node-type-registry 0.17.0 → 0.17.1

package/blueprint-types.generated.d.ts

@@ -391,15 +391,20 @@ export interface RelationManyToManyParams {
     nodes?: {
         [key: string]: unknown;
     }[];
-    grant_roles?: string[];
-    grant_privileges?: string[][];
-    policy_type?: string;
-    policy_privileges?: string[];
-    policy_role?: string;
-    policy_permissive?: boolean;
-    policy_data?: {
-        [key: string]: unknown;
-    };
+    grants?: {
+        roles: string[];
+        privileges: string[][];
+    }[];
+    policies?: {
+        $type: string;
+        data?: {
+            [key: string]: unknown;
+        };
+        privileges?: string[];
+        policy_role?: string;
+        permissive?: boolean;
+        policy_name?: string;
+    }[];
 }
 /** Declares a spatial predicate between two existing geometry/geography columns. Inserts a metaschema_public.spatial_relation row; the sync_spatial_relation_tags trigger then projects a @spatialRelation smart tag onto the owner column so graphile-postgis' PostgisSpatialRelationsPlugin can expose it as a cross-table filter in GraphQL. Metadata-only: both source_field and target_field must already exist on their tables. Idempotent on (source_table_id, name). One direction per tag — author two RelationSpatial entries if symmetry is desired. */
 export interface RelationSpatialParams {
@@ -577,10 +582,11 @@ export interface BlueprintEntityTableProvision {
     nodes?: BlueprintNode[];
     /** Custom fields (columns) to add to the entity table. Forwarded to secure_table_provision as-is. */
     fields?: BlueprintField[];
-    /** Privilege grants for the entity table as [verb, columns] tuples (e.g. [["select","*"],["insert","*"]]). Forwarded to secure_table_provision as-is. */
-    grant_privileges?: unknown[];
-    /** Database roles to grant privileges to. Forwarded to secure_table_provision as-is. Defaults to ["authenticated"]. */
-    grant_roles?: string[];
+    /** Unified grant objects for the entity table. Each entry is { roles: string[], privileges: unknown[] } where privileges are [verb, columns] tuples. Forwarded to secure_table_provision as-is. Defaults to []. */
+    grants?: {
+        roles: string[];
+        privileges: unknown[];
+    }[];
     /** RLS policies for the entity table. When present, these policies fully replace the five default entity-table policies (is_visible becomes a no-op). */
     policies?: BlueprintPolicy[];
 }
@@ -796,10 +802,11 @@ export interface BlueprintTable {
     fields?: BlueprintField[];
     /** RLS policies for this table. */
     policies?: BlueprintPolicy[];
-    /** Database roles to grant privileges to. Defaults to ["authenticated"]. */
-    grant_roles?: string[];
-    /** Privilege grants as [verb, column] tuples or objects. Defaults to empty (no grants — callers must explicitly specify). */
-    grants?: unknown[];
+    /** Unified grant objects. Each entry is { roles: string[], privileges: unknown[] } where privileges are [verb, columns] tuples (e.g. [["select","*"]]). Enables per-role targeting. Defaults to []. */
+    grants?: {
+        roles: string[];
+        privileges: unknown[];
+    }[];
     /** Whether to enable RLS on this table. Defaults to true. */
     use_rls?: boolean;
     /** Table-level indexes (table_name inherited from parent). */

