node-type-registry 0.29.0 → 0.30.0

package/data/data-realtime.d.ts

@@ -0,0 +1,2 @@
+import type { NodeTypeDefinition } from '../types';
+export declare const DataRealtime: NodeTypeDefinition;

package/data/data-realtime.js

@@ -0,0 +1,31 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DataRealtime = void 0;
+exports.DataRealtime = {
+    name: 'DataRealtime',
+    slug: 'data_realtime',
+    category: 'data',
+    display_name: 'Realtime Subscriptions',
+    description: 'Creates per-table subscriber tables in subscriptions_public with ' +
+        'RLS policies derived from source table SELECT policies. Attaches ' +
+        'statement-level triggers to emit changes to subscribers.',
+    parameter_schema: {
+        type: 'object',
+        properties: {
+            operations: {
+                type: 'array',
+                items: {
+                    type: 'string',
+                    enum: ['INSERT', 'UPDATE', 'DELETE']
+                },
+                description: 'Which DML operations to track with emit_change triggers',
+                default: ['INSERT', 'UPDATE', 'DELETE']
+            },
+            subscriber_table_name: {
+                type: 'string',
+                description: 'Custom name for the subscriber table (defaults to {source_table}_subscriber)'
+            }
+        }
+    },
+    tags: ['realtime', 'subscriptions', 'triggers']
+};

package/data/index.d.ts

@@ -17,6 +17,7 @@ export { DataOwnedFields } from './data-owned-fields';
 export { DataOwnershipInEntity } from './data-ownership-in-entity';
 export { DataPeoplestamps } from './data-peoplestamps';
 export { DataPublishable } from './data-publishable';
+export { DataRealtime } from './data-realtime';
 export { DataSlug } from './data-slug';
 export { DataSoftDelete } from './data-soft-delete';
 export { DataStatusField } from './data-status-field';

package/data/index.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.TableUserSettings = exports.TableUserProfiles = exports.TableOrganizationSettings = exports.SearchVector = exports.SearchUnified = exports.SearchTrgm = exports.SearchSpatialAggregate = exports.SearchSpatial = exports.SearchFullText = exports.SearchBm25 = exports.DataTimestamps = exports.DataTags = exports.DataStatusField = exports.DataSoftDelete = exports.DataSlug = exports.DataPublishable = exports.DataPeoplestamps = exports.DataOwnershipInEntity = exports.DataOwnedFields = exports.DataJsonb = exports.DataLimitCounter = exports.DataJobTrigger = exports.DataInheritFromParent = exports.DataInflection = exports.DataImmutableFields = exports.DataImageEmbedding = exports.DataId = exports.DataForceCurrentUser = exports.DataFeatureFlag = exports.DataFileEmbedding = exports.DataEntityMembership = exports.DataDirectOwner = exports.DataCompositeField = exports.DataChunks = void 0;
+exports.TableUserSettings = exports.TableUserProfiles = exports.TableOrganizationSettings = exports.SearchVector = exports.SearchUnified = exports.SearchTrgm = exports.SearchSpatialAggregate = exports.SearchSpatial = exports.SearchFullText = exports.SearchBm25 = exports.DataTimestamps = exports.DataTags = exports.DataStatusField = exports.DataSoftDelete = exports.DataSlug = exports.DataRealtime = exports.DataPublishable = exports.DataPeoplestamps = exports.DataOwnershipInEntity = exports.DataOwnedFields = exports.DataJsonb = exports.DataLimitCounter = exports.DataJobTrigger = exports.DataInheritFromParent = exports.DataInflection = exports.DataImmutableFields = exports.DataImageEmbedding = exports.DataId = exports.DataForceCurrentUser = exports.DataFeatureFlag = exports.DataFileEmbedding = exports.DataEntityMembership = exports.DataDirectOwner = exports.DataCompositeField = exports.DataChunks = void 0;
 var data_chunks_1 = require("./data-chunks");
 Object.defineProperty(exports, "DataChunks", { enumerable: true, get: function () { return data_chunks_1.DataChunks; } });
 var data_composite_field_1 = require("./data-composite-field");
@@ -39,6 +39,8 @@ var data_peoplestamps_1 = require("./data-peoplestamps");
 Object.defineProperty(exports, "DataPeoplestamps", { enumerable: true, get: function () { return data_peoplestamps_1.DataPeoplestamps; } });
 var data_publishable_1 = require("./data-publishable");
 Object.defineProperty(exports, "DataPublishable", { enumerable: true, get: function () { return data_publishable_1.DataPublishable; } });
+var data_realtime_1 = require("./data-realtime");
+Object.defineProperty(exports, "DataRealtime", { enumerable: true, get: function () { return data_realtime_1.DataRealtime; } });
 var data_slug_1 = require("./data-slug");
 Object.defineProperty(exports, "DataSlug", { enumerable: true, get: function () { return data_slug_1.DataSlug; } });
 var data_soft_delete_1 = require("./data-soft-delete");

