@lucern/contracts 0.3.0-alpha.16 → 0.3.0-alpha.17

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (79) hide show
  1. package/CHANGELOG.md +3 -0
  2. package/dist/auth-context.contract.js +1 -1
  3. package/dist/auth-context.contract.js.map +1 -1
  4. package/dist/auth-session.contract.js +1 -1
  5. package/dist/auth-session.contract.js.map +1 -1
  6. package/dist/auth.contract.js +1 -1
  7. package/dist/auth.contract.js.map +1 -1
  8. package/dist/function-registry/beliefs.js +4 -4
  9. package/dist/function-registry/beliefs.js.map +1 -1
  10. package/dist/function-registry/coding.js +4 -4
  11. package/dist/function-registry/coding.js.map +1 -1
  12. package/dist/function-registry/context.js +4 -4
  13. package/dist/function-registry/context.js.map +1 -1
  14. package/dist/function-registry/contracts.js +4 -4
  15. package/dist/function-registry/contracts.js.map +1 -1
  16. package/dist/function-registry/coordination.js +4 -4
  17. package/dist/function-registry/coordination.js.map +1 -1
  18. package/dist/function-registry/edges.js +4 -4
  19. package/dist/function-registry/edges.js.map +1 -1
  20. package/dist/function-registry/evidence.js +4 -4
  21. package/dist/function-registry/evidence.js.map +1 -1
  22. package/dist/function-registry/graph.js +4 -4
  23. package/dist/function-registry/graph.js.map +1 -1
  24. package/dist/function-registry/helpers.js +4 -4
  25. package/dist/function-registry/helpers.js.map +1 -1
  26. package/dist/function-registry/identity.js +4 -4
  27. package/dist/function-registry/identity.js.map +1 -1
  28. package/dist/function-registry/index.js +4 -4
  29. package/dist/function-registry/index.js.map +1 -1
  30. package/dist/function-registry/judgments.js +4 -4
  31. package/dist/function-registry/judgments.js.map +1 -1
  32. package/dist/function-registry/legacy.js +4 -4
  33. package/dist/function-registry/legacy.js.map +1 -1
  34. package/dist/function-registry/lenses.js +4 -4
  35. package/dist/function-registry/lenses.js.map +1 -1
  36. package/dist/function-registry/nodes.js +4 -4
  37. package/dist/function-registry/nodes.js.map +1 -1
  38. package/dist/function-registry/ontologies.js +4 -4
  39. package/dist/function-registry/ontologies.js.map +1 -1
  40. package/dist/function-registry/pipeline.js +4 -4
  41. package/dist/function-registry/pipeline.js.map +1 -1
  42. package/dist/function-registry/questions.js +4 -4
  43. package/dist/function-registry/questions.js.map +1 -1
  44. package/dist/function-registry/tasks.js +4 -4
  45. package/dist/function-registry/tasks.js.map +1 -1
  46. package/dist/function-registry/topics.js +4 -4
  47. package/dist/function-registry/topics.js.map +1 -1
  48. package/dist/function-registry/worktrees.js +20 -4
  49. package/dist/function-registry/worktrees.js.map +1 -1
  50. package/dist/gateway.contract.d.ts +1 -0
  51. package/dist/gateway.contract.js.map +1 -1
  52. package/dist/generated/convexSchemas.js +1 -1
  53. package/dist/generated/convexSchemas.js.map +1 -1
  54. package/dist/generated/infisicalRuntimeEnv.js +300 -6
  55. package/dist/generated/infisicalRuntimeEnv.js.map +1 -1
  56. package/dist/index.js +363 -16
  57. package/dist/index.js.map +1 -1
  58. package/dist/infisical-runtime.contract.d.ts +41 -3
  59. package/dist/infisical-runtime.contract.js +49 -3
  60. package/dist/infisical-runtime.contract.js.map +1 -1
  61. package/dist/manifests/infisical-runtime-manifest.d.ts +41 -3
  62. package/dist/manifests/infisical-runtime-manifest.js +49 -3
  63. package/dist/manifests/infisical-runtime-manifest.js.map +1 -1
  64. package/dist/permit-principal-projection.contract.js +8 -1
  65. package/dist/permit-principal-projection.contract.js.map +1 -1
  66. package/dist/proof-attestation.json +1 -1
  67. package/dist/schemas/index.js +1 -1
  68. package/dist/schemas/index.js.map +1 -1
  69. package/dist/schemas/manifest.d.ts +5 -5
  70. package/dist/schemas/manifest.js +1 -1
  71. package/dist/schemas/manifest.js.map +1 -1
  72. package/dist/schemas/tables/mc/tenant.d.ts +1 -1
  73. package/dist/schemas/tables/mc/tenant.js +1 -1
  74. package/dist/schemas/tables/mc/tenant.js.map +1 -1
  75. package/dist/sdk-tools.contract.js +4 -4