package/codegen/generate-types.js

@@ -399,8 +399,10 @@ function buildBlueprintEntityTableProvision() {
         addJSDoc(optionalProp('use_rls', t.tsBooleanKeyword()), 'Whether to enable RLS on the entity table. Forwarded to secure_table_provision. Defaults to true.'),
         addJSDoc(optionalProp('nodes', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintNode')))), 'Node objects applied to the entity table for field creation (e.g., DataTimestamps, DataPeoplestamps). Forwarded to secure_table_provision as-is.'),
         addJSDoc(optionalProp('fields', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintField')))), 'Custom fields (columns) to add to the entity table. Forwarded to secure_table_provision as-is.'),
-        addJSDoc(optionalProp('grant_privileges', t.tsArrayType(t.tsUnknownKeyword())), 'Privilege grants for the entity table as [verb, columns] tuples (e.g. [["select","*"],["insert","*"]]). Forwarded to secure_table_provision as-is.'),
-        addJSDoc(optionalProp('grant_roles', t.tsArrayType(t.tsStringKeyword())), 'Database roles to grant privileges to. Forwarded to secure_table_provision as-is. Defaults to ["authenticated"].'),
+        addJSDoc(optionalProp('grants', t.tsArrayType(t.tsTypeLiteral([
+            requiredProp('roles', t.tsArrayType(t.tsStringKeyword())),
+            requiredProp('privileges', t.tsArrayType(t.tsUnknownKeyword())),
+        ]))), 'Unified grant objects for the entity table. Each entry is { roles: string[], privileges: unknown[] } where privileges are [verb, columns] tuples. Forwarded to secure_table_provision as-is. Defaults to [].'),
         addJSDoc(optionalProp('policies', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintPolicy')))), 'RLS policies for the entity table. When present, these policies fully replace the five default entity-table policies (is_visible becomes a no-op).'),
     ]), 'Override object for the entity table created by a BlueprintMembershipType. Shape mirrors BlueprintTable / secure_table_provision vocabulary. When supplied, policies[] replaces the default entity-table policies entirely.');
 }
@@ -426,8 +428,10 @@ function buildBlueprintTable() {
         addJSDoc(requiredProp('nodes', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintNode')))), "Array of node type entries that define the table's behavior."),
         addJSDoc(optionalProp('fields', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintField')))), 'Custom fields (columns) to add to the table.'),
         addJSDoc(optionalProp('policies', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintPolicy')))), 'RLS policies for this table.'),
-        addJSDoc(optionalProp('grant_roles', t.tsArrayType(t.tsStringKeyword())), 'Database roles to grant privileges to. Defaults to ["authenticated"].'),
-        addJSDoc(optionalProp('grants', t.tsArrayType(t.tsUnknownKeyword())), 'Privilege grants as [verb, column] tuples or objects. Defaults to empty (no grants — callers must explicitly specify).'),
+        addJSDoc(optionalProp('grants', t.tsArrayType(t.tsTypeLiteral([
+            requiredProp('roles', t.tsArrayType(t.tsStringKeyword())),
+            requiredProp('privileges', t.tsArrayType(t.tsUnknownKeyword())),
+        ]))), 'Unified grant objects. Each entry is { roles: string[], privileges: unknown[] } where privileges are [verb, columns] tuples (e.g. [["select","*"]]). Enables per-role targeting. Defaults to [].'),
         addJSDoc(optionalProp('use_rls', t.tsBooleanKeyword()), 'Whether to enable RLS on this table. Defaults to true.'),
         addJSDoc(optionalProp('indexes', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintTableIndex')))), 'Table-level indexes (table_name inherited from parent).'),
         addJSDoc(optionalProp('full_text_searches', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintTableFullTextSearch')))), 'Table-level full-text search configurations (table_name inherited from parent).'),

