node-type-registry 0.16.0 → 0.17.1

package/module-presets/auth-passkey.d.ts

@@ -0,0 +1,14 @@
+import type { ModulePreset } from './types';
+/**
+ * `auth:passkey` — `auth:email` plus WebAuthn / passkeys.
+ *
+ * Adds `webauthn_credentials_module` (stores each user's registered public
+ * keys and credential IDs), `webauthn_auth_module` (the auth-time challenge
+ * storage + flow), and `session_secrets_module` (where the one-time
+ * challenge nonces live). The generator then emits WebAuthn registration
+ * and assertion procedures.
+ *
+ * Password flows stay on by default as a recovery path; toggle them off in
+ * `app_settings_auth` if you want strictly-passkey.
+ */
+export declare const PresetAuthPasskey: ModulePreset;

package/module-presets/auth-passkey.js

@@ -0,0 +1,59 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PresetAuthPasskey = void 0;
+/**
+ * `auth:passkey` — `auth:email` plus WebAuthn / passkeys.
+ *
+ * Adds `webauthn_credentials_module` (stores each user's registered public
+ * keys and credential IDs), `webauthn_auth_module` (the auth-time challenge
+ * storage + flow), and `session_secrets_module` (where the one-time
+ * challenge nonces live). The generator then emits WebAuthn registration
+ * and assertion procedures.
+ *
+ * Password flows stay on by default as a recovery path; toggle them off in
+ * `app_settings_auth` if you want strictly-passkey.
+ */
+exports.PresetAuthPasskey = {
+    name: 'auth:passkey',
+    display_name: 'Passkeys (WebAuthn)',
+    summary: '`auth:email` plus WebAuthn passkey registration and assertion.',
+    description: "Installs the three modules WebAuthn needs: `webauthn_credentials_module` for each user's " +
+        "registered public keys, `webauthn_auth_module` for the runtime challenge/assertion flow, " +
+        "and `session_secrets_module` for the one-time challenge nonces. With these installed, " +
+        "the generator emits WebAuthn registration/login procs. Keep password flows as a recovery " +
+        "path, or disable them in `app_settings_auth` for passkey-only deployments.",
+    good_for: [
+        'Apps where you want users to adopt phishing-resistant auth',
+        'Consumer apps with a tech-forward audience',
+        'Internal tools protecting sensitive data where FIDO2 is a requirement'
+    ],
+    not_for: [
+        'Apps that also need SSO or SMS — use `auth:hardened` for everything',
+        'Apps where the end-user device mix is heavy on old browsers that lack WebAuthn'
+    ],
+    modules: [
+        'users_module',
+        'membership_types_module',
+        'memberships_module:app',
+        'sessions_module',
+        'secrets_module',
+        'encrypted_secrets_module',
+        'emails_module',
+        'rls_module',
+        'user_auth_module',
+        'session_secrets_module',
+        'webauthn_credentials_module',
+        'webauthn_auth_module'
+    ],
+    includes_notes: {
+        webauthn_credentials_module: 'Per-user WebAuthn credential storage. Without it, passkey registration does not compile.',
+        webauthn_auth_module: 'Runtime challenge + assertion flow.',
+        session_secrets_module: 'Challenge nonces for registration and assertion.'
+    },
+    omits_notes: {
+        rate_limits_module: 'Add via `auth:hardened` for production.',
+        connected_accounts_module: 'No OAuth / SSO — add via `auth:hardened`.',
+        phone_numbers_module: 'No SMS.'
+    },
+    extends: ['auth:email']
+};

package/module-presets/auth-sso.d.ts

@@ -0,0 +1,21 @@
+import type { ModulePreset } from './types';
+/**
+ * `auth:sso` — `auth:email` plus OAuth / OpenID Connect sign-in.
+ *
+ * Adds `connected_accounts_module` (the junction table mapping a user to
+ * `(provider, external_id)`) and `identity_providers_module` (the provider
+ * config: URLs, client_id, encrypted client_secret, scopes, PKCE/nonce
+ * knobs). The generator then emits `sign_in_identity` / `sign_up_identity`
+ * procedures which rely on `encrypted_secrets_module` to decrypt the client
+ * secret at auth time.
+ *
+ * Password fallback stays on by default (break-glass for admins); flip the
+ * `allow_password_sign_*` toggles off in `app_settings_auth` for strictly
+ * SSO-only.
+ *
+ * Note: `emails_module` is still required — the `user_auth_module` insert
+ * trigger hard-requires it today. A pure SSO-only install without emails
+ * is a separate refactor (see `docs/architecture/module-presets.md` in
+ * constructive-db).
+ */
+export declare const PresetAuthSso: ModulePreset;