package/esm/data/data-realtime.d.ts

@@ -0,0 +1,2 @@
+import type { NodeTypeDefinition } from '../types';
+export declare const DataRealtime: NodeTypeDefinition;

package/esm/data/data-realtime.js

@@ -0,0 +1,28 @@
+export const DataRealtime = {
+    name: 'DataRealtime',
+    slug: 'data_realtime',
+    category: 'data',
+    display_name: 'Realtime Subscriptions',
+    description: 'Creates per-table subscriber tables in subscriptions_public with ' +
+        'RLS policies derived from source table SELECT policies. Attaches ' +
+        'statement-level triggers to emit changes to subscribers.',
+    parameter_schema: {
+        type: 'object',
+        properties: {
+            operations: {
+                type: 'array',
+                items: {
+                    type: 'string',
+                    enum: ['INSERT', 'UPDATE', 'DELETE']
+                },
+                description: 'Which DML operations to track with emit_change triggers',
+                default: ['INSERT', 'UPDATE', 'DELETE']
+            },
+            subscriber_table_name: {
+                type: 'string',
+                description: 'Custom name for the subscriber table (defaults to {source_table}_subscriber)'
+            }
+        }
+    },
+    tags: ['realtime', 'subscriptions', 'triggers']
+};

package/esm/data/index.d.ts

@@ -17,6 +17,7 @@ export { DataOwnedFields } from './data-owned-fields';
 export { DataOwnershipInEntity } from './data-ownership-in-entity';
 export { DataPeoplestamps } from './data-peoplestamps';
 export { DataPublishable } from './data-publishable';
+export { DataRealtime } from './data-realtime';
 export { DataSlug } from './data-slug';
 export { DataSoftDelete } from './data-soft-delete';
 export { DataStatusField } from './data-status-field';

package/esm/data/index.js

@@ -17,6 +17,7 @@ export { DataOwnedFields } from './data-owned-fields';
 export { DataOwnershipInEntity } from './data-ownership-in-entity';
 export { DataPeoplestamps } from './data-peoplestamps';
 export { DataPublishable } from './data-publishable';
+export { DataRealtime } from './data-realtime';
 export { DataSlug } from './data-slug';
 export { DataSoftDelete } from './data-soft-delete';
 export { DataStatusField } from './data-status-field';

package/esm/module-presets/auth-email-magic.js

@@ -33,6 +33,9 @@ export const PresetAuthEmailMagic = {
     modules: [
         'users_module',
         'membership_types_module',
+        'permissions_module:app',
+        'limits_module:app',
+        'levels_module:app',
         'memberships_module:app',
         'sessions_module',
         'secrets_module',

package/esm/module-presets/auth-email.d.ts

@@ -9,9 +9,13 @@ import type { ModulePreset } from './types';
  * `set_password`, `reset_password`, `forgot_password`, `verify_email`,
  * `delete_account`, `my_sessions`, API-key CRUD. Nothing more.
  *
+ * Includes `permissions_module:app`, `limits_module:app`, and
+ * `levels_module:app` because `memberships_module:app` has NOT NULL
+ * foreign keys to the tables they create (grants, caps, levels).
+ *
  * It deliberately excludes rate limits, connected accounts / identity
  * providers (OAuth), WebAuthn (passkeys), phone numbers (SMS), invites,
- * permissions, and org-scoped memberships. Bolt those on by moving to a
- * richer preset (`auth:hardened`, `b2b`) when you actually need them.
+ * and org-scoped memberships. Bolt those on by moving to a richer preset
+ * (`auth:hardened`, `b2b`) when you actually need them.
  */
 export declare const PresetAuthEmail: ModulePreset;

