node-type-registry 0.41.0 → 0.42.0

package/codegen/generate-types.js

@@ -496,7 +496,7 @@ function buildBlueprintTableUniqueConstraint() {
 /**
  * Build the BlueprintBucketSeed interface.
  *
- * Matches the bucket entries in storage_config.buckets[].
+ * Matches the bucket entries in storage.buckets[].
  */
 function buildBlueprintBucketSeed() {
     return addJSDoc(exportInterface('BlueprintBucketSeed', [
@@ -506,12 +506,12 @@ function buildBlueprintBucketSeed() {
         addJSDoc(optionalProp('allowed_mime_types', t.tsArrayType(t.tsStringKeyword())), 'MIME type allowlist (e.g., ["image/png", "image/jpeg"]). NULL means all types allowed.'),
         addJSDoc(optionalProp('max_file_size', t.tsNumberKeyword()), 'Maximum file size in bytes for this bucket. NULL means no limit.'),
         addJSDoc(optionalProp('allowed_origins', t.tsArrayType(t.tsStringKeyword())), 'CORS allowed origins for this bucket.')
-    ]), 'A bucket seed entry for storage_config.buckets[]. Creates an initial bucket row in the {prefix}_buckets table during entity type provisioning. Only used for app-level storage (not entity-scoped).');
+    ]), 'A bucket seed entry for storage.buckets[]. Creates an initial bucket row in the {prefix}_buckets table during entity type provisioning. Only used for app-level storage (not entity-scoped).');
 }
 /**
  * Build the BlueprintStorageConfig interface.
  *
- * Matches the jsonb shape accepted by storage_config on entity_type_provision.
+ * Matches the jsonb shape accepted by storage on entity_type_provision.
  */
 function buildBlueprintStorageConfig() {
     return addJSDoc(exportInterface('BlueprintStorageConfig', [
@@ -564,6 +564,108 @@ function buildBlueprintAchievement() {
         addJSDoc(optionalProp('entity_prefix', t.tsStringKeyword()), 'Entity prefix to scope this achievement to (e.g., "org", "app"). Used to resolve the correct events_module. Defaults to "app".')
     ]), 'An achievement entry for the blueprint achievements[] section. Creates a level with requirements and optional rewards in the events_module. Requires events_module to be provisioned (e.g., via entity_types[].has_levels = true or modules includes events_module).');
 }
+// ---------------------------------------------------------------------------
+// Module config types (namespace, function, agent, graph)
+// ---------------------------------------------------------------------------
+/**
+ * Build the BlueprintNamespaceConfig interface.
+ *
+ * Matches the jsonb shape accepted by namespaces on entity_type_provision
+ * and the top-level definition.namespaces[] array in construct_blueprint().
+ */
+function buildBlueprintNamespaceConfig() {
+    return addJSDoc(exportInterface('BlueprintNamespaceConfig', [
+        addJSDoc(optionalProp('scope', t.tsUnionType([
+            t.tsLiteralType(t.stringLiteral('app')),
+            t.tsLiteralType(t.stringLiteral('org'))
+        ])), 'Namespace scope. "app" (default) creates app-level namespaces (membership_type = NULL). "org" creates per-org namespaces. Only used at the top level of a blueprint definition — entity-scoped namespaces inherit scope from the entity type.'),
+        addJSDoc(optionalProp('key', t.tsStringKeyword()), 'Module discriminator for multi-module namespaces. Defaults to "default" (omitted from table names). Non-default keys appear as an infix: {prefix}_{key}_namespaces.'),
+        addJSDoc(optionalProp('policies', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintPolicy')))), 'RLS policy overrides for the namespaces table. NULL = apply defaults from apply_namespace_security().'),
+        addJSDoc(optionalProp('provisions', t.tsTypeLiteral([
+            optionalProp('namespaces', t.tsTypeReference(t.identifier('BlueprintEntityTableProvision'))),
+            optionalProp('namespace_events', t.tsTypeReference(t.identifier('BlueprintEntityTableProvision')))
+        ])), 'Per-table overrides for namespace tables. Each key targets a specific table (namespaces, namespace_events) and uses the same shape as table_provision: { nodes, fields, grants, use_rls, policies }. Fanned out to secure_table_provision.')
