node-type-registry 0.28.0 → 0.29.1

package/data/data-chunks.d.ts

@@ -0,0 +1,18 @@
+import type { NodeTypeDefinition } from '../types';
+/**
+ * Standalone chunking node type.
+ *
+ * Creates an embedding_chunks record that provisions a chunks table with:
+ * - FK to parent table (CASCADE delete)
+ * - content text field
+ * - chunk_index integer field
+ * - embedding vector(N) field with HNSW index
+ * - metadata jsonb field
+ * - RLS policies inherited from parent
+ * - Optional job trigger for automatic chunking on INSERT/UPDATE
+ *
+ * This node is also composed internally by DataFileEmbedding (enabled by
+ * default in extract mode). Use it standalone when you want a chunks table
+ * without the full file-embedding pipeline.
+ */
+export declare const DataChunks: NodeTypeDefinition;

package/data/data-chunks.js

@@ -0,0 +1,101 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DataChunks = void 0;
+/**
+ * Standalone chunking node type.
+ *
+ * Creates an embedding_chunks record that provisions a chunks table with:
+ * - FK to parent table (CASCADE delete)
+ * - content text field
+ * - chunk_index integer field
+ * - embedding vector(N) field with HNSW index
+ * - metadata jsonb field
+ * - RLS policies inherited from parent
+ * - Optional job trigger for automatic chunking on INSERT/UPDATE
+ *
+ * This node is also composed internally by DataFileEmbedding (enabled by
+ * default in extract mode). Use it standalone when you want a chunks table
+ * without the full file-embedding pipeline.
+ */
+exports.DataChunks = {
+    name: 'DataChunks',
+    slug: 'data_chunks',
+    category: 'data',
+    display_name: 'Chunks',
+    description: 'Creates a chunked-embedding child table for any parent table. ' +
+        'Provisions the chunks table with content, chunk_index, embedding vector, ' +
+        'metadata, HNSW index, inherited RLS, and optional job trigger for ' +
+        'automatic text splitting. Composed internally by DataFileEmbedding ' +
+        '(enabled by default in extract mode) but can also be used standalone.',
+    parameter_schema: {
+        type: 'object',
+        properties: {
+            // ── Content config ─────────────────────────────────────────────
+            content_field_name: {
+                type: 'string',
+                format: 'column-ref',
+                description: 'Name of the text content column in the chunks table',
+                default: 'content'
+            },
+            // ── Chunking strategy ──────────────────────────────────────────
+            chunk_size: {
+                type: 'integer',
+                description: 'Maximum number of characters per chunk',
+                default: 1000
+            },
+            chunk_overlap: {
+                type: 'integer',
+                description: 'Number of overlapping characters between consecutive chunks',
+                default: 200
+            },
+            chunk_strategy: {
+                type: 'string',
+                enum: ['fixed', 'sentence', 'paragraph', 'semantic'],
+                description: 'Strategy for splitting text into chunks',
+                default: 'paragraph'
+            },
+            // ── Embedding config ───────────────────────────────────────────
+            dimensions: {
+                type: 'integer',
+                description: 'Vector dimensions for per-chunk embeddings',
+                default: 768
+            },
+            metric: {
+                type: 'string',
+                enum: ['cosine', 'l2', 'ip'],
+                description: 'Distance metric for the HNSW index on chunk embeddings',
+                default: 'cosine'
+            },
+            // ── Table naming ───────────────────────────────────────────────
+            chunks_table_name: {
+                type: 'string',
+                description: 'Override the chunks table name. Defaults to {parent_table}_chunks.',
+            },
+            // ── Metadata ───────────────────────────────────────────────────
+            metadata_fields: {
+                type: 'array',
+                items: { type: 'string' },
+                description: 'Field names from the parent table to copy into chunk metadata'
+            },
+            // ── Job trigger ────────────────────────────────────────────────
+            enqueue_chunking_job: {
+                type: 'boolean',
+                description: 'Whether to create a job trigger that auto-enqueues chunking ' +
+                    'on parent INSERT/UPDATE',
+                default: true
+            },
+            chunking_task_name: {
+                type: 'string',
+                description: 'Task identifier for the chunking job queue',
+                default: 'generate_chunks'
+            }
+        }
+    },
+    tags: [
+        'embedding',
+        'chunks',
+        'vector',
+        'ai',
+        'rag'
+    ]
+};

package/data/data-file-embedding.js

@@ -9,9 +9,10 @@ exports.DataFileEmbedding = {
     description: 'Generic, MIME-scoped embedding node for file tables. Supports two modes: ' +
         'direct (whole-file to single vector, e.g. CLIP for images) when extraction ' +
         'is omitted, or extract (file to text to chunks to per-chunk vectors) when ' +
-        'extraction config is provided. Composes SearchVector + DataJobTrigger ' +
-        'internally. Multiple instances can coexist on the same table with different ' +
-        'MIME scopes, field names, and embedding strategies.',
+        'extraction config is provided. Composes SearchVector + DataJobTrigger + ' +
+        'DataChunks (enabled by default in extract mode) internally. Multiple ' +
+        'instances can coexist on the same table with different MIME scopes, field ' +
+        'names, and embedding strategies.',
     parameter_schema: {
         type: 'object',
         properties: {
@@ -114,12 +115,18 @@ exports.DataFileEmbedding = {
                     }
                 }
             },
-            // ── Chunking config (optional — creates embedding_chunks) ──────
+            // ── Chunking (enabled by default in extract mode) ──────────────
+            include_chunks: {
+                type: 'boolean',
+                description: 'Whether to create a chunks table via DataChunks. Defaults to true ' +
+                    'when extraction is provided, false in direct mode. Set explicitly ' +
+                    'to override.',
+            },
             chunks: {
                 type: 'object',
-                description: 'Chunking configuration. Creates an embedding_chunks record that drives ' +
-                    'automatic text splitting and per-chunk embedding. Only meaningful when ' +
-                    'extraction is also provided.',
+                description: 'Chunking configuration passed through to DataChunks. When ' +
+                    'include_chunks is true (or defaults to true in extract mode), these ' +
+                    'params configure the chunks table, embedding dimensions, strategy, etc.',
                 properties: {
                     content_field_name: {
                         type: 'string',
@@ -144,8 +151,9 @@ exports.DataFileEmbedding = {
                         default: 'paragraph'
                     },
                     metadata_fields: {
-                        type: 'object',
-                        description: 'Metadata fields from parent to copy into chunks'
+                        type: 'array',
+                        items: { type: 'string' },
+                        description: 'Field names from parent to copy into chunk metadata'
                     },
                     enqueue_chunking_job: {
                         type: 'boolean',

