node-type-registry 0.10.1 → 0.12.0

package/README.md

@@ -83,14 +83,6 @@ cd graphql/node-type-registry && pnpm generate:types
 
 This produces `src/blueprint-types.generated.ts` from the TS node type source of truth.
 
-## Codegen: SQL seed
-
-Generate SQL seed scripts for `node_type_registry` table:
-
-```bash
-cd graphql/node-type-registry && pnpm generate:seed --pgpm ../../constructive-db/packages/metaschema
-```
-
 ---
 
 ## Education and Tutorials

package/authz/authz-entity-membership.js

@@ -19,7 +19,11 @@ exports.AuthzEntityMembership = {
                     "integer",
                     "string"
                 ],
-                "description": "Scope: 1=app, 2=org, 3=group (or string name resolved via membership_types_module)"
+                "description": "Scope: 1=app, 2=org, 3+=dynamic entity types (or string name resolved via membership_types_module)"
+            },
+            "entity_type": {
+                "type": "string",
+                "description": "Entity type prefix (e.g. 'channel', 'department'). Resolved to membership_type integer via memberships_module lookup. Use instead of membership_type for readability."
             },
             "permission": {
                 "type": "string",

package/authz/authz-membership-check.js

@@ -15,7 +15,11 @@ exports.AuthzMembership = {
                     "integer",
                     "string"
                 ],
-                "description": "Scope: 1=app, 2=org, 3=group (or string name resolved via membership_types_module)"
+                "description": "Scope: 1=app, 2=org, 3+=dynamic entity types (or string name resolved via membership_types_module)"
+            },
+            "entity_type": {
+                "type": "string",
+                "description": "Entity type prefix (e.g. 'channel', 'department'). Resolved to membership_type integer via memberships_module lookup. Use instead of membership_type for readability."
             },
             "permission": {
                 "type": "string",
@@ -37,9 +41,7 @@ exports.AuthzMembership = {
                 "description": "If true, require is_owner flag"
             }
         },
-        "required": [
-            "membership_type"
-        ]
+        "required": []
     },
     "tags": [
         "membership",

package/authz/authz-not-read-only.d.ts

@@ -0,0 +1,2 @@
+import type { NodeTypeDefinition } from '../types';
+export declare const AuthzNotReadOnly: NodeTypeDefinition;

package/authz/authz-not-read-only.js

@@ -0,0 +1,34 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthzNotReadOnly = void 0;
+exports.AuthzNotReadOnly = {
+    "name": "AuthzNotReadOnly",
+    "slug": "authz_not_read_only",
+    "category": "authz",
+    "display_name": "Not Read-Only",
+    "description": "Restrictive policy that blocks read-only members from mutations. Checks actor_id + is_read_only IS NOT TRUE on the SPRT. Designed to run as a restrictive counterpart after a permissive AuthzEntityMembership policy has already verified membership.",
+    "parameter_schema": {
+        "type": "object",
+        "properties": {
+            "entity_field": {
+                "type": "string",
+                "description": "Column name referencing the entity (e.g., entity_id, org_id)"
+            },
+            "membership_type": {
+                "type": [
+                    "integer",
+                    "string"
+                ],
+                "description": "Scope: 2=org, 3+=dynamic entity types. Must be >= 2 (entity-scoped)."
+            }
+        },
+        "required": [
+            "entity_field"
+        ]
+    },
+    "tags": [
+        "membership",
+        "authz",
+        "restrictive"
+    ]
+};

package/authz/authz-peer-ownership.js

@@ -19,7 +19,11 @@ exports.AuthzPeerOwnership = {
                     "integer",
                     "string"
                 ],
-                "description": "Scope: 1=app, 2=org, 3=group (or string name resolved via membership_types_module)"
+                "description": "Scope: 1=app, 2=org, 3+=dynamic entity types (or string name resolved via membership_types_module)"
+            },
+            "entity_type": {
+                "type": "string",
+                "description": "Entity type prefix (e.g. 'channel', 'department'). Resolved to membership_type integer via memberships_module lookup. Use instead of membership_type for readability."
             },
             "permission": {
                 "type": "string",

package/authz/authz-related-entity-membership.js

@@ -19,7 +19,11 @@ exports.AuthzRelatedEntityMembership = {
                     "integer",
                     "string"
                 ],
-                "description": "Scope: 1=app, 2=org, 3=group (or string name resolved via membership_types_module)"
+                "description": "Scope: 1=app, 2=org, 3+=dynamic entity types (or string name resolved via membership_types_module)"
+            },
+            "entity_type": {
+                "type": "string",
+                "description": "Entity type prefix (e.g. 'channel', 'department'). Resolved to membership_type integer via memberships_module lookup. Use instead of membership_type for readability."
             },
             "obj_table_id": {
                 "type": "string",

package/authz/authz-related-peer-ownership.js

@@ -19,7 +19,11 @@ exports.AuthzRelatedPeerOwnership = {
                     "integer",
                     "string"
                 ],
-                "description": "Scope: 1=app, 2=org, 3=group (or string name resolved via membership_types_module)"
+                "description": "Scope: 1=app, 2=org, 3+=dynamic entity types (or string name resolved via membership_types_module)"
+            },
+            "entity_type": {
+                "type": "string",
+                "description": "Entity type prefix (e.g. 'channel', 'department'). Resolved to membership_type integer via memberships_module lookup. Use instead of membership_type for readability."
             },
             "obj_table_id": {
                 "type": "string",

package/authz/index.d.ts

@@ -11,5 +11,6 @@ export { AuthzRelatedMemberList } from './authz-related-member-list';
 export { AuthzAllowAll } from './authz-allow-all';
 export { AuthzDenyAll } from './authz-deny-all';
 export { AuthzComposite } from './authz-composite';
+export { AuthzNotReadOnly } from './authz-not-read-only';
 export { AuthzPeerOwnership } from './authz-peer-ownership';
 export { AuthzRelatedPeerOwnership } from './authz-related-peer-ownership';

package/authz/index.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.AuthzRelatedPeerOwnership = exports.AuthzPeerOwnership = exports.AuthzComposite = exports.AuthzDenyAll = exports.AuthzAllowAll = exports.AuthzRelatedMemberList = exports.AuthzMemberList = exports.AuthzPublishable = exports.AuthzTemporal = exports.AuthzOrgHierarchy = exports.AuthzRelatedEntityMembership = exports.AuthzEntityMembership = exports.AuthzMembership = exports.AuthzDirectOwnerAny = exports.AuthzDirectOwner = void 0;
+exports.AuthzRelatedPeerOwnership = exports.AuthzPeerOwnership = exports.AuthzNotReadOnly = exports.AuthzComposite = exports.AuthzDenyAll = exports.AuthzAllowAll = exports.AuthzRelatedMemberList = exports.AuthzMemberList = exports.AuthzPublishable = exports.AuthzTemporal = exports.AuthzOrgHierarchy = exports.AuthzRelatedEntityMembership = exports.AuthzEntityMembership = exports.AuthzMembership = exports.AuthzDirectOwnerAny = exports.AuthzDirectOwner = void 0;
 var authz_direct_owner_1 = require("./authz-direct-owner");
 Object.defineProperty(exports, "AuthzDirectOwner", { enumerable: true, get: function () { return authz_direct_owner_1.AuthzDirectOwner; } });
 var authz_direct_owner_any_1 = require("./authz-direct-owner-any");
@@ -27,6 +27,8 @@ var authz_deny_all_1 = require("./authz-deny-all");
 Object.defineProperty(exports, "AuthzDenyAll", { enumerable: true, get: function () { return authz_deny_all_1.AuthzDenyAll; } });
 var authz_composite_1 = require("./authz-composite");
 Object.defineProperty(exports, "AuthzComposite", { enumerable: true, get: function () { return authz_composite_1.AuthzComposite; } });
+var authz_not_read_only_1 = require("./authz-not-read-only");
+Object.defineProperty(exports, "AuthzNotReadOnly", { enumerable: true, get: function () { return authz_not_read_only_1.AuthzNotReadOnly; } });
 var authz_peer_ownership_1 = require("./authz-peer-ownership");
 Object.defineProperty(exports, "AuthzPeerOwnership", { enumerable: true, get: function () { return authz_peer_ownership_1.AuthzPeerOwnership; } });
 var authz_related_peer_ownership_1 = require("./authz-related-peer-ownership");

