feat: upstream pgpm-modules from constructive-db

packages/achievements/jest.config.js

@@ -1,5 +1,6 @@
 /** @type {import('ts-jest').JestConfigWithTsJest} */
 module.exports = {
+  forceExit: true,
   preset: 'ts-jest',
   testEnvironment: 'node',
   maxWorkers: 1,

packages/base32/jest.config.js

@@ -1,5 +1,6 @@
 /** @type {import('ts-jest').JestConfigWithTsJest} */
 module.exports = {
+  forceExit: true,
   preset: 'ts-jest',
   testEnvironment: 'node',
 

packages/database-jobs/jest.config.js

@@ -1,5 +1,6 @@
 /** @type {import('ts-jest').JestConfigWithTsJest} */
 module.exports = {
+  forceExit: true,
   preset: 'ts-jest',
   testEnvironment: 'node',
 

packages/defaults/jest.config.js

@@ -1,5 +1,6 @@
 /** @type {import('ts-jest').JestConfigWithTsJest} */
 module.exports = {
+  forceExit: true,
   preset: 'ts-jest',
   testEnvironment: 'node',
 

packages/encrypted-secrets-table/jest.config.js

@@ -1,5 +1,6 @@
 /** @type {import('ts-jest').JestConfigWithTsJest} */
 module.exports = {
+  forceExit: true,
   preset: 'ts-jest',
   testEnvironment: 'node',
 

packages/encrypted-secrets/jest.config.js

@@ -1,5 +1,6 @@
 /** @type {import('ts-jest').JestConfigWithTsJest} */
 module.exports = {
+  forceExit: true,
   preset: 'ts-jest',
   testEnvironment: 'node',
 

packages/faker/jest.config.js

@@ -1,5 +1,6 @@
 /** @type {import('ts-jest').JestConfigWithTsJest} */
 module.exports = {
+  forceExit: true,
   preset: 'ts-jest',
   testEnvironment: 'node',
 

packages/geotypes/jest.config.js

@@ -1,5 +1,6 @@
 /** @type {import('ts-jest').JestConfigWithTsJest} */
 module.exports = {
+  forceExit: true,
   preset: 'ts-jest',
   testEnvironment: 'node',
 

packages/inflection/jest.config.js

@@ -1,5 +1,6 @@
 /** @type {import('ts-jest').JestConfigWithTsJest} */
 module.exports = {
+  forceExit: true,
   preset: 'ts-jest',
   testEnvironment: 'node',
 

packages/jobs/jest.config.js

@@ -1,5 +1,6 @@
 /** @type {import('ts-jest').JestConfigWithTsJest} */
 module.exports = {
+  forceExit: true,
   preset: 'ts-jest',
   testEnvironment: 'node',
 

packages/jwt-claims/jest.config.js

@@ -1,5 +1,6 @@
 /** @type {import('ts-jest').JestConfigWithTsJest} */
 module.exports = {
+  forceExit: true,
   preset: 'ts-jest',
   testEnvironment: 'node',
 

packages/measurements/jest.config.js

@@ -1,5 +1,6 @@
 /** @type {import('ts-jest').JestConfigWithTsJest} */
 module.exports = {
+  forceExit: true,
   preset: 'ts-jest',
   testEnvironment: 'node',
 

packages/metaschema-modules/README.md

@@ -95,7 +95,7 @@ The package provides metadata tables for the following modules:
 - **permissions_module**: Permission system configuration
 - **memberships_module**: Membership management settings
 - **membership_types_module**: Membership type definitions
-- **levels_module**: User level configurations
+- **events_module**: User level configurations
 
 ### Security
 - **encrypted_secrets_module**: Encrypted secrets configuration

packages/metaschema-modules/__tests__/__snapshots__/modules.test.ts.snap

@@ -5,17 +5,19 @@ exports[`db_meta_modules should have all expected module tables 1`] = `
   "moduleNames": [
     "billing_module",
     "billing_provider_module",
+    "config_secrets_org_module",
+    "config_secrets_user_module",
     "connected_accounts_module",
     "crypto_addresses_module",
     "crypto_auth_module",
     "default_ids_module",
     "devices_module",
     "emails_module",
-    "encrypted_secrets_module",
+    "events_module",
     "hierarchy_module",
     "identity_providers_module",
+    "inference_log_module",
     "invites_module",
-    "levels_module",
     "limits_module",
     "membership_types_module",
     "memberships_module",
@@ -24,14 +26,15 @@ exports[`db_meta_modules should have all expected module tables 1`] = `
     "phone_numbers_module",
     "plans_module",
     "profiles_module",
+    "rate_limit_meters_module",
     "rate_limits_module",
     "realtime_module",
     "rls_module",
-    "secrets_module",
     "session_secrets_module",
     "sessions_module",
     "storage_module",
     "user_auth_module",
+    "user_state_module",
     "users_module",
     "webauthn_auth_module",
     "webauthn_credentials_module",
@@ -41,8 +44,8 @@ exports[`db_meta_modules should have all expected module tables 1`] = `
 
