@lucern/contracts 0.3.0-alpha.17 → 0.3.0-alpha.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (316) hide show
  1. package/CHANGELOG.md +0 -10
  2. package/dist/api-enums.contract.d.ts +3 -5
  3. package/dist/api-enums.contract.js +12 -14
  4. package/dist/api-enums.contract.js.map +1 -1
  5. package/dist/auth-context.contract.js +2 -14
  6. package/dist/auth-context.contract.js.map +1 -1
  7. package/dist/auth-session.contract.js +2 -14
  8. package/dist/auth-session.contract.js.map +1 -1
  9. package/dist/auth.contract.d.ts +1 -1
  10. package/dist/auth.contract.js +2 -14
  11. package/dist/auth.contract.js.map +1 -1
  12. package/dist/context-pack.contract.d.ts +3 -5
  13. package/dist/context-pack.contract.js.map +1 -1
  14. package/dist/{defineTable-t1wr5wgn.d.ts → defineTable-CBQ03FXl.d.ts} +1 -1
  15. package/dist/{dsl-DVPthQGY.d.ts → dsl-BgpoVOVQ.d.ts} +2 -2
  16. package/dist/dsl.d.ts +2 -2
  17. package/dist/dsl.js +4 -1
  18. package/dist/dsl.js.map +1 -1
  19. package/dist/function-registry/beliefs.d.ts +51 -64
  20. package/dist/function-registry/beliefs.js +57 -817
  21. package/dist/function-registry/beliefs.js.map +1 -1
  22. package/dist/function-registry/coding.d.ts +6 -15
  23. package/dist/function-registry/coding.js +43 -866
  24. package/dist/function-registry/coding.js.map +1 -1
  25. package/dist/function-registry/context.d.ts +16 -22
  26. package/dist/function-registry/context.js +46 -805
  27. package/dist/function-registry/context.js.map +1 -1
  28. package/dist/function-registry/contracts.d.ts +3 -9
  29. package/dist/function-registry/contracts.js +39 -770
  30. package/dist/function-registry/contracts.js.map +1 -1
  31. package/dist/function-registry/coordination.d.ts +9 -21
  32. package/dist/function-registry/coordination.js +39 -770
  33. package/dist/function-registry/coordination.js.map +1 -1
  34. package/dist/function-registry/edges.d.ts +2 -167
  35. package/dist/function-registry/edges.js +71 -978
  36. package/dist/function-registry/edges.js.map +1 -1
  37. package/dist/function-registry/evidence.d.ts +41 -52
  38. package/dist/function-registry/evidence.js +62 -826
  39. package/dist/function-registry/evidence.js.map +1 -1
  40. package/dist/function-registry/graph.d.ts +66 -162
  41. package/dist/function-registry/graph.js +46 -886
  42. package/dist/function-registry/graph.js.map +1 -1
  43. package/dist/function-registry/helpers.d.ts +4 -7
  44. package/dist/function-registry/helpers.js +40 -771
  45. package/dist/function-registry/helpers.js.map +1 -1
  46. package/dist/function-registry/identity.d.ts +16 -62
  47. package/dist/function-registry/identity.js +45 -793
  48. package/dist/function-registry/identity.js.map +1 -1
  49. package/dist/function-registry/index.d.ts +3 -5
  50. package/dist/function-registry/index.js +43 -777
  51. package/dist/function-registry/index.js.map +1 -1
  52. package/dist/function-registry/judgments.d.ts +11 -16
  53. package/dist/function-registry/judgments.js +42 -782
  54. package/dist/function-registry/judgments.js.map +1 -1
  55. package/dist/function-registry/legacy.d.ts +1 -5
  56. package/dist/function-registry/legacy.js +39 -770
  57. package/dist/function-registry/legacy.js.map +1 -1
  58. package/dist/function-registry/lenses.d.ts +21 -28
  59. package/dist/function-registry/lenses.js +42 -793
  60. package/dist/function-registry/lenses.js.map +1 -1
  61. package/dist/function-registry/manifest.d.ts +6 -6
  62. package/dist/function-registry/manifest.js +2 -19
  63. package/dist/function-registry/manifest.js.map +1 -1
  64. package/dist/function-registry/ontologies.d.ts +56 -70
  65. package/dist/function-registry/ontologies.js +45 -788
  66. package/dist/function-registry/ontologies.js.map +1 -1
  67. package/dist/function-registry/pipeline.d.ts +16 -22
  68. package/dist/function-registry/pipeline.js +42 -779
  69. package/dist/function-registry/pipeline.js.map +1 -1
  70. package/dist/function-registry/questions.d.ts +61 -76
  71. package/dist/function-registry/questions.js +52 -869
  72. package/dist/function-registry/questions.js.map +1 -1
  73. package/dist/function-registry/tasks.d.ts +21 -28
  74. package/dist/function-registry/tasks.js +48 -845
  75. package/dist/function-registry/tasks.js.map +1 -1
  76. package/dist/function-registry/topics.d.ts +26 -114
  77. package/dist/function-registry/topics.js +43 -852
  78. package/dist/function-registry/topics.js.map +1 -1
  79. package/dist/function-registry/types.d.ts +3 -7
  80. package/dist/function-registry/worktrees.d.ts +51 -104
  81. package/dist/function-registry/worktrees.js +51 -925
  82. package/dist/function-registry/worktrees.js.map +1 -1
  83. package/dist/gateway.contract.d.ts +0 -6
  84. package/dist/gateway.contract.js.map +1 -1
  85. package/dist/generated/convexSchemas.d.ts +3 -3
  86. package/dist/generated/convexSchemas.js +18 -39
  87. package/dist/generated/convexSchemas.js.map +1 -1
  88. package/dist/generated/schema-manifest.json +98 -1244
  89. package/dist/generated/tableOwnership.d.ts +28 -49
  90. package/dist/generated/tableOwnership.js +26 -68
  91. package/dist/generated/tableOwnership.js.map +1 -1
  92. package/dist/generated/tier-expectations.json +9 -66
  93. package/dist/graph-types/index.d.ts +1 -5
  94. package/dist/graph-types/index.js +4 -15
  95. package/dist/graph-types/index.js.map +1 -1
  96. package/dist/index-CV-0_VWJ.d.ts +25 -0
  97. package/dist/index.d.ts +414 -30
  98. package/dist/index.js +342 -35266
  99. package/dist/index.js.map +1 -1
  100. package/dist/lens-filter.contract.js +3 -4
  101. package/dist/lens-filter.contract.js.map +1 -1
  102. package/dist/lens-workflow.contract.js +3 -4
  103. package/dist/lens-workflow.contract.js.map +1 -1
  104. package/dist/schema-helpers/enumValidation.js +5 -2
  105. package/dist/schema-helpers/enumValidation.js.map +1 -1
  106. package/dist/schema-helpers/spine/nodes/decision.js +1 -2
  107. package/dist/schema-helpers/spine/nodes/decision.js.map +1 -1
  108. package/dist/schema-helpers/spine/tables/epistemicNodes.js +27 -27
  109. package/dist/schema-helpers/spine/tables/epistemicNodes.js.map +1 -1
  110. package/dist/schemas/component-table-manifest.d.ts +6 -6
  111. package/dist/schemas/component-table-manifest.js +2 -2
  112. package/dist/schemas/component-table-manifest.js.map +1 -1
  113. package/dist/schemas/enums.d.ts +2 -5
  114. package/dist/schemas/enums.js +2 -5
  115. package/dist/schemas/enums.js.map +1 -1
  116. package/dist/schemas/index.d.ts +3 -3
  117. package/dist/schemas/index.js +139 -1165
  118. package/dist/schemas/index.js.map +1 -1
  119. package/dist/schemas/manifest.d.ts +932 -3042
  120. package/dist/schemas/manifest.js +137 -1163
  121. package/dist/schemas/manifest.js.map +1 -1
  122. package/dist/schemas/sl-opinion.d.ts +4 -4
  123. package/dist/schemas/tables/{controlPlane → identity}/agent.d.ts +1 -1
  124. package/dist/schemas/tables/{controlPlane → identity}/agent.js +3 -3
  125. package/dist/schemas/tables/identity/agent.js.map +1 -0
  126. package/dist/schemas/tables/{controlPlane → identity}/epistemic.d.ts +1 -1
  127. package/dist/schemas/tables/{controlPlane → identity}/epistemic.js +3 -3
  128. package/dist/schemas/tables/identity/epistemic.js.map +1 -0
  129. package/dist/schemas/tables/{controlPlane → identity}/model.d.ts +1 -1
  130. package/dist/schemas/tables/{controlPlane → identity}/model.js +6 -6
  131. package/dist/schemas/tables/identity/model.js.map +1 -0
  132. package/dist/schemas/tables/{controlPlane → identity}/platform.d.ts +11 -11
  133. package/dist/schemas/tables/{controlPlane → identity}/platform.js +18 -18
  134. package/dist/schemas/tables/identity/platform.js.map +1 -0
  135. package/dist/schemas/tables/{controlPlane → identity}/project.d.ts +1 -1
  136. package/dist/schemas/tables/{controlPlane → identity}/project.js +3 -3
  137. package/dist/schemas/tables/identity/project.js.map +1 -0
  138. package/dist/schemas/tables/{controlPlane → identity}/user.d.ts +1 -1
  139. package/dist/schemas/tables/{controlPlane → identity}/user.js +3 -3
  140. package/dist/schemas/tables/identity/user.js.map +1 -0
  141. package/dist/schemas/tables/kernel/config.d.ts +1 -1
  142. package/dist/schemas/tables/kernel/config.js.map +1 -1
  143. package/dist/schemas/tables/kernel/coordination.d.ts +1 -1
  144. package/dist/schemas/tables/kernel/coordination.js.map +1 -1
  145. package/dist/schemas/tables/kernel/decision.d.ts +1 -1
  146. package/dist/schemas/tables/kernel/decision.js.map +1 -1
  147. package/dist/schemas/tables/kernel/embedding.d.ts +1 -1
  148. package/dist/schemas/tables/kernel/embedding.js.map +1 -1
  149. package/dist/schemas/tables/kernel/epistemic.d.ts +7 -7
  150. package/dist/schemas/tables/kernel/epistemic.js.map +1 -1
  151. package/dist/schemas/tables/kernel/idempotency.d.ts +1 -1
  152. package/dist/schemas/tables/kernel/idempotency.js.map +1 -1
  153. package/dist/schemas/tables/kernel/infra.d.ts +5 -5
  154. package/dist/schemas/tables/kernel/infra.js.map +1 -1
  155. package/dist/schemas/tables/kernel/intelligence.d.ts +11 -11
  156. package/dist/schemas/tables/kernel/intelligence.js.map +1 -1
  157. package/dist/schemas/tables/kernel/lens.d.ts +5 -5
  158. package/dist/schemas/tables/kernel/lens.js.map +1 -1
  159. package/dist/schemas/tables/kernel/ontology.d.ts +1 -1
  160. package/dist/schemas/tables/kernel/ontology.js.map +1 -1
  161. package/dist/schemas/tables/kernel/platform.d.ts +13 -13
  162. package/dist/schemas/tables/kernel/platform.js.map +1 -1
  163. package/dist/schemas/tables/kernel/spine.d.ts +4 -5
  164. package/dist/schemas/tables/kernel/spine.js +2 -6
  165. package/dist/schemas/tables/kernel/spine.js.map +1 -1
  166. package/dist/schemas/tables/kernel/task.d.ts +43 -43
  167. package/dist/schemas/tables/kernel/task.js.map +1 -1
  168. package/dist/schemas/tables/kernel/topic.d.ts +1 -1
  169. package/dist/schemas/tables/kernel/topic.js +1 -5
  170. package/dist/schemas/tables/kernel/topic.js.map +1 -1
  171. package/dist/schemas/tables/kernel/workflow.d.ts +1 -1
  172. package/dist/schemas/tables/kernel/workflow.js.map +1 -1
  173. package/dist/schemas/tables/kernel/worktree.d.ts +55 -55
  174. package/dist/schemas/tables/kernel/worktree.js.map +1 -1
  175. package/dist/schemas/tables/mc/identity.d.ts +4 -44
  176. package/dist/schemas/tables/mc/identity.js +1 -66
  177. package/dist/schemas/tables/mc/identity.js.map +1 -1
  178. package/dist/schemas/tables/mc/methodology.d.ts +1 -1
  179. package/dist/schemas/tables/mc/methodology.js.map +1 -1
  180. package/dist/schemas/tables/mc/pack.d.ts +21 -21
  181. package/dist/schemas/tables/mc/pack.js.map +1 -1
  182. package/dist/schemas/tables/mc/policy.d.ts +2 -2
  183. package/dist/schemas/tables/mc/policy.js +1 -1
  184. package/dist/schemas/tables/mc/policy.js.map +1 -1
  185. package/dist/schemas/tables/mc/registry.d.ts +5 -5
  186. package/dist/schemas/tables/mc/registry.js.map +1 -1
  187. package/dist/schemas/tables/mc/runtime.d.ts +3 -109
  188. package/dist/schemas/tables/mc/runtime.js +104 -330
  189. package/dist/schemas/tables/mc/runtime.js.map +1 -1
  190. package/dist/schemas/tables/mc/tenant.d.ts +2 -4
  191. package/dist/schemas/tables/mc/tenant.js +1 -3
  192. package/dist/schemas/tables/mc/tenant.js.map +1 -1
  193. package/dist/schemas/tables/mc/workspace.d.ts +5 -28
  194. package/dist/schemas/tables/mc/workspace.js +2 -36
  195. package/dist/schemas/tables/mc/workspace.js.map +1 -1
  196. package/dist/sdk-methods.contract.d.ts +2 -2
  197. package/dist/{sdk-tools.contract-CKmSsrZ2.d.ts → sdk-tools.contract-S4ia0TTo.d.ts} +2 -2
  198. package/dist/sdk-tools.contract.d.ts +2 -2
  199. package/dist/sdk-tools.contract.js +27 -719
  200. package/dist/sdk-tools.contract.js.map +1 -1
  201. package/dist/{tool-contracts-C_xvM9q2.d.ts → tool-contracts-C92-9ueT.d.ts} +2 -38
  202. package/dist/tool-contracts.d.ts +1 -1
  203. package/dist/tool-contracts.js +28 -720
  204. package/dist/tool-contracts.js.map +1 -1
  205. package/package.json +1 -30
  206. package/dist/component-boundary.contract.d.ts +0 -14
  207. package/dist/component-boundary.contract.js +0 -175
  208. package/dist/component-boundary.contract.js.map +0 -1
  209. package/dist/component-host-boundary.contract.d.ts +0 -46
  210. package/dist/component-host-boundary.contract.js +0 -60
  211. package/dist/component-host-boundary.contract.js.map +0 -1
  212. package/dist/edge-policy-manifest-Dw5IhT1L.d.ts +0 -133
  213. package/dist/function-registry/nodes.d.ts +0 -412
  214. package/dist/function-registry/nodes.js +0 -5354
  215. package/dist/function-registry/nodes.js.map +0 -1
  216. package/dist/function-registry-input-audit.d.ts +0 -13
  217. package/dist/function-registry-input-audit.js +0 -166
  218. package/dist/function-registry-input-audit.js.map +0 -1
  219. package/dist/generated/infisicalRuntimeEnv.d.ts +0 -70
  220. package/dist/generated/infisicalRuntimeEnv.js +0 -27345
  221. package/dist/generated/infisicalRuntimeEnv.js.map +0 -1
  222. package/dist/generated/lucernGatewayEnv.d.ts +0 -17
  223. package/dist/generated/lucernGatewayEnv.js +0 -38
  224. package/dist/generated/lucernGatewayEnv.js.map +0 -1
  225. package/dist/generated/lucernWebPublicEnv.d.ts +0 -26
  226. package/dist/generated/lucernWebPublicEnv.js +0 -32
  227. package/dist/generated/lucernWebPublicEnv.js.map +0 -1
  228. package/dist/generated/lucernWebServerEnv.d.ts +0 -33
  229. package/dist/generated/lucernWebServerEnv.js +0 -51
  230. package/dist/generated/lucernWebServerEnv.js.map +0 -1
  231. package/dist/graph-intelligence.contract.d.ts +0 -506
  232. package/dist/graph-intelligence.contract.js +0 -595
  233. package/dist/graph-intelligence.contract.js.map +0 -1
  234. package/dist/index-CM1Pl_vI.d.ts +0 -28
  235. package/dist/infisical-runtime.contract.d.ts +0 -1889
  236. package/dist/infisical-runtime.contract.js +0 -3235
  237. package/dist/infisical-runtime.contract.js.map +0 -1
  238. package/dist/manifests/edge-policy-manifest.d.ts +0 -2
  239. package/dist/manifests/edge-policy-manifest.data.d.ts +0 -13
  240. package/dist/manifests/edge-policy-manifest.data.js +0 -26
  241. package/dist/manifests/edge-policy-manifest.data.js.map +0 -1
  242. package/dist/manifests/edge-policy-manifest.js +0 -92
  243. package/dist/manifests/edge-policy-manifest.js.map +0 -1
  244. package/dist/manifests/infisical-runtime-manifest.d.ts +0 -1792
  245. package/dist/manifests/infisical-runtime-manifest.js +0 -3090
  246. package/dist/manifests/infisical-runtime-manifest.js.map +0 -1
  247. package/dist/manifests/invariant-manifest.d.ts +0 -65
  248. package/dist/manifests/invariant-manifest.js +0 -18
  249. package/dist/manifests/invariant-manifest.js.map +0 -1
  250. package/dist/manifests/invariants/ast-utils.d.ts +0 -14
  251. package/dist/manifests/invariants/ast-utils.js +0 -54
  252. package/dist/manifests/invariants/ast-utils.js.map +0 -1
  253. package/dist/manifests/invariants/index.d.ts +0 -15
  254. package/dist/manifests/invariants/index.js +0 -183
  255. package/dist/manifests/invariants/index.js.map +0 -1
  256. package/dist/manifests/invariants/inv-1-beliefs-append-only.d.ts +0 -12
  257. package/dist/manifests/invariants/inv-1-beliefs-append-only.js +0 -94
  258. package/dist/manifests/invariants/inv-1-beliefs-append-only.js.map +0 -1
  259. package/dist/manifests/invariants/inv-14-no-silent-transitions.d.ts +0 -12
  260. package/dist/manifests/invariants/inv-14-no-silent-transitions.js +0 -99
  261. package/dist/manifests/invariants/inv-14-no-silent-transitions.js.map +0 -1
  262. package/dist/manifests/invariants/manifest-1-projections-declare-audit.d.ts +0 -12
  263. package/dist/manifests/invariants/manifest-1-projections-declare-audit.js +0 -42
  264. package/dist/manifests/invariants/manifest-1-projections-declare-audit.js.map +0 -1
  265. package/dist/manifests/tenant-client-manifest.d.ts +0 -327
  266. package/dist/manifests/tenant-client-manifest.js +0 -449
  267. package/dist/manifests/tenant-client-manifest.js.map +0 -1