+    ]), 'Namespace module configuration. When used at the top level of a blueprint, the scope field controls whether namespaces are app-level ("app", default) or org-level ("org"). When used inside entity_types[], scope is inherited from the entity type. Provisions a namespaces table with computed-name proxy, rename trigger, and entity-scoped RLS.');
+}
+/**
+ * Build the BlueprintFunctionConfig interface.
+ *
+ * Matches the jsonb shape accepted by functions on entity_type_provision
+ * and the top-level definition.functions[] array in construct_blueprint().
+ */
+function buildBlueprintFunctionConfig() {
+    return addJSDoc(exportInterface('BlueprintFunctionConfig', [
+        addJSDoc(optionalProp('scope', t.tsUnionType([
+            t.tsLiteralType(t.stringLiteral('app')),
+            t.tsLiteralType(t.stringLiteral('org'))
+        ])), 'Function scope. "app" (default) creates app-level functions (membership_type = NULL). "org" creates per-org functions. Only used at the top level of a blueprint definition — entity-scoped functions inherit scope from the entity type.'),
+        addJSDoc(optionalProp('key', t.tsStringKeyword()), 'Module discriminator for multi-module functions. Defaults to "default" (omitted from table names). Non-default keys appear as an infix: {prefix}_{key}_function_definitions.'),
+        addJSDoc(optionalProp('policies', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintPolicy')))), 'RLS policy overrides for the function tables. NULL = apply defaults from apply_function_security().'),
+        addJSDoc(optionalProp('provisions', t.tsTypeLiteral([
+            optionalProp('definitions', t.tsTypeReference(t.identifier('BlueprintEntityTableProvision'))),
+            optionalProp('invocations', t.tsTypeReference(t.identifier('BlueprintEntityTableProvision'))),
+            optionalProp('execution_logs', t.tsTypeReference(t.identifier('BlueprintEntityTableProvision')))
+        ])), 'Per-table overrides for function tables. Each key targets a specific table (definitions, invocations, execution_logs) and uses the same shape as table_provision: { nodes, fields, grants, use_rls, policies }. Fanned out to secure_table_provision.')
+    ]), 'Function module configuration. When used at the top level of a blueprint, the scope field controls whether functions are app-level ("app", default) or org-level ("org"). When used inside entity_types[], scope is inherited from the entity type. Provisions function_definitions, function_invocations (partitioned, 12-month retention), and function_execution_logs tables.');
+}
+/**
+ * Build the BlueprintAgentConfig interface.
+ *
+ * Matches the jsonb shape accepted by agents on entity_type_provision
+ * and the top-level definition.agents[] array in construct_blueprint().
+ */
+function buildBlueprintAgentConfig() {
+    return addJSDoc(exportInterface('BlueprintAgentConfig', [
+        addJSDoc(optionalProp('scope', t.tsUnionType([
+            t.tsLiteralType(t.stringLiteral('app')),
+            t.tsLiteralType(t.stringLiteral('org'))
+        ])), 'Agent scope. "app" (default) creates app-level agent tables (membership_type = NULL). "org" creates per-org agent tables. Only used at the top level of a blueprint definition — entity-scoped agents inherit scope from the entity type.'),
+        addJSDoc(optionalProp('key', t.tsStringKeyword()), 'Module discriminator for multi-module agents. Defaults to "default" (omitted from table names). Non-default keys appear as an infix: {prefix}_{key}_agent_thread.'),
+        addJSDoc(optionalProp('api_name', t.tsStringKeyword()), 'API name for the agent module. Used in GraphQL naming. Defaults to "agent".'),
+        addJSDoc(optionalProp('has_knowledge', t.tsBooleanKeyword()), 'Whether to provision the agent_knowledge table with vector embeddings, tags, and trigger_phrases. Also inferred when a "knowledge" key is present. Defaults to false.'),
+        addJSDoc(optionalProp('knowledge', t.tsTypeLiteral([
