node-type-registry 0.11.0 → 0.14.0

package/README.md

@@ -83,14 +83,6 @@ cd graphql/node-type-registry && pnpm generate:types
 
 This produces `src/blueprint-types.generated.ts` from the TS node type source of truth.
 
-## Codegen: SQL seed
-
-Generate SQL seed scripts for `node_type_registry` table:
-
-```bash
-cd graphql/node-type-registry && pnpm generate:seed --pgpm ../../constructive-db/packages/metaschema
-```
-
 ---
 
 ## Education and Tutorials

package/authz/authz-not-read-only.d.ts

@@ -0,0 +1,2 @@
+import type { NodeTypeDefinition } from '../types';
+export declare const AuthzNotReadOnly: NodeTypeDefinition;

package/authz/authz-not-read-only.js

@@ -0,0 +1,34 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthzNotReadOnly = void 0;
+exports.AuthzNotReadOnly = {
+    "name": "AuthzNotReadOnly",
+    "slug": "authz_not_read_only",
+    "category": "authz",
+    "display_name": "Not Read-Only",
+    "description": "Restrictive policy that blocks read-only members from mutations. Checks actor_id + is_read_only IS NOT TRUE on the SPRT. Designed to run as a restrictive counterpart after a permissive AuthzEntityMembership policy has already verified membership.",
+    "parameter_schema": {
+        "type": "object",
+        "properties": {
+            "entity_field": {
+                "type": "string",
+                "description": "Column name referencing the entity (e.g., entity_id, org_id)"
+            },
+            "membership_type": {
+                "type": [
+                    "integer",
+                    "string"
+                ],
+                "description": "Scope: 2=org, 3+=dynamic entity types. Must be >= 2 (entity-scoped)."
+            }
+        },
+        "required": [
+            "entity_field"
+        ]
+    },
+    "tags": [
+        "membership",
+        "authz",
+        "restrictive"
+    ]
+};

package/authz/index.d.ts

@@ -11,5 +11,6 @@ export { AuthzRelatedMemberList } from './authz-related-member-list';
 export { AuthzAllowAll } from './authz-allow-all';
 export { AuthzDenyAll } from './authz-deny-all';
 export { AuthzComposite } from './authz-composite';
+export { AuthzNotReadOnly } from './authz-not-read-only';
 export { AuthzPeerOwnership } from './authz-peer-ownership';
 export { AuthzRelatedPeerOwnership } from './authz-related-peer-ownership';

package/authz/index.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.AuthzRelatedPeerOwnership = exports.AuthzPeerOwnership = exports.AuthzComposite = exports.AuthzDenyAll = exports.AuthzAllowAll = exports.AuthzRelatedMemberList = exports.AuthzMemberList = exports.AuthzPublishable = exports.AuthzTemporal = exports.AuthzOrgHierarchy = exports.AuthzRelatedEntityMembership = exports.AuthzEntityMembership = exports.AuthzMembership = exports.AuthzDirectOwnerAny = exports.AuthzDirectOwner = void 0;
+exports.AuthzRelatedPeerOwnership = exports.AuthzPeerOwnership = exports.AuthzNotReadOnly = exports.AuthzComposite = exports.AuthzDenyAll = exports.AuthzAllowAll = exports.AuthzRelatedMemberList = exports.AuthzMemberList = exports.AuthzPublishable = exports.AuthzTemporal = exports.AuthzOrgHierarchy = exports.AuthzRelatedEntityMembership = exports.AuthzEntityMembership = exports.AuthzMembership = exports.AuthzDirectOwnerAny = exports.AuthzDirectOwner = void 0;
 var authz_direct_owner_1 = require("./authz-direct-owner");
 Object.defineProperty(exports, "AuthzDirectOwner", { enumerable: true, get: function () { return authz_direct_owner_1.AuthzDirectOwner; } });
 var authz_direct_owner_any_1 = require("./authz-direct-owner-any");
@@ -27,6 +27,8 @@ var authz_deny_all_1 = require("./authz-deny-all");
 Object.defineProperty(exports, "AuthzDenyAll", { enumerable: true, get: function () { return authz_deny_all_1.AuthzDenyAll; } });
 var authz_composite_1 = require("./authz-composite");
 Object.defineProperty(exports, "AuthzComposite", { enumerable: true, get: function () { return authz_composite_1.AuthzComposite; } });
+var authz_not_read_only_1 = require("./authz-not-read-only");
+Object.defineProperty(exports, "AuthzNotReadOnly", { enumerable: true, get: function () { return authz_not_read_only_1.AuthzNotReadOnly; } });
 var authz_peer_ownership_1 = require("./authz-peer-ownership");
 Object.defineProperty(exports, "AuthzPeerOwnership", { enumerable: true, get: function () { return authz_peer_ownership_1.AuthzPeerOwnership; } });
 var authz_related_peer_ownership_1 = require("./authz-related-peer-ownership");

