npm - node-type-registry - Versions diffs - 0.17.0 → 0.18.0 - Mend

node-type-registry 0.17.0 → 0.18.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/blueprint-types.generated.d.ts +150 -96
package/blueprint-types.generated.js +1 -0
package/codegen/generate-types.js +82 -27
package/esm/blueprint-types.generated.d.ts +150 -96
package/esm/blueprint-types.generated.js +1 -0
package/esm/codegen/generate-types.js +83 -28
package/esm/relation/relation-many-to-many.js +20 -33
package/package.json +2 -2
package/relation/relation-many-to-many.js +20 -33

package/esm/codegen/generate-types.js CHANGED Viewed

@@ -19,7 +19,7 @@
 // eslint-disable-next-line @typescript-eslint/no-var-requires
 const generate = require('@babel/generator').default ?? require('@babel/generator');
 import * as t from '@babel/types';
-import { writeFileSync, readFileSync, mkdirSync, existsSync } from 'fs';
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'fs';
 import { join } from 'path';
 import { generateTypeScriptTypes } from 'schema-typescript';
 import { allNodeTypes } from '../index';
@@ -29,7 +29,7 @@ import { allNodeTypes } from '../index';
 /** Attach a JSDoc-style leading comment to an AST node. */
 function addJSDoc(node, description) {
     node.leadingComments = [
-        { type: 'CommentBlock', value: `* ${description} ` },
+        { type: 'CommentBlock', value: `* ${description} ` }
     ];
     return node;
 }
@@ -112,7 +112,7 @@ function generateParamsInterfaces(nodeTypes) {
         const astNodes = generateTypeScriptTypes(sanitized, {
             includePropertyComments: true,
             includeTypeComments: false,
-            strictTypeSafety: true,
+            strictTypeSafety: true
         });
         if (astNodes.length > 0) {
             // The last node is the main interface for the title
@@ -208,7 +208,7 @@ function buildBlueprintField(meta) {
         addJSDoc(requiredProp('type', t.tsStringKeyword()), 'The PostgreSQL type (e.g., "text", "integer", "boolean", "uuid").'),
         addJSDoc(optionalProp('is_required', t.tsBooleanKeyword()), 'Whether the column has a NOT NULL constraint.'),
         addJSDoc(optionalProp('default_value', t.tsStringKeyword()), 'SQL default value expression (e.g., "true", "now()").'),
-        addJSDoc(optionalProp('description', t.tsStringKeyword()), 'Comment/description for this field.'),
+        addJSDoc(optionalProp('description', t.tsStringKeyword()), 'Comment/description for this field.')
     ]), 'A custom field (column) to add to a blueprint table.');
 }
 function buildBlueprintPolicy(authzNodes, _meta) {
@@ -225,14 +225,14 @@ function buildBlueprintPolicy(authzNodes, _meta) {
         addJSDoc(optionalProp('permissive', t.tsBooleanKeyword()), 'Whether this policy is permissive (true) or restrictive (false). Defaults to true.'),
         addJSDoc(optionalProp('policy_role', t.tsStringKeyword()), 'Role for this policy. Defaults to "authenticated".'),
         addJSDoc(optionalProp('policy_name', t.tsStringKeyword()), 'Optional custom name for this policy.'),
-        addJSDoc(optionalProp('data', recordType(t.tsStringKeyword(), t.tsUnknownKeyword())), 'Policy-specific data (structure varies by policy type).'),
+        addJSDoc(optionalProp('data', recordType(t.tsStringKeyword(), t.tsUnknownKeyword())), 'Policy-specific data (structure varies by policy type).')
     ]), 'An RLS policy entry for a blueprint table. Uses $type to match the blueprint JSON convention.');
 }
 function buildBlueprintFtsSource() {
     return addJSDoc(exportInterface('BlueprintFtsSource', [
         addJSDoc(requiredProp('field', t.tsStringKeyword()), 'Column name of the source field.'),
         addJSDoc(requiredProp('weight', t.tsStringKeyword()), 'TSVector weight: "A", "B", "C", or "D".'),
-        addJSDoc(optionalProp('lang', t.tsStringKeyword()), 'Language for text search. Defaults to "english".'),
+        addJSDoc(optionalProp('lang', t.tsStringKeyword()), 'Language for text search. Defaults to "english".')
