE (true) or RESTRICTIVE (false). Defaults to true.';
+
+COMMENT ON COLUMN metaschema_modules_public.secure_table_provision.policy_name IS
+    'Custom suffix for the generated policy name. When NULL and policy_type is set, the trigger auto-derives a suffix from policy_type by stripping the Authz prefix and underscoring the remainder (e.g. AuthzDirectOwner becomes direct_owner, producing policy names like auth_sel_direct_owner). When explicitly set, the value is passed through as-is to metaschema.create_policy name parameter. This ensures multiple policies on the same table do not collide (e.g. AuthzDirectOwner + AuthzPublishable each get unique names).';
+
+COMMENT ON COLUMN metaschema_modules_public.secure_table_provision.policy_data IS
+    'Opaque configuration passed through to metaschema.create_policy(). Structure varies by policy_type and is not interpreted by this trigger. Defaults to ''{}''.';
+
+COMMENT ON COLUMN metaschema_modules_public.secure_table_provision.out_fields IS
+    'Output column populated by the trigger after field creation. Contains the UUIDs of the metaschema fields created on the target table by this provision row''s generator. NULL when node_type is NULL or before the trigger runs. Callers should not set this directly.';
+
+COMMENT ON CONSTRAINT schema_fkey ON metaschema_modules_public.secure_table_provision IS E'@omit manyToMany';
+COMMENT ON CONSTRAINT table_fkey ON metaschema_modules_public.secure_table_provision IS E'@omit manyToMany';
+COMMENT ON CONSTRAINT db_fkey ON metaschema_modules_public.secure_table_provision IS E'@omit manyToMany';
+
+CREATE INDEX secure_table_provision_database_id_idx ON metaschema_modules_public.secure_table_provision ( database_id );
+CREATE INDEX secure_table_provision_table_id_idx ON metaschema_modules_public.secure_table_provision ( table_id );
+CREATE INDEX secure_table_provision_node_type_idx ON metaschema_modules_public.secure_table_provision ( node_type );
+
+COMMIT;

package/deploy/schemas/metaschema_modules_public/tables/table_module/table.sql

@@ -7,24 +7,27 @@ BEGIN;
 CREATE TABLE metaschema_modules_public.table_module (
     id uuid PRIMARY KEY DEFAULT uuid_generate_v4 (),
     database_id uuid NOT NULL,
-    
-    private_schema_id uuid NOT NULL DEFAULT uuid_nil(),
-    
-    table_id uuid NOT NULL,
+
+    schema_id uuid NOT NULL DEFAULT uuid_nil(),
+
+    table_id uuid NOT NULL DEFAULT uuid_nil(),
+
+    table_name text DEFAULT NULL,
 
     node_type text NOT NULL,
 
+    use_rls boolean NOT NULL DEFAULT true,
+
     data jsonb NOT NULL DEFAULT '{}',
 
     fields uuid[],
 
-    --
     CONSTRAINT db_fkey FOREIGN KEY (database_id) REFERENCES metaschema_public.database (id) ON DELETE CASCADE,
     CONSTRAINT table_fkey FOREIGN KEY (table_id) REFERENCES metaschema_public.table (id) ON DELETE CASCADE,
-    CONSTRAINT private_schema_fkey FOREIGN KEY (private_schema_id) REFERENCES metaschema_public.schema (id) ON DELETE CASCADE
+    CONSTRAINT schema_fkey FOREIGN KEY (schema_id) REFERENCES metaschema_public.schema (id) ON DELETE CASCADE
 );
 
-COMMENT ON CONSTRAINT private_schema_fkey ON metaschema_modules_public.table_module IS E'@omit manyToMany';
+COMMENT ON CONSTRAINT schema_fkey ON metaschema_modules_public.table_module IS E'@omit manyToMany';
 COMMENT ON CONSTRAINT table_fkey ON metaschema_modules_public.table_module IS E'@omit manyToMany';
 COMMENT ON CONSTRAINT db_fkey ON metaschema_modules_public.table_module IS E'@omit manyToMany';
 CREATE INDEX table_module_database_id_idx ON metaschema_modules_public.table_module ( database_id );

package/deploy/schemas/metaschema_modules_public/tables/table_template_module/table.sql