package/blueprint-types.generated.d.ts

@@ -247,7 +247,8 @@ export interface AuthzDirectOwnerAnyParams {
 }
 /** Membership check that verifies the user has membership (optionally with specific permission) without binding to any entity from the row. Uses EXISTS subquery against SPRT table. */
 export interface AuthzMembershipParams {
-    membership_type: number | string;
+    membership_type?: number | string;
+    entity_type?: string;
     permission?: string;
     permissions?: string[];
     is_admin?: boolean;
@@ -257,6 +258,7 @@ export interface AuthzMembershipParams {
 export interface AuthzEntityMembershipParams {
     entity_field: string;
     membership_type?: number | string;
+    entity_type?: string;
     permission?: string;
     permissions?: string[];
     is_admin?: boolean;
@@ -266,6 +268,7 @@ export interface AuthzEntityMembershipParams {
 export interface AuthzRelatedEntityMembershipParams {
     entity_field: string;
     membership_type?: number | string;
+    entity_type?: string;
     obj_table_id?: string;
     obj_schema?: string;
     obj_table?: string;
@@ -321,10 +324,16 @@ export interface AuthzCompositeParams {
         }[];
     };
 }
+/** Restrictive policy that blocks read-only members from mutations. Checks actor_id + is_read_only IS NOT TRUE on the SPRT. Designed to run as a restrictive counterpart after a permissive AuthzEntityMembership policy has already verified membership. */
+export interface AuthzNotReadOnlyParams {
+    entity_field: string;
+    membership_type?: number | string;
+}
 /** Peer visibility through shared entity membership. Authorizes access to user-owned rows when the owner and current user are both members of the same entity. Self-joins the SPRT table to find peers. */
 export interface AuthzPeerOwnershipParams {
     owner_field: string;
     membership_type?: number | string;
+    entity_type?: string;
     permission?: string;
     permissions?: string[];
     is_admin?: boolean;
@@ -334,6 +343,7 @@ export interface AuthzPeerOwnershipParams {
 export interface AuthzRelatedPeerOwnershipParams {
     entity_field: string;
     membership_type?: number | string;
+    entity_type?: string;
     obj_table_id?: string;
     obj_schema?: string;
     obj_table?: string;
@@ -391,6 +401,16 @@ export interface RelationManyToManyParams {
         [key: string]: unknown;
     };
 }
+/** Declares a spatial predicate between two existing geometry/geography columns. Inserts a metaschema_public.spatial_relation row; the sync_spatial_relation_tags trigger then projects a @spatialRelation smart tag onto the owner column so graphile-postgis' PostgisSpatialRelationsPlugin can expose it as a cross-table filter in GraphQL. Metadata-only: both source_field and target_field must already exist on their tables. Idempotent on (source_table_id, name). One direction per tag — author two RelationSpatial entries if symmetry is desired. */
+export interface RelationSpatialParams {
+    source_table_id: string;
+    source_field_id: string;
+    target_table_id: string;
+    target_field_id: string;
+    name: string;
+    operator: "st_contains" | "st_within" | "st_intersects" | "st_covers" | "st_coveredby" | "st_overlaps" | "st_touches" | "st_dwithin";
+    param_name?: string;
+}
 /** Simple column selection from a single source table. Projects all or specific fields. */
 export interface ViewTableProjectionParams {
     source_table_id: string;
@@ -452,7 +472,7 @@ export interface BlueprintField {
 /** An RLS policy entry for a blueprint table. Uses $type to match the blueprint JSON convention. */
 export interface BlueprintPolicy {
     /** Authz* policy type name (e.g., "AuthzDirectOwner", "AuthzAllowAll"). */
-    $type: "AuthzDirectOwner" | "AuthzDirectOwnerAny" | "AuthzMembership" | "AuthzEntityMembership" | "AuthzRelatedEntityMembership" | "AuthzOrgHierarchy" | "AuthzTemporal" | "AuthzPublishable" | "AuthzMemberList" | "AuthzRelatedMemberList" | "AuthzAllowAll" | "AuthzDenyAll" | "AuthzComposite" | "AuthzPeerOwnership" | "AuthzRelatedPeerOwnership";
+    $type: "AuthzDirectOwner" | "AuthzDirectOwnerAny" | "AuthzMembership" | "AuthzEntityMembership" | "AuthzRelatedEntityMembership" | "AuthzOrgHierarchy" | "AuthzTemporal" | "AuthzPublishable" | "AuthzMemberList" | "AuthzRelatedMemberList" | "AuthzAllowAll" | "AuthzDenyAll" | "AuthzComposite" | "AuthzNotReadOnly" | "AuthzPeerOwnership" | "AuthzRelatedPeerOwnership";
     /** Privileges this policy applies to (e.g., ["select"], ["insert", "update", "delete"]). */
     privileges?: string[];
     /** Whether this policy is permissive (true) or restrictive (false). Defaults to true. */
@@ -549,6 +569,21 @@ export interface BlueprintTableUniqueConstraint {
     /** Optional schema name override. */
     schema_name?: string;
 }
+/** Override object for the entity table created by a BlueprintMembershipType. Shape mirrors BlueprintTable / secure_table_provision vocabulary. When supplied, policies[] replaces the default entity-table policies entirely. */
+export interface BlueprintEntityTableProvision {
+    /** Whether to enable RLS on the entity table. Forwarded to secure_table_provision. Defaults to true. */
+    use_rls?: boolean;
+    /** Node objects applied to the entity table for field creation (e.g., DataTimestamps, DataPeoplestamps). Forwarded to secure_table_provision as-is. */
+    nodes?: BlueprintNode[];
+    /** Custom fields (columns) to add to the entity table. Forwarded to secure_table_provision as-is. */
+    fields?: BlueprintField[];
+    /** Privilege grants for the entity table as [verb, columns] tuples (e.g. [["select","*"],["insert","*"]]). Forwarded to secure_table_provision as-is. */
+    grant_privileges?: unknown[];
+    /** Database roles to grant privileges to. Forwarded to secure_table_provision as-is. Defaults to ["authenticated"]. */
+    grant_roles?: string[];
+    /** RLS policies for the entity table. When present, these policies fully replace the five default entity-table policies (is_visible becomes a no-op). */
+    policies?: BlueprintPolicy[];
+}
 /** A membership type entry for Phase 0 of construct_blueprint(). Provisions a full entity type with its own entity table, membership modules, and security policies via entity_type_provision. */
 export interface BlueprintMembershipType {
     /** Entity type name (e.g., "data_room", "channel", "department"). Must be unique per database. */
@@ -561,7 +596,7 @@ export interface BlueprintMembershipType {
     parent_entity?: string;
     /** Custom table name for the entity table. Defaults to name-derived convention. */
     table_name?: string;
-    /** Whether this entity type is visible in the API. Defaults to true. */
+    /** Whether parent-entity members can see child entities via the default parent_member SELECT policy. Gates one of the five default policies. No-op when table_provision is supplied. Defaults to true. */
     is_visible?: boolean;
     /** Whether to provision a limits module for this entity type. Defaults to false. */
     has_limits?: boolean;
@@ -569,11 +604,13 @@ export interface BlueprintMembershipType {
     has_profiles?: boolean;
     /** Whether to provision a levels module for this entity type. Defaults to false. */
     has_levels?: boolean;
-    /** Whether to skip creating default RLS policies on the entity table. Defaults to false. */
+    /** Escape hatch: when true AND table_provision is NULL, zero policies are provisioned on the entity table. Defaults to false. */
     skip_entity_policies?: boolean;
+    /** Override for the entity table. Shape mirrors BlueprintTable / secure_table_provision vocabulary. When supplied, its policies[] replaces the five default entity-table policies; is_visible becomes a no-op. When NULL (default), the five default policies are applied (gated by is_visible). */
+    table_provision?: BlueprintEntityTableProvision;
 }
 /** String shorthand -- just the node type name. */
-export type BlueprintNodeShorthand = "AuthzDirectOwner" | "AuthzDirectOwnerAny" | "AuthzMembership" | "AuthzEntityMembership" | "AuthzRelatedEntityMembership" | "AuthzOrgHierarchy" | "AuthzTemporal" | "AuthzPublishable" | "AuthzMemberList" | "AuthzRelatedMemberList" | "AuthzAllowAll" | "AuthzDenyAll" | "AuthzComposite" | "AuthzPeerOwnership" | "AuthzRelatedPeerOwnership" | "DataId" | "DataDirectOwner" | "DataEntityMembership" | "DataOwnershipInEntity" | "DataTimestamps" | "DataPeoplestamps" | "DataPublishable" | "DataSoftDelete" | "SearchVector" | "SearchFullText" | "SearchBm25" | "SearchUnified" | "SearchSpatial" | "SearchSpatialAggregate" | "DataJobTrigger" | "DataTags" | "DataStatusField" | "DataJsonb" | "SearchTrgm" | "DataSlug" | "DataInflection" | "DataOwnedFields" | "DataInheritFromParent" | "DataForceCurrentUser" | "DataImmutableFields" | "DataCompositeField" | "TableUserProfiles" | "TableOrganizationSettings" | "TableUserSettings";
+export type BlueprintNodeShorthand = "AuthzDirectOwner" | "AuthzDirectOwnerAny" | "AuthzMembership" | "AuthzEntityMembership" | "AuthzRelatedEntityMembership" | "AuthzOrgHierarchy" | "AuthzTemporal" | "AuthzPublishable" | "AuthzMemberList" | "AuthzRelatedMemberList" | "AuthzAllowAll" | "AuthzDenyAll" | "AuthzComposite" | "AuthzNotReadOnly" | "AuthzPeerOwnership" | "AuthzRelatedPeerOwnership" | "DataId" | "DataDirectOwner" | "DataEntityMembership" | "DataOwnershipInEntity" | "DataTimestamps" | "DataPeoplestamps" | "DataPublishable" | "DataSoftDelete" | "SearchVector" | "SearchFullText" | "SearchBm25" | "SearchUnified" | "SearchSpatial" | "SearchSpatialAggregate" | "DataJobTrigger" | "DataTags" | "DataStatusField" | "DataJsonb" | "SearchTrgm" | "DataSlug" | "DataInflection" | "DataOwnedFields" | "DataInheritFromParent" | "DataForceCurrentUser" | "DataImmutableFields" | "DataCompositeField" | "TableUserProfiles" | "TableOrganizationSettings" | "TableUserSettings";
 /** Object form -- { $type, data } with typed parameters. */
 export type BlueprintNodeObject = {
     $type: "AuthzDirectOwner";
@@ -614,6 +651,9 @@ export type BlueprintNodeObject = {
 } | {
     $type: "AuthzComposite";
     data: AuthzCompositeParams;
+} | {
+    $type: "AuthzNotReadOnly";
+    data: AuthzNotReadOnlyParams;
 } | {
     $type: "AuthzPeerOwnership";
     data: AuthzPeerOwnershipParams;
@@ -735,7 +775,13 @@ export type BlueprintRelation = {
     target_table: string;
     source_schema_name?: string;
     target_schema_name?: string;
-} & Partial<RelationManyToManyParams>;
+} & Partial<RelationManyToManyParams> | {
+    $type: "RelationSpatial";
+    source_table: string;
+    target_table: string;
+    source_schema_name?: string;
+    target_schema_name?: string;
+} & Partial<RelationSpatialParams>;
 /** A table definition within a blueprint. */
 export interface BlueprintTable {
     /** The PostgreSQL table name to create. */

