@lucern/contracts 0.3.0-alpha.15 → 0.3.0-alpha.17
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +6 -0
- package/dist/auth-context.contract.js +1 -1
- package/dist/auth-context.contract.js.map +1 -1
- package/dist/auth-session.contract.js +1 -1
- package/dist/auth-session.contract.js.map +1 -1
- package/dist/auth.contract.js +1 -1
- package/dist/auth.contract.js.map +1 -1
- package/dist/function-registry/beliefs.d.ts +1 -1
- package/dist/function-registry/beliefs.js +7 -19
- package/dist/function-registry/beliefs.js.map +1 -1
- package/dist/function-registry/coding.d.ts +1 -1
- package/dist/function-registry/coding.js +4 -4
- package/dist/function-registry/coding.js.map +1 -1
- package/dist/function-registry/context.d.ts +1 -1
- package/dist/function-registry/context.js +4 -4
- package/dist/function-registry/context.js.map +1 -1
- package/dist/function-registry/contracts.d.ts +1 -1
- package/dist/function-registry/contracts.js +4 -4
- package/dist/function-registry/contracts.js.map +1 -1
- package/dist/function-registry/coordination.d.ts +1 -1
- package/dist/function-registry/coordination.js +4 -4
- package/dist/function-registry/coordination.js.map +1 -1
- package/dist/function-registry/edges.d.ts +1 -1
- package/dist/function-registry/edges.js +4 -4
- package/dist/function-registry/edges.js.map +1 -1
- package/dist/function-registry/evidence.d.ts +1 -1
- package/dist/function-registry/evidence.js +6 -15
- package/dist/function-registry/evidence.js.map +1 -1
- package/dist/function-registry/graph.d.ts +1 -1
- package/dist/function-registry/graph.js +4 -4
- package/dist/function-registry/graph.js.map +1 -1
- package/dist/function-registry/helpers.js +4 -4
- package/dist/function-registry/helpers.js.map +1 -1
- package/dist/function-registry/identity.d.ts +1 -1
- package/dist/function-registry/identity.js +7 -10
- package/dist/function-registry/identity.js.map +1 -1
- package/dist/function-registry/index.js +4 -4
- package/dist/function-registry/index.js.map +1 -1
- package/dist/function-registry/judgments.d.ts +1 -1
- package/dist/function-registry/judgments.js +4 -4
- package/dist/function-registry/judgments.js.map +1 -1
- package/dist/function-registry/legacy.d.ts +1 -1
- package/dist/function-registry/legacy.js +4 -4
- package/dist/function-registry/legacy.js.map +1 -1
- package/dist/function-registry/lenses.d.ts +1 -1
- package/dist/function-registry/lenses.js +4 -4
- package/dist/function-registry/lenses.js.map +1 -1
- package/dist/function-registry/nodes.d.ts +1 -1
- package/dist/function-registry/nodes.js +4 -4
- package/dist/function-registry/nodes.js.map +1 -1
- package/dist/function-registry/ontologies.d.ts +1 -1
- package/dist/function-registry/ontologies.js +4 -4
- package/dist/function-registry/ontologies.js.map +1 -1
- package/dist/function-registry/pipeline.d.ts +1 -1
- package/dist/function-registry/pipeline.js +4 -4
- package/dist/function-registry/pipeline.js.map +1 -1
- package/dist/function-registry/questions.d.ts +1 -1
- package/dist/function-registry/questions.js +6 -9
- package/dist/function-registry/questions.js.map +1 -1
- package/dist/function-registry/tasks.d.ts +1 -1
- package/dist/function-registry/tasks.js +4 -4
- package/dist/function-registry/tasks.js.map +1 -1
- package/dist/function-registry/topics.d.ts +1 -1
- package/dist/function-registry/topics.js +4 -4
- package/dist/function-registry/topics.js.map +1 -1
- package/dist/function-registry/types.d.ts +1 -1
- package/dist/function-registry/worktrees.d.ts +1 -1
- package/dist/function-registry/worktrees.js +20 -4
- package/dist/function-registry/worktrees.js.map +1 -1
- package/dist/gateway.contract.d.ts +1 -0
- package/dist/gateway.contract.js.map +1 -1
- package/dist/generated/convexSchemas.js +2 -2
- package/dist/generated/convexSchemas.js.map +1 -1
- package/dist/generated/infisicalRuntimeEnv.js +300 -6
- package/dist/generated/infisicalRuntimeEnv.js.map +1 -1
- package/dist/index.js +364 -16
- package/dist/index.js.map +1 -1
- package/dist/infisical-runtime.contract.d.ts +41 -3
- package/dist/infisical-runtime.contract.js +49 -3
- package/dist/infisical-runtime.contract.js.map +1 -1
- package/dist/manifests/infisical-runtime-manifest.d.ts +41 -3
- package/dist/manifests/infisical-runtime-manifest.js +49 -3
- package/dist/manifests/infisical-runtime-manifest.js.map +1 -1
- package/dist/permit-principal-projection.contract.js +8 -1
- package/dist/permit-principal-projection.contract.js.map +1 -1
- package/dist/proof-attestation.json +1 -1
- package/dist/schemas/index.js +2 -1
- package/dist/schemas/index.js.map +1 -1
- package/dist/schemas/manifest.d.ts +10 -5
- package/dist/schemas/manifest.js +2 -1
- package/dist/schemas/manifest.js.map +1 -1
- package/dist/schemas/tables/mc/tenant.d.ts +2 -1
- package/dist/schemas/tables/mc/tenant.js +2 -1
- package/dist/schemas/tables/mc/tenant.js.map +1 -1
- package/dist/sdk-tools.contract.js +4 -4
- package/dist/sdk-tools.contract.js.map +1 -1
- package/dist/tool-contracts.js +4 -4
- package/dist/tool-contracts.js.map +1 -1
- package/package.json +1 -1
package/CHANGELOG.md
CHANGED
|
@@ -2,6 +2,12 @@
|
|
|
2
2
|
|
|
3
3
|
All notable changes to `@lucern/contracts` are tracked in this repository.