  76. package/dist/sdk-tools.contract.js.map +1 -1
  77. package/dist/tool-contracts.js +4 -4
  78. package/dist/tool-contracts.js.map +1 -1
  79. package/package.json +1 -1
package/dist/index.js CHANGED
@@ -202,7 +202,7 @@ var SESSION_LIFECYCLE_STATUSES = [
202
202
  "revoked"
203
203
  ];
204
204
  function inferSessionPrincipalType(principalId) {
205
- if (principalId.startsWith("user:")) {
205
+ if (/^user_[A-Za-z0-9]+$/.test(principalId)) {
206
206
  return "human";
207
207
  }
208
208
  if (principalId.startsWith("agent:")) {
@@ -2281,7 +2281,7 @@ var auditLog = defineTable({
2281
2281
  shape: z.object({
2282
2282
  "tenantId": idOf("tenants").optional(),
2283
2283
  "apiKeyId": idOf("apiKeys").optional(),
2284
- "action": z.enum(["key_created", "key_revoked", "key_expired", "key_used", "tenant_secret_created", "tenant_secret_rotated", "tenant_secret_revoked", "tenant_slot_binding_upserted", "tenant_slot_binding_revoked", "proxy_token_minted", "proxy_token_lease_issued", "proxy_token_lease_renewed", "proxy_token_lease_revoked", "proxy_request_recorded", "tenant_created", "tenant_updated", "tenant_suspended", "tenant_archived", "tenant_reactivated", "principal_created", "principal_updated", "principal_suspended", "principal_identity_alias_upserted", "principal_identity_alias_revoked", "membership_created", "membership_updated", "membership_revoked", "group_created", "group_updated", "group_deleted", "group_member_added", "group_member_removed", "workspace_created", "workspace_updated", "workspace_archived", "workspace_deployment_set", "workspace_deployment_removed", "deployment_host_registered", "deployment_host_revoked", "service_key_created", "service_key_rotated", "service_key_revoked", "service_key_used", "service_key_auth_failed", "session_created", "session_validated", "session_revoked", "session_cascade_revoked", "session_expired", "sandbox_created", "sandbox_secret_injected", "sandbox_execution_started", "sandbox_execution_completed", "sandbox_limit_violated", "policy_created", "policy_updated", "policy_enforced", "policy_archived", "permit_sync_enqueued", "permit_sync_succeeded", "permit_sync_failed", "permit_sync_skipped", "agent_registered", "agent_updated", "tool_registered", "tool_updated", "pack_entitled", "pack_installed", "pack_enabled", "pack_disabled", "pack_entitlement_revoked", "pack_upgraded", "pack_upgrade_committed", "pack_upgrade_rolled_back", "pack_group_assigned", "pack_group_unassigned", "methodology_pack_created", "methodology_pack_updated", "methodology_pack_assigned", "methodology_pack_removed", "pack_assigned_to_group", "pack_revoked_from_group", "pack_ontology_materialized", "pack_ontology_topic_bound", "cutover_flag_set", "cutover_flag_cleared"]),
2284
+ "action": z.enum(["key_created", "key_revoked", "key_expired", "key_used", "tenant_secret_created", "tenant_secret_rotated", "tenant_secret_revoked", "tenant_slot_binding_upserted", "tenant_slot_binding_revoked", "proxy_token_minted", "proxy_token_lease_issued", "proxy_token_lease_renewed", "proxy_token_lease_revoked", "proxy_request_recorded", "tenant_created", "tenant_updated", "tenant_suspended", "tenant_archived", "tenant_reactivated", "tenant_clerk_organization_linked", "principal_created", "principal_updated", "principal_suspended", "principal_identity_alias_upserted", "principal_identity_alias_revoked", "membership_created", "membership_updated", "membership_revoked", "group_created", "group_updated", "group_deleted", "group_member_added", "group_member_removed", "workspace_created", "workspace_updated", "workspace_archived", "workspace_deployment_set", "workspace_deployment_removed", "deployment_host_registered", "deployment_host_revoked", "service_key_created", "service_key_rotated", "service_key_revoked", "service_key_used", "service_key_auth_failed", "session_created", "session_validated", "session_revoked", "session_cascade_revoked", "session_expired", "sandbox_created", "sandbox_secret_injected", "sandbox_execution_started", "sandbox_execution_completed", "sandbox_limit_violated", "policy_created", "policy_updated", "policy_enforced", "policy_archived", "permit_sync_enqueued", "permit_sync_succeeded", "permit_sync_failed", "permit_sync_skipped", "agent_registered", "agent_updated", "tool_registered", "tool_updated", "pack_entitled", "pack_installed", "pack_enabled", "pack_disabled", "pack_entitlement_revoked", "pack_upgraded", "pack_upgrade_committed", "pack_upgrade_rolled_back", "pack_group_assigned", "pack_group_unassigned", "methodology_pack_created", "methodology_pack_updated", "methodology_pack_assigned", "methodology_pack_removed", "pack_assigned_to_group", "pack_revoked_from_group", "pack_ontology_materialized", "pack_ontology_topic_bound", "cutover_flag_set", "cutover_flag_cleared"]),
