@lucern/contracts 0.3.0-alpha.17 → 0.3.0-alpha.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (316) hide show
  1. package/CHANGELOG.md +0 -10
  2. package/dist/api-enums.contract.d.ts +3 -5
  3. package/dist/api-enums.contract.js +12 -14
  4. package/dist/api-enums.contract.js.map +1 -1
  5. package/dist/auth-context.contract.js +2 -14
  6. package/dist/auth-context.contract.js.map +1 -1
  7. package/dist/auth-session.contract.js +2 -14
  8. package/dist/auth-session.contract.js.map +1 -1
  9. package/dist/auth.contract.d.ts +1 -1
  10. package/dist/auth.contract.js +2 -14
  11. package/dist/auth.contract.js.map +1 -1
  12. package/dist/component-boundary.contract.d.ts +1 -1
  13. package/dist/component-boundary.contract.js +26 -46
  14. package/dist/component-boundary.contract.js.map +1 -1
  15. package/dist/context-pack.contract.d.ts +3 -5
  16. package/dist/context-pack.contract.js.map +1 -1
  17. package/dist/{defineTable-t1wr5wgn.d.ts → defineTable-CBQ03FXl.d.ts} +1 -1
  18. package/dist/{dsl-DVPthQGY.d.ts → dsl-BgpoVOVQ.d.ts} +2 -2
  19. package/dist/dsl.d.ts +2 -2
  20. package/dist/dsl.js +4 -1
  21. package/dist/dsl.js.map +1 -1
  22. package/dist/function-registry/beliefs.d.ts +51 -64
  23. package/dist/function-registry/beliefs.js +57 -817
  24. package/dist/function-registry/beliefs.js.map +1 -1
  25. package/dist/function-registry/coding.d.ts +6 -15
  26. package/dist/function-registry/coding.js +43 -866
  27. package/dist/function-registry/coding.js.map +1 -1
  28. package/dist/function-registry/context.d.ts +16 -22
  29. package/dist/function-registry/context.js +46 -805
  30. package/dist/function-registry/context.js.map +1 -1
  31. package/dist/function-registry/contracts.d.ts +3 -9
  32. package/dist/function-registry/contracts.js +39 -770
  33. package/dist/function-registry/contracts.js.map +1 -1
  34. package/dist/function-registry/coordination.d.ts +9 -21
  35. package/dist/function-registry/coordination.js +39 -770
  36. package/dist/function-registry/coordination.js.map +1 -1
  37. package/dist/function-registry/edges.d.ts +2 -167
  38. package/dist/function-registry/edges.js +71 -978
  39. package/dist/function-registry/edges.js.map +1 -1
  40. package/dist/function-registry/evidence.d.ts +41 -52
  41. package/dist/function-registry/evidence.js +62 -826
  42. package/dist/function-registry/evidence.js.map +1 -1
  43. package/dist/function-registry/graph.d.ts +66 -162
  44. package/dist/function-registry/graph.js +46 -886
  45. package/dist/function-registry/graph.js.map +1 -1
  46. package/dist/function-registry/helpers.d.ts +4 -7
  47. package/dist/function-registry/helpers.js +40 -771
  48. package/dist/function-registry/helpers.js.map +1 -1
  49. package/dist/function-registry/identity.d.ts +16 -62
  50. package/dist/function-registry/identity.js +45 -793
  51. package/dist/function-registry/identity.js.map +1 -1
  52. package/dist/function-registry/index.d.ts +3 -5
  53. package/dist/function-registry/index.js +43 -777
  54. package/dist/function-registry/index.js.map +1 -1
  55. package/dist/function-registry/judgments.d.ts +11 -16
  56. package/dist/function-registry/judgments.js +42 -782
  57. package/dist/function-registry/judgments.js.map +1 -1
  58. package/dist/function-registry/legacy.d.ts +1 -5
  59. package/dist/function-registry/legacy.js +39 -770
  60. package/dist/function-registry/legacy.js.map +1 -1
  61. package/dist/function-registry/lenses.d.ts +21 -28
  62. package/dist/function-registry/lenses.js +42 -793
  63. package/dist/function-registry/lenses.js.map +1 -1
  64. package/dist/function-registry/manifest.d.ts +6 -6
  65. package/dist/function-registry/manifest.js +2 -19
  66. package/dist/function-registry/manifest.js.map +1 -1
  67. package/dist/function-registry/ontologies.d.ts +56 -70
  68. package/dist/function-registry/ontologies.js +45 -788