  268. package/dist/mcp-gateway-boundary.contract.d.ts +0 -201
  269. package/dist/mcp-gateway-boundary.contract.js +0 -45
  270. package/dist/mcp-gateway-boundary.contract.js.map +0 -1
  271. package/dist/permit-principal-projection.contract.d.ts +0 -74
  272. package/dist/permit-principal-projection.contract.js +0 -167
  273. package/dist/permit-principal-projection.contract.js.map +0 -1
  274. package/dist/projections/check-convex-args-shape.d.ts +0 -3
  275. package/dist/projections/check-convex-args-shape.js +0 -403
  276. package/dist/projections/check-convex-args-shape.js.map +0 -1
  277. package/dist/projections/create-evidence.projection.d.ts +0 -176
  278. package/dist/projections/create-evidence.projection.js +0 -130
  279. package/dist/projections/create-evidence.projection.js.map +0 -1
  280. package/dist/projections/index.d.ts +0 -102
  281. package/dist/projections/index.js +0 -352
  282. package/dist/projections/index.js.map +0 -1
  283. package/dist/projections/list-beliefs.projection.d.ts +0 -36
  284. package/dist/projections/list-beliefs.projection.js +0 -54
  285. package/dist/projections/list-beliefs.projection.js.map +0 -1
  286. package/dist/projections/list-tasks.projection.d.ts +0 -44
  287. package/dist/projections/list-tasks.projection.js +0 -57
  288. package/dist/projections/list-tasks.projection.js.map +0 -1
  289. package/dist/projections/modulate-confidence.projection.d.ts +0 -219
  290. package/dist/projections/modulate-confidence.projection.js +0 -148
  291. package/dist/projections/modulate-confidence.projection.js.map +0 -1
  292. package/dist/projections/projection-dsl.d.ts +0 -11
  293. package/dist/projections/projection-dsl.js +0 -8
  294. package/dist/projections/projection-dsl.js.map +0 -1
  295. package/dist/proof-attestation.json +0 -45
  296. package/dist/schemas/tables/controlPlane/accessControl.d.ts +0 -260
  297. package/dist/schemas/tables/controlPlane/accessControl.js +0 -658
  298. package/dist/schemas/tables/controlPlane/accessControl.js.map +0 -1
  299. package/dist/schemas/tables/controlPlane/agent.js.map +0 -1
  300. package/dist/schemas/tables/controlPlane/epistemic.js.map +0 -1
  301. package/dist/schemas/tables/controlPlane/model.js.map +0 -1
  302. package/dist/schemas/tables/controlPlane/platform.js.map +0 -1
  303. package/dist/schemas/tables/controlPlane/project.js.map +0 -1
  304. package/dist/schemas/tables/controlPlane/user.js.map +0 -1
  305. package/dist/schemas/tables/kernel/events.d.ts +0 -21
  306. package/dist/schemas/tables/kernel/events.js +0 -43
  307. package/dist/schemas/tables/kernel/events.js.map +0 -1
  308. package/dist/tenant-bootstrap-seed.contract.d.ts +0 -1289
  309. package/dist/tenant-bootstrap-seed.contract.js +0 -764
  310. package/dist/tenant-bootstrap-seed.contract.js.map +0 -1
  311. package/dist/tenant-bootstrap-seed.defaults.d.ts +0 -16
  312. package/dist/tenant-bootstrap-seed.defaults.js +0 -321
  313. package/dist/tenant-bootstrap-seed.defaults.js.map +0 -1
  314. package/dist/tenant-client.contract.d.ts +0 -354
  315. package/dist/tenant-client.contract.js +0 -505
  316. package/dist/tenant-client.contract.js.map +0 -1
@@ -1,3235 +0,0 @@
1
- // src/tenant-client.contract.ts
2
- var TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH = "tenants/shared";
3
- var TENANT_CLIENT_INSTALLABLE_PACKAGES = [
4
- {
5
- packageName: "@lucern/access-control",
6
- role: "runtime_entrypoint",
7
- directTenantImport: true
8
- },
9
- {
10
- packageName: "@lucern/agent",
11
- role: "platform_runtime",
12
- directTenantImport: false
13
- },
14
- {
15
- packageName: "@lucern/auth",
16
- role: "sdk_dependency",
17
- directTenantImport: false
18
- },
19
- {
20
- packageName: "@lucern/cli",
21
- role: "developer_tool",
22
- directTenantImport: false
23
- },
24
- {
25
- packageName: "@lucern/client-core",
26
- role: "sdk_dependency",
27
- directTenantImport: false
28
- },
29
- {
30
- packageName: "@lucern/confidence",
31
- role: "sdk_dependency",
32
- directTenantImport: false
33
- },
34
- {
35
- packageName: "@lucern/config",
36
- role: "configuration",
37
- directTenantImport: false
38
- },
39
- {
40
- packageName: "@lucern/contracts",
41
- role: "contract_entrypoint",
42
- directTenantImport: true
43
- },
44
- {
45
- packageName: "@lucern/control-plane",
46
- role: "component_runtime",
47
- directTenantImport: false
48
- },
49
- {
50
- packageName: "@lucern/developer-kit",
51
- role: "developer_tool",
52
- directTenantImport: false
53
- },
54
- {
55
- packageName: "@lucern/events",
56
- role: "sdk_dependency",
57
- directTenantImport: false
58
- },
59
- {
60
- packageName: "@lucern/graph-primitives",
61
- role: "sdk_dependency",
62
- directTenantImport: false
63
- },
64
- {
65
- packageName: "@lucern/graph-sync",
66
- role: "host_addon_runtime",
67
- directTenantImport: true
68
- },
69
- {
70
- packageName: "@lucern/mcp",
71
- role: "runtime_entrypoint",
72
- directTenantImport: true
73
- },
74
- {
75
- packageName: "@lucern/pack-host",
76
- role: "platform_runtime",
77
- directTenantImport: false
78
- },
79
- {
80
- packageName: "@lucern/pack-installer",
81
- role: "developer_tool",
82
- directTenantImport: false
83
- },
84
- {
85
- packageName: "@lucern/proof-compiler",
86
- role: "developer_tool",
87
- directTenantImport: false
88
- },
89
- {
90
- packageName: "@lucern/react",
91
- role: "runtime_entrypoint",
92
- directTenantImport: true
93
- },
94
- {
95
- packageName: "@lucern/reasoning-kernel",
96
- role: "component_runtime",
97
- directTenantImport: false
98
- },
99
- {
100
- packageName: "@lucern/sdk",
101
- role: "runtime_entrypoint",
102
- directTenantImport: true
103
- },
104
- {
105
- packageName: "@lucern/secrets",
106
- role: "sdk_dependency",
107
- directTenantImport: false
108
- },
109
- {
110
- packageName: "@lucern/server-core",
111
- role: "platform_runtime",
112
- directTenantImport: false
113
- },
114
- {
115
- packageName: "@lucern/testing",
116
- role: "test_support",
117
- directTenantImport: false
118
- },
119
- {
120
- packageName: "@lucern/types",
121
- role: "contract_entrypoint",
122
- directTenantImport: true
123
- }
124
- ];
125
- TENANT_CLIENT_INSTALLABLE_PACKAGES.map(
126
- (entry) => entry.packageName
127
- );
128
-
129
- // src/infisical-runtime.contract.ts
130
- var INFISICAL_RUNTIME_CONTRACT_VERSION = "2026-05-06";
131
- var INFISICAL_RUNTIME_DEFAULT_API_URL = "https://app.infisical.com";
132
- var INFISICAL_RUNTIME_DEFAULT_PROJECT_ID = "344b0526-90df-4606-ba50-22c647a36c65";
133
- var INFISICAL_RUNTIME_ENVIRONMENTS = [
134
- "dev",
135
- "staging",
136
- "prod"
137
- ];
138
- var INFISICAL_RUNTIME_DELIVERY_MODES = [
139
- "vercel_sync",
140
- "runtime_fetch",
141
- "device_auth"
142
- ];
143
- var INFISICAL_VERCEL_DESTINATION_ENVIRONMENTS = [
144
- "development",
145
- "preview",
146
- "staging",
147
- "production"
148
- ];
149
- var INFISICAL_VERCEL_TARGETS = [
150
- "development",
151
- "preview",
152
- "production"
153
- ];
154
- var INFISICAL_CONVEX_TIERS = ["preprod", "prod"];
155
- var INFISICAL_CONVEX_TIER_BY_VERCEL_ENVIRONMENT = {
156
- development: "preprod",
157
- preview: "preprod",
158
- staging: "preprod",
159
- production: "prod"
160
- };
161
- var INFISICAL_VERCEL_SYNC_RECONCILIATION = {
162
- sourceOfTruth: "infisical",
163
- writer: "vercel_api",
164
- disableSecretDeletion: false,
165
- pruneDestinationKeys: true
166
- };
167
- var INFISICAL_VERCEL_SYNC_DESTINATIONS = [
168
- {
169
- environment: "development",
170
- vercelTarget: "development",
171
- convexTier: "preprod"
172
- },
173
- {
174
- environment: "preview",
175
- vercelTarget: "preview",
176
- convexTier: "preprod"
177
- },
178
- {
179
- environment: "staging",
180
- vercelTarget: "preview",
181
- convexTier: "preprod",
182
- customEnvironmentSlug: "staging",
183
- customEnvironmentIdsByProjectName: {
184
- stackos: "env_RbS0TYRRvWISTje8qR4u2lRg7TC8"
185
- },
186
- domainsByProjectName: {
187
- stackos: "staging.stack.vc"
188
- }
189
- },
190
- {
191
- environment: "production",
192
- vercelTarget: "production",
193
- convexTier: "prod"
194
- }
195
- ];
196
- var INFISICAL_RUNTIME_SURFACE_IDS = [
197
- "lucern-web",
198
- "lucern-gateway",
199
- "lucern-sdk",
200
- "lucern-cli",
201
- "lucern-mcp",
202
- "tenant-client"
203
- ];
204
- var INFISICAL_RUNTIME_BOOTSTRAP_ENV = {
205
- apiUrl: ["INFISICAL_API_URL", "INFISICAL_URL"],
206
- projectId: ["INFISICAL_PROJECT_ID", "INFISICAL_WORKSPACE_ID"],
207
- clientId: [
208
- "INFISICAL_CLIENT_ID",
209
- "INFISICAL_MACHINE_CLIENT_ID",
210
- "INFISICAL_UNIVERSAL_AUTH_CLIENT_ID"
211
- ],
212
- clientSecret: [
213
- "INFISICAL_CLIENT_SECRET",
214
- "INFISICAL_MACHINE_CLIENT_SECRET",
215
- "INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET"
216
- ],
217
- environment: ["INFISICAL_ENV", "LUCERN_INFISICAL_ENV"],
218
- organizationSlug: ["INFISICAL_ORG_SLUG", "INFISICAL_ORGANIZATION_SLUG"],
219
- disabled: ["LUCERN_INFISICAL_DISABLE", "INFISICAL_DISABLE"]
220
- };
221
- var INFISICAL_RUNTIME_CONTROL_ENV = [
222
- {
223
- name: "NODE_ENV",
224
- category: "framework",
225
- description: "Node/Next runtime mode. Framework-owned, not written by Infisical."
226
- },
227
- {
228
- name: "CI",
229
- category: "ci",
230
- description: "CI execution signal. Workflow-owned, not written by Infisical."
231
- },
232
- {
233
- name: "VERCEL",
234
- category: "vercel",
235
- description: "Vercel runtime signal. Platform-owned, not written by Infisical."
236
- },
237
- {
238
- name: "VERCEL_ENV",
239
- category: "vercel",
240
- description: "Vercel environment label used for build/runtime selection."
241
- },
242
- {
243
- name: "VERCEL_URL",
244
- category: "vercel",
245
- description: "Vercel deployment URL supplied by Vercel for previews and builds."
246
- },
247
- {
248
- name: "VERCEL_GIT_COMMIT_SHA",
249
- category: "vercel",
250
- description: "Vercel git metadata used for release labels. Platform-owned, not written by Infisical."
251
- },
252
- {
253
- name: "NEXT_RUNTIME",
254
- category: "nextjs",
255
- description: "Next.js runtime selector for node/edge instrumentation modules."
256
- },
257
- {
258
- name: "PORT",
259
- category: "framework",
260
- description: "Local/server port supplied by the runtime process manager."
261
- },
262
- {
263
- name: "HOST",
264
- category: "framework",
265
- description: "Local/server host supplied by the runtime process manager."
266
- },
267
- {
268
- name: "APP_URL",
269
- category: "compatibility",
270
- description: "Legacy local app URL fallback. Prefer LUCERN_LOGIN_BASE_URL or LUCERN_API_URL."
271
- },
272
- {
273
- name: "NEXT_PUBLIC_APP_URL",
274
- category: "compatibility",
275
- description: "Legacy public app URL fallback. Prefer LUCERN_LOGIN_BASE_URL or LUCERN_API_URL."
276
- },
277
- {
278
- name: "CLAUDE_PROJECT_DIR",
279
- category: "agent_local",
280
- description: "Local agent workspace hint. Agent-runtime-owned, not written by Infisical."
281
- },
282
- {
283
- name: "HOME",
284
- category: "os",
285
- description: "Operating-system home directory used only for local credential discovery."
286
- },
287
- {
288
- name: "USERPROFILE",
289
- category: "os",
290
- description: "Windows home directory used only for local credential discovery."
291
- }
292
- ];
293
- var INFISICAL_RUNTIME_PATHS = [
294
- {
295
- id: "platform-auth",
296
- secretPath: "/platform/auth",
297
- description: "Lucern platform authentication secrets. Synced into Vercel web/gateway projects; never distributed to tenant tools.",
298
- variables: [
299
- {
300
- name: "NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY",
301
- required: true,
302
- secret: false,
303
- public: true,
304
- description: "Clerk publishable key for the Lucern web origin."
305
- },
306
- {
307
- name: "CLERK_SECRET_KEY",
308
- required: true,
309
- secret: true,
310
- public: false,
311
- description: "Clerk backend secret key for Lucern server runtimes."
312
- },
313
- {
314
- name: "CLERK_JWT_ISSUER_DOMAIN",
315
- required: false,
316
- secret: false,
317
- public: false,
318
- description: "Expected Clerk issuer/JWKS domain for JWT verification."
319
- },
320
- {
321
- name: "NEXT_PUBLIC_CLERK_SIGN_IN_URL",
322
- required: false,
323
- secret: false,
324
- public: true,
325
- description: "Public sign-in URL for Lucern-owned web flows."
326
- },
327
- {
328
- name: "NEXT_PUBLIC_CLERK_SIGN_UP_URL",
329
- required: false,
330
- secret: false,
331
- public: true,
332
- description: "Public sign-up URL for Lucern-owned web flows."
333
- }
334
- ]
335
- },
336
- {
337
- id: "platform-runtime",
338
- secretPath: "/platform/runtime",
339
- description: "Runtime defaults shared by server-side Lucern clients and operator tooling.",
340
- variables: [
341
- {
342
- name: "LUCERN_API_URL",
343
- required: true,
344
- secret: false,
345
- public: false,
346
- aliases: ["LUCERN_API_BASE_URL", "LUCERN_BASE_URL"],
347
- description: "Canonical Lucern API gateway URL."
348
- },
349
- {
350
- name: "LUCERN_LOGIN_BASE_URL",
351
- required: false,
352
- secret: false,
353
- public: false,
354
- aliases: ["LUCERN_AUTH_BASE_URL"],
355
- description: "Browser login origin used when it differs from the API."
356
- },
357
- {
358
- name: "LUCERN_ENVIRONMENT",
359
- required: false,
360
- secret: false,
361
- public: false,
362
- aliases: ["LUCERN_ENV"],
363
- description: "Lucern environment label consumed by CLI profiles."
364
- },
365
- {
366
- name: "LUCERN_CLI_SESSION_TTL_MS",
367
- required: false,
368
- secret: false,
369
- public: false,
370
- description: "Optional web-issued CLI login session lifetime override in milliseconds."
371
- }
372
- ]
373
- },
374
- {
375
- id: "platform-operator-credentials",
376
- secretPath: "/platform/runtime",
377
- description: "Lucern-owned operator credential material for local CLI, MCP, and SDK sessions.",
378
- variables: [
379
- {
380
- name: "LUCERN_API_KEY",
381
- required: false,
382
- secret: true,
383
- public: false,
384
- aliases: ["LUCERN_KEY"],
385
- description: "Lucern-owned operator API key for gateway calls from trusted local tooling."
386
- }
387
- ]
388
- },
389
- {
390
- id: "tenant-shared-install",
391
- secretPath: TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH,
392
- description: "Tenant package-install secrets. This is install-only and distinct from platform publish credentials.",
393
- variables: [
394
- {
395
- name: "INSTALL_LUCERN_NPM",
396
- required: true,
397
- secret: true,
398
- public: false,
399
- description: "Read-only install token for the published @lucern/* suite."
400
- }
401
- ]
402
- }
403
- ];
404
- var INFISICAL_RUNTIME_SURFACES = [
405
- {
406
- id: "lucern-web",
407
- delivery: "vercel_sync",
408
- sourcePathIds: ["platform-auth", "platform-runtime"],
409
- consumer: "apps/web on Vercel project lucern",
410
- description: "Lucern web consumes Clerk and runtime config via Infisical-to-Vercel syncs."
411
- },
412
- {
413
- id: "lucern-gateway",
414
- delivery: "vercel_sync",
415
- fallback: "runtime_fetch",
416
- sourcePathIds: ["platform-auth", "platform-runtime"],
417
- consumer: "apps/gateway on Vercel project lucern-gateway",
418
- description: "Lucern gateway consumes platform config via Infisical-to-Vercel syncs and may self-hydrate from Infisical when the host environment has scoped bootstrap credentials."
419
- },
420
- {
421
- id: "lucern-sdk",
422
- packageName: "@lucern/sdk",
423
- delivery: "runtime_fetch",
424
- sourcePathIds: ["platform-runtime", "platform-operator-credentials"],
425
- consumer: "server-side SDK operator contexts with a scoped Infisical identity",
426
- description: "SDK exposes the runtime Infisical resolver used by clients that have machine identity credentials."
427
- },
428
- {
429
- id: "lucern-cli",
430
- packageName: "@lucern/cli",
431
- delivery: "runtime_fetch",
432
- fallback: "device_auth",
433
- sourcePathIds: ["platform-runtime", "platform-operator-credentials"],
434
- consumer: "developer/operator CLI processes",
435
- description: "CLI hydrates runtime defaults from Infisical when configured, then authenticates users through Lucern device login."