2285
2285
  "actorClerkId": z.string(),
2286
2286
  "details": z.any().optional(),
2287
2287
  "createdAt": z.number()
@@ -8172,6 +8172,21 @@ var INFISICAL_RUNTIME_PATHS = [
8172
8172
  }
8173
8173
  ]
8174
8174
  },
8175
+ {
8176
+ id: "platform-operator-credentials",
8177
+ secretPath: "/platform/runtime",
8178
+ description: "Lucern-owned operator credential material for local CLI, MCP, and SDK sessions.",
8179
+ variables: [
8180
+ {
8181
+ name: "LUCERN_API_KEY",
8182
+ required: false,
8183
+ secret: true,
8184
+ public: false,
8185
+ aliases: ["LUCERN_KEY"],
8186
+ description: "Lucern-owned operator API key for gateway calls from trusted local tooling."
8187
+ }
8188
+ ]
8189
+ },
8175
8190
  {
8176
8191
  id: "tenant-shared-install",
8177
8192
  secretPath: TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH,
@@ -8207,7 +8222,7 @@ var INFISICAL_RUNTIME_SURFACES = [
8207
8222
  id: "lucern-sdk",
8208
8223
  packageName: "@lucern/sdk",
8209
8224
  delivery: "runtime_fetch",
8210
- sourcePathIds: ["platform-runtime"],
8225
+ sourcePathIds: ["platform-runtime", "platform-operator-credentials"],
8211
8226
  consumer: "server-side SDK operator contexts with a scoped Infisical identity",
8212
8227
  description: "SDK exposes the runtime Infisical resolver used by clients that have machine identity credentials."
8213
8228
  },
@@ -8216,7 +8231,7 @@ var INFISICAL_RUNTIME_SURFACES = [
8216
8231
  packageName: "@lucern/cli",
8217
8232
  delivery: "runtime_fetch",
8218
8233
  fallback: "device_auth",
8219
- sourcePathIds: ["platform-runtime"],
8234
+ sourcePathIds: ["platform-runtime", "platform-operator-credentials"],
8220
8235
  consumer: "developer/operator CLI processes",
8221
8236
  description: "CLI hydrates runtime defaults from Infisical when configured, then authenticates users through Lucern device login."
8222
8237
  },
@@ -8225,7 +8240,7 @@ var INFISICAL_RUNTIME_SURFACES = [
8225
8240
  packageName: "@lucern/mcp",
8226
8241
  delivery: "runtime_fetch",
8227
8242
  fallback: "device_auth",
8228
- sourcePathIds: ["platform-runtime"],
8243
+ sourcePathIds: ["platform-runtime", "platform-operator-credentials"],
8229
8244
  consumer: "MCP server/client processes",
8230
8245
  description: "MCP hydrates runtime defaults through the SDK resolver and remains a Lucern client, not a platform secret owner."
8231
8246
  },
@@ -9806,6 +9821,37 @@ var PLATFORM_LOCAL_OPERATOR_CONFIG_SECRET_DEFINITIONS = [
9806
9821
  ],
9807
9822
  description: "Local/hosted MCP auth token material. Tenant apps must use MC/API-key sessions instead."
9808
9823
  },
9824
+ {
9825
+ id: "platform.operator.api-key",
9826
+ canonicalName: "LUCERN_API_KEY",
9827
+ aliases: ["LUCERN_KEY"],
9828
+ owner: "lucern_platform",
9829
+ scope: "environment",
9830
+ sourcePath: "/platform/runtime",
9831
+ environmentPolicy: "environment_specific",
9832
+ required: false,
9833
+ secret: true,
9834
+ public: false,
9835
+ consumers: ["lucern-cli", "lucern-mcp", "lucern-repo-ci"],
9836
+ destinations: [
9837
+ {
9838
+ kind: "runtime_fetch",
9839
+ target: "lucern-cli-mcp-sdk",
9840
+ environmentPolicy: "environment_specific"
9841
+ },
9842
+ {
9843
+ kind: "operator_local",
9844
+ target: "lucern-repo",
9845
+ environmentPolicy: "environment_specific"
9846
+ },
9847
+ {
9848
+ kind: "github_actions",
9849
+ target: "LucernAI/lucern",
9850
+ environmentPolicy: "environment_specific"
9851
+ }
9852
+ ],
9853
+ description: "Lucern-owned operator API key for trusted CLI/MCP/CI calls. Source it from /platform/runtime; do not persist it into local user credential files."
