@lucern/contracts 0.3.0-alpha.15 → 0.3.0-alpha.17

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (99) hide show
  1. package/CHANGELOG.md +6 -0
  2. package/dist/auth-context.contract.js +1 -1
  3. package/dist/auth-context.contract.js.map +1 -1
  4. package/dist/auth-session.contract.js +1 -1
  5. package/dist/auth-session.contract.js.map +1 -1
  6. package/dist/auth.contract.js +1 -1
  7. package/dist/auth.contract.js.map +1 -1
  8. package/dist/function-registry/beliefs.d.ts +1 -1
  9. package/dist/function-registry/beliefs.js +7 -19
  10. package/dist/function-registry/beliefs.js.map +1 -1
  11. package/dist/function-registry/coding.d.ts +1 -1
  12. package/dist/function-registry/coding.js +4 -4
  13. package/dist/function-registry/coding.js.map +1 -1
  14. package/dist/function-registry/context.d.ts +1 -1
  15. package/dist/function-registry/context.js +4 -4
  16. package/dist/function-registry/context.js.map +1 -1
  17. package/dist/function-registry/contracts.d.ts +1 -1
  18. package/dist/function-registry/contracts.js +4 -4
  19. package/dist/function-registry/contracts.js.map +1 -1
  20. package/dist/function-registry/coordination.d.ts +1 -1
  21. package/dist/function-registry/coordination.js +4 -4
  22. package/dist/function-registry/coordination.js.map +1 -1
  23. package/dist/function-registry/edges.d.ts +1 -1
  24. package/dist/function-registry/edges.js +4 -4
  25. package/dist/function-registry/edges.js.map +1 -1
  26. package/dist/function-registry/evidence.d.ts +1 -1
  27. package/dist/function-registry/evidence.js +6 -15
  28. package/dist/function-registry/evidence.js.map +1 -1
  29. package/dist/function-registry/graph.d.ts +1 -1
  30. package/dist/function-registry/graph.js +4 -4
  31. package/dist/function-registry/graph.js.map +1 -1
  32. package/dist/function-registry/helpers.js +4 -4
  33. package/dist/function-registry/helpers.js.map +1 -1
  34. package/dist/function-registry/identity.d.ts +1 -1
  35. package/dist/function-registry/identity.js +7 -10
  36. package/dist/function-registry/identity.js.map +1 -1
  37. package/dist/function-registry/index.js +4 -4
  38. package/dist/function-registry/index.js.map +1 -1
  39. package/dist/function-registry/judgments.d.ts +1 -1
  40. package/dist/function-registry/judgments.js +4 -4
  41. package/dist/function-registry/judgments.js.map +1 -1
  42. package/dist/function-registry/legacy.d.ts +1 -1
  43. package/dist/function-registry/legacy.js +4 -4
  44. package/dist/function-registry/legacy.js.map +1 -1
  45. package/dist/function-registry/lenses.d.ts +1 -1
  46. package/dist/function-registry/lenses.js +4 -4
  47. package/dist/function-registry/lenses.js.map +1 -1
  48. package/dist/function-registry/nodes.d.ts +1 -1
  49. package/dist/function-registry/nodes.js +4 -4
  50. package/dist/function-registry/nodes.js.map +1 -1
  51. package/dist/function-registry/ontologies.d.ts +1 -1
  52. package/dist/function-registry/ontologies.js +4 -4
  53. package/dist/function-registry/ontologies.js.map +1 -1
  54. package/dist/function-registry/pipeline.d.ts +1 -1
  55. package/dist/function-registry/pipeline.js +4 -4
  56. package/dist/function-registry/pipeline.js.map +1 -1
  57. package/dist/function-registry/questions.d.ts +1 -1
  58. package/dist/function-registry/questions.js +6 -9
  59. package/dist/function-registry/questions.js.map +1 -1
  60. package/dist/function-registry/tasks.d.ts +1 -1
  61. package/dist/function-registry/tasks.js +4 -4
  62. package/dist/function-registry/tasks.js.map +1 -1
  63. package/dist/function-registry/topics.d.ts +1 -1
  64. package/dist/function-registry/topics.js +4 -4
  65. package/dist/function-registry/topics.js.map +1 -1
  66. package/dist/function-registry/types.d.ts +1 -1
  67. package/dist/function-registry/worktrees.d.ts +1 -1
  68. package/dist/function-registry/worktrees.js +20 -4
  69. package/dist/function-registry/worktrees.js.map +1 -1
  70. package/dist/gateway.contract.d.ts +1 -0
  71. package/dist/gateway.contract.js.map +1 -1
  72. package/dist/generated/convexSchemas.js +2 -2
  73. package/dist/generated/convexSchemas.js.map +1 -1
  74. package/dist/generated/infisicalRuntimeEnv.js +300 -6
  75. package/dist/generated/infisicalRuntimeEnv.js.map +1 -1
  76. package/dist/index.js +364 -16