436
- },
437
- {
438
- id: "lucern-mcp",
439
- packageName: "@lucern/mcp",
440
- delivery: "runtime_fetch",
441
- fallback: "device_auth",
442
- sourcePathIds: ["platform-runtime", "platform-operator-credentials"],
443
- consumer: "MCP server/client processes",
444
- description: "MCP hydrates runtime defaults through the SDK resolver and remains a Lucern client, not a platform secret owner."
445
- },
446
- {
447
- id: "tenant-client",
448
- delivery: "device_auth",
449
- sourcePathIds: ["tenant-shared-install"],
450
- consumer: "tenant-owned apps and coding agents",
451
- description: "Tenant clients install the published packages and receive user/service credentials through Lucern auth surfaces."
452
- }
453
- ];
454
- var INFISICAL_TENANT_SOFTWARE_SYSTEMS = [
455
- {
456
- id: "stack-frontend",
457
- tenantKey: "stack",
458
- workspaceKey: "frontend",
459
- vercelProjectName: "ai-chatbot-diao",
460
- vercelTeamId: "team_mZBKwvXSSu7qxrWdg2go29sK",
461
- vercelProjectId: "prj_PihFw8kohSSw14nZs9YQV3xVo517",
462
- vercelWriterTokenEnv: "STACK_VERCEL_TOKEN",
463
- repository: {
464
- owner: "stack-vc",
465
- name: "front-end"
466
- },
467
- sharedSourcePath: "/tenants/stack",
468
- sharedVariablePolicy: "tenant_shared_all_systems",
469
- convex: {
470
- urlEnv: "CONVEX_FRONTEND_URL",
471
- deployKeyEnv: "CONVEX_FRONTEND_DEPLOY_KEY",
472
- preprodDeployment: "rugged-lobster-664",
473
- prodDeployment: "wonderful-toucan-0"
474
- }
475
- },
476
- {
477
- id: "stackos",
478
- tenantKey: "stack",
479
- workspaceKey: "stackos",
480
- vercelProjectName: "stackos",
481
- vercelTeamId: "team_mZBKwvXSSu7qxrWdg2go29sK",
482
- vercelProjectId: "prj_rXLAL0Z6v9p1fasKbomby6GI7kau",
483
- vercelWriterTokenEnv: "STACK_VERCEL_TOKEN",
484
- repository: {
485
- owner: "stack-vc",
486
- name: "stackos"
487
- },
488
- sharedSourcePath: "/tenants/stack",
489
- sharedVariablePolicy: "tenant_shared_all_systems",
490
- convex: {
491
- urlEnv: "CONVEX_STACKOS_URL",
492
- deployKeyEnv: "CONVEX_STACKOS_DEPLOY_KEY",
493
- preprodDeployment: "giant-mandrill-761",
494
- prodDeployment: "good-snake-515"
495
- }
496
- },
497
- {
498
- id: "stack-eng",
499
- tenantKey: "stack",
500
- workspaceKey: "engineering",
501
- vercelProjectName: "stackos-engineering-graph",
502
- vercelTeamId: "team_mZBKwvXSSu7qxrWdg2go29sK",
503
- vercelProjectId: "prj_zAU0Zn9GkbHjHI63dxW4vLpmoqTJ",
504
- vercelWriterTokenEnv: "STACK_VERCEL_TOKEN",
505
- repository: {
506
- owner: "stack-vc",
507
- name: "stackos-engineering-graph"
508
- },
509
- sharedSourcePath: "/tenants/stack/engineering",
510
- sharedVariablePolicy: "tenant_shared_all_systems",
511
- convex: {
512
- urlEnv: "CONVEX_STACK_ENG_URL",
513
- deployKeyEnv: "CONVEX_STACK_ENG_DEPLOY_KEY",
514
- preprodDeployment: "small-oyster-270",
515
- prodDeployment: "bold-cuttlefish-804"
516
- }
517
- },
518
- {
519
- id: "lucern-graph",
520
- tenantKey: "lucern",
521
- workspaceKey: "lucern",
522
- vercelProjectName: "lucern-graph",
523
- vercelTeamId: "team_vTHxxs8GAoAFUe6RWMlYt7fY",
524
- vercelProjectId: "prj_KJ8EKV8vGM5xURpqmwTwmECEGPgQ",
525
- vercelWriterTokenEnv: "LUCERN_VERCEL_TOKEN",
526
- repository: {
527
- owner: "LucernAI",
528
- name: "lucern-graph"
529
- },
530
- sharedSourcePath: "/tenants/lucern/shared",
531
- sharedVariablePolicy: "tenant_shared_all_systems",
532
- convex: {
533
- urlEnv: "CONVEX_LUCERN_URL",
534
- deployKeyEnv: "CONVEX_LUCERN_DEPLOY_KEY",
535
- preprodDeployment: "good-blackbird-774",
536
- prodDeployment: "precious-dog-365"
537
- }
538
- }
539
- ];
540
- function findInfisicalTenantSoftwareSystem(systemId) {
541
- return INFISICAL_TENANT_SOFTWARE_SYSTEMS.find(
542
- (system) => system.id === systemId
543
- );
544
- }
545
- function tenantSoftwareSystemConvexEnvNames(systemId) {
546
- const system = findInfisicalTenantSoftwareSystem(systemId);
547
- if (!system) {
548
- throw new Error(`Unknown tenant software system: ${systemId}.`);
549
- }
550
- return [system.convex.urlEnv, system.convex.deployKeyEnv];
551
- }
552
- function tenantSoftwareSystemOwnsConvexEnvName(systemId, envName) {
553
- return tenantSoftwareSystemConvexEnvNames(systemId).includes(envName);
554
- }
555
- function convexTierForVercelDestinationEnvironment(environment) {
556
- return INFISICAL_CONVEX_TIER_BY_VERCEL_ENVIRONMENT[environment];
557
- }
558
- function findInfisicalVercelSyncDestination(environment) {
559
- return INFISICAL_VERCEL_SYNC_DESTINATIONS.find(
560
- (destination) => destination.environment === environment
561
- );
562
- }
563
- function vercelCustomEnvironmentIdForTenantSoftwareSystem(systemId, environment) {
564
- const system = findInfisicalTenantSoftwareSystem(systemId);
565
- const destination = findInfisicalVercelSyncDestination(environment);
566
- if (!system || !destination) {
567
- return void 0;
568
- }
569
- return destination.customEnvironmentIdsByProjectName?.[system.vercelProjectName];
570
- }
571
- function expectedTenantConvexDeploymentForVercelEnvironment(systemId, environment) {
572
- const system = findInfisicalTenantSoftwareSystem(systemId);
573
- if (!system) {
574
- throw new Error(`Unknown tenant software system: ${systemId}.`);
575
- }
576
- return convexTierForVercelDestinationEnvironment(environment) === "prod" ? system.convex.prodDeployment : system.convex.preprodDeployment;
577
- }
578
- function findInfisicalRuntimePath(pathId) {
579
- return INFISICAL_RUNTIME_PATHS.find((path) => path.id === pathId);
580
- }
581
- function findInfisicalRuntimeSurface(surfaceId) {
582
- return INFISICAL_RUNTIME_SURFACES.find((surface) => surface.id === surfaceId);
583
- }
584
- var INFISICAL_SECRET_OWNERS = [
585
- "lucern_platform",
586
- "tenant",
587
- "provider",
588
- "operator_local"
589
- ];
590
- var INFISICAL_SECRET_SCOPES = [
591
- "global",
592
- "environment",
593
- "tenant",
594
- "workspace",
595
- "software_system",
596
- "deployment",
597
- "local"
598
- ];
599
- var INFISICAL_SECRET_ENVIRONMENT_POLICIES = [
600
- "same_all_environments",
601
- "environment_specific",
602
- "preprod_staging_prod_prod",
603
- "local_only"
604
- ];
605
- var INFISICAL_SECRET_CONSUMERS = [
606
- "lucern-web",
607
- "lucern-gateway",
608
- "lucern-mcp",
609
- "lucern-cli",
610
- "lucern-ai-runtime",
611
- "lucern-graph-sync",
612
- "lucern-observability",
613
- "lucern-repo-ci",
614
- "mc-convex",
615
- "mc-operator-tooling",
616
- "tenant-vercel-app",
617
- "tenant-convex-deployment",
618
- "tenant-ai-runtime",
619
- "tenant-graph-sync",
620
- "tenant-observability",
621
- "tenant-vector-store",
622
- "tenant-deploy-tooling",
623
- "tenant-agent-runtime"
624
- ];
625
- var INFISICAL_SECRET_DESTINATION_KINDS = [
626
- "vercel",
627
- "convex",
628
- "github_actions",
629
- "runtime_fetch",
630
- "operator_local"
631
- ];
632
- var PLATFORM_SECRET_DEFINITIONS = [
633
- {
634
- id: "platform.clerk.publishable",
635
- canonicalName: "NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY",
636
- aliases: ["CLERK_PUBLISHABLE_KEY"],
637
- owner: "lucern_platform",
638
- scope: "environment",
639
- sourcePath: "/platform/auth",
640
- environmentPolicy: "environment_specific",
641
- required: true,
642
- secret: false,
643
- public: true,
644
- consumers: ["lucern-web", "lucern-gateway", "lucern-mcp"],
645
- destinations: [
646
- {
647
- kind: "vercel",
648
- target: "lucern",
649
- environmentPolicy: "environment_specific"
650
- },
651
- {
652
- kind: "vercel",
653
- target: "lucern-gateway",
654
- environmentPolicy: "environment_specific"
655
- },
656
- {
657
- kind: "runtime_fetch",
658
- target: "hosted-mcp-oauth",
659
- environmentPolicy: "environment_specific"
660
- }
661
- ],
662
- description: "Lucern-owned Clerk browser key for platform web, gateway, and hosted MCP OAuth flows."
663
- },
664
- {
665
- id: "platform.clerk.secret",
666
- canonicalName: "CLERK_SECRET_KEY",
667
- owner: "lucern_platform",
668
- scope: "environment",
669
- sourcePath: "/platform/auth",
670
- environmentPolicy: "environment_specific",
671
- required: true,
672
- secret: true,
673
- public: false,
674
- consumers: ["lucern-web", "lucern-gateway", "lucern-mcp"],
675
- destinations: [
676
- {
677
- kind: "vercel",
678
- target: "lucern",
679
- environmentPolicy: "environment_specific"
680
- },
681
- {
682
- kind: "vercel",
683
- target: "lucern-gateway",
684
- environmentPolicy: "environment_specific"
685
- },
686
- {
687
- kind: "runtime_fetch",
688
- target: "hosted-mcp-oauth",
689
- environmentPolicy: "environment_specific"
690
- }
691
- ],
692
- description: "Lucern-owned Clerk backend secret. Never route to tenant-owned apps unless that tenant is Lucern itself."
693
- },
694
- {
695
- id: "platform.clerk.project",
696
- canonicalName: "CLERK_PROJECT_ID",
697
- aliases: ["LUCERN_CLERK_PROJECT_ID"],
698
- owner: "lucern_platform",
699
- scope: "environment",
700
- sourcePath: "/platform/auth",
701
- environmentPolicy: "environment_specific",
702
- required: true,
703
- secret: false,
704
- public: false,
705
- consumers: ["lucern-gateway", "mc-convex"],
706
- destinations: [
707
- {
708
- kind: "vercel",
709
- target: "lucern-gateway",
710
- environmentPolicy: "environment_specific"
711
- },
712
- {
713
- kind: "convex",
714
- target: "master-control",
715
- environmentPolicy: "environment_specific"
716
- }
717
- ],
718
- description: "Canonical Lucern Clerk project identifier used when MC resolves Clerk identities."
719
- },
720
- {
721
- id: "platform.clerk.webhook-secret",
722
- canonicalName: "LUCERN_CLERK_WEBHOOK_SECRET",
723
- aliases: ["CLERK_WEBHOOK_SECRET", "CLERK_WEBHOOK_SIGNING_SECRET"],
724
- owner: "lucern_platform",
725
- scope: "environment",
726
- sourcePath: "/platform/auth",
727
- environmentPolicy: "environment_specific",
728
- required: true,
729
- secret: true,
730
- public: false,
731
- consumers: ["lucern-gateway"],
732
- destinations: [
733
- {
734
- kind: "vercel",
735
- target: "lucern-gateway",
736
- environmentPolicy: "environment_specific"
737
- }
738
- ],
739
- description: "Lucern-owned Clerk/Svix webhook signing secret used by the gateway to verify Clerk identity and organization events before projecting them into Permit."
740
- },
741
- {
742
- id: "platform.clerk.jwks",
743
- canonicalName: "CLERK_JWKS_URL",
744
- aliases: ["CLERK_JWT_ISSUER_DOMAIN"],
745
- owner: "lucern_platform",
746
- scope: "environment",
747
- sourcePath: "/platform/auth",
748
- environmentPolicy: "environment_specific",
749
- required: false,
750
- secret: false,
751
- public: false,
752
- consumers: ["lucern-mcp", "lucern-gateway"],
753
- destinations: [
754
- {
755
- kind: "runtime_fetch",
756
- target: "lucern-mcp",
757
- environmentPolicy: "environment_specific"
758
- },
759
- {
760
- kind: "vercel",
761
- target: "lucern-gateway",
762
- environmentPolicy: "environment_specific"
763
- }
764
- ],
765
- description: "Optional Clerk JWKS/issuer override for server-side token verification."
766
- },
767
- {
768
- id: "platform.runtime.api-base-url",
769
- canonicalName: "LUCERN_API_URL",
770
- aliases: ["LUCERN_API_BASE_URL", "LUCERN_BASE_URL"],
771
- owner: "lucern_platform",
772
- scope: "environment",
773
- sourcePath: "/platform/runtime",
774
- environmentPolicy: "environment_specific",
775
- required: true,
776
- secret: false,
777
- public: false,
778
- consumers: ["lucern-web", "lucern-gateway", "lucern-mcp", "lucern-cli"],
779
- destinations: [
780
- {
781
- kind: "vercel",
782
- target: "lucern",
783
- environmentPolicy: "environment_specific"
784
- },
785
- {
786
- kind: "vercel",
787
- target: "lucern-gateway",
788
- environmentPolicy: "environment_specific"
789
- },
790
- {
791
- kind: "runtime_fetch",
792
- target: "lucern-cli-mcp-sdk",
793
- environmentPolicy: "environment_specific"
794
- }
795
- ],
796
- description: "Canonical Lucern API gateway base URL. Older names remain aliases only."
797
- },
798
- {
799
- id: "platform.runtime.login-base-url",
800
- canonicalName: "LUCERN_LOGIN_BASE_URL",
801
- aliases: ["LUCERN_AUTH_BASE_URL", "LUCERN_WEB_BASE_URL"],
802
- owner: "lucern_platform",
803
- scope: "environment",
804
- sourcePath: "/platform/runtime",
805
- environmentPolicy: "environment_specific",
806
- required: false,
807
- secret: false,
808
- public: false,
809
- consumers: ["lucern-gateway", "lucern-mcp", "lucern-cli"],
810
- destinations: [
811
- {
812
- kind: "vercel",
813
- target: "lucern-gateway",
814
- environmentPolicy: "environment_specific"
815
- },
816
- {
817
- kind: "runtime_fetch",
818
- target: "lucern-cli-mcp-sdk",
819
- environmentPolicy: "environment_specific"
820
- }
821
- ],
822
- description: "Browser login origin used when device/OAuth login is not served by the API base URL."
823
- },
824
- {
825
- id: "platform.runtime.environment",
826
- canonicalName: "LUCERN_ENVIRONMENT",
827
- aliases: ["LUCERN_ENV"],
828
- owner: "lucern_platform",
829
- scope: "environment",
830
- sourcePath: "/platform/runtime",
831
- environmentPolicy: "environment_specific",
832
- required: false,
833
- secret: false,
834
- public: false,
835
- consumers: ["lucern-web", "lucern-gateway", "lucern-mcp", "lucern-cli"],
836
- destinations: [
837
- {
838
- kind: "vercel",
839
- target: "lucern",
840
- environmentPolicy: "environment_specific"
841
- },
842
- {
843
- kind: "vercel",
844
- target: "lucern-gateway",
845
- environmentPolicy: "environment_specific"
846
- },
847
- {
848
- kind: "runtime_fetch",
849
- target: "lucern-cli-mcp-sdk",
850
- environmentPolicy: "environment_specific"
851
- }
852
- ],
853
- description: "Lucern runtime environment label."
854
- },
855
- {
856
- id: "platform.runtime.require-deployment-host-registry",
857
- canonicalName: "LUCERN_REQUIRE_DEPLOYMENT_HOST_REGISTRY",
858
- owner: "lucern_platform",
859
- scope: "environment",
860
- sourcePath: "/platform/runtime",
861
- environmentPolicy: "environment_specific",
862
- required: false,
863
- secret: false,
864
- public: false,
865
- consumers: ["lucern-gateway"],
866
- destinations: [
867
- {
868
- kind: "vercel",
869
- target: "lucern-gateway",
870
- environmentPolicy: "environment_specific"
871
- },
872
- {
873
- kind: "operator_local",
874
- target: "lucern-repo",
875
- environmentPolicy: "environment_specific"
876
- }
877
- ],
878
- description: "Fail-closed gateway toggle that requires MC deployment host registry resolution before routing."
879
- },
880
- {
881
- id: "platform.mc.convex-url",
882
- canonicalName: "CONVEX_MC_URL",
883
- aliases: [
884
- "CONVEX_MC_PROD_URL",
885
- "LUCERN_ADMIN_CONVEX_URL",
886
- "LUCERN_CONVEX_URL",
887
- "MC_CONVEX_URL"
888
- ],
889
- owner: "lucern_platform",
890
- scope: "environment",
891
- sourcePath: "/platform/mc",
892
- environmentPolicy: "environment_specific",
893
- required: true,
894
- secret: false,
895
- public: false,
896
- consumers: ["lucern-gateway", "mc-operator-tooling", "lucern-repo-ci"],
897
- destinations: [
898
- {
899
- kind: "vercel",
900
- target: "lucern-gateway",
901
- environmentPolicy: "environment_specific"
902
- },
903
- {
904
- kind: "github_actions",
905
- target: "LucernAI/lucern",
906
- environmentPolicy: "environment_specific"
907
- },
908
- {
909
- kind: "operator_local",
910
- target: "lucern-repo",
911
- environmentPolicy: "environment_specific"
912
- }
913
- ],
914
- description: "Master Control Convex URL. Prod must point to successful-clam-833; dev/staging to utmost-ox-403."
