@lucern/contracts 0.3.0-alpha.12 → 0.3.0-alpha.13
- package/dist/auth-context.contract.js +13 -1
- package/dist/auth-context.contract.js.map +1 -1
- package/dist/auth-session.contract.js +13 -1
- package/dist/auth-session.contract.js.map +1 -1
- package/dist/auth.contract.d.ts +1 -1
- package/dist/auth.contract.js +13 -1
- package/dist/auth.contract.js.map +1 -1
- package/dist/component-boundary.contract.js +1 -0
- package/dist/component-boundary.contract.js.map +1 -1
- package/dist/function-registry/beliefs.d.ts +10 -10
- package/dist/function-registry/beliefs.js +53 -2
- package/dist/function-registry/beliefs.js.map +1 -1
- package/dist/function-registry/coding.d.ts +6 -6
- package/dist/function-registry/coding.js +53 -2
- package/dist/function-registry/coding.js.map +1 -1
- package/dist/function-registry/context.d.ts +3 -3
- package/dist/function-registry/context.js +53 -2
- package/dist/function-registry/context.js.map +1 -1
- package/dist/function-registry/contracts.d.ts +3 -3
- package/dist/function-registry/contracts.js +53 -2
- package/dist/function-registry/contracts.js.map +1 -1
- package/dist/function-registry/coordination.d.ts +9 -9
- package/dist/function-registry/coordination.js +53 -2
- package/dist/function-registry/coordination.js.map +1 -1
- package/dist/function-registry/edges.d.ts +6 -6
- package/dist/function-registry/edges.js +53 -2
- package/dist/function-registry/edges.js.map +1 -1
- package/dist/function-registry/evidence.d.ts +8 -8
- package/dist/function-registry/evidence.js +53 -2
- package/dist/function-registry/evidence.js.map +1 -1
- package/dist/function-registry/graph.d.ts +15 -15
- package/dist/function-registry/graph.js +53 -2
- package/dist/function-registry/graph.js.map +1 -1
- package/dist/function-registry/helpers.d.ts +2 -2
- package/dist/function-registry/helpers.js +53 -2
- package/dist/function-registry/helpers.js.map +1 -1
- package/dist/function-registry/identity.d.ts +56 -16
- package/dist/function-registry/identity.js +75 -4
- package/dist/function-registry/identity.js.map +1 -1
- package/dist/function-registry/index.d.ts +1 -1
- package/dist/function-registry/index.js +53 -2
- package/dist/function-registry/index.js.map +1 -1
- package/dist/function-registry/judgments.d.ts +2 -2
- package/dist/function-registry/judgments.js +53 -2
- package/dist/function-registry/judgments.js.map +1 -1
- package/dist/function-registry/legacy.d.ts +1 -1
- package/dist/function-registry/legacy.js +53 -2
- package/dist/function-registry/legacy.js.map +1 -1
- package/dist/function-registry/lenses.d.ts +4 -4
- package/dist/function-registry/lenses.js +53 -2
- package/dist/function-registry/lenses.js.map +1 -1
- package/dist/function-registry/manifest.d.ts +3 -3
- package/dist/function-registry/manifest.js +1 -0
- package/dist/function-registry/manifest.js.map +1 -1
- package/dist/function-registry/nodes.d.ts +8 -8
- package/dist/function-registry/nodes.js +53 -2
- package/dist/function-registry/nodes.js.map +1 -1
- package/dist/function-registry/ontologies.d.ts +11 -11
- package/dist/function-registry/ontologies.js +53 -2
- package/dist/function-registry/ontologies.js.map +1 -1
- package/dist/function-registry/pipeline.d.ts +3 -3
- package/dist/function-registry/pipeline.js +53 -2
- package/dist/function-registry/pipeline.js.map +1 -1
- package/dist/function-registry/questions.d.ts +12 -12
- package/dist/function-registry/questions.js +53 -2
- package/dist/function-registry/questions.js.map +1 -1
- package/dist/function-registry/tasks.d.ts +4 -4
- package/dist/function-registry/tasks.js +53 -2
- package/dist/function-registry/tasks.js.map +1 -1
- package/dist/function-registry/topics.d.ts +7 -7
- package/dist/function-registry/topics.js +53 -2
- package/dist/function-registry/topics.js.map +1 -1
- package/dist/function-registry/types.d.ts +2 -2
- package/dist/function-registry/worktrees.d.ts +11 -11
- package/dist/function-registry/worktrees.js +53 -2
- package/dist/function-registry/worktrees.js.map +1 -1
- package/dist/generated/convexSchemas.js +2 -1
- package/dist/generated/convexSchemas.js.map +1 -1
- package/dist/generated/infisicalRuntimeEnv.js +111 -0
- package/dist/generated/infisicalRuntimeEnv.js.map +1 -1
- package/dist/generated/schema-manifest.json +88 -3
- package/dist/generated/tableOwnership.d.ts +2 -1
- package/dist/generated/tableOwnership.js +2 -0
- package/dist/generated/tableOwnership.js.map +1 -1
- package/dist/generated/tier-expectations.json +6 -3
- package/dist/index.d.ts +2 -2
- package/dist/index.js +290 -20
- package/dist/index.js.map +1 -1
- package/dist/infisical-runtime.contract.d.ts +18 -0