package/blueprint-types.generated.d.ts

@@ -247,7 +247,8 @@ export interface AuthzDirectOwnerAnyParams {
 }
 /** Membership check that verifies the user has membership (optionally with specific permission) without binding to any entity from the row. Uses EXISTS subquery against SPRT table. */
 export interface AuthzMembershipParams {
-    membership_type: number | string;
+    membership_type?: number | string;
+    entity_type?: string;
     permission?: string;
     permissions?: string[];
     is_admin?: boolean;
@@ -257,6 +258,7 @@ export interface AuthzMembershipParams {
 export interface AuthzEntityMembershipParams {
     entity_field: string;
     membership_type?: number | string;
+    entity_type?: string;
     permission?: string;
     permissions?: string[];
     is_admin?: boolean;
@@ -266,6 +268,7 @@ export interface AuthzEntityMembershipParams {
 export interface AuthzRelatedEntityMembershipParams {
     entity_field: string;
     membership_type?: number | string;
+    entity_type?: string;
     obj_table_id?: string;
     obj_schema?: string;
     obj_table?: string;
@@ -321,10 +324,16 @@ export interface AuthzCompositeParams {
         }[];
     };
 }
+/** Restrictive policy that blocks read-only members from mutations. Checks actor_id + is_read_only IS NOT TRUE on the SPRT. Designed to run as a restrictive counterpart after a permissive AuthzEntityMembership policy has already verified membership. */
+export interface AuthzNotReadOnlyParams {
+    entity_field: string;
+    membership_type?: number | string;
+}
 /** Peer visibility through shared entity membership. Authorizes access to user-owned rows when the owner and current user are both members of the same entity. Self-joins the SPRT table to find peers. */
 export interface AuthzPeerOwnershipParams {
     owner_field: string;
     membership_type?: number | string;
+    entity_type?: string;
     permission?: string;
     permissions?: string[];
     is_admin?: boolean;
@@ -334,6 +343,7 @@ export interface AuthzPeerOwnershipParams {
 export interface AuthzRelatedPeerOwnershipParams {
     entity_field: string;
     membership_type?: number | string;
+    entity_type?: string;
     obj_table_id?: string;
     obj_schema?: string;
     obj_table?: string;
@@ -452,7 +462,7 @@ export interface BlueprintField {
 /** An RLS policy entry for a blueprint table. Uses $type to match the blueprint JSON convention. */
 export interface BlueprintPolicy {
     /** Authz* policy type name (e.g., "AuthzDirectOwner", "AuthzAllowAll"). */
-    $type: "AuthzDirectOwner" | "AuthzDirectOwnerAny" | "AuthzMembership" | "AuthzEntityMembership" | "AuthzRelatedEntityMembership" | "AuthzOrgHierarchy" | "AuthzTemporal" | "AuthzPublishable" | "AuthzMemberList" | "AuthzRelatedMemberList" | "AuthzAllowAll" | "AuthzDenyAll" | "AuthzComposite" | "AuthzPeerOwnership" | "AuthzRelatedPeerOwnership";
+    $type: "AuthzDirectOwner" | "AuthzDirectOwnerAny" | "AuthzMembership" | "AuthzEntityMembership" | "AuthzRelatedEntityMembership" | "AuthzOrgHierarchy" | "AuthzTemporal" | "AuthzPublishable" | "AuthzMemberList" | "AuthzRelatedMemberList" | "AuthzAllowAll" | "AuthzDenyAll" | "AuthzComposite" | "AuthzNotReadOnly" | "AuthzPeerOwnership" | "AuthzRelatedPeerOwnership";
     /** Privileges this policy applies to (e.g., ["select"], ["insert", "update", "delete"]). */
     privileges?: string[];
     /** Whether this policy is permissive (true) or restrictive (false). Defaults to true. */
@@ -549,8 +559,31 @@ export interface BlueprintTableUniqueConstraint {
     /** Optional schema name override. */
     schema_name?: string;
 }
+/** A membership type entry for Phase 0 of construct_blueprint(). Provisions a full entity type with its own entity table, membership modules, and security policies via entity_type_provision. */
+export interface BlueprintMembershipType {
+    /** Entity type name (e.g., "data_room", "channel", "department"). Must be unique per database. */
+    name: string;
+    /** Short prefix for generated objects (e.g., "dr", "ch", "dept"). Used in table/trigger naming. */
+    prefix: string;
+    /** Human-readable description of this entity type. */
+    description?: string;
+    /** Parent entity type name. Defaults to "org". */
+    parent_entity?: string;
+    /** Custom table name for the entity table. Defaults to name-derived convention. */
+    table_name?: string;
+    /** Whether this entity type is visible in the API. Defaults to true. */
+    is_visible?: boolean;
+    /** Whether to provision a limits module for this entity type. Defaults to false. */
+    has_limits?: boolean;
+    /** Whether to provision a profiles module for this entity type. Defaults to false. */
+    has_profiles?: boolean;
+    /** Whether to provision a levels module for this entity type. Defaults to false. */
+    has_levels?: boolean;
+    /** Whether to skip creating default RLS policies on the entity table. Defaults to false. */
+    skip_entity_policies?: boolean;
+}
 /** String shorthand -- just the node type name. */
-export type BlueprintNodeShorthand = "AuthzDirectOwner" | "AuthzDirectOwnerAny" | "AuthzMembership" | "AuthzEntityMembership" | "AuthzRelatedEntityMembership" | "AuthzOrgHierarchy" | "AuthzTemporal" | "AuthzPublishable" | "AuthzMemberList" | "AuthzRelatedMemberList" | "AuthzAllowAll" | "AuthzDenyAll" | "AuthzComposite" | "AuthzPeerOwnership" | "AuthzRelatedPeerOwnership" | "DataId" | "DataDirectOwner" | "DataEntityMembership" | "DataOwnershipInEntity" | "DataTimestamps" | "DataPeoplestamps" | "DataPublishable" | "DataSoftDelete" | "SearchVector" | "SearchFullText" | "SearchBm25" | "SearchUnified" | "SearchSpatial" | "SearchSpatialAggregate" | "DataJobTrigger" | "DataTags" | "DataStatusField" | "DataJsonb" | "SearchTrgm" | "DataSlug" | "DataInflection" | "DataOwnedFields" | "DataInheritFromParent" | "DataForceCurrentUser" | "DataImmutableFields" | "DataCompositeField" | "TableUserProfiles" | "TableOrganizationSettings" | "TableUserSettings";
+export type BlueprintNodeShorthand = "AuthzDirectOwner" | "AuthzDirectOwnerAny" | "AuthzMembership" | "AuthzEntityMembership" | "AuthzRelatedEntityMembership" | "AuthzOrgHierarchy" | "AuthzTemporal" | "AuthzPublishable" | "AuthzMemberList" | "AuthzRelatedMemberList" | "AuthzAllowAll" | "AuthzDenyAll" | "AuthzComposite" | "AuthzNotReadOnly" | "AuthzPeerOwnership" | "AuthzRelatedPeerOwnership" | "DataId" | "DataDirectOwner" | "DataEntityMembership" | "DataOwnershipInEntity" | "DataTimestamps" | "DataPeoplestamps" | "DataPublishable" | "DataSoftDelete" | "SearchVector" | "SearchFullText" | "SearchBm25" | "SearchUnified" | "SearchSpatial" | "SearchSpatialAggregate" | "DataJobTrigger" | "DataTags" | "DataStatusField" | "DataJsonb" | "SearchTrgm" | "DataSlug" | "DataInflection" | "DataOwnedFields" | "DataInheritFromParent" | "DataForceCurrentUser" | "DataImmutableFields" | "DataCompositeField" | "TableUserProfiles" | "TableOrganizationSettings" | "TableUserSettings";
 /** Object form -- { $type, data } with typed parameters. */
 export type BlueprintNodeObject = {
     $type: "AuthzDirectOwner";
@@ -591,6 +624,9 @@ export type BlueprintNodeObject = {
 } | {
     $type: "AuthzComposite";
     data: AuthzCompositeParams;
+} | {
+    $type: "AuthzNotReadOnly";
+    data: AuthzNotReadOnlyParams;
 } | {
     $type: "AuthzPeerOwnership";
     data: AuthzPeerOwnershipParams;
@@ -750,4 +786,6 @@ export interface BlueprintDefinition {
     full_text_searches?: BlueprintFullTextSearch[];
     /** Unique constraints on table columns. */
     unique_constraints?: BlueprintUniqueConstraint[];
+    /** Entity types to provision in Phase 0 (before tables). Each entry creates an entity table with membership modules and security. */
+    membership_types?: BlueprintMembershipType[];
 }