package/codegen/generate-types.js

@@ -384,6 +384,16 @@ function buildBlueprintTableUniqueConstraint() {
         addJSDoc(optionalProp('schema_name', t.tsStringKeyword()), 'Optional schema name override.'),
     ]), 'A unique constraint nested inside a table definition (table_name not required).');
 }
+function buildBlueprintEntityTableProvision() {
+    return addJSDoc(exportInterface('BlueprintEntityTableProvision', [
+        addJSDoc(optionalProp('use_rls', t.tsBooleanKeyword()), 'Whether to enable RLS on the entity table. Forwarded to secure_table_provision. Defaults to true.'),
+        addJSDoc(optionalProp('nodes', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintNode')))), 'Node objects applied to the entity table for field creation (e.g., DataTimestamps, DataPeoplestamps). Forwarded to secure_table_provision as-is.'),
+        addJSDoc(optionalProp('fields', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintField')))), 'Custom fields (columns) to add to the entity table. Forwarded to secure_table_provision as-is.'),
+        addJSDoc(optionalProp('grant_privileges', t.tsArrayType(t.tsUnknownKeyword())), 'Privilege grants for the entity table as [verb, columns] tuples (e.g. [["select","*"],["insert","*"]]). Forwarded to secure_table_provision as-is.'),
+        addJSDoc(optionalProp('grant_roles', t.tsArrayType(t.tsStringKeyword())), 'Database roles to grant privileges to. Forwarded to secure_table_provision as-is. Defaults to ["authenticated"].'),
+        addJSDoc(optionalProp('policies', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintPolicy')))), 'RLS policies for the entity table. When present, these policies fully replace the five default entity-table policies (is_visible becomes a no-op).'),
+    ]), 'Override object for the entity table created by a BlueprintMembershipType. Shape mirrors BlueprintTable / secure_table_provision vocabulary. When supplied, policies[] replaces the default entity-table policies entirely.');
+}
 function buildBlueprintMembershipType() {
     return addJSDoc(exportInterface('BlueprintMembershipType', [
         addJSDoc(requiredProp('name', t.tsStringKeyword()), 'Entity type name (e.g., "data_room", "channel", "department"). Must be unique per database.'),
@@ -391,11 +401,12 @@ function buildBlueprintMembershipType() {
         addJSDoc(optionalProp('description', t.tsStringKeyword()), 'Human-readable description of this entity type.'),
         addJSDoc(optionalProp('parent_entity', t.tsStringKeyword()), 'Parent entity type name. Defaults to "org".'),
         addJSDoc(optionalProp('table_name', t.tsStringKeyword()), 'Custom table name for the entity table. Defaults to name-derived convention.'),
-        addJSDoc(optionalProp('is_visible', t.tsBooleanKeyword()), 'Whether this entity type is visible in the API. Defaults to true.'),
+        addJSDoc(optionalProp('is_visible', t.tsBooleanKeyword()), 'Whether parent-entity members can see child entities via the default parent_member SELECT policy. Gates one of the five default policies. No-op when table_provision is supplied. Defaults to true.'),
         addJSDoc(optionalProp('has_limits', t.tsBooleanKeyword()), 'Whether to provision a limits module for this entity type. Defaults to false.'),
         addJSDoc(optionalProp('has_profiles', t.tsBooleanKeyword()), 'Whether to provision a profiles module for this entity type. Defaults to false.'),
         addJSDoc(optionalProp('has_levels', t.tsBooleanKeyword()), 'Whether to provision a levels module for this entity type. Defaults to false.'),
-        addJSDoc(optionalProp('skip_entity_policies', t.tsBooleanKeyword()), 'Whether to skip creating default RLS policies on the entity table. Defaults to false.'),
+        addJSDoc(optionalProp('skip_entity_policies', t.tsBooleanKeyword()), 'Escape hatch: when true AND table_provision is NULL, zero policies are provisioned on the entity table. Defaults to false.'),
+        addJSDoc(optionalProp('table_provision', t.tsTypeReference(t.identifier('BlueprintEntityTableProvision'))), 'Override for the entity table. Shape mirrors BlueprintTable / secure_table_provision vocabulary. When supplied, its policies[] replaces the five default entity-table policies; is_visible becomes a no-op. When NULL (default), the five default policies are applied (gated by is_visible).'),
     ]), 'A membership type entry for Phase 0 of construct_blueprint(). Provisions a full entity type with its own entity table, membership modules, and security policies via entity_type_provision.');
 }
 function buildBlueprintTable() {
@@ -474,6 +485,7 @@ function buildProgram(meta) {
     statements.push(buildBlueprintTableIndex());
     statements.push(buildBlueprintUniqueConstraint());
     statements.push(buildBlueprintTableUniqueConstraint());
+    statements.push(buildBlueprintEntityTableProvision());
     statements.push(buildBlueprintMembershipType());
     // -- Node types discriminated union --
     statements.push(sectionComment('Node types -- discriminated union for nodes[] entries'));

package/esm/authz/authz-not-read-only.d.ts

@@ -0,0 +1,2 @@
+import type { NodeTypeDefinition } from '../types';
+export declare const AuthzNotReadOnly: NodeTypeDefinition;