 exports[`db_meta_modules should verify all module tables exist in metaschema_modules_public schema 1`] = `
 {
-  "moduleTablesCount": 32,
-  "totalTables": 39,
+  "moduleTablesCount": 35,
+  "totalTables": 42,
 }
 `;
 
@@ -97,13 +100,13 @@ exports[`db_meta_modules should verify emails_module table structure 1`] = `
 
 exports[`db_meta_modules should verify module table structures have database_id foreign keys 1`] = `
 {
-  "constraintCount": 165888,
+  "constraintCount": 196875,
 }
 `;
 
 exports[`db_meta_modules should verify module tables have proper foreign key relationships 1`] = `
 {
-  "constraintCount": 238227,
+  "constraintCount": 286927,
   "foreignTables": [
     "database",
     "field",

packages/metaschema-modules/deploy/schemas/metaschema_modules_public/tables/billing_module/table.sql

@@ -27,6 +27,10 @@ CREATE TABLE metaschema_modules_public.billing_module (
   balances_table_id uuid NOT NULL DEFAULT uuid_nil(),
   balances_table_name text NOT NULL DEFAULT '',
 
+  -- Meter credits table: append-only credit grants for billing meters
+  meter_credits_table_id uuid NOT NULL DEFAULT uuid_nil(),
+  meter_credits_table_name text NOT NULL DEFAULT '',
+
   -- Generated functions
   record_usage_function text NOT NULL DEFAULT '',
 
@@ -39,6 +43,7 @@ CREATE TABLE metaschema_modules_public.billing_module (
   CONSTRAINT plan_subscriptions_table_fkey FOREIGN KEY (plan_subscriptions_table_id) REFERENCES metaschema_public.table (id) ON DELETE CASCADE,
   CONSTRAINT ledger_table_fkey FOREIGN KEY (ledger_table_id) REFERENCES metaschema_public.table (id) ON DELETE CASCADE,
   CONSTRAINT balances_table_fkey FOREIGN KEY (balances_table_id) REFERENCES metaschema_public.table (id) ON DELETE CASCADE,
+  CONSTRAINT meter_credits_table_fkey FOREIGN KEY (meter_credits_table_id) REFERENCES metaschema_public.table (id) ON DELETE CASCADE,
   CONSTRAINT billing_module_database_id_unique UNIQUE (database_id)
 );
 

packages/metaschema-modules/deploy/schemas/metaschema_modules_public/tables/config_secrets_org_module/table.sql

@@ -0,0 +1,28 @@
+-- Deploy schemas/metaschema_modules_public/tables/config_secrets_org_module/table to pg
+
+-- requires: schemas/metaschema_modules_public/schema
+
+BEGIN;
+
+CREATE TABLE metaschema_modules_public.config_secrets_org_module (
+    id uuid PRIMARY KEY DEFAULT uuidv7(),
+    database_id uuid NOT NULL,
+
+    --
+    schema_id uuid NOT NULL DEFAULT uuid_nil(),
+    table_id uuid NOT NULL DEFAULT uuid_nil(),
+    table_name text NOT NULL DEFAULT 'org_secrets',
+    --
+
+    CONSTRAINT db_fkey FOREIGN KEY (database_id) REFERENCES metaschema_public.database (id) ON DELETE CASCADE,
+    CONSTRAINT schema_fkey FOREIGN KEY (schema_id) REFERENCES metaschema_public.schema (id) ON DELETE CASCADE,
+    CONSTRAINT table_fkey FOREIGN KEY (table_id) REFERENCES metaschema_public.table (id) ON DELETE CASCADE
+);
+
+CREATE INDEX config_secrets_org_module_database_id_idx ON metaschema_modules_public.config_secrets_org_module ( database_id );
+CREATE INDEX config_secrets_org_module_schema_id_idx ON metaschema_modules_public.config_secrets_org_module ( schema_id );
+CREATE INDEX config_secrets_org_module_table_id_idx ON metaschema_modules_public.config_secrets_org_module ( table_id );
+
+COMMENT ON TABLE metaschema_modules_public.config_secrets_org_module IS 'Config row for the config_secrets_org_module, which provisions an organization-scoped encrypted key-value secrets store with manage_secrets permission and entity-membership RLS.';
+
+COMMIT;

packages/metaschema-modules/deploy/schemas/metaschema_modules_public/tables/encrypted_secrets_module/table.sql → packages/metaschema-modules/deploy/schemas/metaschema_modules_public/tables/config_secrets_user_module/table.sql