  77. package/dist/index.js.map +1 -1
  78. package/dist/infisical-runtime.contract.d.ts +41 -3
  79. package/dist/infisical-runtime.contract.js +49 -3
  80. package/dist/infisical-runtime.contract.js.map +1 -1
  81. package/dist/manifests/infisical-runtime-manifest.d.ts +41 -3
  82. package/dist/manifests/infisical-runtime-manifest.js +49 -3
  83. package/dist/manifests/infisical-runtime-manifest.js.map +1 -1
  84. package/dist/permit-principal-projection.contract.js +8 -1
  85. package/dist/permit-principal-projection.contract.js.map +1 -1
  86. package/dist/proof-attestation.json +1 -1
  87. package/dist/schemas/index.js +2 -1
  88. package/dist/schemas/index.js.map +1 -1
  89. package/dist/schemas/manifest.d.ts +10 -5
  90. package/dist/schemas/manifest.js +2 -1
  91. package/dist/schemas/manifest.js.map +1 -1
  92. package/dist/schemas/tables/mc/tenant.d.ts +2 -1
  93. package/dist/schemas/tables/mc/tenant.js +2 -1
  94. package/dist/schemas/tables/mc/tenant.js.map +1 -1
  95. package/dist/sdk-tools.contract.js +4 -4
  96. package/dist/sdk-tools.contract.js.map +1 -1
  97. package/dist/tool-contracts.js +4 -4
  98. package/dist/tool-contracts.js.map +1 -1
  99. package/package.json +1 -1
package/dist/index.js CHANGED
@@ -202,7 +202,7 @@ var SESSION_LIFECYCLE_STATUSES = [
202
202
  "revoked"
203
203
  ];
204
204
  function inferSessionPrincipalType(principalId) {
205
- if (principalId.startsWith("user:")) {
205
+ if (/^user_[A-Za-z0-9]+$/.test(principalId)) {
206
206
  return "human";
207
207
  }
208
208
  if (principalId.startsWith("agent:")) {
@@ -2253,6 +2253,7 @@ var apiKeys = defineTable({
2253
2253
  shape: z.object({
2254
2254
  "tenantId": idOf("tenants"),
2255
2255
  "workspaceId": idOf("workspaces").optional(),
2256
+ "environment": z.enum(["dev", "staging", "prod"]).optional(),
2256
2257
  "keyPrefix": z.enum(["luc", "stk"]),
2257
2258
  "keyHash": z.string(),
2258
2259
  "keyHint": z.string(),
@@ -2280,7 +2281,7 @@ var auditLog = defineTable({
2280
2281
  shape: z.object({
2281
2282
  "tenantId": idOf("tenants").optional(),
2282
2283
  "apiKeyId": idOf("apiKeys").optional(),
2283
- "action": z.enum(["key_created", "key_revoked", "key_expired", "key_used", "tenant_secret_created", "tenant_secret_rotated", "tenant_secret_revoked", "tenant_slot_binding_upserted", "tenant_slot_binding_revoked", "proxy_token_minted", "proxy_token_lease_issued", "proxy_token_lease_renewed", "proxy_token_lease_revoked", "proxy_request_recorded", "tenant_created", "tenant_updated", "tenant_suspended", "tenant_archived", "tenant_reactivated", "principal_created", "principal_updated", "principal_suspended", "principal_identity_alias_upserted", "principal_identity_alias_revoked", "membership_created", "membership_updated", "membership_revoked", "group_created", "group_updated", "group_deleted", "group_member_added", "group_member_removed", "workspace_created", "workspace_updated", "workspace_archived", "workspace_deployment_set", "workspace_deployment_removed", "deployment_host_registered", "deployment_host_revoked", "service_key_created", "service_key_rotated", "service_key_revoked", "service_key_used", "service_key_auth_failed", "session_created", "session_validated", "session_revoked", "session_cascade_revoked", "session_expired", "sandbox_created", "sandbox_secret_injected", "sandbox_execution_started", "sandbox_execution_completed", "sandbox_limit_violated", "policy_created", "policy_updated", "policy_enforced", "policy_archived", "permit_sync_enqueued", "permit_sync_succeeded", "permit_sync_failed", "permit_sync_skipped", "agent_registered", "agent_updated", "tool_registered", "tool_updated", "pack_entitled", "pack_installed", "pack_enabled", "pack_disabled", "pack_entitlement_revoked", "pack_upgraded", "pack_upgrade_committed", "pack_upgrade_rolled_back", "pack_group_assigned", "pack_group_unassigned", "methodology_pack_created", "methodology_pack_updated", "methodology_pack_assigned", "methodology_pack_removed", "pack_assigned_to_group", "pack_revoked_from_group", "pack_ontology_materialized", "pack_ontology_topic_bound", "cutover_flag_set", "cutover_flag_cleared"]),
2284