  69. package/dist/function-registry/ontologies.js.map +1 -1
  70. package/dist/function-registry/pipeline.d.ts +16 -22
  71. package/dist/function-registry/pipeline.js +42 -779
  72. package/dist/function-registry/pipeline.js.map +1 -1
  73. package/dist/function-registry/questions.d.ts +61 -76
  74. package/dist/function-registry/questions.js +52 -869
  75. package/dist/function-registry/questions.js.map +1 -1
  76. package/dist/function-registry/tasks.d.ts +21 -28
  77. package/dist/function-registry/tasks.js +48 -845
  78. package/dist/function-registry/tasks.js.map +1 -1
  79. package/dist/function-registry/topics.d.ts +26 -114
  80. package/dist/function-registry/topics.js +43 -852
  81. package/dist/function-registry/topics.js.map +1 -1
  82. package/dist/function-registry/types.d.ts +3 -7
  83. package/dist/function-registry/worktrees.d.ts +51 -104
  84. package/dist/function-registry/worktrees.js +51 -925
  85. package/dist/function-registry/worktrees.js.map +1 -1
  86. package/dist/gateway.contract.d.ts +0 -5
  87. package/dist/gateway.contract.js.map +1 -1
  88. package/dist/generated/convexSchemas.d.ts +3 -3
  89. package/dist/generated/convexSchemas.js +18 -38
  90. package/dist/generated/convexSchemas.js.map +1 -1
  91. package/dist/generated/schema-manifest.json +114 -1221
  92. package/dist/generated/tableOwnership.d.ts +28 -48
  93. package/dist/generated/tableOwnership.js +26 -66
  94. package/dist/generated/tableOwnership.js.map +1 -1
  95. package/dist/generated/tier-expectations.json +9 -64
  96. package/dist/graph-types/index.d.ts +1 -5
  97. package/dist/graph-types/index.js +4 -15
  98. package/dist/graph-types/index.js.map +1 -1
  99. package/dist/index-CV-0_VWJ.d.ts +25 -0
  100. package/dist/index.d.ts +669 -28
  101. package/dist/index.js +400 -34707
  102. package/dist/index.js.map +1 -1
  103. package/dist/lens-filter.contract.js +3 -4
  104. package/dist/lens-filter.contract.js.map +1 -1
  105. package/dist/lens-workflow.contract.js +3 -4
  106. package/dist/lens-workflow.contract.js.map +1 -1
  107. package/dist/mcp-gateway-boundary.contract.d.ts +3 -23
  108. package/dist/mcp-gateway-boundary.contract.js +0 -2
  109. package/dist/mcp-gateway-boundary.contract.js.map +1 -1
  110. package/dist/schema-helpers/enumValidation.js +5 -2
  111. package/dist/schema-helpers/enumValidation.js.map +1 -1
  112. package/dist/schema-helpers/spine/nodes/decision.js +1 -2
  113. package/dist/schema-helpers/spine/nodes/decision.js.map +1 -1
  114. package/dist/schema-helpers/spine/tables/epistemicNodes.js +27 -27
  115. package/dist/schema-helpers/spine/tables/epistemicNodes.js.map +1 -1
  116. package/dist/schemas/component-table-manifest.d.ts +6 -6
  117. package/dist/schemas/component-table-manifest.js +2 -2
  118. package/dist/schemas/component-table-manifest.js.map +1 -1
  119. package/dist/schemas/enums.d.ts +2 -5
  120. package/dist/schemas/enums.js +2 -5
  121. package/dist/schemas/enums.js.map +1 -1
  122. package/dist/schemas/index.d.ts +3 -3
  123. package/dist/schemas/index.js +139 -1130
  124. package/dist/schemas/index.js.map +1 -1
  125. package/dist/schemas/manifest.d.ts +948 -2948
  126. package/dist/schemas/manifest.js +137 -1128
  127. package/dist/schemas/manifest.js.map +1 -1
  128. package/dist/schemas/sl-opinion.d.ts +4 -4
  129. package/dist/schemas/tables/{controlPlane → identity}/agent.d.ts +1 -1
  130. package/dist/schemas/tables/{controlPlane → identity}/agent.js +3 -3
  131. package/dist/schemas/tables/identity/agent.js.map +1 -0
  132. package/dist/schemas/tables/{controlPlane → identity}/epistemic.d.ts +1 -1
  133. package/dist/schemas/tables/{controlPlane → identity}/epistemic.js +3 -3
  134. package/dist/schemas/tables/identity/epistemic.js.map +1 -0
  135. package/dist/schemas/tables/{controlPlane → identity}/model.d.ts +1 -1
