@lucern/contracts 0.3.0-alpha.16 → 0.3.0-alpha.17

Files changed (79) hide show
  1. package/CHANGELOG.md +3 -0
  2. package/dist/auth-context.contract.js +1 -1
  3. package/dist/auth-context.contract.js.map +1 -1
  4. package/dist/auth-session.contract.js +1 -1
  5. package/dist/auth-session.contract.js.map +1 -1
  6. package/dist/auth.contract.js +1 -1
  7. package/dist/auth.contract.js.map +1 -1
  8. package/dist/function-registry/beliefs.js +4 -4
  9. package/dist/function-registry/beliefs.js.map +1 -1
  10. package/dist/function-registry/coding.js +4 -4
  11. package/dist/function-registry/coding.js.map +1 -1
  12. package/dist/function-registry/context.js +4 -4
  13. package/dist/function-registry/context.js.map +1 -1
  14. package/dist/function-registry/contracts.js +4 -4
  15. package/dist/function-registry/contracts.js.map +1 -1
  16. package/dist/function-registry/coordination.js +4 -4
  17. package/dist/function-registry/coordination.js.map +1 -1
  18. package/dist/function-registry/edges.js +4 -4
  19. package/dist/function-registry/edges.js.map +1 -1
  20. package/dist/function-registry/evidence.js +4 -4
  21. package/dist/function-registry/evidence.js.map +1 -1
  22. package/dist/function-registry/graph.js +4 -4
  23. package/dist/function-registry/graph.js.map +1 -1
  24. package/dist/function-registry/helpers.js +4 -4
  25. package/dist/function-registry/helpers.js.map +1 -1
  26. package/dist/function-registry/identity.js +4 -4
  27. package/dist/function-registry/identity.js.map +1 -1
  28. package/dist/function-registry/index.js +4 -4
  29. package/dist/function-registry/index.js.map +1 -1
  30. package/dist/function-registry/judgments.js +4 -4
  31. package/dist/function-registry/judgments.js.map +1 -1
  32. package/dist/function-registry/legacy.js +4 -4
  33. package/dist/function-registry/legacy.js.map +1 -1
  34. package/dist/function-registry/lenses.js +4 -4
  35. package/dist/function-registry/lenses.js.map +1 -1
  36. package/dist/function-registry/nodes.js +4 -4
  37. package/dist/function-registry/nodes.js.map +1 -1
  38. package/dist/function-registry/ontologies.js +4 -4
  39. package/dist/function-registry/ontologies.js.map +1 -1
  40. package/dist/function-registry/pipeline.js +4 -4
  41. package/dist/function-registry/pipeline.js.map +1 -1
  42. package/dist/function-registry/questions.js +4 -4
  43. package/dist/function-registry/questions.js.map +1 -1
  44. package/dist/function-registry/tasks.js +4 -4
  45. package/dist/function-registry/tasks.js.map +1 -1
  46. package/dist/function-registry/topics.js +4 -4
  47. package/dist/function-registry/topics.js.map +1 -1
  48. package/dist/function-registry/worktrees.js +20 -4
  49. package/dist/function-registry/worktrees.js.map +1 -1
  50. package/dist/gateway.contract.d.ts +1 -0
  51. package/dist/gateway.contract.js.map +1 -1
  52. package/dist/generated/convexSchemas.js +1 -1
  53. package/dist/generated/convexSchemas.js.map +1 -1
  54. package/dist/generated/infisicalRuntimeEnv.js +300 -6
  55. package/dist/generated/infisicalRuntimeEnv.js.map +1 -1
  56. package/dist/index.js +363 -16
  57. package/dist/index.js.map +1 -1
  58. package/dist/infisical-runtime.contract.d.ts +41 -3
  59. package/dist/infisical-runtime.contract.js +49 -3
  60. package/dist/infisical-runtime.contract.js.map +1 -1
  61. package/dist/manifests/infisical-runtime-manifest.d.ts +41 -3
  62. package/dist/manifests/infisical-runtime-manifest.js +49 -3
  63. package/dist/manifests/infisical-runtime-manifest.js.map +1 -1
  64. package/dist/permit-principal-projection.contract.js +8 -1
  65. package/dist/permit-principal-projection.contract.js.map +1 -1
  66. package/dist/proof-attestation.json +1 -1
  67. package/dist/schemas/index.js +1 -1
  68. package/dist/schemas/index.js.map +1 -1
  69. package/dist/schemas/manifest.d.ts +5 -5
  70. package/dist/schemas/manifest.js +1 -1
  71. package/dist/schemas/manifest.js.map +1 -1
  72. package/dist/schemas/tables/mc/tenant.d.ts +1 -1
  73. package/dist/schemas/tables/mc/tenant.js +1 -1
  74. package/dist/schemas/tables/mc/tenant.js.map +1 -1
  75. package/dist/sdk-tools.contract.js +4 -4
  76. package/dist/sdk-tools.contract.js.map +1 -1
  77. package/dist/tool-contracts.js +4 -4
  78. package/dist/tool-contracts.js.map +1 -1
  79. package/package.json +1 -1
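--- a/package/dist/gateway.contract.d.ts
+++ b/package/dist/gateway.contract.d.ts
@@ -41,6 +41,7 @@ type GatewayAuthContext = {
  principalId?: string;
  principalType?: SessionPrincipalType;
  tenantId?: string;
+ canonicalTenantId?: string;
  tenantSlug?: string;
  workspaceId?: string;
  workspaceSlug?: string;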
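Review bot: The new optional `canonicalTenantId` sits directly beside `tenantId` in `GatewayAuthContext` with no comment explaining how the two differ or which one a route handler should use for tenant-scoped authorization and data filtering. Both are optional strings, so a handler that keys on the wrong one compiles cleanly, and a context carrying only one of them cannot be told apart from one where they agree. I would add a doc comment on the field in the source type, along the lines of `/** <how this relates to tenantId, and which of the two is authoritative for isolation checks: to be filled in by the author> */`. It would also help to state whether the gateway always populates it once a tenant is resolved. The type declaration starts and ends outside this hunk, so other fields may already document this convention.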
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/gateway.contract.ts"],"names":[],"mappings":";AAgJO,SAAS,wBACd,WAAA,EACQ;AACR,EAAA,MAAM,WAAA,GACJ,OAAO,WAAA,CAAY,WAAA,KAAgB,WAC/B,WAAA,CAAY,WAAA,CAAY,MAAK,GAC7B,EAAA;AACN,EAAA,IAAI,WAAA,CAAY,SAAS,CAAA,EAAG;AAC1B,IAAA,OAAO,WAAA;AAAA,EACT;AACA,EAAA,MAAM,IAAI,MAAM,sDAAsD,CAAA;AACxE","file":"gateway.contract.js","sourcesContent":["/**\n * Gateway contract types — shared between Stack's gateway middleware and\n * Lucern's server-core / gateway route handlers.\n *\n * These types describe the authenticated request context that flows from\n * the gateway into Lucern route handlers. The gateway (Stack-side) creates\n * the context; Lucern consumes it read-only.\n *\n * @module @lucern/contracts/src/gateway\n */\n\nimport type {\n SessionAuthMode,\n SessionDelegationHop,\n SessionPrincipalType,\n} from \"./auth-session.contract\";\n\n// ---------------------------------------------------------------------------\n// Error codes\n// ---------------------------------------------------------------------------\n\nexport type PlatformApiErrorCode =\n | \"AUTH_REQUIRED\"\n | \"AUTHENTICATION_REQUIRED\"\n | \"AUTH_TOKEN_MISSING\"\n | \"INVALID_REQUEST\"\n | \"IDEMPOTENCY_KEY_REQUIRED\"\n | \"FORBIDDEN\"\n | \"SCOPE_INSUFFICIENT\"\n | \"ENVIRONMENT_MISMATCH\"\n | \"KEY_EXPIRED\"\n | \"KEY_REVOKED\"\n | \"RATE_LIMIT_EXCEEDED\"\n | \"NOT_FOUND\"\n | \"CONFLICT\"\n | \"UPSTREAM_ERROR\"\n | \"INTERNAL_ERROR\";\n\n// ---------------------------------------------------------------------------\n// Gateway scope and environment\n// ---------------------------------------------------------------------------\n\nexport type GatewayScope = {\n tenantId?: string;\n workspaceId?: string;\n};\n\nexport type GatewayEnvironment = \"sandbox\" | \"production\";\n\nexport type GatewayAuthMode =\n | \"interactive_user\"\n | \"service_principal\"\n | \"tenant_api_key\"\n | \"session_token\";\n\nexport type KeyLifecycleStatus =\n | \"active\"\n | \"rotating\"\n | 
\"rotated\"\n | \"expired\"\n | \"revoked\";\n\nexport type CutoverDomain =\n | \"graph\"\n | \"schema\"\n | \"identity\"\n | \"policy\"\n | \"audit\"\n | \"admin\"\n | \"agent\"\n | \"tool\"\n | \"prompt\"\n | \"intelligence\";\n\nexport type CutoverFlagState = \"legacy\" | \"cutover\" | \"disabled\";\n\n// ---------------------------------------------------------------------------\n// Gateway auth context — the canonical authenticated request shape\n// ---------------------------------------------------------------------------\n\n/**\n * Authenticated request context created by the gateway middleware.\n * Lucern route handlers receive this as a read-only parameter.\n *\n * The `convex` field is typed as `unknown` in the contract because Lucern\n * consumers should not use the gateway's Convex client directly — they\n * have their own kernel client. The gateway (Stack-side) narrows this to\n * `ConvexHttpClient` at the construction site.\n */\nexport type GatewayAuthContext = {\n userId: string;\n clerkId?: string;\n convexToken?: string;\n /** Opaque in contract — narrowed to ConvexHttpClient at the gateway. 
*/\n convex: any; // eslint-disable-line @typescript-eslint/no-explicit-any\n authMode: GatewayAuthMode;\n principalId?: string;\n principalType?: SessionPrincipalType;\n tenantId?: string;\n tenantSlug?: string;\n workspaceId?: string;\n workspaceSlug?: string;\n workspaceKey?: string;\n roles?: string[];\n membershipId?: string;\n sessionId?: string;\n sessionAuthMode?: SessionAuthMode;\n sessionExpiresAt?: number;\n delegationChain?: SessionDelegationHop[];\n servicePrincipalId?: string;\n servicePrincipalKeyId?: string;\n servicePrincipalTenantId?: string;\n servicePrincipalWorkspaceId?: string;\n requestEnvironment: GatewayEnvironment;\n keyEnvironment?: GatewayEnvironment;\n keyStatus: KeyLifecycleStatus | \"unknown\";\n grantedScopes: Set<string>;\n cutoverDomain: CutoverDomain;\n cutoverState: CutoverFlagState;\n};\n\n// ---------------------------------------------------------------------------\n// Gateway response helpers — portable (no Next.js dependency)\n// ---------------------------------------------------------------------------\n\nexport type GatewayErrorArgs = {\n code: PlatformApiErrorCode;\n message: string;\n status: number;\n correlationId: string;\n policyTraceId?: string;\n invariant?: string;\n suggestion?: string;\n details?: unknown;\n headers?: HeadersInit;\n};\n\nexport type GatewaySuccessArgs = {\n status?: number;\n correlationId: string;\n policyTraceId?: string;\n idempotentReplay?: boolean;\n};\n\nexport function requireActorPrincipalId(\n authContext: GatewayAuthContext\n): string {\n const principalId =\n typeof authContext.principalId === \"string\"\n ? authContext.principalId.trim()\n : \"\";\n if (principalId.length > 0) {\n return principalId;\n }\n throw new Error(\"Access denied: federated principal context required.\");\n}\n"]}
1
+ {"version":3,"sources":["../src/gateway.contract.ts"],"names":[],"mappings":";AAiJO,SAAS,wBACd,WAAA,EACQ;AACR,EAAA,MAAM,WAAA,GACJ,OAAO,WAAA,CAAY,WAAA,KAAgB,WAC/B,WAAA,CAAY,WAAA,CAAY,MAAK,GAC7B,EAAA;AACN,EAAA,IAAI,WAAA,CAAY,SAAS,CAAA,EAAG;AAC1B,IAAA,OAAO,WAAA;AAAA,EACT;AACA,EAAA,MAAM,IAAI,MAAM,sDAAsD,CAAA;AACxE","file":"gateway.contract.js","sourcesContent":["/**\n * Gateway contract types — shared between Stack's gateway middleware and\n * Lucern's server-core / gateway route handlers.\n *\n * These types describe the authenticated request context that flows from\n * the gateway into Lucern route handlers. The gateway (Stack-side) creates\n * the context; Lucern consumes it read-only.\n *\n * @module @lucern/contracts/src/gateway\n */\n\nimport type {\n SessionAuthMode,\n SessionDelegationHop,\n SessionPrincipalType,\n} from \"./auth-session.contract\";\n\n// ---------------------------------------------------------------------------\n// Error codes\n// ---------------------------------------------------------------------------\n\nexport type PlatformApiErrorCode =\n | \"AUTH_REQUIRED\"\n | \"AUTHENTICATION_REQUIRED\"\n | \"AUTH_TOKEN_MISSING\"\n | \"INVALID_REQUEST\"\n | \"IDEMPOTENCY_KEY_REQUIRED\"\n | \"FORBIDDEN\"\n | \"SCOPE_INSUFFICIENT\"\n | \"ENVIRONMENT_MISMATCH\"\n | \"KEY_EXPIRED\"\n | \"KEY_REVOKED\"\n | \"RATE_LIMIT_EXCEEDED\"\n | \"NOT_FOUND\"\n | \"CONFLICT\"\n | \"UPSTREAM_ERROR\"\n | \"INTERNAL_ERROR\";\n\n// ---------------------------------------------------------------------------\n// Gateway scope and environment\n// ---------------------------------------------------------------------------\n\nexport type GatewayScope = {\n tenantId?: string;\n workspaceId?: string;\n};\n\nexport type GatewayEnvironment = \"sandbox\" | \"production\";\n\nexport type GatewayAuthMode =\n | \"interactive_user\"\n | \"service_principal\"\n | \"tenant_api_key\"\n | \"session_token\";\n\nexport type KeyLifecycleStatus =\n | \"active\"\n | \"rotating\"\n | 
\"rotated\"\n | \"expired\"\n | \"revoked\";\n\nexport type CutoverDomain =\n | \"graph\"\n | \"schema\"\n | \"identity\"\n | \"policy\"\n | \"audit\"\n | \"admin\"\n | \"agent\"\n | \"tool\"\n | \"prompt\"\n | \"intelligence\";\n\nexport type CutoverFlagState = \"legacy\" | \"cutover\" | \"disabled\";\n\n// ---------------------------------------------------------------------------\n// Gateway auth context — the canonical authenticated request shape\n// ---------------------------------------------------------------------------\n\n/**\n * Authenticated request context created by the gateway middleware.\n * Lucern route handlers receive this as a read-only parameter.\n *\n * The `convex` field is typed as `unknown` in the contract because Lucern\n * consumers should not use the gateway's Convex client directly — they\n * have their own kernel client. The gateway (Stack-side) narrows this to\n * `ConvexHttpClient` at the construction site.\n */\nexport type GatewayAuthContext = {\n userId: string;\n clerkId?: string;\n convexToken?: string;\n /** Opaque in contract — narrowed to ConvexHttpClient at the gateway. 
*/\n convex: any; // eslint-disable-line @typescript-eslint/no-explicit-any\n authMode: GatewayAuthMode;\n principalId?: string;\n principalType?: SessionPrincipalType;\n tenantId?: string;\n canonicalTenantId?: string;\n tenantSlug?: string;\n workspaceId?: string;\n workspaceSlug?: string;\n workspaceKey?: string;\n roles?: string[];\n membershipId?: string;\n sessionId?: string;\n sessionAuthMode?: SessionAuthMode;\n sessionExpiresAt?: number;\n delegationChain?: SessionDelegationHop[];\n servicePrincipalId?: string;\n servicePrincipalKeyId?: string;\n servicePrincipalTenantId?: string;\n servicePrincipalWorkspaceId?: string;\n requestEnvironment: GatewayEnvironment;\n keyEnvironment?: GatewayEnvironment;\n keyStatus: KeyLifecycleStatus | \"unknown\";\n grantedScopes: Set<string>;\n cutoverDomain: CutoverDomain;\n cutoverState: CutoverFlagState;\n};\n\n// ---------------------------------------------------------------------------\n// Gateway response helpers — portable (no Next.js dependency)\n// ---------------------------------------------------------------------------\n\nexport type GatewayErrorArgs = {\n code: PlatformApiErrorCode;\n message: string;\n status: number;\n correlationId: string;\n policyTraceId?: string;\n invariant?: string;\n suggestion?: string;\n details?: unknown;\n headers?: HeadersInit;\n};\n\nexport type GatewaySuccessArgs = {\n status?: number;\n correlationId: string;\n policyTraceId?: string;\n idempotentReplay?: boolean;\n};\n\nexport function requireActorPrincipalId(\n authContext: GatewayAuthContext\n): string {\n const principalId =\n typeof authContext.principalId === \"string\"\n ? authContext.principalId.trim()\n : \"\";\n if (principalId.length > 0) {\n return principalId;\n }\n throw new Error(\"Access denied: federated principal context required.\");\n}\n"]}
@@ -103,7 +103,7 @@ var CONTROL_PLANE_SCHEMA_TABLES = {
103
103
  var MC_SCHEMA_TABLES = {
104
104
  "agentRegistryEntries": defineTable(v.object({ "agentDefinitionId": v.string(), "agentKey": v.string(), "createdAt": v.number(), "createdBy": v.string(), "description": v.string(), "displayName": v.string(), "exampleInvocations": v.array(v.object({ "expectedOutput": v.optional(v.record(v.string(), v.any())), "input": v.record(v.string(), v.any()) })), "executionAdapter": v.union(v.literal("convex_mutation"), v.literal("convex_action"), v.literal("http_callback"), v.literal("mcp_tool"), v.literal("sdk_invocation"), v.literal("external_observed")), "guardrails": v.optional(v.object({ "allowedOrigins": v.optional(v.array(v.string())), "allowNetworkEgress": v.optional(v.boolean()), "heartbeatIntervalMs": v.optional(v.number()), "isolationMode": v.optional(v.union(v.literal("direct"), v.literal("sandbox"))), "maxExecutionMs": v.optional(v.number()), "maxToolCalls": v.optional(v.number()) })), "metadata": v.optional(v.record(v.string(), v.any())), "modelSlot": v.optional(v.string()), "outputSchema": v.optional(v.record(v.string(), v.any())), "parameterSchema": v.record(v.string(), v.any()), "promptName": v.optional(v.string()), "promptReleaseChannel": v.union(v.literal("dev"), v.literal("staging"), v.literal("prod")), "requiredModelCapabilities": v.optional(v.array(v.string())), "runtimeConfig": v.optional(v.object({ "auditMode": v.optional(v.union(v.literal("harness"), v.literal("master_control"))), "callbackUrl": v.optional(v.string()), "entryPoint": v.optional(v.string()), "modelRouting": v.optional(v.union(v.literal("model_machine"), v.literal("tenant_proxy"), v.literal("bring_your_own"))) })), "scopeRequirements": v.array(v.string()), "status": v.union(v.literal("active"), v.literal("deprecated"), v.literal("disabled")), "systemPrompt": v.optional(v.string()), "tenantId": v.id("tenants"), "toolIds": v.optional(v.array(v.string())), "updatedAt": v.number(), "version": v.string(), "workspaceId": v.optional(v.id("workspaces")) })).index("by_agentDefinitionId", 
["agentDefinitionId"]).index("by_tenant_agentDefinitionId", ["tenantId", "agentDefinitionId"]).index("by_tenant_agentDefinitionId_version", ["tenantId", "agentDefinitionId", "version"]).index("by_tenant_agentKey", ["tenantId", "agentKey"]).index("by_tenant_agentKey_version", ["tenantId", "agentKey", "version"]).index("by_workspace_agentKey_version", ["workspaceId", "agentKey", "version"]).index("by_tenant_status", ["tenantId", "status"]),
105
105
  "apiKeys": defineTable(v.object({ "createdAt": v.number(), "createdBy": v.string(), "environment": v.optional(v.union(v.literal("dev"), v.literal("staging"), v.literal("prod"))), "expiresAt": v.optional(v.number()), "keyHash": v.string(), "keyHint": v.string(), "keyPrefix": v.union(v.literal("luc"), v.literal("stk")), "label": v.optional(v.string()), "lastUsedAt": v.optional(v.number()), "revokedAt": v.optional(v.number()), "revokedBy": v.optional(v.string()), "status": v.union(v.literal("active"), v.literal("revoked"), v.literal("expired")), "tenantId": v.id("tenants"), "updatedAt": v.number(), "workspaceId": v.optional(v.id("workspaces")) })).index("by_tenantId", ["tenantId"]).index("by_keyHash", ["keyHash"]).index("by_tenant_prefix", ["tenantId", "keyPrefix"]).index("by_status", ["status"]),
106
- "auditLog": defineTable(v.object({ "action": v.union(v.literal("key_created"), v.literal("key_revoked"), v.literal("key_expired"), v.literal("key_used"), v.literal("tenant_secret_created"), v.literal("tenant_secret_rotated"), v.literal("tenant_secret_revoked"), v.literal("tenant_slot_binding_upserted"), v.literal("tenant_slot_binding_revoked"), v.literal("proxy_token_minted"), v.literal("proxy_token_lease_issued"), v.literal("proxy_token_lease_renewed"), v.literal("proxy_token_lease_revoked"), v.literal("proxy_request_recorded"), v.literal("tenant_created"), v.literal("tenant_updated"), v.literal("tenant_suspended"), v.literal("tenant_archived"), v.literal("tenant_reactivated"), v.literal("principal_created"), v.literal("principal_updated"), v.literal("principal_suspended"), v.literal("principal_identity_alias_upserted"), v.literal("principal_identity_alias_revoked"), v.literal("membership_created"), v.literal("membership_updated"), v.literal("membership_revoked"), v.literal("group_created"), v.literal("group_updated"), v.literal("group_deleted"), v.literal("group_member_added"), v.literal("group_member_removed"), v.literal("workspace_created"), v.literal("workspace_updated"), v.literal("workspace_archived"), v.literal("workspace_deployment_set"), v.literal("workspace_deployment_removed"), v.literal("deployment_host_registered"), v.literal("deployment_host_revoked"), v.literal("service_key_created"), v.literal("service_key_rotated"), v.literal("service_key_revoked"), v.literal("service_key_used"), v.literal("service_key_auth_failed"), v.literal("session_created"), v.literal("session_validated"), v.literal("session_revoked"), v.literal("session_cascade_revoked"), v.literal("session_expired"), v.literal("sandbox_created"), v.literal("sandbox_secret_injected"), v.literal("sandbox_execution_started"), v.literal("sandbox_execution_completed"), v.literal("sandbox_limit_violated"), v.literal("policy_created"), v.literal("policy_updated"), v.literal("policy_enforced"), 
v.literal("policy_archived"), v.literal("permit_sync_enqueued"), v.literal("permit_sync_succeeded"), v.literal("permit_sync_failed"), v.literal("permit_sync_skipped"), v.literal("agent_registered"), v.literal("agent_updated"), v.literal("tool_registered"), v.literal("tool_updated"), v.literal("pack_entitled"), v.literal("pack_installed"), v.literal("pack_enabled"), v.literal("pack_disabled"), v.literal("pack_entitlement_revoked"), v.literal("pack_upgraded"), v.literal("pack_upgrade_committed"), v.literal("pack_upgrade_rolled_back"), v.literal("pack_group_assigned"), v.literal("pack_group_unassigned"), v.literal("methodology_pack_created"), v.literal("methodology_pack_updated"), v.literal("methodology_pack_assigned"), v.literal("methodology_pack_removed"), v.literal("pack_assigned_to_group"), v.literal("pack_revoked_from_group"), v.literal("pack_ontology_materialized"), v.literal("pack_ontology_topic_bound"), v.literal("cutover_flag_set"), v.literal("cutover_flag_cleared")), "actorClerkId": v.string(), "apiKeyId": v.optional(v.id("apiKeys")), "createdAt": v.number(), "details": v.optional(v.any()), "tenantId": v.optional(v.id("tenants")) })).index("by_tenantId", ["tenantId", "createdAt"]).index("by_apiKeyId", ["apiKeyId", "createdAt"]).index("by_action", ["action", "createdAt"]),
106
+ "auditLog": defineTable(v.object({ "action": v.union(v.literal("key_created"), v.literal("key_revoked"), v.literal("key_expired"), v.literal("key_used"), v.literal("tenant_secret_created"), v.literal("tenant_secret_rotated"), v.literal("tenant_secret_revoked"), v.literal("tenant_slot_binding_upserted"), v.literal("tenant_slot_binding_revoked"), v.literal("proxy_token_minted"), v.literal("proxy_token_lease_issued"), v.literal("proxy_token_lease_renewed"), v.literal("proxy_token_lease_revoked"), v.literal("proxy_request_recorded"), v.literal("tenant_created"), v.literal("tenant_updated"), v.literal("tenant_suspended"), v.literal("tenant_archived"), v.literal("tenant_reactivated"), v.literal("tenant_clerk_organization_linked"), v.literal("principal_created"), v.literal("principal_updated"), v.literal("principal_suspended"), v.literal("principal_identity_alias_upserted"), v.literal("principal_identity_alias_revoked"), v.literal("membership_created"), v.literal("membership_updated"), v.literal("membership_revoked"), v.literal("group_created"), v.literal("group_updated"), v.literal("group_deleted"), v.literal("group_member_added"), v.literal("group_member_removed"), v.literal("workspace_created"), v.literal("workspace_updated"), v.literal("workspace_archived"), v.literal("workspace_deployment_set"), v.literal("workspace_deployment_removed"), v.literal("deployment_host_registered"), v.literal("deployment_host_revoked"), v.literal("service_key_created"), v.literal("service_key_rotated"), v.literal("service_key_revoked"), v.literal("service_key_used"), v.literal("service_key_auth_failed"), v.literal("session_created"), v.literal("session_validated"), v.literal("session_revoked"), v.literal("session_cascade_revoked"), v.literal("session_expired"), v.literal("sandbox_created"), v.literal("sandbox_secret_injected"), v.literal("sandbox_execution_started"), v.literal("sandbox_execution_completed"), v.literal("sandbox_limit_violated"), v.literal("policy_created"), 
v.literal("policy_updated"), v.literal("policy_enforced"), v.literal("policy_archived"), v.literal("permit_sync_enqueued"), v.literal("permit_sync_succeeded"), v.literal("permit_sync_failed"), v.literal("permit_sync_skipped"), v.literal("agent_registered"), v.literal("agent_updated"), v.literal("tool_registered"), v.literal("tool_updated"), v.literal("pack_entitled"), v.literal("pack_installed"), v.literal("pack_enabled"), v.literal("pack_disabled"), v.literal("pack_entitlement_revoked"), v.literal("pack_upgraded"), v.literal("pack_upgrade_committed"), v.literal("pack_upgrade_rolled_back"), v.literal("pack_group_assigned"), v.literal("pack_group_unassigned"), v.literal("methodology_pack_created"), v.literal("methodology_pack_updated"), v.literal("methodology_pack_assigned"), v.literal("methodology_pack_removed"), v.literal("pack_assigned_to_group"), v.literal("pack_revoked_from_group"), v.literal("pack_ontology_materialized"), v.literal("pack_ontology_topic_bound"), v.literal("cutover_flag_set"), v.literal("cutover_flag_cleared")), "actorClerkId": v.string(), "apiKeyId": v.optional(v.id("apiKeys")), "createdAt": v.number(), "details": v.optional(v.any()), "tenantId": v.optional(v.id("tenants")) })).index("by_tenantId", ["tenantId", "createdAt"]).index("by_apiKeyId", ["apiKeyId", "createdAt"]).index("by_action", ["action", "createdAt"]),
107
107
  "compatibilityShims": defineTable(v.object({ "bridgeTarget": v.object({ "harnessPath": v.string(), "legacyPath": v.string(), "type": v.union(v.literal("tool"), v.literal("agent")) }), "bridgeType": v.union(v.literal("tool"), v.literal("agent")), "createdAt": v.string(), "description": v.string(), "gateId": v.string(), "lastAuditedAt": v.number(), "metadata": v.optional(v.record(v.string(), v.any())), "owner": v.string(), "producesLedgerEntries": v.boolean(), "removalDate": v.string(), "removalPriority": v.union(v.literal("P1"), v.literal("P2"), v.literal("P3")), "shimBehavior": v.union(v.literal("passthrough_with_logging"), v.literal("adapter"), v.literal("feature_flag_gate")), "shimId": v.string(), "status": v.union(v.literal("active"), v.literal("overdue"), v.literal("removed")) })).index("by_shimId", ["shimId"]).index("by_status", ["status"]).index("by_bridgeType_status", ["bridgeType", "status"]),
108
108
  "controlPlaneTenantModelSlotBindings": defineTable(v.object({ "bindingId": v.string(), "createdAt": v.number(), "createdBy": v.string(), "environment": v.optional(v.union(v.literal("dev"), v.literal("staging"), v.literal("prod"))), "metadata": v.optional(v.record(v.string(), v.any())), "modelSlotId": v.string(), "passThroughOnly": v.boolean(), "providerId": v.string(), "revokedAt": v.optional(v.number()), "revokedBy": v.optional(v.string()), "secretRef": v.string(), "status": v.union(v.literal("active"), v.literal("revoked")), "tenantId": v.id("tenants"), "updatedAt": v.number(), "workspaceId": v.optional(v.id("workspaces")) })).index("by_bindingId", ["bindingId"]).index("by_tenantId", ["tenantId"]).index("by_tenant_slot", ["tenantId", "modelSlotId"]).index("by_tenant_provider_slot", ["tenantId", "providerId", "modelSlotId"]).index("by_secretRef", ["secretRef"]).index("by_status", ["status"]),
109
109
  "controlPlaneTenantProviderSecrets": defineTable(v.object({ "createdAt": v.number(), "createdBy": v.string(), "encryptedSecret": v.optional(v.string()), "encryptionVersion": v.string(), "environment": v.optional(v.union(v.literal("dev"), v.literal("staging"), v.literal("prod"))), "infisicalPath": v.optional(v.string()), "infisicalProjectId": v.optional(v.string()), "infisicalSecretKey": v.optional(v.string()), "keyHint": v.string(), "label": v.optional(v.string()), "lastUsedAt": v.optional(v.number()), "metadata": v.optional(v.record(v.string(), v.any())), "providerId": v.string(), "revokedAt": v.optional(v.number()), "revokedBy": v.optional(v.string()), "rotatedFromSecretRef": v.optional(v.string()), "secretFingerprint": v.string(), "secretRef": v.string(), "status": v.union(v.literal("active"), v.literal("revoked")), "tenantId": v.id("tenants"), "updatedAt": v.number(), "workspaceId": v.optional(v.id("workspaces")) })).index("by_secretRef", ["secretRef"]).index("by_tenantId", ["tenantId"]).index("by_tenant_provider", ["tenantId", "providerId"]).index("by_tenant_provider_status", ["tenantId", "providerId", "status"]).index("by_status", ["status"]),