package/data/index.d.ts

@@ -1,3 +1,4 @@
+export { DataChunks } from './data-chunks';
 export { DataCompositeField } from './data-composite-field';
 export { DataDirectOwner } from './data-direct-owner';
 export { DataEntityMembership } from './data-entity-membership';

package/data/index.js

@@ -1,6 +1,8 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.TableUserSettings = exports.TableUserProfiles = exports.TableOrganizationSettings = exports.SearchVector = exports.SearchUnified = exports.SearchTrgm = exports.SearchSpatialAggregate = exports.SearchSpatial = exports.SearchFullText = exports.SearchBm25 = exports.DataTimestamps = exports.DataTags = exports.DataStatusField = exports.DataSoftDelete = exports.DataSlug = exports.DataPublishable = exports.DataPeoplestamps = exports.DataOwnershipInEntity = exports.DataOwnedFields = exports.DataJsonb = exports.DataLimitCounter = exports.DataJobTrigger = exports.DataInheritFromParent = exports.DataInflection = exports.DataImmutableFields = exports.DataImageEmbedding = exports.DataId = exports.DataForceCurrentUser = exports.DataFeatureFlag = exports.DataFileEmbedding = exports.DataEntityMembership = exports.DataDirectOwner = exports.DataCompositeField = void 0;
+exports.TableUserSettings = exports.TableUserProfiles = exports.TableOrganizationSettings = exports.SearchVector = exports.SearchUnified = exports.SearchTrgm = exports.SearchSpatialAggregate = exports.SearchSpatial = exports.SearchFullText = exports.SearchBm25 = exports.DataTimestamps = exports.DataTags = exports.DataStatusField = exports.DataSoftDelete = exports.DataSlug = exports.DataPublishable = exports.DataPeoplestamps = exports.DataOwnershipInEntity = exports.DataOwnedFields = exports.DataJsonb = exports.DataLimitCounter = exports.DataJobTrigger = exports.DataInheritFromParent = exports.DataInflection = exports.DataImmutableFields = exports.DataImageEmbedding = exports.DataId = exports.DataForceCurrentUser = exports.DataFeatureFlag = exports.DataFileEmbedding = exports.DataEntityMembership = exports.DataDirectOwner = exports.DataCompositeField = exports.DataChunks = void 0;
+var data_chunks_1 = require("./data-chunks");
+Object.defineProperty(exports, "DataChunks", { enumerable: true, get: function () { return data_chunks_1.DataChunks; } });
 var data_composite_field_1 = require("./data-composite-field");
 Object.defineProperty(exports, "DataCompositeField", { enumerable: true, get: function () { return data_composite_field_1.DataCompositeField; } });
 var data_direct_owner_1 = require("./data-direct-owner");

package/esm/data/data-chunks.d.ts

@@ -0,0 +1,18 @@
+import type { NodeTypeDefinition } from '../types';
+/**
+ * Standalone chunking node type.
+ *
+ * Creates an embedding_chunks record that provisions a chunks table with:
+ * - FK to parent table (CASCADE delete)
+ * - content text field
+ * - chunk_index integer field
+ * - embedding vector(N) field with HNSW index
+ * - metadata jsonb field
+ * - RLS policies inherited from parent
+ * - Optional job trigger for automatic chunking on INSERT/UPDATE
+ *
+ * This node is also composed internally by DataFileEmbedding (enabled by
+ * default in extract mode). Use it standalone when you want a chunks table
+ * without the full file-embedding pipeline.
+ */
+export declare const DataChunks: NodeTypeDefinition;

