Skip to content

feat(schema): add graph_execution_module — 7 partitioned execution tables + execution tree#98

Closed
pyramation wants to merge 11 commits into
mainfrom
feat/graph-execution-module
Closed

feat(schema): add graph_execution_module — 7 partitioned execution tables + execution tree#98
pyramation wants to merge 11 commits into
mainfrom
feat/graph-execution-module

Conversation

@pyramation

@pyramation pyramation commented Jun 13, 2026

Copy link
Copy Markdown
Contributor

Summary

Splits execution concerns out of graph_module into a new graph_execution_module, mirroring the function_module / function_invocation_module pattern. This enables platform-scoped graph definitions with entity-scoped executions.

Schema (slice export from constructive-db #1622):

graph_execution_module generator produces 7 partitioned tables + 4 execution functions:

executions, execution_outputs, execution_node_states     # Phase 1 (live status)
execution_tree_object, _store, _commit, _ref             # Phase 2 (merkle tree)
start_execution, tick_execution, complete_node, fail_node

graph_module retains only definition tables (graphs + merkle store).

pgpm standalone deploy fixes:

  • Cross-package constructive-infra: prefix on FK constraint deps in constructive-compute/pgpm.plan
  • constructive_private schema + no-op trigger stub (generated at runtime by constructive-db)
  • Missing DROP TYPE keyword in function_requirement revert script
  • pgpm.json workspace config + constructive-infra-seed excluded from test (multi-package seed)

Refs: constructive-planning #1057"

Link to Devin session: https://app.devin.ai/sessions/b2291a8e333e445aa125a2efd1996206
Requested by: @pyramation

…bles + execution tree

Phase 2 schema: split graph_module (definitions only) from
graph_execution_module (ephemeral execution state + merkle tree).

New execution tables (all partitioned by time):
- executions, outputs, node_states (moved from graph_module)
- execution_tree_object, _store, _commit, _ref (merkle tree for
  time-travel debugging)

New execution_store_id column on executions table links each
execution to its merkle tree store.

Includes pgpm modules, SDK (schemas, ORM, CLI, hooks), and
pgpm-test CI workflow.
@devin-ai-integration

Copy link
Copy Markdown

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment, CI, and merge conflict monitoring

@socket-security

socket-security Bot commented Jun 13, 2026

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm @constructive-io/s3-utils is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?npm/@constructive-io/cli@7.23.2npm/pgpm@4.28.2npm/@constructive-io/graphql-codegen@4.47.8npm/@constructive-io/graphql-query@3.27.6npm/@constructive-io/s3-utils@2.18.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@constructive-io/s3-utils@2.18.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm @constructive-io/s3-utils is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?npm/@constructive-io/cli@7.23.2npm/pgpm@4.28.2npm/@constructive-io/graphql-codegen@4.47.8npm/@constructive-io/graphql-query@3.27.6npm/@constructive-io/s3-utils@2.18.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@constructive-io/s3-utils@2.18.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm @internationalized/date is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?npm/@constructive-io/cli@7.23.2npm/pgpm@4.28.2npm/@constructive-io/graphql-codegen@4.47.8npm/@constructive-io/graphql-query@3.27.6npm/@internationalized/date@3.12.2

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@internationalized/date@3.12.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm cheerio is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?npm/@constructive-io/cli@7.23.2npm/cheerio@1.2.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/cheerio@1.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm htmlparser2 is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?npm/@constructive-io/cli@7.23.2npm/htmlparser2@10.1.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/htmlparser2@10.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm js-yaml is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?npm/@constructive-io/cli@7.23.2npm/pgpm@4.28.2npm/@constructive-io/graphql-codegen@4.47.8npm/js-yaml@4.2.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/js-yaml@4.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm markdown-it is 91.0% likely obfuscated

Confidence: 0.91

Location: Package overview

From: ?npm/@constructive-io/cli@7.23.2npm/pgpm@4.28.2npm/@constructive-io/graphql-codegen@4.47.8npm/@constructive-io/graphql-query@3.27.6npm/markdown-it@14.2.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/markdown-it@14.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm pgpm is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: pgpm/constructive-compute/package.jsonnpm/pgpm@4.28.2

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/pgpm@4.28.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm react-stately is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?npm/@constructive-io/cli@7.23.2npm/pgpm@4.28.2npm/@constructive-io/graphql-codegen@4.47.8npm/@constructive-io/graphql-query@3.27.6npm/react-stately@3.47.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/react-stately@3.47.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@devin-ai-integration

Copy link
Copy Markdown

Closing — will rebuild on top of feat/flows-panel-ui

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant