node-type-registry 0.44.0 → 0.47.0

package/esm/blueprint-types.generated.d.ts

@@ -106,6 +106,13 @@ export interface DataEntityMembershipParams {
 export interface DataForceCurrentUserParams {
     field_name?: string;
 }
+/** Creates a companion _translations table with lang_code + translatable fields. Copies SELECT policies and column-ref fields from the base table. Adds @i18n smart comment so the Graphile i18n plugin discovers it. Requires i18n_module to be provisioned for the database. */
+export interface DataI18nParams {
+    fields: string[];
+    table_suffix?: string;
+    lang_code_type?: 'citext' | 'text';
+    copy_mutation_policies?: boolean;
+}
 /** Adds a UUID primary key column with auto-generation default (uuidv7). This is the standard primary key pattern for all tables. */
 export interface DataIdParams {
     field_name?: string;
@@ -664,16 +671,6 @@ export interface AuthzCompositeParams {
 }
 /** Denies all access. Generates FALSE expression. */
 export type AuthzDenyAllParams = {};
-/** Path-scoped file sharing via ltree containment. Grants access when a path_shares row matches the current user, bucket, and an ancestor path with the required permission. */
-export interface AuthzFilePathParams {
-    shares_schema: string;
-    shares_table: string;
-    files_schema?: string;
-    files_table: string;
-    permission_field: string;
-    bucket_field?: string;
-    path_field?: string;
-}
 /** Direct equality comparison between a table column and the current user ID. Simplest authorization pattern with no subqueries. */
 export interface AuthzDirectOwnerParams {
     entity_field: string;
@@ -693,10 +690,30 @@ export interface AuthzEntityMembershipParams {
     is_admin?: boolean;
     is_owner?: boolean;
 }
+/** Path-scoped file sharing via ltree containment. Grants access when a path_shares row matches the current user, bucket, and an ancestor path with the required permission. */
+export interface AuthzFilePathParams {
+    shares_schema: string;
+    shares_table: string;
+    files_schema?: string;
+    files_table: string;
+    permission_field: string;
+    bucket_field?: string;
+    path_field?: string;
+}
 /** Check if current user is in an array column on the same row. */
 export interface AuthzMemberListParams {
     array_field: string;
 }
+/** Compound policy: the row must be owned by the current user (owner_field = current_user_id) AND the current user must be a member of the entity referenced by entity_field. Combines direct ownership with entity membership — the actor can only access rows they own within entities they belong to. */
+export interface AuthzMemberOwnerParams {
+    owner_field: string;
+    entity_field: string;
+    sel_field?: string;
+    membership_type?: number | string;
+    entity_type?: string;
+    permission?: string;
+    permissions?: string[];
+}
 /** Restrictive policy that blocks read-only members from mutations. Checks actor_id + is_read_only IS NOT TRUE on the SPRT. Designed to run as a restrictive counterpart after a permissive AuthzEntityMembership policy has already verified membership. */
 export interface AuthzNotReadOnlyParams {
     entity_field: string;
@@ -709,16 +726,6 @@ export interface AuthzOrgHierarchyParams {
     anchor_field: string;
     max_depth?: number;
 }
-/** Compound policy: the row must be owned by the current user (owner_field = current_user_id) AND the current user must be a member of the entity referenced by entity_field. Combines direct ownership with entity membership — the actor can only access rows they own within entities they belong to. */
-export interface AuthzMemberOwnerParams {
-    owner_field: string;
-    entity_field: string;
-    sel_field?: string;
-    membership_type?: number | string;
-    entity_type?: string;
-    permission?: string;
-    permissions?: string[];
-}
 /** Peer visibility through shared entity membership. Authorizes access to user-owned rows when the owner and current user are both members of the same entity. Self-joins the SPRT table to find peers. */
 export interface AuthzPeerOwnershipParams {
     owner_field: string;
@@ -905,7 +912,7 @@ export interface BlueprintField {
 /** An RLS policy entry for a blueprint table. Uses $type to match the blueprint JSON convention. */
 export interface BlueprintPolicy {
     /** Authz* policy type name (e.g., "AuthzDirectOwner", "AuthzAllowAll"). */
-    $type: 'AuthzAllowAll' | 'AuthzAppMembership' | 'AuthzComposite' | 'AuthzDenyAll' | 'AuthzFilePath' | 'AuthzDirectOwner' | 'AuthzDirectOwnerAny' | 'AuthzEntityMembership' | 'AuthzMemberList' | 'AuthzNotReadOnly' | 'AuthzOrgHierarchy' | 'AuthzMemberOwner' | 'AuthzPeerOwnership' | 'AuthzPublishable' | 'AuthzRelatedEntityMembership' | 'AuthzRelatedMemberList' | 'AuthzRelatedPeerOwnership' | 'AuthzTemporal';
+    $type: 'AuthzAllowAll' | 'AuthzAppMembership' | 'AuthzComposite' | 'AuthzDenyAll' | 'AuthzDirectOwner' | 'AuthzDirectOwnerAny' | 'AuthzEntityMembership' | 'AuthzFilePath' | 'AuthzMemberList' | 'AuthzMemberOwner' | 'AuthzNotReadOnly' | 'AuthzOrgHierarchy' | 'AuthzPeerOwnership' | 'AuthzPublishable' | 'AuthzRelatedEntityMembership' | 'AuthzRelatedMemberList' | 'AuthzRelatedPeerOwnership' | 'AuthzTemporal';
     /** Privileges this policy applies to (e.g., ["select"], ["insert", "update", "delete"]). */
     privileges?: string[];
     /** Whether this policy is permissive (true) or restrictive (false). Defaults to true. */
@@ -1023,6 +1030,8 @@ export interface BlueprintStorageConfig {
     scope?: 'app' | 'org';
     /** Discriminator for multi-module storage. Defaults to "default" (omitted from table names). Non-default keys appear as an infix: {prefix}_{storage_key}_buckets. Max 16 chars, lowercase snake_case. */
     storage_key?: string;
+    /** Override the table-name prefix. By default the prefix is derived from the scope (e.g. "org"). Set to an empty string to produce unprefixed table names (e.g. "buckets" instead of "org_buckets"). */