+            optionalProp('has_chunks', t.tsBooleanKeyword()),
+            optionalProp('dimensions', t.tsNumberKeyword()),
+            optionalProp('chunk_size', t.tsNumberKeyword()),
+            optionalProp('chunk_overlap', t.tsNumberKeyword()),
+            optionalProp('chunk_strategy', t.tsUnionType([
+                t.tsLiteralType(t.stringLiteral('fixed')),
+                t.tsLiteralType(t.stringLiteral('sentence')),
+                t.tsLiteralType(t.stringLiteral('paragraph')),
+                t.tsLiteralType(t.stringLiteral('semantic'))
+            ])),
+            optionalProp('embedding_model', t.tsStringKeyword()),
+            optionalProp('embedding_provider', t.tsStringKeyword()),
+            optionalProp('search_indexes', t.tsArrayType(t.tsUnionType([
+                t.tsLiteralType(t.stringLiteral('fulltext')),
+                t.tsLiteralType(t.stringLiteral('bm25')),
+                t.tsLiteralType(t.stringLiteral('trigram'))
+            ])))
+        ])), 'Knowledge configuration overrides. Set has_chunks to false to disable the chunking pipeline. Controls vector dimensions, chunking strategy, embedding model/provider, and text search indexes for the agent_knowledge table. Presence implies has_knowledge = true.'),
+        addJSDoc(optionalProp('policies', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintPolicy')))), 'RLS policy overrides for the agent tables. NULL = apply defaults from apply_agent_security().'),
+        addJSDoc(optionalProp('provisions', t.tsTypeLiteral([
+            optionalProp('thread', t.tsTypeReference(t.identifier('BlueprintEntityTableProvision'))),
+            optionalProp('message', t.tsTypeReference(t.identifier('BlueprintEntityTableProvision'))),
+            optionalProp('task', t.tsTypeReference(t.identifier('BlueprintEntityTableProvision'))),
+            optionalProp('prompt', t.tsTypeReference(t.identifier('BlueprintEntityTableProvision'))),
+            optionalProp('knowledge', t.tsTypeReference(t.identifier('BlueprintEntityTableProvision')))
+        ])), 'Per-table overrides for agent tables. Each key targets a specific table (thread, message, task, prompt, knowledge) and uses the same shape as table_provision: { nodes, fields, grants, use_rls, policies }. Fanned out to secure_table_provision.')
+    ]), 'Agent module configuration. When used at the top level of a blueprint, the scope field controls whether agents are app-level ("app", default) or org-level ("org"). When used inside entity_types[], scope is inherited from the entity type. Provisions thread, message, task, prompt tables (and optionally knowledge with vector embeddings).');
+}
+/**
+ * Build the BlueprintGraphConfig interface.
+ *
+ * Matches the jsonb shape accepted by graphs on entity_type_provision.
+ * Graph module requires a merkle_store_module_id dependency, so
+ * entity_type_provision only registers permissions. The graph module itself
+ * must be provisioned separately with the merkle store dependency resolved.
+ */
+function buildBlueprintGraphConfig() {
+    return addJSDoc(exportInterface('BlueprintGraphConfig', [
+        addJSDoc(optionalProp('key', t.tsStringKeyword()), 'Module discriminator for multi-module graphs. Defaults to "default".'),
+        addJSDoc(optionalProp('policies', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintPolicy')))), 'RLS policy overrides for the graph tables. NULL = apply defaults from apply_graph_security().')
+    ]), 'Graph module configuration. Presence triggers permission registration (manage_graphs, execute_graphs). The graph module requires a merkle_store_module_id dependency, so entity_type_provision only registers permissions here — the graph module itself must be provisioned separately.');
+}
 function buildBlueprintEntityTableProvision() {
     return addJSDoc(exportInterface('BlueprintEntityTableProvision', [
         addJSDoc(optionalProp('use_rls', t.tsBooleanKeyword()), 'Whether to enable RLS on the entity table. Forwarded to secure_table_provision. Defaults to true.'),