package/esm/blueprint-types.generated.d.ts

@@ -391,15 +391,20 @@ export interface RelationManyToManyParams {
     nodes?: {
         [key: string]: unknown;
     }[];
-    grant_roles?: string[];
-    grant_privileges?: string[][];
-    policy_type?: string;
-    policy_privileges?: string[];
-    policy_role?: string;
-    policy_permissive?: boolean;
-    policy_data?: {
-        [key: string]: unknown;
-    };
+    grants?: {
+        roles: string[];
+        privileges: string[][];
+    }[];
+    policies?: {
+        $type: string;
+        data?: {
+            [key: string]: unknown;
+        };
+        privileges?: string[];
+        policy_role?: string;
+        permissive?: boolean;
+        policy_name?: string;
+    }[];
 }
 /** Declares a spatial predicate between two existing geometry/geography columns. Inserts a metaschema_public.spatial_relation row; the sync_spatial_relation_tags trigger then projects a @spatialRelation smart tag onto the owner column so graphile-postgis' PostgisSpatialRelationsPlugin can expose it as a cross-table filter in GraphQL. Metadata-only: both source_field and target_field must already exist on their tables. Idempotent on (source_table_id, name). One direction per tag — author two RelationSpatial entries if symmetry is desired. */
 export interface RelationSpatialParams {
@@ -577,10 +582,11 @@ export interface BlueprintEntityTableProvision {
     nodes?: BlueprintNode[];
     /** Custom fields (columns) to add to the entity table. Forwarded to secure_table_provision as-is. */
     fields?: BlueprintField[];
-    /** Privilege grants for the entity table as [verb, columns] tuples (e.g. [["select","*"],["insert","*"]]). Forwarded to secure_table_provision as-is. */
-    grant_privileges?: unknown[];
-    /** Database roles to grant privileges to. Forwarded to secure_table_provision as-is. Defaults to ["authenticated"]. */
-    grant_roles?: string[];
+    /** Unified grant objects for the entity table. Each entry is { roles: string[], privileges: unknown[] } where privileges are [verb, columns] tuples. Forwarded to secure_table_provision as-is. Defaults to []. */
+    grants?: {
+        roles: string[];
+        privileges: unknown[];
+    }[];
     /** RLS policies for the entity table. When present, these policies fully replace the five default entity-table policies (is_visible becomes a no-op). */
     policies?: BlueprintPolicy[];
 }
@@ -796,10 +802,11 @@ export interface BlueprintTable {
     fields?: BlueprintField[];
     /** RLS policies for this table. */
     policies?: BlueprintPolicy[];
-    /** Database roles to grant privileges to. Defaults to ["authenticated"]. */
-    grant_roles?: string[];
-    /** Privilege grants as [verb, column] tuples or objects. Defaults to empty (no grants — callers must explicitly specify). */
-    grants?: unknown[];
+    /** Unified grant objects. Each entry is { roles: string[], privileges: unknown[] } where privileges are [verb, columns] tuples (e.g. [["select","*"]]). Enables per-role targeting. Defaults to []. */
+    grants?: {
+        roles: string[];
+        privileges: unknown[];
+    }[];
     /** Whether to enable RLS on this table. Defaults to true. */
     use_rls?: boolean;
     /** Table-level indexes (table_name inherited from parent). */

package/esm/codegen/generate-types.js

@@ -364,8 +364,10 @@ function buildBlueprintEntityTableProvision() {
         addJSDoc(optionalProp('use_rls', t.tsBooleanKeyword()), 'Whether to enable RLS on the entity table. Forwarded to secure_table_provision. Defaults to true.'),
         addJSDoc(optionalProp('nodes', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintNode')))), 'Node objects applied to the entity table for field creation (e.g., DataTimestamps, DataPeoplestamps). Forwarded to secure_table_provision as-is.'),
         addJSDoc(optionalProp('fields', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintField')))), 'Custom fields (columns) to add to the entity table. Forwarded to secure_table_provision as-is.'),
-        addJSDoc(optionalProp('grant_privileges', t.tsArrayType(t.tsUnknownKeyword())), 'Privilege grants for the entity table as [verb, columns] tuples (e.g. [["select","*"],["insert","*"]]). Forwarded to secure_table_provision as-is.'),
-        addJSDoc(optionalProp('grant_roles', t.tsArrayType(t.tsStringKeyword())), 'Database roles to grant privileges to. Forwarded to secure_table_provision as-is. Defaults to ["authenticated"].'),
+        addJSDoc(optionalProp('grants', t.tsArrayType(t.tsTypeLiteral([
+            requiredProp('roles', t.tsArrayType(t.tsStringKeyword())),
+            requiredProp('privileges', t.tsArrayType(t.tsUnknownKeyword())),
+        ]))), 'Unified grant objects for the entity table. Each entry is { roles: string[], privileges: unknown[] } where privileges are [verb, columns] tuples. Forwarded to secure_table_provision as-is. Defaults to [].'),
         addJSDoc(optionalProp('policies', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintPolicy')))), 'RLS policies for the entity table. When present, these policies fully replace the five default entity-table policies (is_visible becomes a no-op).'),
     ]), 'Override object for the entity table created by a BlueprintMembershipType. Shape mirrors BlueprintTable / secure_table_provision vocabulary. When supplied, policies[] replaces the default entity-table policies entirely.');
 }
@@ -391,8 +393,10 @@ function buildBlueprintTable() {
         addJSDoc(requiredProp('nodes', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintNode')))), "Array of node type entries that define the table's behavior."),
         addJSDoc(optionalProp('fields', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintField')))), 'Custom fields (columns) to add to the table.'),
         addJSDoc(optionalProp('policies', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintPolicy')))), 'RLS policies for this table.'),
-        addJSDoc(optionalProp('grant_roles', t.tsArrayType(t.tsStringKeyword())), 'Database roles to grant privileges to. Defaults to ["authenticated"].'),
-        addJSDoc(optionalProp('grants', t.tsArrayType(t.tsUnknownKeyword())), 'Privilege grants as [verb, column] tuples or objects. Defaults to empty (no grants — callers must explicitly specify).'),
+        addJSDoc(optionalProp('grants', t.tsArrayType(t.tsTypeLiteral([
+            requiredProp('roles', t.tsArrayType(t.tsStringKeyword())),
+            requiredProp('privileges', t.tsArrayType(t.tsUnknownKeyword())),
+        ]))), 'Unified grant objects. Each entry is { roles: string[], privileges: unknown[] } where privileges are [verb, columns] tuples (e.g. [["select","*"]]). Enables per-role targeting. Defaults to [].'),
         addJSDoc(optionalProp('use_rls', t.tsBooleanKeyword()), 'Whether to enable RLS on this table. Defaults to true.'),
         addJSDoc(optionalProp('indexes', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintTableIndex')))), 'Table-level indexes (table_name inherited from parent).'),
         addJSDoc(optionalProp('full_text_searches', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintTableFullTextSearch')))), 'Table-level full-text search configurations (table_name inherited from parent).'),