package/esm/data/data-chunks.js

@@ -0,0 +1,98 @@
+/**
+ * Standalone chunking node type.
+ *
+ * Creates an embedding_chunks record that provisions a chunks table with:
+ * - FK to parent table (CASCADE delete)
+ * - content text field
+ * - chunk_index integer field
+ * - embedding vector(N) field with HNSW index
+ * - metadata jsonb field
+ * - RLS policies inherited from parent
+ * - Optional job trigger for automatic chunking on INSERT/UPDATE
+ *
+ * This node is also composed internally by DataFileEmbedding (enabled by
+ * default in extract mode). Use it standalone when you want a chunks table
+ * without the full file-embedding pipeline.
+ */
+export const DataChunks = {
+    name: 'DataChunks',
+    slug: 'data_chunks',
+    category: 'data',
+    display_name: 'Chunks',
+    description: 'Creates a chunked-embedding child table for any parent table. ' +
+        'Provisions the chunks table with content, chunk_index, embedding vector, ' +
+        'metadata, HNSW index, inherited RLS, and optional job trigger for ' +
+        'automatic text splitting. Composed internally by DataFileEmbedding ' +
+        '(enabled by default in extract mode) but can also be used standalone.',
+    parameter_schema: {
+        type: 'object',
+        properties: {
+            // ── Content config ─────────────────────────────────────────────
+            content_field_name: {
+                type: 'string',
+                format: 'column-ref',
+                description: 'Name of the text content column in the chunks table',
+                default: 'content'
+            },
+            // ── Chunking strategy ──────────────────────────────────────────
+            chunk_size: {
+                type: 'integer',
+                description: 'Maximum number of characters per chunk',
+                default: 1000
+            },
+            chunk_overlap: {
+                type: 'integer',
+                description: 'Number of overlapping characters between consecutive chunks',
+                default: 200
+            },
+            chunk_strategy: {
+                type: 'string',
+                enum: ['fixed', 'sentence', 'paragraph', 'semantic'],
+                description: 'Strategy for splitting text into chunks',
+                default: 'paragraph'
+            },
+            // ── Embedding config ───────────────────────────────────────────
+            dimensions: {
+                type: 'integer',
+                description: 'Vector dimensions for per-chunk embeddings',
+                default: 768
+            },
+            metric: {
+                type: 'string',
+                enum: ['cosine', 'l2', 'ip'],
+                description: 'Distance metric for the HNSW index on chunk embeddings',
+                default: 'cosine'
+            },
+            // ── Table naming ───────────────────────────────────────────────
+            chunks_table_name: {
+                type: 'string',
+                description: 'Override the chunks table name. Defaults to {parent_table}_chunks.',
+            },
+            // ── Metadata ───────────────────────────────────────────────────
+            metadata_fields: {
+                type: 'array',
+                items: { type: 'string' },
+                description: 'Field names from the parent table to copy into chunk metadata'
+            },
+            // ── Job trigger ────────────────────────────────────────────────
+            enqueue_chunking_job: {
+                type: 'boolean',
+                description: 'Whether to create a job trigger that auto-enqueues chunking ' +
+                    'on parent INSERT/UPDATE',
+                default: true
+            },
+            chunking_task_name: {
+                type: 'string',
+                description: 'Task identifier for the chunking job queue',
+                default: 'generate_chunks'
+            }
+        }
+    },
+    tags: [
+        'embedding',
+        'chunks',
+        'vector',
+        'ai',
+        'rag'
+    ]
+};

package/esm/data/data-file-embedding.js

@@ -6,9 +6,10 @@ export const DataFileEmbedding = {
     description: 'Generic, MIME-scoped embedding node for file tables. Supports two modes: ' +
         'direct (whole-file to single vector, e.g. CLIP for images) when extraction ' +
         'is omitted, or extract (file to text to chunks to per-chunk vectors) when ' +
-        'extraction config is provided. Composes SearchVector + DataJobTrigger ' +
-        'internally. Multiple instances can coexist on the same table with different ' +
-        'MIME scopes, field names, and embedding strategies.',
+        'extraction config is provided. Composes SearchVector + DataJobTrigger + ' +
+        'DataChunks (enabled by default in extract mode) internally. Multiple ' +
+        'instances can coexist on the same table with different MIME scopes, field ' +
+        'names, and embedding strategies.',
     parameter_schema: {
         type: 'object',
         properties: {
@@ -111,12 +112,18 @@ export const DataFileEmbedding = {
                     }
                 }
             },
-            // ── Chunking config (optional — creates embedding_chunks) ──────
+            // ── Chunking (enabled by default in extract mode) ──────────────
+            include_chunks: {
+                type: 'boolean',
+                description: 'Whether to create a chunks table via DataChunks. Defaults to true ' +
+                    'when extraction is provided, false in direct mode. Set explicitly ' +
+                    'to override.',
+            },
             chunks: {
                 type: 'object',
-                description: 'Chunking configuration. Creates an embedding_chunks record that drives ' +
-                    'automatic text splitting and per-chunk embedding. Only meaningful when ' +
-                    'extraction is also provided.',
+                description: 'Chunking configuration passed through to DataChunks. When ' +
+                    'include_chunks is true (or defaults to true in extract mode), these ' +
+                    'params configure the chunks table, embedding dimensions, strategy, etc.',
                 properties: {
                     content_field_name: {
                         type: 'string',
@@ -141,8 +148,9 @@ export const DataFileEmbedding = {
                         default: 'paragraph'
                     },
                     metadata_fields: {
-                        type: 'object',
-                        description: 'Metadata fields from parent to copy into chunks'
+                        type: 'array',
+                        items: { type: 'string' },
+                        description: 'Field names from parent to copy into chunk metadata'
                     },
                     enqueue_chunking_job: {
                         type: 'boolean',

package/esm/data/index.d.ts

@@ -1,3 +1,4 @@
+export { DataChunks } from './data-chunks';
 export { DataCompositeField } from './data-composite-field';
 export { DataDirectOwner } from './data-direct-owner';
 export { DataEntityMembership } from './data-entity-membership';

package/esm/data/index.js

@@ -1,3 +1,4 @@
+export { DataChunks } from './data-chunks';
 export { DataCompositeField } from './data-composite-field';
 export { DataDirectOwner } from './data-direct-owner';
 export { DataEntityMembership } from './data-entity-membership';

package/esm/module-presets/auth-email-magic.js

@@ -33,6 +33,9 @@ export const PresetAuthEmailMagic = {
     modules: [
         'users_module',
         'membership_types_module',
+        'permissions_module:app',
+        'limits_module:app',
+        'levels_module:app',
         'memberships_module:app',
         'sessions_module',
         'secrets_module',

