node-type-registry 0.18.1 → 0.19.0

package/blueprint-types.generated.d.ts

@@ -574,19 +574,6 @@ export interface BlueprintTableUniqueConstraint {
     /** Optional schema name override. */
     schema_name?: string;
 }
-/** A storage-specific RLS policy object for apply_storage_security(). Each entry defines an Authz* policy with explicit privileges, scoped to specific storage tables. */
-export interface BlueprintStoragePolicy {
-    /** Authz* policy generator type (e.g., "AuthzPublishable", "AuthzDirectOwner", "AuthzEntityMembership"). */
-    $type: string;
-    /** Privilege array (e.g., ["select", "insert", "update", "delete"]). Intersected with each storage table's supported operations. */
-    privileges: string[];
-    /** Policy data config. Auto-derived from $type when omitted (e.g., AuthzPublishable defaults to {"is_published_field": "is_public", "require_published_at": false}). */
-    data?: Record<string, unknown>;
-    /** Which storage tables to apply this policy to. Defaults to all three when omitted. Uses logical names (not prefixed). */
-    tables?: ('buckets' | 'files' | 'upload_requests')[];
-    /** Custom RLS policy name suffix. Auto-derived from $type when omitted (pub/own/mem). */
-    policy_name?: string;
-}
 /** A bucket seed entry for storage_config.buckets[]. Creates an initial bucket row in the {prefix}_buckets table during entity type provisioning. Only used for app-level storage (not entity-scoped). */
 export interface BlueprintBucketSeed {
     /** Bucket key name (e.g., "avatars", "documents"). Becomes the key column value. */
@@ -602,10 +589,8 @@ export interface BlueprintBucketSeed {
     /** CORS allowed origins for this bucket. */
     allowed_origins?: string[];
 }
-/** Storage configuration for an entity type. Controls RLS policies on storage tables, seeds initial buckets, and overrides module-level settings (expiry times, file size limits, CORS). */
+/** Storage configuration for an entity type. Seeds initial buckets, overrides module-level settings (expiry times, file size limits, CORS), and provides per-table provisioning overrides via provisions. */
 export interface BlueprintStorageConfig {
-    /** Custom RLS policies for storage tables. When provided, replaces the default policy set (AuthzPublishable + membership + AuthzDirectOwner). Each entry is a policy object with $type, privileges, and optional data/tables/policy_name. */
-    policies?: BlueprintStoragePolicy[];
     /** Initial bucket seed entries. Each creates a row in {prefix}_buckets during provisioning. Only used for app-level storage (not entity-scoped). */
     buckets?: BlueprintBucketSeed[];
     /** Override for presigned upload URL expiry time in seconds. */
@@ -616,6 +601,12 @@ export interface BlueprintStorageConfig {
     default_max_file_size?: number;
     /** CORS allowed origins for the storage module. */
     allowed_origins?: string[];
+    /** Per-table overrides for storage tables. Each key targets a specific storage table (files, buckets, upload_requests) and uses the same shape as table_provision: { nodes, fields, grants, use_rls, policies }. Fanned out to secure_table_provision targeting the corresponding table. When a key includes policies[], those REPLACE the default storage policies for that table; tables without a key still get defaults. */
+    provisions?: {
+        files?: BlueprintEntityTableProvision;
+        buckets?: BlueprintEntityTableProvision;
+        upload_requests?: BlueprintEntityTableProvision;
+    };
 }
 /** Override object for the entity table created by a BlueprintEntityType. Shape mirrors BlueprintTable / secure_table_provision vocabulary. When supplied, policies[] replaces the default entity-table policies entirely. */
 export interface BlueprintEntityTableProvision {