|
|
4
4
|
|
|
5
|
+
## [0.3.0-alpha.16] - 2026-05-14
|
|
6
|
+
- Adds the exact-row reasoning-kernel migration surface required for tenant identity/scope repairs.
|
|
7
|
+
- Keeps the coherent Lucern package line aligned for StackOS and reasoning-environment adoption.
|
|
8
|
+
|
|
5
9
|
## [0.3.0-alpha.7] - 2026-05-03
|
|
6
10
|
- Rebuild the coherent Lucern package line after Campaign 1 SDK hardening fixes.
|
|
7
11
|
|
|
12
|
+
## [0.3.0-alpha.17] - 2026-05-19
|
|
13
|
+
- Release notes pending.
|
|
@@ -18,7 +18,7 @@ var SESSION_LIFECYCLE_STATUSES = [
|
|
|
18
18
|
"revoked"
|
|
19
19
|
];
|
|
20
20
|
function inferSessionPrincipalType(principalId) {
|
|
21
|
-
if (principalId
|
|
21
|
+
if (/^user_[A-Za-z0-9]+$/.test(principalId)) {
|
|
22
22
|
return "human";
|
|
23
23
|
}
|
|
24
24
|
if (principalId.startsWith("agent:")) {
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../src/auth.contract.ts"],"names":[],"mappings":";AAgBO,IAAM,kBAAA,GAAqB;AAAA,EAChC,kBAAA;AAAA,EACA,mBAAA;AAAA,EACA,gBAAA;AAAA,EACA;AACF;AAGO,IAAM,uBAAA,GAA0B;AAAA,EACrC,OAAA;AAAA,EACA,SAAA;AAAA,EACA,OAAA;AAAA,EACA,OAAA;AAAA,EACA;AACF;AAGO,IAAM,0BAAA,GAA6B;AAAA,EACxC,QAAA;AAAA,EACA,SAAA;AAAA,EACA;AACF;AA2CO,SAAS,0BACd,WAAA,EACsB;AACtB,EAAA,IAAI,
|
|
1
|
+
{"version":3,"sources":["../src/auth.contract.ts"],"names":[],"mappings":";AAgBO,IAAM,kBAAA,GAAqB;AAAA,EAChC,kBAAA;AAAA,EACA,mBAAA;AAAA,EACA,gBAAA;AAAA,EACA;AACF;AAGO,IAAM,uBAAA,GAA0B;AAAA,EACrC,OAAA;AAAA,EACA,SAAA;AAAA,EACA,OAAA;AAAA,EACA,OAAA;AAAA,EACA;AACF;AAGO,IAAM,0BAAA,GAA6B;AAAA,EACxC,QAAA;AAAA,EACA,SAAA;AAAA,EACA;AACF;AA2CO,SAAS,0BACd,WAAA,EACsB;AACtB,EAAA,IAAI,qBAAA,CAAsB,IAAA,CAAK,WAAW,CAAA,EAAG;AAC3C,IAAA,OAAO,OAAA;AAAA,EACT;AACA,EAAA,IAAI,WAAA,CAAY,UAAA,CAAW,QAAQ,CAAA,EAAG;AACpC,IAAA,OAAO,OAAA;AAAA,EACT;AACA,EAAA,IAAI,WAAA,CAAY,UAAA,CAAW,QAAQ,CAAA,EAAG;AACpC,IAAA,OAAO,OAAA;AAAA,EACT;AACA,EAAA,IACE,YAAY,UAAA,CAAW,WAAW,KAClC,WAAA,CAAY,UAAA,CAAW,kBAAkB,CAAA,EACzC;AACA,IAAA,OAAO,iBAAA;AAAA,EACT;AACA,EAAA,OAAO,SAAA;AACT;AAEO,SAAS,yBAAyB,IAAA,EAMF;AACrC,EAAA,IAAI,IAAA,CAAK,eAAA,IAAmB,IAAA,CAAK,eAAA,CAAgB,SAAS,CAAA,EAAG;AAC3D,IAAA,OAAO,CAAC,GAAG,IAAA,CAAK,eAAe,CAAA;AAAA,EACjC;AACA,EAAA,IAAI,CAAC,KAAK,WAAA,EAAa;AACrB,IAAA;AAAA,EACF;AACA,EAAA,OAAO;AAAA,IACL;AAAA,MACE,aAAa,IAAA,CAAK,WAAA;AAAA,MAClB,aAAA,EACE,IAAA,CAAK,eAAA,IAAmB,yBAAA,CAA0B,KAAK,WAAW,CAAA;AAAA,MACpE,aAAa,IAAA,CAAK,WAAA;AAAA,MAClB,QAAQ,IAAA,CAAK;AAAA;AACf,GACF;AACF;AAEO,SAAS,cACd,eAAA,EACoB;AACpB,EAAA,IAAI,CAAC,eAAA,IAAmB,eAAA,CAAgB,MAAA,KAAW,CAAA,EAAG;AACpD,IAAA;AAAA,EACF;AACA,EAAA,OAAO,eAAA,CAAgB,eAAA,CAAgB,MAAA,GAAS,CAAC,CAAA,EAAG,WAAA;AACtD","file":"auth-context.contract.js","sourcesContent":["/**\n * @lucern/contracts — auth (canonical support contract)\n *\n * Consolidated flat support surface for Lucern authentication:\n * - Session primitives (auth modes, principal types, lifecycle)\n * - AuthContext shape + McpTransportKind + LucernSdkClient alias\n *\n * Consolidated from src/auth-session.contract.ts and src/auth-context.contract.ts\n * in EK-16 T1 PR 3a. Compat shims remain at both old paths until Lucern 1.0.0 (D12).\n */\n\n// =============================================================================\n// SESSION PRIMITIVES\n// (Formerly src/auth-session.contract.ts)\n// =============================================================================\n\nexport const SESSION_AUTH_MODES = [\n \"interactive_user\",\n \"service_principal\",\n \"tenant_api_key\",\n \"session_token\",\n] as const;\nexport type SessionAuthMode = (typeof SESSION_AUTH_MODES)[number];\n\nexport const SESSION_PRINCIPAL_TYPES = [\n \"human\",\n \"service\",\n \"agent\",\n \"group\",\n \"external_viewer\",\n] as const;\nexport type SessionPrincipalType = (typeof SESSION_PRINCIPAL_TYPES)[number];\n\nexport const SESSION_LIFECYCLE_STATUSES = [\n \"active\",\n \"expired\",\n \"revoked\",\n] as const;\nexport type SessionLifecycleStatus =\n (typeof SESSION_LIFECYCLE_STATUSES)[number];\n\nexport type SessionDelegationHop = {\n principalId: string;\n principalType: SessionPrincipalType;\n authMode?: SessionAuthMode;\n sessionId?: string;\n delegatedAt?: number;\n reason?: string;\n};\n\nexport type SessionAuditOutcome =\n | \"accepted\"\n | \"rejected\"\n | \"revoked\"\n | \"expired\";\n\nexport type SessionAuditEnvelope = {\n sessionId: string;\n authMode: SessionAuthMode;\n principalId: string;\n principalType: SessionPrincipalType;\n tenantId: string;\n workspaceId?: string;\n apiKeyId?: string;\n scopes: readonly string[];\n roles?: readonly string[];\n delegationChain?: readonly SessionDelegationHop[];\n sourceSessionId?: string;\n expiresAt?: number;\n request?: {\n endpoint?: string;\n method?: string;\n correlationId?: string;\n };\n result?: {\n outcome: SessionAuditOutcome;\n reason?: string;\n };\n};\n\nexport function inferSessionPrincipalType(\n principalId: string\n): SessionPrincipalType {\n if (/^user_[A-Za-z0-9]+$/.test(principalId)) {\n return \"human\";\n }\n if (principalId.startsWith(\"agent:\")) {\n return \"agent\";\n }\n if (principalId.startsWith(\"group:\")) {\n return \"group\";\n }\n if (\n principalId.startsWith(\"external:\") ||\n principalId.startsWith(\"external_viewer:\")\n ) {\n return \"external_viewer\";\n }\n return \"service\";\n}\n\nexport function normalizeDelegationChain(args: {\n delegationChain?: readonly SessionDelegationHop[];\n delegatedBy?: string;\n delegatedByType?: SessionPrincipalType;\n delegatedAt?: number;\n reason?: string;\n}): SessionDelegationHop[] | undefined {\n if (args.delegationChain && args.delegationChain.length > 0) {\n return [...args.delegationChain];\n }\n if (!args.delegatedBy) {\n return;\n }\n return [\n {\n principalId: args.delegatedBy,\n principalType:\n args.delegatedByType ?? inferSessionPrincipalType(args.delegatedBy),\n delegatedAt: args.delegatedAt,\n reason: args.reason,\n },\n ];\n}\n\nexport function lastDelegator(\n delegationChain?: readonly SessionDelegationHop[]\n): string | undefined {\n if (!delegationChain || delegationChain.length === 0) {\n return;\n }\n return delegationChain[delegationChain.length - 1]?.principalId;\n}\n\n// =============================================================================\n// AUTH CONTEXT\n// (Formerly src/auth-context.contract.ts)\n// =============================================================================\n\nimport type { ConvexAdminClient } from \"./convex-admin.contract\";\n\nexport type McpTransportKind = \"stdio\" | \"hosted\";\n\nexport type LucernSdkClient = unknown;\n\n/**\n * Session authentication context — injected by withAuth() middleware.\n *\n * Built from TenantConfig at dispatch time. Agent sessions get\n * AGENT_IDENTITY + \"agent:internal\" role + unrestricted access.\n * User sessions get Clerk userId + resolved role + tool ACLs.\n */\nexport type AuthContext = {\n sessionType: \"agent\" | \"user\";\n userId: string; // AGENT_IDENTITY for agents, Clerk userId for users\n tenantId: string;\n role: string; // \"agent:internal\" | \"platform_admin\" | \"tenant_admin\" | \"editor\" | \"viewer\" | ...\n allowedTopics: string[] | null; // null = unrestricted (agents, admins). Block 11D populates this.\n // Layer 2a: Group-pack binding — resolved at boot from MC resolveUserPackAccess\n groupIds: string[]; // Groups this user belongs to (empty for agents)\n permittedPackKeys: string[]; // Packs accessible via group assignments (empty = no pack filtering)\n sessionId: string; // S2-13K: MCP process session UUID for audit attribution\n principalId?: string;\n principalType?: SessionPrincipalType;\n workspaceId?: string;\n scopes?: string[];\n authMode?: SessionAuthMode;\n roles?: string[];\n transportKind?: McpTransportKind;\n lucernClient?: LucernSdkClient;\n convex?: ConvexAdminClient;\n setDefaultScopeContext?: (scopeId: string) => Promise<unknown>;\n matchesWorkspaceReasoningScope?: (\n node: unknown,\n scope: unknown\n ) => boolean;\n};\n"]}