package/esm/module-presets/auth-email.js

@@ -8,24 +8,28 @@
  * `set_password`, `reset_password`, `forgot_password`, `verify_email`,
  * `delete_account`, `my_sessions`, API-key CRUD. Nothing more.
  *
+ * Includes `permissions_module:app`, `limits_module:app`, and
+ * `levels_module:app` because `memberships_module:app` has NOT NULL
+ * foreign keys to the tables they create (grants, caps, levels).
+ *
  * It deliberately excludes rate limits, connected accounts / identity
  * providers (OAuth), WebAuthn (passkeys), phone numbers (SMS), invites,
- * permissions, and org-scoped memberships. Bolt those on by moving to a
- * richer preset (`auth:hardened`, `b2b`) when you actually need them.
+ * and org-scoped memberships. Bolt those on by moving to a richer preset
+ * (`auth:hardened`, `b2b`) when you actually need them.
  */
 export const PresetAuthEmail = {
     name: 'auth:email',
     display_name: 'Email + Password',
-    summary: 'Standard email/password auth flow. No orgs, no SSO, no MFA, no rate limits.',
+    summary: 'Standard email/password auth flow with app-level permissions. No orgs, no SSO, no MFA.',
     description: 'Installs `user_auth_module` with exactly the table dependencies its insert trigger ' +
-        'hard-requires: users, app-scoped memberships, emails, secrets, encrypted secrets, ' +
-        'sessions, plus RLS. You get the standard password-based auth procedures (sign_up, ' +
-        "sign_in, reset_password, verify_email, delete_account, ...) and that's it. " +
-        'Everything else in the module catalog — SSO, passkeys, SMS, rate limits, orgs, ' +
-        'invites, permissions — is deliberately omitted. This is the right shape for single-tenant ' +
-        'consumer apps in the first weeks, internal tools that need a real login, or anything ' +
-        'where you want the lightest possible working auth and will add complexity only when ' +
-        'forced to.',
+        'hard-requires: users, app-scoped memberships (plus their permissions/limits/levels ' +
+        'dependencies), emails, secrets, encrypted secrets, sessions, plus RLS. You get the ' +
+        'standard password-based auth procedures (sign_up, sign_in, reset_password, ' +
+        "verify_email, delete_account, ...) and that's it. Everything else in the module " +
+        'catalog — SSO, passkeys, SMS, rate limits, orgs, invites — is deliberately omitted. ' +
+        'This is the right shape for single-tenant consumer apps in the first weeks, internal ' +
+        'tools that need a real login, or anything where you want the lightest possible working ' +
+        'auth and will add complexity only when forced to.',
     good_for: [
         'Single-tenant consumer apps in the first week of development',
         'Internal tools where one simple login is enough',
@@ -40,6 +44,9 @@ export const PresetAuthEmail = {
     modules: [
         'users_module',
         'membership_types_module',
+        'permissions_module:app',
+        'limits_module:app',
+        'levels_module:app',
         'memberships_module:app',
         'sessions_module',
         'secrets_module',
@@ -51,6 +58,9 @@ export const PresetAuthEmail = {
     includes_notes: {
         'memberships_module:app': 'Required by `user_auth_module`: every user gets an app-level membership row at sign-up.',
         membership_types_module: "Required by `memberships_module:app`; defines the 'app' scope.",
+        'permissions_module:app': 'Required by `memberships_module:app`: NOT NULL FK to grants table.',
+        'limits_module:app': 'Required by `memberships_module:app`: NOT NULL FK to caps table.',
+        'levels_module:app': 'Required by `memberships_module:app`: NOT NULL FK to levels table.',
         emails_module: 'Required by the `user_auth_module` insert trigger (`RAISE EXCEPTION REQUIRES emails_module`).',
         encrypted_secrets_module: 'Required for password hashing; referenced by `set_password`, `verify_password`, and reset flows.',
         secrets_module: 'API-key storage (`create_api_key`, `revoke_api_key`, `my_api_keys`).'
@@ -62,7 +72,6 @@ export const PresetAuthEmail = {
         webauthn_credentials_module: 'No passkeys — add `auth:passkey`.',
         phone_numbers_module: 'No SMS login — add `auth:hardened` or the SMS-only refactor path.',
         'memberships_module:org': 'No org/team structure — move to `b2b` when you need one.',
-        'permissions_module:app': 'No fine-grained RBAC; the `is_admin` flag on users is the only gate.',
         invites_module: 'Self-serve signup only.',
         session_secrets_module: 'No magic-link / email-OTP nonces; add `auth:email+magic`.'
     }

package/esm/module-presets/auth-hardened.js

@@ -30,6 +30,9 @@ export const PresetAuthHardened = {
     modules: [
         'users_module',
         'membership_types_module',
+        'permissions_module:app',
+        'limits_module:app',
+        'levels_module:app',
         'memberships_module:app',
         'sessions_module',
         'secrets_module',
@@ -56,7 +59,6 @@ export const PresetAuthHardened = {
     },
     omits_notes: {
         'memberships_module:org': 'No orgs / teams — use `b2b` when you need multi-tenancy.',
-        'permissions_module:app': 'No RBAC beyond the `is_admin` flag — add via `b2b`.',
         invites_module: 'No invite flow — add via `b2b`.',
         storage_module: 'Add separately if you need file uploads.',
         crypto_addresses_module: 'Not a web3 preset; omit unless doing wallet sign-in.'

