@lucern/contracts 0.3.0-alpha.16 → 0.3.0-alpha.17

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (79) hide show
  1. package/CHANGELOG.md +3 -0
  2. package/dist/auth-context.contract.js +1 -1
  3. package/dist/auth-context.contract.js.map +1 -1
  4. package/dist/auth-session.contract.js +1 -1
  5. package/dist/auth-session.contract.js.map +1 -1
  6. package/dist/auth.contract.js +1 -1
  7. package/dist/auth.contract.js.map +1 -1
  8. package/dist/function-registry/beliefs.js +4 -4
  9. package/dist/function-registry/beliefs.js.map +1 -1
  10. package/dist/function-registry/coding.js +4 -4
  11. package/dist/function-registry/coding.js.map +1 -1
  12. package/dist/function-registry/context.js +4 -4
  13. package/dist/function-registry/context.js.map +1 -1
  14. package/dist/function-registry/contracts.js +4 -4
  15. package/dist/function-registry/contracts.js.map +1 -1
  16. package/dist/function-registry/coordination.js +4 -4
  17. package/dist/function-registry/coordination.js.map +1 -1
  18. package/dist/function-registry/edges.js +4 -4
  19. package/dist/function-registry/edges.js.map +1 -1
  20. package/dist/function-registry/evidence.js +4 -4
  21. package/dist/function-registry/evidence.js.map +1 -1
  22. package/dist/function-registry/graph.js +4 -4
  23. package/dist/function-registry/graph.js.map +1 -1
  24. package/dist/function-registry/helpers.js +4 -4
  25. package/dist/function-registry/helpers.js.map +1 -1
  26. package/dist/function-registry/identity.js +4 -4
  27. package/dist/function-registry/identity.js.map +1 -1
  28. package/dist/function-registry/index.js +4 -4
  29. package/dist/function-registry/index.js.map +1 -1
  30. package/dist/function-registry/judgments.js +4 -4
  31. package/dist/function-registry/judgments.js.map +1 -1
  32. package/dist/function-registry/legacy.js +4 -4
  33. package/dist/function-registry/legacy.js.map +1 -1
  34. package/dist/function-registry/lenses.js +4 -4
  35. package/dist/function-registry/lenses.js.map +1 -1
  36. package/dist/function-registry/nodes.js +4 -4
  37. package/dist/function-registry/nodes.js.map +1 -1
  38. package/dist/function-registry/ontologies.js +4 -4
  39. package/dist/function-registry/ontologies.js.map +1 -1
  40. package/dist/function-registry/pipeline.js +4 -4
  41. package/dist/function-registry/pipeline.js.map +1 -1
  42. package/dist/function-registry/questions.js +4 -4
  43. package/dist/function-registry/questions.js.map +1 -1
  44. package/dist/function-registry/tasks.js +4 -4
  45. package/dist/function-registry/tasks.js.map +1 -1
  46. package/dist/function-registry/topics.js +4 -4
  47. package/dist/function-registry/topics.js.map +1 -1
  48. package/dist/function-registry/worktrees.js +20 -4
  49. package/dist/function-registry/worktrees.js.map +1 -1
  50. package/dist/gateway.contract.d.ts +1 -0
  51. package/dist/gateway.contract.js.map +1 -1
  52. package/dist/generated/convexSchemas.js +1 -1
  53. package/dist/generated/convexSchemas.js.map +1 -1
  54. package/dist/generated/infisicalRuntimeEnv.js +300 -6
  55. package/dist/generated/infisicalRuntimeEnv.js.map +1 -1
  56. package/dist/index.js +363 -16
  57. package/dist/index.js.map +1 -1
  58. package/dist/infisical-runtime.contract.d.ts +41 -3
  59. package/dist/infisical-runtime.contract.js +49 -3
  60. package/dist/infisical-runtime.contract.js.map +1 -1
  61. package/dist/manifests/infisical-runtime-manifest.d.ts +41 -3
  62. package/dist/manifests/infisical-runtime-manifest.js +49 -3
  63. package/dist/manifests/infisical-runtime-manifest.js.map +1 -1
  64. package/dist/permit-principal-projection.contract.js +8 -1
  65. package/dist/permit-principal-projection.contract.js.map +1 -1
  66. package/dist/proof-attestation.json +1 -1
  67. package/dist/schemas/index.js +1 -1
  68. package/dist/schemas/index.js.map +1 -1
  69. package/dist/schemas/manifest.d.ts +5 -5
  70. package/dist/schemas/manifest.js +1 -1
  71. package/dist/schemas/manifest.js.map +1 -1
  72. package/dist/schemas/tables/mc/tenant.d.ts +1 -1
  73. package/dist/schemas/tables/mc/tenant.js +1 -1
  74. package/dist/schemas/tables/mc/tenant.js.map +1 -1
  75. package/dist/sdk-tools.contract.js +4 -4
  76. package/dist/sdk-tools.contract.js.map +1 -1
  77. package/dist/tool-contracts.js +4 -4
  78. package/dist/tool-contracts.js.map +1 -1
  79. package/package.json +1 -1
package/CHANGELOG.md CHANGED
@@ -8,3 +8,6 @@ All notable changes to `@lucern/contracts` are tracked in this repository.
8
8
 
9
9
  ## [0.3.0-alpha.7] - 2026-05-03
10
10
  - Rebuild the coherent Lucern package line after Campaign 1 SDK hardening fixes.
11
+
12
+ ## [0.3.0-alpha.17] - 2026-05-19
13
+ - Release notes pending.
@@ -18,7 +18,7 @@ var SESSION_LIFECYCLE_STATUSES = [
18
18
  "revoked"
19
19
  ];
20
20
  function inferSessionPrincipalType(principalId) {
21
- if (principalId.startsWith("user:")) {
21
+ if (/^user_[A-Za-z0-9]+$/.test(principalId)) {
22
22
  return "human";
23
23
  }
24
24
  if (principalId.startsWith("agent:")) {
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/auth.contract.ts"],"names":[],"mappings":";AAgBO,IAAM,kBAAA,GAAqB;AAAA,EAChC,kBAAA;AAAA,EACA,mBAAA;AAAA,EACA,gBAAA;AAAA,EACA;AACF;AAGO,IAAM,uBAAA,GAA0B;AAAA,EACrC,OAAA;AAAA,EACA,SAAA;AAAA,EACA,OAAA;AAAA,EACA,OAAA;AAAA,EACA;AACF;AAGO,IAAM,0BAAA,GAA6B;AAAA,EACxC,QAAA;AAAA,EACA,SAAA;AAAA,EACA;AACF;AA2CO,SAAS,0BACd,WAAA,EACsB;AACtB,EAAA,IAAI,WAAA,CAAY,UAAA,CAAW,OAAO,CAAA,EAAG;AACnC,IAAA,OAAO,OAAA;AAAA,EACT;AACA,EAAA,IAAI,WAAA,CAAY,UAAA,CAAW,QAAQ,CAAA,EAAG;AACpC,IAAA,OAAO,OAAA;AAAA,EACT;AACA,EAAA,IAAI,WAAA,CAAY,UAAA,CAAW,QAAQ,CAAA,EAAG;AACpC,IAAA,OAAO,OAAA;AAAA,EACT;AACA,EAAA,IACE,YAAY,UAAA,CAAW,WAAW,KAClC,WAAA,CAAY,UAAA,CAAW,kBAAkB,CAAA,EACzC;AACA,IAAA,OAAO,iBAAA;AAAA,EACT;AACA,EAAA,OAAO,SAAA;AACT;AAEO,SAAS,yBAAyB,IAAA,EAMF;AACrC,EAAA,IAAI,IAAA,CAAK,eAAA,IAAmB,IAAA,CAAK,eAAA,CAAgB,SAAS,CAAA,EAAG;AAC3D,IAAA,OAAO,CAAC,GAAG,IAAA,CAAK,eAAe,CAAA;AAAA,EACjC;AACA,EAAA,IAAI,CAAC,KAAK,WAAA,EAAa;AACrB,IAAA;AAAA,EACF;AACA,EAAA,OAAO;AAAA,IACL;AAAA,MACE,aAAa,IAAA,CAAK,WAAA;AAAA,MAClB,aAAA,EACE,IAAA,CAAK,eAAA,IAAmB,yBAAA,CAA0B,KAAK,WAAW,CAAA;AAAA,MACpE,aAAa,IAAA,CAAK,WAAA;AAAA,MAClB,QAAQ,IAAA,CAAK;AAAA;AACf,GACF;AACF;AAEO,SAAS,cACd,eAAA,EACoB;AACpB,EAAA,IAAI,CAAC,eAAA,IAAmB,eAAA,CAAgB,MAAA,KAAW,CAAA,EAAG;AACpD,IAAA;AAAA,EACF;AACA,EAAA,OAAO,eAAA,CAAgB,eAAA,CAAgB,MAAA,GAAS,CAAC,CAAA,EAAG,WAAA;AACtD","file":"auth-context.contract.js","sourcesContent":["/**\n * @lucern/contracts — auth (canonical support contract)\n *\n * Consolidated flat support surface for Lucern authentication:\n * - Session primitives (auth modes, principal types, lifecycle)\n * - AuthContext shape + McpTransportKind + LucernSdkClient alias\n *\n * Consolidated from src/auth-session.contract.ts and src/auth-context.contract.ts\n * in EK-16 T1 PR 3a. Compat shims remain at both old paths until Lucern 1.0.0 (D12).