package/esm/authz/authz-not-read-only.js

@@ -0,0 +1,31 @@
+export const AuthzNotReadOnly = {
+    "name": "AuthzNotReadOnly",
+    "slug": "authz_not_read_only",
+    "category": "authz",
+    "display_name": "Not Read-Only",
+    "description": "Restrictive policy that blocks read-only members from mutations. Checks actor_id + is_read_only IS NOT TRUE on the SPRT. Designed to run as a restrictive counterpart after a permissive AuthzEntityMembership policy has already verified membership.",
+    "parameter_schema": {
+        "type": "object",
+        "properties": {
+            "entity_field": {
+                "type": "string",
+                "description": "Column name referencing the entity (e.g., entity_id, org_id)"
+            },
+            "membership_type": {
+                "type": [
+                    "integer",
+                    "string"
+                ],
+                "description": "Scope: 2=org, 3+=dynamic entity types. Must be >= 2 (entity-scoped)."
+            }
+        },
+        "required": [
+            "entity_field"
+        ]
+    },
+    "tags": [
+        "membership",
+        "authz",
+        "restrictive"
+    ]
+};

package/esm/authz/index.d.ts

@@ -11,5 +11,6 @@ export { AuthzRelatedMemberList } from './authz-related-member-list';
 export { AuthzAllowAll } from './authz-allow-all';
 export { AuthzDenyAll } from './authz-deny-all';
 export { AuthzComposite } from './authz-composite';
+export { AuthzNotReadOnly } from './authz-not-read-only';
 export { AuthzPeerOwnership } from './authz-peer-ownership';
 export { AuthzRelatedPeerOwnership } from './authz-related-peer-ownership';

package/esm/authz/index.js

@@ -11,5 +11,6 @@ export { AuthzRelatedMemberList } from './authz-related-member-list';
 export { AuthzAllowAll } from './authz-allow-all';
 export { AuthzDenyAll } from './authz-deny-all';
 export { AuthzComposite } from './authz-composite';
+export { AuthzNotReadOnly } from './authz-not-read-only';
 export { AuthzPeerOwnership } from './authz-peer-ownership';
 export { AuthzRelatedPeerOwnership } from './authz-related-peer-ownership';

