@lucern/contracts 0.3.0-alpha.12 → 0.3.0-alpha.14

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (128) hide show
  1. package/dist/auth-context.contract.js +13 -1
  2. package/dist/auth-context.contract.js.map +1 -1
  3. package/dist/auth-session.contract.js +13 -1
  4. package/dist/auth-session.contract.js.map +1 -1
  5. package/dist/auth.contract.d.ts +1 -1
  6. package/dist/auth.contract.js +13 -1
  7. package/dist/auth.contract.js.map +1 -1
  8. package/dist/component-boundary.contract.js +1 -0
  9. package/dist/component-boundary.contract.js.map +1 -1
  10. package/dist/function-registry/beliefs.d.ts +10 -10
  11. package/dist/function-registry/beliefs.js +53 -2
  12. package/dist/function-registry/beliefs.js.map +1 -1
  13. package/dist/function-registry/coding.d.ts +6 -6
  14. package/dist/function-registry/coding.js +53 -2
  15. package/dist/function-registry/coding.js.map +1 -1
  16. package/dist/function-registry/context.d.ts +3 -3
  17. package/dist/function-registry/context.js +53 -2
  18. package/dist/function-registry/context.js.map +1 -1
  19. package/dist/function-registry/contracts.d.ts +3 -3
  20. package/dist/function-registry/contracts.js +53 -2
  21. package/dist/function-registry/contracts.js.map +1 -1
  22. package/dist/function-registry/coordination.d.ts +9 -9
  23. package/dist/function-registry/coordination.js +53 -2
  24. package/dist/function-registry/coordination.js.map +1 -1
  25. package/dist/function-registry/edges.d.ts +6 -6
  26. package/dist/function-registry/edges.js +53 -2
  27. package/dist/function-registry/edges.js.map +1 -1
  28. package/dist/function-registry/evidence.d.ts +8 -8
  29. package/dist/function-registry/evidence.js +53 -2
  30. package/dist/function-registry/evidence.js.map +1 -1
  31. package/dist/function-registry/graph.d.ts +15 -15
  32. package/dist/function-registry/graph.js +53 -2
  33. package/dist/function-registry/graph.js.map +1 -1
  34. package/dist/function-registry/helpers.d.ts +2 -2
  35. package/dist/function-registry/helpers.js +53 -2
  36. package/dist/function-registry/helpers.js.map +1 -1
  37. package/dist/function-registry/identity.d.ts +56 -16
  38. package/dist/function-registry/identity.js +75 -4
  39. package/dist/function-registry/identity.js.map +1 -1
  40. package/dist/function-registry/index.d.ts +1 -1
  41. package/dist/function-registry/index.js +53 -2
  42. package/dist/function-registry/index.js.map +1 -1
  43. package/dist/function-registry/judgments.d.ts +2 -2
  44. package/dist/function-registry/judgments.js +53 -2
  45. package/dist/function-registry/judgments.js.map +1 -1
  46. package/dist/function-registry/legacy.d.ts +1 -1
  47. package/dist/function-registry/legacy.js +53 -2
  48. package/dist/function-registry/legacy.js.map +1 -1
  49. package/dist/function-registry/lenses.d.ts +4 -4
  50. package/dist/function-registry/lenses.js +53 -2
  51. package/dist/function-registry/lenses.js.map +1 -1
  52. package/dist/function-registry/manifest.d.ts +3 -3
  53. package/dist/function-registry/manifest.js +1 -0
  54. package/dist/function-registry/manifest.js.map +1 -1
  55. package/dist/function-registry/nodes.d.ts +8 -8
  56. package/dist/function-registry/nodes.js +53 -2
  57. package/dist/function-registry/nodes.js.map +1 -1
  58. package/dist/function-registry/ontologies.d.ts +11 -11
  59. package/dist/function-registry/ontologies.js +53 -2
  60. package/dist/function-registry/ontologies.js.map +1 -1
  61. package/dist/function-registry/pipeline.d.ts +3 -3
  62. package/dist/function-registry/pipeline.js +53 -2
  63. package/dist/function-registry/pipeline.js.map +1 -1
  64. package/dist/function-registry/questions.d.ts +12 -12
  65. package/dist/function-registry/questions.js +53 -2
  66. package/dist/function-registry/questions.js.map +1 -1
  67. package/dist/function-registry/tasks.d.ts +4 -4
  68. package/dist/function-registry/tasks.js +53 -2
  69. package/dist/function-registry/tasks.js.map +1 -1
  70. package/dist/function-registry/topics.d.ts +7 -7
  71. package/dist/function-registry/topics.js +53 -2
  72. package/dist/function-registry/topics.js.map +1 -1
  73. package/dist/function-registry/types.d.ts +2 -2
  74. package/dist/function-registry/worktrees.d.ts +11 -11
  75. package/dist/function-registry/worktrees.js +53 -2
  76. package/dist/function-registry/worktrees.js.map +1 -1
  77. package/dist/generated/convexSchemas.js +2 -1
  78. package/dist/generated/convexSchemas.js.map +1 -1
  79. package/dist/generated/infisicalRuntimeEnv.js +111 -0
  80. package/dist/generated/infisicalRuntimeEnv.js.map +1 -1
  81. package/dist/generated/schema-manifest.json +88 -3
  82. package/dist/generated/tableOwnership.d.ts +2 -1
  83. package/dist/generated/tableOwnership.js +2 -0
  84. package/dist/generated/tableOwnership.js.map +1 -1
  85. package/dist/generated/tier-expectations.json +6 -3
  86. package/dist/index.d.ts +2 -2
  87. package/dist/index.js +290 -20
  88. package/dist/index.js.map +1 -1
  89. package/dist/infisical-runtime.contract.d.ts +18 -0
  90. package/dist/infisical-runtime.contract.js +21 -0
  91. package/dist/infisical-runtime.contract.js.map +1 -1
  92. package/dist/manifests/infisical-runtime-manifest.d.ts +18 -0
  93. package/dist/manifests/infisical-runtime-manifest.js +21 -0
  94. package/dist/manifests/infisical-runtime-manifest.js.map +1 -1
  95. package/dist/manifests/tenant-client-manifest.d.ts +8 -3
  96. package/dist/manifests/tenant-client-manifest.js +18 -1
  97. package/dist/manifests/tenant-client-manifest.js.map +1 -1
  98. package/dist/permit-principal-projection.contract.js +2 -3
  99. package/dist/permit-principal-projection.contract.js.map +1 -1
  100. package/dist/proof-attestation.json +1 -1
  101. package/dist/schemas/index.js +33 -0
  102. package/dist/schemas/index.js.map +1 -1
  103. package/dist/schemas/manifest.d.ts +75 -0
  104. package/dist/schemas/manifest.js +33 -0
  105. package/dist/schemas/manifest.js.map +1 -1
  106. package/dist/schemas/tables/controlPlane/accessControl.js +3 -0
  107. package/dist/schemas/tables/controlPlane/accessControl.js.map +1 -1
  108. package/dist/schemas/tables/kernel/events.d.ts +21 -0
  109. package/dist/schemas/tables/kernel/events.js +43 -0
  110. package/dist/schemas/tables/kernel/events.js.map +1 -0
  111. package/dist/{sdk-tools.contract-BNklQDfB.d.ts → sdk-tools.contract-CKmSsrZ2.d.ts} +1 -1
  112. package/dist/sdk-tools.contract.d.ts +2 -2
  113. package/dist/sdk-tools.contract.js +45 -1
  114. package/dist/sdk-tools.contract.js.map +1 -1
  115. package/dist/tenant-bootstrap-seed.contract.d.ts +22 -2
  116. package/dist/tenant-bootstrap-seed.contract.js +15 -2
  117. package/dist/tenant-bootstrap-seed.contract.js.map +1 -1
  118. package/dist/tenant-bootstrap-seed.defaults.d.ts +1 -1
  119. package/dist/tenant-bootstrap-seed.defaults.js +30 -12
  120. package/dist/tenant-bootstrap-seed.defaults.js.map +1 -1
  121. package/dist/tenant-client.contract.d.ts +8 -3
  122. package/dist/tenant-client.contract.js +18 -1
  123. package/dist/tenant-client.contract.js.map +1 -1
  124. package/dist/{tool-contracts-BevD9Ho2.d.ts → tool-contracts-C_xvM9q2.d.ts} +4 -2
  125. package/dist/tool-contracts.d.ts +1 -1
  126. package/dist/tool-contracts.js +46 -2
  127. package/dist/tool-contracts.js.map +1 -1
  128. package/package.json +1 -1
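--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -189,7 +189,13 @@ var SESSION_AUTH_MODES = [
  "tenant_api_key",
  "session_token"
  ];
- var SESSION_PRINCIPAL_TYPES = ["human", "service", "agent"];
+ var SESSION_PRINCIPAL_TYPES = [
+ "human",
+ "service",
+ "agent",
+ "group",
+ "external_viewer"
+ ];
  var SESSION_LIFECYCLE_STATUSES = [
  "active",
  "expired",
@@ -202,6 +208,12 @@ function inferSessionPrincipalType(principalId) {
  if (principalId.startsWith("agent:")) {
  return "agent";
  }
+ if (principalId.startsWith("group:")) {
+ return "group";
+ }
+ if (principalId.startsWith("external:") || principalId.startsWith("external_viewer:")) {
+ return "external_viewer";
+ }
  return "service";
  }
  function normalizeDelegationChain(args) {
@@ -262,6 +274,7 @@ var TABLE_OWNERSHIP = {
  "deliberationContributions": "K",
  "deliberationSessions": "K",
  "deploymentHosts": "L",
+ "domainEvents": "K",
  "epistemicAudit": "K",
  "epistemicContracts": "K",
  "epistemicEdges": "K",
@@ -2491,6 +2504,35 @@ var systemLogs = defineTable({
  { kind: "index", name: "by_source", columns: ["source"] }
  ]
  });
+ var domainEvents = defineTable({
+ name: "domainEvents",
+ component: "kernel",
+ category: "events",
+ shape: z.object({
+ "eventId": z.string(),
+ "type": z.string(),
+ "version": z.string(),
+ "timestamp": z.number(),
+ "tenantId": z.string().optional(),
+ "workspaceId": z.string().optional(),
+ "topicId": z.string(),
+ "resourceId": z.string(),
+ "resourceType": z.string(),
+ "actorId": z.string(),
+ "actorType": z.enum(["human", "agent", "service"]),
+ "data": z.record(z.any()),
+ "correlationId": z.string().optional(),
+ "expiresAt": z.number()
+ }),
+ indices: [
+ { kind: "index", name: "by_eventId", columns: ["eventId"] },
+ { kind: "index", name: "by_topic_timestamp", columns: ["topicId", "timestamp"] },
+ { kind: "index", name: "by_tenant_workspace_timestamp", columns: ["tenantId", "workspaceId", "timestamp"] },
+ { kind: "index", name: "by_type_timestamp", columns: ["type", "timestamp"] },
+ { kind: "index", name: "by_resource", columns: ["resourceType", "resourceId", "timestamp"] },
+ { kind: "index", name: "by_expiresAt", columns: ["expiresAt"] }
+ ]
+ });
  var beliefConfidence = defineTable({
  name: "beliefConfidence",
  component: "kernel",
@@ -5897,7 +5939,10 @@ var permitPrincipalAliases = defineTable({
  }),
  indices: [
  { kind: "index", name: "by_principalId", columns: ["principalId"] },
+ { kind: "index", name: "by_provider_subject", columns: ["provider", "providerSubjectId"] },
+ { kind: "index", name: "by_provider_project_subject", columns: ["provider", "providerProjectId", "providerSubjectId"] },
  { kind: "index", name: "by_tenant_provider_subject", columns: ["tenantId", "provider", "providerSubjectId"] },
+ { kind: "index", name: "by_tenant_provider_project_subject", columns: ["tenantId", "provider", "providerProjectId", "providerSubjectId"] },
  {
  kind: "index",
  name: "by_tenant_provider_alias",
@@ -7106,6 +7151,7 @@ var KERNEL_TABLE_CONTRACTS = [
  decisionParticipants,
  decisionRiskLedger,
  decisionSnapshots,
+ domainEvents,
  deliberationContributions,
  deliberationSessions,
  stakeholderGroups,
@@ -7389,7 +7435,9 @@ var TENANT_CLIENT_AUTH_MODES = [
  var TENANT_CLIENT_PRINCIPAL_TYPES = [
  "human",
  "service",
- "agent"
+ "agent",
+ "group",
+ "external_viewer"
  ];
  var TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS = [
  "tenantId",
@@ -7399,8 +7447,16 @@ var TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS = [
  "scopes"
  ];
  var TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS = [
+ "clerkId",
  "principalType",
  "roles",
+ "groupIds",
+ "permittedToolNames",
+ "permittedPackKeys",
+ "principalStatus",
+ "tenantStatus",
+ "workspaceStatus",
+ "permit",
  "sessionId",
  "delegationChain"
  ];
@@ -7678,6 +7734,7 @@ var TENANT_CLIENT_REQUIRED_SDK_NAMESPACES = [
  "ontologyLinks",
  "graphStateClassifier",
  "tools",
+ "controlPlane",
  "identity",
  "modelRuntime",
  "events",
@@ -7685,6 +7742,12 @@ var TENANT_CLIENT_REQUIRED_SDK_NAMESPACES = [
  "telemetry"
  ];
  var TENANT_CLIENT_CAPABILITIES = [
+ {
+ id: "identity.resolve_interactive_principal",
+ description: "Resolve a Clerk-authenticated user into a Permit-backed Lucern principal context.",
+ surfaces: ["@lucern/sdk", "@lucern/cli", "@lucern/mcp"],
+ requiredContextFields: ["principalId", "tenantId", "scopes"]
+ },
  {
  id: "identity.bootstrap_session",
  description: "Start a scoped Lucern session for a tenant principal.",
@@ -8435,6 +8498,27 @@ var PLATFORM_SECRET_DEFINITIONS = [
  ],
  description: "Canonical Lucern Clerk project identifier used when MC resolves Clerk identities."
  },
+ {
+ id: "platform.clerk.webhook-secret",
+ canonicalName: "LUCERN_CLERK_WEBHOOK_SECRET",
+ aliases: ["CLERK_WEBHOOK_SECRET", "CLERK_WEBHOOK_SIGNING_SECRET"],
+ owner: "lucern_platform",
+ scope: "environment",
+ sourcePath: "/platform/auth",
+ environmentPolicy: "environment_specific",
+ required: true,
+ secret: true,
+ public: false,
+ consumers: ["lucern-gateway"],
+ destinations: [
+ {
+ kind: "vercel",
+ target: "lucern-gateway",
+ environmentPolicy: "environment_specific"
+ }
+ ],
+ description: "Lucern-owned Clerk/Svix webhook signing secret used by the gateway to verify Clerk identity and organization events before projecting them into Permit."
+ },
  {
  id: "platform.clerk.jwks",
  canonicalName: "CLERK_JWKS_URL",
@@ -11048,6 +11132,8 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
  "CLERK_PROJECT_ID",
  "CLERK_PUBLISHABLE_KEY",
  "CLERK_SECRET_KEY",
+ "CLERK_WEBHOOK_SECRET",
+ "CLERK_WEBHOOK_SIGNING_SECRET",
  "CONVEX_CLOUD_URL",
  "CONVEX_DEPLOY_KEY",
  "CONVEX_DEPLOYMENT",
@@ -11111,6 +11197,7 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
  "LUCERN_AUTH_BASE_URL",
  "LUCERN_BASE_URL",
  "LUCERN_CLERK_PROJECT_ID",
+ "LUCERN_CLERK_WEBHOOK_SECRET",
  "LUCERN_CLI_SESSION_TTL_MS",
  "LUCERN_CONTRACTS_SKIP_DTS",
  "LUCERN_CONVEX_DEPLOY_KEY",
@@ -11283,6 +11370,8 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
  "CLERK_PROJECT_ID",
  "CLERK_PUBLISHABLE_KEY",
  "CLERK_SECRET_KEY",
+ "CLERK_WEBHOOK_SECRET",
+ "CLERK_WEBHOOK_SIGNING_SECRET",
  "CONVEX_CLOUD_URL",
  "CONVEX_DEPLOY_KEY",
  "CONVEX_DEPLOYMENT",
@@ -11360,6 +11449,7 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
  "LUCERN_AUTH_BASE_URL",
  "LUCERN_BASE_URL",
  "LUCERN_CLERK_PROJECT_ID",
+ "LUCERN_CLERK_WEBHOOK_SECRET",
  "LUCERN_CLI_SESSION_TTL_MS",
  "LUCERN_CONTRACTS_SKIP_DTS",
  "LUCERN_CONVEX_DEPLOY_KEY",
@@ -13672,6 +13762,40 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
  ],
  "description": "stack/frontend: Lucern/MC gateway base URL used by tenant product apps. stack/stackos: Lucern/MC gateway base URL used by tenant product apps."
  },
+ "LUCERN_CLERK_WEBHOOK_SECRET": {
+ "secretId": "platform.clerk.webhook-secret",
+ "canonicalName": "LUCERN_CLERK_WEBHOOK_SECRET",
+ "envNames": [
+ "CLERK_WEBHOOK_SECRET",
+ "CLERK_WEBHOOK_SIGNING_SECRET",
+ "LUCERN_CLERK_WEBHOOK_SECRET"
+ ],
+ "aliases": [
+ "CLERK_WEBHOOK_SECRET",
+ "CLERK_WEBHOOK_SIGNING_SECRET"
+ ],
+ "writeNames": [
+ "LUCERN_CLERK_WEBHOOK_SECRET"
+ ],
+ "required": true,
+ "secret": true,
+ "public": false,
+ "sourcePath": "/platform/auth",
+ "environmentPolicy": "environment_specific",
+ "consumers": [
+ "lucern-gateway"
+ ],
+ "destinations": [
+ {
+ "kind": "vercel",
+ "target": "lucern-gateway",
+ "writeNames": [
+ "LUCERN_CLERK_WEBHOOK_SECRET"
+ ]
+ }
+ ],
+ "description": "Lucern-owned Clerk/Svix webhook signing secret used by the gateway to verify Clerk identity and organization events before projecting them into Permit."
+ },
  "LUCERN_CLI_SESSION_TTL_MS": {
  "canonicalName": "LUCERN_CLI_SESSION_TTL_MS",
  "envNames": [
@@ -16940,6 +17064,9 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
  "LUCERN_API_URL": "LUCERN_API_URL",
  "LUCERN_BASE_URL": "LUCERN_BASE_URL",
  "LUCERN_GATEWAY_BASE_URL": "LUCERN_BASE_URL",
+ "CLERK_WEBHOOK_SECRET": "LUCERN_CLERK_WEBHOOK_SECRET",
+ "CLERK_WEBHOOK_SIGNING_SECRET": "LUCERN_CLERK_WEBHOOK_SECRET",
+ "LUCERN_CLERK_WEBHOOK_SECRET": "LUCERN_CLERK_WEBHOOK_SECRET",
  "LUCERN_CLI_SESSION_TTL_MS": "LUCERN_CLI_SESSION_TTL_MS",
  "CONVEX_DEPLOYMENT": "LUCERN_CONVEX_DEPLOYMENT_NAME",
  "CONVEX_DEV_DEPLOYMENT_NAME": "LUCERN_CONVEX_DEPLOYMENT_NAME",
@@ -17954,6 +18081,40 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
  ],
  "description": "Canonical Lucern API gateway URL. Canonical Lucern API gateway base URL. Older names remain aliases only."
  },
+ {
+ "secretId": "platform.clerk.webhook-secret",
+ "canonicalName": "LUCERN_CLERK_WEBHOOK_SECRET",
+ "envNames": [
+ "CLERK_WEBHOOK_SECRET",
+ "CLERK_WEBHOOK_SIGNING_SECRET",
+ "LUCERN_CLERK_WEBHOOK_SECRET"
+ ],
+ "aliases": [
+ "CLERK_WEBHOOK_SECRET",
+ "CLERK_WEBHOOK_SIGNING_SECRET"
+ ],
+ "writeNames": [
+ "LUCERN_CLERK_WEBHOOK_SECRET"
+ ],
+ "required": true,
+ "secret": true,
+ "public": false,
+ "sourcePath": "/platform/auth",
+ "environmentPolicy": "environment_specific",
+ "consumers": [
+ "lucern-gateway"
+ ],
+ "destinations": [
+ {
+ "kind": "vercel",
+ "target": "lucern-gateway",
+ "writeNames": [
+ "LUCERN_CLERK_WEBHOOK_SECRET"
+ ]
+ }
+ ],
+ "description": "Lucern-owned Clerk/Svix webhook signing secret used by the gateway to verify Clerk identity and organization events before projecting them into Permit."
+ },
  {
  "canonicalName": "LUCERN_CLI_SESSION_TTL_MS",
  "envNames": [
@@ -33942,6 +34103,40 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
  ],
  "description": "Canonical Lucern API gateway base URL. Older names remain aliases only."
  },
+ {
+ "secretId": "platform.clerk.webhook-secret",
+ "canonicalName": "LUCERN_CLERK_WEBHOOK_SECRET",
+ "envNames": [
+ "CLERK_WEBHOOK_SECRET",
+ "CLERK_WEBHOOK_SIGNING_SECRET",
+ "LUCERN_CLERK_WEBHOOK_SECRET"
+ ],
+ "aliases": [
+ "CLERK_WEBHOOK_SECRET",
+ "CLERK_WEBHOOK_SIGNING_SECRET"
+ ],
+ "writeNames": [
+ "LUCERN_CLERK_WEBHOOK_SECRET"
+ ],
+ "required": true,
+ "secret": true,
+ "public": false,
+ "sourcePath": "/platform/auth",
+ "environmentPolicy": "environment_specific",
+ "consumers": [
+ "lucern-gateway"
+ ],
+ "destinations": [
+ {
+ "kind": "vercel",
+ "target": "lucern-gateway",
+ "writeNames": [
+ "LUCERN_CLERK_WEBHOOK_SECRET"
+ ]
+ }
+ ],
+ "description": "Lucern-owned Clerk/Svix webhook signing secret used by the gateway to verify Clerk identity and organization events before projecting them into Permit."
+ },
  {
  "secretId": "platform.gateway.device-verification-base-url",
  "canonicalName": "LUCERN_DEVICE_VERIFICATION_BASE_URL",
@@ -38303,6 +38498,7 @@ __export(tool_contracts_exports, {
  REMOVE_EDGES_BETWEEN: () => REMOVE_EDGES_BETWEEN,
  REMOVE_LENS_FROM_TOPIC: () => REMOVE_LENS_FROM_TOPIC,
  RESOLVE_EFFECTIVE_ONTOLOGY: () => RESOLVE_EFFECTIVE_ONTOLOGY,
+ RESOLVE_INTERACTIVE_PRINCIPAL: () => RESOLVE_INTERACTIVE_PRINCIPAL,
  RUN_GRAPH_INTELLIGENCE_QUERY: () => RUN_GRAPH_INTELLIGENCE_QUERY,
  SEARCH_BELIEFS: () => SEARCH_BELIEFS,
  SEARCH_EVIDENCE: () => SEARCH_EVIDENCE,
@@ -40636,7 +40832,7 @@ var IDENTITY_WHOAMI = {
  description: "Canonical identity summary for the current session",
  fields: {
  principalId: "string \u2014 canonical federated principal identifier",
- principalType: "string \u2014 human, service, or agent",
+ principalType: "string \u2014 human, service, agent, group, or external_viewer",
  tenantId: "string | undefined \u2014 resolved tenant scope",
  workspaceId: "string | undefined \u2014 resolved workspace scope",
  scopes: "string[] | undefined \u2014 granted scopes for this session",
@@ -40647,6 +40843,49 @@ var IDENTITY_WHOAMI = {
  ontologyPrimitive: "identity",
  tier: "workhorse"
  };
+ var RESOLVE_INTERACTIVE_PRINCIPAL = {
+ name: "resolve_interactive_principal",
+ description: "Read the Permit-backed Lucern principal context for an authenticated Clerk user. Like `git config --get user.email` plus the repository ACL \u2014 resolves the identity alias into the canonical authorization subject.",
+ parameters: {
+ clerkId: {
+ type: "string",
+ description: "Authenticated Clerk subject (`sub`). Clerk proves identity only; it is not the authorization record."
+ },
+ tenantId: {
+ type: "string",
+ description: "Optional tenant scope. Omit only when the Clerk alias is globally unambiguous."
+ },
+ workspaceId: {
+ type: "string",
+ description: "Optional workspace scope. Required when the principal has access to multiple workspaces and no default can be inferred."
+ },
+ providerProjectId: {
+ type: "string",
+ description: "Optional Clerk project or provider instance id for tenants with multiple identity providers."
+ }
+ },
+ required: ["clerkId"],
+ response: {
+ description: "Permit-backed Lucern principal context for tenant SDK bootstrap",
+ fields: {
+ principalId: "string \u2014 canonical Lucern principal identifier",
+ principalType: "string \u2014 human, service, agent, group, or external_viewer",
+ clerkId: "string \u2014 authenticated Clerk subject alias",
+ tenantId: "string \u2014 resolved tenant scope",
+ workspaceId: "string | null \u2014 resolved workspace scope",
+ roles: "string[] \u2014 effective Permit roles",
+ scopes: "string[] \u2014 effective scopes derived from Permit/control-plane projection",
+ groupIds: "string[] \u2014 active Permit group memberships",
+ principalStatus: "string \u2014 active, invited, suspended, disabled, revoked, or missing",
+ tenantStatus: "string \u2014 projected tenant resource status",
+ workspaceStatus: "string \u2014 projected workspace resource status",
+ permit: "object \u2014 Permit subject, tenant, and optional workspace tuple"
+ }
+ },
+ ownerModule: "control-plane",
+ ontologyPrimitive: "identity",
+ tier: "workhorse"
+ };
  var COMPILE_CONTEXT = {
  name: "compile_context",
  description: "Compile a focused reasoning context. If topicId is omitted, Lucern resolves the best topic from the query. Like `git log --graph --decorate` for the reasoning substrate \u2014 returns the canonical Pillar 3 context pack through the public API shape.",
@@ -42549,6 +42788,7 @@ var MCP_TOOL_CONTRACTS = {
  update_worktree_targets: UPDATE_WORKTREE_TARGETS,
  update_worktree_metadata: UPDATE_WORKTREE_METADATA,
  identity_whoami: IDENTITY_WHOAMI,
+ resolve_interactive_principal: RESOLVE_INTERACTIVE_PRINCIPAL,
  compile_context: COMPILE_CONTEXT,
  record_scope_learning: RECORD_SCOPE_LEARNING,
  pipeline_snapshot: PIPELINE_SNAPSHOT,
@@ -43025,6 +43265,7 @@ function mapPermitRoleToPlatformRole(role) {
  case "evidence_contributor":
  case "question_resolver":
  case "theme_promoter":
+ case "topic_promoter":
  return "editor";
  case "auditor":
  return "auditor";
@@ -43075,9 +43316,7 @@ function rolesForPrincipal(assignments, principal, groupIds) {
  (assignment) => isActivePermitProjectionStatus(assignment.status) && readPermitProjectionString(assignment.tenantId) === tenantId && (readPermitProjectionString(assignment.targetType) === "principal" && readPermitProjectionString(assignment.targetId) === principalId || readPermitProjectionString(assignment.targetType) === "group" && groupIds.includes(
  readPermitProjectionString(assignment.targetId) ?? ""
  ))
- ).map((assignment) => mapPermitRoleToPlatformRole(assignment.role)).filter(
- (role) => Boolean(role)
- );
+ ).map((assignment) => mapPermitRoleToPlatformRole(assignment.role)).filter((role) => Boolean(role));
  if (readPermitProjectionString(principal.principalType) === "agent" || readPermitProjectionString(principal.principalType) === "service_principal") {
  roles.push("service_agent");
  }
@@ -44411,6 +44650,8 @@ var TENANT_BOOTSTRAP_SEED_COMPONENTS = {
  kernel: {
  componentName: "lucern",
  migrationModule: "adapters/migration",
+ templateMigrationModule: "dist/adapters/migration",
+ tenantMigrationModule: "adapters/migration",
  templateService: "services/kernel-template",
  templateDeployments: {
  staging: "kindly-goldfish-162",
@@ -44419,7 +44660,9 @@ var TENANT_BOOTSTRAP_SEED_COMPONENTS = {
  },
  "control-plane": {
  componentName: "controlPlane",
- migrationModule: "dist/migration",
+ migrationModule: "migration",
+ templateMigrationModule: "dist/migration",
+ tenantMigrationModule: "migration",
  templateService: "services/control-plane-template",
  templateDeployments: {
  staging: "industrious-cheetah-864",
@@ -44580,6 +44823,13 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
  copyMode: "none",
  description: "Deliberation sessions are created by tenant workflows."
  },
+ {
+ component: "kernel",
+ table: "domainEvents",
+ prepopulation: "runtime_log",
+ copyMode: "none",
+ description: "Domain event rows are append-only runtime audit/exhaust data."
+ },
  {
  component: "kernel",
  table: "epistemicAudit",
@@ -45141,12 +45391,15 @@ function isTenantBootstrapSeedTable(table) {
  return Boolean(findTenantBootstrapSeedTable(table));
  }
  function isTenantBootstrapForbiddenSeedTable(table) {
- return TENANT_BOOTSTRAP_FORBIDDEN_SEED_TABLES.some((entry) => entry === table);
+ return TENANT_BOOTSTRAP_FORBIDDEN_SEED_TABLES.some(
+ (entry) => entry === table
+ );
  }
- var TENANT_BOOTSTRAP_TEMPLATE_SEED_VERSION = "2026-04-30.1";
+ var TENANT_BOOTSTRAP_TEMPLATE_SEED_VERSION = "2026-05-11";
  var TENANT_BOOTSTRAP_TEMPLATE_TENANT_ID = "tenant_template";
  var TENANT_BOOTSTRAP_TEMPLATE_ACTOR = "system:lucern-template-seed";
  var DEFAULT_SEED_TIME = Date.UTC(2026, 3, 30);
+ var TEMPLATE_SEED_METADATA_SOURCE = "lucern-template";
  var ROLE_GRANTS = {
  viewer: ["viewer", "auditor", "editor", "workspace_admin", "tenant_admin", "platform_admin", "service_agent"],
  auditor: ["auditor", "tenant_admin", "platform_admin", "service_agent"],
@@ -45157,7 +45410,7 @@ var ROLE_GRANTS = {
  service_agent: ["service_agent"]
  };
  var ENUM_VALUES = {
- topic_type: ["domain", "theme", "deal", "strategy", "constitution", "project", "portfolio", "architecture", "capability", "runtime", "interface", "governance", "operations", "security", "data"],
+ topic_type: ["generic"],
  branch_schema: ["pillar", "track", "dimension", "axis", "phase"],
  belief_type: ["belief", "hypothesis", "principle", "invariant", "assumption", "tenet", "prior", "preference", "goal", "forecast", "decision", "constraint", "tradeoff", "policy", "implementation_choice", "implementation_decision", "interface_contract", "migration_state", "code_pattern", "deprecation_notice"],
  edge_type: ["supports", "informs", "depends_on", "derived_from", "contains", "tests", "supersedes", "responds_to", "belongs_to", "relates_to_thesis", "works_at", "invested_in", "competes_with", "participates_in", "founded_by", "evaluates", "performs", "function_in", "impacts", "raised_from", "mentioned_in", "perspective_on", "plays_theme"],
@@ -45201,6 +45454,13 @@ var MODEL_SLOTS = [
  function labelFor(value) {
  return value.split(/[_-]/).map((part) => part.charAt(0).toUpperCase() + part.slice(1)).join(" ");
  }
+ function templateSeedMetadata(version) {
+ return {
+ seedSource: TEMPLATE_SEED_METADATA_SOURCE,
+ seedVersion: version,
+ seedType: "template-default"
+ };
+ }
  function seedContext(options) {
  return {
  now: options.now ?? DEFAULT_SEED_TIME,
@@ -45340,7 +45600,7 @@ function modelRegistryRows(now) {
  updatedAt: now
  }));
  }
- function modelFunctionSlotRows(now) {
+ function modelFunctionSlotRows(now, version) {
  return MODEL_SLOTS.map(([slot, category, description, modelKey, promptName, temperature, maxTokens, requiredCapabilities]) => ({
  slot,
  category,
@@ -45352,24 +45612,24 @@ function modelFunctionSlotRows(now) {
  requiredCapabilities,
  enabled: true,
  isDefault: true,
- notes: `Seeded by ${TENANT_BOOTSTRAP_TEMPLATE_SEED_VERSION}.`,
+ notes: `Seeded by ${version}.`,
  createdAt: now,
  updatedAt: now
  }));
  }
- function modelSlotConfigRows(now) {
+ function modelSlotConfigRows(now, version) {
  return MODEL_SLOTS.map(([slot, , , modelKey, , temperature, maxTokens]) => ({
  slot,
  modelKey,
  temperature,
  maxTokens,
  enabled: true,
- notes: `Default routing for ${slot}.`,
+ notes: `Default routing for ${slot}. Seeded by ${version}.`,
  createdAt: now,
  updatedAt: now
  }));
  }
- function schemaEnumRows(now) {
+ function schemaEnumRows(now, version) {
  return Object.entries(ENUM_VALUES).flatMap(
  ([category, values]) => values.map((value, index) => ({
  category,
@@ -45377,7 +45637,7 @@ function schemaEnumRows(now) {
  label: labelFor(value),
  description: `${labelFor(value)} ${category} value.`,
  tier: "platform",
- metadata: { seedVersion: TENANT_BOOTSTRAP_TEMPLATE_SEED_VERSION },
+ metadata: templateSeedMetadata(version),
  isDefault: index === 0,
  sortOrder: index + 1,
  status: "active",
@@ -45415,18 +45675,28 @@ function buildTenantBootstrapTemplateSeedRows(options = {}) {
  publicationRules: [
  { tenantId: ctx.templateTenantId, name: "publish-high-confidence-beliefs", description: "Publish high-confidence beliefs to tenant-level consumers.", conditionType: "confidence_threshold", conditions: { minConfidence: 0.85 }, enabled: true, priority: 100, createdBy: ctx.actor, createdAt: ctx.now, updatedAt: ctx.now }
  ],
- schemaEnumConfig: schemaEnumRows(ctx.now)
+ schemaEnumConfig: schemaEnumRows(ctx.now, ctx.version)
  },
  "control-plane": {
  mcpWritePolicy: buildMcpWritePolicy(ctx.now, ctx.actor),
- modelFunctionSlots: modelFunctionSlotRows(ctx.now),
+ modelFunctionSlots: modelFunctionSlotRows(ctx.now, ctx.version),
  modelRegistry: modelRegistryRows(ctx.now),
- modelSlotConfigs: modelSlotConfigRows(ctx.now),
+ modelSlotConfigs: modelSlotConfigRows(ctx.now, ctx.version),
  platformAudiences: [
  ["internal", "Internal", "internal"],
  ["lp", "Limited Partners", "restricted_external"],
  ["public", "Public", "public"]
- ].map(([audienceKey, audienceLabel, audienceClass]) => ({ tenantId: ctx.templateTenantId, audienceKey, audienceLabel, audienceClass, status: "active", metadata: { seedVersion: ctx.version }, createdBy: ctx.actor, createdAt: ctx.now, updatedAt: ctx.now })),
+ ].map(([audienceKey, audienceLabel, audienceClass]) => ({
+ tenantId: ctx.templateTenantId,
+ audienceKey,
+ audienceLabel,
+ audienceClass,
+ status: "active",
+ metadata: templateSeedMetadata(ctx.version),
+ createdBy: ctx.actor,
+ createdAt: ctx.now,
+ updatedAt: ctx.now
+ })),
  tenantConfig: [
  { tenantId: ctx.templateTenantId, authPolicyMode: "open", defaultSessionTTL: 28800, defaultTopicVisibility: "tenant", featureFlags: { sdkBootstrapSeeds: true, interactiveRoleAuth: true }, maxWorkspaceCount: 25, defaultModelSlotOverrides: {}, updatedAt: ctx.now, updatedBy: ctx.actor }
  ],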
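Review bot: The `RESOLVE_INTERACTIVE_PRINCIPAL` contract in the `@@ -40647` hunk takes `clerkId` as a caller-supplied string and returns that principal's roles, scopes, group memberships and Permit tuple, but nothing in the parameter text binds it to the caller's own verified session, so the contract should state that the server must derive or confirm it from the authenticated token rather than resolve an arbitrary id, e.g. `description: "Authenticated Clerk subject (sub). Must equal the subject of the caller's verified Clerk token; servers must not resolve an arbitrary caller-supplied id. Clerk proves identity only; it is not the authorization record."`. The `tenantId` description says to omit it "only when the Clerk alias is globally unambiguous", and the same change adds the tenant-less `by_provider_subject` and `by_provider_project_subject` indices on `permitPrincipalAliases`, so the contract should also say that a subject matching aliases in more than one tenant is an error rather than a first-match result; the resolver itself is not in this file, so this is inferred from the index and contract text. Separately, `domainEvents.shape.actorType` is `z.enum(["human", "agent", "service"])` while `SESSION_PRINCIPAL_TYPES` and `TENANT_CLIENT_PRINCIPAL_TYPES` gain `"group"` and `"external_viewer"` in this same change; if actorType is ever populated from the session principal type, events from those principals will fail schema validation, so either widen the enum or add a comment on that line explaining why event actors are limited to the three values.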