915
- },
916
- {
917
- id: "platform.mc.convex-deploy-key",
918
- canonicalName: "CONVEX_MC_DEPLOY_KEY",
919
- aliases: [
920
- "CONVEX_MC_PROD_DEPLOY_KEY",
921
- "LUCERN_ADMIN_DEPLOY_KEY",
922
- "LUCERN_DEPLOY_KEY",
923
- "MC_DEPLOY_KEY",
924
- "MC_PROD_DEPLOY_KEY"
925
- ],
926
- owner: "lucern_platform",
927
- scope: "environment",
928
- sourcePath: "/platform/mc",
929
- environmentPolicy: "environment_specific",
930
- required: true,
931
- secret: true,
932
- public: false,
933
- consumers: ["lucern-gateway", "mc-operator-tooling", "lucern-repo-ci"],
934
- destinations: [
935
- {
936
- kind: "vercel",
937
- target: "lucern-gateway",
938
- environmentPolicy: "environment_specific"
939
- },
940
- {
941
- kind: "github_actions",
942
- target: "LucernAI/lucern",
943
- environmentPolicy: "environment_specific"
944
- },
945
- {
946
- kind: "operator_local",
947
- target: "lucern-repo",
948
- environmentPolicy: "environment_specific"
949
- }
950
- ],
951
- description: "Master Control deploy/admin key. Never route to tenant Vercel projects or tenant Convex deployments."
952
- },
953
- {
954
- id: "platform.mc.session-token-secret",
955
- canonicalName: "LUCERN_SESSION_TOKEN_SECRET",
956
- owner: "lucern_platform",
957
- scope: "environment",
958
- sourcePath: "/platform/mc",
959
- environmentPolicy: "environment_specific",
960
- required: true,
961
- secret: true,
962
- public: false,
963
- consumers: ["lucern-mcp", "mc-convex", "lucern-gateway"],
964
- destinations: [
965
- {
966
- kind: "convex",
967
- target: "master-control",
968
- environmentPolicy: "environment_specific"
969
- },
970
- {
971
- kind: "runtime_fetch",
972
- target: "hosted-mcp-oauth",
973
- environmentPolicy: "environment_specific"
974
- },
975
- {
976
- kind: "vercel",
977
- target: "lucern-gateway",
978
- environmentPolicy: "environment_specific"
979
- }
980
- ],
981
- description: "Signs Lucern platform session/delegation tokens. This is platform-owned, not tenant-owned."
982
- },
983
- {
984
- id: "platform.mc.tenant-secret-encryption-key",
985
- canonicalName: "LUCERN_TENANT_SECRET_ENCRYPTION_KEY",
986
- aliases: ["LUCERN_SESSION_TOKEN_SECRET"],
987
- owner: "lucern_platform",
988
- scope: "environment",
989
- sourcePath: "/platform/mc",
990
- environmentPolicy: "environment_specific",
991
- required: true,
992
- secret: true,
993
- public: false,
994
- consumers: ["mc-convex", "mc-operator-tooling"],
995
- destinations: [
996
- {
997
- kind: "convex",
998
- target: "master-control",
999
- environmentPolicy: "environment_specific"
1000
- },
1001
- {
1002
- kind: "operator_local",
1003
- target: "mc-credential-maintenance",
1004
- environmentPolicy: "environment_specific"
1005
- }
1006
- ],
1007
- description: "Encrypts tenant deployment credentials stored in MC. Session-token fallback is legacy only."
1008
- },
1009
- {
1010
- id: "platform.permit.api-key",
1011
- canonicalName: "LUCERN_PERMIT_API_KEY",
1012
- aliases: ["PERMIT_API_KEY"],
1013
- owner: "lucern_platform",
1014
- scope: "environment",
1015
- sourcePath: "/platform/permit",
1016
- environmentPolicy: "environment_specific",
1017
- required: true,
1018
- secret: true,
1019
- public: false,
1020
- consumers: ["mc-convex", "lucern-mcp", "lucern-gateway"],
1021
- destinations: [
1022
- {
1023
- kind: "convex",
1024
- target: "master-control",
1025
- environmentPolicy: "environment_specific"
1026
- },
1027
- {
1028
- kind: "runtime_fetch",
1029
- target: "hosted-mcp-oauth",
1030
- environmentPolicy: "environment_specific"
1031
- },
1032
- {
1033
- kind: "vercel",
1034
- target: "lucern-gateway",
1035
- environmentPolicy: "environment_specific"
1036
- }
1037
- ],
1038
- description: "Permit.io API key used for MC sync and policy checks. Must fail closed if missing."
1039
- },
1040
- {
1041
- id: "platform.permit.webhook-secret",
1042
- canonicalName: "LUCERN_PERMIT_WEBHOOK_SECRET",
1043
- aliases: ["PERMIT_WEBHOOK_SECRET"],
1044
- owner: "lucern_platform",
1045
- scope: "environment",
1046
- sourcePath: "/platform/permit",
1047
- environmentPolicy: "environment_specific",
1048
- required: true,
1049
- secret: true,
1050
- public: false,
1051
- consumers: ["mc-convex", "lucern-gateway", "mc-operator-tooling"],
1052
- destinations: [
1053
- {
1054
- kind: "convex",
1055
- target: "master-control",
1056
- environmentPolicy: "environment_specific"
1057
- },
1058
- {
1059
- kind: "vercel",
1060
- target: "lucern-gateway",
1061
- environmentPolicy: "environment_specific"
1062
- },
1063
- {
1064
- kind: "operator_local",
1065
- target: "mc-credential-maintenance",
1066
- environmentPolicy: "environment_specific"
1067
- }
1068
- ],
1069
- description: "Permit.io webhook secret used by gateway and MC webhook handlers. Must fail closed if missing."
1070
- },
1071
- {
1072
- id: "platform.permit.pdp-url",
1073
- canonicalName: "LUCERN_PERMIT_PDP_URL",
1074
- aliases: ["PERMIT_PDP_URL"],
1075
- owner: "lucern_platform",
1076
- scope: "environment",
1077
- sourcePath: "/platform/permit",
1078
- environmentPolicy: "environment_specific",
1079
- required: false,
1080
- secret: false,
1081
- public: false,
1082
- consumers: ["mc-convex", "lucern-mcp", "lucern-gateway"],
1083
- destinations: [
1084
- {
1085
- kind: "convex",
1086
- target: "master-control",
1087
- environmentPolicy: "environment_specific"
1088
- },
1089
- {
1090
- kind: "runtime_fetch",
1091
- target: "hosted-mcp-oauth",
1092
- environmentPolicy: "environment_specific"
1093
- },
1094
- {
1095
- kind: "vercel",
1096
- target: "lucern-gateway",
1097
- environmentPolicy: "environment_specific"
1098
- }
1099
- ],
1100
- description: "Optional Permit PDP URL override."
1101
- },
1102
- {
1103
- id: "platform.permit.api-url",
1104
- canonicalName: "LUCERN_PERMIT_API_URL",
1105
- aliases: ["PERMIT_API_URL"],
1106
- owner: "lucern_platform",
1107
- scope: "environment",
1108
- sourcePath: "/platform/permit",
1109
- environmentPolicy: "environment_specific",
1110
- required: false,
1111
- secret: false,
1112
- public: false,
1113
- consumers: ["mc-convex", "lucern-mcp", "lucern-gateway"],
1114
- destinations: [
1115
- {
1116
- kind: "convex",
1117
- target: "master-control",
1118
- environmentPolicy: "environment_specific"
1119
- },
1120
- {
1121
- kind: "runtime_fetch",
1122
- target: "hosted-mcp-oauth",
1123
- environmentPolicy: "environment_specific"
1124
- },
1125
- {
1126
- kind: "vercel",
1127
- target: "lucern-gateway",
1128
- environmentPolicy: "environment_specific"
1129
- }
1130
- ],
1131
- description: "Optional Permit API URL override."
1132
- },
1133
- {
1134
- id: "platform.ci.infisical-bootstrap-client-id",
1135
- canonicalName: "INFISICAL_BOOTSTRAP_CLIENT_ID",
1136
- aliases: ["INFISICAL_CI_CLIENT_ID"],
1137
- owner: "provider",
1138
- scope: "environment",
1139
- sourcePath: "/platform/ci",
1140
- environmentPolicy: "same_all_environments",
1141
- required: true,
1142
- secret: true,
1143
- public: false,
1144
- consumers: ["lucern-repo-ci"],
1145
- destinations: [
1146
- {
1147
- kind: "github_actions",
1148
- target: "LucernAI/lucern",
1149
- environmentPolicy: "same_all_environments"
1150
- }
1151
- ],
1152
- description: "Machine identity client id used by CI to reconcile Infisical desired state."
1153
- },
1154
- {
1155
- id: "platform.ci.infisical-bootstrap-client-secret",
1156
- canonicalName: "INFISICAL_BOOTSTRAP_CLIENT_SECRET",
1157
- aliases: ["INFISICAL_CI_CLIENT_SECRET"],
1158
- owner: "provider",
1159
- scope: "environment",
1160
- sourcePath: "/platform/ci",
1161
- environmentPolicy: "same_all_environments",
1162
- required: true,
1163
- secret: true,
1164
- public: false,
1165
- consumers: ["lucern-repo-ci"],
1166
- destinations: [
1167
- {
1168
- kind: "github_actions",
1169
- target: "LucernAI/lucern",
1170
- environmentPolicy: "same_all_environments"
1171
- }
1172
- ],
1173
- description: "Machine identity client secret used by CI to reconcile Infisical desired state."
1174
- },
1175
- {
1176
- id: "platform.publish.npm-token",
1177
- canonicalName: "NPM_TOKEN",
1178
- aliases: ["NODE_AUTH_TOKEN"],
1179
- owner: "provider",
1180
- scope: "environment",
1181
- sourcePath: "/platform/publish",
1182
- environmentPolicy: "same_all_environments",
1183
- required: true,
1184
- secret: true,
1185
- public: false,
1186
- consumers: ["lucern-repo-ci"],
1187
- destinations: [
1188
- {
1189
- kind: "github_actions",
1190
- target: "LucernAI/lucern",
1191
- environmentPolicy: "same_all_environments"
1192
- }
1193
- ],
1194
- description: "Package publish/install token for @lucern/* release automation."
1195
- }
1196
- ];
1197
- var PLATFORM_AI_SECRET_DEFINITIONS = [
1198
- {
1199
- id: "platform.ai.openai-api-key",
1200
- canonicalName: "OPENAI_API_KEY",
1201
- owner: "lucern_platform",
1202
- scope: "environment",
1203
- sourcePath: "/platform/ai",
1204
- environmentPolicy: "environment_specific",
1205
- required: false,
1206
- secret: true,
1207
- public: false,
1208
- consumers: ["lucern-ai-runtime", "lucern-repo-ci"],
1209
- destinations: [
1210
- {
1211
- kind: "runtime_fetch",
1212
- target: "lucern-ai-runtime",
1213
- environmentPolicy: "environment_specific"
1214
- },
1215
- {
1216
- kind: "github_actions",
1217
- target: "LucernAI/lucern",
1218
- environmentPolicy: "environment_specific"
1219
- }
1220
- ],
1221
- description: "Lucern-owned OpenAI key for platform AI jobs, benchmarks, and controlled operator automation."
1222
- },
1223
- {
1224
- id: "platform.ai.anthropic-api-key",
1225
- canonicalName: "ANTHROPIC_API_KEY",
1226
- owner: "lucern_platform",
1227
- scope: "environment",
1228
- sourcePath: "/platform/ai",
1229
- environmentPolicy: "environment_specific",
1230
- required: false,
1231
- secret: true,
1232
- public: false,
1233
- consumers: ["lucern-ai-runtime", "lucern-repo-ci"],
1234
- destinations: [
1235
- {
1236
- kind: "runtime_fetch",
1237
- target: "lucern-ai-runtime",
1238
- environmentPolicy: "environment_specific"
1239
- },
1240
- {
1241
- kind: "github_actions",
1242
- target: "LucernAI/lucern",
1243
- environmentPolicy: "environment_specific"
1244
- }
1245
- ],
1246
- description: "Lucern-owned Anthropic key for platform AI jobs, benchmarks, and controlled operator automation."
1247
- },
1248
- {
1249
- id: "platform.ai.gemini-api-key",
1250
- canonicalName: "GEMINI_API_KEY",
1251
- aliases: ["GOOGLE_AI_API_KEY", "GOOGLE_GENERATIVE_AI_API_KEY"],
1252
- owner: "lucern_platform",
1253
- scope: "environment",
1254
- sourcePath: "/platform/ai",
1255
- environmentPolicy: "environment_specific",
1256
- required: false,
1257
- secret: true,
1258
- public: false,
1259
- consumers: ["lucern-ai-runtime", "lucern-repo-ci"],
1260
- destinations: [
1261
- {
1262
- kind: "runtime_fetch",
1263
- target: "lucern-ai-runtime",
1264
- environmentPolicy: "environment_specific"
1265
- },
1266
- {
1267
- kind: "github_actions",
1268
- target: "LucernAI/lucern",
1269
- environmentPolicy: "environment_specific"
1270
- }
1271
- ],
1272
- description: "Lucern-owned Google/Gemini key. Google alias names are read compatibility only."
1273
- }
1274
- ];
1275
- var PLATFORM_LANGFUSE_SECRET_DEFINITIONS = [
1276
- {
1277
- id: "platform.langfuse.secret-key",
1278
- canonicalName: "LANGFUSE_SECRET_KEY",
1279
- owner: "lucern_platform",
1280
- scope: "environment",
1281
- sourcePath: "/platform/observability/langfuse",
1282
- environmentPolicy: "environment_specific",
1283
- required: false,
1284
- secret: true,
1285
- public: false,
1286
- consumers: ["lucern-ai-runtime", "lucern-observability", "lucern-repo-ci"],
1287
- destinations: [
1288
- {
1289
- kind: "runtime_fetch",
1290
- target: "lucern-ai-runtime",
1291
- environmentPolicy: "environment_specific"
1292
- },
1293
- {
1294
- kind: "github_actions",
1295
- target: "LucernAI/lucern",
1296
- environmentPolicy: "environment_specific"
1297
- }
1298
- ],
1299
- description: "Lucern-owned Langfuse secret key for prompt sync, prompt reads, and AI tracing."
1300
- },
1301
- {
1302
- id: "platform.langfuse.public-key",
1303
- canonicalName: "LANGFUSE_PUBLIC_KEY",
1304
- owner: "lucern_platform",
1305
- scope: "environment",
1306
- sourcePath: "/platform/observability/langfuse",
1307
- environmentPolicy: "environment_specific",
1308
- required: false,
1309
- secret: false,
1310
- public: false,
1311
- consumers: ["lucern-ai-runtime", "lucern-observability", "lucern-repo-ci"],
1312
- destinations: [
1313
- {
1314
- kind: "runtime_fetch",
1315
- target: "lucern-ai-runtime",
1316
- environmentPolicy: "environment_specific"
1317
- },
1318
- {
1319
- kind: "github_actions",
1320
- target: "LucernAI/lucern",
1321
- environmentPolicy: "environment_specific"
1322
- }
1323
- ],
1324
- description: "Lucern-owned Langfuse public key paired with LANGFUSE_SECRET_KEY."
1325
- },
1326
- {
1327
- id: "platform.langfuse.base-url",
1328
- canonicalName: "LANGFUSE_BASE_URL",
1329
- aliases: ["LANGFUSE_BASEURL", "LANGFUSE_HOST"],
1330
- owner: "lucern_platform",
1331
- scope: "environment",
1332
- sourcePath: "/platform/observability/langfuse",
1333
- environmentPolicy: "environment_specific",
1334
- required: false,
1335
- secret: false,
1336
- public: false,
1337
- consumers: ["lucern-ai-runtime", "lucern-observability", "lucern-repo-ci"],
1338
- destinations: [
1339
- {
1340
- kind: "runtime_fetch",
1341
- target: "lucern-ai-runtime",
1342
- environmentPolicy: "environment_specific"
1343
- },
1344
- {
1345
- kind: "github_actions",
1346
- target: "LucernAI/lucern",
1347
- environmentPolicy: "environment_specific"
1348
- }
1349
- ],
1350
- description: "Canonical Langfuse API origin. BASEURL/HOST are compatibility aliases."
1351
- }
1352
- ];
1353
- var PLATFORM_GRAPH_STORE_SECRET_DEFINITIONS = [
1354
- {
1355
- id: "platform.neo4j.uri",
1356
- canonicalName: "NEO4J_URI",
1357
- owner: "lucern_platform",
1358
- scope: "environment",
1359
- sourcePath: "/platform/graph/neo4j",
1360
- environmentPolicy: "environment_specific",
1361
- required: false,
1362
- secret: false,
1363
- public: false,
1364
- consumers: ["lucern-graph-sync", "lucern-repo-ci"],
1365
- destinations: [
1366
- {
1367
- kind: "runtime_fetch",
1368
- target: "lucern-graph-sync",
1369
- environmentPolicy: "environment_specific"
1370
- },
1371
- {
1372
- kind: "github_actions",
1373
- target: "LucernAI/lucern",
1374
- environmentPolicy: "environment_specific"
1375
- }
1376
- ],
1377
- description: "Lucern-owned Neo4j URI for platform graph-sync surfaces."
1378
- },
1379
- {
1380
- id: "platform.neo4j.user",
1381
- canonicalName: "NEO4J_USER",
1382
- aliases: ["NEO4J_USERNAME"],
1383
- owner: "lucern_platform",
1384
- scope: "environment",
1385
- sourcePath: "/platform/graph/neo4j",
1386
- environmentPolicy: "environment_specific",
1387
- required: false,
1388
- secret: false,
1389
- public: false,
1390
- consumers: ["lucern-graph-sync", "lucern-repo-ci"],
1391
- destinations: [
1392
- {
1393
- kind: "runtime_fetch",
1394
- target: "lucern-graph-sync",
1395
- environmentPolicy: "environment_specific"
1396
- },
1397
- {
1398
- kind: "github_actions",
1399
- target: "LucernAI/lucern",
1400
- environmentPolicy: "environment_specific"
1401
- }
1402
- ],
1403
- description: "Lucern-owned Neo4j username for platform graph-sync surfaces."
1404
- },
1405
- {
1406
- id: "platform.neo4j.password",
1407
- canonicalName: "NEO4J_PASSWORD",
1408
- owner: "lucern_platform",
1409
- scope: "environment",
1410
- sourcePath: "/platform/graph/neo4j",
1411
- environmentPolicy: "environment_specific",
1412
- required: false,
1413
- secret: true,
1414
- public: false,
1415
- consumers: ["lucern-graph-sync", "lucern-repo-ci"],
1416
- destinations: [
1417
- {
1418
- kind: "runtime_fetch",
1419
- target: "lucern-graph-sync",
1420
- environmentPolicy: "environment_specific"
1421
- },
1422
- {
1423
- kind: "github_actions",
1424
- target: "LucernAI/lucern",
1425
- environmentPolicy: "environment_specific"
1426
- }
1427
- ],
1428
- description: "Lucern-owned Neo4j password for platform graph-sync surfaces."
