node-type-registry 0.44.0 → 0.47.0

package/esm/module-presets/b2b-storage.js

@@ -18,7 +18,7 @@ export const PresetB2bStorage = {
         '`app_buckets` and `app_files` tables with full RLS: AuthzPublishable for public reads, ' +
         'AuthzAppMembership for member access, AuthzDirectOwner for uploader-only modify/delete. ' +
         'Entity-type provisioning with a non-empty `storage` array adds per-scope storage tables ' +
-        'automatically (multiple modules per entity via storage_key). Choose this when your B2B ' +
+        'automatically (multiple modules per entity via key). Choose this when your B2B ' +
         'app needs file uploads, avatars, attachments, or any object storage tied to workspaces.',
     good_for: [
         'B2B SaaS with file uploads (documents, avatars, attachments)',
@@ -32,17 +32,18 @@ export const PresetB2bStorage = {
     modules: [
         'users_module',
         'membership_types_module',
-        'permissions_module:app',
-        'permissions_module:org',
-        'limits_module:app',
-        'limits_module:org',
-        'levels_module:app',
-        'levels_module:org',
-        'memberships_module:app',
-        'memberships_module:org',
+        ['permissions_module', { scope: 'app' }],
+        ['permissions_module', { scope: 'org' }],
+        ['limits_module', { scope: 'app' }],
+        ['limits_module', { scope: 'org' }],
+        ['levels_module', { scope: 'app' }],
+        ['levels_module', { scope: 'org' }],
+        ['memberships_module', { scope: 'app' }],
+        ['memberships_module', { scope: 'org' }],
         'sessions_module',
         'user_state_module',
-        'config_secrets_user_module',
+        'user_credentials_module',
+        'config_secrets_module',
         'emails_module',
         'rls_module',
         'user_auth_module',
@@ -53,20 +54,13 @@ export const PresetB2bStorage = {
         'webauthn_credentials_module',
         'webauthn_auth_module',
         'phone_numbers_module',
-        'profiles_module:app',
-        'profiles_module:org',
-        'hierarchy_module:org',
-        'invites_module:app',
-        'invites_module:org',
+        ['profiles_module', { scope: 'app' }],
+        ['profiles_module', { scope: 'org' }],
+        ['hierarchy_module', { scope: 'org' }],
+        ['invites_module', { scope: 'app' }],
+        ['invites_module', { scope: 'org' }],
         'storage_module',
         'devices_module'
     ],
-    includes_notes: {
-        storage_module: 'File upload infrastructure: app_buckets + app_files tables with RLS. Entity-type storage scopes layered on top via the `storage` array (array-only format, supports multiple modules per entity via storage_key).',
-        devices_module: 'Device tracking and trusted-device MFA bypass.'
-    },
-    omits_notes: {
-        crypto_addresses_module: 'Not a web3 preset.'
-    },
     extends: ['b2b']
 };