package/module-presets/auth-sso.js

@@ -0,0 +1,68 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PresetAuthSso = void 0;
+/**
+ * `auth:sso` — `auth:email` plus OAuth / OpenID Connect sign-in.
+ *
+ * Adds `connected_accounts_module` (the junction table mapping a user to
+ * `(provider, external_id)`) and `identity_providers_module` (the provider
+ * config: URLs, client_id, encrypted client_secret, scopes, PKCE/nonce
+ * knobs). The generator then emits `sign_in_identity` / `sign_up_identity`
+ * procedures which rely on `encrypted_secrets_module` to decrypt the client
+ * secret at auth time.
+ *
+ * Password fallback stays on by default (break-glass for admins); flip the
+ * `allow_password_sign_*` toggles off in `app_settings_auth` for strictly
+ * SSO-only.
+ *
+ * Note: `emails_module` is still required — the `user_auth_module` insert
+ * trigger hard-requires it today. A pure SSO-only install without emails
+ * is a separate refactor (see `docs/architecture/module-presets.md` in
+ * constructive-db).
+ */
+exports.PresetAuthSso = {
+    name: 'auth:sso',
+    display_name: 'OAuth / OpenID Connect',
+    summary: '`auth:email` plus OAuth providers and connected-account linkage.',
+    description: "Adds the two modules that make SSO work: `identity_providers_module` (where provider " +
+        "definitions live — Google, GitHub, Okta, etc., with their URLs, client IDs, and " +
+        "encrypted client secrets) and `connected_accounts_module` (the junction mapping a " +
+        "Constructive user to a `(provider, external_id)` pair). The generator emits " +
+        "`sign_in_identity` and `sign_up_identity` procedures which decrypt the client secret " +
+        "through `encrypted_secrets_module` at auth time. Keep password flows as break-glass, or " +
+        "disable them via `app_settings_auth` toggles for strictly-SSO deployments.",
+    good_for: [
+        'B2B apps where end users sign in via their employer IdP',
+        'Consumer apps that want "Sign in with Google / GitHub"',
+        'Apps that need to federate identity with a specific provider ecosystem'
+    ],
+    not_for: [
+        'Apps that also need passkeys and rate limits — use `auth:hardened`',
+        'Strictly-SSO apps that want NO email storage — needs the emails-optional refactor; not supported by a preset today'
+    ],
+    modules: [
+        'users_module',
+        'membership_types_module',
+        'memberships_module:app',
+        'sessions_module',
+        'secrets_module',
+        'encrypted_secrets_module',
+        'emails_module',
+        'rls_module',
+        'user_auth_module',
+        'connected_accounts_module',
+        'identity_providers_module'
+    ],
+    includes_notes: {
+        connected_accounts_module: 'Junction table for (user, provider, external_id). Without it, `sign_in_identity` does not compile.',
+        identity_providers_module: 'Provider config table (URLs, client_id, encrypted client_secret, scopes, PKCE knobs).',
+        encrypted_secrets_module: 'Required by `auth:email` already; also used by SSO to decrypt the provider client_secret at auth time.'
+    },
+    omits_notes: {
+        webauthn_credentials_module: 'No passkeys — add `auth:passkey` or move to `auth:hardened`.',
+        rate_limits_module: 'Omitted; add via `auth:hardened` for production.',
+        session_secrets_module: "Not required for authorization-code OAuth; add if you also want magic-link flows. PKCE doesn't require it for stateless OAuth flows today.",
+        phone_numbers_module: 'No SMS in this preset.'
+    },
+    extends: ['auth:email']
+};