package/esm/relation/relation-many-to-many.js

@@ -46,46 +46,33 @@ export const RelationManyToMany = {
                 },
                 "description": "Array of node objects for field creation on junction table. Each object has a $type key (e.g. DataId, DataEntityMembership) and optional data keys. Forwarded to secure_table_provision as-is. Empty array means no additional fields."
             },
-            "grant_roles": {
+            "grants": {
                 "type": "array",
                 "items": {
-                    "type": "string"
+                    "type": "object",
+                    "properties": {
+                        "roles": { "type": "array", "items": { "type": "string" } },
+                        "privileges": { "type": "array", "items": { "type": "array", "items": { "type": "string" } } }
+                    },
+                    "required": ["roles", "privileges"]
                 },
-                "description": "Database roles to grant privileges to. Forwarded to secure_table_provision as-is. Default: [authenticated]"
+                "description": "Unified grant objects for the junction table. Each entry is { roles: string[], privileges: string[][] }. Forwarded to secure_table_provision as-is. Default: []"
             },
-            "grant_privileges": {
+            "policies": {
                 "type": "array",
                 "items": {
-                    "type": "array",
-                    "items": {
-                        "type": "string"
-                    }
+                    "type": "object",
+                    "properties": {
+                        "$type": { "type": "string" },
+                        "data": { "type": "object" },
+                        "privileges": { "type": "array", "items": { "type": "string" } },
+                        "policy_role": { "type": "string" },
+                        "permissive": { "type": "boolean" },
+                        "policy_name": { "type": "string" }
+                    },
+                    "required": ["$type"]
                 },
-                "description": "Privilege grants for the junction table as [verb, columns] tuples (e.g. [['select','*'],['insert','*']]). Forwarded to secure_table_provision as-is. Default: select/insert/delete for all columns"
-            },
-            "policy_type": {
-                "type": "string",
-                "description": "RLS policy type for the junction table. Forwarded to secure_table_provision as-is. NULL means no policy."
-            },
-            "policy_privileges": {
-                "type": "array",
-                "items": {
-                    "type": "string"
-                },
-                "description": "Privileges the policy applies to. Forwarded to secure_table_provision as-is. NULL means derived from grant_privileges verbs."
-            },
-            "policy_role": {
-                "type": "string",
-                "description": "Database role the policy targets. Forwarded to secure_table_provision as-is. NULL means falls back to first grant_role."
-            },
-            "policy_permissive": {
-                "type": "boolean",
-                "description": "Whether the policy is PERMISSIVE (true) or RESTRICTIVE (false). Forwarded to secure_table_provision as-is.",
-                "default": true
-            },
-            "policy_data": {
-                "type": "object",
-                "description": "Policy configuration forwarded to secure_table_provision as-is. Structure varies by policy_type."
+                "description": "RLS policy objects for the junction table. Each entry has $type (Authz* generator), optional data, privileges, policy_role, permissive, policy_name. Forwarded to secure_table_provision as-is. Default: []"
             }
         },
         "required": [