|
|
@@ -18,7 +18,7 @@ var SESSION_LIFECYCLE_STATUSES = [
|
|
|
18
18
|
"revoked"
|
|
19
19
|
];
|
|
20
20
|
function inferSessionPrincipalType(principalId) {
|
|
21
|
-
if (principalId
|
|
21
|
+
if (/^user_[A-Za-z0-9]+$/.test(principalId)) {
|
|
22
22
|
return "human";
|
|
23
23
|
}
|
|
24
24
|
if (principalId.startsWith("agent:")) {
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../src/auth.contract.ts"],"names":[],"mappings":";AAgBO,IAAM,kBAAA,GAAqB;AAAA,EAChC,kBAAA;AAAA,EACA,mBAAA;AAAA,EACA,gBAAA;AAAA,EACA;AACF;AAGO,IAAM,uBAAA,GAA0B;AAAA,EACrC,OAAA;AAAA,EACA,SAAA;AAAA,EACA,OAAA;AAAA,EACA,OAAA;AAAA,EACA;AACF;AAGO,IAAM,0BAAA,GAA6B;AAAA,EACxC,QAAA;AAAA,EACA,SAAA;AAAA,EACA;AACF;AA2CO,SAAS,0BACd,WAAA,EACsB;AACtB,EAAA,IAAI,
|
|
1
|
+
{"version":3,"sources":["../src/auth.contract.ts"],"names":[],"mappings":";AAgBO,IAAM,kBAAA,GAAqB;AAAA,EAChC,kBAAA;AAAA,EACA,mBAAA;AAAA,EACA,gBAAA;AAAA,EACA;AACF;AAGO,IAAM,uBAAA,GAA0B;AAAA,EACrC,OAAA;AAAA,EACA,SAAA;AAAA,EACA,OAAA;AAAA,EACA,OAAA;AAAA,EACA;AACF;AAGO,IAAM,0BAAA,GAA6B;AAAA,EACxC,QAAA;AAAA,EACA,SAAA;AAAA,EACA;AACF;AA2CO,SAAS,0BACd,WAAA,EACsB;AACtB,EAAA,IAAI,qBAAA,CAAsB,IAAA,CAAK,WAAW,CAAA,EAAG;AAC3C,IAAA,OAAO,OAAA;AAAA,EACT;AACA,EAAA,IAAI,WAAA,CAAY,UAAA,CAAW,QAAQ,CAAA,EAAG;AACpC,IAAA,OAAO,OAAA;AAAA,EACT;AACA,EAAA,IAAI,WAAA,CAAY,UAAA,CAAW,QAAQ,CAAA,EAAG;AACpC,IAAA,OAAO,OAAA;AAAA,EACT;AACA,EAAA,IACE,YAAY,UAAA,CAAW,WAAW,KAClC,WAAA,CAAY,UAAA,CAAW,kBAAkB,CAAA,EACzC;AACA,IAAA,OAAO,iBAAA;AAAA,EACT;AACA,EAAA,OAAO,SAAA;AACT;AAEO,SAAS,yBAAyB,IAAA,EAMF;AACrC,EAAA,IAAI,IAAA,CAAK,eAAA,IAAmB,IAAA,CAAK,eAAA,CAAgB,SAAS,CAAA,EAAG;AAC3D,IAAA,OAAO,CAAC,GAAG,IAAA,CAAK,eAAe,CAAA;AAAA,EACjC;AACA,EAAA,IAAI,CAAC,KAAK,WAAA,EAAa;AACrB,IAAA;AAAA,EACF;AACA,EAAA,OAAO;AAAA,IACL;AAAA,MACE,aAAa,IAAA,CAAK,WAAA;AAAA,MAClB,aAAA,EACE,IAAA,CAAK,eAAA,IAAmB,yBAAA,CAA0B,KAAK,WAAW,CAAA;AAAA,MACpE,aAAa,IAAA,CAAK,WAAA;AAAA,MAClB,QAAQ,IAAA,CAAK;AAAA;AACf,GACF;AACF;AAEO,SAAS,cACd,eAAA,EACoB;AACpB,EAAA,IAAI,CAAC,eAAA,IAAmB,eAAA,CAAgB,MAAA,KAAW,CAAA,EAAG;AACpD,IAAA;AAAA,EACF;AACA,EAAA,OAAO,eAAA,CAAgB,eAAA,CAAgB,MAAA,GAAS,CAAC,CAAA,EAAG,WAAA;AACtD","file":"auth-session.contract.js","sourcesContent":["/**\n * @lucern/contracts — auth (canonical support contract)\n *\n * Consolidated flat support surface for Lucern authentication:\n * - Session primitives (auth modes, principal types, lifecycle)\n * - AuthContext shape + McpTransportKind + LucernSdkClient alias\n *\n * Consolidated from src/auth-session.contract.ts and src/auth-context.contract.ts\n * in EK-16 T1 PR 3a. Compat shims remain at both old paths until Lucern 1.0.0 (D12).\n */\n\n// =============================================================================\n// SESSION PRIMITIVES\n// (Formerly src/auth-session.contract.ts)\n// =============================================================================\n\nexport const SESSION_AUTH_MODES = [\n \"interactive_user\",\n \"service_principal\",\n \"tenant_api_key\",\n \"session_token\",\n] as const;\nexport type SessionAuthMode = (typeof SESSION_AUTH_MODES)[number];\n\nexport const SESSION_PRINCIPAL_TYPES = [\n \"human\",\n \"service\",\n \"agent\",\n \"group\",\n \"external_viewer\",\n] as const;\nexport type SessionPrincipalType = (typeof SESSION_PRINCIPAL_TYPES)[number];\n\nexport const SESSION_LIFECYCLE_STATUSES = [\n \"active\",\n \"expired\",\n \"revoked\",\n] as const;\nexport type SessionLifecycleStatus =\n (typeof SESSION_LIFECYCLE_STATUSES)[number];\n\nexport type SessionDelegationHop = {\n principalId: string;\n principalType: SessionPrincipalType;\n authMode?: SessionAuthMode;\n sessionId?: string;\n delegatedAt?: number;\n reason?: string;\n};\n\nexport type SessionAuditOutcome =\n | \"accepted\"\n | \"rejected\"\n | \"revoked\"\n | \"expired\";\n\nexport type