- package/dist/infisical-runtime.contract.js +21 -0
- package/dist/infisical-runtime.contract.js.map +1 -1
- package/dist/manifests/infisical-runtime-manifest.d.ts +18 -0
- package/dist/manifests/infisical-runtime-manifest.js +21 -0
- package/dist/manifests/infisical-runtime-manifest.js.map +1 -1
- package/dist/manifests/tenant-client-manifest.d.ts +8 -3
- package/dist/manifests/tenant-client-manifest.js +18 -1
- package/dist/manifests/tenant-client-manifest.js.map +1 -1
- package/dist/permit-principal-projection.contract.js +2 -3
- package/dist/permit-principal-projection.contract.js.map +1 -1
- package/dist/proof-attestation.json +1 -1
- package/dist/schemas/index.js +33 -0
- package/dist/schemas/index.js.map +1 -1
- package/dist/schemas/manifest.d.ts +75 -0
- package/dist/schemas/manifest.js +33 -0
- package/dist/schemas/manifest.js.map +1 -1
- package/dist/schemas/tables/controlPlane/accessControl.js +3 -0
- package/dist/schemas/tables/controlPlane/accessControl.js.map +1 -1
- package/dist/schemas/tables/kernel/events.d.ts +21 -0
- package/dist/schemas/tables/kernel/events.js +43 -0
- package/dist/schemas/tables/kernel/events.js.map +1 -0
- package/dist/{sdk-tools.contract-BNklQDfB.d.ts → sdk-tools.contract-CKmSsrZ2.d.ts} +1 -1
- package/dist/sdk-tools.contract.d.ts +2 -2
- package/dist/sdk-tools.contract.js +45 -1
- package/dist/sdk-tools.contract.js.map +1 -1
- package/dist/tenant-bootstrap-seed.contract.d.ts +22 -2
- package/dist/tenant-bootstrap-seed.contract.js +15 -2
- package/dist/tenant-bootstrap-seed.contract.js.map +1 -1
- package/dist/tenant-bootstrap-seed.defaults.d.ts +1 -1
- package/dist/tenant-bootstrap-seed.defaults.js +30 -12
- package/dist/tenant-bootstrap-seed.defaults.js.map +1 -1
- package/dist/tenant-client.contract.d.ts +8 -3
- package/dist/tenant-client.contract.js +18 -1
- package/dist/tenant-client.contract.js.map +1 -1
- package/dist/{tool-contracts-BevD9Ho2.d.ts → tool-contracts-C_xvM9q2.d.ts} +4 -2
- package/dist/tool-contracts.d.ts +1 -1
- package/dist/tool-contracts.js +46 -2
- package/dist/tool-contracts.js.map +1 -1
- package/package.json +1 -1
package/dist/index.js
CHANGED
|
@@ -189,7 +189,13 @@ var SESSION_AUTH_MODES = [
|
|
|
189
189
|
"tenant_api_key",
|
|
190
190
|
"session_token"
|
|
191
191
|
];
|
|
192
|
-
var SESSION_PRINCIPAL_TYPES = [
|
|
192
|
+
var SESSION_PRINCIPAL_TYPES = [
|
|
193
|
+
"human",
|
|
194
|
+
"service",
|
|
195
|
+
"agent",
|
|
196
|
+
"group",
|
|
197
|
+
"external_viewer"
|
|
198
|
+
];
|
|
193
199
|
var SESSION_LIFECYCLE_STATUSES = [
|
|
194
200
|
"active",
|
|
195
201
|
"expired",
|
|
@@ -202,6 +208,12 @@ function inferSessionPrincipalType(principalId) {
|
|
|
202
208
|
if (principalId.startsWith("agent:")) {
|
|
203
209
|
return "agent";
|
|
204
210
|
}
|
|
211
|
+
if (principalId.startsWith("group:")) {
|
|
212
|
+
return "group";
|
|
213
|
+
}
|
|
214
|
+
if (principalId.startsWith("external:") || principalId.startsWith("external_viewer:")) {
|
|
215
|
+
return "external_viewer";
|
|
216
|
+
}
|
|
205
217
|
return "service";
|
|
206
218
|
}
|
|
207
219
|
function normalizeDelegationChain(args) {
|
|
@@ -262,6 +274,7 @@ var TABLE_OWNERSHIP = {
|
|
|
262
274
|
"deliberationContributions": "K",
|
|
263
275
|
"deliberationSessions": "K",
|
|
264
276
|
"deploymentHosts": "L",
|
|
277
|
+
"domainEvents": "K",
|
|
265
278
|
"epistemicAudit": "K",
|
|
266
279
|
"epistemicContracts": "K",
|
|
267
280
|
"epistemicEdges": "K",
|
|
@@ -2491,6 +2504,35 @@ var systemLogs = defineTable({
|
|
|
2491
2504
|
{ kind: "index", name: "by_source", columns: ["source"] }
|
|
2492
2505
|
]
|
|
2493
2506
|
});
|
|
2507
|
+
var domainEvents = defineTable({
|
|
2508
|
+
name: "domainEvents",
|
|
2509
|
+
component: "kernel",
|
|
2510
|
+
category: "events",
|
|
2511
|
+
shape: z.object({
|
|
2512
|
+
"eventId": z.string(),
|
|
2513
|
+
"type": z.string(),
|
|
2514
|
+
"version": z.string(),
|
|
2515
|
+
"timestamp": z.number(),
|
|
2516
|
+
"tenantId": z.string().optional(),
|
|
2517
|
+
"workspaceId": z.string().optional(),
|
|
2518
|
+
"topicId": z.string(),
|
|
2519
|
+
"resourceId": z.string(),
|
|
2520
|
+
"resourceType": z.string(),
|
|
2521
|
+
"actorId": z.string(),
|
|
2522
|
+
"actorType": z.enum(["human", "agent", "service"]),
|
|
2523
|
+
"data": z.record(z.any()),
|
|
2524
|
+
"correlationId": z.string().optional(),
|
|
2525
|
+
"expiresAt": z.number()
|
|
2526
|
+
}),
|
|
2527
|
+
indices: [
|
|
2528
|
+
{ kind: "index", name: "by_eventId", columns: ["eventId"] },
|
|
2529
|
+
{ kind: "index", name: "by_topic_timestamp", columns: ["topicId", "timestamp"] },
|
|
2530
|
+
{ kind: "index", name: "by_tenant_workspace_timestamp", columns: ["tenantId", "workspaceId", "timestamp"] },