  136. package/dist/schemas/tables/{controlPlane → identity}/model.js +6 -6
  137. package/dist/schemas/tables/identity/model.js.map +1 -0
  138. package/dist/schemas/tables/{controlPlane → identity}/platform.d.ts +11 -11
  139. package/dist/schemas/tables/{controlPlane → identity}/platform.js +18 -18
  140. package/dist/schemas/tables/identity/platform.js.map +1 -0
  141. package/dist/schemas/tables/{controlPlane → identity}/project.d.ts +1 -1
  142. package/dist/schemas/tables/{controlPlane → identity}/project.js +3 -3
  143. package/dist/schemas/tables/identity/project.js.map +1 -0
  144. package/dist/schemas/tables/{controlPlane → identity}/user.d.ts +1 -1
  145. package/dist/schemas/tables/{controlPlane → identity}/user.js +3 -3
  146. package/dist/schemas/tables/identity/user.js.map +1 -0
  147. package/dist/schemas/tables/kernel/config.d.ts +1 -1
  148. package/dist/schemas/tables/kernel/config.js.map +1 -1
  149. package/dist/schemas/tables/kernel/coordination.d.ts +1 -1
  150. package/dist/schemas/tables/kernel/coordination.js.map +1 -1
  151. package/dist/schemas/tables/kernel/decision.d.ts +1 -1
  152. package/dist/schemas/tables/kernel/decision.js.map +1 -1
  153. package/dist/schemas/tables/kernel/embedding.d.ts +1 -1
  154. package/dist/schemas/tables/kernel/embedding.js.map +1 -1
  155. package/dist/schemas/tables/kernel/epistemic.d.ts +7 -7
  156. package/dist/schemas/tables/kernel/epistemic.js.map +1 -1
  157. package/dist/schemas/tables/kernel/idempotency.d.ts +1 -1
  158. package/dist/schemas/tables/kernel/idempotency.js.map +1 -1
  159. package/dist/schemas/tables/kernel/infra.d.ts +5 -5
  160. package/dist/schemas/tables/kernel/infra.js.map +1 -1
  161. package/dist/schemas/tables/kernel/intelligence.d.ts +11 -11
  162. package/dist/schemas/tables/kernel/intelligence.js.map +1 -1
  163. package/dist/schemas/tables/kernel/lens.d.ts +5 -5
  164. package/dist/schemas/tables/kernel/lens.js.map +1 -1
  165. package/dist/schemas/tables/kernel/ontology.d.ts +1 -1
  166. package/dist/schemas/tables/kernel/ontology.js.map +1 -1
  167. package/dist/schemas/tables/kernel/platform.d.ts +13 -13
  168. package/dist/schemas/tables/kernel/platform.js.map +1 -1
  169. package/dist/schemas/tables/kernel/spine.d.ts +4 -5
  170. package/dist/schemas/tables/kernel/spine.js +2 -6
  171. package/dist/schemas/tables/kernel/spine.js.map +1 -1
  172. package/dist/schemas/tables/kernel/task.d.ts +43 -43
  173. package/dist/schemas/tables/kernel/task.js.map +1 -1
  174. package/dist/schemas/tables/kernel/topic.d.ts +1 -1
  175. package/dist/schemas/tables/kernel/topic.js +1 -5
  176. package/dist/schemas/tables/kernel/topic.js.map +1 -1
  177. package/dist/schemas/tables/kernel/workflow.d.ts +1 -1
  178. package/dist/schemas/tables/kernel/workflow.js.map +1 -1
  179. package/dist/schemas/tables/kernel/worktree.d.ts +55 -55
  180. package/dist/schemas/tables/kernel/worktree.js.map +1 -1
  181. package/dist/schemas/tables/mc/identity.d.ts +4 -21
  182. package/dist/schemas/tables/mc/identity.js +1 -32
  183. package/dist/schemas/tables/mc/identity.js.map +1 -1
  184. package/dist/schemas/tables/mc/methodology.d.ts +1 -1
  185. package/dist/schemas/tables/mc/methodology.js.map +1 -1
  186. package/dist/schemas/tables/mc/pack.d.ts +21 -21
  187. package/dist/schemas/tables/mc/pack.js.map +1 -1
  188. package/dist/schemas/tables/mc/policy.d.ts +2 -2
  189. package/dist/schemas/tables/mc/policy.js +1 -1
  190. package/dist/schemas/tables/mc/policy.js.map +1 -1
  191. package/dist/schemas/tables/mc/registry.d.ts +5 -5
  192. package/dist/schemas/tables/mc/registry.js.map +1 -1
  193. package/dist/schemas/tables/mc/runtime.d.ts +3 -109
  194. package/dist/schemas/tables/mc/runtime.js +104 -330
  195. package/dist/schemas/tables/mc/runtime.js.map +1 -1
  196. package/dist/schemas/tables/mc/tenant.d.ts +2 -4