SessionAuditEnvelope = {\n sessionId: string;\n authMode: SessionAuthMode;\n principalId: string;\n principalType: SessionPrincipalType;\n tenantId: string;\n workspaceId?: string;\n apiKeyId?: string;\n scopes: readonly string[];\n roles?: readonly string[];\n delegationChain?: readonly SessionDelegationHop[];\n sourceSessionId?: string;\n expiresAt?: number;\n request?: {\n endpoint?: string;\n method?: string;\n correlationId?: string;\n };\n result?: {\n outcome: SessionAuditOutcome;\n reason?: string;\n };\n};\n\nexport function inferSessionPrincipalType(\n principalId: string\n): SessionPrincipalType {\n if (/^user_[A-Za-z0-9]+$/.test(principalId)) {\n return \"human\";\n }\n if (principalId.startsWith(\"agent:\")) {\n return \"agent\";\n }\n if (principalId.startsWith(\"group:\")) {\n return \"group\";\n }\n if (\n principalId.startsWith(\"external:\") ||\n principalId.startsWith(\"external_viewer:\")\n ) {\n return \"external_viewer\";\n }\n return \"service\";\n}\n\nexport function normalizeDelegationChain(args: {\n delegationChain?: readonly SessionDelegationHop[];\n delegatedBy?: string;\n delegatedByType?: SessionPrincipalType;\n delegatedAt?: number;\n reason?: string;\n}): SessionDelegationHop[] | undefined {\n if (args.delegationChain && args.delegationChain.length > 0) {\n return [...args.delegationChain];\n }\n if (!args.delegatedBy) {\n return;\n }\n return [\n {\n principalId: args.delegatedBy,\n principalType:\n args.delegatedByType ?? inferSessionPrincipalType(args.delegatedBy),\n delegatedAt: args.delegatedAt,\n reason: args.reason,\n },\n ];\n}\n\nexport function lastDelegator(\n delegationChain?: readonly SessionDelegationHop[]\n): string | undefined {\n if (!delegationChain || delegationChain.length === 0) {\n return;\n }\n return delegationChain[delegationChain.length - 1]?.principalId;\n}\n\n// =============================================================================\n// AUTH CONTEXT\n// (Formerly src/auth-context.contract.ts)\n// =============================================================================\n\nimport type { ConvexAdminClient } from \"./convex-admin.contract\";\n\nexport type McpTransportKind = \"stdio\" | \"hosted\";\n\nexport type LucernSdkClient = unknown;\n\n/**\n * Session authentication context — injected by withAuth() middleware.\n *\n * Built from TenantConfig at dispatch time. Agent sessions get\n * AGENT_IDENTITY + \"agent:internal\" role + unrestricted access.\n * User sessions get Clerk userId + resolved role + tool ACLs.\n */\nexport type AuthContext = {\n sessionType: \"agent\" | \"user\";\n userId: string; // AGENT_IDENTITY for agents, Clerk userId for users\n tenantId: string;\n role: string; // \"agent:internal\" | \"platform_admin\" | \"tenant_admin\" | \"editor\" | \"viewer\" | ...\n allowedTopics: string[] | null; // null = unrestricted (agents, admins). Block 11D populates this.\n // Layer 2a: Group-pack binding — resolved at boot from MC resolveUserPackAccess\n groupIds: string[]; // Groups this user belongs to (empty for agents)\n permittedPackKeys: string[]; // Packs accessible via group assignments (empty = no pack filtering)\n sessionId: string; // S2-13K: MCP process session UUID for audit attribution\n principalId?: string;\n principalType?: SessionPrincipalType;\n workspaceId?: string;\n scopes?: string[];\n authMode?: SessionAuthMode;\n roles?: string[];\n transportKind?: McpTransportKind;\n lucernClient?: LucernSdkClient;\n convex?: ConvexAdminClient;\n setDefaultScopeContext?: (scopeId: string) => Promise<unknown>;\n matchesWorkspaceReasoningScope?: (\n node: unknown,\n scope: unknown\n ) => boolean;\n};\n"]}
|
package/dist/auth.contract.js
CHANGED
|
@@ -18,7 +18,7 @@ var SESSION_LIFECYCLE_STATUSES = [
|
|
|
18
18
|
"revoked"
|
|
19
19
|
];
|
|
20
20
|
function inferSessionPrincipalType(principalId) {
|
|
21
|
-
if (principalId
|
|
21
|
+