+    prefix?: string;
     /** Initial bucket seed entries. Each creates a row in {prefix}_buckets during provisioning. */
     buckets?: BlueprintBucketSeed[];
     /** Override for presigned upload URL expiry time in seconds. */
@@ -1084,6 +1093,8 @@ export interface BlueprintNamespaceConfig {
     scope?: 'app' | 'org';
     /** Module discriminator for multi-module namespaces. Defaults to "default" (omitted from table names). Non-default keys appear as an infix: {prefix}_{key}_namespaces. */
     key?: string;
+    /** Override the table-name prefix. By default the prefix is derived from the scope (e.g. "org"). Set to an empty string to produce unprefixed table names (e.g. "namespaces" instead of "org_namespaces"). */
+    prefix?: string;
     /** RLS policy overrides for the namespaces table. NULL = apply defaults from apply_namespace_security(). */
     policies?: BlueprintPolicy[];
     /** Per-table overrides for namespace tables. Each key targets a specific table (namespaces, namespace_events) and uses the same shape as table_provision: { nodes, fields, grants, use_rls, policies }. Fanned out to secure_table_provision. */
@@ -1098,6 +1109,8 @@ export interface BlueprintFunctionConfig {
     scope?: 'app' | 'org';
     /** Module discriminator for multi-module functions. Defaults to "default" (omitted from table names). Non-default keys appear as an infix: {prefix}_{key}_function_definitions. */
     key?: string;
+    /** Override the table-name prefix. By default the prefix is derived from the scope (e.g. "org"). Set to an empty string to produce unprefixed table names (e.g. "function_definitions" instead of "org_function_definitions"). */
+    prefix?: string;
     /** RLS policy overrides for the function tables. NULL = apply defaults from apply_function_security(). */
     policies?: BlueprintPolicy[];
     /** Per-table overrides for function tables. Each key targets a specific table (definitions, invocations, execution_logs) and uses the same shape as table_provision: { nodes, fields, grants, use_rls, policies }. Fanned out to secure_table_provision. */
@@ -1107,18 +1120,24 @@ export interface BlueprintFunctionConfig {
         execution_logs?: BlueprintEntityTableProvision;
     };
 }
-/** Agent module configuration. When used at the top level of a blueprint, the scope field controls whether agents are app-level ("app", default) or org-level ("org"). When used inside entity_types[], scope is inherited from the entity type. Provisions thread, message, task, prompt tables (and optionally knowledge with vector embeddings). */
+/** Agent module configuration. When used at the top level of a blueprint, the scope field controls whether agents are app-level ("app", default) or org-level ("org"). When used inside entity_types[], scope is inherited from the entity type. Provisions thread, message, task, prompt tables. Opt-in: has_plans (plan + approval workflow), has_resources (unified skills/knowledge with chunking), has_agents (agent registry + personas, implies has_resources). */
 export interface BlueprintAgentConfig {
     /** Agent scope. "app" (default) creates app-level agent tables (membership_type = NULL). "org" creates per-org agent tables. Only used at the top level of a blueprint definition — entity-scoped agents inherit scope from the entity type. */
     scope?: 'app' | 'org';
     /** Module discriminator for multi-module agents. Defaults to "default" (omitted from table names). Non-default keys appear as an infix: {prefix}_{key}_agent_thread. */
     key?: string;
+    /** Override the table-name prefix. By default the prefix is derived from the scope (e.g. "org"). Set to an empty string to produce unprefixed table names (e.g. "agent_thread" instead of "org_agent_thread"). */
+    prefix?: string;
     /** API name for the agent module. Used in GraphQL naming. Defaults to "agent". */
     api_name?: string;
-    /** Whether to provision the agent_knowledge table with vector embeddings, tags, and trigger_phrases. Also inferred when a "knowledge" key is present. Defaults to false. */
-    has_knowledge?: boolean;
-    /** Knowledge configuration overrides. Set has_chunks to false to disable the chunking pipeline. Controls vector dimensions, chunking strategy, embedding model/provider, and text search indexes for the agent_knowledge table. Presence implies has_knowledge = true. */
-    knowledge?: {
+    /** Whether to provision the agent_plan table for workflow plans with ordered tasks and approval gates. When true, tasks belong to plans (plan_id NOT NULL) instead of directly to threads. Defaults to false. */
+    has_plans?: boolean;
+    /** Whether to provision the unified agent_resource table (kind: skill/knowledge/convention) with auto-chunking (ProcessChunks) and vector embeddings. Defaults to false. */
+    has_resources?: boolean;
+    /** Whether to provision agent + agent_persona tables for agent registry and templates. Implies has_resources. Defaults to false. */
+    has_agents?: boolean;
+    /** Resource configuration array. Controls vector dimensions, chunking strategy, embedding model/provider, and text search indexes for the agent_resource table. Set has_chunks to false to disable the ProcessChunks pipeline. Defaults: 768 dimensions, 1000 chunk_size, 200 chunk_overlap, paragraph strategy, ["tsvector"] search indexes. */
+    resources?: {
         has_chunks?: boolean;
         dimensions?: number;
         chunk_size?: number;
@@ -1126,17 +1145,20 @@ export interface BlueprintAgentConfig {
         chunk_strategy?: 'fixed' | 'sentence' | 'paragraph' | 'semantic';
         embedding_model?: string;
         embedding_provider?: string;
-        search_indexes?: ('fulltext' | 'bm25' | 'trigram')[];
-    };
+        search_indexes?: ('tsvector' | 'bm25' | 'trigram')[];