+ "action": z.enum(["key_created", "key_revoked", "key_expired", "key_used", "tenant_secret_created", "tenant_secret_rotated", "tenant_secret_revoked", "tenant_slot_binding_upserted", "tenant_slot_binding_revoked", "proxy_token_minted", "proxy_token_lease_issued", "proxy_token_lease_renewed", "proxy_token_lease_revoked", "proxy_request_recorded", "tenant_created", "tenant_updated", "tenant_suspended", "tenant_archived", "tenant_reactivated", "tenant_clerk_organization_linked", "principal_created", "principal_updated", "principal_suspended", "principal_identity_alias_upserted", "principal_identity_alias_revoked", "membership_created", "membership_updated", "membership_revoked", "group_created", "group_updated", "group_deleted", "group_member_added", "group_member_removed", "workspace_created", "workspace_updated", "workspace_archived", "workspace_deployment_set", "workspace_deployment_removed", "deployment_host_registered", "deployment_host_revoked", "service_key_created", "service_key_rotated", "service_key_revoked", "service_key_used", "service_key_auth_failed", "session_created", "session_validated", "session_revoked", "session_cascade_revoked", "session_expired", "sandbox_created", "sandbox_secret_injected", "sandbox_execution_started", "sandbox_execution_completed", "sandbox_limit_violated", "policy_created", "policy_updated", "policy_enforced", "policy_archived", "permit_sync_enqueued", "permit_sync_succeeded", "permit_sync_failed", "permit_sync_skipped", "agent_registered", "agent_updated", "tool_registered", "tool_updated", "pack_entitled", "pack_installed", "pack_enabled", "pack_disabled", "pack_entitlement_revoked", "pack_upgraded", "pack_upgrade_committed", "pack_upgrade_rolled_back", "pack_group_assigned", "pack_group_unassigned", "methodology_pack_created", "methodology_pack_updated", "methodology_pack_assigned", "methodology_pack_removed", "pack_assigned_to_group", "pack_revoked_from_group", "pack_ontology_materialized", "pack_ontology_topic_bound", "cutover_flag_set", "cutover_flag_cleared"]),
2284
2285
  "actorClerkId": z.string(),
2285
2286
  "details": z.any().optional(),
2286
2287
  "createdAt": z.number()
@@ -8171,6 +8172,21 @@ var INFISICAL_RUNTIME_PATHS = [
8171
8172
  }
8172
8173
  ]
8173
8174
  },
8175
+ {
8176
+ id: "platform-operator-credentials",
8177
+ secretPath: "/platform/runtime",
8178
+ description: "Lucern-owned operator credential material for local CLI, MCP, and SDK sessions.",
8179
+ variables: [
8180
+ {
8181
+ name: "LUCERN_API_KEY",
8182
+ required: false,
8183
+ secret: true,
8184
+ public: false,
8185
+ aliases: ["LUCERN_KEY"],
8186
+ description: "Lucern-owned operator API key for gateway calls from trusted local tooling."
8187
+ }
8188
+ ]
8189
+ },
8174
8190
  {
8175
8191
  id: "tenant-shared-install",
8176
8192
  secretPath: TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH,
@@ -8206,7 +8222,7 @@ var INFISICAL_RUNTIME_SURFACES = [
8206
8222
  id: "lucern-sdk",
8207
8223
  packageName: "@lucern/sdk",
8208
8224
  delivery: "runtime_fetch",
8209
- sourcePathIds: ["platform-runtime"],
8225
+ sourcePathIds: ["platform-runtime", "platform-operator-credentials"],
8210
8226
  consumer: "server-side SDK operator contexts with a scoped Infisical identity",
8211
8227
  description: "SDK exposes the runtime Infisical resolver used by clients that have machine identity credentials."
8212
8228
  },
@@ -8215,7 +8231,7 @@ var INFISICAL_RUNTIME_SURFACES = [
8215
8231
  packageName: "@lucern/cli",
8216
8232
  delivery: "runtime_fetch",
8217
8233
  fallback: "device_auth",
8218
- sourcePathIds: ["platform-runtime"],
8234
+ sourcePathIds: ["platform-runtime", "platform-operator-credentials"],
8219
8235
  consumer: "developer/operator CLI processes",
8220
8236
  description: "CLI hydrates runtime defaults from Infisical when configured, then authenticates users through Lucern device login."
8221
8237
  },
@@ -8224,7 +8240,7 @@ var INFISICAL_RUNTIME_SURFACES = [
8224
8240
  packageName: "@lucern/mcp",
8225
8241
  delivery: "runtime_fetch",
8226
8242
  fallback: "device_auth",
8227
- sourcePathIds: ["platform-runtime"],
8243
+ sourcePathIds: ["platform-runtime", "platform-operator-credentials"],
8228
8244
  consumer: "MCP server/client processes",
8229
8245
  description: "MCP hydrates runtime defaults through the SDK resolver and remains a Lucern client, not a platform secret owner."
