node-type-registry 0.37.0 → 0.39.0

package/esm/module-presets/auth-email-magic.js

@@ -38,8 +38,8 @@ export const PresetAuthEmailMagic = {
         'levels_module:app',
         'memberships_module:app',
         'sessions_module',
-        'secrets_module',
-        'encrypted_secrets_module',
+        'user_state_module',
+        'config_secrets_user_module',
         'emails_module',
         'rls_module',
         'user_auth_module',

package/esm/module-presets/auth-email.js

@@ -23,7 +23,7 @@ export const PresetAuthEmail = {
     summary: 'Standard email/password auth flow with app-level permissions. No orgs, no SSO, no MFA.',
     description: 'Installs `user_auth_module` with exactly the table dependencies its insert trigger ' +
         'hard-requires: users, app-scoped memberships (plus their permissions/limits/levels ' +
-        'dependencies), emails, secrets, encrypted secrets, sessions, plus RLS. You get the ' +
+        'dependencies), emails, user state, user secrets, sessions, plus RLS. You get the ' +
         'standard password-based auth procedures (sign_up, sign_in, reset_password, ' +
         "verify_email, delete_account, ...) and that's it. Everything else in the module " +
         'catalog — SSO, passkeys, SMS, rate limits, orgs, invites — is deliberately omitted. ' +
@@ -49,8 +49,8 @@ export const PresetAuthEmail = {
         'levels_module:app',
         'memberships_module:app',
         'sessions_module',
-        'secrets_module',
-        'encrypted_secrets_module',
+        'user_state_module',
+        'config_secrets_user_module',
         'emails_module',
         'rls_module',
         'user_auth_module'
@@ -62,8 +62,8 @@ export const PresetAuthEmail = {
         'limits_module:app': 'Required by `memberships_module:app`: NOT NULL FK to caps table.',
         'levels_module:app': 'Required by `memberships_module:app`: NOT NULL FK to levels table.',
         emails_module: 'Required by the `user_auth_module` insert trigger (`RAISE EXCEPTION REQUIRES emails_module`).',
-        encrypted_secrets_module: 'Required for password hashing; referenced by `set_password`, `verify_password`, and reset flows.',
-        secrets_module: 'API-key storage (`create_api_key`, `revoke_api_key`, `my_api_keys`).'
+        config_secrets_user_module: 'Required for password hashing; referenced by `set_password`, `verify_password`, and reset flows.',
+        user_state_module: 'API-key storage (`create_api_key`, `revoke_api_key`, `my_api_keys`).'
     },
     omits_notes: {
         rate_limits_module: 'Omitted intentionally; throttle_* helpers are null-safe and the auth procs compile without it. Add later via `auth:hardened`.',

package/esm/module-presets/auth-hardened.js

@@ -35,8 +35,8 @@ export const PresetAuthHardened = {
         'levels_module:app',
         'memberships_module:app',
         'sessions_module',
-        'secrets_module',
-        'encrypted_secrets_module',
+        'user_state_module',
+        'config_secrets_user_module',
         'emails_module',
         'rls_module',
         'user_auth_module',

package/esm/module-presets/auth-passkey.js

@@ -36,8 +36,8 @@ export const PresetAuthPasskey = {
         'levels_module:app',
         'memberships_module:app',
         'sessions_module',
-        'secrets_module',
-        'encrypted_secrets_module',
+        'user_state_module',
+        'config_secrets_user_module',
         'emails_module',
         'rls_module',
         'user_auth_module',

package/esm/module-presets/auth-sso.d.ts

@@ -6,7 +6,7 @@ import type { ModulePreset } from './types';
  * `(provider, external_id)`) and `identity_providers_module` (the provider
  * config: URLs, client_id, encrypted client_secret, scopes, PKCE/nonce
  * knobs). The generator then emits `sign_in_identity` / `sign_up_identity`
- * procedures which rely on `encrypted_secrets_module` to decrypt the client
+ * procedures which rely on `config_secrets_user_module` to decrypt the client
  * secret at auth time.
  *
  * Password fallback stays on by default (break-glass for admins); flip the