|
|
2531
|
+
{ kind: "index", name: "by_type_timestamp", columns: ["type", "timestamp"] },
|
|
2532
|
+
{ kind: "index", name: "by_resource", columns: ["resourceType", "resourceId", "timestamp"] },
|
|
2533
|
+
{ kind: "index", name: "by_expiresAt", columns: ["expiresAt"] }
|
|
2534
|
+
]
|
|
2535
|
+
});
|
|
2494
2536
|
var beliefConfidence = defineTable({
|
|
2495
2537
|
name: "beliefConfidence",
|
|
2496
2538
|
component: "kernel",
|
|
@@ -5897,7 +5939,10 @@ var permitPrincipalAliases = defineTable({
|
|
|
5897
5939
|
}),
|
|
5898
5940
|
indices: [
|
|
5899
5941
|
{ kind: "index", name: "by_principalId", columns: ["principalId"] },
|
|
5942
|
+
{ kind: "index", name: "by_provider_subject", columns: ["provider", "providerSubjectId"] },
|
|
5943
|
+
{ kind: "index", name: "by_provider_project_subject", columns: ["provider", "providerProjectId", "providerSubjectId"] },
|
|
5900
5944
|
{ kind: "index", name: "by_tenant_provider_subject", columns: ["tenantId", "provider", "providerSubjectId"] },
|
|
5945
|
+
{ kind: "index", name: "by_tenant_provider_project_subject", columns: ["tenantId", "provider", "providerProjectId", "providerSubjectId"] },
|
|
5901
5946
|
{
|
|
5902
5947
|
kind: "index",
|
|
5903
5948
|
name: "by_tenant_provider_alias",
|
|
@@ -7106,6 +7151,7 @@ var KERNEL_TABLE_CONTRACTS = [
|
|
|
7106
7151
|
decisionParticipants,
|
|
7107
7152
|
decisionRiskLedger,
|
|
7108
7153
|
decisionSnapshots,
|
|
7154
|
+
domainEvents,
|
|
7109
7155
|
deliberationContributions,
|
|
7110
7156
|
deliberationSessions,
|
|
7111
7157
|
stakeholderGroups,
|
|
@@ -7389,7 +7435,9 @@ var TENANT_CLIENT_AUTH_MODES = [
|
|
|
7389
7435
|
var TENANT_CLIENT_PRINCIPAL_TYPES = [
|
|
7390
7436
|
"human",
|
|
7391
7437
|
"service",
|
|
7392
|
-
"agent"
|
|
7438
|
+
"agent",
|
|
7439
|
+
"group",
|
|
7440
|
+
"external_viewer"
|
|
7393
7441
|
];
|
|
7394
7442
|
var TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS = [
|
|
7395
7443
|
"tenantId",
|
|
@@ -7399,8 +7447,16 @@ var TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS = [
|
|
|
7399
7447
|
"scopes"
|
|
7400
7448
|
];
|
|
7401
7449
|
var TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS = [
|
|
7450
|
+
"clerkId",
|
|
7402
7451
|
"principalType",
|
|
7403
7452
|
"roles",
|
|
7453
|
+
"groupIds",
|
|
7454
|
+
"permittedToolNames",
|
|
7455
|
+
"permittedPackKeys",
|
|
7456
|
+
"principalStatus",
|
|
7457
|
+
"tenantStatus",
|
|
7458
|
+
"workspaceStatus",
|
|
7459
|
+
"permit",
|
|
7404
7460
|
"sessionId",
|
|
7405
7461
|
"delegationChain"
|
|
7406
7462
|
];
|
|
@@ -7678,6 +7734,7 @@ var TENANT_CLIENT_REQUIRED_SDK_NAMESPACES = [
|
|
|
7678
7734
|
"ontologyLinks",
|
|
7679
7735
|
"graphStateClassifier",
|
|
7680
7736
|
"tools",
|
|
7737
|
+
"controlPlane",
|
|
7681
7738
|
"identity",
|
|
7682
7739
|
"modelRuntime",
|
|
7683
7740
|
"events",
|
|
@@ -7685,6 +7742,12 @@ var TENANT_CLIENT_REQUIRED_SDK_NAMESPACES = [
|
|
|
7685
7742
|
"telemetry"
|
|
7686
7743
|
];
|
|
7687
7744
|
var TENANT_CLIENT_CAPABILITIES = [
|
|
7745
|
+
{
|
|
7746
|
+
id: "identity.resolve_interactive_principal",
|
|
7747
|
+
description: "Resolve a Clerk-authenticated user into a Permit-backed Lucern principal context.",
|
|
7748
|
+
surfaces: ["@lucern/sdk", "@lucern/cli", "@lucern/mcp"],
|
|
7749
|
+
requiredContextFields: ["principalId", "tenantId", "scopes"]
|
|
7750
|
+
},
|
|
7688
7751
|
{
|
|
7689
7752
|
id: "identity.bootstrap_session",
|
|
7690
7753
|
description: "Start a scoped Lucern session for a tenant principal.",
|
|
@@ -8435,6 +8498,27 @@ var PLATFORM_SECRET_DEFINITIONS = [
|
|
|
8435
8498
|
],
|
|
8436
8499
|
description: "Canonical Lucern Clerk project identifier used when MC resolves Clerk identities."
|
|
8437
8500
|
},
|
|
8501
|
+
{
|
|
8502
|
+
id: "platform.clerk.webhook-secret",
|
|
8503
|
+
canonicalName: "LUCERN_CLERK_WEBHOOK_SECRET",
|
|
8504
|
+
aliases: ["CLERK_WEBHOOK_SECRET", "CLERK_WEBHOOK_SIGNING_SECRET"],
|
|
8505
|
+
owner: "lucern_platform",
|
|
8506
|
+
scope: "environment",
|
|
8507
|
+
sourcePath: "/platform/auth",
|
|
8508
|
+
environmentPolicy: "environment_specific",
|
|
8509
|
+
required: true,
|
|
8510
|
+
secret: true,
|
|
8511
|
+
public: false,
|
|
8512
|
+
consumers: ["lucern-gateway"],
|
|
8513
|
+
destinations: [
|
|
8514
|
+
{
|
|
8515
|
+
kind: "vercel",
|
|
8516
|
+
target: "lucern-gateway",
|
|
8517
|
+
environmentPolicy: "environment_specific"
|
|
8518
|
+
}
|
|
8519
|
+
],
|
|
8520
|
+
description: "Lucern-owned Clerk/Svix webhook signing secret used by the gateway to verify Clerk identity and organization events before projecting them into Permit."