8230
8246
  },
@@ -9805,6 +9821,37 @@ var PLATFORM_LOCAL_OPERATOR_CONFIG_SECRET_DEFINITIONS = [
9805
9821
  ],
9806
9822
  description: "Local/hosted MCP auth token material. Tenant apps must use MC/API-key sessions instead."
9807
9823
  },
9824
+ {
9825
+ id: "platform.operator.api-key",
9826
+ canonicalName: "LUCERN_API_KEY",
9827
+ aliases: ["LUCERN_KEY"],
9828
+ owner: "lucern_platform",
9829
+ scope: "environment",
9830
+ sourcePath: "/platform/runtime",
9831
+ environmentPolicy: "environment_specific",
9832
+ required: false,
9833
+ secret: true,
9834
+ public: false,
9835
+ consumers: ["lucern-cli", "lucern-mcp", "lucern-repo-ci"],
9836
+ destinations: [
9837
+ {
9838
+ kind: "runtime_fetch",
9839
+ target: "lucern-cli-mcp-sdk",
9840
+ environmentPolicy: "environment_specific"
9841
+ },
9842
+ {
9843
+ kind: "operator_local",
9844
+ target: "lucern-repo",
9845
+ environmentPolicy: "environment_specific"
9846
+ },
9847
+ {
9848
+ kind: "github_actions",
9849
+ target: "LucernAI/lucern",
9850
+ environmentPolicy: "environment_specific"
9851
+ }
9852
+ ],
9853
+ description: "Lucern-owned operator API key for trusted CLI/MCP/CI calls. Source it from /platform/runtime; do not persist it into local user credential files."
9854
+ },
9808
9855
  {
9809
9856
  id: "platform.graph-sync.proxy",
9810
9857
  canonicalName: "LUCERN_GRAPH_SYNC_QUERY_BASE_URL",
@@ -11272,6 +11319,7 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
11272
11319
  "LUCERN_KERNEL_NPM_TOKEN",
11273
11320
  "LUCERN_KERNEL_SCOPE_REGISTRY",
11274
11321
  "LUCERN_KERNEL_SKIP_CONVEX",
11322
+ "LUCERN_KEY",
11275
11323
  "LUCERN_LOGIN_BASE_URL",
11276
11324
  "LUCERN_MCP_ALLOW_API_KEY_PASSTHROUGH",
11277
11325
  "LUCERN_MCP_DEBUG",
@@ -11528,6 +11576,7 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
11528
11576
  "LUCERN_KERNEL_NPM_TOKEN",
11529
11577
  "LUCERN_KERNEL_SCOPE_REGISTRY",
11530
11578
  "LUCERN_KERNEL_SKIP_CONVEX",
11579
+ "LUCERN_KEY",
11531
11580
  "LUCERN_LOGIN_BASE_URL",
11532
11581
  "LUCERN_MCP_ALLOW_API_KEY_PASSTHROUGH",
11533
11582
  "LUCERN_MCP_DEBUG",
@@ -13621,13 +13670,15 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
13621
13670
  "description": "stack/frontend: Tenant-owned Linear API key for support/slash-command flows. stack/stackos: Tenant-owned Linear API key for support/slash-command flows."
13622
13671
  },
13623
13672
  "LUCERN_API_KEY": {
13624
- "secretId": "tenant.stack-frontend.lucern.gateway-api-key",
13673
+ "secretId": "platform.operator.api-key",
13625
13674
  "canonicalName": "LUCERN_API_KEY",
13626
13675
  "envNames": [
13627
13676
  "LUCERN_API_KEY",
13677
+ "LUCERN_KEY",
13628
13678
  "STACK_API_KEY"
13629
13679
  ],
13630
13680
  "aliases": [
13681
+ "LUCERN_KEY",
13631
13682
  "STACK_API_KEY"
13632
13683
  ],
13633
13684
  "writeNames": [
@@ -13636,13 +13687,38 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
13636
13687
  "required": false,
13637
13688
  "secret": true,
13638
13689
  "public": false,
13639
- "sourcePath": "/tenants/stack",
13690
+ "sourcePath": "/platform/runtime",
13640
13691
  "environmentPolicy": "environment_specific",
13641
13692
  "consumers": [
13693
+ "lucern-cli",
13694
+ "lucern-mcp",
13695
+ "lucern-repo-ci",
13696
+ "lucern-sdk",
13642
13697
  "tenant-agent-runtime",
13643
13698
  "tenant-vercel-app"
13644
13699
  ],
13645
13700
  "destinations": [
13701
+ {
13702
+ "kind": "runtime_fetch",
13703
+ "target": "lucern-cli-mcp-sdk",
13704
+ "writeNames": [
13705
+ "LUCERN_API_KEY"
13706
+ ]
13707
+ },
13708
+ {
13709
+ "kind": "operator_local",
13710
+ "target": "lucern-repo",
13711
+ "writeNames": [
13712
+ "LUCERN_API_KEY"
13713
+ ]
13714
+ },
13715
+ {
13716
+ "kind": "github_actions",
13717
+ "target": "LucernAI/lucern",
13718
+ "writeNames": [
13719
+ "LUCERN_API_KEY"
13720
+ ]
13721
+ },
13646
13722
  {
13647
13723
  "kind": "vercel",
13648
13724
  "target": "ai-chatbot-diao",
@@ -13686,7 +13762,7 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
13686
13762
  ]
13687
13763
  }
13688
13764
  ],
13689
- "description": "stack/frontend: Tenant-scoped Lucern/MC gateway API key for product front-door calls. stack/stackos: Tenant-scoped Lucern/MC gateway API key for product front-door calls."