package/esm/module-presets/auth-sso.js

@@ -5,7 +5,7 @@
  * `(provider, external_id)`) and `identity_providers_module` (the provider
  * config: URLs, client_id, encrypted client_secret, scopes, PKCE/nonce
  * knobs). The generator then emits `sign_in_identity` / `sign_up_identity`
- * procedures which rely on `encrypted_secrets_module` to decrypt the client
+ * procedures which rely on `config_secrets_user_module` to decrypt the client
  * secret at auth time.
  *
  * Password fallback stays on by default (break-glass for admins); flip the
@@ -26,7 +26,7 @@ export const PresetAuthSso = {
         'encrypted client secrets) and `connected_accounts_module` (the junction mapping a ' +
         'Constructive user to a `(provider, external_id)` pair). The generator emits ' +
         '`sign_in_identity` and `sign_up_identity` procedures which decrypt the client secret ' +
-        'through `encrypted_secrets_module` at auth time. Keep password flows as break-glass, or ' +
+        'through `config_secrets_user_module` at auth time. Keep password flows as break-glass, or ' +
         'disable them via `app_settings_auth` toggles for strictly-SSO deployments.',
     good_for: [
         'B2B apps where end users sign in via their employer IdP',
@@ -45,8 +45,8 @@ export const PresetAuthSso = {
         'levels_module:app',
         'memberships_module:app',
         'sessions_module',
-        'secrets_module',
-        'encrypted_secrets_module',
+        'user_state_module',
+        'config_secrets_user_module',
         'emails_module',
         'rls_module',
         'user_auth_module',
@@ -56,7 +56,7 @@ export const PresetAuthSso = {
     includes_notes: {
         connected_accounts_module: 'Junction table for (user, provider, external_id). Without it, `sign_in_identity` does not compile.',
         identity_providers_module: 'Provider config table (URLs, client_id, encrypted client_secret, scopes, PKCE knobs).',
-        encrypted_secrets_module: 'Required by `auth:email` already; also used by SSO to decrypt the provider client_secret at auth time.'
+        config_secrets_user_module: 'Required by `auth:email` already; also used by SSO to decrypt the provider client_secret at auth time.'
     },
     omits_notes: {
         webauthn_credentials_module: 'No passkeys — add `auth:passkey` or move to `auth:hardened`.',

package/esm/module-presets/b2b-storage.js

@@ -17,9 +17,9 @@ export const PresetB2bStorage = {
         'hierarchy), plus `storage_module` for file uploads. The storage module creates ' +
         '`app_buckets` and `app_files` tables with full RLS: AuthzPublishable for public reads, ' +
         'AuthzAppMembership for member access, AuthzDirectOwner for uploader-only modify/delete. ' +
-        'Entity-type provisioning with `has_storage=true` adds per-scope storage tables ' +
-        'automatically. Choose this when your B2B app needs file uploads, avatars, attachments, ' +
-        'or any object storage tied to workspaces.',
+        'Entity-type provisioning with a non-empty `storage` array adds per-scope storage tables ' +
+        'automatically (multiple modules per entity via storage_key). Choose this when your B2B ' +
+        'app needs file uploads, avatars, attachments, or any object storage tied to workspaces.',
     good_for: [
         'B2B SaaS with file uploads (documents, avatars, attachments)',
         'Apps where storage is scoped to orgs/workspaces',
@@ -41,8 +41,8 @@ export const PresetB2bStorage = {
         'memberships_module:app',
         'memberships_module:org',
         'sessions_module',
-        'secrets_module',
-        'encrypted_secrets_module',
+        'user_state_module',
+        'config_secrets_user_module',
         'emails_module',
         'rls_module',
         'user_auth_module',
@@ -62,7 +62,7 @@ export const PresetB2bStorage = {
         'devices_module'
     ],
     includes_notes: {
-        storage_module: 'File upload infrastructure: app_buckets + app_files tables with RLS. Entity-type storage scopes layered on top via `has_storage=true`.',
+        storage_module: 'File upload infrastructure: app_buckets + app_files tables with RLS. Entity-type storage scopes layered on top via the `storage` array (array-only format, supports multiple modules per entity via storage_key).',
         devices_module: 'Device tracking and trusted-device MFA bypass.'
     },
     omits_notes: {

package/esm/module-presets/b2b.js

@@ -37,8 +37,8 @@ export const PresetB2b = {
         'memberships_module:app',
         'memberships_module:org',
         'sessions_module',
-        'secrets_module',
-        'encrypted_secrets_module',
+        'user_state_module',
+        'config_secrets_user_module',
         'emails_module',
         'rls_module',
         'user_auth_module',