\n */\n\n// =============================================================================\n// SESSION PRIMITIVES\n// (Formerly src/auth-session.contract.ts)\n// =============================================================================\n\nexport const SESSION_AUTH_MODES = [\n \"interactive_user\",\n \"service_principal\",\n \"tenant_api_key\",\n \"session_token\",\n] as const;\nexport type SessionAuthMode = (typeof SESSION_AUTH_MODES)[number];\n\nexport const SESSION_PRINCIPAL_TYPES = [\n \"human\",\n \"service\",\n \"agent\",\n \"group\",\n \"external_viewer\",\n] as const;\nexport type SessionPrincipalType = (typeof SESSION_PRINCIPAL_TYPES)[number];\n\nexport const SESSION_LIFECYCLE_STATUSES = [\n \"active\",\n \"expired\",\n \"revoked\",\n] as const;\nexport type SessionLifecycleStatus =\n (typeof SESSION_LIFECYCLE_STATUSES)[number];\n\nexport type SessionDelegationHop = {\n principalId: string;\n principalType: SessionPrincipalType;\n authMode?: SessionAuthMode;\n sessionId?: string;\n delegatedAt?: number;\n reason?: string;\n};\n\nexport type SessionAuditOutcome =\n | \"accepted\"\n | \"rejected\"\n | \"revoked\"\n | \"expired\";\n\nexport type SessionAuditEnvelope = {\n sessionId: string;\n authMode: SessionAuthMode;\n principalId: string;\n principalType: SessionPrincipalType;\n tenantId: string;\n workspaceId?: string;\n apiKeyId?: string;\n scopes: readonly string[];\n roles?: readonly string[];\n delegationChain?: readonly SessionDelegationHop[];\n sourceSessionId?: string;\n expiresAt?: number;\n request?: {\n endpoint?: string;\n method?: string;\n correlationId?: string;\n };\n result?: {\n outcome: SessionAuditOutcome;\n reason?: string;\n };\n};\n\nexport function inferSessionPrincipalType(\n principalId: string\n): SessionPrincipalType {\n if (principalId.startsWith(\"user:\")) {\n return \"human\";\n }\n if (principalId.startsWith(\"agent:\")) {\n return \"agent\";\n }\n if (principalId.startsWith(\"group:\")) {\n return \"group\";\n }\n if (\n principalId.startsWith(\"external:\") ||\n principalId.startsWith(\"external_viewer:\")\n ) {\n return \"external_viewer\";\n }\n return \"service\";\n}\n\nexport function normalizeDelegationChain(args: {\n delegationChain?: readonly SessionDelegationHop[];\n delegatedBy?: string;\n delegatedByType?: SessionPrincipalType;\n delegatedAt?: number;\n reason?: string;\n}): SessionDelegationHop[] | undefined {\n if (args.delegationChain && args.delegationChain.length > 0) {\n return [...args.delegationChain];\n }\n if (!args.delegatedBy) {\n return;\n }\n return [\n {\n principalId: args.delegatedBy,\n principalType:\n args.delegatedByType ?? inferSessionPrincipalType(args.delegatedBy),\n delegatedAt: args.delegatedAt,\n reason: args.reason,\n },\n ];\n}\n\nexport function lastDelegator(\n delegationChain?: readonly SessionDelegationHop[]\n): string | undefined {\n if (!delegationChain || delegationChain.length === 0) {\n return;\n }\n return delegationChain[delegationChain.length - 1]?.principalId;\n}\n\n// =============================================================================\n// AUTH CONTEXT\n// (Formerly src/auth-context.contract.ts)\n// =============================================================================\n\nimport type { ConvexAdminClient } from \"./convex-admin.contract\";\n\nexport type McpTransportKind = \"stdio\" | \"hosted\";\n\nexport type LucernSdkClient = unknown;\n\n/**\n * Session authentication context — injected by withAuth() middleware.\n *\n * Built from TenantConfig at dispatch time. Agent sessions get\n * AGENT_IDENTITY + \"agent:internal\" role + unrestricted access.\n * User sessions get Clerk userId + resolved role + tool ACLs.\n */\nexport type AuthContext = {\n sessionType: \"agent\" | \"user\";\n userId: string; // AGENT_IDENTITY for agents, Clerk userId for users\n tenantId: string;\n role: string; // \"agent:internal\" | \"platform_admin\" | \"tenant_admin\" | \"editor\" | \"viewer\" | ...\n allowedTopics: string[] | null; // null = unrestricted (agents, admins). Block 11D populates this.\n // Layer 2a: Group-pack binding — resolved at boot from MC resolveUserPackAccess\n groupIds: string[]; // Groups this user belongs to (empty for agents)\n permittedPackKeys: string[]; // Packs accessible via group assignments (empty = no pack filtering)\n sessionId: string; // S2-13K: MCP process session UUID for audit attribution\n principalId?: string;\n principalType?: SessionPrincipalType;\n workspaceId?: string;\n scopes?: string[];\n authMode?: SessionAuthMode;\n roles?: string[];\n transportKind?: McpTransportKind;\n lucernClient?: LucernSdkClient;\n convex?: ConvexAdminClient;\n setDefaultScopeContext?: (scopeId: string) => Promise<unknown>;\n matchesWorkspaceReasoningScope?: (\n node: unknown,\n scope: unknown\n ) => boolean;\n};\n"]}
1