9854
+ },
9809
9855
  {
9810
9856
  id: "platform.graph-sync.proxy",
9811
9857
  canonicalName: "LUCERN_GRAPH_SYNC_QUERY_BASE_URL",
@@ -11273,6 +11319,7 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
11273
11319
  "LUCERN_KERNEL_NPM_TOKEN",
11274
11320
  "LUCERN_KERNEL_SCOPE_REGISTRY",
11275
11321
  "LUCERN_KERNEL_SKIP_CONVEX",
11322
+ "LUCERN_KEY",
11276
11323
  "LUCERN_LOGIN_BASE_URL",
11277
11324
  "LUCERN_MCP_ALLOW_API_KEY_PASSTHROUGH",
11278
11325
  "LUCERN_MCP_DEBUG",
@@ -11529,6 +11576,7 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
11529
11576
  "LUCERN_KERNEL_NPM_TOKEN",
11530
11577
  "LUCERN_KERNEL_SCOPE_REGISTRY",
11531
11578
  "LUCERN_KERNEL_SKIP_CONVEX",
11579
+ "LUCERN_KEY",
11532
11580
  "LUCERN_LOGIN_BASE_URL",
11533
11581
  "LUCERN_MCP_ALLOW_API_KEY_PASSTHROUGH",
11534
11582
  "LUCERN_MCP_DEBUG",
@@ -13622,13 +13670,15 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
13622
13670
  "description": "stack/frontend: Tenant-owned Linear API key for support/slash-command flows. stack/stackos: Tenant-owned Linear API key for support/slash-command flows."
13623
13671
  },
13624
13672
  "LUCERN_API_KEY": {
13625
- "secretId": "tenant.stack-frontend.lucern.gateway-api-key",
13673
+ "secretId": "platform.operator.api-key",
13626
13674
  "canonicalName": "LUCERN_API_KEY",
13627
13675
  "envNames": [
13628
13676
  "LUCERN_API_KEY",
13677
+ "LUCERN_KEY",
13629
13678
  "STACK_API_KEY"
13630
13679
  ],
13631
13680
  "aliases": [
13681
+ "LUCERN_KEY",
13632
13682
  "STACK_API_KEY"
13633
13683
  ],
13634
13684
  "writeNames": [
@@ -13637,13 +13687,38 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
13637
13687
  "required": false,
13638
13688
  "secret": true,
13639
13689
  "public": false,
13640
- "sourcePath": "/tenants/stack",
13690
+ "sourcePath": "/platform/runtime",
13641
13691
  "environmentPolicy": "environment_specific",
13642
13692
  "consumers": [
13693
+ "lucern-cli",
13694
+ "lucern-mcp",
13695
+ "lucern-repo-ci",
13696
+ "lucern-sdk",
13643
13697
  "tenant-agent-runtime",
13644
13698
  "tenant-vercel-app"
13645
13699
  ],
13646
13700
  "destinations": [
13701
+ {
13702
+ "kind": "runtime_fetch",
13703
+ "target": "lucern-cli-mcp-sdk",
13704
+ "writeNames": [
13705
+ "LUCERN_API_KEY"
13706
+ ]
13707
+ },
13708
+ {
13709
+ "kind": "operator_local",
13710
+ "target": "lucern-repo",
13711
+ "writeNames": [
13712
+ "LUCERN_API_KEY"
13713
+ ]
13714
+ },
13715
+ {
13716
+ "kind": "github_actions",
13717
+ "target": "LucernAI/lucern",
13718
+ "writeNames": [
13719
+ "LUCERN_API_KEY"
13720
+ ]
13721
+ },
13647
13722
  {
13648
13723
  "kind": "vercel",
13649
13724
  "target": "ai-chatbot-diao",
@@ -13687,7 +13762,7 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
13687
13762
  ]
13688
13763
  }
13689
13764
  ],
13690
- "description": "stack/frontend: Tenant-scoped Lucern/MC gateway API key for product front-door calls. stack/stackos: Tenant-scoped Lucern/MC gateway API key for product front-door calls."
13765
+ "description": "Lucern-owned operator API key for trusted CLI/MCP/CI calls. Source it from /platform/runtime; do not persist it into local user credential files. stack/frontend: Tenant-scoped Lucern/MC gateway API key for product front-door calls. stack/stackos: Tenant-scoped Lucern/MC gateway API key for product front-door calls. Lucern-owned operator API key for gateway calls from trusted local tooling. Lucern-owned operator API key for gateway calls from trusted local tooling. Lucern-owned operator API key for gateway calls from trusted local tooling."