package/esm/module-presets/minimal.d.ts

@@ -5,7 +5,7 @@ import type { ModulePreset } from './types';
  *
  * This is the barest foundation: a `users` table, a `sessions` table so
  * something upstream can mint tokens, `rls_module` so row-level security
- * is enforceable, and `secrets_module` so you can issue API keys. Nothing
+ * is enforceable, and `user_state_module` so you can issue API keys. Nothing
  * else.
  *
  * You still write your own identity bridge on top (or rely on a header-based

package/esm/module-presets/minimal.js

@@ -4,7 +4,7 @@
  *
  * This is the barest foundation: a `users` table, a `sessions` table so
  * something upstream can mint tokens, `rls_module` so row-level security
- * is enforceable, and `secrets_module` so you can issue API keys. Nothing
+ * is enforceable, and `user_state_module` so you can issue API keys. Nothing
  * else.
  *
  * You still write your own identity bridge on top (or rely on a header-based
@@ -32,13 +32,13 @@ export const PresetMinimal = {
         'users_module',
         'sessions_module',
         'rls_module',
-        'secrets_module'
+        'user_state_module'
     ],
     includes_notes: {
         users_module: 'The canonical users table. Required by every preset.',
         sessions_module: 'Session/token storage; needed so whatever upstream auth can mint a session row.',
         rls_module: 'RLS policy infrastructure. Without it, row-level security is not enforced.',
-        secrets_module: 'API-key storage. Optional for this preset but almost always wanted alongside upstream auth.'
+        user_state_module: 'API-key storage. Optional for this preset but almost always wanted alongside upstream auth.'
     },
     omits_notes: {
         user_auth_module: 'No server-side sign_up/sign_in procedures in this preset.',

package/esm/{data/data-chunks.js → process/chunks.js}

@@ -90,9 +90,8 @@ export const ProcessChunks = {
                 type: 'array',
                 items: { type: 'string', enum: ['fulltext', 'bm25', 'trigram'] },
                 description: 'Text search indexes to create on the chunks content column. ' +
-                    'Enables keyword-based retrieval alongside vector search for ' +
-                    'hybrid RAG workflows.',
-                default: ['fulltext']
+                    'Omit to mirror the parent table\'s text search indexes. ' +
+                    'Set explicitly to override (e.g. ["fulltext", "bm25"]).'
             },
             // ── Job trigger ────────────────────────────────────────────────
             enqueue_chunking_job: {

package/esm/{data/data-file-embedding.js → process/file-embedding.js}

@@ -156,8 +156,8 @@ export const ProcessFileEmbedding = {
                         type: 'array',
                         items: { type: 'string', enum: ['fulltext', 'bm25', 'trigram'] },
                         description: 'Text search indexes to create on the chunks content column. ' +
-                            'Enables keyword-based retrieval alongside vector search.',
-                        default: ['fulltext']
+                            'Omit to mirror the parent table\'s text search indexes. ' +
+                            'Set explicitly to override.'
                     },
                     enqueue_chunking_job: {
                         type: 'boolean',

package/esm/process/index.d.ts

@@ -0,0 +1,5 @@
+export { ProcessChunks } from './chunks';
+export { ProcessExtraction } from './extraction';
+export { ProcessFileEmbedding } from './file-embedding';
+export { ProcessImageEmbedding } from './image-embedding';
+export { ProcessImageVersions } from './image-versions';

package/esm/process/index.js

@@ -0,0 +1,5 @@
+export { ProcessChunks } from './chunks';
+export { ProcessExtraction } from './extraction';
+export { ProcessFileEmbedding } from './file-embedding';
+export { ProcessImageEmbedding } from './image-embedding';
+export { ProcessImageVersions } from './image-versions';

package/event/index.d.ts

@@ -0,0 +1,2 @@
+export { EventReferral } from './referral';
+export { EventTracker } from './tracker';

package/event/index.js

@@ -0,0 +1,7 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EventTracker = exports.EventReferral = void 0;
+var referral_1 = require("./referral");
+Object.defineProperty(exports, "EventReferral", { enumerable: true, get: function () { return referral_1.EventReferral; } });
+var tracker_1 = require("./tracker");
+Object.defineProperty(exports, "EventTracker", { enumerable: true, get: function () { return tracker_1.EventTracker; } });

package/event/referral.d.ts

@@ -0,0 +1,2 @@
+import type { NodeTypeDefinition } from '../types';
+export declare const EventReferral: NodeTypeDefinition;