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "node-type-registry",
-  "version": "0.17.0",
+  "version": "0.17.1",
   "description": "Node type definitions for the Constructive blueprint system. Single source of truth for all Authz*, Data*, Relation*, and View* node types.",
   "author": "Constructive <developers@constructive.io>",
   "main": "index.js",
@@ -47,5 +47,5 @@
     "registry",
     "graphile"
   ],
-  "gitHead": "4988b64539a61786647412a456c56cb486722e18"
+  "gitHead": "ad2d49ede1f962293e13d68843831897f267915d"
 }

package/relation/relation-many-to-many.js

@@ -49,46 +49,33 @@ exports.RelationManyToMany = {
                 },
                 "description": "Array of node objects for field creation on junction table. Each object has a $type key (e.g. DataId, DataEntityMembership) and optional data keys. Forwarded to secure_table_provision as-is. Empty array means no additional fields."
             },
-            "grant_roles": {
+            "grants": {
                 "type": "array",
                 "items": {
-                    "type": "string"
+                    "type": "object",
+                    "properties": {
+                        "roles": { "type": "array", "items": { "type": "string" } },
+                        "privileges": { "type": "array", "items": { "type": "array", "items": { "type": "string" } } }
+                    },
+                    "required": ["roles", "privileges"]
                 },
-                "description": "Database roles to grant privileges to. Forwarded to secure_table_provision as-is. Default: [authenticated]"
+                "description": "Unified grant objects for the junction table. Each entry is { roles: string[], privileges: string[][] }. Forwarded to secure_table_provision as-is. Default: []"
             },
-            "grant_privileges": {
+            "policies": {
                 "type": "array",
                 "items": {
-                    "type": "array",
-                    "items": {
-                        "type": "string"
-                    }
+                    "type": "object",
+                    "properties": {
+                        "$type": { "type": "string" },
+                        "data": { "type": "object" },
+                        "privileges": { "type": "array", "items": { "type": "string" } },
+                        "policy_role": { "type": "string" },
+                        "permissive": { "type": "boolean" },
+                        "policy_name": { "type": "string" }
+                    },
+                    "required": ["$type"]
                 },
-                "description": "Privilege grants for the junction table as [verb, columns] tuples (e.g. [['select','*'],['insert','*']]). Forwarded to secure_table_provision as-is. Default: select/insert/delete for all columns"
-            },
-            "policy_type": {
-                "type": "string",
-                "description": "RLS policy type for the junction table. Forwarded to secure_table_provision as-is. NULL means no policy."
-            },
-            "policy_privileges": {
-                "type": "array",
-                "items": {
-                    "type": "string"
-                },
-                "description": "Privileges the policy applies to. Forwarded to secure_table_provision as-is. NULL means derived from grant_privileges verbs."
-            },
-            "policy_role": {
-                "type": "string",
-                "description": "Database role the policy targets. Forwarded to secure_table_provision as-is. NULL means falls back to first grant_role."
-            },
-            "policy_permissive": {
-                "type": "boolean",
-                "description": "Whether the policy is PERMISSIVE (true) or RESTRICTIVE (false). Forwarded to secure_table_provision as-is.",
-                "default": true
-            },
-            "policy_data": {
-                "type": "object",
-                "description": "Policy configuration forwarded to secure_table_provision as-is. Structure varies by policy_type."
+                "description": "RLS policy objects for the junction table. Each entry has $type (Authz* generator), optional data, privileges, policy_role, permissive, policy_name. Forwarded to secure_table_provision as-is. Default: []"
             }
         },
         "required": [