diff --git a/packages/node-type-registry/src/module-presets/auth-email-magic.ts b/packages/node-type-registry/src/module-presets/auth-email-magic.ts
index 23abf3444..2698ffa1c 100644
--- a/packages/node-type-registry/src/module-presets/auth-email-magic.ts
+++ b/packages/node-type-registry/src/module-presets/auth-email-magic.ts
@@ -41,8 +41,8 @@ export const PresetAuthEmailMagic: ModulePreset = {
 'levels_module:app',
 'memberships_module:app',
 'sessions_module',
-'secrets_module',
-'encrypted_secrets_module',
+'user_state_module',
+'user_secrets_module',
 'emails_module',
 'rls_module',
 'user_auth_module',
diff --git a/packages/node-type-registry/src/module-presets/auth-email.ts b/packages/node-type-registry/src/module-presets/auth-email.ts
index 02dd2be09..5f40f95a2 100644
--- a/packages/node-type-registry/src/module-presets/auth-email.ts
+++ b/packages/node-type-registry/src/module-presets/auth-email.ts
@@ -26,7 +26,7 @@ export const PresetAuthEmail: ModulePreset = {
 description:
 'Installs `user_auth_module` with exactly the table dependencies its insert trigger ' +
 'hard-requires: users, app-scoped memberships (plus their permissions/limits/levels ' +
-'dependencies), emails, secrets, encrypted secrets, sessions, plus RLS. You get the ' +
+'dependencies), emails, user state, user secrets, sessions, plus RLS. You get the ' +
 'standard password-based auth procedures (sign_up, sign_in, reset_password, ' +
 "verify_email, delete_account, ...) and that's it. Everything else in the module " +
 'catalog — SSO, passkeys, SMS, rate limits, orgs, invites — is deliberately omitted. ' +
@@ -52,8 +52,8 @@ export const PresetAuthEmail: ModulePreset = {
 'levels_module:app',
 'memberships_module:app',
 'sessions_module',
-'secrets_module',
-'encrypted_secrets_module',
+'user_state_module',
+'user_secrets_module',
 'emails_module',
 'rls_module',
 'user_auth_module'
@@ -65,8 +65,8 @@ export const PresetAuthEmail: ModulePreset = {
 'limits_module:app': 'Required by `memberships_module:app`: NOT NULL FK to caps table.',
 'levels_module:app': 'Required by `memberships_module:app`: NOT NULL FK to levels table.',
 emails_module: 'Required by the `user_auth_module` insert trigger (`RAISE EXCEPTION REQUIRES emails_module`).',
-encrypted_secrets_module: 'Required for password hashing; referenced by `set_password`, `verify_password`, and reset flows.',
-secrets_module: 'API-key storage (`create_api_key`, `revoke_api_key`, `my_api_keys`).'
+user_secrets_module: 'Required for password hashing; referenced by `set_password`, `verify_password`, and reset flows.',
+user_state_module: 'API-key storage (`create_api_key`, `revoke_api_key`, `my_api_keys`).'
