@lucern/contracts 0.3.0-alpha.12 → 0.3.0-alpha.14
- package/dist/auth-context.contract.js +13 -1
- package/dist/auth-context.contract.js.map +1 -1
- package/dist/auth-session.contract.js +13 -1
- package/dist/auth-session.contract.js.map +1 -1
- package/dist/auth.contract.d.ts +1 -1
- package/dist/auth.contract.js +13 -1
- package/dist/auth.contract.js.map +1 -1
- package/dist/component-boundary.contract.js +1 -0
- package/dist/component-boundary.contract.js.map +1 -1
- package/dist/function-registry/beliefs.d.ts +10 -10
- package/dist/function-registry/beliefs.js +53 -2
- package/dist/function-registry/beliefs.js.map +1 -1
- package/dist/function-registry/coding.d.ts +6 -6
- package/dist/function-registry/coding.js +53 -2
- package/dist/function-registry/coding.js.map +1 -1
- package/dist/function-registry/context.d.ts +3 -3
- package/dist/function-registry/context.js +53 -2
- package/dist/function-registry/context.js.map +1 -1
- package/dist/function-registry/contracts.d.ts +3 -3
- package/dist/function-registry/contracts.js +53 -2
- package/dist/function-registry/contracts.js.map +1 -1
- package/dist/function-registry/coordination.d.ts +9 -9
- package/dist/function-registry/coordination.js +53 -2
- package/dist/function-registry/coordination.js.map +1 -1
- package/dist/function-registry/edges.d.ts +6 -6
- package/dist/function-registry/edges.js +53 -2
- package/dist/function-registry/edges.js.map +1 -1
- package/dist/function-registry/evidence.d.ts +8 -8
- package/dist/function-registry/evidence.js +53 -2
- package/dist/function-registry/evidence.js.map +1 -1
- package/dist/function-registry/graph.d.ts +15 -15
- package/dist/function-registry/graph.js +53 -2
- package/dist/function-registry/graph.js.map +1 -1
- package/dist/function-registry/helpers.d.ts +2 -2
- package/dist/function-registry/helpers.js +53 -2
- package/dist/function-registry/helpers.js.map +1 -1
- package/dist/function-registry/identity.d.ts +56 -16
- package/dist/function-registry/identity.js +75 -4
- package/dist/function-registry/identity.js.map +1 -1
- package/dist/function-registry/index.d.ts +1 -1
- package/dist/function-registry/index.js +53 -2
- package/dist/function-registry/index.js.map +1 -1
- package/dist/function-registry/judgments.d.ts +2 -2
- package/dist/function-registry/judgments.js +53 -2
- package/dist/function-registry/judgments.js.map +1 -1
- package/dist/function-registry/legacy.d.ts +1 -1
- package/dist/function-registry/legacy.js +53 -2
- package/dist/function-registry/legacy.js.map +1 -1
- package/dist/function-registry/lenses.d.ts +4 -4
- package/dist/function-registry/lenses.js +53 -2
- package/dist/function-registry/lenses.js.map +1 -1
- package/dist/function-registry/manifest.d.ts +3 -3
- package/dist/function-registry/manifest.js +1 -0
- package/dist/function-registry/manifest.js.map +1 -1
- package/dist/function-registry/nodes.d.ts +8 -8
- package/dist/function-registry/nodes.js +53 -2
- package/dist/function-registry/nodes.js.map +1 -1
- package/dist/function-registry/ontologies.d.ts +11 -11
- package/dist/function-registry/ontologies.js +53 -2
- package/dist/function-registry/ontologies.js.map +1 -1
- package/dist/function-registry/pipeline.d.ts +3 -3
- package/dist/function-registry/pipeline.js +53 -2
- package/dist/function-registry/pipeline.js.map +1 -1
- package/dist/function-registry/questions.d.ts +12 -12
- package/dist/function-registry/questions.js +53 -2
- package/dist/function-registry/questions.js.map +1 -1
- package/dist/function-registry/tasks.d.ts +4 -4
- package/dist/function-registry/tasks.js +53 -2
- package/dist/function-registry/tasks.js.map +1 -1
- package/dist/function-registry/topics.d.ts +7 -7
- package/dist/function-registry/topics.js +53 -2
- package/dist/function-registry/topics.js.map +1 -1
- package/dist/function-registry/types.d.ts +2 -2
- package/dist/function-registry/worktrees.d.ts +11 -11
- package/dist/function-registry/worktrees.js +53 -2
- package/dist/function-registry/worktrees.js.map +1 -1
- package/dist/generated/convexSchemas.js +2 -1
- package/dist/generated/convexSchemas.js.map +1 -1
- package/dist/generated/infisicalRuntimeEnv.js +111 -0
- package/dist/generated/infisicalRuntimeEnv.js.map +1 -1
- package/dist/generated/schema-manifest.json +88 -3
- package/dist/generated/tableOwnership.d.ts +2 -1
- package/dist/generated/tableOwnership.js +2 -0
- package/dist/generated/tableOwnership.js.map +1 -1
- package/dist/generated/tier-expectations.json +6 -3
- package/dist/index.d.ts +2 -2
- package/dist/index.js +290 -20
- package/dist/index.js.map +1 -1
- package/dist/infisical-runtime.contract.d.ts +18 -0
- package/dist/infisical-runtime.contract.js +21 -0
- package/dist/infisical-runtime.contract.js.map +1 -1
- package/dist/manifests/infisical-runtime-manifest.d.ts +18 -0
- package/dist/manifests/infisical-runtime-manifest.js +21 -0
- package/dist/manifests/infisical-runtime-manifest.js.map +1 -1
- package/dist/manifests/tenant-client-manifest.d.ts +8 -3
- package/dist/manifests/tenant-client-manifest.js +18 -1
- package/dist/manifests/tenant-client-manifest.js.map +1 -1
- package/dist/permit-principal-projection.contract.js +2 -3
- package/dist/permit-principal-projection.contract.js.map +1 -1
- package/dist/proof-attestation.json +1 -1
- package/dist/schemas/index.js +33 -0
- package/dist/schemas/index.js.map +1 -1
- package/dist/schemas/manifest.d.ts +75 -0
- package/dist/schemas/manifest.js +33 -0
- package/dist/schemas/manifest.js.map +1 -1
- package/dist/schemas/tables/controlPlane/accessControl.js +3 -0
- package/dist/schemas/tables/controlPlane/accessControl.js.map +1 -1
- package/dist/schemas/tables/kernel/events.d.ts +21 -0
- package/dist/schemas/tables/kernel/events.js +43 -0
- package/dist/schemas/tables/kernel/events.js.map +1 -0
- package/dist/{sdk-tools.contract-BNklQDfB.d.ts → sdk-tools.contract-CKmSsrZ2.d.ts} +1 -1
- package/dist/sdk-tools.contract.d.ts +2 -2
- package/dist/sdk-tools.contract.js +45 -1
- package/dist/sdk-tools.contract.js.map +1 -1
- package/dist/tenant-bootstrap-seed.contract.d.ts +22 -2
- package/dist/tenant-bootstrap-seed.contract.js +15 -2
- package/dist/tenant-bootstrap-seed.contract.js.map +1 -1
- package/dist/tenant-bootstrap-seed.defaults.d.ts +1 -1
- package/dist/tenant-bootstrap-seed.defaults.js +30 -12
- package/dist/tenant-bootstrap-seed.defaults.js.map +1 -1
- package/dist/tenant-client.contract.d.ts +8 -3
- package/dist/tenant-client.contract.js +18 -1
- package/dist/tenant-client.contract.js.map +1 -1
- package/dist/{tool-contracts-BevD9Ho2.d.ts → tool-contracts-C_xvM9q2.d.ts} +4 -2
- package/dist/tool-contracts.d.ts +1 -1
- package/dist/tool-contracts.js +46 -2
- package/dist/tool-contracts.js.map +1 -1
- package/package.json +1 -1
|
@@ -33,9 +33,9 @@ declare const TENANT_CLIENT_MANIFEST: {
|
|
|
33
33
|
readonly contractVersion: "2026-04-27";
|
|
34
34
|
readonly auth: {
|
|
35
35
|
readonly modes: readonly ["interactive_user", "service_principal", "tenant_api_key", "session_token"];
|
|
36
|
-
readonly principalTypes: readonly ["human", "service", "agent"];
|
|
36
|
+
readonly principalTypes: readonly ["human", "service", "agent", "group", "external_viewer"];
|
|
37
37
|
readonly requiredContextFields: readonly ["tenantId", "workspaceId", "principalId", "authMode", "scopes"];
|
|
38
|
-
readonly optionalContextFields: readonly ["principalType", "roles", "sessionId", "delegationChain"];
|
|
38
|
+
readonly optionalContextFields: readonly ["clerkId", "principalType", "roles", "groupIds", "permittedToolNames", "permittedPackKeys", "principalStatus", "tenantStatus", "workspaceStatus", "permit", "sessionId", "delegationChain"];
|
|
39
39
|
};
|
|
40
40
|
readonly installToken: {
|
|
41
41
|
readonly env: "INSTALL_LUCERN_NPM";
|
|
@@ -236,9 +236,14 @@ declare const TENANT_CLIENT_MANIFEST: {
|
|
|
236
236
|
}];
|
|
237
237
|
};
|
|
238
238
|
readonly sdk: {
|
|
239
|
-
readonly requiredNamespaces: readonly ["bootstrap", "context", "beliefs", "evidence", "questions", "graph", "worktrees", "topics", "edges", "contradictions", "contracts", "graphIntel", "graphIntelligence", "graphAnalysis", "graphRecommendations", "orgGraphSearch", "embeddings", "ontologyLinks", "graphStateClassifier", "tools", "identity", "modelRuntime", "events", "jobs", "telemetry"];
|
|
239
|
+
readonly requiredNamespaces: readonly ["bootstrap", "context", "beliefs", "evidence", "questions", "graph", "worktrees", "topics", "edges", "contradictions", "contracts", "graphIntel", "graphIntelligence", "graphAnalysis", "graphRecommendations", "orgGraphSearch", "embeddings", "ontologyLinks", "graphStateClassifier", "tools", "controlPlane", "identity", "modelRuntime", "events", "jobs", "telemetry"];
|
|
240
240
|
};
|
|
241
241
|
readonly capabilities: readonly [{
|
|
242
|
+
readonly id: "identity.resolve_interactive_principal";
|
|
243
|
+
readonly description: "Resolve a Clerk-authenticated user into a Permit-backed Lucern principal context.";
|
|
244
|
+
readonly surfaces: readonly ["@lucern/sdk", "@lucern/cli", "@lucern/mcp"];
|
|
245
|
+
readonly requiredContextFields: readonly ["principalId", "tenantId", "scopes"];
|
|
246
|
+
}, {
|
|
242
247
|
readonly id: "identity.bootstrap_session";
|
|
243
248
|
readonly description: "Start a scoped Lucern session for a tenant principal.";
|
|
244
249
|
readonly surfaces: readonly ["@lucern/sdk", "@lucern/mcp"];
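Review bot: The eight fields added to `optionalContextFields` in the first hunk include authorization inputs (`groupIds`, `permittedToolNames`, `permittedPackKeys`, `principalStatus`, `tenantStatus`, `workspaceStatus`, `permit`), and nothing visible here says how a consumer should treat a context that omits them. If absence is read as "no restriction" or "active", a context built by an older producer would fail open, so the source manifest should state the intended default, for example `// absent permittedToolNames / permittedPackKeys means nothing is permitted; an absent *Status is never treated as active` (semantics to be confirmed by the authors). The widened `principalTypes` raises the same question: code that branches on the earlier three values needs a deny-by-default path for `group` and `external_viewer`. The runtime arrays `TENANT_CLIENT_PRINCIPAL_TYPES` and `TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS` in the compiled JS section carry the same change. The `TENANT_CLIENT_MANIFEST` declaration starts and ends outside these hunks.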
|
|
@@ -9,7 +9,9 @@ var TENANT_CLIENT_AUTH_MODES = [
|
|
|
9
9
|
var TENANT_CLIENT_PRINCIPAL_TYPES = [
|
|
10
10
|
"human",
|
|
11
11
|
"service",
|
|
12
|
-
"agent"
|
|
12
|
+
"agent",
|
|
13
|
+
"group",
|
|
14
|
+
"external_viewer"
|
|
13
15
|
];
|
|
14
16
|
var TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS = [
|
|
15
17
|
"tenantId",
|
|
@@ -19,8 +21,16 @@ var TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS = [
|
|
|
19
21
|
"scopes"
|
|
20
22
|
];
|
|
21
23
|
var TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS = [
|
|
24
|
+
"clerkId",
|
|
22
25
|
"principalType",
|
|
23
26
|
"roles",
|
|
27
|
+
"groupIds",
|
|
28
|
+
"permittedToolNames",
|
|
29
|
+
"permittedPackKeys",
|
|
30
|
+
"principalStatus",
|
|
31
|
+
"tenantStatus",
|
|
32
|
+
"workspaceStatus",
|
|
33
|
+
"permit",
|
|
24
34
|
"sessionId",
|
|
25
35
|
"delegationChain"
|
|
26
36
|
];
|
|
@@ -290,6 +300,7 @@ var TENANT_CLIENT_REQUIRED_SDK_NAMESPACES = [
|
|
|
290
300
|
"ontologyLinks",
|
|
291
301
|
"graphStateClassifier",
|
|
292
302
|
"tools",
|
|
303
|
+
"controlPlane",
|
|
293
304
|
"identity",
|
|
294
305
|
"modelRuntime",
|
|
295
306
|
"events",
|
|
@@ -297,6 +308,12 @@ var TENANT_CLIENT_REQUIRED_SDK_NAMESPACES = [
|
|
|
297
308
|
"telemetry"
|
|
298
309
|
];
|
|
299
310
|
var TENANT_CLIENT_CAPABILITIES = [
|
|
311
|
+
{
|
|
312
|
+
id: "identity.resolve_interactive_principal",
|
|
313
|
+
description: "Resolve a Clerk-authenticated user into a Permit-backed Lucern principal context.",
|
|
314
|
+
surfaces: ["@lucern/sdk", "@lucern/cli", "@lucern/mcp"],
|
|
315
|
+
requiredContextFields: ["principalId", "tenantId", "scopes"]
|
|
316
|
+
},
|
|
300
317
|
{
|
|
301
318
|
id: "identity.bootstrap_session",
|
|
302
319
|
description: "Start a scoped Lucern session for a tenant principal.",
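Review bot: The new `identity.resolve_interactive_principal` entry in `TENANT_CLIENT_CAPABILITIES` is described as resolving a Clerk-authenticated user, yet its `requiredContextFields` lists only `principalId`, `tenantId` and `scopes`, so neither `authMode` nor the newly added `clerkId` is required for it. If consumers use this list to decide whether a context may exercise the capability (not visible here), a context obtained through any auth mode would satisfy it; consider `requiredContextFields: ["principalId", "tenantId", "scopes", "authMode"]`, or a comment in the source manifest stating that the list describes the resolved output and is not a precondition. The same entry appears in the `capabilities` declaration of the typings section. The array continues past this hunk.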
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../../src/tenant-client.contract.ts","../../src/manifests/tenant-client-manifest.ts"],"names":[],"mappings":";AAcO,IAAM,8BAAA,GAAiC,YAAA;AAEvC,IAAM,wBAAA,GAA2B;AAAA,EACtC,kBAAA;AAAA,EACA,mBAAA;AAAA,EACA,gBAAA;AAAA,EACA;AACF,CAAA;AAGO,IAAM,6BAAA,GAAgC;AAAA,EAC3C,OAAA;AAAA,EACA,SAAA;AAAA,EACA;AACF,CAAA;AAIO,IAAM,qCAAA,GAAwC;AAAA,EACnD,UAAA;AAAA,EACA,aAAA;AAAA,EACA,aAAA;AAAA,EACA,UAAA;AAAA,EACA;AACF,CAAA;AAIO,IAAM,qCAAA,GAAwC;AAAA,EACnD,eAAA;AAAA,EACA,OAAA;AAAA,EACA,WAAA;AAAA,EACA;AACF,CAAA;AAIO,IAAM,+BAAA,GAAkC,oBAAA;AACxC,IAAM,0CAAA,GACX,gBAAA;AACK,IAAM,qDAAA,GAAwD;AAAA,EACnE;AACF,CAAA;AACO,IAAM,kCAAA,GAAqC,CAAC,WAAW,CAAA;AAMvD,IAAM,kCAAA,GAAqC;AAAA,EAChD;AAAA,IACE,WAAA,EAAa,wBAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,eAAA;AAAA,IACb,IAAA,EAAM,kBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,cAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,aAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,qBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,oBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,gBAAA;AAAA,IACb,IAAA,EAAM,eAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,mBAAA;AAAA,IACb,IAAA,EAAM,qBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,uBAAA;AAAA,IACb,IAAA,EAAM,mBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,uBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,gBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,0BAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,oBAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,aAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GAC
tB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,mBAAA;AAAA,IACb,IAAA,EAAM,kBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,wBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,wBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,eAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,0BAAA;AAAA,IACb,IAAA,EAAM,mBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,aAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,iBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,qBAAA;AAAA,IACb,IAAA,EAAM,kBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,iBAAA;AAAA,IACb,IAAA,EAAM,cAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,eAAA;AAAA,IACb,IAAA,EAAM,qBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA;AAExB,CAAA;AAwBO,IAAM,yCACX,kCAAA,CAAmC,GAAA;AAAA,EACjC,CAAC,UAAU,KAAA,CAAM;AACnB,CAAA;AAEK,IAAM,8BAAA,GAAiC;AAAA,EAC5C;AAAA,IACE,EAAA,EAAI,kBAAA;AAAA,IACJ,WAAA,EACE,iGAAA;AAAA,IACF,YAAA,EAAc,CAAC,aAAA,EAAe,wBAAwB,CAAA;AAAA,IACtD,eAAA,EAAiB;AAAA,GACnB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,mBAAA;AAAA,IACJ,WAAA,EACE,+FAAA;AAAA,IACF,YAAA,EAAc,CAAC,eAAA,EAAiB,aAAA,EAAe,wBAAwB,CAAA;AAAA,IACvE,eAAA,EAAiB;AAAA,GACnB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,mBAAA;AAAA,IACJ,WAAA,EACE,kGAAA;AAAA,IACF,YAAA,EAAc,CAAC,uBAAA,EAAyB,0BAA0B,CAAA;AAAA,IAClE,eAAA,EAAiB;AAAA,GACnB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,uBAAA;AAAA,IACJ,WAAA,EACE,yIAAA;AAAA,IACF,YAAA,EAAc,CAAC,oBAAoB,CAAA;AAAA,IACnC,eAAA,EAAiB;AAAA,GACnB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,cAAA;AAAA,IACJ,WAAA,EACE,+FAAA;AAAA,IACF,YAAA,EAAc,CAAC,aAAa,CAAA;AAAA,IAC5B,eAAA,EAAiB;AAAA,GACnB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,aAAA;AAAA,IACJ,WAAA,EACE,sFAAA;AAAA,IACF,YAAA,EAAc,CAAC,aAAa,CAAA;AAAA,IAC5B,eAAA,EAAiB;AAAA,GACnB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,qBAAA;AAAA,IACJ,WAAA,EACE,4FAAA;AAAA,IACF,YAAA,EAAc,CAAC,mBAAA,EAAqB,eAAe,CAAA;AAAA,IACn
D,eAAA,EAAiB;AAAA,GACnB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,YAAA;AAAA,IACJ,WAAA,EACE,2JAAA;AAAA,IACF,YAAA,EAAc,sCAAA;AAAA,IACd,eAAA,EAAiB;AAAA;AAErB,CAAA;AAUO,IAAM,4BAAA,GAA+B;AAAA,EAC1C;AAAA,IACE,WAAA,EAAa,aAAA;AAAA,IACb,OAAA,EAAS,SAAA;AAAA,IACT,QAAA,EAAU,mBAAA;AAAA,IACV,WAAA,EAAa;AAAA,GACf;AAAA,EACA;AAAA,IACE,WAAA,EAAa,eAAA;AAAA,IACb,OAAA,EAAS,SAAA;AAAA,IACT,QAAA,EAAU,mBAAA;AAAA,IACV,WAAA,EAAa;AAAA,GACf;AAAA,EACA;AAAA,IACE,WAAA,EAAa,aAAA;AAAA,IACb,OAAA,EAAS,SAAA;AAAA,IACT,QAAA,EAAU,mBAAA;AAAA,IACV,WAAA,EAAa;AAAA,GACf;AAAA,EACA;AAAA,IACE,WAAA,EAAa,oBAAA;AAAA,IACb,OAAA,EAAS,SAAA;AAAA,IACT,QAAA,EAAU,mBAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,WAAA,EAAa,mBAAA;AAAA,IACb,OAAA,EAAS,UAAA;AAAA,IACT,QAAA,EAAU,mBAAA;AAAA,IACV,WAAA,EAAa;AAAA,GACf;AAAA,EACA;AAAA,IACE,WAAA,EAAa,wBAAA;AAAA,IACb,OAAA,EAAS,SAAA;AAAA,IACT,QAAA,EAAU,mBAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,WAAA,EAAa,eAAA;AAAA,IACb,OAAA,EAAS,UAAA;AAAA,IACT,QAAA,EAAU,mBAAA;AAAA,IACV,WAAA,EAAa;AAAA;AAEjB,CAAA;AAOO,IAAM,sCAAA,GAAyC;AAAA,EACpD;AAAA,IACE,WAAA,EAAa,uBAAA;AAAA,IACb,UAAA,EAAY,qCAAA;AAAA,IACZ,OAAA,EAAS,kBAAA;AAAA,IACT,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,WAAA,EAAa,0BAAA;AAAA,IACb,UAAA,EAAY,wCAAA;AAAA,IACZ,OAAA,EAAS,kBAAA;AAAA,IACT,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,WAAA,EAAa,0BAAA;AAAA,IACb,UAAA,EAAY,yCAAA;AAAA,IACZ,OAAA,EAAS,kBAAA;AAAA,IACT,WAAA,EACE;AAAA;AAEN,CAAA;AAmBO,IAAM,qCAAA,GAAwC;AAAA,EACnD,WAAA;AAAA,EACA,SAAA;AAAA,EACA,SAAA;AAAA,EACA,UAAA;AAAA,EACA,WAAA;AAAA,EACA,OAAA;AAAA,EACA,WAAA;AAAA,EACA,QAAA;AAAA,EACA,OAAA;AAAA,EACA,gBAAA;AAAA,EACA,WAAA;AAAA,EACA,YAAA;AAAA,EACA,mBAAA;AAAA,EACA,eAAA;AAAA,EACA,sBAAA;AAAA,EACA,gBAAA;AAAA,EACA,YAAA;AAAA,EACA,eAAA;AAAA,EACA,sBAAA;AAAA,EACA,OAAA;AAAA,EACA,UAAA;AAAA,EACA,cAAA;AAAA,EACA,QAAA;AAAA,EACA,MAAA;AAAA,EACA;AACF,CAAA;AAIO,IAAM,0BAAA,GAA6B;AAAA,EACxC;AAAA,IACE,EAAA,EAAI,4BAAA;AAAA,IACJ,WAAA,EAAa,uDAAA;AAAA,IACb,QAAA,EAAU,CAAC,aAAA,EAAe,aAAa,CAAA;AAAA,IACvC,qBAAA,EAAuB;AAAA,GACzB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,2BAAA;AAAA,IACJ,WAAA,EA
Aa,wDAAA;AAAA,IACb,QAAA,EAAU,CAAC,aAAA,EAAe,eAAA,EAAiB,aAAa,CAAA;AAAA,IACxD,qBAAA,EAAuB;AAAA,GACzB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,sBAAA;AAAA,IACJ,WAAA,EAAa,sEAAA;AAAA,IACb,QAAA,EAAU,CAAC,aAAA,EAAe,eAAA,EAAiB,aAAa,CAAA;AAAA,IACxD,qBAAA,EAAuB;AAAA,GACzB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,uBAAA;AAAA,IACJ,WAAA,EAAa,0DAAA;AAAA,IACb,QAAA,EAAU,CAAC,aAAA,EAAe,aAAa,CAAA;AAAA,IACvC,qBAAA,EAAuB;AAAA,GACzB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,kCAAA;AAAA,IACJ,WAAA,EACE,kFAAA;AAAA,IACF,QAAA,EAAU,CAAC,aAAA,EAAe,aAAA,EAAe,aAAa,CAAA;AAAA,IACtD,qBAAA,EAAuB;AAAA,GACzB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,mCAAA;AAAA,IACJ,WAAA,EACE,4FAAA;AAAA,IACF,QAAA,EAAU,CAAC,oBAAA,EAAsB,aAAa,CAAA;AAAA,IAC9C,qBAAA,EAAuB;AAAA,GACzB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,6BAAA;AAAA,IACJ,WAAA,EAAa,oDAAA;AAAA,IACb,QAAA,EAAU,CAAC,aAAA,EAAe,eAAA,EAAiB,aAAa,CAAA;AAAA,IACxD,qBAAA,EAAuB;AAAA;AAE3B,CAAA;AAKO,IAAM,6BAAA,GAAgC;AAAA,EAC3C;AAAA,IACE,EAAA,EAAI,iCAAA;AAAA,IACJ,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,0BAAA;AAAA,IACJ,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,2BAAA;AAAA,IACJ,WAAA,EACE;AAAA;AAEN,CAAA;AAIO,IAAM,uCAAA,GAA0C;AAAA,EACrD;AAAA,IACE,EAAA,EAAI,iBAAA;AAAA,IACJ,OAAA,EAAS,2BAAA;AAAA,IACT,WAAA,EAAa;AAAA,GACf;AAAA,EACA;AAAA,IACE,EAAA,EAAI,kBAAA;AAAA,IACJ,OAAA,EAAS,4BAAA;AAAA,IACT,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,0BAAA;AAAA,IACJ,OAAA,EAAS,gDAAA;AAAA,IACT,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,wBAAA;AAAA,IACJ,OAAA,EAAS,4CAAA;AAAA,IACT,WAAA,EAAa;AAAA,GACf;AAAA,EACA;AAAA,IACE,EAAA,EAAI,yBAAA;AAAA,IACJ,OAAA,EAAS,+DAAA;AAAA,IACT,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,0BAAA;AAAA,IACJ,OAAA,EAAS,qDAAA;AAAA,IACT,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,+BAAA;AAAA,IACJ,OAAA,EAAS,mEAAA;AAAA,IACT,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,sBAAA;AAAA,IACJ,OAAA,EAAS,aAAA;AAAA,IACT,WAAA,EACE;AAAA;AAEN,CAAA;;;ACvdO,IAAM,sBAAA,GAAyB;AAAA,EACpC,eAAA,EAAiB,OAAA;AAAA,EACjB,eAAA,EAAiB,8BAAA;AAAA,EACjB,IAAA,EAAM;AAAA,IACJ,KAAA,EAAO,wBAAA;AAAA,IACP,cAAA,EAAgB,6BAAA;AAAA,IAChB,qBA
AA,EAAuB,qCAAA;AAAA,IACvB,qBAAA,EAAuB;AAAA,GACzB;AAAA,EACA,YAAA,EAAc;AAAA,IACZ,GAAA,EAAK,+BAAA;AAAA,IACL,aAAA,EAAe,0CAAA;AAAA,IACf,uBAAA,EAAyB,qDAAA;AAAA,IACzB,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA,QAAA,EAAU;AAAA,IACR,WAAA,EAAa,kCAAA;AAAA,IACb,eAAA,EAAiB,8BAAA;AAAA,IACjB,aAAA,EAAe,4BAAA;AAAA,IACf,sBAAA,EAAwB;AAAA,GAC1B;AAAA,EACA,GAAA,EAAK;AAAA,IACH,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA,YAAA,EAAc,0BAAA;AAAA,EACd,cAAA,EAAgB,6BAAA;AAAA,EAChB,uBAAA,EAAyB;AAC3B","file":"tenant-client-manifest.js","sourcesContent":["/**\n * Tenant client contract\n *\n * Defines the generic boundary for any customer-owned product that consumes\n * Lucern through the SDK, hosted API, or MCP server. Tenant clients may run\n * their own UI, auth provider, deployment, and data plane, but reasoning\n * operations must enter through the published packages below.\n */\n\nimport type {\n SessionAuthMode,\n SessionPrincipalType,\n} from \"./auth.contract\";\n\nexport const TENANT_CLIENT_CONTRACT_VERSION = \"2026-04-27\" as const;\n\nexport const TENANT_CLIENT_AUTH_MODES = [\n \"interactive_user\",\n \"service_principal\",\n \"tenant_api_key\",\n \"session_token\",\n] as const satisfies readonly SessionAuthMode[];\nexport type TenantClientAuthMode = (typeof TENANT_CLIENT_AUTH_MODES)[number];\n\nexport const TENANT_CLIENT_PRINCIPAL_TYPES = [\n \"human\",\n \"service\",\n \"agent\",\n] as const satisfies readonly SessionPrincipalType[];\nexport type TenantClientPrincipalType =\n (typeof TENANT_CLIENT_PRINCIPAL_TYPES)[number];\n\nexport const TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS = [\n \"tenantId\",\n \"workspaceId\",\n \"principalId\",\n \"authMode\",\n \"scopes\",\n] as const;\nexport type TenantClientRequiredContextField =\n (typeof TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS)[number];\n\nexport const TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS = [\n \"principalType\",\n \"roles\",\n \"sessionId\",\n \"delegationChain\",\n] as const;\nexport type TenantClientOptionalContextField =\n (typeof 
TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS)[number];\n\nexport const TENANT_CLIENT_INSTALL_TOKEN_ENV = \"INSTALL_LUCERN_NPM\" as const;\nexport const TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH =\n \"tenants/shared\" as const;\nexport const TENANT_CLIENT_FORBIDDEN_INSTALL_TOKEN_INFISICAL_PATHS = [\n \"/platform/publish\",\n] as const;\nexport const TENANT_CLIENT_FORBIDDEN_SECRET_ENV = [\"NPM_TOKEN\"] as const;\nexport type TenantClientForbiddenInstallTokenInfisicalPath =\n (typeof TENANT_CLIENT_FORBIDDEN_INSTALL_TOKEN_INFISICAL_PATHS)[number];\nexport type TenantClientForbiddenSecretEnv =\n (typeof TENANT_CLIENT_FORBIDDEN_SECRET_ENV)[number];\n\nexport const TENANT_CLIENT_INSTALLABLE_PACKAGES = [\n {\n packageName: \"@lucern/access-control\",\n role: \"runtime_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/agent\",\n role: \"platform_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/auth\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/cli\",\n role: \"developer_tool\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/client-core\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/confidence\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/config\",\n role: \"configuration\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/contracts\",\n role: \"contract_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/control-plane\",\n role: \"component_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/developer-kit\",\n role: \"developer_tool\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/events\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/graph-primitives\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: 
\"@lucern/graph-sync\",\n role: \"host_addon_runtime\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/mcp\",\n role: \"runtime_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/pack-host\",\n role: \"platform_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/pack-installer\",\n role: \"developer_tool\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/proof-compiler\",\n role: \"developer_tool\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/react\",\n role: \"runtime_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/reasoning-kernel\",\n role: \"component_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/sdk\",\n role: \"runtime_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/secrets\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/server-core\",\n role: \"platform_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/testing\",\n role: \"test_support\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/types\",\n role: \"contract_entrypoint\",\n directTenantImport: true,\n },\n] as const;\nexport type TenantClientInstallablePackage =\n (typeof TENANT_CLIENT_INSTALLABLE_PACKAGES)[number];\nexport type TenantClientPackageRole = TenantClientInstallablePackage[\"role\"];\nexport type TenantClientInstallablePackageName =\n TenantClientInstallablePackage[\"packageName\"];\n\n/**\n * Direct package installs are package.json entries owned by the tenant repo.\n * Direct imports are source-code imports that tenant application code may use.\n *\n * These concepts intentionally differ: `@lucern/cli` is a direct install when a\n * tenant repo needs the `lucern` binary, but it is not a direct application\n * import. 
`@lucern/reasoning-kernel` and `@lucern/control-plane` are direct installs\n * for Convex component binding, while tenant app code should only import their\n * explicit component config subpaths.\n */\nexport type TenantClientInstallProfile = {\n id: string;\n description: string;\n packageNames: readonly TenantClientInstallablePackageName[];\n dependencyField: \"dependencies\" | \"devDependencies\" | \"mixed\";\n};\n\nexport const TENANT_CLIENT_FULL_SUITE_PACKAGE_NAMES =\n TENANT_CLIENT_INSTALLABLE_PACKAGES.map(\n (entry) => entry.packageName\n ) as readonly TenantClientInstallablePackageName[];\n\nexport const TENANT_CLIENT_INSTALL_PROFILES = [\n {\n id: \"core_app_runtime\",\n description:\n \"Smallest tenant app/runtime install for typed Lucern API calls plus tool-access policy helpers.\",\n packageNames: [\"@lucern/sdk\", \"@lucern/access-control\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"react_app_runtime\",\n description:\n \"React tenant app install for hooks, provider, curated graph components, and direct SDK calls.\",\n packageNames: [\"@lucern/react\", \"@lucern/sdk\", \"@lucern/access-control\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"convex_components\",\n description:\n \"Tenant Convex host install for binding the Lucern control-plane and reasoning-kernel components.\",\n packageNames: [\"@lucern/control-plane\", \"@lucern/reasoning-kernel\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"graph_mirroring_addon\",\n description:\n \"Optional tenant Convex host install for Neo4j graph projection, edge topology writes, backfill, health checks, and query proxy helpers.\",\n packageNames: [\"@lucern/graph-sync\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"operator_cli\",\n description:\n \"Developer/operator install for the `lucern` binary, including tenant bootstrap seed commands.\",\n packageNames: [\"@lucern/cli\"],\n dependencyField: \"devDependencies\",\n },\n {\n id: \"mcp_runtime\",\n description:\n 
\"Agent runtime install for the standalone Lucern MCP server and hosted route helpers.\",\n packageNames: [\"@lucern/mcp\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"contracts_and_types\",\n description:\n \"Compile-time contract/type install for codegen, audits, and tenant integration validation.\",\n packageNames: [\"@lucern/contracts\", \"@lucern/types\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"full_suite\",\n description:\n \"Full coherent Lucern package suite for design-partner repos that want every published runtime, tool, component, test, and config package pinned together.\",\n packageNames: TENANT_CLIENT_FULL_SUITE_PACKAGE_NAMES,\n dependencyField: \"mixed\",\n },\n] as const satisfies readonly TenantClientInstallProfile[];\nexport type TenantClientInstallProfileId =\n (typeof TENANT_CLIENT_INSTALL_PROFILES)[number][\"id\"];\n\n/**\n * Direct imports tenant-owned product code may use. This is intentionally\n * smaller than TENANT_CLIENT_INSTALLABLE_PACKAGES: several publishable packages\n * are installed as SDK dependencies, tooling, or platform runtimes but should\n * not become the application integration surface.\n */\nexport const TENANT_CLIENT_PUBLIC_IMPORTS = [\n {\n packageName: \"@lucern/sdk\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description: \"TypeScript SDK runtime and generated operation namespaces.\",\n },\n {\n packageName: \"@lucern/react\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description: \"React bindings for tenant-owned UI applications.\",\n },\n {\n packageName: \"@lucern/mcp\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description: \"MCP client/server entry points and hosted route helpers.\",\n },\n {\n packageName: \"@lucern/graph-sync\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description:\n \"Optional Neo4j graph mirroring host actions, edge API, query proxy, backfill, and health helpers.\",\n },\n {\n packageName: 
\"@lucern/contracts\",\n surface: \"contract\",\n subpaths: \"published_exports\",\n description: \"Published type and manifest contracts.\",\n },\n {\n packageName: \"@lucern/access-control\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description:\n \"Tenant runtime access-control helpers, including effective tool access.\",\n },\n {\n packageName: \"@lucern/types\",\n surface: \"contract\",\n subpaths: \"published_exports\",\n description: \"Published type-only helpers for tenant integration code.\",\n },\n] as const;\nexport type TenantClientPublicImport =\n (typeof TENANT_CLIENT_PUBLIC_IMPORTS)[number];\nexport type TenantClientPublicPackage =\n TenantClientPublicImport[\"packageName\"];\nexport type TenantClientPublicSurface = TenantClientPublicImport[\"surface\"];\n\nexport const TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS = [\n {\n packageName: \"@lucern/control-plane\",\n importPath: \"@lucern/control-plane/convex.config\",\n surface: \"component_config\",\n description:\n \"Convex component binding config for tenant deployments that install the Lucern control plane.\",\n },\n {\n packageName: \"@lucern/reasoning-kernel\",\n importPath: \"@lucern/reasoning-kernel/convex.config\",\n surface: \"component_config\",\n description:\n \"Convex component binding config for tenant deployments that install the Lucern reasoning kernel.\",\n },\n {\n packageName: \"@lucern/reasoning-kernel\",\n importPath: \"@lucern/reasoning-kernel/runtime.config\",\n surface: \"component_config\",\n description:\n \"Runtime config alias for tenant deployments that install the Lucern reasoning kernel.\",\n },\n] as const;\nexport type TenantClientComponentConfigImport =\n (typeof TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS)[number];\nexport type TenantClientAllowedImport =\n | TenantClientPublicImport\n | TenantClientComponentConfigImport;\n\nexport function findTenantClientInstallablePackage(\n packageName: string\n): TenantClientInstallablePackage | undefined {\n return 
TENANT_CLIENT_INSTALLABLE_PACKAGES.find(\n (entry) => entry.packageName === packageName\n );\n}\n\nexport function isTenantClientInstallablePackage(packageName: string): boolean {\n return Boolean(findTenantClientInstallablePackage(packageName));\n}\n\nexport const TENANT_CLIENT_REQUIRED_SDK_NAMESPACES = [\n \"bootstrap\",\n \"context\",\n \"beliefs\",\n \"evidence\",\n \"questions\",\n \"graph\",\n \"worktrees\",\n \"topics\",\n \"edges\",\n \"contradictions\",\n \"contracts\",\n \"graphIntel\",\n \"graphIntelligence\",\n \"graphAnalysis\",\n \"graphRecommendations\",\n \"orgGraphSearch\",\n \"embeddings\",\n \"ontologyLinks\",\n \"graphStateClassifier\",\n \"tools\",\n \"identity\",\n \"modelRuntime\",\n \"events\",\n \"jobs\",\n \"telemetry\",\n] as const;\nexport type TenantClientRequiredSdkNamespace =\n (typeof TENANT_CLIENT_REQUIRED_SDK_NAMESPACES)[number];\n\nexport const TENANT_CLIENT_CAPABILITIES = [\n {\n id: \"identity.bootstrap_session\",\n description: \"Start a scoped Lucern session for a tenant principal.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.context.compile\",\n description: \"Compile tenant and workspace scoped reasoning context.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/react\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.graph.read\",\n description: \"Read beliefs, evidence, questions, topics, graph edges, and lineage.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/react\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.graph.write\",\n description: \"Create and update graph objects through authorized APIs.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.graph_intelligence.run\",\n description:\n \"Discover and run Graph 
Intelligence query recipes for structural graph analysis.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/cli\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.graph_mirroring.install\",\n description:\n \"Install and run the optional Neo4j graph mirror for paid or enterprise tenant deployments.\",\n surfaces: [\"@lucern/graph-sync\", \"@lucern/cli\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"workflow.worktree_lifecycle\",\n description: \"Create, review, merge, and close scoped worktrees.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/react\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n] as const;\nexport type TenantClientCapability =\n (typeof TENANT_CLIENT_CAPABILITIES)[number];\nexport type TenantClientCapabilityId = TenantClientCapability[\"id\"];\n\nexport const TENANT_CLIENT_ISOLATION_RULES = [\n {\n id: \"tenant_workspace_scope_required\",\n description:\n \"Runtime operations must resolve both tenantId and workspaceId before reaching Lucern reasoning state.\",\n },\n {\n id: \"principal_audit_required\",\n description:\n \"Runtime operations must carry principalId, authMode, and scopes for audit attribution.\",\n },\n {\n id: \"no_private_lucern_imports\",\n description:\n \"Tenant code must not import Lucern source, Convex internals, generated adapters, or unpublished package internals.\",\n },\n] as const;\nexport type TenantClientIsolationRule =\n (typeof TENANT_CLIENT_ISOLATION_RULES)[number];\n\nexport const TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS = [\n {\n id: \"deep_src_import\",\n pattern: \"^@lucern/[^/]+/src(?:/|$)\",\n description: \"Published packages must not be bypassed through src paths.\",\n },\n {\n id: \"deep_dist_import\",\n pattern: \"^@lucern/[^/]+/dist(?:/|$)\",\n description:\n \"Published package exports must be used instead of dist file paths.\",\n },\n {\n id: \"generated_adapter_import\",\n 
pattern: \"^@lucern/[^/]+/(?:adapters/)?_generated(?:/|$)\",\n description:\n \"Generated Lucern adapters are internal deployment artifacts.\",\n },\n {\n id: \"private_runtime_import\",\n pattern: \"^@lucern/[^/]+/(?:internal|private)(?:/|$)\",\n description: \"Internal and private package subpaths are not public SDK API.\",\n },\n {\n id: \"workspace_source_import\",\n pattern: \"^(?:packages|modules|services|lucern|apps)/(?:.+/)?src(?:/|$)\",\n description:\n \"Tenant clients must not import source files from the Lucern monorepo.\",\n },\n {\n id: \"root_alias_lucern_import\",\n pattern: \"^@/(?:lucern|packages|modules|services|apps)(?:/|$)\",\n description:\n \"Tenant clients must not depend on Lucern repo-local path aliases.\",\n },\n {\n id: \"relative_lucern_source_import\",\n pattern: \"^\\\\.\\\\.?/(?:.+/)?(?:packages|modules|services|lucern|apps)(?:/|$)\",\n description:\n \"Tenant clients must not reach back into Lucern source through relative paths.\",\n },\n {\n id: \"monorepo_path_import\",\n pattern: \"lucern-repo\",\n description:\n \"Absolute imports that name the Lucern repository are not portable tenant code.\",\n },\n] as const;\nexport type TenantClientForbiddenImportPattern =\n (typeof TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS)[number];\nexport type TenantClientForbiddenImportPatternId =\n TenantClientForbiddenImportPattern[\"id\"];\n\nexport type TenantClientImportDecision =\n | \"public\"\n | \"forbidden\"\n | \"local\"\n | \"external\";\n\nexport type TenantClientImportClassification = {\n importPath: string;\n decision: TenantClientImportDecision;\n publicImport?: TenantClientAllowedImport;\n pattern?: TenantClientForbiddenImportPattern;\n reason: string;\n};\n\nfunction matchesPublicImport(\n importPath: string\n): TenantClientAllowedImport | undefined {\n const componentConfig = TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS.find(\n (entry) => importPath === entry.importPath\n );\n if (componentConfig) {\n return componentConfig;\n }\n\n return 
TENANT_CLIENT_PUBLIC_IMPORTS.find(\n (entry) =>\n importPath === entry.packageName ||\n importPath.startsWith(`${entry.packageName}/`)\n );\n}\n\nfunction matchesForbiddenPattern(\n importPath: string\n): TenantClientForbiddenImportPattern | undefined {\n return TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS.find((entry) =>\n new RegExp(entry.pattern, \"u\").test(importPath)\n );\n}\n\nexport function classifyTenantClientImport(\n importPath: string\n): TenantClientImportClassification {\n const normalizedImportPath = importPath.trim();\n const pattern = matchesForbiddenPattern(normalizedImportPath);\n\n if (pattern) {\n return {\n importPath: normalizedImportPath,\n decision: \"forbidden\",\n pattern,\n reason: pattern.description,\n };\n }\n\n const publicImport = matchesPublicImport(normalizedImportPath);\n if (publicImport) {\n return {\n importPath: normalizedImportPath,\n decision: \"public\",\n publicImport,\n reason: publicImport.description,\n };\n }\n\n if (normalizedImportPath.startsWith(\"@lucern/\")) {\n return {\n importPath: normalizedImportPath,\n decision: \"forbidden\",\n reason:\n \"This @lucern package is not part of the tenant client public surface.\",\n };\n }\n\n if (\n normalizedImportPath.startsWith(\"./\") ||\n normalizedImportPath.startsWith(\"../\")\n ) {\n return {\n importPath: normalizedImportPath,\n decision: \"local\",\n reason: \"Local tenant-owned import.\",\n };\n }\n\n return {\n importPath: normalizedImportPath,\n decision: \"external\",\n reason: \"External dependency outside the Lucern package namespace.\",\n };\n}\n\nexport function isTenantClientPublicImport(importPath: string): boolean {\n return classifyTenantClientImport(importPath).decision === \"public\";\n}\n\nexport function isTenantClientComponentConfigImport(\n importPath: string\n): boolean {\n return TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS.some(\n (entry) => importPath === entry.importPath\n );\n}\n\nexport function isTenantClientAllowedImport(importPath: string): 
boolean {\n return classifyTenantClientImport(importPath).decision === \"public\";\n}\n\nexport function assertTenantClientImportAllowed(importPath: string): void {\n const classification = classifyTenantClientImport(importPath);\n if (classification.decision !== \"forbidden\") {\n return;\n }\n\n throw new Error(formatTenantClientImportViolation(classification));\n}\n\nexport function formatTenantClientImportViolation(\n classification: TenantClientImportClassification\n): string {\n const patternId = classification.pattern\n ? ` [${classification.pattern.id}]`\n : \"\";\n return `Tenant client import is not allowed${patternId}: ${classification.importPath}. ${classification.reason}`;\n}\n","import {\n TENANT_CLIENT_AUTH_MODES,\n TENANT_CLIENT_CAPABILITIES,\n TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS,\n TENANT_CLIENT_CONTRACT_VERSION,\n TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS,\n TENANT_CLIENT_FORBIDDEN_INSTALL_TOKEN_INFISICAL_PATHS,\n TENANT_CLIENT_FORBIDDEN_SECRET_ENV,\n TENANT_CLIENT_INSTALLABLE_PACKAGES,\n TENANT_CLIENT_INSTALL_PROFILES,\n TENANT_CLIENT_INSTALL_TOKEN_ENV,\n TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH,\n TENANT_CLIENT_ISOLATION_RULES,\n TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS,\n TENANT_CLIENT_PRINCIPAL_TYPES,\n TENANT_CLIENT_PUBLIC_IMPORTS,\n TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n TENANT_CLIENT_REQUIRED_SDK_NAMESPACES,\n} from \"../tenant-client.contract\";\n\nexport type TenantClientManifest = {\n readonly manifestVersion: \"1.0.0\";\n readonly contractVersion: typeof TENANT_CLIENT_CONTRACT_VERSION;\n readonly auth: {\n readonly modes: typeof TENANT_CLIENT_AUTH_MODES;\n readonly principalTypes: typeof TENANT_CLIENT_PRINCIPAL_TYPES;\n readonly requiredContextFields: typeof TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS;\n readonly optionalContextFields: typeof TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS;\n };\n readonly installToken: {\n readonly env: typeof TENANT_CLIENT_INSTALL_TOKEN_ENV;\n readonly infisicalPath: typeof 
TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH;\n readonly forbiddenInfisicalPaths: typeof TENANT_CLIENT_FORBIDDEN_INSTALL_TOKEN_INFISICAL_PATHS;\n readonly forbiddenSecretEnv: typeof TENANT_CLIENT_FORBIDDEN_SECRET_ENV;\n };\n readonly packages: {\n readonly installable: typeof TENANT_CLIENT_INSTALLABLE_PACKAGES;\n readonly installProfiles: typeof TENANT_CLIENT_INSTALL_PROFILES;\n readonly directImports: typeof TENANT_CLIENT_PUBLIC_IMPORTS;\n readonly componentConfigImports: typeof TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS;\n };\n readonly sdk: {\n readonly requiredNamespaces: typeof TENANT_CLIENT_REQUIRED_SDK_NAMESPACES;\n };\n readonly capabilities: typeof TENANT_CLIENT_CAPABILITIES;\n readonly isolationRules: typeof TENANT_CLIENT_ISOLATION_RULES;\n readonly forbiddenImportPatterns: typeof TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS;\n};\n\nexport const TENANT_CLIENT_MANIFEST = {\n manifestVersion: \"1.0.0\",\n contractVersion: TENANT_CLIENT_CONTRACT_VERSION,\n auth: {\n modes: TENANT_CLIENT_AUTH_MODES,\n principalTypes: TENANT_CLIENT_PRINCIPAL_TYPES,\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n optionalContextFields: TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS,\n },\n installToken: {\n env: TENANT_CLIENT_INSTALL_TOKEN_ENV,\n infisicalPath: TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH,\n forbiddenInfisicalPaths: TENANT_CLIENT_FORBIDDEN_INSTALL_TOKEN_INFISICAL_PATHS,\n forbiddenSecretEnv: TENANT_CLIENT_FORBIDDEN_SECRET_ENV,\n },\n packages: {\n installable: TENANT_CLIENT_INSTALLABLE_PACKAGES,\n installProfiles: TENANT_CLIENT_INSTALL_PROFILES,\n directImports: TENANT_CLIENT_PUBLIC_IMPORTS,\n componentConfigImports: TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS,\n },\n sdk: {\n requiredNamespaces: TENANT_CLIENT_REQUIRED_SDK_NAMESPACES,\n },\n capabilities: TENANT_CLIENT_CAPABILITIES,\n isolationRules: TENANT_CLIENT_ISOLATION_RULES,\n forbiddenImportPatterns: TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS,\n} as const satisfies TenantClientManifest;\n"]}
|
|
1
|
+
{"version":3,"sources":["../../src/tenant-client.contract.ts","../../src/manifests/tenant-client-manifest.ts"],"names":[],"mappings":";AAcO,IAAM,8BAAA,GAAiC,YAAA;AAEvC,IAAM,wBAAA,GAA2B;AAAA,EACtC,kBAAA;AAAA,EACA,mBAAA;AAAA,EACA,gBAAA;AAAA,EACA;AACF,CAAA;AAGO,IAAM,6BAAA,GAAgC;AAAA,EAC3C,OAAA;AAAA,EACA,SAAA;AAAA,EACA,OAAA;AAAA,EACA,OAAA;AAAA,EACA;AACF,CAAA;AAIO,IAAM,qCAAA,GAAwC;AAAA,EACnD,UAAA;AAAA,EACA,aAAA;AAAA,EACA,aAAA;AAAA,EACA,UAAA;AAAA,EACA;AACF,CAAA;AAIO,IAAM,qCAAA,GAAwC;AAAA,EACnD,SAAA;AAAA,EACA,eAAA;AAAA,EACA,OAAA;AAAA,EACA,UAAA;AAAA,EACA,oBAAA;AAAA,EACA,mBAAA;AAAA,EACA,iBAAA;AAAA,EACA,cAAA;AAAA,EACA,iBAAA;AAAA,EACA,QAAA;AAAA,EACA,WAAA;AAAA,EACA;AACF,CAAA;AAIO,IAAM,+BAAA,GAAkC,oBAAA;AACxC,IAAM,0CAAA,GACX,gBAAA;AACK,IAAM,qDAAA,GAAwD;AAAA,EACnE;AACF,CAAA;AACO,IAAM,kCAAA,GAAqC,CAAC,WAAW,CAAA;AAMvD,IAAM,kCAAA,GAAqC;AAAA,EAChD;AAAA,IACE,WAAA,EAAa,wBAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,eAAA;AAAA,IACb,IAAA,EAAM,kBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,cAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,aAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,qBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,oBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,gBAAA;AAAA,IACb,IAAA,EAAM,eAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,mBAAA;AAAA,IACb,IAAA,EAAM,qBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,uBAAA;AAAA,IACb,IAAA,EAAM,mBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,uBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,gBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,0BAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,oB
AAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,aAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,mBAAA;AAAA,IACb,IAAA,EAAM,kBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,wBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,wBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,eAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,0BAAA;AAAA,IACb,IAAA,EAAM,mBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,aAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,iBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,qBAAA;AAAA,IACb,IAAA,EAAM,kBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,iBAAA;AAAA,IACb,IAAA,EAAM,cAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,eAAA;AAAA,IACb,IAAA,EAAM,qBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA;AAExB,CAAA;AAwBO,IAAM,yCACX,kCAAA,CAAmC,GAAA;AAAA,EACjC,CAAC,UAAU,KAAA,CAAM;AACnB,CAAA;AAEK,IAAM,8BAAA,GAAiC;AAAA,EAC5C;AAAA,IACE,EAAA,EAAI,kBAAA;AAAA,IACJ,WAAA,EACE,iGAAA;AAAA,IACF,YAAA,EAAc,CAAC,aAAA,EAAe,wBAAwB,CAAA;AAAA,IACtD,eAAA,EAAiB;AAAA,GACnB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,mBAAA;AAAA,IACJ,WAAA,EACE,+FAAA;AAAA,IACF,YAAA,EAAc,CAAC,eAAA,EAAiB,aAAA,EAAe,wBAAwB,CAAA;AAAA,IACvE,eAAA,EAAiB;AAAA,GACnB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,mBAAA;AAAA,IACJ,WAAA,EACE,kGAAA;AAAA,IACF,YAAA,EAAc,CAAC,uBAAA,EAAyB,0BAA0B,CAAA;AAAA,IAClE,eAAA,EAAiB;AAAA,GACnB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,uBAAA;AAAA,IACJ,WAAA,EACE,yIAAA;AAAA,IACF,YAAA,EAAc,CAAC,oBAAoB,CAAA;AAAA,IACnC,eAAA,EAAiB;AAAA,GACnB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,cAAA;AAAA,IACJ,WAAA,EACE,+FAAA;AAAA,IACF,YAAA,EAAc,CAAC,aAAa,CAAA;AAAA,IAC5B,eAAA,EAAiB;AAAA,GACnB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,aAAA;AAAA,IACJ,WAAA,EACE,sFAAA;AAAA,IACF,YAAA,EAAc,CAAC,aAAa,CA
AA;AAAA,IAC5B,eAAA,EAAiB;AAAA,GACnB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,qBAAA;AAAA,IACJ,WAAA,EACE,4FAAA;AAAA,IACF,YAAA,EAAc,CAAC,mBAAA,EAAqB,eAAe,CAAA;AAAA,IACnD,eAAA,EAAiB;AAAA,GACnB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,YAAA;AAAA,IACJ,WAAA,EACE,2JAAA;AAAA,IACF,YAAA,EAAc,sCAAA;AAAA,IACd,eAAA,EAAiB;AAAA;AAErB,CAAA;AAUO,IAAM,4BAAA,GAA+B;AAAA,EAC1C;AAAA,IACE,WAAA,EAAa,aAAA;AAAA,IACb,OAAA,EAAS,SAAA;AAAA,IACT,QAAA,EAAU,mBAAA;AAAA,IACV,WAAA,EAAa;AAAA,GACf;AAAA,EACA;AAAA,IACE,WAAA,EAAa,eAAA;AAAA,IACb,OAAA,EAAS,SAAA;AAAA,IACT,QAAA,EAAU,mBAAA;AAAA,IACV,WAAA,EAAa;AAAA,GACf;AAAA,EACA;AAAA,IACE,WAAA,EAAa,aAAA;AAAA,IACb,OAAA,EAAS,SAAA;AAAA,IACT,QAAA,EAAU,mBAAA;AAAA,IACV,WAAA,EAAa;AAAA,GACf;AAAA,EACA;AAAA,IACE,WAAA,EAAa,oBAAA;AAAA,IACb,OAAA,EAAS,SAAA;AAAA,IACT,QAAA,EAAU,mBAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,WAAA,EAAa,mBAAA;AAAA,IACb,OAAA,EAAS,UAAA;AAAA,IACT,QAAA,EAAU,mBAAA;AAAA,IACV,WAAA,EAAa;AAAA,GACf;AAAA,EACA;AAAA,IACE,WAAA,EAAa,wBAAA;AAAA,IACb,OAAA,EAAS,SAAA;AAAA,IACT,QAAA,EAAU,mBAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,WAAA,EAAa,eAAA;AAAA,IACb,OAAA,EAAS,UAAA;AAAA,IACT,QAAA,EAAU,mBAAA;AAAA,IACV,WAAA,EAAa;AAAA;AAEjB,CAAA;AAOO,IAAM,sCAAA,GAAyC;AAAA,EACpD;AAAA,IACE,WAAA,EAAa,uBAAA;AAAA,IACb,UAAA,EAAY,qCAAA;AAAA,IACZ,OAAA,EAAS,kBAAA;AAAA,IACT,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,WAAA,EAAa,0BAAA;AAAA,IACb,UAAA,EAAY,wCAAA;AAAA,IACZ,OAAA,EAAS,kBAAA;AAAA,IACT,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,WAAA,EAAa,0BAAA;AAAA,IACb,UAAA,EAAY,yCAAA;AAAA,IACZ,OAAA,EAAS,kBAAA;AAAA,IACT,WAAA,EACE;AAAA;AAEN,CAAA;AAmBO,IAAM,qCAAA,GAAwC;AAAA,EACnD,WAAA;AAAA,EACA,SAAA;AAAA,EACA,SAAA;AAAA,EACA,UAAA;AAAA,EACA,WAAA;AAAA,EACA,OAAA;AAAA,EACA,WAAA;AAAA,EACA,QAAA;AAAA,EACA,OAAA;AAAA,EACA,gBAAA;AAAA,EACA,WAAA;AAAA,EACA,YAAA;AAAA,EACA,mBAAA;AAAA,EACA,eAAA;AAAA,EACA,sBAAA;AAAA,EACA,gBAAA;AAAA,EACA,YAAA;AAAA,EACA,eAAA;AAAA,EACA,sBAAA;AAAA,EACA,OAAA;AAAA,EACA,cAAA;AAAA,EACA,UAAA;AAAA,EACA,cAAA;AAAA,EACA,QAAA;AAAA,EACA,MAAA;AAAA,EACA;AACF,CAAA;AAIO,IAAM,0BAAA,GAA6B;AAAA,EACxC;AAAA,IACE,EAAA,
EAAI,wCAAA;AAAA,IACJ,WAAA,EACE,mFAAA;AAAA,IACF,QAAA,EAAU,CAAC,aAAA,EAAe,aAAA,EAAe,aAAa,CAAA;AAAA,IACtD,qBAAA,EAAuB,CAAC,aAAA,EAAe,UAAA,EAAY,QAAQ;AAAA,GAC7D;AAAA,EACA;AAAA,IACE,EAAA,EAAI,4BAAA;AAAA,IACJ,WAAA,EAAa,uDAAA;AAAA,IACb,QAAA,EAAU,CAAC,aAAA,EAAe,aAAa,CAAA;AAAA,IACvC,qBAAA,EAAuB;AAAA,GACzB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,2BAAA;AAAA,IACJ,WAAA,EAAa,wDAAA;AAAA,IACb,QAAA,EAAU,CAAC,aAAA,EAAe,eAAA,EAAiB,aAAa,CAAA;AAAA,IACxD,qBAAA,EAAuB;AAAA,GACzB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,sBAAA;AAAA,IACJ,WAAA,EAAa,sEAAA;AAAA,IACb,QAAA,EAAU,CAAC,aAAA,EAAe,eAAA,EAAiB,aAAa,CAAA;AAAA,IACxD,qBAAA,EAAuB;AAAA,GACzB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,uBAAA;AAAA,IACJ,WAAA,EAAa,0DAAA;AAAA,IACb,QAAA,EAAU,CAAC,aAAA,EAAe,aAAa,CAAA;AAAA,IACvC,qBAAA,EAAuB;AAAA,GACzB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,kCAAA;AAAA,IACJ,WAAA,EACE,kFAAA;AAAA,IACF,QAAA,EAAU,CAAC,aAAA,EAAe,aAAA,EAAe,aAAa,CAAA;AAAA,IACtD,qBAAA,EAAuB;AAAA,GACzB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,mCAAA;AAAA,IACJ,WAAA,EACE,4FAAA;AAAA,IACF,QAAA,EAAU,CAAC,oBAAA,EAAsB,aAAa,CAAA;AAAA,IAC9C,qBAAA,EAAuB;AAAA,GACzB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,6BAAA;AAAA,IACJ,WAAA,EAAa,oDAAA;AAAA,IACb,QAAA,EAAU,CAAC,aAAA,EAAe,eAAA,EAAiB,aAAa,CAAA;AAAA,IACxD,qBAAA,EAAuB;AAAA;AAE3B,CAAA;AAKO,IAAM,6BAAA,GAAgC;AAAA,EAC3C;AAAA,IACE,EAAA,EAAI,iCAAA;AAAA,IACJ,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,0BAAA;AAAA,IACJ,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,2BAAA;AAAA,IACJ,WAAA,EACE;AAAA;AAEN,CAAA;AAIO,IAAM,uCAAA,GAA0C;AAAA,EACrD;AAAA,IACE,EAAA,EAAI,iBAAA;AAAA,IACJ,OAAA,EAAS,2BAAA;AAAA,IACT,WAAA,EAAa;AAAA,GACf;AAAA,EACA;AAAA,IACE,EAAA,EAAI,kBAAA;AAAA,IACJ,OAAA,EAAS,4BAAA;AAAA,IACT,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,0BAAA;AAAA,IACJ,OAAA,EAAS,gDAAA;AAAA,IACT,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,wBAAA;AAAA,IACJ,OAAA,EAAS,4CAAA;AAAA,IACT,WAAA,EAAa;AAAA,GACf;AAAA,EACA;AAAA,IACE,EAAA,EAAI,yBAAA;AAAA,IACJ,OAAA,EAAS,+DAAA;AAAA,IACT,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,0BAAA;AAAA,IACJ,OAAA,EAAS,qDAAA;AAAA,IACT,WAAA,EACE;AAAA,GACJ;AAAA,E
ACA;AAAA,IACE,EAAA,EAAI,+BAAA;AAAA,IACJ,OAAA,EAAS,mEAAA;AAAA,IACT,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,sBAAA;AAAA,IACJ,OAAA,EAAS,aAAA;AAAA,IACT,WAAA,EACE;AAAA;AAEN,CAAA;;;ACzeO,IAAM,sBAAA,GAAyB;AAAA,EACpC,eAAA,EAAiB,OAAA;AAAA,EACjB,eAAA,EAAiB,8BAAA;AAAA,EACjB,IAAA,EAAM;AAAA,IACJ,KAAA,EAAO,wBAAA;AAAA,IACP,cAAA,EAAgB,6BAAA;AAAA,IAChB,qBAAA,EAAuB,qCAAA;AAAA,IACvB,qBAAA,EAAuB;AAAA,GACzB;AAAA,EACA,YAAA,EAAc;AAAA,IACZ,GAAA,EAAK,+BAAA;AAAA,IACL,aAAA,EAAe,0CAAA;AAAA,IACf,uBAAA,EAAyB,qDAAA;AAAA,IACzB,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA,QAAA,EAAU;AAAA,IACR,WAAA,EAAa,kCAAA;AAAA,IACb,eAAA,EAAiB,8BAAA;AAAA,IACjB,aAAA,EAAe,4BAAA;AAAA,IACf,sBAAA,EAAwB;AAAA,GAC1B;AAAA,EACA,GAAA,EAAK;AAAA,IACH,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA,YAAA,EAAc,0BAAA;AAAA,EACd,cAAA,EAAgB,6BAAA;AAAA,EAChB,uBAAA,EAAyB;AAC3B","file":"tenant-client-manifest.js","sourcesContent":["/**\n * Tenant client contract\n *\n * Defines the generic boundary for any customer-owned product that consumes\n * Lucern through the SDK, hosted API, or MCP server. 
Tenant clients may run\n * their own UI, auth provider, deployment, and data plane, but reasoning\n * operations must enter through the published packages below.\n */\n\nimport type {\n SessionAuthMode,\n SessionPrincipalType,\n} from \"./auth.contract\";\n\nexport const TENANT_CLIENT_CONTRACT_VERSION = \"2026-04-27\" as const;\n\nexport const TENANT_CLIENT_AUTH_MODES = [\n \"interactive_user\",\n \"service_principal\",\n \"tenant_api_key\",\n \"session_token\",\n] as const satisfies readonly SessionAuthMode[];\nexport type TenantClientAuthMode = (typeof TENANT_CLIENT_AUTH_MODES)[number];\n\nexport const TENANT_CLIENT_PRINCIPAL_TYPES = [\n \"human\",\n \"service\",\n \"agent\",\n \"group\",\n \"external_viewer\",\n] as const satisfies readonly SessionPrincipalType[];\nexport type TenantClientPrincipalType =\n (typeof TENANT_CLIENT_PRINCIPAL_TYPES)[number];\n\nexport const TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS = [\n \"tenantId\",\n \"workspaceId\",\n \"principalId\",\n \"authMode\",\n \"scopes\",\n] as const;\nexport type TenantClientRequiredContextField =\n (typeof TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS)[number];\n\nexport const TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS = [\n \"clerkId\",\n \"principalType\",\n \"roles\",\n \"groupIds\",\n \"permittedToolNames\",\n \"permittedPackKeys\",\n \"principalStatus\",\n \"tenantStatus\",\n \"workspaceStatus\",\n \"permit\",\n \"sessionId\",\n \"delegationChain\",\n] as const;\nexport type TenantClientOptionalContextField =\n (typeof TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS)[number];\n\nexport const TENANT_CLIENT_INSTALL_TOKEN_ENV = \"INSTALL_LUCERN_NPM\" as const;\nexport const TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH =\n \"tenants/shared\" as const;\nexport const TENANT_CLIENT_FORBIDDEN_INSTALL_TOKEN_INFISICAL_PATHS = [\n \"/platform/publish\",\n] as const;\nexport const TENANT_CLIENT_FORBIDDEN_SECRET_ENV = [\"NPM_TOKEN\"] as const;\nexport type TenantClientForbiddenInstallTokenInfisicalPath =\n (typeof 
TENANT_CLIENT_FORBIDDEN_INSTALL_TOKEN_INFISICAL_PATHS)[number];\nexport type TenantClientForbiddenSecretEnv =\n (typeof TENANT_CLIENT_FORBIDDEN_SECRET_ENV)[number];\n\nexport const TENANT_CLIENT_INSTALLABLE_PACKAGES = [\n {\n packageName: \"@lucern/access-control\",\n role: \"runtime_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/agent\",\n role: \"platform_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/auth\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/cli\",\n role: \"developer_tool\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/client-core\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/confidence\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/config\",\n role: \"configuration\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/contracts\",\n role: \"contract_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/control-plane\",\n role: \"component_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/developer-kit\",\n role: \"developer_tool\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/events\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/graph-primitives\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/graph-sync\",\n role: \"host_addon_runtime\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/mcp\",\n role: \"runtime_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/pack-host\",\n role: \"platform_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/pack-installer\",\n role: \"developer_tool\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/proof-compiler\",\n role: \"developer_tool\",\n 
directTenantImport: false,\n },\n {\n packageName: \"@lucern/react\",\n role: \"runtime_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/reasoning-kernel\",\n role: \"component_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/sdk\",\n role: \"runtime_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/secrets\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/server-core\",\n role: \"platform_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/testing\",\n role: \"test_support\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/types\",\n role: \"contract_entrypoint\",\n directTenantImport: true,\n },\n] as const;\nexport type TenantClientInstallablePackage =\n (typeof TENANT_CLIENT_INSTALLABLE_PACKAGES)[number];\nexport type TenantClientPackageRole = TenantClientInstallablePackage[\"role\"];\nexport type TenantClientInstallablePackageName =\n TenantClientInstallablePackage[\"packageName\"];\n\n/**\n * Direct package installs are package.json entries owned by the tenant repo.\n * Direct imports are source-code imports that tenant application code may use.\n *\n * These concepts intentionally differ: `@lucern/cli` is a direct install when a\n * tenant repo needs the `lucern` binary, but it is not a direct application\n * import. 
`@lucern/reasoning-kernel` and `@lucern/control-plane` are direct installs\n * for Convex component binding, while tenant app code should only import their\n * explicit component config subpaths.\n */\nexport type TenantClientInstallProfile = {\n id: string;\n description: string;\n packageNames: readonly TenantClientInstallablePackageName[];\n dependencyField: \"dependencies\" | \"devDependencies\" | \"mixed\";\n};\n\nexport const TENANT_CLIENT_FULL_SUITE_PACKAGE_NAMES =\n TENANT_CLIENT_INSTALLABLE_PACKAGES.map(\n (entry) => entry.packageName\n ) as readonly TenantClientInstallablePackageName[];\n\nexport const TENANT_CLIENT_INSTALL_PROFILES = [\n {\n id: \"core_app_runtime\",\n description:\n \"Smallest tenant app/runtime install for typed Lucern API calls plus tool-access policy helpers.\",\n packageNames: [\"@lucern/sdk\", \"@lucern/access-control\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"react_app_runtime\",\n description:\n \"React tenant app install for hooks, provider, curated graph components, and direct SDK calls.\",\n packageNames: [\"@lucern/react\", \"@lucern/sdk\", \"@lucern/access-control\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"convex_components\",\n description:\n \"Tenant Convex host install for binding the Lucern control-plane and reasoning-kernel components.\",\n packageNames: [\"@lucern/control-plane\", \"@lucern/reasoning-kernel\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"graph_mirroring_addon\",\n description:\n \"Optional tenant Convex host install for Neo4j graph projection, edge topology writes, backfill, health checks, and query proxy helpers.\",\n packageNames: [\"@lucern/graph-sync\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"operator_cli\",\n description:\n \"Developer/operator install for the `lucern` binary, including tenant bootstrap seed commands.\",\n packageNames: [\"@lucern/cli\"],\n dependencyField: \"devDependencies\",\n },\n {\n id: \"mcp_runtime\",\n description:\n 
\"Agent runtime install for the standalone Lucern MCP server and hosted route helpers.\",\n packageNames: [\"@lucern/mcp\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"contracts_and_types\",\n description:\n \"Compile-time contract/type install for codegen, audits, and tenant integration validation.\",\n packageNames: [\"@lucern/contracts\", \"@lucern/types\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"full_suite\",\n description:\n \"Full coherent Lucern package suite for design-partner repos that want every published runtime, tool, component, test, and config package pinned together.\",\n packageNames: TENANT_CLIENT_FULL_SUITE_PACKAGE_NAMES,\n dependencyField: \"mixed\",\n },\n] as const satisfies readonly TenantClientInstallProfile[];\nexport type TenantClientInstallProfileId =\n (typeof TENANT_CLIENT_INSTALL_PROFILES)[number][\"id\"];\n\n/**\n * Direct imports tenant-owned product code may use. This is intentionally\n * smaller than TENANT_CLIENT_INSTALLABLE_PACKAGES: several publishable packages\n * are installed as SDK dependencies, tooling, or platform runtimes but should\n * not become the application integration surface.\n */\nexport const TENANT_CLIENT_PUBLIC_IMPORTS = [\n {\n packageName: \"@lucern/sdk\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description: \"TypeScript SDK runtime and generated operation namespaces.\",\n },\n {\n packageName: \"@lucern/react\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description: \"React bindings for tenant-owned UI applications.\",\n },\n {\n packageName: \"@lucern/mcp\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description: \"MCP client/server entry points and hosted route helpers.\",\n },\n {\n packageName: \"@lucern/graph-sync\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description:\n \"Optional Neo4j graph mirroring host actions, edge API, query proxy, backfill, and health helpers.\",\n },\n {\n packageName: 
\"@lucern/contracts\",\n surface: \"contract\",\n subpaths: \"published_exports\",\n description: \"Published type and manifest contracts.\",\n },\n {\n packageName: \"@lucern/access-control\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description:\n \"Tenant runtime access-control helpers, including effective tool access.\",\n },\n {\n packageName: \"@lucern/types\",\n surface: \"contract\",\n subpaths: \"published_exports\",\n description: \"Published type-only helpers for tenant integration code.\",\n },\n] as const;\nexport type TenantClientPublicImport =\n (typeof TENANT_CLIENT_PUBLIC_IMPORTS)[number];\nexport type TenantClientPublicPackage =\n TenantClientPublicImport[\"packageName\"];\nexport type TenantClientPublicSurface = TenantClientPublicImport[\"surface\"];\n\nexport const TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS = [\n {\n packageName: \"@lucern/control-plane\",\n importPath: \"@lucern/control-plane/convex.config\",\n surface: \"component_config\",\n description:\n \"Convex component binding config for tenant deployments that install the Lucern control plane.\",\n },\n {\n packageName: \"@lucern/reasoning-kernel\",\n importPath: \"@lucern/reasoning-kernel/convex.config\",\n surface: \"component_config\",\n description:\n \"Convex component binding config for tenant deployments that install the Lucern reasoning kernel.\",\n },\n {\n packageName: \"@lucern/reasoning-kernel\",\n importPath: \"@lucern/reasoning-kernel/runtime.config\",\n surface: \"component_config\",\n description:\n \"Runtime config alias for tenant deployments that install the Lucern reasoning kernel.\",\n },\n] as const;\nexport type TenantClientComponentConfigImport =\n (typeof TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS)[number];\nexport type TenantClientAllowedImport =\n | TenantClientPublicImport\n | TenantClientComponentConfigImport;\n\nexport function findTenantClientInstallablePackage(\n packageName: string\n): TenantClientInstallablePackage | undefined {\n return 
TENANT_CLIENT_INSTALLABLE_PACKAGES.find(\n (entry) => entry.packageName === packageName\n );\n}\n\nexport function isTenantClientInstallablePackage(packageName: string): boolean {\n return Boolean(findTenantClientInstallablePackage(packageName));\n}\n\nexport const TENANT_CLIENT_REQUIRED_SDK_NAMESPACES = [\n \"bootstrap\",\n \"context\",\n \"beliefs\",\n \"evidence\",\n \"questions\",\n \"graph\",\n \"worktrees\",\n \"topics\",\n \"edges\",\n \"contradictions\",\n \"contracts\",\n \"graphIntel\",\n \"graphIntelligence\",\n \"graphAnalysis\",\n \"graphRecommendations\",\n \"orgGraphSearch\",\n \"embeddings\",\n \"ontologyLinks\",\n \"graphStateClassifier\",\n \"tools\",\n \"controlPlane\",\n \"identity\",\n \"modelRuntime\",\n \"events\",\n \"jobs\",\n \"telemetry\",\n] as const;\nexport type TenantClientRequiredSdkNamespace =\n (typeof TENANT_CLIENT_REQUIRED_SDK_NAMESPACES)[number];\n\nexport const TENANT_CLIENT_CAPABILITIES = [\n {\n id: \"identity.resolve_interactive_principal\",\n description:\n \"Resolve a Clerk-authenticated user into a Permit-backed Lucern principal context.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/cli\", \"@lucern/mcp\"],\n requiredContextFields: [\"principalId\", \"tenantId\", \"scopes\"],\n },\n {\n id: \"identity.bootstrap_session\",\n description: \"Start a scoped Lucern session for a tenant principal.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.context.compile\",\n description: \"Compile tenant and workspace scoped reasoning context.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/react\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.graph.read\",\n description: \"Read beliefs, evidence, questions, topics, graph edges, and lineage.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/react\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: 
\"reasoning.graph.write\",\n description: \"Create and update graph objects through authorized APIs.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.graph_intelligence.run\",\n description:\n \"Discover and run Graph Intelligence query recipes for structural graph analysis.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/cli\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.graph_mirroring.install\",\n description:\n \"Install and run the optional Neo4j graph mirror for paid or enterprise tenant deployments.\",\n surfaces: [\"@lucern/graph-sync\", \"@lucern/cli\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"workflow.worktree_lifecycle\",\n description: \"Create, review, merge, and close scoped worktrees.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/react\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n] as const;\nexport type TenantClientCapability =\n (typeof TENANT_CLIENT_CAPABILITIES)[number];\nexport type TenantClientCapabilityId = TenantClientCapability[\"id\"];\n\nexport const TENANT_CLIENT_ISOLATION_RULES = [\n {\n id: \"tenant_workspace_scope_required\",\n description:\n \"Runtime operations must resolve both tenantId and workspaceId before reaching Lucern reasoning state.\",\n },\n {\n id: \"principal_audit_required\",\n description:\n \"Runtime operations must carry principalId, authMode, and scopes for audit attribution.\",\n },\n {\n id: \"no_private_lucern_imports\",\n description:\n \"Tenant code must not import Lucern source, Convex internals, generated adapters, or unpublished package internals.\",\n },\n] as const;\nexport type TenantClientIsolationRule =\n (typeof TENANT_CLIENT_ISOLATION_RULES)[number];\n\nexport const TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS = [\n {\n id: \"deep_src_import\",\n pattern: 
\"^@lucern/[^/]+/src(?:/|$)\",\n description: \"Published packages must not be bypassed through src paths.\",\n },\n {\n id: \"deep_dist_import\",\n pattern: \"^@lucern/[^/]+/dist(?:/|$)\",\n description:\n \"Published package exports must be used instead of dist file paths.\",\n },\n {\n id: \"generated_adapter_import\",\n pattern: \"^@lucern/[^/]+/(?:adapters/)?_generated(?:/|$)\",\n description:\n \"Generated Lucern adapters are internal deployment artifacts.\",\n },\n {\n id: \"private_runtime_import\",\n pattern: \"^@lucern/[^/]+/(?:internal|private)(?:/|$)\",\n description: \"Internal and private package subpaths are not public SDK API.\",\n },\n {\n id: \"workspace_source_import\",\n pattern: \"^(?:packages|modules|services|lucern|apps)/(?:.+/)?src(?:/|$)\",\n description:\n \"Tenant clients must not import source files from the Lucern monorepo.\",\n },\n {\n id: \"root_alias_lucern_import\",\n pattern: \"^@/(?:lucern|packages|modules|services|apps)(?:/|$)\",\n description:\n \"Tenant clients must not depend on Lucern repo-local path aliases.\",\n },\n {\n id: \"relative_lucern_source_import\",\n pattern: \"^\\\\.\\\\.?/(?:.+/)?(?:packages|modules|services|lucern|apps)(?:/|$)\",\n description:\n \"Tenant clients must not reach back into Lucern source through relative paths.\",\n },\n {\n id: \"monorepo_path_import\",\n pattern: \"lucern-repo\",\n description:\n \"Absolute imports that name the Lucern repository are not portable tenant code.\",\n },\n] as const;\nexport type TenantClientForbiddenImportPattern =\n (typeof TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS)[number];\nexport type TenantClientForbiddenImportPatternId =\n TenantClientForbiddenImportPattern[\"id\"];\n\nexport type TenantClientImportDecision =\n | \"public\"\n | \"forbidden\"\n | \"local\"\n | \"external\";\n\nexport type TenantClientImportClassification = {\n importPath: string;\n decision: TenantClientImportDecision;\n publicImport?: TenantClientAllowedImport;\n pattern?: 
TenantClientForbiddenImportPattern;\n reason: string;\n};\n\nfunction matchesPublicImport(\n importPath: string\n): TenantClientAllowedImport | undefined {\n const componentConfig = TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS.find(\n (entry) => importPath === entry.importPath\n );\n if (componentConfig) {\n return componentConfig;\n }\n\n return TENANT_CLIENT_PUBLIC_IMPORTS.find(\n (entry) =>\n importPath === entry.packageName ||\n importPath.startsWith(`${entry.packageName}/`)\n );\n}\n\nfunction matchesForbiddenPattern(\n importPath: string\n): TenantClientForbiddenImportPattern | undefined {\n return TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS.find((entry) =>\n new RegExp(entry.pattern, \"u\").test(importPath)\n );\n}\n\nexport function classifyTenantClientImport(\n importPath: string\n): TenantClientImportClassification {\n const normalizedImportPath = importPath.trim();\n const pattern = matchesForbiddenPattern(normalizedImportPath);\n\n if (pattern) {\n return {\n importPath: normalizedImportPath,\n decision: \"forbidden\",\n pattern,\n reason: pattern.description,\n };\n }\n\n const publicImport = matchesPublicImport(normalizedImportPath);\n if (publicImport) {\n return {\n importPath: normalizedImportPath,\n decision: \"public\",\n publicImport,\n reason: publicImport.description,\n };\n }\n\n if (normalizedImportPath.startsWith(\"@lucern/\")) {\n return {\n importPath: normalizedImportPath,\n decision: \"forbidden\",\n reason:\n \"This @lucern package is not part of the tenant client public surface.\",\n };\n }\n\n if (\n normalizedImportPath.startsWith(\"./\") ||\n normalizedImportPath.startsWith(\"../\")\n ) {\n return {\n importPath: normalizedImportPath,\n decision: \"local\",\n reason: \"Local tenant-owned import.\",\n };\n }\n\n return {\n importPath: normalizedImportPath,\n decision: \"external\",\n reason: \"External dependency outside the Lucern package namespace.\",\n };\n}\n\nexport function isTenantClientPublicImport(importPath: string): boolean {\n 
return classifyTenantClientImport(importPath).decision === \"public\";\n}\n\nexport function isTenantClientComponentConfigImport(\n importPath: string\n): boolean {\n return TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS.some(\n (entry) => importPath === entry.importPath\n );\n}\n\nexport function isTenantClientAllowedImport(importPath: string): boolean {\n return classifyTenantClientImport(importPath).decision === \"public\";\n}\n\nexport function assertTenantClientImportAllowed(importPath: string): void {\n const classification = classifyTenantClientImport(importPath);\n if (classification.decision !== \"forbidden\") {\n return;\n }\n\n throw new Error(formatTenantClientImportViolation(classification));\n}\n\nexport function formatTenantClientImportViolation(\n classification: TenantClientImportClassification\n): string {\n const patternId = classification.pattern\n ? ` [${classification.pattern.id}]`\n : \"\";\n return `Tenant client import is not allowed${patternId}: ${classification.importPath}. 
${classification.reason}`;\n}\n","import {\n TENANT_CLIENT_AUTH_MODES,\n TENANT_CLIENT_CAPABILITIES,\n TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS,\n TENANT_CLIENT_CONTRACT_VERSION,\n TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS,\n TENANT_CLIENT_FORBIDDEN_INSTALL_TOKEN_INFISICAL_PATHS,\n TENANT_CLIENT_FORBIDDEN_SECRET_ENV,\n TENANT_CLIENT_INSTALLABLE_PACKAGES,\n TENANT_CLIENT_INSTALL_PROFILES,\n TENANT_CLIENT_INSTALL_TOKEN_ENV,\n TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH,\n TENANT_CLIENT_ISOLATION_RULES,\n TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS,\n TENANT_CLIENT_PRINCIPAL_TYPES,\n TENANT_CLIENT_PUBLIC_IMPORTS,\n TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n TENANT_CLIENT_REQUIRED_SDK_NAMESPACES,\n} from \"../tenant-client.contract\";\n\nexport type TenantClientManifest = {\n readonly manifestVersion: \"1.0.0\";\n readonly contractVersion: typeof TENANT_CLIENT_CONTRACT_VERSION;\n readonly auth: {\n readonly modes: typeof TENANT_CLIENT_AUTH_MODES;\n readonly principalTypes: typeof TENANT_CLIENT_PRINCIPAL_TYPES;\n readonly requiredContextFields: typeof TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS;\n readonly optionalContextFields: typeof TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS;\n };\n readonly installToken: {\n readonly env: typeof TENANT_CLIENT_INSTALL_TOKEN_ENV;\n readonly infisicalPath: typeof TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH;\n readonly forbiddenInfisicalPaths: typeof TENANT_CLIENT_FORBIDDEN_INSTALL_TOKEN_INFISICAL_PATHS;\n readonly forbiddenSecretEnv: typeof TENANT_CLIENT_FORBIDDEN_SECRET_ENV;\n };\n readonly packages: {\n readonly installable: typeof TENANT_CLIENT_INSTALLABLE_PACKAGES;\n readonly installProfiles: typeof TENANT_CLIENT_INSTALL_PROFILES;\n readonly directImports: typeof TENANT_CLIENT_PUBLIC_IMPORTS;\n readonly componentConfigImports: typeof TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS;\n };\n readonly sdk: {\n readonly requiredNamespaces: typeof TENANT_CLIENT_REQUIRED_SDK_NAMESPACES;\n };\n readonly capabilities: typeof TENANT_CLIENT_CAPABILITIES;\n readonly 
isolationRules: typeof TENANT_CLIENT_ISOLATION_RULES;\n readonly forbiddenImportPatterns: typeof TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS;\n};\n\nexport const TENANT_CLIENT_MANIFEST = {\n manifestVersion: \"1.0.0\",\n contractVersion: TENANT_CLIENT_CONTRACT_VERSION,\n auth: {\n modes: TENANT_CLIENT_AUTH_MODES,\n principalTypes: TENANT_CLIENT_PRINCIPAL_TYPES,\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n optionalContextFields: TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS,\n },\n installToken: {\n env: TENANT_CLIENT_INSTALL_TOKEN_ENV,\n infisicalPath: TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH,\n forbiddenInfisicalPaths: TENANT_CLIENT_FORBIDDEN_INSTALL_TOKEN_INFISICAL_PATHS,\n forbiddenSecretEnv: TENANT_CLIENT_FORBIDDEN_SECRET_ENV,\n },\n packages: {\n installable: TENANT_CLIENT_INSTALLABLE_PACKAGES,\n installProfiles: TENANT_CLIENT_INSTALL_PROFILES,\n directImports: TENANT_CLIENT_PUBLIC_IMPORTS,\n componentConfigImports: TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS,\n },\n sdk: {\n requiredNamespaces: TENANT_CLIENT_REQUIRED_SDK_NAMESPACES,\n },\n capabilities: TENANT_CLIENT_CAPABILITIES,\n isolationRules: TENANT_CLIENT_ISOLATION_RULES,\n forbiddenImportPatterns: TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS,\n} as const satisfies TenantClientManifest;\n"]}
|
|
@@ -31,6 +31,7 @@ function mapPermitRoleToPlatformRole(role) {
|
|
|
31
31
|
case "evidence_contributor":
|
|
32
32
|
case "question_resolver":
|
|
33
33
|
case "theme_promoter":
|
|
34
|
+
case "topic_promoter":
|
|
34
35
|
return "editor";
|
|
35
36
|
case "auditor":
|
|
36
37
|
return "auditor";
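Review bot: The added `case "topic_promoter":` falls through to `return "editor";`, so a Permit assignment with that role name now projects to the platform editor role, and the hunk carries no comment or test recording that this grant is intended. Because this switch decides which platform privileges a Permit role receives, I would put a comment above the group in the source, `// Permit roles that project to platform "editor"; adding a case here grants editor rights`, and pin both `topic_promoter` and `theme_promoter` in a unit test. If `topic_promoter` is meant to replace `theme_promoter` (the names suggest a rename, but the page does not say), note that in the comment so the older alias can be retired deliberately. The body of `mapPermitRoleToPlatformRole` starts and ends outside the hunk, so its default branch is not visible here.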
|
|
@@ -81,9 +82,7 @@ function rolesForPrincipal(assignments, principal, groupIds) {
|
|
|
81
82
|
(assignment) => isActivePermitProjectionStatus(assignment.status) && readPermitProjectionString(assignment.tenantId) === tenantId && (readPermitProjectionString(assignment.targetType) === "principal" && readPermitProjectionString(assignment.targetId) === principalId || readPermitProjectionString(assignment.targetType) === "group" && groupIds.includes(
|
|
82
83
|
readPermitProjectionString(assignment.targetId) ?? ""
|
|
83
84
|
))
|
|
84
|
-
).map((assignment) => mapPermitRoleToPlatformRole(assignment.role)).filter(
|
|
85
|
-
(role) => Boolean(role)
|
|
86
|
-
);
|
|
85
|
+
).map((assignment) => mapPermitRoleToPlatformRole(assignment.role)).filter((role) => Boolean(role));
|
|
87
86
|
if (readPermitProjectionString(principal.principalType) === "agent" || readPermitProjectionString(principal.principalType) === "service_principal") {
|
|
88
87
|
roles.push("service_agent");
|
|
89
88
|
}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../src/permit-principal-projection.contract.ts"],"names":["alias"],"mappings":";AAgFA,IAAM,sBAAA,GAAuE;AAAA,EAC3E,cAAA,EAAgB,EAAA;AAAA,EAChB,YAAA,EAAc,EAAA;AAAA,EACd,eAAA,EAAiB,EAAA;AAAA,EACjB,MAAA,EAAQ,EAAA;AAAA,EACR,OAAA,EAAS,EAAA;AAAA,EACT,MAAA,EAAQ,EAAA;AAAA,EACR,aAAA,EAAe;AACjB,CAAA;AAEO,SAAS,2BAA2B,KAAA,EAAoC;AAC7E,EAAA,OAAO,OAAO,UAAU,QAAA,IAAY,KAAA,CAAM,MAAK,GAAI,KAAA,CAAM,MAAK,GAAI,MAAA;AACpE;AAEO,SAAS,+BAA+B,KAAA,EAAyB;AACtE,EAAA,MAAM,MAAA,GAAS,0BAAA,CAA2B,KAAK,CAAA,EAAG,WAAA,EAAY;AAC9D,EAAA,OAAO,CAAC,MAAA,IAAU,MAAA,KAAW,QAAA,IAAY,MAAA,KAAW,QAAA;AACtD;AAEO,SAAS,4BACd,IAAA,EAC0C;AAC1C,EAAA,QAAQ,0BAAA,CAA2B,IAAI,CAAA,EAAG,WAAA,EAAY;AAAG,IACvD,KAAK,gBAAA;AACH,MAAA,OAAO,gBAAA;AAAA,IACT,KAAK,cAAA;AACH,MAAA,OAAO,cAAA;AAAA,IACT,KAAK,iBAAA;AAAA,IACL,KAAK,kBAAA;AAAA,IACL,KAAK,aAAA;AACH,MAAA,OAAO,iBAAA;AAAA,IACT,KAAK,QAAA;AAAA,IACL,KAAK,kBAAA;AAAA,IACL,KAAK,cAAA;AAAA,IACL,KAAK,sBAAA;AAAA,IACL,KAAK,mBAAA;AAAA,IACL,KAAK,gBAAA;AACH,MAAA,OAAO,QAAA;AAAA,IACT,KAAK,SAAA;AACH,MAAA,OAAO,SAAA;AAAA,IACT,KAAK,QAAA;AAAA,IACL,KAAK,cAAA;AAAA,IACL,KAAK,oBAAA;AAAA,IACL,KAAK,wBAAA;AAAA,IACL,KAAK,yBAAA;AAAA,IACL,KAAK,wBAAA;AAAA,IACL,KAAK,yBAAA;AACH,MAAA,OAAO,QAAA;AAAA,IACT,KAAK,eAAA;AAAA,IACL,KAAK,cAAA;AACH,MAAA,OAAO,eAAA;AAAA,IACT;AACE,MAAA,OAAO,MAAA;AAAA;AAEb;AAEA,SAAS,oBACP,KAAA,EAC8B;AAC9B,EAAA,OAAO,KAAA,CAAM,MAAA;AAAA,IACX,CAAC,MAAM,IAAA,KACL,sBAAA,CAAuB,IAAI,CAAA,GAAI,sBAAA,CAAuB,IAAI,CAAA,GAAI,IAAA,GAAO,IAAA;AAAA,IACvE;AAAA,GACF;AACF;AAEA,SAAS,eAAA,CAAgB,OAA8B,OAAA,EAA0B;AAC/E,EAAA,OACE,+BAA+B,KAAA,CAAM,MAAM,KAC3C,0BAAA,CAA2B,KAAA,CAAM,QAAQ,CAAA,EAAG,WAAA,OAAkB,OAAA,KAC7D,0BAAA,CAA2B,MAAM,iBAAiB,CAAA,KAAM,WACvD,0BAAA,CAA2B,KAAA,CAAM,KAAK,CAAA,KAAM,OAAA,CAAA;AAElD;AAEA,SAAS,cAAA,CACP,SACA,SAAA,EACoB;AACpB,EAAA,OACE,OAAA,CAAQ,IAAA;AAAA,IACN,CAAC,KAAA,KACC,0BAAA,CAA2B,MAAM,SAAS,CAAA,EAAG,aAAY,KAAM;AAAA,GACnE,EAAG,KAAA,IAAS,0BAAA,CAA2B,SAAA,CAAU,UAAU,KAAK,CAAA;AAEpE;AAEA,SAAS,oBAAA,CACP,aACA,SAAA,EACU;AACV,EAAA,MAAM,WAAA,GAAc,0BAAA,CAA2B,SAAA,CAAU,WAAW,CAAA;
AACpE,EAAA,IAAI,CAAC,WAAA,EAAa,OAAO,EAAC;AAC1B,EAAA,OAAO;AAAA,IACL,GAAG,IAAI,GAAA;AAAA,MACL,WAAA,CACG,MAAA;AAAA,QACC,CAAC,UAAA,KACC,8BAAA,CAA+B,UAAA,CAAW,MAAM,CAAA,IAChD,0BAAA,CAA2B,UAAA,CAAW,QAAQ,CAAA,KAC5C,0BAAA,CAA2B,SAAA,CAAU,QAAQ,CAAA,IAC/C,0BAAA,CAA2B,UAAA,CAAW,UAAU,CAAA,KAAM,WAAA,KACrD,0BAAA,CAA2B,UAAA,CAAW,QAAQ,CAAA,KAAM,WAAA,IACnD,0BAAA,CAA2B,UAAA,CAAW,WAAW,CAAA,KAAM,WAAA;AAAA,OAC7D,CACC,GAAA,CAAI,CAAC,UAAA,KAAe,2BAA2B,UAAA,CAAW,OAAO,CAAC,CAAA,CAClE,MAAA,CAAO,CAAC,OAAA,KAA+B,OAAA,CAAQ,OAAO,CAAC;AAAA;AAC5D,GACF;AACF;AAEA,SAAS,iBAAA,CACP,WAAA,EACA,SAAA,EACA,QAAA,EACgC;AAChC,EAAA,MAAM,WAAA,GAAc,0BAAA,CAA2B,SAAA,CAAU,WAAW,CAAA;AACpE,EAAA,MAAM,QAAA,GAAW,0BAAA,CAA2B,SAAA,CAAU,QAAQ,CAAA;AAC9D,EAAA,MAAM,QAAQ,WAAA,CACX,MAAA;AAAA,IACC,CAAC,UAAA,KACC,8BAAA,CAA+B,UAAA,CAAW,MAAM,CAAA,IAChD,0BAAA,CAA2B,UAAA,CAAW,QAAQ,CAAA,KAAM,QAAA,KAClD,0BAAA,CAA2B,UAAA,CAAW,UAAU,CAAA,KAAM,WAAA,IACtD,0BAAA,CAA2B,UAAA,CAAW,QAAQ,CAAA,KAAM,WAAA,IACnD,0BAAA,CAA2B,UAAA,CAAW,UAAU,CAAA,KAAM,OAAA,IACrD,QAAA,CAAS,QAAA;AAAA,MACP,0BAAA,CAA2B,UAAA,CAAW,QAAQ,CAAA,IAAK;AAAA,KACrD;AAAA,GACR,CACC,IAAI,CAAC,UAAA,KAAe,4BAA4B,UAAA,CAAW,IAAI,CAAC,CAAA,CAChE,MAAA;AAAA,IACC,CAAC,IAAA,KAA+C,OAAA,CAAQ,IAAI;AAAA,GAC9D;AAEF,EAAA,IACE,0BAAA,CAA2B,UAAU,aAAa,CAAA,KAAM,WACxD,0BAAA,CAA2B,SAAA,CAAU,aAAa,CAAA,KAAM,mBAAA,EACxD;AACA,IAAA,KAAA,CAAM,KAAK,eAAe,CAAA;AAAA,EAC5B;AAEA,EAAA,OAAO,CAAC,GAAG,IAAI,GAAA,CAAI,KAAK,CAAC,CAAA;AAC3B;AAEA,SAAS,6BAAA,CACP,SAAA,EACA,KAAA,EACA,WAAA,EACoB;AACpB,EAAA,OACE,2BAA2B,SAAA,CAAU,WAAW,KAChD,0BAAA,CAA2B,KAAA,EAAO,WAAW,CAAA,IAC7C,0BAAA;AAAA,IACE,WAAA,CAAY,IAAA;AAAA,MACV,CAAC,UAAA,KACC,0BAAA,CAA2B,UAAA,CAAW,QAAQ,CAAA,KAC5C,0BAAA,CAA2B,SAAA,CAAU,WAAW,CAAA,IAClD,0BAAA,CAA2B,UAAA,CAAW,YAAY,CAAA,KAAM;AAAA,KAC5D,EAAG;AAAA,GACL,IACA,0BAAA;AAAA,IACE,YAAY,IAAA,CAAK,CAAC,UAAA,KAAe,UAAA,CAAW,WAAW,CAAA,EAAG;AAAA,GAC5D;AAEJ;AAEO,SAAS,sCACd,IAAA,EACA,SAAA,EACA,eACA,GAAA,GAAM,IAAA,CAAK,KAAI,EACmB;AAClC,EAAA,MAAM,WAAA,GAAc,0BAAA,CAA2B,SAAA,CAAU,WAAW,CAAA;AACpE,EAAA,MAAM,QAAA,GAAW,0BAAA,CAA2B,SAAA,CAAU,
QAAQ,CAAA;AAC9D,EAAA,IACE,CAAC,eACD,CAAC,QAAA,IACD,CAAC,8BAAA,CAA+B,SAAA,CAAU,MAAM,CAAA,EAChD;AACA,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,MAAM,OAAA,GAAU,KAAK,OAAA,CAAQ,MAAA;AAAA,IAC3B,CAACA,MAAAA,KACC,0BAAA,CAA2BA,MAAAA,CAAM,QAAQ,CAAA,KAAM,QAAA,IAC/C,0BAAA,CAA2BA,MAAAA,CAAM,WAAW,CAAA,KAAM,WAAA,IAClD,8BAAA,CAA+BA,OAAM,MAAM;AAAA,GAC/C;AACA,EAAA,MAAM,QAAA,GAAW,oBAAA,CAAqB,IAAA,CAAK,gBAAA,EAAkB,SAAS,CAAA;AACtE,EAAA,MAAM,KAAA,GAAQ,iBAAA,CAAkB,IAAA,CAAK,eAAA,EAAiB,WAAW,QAAQ,CAAA;AACzE,EAAA,IAAI,KAAA,CAAM,WAAW,CAAA,EAAG;AACtB,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,MAAM,KAAA,GAAQ,aAAA,IAAiB,OAAA,CAAQ,CAAC,CAAA;AACxC,EAAA,MAAM,OAAA,GACJ,0BAAA;AAAA,IACE,OAAA,CAAQ,IAAA;AAAA,MACN,CAAC,KAAA,KACC,0BAAA,CAA2B,MAAM,QAAQ,CAAA,EAAG,aAAY,KAAM;AAAA,KAClE,EAAG;AAAA,GACL,IAAK,WAAA;AAEP,EAAA,OAAO;AAAA,IACL,OAAA;AAAA,IACA,OAAO,cAAA,CAAe,OAAA,EAAS,SAAS,CAAA,IAAK,GAAG,WAAW,CAAA,aAAA,CAAA;AAAA,IAC3D,IAAA,EAAM,0BAAA,CAA2B,SAAA,CAAU,WAAW,CAAA;AAAA,IACtD,UAAA,EAAY,SAAA,CAAU,UAAA,IAAc,SAAA,CAAU,SAAA,IAAa,GAAA;AAAA,IAC3D,SAAA,EAAW,CAAA;AAAA,IACX,YAAA,EAAc,CAAA;AAAA,IACd,MAAA,EAAQ,oBAAoB,KAAK,CAAA;AAAA,IACjC,cAAA,EAAgB,UAAU,SAAA,IAAa,GAAA;AAAA,IACvC,eAAA,EAAiB,QAAA;AAAA,IACjB,oBACE,6BAAA,CAA8B,SAAA,EAAW,KAAA,EAAO,IAAA,CAAK,eAAe,CAAA,IACpE,QAAA;AAAA,IACF,kBAAA,EAAoB,WAAA;AAAA,IACpB,iBAAA,EAAmB,QAAA;AAAA,IACnB,wBAAA,EAA0B,UAAU,SAAA,IAAa,GAAA;AAAA,IACjD,SAAA,EAAW,UAAU,SAAA,IAAa,GAAA;AAAA,IAClC,SAAA,EAAW,UAAU,SAAA,IAAa;AAAA,GACpC;AACF;AAEO,SAAS,qCACd,IAAA,EACA,WAAA,EACA,GAAA,GAAM,IAAA,CAAK,KAAI,EACmB;AAClC,EAAA,MAAM,qBAAA,GAAwB,YAAY,IAAA,EAAK;AAC/C,EAAA,MAAM,SAAA,GAAY,KAAK,UAAA,CAAW,IAAA;AAAA,IAChC,CAAC,QACC,8BAAA,CAA+B,GAAA,CAAI,MAAM,CAAA,IACzC,0BAAA,CAA2B,GAAA,CAAI,WAAW,CAAA,KAAM;AAAA,GACpD;AACA,EAAA,OAAO,YACH,qCAAA,CAAsC,IAAA,EAAM,SAAA,EAAW,MAAA,EAAW,GAAG,CAAA,GACrE,IAAA;AACN;AAEO,SAAS,iCACd,IAAA,EACA,OAAA,EACA,GAAA,GAAM,IAAA,CAAK,KAAI,EACmB;AAClC,EAAA,MAAM,iBAAA,GAAoB,QAAQ,IAAA,EAAK;AACvC,EAAA,MAAM,aAAA,GAAgB,KAAK,OAAA,CAAQ,IAAA;AAAA,IAAK,CAAC,KAAA,KACvC,eAAA,CAAgB,KAAA,EAAO,iBAAiB;AAAA,GAC1C;AACA,EAAA,MAA
M,SAAA,GAAY,aAAA,GACd,IAAA,CAAK,UAAA,CAAW,IAAA;AAAA,IACd,CAAC,GAAA,KACC,0BAAA,CAA2B,GAAA,CAAI,QAAQ,MACrC,0BAAA,CAA2B,aAAA,CAAc,QAAQ,CAAA,IACnD,2BAA2B,GAAA,CAAI,WAAW,CAAA,KACxC,0BAAA,CAA2B,cAAc,WAAW;AAAA,GAC1D,GACA,KAAK,UAAA,CAAW,IAAA;AAAA,IACd,CAAC,GAAA,KACC,0BAAA,CAA2B,GAAA,CAAI,WAAW,CAAA,KAAM,iBAAA,IAChD,0BAAA,CAA2B,GAAA,CAAI,WAAW,CAAA,KACxC,CAAA,KAAA,EAAQ,iBAAiB,CAAA;AAAA,GAC/B;AACJ,EAAA,OAAO,YACH,qCAAA,CAAsC,IAAA,EAAM,SAAA,EAAW,aAAA,EAAe,GAAG,CAAA,GACzE,IAAA;AACN","file":"permit-principal-projection.contract.js","sourcesContent":["export type PermitProjectionPlatformRole =\n | \"platform_admin\"\n | \"tenant_admin\"\n | \"workspace_admin\"\n | \"editor\"\n | \"viewer\"\n | \"auditor\"\n | \"service_agent\";\n\nexport type PermitPrincipalProjection = Record<string, unknown> & {\n principalId?: string;\n tenantId?: string;\n workspaceId?: string;\n principalType?: string;\n status?: string;\n displayName?: string;\n metadata?: Record<string, unknown>;\n createdAt?: number;\n updatedAt?: number;\n lastSeenAt?: number;\n};\n\nexport type PermitAliasProjection = Record<string, unknown> & {\n principalId?: string;\n tenantId?: string;\n workspaceId?: string;\n provider?: string;\n providerSubjectId?: string;\n alias?: string;\n aliasKind?: string;\n status?: string;\n metadata?: Record<string, unknown>;\n};\n\nexport type PermitRoleAssignmentProjection = Record<string, unknown> & {\n tenantId?: string;\n workspaceId?: string;\n role?: string;\n targetType?: string;\n targetId?: string;\n resourceType?: string;\n resourceKey?: string;\n status?: string;\n};\n\nexport type PermitGroupMembershipProjection = Record<string, unknown> & {\n tenantId?: string;\n workspaceId?: string;\n groupId?: string;\n memberType?: string;\n memberId?: string;\n principalId?: string;\n status?: string;\n};\n\nexport type PermitProjectedUserRecord = {\n clerkId: string;\n email: string;\n name?: string;\n lastSeenAt: number;\n chatCount: number;\n messageCount: number;\n mcRole: 
PermitProjectionPlatformRole;\n mcRoleSyncedAt: number;\n defaultTenantId: string;\n defaultWorkspaceId: string;\n defaultPrincipalId: string;\n principalGroupIds: string[];\n governanceGrantsSyncedAt: number;\n createdAt: number;\n updatedAt: number;\n};\n\nexport type PermitProjectionRows = {\n principals: PermitPrincipalProjection[];\n aliases: PermitAliasProjection[];\n roleAssignments: PermitRoleAssignmentProjection[];\n groupMemberships: PermitGroupMembershipProjection[];\n};\n\nconst PLATFORM_ROLE_PRIORITY: Record<PermitProjectionPlatformRole, number> = {\n platform_admin: 70,\n tenant_admin: 60,\n workspace_admin: 50,\n editor: 40,\n auditor: 30,\n viewer: 20,\n service_agent: 10,\n};\n\nexport function readPermitProjectionString(value: unknown): string | undefined {\n return typeof value === \"string\" && value.trim() ? value.trim() : undefined;\n}\n\nexport function isActivePermitProjectionStatus(value: unknown): boolean {\n const status = readPermitProjectionString(value)?.toLowerCase();\n return !status || status === \"active\" || status === \"synced\";\n}\n\nexport function mapPermitRoleToPlatformRole(\n role: unknown\n): PermitProjectionPlatformRole | undefined {\n switch (readPermitProjectionString(role)?.toLowerCase()) {\n case \"platform_admin\":\n return \"platform_admin\";\n case \"tenant_admin\":\n return \"tenant_admin\";\n case \"workspace_admin\":\n case \"deployment_admin\":\n case \"graph_admin\":\n return \"workspace_admin\";\n case \"editor\":\n case \"workspace_member\":\n case \"graph_editor\":\n case \"evidence_contributor\":\n case \"question_resolver\":\n case \"theme_promoter\":\n return \"editor\";\n case \"auditor\":\n return \"auditor\";\n case \"viewer\":\n case \"graph_viewer\":\n case \"stakeholder_viewer\":\n case \"stakeholder_summarizer\":\n case \"source_drilldown_viewer\":\n case \"restricted_data_viewer\":\n case \"proprietary_data_viewer\":\n return \"viewer\";\n case \"service_agent\":\n case \"agent_runner\":\n return 
\"service_agent\";\n default:\n return undefined;\n }\n}\n\nfunction highestPlatformRole(\n roles: PermitProjectionPlatformRole[]\n): PermitProjectionPlatformRole {\n return roles.reduce<PermitProjectionPlatformRole>(\n (best, role) =>\n PLATFORM_ROLE_PRIORITY[role] > PLATFORM_ROLE_PRIORITY[best] ? role : best,\n \"viewer\"\n );\n}\n\nfunction isClerkAliasFor(alias: PermitAliasProjection, clerkId: string): boolean {\n return (\n isActivePermitProjectionStatus(alias.status) &&\n readPermitProjectionString(alias.provider)?.toLowerCase() === \"clerk\" &&\n (readPermitProjectionString(alias.providerSubjectId) === clerkId ||\n readPermitProjectionString(alias.alias) === clerkId)\n );\n}\n\nfunction emailFromAlias(\n aliases: PermitAliasProjection[],\n principal: PermitPrincipalProjection\n): string | undefined {\n return (\n aliases.find(\n (alias) =>\n readPermitProjectionString(alias.aliasKind)?.toLowerCase() === \"email\"\n )?.alias ?? readPermitProjectionString(principal.metadata?.email)\n );\n}\n\nfunction groupIdsForPrincipal(\n memberships: PermitGroupMembershipProjection[],\n principal: PermitPrincipalProjection\n): string[] {\n const principalId = readPermitProjectionString(principal.principalId);\n if (!principalId) return [];\n return [\n ...new Set(\n memberships\n .filter(\n (membership) =>\n isActivePermitProjectionStatus(membership.status) &&\n readPermitProjectionString(membership.tenantId) ===\n readPermitProjectionString(principal.tenantId) &&\n readPermitProjectionString(membership.memberType) === \"principal\" &&\n (readPermitProjectionString(membership.memberId) === principalId ||\n readPermitProjectionString(membership.principalId) === principalId)\n )\n .map((membership) => readPermitProjectionString(membership.groupId))\n .filter((groupId): groupId is string => Boolean(groupId))\n ),\n ];\n}\n\nfunction rolesForPrincipal(\n assignments: PermitRoleAssignmentProjection[],\n principal: PermitPrincipalProjection,\n groupIds: string[]\n): 
PermitProjectionPlatformRole[] {\n const principalId = readPermitProjectionString(principal.principalId);\n const tenantId = readPermitProjectionString(principal.tenantId);\n const roles = assignments\n .filter(\n (assignment) =>\n isActivePermitProjectionStatus(assignment.status) &&\n readPermitProjectionString(assignment.tenantId) === tenantId &&\n ((readPermitProjectionString(assignment.targetType) === \"principal\" &&\n readPermitProjectionString(assignment.targetId) === principalId) ||\n (readPermitProjectionString(assignment.targetType) === \"group\" &&\n groupIds.includes(\n readPermitProjectionString(assignment.targetId) ?? \"\"\n )))\n )\n .map((assignment) => mapPermitRoleToPlatformRole(assignment.role))\n .filter(\n (role): role is PermitProjectionPlatformRole => Boolean(role)\n );\n\n if (\n readPermitProjectionString(principal.principalType) === \"agent\" ||\n readPermitProjectionString(principal.principalType) === \"service_principal\"\n ) {\n roles.push(\"service_agent\");\n }\n\n return [...new Set(roles)];\n}\n\nfunction workspaceFromPermitProjection(\n principal: PermitPrincipalProjection,\n alias: PermitAliasProjection | undefined,\n assignments: PermitRoleAssignmentProjection[]\n): string | undefined {\n return (\n readPermitProjectionString(principal.workspaceId) ??\n readPermitProjectionString(alias?.workspaceId) ??\n readPermitProjectionString(\n assignments.find(\n (assignment) =>\n readPermitProjectionString(assignment.targetId) ===\n readPermitProjectionString(principal.principalId) &&\n readPermitProjectionString(assignment.resourceType) === \"workspace\"\n )?.resourceKey\n ) ??\n readPermitProjectionString(\n assignments.find((assignment) => assignment.workspaceId)?.workspaceId\n )\n );\n}\n\nexport function buildProjectedUserFromPermitPrincipal(\n rows: PermitProjectionRows,\n principal: PermitPrincipalProjection,\n matchingAlias?: PermitAliasProjection,\n now = Date.now()\n): PermitProjectedUserRecord | null {\n const principalId = 
readPermitProjectionString(principal.principalId);\n const tenantId = readPermitProjectionString(principal.tenantId);\n if (\n !principalId ||\n !tenantId ||\n !isActivePermitProjectionStatus(principal.status)\n ) {\n return null;\n }\n\n const aliases = rows.aliases.filter(\n (alias) =>\n readPermitProjectionString(alias.tenantId) === tenantId &&\n readPermitProjectionString(alias.principalId) === principalId &&\n isActivePermitProjectionStatus(alias.status)\n );\n const groupIds = groupIdsForPrincipal(rows.groupMemberships, principal);\n const roles = rolesForPrincipal(rows.roleAssignments, principal, groupIds);\n if (roles.length === 0) {\n return null;\n }\n\n const alias = matchingAlias ?? aliases[0];\n const clerkId =\n readPermitProjectionString(\n aliases.find(\n (entry) =>\n readPermitProjectionString(entry.provider)?.toLowerCase() === \"clerk\"\n )?.providerSubjectId\n ) ?? principalId;\n\n return {\n clerkId,\n email: emailFromAlias(aliases, principal) ?? `${principalId}@permit.local`,\n name: readPermitProjectionString(principal.displayName),\n lastSeenAt: principal.lastSeenAt ?? principal.updatedAt ?? now,\n chatCount: 0,\n messageCount: 0,\n mcRole: highestPlatformRole(roles),\n mcRoleSyncedAt: principal.updatedAt ?? now,\n defaultTenantId: tenantId,\n defaultWorkspaceId:\n workspaceFromPermitProjection(principal, alias, rows.roleAssignments) ??\n tenantId,\n defaultPrincipalId: principalId,\n principalGroupIds: groupIds,\n governanceGrantsSyncedAt: principal.updatedAt ?? now,\n createdAt: principal.createdAt ?? now,\n updatedAt: principal.updatedAt ?? 
now,\n };\n}\n\nexport function findProjectedUserByPermitPrincipalId(\n rows: PermitProjectionRows,\n principalId: string,\n now = Date.now()\n): PermitProjectedUserRecord | null {\n const normalizedPrincipalId = principalId.trim();\n const principal = rows.principals.find(\n (row) =>\n isActivePermitProjectionStatus(row.status) &&\n readPermitProjectionString(row.principalId) === normalizedPrincipalId\n );\n return principal\n ? buildProjectedUserFromPermitPrincipal(rows, principal, undefined, now)\n : null;\n}\n\nexport function findProjectedUserByPermitClerkId(\n rows: PermitProjectionRows,\n clerkId: string,\n now = Date.now()\n): PermitProjectedUserRecord | null {\n const normalizedClerkId = clerkId.trim();\n const matchingAlias = rows.aliases.find((alias) =>\n isClerkAliasFor(alias, normalizedClerkId)\n );\n const principal = matchingAlias\n ? rows.principals.find(\n (row) =>\n readPermitProjectionString(row.tenantId) ===\n readPermitProjectionString(matchingAlias.tenantId) &&\n readPermitProjectionString(row.principalId) ===\n readPermitProjectionString(matchingAlias.principalId)\n )\n : rows.principals.find(\n (row) =>\n readPermitProjectionString(row.principalId) === normalizedClerkId ||\n readPermitProjectionString(row.principalId) ===\n `user:${normalizedClerkId}`\n );\n return principal\n ? buildProjectedUserFromPermitPrincipal(rows, principal, matchingAlias, now)\n : null;\n}\n"]}
|
|
1
|
+
{"version":3,"sources":["../src/permit-principal-projection.contract.ts"],"names":["alias"],"mappings":";AAgFA,IAAM,sBAAA,GAAuE;AAAA,EAC3E,cAAA,EAAgB,EAAA;AAAA,EAChB,YAAA,EAAc,EAAA;AAAA,EACd,eAAA,EAAiB,EAAA;AAAA,EACjB,MAAA,EAAQ,EAAA;AAAA,EACR,OAAA,EAAS,EAAA;AAAA,EACT,MAAA,EAAQ,EAAA;AAAA,EACR,aAAA,EAAe;AACjB,CAAA;AAEO,SAAS,2BAA2B,KAAA,EAAoC;AAC7E,EAAA,OAAO,OAAO,UAAU,QAAA,IAAY,KAAA,CAAM,MAAK,GAAI,KAAA,CAAM,MAAK,GAAI,MAAA;AACpE;AAEO,SAAS,+BAA+B,KAAA,EAAyB;AACtE,EAAA,MAAM,MAAA,GAAS,0BAAA,CAA2B,KAAK,CAAA,EAAG,WAAA,EAAY;AAC9D,EAAA,OAAO,CAAC,MAAA,IAAU,MAAA,KAAW,QAAA,IAAY,MAAA,KAAW,QAAA;AACtD;AAEO,SAAS,4BACd,IAAA,EAC0C;AAC1C,EAAA,QAAQ,0BAAA,CAA2B,IAAI,CAAA,EAAG,WAAA,EAAY;AAAG,IACvD,KAAK,gBAAA;AACH,MAAA,OAAO,gBAAA;AAAA,IACT,KAAK,cAAA;AACH,MAAA,OAAO,cAAA;AAAA,IACT,KAAK,iBAAA;AAAA,IACL,KAAK,kBAAA;AAAA,IACL,KAAK,aAAA;AACH,MAAA,OAAO,iBAAA;AAAA,IACT,KAAK,QAAA;AAAA,IACL,KAAK,kBAAA;AAAA,IACL,KAAK,cAAA;AAAA,IACL,KAAK,sBAAA;AAAA,IACL,KAAK,mBAAA;AAAA,IACL,KAAK,gBAAA;AAAA,IACL,KAAK,gBAAA;AACH,MAAA,OAAO,QAAA;AAAA,IACT,KAAK,SAAA;AACH,MAAA,OAAO,SAAA;AAAA,IACT,KAAK,QAAA;AAAA,IACL,KAAK,cAAA;AAAA,IACL,KAAK,oBAAA;AAAA,IACL,KAAK,wBAAA;AAAA,IACL,KAAK,yBAAA;AAAA,IACL,KAAK,wBAAA;AAAA,IACL,KAAK,yBAAA;AACH,MAAA,OAAO,QAAA;AAAA,IACT,KAAK,eAAA;AAAA,IACL,KAAK,cAAA;AACH,MAAA,OAAO,eAAA;AAAA,IACT;AACE,MAAA,OAAO,MAAA;AAAA;AAEb;AAEA,SAAS,oBACP,KAAA,EAC8B;AAC9B,EAAA,OAAO,KAAA,CAAM,MAAA;AAAA,IACX,CAAC,MAAM,IAAA,KACL,sBAAA,CAAuB,IAAI,CAAA,GAAI,sBAAA,CAAuB,IAAI,CAAA,GAAI,IAAA,GAAO,IAAA;AAAA,IACvE;AAAA,GACF;AACF;AAEA,SAAS,eAAA,CACP,OACA,OAAA,EACS;AACT,EAAA,OACE,+BAA+B,KAAA,CAAM,MAAM,KAC3C,0BAAA,CAA2B,KAAA,CAAM,QAAQ,CAAA,EAAG,WAAA,OAAkB,OAAA,KAC7D,0BAAA,CAA2B,MAAM,iBAAiB,CAAA,KAAM,WACvD,0BAAA,CAA2B,KAAA,CAAM,KAAK,CAAA,KAAM,OAAA,CAAA;AAElD;AAEA,SAAS,cAAA,CACP,SACA,SAAA,EACoB;AACpB,EAAA,OACE,OAAA,CAAQ,IAAA;AAAA,IACN,CAAC,KAAA,KACC,0BAAA,CAA2B,MAAM,SAAS,CAAA,EAAG,aAAY,KAAM;AAAA,GACnE,EAAG,KAAA,IAAS,0BAAA,CAA2B,SAAA,CAAU,UAAU,KAAK,CAAA;AAEpE;AAEA,SAAS,oBAAA,CACP,aACA,SAAA,EACU;AACV,EAAA,MAAM,WAAA,GAAc,0BAAA,CAA2B,SAA
A,CAAU,WAAW,CAAA;AACpE,EAAA,IAAI,CAAC,WAAA,EAAa,OAAO,EAAC;AAC1B,EAAA,OAAO;AAAA,IACL,GAAG,IAAI,GAAA;AAAA,MACL,WAAA,CACG,MAAA;AAAA,QACC,CAAC,UAAA,KACC,8BAAA,CAA+B,UAAA,CAAW,MAAM,CAAA,IAChD,0BAAA,CAA2B,UAAA,CAAW,QAAQ,CAAA,KAC5C,0BAAA,CAA2B,SAAA,CAAU,QAAQ,CAAA,IAC/C,0BAAA,CAA2B,UAAA,CAAW,UAAU,CAAA,KAAM,WAAA,KACrD,0BAAA,CAA2B,UAAA,CAAW,QAAQ,CAAA,KAAM,WAAA,IACnD,0BAAA,CAA2B,UAAA,CAAW,WAAW,CAAA,KAC/C,WAAA;AAAA,OACR,CACC,GAAA,CAAI,CAAC,UAAA,KAAe,2BAA2B,UAAA,CAAW,OAAO,CAAC,CAAA,CAClE,MAAA,CAAO,CAAC,OAAA,KAA+B,OAAA,CAAQ,OAAO,CAAC;AAAA;AAC5D,GACF;AACF;AAEA,SAAS,iBAAA,CACP,WAAA,EACA,SAAA,EACA,QAAA,EACgC;AAChC,EAAA,MAAM,WAAA,GAAc,0BAAA,CAA2B,SAAA,CAAU,WAAW,CAAA;AACpE,EAAA,MAAM,QAAA,GAAW,0BAAA,CAA2B,SAAA,CAAU,QAAQ,CAAA;AAC9D,EAAA,MAAM,QAAQ,WAAA,CACX,MAAA;AAAA,IACC,CAAC,UAAA,KACC,8BAAA,CAA+B,UAAA,CAAW,MAAM,CAAA,IAChD,0BAAA,CAA2B,UAAA,CAAW,QAAQ,CAAA,KAAM,QAAA,KAClD,0BAAA,CAA2B,UAAA,CAAW,UAAU,CAAA,KAAM,WAAA,IACtD,0BAAA,CAA2B,UAAA,CAAW,QAAQ,CAAA,KAAM,WAAA,IACnD,0BAAA,CAA2B,UAAA,CAAW,UAAU,CAAA,KAAM,OAAA,IACrD,QAAA,CAAS,QAAA;AAAA,MACP,0BAAA,CAA2B,UAAA,CAAW,QAAQ,CAAA,IAAK;AAAA,KACrD;AAAA,GACR,CACC,GAAA,CAAI,CAAC,UAAA,KAAe,4BAA4B,UAAA,CAAW,IAAI,CAAC,CAAA,CAChE,MAAA,CAAO,CAAC,IAAA,KAA+C,OAAA,CAAQ,IAAI,CAAC,CAAA;AAEvE,EAAA,IACE,0BAAA,CAA2B,UAAU,aAAa,CAAA,KAAM,WACxD,0BAAA,CAA2B,SAAA,CAAU,aAAa,CAAA,KAAM,mBAAA,EACxD;AACA,IAAA,KAAA,CAAM,KAAK,eAAe,CAAA;AAAA,EAC5B;AAEA,EAAA,OAAO,CAAC,GAAG,IAAI,GAAA,CAAI,KAAK,CAAC,CAAA;AAC3B;AAEA,SAAS,6BAAA,CACP,SAAA,EACA,KAAA,EACA,WAAA,EACoB;AACpB,EAAA,OACE,2BAA2B,SAAA,CAAU,WAAW,KAChD,0BAAA,CAA2B,KAAA,EAAO,WAAW,CAAA,IAC7C,0BAAA;AAAA,IACE,WAAA,CAAY,IAAA;AAAA,MACV,CAAC,UAAA,KACC,0BAAA,CAA2B,UAAA,CAAW,QAAQ,CAAA,KAC5C,0BAAA,CAA2B,SAAA,CAAU,WAAW,CAAA,IAClD,0BAAA,CAA2B,UAAA,CAAW,YAAY,CAAA,KAAM;AAAA,KAC5D,EAAG;AAAA,GACL,IACA,0BAAA;AAAA,IACE,YAAY,IAAA,CAAK,CAAC,UAAA,KAAe,UAAA,CAAW,WAAW,CAAA,EAAG;AAAA,GAC5D;AAEJ;AAEO,SAAS,sCACd,IAAA,EACA,SAAA,EACA,eACA,GAAA,GAAM,IAAA,CAAK,KAAI,EACmB;AAClC,EAAA,MAAM,WAAA,GAAc,0BAAA,CAA2B,SAAA,CAAU,WAAW,CAAA;AACpE,EAAA,MAAM,QAAA,GAAW,0BAAA
,CAA2B,SAAA,CAAU,QAAQ,CAAA;AAC9D,EAAA,IACE,CAAC,eACD,CAAC,QAAA,IACD,CAAC,8BAAA,CAA+B,SAAA,CAAU,MAAM,CAAA,EAChD;AACA,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,MAAM,OAAA,GAAU,KAAK,OAAA,CAAQ,MAAA;AAAA,IAC3B,CAACA,MAAAA,KACC,0BAAA,CAA2BA,MAAAA,CAAM,QAAQ,CAAA,KAAM,QAAA,IAC/C,0BAAA,CAA2BA,MAAAA,CAAM,WAAW,CAAA,KAAM,WAAA,IAClD,8BAAA,CAA+BA,OAAM,MAAM;AAAA,GAC/C;AACA,EAAA,MAAM,QAAA,GAAW,oBAAA,CAAqB,IAAA,CAAK,gBAAA,EAAkB,SAAS,CAAA;AACtE,EAAA,MAAM,KAAA,GAAQ,iBAAA,CAAkB,IAAA,CAAK,eAAA,EAAiB,WAAW,QAAQ,CAAA;AACzE,EAAA,IAAI,KAAA,CAAM,WAAW,CAAA,EAAG;AACtB,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,MAAM,KAAA,GAAQ,aAAA,IAAiB,OAAA,CAAQ,CAAC,CAAA;AACxC,EAAA,MAAM,OAAA,GACJ,0BAAA;AAAA,IACE,OAAA,CAAQ,IAAA;AAAA,MACN,CAAC,KAAA,KACC,0BAAA,CAA2B,MAAM,QAAQ,CAAA,EAAG,aAAY,KAAM;AAAA,KAClE,EAAG;AAAA,GACL,IAAK,WAAA;AAEP,EAAA,OAAO;AAAA,IACL,OAAA;AAAA,IACA,OAAO,cAAA,CAAe,OAAA,EAAS,SAAS,CAAA,IAAK,GAAG,WAAW,CAAA,aAAA,CAAA;AAAA,IAC3D,IAAA,EAAM,0BAAA,CAA2B,SAAA,CAAU,WAAW,CAAA;AAAA,IACtD,UAAA,EAAY,SAAA,CAAU,UAAA,IAAc,SAAA,CAAU,SAAA,IAAa,GAAA;AAAA,IAC3D,SAAA,EAAW,CAAA;AAAA,IACX,YAAA,EAAc,CAAA;AAAA,IACd,MAAA,EAAQ,oBAAoB,KAAK,CAAA;AAAA,IACjC,cAAA,EAAgB,UAAU,SAAA,IAAa,GAAA;AAAA,IACvC,eAAA,EAAiB,QAAA;AAAA,IACjB,oBACE,6BAAA,CAA8B,SAAA,EAAW,KAAA,EAAO,IAAA,CAAK,eAAe,CAAA,IACpE,QAAA;AAAA,IACF,kBAAA,EAAoB,WAAA;AAAA,IACpB,iBAAA,EAAmB,QAAA;AAAA,IACnB,wBAAA,EAA0B,UAAU,SAAA,IAAa,GAAA;AAAA,IACjD,SAAA,EAAW,UAAU,SAAA,IAAa,GAAA;AAAA,IAClC,SAAA,EAAW,UAAU,SAAA,IAAa;AAAA,GACpC;AACF;AAEO,SAAS,qCACd,IAAA,EACA,WAAA,EACA,GAAA,GAAM,IAAA,CAAK,KAAI,EACmB;AAClC,EAAA,MAAM,qBAAA,GAAwB,YAAY,IAAA,EAAK;AAC/C,EAAA,MAAM,SAAA,GAAY,KAAK,UAAA,CAAW,IAAA;AAAA,IAChC,CAAC,QACC,8BAAA,CAA+B,GAAA,CAAI,MAAM,CAAA,IACzC,0BAAA,CAA2B,GAAA,CAAI,WAAW,CAAA,KAAM;AAAA,GACpD;AACA,EAAA,OAAO,YACH,qCAAA,CAAsC,IAAA,EAAM,SAAA,EAAW,MAAA,EAAW,GAAG,CAAA,GACrE,IAAA;AACN;AAEO,SAAS,iCACd,IAAA,EACA,OAAA,EACA,GAAA,GAAM,IAAA,CAAK,KAAI,EACmB;AAClC,EAAA,MAAM,iBAAA,GAAoB,QAAQ,IAAA,EAAK;AACvC,EAAA,MAAM,aAAA,GAAgB,KAAK,OAAA,CAAQ,IAAA;AAAA,IAAK,CAAC,KAAA,KACvC,eAAA,CAAgB,KAAA,EAAO,iBAAiB;AAAA,GA
C1C;AACA,EAAA,MAAM,SAAA,GAAY,aAAA,GACd,IAAA,CAAK,UAAA,CAAW,IAAA;AAAA,IACd,CAAC,GAAA,KACC,0BAAA,CAA2B,GAAA,CAAI,QAAQ,MACrC,0BAAA,CAA2B,aAAA,CAAc,QAAQ,CAAA,IACnD,2BAA2B,GAAA,CAAI,WAAW,CAAA,KACxC,0BAAA,CAA2B,cAAc,WAAW;AAAA,GAC1D,GACA,KAAK,UAAA,CAAW,IAAA;AAAA,IACd,CAAC,GAAA,KACC,0BAAA,CAA2B,GAAA,CAAI,WAAW,CAAA,KAAM,iBAAA,IAChD,0BAAA,CAA2B,GAAA,CAAI,WAAW,CAAA,KACxC,CAAA,KAAA,EAAQ,iBAAiB,CAAA;AAAA,GAC/B;AACJ,EAAA,OAAO,YACH,qCAAA,CAAsC,IAAA,EAAM,SAAA,EAAW,aAAA,EAAe,GAAG,CAAA,GACzE,IAAA;AACN","file":"permit-principal-projection.contract.js","sourcesContent":["export type PermitProjectionPlatformRole =\n | \"platform_admin\"\n | \"tenant_admin\"\n | \"workspace_admin\"\n | \"editor\"\n | \"viewer\"\n | \"auditor\"\n | \"service_agent\";\n\nexport type PermitPrincipalProjection = Record<string, unknown> & {\n principalId?: string;\n tenantId?: string;\n workspaceId?: string;\n principalType?: string;\n status?: string;\n displayName?: string;\n metadata?: Record<string, unknown>;\n createdAt?: number;\n updatedAt?: number;\n lastSeenAt?: number;\n};\n\nexport type PermitAliasProjection = Record<string, unknown> & {\n principalId?: string;\n tenantId?: string;\n workspaceId?: string;\n provider?: string;\n providerSubjectId?: string;\n alias?: string;\n aliasKind?: string;\n status?: string;\n metadata?: Record<string, unknown>;\n};\n\nexport type PermitRoleAssignmentProjection = Record<string, unknown> & {\n tenantId?: string;\n workspaceId?: string;\n role?: string;\n targetType?: string;\n targetId?: string;\n resourceType?: string;\n resourceKey?: string;\n status?: string;\n};\n\nexport type PermitGroupMembershipProjection = Record<string, unknown> & {\n tenantId?: string;\n workspaceId?: string;\n groupId?: string;\n memberType?: string;\n memberId?: string;\n principalId?: string;\n status?: string;\n};\n\nexport type PermitProjectedUserRecord = {\n clerkId: string;\n email: string;\n name?: string;\n lastSeenAt: number;\n chatCount: number;\n messageCount: number;\n 
mcRole: PermitProjectionPlatformRole;\n mcRoleSyncedAt: number;\n defaultTenantId: string;\n defaultWorkspaceId: string;\n defaultPrincipalId: string;\n principalGroupIds: string[];\n governanceGrantsSyncedAt: number;\n createdAt: number;\n updatedAt: number;\n};\n\nexport type PermitProjectionRows = {\n principals: PermitPrincipalProjection[];\n aliases: PermitAliasProjection[];\n roleAssignments: PermitRoleAssignmentProjection[];\n groupMemberships: PermitGroupMembershipProjection[];\n};\n\nconst PLATFORM_ROLE_PRIORITY: Record<PermitProjectionPlatformRole, number> = {\n platform_admin: 70,\n tenant_admin: 60,\n workspace_admin: 50,\n editor: 40,\n auditor: 30,\n viewer: 20,\n service_agent: 10,\n};\n\nexport function readPermitProjectionString(value: unknown): string | undefined {\n return typeof value === \"string\" && value.trim() ? value.trim() : undefined;\n}\n\nexport function isActivePermitProjectionStatus(value: unknown): boolean {\n const status = readPermitProjectionString(value)?.toLowerCase();\n return !status || status === \"active\" || status === \"synced\";\n}\n\nexport function mapPermitRoleToPlatformRole(\n role: unknown,\n): PermitProjectionPlatformRole | undefined {\n switch (readPermitProjectionString(role)?.toLowerCase()) {\n case \"platform_admin\":\n return \"platform_admin\";\n case \"tenant_admin\":\n return \"tenant_admin\";\n case \"workspace_admin\":\n case \"deployment_admin\":\n case \"graph_admin\":\n return \"workspace_admin\";\n case \"editor\":\n case \"workspace_member\":\n case \"graph_editor\":\n case \"evidence_contributor\":\n case \"question_resolver\":\n case \"theme_promoter\":\n case \"topic_promoter\":\n return \"editor\";\n case \"auditor\":\n return \"auditor\";\n case \"viewer\":\n case \"graph_viewer\":\n case \"stakeholder_viewer\":\n case \"stakeholder_summarizer\":\n case \"source_drilldown_viewer\":\n case \"restricted_data_viewer\":\n case \"proprietary_data_viewer\":\n return \"viewer\";\n case 
\"service_agent\":\n case \"agent_runner\":\n return \"service_agent\";\n default:\n return undefined;\n }\n}\n\nfunction highestPlatformRole(\n roles: PermitProjectionPlatformRole[],\n): PermitProjectionPlatformRole {\n return roles.reduce<PermitProjectionPlatformRole>(\n (best, role) =>\n PLATFORM_ROLE_PRIORITY[role] > PLATFORM_ROLE_PRIORITY[best] ? role : best,\n \"viewer\",\n );\n}\n\nfunction isClerkAliasFor(\n alias: PermitAliasProjection,\n clerkId: string,\n): boolean {\n return (\n isActivePermitProjectionStatus(alias.status) &&\n readPermitProjectionString(alias.provider)?.toLowerCase() === \"clerk\" &&\n (readPermitProjectionString(alias.providerSubjectId) === clerkId ||\n readPermitProjectionString(alias.alias) === clerkId)\n );\n}\n\nfunction emailFromAlias(\n aliases: PermitAliasProjection[],\n principal: PermitPrincipalProjection,\n): string | undefined {\n return (\n aliases.find(\n (alias) =>\n readPermitProjectionString(alias.aliasKind)?.toLowerCase() === \"email\",\n )?.alias ?? 
readPermitProjectionString(principal.metadata?.email)\n );\n}\n\nfunction groupIdsForPrincipal(\n memberships: PermitGroupMembershipProjection[],\n principal: PermitPrincipalProjection,\n): string[] {\n const principalId = readPermitProjectionString(principal.principalId);\n if (!principalId) return [];\n return [\n ...new Set(\n memberships\n .filter(\n (membership) =>\n isActivePermitProjectionStatus(membership.status) &&\n readPermitProjectionString(membership.tenantId) ===\n readPermitProjectionString(principal.tenantId) &&\n readPermitProjectionString(membership.memberType) === \"principal\" &&\n (readPermitProjectionString(membership.memberId) === principalId ||\n readPermitProjectionString(membership.principalId) ===\n principalId),\n )\n .map((membership) => readPermitProjectionString(membership.groupId))\n .filter((groupId): groupId is string => Boolean(groupId)),\n ),\n ];\n}\n\nfunction rolesForPrincipal(\n assignments: PermitRoleAssignmentProjection[],\n principal: PermitPrincipalProjection,\n groupIds: string[],\n): PermitProjectionPlatformRole[] {\n const principalId = readPermitProjectionString(principal.principalId);\n const tenantId = readPermitProjectionString(principal.tenantId);\n const roles = assignments\n .filter(\n (assignment) =>\n isActivePermitProjectionStatus(assignment.status) &&\n readPermitProjectionString(assignment.tenantId) === tenantId &&\n ((readPermitProjectionString(assignment.targetType) === \"principal\" &&\n readPermitProjectionString(assignment.targetId) === principalId) ||\n (readPermitProjectionString(assignment.targetType) === \"group\" &&\n groupIds.includes(\n readPermitProjectionString(assignment.targetId) ?? 
\"\",\n ))),\n )\n .map((assignment) => mapPermitRoleToPlatformRole(assignment.role))\n .filter((role): role is PermitProjectionPlatformRole => Boolean(role));\n\n if (\n readPermitProjectionString(principal.principalType) === \"agent\" ||\n readPermitProjectionString(principal.principalType) === \"service_principal\"\n ) {\n roles.push(\"service_agent\");\n }\n\n return [...new Set(roles)];\n}\n\nfunction workspaceFromPermitProjection(\n principal: PermitPrincipalProjection,\n alias: PermitAliasProjection | undefined,\n assignments: PermitRoleAssignmentProjection[],\n): string | undefined {\n return (\n readPermitProjectionString(principal.workspaceId) ??\n readPermitProjectionString(alias?.workspaceId) ??\n readPermitProjectionString(\n assignments.find(\n (assignment) =>\n readPermitProjectionString(assignment.targetId) ===\n readPermitProjectionString(principal.principalId) &&\n readPermitProjectionString(assignment.resourceType) === \"workspace\",\n )?.resourceKey,\n ) ??\n readPermitProjectionString(\n assignments.find((assignment) => assignment.workspaceId)?.workspaceId,\n )\n );\n}\n\nexport function buildProjectedUserFromPermitPrincipal(\n rows: PermitProjectionRows,\n principal: PermitPrincipalProjection,\n matchingAlias?: PermitAliasProjection,\n now = Date.now(),\n): PermitProjectedUserRecord | null {\n const principalId = readPermitProjectionString(principal.principalId);\n const tenantId = readPermitProjectionString(principal.tenantId);\n if (\n !principalId ||\n !tenantId ||\n !isActivePermitProjectionStatus(principal.status)\n ) {\n return null;\n }\n\n const aliases = rows.aliases.filter(\n (alias) =>\n readPermitProjectionString(alias.tenantId) === tenantId &&\n readPermitProjectionString(alias.principalId) === principalId &&\n isActivePermitProjectionStatus(alias.status),\n );\n const groupIds = groupIdsForPrincipal(rows.groupMemberships, principal);\n const roles = rolesForPrincipal(rows.roleAssignments, principal, groupIds);\n if (roles.length 
=== 0) {\n return null;\n }\n\n const alias = matchingAlias ?? aliases[0];\n const clerkId =\n readPermitProjectionString(\n aliases.find(\n (entry) =>\n readPermitProjectionString(entry.provider)?.toLowerCase() === \"clerk\",\n )?.providerSubjectId,\n ) ?? principalId;\n\n return {\n clerkId,\n email: emailFromAlias(aliases, principal) ?? `${principalId}@permit.local`,\n name: readPermitProjectionString(principal.displayName),\n lastSeenAt: principal.lastSeenAt ?? principal.updatedAt ?? now,\n chatCount: 0,\n messageCount: 0,\n mcRole: highestPlatformRole(roles),\n mcRoleSyncedAt: principal.updatedAt ?? now,\n defaultTenantId: tenantId,\n defaultWorkspaceId:\n workspaceFromPermitProjection(principal, alias, rows.roleAssignments) ??\n tenantId,\n defaultPrincipalId: principalId,\n principalGroupIds: groupIds,\n governanceGrantsSyncedAt: principal.updatedAt ?? now,\n createdAt: principal.createdAt ?? now,\n updatedAt: principal.updatedAt ?? now,\n };\n}\n\nexport function findProjectedUserByPermitPrincipalId(\n rows: PermitProjectionRows,\n principalId: string,\n now = Date.now(),\n): PermitProjectedUserRecord | null {\n const normalizedPrincipalId = principalId.trim();\n const principal = rows.principals.find(\n (row) =>\n isActivePermitProjectionStatus(row.status) &&\n readPermitProjectionString(row.principalId) === normalizedPrincipalId,\n );\n return principal\n ? buildProjectedUserFromPermitPrincipal(rows, principal, undefined, now)\n : null;\n}\n\nexport function findProjectedUserByPermitClerkId(\n rows: PermitProjectionRows,\n clerkId: string,\n now = Date.now(),\n): PermitProjectedUserRecord | null {\n const normalizedClerkId = clerkId.trim();\n const matchingAlias = rows.aliases.find((alias) =>\n isClerkAliasFor(alias, normalizedClerkId),\n );\n const principal = matchingAlias\n ? 
rows.principals.find(\n (row) =>\n readPermitProjectionString(row.tenantId) ===\n readPermitProjectionString(matchingAlias.tenantId) &&\n readPermitProjectionString(row.principalId) ===\n readPermitProjectionString(matchingAlias.principalId),\n )\n : rows.principals.find(\n (row) =>\n readPermitProjectionString(row.principalId) === normalizedClerkId ||\n readPermitProjectionString(row.principalId) ===\n `user:${normalizedClerkId}`,\n );\n return principal\n ? buildProjectedUserFromPermitPrincipal(rows, principal, matchingAlias, now)\n : null;\n}\n"]}
|
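--- a/package/dist/schemas/index.js
+++ b/package/dist/schemas/index.js
@@ -493,6 +493,35 @@ var systemLogs = defineTable({
 { kind: "index", name: "by_source", columns: ["source"] }
 ]
 });
+var domainEvents = defineTable({
+name: "domainEvents",
+component: "kernel",
+category: "events",
+shape: z.object({
+"eventId": z.string(),
+"type": z.string(),
+"version": z.string(),
+"timestamp": z.number(),
+"tenantId": z.string().optional(),
+"workspaceId": z.string().optional(),
+"topicId": z.string(),
+"resourceId": z.string(),
+"resourceType": z.string(),
+"actorId": z.string(),
+"actorType": z.enum(["human", "agent", "service"]),
+"data": z.record(z.any()),
+"correlationId": z.string().optional(),
+"expiresAt": z.number()
+}),
+indices: [
+{ kind: "index", name: "by_eventId", columns: ["eventId"] },
+{ kind: "index", name: "by_topic_timestamp", columns: ["topicId", "timestamp"] },
+{ kind: "index", name: "by_tenant_workspace_timestamp", columns: ["tenantId", "workspaceId", "timestamp"] },
+{ kind: "index", name: "by_type_timestamp", columns: ["type", "timestamp"] },
+{ kind: "index", name: "by_resource", columns: ["resourceType", "resourceId", "timestamp"] },
+{ kind: "index", name: "by_expiresAt", columns: ["expiresAt"] }
+]
+});
 var beliefConfidence = defineTable({
 name: "beliefConfidence",
 component: "kernel",
@@ -3899,7 +3928,10 @@ var permitPrincipalAliases = defineTable({
 }),
 indices: [
 { kind: "index", name: "by_principalId", columns: ["principalId"] },
+{ kind: "index", name: "by_provider_subject", columns: ["provider", "providerSubjectId"] },
+{ kind: "index", name: "by_provider_project_subject", columns: ["provider", "providerProjectId", "providerSubjectId"] },
 { kind: "index", name: "by_tenant_provider_subject", columns: ["tenantId", "provider", "providerSubjectId"] },
+{ kind: "index", name: "by_tenant_provider_project_subject", columns: ["tenantId", "provider", "providerProjectId", "providerSubjectId"] },
 {
 kind: "index",
 name: "by_tenant_provider_alias",
@@ -5108,6 +5140,7 @@ var KERNEL_TABLE_CONTRACTS = [
 decisionParticipants,
 decisionRiskLedger,
 decisionSnapshots,
+domainEvents,
 deliberationContributions,
 deliberationSessions,
 stakeholderGroups,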
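Review bot: The new `by_provider_subject` index in the `permitPrincipalAliases` hunk keys on `["provider", "providerSubjectId"]` only, so a lookup through it is scoped neither by tenant nor by provider project, unlike the existing `by_tenant_provider_subject`. If identity resolution reads through it (the callers are not visible in this file section), the same subject id issued by two provider projects, or aliased in two tenants, would resolve to whichever row comes back first. I would state the contract next to the index in the schema source this dist file is generated from, `// not tenant- or project-scoped: callers must treat more than one match as ambiguous and fail closed`, and use `by_tenant_provider_project_subject` wherever the tenant is already known. The table definition starts above the hunk, so whether `providerProjectId` is optional on alias rows cannot be checked from here.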