package/esm/module-presets/b2b.js

@@ -15,11 +15,11 @@ export const PresetB2b = {
     display_name: 'B2B SaaS (orgs + invites + permissions)',
     summary: '`auth:hardened` + orgs, invites, fine-grained permissions, levels, profiles, hierarchy.',
     description: 'Everything in `auth:hardened`, plus the full org/team/permission stack at both app and ' +
-        'org membership scopes. You get: `memberships_module:org` for org-scoped memberships, ' +
-        '`permissions_module:app/:org` for fine-grained RBAC, `limits_module:app/:org` for per-scope ' +
-        'quota enforcement, `levels_module:app/:org` for role bundles, `profiles_module:app/:org` ' +
-        'for per-scope user display info, `hierarchy_module:org` for nested org structures, and ' +
-        '`invites_module:app/:org` for invite flows at either scope. Choose this when the app has ' +
+        'org membership scopes. You get: memberships at org scope, permissions at app and org ' +
+        'scopes for fine-grained RBAC, limits at app and org scopes for per-scope quota ' +
+        'enforcement, levels at app and org scopes for role bundles, profiles at app and org ' +
+        'scopes for per-scope user display info, hierarchy at org scope for nested org structures, ' +
+        'and invites at app and org scopes for invite flows. Choose this when the app has ' +
         'the concept of a "workspace" / "team" / "tenant" that users belong to and act within.',
     good_for: [
         'B2B SaaS with multi-tenant workspaces / teams',
@@ -34,11 +34,12 @@ export const PresetB2b = {
     modules: [
         'users_module',
         'membership_types_module',
-        'memberships_module:app',
-        'memberships_module:org',
+        ['memberships_module', { scope: 'app' }],
+        ['memberships_module', { scope: 'org' }],
         'sessions_module',
         'user_state_module',
-        'config_secrets_user_module',
+        'user_credentials_module',
+        'config_secrets_module',
         'emails_module',
         'rls_module',
         'user_auth_module',
@@ -49,37 +50,18 @@ export const PresetB2b = {
         'webauthn_credentials_module',
         'webauthn_auth_module',
         'phone_numbers_module',
-        'permissions_module:app',
-        'permissions_module:org',
-        'limits_module:app',
-        'limits_module:org',
-        'levels_module:app',
-        'levels_module:org',
-        'profiles_module:app',
-        'profiles_module:org',
-        'hierarchy_module:org',
-        'invites_module:app',
-        'invites_module:org',
+        ['permissions_module', { scope: 'app' }],
+        ['permissions_module', { scope: 'org' }],
+        ['limits_module', { scope: 'app' }],
+        ['limits_module', { scope: 'org' }],
+        ['levels_module', { scope: 'app' }],
+        ['levels_module', { scope: 'org' }],
+        ['profiles_module', { scope: 'app' }],
+        ['profiles_module', { scope: 'org' }],
+        ['hierarchy_module', { scope: 'org' }],
+        ['invites_module', { scope: 'app' }],
+        ['invites_module', { scope: 'org' }],
         'devices_module'
     ],
-    includes_notes: {
-        'memberships_module:org': 'Org-scoped membership rows — every user in an org gets one.',
-        'permissions_module:app': 'App-wide permission grants (e.g. platform admins).',
-        'permissions_module:org': 'Org-scoped permission grants (per-workspace admins, members, viewers, ...).',
-        'limits_module:app': 'App-level quotas (e.g. max users per plan).',
-        'limits_module:org': 'Org-level quotas (e.g. per-workspace API call caps).',
-        'levels_module:app': 'Role/level bundles at the app scope.',
-        'levels_module:org': 'Role/level bundles at the org scope (admin / member / viewer, etc.).',
-        'profiles_module:app': 'App-scoped user profile (one per user).',
-        'profiles_module:org': 'Org-scoped user profile (per org a user belongs to).',
-        'hierarchy_module:org': 'Nested org structures (parent / child orgs).',
-        'invites_module:app': 'App-level invites (rare — usually platform admin adds another admin).',
-        'invites_module:org': 'Org-level invites (the common case — invite a teammate into a workspace).',
-        devices_module: 'Device tracking and trusted-device MFA bypass.'
-    },
-    omits_notes: {
-        storage_module: 'Add separately if you need file uploads tied to orgs.',
-        crypto_addresses_module: 'Not a web3 preset.'
-    },
     extends: ['auth:hardened']
 };

package/esm/module-presets/full.d.ts

@@ -3,7 +3,7 @@ import type { ModulePreset } from './types';
  * `full` — install every standard module.
  *
  * This is the maximalist preset: every module Constructive ships, including
- * `storage_module:full` for file uploads with all feature flags and
+ * `storage_module` with all feature flags enabled and
  * `crypto_addresses_module` for wallet-based sign-in.
  *
  * Usage logging modules (compute_log, inference_log, transfer_log,