package/esm/module-presets/auth-email.d.ts

@@ -9,9 +9,13 @@ import type { ModulePreset } from './types';
  * `set_password`, `reset_password`, `forgot_password`, `verify_email`,
  * `delete_account`, `my_sessions`, API-key CRUD. Nothing more.
  *
+ * Includes `permissions_module:app`, `limits_module:app`, and
+ * `levels_module:app` because `memberships_module:app` has NOT NULL
+ * foreign keys to the tables they create (grants, caps, levels).
+ *
  * It deliberately excludes rate limits, connected accounts / identity
  * providers (OAuth), WebAuthn (passkeys), phone numbers (SMS), invites,
- * permissions, and org-scoped memberships. Bolt those on by moving to a
- * richer preset (`auth:hardened`, `b2b`) when you actually need them.
+ * and org-scoped memberships. Bolt those on by moving to a richer preset
+ * (`auth:hardened`, `b2b`) when you actually need them.
  */
 export declare const PresetAuthEmail: ModulePreset;

package/esm/module-presets/auth-email.js

@@ -8,24 +8,28 @@
  * `set_password`, `reset_password`, `forgot_password`, `verify_email`,
  * `delete_account`, `my_sessions`, API-key CRUD. Nothing more.
  *
+ * Includes `permissions_module:app`, `limits_module:app`, and
+ * `levels_module:app` because `memberships_module:app` has NOT NULL
+ * foreign keys to the tables they create (grants, caps, levels).
+ *
  * It deliberately excludes rate limits, connected accounts / identity
  * providers (OAuth), WebAuthn (passkeys), phone numbers (SMS), invites,
- * permissions, and org-scoped memberships. Bolt those on by moving to a
- * richer preset (`auth:hardened`, `b2b`) when you actually need them.
+ * and org-scoped memberships. Bolt those on by moving to a richer preset
+ * (`auth:hardened`, `b2b`) when you actually need them.
  */
 export const PresetAuthEmail = {
     name: 'auth:email',
     display_name: 'Email + Password',
-    summary: 'Standard email/password auth flow. No orgs, no SSO, no MFA, no rate limits.',
+    summary: 'Standard email/password auth flow with app-level permissions. No orgs, no SSO, no MFA.',
     description: 'Installs `user_auth_module` with exactly the table dependencies its insert trigger ' +
-        'hard-requires: users, app-scoped memberships, emails, secrets, encrypted secrets, ' +
-        'sessions, plus RLS. You get the standard password-based auth procedures (sign_up, ' +
-        "sign_in, reset_password, verify_email, delete_account, ...) and that's it. " +
-        'Everything else in the module catalog — SSO, passkeys, SMS, rate limits, orgs, ' +
-        'invites, permissions — is deliberately omitted. This is the right shape for single-tenant ' +
-        'consumer apps in the first weeks, internal tools that need a real login, or anything ' +
-        'where you want the lightest possible working auth and will add complexity only when ' +
-        'forced to.',
+        'hard-requires: users, app-scoped memberships (plus their permissions/limits/levels ' +
+        'dependencies), emails, secrets, encrypted secrets, sessions, plus RLS. You get the ' +
+        'standard password-based auth procedures (sign_up, sign_in, reset_password, ' +
+        "verify_email, delete_account, ...) and that's it. Everything else in the module " +
+        'catalog — SSO, passkeys, SMS, rate limits, orgs, invites — is deliberately omitted. ' +
+        'This is the right shape for single-tenant consumer apps in the first weeks, internal ' +
+        'tools that need a real login, or anything where you want the lightest possible working ' +
+        'auth and will add complexity only when forced to.',
     good_for: [
         'Single-tenant consumer apps in the first week of development',
         'Internal tools where one simple login is enough',
@@ -40,6 +44,9 @@ export const PresetAuthEmail = {
     modules: [
         'users_module',
         'membership_types_module',
+        'permissions_module:app',
+        'limits_module:app',
+        'levels_module:app',
         'memberships_module:app',
         'sessions_module',
         'secrets_module',
@@ -51,6 +58,9 @@ export const PresetAuthEmail = {
     includes_notes: {
         'memberships_module:app': 'Required by `user_auth_module`: every user gets an app-level membership row at sign-up.',
         membership_types_module: "Required by `memberships_module:app`; defines the 'app' scope.",
+        'permissions_module:app': 'Required by `memberships_module:app`: NOT NULL FK to grants table.',
+        'limits_module:app': 'Required by `memberships_module:app`: NOT NULL FK to caps table.',
+        'levels_module:app': 'Required by `memberships_module:app`: NOT NULL FK to levels table.',
         emails_module: 'Required by the `user_auth_module` insert trigger (`RAISE EXCEPTION REQUIRES emails_module`).',
         encrypted_secrets_module: 'Required for password hashing; referenced by `set_password`, `verify_password`, and reset flows.',
         secrets_module: 'API-key storage (`create_api_key`, `revoke_api_key`, `my_api_keys`).'
@@ -62,7 +72,6 @@ export const PresetAuthEmail = {
         webauthn_credentials_module: 'No passkeys — add `auth:passkey`.',
         phone_numbers_module: 'No SMS login — add `auth:hardened` or the SMS-only refactor path.',
         'memberships_module:org': 'No org/team structure — move to `b2b` when you need one.',
-        'permissions_module:app': 'No fine-grained RBAC; the `is_admin` flag on users is the only gate.',
         invites_module: 'Self-serve signup only.',
         session_secrets_module: 'No magic-link / email-OTP nonces; add `auth:email+magic`.'
     }

