node-type-registry 0.22.0 → 0.24.0

package/authz/authz-app-membership.d.ts

@@ -0,0 +1,2 @@
+import type { NodeTypeDefinition } from '../types';
+export declare const AuthzAppMembership: NodeTypeDefinition;

package/authz/authz-app-membership.js

@@ -0,0 +1,36 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthzAppMembership = void 0;
+exports.AuthzAppMembership = {
+    name: 'AuthzAppMembership',
+    slug: 'authz_app_membership_check',
+    category: 'authz',
+    display_name: 'App Membership Check',
+    description: 'App-level membership check (hardcoded membership_type=1). Verifies the user has app membership (optionally with specific permission) without binding to any entity from the row. Uses EXISTS subquery against SPRT table. For entity-scoped checks (org, channel, etc.), use AuthzEntityMembership instead.',
+    parameter_schema: {
+        type: 'object',
+        properties: {
+            permission: {
+                type: 'string',
+                description: 'Single permission name to check (resolved to bitstring mask)',
+            },
+            permissions: {
+                type: 'array',
+                items: {
+                    type: 'string',
+                },
+                description: 'Multiple permission names to check (ORed together into mask)',
+            },
+            is_admin: {
+                type: 'boolean',
+                description: 'If true, require is_admin flag',
+            },
+            is_owner: {
+                type: 'boolean',
+                description: 'If true, require is_owner flag',
+            },
+        },
+        required: [],
+    },
+    tags: ['membership', 'authz'],
+};

package/authz/index.d.ts

@@ -1,11 +1,11 @@
 export { AuthzAllowAll } from './authz-allow-all';
+export { AuthzAppMembership } from './authz-app-membership';
 export { AuthzComposite } from './authz-composite';
 export { AuthzDenyAll } from './authz-deny-all';
 export { AuthzDirectOwner } from './authz-direct-owner';
 export { AuthzDirectOwnerAny } from './authz-direct-owner-any';
 export { AuthzEntityMembership } from './authz-entity-membership';
 export { AuthzMemberList } from './authz-member-list';
-export { AuthzMembership } from './authz-membership-check';
 export { AuthzNotReadOnly } from './authz-not-read-only';
 export { AuthzOrgHierarchy } from './authz-org-hierarchy';
 export { AuthzPeerOwnership } from './authz-peer-ownership';

package/authz/index.js

@@ -1,8 +1,10 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.AuthzTemporal = exports.AuthzRelatedPeerOwnership = exports.AuthzRelatedMemberList = exports.AuthzRelatedEntityMembership = exports.AuthzPublishable = exports.AuthzPeerOwnership = exports.AuthzOrgHierarchy = exports.AuthzNotReadOnly = exports.AuthzMembership = exports.AuthzMemberList = exports.AuthzEntityMembership = exports.AuthzDirectOwnerAny = exports.AuthzDirectOwner = exports.AuthzDenyAll = exports.AuthzComposite = exports.AuthzAllowAll = void 0;
+exports.AuthzTemporal = exports.AuthzRelatedPeerOwnership = exports.AuthzRelatedMemberList = exports.AuthzRelatedEntityMembership = exports.AuthzPublishable = exports.AuthzPeerOwnership = exports.AuthzOrgHierarchy = exports.AuthzNotReadOnly = exports.AuthzMemberList = exports.AuthzEntityMembership = exports.AuthzDirectOwnerAny = exports.AuthzDirectOwner = exports.AuthzDenyAll = exports.AuthzComposite = exports.AuthzAppMembership = exports.AuthzAllowAll = void 0;
 var authz_allow_all_1 = require("./authz-allow-all");
 Object.defineProperty(exports, "AuthzAllowAll", { enumerable: true, get: function () { return authz_allow_all_1.AuthzAllowAll; } });
+var authz_app_membership_1 = require("./authz-app-membership");
+Object.defineProperty(exports, "AuthzAppMembership", { enumerable: true, get: function () { return authz_app_membership_1.AuthzAppMembership; } });
 var authz_composite_1 = require("./authz-composite");
 Object.defineProperty(exports, "AuthzComposite", { enumerable: true, get: function () { return authz_composite_1.AuthzComposite; } });
 var authz_deny_all_1 = require("./authz-deny-all");
@@ -15,8 +17,6 @@ var authz_entity_membership_1 = require("./authz-entity-membership");
 Object.defineProperty(exports, "AuthzEntityMembership", { enumerable: true, get: function () { return authz_entity_membership_1.AuthzEntityMembership; } });
 var authz_member_list_1 = require("./authz-member-list");
 Object.defineProperty(exports, "AuthzMemberList", { enumerable: true, get: function () { return authz_member_list_1.AuthzMemberList; } });
-var authz_membership_check_1 = require("./authz-membership-check");
-Object.defineProperty(exports, "AuthzMembership", { enumerable: true, get: function () { return authz_membership_check_1.AuthzMembership; } });
 var authz_not_read_only_1 = require("./authz-not-read-only");
 Object.defineProperty(exports, "AuthzNotReadOnly", { enumerable: true, get: function () { return authz_not_read_only_1.AuthzNotReadOnly; } });
 var authz_org_hierarchy_1 = require("./authz-org-hierarchy");