@@ -655,6 +646,8 @@ export interface BlueprintEntityType {
     has_levels?: boolean;
     /** Whether to provision a storage module (buckets, files, upload_requests tables) for this entity type. Defaults to false. */
     has_storage?: boolean;
+    /** Whether to provision entity-scoped invite tables ({prefix}_invites, {prefix}_claimed_invites) and a submit_{prefix}_invite_code() function. Defaults to false. */
+    has_invites?: boolean;
     /** Escape hatch: when true AND table_provision is NULL, zero policies are provisioned on the entity table. Defaults to false. */
     skip_entity_policies?: boolean;
     /** Override for the entity table. Shape mirrors BlueprintTable / secure_table_provision vocabulary. When supplied, its policies[] replaces the five default entity-table policies; is_visible becomes a no-op. When NULL (default), the five default policies are applied (gated by is_visible). */
@@ -877,6 +870,6 @@ export interface BlueprintDefinition {
     unique_constraints?: BlueprintUniqueConstraint[];
     /** Entity types to provision in Phase 0 (before tables). Each entry creates an entity table with membership modules and security. */
     entity_types?: BlueprintEntityType[];
-    /** App-level storage configuration. Creates a storage_module (membership_type = NULL) with the specified policies, seeds initial buckets, and overrides module-level settings (expiry times, file size limits, CORS). For entity-scoped storage, use entity_types[].has_storage + entity_types[].storage instead. */
+    /** App-level storage configuration. Creates a storage_module (membership_type = NULL), seeds initial buckets, and overrides module-level settings (expiry times, file size limits, CORS). Use provisions for per-table policy overrides. For entity-scoped storage, use entity_types[].has_storage + entity_types[].storage instead. */
     storage?: BlueprintStorageConfig;
 }

package/codegen/generate-types.js

@@ -394,21 +394,6 @@ function buildBlueprintTableUniqueConstraint() {
         addJSDoc(optionalProp('schema_name', t.tsStringKeyword()), 'Optional schema name override.')
     ]), 'A unique constraint nested inside a table definition (table_name not required).');
 }
-/**
- * Build the BlueprintStoragePolicy interface.
- *
- * Matches the jsonb policy objects accepted by apply_storage_security():
- *   { "$type": "AuthzPublishable", "privileges": ["select"], "data": {...}, "tables": [...], "policy_name": "pub" }
- */
-function buildBlueprintStoragePolicy() {
-    return addJSDoc(exportInterface('BlueprintStoragePolicy', [
-        addJSDoc(requiredProp('$type', t.tsStringKeyword()), 'Authz* policy generator type (e.g., "AuthzPublishable", "AuthzDirectOwner", "AuthzEntityMembership").'),
-        addJSDoc(requiredProp('privileges', t.tsArrayType(t.tsStringKeyword())), 'Privilege array (e.g., ["select", "insert", "update", "delete"]). Intersected with each storage table\'s supported operations.'),
-        addJSDoc(optionalProp('data', recordType(t.tsStringKeyword(), t.tsUnknownKeyword())), 'Policy data config. Auto-derived from $type when omitted (e.g., AuthzPublishable defaults to {"is_published_field": "is_public", "require_published_at": false}).'),
-        addJSDoc(optionalProp('tables', t.tsArrayType(strUnion(['buckets', 'files', 'upload_requests']))), 'Which storage tables to apply this policy to. Defaults to all three when omitted. Uses logical names (not prefixed).'),
-        addJSDoc(optionalProp('policy_name', t.tsStringKeyword()), 'Custom RLS policy name suffix. Auto-derived from $type when omitted (pub/own/mem).')
-    ]), 'A storage-specific RLS policy object for apply_storage_security(). Each entry defines an Authz* policy with explicit privileges, scoped to specific storage tables.');
-}
 /**
  * Build the BlueprintBucketSeed interface.
