@lucern/contracts 0.3.0-alpha.11 → 0.3.0-alpha.13

Files changed (130) hide show
  1. package/dist/auth-context.contract.js +13 -1
  2. package/dist/auth-context.contract.js.map +1 -1
  3. package/dist/auth-session.contract.js +13 -1
  4. package/dist/auth-session.contract.js.map +1 -1
  5. package/dist/auth.contract.d.ts +1 -1
  6. package/dist/auth.contract.js +13 -1
  7. package/dist/auth.contract.js.map +1 -1
  8. package/dist/component-boundary.contract.js +1 -0
  9. package/dist/component-boundary.contract.js.map +1 -1
  10. package/dist/function-registry/beliefs.d.ts +10 -10
  11. package/dist/function-registry/beliefs.js +53 -2
  12. package/dist/function-registry/beliefs.js.map +1 -1
  13. package/dist/function-registry/coding.d.ts +6 -6
  14. package/dist/function-registry/coding.js +53 -2
  15. package/dist/function-registry/coding.js.map +1 -1
  16. package/dist/function-registry/context.d.ts +3 -3
  17. package/dist/function-registry/context.js +53 -2
  18. package/dist/function-registry/context.js.map +1 -1
  19. package/dist/function-registry/contracts.d.ts +3 -3
  20. package/dist/function-registry/contracts.js +53 -2
  21. package/dist/function-registry/contracts.js.map +1 -1
  22. package/dist/function-registry/coordination.d.ts +9 -9
  23. package/dist/function-registry/coordination.js +53 -2
  24. package/dist/function-registry/coordination.js.map +1 -1
  25. package/dist/function-registry/edges.d.ts +6 -6
  26. package/dist/function-registry/edges.js +53 -2
  27. package/dist/function-registry/edges.js.map +1 -1
  28. package/dist/function-registry/evidence.d.ts +8 -8
  29. package/dist/function-registry/evidence.js +53 -2
  30. package/dist/function-registry/evidence.js.map +1 -1
  31. package/dist/function-registry/graph.d.ts +15 -15
  32. package/dist/function-registry/graph.js +53 -2
  33. package/dist/function-registry/graph.js.map +1 -1
  34. package/dist/function-registry/helpers.d.ts +2 -2
  35. package/dist/function-registry/helpers.js +53 -2
  36. package/dist/function-registry/helpers.js.map +1 -1
  37. package/dist/function-registry/identity.d.ts +56 -16
  38. package/dist/function-registry/identity.js +75 -4
  39. package/dist/function-registry/identity.js.map +1 -1
  40. package/dist/function-registry/index.d.ts +1 -1
  41. package/dist/function-registry/index.js +53 -2
  42. package/dist/function-registry/index.js.map +1 -1
  43. package/dist/function-registry/judgments.d.ts +2 -2
  44. package/dist/function-registry/judgments.js +53 -2
  45. package/dist/function-registry/judgments.js.map +1 -1
  46. package/dist/function-registry/legacy.d.ts +1 -1
  47. package/dist/function-registry/legacy.js +53 -2
  48. package/dist/function-registry/legacy.js.map +1 -1
  49. package/dist/function-registry/lenses.d.ts +4 -4
  50. package/dist/function-registry/lenses.js +53 -2
  51. package/dist/function-registry/lenses.js.map +1 -1
  52. package/dist/function-registry/manifest.d.ts +3 -3
  53. package/dist/function-registry/manifest.js +1 -0
  54. package/dist/function-registry/manifest.js.map +1 -1
  55. package/dist/function-registry/nodes.d.ts +8 -8
  56. package/dist/function-registry/nodes.js +53 -2
  57. package/dist/function-registry/nodes.js.map +1 -1
  58. package/dist/function-registry/ontologies.d.ts +11 -11
  59. package/dist/function-registry/ontologies.js +53 -2
  60. package/dist/function-registry/ontologies.js.map +1 -1
  61. package/dist/function-registry/pipeline.d.ts +3 -3
  62. package/dist/function-registry/pipeline.js +53 -2
  63. package/dist/function-registry/pipeline.js.map +1 -1
  64. package/dist/function-registry/questions.d.ts +12 -12
  65. package/dist/function-registry/questions.js +53 -2
  66. package/dist/function-registry/questions.js.map +1 -1
  67. package/dist/function-registry/tasks.d.ts +4 -4
  68. package/dist/function-registry/tasks.js +53 -2
  69. package/dist/function-registry/tasks.js.map +1 -1
  70. package/dist/function-registry/topics.d.ts +7 -7
  71. package/dist/function-registry/topics.js +53 -2
  72. package/dist/function-registry/topics.js.map +1 -1
  73. package/dist/function-registry/types.d.ts +2 -2
  74. package/dist/function-registry/worktrees.d.ts +11 -11
  75. package/dist/function-registry/worktrees.js +53 -2
  76. package/dist/function-registry/worktrees.js.map +1 -1
  77. package/dist/generated/convexSchemas.js +4 -3
  78. package/dist/generated/convexSchemas.js.map +1 -1
  79. package/dist/generated/infisicalRuntimeEnv.js +357 -0
  80. package/dist/generated/infisicalRuntimeEnv.js.map +1 -1
  81. package/dist/generated/schema-manifest.json +88 -3
  82. package/dist/generated/tableOwnership.d.ts +2 -1
  83. package/dist/generated/tableOwnership.js +2 -0
  84. package/dist/generated/tableOwnership.js.map +1 -1
  85. package/dist/generated/tier-expectations.json +6 -3
  86. package/dist/index.d.ts +3 -2
  87. package/dist/index.js +726 -19
  88. package/dist/index.js.map +1 -1
  89. package/dist/infisical-runtime.contract.d.ts +44 -0
  90. package/dist/infisical-runtime.contract.js +52 -0
  91. package/dist/infisical-runtime.contract.js.map +1 -1
  92. package/dist/manifests/infisical-runtime-manifest.d.ts +44 -0
  93. package/dist/manifests/infisical-runtime-manifest.js +52 -0
  94. package/dist/manifests/infisical-runtime-manifest.js.map +1 -1
  95. package/dist/manifests/tenant-client-manifest.d.ts +8 -3
  96. package/dist/manifests/tenant-client-manifest.js +18 -1
  97. package/dist/manifests/tenant-client-manifest.js.map +1 -1
  98. package/dist/permit-principal-projection.contract.d.ts +74 -0
  99. package/dist/permit-principal-projection.contract.js +160 -0
  100. package/dist/permit-principal-projection.contract.js.map +1 -0
  101. package/dist/proof-attestation.json +1 -1
  102. package/dist/schemas/index.js +36 -1
  103. package/dist/schemas/index.js.map +1 -1
  104. package/dist/schemas/manifest.d.ts +85 -10
  105. package/dist/schemas/manifest.js +36 -1
  106. package/dist/schemas/manifest.js.map +1 -1
  107. package/dist/schemas/tables/controlPlane/accessControl.d.ts +2 -2
  108. package/dist/schemas/tables/controlPlane/accessControl.js +6 -1
  109. package/dist/schemas/tables/controlPlane/accessControl.js.map +1 -1
  110. package/dist/schemas/tables/kernel/events.d.ts +21 -0
  111. package/dist/schemas/tables/kernel/events.js +43 -0
  112. package/dist/schemas/tables/kernel/events.js.map +1 -0
  113. package/dist/{sdk-tools.contract-BNklQDfB.d.ts → sdk-tools.contract-CKmSsrZ2.d.ts} +1 -1
  114. package/dist/sdk-tools.contract.d.ts +2 -2
  115. package/dist/sdk-tools.contract.js +45 -1
  116. package/dist/sdk-tools.contract.js.map +1 -1
  117. package/dist/tenant-bootstrap-seed.contract.d.ts +22 -2
  118. package/dist/tenant-bootstrap-seed.contract.js +15 -2
  119. package/dist/tenant-bootstrap-seed.contract.js.map +1 -1
  120. package/dist/tenant-bootstrap-seed.defaults.d.ts +1 -1
  121. package/dist/tenant-bootstrap-seed.defaults.js +30 -12
  122. package/dist/tenant-bootstrap-seed.defaults.js.map +1 -1
  123. package/dist/tenant-client.contract.d.ts +8 -3
  124. package/dist/tenant-client.contract.js +18 -1
  125. package/dist/tenant-client.contract.js.map +1 -1
  126. package/dist/{tool-contracts-BevD9Ho2.d.ts → tool-contracts-C_xvM9q2.d.ts} +4 -2
  127. package/dist/tool-contracts.d.ts +1 -1
  128. package/dist/tool-contracts.js +46 -2
  129. package/dist/tool-contracts.js.map +1 -1
  130. package/package.json +1 -1
package/dist/index.js CHANGED
@@ -189,7 +189,13 @@ var SESSION_AUTH_MODES = [
189
189
  "tenant_api_key",
190
190
  "session_token"
191
191
  ];
192
- var SESSION_PRINCIPAL_TYPES = ["human", "service", "agent"];
192
+ var SESSION_PRINCIPAL_TYPES = [
193
+ "human",
194
+ "service",
195
+ "agent",
196
+ "group",
197
+ "external_viewer"
198
+ ];
193
199
  var SESSION_LIFECYCLE_STATUSES = [
194
200
  "active",
195
201
  "expired",
@@ -202,6 +208,12 @@ function inferSessionPrincipalType(principalId) {
202
208
  if (principalId.startsWith("agent:")) {
203
209
  return "agent";
204
210
  }
211
+ if (principalId.startsWith("group:")) {
212
+ return "group";
213
+ }
214
+ if (principalId.startsWith("external:") || principalId.startsWith("external_viewer:")) {
215
+ return "external_viewer";
216
+ }
205
217
  return "service";
206
218
  }
207
219
  function normalizeDelegationChain(args) {
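Review bot: The closing `return "service";` in inferSessionPrincipalType is still the fallback after the new `group:` and `external:` / `external_viewer:` branches, so an identifier with an unknown or mistyped prefix is classified as a service principal rather than rejected or mapped to the most restricted type. With `external_viewer` now a distinct type, the function should carry a comment that the result is only a hint read from the identifier string, for example `// Prefix-based hint only; authorize against the stored principal record, never this value.`. If callers can pass identifiers taken from request input, it is worth checking whether an unknown prefix should fall through to "service" at all. The function begins above this hunk, so the earlier branches are not visible here.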
@@ -262,6 +274,7 @@ var TABLE_OWNERSHIP = {
262
274
  "deliberationContributions": "K",
263
275
  "deliberationSessions": "K",
264
276
  "deploymentHosts": "L",
277
+ "domainEvents": "K",
265
278
  "epistemicAudit": "K",
266
279
  "epistemicContracts": "K",
267
280
  "epistemicEdges": "K",
@@ -2491,6 +2504,35 @@ var systemLogs = defineTable({
2491
2504
  { kind: "index", name: "by_source", columns: ["source"] }
2492
2505
  ]
2493
2506
  });
2507
+ var domainEvents = defineTable({
2508
+ name: "domainEvents",
2509
+ component: "kernel",
2510
+ category: "events",
2511
+ shape: z.object({
2512
+ "eventId": z.string(),
2513
+ "type": z.string(),
2514
+ "version": z.string(),
2515
+ "timestamp": z.number(),
2516
+ "tenantId": z.string().optional(),
2517
+ "workspaceId": z.string().optional(),
2518
+ "topicId": z.string(),
2519
+ "resourceId": z.string(),
2520
+ "resourceType": z.string(),
2521
+ "actorId": z.string(),
2522
+ "actorType": z.enum(["human", "agent", "service"]),
2523
+ "data": z.record(z.any()),
2524
+ "correlationId": z.string().optional(),
2525
+ "expiresAt": z.number()
2526
+ }),
2527
+ indices: [
2528
+ { kind: "index", name: "by_eventId", columns: ["eventId"] },
2529
+ { kind: "index", name: "by_topic_timestamp", columns: ["topicId", "timestamp"] },
2530
+ { kind: "index", name: "by_tenant_workspace_timestamp", columns: ["tenantId", "workspaceId", "timestamp"] },
2531
+ { kind: "index", name: "by_type_timestamp", columns: ["type", "timestamp"] },
2532
+ { kind: "index", name: "by_resource", columns: ["resourceType", "resourceId", "timestamp"] },
2533
+ { kind: "index", name: "by_expiresAt", columns: ["expiresAt"] }
2534
+ ]
2535
+ });
2494
2536
  var beliefConfidence = defineTable({
2495
2537
  name: "beliefConfidence",
2496
2538
  component: "kernel",
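Review bot: `"actorType": z.enum(["human", "agent", "service"])` in the new domainEvents table does not accept the `group` and `external_viewer` principal types that this same release adds to SESSION_PRINCIPAL_TYPES. An event whose actor is an external viewer would either fail validation or be recorded under another type, which weakens the audit trail. If such principals can act, the line should read `"actorType": z.enum(["human", "agent", "service", "group", "external_viewer"]),`; if they cannot, a comment saying so would settle it. `tenantId` is optional although `by_tenant_workspace_timestamp` is the tenant-scoped index, so rows written without it would presumably be missed by tenant-filtered reads. `"data": z.record(z.any())` puts no bound on the payload, so the table should document that writers must keep credentials and tokens out of event data.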
@@ -5789,7 +5831,9 @@ var permitObjectType = z.enum([
5789
5831
  "group",
5790
5832
  "resource_instance",
5791
5833
  "relationship_tuple",
5792
- "role_assignment"
5834
+ "role_assignment",
5835
+ "attribute_binding",
5836
+ "policy_bundle"
5793
5837
  ]);
5794
5838
  var permitOutboxOperation = z.enum([
5795
5839
  "upsert",
@@ -5895,7 +5939,10 @@ var permitPrincipalAliases = defineTable({
5895
5939
  }),
5896
5940
  indices: [
5897
5941
  { kind: "index", name: "by_principalId", columns: ["principalId"] },
5942
+ { kind: "index", name: "by_provider_subject", columns: ["provider", "providerSubjectId"] },
5943
+ { kind: "index", name: "by_provider_project_subject", columns: ["provider", "providerProjectId", "providerSubjectId"] },
5898
5944
  { kind: "index", name: "by_tenant_provider_subject", columns: ["tenantId", "provider", "providerSubjectId"] },
5945
+ { kind: "index", name: "by_tenant_provider_project_subject", columns: ["tenantId", "provider", "providerProjectId", "providerSubjectId"] },
5899
5946
  {
5900
5947
  kind: "index",
5901
5948
  name: "by_tenant_provider_alias",
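Review bot: The new `by_provider_subject` and `by_provider_project_subject` indices on permitPrincipalAliases leave out `tenantId`, so a lookup through them can return alias rows from more than one tenant for the same provider subject. Nothing visible in this hunk makes that pair unique, so the reader presumably has to treat several matches as ambiguous and refuse to resolve instead of taking the first row. A comment beside the two indices would record the rule, for example `// Not tenant-scoped: callers must fail closed when more than one alias matches.`. The indices array continues past the end of the hunk.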
@@ -7104,6 +7151,7 @@ var KERNEL_TABLE_CONTRACTS = [
7104
7151
  decisionParticipants,
7105
7152
  decisionRiskLedger,
7106
7153
  decisionSnapshots,
7154
+ domainEvents,
7107
7155
  deliberationContributions,
7108
7156
  deliberationSessions,
7109
7157
  stakeholderGroups,
@@ -7387,7 +7435,9 @@ var TENANT_CLIENT_AUTH_MODES = [
7387
7435
  var TENANT_CLIENT_PRINCIPAL_TYPES = [
7388
7436
  "human",
7389
7437
  "service",
7390
- "agent"
7438
+ "agent",
7439
+ "group",
7440
+ "external_viewer"
7391
7441
  ];
7392
7442
  var TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS = [
7393
7443
  "tenantId",
@@ -7397,8 +7447,16 @@ var TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS = [
7397
7447
  "scopes"
7398
7448
  ];
7399
7449
  var TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS = [
7450
+ "clerkId",
7400
7451
  "principalType",
7401
7452
  "roles",
7453
+ "groupIds",
7454
+ "permittedToolNames",
7455
+ "permittedPackKeys",
7456
+ "principalStatus",
7457
+ "tenantStatus",
7458
+ "workspaceStatus",
7459
+ "permit",
7402
7460
  "sessionId",
7403
7461
  "delegationChain"
7404
7462
  ];
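Review bot: `permittedToolNames`, `permittedPackKeys`, `principalStatus`, `tenantStatus`, `workspaceStatus` and `permit` are added to TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS without any statement of what a consumer must do when one of these authorization-relevant fields is absent. If a missing `permittedToolNames` were read as "no restriction", a context built without Permit data would be broader than one built with it. A comment above the array should pin the rule, for example `// Authorization fields: absent means not granted, never unrestricted.`. Whether these fields are only ever populated server-side is not visible in this hunk and is worth stating in the same comment.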
@@ -7676,6 +7734,7 @@ var TENANT_CLIENT_REQUIRED_SDK_NAMESPACES = [
7676
7734
  "ontologyLinks",
7677
7735
  "graphStateClassifier",
7678
7736
  "tools",
7737
+ "controlPlane",
7679
7738
  "identity",
7680
7739
  "modelRuntime",
7681
7740
  "events",
@@ -7683,6 +7742,12 @@ var TENANT_CLIENT_REQUIRED_SDK_NAMESPACES = [
7683
7742
  "telemetry"
7684
7743
  ];
7685
7744
  var TENANT_CLIENT_CAPABILITIES = [
7745
+ {
7746
+ id: "identity.resolve_interactive_principal",
7747
+ description: "Resolve a Clerk-authenticated user into a Permit-backed Lucern principal context.",
7748
+ surfaces: ["@lucern/sdk", "@lucern/cli", "@lucern/mcp"],
7749
+ requiredContextFields: ["principalId", "tenantId", "scopes"]
7750
+ },
7686
7751
  {
7687
7752
  id: "identity.bootstrap_session",
7688
7753
  description: "Start a scoped Lucern session for a tenant principal.",
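Review bot: The new `identity.resolve_interactive_principal` capability declares `requiredContextFields: ["principalId", "tenantId", "scopes"]`, while its description says it resolves a Clerk-authenticated user into a principal context, which suggests the caller holds only a Clerk subject at that point. `clerkId` is introduced in this release as an optional context field and is not listed here, and the RESOLVE_INTERACTIVE_PRINCIPAL tool added further down describes `tenantId` as optional. A short comment on the entry should say which side supplies `principalId` before resolution and whether `tenantId` is really mandatory, for example `// principalId/scopes here are the gateway's own context; the user is identified by clerkId.` if that is the intent. The capabilities array continues outside the hunk.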
@@ -8433,6 +8498,27 @@ var PLATFORM_SECRET_DEFINITIONS = [
8433
8498
  ],
8434
8499
  description: "Canonical Lucern Clerk project identifier used when MC resolves Clerk identities."
8435
8500
  },
8501
+ {
8502
+ id: "platform.clerk.webhook-secret",
8503
+ canonicalName: "LUCERN_CLERK_WEBHOOK_SECRET",
8504
+ aliases: ["CLERK_WEBHOOK_SECRET", "CLERK_WEBHOOK_SIGNING_SECRET"],
8505
+ owner: "lucern_platform",
8506
+ scope: "environment",
8507
+ sourcePath: "/platform/auth",
8508
+ environmentPolicy: "environment_specific",
8509
+ required: true,
8510
+ secret: true,
8511
+ public: false,
8512
+ consumers: ["lucern-gateway"],
8513
+ destinations: [
8514
+ {
8515
+ kind: "vercel",
8516
+ target: "lucern-gateway",
8517
+ environmentPolicy: "environment_specific"
8518
+ }
8519
+ ],
8520
+ description: "Lucern-owned Clerk/Svix webhook signing secret used by the gateway to verify Clerk identity and organization events before projecting them into Permit."
8521
+ },
8436
8522
  {
8437
8523
  id: "platform.clerk.jwks",
8438
8524
  canonicalName: "CLERK_JWKS_URL",
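Review bot: The description of `platform.clerk.webhook-secret` omits the "Must fail closed if missing" requirement that the Permit API key and the new `platform.permit.webhook-secret` entries state, although this secret decides which Clerk events are projected into Permit. Appending `Must fail closed if missing.` to the description would make the two webhook secrets consistent. The entry also accepts three names (`LUCERN_CLERK_WEBHOOK_SECRET`, `CLERK_WEBHOOK_SECRET`, `CLERK_WEBHOOK_SIGNING_SECRET`) and does not say which one wins when more than one is set. After a rotation, a stale value left under an alias could presumably still be picked up, so the precedence should be documented here. The PLATFORM_SECRET_DEFINITIONS array starts and ends outside the hunk.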
@@ -8732,6 +8818,37 @@ var PLATFORM_SECRET_DEFINITIONS = [
8732
8818
  ],
8733
8819
  description: "Permit.io API key used for MC sync and policy checks. Must fail closed if missing."
8734
8820
  },
8821
+ {
8822
+ id: "platform.permit.webhook-secret",
8823
+ canonicalName: "LUCERN_PERMIT_WEBHOOK_SECRET",
8824
+ aliases: ["PERMIT_WEBHOOK_SECRET"],
8825
+ owner: "lucern_platform",
8826
+ scope: "environment",
8827
+ sourcePath: "/platform/permit",
8828
+ environmentPolicy: "environment_specific",
8829
+ required: true,
8830
+ secret: true,
8831
+ public: false,
8832
+ consumers: ["mc-convex", "lucern-gateway", "mc-operator-tooling"],
8833
+ destinations: [
8834
+ {
8835
+ kind: "convex",
8836
+ target: "master-control",
8837
+ environmentPolicy: "environment_specific"
8838
+ },
8839
+ {
8840
+ kind: "vercel",
8841
+ target: "lucern-gateway",
8842
+ environmentPolicy: "environment_specific"
8843
+ },
8844
+ {
8845
+ kind: "operator_local",
8846
+ target: "mc-credential-maintenance",
8847
+ environmentPolicy: "environment_specific"
8848
+ }
8849
+ ],
8850
+ description: "Permit.io webhook secret used by gateway and MC webhook handlers. Must fail closed if missing."
8851
+ },
8735
8852
  {
8736
8853
  id: "platform.permit.pdp-url",
8737
8854
  canonicalName: "LUCERN_PERMIT_PDP_URL",
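Review bot: `platform.permit.webhook-secret` is delivered to three destinations, including `operator_local` / `mc-credential-maintenance`, so the value that authenticates inbound Permit webhooks would also be present on operator machines. A webhook secret normally only needs to reach the handlers that verify requests, which the description names as the gateway and MC. If the operator tooling only rotates the value, a comment on that destination would make the wider exposure deliberate, for example `// operator_local: rotation only; not used to verify webhooks.`; otherwise the destination could be dropped. The same entry is repeated in the generated GENERATED_INFISICAL_RUNTIME_ENV hunks below, which would follow from a change here.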
@@ -11015,6 +11132,8 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
11015
11132
  "CLERK_PROJECT_ID",
11016
11133
  "CLERK_PUBLISHABLE_KEY",
11017
11134
  "CLERK_SECRET_KEY",
11135
+ "CLERK_WEBHOOK_SECRET",
11136
+ "CLERK_WEBHOOK_SIGNING_SECRET",
11018
11137
  "CONVEX_CLOUD_URL",
11019
11138
  "CONVEX_DEPLOY_KEY",
11020
11139
  "CONVEX_DEPLOYMENT",
@@ -11078,6 +11197,7 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
11078
11197
  "LUCERN_AUTH_BASE_URL",
11079
11198
  "LUCERN_BASE_URL",
11080
11199
  "LUCERN_CLERK_PROJECT_ID",
11200
+ "LUCERN_CLERK_WEBHOOK_SECRET",
11081
11201
  "LUCERN_CLI_SESSION_TTL_MS",
11082
11202
  "LUCERN_CONTRACTS_SKIP_DTS",
11083
11203
  "LUCERN_CONVEX_DEPLOY_KEY",
@@ -11127,6 +11247,7 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
11127
11247
  "LUCERN_PERMIT_API_KEY",
11128
11248
  "LUCERN_PERMIT_API_URL",
11129
11249
  "LUCERN_PERMIT_PDP_URL",
11250
+ "LUCERN_PERMIT_WEBHOOK_SECRET",
11130
11251
  "LUCERN_PROD_DEPLOY_KEY",
11131
11252
  "LUCERN_PROD_URL",
11132
11253
  "LUCERN_PROFILE",
@@ -11197,6 +11318,7 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
11197
11318
  "PERMIT_API_KEY",
11198
11319
  "PERMIT_API_URL",
11199
11320
  "PERMIT_PDP_URL",
11321
+ "PERMIT_WEBHOOK_SECRET",
11200
11322
  "PINECONE_API_KEY",
11201
11323
  "PINECONE_HOST",
11202
11324
  "PINECONE_INDEX",
@@ -11248,6 +11370,8 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
11248
11370
  "CLERK_PROJECT_ID",
11249
11371
  "CLERK_PUBLISHABLE_KEY",
11250
11372
  "CLERK_SECRET_KEY",
11373
+ "CLERK_WEBHOOK_SECRET",
11374
+ "CLERK_WEBHOOK_SIGNING_SECRET",
11251
11375
  "CONVEX_CLOUD_URL",
11252
11376
  "CONVEX_DEPLOY_KEY",
11253
11377
  "CONVEX_DEPLOYMENT",
@@ -11325,6 +11449,7 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
11325
11449
  "LUCERN_AUTH_BASE_URL",
11326
11450
  "LUCERN_BASE_URL",
11327
11451
  "LUCERN_CLERK_PROJECT_ID",
11452
+ "LUCERN_CLERK_WEBHOOK_SECRET",
11328
11453
  "LUCERN_CLI_SESSION_TTL_MS",
11329
11454
  "LUCERN_CONTRACTS_SKIP_DTS",
11330
11455
  "LUCERN_CONVEX_DEPLOY_KEY",
@@ -11376,6 +11501,7 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
11376
11501
  "LUCERN_PERMIT_API_KEY",
11377
11502
  "LUCERN_PERMIT_API_URL",
11378
11503
  "LUCERN_PERMIT_PDP_URL",
11504
+ "LUCERN_PERMIT_WEBHOOK_SECRET",
11379
11505
  "LUCERN_PROD_DEPLOY_KEY",
11380
11506
  "LUCERN_PROD_URL",
11381
11507
  "LUCERN_PROFILE",
@@ -11449,6 +11575,7 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
11449
11575
  "PERMIT_API_KEY",
11450
11576
  "PERMIT_API_URL",
11451
11577
  "PERMIT_PDP_URL",
11578
+ "PERMIT_WEBHOOK_SECRET",
11452
11579
  "PINECONE_API_KEY",
11453
11580
  "PINECONE_HOST",
11454
11581
  "PINECONE_INDEX",
@@ -13635,6 +13762,40 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
13635
13762
  ],
13636
13763
  "description": "stack/frontend: Lucern/MC gateway base URL used by tenant product apps. stack/stackos: Lucern/MC gateway base URL used by tenant product apps."
13637
13764
  },
13765
+ "LUCERN_CLERK_WEBHOOK_SECRET": {
13766
+ "secretId": "platform.clerk.webhook-secret",
13767
+ "canonicalName": "LUCERN_CLERK_WEBHOOK_SECRET",
13768
+ "envNames": [
13769
+ "CLERK_WEBHOOK_SECRET",
13770
+ "CLERK_WEBHOOK_SIGNING_SECRET",
13771
+ "LUCERN_CLERK_WEBHOOK_SECRET"
13772
+ ],
13773
+ "aliases": [
13774
+ "CLERK_WEBHOOK_SECRET",
13775
+ "CLERK_WEBHOOK_SIGNING_SECRET"
13776
+ ],
13777
+ "writeNames": [
13778
+ "LUCERN_CLERK_WEBHOOK_SECRET"
13779
+ ],
13780
+ "required": true,
13781
+ "secret": true,
13782
+ "public": false,
13783
+ "sourcePath": "/platform/auth",
13784
+ "environmentPolicy": "environment_specific",
13785
+ "consumers": [
13786
+ "lucern-gateway"
13787
+ ],
13788
+ "destinations": [
13789
+ {
13790
+ "kind": "vercel",
13791
+ "target": "lucern-gateway",
13792
+ "writeNames": [
13793
+ "LUCERN_CLERK_WEBHOOK_SECRET"
13794
+ ]
13795
+ }
13796
+ ],
13797
+ "description": "Lucern-owned Clerk/Svix webhook signing secret used by the gateway to verify Clerk identity and organization events before projecting them into Permit."
13798
+ },
13638
13799
  "LUCERN_CLI_SESSION_TTL_MS": {
13639
13800
  "canonicalName": "LUCERN_CLI_SESSION_TTL_MS",
13640
13801
  "envNames": [
@@ -14209,6 +14370,54 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
14209
14370
  ],
14210
14371
  "description": "Optional Permit PDP URL override."
14211
14372
  },
14373
+ "LUCERN_PERMIT_WEBHOOK_SECRET": {
14374
+ "secretId": "platform.permit.webhook-secret",
14375
+ "canonicalName": "LUCERN_PERMIT_WEBHOOK_SECRET",
14376
+ "envNames": [
14377
+ "LUCERN_PERMIT_WEBHOOK_SECRET",
14378
+ "PERMIT_WEBHOOK_SECRET"
14379
+ ],
14380
+ "aliases": [
14381
+ "PERMIT_WEBHOOK_SECRET"
14382
+ ],
14383
+ "writeNames": [
14384
+ "LUCERN_PERMIT_WEBHOOK_SECRET"
14385
+ ],
14386
+ "required": true,
14387
+ "secret": true,
14388
+ "public": false,
14389
+ "sourcePath": "/platform/permit",
14390
+ "environmentPolicy": "environment_specific",
14391
+ "consumers": [
14392
+ "mc-convex",
14393
+ "lucern-gateway",
14394
+ "mc-operator-tooling"
14395
+ ],
14396
+ "destinations": [
14397
+ {
14398
+ "kind": "convex",
14399
+ "target": "master-control",
14400
+ "writeNames": [
14401
+ "LUCERN_PERMIT_WEBHOOK_SECRET"
14402
+ ]
14403
+ },
14404
+ {
14405
+ "kind": "vercel",
14406
+ "target": "lucern-gateway",
14407
+ "writeNames": [
14408
+ "LUCERN_PERMIT_WEBHOOK_SECRET"
14409
+ ]
14410
+ },
14411
+ {
14412
+ "kind": "operator_local",
14413
+ "target": "mc-credential-maintenance",
14414
+ "writeNames": [
14415
+ "LUCERN_PERMIT_WEBHOOK_SECRET"
14416
+ ]
14417
+ }
14418
+ ],
14419
+ "description": "Permit.io webhook secret used by gateway and MC webhook handlers. Must fail closed if missing."
14420
+ },
14212
14421
  "LUCERN_PROXY_TOKEN_SECRET": {
14213
14422
  "secretId": "tenant.stack-frontend.lucern.proxy-token-secret",
14214
14423
  "canonicalName": "LUCERN_PROXY_TOKEN_SECRET",
@@ -16855,6 +17064,9 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
16855
17064
  "LUCERN_API_URL": "LUCERN_API_URL",
16856
17065
  "LUCERN_BASE_URL": "LUCERN_BASE_URL",
16857
17066
  "LUCERN_GATEWAY_BASE_URL": "LUCERN_BASE_URL",
17067
+ "CLERK_WEBHOOK_SECRET": "LUCERN_CLERK_WEBHOOK_SECRET",
17068
+ "CLERK_WEBHOOK_SIGNING_SECRET": "LUCERN_CLERK_WEBHOOK_SECRET",
17069
+ "LUCERN_CLERK_WEBHOOK_SECRET": "LUCERN_CLERK_WEBHOOK_SECRET",
16858
17070
  "LUCERN_CLI_SESSION_TTL_MS": "LUCERN_CLI_SESSION_TTL_MS",
16859
17071
  "CONVEX_DEPLOYMENT": "LUCERN_CONVEX_DEPLOYMENT_NAME",
16860
17072
  "CONVEX_DEV_DEPLOYMENT_NAME": "LUCERN_CONVEX_DEPLOYMENT_NAME",
@@ -16907,6 +17119,8 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
16907
17119
  "PERMIT_API_URL": "LUCERN_PERMIT_API_URL",
16908
17120
  "LUCERN_PERMIT_PDP_URL": "LUCERN_PERMIT_PDP_URL",
16909
17121
  "PERMIT_PDP_URL": "LUCERN_PERMIT_PDP_URL",
17122
+ "LUCERN_PERMIT_WEBHOOK_SECRET": "LUCERN_PERMIT_WEBHOOK_SECRET",
17123
+ "PERMIT_WEBHOOK_SECRET": "LUCERN_PERMIT_WEBHOOK_SECRET",
16910
17124
  "LUCERN_PROXY_TOKEN_SECRET": "LUCERN_PROXY_TOKEN_SECRET",
16911
17125
  "LUCERN_REQUIRE_DEPLOYMENT_HOST_REGISTRY": "LUCERN_REQUIRE_DEPLOYMENT_HOST_REGISTRY",
16912
17126
  "LUCERN_KERNEL_INSTALL_SPEC": "LUCERN_SDK_NPM_TOKEN",
@@ -17867,6 +18081,40 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
17867
18081
  ],
17868
18082
  "description": "Canonical Lucern API gateway URL. Canonical Lucern API gateway base URL. Older names remain aliases only."
17869
18083
  },
18084
+ {
18085
+ "secretId": "platform.clerk.webhook-secret",
18086
+ "canonicalName": "LUCERN_CLERK_WEBHOOK_SECRET",
18087
+ "envNames": [
18088
+ "CLERK_WEBHOOK_SECRET",
18089
+ "CLERK_WEBHOOK_SIGNING_SECRET",
18090
+ "LUCERN_CLERK_WEBHOOK_SECRET"
18091
+ ],
18092
+ "aliases": [
18093
+ "CLERK_WEBHOOK_SECRET",
18094
+ "CLERK_WEBHOOK_SIGNING_SECRET"
18095
+ ],
18096
+ "writeNames": [
18097
+ "LUCERN_CLERK_WEBHOOK_SECRET"
18098
+ ],
18099
+ "required": true,
18100
+ "secret": true,
18101
+ "public": false,
18102
+ "sourcePath": "/platform/auth",
18103
+ "environmentPolicy": "environment_specific",
18104
+ "consumers": [
18105
+ "lucern-gateway"
18106
+ ],
18107
+ "destinations": [
18108
+ {
18109
+ "kind": "vercel",
18110
+ "target": "lucern-gateway",
18111
+ "writeNames": [
18112
+ "LUCERN_CLERK_WEBHOOK_SECRET"
18113
+ ]
18114
+ }
18115
+ ],
18116
+ "description": "Lucern-owned Clerk/Svix webhook signing secret used by the gateway to verify Clerk identity and organization events before projecting them into Permit."
18117
+ },
17870
18118
  {
17871
18119
  "canonicalName": "LUCERN_CLI_SESSION_TTL_MS",
17872
18120
  "envNames": [
@@ -18190,6 +18438,54 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
18190
18438
  ],
18191
18439
  "description": "Optional Permit PDP URL override."
18192
18440
  },
18441
+ {
18442
+ "secretId": "platform.permit.webhook-secret",
18443
+ "canonicalName": "LUCERN_PERMIT_WEBHOOK_SECRET",
18444
+ "envNames": [
18445
+ "LUCERN_PERMIT_WEBHOOK_SECRET",
18446
+ "PERMIT_WEBHOOK_SECRET"
18447
+ ],
18448
+ "aliases": [
18449
+ "PERMIT_WEBHOOK_SECRET"
18450
+ ],
18451
+ "writeNames": [
18452
+ "LUCERN_PERMIT_WEBHOOK_SECRET"
18453
+ ],
18454
+ "required": true,
18455
+ "secret": true,
18456
+ "public": false,
18457
+ "sourcePath": "/platform/permit",
18458
+ "environmentPolicy": "environment_specific",
18459
+ "consumers": [
18460
+ "mc-convex",
18461
+ "lucern-gateway",
18462
+ "mc-operator-tooling"
18463
+ ],
18464
+ "destinations": [
18465
+ {
18466
+ "kind": "convex",
18467
+ "target": "master-control",
18468
+ "writeNames": [
18469
+ "LUCERN_PERMIT_WEBHOOK_SECRET"
18470
+ ]
18471
+ },
18472
+ {
18473
+ "kind": "vercel",
18474
+ "target": "lucern-gateway",
18475
+ "writeNames": [
18476
+ "LUCERN_PERMIT_WEBHOOK_SECRET"
18477
+ ]
18478
+ },
18479
+ {
18480
+ "kind": "operator_local",
18481
+ "target": "mc-credential-maintenance",
18482
+ "writeNames": [
18483
+ "LUCERN_PERMIT_WEBHOOK_SECRET"
18484
+ ]
18485
+ }
18486
+ ],
18487
+ "description": "Permit.io webhook secret used by gateway and MC webhook handlers. Must fail closed if missing."
18488
+ },
18193
18489
  {
18194
18490
  "secretId": "platform.runtime.require-deployment-host-registry",
18195
18491
  "canonicalName": "LUCERN_REQUIRE_DEPLOYMENT_HOST_REGISTRY",
@@ -21882,6 +22178,54 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
21882
22178
  ],
21883
22179
  "description": "Optional Permit PDP URL override."
21884
22180
  },
22181
+ {
22182
+ "secretId": "platform.permit.webhook-secret",
22183
+ "canonicalName": "LUCERN_PERMIT_WEBHOOK_SECRET",
22184
+ "envNames": [
22185
+ "LUCERN_PERMIT_WEBHOOK_SECRET",
22186
+ "PERMIT_WEBHOOK_SECRET"
22187
+ ],
22188
+ "aliases": [
22189
+ "PERMIT_WEBHOOK_SECRET"
22190
+ ],
22191
+ "writeNames": [
22192
+ "LUCERN_PERMIT_WEBHOOK_SECRET"
22193
+ ],
22194
+ "required": true,
22195
+ "secret": true,
22196
+ "public": false,
22197
+ "sourcePath": "/platform/permit",
22198
+ "environmentPolicy": "environment_specific",
22199
+ "consumers": [
22200
+ "mc-convex",
22201
+ "lucern-gateway",
22202
+ "mc-operator-tooling"
22203
+ ],
22204
+ "destinations": [
22205
+ {
22206
+ "kind": "convex",
22207
+ "target": "master-control",
22208
+ "writeNames": [
22209
+ "LUCERN_PERMIT_WEBHOOK_SECRET"
22210
+ ]
22211
+ },
22212
+ {
22213
+ "kind": "vercel",
22214
+ "target": "lucern-gateway",
22215
+ "writeNames": [
22216
+ "LUCERN_PERMIT_WEBHOOK_SECRET"
22217
+ ]
22218
+ },
22219
+ {
22220
+ "kind": "operator_local",
22221
+ "target": "mc-credential-maintenance",
22222
+ "writeNames": [
22223
+ "LUCERN_PERMIT_WEBHOOK_SECRET"
22224
+ ]
22225
+ }
22226
+ ],
22227
+ "description": "Permit.io webhook secret used by gateway and MC webhook handlers. Must fail closed if missing."
22228
+ },
21885
22229
  {
21886
22230
  "secretId": "platform.mc.session-token-secret",
21887
22231
  "canonicalName": "LUCERN_SESSION_TOKEN_SECRET",
@@ -29694,6 +30038,54 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
29694
30038
  }
29695
30039
  ],
29696
30040
  "operator_local:mc-credential-maintenance": [
30041
+ {
30042
+ "secretId": "platform.permit.webhook-secret",
30043
+ "canonicalName": "LUCERN_PERMIT_WEBHOOK_SECRET",
30044
+ "envNames": [
30045
+ "LUCERN_PERMIT_WEBHOOK_SECRET",
30046
+ "PERMIT_WEBHOOK_SECRET"
30047
+ ],
30048
+ "aliases": [
30049
+ "PERMIT_WEBHOOK_SECRET"
30050
+ ],
30051
+ "writeNames": [
30052
+ "LUCERN_PERMIT_WEBHOOK_SECRET"
30053
+ ],
30054
+ "required": true,
30055
+ "secret": true,
30056
+ "public": false,
30057
+ "sourcePath": "/platform/permit",
30058
+ "environmentPolicy": "environment_specific",
30059
+ "consumers": [
30060
+ "mc-convex",
30061
+ "lucern-gateway",
30062
+ "mc-operator-tooling"
30063
+ ],
30064
+ "destinations": [
30065
+ {
30066
+ "kind": "convex",
30067
+ "target": "master-control",
30068
+ "writeNames": [
30069
+ "LUCERN_PERMIT_WEBHOOK_SECRET"
30070
+ ]
30071
+ },
30072
+ {
30073
+ "kind": "vercel",
30074
+ "target": "lucern-gateway",
30075
+ "writeNames": [
30076
+ "LUCERN_PERMIT_WEBHOOK_SECRET"
30077
+ ]
30078
+ },
30079
+ {
30080
+ "kind": "operator_local",
30081
+ "target": "mc-credential-maintenance",
30082
+ "writeNames": [
30083
+ "LUCERN_PERMIT_WEBHOOK_SECRET"
30084
+ ]
30085
+ }
30086
+ ],
30087
+ "description": "Permit.io webhook secret used by gateway and MC webhook handlers. Must fail closed if missing."
30088
+ },
29697
30089
  {
29698
30090
  "secretId": "platform.mc.tenant-secret-encryption-key",
29699
30091
  "canonicalName": "LUCERN_TENANT_SECRET_ENCRYPTION_KEY",
@@ -33711,6 +34103,40 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
33711
34103
  ],
33712
34104
  "description": "Canonical Lucern API gateway base URL. Older names remain aliases only."
33713
34105
  },
34106
+ {
34107
+ "secretId": "platform.clerk.webhook-secret",
34108
+ "canonicalName": "LUCERN_CLERK_WEBHOOK_SECRET",
34109
+ "envNames": [
34110
+ "CLERK_WEBHOOK_SECRET",
34111
+ "CLERK_WEBHOOK_SIGNING_SECRET",
34112
+ "LUCERN_CLERK_WEBHOOK_SECRET"
34113
+ ],
34114
+ "aliases": [
34115
+ "CLERK_WEBHOOK_SECRET",
34116
+ "CLERK_WEBHOOK_SIGNING_SECRET"
34117
+ ],
34118
+ "writeNames": [
34119
+ "LUCERN_CLERK_WEBHOOK_SECRET"
34120
+ ],
34121
+ "required": true,
34122
+ "secret": true,
34123
+ "public": false,
34124
+ "sourcePath": "/platform/auth",
34125
+ "environmentPolicy": "environment_specific",
34126
+ "consumers": [
34127
+ "lucern-gateway"
34128
+ ],
34129
+ "destinations": [
34130
+ {
34131
+ "kind": "vercel",
34132
+ "target": "lucern-gateway",
34133
+ "writeNames": [
34134
+ "LUCERN_CLERK_WEBHOOK_SECRET"
34135
+ ]
34136
+ }
34137
+ ],
34138
+ "description": "Lucern-owned Clerk/Svix webhook signing secret used by the gateway to verify Clerk identity and organization events before projecting them into Permit."
34139
+ },
33714
34140
  {
33715
34141
  "secretId": "platform.gateway.device-verification-base-url",
33716
34142
  "canonicalName": "LUCERN_DEVICE_VERIFICATION_BASE_URL",
@@ -34016,6 +34442,54 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
34016
34442
  ],
34017
34443
  "description": "Optional Permit PDP URL override."
34018
34444
  },
34445
+ {
34446
+ "secretId": "platform.permit.webhook-secret",
34447
+ "canonicalName": "LUCERN_PERMIT_WEBHOOK_SECRET",
34448
+ "envNames": [
34449
+ "LUCERN_PERMIT_WEBHOOK_SECRET",
34450
+ "PERMIT_WEBHOOK_SECRET"
34451
+ ],
34452
+ "aliases": [
34453
+ "PERMIT_WEBHOOK_SECRET"
34454
+ ],
34455
+ "writeNames": [
34456
+ "LUCERN_PERMIT_WEBHOOK_SECRET"
34457
+ ],
34458
+ "required": true,
34459
+ "secret": true,
34460
+ "public": false,
34461
+ "sourcePath": "/platform/permit",
34462
+ "environmentPolicy": "environment_specific",
34463
+ "consumers": [
34464
+ "mc-convex",
34465
+ "lucern-gateway",
34466
+ "mc-operator-tooling"
34467
+ ],
34468
+ "destinations": [
34469
+ {
34470
+ "kind": "convex",
34471
+ "target": "master-control",
34472
+ "writeNames": [
34473
+ "LUCERN_PERMIT_WEBHOOK_SECRET"
34474
+ ]
34475
+ },
34476
+ {
34477
+ "kind": "vercel",
34478
+ "target": "lucern-gateway",
34479
+ "writeNames": [
34480
+ "LUCERN_PERMIT_WEBHOOK_SECRET"
34481
+ ]
34482
+ },
34483
+ {
34484
+ "kind": "operator_local",
34485
+ "target": "mc-credential-maintenance",
34486
+ "writeNames": [
34487
+ "LUCERN_PERMIT_WEBHOOK_SECRET"
34488
+ ]
34489
+ }
34490
+ ],
34491
+ "description": "Permit.io webhook secret used by gateway and MC webhook handlers. Must fail closed if missing."
34492
+ },
34019
34493
  {
34020
34494
  "secretId": "platform.runtime.require-deployment-host-registry",
34021
34495
  "canonicalName": "LUCERN_REQUIRE_DEPLOYMENT_HOST_REGISTRY",
@@ -38024,6 +38498,7 @@ __export(tool_contracts_exports, {
38024
38498
  REMOVE_EDGES_BETWEEN: () => REMOVE_EDGES_BETWEEN,
38025
38499
  REMOVE_LENS_FROM_TOPIC: () => REMOVE_LENS_FROM_TOPIC,
38026
38500
  RESOLVE_EFFECTIVE_ONTOLOGY: () => RESOLVE_EFFECTIVE_ONTOLOGY,
38501
+ RESOLVE_INTERACTIVE_PRINCIPAL: () => RESOLVE_INTERACTIVE_PRINCIPAL,
38027
38502
  RUN_GRAPH_INTELLIGENCE_QUERY: () => RUN_GRAPH_INTELLIGENCE_QUERY,
38028
38503
  SEARCH_BELIEFS: () => SEARCH_BELIEFS,
38029
38504
  SEARCH_EVIDENCE: () => SEARCH_EVIDENCE,
@@ -40357,7 +40832,7 @@ var IDENTITY_WHOAMI = {
40357
40832
  description: "Canonical identity summary for the current session",
40358
40833
  fields: {
40359
40834
  principalId: "string \u2014 canonical federated principal identifier",
40360
- principalType: "string \u2014 human, service, or agent",
40835
+ principalType: "string \u2014 human, service, agent, group, or external_viewer",
40361
40836
  tenantId: "string | undefined \u2014 resolved tenant scope",
40362
40837
  workspaceId: "string | undefined \u2014 resolved workspace scope",
40363
40838
  scopes: "string[] | undefined \u2014 granted scopes for this session",
@@ -40368,6 +40843,49 @@ var IDENTITY_WHOAMI = {
40368
40843
  ontologyPrimitive: "identity",
40369
40844
  tier: "workhorse"
40370
40845
  };
40846
+ var RESOLVE_INTERACTIVE_PRINCIPAL = {
40847
+ name: "resolve_interactive_principal",
40848
+ description: "Read the Permit-backed Lucern principal context for an authenticated Clerk user. Like `git config --get user.email` plus the repository ACL \u2014 resolves the identity alias into the canonical authorization subject.",
40849
+ parameters: {
40850
+ clerkId: {
40851
+ type: "string",
40852
+ description: "Authenticated Clerk subject (`sub`). Clerk proves identity only; it is not the authorization record."
40853
+ },
40854
+ tenantId: {
40855
+ type: "string",
40856
+ description: "Optional tenant scope. Omit only when the Clerk alias is globally unambiguous."
40857
+ },
40858
+ workspaceId: {
40859
+ type: "string",
40860
+ description: "Optional workspace scope. Required when the principal has access to multiple workspaces and no default can be inferred."
40861
+ },
40862
+ providerProjectId: {
40863
+ type: "string",
40864
+ description: "Optional Clerk project or provider instance id for tenants with multiple identity providers."
40865
+ }
40866
+ },
40867
+ required: ["clerkId"],
40868
+ response: {
40869
+ description: "Permit-backed Lucern principal context for tenant SDK bootstrap",
40870
+ fields: {
40871
+ principalId: "string \u2014 canonical Lucern principal identifier",
40872
+ principalType: "string \u2014 human, service, agent, group, or external_viewer",
40873
+ clerkId: "string \u2014 authenticated Clerk subject alias",
40874
+ tenantId: "string \u2014 resolved tenant scope",
40875
+ workspaceId: "string | null \u2014 resolved workspace scope",
40876
+ roles: "string[] \u2014 effective Permit roles",
40877
+ scopes: "string[] \u2014 effective scopes derived from Permit/control-plane projection",
40878
+ groupIds: "string[] \u2014 active Permit group memberships",
40879
+ principalStatus: "string \u2014 active, invited, suspended, disabled, revoked, or missing",
40880
+ tenantStatus: "string \u2014 projected tenant resource status",
40881
+ workspaceStatus: "string \u2014 projected workspace resource status",
40882
+ permit: "object \u2014 Permit subject, tenant, and optional workspace tuple"
40883
+ }
40884
+ },
40885
+ ownerModule: "control-plane",
40886
+ ontologyPrimitive: "identity",
40887
+ tier: "workhorse"
40888
+ };
40371
40889
  var COMPILE_CONTEXT = {
40372
40890
  name: "compile_context",
40373
40891
  description: "Compile a focused reasoning context. If topicId is omitted, Lucern resolves the best topic from the query. Like `git log --graph --decorate` for the reasoning substrate \u2014 returns the canonical Pillar 3 context pack through the public API shape.",
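Review bot: `clerkId` in `RESOLVE_INTERACTIVE_PRINCIPAL.parameters` is a required, caller-supplied string, and nothing in the contract binds it to the verified session, while the response returns roles, scopes, group memberships and principal status for whichever subject is named. The handler is outside this diff, so whether it compares the argument with the token's `sub` cannot be confirmed here; if it does not, any caller allowed to invoke the tool could read another user's authorization context. I would state the requirement in the parameter description, for example by appending `Must match the subject of the caller's verified Clerk session; requests for any other subject are rejected unless the caller is a trusted service principal.`, and document on the tool which principal types may call it.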
@@ -42270,6 +42788,7 @@ var MCP_TOOL_CONTRACTS = {
42270
42788
  update_worktree_targets: UPDATE_WORKTREE_TARGETS,
42271
42789
  update_worktree_metadata: UPDATE_WORKTREE_METADATA,
42272
42790
  identity_whoami: IDENTITY_WHOAMI,
42791
+ resolve_interactive_principal: RESOLVE_INTERACTIVE_PRINCIPAL,
42273
42792
  compile_context: COMPILE_CONTEXT,
42274
42793
  record_scope_learning: RECORD_SCOPE_LEARNING,
42275
42794
  pipeline_snapshot: PIPELINE_SNAPSHOT,
@@ -42713,6 +43232,163 @@ function rankEntityConnections(nodeText, candidates, options) {
42713
43232
  ).filter((m) => m.score >= minScore).sort((a, b) => b.score - a.score).slice(0, limit);
42714
43233
  }
42715
43234
 
43235
+ // src/permit-principal-projection.contract.ts
43236
+ var PLATFORM_ROLE_PRIORITY = {
43237
+ platform_admin: 70,
43238
+ tenant_admin: 60,
43239
+ workspace_admin: 50,
43240
+ editor: 40,
43241
+ auditor: 30,
43242
+ viewer: 20,
43243
+ service_agent: 10
43244
+ };
43245
+ function readPermitProjectionString(value) {
43246
+ return typeof value === "string" && value.trim() ? value.trim() : void 0;
43247
+ }
43248
+ function isActivePermitProjectionStatus(value) {
43249
+ const status = readPermitProjectionString(value)?.toLowerCase();
43250
+ return !status || status === "active" || status === "synced";
43251
+ }
43252
+ function mapPermitRoleToPlatformRole(role) {
43253
+ switch (readPermitProjectionString(role)?.toLowerCase()) {
43254
+ case "platform_admin":
43255
+ return "platform_admin";
43256
+ case "tenant_admin":
43257
+ return "tenant_admin";
43258
+ case "workspace_admin":
43259
+ case "deployment_admin":
43260
+ case "graph_admin":
43261
+ return "workspace_admin";
43262
+ case "editor":
43263
+ case "workspace_member":
43264
+ case "graph_editor":
43265
+ case "evidence_contributor":
43266
+ case "question_resolver":
43267
+ case "theme_promoter":
43268
+ case "topic_promoter":
43269
+ return "editor";
43270
+ case "auditor":
43271
+ return "auditor";
43272
+ case "viewer":
43273
+ case "graph_viewer":
43274
+ case "stakeholder_viewer":
43275
+ case "stakeholder_summarizer":
43276
+ case "source_drilldown_viewer":
43277
+ case "restricted_data_viewer":
43278
+ case "proprietary_data_viewer":
43279
+ return "viewer";
43280
+ case "service_agent":
43281
+ case "agent_runner":
43282
+ return "service_agent";
43283
+ default:
43284
+ return void 0;
43285
+ }
43286
+ }
43287
+ function highestPlatformRole(roles) {
43288
+ return roles.reduce(
43289
+ (best, role) => PLATFORM_ROLE_PRIORITY[role] > PLATFORM_ROLE_PRIORITY[best] ? role : best,
43290
+ "viewer"
43291
+ );
43292
+ }
43293
+ function isClerkAliasFor(alias, clerkId) {
43294
+ return isActivePermitProjectionStatus(alias.status) && readPermitProjectionString(alias.provider)?.toLowerCase() === "clerk" && (readPermitProjectionString(alias.providerSubjectId) === clerkId || readPermitProjectionString(alias.alias) === clerkId);
43295
+ }
43296
+ function emailFromAlias(aliases, principal) {
43297
+ return aliases.find(
43298
+ (alias) => readPermitProjectionString(alias.aliasKind)?.toLowerCase() === "email"
43299
+ )?.alias ?? readPermitProjectionString(principal.metadata?.email);
43300
+ }
43301
+ function groupIdsForPrincipal(memberships2, principal) {
43302
+ const principalId = readPermitProjectionString(principal.principalId);
43303
+ if (!principalId) return [];
43304
+ return [
43305
+ ...new Set(
43306
+ memberships2.filter(
43307
+ (membership) => isActivePermitProjectionStatus(membership.status) && readPermitProjectionString(membership.tenantId) === readPermitProjectionString(principal.tenantId) && readPermitProjectionString(membership.memberType) === "principal" && (readPermitProjectionString(membership.memberId) === principalId || readPermitProjectionString(membership.principalId) === principalId)
43308
+ ).map((membership) => readPermitProjectionString(membership.groupId)).filter((groupId) => Boolean(groupId))
43309
+ )
43310
+ ];
43311
+ }
43312
+ function rolesForPrincipal(assignments, principal, groupIds) {
43313
+ const principalId = readPermitProjectionString(principal.principalId);
43314
+ const tenantId = readPermitProjectionString(principal.tenantId);
43315
+ const roles = assignments.filter(
43316
+ (assignment) => isActivePermitProjectionStatus(assignment.status) && readPermitProjectionString(assignment.tenantId) === tenantId && (readPermitProjectionString(assignment.targetType) === "principal" && readPermitProjectionString(assignment.targetId) === principalId || readPermitProjectionString(assignment.targetType) === "group" && groupIds.includes(
43317
+ readPermitProjectionString(assignment.targetId) ?? ""
43318
+ ))
43319
+ ).map((assignment) => mapPermitRoleToPlatformRole(assignment.role)).filter((role) => Boolean(role));
43320
+ if (readPermitProjectionString(principal.principalType) === "agent" || readPermitProjectionString(principal.principalType) === "service_principal") {
43321
+ roles.push("service_agent");
43322
+ }
43323
+ return [...new Set(roles)];
43324
+ }
43325
+ function workspaceFromPermitProjection(principal, alias, assignments) {
43326
+ return readPermitProjectionString(principal.workspaceId) ?? readPermitProjectionString(alias?.workspaceId) ?? readPermitProjectionString(
43327
+ assignments.find(
43328
+ (assignment) => readPermitProjectionString(assignment.targetId) === readPermitProjectionString(principal.principalId) && readPermitProjectionString(assignment.resourceType) === "workspace"
43329
+ )?.resourceKey
43330
+ ) ?? readPermitProjectionString(
43331
+ assignments.find((assignment) => assignment.workspaceId)?.workspaceId
43332
+ );
43333
+ }
43334
+ function buildProjectedUserFromPermitPrincipal(rows, principal, matchingAlias, now = Date.now()) {
43335
+ const principalId = readPermitProjectionString(principal.principalId);
43336
+ const tenantId = readPermitProjectionString(principal.tenantId);
43337
+ if (!principalId || !tenantId || !isActivePermitProjectionStatus(principal.status)) {
43338
+ return null;
43339
+ }
43340
+ const aliases = rows.aliases.filter(
43341
+ (alias2) => readPermitProjectionString(alias2.tenantId) === tenantId && readPermitProjectionString(alias2.principalId) === principalId && isActivePermitProjectionStatus(alias2.status)
43342
+ );
43343
+ const groupIds = groupIdsForPrincipal(rows.groupMemberships, principal);
43344
+ const roles = rolesForPrincipal(rows.roleAssignments, principal, groupIds);
43345
+ if (roles.length === 0) {
43346
+ return null;
43347
+ }
43348
+ const alias = matchingAlias ?? aliases[0];
43349
+ const clerkId = readPermitProjectionString(
43350
+ aliases.find(
43351
+ (entry) => readPermitProjectionString(entry.provider)?.toLowerCase() === "clerk"
43352
+ )?.providerSubjectId
43353
+ ) ?? principalId;
43354
+ return {
43355
+ clerkId,
43356
+ email: emailFromAlias(aliases, principal) ?? `${principalId}@permit.local`,
43357
+ name: readPermitProjectionString(principal.displayName),
43358
+ lastSeenAt: principal.lastSeenAt ?? principal.updatedAt ?? now,
43359
+ chatCount: 0,
43360
+ messageCount: 0,
43361
+ mcRole: highestPlatformRole(roles),
43362
+ mcRoleSyncedAt: principal.updatedAt ?? now,
43363
+ defaultTenantId: tenantId,
43364
+ defaultWorkspaceId: workspaceFromPermitProjection(principal, alias, rows.roleAssignments) ?? tenantId,
43365
+ defaultPrincipalId: principalId,
43366
+ principalGroupIds: groupIds,
43367
+ governanceGrantsSyncedAt: principal.updatedAt ?? now,
43368
+ createdAt: principal.createdAt ?? now,
43369
+ updatedAt: principal.updatedAt ?? now
43370
+ };
43371
+ }
43372
+ function findProjectedUserByPermitPrincipalId(rows, principalId, now = Date.now()) {
43373
+ const normalizedPrincipalId = principalId.trim();
43374
+ const principal = rows.principals.find(
43375
+ (row) => isActivePermitProjectionStatus(row.status) && readPermitProjectionString(row.principalId) === normalizedPrincipalId
43376
+ );
43377
+ return principal ? buildProjectedUserFromPermitPrincipal(rows, principal, void 0, now) : null;
43378
+ }
43379
+ function findProjectedUserByPermitClerkId(rows, clerkId, now = Date.now()) {
43380
+ const normalizedClerkId = clerkId.trim();
43381
+ const matchingAlias = rows.aliases.find(
43382
+ (alias) => isClerkAliasFor(alias, normalizedClerkId)
43383
+ );
43384
+ const principal = matchingAlias ? rows.principals.find(
43385
+ (row) => readPermitProjectionString(row.tenantId) === readPermitProjectionString(matchingAlias.tenantId) && readPermitProjectionString(row.principalId) === readPermitProjectionString(matchingAlias.principalId)
43386
+ ) : rows.principals.find(
43387
+ (row) => readPermitProjectionString(row.principalId) === normalizedClerkId || readPermitProjectionString(row.principalId) === `user:${normalizedClerkId}`
43388
+ );
43389
+ return principal ? buildProjectedUserFromPermitPrincipal(rows, principal, matchingAlias, now) : null;
43390
+ }
43391
+
42716
43392
  // src/prompt.contract.ts
42717
43393
  function isLucernPrompt(value) {
42718
43394
  if (!value || typeof value !== "object") {
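Review bot: The last fallback in `workspaceFromPermitProjection` takes `workspaceId` from the first role assignment that has one, with no filter on principal, tenant or status, so `defaultWorkspaceId` can come from an unrelated principal's or another tenant's row. The fallback before it also matches `targetId` without checking `tenantId`, `targetType` or status. Both lookups should be limited to active assignments that target this principal in its own tenant, as in the fence below. Separately, `isActivePermitProjectionStatus` treats a missing or non-string status as active (`!status`), and every row filter in this hunk relies on it; if projection rows are expected to carry a status, `return status === "active" || status === "synced";` fails closed instead.

```javascript
function workspaceFromPermitProjection(principal, alias, assignments) {
  const principalId = readPermitProjectionString(principal.principalId);
  const tenantId = readPermitProjectionString(principal.tenantId);
  // Only active assignments that target this principal inside its own tenant may supply a workspace.
  const ownAssignments = assignments.filter(
    (assignment) => isActivePermitProjectionStatus(assignment.status) && readPermitProjectionString(assignment.tenantId) === tenantId && readPermitProjectionString(assignment.targetType) === "principal" && readPermitProjectionString(assignment.targetId) === principalId
  );
  // principal.workspaceId and alias?.workspaceId are still tried first, as before.
  return readPermitProjectionString(principal.workspaceId) ?? readPermitProjectionString(alias?.workspaceId) ?? readPermitProjectionString(
    ownAssignments.find(
      (assignment) => readPermitProjectionString(assignment.resourceType) === "workspace"
    )?.resourceKey
  ) ?? readPermitProjectionString(
    ownAssignments.find((assignment) => assignment.workspaceId)?.workspaceId
  );
}
```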
@@ -43974,6 +44650,8 @@ var TENANT_BOOTSTRAP_SEED_COMPONENTS = {
43974
44650
  kernel: {
43975
44651
  componentName: "lucern",
43976
44652
  migrationModule: "adapters/migration",
44653
+ templateMigrationModule: "dist/adapters/migration",
44654
+ tenantMigrationModule: "adapters/migration",
43977
44655
  templateService: "services/kernel-template",
43978
44656
  templateDeployments: {
43979
44657
  staging: "kindly-goldfish-162",
@@ -43982,7 +44660,9 @@ var TENANT_BOOTSTRAP_SEED_COMPONENTS = {
43982
44660
  },
43983
44661
  "control-plane": {
43984
44662
  componentName: "controlPlane",
43985
- migrationModule: "dist/migration",
44663
+ migrationModule: "migration",
44664
+ templateMigrationModule: "dist/migration",
44665
+ tenantMigrationModule: "migration",
43986
44666
  templateService: "services/control-plane-template",
43987
44667
  templateDeployments: {
43988
44668
  staging: "industrious-cheetah-864",
@@ -44143,6 +44823,13 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
44143
44823
  copyMode: "none",
44144
44824
  description: "Deliberation sessions are created by tenant workflows."
44145
44825
  },
44826
+ {
44827
+ component: "kernel",
44828
+ table: "domainEvents",
44829
+ prepopulation: "runtime_log",
44830
+ copyMode: "none",
44831
+ description: "Domain event rows are append-only runtime audit/exhaust data."
44832
+ },
44146
44833
  {
44147
44834
  component: "kernel",
44148
44835
  table: "epistemicAudit",
@@ -44704,12 +45391,15 @@ function isTenantBootstrapSeedTable(table) {
44704
45391
  return Boolean(findTenantBootstrapSeedTable(table));
44705
45392
  }
44706
45393
  function isTenantBootstrapForbiddenSeedTable(table) {
44707
- return TENANT_BOOTSTRAP_FORBIDDEN_SEED_TABLES.some((entry) => entry === table);
45394
+ return TENANT_BOOTSTRAP_FORBIDDEN_SEED_TABLES.some(
45395
+ (entry) => entry === table
45396
+ );
44708
45397
  }
44709
- var TENANT_BOOTSTRAP_TEMPLATE_SEED_VERSION = "2026-04-30.1";
45398
+ var TENANT_BOOTSTRAP_TEMPLATE_SEED_VERSION = "2026-05-11";
44710
45399
  var TENANT_BOOTSTRAP_TEMPLATE_TENANT_ID = "tenant_template";
44711
45400
  var TENANT_BOOTSTRAP_TEMPLATE_ACTOR = "system:lucern-template-seed";
44712
45401
  var DEFAULT_SEED_TIME = Date.UTC(2026, 3, 30);
45402
+ var TEMPLATE_SEED_METADATA_SOURCE = "lucern-template";
44713
45403
  var ROLE_GRANTS = {
44714
45404
  viewer: ["viewer", "auditor", "editor", "workspace_admin", "tenant_admin", "platform_admin", "service_agent"],
44715
45405
  auditor: ["auditor", "tenant_admin", "platform_admin", "service_agent"],
@@ -44720,7 +45410,7 @@ var ROLE_GRANTS = {
44720
45410
  service_agent: ["service_agent"]
44721
45411
  };
44722
45412
  var ENUM_VALUES = {
44723
- topic_type: ["domain", "theme", "deal", "strategy", "constitution", "project", "portfolio", "architecture", "capability", "runtime", "interface", "governance", "operations", "security", "data"],
45413
+ topic_type: ["generic"],
44724
45414
  branch_schema: ["pillar", "track", "dimension", "axis", "phase"],
44725
45415
  belief_type: ["belief", "hypothesis", "principle", "invariant", "assumption", "tenet", "prior", "preference", "goal", "forecast", "decision", "constraint", "tradeoff", "policy", "implementation_choice", "implementation_decision", "interface_contract", "migration_state", "code_pattern", "deprecation_notice"],
44726
45416
  edge_type: ["supports", "informs", "depends_on", "derived_from", "contains", "tests", "supersedes", "responds_to", "belongs_to", "relates_to_thesis", "works_at", "invested_in", "competes_with", "participates_in", "founded_by", "evaluates", "performs", "function_in", "impacts", "raised_from", "mentioned_in", "perspective_on", "plays_theme"],
@@ -44764,6 +45454,13 @@ var MODEL_SLOTS = [
44764
45454
  function labelFor(value) {
44765
45455
  return value.split(/[_-]/).map((part) => part.charAt(0).toUpperCase() + part.slice(1)).join(" ");
44766
45456
  }
45457
+ function templateSeedMetadata(version) {
45458
+ return {
45459
+ seedSource: TEMPLATE_SEED_METADATA_SOURCE,
45460
+ seedVersion: version,
45461
+ seedType: "template-default"
45462
+ };
45463
+ }
44767
45464
  function seedContext(options) {
44768
45465
  return {
44769
45466
  now: options.now ?? DEFAULT_SEED_TIME,
@@ -44903,7 +45600,7 @@ function modelRegistryRows(now) {
44903
45600
  updatedAt: now
44904
45601
  }));
44905
45602
  }
44906
- function modelFunctionSlotRows(now) {
45603
+ function modelFunctionSlotRows(now, version) {
44907
45604
  return MODEL_SLOTS.map(([slot, category, description, modelKey, promptName, temperature, maxTokens, requiredCapabilities]) => ({
44908
45605
  slot,
44909
45606
  category,
@@ -44915,24 +45612,24 @@ function modelFunctionSlotRows(now) {
44915
45612
  requiredCapabilities,
44916
45613
  enabled: true,
44917
45614
  isDefault: true,
44918
- notes: `Seeded by ${TENANT_BOOTSTRAP_TEMPLATE_SEED_VERSION}.`,
45615
+ notes: `Seeded by ${version}.`,
44919
45616
  createdAt: now,
44920
45617
  updatedAt: now
44921
45618
  }));
44922
45619
  }
44923
- function modelSlotConfigRows(now) {
45620
+ function modelSlotConfigRows(now, version) {
44924
45621
  return MODEL_SLOTS.map(([slot, , , modelKey, , temperature, maxTokens]) => ({
44925
45622
  slot,
44926
45623
  modelKey,
44927
45624
  temperature,
44928
45625
  maxTokens,
44929
45626
  enabled: true,
44930
- notes: `Default routing for ${slot}.`,
45627
+ notes: `Default routing for ${slot}. Seeded by ${version}.`,
44931
45628
  createdAt: now,
44932
45629
  updatedAt: now
44933
45630
  }));
44934
45631
  }
44935
- function schemaEnumRows(now) {
45632
+ function schemaEnumRows(now, version) {
44936
45633
  return Object.entries(ENUM_VALUES).flatMap(
44937
45634
  ([category, values]) => values.map((value, index) => ({
44938
45635
  category,
@@ -44940,7 +45637,7 @@ function schemaEnumRows(now) {
44940
45637
  label: labelFor(value),
44941
45638
  description: `${labelFor(value)} ${category} value.`,
44942
45639
  tier: "platform",
44943
- metadata: { seedVersion: TENANT_BOOTSTRAP_TEMPLATE_SEED_VERSION },
45640
+ metadata: templateSeedMetadata(version),
44944
45641
  isDefault: index === 0,
44945
45642
  sortOrder: index + 1,
44946
45643
  status: "active",
@@ -44978,18 +45675,28 @@ function buildTenantBootstrapTemplateSeedRows(options = {}) {
44978
45675
  publicationRules: [
44979
45676
  { tenantId: ctx.templateTenantId, name: "publish-high-confidence-beliefs", description: "Publish high-confidence beliefs to tenant-level consumers.", conditionType: "confidence_threshold", conditions: { minConfidence: 0.85 }, enabled: true, priority: 100, createdBy: ctx.actor, createdAt: ctx.now, updatedAt: ctx.now }
44980
45677
  ],
44981
- schemaEnumConfig: schemaEnumRows(ctx.now)
45678
+ schemaEnumConfig: schemaEnumRows(ctx.now, ctx.version)
44982
45679
  },
44983
45680
  "control-plane": {
44984
45681
  mcpWritePolicy: buildMcpWritePolicy(ctx.now, ctx.actor),
44985
- modelFunctionSlots: modelFunctionSlotRows(ctx.now),
45682
+ modelFunctionSlots: modelFunctionSlotRows(ctx.now, ctx.version),
44986
45683
  modelRegistry: modelRegistryRows(ctx.now),
44987
- modelSlotConfigs: modelSlotConfigRows(ctx.now),
45684
+ modelSlotConfigs: modelSlotConfigRows(ctx.now, ctx.version),
44988
45685
  platformAudiences: [
44989
45686
  ["internal", "Internal", "internal"],
44990
45687
  ["lp", "Limited Partners", "restricted_external"],
44991
45688
  ["public", "Public", "public"]
44992
- ].map(([audienceKey, audienceLabel, audienceClass]) => ({ tenantId: ctx.templateTenantId, audienceKey, audienceLabel, audienceClass, status: "active", metadata: { seedVersion: ctx.version }, createdBy: ctx.actor, createdAt: ctx.now, updatedAt: ctx.now })),
45689
+ ].map(([audienceKey, audienceLabel, audienceClass]) => ({
45690
+ tenantId: ctx.templateTenantId,
45691
+ audienceKey,
45692
+ audienceLabel,
45693
+ audienceClass,
45694
+ status: "active",
45695
+ metadata: templateSeedMetadata(ctx.version),
45696
+ createdBy: ctx.actor,
45697
+ createdAt: ctx.now,
45698
+ updatedAt: ctx.now
45699
+ })),
44993
45700
  tenantConfig: [
44994
45701
  { tenantId: ctx.templateTenantId, authPolicyMode: "open", defaultSessionTTL: 28800, defaultTopicVisibility: "tenant", featureFlags: { sdkBootstrapSeeds: true, interactiveRoleAuth: true }, maxWorkspaceCount: 25, defaultModelSlotOverrides: {}, updatedAt: ctx.now, updatedBy: ctx.actor }
44995
45702
  ],
@@ -45296,6 +46003,6 @@ var CANONICAL_WORKFLOW_DEFINITIONS = [
45296
46003
  }
45297
46004
  ];
45298
46005
 
45299
- export { BELIEF_STATUSES, BELIEF_TYPE_BONUS, BRANCH_STATUSES, CANONICAL_WORKFLOW_DEFINITIONS, COMPONENT_BOUNDARY_COMPONENT_LAYERS, COMPONENT_BOUNDARY_CONTRACT_VERSION, COMPONENT_BOUNDARY_DIRECT_DB_METHODS, COMPONENT_BOUNDARY_HIGH_RISK_TABLES, COMPONENT_BOUNDARY_HOST_SOURCE_ROOTS, COMPONENT_HOST_BOUNDARY_CONTRACT_VERSION, COMPONENT_HOST_DB_READ_OPERATIONS, COMPONENT_HOST_DB_WRITE_OPERATIONS, COMPONENT_HOST_PROTECTED_TABLES, COMPONENT_HOST_PROTECTED_TABLE_OWNERS, COMPONENT_HOST_WRITE_ALLOWED_EXCEPTIONS, COMPONENT_HOST_WRITE_AUDIT_ROOTS, CONFIDENCE_TRIGGERS, CONTEXT_PACK_SCHEMA_VERSION, CONTEXT_PACK_SECTION_KEYS, CONTEXT_RANKING_PROFILES, CONTRADICTION_SEVERITIES, CONTRADICTION_STATUSES, ComponentTableManifestSchema, DEFAULT_BELIEF_TYPE_BONUS, DEFAULT_COMPILATION_MODE, DEFAULT_ENTITY_LIMIT, DEFAULT_PRIORITY_SCORE, DEFAULT_RANKING_PROFILE, DEFAULT_SECTION_LIMIT, DEFAULT_SEVERITY_SCORE, DEFAULT_TIER_APPROVAL_MODE, DEFAULT_TOKEN_BUDGET, DEFAULT_WORKFLOW_AUTO_FIX_POLICY, DEFEAT_TYPES, DOMAIN_EVENT_TYPES, DOMAIN_EVENT_VERSION, ENTITY_RANKING_WEIGHTS, EPISTEMIC_LAYERS, EVENT_RETENTION_DEFAULT_DAYS, EdgePolicyEntrySchema, EdgePolicyManifestSchema, EpistemicNodeTypeSchema, FORK_REASONS, GENERATED_INFISICAL_BOOTSTRAP_ENV_NAMES, GENERATED_INFISICAL_CONTROL_ENV_NAMES, GENERATED_INFISICAL_KNOWN_ENV_NAMES, GENERATED_INFISICAL_MANAGED_ENV_NAMES, GENERATED_INFISICAL_RUNTIME_ENV, GENERATED_LUCERN_GATEWAY_ENV_NAMES, GENERATED_LUCERN_WEB_PUBLIC_ENV_NAMES, GENERATED_LUCERN_WEB_SERVER_ENV_NAMES, GRAPH_INTELLIGENCE_MODE_TOOL_NAMES, GRAPH_INTELLIGENCE_PUBLIC_TOOL_NAMES, GRAPH_INTELLIGENCE_QUERIES, GRAPH_INTELLIGENCE_QUERIES_WITH_TOOLS, GRAPH_INTELLIGENCE_QUERY_CATALOG_VERSION, GRAPH_INTELLIGENCE_QUERY_CATEGORIES, GRAPH_INTELLIGENCE_QUERY_MODES, GRAPH_INTELLIGENCE_QUICK_QUERIES, GRAPH_REF_NODE_TYPES, GraphRefSchema, INFISICAL_CONVEX_TIERS, INFISICAL_CONVEX_TIER_BY_VERCEL_ENVIRONMENT, INFISICAL_RUNTIME_BOOTSTRAP_ENV, INFISICAL_RUNTIME_CONTRACT_VERSION, INFISICAL_RUNTIME_CONTROL_ENV, 
INFISICAL_RUNTIME_DEFAULT_API_URL, INFISICAL_RUNTIME_DEFAULT_PROJECT_ID, INFISICAL_RUNTIME_DELIVERY_MODES, INFISICAL_RUNTIME_ENVIRONMENTS, INFISICAL_RUNTIME_MANIFEST, INFISICAL_RUNTIME_PATHS, INFISICAL_RUNTIME_SURFACES, INFISICAL_RUNTIME_SURFACE_IDS, INFISICAL_SECRET_CONSUMERS, INFISICAL_SECRET_DEFINITIONS, INFISICAL_SECRET_DESTINATION_KINDS, INFISICAL_SECRET_ENVIRONMENT_POLICIES, INFISICAL_SECRET_OWNERS, INFISICAL_SECRET_SCOPES, INFISICAL_TENANT_SOFTWARE_SYSTEMS, INFISICAL_VERCEL_DESTINATION_ENVIRONMENTS, INFISICAL_VERCEL_SYNC_DESTINATIONS, INFISICAL_VERCEL_SYNC_RECONCILIATION, INFISICAL_VERCEL_TARGETS, INTEGRATION_EDGE_TYPES, InvariantManifestSchema, JUDGMENT_TYPES, MAX_ENTITY_LIMIT, MAX_SECTION_LIMIT, MAX_TOKEN_BUDGET, MERGE_OUTCOMES, MIN_CONTRADICTION_BUDGET, MIN_TOKEN_BUDGET, MIN_TOKEN_ESTIMATE, MORNING_BRIEF_WORKFLOW_ID, NIGHTLY_RECONCILIATION_WORKFLOW_ID, PRIORITY_SCORES, PULL_REQUEST_STATUSES, RANKING_WEIGHTS, REASONING_METHODS, RECENCY_HALF_LIFE_DAYS, RESOLVED_QUESTION_STATUSES, ROOT_TOPIC_ID, SECTION_BUDGET_RATIOS, SESSION_AUTH_MODES, SESSION_LIFECYCLE_STATUSES, SESSION_PRINCIPAL_TYPES, SEVERITY_SCORES, SLOpinionInputSchema, TENANT_BOOTSTRAP_FORBIDDEN_SEED_TABLES, TENANT_BOOTSTRAP_SEED_AUTH_METADATA_FIELDS, TENANT_BOOTSTRAP_SEED_COMPONENTS, TENANT_BOOTSTRAP_SEED_CONTRACT_VERSION, TENANT_BOOTSTRAP_SEED_MANIFEST, TENANT_BOOTSTRAP_SEED_TABLES, TENANT_BOOTSTRAP_TABLE_REQUIREMENTS, TENANT_BOOTSTRAP_TEMPLATE_ACTOR, TENANT_BOOTSTRAP_TEMPLATE_SEED_VERSION, TENANT_BOOTSTRAP_TEMPLATE_TENANT_ID, TENANT_CLIENT_AUTH_MODES, TENANT_CLIENT_CAPABILITIES, TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS, TENANT_CLIENT_CONTRACT_VERSION, TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS, TENANT_CLIENT_FORBIDDEN_INSTALL_TOKEN_INFISICAL_PATHS, TENANT_CLIENT_FORBIDDEN_SECRET_ENV, TENANT_CLIENT_FULL_SUITE_PACKAGE_NAMES, TENANT_CLIENT_INSTALLABLE_PACKAGES, TENANT_CLIENT_INSTALL_PROFILES, TENANT_CLIENT_INSTALL_TOKEN_ENV, TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH, TENANT_CLIENT_ISOLATION_RULES, 
TENANT_CLIENT_MANIFEST, TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS, TENANT_CLIENT_PRINCIPAL_TYPES, TENANT_CLIENT_PUBLIC_IMPORTS, TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS, TENANT_CLIENT_REQUIRED_SDK_NAMESPACES, TOKENS_PER_WORD, WEBHOOK_MAX_ATTEMPTS, WEBHOOK_RETRY_DELAYS_MS, WORKFLOW_ACTION_KINDS, WORKFLOW_APPROVAL_MODES, WORKFLOW_AUTO_FIX_MODES, WORKFLOW_HOOK_EVENTS, WORKFLOW_INTEGRITY_CHECKS, WORKFLOW_MUTATION_TIERS, WORKFLOW_OUTPUT_KINDS, WORKFLOW_PROOF_ARTIFACT_KINDS, WORKFLOW_RUNTIME_SCHEMA_VERSION, WORKFLOW_RUN_STATUSES, WORKFLOW_STAFFING_HINTS, WORKFLOW_TRIGGER_KINDS, WORKTREE_PHASES, assertEdgePolicyAllowed, assertTenantClientImportAllowed, bigramTokenize, buildDomainEvent, buildTenantBootstrapTemplateSeedRows, canonicalGeneratedInfisicalEnvName, classifyTenantClientImport, collectTopicNeighborhood, compareEventCursor, dsl_exports as contractDsl, convexTierForVercelDestinationEnvironment, createEventId, createEvidenceProjection, decodeEventCursor, decodePrefixedId, defineProjection, edgePolicyManifest, emitDomainEvent, encodeEventCursor, encodePrefixedId, expectedTenantConvexDeploymentForVercelEnvironment, fillGraphIntelligencePromptTemplate, findEdgePolicy, findInfisicalRuntimePath, findInfisicalRuntimeSurface, findInfisicalSecretDefinition, findInfisicalTenantSoftwareSystem, findInfisicalVercelSyncDestination, findTenantBootstrapSeedTable, findTenantBootstrapTableRequirement, findTenantClientInstallablePackage, formatTenantClientImportViolation, generatedInfisicalVariableForName, getComponentBoundaryTableLayer, getGraphIntelligenceQuery, hasPrefixedIdPrefix, inferActorType, inferSessionPrincipalType, infisicalSecretDefinitionsForConsumer, infisicalSecretDefinitionsForDestination, isAfterCursor, isComponentBoundaryComponentOwnedTable, isGeneratedInfisicalKnownEnvName, isGeneratedInfisicalManagedEnvName, isGraphIntelligenceQueryMode, isLucernPrompt, isTenantBootstrapForbiddenSeedTable, isTenantBootstrapSeedTable, isTenantClientAllowedImport, 
isTenantClientComponentConfigImport, isTenantClientInstallablePackage, isTenantClientPublicImport, jaccardSimilarity, lastDelegator, listBeliefsProjection, listGraphIntelligenceQueries, listTasksProjection, tool_contracts_exports as mcpToolsContract, modulateConfidenceProjection, normalizeDelegationChain, normalizeRetentionDays, prepareLexicalQuery, projections, rankEntityConnections, rankEntityTypeMatches, rankWindowScore, readGeneratedInfisicalDestinationEnv, readGeneratedInfisicalEnvValue, readGeneratedInfisicalRuntimeEnvSurface, readGeneratedLucernGatewayEnv, readGeneratedLucernWebPublicEnv, readGeneratedLucernWebServerEnv, requireActorPrincipalId, rerankLexicalWindow, schemas_exports as schemaContracts, scoreEntityConnection, scoreEntityTypeMatch, scoreLexicalSignal, scoreLexicalSignals, sdk_tools_contract_exports as sdkToolsContract, sortEventsByCursor, stemToken, tenantSoftwareSystemConvexEnvNames, tenantSoftwareSystemOwnsConvexEnvName, tokenOverlapScore, tokenizeSearchText, validateInfisicalSecretDefinitions, vercelCustomEnvironmentIdForTenantSoftwareSystem, wordOverlapScore, wordTokenize };
46006
+ export { BELIEF_STATUSES, BELIEF_TYPE_BONUS, BRANCH_STATUSES, CANONICAL_WORKFLOW_DEFINITIONS, COMPONENT_BOUNDARY_COMPONENT_LAYERS, COMPONENT_BOUNDARY_CONTRACT_VERSION, COMPONENT_BOUNDARY_DIRECT_DB_METHODS, COMPONENT_BOUNDARY_HIGH_RISK_TABLES, COMPONENT_BOUNDARY_HOST_SOURCE_ROOTS, COMPONENT_HOST_BOUNDARY_CONTRACT_VERSION, COMPONENT_HOST_DB_READ_OPERATIONS, COMPONENT_HOST_DB_WRITE_OPERATIONS, COMPONENT_HOST_PROTECTED_TABLES, COMPONENT_HOST_PROTECTED_TABLE_OWNERS, COMPONENT_HOST_WRITE_ALLOWED_EXCEPTIONS, COMPONENT_HOST_WRITE_AUDIT_ROOTS, CONFIDENCE_TRIGGERS, CONTEXT_PACK_SCHEMA_VERSION, CONTEXT_PACK_SECTION_KEYS, CONTEXT_RANKING_PROFILES, CONTRADICTION_SEVERITIES, CONTRADICTION_STATUSES, ComponentTableManifestSchema, DEFAULT_BELIEF_TYPE_BONUS, DEFAULT_COMPILATION_MODE, DEFAULT_ENTITY_LIMIT, DEFAULT_PRIORITY_SCORE, DEFAULT_RANKING_PROFILE, DEFAULT_SECTION_LIMIT, DEFAULT_SEVERITY_SCORE, DEFAULT_TIER_APPROVAL_MODE, DEFAULT_TOKEN_BUDGET, DEFAULT_WORKFLOW_AUTO_FIX_POLICY, DEFEAT_TYPES, DOMAIN_EVENT_TYPES, DOMAIN_EVENT_VERSION, ENTITY_RANKING_WEIGHTS, EPISTEMIC_LAYERS, EVENT_RETENTION_DEFAULT_DAYS, EdgePolicyEntrySchema, EdgePolicyManifestSchema, EpistemicNodeTypeSchema, FORK_REASONS, GENERATED_INFISICAL_BOOTSTRAP_ENV_NAMES, GENERATED_INFISICAL_CONTROL_ENV_NAMES, GENERATED_INFISICAL_KNOWN_ENV_NAMES, GENERATED_INFISICAL_MANAGED_ENV_NAMES, GENERATED_INFISICAL_RUNTIME_ENV, GENERATED_LUCERN_GATEWAY_ENV_NAMES, GENERATED_LUCERN_WEB_PUBLIC_ENV_NAMES, GENERATED_LUCERN_WEB_SERVER_ENV_NAMES, GRAPH_INTELLIGENCE_MODE_TOOL_NAMES, GRAPH_INTELLIGENCE_PUBLIC_TOOL_NAMES, GRAPH_INTELLIGENCE_QUERIES, GRAPH_INTELLIGENCE_QUERIES_WITH_TOOLS, GRAPH_INTELLIGENCE_QUERY_CATALOG_VERSION, GRAPH_INTELLIGENCE_QUERY_CATEGORIES, GRAPH_INTELLIGENCE_QUERY_MODES, GRAPH_INTELLIGENCE_QUICK_QUERIES, GRAPH_REF_NODE_TYPES, GraphRefSchema, INFISICAL_CONVEX_TIERS, INFISICAL_CONVEX_TIER_BY_VERCEL_ENVIRONMENT, INFISICAL_RUNTIME_BOOTSTRAP_ENV, INFISICAL_RUNTIME_CONTRACT_VERSION, INFISICAL_RUNTIME_CONTROL_ENV, 
INFISICAL_RUNTIME_DEFAULT_API_URL, INFISICAL_RUNTIME_DEFAULT_PROJECT_ID, INFISICAL_RUNTIME_DELIVERY_MODES, INFISICAL_RUNTIME_ENVIRONMENTS, INFISICAL_RUNTIME_MANIFEST, INFISICAL_RUNTIME_PATHS, INFISICAL_RUNTIME_SURFACES, INFISICAL_RUNTIME_SURFACE_IDS, INFISICAL_SECRET_CONSUMERS, INFISICAL_SECRET_DEFINITIONS, INFISICAL_SECRET_DESTINATION_KINDS, INFISICAL_SECRET_ENVIRONMENT_POLICIES, INFISICAL_SECRET_OWNERS, INFISICAL_SECRET_SCOPES, INFISICAL_TENANT_SOFTWARE_SYSTEMS, INFISICAL_VERCEL_DESTINATION_ENVIRONMENTS, INFISICAL_VERCEL_SYNC_DESTINATIONS, INFISICAL_VERCEL_SYNC_RECONCILIATION, INFISICAL_VERCEL_TARGETS, INTEGRATION_EDGE_TYPES, InvariantManifestSchema, JUDGMENT_TYPES, MAX_ENTITY_LIMIT, MAX_SECTION_LIMIT, MAX_TOKEN_BUDGET, MERGE_OUTCOMES, MIN_CONTRADICTION_BUDGET, MIN_TOKEN_BUDGET, MIN_TOKEN_ESTIMATE, MORNING_BRIEF_WORKFLOW_ID, NIGHTLY_RECONCILIATION_WORKFLOW_ID, PRIORITY_SCORES, PULL_REQUEST_STATUSES, RANKING_WEIGHTS, REASONING_METHODS, RECENCY_HALF_LIFE_DAYS, RESOLVED_QUESTION_STATUSES, ROOT_TOPIC_ID, SECTION_BUDGET_RATIOS, SESSION_AUTH_MODES, SESSION_LIFECYCLE_STATUSES, SESSION_PRINCIPAL_TYPES, SEVERITY_SCORES, SLOpinionInputSchema, TENANT_BOOTSTRAP_FORBIDDEN_SEED_TABLES, TENANT_BOOTSTRAP_SEED_AUTH_METADATA_FIELDS, TENANT_BOOTSTRAP_SEED_COMPONENTS, TENANT_BOOTSTRAP_SEED_CONTRACT_VERSION, TENANT_BOOTSTRAP_SEED_MANIFEST, TENANT_BOOTSTRAP_SEED_TABLES, TENANT_BOOTSTRAP_TABLE_REQUIREMENTS, TENANT_BOOTSTRAP_TEMPLATE_ACTOR, TENANT_BOOTSTRAP_TEMPLATE_SEED_VERSION, TENANT_BOOTSTRAP_TEMPLATE_TENANT_ID, TENANT_CLIENT_AUTH_MODES, TENANT_CLIENT_CAPABILITIES, TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS, TENANT_CLIENT_CONTRACT_VERSION, TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS, TENANT_CLIENT_FORBIDDEN_INSTALL_TOKEN_INFISICAL_PATHS, TENANT_CLIENT_FORBIDDEN_SECRET_ENV, TENANT_CLIENT_FULL_SUITE_PACKAGE_NAMES, TENANT_CLIENT_INSTALLABLE_PACKAGES, TENANT_CLIENT_INSTALL_PROFILES, TENANT_CLIENT_INSTALL_TOKEN_ENV, TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH, TENANT_CLIENT_ISOLATION_RULES, 
TENANT_CLIENT_MANIFEST, TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS, TENANT_CLIENT_PRINCIPAL_TYPES, TENANT_CLIENT_PUBLIC_IMPORTS, TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS, TENANT_CLIENT_REQUIRED_SDK_NAMESPACES, TOKENS_PER_WORD, WEBHOOK_MAX_ATTEMPTS, WEBHOOK_RETRY_DELAYS_MS, WORKFLOW_ACTION_KINDS, WORKFLOW_APPROVAL_MODES, WORKFLOW_AUTO_FIX_MODES, WORKFLOW_HOOK_EVENTS, WORKFLOW_INTEGRITY_CHECKS, WORKFLOW_MUTATION_TIERS, WORKFLOW_OUTPUT_KINDS, WORKFLOW_PROOF_ARTIFACT_KINDS, WORKFLOW_RUNTIME_SCHEMA_VERSION, WORKFLOW_RUN_STATUSES, WORKFLOW_STAFFING_HINTS, WORKFLOW_TRIGGER_KINDS, WORKTREE_PHASES, assertEdgePolicyAllowed, assertTenantClientImportAllowed, bigramTokenize, buildDomainEvent, buildProjectedUserFromPermitPrincipal, buildTenantBootstrapTemplateSeedRows, canonicalGeneratedInfisicalEnvName, classifyTenantClientImport, collectTopicNeighborhood, compareEventCursor, dsl_exports as contractDsl, convexTierForVercelDestinationEnvironment, createEventId, createEvidenceProjection, decodeEventCursor, decodePrefixedId, defineProjection, edgePolicyManifest, emitDomainEvent, encodeEventCursor, encodePrefixedId, expectedTenantConvexDeploymentForVercelEnvironment, fillGraphIntelligencePromptTemplate, findEdgePolicy, findInfisicalRuntimePath, findInfisicalRuntimeSurface, findInfisicalSecretDefinition, findInfisicalTenantSoftwareSystem, findInfisicalVercelSyncDestination, findProjectedUserByPermitClerkId, findProjectedUserByPermitPrincipalId, findTenantBootstrapSeedTable, findTenantBootstrapTableRequirement, findTenantClientInstallablePackage, formatTenantClientImportViolation, generatedInfisicalVariableForName, getComponentBoundaryTableLayer, getGraphIntelligenceQuery, hasPrefixedIdPrefix, inferActorType, inferSessionPrincipalType, infisicalSecretDefinitionsForConsumer, infisicalSecretDefinitionsForDestination, isActivePermitProjectionStatus, isAfterCursor, isComponentBoundaryComponentOwnedTable, isGeneratedInfisicalKnownEnvName, isGeneratedInfisicalManagedEnvName, 
isGraphIntelligenceQueryMode, isLucernPrompt, isTenantBootstrapForbiddenSeedTable, isTenantBootstrapSeedTable, isTenantClientAllowedImport, isTenantClientComponentConfigImport, isTenantClientInstallablePackage, isTenantClientPublicImport, jaccardSimilarity, lastDelegator, listBeliefsProjection, listGraphIntelligenceQueries, listTasksProjection, mapPermitRoleToPlatformRole, tool_contracts_exports as mcpToolsContract, modulateConfidenceProjection, normalizeDelegationChain, normalizeRetentionDays, prepareLexicalQuery, projections, rankEntityConnections, rankEntityTypeMatches, rankWindowScore, readGeneratedInfisicalDestinationEnv, readGeneratedInfisicalEnvValue, readGeneratedInfisicalRuntimeEnvSurface, readGeneratedLucernGatewayEnv, readGeneratedLucernWebPublicEnv, readGeneratedLucernWebServerEnv, readPermitProjectionString, requireActorPrincipalId, rerankLexicalWindow, schemas_exports as schemaContracts, scoreEntityConnection, scoreEntityTypeMatch, scoreLexicalSignal, scoreLexicalSignals, sdk_tools_contract_exports as sdkToolsContract, sortEventsByCursor, stemToken, tenantSoftwareSystemConvexEnvNames, tenantSoftwareSystemOwnsConvexEnvName, tokenOverlapScore, tokenizeSearchText, validateInfisicalSecretDefinitions, vercelCustomEnvironmentIdForTenantSoftwareSystem, wordOverlapScore, wordTokenize };
45300
46007
  //# sourceMappingURL=index.js.map
45301
46008
  //# sourceMappingURL=index.js.map