 },
 omits_notes: {
 rate_limits_module: 'Omitted intentionally; throttle_* helpers are null-safe and the auth procs compile without it. Add later via `auth:hardened`.',
diff --git a/packages/node-type-registry/src/module-presets/auth-hardened.ts b/packages/node-type-registry/src/module-presets/auth-hardened.ts
index 59dd9877e..335077286 100644
--- a/packages/node-type-registry/src/module-presets/auth-hardened.ts
+++ b/packages/node-type-registry/src/module-presets/auth-hardened.ts
@@ -38,8 +38,8 @@ export const PresetAuthHardened: ModulePreset = {
 'levels_module:app',
 'memberships_module:app',
 'sessions_module',
-'secrets_module',
-'encrypted_secrets_module',
+'user_state_module',
+'user_secrets_module',
 'emails_module',
 'rls_module',
 'user_auth_module',
diff --git a/packages/node-type-registry/src/module-presets/auth-passkey.ts b/packages/node-type-registry/src/module-presets/auth-passkey.ts
index 7058eb799..e106f40a2 100644
--- a/packages/node-type-registry/src/module-presets/auth-passkey.ts
+++ b/packages/node-type-registry/src/module-presets/auth-passkey.ts
@@ -39,8 +39,8 @@ export const PresetAuthPasskey: ModulePreset = {
 'levels_module:app',
 'memberships_module:app',
 'sessions_module',
-'secrets_module',
-'encrypted_secrets_module',
+'user_state_module',
+'user_secrets_module',
 'emails_module',
 'rls_module',
 'user_auth_module',
diff --git a/packages/node-type-registry/src/module-presets/auth-sso.ts b/packages/node-type-registry/src/module-presets/auth-sso.ts
index 050d5767b..36fff32e4 100644
--- a/packages/node-type-registry/src/module-presets/auth-sso.ts
+++ b/packages/node-type-registry/src/module-presets/auth-sso.ts
@@ -7,7 +7,7 @@ import type { ModulePreset } from './types';
 * `(provider, external_id)`) and `identity_providers_module` (the provider
 * config: URLs, client_id, encrypted client_secret, scopes, PKCE/nonce
 * knobs). The generator then emits `sign_in_identity` / `sign_up_identity`
-* procedures which rely on `encrypted_secrets_module` to decrypt the client
+* procedures which rely on `user_secrets_module` to decrypt the client
 * secret at auth time.
 *
 * Password fallback stays on by default (break-glass for admins); flip the
@@ -29,7 +29,7 @@ export const PresetAuthSso: ModulePreset = {
 'encrypted client secrets) and `connected_accounts_module` (the junction mapping a ' +
 'Constructive user to a `(provider, external_id)` pair). The generator emits ' +
 '`sign_in_identity` and `sign_up_identity` procedures which decrypt the client secret ' +
-'through `encrypted_secrets_module` at auth time. Keep password flows as break-glass, or ' +
+'through `user_secrets_module` at auth time. Keep password flows as break-glass, or ' +
 'disable them via `app_settings_auth` toggles for strictly-SSO deployments.',
 good_for: [
 'B2B apps where end users sign in via their employer IdP',
@@ -48,8 +48,8 @@ export const PresetAuthSso: ModulePreset = {
 'levels_module:app',
 'memberships_module:app',
 'sessions_module',
-'secrets_module',
-'encrypted_secrets_module',
+'user_state_module',
+'user_secrets_module',
 'emails_module',
 'rls_module',
 'user_auth_module',
@@ -59,7 +59,7 @@ export const PresetAuthSso: ModulePreset = {
 includes_notes: {
 connected_accounts_module: 'Junction table for (user, provider, external_id). Without it, `sign_in_identity` does not compile.',
 identity_providers_module: 'Provider config table (URLs, client_id, encrypted client_secret, scopes, PKCE knobs).',
-encrypted_secrets_module: 'Required by `auth:email` already; also used by SSO to decrypt the provider client_secret at auth time.'
+user_secrets_module: 'Required by `auth:email` already; also used by SSO to decrypt the provider client_secret at auth time.'
 },
 omits_notes: {
 webauthn_credentials_module: 'No passkeys — add `auth:passkey` or move to `auth:hardened`.',
diff --git a/packages/node-type-registry/src/module-presets/b2b-storage.ts b/packages/node-type-registry/src/module-presets/b2b-storage.ts
index 19d1b16a6..e3894ad3c 100644
--- a/packages/node-type-registry/src/module-presets/b2b-storage.ts
+++ b/packages/node-type-registry/src/module-presets/b2b-storage.ts
@@ -44,8 +44,8 @@ export const PresetB2bStorage: ModulePreset = {
 'memberships_module:app',
 'memberships_module:org',
 'sessions_module',
-'secrets_module',
-'encrypted_secrets_module',
+'user_state_module',
+'user_secrets_module',
 'emails_module',
 'rls_module',
 'user_auth_module',
diff --git a/packages/node-type-registry/src/module-presets/b2b.ts b/packages/node-type-registry/src/module-presets/b2b.ts
index 6d6c69ea6..d5ed3b093 100644
--- a/packages/node-type-registry/src/module-presets/b2b.ts
+++ b/packages/node-type-registry/src/module-presets/b2b.ts
@@ -40,8 +40,8 @@ export const PresetB2b: ModulePreset = {
 'memberships_module:app',
 'memberships_module:org',
 'sessions_module',
-'secrets_module',
-'encrypted_secrets_module',
+'user_state_module',
+'user_secrets_module',
 'emails_module',
 'rls_module',
 'user_auth_module',
diff --git a/packages/node-type-registry/src/module-presets/minimal.ts b/packages/node-type-registry/src/module-presets/minimal.ts
index 622d9d9f5..09ef1c644 100644
--- a/packages/node-type-registry/src/module-presets/minimal.ts
+++ b/packages/node-type-registry/src/module-presets/minimal.ts
@@ -6,7 +6,7 @@ import type { ModulePreset } from './types';
 *
 * This is the barest foundation: a `users` table, a `sessions` table so
 * something upstream can mint tokens, `rls_module` so row-level security
-* is enforceable, and `secrets_module` so you can issue API keys. Nothing
+* is enforceable, and `user_state_module` so you can issue API keys. Nothing
 * else.