  197. package/dist/schemas/tables/mc/tenant.js +1 -3
  198. package/dist/schemas/tables/mc/tenant.js.map +1 -1
  199. package/dist/schemas/tables/mc/workspace.d.ts +5 -28
  200. package/dist/schemas/tables/mc/workspace.js +2 -36
  201. package/dist/schemas/tables/mc/workspace.js.map +1 -1
  202. package/dist/sdk-methods.contract.d.ts +2 -2
  203. package/dist/{sdk-tools.contract-CKmSsrZ2.d.ts → sdk-tools.contract-S4ia0TTo.d.ts} +2 -2
  204. package/dist/sdk-tools.contract.d.ts +2 -2
  205. package/dist/sdk-tools.contract.js +27 -719
  206. package/dist/sdk-tools.contract.js.map +1 -1
  207. package/dist/tenant-client.contract.d.ts +14 -102
  208. package/dist/tenant-client.contract.js +12 -113
  209. package/dist/tenant-client.contract.js.map +1 -1
  210. package/dist/{tool-contracts-C_xvM9q2.d.ts → tool-contracts-C92-9ueT.d.ts} +2 -38
  211. package/dist/tool-contracts.d.ts +1 -1
  212. package/dist/tool-contracts.js +28 -720
  213. package/dist/tool-contracts.js.map +1 -1
  214. package/package.json +1 -30
  215. package/dist/component-host-boundary.contract.d.ts +0 -46
  216. package/dist/component-host-boundary.contract.js +0 -60
  217. package/dist/component-host-boundary.contract.js.map +0 -1
  218. package/dist/edge-policy-manifest-Dw5IhT1L.d.ts +0 -133
  219. package/dist/function-registry/nodes.d.ts +0 -412
  220. package/dist/function-registry/nodes.js +0 -5354
  221. package/dist/function-registry/nodes.js.map +0 -1
  222. package/dist/function-registry-input-audit.d.ts +0 -13
  223. package/dist/function-registry-input-audit.js +0 -166
  224. package/dist/function-registry-input-audit.js.map +0 -1
  225. package/dist/generated/infisicalRuntimeEnv.d.ts +0 -70
  226. package/dist/generated/infisicalRuntimeEnv.js +0 -27345
  227. package/dist/generated/infisicalRuntimeEnv.js.map +0 -1
  228. package/dist/generated/lucernGatewayEnv.d.ts +0 -17
  229. package/dist/generated/lucernGatewayEnv.js +0 -38
  230. package/dist/generated/lucernGatewayEnv.js.map +0 -1
  231. package/dist/generated/lucernWebPublicEnv.d.ts +0 -26
  232. package/dist/generated/lucernWebPublicEnv.js +0 -32
  233. package/dist/generated/lucernWebPublicEnv.js.map +0 -1
  234. package/dist/generated/lucernWebServerEnv.d.ts +0 -33
  235. package/dist/generated/lucernWebServerEnv.js +0 -51
  236. package/dist/generated/lucernWebServerEnv.js.map +0 -1
  237. package/dist/graph-intelligence.contract.d.ts +0 -506
  238. package/dist/graph-intelligence.contract.js +0 -595
  239. package/dist/graph-intelligence.contract.js.map +0 -1
  240. package/dist/index-CM1Pl_vI.d.ts +0 -28
  241. package/dist/infisical-runtime.contract.d.ts +0 -1889
  242. package/dist/infisical-runtime.contract.js +0 -3235
  243. package/dist/infisical-runtime.contract.js.map +0 -1
  244. package/dist/manifests/edge-policy-manifest.d.ts +0 -2
  245. package/dist/manifests/edge-policy-manifest.data.d.ts +0 -13
  246. package/dist/manifests/edge-policy-manifest.data.js +0 -26
  247. package/dist/manifests/edge-policy-manifest.data.js.map +0 -1
  248. package/dist/manifests/edge-policy-manifest.js +0 -92
  249. package/dist/manifests/edge-policy-manifest.js.map +0 -1
  250. package/dist/manifests/infisical-runtime-manifest.d.ts +0 -1792
  251. package/dist/manifests/infisical-runtime-manifest.js +0 -3090
  252. package/dist/manifests/infisical-runtime-manifest.js.map +0 -1
  253. package/dist/manifests/invariant-manifest.d.ts +0 -65
  254. package/dist/manifests/invariant-manifest.js +0 -18
  255. package/dist/manifests/invariant-manifest.js.map +0 -1
  256. package/dist/manifests/invariants/ast-utils.d.ts +0 -14
  257. package/dist/manifests/invariants/ast-utils.js +0 -54
  258. package/dist/manifests/invariants/ast-utils.js.map +0 -1
  259. package/dist/manifests/invariants/index.d.ts +0 -15
  260. package/dist/manifests/invariants/index.js +0 -183