  *
@@ -431,13 +416,17 @@ function buildBlueprintBucketSeed() {
  */
 function buildBlueprintStorageConfig() {
     return addJSDoc(exportInterface('BlueprintStorageConfig', [
-        addJSDoc(optionalProp('policies', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintStoragePolicy')))), 'Custom RLS policies for storage tables. When provided, replaces the default policy set (AuthzPublishable + membership + AuthzDirectOwner). Each entry is a policy object with $type, privileges, and optional data/tables/policy_name.'),
         addJSDoc(optionalProp('buckets', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintBucketSeed')))), 'Initial bucket seed entries. Each creates a row in {prefix}_buckets during provisioning. Only used for app-level storage (not entity-scoped).'),
         addJSDoc(optionalProp('upload_url_expiry_seconds', t.tsNumberKeyword()), 'Override for presigned upload URL expiry time in seconds.'),
         addJSDoc(optionalProp('download_url_expiry_seconds', t.tsNumberKeyword()), 'Override for presigned download URL expiry time in seconds.'),
         addJSDoc(optionalProp('default_max_file_size', t.tsNumberKeyword()), 'Default maximum file size in bytes for the storage module.'),
-        addJSDoc(optionalProp('allowed_origins', t.tsArrayType(t.tsStringKeyword())), 'CORS allowed origins for the storage module.')
-    ]), 'Storage configuration for an entity type. Controls RLS policies on storage tables, seeds initial buckets, and overrides module-level settings (expiry times, file size limits, CORS).');
+        addJSDoc(optionalProp('allowed_origins', t.tsArrayType(t.tsStringKeyword())), 'CORS allowed origins for the storage module.'),
+        addJSDoc(optionalProp('provisions', t.tsTypeLiteral([
+            optionalProp('files', t.tsTypeReference(t.identifier('BlueprintEntityTableProvision'))),
+            optionalProp('buckets', t.tsTypeReference(t.identifier('BlueprintEntityTableProvision'))),
+            optionalProp('upload_requests', t.tsTypeReference(t.identifier('BlueprintEntityTableProvision')))
+        ])), 'Per-table overrides for storage tables. Each key targets a specific storage table (files, buckets, upload_requests) and uses the same shape as table_provision: { nodes, fields, grants, use_rls, policies }. Fanned out to secure_table_provision targeting the corresponding table. When a key includes policies[], those REPLACE the default storage policies for that table; tables without a key still get defaults.')
+    ]), 'Storage configuration for an entity type. Seeds initial buckets, overrides module-level settings (expiry times, file size limits, CORS), and provides per-table provisioning overrides via provisions.');
 }
 function buildBlueprintEntityTableProvision() {
     return addJSDoc(exportInterface('BlueprintEntityTableProvision', [
@@ -463,6 +452,7 @@ function buildBlueprintEntityType() {
         addJSDoc(optionalProp('has_profiles', t.tsBooleanKeyword()), 'Whether to provision a profiles module for this entity type. Defaults to false.'),
         addJSDoc(optionalProp('has_levels', t.tsBooleanKeyword()), 'Whether to provision a levels module for this entity type. Defaults to false.'),
         addJSDoc(optionalProp('has_storage', t.tsBooleanKeyword()), 'Whether to provision a storage module (buckets, files, upload_requests tables) for this entity type. Defaults to false.'),
+        addJSDoc(optionalProp('has_invites', t.tsBooleanKeyword()), 'Whether to provision entity-scoped invite tables ({prefix}_invites, {prefix}_claimed_invites) and a submit_{prefix}_invite_code() function. Defaults to false.'),
         addJSDoc(optionalProp('skip_entity_policies', t.tsBooleanKeyword()), 'Escape hatch: when true AND table_provision is NULL, zero policies are provisioned on the entity table. Defaults to false.'),
         addJSDoc(optionalProp('table_provision', t.tsTypeReference(t.identifier('BlueprintEntityTableProvision'))), 'Override for the entity table. Shape mirrors BlueprintTable / secure_table_provision vocabulary. When supplied, its policies[] replaces the five default entity-table policies; is_visible becomes a no-op. When NULL (default), the five default policies are applied (gated by is_visible).'),
         addJSDoc(optionalProp('storage', t.tsTypeReference(t.identifier('BlueprintStorageConfig'))), 'Storage configuration. Only used when has_storage is true. Controls RLS policies on storage tables, seeds initial buckets, and overrides module-level settings (expiry times, file size limits, CORS).')
