@lucern/contracts 0.3.0-alpha.1 → 0.3.0-alpha.11

Files changed (303)
  1. package/CHANGELOG.md +4 -0
  2. package/dist/api-enums.contract.d.ts +5 -3
  3. package/dist/api-enums.contract.js +14 -12
  4. package/dist/api-enums.contract.js.map +1 -1
  5. package/dist/component-boundary.contract.d.ts +14 -0
  6. package/dist/component-boundary.contract.js +174 -0
  7. package/dist/component-boundary.contract.js.map +1 -0
  8. package/dist/component-host-boundary.contract.d.ts +46 -0
  9. package/dist/component-host-boundary.contract.js +60 -0
  10. package/dist/component-host-boundary.contract.js.map +1 -0
  11. package/dist/context-pack.contract.d.ts +5 -3
  12. package/dist/context-pack.contract.js.map +1 -1
  13. package/dist/{defineTable-CBQ03FXl.d.ts → defineTable-t1wr5wgn.d.ts} +1 -1
  14. package/dist/{dsl-BgpoVOVQ.d.ts → dsl-DVPthQGY.d.ts} +2 -2
  15. package/dist/dsl.d.ts +2 -2
  16. package/dist/dsl.js +1 -4
  17. package/dist/dsl.js.map +1 -1
  18. package/dist/edge-policy-manifest-Dw5IhT1L.d.ts +133 -0
  19. package/dist/function-registry/beliefs.d.ts +54 -41
  20. package/dist/function-registry/beliefs.js +759 -38
  21. package/dist/function-registry/beliefs.js.map +1 -1
  22. package/dist/function-registry/coding.d.ts +9 -0
  23. package/dist/function-registry/coding.js +811 -39
  24. package/dist/function-registry/coding.js.map +1 -1
  25. package/dist/function-registry/context.d.ts +19 -13
  26. package/dist/function-registry/context.js +750 -42
  27. package/dist/function-registry/context.js.map +1 -1
  28. package/dist/function-registry/contracts.d.ts +6 -0
  29. package/dist/function-registry/contracts.js +715 -35
  30. package/dist/function-registry/contracts.js.map +1 -1
  31. package/dist/function-registry/coordination.d.ts +12 -0
  32. package/dist/function-registry/coordination.js +715 -35
  33. package/dist/function-registry/coordination.js.map +1 -1
  34. package/dist/function-registry/edges.d.ts +165 -0
  35. package/dist/function-registry/edges.js +923 -67
  36. package/dist/function-registry/edges.js.map +1 -1
  37. package/dist/function-registry/evidence.d.ts +44 -33
  38. package/dist/function-registry/evidence.js +769 -47
  39. package/dist/function-registry/evidence.js.map +1 -1
  40. package/dist/function-registry/graph.d.ts +149 -53
  41. package/dist/function-registry/graph.js +831 -42
  42. package/dist/function-registry/graph.js.map +1 -1
  43. package/dist/function-registry/helpers.d.ts +6 -3
  44. package/dist/function-registry/helpers.js +716 -36
  45. package/dist/function-registry/helpers.js.map +1 -1
  46. package/dist/function-registry/identity.d.ts +6 -0
  47. package/dist/function-registry/identity.js +715 -35
  48. package/dist/function-registry/identity.js.map +1 -1
  49. package/dist/function-registry/index.d.ts +5 -3
  50. package/dist/function-registry/index.js +722 -39
  51. package/dist/function-registry/index.js.map +1 -1
  52. package/dist/function-registry/judgments.d.ts +14 -9
  53. package/dist/function-registry/judgments.js +727 -38
  54. package/dist/function-registry/judgments.js.map +1 -1
  55. package/dist/function-registry/legacy.d.ts +4 -0
  56. package/dist/function-registry/legacy.js +715 -35
  57. package/dist/function-registry/legacy.js.map +1 -1
  58. package/dist/function-registry/lenses.d.ts +24 -17
  59. package/dist/function-registry/lenses.js +738 -38
  60. package/dist/function-registry/lenses.js.map +1 -1
  61. package/dist/function-registry/manifest.d.ts +6 -6
  62. package/dist/function-registry/manifest.js +18 -2
  63. package/dist/function-registry/manifest.js.map +1 -1
  64. package/dist/function-registry/nodes.d.ts +412 -0
  65. package/dist/function-registry/nodes.js +5303 -0
  66. package/dist/function-registry/nodes.js.map +1 -0
  67. package/dist/function-registry/ontologies.d.ts +59 -45
  68. package/dist/function-registry/ontologies.js +733 -41
  69. package/dist/function-registry/ontologies.js.map +1 -1
  70. package/dist/function-registry/pipeline.d.ts +19 -13
  71. package/dist/function-registry/pipeline.js +724 -38
  72. package/dist/function-registry/pipeline.js.map +1 -1
  73. package/dist/function-registry/questions.d.ts +64 -49
  74. package/dist/function-registry/questions.js +812 -43
  75. package/dist/function-registry/questions.js.map +1 -1
  76. package/dist/function-registry/tasks.d.ts +24 -17
  77. package/dist/function-registry/tasks.js +776 -44
  78. package/dist/function-registry/tasks.js.map +1 -1
  79. package/dist/function-registry/topics.d.ts +109 -21
  80. package/dist/function-registry/topics.js +797 -39
  81. package/dist/function-registry/topics.js.map +1 -1
  82. package/dist/function-registry/types.d.ts +6 -2
  83. package/dist/function-registry/worktrees.d.ts +94 -41
  84. package/dist/function-registry/worktrees.js +854 -47
  85. package/dist/function-registry/worktrees.js.map +1 -1
  86. package/dist/function-registry-input-audit.d.ts +13 -0
  87. package/dist/function-registry-input-audit.js +166 -0
  88. package/dist/function-registry-input-audit.js.map +1 -0
  89. package/dist/gateway.contract.d.ts +5 -0
  90. package/dist/gateway.contract.js.map +1 -1
  91. package/dist/generated/convexSchemas.d.ts +3 -3
  92. package/dist/generated/convexSchemas.js +38 -18
  93. package/dist/generated/convexSchemas.js.map +1 -1
  94. package/dist/generated/infisicalRuntimeEnv.d.ts +70 -0
  95. package/dist/generated/infisicalRuntimeEnv.js +26572 -0
  96. package/dist/generated/infisicalRuntimeEnv.js.map +1 -0
  97. package/dist/generated/lucernGatewayEnv.d.ts +17 -0
  98. package/dist/generated/lucernGatewayEnv.js +38 -0
  99. package/dist/generated/lucernGatewayEnv.js.map +1 -0
  100. package/dist/generated/lucernWebPublicEnv.d.ts +26 -0
  101. package/dist/generated/lucernWebPublicEnv.js +32 -0
  102. package/dist/generated/lucernWebPublicEnv.js.map +1 -0
  103. package/dist/generated/lucernWebServerEnv.d.ts +33 -0
  104. package/dist/generated/lucernWebServerEnv.js +51 -0
  105. package/dist/generated/lucernWebServerEnv.js.map +1 -0
  106. package/dist/generated/schema-manifest.json +1199 -138
  107. package/dist/generated/tableOwnership.d.ts +47 -27
  108. package/dist/generated/tableOwnership.js +66 -26
  109. package/dist/generated/tableOwnership.js.map +1 -1
  110. package/dist/generated/tier-expectations.json +62 -8
  111. package/dist/graph-intelligence.contract.d.ts +506 -0
  112. package/dist/graph-intelligence.contract.js +595 -0
  113. package/dist/graph-intelligence.contract.js.map +1 -0
  114. package/dist/graph-types/index.d.ts +5 -1
  115. package/dist/graph-types/index.js +15 -4
  116. package/dist/graph-types/index.js.map +1 -1
  117. package/dist/index-CM1Pl_vI.d.ts +28 -0
  118. package/dist/index.d.ts +29 -414
  119. package/dist/index.js +34791 -1088
  120. package/dist/index.js.map +1 -1
  121. package/dist/infisical-runtime.contract.d.ts +1768 -0
  122. package/dist/infisical-runtime.contract.js +3093 -0
  123. package/dist/infisical-runtime.contract.js.map +1 -0
  124. package/dist/lens-filter.contract.js +4 -3
  125. package/dist/lens-filter.contract.js.map +1 -1
  126. package/dist/lens-workflow.contract.js +4 -3
  127. package/dist/lens-workflow.contract.js.map +1 -1
  128. package/dist/manifests/edge-policy-manifest.d.ts +2 -0
  129. package/dist/manifests/edge-policy-manifest.data.d.ts +13 -0
  130. package/dist/manifests/edge-policy-manifest.data.js +26 -0
  131. package/dist/manifests/edge-policy-manifest.data.js.map +1 -0
  132. package/dist/manifests/edge-policy-manifest.js +92 -0
  133. package/dist/manifests/edge-policy-manifest.js.map +1 -0
  134. package/dist/manifests/infisical-runtime-manifest.d.ts +1672 -0
  135. package/dist/manifests/infisical-runtime-manifest.js +2948 -0
  136. package/dist/manifests/infisical-runtime-manifest.js.map +1 -0
  137. package/dist/manifests/invariant-manifest.d.ts +65 -0
  138. package/dist/manifests/invariant-manifest.js +18 -0
  139. package/dist/manifests/invariant-manifest.js.map +1 -0
  140. package/dist/manifests/invariants/ast-utils.d.ts +14 -0
  141. package/dist/manifests/invariants/ast-utils.js +54 -0
  142. package/dist/manifests/invariants/ast-utils.js.map +1 -0
  143. package/dist/manifests/invariants/index.d.ts +15 -0
  144. package/dist/manifests/invariants/index.js +183 -0
  145. package/dist/manifests/invariants/index.js.map +1 -0
  146. package/dist/manifests/invariants/inv-1-beliefs-append-only.d.ts +12 -0
  147. package/dist/manifests/invariants/inv-1-beliefs-append-only.js +94 -0
  148. package/dist/manifests/invariants/inv-1-beliefs-append-only.js.map +1 -0
  149. package/dist/manifests/invariants/inv-14-no-silent-transitions.d.ts +12 -0
  150. package/dist/manifests/invariants/inv-14-no-silent-transitions.js +99 -0
  151. package/dist/manifests/invariants/inv-14-no-silent-transitions.js.map +1 -0
  152. package/dist/manifests/invariants/manifest-1-projections-declare-audit.d.ts +12 -0
  153. package/dist/manifests/invariants/manifest-1-projections-declare-audit.js +42 -0
  154. package/dist/manifests/invariants/manifest-1-projections-declare-audit.js.map +1 -0
  155. package/dist/manifests/tenant-client-manifest.d.ts +322 -0
  156. package/dist/manifests/tenant-client-manifest.js +432 -0
  157. package/dist/manifests/tenant-client-manifest.js.map +1 -0
  158. package/dist/mcp-gateway-boundary.contract.d.ts +201 -0
  159. package/dist/mcp-gateway-boundary.contract.js +45 -0
  160. package/dist/mcp-gateway-boundary.contract.js.map +1 -0
  161. package/dist/projections/check-convex-args-shape.d.ts +3 -0
  162. package/dist/projections/check-convex-args-shape.js +403 -0
  163. package/dist/projections/check-convex-args-shape.js.map +1 -0
  164. package/dist/projections/create-evidence.projection.d.ts +176 -0
  165. package/dist/projections/create-evidence.projection.js +130 -0
  166. package/dist/projections/create-evidence.projection.js.map +1 -0
  167. package/dist/projections/index.d.ts +102 -0
  168. package/dist/projections/index.js +352 -0
  169. package/dist/projections/index.js.map +1 -0
  170. package/dist/projections/list-beliefs.projection.d.ts +36 -0
  171. package/dist/projections/list-beliefs.projection.js +54 -0
  172. package/dist/projections/list-beliefs.projection.js.map +1 -0
  173. package/dist/projections/list-tasks.projection.d.ts +44 -0
  174. package/dist/projections/list-tasks.projection.js +57 -0
  175. package/dist/projections/list-tasks.projection.js.map +1 -0
  176. package/dist/projections/modulate-confidence.projection.d.ts +219 -0
  177. package/dist/projections/modulate-confidence.projection.js +148 -0
  178. package/dist/projections/modulate-confidence.projection.js.map +1 -0
  179. package/dist/projections/projection-dsl.d.ts +11 -0
  180. package/dist/projections/projection-dsl.js +8 -0
  181. package/dist/projections/projection-dsl.js.map +1 -0
  182. package/dist/proof-attestation.json +45 -0
  183. package/dist/schema-helpers/enumValidation.js +2 -5
  184. package/dist/schema-helpers/enumValidation.js.map +1 -1
  185. package/dist/schema-helpers/spine/nodes/decision.js +2 -1
  186. package/dist/schema-helpers/spine/nodes/decision.js.map +1 -1
  187. package/dist/schema-helpers/spine/tables/epistemicNodes.js +27 -27
  188. package/dist/schema-helpers/spine/tables/epistemicNodes.js.map +1 -1
  189. package/dist/schemas/component-table-manifest.d.ts +6 -6
  190. package/dist/schemas/component-table-manifest.js +2 -2
  191. package/dist/schemas/component-table-manifest.js.map +1 -1
  192. package/dist/schemas/enums.d.ts +5 -2
  193. package/dist/schemas/enums.js +5 -2
  194. package/dist/schemas/enums.js.map +1 -1
  195. package/dist/schemas/index.d.ts +3 -3
  196. package/dist/schemas/index.js +1129 -139
  197. package/dist/schemas/index.js.map +1 -1
  198. package/dist/schemas/manifest.d.ts +2979 -949
  199. package/dist/schemas/manifest.js +1127 -137
  200. package/dist/schemas/manifest.js.map +1 -1
  201. package/dist/schemas/sl-opinion.d.ts +4 -4
  202. package/dist/schemas/tables/controlPlane/accessControl.d.ts +260 -0
  203. package/dist/schemas/tables/controlPlane/accessControl.js +653 -0
  204. package/dist/schemas/tables/controlPlane/accessControl.js.map +1 -0
  205. package/dist/schemas/tables/{identity → controlPlane}/agent.d.ts +1 -1
  206. package/dist/schemas/tables/{identity → controlPlane}/agent.js +3 -3
  207. package/dist/schemas/tables/controlPlane/agent.js.map +1 -0
  208. package/dist/schemas/tables/{identity → controlPlane}/epistemic.d.ts +1 -1
  209. package/dist/schemas/tables/{identity → controlPlane}/epistemic.js +3 -3
  210. package/dist/schemas/tables/controlPlane/epistemic.js.map +1 -0
  211. package/dist/schemas/tables/{identity → controlPlane}/model.d.ts +1 -1
  212. package/dist/schemas/tables/{identity → controlPlane}/model.js +6 -6
  213. package/dist/schemas/tables/controlPlane/model.js.map +1 -0
  214. package/dist/schemas/tables/{identity → controlPlane}/platform.d.ts +11 -11
  215. package/dist/schemas/tables/{identity → controlPlane}/platform.js +18 -18
  216. package/dist/schemas/tables/controlPlane/platform.js.map +1 -0
  217. package/dist/schemas/tables/{identity → controlPlane}/project.d.ts +1 -1
  218. package/dist/schemas/tables/{identity → controlPlane}/project.js +3 -3
  219. package/dist/schemas/tables/controlPlane/project.js.map +1 -0
  220. package/dist/schemas/tables/{identity → controlPlane}/user.d.ts +1 -1
  221. package/dist/schemas/tables/{identity → controlPlane}/user.js +3 -3
  222. package/dist/schemas/tables/controlPlane/user.js.map +1 -0
  223. package/dist/schemas/tables/kernel/config.d.ts +1 -1
  224. package/dist/schemas/tables/kernel/config.js.map +1 -1
  225. package/dist/schemas/tables/kernel/coordination.d.ts +1 -1
  226. package/dist/schemas/tables/kernel/coordination.js.map +1 -1
  227. package/dist/schemas/tables/kernel/decision.d.ts +1 -1
  228. package/dist/schemas/tables/kernel/decision.js.map +1 -1
  229. package/dist/schemas/tables/kernel/embedding.d.ts +1 -1
  230. package/dist/schemas/tables/kernel/embedding.js.map +1 -1
  231. package/dist/schemas/tables/kernel/epistemic.d.ts +7 -7
  232. package/dist/schemas/tables/kernel/epistemic.js.map +1 -1
  233. package/dist/schemas/tables/kernel/idempotency.d.ts +1 -1
  234. package/dist/schemas/tables/kernel/idempotency.js.map +1 -1
  235. package/dist/schemas/tables/kernel/infra.d.ts +5 -5
  236. package/dist/schemas/tables/kernel/infra.js.map +1 -1
  237. package/dist/schemas/tables/kernel/intelligence.d.ts +11 -11
  238. package/dist/schemas/tables/kernel/intelligence.js.map +1 -1
  239. package/dist/schemas/tables/kernel/lens.d.ts +5 -5
  240. package/dist/schemas/tables/kernel/lens.js.map +1 -1
  241. package/dist/schemas/tables/kernel/ontology.d.ts +1 -1
  242. package/dist/schemas/tables/kernel/ontology.js.map +1 -1
  243. package/dist/schemas/tables/kernel/platform.d.ts +13 -13
  244. package/dist/schemas/tables/kernel/platform.js.map +1 -1
  245. package/dist/schemas/tables/kernel/spine.d.ts +5 -4
  246. package/dist/schemas/tables/kernel/spine.js +6 -2
  247. package/dist/schemas/tables/kernel/spine.js.map +1 -1
  248. package/dist/schemas/tables/kernel/task.d.ts +43 -43
  249. package/dist/schemas/tables/kernel/task.js.map +1 -1
  250. package/dist/schemas/tables/kernel/topic.d.ts +1 -1
  251. package/dist/schemas/tables/kernel/topic.js +5 -1
  252. package/dist/schemas/tables/kernel/topic.js.map +1 -1
  253. package/dist/schemas/tables/kernel/workflow.d.ts +1 -1
  254. package/dist/schemas/tables/kernel/workflow.js.map +1 -1
  255. package/dist/schemas/tables/kernel/worktree.d.ts +55 -55
  256. package/dist/schemas/tables/kernel/worktree.js.map +1 -1
  257. package/dist/schemas/tables/mc/identity.d.ts +44 -4
  258. package/dist/schemas/tables/mc/identity.js +66 -1
  259. package/dist/schemas/tables/mc/identity.js.map +1 -1
  260. package/dist/schemas/tables/mc/methodology.d.ts +1 -1
  261. package/dist/schemas/tables/mc/methodology.js.map +1 -1
  262. package/dist/schemas/tables/mc/pack.d.ts +21 -21
  263. package/dist/schemas/tables/mc/pack.js.map +1 -1
  264. package/dist/schemas/tables/mc/policy.d.ts +2 -2
  265. package/dist/schemas/tables/mc/policy.js +1 -1
  266. package/dist/schemas/tables/mc/policy.js.map +1 -1
  267. package/dist/schemas/tables/mc/registry.d.ts +5 -5
  268. package/dist/schemas/tables/mc/registry.js.map +1 -1
  269. package/dist/schemas/tables/mc/runtime.d.ts +109 -3
  270. package/dist/schemas/tables/mc/runtime.js +330 -104
  271. package/dist/schemas/tables/mc/runtime.js.map +1 -1
  272. package/dist/schemas/tables/mc/tenant.d.ts +3 -2
  273. package/dist/schemas/tables/mc/tenant.js +2 -1
  274. package/dist/schemas/tables/mc/tenant.js.map +1 -1
  275. package/dist/schemas/tables/mc/workspace.d.ts +28 -5
  276. package/dist/schemas/tables/mc/workspace.js +36 -2
  277. package/dist/schemas/tables/mc/workspace.js.map +1 -1
  278. package/dist/sdk-methods.contract.d.ts +2 -2
  279. package/dist/{sdk-tools.contract-S4ia0TTo.d.ts → sdk-tools.contract-BNklQDfB.d.ts} +2 -2
  280. package/dist/sdk-tools.contract.d.ts +2 -2
  281. package/dist/sdk-tools.contract.js +672 -24
  282. package/dist/sdk-tools.contract.js.map +1 -1
  283. package/dist/tenant-bootstrap-seed.contract.d.ts +1269 -0
  284. package/dist/tenant-bootstrap-seed.contract.js +751 -0
  285. package/dist/tenant-bootstrap-seed.contract.js.map +1 -0
  286. package/dist/tenant-bootstrap-seed.defaults.d.ts +16 -0
  287. package/dist/tenant-bootstrap-seed.defaults.js +303 -0
  288. package/dist/tenant-bootstrap-seed.defaults.js.map +1 -0
  289. package/dist/tenant-client.contract.d.ts +349 -0
  290. package/dist/tenant-client.contract.js +488 -0
  291. package/dist/tenant-client.contract.js.map +1 -0
  292. package/dist/{tool-contracts-C92-9ueT.d.ts → tool-contracts-BevD9Ho2.d.ts} +36 -2
  293. package/dist/tool-contracts.d.ts +1 -1
  294. package/dist/tool-contracts.js +673 -25
  295. package/dist/tool-contracts.js.map +1 -1
  296. package/package.json +30 -1
  297. package/dist/index-CV-0_VWJ.d.ts +0 -25
  298. package/dist/schemas/tables/identity/agent.js.map +0 -1
  299. package/dist/schemas/tables/identity/epistemic.js.map +0 -1
  300. package/dist/schemas/tables/identity/model.js.map +0 -1
  301. package/dist/schemas/tables/identity/platform.js.map +0 -1
  302. package/dist/schemas/tables/identity/project.js.map +0 -1
  303. package/dist/schemas/tables/identity/user.js.map +0 -1
@@ -0,0 +1,13 @@
1
+ import { FunctionContract } from './function-registry/types.js';
2
+
3
+ type FunctionRegistryInputAuditFinding = {
4
+ contractName: string;
5
+ projectionKeys: string[];
6
+ acceptedKeys: string[];
7
+ missingKeys: string[];
8
+ };
9
+ type InputProjection = NonNullable<FunctionContract["convex"]>["inputProjection"];
10
+ declare function projectionReadKeys(projection: InputProjection): string[];
11
+ declare function auditFunctionRegistryInputs(contracts?: readonly FunctionContract[]): FunctionRegistryInputAuditFinding[];
12
+
13
+ export { type FunctionRegistryInputAuditFinding, auditFunctionRegistryInputs, projectionReadKeys };
@@ -0,0 +1,166 @@
1
+ import { z } from 'zod';
2
+ import { ALL_FUNCTION_CONTRACTS } from './function-registry/index.js';
3
+
4
+ // src/function-registry-input-audit.ts
5
+ var INTERNAL_OR_ALIAS_KEYS = /* @__PURE__ */ new Set([
6
+ "__sdkSessionId",
7
+ "actorId",
8
+ "beliefId",
9
+ "createdBy",
10
+ "evidenceId",
11
+ "id",
12
+ "insightId",
13
+ "nodeId",
14
+ "ontologyId",
15
+ "parentNodeId",
16
+ "principalId",
17
+ "projectId",
18
+ "questionId",
19
+ "tenantId",
20
+ "trustedBypassAccessCheck",
21
+ "userId",
22
+ "versionId",
23
+ "workspaceId"
24
+ ]);
25
+ var INTENTIONAL_PROJECTION_READS = {
26
+ add_evidence: ["linkedBeliefNodeId", "targetId"],
27
+ apply_lens_to_topic: ["metadata"],
28
+ archive_belief: ["reason"],
29
+ check_permission: ["principalId", "tenantId", "userId", "workspaceId"],
30
+ claim_files: ["paths", "touchedFiles"],
31
+ complete_task: ["summary"],
32
+ create_belief: ["formulation"],
33
+ discover: ["prompt", "topicHint"],
34
+ filter_by_permission: ["principalId", "tenantId", "userId", "workspaceId"],
35
+ get_change_history: ["status"],
36
+ get_failure_log: ["status"],
37
+ identity_whoami: ["principalId", "tenantId", "userId", "workspaceId"],
38
+ ingest_observation: ["reasoning", "trustedBypassAccessCheck"],
39
+ link_evidence: [
40
+ "beliefId",
41
+ "beliefNodeId",
42
+ "context",
43
+ "evidenceNodeId",
44
+ "globalId",
45
+ "insightId",
46
+ "topicId",
47
+ "trustedBypassAccessCheck",
48
+ "type"
49
+ ],
50
+ link_evidence_to_belief: [
51
+ "beliefNodeId",
52
+ "context",
53
+ "evidenceNodeId",
54
+ "globalId",
55
+ "insightId",
56
+ "targetId",
57
+ "topicId",
58
+ "trustedBypassAccessCheck",
59
+ "type"
60
+ ],
61
+ link_evidence_to_question: [
62
+ "context",
63
+ "evidenceNodeId",
64
+ "globalId",
65
+ "impactScore",
66
+ "insightId",
67
+ "questionNodeId",
68
+ "targetId",
69
+ "topicId",
70
+ "trustedBypassAccessCheck",
71
+ "weight"
72
+ ],
73
+ list_evidence: ["status"],
74
+ manage_write_policy: ["summary"],
75
+ merge: ["decisionsReached", "keyFindings", "nextSteps"],
76
+ record_attempt: ["reasoning", "trustedBypassAccessCheck"],
77
+ record_judgment: ["reasoning", "trustedBypassAccessCheck"],
78
+ record_scope_learning: ["reasoning", "trustedBypassAccessCheck"],
79
+ search_beliefs: ["searchQuery"],
80
+ search_evidence: ["query", "searchQuery"],
81
+ update_question_status: ["answer", "answerStatus", "nodeId", "questionId"],
82
+ update_topic: ["graphScopeProjectId"]
83
+ };
84
+ function unwrapObjectSchema(schema) {
85
+ let current = schema;
86
+ while (true) {
87
+ switch (current._def.typeName) {
88
+ case z.ZodFirstPartyTypeKind.ZodEffects:
89
+ current = current._def.schema;
90
+ continue;
91
+ case z.ZodFirstPartyTypeKind.ZodBranded:
92
+ current = current._def.type;
93
+ continue;
94
+ default:
95
+ return current instanceof z.ZodObject ? current : void 0;
96
+ }
97
+ }
98
+ }
99
+ function objectSchemaKeys(schema) {
100
+ const objectSchema = unwrapObjectSchema(schema);
101
+ if (!objectSchema) {
102
+ return /* @__PURE__ */ new Set();
103
+ }
104
+ const shape = typeof objectSchema._def.shape === "function" ? objectSchema._def.shape() : objectSchema._def.shape;
105
+ return new Set(Object.keys(shape));
106
+ }
107
+ function projectionReadKeys(projection) {
108
+ if (!projection) {
109
+ return [];
110
+ }
111
+ const source = String(projection);
112
+ const keys = /* @__PURE__ */ new Set();
113
+ for (const match of source.matchAll(/\binput\s*\.\s*([A-Za-z_$][\w$]*)/gu)) {
114
+ keys.add(match[1]);
115
+ }
116
+ for (const match of source.matchAll(/\binput\s*\[\s*["']([^"']+)["']\s*\]/gu)) {
117
+ keys.add(match[1]);
118
+ }
119
+ return [...keys].sort();
120
+ }
121
+ function acceptedInputKeys(contract) {
122
+ const keys = [
123
+ .../* @__PURE__ */ new Set([
124
+ ...objectSchemaKeys(contract.args),
125
+ ...objectSchemaKeys(contract.input),
126
+ ...Object.keys(contract.mcp.parameters),
127
+ "__sdkSessionId"
128
+ ])
129
+ ];
130
+ keys.sort();
131
+ return keys;
132
+ }
133
+ function allowedProjectionKeys(contractName) {
134
+ return /* @__PURE__ */ new Set([
135
+ ...INTERNAL_OR_ALIAS_KEYS,
136
+ ...INTENTIONAL_PROJECTION_READS[contractName] ?? []
137
+ ]);
138
+ }
139
+ function auditFunctionRegistryInputs(contracts = ALL_FUNCTION_CONTRACTS) {
140
+ return contracts.flatMap((contract) => {
141
+ const projectionKeys = projectionReadKeys(contract.convex?.inputProjection);
142
+ if (projectionKeys.length === 0) {
143
+ return [];
144
+ }
145
+ const accepted = new Set(acceptedInputKeys(contract));
146
+ const allowed = allowedProjectionKeys(contract.name);
147
+ const missingKeys = projectionKeys.filter(
148
+ (key) => !accepted.has(key) && !allowed.has(key)
149
+ );
150
+ if (missingKeys.length === 0) {
151
+ return [];
152
+ }
153
+ return [
154
+ {
155
+ contractName: contract.name,
156
+ projectionKeys,
157
+ acceptedKeys: [...accepted].sort(),
158
+ missingKeys
159
+ }
160
+ ];
161
+ });
162
+ }
163
+
164
+ export { auditFunctionRegistryInputs, projectionReadKeys };
165
+ //# sourceMappingURL=function-registry-input-audit.js.map
166
+ //# sourceMappingURL=function-registry-input-audit.js.map
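Review bot: `"trustedBypassAccessCheck"` and the identity keys (`"tenantId"`, `"principalId"`, `"userId"`, `"workspaceId"`) are in the global `INTERNAL_OR_ALIAS_KEYS` set, so `auditFunctionRegistryInputs` never reports a projection that reads them from `input`, on any contract, even when that contract's schema does not declare them. The per-contract lists in `INTENTIONAL_PROJECTION_READS` (for example `record_judgment` and `check_permission`) already name these keys, which suggests the exemption was meant to be per contract; dropping them from the global set would make each new read of an access-check bypass flag surface as a finding until it is listed deliberately. Whether a caller can actually supply such a key depends on how the schemas treat unknown keys, which is not visible in this file. Separately, `projectionReadKeys` only matches the literal text `input.x` or `input["x"]` in `String(projection)`, so destructured or differently named parameters go unaudited; a comment on the function such as `// best-effort text scan: misses destructuring, renamed parameters and computed keys` would make that limit explicit.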
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../src/function-registry-input-audit.ts"],"names":[],"mappings":";;;;AAeA,IAAM,sBAAA,uBAA6B,GAAA,CAAI;AAAA,EACrC,gBAAA;AAAA,EACA,SAAA;AAAA,EACA,UAAA;AAAA,EACA,WAAA;AAAA,EACA,YAAA;AAAA,EACA,IAAA;AAAA,EACA,WAAA;AAAA,EACA,QAAA;AAAA,EACA,YAAA;AAAA,EACA,cAAA;AAAA,EACA,aAAA;AAAA,EACA,WAAA;AAAA,EACA,YAAA;AAAA,EACA,UAAA;AAAA,EACA,0BAAA;AAAA,EACA,QAAA;AAAA,EACA,WAAA;AAAA,EACA;AACF,CAAC,CAAA;AAED,IAAM,4BAAA,GAAkE;AAAA,EACtE,YAAA,EAAc,CAAC,oBAAA,EAAsB,UAAU,CAAA;AAAA,EAC/C,mBAAA,EAAqB,CAAC,UAAU,CAAA;AAAA,EAChC,cAAA,EAAgB,CAAC,QAAQ,CAAA;AAAA,EACzB,gBAAA,EAAkB,CAAC,aAAA,EAAe,UAAA,EAAY,UAAU,aAAa,CAAA;AAAA,EACrE,WAAA,EAAa,CAAC,OAAA,EAAS,cAAc,CAAA;AAAA,EACrC,aAAA,EAAe,CAAC,SAAS,CAAA;AAAA,EACzB,aAAA,EAAe,CAAC,aAAa,CAAA;AAAA,EAC7B,QAAA,EAAU,CAAC,QAAA,EAAU,WAAW,CAAA;AAAA,EAChC,oBAAA,EAAsB,CAAC,aAAA,EAAe,UAAA,EAAY,UAAU,aAAa,CAAA;AAAA,EACzE,kBAAA,EAAoB,CAAC,QAAQ,CAAA;AAAA,EAC7B,eAAA,EAAiB,CAAC,QAAQ,CAAA;AAAA,EAC1B,eAAA,EAAiB,CAAC,aAAA,EAAe,UAAA,EAAY,UAAU,aAAa,CAAA;AAAA,EACpE,kBAAA,EAAoB,CAAC,WAAA,EAAa,0BAA0B,CAAA;AAAA,EAC5D,aAAA,EAAe;AAAA,IACb,UAAA;AAAA,IACA,cAAA;AAAA,IACA,SAAA;AAAA,IACA,gBAAA;AAAA,IACA,UAAA;AAAA,IACA,WAAA;AAAA,IACA,SAAA;AAAA,IACA,0BAAA;AAAA,IACA;AAAA,GACF;AAAA,EACA,uBAAA,EAAyB;AAAA,IACvB,cAAA;AAAA,IACA,SAAA;AAAA,IACA,gBAAA;AAAA,IACA,UAAA;AAAA,IACA,WAAA;AAAA,IACA,UAAA;AAAA,IACA,SAAA;AAAA,IACA,0BAAA;AAAA,IACA;AAAA,GACF;AAAA,EACA,yBAAA,EAA2B;AAAA,IACzB,SAAA;AAAA,IACA,gBAAA;AAAA,IACA,UAAA;AAAA,IACA,aAAA;AAAA,IACA,WAAA;AAAA,IACA,gBAAA;AAAA,IACA,UAAA;AAAA,IACA,SAAA;AAAA,IACA,0BAAA;AAAA,IACA;AAAA,GACF;AAAA,EACA,aAAA,EAAe,CAAC,QAAQ,CAAA;AAAA,EACxB,mBAAA,EAAqB,CAAC,SAAS,CAAA;AAAA,EAC/B,KAAA,EAAO,CAAC,kBAAA,EAAoB,aAAA,EAAe,WAAW,CAAA;AAAA,EACtD,cAAA,EAAgB,CAAC,WAAA,EAAa,0BAA0B,CAAA;AAAA,EACxD,eAAA,EAAiB,CAAC,WAAA,EAAa,0BAA0B,CAAA;AAAA,EACzD,qBAAA,EAAuB,CAAC,WAAA,EAAa,0BAA0B,CAAA;AAAA,EAC/D,cAAA,EAAgB,CAAC,aAAa,CAAA;AAAA,EAC9B,eAAA,EAAiB,CAAC,OAAA,EAAS,aAAa,CAAA;AAAA,EACxC,sBAAA,EAAwB,CAAC,QAAA,EAAU,cAAA,EAAgB,UAAU,YAAY,CAAA;AAAA,EACzE,YAAA,EAAc,CAAC,qBAA
qB;AACtC,CAAA;AAEA,SAAS,mBACP,MAAA,EACwC;AACxC,EAAA,IAAI,OAAA,GAAU,MAAA;AACd,EAAA,OAAO,IAAA,EAAM;AACX,IAAA,QAAQ,OAAA,CAAQ,KAAK,QAAA;AAAU,MAC7B,KAAK,EAAE,qBAAA,CAAsB,UAAA;AAC3B,QAAA,OAAA,GAAU,QAAQ,IAAA,CAAK,MAAA;AACvB,QAAA;AAAA,MACF,KAAK,EAAE,qBAAA,CAAsB,UAAA;AAC3B,QAAA,OAAA,GAAU,QAAQ,IAAA,CAAK,IAAA;AACvB,QAAA;AAAA,MACF;AACE,QAAA,OAAO,OAAA,YAAmB,CAAA,CAAE,SAAA,GAAY,OAAA,GAAU,MAAA;AAAA;AACtD,EACF;AACF;AAEA,SAAS,iBAAiB,MAAA,EAAmC;AAC3D,EAAA,MAAM,YAAA,GAAe,mBAAmB,MAAM,CAAA;AAC9C,EAAA,IAAI,CAAC,YAAA,EAAc;AACjB,IAAA,2BAAW,GAAA,EAAI;AAAA,EACjB;AACA,EAAA,MAAM,KAAA,GACJ,OAAO,YAAA,CAAa,IAAA,CAAK,KAAA,KAAU,UAAA,GAC/B,YAAA,CAAa,IAAA,CAAK,KAAA,EAAM,GACxB,YAAA,CAAa,IAAA,CAAK,KAAA;AACxB,EAAA,OAAO,IAAI,GAAA,CAAI,MAAA,CAAO,IAAA,CAAK,KAAK,CAAC,CAAA;AACnC;AAEO,SAAS,mBACd,UAAA,EACU;AACV,EAAA,IAAI,CAAC,UAAA,EAAY;AACf,IAAA,OAAO,EAAC;AAAA,EACV;AACA,EAAA,MAAM,MAAA,GAAS,OAAO,UAAU,CAAA;AAChC,EAAA,MAAM,IAAA,uBAAW,GAAA,EAAY;AAE7B,EAAA,KAAA,MAAW,KAAA,IAAS,MAAA,CAAO,QAAA,CAAS,qCAAqC,CAAA,EAAG;AAC1E,IAAA,IAAA,CAAK,GAAA,CAAI,KAAA,CAAM,CAAC,CAAC,CAAA;AAAA,EACnB;AACA,EAAA,KAAA,MAAW,KAAA,IAAS,MAAA,CAAO,QAAA,CAAS,wCAAwC,CAAA,EAAG;AAC7E,IAAA,IAAA,CAAK,GAAA,CAAI,KAAA,CAAM,CAAC,CAAC,CAAA;AAAA,EACnB;AAEA,EAAA,OAAO,CAAC,GAAG,IAAI,CAAA,CAAE,IAAA,EAAK;AACxB;AAEA,SAAS,kBAAkB,QAAA,EAAsC;AAC/D,EAAA,MAAM,IAAA,GAAO;AAAA,IACX,uBAAO,GAAA,CAAI;AAAA,MACT,GAAG,gBAAA,CAAiB,QAAA,CAAS,IAAI,CAAA;AAAA,MACjC,GAAG,gBAAA,CAAiB,QAAA,CAAS,KAAK,CAAA;AAAA,MAClC,GAAG,MAAA,CAAO,IAAA,CAAK,QAAA,CAAS,IAAI,UAAU,CAAA;AAAA,MACtC;AAAA,KACD;AAAA,GACH;AACA,EAAA,IAAA,CAAK,IAAA,EAAK;AACV,EAAA,OAAO,IAAA;AACT;AAEA,SAAS,sBAAsB,YAAA,EAAmC;AAChE,EAAA,2BAAW,GAAA,CAAI;AAAA,IACb,GAAG,sBAAA;AAAA,IACH,GAAI,4BAAA,CAA6B,YAAY,CAAA,IAAK;AAAC,GACpD,CAAA;AACH;AAEO,SAAS,2BAAA,CACd,YAAyC,sBAAA,EACJ;AACrC,EAAA,OAAO,SAAA,CAAU,OAAA,CAAQ,CAAC,QAAA,KAAa;AACrC,IAAA,MAAM,cAAA,GAAiB,kBAAA,CAAmB,QAAA,CAAS,MAAA,EAAQ,eAAe,CAAA;AAC1E,IAAA,IAAI,cAAA,CAAe,WAAW,CAAA,EAAG;AAC/B,MAAA,OAAO,EAAC;AAAA,IACV;AAEA,IAAA,MAAM,QAAA,GAAW,IAAI,GAAA,CAAI,iBAAA,CAAkB,QAAQ,CAAC,CAAA;AACpD,I
AAA,MAAM,OAAA,GAAU,qBAAA,CAAsB,QAAA,CAAS,IAAI,CAAA;AACnD,IAAA,MAAM,cAAc,cAAA,CAAe,MAAA;AAAA,MACjC,CAAC,GAAA,KAAQ,CAAC,QAAA,CAAS,GAAA,CAAI,GAAG,CAAA,IAAK,CAAC,OAAA,CAAQ,GAAA,CAAI,GAAG;AAAA,KACjD;AAEA,IAAA,IAAI,WAAA,CAAY,WAAW,CAAA,EAAG;AAC5B,MAAA,OAAO,EAAC;AAAA,IACV;AAEA,IAAA,OAAO;AAAA,MACL;AAAA,QACE,cAAc,QAAA,CAAS,IAAA;AAAA,QACvB,cAAA;AAAA,QACA,YAAA,EAAc,CAAC,GAAG,QAAQ,EAAE,IAAA,EAAK;AAAA,QACjC;AAAA;AACF,KACF;AAAA,EACF,CAAC,CAAA;AACH","file":"function-registry-input-audit.js","sourcesContent":["import { z } from \"zod\";\nimport { ALL_FUNCTION_CONTRACTS } from \"./function-registry/index.js\";\nimport type { FunctionContract } from \"./function-registry/types.js\";\n\nexport type FunctionRegistryInputAuditFinding = {\n contractName: string;\n projectionKeys: string[];\n acceptedKeys: string[];\n missingKeys: string[];\n};\n\ntype InputProjection = NonNullable<\n FunctionContract[\"convex\"]\n>[\"inputProjection\"];\n\nconst INTERNAL_OR_ALIAS_KEYS = new Set([\n \"__sdkSessionId\",\n \"actorId\",\n \"beliefId\",\n \"createdBy\",\n \"evidenceId\",\n \"id\",\n \"insightId\",\n \"nodeId\",\n \"ontologyId\",\n \"parentNodeId\",\n \"principalId\",\n \"projectId\",\n \"questionId\",\n \"tenantId\",\n \"trustedBypassAccessCheck\",\n \"userId\",\n \"versionId\",\n \"workspaceId\",\n]);\n\nconst INTENTIONAL_PROJECTION_READS: Record<string, readonly string[]> = {\n add_evidence: [\"linkedBeliefNodeId\", \"targetId\"],\n apply_lens_to_topic: [\"metadata\"],\n archive_belief: [\"reason\"],\n check_permission: [\"principalId\", \"tenantId\", \"userId\", \"workspaceId\"],\n claim_files: [\"paths\", \"touchedFiles\"],\n complete_task: [\"summary\"],\n create_belief: [\"formulation\"],\n discover: [\"prompt\", \"topicHint\"],\n filter_by_permission: [\"principalId\", \"tenantId\", \"userId\", \"workspaceId\"],\n get_change_history: [\"status\"],\n get_failure_log: [\"status\"],\n identity_whoami: [\"principalId\", \"tenantId\", \"userId\", \"workspaceId\"],\n ingest_observation: 
[\"reasoning\", \"trustedBypassAccessCheck\"],\n link_evidence: [\n \"beliefId\",\n \"beliefNodeId\",\n \"context\",\n \"evidenceNodeId\",\n \"globalId\",\n \"insightId\",\n \"topicId\",\n \"trustedBypassAccessCheck\",\n \"type\",\n ],\n link_evidence_to_belief: [\n \"beliefNodeId\",\n \"context\",\n \"evidenceNodeId\",\n \"globalId\",\n \"insightId\",\n \"targetId\",\n \"topicId\",\n \"trustedBypassAccessCheck\",\n \"type\",\n ],\n link_evidence_to_question: [\n \"context\",\n \"evidenceNodeId\",\n \"globalId\",\n \"impactScore\",\n \"insightId\",\n \"questionNodeId\",\n \"targetId\",\n \"topicId\",\n \"trustedBypassAccessCheck\",\n \"weight\",\n ],\n list_evidence: [\"status\"],\n manage_write_policy: [\"summary\"],\n merge: [\"decisionsReached\", \"keyFindings\", \"nextSteps\"],\n record_attempt: [\"reasoning\", \"trustedBypassAccessCheck\"],\n record_judgment: [\"reasoning\", \"trustedBypassAccessCheck\"],\n record_scope_learning: [\"reasoning\", \"trustedBypassAccessCheck\"],\n search_beliefs: [\"searchQuery\"],\n search_evidence: [\"query\", \"searchQuery\"],\n update_question_status: [\"answer\", \"answerStatus\", \"nodeId\", \"questionId\"],\n update_topic: [\"graphScopeProjectId\"],\n};\n\nfunction unwrapObjectSchema(\n schema: z.ZodTypeAny,\n): z.ZodObject<z.ZodRawShape> | undefined {\n let current = schema;\n while (true) {\n switch (current._def.typeName) {\n case z.ZodFirstPartyTypeKind.ZodEffects:\n current = current._def.schema;\n continue;\n case z.ZodFirstPartyTypeKind.ZodBranded:\n current = current._def.type;\n continue;\n default:\n return current instanceof z.ZodObject ? current : undefined;\n }\n }\n}\n\nfunction objectSchemaKeys(schema: z.ZodTypeAny): Set<string> {\n const objectSchema = unwrapObjectSchema(schema);\n if (!objectSchema) {\n return new Set();\n }\n const shape =\n typeof objectSchema._def.shape === \"function\"\n ? 
objectSchema._def.shape()\n : objectSchema._def.shape;\n return new Set(Object.keys(shape));\n}\n\nexport function projectionReadKeys(\n projection: InputProjection,\n): string[] {\n if (!projection) {\n return [];\n }\n const source = String(projection);\n const keys = new Set<string>();\n\n for (const match of source.matchAll(/\\binput\\s*\\.\\s*([A-Za-z_$][\\w$]*)/gu)) {\n keys.add(match[1]);\n }\n for (const match of source.matchAll(/\\binput\\s*\\[\\s*[\"']([^\"']+)[\"']\\s*\\]/gu)) {\n keys.add(match[1]);\n }\n\n return [...keys].sort();\n}\n\nfunction acceptedInputKeys(contract: FunctionContract): string[] {\n const keys = [\n ...new Set([\n ...objectSchemaKeys(contract.args),\n ...objectSchemaKeys(contract.input),\n ...Object.keys(contract.mcp.parameters),\n \"__sdkSessionId\",\n ]),\n ];\n keys.sort();\n return keys;\n}\n\nfunction allowedProjectionKeys(contractName: string): Set<string> {\n return new Set([\n ...INTERNAL_OR_ALIAS_KEYS,\n ...(INTENTIONAL_PROJECTION_READS[contractName] ?? []),\n ]);\n}\n\nexport function auditFunctionRegistryInputs(\n contracts: readonly FunctionContract[] = ALL_FUNCTION_CONTRACTS,\n): FunctionRegistryInputAuditFinding[] {\n return contracts.flatMap((contract) => {\n const projectionKeys = projectionReadKeys(contract.convex?.inputProjection);\n if (projectionKeys.length === 0) {\n return [];\n }\n\n const accepted = new Set(acceptedInputKeys(contract));\n const allowed = allowedProjectionKeys(contract.name);\n const missingKeys = projectionKeys.filter(\n (key) => !accepted.has(key) && !allowed.has(key),\n );\n\n if (missingKeys.length === 0) {\n return [];\n }\n\n return [\n {\n contractName: contract.name,\n projectionKeys,\n acceptedKeys: [...accepted].sort(),\n missingKeys,\n },\n ];\n });\n}\n"]}
@@ -33,6 +33,7 @@ type CutoverFlagState = "legacy" | "cutover" | "disabled";
33
33
  */
34
34
  type GatewayAuthContext = {
35
35
  userId: string;
36
+ clerkId?: string;
36
37
  convexToken?: string;
37
38
  /** Opaque in contract — narrowed to ConvexHttpClient at the gateway. */
38
39
  convex: any;
@@ -40,8 +41,12 @@ type GatewayAuthContext = {
40
41
  principalId?: string;
41
42
  principalType?: SessionPrincipalType;
42
43
  tenantId?: string;
44
+ tenantSlug?: string;
43
45
  workspaceId?: string;
46
+ workspaceSlug?: string;
47
+ workspaceKey?: string;
44
48
  roles?: string[];
49
+ membershipId?: string;
45
50
  sessionId?: string;
46
51
  sessionAuthMode?: SessionAuthMode;
47
52
  sessionExpiresAt?: number;
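Review bot: The five fields added to `GatewayAuthContext` (`clerkId`, `tenantSlug`, `workspaceSlug`, `workspaceKey`, `membershipId`) have no doc comments, so a handler author cannot tell which of them are safe to base an access decision on. The type sits beside `convexToken` and is handed to route handlers, so `workspaceKey` in particular reads as if it could be a credential. If it is only an identifier, say so with something like `/** Stable workspace identifier, not a secret. */`; if it is a secret, it should be kept out of logs and error `details`. For the slugs I would add `/** Human-readable label for routing/display; authorize on tenantId, not on this. */` (and the same for `workspaceSlug` against `workspaceId`), assuming slugs can be renamed or reused. The type's declaration continues past both hunks, so whether these values are checked against `tenantId`/`workspaceId` where the context is built is not visible here.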
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/gateway.contract.ts"],"names":[],"mappings":";AA2IO,SAAS,wBACd,WAAA,EACQ;AACR,EAAA,MAAM,WAAA,GACJ,OAAO,WAAA,CAAY,WAAA,KAAgB,WAC/B,WAAA,CAAY,WAAA,CAAY,MAAK,GAC7B,EAAA;AACN,EAAA,IAAI,WAAA,CAAY,SAAS,CAAA,EAAG;AAC1B,IAAA,OAAO,WAAA;AAAA,EACT;AACA,EAAA,MAAM,IAAI,MAAM,sDAAsD,CAAA;AACxE","file":"gateway.contract.js","sourcesContent":["/**\n * Gateway contract types — shared between Stack's gateway middleware and\n * Lucern's server-core / gateway route handlers.\n *\n * These types describe the authenticated request context that flows from\n * the gateway into Lucern route handlers. The gateway (Stack-side) creates\n * the context; Lucern consumes it read-only.\n *\n * @module @lucern/contracts/src/gateway\n */\n\nimport type {\n SessionAuthMode,\n SessionDelegationHop,\n SessionPrincipalType,\n} from \"./auth-session.contract\";\n\n// ---------------------------------------------------------------------------\n// Error codes\n// ---------------------------------------------------------------------------\n\nexport type PlatformApiErrorCode =\n | \"AUTH_REQUIRED\"\n | \"AUTHENTICATION_REQUIRED\"\n | \"AUTH_TOKEN_MISSING\"\n | \"INVALID_REQUEST\"\n | \"IDEMPOTENCY_KEY_REQUIRED\"\n | \"FORBIDDEN\"\n | \"SCOPE_INSUFFICIENT\"\n | \"ENVIRONMENT_MISMATCH\"\n | \"KEY_EXPIRED\"\n | \"KEY_REVOKED\"\n | \"RATE_LIMIT_EXCEEDED\"\n | \"NOT_FOUND\"\n | \"CONFLICT\"\n | \"UPSTREAM_ERROR\"\n | \"INTERNAL_ERROR\";\n\n// ---------------------------------------------------------------------------\n// Gateway scope and environment\n// ---------------------------------------------------------------------------\n\nexport type GatewayScope = {\n tenantId?: string;\n workspaceId?: string;\n};\n\nexport type GatewayEnvironment = \"sandbox\" | \"production\";\n\nexport type GatewayAuthMode =\n | \"interactive_user\"\n | \"service_principal\"\n | \"tenant_api_key\"\n | \"session_token\";\n\nexport type KeyLifecycleStatus =\n | \"active\"\n | \"rotating\"\n | 
\"rotated\"\n | \"expired\"\n | \"revoked\";\n\nexport type CutoverDomain =\n | \"graph\"\n | \"schema\"\n | \"identity\"\n | \"policy\"\n | \"audit\"\n | \"admin\"\n | \"agent\"\n | \"tool\"\n | \"prompt\"\n | \"intelligence\";\n\nexport type CutoverFlagState = \"legacy\" | \"cutover\" | \"disabled\";\n\n// ---------------------------------------------------------------------------\n// Gateway auth context — the canonical authenticated request shape\n// ---------------------------------------------------------------------------\n\n/**\n * Authenticated request context created by the gateway middleware.\n * Lucern route handlers receive this as a read-only parameter.\n *\n * The `convex` field is typed as `unknown` in the contract because Lucern\n * consumers should not use the gateway's Convex client directly — they\n * have their own kernel client. The gateway (Stack-side) narrows this to\n * `ConvexHttpClient` at the construction site.\n */\nexport type GatewayAuthContext = {\n userId: string;\n convexToken?: string;\n /** Opaque in contract — narrowed to ConvexHttpClient at the gateway. 
*/\n convex: any; // eslint-disable-line @typescript-eslint/no-explicit-any\n authMode: GatewayAuthMode;\n principalId?: string;\n principalType?: SessionPrincipalType;\n tenantId?: string;\n workspaceId?: string;\n roles?: string[];\n sessionId?: string;\n sessionAuthMode?: SessionAuthMode;\n sessionExpiresAt?: number;\n delegationChain?: SessionDelegationHop[];\n servicePrincipalId?: string;\n servicePrincipalKeyId?: string;\n servicePrincipalTenantId?: string;\n servicePrincipalWorkspaceId?: string;\n requestEnvironment: GatewayEnvironment;\n keyEnvironment?: GatewayEnvironment;\n keyStatus: KeyLifecycleStatus | \"unknown\";\n grantedScopes: Set<string>;\n cutoverDomain: CutoverDomain;\n cutoverState: CutoverFlagState;\n};\n\n// ---------------------------------------------------------------------------\n// Gateway response helpers — portable (no Next.js dependency)\n// ---------------------------------------------------------------------------\n\nexport type GatewayErrorArgs = {\n code: PlatformApiErrorCode;\n message: string;\n status: number;\n correlationId: string;\n policyTraceId?: string;\n invariant?: string;\n suggestion?: string;\n details?: unknown;\n headers?: HeadersInit;\n};\n\nexport type GatewaySuccessArgs = {\n status?: number;\n correlationId: string;\n policyTraceId?: string;\n idempotentReplay?: boolean;\n};\n\nexport function requireActorPrincipalId(\n authContext: GatewayAuthContext\n): string {\n const principalId =\n typeof authContext.principalId === \"string\"\n ? authContext.principalId.trim()\n : \"\";\n if (principalId.length > 0) {\n return principalId;\n }\n throw new Error(\"Access denied: federated principal context required.\");\n}\n"]}
1
+ {"version":3,"sources":["../src/gateway.contract.ts"],"names":[],"mappings":";AAgJO,SAAS,wBACd,WAAA,EACQ;AACR,EAAA,MAAM,WAAA,GACJ,OAAO,WAAA,CAAY,WAAA,KAAgB,WAC/B,WAAA,CAAY,WAAA,CAAY,MAAK,GAC7B,EAAA;AACN,EAAA,IAAI,WAAA,CAAY,SAAS,CAAA,EAAG;AAC1B,IAAA,OAAO,WAAA;AAAA,EACT;AACA,EAAA,MAAM,IAAI,MAAM,sDAAsD,CAAA;AACxE","file":"gateway.contract.js","sourcesContent":["/**\n * Gateway contract types — shared between Stack's gateway middleware and\n * Lucern's server-core / gateway route handlers.\n *\n * These types describe the authenticated request context that flows from\n * the gateway into Lucern route handlers. The gateway (Stack-side) creates\n * the context; Lucern consumes it read-only.\n *\n * @module @lucern/contracts/src/gateway\n */\n\nimport type {\n SessionAuthMode,\n SessionDelegationHop,\n SessionPrincipalType,\n} from \"./auth-session.contract\";\n\n// ---------------------------------------------------------------------------\n// Error codes\n// ---------------------------------------------------------------------------\n\nexport type PlatformApiErrorCode =\n | \"AUTH_REQUIRED\"\n | \"AUTHENTICATION_REQUIRED\"\n | \"AUTH_TOKEN_MISSING\"\n | \"INVALID_REQUEST\"\n | \"IDEMPOTENCY_KEY_REQUIRED\"\n | \"FORBIDDEN\"\n | \"SCOPE_INSUFFICIENT\"\n | \"ENVIRONMENT_MISMATCH\"\n | \"KEY_EXPIRED\"\n | \"KEY_REVOKED\"\n | \"RATE_LIMIT_EXCEEDED\"\n | \"NOT_FOUND\"\n | \"CONFLICT\"\n | \"UPSTREAM_ERROR\"\n | \"INTERNAL_ERROR\";\n\n// ---------------------------------------------------------------------------\n// Gateway scope and environment\n// ---------------------------------------------------------------------------\n\nexport type GatewayScope = {\n tenantId?: string;\n workspaceId?: string;\n};\n\nexport type GatewayEnvironment = \"sandbox\" | \"production\";\n\nexport type GatewayAuthMode =\n | \"interactive_user\"\n | \"service_principal\"\n | \"tenant_api_key\"\n | \"session_token\";\n\nexport type KeyLifecycleStatus =\n | \"active\"\n | \"rotating\"\n | 
\"rotated\"\n | \"expired\"\n | \"revoked\";\n\nexport type CutoverDomain =\n | \"graph\"\n | \"schema\"\n | \"identity\"\n | \"policy\"\n | \"audit\"\n | \"admin\"\n | \"agent\"\n | \"tool\"\n | \"prompt\"\n | \"intelligence\";\n\nexport type CutoverFlagState = \"legacy\" | \"cutover\" | \"disabled\";\n\n// ---------------------------------------------------------------------------\n// Gateway auth context — the canonical authenticated request shape\n// ---------------------------------------------------------------------------\n\n/**\n * Authenticated request context created by the gateway middleware.\n * Lucern route handlers receive this as a read-only parameter.\n *\n * The `convex` field is typed as `unknown` in the contract because Lucern\n * consumers should not use the gateway's Convex client directly — they\n * have their own kernel client. The gateway (Stack-side) narrows this to\n * `ConvexHttpClient` at the construction site.\n */\nexport type GatewayAuthContext = {\n userId: string;\n clerkId?: string;\n convexToken?: string;\n /** Opaque in contract — narrowed to ConvexHttpClient at the gateway. 
*/\n convex: any; // eslint-disable-line @typescript-eslint/no-explicit-any\n authMode: GatewayAuthMode;\n principalId?: string;\n principalType?: SessionPrincipalType;\n tenantId?: string;\n tenantSlug?: string;\n workspaceId?: string;\n workspaceSlug?: string;\n workspaceKey?: string;\n roles?: string[];\n membershipId?: string;\n sessionId?: string;\n sessionAuthMode?: SessionAuthMode;\n sessionExpiresAt?: number;\n delegationChain?: SessionDelegationHop[];\n servicePrincipalId?: string;\n servicePrincipalKeyId?: string;\n servicePrincipalTenantId?: string;\n servicePrincipalWorkspaceId?: string;\n requestEnvironment: GatewayEnvironment;\n keyEnvironment?: GatewayEnvironment;\n keyStatus: KeyLifecycleStatus | \"unknown\";\n grantedScopes: Set<string>;\n cutoverDomain: CutoverDomain;\n cutoverState: CutoverFlagState;\n};\n\n// ---------------------------------------------------------------------------\n// Gateway response helpers — portable (no Next.js dependency)\n// ---------------------------------------------------------------------------\n\nexport type GatewayErrorArgs = {\n code: PlatformApiErrorCode;\n message: string;\n status: number;\n correlationId: string;\n policyTraceId?: string;\n invariant?: string;\n suggestion?: string;\n details?: unknown;\n headers?: HeadersInit;\n};\n\nexport type GatewaySuccessArgs = {\n status?: number;\n correlationId: string;\n policyTraceId?: string;\n idempotentReplay?: boolean;\n};\n\nexport function requireActorPrincipalId(\n authContext: GatewayAuthContext\n): string {\n const principalId =\n typeof authContext.principalId === \"string\"\n ? authContext.principalId.trim()\n : \"\";\n if (principalId.length > 0) {\n return principalId;\n }\n throw new Error(\"Access denied: federated principal context required.\");\n}\n"]}
@@ -3,11 +3,11 @@ import { GenericSchema } from 'convex/server';
3
3
 
4
4
  type GeneratedSchemaTables = GenericSchema;
5
5
  declare const KERNEL_SCHEMA_TABLES: GeneratedSchemaTables;
6
- declare const IDENTITY_SCHEMA_TABLES: GeneratedSchemaTables;
6
+ declare const CONTROL_PLANE_SCHEMA_TABLES: GeneratedSchemaTables;
7
7
  declare const MC_SCHEMA_TABLES: GeneratedSchemaTables;
8
8
  declare const DEVELOPER_PACK_SCHEMA_TABLES: GeneratedSchemaTables;
9
9
  declare const EMPTY_SCHEMA_TABLES: GeneratedSchemaTables;
10
- declare const IDENTITY_TIER_SCHEMA_TABLES: GeneratedSchemaTables;
10
+ declare const CONTROL_PLANE_TIER_SCHEMA_TABLES: GeneratedSchemaTables;
11
11
  declare const KERNEL_TIER_SCHEMA_TABLES: GeneratedSchemaTables;
12
12
  declare const KERNEL_COMPONENT_TIER_SCHEMA_TABLES: GeneratedSchemaTables;
13
13
  declare const STACK_TIER_SCHEMA_TABLES: GeneratedSchemaTables;
@@ -17,4 +17,4 @@ declare const FULL_TIER_SCHEMA_TABLES: GeneratedSchemaTables;
17
17
  declare const TIER_SCHEMA_TABLES: Record<string, GeneratedSchemaTables>;
18
18
  declare const _default: convex_server.SchemaDefinition<GenericSchema, true>;
19
19
 
20
- export { DEVELOPER_PACK_SCHEMA_TABLES, EMPTY_SCHEMA_TABLES, FULL_TIER_SCHEMA_TABLES, IDENTITY_SCHEMA_TABLES, IDENTITY_TIER_SCHEMA_TABLES, KERNEL_COMPONENT_TIER_SCHEMA_TABLES, KERNEL_SCHEMA_TABLES, KERNEL_TIER_SCHEMA_TABLES, MC_SCHEMA_TABLES, MC_TIER_SCHEMA_TABLES, STACK_TIER_SCHEMA_TABLES, STACK_V2_TIER_SCHEMA_TABLES, TIER_SCHEMA_TABLES, _default as default };
20
+ export { CONTROL_PLANE_SCHEMA_TABLES, CONTROL_PLANE_TIER_SCHEMA_TABLES, DEVELOPER_PACK_SCHEMA_TABLES, EMPTY_SCHEMA_TABLES, FULL_TIER_SCHEMA_TABLES, KERNEL_COMPONENT_TIER_SCHEMA_TABLES, KERNEL_SCHEMA_TABLES, KERNEL_TIER_SCHEMA_TABLES, MC_SCHEMA_TABLES, MC_TIER_SCHEMA_TABLES, STACK_TIER_SCHEMA_TABLES, STACK_V2_TIER_SCHEMA_TABLES, TIER_SCHEMA_TABLES, _default as default };