package/esm/module-presets/full.js

@@ -2,7 +2,7 @@
  * `full` — install every standard module.
  *
  * This is the maximalist preset: every module Constructive ships, including
- * `storage_module:full` for file uploads with all feature flags and
+ * `storage_module` with all feature flags enabled and
  * `crypto_addresses_module` for wallet-based sign-in.
  *
  * Usage logging modules (compute_log, inference_log, transfer_log,
@@ -16,7 +16,7 @@ export const PresetFull = {
     display_name: 'Full (every module)',
     summary: 'Install every standard Constructive module with explicit module list.',
     description: 'Installs every standard module in the catalog: everything in `b2b` plus ' +
-        '`storage_module:full` for file uploads (versioning, content hash, custom keys, audit log), ' +
+        '`storage_module` with all feature flags (versioning, content hash, custom keys, audit log), ' +
         '`crypto_addresses_module` for wallet-based sign-in, `plans_module` and `billing_module` ' +
         'for subscription management, `notifications_module` for in-app notifications, and ' +
         '`events_module` at both app and org scopes. Usage logging modules are opt-in only — ' +
@@ -35,19 +35,19 @@ export const PresetFull = {
         'users_module',
         'membership_types_module',
         // App-level (membership_type = 1)
-        'permissions_module:app',
-        'limits_module:app',
-        'memberships_module:app',
-        'events_module:app',
-        'profiles_module:app',
+        ['permissions_module', { scope: 'app' }],
+        ['limits_module', { scope: 'app' }],
+        ['memberships_module', { scope: 'app' }],
+        ['events_module', { scope: 'app' }],
+        ['profiles_module', { scope: 'app' }],
         // Org-level (membership_type = 2)
-        'permissions_module:org',
-        'limits_module:org',
-        'memberships_module:org',
-        'events_module:org',
-        'profiles_module:org',
+        ['permissions_module', { scope: 'org' }],
+        ['limits_module', { scope: 'org' }],
+        ['memberships_module', { scope: 'org' }],
+        ['events_module', { scope: 'org' }],
+        ['profiles_module', { scope: 'org' }],
         // Hierarchy
-        'hierarchy_module:org',
+        ['hierarchy_module', { scope: 'org' }],
         // Billing & Plans
         'plans_module',
         'billing_module',
@@ -59,35 +59,32 @@ export const PresetFull = {
         'session_secrets_module',
         'rate_limits_module',
         'devices_module',
-        'config_secrets_user_module',
+        'user_credentials_module',
+        'config_secrets_module',
         'rls_module',
         // Contact modules
         'emails_module',
         'phone_numbers_module',
         'crypto_addresses_module',
         'webauthn_credentials_module',
+        // User settings + notifications (user_settings_module must precede notifications_module)
+        'user_settings_module',
         'notifications_module',
         // Connected accounts
         'connected_accounts_module',
         'identity_providers_module',
         // Invites & Auth
-        'invites_module:app',
-        'invites_module:org',
+        ['invites_module', { scope: 'app' }],
+        ['invites_module', { scope: 'org' }],
         'user_auth_module',
         'webauthn_auth_module',
+        // Internationalization
+        'i18n_module',
         // Storage (full features)
-        'storage_module:full'
+        ['storage_module', { has_versioning: true, has_content_hash: true, has_custom_keys: true, has_audit_log: true }],
+        // Infrastructure (functions, namespaces)
+        'namespace_module',
+        'function_module',
     ],
-    includes_notes: {
-        'storage_module:full': 'All storage feature flags enabled: versioning, content hash, custom keys, audit log.',
-        billing_module: 'Metered billing with credits waterfall and period reset.',
-        plans_module: 'Subscription plan management with plan-governed caps.',
-        notifications_module: 'In-app notification system with read/unread tracking.'
-    },
-    omits_notes: {
-        compute_log_module: 'Usage logging is opt-in. Add explicitly if needed.',
-        inference_log_module: 'Usage logging is opt-in. Add explicitly if needed.',
-        agent_module: 'Agent infrastructure is opt-in.'
-    },
     extends: ['b2b']
 };

package/esm/module-presets/minimal.js

@@ -33,16 +33,5 @@ export const PresetMinimal = {
         'sessions_module',
         'rls_module',
         'user_state_module'
-    ],
-    includes_notes: {
-        users_module: 'The canonical users table. Required by every preset.',
-        sessions_module: 'Session/token storage; needed so whatever upstream auth can mint a session row.',
-        rls_module: 'RLS policy infrastructure. Without it, row-level security is not enforced.',
-        user_state_module: 'API-key storage. Optional for this preset but almost always wanted alongside upstream auth.'
-    },
-    omits_notes: {
-        user_auth_module: 'No server-side sign_up/sign_in procedures in this preset.',
-        emails_module: 'Not needed without password/magic-link flows; upstream auth handles identity.',
-        memberships_module: 'No memberships without a user_auth_module wiring them up.'
-    }
+    ]
 };

package/esm/module-presets/types.d.ts

@@ -34,24 +34,18 @@ export interface ModulePreset {
     /** Scenarios where this preset is the wrong choice — point at alternatives. */
     not_for: string[];
     /**
-     * Flat list of module names to install. Module names must match the
-     * canonical list accepted by
+     * List of modules to install. Each entry is either a plain module name
+     * (string) or a Babel-style tuple [name, options] for modules that need
+     * configuration. Module names must match the canonical list accepted by
      * `metaschema_generators.provision_database_modules` in constructive-db.
      * Order doesn't matter — provisioning resolves dependencies.
+     *
+     * Examples:
+     *   'users_module'                              — simple module
+     *   ['permissions_module', { scope: 'app' }]    — scoped module
+     *   ['agent_module', { has_plans: true }]        — feature-flagged module
      */
-    modules: string[];
-    /**
-     * Optional per-module justifications. Map from module name to a short
-     * "why this module is in this preset" note. Rendered in docs and CLI
-     * `--explain` output.
-     */
-    includes_notes?: Record<string, string>;
-    /**
-     * Optional per-module "why we deliberately leave this out" notes. Only
-     * list modules that a user might reasonably expect to be here; don't
-     * enumerate every omitted module.
-     */
-    omits_notes?: Record<string, string>;
+    modules: (string | [string, Record<string, unknown>])[];
     /**
      * Optional: name(s) of presets this one builds on. Purely documentary —
      * not enforced at runtime, `modules` must still be the full flat list.

package/module-presets/auth-email-magic.js

@@ -36,26 +36,18 @@ exports.PresetAuthEmailMagic = {
     modules: [
         'users_module',
         'membership_types_module',
-        'permissions_module:app',
-        'limits_module:app',
-        'levels_module:app',
-        'memberships_module:app',
+        ['permissions_module', { scope: 'app' }],
+        ['limits_module', { scope: 'app' }],
+        ['levels_module', { scope: 'app' }],
+        ['memberships_module', { scope: 'app' }],
         'sessions_module',
         'user_state_module',
-        'config_secrets_user_module',
+        'user_credentials_module',
+        'config_secrets_module',
         'emails_module',
         'rls_module',
         'user_auth_module',
         'session_secrets_module'
     ],
-    includes_notes: {
-        session_secrets_module: 'Stores nonces for magic-link and email-OTP flows. Without it those procedures are not emitted.'
-    },
-    omits_notes: {
-        rate_limits_module: 'Same reasoning as `auth:email` — add later via `auth:hardened`.',
-        connected_accounts_module: 'No OAuth / SSO in this preset.',
-        webauthn_credentials_module: 'No passkeys — add `auth:passkey`.',
-        phone_numbers_module: 'No SMS — add `auth:hardened`.'
-    },
     extends: ['auth:email']
 };

package/module-presets/auth-email.d.ts

@@ -9,9 +9,9 @@ import type { ModulePreset } from './types';
  * `set_password`, `reset_password`, `forgot_password`, `verify_email`,
  * `delete_account`, `my_sessions`, API-key CRUD. Nothing more.
  *
- * Includes `permissions_module:app`, `limits_module:app`, and
- * `levels_module:app` because `memberships_module:app` has NOT NULL
- * foreign keys to the tables they create (grants, caps, levels).
+ * Includes permissions, limits, and levels modules (app scope) because
+ * the app-scoped memberships module has NOT NULL foreign keys to the
+ * tables they create (grants, caps, levels).
  *
  * It deliberately excludes rate limits, connected accounts / identity
  * providers (OAuth), WebAuthn (passkeys), phone numbers (SMS), invites,