@@ -591,7 +693,11 @@ function buildBlueprintEntityType() {
         addJSDoc(optionalProp('has_invite_achievements', t.tsBooleanKeyword()), "Whether to auto-attach an EventTracker to the claimed_invites table for invite-based achievements. Requires has_invites=true AND has_levels=true. When true, records 'invite_claimed' events credited to the sender (inviter) on each claimed invite. Defaults to false."),
         addJSDoc(optionalProp('skip_entity_policies', t.tsBooleanKeyword()), 'Escape hatch: when true AND table_provision is NULL, zero policies are provisioned on the entity table. Defaults to false.'),
         addJSDoc(optionalProp('table_provision', t.tsTypeReference(t.identifier('BlueprintEntityTableProvision'))), 'Override for the entity table. Shape mirrors BlueprintTable / secure_table_provision vocabulary. When supplied, its policies[] replaces the five default entity-table policies; is_visible becomes a no-op. When NULL (default), the five default policies are applied (gated by is_visible).'),
-        addJSDoc(optionalProp('storage', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintStorageConfig')))), 'Storage module configuration array. Each entry provisions a separate storage module with its own tables, RLS, and settings. When non-empty, has_storage is derived as true. Each entry may specify a storage_key for multi-module support (defaults to "default").')
+        addJSDoc(optionalProp('storage', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintStorageConfig')))), 'Storage module configuration array. Presence triggers provisioning (same inference model as namespaces, functions, agents). Each entry provisions a separate storage module with its own tables, RLS, and settings. Each entry may specify a storage_key for multi-module support (defaults to "default").'),
+        addJSDoc(optionalProp('namespaces', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintNamespaceConfig')))), 'Namespace module configuration array. Presence triggers provisioning. Each entry provisions a namespace_module with its own tables, computed-name proxy, and entity-scoped RLS. Registers manage_namespaces permission bit. "[{}]" = provision one default namespace module.'),
+        addJSDoc(optionalProp('functions', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintFunctionConfig')))), 'Function module configuration array. Presence triggers provisioning. Each entry provisions function_definitions, function_invocations (partitioned), and function_execution_logs tables. Registers manage_functions + invoke_functions permission bits. "[{}]" = provision one default function module.'),
+        addJSDoc(optionalProp('agents', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintAgentConfig')))), 'Agent module configuration array. Presence triggers provisioning. Each entry provisions thread, message, task, prompt tables (and optionally knowledge with vector embeddings). "[{}]" = provision one default agent module.'),
+        addJSDoc(optionalProp('graphs', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintGraphConfig')))), 'Graph module configuration array. Presence triggers permission registration (manage_graphs, execute_graphs). Graph module requires a merkle_store_module_id dependency, so entity_type_provision only registers permissions here. "[{}]" = register default graph permissions.')
     ]), 'An entity type entry for Phase 0 of construct_blueprint(). When name is provided, provisions a new entity type with its own entity table, membership modules, and security policies via entity_type_provision. When name is omitted and only prefix is given, extends an existing entity type (e.g., the built-in "org") with additional capabilities like storage — without creating a new entity type.');
 }
 function buildBlueprintTable() {
@@ -620,7 +726,10 @@ function buildBlueprintDefinition() {
         addJSDoc(optionalProp('unique_constraints', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintUniqueConstraint')))), 'Unique constraints on table columns.'),