package/esm/blueprint-types.generated.d.ts

@@ -247,7 +247,8 @@ export interface AuthzDirectOwnerAnyParams {
 }
 /** Membership check that verifies the user has membership (optionally with specific permission) without binding to any entity from the row. Uses EXISTS subquery against SPRT table. */
 export interface AuthzMembershipParams {
-    membership_type: number | string;
+    membership_type?: number | string;
+    entity_type?: string;
     permission?: string;
     permissions?: string[];
     is_admin?: boolean;
@@ -257,6 +258,7 @@ export interface AuthzMembershipParams {
 export interface AuthzEntityMembershipParams {
     entity_field: string;
     membership_type?: number | string;
+    entity_type?: string;
     permission?: string;
     permissions?: string[];
     is_admin?: boolean;
@@ -266,6 +268,7 @@ export interface AuthzEntityMembershipParams {
 export interface AuthzRelatedEntityMembershipParams {
     entity_field: string;
     membership_type?: number | string;
+    entity_type?: string;
     obj_table_id?: string;
     obj_schema?: string;
     obj_table?: string;
@@ -321,10 +324,16 @@ export interface AuthzCompositeParams {
         }[];
     };
 }
+/** Restrictive policy that blocks read-only members from mutations. Checks actor_id + is_read_only IS NOT TRUE on the SPRT. Designed to run as a restrictive counterpart after a permissive AuthzEntityMembership policy has already verified membership. */
+export interface AuthzNotReadOnlyParams {
+    entity_field: string;
+    membership_type?: number | string;
+}
 /** Peer visibility through shared entity membership. Authorizes access to user-owned rows when the owner and current user are both members of the same entity. Self-joins the SPRT table to find peers. */
 export interface AuthzPeerOwnershipParams {
     owner_field: string;
     membership_type?: number | string;
+    entity_type?: string;
     permission?: string;
     permissions?: string[];
     is_admin?: boolean;
@@ -334,6 +343,7 @@ export interface AuthzPeerOwnershipParams {
 export interface AuthzRelatedPeerOwnershipParams {
     entity_field: string;
     membership_type?: number | string;
+    entity_type?: string;
     obj_table_id?: string;
     obj_schema?: string;
     obj_table?: string;
@@ -391,6 +401,16 @@ export interface RelationManyToManyParams {
         [key: string]: unknown;
     };
 }
+/** Declares a spatial predicate between two existing geometry/geography columns. Inserts a metaschema_public.spatial_relation row; the sync_spatial_relation_tags trigger then projects a @spatialRelation smart tag onto the owner column so graphile-postgis' PostgisSpatialRelationsPlugin can expose it as a cross-table filter in GraphQL. Metadata-only: both source_field and target_field must already exist on their tables. Idempotent on (source_table_id, name). One direction per tag — author two RelationSpatial entries if symmetry is desired. */
+export interface RelationSpatialParams {
+    source_table_id: string;
+    source_field_id: string;
+    target_table_id: string;
+    target_field_id: string;
+    name: string;
+    operator: "st_contains" | "st_within" | "st_intersects" | "st_covers" | "st_coveredby" | "st_overlaps" | "st_touches" | "st_dwithin";
+    param_name?: string;
+}
 /** Simple column selection from a single source table. Projects all or specific fields. */
 export interface ViewTableProjectionParams {
     source_table_id: string;
@@ -452,7 +472,7 @@ export interface BlueprintField {
 /** An RLS policy entry for a blueprint table. Uses $type to match the blueprint JSON convention. */
 export interface BlueprintPolicy {
     /** Authz* policy type name (e.g., "AuthzDirectOwner", "AuthzAllowAll"). */
-    $type: "AuthzDirectOwner" | "AuthzDirectOwnerAny" | "AuthzMembership" | "AuthzEntityMembership" | "AuthzRelatedEntityMembership" | "AuthzOrgHierarchy" | "AuthzTemporal" | "AuthzPublishable" | "AuthzMemberList" | "AuthzRelatedMemberList" | "AuthzAllowAll" | "AuthzDenyAll" | "AuthzComposite" | "AuthzPeerOwnership" | "AuthzRelatedPeerOwnership";
+    $type: "AuthzDirectOwner" | "AuthzDirectOwnerAny" | "AuthzMembership" | "AuthzEntityMembership" | "AuthzRelatedEntityMembership" | "AuthzOrgHierarchy" | "AuthzTemporal" | "AuthzPublishable" | "AuthzMemberList" | "AuthzRelatedMemberList" | "AuthzAllowAll" | "AuthzDenyAll" | "AuthzComposite" | "AuthzNotReadOnly" | "AuthzPeerOwnership" | "AuthzRelatedPeerOwnership";
     /** Privileges this policy applies to (e.g., ["select"], ["insert", "update", "delete"]). */
     privileges?: string[];
     /** Whether this policy is permissive (true) or restrictive (false). Defaults to true. */
@@ -549,6 +569,21 @@ export interface BlueprintTableUniqueConstraint {
     /** Optional schema name override. */
     schema_name?: string;
 }
+/** Override object for the entity table created by a BlueprintMembershipType. Shape mirrors BlueprintTable / secure_table_provision vocabulary. When supplied, policies[] replaces the default entity-table policies entirely. */
+export interface BlueprintEntityTableProvision {
+    /** Whether to enable RLS on the entity table. Forwarded to secure_table_provision. Defaults to true. */
+    use_rls?: boolean;
+    /** Node objects applied to the entity table for field creation (e.g., DataTimestamps, DataPeoplestamps). Forwarded to secure_table_provision as-is. */
+    nodes?: BlueprintNode[];