package/blueprint-types.generated.d.ts

@@ -38,6 +38,12 @@ export interface DataEntityMembershipParams {
     include_id?: boolean;
     include_user_fk?: boolean;
 }
+/** Gates a table behind a feature flag backed by the cap tables. Attaches a BEFORE INSERT trigger that checks whether the named feature cap value is > 0. Features are modeled as caps with max=0 (disabled) or max=1 (enabled) in limit_caps / limit_caps_defaults tables. Resolution: COALESCE(per-entity cap, scope default, 0). */
+export interface DataFeatureFlagParams {
+    feature_name: string;
+    scope?: 'app' | 'org';
+    entity_field?: string;
+}
 /** BEFORE INSERT trigger that forces a field to the value of jwt_public.current_user_id(). Prevents clients from spoofing the actor/uploader identity. The field value is always overwritten regardless of what the client provides. */
 export interface DataForceCurrentUserParams {
     field_name?: string;
@@ -95,6 +101,13 @@ export interface DataJobTriggerParams {
     run_at_delay?: string;
     max_attempts?: number;
 }
+/** Declaratively attaches limit-tracking triggers to a table. On INSERT the named limit is incremented; on DELETE it is decremented. Requires a provisioned limits_module for the target scope. */
+export interface DataLimitCounterParams {
+    limit_name: string;
+    scope?: 'app' | 'org';
+    actor_field?: string;
+    events?: ('INSERT' | 'DELETE' | 'UPDATE')[];
+}
 /** Adds a JSONB column with optional GIN index for containment queries (@>, ?, ?|, ?&). Standard pattern for semi-structured metadata. */
 export interface DataJsonbParams {
     field_name?: string;
@@ -284,6 +297,13 @@ export interface SearchVectorParams {
 }
 /** Allows all access. Generates TRUE expression. */
 export type AuthzAllowAllParams = {};
+/** App-level membership check (hardcoded membership_type=1). Verifies the user has app membership (optionally with specific permission) without binding to any entity from the row. Uses EXISTS subquery against SPRT table. For entity-scoped checks (org, channel, etc.), use AuthzEntityMembership instead. */
+export interface AuthzAppMembershipParams {
+    permission?: string;
+    permissions?: string[];
+    is_admin?: boolean;
+    is_owner?: boolean;
+}
 /** Composite authorization policy that combines multiple authorization nodes using boolean logic (AND/OR). The data field contains a JSONB AST with nested authorization nodes. */
 export interface AuthzCompositeParams {
     BoolExpr?: {
@@ -318,15 +338,6 @@ export interface AuthzEntityMembershipParams {
 export interface AuthzMemberListParams {
     array_field: string;
 }
-/** Membership check that verifies the user has membership (optionally with specific permission) without binding to any entity from the row. Uses EXISTS subquery against SPRT table. */
-export interface AuthzMembershipParams {
-    membership_type?: number | string;
-    entity_type?: string;
-    permission?: string;
-    permissions?: string[];
-    is_admin?: boolean;
-    is_owner?: boolean;
-}
 /** Restrictive policy that blocks read-only members from mutations. Checks actor_id + is_read_only IS NOT TRUE on the SPRT. Designed to run as a restrictive counterpart after a permissive AuthzEntityMembership policy has already verified membership. */
 export interface AuthzNotReadOnlyParams {
     entity_field: string;
@@ -525,7 +536,7 @@ export interface BlueprintField {
 /** An RLS policy entry for a blueprint table. Uses $type to match the blueprint JSON convention. */
 export interface BlueprintPolicy {
     /** Authz* policy type name (e.g., "AuthzDirectOwner", "AuthzAllowAll"). */
-    $type: 'AuthzAllowAll' | 'AuthzComposite' | 'AuthzDenyAll' | 'AuthzDirectOwner' | 'AuthzDirectOwnerAny' | 'AuthzEntityMembership' | 'AuthzMemberList' | 'AuthzMembership' | 'AuthzNotReadOnly' | 'AuthzOrgHierarchy' | 'AuthzPeerOwnership' | 'AuthzPublishable' | 'AuthzRelatedEntityMembership' | 'AuthzRelatedMemberList' | 'AuthzRelatedPeerOwnership' | 'AuthzTemporal';
+    $type: 'AuthzAllowAll' | 'AuthzAppMembership' | 'AuthzComposite' | 'AuthzDenyAll' | 'AuthzDirectOwner' | 'AuthzDirectOwnerAny' | 'AuthzEntityMembership' | 'AuthzMemberList' | 'AuthzNotReadOnly' | 'AuthzOrgHierarchy' | 'AuthzPeerOwnership' | 'AuthzPublishable' | 'AuthzRelatedEntityMembership' | 'AuthzRelatedMemberList' | 'AuthzRelatedPeerOwnership' | 'AuthzTemporal';
     /** Privileges this policy applies to (e.g., ["select"], ["insert", "update", "delete"]). */
     privileges?: string[];
     /** Whether this policy is permissive (true) or restrictive (false). Defaults to true. */
@@ -703,11 +714,14 @@ export interface BlueprintEntityType {
     storage?: BlueprintStorageConfig;
 }
 /** String shorthand -- just the node type name. */
-export type BlueprintNodeShorthand = 'AuthzAllowAll' | 'AuthzComposite' | 'AuthzDenyAll' | 'AuthzDirectOwner' | 'AuthzDirectOwnerAny' | 'AuthzEntityMembership' | 'AuthzMemberList' | 'AuthzMembership' | 'AuthzNotReadOnly' | 'AuthzOrgHierarchy' | 'AuthzPeerOwnership' | 'AuthzPublishable' | 'AuthzRelatedEntityMembership' | 'AuthzRelatedMemberList' | 'AuthzRelatedPeerOwnership' | 'AuthzTemporal' | 'DataCompositeField' | 'DataDirectOwner' | 'DataEntityMembership' | 'DataForceCurrentUser' | 'DataId' | 'DataImageEmbedding' | 'DataImmutableFields' | 'DataInflection' | 'DataInheritFromParent' | 'DataJobTrigger' | 'DataJsonb' | 'DataOwnedFields' | 'DataOwnershipInEntity' | 'DataPeoplestamps' | 'DataPublishable' | 'DataSlug' | 'DataSoftDelete' | 'DataStatusField' | 'DataTags' | 'DataTimestamps' | 'SearchBm25' | 'SearchFullText' | 'SearchSpatial' | 'SearchSpatialAggregate' | 'SearchTrgm' | 'SearchUnified' | 'SearchVector' | 'TableOrganizationSettings' | 'TableUserProfiles' | 'TableUserSettings';
+export type BlueprintNodeShorthand = 'AuthzAllowAll' | 'AuthzAppMembership' | 'AuthzComposite' | 'AuthzDenyAll' | 'AuthzDirectOwner' | 'AuthzDirectOwnerAny' | 'AuthzEntityMembership' | 'AuthzMemberList' | 'AuthzNotReadOnly' | 'AuthzOrgHierarchy' | 'AuthzPeerOwnership' | 'AuthzPublishable' | 'AuthzRelatedEntityMembership' | 'AuthzRelatedMemberList' | 'AuthzRelatedPeerOwnership' | 'AuthzTemporal' | 'DataCompositeField' | 'DataDirectOwner' | 'DataEntityMembership' | 'DataFeatureFlag' | 'DataForceCurrentUser' | 'DataId' | 'DataImageEmbedding' | 'DataImmutableFields' | 'DataInflection' | 'DataInheritFromParent' | 'DataJobTrigger' | 'DataLimitCounter' | 'DataJsonb' | 'DataOwnedFields' | 'DataOwnershipInEntity' | 'DataPeoplestamps' | 'DataPublishable' | 'DataSlug' | 'DataSoftDelete' | 'DataStatusField' | 'DataTags' | 'DataTimestamps' | 'SearchBm25' | 'SearchFullText' | 'SearchSpatial' | 'SearchSpatialAggregate' | 'SearchTrgm' | 'SearchUnified' | 'SearchVector' | 'TableOrganizationSettings' | 'TableUserProfiles' | 'TableUserSettings';
 /** Object form -- { $type, data } with typed parameters. */
 export type BlueprintNodeObject = {
     $type: 'AuthzAllowAll';
     data?: Record<string, never>;
+} | {
+    $type: 'AuthzAppMembership';
+    data: AuthzAppMembershipParams;
 } | {
     $type: 'AuthzComposite';
     data: AuthzCompositeParams;
@@ -726,9 +740,6 @@ export type BlueprintNodeObject = {
 } | {
     $type: 'AuthzMemberList';
     data: AuthzMemberListParams;
-} | {
-    $type: 'AuthzMembership';
-    data: AuthzMembershipParams;
 } | {
     $type: 'AuthzNotReadOnly';
     data: AuthzNotReadOnlyParams;
@@ -762,6 +773,9 @@ export type BlueprintNodeObject = {
 } | {
     $type: 'DataEntityMembership';
     data: DataEntityMembershipParams;
+} | {
+    $type: 'DataFeatureFlag';
+    data: DataFeatureFlagParams;
 } | {
     $type: 'DataForceCurrentUser';
     data: DataForceCurrentUserParams;
@@ -783,6 +797,9 @@ export type BlueprintNodeObject = {
 } | {
     $type: 'DataJobTrigger';
     data: DataJobTriggerParams;
+} | {
+    $type: 'DataLimitCounter';
+    data: DataLimitCounterParams;
 } | {
     $type: 'DataJsonb';
     data: DataJsonbParams;