@@ -493,7 +483,7 @@ function buildBlueprintDefinition() {
         addJSDoc(optionalProp('full_text_searches', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintFullTextSearch')))), 'Full-text search configurations.'),
         addJSDoc(optionalProp('unique_constraints', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintUniqueConstraint')))), 'Unique constraints on table columns.'),
         addJSDoc(optionalProp('entity_types', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintEntityType')))), 'Entity types to provision in Phase 0 (before tables). Each entry creates an entity table with membership modules and security.'),
-        addJSDoc(optionalProp('storage', t.tsTypeReference(t.identifier('BlueprintStorageConfig'))), 'App-level storage configuration. Creates a storage_module (membership_type = NULL) with the specified policies, seeds initial buckets, and overrides module-level settings (expiry times, file size limits, CORS). For entity-scoped storage, use entity_types[].has_storage + entity_types[].storage instead.')
+        addJSDoc(optionalProp('storage', t.tsTypeReference(t.identifier('BlueprintStorageConfig'))), 'App-level storage configuration. Creates a storage_module (membership_type = NULL), seeds initial buckets, and overrides module-level settings (expiry times, file size limits, CORS). Use provisions for per-table policy overrides. For entity-scoped storage, use entity_types[].has_storage + entity_types[].storage instead.')
     ]), 'The complete blueprint definition -- the JSONB shape accepted by construct_blueprint().');
 }
 // ---------------------------------------------------------------------------
@@ -547,7 +537,6 @@ function buildProgram(meta) {
     statements.push(buildBlueprintTableIndex());
     statements.push(buildBlueprintUniqueConstraint());
     statements.push(buildBlueprintTableUniqueConstraint());
-    statements.push(buildBlueprintStoragePolicy());
     statements.push(buildBlueprintBucketSeed());
     statements.push(buildBlueprintStorageConfig());
     statements.push(buildBlueprintEntityTableProvision());

package/esm/blueprint-types.generated.d.ts

@@ -574,19 +574,6 @@ export interface BlueprintTableUniqueConstraint {
     /** Optional schema name override. */
     schema_name?: string;
 }
-/** A storage-specific RLS policy object for apply_storage_security(). Each entry defines an Authz* policy with explicit privileges, scoped to specific storage tables. */
-export interface BlueprintStoragePolicy {
-    /** Authz* policy generator type (e.g., "AuthzPublishable", "AuthzDirectOwner", "AuthzEntityMembership"). */
-    $type: string;
-    /** Privilege array (e.g., ["select", "insert", "update", "delete"]). Intersected with each storage table's supported operations. */
-    privileges: string[];
-    /** Policy data config. Auto-derived from $type when omitted (e.g., AuthzPublishable defaults to {"is_published_field": "is_public", "require_published_at": false}). */
-    data?: Record<string, unknown>;
-    /** Which storage tables to apply this policy to. Defaults to all three when omitted. Uses logical names (not prefixed). */
-    tables?: ('buckets' | 'files' | 'upload_requests')[];
-    /** Custom RLS policy name suffix. Auto-derived from $type when omitted (pub/own/mem). */
-    policy_name?: string;
-}
 /** A bucket seed entry for storage_config.buckets[]. Creates an initial bucket row in the {prefix}_buckets table during entity type provisioning. Only used for app-level storage (not entity-scoped). */
 export interface BlueprintBucketSeed {
     /** Bucket key name (e.g., "avatars", "documents"). Becomes the key column value. */
@@ -602,10 +589,8 @@ export interface BlueprintBucketSeed {
     /** CORS allowed origins for this bucket. */
     allowed_origins?: string[];
 }
-/** Storage configuration for an entity type. Controls RLS policies on storage tables, seeds initial buckets, and overrides module-level settings (expiry times, file size limits, CORS). */