  261. package/dist/manifests/invariants/index.js.map +0 -1
  262. package/dist/manifests/invariants/inv-1-beliefs-append-only.d.ts +0 -12
  263. package/dist/manifests/invariants/inv-1-beliefs-append-only.js +0 -94
  264. package/dist/manifests/invariants/inv-1-beliefs-append-only.js.map +0 -1
  265. package/dist/manifests/invariants/inv-14-no-silent-transitions.d.ts +0 -12
  266. package/dist/manifests/invariants/inv-14-no-silent-transitions.js +0 -99
  267. package/dist/manifests/invariants/inv-14-no-silent-transitions.js.map +0 -1
  268. package/dist/manifests/invariants/manifest-1-projections-declare-audit.d.ts +0 -12
  269. package/dist/manifests/invariants/manifest-1-projections-declare-audit.js +0 -42
  270. package/dist/manifests/invariants/manifest-1-projections-declare-audit.js.map +0 -1
  271. package/dist/manifests/tenant-client-manifest.d.ts +0 -327
  272. package/dist/manifests/tenant-client-manifest.js +0 -449
  273. package/dist/manifests/tenant-client-manifest.js.map +0 -1
  274. package/dist/permit-principal-projection.contract.d.ts +0 -74
  275. package/dist/permit-principal-projection.contract.js +0 -167
  276. package/dist/permit-principal-projection.contract.js.map +0 -1
  277. package/dist/projections/check-convex-args-shape.d.ts +0 -3
  278. package/dist/projections/check-convex-args-shape.js +0 -403
  279. package/dist/projections/check-convex-args-shape.js.map +0 -1
  280. package/dist/projections/create-evidence.projection.d.ts +0 -176
  281. package/dist/projections/create-evidence.projection.js +0 -130
  282. package/dist/projections/create-evidence.projection.js.map +0 -1
  283. package/dist/projections/index.d.ts +0 -102
  284. package/dist/projections/index.js +0 -352
  285. package/dist/projections/index.js.map +0 -1
  286. package/dist/projections/list-beliefs.projection.d.ts +0 -36
  287. package/dist/projections/list-beliefs.projection.js +0 -54
  288. package/dist/projections/list-beliefs.projection.js.map +0 -1
  289. package/dist/projections/list-tasks.projection.d.ts +0 -44
  290. package/dist/projections/list-tasks.projection.js +0 -57
  291. package/dist/projections/list-tasks.projection.js.map +0 -1
  292. package/dist/projections/modulate-confidence.projection.d.ts +0 -219
  293. package/dist/projections/modulate-confidence.projection.js +0 -148
  294. package/dist/projections/modulate-confidence.projection.js.map +0 -1
  295. package/dist/projections/projection-dsl.d.ts +0 -11
  296. package/dist/projections/projection-dsl.js +0 -8
  297. package/dist/projections/projection-dsl.js.map +0 -1
  298. package/dist/proof-attestation.json +0 -45
  299. package/dist/schemas/tables/controlPlane/accessControl.d.ts +0 -260
  300. package/dist/schemas/tables/controlPlane/accessControl.js +0 -658
  301. package/dist/schemas/tables/controlPlane/accessControl.js.map +0 -1
  302. package/dist/schemas/tables/controlPlane/agent.js.map +0 -1
  303. package/dist/schemas/tables/controlPlane/epistemic.js.map +0 -1
  304. package/dist/schemas/tables/controlPlane/model.js.map +0 -1
  305. package/dist/schemas/tables/controlPlane/platform.js.map +0 -1
  306. package/dist/schemas/tables/controlPlane/project.js.map +0 -1
  307. package/dist/schemas/tables/controlPlane/user.js.map +0 -1
  308. package/dist/schemas/tables/kernel/events.d.ts +0 -21
  309. package/dist/schemas/tables/kernel/events.js +0 -43
  310. package/dist/schemas/tables/kernel/events.js.map +0 -1
  311. package/dist/tenant-bootstrap-seed.contract.d.ts +0 -1289
  312. package/dist/tenant-bootstrap-seed.contract.js +0 -764
  313. package/dist/tenant-bootstrap-seed.contract.js.map +0 -1
  314. package/dist/tenant-bootstrap-seed.defaults.d.ts +0 -16
  315. package/dist/tenant-bootstrap-seed.defaults.js +0 -321
  316. package/dist/tenant-bootstrap-seed.defaults.js.map +0 -1
@@ -1,3090 +0,0 @@