@@ -16,8 +16,13 @@ CREATE TABLE metaschema_modules_public.table_template_module (
 
     table_name text NOT NULL,
 
+    -- Node type from node_type_registry (e.g., 'TableUserProfiles', 'TableOrganizationSettings', 'TableUserSettings')
     node_type text NOT NULL,
 
+    -- Type-specific parameters as jsonb
+    -- TableUserProfiles: {} (uses default fields)
+    -- TableOrganizationSettings: {} (uses default fields)
+    -- TableUserSettings: {} (uses default fields)
     data jsonb NOT NULL DEFAULT '{}',
 
     --

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pgpm/metaschema-modules",
-  "version": "0.16.8",
+  "version": "0.18.0",
   "description": "Module metadata handling and dependency tracking",
   "author": "Dan Lynch <pyramation@gmail.com>",
   "contributors": [
@@ -21,12 +21,11 @@
     "test:watch": "jest --watch"
   },
   "dependencies": {
-    "@pgpm/metaschema-schema": "0.16.8",
-    "@pgpm/services": "0.16.8",
-    "@pgpm/verify": "0.16.0"
+    "@pgpm/metaschema-schema": "0.18.0",
+    "@pgpm/verify": "0.18.0"
   },
   "devDependencies": {
-    "pgpm": "^1.3.0"
+    "pgpm": "^4.2.3"
   },
   "repository": {
     "type": "git",
@@ -36,5 +35,5 @@
   "bugs": {
     "url": "https://github.com/constructive-io/pgpm-modules/issues"
   },
-  "gitHead": "a0718b6712d797acacfd51fbcdad8a6d577d8bbc"
+  "gitHead": "8144027c7fab4956bcdebd736d04c0d4f57344bc"
 }

package/pgpm.plan

@@ -32,3 +32,5 @@ schemas/metaschema_modules_public/tables/users_module/table [schemas/metaschema_
 schemas/metaschema_modules_public/tables/uuid_module/table [schemas/metaschema_modules_public/schema] 2017-08-11T08:11:51Z skitch <skitch@5b0c196eeb62> # add schemas/metaschema_modules_public/tables/uuid_module/table
 schemas/metaschema_modules_public/tables/hierarchy_module/table [schemas/metaschema_modules_public/schema] 2024-12-28T00:00:00Z skitch <skitch@5b0c196eeb62> # add schemas/metaschema_modules_public/tables/hierarchy_module/table
 schemas/metaschema_modules_public/tables/table_template_module/table [schemas/metaschema_modules_public/schema] 2026-01-14T00:00:00Z devin <devin@cognition.ai> # add schemas/metaschema_modules_public/tables/table_template_module/table
+schemas/metaschema_modules_public/tables/secure_table_provision/table [schemas/metaschema_modules_public/schema] 2026-02-25T00:00:00Z Constructive <developers@constructive.io> # add schemas/metaschema_modules_public/tables/secure_table_provision/table
+schemas/metaschema_modules_public/tables/relation_provision/table [schemas/metaschema_modules_public/schema] 2026-02-26T00:00:00Z Constructive <developers@constructive.io> # add schemas/metaschema_modules_public/tables/relation_provision/table

package/revert/schemas/metaschema_modules_public/tables/field_module/table.sql

@@ -2,6 +2,6 @@
 
 BEGIN;
 
-DROP TABLE metaschema_modules_public.field_module;
+DROP TABLE IF EXISTS metaschema_modules_public.field_module;
 
 COMMIT;

package/revert/schemas/metaschema_modules_public/tables/relation_provision/table.sql

@@ -0,0 +1,7 @@
+-- Revert schemas/metaschema_modules_public/tables/relation_provision/table from pg
+
+BEGIN;
+
+DROP TABLE IF EXISTS metaschema_modules_public.relation_provision;
+
+COMMIT;

package/revert/schemas/metaschema_modules_public/tables/secure_table_provision/table.sql

@@ -0,0 +1,7 @@
+-- Revert schemas/metaschema_modules_public/tables/secure_table_provision/table from pg
+
+BEGIN;
+
+DROP TABLE IF EXISTS metaschema_modules_public.secure_table_provision;
+
+COMMIT;