+/** Storage configuration for an entity type. Seeds initial buckets, overrides module-level settings (expiry times, file size limits, CORS), and provides per-table provisioning overrides via provisions. */
 export interface BlueprintStorageConfig {
-    /** Custom RLS policies for storage tables. When provided, replaces the default policy set (AuthzPublishable + membership + AuthzDirectOwner). Each entry is a policy object with $type, privileges, and optional data/tables/policy_name. */
-    policies?: BlueprintStoragePolicy[];
     /** Initial bucket seed entries. Each creates a row in {prefix}_buckets during provisioning. Only used for app-level storage (not entity-scoped). */
     buckets?: BlueprintBucketSeed[];
     /** Override for presigned upload URL expiry time in seconds. */
@@ -616,6 +601,12 @@ export interface BlueprintStorageConfig {
     default_max_file_size?: number;
     /** CORS allowed origins for the storage module. */
     allowed_origins?: string[];
+    /** Per-table overrides for storage tables. Each key targets a specific storage table (files, buckets, upload_requests) and uses the same shape as table_provision: { nodes, fields, grants, use_rls, policies }. Fanned out to secure_table_provision targeting the corresponding table. When a key includes policies[], those REPLACE the default storage policies for that table; tables without a key still get defaults. */
+    provisions?: {
+        files?: BlueprintEntityTableProvision;
+        buckets?: BlueprintEntityTableProvision;
+        upload_requests?: BlueprintEntityTableProvision;
+    };
 }
 /** Override object for the entity table created by a BlueprintEntityType. Shape mirrors BlueprintTable / secure_table_provision vocabulary. When supplied, policies[] replaces the default entity-table policies entirely. */
 export interface BlueprintEntityTableProvision {
@@ -655,6 +646,8 @@ export interface BlueprintEntityType {
     has_levels?: boolean;
     /** Whether to provision a storage module (buckets, files, upload_requests tables) for this entity type. Defaults to false. */
     has_storage?: boolean;
+    /** Whether to provision entity-scoped invite tables ({prefix}_invites, {prefix}_claimed_invites) and a submit_{prefix}_invite_code() function. Defaults to false. */
+    has_invites?: boolean;
     /** Escape hatch: when true AND table_provision is NULL, zero policies are provisioned on the entity table. Defaults to false. */
     skip_entity_policies?: boolean;
     /** Override for the entity table. Shape mirrors BlueprintTable / secure_table_provision vocabulary. When supplied, its policies[] replaces the five default entity-table policies; is_visible becomes a no-op. When NULL (default), the five default policies are applied (gated by is_visible). */
@@ -877,6 +870,6 @@ export interface BlueprintDefinition {
     unique_constraints?: BlueprintUniqueConstraint[];
     /** Entity types to provision in Phase 0 (before tables). Each entry creates an entity table with membership modules and security. */
     entity_types?: BlueprintEntityType[];
-    /** App-level storage configuration. Creates a storage_module (membership_type = NULL) with the specified policies, seeds initial buckets, and overrides module-level settings (expiry times, file size limits, CORS). For entity-scoped storage, use entity_types[].has_storage + entity_types[].storage instead. */
+    /** App-level storage configuration. Creates a storage_module (membership_type = NULL), seeds initial buckets, and overrides module-level settings (expiry times, file size limits, CORS). Use provisions for per-table policy overrides. For entity-scoped storage, use entity_types[].has_storage + entity_types[].storage instead. */
     storage?: BlueprintStorageConfig;
 }

package/esm/codegen/generate-types.js

@@ -359,21 +359,6 @@ function buildBlueprintTableUniqueConstraint() {
         addJSDoc(optionalProp('schema_name', t.tsStringKeyword()), 'Optional schema name override.')
     ]), 'A unique constraint nested inside a table definition (table_name not required).');
 }
-/**
- * Build the BlueprintStoragePolicy interface.
