feat: rename secrets_module → user_state_module and encrypted_secrets_module → user_secrets_module in presets + export pipeline

packages/node-type-registry/src/module-presets/auth-email-magic.ts

@@ -41,8 +41,8 @@ export const PresetAuthEmailMagic: ModulePreset = {
     'levels_module:app',
     'memberships_module:app',
     'sessions_module',
-    'secrets_module',
-    'encrypted_secrets_module',
+    'user_state_module',
+    'user_secrets_module',
     'emails_module',
     'rls_module',
     'user_auth_module',

packages/node-type-registry/src/module-presets/auth-email.ts

@@ -26,7 +26,7 @@ export const PresetAuthEmail: ModulePreset = {
   description:
     'Installs `user_auth_module` with exactly the table dependencies its insert trigger ' +
     'hard-requires: users, app-scoped memberships (plus their permissions/limits/levels ' +
-    'dependencies), emails, secrets, encrypted secrets, sessions, plus RLS. You get the ' +
+    'dependencies), emails, user state, user secrets, sessions, plus RLS. You get the ' +
     'standard password-based auth procedures (sign_up, sign_in, reset_password, ' +
     "verify_email, delete_account, ...) and that's it. Everything else in the module " +
     'catalog — SSO, passkeys, SMS, rate limits, orgs, invites — is deliberately omitted. ' +
@@ -52,8 +52,8 @@ export const PresetAuthEmail: ModulePreset = {
     'levels_module:app',
     'memberships_module:app',
     'sessions_module',
-    'secrets_module',
-    'encrypted_secrets_module',
+    'user_state_module',
+    'user_secrets_module',
     'emails_module',
     'rls_module',
     'user_auth_module'
@@ -65,8 +65,8 @@ export const PresetAuthEmail: ModulePreset = {
     'limits_module:app': 'Required by `memberships_module:app`: NOT NULL FK to caps table.',
     'levels_module:app': 'Required by `memberships_module:app`: NOT NULL FK to levels table.',
     emails_module: 'Required by the `user_auth_module` insert trigger (`RAISE EXCEPTION REQUIRES emails_module`).',
-    encrypted_secrets_module: 'Required for password hashing; referenced by `set_password`, `verify_password`, and reset flows.',
-    secrets_module: 'API-key storage (`create_api_key`, `revoke_api_key`, `my_api_keys`).'
+    user_secrets_module: 'Required for password hashing; referenced by `set_password`, `verify_password`, and reset flows.',
+    user_state_module: 'API-key storage (`create_api_key`, `revoke_api_key`, `my_api_keys`).'
   },
   omits_notes: {
     rate_limits_module: 'Omitted intentionally; throttle_* helpers are null-safe and the auth procs compile without it. Add later via `auth:hardened`.',

packages/node-type-registry/src/module-presets/auth-hardened.ts

@@ -38,8 +38,8 @@ export const PresetAuthHardened: ModulePreset = {
     'levels_module:app',
     'memberships_module:app',
     'sessions_module',
-    'secrets_module',
-    'encrypted_secrets_module',
+    'user_state_module',
+    'user_secrets_module',
     'emails_module',
     'rls_module',
     'user_auth_module',

packages/node-type-registry/src/module-presets/auth-passkey.ts

@@ -39,8 +39,8 @@ export const PresetAuthPasskey: ModulePreset = {
     'levels_module:app',
     'memberships_module:app',
     'sessions_module',
-    'secrets_module',
-    'encrypted_secrets_module',
+    'user_state_module',
+    'user_secrets_module',
     'emails_module',
     'rls_module',
     'user_auth_module',