package/data/data-feature-flag.d.ts

@@ -0,0 +1,2 @@
+import type { NodeTypeDefinition } from '../types';
+export declare const DataFeatureFlag: NodeTypeDefinition;

package/data/data-feature-flag.js

@@ -0,0 +1,33 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DataFeatureFlag = void 0;
+exports.DataFeatureFlag = {
+    name: 'DataFeatureFlag',
+    slug: 'data_feature_flag',
+    category: 'data',
+    display_name: 'Feature Flag',
+    description: 'Gates a table behind a feature flag backed by the cap tables. Attaches a BEFORE INSERT trigger that checks whether the named feature cap value is > 0. Features are modeled as caps with max=0 (disabled) or max=1 (enabled) in limit_caps / limit_caps_defaults tables. Resolution: COALESCE(per-entity cap, scope default, 0).',
+    parameter_schema: {
+        type: 'object',
+        properties: {
+            feature_name: {
+                type: 'string',
+                description: 'Cap name representing this feature (must match a limit_caps_defaults entry with max=0 or max=1)',
+            },
+            scope: {
+                type: 'string',
+                enum: ['app', 'org'],
+                description: 'Feature scope: "app" (membership_type=1, app-level caps) or "org" (membership_type=2, per-entity caps)',
+                default: 'app',
+            },
+            entity_field: {
+                type: 'string',
+                format: 'column-ref',
+                description: 'Column on the target table that holds the entity id for per-entity cap lookups (only used for org scope)',
+                default: 'entity_id',
+            },
+        },
+        required: ['feature_name'],
+    },
+    tags: ['limits', 'triggers', 'feature-flags', 'billing', 'caps'],
+};

package/data/data-limit-counter.d.ts

@@ -0,0 +1,2 @@
+import type { NodeTypeDefinition } from '../types';
+export declare const DataLimitCounter: NodeTypeDefinition;