+    }[];
     /** RLS policy overrides for the agent tables. NULL = apply defaults from apply_agent_security(). */
     policies?: BlueprintPolicy[];
-    /** Per-table overrides for agent tables. Each key targets a specific table (thread, message, task, prompt, knowledge) and uses the same shape as table_provision: { nodes, fields, grants, use_rls, policies }. Fanned out to secure_table_provision. */
+    /** Per-table overrides for agent tables. Each key targets a specific table (thread, message, task, prompt, plan, resource, agent, persona) and uses the same shape as table_provision: { nodes, fields, grants, use_rls, policies }. Fanned out to secure_table_provision. */
     provisions?: {
         thread?: BlueprintEntityTableProvision;
         message?: BlueprintEntityTableProvision;
         task?: BlueprintEntityTableProvision;
         prompt?: BlueprintEntityTableProvision;
-        knowledge?: BlueprintEntityTableProvision;
+        plan?: BlueprintEntityTableProvision;
+        resource?: BlueprintEntityTableProvision;
+        agent?: BlueprintEntityTableProvision;
+        persona?: BlueprintEntityTableProvision;
     };
 }
 /** Graph module configuration. Presence triggers permission registration (manage_graphs, execute_graphs). The graph module requires a merkle_store_module_id dependency, so entity_type_provision only registers permissions here — the graph module itself must be provisioned separately. */
@@ -1202,7 +1224,7 @@ export interface BlueprintEntityType {
     graphs?: BlueprintGraphConfig[];
 }
 /** String shorthand -- just the node type name. */
-export type BlueprintNodeShorthand = 'AuthzAllowAll' | 'AuthzAppMembership' | 'AuthzComposite' | 'AuthzDenyAll' | 'AuthzFilePath' | 'AuthzDirectOwner' | 'AuthzDirectOwnerAny' | 'AuthzEntityMembership' | 'AuthzMemberList' | 'AuthzNotReadOnly' | 'AuthzOrgHierarchy' | 'AuthzMemberOwner' | 'AuthzPeerOwnership' | 'AuthzPublishable' | 'AuthzRelatedEntityMembership' | 'AuthzRelatedMemberList' | 'AuthzRelatedPeerOwnership' | 'AuthzTemporal' | 'CheckGreaterThan' | 'CheckLessThan' | 'CheckNotEqual' | 'CheckOneOf' | 'DataBulk' | 'DataCompositeField' | 'DataDirectOwner' | 'DataEntityMembership' | 'DataForceCurrentUser' | 'DataId' | 'DataImmutableFields' | 'DataInflection' | 'DataInheritFromParent' | 'DataJsonb' | 'DataMemberOwner' | 'DataOwnedFields' | 'DataOwnershipInEntity' | 'DataPeoplestamps' | 'DataPublishable' | 'DataRealtime' | 'DataSlug' | 'DataSoftDelete' | 'DataStatusField' | 'DataTags' | 'DataTimestamps' | 'SearchBm25' | 'SearchFullText' | 'SearchSpatial' | 'SearchSpatialAggregate' | 'SearchTrgm' | 'SearchUnified' | 'SearchVector' | 'TableOrganizationSettings' | 'TableUserProfiles' | 'TableUserSettings' | 'EventReferral' | 'EventTracker' | 'JobTrigger' | 'LimitEnforceAggregate' | 'LimitEnforceCounter' | 'LimitEnforceFeature' | 'LimitEnforceRate' | 'LimitTrackUsage' | 'LimitWarningAggregate' | 'LimitWarningCounter' | 'LimitWarningRate' | 'ProcessChunks' | 'ProcessExtraction' | 'ProcessFileEmbedding' | 'ProcessImageEmbedding' | 'ProcessImageVersions';
+export type BlueprintNodeShorthand = 'AuthzAllowAll' | 'AuthzAppMembership' | 'AuthzComposite' | 'AuthzDenyAll' | 'AuthzDirectOwner' | 'AuthzDirectOwnerAny' | 'AuthzEntityMembership' | 'AuthzFilePath' | 'AuthzMemberList' | 'AuthzMemberOwner' | 'AuthzNotReadOnly' | 'AuthzOrgHierarchy' | 'AuthzPeerOwnership' | 'AuthzPublishable' | 'AuthzRelatedEntityMembership' | 'AuthzRelatedMemberList' | 'AuthzRelatedPeerOwnership' | 'AuthzTemporal' | 'CheckGreaterThan' | 'CheckLessThan' | 'CheckNotEqual' | 'CheckOneOf' | 'DataBulk' | 'DataCompositeField' | 'DataDirectOwner' | 'DataEntityMembership' | 'DataForceCurrentUser' | 'DataI18n' | 'DataId' | 'DataImmutableFields' | 'DataInflection' | 'DataInheritFromParent' | 'DataJsonb' | 'DataMemberOwner' | 'DataOwnedFields' | 'DataOwnershipInEntity' | 'DataPeoplestamps' | 'DataPublishable' | 'DataRealtime' | 'DataSlug' | 'DataSoftDelete' | 'DataStatusField' | 'DataTags' | 'DataTimestamps' | 'SearchBm25' | 'SearchFullText' | 'SearchSpatial' | 'SearchSpatialAggregate' | 'SearchTrgm' | 'SearchUnified' | 'SearchVector' | 'TableOrganizationSettings' | 'TableUserProfiles' | 'TableUserSettings' | 'EventReferral' | 'EventTracker' | 'JobTrigger' | 'LimitEnforceAggregate' | 'LimitEnforceCounter' | 'LimitEnforceFeature' | 'LimitEnforceRate' | 'LimitTrackUsage' | 'LimitWarningAggregate' | 'LimitWarningCounter' | 'LimitWarningRate' | 'ProcessChunks' | 'ProcessExtraction' | 'ProcessFileEmbedding' | 'ProcessImageEmbedding' | 'ProcessImageVersions';
 /** Object form -- { $type, data } with typed parameters. */
 export type BlueprintNodeObject = {
     $type: 'AuthzAllowAll';
@@ -1216,9 +1238,6 @@ export type BlueprintNodeObject = {
 } | {
     $type: 'AuthzDenyAll';
     data?: Record<string, never>;
-} | {
-    $type: 'AuthzFilePath';
-    data: AuthzFilePathParams;
 } | {
     $type: 'AuthzDirectOwner';
     data: AuthzDirectOwnerParams;
@@ -1228,18 +1247,21 @@ export type BlueprintNodeObject = {
 } | {
     $type: 'AuthzEntityMembership';
     data: AuthzEntityMembershipParams;
+} | {
+    $type: 'AuthzFilePath';
+    data: AuthzFilePathParams;
 } | {
     $type: 'AuthzMemberList';
     data: AuthzMemberListParams;
+} | {
+    $type: 'AuthzMemberOwner';
+    data: AuthzMemberOwnerParams;
 } | {
     $type: 'AuthzNotReadOnly';
     data: AuthzNotReadOnlyParams;
 } | {
     $type: 'AuthzOrgHierarchy';
     data: AuthzOrgHierarchyParams;
-} | {
-    $type: 'AuthzMemberOwner';
-    data: AuthzMemberOwnerParams;
 } | {
     $type: 'AuthzPeerOwnership';
     data: AuthzPeerOwnershipParams;
@@ -1285,6 +1307,9 @@ export type BlueprintNodeObject = {
 } | {
     $type: 'DataForceCurrentUser';
     data: DataForceCurrentUserParams;
+} | {
+    $type: 'DataI18n';
+    data: DataI18nParams;
 } | {
     $type: 'DataId';
     data: DataIdParams;