package/esm/module-presets/auth-passkey.js

@@ -31,6 +31,9 @@ export const PresetAuthPasskey = {
     modules: [
         'users_module',
         'membership_types_module',
+        'permissions_module:app',
+        'limits_module:app',
+        'levels_module:app',
         'memberships_module:app',
         'sessions_module',
         'secrets_module',

package/esm/module-presets/auth-sso.js

@@ -40,6 +40,9 @@ export const PresetAuthSso = {
     modules: [
         'users_module',
         'membership_types_module',
+        'permissions_module:app',
+        'limits_module:app',
+        'levels_module:app',
         'memberships_module:app',
         'sessions_module',
         'secrets_module',

package/esm/module-presets/b2b-storage.d.ts

@@ -0,0 +1,13 @@
+import type { ModulePreset } from './types';
+/**
+ * `b2b:storage` — everything in `b2b` plus `storage_module` for file uploads.
+ *
+ * This is the common shape for B2B SaaS apps that need file upload
+ * infrastructure tied to their org/workspace structure. The storage module
+ * creates `app_buckets` and `app_files` tables with RLS policies, and
+ * entity-type-level storage scopes can be provisioned on top.
+ *
+ * If you don't need orgs, use a lighter preset and add `storage_module`
+ * separately via provisioning options.
+ */
+export declare const PresetB2bStorage: ModulePreset;

package/esm/module-presets/b2b-storage.js

@@ -0,0 +1,70 @@
+/**
+ * `b2b:storage` — everything in `b2b` plus `storage_module` for file uploads.
+ *
+ * This is the common shape for B2B SaaS apps that need file upload
+ * infrastructure tied to their org/workspace structure. The storage module
+ * creates `app_buckets` and `app_files` tables with RLS policies, and
+ * entity-type-level storage scopes can be provisioned on top.
+ *
+ * If you don't need orgs, use a lighter preset and add `storage_module`
+ * separately via provisioning options.
+ */
+export const PresetB2bStorage = {
+    name: 'b2b:storage',
+    display_name: 'B2B SaaS + File Storage',
+    summary: '`b2b` + file upload infrastructure (buckets, files, RLS).',
+    description: 'Everything in `b2b` (auth:hardened + orgs + invites + permissions + levels + profiles + ' +
+        'hierarchy), plus `storage_module` for file uploads. The storage module creates ' +
+        '`app_buckets` and `app_files` tables with full RLS: AuthzPublishable for public reads, ' +
+        'AuthzAppMembership for member access, AuthzDirectOwner for uploader-only modify/delete. ' +
+        'Entity-type provisioning with `has_storage=true` adds per-scope storage tables ' +
+        'automatically. Choose this when your B2B app needs file uploads, avatars, attachments, ' +
+        'or any object storage tied to workspaces.',
+    good_for: [
+        'B2B SaaS with file uploads (documents, avatars, attachments)',
+        'Apps where storage is scoped to orgs/workspaces',
+        'Apps that need per-entity-type file storage (e.g., project files, team assets)'
+    ],
+    not_for: [
+        'Single-tenant consumer apps — use `auth:email` or `auth:hardened` and add storage separately',
+        'Apps without file upload needs — use `b2b` to avoid the storage table overhead'
+    ],
+    modules: [
+        'users_module',
+        'membership_types_module',
+        'permissions_module:app',
+        'permissions_module:org',
+        'limits_module:app',
+        'limits_module:org',
+        'levels_module:app',
+        'levels_module:org',
+        'memberships_module:app',
+        'memberships_module:org',
+        'sessions_module',
+        'secrets_module',
+        'encrypted_secrets_module',
+        'emails_module',
+        'rls_module',
+        'user_auth_module',
+        'session_secrets_module',
+        'rate_limits_module',
+        'connected_accounts_module',
+        'identity_providers_module',
+        'webauthn_credentials_module',
+        'webauthn_auth_module',
+        'phone_numbers_module',
+        'profiles_module:app',
+        'profiles_module:org',
+        'hierarchy_module:org',
+        'invites_module:app',
+        'invites_module:org',
+        'storage_module'
+    ],
+    includes_notes: {
+        storage_module: 'File upload infrastructure: app_buckets + app_files tables with RLS. Entity-type storage scopes layered on top via `has_storage=true`.'
+    },
+    omits_notes: {
+        crypto_addresses_module: 'Not a web3 preset.'
+    },
+    extends: ['b2b']
+};