         addJSDoc(optionalProp('entity_types', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintEntityType')))), 'Entity types to provision in Phase 0 (before tables). Each entry creates an entity table with membership modules and security.'),
         addJSDoc(optionalProp('storage', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintStorageConfig')))), 'Top-level storage configuration array. Each entry has an optional scope ("app" or "org"). App-scoped (default) creates storage_module with membership_type = NULL. Org-scoped creates per-org/user storage with owner_id and AFTER INSERT bucket seeding. When infra is installed, a private "functions" bucket is auto-injected into org-scoped entries. For child entity type storage, use entity_types[].storage instead.'),
-        addJSDoc(optionalProp('achievements', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintAchievement')))), 'Achievement definitions. Each entry creates a level with requirements and optional rewards in the events_module. Requires events_module to be provisioned (e.g., via entity_types[].has_levels = true or modules includes events_module).')
+        addJSDoc(optionalProp('achievements', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintAchievement')))), 'Achievement definitions. Each entry creates a level with requirements and optional rewards in the events_module. Requires events_module to be provisioned (e.g., via entity_types[].has_levels = true or modules includes events_module).'),
+        addJSDoc(optionalProp('namespaces', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintNamespaceConfig')))), 'Top-level namespace configuration array (Phase 0.6). Each entry has an optional scope ("app" or "org"). App-scoped (default) creates namespace_module with membership_type = NULL. Org-scoped creates per-org namespaces. For entity-scoped namespaces, use entity_types[].namespaces instead.'),
+        addJSDoc(optionalProp('functions', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintFunctionConfig')))), 'Top-level function configuration array (Phase 0.6). Each entry has an optional scope ("app" or "org"). App-scoped (default) creates function_module with membership_type = NULL. Org-scoped creates per-org functions. For entity-scoped functions, use entity_types[].functions instead.'),
+        addJSDoc(optionalProp('agents', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintAgentConfig')))), 'Top-level agent configuration array (Phase 0.6). Each entry has an optional scope ("app" or "org"). App-scoped (default) creates agent_module with membership_type = NULL. Org-scoped creates per-org agents. For entity-scoped agents, use entity_types[].agents instead.')
     ]), 'The complete blueprint definition -- the JSONB shape accepted by construct_blueprint().');
 }
 // ---------------------------------------------------------------------------
@@ -655,7 +764,7 @@ function buildProgram(meta) {
     statements.push(sectionComment('Shared recursive types'));
     statements.push(buildTriggerConditionInterface());
     // -- Parameter interfaces grouped by category --
-    const categoryOrder = ['billing', 'check', 'data', 'limit', 'search', 'job', 'process', 'authz', 'relation', 'view'];
+    const categoryOrder = ['billing', 'check', 'data', 'event', 'limit', 'limit_enforce', 'limit_track', 'limit_warning', 'search', 'job', 'process', 'authz', 'relation', 'view'];
     for (const cat of categoryOrder) {
         const nts = categories.get(cat);
         if (!nts || nts.length === 0)
@@ -682,6 +791,10 @@ function buildProgram(meta) {
     statements.push(buildBlueprintAchievementRequirement());
     statements.push(buildBlueprintAchievementReward());
     statements.push(buildBlueprintAchievement());
+    statements.push(buildBlueprintNamespaceConfig());
+    statements.push(buildBlueprintFunctionConfig());
+    statements.push(buildBlueprintAgentConfig());
+    statements.push(buildBlueprintGraphConfig());
     statements.push(buildBlueprintEntityTableProvision());
     statements.push(buildBlueprintEntityType());
     // -- Node types discriminated union --