1429
- },
1430
- {
1431
- id: "platform.neo4j.sync-secret",
1432
- canonicalName: "NEO4J_SYNC_SECRET",
1433
- owner: "lucern_platform",
1434
- scope: "environment",
1435
- sourcePath: "/platform/graph/neo4j",
1436
- environmentPolicy: "environment_specific",
1437
- required: false,
1438
- secret: true,
1439
- public: false,
1440
- consumers: ["lucern-graph-sync", "lucern-repo-ci"],
1441
- destinations: [
1442
- {
1443
- kind: "runtime_fetch",
1444
- target: "lucern-graph-sync",
1445
- environmentPolicy: "environment_specific"
1446
- },
1447
- {
1448
- kind: "github_actions",
1449
- target: "LucernAI/lucern",
1450
- environmentPolicy: "environment_specific"
1451
- }
1452
- ],
1453
- description: "Shared secret protecting Lucern-owned graph-sync HTTP/query proxy calls."
1454
- },
1455
- {
1456
- id: "platform.neo4j.database",
1457
- canonicalName: "NEO4J_DATABASE",
1458
- owner: "lucern_platform",
1459
- scope: "environment",
1460
- sourcePath: "/platform/graph/neo4j",
1461
- environmentPolicy: "environment_specific",
1462
- required: false,
1463
- secret: false,
1464
- public: false,
1465
- consumers: ["lucern-graph-sync", "lucern-repo-ci"],
1466
- destinations: [
1467
- {
1468
- kind: "runtime_fetch",
1469
- target: "lucern-graph-sync",
1470
- environmentPolicy: "environment_specific"
1471
- },
1472
- {
1473
- kind: "github_actions",
1474
- target: "LucernAI/lucern",
1475
- environmentPolicy: "environment_specific"
1476
- }
1477
- ],
1478
- description: "Optional Neo4j database name for Lucern-owned graph-sync surfaces."
1479
- }
1480
- ];
1481
- var PLATFORM_VECTOR_STORE_SECRET_DEFINITIONS = [
1482
- {
1483
- id: "platform.pinecone.api-key",
1484
- canonicalName: "PINECONE_API_KEY",
1485
- owner: "lucern_platform",
1486
- scope: "environment",
1487
- sourcePath: "/platform/vector/pinecone",
1488
- environmentPolicy: "environment_specific",
1489
- required: false,
1490
- secret: true,
1491
- public: false,
1492
- consumers: ["lucern-ai-runtime", "lucern-repo-ci"],
1493
- destinations: [
1494
- {
1495
- kind: "runtime_fetch",
1496
- target: "lucern-ai-runtime",
1497
- environmentPolicy: "environment_specific"
1498
- },
1499
- {
1500
- kind: "github_actions",
1501
- target: "LucernAI/lucern",
1502
- environmentPolicy: "environment_specific"
1503
- }
1504
- ],
1505
- description: "Lucern-owned Pinecone API key for platform vector search."
1506
- },
1507
- {
1508
- id: "platform.pinecone.index-name",
1509
- canonicalName: "PINECONE_INDEX_NAME",
1510
- aliases: ["PINECONE_INDEX"],
1511
- owner: "lucern_platform",
1512
- scope: "environment",
1513
- sourcePath: "/platform/vector/pinecone",
1514
- environmentPolicy: "environment_specific",
1515
- required: false,
1516
- secret: false,
1517
- public: false,
1518
- consumers: ["lucern-ai-runtime", "lucern-repo-ci"],
1519
- destinations: [
1520
- {
1521
- kind: "runtime_fetch",
1522
- target: "lucern-ai-runtime",
1523
- environmentPolicy: "environment_specific"
1524
- },
1525
- {
1526
- kind: "github_actions",
1527
- target: "LucernAI/lucern",
1528
- environmentPolicy: "environment_specific"
1529
- }
1530
- ],
1531
- description: "Lucern-owned Pinecone index name."
1532
- },
1533
- {
1534
- id: "platform.pinecone.host",
1535
- canonicalName: "PINECONE_HOST",
1536
- aliases: ["PINECONE_INDEX_HOST"],
1537
- owner: "lucern_platform",
1538
- scope: "environment",
1539
- sourcePath: "/platform/vector/pinecone",
1540
- environmentPolicy: "environment_specific",
1541
- required: false,
1542
- secret: false,
1543
- public: false,
1544
- consumers: ["lucern-ai-runtime", "lucern-repo-ci"],
1545
- destinations: [
1546
- {
1547
- kind: "runtime_fetch",
1548
- target: "lucern-ai-runtime",
1549
- environmentPolicy: "environment_specific"
1550
- },
1551
- {
1552
- kind: "github_actions",
1553
- target: "LucernAI/lucern",
1554
- environmentPolicy: "environment_specific"
1555
- }
1556
- ],
1557
- description: "Lucern-owned Pinecone host/index host."
1558
- }
1559
- ];
1560
- var PLATFORM_SENTRY_SECRET_DEFINITIONS = [
1561
- {
1562
- id: "platform.sentry.dsn",
1563
- canonicalName: "NEXT_PUBLIC_SENTRY_DSN",
1564
- aliases: ["SENTRY_DSN", "NEXT_PUBLIC_SENTRY_DSN_NEXTJS"],
1565
- owner: "provider",
1566
- scope: "environment",
1567
- sourcePath: "/platform/observability/sentry",
1568
- environmentPolicy: "environment_specific",
1569
- required: false,
1570
- secret: false,
1571
- public: true,
1572
- consumers: ["lucern-web", "lucern-gateway", "lucern-observability"],
1573
- destinations: [
1574
- {
1575
- kind: "vercel",
1576
- target: "lucern",
1577
- environmentPolicy: "environment_specific"
1578
- },
1579
- {
1580
- kind: "vercel",
1581
- target: "lucern-gateway",
1582
- environmentPolicy: "environment_specific"
1583
- }
1584
- ],
1585
- description: "Lucern-owned Sentry DSN for browser/server error telemetry."
1586
- },
1587
- {
1588
- id: "platform.sentry.auth-token",
1589
- canonicalName: "SENTRY_AUTH_TOKEN",
1590
- owner: "provider",
1591
- scope: "environment",
1592
- sourcePath: "/platform/observability/sentry",
1593
- environmentPolicy: "same_all_environments",
1594
- required: false,
1595
- secret: true,
1596
- public: false,
1597
- consumers: ["lucern-repo-ci", "lucern-observability"],
1598
- destinations: [
1599
- {
1600
- kind: "github_actions",
1601
- target: "LucernAI/lucern",
1602
- environmentPolicy: "same_all_environments"
1603
- },
1604
- {
1605
- kind: "vercel",
1606
- target: "lucern",
1607
- environmentPolicy: "same_all_environments"
1608
- }
1609
- ],
1610
- description: "Sentry release-upload token. Runtime services must not use it for authorization."
1611
- },
1612
- {
1613
- id: "platform.sentry.org",
1614
- canonicalName: "SENTRY_ORG",
1615
- aliases: ["SENTRY_ORG_SLUG"],
1616
- owner: "provider",
1617
- scope: "global",
1618
- sourcePath: "/platform/observability/sentry",
1619
- environmentPolicy: "same_all_environments",
1620
- required: false,
1621
- secret: false,
1622
- public: false,
1623
- consumers: ["lucern-repo-ci", "lucern-observability"],
1624
- destinations: [
1625
- {
1626
- kind: "github_actions",
1627
- target: "LucernAI/lucern",
1628
- environmentPolicy: "same_all_environments"
1629
- },
1630
- {
1631
- kind: "vercel",
1632
- target: "lucern",
1633
- environmentPolicy: "same_all_environments"
1634
- }
1635
- ],
1636
- description: "Sentry organization slug for Lucern release uploads."
1637
- },
1638
- {
1639
- id: "platform.sentry.project",
1640
- canonicalName: "SENTRY_PROJECT",
1641
- aliases: ["SENTRY_PROJECT_NEXTJS"],
1642
- owner: "provider",
1643
- scope: "global",
1644
- sourcePath: "/platform/observability/sentry",
1645
- environmentPolicy: "same_all_environments",
1646
- required: false,
1647
- secret: false,
1648
- public: false,
1649
- consumers: ["lucern-repo-ci", "lucern-observability"],
1650
- destinations: [
1651
- {
1652
- kind: "github_actions",
1653
- target: "LucernAI/lucern",
1654
- environmentPolicy: "same_all_environments"
1655
- },
1656
- {
1657
- kind: "vercel",
1658
- target: "lucern",
1659
- environmentPolicy: "same_all_environments"
1660
- }
1661
- ],
1662
- description: "Sentry project slug for Lucern release uploads."
1663
- },
1664
- {
1665
- id: "platform.sentry.environment",
1666
- canonicalName: "SENTRY_ENVIRONMENT",
1667
- aliases: ["NEXT_PUBLIC_SENTRY_ENVIRONMENT"],
1668
- owner: "provider",
1669
- scope: "environment",
1670
- sourcePath: "/platform/observability/sentry",
1671
- environmentPolicy: "environment_specific",
1672
- required: false,
1673
- secret: false,
1674
- public: false,
1675
- consumers: ["lucern-web", "lucern-gateway", "lucern-observability"],
1676
- destinations: [
1677
- {
1678
- kind: "vercel",
1679
- target: "lucern",
1680
- environmentPolicy: "environment_specific",
1681
- writeNames: ["SENTRY_ENVIRONMENT", "NEXT_PUBLIC_SENTRY_ENVIRONMENT"]
1682
- },
1683
- {
1684
- kind: "vercel",
1685
- target: "lucern-gateway",
1686
- environmentPolicy: "environment_specific"
1687
- }
1688
- ],
1689
- description: "Lucern-owned Sentry environment label."
1690
- },
1691
- {
1692
- id: "platform.sentry.release",
1693
- canonicalName: "SENTRY_RELEASE",
1694
- aliases: ["NEXT_PUBLIC_SENTRY_RELEASE"],
1695
- owner: "provider",
1696
- scope: "environment",
1697
- sourcePath: "/platform/observability/sentry",
1698
- environmentPolicy: "environment_specific",
1699
- required: false,
1700
- secret: false,
1701
- public: false,
1702
- consumers: ["lucern-web", "lucern-gateway", "lucern-observability"],
1703
- destinations: [
1704
- {
1705
- kind: "vercel",
1706
- target: "lucern",
1707
- environmentPolicy: "environment_specific",
1708
- writeNames: ["SENTRY_RELEASE", "NEXT_PUBLIC_SENTRY_RELEASE"]
1709
- },
1710
- {
1711
- kind: "vercel",
1712
- target: "lucern-gateway",
1713
- environmentPolicy: "environment_specific"
1714
- }
1715
- ],
1716
- description: "Lucern-owned Sentry release name."
1717
- }
1718
- ];
1719
- var PLATFORM_DEPLOY_AUTOMATION_SECRET_DEFINITIONS = [
1720
- {
1721
- id: "platform.deploy.vercel-token",
1722
- canonicalName: "VERCEL_TOKEN",
1723
- owner: "provider",
1724
- scope: "global",
1725
- sourcePath: "/platform/deploy/vercel",
1726
- environmentPolicy: "same_all_environments",
1727
- required: false,
1728
- secret: true,
1729
- public: false,
1730
- consumers: ["lucern-repo-ci"],
1731
- destinations: [
1732
- {
1733
- kind: "github_actions",
1734
- target: "LucernAI/lucern",
1735
- environmentPolicy: "same_all_environments"
1736
- },
1737
- {
1738
- kind: "operator_local",
1739
- target: "secret-sync-writer",
1740
- environmentPolicy: "same_all_environments"
1741
- }
1742
- ],
1743
- description: "Vercel API token for the future reviewed live writer. Never copy into tenant apps."
1744
- },
1745
- {
1746
- id: "platform.deploy.vercel-token.stack",
1747
- canonicalName: "STACK_VERCEL_TOKEN",
1748
- owner: "provider",
1749
- scope: "global",
1750
- sourcePath: "/platform/deploy/vercel",
1751
- environmentPolicy: "same_all_environments",
1752
- required: false,
1753
- secret: true,
1754
- public: false,
1755
- consumers: ["lucern-repo-ci"],
1756
- destinations: [
1757
- {
1758
- kind: "operator_local",
1759
- target: "secret-sync-writer",
1760
- environmentPolicy: "same_all_environments"
1761
- }
1762
- ],
1763
- description: "Stack Vercel API token for manifest-scoped Stack tenant Vercel secret sync. Never copy into tenant apps."
1764
- },
1765
- {
1766
- id: "platform.deploy.vercel-token.lucern",
1767
- canonicalName: "LUCERN_VERCEL_TOKEN",
1768
- owner: "provider",
1769
- scope: "global",
1770
- sourcePath: "/platform/deploy/vercel",
1771
- environmentPolicy: "same_all_environments",
1772
- required: false,
1773
- secret: true,
1774
- public: false,
1775
- consumers: ["lucern-repo-ci"],
1776
- destinations: [
1777
- {
1778
- kind: "operator_local",
1779
- target: "secret-sync-writer",
1780
- environmentPolicy: "same_all_environments"
1781
- }
1782
- ],
1783
- description: "Lucern Vercel API token for manifest-scoped Lucern tenant Vercel secret sync. Never copy into tenant apps."
1784
- },
1785
- {
1786
- id: "platform.deploy.vercel-org-id",
1787
- canonicalName: "VERCEL_ORG_ID",
1788
- owner: "provider",
1789
- scope: "global",
1790
- sourcePath: "/platform/deploy/vercel",
1791
- environmentPolicy: "same_all_environments",
1792
- required: false,
1793
- secret: false,
1794
- public: false,
1795
- consumers: ["lucern-repo-ci"],
1796
- destinations: [
1797
- {
1798
- kind: "github_actions",
1799
- target: "LucernAI/lucern",
1800
- environmentPolicy: "same_all_environments"
1801
- },
1802
- {
1803
- kind: "operator_local",
1804
- target: "secret-sync-writer",
1805
- environmentPolicy: "same_all_environments"
1806
- }
1807
- ],
1808
- description: "Vercel team/org id used by deployment and sync automation."
1809
- }
1810
- ];
1811
- var PLATFORM_LOCAL_OPERATOR_CONFIG_SECRET_DEFINITIONS = [
1812
- {
1813
- id: "platform.docs.gap-audit-api-key",
1814
- canonicalName: "DOC_GAP_AUDIT_API_KEY",
1815
- owner: "lucern_platform",
1816
- scope: "environment",
1817
- sourcePath: "/platform/docs",
1818
- environmentPolicy: "environment_specific",
1819
- required: false,
1820
- secret: true,
1821
- public: false,
1822
- consumers: ["lucern-repo-ci"],
1823
- destinations: [
1824
- {
1825
- kind: "github_actions",
1826
- target: "LucernAI/lucern",
1827
- environmentPolicy: "environment_specific"
1828
- },
1829
- {
1830
- kind: "operator_local",
1831
- target: "lucern-repo",
1832
- environmentPolicy: "environment_specific"
1833
- }
1834
- ],
1835
- description: "Optional model key for docs gap audits."
1836
- },
1837
- {
1838
- id: "platform.docs.gap-audit-provider",
1839
- canonicalName: "DOC_GAP_AUDIT_PROVIDER",
1840
- owner: "lucern_platform",
1841
- scope: "environment",
1842
- sourcePath: "/platform/docs",
1843
- environmentPolicy: "environment_specific",
1844
- required: false,
1845
- secret: false,
1846
- public: false,
1847
- consumers: ["lucern-repo-ci"],
1848
- destinations: [
1849
- {
1850
- kind: "github_actions",
1851
- target: "LucernAI/lucern",
1852
- environmentPolicy: "environment_specific"
1853
- },
1854
- {
1855
- kind: "operator_local",
1856
- target: "lucern-repo",
1857
- environmentPolicy: "environment_specific"
1858
- }
1859
- ],
1860
- description: "Optional docs gap audit provider selector."
1861
- },
1862
- {
1863
- id: "platform.docs.gap-audit-model",
1864
- canonicalName: "DOC_GAP_AUDIT_MODEL",
1865
- owner: "lucern_platform",
1866
- scope: "environment",
1867
- sourcePath: "/platform/docs",
1868
- environmentPolicy: "environment_specific",
1869
- required: false,
1870
- secret: false,
1871
- public: false,
1872
- consumers: ["lucern-repo-ci"],
1873
- destinations: [
1874
- {
1875
- kind: "github_actions",
1876
- target: "LucernAI/lucern",
1877
- environmentPolicy: "environment_specific"
1878
- },
1879
- {
1880
- kind: "operator_local",
1881
- target: "lucern-repo",
1882
- environmentPolicy: "environment_specific"
1883
- }
1884
- ],
1885
- description: "Optional docs gap audit model selector."
1886
- },
1887
- {
1888
- id: "platform.infisical.local-cli",
1889
- canonicalName: "INFISICAL_BIN",
1890
- aliases: ["INFISICAL_API_URL", "INFISICAL_URL"],
1891
- owner: "lucern_platform",
1892
- scope: "global",
1893
- sourcePath: "/platform/infisical",
1894
- environmentPolicy: "same_all_environments",
1895
- required: false,
1896
- secret: false,
1897
- public: false,
1898
- consumers: ["mc-operator-tooling", "lucern-repo-ci"],
1899
- destinations: [
1900
- {
1901
- kind: "operator_local",
1902
- target: "lucern-repo",
1903
- environmentPolicy: "same_all_environments"
1904
- }
1905
- ],
1906
- description: "Operator-only Infisical CLI/API location knobs. Machine credentials are handled by the bootstrap contract."
1907
- },
1908
- {
1909
- id: "platform.gateway.device-verification-base-url",
1910
- canonicalName: "LUCERN_DEVICE_VERIFICATION_BASE_URL",
1911
- owner: "lucern_platform",
1912
- scope: "environment",
1913
- sourcePath: "/platform/runtime",
1914
- environmentPolicy: "environment_specific",
1915
- required: false,
1916
- secret: false,
1917
- public: false,
1918
- consumers: ["lucern-gateway"],
1919
- destinations: [
1920
- {
1921
- kind: "vercel",
1922
- target: "lucern-gateway",
1923
- environmentPolicy: "environment_specific"
1924
- }
1925
- ],
1926
- description: "Base URL shown during Lucern CLI/device authentication."
1927
- },
1928
- {
1929
- id: "platform.gateway.mode",
1930
- canonicalName: "LUCERN_GATEWAY_MODE",
1931
- aliases: ["LUCERN_GATEWAY_ENV"],
1932
- owner: "lucern_platform",
1933
- scope: "environment",
1934
- sourcePath: "/platform/runtime",
1935
- environmentPolicy: "environment_specific",
1936
- required: false,
1937
- secret: false,
1938
- public: false,
1939
- consumers: ["lucern-gateway", "lucern-repo-ci"],
1940
- destinations: [
1941
- {
1942
- kind: "vercel",
1943
- target: "lucern-gateway",
1944
- environmentPolicy: "environment_specific"
1945
- },
1946
- {
1947
- kind: "github_actions",
1948
- target: "LucernAI/lucern",
1949
- environmentPolicy: "environment_specific"
1950
- }
1951
- ],
1952
- description: "Gateway runtime mode/environment label."