+    /** Custom fields (columns) to add to the entity table. Forwarded to secure_table_provision as-is. */
+    fields?: BlueprintField[];
+    /** Privilege grants for the entity table as [verb, columns] tuples (e.g. [["select","*"],["insert","*"]]). Forwarded to secure_table_provision as-is. */
+    grant_privileges?: unknown[];
+    /** Database roles to grant privileges to. Forwarded to secure_table_provision as-is. Defaults to ["authenticated"]. */
+    grant_roles?: string[];
+    /** RLS policies for the entity table. When present, these policies fully replace the five default entity-table policies (is_visible becomes a no-op). */
+    policies?: BlueprintPolicy[];
+}
 /** A membership type entry for Phase 0 of construct_blueprint(). Provisions a full entity type with its own entity table, membership modules, and security policies via entity_type_provision. */
 export interface BlueprintMembershipType {
     /** Entity type name (e.g., "data_room", "channel", "department"). Must be unique per database. */
@@ -561,7 +596,7 @@ export interface BlueprintMembershipType {
     parent_entity?: string;
     /** Custom table name for the entity table. Defaults to name-derived convention. */
     table_name?: string;
-    /** Whether this entity type is visible in the API. Defaults to true. */
+    /** Whether parent-entity members can see child entities via the default parent_member SELECT policy. Gates one of the five default policies. No-op when table_provision is supplied. Defaults to true. */
     is_visible?: boolean;
     /** Whether to provision a limits module for this entity type. Defaults to false. */
     has_limits?: boolean;
@@ -569,11 +604,13 @@ export interface BlueprintMembershipType {
     has_profiles?: boolean;
     /** Whether to provision a levels module for this entity type. Defaults to false. */
     has_levels?: boolean;
-    /** Whether to skip creating default RLS policies on the entity table. Defaults to false. */
+    /** Escape hatch: when true AND table_provision is NULL, zero policies are provisioned on the entity table. Defaults to false. */
     skip_entity_policies?: boolean;
+    /** Override for the entity table. Shape mirrors BlueprintTable / secure_table_provision vocabulary. When supplied, its policies[] replaces the five default entity-table policies; is_visible becomes a no-op. When NULL (default), the five default policies are applied (gated by is_visible). */
+    table_provision?: BlueprintEntityTableProvision;
 }
 /** String shorthand -- just the node type name. */
-export type BlueprintNodeShorthand = "AuthzDirectOwner" | "AuthzDirectOwnerAny" | "AuthzMembership" | "AuthzEntityMembership" | "AuthzRelatedEntityMembership" | "AuthzOrgHierarchy" | "AuthzTemporal" | "AuthzPublishable" | "AuthzMemberList" | "AuthzRelatedMemberList" | "AuthzAllowAll" | "AuthzDenyAll" | "AuthzComposite" | "AuthzPeerOwnership" | "AuthzRelatedPeerOwnership" | "DataId" | "DataDirectOwner" | "DataEntityMembership" | "DataOwnershipInEntity" | "DataTimestamps" | "DataPeoplestamps" | "DataPublishable" | "DataSoftDelete" | "SearchVector" | "SearchFullText" | "SearchBm25" | "SearchUnified" | "SearchSpatial" | "SearchSpatialAggregate" | "DataJobTrigger" | "DataTags" | "DataStatusField" | "DataJsonb" | "SearchTrgm" | "DataSlug" | "DataInflection" | "DataOwnedFields" | "DataInheritFromParent" | "DataForceCurrentUser" | "DataImmutableFields" | "DataCompositeField" | "TableUserProfiles" | "TableOrganizationSettings" | "TableUserSettings";
+export type BlueprintNodeShorthand = "AuthzDirectOwner" | "AuthzDirectOwnerAny" | "AuthzMembership" | "AuthzEntityMembership" | "AuthzRelatedEntityMembership" | "AuthzOrgHierarchy" | "AuthzTemporal" | "AuthzPublishable" | "AuthzMemberList" | "AuthzRelatedMemberList" | "AuthzAllowAll" | "AuthzDenyAll" | "AuthzComposite" | "AuthzNotReadOnly" | "AuthzPeerOwnership" | "AuthzRelatedPeerOwnership" | "DataId" | "DataDirectOwner" | "DataEntityMembership" | "DataOwnershipInEntity" | "DataTimestamps" | "DataPeoplestamps" | "DataPublishable" | "DataSoftDelete" | "SearchVector" | "SearchFullText" | "SearchBm25" | "SearchUnified" | "SearchSpatial" | "SearchSpatialAggregate" | "DataJobTrigger" | "DataTags" | "DataStatusField" | "DataJsonb" | "SearchTrgm" | "DataSlug" | "DataInflection" | "DataOwnedFields" | "DataInheritFromParent" | "DataForceCurrentUser" | "DataImmutableFields" | "DataCompositeField" | "TableUserProfiles" | "TableOrganizationSettings" | "TableUserSettings";
 /** Object form -- { $type, data } with typed parameters. */
 export type BlueprintNodeObject = {
     $type: "AuthzDirectOwner";
@@ -614,6 +651,9 @@ export type BlueprintNodeObject = {
 } | {
     $type: "AuthzComposite";
     data: AuthzCompositeParams;
+} | {
+    $type: "AuthzNotReadOnly";
+    data: AuthzNotReadOnlyParams;
 } | {
     $type: "AuthzPeerOwnership";
     data: AuthzPeerOwnershipParams;
@@ -735,7 +775,13 @@ export type BlueprintRelation = {
     target_table: string;
     source_schema_name?: string;
     target_schema_name?: string;
-} & Partial<RelationManyToManyParams>;
+} & Partial<RelationManyToManyParams> | {
+    $type: "RelationSpatial";
+    source_table: string;
+    target_table: string;
+    source_schema_name?: string;
+    target_schema_name?: string;
+} & Partial<RelationSpatialParams>;
 /** A table definition within a blueprint. */
 export interface BlueprintTable {
     /** The PostgreSQL table name to create. */