     ]), 'A source field contributing to a full-text search tsvector column.');
 }
 function buildBlueprintFullTextSearch() {
@@ -240,14 +240,14 @@ function buildBlueprintFullTextSearch() {
         addJSDoc(requiredProp('table_name', t.tsStringKeyword()), 'Table name this full-text search belongs to.'),
         addJSDoc(optionalProp('schema_name', t.tsStringKeyword()), 'Optional schema name for disambiguation (falls back to top-level default).'),
         addJSDoc(requiredProp('field', t.tsStringKeyword()), 'Name of the tsvector field on the table.'),
-        addJSDoc(requiredProp('sources', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintFtsSource')))), 'Source fields that feed into this tsvector.'),
+        addJSDoc(requiredProp('sources', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintFtsSource')))), 'Source fields that feed into this tsvector.')
     ]), 'A full-text search configuration for a blueprint table (top-level, requires table_name).');
 }
 function buildBlueprintTableFullTextSearch() {
     return addJSDoc(exportInterface('BlueprintTableFullTextSearch', [
         addJSDoc(requiredProp('field', t.tsStringKeyword()), 'Name of the tsvector field on the table.'),
         addJSDoc(requiredProp('sources', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintFtsSource')))), 'Source fields that feed into this tsvector.'),
-        addJSDoc(optionalProp('schema_name', t.tsStringKeyword()), 'Optional schema name override.'),
+        addJSDoc(optionalProp('schema_name', t.tsStringKeyword()), 'Optional schema name override.')
     ]), 'A full-text search configuration nested inside a table definition (table_name not required).');
 }
 function buildBlueprintIndex(meta) {
@@ -257,7 +257,7 @@ function buildBlueprintIndex(meta) {
             // JSONB columns get Record<string, unknown> instead of the default
             index_params: recordType(t.tsStringKeyword(), t.tsUnknownKeyword()),
             where_clause: recordType(t.tsStringKeyword(), t.tsUnknownKeyword()),
-            options: recordType(t.tsStringKeyword(), t.tsUnknownKeyword()),
+            options: recordType(t.tsStringKeyword(), t.tsUnknownKeyword())
         });
     }
     // Static fallback
@@ -270,7 +270,7 @@ function buildBlueprintIndex(meta) {
         addJSDoc(optionalProp('is_unique', t.tsBooleanKeyword()), 'Whether this is a unique index.'),
         addJSDoc(optionalProp('name', t.tsStringKeyword()), 'Optional custom name for the index.'),
         addJSDoc(optionalProp('op_classes', t.tsArrayType(t.tsStringKeyword())), 'Operator classes for the index columns.'),
-        addJSDoc(optionalProp('options', recordType(t.tsStringKeyword(), t.tsUnknownKeyword())), 'Additional index-specific options.'),
+        addJSDoc(optionalProp('options', recordType(t.tsStringKeyword(), t.tsUnknownKeyword())), 'Additional index-specific options.')
     ]), 'An index definition within a blueprint (top-level, requires table_name).');
 }
 function buildBlueprintTableIndex() {
@@ -282,7 +282,7 @@ function buildBlueprintTableIndex() {
         addJSDoc(optionalProp('name', t.tsStringKeyword()), 'Optional custom name for the index.'),
         addJSDoc(optionalProp('op_classes', t.tsArrayType(t.tsStringKeyword())), 'Operator classes for the index columns.'),
         addJSDoc(optionalProp('options', recordType(t.tsStringKeyword(), t.tsUnknownKeyword())), 'Additional index-specific options.'),
-        addJSDoc(optionalProp('schema_name', t.tsStringKeyword()), 'Optional schema name override.'),
+        addJSDoc(optionalProp('schema_name', t.tsStringKeyword()), 'Optional schema name override.')