|
|
8521
|
+
},
|
|
8438
8522
|
{
|
|
8439
8523
|
id: "platform.clerk.jwks",
|
|
8440
8524
|
canonicalName: "CLERK_JWKS_URL",
|
|
@@ -11048,6 +11132,8 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
|
|
|
11048
11132
|
"CLERK_PROJECT_ID",
|
|
11049
11133
|
"CLERK_PUBLISHABLE_KEY",
|
|
11050
11134
|
"CLERK_SECRET_KEY",
|
|
11135
|
+
"CLERK_WEBHOOK_SECRET",
|
|
11136
|
+
"CLERK_WEBHOOK_SIGNING_SECRET",
|
|
11051
11137
|
"CONVEX_CLOUD_URL",
|
|
11052
11138
|
"CONVEX_DEPLOY_KEY",
|
|
11053
11139
|
"CONVEX_DEPLOYMENT",
|
|
@@ -11111,6 +11197,7 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
|
|
|
11111
11197
|
"LUCERN_AUTH_BASE_URL",
|
|
11112
11198
|
"LUCERN_BASE_URL",
|
|
11113
11199
|
"LUCERN_CLERK_PROJECT_ID",
|
|
11200
|
+
"LUCERN_CLERK_WEBHOOK_SECRET",
|
|
11114
11201
|
"LUCERN_CLI_SESSION_TTL_MS",
|
|
11115
11202
|
"LUCERN_CONTRACTS_SKIP_DTS",
|
|
11116
11203
|
"LUCERN_CONVEX_DEPLOY_KEY",
|
|
@@ -11283,6 +11370,8 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
|
|
|
11283
11370
|
"CLERK_PROJECT_ID",
|
|
11284
11371
|
"CLERK_PUBLISHABLE_KEY",
|
|
11285
11372
|
"CLERK_SECRET_KEY",
|
|
11373
|
+
"CLERK_WEBHOOK_SECRET",
|
|
11374
|
+
"CLERK_WEBHOOK_SIGNING_SECRET",
|
|
11286
11375
|
"CONVEX_CLOUD_URL",
|
|
11287
11376
|
"CONVEX_DEPLOY_KEY",
|
|
11288
11377
|
"CONVEX_DEPLOYMENT",
|
|
@@ -11360,6 +11449,7 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
|
|
|
11360
11449
|
"LUCERN_AUTH_BASE_URL",
|
|
11361
11450
|
"LUCERN_BASE_URL",
|
|
11362
11451
|
"LUCERN_CLERK_PROJECT_ID",
|
|
11452
|
+
"LUCERN_CLERK_WEBHOOK_SECRET",
|
|
11363
11453
|
"LUCERN_CLI_SESSION_TTL_MS",
|
|
11364
11454
|
"LUCERN_CONTRACTS_SKIP_DTS",
|
|
11365
11455
|
"LUCERN_CONVEX_DEPLOY_KEY",
|
|
@@ -13672,6 +13762,40 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
|
|
|
13672
13762
|
],
|
|
13673
13763
|
"description": "stack/frontend: Lucern/MC gateway base URL used by tenant product apps. stack/stackos: Lucern/MC gateway base URL used by tenant product apps."
|
|
13674
13764
|
},
|
|
13765
|
+
"LUCERN_CLERK_WEBHOOK_SECRET": {
|
|
13766
|
+
"secretId": "platform.clerk.webhook-secret",
|
|
13767
|
+
"canonicalName": "LUCERN_CLERK_WEBHOOK_SECRET",
|
|
13768
|
+
"envNames": [
|
|
13769
|
+
"CLERK_WEBHOOK_SECRET",
|
|
13770
|
+
"CLERK_WEBHOOK_SIGNING_SECRET",
|
|
13771
|
+
"LUCERN_CLERK_WEBHOOK_SECRET"
|
|
13772
|
+
],
|
|
13773
|
+
"aliases": [
|
|
13774
|
+
"CLERK_WEBHOOK_SECRET",
|
|
13775
|
+
"CLERK_WEBHOOK_SIGNING_SECRET"
|
|
13776
|
+
],
|
|
13777
|
+
"writeNames": [
|
|
13778
|
+
"LUCERN_CLERK_WEBHOOK_SECRET"
|
|
13779
|
+
],
|
|
13780
|
+
"required": true,
|
|
13781
|
+
"secret": true,
|
|
13782
|
+
"public": false,
|
|
13783
|
+
"sourcePath": "/platform/auth",
|
|
13784
|
+
"environmentPolicy": "environment_specific",
|
|
13785
|
+
"consumers": [
|
|
13786
|
+
"lucern-gateway"
|
|
13787
|
+
],
|
|
13788
|
+
"destinations": [
|
|
13789
|
+
{
|
|
13790
|
+
"kind": "vercel",
|
|
13791
|
+
"target": "lucern-gateway",
|
|
13792
|
+
"writeNames": [
|
|
13793
|
+
"LUCERN_CLERK_WEBHOOK_SECRET"
|
|
13794
|
+
]
|
|
13795
|
+
}
|
|
13796
|
+
],
|
|
13797
|
+
"description": "Lucern-owned Clerk/Svix webhook signing secret used by the gateway to verify Clerk identity and organization events before projecting them into Permit."
|
|
13798
|
+
},
|
|
13675
13799
|
"LUCERN_CLI_SESSION_TTL_MS": {
|
|
13676
13800
|
"canonicalName": "LUCERN_CLI_SESSION_TTL_MS",
|
|
13677
13801
|
"envNames": [
|
|
@@ -16940,6 +17064,9 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
|
|
|
16940
17064
|
"LUCERN_API_URL": "LUCERN_API_URL",
|
|
16941
17065
|
"LUCERN_BASE_URL": "LUCERN_BASE_URL",
|
|
16942
17066
|
"LUCERN_GATEWAY_BASE_URL": "LUCERN_BASE_URL",
|
|
17067
|
+
"CLERK_WEBHOOK_SECRET": "LUCERN_CLERK_WEBHOOK_SECRET",
|
|
17068
|
+
"CLERK_WEBHOOK_SIGNING_SECRET": "LUCERN_CLERK_WEBHOOK_SECRET",
|
|
17069
|
+
"LUCERN_CLERK_WEBHOOK_SECRET": "LUCERN_CLERK_WEBHOOK_SECRET",
|
|
16943
17070
|
"LUCERN_CLI_SESSION_TTL_MS": "LUCERN_CLI_SESSION_TTL_MS",
|
|
16944
17071
|
"CONVEX_DEPLOYMENT": "LUCERN_CONVEX_DEPLOYMENT_NAME",
|
|
16945
17072
|
"CONVEX_DEV_DEPLOYMENT_NAME": "LUCERN_CONVEX_DEPLOYMENT_NAME",
|
|
@@ -17954,6 +18081,40 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
|
|
|
17954
18081
|
],
|
|
17955
18082
|
"description": "Canonical Lucern API gateway URL. Canonical Lucern API gateway base URL. Older names remain aliases only."