13765
+ "description": "Lucern-owned operator API key for trusted CLI/MCP/CI calls. Source it from /platform/runtime; do not persist it into local user credential files. stack/frontend: Tenant-scoped Lucern/MC gateway API key for product front-door calls. stack/stackos: Tenant-scoped Lucern/MC gateway API key for product front-door calls. Lucern-owned operator API key for gateway calls from trusted local tooling. Lucern-owned operator API key for gateway calls from trusted local tooling. Lucern-owned operator API key for gateway calls from trusted local tooling."
13690
13766
  },
13691
13767
  "LUCERN_API_URL": {
13692
13768
  "secretId": "platform.runtime.api-base-url",
@@ -17165,6 +17241,7 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
17165
17241
  "LANGFUSE_SECRET_KEY": "LANGFUSE_SECRET_KEY",
17166
17242
  "LINEAR_API_KEY": "LINEAR_API_KEY",
17167
17243
  "LUCERN_API_KEY": "LUCERN_API_KEY",
17244
+ "LUCERN_KEY": "LUCERN_API_KEY",
17168
17245
  "STACK_API_KEY": "LUCERN_API_KEY",
17169
17246
  "LUCERN_API_BASE_URL": "LUCERN_BASE_URL",
17170
17247
  "LUCERN_API_URL": "LUCERN_API_URL",
@@ -18900,9 +18977,33 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
18900
18977
  "consumer": "server-side SDK operator contexts with a scoped Infisical identity",
18901
18978
  "description": "SDK exposes the runtime Infisical resolver used by clients that have machine identity credentials.",
18902
18979
  "sourcePathIds": [
18903
- "platform-runtime"
18980
+ "platform-runtime",
18981
+ "platform-operator-credentials"
18904
18982
  ],
18905
18983
  "variables": [
18984
+ {
18985
+ "canonicalName": "LUCERN_API_KEY",
18986
+ "envNames": [
18987
+ "LUCERN_API_KEY",
18988
+ "LUCERN_KEY"
18989
+ ],
18990
+ "aliases": [
18991
+ "LUCERN_KEY"
18992
+ ],
18993
+ "writeNames": [
18994
+ "LUCERN_API_KEY"
18995
+ ],
18996
+ "required": false,
18997
+ "secret": true,
18998
+ "public": false,
18999
+ "sourcePath": "/platform/runtime",
19000
+ "environmentPolicy": "environment_specific",
19001
+ "consumers": [
19002
+ "lucern-sdk"
19003
+ ],
19004
+ "destinations": [],
19005
+ "description": "Lucern-owned operator API key for gateway calls from trusted local tooling."
19006
+ },
18906
19007
  {
18907
19008
  "canonicalName": "LUCERN_API_URL",
18908
19009
  "envNames": [
@@ -19003,9 +19104,57 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
19003
19104
  "consumer": "developer/operator CLI processes",
19004
19105
  "description": "CLI hydrates runtime defaults from Infisical when configured, then authenticates users through Lucern device login.",
19005
19106
  "sourcePathIds": [
19006
- "platform-runtime"
19107
+ "platform-runtime",
19108
+ "platform-operator-credentials"
19007
19109
  ],
19008
19110
  "variables": [
19111
+ {
19112
+ "canonicalName": "LUCERN_API_KEY",
19113
+ "envNames": [
19114
+ "LUCERN_API_KEY",
19115
+ "LUCERN_KEY"
19116
+ ],
19117
+ "aliases": [
19118
+ "LUCERN_KEY"
19119
+ ],
19120
+ "writeNames": [
19121
+ "LUCERN_API_KEY"
19122
+ ],
19123
+ "required": false,
19124
+ "secret": true,
19125
+ "public": false,
19126
+ "sourcePath": "/platform/runtime",
19127
+ "environmentPolicy": "environment_specific",
19128
+ "consumers": [
19129
+ "lucern-cli",
19130
+ "lucern-mcp",
19131
+ "lucern-repo-ci"
19132
+ ],
19133
+ "destinations": [
19134
+ {
19135
+ "kind": "runtime_fetch",
19136
+ "target": "lucern-cli-mcp-sdk",
19137
+ "writeNames": [
19138
+ "LUCERN_API_KEY"
19139
+ ]
19140
+ },
19141
+ {
19142
+ "kind": "operator_local",
19143
+ "target": "lucern-repo",
19144
+ "writeNames": [
19145
+ "LUCERN_API_KEY"
19146
+ ]
19147
+ },
19148
+ {
19149
+ "kind": "github_actions",
19150
+ "target": "LucernAI/lucern",
19151
+ "writeNames": [
19152
+ "LUCERN_API_KEY"
19153
+ ]
19154
+ }
19155
+ ],
19156
+ "description": "Lucern-owned operator API key for gateway calls from trusted local tooling. Lucern-owned operator API key for trusted CLI/MCP/CI calls. Source it from /platform/runtime; do not persist it into local user credential files."