     ]), 'An index definition nested inside a table definition (table_name not required).');
 }
 // ---------------------------------------------------------------------------
@@ -308,7 +308,7 @@ function buildNodeTypes(dataNodes) {
     // BlueprintNode -- shorthand | object
     results.push(addJSDoc(exportTypeAlias('BlueprintNode', t.tsUnionType([
         t.tsTypeReference(t.identifier('BlueprintNodeShorthand')),
-        t.tsTypeReference(t.identifier('BlueprintNodeObject')),
+        t.tsTypeReference(t.identifier('BlueprintNodeObject'))
     ])), 'A node entry in a blueprint table. Either a string shorthand or a typed object.'));
     return results;
 }
@@ -322,7 +322,7 @@ function buildRelationTypes(relationNodes) {
             requiredProp('source_table', t.tsStringKeyword()),
             requiredProp('target_table', t.tsStringKeyword()),
             optionalProp('source_schema_name', t.tsStringKeyword()),
-            optionalProp('target_schema_name', t.tsStringKeyword()),
+            optionalProp('target_schema_name', t.tsStringKeyword())
         ];
         // RelationSpatial is the only relation type that references *existing*
         // columns rather than creating FK/junction fields. Its blueprint JSON
@@ -336,11 +336,11 @@ function buildRelationTypes(relationNodes) {
         const baseType = t.tsTypeLiteral(baseMembers);
         return t.tsIntersectionType([
             baseType,
-            partialOf(t.tsTypeReference(t.identifier(`${nt.name}Params`))),
+            partialOf(t.tsTypeReference(t.identifier(`${nt.name}Params`)))
         ]);
     });
     return [
-        addJSDoc(exportTypeAlias('BlueprintRelation', t.tsUnionType(relationMembers)), 'A relation entry in a blueprint definition.'),
+        addJSDoc(exportTypeAlias('BlueprintRelation', t.tsUnionType(relationMembers)), 'A relation entry in a blueprint definition.')
     ];
 }
 // ---------------------------------------------------------------------------
@@ -350,23 +350,70 @@ function buildBlueprintUniqueConstraint() {
     return addJSDoc(exportInterface('BlueprintUniqueConstraint', [
         addJSDoc(requiredProp('table_name', t.tsStringKeyword()), 'Table name this unique constraint belongs to.'),
         addJSDoc(optionalProp('schema_name', t.tsStringKeyword()), 'Optional schema name for disambiguation (falls back to top-level default).'),
-        addJSDoc(requiredProp('columns', t.tsArrayType(t.tsStringKeyword())), 'Column names that form the unique constraint.'),
+        addJSDoc(requiredProp('columns', t.tsArrayType(t.tsStringKeyword())), 'Column names that form the unique constraint.')
     ]), 'A unique constraint definition within a blueprint (top-level, requires table_name).');
 }
 function buildBlueprintTableUniqueConstraint() {
     return addJSDoc(exportInterface('BlueprintTableUniqueConstraint', [
         addJSDoc(requiredProp('columns', t.tsArrayType(t.tsStringKeyword())), 'Column names that form the unique constraint.'),
-        addJSDoc(optionalProp('schema_name', t.tsStringKeyword()), 'Optional schema name override.'),
+        addJSDoc(optionalProp('schema_name', t.tsStringKeyword()), 'Optional schema name override.')
     ]), 'A unique constraint nested inside a table definition (table_name not required).');
 }
+/**
+ * Build the BlueprintStoragePolicy interface.