package/codegen/generate-types.js

@@ -384,6 +384,20 @@ function buildBlueprintTableUniqueConstraint() {
         addJSDoc(optionalProp('schema_name', t.tsStringKeyword()), 'Optional schema name override.'),
     ]), 'A unique constraint nested inside a table definition (table_name not required).');
 }
+function buildBlueprintMembershipType() {
+    return addJSDoc(exportInterface('BlueprintMembershipType', [
+        addJSDoc(requiredProp('name', t.tsStringKeyword()), 'Entity type name (e.g., "data_room", "channel", "department"). Must be unique per database.'),
+        addJSDoc(requiredProp('prefix', t.tsStringKeyword()), 'Short prefix for generated objects (e.g., "dr", "ch", "dept"). Used in table/trigger naming.'),
+        addJSDoc(optionalProp('description', t.tsStringKeyword()), 'Human-readable description of this entity type.'),
+        addJSDoc(optionalProp('parent_entity', t.tsStringKeyword()), 'Parent entity type name. Defaults to "org".'),
+        addJSDoc(optionalProp('table_name', t.tsStringKeyword()), 'Custom table name for the entity table. Defaults to name-derived convention.'),
+        addJSDoc(optionalProp('is_visible', t.tsBooleanKeyword()), 'Whether this entity type is visible in the API. Defaults to true.'),
+        addJSDoc(optionalProp('has_limits', t.tsBooleanKeyword()), 'Whether to provision a limits module for this entity type. Defaults to false.'),
+        addJSDoc(optionalProp('has_profiles', t.tsBooleanKeyword()), 'Whether to provision a profiles module for this entity type. Defaults to false.'),
+        addJSDoc(optionalProp('has_levels', t.tsBooleanKeyword()), 'Whether to provision a levels module for this entity type. Defaults to false.'),
+        addJSDoc(optionalProp('skip_entity_policies', t.tsBooleanKeyword()), 'Whether to skip creating default RLS policies on the entity table. Defaults to false.'),
+    ]), 'A membership type entry for Phase 0 of construct_blueprint(). Provisions a full entity type with its own entity table, membership modules, and security policies via entity_type_provision.');
+}
 function buildBlueprintTable() {
     return addJSDoc(exportInterface('BlueprintTable', [
         addJSDoc(requiredProp('table_name', t.tsStringKeyword()), 'The PostgreSQL table name to create.'),
@@ -406,6 +420,7 @@ function buildBlueprintDefinition() {
         addJSDoc(optionalProp('indexes', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintIndex')))), 'Indexes on table columns.'),
         addJSDoc(optionalProp('full_text_searches', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintFullTextSearch')))), 'Full-text search configurations.'),
         addJSDoc(optionalProp('unique_constraints', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintUniqueConstraint')))), 'Unique constraints on table columns.'),
+        addJSDoc(optionalProp('membership_types', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintMembershipType')))), 'Entity types to provision in Phase 0 (before tables). Each entry creates an entity table with membership modules and security.'),
     ]), 'The complete blueprint definition -- the JSONB shape accepted by construct_blueprint().');
 }
 // ---------------------------------------------------------------------------
@@ -459,6 +474,7 @@ function buildProgram(meta) {
     statements.push(buildBlueprintTableIndex());
     statements.push(buildBlueprintUniqueConstraint());
     statements.push(buildBlueprintTableUniqueConstraint());
+    statements.push(buildBlueprintMembershipType());
     // -- Node types discriminated union --
     statements.push(sectionComment('Node types -- discriminated union for nodes[] entries'));
     statements.push(...buildNodeTypes(dataNodes));

package/esm/authz/authz-entity-membership.js

@@ -16,7 +16,11 @@ export const AuthzEntityMembership = {
                     "integer",
                     "string"
                 ],
-                "description": "Scope: 1=app, 2=org, 3=group (or string name resolved via membership_types_module)"
+                "description": "Scope: 1=app, 2=org, 3+=dynamic entity types (or string name resolved via membership_types_module)"
+            },
+            "entity_type": {
+                "type": "string",
+                "description": "Entity type prefix (e.g. 'channel', 'department'). Resolved to membership_type integer via memberships_module lookup. Use instead of membership_type for readability."
             },
             "permission": {
                 "type": "string",

package/esm/authz/authz-membership-check.js

@@ -12,7 +12,11 @@ export const AuthzMembership = {
                     "integer",
                     "string"
                 ],
-                "description": "Scope: 1=app, 2=org, 3=group (or string name resolved via membership_types_module)"
+                "description": "Scope: 1=app, 2=org, 3+=dynamic entity types (or string name resolved via membership_types_module)"
+            },
+            "entity_type": {
+                "type": "string",
+                "description": "Entity type prefix (e.g. 'channel', 'department'). Resolved to membership_type integer via memberships_module lookup. Use instead of membership_type for readability."
             },
             "permission": {
                 "type": "string",
@@ -34,9 +38,7 @@ export const AuthzMembership = {
                 "description": "If true, require is_owner flag"
             }
         },
-        "required": [
-            "membership_type"
-        ]
+        "required": []
     },
     "tags": [
         "membership",

package/esm/authz/authz-not-read-only.d.ts

@@ -0,0 +1,2 @@
+import type { NodeTypeDefinition } from '../types';
+export declare const AuthzNotReadOnly: NodeTypeDefinition;

package/esm/authz/authz-not-read-only.js

@@ -0,0 +1,31 @@
+export const AuthzNotReadOnly = {
+    "name": "AuthzNotReadOnly",
+    "slug": "authz_not_read_only",
+    "category": "authz",
+    "display_name": "Not Read-Only",
+    "description": "Restrictive policy that blocks read-only members from mutations. Checks actor_id + is_read_only IS NOT TRUE on the SPRT. Designed to run as a restrictive counterpart after a permissive AuthzEntityMembership policy has already verified membership.",
+    "parameter_schema": {
+        "type": "object",
+        "properties": {
+            "entity_field": {
+                "type": "string",
+                "description": "Column name referencing the entity (e.g., entity_id, org_id)"
+            },
+            "membership_type": {
+                "type": [
+                    "integer",
+                    "string"
+                ],
+                "description": "Scope: 2=org, 3+=dynamic entity types. Must be >= 2 (entity-scoped)."
+            }
+        },
+        "required": [
+            "entity_field"
+        ]
+    },
+    "tags": [
+        "membership",
+        "authz",
+        "restrictive"
+    ]
+};