package/module-presets/b2b.d.ts

@@ -0,0 +1,14 @@
+import type { ModulePreset } from './types';
+/**
+ * `b2b` — `auth:hardened` plus orgs, invites, permissions, levels,
+ * profiles, and hierarchy. The full multi-tenant / B2B SaaS shape.
+ *
+ * Installs both app-scoped AND org-scoped instances of the membership,
+ * permission, limit, level, profile, and invite modules. `hierarchy_module`
+ * at the org scope enables nested org/team structures.
+ *
+ * This is a large install — every B2B concept Constructive ships. Don't
+ * reach for it until you actually need orgs; moving from `auth:hardened`
+ * to `b2b` later is a provisioning step, not a schema rewrite.
+ */
+export declare const PresetB2b: ModulePreset;

package/module-presets/b2b.js

@@ -0,0 +1,86 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PresetB2b = void 0;
+/**
+ * `b2b` — `auth:hardened` plus orgs, invites, permissions, levels,
+ * profiles, and hierarchy. The full multi-tenant / B2B SaaS shape.
+ *
+ * Installs both app-scoped AND org-scoped instances of the membership,
+ * permission, limit, level, profile, and invite modules. `hierarchy_module`
+ * at the org scope enables nested org/team structures.
+ *
+ * This is a large install — every B2B concept Constructive ships. Don't
+ * reach for it until you actually need orgs; moving from `auth:hardened`
+ * to `b2b` later is a provisioning step, not a schema rewrite.
+ */
+exports.PresetB2b = {
+    name: 'b2b',
+    display_name: 'B2B SaaS (orgs + invites + permissions)',
+    summary: '`auth:hardened` + orgs, invites, fine-grained permissions, levels, profiles, hierarchy.',
+    description: 'Everything in `auth:hardened`, plus the full org/team/permission stack at both app and ' +
+        'org membership scopes. You get: `memberships_module:org` for org-scoped memberships, ' +
+        '`permissions_module:app/:org` for fine-grained RBAC, `limits_module:app/:org` for per-scope ' +
+        'quota enforcement, `levels_module:app/:org` for role bundles, `profiles_module:app/:org` ' +
+        'for per-scope user display info, `hierarchy_module:org` for nested org structures, and ' +
+        '`invites_module:app/:org` for invite flows at either scope. Choose this when the app has ' +
+        'the concept of a "workspace" / "team" / "tenant" that users belong to and act within.',
+    good_for: [
+        'B2B SaaS with multi-tenant workspaces / teams',
+        'Apps where permissions scope to an organization, not globally',
+        'Apps with an invite-based onboarding flow (admins invite members)',
+        'Apps that need nested org hierarchies (parent org / sub-org / team)'
+    ],
+    not_for: [
+        'Single-tenant consumer apps — use `auth:hardened` or `auth:email`',
+        'Apps where all users see the same global dataset — orgs would add overhead with no benefit'
+    ],
+    modules: [
+        'users_module',
+        'membership_types_module',
+        'memberships_module:app',
+        'memberships_module:org',
+        'sessions_module',
+        'secrets_module',
+        'encrypted_secrets_module',
+        'emails_module',
+        'rls_module',
+        'user_auth_module',
+        'session_secrets_module',
+        'rate_limits_module',
+        'connected_accounts_module',
+        'identity_providers_module',
+        'webauthn_credentials_module',
+        'webauthn_auth_module',
+        'phone_numbers_module',
+        'permissions_module:app',
+        'permissions_module:org',
+        'limits_module:app',
+        'limits_module:org',
+        'levels_module:app',
+        'levels_module:org',
+        'profiles_module:app',
+        'profiles_module:org',
+        'hierarchy_module:org',
+        'invites_module:app',
+        'invites_module:org'
+    ],
+    includes_notes: {
+        'memberships_module:org': 'Org-scoped membership rows — every user in an org gets one.',
+        'permissions_module:app': 'App-wide permission grants (e.g. platform admins).',
+        'permissions_module:org': 'Org-scoped permission grants (per-workspace admins, members, viewers, ...).',
+        'limits_module:app': 'App-level quotas (e.g. max users per plan).',
+        'limits_module:org': 'Org-level quotas (e.g. per-workspace API call caps).',
+        'levels_module:app': 'Role/level bundles at the app scope.',
+        'levels_module:org': 'Role/level bundles at the org scope (admin / member / viewer, etc.).',
+        'profiles_module:app': 'App-scoped user profile (one per user).',
+        'profiles_module:org': 'Org-scoped user profile (per org a user belongs to).',
+        'hierarchy_module:org': 'Nested org structures (parent / child orgs).',
+        'invites_module:app': 'App-level invites (rare — usually platform admin adds another admin).',
+        'invites_module:org': 'Org-level invites (the common case — invite a teammate into a workspace).'
+    },
+    omits_notes: {
+        storage_module: 'Add separately if you need file uploads tied to orgs.',
+        crypto_addresses_module: 'Not a web3 preset.'
+    },
+    extends: ['auth:hardened']
+};