package/esm/codegen/generate-types.js

@@ -537,6 +537,7 @@ function buildBlueprintStorageConfig() {
             t.tsLiteralType(t.stringLiteral('org'))
         ])), 'Storage scope. "app" (default) creates app-level storage (no owner_id). "org" creates per-org/user storage (owner_id = org entity id, buckets seeded per-entity via AFTER INSERT trigger). Only "app" and "org" are allowed — child entity types get storage via entity_types[].storage.'),
         addJSDoc(optionalProp('storage_key', t.tsStringKeyword()), 'Discriminator for multi-module storage. Defaults to "default" (omitted from table names). Non-default keys appear as an infix: {prefix}_{storage_key}_buckets. Max 16 chars, lowercase snake_case.'),
+        addJSDoc(optionalProp('prefix', t.tsStringKeyword()), 'Override the table-name prefix. By default the prefix is derived from the scope (e.g. "org"). Set to an empty string to produce unprefixed table names (e.g. "buckets" instead of "org_buckets").'),
         addJSDoc(optionalProp('buckets', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintBucketSeed')))), 'Initial bucket seed entries. Each creates a row in {prefix}_buckets during provisioning.'),
         addJSDoc(optionalProp('upload_url_expiry_seconds', t.tsNumberKeyword()), 'Override for presigned upload URL expiry time in seconds.'),
         addJSDoc(optionalProp('download_url_expiry_seconds', t.tsNumberKeyword()), 'Override for presigned download URL expiry time in seconds.'),
@@ -597,6 +598,7 @@ function buildBlueprintNamespaceConfig() {
             t.tsLiteralType(t.stringLiteral('org'))
         ])), 'Namespace scope. "app" (default) creates app-level namespaces (membership_type = NULL). "org" creates per-org namespaces. Only used at the top level of a blueprint definition — entity-scoped namespaces inherit scope from the entity type.'),
         addJSDoc(optionalProp('key', t.tsStringKeyword()), 'Module discriminator for multi-module namespaces. Defaults to "default" (omitted from table names). Non-default keys appear as an infix: {prefix}_{key}_namespaces.'),
+        addJSDoc(optionalProp('prefix', t.tsStringKeyword()), 'Override the table-name prefix. By default the prefix is derived from the scope (e.g. "org"). Set to an empty string to produce unprefixed table names (e.g. "namespaces" instead of "org_namespaces").'),
         addJSDoc(optionalProp('policies', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintPolicy')))), 'RLS policy overrides for the namespaces table. NULL = apply defaults from apply_namespace_security().'),
         addJSDoc(optionalProp('provisions', t.tsTypeLiteral([
             optionalProp('namespaces', t.tsTypeReference(t.identifier('BlueprintEntityTableProvision'))),
@@ -617,6 +619,7 @@ function buildBlueprintFunctionConfig() {
             t.tsLiteralType(t.stringLiteral('org'))
         ])), 'Function scope. "app" (default) creates app-level functions (membership_type = NULL). "org" creates per-org functions. Only used at the top level of a blueprint definition — entity-scoped functions inherit scope from the entity type.'),
         addJSDoc(optionalProp('key', t.tsStringKeyword()), 'Module discriminator for multi-module functions. Defaults to "default" (omitted from table names). Non-default keys appear as an infix: {prefix}_{key}_function_definitions.'),
+        addJSDoc(optionalProp('prefix', t.tsStringKeyword()), 'Override the table-name prefix. By default the prefix is derived from the scope (e.g. "org"). Set to an empty string to produce unprefixed table names (e.g. "function_definitions" instead of "org_function_definitions").'),
         addJSDoc(optionalProp('policies', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintPolicy')))), 'RLS policy overrides for the function tables. NULL = apply defaults from apply_function_security().'),
         addJSDoc(optionalProp('provisions', t.tsTypeLiteral([
             optionalProp('definitions', t.tsTypeReference(t.identifier('BlueprintEntityTableProvision'))),
@@ -638,9 +641,12 @@ function buildBlueprintAgentConfig() {
             t.tsLiteralType(t.stringLiteral('org'))
         ])), 'Agent scope. "app" (default) creates app-level agent tables (membership_type = NULL). "org" creates per-org agent tables. Only used at the top level of a blueprint definition — entity-scoped agents inherit scope from the entity type.'),
         addJSDoc(optionalProp('key', t.tsStringKeyword()), 'Module discriminator for multi-module agents. Defaults to "default" (omitted from table names). Non-default keys appear as an infix: {prefix}_{key}_agent_thread.'),
+        addJSDoc(optionalProp('prefix', t.tsStringKeyword()), 'Override the table-name prefix. By default the prefix is derived from the scope (e.g. "org"). Set to an empty string to produce unprefixed table names (e.g. "agent_thread" instead of "org_agent_thread").'),
         addJSDoc(optionalProp('api_name', t.tsStringKeyword()), 'API name for the agent module. Used in GraphQL naming. Defaults to "agent".'),
