@lucern/contracts 0.3.0-alpha.16 → 0.3.0-alpha.17

Files changed (79)
  1. package/CHANGELOG.md +3 -0
  2. package/dist/auth-context.contract.js +1 -1
  3. package/dist/auth-context.contract.js.map +1 -1
  4. package/dist/auth-session.contract.js +1 -1
  5. package/dist/auth-session.contract.js.map +1 -1
  6. package/dist/auth.contract.js +1 -1
  7. package/dist/auth.contract.js.map +1 -1
  8. package/dist/function-registry/beliefs.js +4 -4
  9. package/dist/function-registry/beliefs.js.map +1 -1
  10. package/dist/function-registry/coding.js +4 -4
  11. package/dist/function-registry/coding.js.map +1 -1
  12. package/dist/function-registry/context.js +4 -4
  13. package/dist/function-registry/context.js.map +1 -1
  14. package/dist/function-registry/contracts.js +4 -4
  15. package/dist/function-registry/contracts.js.map +1 -1
  16. package/dist/function-registry/coordination.js +4 -4
  17. package/dist/function-registry/coordination.js.map +1 -1
  18. package/dist/function-registry/edges.js +4 -4
  19. package/dist/function-registry/edges.js.map +1 -1
  20. package/dist/function-registry/evidence.js +4 -4
  21. package/dist/function-registry/evidence.js.map +1 -1
  22. package/dist/function-registry/graph.js +4 -4
  23. package/dist/function-registry/graph.js.map +1 -1
  24. package/dist/function-registry/helpers.js +4 -4
  25. package/dist/function-registry/helpers.js.map +1 -1
  26. package/dist/function-registry/identity.js +4 -4
  27. package/dist/function-registry/identity.js.map +1 -1
  28. package/dist/function-registry/index.js +4 -4
  29. package/dist/function-registry/index.js.map +1 -1
  30. package/dist/function-registry/judgments.js +4 -4
  31. package/dist/function-registry/judgments.js.map +1 -1
  32. package/dist/function-registry/legacy.js +4 -4
  33. package/dist/function-registry/legacy.js.map +1 -1
  34. package/dist/function-registry/lenses.js +4 -4
  35. package/dist/function-registry/lenses.js.map +1 -1
  36. package/dist/function-registry/nodes.js +4 -4
  37. package/dist/function-registry/nodes.js.map +1 -1
  38. package/dist/function-registry/ontologies.js +4 -4
  39. package/dist/function-registry/ontologies.js.map +1 -1
  40. package/dist/function-registry/pipeline.js +4 -4
  41. package/dist/function-registry/pipeline.js.map +1 -1
  42. package/dist/function-registry/questions.js +4 -4
  43. package/dist/function-registry/questions.js.map +1 -1
  44. package/dist/function-registry/tasks.js +4 -4
  45. package/dist/function-registry/tasks.js.map +1 -1
  46. package/dist/function-registry/topics.js +4 -4
  47. package/dist/function-registry/topics.js.map +1 -1
  48. package/dist/function-registry/worktrees.js +20 -4
  49. package/dist/function-registry/worktrees.js.map +1 -1
  50. package/dist/gateway.contract.d.ts +1 -0
  51. package/dist/gateway.contract.js.map +1 -1
  52. package/dist/generated/convexSchemas.js +1 -1
  53. package/dist/generated/convexSchemas.js.map +1 -1
  54. package/dist/generated/infisicalRuntimeEnv.js +300 -6
  55. package/dist/generated/infisicalRuntimeEnv.js.map +1 -1
  56. package/dist/index.js +363 -16
  57. package/dist/index.js.map +1 -1
  58. package/dist/infisical-runtime.contract.d.ts +41 -3
  59. package/dist/infisical-runtime.contract.js +49 -3
  60. package/dist/infisical-runtime.contract.js.map +1 -1
  61. package/dist/manifests/infisical-runtime-manifest.d.ts +41 -3
  62. package/dist/manifests/infisical-runtime-manifest.js +49 -3
  63. package/dist/manifests/infisical-runtime-manifest.js.map +1 -1
  64. package/dist/permit-principal-projection.contract.js +8 -1
  65. package/dist/permit-principal-projection.contract.js.map +1 -1
  66. package/dist/proof-attestation.json +1 -1
  67. package/dist/schemas/index.js +1 -1
  68. package/dist/schemas/index.js.map +1 -1
  69. package/dist/schemas/manifest.d.ts +5 -5
  70. package/dist/schemas/manifest.js +1 -1
  71. package/dist/schemas/manifest.js.map +1 -1
  72. package/dist/schemas/tables/mc/tenant.d.ts +1 -1
  73. package/dist/schemas/tables/mc/tenant.js +1 -1
  74. package/dist/schemas/tables/mc/tenant.js.map +1 -1
  75. package/dist/sdk-tools.contract.js +4 -4
  76. package/dist/sdk-tools.contract.js.map +1 -1
  77. package/dist/tool-contracts.js +4 -4
  78. package/dist/tool-contracts.js.map +1 -1
  79. package/package.json +1 -1
@@ -216,6 +216,18 @@ declare const INFISICAL_RUNTIME_PATHS: readonly [{
216
216
  readonly public: false;
217
217
  readonly description: "Optional web-issued CLI login session lifetime override in milliseconds.";
218
218
  }];
219
+ }, {
220
+ readonly id: "platform-operator-credentials";
221
+ readonly secretPath: "/platform/runtime";
222
+ readonly description: "Lucern-owned operator credential material for local CLI, MCP, and SDK sessions.";
223
+ readonly variables: readonly [{
224
+ readonly name: "LUCERN_API_KEY";
225
+ readonly required: false;
226
+ readonly secret: true;
227
+ readonly public: false;
228
+ readonly aliases: readonly ["LUCERN_KEY"];
229
+ readonly description: "Lucern-owned operator API key for gateway calls from trusted local tooling.";
230
+ }];
219
231
  }, {
220
232
  readonly id: "tenant-shared-install";
221
233
  readonly secretPath: "tenants/shared";
@@ -256,7 +268,7 @@ declare const INFISICAL_RUNTIME_SURFACES: readonly [{
256
268
  readonly id: "lucern-sdk";
257
269
  readonly packageName: "@lucern/sdk";
258
270
  readonly delivery: "runtime_fetch";
259
- readonly sourcePathIds: readonly ["platform-runtime"];
271
+ readonly sourcePathIds: readonly ["platform-runtime", "platform-operator-credentials"];
260
272
  readonly consumer: "server-side SDK operator contexts with a scoped Infisical identity";
261
273
  readonly description: "SDK exposes the runtime Infisical resolver used by clients that have machine identity credentials.";
262
274
  }, {
@@ -264,7 +276,7 @@ declare const INFISICAL_RUNTIME_SURFACES: readonly [{
264
276
  readonly packageName: "@lucern/cli";
265
277
  readonly delivery: "runtime_fetch";
266
278
  readonly fallback: "device_auth";
267
- readonly sourcePathIds: readonly ["platform-runtime"];
279
+ readonly sourcePathIds: readonly ["platform-runtime", "platform-operator-credentials"];
268
280
  readonly consumer: "developer/operator CLI processes";
269
281
  readonly description: "CLI hydrates runtime defaults from Infisical when configured, then authenticates users through Lucern device login.";
270
282
  }, {
@@ -272,7 +284,7 @@ declare const INFISICAL_RUNTIME_SURFACES: readonly [{
272
284
  readonly packageName: "@lucern/mcp";
273
285
  readonly delivery: "runtime_fetch";
274
286
  readonly fallback: "device_auth";
275
- readonly sourcePathIds: readonly ["platform-runtime"];
287
+ readonly sourcePathIds: readonly ["platform-runtime", "platform-operator-credentials"];
276
288
  readonly consumer: "MCP server/client processes";
277
289
  readonly description: "MCP hydrates runtime defaults through the SDK resolver and remains a Lucern client, not a platform secret owner.";
278
290
  }, {
@@ -1565,6 +1577,32 @@ declare const INFISICAL_SECRET_DEFINITIONS: readonly [{
1565
1577
  readonly environmentPolicy: "environment_specific";
1566
1578
  }];
1567
1579
  readonly description: "Local/hosted MCP auth token material. Tenant apps must use MC/API-key sessions instead.";
1580
+ }, {
1581
+ readonly id: "platform.operator.api-key";
1582
+ readonly canonicalName: "LUCERN_API_KEY";
1583
+ readonly aliases: readonly ["LUCERN_KEY"];
1584
+ readonly owner: "lucern_platform";
1585
+ readonly scope: "environment";
1586
+ readonly sourcePath: "/platform/runtime";
1587
+ readonly environmentPolicy: "environment_specific";
1588
+ readonly required: false;
1589
+ readonly secret: true;
1590
+ readonly public: false;
1591
+ readonly consumers: readonly ["lucern-cli", "lucern-mcp", "lucern-repo-ci"];
1592
+ readonly destinations: readonly [{
1593
+ readonly kind: "runtime_fetch";
1594
+ readonly target: "lucern-cli-mcp-sdk";
1595
+ readonly environmentPolicy: "environment_specific";
1596
+ }, {
1597
+ readonly kind: "operator_local";
1598
+ readonly target: "lucern-repo";
1599
+ readonly environmentPolicy: "environment_specific";
1600
+ }, {
1601
+ readonly kind: "github_actions";
1602
+ readonly target: "LucernAI/lucern";
1603
+ readonly environmentPolicy: "environment_specific";
1604
+ }];
1605
+ readonly description: "Lucern-owned operator API key for trusted CLI/MCP/CI calls. Source it from /platform/runtime; do not persist it into local user credential files.";
1568
1606
  }, {
1569
1607
  readonly id: "platform.graph-sync.proxy";
1570
1608
  readonly canonicalName: "LUCERN_GRAPH_SYNC_QUERY_BASE_URL";
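Review bot: The new `platform.operator.api-key` definition in the INFISICAL_SECRET_DEFINITIONS hunk lists `consumers` as `["lucern-cli", "lucern-mcp", "lucern-repo-ci"]`, yet the same change adds `"platform-operator-credentials"` to the `sourcePathIds` of the `lucern-sdk` surface and names the runtime_fetch target `"lucern-cli-mcp-sdk"`. An audit that relies on `consumers` to decide who may hold LUCERN_API_KEY would miss the SDK surface. Either drop the new path id from the `lucern-sdk` surface or declare it, `readonly consumers: readonly ["lucern-cli", "lucern-mcp", "lucern-sdk", "lucern-repo-ci"];`, assuming consumer ids follow the surface ids. The compiled JavaScript section carries the same mismatch, and since these are build outputs the change presumably belongs in the manifest source.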
@@ -371,6 +371,21 @@ var INFISICAL_RUNTIME_PATHS = [
371
371
  }
372
372
  ]
373
373
  },
374
+ {
375
+ id: "platform-operator-credentials",
376
+ secretPath: "/platform/runtime",
377
+ description: "Lucern-owned operator credential material for local CLI, MCP, and SDK sessions.",
378
+ variables: [
379
+ {
380
+ name: "LUCERN_API_KEY",
381
+ required: false,
382
+ secret: true,
383
+ public: false,
384
+ aliases: ["LUCERN_KEY"],
385
+ description: "Lucern-owned operator API key for gateway calls from trusted local tooling."
386
+ }
387
+ ]
388
+ },
374
389
  {
375
390
  id: "tenant-shared-install",
376
391
  secretPath: TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH,
@@ -406,7 +421,7 @@ var INFISICAL_RUNTIME_SURFACES = [
406
421
  id: "lucern-sdk",
407
422
  packageName: "@lucern/sdk",
408
423
  delivery: "runtime_fetch",
409
- sourcePathIds: ["platform-runtime"],
424
+ sourcePathIds: ["platform-runtime", "platform-operator-credentials"],
410
425
  consumer: "server-side SDK operator contexts with a scoped Infisical identity",
411
426
  description: "SDK exposes the runtime Infisical resolver used by clients that have machine identity credentials."
412
427
  },
@@ -415,7 +430,7 @@ var INFISICAL_RUNTIME_SURFACES = [
415
430
  packageName: "@lucern/cli",
416
431
  delivery: "runtime_fetch",
417
432
  fallback: "device_auth",
418
- sourcePathIds: ["platform-runtime"],
433
+ sourcePathIds: ["platform-runtime", "platform-operator-credentials"],
419
434
  consumer: "developer/operator CLI processes",
420
435
  description: "CLI hydrates runtime defaults from Infisical when configured, then authenticates users through Lucern device login."
421
436
  },
@@ -424,7 +439,7 @@ var INFISICAL_RUNTIME_SURFACES = [
424
439
  packageName: "@lucern/mcp",
425
440
  delivery: "runtime_fetch",
426
441
  fallback: "device_auth",
427
- sourcePathIds: ["platform-runtime"],
442
+ sourcePathIds: ["platform-runtime", "platform-operator-credentials"],
428
443
  consumer: "MCP server/client processes",
429
444
  description: "MCP hydrates runtime defaults through the SDK resolver and remains a Lucern client, not a platform secret owner."
430
445
  },
@@ -2005,6 +2020,37 @@ var PLATFORM_LOCAL_OPERATOR_CONFIG_SECRET_DEFINITIONS = [
2005
2020
  ],
2006
2021
  description: "Local/hosted MCP auth token material. Tenant apps must use MC/API-key sessions instead."
2007
2022
  },
2023
+ {
2024
+ id: "platform.operator.api-key",
2025
+ canonicalName: "LUCERN_API_KEY",
2026
+ aliases: ["LUCERN_KEY"],
2027
+ owner: "lucern_platform",
2028
+ scope: "environment",
2029
+ sourcePath: "/platform/runtime",
2030
+ environmentPolicy: "environment_specific",
2031
+ required: false,
2032
+ secret: true,
2033
+ public: false,
2034
+ consumers: ["lucern-cli", "lucern-mcp", "lucern-repo-ci"],
2035
+ destinations: [
2036
+ {
2037
+ kind: "runtime_fetch",
2038
+ target: "lucern-cli-mcp-sdk",
2039
+ environmentPolicy: "environment_specific"
2040
+ },
2041
+ {
2042
+ kind: "operator_local",
2043
+ target: "lucern-repo",
2044
+ environmentPolicy: "environment_specific"
2045
+ },
2046
+ {
2047
+ kind: "github_actions",
2048
+ target: "LucernAI/lucern",
2049
+ environmentPolicy: "environment_specific"
2050
+ }
2051
+ ],
2052
+ description: "Lucern-owned operator API key for trusted CLI/MCP/CI calls. Source it from /platform/runtime; do not persist it into local user credential files."
2053
+ },
2008
2054
  {
2009
2055
  id: "platform.graph-sync.proxy",
2010
2056
  canonicalName: "LUCERN_GRAPH_SYNC_QUERY_BASE_URL",
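Review bot: The `platform-operator-credentials` entry added to INFISICAL_RUNTIME_PATHS uses `secretPath: "/platform/runtime"`, which by name looks like the folder the existing `platform-runtime` id already covers (that entry lies outside the hunks, so this needs confirming). If the paths are the same, the new id adds no access boundary: any machine identity that can read runtime defaults can also read LUCERN_API_KEY, including the `@lucern/mcp` surface whose own description says it is "not a platform secret owner". Consider a dedicated folder, `secretPath: "<operator-credentials path>"` (placeholder) with a matching `sourcePath` in the `platform.operator.api-key` definition, so read access to the key can be granted separately. The rule "do not persist it into local user credential files" exists only in the description string while an `operator_local` destination is declared; a comment or field stating how that destination delivers the key would make the rule checkable.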