package/esm/authz/authz-peer-ownership.js

@@ -16,7 +16,11 @@ export const AuthzPeerOwnership = {
                     "integer",
                     "string"
                 ],
-                "description": "Scope: 1=app, 2=org, 3=group (or string name resolved via membership_types_module)"
+                "description": "Scope: 1=app, 2=org, 3+=dynamic entity types (or string name resolved via membership_types_module)"
+            },
+            "entity_type": {
+                "type": "string",
+                "description": "Entity type prefix (e.g. 'channel', 'department'). Resolved to membership_type integer via memberships_module lookup. Use instead of membership_type for readability."
             },
             "permission": {
                 "type": "string",

package/esm/authz/authz-related-entity-membership.js

@@ -16,7 +16,11 @@ export const AuthzRelatedEntityMembership = {
                     "integer",
                     "string"
                 ],
-                "description": "Scope: 1=app, 2=org, 3=group (or string name resolved via membership_types_module)"
+                "description": "Scope: 1=app, 2=org, 3+=dynamic entity types (or string name resolved via membership_types_module)"
+            },
+            "entity_type": {
+                "type": "string",
+                "description": "Entity type prefix (e.g. 'channel', 'department'). Resolved to membership_type integer via memberships_module lookup. Use instead of membership_type for readability."
             },
             "obj_table_id": {
                 "type": "string",

package/esm/authz/authz-related-peer-ownership.js

@@ -16,7 +16,11 @@ export const AuthzRelatedPeerOwnership = {
                     "integer",
                     "string"
                 ],
-                "description": "Scope: 1=app, 2=org, 3=group (or string name resolved via membership_types_module)"
+                "description": "Scope: 1=app, 2=org, 3+=dynamic entity types (or string name resolved via membership_types_module)"
+            },
+            "entity_type": {
+                "type": "string",
+                "description": "Entity type prefix (e.g. 'channel', 'department'). Resolved to membership_type integer via memberships_module lookup. Use instead of membership_type for readability."
             },
             "obj_table_id": {
                 "type": "string",

package/esm/authz/index.d.ts

@@ -11,5 +11,6 @@ export { AuthzRelatedMemberList } from './authz-related-member-list';
 export { AuthzAllowAll } from './authz-allow-all';
 export { AuthzDenyAll } from './authz-deny-all';
 export { AuthzComposite } from './authz-composite';
+export { AuthzNotReadOnly } from './authz-not-read-only';
 export { AuthzPeerOwnership } from './authz-peer-ownership';
 export { AuthzRelatedPeerOwnership } from './authz-related-peer-ownership';

package/esm/authz/index.js

@@ -11,5 +11,6 @@ export { AuthzRelatedMemberList } from './authz-related-member-list';
 export { AuthzAllowAll } from './authz-allow-all';
 export { AuthzDenyAll } from './authz-deny-all';
 export { AuthzComposite } from './authz-composite';
+export { AuthzNotReadOnly } from './authz-not-read-only';
 export { AuthzPeerOwnership } from './authz-peer-ownership';
 export { AuthzRelatedPeerOwnership } from './authz-related-peer-ownership';

package/esm/blueprint-types.generated.d.ts

@@ -247,7 +247,8 @@ export interface AuthzDirectOwnerAnyParams {
 }
 /** Membership check that verifies the user has membership (optionally with specific permission) without binding to any entity from the row. Uses EXISTS subquery against SPRT table. */
 export interface AuthzMembershipParams {
-    membership_type: number | string;
+    membership_type?: number | string;
+    entity_type?: string;
     permission?: string;
     permissions?: string[];
     is_admin?: boolean;
@@ -257,6 +258,7 @@ export interface AuthzMembershipParams {
 export interface AuthzEntityMembershipParams {
     entity_field: string;
     membership_type?: number | string;
+    entity_type?: string;
     permission?: string;
     permissions?: string[];
     is_admin?: boolean;
@@ -266,6 +268,7 @@ export interface AuthzEntityMembershipParams {
 export interface AuthzRelatedEntityMembershipParams {
     entity_field: string;
     membership_type?: number | string;
+    entity_type?: string;
     obj_table_id?: string;
     obj_schema?: string;
     obj_table?: string;
@@ -321,10 +324,16 @@ export interface AuthzCompositeParams {
         }[];
     };
 }
+/** Restrictive policy that blocks read-only members from mutations. Checks actor_id + is_read_only IS NOT TRUE on the SPRT. Designed to run as a restrictive counterpart after a permissive AuthzEntityMembership policy has already verified membership. */
+export interface AuthzNotReadOnlyParams {
+    entity_field: string;
+    membership_type?: number | string;
+}
 /** Peer visibility through shared entity membership. Authorizes access to user-owned rows when the owner and current user are both members of the same entity. Self-joins the SPRT table to find peers. */
 export interface AuthzPeerOwnershipParams {
     owner_field: string;
     membership_type?: number | string;
+    entity_type?: string;
     permission?: string;
     permissions?: string[];
     is_admin?: boolean;
@@ -334,6 +343,7 @@ export interface AuthzPeerOwnershipParams {
 export interface AuthzRelatedPeerOwnershipParams {
     entity_field: string;
     membership_type?: number | string;
+    entity_type?: string;
     obj_table_id?: string;
     obj_schema?: string;
     obj_table?: string;
@@ -452,7 +462,7 @@ export interface BlueprintField {
 /** An RLS policy entry for a blueprint table. Uses $type to match the blueprint JSON convention. */
 export interface BlueprintPolicy {
     /** Authz* policy type name (e.g., "AuthzDirectOwner", "AuthzAllowAll"). */
-    $type: "AuthzDirectOwner" | "AuthzDirectOwnerAny" | "AuthzMembership" | "AuthzEntityMembership" | "AuthzRelatedEntityMembership" | "AuthzOrgHierarchy" | "AuthzTemporal" | "AuthzPublishable" | "AuthzMemberList" | "AuthzRelatedMemberList" | "AuthzAllowAll" | "AuthzDenyAll" | "AuthzComposite" | "AuthzPeerOwnership" | "AuthzRelatedPeerOwnership";
+    $type: "AuthzDirectOwner" | "AuthzDirectOwnerAny" | "AuthzMembership" | "AuthzEntityMembership" | "AuthzRelatedEntityMembership" | "AuthzOrgHierarchy" | "AuthzTemporal" | "AuthzPublishable" | "AuthzMemberList" | "AuthzRelatedMemberList" | "AuthzAllowAll" | "AuthzDenyAll" | "AuthzComposite" | "AuthzNotReadOnly" | "AuthzPeerOwnership" | "AuthzRelatedPeerOwnership";
     /** Privileges this policy applies to (e.g., ["select"], ["insert", "update", "delete"]). */
     privileges?: string[];
     /** Whether this policy is permissive (true) or restrictive (false). Defaults to true. */
@@ -549,8 +559,31 @@ export interface BlueprintTableUniqueConstraint {
     /** Optional schema name override. */
     schema_name?: string;
 }
+/** A membership type entry for Phase 0 of construct_blueprint(). Provisions a full entity type with its own entity table, membership modules, and security policies via entity_type_provision. */
+export interface BlueprintMembershipType {
+    /** Entity type name (e.g., "data_room", "channel", "department"). Must be unique per database. */
+    name: string;
+    /** Short prefix for generated objects (e.g., "dr", "ch", "dept"). Used in table/trigger naming. */
+    prefix: string;
+    /** Human-readable description of this entity type. */
+    description?: string;
+    /** Parent entity type name. Defaults to "org". */
+    parent_entity?: string;
+    /** Custom table name for the entity table. Defaults to name-derived convention. */
+    table_name?: string;
+    /** Whether this entity type is visible in the API. Defaults to true. */
+    is_visible?: boolean;
+    /** Whether to provision a limits module for this entity type. Defaults to false. */
+    has_limits?: boolean;
+    /** Whether to provision a profiles module for this entity type. Defaults to false. */
+    has_profiles?: boolean;
+    /** Whether to provision a levels module for this entity type. Defaults to false. */
+    has_levels?: boolean;
+    /** Whether to skip creating default RLS policies on the entity table. Defaults to false. */
+    skip_entity_policies?: boolean;
+}
 /** String shorthand -- just the node type name. */
-export type BlueprintNodeShorthand = "AuthzDirectOwner" | "AuthzDirectOwnerAny" | "AuthzMembership" | "AuthzEntityMembership" | "AuthzRelatedEntityMembership" | "AuthzOrgHierarchy" | "AuthzTemporal" | "AuthzPublishable" | "AuthzMemberList" | "AuthzRelatedMemberList" | "AuthzAllowAll" | "AuthzDenyAll" | "AuthzComposite" | "AuthzPeerOwnership" | "AuthzRelatedPeerOwnership" | "DataId" | "DataDirectOwner" | "DataEntityMembership" | "DataOwnershipInEntity" | "DataTimestamps" | "DataPeoplestamps" | "DataPublishable" | "DataSoftDelete" | "SearchVector" | "SearchFullText" | "SearchBm25" | "SearchUnified" | "SearchSpatial" | "SearchSpatialAggregate" | "DataJobTrigger" | "DataTags" | "DataStatusField" | "DataJsonb" | "SearchTrgm" | "DataSlug" | "DataInflection" | "DataOwnedFields" | "DataInheritFromParent" | "DataForceCurrentUser" | "DataImmutableFields" | "DataCompositeField" | "TableUserProfiles" | "TableOrganizationSettings" | "TableUserSettings";
+export type BlueprintNodeShorthand = "AuthzDirectOwner" | "AuthzDirectOwnerAny" | "AuthzMembership" | "AuthzEntityMembership" | "AuthzRelatedEntityMembership" | "AuthzOrgHierarchy" | "AuthzTemporal" | "AuthzPublishable" | "AuthzMemberList" | "AuthzRelatedMemberList" | "AuthzAllowAll" | "AuthzDenyAll" | "AuthzComposite" | "AuthzNotReadOnly" | "AuthzPeerOwnership" | "AuthzRelatedPeerOwnership" | "DataId" | "DataDirectOwner" | "DataEntityMembership" | "DataOwnershipInEntity" | "DataTimestamps" | "DataPeoplestamps" | "DataPublishable" | "DataSoftDelete" | "SearchVector" | "SearchFullText" | "SearchBm25" | "SearchUnified" | "SearchSpatial" | "SearchSpatialAggregate" | "DataJobTrigger" | "DataTags" | "DataStatusField" | "DataJsonb" | "SearchTrgm" | "DataSlug" | "DataInflection" | "DataOwnedFields" | "DataInheritFromParent" | "DataForceCurrentUser" | "DataImmutableFields" | "DataCompositeField" | "TableUserProfiles" | "TableOrganizationSettings" | "TableUserSettings";
 /** Object form -- { $type, data } with typed parameters. */
 export type BlueprintNodeObject = {
     $type: "AuthzDirectOwner";
@@ -591,6 +624,9 @@ export type BlueprintNodeObject = {
 } | {
     $type: "AuthzComposite";
     data: AuthzCompositeParams;
+} | {
+    $type: "AuthzNotReadOnly";
+    data: AuthzNotReadOnlyParams;
 } | {
     $type: "AuthzPeerOwnership";
     data: AuthzPeerOwnershipParams;
@@ -750,4 +786,6 @@ export interface BlueprintDefinition {
     full_text_searches?: BlueprintFullTextSearch[];
     /** Unique constraints on table columns. */
     unique_constraints?: BlueprintUniqueConstraint[];
+    /** Entity types to provision in Phase 0 (before tables). Each entry creates an entity table with membership modules and security. */
+    membership_types?: BlueprintMembershipType[];
 }