19157
+ },
19009
19158
  {
19010
19159
  "canonicalName": "LUCERN_API_URL",
19011
19160
  "envNames": [
@@ -19344,7 +19493,8 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
19344
19493
  "consumer": "MCP server/client processes",
19345
19494
  "description": "MCP hydrates runtime defaults through the SDK resolver and remains a Lucern client, not a platform secret owner.",
19346
19495
  "sourcePathIds": [
19347
- "platform-runtime"
19496
+ "platform-runtime",
19497
+ "platform-operator-credentials"
19348
19498
  ],
19349
19499
  "variables": [
19350
19500
  {
@@ -19432,6 +19582,53 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
19432
19582
  ],
19433
19583
  "description": "Lucern-owned Clerk backend secret. Never route to tenant-owned apps unless that tenant is Lucern itself."
19434
19584
  },
19585
+ {
19586
+ "canonicalName": "LUCERN_API_KEY",
19587
+ "envNames": [
19588
+ "LUCERN_API_KEY",
19589
+ "LUCERN_KEY"
19590
+ ],
19591
+ "aliases": [
19592
+ "LUCERN_KEY"
19593
+ ],
19594
+ "writeNames": [
19595
+ "LUCERN_API_KEY"
19596
+ ],
19597
+ "required": false,
19598
+ "secret": true,
19599
+ "public": false,
19600
+ "sourcePath": "/platform/runtime",
19601
+ "environmentPolicy": "environment_specific",
19602
+ "consumers": [
19603
+ "lucern-cli",
19604
+ "lucern-mcp",
19605
+ "lucern-repo-ci"
19606
+ ],
19607
+ "destinations": [
19608
+ {
19609
+ "kind": "runtime_fetch",
19610
+ "target": "lucern-cli-mcp-sdk",
19611
+ "writeNames": [
19612
+ "LUCERN_API_KEY"
19613
+ ]
19614
+ },
19615
+ {
19616
+ "kind": "operator_local",
19617
+ "target": "lucern-repo",
19618
+ "writeNames": [
19619
+ "LUCERN_API_KEY"
19620
+ ]
19621
+ },
19622
+ {
19623
+ "kind": "github_actions",
19624
+ "target": "LucernAI/lucern",
19625
+ "writeNames": [
19626
+ "LUCERN_API_KEY"
19627
+ ]
19628
+ }
19629
+ ],
19630
+ "description": "Lucern-owned operator API key for gateway calls from trusted local tooling. Lucern-owned operator API key for trusted CLI/MCP/CI calls. Source it from /platform/runtime; do not persist it into local user credential files."
19631
+ },
19435
19632
  {
19436
19633
  "canonicalName": "LUCERN_API_URL",
19437
19634
  "envNames": [
@@ -25153,6 +25350,54 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
25153
25350
  ],
25154
25351
  "description": "Lucern-owned Langfuse secret key for prompt sync, prompt reads, and AI tracing."
25155
25352
  },
25353
+ {
25354
+ "secretId": "platform.operator.api-key",
25355
+ "canonicalName": "LUCERN_API_KEY",
25356
+ "envNames": [
25357
+ "LUCERN_API_KEY",
25358
+ "LUCERN_KEY"
25359
+ ],
25360
+ "aliases": [
25361
+ "LUCERN_KEY"
25362
+ ],
25363
+ "writeNames": [
25364
+ "LUCERN_API_KEY"
25365
+ ],
25366
+ "required": false,
25367
+ "secret": true,
25368
+ "public": false,
25369
+ "sourcePath": "/platform/runtime",
25370
+ "environmentPolicy": "environment_specific",
25371
+ "consumers": [
25372
+ "lucern-cli",
25373
+ "lucern-mcp",
25374
+ "lucern-repo-ci"
25375
+ ],
25376
+ "destinations": [
25377
+ {
25378
+ "kind": "runtime_fetch",
25379
+ "target": "lucern-cli-mcp-sdk",
25380
+ "writeNames": [
25381
+ "LUCERN_API_KEY"
25382
+ ]
25383
+ },
25384
+ {
25385
+ "kind": "operator_local",
25386
+ "target": "lucern-repo",
25387
+ "writeNames": [
25388
+ "LUCERN_API_KEY"
25389
+ ]
25390
+ },
25391
+ {
25392
+ "kind": "github_actions",
25393
+ "target": "LucernAI/lucern",
25394
+ "writeNames": [
25395
+ "LUCERN_API_KEY"
25396
+ ]
25397
+ }
25398
+ ],
25399
+ "description": "Lucern-owned operator API key for trusted CLI/MCP/CI calls. Source it from /platform/runtime; do not persist it into local user credential files."