package/data/data-member-owner.d.ts

@@ -0,0 +1,2 @@
+import type { NodeTypeDefinition } from '../types';
+export declare const DataMemberOwner: NodeTypeDefinition;

package/data/data-member-owner.js

@@ -0,0 +1,53 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DataMemberOwner = void 0;
+exports.DataMemberOwner = {
+    name: 'DataMemberOwner',
+    slug: 'data_member_owner',
+    category: 'data',
+    display_name: 'Member Owner',
+    description: 'Adds owner_id and entity_id columns with a compound AuthzMemberOwner policy. The actor must own the row (owner_id = current_user_id()) AND be a member of the entity (entity_id in SPRT). Use for private data within an entity scope — e.g., personal chat threads that belong to the company but only the author can see.',
+    parameter_schema: {
+        type: 'object',
+        properties: {
+            owner_field_name: {
+                type: 'string',
+                format: 'column-ref',
+                description: 'Column name for the owner reference',
+                default: 'owner_id'
+            },
+            entity_field_name: {
+                type: 'string',
+                format: 'column-ref',
+                description: 'Column name for the entity reference',
+                default: 'entity_id'
+            },
+            include_id: {
+                type: 'boolean',
+                description: 'If true, also adds a UUID primary key column with auto-generation',
+                default: true
+            },
+            include_user_fk: {
+                type: 'boolean',
+                description: 'If true, adds foreign key constraints from owner_id and entity_id to the users table',
+                default: true
+            },
+            create_index: {
+                type: 'boolean',
+                description: 'If true, creates B-tree indexes on the owner and entity columns',
+                default: true
+            },
+            membership_type: {
+                type: 'integer',
+                description: 'Membership type for SPRT resolution. Required for entity-scoped provisioning.',
+                default: null
+            }
+        }
+    },
+    tags: [
+        'ownership',
+        'membership',
+        'security',
+        'schema'
+    ]
+};

package/data/index.d.ts

@@ -12,6 +12,7 @@ export { DataImmutableFields } from './data-immutable-fields';
 export { DataInflection } from './data-inflection';
 export { DataInheritFromParent } from './data-inherit-from-parent';
 export { DataJsonb } from './data-jsonb';
+export { DataMemberOwner } from './data-member-owner';
 export { DataOwnedFields } from './data-owned-fields';
 export { DataOwnershipInEntity } from './data-ownership-in-entity';
 export { DataPeoplestamps } from './data-peoplestamps';

package/data/index.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.TableUserSettings = exports.TableUserProfiles = exports.TableOrganizationSettings = exports.SearchVector = exports.SearchUnified = exports.SearchTrgm = exports.SearchSpatialAggregate = exports.SearchSpatial = exports.SearchFullText = exports.SearchBm25 = exports.DataTimestamps = exports.DataTags = exports.DataStatusField = exports.DataSoftDelete = exports.DataSlug = exports.DataRealtime = exports.DataPublishable = exports.DataPeoplestamps = exports.DataOwnershipInEntity = exports.DataOwnedFields = exports.DataJsonb = exports.DataInheritFromParent = exports.DataInflection = exports.DataImmutableFields = exports.DataId = exports.DataForceCurrentUser = exports.DataEntityMembership = exports.DataDirectOwner = exports.DataCompositeField = exports.DataBulk = exports.CheckOneOf = exports.CheckNotEqual = exports.CheckLessThan = exports.CheckGreaterThan = void 0;
+exports.TableUserSettings = exports.TableUserProfiles = exports.TableOrganizationSettings = exports.SearchVector = exports.SearchUnified = exports.SearchTrgm = exports.SearchSpatialAggregate = exports.SearchSpatial = exports.SearchFullText = exports.SearchBm25 = exports.DataTimestamps = exports.DataTags = exports.DataStatusField = exports.DataSoftDelete = exports.DataSlug = exports.DataRealtime = exports.DataPublishable = exports.DataPeoplestamps = exports.DataOwnershipInEntity = exports.DataOwnedFields = exports.DataMemberOwner = exports.DataJsonb = exports.DataInheritFromParent = exports.DataInflection = exports.DataImmutableFields = exports.DataId = exports.DataForceCurrentUser = exports.DataEntityMembership = exports.DataDirectOwner = exports.DataCompositeField = exports.DataBulk = exports.CheckOneOf = exports.CheckNotEqual = exports.CheckLessThan = exports.CheckGreaterThan = void 0;
 var check_greater_than_1 = require("./check-greater-than");
 Object.defineProperty(exports, "CheckGreaterThan", { enumerable: true, get: function () { return check_greater_than_1.CheckGreaterThan; } });
 var check_less_than_1 = require("./check-less-than");
@@ -29,6 +29,8 @@ var data_inherit_from_parent_1 = require("./data-inherit-from-parent");
 Object.defineProperty(exports, "DataInheritFromParent", { enumerable: true, get: function () { return data_inherit_from_parent_1.DataInheritFromParent; } });
 var data_jsonb_1 = require("./data-jsonb");
 Object.defineProperty(exports, "DataJsonb", { enumerable: true, get: function () { return data_jsonb_1.DataJsonb; } });
+var data_member_owner_1 = require("./data-member-owner");
+Object.defineProperty(exports, "DataMemberOwner", { enumerable: true, get: function () { return data_member_owner_1.DataMemberOwner; } });
 var data_owned_fields_1 = require("./data-owned-fields");
 Object.defineProperty(exports, "DataOwnedFields", { enumerable: true, get: function () { return data_owned_fields_1.DataOwnedFields; } });
 var data_ownership_in_entity_1 = require("./data-ownership-in-entity");