1
- // src/tenant-client.contract.ts
2
- var TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH = "tenants/shared";
3
- var TENANT_CLIENT_INSTALLABLE_PACKAGES = [
4
- {
5
- packageName: "@lucern/access-control",
6
- role: "runtime_entrypoint",
7
- directTenantImport: true
8
- },
9
- {
10
- packageName: "@lucern/agent",
11
- role: "platform_runtime",
12
- directTenantImport: false
13
- },
14
- {
15
- packageName: "@lucern/auth",
16
- role: "sdk_dependency",
17
- directTenantImport: false
18
- },
19
- {
20
- packageName: "@lucern/cli",
21
- role: "developer_tool",
22
- directTenantImport: false
23
- },
24
- {
25
- packageName: "@lucern/client-core",
26
- role: "sdk_dependency",
27
- directTenantImport: false
28
- },
29
- {
30
- packageName: "@lucern/confidence",
31
- role: "sdk_dependency",
32
- directTenantImport: false
33
- },
34
- {
35
- packageName: "@lucern/config",
36
- role: "configuration",
37
- directTenantImport: false
38
- },
39
- {
40
- packageName: "@lucern/contracts",
41
- role: "contract_entrypoint",
42
- directTenantImport: true
43
- },
44
- {
45
- packageName: "@lucern/control-plane",
46
- role: "component_runtime",
47
- directTenantImport: false
48
- },
49
- {
50
- packageName: "@lucern/developer-kit",
51
- role: "developer_tool",
52
- directTenantImport: false
53
- },
54
- {
55
- packageName: "@lucern/events",
56
- role: "sdk_dependency",
57
- directTenantImport: false
58
- },
59
- {
60
- packageName: "@lucern/graph-primitives",
61
- role: "sdk_dependency",
62
- directTenantImport: false
63
- },
64
- {
65
- packageName: "@lucern/graph-sync",
66
- role: "host_addon_runtime",
67
- directTenantImport: true
68
- },
69
- {
70
- packageName: "@lucern/mcp",
71
- role: "runtime_entrypoint",
72
- directTenantImport: true
73
- },
74
- {
75
- packageName: "@lucern/pack-host",
76
- role: "platform_runtime",
77
- directTenantImport: false
78
- },
79
- {
80
- packageName: "@lucern/pack-installer",
81
- role: "developer_tool",
82
- directTenantImport: false
83
- },
84
- {
85
- packageName: "@lucern/proof-compiler",
86
- role: "developer_tool",
87
- directTenantImport: false
88
- },
89
- {
90
- packageName: "@lucern/react",
91
- role: "runtime_entrypoint",
92
- directTenantImport: true
93
- },
94
- {
95
- packageName: "@lucern/reasoning-kernel",
96
- role: "component_runtime",
97
- directTenantImport: false
98
- },
99
- {
100
- packageName: "@lucern/sdk",
101
- role: "runtime_entrypoint",
102
- directTenantImport: true
103
- },
104
- {
105
- packageName: "@lucern/secrets",
106
- role: "sdk_dependency",
107
- directTenantImport: false
108
- },
109
- {
110
- packageName: "@lucern/server-core",
111
- role: "platform_runtime",
112
- directTenantImport: false
113
- },
114
- {
115
- packageName: "@lucern/testing",
116
- role: "test_support",
117
- directTenantImport: false
118
- },
119
- {
120
- packageName: "@lucern/types",
121
- role: "contract_entrypoint",
122
- directTenantImport: true
123
- }
124
- ];
125
- TENANT_CLIENT_INSTALLABLE_PACKAGES.map(
126
- (entry) => entry.packageName
127
- );
128
-
129
- // src/infisical-runtime.contract.ts
130
- var INFISICAL_RUNTIME_CONTRACT_VERSION = "2026-05-06";
131
- var INFISICAL_RUNTIME_DEFAULT_API_URL = "https://app.infisical.com";
132
- var INFISICAL_RUNTIME_DEFAULT_PROJECT_ID = "344b0526-90df-4606-ba50-22c647a36c65";
133
- var INFISICAL_RUNTIME_ENVIRONMENTS = [
134
- "dev",
135
- "staging",
136
- "prod"
137
- ];
138
- var INFISICAL_RUNTIME_DELIVERY_MODES = [
139
- "vercel_sync",
140
- "runtime_fetch",
141
- "device_auth"
142
- ];
143
- var INFISICAL_VERCEL_DESTINATION_ENVIRONMENTS = [
144
- "development",
145
- "preview",
146
- "staging",
147
- "production"
148
- ];
149
- var INFISICAL_CONVEX_TIER_BY_VERCEL_ENVIRONMENT = {
150
- development: "preprod",
151
- preview: "preprod",
152
- staging: "preprod",
153
- production: "prod"
154
- };