|
|
17956
18083
|
},
|
|
18084
|
+
{
|
|
18085
|
+
"secretId": "platform.clerk.webhook-secret",
|
|
18086
|
+
"canonicalName": "LUCERN_CLERK_WEBHOOK_SECRET",
|
|
18087
|
+
"envNames": [
|
|
18088
|
+
"CLERK_WEBHOOK_SECRET",
|
|
18089
|
+
"CLERK_WEBHOOK_SIGNING_SECRET",
|
|
18090
|
+
"LUCERN_CLERK_WEBHOOK_SECRET"
|
|
18091
|
+
],
|
|
18092
|
+
"aliases": [
|
|
18093
|
+
"CLERK_WEBHOOK_SECRET",
|
|
18094
|
+
"CLERK_WEBHOOK_SIGNING_SECRET"
|
|
18095
|
+
],
|
|
18096
|
+
"writeNames": [
|
|
18097
|
+
"LUCERN_CLERK_WEBHOOK_SECRET"
|
|
18098
|
+
],
|
|
18099
|
+
"required": true,
|
|
18100
|
+
"secret": true,
|
|
18101
|
+
"public": false,
|
|
18102
|
+
"sourcePath": "/platform/auth",
|
|
18103
|
+
"environmentPolicy": "environment_specific",
|
|
18104
|
+
"consumers": [
|
|
18105
|
+
"lucern-gateway"
|
|
18106
|
+
],
|
|
18107
|
+
"destinations": [
|
|
18108
|
+
{
|
|
18109
|
+
"kind": "vercel",
|
|
18110
|
+
"target": "lucern-gateway",
|
|
18111
|
+
"writeNames": [
|
|
18112
|
+
"LUCERN_CLERK_WEBHOOK_SECRET"
|
|
18113
|
+
]
|
|
18114
|
+
}
|
|
18115
|
+
],
|
|
18116
|
+
"description": "Lucern-owned Clerk/Svix webhook signing secret used by the gateway to verify Clerk identity and organization events before projecting them into Permit."
|
|
18117
|
+
},
|
|
17957
18118
|
{
|
|
17958
18119
|
"canonicalName": "LUCERN_CLI_SESSION_TTL_MS",
|
|
17959
18120
|
"envNames": [
|
|
@@ -33942,6 +34103,40 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
|
|
|
33942
34103
|
],
|
|
33943
34104
|
"description": "Canonical Lucern API gateway base URL. Older names remain aliases only."
|
|
33944
34105
|
},
|
|
34106
|
+
{
|
|
34107
|
+
"secretId": "platform.clerk.webhook-secret",
|
|
34108
|
+
"canonicalName": "LUCERN_CLERK_WEBHOOK_SECRET",
|
|
34109
|
+
"envNames": [
|
|
34110
|
+
"CLERK_WEBHOOK_SECRET",
|
|
34111
|
+
"CLERK_WEBHOOK_SIGNING_SECRET",
|
|
34112
|
+
"LUCERN_CLERK_WEBHOOK_SECRET"
|
|
34113
|
+
],
|
|
34114
|
+
"aliases": [
|
|
34115
|
+
"CLERK_WEBHOOK_SECRET",
|
|
34116
|
+
"CLERK_WEBHOOK_SIGNING_SECRET"
|
|
34117
|
+
],
|
|
34118
|
+
"writeNames": [
|
|
34119
|
+
"LUCERN_CLERK_WEBHOOK_SECRET"
|
|
34120
|
+
],
|
|
34121
|
+
"required": true,
|
|
34122
|
+
"secret": true,
|
|
34123
|
+
"public": false,
|
|
34124
|
+
"sourcePath": "/platform/auth",
|
|
34125
|
+
"environmentPolicy": "environment_specific",
|
|
34126
|
+
"consumers": [
|
|
34127
|
+
"lucern-gateway"
|
|
34128
|
+
],
|
|
34129
|
+
"destinations": [
|
|
34130
|
+
{
|
|
34131
|
+
"kind": "vercel",
|
|
34132
|
+
"target": "lucern-gateway",
|
|
34133
|
+
"writeNames": [
|
|
34134
|
+
"LUCERN_CLERK_WEBHOOK_SECRET"
|
|
34135
|
+
]
|
|
34136
|
+
}
|
|
34137
|
+
],
|
|
34138
|
+
"description": "Lucern-owned Clerk/Svix webhook signing secret used by the gateway to verify Clerk identity and organization events before projecting them into Permit."