package/esm/authz/authz-member-owner.d.ts

@@ -0,0 +1,2 @@
+import type { NodeTypeDefinition } from '../types';
+export declare const AuthzMemberOwner: NodeTypeDefinition;

package/esm/authz/authz-member-owner.js

@@ -0,0 +1,48 @@
+export const AuthzMemberOwner = {
+    name: 'AuthzMemberOwner',
+    slug: 'authz_member_owner',
+    category: 'authz',
+    display_name: 'Member Owner',
+    description: 'Compound policy: the row must be owned by the current user (owner_field = current_user_id) AND the current user must be a member of the entity referenced by entity_field. Combines direct ownership with entity membership — the actor can only access rows they own within entities they belong to.',
+    parameter_schema: {
+        type: 'object',
+        properties: {
+            owner_field: {
+                type: 'string',
+                format: 'column-ref',
+                description: 'Column name containing the owner user ID (e.g., owner_id)',
+                default: 'owner_id'
+            },
+            entity_field: {
+                type: 'string',
+                format: 'column-ref',
+                description: 'Column name referencing the entity (e.g., entity_id)',
+                default: 'entity_id'
+            },
+            sel_field: {
+                type: 'string',
+                description: 'SPRT column to select for the entity match',
+                default: 'entity_id'
+            },
+            membership_type: {
+                type: ['integer', 'string'],
+                description: 'Scope: 1=app, 2=org, 3+=dynamic entity types (or string name resolved via membership_types_module)'
+            },
+            entity_type: {
+                type: 'string',
+                description: "Entity type prefix (e.g. 'channel', 'department'). Resolved to membership_type integer via memberships_module lookup."
+            },
+            permission: {
+                type: 'string',
+                description: 'Single permission name to check (resolved to bitstring mask)'
+            },
+            permissions: {
+                type: 'array',
+                items: { type: 'string' },
+                description: 'Multiple permission names to check (ORed together into mask)'
+            }
+        },
+        required: ['owner_field', 'entity_field']
+    },
+    tags: ['ownership', 'membership', 'authz']
+};

package/esm/authz/index.d.ts

@@ -9,6 +9,7 @@ export { AuthzEntityMembership } from './authz-entity-membership';
 export { AuthzMemberList } from './authz-member-list';
 export { AuthzNotReadOnly } from './authz-not-read-only';
 export { AuthzOrgHierarchy } from './authz-org-hierarchy';
+export { AuthzMemberOwner } from './authz-member-owner';
 export { AuthzPeerOwnership } from './authz-peer-ownership';
 export { AuthzPublishable } from './authz-publishable';
 export { AuthzRelatedEntityMembership } from './authz-related-entity-membership';

package/esm/authz/index.js

@@ -9,6 +9,7 @@ export { AuthzEntityMembership } from './authz-entity-membership';
 export { AuthzMemberList } from './authz-member-list';
 export { AuthzNotReadOnly } from './authz-not-read-only';
 export { AuthzOrgHierarchy } from './authz-org-hierarchy';
+export { AuthzMemberOwner } from './authz-member-owner';
 export { AuthzPeerOwnership } from './authz-peer-ownership';
 export { AuthzPublishable } from './authz-publishable';
 export { AuthzRelatedEntityMembership } from './authz-related-entity-membership';