packages/node-type-registry/src/module-presets/auth-sso.ts

@@ -7,7 +7,7 @@ import type { ModulePreset } from './types';
  * `(provider, external_id)`) and `identity_providers_module` (the provider
  * config: URLs, client_id, encrypted client_secret, scopes, PKCE/nonce
  * knobs). The generator then emits `sign_in_identity` / `sign_up_identity`
- * procedures which rely on `encrypted_secrets_module` to decrypt the client
+ * procedures which rely on `user_secrets_module` to decrypt the client
  * secret at auth time.
  *
  * Password fallback stays on by default (break-glass for admins); flip the
@@ -29,7 +29,7 @@ export const PresetAuthSso: ModulePreset = {
     'encrypted client secrets) and `connected_accounts_module` (the junction mapping a ' +
     'Constructive user to a `(provider, external_id)` pair). The generator emits ' +
     '`sign_in_identity` and `sign_up_identity` procedures which decrypt the client secret ' +
-    'through `encrypted_secrets_module` at auth time. Keep password flows as break-glass, or ' +
+    'through `user_secrets_module` at auth time. Keep password flows as break-glass, or ' +
     'disable them via `app_settings_auth` toggles for strictly-SSO deployments.',
   good_for: [
     'B2B apps where end users sign in via their employer IdP',
@@ -48,8 +48,8 @@ export const PresetAuthSso: ModulePreset = {
     'levels_module:app',
     'memberships_module:app',
     'sessions_module',
-    'secrets_module',
-    'encrypted_secrets_module',
+    'user_state_module',
+    'user_secrets_module',
     'emails_module',
     'rls_module',
     'user_auth_module',
@@ -59,7 +59,7 @@ export const PresetAuthSso: ModulePreset = {
   includes_notes: {
     connected_accounts_module: 'Junction table for (user, provider, external_id). Without it, `sign_in_identity` does not compile.',
     identity_providers_module: 'Provider config table (URLs, client_id, encrypted client_secret, scopes, PKCE knobs).',
-    encrypted_secrets_module: 'Required by `auth:email` already; also used by SSO to decrypt the provider client_secret at auth time.'
+    user_secrets_module: 'Required by `auth:email` already; also used by SSO to decrypt the provider client_secret at auth time.'
   },
   omits_notes: {
     webauthn_credentials_module: 'No passkeys — add `auth:passkey` or move to `auth:hardened`.',

packages/node-type-registry/src/module-presets/b2b-storage.ts

@@ -44,8 +44,8 @@ export const PresetB2bStorage: ModulePreset = {
     'memberships_module:app',
     'memberships_module:org',
     'sessions_module',
-    'secrets_module',
-    'encrypted_secrets_module',
+    'user_state_module',
+    'user_secrets_module',
     'emails_module',
     'rls_module',
     'user_auth_module',

packages/node-type-registry/src/module-presets/b2b.ts

@@ -40,8 +40,8 @@ export const PresetB2b: ModulePreset = {
     'memberships_module:app',
     'memberships_module:org',
     'sessions_module',
-    'secrets_module',
-    'encrypted_secrets_module',
+    'user_state_module',
+    'user_secrets_module',
     'emails_module',
     'rls_module',
     'user_auth_module',

packages/node-type-registry/src/module-presets/minimal.ts

@@ -6,7 +6,7 @@ import type { ModulePreset } from './types';
  *
  * This is the barest foundation: a `users` table, a `sessions` table so
  * something upstream can mint tokens, `rls_module` so row-level security
- * is enforceable, and `secrets_module` so you can issue API keys. Nothing
+ * is enforceable, and `user_state_module` so you can issue API keys. Nothing
  * else.
  *
  * You still write your own identity bridge on top (or rely on a header-based
@@ -35,13 +35,13 @@ export const PresetMinimal: ModulePreset = {
     'users_module',
     'sessions_module',
     'rls_module',
-    'secrets_module'
+    'user_state_module'
   ],
   includes_notes: {
     users_module: 'The canonical users table. Required by every preset.',
     sessions_module: 'Session/token storage; needed so whatever upstream auth can mint a session row.',
     rls_module: 'RLS policy infrastructure. Without it, row-level security is not enforced.',
-    secrets_module: 'API-key storage. Optional for this preset but almost always wanted alongside upstream auth.'
+    user_state_module: 'API-key storage. Optional for this preset but almost always wanted alongside upstream auth.'
   },
   omits_notes: {
     user_auth_module: 'No server-side sign_up/sign_in procedures in this preset.',

pgpm/export/__tests__/export-meta.test.ts

@@ -49,7 +49,7 @@ describe('Export Meta Config Validation', () => {
       'permissions_module', 'limits_module', 'levels_module',
       'users_module', 'hierarchy_module', 'membership_types_module',
       'invites_module', 'emails_module', 'sessions_module',
-      'secrets_module', 'profiles_module', 'encrypted_secrets_module',
+      'user_state_module', 'profiles_module', 'user_secrets_module',
       'connected_accounts_module', 'phone_numbers_module',
       'crypto_addresses_module', 'crypto_auth_module',
       'field_module', 'table_module', 'table_template_module',