|
|
34139
|
+
},
|
|
33945
34140
|
{
|
|
33946
34141
|
"secretId": "platform.gateway.device-verification-base-url",
|
|
33947
34142
|
"canonicalName": "LUCERN_DEVICE_VERIFICATION_BASE_URL",
|
|
@@ -38303,6 +38498,7 @@ __export(tool_contracts_exports, {
|
|
|
38303
38498
|
REMOVE_EDGES_BETWEEN: () => REMOVE_EDGES_BETWEEN,
|
|
38304
38499
|
REMOVE_LENS_FROM_TOPIC: () => REMOVE_LENS_FROM_TOPIC,
|
|
38305
38500
|
RESOLVE_EFFECTIVE_ONTOLOGY: () => RESOLVE_EFFECTIVE_ONTOLOGY,
|
|
38501
|
+
RESOLVE_INTERACTIVE_PRINCIPAL: () => RESOLVE_INTERACTIVE_PRINCIPAL,
|
|
38306
38502
|
RUN_GRAPH_INTELLIGENCE_QUERY: () => RUN_GRAPH_INTELLIGENCE_QUERY,
|
|
38307
38503
|
SEARCH_BELIEFS: () => SEARCH_BELIEFS,
|
|
38308
38504
|
SEARCH_EVIDENCE: () => SEARCH_EVIDENCE,
|
|
@@ -40636,7 +40832,7 @@ var IDENTITY_WHOAMI = {
|
|
|
40636
40832
|
description: "Canonical identity summary for the current session",
|
|
40637
40833
|
fields: {
|
|
40638
40834
|
principalId: "string \u2014 canonical federated principal identifier",
|
|
40639
|
-
principalType: "string \u2014 human, service, or
|
|
40835
|
+
principalType: "string \u2014 human, service, agent, group, or external_viewer",
|
|
40640
40836
|
tenantId: "string | undefined \u2014 resolved tenant scope",
|
|
40641
40837
|
workspaceId: "string | undefined \u2014 resolved workspace scope",
|
|
40642
40838
|
scopes: "string[] | undefined \u2014 granted scopes for this session",
|
|
@@ -40647,6 +40843,49 @@ var IDENTITY_WHOAMI = {
|
|
|
40647
40843
|
ontologyPrimitive: "identity",
|
|
40648
40844
|
tier: "workhorse"
|
|
40649
40845
|
};
|
|
40846
|
+
var RESOLVE_INTERACTIVE_PRINCIPAL = {
|
|
40847
|
+
name: "resolve_interactive_principal",
|
|
40848
|
+
description: "Read the Permit-backed Lucern principal context for an authenticated Clerk user. Like `git config --get user.email` plus the repository ACL \u2014 resolves the identity alias into the canonical authorization subject.",
|
|
40849
|
+
parameters: {
|
|
40850
|
+
clerkId: {
|
|
40851
|
+
type: "string",
|
|
40852
|
+
description: "Authenticated Clerk subject (`sub`). Clerk proves identity only; it is not the authorization record."
|
|
40853
|
+
},
|
|
40854
|
+
tenantId: {
|
|
40855
|
+
type: "string",
|
|
40856
|
+
description: "Optional tenant scope. Omit only when the Clerk alias is globally unambiguous."
|
|
40857
|
+
},
|
|
40858
|
+
workspaceId: {
|
|
40859
|
+
type: "string",
|
|
40860
|
+
description: "Optional workspace scope. Required when the principal has access to multiple workspaces and no default can be inferred."
|
|
40861
|
+
},
|
|
40862
|
+
providerProjectId: {
|
|
40863
|
+
type: "string",
|
|
40864
|
+
description: "Optional Clerk project or provider instance id for tenants with multiple identity providers."
|
|
40865
|
+
}
|
|
40866
|
+
},
|
|
40867
|
+
required: ["clerkId"],
|
|
40868
|
+
response: {
|
|
40869
|
+
description: "Permit-backed Lucern principal context for tenant SDK bootstrap",
|
|
40870
|
+
fields: {
|
|
40871
|
+
principalId: "string \u2014 canonical Lucern principal identifier",
|
|
40872
|
+
principalType: "string \u2014 human, service, agent, group, or external_viewer",
|
|
40873
|
+
clerkId: "string \u2014 authenticated Clerk subject alias",
|
|
40874
|
+
tenantId: "string \u2014 resolved tenant scope",
|
|
40875
|
+
workspaceId: "string | null \u2014 resolved workspace scope",
|
|
40876
|
+
roles: "string[] \u2014 effective Permit roles",
|
|
40877
|
+
scopes: "string[] \u2014 effective scopes derived from Permit/control-plane projection",
|
|
40878
|
+
groupIds: "string[] \u2014 active Permit group memberships",
|
|
40879
|
+
principalStatus: "string \u2014 active, invited, suspended, disabled, revoked, or missing",
|
|
40880
|
+
tenantStatus: "string \u2014 projected tenant resource status",
|
|
40881
|
+
workspaceStatus: "string \u2014 projected workspace resource status",
|
|
40882
|
+
permit: "object \u2014 Permit subject, tenant, and optional workspace tuple"
|
|
40883
|
+
}
|
|
40884
|
+
},
|
|
40885
|
+
ownerModule: "control-plane",
|
|
40886
|
+
ontologyPrimitive: "identity",
|
|
40887
|
+
tier: "workhorse"
|
|
40888
|
+
};
|
|
40650
40889
|
var COMPILE_CONTEXT = {
|
|
40651
40890
|
name: "compile_context",
|
|
40652
40891
|
description: "Compile a focused reasoning context. If topicId is omitted, Lucern resolves the best topic from the query. Like `git log --graph --decorate` for the reasoning substrate \u2014 returns the canonical Pillar 3 context pack through the public API shape.",
|
|
@@ -42549,6 +42788,7 @@ var MCP_TOOL_CONTRACTS = {
|
|
|
42549
42788
|
update_worktree_targets: UPDATE_WORKTREE_TARGETS,
|
|
42550
42789
|
update_worktree_metadata: UPDATE_WORKTREE_METADATA,
|
|
42551
42790
|
identity_whoami: IDENTITY_WHOAMI,
|
|
42791
|
+
resolve_interactive_principal: RESOLVE_INTERACTIVE_PRINCIPAL,
|
|
42552
42792
|
compile_context: COMPILE_CONTEXT,
|
|
42553
42793
|
record_scope_learning: RECORD_SCOPE_LEARNING,
|
|
42554
42794
|
pipeline_snapshot: PIPELINE_SNAPSHOT,
|