package/module-presets/auth-email.js

@@ -11,9 +11,9 @@ exports.PresetAuthEmail = void 0;
  * `set_password`, `reset_password`, `forgot_password`, `verify_email`,
  * `delete_account`, `my_sessions`, API-key CRUD. Nothing more.
  *
- * Includes `permissions_module:app`, `limits_module:app`, and
- * `levels_module:app` because `memberships_module:app` has NOT NULL
- * foreign keys to the tables they create (grants, caps, levels).
+ * Includes permissions, limits, and levels modules (app scope) because
+ * the app-scoped memberships module has NOT NULL foreign keys to the
+ * tables they create (grants, caps, levels).
  *
  * It deliberately excludes rate limits, connected accounts / identity
  * providers (OAuth), WebAuthn (passkeys), phone numbers (SMS), invites,
@@ -47,35 +47,16 @@ exports.PresetAuthEmail = {
     modules: [
         'users_module',
         'membership_types_module',
-        'permissions_module:app',
-        'limits_module:app',
-        'levels_module:app',
-        'memberships_module:app',
+        ['permissions_module', { scope: 'app' }],
+        ['limits_module', { scope: 'app' }],
+        ['levels_module', { scope: 'app' }],
+        ['memberships_module', { scope: 'app' }],
         'sessions_module',
         'user_state_module',
-        'config_secrets_user_module',
+        'user_credentials_module',
+        'config_secrets_module',
         'emails_module',
         'rls_module',
         'user_auth_module'
-    ],
-    includes_notes: {
-        'memberships_module:app': 'Required by `user_auth_module`: every user gets an app-level membership row at sign-up.',
-        membership_types_module: "Required by `memberships_module:app`; defines the 'app' scope.",
-        'permissions_module:app': 'Required by `memberships_module:app`: NOT NULL FK to grants table.',
-        'limits_module:app': 'Required by `memberships_module:app`: NOT NULL FK to caps table.',
-        'levels_module:app': 'Required by `memberships_module:app`: NOT NULL FK to levels table.',
-        emails_module: 'Required by the `user_auth_module` insert trigger (`RAISE EXCEPTION REQUIRES emails_module`).',
-        config_secrets_user_module: 'Required for password hashing; referenced by `set_password`, `verify_password`, and reset flows.',
-        user_state_module: 'API-key storage (`create_api_key`, `revoke_api_key`, `my_api_keys`).'
-    },
-    omits_notes: {
-        rate_limits_module: 'Omitted intentionally; throttle_* helpers are null-safe and the auth procs compile without it. Add later via `auth:hardened`.',
-        connected_accounts_module: 'No OAuth / SSO in this preset — add `auth:sso`.',
-        identity_providers_module: 'No OAuth provider configs without connected_accounts.',
-        webauthn_credentials_module: 'No passkeys — add `auth:passkey`.',
-        phone_numbers_module: 'No SMS login — add `auth:hardened` or the SMS-only refactor path.',
-        'memberships_module:org': 'No org/team structure — move to `b2b` when you need one.',
-        invites_module: 'Self-serve signup only.',
-        session_secrets_module: 'No magic-link / email-OTP nonces; add `auth:email+magic`.'
-    }
+    ]
 };

package/module-presets/auth-hardened.js

@@ -33,13 +33,14 @@ exports.PresetAuthHardened = {
     modules: [
         'users_module',
         'membership_types_module',
-        'permissions_module:app',
-        'limits_module:app',
-        'levels_module:app',
-        'memberships_module:app',
+        ['permissions_module', { scope: 'app' }],
+        ['limits_module', { scope: 'app' }],
+        ['levels_module', { scope: 'app' }],
+        ['memberships_module', { scope: 'app' }],
         'sessions_module',
         'user_state_module',
-        'config_secrets_user_module',
+        'user_credentials_module',
+        'config_secrets_module',
         'emails_module',
         'rls_module',
         'user_auth_module',
@@ -52,21 +53,5 @@ exports.PresetAuthHardened = {
         'phone_numbers_module',
         'devices_module'
     ],
-    includes_notes: {
-        rate_limits_module: 'Throttling for sign-in, password reset, sign-up, and IP-based gates.',
-        connected_accounts_module: 'OAuth / SSO linkage.',
-        identity_providers_module: 'OAuth provider configs (required for `connected_accounts_module`).',
-        webauthn_credentials_module: 'Per-user passkey storage.',
-        webauthn_auth_module: 'Passkey challenge + assertion runtime.',
-        session_secrets_module: 'Nonces for magic links, email OTP, and WebAuthn challenges.',
-        phone_numbers_module: 'SMS sign-in / MFA support.',
-        devices_module: 'Device tracking and trusted-device MFA bypass.'
-    },
-    omits_notes: {
-        'memberships_module:org': 'No orgs / teams — use `b2b` when you need multi-tenancy.',
-        invites_module: 'No invite flow — add via `b2b`.',
-        storage_module: 'Add separately if you need file uploads.',
-        crypto_addresses_module: 'Not a web3 preset; omit unless doing wallet sign-in.'
-    },
     extends: ['auth:email', 'auth:email+magic', 'auth:sso', 'auth:passkey']
 };