pgpm/export/__tests__/graphql-naming.test.ts

@@ -63,9 +63,9 @@ describe('getGraphQLQueryName', () => {
     expect(getGraphQLQueryName('users_module')).toBe('usersModules');
     expect(getGraphQLQueryName('hierarchy_module')).toBe('hierarchyModules');
     expect(getGraphQLQueryName('sessions_module')).toBe('sessionsModules');
-    expect(getGraphQLQueryName('secrets_module')).toBe('secretsModules');
+    expect(getGraphQLQueryName('user_state_module')).toBe('userStateModules');
     expect(getGraphQLQueryName('profiles_module')).toBe('profilesModules');
-    expect(getGraphQLQueryName('encrypted_secrets_module')).toBe('encryptedSecretsModules');
+    expect(getGraphQLQueryName('user_secrets_module')).toBe('userSecretsModules');
     expect(getGraphQLQueryName('connected_accounts_module')).toBe('connectedAccountsModules');
     expect(getGraphQLQueryName('phone_numbers_module')).toBe('phoneNumbersModules');
     expect(getGraphQLQueryName('crypto_addresses_module')).toBe('cryptoAddressesModules');

pgpm/export/src/export-graphql-meta.ts

@@ -176,9 +176,9 @@ export const exportGraphQLMeta = async ({
     queryAndParse('invites_module'),
     queryAndParse('emails_module'),
     queryAndParse('sessions_module'),
-    queryAndParse('secrets_module'),
+    queryAndParse('user_state_module'),
     queryAndParse('profiles_module'),
-    queryAndParse('encrypted_secrets_module'),
+    queryAndParse('user_secrets_module'),
     queryAndParse('connected_accounts_module'),
     queryAndParse('phone_numbers_module'),
     queryAndParse('crypto_addresses_module'),

pgpm/export/src/export-meta.ts

@@ -184,9 +184,9 @@ export const exportMeta = async ({ opts, dbname, database_id }: ExportMetaParams
   await queryAndParse('invites_module', `SELECT * FROM metaschema_modules_public.invites_module WHERE database_id = $1 ORDER BY id`);
   await queryAndParse('emails_module', `SELECT * FROM metaschema_modules_public.emails_module WHERE database_id = $1 ORDER BY id`);
   await queryAndParse('sessions_module', `SELECT * FROM metaschema_modules_public.sessions_module WHERE database_id = $1 ORDER BY id`);
-  await queryAndParse('secrets_module', `SELECT * FROM metaschema_modules_public.secrets_module WHERE database_id = $1 ORDER BY id`);
+  await queryAndParse('user_state_module', `SELECT * FROM metaschema_modules_public.user_state_module WHERE database_id = $1 ORDER BY id`);
   await queryAndParse('profiles_module', `SELECT * FROM metaschema_modules_public.profiles_module WHERE database_id = $1 ORDER BY id`);
-  await queryAndParse('encrypted_secrets_module', `SELECT * FROM metaschema_modules_public.encrypted_secrets_module WHERE database_id = $1 ORDER BY id`);
+  await queryAndParse('user_secrets_module', `SELECT * FROM metaschema_modules_public.user_secrets_module WHERE database_id = $1 ORDER BY id`);
   await queryAndParse('connected_accounts_module', `SELECT * FROM metaschema_modules_public.connected_accounts_module WHERE database_id = $1 ORDER BY id`);
   await queryAndParse('phone_numbers_module', `SELECT * FROM metaschema_modules_public.phone_numbers_module WHERE database_id = $1 ORDER BY id`);
   await queryAndParse('crypto_addresses_module', `SELECT * FROM metaschema_modules_public.crypto_addresses_module WHERE database_id = $1 ORDER BY id`);

pgpm/export/src/export-utils.ts

@@ -169,9 +169,9 @@ export const META_TABLE_ORDER = [
   'invites_module',
   'emails_module',
   'sessions_module',
-  'secrets_module',
+  'user_state_module',
   'profiles_module',
-  'encrypted_secrets_module',
+  'user_secrets_module',
   'connected_accounts_module',
   'phone_numbers_module',
   'crypto_addresses_module',
@@ -953,9 +953,9 @@ export const META_TABLE_CONFIG: Record<string, TableConfig> = {
       auth_settings_table: 'text'
     }
   },
-  secrets_module: {
+  user_state_module: {
     schema: 'metaschema_modules_public',
-    table: 'secrets_module',
+    table: 'user_state_module',
     fields: {
       id: 'uuid',
       database_id: 'uuid',
@@ -988,9 +988,9 @@ export const META_TABLE_CONFIG: Record<string, TableConfig> = {
       prefix: 'text'
     }
   },
-  encrypted_secrets_module: {
+  user_secrets_module: {
     schema: 'metaschema_modules_public',
-    table: 'encrypted_secrets_module',
+    table: 'user_secrets_module',
     fields: {
       id: 'uuid',
       database_id: 'uuid',