1953
- },
1954
- {
1955
- id: "platform.mcp.runtime",
1956
- canonicalName: "LUCERN_MCP_URL",
1957
- aliases: [
1958
- "LUCERN_AGENT_IDENTITY",
1959
- "LUCERN_HTTP_HOST",
1960
- "LUCERN_HTTP_PORT",
1961
- "LUCERN_MCP_ALLOW_API_KEY_PASSTHROUGH",
1962
- "LUCERN_MCP_DEBUG",
1963
- "LUCERN_MCP_DIAGNOSTICS_FILE",
1964
- "LUCERN_MCP_HEALTH_PATH",
1965
- "LUCERN_MCP_HEALTH_URL",
1966
- "LUCERN_MCP_HOST",
1967
- "LUCERN_MCP_PATH",
1968
- "LUCERN_MCP_PORT",
1969
- "LUCERN_MCP_QUIET",
1970
- "LUCERN_MCP_TRANSPORT",
1971
- "LUCERN_PROFILE",
1972
- "LUCERN_PUBLIC_URL",
1973
- "MCP_SERVER_URL"
1974
- ],
1975
- owner: "lucern_platform",
1976
- scope: "environment",
1977
- sourcePath: "/platform/runtime",
1978
- environmentPolicy: "environment_specific",
1979
- required: false,
1980
- secret: false,
1981
- public: false,
1982
- consumers: ["lucern-mcp", "lucern-cli", "lucern-repo-ci"],
1983
- destinations: [
1984
- {
1985
- kind: "runtime_fetch",
1986
- target: "lucern-cli-mcp-sdk",
1987
- environmentPolicy: "environment_specific"
1988
- },
1989
- {
1990
- kind: "operator_local",
1991
- target: "lucern-repo",
1992
- environmentPolicy: "environment_specific"
1993
- }
1994
- ],
1995
- description: "Lucern MCP/CLI runtime knobs. Aliases are compatibility names and not Vercel write names."
1996
- },
1997
- {
1998
- id: "platform.mcp.auth-token",
1999
- canonicalName: "LUCERN_MCP_SERVER_AUTH_TOKEN",
2000
- aliases: ["LUCERN_USER_TOKEN", "MCP_SERVER_TOKEN"],
2001
- owner: "lucern_platform",
2002
- scope: "environment",
2003
- sourcePath: "/platform/runtime",
2004
- environmentPolicy: "environment_specific",
2005
- required: false,
2006
- secret: true,
2007
- public: false,
2008
- consumers: ["lucern-mcp", "lucern-cli", "lucern-repo-ci"],
2009
- destinations: [
2010
- {
2011
- kind: "runtime_fetch",
2012
- target: "lucern-cli-mcp-sdk",
2013
- environmentPolicy: "environment_specific"
2014
- },
2015
- {
2016
- kind: "operator_local",
2017
- target: "lucern-repo",
2018
- environmentPolicy: "environment_specific"
2019
- }
2020
- ],
2021
- description: "Local/hosted MCP auth token material. Tenant apps must use MC/API-key sessions instead."
2022
- },
2023
- {
2024
- id: "platform.operator.api-key",
2025
- canonicalName: "LUCERN_API_KEY",
2026
- aliases: ["LUCERN_KEY"],
2027
- owner: "lucern_platform",
2028
- scope: "environment",
2029
- sourcePath: "/platform/runtime",
2030
- environmentPolicy: "environment_specific",
2031
- required: false,
2032
- secret: true,
2033
- public: false,
2034
- consumers: ["lucern-cli", "lucern-mcp", "lucern-repo-ci"],
2035
- destinations: [
2036
- {
2037
- kind: "runtime_fetch",
2038
- target: "lucern-cli-mcp-sdk",
2039
- environmentPolicy: "environment_specific"
2040
- },
2041
- {
2042
- kind: "operator_local",
2043
- target: "lucern-repo",
2044
- environmentPolicy: "environment_specific"
2045
- },
2046
- {
2047
- kind: "github_actions",
2048
- target: "LucernAI/lucern",
2049
- environmentPolicy: "environment_specific"
2050
- }
2051
- ],
2052
- description: "Lucern-owned operator API key for trusted CLI/MCP/CI calls. Source it from /platform/runtime; do not persist it into local user credential files."
2053
- },
2054
- {
2055
- id: "platform.graph-sync.proxy",
2056
- canonicalName: "LUCERN_GRAPH_SYNC_QUERY_BASE_URL",
2057
- aliases: [
2058
- "LUCERN_DEFAULT_TENANT_ID",
2059
- "LUCERN_GRAPH_SYNC_ALLOWED_PROXY_HOSTS"
2060
- ],
2061
- owner: "lucern_platform",
2062
- scope: "environment",
2063
- sourcePath: "/platform/graph/neo4j",
2064
- environmentPolicy: "environment_specific",
2065
- required: false,
2066
- secret: false,
2067
- public: false,
2068
- consumers: ["lucern-graph-sync", "lucern-repo-ci"],
2069
- destinations: [
2070
- {
2071
- kind: "runtime_fetch",
2072
- target: "lucern-graph-sync",
2073
- environmentPolicy: "environment_specific"
2074
- },
2075
- {
2076
- kind: "github_actions",
2077
- target: "LucernAI/lucern",
2078
- environmentPolicy: "environment_specific"
2079
- }
2080
- ],
2081
- description: "Graph-sync proxy URL, tenant filter, and allowed host list."
2082
- },
2083
- {
2084
- id: "platform.package-smoke.local",
2085
- canonicalName: "LUCERN_SDK_NPM_TOKEN",
2086
- aliases: [
2087
- "LUCERN_KERNEL_INSTALL_SPEC",
2088
- "LUCERN_KERNEL_KEEP_CLEANROOM",
2089
- "LUCERN_KERNEL_LOCAL_TARBALL",
2090
- "LUCERN_KERNEL_NPM_TOKEN",
2091
- "LUCERN_KERNEL_SCOPE_REGISTRY",
2092
- "LUCERN_KERNEL_SKIP_CONVEX",
2093
- "LUCERN_SDK_INSTALL_SPEC",
2094
- "LUCERN_SDK_KEEP_CLEANROOM",
2095
- "LUCERN_SDK_LOCAL_TARBALL",
2096
- "LUCERN_SDK_SCOPE_REGISTRY",
2097
- "LUCERN_SDK_SKIP_LIVE"
2098
- ],
2099
- owner: "lucern_platform",
2100
- scope: "global",
2101
- sourcePath: "/platform/package-publish",
2102
- environmentPolicy: "same_all_environments",
2103
- required: false,
2104
- secret: true,
2105
- public: false,
2106
- consumers: ["lucern-repo-ci"],
2107
- destinations: [
2108
- {
2109
- kind: "github_actions",
2110
- target: "LucernAI/lucern",
2111
- environmentPolicy: "same_all_environments"
2112
- },
2113
- {
2114
- kind: "operator_local",
2115
- target: "lucern-repo",
2116
- environmentPolicy: "same_all_environments"
2117
- }
2118
- ],
2119
- description: "Private package install smoke-test knobs. Values are not tenant runtime variables."
2120
- },
2121
- {
2122
- id: "platform.convex-deploy.local-names",
2123
- canonicalName: "LUCERN_CONVEX_DEPLOYMENT_NAME",
2124
- aliases: [
2125
- "CONVEX_DEPLOYMENT",
2126
- "CONVEX_DEV_DEPLOYMENT_NAME",
2127
- "CONVEX_PROD_DEPLOYMENT_NAME"
2128
- ],
2129
- owner: "lucern_platform",
2130
- scope: "environment",
2131
- sourcePath: "/platform/deploy/convex",
2132
- environmentPolicy: "environment_specific",
2133
- required: false,
2134
- secret: false,
2135
- public: false,
2136
- consumers: ["mc-operator-tooling", "lucern-repo-ci"],
2137
- destinations: [
2138
- {
2139
- kind: "operator_local",
2140
- target: "lucern-repo",
2141
- environmentPolicy: "environment_specific"
2142
- }
2143
- ],
2144
- description: "Operator-only Convex deployment name hints. Deploy keys and URLs remain separately scoped."
2145
- },
2146
- {
2147
- id: "platform.sdk.local-context",
2148
- canonicalName: "LUCERN_TENANT_ID",
2149
- aliases: [
2150
- "LUCERN_AGENT_DISPLAY_NAME",
2151
- "LUCERN_AGENT_ID",
2152
- "LUCERN_API_ENVIRONMENT",
2153
- "LUCERN_PACK_KEY",
2154
- "LUCERN_PROJECT_ID",
2155
- "LUCERN_TOPIC_ID",
2156
- "LUCERN_WORKSPACE_ID",
2157
- "LUCERN_WORKTREE_ID"
2158
- ],
2159
- owner: "lucern_platform",
2160
- scope: "environment",
2161
- sourcePath: "/platform/runtime",
2162
- environmentPolicy: "environment_specific",
2163
- required: false,
2164
- secret: false,
2165
- public: false,
2166
- consumers: ["lucern-cli", "lucern-mcp", "tenant-agent-runtime"],
2167
- destinations: [
2168
- {
2169
- kind: "runtime_fetch",
2170
- target: "lucern-cli-mcp-sdk",
2171
- environmentPolicy: "environment_specific"
2172
- },
2173
- {
2174
- kind: "operator_local",
2175
- target: "lucern-repo",
2176
- environmentPolicy: "environment_specific"
2177
- }
2178
- ],
2179
- description: "SDK, CLI, and agent context selectors. These identify scope and must not grant access by themselves."
2180
- },
2181
- {
2182
- id: "platform.debug.local-flags",
2183
- canonicalName: "LUCERN_FUNCTIONAL_DEBUG",
2184
- aliases: [
2185
- "LUCERN_CONTRACTS_SKIP_DTS",
2186
- "LUCERN_DEPLOY_RECONCILIATION_DEBUG",
2187
- "LUCERN_ENABLE_ADAPTIVE_LEARNING",
2188
- "LUCERN_ENV_FILE",
2189
- "LUCERN_EXAMPLE_DEBUG",
2190
- "LUCERN_HTTP_SMOKE_DEBUG",
2191
- "LUCERN_MULTI_TENANT",
2192
- "LUCERN_PACK_ACTION_DEBUG",
2193
- "LUCERN_RUN_LIVE_MCP"
2194
- ],
2195
- owner: "lucern_platform",
2196
- scope: "environment",
2197
- sourcePath: "/platform/runtime/debug",
2198
- environmentPolicy: "environment_specific",
2199
- required: false,
2200
- secret: false,
2201
- public: false,
2202
- consumers: ["lucern-repo-ci", "mc-operator-tooling"],
2203
- destinations: [
2204
- {
2205
- kind: "operator_local",
2206
- target: "lucern-repo",
2207
- environmentPolicy: "environment_specific"
2208
- }
2209
- ],
2210
- description: "Local or CI debug toggles. They are manifest-known but not tenant runtime secrets."
2211
- },
2212
- {
2213
- id: "tenant.stackos.deploy-guard.local",
2214
- canonicalName: "STACKOS_DEPLOY_TARGET",
2215
- aliases: [
2216
- "STACKOS_DEPLOY_ENTRYPOINT",
2217
- "STACKOS_EXPECTED_STAGING_COMMIT",
2218
- "STACKOS_PROD_CUTOVER_APPROVED",
2219
- "STACKOS_REPO_PATH",
2220
- "STACKOS_REQUIRE_CHAT_RUNTIME",
2221
- "STACKOS_SLOP_SCAN_BASELINE",
2222
- "STACKOS_STAGING_API_KEY",
2223
- "STACKOS_STAGING_BASE_URL",
2224
- "STACK_DEPLOY_RECONCILIATION_SCHEMA_JSON"
2225
- ],
2226
- owner: "tenant",
2227
- scope: "software_system",
2228
- sourcePath: "/tenants/stack",
2229
- environmentPolicy: "environment_specific",
2230
- required: false,
2231
- secret: true,
2232
- public: false,
2233
- consumers: ["tenant-deploy-tooling", "lucern-repo-ci"],
2234
- destinations: [
2235
- {
2236
- kind: "operator_local",
2237
- target: "stackos-deploy-guard",
2238
- environmentPolicy: "environment_specific"
2239
- },
2240
- {
2241
- kind: "github_actions",
2242
- target: "stack-vc/stackos",
2243
- environmentPolicy: "environment_specific"
2244
- }
2245
- ],
2246
- description: "StackOS deploy/test guard variables. These are not written into the StackOS Vercel runtime."
2247
- }
2248
- ];
2249
- var TENANT_SHARED_SECRET_DEFINITION_TEMPLATES = [
2250
- {
2251
- idSuffix: "clerk.publishable",
2252
- canonicalName: "NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY",
2253
- aliases: ["CLERK_PUBLISHABLE_KEY"],
2254
- required: true,
2255
- secret: false,
2256
- public: true,
2257
- description: "Tenant-owned Clerk browser key. For Stack this is the master clerk.stack.vc project shared by front-end, StackOS, and the engineering workspace."
2258
- },
2259
- {
2260
- idSuffix: "clerk.secret",
2261
- canonicalName: "CLERK_SECRET_KEY",
2262
- required: true,
2263
- secret: true,
2264
- public: false,
2265
- description: "Tenant-owned Clerk backend secret used only by that tenant's server runtimes."
2266
- },
2267
- {
2268
- idSuffix: "clerk.project",
2269
- canonicalName: "CLERK_PROJECT_ID",
2270
- required: true,
2271
- secret: false,
2272
- public: false,
2273
- description: "Tenant-owned Clerk project id used to resolve canonical Clerk aliases."
2274
- },
2275
- {
2276
- idSuffix: "clerk.jwks",
2277
- canonicalName: "CLERK_JWT_ISSUER_DOMAIN",
2278
- aliases: ["CLERK_ISSUER_URL", "CLERK_JWKS_URL"],
2279
- required: false,
2280
- secret: false,
2281
- public: false,
2282
- description: "Tenant Clerk issuer/JWKS URL consumed by Convex auth.config.ts."
2283
- },
2284
- {
2285
- idSuffix: "clerk.jwt-key",
2286
- canonicalName: "CLERK_JWT_KEY",
2287
- required: false,
2288
- secret: true,
2289
- public: false,
2290
- description: "Tenant Clerk JWT public verification key used by bearer-token API routes."
2291
- },
2292
- {
2293
- idSuffix: "clerk.authorized-parties",
2294
- canonicalName: "CLERK_AUTHORIZED_PARTIES",
2295
- aliases: ["CLERK_MOBILE_AUTHORIZED_PARTIES"],
2296
- required: false,
2297
- secret: false,
2298
- public: false,
2299
- description: "Comma-separated Clerk authorized parties for browser and mobile bearer-token validation."
2300
- },
2301
- {
2302
- idSuffix: "clerk.sign-in-url",
2303
- canonicalName: "NEXT_PUBLIC_CLERK_SIGN_IN_URL",
2304
- required: false,
2305
- secret: false,
2306
- public: true,
2307
- description: "Tenant Clerk sign-in route for custom app login surfaces."
2308
- },
2309
- {
2310
- idSuffix: "clerk.sign-up-url",
2311
- canonicalName: "NEXT_PUBLIC_CLERK_SIGN_UP_URL",
2312
- required: false,
2313
- secret: false,
2314
- public: true,
2315
- description: "Tenant Clerk sign-up route for custom app login surfaces."
2316
- }
2317
- ];
2318
- var TENANT_SHARED_SECRET_DEFINITIONS = INFISICAL_TENANT_SOFTWARE_SYSTEMS.flatMap(
2319
- (system) => TENANT_SHARED_SECRET_DEFINITION_TEMPLATES.map(
2320
- (template) => ({
2321
- id: `tenant.${system.id}.${template.idSuffix}`,
2322
- canonicalName: template.canonicalName,
2323
- aliases: "aliases" in template ? template.aliases : void 0,
2324
- owner: "tenant",
2325
- scope: "tenant",
2326
- sourcePath: system.sharedSourcePath,
2327
- environmentPolicy: "environment_specific",
2328
- required: template.required,
2329
- secret: template.secret,
2330
- public: template.public,
2331
- consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
2332
- destinations: [
2333
- {
2334
- kind: "vercel",
2335
- target: system.vercelProjectName,
2336
- environmentPolicy: "preprod_staging_prod_prod"
2337
- },
2338
- {
2339
- kind: "convex",
2340
- target: `${system.convex.preprodDeployment}|${system.convex.prodDeployment}`,
2341
- environmentPolicy: "preprod_staging_prod_prod"
2342
- }
2343
- ],
2344
- description: `${system.tenantKey}/${system.workspaceKey}: ${template.description}`
2345
- })
2346
- )
2347
- );
2348
- var TENANT_INSTALL_SECRET_DEFINITIONS = INFISICAL_TENANT_SOFTWARE_SYSTEMS.map(
2349
- (system) => ({
2350
- id: `tenant.${system.id}.install-lucern-npm`,
2351
- canonicalName: "INSTALL_LUCERN_NPM",
2352
- owner: "provider",
2353
- scope: "global",
2354
- sourcePath: "/tenants/shared",
2355
- environmentPolicy: "same_all_environments",
2356
- required: true,
2357
- secret: true,
2358
- public: false,
2359
- consumers: ["tenant-vercel-app", "tenant-deploy-tooling"],
2360
- destinations: [
2361
- {
2362
- kind: "vercel",
2363
- target: system.vercelProjectName,
2364
- environmentPolicy: "same_all_environments"
2365
- },
2366
- {
2367
- kind: "github_actions",
2368
- target: `${system.repository.owner}/${system.repository.name}`,
2369
- environmentPolicy: "same_all_environments"
2370
- }
2371
- ],
2372
- description: `${system.tenantKey}/${system.workspaceKey}: read-only npm install token for published @lucern/* packages.`
2373
- })
2374
- );
2375
- var TENANT_PRODUCT_SOFTWARE_SYSTEM_IDS = ["stack-frontend", "stackos"];
2376
- var TENANT_PRODUCT_RUNTIME_SECRET_DEFINITION_TEMPLATES = [
2377
- {
2378
- idSuffix: "ai.openai-api-key",
2379
- canonicalName: "OPENAI_API_KEY",
2380
- required: false,
2381
- secret: true,
2382
- public: false,
2383
- consumers: ["tenant-vercel-app", "tenant-convex-deployment", "tenant-ai-runtime"],
2384
- description: "Tenant-owned OpenAI key for product runtime LLM calls."
2385
- },
2386
- {
2387
- idSuffix: "ai.anthropic-api-key",
2388
- canonicalName: "ANTHROPIC_API_KEY",
2389
- required: false,
2390
- secret: true,
2391
- public: false,
2392
- consumers: ["tenant-vercel-app", "tenant-convex-deployment", "tenant-ai-runtime"],
2393
- description: "Tenant-owned Anthropic key for product runtime LLM calls."