25400
+ },
25156
25401
  {
25157
25402
  "secretId": "platform.gateway.mode",
25158
25403
  "canonicalName": "LUCERN_GATEWAY_MODE",
@@ -29794,6 +30039,54 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
29794
30039
  ],
29795
30040
  "description": "Operator-only Infisical CLI/API location knobs. Machine credentials are handled by the bootstrap contract."
29796
30041
  },
30042
+ {
30043
+ "secretId": "platform.operator.api-key",
30044
+ "canonicalName": "LUCERN_API_KEY",
30045
+ "envNames": [
30046
+ "LUCERN_API_KEY",
30047
+ "LUCERN_KEY"
30048
+ ],
30049
+ "aliases": [
30050
+ "LUCERN_KEY"
30051
+ ],
30052
+ "writeNames": [
30053
+ "LUCERN_API_KEY"
30054
+ ],
30055
+ "required": false,
30056
+ "secret": true,
30057
+ "public": false,
30058
+ "sourcePath": "/platform/runtime",
30059
+ "environmentPolicy": "environment_specific",
30060
+ "consumers": [
30061
+ "lucern-cli",
30062
+ "lucern-mcp",
30063
+ "lucern-repo-ci"
30064
+ ],
30065
+ "destinations": [
30066
+ {
30067
+ "kind": "runtime_fetch",
30068
+ "target": "lucern-cli-mcp-sdk",
30069
+ "writeNames": [
30070
+ "LUCERN_API_KEY"
30071
+ ]
30072
+ },
30073
+ {
30074
+ "kind": "operator_local",
30075
+ "target": "lucern-repo",
30076
+ "writeNames": [
30077
+ "LUCERN_API_KEY"
30078
+ ]
30079
+ },
30080
+ {
30081
+ "kind": "github_actions",
30082
+ "target": "LucernAI/lucern",
30083
+ "writeNames": [
30084
+ "LUCERN_API_KEY"
30085
+ ]
30086
+ }
30087
+ ],
30088
+ "description": "Lucern-owned operator API key for trusted CLI/MCP/CI calls. Source it from /platform/runtime; do not persist it into local user credential files."
30089
+ },
29797
30090
  {
29798
30091
  "secretId": "platform.convex-deploy.local-names",
29799
30092
  "canonicalName": "LUCERN_CONVEX_DEPLOYMENT_NAME",
@@ -31064,6 +31357,54 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
31064
31357
  }
31065
31358
  ],
31066
31359
  "runtime_fetch:lucern-cli-mcp-sdk": [
31360
+ {
31361
+ "secretId": "platform.operator.api-key",
31362
+ "canonicalName": "LUCERN_API_KEY",
31363
+ "envNames": [
31364
+ "LUCERN_API_KEY",
31365
+ "LUCERN_KEY"
31366
+ ],
31367
+ "aliases": [
31368
+ "LUCERN_KEY"
31369
+ ],
31370
+ "writeNames": [
31371
+ "LUCERN_API_KEY"
31372
+ ],
31373
+ "required": false,
31374
+ "secret": true,
31375
+ "public": false,
31376
+ "sourcePath": "/platform/runtime",
31377
+ "environmentPolicy": "environment_specific",
31378
+ "consumers": [
31379
+ "lucern-cli",
31380
+ "lucern-mcp",
31381
+ "lucern-repo-ci"
31382
+ ],
31383
+ "destinations": [
31384
+ {
31385
+ "kind": "runtime_fetch",
31386
+ "target": "lucern-cli-mcp-sdk",
31387
+ "writeNames": [
31388
+ "LUCERN_API_KEY"
31389
+ ]
31390
+ },
31391
+ {
31392
+ "kind": "operator_local",
31393
+ "target": "lucern-repo",
31394
+ "writeNames": [
31395
+ "LUCERN_API_KEY"
31396
+ ]
31397
+ },
31398
+ {
31399
+ "kind": "github_actions",
31400
+ "target": "LucernAI/lucern",
31401
+ "writeNames": [
31402
+ "LUCERN_API_KEY"
31403
+ ]
31404
+ }
31405
+ ],
31406
+ "description": "Lucern-owned operator API key for trusted CLI/MCP/CI calls. Source it from /platform/runtime; do not persist it into local user credential files."