package/module-presets/auth-passkey.js

@@ -34,13 +34,14 @@ exports.PresetAuthPasskey = {
     modules: [
         'users_module',
         'membership_types_module',
-        'permissions_module:app',
-        'limits_module:app',
-        'levels_module:app',
-        'memberships_module:app',
+        ['permissions_module', { scope: 'app' }],
+        ['limits_module', { scope: 'app' }],
+        ['levels_module', { scope: 'app' }],
+        ['memberships_module', { scope: 'app' }],
         'sessions_module',
         'user_state_module',
-        'config_secrets_user_module',
+        'user_credentials_module',
+        'config_secrets_module',
         'emails_module',
         'rls_module',
         'user_auth_module',
@@ -48,15 +49,5 @@ exports.PresetAuthPasskey = {
         'webauthn_credentials_module',
         'webauthn_auth_module'
     ],
-    includes_notes: {
-        webauthn_credentials_module: 'Per-user WebAuthn credential storage. Without it, passkey registration does not compile.',
-        webauthn_auth_module: 'Runtime challenge + assertion flow.',
-        session_secrets_module: 'Challenge nonces for registration and assertion.'
-    },
-    omits_notes: {
-        rate_limits_module: 'Add via `auth:hardened` for production.',
-        connected_accounts_module: 'No OAuth / SSO — add via `auth:hardened`.',
-        phone_numbers_module: 'No SMS.'
-    },
     extends: ['auth:email']
 };

package/module-presets/auth-sso.d.ts

@@ -6,7 +6,7 @@ import type { ModulePreset } from './types';
  * `(provider, external_id)`) and `identity_providers_module` (the provider
  * config: URLs, client_id, encrypted client_secret, scopes, PKCE/nonce
  * knobs). The generator then emits `sign_in_identity` / `sign_up_identity`
- * procedures which rely on `config_secrets_user_module` to decrypt the client
+ * procedures which rely on `config_secrets_module` to decrypt the client
  * secret at auth time.
  *
  * Password fallback stays on by default (break-glass for admins); flip the

package/module-presets/auth-sso.js

@@ -8,7 +8,7 @@ exports.PresetAuthSso = void 0;
  * `(provider, external_id)`) and `identity_providers_module` (the provider
  * config: URLs, client_id, encrypted client_secret, scopes, PKCE/nonce
  * knobs). The generator then emits `sign_in_identity` / `sign_up_identity`
- * procedures which rely on `config_secrets_user_module` to decrypt the client
+ * procedures which rely on `config_secrets_module` to decrypt the client
  * secret at auth time.
  *
  * Password fallback stays on by default (break-glass for admins); flip the
@@ -29,7 +29,7 @@ exports.PresetAuthSso = {
         'encrypted client secrets) and `connected_accounts_module` (the junction mapping a ' +
         'Constructive user to a `(provider, external_id)` pair). The generator emits ' +
         '`sign_in_identity` and `sign_up_identity` procedures which decrypt the client secret ' +
-        'through `config_secrets_user_module` at auth time. Keep password flows as break-glass, or ' +
+        'through `config_secrets_module` at auth time. Keep password flows as break-glass, or ' +
         'disable them via `app_settings_auth` toggles for strictly-SSO deployments.',
     good_for: [
         'B2B apps where end users sign in via their employer IdP',
@@ -43,29 +43,19 @@ exports.PresetAuthSso = {
     modules: [
         'users_module',
         'membership_types_module',
-        'permissions_module:app',
-        'limits_module:app',
-        'levels_module:app',
-        'memberships_module:app',
+        ['permissions_module', { scope: 'app' }],
+        ['limits_module', { scope: 'app' }],
+        ['levels_module', { scope: 'app' }],
+        ['memberships_module', { scope: 'app' }],
         'sessions_module',
         'user_state_module',
-        'config_secrets_user_module',
+        'user_credentials_module',
+        'config_secrets_module',
         'emails_module',
         'rls_module',
         'user_auth_module',
         'connected_accounts_module',
         'identity_providers_module'
     ],
-    includes_notes: {
-        connected_accounts_module: 'Junction table for (user, provider, external_id). Without it, `sign_in_identity` does not compile.',
-        identity_providers_module: 'Provider config table (URLs, client_id, encrypted client_secret, scopes, PKCE knobs).',
-        config_secrets_user_module: 'Required by `auth:email` already; also used by SSO to decrypt the provider client_secret at auth time.'
-    },
-    omits_notes: {
-        webauthn_credentials_module: 'No passkeys — add `auth:passkey` or move to `auth:hardened`.',
-        rate_limits_module: 'Omitted; add via `auth:hardened` for production.',
-        session_secrets_module: "Not required for authorization-code OAuth; add if you also want magic-link flows. PKCE doesn't require it for stateless OAuth flows today.",
-        phone_numbers_module: 'No SMS in this preset.'
-    },
     extends: ['auth:email']
 };