package/module-presets/full.d.ts

@@ -0,0 +1,15 @@
+import type { ModulePreset } from './types';
+/**
+ * `full` — install everything. Equivalent to the default
+ * `provision_database_modules(v_modules => ARRAY['all'])` behavior.
+ *
+ * This is the maximalist preset: every module Constructive ships, including
+ * `storage_module` for file uploads and `crypto_addresses_module` for
+ * wallet-based sign-in. Use it for greenfield apps where you'd rather
+ * disable features via `app_settings_auth` toggles than uninstall modules,
+ * or for the "kitchen sink" example / demo databases.
+ *
+ * Prefer a more targeted preset for anything production-bound — installing
+ * a module you'll never use still costs tables, triggers, and grants.
+ */
+export declare const PresetFull: ModulePreset;

package/module-presets/full.js

@@ -0,0 +1,41 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PresetFull = void 0;
+/**
+ * `full` — install everything. Equivalent to the default
+ * `provision_database_modules(v_modules => ARRAY['all'])` behavior.
+ *
+ * This is the maximalist preset: every module Constructive ships, including
+ * `storage_module` for file uploads and `crypto_addresses_module` for
+ * wallet-based sign-in. Use it for greenfield apps where you'd rather
+ * disable features via `app_settings_auth` toggles than uninstall modules,
+ * or for the "kitchen sink" example / demo databases.
+ *
+ * Prefer a more targeted preset for anything production-bound — installing
+ * a module you'll never use still costs tables, triggers, and grants.
+ */
+exports.PresetFull = {
+    name: 'full',
+    display_name: 'Full (every module)',
+    summary: "Install every Constructive module. Equivalent to v_modules => ARRAY['all'].",
+    description: 'Installs every module in the catalog: everything in `b2b` plus `storage_module` ' +
+        'for file uploads and `crypto_addresses_module` / `crypto_auth_module` for ' +
+        'wallet-based sign-in. This matches the current default when `provision_database_modules` ' +
+        "is called without an explicit `v_modules` argument. Use it for fully-featured " +
+        'demo/example databases, kitchen-sink reference deployments, or greenfield apps that ' +
+        'would rather feature-flag at the app_settings level than uninstall modules.',
+    good_for: [
+        'Reference / demo databases that showcase every Constructive feature',
+        'Greenfield apps where the product scope is still open-ended',
+        'Keeping the provisioning call identical to the pre-preset default'
+    ],
+    not_for: [
+        'Production apps with a defined feature set — pick the narrowest preset that fits',
+        'Resource-constrained environments — every module costs schema bloat, RLS policies, and grants'
+    ],
+    modules: ['all'],
+    includes_notes: {
+        all: "Sentinel — the provisioner installs every known module when `modules = ['all']`."
+    },
+    extends: ['b2b']
+};

package/module-presets/index.d.ts

@@ -0,0 +1,18 @@
+export type { ModulePreset } from './types';
+import type { ModulePreset } from './types';
+import { PresetMinimal } from './minimal';
+import { PresetAuthEmail } from './auth-email';
+import { PresetAuthEmailMagic } from './auth-email-magic';
+import { PresetAuthSso } from './auth-sso';
+import { PresetAuthPasskey } from './auth-passkey';
+import { PresetAuthHardened } from './auth-hardened';
+import { PresetB2b } from './b2b';
+import { PresetFull } from './full';
+export { PresetMinimal, PresetAuthEmail, PresetAuthEmailMagic, PresetAuthSso, PresetAuthPasskey, PresetAuthHardened, PresetB2b, PresetFull };
+/**
+ * Ordered list of all shipped module presets, from smallest to largest
+ * module footprint. Stable ordering — CLIs / UIs can present this directly.
+ */
+export declare const allModulePresets: ModulePreset[];
+/** Look up a preset by name. Returns undefined if the name isn't known. */
+export declare function getModulePreset(name: string): ModulePreset | undefined;

