Sync with constructive-db

packages/metaschema-modules/__tests__/__snapshots__/modules.test.ts.snap

@@ -37,6 +37,7 @@ exports[`db_meta_modules should have all expected module tables 1`] = `
     "permissions_module",
     "phone_numbers_module",
     "plans_module",
+    "principal_auth_module",
     "profiles_module",
     "rate_limit_meters_module",
     "rate_limits_module",
@@ -60,8 +61,8 @@ exports[`db_meta_modules should have all expected module tables 1`] = `
 
 exports[`db_meta_modules should verify all module tables exist in metaschema_modules_public schema 1`] = `
 {
-  "moduleTablesCount": 51,
-  "totalTables": 58,
+  "moduleTablesCount": 52,
+  "totalTables": 59,
 }
 `;
 
@@ -128,13 +129,13 @@ exports[`db_meta_modules should verify emails_module table structure 1`] = `
 
 exports[`db_meta_modules should verify module table structures have database_id foreign keys 1`] = `
 {
-  "constraintCount": 310683,
+  "constraintCount": 325432,
 }
 `;
 
 exports[`db_meta_modules should verify module tables have proper foreign key relationships 1`] = `
 {
-  "constraintCount": 459911,
+  "constraintCount": 482213,
   "foreignTables": [
     "database",
     "field",

packages/metaschema-modules/__tests__/modules.test.ts

@@ -1,4 +1,4 @@
-import { getConnections, PgTestClient, snapshot } from 'pgsql-test';
+import { getConnections, PgTestClient, snapshot } from 'constructive-test';
 
 let pg: PgTestClient;
 let teardown: () => Promise<void>;
@@ -171,7 +171,7 @@ describe('db_meta_modules', () => {
     }
 
     expect(snapshot({ constraintCount: constraints.length })).toMatchSnapshot();
-  }, 60000);
+  });
 
   it('should verify all module tables exist in metaschema_modules_public schema', async () => {
     const tables = await pg.any(`
@@ -222,7 +222,7 @@ describe('db_meta_modules', () => {
       constraintCount: fkConstraints.length,
       foreignTables: foreignTables.sort()
     })).toMatchSnapshot();
-  }, 60000);
+  }, 30000);
 
   it('should verify specific module table column defaults', async () => {
     // Check that modules have sensible defaults

packages/metaschema-modules/deploy/schemas/metaschema_modules_public/tables/principal_auth_module/table.sql