package/esm/module-presets/auth-hardened.js

@@ -30,6 +30,9 @@ export const PresetAuthHardened = {
     modules: [
         'users_module',
         'membership_types_module',
+        'permissions_module:app',
+        'limits_module:app',
+        'levels_module:app',
         'memberships_module:app',
         'sessions_module',
         'secrets_module',
@@ -56,7 +59,6 @@ export const PresetAuthHardened = {
     },
     omits_notes: {
         'memberships_module:org': 'No orgs / teams — use `b2b` when you need multi-tenancy.',
-        'permissions_module:app': 'No RBAC beyond the `is_admin` flag — add via `b2b`.',
         invites_module: 'No invite flow — add via `b2b`.',
         storage_module: 'Add separately if you need file uploads.',
         crypto_addresses_module: 'Not a web3 preset; omit unless doing wallet sign-in.'

package/esm/module-presets/auth-passkey.js

@@ -31,6 +31,9 @@ export const PresetAuthPasskey = {
     modules: [
         'users_module',
         'membership_types_module',
+        'permissions_module:app',
+        'limits_module:app',
+        'levels_module:app',
         'memberships_module:app',
         'sessions_module',
         'secrets_module',

package/esm/module-presets/auth-sso.js

@@ -40,6 +40,9 @@ export const PresetAuthSso = {
     modules: [
         'users_module',
         'membership_types_module',
+        'permissions_module:app',
+        'limits_module:app',
+        'levels_module:app',
         'memberships_module:app',
         'sessions_module',
         'secrets_module',

package/esm/module-presets/b2b-storage.d.ts

@@ -0,0 +1,13 @@
+import type { ModulePreset } from './types';
+/**
+ * `b2b:storage` — everything in `b2b` plus `storage_module` for file uploads.
+ *
+ * This is the common shape for B2B SaaS apps that need file upload
+ * infrastructure tied to their org/workspace structure. The storage module
+ * creates `app_buckets` and `app_files` tables with RLS policies, and
+ * entity-type-level storage scopes can be provisioned on top.
+ *
+ * If you don't need orgs, use a lighter preset and add `storage_module`
+ * separately via provisioning options.
+ */
+export declare const PresetB2bStorage: ModulePreset;

package/esm/module-presets/b2b-storage.js

@@ -0,0 +1,70 @@
+/**
+ * `b2b:storage` — everything in `b2b` plus `storage_module` for file uploads.
+ *
+ * This is the common shape for B2B SaaS apps that need file upload
+ * infrastructure tied to their org/workspace structure. The storage module
+ * creates `app_buckets` and `app_files` tables with RLS policies, and
+ * entity-type-level storage scopes can be provisioned on top.
+ *
+ * If you don't need orgs, use a lighter preset and add `storage_module`
+ * separately via provisioning options.
+ */
+export const PresetB2bStorage = {
+    name: 'b2b:storage',
+    display_name: 'B2B SaaS + File Storage',
+    summary: '`b2b` + file upload infrastructure (buckets, files, RLS).',
+    description: 'Everything in `b2b` (auth:hardened + orgs + invites + permissions + levels + profiles + ' +
+        'hierarchy), plus `storage_module` for file uploads. The storage module creates ' +
+        '`app_buckets` and `app_files` tables with full RLS: AuthzPublishable for public reads, ' +
+        'AuthzAppMembership for member access, AuthzDirectOwner for uploader-only modify/delete. ' +
+        'Entity-type provisioning with `has_storage=true` adds per-scope storage tables ' +
+        'automatically. Choose this when your B2B app needs file uploads, avatars, attachments, ' +
+        'or any object storage tied to workspaces.',
+    good_for: [
+        'B2B SaaS with file uploads (documents, avatars, attachments)',
+        'Apps where storage is scoped to orgs/workspaces',
+        'Apps that need per-entity-type file storage (e.g., project files, team assets)'
+    ],
+    not_for: [
+        'Single-tenant consumer apps — use `auth:email` or `auth:hardened` and add storage separately',
+        'Apps without file upload needs — use `b2b` to avoid the storage table overhead'
+    ],
+    modules: [
+        'users_module',
+        'membership_types_module',
+        'permissions_module:app',
+        'permissions_module:org',
+        'limits_module:app',
+        'limits_module:org',
+        'levels_module:app',
+        'levels_module:org',
+        'memberships_module:app',
+        'memberships_module:org',
+        'sessions_module',
+        'secrets_module',
+        'encrypted_secrets_module',
+        'emails_module',
+        'rls_module',
+        'user_auth_module',
+        'session_secrets_module',
+        'rate_limits_module',
+        'connected_accounts_module',
+        'identity_providers_module',
+        'webauthn_credentials_module',
+        'webauthn_auth_module',
+        'phone_numbers_module',
+        'profiles_module:app',
+        'profiles_module:org',
+        'hierarchy_module:org',
+        'invites_module:app',
+        'invites_module:org',
+        'storage_module'
+    ],
+    includes_notes: {
+        storage_module: 'File upload infrastructure: app_buckets + app_files tables with RLS. Entity-type storage scopes layered on top via `has_storage=true`.'
+    },
+    omits_notes: {
+        crypto_addresses_module: 'Not a web3 preset.'
+    },
+    extends: ['b2b']
+};

package/esm/module-presets/index.d.ts

@@ -5,10 +5,11 @@ import { PresetAuthHardened } from './auth-hardened';
 import { PresetAuthPasskey } from './auth-passkey';
 import { PresetAuthSso } from './auth-sso';
 import { PresetB2b } from './b2b';
+import { PresetB2bStorage } from './b2b-storage';
 import { PresetFull } from './full';
 import { PresetMinimal } from './minimal';
 import type { ModulePreset } from './types';
-export { PresetAuthEmail, PresetAuthEmailMagic, PresetAuthHardened, PresetAuthPasskey, PresetAuthSso, PresetB2b, PresetFull, PresetMinimal };
+export { PresetAuthEmail, PresetAuthEmailMagic, PresetAuthHardened, PresetAuthPasskey, PresetAuthSso, PresetB2b, PresetB2bStorage, PresetFull, PresetMinimal };
 /**
  * Ordered list of all shipped module presets, from smallest to largest
  * module footprint. Stable ordering — CLIs / UIs can present this directly.