2394
- },
2395
- {
2396
- idSuffix: "ai.gemini-api-key",
2397
- canonicalName: "GEMINI_API_KEY",
2398
- aliases: ["GOOGLE_AI_API_KEY", "GOOGLE_GENERATIVE_AI_API_KEY"],
2399
- required: false,
2400
- secret: true,
2401
- public: false,
2402
- consumers: ["tenant-vercel-app", "tenant-convex-deployment", "tenant-ai-runtime"],
2403
- description: "Tenant-owned Google/Gemini key for product runtime LLM calls."
2404
- },
2405
- {
2406
- idSuffix: "langfuse.secret-key",
2407
- canonicalName: "LANGFUSE_SECRET_KEY",
2408
- required: false,
2409
- secret: true,
2410
- public: false,
2411
- consumers: [
2412
- "tenant-vercel-app",
2413
- "tenant-convex-deployment",
2414
- "tenant-observability"
2415
- ],
2416
- description: "Tenant-owned Langfuse secret key for product AI tracing."
2417
- },
2418
- {
2419
- idSuffix: "langfuse.public-key",
2420
- canonicalName: "LANGFUSE_PUBLIC_KEY",
2421
- required: false,
2422
- secret: false,
2423
- public: false,
2424
- consumers: [
2425
- "tenant-vercel-app",
2426
- "tenant-convex-deployment",
2427
- "tenant-observability"
2428
- ],
2429
- description: "Tenant-owned Langfuse public key for product AI tracing."
2430
- },
2431
- {
2432
- idSuffix: "langfuse.base-url",
2433
- canonicalName: "LANGFUSE_BASE_URL",
2434
- aliases: ["LANGFUSE_BASEURL", "LANGFUSE_HOST"],
2435
- required: false,
2436
- secret: false,
2437
- public: false,
2438
- consumers: [
2439
- "tenant-vercel-app",
2440
- "tenant-convex-deployment",
2441
- "tenant-observability"
2442
- ],
2443
- description: "Tenant-owned Langfuse API origin."
2444
- },
2445
- {
2446
- idSuffix: "graph.neo4j-uri",
2447
- canonicalName: "NEO4J_URI",
2448
- required: false,
2449
- secret: false,
2450
- public: false,
2451
- consumers: [
2452
- "tenant-vercel-app",
2453
- "tenant-convex-deployment",
2454
- "tenant-graph-sync"
2455
- ],
2456
- description: "Tenant-owned Neo4j URI for product graph-sync."
2457
- },
2458
- {
2459
- idSuffix: "graph.neo4j-user",
2460
- canonicalName: "NEO4J_USER",
2461
- aliases: ["NEO4J_USERNAME"],
2462
- required: false,
2463
- secret: false,
2464
- public: false,
2465
- consumers: [
2466
- "tenant-vercel-app",
2467
- "tenant-convex-deployment",
2468
- "tenant-graph-sync"
2469
- ],
2470
- description: "Tenant-owned Neo4j user for product graph-sync."
2471
- },
2472
- {
2473
- idSuffix: "graph.neo4j-password",
2474
- canonicalName: "NEO4J_PASSWORD",
2475
- required: false,
2476
- secret: true,
2477
- public: false,
2478
- consumers: [
2479
- "tenant-vercel-app",
2480
- "tenant-convex-deployment",
2481
- "tenant-graph-sync"
2482
- ],
2483
- description: "Tenant-owned Neo4j password for product graph-sync."
2484
- },
2485
- {
2486
- idSuffix: "graph.neo4j-sync-secret",
2487
- canonicalName: "NEO4J_SYNC_SECRET",
2488
- required: false,
2489
- secret: true,
2490
- public: false,
2491
- consumers: [
2492
- "tenant-vercel-app",
2493
- "tenant-convex-deployment",
2494
- "tenant-graph-sync"
2495
- ],
2496
- description: "Tenant-owned shared secret for product Convex-to-HTTP graph-sync calls."
2497
- },
2498
- {
2499
- idSuffix: "graph.neo4j-database",
2500
- canonicalName: "NEO4J_DATABASE",
2501
- required: false,
2502
- secret: false,
2503
- public: false,
2504
- consumers: [
2505
- "tenant-vercel-app",
2506
- "tenant-convex-deployment",
2507
- "tenant-graph-sync"
2508
- ],
2509
- description: "Tenant-owned Neo4j database name for product graph-sync."
2510
- },
2511
- {
2512
- idSuffix: "vector.pinecone-api-key",
2513
- canonicalName: "PINECONE_API_KEY",
2514
- required: false,
2515
- secret: true,
2516
- public: false,
2517
- consumers: [
2518
- "tenant-vercel-app",
2519
- "tenant-convex-deployment",
2520
- "tenant-vector-store"
2521
- ],
2522
- description: "Tenant-owned Pinecone API key for product vector search."
2523
- },
2524
- {
2525
- idSuffix: "vector.pinecone-index-name",
2526
- canonicalName: "PINECONE_INDEX_NAME",
2527
- aliases: ["PINECONE_INDEX"],
2528
- required: false,
2529
- secret: false,
2530
- public: false,
2531
- consumers: [
2532
- "tenant-vercel-app",
2533
- "tenant-convex-deployment",
2534
- "tenant-vector-store"
2535
- ],
2536
- description: "Tenant-owned Pinecone index name for product vector search."
2537
- },
2538
- {
2539
- idSuffix: "vector.pinecone-host",
2540
- canonicalName: "PINECONE_HOST",
2541
- aliases: ["PINECONE_INDEX_HOST"],
2542
- required: false,
2543
- secret: false,
2544
- public: false,
2545
- consumers: [
2546
- "tenant-vercel-app",
2547
- "tenant-convex-deployment",
2548
- "tenant-vector-store"
2549
- ],
2550
- description: "Tenant-owned Pinecone host for product vector search."
2551
- },
2552
- {
2553
- idSuffix: "vector.pinecone-namespace",
2554
- canonicalName: "PINECONE_NAMESPACE",
2555
- required: false,
2556
- secret: false,
2557
- public: false,
2558
- consumers: [
2559
- "tenant-vercel-app",
2560
- "tenant-convex-deployment",
2561
- "tenant-vector-store"
2562
- ],
2563
- description: "Tenant-owned Pinecone namespace for product vector search isolation."
2564
- },
2565
- {
2566
- idSuffix: "storage.aws-access-key-id",
2567
- canonicalName: "AWS_ACCESS_KEY_ID",
2568
- required: false,
2569
- secret: true,
2570
- public: false,
2571
- consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
2572
- description: "Tenant-owned AWS access key id for document/file ingestion."
2573
- },
2574
- {
2575
- idSuffix: "storage.aws-secret-access-key",
2576
- canonicalName: "AWS_SECRET_ACCESS_KEY",
2577
- required: false,
2578
- secret: true,
2579
- public: false,
2580
- consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
2581
- description: "Tenant-owned AWS secret access key for document/file ingestion."
2582
- },
2583
- {
2584
- idSuffix: "storage.aws-region",
2585
- canonicalName: "AWS_REGION",
2586
- required: false,
2587
- secret: false,
2588
- public: false,
2589
- consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
2590
- description: "Tenant-owned AWS region for document/file ingestion."
2591
- },
2592
- {
2593
- idSuffix: "observability.sentry-dsn",
2594
- canonicalName: "NEXT_PUBLIC_SENTRY_DSN",
2595
- aliases: ["NEXT_PUBLIC_SENTRY_DSN_NEXTJS", "SENTRY_DSN"],
2596
- required: false,
2597
- secret: false,
2598
- public: true,
2599
- consumers: ["tenant-vercel-app", "tenant-observability"],
2600
- description: "Tenant-owned Sentry DSN for app telemetry."
2601
- },
2602
- {
2603
- idSuffix: "observability.sentry-auth-token",
2604
- canonicalName: "SENTRY_AUTH_TOKEN",
2605
- required: false,
2606
- secret: true,
2607
- public: false,
2608
- consumers: ["tenant-deploy-tooling", "tenant-observability"],
2609
- description: "Tenant-owned Sentry release token for app deployments."
2610
- },
2611
- {
2612
- idSuffix: "observability.sentry-org",
2613
- canonicalName: "SENTRY_ORG",
2614
- aliases: ["SENTRY_ORG_SLUG"],
2615
- required: false,
2616
- secret: false,
2617
- public: false,
2618
- consumers: ["tenant-deploy-tooling", "tenant-observability"],
2619
- description: "Tenant-owned Sentry org slug for release uploads."
2620
- },
2621
- {
2622
- idSuffix: "observability.sentry-project",
2623
- canonicalName: "SENTRY_PROJECT",
2624
- aliases: ["SENTRY_PROJECT_NEXTJS"],
2625
- required: false,
2626
- secret: false,
2627
- public: false,
2628
- consumers: ["tenant-deploy-tooling", "tenant-observability"],
2629
- description: "Tenant-owned Sentry project slug for release uploads."
2630
- },
2631
- {
2632
- idSuffix: "observability.sentry-environment",
2633
- canonicalName: "NEXT_PUBLIC_SENTRY_ENVIRONMENT",
2634
- aliases: ["SENTRY_ENVIRONMENT"],
2635
- required: false,
2636
- secret: false,
2637
- public: true,
2638
- consumers: ["tenant-vercel-app", "tenant-observability"],
2639
- description: "Tenant-owned Sentry environment label."
2640
- },
2641
- {
2642
- idSuffix: "observability.sentry-release",
2643
- canonicalName: "NEXT_PUBLIC_SENTRY_RELEASE",
2644
- aliases: ["SENTRY_RELEASE"],
2645
- required: false,
2646
- secret: false,
2647
- public: true,
2648
- consumers: ["tenant-vercel-app", "tenant-observability"],
2649
- description: "Tenant-owned Sentry release label."
2650
- },
2651
- {
2652
- idSuffix: "observability.sentry-client-options",
2653
- canonicalName: "NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE",
2654
- aliases: [
2655
- "NEXT_PUBLIC_SENTRY_CAPTURE_CONSOLE_LEVELS",
2656
- "NEXT_PUBLIC_SENTRY_CAPTURE_CONSOLE_LEVELS_NEXTJS",
2657
- "NEXT_PUBLIC_SENTRY_CONSOLE_BREADCRUMB_LEVELS",
2658
- "NEXT_PUBLIC_SENTRY_CONSOLE_BREADCRUMB_LEVELS_NEXTJS",
2659
- "NEXT_PUBLIC_SENTRY_CONSOLE_LOG_LEVELS",
2660
- "NEXT_PUBLIC_SENTRY_CONSOLE_LOG_LEVELS_NEXTJS",
2661
- "NEXT_PUBLIC_SENTRY_ENABLE_LOGS",
2662
- "NEXT_PUBLIC_SENTRY_REPLAYS_ON_ERROR_SAMPLE_RATE",
2663
- "NEXT_PUBLIC_SENTRY_REPLAYS_SESSION_SAMPLE_RATE",
2664
- "NEXT_PUBLIC_SENTRY_SEND_DEFAULT_PII",
2665
- "NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE_NEXTJS"
2666
- ],
2667
- required: false,
2668
- secret: false,
2669
- public: true,
2670
- consumers: ["tenant-vercel-app", "tenant-observability"],
2671
- description: "Tenant-owned public Sentry tuning values for Next.js client instrumentation."
2672
- },
2673
- {
2674
- idSuffix: "observability.sentry-webhook-secret",
2675
- canonicalName: "SENTRY_WEBHOOK_SECRET",
2676
- required: false,
2677
- secret: true,
2678
- public: false,
2679
- consumers: ["tenant-convex-deployment", "tenant-observability"],
2680
- description: "Tenant-owned Sentry webhook verification secret."
2681
- },
2682
- {
2683
- idSuffix: "lucern.gateway-api-key",
2684
- canonicalName: "LUCERN_API_KEY",
2685
- aliases: ["STACK_API_KEY"],
2686
- required: false,
2687
- secret: true,
2688
- public: false,
2689
- consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
2690
- description: "Tenant-scoped Lucern/MC gateway API key for product front-door calls."
2691
- },
2692
- {
2693
- idSuffix: "lucern.gateway-base-url",
2694
- canonicalName: "LUCERN_BASE_URL",
2695
- aliases: ["LUCERN_API_BASE_URL", "LUCERN_GATEWAY_BASE_URL"],
2696
- required: false,
2697
- secret: false,
2698
- public: false,
2699
- consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
2700
- description: "Lucern/MC gateway base URL used by tenant product apps."
2701
- },
2702
- {
2703
- idSuffix: "lucern.proxy-token-secret",
2704
- canonicalName: "LUCERN_PROXY_TOKEN_SECRET",
2705
- required: false,
2706
- secret: true,
2707
- public: false,
2708
- consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
2709
- description: "Tenant-owned secret for signing internal proxy/session tokens in product apps."
2710
- },
2711
- {
2712
- idSuffix: "tenant.integrations.linear-api-key",
2713
- canonicalName: "LINEAR_API_KEY",
2714
- required: false,
2715
- secret: true,
2716
- public: false,
2717
- consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
2718
- description: "Tenant-owned Linear API key for support/slash-command flows."
2719
- },
2720
- {
2721
- idSuffix: "tenant.vercel.bypass-token",
2722
- canonicalName: "VERCEL_AUTOMATION_BYPASS_SECRET",
2723
- aliases: ["NEXT_PUBLIC_VERCEL_BYPASS_TOKEN"],
2724
- required: false,
2725
- secret: true,
2726
- public: false,
2727
- consumers: ["tenant-vercel-app", "tenant-deploy-tooling"],
2728
- description: "Tenant-owned Vercel automation bypass token. Public alias is legacy and should be removed from app code."
2729
- }
2730
- ];
2731
- var TENANT_PRODUCT_RUNTIME_SECRET_DEFINITIONS = INFISICAL_TENANT_SOFTWARE_SYSTEMS.filter(
2732
- (system) => TENANT_PRODUCT_SOFTWARE_SYSTEM_IDS.includes(system.id)
2733
- ).flatMap(
2734
- (system) => TENANT_PRODUCT_RUNTIME_SECRET_DEFINITION_TEMPLATES.map(
2735
- (template) => ({
2736
- id: `tenant.${system.id}.${template.idSuffix}`,
2737
- canonicalName: template.canonicalName,
2738
- aliases: "aliases" in template ? template.aliases : void 0,
2739
- owner: "tenant",
2740
- scope: "tenant",
2741
- sourcePath: system.sharedSourcePath,
2742
- environmentPolicy: "environment_specific",
2743
- required: template.required,
2744
- secret: template.secret,
2745
- public: template.public,
2746
- consumers: template.consumers,
2747
- destinations: [
2748
- {
2749
- kind: "vercel",
2750
- target: system.vercelProjectName,
2751
- environmentPolicy: "preprod_staging_prod_prod"
2752
- },
2753
- {
2754
- kind: "convex",
2755
- target: `${system.convex.preprodDeployment}|${system.convex.prodDeployment}`,
2756
- environmentPolicy: "preprod_staging_prod_prod"
2757
- },
2758
- {
2759
- kind: "github_actions",
2760
- target: `${system.repository.owner}/${system.repository.name}`,
2761
- environmentPolicy: "preprod_staging_prod_prod"
2762
- }
2763
- ],
2764
- description: `${system.tenantKey}/${system.workspaceKey}: ${template.description}`
2765
- })
2766
- )
2767
- );
2768
- function tenantVercelConvexUrlWriteNames(system) {
2769
- const names = [system.convex.urlEnv, "NEXT_PUBLIC_CONVEX_URL"];
2770
- if (system.id === "stack-eng") {
2771
- return [...names, "STACKOS_ENGINEERING_GRAPH_CONVEX_URL"];
2772
- }
2773
- return names;
2774
- }
2775
- function tenantRepositoryConvexUrlWriteNames(system) {
2776
- if (system.id === "stack-eng") {
2777
- return [system.convex.urlEnv, "STACKOS_ENGINEERING_GRAPH_CONVEX_URL"];
2778
- }
2779
- return [system.convex.urlEnv];
2780
- }
2781
- function tenantRepositoryConvexDeployKeyWriteNames(system) {
2782
- if (system.id === "stack-eng") {
2783
- return [system.convex.deployKeyEnv, "STACKOS_ENGINEERING_GRAPH_DEPLOY_KEY"];
2784
- }
2785
- return [system.convex.deployKeyEnv];
2786
- }
2787
- function tenantConvexUrlAliases(system) {
2788
- if (system.id === "stack-frontend") {
2789
- return [
2790
- "CONVEX_PROD_URL",
2791
- "CONVEX_STACK_V2_PROD_URL",
2792
- "CONVEX_STACK_V2_STAGING_URL",
2793
- "STACK_CONVEX_URL"
2794
- ];
2795
- }
2796
- if (system.id === "stackos") {
2797
- return [
2798
- "CONVEX_CLOUD_URL",
2799
- "CONVEX_STACK_URL",
2800
- "CONVEX_URL",
2801
- "CONVEX_URL_DEVELOPMENT",
2802
- "CONVEX_URL_PRODUCTION",
2803
- "STACK_CONVEX_URL"
2804
- ];
2805
- }
2806
- if (system.id === "stack-eng") {
2807
- return ["STACKOS_ENGINEERING_GRAPH_CONVEX_URL"];
2808
- }
2809
- if (system.id === "lucern-graph") {
2810
- return [
2811
- "CONVEX_GRAPH_URL",
2812
- "LUCERN_PROD_URL",
2813
- "NEXT_PUBLIC_LUCERN_GRAPH_URL"
2814
- ];
2815
- }
2816
- return void 0;
2817
- }
2818
- function tenantConvexDeployKeyAliases(system) {
2819
- if (system.id === "stack-frontend") {
2820
- return [
2821
- "CONVEX_STACK_V2_PROD_DEPLOY_KEY",
2822
- "CONVEX_STACK_V2_STAGING_DEPLOY_KEY",
2823
- "STACK_DEPLOY_KEY"
2824
- ];
2825
- }
2826
- if (system.id === "stackos") {
2827
- return [
2828
- "CONVEX_DEPLOY_KEY",
2829
- "CONVEX_DEV_DEPLOY_KEY",
2830
- "CONVEX_PROD_DEPLOY_KEY",
2831
- "CONVEX_STACK_DEPLOY_KEY",
2832
- "STACK_DEPLOY_KEY"
2833
- ];
2834
- }
2835
- if (system.id === "stack-eng") {
2836
- return ["CONVEX_DEPLOY_KEY", "STACKOS_ENGINEERING_GRAPH_DEPLOY_KEY"];
2837
- }
2838
- if (system.id === "lucern-graph") {
2839
- return [
2840
- "CONVEX_DEPLOY_KEY",
2841
- "CONVEX_GRAPH_DEPLOY_KEY",
2842
- "LUCERN_CONVEX_DEPLOY_KEY",
2843
- "LUCERN_DEV_DEPLOY_KEY",
2844
- "LUCERN_PROD_DEPLOY_KEY"
2845
- ];
2846
- }
2847
- return void 0;
2848
- }
2849
- var TENANT_GRAPH_PUBLIC_CONFIG_SECRET_DEFINITIONS = INFISICAL_TENANT_SOFTWARE_SYSTEMS.flatMap(
2850
- (system) => {
2851
- if (system.id === "lucern-graph") {
2852
- return [
2853
- {
2854
- id: "tenant.lucern-graph.public.tenant-id",
2855
- canonicalName: "NEXT_PUBLIC_LUCERN_GRAPH_TENANT_ID",
2856
- aliases: ["NEXT_PUBLIC_LUCERN_TENANT_ID"],
2857
- owner: "tenant",
2858
- scope: "workspace",
2859
- sourcePath: system.sharedSourcePath,
2860
- environmentPolicy: "environment_specific",
2861
- required: false,
2862
- secret: false,
2863
- public: true,
2864
- consumers: ["tenant-vercel-app"],
2865
- destinations: [
2866
- {
2867
- kind: "vercel",
2868
- target: system.vercelProjectName,
2869
- environmentPolicy: "preprod_staging_prod_prod"
2870
- }
2871
- ],
2872
- description: "Lucern graph public tenant id used by the standalone graph explorer."
