@lucern/contracts 0.3.0-alpha.16 → 0.3.0-alpha.17
- package/CHANGELOG.md +3 -0
- package/dist/auth-context.contract.js +1 -1
- package/dist/auth-context.contract.js.map +1 -1
- package/dist/auth-session.contract.js +1 -1
- package/dist/auth-session.contract.js.map +1 -1
- package/dist/auth.contract.js +1 -1
- package/dist/auth.contract.js.map +1 -1
- package/dist/function-registry/beliefs.js +4 -4
- package/dist/function-registry/beliefs.js.map +1 -1
- package/dist/function-registry/coding.js +4 -4
- package/dist/function-registry/coding.js.map +1 -1
- package/dist/function-registry/context.js +4 -4
- package/dist/function-registry/context.js.map +1 -1
- package/dist/function-registry/contracts.js +4 -4
- package/dist/function-registry/contracts.js.map +1 -1
- package/dist/function-registry/coordination.js +4 -4
- package/dist/function-registry/coordination.js.map +1 -1
- package/dist/function-registry/edges.js +4 -4
- package/dist/function-registry/edges.js.map +1 -1
- package/dist/function-registry/evidence.js +4 -4
- package/dist/function-registry/evidence.js.map +1 -1
- package/dist/function-registry/graph.js +4 -4
- package/dist/function-registry/graph.js.map +1 -1
- package/dist/function-registry/helpers.js +4 -4
- package/dist/function-registry/helpers.js.map +1 -1
- package/dist/function-registry/identity.js +4 -4
- package/dist/function-registry/identity.js.map +1 -1
- package/dist/function-registry/index.js +4 -4
- package/dist/function-registry/index.js.map +1 -1
- package/dist/function-registry/judgments.js +4 -4
- package/dist/function-registry/judgments.js.map +1 -1
- package/dist/function-registry/legacy.js +4 -4
- package/dist/function-registry/legacy.js.map +1 -1
- package/dist/function-registry/lenses.js +4 -4
- package/dist/function-registry/lenses.js.map +1 -1
- package/dist/function-registry/nodes.js +4 -4
- package/dist/function-registry/nodes.js.map +1 -1
- package/dist/function-registry/ontologies.js +4 -4
- package/dist/function-registry/ontologies.js.map +1 -1
- package/dist/function-registry/pipeline.js +4 -4
- package/dist/function-registry/pipeline.js.map +1 -1
- package/dist/function-registry/questions.js +4 -4
- package/dist/function-registry/questions.js.map +1 -1
- package/dist/function-registry/tasks.js +4 -4
- package/dist/function-registry/tasks.js.map +1 -1
- package/dist/function-registry/topics.js +4 -4
- package/dist/function-registry/topics.js.map +1 -1
- package/dist/function-registry/worktrees.js +20 -4
- package/dist/function-registry/worktrees.js.map +1 -1
- package/dist/gateway.contract.d.ts +1 -0
- package/dist/gateway.contract.js.map +1 -1
- package/dist/generated/convexSchemas.js +1 -1
- package/dist/generated/convexSchemas.js.map +1 -1
- package/dist/generated/infisicalRuntimeEnv.js +300 -6
- package/dist/generated/infisicalRuntimeEnv.js.map +1 -1
- package/dist/index.js +363 -16
- package/dist/index.js.map +1 -1
- package/dist/infisical-runtime.contract.d.ts +41 -3
- package/dist/infisical-runtime.contract.js +49 -3
- package/dist/infisical-runtime.contract.js.map +1 -1
- package/dist/manifests/infisical-runtime-manifest.d.ts +41 -3
- package/dist/manifests/infisical-runtime-manifest.js +49 -3
- package/dist/manifests/infisical-runtime-manifest.js.map +1 -1
- package/dist/permit-principal-projection.contract.js +8 -1
- package/dist/permit-principal-projection.contract.js.map +1 -1
- package/dist/proof-attestation.json +1 -1
- package/dist/schemas/index.js +1 -1
- package/dist/schemas/index.js.map +1 -1
- package/dist/schemas/manifest.d.ts +5 -5
- package/dist/schemas/manifest.js +1 -1
- package/dist/schemas/manifest.js.map +1 -1
- package/dist/schemas/tables/mc/tenant.d.ts +1 -1
- package/dist/schemas/tables/mc/tenant.js +1 -1
- package/dist/schemas/tables/mc/tenant.js.map +1 -1
- package/dist/sdk-tools.contract.js +4 -4
- package/dist/sdk-tools.contract.js.map +1 -1
- package/dist/tool-contracts.js +4 -4
- package/dist/tool-contracts.js.map +1 -1
- package/package.json +1 -1
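--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -202,7 +202,7 @@ var SESSION_LIFECYCLE_STATUSES = [
 "revoked"
 ];
 function inferSessionPrincipalType(principalId) {
-if (principalId
+if (/^user_[A-Za-z0-9]+$/.test(principalId)) {
 return "human";
 }
 if (principalId.startsWith("agent:")) {
@@ -2281,7 +2281,7 @@ var auditLog = defineTable({
 shape: z.object({
 "tenantId": idOf("tenants").optional(),
 "apiKeyId": idOf("apiKeys").optional(),
-"action": z.enum(["key_created", "key_revoked", "key_expired", "key_used", "tenant_secret_created", "tenant_secret_rotated", "tenant_secret_revoked", "tenant_slot_binding_upserted", "tenant_slot_binding_revoked", "proxy_token_minted", "proxy_token_lease_issued", "proxy_token_lease_renewed", "proxy_token_lease_revoked", "proxy_request_recorded", "tenant_created", "tenant_updated", "tenant_suspended", "tenant_archived", "tenant_reactivated", "principal_created", "principal_updated", "principal_suspended", "principal_identity_alias_upserted", "principal_identity_alias_revoked", "membership_created", "membership_updated", "membership_revoked", "group_created", "group_updated", "group_deleted", "group_member_added", "group_member_removed", "workspace_created", "workspace_updated", "workspace_archived", "workspace_deployment_set", "workspace_deployment_removed", "deployment_host_registered", "deployment_host_revoked", "service_key_created", "service_key_rotated", "service_key_revoked", "service_key_used", "service_key_auth_failed", "session_created", "session_validated", "session_revoked", "session_cascade_revoked", "session_expired", "sandbox_created", "sandbox_secret_injected", "sandbox_execution_started", "sandbox_execution_completed", "sandbox_limit_violated", "policy_created", "policy_updated", "policy_enforced", "policy_archived", "permit_sync_enqueued", "permit_sync_succeeded", "permit_sync_failed", "permit_sync_skipped", "agent_registered", "agent_updated", "tool_registered", "tool_updated", "pack_entitled", "pack_installed", "pack_enabled", "pack_disabled", "pack_entitlement_revoked", "pack_upgraded", "pack_upgrade_committed", "pack_upgrade_rolled_back", "pack_group_assigned", "pack_group_unassigned", "methodology_pack_created", "methodology_pack_updated", "methodology_pack_assigned", "methodology_pack_removed", "pack_assigned_to_group", "pack_revoked_from_group", "pack_ontology_materialized", "pack_ontology_topic_bound", "cutover_flag_set", "cutover_flag_cleared"]),
+"action": z.enum(["key_created", "key_revoked", "key_expired", "key_used", "tenant_secret_created", "tenant_secret_rotated", "tenant_secret_revoked", "tenant_slot_binding_upserted", "tenant_slot_binding_revoked", "proxy_token_minted", "proxy_token_lease_issued", "proxy_token_lease_renewed", "proxy_token_lease_revoked", "proxy_request_recorded", "tenant_created", "tenant_updated", "tenant_suspended", "tenant_archived", "tenant_reactivated", "tenant_clerk_organization_linked", "principal_created", "principal_updated", "principal_suspended", "principal_identity_alias_upserted", "principal_identity_alias_revoked", "membership_created", "membership_updated", "membership_revoked", "group_created", "group_updated", "group_deleted", "group_member_added", "group_member_removed", "workspace_created", "workspace_updated", "workspace_archived", "workspace_deployment_set", "workspace_deployment_removed", "deployment_host_registered", "deployment_host_revoked", "service_key_created", "service_key_rotated", "service_key_revoked", "service_key_used", "service_key_auth_failed", "session_created", "session_validated", "session_revoked", "session_cascade_revoked", "session_expired", "sandbox_created", "sandbox_secret_injected", "sandbox_execution_started", "sandbox_execution_completed", "sandbox_limit_violated", "policy_created", "policy_updated", "policy_enforced", "policy_archived", "permit_sync_enqueued", "permit_sync_succeeded", "permit_sync_failed", "permit_sync_skipped", "agent_registered", "agent_updated", "tool_registered", "tool_updated", "pack_entitled", "pack_installed", "pack_enabled", "pack_disabled", "pack_entitlement_revoked", "pack_upgraded", "pack_upgrade_committed", "pack_upgrade_rolled_back", "pack_group_assigned", "pack_group_unassigned", "methodology_pack_created", "methodology_pack_updated", "methodology_pack_assigned", "methodology_pack_removed", "pack_assigned_to_group", "pack_revoked_from_group", "pack_ontology_materialized", "pack_ontology_topic_bound", "cutover_flag_set", "cutover_flag_cleared"]),
 "actorClerkId": z.string(),
 "details": z.any().optional(),
 "createdAt": z.number()
@@ -8172,6 +8172,21 @@ var INFISICAL_RUNTIME_PATHS = [
 }
 ]
 },
+{
+id: "platform-operator-credentials",
+secretPath: "/platform/runtime",
+description: "Lucern-owned operator credential material for local CLI, MCP, and SDK sessions.",
+variables: [
+{
+name: "LUCERN_API_KEY",
+required: false,
+secret: true,
+public: false,
+aliases: ["LUCERN_KEY"],
+description: "Lucern-owned operator API key for gateway calls from trusted local tooling."
+}
+]
+},
 {
 id: "tenant-shared-install",
 secretPath: TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH,
@@ -8207,7 +8222,7 @@ var INFISICAL_RUNTIME_SURFACES = [
 id: "lucern-sdk",
 packageName: "@lucern/sdk",
 delivery: "runtime_fetch",
-sourcePathIds: ["platform-runtime"],
+sourcePathIds: ["platform-runtime", "platform-operator-credentials"],
 consumer: "server-side SDK operator contexts with a scoped Infisical identity",
 description: "SDK exposes the runtime Infisical resolver used by clients that have machine identity credentials."
 },
@@ -8216,7 +8231,7 @@ var INFISICAL_RUNTIME_SURFACES = [
 packageName: "@lucern/cli",
 delivery: "runtime_fetch",
 fallback: "device_auth",
-sourcePathIds: ["platform-runtime"],
+sourcePathIds: ["platform-runtime", "platform-operator-credentials"],
 consumer: "developer/operator CLI processes",
 description: "CLI hydrates runtime defaults from Infisical when configured, then authenticates users through Lucern device login."
 },
@@ -8225,7 +8240,7 @@ var INFISICAL_RUNTIME_SURFACES = [
 packageName: "@lucern/mcp",
 delivery: "runtime_fetch",
 fallback: "device_auth",
-sourcePathIds: ["platform-runtime"],
+sourcePathIds: ["platform-runtime", "platform-operator-credentials"],
 consumer: "MCP server/client processes",
 description: "MCP hydrates runtime defaults through the SDK resolver and remains a Lucern client, not a platform secret owner."
 },
@@ -9806,6 +9821,37 @@ var PLATFORM_LOCAL_OPERATOR_CONFIG_SECRET_DEFINITIONS = [
 ],
 description: "Local/hosted MCP auth token material. Tenant apps must use MC/API-key sessions instead."
 },
+{
+id: "platform.operator.api-key",
+canonicalName: "LUCERN_API_KEY",
+aliases: ["LUCERN_KEY"],
+owner: "lucern_platform",
+scope: "environment",
+sourcePath: "/platform/runtime",
+environmentPolicy: "environment_specific",
+required: false,
+secret: true,
+public: false,
+consumers: ["lucern-cli", "lucern-mcp", "lucern-repo-ci"],
+destinations: [
+{
+kind: "runtime_fetch",
+target: "lucern-cli-mcp-sdk",
+environmentPolicy: "environment_specific"
+},
+{
+kind: "operator_local",
+target: "lucern-repo",
+environmentPolicy: "environment_specific"
+},
+{
+kind: "github_actions",
+target: "LucernAI/lucern",
+environmentPolicy: "environment_specific"
+}
+],
+description: "Lucern-owned operator API key for trusted CLI/MCP/CI calls. Source it from /platform/runtime; do not persist it into local user credential files."
+},
 {
 id: "platform.graph-sync.proxy",
 canonicalName: "LUCERN_GRAPH_SYNC_QUERY_BASE_URL",
@@ -11273,6 +11319,7 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
 "LUCERN_KERNEL_NPM_TOKEN",
 "LUCERN_KERNEL_SCOPE_REGISTRY",
 "LUCERN_KERNEL_SKIP_CONVEX",
+"LUCERN_KEY",
 "LUCERN_LOGIN_BASE_URL",
 "LUCERN_MCP_ALLOW_API_KEY_PASSTHROUGH",
 "LUCERN_MCP_DEBUG",
@@ -11529,6 +11576,7 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
 "LUCERN_KERNEL_NPM_TOKEN",
 "LUCERN_KERNEL_SCOPE_REGISTRY",
 "LUCERN_KERNEL_SKIP_CONVEX",
+"LUCERN_KEY",
 "LUCERN_LOGIN_BASE_URL",
 "LUCERN_MCP_ALLOW_API_KEY_PASSTHROUGH",
 "LUCERN_MCP_DEBUG",
@@ -13622,13 +13670,15 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
 "description": "stack/frontend: Tenant-owned Linear API key for support/slash-command flows. stack/stackos: Tenant-owned Linear API key for support/slash-command flows."
 },
 "LUCERN_API_KEY": {
-"secretId": "
+"secretId": "platform.operator.api-key",
 "canonicalName": "LUCERN_API_KEY",
 "envNames": [
 "LUCERN_API_KEY",
+"LUCERN_KEY",
 "STACK_API_KEY"
 ],
 "aliases": [
+"LUCERN_KEY",
 "STACK_API_KEY"
 ],
 "writeNames": [
@@ -13637,13 +13687,38 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
 "required": false,
 "secret": true,
 "public": false,
-"sourcePath": "/
+"sourcePath": "/platform/runtime",
 "environmentPolicy": "environment_specific",
 "consumers": [
+"lucern-cli",
+"lucern-mcp",
+"lucern-repo-ci",
+"lucern-sdk",
 "tenant-agent-runtime",
 "tenant-vercel-app"
 ],
 "destinations": [
+{
+"kind": "runtime_fetch",
+"target": "lucern-cli-mcp-sdk",
+"writeNames": [
+"LUCERN_API_KEY"
+]
+},
+{
+"kind": "operator_local",
+"target": "lucern-repo",
+"writeNames": [
+"LUCERN_API_KEY"
+]
+},
+{
+"kind": "github_actions",
+"target": "LucernAI/lucern",
+"writeNames": [
+"LUCERN_API_KEY"
+]
+},
 {
 "kind": "vercel",
 "target": "ai-chatbot-diao",
@@ -13687,7 +13762,7 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
 ]
 }
 ],
-"description": "stack/frontend: Tenant-scoped Lucern/MC gateway API key for product front-door calls. stack/stackos: Tenant-scoped Lucern/MC gateway API key for product front-door calls."
+"description": "Lucern-owned operator API key for trusted CLI/MCP/CI calls. Source it from /platform/runtime; do not persist it into local user credential files. stack/frontend: Tenant-scoped Lucern/MC gateway API key for product front-door calls. stack/stackos: Tenant-scoped Lucern/MC gateway API key for product front-door calls. Lucern-owned operator API key for gateway calls from trusted local tooling. Lucern-owned operator API key for gateway calls from trusted local tooling. Lucern-owned operator API key for gateway calls from trusted local tooling."
 },
 "LUCERN_API_URL": {
 "secretId": "platform.runtime.api-base-url",
@@ -17166,6 +17241,7 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
 "LANGFUSE_SECRET_KEY": "LANGFUSE_SECRET_KEY",
 "LINEAR_API_KEY": "LINEAR_API_KEY",
 "LUCERN_API_KEY": "LUCERN_API_KEY",
+"LUCERN_KEY": "LUCERN_API_KEY",
 "STACK_API_KEY": "LUCERN_API_KEY",
 "LUCERN_API_BASE_URL": "LUCERN_BASE_URL",
 "LUCERN_API_URL": "LUCERN_API_URL",
@@ -18901,9 +18977,33 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
 "consumer": "server-side SDK operator contexts with a scoped Infisical identity",
 "description": "SDK exposes the runtime Infisical resolver used by clients that have machine identity credentials.",
 "sourcePathIds": [
-"platform-runtime"
+"platform-runtime",
+"platform-operator-credentials"
 ],
 "variables": [
+{
+"canonicalName": "LUCERN_API_KEY",
+"envNames": [
+"LUCERN_API_KEY",
+"LUCERN_KEY"
+],
+"aliases": [
+"LUCERN_KEY"
+],
+"writeNames": [
+"LUCERN_API_KEY"
+],
+"required": false,
+"secret": true,
+"public": false,
+"sourcePath": "/platform/runtime",
+"environmentPolicy": "environment_specific",
+"consumers": [
+"lucern-sdk"
+],
+"destinations": [],
+"description": "Lucern-owned operator API key for gateway calls from trusted local tooling."
+},
 {
 "canonicalName": "LUCERN_API_URL",
 "envNames": [
@@ -19004,9 +19104,57 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
 "consumer": "developer/operator CLI processes",
 "description": "CLI hydrates runtime defaults from Infisical when configured, then authenticates users through Lucern device login.",
 "sourcePathIds": [
-"platform-runtime"
+"platform-runtime",
+"platform-operator-credentials"
 ],
 "variables": [
+{
+"canonicalName": "LUCERN_API_KEY",
+"envNames": [
+"LUCERN_API_KEY",
+"LUCERN_KEY"
+],
+"aliases": [
+"LUCERN_KEY"
+],
+"writeNames": [
+"LUCERN_API_KEY"
+],
+"required": false,
+"secret": true,
+"public": false,
+"sourcePath": "/platform/runtime",
+"environmentPolicy": "environment_specific",
+"consumers": [
+"lucern-cli",
+"lucern-mcp",
+"lucern-repo-ci"
+],
+"destinations": [
+{
+"kind": "runtime_fetch",
+"target": "lucern-cli-mcp-sdk",
+"writeNames": [
+"LUCERN_API_KEY"
+]
+},
+{
+"kind": "operator_local",
+"target": "lucern-repo",
+"writeNames": [
+"LUCERN_API_KEY"
+]
+},
+{
+"kind": "github_actions",
+"target": "LucernAI/lucern",
+"writeNames": [
+"LUCERN_API_KEY"
+]
+}
+],
+"description": "Lucern-owned operator API key for gateway calls from trusted local tooling. Lucern-owned operator API key for trusted CLI/MCP/CI calls. Source it from /platform/runtime; do not persist it into local user credential files."
+},
 {
 "canonicalName": "LUCERN_API_URL",
 "envNames": [
@@ -19345,7 +19493,8 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
 "consumer": "MCP server/client processes",
 "description": "MCP hydrates runtime defaults through the SDK resolver and remains a Lucern client, not a platform secret owner.",
 "sourcePathIds": [
-"platform-runtime"
+"platform-runtime",
+"platform-operator-credentials"
 ],
 "variables": [
 {
@@ -19433,6 +19582,53 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
 ],
 "description": "Lucern-owned Clerk backend secret. Never route to tenant-owned apps unless that tenant is Lucern itself."
 },
+{
+"canonicalName": "LUCERN_API_KEY",
+"envNames": [
+"LUCERN_API_KEY",
+"LUCERN_KEY"
+],
+"aliases": [
+"LUCERN_KEY"
+],
+"writeNames": [
+"LUCERN_API_KEY"
+],
+"required": false,
+"secret": true,
+"public": false,
+"sourcePath": "/platform/runtime",
+"environmentPolicy": "environment_specific",
+"consumers": [
+"lucern-cli",
+"lucern-mcp",
+"lucern-repo-ci"
+],
+"destinations": [
+{
+"kind": "runtime_fetch",
+"target": "lucern-cli-mcp-sdk",
+"writeNames": [
+"LUCERN_API_KEY"
+]
+},
+{
+"kind": "operator_local",
+"target": "lucern-repo",
+"writeNames": [
+"LUCERN_API_KEY"
+]
+},
+{
+"kind": "github_actions",
+"target": "LucernAI/lucern",
+"writeNames": [
+"LUCERN_API_KEY"
+]
+}
+],
+"description": "Lucern-owned operator API key for gateway calls from trusted local tooling. Lucern-owned operator API key for trusted CLI/MCP/CI calls. Source it from /platform/runtime; do not persist it into local user credential files."
+},
 {
 "canonicalName": "LUCERN_API_URL",
 "envNames": [
@@ -25154,6 +25350,54 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
 ],
 "description": "Lucern-owned Langfuse secret key for prompt sync, prompt reads, and AI tracing."
 },
+{
+"secretId": "platform.operator.api-key",
+"canonicalName": "LUCERN_API_KEY",
+"envNames": [
+"LUCERN_API_KEY",
+"LUCERN_KEY"
+],
+"aliases": [
+"LUCERN_KEY"
+],
+"writeNames": [
+"LUCERN_API_KEY"
+],
+"required": false,
+"secret": true,
+"public": false,
+"sourcePath": "/platform/runtime",
+"environmentPolicy": "environment_specific",
+"consumers": [
+"lucern-cli",
+"lucern-mcp",
+"lucern-repo-ci"
+],
+"destinations": [
+{
+"kind": "runtime_fetch",
+"target": "lucern-cli-mcp-sdk",
+"writeNames": [
+"LUCERN_API_KEY"
+]
+},
+{
+"kind": "operator_local",
+"target": "lucern-repo",
+"writeNames": [
+"LUCERN_API_KEY"
+]
+},
+{
+"kind": "github_actions",
+"target": "LucernAI/lucern",
+"writeNames": [
+"LUCERN_API_KEY"
+]
+}
+],
+"description": "Lucern-owned operator API key for trusted CLI/MCP/CI calls. Source it from /platform/runtime; do not persist it into local user credential files."
+},
 {
 "secretId": "platform.gateway.mode",
 "canonicalName": "LUCERN_GATEWAY_MODE",
@@ -29795,6 +30039,54 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
 ],
 "description": "Operator-only Infisical CLI/API location knobs. Machine credentials are handled by the bootstrap contract."
 },
+{
+"secretId": "platform.operator.api-key",
+"canonicalName": "LUCERN_API_KEY",
+"envNames": [
+"LUCERN_API_KEY",
+"LUCERN_KEY"
+],
+"aliases": [
+"LUCERN_KEY"
+],
+"writeNames": [
+"LUCERN_API_KEY"
+],
+"required": false,
+"secret": true,
+"public": false,
+"sourcePath": "/platform/runtime",
+"environmentPolicy": "environment_specific",
+"consumers": [
+"lucern-cli",
+"lucern-mcp",
+"lucern-repo-ci"
+],
+"destinations": [
+{
+"kind": "runtime_fetch",
+"target": "lucern-cli-mcp-sdk",
+"writeNames": [
+"LUCERN_API_KEY"
+]
+},
+{
+"kind": "operator_local",
+"target": "lucern-repo",
+"writeNames": [
+"LUCERN_API_KEY"
+]
+},
+{
+"kind": "github_actions",
+"target": "LucernAI/lucern",
+"writeNames": [
+"LUCERN_API_KEY"
+]
+}
+],
+"description": "Lucern-owned operator API key for trusted CLI/MCP/CI calls. Source it from /platform/runtime; do not persist it into local user credential files."
+},
 {
 "secretId": "platform.convex-deploy.local-names",
 "canonicalName": "LUCERN_CONVEX_DEPLOYMENT_NAME",
@@ -31065,6 +31357,54 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
 }
 ],
 "runtime_fetch:lucern-cli-mcp-sdk": [
+{
+"secretId": "platform.operator.api-key",
+"canonicalName": "LUCERN_API_KEY",
+"envNames": [
+"LUCERN_API_KEY",
+"LUCERN_KEY"
+],
+"aliases": [
+"LUCERN_KEY"
+],
+"writeNames": [
+"LUCERN_API_KEY"
+],
+"required": false,
+"secret": true,
+"public": false,
+"sourcePath": "/platform/runtime",
+"environmentPolicy": "environment_specific",
+"consumers": [
+"lucern-cli",
+"lucern-mcp",
+"lucern-repo-ci"
+],
+"destinations": [
+{
+"kind": "runtime_fetch",
+"target": "lucern-cli-mcp-sdk",
+"writeNames": [
+"LUCERN_API_KEY"
+]
+},
+{
+"kind": "operator_local",
+"target": "lucern-repo",
+"writeNames": [
+"LUCERN_API_KEY"
+]
+},
+{
+"kind": "github_actions",
+"target": "LucernAI/lucern",
+"writeNames": [
+"LUCERN_API_KEY"
+]
+}
+],
+"description": "Lucern-owned operator API key for trusted CLI/MCP/CI calls. Source it from /platform/runtime; do not persist it into local user credential files."
+},
 {
 "secretId": "platform.runtime.api-base-url",
 "canonicalName": "LUCERN_API_URL",
@@ -40998,7 +41338,7 @@ var IDENTITY_WHOAMI = {
 response: {
 description: "Canonical identity summary for the current session",
 fields: {
-principalId: "string \u2014 canonical
+principalId: "string \u2014 canonical principal identifier; for humans this is the Clerk user_... ID",
 principalType: "string \u2014 human, service, agent, group, or external_viewer",
 tenantId: "string | undefined \u2014 resolved tenant scope",
 workspaceId: "string | undefined \u2014 resolved workspace scope",
@@ -41012,7 +41352,7 @@ var IDENTITY_WHOAMI = {
 };
 var RESOLVE_INTERACTIVE_PRINCIPAL = {
 name: "resolve_interactive_principal",
-description: "Read the Permit-backed Lucern principal context for an authenticated Clerk user. Like `git config --get user.email` plus the repository ACL \u2014 resolves the
+description: "Read the Permit-backed Lucern principal context for an authenticated Clerk user. Like `git config --get user.email` plus the repository ACL \u2014 resolves the Clerk subject into tenant/workspace authorization context.",
 parameters: {
 clerkId: {
 type: "string",
@@ -41035,7 +41375,7 @@ var RESOLVE_INTERACTIVE_PRINCIPAL = {
 response: {
 description: "Permit-backed Lucern principal context for tenant SDK bootstrap",
 fields: {
-principalId: "string \u2014 canonical
+principalId: "string \u2014 canonical Clerk user_... ID for human sessions",
 principalType: "string \u2014 human, service, agent, group, or external_viewer",
 clerkId: "string \u2014 authenticated Clerk subject alias",
 tenantId: "string \u2014 resolved tenant scope",
@@ -41863,7 +42203,7 @@ var MANAGE_WRITE_POLICY = {
 },
 role: {
 type: "string",
-description: "Role to set policy for (required for 'set'). E.g. 'agent:internal'
+description: "Role to set policy for (required for 'set'). E.g. 'agent:internal' or a Permit role key such as 'workspace_admin'."
 },
 permission: {
 type: "string",
@@ -43460,6 +43800,10 @@ function highestPlatformRole(roles) {
 function isClerkAliasFor(alias, clerkId) {
 return isActivePermitProjectionStatus(alias.status) && readPermitProjectionString(alias.provider)?.toLowerCase() === "clerk" && (readPermitProjectionString(alias.providerSubjectId) === clerkId || readPermitProjectionString(alias.alias) === clerkId);
 }
+function isHumanPermitPrincipal(principal) {
+const principalType = readPermitProjectionString(principal.principalType)?.toLowerCase();
+return !principalType || principalType === "human" || principalType === "user";
+}
 function emailFromAlias(aliases, principal) {
 return aliases.find(
 (alias) => readPermitProjectionString(alias.aliasKind)?.toLowerCase() === "email"
@@ -43518,6 +43862,9 @@ function buildProjectedUserFromPermitPrincipal(rows, principal, matchingAlias, n
 (entry) => readPermitProjectionString(entry.provider)?.toLowerCase() === "clerk"
 )?.providerSubjectId
 ) ?? principalId;
+if (isHumanPermitPrincipal(principal) && principalId !== clerkId) {
+return null;
+}
 return {
 clerkId,
 email: emailFromAlias(aliases, principal) ?? `${principalId}@permit.local`,
@@ -43551,7 +43898,7 @@ function findProjectedUserByPermitClerkId(rows, clerkId, now = Date.now()) {
 const principal = matchingAlias ? rows.principals.find(
 (row) => readPermitProjectionString(row.tenantId) === readPermitProjectionString(matchingAlias.tenantId) && readPermitProjectionString(row.principalId) === readPermitProjectionString(matchingAlias.principalId)
 ) : rows.principals.find(
-(row) => readPermitProjectionString(row.principalId) === normalizedClerkId
+(row) => readPermitProjectionString(row.principalId) === normalizedClerkId
 );
 return principal ? buildProjectedUserFromPermitPrincipal(rows, principal, matchingAlias, now) : null;
 }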
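Review bot: The `"LUCERN_API_KEY"` record in `GENERATED_INFISICAL_RUNTIME_ENV` (new lines 13672–13766) now describes two different credentials under one canonical name. It takes `"secretId": "platform.operator.api-key"` and `"sourcePath": "/platform/runtime"` from the new operator definition, yet still lists `tenant-agent-runtime` and `tenant-vercel-app` as consumers, keeps the `vercel` destination and the `STACK_API_KEY` alias, and its description joins the operator and tenant-scoped texts with one sentence repeated three times. Tooling that resolves a source path from this record by canonical name would presumably read the Lucern-owned operator key for tenant destinations, and nothing visible here rules that out. The definitions feeding the generator are not on this page, so the change belongs there: give the operator key its own canonical name, or make the generator fail when definitions with different `sourcePath` or owner share a `canonicalName`. The replaced `secretId` and `sourcePath` values are cut off in this rendering, so the previous routing cannot be confirmed from the diff.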