 *
 * You still write your own identity bridge on top (or rely on a header-based
@@ -35,13 +35,13 @@ export const PresetMinimal: ModulePreset = {
 'users_module',
 'sessions_module',
 'rls_module',
-'secrets_module'
+'user_state_module'
 ],
 includes_notes: {
 users_module: 'The canonical users table. Required by every preset.',
 sessions_module: 'Session/token storage; needed so whatever upstream auth can mint a session row.',
 rls_module: 'RLS policy infrastructure. Without it, row-level security is not enforced.',
-secrets_module: 'API-key storage. Optional for this preset but almost always wanted alongside upstream auth.'
+user_state_module: 'API-key storage. Optional for this preset but almost always wanted alongside upstream auth.'
 },
 omits_notes: {
 user_auth_module: 'No server-side sign_up/sign_in procedures in this preset.',
diff --git a/pgpm/export/__tests__/export-meta.test.ts b/pgpm/export/__tests__/export-meta.test.ts
index f31298753..7cb20301e 100644
--- a/pgpm/export/__tests__/export-meta.test.ts
+++ b/pgpm/export/__tests__/export-meta.test.ts
@@ -49,7 +49,7 @@ describe('Export Meta Config Validation', () => {
 'permissions_module', 'limits_module', 'levels_module', 'users_module', 'hierarchy_module', 'membership_types_module', 'invites_module', 'emails_module', 'sessions_module',
-'secrets_module', 'profiles_module', 'encrypted_secrets_module',
+'user_state_module', 'profiles_module', 'user_secrets_module',
 'connected_accounts_module', 'phone_numbers_module', 'crypto_addresses_module', 'crypto_auth_module', 'field_module', 'table_module', 'table_template_module',
diff --git a/pgpm/export/__tests__/graphql-naming.test.ts b/pgpm/export/__tests__/graphql-naming.test.ts
index 32998dd46..a4e8f32f9 100644
--- a/pgpm/export/__tests__/graphql-naming.test.ts
+++ b/pgpm/export/__tests__/graphql-naming.test.ts
@@ -63,9 +63,9 @@ describe('getGraphQLQueryName', () => {
 expect(getGraphQLQueryName('users_module')).toBe('usersModules');
 expect(getGraphQLQueryName('hierarchy_module')).toBe('hierarchyModules');
 expect(getGraphQLQueryName('sessions_module')).toBe('sessionsModules');
-expect(getGraphQLQueryName('secrets_module')).toBe('secretsModules');
+expect(getGraphQLQueryName('user_state_module')).toBe('userStateModules');
 expect(getGraphQLQueryName('profiles_module')).toBe('profilesModules');
-expect(getGraphQLQueryName('encrypted_secrets_module')).toBe('encryptedSecretsModules');
+expect(getGraphQLQueryName('user_secrets_module')).toBe('userSecretsModules');
 expect(getGraphQLQueryName('connected_accounts_module')).toBe('connectedAccountsModules');
 expect(getGraphQLQueryName('phone_numbers_module')).toBe('phoneNumbersModules');
 expect(getGraphQLQueryName('crypto_addresses_module')).toBe('cryptoAddressesModules');
diff --git a/pgpm/export/src/export-graphql-meta.ts b/pgpm/export/src/export-graphql-meta.ts
index 96622ea32..cb6f00721 100644
--- a/pgpm/export/src/export-graphql-meta.ts
+++ b/pgpm/export/src/export-graphql-meta.ts
@@ -176,9 +176,9 @@ export const exportGraphQLMeta = async ({
 queryAndParse('invites_module'),
 queryAndParse('emails_module'),
 queryAndParse('sessions_module'),
-queryAndParse('secrets_module'),