@@ -1,24 +1,24 @@
--- Deploy schemas/metaschema_modules_public/tables/encrypted_secrets_module/table to pg
+-- Deploy schemas/metaschema_modules_public/tables/config_secrets_user_module/table to pg
 
 -- requires: schemas/metaschema_modules_public/schema
 
 BEGIN;
 
-CREATE TABLE metaschema_modules_public.encrypted_secrets_module (
+CREATE TABLE metaschema_modules_public.config_secrets_user_module (
     id uuid PRIMARY KEY DEFAULT uuidv7(),
     database_id uuid NOT NULL,
 
     --
     schema_id uuid NOT NULL DEFAULT uuid_nil(),
     table_id uuid NOT NULL DEFAULT uuid_nil(),
-    table_name text NOT NULL DEFAULT 'encrypted_secrets',
+    table_name text NOT NULL DEFAULT 'user_secrets',
     -- 
 
     CONSTRAINT db_fkey FOREIGN KEY (database_id) REFERENCES metaschema_public.database (id) ON DELETE CASCADE,
     CONSTRAINT schema_fkey FOREIGN KEY (schema_id) REFERENCES metaschema_public.schema (id) ON DELETE CASCADE,
     CONSTRAINT table_fkey FOREIGN KEY (table_id) REFERENCES metaschema_public.table (id) ON DELETE CASCADE
 );
 
-CREATE INDEX encrypted_secrets_module_database_id_idx ON metaschema_modules_public.encrypted_secrets_module ( database_id );
+CREATE INDEX config_secrets_user_module_database_id_idx ON metaschema_modules_public.config_secrets_user_module ( database_id );
 
 COMMIT;

packages/metaschema-modules/deploy/schemas/metaschema_modules_public/tables/entity_type_provision/table.sql

@@ -51,9 +51,13 @@ CREATE TABLE metaschema_modules_public.entity_type_provision (
 
     has_invites boolean NOT NULL DEFAULT false,
 
+    has_invite_achievements boolean NOT NULL DEFAULT false,
+
     -- =========================================================================
-    -- Storage configuration: module-level overrides + initial bucket defs.
-    -- Only used when has_storage = true. NULL = use defaults.
+    -- Storage configuration: JSON array of storage module definitions.
+    -- Each element provisions a separate storage module with its own tables,
+    -- RLS policies, and feature flags. Only used when has_storage = true.
+    -- NULL = provision a single default storage module with default settings.
     -- =========================================================================
 
     storage_config jsonb DEFAULT NULL,
@@ -197,7 +201,7 @@ COMMENT ON COLUMN metaschema_modules_public.entity_type_provision.has_profiles I
      When true, creates profile tables and applies profiles security.';
 
 COMMENT ON COLUMN metaschema_modules_public.entity_type_provision.has_levels IS
-    'Whether to provision levels_module for this type. Defaults to false.
+    'Whether to provision events_module for this type. Defaults to false.
      Levels provide gamification/achievement tracking for members.
      When true, creates level steps, achievements, and level tables with security.';
 
@@ -216,6 +220,15 @@ COMMENT ON COLUMN metaschema_modules_public.entity_type_provision.has_invites IS
      UNIQUE (database_id, membership_type) constraint on invites_module combined with
      ON CONFLICT DO NOTHING in the fan-out makes repeated INSERTs safe.';
 
+COMMENT ON COLUMN metaschema_modules_public.entity_type_provision.has_invite_achievements IS
+    'Whether to auto-attach an EventTracker to the claimed_invites table for invite-based
+     achievements. Defaults to false. Requires has_invites=true AND has_levels=true.
+     When true, the trigger calls event_tracker() on the claimed_invites table with
+     event_name=''invite_claimed'', actor_field=''sender_id'', events=[''INSERT''],
+     crediting the SENDER (inviter) when someone claims their invite code.
+     Developers can then define achievements in the blueprint achievements[] section
+     that reference the ''invite_claimed'' event (e.g., "Invite 5 friends" = count: 5).';
+
 -- =============================================================================
 -- Escape hatch
 -- =============================================================================
@@ -284,36 +297,34 @@ COMMENT ON COLUMN metaschema_modules_public.entity_type_provision.out_installed_
      Populated by the trigger. Useful for verifying which modules were provisioned.';
 