|
@@ -43025,6 +43265,7 @@ function mapPermitRoleToPlatformRole(role) {
|
|
|
43025
43265
|
case "evidence_contributor":
|
|
43026
43266
|
case "question_resolver":
|
|
43027
43267
|
case "theme_promoter":
|
|
43268
|
+
case "topic_promoter":
|
|
43028
43269
|
return "editor";
|
|
43029
43270
|
case "auditor":
|
|
43030
43271
|
return "auditor";
|
|
@@ -43075,9 +43316,7 @@ function rolesForPrincipal(assignments, principal, groupIds) {
|
|
|
43075
43316
|
(assignment) => isActivePermitProjectionStatus(assignment.status) && readPermitProjectionString(assignment.tenantId) === tenantId && (readPermitProjectionString(assignment.targetType) === "principal" && readPermitProjectionString(assignment.targetId) === principalId || readPermitProjectionString(assignment.targetType) === "group" && groupIds.includes(
|
|
43076
43317
|
readPermitProjectionString(assignment.targetId) ?? ""
|
|
43077
43318
|
))
|
|
43078
|
-
).map((assignment) => mapPermitRoleToPlatformRole(assignment.role)).filter(
|
|
43079
|
-
(role) => Boolean(role)
|
|
43080
|
-
);
|
|
43319
|
+
).map((assignment) => mapPermitRoleToPlatformRole(assignment.role)).filter((role) => Boolean(role));
|
|
43081
43320
|
if (readPermitProjectionString(principal.principalType) === "agent" || readPermitProjectionString(principal.principalType) === "service_principal") {
|
|
43082
43321
|
roles.push("service_agent");
|
|
43083
43322
|
}
|
|
@@ -44411,6 +44650,8 @@ var TENANT_BOOTSTRAP_SEED_COMPONENTS = {
|
|
|
44411
44650
|
kernel: {
|
|
44412
44651
|
componentName: "lucern",
|
|
44413
44652
|
migrationModule: "adapters/migration",
|
|
44653
|
+
templateMigrationModule: "dist/adapters/migration",
|
|
44654
|
+
tenantMigrationModule: "adapters/migration",
|
|
44414
44655
|
templateService: "services/kernel-template",
|
|
44415
44656
|
templateDeployments: {
|
|
44416
44657
|
staging: "kindly-goldfish-162",
|
|
@@ -44419,7 +44660,9 @@ var TENANT_BOOTSTRAP_SEED_COMPONENTS = {
|
|
|
44419
44660
|
},
|
|
44420
44661
|
"control-plane": {
|
|
44421
44662
|
componentName: "controlPlane",
|
|
44422
|
-
migrationModule: "
|
|
44663
|
+
migrationModule: "migration",
|
|
44664
|
+
templateMigrationModule: "dist/migration",
|
|
44665
|
+
tenantMigrationModule: "migration",
|
|
44423
44666
|
templateService: "services/control-plane-template",
|
|
44424
44667
|
templateDeployments: {
|
|
44425
44668
|
staging: "industrious-cheetah-864",
|
|
@@ -44580,6 +44823,13 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
|
|
|
44580
44823
|
copyMode: "none",
|
|
44581
44824
|
description: "Deliberation sessions are created by tenant workflows."
|
|
44582
44825
|
},
|
|
44826
|
+
{
|
|
44827
|
+
component: "kernel",
|
|
44828
|
+
table: "domainEvents",
|
|
44829
|
+
prepopulation: "runtime_log",
|
|
44830
|
+
copyMode: "none",
|
|
44831
|
+
description: "Domain event rows are append-only runtime audit/exhaust data."
|
|
44832
|
+
},
|
|
44583
44833
|
{
|
|
44584
44834
|
component: "kernel",
|
|
44585
44835
|
table: "epistemicAudit",
|
|
@@ -45141,12 +45391,15 @@ function isTenantBootstrapSeedTable(table) {
|
|
|
45141
45391
|
return Boolean(findTenantBootstrapSeedTable(table));
|
|
45142
45392
|
}
|
|
45143
45393
|
function isTenantBootstrapForbiddenSeedTable(table) {
|
|
45144
|
-
return TENANT_BOOTSTRAP_FORBIDDEN_SEED_TABLES.some(
|
|
45394
|
+
return TENANT_BOOTSTRAP_FORBIDDEN_SEED_TABLES.some(
|
|
45395
|
+
(entry) => entry === table
|
|
45396
|
+
);
|
|
45145
45397
|
}
|
|
45146
|
-
var TENANT_BOOTSTRAP_TEMPLATE_SEED_VERSION = "2026-
|
|
45398
|
+
var TENANT_BOOTSTRAP_TEMPLATE_SEED_VERSION = "2026-05-11";
|
|
45147
45399
|
var TENANT_BOOTSTRAP_TEMPLATE_TENANT_ID = "tenant_template";
|
|
45148
45400
|
var TENANT_BOOTSTRAP_TEMPLATE_ACTOR = "system:lucern-template-seed";
|
|
45149
45401
|
var DEFAULT_SEED_TIME = Date.UTC(2026, 3, 30);
|
|
45402
|
+
var TEMPLATE_SEED_METADATA_SOURCE = "lucern-template";
|
|
45150
45403
|
var ROLE_GRANTS = {
|
|
45151
45404
|
viewer: ["viewer", "auditor", "editor", "workspace_admin", "tenant_admin", "platform_admin", "service_agent"],
|
|
45152
45405
|
auditor: ["auditor", "tenant_admin", "platform_admin", "service_agent"],
|
|
@@ -45157,7 +45410,7 @@ var ROLE_GRANTS = {
|
|
|
45157
45410
|
service_agent: ["service_agent"]
|
|
45158
45411
|
};
|
|
45159
45412
|
var ENUM_VALUES = {
|
|
45160
|
-
topic_type: ["
|
|
45413
|
+
topic_type: ["generic"],
|
|
45161
45414
|
branch_schema: ["pillar", "track", "dimension", "axis", "phase"],
|
|
45162
45415
|
belief_type: ["belief", "hypothesis", "principle", "invariant", "assumption", "tenet", "prior", "preference", "goal", "forecast", "decision", "constraint", "tradeoff", "policy", "implementation_choice", "implementation_decision", "interface_contract", "migration_state", "code_pattern", "deprecation_notice"],
|
|
45163
45416
|
edge_type: ["supports", "informs", "depends_on", "derived_from", "contains", "tests", "supersedes", "responds_to", "belongs_to", "relates_to_thesis", "works_at", "invested_in", "competes_with", "participates_in", "founded_by", "evaluates", "performs", "function_in", "impacts", "raised_from", "mentioned_in", "perspective_on", "plays_theme"],