+ {"version":3,"sources":["../src/auth.contract.ts"],"names":[],"mappings":";AAgBO,IAAM,kBAAA,GAAqB;AAAA,EAChC,kBAAA;AAAA,EACA,mBAAA;AAAA,EACA,gBAAA;AAAA,EACA;AACF;AAGO,IAAM,uBAAA,GAA0B;AAAA,EACrC,OAAA;AAAA,EACA,SAAA;AAAA,EACA,OAAA;AAAA,EACA,OAAA;AAAA,EACA;AACF;AAGO,IAAM,0BAAA,GAA6B;AAAA,EACxC,QAAA;AAAA,EACA,SAAA;AAAA,EACA;AACF;AA2CO,SAAS,0BACd,WAAA,EACsB;AACtB,EAAA,IAAI,qBAAA,CAAsB,IAAA,CAAK,WAAW,CAAA,EAAG;AAC3C,IAAA,OAAO,OAAA;AAAA,EACT;AACA,EAAA,IAAI,WAAA,CAAY,UAAA,CAAW,QAAQ,CAAA,EAAG;AACpC,IAAA,OAAO,OAAA;AAAA,EACT;AACA,EAAA,IAAI,WAAA,CAAY,UAAA,CAAW,QAAQ,CAAA,EAAG;AACpC,IAAA,OAAO,OAAA;AAAA,EACT;AACA,EAAA,IACE,YAAY,UAAA,CAAW,WAAW,KAClC,WAAA,CAAY,UAAA,CAAW,kBAAkB,CAAA,EACzC;AACA,IAAA,OAAO,iBAAA;AAAA,EACT;AACA,EAAA,OAAO,SAAA;AACT;AAEO,SAAS,yBAAyB,IAAA,EAMF;AACrC,EAAA,IAAI,IAAA,CAAK,eAAA,IAAmB,IAAA,CAAK,eAAA,CAAgB,SAAS,CAAA,EAAG;AAC3D,IAAA,OAAO,CAAC,GAAG,IAAA,CAAK,eAAe,CAAA;AAAA,EACjC;AACA,EAAA,IAAI,CAAC,KAAK,WAAA,EAAa;AACrB,IAAA;AAAA,EACF;AACA,EAAA,OAAO;AAAA,IACL;AAAA,MACE,aAAa,IAAA,CAAK,WAAA;AAAA,MAClB,aAAA,EACE,IAAA,CAAK,eAAA,IAAmB,yBAAA,CAA0B,KAAK,WAAW,CAAA;AAAA,MACpE,aAAa,IAAA,CAAK,WAAA;AAAA,MAClB,QAAQ,IAAA,CAAK;AAAA;AACf,GACF;AACF;AAEO,SAAS,cACd,eAAA,EACoB;AACpB,EAAA,IAAI,CAAC,eAAA,IAAmB,eAAA,CAAgB,MAAA,KAAW,CAAA,EAAG;AACpD,IAAA;AAAA,EACF;AACA,EAAA,OAAO,eAAA,CAAgB,eAAA,CAAgB,MAAA,GAAS,CAAC,CAAA,EAAG,WAAA;AACtD","file":"auth-context.contract.js","sourcesContent":["/**\n * @lucern/contracts — auth (canonical support contract)\n *\n * Consolidated flat support surface for Lucern authentication:\n * - Session primitives (auth modes, principal types, lifecycle)\n * - AuthContext shape + McpTransportKind + LucernSdkClient alias\n *\n * Consolidated from src/auth-session.contract.ts and src/auth-context.contract.ts\n * in EK-16 T1 PR 3a. Compat shims remain at both old paths until Lucern 1.0.0 (D12).\n */\n\n// =============================================================================\n// SESSION PRIMITIVES\n// (Formerly src/auth-session.contract.ts)\n// =============================================================================\n\nexport const SESSION_AUTH_MODES = [\n \"interactive_user\",\n \"service_principal\",\n \"tenant_api_key\",\n \"session_token\",\n] as const;\nexport type SessionAuthMode = (typeof SESSION_AUTH_MODES)[number];\n\nexport const SESSION_PRINCIPAL_TYPES = [\n \"human\",\n \"service\",\n \"agent\",\n \"group\",\n \"external_viewer\",\n] as const;\nexport type SessionPrincipalType = (typeof SESSION_PRINCIPAL_TYPES)[number];\n\nexport const SESSION_LIFECYCLE_STATUSES = [\n \"active\",\n \"expired\",\n \"revoked\",\n] as const;\nexport type SessionLifecycleStatus =\n (typeof SESSION_LIFECYCLE_STATUSES)[number];\n\nexport type SessionDelegationHop = {\n principalId: string;\n principalType: SessionPrincipalType;\n authMode?: SessionAuthMode;\n sessionId?: string;\n delegatedAt?: number;\n reason?: string;\n};\n\nexport type SessionAuditOutcome =\n | \"accepted\"\n | \"rejected\"\n | \"revoked\"\n | \"expired\";\n\nexport type SessionAuditEnvelope = {\n sessionId: string;\n authMode: SessionAuthMode;\n principalId: string;\n principalType: SessionPrincipalType;\n tenantId: string;\n workspaceId?: string;\n apiKeyId?: string;\n scopes: readonly string[];\n roles?: readonly string[];\n delegationChain?: readonly SessionDelegationHop[];\n sourceSessionId?: string;\n expiresAt?: number;\n request?: {\n endpoint?: string;\n method?: string;\n correlationId?: string;\n };\n result?: {\n outcome: SessionAuditOutcome;\n reason?: string;\n };\n};\n\nexport function inferSessionPrincipalType(\n principalId: string\n): SessionPrincipalType {\n if (/^user_[A-Za-z0-9]+$/.test(principalId)) {\n return \"human\";\n }\n if (principalId.startsWith(\"agent:\")) {\n return \"agent\";\n }\n if (principalId.startsWith(\"group:\")) {\n return \"group\";\n }\n if (\n principalId.startsWith(\"external:\") ||\n principalId.startsWith(\"external_viewer:\")\n ) {\n return \"external_viewer\";\n }\n return \"service\";\n}\n\nexport function normalizeDelegationChain(args: {\n delegationChain?: readonly SessionDelegationHop[];\n delegatedBy?: string;\n delegatedByType?: SessionPrincipalType;\n delegatedAt?: number;\n reason?: string;\n}): SessionDelegationHop[] | undefined {\n if (args.delegationChain && args.delegationChain.length > 0) {\n return [...args.delegationChain];\n }\n if (!args.delegatedBy) {\n return;\n }\n return [\n {\n principalId: args.delegatedBy,\n principalType:\n args.delegatedByType ?? inferSessionPrincipalType(args.delegatedBy),\n delegatedAt: args.delegatedAt,\n reason: args.reason,\n },\n ];\n}\n\nexport function lastDelegator(\n delegationChain?: readonly SessionDelegationHop[]\n): string | undefined {\n if (!delegationChain || delegationChain.length === 0) {\n return;\n }\n return delegationChain[delegationChain.length - 1]?.principalId;\n}\n\n// =============================================================================\n// AUTH CONTEXT\n// (Formerly src/auth-context.contract.ts)\n// =============================================================================\n\nimport type { ConvexAdminClient } from \"./convex-admin.contract\";\n\nexport type McpTransportKind = \"stdio\" | \"hosted\";\n\nexport type LucernSdkClient = unknown;\n\n/**\n * Session authentication context — injected by withAuth() middleware.\n *\n * Built from TenantConfig at dispatch time. Agent sessions get\n * AGENT_IDENTITY + \"agent:internal\" role + unrestricted access.\n * User sessions get Clerk userId + resolved role + tool ACLs.\n */\nexport type AuthContext = {\n sessionType: \"agent\" | \"user\";\n userId: string; // AGENT_IDENTITY for agents, Clerk userId for users\n tenantId: string;\n role: string; // \"agent:internal\" | \"platform_admin\" | \"tenant_admin\" | \"editor\" | \"viewer\" | ...\n allowedTopics: string[] | null; // null = unrestricted (agents, admins). Block 11D populates this.\n // Layer 2a: Group-pack binding — resolved at boot from MC resolveUserPackAccess\n groupIds: string[]; // Groups this user belongs to (empty for agents)\n permittedPackKeys: string[]; // Packs accessible via group assignments (empty = no pack filtering)\n sessionId: string; // S2-13K: MCP process session UUID for audit attribution\n principalId?: string;\n principalType?: SessionPrincipalType;\n workspaceId?: string;\n scopes?: string[];\n authMode?: SessionAuthMode;\n roles?: string[];\n transportKind?: McpTransportKind;\n lucernClient?: LucernSdkClient;\n convex?: ConvexAdminClient;\n setDefaultScopeContext?: (scopeId: string) => Promise<unknown>;\n matchesWorkspaceReasoningScope?: (\n node: unknown,\n scope: unknown\n ) => boolean;\n};\n"]}