package/event/referral.js

@@ -0,0 +1,65 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EventReferral = void 0;
+const conditions_1 = require("../conditions");
+exports.EventReferral = {
+    name: 'EventReferral',
+    slug: 'event_referral',
+    category: 'event',
+    display_name: 'Event Referral',
+    description: 'Creates triggers that record events for the referrer (inviter) when their ' +
+        'invitees perform actions on a watched table. Resolves the referrer automatically ' +
+        'via the invites module\'s claimed_invites table using the membership_type context. ' +
+        'Supports the same compound condition system as EventTracker. Use with achievements ' +
+        'to unlock levels and grant credits based on invitee activity.',
+    parameter_schema: {
+        type: 'object',
+        $defs: conditions_1.conditionDefs,
+        properties: {
+            event_name: {
+                type: 'string',
+                description: 'Event type name to record for the referrer (e.g., "invitee_uploaded_avatar", "invitee_completed_onboarding")'
+            },
+            events: {
+                type: 'array',
+                items: {
+                    type: 'string',
+                    enum: [
+                        'INSERT',
+                        'UPDATE',
+                        'DELETE'
+                    ]
+                },
+                description: 'DML events that trigger recording',
+                default: ['INSERT']
+            },
+            actor_field: {
+                type: 'string',
+                format: 'column-ref',
+                description: 'Column containing the invitee (actor) ID on the source table — used to look up the referrer via claimed_invites.receiver_id',
+                default: 'owner_id'
+            },
+            entity_field: {
+                type: 'string',
+                format: 'column-ref',
+                description: 'Column containing the entity ID (org/group) for entity-scoped referral events. Omit for user-only events.'
+            },
+            auto_register_type: {
+                type: 'boolean',
+                description: 'Automatically register the event_name in event_types during provisioning',
+                default: true
+            },
+            ...conditions_1.conditionProperties
+        },
+        required: [
+            'event_name'
+        ]
+    },
+    tags: [
+        'events',
+        'referral',
+        'invites',
+        'analytics',
+        'tracking'
+    ]
+};

package/index.d.ts

@@ -2,7 +2,11 @@ export * from './authz';
 export * from './blueprint-types.generated';
 export * from './conditions';
 export * from './data';
+export * from './event';
+export * from './job';
+export * from './limit';
 export * from './module-presets';
+export * from './process';
 export * from './relation';
 export type { JSONSchema, NodeTypeDefinition } from './types';
 export * from './view';

package/index.js

@@ -41,16 +41,28 @@ __exportStar(require("./authz"), exports);
 __exportStar(require("./blueprint-types.generated"), exports);
 __exportStar(require("./conditions"), exports);
 __exportStar(require("./data"), exports);
+__exportStar(require("./event"), exports);
+__exportStar(require("./job"), exports);
+__exportStar(require("./limit"), exports);
 __exportStar(require("./module-presets"), exports);
+__exportStar(require("./process"), exports);
 __exportStar(require("./relation"), exports);
 __exportStar(require("./view"), exports);
 const authz = __importStar(require("./authz"));
 const data = __importStar(require("./data"));
+const event = __importStar(require("./event"));
+const job = __importStar(require("./job"));
+const limit = __importStar(require("./limit"));
+const process = __importStar(require("./process"));
 const relation = __importStar(require("./relation"));
 const view = __importStar(require("./view"));
 exports.allNodeTypes = [
     ...Object.values(authz),
     ...Object.values(data),
+    ...Object.values(event),
+    ...Object.values(job),
+    ...Object.values(limit),
+    ...Object.values(process),
     ...Object.values(relation),
     ...Object.values(view)
 ];

package/job/index.d.ts

@@ -0,0 +1 @@
+export { JobTrigger } from './trigger';

package/job/index.js

@@ -0,0 +1,5 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.JobTrigger = void 0;
+var trigger_1 = require("./trigger");
+Object.defineProperty(exports, "JobTrigger", { enumerable: true, get: function () { return trigger_1.JobTrigger; } });

package/limit/index.d.ts

@@ -0,0 +1,8 @@
+export { LimitEnforceAggregate } from './enforce-aggregate';
+export { LimitEnforceCounter } from './enforce-counter';
+export { LimitEnforceFeature } from './enforce-feature';
+export { LimitEnforceRate } from './enforce-rate';
+export { LimitTrackUsage } from './track-usage';
+export { LimitWarningAggregate } from './warning-aggregate';
+export { LimitWarningCounter } from './warning-counter';
+export { LimitWarningRate } from './warning-rate';