+ *
+ * Matches the jsonb policy objects accepted by apply_storage_security():
+ *   { "$type": "AuthzPublishable", "privileges": ["select"], "data": {...}, "tables": [...], "policy_name": "pub" }
+ */
+function buildBlueprintStoragePolicy() {
+    return addJSDoc(exportInterface('BlueprintStoragePolicy', [
+        addJSDoc(requiredProp('$type', t.tsStringKeyword()), 'Authz* policy generator type (e.g., "AuthzPublishable", "AuthzDirectOwner", "AuthzEntityMembership").'),
+        addJSDoc(requiredProp('privileges', t.tsArrayType(t.tsStringKeyword())), 'Privilege array (e.g., ["select", "insert", "update", "delete"]). Intersected with each storage table\'s supported operations.'),
+        addJSDoc(optionalProp('data', recordType(t.tsStringKeyword(), t.tsUnknownKeyword())), 'Policy data config. Auto-derived from $type when omitted (e.g., AuthzPublishable defaults to {"is_published_field": "is_public", "require_published_at": false}).'),
+        addJSDoc(optionalProp('tables', t.tsArrayType(strUnion(['buckets', 'files', 'upload_requests']))), 'Which storage tables to apply this policy to. Defaults to all three when omitted. Uses logical names (not prefixed).'),
+        addJSDoc(optionalProp('policy_name', t.tsStringKeyword()), 'Custom RLS policy name suffix. Auto-derived from $type when omitted (pub/own/mem).')
+    ]), 'A storage-specific RLS policy object for apply_storage_security(). Each entry defines an Authz* policy with explicit privileges, scoped to specific storage tables.');
+}
+/**
+ * Build the BlueprintBucketSeed interface.
+ *
+ * Matches the bucket entries in storage_config.buckets[].
+ */
+function buildBlueprintBucketSeed() {
+    return addJSDoc(exportInterface('BlueprintBucketSeed', [
+        addJSDoc(requiredProp('name', t.tsStringKeyword()), 'Bucket key name (e.g., "avatars", "documents"). Becomes the key column value.'),
+        addJSDoc(optionalProp('description', t.tsStringKeyword()), 'Human-readable description of this bucket.'),
+        addJSDoc(optionalProp('is_public', t.tsBooleanKeyword()), 'Whether the bucket is publicly readable. Defaults to false.'),
+        addJSDoc(optionalProp('allowed_mime_types', t.tsArrayType(t.tsStringKeyword())), 'MIME type allowlist (e.g., ["image/png", "image/jpeg"]). NULL means all types allowed.'),
+        addJSDoc(optionalProp('max_file_size', t.tsNumberKeyword()), 'Maximum file size in bytes for this bucket. NULL means no limit.'),
+        addJSDoc(optionalProp('allowed_origins', t.tsArrayType(t.tsStringKeyword())), 'CORS allowed origins for this bucket.')
+    ]), 'A bucket seed entry for storage_config.buckets[]. Creates an initial bucket row in the {prefix}_buckets table during entity type provisioning. Only used for app-level storage (not entity-scoped).');
+}
+/**
+ * Build the BlueprintStorageConfig interface.
+ *
+ * Matches the jsonb shape accepted by storage_config on entity_type_provision.
+ */
+function buildBlueprintStorageConfig() {
+    return addJSDoc(exportInterface('BlueprintStorageConfig', [
+        addJSDoc(optionalProp('policies', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintStoragePolicy')))), 'Custom RLS policies for storage tables. When provided, replaces the default policy set (AuthzPublishable + membership + AuthzDirectOwner). Each entry is a policy object with $type, privileges, and optional data/tables/policy_name.'),
+        addJSDoc(optionalProp('buckets', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintBucketSeed')))), 'Initial bucket seed entries. Each creates a row in {prefix}_buckets during provisioning. Only used for app-level storage (not entity-scoped).'),
+        addJSDoc(optionalProp('upload_url_expiry_seconds', t.tsNumberKeyword()), 'Override for presigned upload URL expiry time in seconds.'),
+        addJSDoc(optionalProp('download_url_expiry_seconds', t.tsNumberKeyword()), 'Override for presigned download URL expiry time in seconds.'),
+        addJSDoc(optionalProp('default_max_file_size', t.tsNumberKeyword()), 'Default maximum file size in bytes for the storage module.'),
+        addJSDoc(optionalProp('allowed_origins', t.tsArrayType(t.tsStringKeyword())), 'CORS allowed origins for the storage module.')