@@ -0,0 +1,58 @@
+-- Deploy schemas/metaschema_modules_public/tables/principal_auth_module/table to pg
+
+-- requires: schemas/metaschema_modules_public/schema
+
+BEGIN;
+
+CREATE TABLE metaschema_modules_public.principal_auth_module (
+    id uuid PRIMARY KEY DEFAULT uuidv7(),
+    database_id uuid NOT NULL,
+
+    schema_id uuid NOT NULL DEFAULT uuid_nil(),
+    principals_table_id uuid NOT NULL DEFAULT uuid_nil(),
+    principal_entities_table_id uuid NOT NULL DEFAULT uuid_nil(),
+    principal_scope_overrides_table_id uuid NOT NULL DEFAULT uuid_nil(),
+    users_table_id uuid NOT NULL DEFAULT uuid_nil(),
+    sessions_table_id uuid NOT NULL DEFAULT uuid_nil(),
+    session_credentials_table_id uuid NOT NULL DEFAULT uuid_nil(),
+    audits_table_id uuid NOT NULL DEFAULT uuid_nil(),
+
+    principals_table_name text NOT NULL DEFAULT 'principals',
+    create_principal_function text NOT NULL DEFAULT 'create_principal',
+    delete_principal_function text NOT NULL DEFAULT 'delete_principal',
+
+    -- Org principal function names (generated when org memberships exist)
+    create_org_principal_function text NOT NULL DEFAULT 'create_org_principal',
+    delete_org_principal_function text NOT NULL DEFAULT 'delete_org_principal',
+
+    -- Org API key function names (generated when org memberships exist)
+    create_org_api_key_function text NOT NULL DEFAULT 'create_org_api_key',
+    revoke_org_api_key_function text NOT NULL DEFAULT 'revoke_org_api_key',
+
+    api_name text DEFAULT 'auth',
+
+    CONSTRAINT db_fkey FOREIGN KEY (database_id) REFERENCES metaschema_public.database (id) ON DELETE CASCADE,
+    CONSTRAINT schema_fkey FOREIGN KEY (schema_id) REFERENCES metaschema_public.schema (id) ON DELETE CASCADE,
+    CONSTRAINT principals_table_fkey FOREIGN KEY (principals_table_id) REFERENCES metaschema_public.table (id) ON DELETE CASCADE,
+    CONSTRAINT principal_entities_table_fkey FOREIGN KEY (principal_entities_table_id) REFERENCES metaschema_public.table (id) ON DELETE CASCADE,
+    CONSTRAINT users_table_fkey FOREIGN KEY (users_table_id) REFERENCES metaschema_public.table (id) ON DELETE CASCADE,
+    CONSTRAINT sessions_table_fkey FOREIGN KEY (sessions_table_id) REFERENCES metaschema_public.table (id) ON DELETE CASCADE,
+    CONSTRAINT session_credentials_table_fkey FOREIGN KEY (session_credentials_table_id) REFERENCES metaschema_public.table (id) ON DELETE CASCADE
+);
+
+CREATE INDEX principal_auth_module_database_id_idx ON metaschema_modules_public.principal_auth_module ( database_id );
+
+COMMENT ON CONSTRAINT principals_table_fkey
+     ON metaschema_modules_public.principal_auth_module IS E'@omit';
+COMMENT ON CONSTRAINT users_table_fkey
+     ON metaschema_modules_public.principal_auth_module IS E'@omit';
+COMMENT ON CONSTRAINT sessions_table_fkey
+     ON metaschema_modules_public.principal_auth_module IS E'@omit';
+COMMENT ON CONSTRAINT session_credentials_table_fkey
+     ON metaschema_modules_public.principal_auth_module IS E'@omit';
+COMMENT ON CONSTRAINT principal_entities_table_fkey
+     ON metaschema_modules_public.principal_auth_module IS E'@omit';
+
+COMMENT ON TABLE metaschema_modules_public.principal_auth_module IS 'Provisions the principals subsystem: a principals table, a principal_entities junction table, create/delete mutations, and org API key management. Supports both human-owned principals (AuthzDirectOwner, AuthzHumanOnly) and org-owned principals (AuthzEntityMembership with is_admin). Org principal and org API key functions are only generated when an org-scoped memberships_module exists for the database.';
+
+COMMIT;

packages/metaschema-modules/jest.config.js

@@ -3,6 +3,7 @@ module.exports = {
   forceExit: true,
   preset: 'ts-jest',
   testEnvironment: 'node',
+  testTimeout: 30000,
 
   // Match both __tests__ and colocated test files
   testMatch: ['**/?(*.)+(test|spec).{ts,tsx,js,jsx}'],

packages/metaschema-modules/package.json

@@ -25,6 +25,7 @@
     "@pgpm/verify": "workspace:*"
   },
   "devDependencies": {
+    "constructive-test": "^0.4.1",
     "pgpm": "^4.28.7"
   },
   "repository": {

packages/metaschema-modules/pgpm.plan

@@ -69,3 +69,4 @@ schemas/metaschema_modules_public/tables/user_settings_module/table [schemas/met
 schemas/metaschema_modules_public/tables/i18n_module/table [schemas/metaschema_modules_public/schema] 2026-05-28T00:00:00Z devin <devin@cognition.ai> # add i18n_module config table for internationalization settings
 schemas/metaschema_modules_public/tables/function_deployment_module/table [schemas/metaschema_modules_public/schema schemas/metaschema_modules_public/tables/function_module/table schemas/metaschema_modules_public/tables/namespace_module/table] 2026-06-11T06:00:00Z devin <devin@cognition.ai> # add function_deployment_module config table for function-to-namespace deployment binding
 schemas/metaschema_modules_public/tables/function_module/constraints/one_platform_database [schemas/metaschema_modules_public/tables/function_module/table] 2026-06-11T08:00:00Z devin <devin@cognition.ai> # enforce at most one platform-scope function_module (unambiguous resolveDatabaseId)
+schemas/metaschema_modules_public/tables/principal_auth_module/table [schemas/metaschema_modules_public/schema] 2026-06-24T11:15:00Z devin <devin@cognition.ai> # add principal_auth_module config table for scoped API keys and agent principals

packages/metaschema-modules/revert/schemas/metaschema_modules_public/tables/agent_chat_module/table.sql