155
- var INFISICAL_VERCEL_SYNC_RECONCILIATION = {
156
- sourceOfTruth: "infisical",
157
- writer: "vercel_api",
158
- disableSecretDeletion: false,
159
- pruneDestinationKeys: true
160
- };
161
- var INFISICAL_VERCEL_SYNC_DESTINATIONS = [
162
- {
163
- environment: "development",
164
- vercelTarget: "development",
165
- convexTier: "preprod"
166
- },
167
- {
168
- environment: "preview",
169
- vercelTarget: "preview",
170
- convexTier: "preprod"
171
- },
172
- {
173
- environment: "staging",
174
- vercelTarget: "preview",
175
- convexTier: "preprod",
176
- customEnvironmentSlug: "staging",
177
- customEnvironmentIdsByProjectName: {
178
- stackos: "env_RbS0TYRRvWISTje8qR4u2lRg7TC8"
179
- },
180
- domainsByProjectName: {
181
- stackos: "staging.stack.vc"
182
- }
183
- },
184
- {
185
- environment: "production",
186
- vercelTarget: "production",
187
- convexTier: "prod"
188
- }
189
- ];
190
- var INFISICAL_RUNTIME_BOOTSTRAP_ENV = {
191
- apiUrl: ["INFISICAL_API_URL", "INFISICAL_URL"],
192
- projectId: ["INFISICAL_PROJECT_ID", "INFISICAL_WORKSPACE_ID"],
193
- clientId: [
194
- "INFISICAL_CLIENT_ID",
195
- "INFISICAL_MACHINE_CLIENT_ID",
196
- "INFISICAL_UNIVERSAL_AUTH_CLIENT_ID"
197
- ],
198
- clientSecret: [
199
- "INFISICAL_CLIENT_SECRET",
200
- "INFISICAL_MACHINE_CLIENT_SECRET",
201
- "INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET"
202
- ],
203
- environment: ["INFISICAL_ENV", "LUCERN_INFISICAL_ENV"],
204
- organizationSlug: ["INFISICAL_ORG_SLUG", "INFISICAL_ORGANIZATION_SLUG"],
205
- disabled: ["LUCERN_INFISICAL_DISABLE", "INFISICAL_DISABLE"]
206
- };
207
- var INFISICAL_RUNTIME_CONTROL_ENV = [
208
- {
209
- name: "NODE_ENV",
210
- category: "framework",
211
- description: "Node/Next runtime mode. Framework-owned, not written by Infisical."
212
- },
213
- {
214
- name: "CI",
215
- category: "ci",
216
- description: "CI execution signal. Workflow-owned, not written by Infisical."
217
- },
218
- {
219
- name: "VERCEL",
220
- category: "vercel",
221
- description: "Vercel runtime signal. Platform-owned, not written by Infisical."
222
- },
223
- {
224
- name: "VERCEL_ENV",
225
- category: "vercel",
226
- description: "Vercel environment label used for build/runtime selection."
227
- },
228
- {
229
- name: "VERCEL_URL",
230
- category: "vercel",
231
- description: "Vercel deployment URL supplied by Vercel for previews and builds."
232
- },
233
- {
234
- name: "VERCEL_GIT_COMMIT_SHA",
235
- category: "vercel",
236
- description: "Vercel git metadata used for release labels. Platform-owned, not written by Infisical."
237
- },
238
- {
239
- name: "NEXT_RUNTIME",
240
- category: "nextjs",
241
- description: "Next.js runtime selector for node/edge instrumentation modules."
242
- },
243
- {
244
- name: "PORT",
245
- category: "framework",
246
- description: "Local/server port supplied by the runtime process manager."
247
- },
248
- {
249
- name: "HOST",
250
- category: "framework",
251
- description: "Local/server host supplied by the runtime process manager."
252
- },
253
- {
254
- name: "APP_URL",
255
- category: "compatibility",
256
- description: "Legacy local app URL fallback. Prefer LUCERN_LOGIN_BASE_URL or LUCERN_API_URL."
257
- },
258
- {
259
- name: "NEXT_PUBLIC_APP_URL",
260
- category: "compatibility",
261
- description: "Legacy public app URL fallback. Prefer LUCERN_LOGIN_BASE_URL or LUCERN_API_URL."
262
- },
263
- {
264
- name: "CLAUDE_PROJECT_DIR",
265
- category: "agent_local",
266
- description: "Local agent workspace hint. Agent-runtime-owned, not written by Infisical."
267
- },
268
- {
269
- name: "HOME",
270
- category: "os",
271
- description: "Operating-system home directory used only for local credential discovery."
272
- },
273
- {
274
- name: "USERPROFILE",
275
- category: "os",
276
- description: "Windows home directory used only for local credential discovery."