13691
13766
  },
13692
13767
  "LUCERN_API_URL": {
13693
13768
  "secretId": "platform.runtime.api-base-url",
@@ -17166,6 +17241,7 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
17166
17241
  "LANGFUSE_SECRET_KEY": "LANGFUSE_SECRET_KEY",
17167
17242
  "LINEAR_API_KEY": "LINEAR_API_KEY",
17168
17243
  "LUCERN_API_KEY": "LUCERN_API_KEY",
17244
+ "LUCERN_KEY": "LUCERN_API_KEY",
17169
17245
  "STACK_API_KEY": "LUCERN_API_KEY",
17170
17246
  "LUCERN_API_BASE_URL": "LUCERN_BASE_URL",
17171
17247
  "LUCERN_API_URL": "LUCERN_API_URL",
@@ -18901,9 +18977,33 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
18901
18977
  "consumer": "server-side SDK operator contexts with a scoped Infisical identity",
18902
18978
  "description": "SDK exposes the runtime Infisical resolver used by clients that have machine identity credentials.",
18903
18979
  "sourcePathIds": [
18904
- "platform-runtime"
18980
+ "platform-runtime",
18981
+ "platform-operator-credentials"
18905
18982
  ],
18906
18983
  "variables": [
18984
+ {
18985
+ "canonicalName": "LUCERN_API_KEY",
18986
+ "envNames": [
18987
+ "LUCERN_API_KEY",
18988
+ "LUCERN_KEY"
18989
+ ],
18990
+ "aliases": [
18991
+ "LUCERN_KEY"
18992
+ ],
18993
+ "writeNames": [
18994
+ "LUCERN_API_KEY"
18995
+ ],
18996
+ "required": false,
18997
+ "secret": true,
18998
+ "public": false,
18999
+ "sourcePath": "/platform/runtime",
19000
+ "environmentPolicy": "environment_specific",
19001
+ "consumers": [
19002
+ "lucern-sdk"
19003
+ ],
19004
+ "destinations": [],
19005
+ "description": "Lucern-owned operator API key for gateway calls from trusted local tooling."
19006
+ },
18907
19007
  {
18908
19008
  "canonicalName": "LUCERN_API_URL",
18909
19009
  "envNames": [
@@ -19004,9 +19104,57 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
19004
19104
  "consumer": "developer/operator CLI processes",
19005
19105
  "description": "CLI hydrates runtime defaults from Infisical when configured, then authenticates users through Lucern device login.",
19006
19106
  "sourcePathIds": [
19007
- "platform-runtime"
19107
+ "platform-runtime",
19108
+ "platform-operator-credentials"
19008
19109
  ],
19009
19110
  "variables": [
19111
+ {
19112
+ "canonicalName": "LUCERN_API_KEY",
19113
+ "envNames": [
19114
+ "LUCERN_API_KEY",
19115
+ "LUCERN_KEY"
19116
+ ],
19117
+ "aliases": [
19118
+ "LUCERN_KEY"
19119
+ ],
19120
+ "writeNames": [
19121
+ "LUCERN_API_KEY"
19122
+ ],
19123
+ "required": false,
19124
+ "secret": true,
19125
+ "public": false,
19126
+ "sourcePath": "/platform/runtime",
19127
+ "environmentPolicy": "environment_specific",
19128
+ "consumers": [
19129
+ "lucern-cli",
19130
+ "lucern-mcp",
19131
+ "lucern-repo-ci"
19132
+ ],
19133
+ "destinations": [
19134
+ {
19135
+ "kind": "runtime_fetch",
19136
+ "target": "lucern-cli-mcp-sdk",
19137
+ "writeNames": [
19138
+ "LUCERN_API_KEY"
19139
+ ]
19140
+ },
19141
+ {
19142
+ "kind": "operator_local",
19143
+ "target": "lucern-repo",
19144
+ "writeNames": [
19145
+ "LUCERN_API_KEY"
19146
+ ]
19147
+ },
19148
+ {
19149
+ "kind": "github_actions",
19150
+ "target": "LucernAI/lucern",
19151
+ "writeNames": [
19152
+ "LUCERN_API_KEY"
19153
+ ]
19154
+ }
19155
+ ],
19156
+ "description": "Lucern-owned operator API key for gateway calls from trusted local tooling. Lucern-owned operator API key for trusted CLI/MCP/CI calls. Source it from /platform/runtime; do not persist it into local user credential files."