package/data/data-limit-counter.js

@@ -0,0 +1,42 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DataLimitCounter = void 0;
+exports.DataLimitCounter = {
+    name: 'DataLimitCounter',
+    slug: 'data_limit_counter',
+    category: 'data',
+    display_name: 'Limit Counter',
+    description: 'Declaratively attaches limit-tracking triggers to a table. On INSERT the named limit is incremented; on DELETE it is decremented. Requires a provisioned limits_module for the target scope.',
+    parameter_schema: {
+        type: 'object',
+        properties: {
+            limit_name: {
+                type: 'string',
+                description: 'Name of the limit to track (must match a default_limits entry, e.g. "projects", "members")',
+            },
+            scope: {
+                type: 'string',
+                enum: ['app', 'org'],
+                description: 'Limit scope: "app" (membership_type=1, user-level) or "org" (membership_type=2, entity-level)',
+                default: 'app',
+            },
+            actor_field: {
+                type: 'string',
+                format: 'column-ref',
+                description: 'Column on the target table that holds the actor or entity id used for limit lookup',
+                default: 'owner_id',
+            },
+            events: {
+                type: 'array',
+                items: {
+                    type: 'string',
+                    enum: ['INSERT', 'DELETE', 'UPDATE'],
+                },
+                description: 'Which DML events to attach triggers for',
+                default: ['INSERT', 'DELETE'],
+            },
+        },
+        required: ['limit_name'],
+    },
+    tags: ['limits', 'triggers', 'billing'],
+};

package/data/index.d.ts

@@ -1,6 +1,7 @@
 export { DataCompositeField } from './data-composite-field';
 export { DataDirectOwner } from './data-direct-owner';
 export { DataEntityMembership } from './data-entity-membership';
+export { DataFeatureFlag } from './data-feature-flag';
 export { DataForceCurrentUser } from './data-force-current-user';
 export { DataId } from './data-id';
 export { DataImageEmbedding } from './data-image-embedding';
@@ -8,6 +9,7 @@ export { DataImmutableFields } from './data-immutable-fields';
 export { DataInflection } from './data-inflection';
 export { DataInheritFromParent } from './data-inherit-from-parent';
 export { DataJobTrigger } from './data-job-trigger';
+export { DataLimitCounter } from './data-limit-counter';
 export { DataJsonb } from './data-jsonb';
 export { DataOwnedFields } from './data-owned-fields';
 export { DataOwnershipInEntity } from './data-ownership-in-entity';

package/data/index.js

@@ -1,12 +1,14 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.TableUserSettings = exports.TableUserProfiles = exports.TableOrganizationSettings = exports.SearchVector = exports.SearchUnified = exports.SearchTrgm = exports.SearchSpatialAggregate = exports.SearchSpatial = exports.SearchFullText = exports.SearchBm25 = exports.DataTimestamps = exports.DataTags = exports.DataStatusField = exports.DataSoftDelete = exports.DataSlug = exports.DataPublishable = exports.DataPeoplestamps = exports.DataOwnershipInEntity = exports.DataOwnedFields = exports.DataJsonb = exports.DataJobTrigger = exports.DataInheritFromParent = exports.DataInflection = exports.DataImmutableFields = exports.DataImageEmbedding = exports.DataId = exports.DataForceCurrentUser = exports.DataEntityMembership = exports.DataDirectOwner = exports.DataCompositeField = void 0;
+exports.TableUserSettings = exports.TableUserProfiles = exports.TableOrganizationSettings = exports.SearchVector = exports.SearchUnified = exports.SearchTrgm = exports.SearchSpatialAggregate = exports.SearchSpatial = exports.SearchFullText = exports.SearchBm25 = exports.DataTimestamps = exports.DataTags = exports.DataStatusField = exports.DataSoftDelete = exports.DataSlug = exports.DataPublishable = exports.DataPeoplestamps = exports.DataOwnershipInEntity = exports.DataOwnedFields = exports.DataJsonb = exports.DataLimitCounter = exports.DataJobTrigger = exports.DataInheritFromParent = exports.DataInflection = exports.DataImmutableFields = exports.DataImageEmbedding = exports.DataId = exports.DataForceCurrentUser = exports.DataFeatureFlag = exports.DataEntityMembership = exports.DataDirectOwner = exports.DataCompositeField = void 0;
 var data_composite_field_1 = require("./data-composite-field");
 Object.defineProperty(exports, "DataCompositeField", { enumerable: true, get: function () { return data_composite_field_1.DataCompositeField; } });
 var data_direct_owner_1 = require("./data-direct-owner");
 Object.defineProperty(exports, "DataDirectOwner", { enumerable: true, get: function () { return data_direct_owner_1.DataDirectOwner; } });
 var data_entity_membership_1 = require("./data-entity-membership");
 Object.defineProperty(exports, "DataEntityMembership", { enumerable: true, get: function () { return data_entity_membership_1.DataEntityMembership; } });
+var data_feature_flag_1 = require("./data-feature-flag");
+Object.defineProperty(exports, "DataFeatureFlag", { enumerable: true, get: function () { return data_feature_flag_1.DataFeatureFlag; } });
 var data_force_current_user_1 = require("./data-force-current-user");
 Object.defineProperty(exports, "DataForceCurrentUser", { enumerable: true, get: function () { return data_force_current_user_1.DataForceCurrentUser; } });
 var data_id_1 = require("./data-id");
@@ -21,6 +23,8 @@ var data_inherit_from_parent_1 = require("./data-inherit-from-parent");
 Object.defineProperty(exports, "DataInheritFromParent", { enumerable: true, get: function () { return data_inherit_from_parent_1.DataInheritFromParent; } });
 var data_job_trigger_1 = require("./data-job-trigger");
 Object.defineProperty(exports, "DataJobTrigger", { enumerable: true, get: function () { return data_job_trigger_1.DataJobTrigger; } });
+var data_limit_counter_1 = require("./data-limit-counter");
+Object.defineProperty(exports, "DataLimitCounter", { enumerable: true, get: function () { return data_limit_counter_1.DataLimitCounter; } });
 var data_jsonb_1 = require("./data-jsonb");
 Object.defineProperty(exports, "DataJsonb", { enumerable: true, get: function () { return data_jsonb_1.DataJsonb; } });
 var data_owned_fields_1 = require("./data-owned-fields");