@@ -18,7 +18,7 @@ var SESSION_LIFECYCLE_STATUSES = [
18
18
  "revoked"
19
19
  ];
20
20
  function inferSessionPrincipalType(principalId) {
21
- if (principalId.startsWith("user:")) {
21
+ if (/^user_[A-Za-z0-9]+$/.test(principalId)) {
22
22
  return "human";
23
23
  }
24
24
  if (principalId.startsWith("agent:")) {
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/auth.contract.ts"],"names":[],"mappings":";AAgBO,IAAM,kBAAA,GAAqB;AAAA,EAChC,kBAAA;AAAA,EACA,mBAAA;AAAA,EACA,gBAAA;AAAA,EACA;AACF;AAGO,IAAM,uBAAA,GAA0B;AAAA,EACrC,OAAA;AAAA,EACA,SAAA;AAAA,EACA,OAAA;AAAA,EACA,OAAA;AAAA,EACA;AACF;AAGO,IAAM,0BAAA,GAA6B;AAAA,EACxC,QAAA;AAAA,EACA,SAAA;AAAA,EACA;AACF;AA2CO,SAAS,0BACd,WAAA,EACsB;AACtB,EAAA,IAAI,WAAA,CAAY,UAAA,CAAW,OAAO,CAAA,EAAG;AACnC,IAAA,OAAO,OAAA;AAAA,EACT;AACA,EAAA,IAAI,WAAA,CAAY,UAAA,CAAW,QAAQ,CAAA,EAAG;AACpC,IAAA,OAAO,OAAA;AAAA,EACT;AACA,EAAA,IAAI,WAAA,CAAY,UAAA,CAAW,QAAQ,CAAA,EAAG;AACpC,IAAA,OAAO,OAAA;AAAA,EACT;AACA,EAAA,IACE,YAAY,UAAA,CAAW,WAAW,KAClC,WAAA,CAAY,UAAA,CAAW,kBAAkB,CAAA,EACzC;AACA,IAAA,OAAO,iBAAA;AAAA,EACT;AACA,EAAA,OAAO,SAAA;AACT;AAEO,SAAS,yBAAyB,IAAA,EAMF;AACrC,EAAA,IAAI,IAAA,CAAK,eAAA,IAAmB,IAAA,CAAK,eAAA,CAAgB,SAAS,CAAA,EAAG;AAC3D,IAAA,OAAO,CAAC,GAAG,IAAA,CAAK,eAAe,CAAA;AAAA,EACjC;AACA,EAAA,IAAI,CAAC,KAAK,WAAA,EAAa;AACrB,IAAA;AAAA,EACF;AACA,EAAA,OAAO;AAAA,IACL;AAAA,MACE,aAAa,IAAA,CAAK,WAAA;AAAA,MAClB,aAAA,EACE,IAAA,CAAK,eAAA,IAAmB,yBAAA,CAA0B,KAAK,WAAW,CAAA;AAAA,MACpE,aAAa,IAAA,CAAK,WAAA;AAAA,MAClB,QAAQ,IAAA,CAAK;AAAA;AACf,GACF;AACF;AAEO,SAAS,cACd,eAAA,EACoB;AACpB,EAAA,IAAI,CAAC,eAAA,IAAmB,eAAA,CAAgB,MAAA,KAAW,CAAA,EAAG;AACpD,IAAA;AAAA,EACF;AACA,EAAA,OAAO,eAAA,CAAgB,eAAA,CAAgB,MAAA,GAAS,CAAC,CAAA,EAAG,WAAA;AACtD","file":"auth-session.contract.js","sourcesContent":["/**\n * @lucern/contracts — auth (canonical support contract)\n *\n * Consolidated flat support surface for Lucern authentication:\n * - Session primitives (auth modes, principal types, lifecycle)\n * - AuthContext shape + McpTransportKind + LucernSdkClient alias\n *\n * Consolidated from src/auth-session.contract.ts and src/auth-context.contract.ts\n * in EK-16 T1 PR 3a. Compat shims remain at both old paths until Lucern 1.0.0 (D12).\n */\n\n// =============================================================================\n// SESSION PRIMITIVES\n// (Formerly src/auth-session.contract.ts)\n// =============================================================================\n\nexport const SESSION_AUTH_MODES = [\n \"interactive_user\",\n \"service_principal\",\n \"tenant_api_key\",\n \"session_token\",\n] as const;\nexport type SessionAuthMode = (typeof SESSION_AUTH_MODES)[number];\n\nexport const SESSION_PRINCIPAL_TYPES = [\n \"human\",\n \"service\",\n \"agent\",\n \"group\",\n \"external_viewer\",\n] as const;\nexport type SessionPrincipalType = (typeof SESSION_PRINCIPAL_TYPES)[number];\n\nexport const SESSION_LIFECYCLE_STATUSES = [\n \"active\",\n \"expired\",\n \"revoked\",\n] as const;\nexport type SessionLifecycleStatus =\n (typeof SESSION_LIFECYCLE_STATUSES)[number];\n\nexport type SessionDelegationHop = {\n principalId: string;\n principalType: SessionPrincipalType;\n authMode?: SessionAuthMode;\n sessionId?: string;\n delegatedAt?: number;\n reason?: string;\n};\n\nexport type SessionAuditOutcome =\n | \"accepted\"\n | \"rejected\"\n | \"revoked\"\n | \"expired\";\n\nexport type SessionAuditEnvelope = {\n sessionId: string;\n authMode: SessionAuthMode;\n principalId: string;\n principalType: SessionPrincipalType;\n tenantId: string;\n workspaceId?: string;\n apiKeyId?: string;\n scopes: readonly string[];\n roles?: readonly string[];\n delegationChain?: readonly SessionDelegationHop[];\n sourceSessionId?: string;\n expiresAt?: number;\n request?: {\n endpoint?: string;\n method?: string;\n correlationId?: string;\n };\n result?: {\n outcome: SessionAuditOutcome;\n reason?: string;\n };\n};\n\nexport function inferSessionPrincipalType(\n principalId: string\n): SessionPrincipalType {\n if (principalId.startsWith(\"user:\")) {\n return \"human\";\n }\n if (principalId.startsWith(\"agent:\")) {\n return \"agent\";\n }\n if (principalId.startsWith(\"group:\")) {\n return \"group\";\n }\n if (\n principalId.startsWith(\"external:\") ||\n principalId.startsWith(\"external_viewer:\")\n ) {\n return \"external_viewer\";\n }\n return \"service\";\n}\n\nexport function normalizeDelegationChain(args: {\n delegationChain?: readonly SessionDelegationHop[];\n delegatedBy?: string;\n delegatedByType?: SessionPrincipalType;\n delegatedAt?: number;\n reason?: string;\n}): SessionDelegationHop[] | undefined {\n if (args.delegationChain && args.delegationChain.length > 0) {\n return [...args.delegationChain];\n }\n if (!args.delegatedBy) {\n return;\n }\n return [\n {\n principalId: args.delegatedBy,\n principalType:\n args.delegatedByType ?? inferSessionPrincipalType(args.delegatedBy),\n delegatedAt: args.delegatedAt,\n reason: args.reason,\n },\n ];\n}\n\nexport function lastDelegator(\n delegationChain?: readonly SessionDelegationHop[]\n): string | undefined {\n if (!delegationChain || delegationChain.length === 0) {\n return;\n }\n return delegationChain[delegationChain.length - 1]?.principalId;\n}\n\n// =============================================================================\n// AUTH CONTEXT\n// (Formerly src/auth-context.contract.ts)\n// =============================================================================\n\nimport type { ConvexAdminClient } from \"./convex-admin.contract\";\n\nexport type McpTransportKind = \"stdio\" | \"hosted\";\n\nexport type LucernSdkClient = unknown;\n\n/**\n * Session authentication context — injected by withAuth() middleware.