@@ -0,0 +1,3 @@
+-- Revert schemas/metaschema_modules_public/tables/agent_module/table from pg
+
+DROP TABLE IF EXISTS metaschema_modules_public.agent_module;

packages/metaschema-modules/revert/schemas/metaschema_modules_public/tables/principal_auth_module/table.sql

@@ -0,0 +1,7 @@
+-- Revert schemas/metaschema_modules_public/tables/principal_auth_module/table from pg
+
+BEGIN;
+
+DROP TABLE metaschema_modules_public.principal_auth_module;
+
+COMMIT;

packages/metaschema-modules/sql/metaschema-modules--0.15.5.sql

@@ -3403,4 +3403,67 @@ CREATE TABLE metaschema_modules_public.function_deployment_module (
 
 CREATE INDEX function_deployment_module_database_id_idx ON metaschema_modules_public.function_deployment_module (database_id);
 
-CREATE UNIQUE INDEX function_deployment_module_unique_scope ON metaschema_modules_public.function_deployment_module (database_id, scope, prefix);
+CREATE UNIQUE INDEX function_deployment_module_unique_scope ON metaschema_modules_public.function_deployment_module (database_id, scope, prefix);
+
+CREATE TABLE metaschema_modules_public.principal_auth_module (
+  id uuid PRIMARY KEY DEFAULT uuidv7(),
+  database_id uuid NOT NULL,
+  schema_id uuid NOT NULL DEFAULT uuid_nil(),
+  principals_table_id uuid NOT NULL DEFAULT uuid_nil(),
+  principal_entities_table_id uuid NOT NULL DEFAULT uuid_nil(),
+  principal_scope_overrides_table_id uuid NOT NULL DEFAULT uuid_nil(),
+  users_table_id uuid NOT NULL DEFAULT uuid_nil(),
+  sessions_table_id uuid NOT NULL DEFAULT uuid_nil(),
+  session_credentials_table_id uuid NOT NULL DEFAULT uuid_nil(),
+  audits_table_id uuid NOT NULL DEFAULT uuid_nil(),
+  principals_table_name text NOT NULL DEFAULT 'principals',
+  create_principal_function text NOT NULL DEFAULT 'create_principal',
+  delete_principal_function text NOT NULL DEFAULT 'delete_principal',
+  create_org_principal_function text NOT NULL DEFAULT 'create_org_principal',
+  delete_org_principal_function text NOT NULL DEFAULT 'delete_org_principal',
+  create_org_api_key_function text NOT NULL DEFAULT 'create_org_api_key',
+  revoke_org_api_key_function text NOT NULL DEFAULT 'revoke_org_api_key',
+  api_name text DEFAULT 'auth',
+  CONSTRAINT db_fkey
+    FOREIGN KEY(database_id)
+    REFERENCES metaschema_public.database (id)
+    ON DELETE CASCADE,
+  CONSTRAINT schema_fkey
+    FOREIGN KEY(schema_id)
+    REFERENCES metaschema_public.schema (id)
+    ON DELETE CASCADE,
+  CONSTRAINT principals_table_fkey
+    FOREIGN KEY(principals_table_id)
+    REFERENCES metaschema_public."table" (id)
+    ON DELETE CASCADE,
+  CONSTRAINT principal_entities_table_fkey
+    FOREIGN KEY(principal_entities_table_id)
+    REFERENCES metaschema_public."table" (id)
+    ON DELETE CASCADE,
+  CONSTRAINT users_table_fkey
+    FOREIGN KEY(users_table_id)
+    REFERENCES metaschema_public."table" (id)
+    ON DELETE CASCADE,
+  CONSTRAINT sessions_table_fkey
+    FOREIGN KEY(sessions_table_id)
+    REFERENCES metaschema_public."table" (id)
+    ON DELETE CASCADE,
+  CONSTRAINT session_credentials_table_fkey
+    FOREIGN KEY(session_credentials_table_id)
+    REFERENCES metaschema_public."table" (id)
+    ON DELETE CASCADE
+);
+
+CREATE INDEX principal_auth_module_database_id_idx ON metaschema_modules_public.principal_auth_module (database_id);
+
+COMMENT ON CONSTRAINT principals_table_fkey ON metaschema_modules_public.principal_auth_module IS '@omit';
+
+COMMENT ON CONSTRAINT users_table_fkey ON metaschema_modules_public.principal_auth_module IS '@omit';
+
+COMMENT ON CONSTRAINT sessions_table_fkey ON metaschema_modules_public.principal_auth_module IS '@omit';
+
+COMMENT ON CONSTRAINT session_credentials_table_fkey ON metaschema_modules_public.principal_auth_module IS '@omit';
+
+COMMENT ON CONSTRAINT principal_entities_table_fkey ON metaschema_modules_public.principal_auth_module IS '@omit';
+
+COMMENT ON TABLE metaschema_modules_public.principal_auth_module IS 'Provisions the principals subsystem: a principals table, a principal_entities junction table, create/delete mutations, and org API key management. Supports both human-owned principals (AuthzDirectOwner, AuthzHumanOnly) and org-owned principals (AuthzEntityMembership with is_admin). Org principal and org API key functions are only generated when an org-scoped memberships_module exists for the database.';