+    ]), 'Storage configuration for an entity type. Controls RLS policies on storage tables, seeds initial buckets, and overrides module-level settings (expiry times, file size limits, CORS).');
+}
 function buildBlueprintEntityTableProvision() {
     return addJSDoc(exportInterface('BlueprintEntityTableProvision', [
         addJSDoc(optionalProp('use_rls', t.tsBooleanKeyword()), 'Whether to enable RLS on the entity table. Forwarded to secure_table_provision. Defaults to true.'),
         addJSDoc(optionalProp('nodes', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintNode')))), 'Node objects applied to the entity table for field creation (e.g., DataTimestamps, DataPeoplestamps). Forwarded to secure_table_provision as-is.'),
         addJSDoc(optionalProp('fields', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintField')))), 'Custom fields (columns) to add to the entity table. Forwarded to secure_table_provision as-is.'),
-        addJSDoc(optionalProp('grant_privileges', t.tsArrayType(t.tsUnknownKeyword())), 'Privilege grants for the entity table as [verb, columns] tuples (e.g. [["select","*"],["insert","*"]]). Forwarded to secure_table_provision as-is.'),
-        addJSDoc(optionalProp('grant_roles', t.tsArrayType(t.tsStringKeyword())), 'Database roles to grant privileges to. Forwarded to secure_table_provision as-is. Defaults to ["authenticated"].'),
-        addJSDoc(optionalProp('policies', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintPolicy')))), 'RLS policies for the entity table. When present, these policies fully replace the five default entity-table policies (is_visible becomes a no-op).'),
+        addJSDoc(optionalProp('grants', t.tsArrayType(t.tsTypeLiteral([
+            requiredProp('roles', t.tsArrayType(t.tsStringKeyword())),
+            requiredProp('privileges', t.tsArrayType(t.tsUnknownKeyword()))
+        ]))), 'Unified grant objects for the entity table. Each entry is { roles: string[], privileges: unknown[] } where privileges are [verb, columns] tuples. Forwarded to secure_table_provision as-is. Defaults to [].'),
+        addJSDoc(optionalProp('policies', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintPolicy')))), 'RLS policies for the entity table. When present, these policies fully replace the five default entity-table policies (is_visible becomes a no-op).')
     ]), 'Override object for the entity table created by a BlueprintMembershipType. Shape mirrors BlueprintTable / secure_table_provision vocabulary. When supplied, policies[] replaces the default entity-table policies entirely.');
 }
 function buildBlueprintMembershipType() {
@@ -380,8 +427,10 @@ function buildBlueprintMembershipType() {
         addJSDoc(optionalProp('has_limits', t.tsBooleanKeyword()), 'Whether to provision a limits module for this entity type. Defaults to false.'),
         addJSDoc(optionalProp('has_profiles', t.tsBooleanKeyword()), 'Whether to provision a profiles module for this entity type. Defaults to false.'),
         addJSDoc(optionalProp('has_levels', t.tsBooleanKeyword()), 'Whether to provision a levels module for this entity type. Defaults to false.'),
+        addJSDoc(optionalProp('has_storage', t.tsBooleanKeyword()), 'Whether to provision a storage module (buckets, files, upload_requests tables) for this entity type. Defaults to false.'),
         addJSDoc(optionalProp('skip_entity_policies', t.tsBooleanKeyword()), 'Escape hatch: when true AND table_provision is NULL, zero policies are provisioned on the entity table. Defaults to false.'),
         addJSDoc(optionalProp('table_provision', t.tsTypeReference(t.identifier('BlueprintEntityTableProvision'))), 'Override for the entity table. Shape mirrors BlueprintTable / secure_table_provision vocabulary. When supplied, its policies[] replaces the five default entity-table policies; is_visible becomes a no-op. When NULL (default), the five default policies are applied (gated by is_visible).'),
+        addJSDoc(optionalProp('storage', t.tsTypeReference(t.identifier('BlueprintStorageConfig'))), 'Storage configuration. Only used when has_storage is true. Controls RLS policies on storage tables, seeds initial buckets, and overrides module-level settings (expiry times, file size limits, CORS).')