package/esm/module-presets/index.js

@@ -4,9 +4,10 @@ import { PresetAuthHardened } from './auth-hardened';
 import { PresetAuthPasskey } from './auth-passkey';
 import { PresetAuthSso } from './auth-sso';
 import { PresetB2b } from './b2b';
+import { PresetB2bStorage } from './b2b-storage';
 import { PresetFull } from './full';
 import { PresetMinimal } from './minimal';
-export { PresetAuthEmail, PresetAuthEmailMagic, PresetAuthHardened, PresetAuthPasskey, PresetAuthSso, PresetB2b, PresetFull, PresetMinimal };
+export { PresetAuthEmail, PresetAuthEmailMagic, PresetAuthHardened, PresetAuthPasskey, PresetAuthSso, PresetB2b, PresetB2bStorage, PresetFull, PresetMinimal };
 /**
  * Ordered list of all shipped module presets, from smallest to largest
  * module footprint. Stable ordering — CLIs / UIs can present this directly.
@@ -19,6 +20,7 @@ export const allModulePresets = [
     PresetAuthPasskey,
     PresetAuthHardened,
     PresetB2b,
+    PresetB2bStorage,
     PresetFull
 ];
 /** Look up a preset by name. Returns undefined if the name isn't known. */

package/module-presets/auth-email-magic.js

@@ -36,6 +36,9 @@ exports.PresetAuthEmailMagic = {
     modules: [
         'users_module',
         'membership_types_module',
+        'permissions_module:app',
+        'limits_module:app',
+        'levels_module:app',
         'memberships_module:app',
         'sessions_module',
         'secrets_module',

package/module-presets/auth-email.d.ts

@@ -9,9 +9,13 @@ import type { ModulePreset } from './types';
  * `set_password`, `reset_password`, `forgot_password`, `verify_email`,
  * `delete_account`, `my_sessions`, API-key CRUD. Nothing more.
  *
+ * Includes `permissions_module:app`, `limits_module:app`, and
+ * `levels_module:app` because `memberships_module:app` has NOT NULL
+ * foreign keys to the tables they create (grants, caps, levels).
+ *
  * It deliberately excludes rate limits, connected accounts / identity
  * providers (OAuth), WebAuthn (passkeys), phone numbers (SMS), invites,
- * permissions, and org-scoped memberships. Bolt those on by moving to a
- * richer preset (`auth:hardened`, `b2b`) when you actually need them.
+ * and org-scoped memberships. Bolt those on by moving to a richer preset
+ * (`auth:hardened`, `b2b`) when you actually need them.
  */
 export declare const PresetAuthEmail: ModulePreset;