31407
+ },
31067
31408
  {
31068
31409
  "secretId": "platform.runtime.api-base-url",
31069
31410
  "canonicalName": "LUCERN_API_URL",
@@ -40997,7 +41338,7 @@ var IDENTITY_WHOAMI = {
40997
41338
  response: {
40998
41339
  description: "Canonical identity summary for the current session",
40999
41340
  fields: {
41000
- principalId: "string \u2014 canonical federated principal identifier",
41341
+ principalId: "string \u2014 canonical principal identifier; for humans this is the Clerk user_... ID",
41001
41342
  principalType: "string \u2014 human, service, agent, group, or external_viewer",
41002
41343
  tenantId: "string | undefined \u2014 resolved tenant scope",
41003
41344
  workspaceId: "string | undefined \u2014 resolved workspace scope",
@@ -41011,7 +41352,7 @@ var IDENTITY_WHOAMI = {
41011
41352
  };
41012
41353
  var RESOLVE_INTERACTIVE_PRINCIPAL = {
41013
41354
  name: "resolve_interactive_principal",
41014
- description: "Read the Permit-backed Lucern principal context for an authenticated Clerk user. Like `git config --get user.email` plus the repository ACL \u2014 resolves the identity alias into the canonical authorization subject.",
41355
+ description: "Read the Permit-backed Lucern principal context for an authenticated Clerk user. Like `git config --get user.email` plus the repository ACL \u2014 resolves the Clerk subject into tenant/workspace authorization context.",
41015
41356
  parameters: {
41016
41357
  clerkId: {
41017
41358
  type: "string",
@@ -41034,7 +41375,7 @@ var RESOLVE_INTERACTIVE_PRINCIPAL = {
41034
41375
  response: {
41035
41376
  description: "Permit-backed Lucern principal context for tenant SDK bootstrap",
41036
41377
  fields: {
41037
- principalId: "string \u2014 canonical Lucern principal identifier",
41378
+ principalId: "string \u2014 canonical Clerk user_... ID for human sessions",
41038
41379
  principalType: "string \u2014 human, service, agent, group, or external_viewer",
41039
41380
  clerkId: "string \u2014 authenticated Clerk subject alias",
41040
41381
  tenantId: "string \u2014 resolved tenant scope",
@@ -41862,7 +42203,7 @@ var MANAGE_WRITE_POLICY = {
41862
42203
  },
41863
42204
  role: {
41864
42205
  type: "string",
41865
- description: "Role to set policy for (required for 'set'). E.g. 'agent:internal', 'user:analyst'."
42206
+ description: "Role to set policy for (required for 'set'). E.g. 'agent:internal' or a Permit role key such as 'workspace_admin'."
41866
42207
  },
41867
42208
  permission: {
41868
42209
  type: "string",
@@ -43459,6 +43800,10 @@ function highestPlatformRole(roles) {
43459
43800
  function isClerkAliasFor(alias, clerkId) {
43460
43801
  return isActivePermitProjectionStatus(alias.status) && readPermitProjectionString(alias.provider)?.toLowerCase() === "clerk" && (readPermitProjectionString(alias.providerSubjectId) === clerkId || readPermitProjectionString(alias.alias) === clerkId);
43461
43802
  }
43803
+ function isHumanPermitPrincipal(principal) {
43804
+ const principalType = readPermitProjectionString(principal.principalType)?.toLowerCase();
43805
+ return !principalType || principalType === "human" || principalType === "user";
43806
+ }
43462
43807
  function emailFromAlias(aliases, principal) {
43463
43808
  return aliases.find(
43464
43809
  (alias) => readPermitProjectionString(alias.aliasKind)?.toLowerCase() === "email"
@@ -43517,6 +43862,9 @@ function buildProjectedUserFromPermitPrincipal(rows, principal, matchingAlias, n
43517
43862
  (entry) => readPermitProjectionString(entry.provider)?.toLowerCase() === "clerk"
43518
43863
  )?.providerSubjectId
43519
43864
  ) ?? principalId;
43865
+ if (isHumanPermitPrincipal(principal) && principalId !== clerkId) {
43866
+ return null;
43867
+ }
43520
43868
  return {
43521
43869
  clerkId,
43522
43870
  email: emailFromAlias(aliases, principal) ?? `${principalId}@permit.local`,
@@ -43550,7 +43898,7 @@ function findProjectedUserByPermitClerkId(rows, clerkId, now = Date.now()) {
43550
43898
  const principal = matchingAlias ? rows.principals.find(
43551
43899
  (row) => readPermitProjectionString(row.tenantId) === readPermitProjectionString(matchingAlias.tenantId) && readPermitProjectionString(row.principalId) === readPermitProjectionString(matchingAlias.principalId)
43552
43900
  ) : rows.principals.find(
43553
- (row) => readPermitProjectionString(row.principalId) === normalizedClerkId || readPermitProjectionString(row.principalId) === `user:${normalizedClerkId}`
43901
+ (row) => readPermitProjectionString(row.principalId) === normalizedClerkId
43554
43902
  );
43555
43903
  return principal ? buildProjectedUserFromPermitPrincipal(rows, principal, matchingAlias, now) : null;
43556
43904
  }