if (/^user_[A-Za-z0-9]+$/.test(principalId)) {
|
|
22
22
|
return "human";
|
|
23
23
|
}
|
|
24
24
|
if (principalId.startsWith("agent:")) {
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../src/auth.contract.ts"],"names":[],"mappings":";AAgBO,IAAM,kBAAA,GAAqB;AAAA,EAChC,kBAAA;AAAA,EACA,mBAAA;AAAA,EACA,gBAAA;AAAA,EACA;AACF;AAGO,IAAM,uBAAA,GAA0B;AAAA,EACrC,OAAA;AAAA,EACA,SAAA;AAAA,EACA,OAAA;AAAA,EACA,OAAA;AAAA,EACA;AACF;AAGO,IAAM,0BAAA,GAA6B;AAAA,EACxC,QAAA;AAAA,EACA,SAAA;AAAA,EACA;AACF;AA2CO,SAAS,0BACd,WAAA,EACsB;AACtB,EAAA,IAAI,
|
|
1
|
+
{"version":3,"sources":["../src/auth.contract.ts"],"names":[],"mappings":";AAgBO,IAAM,kBAAA,GAAqB;AAAA,EAChC,kBAAA;AAAA,EACA,mBAAA;AAAA,EACA,gBAAA;AAAA,EACA;AACF;AAGO,IAAM,uBAAA,GAA0B;AAAA,EACrC,OAAA;AAAA,EACA,SAAA;AAAA,EACA,OAAA;AAAA,EACA,OAAA;AAAA,EACA;AACF;AAGO,IAAM,0BAAA,GAA6B;AAAA,EACxC,QAAA;AAAA,EACA,SAAA;AAAA,EACA;AACF;AA2CO,SAAS,0BACd,WAAA,EACsB;AACtB,EAAA,IAAI,qBAAA,CAAsB,IAAA,CAAK,WAAW,CAAA,EAAG;AAC3C,IAAA,OAAO,OAAA;AAAA,EACT;AACA,EAAA,IAAI,WAAA,CAAY,UAAA,CAAW,QAAQ,CAAA,EAAG;AACpC,IAAA,OAAO,OAAA;AAAA,EACT;AACA,EAAA,IAAI,WAAA,CAAY,UAAA,CAAW,QAAQ,CAAA,EAAG;AACpC,IAAA,OAAO,OAAA;AAAA,EACT;AACA,EAAA,IACE,YAAY,UAAA,CAAW,WAAW,KAClC,WAAA,CAAY,UAAA,CAAW,kBAAkB,CAAA,EACzC;AACA,IAAA,OAAO,iBAAA;AAAA,EACT;AACA,EAAA,OAAO,SAAA;AACT;AAEO,SAAS,yBAAyB,IAAA,EAMF;AACrC,EAAA,IAAI,IAAA,CAAK,eAAA,IAAmB,IAAA,CAAK,eAAA,CAAgB,SAAS,CAAA,EAAG;AAC3D,IAAA,OAAO,CAAC,GAAG,IAAA,CAAK,eAAe,CAAA;AAAA,EACjC;AACA,EAAA,IAAI,CAAC,KAAK,WAAA,EAAa;AACrB,IAAA;AAAA,EACF;AACA,EAAA,OAAO;AAAA,IACL;AAAA,MACE,aAAa,IAAA,CAAK,WAAA;AAAA,MAClB,aAAA,EACE,IAAA,CAAK,eAAA,IAAmB,yBAAA,CAA0B,KAAK,WAAW,CAAA;AAAA,MACpE,aAAa,IAAA,CAAK,WAAA;AAAA,MAClB,QAAQ,IAAA,CAAK;AAAA;AACf,GACF;AACF;AAEO,SAAS,cACd,eAAA,EACoB;AACpB,EAAA,IAAI,CAAC,eAAA,IAAmB,eAAA,CAAgB,MAAA,KAAW,CAAA,EAAG;AACpD,IAAA;AAAA,EACF;AACA,EAAA,OAAO,eAAA,CAAgB,eAAA,CAAgB,MAAA,GAAS,CAAC,CAAA,EAAG,WAAA;AACtD","file":"auth.contract.js","sourcesContent":["/**\n * @lucern/contracts — auth (canonical support contract)\n *\n * Consolidated flat support surface for Lucern authentication:\n * - Session primitives (auth modes, principal types, lifecycle)\n * - AuthContext shape + McpTransportKind + LucernSdkClient alias\n *\n * Consolidated from src/auth-session.contract.ts and src/auth-context.contract.ts\n * in EK-16 T1 PR 3a. Compat shims remain at both old paths until Lucern 1.0.0 (D12).\n */\n\n// =============================================================================\n// SESSION PRIMITIVES\n// (Formerly src/auth-session.contract.ts)\n// =============================================================================\n\nexport const SESSION_AUTH_MODES = [\n \"interactive_user\",\n \"service_principal\",\n \"tenant_api_key\",\n \"session_token\",\n] as const;\nexport type SessionAuthMode = (typeof SESSION_AUTH_MODES)[number];\n\nexport const SESSION_PRINCIPAL_TYPES = [\n \"human\",\n \"service\",\n \"agent\",\n \"group\",\n \"external_viewer\",\n] as const;\nexport type SessionPrincipalType = (typeof SESSION_PRINCIPAL_TYPES)[number];\n\nexport const SESSION_LIFECYCLE_STATUSES = [\n \"active\",\n \"expired\",\n \"revoked\",\n] as const;\nexport type SessionLifecycleStatus =\n (typeof SESSION_LIFECYCLE_STATUSES)[number];\n\nexport type SessionDelegationHop = {\n principalId: string;\n principalType: SessionPrincipalType;\n authMode?: SessionAuthMode;\n sessionId?: string;\n delegatedAt?: number;\n reason?: string;\n};\n\nexport type SessionAuditOutcome =\n | \"accepted\"\n | \"rejected\"\n | \"revoked\"\n | \"expired\";\n\nexport type SessionAuditEnvelope = {\n sessionId: string;\n authMode: SessionAuthMode;\n principalId: string;\n principalType: SessionPrincipalType;\n tenantId: string;\n workspaceId?: string;\n apiKeyId?: string;\n scopes: readonly string[];\n roles?: readonly string[];\n delegationChain?: readonly SessionDelegationHop[];\n sourceSessionId?: string;\n expiresAt?: number;\n request?: {\n endpoint?: string;\n method?: string;\n correlationId?: string;\n };\n result?: {\n outcome: SessionAuditOutcome;\n reason?: string;\n };\n};\n\nexport function inferSessionPrincipalType(\n principalId: string\n): SessionPrincipalType {\n if (/^user_[A-Za-z0-9]+$/.test(principalId)) {\n return \"human\";\n }\n if (principalId.startsWith(\"agent:\")) {\n return \"agent\";\n }\n if (principalId.startsWith(\"group:\")) {\n return \"group\";\n }\n if (\n principalId.startsWith(\"external:\") ||\n principalId.startsWith(\"external_viewer:\")\n ) {\n return \"external_viewer\";\n }\n return \"service\";\n}\n\nexport function normalizeDelegationChain(args: {\n delegationChain?: readonly SessionDelegationHop[];\n delegatedBy?: string;\n delegatedByType?: SessionPrincipalType;\n delegatedAt?: number;\n reason?: string;\n}): SessionDelegationHop[] | undefined {\n if (args.delegationChain && args.delegationChain.length > 0) {\n return [...args.delegationChain];\n }\n if (!args.delegatedBy) {\n return;\n }\n return [\n {\n principalId: args.delegatedBy,\n principalType:\n args.delegatedByType ?? inferSessionPrincipalType(args.delegatedBy),\n delegatedAt: args.delegatedAt,\n reason: args.reason,\n },\n ];\n}\n\nexport function lastDelegator(\n delegationChain?: readonly SessionDelegationHop[]\n): string | undefined {\n if (!delegationChain || delegationChain.length === 0) {\n return;\n }\n return delegationChain[delegationChain.length - 1]?.principalId;\n}\n\n// =============================================================================\n// AUTH CONTEXT\n// (Formerly src/auth-context.contract.ts)\n// =============================================================================\n\nimport type { ConvexAdminClient } from \"./convex-admin.contract\";\n\nexport type McpTransportKind = \"stdio\" | \"hosted\";\n\nexport type LucernSdkClient = unknown;\n\n/**\n * Session authentication context — injected by withAuth() middleware.\n *\n * Built from TenantConfig at dispatch time. Agent sessions get\n * AGENT_IDENTITY + \"agent:internal\" role + unrestricted access.\n * User sessions get Clerk userId + resolved role + tool ACLs.\n */\nexport type AuthContext = {\n sessionType: \"agent\" | \"user\";\n userId: string; // AGENT_IDENTITY for agents, Clerk userId for users\n tenantId: string;\n role: string; // \"agent:internal\" | \"platform_admin\" | \"tenant_admin\" | \"editor\" | \"viewer\" | ...\n allowedTopics: string[] | null; // null = unrestricted (agents, admins). Block 11D populates this.\n // Layer 2a: Group-pack binding — resolved at boot from MC resolveUserPackAccess\n groupIds: string[]; // Groups this user belongs to (empty for agents)\n permittedPackKeys: string[]; // Packs accessible via group assignments (empty = no pack filtering)\n sessionId: string; // S2-13K: MCP process session UUID for audit attribution\n principalId?: string;\n principalType?: SessionPrincipalType;\n workspaceId?: string;\n scopes?: string[];\n authMode?: SessionAuthMode;\n roles?: string[];\n transportKind?: McpTransportKind;\n lucernClient?: LucernSdkClient;\n convex?: ConvexAdminClient;\n setDefaultScopeContext?: (scopeId: string) => Promise<unknown>;\n matchesWorkspaceReasoningScope?: (\n node: unknown,\n scope: unknown\n ) => boolean;\n};\n"]}
|
|
@@ -84,7 +84,7 @@ type FunctionConvexTarget = {
|
|
|
84
84
|
outputProjection?: ContractOutputProjection;
|
|
85
85
|
};
|
|
86
86
|
type FunctionGatewayTarget = {
|
|
87
|
-
handler: "tasks.create" | "tasks.list" | "tasks.update" | "tasks.complete";
|
|
87
|
+
handler: "identity.whoami" | "beliefs.list" | "evidence.list" | "questions.list" | "tasks.create" | "tasks.list" | "tasks.update" | "tasks.complete";
|
|
88
88
|
};
|
|
89
89
|
|
|
90
90
|
declare const beliefsContracts: readonly [{
|
|
@@ -2328,7 +2328,7 @@ var IDENTITY_WHOAMI = {
|
|
|
2328
2328
|
response: {
|
|
2329