- *
- * Matches the jsonb policy objects accepted by apply_storage_security():
- *   { "$type": "AuthzPublishable", "privileges": ["select"], "data": {...}, "tables": [...], "policy_name": "pub" }
- */
-function buildBlueprintStoragePolicy() {
-    return addJSDoc(exportInterface('BlueprintStoragePolicy', [
-        addJSDoc(requiredProp('$type', t.tsStringKeyword()), 'Authz* policy generator type (e.g., "AuthzPublishable", "AuthzDirectOwner", "AuthzEntityMembership").'),
-        addJSDoc(requiredProp('privileges', t.tsArrayType(t.tsStringKeyword())), 'Privilege array (e.g., ["select", "insert", "update", "delete"]). Intersected with each storage table\'s supported operations.'),
-        addJSDoc(optionalProp('data', recordType(t.tsStringKeyword(), t.tsUnknownKeyword())), 'Policy data config. Auto-derived from $type when omitted (e.g., AuthzPublishable defaults to {"is_published_field": "is_public", "require_published_at": false}).'),
-        addJSDoc(optionalProp('tables', t.tsArrayType(strUnion(['buckets', 'files', 'upload_requests']))), 'Which storage tables to apply this policy to. Defaults to all three when omitted. Uses logical names (not prefixed).'),
-        addJSDoc(optionalProp('policy_name', t.tsStringKeyword()), 'Custom RLS policy name suffix. Auto-derived from $type when omitted (pub/own/mem).')
-    ]), 'A storage-specific RLS policy object for apply_storage_security(). Each entry defines an Authz* policy with explicit privileges, scoped to specific storage tables.');
-}
 /**
  * Build the BlueprintBucketSeed interface.
  *
@@ -396,13 +381,17 @@ function buildBlueprintBucketSeed() {
  */
 function buildBlueprintStorageConfig() {
     return addJSDoc(exportInterface('BlueprintStorageConfig', [
-        addJSDoc(optionalProp('policies', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintStoragePolicy')))), 'Custom RLS policies for storage tables. When provided, replaces the default policy set (AuthzPublishable + membership + AuthzDirectOwner). Each entry is a policy object with $type, privileges, and optional data/tables/policy_name.'),
         addJSDoc(optionalProp('buckets', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintBucketSeed')))), 'Initial bucket seed entries. Each creates a row in {prefix}_buckets during provisioning. Only used for app-level storage (not entity-scoped).'),
         addJSDoc(optionalProp('upload_url_expiry_seconds', t.tsNumberKeyword()), 'Override for presigned upload URL expiry time in seconds.'),
         addJSDoc(optionalProp('download_url_expiry_seconds', t.tsNumberKeyword()), 'Override for presigned download URL expiry time in seconds.'),
         addJSDoc(optionalProp('default_max_file_size', t.tsNumberKeyword()), 'Default maximum file size in bytes for the storage module.'),
-        addJSDoc(optionalProp('allowed_origins', t.tsArrayType(t.tsStringKeyword())), 'CORS allowed origins for the storage module.')
-    ]), 'Storage configuration for an entity type. Controls RLS policies on storage tables, seeds initial buckets, and overrides module-level settings (expiry times, file size limits, CORS).');
+        addJSDoc(optionalProp('allowed_origins', t.tsArrayType(t.tsStringKeyword())), 'CORS allowed origins for the storage module.'),
+        addJSDoc(optionalProp('provisions', t.tsTypeLiteral([
+            optionalProp('files', t.tsTypeReference(t.identifier('BlueprintEntityTableProvision'))),
+            optionalProp('buckets', t.tsTypeReference(t.identifier('BlueprintEntityTableProvision'))),
+            optionalProp('upload_requests', t.tsTypeReference(t.identifier('BlueprintEntityTableProvision')))
+        ])), 'Per-table overrides for storage tables. Each key targets a specific storage table (files, buckets, upload_requests) and uses the same shape as table_provision: { nodes, fields, grants, use_rls, policies }. Fanned out to secure_table_provision targeting the corresponding table. When a key includes policies[], those REPLACE the default storage policies for that table; tables without a key still get defaults.')