package/esm/codegen/generate-types.js

@@ -349,6 +349,20 @@ function buildBlueprintTableUniqueConstraint() {
         addJSDoc(optionalProp('schema_name', t.tsStringKeyword()), 'Optional schema name override.'),
     ]), 'A unique constraint nested inside a table definition (table_name not required).');
 }
+function buildBlueprintMembershipType() {
+    return addJSDoc(exportInterface('BlueprintMembershipType', [
+        addJSDoc(requiredProp('name', t.tsStringKeyword()), 'Entity type name (e.g., "data_room", "channel", "department"). Must be unique per database.'),
+        addJSDoc(requiredProp('prefix', t.tsStringKeyword()), 'Short prefix for generated objects (e.g., "dr", "ch", "dept"). Used in table/trigger naming.'),
+        addJSDoc(optionalProp('description', t.tsStringKeyword()), 'Human-readable description of this entity type.'),
+        addJSDoc(optionalProp('parent_entity', t.tsStringKeyword()), 'Parent entity type name. Defaults to "org".'),
+        addJSDoc(optionalProp('table_name', t.tsStringKeyword()), 'Custom table name for the entity table. Defaults to name-derived convention.'),
+        addJSDoc(optionalProp('is_visible', t.tsBooleanKeyword()), 'Whether this entity type is visible in the API. Defaults to true.'),
+        addJSDoc(optionalProp('has_limits', t.tsBooleanKeyword()), 'Whether to provision a limits module for this entity type. Defaults to false.'),
+        addJSDoc(optionalProp('has_profiles', t.tsBooleanKeyword()), 'Whether to provision a profiles module for this entity type. Defaults to false.'),
+        addJSDoc(optionalProp('has_levels', t.tsBooleanKeyword()), 'Whether to provision a levels module for this entity type. Defaults to false.'),
+        addJSDoc(optionalProp('skip_entity_policies', t.tsBooleanKeyword()), 'Whether to skip creating default RLS policies on the entity table. Defaults to false.'),
+    ]), 'A membership type entry for Phase 0 of construct_blueprint(). Provisions a full entity type with its own entity table, membership modules, and security policies via entity_type_provision.');
+}
 function buildBlueprintTable() {
     return addJSDoc(exportInterface('BlueprintTable', [
         addJSDoc(requiredProp('table_name', t.tsStringKeyword()), 'The PostgreSQL table name to create.'),
@@ -371,6 +385,7 @@ function buildBlueprintDefinition() {
         addJSDoc(optionalProp('indexes', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintIndex')))), 'Indexes on table columns.'),
         addJSDoc(optionalProp('full_text_searches', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintFullTextSearch')))), 'Full-text search configurations.'),
         addJSDoc(optionalProp('unique_constraints', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintUniqueConstraint')))), 'Unique constraints on table columns.'),
+        addJSDoc(optionalProp('membership_types', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintMembershipType')))), 'Entity types to provision in Phase 0 (before tables). Each entry creates an entity table with membership modules and security.'),
     ]), 'The complete blueprint definition -- the JSONB shape accepted by construct_blueprint().');
 }
 // ---------------------------------------------------------------------------
@@ -424,6 +439,7 @@ function buildProgram(meta) {
     statements.push(buildBlueprintTableIndex());
     statements.push(buildBlueprintUniqueConstraint());
     statements.push(buildBlueprintTableUniqueConstraint());
+    statements.push(buildBlueprintMembershipType());
     // -- Node types discriminated union --
     statements.push(sectionComment('Node types -- discriminated union for nodes[] entries'));
     statements.push(...buildNodeTypes(dataNodes));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "node-type-registry",
-  "version": "0.10.1",
+  "version": "0.12.0",
   "description": "Node type definitions for the Constructive blueprint system. Single source of truth for all Authz*, Data*, Relation*, and View* node types.",
   "author": "Constructive <developers@constructive.io>",
   "main": "index.js",
@@ -27,7 +27,6 @@
     "lint": "eslint . --fix",
     "test": "jest",
     "test:watch": "jest --watch",
-    "generate:seed": "ts-node src/codegen/generate-seed.ts",
     "generate:types": "ts-node src/codegen/generate-types.ts"
   },
   "dependencies": {
@@ -48,5 +47,5 @@
     "registry",
     "graphile"
   ],
-  "gitHead": "fe60f7b81252eea53dce227bb581d5ae2ef0ec36"
+  "gitHead": "0e97757923bc862adb144cfe8a34ec7ecf7aec8a"
 }