package/esm/module-presets/index.d.ts

@@ -5,10 +5,11 @@ import { PresetAuthHardened } from './auth-hardened';
 import { PresetAuthPasskey } from './auth-passkey';
 import { PresetAuthSso } from './auth-sso';
 import { PresetB2b } from './b2b';
+import { PresetB2bStorage } from './b2b-storage';
 import { PresetFull } from './full';
 import { PresetMinimal } from './minimal';
 import type { ModulePreset } from './types';
-export { PresetAuthEmail, PresetAuthEmailMagic, PresetAuthHardened, PresetAuthPasskey, PresetAuthSso, PresetB2b, PresetFull, PresetMinimal };
+export { PresetAuthEmail, PresetAuthEmailMagic, PresetAuthHardened, PresetAuthPasskey, PresetAuthSso, PresetB2b, PresetB2bStorage, PresetFull, PresetMinimal };
 /**
  * Ordered list of all shipped module presets, from smallest to largest
  * module footprint. Stable ordering — CLIs / UIs can present this directly.

package/esm/module-presets/index.js

@@ -4,9 +4,10 @@ import { PresetAuthHardened } from './auth-hardened';
 import { PresetAuthPasskey } from './auth-passkey';
 import { PresetAuthSso } from './auth-sso';
 import { PresetB2b } from './b2b';
+import { PresetB2bStorage } from './b2b-storage';
 import { PresetFull } from './full';
 import { PresetMinimal } from './minimal';
-export { PresetAuthEmail, PresetAuthEmailMagic, PresetAuthHardened, PresetAuthPasskey, PresetAuthSso, PresetB2b, PresetFull, PresetMinimal };
+export { PresetAuthEmail, PresetAuthEmailMagic, PresetAuthHardened, PresetAuthPasskey, PresetAuthSso, PresetB2b, PresetB2bStorage, PresetFull, PresetMinimal };
 /**
  * Ordered list of all shipped module presets, from smallest to largest
  * module footprint. Stable ordering — CLIs / UIs can present this directly.
@@ -19,6 +20,7 @@ export const allModulePresets = [
     PresetAuthPasskey,
     PresetAuthHardened,
     PresetB2b,
+    PresetB2bStorage,
     PresetFull
 ];
 /** Look up a preset by name. Returns undefined if the name isn't known. */

package/module-presets/auth-email-magic.js

@@ -36,6 +36,9 @@ exports.PresetAuthEmailMagic = {
     modules: [
         'users_module',
         'membership_types_module',
+        'permissions_module:app',
+        'limits_module:app',
+        'levels_module:app',
         'memberships_module:app',
         'sessions_module',
         'secrets_module',

package/module-presets/auth-email.d.ts

@@ -9,9 +9,13 @@ import type { ModulePreset } from './types';
  * `set_password`, `reset_password`, `forgot_password`, `verify_email`,
  * `delete_account`, `my_sessions`, API-key CRUD. Nothing more.
  *
+ * Includes `permissions_module:app`, `limits_module:app`, and
+ * `levels_module:app` because `memberships_module:app` has NOT NULL
+ * foreign keys to the tables they create (grants, caps, levels).
+ *
  * It deliberately excludes rate limits, connected accounts / identity
  * providers (OAuth), WebAuthn (passkeys), phone numbers (SMS), invites,
- * permissions, and org-scoped memberships. Bolt those on by moving to a
- * richer preset (`auth:hardened`, `b2b`) when you actually need them.
+ * and org-scoped memberships. Bolt those on by moving to a richer preset
+ * (`auth:hardened`, `b2b`) when you actually need them.
  */
 export declare const PresetAuthEmail: ModulePreset;