     ]), 'A membership type entry for Phase 0 of construct_blueprint(). Provisions a full entity type with its own entity table, membership modules, and security policies via entity_type_provision.');
 }
 function buildBlueprintTable() {
@@ -391,12 +440,14 @@ function buildBlueprintTable() {
         addJSDoc(requiredProp('nodes', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintNode')))), "Array of node type entries that define the table's behavior."),
         addJSDoc(optionalProp('fields', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintField')))), 'Custom fields (columns) to add to the table.'),
         addJSDoc(optionalProp('policies', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintPolicy')))), 'RLS policies for this table.'),
-        addJSDoc(optionalProp('grant_roles', t.tsArrayType(t.tsStringKeyword())), 'Database roles to grant privileges to. Defaults to ["authenticated"].'),
-        addJSDoc(optionalProp('grants', t.tsArrayType(t.tsUnknownKeyword())), 'Privilege grants as [verb, column] tuples or objects. Defaults to empty (no grants — callers must explicitly specify).'),
+        addJSDoc(optionalProp('grants', t.tsArrayType(t.tsTypeLiteral([
+            requiredProp('roles', t.tsArrayType(t.tsStringKeyword())),
+            requiredProp('privileges', t.tsArrayType(t.tsUnknownKeyword()))
+        ]))), 'Unified grant objects. Each entry is { roles: string[], privileges: unknown[] } where privileges are [verb, columns] tuples (e.g. [["select","*"]]). Enables per-role targeting. Defaults to [].'),
         addJSDoc(optionalProp('use_rls', t.tsBooleanKeyword()), 'Whether to enable RLS on this table. Defaults to true.'),
         addJSDoc(optionalProp('indexes', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintTableIndex')))), 'Table-level indexes (table_name inherited from parent).'),
         addJSDoc(optionalProp('full_text_searches', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintTableFullTextSearch')))), 'Table-level full-text search configurations (table_name inherited from parent).'),
-        addJSDoc(optionalProp('unique_constraints', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintTableUniqueConstraint')))), 'Table-level unique constraints (table_name inherited from parent).'),
+        addJSDoc(optionalProp('unique_constraints', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintTableUniqueConstraint')))), 'Table-level unique constraints (table_name inherited from parent).')
     ]), 'A table definition within a blueprint.');
 }
 function buildBlueprintDefinition() {
@@ -406,7 +457,7 @@ function buildBlueprintDefinition() {
         addJSDoc(optionalProp('indexes', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintIndex')))), 'Indexes on table columns.'),
         addJSDoc(optionalProp('full_text_searches', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintFullTextSearch')))), 'Full-text search configurations.'),
         addJSDoc(optionalProp('unique_constraints', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintUniqueConstraint')))), 'Unique constraints on table columns.'),
-        addJSDoc(optionalProp('membership_types', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintMembershipType')))), 'Entity types to provision in Phase 0 (before tables). Each entry creates an entity table with membership modules and security.'),
+        addJSDoc(optionalProp('membership_types', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintMembershipType')))), 'Entity types to provision in Phase 0 (before tables). Each entry creates an entity table with membership modules and security.')