package/codegen/generate-seed.d.ts

@@ -1,32 +0,0 @@
-/**
- * Generate SQL seed scripts from TypeScript node type definitions.
- *
- * Uses pgsql-deparser to produce individual INSERT statements per node type,
- * suitable for use as separate pgpm migration files.
- *
- * Usage:
- *   npx ts-node src/codegen/generate-seed.ts [--outdir <dir>] [--single] [--pgpm <dir>]
- *
- *   --outdir <dir>   Directory to write individual SQL files (default: stdout)
- *   --single         Emit a single combined seed.sql instead of per-node files
- *   --pgpm <dir>     Generate deploy/revert/verify files in pgpm package layout.
- *                     <dir> is the pgpm package root (e.g. packages/metaschema).
- *                     Files are written relative to this root at:
- *                       deploy/schemas/metaschema_public/tables/node_type_registry/data/seed.sql
- *                       revert/schemas/metaschema_public/tables/node_type_registry/data/seed.sql
- *                       verify/schemas/metaschema_public/tables/node_type_registry/data/seed.sql
- *
- * Examples:
- *   # Print all INSERT statements to stdout
- *   npx ts-node src/codegen/generate-seed.ts
- *
- *   # Generate individual migration files
- *   npx ts-node src/codegen/generate-seed.ts --outdir ./deploy/seed
- *
- *   # Generate a single combined seed file
- *   npx ts-node src/codegen/generate-seed.ts --single --outdir ./deploy
- *
- *   # Generate pgpm deploy/revert/verify files
- *   npx ts-node src/codegen/generate-seed.ts --pgpm ../../constructive-db/packages/metaschema
- */
-export {};

package/codegen/generate-seed.js

@@ -1,252 +0,0 @@
-"use strict";
-/**
- * Generate SQL seed scripts from TypeScript node type definitions.
- *
- * Uses pgsql-deparser to produce individual INSERT statements per node type,
- * suitable for use as separate pgpm migration files.
- *
- * Usage:
- *   npx ts-node src/codegen/generate-seed.ts [--outdir <dir>] [--single] [--pgpm <dir>]
- *
- *   --outdir <dir>   Directory to write individual SQL files (default: stdout)
- *   --single         Emit a single combined seed.sql instead of per-node files
- *   --pgpm <dir>     Generate deploy/revert/verify files in pgpm package layout.
- *                     <dir> is the pgpm package root (e.g. packages/metaschema).
- *                     Files are written relative to this root at:
- *                       deploy/schemas/metaschema_public/tables/node_type_registry/data/seed.sql
- *                       revert/schemas/metaschema_public/tables/node_type_registry/data/seed.sql
- *                       verify/schemas/metaschema_public/tables/node_type_registry/data/seed.sql
- *
- * Examples:
- *   # Print all INSERT statements to stdout
- *   npx ts-node src/codegen/generate-seed.ts
- *
- *   # Generate individual migration files
- *   npx ts-node src/codegen/generate-seed.ts --outdir ./deploy/seed
- *
- *   # Generate a single combined seed file
- *   npx ts-node src/codegen/generate-seed.ts --single --outdir ./deploy
- *
- *   # Generate pgpm deploy/revert/verify files
- *   npx ts-node src/codegen/generate-seed.ts --pgpm ../../constructive-db/packages/metaschema
- */
-Object.defineProperty(exports, "__esModule", { value: true });
-const fs_1 = require("fs");
-const path_1 = require("path");
-const pgsql_deparser_1 = require("pgsql-deparser");
-const utils_1 = require("@pgsql/utils");
-const index_1 = require("../index");
-// ---------------------------------------------------------------------------
-// Constants
-// ---------------------------------------------------------------------------
-const MIGRATION_PATH = 'schemas/metaschema_public/tables/node_type_registry/data/seed';
-// ---------------------------------------------------------------------------
-// AST helpers
-// ---------------------------------------------------------------------------
-const astr = (val) => utils_1.nodes.aConst({ sval: utils_1.ast.string({ sval: val }) });
-const makeCast = (arg, typeName) => ({
-    TypeCast: {
-        arg,
-        typeName: {
-            names: [{ String: { sval: typeName } }],
-            typemod: -1,
-        },
-    },
-});
-const makeArrayExpr = (elements) => ({
-    A_ArrayExpr: { elements },
-});
-// ---------------------------------------------------------------------------
-// Build a single INSERT statement for one node type
-// ---------------------------------------------------------------------------
-function buildInsertStmt(nt) {
-    const cols = [
-        'name',
-        'slug',
-        'category',
-        'display_name',
-        'description',
-        'parameter_schema',
-        'tags',
-    ];
-    const vals = [
-        astr(nt.name),
-        astr(nt.slug),
-        astr(nt.category),
-        astr(nt.display_name),
-        astr(nt.description),
-        makeCast(astr(JSON.stringify(nt.parameter_schema)), 'jsonb'),
-        makeArrayExpr(nt.tags.map((t) => astr(t))),
-    ];
-    return {
-        RawStmt: {
-            stmt: {
-                InsertStmt: {
-                    relation: {
-                        schemaname: 'metaschema_public',
-                        relname: 'node_type_registry',
-                        inh: true,
-                        relpersistence: 'p',
-                    },
-                    cols: cols.map((name) => utils_1.nodes.resTarget({ name })),
-                    selectStmt: {
-                        SelectStmt: {
-                            valuesLists: [
-                                {
-                                    List: { items: vals },
-                                },
-                            ],
-                            op: 'SETOP_NONE',
-                            limitOption: 'LIMIT_OPTION_DEFAULT',
-                        },
-                    },
-                    onConflictClause: {
-                        action: 'ONCONFLICT_NOTHING',
-                        infer: {
-                            indexElems: [
-                                {
-                                    IndexElem: {
-                                        name: 'slug',
-                                        ordering: 'SORTBY_DEFAULT',
-                                        nulls_ordering: 'SORTBY_NULLS_DEFAULT',
-                                    },
-                                },
-                            ],
-                        },
-                    },
-                    override: 'OVERRIDING_NOT_SET',
-                },
-            },
-            stmt_len: 1,
-        },
-    };
-}
-// ---------------------------------------------------------------------------
-// pgpm file generators
-// ---------------------------------------------------------------------------
-const GENERATED_HEADER = [
-    '-- GENERATED FILE — DO NOT EDIT',
-    '--',
-    '-- Regenerate with:',
-    '--   cd graphql/node-type-registry && pnpm generate:seed --pgpm ../../constructive-db/packages/metaschema',
-    '--',
-    '',
-].join('\n');
-async function buildDeploySql() {
-    const header = [
-        `-- Deploy ${MIGRATION_PATH} to pg`,
-        '',
-        GENERATED_HEADER,
-        '-- requires: schemas/metaschema_public/tables/node_type_registry/table',
-        '',
-    ].join('\n');
-    const stmts = index_1.allNodeTypes.map(buildInsertStmt);
-    const body = await (0, pgsql_deparser_1.deparse)(stmts);
-    return header + body + '\n';
-}
-function buildRevertSql() {
-    const names = index_1.allNodeTypes.map((nt) => `    '${nt.name}'`);
-    // Wrap names at ~4 per line for readability
-    const chunks = [];
-    for (let i = 0; i < names.length; i += 4) {
-        chunks.push(names.slice(i, i + 4).join(', '));
-    }
-    return [
-        `-- Revert ${MIGRATION_PATH} from pg`,
-        '',
-        GENERATED_HEADER,
-        'DELETE FROM metaschema_public.node_type_registry',
-        'WHERE name IN (',
-        chunks.join(',\n'),
-        ');',
-        '',
-    ].join('\n');
-}
-function buildVerifySql() {
-    // Pick one representative from each category
-    const categories = new Map();
-    for (const nt of index_1.allNodeTypes) {
-        if (!categories.has(nt.category)) {
-            categories.set(nt.category, nt);
-        }
-    }
-    const checks = Array.from(categories.values()).map((nt) => `SELECT 1 FROM metaschema_public.node_type_registry WHERE name = '${nt.name}';`);
-    return [
-        `-- Verify ${MIGRATION_PATH} on pg`,
-        '',
-        GENERATED_HEADER,
-        ...checks,
-        '',
-    ].join('\n');
-}
-// ---------------------------------------------------------------------------
-// File writer helper
-// ---------------------------------------------------------------------------
-function writeFile(filePath, content) {
-    const dir = (0, path_1.join)(filePath, '..');
-    if (!(0, fs_1.existsSync)(dir))
-        (0, fs_1.mkdirSync)(dir, { recursive: true });
-    (0, fs_1.writeFileSync)(filePath, content);
-}
-// ---------------------------------------------------------------------------
-// CLI
-// ---------------------------------------------------------------------------
-async function main() {
-    const args = process.argv.slice(2);
-    const outdirIdx = args.indexOf('--outdir');
-    const outdir = outdirIdx !== -1 ? args[outdirIdx + 1] : undefined;
-    const single = args.includes('--single');
-    const pgpmIdx = args.indexOf('--pgpm');
-    const pgpmRoot = pgpmIdx !== -1 ? args[pgpmIdx + 1] : undefined;
-    // --pgpm mode: generate deploy/revert/verify in pgpm package layout
-    if (pgpmRoot) {
-        const relPath = 'schemas/metaschema_public/tables/node_type_registry/data/seed.sql';
-        const deployPath = (0, path_1.join)(pgpmRoot, 'deploy', relPath);
-        const revertPath = (0, path_1.join)(pgpmRoot, 'revert', relPath);
-        const verifyPath = (0, path_1.join)(pgpmRoot, 'verify', relPath);
-        writeFile(deployPath, await buildDeploySql());
-        writeFile(revertPath, buildRevertSql());
-        writeFile(verifyPath, buildVerifySql());
-        console.log(`Wrote ${index_1.allNodeTypes.length} node types to pgpm layout:`);
-        console.log(`  deploy: ${deployPath}`);
-        console.log(`  revert: ${revertPath}`);
-        console.log(`  verify: ${verifyPath}`);
-        return;
-    }
-    if (single) {
-        // Emit all INSERT statements as a single SQL string
-        const stmts = index_1.allNodeTypes.map(buildInsertStmt);
-        const sql = await (0, pgsql_deparser_1.deparse)(stmts);
-        if (outdir) {
-            if (!(0, fs_1.existsSync)(outdir))
-                (0, fs_1.mkdirSync)(outdir, { recursive: true });
-            (0, fs_1.writeFileSync)((0, path_1.join)(outdir, 'seed.sql'), sql + '\n');
-            console.log(`Wrote ${index_1.allNodeTypes.length} node types to ${(0, path_1.join)(outdir, 'seed.sql')}`);
-        }
-        else {
-            process.stdout.write(sql + '\n');
-        }
-        return;
-    }
-    // Emit individual SQL files per node type
-    const stmts = await Promise.all(index_1.allNodeTypes.map(async (nt) => ({
-        nt,
-        sql: await (0, pgsql_deparser_1.deparse)([buildInsertStmt(nt)]),
-    })));
-    if (outdir) {
-        if (!(0, fs_1.existsSync)(outdir))
-            (0, fs_1.mkdirSync)(outdir, { recursive: true });
-        for (const { nt, sql } of stmts) {
-            const filename = `${nt.slug}.sql`;
-            (0, fs_1.writeFileSync)((0, path_1.join)(outdir, filename), sql + '\n');
-        }
-        console.log(`Wrote ${stmts.length} individual migration files to ${outdir}/`);
-    }
-    else {
-        for (const { nt, sql } of stmts) {
-            console.log(`-- ${nt.name} (${nt.slug})`);
-            console.log(sql + ';\n');
-        }
-    }
-}
-main();