\n *\n * Built from TenantConfig at dispatch time. Agent sessions get\n * AGENT_IDENTITY + \"agent:internal\" role + unrestricted access.\n * User sessions get Clerk userId + resolved role + tool ACLs.\n */\nexport type AuthContext = {\n sessionType: \"agent\" | \"user\";\n userId: string; // AGENT_IDENTITY for agents, Clerk userId for users\n tenantId: string;\n role: string; // \"agent:internal\" | \"platform_admin\" | \"tenant_admin\" | \"editor\" | \"viewer\" | ...\n allowedTopics: string[] | null; // null = unrestricted (agents, admins). Block 11D populates this.\n // Layer 2a: Group-pack binding — resolved at boot from MC resolveUserPackAccess\n groupIds: string[]; // Groups this user belongs to (empty for agents)\n permittedPackKeys: string[]; // Packs accessible via group assignments (empty = no pack filtering)\n sessionId: string; // S2-13K: MCP process session UUID for audit attribution\n principalId?: string;\n principalType?: SessionPrincipalType;\n workspaceId?: string;\n scopes?: string[];\n authMode?: SessionAuthMode;\n roles?: string[];\n transportKind?: McpTransportKind;\n lucernClient?: LucernSdkClient;\n convex?: ConvexAdminClient;\n setDefaultScopeContext?: (scopeId: string) => Promise<unknown>;\n matchesWorkspaceReasoningScope?: (\n node: unknown,\n scope: unknown\n ) => boolean;\n};\n"]}
1
+ {"version":3,"sources":["../src/auth.contract.ts"],"names":[],"mappings":";AAgBO,IAAM,kBAAA,GAAqB;AAAA,EAChC,kBAAA;AAAA,EACA,mBAAA;AAAA,EACA,gBAAA;AAAA,EACA;AACF;AAGO,IAAM,uBAAA,GAA0B;AAAA,EACrC,OAAA;AAAA,EACA,SAAA;AAAA,EACA,OAAA;AAAA,EACA,OAAA;AAAA,EACA;AACF;AAGO,IAAM,0BAAA,GAA6B;AAAA,EACxC,QAAA;AAAA,EACA,SAAA;AAAA,EACA;AACF;AA2CO,SAAS,0BACd,WAAA,EACsB;AACtB,EAAA,IAAI,qBAAA,CAAsB,IAAA,CAAK,WAAW,CAAA,EAAG;AAC3C,IAAA,OAAO,OAAA;AAAA,EACT;AACA,EAAA,IAAI,WAAA,CAAY,UAAA,CAAW,QAAQ,CAAA,EAAG;AACpC,IAAA,OAAO,OAAA;AAAA,EACT;AACA,EAAA,IAAI,WAAA,CAAY,UAAA,CAAW,QAAQ,CAAA,EAAG;AACpC,IAAA,OAAO,OAAA;AAAA,EACT;AACA,EAAA,IACE,YAAY,UAAA,CAAW,WAAW,KAClC,WAAA,CAAY,UAAA,CAAW,kBAAkB,CAAA,EACzC;AACA,IAAA,OAAO,iBAAA;AAAA,EACT;AACA,EAAA,OAAO,SAAA;AACT;AAEO,SAAS,yBAAyB,IAAA,EAMF;AACrC,EAAA,IAAI,IAAA,CAAK,eAAA,IAAmB,IAAA,CAAK,eAAA,CAAgB,SAAS,CAAA,EAAG;AAC3D,IAAA,OAAO,CAAC,GAAG,IAAA,CAAK,eAAe,CAAA;AAAA,EACjC;AACA,EAAA,IAAI,CAAC,KAAK,WAAA,EAAa;AACrB,IAAA;AAAA,EACF;AACA,EAAA,OAAO;AAAA,IACL;AAAA,MACE,aAAa,IAAA,CAAK,WAAA;AAAA,MAClB,aAAA,EACE,IAAA,CAAK,eAAA,IAAmB,yBAAA,CAA0B,KAAK,WAAW,CAAA;AAAA,MACpE,aAAa,IAAA,CAAK,WAAA;AAAA,MAClB,QAAQ,IAAA,CAAK;AAAA;AACf,GACF;AACF;AAEO,SAAS,cACd,eAAA,EACoB;AACpB,EAAA,IAAI,CAAC,eAAA,IAAmB,eAAA,CAAgB,MAAA,KAAW,CAAA,EAAG;AACpD,IAAA;AAAA,EACF;AACA,EAAA,OAAO,eAAA,CAAgB,eAAA,CAAgB,MAAA,GAAS,CAAC,CAAA,EAAG,WAAA;AACtD","file":"auth-session.contract.js","sourcesContent":["/**\n * @lucern/contracts — auth (canonical support contract)\n *\n * Consolidated flat support surface for Lucern authentication:\n * - Session primitives (auth modes, principal types, lifecycle)\n * - AuthContext shape + McpTransportKind + LucernSdkClient alias\n *\n * Consolidated from src/auth-session.contract.ts and src/auth-context.contract.ts\n * in EK-16 T1 PR 3a. Compat shims remain at both old paths until Lucern 1.0.0 (D12).\n */\n\n// =============================================================================\n// SESSION PRIMITIVES\n// (Formerly src/auth-session.contract.ts)\n// =============================================================================\n\nexport const SESSION_AUTH_MODES = [\n \"interactive_user\",\n \"service_principal\",\n \"tenant_api_key\",\n \"session_token\",\n] as const;\nexport type SessionAuthMode = (typeof SESSION_AUTH_MODES)[number];\n\nexport const SESSION_PRINCIPAL_TYPES = [\n \"human\",\n \"service\",\n \"agent\",\n \"group\",\n \"external_viewer\",\n] as const;\nexport type SessionPrincipalType = (typeof SESSION_PRINCIPAL_TYPES)[number];\n\nexport const SESSION_LIFECYCLE_STATUSES = [\n \"active\",\n \"expired\",\n \"revoked\",\n] as const;\nexport type SessionLifecycleStatus =\n (typeof SESSION_LIFECYCLE_STATUSES)[number];\n\nexport type SessionDelegationHop = {\n principalId: string;\n principalType: SessionPrincipalType;\n authMode?: SessionAuthMode;\n sessionId?: string;\n delegatedAt?: number;\n reason?: string;\n};\n\nexport type SessionAuditOutcome =\n | \"accepted\"\n | \"rejected\"\n | \"revoked\"\n | \"expired\";\n\nexport type SessionAuditEnvelope = {\n sessionId: string;\n authMode: SessionAuthMode;\n principalId: string;\n principalType: SessionPrincipalType;\n tenantId: string;\n workspaceId?: string;\n apiKeyId?: string;\n scopes: readonly string[];\n roles?: readonly string[];\n delegationChain?: readonly SessionDelegationHop[];\n sourceSessionId?: string;\n expiresAt?: number;\n request?: {\n endpoint?: string;\n method?: string;\n correlationId?: string;\n };\n result?: {\n outcome: SessionAuditOutcome;\n reason?: string;\n };\n};\n\nexport function inferSessionPrincipalType(\n principalId: string\n): SessionPrincipalType {\n if (/^user_[A-Za-z0-9]+$/.test(principalId)) {\n return \"human\";\n }\n if (principalId.startsWith(\"agent:\")) {\n return \"agent\";\n }\n if (principalId.startsWith(\"group:\")) {\n return \"group\";\n }\n if (\n principalId.startsWith(\"external:\") ||\n principalId.startsWith(\"external_viewer:\")\n ) {\n return \"external_viewer\";\n }\n return \"service\";\n}\n\nexport function normalizeDelegationChain(args: {\n delegationChain?: readonly SessionDelegationHop[];\n delegatedBy?: string;\n delegatedByType?: SessionPrincipalType;\n delegatedAt?: number;\n reason?: string;\n}): SessionDelegationHop[] | undefined {\n if (args.delegationChain && args.delegationChain.length > 0) {\n return [...args.delegationChain];\n }\n if (!args.delegatedBy) {\n return;\n }\n return [\n {\n principalId: args.delegatedBy,\n principalType:\n args.delegatedByType ?? inferSessionPrincipalType(args.delegatedBy),\n delegatedAt: args.delegatedAt,\n reason: args.reason,\n },\n ];\n}\n\nexport function lastDelegator(\n delegationChain?: readonly SessionDelegationHop[]\n): string | undefined {\n if (!delegationChain || delegationChain.length === 0) {\n return;\n }\n return delegationChain[delegationChain.length - 1]?.principalId;\n}\n\n// =============================================================================\n// AUTH CONTEXT\n// (Formerly src/auth-context.contract.ts)\n// =============================================================================\n\nimport type { ConvexAdminClient } from \"./convex-admin.contract\";\n\nexport type McpTransportKind = \"stdio\" | \"hosted\";\n\nexport type LucernSdkClient = unknown;\n\n/**\n * Session authentication context — injected by withAuth() middleware.