|
|
@@ -45201,6 +45454,13 @@ var MODEL_SLOTS = [
|
|
|
45201
45454
|
function labelFor(value) {
|
|
45202
45455
|
return value.split(/[_-]/).map((part) => part.charAt(0).toUpperCase() + part.slice(1)).join(" ");
|
|
45203
45456
|
}
|
|
45457
|
+
function templateSeedMetadata(version) {
|
|
45458
|
+
return {
|
|
45459
|
+
seedSource: TEMPLATE_SEED_METADATA_SOURCE,
|
|
45460
|
+
seedVersion: version,
|
|
45461
|
+
seedType: "template-default"
|
|
45462
|
+
};
|
|
45463
|
+
}
|
|
45204
45464
|
function seedContext(options) {
|
|
45205
45465
|
return {
|
|
45206
45466
|
now: options.now ?? DEFAULT_SEED_TIME,
|
|
@@ -45340,7 +45600,7 @@ function modelRegistryRows(now) {
|
|
|
45340
45600
|
updatedAt: now
|
|
45341
45601
|
}));
|
|
45342
45602
|
}
|
|
45343
|
-
function modelFunctionSlotRows(now) {
|
|
45603
|
+
function modelFunctionSlotRows(now, version) {
|
|
45344
45604
|
return MODEL_SLOTS.map(([slot, category, description, modelKey, promptName, temperature, maxTokens, requiredCapabilities]) => ({
|
|
45345
45605
|
slot,
|
|
45346
45606
|
category,
|
|
@@ -45352,24 +45612,24 @@ function modelFunctionSlotRows(now) {
|
|
|
45352
45612
|
requiredCapabilities,
|
|
45353
45613
|
enabled: true,
|
|
45354
45614
|
isDefault: true,
|
|
45355
|
-
notes: `Seeded by ${
|
|
45615
|
+
notes: `Seeded by ${version}.`,
|
|
45356
45616
|
createdAt: now,
|
|
45357
45617
|
updatedAt: now
|
|
45358
45618
|
}));
|
|
45359
45619
|
}
|
|
45360
|
-
function modelSlotConfigRows(now) {
|
|
45620
|
+
function modelSlotConfigRows(now, version) {
|
|
45361
45621
|
return MODEL_SLOTS.map(([slot, , , modelKey, , temperature, maxTokens]) => ({
|
|
45362
45622
|
slot,
|
|
45363
45623
|
modelKey,
|
|
45364
45624
|
temperature,
|
|
45365
45625
|
maxTokens,
|
|
45366
45626
|
enabled: true,
|
|
45367
|
-
notes: `Default routing for ${slot}.`,
|
|
45627
|
+
notes: `Default routing for ${slot}. Seeded by ${version}.`,
|
|
45368
45628
|
createdAt: now,
|
|
45369
45629
|
updatedAt: now
|
|
45370
45630
|
}));
|
|
45371
45631
|
}
|
|
45372
|
-
function schemaEnumRows(now) {
|
|
45632
|
+
function schemaEnumRows(now, version) {
|
|
45373
45633
|
return Object.entries(ENUM_VALUES).flatMap(
|
|
45374
45634
|
([category, values]) => values.map((value, index) => ({
|
|
45375
45635
|
category,
|
|
@@ -45377,7 +45637,7 @@ function schemaEnumRows(now) {
|
|
|
45377
45637
|
label: labelFor(value),
|
|
45378
45638
|
description: `${labelFor(value)} ${category} value.`,
|
|
45379
45639
|
tier: "platform",
|
|
45380
|
-
metadata:
|
|
45640
|
+
metadata: templateSeedMetadata(version),
|
|
45381
45641
|
isDefault: index === 0,
|
|
45382
45642
|
sortOrder: index + 1,
|
|
45383
45643
|
status: "active",
|
|
@@ -45415,18 +45675,28 @@ function buildTenantBootstrapTemplateSeedRows(options = {}) {
|
|
|
45415
45675
|
publicationRules: [
|
|
45416
45676
|
{ tenantId: ctx.templateTenantId, name: "publish-high-confidence-beliefs", description: "Publish high-confidence beliefs to tenant-level consumers.", conditionType: "confidence_threshold", conditions: { minConfidence: 0.85 }, enabled: true, priority: 100, createdBy: ctx.actor, createdAt: ctx.now, updatedAt: ctx.now }
|
|
45417
45677
|
],
|
|
45418
|
-
schemaEnumConfig: schemaEnumRows(ctx.now)
|
|
45678
|
+
schemaEnumConfig: schemaEnumRows(ctx.now, ctx.version)
|
|
45419
45679
|
},
|
|
45420
45680
|
"control-plane": {
|
|
45421
45681
|
mcpWritePolicy: buildMcpWritePolicy(ctx.now, ctx.actor),
|
|
45422
|
-
modelFunctionSlots: modelFunctionSlotRows(ctx.now),
|
|
45682
|
+
modelFunctionSlots: modelFunctionSlotRows(ctx.now, ctx.version),
|
|
45423
45683
|
modelRegistry: modelRegistryRows(ctx.now),
|
|
45424
|
-
modelSlotConfigs: modelSlotConfigRows(ctx.now),
|
|
45684
|
+
modelSlotConfigs: modelSlotConfigRows(ctx.now, ctx.version),
|
|
45425
45685
|
platformAudiences: [
|
|
45426
45686
|
["internal", "Internal", "internal"],
|
|
45427
45687
|
["lp", "Limited Partners", "restricted_external"],
|
|
45428
45688
|
["public", "Public", "public"]
|
|
45429
|
-
].map(([audienceKey, audienceLabel, audienceClass]) => ({
|
|
45689
|
+
].map(([audienceKey, audienceLabel, audienceClass]) => ({
|
|
45690
|
+
tenantId: ctx.templateTenantId,
|
|
45691
|
+
audienceKey,
|
|
45692
|
+
audienceLabel,
|
|
45693
|
+
audienceClass,
|
|
45694
|
+
status: "active",
|
|
45695
|
+
metadata: templateSeedMetadata(ctx.version),
|
|
45696
|
+
createdBy: ctx.actor,
|
|
45697
|
+
createdAt: ctx.now,
|
|
45698
|
+
updatedAt: ctx.now
|
|
45699
|
+
})),
|
|
45430
45700
|
tenantConfig: [
|
|
45431
45701
|
{ tenantId: ctx.templateTenantId, authPolicyMode: "open", defaultSessionTTL: 28800, defaultTopicVisibility: "tenant", featureFlags: { sdkBootstrapSeeds: true, interactiveRoleAuth: true }, maxWorkspaceCount: 25, defaultModelSlotOverrides: {}, updatedAt: ctx.now, updatedBy: ctx.actor }
|
|
45432
45702
|
],
|