package/esm/codegen/generate-seed.d.ts

@@ -1,32 +0,0 @@
-/**
- * Generate SQL seed scripts from TypeScript node type definitions.
- *
- * Uses pgsql-deparser to produce individual INSERT statements per node type,
- * suitable for use as separate pgpm migration files.
- *
- * Usage:
- *   npx ts-node src/codegen/generate-seed.ts [--outdir <dir>] [--single] [--pgpm <dir>]
- *
- *   --outdir <dir>   Directory to write individual SQL files (default: stdout)
- *   --single         Emit a single combined seed.sql instead of per-node files
- *   --pgpm <dir>     Generate deploy/revert/verify files in pgpm package layout.
- *                     <dir> is the pgpm package root (e.g. packages/metaschema).
- *                     Files are written relative to this root at:
- *                       deploy/schemas/metaschema_public/tables/node_type_registry/data/seed.sql
- *                       revert/schemas/metaschema_public/tables/node_type_registry/data/seed.sql
- *                       verify/schemas/metaschema_public/tables/node_type_registry/data/seed.sql
- *
- * Examples:
- *   # Print all INSERT statements to stdout
- *   npx ts-node src/codegen/generate-seed.ts
- *
- *   # Generate individual migration files
- *   npx ts-node src/codegen/generate-seed.ts --outdir ./deploy/seed
- *
- *   # Generate a single combined seed file
- *   npx ts-node src/codegen/generate-seed.ts --single --outdir ./deploy
- *
- *   # Generate pgpm deploy/revert/verify files
- *   npx ts-node src/codegen/generate-seed.ts --pgpm ../../constructive-db/packages/metaschema
- */
-export {};