\n *\n * Built from TenantConfig at dispatch time. Agent sessions get\n * AGENT_IDENTITY + \"agent:internal\" role + unrestricted access.\n * User sessions get Clerk userId + resolved role + tool ACLs.\n */\nexport type AuthContext = {\n sessionType: \"agent\" | \"user\";\n userId: string; // AGENT_IDENTITY for agents, Clerk userId for users\n tenantId: string;\n role: string; // \"agent:internal\" | \"platform_admin\" | \"tenant_admin\" | \"editor\" | \"viewer\" | ...\n allowedTopics: string[] | null; // null = unrestricted (agents, admins). Block 11D populates this.\n // Layer 2a: Group-pack binding — resolved at boot from MC resolveUserPackAccess\n groupIds: string[]; // Groups this user belongs to (empty for agents)\n permittedPackKeys: string[]; // Packs accessible via group assignments (empty = no pack filtering)\n sessionId: string; // S2-13K: MCP process session UUID for audit attribution\n principalId?: string;\n principalType?: SessionPrincipalType;\n workspaceId?: string;\n scopes?: string[];\n authMode?: SessionAuthMode;\n roles?: string[];\n transportKind?: McpTransportKind;\n lucernClient?: LucernSdkClient;\n convex?: ConvexAdminClient;\n setDefaultScopeContext?: (scopeId: string) => Promise<unknown>;\n matchesWorkspaceReasoningScope?: (\n node: unknown,\n scope: unknown\n ) => boolean;\n};\n"]}
@@ -18,7 +18,7 @@ var SESSION_LIFECYCLE_STATUSES = [
18
18
  "revoked"
19
19
  ];
20
20
  function inferSessionPrincipalType(principalId) {
21
- if (principalId.startsWith("user:")) {
21
+ if (/^user_[A-Za-z0-9]+$/.test(principalId)) {
22
22
  return "human";
23
23
  }
24
24
  if (principalId.startsWith("agent:")) {
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/auth.contract.ts"],"names":[],"mappings":";AAgBO,IAAM,kBAAA,GAAqB;AAAA,EAChC,kBAAA;AAAA,EACA,mBAAA;AAAA,EACA,gBAAA;AAAA,EACA;AACF;AAGO,IAAM,uBAAA,GAA0B;AAAA,EACrC,OAAA;AAAA,EACA,SAAA;AAAA,EACA,OAAA;AAAA,EACA,OAAA;AAAA,EACA;AACF;AAGO,IAAM,0BAAA,GAA6B;AAAA,EACxC,QAAA;AAAA,EACA,SAAA;AAAA,EACA;AACF;AA2CO,SAAS,0BACd,WAAA,EACsB;AACtB,EAAA,IAAI,WAAA,CAAY,UAAA,CAAW,OAAO,CAAA,EAAG;AACnC,IAAA,OAAO,OAAA;AAAA,EACT;AACA,EAAA,IAAI,WAAA,CAAY,UAAA,CAAW,QAAQ,CAAA,EAAG;AACpC,IAAA,OAAO,OAAA;AAAA,EACT;AACA,EAAA,IAAI,WAAA,CAAY,UAAA,CAAW,QAAQ,CAAA,EAAG;AACpC,IAAA,OAAO,OAAA;AAAA,EACT;AACA,EAAA,IACE,YAAY,UAAA,CAAW,WAAW,KAClC,WAAA,CAAY,UAAA,CAAW,kBAAkB,CAAA,EACzC;AACA,IAAA,OAAO,iBAAA;AAAA,EACT;AACA,EAAA,OAAO,SAAA;AACT;AAEO,SAAS,yBAAyB,IAAA,EAMF;AACrC,EAAA,IAAI,IAAA,CAAK,eAAA,IAAmB,IAAA,CAAK,eAAA,CAAgB,SAAS,CAAA,EAAG;AAC3D,IAAA,OAAO,CAAC,GAAG,IAAA,CAAK,eAAe,CAAA;AAAA,EACjC;AACA,EAAA,IAAI,CAAC,KAAK,WAAA,EAAa;AACrB,IAAA;AAAA,EACF;AACA,EAAA,OAAO;AAAA,IACL;AAAA,MACE,aAAa,IAAA,CAAK,WAAA;AAAA,MAClB,aAAA,EACE,IAAA,CAAK,eAAA,IAAmB,yBAAA,CAA0B,KAAK,WAAW,CAAA;AAAA,MACpE,aAAa,IAAA,CAAK,WAAA;AAAA,MAClB,QAAQ,IAAA,CAAK;AAAA;AACf,GACF;AACF;AAEO,SAAS,cACd,eAAA,EACoB;AACpB,EAAA,IAAI,CAAC,eAAA,IAAmB,eAAA,CAAgB,MAAA,KAAW,CAAA,EAAG;AACpD,IAAA;AAAA,EACF;AACA,EAAA,OAAO,eAAA,CAAgB,eAAA,CAAgB,MAAA,GAAS,CAAC,CAAA,EAAG,WAAA;AACtD","file":"auth.contract.js","sourcesContent":["/**\n * @lucern/contracts — auth (canonical support contract)\n *\n * Consolidated flat support surface for Lucern authentication:\n * - Session primitives (auth modes, principal types, lifecycle)\n * - AuthContext shape + McpTransportKind + LucernSdkClient alias\n *\n * Consolidated from src/auth-session.contract.ts and src/auth-context.contract.ts\n * in EK-16 T1 PR 3a. Compat shims remain at both old paths until Lucern 1.0.0 (D12).\n */\n\n// =============================================================================\n// SESSION PRIMITIVES\n// (Formerly src/auth-session.contract.ts)\n// =============================================================================\n\nexport const SESSION_AUTH_MODES = [\n \"interactive_user\",\n \"service_principal\",\n \"tenant_api_key\",\n \"session_token\",\n] as const;\nexport type SessionAuthMode = (typeof SESSION_AUTH_MODES)[number];\n\nexport const SESSION_PRINCIPAL_TYPES = [\n \"human\",\n \"service\",\n \"agent\",\n \"group\",\n \"external_viewer\",\n] as const;\nexport type SessionPrincipalType = (typeof SESSION_PRINCIPAL_TYPES)[number];\n\nexport const SESSION_LIFECYCLE_STATUSES = [\n \"active\",\n \"expired\",\n \"revoked\",\n] as const;\nexport type SessionLifecycleStatus =\n (typeof SESSION_LIFECYCLE_STATUSES)[number];\n\nexport type SessionDelegationHop = {\n principalId: string;\n principalType: SessionPrincipalType;\n authMode?: SessionAuthMode;\n sessionId?: string;\n delegatedAt?: number;\n reason?: string;\n};\n\nexport type SessionAuditOutcome =\n | \"accepted\"\n | \"rejected\"\n | \"revoked\"\n | \"expired\";\n\nexport type SessionAuditEnvelope = {\n sessionId: string;\n authMode: SessionAuthMode;\n principalId: string;\n principalType: SessionPrincipalType;\n tenantId: string;\n workspaceId?: string;\n apiKeyId?: string;\n scopes: readonly string[];\n roles?: readonly string[];\n delegationChain?: readonly SessionDelegationHop[];\n sourceSessionId?: string;\n expiresAt?: number;\n request?: {\n endpoint?: string;\n method?: string;\n correlationId?: string;\n };\n result?: {\n outcome: SessionAuditOutcome;\n reason?: string;\n };\n};\n\nexport function inferSessionPrincipalType(\n principalId: string\n): SessionPrincipalType {\n if (principalId.startsWith(\"user:\")) {\n