-        addJSDoc(optionalProp('has_knowledge', t.tsBooleanKeyword()), 'Whether to provision the agent_knowledge table with vector embeddings, tags, and trigger_phrases. Also inferred when a "knowledge" key is present. Defaults to false.'),
-        addJSDoc(optionalProp('knowledge', t.tsTypeLiteral([
+        addJSDoc(optionalProp('has_plans', t.tsBooleanKeyword()), 'Whether to provision the agent_plan table for workflow plans with ordered tasks and approval gates. When true, tasks belong to plans (plan_id NOT NULL) instead of directly to threads. Defaults to false.'),
+        addJSDoc(optionalProp('has_resources', t.tsBooleanKeyword()), 'Whether to provision the unified agent_resource table (kind: skill/knowledge/convention) with auto-chunking (ProcessChunks) and vector embeddings. Defaults to false.'),
+        addJSDoc(optionalProp('has_agents', t.tsBooleanKeyword()), 'Whether to provision agent + agent_persona tables for agent registry and templates. Implies has_resources. Defaults to false.'),
+        addJSDoc(optionalProp('resources', t.tsArrayType(t.tsTypeLiteral([
             optionalProp('has_chunks', t.tsBooleanKeyword()),
             optionalProp('dimensions', t.tsNumberKeyword()),
             optionalProp('chunk_size', t.tsNumberKeyword()),
@@ -654,20 +660,23 @@ function buildBlueprintAgentConfig() {
             optionalProp('embedding_model', t.tsStringKeyword()),
             optionalProp('embedding_provider', t.tsStringKeyword()),
             optionalProp('search_indexes', t.tsArrayType(t.tsUnionType([
-                t.tsLiteralType(t.stringLiteral('fulltext')),
+                t.tsLiteralType(t.stringLiteral('tsvector')),
                 t.tsLiteralType(t.stringLiteral('bm25')),
                 t.tsLiteralType(t.stringLiteral('trigram'))
             ])))
-        ])), 'Knowledge configuration overrides. Set has_chunks to false to disable the chunking pipeline. Controls vector dimensions, chunking strategy, embedding model/provider, and text search indexes for the agent_knowledge table. Presence implies has_knowledge = true.'),
+        ]))), 'Resource configuration array. Controls vector dimensions, chunking strategy, embedding model/provider, and text search indexes for the agent_resource table. Set has_chunks to false to disable the ProcessChunks pipeline. Defaults: 768 dimensions, 1000 chunk_size, 200 chunk_overlap, paragraph strategy, ["tsvector"] search indexes.'),
         addJSDoc(optionalProp('policies', t.tsArrayType(t.tsTypeReference(t.identifier('BlueprintPolicy')))), 'RLS policy overrides for the agent tables. NULL = apply defaults from apply_agent_security().'),
         addJSDoc(optionalProp('provisions', t.tsTypeLiteral([
             optionalProp('thread', t.tsTypeReference(t.identifier('BlueprintEntityTableProvision'))),
             optionalProp('message', t.tsTypeReference(t.identifier('BlueprintEntityTableProvision'))),
             optionalProp('task', t.tsTypeReference(t.identifier('BlueprintEntityTableProvision'))),
             optionalProp('prompt', t.tsTypeReference(t.identifier('BlueprintEntityTableProvision'))),
-            optionalProp('knowledge', t.tsTypeReference(t.identifier('BlueprintEntityTableProvision')))
-        ])), 'Per-table overrides for agent tables. Each key targets a specific table (thread, message, task, prompt, knowledge) and uses the same shape as table_provision: { nodes, fields, grants, use_rls, policies }. Fanned out to secure_table_provision.')
-    ]), 'Agent module configuration. When used at the top level of a blueprint, the scope field controls whether agents are app-level ("app", default) or org-level ("org"). When used inside entity_types[], scope is inherited from the entity type. Provisions thread, message, task, prompt tables (and optionally knowledge with vector embeddings).');
+            optionalProp('plan', t.tsTypeReference(t.identifier('BlueprintEntityTableProvision'))),
+            optionalProp('resource', t.tsTypeReference(t.identifier('BlueprintEntityTableProvision'))),
+            optionalProp('agent', t.tsTypeReference(t.identifier('BlueprintEntityTableProvision'))),
+            optionalProp('persona', t.tsTypeReference(t.identifier('BlueprintEntityTableProvision')))
+        ])), 'Per-table overrides for agent tables. Each key targets a specific table (thread, message, task, prompt, plan, resource, agent, persona) and uses the same shape as table_provision: { nodes, fields, grants, use_rls, policies }. Fanned out to secure_table_provision.')
+    ]), 'Agent module configuration. When used at the top level of a blueprint, the scope field controls whether agents are app-level ("app", default) or org-level ("org"). When used inside entity_types[], scope is inherited from the entity type. Provisions thread, message, task, prompt tables. Opt-in: has_plans (plan + approval workflow), has_resources (unified skills/knowledge with chunking), has_agents (agent registry + personas, implies has_resources).');
 }
 /**
  * Build the BlueprintGraphConfig interface.