package/esm/codegen/generate-seed.js

@@ -1,250 +0,0 @@
-/**
- * Generate SQL seed scripts from TypeScript node type definitions.
- *
- * Uses pgsql-deparser to produce individual INSERT statements per node type,
- * suitable for use as separate pgpm migration files.
- *
- * Usage:
- *   npx ts-node src/codegen/generate-seed.ts [--outdir <dir>] [--single] [--pgpm <dir>]
- *
- *   --outdir <dir>   Directory to write individual SQL files (default: stdout)
- *   --single         Emit a single combined seed.sql instead of per-node files
- *   --pgpm <dir>     Generate deploy/revert/verify files in pgpm package layout.
- *                     <dir> is the pgpm package root (e.g. packages/metaschema).
- *                     Files are written relative to this root at:
- *                       deploy/schemas/metaschema_public/tables/node_type_registry/data/seed.sql
- *                       revert/schemas/metaschema_public/tables/node_type_registry/data/seed.sql
- *                       verify/schemas/metaschema_public/tables/node_type_registry/data/seed.sql
- *
- * Examples:
- *   # Print all INSERT statements to stdout
- *   npx ts-node src/codegen/generate-seed.ts
- *
- *   # Generate individual migration files
- *   npx ts-node src/codegen/generate-seed.ts --outdir ./deploy/seed
- *
- *   # Generate a single combined seed file
- *   npx ts-node src/codegen/generate-seed.ts --single --outdir ./deploy
- *
- *   # Generate pgpm deploy/revert/verify files
- *   npx ts-node src/codegen/generate-seed.ts --pgpm ../../constructive-db/packages/metaschema
- */
-import { writeFileSync, mkdirSync, existsSync } from 'fs';
-import { join } from 'path';
-import { deparse } from 'pgsql-deparser';
-import { ast, nodes } from '@pgsql/utils';
-import { allNodeTypes } from '../index';
-// ---------------------------------------------------------------------------
-// Constants
-// ---------------------------------------------------------------------------
-const MIGRATION_PATH = 'schemas/metaschema_public/tables/node_type_registry/data/seed';
-// ---------------------------------------------------------------------------
-// AST helpers
-// ---------------------------------------------------------------------------
-const astr = (val) => nodes.aConst({ sval: ast.string({ sval: val }) });
-const makeCast = (arg, typeName) => ({
-    TypeCast: {
-        arg,
-        typeName: {
-            names: [{ String: { sval: typeName } }],
-            typemod: -1,
-        },
-    },
-});
-const makeArrayExpr = (elements) => ({
-    A_ArrayExpr: { elements },
-});
-// ---------------------------------------------------------------------------
-// Build a single INSERT statement for one node type
-// ---------------------------------------------------------------------------
-function buildInsertStmt(nt) {
-    const cols = [
-        'name',
-        'slug',
-        'category',
-        'display_name',
-        'description',
-        'parameter_schema',
-        'tags',
-    ];
-    const vals = [
-        astr(nt.name),
-        astr(nt.slug),
-        astr(nt.category),
-        astr(nt.display_name),
-        astr(nt.description),
-        makeCast(astr(JSON.stringify(nt.parameter_schema)), 'jsonb'),
-        makeArrayExpr(nt.tags.map((t) => astr(t))),
-    ];
-    return {
-        RawStmt: {
-            stmt: {
-                InsertStmt: {
-                    relation: {
-                        schemaname: 'metaschema_public',
-                        relname: 'node_type_registry',
-                        inh: true,
-                        relpersistence: 'p',
-                    },
-                    cols: cols.map((name) => nodes.resTarget({ name })),
-                    selectStmt: {
-                        SelectStmt: {
-                            valuesLists: [
-                                {
-                                    List: { items: vals },
-                                },
-                            ],
-                            op: 'SETOP_NONE',
-                            limitOption: 'LIMIT_OPTION_DEFAULT',
-                        },
-                    },
-                    onConflictClause: {
-                        action: 'ONCONFLICT_NOTHING',
-                        infer: {
-                            indexElems: [
-                                {
-                                    IndexElem: {
-                                        name: 'slug',
-                                        ordering: 'SORTBY_DEFAULT',
-                                        nulls_ordering: 'SORTBY_NULLS_DEFAULT',
-                                    },
-                                },
-                            ],
-                        },
-                    },
-                    override: 'OVERRIDING_NOT_SET',
-                },
-            },
-            stmt_len: 1,
-        },
-    };
-}
-// ---------------------------------------------------------------------------
-// pgpm file generators
-// ---------------------------------------------------------------------------
-const GENERATED_HEADER = [
-    '-- GENERATED FILE — DO NOT EDIT',
-    '--',
-    '-- Regenerate with:',
-    '--   cd graphql/node-type-registry && pnpm generate:seed --pgpm ../../constructive-db/packages/metaschema',
-    '--',
-    '',
-].join('\n');
-async function buildDeploySql() {
-    const header = [
-        `-- Deploy ${MIGRATION_PATH} to pg`,
-        '',
-        GENERATED_HEADER,
-        '-- requires: schemas/metaschema_public/tables/node_type_registry/table',
-        '',
-    ].join('\n');
-    const stmts = allNodeTypes.map(buildInsertStmt);
-    const body = await deparse(stmts);
-    return header + body + '\n';
-}
-function buildRevertSql() {
-    const names = allNodeTypes.map((nt) => `    '${nt.name}'`);
-    // Wrap names at ~4 per line for readability
-    const chunks = [];
-    for (let i = 0; i < names.length; i += 4) {
-        chunks.push(names.slice(i, i + 4).join(', '));
-    }
-    return [
-        `-- Revert ${MIGRATION_PATH} from pg`,
-        '',
-        GENERATED_HEADER,
-        'DELETE FROM metaschema_public.node_type_registry',
-        'WHERE name IN (',
-        chunks.join(',\n'),
-        ');',
-        '',
-    ].join('\n');
-}
-function buildVerifySql() {
-    // Pick one representative from each category
-    const categories = new Map();
-    for (const nt of allNodeTypes) {
-        if (!categories.has(nt.category)) {
-            categories.set(nt.category, nt);
-        }
-    }
-    const checks = Array.from(categories.values()).map((nt) => `SELECT 1 FROM metaschema_public.node_type_registry WHERE name = '${nt.name}';`);
-    return [
-        `-- Verify ${MIGRATION_PATH} on pg`,
-        '',
-        GENERATED_HEADER,
-        ...checks,
-        '',
-    ].join('\n');
-}
-// ---------------------------------------------------------------------------
-// File writer helper
-// ---------------------------------------------------------------------------
-function writeFile(filePath, content) {
-    const dir = join(filePath, '..');
-    if (!existsSync(dir))
-        mkdirSync(dir, { recursive: true });
-    writeFileSync(filePath, content);
-}
-// ---------------------------------------------------------------------------
-// CLI
-// ---------------------------------------------------------------------------
-async function main() {
-    const args = process.argv.slice(2);
-    const outdirIdx = args.indexOf('--outdir');
-    const outdir = outdirIdx !== -1 ? args[outdirIdx + 1] : undefined;
-    const single = args.includes('--single');
-    const pgpmIdx = args.indexOf('--pgpm');
-    const pgpmRoot = pgpmIdx !== -1 ? args[pgpmIdx + 1] : undefined;
-    // --pgpm mode: generate deploy/revert/verify in pgpm package layout
-    if (pgpmRoot) {
-        const relPath = 'schemas/metaschema_public/tables/node_type_registry/data/seed.sql';
-        const deployPath = join(pgpmRoot, 'deploy', relPath);
-        const revertPath = join(pgpmRoot, 'revert', relPath);
-        const verifyPath = join(pgpmRoot, 'verify', relPath);
-        writeFile(deployPath, await buildDeploySql());
-        writeFile(revertPath, buildRevertSql());
-        writeFile(verifyPath, buildVerifySql());
-        console.log(`Wrote ${allNodeTypes.length} node types to pgpm layout:`);
-        console.log(`  deploy: ${deployPath}`);
-        console.log(`  revert: ${revertPath}`);
-        console.log(`  verify: ${verifyPath}`);
-        return;
-    }
-    if (single) {
-        // Emit all INSERT statements as a single SQL string
-        const stmts = allNodeTypes.map(buildInsertStmt);
-        const sql = await deparse(stmts);
-        if (outdir) {
-            if (!existsSync(outdir))
-                mkdirSync(outdir, { recursive: true });
-            writeFileSync(join(outdir, 'seed.sql'), sql + '\n');
-            console.log(`Wrote ${allNodeTypes.length} node types to ${join(outdir, 'seed.sql')}`);
-        }
-        else {
-            process.stdout.write(sql + '\n');
-        }
-        return;
-    }
-    // Emit individual SQL files per node type
-    const stmts = await Promise.all(allNodeTypes.map(async (nt) => ({
-        nt,
-        sql: await deparse([buildInsertStmt(nt)]),
-    })));
-    if (outdir) {
-        if (!existsSync(outdir))
-            mkdirSync(outdir, { recursive: true });
-        for (const { nt, sql } of stmts) {
-            const filename = `${nt.slug}.sql`;
-            writeFileSync(join(outdir, filename), sql + '\n');
-        }
-        console.log(`Wrote ${stmts.length} individual migration files to ${outdir}/`);
-    }
-    else {
-        for (const { nt, sql } of stmts) {
-            console.log(`-- ${nt.name} (${nt.slug})`);
-            console.log(sql + ';\n');
-        }
-    }
-}
-main();