return \"human\";\n }\n if (principalId.startsWith(\"agent:\")) {\n return \"agent\";\n }\n if (principalId.startsWith(\"group:\")) {\n return \"group\";\n }\n if (\n principalId.startsWith(\"external:\") ||\n principalId.startsWith(\"external_viewer:\")\n ) {\n return \"external_viewer\";\n }\n return \"service\";\n}\n\nexport function normalizeDelegationChain(args: {\n delegationChain?: readonly SessionDelegationHop[];\n delegatedBy?: string;\n delegatedByType?: SessionPrincipalType;\n delegatedAt?: number;\n reason?: string;\n}): SessionDelegationHop[] | undefined {\n if (args.delegationChain && args.delegationChain.length > 0) {\n return [...args.delegationChain];\n }\n if (!args.delegatedBy) {\n return;\n }\n return [\n {\n principalId: args.delegatedBy,\n principalType:\n args.delegatedByType ?? inferSessionPrincipalType(args.delegatedBy),\n delegatedAt: args.delegatedAt,\n reason: args.reason,\n },\n ];\n}\n\nexport function lastDelegator(\n delegationChain?: readonly SessionDelegationHop[]\n): string | undefined {\n if (!delegationChain || delegationChain.length === 0) {\n return;\n }\n return delegationChain[delegationChain.length - 1]?.principalId;\n}\n\n// =============================================================================\n// AUTH CONTEXT\n// (Formerly src/auth-context.contract.ts)\n// =============================================================================\n\nimport type { ConvexAdminClient } from \"./convex-admin.contract\";\n\nexport type McpTransportKind = \"stdio\" | \"hosted\";\n\nexport type LucernSdkClient = unknown;\n\n/**\n * Session authentication context — injected by withAuth() middleware.\n *\n * Built from TenantConfig at dispatch time. Agent sessions get\n * AGENT_IDENTITY + \"agent:internal\" role + unrestricted access.\n * User sessions get Clerk userId + resolved role + tool ACLs.\n */\nexport type AuthContext = {\n sessionType: \"agent\" | \"user\";\n userId: string; // AGENT_IDENTITY for agents, Clerk userId for users\n tenantId: string;\n role: string; // \"agent:internal\" | \"platform_admin\" | \"tenant_admin\" | \"editor\" | \"viewer\" | ...\n allowedTopics: string[] | null; // null = unrestricted (agents, admins). Block 11D populates this.\n // Layer 2a: Group-pack binding — resolved at boot from MC resolveUserPackAccess\n groupIds: string[]; // Groups this user belongs to (empty for agents)\n permittedPackKeys: string[]; // Packs accessible via group assignments (empty = no pack filtering)\n sessionId: string; // S2-13K: MCP process session UUID for audit attribution\n principalId?: string;\n principalType?: SessionPrincipalType;\n workspaceId?: string;\n scopes?: string[];\n authMode?: SessionAuthMode;\n roles?: string[];\n transportKind?: McpTransportKind;\n lucernClient?: LucernSdkClient;\n convex?: ConvexAdminClient;\n setDefaultScopeContext?: (scopeId: string) => Promise<unknown>;\n matchesWorkspaceReasoningScope?: (\n node: unknown,\n scope: unknown\n ) => boolean;\n};\n"]}
1
+ {"version":3,"sources":["../src/auth.contract.ts"],"names":[],"mappings":";AAgBO,IAAM,kBAAA,GAAqB;AAAA,EAChC,kBAAA;AAAA,EACA,mBAAA;AAAA,EACA,gBAAA;AAAA,EACA;AACF;AAGO,IAAM,uBAAA,GAA0B;AAAA,EACrC,OAAA;AAAA,EACA,SAAA;AAAA,EACA,OAAA;AAAA,EACA,OAAA;AAAA,EACA;AACF;AAGO,IAAM,0BAAA,GAA6B;AAAA,EACxC,QAAA;AAAA,EACA,SAAA;AAAA,EACA;AACF;AA2CO,SAAS,0BACd,WAAA,EACsB;AACtB,EAAA,IAAI,qBAAA,CAAsB,IAAA,CAAK,WAAW,CAAA,EAAG;AAC3C,IAAA,OAAO,OAAA;AAAA,EACT;AACA,EAAA,IAAI,WAAA,CAAY,UAAA,CAAW,QAAQ,CAAA,EAAG;AACpC,IAAA,OAAO,OAAA;AAAA,EACT;AACA,EAAA,IAAI,WAAA,CAAY,UAAA,CAAW,QAAQ,CAAA,EAAG;AACpC,IAAA,OAAO,OAAA;AAAA,EACT;AACA,EAAA,IACE,YAAY,UAAA,CAAW,WAAW,KAClC,WAAA,CAAY,UAAA,CAAW,kBAAkB,CAAA,EACzC;AACA,IAAA,OAAO,iBAAA;AAAA,EACT;AACA,EAAA,OAAO,SAAA;AACT;AAEO,SAAS,yBAAyB,IAAA,EAMF;AACrC,EAAA,IAAI,IAAA,CAAK,eAAA,IAAmB,IAAA,CAAK,eAAA,CAAgB,SAAS,CAAA,EAAG;AAC3D,IAAA,OAAO,CAAC,GAAG,IAAA,CAAK,eAAe,CAAA;AAAA,EACjC;AACA,EAAA,IAAI,CAAC,KAAK,WAAA,EAAa;AACrB,IAAA;AAAA,EACF;AACA,EAAA,OAAO;AAAA,IACL;AAAA,MACE,aAAa,IAAA,CAAK,WAAA;AAAA,MAClB,aAAA,EACE,IAAA,CAAK,eAAA,IAAmB,yBAAA,CAA0B,KAAK,WAAW,CAAA;AAAA,MACpE,aAAa,IAAA,CAAK,WAAA;AAAA,MAClB,QAAQ,IAAA,CAAK;AAAA;AACf,GACF;AACF;AAEO,SAAS,cACd,eAAA,EACoB;AACpB,EAAA,IAAI,CAAC,eAAA,IAAmB,eAAA,CAAgB,MAAA,KAAW,CAAA,EAAG;AACpD,IAAA;AAAA,EACF;AACA,EAAA,OAAO,eAAA,CAAgB,eAAA,CAAgB,MAAA,GAAS,CAAC,CAAA,EAAG,WAAA;AACtD","file":"auth.contract.js","sourcesContent":["/**\n * @lucern/contracts — auth (canonical support contract)\n *\n * Consolidated flat support surface for Lucern authentication:\n * - Session primitives (auth modes, principal types, lifecycle)\n * - AuthContext shape + McpTransportKind + LucernSdkClient alias\n *\n * Consolidated from src/auth-session.contract.ts and src/auth-context.contract.ts\n * in EK-16 T1 PR 3a. Compat shims remain at both old paths until Lucern 1.0.0 (D12).\n */\n\n// =============================================================================\n// SESSION PRIMITIVES\n// (Formerly src/auth-session.contract.ts)\n// =============================================================================\n\nexport const SESSION_AUTH_MODES = [\n \"interactive_user\",\n \"service_principal\",\n \"tenant_api_key\",\n \"session_token\",\n] as const;\nexport type SessionAuthMode = (typeof SESSION_AUTH_MODES)[number];\n\nexport const SESSION_PRINCIPAL_TYPES = [\n \"human\",\n \"service\",\n \"agent\",\n \"group\",\n \"external_viewer\",\n] as const;\nexport type SessionPrincipalType = (typeof SESSION_PRINCIPAL_TYPES)[number];\n\nexport const SESSION_LIFECYCLE_STATUSES = [\n \"active\",\n \"expired\",\n \"revoked\",\n] as const;\nexport type SessionLifecycleStatus =\n (typeof SESSION_LIFECYCLE_STATUSES)[number];\n\nexport type SessionDelegationHop = {\n principalId: string;\n principalType: SessionPrincipalType;\n authMode?: SessionAuthMode;\n sessionId?: string;\n delegatedAt?: number;\n reason?: string;\n};\n\nexport type SessionAuditOutcome =\n | \"accepted\"\n | \"rejected\"\n | \"revoked\"\n | \"expired\";\n\nexport