+queryAndParse('user_state_module'),
 queryAndParse('profiles_module'),
-queryAndParse('encrypted_secrets_module'),
+queryAndParse('user_secrets_module'),
 queryAndParse('connected_accounts_module'),
 queryAndParse('phone_numbers_module'),
 queryAndParse('crypto_addresses_module'),
diff --git a/pgpm/export/src/export-meta.ts b/pgpm/export/src/export-meta.ts
index 9e58418f4..42218125b 100644
--- a/pgpm/export/src/export-meta.ts
+++ b/pgpm/export/src/export-meta.ts
@@ -184,9 +184,9 @@ export const exportMeta = async ({ opts, dbname, database_id }: ExportMetaParams
 await queryAndParse('invites_module', `SELECT * FROM metaschema_modules_public.invites_module WHERE database_id = $1 ORDER BY id`);
 await queryAndParse('emails_module', `SELECT * FROM metaschema_modules_public.emails_module WHERE database_id = $1 ORDER BY id`);
 await queryAndParse('sessions_module', `SELECT * FROM metaschema_modules_public.sessions_module WHERE database_id = $1 ORDER BY id`);
-await queryAndParse('secrets_module', `SELECT * FROM metaschema_modules_public.secrets_module WHERE database_id = $1 ORDER BY id`);
+await queryAndParse('user_state_module', `SELECT * FROM metaschema_modules_public.user_state_module WHERE database_id = $1 ORDER BY id`);
 await queryAndParse('profiles_module', `SELECT * FROM metaschema_modules_public.profiles_module WHERE database_id = $1 ORDER BY id`);
-await queryAndParse('encrypted_secrets_module', `SELECT * FROM metaschema_modules_public.encrypted_secrets_module WHERE database_id = $1 ORDER BY id`);
+await queryAndParse('user_secrets_module', `SELECT * FROM metaschema_modules_public.user_secrets_module WHERE database_id = $1 ORDER BY id`);
 await queryAndParse('connected_accounts_module', `SELECT * FROM metaschema_modules_public.connected_accounts_module WHERE database_id = $1 ORDER BY id`);
 await queryAndParse('phone_numbers_module', `SELECT * FROM metaschema_modules_public.phone_numbers_module WHERE database_id = $1 ORDER BY id`);
 await queryAndParse('crypto_addresses_module', `SELECT * FROM metaschema_modules_public.crypto_addresses_module WHERE database_id = $1 ORDER BY id`);
diff --git a/pgpm/export/src/export-utils.ts b/pgpm/export/src/export-utils.ts
index db81cf99b..24693725d 100644
--- a/pgpm/export/src/export-utils.ts
+++ b/pgpm/export/src/export-utils.ts
@@ -169,9 +169,9 @@ export const META_TABLE_ORDER = [
 'invites_module',
 'emails_module',
 'sessions_module',
-'secrets_module',
+'user_state_module',
 'profiles_module',
-'encrypted_secrets_module',
+'user_secrets_module',
 'connected_accounts_module',
 'phone_numbers_module',
 'crypto_addresses_module',
@@ -953,9 +953,9 @@ export const META_TABLE_CONFIG: Record = {
 auth_settings_table: 'text'
 }
 },
-secrets_module: {
+user_state_module: {
 schema: 'metaschema_modules_public',
-table: 'secrets_module',
+table: 'user_state_module',
 fields: {
 id: 'uuid',
 database_id: 'uuid',
@@ -988,9 +988,9 @@ export const META_TABLE_CONFIG: Record = {
 prefix: 'text'
 }
 },
-encrypted_secrets_module: {
+user_secrets_module: {
 schema: 'metaschema_modules_public',
-table: 'encrypted_secrets_module',
+table: 'user_secrets_module',
 fields: {
 id: 'uuid',
 database_id: 'uuid',