package/esm/codegen/generate-types.js

@@ -349,6 +349,16 @@ function buildBlueprintTableUniqueConstraint() {
         addJSDoc(optionalProp('schema_name', t.tsStringKeyword()), 'Optional schema name override.'),
     ]), 'A unique constraint nested inside a table definition (table_name not required).');
 }
+function buildBlueprintEntityTableProvision() {
+    return addJSDoc(exportInterface('BlueprintEntityTableProvision', [
+        addJSDoc(optionalProp('use_rls', t.tsBooleanKeyword()), 'Whether to enable RLS on the entity table. Forwarded to secure_table_provision. Defaults to true.'),
+        addJSDoc(optionalProp('nodes', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintNode')))), 'Node objects applied to the entity table for field creation (e.g., DataTimestamps, DataPeoplestamps). Forwarded to secure_table_provision as-is.'),
+        addJSDoc(optionalProp('fields', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintField')))), 'Custom fields (columns) to add to the entity table. Forwarded to secure_table_provision as-is.'),
+        addJSDoc(optionalProp('grant_privileges', t.tsArrayType(t.tsUnknownKeyword())), 'Privilege grants for the entity table as [verb, columns] tuples (e.g. [["select","*"],["insert","*"]]). Forwarded to secure_table_provision as-is.'),
+        addJSDoc(optionalProp('grant_roles', t.tsArrayType(t.tsStringKeyword())), 'Database roles to grant privileges to. Forwarded to secure_table_provision as-is. Defaults to ["authenticated"].'),
+        addJSDoc(optionalProp('policies', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintPolicy')))), 'RLS policies for the entity table. When present, these policies fully replace the five default entity-table policies (is_visible becomes a no-op).'),
+    ]), 'Override object for the entity table created by a BlueprintMembershipType. Shape mirrors BlueprintTable / secure_table_provision vocabulary. When supplied, policies[] replaces the default entity-table policies entirely.');
+}
 function buildBlueprintMembershipType() {
     return addJSDoc(exportInterface('BlueprintMembershipType', [
         addJSDoc(requiredProp('name', t.tsStringKeyword()), 'Entity type name (e.g., "data_room", "channel", "department"). Must be unique per database.'),
@@ -356,11 +366,12 @@ function buildBlueprintMembershipType() {
         addJSDoc(optionalProp('description', t.tsStringKeyword()), 'Human-readable description of this entity type.'),
         addJSDoc(optionalProp('parent_entity', t.tsStringKeyword()), 'Parent entity type name. Defaults to "org".'),
         addJSDoc(optionalProp('table_name', t.tsStringKeyword()), 'Custom table name for the entity table. Defaults to name-derived convention.'),
-        addJSDoc(optionalProp('is_visible', t.tsBooleanKeyword()), 'Whether this entity type is visible in the API. Defaults to true.'),
+        addJSDoc(optionalProp('is_visible', t.tsBooleanKeyword()), 'Whether parent-entity members can see child entities via the default parent_member SELECT policy. Gates one of the five default policies. No-op when table_provision is supplied. Defaults to true.'),
         addJSDoc(optionalProp('has_limits', t.tsBooleanKeyword()), 'Whether to provision a limits module for this entity type. Defaults to false.'),
         addJSDoc(optionalProp('has_profiles', t.tsBooleanKeyword()), 'Whether to provision a profiles module for this entity type. Defaults to false.'),
         addJSDoc(optionalProp('has_levels', t.tsBooleanKeyword()), 'Whether to provision a levels module for this entity type. Defaults to false.'),
-        addJSDoc(optionalProp('skip_entity_policies', t.tsBooleanKeyword()), 'Whether to skip creating default RLS policies on the entity table. Defaults to false.'),
+        addJSDoc(optionalProp('skip_entity_policies', t.tsBooleanKeyword()), 'Escape hatch: when true AND table_provision is NULL, zero policies are provisioned on the entity table. Defaults to false.'),
+        addJSDoc(optionalProp('table_provision', t.tsTypeReference(t.identifier('BlueprintEntityTableProvision'))), 'Override for the entity table. Shape mirrors BlueprintTable / secure_table_provision vocabulary. When supplied, its policies[] replaces the five default entity-table policies; is_visible becomes a no-op. When NULL (default), the five default policies are applied (gated by is_visible).'),
     ]), 'A membership type entry for Phase 0 of construct_blueprint(). Provisions a full entity type with its own entity table, membership modules, and security policies via entity_type_provision.');
 }
 function buildBlueprintTable() {
@@ -439,6 +450,7 @@ function buildProgram(meta) {
     statements.push(buildBlueprintTableIndex());
     statements.push(buildBlueprintUniqueConstraint());
     statements.push(buildBlueprintTableUniqueConstraint());
+    statements.push(buildBlueprintEntityTableProvision());
     statements.push(buildBlueprintMembershipType());
     // -- Node types discriminated union --
     statements.push(sectionComment('Node types -- discriminated union for nodes[] entries'));