type SessionAuditEnvelope = {\n sessionId: string;\n authMode: SessionAuthMode;\n principalId: string;\n principalType: SessionPrincipalType;\n tenantId: string;\n workspaceId?: string;\n apiKeyId?: string;\n scopes: readonly string[];\n roles?: readonly string[];\n delegationChain?: readonly SessionDelegationHop[];\n sourceSessionId?: string;\n expiresAt?: number;\n request?: {\n endpoint?: string;\n method?: string;\n correlationId?: string;\n };\n result?: {\n outcome: SessionAuditOutcome;\n reason?: string;\n };\n};\n\nexport function inferSessionPrincipalType(\n principalId: string\n): SessionPrincipalType {\n if (/^user_[A-Za-z0-9]+$/.test(principalId)) {\n return \"human\";\n }\n if (principalId.startsWith(\"agent:\")) {\n return \"agent\";\n }\n if (principalId.startsWith(\"group:\")) {\n return \"group\";\n }\n if (\n principalId.startsWith(\"external:\") ||\n principalId.startsWith(\"external_viewer:\")\n ) {\n return \"external_viewer\";\n }\n return \"service\";\n}\n\nexport function normalizeDelegationChain(args: {\n delegationChain?: readonly SessionDelegationHop[];\n delegatedBy?: string;\n delegatedByType?: SessionPrincipalType;\n delegatedAt?: number;\n reason?: string;\n}): SessionDelegationHop[] | undefined {\n if (args.delegationChain && args.delegationChain.length > 0) {\n return [...args.delegationChain];\n }\n if (!args.delegatedBy) {\n return;\n }\n return [\n {\n principalId: args.delegatedBy,\n principalType:\n args.delegatedByType ?? inferSessionPrincipalType(args.delegatedBy),\n delegatedAt: args.delegatedAt,\n reason: args.reason,\n },\n ];\n}\n\nexport function lastDelegator(\n delegationChain?: readonly SessionDelegationHop[]\n): string | undefined {\n if (!delegationChain || delegationChain.length === 0) {\n return;\n }\n return delegationChain[delegationChain.length - 1]?.principalId;\n}\n\n// =============================================================================\n// AUTH CONTEXT\n// (Formerly src/auth-context.contract.ts)\n// =============================================================================\n\nimport type { ConvexAdminClient } from \"./convex-admin.contract\";\n\nexport type McpTransportKind = \"stdio\" | \"hosted\";\n\nexport type LucernSdkClient = unknown;\n\n/**\n * Session authentication context — injected by withAuth() middleware.\n *\n * Built from TenantConfig at dispatch time. Agent sessions get\n * AGENT_IDENTITY + \"agent:internal\" role + unrestricted access.\n * User sessions get Clerk userId + resolved role + tool ACLs.\n */\nexport type AuthContext = {\n sessionType: \"agent\" | \"user\";\n userId: string; // AGENT_IDENTITY for agents, Clerk userId for users\n tenantId: string;\n role: string; // \"agent:internal\" | \"platform_admin\" | \"tenant_admin\" | \"editor\" | \"viewer\" | ...\n allowedTopics: string[] | null; // null = unrestricted (agents, admins). Block 11D populates this.\n // Layer 2a: Group-pack binding — resolved at boot from MC resolveUserPackAccess\n groupIds: string[]; // Groups this user belongs to (empty for agents)\n permittedPackKeys: string[]; // Packs accessible via group assignments (empty = no pack filtering)\n sessionId: string; // S2-13K: MCP process session UUID for audit attribution\n principalId?: string;\n principalType?: SessionPrincipalType;\n workspaceId?: string;\n scopes?: string[];\n authMode?: SessionAuthMode;\n roles?: string[];\n transportKind?: McpTransportKind;\n lucernClient?: LucernSdkClient;\n convex?: ConvexAdminClient;\n setDefaultScopeContext?: (scopeId: string) => Promise<unknown>;\n matchesWorkspaceReasoningScope?: (\n node: unknown,\n scope: unknown\n ) => boolean;\n};\n"]}
@@ -2328,7 +2328,7 @@ var IDENTITY_WHOAMI = {
2328
2328
  response: {
2329
2329
  description: "Canonical identity summary for the current session",
2330
2330
  fields: {
2331
- principalId: "string \u2014 canonical federated principal identifier",
2331
+ principalId: "string \u2014 canonical principal identifier; for humans this is the Clerk user_... ID",
2332
2332
  principalType: "string \u2014 human, service, agent, group, or external_viewer",
2333
2333
  tenantId: "string | undefined \u2014 resolved tenant scope",
2334
2334
  workspaceId: "string | undefined \u2014 resolved workspace scope",
@@ -2342,7 +2342,7 @@ var IDENTITY_WHOAMI = {
2342
2342
  };
2343
2343
  var RESOLVE_INTERACTIVE_PRINCIPAL = {
2344
2344
  name: "resolve_interactive_principal",
2345
- description: "Read the Permit-backed Lucern principal context for an authenticated Clerk user. Like `git config --get user.email` plus the repository ACL \u2014 resolves the identity alias into the canonical authorization subject.",
2345
+ description: "Read the Permit-backed Lucern principal context for an authenticated Clerk user. Like `git config --get user.email` plus the repository ACL \u2014 resolves the Clerk subject into tenant/workspace authorization context.",
2346
2346
  parameters: {
2347
2347
  clerkId: {
2348
2348
  type: "string",
@@ -2365,7 +2365,7 @@ var RESOLVE_INTERACTIVE_PRINCIPAL = {
2365
2365
  response: {
2366
2366
  description: "Permit-backed Lucern principal context for tenant SDK bootstrap",
2367
2367
  fields: {
2368
- principalId: "string \u2014 canonical Lucern principal identifier",
2368
+ principalId: "string \u2014 canonical Clerk user_... ID for human sessions",
2369
2369
  principalType: "string \u2014 human, service, agent, group, or external_viewer",
2370
2370
  clerkId: "string \u2014 authenticated Clerk subject alias",
2371
2371
  tenantId: "string \u2014 resolved tenant scope",
@@ -3193,7 +3193,7 @@ var MANAGE_WRITE_POLICY = {
3193
3193
  },
3194
3194
  role: {
3195
3195
  type: "string",
3196
- description: "Role to set policy for (required for 'set'). E.g. 'agent:internal', 'user:analyst'."
3196
+ description: "Role to set policy for (required for 'set'). E.g. 'agent:internal' or a Permit role key such as 'workspace_admin'."
3197
3197
  },
3198
3198
  permission: {
3199
3199
  type: "string",