package/module-presets/auth-email.js

@@ -11,24 +11,28 @@ exports.PresetAuthEmail = void 0;
  * `set_password`, `reset_password`, `forgot_password`, `verify_email`,
  * `delete_account`, `my_sessions`, API-key CRUD. Nothing more.
  *
+ * Includes `permissions_module:app`, `limits_module:app`, and
+ * `levels_module:app` because `memberships_module:app` has NOT NULL
+ * foreign keys to the tables they create (grants, caps, levels).
+ *
  * It deliberately excludes rate limits, connected accounts / identity
  * providers (OAuth), WebAuthn (passkeys), phone numbers (SMS), invites,
- * permissions, and org-scoped memberships. Bolt those on by moving to a
- * richer preset (`auth:hardened`, `b2b`) when you actually need them.
+ * and org-scoped memberships. Bolt those on by moving to a richer preset
+ * (`auth:hardened`, `b2b`) when you actually need them.
  */
 exports.PresetAuthEmail = {
     name: 'auth:email',
     display_name: 'Email + Password',
-    summary: 'Standard email/password auth flow. No orgs, no SSO, no MFA, no rate limits.',
+    summary: 'Standard email/password auth flow with app-level permissions. No orgs, no SSO, no MFA.',
     description: 'Installs `user_auth_module` with exactly the table dependencies its insert trigger ' +
-        'hard-requires: users, app-scoped memberships, emails, secrets, encrypted secrets, ' +
-        'sessions, plus RLS. You get the standard password-based auth procedures (sign_up, ' +
-        "sign_in, reset_password, verify_email, delete_account, ...) and that's it. " +
-        'Everything else in the module catalog — SSO, passkeys, SMS, rate limits, orgs, ' +
-        'invites, permissions — is deliberately omitted. This is the right shape for single-tenant ' +
-        'consumer apps in the first weeks, internal tools that need a real login, or anything ' +
-        'where you want the lightest possible working auth and will add complexity only when ' +
-        'forced to.',
+        'hard-requires: users, app-scoped memberships (plus their permissions/limits/levels ' +
+        'dependencies), emails, secrets, encrypted secrets, sessions, plus RLS. You get the ' +
+        'standard password-based auth procedures (sign_up, sign_in, reset_password, ' +
+        "verify_email, delete_account, ...) and that's it. Everything else in the module " +
+        'catalog — SSO, passkeys, SMS, rate limits, orgs, invites — is deliberately omitted. ' +
+        'This is the right shape for single-tenant consumer apps in the first weeks, internal ' +
+        'tools that need a real login, or anything where you want the lightest possible working ' +
+        'auth and will add complexity only when forced to.',
     good_for: [
         'Single-tenant consumer apps in the first week of development',
         'Internal tools where one simple login is enough',
@@ -43,6 +47,9 @@ exports.PresetAuthEmail = {
     modules: [
         'users_module',
         'membership_types_module',
+        'permissions_module:app',
+        'limits_module:app',
+        'levels_module:app',
         'memberships_module:app',
         'sessions_module',
         'secrets_module',
@@ -54,6 +61,9 @@ exports.PresetAuthEmail = {
     includes_notes: {
         'memberships_module:app': 'Required by `user_auth_module`: every user gets an app-level membership row at sign-up.',
         membership_types_module: "Required by `memberships_module:app`; defines the 'app' scope.",
+        'permissions_module:app': 'Required by `memberships_module:app`: NOT NULL FK to grants table.',
+        'limits_module:app': 'Required by `memberships_module:app`: NOT NULL FK to caps table.',
+        'levels_module:app': 'Required by `memberships_module:app`: NOT NULL FK to levels table.',
         emails_module: 'Required by the `user_auth_module` insert trigger (`RAISE EXCEPTION REQUIRES emails_module`).',
         encrypted_secrets_module: 'Required for password hashing; referenced by `set_password`, `verify_password`, and reset flows.',
         secrets_module: 'API-key storage (`create_api_key`, `revoke_api_key`, `my_api_keys`).'
@@ -65,7 +75,6 @@ exports.PresetAuthEmail = {
         webauthn_credentials_module: 'No passkeys — add `auth:passkey`.',
         phone_numbers_module: 'No SMS login — add `auth:hardened` or the SMS-only refactor path.',
         'memberships_module:org': 'No org/team structure — move to `b2b` when you need one.',
-        'permissions_module:app': 'No fine-grained RBAC; the `is_admin` flag on users is the only gate.',
         invites_module: 'Self-serve signup only.',
         session_secrets_module: 'No magic-link / email-OTP nonces; add `auth:email+magic`.'
     }

package/module-presets/auth-hardened.js

@@ -33,6 +33,9 @@ exports.PresetAuthHardened = {
     modules: [
         'users_module',
         'membership_types_module',
+        'permissions_module:app',
+        'limits_module:app',
+        'levels_module:app',
         'memberships_module:app',
         'sessions_module',
         'secrets_module',
@@ -59,7 +62,6 @@ exports.PresetAuthHardened = {
     },
     omits_notes: {
         'memberships_module:org': 'No orgs / teams — use `b2b` when you need multi-tenancy.',
-        'permissions_module:app': 'No RBAC beyond the `is_admin` flag — add via `b2b`.',
         invites_module: 'No invite flow — add via `b2b`.',
         storage_module: 'Add separately if you need file uploads.',
         crypto_addresses_module: 'Not a web3 preset; omit unless doing wallet sign-in.'

package/module-presets/auth-passkey.js

@@ -34,6 +34,9 @@ exports.PresetAuthPasskey = {
     modules: [
         'users_module',
         'membership_types_module',
+        'permissions_module:app',
+        'limits_module:app',
+        'levels_module:app',
         'memberships_module:app',
         'sessions_module',
         'secrets_module',

package/module-presets/auth-sso.js

@@ -43,6 +43,9 @@ exports.PresetAuthSso = {
     modules: [
         'users_module',
         'membership_types_module',
+        'permissions_module:app',
+        'limits_module:app',
+        'levels_module:app',
         'memberships_module:app',
         'sessions_module',
         'secrets_module',

package/module-presets/b2b-storage.d.ts

@@ -0,0 +1,13 @@
+import type { ModulePreset } from './types';
+/**
+ * `b2b:storage` — everything in `b2b` plus `storage_module` for file uploads.
+ *
+ * This is the common shape for B2B SaaS apps that need file upload
+ * infrastructure tied to their org/workspace structure. The storage module
+ * creates `app_buckets` and `app_files` tables with RLS policies, and
+ * entity-type-level storage scopes can be provisioned on top.
+ *
+ * If you don't need orgs, use a lighter preset and add `storage_module`
+ * separately via provisioning options.
+ */
+export declare const PresetB2bStorage: ModulePreset;