2329
|
description: "Canonical identity summary for the current session",
|
|
2330
2330
|
fields: {
|
|
2331
|
-
principalId: "string \u2014 canonical
|
|
2331
|
+
principalId: "string \u2014 canonical principal identifier; for humans this is the Clerk user_... ID",
|
|
2332
2332
|
principalType: "string \u2014 human, service, agent, group, or external_viewer",
|
|
2333
2333
|
tenantId: "string | undefined \u2014 resolved tenant scope",
|
|
2334
2334
|
workspaceId: "string | undefined \u2014 resolved workspace scope",
|
|
@@ -2342,7 +2342,7 @@ var IDENTITY_WHOAMI = {
|
|
|
2342
2342
|
};
|
|
2343
2343
|
var RESOLVE_INTERACTIVE_PRINCIPAL = {
|
|
2344
2344
|
name: "resolve_interactive_principal",
|
|
2345
|
-
description: "Read the Permit-backed Lucern principal context for an authenticated Clerk user. Like `git config --get user.email` plus the repository ACL \u2014 resolves the
|
|
2345
|
+
description: "Read the Permit-backed Lucern principal context for an authenticated Clerk user. Like `git config --get user.email` plus the repository ACL \u2014 resolves the Clerk subject into tenant/workspace authorization context.",
|
|
2346
2346
|
parameters: {
|
|
2347
2347
|
clerkId: {
|
|
2348
2348
|
type: "string",
|
|
@@ -2365,7 +2365,7 @@ var RESOLVE_INTERACTIVE_PRINCIPAL = {
|
|
|
2365
2365
|
response: {
|
|
2366
2366
|
description: "Permit-backed Lucern principal context for tenant SDK bootstrap",
|
|
2367
2367
|
fields: {
|
|
2368
|
-
principalId: "string \u2014 canonical
|
|
2368
|
+
principalId: "string \u2014 canonical Clerk user_... ID for human sessions",
|
|
2369
2369
|
principalType: "string \u2014 human, service, agent, group, or external_viewer",
|
|
2370
2370
|
clerkId: "string \u2014 authenticated Clerk subject alias",
|
|
2371
2371
|
tenantId: "string \u2014 resolved tenant scope",
|
|
@@ -3193,7 +3193,7 @@ var MANAGE_WRITE_POLICY = {
|
|
|
3193
3193
|
},
|
|
3194
3194
|
role: {
|
|
3195
3195
|
type: "string",
|
|
3196
|
-
description: "Role to set policy for (required for 'set'). E.g. 'agent:internal'
|
|
3196
|
+
description: "Role to set policy for (required for 'set'). E.g. 'agent:internal' or a Permit role key such as 'workspace_admin'."
|
|
3197
3197
|
},
|
|
3198
3198
|
permission: {
|
|
3199
3199
|
type: "string",
|
|
@@ -4999,7 +4999,7 @@ function compactRecord2(input) {
|
|
|
4999
4999
|
Object.entries(input).filter(([, value]) => value !== void 0)
|
|
5000
5000
|
);
|
|
5001
5001
|
}
|
|
5002
|
-
|
|
5002
|
+
defineProjection({
|
|
5003
5003
|
contractName: "list_beliefs",
|
|
5004
5004
|
inputSchema: listBeliefsInputSchema,
|
|
5005
5005
|
project: (input) => compactRecord2({
|
|
@@ -5202,15 +5202,6 @@ var beliefLookupInput = (input) => compactRecord({
|
|
|
5202
5202
|
var beliefNodeInput = (input) => compactRecord({
|
|
5203
5203
|
nodeId: input.nodeId ?? input.id ?? input.beliefId
|
|
5204
5204
|
});
|
|
5205
|
-
var beliefTopicInput = (input) => {
|
|
5206
|
-
const parsed = listBeliefsProjection.inputSchema.safeParse(input);
|
|
5207
|
-
if (!parsed.success) {
|
|
5208
|
-
throw new Error(
|
|
5209
|
-
`list_beliefs projection input rejected: ${parsed.error.message}`
|
|
5210
|
-
);
|
|
5211
|
-
}
|
|
5212
|
-
return compactRecord(listBeliefsProjection.project(parsed.data));
|
|
5213
|
-
};
|
|
5214
5205
|
var createBeliefInput = (input, context) => {
|
|
5215
5206
|
return withUserId(
|
|
5216
5207
|
compactRecord({
|
|
@@ -5299,11 +5290,8 @@ var beliefsContracts = [
|
|
|
5299
5290
|
sdkNamespace: "beliefs",
|
|
5300
5291
|
sdkMethod: "listBeliefs",
|
|
5301
5292
|
summary: "List beliefs for a topic.",
|
|
5302
|
-
|
|
5303
|
-
|
|
5304
|
-
functionName: "getByTopic",
|
|
5305
|
-
kind: "query",
|
|
5306
|
-
inputProjection: beliefTopicInput
|
|
5293
|
+
gateway: {
|
|
5294
|
+
handler: "beliefs.list"
|
|
5307
5295
|
},
|
|
5308
5296
|
args: listBeliefsInputSchema
|
|
5309
5297
|
}),
|