package/limit/index.js

@@ -0,0 +1,19 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.LimitWarningRate = exports.LimitWarningCounter = exports.LimitWarningAggregate = exports.LimitTrackUsage = exports.LimitEnforceRate = exports.LimitEnforceFeature = exports.LimitEnforceCounter = exports.LimitEnforceAggregate = void 0;
+var enforce_aggregate_1 = require("./enforce-aggregate");
+Object.defineProperty(exports, "LimitEnforceAggregate", { enumerable: true, get: function () { return enforce_aggregate_1.LimitEnforceAggregate; } });
+var enforce_counter_1 = require("./enforce-counter");
+Object.defineProperty(exports, "LimitEnforceCounter", { enumerable: true, get: function () { return enforce_counter_1.LimitEnforceCounter; } });
+var enforce_feature_1 = require("./enforce-feature");
+Object.defineProperty(exports, "LimitEnforceFeature", { enumerable: true, get: function () { return enforce_feature_1.LimitEnforceFeature; } });
+var enforce_rate_1 = require("./enforce-rate");
+Object.defineProperty(exports, "LimitEnforceRate", { enumerable: true, get: function () { return enforce_rate_1.LimitEnforceRate; } });
+var track_usage_1 = require("./track-usage");
+Object.defineProperty(exports, "LimitTrackUsage", { enumerable: true, get: function () { return track_usage_1.LimitTrackUsage; } });
+var warning_aggregate_1 = require("./warning-aggregate");
+Object.defineProperty(exports, "LimitWarningAggregate", { enumerable: true, get: function () { return warning_aggregate_1.LimitWarningAggregate; } });
+var warning_counter_1 = require("./warning-counter");
+Object.defineProperty(exports, "LimitWarningCounter", { enumerable: true, get: function () { return warning_counter_1.LimitWarningCounter; } });
+var warning_rate_1 = require("./warning-rate");
+Object.defineProperty(exports, "LimitWarningRate", { enumerable: true, get: function () { return warning_rate_1.LimitWarningRate; } });

package/module-presets/auth-email-magic.js

@@ -41,8 +41,8 @@ exports.PresetAuthEmailMagic = {
         'levels_module:app',
         'memberships_module:app',
         'sessions_module',
-        'secrets_module',
-        'encrypted_secrets_module',
+        'user_state_module',
+        'config_secrets_user_module',
         'emails_module',
         'rls_module',
         'user_auth_module',

package/module-presets/auth-email.js

@@ -26,7 +26,7 @@ exports.PresetAuthEmail = {
     summary: 'Standard email/password auth flow with app-level permissions. No orgs, no SSO, no MFA.',
     description: 'Installs `user_auth_module` with exactly the table dependencies its insert trigger ' +
         'hard-requires: users, app-scoped memberships (plus their permissions/limits/levels ' +
-        'dependencies), emails, secrets, encrypted secrets, sessions, plus RLS. You get the ' +
+        'dependencies), emails, user state, user secrets, sessions, plus RLS. You get the ' +
         'standard password-based auth procedures (sign_up, sign_in, reset_password, ' +
         "verify_email, delete_account, ...) and that's it. Everything else in the module " +
         'catalog — SSO, passkeys, SMS, rate limits, orgs, invites — is deliberately omitted. ' +
@@ -52,8 +52,8 @@ exports.PresetAuthEmail = {
         'levels_module:app',
         'memberships_module:app',
         'sessions_module',
-        'secrets_module',
-        'encrypted_secrets_module',
+        'user_state_module',
+        'config_secrets_user_module',
         'emails_module',
         'rls_module',
         'user_auth_module'
@@ -65,8 +65,8 @@ exports.PresetAuthEmail = {
         'limits_module:app': 'Required by `memberships_module:app`: NOT NULL FK to caps table.',
         'levels_module:app': 'Required by `memberships_module:app`: NOT NULL FK to levels table.',
         emails_module: 'Required by the `user_auth_module` insert trigger (`RAISE EXCEPTION REQUIRES emails_module`).',
-        encrypted_secrets_module: 'Required for password hashing; referenced by `set_password`, `verify_password`, and reset flows.',
-        secrets_module: 'API-key storage (`create_api_key`, `revoke_api_key`, `my_api_keys`).'
+        config_secrets_user_module: 'Required for password hashing; referenced by `set_password`, `verify_password`, and reset flows.',
+        user_state_module: 'API-key storage (`create_api_key`, `revoke_api_key`, `my_api_keys`).'
     },
     omits_notes: {
         rate_limits_module: 'Omitted intentionally; throttle_* helpers are null-safe and the auth procs compile without it. Add later via `auth:hardened`.',

