@lucern/contracts 0.3.0-alpha.12 → 0.3.0-alpha.13
- package/dist/auth-context.contract.js +13 -1
- package/dist/auth-context.contract.js.map +1 -1
- package/dist/auth-session.contract.js +13 -1
- package/dist/auth-session.contract.js.map +1 -1
- package/dist/auth.contract.d.ts +1 -1
- package/dist/auth.contract.js +13 -1
- package/dist/auth.contract.js.map +1 -1
- package/dist/component-boundary.contract.js +1 -0
- package/dist/component-boundary.contract.js.map +1 -1
- package/dist/function-registry/beliefs.d.ts +10 -10
- package/dist/function-registry/beliefs.js +53 -2
- package/dist/function-registry/beliefs.js.map +1 -1
- package/dist/function-registry/coding.d.ts +6 -6
- package/dist/function-registry/coding.js +53 -2
- package/dist/function-registry/coding.js.map +1 -1
- package/dist/function-registry/context.d.ts +3 -3
- package/dist/function-registry/context.js +53 -2
- package/dist/function-registry/context.js.map +1 -1
- package/dist/function-registry/contracts.d.ts +3 -3
- package/dist/function-registry/contracts.js +53 -2
- package/dist/function-registry/contracts.js.map +1 -1
- package/dist/function-registry/coordination.d.ts +9 -9
- package/dist/function-registry/coordination.js +53 -2
- package/dist/function-registry/coordination.js.map +1 -1
- package/dist/function-registry/edges.d.ts +6 -6
- package/dist/function-registry/edges.js +53 -2
- package/dist/function-registry/edges.js.map +1 -1
- package/dist/function-registry/evidence.d.ts +8 -8
- package/dist/function-registry/evidence.js +53 -2
- package/dist/function-registry/evidence.js.map +1 -1
- package/dist/function-registry/graph.d.ts +15 -15
- package/dist/function-registry/graph.js +53 -2
- package/dist/function-registry/graph.js.map +1 -1
- package/dist/function-registry/helpers.d.ts +2 -2
- package/dist/function-registry/helpers.js +53 -2
- package/dist/function-registry/helpers.js.map +1 -1
- package/dist/function-registry/identity.d.ts +56 -16
- package/dist/function-registry/identity.js +75 -4
- package/dist/function-registry/identity.js.map +1 -1
- package/dist/function-registry/index.d.ts +1 -1
- package/dist/function-registry/index.js +53 -2
- package/dist/function-registry/index.js.map +1 -1
- package/dist/function-registry/judgments.d.ts +2 -2
- package/dist/function-registry/judgments.js +53 -2
- package/dist/function-registry/judgments.js.map +1 -1
- package/dist/function-registry/legacy.d.ts +1 -1
- package/dist/function-registry/legacy.js +53 -2
- package/dist/function-registry/legacy.js.map +1 -1
- package/dist/function-registry/lenses.d.ts +4 -4
- package/dist/function-registry/lenses.js +53 -2
- package/dist/function-registry/lenses.js.map +1 -1
- package/dist/function-registry/manifest.d.ts +3 -3
- package/dist/function-registry/manifest.js +1 -0
- package/dist/function-registry/manifest.js.map +1 -1
- package/dist/function-registry/nodes.d.ts +8 -8
- package/dist/function-registry/nodes.js +53 -2
- package/dist/function-registry/nodes.js.map +1 -1
- package/dist/function-registry/ontologies.d.ts +11 -11
- package/dist/function-registry/ontologies.js +53 -2
- package/dist/function-registry/ontologies.js.map +1 -1
- package/dist/function-registry/pipeline.d.ts +3 -3
- package/dist/function-registry/pipeline.js +53 -2
- package/dist/function-registry/pipeline.js.map +1 -1
- package/dist/function-registry/questions.d.ts +12 -12
- package/dist/function-registry/questions.js +53 -2
- package/dist/function-registry/questions.js.map +1 -1
- package/dist/function-registry/tasks.d.ts +4 -4
- package/dist/function-registry/tasks.js +53 -2
- package/dist/function-registry/tasks.js.map +1 -1
- package/dist/function-registry/topics.d.ts +7 -7
- package/dist/function-registry/topics.js +53 -2
- package/dist/function-registry/topics.js.map +1 -1
- package/dist/function-registry/types.d.ts +2 -2
- package/dist/function-registry/worktrees.d.ts +11 -11
- package/dist/function-registry/worktrees.js +53 -2
- package/dist/function-registry/worktrees.js.map +1 -1
- package/dist/generated/convexSchemas.js +2 -1
- package/dist/generated/convexSchemas.js.map +1 -1
- package/dist/generated/infisicalRuntimeEnv.js +111 -0
- package/dist/generated/infisicalRuntimeEnv.js.map +1 -1
- package/dist/generated/schema-manifest.json +88 -3
- package/dist/generated/tableOwnership.d.ts +2 -1
- package/dist/generated/tableOwnership.js +2 -0
- package/dist/generated/tableOwnership.js.map +1 -1
- package/dist/generated/tier-expectations.json +6 -3
- package/dist/index.d.ts +2 -2
- package/dist/index.js +290 -20
- package/dist/index.js.map +1 -1
- package/dist/infisical-runtime.contract.d.ts +18 -0
- package/dist/infisical-runtime.contract.js +21 -0
- package/dist/infisical-runtime.contract.js.map +1 -1
- package/dist/manifests/infisical-runtime-manifest.d.ts +18 -0
- package/dist/manifests/infisical-runtime-manifest.js +21 -0
- package/dist/manifests/infisical-runtime-manifest.js.map +1 -1
- package/dist/manifests/tenant-client-manifest.d.ts +8 -3
- package/dist/manifests/tenant-client-manifest.js +18 -1
- package/dist/manifests/tenant-client-manifest.js.map +1 -1
- package/dist/permit-principal-projection.contract.js +2 -3
- package/dist/permit-principal-projection.contract.js.map +1 -1
- package/dist/proof-attestation.json +1 -1
- package/dist/schemas/index.js +33 -0
- package/dist/schemas/index.js.map +1 -1
- package/dist/schemas/manifest.d.ts +75 -0
- package/dist/schemas/manifest.js +33 -0
- package/dist/schemas/manifest.js.map +1 -1
- package/dist/schemas/tables/controlPlane/accessControl.js +3 -0
- package/dist/schemas/tables/controlPlane/accessControl.js.map +1 -1
- package/dist/schemas/tables/kernel/events.d.ts +21 -0
- package/dist/schemas/tables/kernel/events.js +43 -0
- package/dist/schemas/tables/kernel/events.js.map +1 -0
- package/dist/{sdk-tools.contract-BNklQDfB.d.ts → sdk-tools.contract-CKmSsrZ2.d.ts} +1 -1
- package/dist/sdk-tools.contract.d.ts +2 -2
- package/dist/sdk-tools.contract.js +45 -1
- package/dist/sdk-tools.contract.js.map +1 -1
- package/dist/tenant-bootstrap-seed.contract.d.ts +22 -2
- package/dist/tenant-bootstrap-seed.contract.js +15 -2
- package/dist/tenant-bootstrap-seed.contract.js.map +1 -1
- package/dist/tenant-bootstrap-seed.defaults.d.ts +1 -1
- package/dist/tenant-bootstrap-seed.defaults.js +30 -12
- package/dist/tenant-bootstrap-seed.defaults.js.map +1 -1
- package/dist/tenant-client.contract.d.ts +8 -3
- package/dist/tenant-client.contract.js +18 -1
- package/dist/tenant-client.contract.js.map +1 -1
- package/dist/{tool-contracts-BevD9Ho2.d.ts → tool-contracts-C_xvM9q2.d.ts} +4 -2
- package/dist/tool-contracts.d.ts +1 -1
- package/dist/tool-contracts.js +46 -2
- package/dist/tool-contracts.js.map +1 -1
- package/package.json +1 -1
|
@@ -5,7 +5,13 @@ var SESSION_AUTH_MODES = [
|
|
|
5
5
|
"tenant_api_key",
|
|
6
6
|
"session_token"
|
|
7
7
|
];
|
|
8
|
-
var SESSION_PRINCIPAL_TYPES = [
|
|
8
|
+
var SESSION_PRINCIPAL_TYPES = [
|
|
9
|
+
"human",
|
|
10
|
+
"service",
|
|
11
|
+
"agent",
|
|
12
|
+
"group",
|
|
13
|
+
"external_viewer"
|
|
14
|
+
];
|
|
9
15
|
var SESSION_LIFECYCLE_STATUSES = [
|
|
10
16
|
"active",
|
|
11
17
|
"expired",
|
|
@@ -18,6 +24,12 @@ function inferSessionPrincipalType(principalId) {
|
|
|
18
24
|
if (principalId.startsWith("agent:")) {
|
|
19
25
|
return "agent";
|
|
20
26
|
}
|
|
27
|
+
if (principalId.startsWith("group:")) {
|
|
28
|
+
return "group";
|
|
29
|
+
}
|
|
30
|
+
if (principalId.startsWith("external:") || principalId.startsWith("external_viewer:")) {
|
|
31
|
+
return "external_viewer";
|
|
32
|
+
}
|
|
21
33
|
return "service";
|
|
22
34
|
}
|
|
23
35
|
function normalizeDelegationChain(args) {
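Review bot: The fall-through `return "service";` below the added `group:` and `external:`/`external_viewer:` branches still types every unrecognised principalId as `service`, so an external viewer id that misses its prefix (wrong case, no colon, a prefix added later) is recorded as a service principal. The source embedded in the source-map hunk that follows shows normalizeDelegationChain calling this function when `delegatedByType` is absent, so the guess can end up in delegation-hop records; whether anything authorizes on it is not visible here. I would add a comment above the function saying so, for example `// Prefix heuristic only: unknown ids fall back to "service"; do not use the result for access decisions.` The same added lines appear in the two later sections with identical hunks (one under the package/dist/auth.contract.js header), and the function begins above this hunk.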
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../src/auth.contract.ts"],"names":[],"mappings":";AAgBO,IAAM,kBAAA,GAAqB;AAAA,EAChC,kBAAA;AAAA,EACA,mBAAA;AAAA,EACA,gBAAA;AAAA,EACA;AACF;AAGO,IAAM,uBAAA,GAA0B,
|
|
1
|
+
{"version":3,"sources":["../src/auth.contract.ts"],"names":[],"mappings":";AAgBO,IAAM,kBAAA,GAAqB;AAAA,EAChC,kBAAA;AAAA,EACA,mBAAA;AAAA,EACA,gBAAA;AAAA,EACA;AACF;AAGO,IAAM,uBAAA,GAA0B;AAAA,EACrC,OAAA;AAAA,EACA,SAAA;AAAA,EACA,OAAA;AAAA,EACA,OAAA;AAAA,EACA;AACF;AAGO,IAAM,0BAAA,GAA6B;AAAA,EACxC,QAAA;AAAA,EACA,SAAA;AAAA,EACA;AACF;AA2CO,SAAS,0BACd,WAAA,EACsB;AACtB,EAAA,IAAI,WAAA,CAAY,UAAA,CAAW,OAAO,CAAA,EAAG;AACnC,IAAA,OAAO,OAAA;AAAA,EACT;AACA,EAAA,IAAI,WAAA,CAAY,UAAA,CAAW,QAAQ,CAAA,EAAG;AACpC,IAAA,OAAO,OAAA;AAAA,EACT;AACA,EAAA,IAAI,WAAA,CAAY,UAAA,CAAW,QAAQ,CAAA,EAAG;AACpC,IAAA,OAAO,OAAA;AAAA,EACT;AACA,EAAA,IACE,YAAY,UAAA,CAAW,WAAW,KAClC,WAAA,CAAY,UAAA,CAAW,kBAAkB,CAAA,EACzC;AACA,IAAA,OAAO,iBAAA;AAAA,EACT;AACA,EAAA,OAAO,SAAA;AACT;AAEO,SAAS,yBAAyB,IAAA,EAMF;AACrC,EAAA,IAAI,IAAA,CAAK,eAAA,IAAmB,IAAA,CAAK,eAAA,CAAgB,SAAS,CAAA,EAAG;AAC3D,IAAA,OAAO,CAAC,GAAG,IAAA,CAAK,eAAe,CAAA;AAAA,EACjC;AACA,EAAA,IAAI,CAAC,KAAK,WAAA,EAAa;AACrB,IAAA;AAAA,EACF;AACA,EAAA,OAAO;AAAA,IACL;AAAA,MACE,aAAa,IAAA,CAAK,WAAA;AAAA,MAClB,aAAA,EACE,IAAA,CAAK,eAAA,IAAmB,yBAAA,CAA0B,KAAK,WAAW,CAAA;AAAA,MACpE,aAAa,IAAA,CAAK,WAAA;AAAA,MAClB,QAAQ,IAAA,CAAK;AAAA;AACf,GACF;AACF;AAEO,SAAS,cACd,eAAA,EACoB;AACpB,EAAA,IAAI,CAAC,eAAA,IAAmB,eAAA,CAAgB,MAAA,KAAW,CAAA,EAAG;AACpD,IAAA;AAAA,EACF;AACA,EAAA,OAAO,eAAA,CAAgB,eAAA,CAAgB,MAAA,GAAS,CAAC,CAAA,EAAG,WAAA;AACtD","file":"auth-context.contract.js","sourcesContent":["/**\n * @lucern/contracts — auth (canonical support contract)\n *\n * Consolidated flat support surface for Lucern authentication:\n * - Session primitives (auth modes, principal types, lifecycle)\n * - AuthContext shape + McpTransportKind + LucernSdkClient alias\n *\n * Consolidated from src/auth-session.contract.ts and src/auth-context.contract.ts\n * in EK-16 T1 PR 3a. 
Compat shims remain at both old paths until Lucern 1.0.0 (D12).\n */\n\n// =============================================================================\n// SESSION PRIMITIVES\n// (Formerly src/auth-session.contract.ts)\n// =============================================================================\n\nexport const SESSION_AUTH_MODES = [\n \"interactive_user\",\n \"service_principal\",\n \"tenant_api_key\",\n \"session_token\",\n] as const;\nexport type SessionAuthMode = (typeof SESSION_AUTH_MODES)[number];\n\nexport const SESSION_PRINCIPAL_TYPES = [\n \"human\",\n \"service\",\n \"agent\",\n \"group\",\n \"external_viewer\",\n] as const;\nexport type SessionPrincipalType = (typeof SESSION_PRINCIPAL_TYPES)[number];\n\nexport const SESSION_LIFECYCLE_STATUSES = [\n \"active\",\n \"expired\",\n \"revoked\",\n] as const;\nexport type SessionLifecycleStatus =\n (typeof SESSION_LIFECYCLE_STATUSES)[number];\n\nexport type SessionDelegationHop = {\n principalId: string;\n principalType: SessionPrincipalType;\n authMode?: SessionAuthMode;\n sessionId?: string;\n delegatedAt?: number;\n reason?: string;\n};\n\nexport type SessionAuditOutcome =\n | \"accepted\"\n | \"rejected\"\n | \"revoked\"\n | \"expired\";\n\nexport type SessionAuditEnvelope = {\n sessionId: string;\n authMode: SessionAuthMode;\n principalId: string;\n principalType: SessionPrincipalType;\n tenantId: string;\n workspaceId?: string;\n apiKeyId?: string;\n scopes: readonly string[];\n roles?: readonly string[];\n delegationChain?: readonly SessionDelegationHop[];\n sourceSessionId?: string;\n expiresAt?: number;\n request?: {\n endpoint?: string;\n method?: string;\n correlationId?: string;\n };\n result?: {\n outcome: SessionAuditOutcome;\n reason?: string;\n };\n};\n\nexport function inferSessionPrincipalType(\n principalId: string\n): SessionPrincipalType {\n if (principalId.startsWith(\"user:\")) {\n return \"human\";\n }\n if (principalId.startsWith(\"agent:\")) {\n return \"agent\";\n }\n if 
(principalId.startsWith(\"group:\")) {\n return \"group\";\n }\n if (\n principalId.startsWith(\"external:\") ||\n principalId.startsWith(\"external_viewer:\")\n ) {\n return \"external_viewer\";\n }\n return \"service\";\n}\n\nexport function normalizeDelegationChain(args: {\n delegationChain?: readonly SessionDelegationHop[];\n delegatedBy?: string;\n delegatedByType?: SessionPrincipalType;\n delegatedAt?: number;\n reason?: string;\n}): SessionDelegationHop[] | undefined {\n if (args.delegationChain && args.delegationChain.length > 0) {\n return [...args.delegationChain];\n }\n if (!args.delegatedBy) {\n return;\n }\n return [\n {\n principalId: args.delegatedBy,\n principalType:\n args.delegatedByType ?? inferSessionPrincipalType(args.delegatedBy),\n delegatedAt: args.delegatedAt,\n reason: args.reason,\n },\n ];\n}\n\nexport function lastDelegator(\n delegationChain?: readonly SessionDelegationHop[]\n): string | undefined {\n if (!delegationChain || delegationChain.length === 0) {\n return;\n }\n return delegationChain[delegationChain.length - 1]?.principalId;\n}\n\n// =============================================================================\n// AUTH CONTEXT\n// (Formerly src/auth-context.contract.ts)\n// =============================================================================\n\nimport type { ConvexAdminClient } from \"./convex-admin.contract\";\n\nexport type McpTransportKind = \"stdio\" | \"hosted\";\n\nexport type LucernSdkClient = unknown;\n\n/**\n * Session authentication context — injected by withAuth() middleware.\n *\n * Built from TenantConfig at dispatch time. 
Agent sessions get\n * AGENT_IDENTITY + \"agent:internal\" role + unrestricted access.\n * User sessions get Clerk userId + resolved role + tool ACLs.\n */\nexport type AuthContext = {\n sessionType: \"agent\" | \"user\";\n userId: string; // AGENT_IDENTITY for agents, Clerk userId for users\n tenantId: string;\n role: string; // \"agent:internal\" | \"platform_admin\" | \"tenant_admin\" | \"editor\" | \"viewer\" | ...\n allowedTopics: string[] | null; // null = unrestricted (agents, admins). Block 11D populates this.\n // Layer 2a: Group-pack binding — resolved at boot from MC resolveUserPackAccess\n groupIds: string[]; // Groups this user belongs to (empty for agents)\n permittedPackKeys: string[]; // Packs accessible via group assignments (empty = no pack filtering)\n sessionId: string; // S2-13K: MCP process session UUID for audit attribution\n principalId?: string;\n principalType?: SessionPrincipalType;\n workspaceId?: string;\n scopes?: string[];\n authMode?: SessionAuthMode;\n roles?: string[];\n transportKind?: McpTransportKind;\n lucernClient?: LucernSdkClient;\n convex?: ConvexAdminClient;\n setDefaultScopeContext?: (scopeId: string) => Promise<unknown>;\n matchesWorkspaceReasoningScope?: (\n node: unknown,\n scope: unknown\n ) => boolean;\n};\n"]}
|
|
@@ -5,7 +5,13 @@ var SESSION_AUTH_MODES = [
|
|
|
5
5
|
"tenant_api_key",
|
|
6
6
|
"session_token"
|
|
7
7
|
];
|
|
8
|
-
var SESSION_PRINCIPAL_TYPES = [
|
|
8
|
+
var SESSION_PRINCIPAL_TYPES = [
|
|
9
|
+
"human",
|
|
10
|
+
"service",
|
|
11
|
+
"agent",
|
|
12
|
+
"group",
|
|
13
|
+
"external_viewer"
|
|
14
|
+
];
|
|
9
15
|
var SESSION_LIFECYCLE_STATUSES = [
|
|
10
16
|
"active",
|
|
11
17
|
"expired",
|
|
@@ -18,6 +24,12 @@ function inferSessionPrincipalType(principalId) {
|
|
|
18
24
|
if (principalId.startsWith("agent:")) {
|
|
19
25
|
return "agent";
|
|
20
26
|
}
|
|
27
|
+
if (principalId.startsWith("group:")) {
|
|
28
|
+
return "group";
|
|
29
|
+
}
|
|
30
|
+
if (principalId.startsWith("external:") || principalId.startsWith("external_viewer:")) {
|
|
31
|
+
return "external_viewer";
|
|
32
|
+
}
|
|
21
33
|
return "service";
|
|
22
34
|
}
|
|
23
35
|
function normalizeDelegationChain(args) {
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../src/auth.contract.ts"],"names":[],"mappings":";AAgBO,IAAM,kBAAA,GAAqB;AAAA,EAChC,kBAAA;AAAA,EACA,mBAAA;AAAA,EACA,gBAAA;AAAA,EACA;AACF;AAGO,IAAM,uBAAA,GAA0B,
|
|
1
|
+
{"version":3,"sources":["../src/auth.contract.ts"],"names":[],"mappings":";AAgBO,IAAM,kBAAA,GAAqB;AAAA,EAChC,kBAAA;AAAA,EACA,mBAAA;AAAA,EACA,gBAAA;AAAA,EACA;AACF;AAGO,IAAM,uBAAA,GAA0B;AAAA,EACrC,OAAA;AAAA,EACA,SAAA;AAAA,EACA,OAAA;AAAA,EACA,OAAA;AAAA,EACA;AACF;AAGO,IAAM,0BAAA,GAA6B;AAAA,EACxC,QAAA;AAAA,EACA,SAAA;AAAA,EACA;AACF;AA2CO,SAAS,0BACd,WAAA,EACsB;AACtB,EAAA,IAAI,WAAA,CAAY,UAAA,CAAW,OAAO,CAAA,EAAG;AACnC,IAAA,OAAO,OAAA;AAAA,EACT;AACA,EAAA,IAAI,WAAA,CAAY,UAAA,CAAW,QAAQ,CAAA,EAAG;AACpC,IAAA,OAAO,OAAA;AAAA,EACT;AACA,EAAA,IAAI,WAAA,CAAY,UAAA,CAAW,QAAQ,CAAA,EAAG;AACpC,IAAA,OAAO,OAAA;AAAA,EACT;AACA,EAAA,IACE,YAAY,UAAA,CAAW,WAAW,KAClC,WAAA,CAAY,UAAA,CAAW,kBAAkB,CAAA,EACzC;AACA,IAAA,OAAO,iBAAA;AAAA,EACT;AACA,EAAA,OAAO,SAAA;AACT;AAEO,SAAS,yBAAyB,IAAA,EAMF;AACrC,EAAA,IAAI,IAAA,CAAK,eAAA,IAAmB,IAAA,CAAK,eAAA,CAAgB,SAAS,CAAA,EAAG;AAC3D,IAAA,OAAO,CAAC,GAAG,IAAA,CAAK,eAAe,CAAA;AAAA,EACjC;AACA,EAAA,IAAI,CAAC,KAAK,WAAA,EAAa;AACrB,IAAA;AAAA,EACF;AACA,EAAA,OAAO;AAAA,IACL;AAAA,MACE,aAAa,IAAA,CAAK,WAAA;AAAA,MAClB,aAAA,EACE,IAAA,CAAK,eAAA,IAAmB,yBAAA,CAA0B,KAAK,WAAW,CAAA;AAAA,MACpE,aAAa,IAAA,CAAK,WAAA;AAAA,MAClB,QAAQ,IAAA,CAAK;AAAA;AACf,GACF;AACF;AAEO,SAAS,cACd,eAAA,EACoB;AACpB,EAAA,IAAI,CAAC,eAAA,IAAmB,eAAA,CAAgB,MAAA,KAAW,CAAA,EAAG;AACpD,IAAA;AAAA,EACF;AACA,EAAA,OAAO,eAAA,CAAgB,eAAA,CAAgB,MAAA,GAAS,CAAC,CAAA,EAAG,WAAA;AACtD","file":"auth-session.contract.js","sourcesContent":["/**\n * @lucern/contracts — auth (canonical support contract)\n *\n * Consolidated flat support surface for Lucern authentication:\n * - Session primitives (auth modes, principal types, lifecycle)\n * - AuthContext shape + McpTransportKind + LucernSdkClient alias\n *\n * Consolidated from src/auth-session.contract.ts and src/auth-context.contract.ts\n * in EK-16 T1 PR 3a. 
Compat shims remain at both old paths until Lucern 1.0.0 (D12).\n */\n\n// =============================================================================\n// SESSION PRIMITIVES\n// (Formerly src/auth-session.contract.ts)\n// =============================================================================\n\nexport const SESSION_AUTH_MODES = [\n \"interactive_user\",\n \"service_principal\",\n \"tenant_api_key\",\n \"session_token\",\n] as const;\nexport type SessionAuthMode = (typeof SESSION_AUTH_MODES)[number];\n\nexport const SESSION_PRINCIPAL_TYPES = [\n \"human\",\n \"service\",\n \"agent\",\n \"group\",\n \"external_viewer\",\n] as const;\nexport type SessionPrincipalType = (typeof SESSION_PRINCIPAL_TYPES)[number];\n\nexport const SESSION_LIFECYCLE_STATUSES = [\n \"active\",\n \"expired\",\n \"revoked\",\n] as const;\nexport type SessionLifecycleStatus =\n (typeof SESSION_LIFECYCLE_STATUSES)[number];\n\nexport type SessionDelegationHop = {\n principalId: string;\n principalType: SessionPrincipalType;\n authMode?: SessionAuthMode;\n sessionId?: string;\n delegatedAt?: number;\n reason?: string;\n};\n\nexport type SessionAuditOutcome =\n | \"accepted\"\n | \"rejected\"\n | \"revoked\"\n | \"expired\";\n\nexport type SessionAuditEnvelope = {\n sessionId: string;\n authMode: SessionAuthMode;\n principalId: string;\n principalType: SessionPrincipalType;\n tenantId: string;\n workspaceId?: string;\n apiKeyId?: string;\n scopes: readonly string[];\n roles?: readonly string[];\n delegationChain?: readonly SessionDelegationHop[];\n sourceSessionId?: string;\n expiresAt?: number;\n request?: {\n endpoint?: string;\n method?: string;\n correlationId?: string;\n };\n result?: {\n outcome: SessionAuditOutcome;\n reason?: string;\n };\n};\n\nexport function inferSessionPrincipalType(\n principalId: string\n): SessionPrincipalType {\n if (principalId.startsWith(\"user:\")) {\n return \"human\";\n }\n if (principalId.startsWith(\"agent:\")) {\n return \"agent\";\n }\n if 
(principalId.startsWith(\"group:\")) {\n return \"group\";\n }\n if (\n principalId.startsWith(\"external:\") ||\n principalId.startsWith(\"external_viewer:\")\n ) {\n return \"external_viewer\";\n }\n return \"service\";\n}\n\nexport function normalizeDelegationChain(args: {\n delegationChain?: readonly SessionDelegationHop[];\n delegatedBy?: string;\n delegatedByType?: SessionPrincipalType;\n delegatedAt?: number;\n reason?: string;\n}): SessionDelegationHop[] | undefined {\n if (args.delegationChain && args.delegationChain.length > 0) {\n return [...args.delegationChain];\n }\n if (!args.delegatedBy) {\n return;\n }\n return [\n {\n principalId: args.delegatedBy,\n principalType:\n args.delegatedByType ?? inferSessionPrincipalType(args.delegatedBy),\n delegatedAt: args.delegatedAt,\n reason: args.reason,\n },\n ];\n}\n\nexport function lastDelegator(\n delegationChain?: readonly SessionDelegationHop[]\n): string | undefined {\n if (!delegationChain || delegationChain.length === 0) {\n return;\n }\n return delegationChain[delegationChain.length - 1]?.principalId;\n}\n\n// =============================================================================\n// AUTH CONTEXT\n// (Formerly src/auth-context.contract.ts)\n// =============================================================================\n\nimport type { ConvexAdminClient } from \"./convex-admin.contract\";\n\nexport type McpTransportKind = \"stdio\" | \"hosted\";\n\nexport type LucernSdkClient = unknown;\n\n/**\n * Session authentication context — injected by withAuth() middleware.\n *\n * Built from TenantConfig at dispatch time. 
Agent sessions get\n * AGENT_IDENTITY + \"agent:internal\" role + unrestricted access.\n * User sessions get Clerk userId + resolved role + tool ACLs.\n */\nexport type AuthContext = {\n sessionType: \"agent\" | \"user\";\n userId: string; // AGENT_IDENTITY for agents, Clerk userId for users\n tenantId: string;\n role: string; // \"agent:internal\" | \"platform_admin\" | \"tenant_admin\" | \"editor\" | \"viewer\" | ...\n allowedTopics: string[] | null; // null = unrestricted (agents, admins). Block 11D populates this.\n // Layer 2a: Group-pack binding — resolved at boot from MC resolveUserPackAccess\n groupIds: string[]; // Groups this user belongs to (empty for agents)\n permittedPackKeys: string[]; // Packs accessible via group assignments (empty = no pack filtering)\n sessionId: string; // S2-13K: MCP process session UUID for audit attribution\n principalId?: string;\n principalType?: SessionPrincipalType;\n workspaceId?: string;\n scopes?: string[];\n authMode?: SessionAuthMode;\n roles?: string[];\n transportKind?: McpTransportKind;\n lucernClient?: LucernSdkClient;\n convex?: ConvexAdminClient;\n setDefaultScopeContext?: (scopeId: string) => Promise<unknown>;\n matchesWorkspaceReasoningScope?: (\n node: unknown,\n scope: unknown\n ) => boolean;\n};\n"]}
|
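--- a/package/dist/auth.contract.d.ts
+++ b/package/dist/auth.contract.d.ts
@@ -12,7 +12,7 @@ import { ConvexAdminClient } from './convex-admin.contract.js';
 */
 declare const SESSION_AUTH_MODES: readonly ["interactive_user", "service_principal", "tenant_api_key", "session_token"];
 type SessionAuthMode = (typeof SESSION_AUTH_MODES)[number];
-declare const SESSION_PRINCIPAL_TYPES: readonly ["human", "service", "agent"];
+declare const SESSION_PRINCIPAL_TYPES: readonly ["human", "service", "agent", "group", "external_viewer"];
 type SessionPrincipalType = (typeof SESSION_PRINCIPAL_TYPES)[number];
 declare const SESSION_LIFECYCLE_STATUSES: readonly ["active", "expired", "revoked"];
 type SessionLifecycleStatus = (typeof SESSION_LIFECYCLE_STATUSES)[number];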
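--- a/package/dist/auth.contract.js
+++ b/package/dist/auth.contract.js
@@ -5,7 +5,13 @@ var SESSION_AUTH_MODES = [
 "tenant_api_key",
 "session_token"
 ];
-var SESSION_PRINCIPAL_TYPES = [
+var SESSION_PRINCIPAL_TYPES = [
+"human",
+"service",
+"agent",
+"group",
+"external_viewer"
+];
 var SESSION_LIFECYCLE_STATUSES = [
 "active",
 "expired",
@@ -18,6 +24,12 @@ function inferSessionPrincipalType(principalId) {
 if (principalId.startsWith("agent:")) {
 return "agent";
 }
+if (principalId.startsWith("group:")) {
+return "group";
+}
+if (principalId.startsWith("external:") || principalId.startsWith("external_viewer:")) {
+return "external_viewer";
+}
 return "service";
 }
 function normalizeDelegationChain(args) {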
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../src/auth.contract.ts"],"names":[],"mappings":";AAgBO,IAAM,kBAAA,GAAqB;AAAA,EAChC,kBAAA;AAAA,EACA,mBAAA;AAAA,EACA,gBAAA;AAAA,EACA;AACF;AAGO,IAAM,uBAAA,GAA0B,
|
|
1
|
+
{"version":3,"sources":["../src/auth.contract.ts"],"names":[],"mappings":";AAgBO,IAAM,kBAAA,GAAqB;AAAA,EAChC,kBAAA;AAAA,EACA,mBAAA;AAAA,EACA,gBAAA;AAAA,EACA;AACF;AAGO,IAAM,uBAAA,GAA0B;AAAA,EACrC,OAAA;AAAA,EACA,SAAA;AAAA,EACA,OAAA;AAAA,EACA,OAAA;AAAA,EACA;AACF;AAGO,IAAM,0BAAA,GAA6B;AAAA,EACxC,QAAA;AAAA,EACA,SAAA;AAAA,EACA;AACF;AA2CO,SAAS,0BACd,WAAA,EACsB;AACtB,EAAA,IAAI,WAAA,CAAY,UAAA,CAAW,OAAO,CAAA,EAAG;AACnC,IAAA,OAAO,OAAA;AAAA,EACT;AACA,EAAA,IAAI,WAAA,CAAY,UAAA,CAAW,QAAQ,CAAA,EAAG;AACpC,IAAA,OAAO,OAAA;AAAA,EACT;AACA,EAAA,IAAI,WAAA,CAAY,UAAA,CAAW,QAAQ,CAAA,EAAG;AACpC,IAAA,OAAO,OAAA;AAAA,EACT;AACA,EAAA,IACE,YAAY,UAAA,CAAW,WAAW,KAClC,WAAA,CAAY,UAAA,CAAW,kBAAkB,CAAA,EACzC;AACA,IAAA,OAAO,iBAAA;AAAA,EACT;AACA,EAAA,OAAO,SAAA;AACT;AAEO,SAAS,yBAAyB,IAAA,EAMF;AACrC,EAAA,IAAI,IAAA,CAAK,eAAA,IAAmB,IAAA,CAAK,eAAA,CAAgB,SAAS,CAAA,EAAG;AAC3D,IAAA,OAAO,CAAC,GAAG,IAAA,CAAK,eAAe,CAAA;AAAA,EACjC;AACA,EAAA,IAAI,CAAC,KAAK,WAAA,EAAa;AACrB,IAAA;AAAA,EACF;AACA,EAAA,OAAO;AAAA,IACL;AAAA,MACE,aAAa,IAAA,CAAK,WAAA;AAAA,MAClB,aAAA,EACE,IAAA,CAAK,eAAA,IAAmB,yBAAA,CAA0B,KAAK,WAAW,CAAA;AAAA,MACpE,aAAa,IAAA,CAAK,WAAA;AAAA,MAClB,QAAQ,IAAA,CAAK;AAAA;AACf,GACF;AACF;AAEO,SAAS,cACd,eAAA,EACoB;AACpB,EAAA,IAAI,CAAC,eAAA,IAAmB,eAAA,CAAgB,MAAA,KAAW,CAAA,EAAG;AACpD,IAAA;AAAA,EACF;AACA,EAAA,OAAO,eAAA,CAAgB,eAAA,CAAgB,MAAA,GAAS,CAAC,CAAA,EAAG,WAAA;AACtD","file":"auth.contract.js","sourcesContent":["/**\n * @lucern/contracts — auth (canonical support contract)\n *\n * Consolidated flat support surface for Lucern authentication:\n * - Session primitives (auth modes, principal types, lifecycle)\n * - AuthContext shape + McpTransportKind + LucernSdkClient alias\n *\n * Consolidated from src/auth-session.contract.ts and src/auth-context.contract.ts\n * in EK-16 T1 PR 3a. 
Compat shims remain at both old paths until Lucern 1.0.0 (D12).\n */\n\n// =============================================================================\n// SESSION PRIMITIVES\n// (Formerly src/auth-session.contract.ts)\n// =============================================================================\n\nexport const SESSION_AUTH_MODES = [\n \"interactive_user\",\n \"service_principal\",\n \"tenant_api_key\",\n \"session_token\",\n] as const;\nexport type SessionAuthMode = (typeof SESSION_AUTH_MODES)[number];\n\nexport const SESSION_PRINCIPAL_TYPES = [\n \"human\",\n \"service\",\n \"agent\",\n \"group\",\n \"external_viewer\",\n] as const;\nexport type SessionPrincipalType = (typeof SESSION_PRINCIPAL_TYPES)[number];\n\nexport const SESSION_LIFECYCLE_STATUSES = [\n \"active\",\n \"expired\",\n \"revoked\",\n] as const;\nexport type SessionLifecycleStatus =\n (typeof SESSION_LIFECYCLE_STATUSES)[number];\n\nexport type SessionDelegationHop = {\n principalId: string;\n principalType: SessionPrincipalType;\n authMode?: SessionAuthMode;\n sessionId?: string;\n delegatedAt?: number;\n reason?: string;\n};\n\nexport type SessionAuditOutcome =\n | \"accepted\"\n | \"rejected\"\n | \"revoked\"\n | \"expired\";\n\nexport type SessionAuditEnvelope = {\n sessionId: string;\n authMode: SessionAuthMode;\n principalId: string;\n principalType: SessionPrincipalType;\n tenantId: string;\n workspaceId?: string;\n apiKeyId?: string;\n scopes: readonly string[];\n roles?: readonly string[];\n delegationChain?: readonly SessionDelegationHop[];\n sourceSessionId?: string;\n expiresAt?: number;\n request?: {\n endpoint?: string;\n method?: string;\n correlationId?: string;\n };\n result?: {\n outcome: SessionAuditOutcome;\n reason?: string;\n };\n};\n\nexport function inferSessionPrincipalType(\n principalId: string\n): SessionPrincipalType {\n if (principalId.startsWith(\"user:\")) {\n return \"human\";\n }\n if (principalId.startsWith(\"agent:\")) {\n return \"agent\";\n }\n if 
(principalId.startsWith(\"group:\")) {\n return \"group\";\n }\n if (\n principalId.startsWith(\"external:\") ||\n principalId.startsWith(\"external_viewer:\")\n ) {\n return \"external_viewer\";\n }\n return \"service\";\n}\n\nexport function normalizeDelegationChain(args: {\n delegationChain?: readonly SessionDelegationHop[];\n delegatedBy?: string;\n delegatedByType?: SessionPrincipalType;\n delegatedAt?: number;\n reason?: string;\n}): SessionDelegationHop[] | undefined {\n if (args.delegationChain && args.delegationChain.length > 0) {\n return [...args.delegationChain];\n }\n if (!args.delegatedBy) {\n return;\n }\n return [\n {\n principalId: args.delegatedBy,\n principalType:\n args.delegatedByType ?? inferSessionPrincipalType(args.delegatedBy),\n delegatedAt: args.delegatedAt,\n reason: args.reason,\n },\n ];\n}\n\nexport function lastDelegator(\n delegationChain?: readonly SessionDelegationHop[]\n): string | undefined {\n if (!delegationChain || delegationChain.length === 0) {\n return;\n }\n return delegationChain[delegationChain.length - 1]?.principalId;\n}\n\n// =============================================================================\n// AUTH CONTEXT\n// (Formerly src/auth-context.contract.ts)\n// =============================================================================\n\nimport type { ConvexAdminClient } from \"./convex-admin.contract\";\n\nexport type McpTransportKind = \"stdio\" | \"hosted\";\n\nexport type LucernSdkClient = unknown;\n\n/**\n * Session authentication context — injected by withAuth() middleware.\n *\n * Built from TenantConfig at dispatch time. 
Agent sessions get\n * AGENT_IDENTITY + \"agent:internal\" role + unrestricted access.\n * User sessions get Clerk userId + resolved role + tool ACLs.\n */\nexport type AuthContext = {\n sessionType: \"agent\" | \"user\";\n userId: string; // AGENT_IDENTITY for agents, Clerk userId for users\n tenantId: string;\n role: string; // \"agent:internal\" | \"platform_admin\" | \"tenant_admin\" | \"editor\" | \"viewer\" | ...\n allowedTopics: string[] | null; // null = unrestricted (agents, admins). Block 11D populates this.\n // Layer 2a: Group-pack binding — resolved at boot from MC resolveUserPackAccess\n groupIds: string[]; // Groups this user belongs to (empty for agents)\n permittedPackKeys: string[]; // Packs accessible via group assignments (empty = no pack filtering)\n sessionId: string; // S2-13K: MCP process session UUID for audit attribution\n principalId?: string;\n principalType?: SessionPrincipalType;\n workspaceId?: string;\n scopes?: string[];\n authMode?: SessionAuthMode;\n roles?: string[];\n transportKind?: McpTransportKind;\n lucernClient?: LucernSdkClient;\n convex?: ConvexAdminClient;\n setDefaultScopeContext?: (scopeId: string) => Promise<unknown>;\n matchesWorkspaceReasoningScope?: (\n node: unknown,\n scope: unknown\n ) => boolean;\n};\n"]}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../src/generated/tableOwnership.ts","../src/component-boundary.contract.ts"],"names":[],"mappings":";AAkJO,IAAM,eAAA,GAAkB;AAAA,EAC7B,eAAA,EAAiB,GAAA;AAAA,EACjB,sBAAA,EAAwB,GAAA;AAAA,EACxB,QAAA,EAAU,GAAA;AAAA,EACV,eAAA,EAAiB,GAAA;AAAA,EACjB,SAAA,EAAW,GAAA;AAAA,EACX,UAAA,EAAY,GAAA;AAAA,EACZ,aAAA,EAAe,GAAA;AAAA,EACf,mBAAA,EAAqB,GAAA;AAAA,EACrB,uBAAA,EAAyB,GAAA;AAAA,EACzB,kBAAA,EAAoB,GAAA;AAAA,EACpB,qBAAA,EAAuB,GAAA;AAAA,EACvB,eAAA,EAAiB,GAAA;AAAA,EACjB,iBAAA,EAAmB,GAAA;AAAA,EACnB,aAAA,EAAe,GAAA;AAAA,EACf,mBAAA,EAAqB,GAAA;AAAA,EACrB,oBAAA,EAAsB,GAAA;AAAA,EACtB,qBAAA,EAAuB,GAAA;AAAA,EACvB,gBAAA,EAAkB,GAAA;AAAA,EAClB,qCAAA,EAAuC,GAAA;AAAA,EACvC,mCAAA,EAAqC,GAAA;AAAA,EACrC,qCAAA,EAAuC,GAAA;AAAA,EACvC,oCAAA,EAAsC,GAAA;AAAA,EACtC,sBAAA,EAAwB,GAAA;AAAA,EACxB,yBAAA,EAA2B,GAAA;AAAA,EAC3B,cAAA,EAAgB,GAAA;AAAA,EAChB,2BAAA,EAA6B,GAAA;AAAA,EAC7B,gBAAA,EAAkB,GAAA;AAAA,EAClB,sBAAA,EAAwB,GAAA;AAAA,EACxB,oBAAA,EAAsB,GAAA;AAAA,EACtB,mBAAA,EAAqB,GAAA;AAAA,EACrB,2BAAA,EAA6B,GAAA;AAAA,EAC7B,sBAAA,EAAwB,GAAA;AAAA,EACxB,iBAAA,EAAmB,GAAA;AAAA,EACnB,gBAAA,EAAkB,GAAA;AAAA,EAClB,oBAAA,EAAsB,GAAA;AAAA,EACtB,gBAAA,EAAkB,GAAA;AAAA,EAClB,yBAAA,EAA2B,GAAA;AAAA,EAC3B,gBAAA,EAAkB,GAAA;AAAA,EAClB,oBAAA,EAAsB,GAAA;AAAA,EACtB,sBAAA,EAAwB,GAAA;AAAA,EACxB,kBAAA,EAAoB,GAAA;AAAA,EACpB,kBAAA,EAAoB,GAAA;AAAA,EACpB,QAAA,EAAU,GAAA;AAAA,EACV,gBAAA,EAAkB,GAAA;AAAA,EAClB,aAAA,EAAe,GAAA;AAAA,EACf,mBAAA,EAAqB,GAAA;AAAA,EACrB,QAAA,EAAU,GAAA;AAAA,EACV,mBAAA,EAAqB,GAAA;AAAA,EACrB,gBAAA,EAAkB,GAAA;AAAA,EAClB,aAAA,EAAe,GAAA;AAAA,EACf,kBAAA,EAAoB,GAAA;AAAA,EACpB,eAAA,EAAiB,GAAA;AAAA,EACjB,oBAAA,EAAsB,GAAA;AAAA,EACtB,eAAA,EAAiB,GAAA;AAAA,EACjB,kBAAA,EAAoB,GAAA;AAAA,EACpB,gBAAA,EAAkB,GAAA;AAAA,EAClB,kBAAA,EAAoB,GAAA;AAAA,EACpB,qBAAA,EAAuB,GAAA;AAAA,EACvB,kBAAA,EAAoB,GAAA;AAAA,EACpB,iBAAA,EAAmB,GAAA;AAAA,EACnB,iBAAA,EAAmB,GAAA;AAAA,EACnB,kBAAA,EAAoB,GAAA;AAAA,EACpB,sBAAA,EAAwB,GAAA;AAAA,EACxB,mBAAA,EAAqB,GAAA;AAAA,EACrB,cAAA,EAAgB,GAAA;AAAA,EAChB,yBAAA,EAA2B,GAAA;AAAA,EAC3B,qBAAA,EAAuB,GAAA;AAAA,EACvB
,yBAAA,EAA2B,GAAA;AAAA,EAC3B,wBAAA,EAA0B,GAAA;AAAA,EAC1B,cAAA,EAAgB,GAAA;AAAA,EAChB,qBAAA,EAAuB,GAAA;AAAA,EACvB,8BAAA,EAAgC,GAAA;AAAA,EAChC,wBAAA,EAA0B,GAAA;AAAA,EAC1B,kBAAA,EAAoB,GAAA;AAAA,EACpB,wBAAA,EAA0B,GAAA;AAAA,EAC1B,0BAAA,EAA4B,GAAA;AAAA,EAC5B,yBAAA,EAA2B,GAAA;AAAA,EAC3B,uBAAA,EAAyB,GAAA;AAAA,EACzB,kBAAA,EAAoB,GAAA;AAAA,EACpB,iCAAA,EAAmC,GAAA;AAAA,EACnC,mCAAA,EAAqC,GAAA;AAAA,EACrC,mBAAA,EAAqB,GAAA;AAAA,EACrB,2BAAA,EAA6B,GAAA;AAAA,EAC7B,wBAAA,EAA0B,GAAA;AAAA,EAC1B,mBAAA,EAAqB,GAAA;AAAA,EACrB,4BAAA,EAA8B,GAAA;AAAA,EAC9B,4BAAA,EAA8B,GAAA;AAAA,EAC9B,eAAA,EAAiB,GAAA;AAAA,EACjB,oBAAA,EAAsB,GAAA;AAAA,EACtB,mBAAA,EAAqB,GAAA;AAAA,EACrB,0BAAA,EAA4B,GAAA;AAAA,EAC5B,YAAA,EAAc,GAAA;AAAA,EACd,eAAA,EAAiB,GAAA;AAAA,EACjB,kBAAA,EAAoB,GAAA;AAAA,EACpB,uBAAA,EAAyB,GAAA;AAAA,EACzB,kBAAA,EAAoB,GAAA;AAAA,EACpB,sBAAA,EAAwB,GAAA;AAAA,EACxB,cAAA,EAAgB,GAAA;AAAA,EAChB,kBAAA,EAAoB,GAAA;AAAA,EACpB,wBAAA,EAA0B,GAAA;AAAA,EAC1B,sBAAA,EAAwB,GAAA;AAAA,EACxB,mBAAA,EAAqB,GAAA;AAAA,EACrB,YAAA,EAAc,GAAA;AAAA,EACd,OAAA,EAAS,GAAA;AAAA,EACT,eAAA,EAAiB,GAAA;AAAA,EACjB,cAAA,EAAgB,GAAA;AAAA,EAChB,6BAAA,EAA+B,GAAA;AAAA,EAC/B,oBAAA,EAAsB,GAAA;AAAA,EACtB,8BAAA,EAAgC,GAAA;AAAA,EAChC,yBAAA,EAA2B,GAAA;AAAA,EAC3B,wBAAA,EAA0B,GAAA;AAAA,EAC1B,gBAAA,EAAkB,GAAA;AAAA,EAClB,uBAAA,EAAyB,GAAA;AAAA,EACzB,yBAAA,EAA2B,GAAA;AAAA,EAC3B,uBAAA,EAAyB,GAAA;AAAA,EACzB,SAAA,EAAW,GAAA;AAAA,EACX,0BAAA,EAA4B,GAAA;AAAA,EAC5B,eAAA,EAAiB,GAAA;AAAA,EACjB,UAAA,EAAY,GAAA;AAAA,EACZ,aAAA,EAAe,GAAA;AAAA,EACf,cAAA,EAAgB,GAAA;AAAA,EAChB,qBAAA,EAAuB,GAAA;AAAA,EACvB,QAAA,EAAU,GAAA;AAAA,EACV,OAAA,EAAS,GAAA;AAAA,EACT,cAAA,EAAgB,GAAA;AAAA,EAChB,qBAAA,EAAuB,GAAA;AAAA,EACvB,sBAAA,EAAwB,GAAA;AAAA,EACxB,gBAAA,EAAkB,GAAA;AAAA,EAClB,YAAA,EAAc,GAAA;AAAA,EACd,uBAAA,EAAyB,GAAA;AAAA,EACzB,WAAA,EAAa;AACf,CAAA;;;ACjRO,IAAM,mCAAA,GAAsC;AAE5C,IAAM,mCAAA,GAAsC;AAAA,EACjD,GAAA;AAAA,EACA;AACF;AAIO,IAAM,oCAAA,GAAuC;AAAA,EAClD,QAAA;AAAA,EACA,OAAA;AAAA,EACA,SAAA;AAAA,EACA,QAAA;AAAA,EACA;AACF;AAIO,IAAM,oCAAA,GAAuC;AAAA,EAClD,UAAA;AAAA,EACA,MAAA;AAAA,EACA;AACF;AAEO,I
AAM,mCAAA,GAAsC;AAAA,EACjD,mBAAA;AAAA,EACA,uBAAA;AAAA,EACA,YAAA;AAAA,EACA,gBAAA;AAAA,EACA,4BAAA;AAAA,EACA,eAAA;AAAA,EACA,eAAA;AAAA,EACA;AACF;AAIO,SAAS,+BACd,SAAA,EACiC;AACjC,EAAA,OAAO,gBAAgB,SAAyC,CAAA;AAClE;AAEO,SAAS,uCACd,SAAA,EAC2C;AAC3C,EAAA,MAAM,KAAA,GAAQ,+BAA+B,SAAS,CAAA;AACtD,EAAA,OACE,KAAA,KAAU,OACV,KAAA,KAAU,GAAA;AAEd","file":"component-boundary.contract.js","sourcesContent":["/* GENERATED by scripts/generate-contract-schema.ts. DO NOT EDIT. */\n\nexport type TableOwnershipLayer = \"L\" | \"C\" | \"K\" | \"D\" | \"A\";\n\nexport const TABLES_BY_LAYER = {\n \"L\": [\n \"agentRegistryEntries\",\n \"apiKeys\",\n \"auditLog\",\n \"compatibilityShims\",\n \"controlPlaneTenantModelSlotBindings\",\n \"controlPlaneTenantProviderSecrets\",\n \"controlPlaneTenantProxyGatewayUsage\",\n \"controlPlaneTenantProxyTokenLeases\",\n \"controlPlaneToolAcls\",\n \"cutoverFlags\",\n \"deploymentHosts\",\n \"groupMemberships\",\n \"groups\",\n \"memberships\",\n \"methodologyPacks\",\n \"oauthDeviceCodes\",\n \"packAssignments\",\n \"packDefinitions\",\n \"packEntitlements\",\n \"packGroupAssignments\",\n \"packInstallations\",\n \"packVersions\",\n \"permitSyncStates\",\n \"policyBundles\",\n \"policyDecisionLogs\",\n \"policySimulations\",\n \"principalIdentityAliases\",\n \"principals\",\n \"rateLimitWindows\",\n \"secretSyncDriftReports\",\n \"servicePrincipalKeys\",\n \"tenantDeploymentCredentials\",\n \"tenantMethodologyAssignments\",\n \"tenants\",\n \"toolCatalog\",\n \"toolRegistryEntries\",\n \"userSessions\",\n \"workspaces\"\n ],\n \"C\": [\n \"agents\",\n \"mcpWritePolicy\",\n \"modelCallLogs\",\n \"modelFunctionSlots\",\n \"modelRegistry\",\n \"modelSlotConfigs\",\n \"permitAccessReviewItems\",\n \"permitAccessReviews\",\n \"permitAttributeBindings\",\n \"permitGroupMemberships\",\n \"permitGroups\",\n \"permitPolicyBundles\",\n \"permitPolicyDecisionReceipts\",\n \"permitPrincipalAliases\",\n \"permitPrincipals\",\n \"permitProjectionOutbox\",\n 
\"permitRelationshipTuples\",\n \"permitResourceInstances\",\n \"permitRoleAssignments\",\n \"platformAudienceGrants\",\n \"platformAudiences\",\n \"platformPolicyDecisionLogs\",\n \"projectGrants\",\n \"reasoningPermissions\",\n \"tenantApiKeys\",\n \"tenantConfig\",\n \"tenantIntegrations\",\n \"tenantModelSlotBindings\",\n \"tenantPermitSyncStates\",\n \"tenantPolicies\",\n \"tenantProviderSecrets\",\n \"tenantProxyGatewayUsage\",\n \"tenantProxyTokenMints\",\n \"tenantSandboxAuditEvents\",\n \"tenantSecrets\",\n \"toolAcls\",\n \"toolRegistry\",\n \"users\"\n ],\n \"K\": [\n \"agentMessages\",\n \"agentSessions\",\n \"autofixJobs\",\n \"backgroundJobRuns\",\n \"backgroundJobSettings\",\n \"beliefConfidence\",\n \"beliefEvidenceLinks\",\n \"beliefHistory\",\n \"beliefScenarios\",\n \"beliefVotes\",\n \"calibrationScores\",\n \"contractEvaluations\",\n \"contradictions\",\n \"crossProjectConnections\",\n \"decisionComputedSummaries\",\n \"decisionEvents\",\n \"decisionParticipants\",\n \"decisionRiskLedger\",\n \"decisionSnapshots\",\n \"deliberationContributions\",\n \"deliberationSessions\",\n \"epistemicAudit\",\n \"epistemicContracts\",\n \"epistemicEdges\",\n \"epistemicNodeEmbeddings\",\n \"epistemicNodes\",\n \"graphAnalysisCache\",\n \"graphAnalysisResults\",\n \"graphSuggestions\",\n \"harnessReplays\",\n \"harnessRuns\",\n \"idempotencyTokens\",\n \"lenses\",\n \"lensTopicBindings\",\n \"neo4jSyncQueue\",\n \"ontologyDefinitions\",\n \"ontologyVersions\",\n \"platformAgentRunPolicyDecisions\",\n \"platformAgentRunPromptResolutions\",\n \"platformAgentRuns\",\n \"platformAgentRunToolCalls\",\n \"platformHarnessShadowAudit\",\n \"publicationRules\",\n \"questionEvidenceLinks\",\n \"researchJobs\",\n \"schemaEnumConfig\",\n \"stakeholderGroups\",\n \"systemLogs\",\n \"tasks\",\n \"topics\",\n \"workflowDefinitions\",\n \"workflowPullRequests\",\n \"workflowStages\",\n \"worktreeBeliefCluster\",\n \"worktrees\"\n ],\n \"D\": [],\n \"A\": []\n} as 
const;\n\nexport const TABLE_OWNERSHIP = {\n \"agentMessages\": \"K\",\n \"agentRegistryEntries\": \"L\",\n \"agents\": \"C\",\n \"agentSessions\": \"K\",\n \"apiKeys\": \"L\",\n \"auditLog\": \"L\",\n \"autofixJobs\": \"K\",\n \"backgroundJobRuns\": \"K\",\n \"backgroundJobSettings\": \"K\",\n \"beliefConfidence\": \"K\",\n \"beliefEvidenceLinks\": \"K\",\n \"beliefHistory\": \"K\",\n \"beliefScenarios\": \"K\",\n \"beliefVotes\": \"K\",\n \"calibrationScores\": \"K\",\n \"compatibilityShims\": \"L\",\n \"contractEvaluations\": \"K\",\n \"contradictions\": \"K\",\n \"controlPlaneTenantModelSlotBindings\": \"L\",\n \"controlPlaneTenantProviderSecrets\": \"L\",\n \"controlPlaneTenantProxyGatewayUsage\": \"L\",\n \"controlPlaneTenantProxyTokenLeases\": \"L\",\n \"controlPlaneToolAcls\": \"L\",\n \"crossProjectConnections\": \"K\",\n \"cutoverFlags\": \"L\",\n \"decisionComputedSummaries\": \"K\",\n \"decisionEvents\": \"K\",\n \"decisionParticipants\": \"K\",\n \"decisionRiskLedger\": \"K\",\n \"decisionSnapshots\": \"K\",\n \"deliberationContributions\": \"K\",\n \"deliberationSessions\": \"K\",\n \"deploymentHosts\": \"L\",\n \"epistemicAudit\": \"K\",\n \"epistemicContracts\": \"K\",\n \"epistemicEdges\": \"K\",\n \"epistemicNodeEmbeddings\": \"K\",\n \"epistemicNodes\": \"K\",\n \"graphAnalysisCache\": \"K\",\n \"graphAnalysisResults\": \"K\",\n \"graphSuggestions\": \"K\",\n \"groupMemberships\": \"L\",\n \"groups\": \"L\",\n \"harnessReplays\": \"K\",\n \"harnessRuns\": \"K\",\n \"idempotencyTokens\": \"K\",\n \"lenses\": \"K\",\n \"lensTopicBindings\": \"K\",\n \"mcpWritePolicy\": \"C\",\n \"memberships\": \"L\",\n \"methodologyPacks\": \"L\",\n \"modelCallLogs\": \"C\",\n \"modelFunctionSlots\": \"C\",\n \"modelRegistry\": \"C\",\n \"modelSlotConfigs\": \"C\",\n \"neo4jSyncQueue\": \"K\",\n \"oauthDeviceCodes\": \"L\",\n \"ontologyDefinitions\": \"K\",\n \"ontologyVersions\": \"K\",\n \"packAssignments\": \"L\",\n \"packDefinitions\": \"L\",\n 
\"packEntitlements\": \"L\",\n \"packGroupAssignments\": \"L\",\n \"packInstallations\": \"L\",\n \"packVersions\": \"L\",\n \"permitAccessReviewItems\": \"C\",\n \"permitAccessReviews\": \"C\",\n \"permitAttributeBindings\": \"C\",\n \"permitGroupMemberships\": \"C\",\n \"permitGroups\": \"C\",\n \"permitPolicyBundles\": \"C\",\n \"permitPolicyDecisionReceipts\": \"C\",\n \"permitPrincipalAliases\": \"C\",\n \"permitPrincipals\": \"C\",\n \"permitProjectionOutbox\": \"C\",\n \"permitRelationshipTuples\": \"C\",\n \"permitResourceInstances\": \"C\",\n \"permitRoleAssignments\": \"C\",\n \"permitSyncStates\": \"L\",\n \"platformAgentRunPolicyDecisions\": \"K\",\n \"platformAgentRunPromptResolutions\": \"K\",\n \"platformAgentRuns\": \"K\",\n \"platformAgentRunToolCalls\": \"K\",\n \"platformAudienceGrants\": \"C\",\n \"platformAudiences\": \"C\",\n \"platformHarnessShadowAudit\": \"K\",\n \"platformPolicyDecisionLogs\": \"C\",\n \"policyBundles\": \"L\",\n \"policyDecisionLogs\": \"L\",\n \"policySimulations\": \"L\",\n \"principalIdentityAliases\": \"L\",\n \"principals\": \"L\",\n \"projectGrants\": \"C\",\n \"publicationRules\": \"K\",\n \"questionEvidenceLinks\": \"K\",\n \"rateLimitWindows\": \"L\",\n \"reasoningPermissions\": \"C\",\n \"researchJobs\": \"K\",\n \"schemaEnumConfig\": \"K\",\n \"secretSyncDriftReports\": \"L\",\n \"servicePrincipalKeys\": \"L\",\n \"stakeholderGroups\": \"K\",\n \"systemLogs\": \"K\",\n \"tasks\": \"K\",\n \"tenantApiKeys\": \"C\",\n \"tenantConfig\": \"C\",\n \"tenantDeploymentCredentials\": \"L\",\n \"tenantIntegrations\": \"C\",\n \"tenantMethodologyAssignments\": \"L\",\n \"tenantModelSlotBindings\": \"C\",\n \"tenantPermitSyncStates\": \"C\",\n \"tenantPolicies\": \"C\",\n \"tenantProviderSecrets\": \"C\",\n \"tenantProxyGatewayUsage\": \"C\",\n \"tenantProxyTokenMints\": \"C\",\n \"tenants\": \"L\",\n \"tenantSandboxAuditEvents\": \"C\",\n \"tenantSecrets\": \"C\",\n \"toolAcls\": \"C\",\n \"toolCatalog\": \"L\",\n 
\"toolRegistry\": \"C\",\n \"toolRegistryEntries\": \"L\",\n \"topics\": \"K\",\n \"users\": \"C\",\n \"userSessions\": \"L\",\n \"workflowDefinitions\": \"K\",\n \"workflowPullRequests\": \"K\",\n \"workflowStages\": \"K\",\n \"workspaces\": \"L\",\n \"worktreeBeliefCluster\": \"K\",\n \"worktrees\": \"K\",\n} as const satisfies Readonly<Record<string, TableOwnershipLayer>>;\n\nexport type GeneratedTableName = keyof typeof TABLE_OWNERSHIP;\n\nexport function classifyTableOwnership(\n tableName: string\n): TableOwnershipLayer | null {\n return TABLE_OWNERSHIP[tableName as GeneratedTableName] ?? null;\n}\n\nexport function listTablesByOwnership(\n layer: TableOwnershipLayer\n): readonly string[] {\n return TABLES_BY_LAYER[layer];\n}\n\nexport function summarizeTableOwnership(\n tableNames: readonly string[]\n): Record<TableOwnershipLayer, number> {\n const summary: Record<TableOwnershipLayer, number> = {\n L: 0,\n C: 0,\n K: 0,\n D: 0,\n A: 0,\n };\n for (const name of tableNames) {\n const layer = classifyTableOwnership(name);\n if (layer) {\n summary[layer] += 1;\n }\n }\n return summary;\n}\n\nexport function assertTableOwnershipCoverage(tableNames: readonly string[]): void {\n const missing = tableNames.filter((name) => !classifyTableOwnership(name));\n const tableNameSet = new Set(tableNames);\n const extras = Object.keys(TABLE_OWNERSHIP).filter(\n (name) => !tableNameSet.has(name)\n );\n if (missing.length > 0 || extras.length > 0) {\n const lines: string[] = [];\n if (missing.length > 0) {\n lines.push(`Missing ownership classification: ${missing.join(\", \")}`);\n }\n if (extras.length > 0) {\n lines.push(`Ownership map contains unknown tables: ${extras.join(\", \")}`);\n }\n throw new Error(lines.join(\"\\n\"));\n }\n}\n","import {\n TABLE_OWNERSHIP,\n type TableOwnershipLayer,\n} from \"./generated/tableOwnership.js\";\n\nexport const COMPONENT_BOUNDARY_CONTRACT_VERSION = \"2026-04-27\" as const;\n\nexport const COMPONENT_BOUNDARY_COMPONENT_LAYERS = [\n 
\"C\",\n \"K\",\n] as const satisfies readonly TableOwnershipLayer[];\nexport type ComponentBoundaryComponentLayer =\n (typeof COMPONENT_BOUNDARY_COMPONENT_LAYERS)[number];\n\nexport const COMPONENT_BOUNDARY_DIRECT_DB_METHODS = [\n \"insert\",\n \"patch\",\n \"replace\",\n \"delete\",\n \"query\",\n] as const;\nexport type ComponentBoundaryDirectDbMethod =\n (typeof COMPONENT_BOUNDARY_DIRECT_DB_METHODS)[number];\n\nexport const COMPONENT_BOUNDARY_HOST_SOURCE_ROOTS = [\n \"services\",\n \"apps\",\n \"convex\",\n] as const;\n\nexport const COMPONENT_BOUNDARY_HIGH_RISK_TABLES = [\n \"backgroundJobRuns\",\n \"backgroundJobSettings\",\n \"systemLogs\",\n \"epistemicAudit\",\n \"platformPolicyDecisionLogs\",\n \"tenantApiKeys\",\n \"projectGrants\",\n \"userSessions\",\n] as const;\nexport type ComponentBoundaryHighRiskTable =\n (typeof COMPONENT_BOUNDARY_HIGH_RISK_TABLES)[number];\n\nexport function getComponentBoundaryTableLayer(\n tableName: string\n): TableOwnershipLayer | undefined {\n return TABLE_OWNERSHIP[tableName as keyof typeof TABLE_OWNERSHIP];\n}\n\nexport function isComponentBoundaryComponentOwnedTable(\n tableName: string\n): tableName is keyof typeof TABLE_OWNERSHIP {\n const layer = getComponentBoundaryTableLayer(tableName);\n return (\n layer === \"C\" ||\n layer === \"K\"\n );\n}\n"]}
|
|
1
|
+
{"version":3,"sources":["../src/generated/tableOwnership.ts","../src/component-boundary.contract.ts"],"names":[],"mappings":";AAmJO,IAAM,eAAA,GAAkB;AAAA,EAC7B,eAAA,EAAiB,GAAA;AAAA,EACjB,sBAAA,EAAwB,GAAA;AAAA,EACxB,QAAA,EAAU,GAAA;AAAA,EACV,eAAA,EAAiB,GAAA;AAAA,EACjB,SAAA,EAAW,GAAA;AAAA,EACX,UAAA,EAAY,GAAA;AAAA,EACZ,aAAA,EAAe,GAAA;AAAA,EACf,mBAAA,EAAqB,GAAA;AAAA,EACrB,uBAAA,EAAyB,GAAA;AAAA,EACzB,kBAAA,EAAoB,GAAA;AAAA,EACpB,qBAAA,EAAuB,GAAA;AAAA,EACvB,eAAA,EAAiB,GAAA;AAAA,EACjB,iBAAA,EAAmB,GAAA;AAAA,EACnB,aAAA,EAAe,GAAA;AAAA,EACf,mBAAA,EAAqB,GAAA;AAAA,EACrB,oBAAA,EAAsB,GAAA;AAAA,EACtB,qBAAA,EAAuB,GAAA;AAAA,EACvB,gBAAA,EAAkB,GAAA;AAAA,EAClB,qCAAA,EAAuC,GAAA;AAAA,EACvC,mCAAA,EAAqC,GAAA;AAAA,EACrC,qCAAA,EAAuC,GAAA;AAAA,EACvC,oCAAA,EAAsC,GAAA;AAAA,EACtC,sBAAA,EAAwB,GAAA;AAAA,EACxB,yBAAA,EAA2B,GAAA;AAAA,EAC3B,cAAA,EAAgB,GAAA;AAAA,EAChB,2BAAA,EAA6B,GAAA;AAAA,EAC7B,gBAAA,EAAkB,GAAA;AAAA,EAClB,sBAAA,EAAwB,GAAA;AAAA,EACxB,oBAAA,EAAsB,GAAA;AAAA,EACtB,mBAAA,EAAqB,GAAA;AAAA,EACrB,2BAAA,EAA6B,GAAA;AAAA,EAC7B,sBAAA,EAAwB,GAAA;AAAA,EACxB,iBAAA,EAAmB,GAAA;AAAA,EACnB,cAAA,EAAgB,GAAA;AAAA,EAChB,gBAAA,EAAkB,GAAA;AAAA,EAClB,oBAAA,EAAsB,GAAA;AAAA,EACtB,gBAAA,EAAkB,GAAA;AAAA,EAClB,yBAAA,EAA2B,GAAA;AAAA,EAC3B,gBAAA,EAAkB,GAAA;AAAA,EAClB,oBAAA,EAAsB,GAAA;AAAA,EACtB,sBAAA,EAAwB,GAAA;AAAA,EACxB,kBAAA,EAAoB,GAAA;AAAA,EACpB,kBAAA,EAAoB,GAAA;AAAA,EACpB,QAAA,EAAU,GAAA;AAAA,EACV,gBAAA,EAAkB,GAAA;AAAA,EAClB,aAAA,EAAe,GAAA;AAAA,EACf,mBAAA,EAAqB,GAAA;AAAA,EACrB,QAAA,EAAU,GAAA;AAAA,EACV,mBAAA,EAAqB,GAAA;AAAA,EACrB,gBAAA,EAAkB,GAAA;AAAA,EAClB,aAAA,EAAe,GAAA;AAAA,EACf,kBAAA,EAAoB,GAAA;AAAA,EACpB,eAAA,EAAiB,GAAA;AAAA,EACjB,oBAAA,EAAsB,GAAA;AAAA,EACtB,eAAA,EAAiB,GAAA;AAAA,EACjB,kBAAA,EAAoB,GAAA;AAAA,EACpB,gBAAA,EAAkB,GAAA;AAAA,EAClB,kBAAA,EAAoB,GAAA;AAAA,EACpB,qBAAA,EAAuB,GAAA;AAAA,EACvB,kBAAA,EAAoB,GAAA;AAAA,EACpB,iBAAA,EAAmB,GAAA;AAAA,EACnB,iBAAA,EAAmB,GAAA;AAAA,EACnB,kBAAA,EAAoB,GAAA;AAAA,EACpB,sBAAA,EAAwB,GAAA;AAAA,EACxB,mBAAA,EAAqB,GAAA;AAAA,EACrB,cAAA,EAAgB,GAAA;AAAA,EAChB,yBAAA,EAA2B,GAAA;AAAA,EAC3B,
qBAAA,EAAuB,GAAA;AAAA,EACvB,yBAAA,EAA2B,GAAA;AAAA,EAC3B,wBAAA,EAA0B,GAAA;AAAA,EAC1B,cAAA,EAAgB,GAAA;AAAA,EAChB,qBAAA,EAAuB,GAAA;AAAA,EACvB,8BAAA,EAAgC,GAAA;AAAA,EAChC,wBAAA,EAA0B,GAAA;AAAA,EAC1B,kBAAA,EAAoB,GAAA;AAAA,EACpB,wBAAA,EAA0B,GAAA;AAAA,EAC1B,0BAAA,EAA4B,GAAA;AAAA,EAC5B,yBAAA,EAA2B,GAAA;AAAA,EAC3B,uBAAA,EAAyB,GAAA;AAAA,EACzB,kBAAA,EAAoB,GAAA;AAAA,EACpB,iCAAA,EAAmC,GAAA;AAAA,EACnC,mCAAA,EAAqC,GAAA;AAAA,EACrC,mBAAA,EAAqB,GAAA;AAAA,EACrB,2BAAA,EAA6B,GAAA;AAAA,EAC7B,wBAAA,EAA0B,GAAA;AAAA,EAC1B,mBAAA,EAAqB,GAAA;AAAA,EACrB,4BAAA,EAA8B,GAAA;AAAA,EAC9B,4BAAA,EAA8B,GAAA;AAAA,EAC9B,eAAA,EAAiB,GAAA;AAAA,EACjB,oBAAA,EAAsB,GAAA;AAAA,EACtB,mBAAA,EAAqB,GAAA;AAAA,EACrB,0BAAA,EAA4B,GAAA;AAAA,EAC5B,YAAA,EAAc,GAAA;AAAA,EACd,eAAA,EAAiB,GAAA;AAAA,EACjB,kBAAA,EAAoB,GAAA;AAAA,EACpB,uBAAA,EAAyB,GAAA;AAAA,EACzB,kBAAA,EAAoB,GAAA;AAAA,EACpB,sBAAA,EAAwB,GAAA;AAAA,EACxB,cAAA,EAAgB,GAAA;AAAA,EAChB,kBAAA,EAAoB,GAAA;AAAA,EACpB,wBAAA,EAA0B,GAAA;AAAA,EAC1B,sBAAA,EAAwB,GAAA;AAAA,EACxB,mBAAA,EAAqB,GAAA;AAAA,EACrB,YAAA,EAAc,GAAA;AAAA,EACd,OAAA,EAAS,GAAA;AAAA,EACT,eAAA,EAAiB,GAAA;AAAA,EACjB,cAAA,EAAgB,GAAA;AAAA,EAChB,6BAAA,EAA+B,GAAA;AAAA,EAC/B,oBAAA,EAAsB,GAAA;AAAA,EACtB,8BAAA,EAAgC,GAAA;AAAA,EAChC,yBAAA,EAA2B,GAAA;AAAA,EAC3B,wBAAA,EAA0B,GAAA;AAAA,EAC1B,gBAAA,EAAkB,GAAA;AAAA,EAClB,uBAAA,EAAyB,GAAA;AAAA,EACzB,yBAAA,EAA2B,GAAA;AAAA,EAC3B,uBAAA,EAAyB,GAAA;AAAA,EACzB,SAAA,EAAW,GAAA;AAAA,EACX,0BAAA,EAA4B,GAAA;AAAA,EAC5B,eAAA,EAAiB,GAAA;AAAA,EACjB,UAAA,EAAY,GAAA;AAAA,EACZ,aAAA,EAAe,GAAA;AAAA,EACf,cAAA,EAAgB,GAAA;AAAA,EAChB,qBAAA,EAAuB,GAAA;AAAA,EACvB,QAAA,EAAU,GAAA;AAAA,EACV,OAAA,EAAS,GAAA;AAAA,EACT,cAAA,EAAgB,GAAA;AAAA,EAChB,qBAAA,EAAuB,GAAA;AAAA,EACvB,sBAAA,EAAwB,GAAA;AAAA,EACxB,gBAAA,EAAkB,GAAA;AAAA,EAClB,YAAA,EAAc,GAAA;AAAA,EACd,uBAAA,EAAyB,GAAA;AAAA,EACzB,WAAA,EAAa;AACf,CAAA;;;ACnRO,IAAM,mCAAA,GAAsC;AAE5C,IAAM,mCAAA,GAAsC;AAAA,EACjD,GAAA;AAAA,EACA;AACF;AAIO,IAAM,oCAAA,GAAuC;AAAA,EAClD,QAAA;AAAA,EACA,OAAA;AAAA,EACA,SAAA;AAAA,EACA,QAAA;AAAA,EACA;AACF;AAIO,IAAM,oCAAA,GAAuC;AAAA,EAClD,UAAA;AAAA,EACA
,MAAA;AAAA,EACA;AACF;AAEO,IAAM,mCAAA,GAAsC;AAAA,EACjD,mBAAA;AAAA,EACA,uBAAA;AAAA,EACA,YAAA;AAAA,EACA,gBAAA;AAAA,EACA,4BAAA;AAAA,EACA,eAAA;AAAA,EACA,eAAA;AAAA,EACA;AACF;AAIO,SAAS,+BACd,SAAA,EACiC;AACjC,EAAA,OAAO,gBAAgB,SAAyC,CAAA;AAClE;AAEO,SAAS,uCACd,SAAA,EAC2C;AAC3C,EAAA,MAAM,KAAA,GAAQ,+BAA+B,SAAS,CAAA;AACtD,EAAA,OACE,KAAA,KAAU,OACV,KAAA,KAAU,GAAA;AAEd","file":"component-boundary.contract.js","sourcesContent":["/* GENERATED by scripts/generate-contract-schema.ts. DO NOT EDIT. */\n\nexport type TableOwnershipLayer = \"L\" | \"C\" | \"K\" | \"D\" | \"A\";\n\nexport const TABLES_BY_LAYER = {\n \"L\": [\n \"agentRegistryEntries\",\n \"apiKeys\",\n \"auditLog\",\n \"compatibilityShims\",\n \"controlPlaneTenantModelSlotBindings\",\n \"controlPlaneTenantProviderSecrets\",\n \"controlPlaneTenantProxyGatewayUsage\",\n \"controlPlaneTenantProxyTokenLeases\",\n \"controlPlaneToolAcls\",\n \"cutoverFlags\",\n \"deploymentHosts\",\n \"groupMemberships\",\n \"groups\",\n \"memberships\",\n \"methodologyPacks\",\n \"oauthDeviceCodes\",\n \"packAssignments\",\n \"packDefinitions\",\n \"packEntitlements\",\n \"packGroupAssignments\",\n \"packInstallations\",\n \"packVersions\",\n \"permitSyncStates\",\n \"policyBundles\",\n \"policyDecisionLogs\",\n \"policySimulations\",\n \"principalIdentityAliases\",\n \"principals\",\n \"rateLimitWindows\",\n \"secretSyncDriftReports\",\n \"servicePrincipalKeys\",\n \"tenantDeploymentCredentials\",\n \"tenantMethodologyAssignments\",\n \"tenants\",\n \"toolCatalog\",\n \"toolRegistryEntries\",\n \"userSessions\",\n \"workspaces\"\n ],\n \"C\": [\n \"agents\",\n \"mcpWritePolicy\",\n \"modelCallLogs\",\n \"modelFunctionSlots\",\n \"modelRegistry\",\n \"modelSlotConfigs\",\n \"permitAccessReviewItems\",\n \"permitAccessReviews\",\n \"permitAttributeBindings\",\n \"permitGroupMemberships\",\n \"permitGroups\",\n \"permitPolicyBundles\",\n \"permitPolicyDecisionReceipts\",\n \"permitPrincipalAliases\",\n \"permitPrincipals\",\n 
\"permitProjectionOutbox\",\n \"permitRelationshipTuples\",\n \"permitResourceInstances\",\n \"permitRoleAssignments\",\n \"platformAudienceGrants\",\n \"platformAudiences\",\n \"platformPolicyDecisionLogs\",\n \"projectGrants\",\n \"reasoningPermissions\",\n \"tenantApiKeys\",\n \"tenantConfig\",\n \"tenantIntegrations\",\n \"tenantModelSlotBindings\",\n \"tenantPermitSyncStates\",\n \"tenantPolicies\",\n \"tenantProviderSecrets\",\n \"tenantProxyGatewayUsage\",\n \"tenantProxyTokenMints\",\n \"tenantSandboxAuditEvents\",\n \"tenantSecrets\",\n \"toolAcls\",\n \"toolRegistry\",\n \"users\"\n ],\n \"K\": [\n \"agentMessages\",\n \"agentSessions\",\n \"autofixJobs\",\n \"backgroundJobRuns\",\n \"backgroundJobSettings\",\n \"beliefConfidence\",\n \"beliefEvidenceLinks\",\n \"beliefHistory\",\n \"beliefScenarios\",\n \"beliefVotes\",\n \"calibrationScores\",\n \"contractEvaluations\",\n \"contradictions\",\n \"crossProjectConnections\",\n \"decisionComputedSummaries\",\n \"decisionEvents\",\n \"decisionParticipants\",\n \"decisionRiskLedger\",\n \"decisionSnapshots\",\n \"deliberationContributions\",\n \"deliberationSessions\",\n \"domainEvents\",\n \"epistemicAudit\",\n \"epistemicContracts\",\n \"epistemicEdges\",\n \"epistemicNodeEmbeddings\",\n \"epistemicNodes\",\n \"graphAnalysisCache\",\n \"graphAnalysisResults\",\n \"graphSuggestions\",\n \"harnessReplays\",\n \"harnessRuns\",\n \"idempotencyTokens\",\n \"lenses\",\n \"lensTopicBindings\",\n \"neo4jSyncQueue\",\n \"ontologyDefinitions\",\n \"ontologyVersions\",\n \"platformAgentRunPolicyDecisions\",\n \"platformAgentRunPromptResolutions\",\n \"platformAgentRuns\",\n \"platformAgentRunToolCalls\",\n \"platformHarnessShadowAudit\",\n \"publicationRules\",\n \"questionEvidenceLinks\",\n \"researchJobs\",\n \"schemaEnumConfig\",\n \"stakeholderGroups\",\n \"systemLogs\",\n \"tasks\",\n \"topics\",\n \"workflowDefinitions\",\n \"workflowPullRequests\",\n \"workflowStages\",\n \"worktreeBeliefCluster\",\n 
\"worktrees\"\n ],\n \"D\": [],\n \"A\": []\n} as const;\n\nexport const TABLE_OWNERSHIP = {\n \"agentMessages\": \"K\",\n \"agentRegistryEntries\": \"L\",\n \"agents\": \"C\",\n \"agentSessions\": \"K\",\n \"apiKeys\": \"L\",\n \"auditLog\": \"L\",\n \"autofixJobs\": \"K\",\n \"backgroundJobRuns\": \"K\",\n \"backgroundJobSettings\": \"K\",\n \"beliefConfidence\": \"K\",\n \"beliefEvidenceLinks\": \"K\",\n \"beliefHistory\": \"K\",\n \"beliefScenarios\": \"K\",\n \"beliefVotes\": \"K\",\n \"calibrationScores\": \"K\",\n \"compatibilityShims\": \"L\",\n \"contractEvaluations\": \"K\",\n \"contradictions\": \"K\",\n \"controlPlaneTenantModelSlotBindings\": \"L\",\n \"controlPlaneTenantProviderSecrets\": \"L\",\n \"controlPlaneTenantProxyGatewayUsage\": \"L\",\n \"controlPlaneTenantProxyTokenLeases\": \"L\",\n \"controlPlaneToolAcls\": \"L\",\n \"crossProjectConnections\": \"K\",\n \"cutoverFlags\": \"L\",\n \"decisionComputedSummaries\": \"K\",\n \"decisionEvents\": \"K\",\n \"decisionParticipants\": \"K\",\n \"decisionRiskLedger\": \"K\",\n \"decisionSnapshots\": \"K\",\n \"deliberationContributions\": \"K\",\n \"deliberationSessions\": \"K\",\n \"deploymentHosts\": \"L\",\n \"domainEvents\": \"K\",\n \"epistemicAudit\": \"K\",\n \"epistemicContracts\": \"K\",\n \"epistemicEdges\": \"K\",\n \"epistemicNodeEmbeddings\": \"K\",\n \"epistemicNodes\": \"K\",\n \"graphAnalysisCache\": \"K\",\n \"graphAnalysisResults\": \"K\",\n \"graphSuggestions\": \"K\",\n \"groupMemberships\": \"L\",\n \"groups\": \"L\",\n \"harnessReplays\": \"K\",\n \"harnessRuns\": \"K\",\n \"idempotencyTokens\": \"K\",\n \"lenses\": \"K\",\n \"lensTopicBindings\": \"K\",\n \"mcpWritePolicy\": \"C\",\n \"memberships\": \"L\",\n \"methodologyPacks\": \"L\",\n \"modelCallLogs\": \"C\",\n \"modelFunctionSlots\": \"C\",\n \"modelRegistry\": \"C\",\n \"modelSlotConfigs\": \"C\",\n \"neo4jSyncQueue\": \"K\",\n \"oauthDeviceCodes\": \"L\",\n \"ontologyDefinitions\": \"K\",\n \"ontologyVersions\": 
\"K\",\n \"packAssignments\": \"L\",\n \"packDefinitions\": \"L\",\n \"packEntitlements\": \"L\",\n \"packGroupAssignments\": \"L\",\n \"packInstallations\": \"L\",\n \"packVersions\": \"L\",\n \"permitAccessReviewItems\": \"C\",\n \"permitAccessReviews\": \"C\",\n \"permitAttributeBindings\": \"C\",\n \"permitGroupMemberships\": \"C\",\n \"permitGroups\": \"C\",\n \"permitPolicyBundles\": \"C\",\n \"permitPolicyDecisionReceipts\": \"C\",\n \"permitPrincipalAliases\": \"C\",\n \"permitPrincipals\": \"C\",\n \"permitProjectionOutbox\": \"C\",\n \"permitRelationshipTuples\": \"C\",\n \"permitResourceInstances\": \"C\",\n \"permitRoleAssignments\": \"C\",\n \"permitSyncStates\": \"L\",\n \"platformAgentRunPolicyDecisions\": \"K\",\n \"platformAgentRunPromptResolutions\": \"K\",\n \"platformAgentRuns\": \"K\",\n \"platformAgentRunToolCalls\": \"K\",\n \"platformAudienceGrants\": \"C\",\n \"platformAudiences\": \"C\",\n \"platformHarnessShadowAudit\": \"K\",\n \"platformPolicyDecisionLogs\": \"C\",\n \"policyBundles\": \"L\",\n \"policyDecisionLogs\": \"L\",\n \"policySimulations\": \"L\",\n \"principalIdentityAliases\": \"L\",\n \"principals\": \"L\",\n \"projectGrants\": \"C\",\n \"publicationRules\": \"K\",\n \"questionEvidenceLinks\": \"K\",\n \"rateLimitWindows\": \"L\",\n \"reasoningPermissions\": \"C\",\n \"researchJobs\": \"K\",\n \"schemaEnumConfig\": \"K\",\n \"secretSyncDriftReports\": \"L\",\n \"servicePrincipalKeys\": \"L\",\n \"stakeholderGroups\": \"K\",\n \"systemLogs\": \"K\",\n \"tasks\": \"K\",\n \"tenantApiKeys\": \"C\",\n \"tenantConfig\": \"C\",\n \"tenantDeploymentCredentials\": \"L\",\n \"tenantIntegrations\": \"C\",\n \"tenantMethodologyAssignments\": \"L\",\n \"tenantModelSlotBindings\": \"C\",\n \"tenantPermitSyncStates\": \"C\",\n \"tenantPolicies\": \"C\",\n \"tenantProviderSecrets\": \"C\",\n \"tenantProxyGatewayUsage\": \"C\",\n \"tenantProxyTokenMints\": \"C\",\n \"tenants\": \"L\",\n \"tenantSandboxAuditEvents\": \"C\",\n 
\"tenantSecrets\": \"C\",\n \"toolAcls\": \"C\",\n \"toolCatalog\": \"L\",\n \"toolRegistry\": \"C\",\n \"toolRegistryEntries\": \"L\",\n \"topics\": \"K\",\n \"users\": \"C\",\n \"userSessions\": \"L\",\n \"workflowDefinitions\": \"K\",\n \"workflowPullRequests\": \"K\",\n \"workflowStages\": \"K\",\n \"workspaces\": \"L\",\n \"worktreeBeliefCluster\": \"K\",\n \"worktrees\": \"K\",\n} as const satisfies Readonly<Record<string, TableOwnershipLayer>>;\n\nexport type GeneratedTableName = keyof typeof TABLE_OWNERSHIP;\n\nexport function classifyTableOwnership(\n tableName: string\n): TableOwnershipLayer | null {\n return TABLE_OWNERSHIP[tableName as GeneratedTableName] ?? null;\n}\n\nexport function listTablesByOwnership(\n layer: TableOwnershipLayer\n): readonly string[] {\n return TABLES_BY_LAYER[layer];\n}\n\nexport function summarizeTableOwnership(\n tableNames: readonly string[]\n): Record<TableOwnershipLayer, number> {\n const summary: Record<TableOwnershipLayer, number> = {\n L: 0,\n C: 0,\n K: 0,\n D: 0,\n A: 0,\n };\n for (const name of tableNames) {\n const layer = classifyTableOwnership(name);\n if (layer) {\n summary[layer] += 1;\n }\n }\n return summary;\n}\n\nexport function assertTableOwnershipCoverage(tableNames: readonly string[]): void {\n const missing = tableNames.filter((name) => !classifyTableOwnership(name));\n const tableNameSet = new Set(tableNames);\n const extras = Object.keys(TABLE_OWNERSHIP).filter(\n (name) => !tableNameSet.has(name)\n );\n if (missing.length > 0 || extras.length > 0) {\n const lines: string[] = [];\n if (missing.length > 0) {\n lines.push(`Missing ownership classification: ${missing.join(\", \")}`);\n }\n if (extras.length > 0) {\n lines.push(`Ownership map contains unknown tables: ${extras.join(\", \")}`);\n }\n throw new Error(lines.join(\"\\n\"));\n }\n}\n","import {\n TABLE_OWNERSHIP,\n type TableOwnershipLayer,\n} from \"./generated/tableOwnership.js\";\n\nexport const COMPONENT_BOUNDARY_CONTRACT_VERSION = 
\"2026-04-27\" as const;\n\nexport const COMPONENT_BOUNDARY_COMPONENT_LAYERS = [\n \"C\",\n \"K\",\n] as const satisfies readonly TableOwnershipLayer[];\nexport type ComponentBoundaryComponentLayer =\n (typeof COMPONENT_BOUNDARY_COMPONENT_LAYERS)[number];\n\nexport const COMPONENT_BOUNDARY_DIRECT_DB_METHODS = [\n \"insert\",\n \"patch\",\n \"replace\",\n \"delete\",\n \"query\",\n] as const;\nexport type ComponentBoundaryDirectDbMethod =\n (typeof COMPONENT_BOUNDARY_DIRECT_DB_METHODS)[number];\n\nexport const COMPONENT_BOUNDARY_HOST_SOURCE_ROOTS = [\n \"services\",\n \"apps\",\n \"convex\",\n] as const;\n\nexport const COMPONENT_BOUNDARY_HIGH_RISK_TABLES = [\n \"backgroundJobRuns\",\n \"backgroundJobSettings\",\n \"systemLogs\",\n \"epistemicAudit\",\n \"platformPolicyDecisionLogs\",\n \"tenantApiKeys\",\n \"projectGrants\",\n \"userSessions\",\n] as const;\nexport type ComponentBoundaryHighRiskTable =\n (typeof COMPONENT_BOUNDARY_HIGH_RISK_TABLES)[number];\n\nexport function getComponentBoundaryTableLayer(\n tableName: string\n): TableOwnershipLayer | undefined {\n return TABLE_OWNERSHIP[tableName as keyof typeof TABLE_OWNERSHIP];\n}\n\nexport function isComponentBoundaryComponentOwnedTable(\n tableName: string\n): tableName is keyof typeof TABLE_OWNERSHIP {\n const layer = getComponentBoundaryTableLayer(tableName);\n return (\n layer === \"C\" ||\n layer === \"K\"\n );\n}\n"]}
|
|
@@ -115,7 +115,7 @@ declare const beliefsContracts: readonly [{
|
|
|
115
115
|
};
|
|
116
116
|
auth: {
|
|
117
117
|
scopes: string[];
|
|
118
|
-
allowedPrincipalTypes: ("user" | "service" | "agent")[];
|
|
118
|
+
allowedPrincipalTypes: ("user" | "service" | "agent" | "group" | "external_viewer")[];
|
|
119
119
|
};
|
|
120
120
|
convex: FunctionConvexTarget | undefined;
|
|
121
121
|
gateway: FunctionGatewayTarget | undefined;
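Review bot: The widened `allowedPrincipalTypes` element type now admits `"group"` and `"external_viewer"` on this entry's `auth`, and the identical widening repeats in every other `beliefsContracts` hunk of this file, so the declaration no longer tells a consumer which functions are meant to be reachable by external viewers. The field is a mutable widened array rather than a per-entry literal tuple, so the real allow-list lives only in runtime data this diff does not show; I would declare it as `allowedPrincipalTypes: readonly SessionPrincipalType[];` (assuming that type is importable here) and document on the field that a missing or empty list means deny. Whatever enforces the list should also be checked for principals whose type was inferred rather than asserted, since the `inferSessionPrincipalType` source embedded in the source map earlier on this page returns `"service"` for any unrecognised prefix, and `"service"` is allowed on every entry shown. The enclosing `beliefsContracts` declaration starts and ends outside the hunk.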
|
|
@@ -155,7 +155,7 @@ declare const beliefsContracts: readonly [{
|
|
|
155
155
|
};
|
|
156
156
|
auth: {
|
|
157
157
|
scopes: string[];
|
|
158
|
-
allowedPrincipalTypes: ("user" | "service" | "agent")[];
|
|
158
|
+
allowedPrincipalTypes: ("user" | "service" | "agent" | "group" | "external_viewer")[];
|
|
159
159
|
};
|
|
160
160
|
convex: FunctionConvexTarget | undefined;
|
|
161
161
|
gateway: FunctionGatewayTarget | undefined;
|
|
@@ -195,7 +195,7 @@ declare const beliefsContracts: readonly [{
|
|
|
195
195
|
};
|
|
196
196
|
auth: {
|
|
197
197
|
scopes: string[];
|
|
198
|
-
allowedPrincipalTypes: ("user" | "service" | "agent")[];
|
|
198
|
+
allowedPrincipalTypes: ("user" | "service" | "agent" | "group" | "external_viewer")[];
|
|
199
199
|
};
|
|
200
200
|
convex: FunctionConvexTarget | undefined;
|
|
201
201
|
gateway: FunctionGatewayTarget | undefined;
|
|
@@ -235,7 +235,7 @@ declare const beliefsContracts: readonly [{
|
|
|
235
235
|
};
|
|
236
236
|
auth: {
|
|
237
237
|
scopes: string[];
|
|
238
|
-
allowedPrincipalTypes: ("user" | "service" | "agent")[];
|
|
238
|
+
allowedPrincipalTypes: ("user" | "service" | "agent" | "group" | "external_viewer")[];
|
|
239
239
|
};
|
|
240
240
|
convex: FunctionConvexTarget | undefined;
|
|
241
241
|
gateway: FunctionGatewayTarget | undefined;
|
|
@@ -275,7 +275,7 @@ declare const beliefsContracts: readonly [{
|
|
|
275
275
|
};
|
|
276
276
|
auth: {
|
|
277
277
|
scopes: string[];
|
|
278
|
-
allowedPrincipalTypes: ("user" | "service" | "agent")[];
|
|
278
|
+
allowedPrincipalTypes: ("user" | "service" | "agent" | "group" | "external_viewer")[];
|
|
279
279
|
};
|
|
280
280
|
convex: FunctionConvexTarget | undefined;
|
|
281
281
|
gateway: FunctionGatewayTarget | undefined;
|
|
@@ -315,7 +315,7 @@ declare const beliefsContracts: readonly [{
|
|
|
315
315
|
};
|
|
316
316
|
auth: {
|
|
317
317
|
scopes: string[];
|
|
318
|
-
allowedPrincipalTypes: ("user" | "service" | "agent")[];
|
|
318
|
+
allowedPrincipalTypes: ("user" | "service" | "agent" | "group" | "external_viewer")[];
|
|
319
319
|
};
|
|
320
320
|
convex: FunctionConvexTarget | undefined;
|
|
321
321
|
gateway: FunctionGatewayTarget | undefined;
|
|
@@ -355,7 +355,7 @@ declare const beliefsContracts: readonly [{
|
|
|
355
355
|
};
|
|
356
356
|
auth: {
|
|
357
357
|
scopes: string[];
|
|
358
|
-
allowedPrincipalTypes: ("user" | "service" | "agent")[];
|
|
358
|
+
allowedPrincipalTypes: ("user" | "service" | "agent" | "group" | "external_viewer")[];
|
|
359
359
|
};
|
|
360
360
|
convex: FunctionConvexTarget | undefined;
|
|
361
361
|
gateway: FunctionGatewayTarget | undefined;
|
|
@@ -395,7 +395,7 @@ declare const beliefsContracts: readonly [{
|
|
|
395
395
|
};
|
|
396
396
|
auth: {
|
|
397
397
|
scopes: string[];
|
|
398
|
-
allowedPrincipalTypes: ("user" | "service" | "agent")[];
|
|
398
|
+
allowedPrincipalTypes: ("user" | "service" | "agent" | "group" | "external_viewer")[];
|
|
399
399
|
};
|
|
400
400
|
convex: FunctionConvexTarget | undefined;
|
|
401
401
|
gateway: FunctionGatewayTarget | undefined;
|
|
@@ -435,7 +435,7 @@ declare const beliefsContracts: readonly [{
|
|
|
435
435
|
};
|
|
436
436
|
auth: {
|
|
437
437
|
scopes: string[];
|
|
438
|
-
allowedPrincipalTypes: ("user" | "service" | "agent")[];
|
|
438
|
+
allowedPrincipalTypes: ("user" | "service" | "agent" | "group" | "external_viewer")[];
|
|
439
439
|
};
|
|
440
440
|
convex: FunctionConvexTarget | undefined;
|
|
441
441
|
gateway: FunctionGatewayTarget | undefined;
|
|
@@ -475,7 +475,7 @@ declare const beliefsContracts: readonly [{
|
|
|
475
475
|
};
|
|
476
476
|
auth: {
|
|
477
477
|
scopes: string[];
|
|
478
|
-
allowedPrincipalTypes: ("user" | "service" | "agent")[];
|
|
478
|
+
allowedPrincipalTypes: ("user" | "service" | "agent" | "group" | "external_viewer")[];
|
|
479
479
|
};
|
|
480
480
|
convex: FunctionConvexTarget | undefined;
|
|
481
481
|
gateway: FunctionGatewayTarget | undefined;
|
|
@@ -2329,7 +2329,7 @@ var IDENTITY_WHOAMI = {
|
|
|
2329
2329
|
description: "Canonical identity summary for the current session",
|
|
2330
2330
|
fields: {
|
|
2331
2331
|
principalId: "string \u2014 canonical federated principal identifier",
|
|
2332
|
-
principalType: "string \u2014 human, service, or
|
|
2332
|
+
principalType: "string \u2014 human, service, agent, group, or external_viewer",
|
|
2333
2333
|
tenantId: "string | undefined \u2014 resolved tenant scope",
|
|
2334
2334
|
workspaceId: "string | undefined \u2014 resolved workspace scope",
|
|
2335
2335
|
scopes: "string[] | undefined \u2014 granted scopes for this session",
|
|
@@ -2340,6 +2340,49 @@ var IDENTITY_WHOAMI = {
|
|
|
2340
2340
|
ontologyPrimitive: "identity",
|
|
2341
2341
|
tier: "workhorse"
|
|
2342
2342
|
};
|
|
2343
|
+
var RESOLVE_INTERACTIVE_PRINCIPAL = {
|
|
2344
|
+
name: "resolve_interactive_principal",
|
|
2345
|
+
description: "Read the Permit-backed Lucern principal context for an authenticated Clerk user. Like `git config --get user.email` plus the repository ACL \u2014 resolves the identity alias into the canonical authorization subject.",
|
|
2346
|
+
parameters: {
|
|
2347
|
+
clerkId: {
|
|
2348
|
+
type: "string",
|
|
2349
|
+
description: "Authenticated Clerk subject (`sub`). Clerk proves identity only; it is not the authorization record."
|
|
2350
|
+
},
|
|
2351
|
+
tenantId: {
|
|
2352
|
+
type: "string",
|
|
2353
|
+
description: "Optional tenant scope. Omit only when the Clerk alias is globally unambiguous."
|
|
2354
|
+
},
|
|
2355
|
+
workspaceId: {
|
|
2356
|
+
type: "string",
|
|
2357
|
+
description: "Optional workspace scope. Required when the principal has access to multiple workspaces and no default can be inferred."
|
|
2358
|
+
},
|
|
2359
|
+
providerProjectId: {
|
|
2360
|
+
type: "string",
|
|
2361
|
+
description: "Optional Clerk project or provider instance id for tenants with multiple identity providers."
|
|
2362
|
+
}
|
|
2363
|
+
},
|
|
2364
|
+
required: ["clerkId"],
|
|
2365
|
+
response: {
|
|
2366
|
+
description: "Permit-backed Lucern principal context for tenant SDK bootstrap",
|
|
2367
|
+
fields: {
|
|
2368
|
+
principalId: "string \u2014 canonical Lucern principal identifier",
|
|
2369
|
+
principalType: "string \u2014 human, service, agent, group, or external_viewer",
|
|
2370
|
+
clerkId: "string \u2014 authenticated Clerk subject alias",
|
|
2371
|
+
tenantId: "string \u2014 resolved tenant scope",
|
|
2372
|
+
workspaceId: "string | null \u2014 resolved workspace scope",
|
|
2373
|
+
roles: "string[] \u2014 effective Permit roles",
|
|
2374
|
+
scopes: "string[] \u2014 effective scopes derived from Permit/control-plane projection",
|
|
2375
|
+
groupIds: "string[] \u2014 active Permit group memberships",
|
|
2376
|
+
principalStatus: "string \u2014 active, invited, suspended, disabled, revoked, or missing",
|
|
2377
|
+
tenantStatus: "string \u2014 projected tenant resource status",
|
|
2378
|
+
workspaceStatus: "string \u2014 projected workspace resource status",
|
|
2379
|
+
permit: "object \u2014 Permit subject, tenant, and optional workspace tuple"
|
|
2380
|
+
}
|
|
2381
|
+
},
|
|
2382
|
+
ownerModule: "control-plane",
|
|
2383
|
+
ontologyPrimitive: "identity",
|
|
2384
|
+
tier: "workhorse"
|
|
2385
|
+
};
|
|
2343
2386
|
var COMPILE_CONTEXT = {
|
|
2344
2387
|
name: "compile_context",
|
|
2345
2388
|
description: "Compile a focused reasoning context. If topicId is omitted, Lucern resolves the best topic from the query. Like `git log --graph --decorate` for the reasoning substrate \u2014 returns the canonical Pillar 3 context pack through the public API shape.",
|
|
@@ -4242,6 +4285,7 @@ var MCP_TOOL_CONTRACTS = {
|
|
|
4242
4285
|
update_worktree_targets: UPDATE_WORKTREE_TARGETS,
|
|
4243
4286
|
update_worktree_metadata: UPDATE_WORKTREE_METADATA,
|
|
4244
4287
|
identity_whoami: IDENTITY_WHOAMI,
|
|
4288
|
+
resolve_interactive_principal: RESOLVE_INTERACTIVE_PRINCIPAL,
|
|
4245
4289
|
compile_context: COMPILE_CONTEXT,
|
|
4246
4290
|
record_scope_learning: RECORD_SCOPE_LEARNING,
|
|
4247
4291
|
pipeline_snapshot: PIPELINE_SNAPSHOT,
|
|
@@ -4359,6 +4403,7 @@ function entries(names, surfaceClass, surfaceIntent, surfaces, rationale) {
|
|
|
4359
4403
|
var MCP_CORE_OPERATION_NAMES = [
|
|
4360
4404
|
"compile_context",
|
|
4361
4405
|
"identity_whoami",
|
|
4406
|
+
"resolve_interactive_principal",
|
|
4362
4407
|
"check_permission",
|
|
4363
4408
|
"filter_by_permission",
|
|
4364
4409
|
"create_belief",
|
|
@@ -4910,7 +4955,13 @@ function surfaceContract(args) {
|
|
|
4910
4955
|
scopes: args.scopes ?? [
|
|
4911
4956
|
args.kind === "query" ? `${args.domain}.read` : `${args.domain}.write`
|
|
4912
4957
|
],
|
|
4913
|
-
allowedPrincipalTypes: [
|
|
4958
|
+
allowedPrincipalTypes: [
|
|
4959
|
+
"user",
|
|
4960
|
+
"service",
|
|
4961
|
+
"agent",
|
|
4962
|
+
"group",
|
|
4963
|
+
"external_viewer"
|
|
4964
|
+
]
|
|
4914
4965
|
},
|
|
4915
4966
|
convex: args.convex,
|
|
4916
4967
|
gateway: args.gateway,
|
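Review bot: The default `allowedPrincipalTypes` in `surfaceContract` (new lines 4958–4964) now admits `"group"` and `"external_viewer"` for every contract built through it, including those whose default scope two lines earlier resolves to `${args.domain}.write`. Unlike `scopes`, the list is a hard-coded literal with no `args` override visible in this hunk. A least-privilege default would keep the narrower set (presumably the three types the old `.d.ts` declared, since the removed line is truncated here) and let individual contracts opt in through a new optional argument: `allowedPrincipalTypes: args.allowedPrincipalTypes ?? ["user", "service", "agent"],`. The body of `surfaceContract` starts and ends outside the hunk, so it cannot be confirmed from here whether callers or the enforcement layer narrow the list later. If they do not, read-only viewer principals should be checked against the mutation contracts before release.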