 COMMENT ON COLUMN metaschema_modules_public.entity_type_provision.storage_config IS
-    'Optional jsonb object for storage module configuration and initial bucket seeding.
-     Only used when has_storage = true; ignored otherwise. NULL = use defaults.
-     Recognized keys (all optional):
-       - upload_url_expiry_seconds    (integer) presigned PUT URL expiry override
-       - download_url_expiry_seconds  (integer) presigned GET URL expiry override
-       - default_max_file_size        (bigint)  global max file size in bytes for this scope
-       - allowed_origins              (text[])  default CORS origins for all buckets in this scope
-       - buckets                      (jsonb[]) array of initial bucket definitions to seed
-     Each bucket in the buckets array recognizes:
-       - name               (text, required) bucket name e.g. ''documents''
-       - description         (text)           human-readable description
-       - is_public           (boolean)        whether files are publicly readable (default false)
-       - allowed_mime_types  (text[])         whitelist of MIME types (null = any)
-       - max_file_size       (bigint)         max file size in bytes (null = use scope default)
-       - allowed_origins     (text[])         per-bucket CORS override
-       - provisions (jsonb object) optional: customize storage tables
-                                  with additional nodes, fields, grants, and policies.
-                                  Keyed by table role: "files", "buckets".
-                                  Each value uses the same shape as table_provision:
-                                  { nodes, fields, grants, use_rls, policies }. Fanned out
-                                  to secure_table_provision targeting the corresponding table.
-                                  When a key includes policies[], those REPLACE the default
-                                  storage policies for that table; tables without a key still
-                                  get defaults. Missing "data" on policy entries is auto-populated
-                                  with storage-specific defaults (same as table_provision).
-                                  Example: add SearchBm25 for full-text search on files:
-                                  {"provisions": {"files": {"nodes": [{"$type":
-                                  "SearchBm25", "data": {"source_fields": ["description"]}}]}}}
-     Example:
-       storage_config := ''{"buckets": [{"name": "documents", "is_public": false, "allowed_mime_types": ["application/pdf"]}], "provisions": {"files": {"nodes": [{"$type": "SearchBm25", "data": {"source_fields": ["description"]}}]}}}''::jsonb';
+    'Optional JSON array of storage module definitions. Each element provisions a separate
+     storage module with its own tables ({prefix}_{storage_key}_buckets/files), RLS policies,
+     and feature flags. Only used when has_storage = true; ignored otherwise.
+     NULL = provision a single default storage module with all defaults.
+     Each array element recognizes (all optional):
+       - storage_key                   (text) module discriminator, max 16 chars, lowercase snake_case.
+                                              Defaults to ''default'' (omitted from table names).
+                                              Non-default keys become infixes: {prefix}_{key}_buckets.
+       - upload_url_expiry_seconds     (integer) presigned PUT URL expiry override
+       - download_url_expiry_seconds   (integer) presigned GET URL expiry override
+       - default_max_file_size         (bigint)  global max file size in bytes for this module
+       - allowed_origins               (text[])  default CORS origins for all buckets in this module
+       - restrict_reads                (boolean) require read_files permission for SELECT on files
+       - has_path_shares               (boolean) enable virtual filesystem + path share policies
+       - has_versioning                (boolean) enable file version chains
+       - has_content_hash              (boolean) enable content hash for dedup
+       - has_custom_keys               (boolean) allow client-provided S3 keys
+       - has_audit_log                 (boolean) enable file events audit table
+       - has_confirm_upload            (boolean) enable HeadObject confirmation flow
+       - confirm_upload_delay          (interval) delay before first confirmation attempt
+       - buckets                       (jsonb[]) array of initial bucket definitions to seed.
+         Each bucket: { name (required), description, is_public, allowed_mime_types, max_file_size, allowed_origins }
+       - provisions                    (jsonb object) per-table customization keyed by "files" or "buckets".
+                                              Each value: { nodes, fields, grants, use_rls, policies }.
+     Example (single module, backward compat):
+       storage_config := ''[{"buckets": [{"name": "documents"}]}]''::jsonb
+     Example (multi-module):
+       storage_config := ''[{"has_path_shares": true, "buckets": [{"name": "documents"}]}, {"storage_key": "fn", "has_custom_keys": true, "buckets": [{"name": "functions"}]}]''::jsonb';
 
 COMMENT ON COLUMN metaschema_modules_public.entity_type_provision.out_storage_module_id IS
     'Output: the UUID of the storage_module row created for this entity type. Populated by the trigger when has_storage=true.';