package/esm/data/data-i18n.d.ts

@@ -0,0 +1,2 @@
+import type { NodeTypeDefinition } from '../types';
+export declare const DataI18n: NodeTypeDefinition;

package/esm/data/data-i18n.js

@@ -0,0 +1,44 @@
+export const DataI18n = {
+    name: 'DataI18n',
+    slug: 'data_i18n',
+    category: 'data',
+    display_name: 'Internationalization',
+    description: 'Creates a companion _translations table with lang_code + translatable ' +
+        'fields. Copies SELECT policies and column-ref fields from the base ' +
+        'table. Adds @i18n smart comment so the Graphile i18n plugin discovers ' +
+        'it. Requires i18n_module to be provisioned for the database.',
+    parameter_schema: {
+        type: 'object',
+        properties: {
+            fields: {
+                type: 'array',
+                items: {
+                    type: 'string',
+                    format: 'column-ref'
+                },
+                description: 'Field names on the base table to make translatable. Each field ' +
+                    'is duplicated on the translation table with the same type.'
+            },
+            table_suffix: {
+                type: 'string',
+                description: 'Suffix for the translation table name',
+                default: '_translations'
+            },
+            lang_code_type: {
+                type: 'string',
+                enum: ['citext', 'text'],
+                description: 'Type for the lang_code column',
+                default: 'citext'
+            },
+            copy_mutation_policies: {
+                type: 'boolean',
+                description: 'Whether to also copy INSERT/UPDATE/DELETE policies (not just ' +
+                    'SELECT). Default true — translations should be editable by the ' +
+                    'same users who can edit the base row.',
+                default: true
+            }
+        },
+        required: ['fields']
+    },
+    tags: ['i18n', 'translation', 'schema']
+};

package/esm/data/index.d.ts

@@ -7,6 +7,7 @@ export { DataCompositeField } from './data-composite-field';
 export { DataDirectOwner } from './data-direct-owner';
 export { DataEntityMembership } from './data-entity-membership';
 export { DataForceCurrentUser } from './data-force-current-user';
+export { DataI18n } from './data-i18n';
 export { DataId } from './data-id';
 export { DataImmutableFields } from './data-immutable-fields';
 export { DataInflection } from './data-inflection';

package/esm/data/index.js

@@ -7,6 +7,7 @@ export { DataCompositeField } from './data-composite-field';
 export { DataDirectOwner } from './data-direct-owner';
 export { DataEntityMembership } from './data-entity-membership';
 export { DataForceCurrentUser } from './data-force-current-user';
+export { DataI18n } from './data-i18n';
 export { DataId } from './data-id';
 export { DataImmutableFields } from './data-immutable-fields';
 export { DataInflection } from './data-inflection';

package/esm/module-presets/auth-email-magic.js

@@ -33,26 +33,18 @@ export const PresetAuthEmailMagic = {
     modules: [
         'users_module',
         'membership_types_module',
-        'permissions_module:app',
-        'limits_module:app',
-        'levels_module:app',
-        'memberships_module:app',
+        ['permissions_module', { scope: 'app' }],
+        ['limits_module', { scope: 'app' }],
+        ['levels_module', { scope: 'app' }],
+        ['memberships_module', { scope: 'app' }],
         'sessions_module',
         'user_state_module',
-        'config_secrets_user_module',
+        'user_credentials_module',
+        'config_secrets_module',
         'emails_module',
         'rls_module',
         'user_auth_module',
         'session_secrets_module'
     ],
-    includes_notes: {
-        session_secrets_module: 'Stores nonces for magic-link and email-OTP flows. Without it those procedures are not emitted.'
-    },
-    omits_notes: {
-        rate_limits_module: 'Same reasoning as `auth:email` — add later via `auth:hardened`.',
-        connected_accounts_module: 'No OAuth / SSO in this preset.',
-        webauthn_credentials_module: 'No passkeys — add `auth:passkey`.',
-        phone_numbers_module: 'No SMS — add `auth:hardened`.'
-    },
     extends: ['auth:email']
 };