package/module-presets/auth-email.js

@@ -11,24 +11,28 @@ exports.PresetAuthEmail = void 0;
  * `set_password`, `reset_password`, `forgot_password`, `verify_email`,
  * `delete_account`, `my_sessions`, API-key CRUD. Nothing more.
  *
+ * Includes `permissions_module:app`, `limits_module:app`, and
+ * `levels_module:app` because `memberships_module:app` has NOT NULL
+ * foreign keys to the tables they create (grants, caps, levels).
+ *
  * It deliberately excludes rate limits, connected accounts / identity
  * providers (OAuth), WebAuthn (passkeys), phone numbers (SMS), invites,
- * permissions, and org-scoped memberships. Bolt those on by moving to a
- * richer preset (`auth:hardened`, `b2b`) when you actually need them.
+ * and org-scoped memberships. Bolt those on by moving to a richer preset
+ * (`auth:hardened`, `b2b`) when you actually need them.
  */
 exports.PresetAuthEmail = {
     name: 'auth:email',
     display_name: 'Email + Password',
-    summary: 'Standard email/password auth flow. No orgs, no SSO, no MFA, no rate limits.',
+    summary: 'Standard email/password auth flow with app-level permissions. No orgs, no SSO, no MFA.',
     description: 'Installs `user_auth_module` with exactly the table dependencies its insert trigger ' +
-        'hard-requires: users, app-scoped memberships, emails, secrets, encrypted secrets, ' +
-        'sessions, plus RLS. You get the standard password-based auth procedures (sign_up, ' +
-        "sign_in, reset_password, verify_email, delete_account, ...) and that's it. " +
-        'Everything else in the module catalog — SSO, passkeys, SMS, rate limits, orgs, ' +
-        'invites, permissions — is deliberately omitted. This is the right shape for single-tenant ' +
-        'consumer apps in the first weeks, internal tools that need a real login, or anything ' +
-        'where you want the lightest possible working auth and will add complexity only when ' +
-        'forced to.',
+        'hard-requires: users, app-scoped memberships (plus their permissions/limits/levels ' +
+        'dependencies), emails, secrets, encrypted secrets, sessions, plus RLS. You get the ' +
+        'standard password-based auth procedures (sign_up, sign_in, reset_password, ' +
+        "verify_email, delete_account, ...) and that's it. Everything else in the module " +
+        'catalog — SSO, passkeys, SMS, rate limits, orgs, invites — is deliberately omitted. ' +
+        'This is the right shape for single-tenant consumer apps in the first weeks, internal ' +
+        'tools that need a real login, or anything where you want the lightest possible working ' +
+        'auth and will add complexity only when forced to.',
     good_for: [
         'Single-tenant consumer apps in the first week of development',
         'Internal tools where one simple login is enough',
@@ -43,6 +47,9 @@ exports.PresetAuthEmail = {
     modules: [
         'users_module',
         'membership_types_module',
+        'permissions_module:app',
+        'limits_module:app',
+        'levels_module:app',
         'memberships_module:app',
         'sessions_module',
         'secrets_module',
@@ -54,6 +61,9 @@ exports.PresetAuthEmail = {
     includes_notes: {
         'memberships_module:app': 'Required by `user_auth_module`: every user gets an app-level membership row at sign-up.',
         membership_types_module: "Required by `memberships_module:app`; defines the 'app' scope.",
+        'permissions_module:app': 'Required by `memberships_module:app`: NOT NULL FK to grants table.',
+        'limits_module:app': 'Required by `memberships_module:app`: NOT NULL FK to caps table.',
+        'levels_module:app': 'Required by `memberships_module:app`: NOT NULL FK to levels table.',
         emails_module: 'Required by the `user_auth_module` insert trigger (`RAISE EXCEPTION REQUIRES emails_module`).',
         encrypted_secrets_module: 'Required for password hashing; referenced by `set_password`, `verify_password`, and reset flows.',
         secrets_module: 'API-key storage (`create_api_key`, `revoke_api_key`, `my_api_keys`).'
@@ -65,7 +75,6 @@ exports.PresetAuthEmail = {
         webauthn_credentials_module: 'No passkeys — add `auth:passkey`.',
         phone_numbers_module: 'No SMS login — add `auth:hardened` or the SMS-only refactor path.',
         'memberships_module:org': 'No org/team structure — move to `b2b` when you need one.',
-        'permissions_module:app': 'No fine-grained RBAC; the `is_admin` flag on users is the only gate.',
         invites_module: 'Self-serve signup only.',
         session_secrets_module: 'No magic-link / email-OTP nonces; add `auth:email+magic`.'
     }