packages/metaschema-modules/verify/schemas/metaschema_modules_public/tables/agent_chat_module/table.sql

@@ -0,0 +1,20 @@
+-- Verify schemas/metaschema_modules_public/tables/agent_module/table on pg
+
+BEGIN;
+
+SELECT
+  id,
+  database_id,
+  schema_id,
+  private_schema_id,
+  thread_table_id,
+  thread_table_name,
+  message_table_id,
+  message_table_name,
+  task_table_id,
+  task_table_name,
+  prefix
+FROM metaschema_modules_public.agent_module
+WHERE FALSE;
+
+ROLLBACK;

packages/metaschema-modules/verify/schemas/metaschema_modules_public/tables/agent_module/table.sql

@@ -1,7 +1,5 @@
 -- Verify schemas/metaschema_modules_public/tables/agent_module/table on pg
 
-BEGIN;
-
-SELECT verify_table ('metaschema_modules_public.agent_module');
-
-ROLLBACK;
+SELECT id, database_id
+FROM metaschema_modules_public.agent_module
+WHERE FALSE;

packages/metaschema-modules/verify/schemas/metaschema_modules_public/tables/compute_log_module/table.sql

@@ -3,7 +3,8 @@
 SELECT id, database_id, schema_id, private_schema_id,
        compute_log_table_id, compute_log_table_name,
        usage_daily_table_id, usage_daily_table_name,
-       retention, scope, actor_fk_table_id, entity_fk_table_id,
+       retention, premake,
+       actor_fk_table_id, entity_fk_table_id,
        prefix
 FROM metaschema_modules_public.compute_log_module
 WHERE FALSE;

packages/metaschema-modules/verify/schemas/metaschema_modules_public/tables/config_secrets_org_module/table.sql

@@ -1,7 +1,5 @@
 -- Verify schemas/metaschema_modules_public/tables/config_secrets_org_module/table on pg
 
-BEGIN;
-
-SELECT verify_table ('metaschema_modules_public.config_secrets_org_module');
-
-ROLLBACK;
+SELECT id, database_id
+FROM metaschema_modules_public.config_secrets_org_module
+WHERE FALSE;

packages/metaschema-modules/verify/schemas/metaschema_modules_public/tables/db_usage_module/table.sql

@@ -1,10 +1,7 @@
 -- Verify schemas/metaschema_modules_public/tables/db_usage_module/table on pg
 
 SELECT id, database_id, schema_id, private_schema_id,
-       table_stats_log_table_id, table_stats_log_table_name,
-       table_stats_daily_table_id, table_stats_daily_table_name,
-       query_stats_log_table_id, query_stats_log_table_name,
-       query_stats_daily_table_id, query_stats_daily_table_name,
-       retention, scope, prefix
+       retention, premake,
+       prefix
 FROM metaschema_modules_public.db_usage_module
 WHERE FALSE;

packages/metaschema-modules/verify/schemas/metaschema_modules_public/tables/entity_type_provision/table.sql

@@ -1,7 +1,5 @@
 -- Verify schemas/metaschema_modules_public/tables/entity_type_provision/table on pg
 