19157
+ },
19010
19158
  {
19011
19159
  "canonicalName": "LUCERN_API_URL",
19012
19160
  "envNames": [
@@ -19345,7 +19493,8 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
19345
19493
  "consumer": "MCP server/client processes",
19346
19494
  "description": "MCP hydrates runtime defaults through the SDK resolver and remains a Lucern client, not a platform secret owner.",
19347
19495
  "sourcePathIds": [
19348
- "platform-runtime"
19496
+ "platform-runtime",
19497
+ "platform-operator-credentials"
19349
19498
  ],
19350
19499
  "variables": [
19351
19500
  {
@@ -19433,6 +19582,53 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
19433
19582
  ],
19434
19583
  "description": "Lucern-owned Clerk backend secret. Never route to tenant-owned apps unless that tenant is Lucern itself."
19435
19584
  },
19585
+ {
19586
+ "canonicalName": "LUCERN_API_KEY",
19587
+ "envNames": [
19588
+ "LUCERN_API_KEY",
19589
+ "LUCERN_KEY"
19590
+ ],
19591
+ "aliases": [
19592
+ "LUCERN_KEY"
19593
+ ],
19594
+ "writeNames": [
19595
+ "LUCERN_API_KEY"
19596
+ ],
19597
+ "required": false,
19598
+ "secret": true,
19599
+ "public": false,
19600
+ "sourcePath": "/platform/runtime",
19601
+ "environmentPolicy": "environment_specific",
19602
+ "consumers": [
19603
+ "lucern-cli",
19604
+ "lucern-mcp",
19605
+ "lucern-repo-ci"
19606
+ ],
19607
+ "destinations": [
19608
+ {
19609
+ "kind": "runtime_fetch",
19610
+ "target": "lucern-cli-mcp-sdk",
19611
+ "writeNames": [
19612
+ "LUCERN_API_KEY"
19613
+ ]
19614
+ },
19615
+ {
19616
+ "kind": "operator_local",
19617
+ "target": "lucern-repo",
19618
+ "writeNames": [
19619
+ "LUCERN_API_KEY"
19620
+ ]
19621
+ },
19622
+ {
19623
+ "kind": "github_actions",
19624
+ "target": "LucernAI/lucern",
19625
+ "writeNames": [
19626
+ "LUCERN_API_KEY"
19627
+ ]
19628
+ }
19629
+ ],
19630
+ "description": "Lucern-owned operator API key for gateway calls from trusted local tooling. Lucern-owned operator API key for trusted CLI/MCP/CI calls. Source it from /platform/runtime; do not persist it into local user credential files."
19631
+ },
19436
19632
  {
19437
19633
  "canonicalName": "LUCERN_API_URL",
19438
19634
  "envNames": [
@@ -25154,6 +25350,54 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
25154
25350
  ],
25155
25351
  "description": "Lucern-owned Langfuse secret key for prompt sync, prompt reads, and AI tracing."
25156
25352
  },
25353
+ {
25354
+ "secretId": "platform.operator.api-key",
25355
+ "canonicalName": "LUCERN_API_KEY",
25356
+ "envNames": [
25357
+ "LUCERN_API_KEY",
25358
+ "LUCERN_KEY"
25359
+ ],
25360
+ "aliases": [
25361
+ "LUCERN_KEY"
25362
+ ],
25363
+ "writeNames": [
25364
+ "LUCERN_API_KEY"
25365
+ ],
25366
+ "required": false,
25367
+ "secret": true,
25368
+ "public": false,
25369
+ "sourcePath": "/platform/runtime",
25370
+ "environmentPolicy": "environment_specific",
25371
+ "consumers": [
25372
+ "lucern-cli",
25373
+ "lucern-mcp",
25374
+ "lucern-repo-ci"
25375
+ ],
25376
+ "destinations": [
25377
+ {
25378
+ "kind": "runtime_fetch",
25379
+ "target": "lucern-cli-mcp-sdk",
25380
+ "writeNames": [
25381
+ "LUCERN_API_KEY"
25382
+ ]
25383
+ },
25384
+ {
25385
+ "kind": "operator_local",
25386
+ "target": "lucern-repo",
25387
+ "writeNames": [
25388
+ "LUCERN_API_KEY"
25389
+ ]
25390
+ },
25391
+ {
25392
+ "kind": "github_actions",
25393
+ "target": "LucernAI/lucern",
25394
+ "writeNames": [
25395
+ "LUCERN_API_KEY"
25396
+ ]
25397
+ }
25398
+ ],
25399
+ "description": "Lucern-owned operator API key for trusted CLI/MCP/CI calls. Source it from /platform/runtime; do not persist it into local user credential files."