package/module-presets/b2b-storage.js

@@ -21,7 +21,7 @@ exports.PresetB2bStorage = {
         '`app_buckets` and `app_files` tables with full RLS: AuthzPublishable for public reads, ' +
         'AuthzAppMembership for member access, AuthzDirectOwner for uploader-only modify/delete. ' +
         'Entity-type provisioning with a non-empty `storage` array adds per-scope storage tables ' +
-        'automatically (multiple modules per entity via storage_key). Choose this when your B2B ' +
+        'automatically (multiple modules per entity via key). Choose this when your B2B ' +
         'app needs file uploads, avatars, attachments, or any object storage tied to workspaces.',
     good_for: [
         'B2B SaaS with file uploads (documents, avatars, attachments)',
@@ -35,17 +35,18 @@ exports.PresetB2bStorage = {
     modules: [
         'users_module',
         'membership_types_module',
-        'permissions_module:app',
-        'permissions_module:org',
-        'limits_module:app',
-        'limits_module:org',
-        'levels_module:app',
-        'levels_module:org',
-        'memberships_module:app',
-        'memberships_module:org',
+        ['permissions_module', { scope: 'app' }],
+        ['permissions_module', { scope: 'org' }],
+        ['limits_module', { scope: 'app' }],
+        ['limits_module', { scope: 'org' }],
+        ['levels_module', { scope: 'app' }],
+        ['levels_module', { scope: 'org' }],
+        ['memberships_module', { scope: 'app' }],
+        ['memberships_module', { scope: 'org' }],
         'sessions_module',
         'user_state_module',
-        'config_secrets_user_module',
+        'user_credentials_module',
+        'config_secrets_module',
         'emails_module',
         'rls_module',
         'user_auth_module',
@@ -56,20 +57,13 @@ exports.PresetB2bStorage = {
         'webauthn_credentials_module',
         'webauthn_auth_module',
         'phone_numbers_module',
-        'profiles_module:app',
-        'profiles_module:org',
-        'hierarchy_module:org',
-        'invites_module:app',
-        'invites_module:org',
+        ['profiles_module', { scope: 'app' }],
+        ['profiles_module', { scope: 'org' }],
+        ['hierarchy_module', { scope: 'org' }],
+        ['invites_module', { scope: 'app' }],
+        ['invites_module', { scope: 'org' }],
         'storage_module',
         'devices_module'
     ],
-    includes_notes: {
-        storage_module: 'File upload infrastructure: app_buckets + app_files tables with RLS. Entity-type storage scopes layered on top via the `storage` array (array-only format, supports multiple modules per entity via storage_key).',
-        devices_module: 'Device tracking and trusted-device MFA bypass.'
-    },
-    omits_notes: {
-        crypto_addresses_module: 'Not a web3 preset.'
-    },
     extends: ['b2b']
 };