package/module-presets/auth-hardened.js

@@ -33,6 +33,9 @@ exports.PresetAuthHardened = {
     modules: [
         'users_module',
         'membership_types_module',
+        'permissions_module:app',
+        'limits_module:app',
+        'levels_module:app',
         'memberships_module:app',
         'sessions_module',
         'secrets_module',
@@ -59,7 +62,6 @@ exports.PresetAuthHardened = {
     },
     omits_notes: {
         'memberships_module:org': 'No orgs / teams — use `b2b` when you need multi-tenancy.',
-        'permissions_module:app': 'No RBAC beyond the `is_admin` flag — add via `b2b`.',
         invites_module: 'No invite flow — add via `b2b`.',
         storage_module: 'Add separately if you need file uploads.',
         crypto_addresses_module: 'Not a web3 preset; omit unless doing wallet sign-in.'

package/module-presets/auth-passkey.js

@@ -34,6 +34,9 @@ exports.PresetAuthPasskey = {
     modules: [
         'users_module',
         'membership_types_module',
+        'permissions_module:app',
+        'limits_module:app',
+        'levels_module:app',
         'memberships_module:app',
         'sessions_module',
         'secrets_module',

package/module-presets/auth-sso.js

@@ -43,6 +43,9 @@ exports.PresetAuthSso = {
     modules: [
         'users_module',
         'membership_types_module',
+        'permissions_module:app',
+        'limits_module:app',
+        'levels_module:app',
         'memberships_module:app',
         'sessions_module',
         'secrets_module',

package/module-presets/b2b-storage.d.ts

@@ -0,0 +1,13 @@
+import type { ModulePreset } from './types';
+/**
+ * `b2b:storage` — everything in `b2b` plus `storage_module` for file uploads.
+ *
+ * This is the common shape for B2B SaaS apps that need file upload
+ * infrastructure tied to their org/workspace structure. The storage module
+ * creates `app_buckets` and `app_files` tables with RLS policies, and
+ * entity-type-level storage scopes can be provisioned on top.
+ *
+ * If you don't need orgs, use a lighter preset and add `storage_module`
+ * separately via provisioning options.
+ */
+export declare const PresetB2bStorage: ModulePreset;

package/module-presets/b2b-storage.js

@@ -0,0 +1,73 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PresetB2bStorage = void 0;
+/**
+ * `b2b:storage` — everything in `b2b` plus `storage_module` for file uploads.
+ *
+ * This is the common shape for B2B SaaS apps that need file upload
+ * infrastructure tied to their org/workspace structure. The storage module
+ * creates `app_buckets` and `app_files` tables with RLS policies, and
+ * entity-type-level storage scopes can be provisioned on top.
+ *
+ * If you don't need orgs, use a lighter preset and add `storage_module`
+ * separately via provisioning options.
+ */
+exports.PresetB2bStorage = {
+    name: 'b2b:storage',
+    display_name: 'B2B SaaS + File Storage',
+    summary: '`b2b` + file upload infrastructure (buckets, files, RLS).',
+    description: 'Everything in `b2b` (auth:hardened + orgs + invites + permissions + levels + profiles + ' +
+        'hierarchy), plus `storage_module` for file uploads. The storage module creates ' +
+        '`app_buckets` and `app_files` tables with full RLS: AuthzPublishable for public reads, ' +
+        'AuthzAppMembership for member access, AuthzDirectOwner for uploader-only modify/delete. ' +
+        'Entity-type provisioning with `has_storage=true` adds per-scope storage tables ' +
+        'automatically. Choose this when your B2B app needs file uploads, avatars, attachments, ' +
+        'or any object storage tied to workspaces.',
+    good_for: [
+        'B2B SaaS with file uploads (documents, avatars, attachments)',
+        'Apps where storage is scoped to orgs/workspaces',
+        'Apps that need per-entity-type file storage (e.g., project files, team assets)'
+    ],
+    not_for: [
+        'Single-tenant consumer apps — use `auth:email` or `auth:hardened` and add storage separately',
+        'Apps without file upload needs — use `b2b` to avoid the storage table overhead'
+    ],
+    modules: [
+        'users_module',
+        'membership_types_module',
+        'permissions_module:app',
+        'permissions_module:org',
+        'limits_module:app',
+        'limits_module:org',
+        'levels_module:app',
+        'levels_module:org',
+        'memberships_module:app',
+        'memberships_module:org',
+        'sessions_module',
+        'secrets_module',
+        'encrypted_secrets_module',
+        'emails_module',
+        'rls_module',
+        'user_auth_module',
+        'session_secrets_module',
+        'rate_limits_module',
+        'connected_accounts_module',
+        'identity_providers_module',
+        'webauthn_credentials_module',
+        'webauthn_auth_module',
+        'phone_numbers_module',
+        'profiles_module:app',
+        'profiles_module:org',
+        'hierarchy_module:org',
+        'invites_module:app',
+        'invites_module:org',
+        'storage_module'
+    ],
+    includes_notes: {
+        storage_module: 'File upload infrastructure: app_buckets + app_files tables with RLS. Entity-type storage scopes layered on top via `has_storage=true`.'
+    },
+    omits_notes: {
+        crypto_addresses_module: 'Not a web3 preset.'
+    },
+    extends: ['b2b']
+};