package/esm/authz/authz-app-membership.d.ts

@@ -0,0 +1,2 @@
+import type { NodeTypeDefinition } from '../types';
+export declare const AuthzAppMembership: NodeTypeDefinition;

package/esm/authz/authz-app-membership.js

@@ -0,0 +1,33 @@
+export const AuthzAppMembership = {
+    name: 'AuthzAppMembership',
+    slug: 'authz_app_membership_check',
+    category: 'authz',
+    display_name: 'App Membership Check',
+    description: 'App-level membership check (hardcoded membership_type=1). Verifies the user has app membership (optionally with specific permission) without binding to any entity from the row. Uses EXISTS subquery against SPRT table. For entity-scoped checks (org, channel, etc.), use AuthzEntityMembership instead.',
+    parameter_schema: {
+        type: 'object',
+        properties: {
+            permission: {
+                type: 'string',
+                description: 'Single permission name to check (resolved to bitstring mask)',
+            },
+            permissions: {
+                type: 'array',
+                items: {
+                    type: 'string',
+                },
+                description: 'Multiple permission names to check (ORed together into mask)',
+            },
+            is_admin: {
+                type: 'boolean',
+                description: 'If true, require is_admin flag',
+            },
+            is_owner: {
+                type: 'boolean',
+                description: 'If true, require is_owner flag',
+            },
+        },
+        required: [],
+    },
+    tags: ['membership', 'authz'],
+};

package/esm/authz/index.d.ts

@@ -1,11 +1,11 @@
 export { AuthzAllowAll } from './authz-allow-all';
+export { AuthzAppMembership } from './authz-app-membership';
 export { AuthzComposite } from './authz-composite';
 export { AuthzDenyAll } from './authz-deny-all';
 export { AuthzDirectOwner } from './authz-direct-owner';
 export { AuthzDirectOwnerAny } from './authz-direct-owner-any';
 export { AuthzEntityMembership } from './authz-entity-membership';
 export { AuthzMemberList } from './authz-member-list';
-export { AuthzMembership } from './authz-membership-check';
 export { AuthzNotReadOnly } from './authz-not-read-only';
 export { AuthzOrgHierarchy } from './authz-org-hierarchy';
 export { AuthzPeerOwnership } from './authz-peer-ownership';

package/esm/authz/index.js

@@ -1,11 +1,11 @@
 export { AuthzAllowAll } from './authz-allow-all';
+export { AuthzAppMembership } from './authz-app-membership';
 export { AuthzComposite } from './authz-composite';
 export { AuthzDenyAll } from './authz-deny-all';
 export { AuthzDirectOwner } from './authz-direct-owner';
 export { AuthzDirectOwnerAny } from './authz-direct-owner-any';
 export { AuthzEntityMembership } from './authz-entity-membership';
 export { AuthzMemberList } from './authz-member-list';
-export { AuthzMembership } from './authz-membership-check';
 export { AuthzNotReadOnly } from './authz-not-read-only';
 export { AuthzOrgHierarchy } from './authz-org-hierarchy';
 export { AuthzPeerOwnership } from './authz-peer-ownership';