2873
- },
2874
- {
2875
- id: "tenant.lucern-graph.public.tenant-label",
2876
- canonicalName: "NEXT_PUBLIC_LUCERN_GRAPH_TENANT_LABEL",
2877
- owner: "tenant",
2878
- scope: "workspace",
2879
- sourcePath: system.sharedSourcePath,
2880
- environmentPolicy: "environment_specific",
2881
- required: false,
2882
- secret: false,
2883
- public: true,
2884
- consumers: ["tenant-vercel-app"],
2885
- destinations: [
2886
- {
2887
- kind: "vercel",
2888
- target: system.vercelProjectName,
2889
- environmentPolicy: "preprod_staging_prod_prod"
2890
- }
2891
- ],
2892
- description: "Lucern graph public tenant label used by the standalone graph explorer."
2893
- }
2894
- ];
2895
- }
2896
- if (system.id === "stack-eng") {
2897
- return [
2898
- {
2899
- id: "tenant.stack-eng.public.tenant-id",
2900
- canonicalName: "NEXT_PUBLIC_STACKOS_ENGINEERING_GRAPH_TENANT_ID",
2901
- owner: "tenant",
2902
- scope: "workspace",
2903
- sourcePath: system.sharedSourcePath,
2904
- environmentPolicy: "environment_specific",
2905
- required: false,
2906
- secret: false,
2907
- public: true,
2908
- consumers: ["tenant-vercel-app"],
2909
- destinations: [
2910
- {
2911
- kind: "vercel",
2912
- target: system.vercelProjectName,
2913
- environmentPolicy: "preprod_staging_prod_prod"
2914
- }
2915
- ],
2916
- description: "Stack engineering graph public tenant id used by the graph explorer."
2917
- },
2918
- {
2919
- id: "tenant.stack-eng.public.tenant-label",
2920
- canonicalName: "NEXT_PUBLIC_STACKOS_ENGINEERING_GRAPH_TENANT_LABEL",
2921
- owner: "tenant",
2922
- scope: "workspace",
2923
- sourcePath: system.sharedSourcePath,
2924
- environmentPolicy: "environment_specific",
2925
- required: false,
2926
- secret: false,
2927
- public: true,
2928
- consumers: ["tenant-vercel-app"],
2929
- destinations: [
2930
- {
2931
- kind: "vercel",
2932
- target: system.vercelProjectName,
2933
- environmentPolicy: "preprod_staging_prod_prod"
2934
- }
2935
- ],
2936
- description: "Stack engineering graph public tenant label used by the graph explorer."
2937
- },
2938
- {
2939
- id: "tenant.stack-eng.public.environment",
2940
- canonicalName: "NEXT_PUBLIC_STACKOS_ENGINEERING_GRAPH_ENV",
2941
- owner: "tenant",
2942
- scope: "workspace",
2943
- sourcePath: system.sharedSourcePath,
2944
- environmentPolicy: "environment_specific",
2945
- required: false,
2946
- secret: false,
2947
- public: true,
2948
- consumers: ["tenant-vercel-app"],
2949
- destinations: [
2950
- {
2951
- kind: "vercel",
2952
- target: system.vercelProjectName,
2953
- environmentPolicy: "preprod_staging_prod_prod"
2954
- }
2955
- ],
2956
- description: "Stack engineering graph public environment label used by the graph explorer."
2957
- }
2958
- ];
2959
- }
2960
- return [];
2961
- }
2962
- );
2963
- var STACK_ENG_GRAPH_STORE_SECRET_DEFINITIONS = [
2964
- {
2965
- id: "tenant.stack-eng.neo4j.uri",
2966
- canonicalName: "NEO4J_URI",
2967
- aliases: ["NEO4J_ENG_URI"],
2968
- owner: "tenant",
2969
- scope: "workspace",
2970
- sourcePath: "/tenants/stack/engineering",
2971
- environmentPolicy: "environment_specific",
2972
- required: false,
2973
- secret: false,
2974
- public: false,
2975
- consumers: ["tenant-graph-sync", "tenant-convex-deployment"],
2976
- destinations: [
2977
- {
2978
- kind: "convex",
2979
- target: "small-oyster-270|bold-cuttlefish-804",
2980
- environmentPolicy: "preprod_staging_prod_prod"
2981
- },
2982
- {
2983
- kind: "vercel",
2984
- target: "stackos-engineering-graph",
2985
- environmentPolicy: "preprod_staging_prod_prod"
2986
- },
2987
- {
2988
- kind: "github_actions",
2989
- target: "stack-vc/stackos-engineering-graph",
2990
- environmentPolicy: "preprod_staging_prod_prod"
2991
- }
2992
- ],
2993
- description: "Stack engineering graph Neo4j runtime URI. NEO4J_ENG_URI is the source alias used to avoid StackOS front-office collisions."
2994
- },
2995
- {
2996
- id: "tenant.stack-eng.neo4j.user",
2997
- canonicalName: "NEO4J_USER",
2998
- aliases: ["NEO4J_ENG_USER"],
2999
- owner: "tenant",
3000
- scope: "workspace",
3001
- sourcePath: "/tenants/stack/engineering",
3002
- environmentPolicy: "environment_specific",
3003
- required: false,
3004
- secret: false,
3005
- public: false,
3006
- consumers: ["tenant-graph-sync", "tenant-convex-deployment"],
3007
- destinations: [
3008
- {
3009
- kind: "convex",
3010
- target: "small-oyster-270|bold-cuttlefish-804",
3011
- environmentPolicy: "preprod_staging_prod_prod"
3012
- },
3013
- {
3014
- kind: "vercel",
3015
- target: "stackos-engineering-graph",
3016
- environmentPolicy: "preprod_staging_prod_prod"
3017
- },
3018
- {
3019
- kind: "github_actions",
3020
- target: "stack-vc/stackos-engineering-graph",
3021
- environmentPolicy: "preprod_staging_prod_prod"
3022
- }
3023
- ],
3024
- description: "Stack engineering graph Neo4j runtime user."
3025
- },
3026
- {
3027
- id: "tenant.stack-eng.neo4j.password",
3028
- canonicalName: "NEO4J_PASSWORD",
3029
- aliases: ["NEO4J_ENG_PASSWORD"],
3030
- owner: "tenant",
3031
- scope: "workspace",
3032
- sourcePath: "/tenants/stack/engineering",
3033
- environmentPolicy: "environment_specific",
3034
- required: false,
3035
- secret: true,
3036
- public: false,
3037
- consumers: ["tenant-graph-sync", "tenant-convex-deployment"],
3038
- destinations: [
3039
- {
3040
- kind: "convex",
3041
- target: "small-oyster-270|bold-cuttlefish-804",
3042
- environmentPolicy: "preprod_staging_prod_prod"
3043
- },
3044
- {
3045
- kind: "vercel",
3046
- target: "stackos-engineering-graph",
3047
- environmentPolicy: "preprod_staging_prod_prod"
3048
- },
3049
- {
3050
- kind: "github_actions",
3051
- target: "stack-vc/stackos-engineering-graph",
3052
- environmentPolicy: "preprod_staging_prod_prod"
3053
- }
3054
- ],
3055
- description: "Stack engineering graph Neo4j runtime password."
3056
- },
3057
- {
3058
- id: "tenant.stack-eng.neo4j.sync-secret",
3059
- canonicalName: "NEO4J_SYNC_SECRET",
3060
- owner: "tenant",
3061
- scope: "workspace",
3062
- sourcePath: "/tenants/stack/engineering",
3063
- environmentPolicy: "environment_specific",
3064
- required: false,
3065
- secret: true,
3066
- public: false,
3067
- consumers: ["tenant-graph-sync", "tenant-convex-deployment"],
3068
- destinations: [
3069
- {
3070
- kind: "convex",
3071
- target: "small-oyster-270|bold-cuttlefish-804",
3072
- environmentPolicy: "preprod_staging_prod_prod"
3073
- },
3074
- {
3075
- kind: "vercel",
3076
- target: "stackos-engineering-graph",
3077
- environmentPolicy: "preprod_staging_prod_prod"
3078
- },
3079
- {
3080
- kind: "github_actions",
3081
- target: "stack-vc/stackos-engineering-graph",
3082
- environmentPolicy: "preprod_staging_prod_prod"
3083
- }
3084
- ],
3085
- description: "Stack engineering graph sync secret for Convex-to-HTTP graph query/sync calls."
3086
- }
3087
- ];
3088
- var TENANT_CONVEX_SECRET_DEFINITIONS = INFISICAL_TENANT_SOFTWARE_SYSTEMS.flatMap((system) => [
3089
- {
3090
- id: `tenant.${system.id}.convex.url`,
3091
- canonicalName: system.convex.urlEnv,
3092
- aliases: tenantConvexUrlAliases(system),
3093
- owner: "tenant",
3094
- scope: "software_system",
3095
- sourcePath: system.sharedSourcePath,
3096
- environmentPolicy: "preprod_staging_prod_prod",
3097
- required: true,
3098
- secret: false,
3099
- public: false,
3100
- consumers: [
3101
- "tenant-vercel-app",
3102
- "tenant-agent-runtime",
3103
- "mc-operator-tooling"
3104
- ],
3105
- destinations: [
3106
- {
3107
- kind: "vercel",
3108
- target: system.vercelProjectName,
3109
- environmentPolicy: "preprod_staging_prod_prod",
3110
- writeNames: tenantVercelConvexUrlWriteNames(system)
3111
- },
3112
- {
3113
- kind: "github_actions",
3114
- target: `${system.repository.owner}/${system.repository.name}`,
3115
- environmentPolicy: "preprod_staging_prod_prod",
3116
- writeNames: tenantRepositoryConvexUrlWriteNames(system),
3117
- notes: "Only if that repository deploy/test workflow owns this software system."
3118
- }
3119
- ],
3120
- description: `${system.tenantKey}/${system.workspaceKey} Convex URL. Pre-prod resolves to ${system.convex.preprodDeployment}; prod resolves to ${system.convex.prodDeployment}.`
3121
- },
3122
- {
3123
- id: `tenant.${system.id}.convex.deploy-key`,
3124
- canonicalName: system.convex.deployKeyEnv,
3125
- aliases: tenantConvexDeployKeyAliases(system),
3126
- owner: "tenant",
3127
- scope: "software_system",
3128
- sourcePath: system.sharedSourcePath,
3129
- environmentPolicy: "preprod_staging_prod_prod",
3130
- required: true,
3131
- secret: true,
3132
- public: false,
3133
- consumers: [
3134
- "tenant-vercel-app",
3135
- "tenant-agent-runtime",
3136
- "mc-operator-tooling"
3137
- ],
3138
- destinations: [
3139
- {
3140
- kind: "vercel",
3141
- target: system.vercelProjectName,
3142
- environmentPolicy: "preprod_staging_prod_prod"
3143
- },
3144
- {
3145
- kind: "github_actions",
3146
- target: `${system.repository.owner}/${system.repository.name}`,
3147
- environmentPolicy: "preprod_staging_prod_prod",
3148
- writeNames: tenantRepositoryConvexDeployKeyWriteNames(system),
3149
- notes: "Only if that repository deploy/test workflow owns this software system."
3150
- }
3151
- ],
3152
- description: `${system.tenantKey}/${system.workspaceKey} Convex deploy/admin key. Never route to sibling workspaces.`
3153
- }
3154
- ]);
3155
- var INFISICAL_SECRET_DEFINITIONS = [
3156
- ...PLATFORM_SECRET_DEFINITIONS,
3157
- ...PLATFORM_AI_SECRET_DEFINITIONS,
3158
- ...PLATFORM_LANGFUSE_SECRET_DEFINITIONS,
3159
- ...PLATFORM_GRAPH_STORE_SECRET_DEFINITIONS,
3160
- ...PLATFORM_VECTOR_STORE_SECRET_DEFINITIONS,
3161
- ...PLATFORM_SENTRY_SECRET_DEFINITIONS,
3162
- ...PLATFORM_DEPLOY_AUTOMATION_SECRET_DEFINITIONS,
3163
- ...PLATFORM_LOCAL_OPERATOR_CONFIG_SECRET_DEFINITIONS,
3164
- ...TENANT_SHARED_SECRET_DEFINITIONS,
3165
- ...TENANT_INSTALL_SECRET_DEFINITIONS,
3166
- ...TENANT_PRODUCT_RUNTIME_SECRET_DEFINITIONS,
3167
- ...TENANT_GRAPH_PUBLIC_CONFIG_SECRET_DEFINITIONS,
3168
- ...STACK_ENG_GRAPH_STORE_SECRET_DEFINITIONS,
3169
- ...TENANT_CONVEX_SECRET_DEFINITIONS
3170
- ];
3171
- function findInfisicalSecretDefinition(secretId) {
3172
- return INFISICAL_SECRET_DEFINITIONS.find((secret) => secret.id === secretId);
3173
- }
3174
- function infisicalSecretDefinitionsForConsumer(consumer) {
3175
- return INFISICAL_SECRET_DEFINITIONS.filter(
3176
- (secret) => secret.consumers.includes(consumer)
3177
- );
3178
- }
3179
- function infisicalSecretDefinitionsForDestination(kind, target) {
3180
- return INFISICAL_SECRET_DEFINITIONS.filter(
3181
- (secret) => secret.destinations.some(
3182
- (destination) => destination.kind === kind && destination.target === target
3183
- )
3184
- );
3185
- }
3186
- function validateInfisicalSecretDefinitions(definitions = INFISICAL_SECRET_DEFINITIONS) {
3187
- const errors = [];
3188
- const ids = /* @__PURE__ */ new Set();
3189
- const platformOnlyNames = /* @__PURE__ */ new Set(["CONVEX_MC_URL", "CONVEX_MC_DEPLOY_KEY"]);
3190
- for (const definition of definitions) {
3191
- if (ids.has(definition.id)) {
3192
- errors.push(`Duplicate secret definition id: ${definition.id}`);
3193
- }
3194
- ids.add(definition.id);
3195
- if (!definition.canonicalName.startsWith("CONVEX_")) {
3196
- continue;
3197
- }
3198
- if (platformOnlyNames.has(definition.canonicalName)) {
3199
- if (definition.owner !== "lucern_platform") {
3200
- errors.push(`${definition.canonicalName} must be Lucern platform-owned.`);
3201
- }
3202
- for (const destination of definition.destinations) {
3203
- if (destination.kind === "vercel" && INFISICAL_TENANT_SOFTWARE_SYSTEMS.some(
3204
- (system) => system.vercelProjectName === destination.target
3205
- )) {
3206
- errors.push(
3207
- `${definition.canonicalName} must not route to tenant Vercel project ${destination.target}.`
3208
- );
3209
- }
3210
- }
3211
- continue;
3212
- }
3213
- const owner = INFISICAL_TENANT_SOFTWARE_SYSTEMS.find(
3214
- (system) => system.convex.urlEnv === definition.canonicalName || system.convex.deployKeyEnv === definition.canonicalName
3215
- );
3216
- if (!owner) {
3217
- errors.push(
3218
- `${definition.canonicalName} is a Convex variable without a tenant software owner.`
3219
- );
3220
- continue;
3221
- }
3222
- for (const destination of definition.destinations) {
3223
- if (destination.kind === "vercel" && destination.target !== owner.vercelProjectName) {
3224
- errors.push(
3225
- `${definition.canonicalName} routes to ${destination.target}; expected ${owner.vercelProjectName}.`
3226
- );
3227
- }
3228
- }
3229
- }
3230
- return errors;
3231
- }
3232
-
3233
- export { INFISICAL_CONVEX_TIERS, INFISICAL_CONVEX_TIER_BY_VERCEL_ENVIRONMENT, INFISICAL_RUNTIME_BOOTSTRAP_ENV, INFISICAL_RUNTIME_CONTRACT_VERSION, INFISICAL_RUNTIME_CONTROL_ENV, INFISICAL_RUNTIME_DEFAULT_API_URL, INFISICAL_RUNTIME_DEFAULT_PROJECT_ID, INFISICAL_RUNTIME_DELIVERY_MODES, INFISICAL_RUNTIME_ENVIRONMENTS, INFISICAL_RUNTIME_PATHS, INFISICAL_RUNTIME_SURFACES, INFISICAL_RUNTIME_SURFACE_IDS, INFISICAL_SECRET_CONSUMERS, INFISICAL_SECRET_DEFINITIONS, INFISICAL_SECRET_DESTINATION_KINDS, INFISICAL_SECRET_ENVIRONMENT_POLICIES, INFISICAL_SECRET_OWNERS, INFISICAL_SECRET_SCOPES, INFISICAL_TENANT_SOFTWARE_SYSTEMS, INFISICAL_VERCEL_DESTINATION_ENVIRONMENTS, INFISICAL_VERCEL_SYNC_DESTINATIONS, INFISICAL_VERCEL_SYNC_RECONCILIATION, INFISICAL_VERCEL_TARGETS, convexTierForVercelDestinationEnvironment, expectedTenantConvexDeploymentForVercelEnvironment, findInfisicalRuntimePath, findInfisicalRuntimeSurface, findInfisicalSecretDefinition, findInfisicalTenantSoftwareSystem, findInfisicalVercelSyncDestination, infisicalSecretDefinitionsForConsumer, infisicalSecretDefinitionsForDestination, tenantSoftwareSystemConvexEnvNames, tenantSoftwareSystemOwnsConvexEnvName, validateInfisicalSecretDefinitions, vercelCustomEnvironmentIdForTenantSoftwareSystem };
3234
- //# sourceMappingURL=infisical-runtime.contract.js.map
3235
- //# sourceMappingURL=infisical-runtime.contract.js.map