Merged
Expand Up @@ -6,6 +6,7 @@ exports[`db_meta_modules should have all expected module tables 1`] = `
"agent_module",
"billing_module",
"billing_provider_module",
"certificate_module",
"compute_log_module",
"config_secrets_module",
"config_secrets_org_module",
Expand Down Expand Up @@ -43,6 +44,9 @@ exports[`db_meta_modules should have all expected module tables 1`] = `
"rate_limits_module",
"realtime_module",
"rls_module",
"route_module",
"server_definition_module",
"server_deployment_module",
"session_secrets_module",
"sessions_module",
"storage_log_module",
Expand All @@ -61,8 +65,8 @@ exports[`db_meta_modules should have all expected module tables 1`] = `

exports[`db_meta_modules should verify all module tables exist in metaschema_modules_public schema 1`] = `
{
"moduleTablesCount": 52,
"totalTables": 59,
"moduleTablesCount": 56,
"totalTables": 63,
}
`;

Expand Down Expand Up @@ -129,13 +133,13 @@ exports[`db_meta_modules should verify emails_module table structure 1`] = `

exports[`db_meta_modules should verify module table structures have database_id foreign keys 1`] = `
{
"constraintCount": 325432,
"constraintCount": 325436,
}
`;

exports[`db_meta_modules should verify module tables have proper foreign key relationships 1`] = `
{
"constraintCount": 482213,
"constraintCount": 482239,
"foreignTables": [
"database",
"field",
Expand All @@ -144,6 +148,7 @@ exports[`db_meta_modules should verify module tables have proper foreign key rel
"merkle_store_module",
"namespace_module",
"schema",
"server_definition_module",
"table",
],
}
@@ -0,0 +1,66 @@
-- Deploy schemas/metaschema_modules_public/tables/certificate_module/table to pg

-- requires: schemas/metaschema_modules_public/schema

BEGIN;

CREATE TABLE metaschema_modules_public.certificate_module (
id uuid PRIMARY KEY DEFAULT uuidv7(),
database_id uuid NOT NULL,

-- Schema references (if uuid_nil, resolved from schema name or default)
schema_id uuid NOT NULL DEFAULT uuid_nil(),
private_schema_id uuid NOT NULL DEFAULT uuid_nil(),

-- Optional schema name overrides (used when schema IDs are not provided)
public_schema_name text,
private_schema_name text,

-- Generated table IDs (populated by the generator)
certificates_table_id uuid NOT NULL DEFAULT uuid_nil(),
certificate_domains_table_id uuid NOT NULL DEFAULT uuid_nil(),
certificate_events_table_id uuid NOT NULL DEFAULT uuid_nil(),

-- Table names (input to the generator — bare names without scope prefix).
certificates_table_name text NOT NULL DEFAULT 'certificates',
certificate_domains_table_name text NOT NULL DEFAULT 'certificate_domains',
certificate_events_table_name text NOT NULL DEFAULT 'certificate_events',

-- API routing (get-or-create: if set, schema is added to this API; if NULL, no API is added)
api_name text,
private_api_name text,

-- Scope: determines the security level for this module instance.
scope text NOT NULL DEFAULT 'platform',

-- Table name prefix. Auto-derived from scope by the trigger when empty.
prefix text NOT NULL DEFAULT '',

-- Entity table for RLS
entity_table_id uuid NULL,

-- Configurable security policies (NULL = use defaults based on scope).
policies jsonb NULL,

-- Per-table provisions overrides from blueprint config.
provisions jsonb NULL,

-- Default permissions: permission names auto-granted to new members.
default_permissions text[] DEFAULT NULL,

-- Constraints
CONSTRAINT certificate_module_db_fkey FOREIGN KEY (database_id) REFERENCES metaschema_public.database (id) ON DELETE CASCADE,
CONSTRAINT certificate_module_schema_fkey FOREIGN KEY (schema_id) REFERENCES metaschema_public.schema (id) ON DELETE CASCADE,
CONSTRAINT certificate_module_private_schema_fkey FOREIGN KEY (private_schema_id) REFERENCES metaschema_public.schema (id) ON DELETE CASCADE,
CONSTRAINT certificate_module_certs_table_fkey FOREIGN KEY (certificates_table_id) REFERENCES metaschema_public.table (id) ON DELETE CASCADE,
CONSTRAINT certificate_module_cert_domains_table_fkey FOREIGN KEY (certificate_domains_table_id) REFERENCES metaschema_public.table (id) ON DELETE CASCADE,
CONSTRAINT certificate_module_events_table_fkey FOREIGN KEY (certificate_events_table_id) REFERENCES metaschema_public.table (id) ON DELETE CASCADE,
CONSTRAINT certificate_module_entity_table_fkey FOREIGN KEY (entity_table_id) REFERENCES metaschema_public.table (id) ON DELETE CASCADE
);

CREATE INDEX certificate_module_database_id_idx ON metaschema_modules_public.certificate_module ( database_id );

-- Unique constraint: one certificate module per database per scope per prefix.
CREATE UNIQUE INDEX certificate_module_unique_scope ON metaschema_modules_public.certificate_module ( database_id, scope, prefix );

COMMIT;
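Review bot: `policies jsonb NULL` in `certificate_module` carries no constraint on its shape, although the comment above it says a non-NULL value stands in for the scope-based default security policies. The `server_definition_module` script in this same change documents the value as a JSON array of policy objects, so a column check such as `CHECK (policies IS NULL OR jsonb_typeof(policies) = 'array')` would reject an object or scalar at insert time instead of leaving that to the code that applies the policies, which is not visible here. The column comment should also say whether an empty array is a valid way to end up with no policies at all. The same unconstrained column is declared in `route_module`, `server_definition_module` and `server_deployment_module`.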
@@ -0,0 +1,63 @@
-- Deploy schemas/metaschema_modules_public/tables/route_module/table to pg

-- requires: schemas/metaschema_modules_public/schema

BEGIN;

CREATE TABLE metaschema_modules_public.route_module (
id uuid PRIMARY KEY DEFAULT uuidv7(),
database_id uuid NOT NULL,

-- Schema references (if uuid_nil, resolved from schema name or default)
schema_id uuid NOT NULL DEFAULT uuid_nil(),
private_schema_id uuid NOT NULL DEFAULT uuid_nil(),

-- Optional schema name overrides (used when schema IDs are not provided)
public_schema_name text,
private_schema_name text,

-- Generated table IDs (populated by the generator)
routes_table_id uuid NOT NULL DEFAULT uuid_nil(),
route_events_table_id uuid NOT NULL DEFAULT uuid_nil(),

-- Table names (input to the generator — bare names without scope prefix).
routes_table_name text NOT NULL DEFAULT 'routes',
route_events_table_name text NOT NULL DEFAULT 'route_events',

-- API routing (get-or-create: if set, schema is added to this API; if NULL, no API is added)
api_name text,
private_api_name text,

-- Scope: determines the security level for this module instance.
scope text NOT NULL DEFAULT 'platform',

-- Table name prefix. Auto-derived from scope by the trigger when empty.
prefix text NOT NULL DEFAULT '',

-- Entity table for RLS
entity_table_id uuid NULL,

-- Configurable security policies (NULL = use defaults based on scope).
policies jsonb NULL,

-- Per-table provisions overrides from blueprint config.
provisions jsonb NULL,

-- Default permissions: permission names auto-granted to new members.
default_permissions text[] DEFAULT NULL,

-- Constraints
CONSTRAINT route_module_db_fkey FOREIGN KEY (database_id) REFERENCES metaschema_public.database (id) ON DELETE CASCADE,
CONSTRAINT route_module_schema_fkey FOREIGN KEY (schema_id) REFERENCES metaschema_public.schema (id) ON DELETE CASCADE,
CONSTRAINT route_module_private_schema_fkey FOREIGN KEY (private_schema_id) REFERENCES metaschema_public.schema (id) ON DELETE CASCADE,
CONSTRAINT route_module_routes_table_fkey FOREIGN KEY (routes_table_id) REFERENCES metaschema_public.table (id) ON DELETE CASCADE,
CONSTRAINT route_module_events_table_fkey FOREIGN KEY (route_events_table_id) REFERENCES metaschema_public.table (id) ON DELETE CASCADE,
CONSTRAINT route_module_entity_table_fkey FOREIGN KEY (entity_table_id) REFERENCES metaschema_public.table (id) ON DELETE CASCADE
);

CREATE INDEX route_module_database_id_idx ON metaschema_modules_public.route_module ( database_id );

-- Unique constraint: one route module per database per scope per prefix.
CREATE UNIQUE INDEX route_module_unique_scope ON metaschema_modules_public.route_module ( database_id, scope, prefix );

COMMIT;
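Review bot: `schema_id`, `private_schema_id`, `routes_table_id` and `route_events_table_id` default to `uuid_nil()` while being `NOT NULL` and covered by non-deferrable foreign keys, so an insert that relies on the defaults can only succeed if something rewrites them before the row is stored (or a row with the nil id exists in the referenced tables). The column comments say the ids are resolved or populated by a generator, but neither this script nor the plan entries in this change add a trigger for `route_module`, so that step presumably lives elsewhere. A comment on the block such as `-- uuid_nil() is a placeholder: a BEFORE INSERT trigger must replace it, otherwise the FK check fails` would make the dependency explicit. The other three deploy scripts in this change use the same pattern.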
@@ -0,0 +1,70 @@
-- Deploy schemas/metaschema_modules_public/tables/server_definition_module/table to pg

-- requires: schemas/metaschema_modules_public/schema

BEGIN;

CREATE TABLE metaschema_modules_public.server_definition_module (
id uuid PRIMARY KEY DEFAULT uuidv7(),
database_id uuid NOT NULL,

-- Schema references (if uuid_nil, resolved from schema name or default)
schema_id uuid NOT NULL DEFAULT uuid_nil(),
private_schema_id uuid NOT NULL DEFAULT uuid_nil(),

-- Optional schema name overrides (used when schema IDs are not provided)
public_schema_name text,
private_schema_name text,

-- Generated table IDs (populated by the generator)
definitions_table_id uuid NOT NULL DEFAULT uuid_nil(),

-- Table names (input to the generator — bare names without scope prefix).
-- The trigger prepends the scope prefix automatically.
definitions_table_name text NOT NULL DEFAULT 'server_definitions',

-- API routing (get-or-create: if set, schema is added to this API; if NULL, no API is added)
api_name text,
private_api_name text,

-- Scope: determines the security level for this module instance.
-- Resolved to a membership_type integer at trigger time via membership_types table.
scope text NOT NULL DEFAULT 'platform',

-- Table name prefix. Auto-derived from scope by the trigger when empty.
-- Override to create multiple module instances at the same scope.
prefix text NOT NULL DEFAULT '',

-- Entity table for RLS (NULL for platform-level definitions, entity table for entity-scoped)
entity_table_id uuid NULL,

-- Configurable security policies (NULL = use defaults based on scope).
-- When provided, replaces the default policy set in apply_server_definition_security.
-- Accepts a JSON array of policy objects:
-- {"$type": "AuthzEntityMembership", "privileges": ["select", "update"], "data": {...}}
policies jsonb NULL,

-- Per-table provisions overrides from blueprint config.
-- Keys are table keys (definitions).
-- When a key is present, the module trigger skips default security for that table;
-- secure_table_provision applies the custom grants/policies instead.
provisions jsonb NULL,

-- Default permissions: permission names auto-granted to new members.
-- NULL uses the module's built-in defaults; explicit array overrides them.
default_permissions text[] DEFAULT NULL,

-- Constraints
CONSTRAINT server_definition_module_db_fkey FOREIGN KEY (database_id) REFERENCES metaschema_public.database (id) ON DELETE CASCADE,
CONSTRAINT server_definition_module_schema_fkey FOREIGN KEY (schema_id) REFERENCES metaschema_public.schema (id) ON DELETE CASCADE,
CONSTRAINT server_definition_module_private_schema_fkey FOREIGN KEY (private_schema_id) REFERENCES metaschema_public.schema (id) ON DELETE CASCADE,
CONSTRAINT server_definition_module_definitions_table_fkey FOREIGN KEY (definitions_table_id) REFERENCES metaschema_public.table (id) ON DELETE CASCADE,
CONSTRAINT server_definition_module_entity_table_fkey FOREIGN KEY (entity_table_id) REFERENCES metaschema_public.table (id) ON DELETE CASCADE
);

CREATE INDEX server_definition_module_database_id_idx ON metaschema_modules_public.server_definition_module ( database_id );

-- Unique constraint: one server definition module per database per scope per prefix.
CREATE UNIQUE INDEX server_definition_module_unique_scope ON metaschema_modules_public.server_definition_module ( database_id, scope, prefix );

COMMIT;
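Review bot: `scope text NOT NULL DEFAULT 'platform'` accepts any string, and per its own comment the value selects the security level and is resolved to a membership type only at trigger time. What happens to a misspelled or unsupported scope is therefore decided by a trigger that is outside this script; the table itself will store it. Once the trigger behaviour is confirmed, the column comment should state it, e.g. `-- Unknown scope values are rejected by the trigger; there is no fallback membership type`, or the supported scopes should be enforced with a constraint on the column. `certificate_module`, `route_module` and `server_deployment_module` declare the same column, the last with default `'app'`.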
@@ -0,0 +1,83 @@
-- Deploy schemas/metaschema_modules_public/tables/server_deployment_module/table to pg

-- requires: schemas/metaschema_modules_public/schema
-- requires: schemas/metaschema_modules_public/tables/server_definition_module/table
-- requires: schemas/metaschema_modules_public/tables/namespace_module/table

BEGIN;

CREATE TABLE metaschema_modules_public.server_deployment_module (
id uuid PRIMARY KEY DEFAULT uuidv7(),
database_id uuid NOT NULL,

-- Schema references (if uuid_nil, resolved from schema name or default)
schema_id uuid NOT NULL DEFAULT uuid_nil(),
private_schema_id uuid NOT NULL DEFAULT uuid_nil(),

-- Optional schema name overrides (used when schema IDs are not provided)
public_schema_name text,
private_schema_name text,

-- Generated table IDs (populated by the generator)
deployments_table_id uuid NOT NULL DEFAULT uuid_nil(),
deployment_events_table_id uuid NOT NULL DEFAULT uuid_nil(),

-- Table names (input to the generator — bare names without scope prefix).
-- The trigger prepends the scope prefix automatically.
deployments_table_name text NOT NULL DEFAULT 'server_deployments',
deployment_events_table_name text NOT NULL DEFAULT 'server_deployment_events',

-- API routing (get-or-create: if set, schema is added to this API; if NULL, no API is added)
api_name text,
private_api_name text,

-- Scope: determines the security level for this module instance.
-- Resolved to a membership_type integer at trigger time via membership_types table.
scope text NOT NULL DEFAULT 'app',

-- Table name prefix. Auto-derived from scope by the trigger when empty.
-- Override to create multiple module instances at the same scope.
prefix text NOT NULL DEFAULT '',

-- Entity table for RLS (NULL for app-level deployments, entity table for entity-scoped)
entity_table_id uuid NULL,

-- FK to server_definition_module: which server definitions table deployments reference
server_definition_module_id uuid NULL,

-- FK to namespace_module: which namespaces table deployments reference
namespace_module_id uuid NULL,

-- Configurable security policies (NULL = use defaults based on scope).
-- When provided, replaces the default policy set in apply_server_deployment_security.
-- Accepts a JSON array of policy objects:
-- {"$type": "AuthzEntityMembership", "privileges": ["select", "update"], "data": {...}}
policies jsonb NULL,

-- Per-table provisions overrides from blueprint config.
-- Keys are table keys (deployments, deployment_events).
-- When a key is present, the module trigger skips default security for that table;
-- secure_table_provision applies the custom grants/policies instead.
provisions jsonb NULL,

-- Default permissions: permission names auto-granted to new members.
-- NULL uses the module's built-in defaults; explicit array overrides them.
default_permissions text[] DEFAULT NULL,

-- Constraints
CONSTRAINT server_deployment_module_db_fkey FOREIGN KEY (database_id) REFERENCES metaschema_public.database (id) ON DELETE CASCADE,
CONSTRAINT server_deployment_module_schema_fkey FOREIGN KEY (schema_id) REFERENCES metaschema_public.schema (id) ON DELETE CASCADE,
CONSTRAINT server_deployment_module_private_schema_fkey FOREIGN KEY (private_schema_id) REFERENCES metaschema_public.schema (id) ON DELETE CASCADE,
CONSTRAINT server_deployment_module_deployments_table_fkey FOREIGN KEY (deployments_table_id) REFERENCES metaschema_public.table (id) ON DELETE CASCADE,
CONSTRAINT server_deployment_module_events_table_fkey FOREIGN KEY (deployment_events_table_id) REFERENCES metaschema_public.table (id) ON DELETE CASCADE,
CONSTRAINT server_deployment_module_entity_table_fkey FOREIGN KEY (entity_table_id) REFERENCES metaschema_public.table (id) ON DELETE CASCADE,
CONSTRAINT server_deployment_module_server_def_module_fkey FOREIGN KEY (server_definition_module_id) REFERENCES metaschema_modules_public.server_definition_module (id) ON DELETE SET NULL,
CONSTRAINT server_deployment_module_namespace_module_fkey FOREIGN KEY (namespace_module_id) REFERENCES metaschema_modules_public.namespace_module (id) ON DELETE SET NULL
);

CREATE INDEX server_deployment_module_database_id_idx ON metaschema_modules_public.server_deployment_module ( database_id );

-- Unique constraint: one server deployment module per database per scope per prefix.
CREATE UNIQUE INDEX server_deployment_module_unique_scope ON metaschema_modules_public.server_deployment_module ( database_id, scope, prefix );

COMMIT;
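Review bot: `server_deployment_module_server_def_module_fkey` and `server_deployment_module_namespace_module_fkey` reference only `(id)`, so nothing in this table stops a row from pointing at a `server_definition_module` or `namespace_module` row that belongs to a different `database_id`. If `database_id` is the isolation boundary for module configuration, as the per-database unique index suggests, the link should be tied to the same database, either with a composite foreign key on `(database_id, server_definition_module_id)` backed by a unique key on the referenced table, or with a check in the module trigger. At minimum the two column comments should say `-- must reference a module row with the same database_id`.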
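--- a/packages/metaschema-modules/pgpm.plan
+++ b/packages/metaschema-modules/pgpm.plan
@@ -70,3 +70,7 @@ schemas/metaschema_modules_public/tables/i18n_module/table [schemas/metaschema_m
 schemas/metaschema_modules_public/tables/function_deployment_module/table [schemas/metaschema_modules_public/schema schemas/metaschema_modules_public/tables/function_module/table schemas/metaschema_modules_public/tables/namespace_module/table] 2026-06-11T06:00:00Z devin <devin@cognition.ai> # add function_deployment_module config table for function-to-namespace deployment binding
 schemas/metaschema_modules_public/tables/function_module/constraints/one_platform_database [schemas/metaschema_modules_public/tables/function_module/table] 2026-06-11T08:00:00Z devin <devin@cognition.ai> # enforce at most one platform-scope function_module (unambiguous resolveDatabaseId)
 schemas/metaschema_modules_public/tables/principal_auth_module/table [schemas/metaschema_modules_public/schema] 2026-06-24T11:15:00Z devin <devin@cognition.ai> # add principal_auth_module config table for scoped API keys and agent principals
+schemas/metaschema_modules_public/tables/server_definition_module/table [schemas/metaschema_modules_public/schema] 2026-06-30T00:00:00Z devin <devin@cognition.ai> # add server_definition_module config table for persistent server definitions (GraphQL, agentic, WebSocket, etc.)
+schemas/metaschema_modules_public/tables/server_deployment_module/table [schemas/metaschema_modules_public/schema schemas/metaschema_modules_public/tables/server_definition_module/table schemas/metaschema_modules_public/tables/namespace_module/table] 2026-06-30T00:00:01Z devin <devin@cognition.ai> # add server_deployment_module config table for server-to-namespace deployment binding
+schemas/metaschema_modules_public/tables/route_module/table [schemas/metaschema_modules_public/schema] 2026-06-30T00:00:02Z devin <devin@cognition.ai> # add route_module config table for gateway route rules (domain+path to backend target)
+schemas/metaschema_modules_public/tables/certificate_module/table [schemas/metaschema_modules_public/schema] 2026-06-30T00:00:03Z devin <devin@cognition.ai> # add certificate_module config table for TLS certificate lifecycle management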
@@ -0,0 +1,7 @@
-- Revert schemas/metaschema_modules_public/tables/certificate_module/table from pg

BEGIN;

DROP TABLE IF EXISTS metaschema_modules_public.certificate_module;

COMMIT;
@@ -0,0 +1,7 @@
-- Revert schemas/metaschema_modules_public/tables/route_module/table from pg

BEGIN;

DROP TABLE IF EXISTS metaschema_modules_public.route_module;

COMMIT;
@@ -0,0 +1,7 @@
-- Revert schemas/metaschema_modules_public/tables/server_definition_module/table from pg

BEGIN;

DROP TABLE IF EXISTS metaschema_modules_public.server_definition_module;

COMMIT;
@@ -0,0 +1,7 @@
-- Revert schemas/metaschema_modules_public/tables/server_deployment_module/table from pg

BEGIN;

DROP TABLE IF EXISTS metaschema_modules_public.server_deployment_module;

COMMIT;