package/esm/relation/index.d.ts

@@ -2,3 +2,4 @@ export { RelationBelongsTo } from './relation-belongs-to';
 export { RelationHasOne } from './relation-has-one';
 export { RelationHasMany } from './relation-has-many';
 export { RelationManyToMany } from './relation-many-to-many';
+export { RelationSpatial } from './relation-spatial';

package/esm/relation/index.js

@@ -2,3 +2,4 @@ export { RelationBelongsTo } from './relation-belongs-to';
 export { RelationHasOne } from './relation-has-one';
 export { RelationHasMany } from './relation-has-many';
 export { RelationManyToMany } from './relation-many-to-many';
+export { RelationSpatial } from './relation-spatial';

package/esm/relation/relation-spatial.d.ts

@@ -0,0 +1,2 @@
+import type { NodeTypeDefinition } from '../types';
+export declare const RelationSpatial: NodeTypeDefinition;

package/esm/relation/relation-spatial.js

@@ -0,0 +1,68 @@
+export const RelationSpatial = {
+    "name": "RelationSpatial",
+    "slug": "relation_spatial",
+    "category": "relation",
+    "display_name": "Spatial Relation",
+    "description": "Declares a spatial predicate between two existing geometry/geography columns. Inserts a metaschema_public.spatial_relation row; the sync_spatial_relation_tags trigger then projects a @spatialRelation smart tag onto the owner column so graphile-postgis' PostgisSpatialRelationsPlugin can expose it as a cross-table filter in GraphQL. Metadata-only: both source_field and target_field must already exist on their tables. Idempotent on (source_table_id, name). One direction per tag — author two RelationSpatial entries if symmetry is desired.",
+    "parameter_schema": {
+        "type": "object",
+        "properties": {
+            "source_table_id": {
+                "type": "string",
+                "format": "uuid",
+                "description": "Table that owns the relation (the @spatialRelation tag is emitted on the owner column of this table)"
+            },
+            "source_field_id": {
+                "type": "string",
+                "format": "uuid",
+                "description": "Geometry/geography column on source_table that carries the @spatialRelation smart tag"
+            },
+            "target_table_id": {
+                "type": "string",
+                "format": "uuid",
+                "description": "Table being referenced by the spatial predicate"
+            },
+            "target_field_id": {
+                "type": "string",
+                "format": "uuid",
+                "description": "Geometry/geography column on target_table that the predicate is evaluated against"
+            },
+            "name": {
+                "type": "string",
+                "description": "Relation name (stable, snake_case). Becomes the generated filter field name in GraphQL (e.g. nearby_clinic). Unique per (source_table_id, name) — idempotency key."
+            },
+            "operator": {
+                "type": "string",
+                "enum": [
+                    "st_contains",
+                    "st_within",
+                    "st_intersects",
+                    "st_covers",
+                    "st_coveredby",
+                    "st_overlaps",
+                    "st_touches",
+                    "st_dwithin"
+                ],
+                "description": "PostGIS spatial predicate. One of the 8 whitelisted operators. st_dwithin requires param_name."
+            },
+            "param_name": {
+                "type": "string",
+                "description": "Parameter name for parametric operators (currently only st_dwithin, which needs a distance argument). Must be NULL for all other operators. Enforced by table CHECK."
+            }
+        },
+        "required": [
+            "source_table_id",
+            "source_field_id",
+            "target_table_id",
+            "target_field_id",
+            "name",
+            "operator"
+        ]
+    },
+    "tags": [
+        "relation",
+        "spatial",
+        "postgis",
+        "schema"
+    ]
+};