@lucern/contracts 0.3.0-alpha.10 → 0.3.0-alpha.12

Files changed (234)
  1. package/dist/api-enums.contract.d.ts +5 -3
  2. package/dist/api-enums.contract.js +14 -12
  3. package/dist/api-enums.contract.js.map +1 -1
  4. package/dist/component-boundary.contract.d.ts +1 -1
  5. package/dist/component-boundary.contract.js +45 -26
  6. package/dist/component-boundary.contract.js.map +1 -1
  7. package/dist/component-host-boundary.contract.d.ts +10 -5
  8. package/dist/component-host-boundary.contract.js +10 -4
  9. package/dist/component-host-boundary.contract.js.map +1 -1
  10. package/dist/{defineTable-CBQ03FXl.d.ts → defineTable-t1wr5wgn.d.ts} +1 -1
  11. package/dist/{dsl-djCRfuWC.d.ts → dsl-DVPthQGY.d.ts} +1 -1
  12. package/dist/dsl.d.ts +2 -2
  13. package/dist/dsl.js.map +1 -1
  14. package/dist/function-registry/beliefs.d.ts +13 -0
  15. package/dist/function-registry/beliefs.js +50 -7
  16. package/dist/function-registry/beliefs.js.map +1 -1
  17. package/dist/function-registry/coding.d.ts +9 -0
  18. package/dist/function-registry/coding.js +117 -8
  19. package/dist/function-registry/coding.js.map +1 -1
  20. package/dist/function-registry/context.d.ts +6 -0
  21. package/dist/function-registry/context.js +50 -7
  22. package/dist/function-registry/context.js.map +1 -1
  23. package/dist/function-registry/contracts.d.ts +6 -0
  24. package/dist/function-registry/contracts.js +50 -7
  25. package/dist/function-registry/contracts.js.map +1 -1
  26. package/dist/function-registry/coordination.d.ts +12 -0
  27. package/dist/function-registry/coordination.js +50 -7
  28. package/dist/function-registry/coordination.js.map +1 -1
  29. package/dist/function-registry/edges.d.ts +9 -0
  30. package/dist/function-registry/edges.js +54 -14
  31. package/dist/function-registry/edges.js.map +1 -1
  32. package/dist/function-registry/evidence.d.ts +11 -0
  33. package/dist/function-registry/evidence.js +53 -11
  34. package/dist/function-registry/evidence.js.map +1 -1
  35. package/dist/function-registry/graph.d.ts +18 -0
  36. package/dist/function-registry/graph.js +50 -7
  37. package/dist/function-registry/graph.js.map +1 -1
  38. package/dist/function-registry/helpers.d.ts +4 -1
  39. package/dist/function-registry/helpers.js +51 -8
  40. package/dist/function-registry/helpers.js.map +1 -1
  41. package/dist/function-registry/identity.d.ts +6 -0
  42. package/dist/function-registry/identity.js +50 -7
  43. package/dist/function-registry/identity.js.map +1 -1
  44. package/dist/function-registry/index.d.ts +8 -320
  45. package/dist/function-registry/index.js +54 -384
  46. package/dist/function-registry/index.js.map +1 -1
  47. package/dist/function-registry/judgments.d.ts +5 -0
  48. package/dist/function-registry/judgments.js +50 -7
  49. package/dist/function-registry/judgments.js.map +1 -1
  50. package/dist/function-registry/legacy.d.ts +4 -0
  51. package/dist/function-registry/legacy.js +50 -7
  52. package/dist/function-registry/legacy.js.map +1 -1
  53. package/dist/function-registry/lenses.d.ts +7 -0
  54. package/dist/function-registry/lenses.js +50 -7
  55. package/dist/function-registry/lenses.js.map +1 -1
  56. package/dist/function-registry/nodes.d.ts +412 -0
  57. package/dist/function-registry/nodes.js +5303 -0
  58. package/dist/function-registry/nodes.js.map +1 -0
  59. package/dist/function-registry/ontologies.d.ts +14 -0
  60. package/dist/function-registry/ontologies.js +50 -7
  61. package/dist/function-registry/ontologies.js.map +1 -1
  62. package/dist/function-registry/pipeline.d.ts +6 -0
  63. package/dist/function-registry/pipeline.js +50 -7
  64. package/dist/function-registry/pipeline.js.map +1 -1
  65. package/dist/function-registry/questions.d.ts +15 -0
  66. package/dist/function-registry/questions.js +50 -7
  67. package/dist/function-registry/questions.js.map +1 -1
  68. package/dist/function-registry/tasks.d.ts +7 -0
  69. package/dist/function-registry/tasks.js +69 -16
  70. package/dist/function-registry/tasks.js.map +1 -1
  71. package/dist/function-registry/topics.d.ts +10 -0
  72. package/dist/function-registry/topics.js +50 -7
  73. package/dist/function-registry/topics.js.map +1 -1
  74. package/dist/function-registry/types.d.ts +5 -1
  75. package/dist/function-registry/worktrees.d.ts +14 -0
  76. package/dist/function-registry/worktrees.js +50 -7
  77. package/dist/function-registry/worktrees.js.map +1 -1
  78. package/dist/gateway.contract.d.ts +3 -0
  79. package/dist/gateway.contract.js.map +1 -1
  80. package/dist/generated/convexSchemas.d.ts +3 -3
  81. package/dist/generated/convexSchemas.js +35 -16
  82. package/dist/generated/convexSchemas.js.map +1 -1
  83. package/dist/generated/infisicalRuntimeEnv.d.ts +70 -0
  84. package/dist/generated/infisicalRuntimeEnv.js +26818 -0
  85. package/dist/generated/infisicalRuntimeEnv.js.map +1 -0
  86. package/dist/generated/lucernGatewayEnv.d.ts +17 -0
  87. package/dist/generated/lucernGatewayEnv.js +38 -0
  88. package/dist/generated/lucernGatewayEnv.js.map +1 -0
  89. package/dist/generated/lucernWebPublicEnv.d.ts +26 -0
  90. package/dist/generated/lucernWebPublicEnv.js +32 -0
  91. package/dist/generated/lucernWebPublicEnv.js.map +1 -0
  92. package/dist/generated/lucernWebServerEnv.d.ts +33 -0
  93. package/dist/generated/lucernWebServerEnv.js +51 -0
  94. package/dist/generated/lucernWebServerEnv.js.map +1 -0
  95. package/dist/generated/schema-manifest.json +1165 -150
  96. package/dist/generated/tableOwnership.d.ts +46 -27
  97. package/dist/generated/tableOwnership.js +64 -26
  98. package/dist/generated/tableOwnership.js.map +1 -1
  99. package/dist/generated/tier-expectations.json +60 -8
  100. package/dist/{index-O09U2xHk.d.ts → index-CM1Pl_vI.d.ts} +3 -3
  101. package/dist/index.d.ts +9 -4
  102. package/dist/index.js +31371 -381
  103. package/dist/index.js.map +1 -1
  104. package/dist/infisical-runtime.contract.d.ts +1623 -3
  105. package/dist/infisical-runtime.contract.js +2819 -12
  106. package/dist/infisical-runtime.contract.js.map +1 -1
  107. package/dist/manifests/infisical-runtime-manifest.d.ts +1550 -3
  108. package/dist/manifests/infisical-runtime-manifest.js +2672 -9
  109. package/dist/manifests/infisical-runtime-manifest.js.map +1 -1
  110. package/dist/manifests/tenant-client-manifest.d.ts +11 -11
  111. package/dist/manifests/tenant-client-manifest.js +11 -11
  112. package/dist/manifests/tenant-client-manifest.js.map +1 -1
  113. package/dist/mcp-gateway-boundary.contract.d.ts +23 -3
  114. package/dist/mcp-gateway-boundary.contract.js +2 -0
  115. package/dist/mcp-gateway-boundary.contract.js.map +1 -1
  116. package/dist/permit-principal-projection.contract.d.ts +74 -0
  117. package/dist/permit-principal-projection.contract.js +161 -0
  118. package/dist/permit-principal-projection.contract.js.map +1 -0
  119. package/dist/projections/check-convex-args-shape.js +10 -6
  120. package/dist/projections/check-convex-args-shape.js.map +1 -1
  121. package/dist/projections/create-evidence.projection.d.ts +6 -6
  122. package/dist/projections/create-evidence.projection.js +2 -3
  123. package/dist/projections/create-evidence.projection.js.map +1 -1
  124. package/dist/projections/index.d.ts +3 -3
  125. package/dist/projections/index.js +10 -6
  126. package/dist/projections/index.js.map +1 -1
  127. package/dist/projections/list-tasks.projection.d.ts +20 -8
  128. package/dist/projections/list-tasks.projection.js +8 -3
  129. package/dist/projections/list-tasks.projection.js.map +1 -1
  130. package/dist/proof-attestation.json +45 -0
  131. package/dist/schemas/component-table-manifest.d.ts +6 -6
  132. package/dist/schemas/component-table-manifest.js +2 -2
  133. package/dist/schemas/component-table-manifest.js.map +1 -1
  134. package/dist/schemas/index.d.ts +2 -2
  135. package/dist/schemas/index.js +1088 -137
  136. package/dist/schemas/index.js.map +1 -1
  137. package/dist/schemas/manifest.d.ts +2010 -120
  138. package/dist/schemas/manifest.js +1086 -135
  139. package/dist/schemas/manifest.js.map +1 -1
  140. package/dist/schemas/tables/controlPlane/accessControl.d.ts +260 -0
  141. package/dist/schemas/tables/controlPlane/accessControl.js +655 -0
  142. package/dist/schemas/tables/controlPlane/accessControl.js.map +1 -0
  143. package/dist/schemas/tables/{identity → controlPlane}/agent.d.ts +1 -1
  144. package/dist/schemas/tables/{identity → controlPlane}/agent.js +3 -3
  145. package/dist/schemas/tables/controlPlane/agent.js.map +1 -0
  146. package/dist/schemas/tables/{identity → controlPlane}/epistemic.d.ts +1 -1
  147. package/dist/schemas/tables/{identity → controlPlane}/epistemic.js +3 -3
  148. package/dist/schemas/tables/controlPlane/epistemic.js.map +1 -0
  149. package/dist/schemas/tables/{identity → controlPlane}/model.d.ts +1 -1
  150. package/dist/schemas/tables/{identity → controlPlane}/model.js +6 -6
  151. package/dist/schemas/tables/controlPlane/model.js.map +1 -0
  152. package/dist/schemas/tables/{identity → controlPlane}/platform.d.ts +1 -1
  153. package/dist/schemas/tables/{identity → controlPlane}/platform.js +18 -18
  154. package/dist/schemas/tables/controlPlane/platform.js.map +1 -0
  155. package/dist/schemas/tables/{identity → controlPlane}/project.d.ts +1 -1
  156. package/dist/schemas/tables/{identity → controlPlane}/project.js +3 -3
  157. package/dist/schemas/tables/controlPlane/project.js.map +1 -0
  158. package/dist/schemas/tables/{identity → controlPlane}/user.d.ts +1 -1
  159. package/dist/schemas/tables/{identity → controlPlane}/user.js +3 -3
  160. package/dist/schemas/tables/controlPlane/user.js.map +1 -0
  161. package/dist/schemas/tables/kernel/config.d.ts +1 -1
  162. package/dist/schemas/tables/kernel/config.js.map +1 -1
  163. package/dist/schemas/tables/kernel/coordination.d.ts +1 -1
  164. package/dist/schemas/tables/kernel/coordination.js.map +1 -1
  165. package/dist/schemas/tables/kernel/decision.d.ts +1 -1
  166. package/dist/schemas/tables/kernel/decision.js.map +1 -1
  167. package/dist/schemas/tables/kernel/embedding.d.ts +1 -1
  168. package/dist/schemas/tables/kernel/embedding.js.map +1 -1
  169. package/dist/schemas/tables/kernel/epistemic.d.ts +1 -1
  170. package/dist/schemas/tables/kernel/epistemic.js.map +1 -1
  171. package/dist/schemas/tables/kernel/idempotency.d.ts +1 -1
  172. package/dist/schemas/tables/kernel/idempotency.js.map +1 -1
  173. package/dist/schemas/tables/kernel/infra.d.ts +1 -1
  174. package/dist/schemas/tables/kernel/infra.js.map +1 -1
  175. package/dist/schemas/tables/kernel/intelligence.d.ts +1 -1
  176. package/dist/schemas/tables/kernel/intelligence.js.map +1 -1
  177. package/dist/schemas/tables/kernel/lens.d.ts +1 -1
  178. package/dist/schemas/tables/kernel/lens.js.map +1 -1
  179. package/dist/schemas/tables/kernel/ontology.d.ts +1 -1
  180. package/dist/schemas/tables/kernel/ontology.js.map +1 -1
  181. package/dist/schemas/tables/kernel/platform.d.ts +1 -1
  182. package/dist/schemas/tables/kernel/platform.js.map +1 -1
  183. package/dist/schemas/tables/kernel/spine.d.ts +2 -1
  184. package/dist/schemas/tables/kernel/spine.js +1 -0
  185. package/dist/schemas/tables/kernel/spine.js.map +1 -1
  186. package/dist/schemas/tables/kernel/task.d.ts +1 -1
  187. package/dist/schemas/tables/kernel/task.js.map +1 -1
  188. package/dist/schemas/tables/kernel/topic.d.ts +1 -1
  189. package/dist/schemas/tables/kernel/topic.js.map +1 -1
  190. package/dist/schemas/tables/kernel/workflow.d.ts +1 -1
  191. package/dist/schemas/tables/kernel/workflow.js.map +1 -1
  192. package/dist/schemas/tables/kernel/worktree.d.ts +5 -5
  193. package/dist/schemas/tables/kernel/worktree.js.map +1 -1
  194. package/dist/schemas/tables/mc/identity.d.ts +19 -2
  195. package/dist/schemas/tables/mc/identity.js +32 -1
  196. package/dist/schemas/tables/mc/identity.js.map +1 -1
  197. package/dist/schemas/tables/mc/methodology.d.ts +1 -1
  198. package/dist/schemas/tables/mc/methodology.js.map +1 -1
  199. package/dist/schemas/tables/mc/pack.d.ts +1 -1
  200. package/dist/schemas/tables/mc/pack.js.map +1 -1
  201. package/dist/schemas/tables/mc/policy.d.ts +2 -2
  202. package/dist/schemas/tables/mc/policy.js +1 -1
  203. package/dist/schemas/tables/mc/policy.js.map +1 -1
  204. package/dist/schemas/tables/mc/registry.d.ts +1 -1
  205. package/dist/schemas/tables/mc/registry.js.map +1 -1
  206. package/dist/schemas/tables/mc/runtime.d.ts +109 -3
  207. package/dist/schemas/tables/mc/runtime.js +330 -104
  208. package/dist/schemas/tables/mc/runtime.js.map +1 -1
  209. package/dist/schemas/tables/mc/tenant.d.ts +3 -2
  210. package/dist/schemas/tables/mc/tenant.js +2 -1
  211. package/dist/schemas/tables/mc/tenant.js.map +1 -1
  212. package/dist/schemas/tables/mc/workspace.d.ts +22 -5
  213. package/dist/schemas/tables/mc/workspace.js +34 -2
  214. package/dist/schemas/tables/mc/workspace.js.map +1 -1
  215. package/dist/sdk-tools.contract.js +26 -1
  216. package/dist/sdk-tools.contract.js.map +1 -1
  217. package/dist/tenant-bootstrap-seed.contract.d.ts +226 -58
  218. package/dist/tenant-bootstrap-seed.contract.js +126 -28
  219. package/dist/tenant-bootstrap-seed.contract.js.map +1 -1
  220. package/dist/tenant-bootstrap-seed.defaults.d.ts +1 -1
  221. package/dist/tenant-bootstrap-seed.defaults.js +1 -1
  222. package/dist/tenant-bootstrap-seed.defaults.js.map +1 -1
  223. package/dist/tenant-client.contract.d.ts +12 -12
  224. package/dist/tenant-client.contract.js +11 -11
  225. package/dist/tenant-client.contract.js.map +1 -1
  226. package/dist/tool-contracts.js +26 -1
  227. package/dist/tool-contracts.js.map +1 -1
  228. package/package.json +22 -1
  229. package/dist/schemas/tables/identity/agent.js.map +0 -1
  230. package/dist/schemas/tables/identity/epistemic.js.map +0 -1
  231. package/dist/schemas/tables/identity/model.js.map +0 -1
  232. package/dist/schemas/tables/identity/platform.js.map +0 -1
  233. package/dist/schemas/tables/identity/project.js.map +0 -1
  234. package/dist/schemas/tables/identity/user.js.map +0 -1
@@ -1,9 +1,9 @@
1
1
  /**
2
2
  * Tenant bootstrap seed contract.
3
3
  *
4
- * Fresh tenant deployments install the Lucern kernel and identity components
4
+ * Fresh tenant deployments install the Lucern kernel and control-plane components
5
5
  * from npm, then copy canonical template rows for non-secret runtime defaults.
6
- * This contract is intentionally exhaustive for the K/I tables: it separates
6
+ * This contract is intentionally exhaustive for the K/CP tables: it separates
7
7
  * rows that must be carried by the template deployments from rows that are
8
8
  * runtime data, runtime credentials, logs, queues, or derived caches.
9
9
  */
@@ -20,10 +20,10 @@ declare const TENANT_BOOTSTRAP_SEED_COMPONENTS: {
20
20
  readonly prod: "cool-badger-368";
21
21
  };
22
22
  };
23
- readonly identity: {
24
- readonly componentName: "identity";
25
- readonly migrationModule: "migration";
26
- readonly templateService: "services/identity-template";
23
+ readonly "control-plane": {
24
+ readonly componentName: "controlPlane";
25
+ readonly migrationModule: "dist/migration";
26
+ readonly templateService: "services/control-plane-template";
27
27
  readonly templateDeployments: {
28
28
  readonly staging: "industrious-cheetah-864";
29
29
  readonly prod: "combative-beagle-879";
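Review bot: The component is now addressed by two spellings inside one entry: the map key is `"control-plane"` while `componentName` is `"controlPlane"`, where the old entry used `identity` for both. The table rows in the later hunks use the key spelling (`component: "control-plane"`), so a consumer that joins rows on `componentName`, or that still filters on `"identity"`, would presumably match nothing. Whether that fails closed is not visible here, and it matters because those rows carry the `copyMode: "none"` rule for tables such as `tenantApiKeys` and `tenantSecrets`. I would document the distinction in the source contract, e.g. `/** The key is the contract's component id; componentName is a separate identifier and the two spellings differ. */`, and call out the `migrationModule` change to `"dist/migration"` for consumers that resolve that path. The same edit repeats in the `TENANT_BOOTSTRAP_SEED_MANIFEST` hunk at `@@ -573,10 +657,10 @@`; the declaration starts and ends outside this hunk.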
@@ -392,13 +392,13 @@ declare const TENANT_BOOTSTRAP_TABLE_REQUIREMENTS: readonly [{
392
392
  readonly copyMode: "none";
393
393
  readonly description: "Worktrees are tenant/runtime planning data.";
394
394
  }, {
395
- readonly component: "identity";
395
+ readonly component: "control-plane";
396
396
  readonly table: "agents";
397
397
  readonly prepopulation: "runtime_bootstrap";
398
398
  readonly copyMode: "none";
399
399
  readonly description: "Service agents are provisioned per tenant or service, not copied.";
400
400
  }, {
401
- readonly component: "identity";
401
+ readonly component: "control-plane";
402
402
  readonly table: "mcpWritePolicy";
403
403
  readonly prepopulation: "required_template";
404
404
  readonly copyMode: "template_global";
@@ -406,13 +406,13 @@ declare const TENANT_BOOTSTRAP_TABLE_REQUIREMENTS: readonly [{
406
406
  readonly uniqueKey: readonly ["topicId", "role", "toolCategory"];
407
407
  readonly description: "Global write policy defaults govern service and interactive MCP writes.";
408
408
  }, {
409
- readonly component: "identity";
409
+ readonly component: "control-plane";
410
410
  readonly table: "modelCallLogs";
411
411
  readonly prepopulation: "runtime_log";
412
412
  readonly copyMode: "none";
413
413
  readonly description: "Model call logs are runtime telemetry.";
414
414
  }, {
415
- readonly component: "identity";
415
+ readonly component: "control-plane";
416
416
  readonly table: "modelFunctionSlots";
417
417
  readonly prepopulation: "required_template";
418
418
  readonly copyMode: "template_global";
@@ -420,7 +420,7 @@ declare const TENANT_BOOTSTRAP_TABLE_REQUIREMENTS: readonly [{
420
420
  readonly uniqueKey: readonly ["slot"];
421
421
  readonly description: "Function-to-model slots are required by model runtime resolution.";
422
422
  }, {
423
- readonly component: "identity";
423
+ readonly component: "control-plane";
424
424
  readonly table: "modelRegistry";
425
425
  readonly prepopulation: "required_template";
426
426
  readonly copyMode: "template_global";
@@ -428,7 +428,7 @@ declare const TENANT_BOOTSTRAP_TABLE_REQUIREMENTS: readonly [{
428
428
  readonly uniqueKey: readonly ["key"];
429
429
  readonly description: "Model catalog defaults are required by model runtime clients.";
430
430
  }, {
431
- readonly component: "identity";
431
+ readonly component: "control-plane";
432
432
  readonly table: "modelSlotConfigs";
433
433
  readonly prepopulation: "required_template";
434
434
  readonly copyMode: "template_global";
@@ -436,13 +436,91 @@ declare const TENANT_BOOTSTRAP_TABLE_REQUIREMENTS: readonly [{
436
436
  readonly uniqueKey: readonly ["slot"];
437
437
  readonly description: "Slot-level defaults are required before tenant overrides exist.";
438
438
  }, {
439
- readonly component: "identity";
439
+ readonly component: "control-plane";
440
+ readonly table: "permitAccessReviewItems";
441
+ readonly prepopulation: "runtime_data";
442
+ readonly copyMode: "none";
443
+ readonly description: "Permit access-review item rows are tenant review data projected from Permit.";
444
+ }, {
445
+ readonly component: "control-plane";
446
+ readonly table: "permitAccessReviews";
447
+ readonly prepopulation: "runtime_data";
448
+ readonly copyMode: "none";
449
+ readonly description: "Permit access-review campaigns are tenant review data projected from Permit.";
450
+ }, {
451
+ readonly component: "control-plane";
452
+ readonly table: "permitAttributeBindings";
453
+ readonly prepopulation: "runtime_data";
454
+ readonly copyMode: "none";
455
+ readonly description: "Permit ABAC attribute bindings are tenant policy projection rows.";
456
+ }, {
457
+ readonly component: "control-plane";
458
+ readonly table: "permitGroups";
459
+ readonly prepopulation: "runtime_data";
460
+ readonly copyMode: "none";
461
+ readonly description: "Permit groups are tenant-defined policy subjects, not template data.";
462
+ }, {
463
+ readonly component: "control-plane";
464
+ readonly table: "permitGroupMemberships";
465
+ readonly prepopulation: "runtime_data";
466
+ readonly copyMode: "none";
467
+ readonly description: "Permit group memberships are tenant-specific policy projection rows.";
468
+ }, {
469
+ readonly component: "control-plane";
470
+ readonly table: "permitPolicyBundles";
471
+ readonly prepopulation: "runtime_derived";
472
+ readonly copyMode: "none";
473
+ readonly description: "Permit policy bundles are derived from the Permit control plane.";
474
+ }, {
475
+ readonly component: "control-plane";
476
+ readonly table: "permitPolicyDecisionReceipts";
477
+ readonly prepopulation: "runtime_log";
478
+ readonly copyMode: "none";
479
+ readonly description: "Permit decision receipts are runtime authorization audit logs.";
480
+ }, {
481
+ readonly component: "control-plane";
482
+ readonly table: "permitPrincipalAliases";
483
+ readonly prepopulation: "runtime_data";
484
+ readonly copyMode: "none";
485
+ readonly description: "Permit principal aliases are tenant-specific identity projection rows.";
486
+ }, {
487
+ readonly component: "control-plane";
488
+ readonly table: "permitPrincipals";
489
+ readonly prepopulation: "runtime_data";
490
+ readonly copyMode: "none";
491
+ readonly description: "Permit principals are projected from Clerk, Permit, and tenant onboarding flows.";
492
+ }, {
493
+ readonly component: "control-plane";
494
+ readonly table: "permitProjectionOutbox";
495
+ readonly prepopulation: "runtime_queue";
496
+ readonly copyMode: "none";
497
+ readonly description: "Permit projection outbox rows are runtime sync queue data.";
498
+ }, {
499
+ readonly component: "control-plane";
500
+ readonly table: "permitRelationshipTuples";
501
+ readonly prepopulation: "runtime_data";
502
+ readonly copyMode: "none";
503
+ readonly description: "Permit ReBAC relationship tuples are tenant policy projection rows.";
504
+ }, {
505
+ readonly component: "control-plane";
506
+ readonly table: "permitResourceInstances";
507
+ readonly prepopulation: "runtime_data";
508
+ readonly copyMode: "none";
509
+ readonly description: "Permit resource instances are tenant/workspace graph and deployment projection rows.";
510
+ }, {
511
+ readonly component: "control-plane";
512
+ readonly table: "permitRoleAssignments";
513
+ readonly prepopulation: "runtime_data";
514
+ readonly copyMode: "none";
515
+ readonly description: "Permit role assignments are tenant-specific policy projection rows.";
516
+ }, {
517
+ readonly component: "control-plane";
440
518
  readonly table: "platformAudienceGrants";
441
519
  readonly prepopulation: "runtime_data";
442
520
  readonly copyMode: "none";
443
521
  readonly description: "Audience grants are principal/group-specific access rows.";
444
522
  }, {
445
- readonly component: "identity";
523
+ readonly component: "control-plane";
446
524
  readonly table: "platformAudiences";
447
525
  readonly prepopulation: "required_template";
448
526
  readonly copyMode: "template_tenant_rewrite";
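Review bot: Nothing visible ties this hand-listed set to the schema: the hunk adds thirteen `permit*` rows (and `tenantPermitSyncStates` arrives in the hunk at `@@ -490,13 +568,19 @@`), while the header comment calls the contract intentionally exhaustive for the K/CP tables. A control-plane table added to the schema but not to this list would have no declared `copyMode`, and the rows most sensitive to that are the ones holding principals, role assignments and decision receipts. If no such check exists outside this file, I would add a build-time assertion that every control-plane table in the schema manifest has exactly one row here, and have whatever code consumes `copyMode` treat an unlisted table as `copyMode: "none"`. The array declaration begins and ends outside this hunk, and the same rows repeat in the `TENANT_BOOTSTRAP_SEED_MANIFEST` hunk at `@@ -970,13 +1054,91 @@`.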
@@ -450,31 +528,31 @@ declare const TENANT_BOOTSTRAP_TABLE_REQUIREMENTS: readonly [{
450
528
  readonly uniqueKey: readonly ["tenantId", "workspaceId", "audienceKey"];
451
529
  readonly description: "Default tenant audience taxonomy rows are rewritten into each tenant.";
452
530
  }, {
453
- readonly component: "identity";
531
+ readonly component: "control-plane";
454
532
  readonly table: "platformPolicyDecisionLogs";
455
533
  readonly prepopulation: "runtime_log";
456
534
  readonly copyMode: "none";
457
535
  readonly description: "Policy decisions are runtime audit logs.";
458
536
  }, {
459
- readonly component: "identity";
537
+ readonly component: "control-plane";
460
538
  readonly table: "projectGrants";
461
539
  readonly prepopulation: "runtime_data";
462
540
  readonly copyMode: "none";
463
541
  readonly description: "Project/topic grants are principal or group-specific access rows.";
464
542
  }, {
465
- readonly component: "identity";
543
+ readonly component: "control-plane";
466
544
  readonly table: "reasoningPermissions";
467
545
  readonly prepopulation: "runtime_data";
468
546
  readonly copyMode: "none";
469
547
  readonly description: "Reasoning permissions are principal-specific policy rows.";
470
548
  }, {
471
- readonly component: "identity";
549
+ readonly component: "control-plane";
472
550
  readonly table: "tenantApiKeys";
473
551
  readonly prepopulation: "runtime_secret";
474
552
  readonly copyMode: "none";
475
553
  readonly description: "API keys are tenant credentials and must never be copied.";
476
554
  }, {
477
- readonly component: "identity";
555
+ readonly component: "control-plane";
478
556
  readonly table: "tenantConfig";
479
557
  readonly prepopulation: "required_template";
480
558
  readonly copyMode: "template_tenant_rewrite";
@@ -482,7 +560,7 @@ declare const TENANT_BOOTSTRAP_TABLE_REQUIREMENTS: readonly [{
482
560
  readonly uniqueKey: readonly ["tenantId"];
483
561
  readonly description: "Tenant-local config defaults are rewritten during bootstrap.";
484
562
  }, {
485
- readonly component: "identity";
563
+ readonly component: "control-plane";
486
564
  readonly table: "tenantIntegrations";
487
565
  readonly prepopulation: "required_template";
488
566
  readonly copyMode: "template_tenant_rewrite";
@@ -490,13 +568,19 @@ declare const TENANT_BOOTSTRAP_TABLE_REQUIREMENTS: readonly [{
490
568
  readonly uniqueKey: readonly ["tenantId", "integrationKey"];
491
569
  readonly description: "Non-secret integration descriptors are rewritten into each tenant.";
492
570
  }, {
493
- readonly component: "identity";
571
+ readonly component: "control-plane";
494
572
  readonly table: "tenantModelSlotBindings";
495
573
  readonly prepopulation: "runtime_secret";
496
574
  readonly copyMode: "none";
497
575
  readonly description: "Tenant model slot bindings reference provider secrets and are runtime-only.";
498
576
  }, {
499
- readonly component: "identity";
577
+ readonly component: "control-plane";
578
+ readonly table: "tenantPermitSyncStates";
579
+ readonly prepopulation: "runtime_derived";
580
+ readonly copyMode: "none";
581
+ readonly description: "Tenant Permit sync state rows are runtime reconciliation state.";
582
+ }, {
583
+ readonly component: "control-plane";
500
584
  readonly table: "tenantPolicies";
501
585
  readonly prepopulation: "required_template";
502
586
  readonly copyMode: "template_tenant_rewrite";
@@ -504,37 +588,37 @@ declare const TENANT_BOOTSTRAP_TABLE_REQUIREMENTS: readonly [{
504
588
  readonly uniqueKey: readonly ["tenantId", "workspaceId", "roleName"];
505
589
  readonly description: "Default tenant policy roles are rewritten during bootstrap.";
506
590
  }, {
507
- readonly component: "identity";
591
+ readonly component: "control-plane";
508
592
  readonly table: "tenantProviderSecrets";
509
593
  readonly prepopulation: "runtime_secret";
510
594
  readonly copyMode: "none";
511
595
  readonly description: "Provider secrets are credentials and must never be copied.";
512
596
  }, {
513
- readonly component: "identity";
597
+ readonly component: "control-plane";
514
598
  readonly table: "tenantProxyGatewayUsage";
515
599
  readonly prepopulation: "runtime_log";
516
600
  readonly copyMode: "none";
517
601
  readonly description: "Proxy gateway usage rows are runtime telemetry.";
518
602
  }, {
519
- readonly component: "identity";
603
+ readonly component: "control-plane";
520
604
  readonly table: "tenantProxyTokenMints";
521
605
  readonly prepopulation: "runtime_secret";
522
606
  readonly copyMode: "none";
523
607
  readonly description: "Proxy token mints are ephemeral secret-bearing runtime rows.";
524
608
  }, {
525
- readonly component: "identity";
609
+ readonly component: "control-plane";
526
610
  readonly table: "tenantSandboxAuditEvents";
527
611
  readonly prepopulation: "runtime_log";
528
612
  readonly copyMode: "none";
529
613
  readonly description: "Sandbox audit rows are runtime security logs.";
530
614
  }, {
531
- readonly component: "identity";
615
+ readonly component: "control-plane";
532
616
  readonly table: "tenantSecrets";
533
617
  readonly prepopulation: "runtime_secret";
534
618
  readonly copyMode: "none";
535
619
  readonly description: "Tenant secrets are credentials and must never be copied.";
536
620
  }, {
537
- readonly component: "identity";
621
+ readonly component: "control-plane";
538
622
  readonly table: "toolAcls";
539
623
  readonly prepopulation: "required_template";
540
624
  readonly copyMode: "template_global";
@@ -542,7 +626,7 @@ declare const TENANT_BOOTSTRAP_TABLE_REQUIREMENTS: readonly [{
542
626
  readonly uniqueKey: readonly ["role", "toolName"];
543
627
  readonly description: "Default role-to-tool grants are required for SDK/MCP tool access.";
544
628
  }, {
545
- readonly component: "identity";
629
+ readonly component: "control-plane";
546
630
  readonly table: "toolRegistry";
547
631
  readonly prepopulation: "required_template";
548
632
  readonly copyMode: "template_global";
@@ -550,7 +634,7 @@ declare const TENANT_BOOTSTRAP_TABLE_REQUIREMENTS: readonly [{
550
634
  readonly uniqueKey: readonly ["toolName"];
551
635
  readonly description: "Core tool catalog rows are required before pack or tenant tools exist.";
552
636
  }, {
553
- readonly component: "identity";
637
+ readonly component: "control-plane";
554
638
  readonly table: "users";
555
639
  readonly prepopulation: "runtime_bootstrap";
556
640
  readonly copyMode: "none";
@@ -573,10 +657,10 @@ declare const TENANT_BOOTSTRAP_SEED_MANIFEST: {
573
657
  readonly prod: "cool-badger-368";
574
658
  };
575
659
  };
576
- readonly identity: {
577
- readonly componentName: "identity";
578
- readonly migrationModule: "migration";
579
- readonly templateService: "services/identity-template";
660
+ readonly "control-plane": {
661
+ readonly componentName: "controlPlane";
662
+ readonly migrationModule: "dist/migration";
663
+ readonly templateService: "services/control-plane-template";
580
664
  readonly templateDeployments: {
581
665
  readonly staging: "industrious-cheetah-864";
582
666
  readonly prod: "combative-beagle-879";
@@ -926,13 +1010,13 @@ declare const TENANT_BOOTSTRAP_SEED_MANIFEST: {
926
1010
  readonly copyMode: "none";
927
1011
  readonly description: "Worktrees are tenant/runtime planning data.";
928
1012
  }, {
929
- readonly component: "identity";
1013
+ readonly component: "control-plane";
930
1014
  readonly table: "agents";
931
1015
  readonly prepopulation: "runtime_bootstrap";
932
1016
  readonly copyMode: "none";
933
1017
  readonly description: "Service agents are provisioned per tenant or service, not copied.";
934
1018
  }, {
935
- readonly component: "identity";
1019
+ readonly component: "control-plane";
936
1020
  readonly table: "mcpWritePolicy";
937
1021
  readonly prepopulation: "required_template";
938
1022
  readonly copyMode: "template_global";
@@ -940,13 +1024,13 @@ declare const TENANT_BOOTSTRAP_SEED_MANIFEST: {
940
1024
  readonly uniqueKey: readonly ["topicId", "role", "toolCategory"];
941
1025
  readonly description: "Global write policy defaults govern service and interactive MCP writes.";
942
1026
  }, {
943
- readonly component: "identity";
1027
+ readonly component: "control-plane";
944
1028
  readonly table: "modelCallLogs";
945
1029
  readonly prepopulation: "runtime_log";
946
1030
  readonly copyMode: "none";
947
1031
  readonly description: "Model call logs are runtime telemetry.";
948
1032
  }, {
949
- readonly component: "identity";
1033
+ readonly component: "control-plane";
950
1034
  readonly table: "modelFunctionSlots";
951
1035
  readonly prepopulation: "required_template";
952
1036
  readonly copyMode: "template_global";
@@ -954,7 +1038,7 @@ declare const TENANT_BOOTSTRAP_SEED_MANIFEST: {
954
1038
  readonly uniqueKey: readonly ["slot"];
955
1039
  readonly description: "Function-to-model slots are required by model runtime resolution.";
956
1040
  }, {
957
- readonly component: "identity";
1041
+ readonly component: "control-plane";
958
1042
  readonly table: "modelRegistry";
959
1043
  readonly prepopulation: "required_template";
960
1044
  readonly copyMode: "template_global";
@@ -962,7 +1046,7 @@ declare const TENANT_BOOTSTRAP_SEED_MANIFEST: {
962
1046
  readonly uniqueKey: readonly ["key"];
963
1047
  readonly description: "Model catalog defaults are required by model runtime clients.";
964
1048
  }, {
965
- readonly component: "identity";
1049
+ readonly component: "control-plane";
966
1050
  readonly table: "modelSlotConfigs";
967
1051
  readonly prepopulation: "required_template";
968
1052
  readonly copyMode: "template_global";
@@ -970,13 +1054,91 @@ declare const TENANT_BOOTSTRAP_SEED_MANIFEST: {
970
1054
  readonly uniqueKey: readonly ["slot"];
971
1055
  readonly description: "Slot-level defaults are required before tenant overrides exist.";
972
1056
  }, {
973
- readonly component: "identity";
1057
+ readonly component: "control-plane";
1058
+ readonly table: "permitAccessReviewItems";
1059
+ readonly prepopulation: "runtime_data";
1060
+ readonly copyMode: "none";
1061
+ readonly description: "Permit access-review item rows are tenant review data projected from Permit.";
1062
+ }, {
1063
+ readonly component: "control-plane";
1064
+ readonly table: "permitAccessReviews";
1065
+ readonly prepopulation: "runtime_data";
1066
+ readonly copyMode: "none";
1067
+ readonly description: "Permit access-review campaigns are tenant review data projected from Permit.";
1068
+ }, {
1069
+ readonly component: "control-plane";
1070
+ readonly table: "permitAttributeBindings";
1071
+ readonly prepopulation: "runtime_data";
1072
+ readonly copyMode: "none";
1073
+ readonly description: "Permit ABAC attribute bindings are tenant policy projection rows.";
1074
+ }, {
1075
+ readonly component: "control-plane";
1076
+ readonly table: "permitGroups";
1077
+ readonly prepopulation: "runtime_data";
1078
+ readonly copyMode: "none";
1079
+ readonly description: "Permit groups are tenant-defined policy subjects, not template data.";
1080
+ }, {
1081
+ readonly component: "control-plane";
1082
+ readonly table: "permitGroupMemberships";
1083
+ readonly prepopulation: "runtime_data";
1084
+ readonly copyMode: "none";
1085
+ readonly description: "Permit group memberships are tenant-specific policy projection rows.";
1086
+ }, {
1087
+ readonly component: "control-plane";
1088
+ readonly table: "permitPolicyBundles";
1089
+ readonly prepopulation: "runtime_derived";
1090
+ readonly copyMode: "none";
1091
+ readonly description: "Permit policy bundles are derived from the Permit control plane.";
1092
+ }, {
1093
+ readonly component: "control-plane";
1094
+ readonly table: "permitPolicyDecisionReceipts";
1095
+ readonly prepopulation: "runtime_log";
1096
+ readonly copyMode: "none";
1097
+ readonly description: "Permit decision receipts are runtime authorization audit logs.";
1098
+ }, {
1099
+ readonly component: "control-plane";
1100
+ readonly table: "permitPrincipalAliases";
1101
+ readonly prepopulation: "runtime_data";
1102
+ readonly copyMode: "none";
1103
+ readonly description: "Permit principal aliases are tenant-specific identity projection rows.";
1104
+ }, {
1105
+ readonly component: "control-plane";
1106
+ readonly table: "permitPrincipals";
1107
+ readonly prepopulation: "runtime_data";
1108
+ readonly copyMode: "none";
1109
+ readonly description: "Permit principals are projected from Clerk, Permit, and tenant onboarding flows.";
1110
+ }, {
1111
+ readonly component: "control-plane";
1112
+ readonly table: "permitProjectionOutbox";
1113
+ readonly prepopulation: "runtime_queue";
1114
+ readonly copyMode: "none";
1115
+ readonly description: "Permit projection outbox rows are runtime sync queue data.";
1116
+ }, {
1117
+ readonly component: "control-plane";
1118
+ readonly table: "permitRelationshipTuples";
1119
+ readonly prepopulation: "runtime_data";
1120
+ readonly copyMode: "none";
1121
+ readonly description: "Permit ReBAC relationship tuples are tenant policy projection rows.";
1122
+ }, {
1123
+ readonly component: "control-plane";
1124
+ readonly table: "permitResourceInstances";
1125
+ readonly prepopulation: "runtime_data";
1126
+ readonly copyMode: "none";
1127
+ readonly description: "Permit resource instances are tenant/workspace graph and deployment projection rows.";
1128
+ }, {
1129
+ readonly component: "control-plane";
1130
+ readonly table: "permitRoleAssignments";
1131
+ readonly prepopulation: "runtime_data";
1132
+ readonly copyMode: "none";
1133
+ readonly description: "Permit role assignments are tenant-specific policy projection rows.";
1134
+ }, {
1135
+ readonly component: "control-plane";
974
1136
  readonly table: "platformAudienceGrants";
975
1137
  readonly prepopulation: "runtime_data";
976
1138
  readonly copyMode: "none";
977
1139
  readonly description: "Audience grants are principal/group-specific access rows.";
978
1140
  }, {
979
- readonly component: "identity";
1141
+ readonly component: "control-plane";
980
1142
  readonly table: "platformAudiences";
981
1143
  readonly prepopulation: "required_template";
982
1144
  readonly copyMode: "template_tenant_rewrite";
@@ -984,31 +1146,31 @@ declare const TENANT_BOOTSTRAP_SEED_MANIFEST: {
984
1146
  readonly uniqueKey: readonly ["tenantId", "workspaceId", "audienceKey"];
985
1147
  readonly description: "Default tenant audience taxonomy rows are rewritten into each tenant.";
986
1148
  }, {
987
- readonly component: "identity";
1149
+ readonly component: "control-plane";
988
1150
  readonly table: "platformPolicyDecisionLogs";
989
1151
  readonly prepopulation: "runtime_log";
990
1152
  readonly copyMode: "none";
991
1153
  readonly description: "Policy decisions are runtime audit logs.";
992
1154
  }, {
993
- readonly component: "identity";
1155
+ readonly component: "control-plane";
994
1156
  readonly table: "projectGrants";
995
1157
  readonly prepopulation: "runtime_data";
996
1158
  readonly copyMode: "none";
997
1159
  readonly description: "Project/topic grants are principal or group-specific access rows.";
998
1160
  }, {
999
- readonly component: "identity";
1161
+ readonly component: "control-plane";
1000
1162
  readonly table: "reasoningPermissions";
1001
1163
  readonly prepopulation: "runtime_data";
1002
1164
  readonly copyMode: "none";
1003
1165
  readonly description: "Reasoning permissions are principal-specific policy rows.";
1004
1166
  }, {
1005
- readonly component: "identity";
1167
+ readonly component: "control-plane";
1006
1168
  readonly table: "tenantApiKeys";
1007
1169
  readonly prepopulation: "runtime_secret";
1008
1170
  readonly copyMode: "none";
1009
1171
  readonly description: "API keys are tenant credentials and must never be copied.";
1010
1172
  }, {
1011
- readonly component: "identity";
1173
+ readonly component: "control-plane";
1012
1174
  readonly table: "tenantConfig";
1013
1175
  readonly prepopulation: "required_template";
1014
1176
  readonly copyMode: "template_tenant_rewrite";
@@ -1016,7 +1178,7 @@ declare const TENANT_BOOTSTRAP_SEED_MANIFEST: {
1016
1178
  readonly uniqueKey: readonly ["tenantId"];
1017
1179
  readonly description: "Tenant-local config defaults are rewritten during bootstrap.";
1018
1180
  }, {
1019
- readonly component: "identity";
1181
+ readonly component: "control-plane";
1020
1182
  readonly table: "tenantIntegrations";
1021
1183
  readonly prepopulation: "required_template";
1022
1184
  readonly copyMode: "template_tenant_rewrite";
@@ -1024,13 +1186,19 @@ declare const TENANT_BOOTSTRAP_SEED_MANIFEST: {
1024
1186
  readonly uniqueKey: readonly ["tenantId", "integrationKey"];
1025
1187
  readonly description: "Non-secret integration descriptors are rewritten into each tenant.";
1026
1188
  }, {
1027
- readonly component: "identity";
1189
+ readonly component: "control-plane";
1028
1190
  readonly table: "tenantModelSlotBindings";
1029
1191
  readonly prepopulation: "runtime_secret";
1030
1192
  readonly copyMode: "none";
1031
1193
  readonly description: "Tenant model slot bindings reference provider secrets and are runtime-only.";
1032
1194
  }, {
1033
- readonly component: "identity";
1195
+ readonly component: "control-plane";
1196
+ readonly table: "tenantPermitSyncStates";
1197
+ readonly prepopulation: "runtime_derived";
1198
+ readonly copyMode: "none";
1199
+ readonly description: "Tenant Permit sync state rows are runtime reconciliation state.";
1200
+ }, {
1201
+ readonly component: "control-plane";
1034
1202
  readonly table: "tenantPolicies";
1035
1203
  readonly prepopulation: "required_template";
1036
1204
  readonly copyMode: "template_tenant_rewrite";
@@ -1038,37 +1206,37 @@ declare const TENANT_BOOTSTRAP_SEED_MANIFEST: {
1038
1206
  readonly uniqueKey: readonly ["tenantId", "workspaceId", "roleName"];
1039
1207
  readonly description: "Default tenant policy roles are rewritten during bootstrap.";
1040
1208
  }, {
1041
- readonly component: "identity";
1209
+ readonly component: "control-plane";
1042
1210
  readonly table: "tenantProviderSecrets";
1043
1211
  readonly prepopulation: "runtime_secret";
1044
1212
  readonly copyMode: "none";
1045
1213
  readonly description: "Provider secrets are credentials and must never be copied.";
1046
1214
  }, {
1047
- readonly component: "identity";
1215
+ readonly component: "control-plane";
1048
1216
  readonly table: "tenantProxyGatewayUsage";
1049
1217
  readonly prepopulation: "runtime_log";
1050
1218
  readonly copyMode: "none";
1051
1219
  readonly description: "Proxy gateway usage rows are runtime telemetry.";
1052
1220
  }, {
1053
- readonly component: "identity";
1221
+ readonly component: "control-plane";
1054
1222
  readonly table: "tenantProxyTokenMints";
1055
1223
  readonly prepopulation: "runtime_secret";
1056
1224
  readonly copyMode: "none";
1057
1225
  readonly description: "Proxy token mints are ephemeral secret-bearing runtime rows.";
1058
1226
  }, {
1059
- readonly component: "identity";
1227
+ readonly component: "control-plane";
1060
1228
  readonly table: "tenantSandboxAuditEvents";
1061
1229
  readonly prepopulation: "runtime_log";
1062
1230
  readonly copyMode: "none";
1063
1231
  readonly description: "Sandbox audit rows are runtime security logs.";
1064
1232
  }, {
1065
- readonly component: "identity";
1233
+ readonly component: "control-plane";
1066
1234
  readonly table: "tenantSecrets";
1067
1235
  readonly prepopulation: "runtime_secret";
1068
1236
  readonly copyMode: "none";
1069
1237
  readonly description: "Tenant secrets are credentials and must never be copied.";
1070
1238
  }, {
1071
- readonly component: "identity";
1239
+ readonly component: "control-plane";
1072
1240
  readonly table: "toolAcls";
1073
1241
  readonly prepopulation: "required_template";
1074
1242
  readonly copyMode: "template_global";
@@ -1076,7 +1244,7 @@ declare const TENANT_BOOTSTRAP_SEED_MANIFEST: {
1076
1244
  readonly uniqueKey: readonly ["role", "toolName"];
1077
1245
  readonly description: "Default role-to-tool grants are required for SDK/MCP tool access.";
1078
1246
  }, {
1079
- readonly component: "identity";
1247
+ readonly component: "control-plane";
1080
1248
  readonly table: "toolRegistry";
1081
1249
  readonly prepopulation: "required_template";
1082
1250
  readonly copyMode: "template_global";
@@ -1084,7 +1252,7 @@ declare const TENANT_BOOTSTRAP_SEED_MANIFEST: {
1084
1252
  readonly uniqueKey: readonly ["toolName"];
1085
1253
  readonly description: "Core tool catalog rows are required before pack or tenant tools exist.";
1086
1254
  }, {
1087
- readonly component: "identity";
1255
+ readonly component: "control-plane";
1088
1256
  readonly table: "users";
1089
1257
  readonly prepopulation: "runtime_bootstrap";
1090
1258
  readonly copyMode: "none";