package/esm/blueprint-types.generated.d.ts

@@ -38,6 +38,12 @@ export interface DataEntityMembershipParams {
     include_id?: boolean;
     include_user_fk?: boolean;
 }
+/** Gates a table behind a feature flag backed by the cap tables. Attaches a BEFORE INSERT trigger that checks whether the named feature cap value is > 0. Features are modeled as caps with max=0 (disabled) or max=1 (enabled) in limit_caps / limit_caps_defaults tables. Resolution: COALESCE(per-entity cap, scope default, 0). */
+export interface DataFeatureFlagParams {
+    feature_name: string;
+    scope?: 'app' | 'org';
+    entity_field?: string;
+}
 /** BEFORE INSERT trigger that forces a field to the value of jwt_public.current_user_id(). Prevents clients from spoofing the actor/uploader identity. The field value is always overwritten regardless of what the client provides. */
 export interface DataForceCurrentUserParams {
     field_name?: string;
@@ -95,6 +101,13 @@ export interface DataJobTriggerParams {
     run_at_delay?: string;
     max_attempts?: number;
 }
+/** Declaratively attaches limit-tracking triggers to a table. On INSERT the named limit is incremented; on DELETE it is decremented. Requires a provisioned limits_module for the target scope. */
+export interface DataLimitCounterParams {
+    limit_name: string;
+    scope?: 'app' | 'org';
+    actor_field?: string;
+    events?: ('INSERT' | 'DELETE' | 'UPDATE')[];
+}
 /** Adds a JSONB column with optional GIN index for containment queries (@>, ?, ?|, ?&). Standard pattern for semi-structured metadata. */
 export interface DataJsonbParams {
     field_name?: string;
@@ -284,6 +297,13 @@ export interface SearchVectorParams {
 }
 /** Allows all access. Generates TRUE expression. */
 export type AuthzAllowAllParams = {};
+/** App-level membership check (hardcoded membership_type=1). Verifies the user has app membership (optionally with specific permission) without binding to any entity from the row. Uses EXISTS subquery against SPRT table. For entity-scoped checks (org, channel, etc.), use AuthzEntityMembership instead. */
+export interface AuthzAppMembershipParams {
+    permission?: string;
+    permissions?: string[];
+    is_admin?: boolean;
+    is_owner?: boolean;
+}
 /** Composite authorization policy that combines multiple authorization nodes using boolean logic (AND/OR). The data field contains a JSONB AST with nested authorization nodes. */
 export interface AuthzCompositeParams {
     BoolExpr?: {
@@ -318,15 +338,6 @@ export interface AuthzEntityMembershipParams {
 export interface AuthzMemberListParams {
     array_field: string;
 }
-/** Membership check that verifies the user has membership (optionally with specific permission) without binding to any entity from the row. Uses EXISTS subquery against SPRT table. */
-export interface AuthzMembershipParams {
-    membership_type?: number | string;
-    entity_type?: string;
-    permission?: string;
-    permissions?: string[];
-    is_admin?: boolean;
-    is_owner?: boolean;
-}
 /** Restrictive policy that blocks read-only members from mutations. Checks actor_id + is_read_only IS NOT TRUE on the SPRT. Designed to run as a restrictive counterpart after a permissive AuthzEntityMembership policy has already verified membership. */
 export interface AuthzNotReadOnlyParams {
     entity_field: string;
@@ -525,7 +536,7 @@ export interface BlueprintField {
 /** An RLS policy entry for a blueprint table. Uses $type to match the blueprint JSON convention. */
 export interface BlueprintPolicy {
     /** Authz* policy type name (e.g., "AuthzDirectOwner", "AuthzAllowAll"). */
-    $type: 'AuthzAllowAll' | 'AuthzComposite' | 'AuthzDenyAll' | 'AuthzDirectOwner' | 'AuthzDirectOwnerAny' | 'AuthzEntityMembership' | 'AuthzMemberList' | 'AuthzMembership' | 'AuthzNotReadOnly' | 'AuthzOrgHierarchy' | 'AuthzPeerOwnership' | 'AuthzPublishable' | 'AuthzRelatedEntityMembership' | 'AuthzRelatedMemberList' | 'AuthzRelatedPeerOwnership' | 'AuthzTemporal';
+    $type: 'AuthzAllowAll' | 'AuthzAppMembership' | 'AuthzComposite' | 'AuthzDenyAll' | 'AuthzDirectOwner' | 'AuthzDirectOwnerAny' | 'AuthzEntityMembership' | 'AuthzMemberList' | 'AuthzNotReadOnly' | 'AuthzOrgHierarchy' | 'AuthzPeerOwnership' | 'AuthzPublishable' | 'AuthzRelatedEntityMembership' | 'AuthzRelatedMemberList' | 'AuthzRelatedPeerOwnership' | 'AuthzTemporal';
     /** Privileges this policy applies to (e.g., ["select"], ["insert", "update", "delete"]). */
     privileges?: string[];
     /** Whether this policy is permissive (true) or restrictive (false). Defaults to true. */
@@ -703,11 +714,14 @@ export interface BlueprintEntityType {
     storage?: BlueprintStorageConfig;
 }
 /** String shorthand -- just the node type name. */
-export type BlueprintNodeShorthand = 'AuthzAllowAll' | 'AuthzComposite' | 'AuthzDenyAll' | 'AuthzDirectOwner' | 'AuthzDirectOwnerAny' | 'AuthzEntityMembership' | 'AuthzMemberList' | 'AuthzMembership' | 'AuthzNotReadOnly' | 'AuthzOrgHierarchy' | 'AuthzPeerOwnership' | 'AuthzPublishable' | 'AuthzRelatedEntityMembership' | 'AuthzRelatedMemberList' | 'AuthzRelatedPeerOwnership' | 'AuthzTemporal' | 'DataCompositeField' | 'DataDirectOwner' | 'DataEntityMembership' | 'DataForceCurrentUser' | 'DataId' | 'DataImageEmbedding' | 'DataImmutableFields' | 'DataInflection' | 'DataInheritFromParent' | 'DataJobTrigger' | 'DataJsonb' | 'DataOwnedFields' | 'DataOwnershipInEntity' | 'DataPeoplestamps' | 'DataPublishable' | 'DataSlug' | 'DataSoftDelete' | 'DataStatusField' | 'DataTags' | 'DataTimestamps' | 'SearchBm25' | 'SearchFullText' | 'SearchSpatial' | 'SearchSpatialAggregate' | 'SearchTrgm' | 'SearchUnified' | 'SearchVector' | 'TableOrganizationSettings' | 'TableUserProfiles' | 'TableUserSettings';
+export type BlueprintNodeShorthand = 'AuthzAllowAll' | 'AuthzAppMembership' | 'AuthzComposite' | 'AuthzDenyAll' | 'AuthzDirectOwner' | 'AuthzDirectOwnerAny' | 'AuthzEntityMembership' | 'AuthzMemberList' | 'AuthzNotReadOnly' | 'AuthzOrgHierarchy' | 'AuthzPeerOwnership' | 'AuthzPublishable' | 'AuthzRelatedEntityMembership' | 'AuthzRelatedMemberList' | 'AuthzRelatedPeerOwnership' | 'AuthzTemporal' | 'DataCompositeField' | 'DataDirectOwner' | 'DataEntityMembership' | 'DataFeatureFlag' | 'DataForceCurrentUser' | 'DataId' | 'DataImageEmbedding' | 'DataImmutableFields' | 'DataInflection' | 'DataInheritFromParent' | 'DataJobTrigger' | 'DataLimitCounter' | 'DataJsonb' | 'DataOwnedFields' | 'DataOwnershipInEntity' | 'DataPeoplestamps' | 'DataPublishable' | 'DataSlug' | 'DataSoftDelete' | 'DataStatusField' | 'DataTags' | 'DataTimestamps' | 'SearchBm25' | 'SearchFullText' | 'SearchSpatial' | 'SearchSpatialAggregate' | 'SearchTrgm' | 'SearchUnified' | 'SearchVector' | 'TableOrganizationSettings' | 'TableUserProfiles' | 'TableUserSettings';
 /** Object form -- { $type, data } with typed parameters. */
 export type BlueprintNodeObject = {
     $type: 'AuthzAllowAll';
     data?: Record<string, never>;
+} | {
+    $type: 'AuthzAppMembership';
+    data: AuthzAppMembershipParams;
 } | {
     $type: 'AuthzComposite';
     data: AuthzCompositeParams;
@@ -726,9 +740,6 @@ export type BlueprintNodeObject = {
 } | {
     $type: 'AuthzMemberList';
     data: AuthzMemberListParams;
-} | {
-    $type: 'AuthzMembership';
-    data: AuthzMembershipParams;
 } | {
     $type: 'AuthzNotReadOnly';
     data: AuthzNotReadOnlyParams;
@@ -762,6 +773,9 @@ export type BlueprintNodeObject = {
 } | {
     $type: 'DataEntityMembership';
     data: DataEntityMembershipParams;
+} | {
+    $type: 'DataFeatureFlag';
+    data: DataFeatureFlagParams;
 } | {
     $type: 'DataForceCurrentUser';
     data: DataForceCurrentUserParams;
@@ -783,6 +797,9 @@ export type BlueprintNodeObject = {
 } | {
     $type: 'DataJobTrigger';
     data: DataJobTriggerParams;
+} | {
+    $type: 'DataLimitCounter';
+    data: DataLimitCounterParams;
 } | {
     $type: 'DataJsonb';
     data: DataJsonbParams;