25400
+ },
25157
25401
  {
25158
25402
  "secretId": "platform.gateway.mode",
25159
25403
  "canonicalName": "LUCERN_GATEWAY_MODE",
@@ -29795,6 +30039,54 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
29795
30039
  ],
29796
30040
  "description": "Operator-only Infisical CLI/API location knobs. Machine credentials are handled by the bootstrap contract."
29797
30041
  },
30042
+ {
30043
+ "secretId": "platform.operator.api-key",
30044
+ "canonicalName": "LUCERN_API_KEY",
30045
+ "envNames": [
30046
+ "LUCERN_API_KEY",
30047
+ "LUCERN_KEY"
30048
+ ],
30049
+ "aliases": [
30050
+ "LUCERN_KEY"
30051
+ ],
30052
+ "writeNames": [
30053
+ "LUCERN_API_KEY"
30054
+ ],
30055
+ "required": false,
30056
+ "secret": true,
30057
+ "public": false,
30058
+ "sourcePath": "/platform/runtime",
30059
+ "environmentPolicy": "environment_specific",
30060
+ "consumers": [
30061
+ "lucern-cli",
30062
+ "lucern-mcp",
30063
+ "lucern-repo-ci"
30064
+ ],
30065
+ "destinations": [
30066
+ {
30067
+ "kind": "runtime_fetch",
30068
+ "target": "lucern-cli-mcp-sdk",
30069
+ "writeNames": [
30070
+ "LUCERN_API_KEY"
30071
+ ]
30072
+ },
30073
+ {
30074
+ "kind": "operator_local",
30075
+ "target": "lucern-repo",
30076
+ "writeNames": [
30077
+ "LUCERN_API_KEY"
30078
+ ]
30079
+ },
30080
+ {
30081
+ "kind": "github_actions",
30082
+ "target": "LucernAI/lucern",
30083
+ "writeNames": [
30084
+ "LUCERN_API_KEY"
30085
+ ]
30086
+ }
30087
+ ],
30088
+ "description": "Lucern-owned operator API key for trusted CLI/MCP/CI calls. Source it from /platform/runtime; do not persist it into local user credential files."
30089
+ },
29798
30090
  {
29799
30091
  "secretId": "platform.convex-deploy.local-names",
29800
30092
  "canonicalName": "LUCERN_CONVEX_DEPLOYMENT_NAME",
@@ -31065,6 +31357,54 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
31065
31357
  }
31066
31358
  ],
31067
31359
  "runtime_fetch:lucern-cli-mcp-sdk": [
31360
+ {
31361
+ "secretId": "platform.operator.api-key",
31362
+ "canonicalName": "LUCERN_API_KEY",
31363
+ "envNames": [
31364
+ "LUCERN_API_KEY",
31365
+ "LUCERN_KEY"
31366
+ ],
31367
+ "aliases": [
31368
+ "LUCERN_KEY"
31369
+ ],
31370
+ "writeNames": [
31371
+ "LUCERN_API_KEY"
31372
+ ],
31373
+ "required": false,
31374
+ "secret": true,
31375
+ "public": false,
31376
+ "sourcePath": "/platform/runtime",
31377
+ "environmentPolicy": "environment_specific",
31378
+ "consumers": [
31379
+ "lucern-cli",
31380
+ "lucern-mcp",
31381
+ "lucern-repo-ci"
31382
+ ],
31383
+ "destinations": [
31384
+ {
31385
+ "kind": "runtime_fetch",
31386
+ "target": "lucern-cli-mcp-sdk",
31387
+ "writeNames": [
31388
+ "LUCERN_API_KEY"
31389
+ ]
31390
+ },
31391
+ {
31392
+ "kind": "operator_local",
31393
+ "target": "lucern-repo",
31394
+ "writeNames": [
31395
+ "LUCERN_API_KEY"
31396
+ ]
31397
+ },
31398
+ {
31399
+ "kind": "github_actions",
31400
+ "target": "LucernAI/lucern",
31401
+ "writeNames": [
31402
+ "LUCERN_API_KEY"
31403
+ ]
31404
+ }
31405
+ ],
31406
+ "description": "Lucern-owned operator API key for trusted CLI/MCP/CI calls. Source it from /platform/runtime; do not persist it into local user credential files."