+    ]), 'Storage configuration for an entity type. Seeds initial buckets, overrides module-level settings (expiry times, file size limits, CORS), and provides per-table provisioning overrides via provisions.');
 }
 function buildBlueprintEntityTableProvision() {
     return addJSDoc(exportInterface('BlueprintEntityTableProvision', [
@@ -428,6 +417,7 @@ function buildBlueprintEntityType() {
         addJSDoc(optionalProp('has_profiles', t.tsBooleanKeyword()), 'Whether to provision a profiles module for this entity type. Defaults to false.'),
         addJSDoc(optionalProp('has_levels', t.tsBooleanKeyword()), 'Whether to provision a levels module for this entity type. Defaults to false.'),
         addJSDoc(optionalProp('has_storage', t.tsBooleanKeyword()), 'Whether to provision a storage module (buckets, files, upload_requests tables) for this entity type. Defaults to false.'),
+        addJSDoc(optionalProp('has_invites', t.tsBooleanKeyword()), 'Whether to provision entity-scoped invite tables ({prefix}_invites, {prefix}_claimed_invites) and a submit_{prefix}_invite_code() function. Defaults to false.'),
         addJSDoc(optionalProp('skip_entity_policies', t.tsBooleanKeyword()), 'Escape hatch: when true AND table_provision is NULL, zero policies are provisioned on the entity table. Defaults to false.'),
         addJSDoc(optionalProp('table_provision', t.tsTypeReference(t.identifier('BlueprintEntityTableProvision'))), 'Override for the entity table. Shape mirrors BlueprintTable / secure_table_provision vocabulary. When supplied, its policies[] replaces the five default entity-table policies; is_visible becomes a no-op. When NULL (default), the five default policies are applied (gated by is_visible).'),
         addJSDoc(optionalProp('storage', t.tsTypeReference(t.identifier('BlueprintStorageConfig'))), 'Storage configuration. Only used when has_storage is true. Controls RLS policies on storage tables, seeds initial buckets, and overrides module-level settings (expiry times, file size limits, CORS).')
@@ -458,7 +448,7 @@ function buildBlueprintDefinition() {
         addJSDoc(optionalProp('full_text_searches', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintFullTextSearch')))), 'Full-text search configurations.'),
         addJSDoc(optionalProp('unique_constraints', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintUniqueConstraint')))), 'Unique constraints on table columns.'),
         addJSDoc(optionalProp('entity_types', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintEntityType')))), 'Entity types to provision in Phase 0 (before tables). Each entry creates an entity table with membership modules and security.'),
-        addJSDoc(optionalProp('storage', t.tsTypeReference(t.identifier('BlueprintStorageConfig'))), 'App-level storage configuration. Creates a storage_module (membership_type = NULL) with the specified policies, seeds initial buckets, and overrides module-level settings (expiry times, file size limits, CORS). For entity-scoped storage, use entity_types[].has_storage + entity_types[].storage instead.')
+        addJSDoc(optionalProp('storage', t.tsTypeReference(t.identifier('BlueprintStorageConfig'))), 'App-level storage configuration. Creates a storage_module (membership_type = NULL), seeds initial buckets, and overrides module-level settings (expiry times, file size limits, CORS). Use provisions for per-table policy overrides. For entity-scoped storage, use entity_types[].has_storage + entity_types[].storage instead.')
     ]), 'The complete blueprint definition -- the JSONB shape accepted by construct_blueprint().');
 }
 // ---------------------------------------------------------------------------
@@ -512,7 +502,6 @@ function buildProgram(meta) {
     statements.push(buildBlueprintTableIndex());
     statements.push(buildBlueprintUniqueConstraint());
     statements.push(buildBlueprintTableUniqueConstraint());
-    statements.push(buildBlueprintStoragePolicy());
     statements.push(buildBlueprintBucketSeed());
     statements.push(buildBlueprintStorageConfig());
     statements.push(buildBlueprintEntityTableProvision());

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "node-type-registry",
-  "version": "0.18.1",
+  "version": "0.19.0",
   "description": "Node type definitions for the Constructive blueprint system. Single source of truth for all Authz*, Data*, Relation*, and View* node types.",
   "author": "Constructive <developers@constructive.io>",
   "main": "index.js",
@@ -47,5 +47,5 @@
     "registry",
     "graphile"
   ],
-  "gitHead": "af20c62a061cf31c85e9929d1728767d7f69bdfc"
+  "gitHead": "4ec54068fedd13e6145808b8059121f4a1b3891d"
 }