package/esm/data/data-feature-flag.d.ts

@@ -0,0 +1,2 @@
+import type { NodeTypeDefinition } from '../types';
+export declare const DataFeatureFlag: NodeTypeDefinition;

package/esm/data/data-feature-flag.js

@@ -0,0 +1,30 @@
+export const DataFeatureFlag = {
+    name: 'DataFeatureFlag',
+    slug: 'data_feature_flag',
+    category: 'data',
+    display_name: 'Feature Flag',
+    description: 'Gates a table behind a feature flag backed by the cap tables. Attaches a BEFORE INSERT trigger that checks whether the named feature cap value is > 0. Features are modeled as caps with max=0 (disabled) or max=1 (enabled) in limit_caps / limit_caps_defaults tables. Resolution: COALESCE(per-entity cap, scope default, 0).',
+    parameter_schema: {
+        type: 'object',
+        properties: {
+            feature_name: {
+                type: 'string',
+                description: 'Cap name representing this feature (must match a limit_caps_defaults entry with max=0 or max=1)',
+            },
+            scope: {
+                type: 'string',
+                enum: ['app', 'org'],
+                description: 'Feature scope: "app" (membership_type=1, app-level caps) or "org" (membership_type=2, per-entity caps)',
+                default: 'app',
+            },
+            entity_field: {
+                type: 'string',
+                format: 'column-ref',
+                description: 'Column on the target table that holds the entity id for per-entity cap lookups (only used for org scope)',
+                default: 'entity_id',
+            },
+        },
+        required: ['feature_name'],
+    },
+    tags: ['limits', 'triggers', 'feature-flags', 'billing', 'caps'],
+};

package/esm/data/data-limit-counter.d.ts

@@ -0,0 +1,2 @@
+import type { NodeTypeDefinition } from '../types';
+export declare const DataLimitCounter: NodeTypeDefinition;

package/esm/data/data-limit-counter.js

@@ -0,0 +1,39 @@
+export const DataLimitCounter = {
+    name: 'DataLimitCounter',
+    slug: 'data_limit_counter',
+    category: 'data',
+    display_name: 'Limit Counter',
+    description: 'Declaratively attaches limit-tracking triggers to a table. On INSERT the named limit is incremented; on DELETE it is decremented. Requires a provisioned limits_module for the target scope.',
+    parameter_schema: {
+        type: 'object',
+        properties: {
+            limit_name: {
+                type: 'string',
+                description: 'Name of the limit to track (must match a default_limits entry, e.g. "projects", "members")',
+            },
+            scope: {
+                type: 'string',
+                enum: ['app', 'org'],
+                description: 'Limit scope: "app" (membership_type=1, user-level) or "org" (membership_type=2, entity-level)',
+                default: 'app',
+            },
+            actor_field: {
+                type: 'string',
+                format: 'column-ref',
+                description: 'Column on the target table that holds the actor or entity id used for limit lookup',
+                default: 'owner_id',
+            },
+            events: {
+                type: 'array',
+                items: {
+                    type: 'string',
+                    enum: ['INSERT', 'DELETE', 'UPDATE'],
+                },
+                description: 'Which DML events to attach triggers for',
+                default: ['INSERT', 'DELETE'],
+            },
+        },
+        required: ['limit_name'],
+    },
+    tags: ['limits', 'triggers', 'billing'],
+};

package/esm/data/index.d.ts

@@ -1,6 +1,7 @@
 export { DataCompositeField } from './data-composite-field';
 export { DataDirectOwner } from './data-direct-owner';
 export { DataEntityMembership } from './data-entity-membership';
+export { DataFeatureFlag } from './data-feature-flag';
 export { DataForceCurrentUser } from './data-force-current-user';
 export { DataId } from './data-id';
 export { DataImageEmbedding } from './data-image-embedding';
@@ -8,6 +9,7 @@ export { DataImmutableFields } from './data-immutable-fields';
 export { DataInflection } from './data-inflection';
 export { DataInheritFromParent } from './data-inherit-from-parent';
 export { DataJobTrigger } from './data-job-trigger';
+export { DataLimitCounter } from './data-limit-counter';
 export { DataJsonb } from './data-jsonb';
 export { DataOwnedFields } from './data-owned-fields';
 export { DataOwnershipInEntity } from './data-ownership-in-entity';

package/esm/data/index.js

@@ -1,6 +1,7 @@
 export { DataCompositeField } from './data-composite-field';
 export { DataDirectOwner } from './data-direct-owner';
 export { DataEntityMembership } from './data-entity-membership';
+export { DataFeatureFlag } from './data-feature-flag';
 export { DataForceCurrentUser } from './data-force-current-user';
 export { DataId } from './data-id';
 export { DataImageEmbedding } from './data-image-embedding';
@@ -8,6 +9,7 @@ export { DataImmutableFields } from './data-immutable-fields';
 export { DataInflection } from './data-inflection';
 export { DataInheritFromParent } from './data-inherit-from-parent';
 export { DataJobTrigger } from './data-job-trigger';
+export { DataLimitCounter } from './data-limit-counter';
 export { DataJsonb } from './data-jsonb';
 export { DataOwnedFields } from './data-owned-fields';
 export { DataOwnershipInEntity } from './data-ownership-in-entity';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "node-type-registry",
-  "version": "0.22.0",
+  "version": "0.24.0",
   "description": "Node type definitions for the Constructive blueprint system. Single source of truth for all Authz*, Data*, Relation*, and View* node types.",
   "author": "Constructive <developers@constructive.io>",
   "main": "index.js",
@@ -47,5 +47,5 @@
     "registry",
     "graphile"
   ],
-  "gitHead": "0238640b70fed4b203eb84f48315c2bd807923b9"
+  "gitHead": "04633dc47399ffc9a5cefacfb0a90451acee988d"
 }

package/authz/authz-membership-check.d.ts

@@ -1,2 +0,0 @@
-import type { NodeTypeDefinition } from '../types';
-export declare const AuthzMembership: NodeTypeDefinition;

package/authz/authz-membership-check.js

@@ -1,50 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.AuthzMembership = void 0;
-exports.AuthzMembership = {
-    name: 'AuthzMembership',
-    slug: 'authz_membership_check',
-    category: 'authz',
-    display_name: 'Membership Check',
-    description: 'Membership check that verifies the user has membership (optionally with specific permission) without binding to any entity from the row. Uses EXISTS subquery against SPRT table.',
-    parameter_schema: {
-        type: 'object',
-        properties: {
-            membership_type: {
-                type: [
-                    'integer',
-                    'string'
-                ],
-                description: 'Scope: 1=app, 2=org, 3+=dynamic entity types (or string name resolved via membership_types_module)'
-            },
-            entity_type: {
-                type: 'string',
-                description: "Entity type prefix (e.g. 'channel', 'department'). Resolved to membership_type integer via memberships_module lookup. Use instead of membership_type for readability."
-            },
-            permission: {
-                type: 'string',
-                description: 'Single permission name to check (resolved to bitstring mask)'
-            },
-            permissions: {
-                type: 'array',
-                items: {
-                    type: 'string'
-                },
-                description: 'Multiple permission names to check (ORed together into mask)'
-            },
-            is_admin: {
-                type: 'boolean',
-                description: 'If true, require is_admin flag'
-            },
-            is_owner: {
-                type: 'boolean',
-                description: 'If true, require is_owner flag'
-            }
-        },
-        required: []
-    },
-    tags: [
-        'membership',
-        'authz'
-    ]
-};

package/esm/authz/authz-membership-check.d.ts

@@ -1,2 +0,0 @@
-import type { NodeTypeDefinition } from '../types';
-export declare const AuthzMembership: NodeTypeDefinition;

package/esm/authz/authz-membership-check.js

@@ -1,47 +0,0 @@
-export const AuthzMembership = {
-    name: 'AuthzMembership',
-    slug: 'authz_membership_check',
-    category: 'authz',
-    display_name: 'Membership Check',
-    description: 'Membership check that verifies the user has membership (optionally with specific permission) without binding to any entity from the row. Uses EXISTS subquery against SPRT table.',
-    parameter_schema: {
-        type: 'object',
-        properties: {
-            membership_type: {
-                type: [
-                    'integer',
-                    'string'
-                ],
-                description: 'Scope: 1=app, 2=org, 3+=dynamic entity types (or string name resolved via membership_types_module)'
-            },
-            entity_type: {
-                type: 'string',
-                description: "Entity type prefix (e.g. 'channel', 'department'). Resolved to membership_type integer via memberships_module lookup. Use instead of membership_type for readability."
-            },
-            permission: {
-                type: 'string',
-                description: 'Single permission name to check (resolved to bitstring mask)'
-            },
-            permissions: {
-                type: 'array',
-                items: {
-                    type: 'string'
-                },
-                description: 'Multiple permission names to check (ORed together into mask)'
-            },
-            is_admin: {
-                type: 'boolean',
-                description: 'If true, require is_admin flag'
-            },
-            is_owner: {
-                type: 'boolean',
-                description: 'If true, require is_owner flag'
-            }
-        },
-        required: []
-    },
-    tags: [
-        'membership',
-        'authz'
-    ]
-};