@lucern/contracts 0.3.0-alpha.10 → 0.3.0-alpha.12

Files changed (234)
  1. package/dist/api-enums.contract.d.ts +5 -3
  2. package/dist/api-enums.contract.js +14 -12
  3. package/dist/api-enums.contract.js.map +1 -1
  4. package/dist/component-boundary.contract.d.ts +1 -1
  5. package/dist/component-boundary.contract.js +45 -26
  6. package/dist/component-boundary.contract.js.map +1 -1
  7. package/dist/component-host-boundary.contract.d.ts +10 -5
  8. package/dist/component-host-boundary.contract.js +10 -4
  9. package/dist/component-host-boundary.contract.js.map +1 -1
  10. package/dist/{defineTable-CBQ03FXl.d.ts → defineTable-t1wr5wgn.d.ts} +1 -1
  11. package/dist/{dsl-djCRfuWC.d.ts → dsl-DVPthQGY.d.ts} +1 -1
  12. package/dist/dsl.d.ts +2 -2
  13. package/dist/dsl.js.map +1 -1
  14. package/dist/function-registry/beliefs.d.ts +13 -0
  15. package/dist/function-registry/beliefs.js +50 -7
  16. package/dist/function-registry/beliefs.js.map +1 -1
  17. package/dist/function-registry/coding.d.ts +9 -0
  18. package/dist/function-registry/coding.js +117 -8
  19. package/dist/function-registry/coding.js.map +1 -1
  20. package/dist/function-registry/context.d.ts +6 -0
  21. package/dist/function-registry/context.js +50 -7
  22. package/dist/function-registry/context.js.map +1 -1
  23. package/dist/function-registry/contracts.d.ts +6 -0
  24. package/dist/function-registry/contracts.js +50 -7
  25. package/dist/function-registry/contracts.js.map +1 -1
  26. package/dist/function-registry/coordination.d.ts +12 -0
  27. package/dist/function-registry/coordination.js +50 -7
  28. package/dist/function-registry/coordination.js.map +1 -1
  29. package/dist/function-registry/edges.d.ts +9 -0
  30. package/dist/function-registry/edges.js +54 -14
  31. package/dist/function-registry/edges.js.map +1 -1
  32. package/dist/function-registry/evidence.d.ts +11 -0
  33. package/dist/function-registry/evidence.js +53 -11
  34. package/dist/function-registry/evidence.js.map +1 -1
  35. package/dist/function-registry/graph.d.ts +18 -0
  36. package/dist/function-registry/graph.js +50 -7
  37. package/dist/function-registry/graph.js.map +1 -1
  38. package/dist/function-registry/helpers.d.ts +4 -1
  39. package/dist/function-registry/helpers.js +51 -8
  40. package/dist/function-registry/helpers.js.map +1 -1
  41. package/dist/function-registry/identity.d.ts +6 -0
  42. package/dist/function-registry/identity.js +50 -7
  43. package/dist/function-registry/identity.js.map +1 -1
  44. package/dist/function-registry/index.d.ts +8 -320
  45. package/dist/function-registry/index.js +54 -384
  46. package/dist/function-registry/index.js.map +1 -1
  47. package/dist/function-registry/judgments.d.ts +5 -0
  48. package/dist/function-registry/judgments.js +50 -7
  49. package/dist/function-registry/judgments.js.map +1 -1
  50. package/dist/function-registry/legacy.d.ts +4 -0
  51. package/dist/function-registry/legacy.js +50 -7
  52. package/dist/function-registry/legacy.js.map +1 -1
  53. package/dist/function-registry/lenses.d.ts +7 -0
  54. package/dist/function-registry/lenses.js +50 -7
  55. package/dist/function-registry/lenses.js.map +1 -1
  56. package/dist/function-registry/nodes.d.ts +412 -0
  57. package/dist/function-registry/nodes.js +5303 -0
  58. package/dist/function-registry/nodes.js.map +1 -0
  59. package/dist/function-registry/ontologies.d.ts +14 -0
  60. package/dist/function-registry/ontologies.js +50 -7
  61. package/dist/function-registry/ontologies.js.map +1 -1
  62. package/dist/function-registry/pipeline.d.ts +6 -0
  63. package/dist/function-registry/pipeline.js +50 -7
  64. package/dist/function-registry/pipeline.js.map +1 -1
  65. package/dist/function-registry/questions.d.ts +15 -0
  66. package/dist/function-registry/questions.js +50 -7
  67. package/dist/function-registry/questions.js.map +1 -1
  68. package/dist/function-registry/tasks.d.ts +7 -0
  69. package/dist/function-registry/tasks.js +69 -16
  70. package/dist/function-registry/tasks.js.map +1 -1
  71. package/dist/function-registry/topics.d.ts +10 -0
  72. package/dist/function-registry/topics.js +50 -7
  73. package/dist/function-registry/topics.js.map +1 -1
  74. package/dist/function-registry/types.d.ts +5 -1
  75. package/dist/function-registry/worktrees.d.ts +14 -0
  76. package/dist/function-registry/worktrees.js +50 -7
  77. package/dist/function-registry/worktrees.js.map +1 -1
  78. package/dist/gateway.contract.d.ts +3 -0
  79. package/dist/gateway.contract.js.map +1 -1
  80. package/dist/generated/convexSchemas.d.ts +3 -3
  81. package/dist/generated/convexSchemas.js +35 -16
  82. package/dist/generated/convexSchemas.js.map +1 -1
  83. package/dist/generated/infisicalRuntimeEnv.d.ts +70 -0
  84. package/dist/generated/infisicalRuntimeEnv.js +26818 -0
  85. package/dist/generated/infisicalRuntimeEnv.js.map +1 -0
  86. package/dist/generated/lucernGatewayEnv.d.ts +17 -0
  87. package/dist/generated/lucernGatewayEnv.js +38 -0
  88. package/dist/generated/lucernGatewayEnv.js.map +1 -0
  89. package/dist/generated/lucernWebPublicEnv.d.ts +26 -0
  90. package/dist/generated/lucernWebPublicEnv.js +32 -0
  91. package/dist/generated/lucernWebPublicEnv.js.map +1 -0
  92. package/dist/generated/lucernWebServerEnv.d.ts +33 -0
  93. package/dist/generated/lucernWebServerEnv.js +51 -0
  94. package/dist/generated/lucernWebServerEnv.js.map +1 -0
  95. package/dist/generated/schema-manifest.json +1165 -150
  96. package/dist/generated/tableOwnership.d.ts +46 -27
  97. package/dist/generated/tableOwnership.js +64 -26
  98. package/dist/generated/tableOwnership.js.map +1 -1
  99. package/dist/generated/tier-expectations.json +60 -8
  100. package/dist/{index-O09U2xHk.d.ts → index-CM1Pl_vI.d.ts} +3 -3
  101. package/dist/index.d.ts +9 -4
  102. package/dist/index.js +31371 -381
  103. package/dist/index.js.map +1 -1
  104. package/dist/infisical-runtime.contract.d.ts +1623 -3
  105. package/dist/infisical-runtime.contract.js +2819 -12
  106. package/dist/infisical-runtime.contract.js.map +1 -1
  107. package/dist/manifests/infisical-runtime-manifest.d.ts +1550 -3
  108. package/dist/manifests/infisical-runtime-manifest.js +2672 -9
  109. package/dist/manifests/infisical-runtime-manifest.js.map +1 -1
  110. package/dist/manifests/tenant-client-manifest.d.ts +11 -11
  111. package/dist/manifests/tenant-client-manifest.js +11 -11
  112. package/dist/manifests/tenant-client-manifest.js.map +1 -1
  113. package/dist/mcp-gateway-boundary.contract.d.ts +23 -3
  114. package/dist/mcp-gateway-boundary.contract.js +2 -0
  115. package/dist/mcp-gateway-boundary.contract.js.map +1 -1
  116. package/dist/permit-principal-projection.contract.d.ts +74 -0
  117. package/dist/permit-principal-projection.contract.js +161 -0
  118. package/dist/permit-principal-projection.contract.js.map +1 -0
  119. package/dist/projections/check-convex-args-shape.js +10 -6
  120. package/dist/projections/check-convex-args-shape.js.map +1 -1
  121. package/dist/projections/create-evidence.projection.d.ts +6 -6
  122. package/dist/projections/create-evidence.projection.js +2 -3
  123. package/dist/projections/create-evidence.projection.js.map +1 -1
  124. package/dist/projections/index.d.ts +3 -3
  125. package/dist/projections/index.js +10 -6
  126. package/dist/projections/index.js.map +1 -1
  127. package/dist/projections/list-tasks.projection.d.ts +20 -8
  128. package/dist/projections/list-tasks.projection.js +8 -3
  129. package/dist/projections/list-tasks.projection.js.map +1 -1
  130. package/dist/proof-attestation.json +45 -0
  131. package/dist/schemas/component-table-manifest.d.ts +6 -6
  132. package/dist/schemas/component-table-manifest.js +2 -2
  133. package/dist/schemas/component-table-manifest.js.map +1 -1
  134. package/dist/schemas/index.d.ts +2 -2
  135. package/dist/schemas/index.js +1088 -137
  136. package/dist/schemas/index.js.map +1 -1
  137. package/dist/schemas/manifest.d.ts +2010 -120
  138. package/dist/schemas/manifest.js +1086 -135
  139. package/dist/schemas/manifest.js.map +1 -1
  140. package/dist/schemas/tables/controlPlane/accessControl.d.ts +260 -0
  141. package/dist/schemas/tables/controlPlane/accessControl.js +655 -0
  142. package/dist/schemas/tables/controlPlane/accessControl.js.map +1 -0
  143. package/dist/schemas/tables/{identity → controlPlane}/agent.d.ts +1 -1
  144. package/dist/schemas/tables/{identity → controlPlane}/agent.js +3 -3
  145. package/dist/schemas/tables/controlPlane/agent.js.map +1 -0
  146. package/dist/schemas/tables/{identity → controlPlane}/epistemic.d.ts +1 -1
  147. package/dist/schemas/tables/{identity → controlPlane}/epistemic.js +3 -3
  148. package/dist/schemas/tables/controlPlane/epistemic.js.map +1 -0
  149. package/dist/schemas/tables/{identity → controlPlane}/model.d.ts +1 -1
  150. package/dist/schemas/tables/{identity → controlPlane}/model.js +6 -6
  151. package/dist/schemas/tables/controlPlane/model.js.map +1 -0
  152. package/dist/schemas/tables/{identity → controlPlane}/platform.d.ts +1 -1
  153. package/dist/schemas/tables/{identity → controlPlane}/platform.js +18 -18
  154. package/dist/schemas/tables/controlPlane/platform.js.map +1 -0
  155. package/dist/schemas/tables/{identity → controlPlane}/project.d.ts +1 -1
  156. package/dist/schemas/tables/{identity → controlPlane}/project.js +3 -3
  157. package/dist/schemas/tables/controlPlane/project.js.map +1 -0
  158. package/dist/schemas/tables/{identity → controlPlane}/user.d.ts +1 -1
  159. package/dist/schemas/tables/{identity → controlPlane}/user.js +3 -3
  160. package/dist/schemas/tables/controlPlane/user.js.map +1 -0
  161. package/dist/schemas/tables/kernel/config.d.ts +1 -1
  162. package/dist/schemas/tables/kernel/config.js.map +1 -1
  163. package/dist/schemas/tables/kernel/coordination.d.ts +1 -1
  164. package/dist/schemas/tables/kernel/coordination.js.map +1 -1
  165. package/dist/schemas/tables/kernel/decision.d.ts +1 -1
  166. package/dist/schemas/tables/kernel/decision.js.map +1 -1
  167. package/dist/schemas/tables/kernel/embedding.d.ts +1 -1
  168. package/dist/schemas/tables/kernel/embedding.js.map +1 -1
  169. package/dist/schemas/tables/kernel/epistemic.d.ts +1 -1
  170. package/dist/schemas/tables/kernel/epistemic.js.map +1 -1
  171. package/dist/schemas/tables/kernel/idempotency.d.ts +1 -1
  172. package/dist/schemas/tables/kernel/idempotency.js.map +1 -1
  173. package/dist/schemas/tables/kernel/infra.d.ts +1 -1
  174. package/dist/schemas/tables/kernel/infra.js.map +1 -1
  175. package/dist/schemas/tables/kernel/intelligence.d.ts +1 -1
  176. package/dist/schemas/tables/kernel/intelligence.js.map +1 -1
  177. package/dist/schemas/tables/kernel/lens.d.ts +1 -1
  178. package/dist/schemas/tables/kernel/lens.js.map +1 -1
  179. package/dist/schemas/tables/kernel/ontology.d.ts +1 -1
  180. package/dist/schemas/tables/kernel/ontology.js.map +1 -1
  181. package/dist/schemas/tables/kernel/platform.d.ts +1 -1
  182. package/dist/schemas/tables/kernel/platform.js.map +1 -1
  183. package/dist/schemas/tables/kernel/spine.d.ts +2 -1
  184. package/dist/schemas/tables/kernel/spine.js +1 -0
  185. package/dist/schemas/tables/kernel/spine.js.map +1 -1
  186. package/dist/schemas/tables/kernel/task.d.ts +1 -1
  187. package/dist/schemas/tables/kernel/task.js.map +1 -1
  188. package/dist/schemas/tables/kernel/topic.d.ts +1 -1
  189. package/dist/schemas/tables/kernel/topic.js.map +1 -1
  190. package/dist/schemas/tables/kernel/workflow.d.ts +1 -1
  191. package/dist/schemas/tables/kernel/workflow.js.map +1 -1
  192. package/dist/schemas/tables/kernel/worktree.d.ts +5 -5
  193. package/dist/schemas/tables/kernel/worktree.js.map +1 -1
  194. package/dist/schemas/tables/mc/identity.d.ts +19 -2
  195. package/dist/schemas/tables/mc/identity.js +32 -1
  196. package/dist/schemas/tables/mc/identity.js.map +1 -1
  197. package/dist/schemas/tables/mc/methodology.d.ts +1 -1
  198. package/dist/schemas/tables/mc/methodology.js.map +1 -1
  199. package/dist/schemas/tables/mc/pack.d.ts +1 -1
  200. package/dist/schemas/tables/mc/pack.js.map +1 -1
  201. package/dist/schemas/tables/mc/policy.d.ts +2 -2
  202. package/dist/schemas/tables/mc/policy.js +1 -1
  203. package/dist/schemas/tables/mc/policy.js.map +1 -1
  204. package/dist/schemas/tables/mc/registry.d.ts +1 -1
  205. package/dist/schemas/tables/mc/registry.js.map +1 -1
  206. package/dist/schemas/tables/mc/runtime.d.ts +109 -3
  207. package/dist/schemas/tables/mc/runtime.js +330 -104
  208. package/dist/schemas/tables/mc/runtime.js.map +1 -1
  209. package/dist/schemas/tables/mc/tenant.d.ts +3 -2
  210. package/dist/schemas/tables/mc/tenant.js +2 -1
  211. package/dist/schemas/tables/mc/tenant.js.map +1 -1
  212. package/dist/schemas/tables/mc/workspace.d.ts +22 -5
  213. package/dist/schemas/tables/mc/workspace.js +34 -2
  214. package/dist/schemas/tables/mc/workspace.js.map +1 -1
  215. package/dist/sdk-tools.contract.js +26 -1
  216. package/dist/sdk-tools.contract.js.map +1 -1
  217. package/dist/tenant-bootstrap-seed.contract.d.ts +226 -58
  218. package/dist/tenant-bootstrap-seed.contract.js +126 -28
  219. package/dist/tenant-bootstrap-seed.contract.js.map +1 -1
  220. package/dist/tenant-bootstrap-seed.defaults.d.ts +1 -1
  221. package/dist/tenant-bootstrap-seed.defaults.js +1 -1
  222. package/dist/tenant-bootstrap-seed.defaults.js.map +1 -1
  223. package/dist/tenant-client.contract.d.ts +12 -12
  224. package/dist/tenant-client.contract.js +11 -11
  225. package/dist/tenant-client.contract.js.map +1 -1
  226. package/dist/tool-contracts.js +26 -1
  227. package/dist/tool-contracts.js.map +1 -1
  228. package/package.json +22 -1
  229. package/dist/schemas/tables/identity/agent.js.map +0 -1
  230. package/dist/schemas/tables/identity/epistemic.js.map +0 -1
  231. package/dist/schemas/tables/identity/model.js.map +0 -1
  232. package/dist/schemas/tables/identity/platform.js.map +0 -1
  233. package/dist/schemas/tables/identity/project.js.map +0 -1
  234. package/dist/schemas/tables/identity/user.js.map +0 -1
@@ -43,7 +43,7 @@ var TENANT_CLIENT_INSTALLABLE_PACKAGES = [
43
43
  },
44
44
  {
45
45
  packageName: "@lucern/control-plane",
46
- role: "platform_runtime",
46
+ role: "component_runtime",
47
47
  directTenantImport: false
48
48
  },
49
49
  {
@@ -66,11 +66,6 @@ var TENANT_CLIENT_INSTALLABLE_PACKAGES = [
66
66
  role: "host_addon_runtime",
67
67
  directTenantImport: true
68
68
  },
69
- {
70
- packageName: "@lucern/identity",
71
- role: "component_runtime",
72
- directTenantImport: false
73
- },
74
69
  {
75
70
  packageName: "@lucern/mcp",
76
71
  role: "runtime_entrypoint",
@@ -106,6 +101,11 @@ var TENANT_CLIENT_INSTALLABLE_PACKAGES = [
106
101
  role: "runtime_entrypoint",
107
102
  directTenantImport: true
108
103
  },
104
+ {
105
+ packageName: "@lucern/secrets",
106
+ role: "sdk_dependency",
107
+ directTenantImport: false
108
+ },
109
109
  {
110
110
  packageName: "@lucern/server-core",
111
111
  role: "platform_runtime",
@@ -127,7 +127,7 @@ TENANT_CLIENT_INSTALLABLE_PACKAGES.map(
127
127
  );
128
128
 
129
129
  // src/infisical-runtime.contract.ts
130
- var INFISICAL_RUNTIME_CONTRACT_VERSION = "2026-04-28";
130
+ var INFISICAL_RUNTIME_CONTRACT_VERSION = "2026-05-06";
131
131
  var INFISICAL_RUNTIME_DEFAULT_API_URL = "https://app.infisical.com";
132
132
  var INFISICAL_RUNTIME_DEFAULT_PROJECT_ID = "344b0526-90df-4606-ba50-22c647a36c65";
133
133
  var INFISICAL_RUNTIME_ENVIRONMENTS = [
@@ -140,6 +140,59 @@ var INFISICAL_RUNTIME_DELIVERY_MODES = [
140
140
  "runtime_fetch",
141
141
  "device_auth"
142
142
  ];
143
+ var INFISICAL_VERCEL_DESTINATION_ENVIRONMENTS = [
144
+ "development",
145
+ "preview",
146
+ "staging",
147
+ "production"
148
+ ];
149
+ var INFISICAL_VERCEL_TARGETS = [
150
+ "development",
151
+ "preview",
152
+ "production"
153
+ ];
154
+ var INFISICAL_CONVEX_TIERS = ["preprod", "prod"];
155
+ var INFISICAL_CONVEX_TIER_BY_VERCEL_ENVIRONMENT = {
156
+ development: "preprod",
157
+ preview: "preprod",
158
+ staging: "preprod",
159
+ production: "prod"
160
+ };
161
+ var INFISICAL_VERCEL_SYNC_RECONCILIATION = {
162
+ sourceOfTruth: "infisical",
163
+ writer: "vercel_api",
164
+ disableSecretDeletion: false,
165
+ pruneDestinationKeys: true
166
+ };
167
+ var INFISICAL_VERCEL_SYNC_DESTINATIONS = [
168
+ {
169
+ environment: "development",
170
+ vercelTarget: "development",
171
+ convexTier: "preprod"
172
+ },
173
+ {
174
+ environment: "preview",
175
+ vercelTarget: "preview",
176
+ convexTier: "preprod"
177
+ },
178
+ {
179
+ environment: "staging",
180
+ vercelTarget: "preview",
181
+ convexTier: "preprod",
182
+ customEnvironmentSlug: "staging",
183
+ customEnvironmentIdsByProjectName: {
184
+ stackos: "env_RbS0TYRRvWISTje8qR4u2lRg7TC8"
185
+ },
186
+ domainsByProjectName: {
187
+ stackos: "staging.stack.vc"
188
+ }
189
+ },
190
+ {
191
+ environment: "production",
192
+ vercelTarget: "production",
193
+ convexTier: "prod"
194
+ }
195
+ ];
143
196
  var INFISICAL_RUNTIME_SURFACE_IDS = [
144
197
  "lucern-web",
145
198
  "lucern-gateway",
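Review bot: The `staging` entry of `INFISICAL_VERCEL_SYNC_DESTINATIONS` hard-codes one tenant's Vercel custom-environment id and staging hostname (`customEnvironmentIdsByProjectName` and `domainsByProjectName` for `stackos`) into a contract that ships in a public registry package. These are identifiers rather than credentials, but publishing them exposes a customer's deployment layout to anyone who installs the package, so they would be better loaded from private configuration, with the contract keeping only the field shape, e.g. `customEnvironmentIdsByProjectName: {}`. The hunk at `@@ -303,15 +436,2689 @@` adds Vercel team and project ids and Convex deployment names in `INFISICAL_TENANT_SOFTWARE_SYSTEMS` and has the same issue; that hunk continues past the visible part of the page. Separately, `INFISICAL_VERCEL_SYNC_RECONCILIATION` pairs `disableSecretDeletion: false` with `pruneDestinationKeys: true` and deserves a comment such as `// destructive: keys present in Vercel but absent from Infisical are removed on sync`, once that reading of the flags is confirmed. This file is build output, so the change belongs in `src/infisical-runtime.contract.ts`, which the banner comment names.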
@@ -165,6 +218,78 @@ var INFISICAL_RUNTIME_BOOTSTRAP_ENV = {
165
218
  organizationSlug: ["INFISICAL_ORG_SLUG", "INFISICAL_ORGANIZATION_SLUG"],
166
219
  disabled: ["LUCERN_INFISICAL_DISABLE", "INFISICAL_DISABLE"]
167
220
  };
221
+ var INFISICAL_RUNTIME_CONTROL_ENV = [
222
+ {
223
+ name: "NODE_ENV",
224
+ category: "framework",
225
+ description: "Node/Next runtime mode. Framework-owned, not written by Infisical."
226
+ },
227
+ {
228
+ name: "CI",
229
+ category: "ci",
230
+ description: "CI execution signal. Workflow-owned, not written by Infisical."
231
+ },
232
+ {
233
+ name: "VERCEL",
234
+ category: "vercel",
235
+ description: "Vercel runtime signal. Platform-owned, not written by Infisical."
236
+ },
237
+ {
238
+ name: "VERCEL_ENV",
239
+ category: "vercel",
240
+ description: "Vercel environment label used for build/runtime selection."
241
+ },
242
+ {
243
+ name: "VERCEL_URL",
244
+ category: "vercel",
245
+ description: "Vercel deployment URL supplied by Vercel for previews and builds."
246
+ },
247
+ {
248
+ name: "VERCEL_GIT_COMMIT_SHA",
249
+ category: "vercel",
250
+ description: "Vercel git metadata used for release labels. Platform-owned, not written by Infisical."
251
+ },
252
+ {
253
+ name: "NEXT_RUNTIME",
254
+ category: "nextjs",
255
+ description: "Next.js runtime selector for node/edge instrumentation modules."
256
+ },
257
+ {
258
+ name: "PORT",
259
+ category: "framework",
260
+ description: "Local/server port supplied by the runtime process manager."
261
+ },
262
+ {
263
+ name: "HOST",
264
+ category: "framework",
265
+ description: "Local/server host supplied by the runtime process manager."
266
+ },
267
+ {
268
+ name: "APP_URL",
269
+ category: "compatibility",
270
+ description: "Legacy local app URL fallback. Prefer LUCERN_LOGIN_BASE_URL or LUCERN_API_URL."
271
+ },
272
+ {
273
+ name: "NEXT_PUBLIC_APP_URL",
274
+ category: "compatibility",
275
+ description: "Legacy public app URL fallback. Prefer LUCERN_LOGIN_BASE_URL or LUCERN_API_URL."
276
+ },
277
+ {
278
+ name: "CLAUDE_PROJECT_DIR",
279
+ category: "agent_local",
280
+ description: "Local agent workspace hint. Agent-runtime-owned, not written by Infisical."
281
+ },
282
+ {
283
+ name: "HOME",
284
+ category: "os",
285
+ description: "Operating-system home directory used only for local credential discovery."
286
+ },
287
+ {
288
+ name: "USERPROFILE",
289
+ category: "os",
290
+ description: "Windows home directory used only for local credential discovery."
291
+ }
292
+ ];
168
293
  var INFISICAL_RUNTIME_PATHS = [
169
294
  {
170
295
  id: "platform-auth",
@@ -236,6 +361,13 @@ var INFISICAL_RUNTIME_PATHS = [
236
361
  public: false,
237
362
  aliases: ["LUCERN_ENV"],
238
363
  description: "Lucern environment label consumed by CLI profiles."
364
+ },
365
+ {
366
+ name: "LUCERN_CLI_SESSION_TTL_MS",
367
+ required: false,
368
+ secret: false,
369
+ public: false,
370
+ description: "Optional web-issued CLI login session lifetime override in milliseconds."
239
371
  }
240
372
  ]
241
373
  },
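Review bot: The new `LUCERN_CLI_SESSION_TTL_MS` entry declares a session-lifetime override without stating any bounds, so nothing in the contract tells a consumer which values are acceptable. The code that reads the variable is not on this page; if it uses the value unclamped, a mistyped or oversized number would lengthen every web-issued CLI login session. I would extend the description to something like `description: "Optional web-issued CLI login session lifetime override in milliseconds; readers must reject non-integer values and clamp to a documented maximum."` and check that the reader enforces it. The enclosing path definition starts before this hunk.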
@@ -265,9 +397,10 @@ var INFISICAL_RUNTIME_SURFACES = [
265
397
  {
266
398
  id: "lucern-gateway",
267
399
  delivery: "vercel_sync",
400
+ fallback: "runtime_fetch",
268
401
  sourcePathIds: ["platform-auth", "platform-runtime"],
269
402
  consumer: "apps/gateway on Vercel project lucern-gateway",
270
- description: "Lucern gateway consumes platform config via Infisical-to-Vercel syncs."
403
+ description: "Lucern gateway consumes platform config via Infisical-to-Vercel syncs and may self-hydrate from Infisical when the host environment has scoped bootstrap credentials."
271
404
  },
272
405
  {
273
406
  id: "lucern-sdk",
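Review bot: Adding `fallback: "runtime_fetch"` to the `lucern-gateway` surface means the gateway host may now hold Infisical bootstrap credentials, and the phrase "scoped bootstrap credentials" in the description is the only statement of what those credentials may reach. The contract should state the scope explicitly, for example by ending the description with `Bootstrap credentials must be read-only and limited to the listed sourcePathIds.`, which here are `platform-auth` and `platform-runtime`. It is also worth documenting when the fallback is taken, since a gateway that switches from synced values to a live fetch changes which system is authoritative for its secrets. That behaviour is not visible in this hunk.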
@@ -303,15 +436,2689 @@ var INFISICAL_RUNTIME_SURFACES = [
303
436
  description: "Tenant clients install the published packages and receive user/service credentials through Lucern auth surfaces."
304
437
  }
305
438
  ];
439
+ var INFISICAL_TENANT_SOFTWARE_SYSTEMS = [
440
+ {
441
+ id: "stack-frontend",
442
+ tenantKey: "stack",
443
+ workspaceKey: "frontend",
444
+ vercelProjectName: "ai-chatbot-diao",
445
+ vercelTeamId: "team_mZBKwvXSSu7qxrWdg2go29sK",
446
+ vercelProjectId: "prj_PihFw8kohSSw14nZs9YQV3xVo517",
447
+ repository: {
448
+ owner: "stack-vc",
449
+ name: "front-end"
450
+ },
451
+ sharedSourcePath: "/tenants/stack",
452
+ sharedVariablePolicy: "tenant_shared_all_systems",
453
+ convex: {
454
+ urlEnv: "CONVEX_FRONTEND_URL",
455
+ deployKeyEnv: "CONVEX_FRONTEND_DEPLOY_KEY",
456
+ preprodDeployment: "rugged-lobster-664",
457
+ prodDeployment: "wonderful-toucan-0"
458
+ }
459
+ },
460
+ {
461
+ id: "stackos",
462
+ tenantKey: "stack",
463
+ workspaceKey: "stackos",
464
+ vercelProjectName: "stackos",
465
+ vercelTeamId: "team_mZBKwvXSSu7qxrWdg2go29sK",
466
+ vercelProjectId: "prj_rXLAL0Z6v9p1fasKbomby6GI7kau",
467
+ repository: {
468
+ owner: "stack-vc",
469
+ name: "stackos"
470
+ },
471
+ sharedSourcePath: "/tenants/stack",
472
+ sharedVariablePolicy: "tenant_shared_all_systems",
473
+ convex: {
474
+ urlEnv: "CONVEX_STACKOS_URL",
475
+ deployKeyEnv: "CONVEX_STACKOS_DEPLOY_KEY",
476
+ preprodDeployment: "giant-mandrill-761",
477
+ prodDeployment: "good-snake-515"
478
+ }
479
+ },
480
+ {
481
+ id: "stack-eng",
482
+ tenantKey: "stack",
483
+ workspaceKey: "engineering",
484
+ vercelProjectName: "stackos-engineering-graph",
485
+ vercelTeamId: "team_mZBKwvXSSu7qxrWdg2go29sK",
486
+ vercelProjectId: "prj_zAU0Zn9GkbHjHI63dxW4vLpmoqTJ",
487
+ repository: {
488
+ owner: "stack-vc",
489
+ name: "stackos-engineering-graph"
490
+ },
491
+ sharedSourcePath: "/tenants/stack/engineering",
492
+ sharedVariablePolicy: "tenant_shared_all_systems",
493
+ convex: {
494
+ urlEnv: "CONVEX_STACK_ENG_URL",
495
+ deployKeyEnv: "CONVEX_STACK_ENG_DEPLOY_KEY",
496
+ preprodDeployment: "small-oyster-270",
497
+ prodDeployment: "bold-cuttlefish-804"
498
+ }
499
+ },
500
+ {
501
+ id: "lucern-graph",
502
+ tenantKey: "lucern",
503
+ workspaceKey: "lucern",
504
+ vercelProjectName: "lucern-graph",
505
+ vercelTeamId: "team_vTHxxs8GAoAFUe6RWMlYt7fY",
506
+ vercelProjectId: "prj_KJ8EKV8vGM5xURpqmwTwmECEGPgQ",
507
+ repository: {
508
+ owner: "LucernAI",
509
+ name: "lucern-graph"
510
+ },
511
+ sharedSourcePath: "/tenants/lucern/shared",
512
+ sharedVariablePolicy: "tenant_shared_all_systems",
513
+ convex: {
514
+ urlEnv: "CONVEX_LUCERN_URL",
515
+ deployKeyEnv: "CONVEX_LUCERN_DEPLOY_KEY",
516
+ preprodDeployment: "good-blackbird-774",
517
+ prodDeployment: "precious-dog-365"
518
+ }
519
+ }
520
+ ];
521
+ function findInfisicalTenantSoftwareSystem(systemId) {
522
+ return INFISICAL_TENANT_SOFTWARE_SYSTEMS.find(
523
+ (system) => system.id === systemId
524
+ );
525
+ }
526
+ function tenantSoftwareSystemConvexEnvNames(systemId) {
527
+ const system = findInfisicalTenantSoftwareSystem(systemId);
528
+ if (!system) {
529
+ throw new Error(`Unknown tenant software system: ${systemId}.`);
530
+ }
531
+ return [system.convex.urlEnv, system.convex.deployKeyEnv];
532
+ }
533
+ function tenantSoftwareSystemOwnsConvexEnvName(systemId, envName) {
534
+ return tenantSoftwareSystemConvexEnvNames(systemId).includes(envName);
535
+ }
536
+ function convexTierForVercelDestinationEnvironment(environment) {
537
+ return INFISICAL_CONVEX_TIER_BY_VERCEL_ENVIRONMENT[environment];
538
+ }
539
+ function findInfisicalVercelSyncDestination(environment) {
540
+ return INFISICAL_VERCEL_SYNC_DESTINATIONS.find(
541
+ (destination) => destination.environment === environment
542
+ );
543
+ }
544
+ function vercelCustomEnvironmentIdForTenantSoftwareSystem(systemId, environment) {
545
+ const system = findInfisicalTenantSoftwareSystem(systemId);
546
+ const destination = findInfisicalVercelSyncDestination(environment);
547
+ if (!system || !destination) {
548
+ return void 0;
549
+ }
550
+ return destination.customEnvironmentIdsByProjectName?.[system.vercelProjectName];
551
+ }
552
+ function expectedTenantConvexDeploymentForVercelEnvironment(systemId, environment) {
553
+ const system = findInfisicalTenantSoftwareSystem(systemId);
554
+ if (!system) {
555
+ throw new Error(`Unknown tenant software system: ${systemId}.`);
556
+ }
557
+ return convexTierForVercelDestinationEnvironment(environment) === "prod" ? system.convex.prodDeployment : system.convex.preprodDeployment;
558
+ }
306
559
  function findInfisicalRuntimePath(pathId) {
307
560
  return INFISICAL_RUNTIME_PATHS.find((path) => path.id === pathId);
308
561
  }
309
562
  function findInfisicalRuntimeSurface(surfaceId) {
310
- return INFISICAL_RUNTIME_SURFACES.find(
311
- (surface) => surface.id === surfaceId
312
- );
563
+ return INFISICAL_RUNTIME_SURFACES.find((surface) => surface.id === surfaceId);
564
+ }
565
+ var INFISICAL_SECRET_OWNERS = [
566
+ "lucern_platform",
567
+ "tenant",
568
+ "provider",
569
+ "operator_local"
570
+ ];
571
+ var INFISICAL_SECRET_SCOPES = [
572
+ "global",
573
+ "environment",
574
+ "tenant",
575
+ "workspace",
576
+ "software_system",
577
+ "deployment",
578
+ "local"
579
+ ];
580
+ var INFISICAL_SECRET_ENVIRONMENT_POLICIES = [
581
+ "same_all_environments",
582
+ "environment_specific",
583
+ "preprod_staging_prod_prod",
584
+ "local_only"
585
+ ];
586
+ var INFISICAL_SECRET_CONSUMERS = [
587
+ "lucern-web",
588
+ "lucern-gateway",
589
+ "lucern-mcp",
590
+ "lucern-cli",
591
+ "lucern-ai-runtime",
592
+ "lucern-graph-sync",
593
+ "lucern-observability",
594
+ "lucern-repo-ci",
595
+ "mc-convex",
596
+ "mc-operator-tooling",
597
+ "tenant-vercel-app",
598
+ "tenant-convex-deployment",
599
+ "tenant-ai-runtime",
600
+ "tenant-graph-sync",
601
+ "tenant-observability",
602
+ "tenant-vector-store",
603
+ "tenant-deploy-tooling",
604
+ "tenant-agent-runtime"
605
+ ];
606
+ var INFISICAL_SECRET_DESTINATION_KINDS = [
607
+ "vercel",
608
+ "convex",
609
+ "github_actions",
610
+ "runtime_fetch",
611
+ "operator_local"
612
+ ];
613
+ var PLATFORM_SECRET_DEFINITIONS = [
614
+ {
615
+ id: "platform.clerk.publishable",
616
+ canonicalName: "NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY",
617
+ aliases: ["CLERK_PUBLISHABLE_KEY"],
618
+ owner: "lucern_platform",
619
+ scope: "environment",
620
+ sourcePath: "/platform/auth",
621
+ environmentPolicy: "environment_specific",
622
+ required: true,
623
+ secret: false,
624
+ public: true,
625
+ consumers: ["lucern-web", "lucern-gateway", "lucern-mcp"],
626
+ destinations: [
627
+ {
628
+ kind: "vercel",
629
+ target: "lucern",
630
+ environmentPolicy: "environment_specific"
631
+ },
632
+ {
633
+ kind: "vercel",
634
+ target: "lucern-gateway",
635
+ environmentPolicy: "environment_specific"
636
+ },
637
+ {
638
+ kind: "runtime_fetch",
639
+ target: "hosted-mcp-oauth",
640
+ environmentPolicy: "environment_specific"
641
+ }
642
+ ],
643
+ description: "Lucern-owned Clerk browser key for platform web, gateway, and hosted MCP OAuth flows."
644
+ },
645
+ {
646
+ id: "platform.clerk.secret",
647
+ canonicalName: "CLERK_SECRET_KEY",
648
+ owner: "lucern_platform",
649
+ scope: "environment",
650
+ sourcePath: "/platform/auth",
651
+ environmentPolicy: "environment_specific",
652
+ required: true,
653
+ secret: true,
654
+ public: false,
655
+ consumers: ["lucern-web", "lucern-gateway", "lucern-mcp"],
656
+ destinations: [
657
+ {
658
+ kind: "vercel",
659
+ target: "lucern",
660
+ environmentPolicy: "environment_specific"
661
+ },
662
+ {
663
+ kind: "vercel",
664
+ target: "lucern-gateway",
665
+ environmentPolicy: "environment_specific"
666
+ },
667
+ {
668
+ kind: "runtime_fetch",
669
+ target: "hosted-mcp-oauth",
670
+ environmentPolicy: "environment_specific"
671
+ }
672
+ ],
673
+ description: "Lucern-owned Clerk backend secret. Never route to tenant-owned apps unless that tenant is Lucern itself."
674
+ },
675
+ {
676
+ id: "platform.clerk.project",
677
+ canonicalName: "CLERK_PROJECT_ID",
678
+ aliases: ["LUCERN_CLERK_PROJECT_ID"],
679
+ owner: "lucern_platform",
680
+ scope: "environment",
681
+ sourcePath: "/platform/auth",
682
+ environmentPolicy: "environment_specific",
683
+ required: true,
684
+ secret: false,
685
+ public: false,
686
+ consumers: ["lucern-gateway", "mc-convex"],
687
+ destinations: [
688
+ {
689
+ kind: "vercel",
690
+ target: "lucern-gateway",
691
+ environmentPolicy: "environment_specific"
692
+ },
693
+ {
694
+ kind: "convex",
695
+ target: "master-control",
696
+ environmentPolicy: "environment_specific"
697
+ }
698
+ ],
699
+ description: "Canonical Lucern Clerk project identifier used when MC resolves Clerk identities."
700
+ },
701
+ {
702
+ id: "platform.clerk.jwks",
703
+ canonicalName: "CLERK_JWKS_URL",
704
+ aliases: ["CLERK_JWT_ISSUER_DOMAIN"],
705
+ owner: "lucern_platform",
706
+ scope: "environment",
707
+ sourcePath: "/platform/auth",
708
+ environmentPolicy: "environment_specific",
709
+ required: false,
710
+ secret: false,
711
+ public: false,
712
+ consumers: ["lucern-mcp", "lucern-gateway"],
713
+ destinations: [
714
+ {
715
+ kind: "runtime_fetch",
716
+ target: "lucern-mcp",
717
+ environmentPolicy: "environment_specific"
718
+ },
719
+ {
720
+ kind: "vercel",
721
+ target: "lucern-gateway",
722
+ environmentPolicy: "environment_specific"
723
+ }
724
+ ],
725
+ description: "Optional Clerk JWKS/issuer override for server-side token verification."
726
+ },
727
+ {
728
+ id: "platform.runtime.api-base-url",
729
+ canonicalName: "LUCERN_API_URL",
730
+ aliases: ["LUCERN_API_BASE_URL", "LUCERN_BASE_URL"],
731
+ owner: "lucern_platform",
732
+ scope: "environment",
733
+ sourcePath: "/platform/runtime",
734
+ environmentPolicy: "environment_specific",
735
+ required: true,
736
+ secret: false,
737
+ public: false,
738
+ consumers: ["lucern-web", "lucern-gateway", "lucern-mcp", "lucern-cli"],
739
+ destinations: [
740
+ {
741
+ kind: "vercel",
742
+ target: "lucern",
743
+ environmentPolicy: "environment_specific"
744
+ },
745
+ {
746
+ kind: "vercel",
747
+ target: "lucern-gateway",
748
+ environmentPolicy: "environment_specific"
749
+ },
750
+ {
751
+ kind: "runtime_fetch",
752
+ target: "lucern-cli-mcp-sdk",
753
+ environmentPolicy: "environment_specific"
754
+ }
755
+ ],
756
+ description: "Canonical Lucern API gateway base URL. Older names remain aliases only."
757
+ },
758
+ {
759
+ id: "platform.runtime.login-base-url",
760
+ canonicalName: "LUCERN_LOGIN_BASE_URL",
761
+ aliases: ["LUCERN_AUTH_BASE_URL", "LUCERN_WEB_BASE_URL"],
762
+ owner: "lucern_platform",
763
+ scope: "environment",
764
+ sourcePath: "/platform/runtime",
765
+ environmentPolicy: "environment_specific",
766
+ required: false,
767
+ secret: false,
768
+ public: false,
769
+ consumers: ["lucern-gateway", "lucern-mcp", "lucern-cli"],
770
+ destinations: [
771
+ {
772
+ kind: "vercel",
773
+ target: "lucern-gateway",
774
+ environmentPolicy: "environment_specific"
775
+ },
776
+ {
777
+ kind: "runtime_fetch",
778
+ target: "lucern-cli-mcp-sdk",
779
+ environmentPolicy: "environment_specific"
780
+ }
781
+ ],
782
+ description: "Browser login origin used when device/OAuth login is not served by the API base URL."
783
+ },
784
+ {
785
+ id: "platform.runtime.environment",
786
+ canonicalName: "LUCERN_ENVIRONMENT",
787
+ aliases: ["LUCERN_ENV"],
788
+ owner: "lucern_platform",
789
+ scope: "environment",
790
+ sourcePath: "/platform/runtime",
791
+ environmentPolicy: "environment_specific",
792
+ required: false,
793
+ secret: false,
794
+ public: false,
795
+ consumers: ["lucern-web", "lucern-gateway", "lucern-mcp", "lucern-cli"],
796
+ destinations: [
797
+ {
798
+ kind: "vercel",
799
+ target: "lucern",
800
+ environmentPolicy: "environment_specific"
801
+ },
802
+ {
803
+ kind: "vercel",
804
+ target: "lucern-gateway",
805
+ environmentPolicy: "environment_specific"
806
+ },
807
+ {
808
+ kind: "runtime_fetch",
809
+ target: "lucern-cli-mcp-sdk",
810
+ environmentPolicy: "environment_specific"
811
+ }
812
+ ],
813
+ description: "Lucern runtime environment label."
814
+ },
815
+ {
816
+ id: "platform.runtime.require-deployment-host-registry",
817
+ canonicalName: "LUCERN_REQUIRE_DEPLOYMENT_HOST_REGISTRY",
818
+ owner: "lucern_platform",
819
+ scope: "environment",
820
+ sourcePath: "/platform/runtime",
821
+ environmentPolicy: "environment_specific",
822
+ required: false,
823
+ secret: false,
824
+ public: false,
825
+ consumers: ["lucern-gateway"],
826
+ destinations: [
827
+ {
828
+ kind: "vercel",
829
+ target: "lucern-gateway",
830
+ environmentPolicy: "environment_specific"
831
+ },
832
+ {
833
+ kind: "operator_local",
834
+ target: "lucern-repo",
835
+ environmentPolicy: "environment_specific"
836
+ }
837
+ ],
838
+ description: "Fail-closed gateway toggle that requires MC deployment host registry resolution before routing."
839
+ },
840
+ {
841
+ id: "platform.mc.convex-url",
842
+ canonicalName: "CONVEX_MC_URL",
843
+ aliases: [
844
+ "CONVEX_MC_PROD_URL",
845
+ "LUCERN_ADMIN_CONVEX_URL",
846
+ "LUCERN_CONVEX_URL",
847
+ "MC_CONVEX_URL"
848
+ ],
849
+ owner: "lucern_platform",
850
+ scope: "environment",
851
+ sourcePath: "/platform/mc",
852
+ environmentPolicy: "environment_specific",
853
+ required: true,
854
+ secret: false,
855
+ public: false,
856
+ consumers: ["lucern-gateway", "mc-operator-tooling", "lucern-repo-ci"],
857
+ destinations: [
858
+ {
859
+ kind: "vercel",
860
+ target: "lucern-gateway",
861
+ environmentPolicy: "environment_specific"
862
+ },
863
+ {
864
+ kind: "github_actions",
865
+ target: "LucernAI/lucern",
866
+ environmentPolicy: "environment_specific"
867
+ },
868
+ {
869
+ kind: "operator_local",
870
+ target: "lucern-repo",
871
+ environmentPolicy: "environment_specific"
872
+ }
873
+ ],
874
+ description: "Master Control Convex URL. Prod must point to successful-clam-833; dev/staging to utmost-ox-403."
875
+ },
876
+ {
877
+ id: "platform.mc.convex-deploy-key",
878
+ canonicalName: "CONVEX_MC_DEPLOY_KEY",
879
+ aliases: [
880
+ "CONVEX_MC_PROD_DEPLOY_KEY",
881
+ "LUCERN_ADMIN_DEPLOY_KEY",
882
+ "LUCERN_DEPLOY_KEY",
883
+ "MC_DEPLOY_KEY",
884
+ "MC_PROD_DEPLOY_KEY"
885
+ ],
886
+ owner: "lucern_platform",
887
+ scope: "environment",
888
+ sourcePath: "/platform/mc",
889
+ environmentPolicy: "environment_specific",
890
+ required: true,
891
+ secret: true,
892
+ public: false,
893
+ consumers: ["lucern-gateway", "mc-operator-tooling", "lucern-repo-ci"],
894
+ destinations: [
895
+ {
896
+ kind: "vercel",
897
+ target: "lucern-gateway",
898
+ environmentPolicy: "environment_specific"
899
+ },
900
+ {
901
+ kind: "github_actions",
902
+ target: "LucernAI/lucern",
903
+ environmentPolicy: "environment_specific"
904
+ },
905
+ {
906
+ kind: "operator_local",
907
+ target: "lucern-repo",
908
+ environmentPolicy: "environment_specific"
909
+ }
910
+ ],
911
+ description: "Master Control deploy/admin key. Never route to tenant Vercel projects or tenant Convex deployments."
912
+ },
913
+ {
914
+ id: "platform.mc.session-token-secret",
915
+ canonicalName: "LUCERN_SESSION_TOKEN_SECRET",
916
+ owner: "lucern_platform",
917
+ scope: "environment",
918
+ sourcePath: "/platform/mc",
919
+ environmentPolicy: "environment_specific",
920
+ required: true,
921
+ secret: true,
922
+ public: false,
923
+ consumers: ["lucern-mcp", "mc-convex", "lucern-gateway"],
924
+ destinations: [
925
+ {
926
+ kind: "convex",
927
+ target: "master-control",
928
+ environmentPolicy: "environment_specific"
929
+ },
930
+ {
931
+ kind: "runtime_fetch",
932
+ target: "hosted-mcp-oauth",
933
+ environmentPolicy: "environment_specific"
934
+ },
935
+ {
936
+ kind: "vercel",
937
+ target: "lucern-gateway",
938
+ environmentPolicy: "environment_specific"
939
+ }
940
+ ],
941
+ description: "Signs Lucern platform session/delegation tokens. This is platform-owned, not tenant-owned."
942
+ },
943
+ {
944
+ id: "platform.mc.tenant-secret-encryption-key",
945
+ canonicalName: "LUCERN_TENANT_SECRET_ENCRYPTION_KEY",
946
+ aliases: ["LUCERN_SESSION_TOKEN_SECRET"],
947
+ owner: "lucern_platform",
948
+ scope: "environment",
949
+ sourcePath: "/platform/mc",
950
+ environmentPolicy: "environment_specific",
951
+ required: true,
952
+ secret: true,
953
+ public: false,
954
+ consumers: ["mc-convex", "mc-operator-tooling"],
955
+ destinations: [
956
+ {
957
+ kind: "convex",
958
+ target: "master-control",
959
+ environmentPolicy: "environment_specific"
960
+ },
961
+ {
962
+ kind: "operator_local",
963
+ target: "mc-credential-maintenance",
964
+ environmentPolicy: "environment_specific"
965
+ }
966
+ ],
967
+ description: "Encrypts tenant deployment credentials stored in MC. Session-token fallback is legacy only."
968
+ },
969
+ {
970
+ id: "platform.permit.api-key",
971
+ canonicalName: "LUCERN_PERMIT_API_KEY",
972
+ aliases: ["PERMIT_API_KEY"],
973
+ owner: "lucern_platform",
974
+ scope: "environment",
975
+ sourcePath: "/platform/permit",
976
+ environmentPolicy: "environment_specific",
977
+ required: true,
978
+ secret: true,
979
+ public: false,
980
+ consumers: ["mc-convex", "lucern-mcp", "lucern-gateway"],
981
+ destinations: [
982
+ {
983
+ kind: "convex",
984
+ target: "master-control",
985
+ environmentPolicy: "environment_specific"
986
+ },
987
+ {
988
+ kind: "runtime_fetch",
989
+ target: "hosted-mcp-oauth",
990
+ environmentPolicy: "environment_specific"
991
+ },
992
+ {
993
+ kind: "vercel",
994
+ target: "lucern-gateway",
995
+ environmentPolicy: "environment_specific"
996
+ }
997
+ ],
998
+ description: "Permit.io API key used for MC sync and policy checks. Must fail closed if missing."
999
+ },
1000
+ {
1001
+ id: "platform.permit.webhook-secret",
1002
+ canonicalName: "LUCERN_PERMIT_WEBHOOK_SECRET",
1003
+ aliases: ["PERMIT_WEBHOOK_SECRET"],
1004
+ owner: "lucern_platform",
1005
+ scope: "environment",
1006
+ sourcePath: "/platform/permit",
1007
+ environmentPolicy: "environment_specific",
1008
+ required: true,
1009
+ secret: true,
1010
+ public: false,
1011
+ consumers: ["mc-convex", "lucern-gateway", "mc-operator-tooling"],
1012
+ destinations: [
1013
+ {
1014
+ kind: "convex",
1015
+ target: "master-control",
1016
+ environmentPolicy: "environment_specific"
1017
+ },
1018
+ {
1019
+ kind: "vercel",
1020
+ target: "lucern-gateway",
1021
+ environmentPolicy: "environment_specific"
1022
+ },
1023
+ {
1024
+ kind: "operator_local",
1025
+ target: "mc-credential-maintenance",
1026
+ environmentPolicy: "environment_specific"
1027
+ }
1028
+ ],
1029
+ description: "Permit.io webhook secret used by gateway and MC webhook handlers. Must fail closed if missing."
1030
+ },
1031
+ {
1032
+ id: "platform.permit.pdp-url",
1033
+ canonicalName: "LUCERN_PERMIT_PDP_URL",
1034
+ aliases: ["PERMIT_PDP_URL"],
1035
+ owner: "lucern_platform",
1036
+ scope: "environment",
1037
+ sourcePath: "/platform/permit",
1038
+ environmentPolicy: "environment_specific",
1039
+ required: false,
1040
+ secret: false,
1041
+ public: false,
1042
+ consumers: ["mc-convex", "lucern-mcp", "lucern-gateway"],
1043
+ destinations: [
1044
+ {
1045
+ kind: "convex",
1046
+ target: "master-control",
1047
+ environmentPolicy: "environment_specific"
1048
+ },
1049
+ {
1050
+ kind: "runtime_fetch",
1051
+ target: "hosted-mcp-oauth",
1052
+ environmentPolicy: "environment_specific"
1053
+ },
1054
+ {
1055
+ kind: "vercel",
1056
+ target: "lucern-gateway",
1057
+ environmentPolicy: "environment_specific"
1058
+ }
1059
+ ],
1060
+ description: "Optional Permit PDP URL override."
1061
+ },
1062
+ {
1063
+ id: "platform.permit.api-url",
1064
+ canonicalName: "LUCERN_PERMIT_API_URL",
1065
+ aliases: ["PERMIT_API_URL"],
1066
+ owner: "lucern_platform",
1067
+ scope: "environment",
1068
+ sourcePath: "/platform/permit",
1069
+ environmentPolicy: "environment_specific",
1070
+ required: false,
1071
+ secret: false,
1072
+ public: false,
1073
+ consumers: ["mc-convex", "lucern-mcp", "lucern-gateway"],
1074
+ destinations: [
1075
+ {
1076
+ kind: "convex",
1077
+ target: "master-control",
1078
+ environmentPolicy: "environment_specific"
1079
+ },
1080
+ {
1081
+ kind: "runtime_fetch",
1082
+ target: "hosted-mcp-oauth",
1083
+ environmentPolicy: "environment_specific"
1084
+ },
1085
+ {
1086
+ kind: "vercel",
1087
+ target: "lucern-gateway",
1088
+ environmentPolicy: "environment_specific"
1089
+ }
1090
+ ],
1091
+ description: "Optional Permit API URL override."
1092
+ },
1093
+ {
1094
+ id: "platform.ci.infisical-bootstrap-client-id",
1095
+ canonicalName: "INFISICAL_BOOTSTRAP_CLIENT_ID",
1096
+ aliases: ["INFISICAL_CI_CLIENT_ID"],
1097
+ owner: "provider",
1098
+ scope: "environment",
1099
+ sourcePath: "/platform/ci",
1100
+ environmentPolicy: "same_all_environments",
1101
+ required: true,
1102
+ secret: true,
1103
+ public: false,
1104
+ consumers: ["lucern-repo-ci"],
1105
+ destinations: [
1106
+ {
1107
+ kind: "github_actions",
1108
+ target: "LucernAI/lucern",
1109
+ environmentPolicy: "same_all_environments"
1110
+ }
1111
+ ],
1112
+ description: "Machine identity client id used by CI to reconcile Infisical desired state."
1113
+ },
1114
+ {
1115
+ id: "platform.ci.infisical-bootstrap-client-secret",
1116
+ canonicalName: "INFISICAL_BOOTSTRAP_CLIENT_SECRET",
1117
+ aliases: ["INFISICAL_CI_CLIENT_SECRET"],
1118
+ owner: "provider",
1119
+ scope: "environment",
1120
+ sourcePath: "/platform/ci",
1121
+ environmentPolicy: "same_all_environments",
1122
+ required: true,
1123
+ secret: true,
1124
+ public: false,
1125
+ consumers: ["lucern-repo-ci"],
1126
+ destinations: [
1127
+ {
1128
+ kind: "github_actions",
1129
+ target: "LucernAI/lucern",
1130
+ environmentPolicy: "same_all_environments"
1131
+ }
1132
+ ],
1133
+ description: "Machine identity client secret used by CI to reconcile Infisical desired state."
1134
+ },
1135
+ {
1136
+ id: "platform.publish.npm-token",
1137
+ canonicalName: "NPM_TOKEN",
1138
+ aliases: ["NODE_AUTH_TOKEN"],
1139
+ owner: "provider",
1140
+ scope: "environment",
1141
+ sourcePath: "/platform/publish",
1142
+ environmentPolicy: "same_all_environments",
1143
+ required: true,
1144
+ secret: true,
1145
+ public: false,
1146
+ consumers: ["lucern-repo-ci"],
1147
+ destinations: [
1148
+ {
1149
+ kind: "github_actions",
1150
+ target: "LucernAI/lucern",
1151
+ environmentPolicy: "same_all_environments"
1152
+ }
1153
+ ],
1154
+ description: "Package publish/install token for @lucern/* release automation."
1155
+ }
1156
+ ];
1157
+ var PLATFORM_AI_SECRET_DEFINITIONS = [
1158
+ {
1159
+ id: "platform.ai.openai-api-key",
1160
+ canonicalName: "OPENAI_API_KEY",
1161
+ owner: "lucern_platform",
1162
+ scope: "environment",
1163
+ sourcePath: "/platform/ai",
1164
+ environmentPolicy: "environment_specific",
1165
+ required: false,
1166
+ secret: true,
1167
+ public: false,
1168
+ consumers: ["lucern-ai-runtime", "lucern-repo-ci"],
1169
+ destinations: [
1170
+ {
1171
+ kind: "runtime_fetch",
1172
+ target: "lucern-ai-runtime",
1173
+ environmentPolicy: "environment_specific"
1174
+ },
1175
+ {
1176
+ kind: "github_actions",
1177
+ target: "LucernAI/lucern",
1178
+ environmentPolicy: "environment_specific"
1179
+ }
1180
+ ],
1181
+ description: "Lucern-owned OpenAI key for platform AI jobs, benchmarks, and controlled operator automation."
1182
+ },
1183
+ {
1184
+ id: "platform.ai.anthropic-api-key",
1185
+ canonicalName: "ANTHROPIC_API_KEY",
1186
+ owner: "lucern_platform",
1187
+ scope: "environment",
1188
+ sourcePath: "/platform/ai",
1189
+ environmentPolicy: "environment_specific",
1190
+ required: false,
1191
+ secret: true,
1192
+ public: false,
1193
+ consumers: ["lucern-ai-runtime", "lucern-repo-ci"],
1194
+ destinations: [
1195
+ {
1196
+ kind: "runtime_fetch",
1197
+ target: "lucern-ai-runtime",
1198
+ environmentPolicy: "environment_specific"
1199
+ },
1200
+ {
1201
+ kind: "github_actions",
1202
+ target: "LucernAI/lucern",
1203
+ environmentPolicy: "environment_specific"
1204
+ }
1205
+ ],
1206
+ description: "Lucern-owned Anthropic key for platform AI jobs, benchmarks, and controlled operator automation."
1207
+ },
1208
+ {
1209
+ id: "platform.ai.gemini-api-key",
1210
+ canonicalName: "GEMINI_API_KEY",
1211
+ aliases: ["GOOGLE_AI_API_KEY", "GOOGLE_GENERATIVE_AI_API_KEY"],
1212
+ owner: "lucern_platform",
1213
+ scope: "environment",
1214
+ sourcePath: "/platform/ai",
1215
+ environmentPolicy: "environment_specific",
1216
+ required: false,
1217
+ secret: true,
1218
+ public: false,
1219
+ consumers: ["lucern-ai-runtime", "lucern-repo-ci"],
1220
+ destinations: [
1221
+ {
1222
+ kind: "runtime_fetch",
1223
+ target: "lucern-ai-runtime",
1224
+ environmentPolicy: "environment_specific"
1225
+ },
1226
+ {
1227
+ kind: "github_actions",
1228
+ target: "LucernAI/lucern",
1229
+ environmentPolicy: "environment_specific"
1230
+ }
1231
+ ],
1232
+ description: "Lucern-owned Google/Gemini key. Google alias names are read compatibility only."
1233
+ }
1234
+ ];
1235
+ var PLATFORM_LANGFUSE_SECRET_DEFINITIONS = [
1236
+ {
1237
+ id: "platform.langfuse.secret-key",
1238
+ canonicalName: "LANGFUSE_SECRET_KEY",
1239
+ owner: "lucern_platform",
1240
+ scope: "environment",
1241
+ sourcePath: "/platform/observability/langfuse",
1242
+ environmentPolicy: "environment_specific",
1243
+ required: false,
1244
+ secret: true,
1245
+ public: false,
1246
+ consumers: ["lucern-ai-runtime", "lucern-observability", "lucern-repo-ci"],
1247
+ destinations: [
1248
+ {
1249
+ kind: "runtime_fetch",
1250
+ target: "lucern-ai-runtime",
1251
+ environmentPolicy: "environment_specific"
1252
+ },
1253
+ {
1254
+ kind: "github_actions",
1255
+ target: "LucernAI/lucern",
1256
+ environmentPolicy: "environment_specific"
1257
+ }
1258
+ ],
1259
+ description: "Lucern-owned Langfuse secret key for prompt sync, prompt reads, and AI tracing."
1260
+ },
1261
+ {
1262
+ id: "platform.langfuse.public-key",
1263
+ canonicalName: "LANGFUSE_PUBLIC_KEY",
1264
+ owner: "lucern_platform",
1265
+ scope: "environment",
1266
+ sourcePath: "/platform/observability/langfuse",
1267
+ environmentPolicy: "environment_specific",
1268
+ required: false,
1269
+ secret: false,
1270
+ public: false,
1271
+ consumers: ["lucern-ai-runtime", "lucern-observability", "lucern-repo-ci"],
1272
+ destinations: [
1273
+ {
1274
+ kind: "runtime_fetch",
1275
+ target: "lucern-ai-runtime",
1276
+ environmentPolicy: "environment_specific"
1277
+ },
1278
+ {
1279
+ kind: "github_actions",
1280
+ target: "LucernAI/lucern",
1281
+ environmentPolicy: "environment_specific"
1282
+ }
1283
+ ],
1284
+ description: "Lucern-owned Langfuse public key paired with LANGFUSE_SECRET_KEY."
1285
+ },
1286
+ {
1287
+ id: "platform.langfuse.base-url",
1288
+ canonicalName: "LANGFUSE_BASE_URL",
1289
+ aliases: ["LANGFUSE_BASEURL", "LANGFUSE_HOST"],
1290
+ owner: "lucern_platform",
1291
+ scope: "environment",
1292
+ sourcePath: "/platform/observability/langfuse",
1293
+ environmentPolicy: "environment_specific",
1294
+ required: false,
1295
+ secret: false,
1296
+ public: false,
1297
+ consumers: ["lucern-ai-runtime", "lucern-observability", "lucern-repo-ci"],
1298
+ destinations: [
1299
+ {
1300
+ kind: "runtime_fetch",
1301
+ target: "lucern-ai-runtime",
1302
+ environmentPolicy: "environment_specific"
1303
+ },
1304
+ {
1305
+ kind: "github_actions",
1306
+ target: "LucernAI/lucern",
1307
+ environmentPolicy: "environment_specific"
1308
+ }
1309
+ ],
1310
+ description: "Canonical Langfuse API origin. BASEURL/HOST are compatibility aliases."
1311
+ }
1312
+ ];
1313
+ var PLATFORM_GRAPH_STORE_SECRET_DEFINITIONS = [
1314
+ {
1315
+ id: "platform.neo4j.uri",
1316
+ canonicalName: "NEO4J_URI",
1317
+ owner: "lucern_platform",
1318
+ scope: "environment",
1319
+ sourcePath: "/platform/graph/neo4j",
1320
+ environmentPolicy: "environment_specific",
1321
+ required: false,
1322
+ secret: false,
1323
+ public: false,
1324
+ consumers: ["lucern-graph-sync", "lucern-repo-ci"],
1325
+ destinations: [
1326
+ {
1327
+ kind: "runtime_fetch",
1328
+ target: "lucern-graph-sync",
1329
+ environmentPolicy: "environment_specific"
1330
+ },
1331
+ {
1332
+ kind: "github_actions",
1333
+ target: "LucernAI/lucern",
1334
+ environmentPolicy: "environment_specific"
1335
+ }
1336
+ ],
1337
+ description: "Lucern-owned Neo4j URI for platform graph-sync surfaces."
1338
+ },
1339
+ {
1340
+ id: "platform.neo4j.user",
1341
+ canonicalName: "NEO4J_USER",
1342
+ aliases: ["NEO4J_USERNAME"],
1343
+ owner: "lucern_platform",
1344
+ scope: "environment",
1345
+ sourcePath: "/platform/graph/neo4j",
1346
+ environmentPolicy: "environment_specific",
1347
+ required: false,
1348
+ secret: false,
1349
+ public: false,
1350
+ consumers: ["lucern-graph-sync", "lucern-repo-ci"],
1351
+ destinations: [
1352
+ {
1353
+ kind: "runtime_fetch",
1354
+ target: "lucern-graph-sync",
1355
+ environmentPolicy: "environment_specific"
1356
+ },
1357
+ {
1358
+ kind: "github_actions",
1359
+ target: "LucernAI/lucern",
1360
+ environmentPolicy: "environment_specific"
1361
+ }
1362
+ ],
1363
+ description: "Lucern-owned Neo4j username for platform graph-sync surfaces."
1364
+ },
1365
+ {
1366
+ id: "platform.neo4j.password",
1367
+ canonicalName: "NEO4J_PASSWORD",
1368
+ owner: "lucern_platform",
1369
+ scope: "environment",
1370
+ sourcePath: "/platform/graph/neo4j",
1371
+ environmentPolicy: "environment_specific",
1372
+ required: false,
1373
+ secret: true,
1374
+ public: false,
1375
+ consumers: ["lucern-graph-sync", "lucern-repo-ci"],
1376
+ destinations: [
1377
+ {
1378
+ kind: "runtime_fetch",
1379
+ target: "lucern-graph-sync",
1380
+ environmentPolicy: "environment_specific"
1381
+ },
1382
+ {
1383
+ kind: "github_actions",
1384
+ target: "LucernAI/lucern",
1385
+ environmentPolicy: "environment_specific"
1386
+ }
1387
+ ],
1388
+ description: "Lucern-owned Neo4j password for platform graph-sync surfaces."
1389
+ },
1390
+ {
1391
+ id: "platform.neo4j.sync-secret",
1392
+ canonicalName: "NEO4J_SYNC_SECRET",
1393
+ owner: "lucern_platform",
1394
+ scope: "environment",
1395
+ sourcePath: "/platform/graph/neo4j",
1396
+ environmentPolicy: "environment_specific",
1397
+ required: false,
1398
+ secret: true,
1399
+ public: false,
1400
+ consumers: ["lucern-graph-sync", "lucern-repo-ci"],
1401
+ destinations: [
1402
+ {
1403
+ kind: "runtime_fetch",
1404
+ target: "lucern-graph-sync",
1405
+ environmentPolicy: "environment_specific"
1406
+ },
1407
+ {
1408
+ kind: "github_actions",
1409
+ target: "LucernAI/lucern",
1410
+ environmentPolicy: "environment_specific"
1411
+ }
1412
+ ],
1413
+ description: "Shared secret protecting Lucern-owned graph-sync HTTP/query proxy calls."
1414
+ },
1415
+ {
1416
+ id: "platform.neo4j.database",
1417
+ canonicalName: "NEO4J_DATABASE",
1418
+ owner: "lucern_platform",
1419
+ scope: "environment",
1420
+ sourcePath: "/platform/graph/neo4j",
1421
+ environmentPolicy: "environment_specific",
1422
+ required: false,
1423
+ secret: false,
1424
+ public: false,
1425
+ consumers: ["lucern-graph-sync", "lucern-repo-ci"],
1426
+ destinations: [
1427
+ {
1428
+ kind: "runtime_fetch",
1429
+ target: "lucern-graph-sync",
1430
+ environmentPolicy: "environment_specific"
1431
+ },
1432
+ {
1433
+ kind: "github_actions",
1434
+ target: "LucernAI/lucern",
1435
+ environmentPolicy: "environment_specific"
1436
+ }
1437
+ ],
1438
+ description: "Optional Neo4j database name for Lucern-owned graph-sync surfaces."
1439
+ }
1440
+ ];
1441
+ var PLATFORM_VECTOR_STORE_SECRET_DEFINITIONS = [
1442
+ {
1443
+ id: "platform.pinecone.api-key",
1444
+ canonicalName: "PINECONE_API_KEY",
1445
+ owner: "lucern_platform",
1446
+ scope: "environment",
1447
+ sourcePath: "/platform/vector/pinecone",
1448
+ environmentPolicy: "environment_specific",
1449
+ required: false,
1450
+ secret: true,
1451
+ public: false,
1452
+ consumers: ["lucern-ai-runtime", "lucern-repo-ci"],
1453
+ destinations: [
1454
+ {
1455
+ kind: "runtime_fetch",
1456
+ target: "lucern-ai-runtime",
1457
+ environmentPolicy: "environment_specific"
1458
+ },
1459
+ {
1460
+ kind: "github_actions",
1461
+ target: "LucernAI/lucern",
1462
+ environmentPolicy: "environment_specific"
1463
+ }
1464
+ ],
1465
+ description: "Lucern-owned Pinecone API key for platform vector search."
1466
+ },
1467
+ {
1468
+ id: "platform.pinecone.index-name",
1469
+ canonicalName: "PINECONE_INDEX_NAME",
1470
+ aliases: ["PINECONE_INDEX"],
1471
+ owner: "lucern_platform",
1472
+ scope: "environment",
1473
+ sourcePath: "/platform/vector/pinecone",
1474
+ environmentPolicy: "environment_specific",
1475
+ required: false,
1476
+ secret: false,
1477
+ public: false,
1478
+ consumers: ["lucern-ai-runtime", "lucern-repo-ci"],
1479
+ destinations: [
1480
+ {
1481
+ kind: "runtime_fetch",
1482
+ target: "lucern-ai-runtime",
1483
+ environmentPolicy: "environment_specific"
1484
+ },
1485
+ {
1486
+ kind: "github_actions",
1487
+ target: "LucernAI/lucern",
1488
+ environmentPolicy: "environment_specific"
1489
+ }
1490
+ ],
1491
+ description: "Lucern-owned Pinecone index name."
1492
+ },
1493
+ {
1494
+ id: "platform.pinecone.host",
1495
+ canonicalName: "PINECONE_HOST",
1496
+ aliases: ["PINECONE_INDEX_HOST"],
1497
+ owner: "lucern_platform",
1498
+ scope: "environment",
1499
+ sourcePath: "/platform/vector/pinecone",
1500
+ environmentPolicy: "environment_specific",
1501
+ required: false,
1502
+ secret: false,
1503
+ public: false,
1504
+ consumers: ["lucern-ai-runtime", "lucern-repo-ci"],
1505
+ destinations: [
1506
+ {
1507
+ kind: "runtime_fetch",
1508
+ target: "lucern-ai-runtime",
1509
+ environmentPolicy: "environment_specific"
1510
+ },
1511
+ {
1512
+ kind: "github_actions",
1513
+ target: "LucernAI/lucern",
1514
+ environmentPolicy: "environment_specific"
1515
+ }
1516
+ ],
1517
+ description: "Lucern-owned Pinecone host/index host."
1518
+ }
1519
+ ];
1520
+ var PLATFORM_SENTRY_SECRET_DEFINITIONS = [
1521
+ {
1522
+ id: "platform.sentry.dsn",
1523
+ canonicalName: "NEXT_PUBLIC_SENTRY_DSN",
1524
+ aliases: ["SENTRY_DSN", "NEXT_PUBLIC_SENTRY_DSN_NEXTJS"],
1525
+ owner: "provider",
1526
+ scope: "environment",
1527
+ sourcePath: "/platform/observability/sentry",
1528
+ environmentPolicy: "environment_specific",
1529
+ required: false,
1530
+ secret: false,
1531
+ public: true,
1532
+ consumers: ["lucern-web", "lucern-gateway", "lucern-observability"],
1533
+ destinations: [
1534
+ {
1535
+ kind: "vercel",
1536
+ target: "lucern",
1537
+ environmentPolicy: "environment_specific"
1538
+ },
1539
+ {
1540
+ kind: "vercel",
1541
+ target: "lucern-gateway",
1542
+ environmentPolicy: "environment_specific"
1543
+ }
1544
+ ],
1545
+ description: "Lucern-owned Sentry DSN for browser/server error telemetry."
1546
+ },
1547
+ {
1548
+ id: "platform.sentry.auth-token",
1549
+ canonicalName: "SENTRY_AUTH_TOKEN",
1550
+ owner: "provider",
1551
+ scope: "environment",
1552
+ sourcePath: "/platform/observability/sentry",
1553
+ environmentPolicy: "same_all_environments",
1554
+ required: false,
1555
+ secret: true,
1556
+ public: false,
1557
+ consumers: ["lucern-repo-ci", "lucern-observability"],
1558
+ destinations: [
1559
+ {
1560
+ kind: "github_actions",
1561
+ target: "LucernAI/lucern",
1562
+ environmentPolicy: "same_all_environments"
1563
+ },
1564
+ {
1565
+ kind: "vercel",
1566
+ target: "lucern",
1567
+ environmentPolicy: "same_all_environments"
1568
+ }
1569
+ ],
1570
+ description: "Sentry release-upload token. Runtime services must not use it for authorization."
1571
+ },
1572
+ {
1573
+ id: "platform.sentry.org",
1574
+ canonicalName: "SENTRY_ORG",
1575
+ aliases: ["SENTRY_ORG_SLUG"],
1576
+ owner: "provider",
1577
+ scope: "global",
1578
+ sourcePath: "/platform/observability/sentry",
1579
+ environmentPolicy: "same_all_environments",
1580
+ required: false,
1581
+ secret: false,
1582
+ public: false,
1583
+ consumers: ["lucern-repo-ci", "lucern-observability"],
1584
+ destinations: [
1585
+ {
1586
+ kind: "github_actions",
1587
+ target: "LucernAI/lucern",
1588
+ environmentPolicy: "same_all_environments"
1589
+ },
1590
+ {
1591
+ kind: "vercel",
1592
+ target: "lucern",
1593
+ environmentPolicy: "same_all_environments"
1594
+ }
1595
+ ],
1596
+ description: "Sentry organization slug for Lucern release uploads."
1597
+ },
1598
+ {
1599
+ id: "platform.sentry.project",
1600
+ canonicalName: "SENTRY_PROJECT",
1601
+ aliases: ["SENTRY_PROJECT_NEXTJS"],
1602
+ owner: "provider",
1603
+ scope: "global",
1604
+ sourcePath: "/platform/observability/sentry",
1605
+ environmentPolicy: "same_all_environments",
1606
+ required: false,
1607
+ secret: false,
1608
+ public: false,
1609
+ consumers: ["lucern-repo-ci", "lucern-observability"],
1610
+ destinations: [
1611
+ {
1612
+ kind: "github_actions",
1613
+ target: "LucernAI/lucern",
1614
+ environmentPolicy: "same_all_environments"
1615
+ },
1616
+ {
1617
+ kind: "vercel",
1618
+ target: "lucern",
1619
+ environmentPolicy: "same_all_environments"
1620
+ }
1621
+ ],
1622
+ description: "Sentry project slug for Lucern release uploads."
1623
+ },
1624
+ {
1625
+ id: "platform.sentry.environment",
1626
+ canonicalName: "SENTRY_ENVIRONMENT",
1627
+ aliases: ["NEXT_PUBLIC_SENTRY_ENVIRONMENT"],
1628
+ owner: "provider",
1629
+ scope: "environment",
1630
+ sourcePath: "/platform/observability/sentry",
1631
+ environmentPolicy: "environment_specific",
1632
+ required: false,
1633
+ secret: false,
1634
+ public: false,
1635
+ consumers: ["lucern-web", "lucern-gateway", "lucern-observability"],
1636
+ destinations: [
1637
+ {
1638
+ kind: "vercel",
1639
+ target: "lucern",
1640
+ environmentPolicy: "environment_specific",
1641
+ writeNames: ["SENTRY_ENVIRONMENT", "NEXT_PUBLIC_SENTRY_ENVIRONMENT"]
1642
+ },
1643
+ {
1644
+ kind: "vercel",
1645
+ target: "lucern-gateway",
1646
+ environmentPolicy: "environment_specific"
1647
+ }
1648
+ ],
1649
+ description: "Lucern-owned Sentry environment label."
1650
+ },
1651
+ {
1652
+ id: "platform.sentry.release",
1653
+ canonicalName: "SENTRY_RELEASE",
1654
+ aliases: ["NEXT_PUBLIC_SENTRY_RELEASE"],
1655
+ owner: "provider",
1656
+ scope: "environment",
1657
+ sourcePath: "/platform/observability/sentry",
1658
+ environmentPolicy: "environment_specific",
1659
+ required: false,
1660
+ secret: false,
1661
+ public: false,
1662
+ consumers: ["lucern-web", "lucern-gateway", "lucern-observability"],
1663
+ destinations: [
1664
+ {
1665
+ kind: "vercel",
1666
+ target: "lucern",
1667
+ environmentPolicy: "environment_specific",
1668
+ writeNames: ["SENTRY_RELEASE", "NEXT_PUBLIC_SENTRY_RELEASE"]
1669
+ },
1670
+ {
1671
+ kind: "vercel",
1672
+ target: "lucern-gateway",
1673
+ environmentPolicy: "environment_specific"
1674
+ }
1675
+ ],
1676
+ description: "Lucern-owned Sentry release name."
1677
+ }
1678
+ ];
1679
+ var PLATFORM_DEPLOY_AUTOMATION_SECRET_DEFINITIONS = [
1680
+ {
1681
+ id: "platform.deploy.vercel-token",
1682
+ canonicalName: "VERCEL_TOKEN",
1683
+ owner: "provider",
1684
+ scope: "global",
1685
+ sourcePath: "/platform/deploy/vercel",
1686
+ environmentPolicy: "same_all_environments",
1687
+ required: false,
1688
+ secret: true,
1689
+ public: false,
1690
+ consumers: ["lucern-repo-ci"],
1691
+ destinations: [
1692
+ {
1693
+ kind: "github_actions",
1694
+ target: "LucernAI/lucern",
1695
+ environmentPolicy: "same_all_environments"
1696
+ },
1697
+ {
1698
+ kind: "operator_local",
1699
+ target: "secret-sync-writer",
1700
+ environmentPolicy: "same_all_environments"
1701
+ }
1702
+ ],
1703
+ description: "Vercel API token for the future reviewed live writer. Never copy into tenant apps."
1704
+ },
1705
+ {
1706
+ id: "platform.deploy.vercel-org-id",
1707
+ canonicalName: "VERCEL_ORG_ID",
1708
+ owner: "provider",
1709
+ scope: "global",
1710
+ sourcePath: "/platform/deploy/vercel",
1711
+ environmentPolicy: "same_all_environments",
1712
+ required: false,
1713
+ secret: false,
1714
+ public: false,
1715
+ consumers: ["lucern-repo-ci"],
1716
+ destinations: [
1717
+ {
1718
+ kind: "github_actions",
1719
+ target: "LucernAI/lucern",
1720
+ environmentPolicy: "same_all_environments"
1721
+ },
1722
+ {
1723
+ kind: "operator_local",
1724
+ target: "secret-sync-writer",
1725
+ environmentPolicy: "same_all_environments"
1726
+ }
1727
+ ],
1728
+ description: "Vercel team/org id used by deployment and sync automation."
1729
+ }
1730
+ ];
1731
+ var PLATFORM_LOCAL_OPERATOR_CONFIG_SECRET_DEFINITIONS = [
1732
+ {
1733
+ id: "platform.docs.gap-audit-api-key",
1734
+ canonicalName: "DOC_GAP_AUDIT_API_KEY",
1735
+ owner: "lucern_platform",
1736
+ scope: "environment",
1737
+ sourcePath: "/platform/docs",
1738
+ environmentPolicy: "environment_specific",
1739
+ required: false,
1740
+ secret: true,
1741
+ public: false,
1742
+ consumers: ["lucern-repo-ci"],
1743
+ destinations: [
1744
+ {
1745
+ kind: "github_actions",
1746
+ target: "LucernAI/lucern",
1747
+ environmentPolicy: "environment_specific"
1748
+ },
1749
+ {
1750
+ kind: "operator_local",
1751
+ target: "lucern-repo",
1752
+ environmentPolicy: "environment_specific"
1753
+ }
1754
+ ],
1755
+ description: "Optional model key for docs gap audits."
1756
+ },
1757
+ {
1758
+ id: "platform.docs.gap-audit-provider",
1759
+ canonicalName: "DOC_GAP_AUDIT_PROVIDER",
1760
+ owner: "lucern_platform",
1761
+ scope: "environment",
1762
+ sourcePath: "/platform/docs",
1763
+ environmentPolicy: "environment_specific",
1764
+ required: false,
1765
+ secret: false,
1766
+ public: false,
1767
+ consumers: ["lucern-repo-ci"],
1768
+ destinations: [
1769
+ {
1770
+ kind: "github_actions",
1771
+ target: "LucernAI/lucern",
1772
+ environmentPolicy: "environment_specific"
1773
+ },
1774
+ {
1775
+ kind: "operator_local",
1776
+ target: "lucern-repo",
1777
+ environmentPolicy: "environment_specific"
1778
+ }
1779
+ ],
1780
+ description: "Optional docs gap audit provider selector."
1781
+ },
1782
+ {
1783
+ id: "platform.docs.gap-audit-model",
1784
+ canonicalName: "DOC_GAP_AUDIT_MODEL",
1785
+ owner: "lucern_platform",
1786
+ scope: "environment",
1787
+ sourcePath: "/platform/docs",
1788
+ environmentPolicy: "environment_specific",
1789
+ required: false,
1790
+ secret: false,
1791
+ public: false,
1792
+ consumers: ["lucern-repo-ci"],
1793
+ destinations: [
1794
+ {
1795
+ kind: "github_actions",
1796
+ target: "LucernAI/lucern",
1797
+ environmentPolicy: "environment_specific"
1798
+ },
1799
+ {
1800
+ kind: "operator_local",
1801
+ target: "lucern-repo",
1802
+ environmentPolicy: "environment_specific"
1803
+ }
1804
+ ],
1805
+ description: "Optional docs gap audit model selector."
1806
+ },
1807
+ {
1808
+ id: "platform.infisical.local-cli",
1809
+ canonicalName: "INFISICAL_BIN",
1810
+ aliases: ["INFISICAL_API_URL", "INFISICAL_URL"],
1811
+ owner: "lucern_platform",
1812
+ scope: "global",
1813
+ sourcePath: "/platform/infisical",
1814
+ environmentPolicy: "same_all_environments",
1815
+ required: false,
1816
+ secret: false,
1817
+ public: false,
1818
+ consumers: ["mc-operator-tooling", "lucern-repo-ci"],
1819
+ destinations: [
1820
+ {
1821
+ kind: "operator_local",
1822
+ target: "lucern-repo",
1823
+ environmentPolicy: "same_all_environments"
1824
+ }
1825
+ ],
1826
+ description: "Operator-only Infisical CLI/API location knobs. Machine credentials are handled by the bootstrap contract."
1827
+ },
1828
+ {
1829
+ id: "platform.gateway.device-verification-base-url",
1830
+ canonicalName: "LUCERN_DEVICE_VERIFICATION_BASE_URL",
1831
+ owner: "lucern_platform",
1832
+ scope: "environment",
1833
+ sourcePath: "/platform/runtime",
1834
+ environmentPolicy: "environment_specific",
1835
+ required: false,
1836
+ secret: false,
1837
+ public: false,
1838
+ consumers: ["lucern-gateway"],
1839
+ destinations: [
1840
+ {
1841
+ kind: "vercel",
1842
+ target: "lucern-gateway",
1843
+ environmentPolicy: "environment_specific"
1844
+ }
1845
+ ],
1846
+ description: "Base URL shown during Lucern CLI/device authentication."
1847
+ },
1848
+ {
1849
+ id: "platform.gateway.mode",
1850
+ canonicalName: "LUCERN_GATEWAY_MODE",
1851
+ aliases: ["LUCERN_GATEWAY_ENV"],
1852
+ owner: "lucern_platform",
1853
+ scope: "environment",
1854
+ sourcePath: "/platform/runtime",
1855
+ environmentPolicy: "environment_specific",
1856
+ required: false,
1857
+ secret: false,
1858
+ public: false,
1859
+ consumers: ["lucern-gateway", "lucern-repo-ci"],
1860
+ destinations: [
1861
+ {
1862
+ kind: "vercel",
1863
+ target: "lucern-gateway",
1864
+ environmentPolicy: "environment_specific"
1865
+ },
1866
+ {
1867
+ kind: "github_actions",
1868
+ target: "LucernAI/lucern",
1869
+ environmentPolicy: "environment_specific"
1870
+ }
1871
+ ],
1872
+ description: "Gateway runtime mode/environment label."
1873
+ },
1874
+ {
1875
+ id: "platform.mcp.runtime",
1876
+ canonicalName: "LUCERN_MCP_URL",
1877
+ aliases: [
1878
+ "LUCERN_AGENT_IDENTITY",
1879
+ "LUCERN_HTTP_HOST",
1880
+ "LUCERN_HTTP_PORT",
1881
+ "LUCERN_MCP_ALLOW_API_KEY_PASSTHROUGH",
1882
+ "LUCERN_MCP_DEBUG",
1883
+ "LUCERN_MCP_DIAGNOSTICS_FILE",
1884
+ "LUCERN_MCP_HEALTH_PATH",
1885
+ "LUCERN_MCP_HEALTH_URL",
1886
+ "LUCERN_MCP_HOST",
1887
+ "LUCERN_MCP_PATH",
1888
+ "LUCERN_MCP_PORT",
1889
+ "LUCERN_MCP_QUIET",
1890
+ "LUCERN_MCP_TRANSPORT",
1891
+ "LUCERN_PROFILE",
1892
+ "LUCERN_PUBLIC_URL",
1893
+ "MCP_SERVER_URL"
1894
+ ],
1895
+ owner: "lucern_platform",
1896
+ scope: "environment",
1897
+ sourcePath: "/platform/runtime",
1898
+ environmentPolicy: "environment_specific",
1899
+ required: false,
1900
+ secret: false,
1901
+ public: false,
1902
+ consumers: ["lucern-mcp", "lucern-cli", "lucern-repo-ci"],
1903
+ destinations: [
1904
+ {
1905
+ kind: "runtime_fetch",
1906
+ target: "lucern-cli-mcp-sdk",
1907
+ environmentPolicy: "environment_specific"
1908
+ },
1909
+ {
1910
+ kind: "operator_local",
1911
+ target: "lucern-repo",
1912
+ environmentPolicy: "environment_specific"
1913
+ }
1914
+ ],
1915
+ description: "Lucern MCP/CLI runtime knobs. Aliases are compatibility names and not Vercel write names."
1916
+ },
1917
+ {
1918
+ id: "platform.mcp.auth-token",
1919
+ canonicalName: "LUCERN_MCP_SERVER_AUTH_TOKEN",
1920
+ aliases: ["LUCERN_USER_TOKEN", "MCP_SERVER_TOKEN"],
1921
+ owner: "lucern_platform",
1922
+ scope: "environment",
1923
+ sourcePath: "/platform/runtime",
1924
+ environmentPolicy: "environment_specific",
1925
+ required: false,
1926
+ secret: true,
1927
+ public: false,
1928
+ consumers: ["lucern-mcp", "lucern-cli", "lucern-repo-ci"],
1929
+ destinations: [
1930
+ {
1931
+ kind: "runtime_fetch",
1932
+ target: "lucern-cli-mcp-sdk",
1933
+ environmentPolicy: "environment_specific"
1934
+ },
1935
+ {
1936
+ kind: "operator_local",
1937
+ target: "lucern-repo",
1938
+ environmentPolicy: "environment_specific"
1939
+ }
1940
+ ],
1941
+ description: "Local/hosted MCP auth token material. Tenant apps must use MC/API-key sessions instead."
1942
+ },
1943
+ {
1944
+ id: "platform.graph-sync.proxy",
1945
+ canonicalName: "LUCERN_GRAPH_SYNC_QUERY_BASE_URL",
1946
+ aliases: [
1947
+ "LUCERN_DEFAULT_TENANT_ID",
1948
+ "LUCERN_GRAPH_SYNC_ALLOWED_PROXY_HOSTS"
1949
+ ],
1950
+ owner: "lucern_platform",
1951
+ scope: "environment",
1952
+ sourcePath: "/platform/graph/neo4j",
1953
+ environmentPolicy: "environment_specific",
1954
+ required: false,
1955
+ secret: false,
1956
+ public: false,
1957
+ consumers: ["lucern-graph-sync", "lucern-repo-ci"],
1958
+ destinations: [
1959
+ {
1960
+ kind: "runtime_fetch",
1961
+ target: "lucern-graph-sync",
1962
+ environmentPolicy: "environment_specific"
1963
+ },
1964
+ {
1965
+ kind: "github_actions",
1966
+ target: "LucernAI/lucern",
1967
+ environmentPolicy: "environment_specific"
1968
+ }
1969
+ ],
1970
+ description: "Graph-sync proxy URL, tenant filter, and allowed host list."
1971
+ },
1972
+ {
1973
+ id: "platform.package-smoke.local",
1974
+ canonicalName: "LUCERN_SDK_NPM_TOKEN",
1975
+ aliases: [
1976
+ "LUCERN_KERNEL_INSTALL_SPEC",
1977
+ "LUCERN_KERNEL_KEEP_CLEANROOM",
1978
+ "LUCERN_KERNEL_LOCAL_TARBALL",
1979
+ "LUCERN_KERNEL_NPM_TOKEN",
1980
+ "LUCERN_KERNEL_SCOPE_REGISTRY",
1981
+ "LUCERN_KERNEL_SKIP_CONVEX",
1982
+ "LUCERN_SDK_INSTALL_SPEC",
1983
+ "LUCERN_SDK_KEEP_CLEANROOM",
1984
+ "LUCERN_SDK_LOCAL_TARBALL",
1985
+ "LUCERN_SDK_SCOPE_REGISTRY",
1986
+ "LUCERN_SDK_SKIP_LIVE"
1987
+ ],
1988
+ owner: "lucern_platform",
1989
+ scope: "global",
1990
+ sourcePath: "/platform/package-publish",
1991
+ environmentPolicy: "same_all_environments",
1992
+ required: false,
1993
+ secret: true,
1994
+ public: false,
1995
+ consumers: ["lucern-repo-ci"],
1996
+ destinations: [
1997
+ {
1998
+ kind: "github_actions",
1999
+ target: "LucernAI/lucern",
2000
+ environmentPolicy: "same_all_environments"
2001
+ },
2002
+ {
2003
+ kind: "operator_local",
2004
+ target: "lucern-repo",
2005
+ environmentPolicy: "same_all_environments"
2006
+ }
2007
+ ],
2008
+ description: "Private package install smoke-test knobs. Values are not tenant runtime variables."
2009
+ },
2010
+ {
2011
+ id: "platform.convex-deploy.local-names",
2012
+ canonicalName: "LUCERN_CONVEX_DEPLOYMENT_NAME",
2013
+ aliases: [
2014
+ "CONVEX_DEPLOYMENT",
2015
+ "CONVEX_DEV_DEPLOYMENT_NAME",
2016
+ "CONVEX_PROD_DEPLOYMENT_NAME"
2017
+ ],
2018
+ owner: "lucern_platform",
2019
+ scope: "environment",
2020
+ sourcePath: "/platform/deploy/convex",
2021
+ environmentPolicy: "environment_specific",
2022
+ required: false,
2023
+ secret: false,
2024
+ public: false,
2025
+ consumers: ["mc-operator-tooling", "lucern-repo-ci"],
2026
+ destinations: [
2027
+ {
2028
+ kind: "operator_local",
2029
+ target: "lucern-repo",
2030
+ environmentPolicy: "environment_specific"
2031
+ }
2032
+ ],
2033
+ description: "Operator-only Convex deployment name hints. Deploy keys and URLs remain separately scoped."
2034
+ },
2035
+ {
2036
+ id: "platform.sdk.local-context",
2037
+ canonicalName: "LUCERN_TENANT_ID",
2038
+ aliases: [
2039
+ "LUCERN_AGENT_DISPLAY_NAME",
2040
+ "LUCERN_AGENT_ID",
2041
+ "LUCERN_API_ENVIRONMENT",
2042
+ "LUCERN_PACK_KEY",
2043
+ "LUCERN_PROJECT_ID",
2044
+ "LUCERN_TOPIC_ID",
2045
+ "LUCERN_WORKSPACE_ID",
2046
+ "LUCERN_WORKTREE_ID"
2047
+ ],
2048
+ owner: "lucern_platform",
2049
+ scope: "environment",
2050
+ sourcePath: "/platform/runtime",
2051
+ environmentPolicy: "environment_specific",
2052
+ required: false,
2053
+ secret: false,
2054
+ public: false,
2055
+ consumers: ["lucern-cli", "lucern-mcp", "tenant-agent-runtime"],
2056
+ destinations: [
2057
+ {
2058
+ kind: "runtime_fetch",
2059
+ target: "lucern-cli-mcp-sdk",
2060
+ environmentPolicy: "environment_specific"
2061
+ },
2062
+ {
2063
+ kind: "operator_local",
2064
+ target: "lucern-repo",
2065
+ environmentPolicy: "environment_specific"
2066
+ }
2067
+ ],
2068
+ description: "SDK, CLI, and agent context selectors. These identify scope and must not grant access by themselves."
2069
+ },
2070
+ {
2071
+ id: "platform.debug.local-flags",
2072
+ canonicalName: "LUCERN_FUNCTIONAL_DEBUG",
2073
+ aliases: [
2074
+ "LUCERN_CONTRACTS_SKIP_DTS",
2075
+ "LUCERN_DEPLOY_RECONCILIATION_DEBUG",
2076
+ "LUCERN_ENABLE_ADAPTIVE_LEARNING",
2077
+ "LUCERN_ENV_FILE",
2078
+ "LUCERN_EXAMPLE_DEBUG",
2079
+ "LUCERN_HTTP_SMOKE_DEBUG",
2080
+ "LUCERN_MULTI_TENANT",
2081
+ "LUCERN_PACK_ACTION_DEBUG",
2082
+ "LUCERN_RUN_LIVE_MCP"
2083
+ ],
2084
+ owner: "lucern_platform",
2085
+ scope: "environment",
2086
+ sourcePath: "/platform/runtime/debug",
2087
+ environmentPolicy: "environment_specific",
2088
+ required: false,
2089
+ secret: false,
2090
+ public: false,
2091
+ consumers: ["lucern-repo-ci", "mc-operator-tooling"],
2092
+ destinations: [
2093
+ {
2094
+ kind: "operator_local",
2095
+ target: "lucern-repo",
2096
+ environmentPolicy: "environment_specific"
2097
+ }
2098
+ ],
2099
+ description: "Local or CI debug toggles. They are manifest-known but not tenant runtime secrets."
2100
+ },
2101
+ {
2102
+ id: "tenant.stackos.deploy-guard.local",
2103
+ canonicalName: "STACKOS_DEPLOY_TARGET",
2104
+ aliases: [
2105
+ "STACKOS_DEPLOY_ENTRYPOINT",
2106
+ "STACKOS_EXPECTED_STAGING_COMMIT",
2107
+ "STACKOS_PROD_CUTOVER_APPROVED",
2108
+ "STACKOS_REPO_PATH",
2109
+ "STACKOS_REQUIRE_CHAT_RUNTIME",
2110
+ "STACKOS_SLOP_SCAN_BASELINE",
2111
+ "STACKOS_STAGING_API_KEY",
2112
+ "STACKOS_STAGING_BASE_URL",
2113
+ "STACK_DEPLOY_RECONCILIATION_SCHEMA_JSON"
2114
+ ],
2115
+ owner: "tenant",
2116
+ scope: "software_system",
2117
+ sourcePath: "/tenants/stack",
2118
+ environmentPolicy: "environment_specific",
2119
+ required: false,
2120
+ secret: true,
2121
+ public: false,
2122
+ consumers: ["tenant-deploy-tooling", "lucern-repo-ci"],
2123
+ destinations: [
2124
+ {
2125
+ kind: "operator_local",
2126
+ target: "stackos-deploy-guard",
2127
+ environmentPolicy: "environment_specific"
2128
+ },
2129
+ {
2130
+ kind: "github_actions",
2131
+ target: "stack-vc/stackos",
2132
+ environmentPolicy: "environment_specific"
2133
+ }
2134
+ ],
2135
+ description: "StackOS deploy/test guard variables. These are not written into the StackOS Vercel runtime."
2136
+ }
2137
+ ];
2138
+ var TENANT_SHARED_SECRET_DEFINITION_TEMPLATES = [
2139
+ {
2140
+ idSuffix: "clerk.publishable",
2141
+ canonicalName: "NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY",
2142
+ aliases: ["CLERK_PUBLISHABLE_KEY"],
2143
+ required: true,
2144
+ secret: false,
2145
+ public: true,
2146
+ description: "Tenant-owned Clerk browser key. For Stack this is the master clerk.stack.vc project shared by front-end, StackOS, and the engineering workspace."
2147
+ },
2148
+ {
2149
+ idSuffix: "clerk.secret",
2150
+ canonicalName: "CLERK_SECRET_KEY",
2151
+ required: true,
2152
+ secret: true,
2153
+ public: false,
2154
+ description: "Tenant-owned Clerk backend secret used only by that tenant's server runtimes."
2155
+ },
2156
+ {
2157
+ idSuffix: "clerk.project",
2158
+ canonicalName: "CLERK_PROJECT_ID",
2159
+ required: true,
2160
+ secret: false,
2161
+ public: false,
2162
+ description: "Tenant-owned Clerk project id used to resolve canonical Clerk aliases."
2163
+ },
2164
+ {
2165
+ idSuffix: "clerk.jwks",
2166
+ canonicalName: "CLERK_JWT_ISSUER_DOMAIN",
2167
+ aliases: ["CLERK_ISSUER_URL", "CLERK_JWKS_URL"],
2168
+ required: false,
2169
+ secret: false,
2170
+ public: false,
2171
+ description: "Tenant Clerk issuer/JWKS URL consumed by Convex auth.config.ts."
2172
+ },
2173
+ {
2174
+ idSuffix: "clerk.jwt-key",
2175
+ canonicalName: "CLERK_JWT_KEY",
2176
+ required: false,
2177
+ secret: true,
2178
+ public: false,
2179
+ description: "Tenant Clerk JWT public verification key used by bearer-token API routes."
2180
+ },
2181
+ {
2182
+ idSuffix: "clerk.authorized-parties",
2183
+ canonicalName: "CLERK_AUTHORIZED_PARTIES",
2184
+ aliases: ["CLERK_MOBILE_AUTHORIZED_PARTIES"],
2185
+ required: false,
2186
+ secret: false,
2187
+ public: false,
2188
+ description: "Comma-separated Clerk authorized parties for browser and mobile bearer-token validation."
2189
+ },
2190
+ {
2191
+ idSuffix: "clerk.sign-in-url",
2192
+ canonicalName: "NEXT_PUBLIC_CLERK_SIGN_IN_URL",
2193
+ required: false,
2194
+ secret: false,
2195
+ public: true,
2196
+ description: "Tenant Clerk sign-in route for custom app login surfaces."
2197
+ },
2198
+ {
2199
+ idSuffix: "clerk.sign-up-url",
2200
+ canonicalName: "NEXT_PUBLIC_CLERK_SIGN_UP_URL",
2201
+ required: false,
2202
+ secret: false,
2203
+ public: true,
2204
+ description: "Tenant Clerk sign-up route for custom app login surfaces."
2205
+ }
2206
+ ];
2207
+ var TENANT_SHARED_SECRET_DEFINITIONS = INFISICAL_TENANT_SOFTWARE_SYSTEMS.flatMap(
2208
+ (system) => TENANT_SHARED_SECRET_DEFINITION_TEMPLATES.map(
2209
+ (template) => ({
2210
+ id: `tenant.${system.id}.${template.idSuffix}`,
2211
+ canonicalName: template.canonicalName,
2212
+ aliases: "aliases" in template ? template.aliases : void 0,
2213
+ owner: "tenant",
2214
+ scope: "tenant",
2215
+ sourcePath: system.sharedSourcePath,
2216
+ environmentPolicy: "environment_specific",
2217
+ required: template.required,
2218
+ secret: template.secret,
2219
+ public: template.public,
2220
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
2221
+ destinations: [
2222
+ {
2223
+ kind: "vercel",
2224
+ target: system.vercelProjectName,
2225
+ environmentPolicy: "preprod_staging_prod_prod"
2226
+ },
2227
+ {
2228
+ kind: "convex",
2229
+ target: `${system.convex.preprodDeployment}|${system.convex.prodDeployment}`,
2230
+ environmentPolicy: "preprod_staging_prod_prod"
2231
+ }
2232
+ ],
2233
+ description: `${system.tenantKey}/${system.workspaceKey}: ${template.description}`
2234
+ })
2235
+ )
2236
+ );
2237
+ var TENANT_INSTALL_SECRET_DEFINITIONS = INFISICAL_TENANT_SOFTWARE_SYSTEMS.map(
2238
+ (system) => ({
2239
+ id: `tenant.${system.id}.install-lucern-npm`,
2240
+ canonicalName: "INSTALL_LUCERN_NPM",
2241
+ owner: "provider",
2242
+ scope: "global",
2243
+ sourcePath: "/tenants/shared",
2244
+ environmentPolicy: "same_all_environments",
2245
+ required: true,
2246
+ secret: true,
2247
+ public: false,
2248
+ consumers: ["tenant-vercel-app", "tenant-deploy-tooling"],
2249
+ destinations: [
2250
+ {
2251
+ kind: "vercel",
2252
+ target: system.vercelProjectName,
2253
+ environmentPolicy: "same_all_environments"
2254
+ },
2255
+ {
2256
+ kind: "github_actions",
2257
+ target: `${system.repository.owner}/${system.repository.name}`,
2258
+ environmentPolicy: "same_all_environments"
2259
+ }
2260
+ ],
2261
+ description: `${system.tenantKey}/${system.workspaceKey}: read-only npm install token for published @lucern/* packages.`
2262
+ })
2263
+ );
2264
+ var TENANT_PRODUCT_SOFTWARE_SYSTEM_IDS = ["stack-frontend", "stackos"];
2265
+ var TENANT_PRODUCT_RUNTIME_SECRET_DEFINITION_TEMPLATES = [
2266
+ {
2267
+ idSuffix: "ai.openai-api-key",
2268
+ canonicalName: "OPENAI_API_KEY",
2269
+ required: false,
2270
+ secret: true,
2271
+ public: false,
2272
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment", "tenant-ai-runtime"],
2273
+ description: "Tenant-owned OpenAI key for product runtime LLM calls."
2274
+ },
2275
+ {
2276
+ idSuffix: "ai.anthropic-api-key",
2277
+ canonicalName: "ANTHROPIC_API_KEY",
2278
+ required: false,
2279
+ secret: true,
2280
+ public: false,
2281
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment", "tenant-ai-runtime"],
2282
+ description: "Tenant-owned Anthropic key for product runtime LLM calls."
2283
+ },
2284
+ {
2285
+ idSuffix: "ai.gemini-api-key",
2286
+ canonicalName: "GEMINI_API_KEY",
2287
+ aliases: ["GOOGLE_AI_API_KEY", "GOOGLE_GENERATIVE_AI_API_KEY"],
2288
+ required: false,
2289
+ secret: true,
2290
+ public: false,
2291
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment", "tenant-ai-runtime"],
2292
+ description: "Tenant-owned Google/Gemini key for product runtime LLM calls."
2293
+ },
2294
+ {
2295
+ idSuffix: "langfuse.secret-key",
2296
+ canonicalName: "LANGFUSE_SECRET_KEY",
2297
+ required: false,
2298
+ secret: true,
2299
+ public: false,
2300
+ consumers: [
2301
+ "tenant-vercel-app",
2302
+ "tenant-convex-deployment",
2303
+ "tenant-observability"
2304
+ ],
2305
+ description: "Tenant-owned Langfuse secret key for product AI tracing."
2306
+ },
2307
+ {
2308
+ idSuffix: "langfuse.public-key",
2309
+ canonicalName: "LANGFUSE_PUBLIC_KEY",
2310
+ required: false,
2311
+ secret: false,
2312
+ public: false,
2313
+ consumers: [
2314
+ "tenant-vercel-app",
2315
+ "tenant-convex-deployment",
2316
+ "tenant-observability"
2317
+ ],
2318
+ description: "Tenant-owned Langfuse public key for product AI tracing."
2319
+ },
2320
+ {
2321
+ idSuffix: "langfuse.base-url",
2322
+ canonicalName: "LANGFUSE_BASE_URL",
2323
+ aliases: ["LANGFUSE_BASEURL", "LANGFUSE_HOST"],
2324
+ required: false,
2325
+ secret: false,
2326
+ public: false,
2327
+ consumers: [
2328
+ "tenant-vercel-app",
2329
+ "tenant-convex-deployment",
2330
+ "tenant-observability"
2331
+ ],
2332
+ description: "Tenant-owned Langfuse API origin."
2333
+ },
2334
+ {
2335
+ idSuffix: "graph.neo4j-uri",
2336
+ canonicalName: "NEO4J_URI",
2337
+ required: false,
2338
+ secret: false,
2339
+ public: false,
2340
+ consumers: [
2341
+ "tenant-vercel-app",
2342
+ "tenant-convex-deployment",
2343
+ "tenant-graph-sync"
2344
+ ],
2345
+ description: "Tenant-owned Neo4j URI for product graph-sync."
2346
+ },
2347
+ {
2348
+ idSuffix: "graph.neo4j-user",
2349
+ canonicalName: "NEO4J_USER",
2350
+ aliases: ["NEO4J_USERNAME"],
2351
+ required: false,
2352
+ secret: false,
2353
+ public: false,
2354
+ consumers: [
2355
+ "tenant-vercel-app",
2356
+ "tenant-convex-deployment",
2357
+ "tenant-graph-sync"
2358
+ ],
2359
+ description: "Tenant-owned Neo4j user for product graph-sync."
2360
+ },
2361
+ {
2362
+ idSuffix: "graph.neo4j-password",
2363
+ canonicalName: "NEO4J_PASSWORD",
2364
+ required: false,
2365
+ secret: true,
2366
+ public: false,
2367
+ consumers: [
2368
+ "tenant-vercel-app",
2369
+ "tenant-convex-deployment",
2370
+ "tenant-graph-sync"
2371
+ ],
2372
+ description: "Tenant-owned Neo4j password for product graph-sync."
2373
+ },
2374
+ {
2375
+ idSuffix: "graph.neo4j-sync-secret",
2376
+ canonicalName: "NEO4J_SYNC_SECRET",
2377
+ required: false,
2378
+ secret: true,
2379
+ public: false,
2380
+ consumers: [
2381
+ "tenant-vercel-app",
2382
+ "tenant-convex-deployment",
2383
+ "tenant-graph-sync"
2384
+ ],
2385
+ description: "Tenant-owned shared secret for product Convex-to-HTTP graph-sync calls."
2386
+ },
2387
+ {
2388
+ idSuffix: "graph.neo4j-database",
2389
+ canonicalName: "NEO4J_DATABASE",
2390
+ required: false,
2391
+ secret: false,
2392
+ public: false,
2393
+ consumers: [
2394
+ "tenant-vercel-app",
2395
+ "tenant-convex-deployment",
2396
+ "tenant-graph-sync"
2397
+ ],
2398
+ description: "Tenant-owned Neo4j database name for product graph-sync."
2399
+ },
2400
+ {
2401
+ idSuffix: "vector.pinecone-api-key",
2402
+ canonicalName: "PINECONE_API_KEY",
2403
+ required: false,
2404
+ secret: true,
2405
+ public: false,
2406
+ consumers: [
2407
+ "tenant-vercel-app",
2408
+ "tenant-convex-deployment",
2409
+ "tenant-vector-store"
2410
+ ],
2411
+ description: "Tenant-owned Pinecone API key for product vector search."
2412
+ },
2413
+ {
2414
+ idSuffix: "vector.pinecone-index-name",
2415
+ canonicalName: "PINECONE_INDEX_NAME",
2416
+ aliases: ["PINECONE_INDEX"],
2417
+ required: false,
2418
+ secret: false,
2419
+ public: false,
2420
+ consumers: [
2421
+ "tenant-vercel-app",
2422
+ "tenant-convex-deployment",
2423
+ "tenant-vector-store"
2424
+ ],
2425
+ description: "Tenant-owned Pinecone index name for product vector search."
2426
+ },
2427
+ {
2428
+ idSuffix: "vector.pinecone-host",
2429
+ canonicalName: "PINECONE_HOST",
2430
+ aliases: ["PINECONE_INDEX_HOST"],
2431
+ required: false,
2432
+ secret: false,
2433
+ public: false,
2434
+ consumers: [
2435
+ "tenant-vercel-app",
2436
+ "tenant-convex-deployment",
2437
+ "tenant-vector-store"
2438
+ ],
2439
+ description: "Tenant-owned Pinecone host for product vector search."
2440
+ },
2441
+ {
2442
+ idSuffix: "vector.pinecone-namespace",
2443
+ canonicalName: "PINECONE_NAMESPACE",
2444
+ required: false,
2445
+ secret: false,
2446
+ public: false,
2447
+ consumers: [
2448
+ "tenant-vercel-app",
2449
+ "tenant-convex-deployment",
2450
+ "tenant-vector-store"
2451
+ ],
2452
+ description: "Tenant-owned Pinecone namespace for product vector search isolation."
2453
+ },
2454
+ {
2455
+ idSuffix: "storage.aws-access-key-id",
2456
+ canonicalName: "AWS_ACCESS_KEY_ID",
2457
+ required: false,
2458
+ secret: true,
2459
+ public: false,
2460
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
2461
+ description: "Tenant-owned AWS access key id for document/file ingestion."
2462
+ },
2463
+ {
2464
+ idSuffix: "storage.aws-secret-access-key",
2465
+ canonicalName: "AWS_SECRET_ACCESS_KEY",
2466
+ required: false,
2467
+ secret: true,
2468
+ public: false,
2469
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
2470
+ description: "Tenant-owned AWS secret access key for document/file ingestion."
2471
+ },
2472
+ {
2473
+ idSuffix: "storage.aws-region",
2474
+ canonicalName: "AWS_REGION",
2475
+ required: false,
2476
+ secret: false,
2477
+ public: false,
2478
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
2479
+ description: "Tenant-owned AWS region for document/file ingestion."
2480
+ },
2481
+ {
2482
+ idSuffix: "observability.sentry-dsn",
2483
+ canonicalName: "NEXT_PUBLIC_SENTRY_DSN",
2484
+ aliases: ["NEXT_PUBLIC_SENTRY_DSN_NEXTJS", "SENTRY_DSN"],
2485
+ required: false,
2486
+ secret: false,
2487
+ public: true,
2488
+ consumers: ["tenant-vercel-app", "tenant-observability"],
2489
+ description: "Tenant-owned Sentry DSN for app telemetry."
2490
+ },
2491
+ {
2492
+ idSuffix: "observability.sentry-auth-token",
2493
+ canonicalName: "SENTRY_AUTH_TOKEN",
2494
+ required: false,
2495
+ secret: true,
2496
+ public: false,
2497
+ consumers: ["tenant-deploy-tooling", "tenant-observability"],
2498
+ description: "Tenant-owned Sentry release token for app deployments."
2499
+ },
2500
+ {
2501
+ idSuffix: "observability.sentry-org",
2502
+ canonicalName: "SENTRY_ORG",
2503
+ aliases: ["SENTRY_ORG_SLUG"],
2504
+ required: false,
2505
+ secret: false,
2506
+ public: false,
2507
+ consumers: ["tenant-deploy-tooling", "tenant-observability"],
2508
+ description: "Tenant-owned Sentry org slug for release uploads."
2509
+ },
2510
+ {
2511
+ idSuffix: "observability.sentry-project",
2512
+ canonicalName: "SENTRY_PROJECT",
2513
+ aliases: ["SENTRY_PROJECT_NEXTJS"],
2514
+ required: false,
2515
+ secret: false,
2516
+ public: false,
2517
+ consumers: ["tenant-deploy-tooling", "tenant-observability"],
2518
+ description: "Tenant-owned Sentry project slug for release uploads."
2519
+ },
2520
+ {
2521
+ idSuffix: "observability.sentry-environment",
2522
+ canonicalName: "NEXT_PUBLIC_SENTRY_ENVIRONMENT",
2523
+ aliases: ["SENTRY_ENVIRONMENT"],
2524
+ required: false,
2525
+ secret: false,
2526
+ public: true,
2527
+ consumers: ["tenant-vercel-app", "tenant-observability"],
2528
+ description: "Tenant-owned Sentry environment label."
2529
+ },
2530
+ {
2531
+ idSuffix: "observability.sentry-release",
2532
+ canonicalName: "NEXT_PUBLIC_SENTRY_RELEASE",
2533
+ aliases: ["SENTRY_RELEASE"],
2534
+ required: false,
2535
+ secret: false,
2536
+ public: true,
2537
+ consumers: ["tenant-vercel-app", "tenant-observability"],
2538
+ description: "Tenant-owned Sentry release label."
2539
+ },
2540
+ {
2541
+ idSuffix: "observability.sentry-client-options",
2542
+ canonicalName: "NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE",
2543
+ aliases: [
2544
+ "NEXT_PUBLIC_SENTRY_CAPTURE_CONSOLE_LEVELS",
2545
+ "NEXT_PUBLIC_SENTRY_CAPTURE_CONSOLE_LEVELS_NEXTJS",
2546
+ "NEXT_PUBLIC_SENTRY_CONSOLE_BREADCRUMB_LEVELS",
2547
+ "NEXT_PUBLIC_SENTRY_CONSOLE_BREADCRUMB_LEVELS_NEXTJS",
2548
+ "NEXT_PUBLIC_SENTRY_CONSOLE_LOG_LEVELS",
2549
+ "NEXT_PUBLIC_SENTRY_CONSOLE_LOG_LEVELS_NEXTJS",
2550
+ "NEXT_PUBLIC_SENTRY_ENABLE_LOGS",
2551
+ "NEXT_PUBLIC_SENTRY_REPLAYS_ON_ERROR_SAMPLE_RATE",
2552
+ "NEXT_PUBLIC_SENTRY_REPLAYS_SESSION_SAMPLE_RATE",
2553
+ "NEXT_PUBLIC_SENTRY_SEND_DEFAULT_PII",
2554
+ "NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE_NEXTJS"
2555
+ ],
2556
+ required: false,
2557
+ secret: false,
2558
+ public: true,
2559
+ consumers: ["tenant-vercel-app", "tenant-observability"],
2560
+ description: "Tenant-owned public Sentry tuning values for Next.js client instrumentation."
2561
+ },
2562
+ {
2563
+ idSuffix: "observability.sentry-webhook-secret",
2564
+ canonicalName: "SENTRY_WEBHOOK_SECRET",
2565
+ required: false,
2566
+ secret: true,
2567
+ public: false,
2568
+ consumers: ["tenant-convex-deployment", "tenant-observability"],
2569
+ description: "Tenant-owned Sentry webhook verification secret."
2570
+ },
2571
+ {
2572
+ idSuffix: "lucern.gateway-api-key",
2573
+ canonicalName: "LUCERN_API_KEY",
2574
+ aliases: ["STACK_API_KEY"],
2575
+ required: false,
2576
+ secret: true,
2577
+ public: false,
2578
+ consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
2579
+ description: "Tenant-scoped Lucern/MC gateway API key for product front-door calls."
2580
+ },
2581
+ {
2582
+ idSuffix: "lucern.gateway-base-url",
2583
+ canonicalName: "LUCERN_BASE_URL",
2584
+ aliases: ["LUCERN_API_BASE_URL", "LUCERN_GATEWAY_BASE_URL"],
2585
+ required: false,
2586
+ secret: false,
2587
+ public: false,
2588
+ consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
2589
+ description: "Lucern/MC gateway base URL used by tenant product apps."
2590
+ },
2591
+ {
2592
+ idSuffix: "lucern.proxy-token-secret",
2593
+ canonicalName: "LUCERN_PROXY_TOKEN_SECRET",
2594
+ required: false,
2595
+ secret: true,
2596
+ public: false,
2597
+ consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
2598
+ description: "Tenant-owned secret for signing internal proxy/session tokens in product apps."
2599
+ },
2600
+ {
2601
+ idSuffix: "tenant.integrations.linear-api-key",
2602
+ canonicalName: "LINEAR_API_KEY",
2603
+ required: false,
2604
+ secret: true,
2605
+ public: false,
2606
+ consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
2607
+ description: "Tenant-owned Linear API key for support/slash-command flows."
2608
+ },
2609
+ {
2610
+ idSuffix: "tenant.vercel.bypass-token",
2611
+ canonicalName: "VERCEL_AUTOMATION_BYPASS_SECRET",
2612
+ aliases: ["NEXT_PUBLIC_VERCEL_BYPASS_TOKEN"],
2613
+ required: false,
2614
+ secret: true,
2615
+ public: false,
2616
+ consumers: ["tenant-vercel-app", "tenant-deploy-tooling"],
2617
+ description: "Tenant-owned Vercel automation bypass token. Public alias is legacy and should be removed from app code."
2618
+ }
2619
+ ];
2620
+ var TENANT_PRODUCT_RUNTIME_SECRET_DEFINITIONS = INFISICAL_TENANT_SOFTWARE_SYSTEMS.filter(
2621
+ (system) => TENANT_PRODUCT_SOFTWARE_SYSTEM_IDS.includes(system.id)
2622
+ ).flatMap(
2623
+ (system) => TENANT_PRODUCT_RUNTIME_SECRET_DEFINITION_TEMPLATES.map(
2624
+ (template) => ({
2625
+ id: `tenant.${system.id}.${template.idSuffix}`,
2626
+ canonicalName: template.canonicalName,
2627
+ aliases: "aliases" in template ? template.aliases : void 0,
2628
+ owner: "tenant",
2629
+ scope: "tenant",
2630
+ sourcePath: system.sharedSourcePath,
2631
+ environmentPolicy: "environment_specific",
2632
+ required: template.required,
2633
+ secret: template.secret,
2634
+ public: template.public,
2635
+ consumers: template.consumers,
2636
+ destinations: [
2637
+ {
2638
+ kind: "vercel",
2639
+ target: system.vercelProjectName,
2640
+ environmentPolicy: "preprod_staging_prod_prod"
2641
+ },
2642
+ {
2643
+ kind: "convex",
2644
+ target: `${system.convex.preprodDeployment}|${system.convex.prodDeployment}`,
2645
+ environmentPolicy: "preprod_staging_prod_prod"
2646
+ },
2647
+ {
2648
+ kind: "github_actions",
2649
+ target: `${system.repository.owner}/${system.repository.name}`,
2650
+ environmentPolicy: "preprod_staging_prod_prod"
2651
+ }
2652
+ ],
2653
+ description: `${system.tenantKey}/${system.workspaceKey}: ${template.description}`
2654
+ })
2655
+ )
2656
+ );
2657
+ function tenantVercelConvexUrlWriteNames(system) {
2658
+ const names = [system.convex.urlEnv, "NEXT_PUBLIC_CONVEX_URL"];
2659
+ if (system.id === "stack-eng") {
2660
+ return [...names, "STACKOS_ENGINEERING_GRAPH_CONVEX_URL"];
2661
+ }
2662
+ return names;
2663
+ }
2664
+ function tenantRepositoryConvexUrlWriteNames(system) {
2665
+ if (system.id === "stack-eng") {
2666
+ return [system.convex.urlEnv, "STACKOS_ENGINEERING_GRAPH_CONVEX_URL"];
2667
+ }
2668
+ return [system.convex.urlEnv];
2669
+ }
2670
+ function tenantRepositoryConvexDeployKeyWriteNames(system) {
2671
+ if (system.id === "stack-eng") {
2672
+ return [system.convex.deployKeyEnv, "STACKOS_ENGINEERING_GRAPH_DEPLOY_KEY"];
2673
+ }
2674
+ return [system.convex.deployKeyEnv];
2675
+ }
2676
+ function tenantConvexUrlAliases(system) {
2677
+ if (system.id === "stack-frontend") {
2678
+ return [
2679
+ "CONVEX_PROD_URL",
2680
+ "CONVEX_STACK_V2_PROD_URL",
2681
+ "CONVEX_STACK_V2_STAGING_URL",
2682
+ "STACK_CONVEX_URL"
2683
+ ];
2684
+ }
2685
+ if (system.id === "stackos") {
2686
+ return [
2687
+ "CONVEX_CLOUD_URL",
2688
+ "CONVEX_STACK_URL",
2689
+ "CONVEX_URL",
2690
+ "CONVEX_URL_DEVELOPMENT",
2691
+ "CONVEX_URL_PRODUCTION",
2692
+ "STACK_CONVEX_URL"
2693
+ ];
2694
+ }
2695
+ if (system.id === "stack-eng") {
2696
+ return ["STACKOS_ENGINEERING_GRAPH_CONVEX_URL"];
2697
+ }
2698
+ if (system.id === "lucern-graph") {
2699
+ return [
2700
+ "CONVEX_GRAPH_URL",
2701
+ "LUCERN_PROD_URL",
2702
+ "NEXT_PUBLIC_LUCERN_GRAPH_URL"
2703
+ ];
2704
+ }
2705
+ return void 0;
2706
+ }
2707
+ function tenantConvexDeployKeyAliases(system) {
2708
+ if (system.id === "stack-frontend") {
2709
+ return [
2710
+ "CONVEX_STACK_V2_PROD_DEPLOY_KEY",
2711
+ "CONVEX_STACK_V2_STAGING_DEPLOY_KEY",
2712
+ "STACK_DEPLOY_KEY"
2713
+ ];
2714
+ }
2715
+ if (system.id === "stackos") {
2716
+ return [
2717
+ "CONVEX_DEPLOY_KEY",
2718
+ "CONVEX_DEV_DEPLOY_KEY",
2719
+ "CONVEX_PROD_DEPLOY_KEY",
2720
+ "CONVEX_STACK_DEPLOY_KEY",
2721
+ "STACK_DEPLOY_KEY"
2722
+ ];
2723
+ }
2724
+ if (system.id === "stack-eng") {
2725
+ return ["CONVEX_DEPLOY_KEY", "STACKOS_ENGINEERING_GRAPH_DEPLOY_KEY"];
2726
+ }
2727
+ if (system.id === "lucern-graph") {
2728
+ return [
2729
+ "CONVEX_DEPLOY_KEY",
2730
+ "CONVEX_GRAPH_DEPLOY_KEY",
2731
+ "LUCERN_CONVEX_DEPLOY_KEY",
2732
+ "LUCERN_DEV_DEPLOY_KEY",
2733
+ "LUCERN_PROD_DEPLOY_KEY"
2734
+ ];
2735
+ }
2736
+ return void 0;
2737
+ }
2738
+ var TENANT_GRAPH_PUBLIC_CONFIG_SECRET_DEFINITIONS = INFISICAL_TENANT_SOFTWARE_SYSTEMS.flatMap(
2739
+ (system) => {
2740
+ if (system.id === "lucern-graph") {
2741
+ return [
2742
+ {
2743
+ id: "tenant.lucern-graph.public.tenant-id",
2744
+ canonicalName: "NEXT_PUBLIC_LUCERN_GRAPH_TENANT_ID",
2745
+ aliases: ["NEXT_PUBLIC_LUCERN_TENANT_ID"],
2746
+ owner: "tenant",
2747
+ scope: "workspace",
2748
+ sourcePath: system.sharedSourcePath,
2749
+ environmentPolicy: "environment_specific",
2750
+ required: false,
2751
+ secret: false,
2752
+ public: true,
2753
+ consumers: ["tenant-vercel-app"],
2754
+ destinations: [
2755
+ {
2756
+ kind: "vercel",
2757
+ target: system.vercelProjectName,
2758
+ environmentPolicy: "preprod_staging_prod_prod"
2759
+ }
2760
+ ],
2761
+ description: "Lucern graph public tenant id used by the standalone graph explorer."
2762
+ },
2763
+ {
2764
+ id: "tenant.lucern-graph.public.tenant-label",
2765
+ canonicalName: "NEXT_PUBLIC_LUCERN_GRAPH_TENANT_LABEL",
2766
+ owner: "tenant",
2767
+ scope: "workspace",
2768
+ sourcePath: system.sharedSourcePath,
2769
+ environmentPolicy: "environment_specific",
2770
+ required: false,
2771
+ secret: false,
2772
+ public: true,
2773
+ consumers: ["tenant-vercel-app"],
2774
+ destinations: [
2775
+ {
2776
+ kind: "vercel",
2777
+ target: system.vercelProjectName,
2778
+ environmentPolicy: "preprod_staging_prod_prod"
2779
+ }
2780
+ ],
2781
+ description: "Lucern graph public tenant label used by the standalone graph explorer."
2782
+ }
2783
+ ];
2784
+ }
2785
+ if (system.id === "stack-eng") {
2786
+ return [
2787
+ {
2788
+ id: "tenant.stack-eng.public.tenant-id",
2789
+ canonicalName: "NEXT_PUBLIC_STACKOS_ENGINEERING_GRAPH_TENANT_ID",
2790
+ owner: "tenant",
2791
+ scope: "workspace",
2792
+ sourcePath: system.sharedSourcePath,
2793
+ environmentPolicy: "environment_specific",
2794
+ required: false,
2795
+ secret: false,
2796
+ public: true,
2797
+ consumers: ["tenant-vercel-app"],
2798
+ destinations: [
2799
+ {
2800
+ kind: "vercel",
2801
+ target: system.vercelProjectName,
2802
+ environmentPolicy: "preprod_staging_prod_prod"
2803
+ }
2804
+ ],
2805
+ description: "Stack engineering graph public tenant id used by the graph explorer."
2806
+ },
2807
+ {
2808
+ id: "tenant.stack-eng.public.tenant-label",
2809
+ canonicalName: "NEXT_PUBLIC_STACKOS_ENGINEERING_GRAPH_TENANT_LABEL",
2810
+ owner: "tenant",
2811
+ scope: "workspace",
2812
+ sourcePath: system.sharedSourcePath,
2813
+ environmentPolicy: "environment_specific",
2814
+ required: false,
2815
+ secret: false,
2816
+ public: true,
2817
+ consumers: ["tenant-vercel-app"],
2818
+ destinations: [
2819
+ {
2820
+ kind: "vercel",
2821
+ target: system.vercelProjectName,
2822
+ environmentPolicy: "preprod_staging_prod_prod"
2823
+ }
2824
+ ],
2825
+ description: "Stack engineering graph public tenant label used by the graph explorer."
2826
+ },
2827
+ {
2828
+ id: "tenant.stack-eng.public.environment",
2829
+ canonicalName: "NEXT_PUBLIC_STACKOS_ENGINEERING_GRAPH_ENV",
2830
+ owner: "tenant",
2831
+ scope: "workspace",
2832
+ sourcePath: system.sharedSourcePath,
2833
+ environmentPolicy: "environment_specific",
2834
+ required: false,
2835
+ secret: false,
2836
+ public: true,
2837
+ consumers: ["tenant-vercel-app"],
2838
+ destinations: [
2839
+ {
2840
+ kind: "vercel",
2841
+ target: system.vercelProjectName,
2842
+ environmentPolicy: "preprod_staging_prod_prod"
2843
+ }
2844
+ ],
2845
+ description: "Stack engineering graph public environment label used by the graph explorer."
2846
+ }
2847
+ ];
2848
+ }
2849
+ return [];
2850
+ }
2851
+ );
2852
+ var STACK_ENG_GRAPH_STORE_SECRET_DEFINITIONS = [
2853
+ {
2854
+ id: "tenant.stack-eng.neo4j.uri",
2855
+ canonicalName: "NEO4J_URI",
2856
+ aliases: ["NEO4J_ENG_URI"],
2857
+ owner: "tenant",
2858
+ scope: "workspace",
2859
+ sourcePath: "/tenants/stack/engineering",
2860
+ environmentPolicy: "environment_specific",
2861
+ required: false,
2862
+ secret: false,
2863
+ public: false,
2864
+ consumers: ["tenant-graph-sync", "tenant-convex-deployment"],
2865
+ destinations: [
2866
+ {
2867
+ kind: "convex",
2868
+ target: "small-oyster-270|bold-cuttlefish-804",
2869
+ environmentPolicy: "preprod_staging_prod_prod"
2870
+ },
2871
+ {
2872
+ kind: "vercel",
2873
+ target: "stackos-engineering-graph",
2874
+ environmentPolicy: "preprod_staging_prod_prod"
2875
+ },
2876
+ {
2877
+ kind: "github_actions",
2878
+ target: "stack-vc/stackos-engineering-graph",
2879
+ environmentPolicy: "preprod_staging_prod_prod"
2880
+ }
2881
+ ],
2882
+ description: "Stack engineering graph Neo4j runtime URI. NEO4J_ENG_URI is the source alias used to avoid StackOS front-office collisions."
2883
+ },
2884
+ {
2885
+ id: "tenant.stack-eng.neo4j.user",
2886
+ canonicalName: "NEO4J_USER",
2887
+ aliases: ["NEO4J_ENG_USER"],
2888
+ owner: "tenant",
2889
+ scope: "workspace",
2890
+ sourcePath: "/tenants/stack/engineering",
2891
+ environmentPolicy: "environment_specific",
2892
+ required: false,
2893
+ secret: false,
2894
+ public: false,
2895
+ consumers: ["tenant-graph-sync", "tenant-convex-deployment"],
2896
+ destinations: [
2897
+ {
2898
+ kind: "convex",
2899
+ target: "small-oyster-270|bold-cuttlefish-804",
2900
+ environmentPolicy: "preprod_staging_prod_prod"
2901
+ },
2902
+ {
2903
+ kind: "vercel",
2904
+ target: "stackos-engineering-graph",
2905
+ environmentPolicy: "preprod_staging_prod_prod"
2906
+ },
2907
+ {
2908
+ kind: "github_actions",
2909
+ target: "stack-vc/stackos-engineering-graph",
2910
+ environmentPolicy: "preprod_staging_prod_prod"
2911
+ }
2912
+ ],
2913
+ description: "Stack engineering graph Neo4j runtime user."
2914
+ },
2915
+ {
2916
+ id: "tenant.stack-eng.neo4j.password",
2917
+ canonicalName: "NEO4J_PASSWORD",
2918
+ aliases: ["NEO4J_ENG_PASSWORD"],
2919
+ owner: "tenant",
2920
+ scope: "workspace",
2921
+ sourcePath: "/tenants/stack/engineering",
2922
+ environmentPolicy: "environment_specific",
2923
+ required: false,
2924
+ secret: true,
2925
+ public: false,
2926
+ consumers: ["tenant-graph-sync", "tenant-convex-deployment"],
2927
+ destinations: [
2928
+ {
2929
+ kind: "convex",
2930
+ target: "small-oyster-270|bold-cuttlefish-804",
2931
+ environmentPolicy: "preprod_staging_prod_prod"
2932
+ },
2933
+ {
2934
+ kind: "vercel",
2935
+ target: "stackos-engineering-graph",
2936
+ environmentPolicy: "preprod_staging_prod_prod"
2937
+ },
2938
+ {
2939
+ kind: "github_actions",
2940
+ target: "stack-vc/stackos-engineering-graph",
2941
+ environmentPolicy: "preprod_staging_prod_prod"
2942
+ }
2943
+ ],
2944
+ description: "Stack engineering graph Neo4j runtime password."
2945
+ },
2946
+ {
2947
+ id: "tenant.stack-eng.neo4j.sync-secret",
2948
+ canonicalName: "NEO4J_SYNC_SECRET",
2949
+ owner: "tenant",
2950
+ scope: "workspace",
2951
+ sourcePath: "/tenants/stack/engineering",
2952
+ environmentPolicy: "environment_specific",
2953
+ required: false,
2954
+ secret: true,
2955
+ public: false,
2956
+ consumers: ["tenant-graph-sync", "tenant-convex-deployment"],
2957
+ destinations: [
2958
+ {
2959
+ kind: "convex",
2960
+ target: "small-oyster-270|bold-cuttlefish-804",
2961
+ environmentPolicy: "preprod_staging_prod_prod"
2962
+ },
2963
+ {
2964
+ kind: "vercel",
2965
+ target: "stackos-engineering-graph",
2966
+ environmentPolicy: "preprod_staging_prod_prod"
2967
+ },
2968
+ {
2969
+ kind: "github_actions",
2970
+ target: "stack-vc/stackos-engineering-graph",
2971
+ environmentPolicy: "preprod_staging_prod_prod"
2972
+ }
2973
+ ],
2974
+ description: "Stack engineering graph sync secret for Convex-to-HTTP graph query/sync calls."
2975
+ }
2976
+ ];
2977
+ var TENANT_CONVEX_SECRET_DEFINITIONS = INFISICAL_TENANT_SOFTWARE_SYSTEMS.flatMap((system) => [
2978
+ {
2979
+ id: `tenant.${system.id}.convex.url`,
2980
+ canonicalName: system.convex.urlEnv,
2981
+ aliases: tenantConvexUrlAliases(system),
2982
+ owner: "tenant",
2983
+ scope: "software_system",
2984
+ sourcePath: system.sharedSourcePath,
2985
+ environmentPolicy: "preprod_staging_prod_prod",
2986
+ required: true,
2987
+ secret: false,
2988
+ public: false,
2989
+ consumers: [
2990
+ "tenant-vercel-app",
2991
+ "tenant-agent-runtime",
2992
+ "mc-operator-tooling"
2993
+ ],
2994
+ destinations: [
2995
+ {
2996
+ kind: "vercel",
2997
+ target: system.vercelProjectName,
2998
+ environmentPolicy: "preprod_staging_prod_prod",
2999
+ writeNames: tenantVercelConvexUrlWriteNames(system)
3000
+ },
3001
+ {
3002
+ kind: "github_actions",
3003
+ target: `${system.repository.owner}/${system.repository.name}`,
3004
+ environmentPolicy: "preprod_staging_prod_prod",
3005
+ writeNames: tenantRepositoryConvexUrlWriteNames(system),
3006
+ notes: "Only if that repository deploy/test workflow owns this software system."
3007
+ }
3008
+ ],
3009
+ description: `${system.tenantKey}/${system.workspaceKey} Convex URL. Pre-prod resolves to ${system.convex.preprodDeployment}; prod resolves to ${system.convex.prodDeployment}.`
3010
+ },
3011
+ {
3012
+ id: `tenant.${system.id}.convex.deploy-key`,
3013
+ canonicalName: system.convex.deployKeyEnv,
3014
+ aliases: tenantConvexDeployKeyAliases(system),
3015
+ owner: "tenant",
3016
+ scope: "software_system",
3017
+ sourcePath: system.sharedSourcePath,
3018
+ environmentPolicy: "preprod_staging_prod_prod",
3019
+ required: true,
3020
+ secret: true,
3021
+ public: false,
3022
+ consumers: [
3023
+ "tenant-vercel-app",
3024
+ "tenant-agent-runtime",
3025
+ "mc-operator-tooling"
3026
+ ],
3027
+ destinations: [
3028
+ {
3029
+ kind: "vercel",
3030
+ target: system.vercelProjectName,
3031
+ environmentPolicy: "preprod_staging_prod_prod"
3032
+ },
3033
+ {
3034
+ kind: "github_actions",
3035
+ target: `${system.repository.owner}/${system.repository.name}`,
3036
+ environmentPolicy: "preprod_staging_prod_prod",
3037
+ writeNames: tenantRepositoryConvexDeployKeyWriteNames(system),
3038
+ notes: "Only if that repository deploy/test workflow owns this software system."
3039
+ }
3040
+ ],
3041
+ description: `${system.tenantKey}/${system.workspaceKey} Convex deploy/admin key. Never route to sibling workspaces.`
3042
+ }
3043
+ ]);
3044
+ var INFISICAL_SECRET_DEFINITIONS = [
3045
+ ...PLATFORM_SECRET_DEFINITIONS,
3046
+ ...PLATFORM_AI_SECRET_DEFINITIONS,
3047
+ ...PLATFORM_LANGFUSE_SECRET_DEFINITIONS,
3048
+ ...PLATFORM_GRAPH_STORE_SECRET_DEFINITIONS,
3049
+ ...PLATFORM_VECTOR_STORE_SECRET_DEFINITIONS,
3050
+ ...PLATFORM_SENTRY_SECRET_DEFINITIONS,
3051
+ ...PLATFORM_DEPLOY_AUTOMATION_SECRET_DEFINITIONS,
3052
+ ...PLATFORM_LOCAL_OPERATOR_CONFIG_SECRET_DEFINITIONS,
3053
+ ...TENANT_SHARED_SECRET_DEFINITIONS,
3054
+ ...TENANT_INSTALL_SECRET_DEFINITIONS,
3055
+ ...TENANT_PRODUCT_RUNTIME_SECRET_DEFINITIONS,
3056
+ ...TENANT_GRAPH_PUBLIC_CONFIG_SECRET_DEFINITIONS,
3057
+ ...STACK_ENG_GRAPH_STORE_SECRET_DEFINITIONS,
3058
+ ...TENANT_CONVEX_SECRET_DEFINITIONS
3059
+ ];
3060
+ function findInfisicalSecretDefinition(secretId) {
3061
+ return INFISICAL_SECRET_DEFINITIONS.find((secret) => secret.id === secretId);
3062
+ }
3063
+ function infisicalSecretDefinitionsForConsumer(consumer) {
3064
+ return INFISICAL_SECRET_DEFINITIONS.filter(
3065
+ (secret) => secret.consumers.includes(consumer)
3066
+ );
3067
+ }
3068
+ function infisicalSecretDefinitionsForDestination(kind, target) {
3069
+ return INFISICAL_SECRET_DEFINITIONS.filter(
3070
+ (secret) => secret.destinations.some(
3071
+ (destination) => destination.kind === kind && destination.target === target
3072
+ )
3073
+ );
3074
+ }
3075
+ function validateInfisicalSecretDefinitions(definitions = INFISICAL_SECRET_DEFINITIONS) {
3076
+ const errors = [];
3077
+ const ids = /* @__PURE__ */ new Set();
3078
+ const platformOnlyNames = /* @__PURE__ */ new Set(["CONVEX_MC_URL", "CONVEX_MC_DEPLOY_KEY"]);
3079
+ for (const definition of definitions) {
3080
+ if (ids.has(definition.id)) {
3081
+ errors.push(`Duplicate secret definition id: ${definition.id}`);
3082
+ }
3083
+ ids.add(definition.id);
3084
+ if (!definition.canonicalName.startsWith("CONVEX_")) {
3085
+ continue;
3086
+ }
3087
+ if (platformOnlyNames.has(definition.canonicalName)) {
3088
+ if (definition.owner !== "lucern_platform") {
3089
+ errors.push(`${definition.canonicalName} must be Lucern platform-owned.`);
3090
+ }
3091
+ for (const destination of definition.destinations) {
3092
+ if (destination.kind === "vercel" && INFISICAL_TENANT_SOFTWARE_SYSTEMS.some(
3093
+ (system) => system.vercelProjectName === destination.target
3094
+ )) {
3095
+ errors.push(
3096
+ `${definition.canonicalName} must not route to tenant Vercel project ${destination.target}.`
3097
+ );
3098
+ }
3099
+ }
3100
+ continue;
3101
+ }
3102
+ const owner = INFISICAL_TENANT_SOFTWARE_SYSTEMS.find(
3103
+ (system) => system.convex.urlEnv === definition.canonicalName || system.convex.deployKeyEnv === definition.canonicalName
3104
+ );
3105
+ if (!owner) {
3106
+ errors.push(
3107
+ `${definition.canonicalName} is a Convex variable without a tenant software owner.`
3108
+ );
3109
+ continue;
3110
+ }
3111
+ for (const destination of definition.destinations) {
3112
+ if (destination.kind === "vercel" && destination.target !== owner.vercelProjectName) {
3113
+ errors.push(
3114
+ `${definition.canonicalName} routes to ${destination.target}; expected ${owner.vercelProjectName}.`
3115
+ );
3116
+ }
3117
+ }
3118
+ }
3119
+ return errors;
313
3120
  }
314
3121
 
315
- export { INFISICAL_RUNTIME_BOOTSTRAP_ENV, INFISICAL_RUNTIME_CONTRACT_VERSION, INFISICAL_RUNTIME_DEFAULT_API_URL, INFISICAL_RUNTIME_DEFAULT_PROJECT_ID, INFISICAL_RUNTIME_DELIVERY_MODES, INFISICAL_RUNTIME_ENVIRONMENTS, INFISICAL_RUNTIME_PATHS, INFISICAL_RUNTIME_SURFACES, INFISICAL_RUNTIME_SURFACE_IDS, findInfisicalRuntimePath, findInfisicalRuntimeSurface };
3122
+ export { INFISICAL_CONVEX_TIERS, INFISICAL_CONVEX_TIER_BY_VERCEL_ENVIRONMENT, INFISICAL_RUNTIME_BOOTSTRAP_ENV, INFISICAL_RUNTIME_CONTRACT_VERSION, INFISICAL_RUNTIME_CONTROL_ENV, INFISICAL_RUNTIME_DEFAULT_API_URL, INFISICAL_RUNTIME_DEFAULT_PROJECT_ID, INFISICAL_RUNTIME_DELIVERY_MODES, INFISICAL_RUNTIME_ENVIRONMENTS, INFISICAL_RUNTIME_PATHS, INFISICAL_RUNTIME_SURFACES, INFISICAL_RUNTIME_SURFACE_IDS, INFISICAL_SECRET_CONSUMERS, INFISICAL_SECRET_DEFINITIONS, INFISICAL_SECRET_DESTINATION_KINDS, INFISICAL_SECRET_ENVIRONMENT_POLICIES, INFISICAL_SECRET_OWNERS, INFISICAL_SECRET_SCOPES, INFISICAL_TENANT_SOFTWARE_SYSTEMS, INFISICAL_VERCEL_DESTINATION_ENVIRONMENTS, INFISICAL_VERCEL_SYNC_DESTINATIONS, INFISICAL_VERCEL_SYNC_RECONCILIATION, INFISICAL_VERCEL_TARGETS, convexTierForVercelDestinationEnvironment, expectedTenantConvexDeploymentForVercelEnvironment, findInfisicalRuntimePath, findInfisicalRuntimeSurface, findInfisicalSecretDefinition, findInfisicalTenantSoftwareSystem, findInfisicalVercelSyncDestination, infisicalSecretDefinitionsForConsumer, infisicalSecretDefinitionsForDestination, tenantSoftwareSystemConvexEnvNames, tenantSoftwareSystemOwnsConvexEnvName, validateInfisicalSecretDefinitions, vercelCustomEnvironmentIdForTenantSoftwareSystem };
316
3123
  //# sourceMappingURL=infisical-runtime.contract.js.map
317
3124
  //# sourceMappingURL=infisical-runtime.contract.js.map