package/module-presets/index.js

@@ -0,0 +1,38 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.allModulePresets = exports.PresetFull = exports.PresetB2b = exports.PresetAuthHardened = exports.PresetAuthPasskey = exports.PresetAuthSso = exports.PresetAuthEmailMagic = exports.PresetAuthEmail = exports.PresetMinimal = void 0;
+exports.getModulePreset = getModulePreset;
+const minimal_1 = require("./minimal");
+Object.defineProperty(exports, "PresetMinimal", { enumerable: true, get: function () { return minimal_1.PresetMinimal; } });
+const auth_email_1 = require("./auth-email");
+Object.defineProperty(exports, "PresetAuthEmail", { enumerable: true, get: function () { return auth_email_1.PresetAuthEmail; } });
+const auth_email_magic_1 = require("./auth-email-magic");
+Object.defineProperty(exports, "PresetAuthEmailMagic", { enumerable: true, get: function () { return auth_email_magic_1.PresetAuthEmailMagic; } });
+const auth_sso_1 = require("./auth-sso");
+Object.defineProperty(exports, "PresetAuthSso", { enumerable: true, get: function () { return auth_sso_1.PresetAuthSso; } });
+const auth_passkey_1 = require("./auth-passkey");
+Object.defineProperty(exports, "PresetAuthPasskey", { enumerable: true, get: function () { return auth_passkey_1.PresetAuthPasskey; } });
+const auth_hardened_1 = require("./auth-hardened");
+Object.defineProperty(exports, "PresetAuthHardened", { enumerable: true, get: function () { return auth_hardened_1.PresetAuthHardened; } });
+const b2b_1 = require("./b2b");
+Object.defineProperty(exports, "PresetB2b", { enumerable: true, get: function () { return b2b_1.PresetB2b; } });
+const full_1 = require("./full");
+Object.defineProperty(exports, "PresetFull", { enumerable: true, get: function () { return full_1.PresetFull; } });
+/**
+ * Ordered list of all shipped module presets, from smallest to largest
+ * module footprint. Stable ordering — CLIs / UIs can present this directly.
+ */
+exports.allModulePresets = [
+    minimal_1.PresetMinimal,
+    auth_email_1.PresetAuthEmail,
+    auth_email_magic_1.PresetAuthEmailMagic,
+    auth_sso_1.PresetAuthSso,
+    auth_passkey_1.PresetAuthPasskey,
+    auth_hardened_1.PresetAuthHardened,
+    b2b_1.PresetB2b,
+    full_1.PresetFull
+];
+/** Look up a preset by name. Returns undefined if the name isn't known. */
+function getModulePreset(name) {
+    return exports.allModulePresets.find((p) => p.name === name);
+}

package/module-presets/minimal.d.ts

@@ -0,0 +1,14 @@
+import type { ModulePreset } from './types';
+/**
+ * `minimal` — users + sessions + RLS + API keys. No auth procedures, no
+ * memberships, no orgs, no emails, no passwords.
+ *
+ * This is the barest foundation: a `users` table, a `sessions` table so
+ * something upstream can mint tokens, `rls_module` so row-level security
+ * is enforceable, and `secrets_module` so you can issue API keys. Nothing
+ * else.
+ *
+ * You still write your own identity bridge on top (or rely on a header-based
+ * user-id coming from an upstream proxy / JWT verifier).
+ */
+export declare const PresetMinimal: ModulePreset;

package/module-presets/minimal.js

@@ -0,0 +1,51 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PresetMinimal = void 0;
+/**
+ * `minimal` — users + sessions + RLS + API keys. No auth procedures, no
+ * memberships, no orgs, no emails, no passwords.
+ *
+ * This is the barest foundation: a `users` table, a `sessions` table so
+ * something upstream can mint tokens, `rls_module` so row-level security
+ * is enforceable, and `secrets_module` so you can issue API keys. Nothing
+ * else.
+ *
+ * You still write your own identity bridge on top (or rely on a header-based
+ * user-id coming from an upstream proxy / JWT verifier).
+ */
+exports.PresetMinimal = {
+    name: 'minimal',
+    display_name: 'Minimal (RLS only)',
+    summary: 'users + sessions + RLS + API keys. No auth procedures installed.',
+    description: 'The smallest coherent Constructive install. You get a users table, a sessions table, ' +
+        'RLS enforcement, and API-key infrastructure — but no server-side sign_up/sign_in flow. ' +
+        'Pick this when authentication lives outside the database (an upstream IdP, a header from ' +
+        'a proxy, an internal service-to-service JWT) and Constructive is just the RLS-aware data ' +
+        'layer underneath.',
+    good_for: [
+        'Internal tools where an upstream proxy supplies the user identity',
+        'Backend-of-backend services that only need RLS, not an auth surface',
+        'Prototypes that will bolt on a richer auth preset later'
+    ],
+    not_for: [
+        'Any app that needs `sign_up` / `sign_in` / `reset_password` out of the box — use `auth:email` instead',
+        'Multi-tenant / org-scoped apps — use `b2b`'
+    ],
+    modules: [
+        'users_module',
+        'sessions_module',
+        'rls_module',
+        'secrets_module'
+    ],
+    includes_notes: {
+        users_module: 'The canonical users table. Required by every preset.',
+        sessions_module: 'Session/token storage; needed so whatever upstream auth can mint a session row.',
+        rls_module: 'RLS policy infrastructure. Without it, row-level security is not enforced.',
+        secrets_module: 'API-key storage. Optional for this preset but almost always wanted alongside upstream auth.'
+    },
+    omits_notes: {
+        user_auth_module: 'No server-side sign_up/sign_in procedures in this preset.',
+        emails_module: 'Not needed without password/magic-link flows; upstream auth handles identity.',
+        memberships_module: 'No memberships without a user_auth_module wiring them up.'
+    }
+};

package/module-presets/types.d.ts

@@ -0,0 +1,60 @@
+/**
+ * A preset is a named, curated bundle of Constructive modules intended for a
+ * recognizable app shape (internal tool, consumer email login, SSO-only B2B,
+ * etc.). Presets are metadata only — passing `preset.modules` to
+ * `provision_database_modules(v_modules => ...)` is what actually installs
+ * them.
+ *
+ * Presets are NOT node types. They are a sibling concept: node types are
+ * reusable building blocks used inside a blueprint; presets are starting
+ * points for which modules to install before any blueprint is authored.
+ *
+ * All module names match the `rls_module`, `user_auth_module`, ... names in
+ * `metaschema_generators.provision_database_modules` in constructive-db.
+ *
+ * Naming uses snake_case for module names to match the server-side SQL
+ * convention, and kebab-ish `auth:email` for preset names because they're
+ * user-facing labels, not identifiers.
+ */
+export interface ModulePreset {
+    /** Preset identifier, e.g. 'auth:email'. Stable, used as a key in CLI/codegen. */
+    name: string;
+    /** Human-readable label for UIs, e.g. 'Email + Password'. */
+    display_name: string;
+    /** One-line pitch — what this preset is in plain English. */
+    summary: string;
+    /**
+     * Longer narrative. Explain when you'd reach for this preset, what it
+     * implies architecturally, and what tradeoffs the user is accepting by
+     * choosing it. Keep to a few paragraphs max.
+     */
+    description: string;
+    /** Concrete scenarios this preset fits well. */
+    good_for: string[];
+    /** Scenarios where this preset is the wrong choice — point at alternatives. */
+    not_for: string[];
+    /**
+     * Flat list of module names to install. Module names must match the
+     * canonical list accepted by
+     * `metaschema_generators.provision_database_modules` in constructive-db.
+     * Order doesn't matter — provisioning resolves dependencies.
+     */
+    modules: string[];
+    /**
+     * Optional per-module justifications. Map from module name to a short
+     * "why this module is in this preset" note. Rendered in docs and CLI
+     * `--explain` output.
+     */
+    includes_notes?: Record<string, string>;
+    /**
+     * Optional per-module "why we deliberately leave this out" notes. Only
+     * list modules that a user might reasonably expect to be here; don't
+     * enumerate every omitted module.
+     */
+    omits_notes?: Record<string, string>;
+    /**
+     * Optional: name(s) of presets this one builds on. Purely documentary —
+     * not enforced at runtime, `modules` must still be the full flat list.
+     */
+    extends?: string[];
+}