31407
+ },
31068
31408
  {
31069
31409
  "secretId": "platform.runtime.api-base-url",
31070
31410
  "canonicalName": "LUCERN_API_URL",
@@ -40998,7 +41338,7 @@ var IDENTITY_WHOAMI = {
40998
41338
  response: {
40999
41339
  description: "Canonical identity summary for the current session",
41000
41340
  fields: {
41001
- principalId: "string \u2014 canonical federated principal identifier",
41341
+ principalId: "string \u2014 canonical principal identifier; for humans this is the Clerk user_... ID",
41002
41342
  principalType: "string \u2014 human, service, agent, group, or external_viewer",
41003
41343
  tenantId: "string | undefined \u2014 resolved tenant scope",
41004
41344
  workspaceId: "string | undefined \u2014 resolved workspace scope",
@@ -41012,7 +41352,7 @@ var IDENTITY_WHOAMI = {
41012
41352
  };
41013
41353
  var RESOLVE_INTERACTIVE_PRINCIPAL = {
41014
41354
  name: "resolve_interactive_principal",
41015
- description: "Read the Permit-backed Lucern principal context for an authenticated Clerk user. Like `git config --get user.email` plus the repository ACL \u2014 resolves the identity alias into the canonical authorization subject.",
41355
+ description: "Read the Permit-backed Lucern principal context for an authenticated Clerk user. Like `git config --get user.email` plus the repository ACL \u2014 resolves the Clerk subject into tenant/workspace authorization context.",
41016
41356
  parameters: {
41017
41357
  clerkId: {
41018
41358
  type: "string",
@@ -41035,7 +41375,7 @@ var RESOLVE_INTERACTIVE_PRINCIPAL = {
41035
41375
  response: {
41036
41376
  description: "Permit-backed Lucern principal context for tenant SDK bootstrap",
41037
41377
  fields: {
41038
- principalId: "string \u2014 canonical Lucern principal identifier",
41378
+ principalId: "string \u2014 canonical Clerk user_... ID for human sessions",
41039
41379
  principalType: "string \u2014 human, service, agent, group, or external_viewer",
41040
41380
  clerkId: "string \u2014 authenticated Clerk subject alias",
41041
41381
  tenantId: "string \u2014 resolved tenant scope",
@@ -41863,7 +42203,7 @@ var MANAGE_WRITE_POLICY = {
41863
42203
  },
41864
42204
  role: {
41865
42205
  type: "string",
41866
- description: "Role to set policy for (required for 'set'). E.g. 'agent:internal', 'user:analyst'."
42206
+ description: "Role to set policy for (required for 'set'). E.g. 'agent:internal' or a Permit role key such as 'workspace_admin'."
41867
42207
  },
41868
42208
  permission: {
41869
42209
  type: "string",
@@ -43460,6 +43800,10 @@ function highestPlatformRole(roles) {
43460
43800
  function isClerkAliasFor(alias, clerkId) {
43461
43801
  return isActivePermitProjectionStatus(alias.status) && readPermitProjectionString(alias.provider)?.toLowerCase() === "clerk" && (readPermitProjectionString(alias.providerSubjectId) === clerkId || readPermitProjectionString(alias.alias) === clerkId);
43462
43802
  }
43803
+ function isHumanPermitPrincipal(principal) {
43804
+ const principalType = readPermitProjectionString(principal.principalType)?.toLowerCase();
43805
+ return !principalType || principalType === "human" || principalType === "user";
43806
+ }
43463
43807
  function emailFromAlias(aliases, principal) {
43464
43808
  return aliases.find(
43465
43809
  (alias) => readPermitProjectionString(alias.aliasKind)?.toLowerCase() === "email"
@@ -43518,6 +43862,9 @@ function buildProjectedUserFromPermitPrincipal(rows, principal, matchingAlias, n
43518
43862
  (entry) => readPermitProjectionString(entry.provider)?.toLowerCase() === "clerk"
43519
43863
  )?.providerSubjectId
43520
43864
  ) ?? principalId;
43865
+ if (isHumanPermitPrincipal(principal) && principalId !== clerkId) {
43866
+ return null;
43867
+ }
43521
43868
  return {
43522
43869
  clerkId,
43523
43870
  email: emailFromAlias(aliases, principal) ?? `${principalId}@permit.local`,
@@ -43551,7 +43898,7 @@ function findProjectedUserByPermitClerkId(rows, clerkId, now = Date.now()) {
43551
43898
  const principal = matchingAlias ? rows.principals.find(
43552
43899
  (row) => readPermitProjectionString(row.tenantId) === readPermitProjectionString(matchingAlias.tenantId) && readPermitProjectionString(row.principalId) === readPermitProjectionString(matchingAlias.principalId)
43553
43900
  ) : rows.principals.find(
43554
- (row) => readPermitProjectionString(row.principalId) === normalizedClerkId || readPermitProjectionString(row.principalId) === `user:${normalizedClerkId}`
43901
+ (row) => readPermitProjectionString(row.principalId) === normalizedClerkId
43555
43902
  );
43556
43903
  return principal ? buildProjectedUserFromPermitPrincipal(rows, principal, matchingAlias, now) : null;
43557
43904
  }