package/module-presets/b2b-storage.js

@@ -0,0 +1,73 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PresetB2bStorage = void 0;
+/**
+ * `b2b:storage` — everything in `b2b` plus `storage_module` for file uploads.
+ *
+ * This is the common shape for B2B SaaS apps that need file upload
+ * infrastructure tied to their org/workspace structure. The storage module
+ * creates `app_buckets` and `app_files` tables with RLS policies, and
+ * entity-type-level storage scopes can be provisioned on top.
+ *
+ * If you don't need orgs, use a lighter preset and add `storage_module`
+ * separately via provisioning options.
+ */
+exports.PresetB2bStorage = {
+    name: 'b2b:storage',
+    display_name: 'B2B SaaS + File Storage',
+    summary: '`b2b` + file upload infrastructure (buckets, files, RLS).',
+    description: 'Everything in `b2b` (auth:hardened + orgs + invites + permissions + levels + profiles + ' +
+        'hierarchy), plus `storage_module` for file uploads. The storage module creates ' +
+        '`app_buckets` and `app_files` tables with full RLS: AuthzPublishable for public reads, ' +
+        'AuthzAppMembership for member access, AuthzDirectOwner for uploader-only modify/delete. ' +
+        'Entity-type provisioning with `has_storage=true` adds per-scope storage tables ' +
+        'automatically. Choose this when your B2B app needs file uploads, avatars, attachments, ' +
+        'or any object storage tied to workspaces.',
+    good_for: [
+        'B2B SaaS with file uploads (documents, avatars, attachments)',
+        'Apps where storage is scoped to orgs/workspaces',
+        'Apps that need per-entity-type file storage (e.g., project files, team assets)'
+    ],
+    not_for: [
+        'Single-tenant consumer apps — use `auth:email` or `auth:hardened` and add storage separately',
+        'Apps without file upload needs — use `b2b` to avoid the storage table overhead'
+    ],
+    modules: [
+        'users_module',
+        'membership_types_module',
+        'permissions_module:app',
+        'permissions_module:org',
+        'limits_module:app',
+        'limits_module:org',
+        'levels_module:app',
+        'levels_module:org',
+        'memberships_module:app',
+        'memberships_module:org',
+        'sessions_module',
+        'secrets_module',
+        'encrypted_secrets_module',
+        'emails_module',
+        'rls_module',
+        'user_auth_module',
+        'session_secrets_module',
+        'rate_limits_module',
+        'connected_accounts_module',
+        'identity_providers_module',
+        'webauthn_credentials_module',
+        'webauthn_auth_module',
+        'phone_numbers_module',
+        'profiles_module:app',
+        'profiles_module:org',
+        'hierarchy_module:org',
+        'invites_module:app',
+        'invites_module:org',
+        'storage_module'
+    ],
+    includes_notes: {
+        storage_module: 'File upload infrastructure: app_buckets + app_files tables with RLS. Entity-type storage scopes layered on top via `has_storage=true`.'
+    },
+    omits_notes: {
+        crypto_addresses_module: 'Not a web3 preset.'
+    },
+    extends: ['b2b']
+};

package/module-presets/index.d.ts

@@ -5,10 +5,11 @@ import { PresetAuthHardened } from './auth-hardened';
 import { PresetAuthPasskey } from './auth-passkey';
 import { PresetAuthSso } from './auth-sso';
 import { PresetB2b } from './b2b';
+import { PresetB2bStorage } from './b2b-storage';
 import { PresetFull } from './full';
 import { PresetMinimal } from './minimal';
 import type { ModulePreset } from './types';
-export { PresetAuthEmail, PresetAuthEmailMagic, PresetAuthHardened, PresetAuthPasskey, PresetAuthSso, PresetB2b, PresetFull, PresetMinimal };
+export { PresetAuthEmail, PresetAuthEmailMagic, PresetAuthHardened, PresetAuthPasskey, PresetAuthSso, PresetB2b, PresetB2bStorage, PresetFull, PresetMinimal };
 /**
  * Ordered list of all shipped module presets, from smallest to largest
  * module footprint. Stable ordering — CLIs / UIs can present this directly.

package/module-presets/index.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.allModulePresets = exports.PresetMinimal = exports.PresetFull = exports.PresetB2b = exports.PresetAuthSso = exports.PresetAuthPasskey = exports.PresetAuthHardened = exports.PresetAuthEmailMagic = exports.PresetAuthEmail = void 0;
+exports.allModulePresets = exports.PresetMinimal = exports.PresetFull = exports.PresetB2bStorage = exports.PresetB2b = exports.PresetAuthSso = exports.PresetAuthPasskey = exports.PresetAuthHardened = exports.PresetAuthEmailMagic = exports.PresetAuthEmail = void 0;
 exports.getModulePreset = getModulePreset;
 const auth_email_1 = require("./auth-email");
 Object.defineProperty(exports, "PresetAuthEmail", { enumerable: true, get: function () { return auth_email_1.PresetAuthEmail; } });
@@ -14,6 +14,8 @@ const auth_sso_1 = require("./auth-sso");
 Object.defineProperty(exports, "PresetAuthSso", { enumerable: true, get: function () { return auth_sso_1.PresetAuthSso; } });
 const b2b_1 = require("./b2b");
 Object.defineProperty(exports, "PresetB2b", { enumerable: true, get: function () { return b2b_1.PresetB2b; } });
+const b2b_storage_1 = require("./b2b-storage");
+Object.defineProperty(exports, "PresetB2bStorage", { enumerable: true, get: function () { return b2b_storage_1.PresetB2bStorage; } });
 const full_1 = require("./full");
 Object.defineProperty(exports, "PresetFull", { enumerable: true, get: function () { return full_1.PresetFull; } });
 const minimal_1 = require("./minimal");
@@ -30,6 +32,7 @@ exports.allModulePresets = [
     auth_passkey_1.PresetAuthPasskey,
     auth_hardened_1.PresetAuthHardened,
     b2b_1.PresetB2b,
+    b2b_storage_1.PresetB2bStorage,
     full_1.PresetFull
 ];
 /** Look up a preset by name. Returns undefined if the name isn't known. */

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "node-type-registry",
-  "version": "0.28.0",
+  "version": "0.29.1",
   "description": "Node type definitions for the Constructive blueprint system. Single source of truth for all Authz*, Data*, Relation*, and View* node types.",
   "author": "Constructive <developers@constructive.io>",
   "main": "index.js",
@@ -47,5 +47,5 @@
     "registry",
     "graphile"
   ],
-  "gitHead": "0538fe39630e6bafd228cb3f2b114fff4f9a61aa"
+  "gitHead": "97ec8e14f2b0855b0ee0bc732a082e1a91301b64"
 }