package/esm/module-presets/auth-email.d.ts

@@ -9,9 +9,9 @@ import type { ModulePreset } from './types';
  * `set_password`, `reset_password`, `forgot_password`, `verify_email`,
  * `delete_account`, `my_sessions`, API-key CRUD. Nothing more.
  *
- * Includes `permissions_module:app`, `limits_module:app`, and
- * `levels_module:app` because `memberships_module:app` has NOT NULL
- * foreign keys to the tables they create (grants, caps, levels).
+ * Includes permissions, limits, and levels modules (app scope) because
+ * the app-scoped memberships module has NOT NULL foreign keys to the
+ * tables they create (grants, caps, levels).
  *
  * It deliberately excludes rate limits, connected accounts / identity
  * providers (OAuth), WebAuthn (passkeys), phone numbers (SMS), invites,

package/esm/module-presets/auth-email.js

@@ -8,9 +8,9 @@
  * `set_password`, `reset_password`, `forgot_password`, `verify_email`,
  * `delete_account`, `my_sessions`, API-key CRUD. Nothing more.
  *
- * Includes `permissions_module:app`, `limits_module:app`, and
- * `levels_module:app` because `memberships_module:app` has NOT NULL
- * foreign keys to the tables they create (grants, caps, levels).
+ * Includes permissions, limits, and levels modules (app scope) because
+ * the app-scoped memberships module has NOT NULL foreign keys to the
+ * tables they create (grants, caps, levels).
  *
  * It deliberately excludes rate limits, connected accounts / identity
  * providers (OAuth), WebAuthn (passkeys), phone numbers (SMS), invites,
@@ -44,35 +44,16 @@ export const PresetAuthEmail = {
     modules: [
         'users_module',
         'membership_types_module',
-        'permissions_module:app',
-        'limits_module:app',
-        'levels_module:app',
-        'memberships_module:app',
+        ['permissions_module', { scope: 'app' }],
+        ['limits_module', { scope: 'app' }],
+        ['levels_module', { scope: 'app' }],
+        ['memberships_module', { scope: 'app' }],
         'sessions_module',
         'user_state_module',
-        'config_secrets_user_module',
+        'user_credentials_module',
+        'config_secrets_module',
         'emails_module',
         'rls_module',
         'user_auth_module'
-    ],
-    includes_notes: {
-        'memberships_module:app': 'Required by `user_auth_module`: every user gets an app-level membership row at sign-up.',
-        membership_types_module: "Required by `memberships_module:app`; defines the 'app' scope.",
-        'permissions_module:app': 'Required by `memberships_module:app`: NOT NULL FK to grants table.',
-        'limits_module:app': 'Required by `memberships_module:app`: NOT NULL FK to caps table.',
-        'levels_module:app': 'Required by `memberships_module:app`: NOT NULL FK to levels table.',
-        emails_module: 'Required by the `user_auth_module` insert trigger (`RAISE EXCEPTION REQUIRES emails_module`).',
-        config_secrets_user_module: 'Required for password hashing; referenced by `set_password`, `verify_password`, and reset flows.',
-        user_state_module: 'API-key storage (`create_api_key`, `revoke_api_key`, `my_api_keys`).'
-    },
-    omits_notes: {
-        rate_limits_module: 'Omitted intentionally; throttle_* helpers are null-safe and the auth procs compile without it. Add later via `auth:hardened`.',
-        connected_accounts_module: 'No OAuth / SSO in this preset — add `auth:sso`.',
-        identity_providers_module: 'No OAuth provider configs without connected_accounts.',
-        webauthn_credentials_module: 'No passkeys — add `auth:passkey`.',
-        phone_numbers_module: 'No SMS login — add `auth:hardened` or the SMS-only refactor path.',
-        'memberships_module:org': 'No org/team structure — move to `b2b` when you need one.',
-        invites_module: 'Self-serve signup only.',
-        session_secrets_module: 'No magic-link / email-OTP nonces; add `auth:email+magic`.'
-    }
+    ]
 };

package/esm/module-presets/auth-hardened.js

@@ -30,13 +30,14 @@ export const PresetAuthHardened = {
     modules: [
         'users_module',
         'membership_types_module',
-        'permissions_module:app',
-        'limits_module:app',
-        'levels_module:app',
-        'memberships_module:app',
+        ['permissions_module', { scope: 'app' }],
+        ['limits_module', { scope: 'app' }],
+        ['levels_module', { scope: 'app' }],
+        ['memberships_module', { scope: 'app' }],
         'sessions_module',
         'user_state_module',
-        'config_secrets_user_module',
+        'user_credentials_module',
+        'config_secrets_module',
         'emails_module',
         'rls_module',
         'user_auth_module',
@@ -49,21 +50,5 @@ export const PresetAuthHardened = {
         'phone_numbers_module',
         'devices_module'
     ],
-    includes_notes: {
-        rate_limits_module: 'Throttling for sign-in, password reset, sign-up, and IP-based gates.',
-        connected_accounts_module: 'OAuth / SSO linkage.',
-        identity_providers_module: 'OAuth provider configs (required for `connected_accounts_module`).',
-        webauthn_credentials_module: 'Per-user passkey storage.',
-        webauthn_auth_module: 'Passkey challenge + assertion runtime.',
-        session_secrets_module: 'Nonces for magic links, email OTP, and WebAuthn challenges.',
-        phone_numbers_module: 'SMS sign-in / MFA support.',
-        devices_module: 'Device tracking and trusted-device MFA bypass.'
-    },
-    omits_notes: {
-        'memberships_module:org': 'No orgs / teams — use `b2b` when you need multi-tenancy.',
-        invites_module: 'No invite flow — add via `b2b`.',
-        storage_module: 'Add separately if you need file uploads.',
-        crypto_addresses_module: 'Not a web3 preset; omit unless doing wallet sign-in.'
-    },
     extends: ['auth:email', 'auth:email+magic', 'auth:sso', 'auth:passkey']
 };