-BEGIN;
-
-SELECT verify_table ('metaschema_modules_public.entity_type_provision');
-
-ROLLBACK;
+SELECT id, database_id
+FROM metaschema_modules_public.entity_type_provision
+WHERE FALSE;

packages/metaschema-modules/verify/schemas/metaschema_modules_public/tables/function_invocation_module/table.sql

@@ -2,6 +2,14 @@
 
 BEGIN;
 
-SELECT verify_table ('metaschema_modules_public.function_invocation_module');
+SELECT id, database_id, schema_id, private_schema_id,
+       public_schema_name, private_schema_name,
+       invocations_table_id, execution_logs_table_id,
+       invocations_table_name, execution_logs_table_name,
+       api_name, private_api_name,
+       scope, prefix, entity_table_id,
+       policies, provisions, default_permissions
+FROM metaschema_modules_public.function_invocation_module
+WHERE false;
 
 ROLLBACK;

packages/metaschema-modules/verify/schemas/metaschema_modules_public/tables/graph_module/table.sql

@@ -1,7 +1,5 @@
 -- Verify schemas/metaschema_modules_public/tables/graph_module/table on pg
 
-BEGIN;
-
-SELECT verify_table ('metaschema_modules_public.graph_module');
-
-ROLLBACK;
+SELECT id, database_id
+FROM metaschema_modules_public.graph_module
+WHERE FALSE;

packages/metaschema-modules/verify/schemas/metaschema_modules_public/tables/inference_log_module/table.sql

@@ -11,8 +11,9 @@ SELECT
   inference_log_table_name,
   usage_daily_table_id,
   usage_daily_table_name,
+  "interval",
   retention,
-  scope,
+  premake,
   actor_fk_table_id,
   entity_fk_table_id,
   prefix

packages/metaschema-modules/verify/schemas/metaschema_modules_public/tables/merkle_store_module/table.sql

@@ -1,7 +1,5 @@
 -- Verify schemas/metaschema_modules_public/tables/merkle_store_module/table on pg
 
-BEGIN;
-
-SELECT verify_table ('metaschema_modules_public.merkle_store_module');
-
-ROLLBACK;
+SELECT id, database_id
+FROM metaschema_modules_public.merkle_store_module
+WHERE FALSE;

packages/metaschema-modules/verify/schemas/metaschema_modules_public/tables/namespace_module/table.sql

@@ -3,11 +3,9 @@
 BEGIN;
 
 SELECT id, database_id, schema_id, private_schema_id,
-       public_schema_name, private_schema_name,
        namespaces_table_id, namespace_events_table_id,
        namespaces_table_name, namespace_events_table_name,
-       api_name, private_api_name, scope, prefix,
-       entity_table_id, policies, provisions, default_permissions
+       entity_table_id, policies
 FROM metaschema_modules_public.namespace_module
 WHERE false;
 

packages/metaschema-modules/verify/schemas/metaschema_modules_public/tables/principal_auth_module/table.sql

@@ -0,0 +1,14 @@
+-- Verify schemas/metaschema_modules_public/tables/principal_auth_module/table on pg
+
+BEGIN;
+
+SELECT id, database_id, schema_id, principals_table_id,
+       principal_entities_table_id,
+       users_table_id, sessions_table_id, session_credentials_table_id,
+       audits_table_id, principals_table_name,
+       create_principal_function, delete_principal_function,
+       api_name
+  FROM metaschema_modules_public.principal_auth_module
+ WHERE FALSE;
+
+ROLLBACK;

packages/metaschema-modules/verify/schemas/metaschema_modules_public/tables/profiles_module/table.sql

@@ -6,7 +6,6 @@ SELECT id, database_id, schema_id, private_schema_id, table_id, table_name,
        profile_permissions_table_id, profile_permissions_table_name,
        profile_grants_table_id, profile_grants_table_name,
        profile_definition_grants_table_id, profile_definition_grants_table_name,
-       profile_templates_table_id, profile_templates_table_name,
        entity_table_id, actor_table_id,
        permissions_table_id, memberships_table_id, prefix
 FROM metaschema_modules_public.profiles_module

packages/metaschema-modules/verify/schemas/metaschema_modules_public/tables/relation_provision/table.sql

@@ -18,9 +18,6 @@ SELECT
     source_field_name,
     target_field_name,
     use_composite_key,
-    create_index,
-    expose_in_api,
-    nodes,
     grants,
     policies,
     out_field_id,