package/module-presets/types.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "node-type-registry",
-  "version": "0.16.0",
+  "version": "0.17.1",
   "description": "Node type definitions for the Constructive blueprint system. Single source of truth for all Authz*, Data*, Relation*, and View* node types.",
   "author": "Constructive <developers@constructive.io>",
   "main": "index.js",
@@ -47,5 +47,5 @@
     "registry",
     "graphile"
   ],
-  "gitHead": "5094bbe92916be47234fe80c583c6957f51226e1"
+  "gitHead": "ad2d49ede1f962293e13d68843831897f267915d"
 }

package/relation/relation-many-to-many.js

@@ -49,46 +49,33 @@ exports.RelationManyToMany = {
                 },
                 "description": "Array of node objects for field creation on junction table. Each object has a $type key (e.g. DataId, DataEntityMembership) and optional data keys. Forwarded to secure_table_provision as-is. Empty array means no additional fields."
             },
-            "grant_roles": {
+            "grants": {
                 "type": "array",
                 "items": {
-                    "type": "string"
+                    "type": "object",
+                    "properties": {
+                        "roles": { "type": "array", "items": { "type": "string" } },
+                        "privileges": { "type": "array", "items": { "type": "array", "items": { "type": "string" } } }
+                    },
+                    "required": ["roles", "privileges"]
                 },
-                "description": "Database roles to grant privileges to. Forwarded to secure_table_provision as-is. Default: [authenticated]"
+                "description": "Unified grant objects for the junction table. Each entry is { roles: string[], privileges: string[][] }. Forwarded to secure_table_provision as-is. Default: []"
             },
-            "grant_privileges": {
+            "policies": {
                 "type": "array",
                 "items": {
-                    "type": "array",
-                    "items": {
-                        "type": "string"
-                    }
+                    "type": "object",
+                    "properties": {
+                        "$type": { "type": "string" },
+                        "data": { "type": "object" },
+                        "privileges": { "type": "array", "items": { "type": "string" } },
+                        "policy_role": { "type": "string" },
+                        "permissive": { "type": "boolean" },
+                        "policy_name": { "type": "string" }
+                    },
+                    "required": ["$type"]
                 },
-                "description": "Privilege grants for the junction table as [verb, columns] tuples (e.g. [['select','*'],['insert','*']]). Forwarded to secure_table_provision as-is. Default: select/insert/delete for all columns"
-            },
-            "policy_type": {
-                "type": "string",
-                "description": "RLS policy type for the junction table. Forwarded to secure_table_provision as-is. NULL means no policy."
-            },
-            "policy_privileges": {
-                "type": "array",
-                "items": {
-                    "type": "string"
-                },
-                "description": "Privileges the policy applies to. Forwarded to secure_table_provision as-is. NULL means derived from grant_privileges verbs."
-            },
-            "policy_role": {
-                "type": "string",
-                "description": "Database role the policy targets. Forwarded to secure_table_provision as-is. NULL means falls back to first grant_role."
-            },
-            "policy_permissive": {
-                "type": "boolean",
-                "description": "Whether the policy is PERMISSIVE (true) or RESTRICTIVE (false). Forwarded to secure_table_provision as-is.",
-                "default": true
-            },
-            "policy_data": {
-                "type": "object",
-                "description": "Policy configuration forwarded to secure_table_provision as-is. Structure varies by policy_type."
+                "description": "RLS policy objects for the junction table. Each entry has $type (Authz* generator), optional data, privileges, policy_role, permissive, policy_name. Forwarded to secure_table_provision as-is. Default: []"
             }
         },
         "required": [