     ]), 'The complete blueprint definition -- the JSONB shape accepted by construct_blueprint().');
 }
 // ---------------------------------------------------------------------------
@@ -417,8 +468,8 @@ function sectionComment(title) {
     empty.leadingComments = [
         {
             type: 'CommentBlock',
-            value: `*\n * ===========================================================================\n * ${title}\n * ===========================================================================\n `,
-        },
+            value: `*\n * ===========================================================================\n * ${title}\n * ===========================================================================\n `
+        }
     ];
     return empty;
 }
@@ -460,6 +511,9 @@ function buildProgram(meta) {
     statements.push(buildBlueprintTableIndex());
     statements.push(buildBlueprintUniqueConstraint());
     statements.push(buildBlueprintTableUniqueConstraint());
+    statements.push(buildBlueprintStoragePolicy());
+    statements.push(buildBlueprintBucketSeed());
+    statements.push(buildBlueprintStorageConfig());
     statements.push(buildBlueprintEntityTableProvision());
     statements.push(buildBlueprintMembershipType());
     // -- Node types discriminated union --
@@ -477,6 +531,7 @@ function buildProgram(meta) {
     const file = t.file(program);
     const header = [
         '// GENERATED FILE \u2014 DO NOT EDIT',
+        '/* eslint-disable @typescript-eslint/no-empty-object-type */',
         '//',
         '// Regenerate with:',
         '//   cd graphql/node-type-registry && pnpm generate:types',
@@ -484,9 +539,9 @@ function buildProgram(meta) {
         '// These types match the JSONB shape expected by construct_blueprint().',
         '// All field names are snake_case to match the SQL convention.',
         '',
-        '',
+        ''
     ].join('\n');
-    const output = generate(file, { comments: true });
+    const output = generate(file, { comments: true, jsescOption: { quotes: 'single' } });
     return header + output.code + '\n';
 }
 // ---------------------------------------------------------------------------

package/esm/relation/relation-many-to-many.js CHANGED Viewed

@@ -46,46 +46,33 @@ export const RelationManyToMany = {
                 },
                 "description": "Array of node objects for field creation on junction table. Each object has a $type key (e.g. DataId, DataEntityMembership) and optional data keys. Forwarded to secure_table_provision as-is. Empty array means no additional fields."
             },
-            "grant_roles": {
+            "grants": {
                 "type": "array",
                 "items": {
-                    "type": "string"
+                    "type": "object",
+                    "properties": {
+                        "roles": { "type": "array", "items": { "type": "string" } },
+                        "privileges": { "type": "array", "items": { "type": "array", "items": { "type": "string" } } }
+                    },
+                    "required": ["roles", "privileges"]
                 },
-                "description": "Database roles to grant privileges to. Forwarded to secure_table_provision as-is. Default: [authenticated]"
+                "description": "Unified grant objects for the junction table. Each entry is { roles: string[], privileges: string[][] }. Forwarded to secure_table_provision as-is. Default: []"
             },
-            "grant_privileges": {
+            "policies": {
                 "type": "array",
                 "items": {
-                    "type": "array",
-                    "items": {
-                        "type": "string"
-                    }
+                    "type": "object",
+                    "properties": {
+                        "$type": { "type": "string" },
+                        "data": { "type": "object" },
+                        "privileges": { "type": "array", "items": { "type": "string" } },
+                        "policy_role": { "type": "string" },
+                        "permissive": { "type": "boolean" },
+                        "policy_name": { "type": "string" }
+                    },
+                    "required": ["$type"]
                 },
-                "description": "Privilege grants for the junction table as [verb, columns] tuples (e.g. [['select','*'],['insert','*']]). Forwarded to secure_table_provision as-is. Default: select/insert/delete for all columns"
-            },
-            "policy_type": {
-                "type": "string",
-                "description": "RLS policy type for the junction table. Forwarded to secure_table_provision as-is. NULL means no policy."
-            },
-            "policy_privileges": {
-                "type": "array",
-                "items": {
-                    "type": "string"
-                },
-                "description": "Privileges the policy applies to. Forwarded to secure_table_provision as-is. NULL means derived from grant_privileges verbs."
-            },
-            "policy_role": {
-                "type": "string",
-                "description": "Database role the policy targets. Forwarded to secure_table_provision as-is. NULL means falls back to first grant_role."
-            },
-            "policy_permissive": {
-                "type": "boolean",
-                "description": "Whether the policy is PERMISSIVE (true) or RESTRICTIVE (false). Forwarded to secure_table_provision as-is.",
-                "default": true
-            },
-            "policy_data": {
-                "type": "object",
-                "description": "Policy configuration forwarded to secure_table_provision as-is. Structure varies by policy_type."