package/module-presets/auth-hardened.js

@@ -38,8 +38,8 @@ exports.PresetAuthHardened = {
         'levels_module:app',
         'memberships_module:app',
         'sessions_module',
-        'secrets_module',
-        'encrypted_secrets_module',
+        'user_state_module',
+        'config_secrets_user_module',
         'emails_module',
         'rls_module',
         'user_auth_module',

package/module-presets/auth-passkey.js

@@ -39,8 +39,8 @@ exports.PresetAuthPasskey = {
         'levels_module:app',
         'memberships_module:app',
         'sessions_module',
-        'secrets_module',
-        'encrypted_secrets_module',
+        'user_state_module',
+        'config_secrets_user_module',
         'emails_module',
         'rls_module',
         'user_auth_module',

package/module-presets/auth-sso.d.ts

@@ -6,7 +6,7 @@ import type { ModulePreset } from './types';
  * `(provider, external_id)`) and `identity_providers_module` (the provider
  * config: URLs, client_id, encrypted client_secret, scopes, PKCE/nonce
  * knobs). The generator then emits `sign_in_identity` / `sign_up_identity`
- * procedures which rely on `encrypted_secrets_module` to decrypt the client
+ * procedures which rely on `config_secrets_user_module` to decrypt the client
  * secret at auth time.
  *
  * Password fallback stays on by default (break-glass for admins); flip the

package/module-presets/auth-sso.js

@@ -8,7 +8,7 @@ exports.PresetAuthSso = void 0;
  * `(provider, external_id)`) and `identity_providers_module` (the provider
  * config: URLs, client_id, encrypted client_secret, scopes, PKCE/nonce
  * knobs). The generator then emits `sign_in_identity` / `sign_up_identity`
- * procedures which rely on `encrypted_secrets_module` to decrypt the client
+ * procedures which rely on `config_secrets_user_module` to decrypt the client
  * secret at auth time.
  *
  * Password fallback stays on by default (break-glass for admins); flip the
@@ -29,7 +29,7 @@ exports.PresetAuthSso = {
         'encrypted client secrets) and `connected_accounts_module` (the junction mapping a ' +
         'Constructive user to a `(provider, external_id)` pair). The generator emits ' +
         '`sign_in_identity` and `sign_up_identity` procedures which decrypt the client secret ' +
-        'through `encrypted_secrets_module` at auth time. Keep password flows as break-glass, or ' +
+        'through `config_secrets_user_module` at auth time. Keep password flows as break-glass, or ' +
         'disable them via `app_settings_auth` toggles for strictly-SSO deployments.',
     good_for: [
         'B2B apps where end users sign in via their employer IdP',
@@ -48,8 +48,8 @@ exports.PresetAuthSso = {
         'levels_module:app',
         'memberships_module:app',
         'sessions_module',
-        'secrets_module',
-        'encrypted_secrets_module',
+        'user_state_module',
+        'config_secrets_user_module',
         'emails_module',
         'rls_module',
         'user_auth_module',
@@ -59,7 +59,7 @@ exports.PresetAuthSso = {
     includes_notes: {
         connected_accounts_module: 'Junction table for (user, provider, external_id). Without it, `sign_in_identity` does not compile.',
         identity_providers_module: 'Provider config table (URLs, client_id, encrypted client_secret, scopes, PKCE knobs).',
-        encrypted_secrets_module: 'Required by `auth:email` already; also used by SSO to decrypt the provider client_secret at auth time.'
+        config_secrets_user_module: 'Required by `auth:email` already; also used by SSO to decrypt the provider client_secret at auth time.'
     },
     omits_notes: {
         webauthn_credentials_module: 'No passkeys — add `auth:passkey` or move to `auth:hardened`.',