package/esm/module-presets/auth-passkey.js

@@ -31,13 +31,14 @@ export const PresetAuthPasskey = {
     modules: [
         'users_module',
         'membership_types_module',
-        'permissions_module:app',
-        'limits_module:app',
-        'levels_module:app',
-        'memberships_module:app',
+        ['permissions_module', { scope: 'app' }],
+        ['limits_module', { scope: 'app' }],
+        ['levels_module', { scope: 'app' }],
+        ['memberships_module', { scope: 'app' }],
         'sessions_module',
         'user_state_module',
-        'config_secrets_user_module',
+        'user_credentials_module',
+        'config_secrets_module',
         'emails_module',
         'rls_module',
         'user_auth_module',
@@ -45,15 +46,5 @@ export const PresetAuthPasskey = {
         'webauthn_credentials_module',
         'webauthn_auth_module'
     ],
-    includes_notes: {
-        webauthn_credentials_module: 'Per-user WebAuthn credential storage. Without it, passkey registration does not compile.',
-        webauthn_auth_module: 'Runtime challenge + assertion flow.',
-        session_secrets_module: 'Challenge nonces for registration and assertion.'
-    },
-    omits_notes: {
-        rate_limits_module: 'Add via `auth:hardened` for production.',
-        connected_accounts_module: 'No OAuth / SSO — add via `auth:hardened`.',
-        phone_numbers_module: 'No SMS.'
-    },
     extends: ['auth:email']
 };

package/esm/module-presets/auth-sso.d.ts

@@ -6,7 +6,7 @@ import type { ModulePreset } from './types';
  * `(provider, external_id)`) and `identity_providers_module` (the provider
  * config: URLs, client_id, encrypted client_secret, scopes, PKCE/nonce
  * knobs). The generator then emits `sign_in_identity` / `sign_up_identity`
- * procedures which rely on `config_secrets_user_module` to decrypt the client
+ * procedures which rely on `config_secrets_module` to decrypt the client
  * secret at auth time.
  *
  * Password fallback stays on by default (break-glass for admins); flip the

package/esm/module-presets/auth-sso.js

@@ -5,7 +5,7 @@
  * `(provider, external_id)`) and `identity_providers_module` (the provider
  * config: URLs, client_id, encrypted client_secret, scopes, PKCE/nonce
  * knobs). The generator then emits `sign_in_identity` / `sign_up_identity`
- * procedures which rely on `config_secrets_user_module` to decrypt the client
+ * procedures which rely on `config_secrets_module` to decrypt the client
  * secret at auth time.
  *
  * Password fallback stays on by default (break-glass for admins); flip the
@@ -26,7 +26,7 @@ export const PresetAuthSso = {
         'encrypted client secrets) and `connected_accounts_module` (the junction mapping a ' +
         'Constructive user to a `(provider, external_id)` pair). The generator emits ' +
         '`sign_in_identity` and `sign_up_identity` procedures which decrypt the client secret ' +
-        'through `config_secrets_user_module` at auth time. Keep password flows as break-glass, or ' +
+        'through `config_secrets_module` at auth time. Keep password flows as break-glass, or ' +
         'disable them via `app_settings_auth` toggles for strictly-SSO deployments.',
     good_for: [
         'B2B apps where end users sign in via their employer IdP',
@@ -40,29 +40,19 @@ export const PresetAuthSso = {
     modules: [
         'users_module',
         'membership_types_module',
-        'permissions_module:app',
-        'limits_module:app',
-        'levels_module:app',
-        'memberships_module:app',
+        ['permissions_module', { scope: 'app' }],
+        ['limits_module', { scope: 'app' }],
+        ['levels_module', { scope: 'app' }],
+        ['memberships_module', { scope: 'app' }],
         'sessions_module',
         'user_state_module',
-        'config_secrets_user_module',
+        'user_credentials_module',
+        'config_secrets_module',
         'emails_module',
         'rls_module',
         'user_auth_module',
         'connected_accounts_module',
         'identity_providers_module'
     ],
-    includes_notes: {
-        connected_accounts_module: 'Junction table for (user, provider, external_id). Without it, `sign_in_identity` does not compile.',
-        identity_providers_module: 'Provider config table (URLs, client_id, encrypted client_secret, scopes, PKCE knobs).',
-        config_secrets_user_module: 'Required by `auth:email` already; also used by SSO to decrypt the provider client_secret at auth time.'
-    },
-    omits_notes: {
-        webauthn_credentials_module: 'No passkeys — add `auth:passkey` or move to `auth:hardened`.',
-        rate_limits_module: 'Omitted; add via `auth:hardened` for production.',
-        session_secrets_module: "Not required for authorization-code OAuth; add if you also want magic-link flows. PKCE doesn't require it for stateless OAuth flows today.",
-        phone_numbers_module: 'No SMS in this preset.'
-    },
     extends: ['auth:email']
 };