@lucern/contracts 0.3.0-alpha.16 → 0.3.0-alpha.17

Files changed (79)
  1. package/CHANGELOG.md +3 -0
  2. package/dist/auth-context.contract.js +1 -1
  3. package/dist/auth-context.contract.js.map +1 -1
  4. package/dist/auth-session.contract.js +1 -1
  5. package/dist/auth-session.contract.js.map +1 -1
  6. package/dist/auth.contract.js +1 -1
  7. package/dist/auth.contract.js.map +1 -1
  8. package/dist/function-registry/beliefs.js +4 -4
  9. package/dist/function-registry/beliefs.js.map +1 -1
  10. package/dist/function-registry/coding.js +4 -4
  11. package/dist/function-registry/coding.js.map +1 -1
  12. package/dist/function-registry/context.js +4 -4
  13. package/dist/function-registry/context.js.map +1 -1
  14. package/dist/function-registry/contracts.js +4 -4
  15. package/dist/function-registry/contracts.js.map +1 -1
  16. package/dist/function-registry/coordination.js +4 -4
  17. package/dist/function-registry/coordination.js.map +1 -1
  18. package/dist/function-registry/edges.js +4 -4
  19. package/dist/function-registry/edges.js.map +1 -1
  20. package/dist/function-registry/evidence.js +4 -4
  21. package/dist/function-registry/evidence.js.map +1 -1
  22. package/dist/function-registry/graph.js +4 -4
  23. package/dist/function-registry/graph.js.map +1 -1
  24. package/dist/function-registry/helpers.js +4 -4
  25. package/dist/function-registry/helpers.js.map +1 -1
  26. package/dist/function-registry/identity.js +4 -4
  27. package/dist/function-registry/identity.js.map +1 -1
  28. package/dist/function-registry/index.js +4 -4
  29. package/dist/function-registry/index.js.map +1 -1
  30. package/dist/function-registry/judgments.js +4 -4
  31. package/dist/function-registry/judgments.js.map +1 -1
  32. package/dist/function-registry/legacy.js +4 -4
  33. package/dist/function-registry/legacy.js.map +1 -1
  34. package/dist/function-registry/lenses.js +4 -4
  35. package/dist/function-registry/lenses.js.map +1 -1
  36. package/dist/function-registry/nodes.js +4 -4
  37. package/dist/function-registry/nodes.js.map +1 -1
  38. package/dist/function-registry/ontologies.js +4 -4
  39. package/dist/function-registry/ontologies.js.map +1 -1
  40. package/dist/function-registry/pipeline.js +4 -4
  41. package/dist/function-registry/pipeline.js.map +1 -1
  42. package/dist/function-registry/questions.js +4 -4
  43. package/dist/function-registry/questions.js.map +1 -1
  44. package/dist/function-registry/tasks.js +4 -4
  45. package/dist/function-registry/tasks.js.map +1 -1
  46. package/dist/function-registry/topics.js +4 -4
  47. package/dist/function-registry/topics.js.map +1 -1
  48. package/dist/function-registry/worktrees.js +20 -4
  49. package/dist/function-registry/worktrees.js.map +1 -1
  50. package/dist/gateway.contract.d.ts +1 -0
  51. package/dist/gateway.contract.js.map +1 -1
  52. package/dist/generated/convexSchemas.js +1 -1
  53. package/dist/generated/convexSchemas.js.map +1 -1
  54. package/dist/generated/infisicalRuntimeEnv.js +300 -6
  55. package/dist/generated/infisicalRuntimeEnv.js.map +1 -1
  56. package/dist/index.js +363 -16
  57. package/dist/index.js.map +1 -1
  58. package/dist/infisical-runtime.contract.d.ts +41 -3
  59. package/dist/infisical-runtime.contract.js +49 -3
  60. package/dist/infisical-runtime.contract.js.map +1 -1
  61. package/dist/manifests/infisical-runtime-manifest.d.ts +41 -3
  62. package/dist/manifests/infisical-runtime-manifest.js +49 -3
  63. package/dist/manifests/infisical-runtime-manifest.js.map +1 -1
  64. package/dist/permit-principal-projection.contract.js +8 -1
  65. package/dist/permit-principal-projection.contract.js.map +1 -1
  66. package/dist/proof-attestation.json +1 -1
  67. package/dist/schemas/index.js +1 -1
  68. package/dist/schemas/index.js.map +1 -1
  69. package/dist/schemas/manifest.d.ts +5 -5
  70. package/dist/schemas/manifest.js +1 -1
  71. package/dist/schemas/manifest.js.map +1 -1
  72. package/dist/schemas/tables/mc/tenant.d.ts +1 -1
  73. package/dist/schemas/tables/mc/tenant.js +1 -1
  74. package/dist/schemas/tables/mc/tenant.js.map +1 -1
  75. package/dist/sdk-tools.contract.js +4 -4
  76. package/dist/sdk-tools.contract.js.map +1 -1
  77. package/dist/tool-contracts.js +4 -4
  78. package/dist/tool-contracts.js.map +1 -1
  79. package/package.json +1 -1
@@ -162,6 +162,18 @@ declare const INFISICAL_RUNTIME_MANIFEST: {
162
162
  readonly public: false;
163
163
  readonly description: "Optional web-issued CLI login session lifetime override in milliseconds.";
164
164
  }];
165
+ }, {
166
+ readonly id: "platform-operator-credentials";
167
+ readonly secretPath: "/platform/runtime";
168
+ readonly description: "Lucern-owned operator credential material for local CLI, MCP, and SDK sessions.";
169
+ readonly variables: readonly [{
170
+ readonly name: "LUCERN_API_KEY";
171
+ readonly required: false;
172
+ readonly secret: true;
173
+ readonly public: false;
174
+ readonly aliases: readonly ["LUCERN_KEY"];
175
+ readonly description: "Lucern-owned operator API key for gateway calls from trusted local tooling.";
176
+ }];
165
177
  }, {
166
178
  readonly id: "tenant-shared-install";
167
179
  readonly secretPath: "tenants/shared";
@@ -191,7 +203,7 @@ declare const INFISICAL_RUNTIME_MANIFEST: {
191
203
  readonly id: "lucern-sdk";
192
204
  readonly packageName: "@lucern/sdk";
193
205
  readonly delivery: "runtime_fetch";
194
- readonly sourcePathIds: readonly ["platform-runtime"];
206
+ readonly sourcePathIds: readonly ["platform-runtime", "platform-operator-credentials"];
195
207
  readonly consumer: "server-side SDK operator contexts with a scoped Infisical identity";
196
208
  readonly description: "SDK exposes the runtime Infisical resolver used by clients that have machine identity credentials.";
197
209
  }, {
@@ -199,7 +211,7 @@ declare const INFISICAL_RUNTIME_MANIFEST: {
199
211
  readonly packageName: "@lucern/cli";
200
212
  readonly delivery: "runtime_fetch";
201
213
  readonly fallback: "device_auth";
202
- readonly sourcePathIds: readonly ["platform-runtime"];
214
+ readonly sourcePathIds: readonly ["platform-runtime", "platform-operator-credentials"];
203
215
  readonly consumer: "developer/operator CLI processes";
204
216
  readonly description: "CLI hydrates runtime defaults from Infisical when configured, then authenticates users through Lucern device login.";
205
217
  }, {
@@ -207,7 +219,7 @@ declare const INFISICAL_RUNTIME_MANIFEST: {
207
219
  readonly packageName: "@lucern/mcp";
208
220
  readonly delivery: "runtime_fetch";
209
221
  readonly fallback: "device_auth";
210
- readonly sourcePathIds: readonly ["platform-runtime"];
222
+ readonly sourcePathIds: readonly ["platform-runtime", "platform-operator-credentials"];
211
223
  readonly consumer: "MCP server/client processes";
212
224
  readonly description: "MCP hydrates runtime defaults through the SDK resolver and remains a Lucern client, not a platform secret owner.";
213
225
  }, {
@@ -1354,6 +1366,32 @@ declare const INFISICAL_RUNTIME_MANIFEST: {
1354
1366
  readonly environmentPolicy: "environment_specific";
1355
1367
  }];
1356
1368
  readonly description: "Local/hosted MCP auth token material. Tenant apps must use MC/API-key sessions instead.";
1369
+ }, {
1370
+ readonly id: "platform.operator.api-key";
1371
+ readonly canonicalName: "LUCERN_API_KEY";
1372
+ readonly aliases: readonly ["LUCERN_KEY"];
1373
+ readonly owner: "lucern_platform";
1374
+ readonly scope: "environment";
1375
+ readonly sourcePath: "/platform/runtime";
1376
+ readonly environmentPolicy: "environment_specific";
1377
+ readonly required: false;
1378
+ readonly secret: true;
1379
+ readonly public: false;
1380
+ readonly consumers: readonly ["lucern-cli", "lucern-mcp", "lucern-repo-ci"];
1381
+ readonly destinations: readonly [{
1382
+ readonly kind: "runtime_fetch";
1383
+ readonly target: "lucern-cli-mcp-sdk";
1384
+ readonly environmentPolicy: "environment_specific";
1385
+ }, {
1386
+ readonly kind: "operator_local";
1387
+ readonly target: "lucern-repo";
1388
+ readonly environmentPolicy: "environment_specific";
1389
+ }, {
1390
+ readonly kind: "github_actions";
1391
+ readonly target: "LucernAI/lucern";
1392
+ readonly environmentPolicy: "environment_specific";
1393
+ }];
1394
+ readonly description: "Lucern-owned operator API key for trusted CLI/MCP/CI calls. Source it from /platform/runtime; do not persist it into local user credential files.";
1357
1395
  }, {
1358
1396
  readonly id: "platform.graph-sync.proxy";
1359
1397
  readonly canonicalName: "LUCERN_GRAPH_SYNC_QUERY_BASE_URL";
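Review bot: The new `platform-operator-credentials` entry declares `secretPath: "/platform/runtime"`, the same folder the key definition gives as `sourcePath`, so the separate path id by itself provides no access isolation for `LUCERN_API_KEY`. Any machine identity allowed to read that folder for runtime defaults can presumably read the operator key too; the `platform-runtime` entry's own path is outside these hunks, so this needs confirming. Adding the id to `sourcePathIds` of `lucern-sdk`, `lucern-cli` and `lucern-mcp` also sits oddly with the MCP surface's own description, "not a platform secret owner". Consider a dedicated folder with its own read policy, e.g. `readonly secretPath: "<dedicated operator folder>";`, changed in the manifest source because this declaration file is build output. The matching entries in the compiled JavaScript section carry the same concern.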
@@ -357,6 +357,21 @@ var INFISICAL_RUNTIME_PATHS = [
357
357
  }
358
358
  ]
359
359
  },
360
+ {
361
+ id: "platform-operator-credentials",
362
+ secretPath: "/platform/runtime",
363
+ description: "Lucern-owned operator credential material for local CLI, MCP, and SDK sessions.",
364
+ variables: [
365
+ {
366
+ name: "LUCERN_API_KEY",
367
+ required: false,
368
+ secret: true,
369
+ public: false,
370
+ aliases: ["LUCERN_KEY"],
371
+ description: "Lucern-owned operator API key for gateway calls from trusted local tooling."
372
+ }
373
+ ]
374
+ },
360
375
  {
361
376
  id: "tenant-shared-install",
362
377
  secretPath: TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH,
@@ -392,7 +407,7 @@ var INFISICAL_RUNTIME_SURFACES = [
392
407
  id: "lucern-sdk",
393
408
  packageName: "@lucern/sdk",
394
409
  delivery: "runtime_fetch",
395
- sourcePathIds: ["platform-runtime"],
410
+ sourcePathIds: ["platform-runtime", "platform-operator-credentials"],
396
411
  consumer: "server-side SDK operator contexts with a scoped Infisical identity",
397
412
  description: "SDK exposes the runtime Infisical resolver used by clients that have machine identity credentials."
398
413
  },
@@ -401,7 +416,7 @@ var INFISICAL_RUNTIME_SURFACES = [
401
416
  packageName: "@lucern/cli",
402
417
  delivery: "runtime_fetch",
403
418
  fallback: "device_auth",
404
- sourcePathIds: ["platform-runtime"],
419
+ sourcePathIds: ["platform-runtime", "platform-operator-credentials"],
405
420
  consumer: "developer/operator CLI processes",
406
421
  description: "CLI hydrates runtime defaults from Infisical when configured, then authenticates users through Lucern device login."
407
422
  },
@@ -410,7 +425,7 @@ var INFISICAL_RUNTIME_SURFACES = [
410
425
  packageName: "@lucern/mcp",
411
426
  delivery: "runtime_fetch",
412
427
  fallback: "device_auth",
413
- sourcePathIds: ["platform-runtime"],
428
+ sourcePathIds: ["platform-runtime", "platform-operator-credentials"],
414
429
  consumer: "MCP server/client processes",
415
430
  description: "MCP hydrates runtime defaults through the SDK resolver and remains a Lucern client, not a platform secret owner."
416
431
  },
@@ -1899,6 +1914,37 @@ var PLATFORM_LOCAL_OPERATOR_CONFIG_SECRET_DEFINITIONS = [
1899
1914
  ],
1900
1915
  description: "Local/hosted MCP auth token material. Tenant apps must use MC/API-key sessions instead."
1901
1916
  },
1917
+ {
1918
+ id: "platform.operator.api-key",
1919
+ canonicalName: "LUCERN_API_KEY",
1920
+ aliases: ["LUCERN_KEY"],
1921
+ owner: "lucern_platform",
1922
+ scope: "environment",
1923
+ sourcePath: "/platform/runtime",
1924
+ environmentPolicy: "environment_specific",
1925
+ required: false,
1926
+ secret: true,
1927
+ public: false,
1928
+ consumers: ["lucern-cli", "lucern-mcp", "lucern-repo-ci"],
1929
+ destinations: [
1930
+ {
1931
+ kind: "runtime_fetch",
1932
+ target: "lucern-cli-mcp-sdk",
1933
+ environmentPolicy: "environment_specific"
1934
+ },
1935
+ {
1936
+ kind: "operator_local",
1937
+ target: "lucern-repo",
1938
+ environmentPolicy: "environment_specific"
1939
+ },
1940
+ {
1941
+ kind: "github_actions",
1942
+ target: "LucernAI/lucern",
1943
+ environmentPolicy: "environment_specific"
1944
+ }
1945
+ ],
1946
+ description: "Lucern-owned operator API key for trusted CLI/MCP/CI calls. Source it from /platform/runtime; do not persist it into local user credential files."
1947
+ },
1902
1948
  {
1903
1949
  id: "platform.graph-sync.proxy",
1904
1950
  canonicalName: "LUCERN_GRAPH_SYNC_QUERY_BASE_URL",
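Review bot: In the `platform.operator.api-key` definition, `consumers: ["lucern-cli", "lucern-mcp", "lucern-repo-ci"]` omits the SDK, yet the `lucern-sdk` surface now lists `platform-operator-credentials` in `sourcePathIds` and the `runtime_fetch` destination targets `"lucern-cli-mcp-sdk"`. An audit or access policy derived from `consumers` may undercount who can fetch the key, so either add the SDK to `consumers` or drop the path from the SDK surface. The "do not persist it into local user credential files" rule exists only in the `description` string while an `operator_local` destination is declared; a comment beside that destination such as `// held in process env only; never written to credential files` would make the intent reviewable. Log redaction and secret-scanning rules should cover the alias `LUCERN_KEY` as well as `LUCERN_API_KEY`.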