+                "description": "RLS policy objects for the junction table. Each entry has $type (Authz* generator), optional data, privileges, policy_role, permissive, policy_name. Forwarded to secure_table_provision as-is. Default: []"
             }
         },
         "required": [

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "node-type-registry",
-  "version": "0.17.0",
+  "version": "0.18.0",
   "description": "Node type definitions for the Constructive blueprint system. Single source of truth for all Authz*, Data*, Relation*, and View* node types.",
   "author": "Constructive <developers@constructive.io>",
   "main": "index.js",
@@ -47,5 +47,5 @@
     "registry",
     "graphile"
   ],
-  "gitHead": "4988b64539a61786647412a456c56cb486722e18"
+  "gitHead": "058b8200e99eb505477d1599ee0d5ab795aa0123"
 }

package/relation/relation-many-to-many.js CHANGED Viewed

@@ -49,46 +49,33 @@ exports.RelationManyToMany = {
                 },
                 "description": "Array of node objects for field creation on junction table. Each object has a $type key (e.g. DataId, DataEntityMembership) and optional data keys. Forwarded to secure_table_provision as-is. Empty array means no additional fields."
             },
-            "grant_roles": {
+            "grants": {
                 "type": "array",
                 "items": {
-                    "type": "string"
+                    "type": "object",
+                    "properties": {
+                        "roles": { "type": "array", "items": { "type": "string" } },
+                        "privileges": { "type": "array", "items": { "type": "array", "items": { "type": "string" } } }
+                    },
+                    "required": ["roles", "privileges"]
                 },
-                "description": "Database roles to grant privileges to. Forwarded to secure_table_provision as-is. Default: [authenticated]"
+                "description": "Unified grant objects for the junction table. Each entry is { roles: string[], privileges: string[][] }. Forwarded to secure_table_provision as-is. Default: []"
             },
-            "grant_privileges": {
+            "policies": {
                 "type": "array",
                 "items": {
-                    "type": "array",
-                    "items": {
-                        "type": "string"
-                    }
+                    "type": "object",
+                    "properties": {
+                        "$type": { "type": "string" },
+                        "data": { "type": "object" },
+                        "privileges": { "type": "array", "items": { "type": "string" } },
+                        "policy_role": { "type": "string" },
+                        "permissive": { "type": "boolean" },
+                        "policy_name": { "type": "string" }
+                    },
+                    "required": ["$type"]
                 },
-                "description": "Privilege grants for the junction table as [verb, columns] tuples (e.g. [['select','*'],['insert','*']]). Forwarded to secure_table_provision as-is. Default: select/insert/delete for all columns"
-            },
-            "policy_type": {
-                "type": "string",
-                "description": "RLS policy type for the junction table. Forwarded to secure_table_provision as-is. NULL means no policy."
-            },
-            "policy_privileges": {
-                "type": "array",
-                "items": {
-                    "type": "string"
-                },
-                "description": "Privileges the policy applies to. Forwarded to secure_table_provision as-is. NULL means derived from grant_privileges verbs."
-            },
-            "policy_role": {
-                "type": "string",
-                "description": "Database role the policy targets. Forwarded to secure_table_provision as-is. NULL means falls back to first grant_role."
-            },
-            "policy_permissive": {
-                "type": "boolean",
-                "description": "Whether the policy is PERMISSIVE (true) or RESTRICTIVE (false). Forwarded to secure_table_provision as-is.",
-                "default": true
-            },
-            "policy_data": {
-                "type": "object",
-                "description": "Policy configuration forwarded to secure_table_provision as-is. Structure varies by policy_type."
+                "description": "RLS policy objects for the junction table. Each entry has $type (Authz* generator), optional data, privileges, policy_role, permissive, policy_name. Forwarded to secure_table_provision as-is. Default: []"
             }
         },
         "required": [