package/module-presets/index.d.ts

@@ -5,10 +5,11 @@ import { PresetAuthHardened } from './auth-hardened';
 import { PresetAuthPasskey } from './auth-passkey';
 import { PresetAuthSso } from './auth-sso';
 import { PresetB2b } from './b2b';
+import { PresetB2bStorage } from './b2b-storage';
 import { PresetFull } from './full';
 import { PresetMinimal } from './minimal';
 import type { ModulePreset } from './types';
-export { PresetAuthEmail, PresetAuthEmailMagic, PresetAuthHardened, PresetAuthPasskey, PresetAuthSso, PresetB2b, PresetFull, PresetMinimal };
+export { PresetAuthEmail, PresetAuthEmailMagic, PresetAuthHardened, PresetAuthPasskey, PresetAuthSso, PresetB2b, PresetB2bStorage, PresetFull, PresetMinimal };
 /**
  * Ordered list of all shipped module presets, from smallest to largest
  * module footprint. Stable ordering — CLIs / UIs can present this directly.

package/module-presets/index.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.allModulePresets = exports.PresetMinimal = exports.PresetFull = exports.PresetB2b = exports.PresetAuthSso = exports.PresetAuthPasskey = exports.PresetAuthHardened = exports.PresetAuthEmailMagic = exports.PresetAuthEmail = void 0;
+exports.allModulePresets = exports.PresetMinimal = exports.PresetFull = exports.PresetB2bStorage = exports.PresetB2b = exports.PresetAuthSso = exports.PresetAuthPasskey = exports.PresetAuthHardened = exports.PresetAuthEmailMagic = exports.PresetAuthEmail = void 0;
 exports.getModulePreset = getModulePreset;
 const auth_email_1 = require("./auth-email");
 Object.defineProperty(exports, "PresetAuthEmail", { enumerable: true, get: function () { return auth_email_1.PresetAuthEmail; } });
@@ -14,6 +14,8 @@ const auth_sso_1 = require("./auth-sso");
 Object.defineProperty(exports, "PresetAuthSso", { enumerable: true, get: function () { return auth_sso_1.PresetAuthSso; } });
 const b2b_1 = require("./b2b");
 Object.defineProperty(exports, "PresetB2b", { enumerable: true, get: function () { return b2b_1.PresetB2b; } });
+const b2b_storage_1 = require("./b2b-storage");
+Object.defineProperty(exports, "PresetB2bStorage", { enumerable: true, get: function () { return b2b_storage_1.PresetB2bStorage; } });
 const full_1 = require("./full");
 Object.defineProperty(exports, "PresetFull", { enumerable: true, get: function () { return full_1.PresetFull; } });
 const minimal_1 = require("./minimal");
@@ -30,6 +32,7 @@ exports.allModulePresets = [
     auth_passkey_1.PresetAuthPasskey,
     auth_hardened_1.PresetAuthHardened,
     b2b_1.PresetB2b,
+    b2b_storage_1.PresetB2bStorage,
     full_1.PresetFull
 ];
 /** Look up a preset by name. Returns undefined if the name isn't known. */

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "node-type-registry",
-  "version": "0.29.0",
+  "version": "0.30.0",
   "description": "Node type definitions for the Constructive blueprint system. Single source of truth for all Authz*, Data*, Relation*, and View* node types.",
   "author": "Constructive <developers@constructive.io>",
   "main": "index.js",
@@ -47,5 +47,5 @@
     "registry",
     "graphile"
   ],
-  "gitHead": "44e6712bd8a37e2089418a69d801d67651c89350"
+  "gitHead": "90016935b53d6fb84e0b83879377f0c2eb9abce6"
 }