package/module-presets/b2b-storage.js

@@ -20,9 +20,9 @@ exports.PresetB2bStorage = {
         'hierarchy), plus `storage_module` for file uploads. The storage module creates ' +
         '`app_buckets` and `app_files` tables with full RLS: AuthzPublishable for public reads, ' +
         'AuthzAppMembership for member access, AuthzDirectOwner for uploader-only modify/delete. ' +
-        'Entity-type provisioning with `has_storage=true` adds per-scope storage tables ' +
-        'automatically. Choose this when your B2B app needs file uploads, avatars, attachments, ' +
-        'or any object storage tied to workspaces.',
+        'Entity-type provisioning with a non-empty `storage` array adds per-scope storage tables ' +
+        'automatically (multiple modules per entity via storage_key). Choose this when your B2B ' +
+        'app needs file uploads, avatars, attachments, or any object storage tied to workspaces.',
     good_for: [
         'B2B SaaS with file uploads (documents, avatars, attachments)',
         'Apps where storage is scoped to orgs/workspaces',
@@ -44,8 +44,8 @@ exports.PresetB2bStorage = {
         'memberships_module:app',
         'memberships_module:org',
         'sessions_module',
-        'secrets_module',
-        'encrypted_secrets_module',
+        'user_state_module',
+        'config_secrets_user_module',
         'emails_module',
         'rls_module',
         'user_auth_module',
@@ -65,7 +65,7 @@ exports.PresetB2bStorage = {
         'devices_module'
     ],
     includes_notes: {
-        storage_module: 'File upload infrastructure: app_buckets + app_files tables with RLS. Entity-type storage scopes layered on top via `has_storage=true`.',
+        storage_module: 'File upload infrastructure: app_buckets + app_files tables with RLS. Entity-type storage scopes layered on top via the `storage` array (array-only format, supports multiple modules per entity via storage_key).',
         devices_module: 'Device tracking and trusted-device MFA bypass.'
     },
     omits_notes: {

package/module-presets/b2b.js

@@ -40,8 +40,8 @@ exports.PresetB2b = {
         'memberships_module:app',
         'memberships_module:org',
         'sessions_module',
-        'secrets_module',
-        'encrypted_secrets_module',
+        'user_state_module',
+        'config_secrets_user_module',
         'emails_module',
         'rls_module',
         'user_auth_module',

package/module-presets/minimal.d.ts

@@ -5,7 +5,7 @@ import type { ModulePreset } from './types';
  *
  * This is the barest foundation: a `users` table, a `sessions` table so
  * something upstream can mint tokens, `rls_module` so row-level security
- * is enforceable, and `secrets_module` so you can issue API keys. Nothing
+ * is enforceable, and `user_state_module` so you can issue API keys. Nothing
  * else.
  *
  * You still write your own identity bridge on top (or rely on a header-based

package/module-presets/minimal.js

@@ -7,7 +7,7 @@ exports.PresetMinimal = void 0;
  *
  * This is the barest foundation: a `users` table, a `sessions` table so
  * something upstream can mint tokens, `rls_module` so row-level security
- * is enforceable, and `secrets_module` so you can issue API keys. Nothing
+ * is enforceable, and `user_state_module` so you can issue API keys. Nothing
  * else.
  *
  * You still write your own identity bridge on top (or rely on a header-based
@@ -35,13 +35,13 @@ exports.PresetMinimal = {
         'users_module',
         'sessions_module',
         'rls_module',
-        'secrets_module'
+        'user_state_module'
     ],
     includes_notes: {
         users_module: 'The canonical users table. Required by every preset.',
         sessions_module: 'Session/token storage; needed so whatever upstream auth can mint a session row.',
         rls_module: 'RLS policy infrastructure. Without it, row-level security is not enforced.',
-        secrets_module: 'API-key storage. Optional for this preset but almost always wanted alongside upstream auth.'
+        user_state_module: 'API-key storage. Optional for this preset but almost always wanted alongside upstream auth.'
     },
     omits_notes: {
         user_auth_module: 'No server-side sign_up/sign_in procedures in this preset.',

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "node-type-registry",
-  "version": "0.37.0",
+  "version": "0.39.0",
   "description": "Node type definitions for the Constructive blueprint system. Single source of truth for all Authz*, Data*, Relation*, and View* node types.",
   "author": "Constructive <developers@constructive.io>",
   "main": "index.js",
@@ -47,5 +47,5 @@
     "registry",
     "graphile"
   ],
-  "gitHead": "62282a9e2b4a72a68c6c3c6a8729e3a0a42a54b2"
+  "gitHead": "7b7c25cb21fd0e97c2ab3c94b994b0ca89bd3247"
 }