277
- }
278
- ];
279
- var INFISICAL_RUNTIME_PATHS = [
280
- {
281
- id: "platform-auth",
282
- secretPath: "/platform/auth",
283
- description: "Lucern platform authentication secrets. Synced into Vercel web/gateway projects; never distributed to tenant tools.",
284
- variables: [
285
- {
286
- name: "NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY",
287
- required: true,
288
- secret: false,
289
- public: true,
290
- description: "Clerk publishable key for the Lucern web origin."
291
- },
292
- {
293
- name: "CLERK_SECRET_KEY",
294
- required: true,
295
- secret: true,
296
- public: false,
297
- description: "Clerk backend secret key for Lucern server runtimes."
298
- },
299
- {
300
- name: "CLERK_JWT_ISSUER_DOMAIN",
301
- required: false,
302
- secret: false,
303
- public: false,
304
- description: "Expected Clerk issuer/JWKS domain for JWT verification."
305
- },
306
- {
307
- name: "NEXT_PUBLIC_CLERK_SIGN_IN_URL",
308
- required: false,
309
- secret: false,
310
- public: true,
311
- description: "Public sign-in URL for Lucern-owned web flows."
312
- },
313
- {
314
- name: "NEXT_PUBLIC_CLERK_SIGN_UP_URL",
315
- required: false,
316
- secret: false,
317
- public: true,
318
- description: "Public sign-up URL for Lucern-owned web flows."
319
- }
320
- ]
321
- },
322
- {
323
- id: "platform-runtime",
324
- secretPath: "/platform/runtime",
325
- description: "Runtime defaults shared by server-side Lucern clients and operator tooling.",
326
- variables: [
327
- {
328
- name: "LUCERN_API_URL",
329
- required: true,
330
- secret: false,
331
- public: false,
332
- aliases: ["LUCERN_API_BASE_URL", "LUCERN_BASE_URL"],
333
- description: "Canonical Lucern API gateway URL."
334
- },
335
- {
336
- name: "LUCERN_LOGIN_BASE_URL",
337
- required: false,
338
- secret: false,
339
- public: false,
340
- aliases: ["LUCERN_AUTH_BASE_URL"],
341
- description: "Browser login origin used when it differs from the API."
342
- },
343
- {
344
- name: "LUCERN_ENVIRONMENT",
345
- required: false,
346
- secret: false,
347
- public: false,
348
- aliases: ["LUCERN_ENV"],
349
- description: "Lucern environment label consumed by CLI profiles."
350
- },
351
- {
352
- name: "LUCERN_CLI_SESSION_TTL_MS",
353
- required: false,
354
- secret: false,
355
- public: false,
356
- description: "Optional web-issued CLI login session lifetime override in milliseconds."
357
- }
358
- ]
359
- },
360
- {
361
- id: "platform-operator-credentials",
362
- secretPath: "/platform/runtime",
363
- description: "Lucern-owned operator credential material for local CLI, MCP, and SDK sessions.",
364
- variables: [
365
- {
366
- name: "LUCERN_API_KEY",
367
- required: false,
368
- secret: true,
369
- public: false,
370
- aliases: ["LUCERN_KEY"],
371
- description: "Lucern-owned operator API key for gateway calls from trusted local tooling."
372
- }
373
- ]
374
- },
375
- {
376
- id: "tenant-shared-install",
377
- secretPath: TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH,
378
- description: "Tenant package-install secrets. This is install-only and distinct from platform publish credentials.",
379
- variables: [
380
- {
381
- name: "INSTALL_LUCERN_NPM",
382
- required: true,
383
- secret: true,
384
- public: false,
385
- description: "Read-only install token for the published @lucern/* suite."
386
- }
387
- ]
388
- }
389
- ];
390
- var INFISICAL_RUNTIME_SURFACES = [
391
- {
392
- id: "lucern-web",
393
- delivery: "vercel_sync",
394
- sourcePathIds: ["platform-auth", "platform-runtime"],
395
- consumer: "apps/web on Vercel project lucern",
396
- description: "Lucern web consumes Clerk and runtime config via Infisical-to-Vercel syncs."
397
- },
398
- {
399
- id: "lucern-gateway",
400
- delivery: "vercel_sync",
401
- fallback: "runtime_fetch",
402
- sourcePathIds: ["platform-auth", "platform-runtime"],
403
- consumer: "apps/gateway on Vercel project lucern-gateway",
404
- description: "Lucern gateway consumes platform config via Infisical-to-Vercel syncs and may self-hydrate from Infisical when the host environment has scoped bootstrap credentials."
405
- },
406
- {
407
- id: "lucern-sdk",
408
- packageName: "@lucern/sdk",
409
- delivery: "runtime_fetch",
410
- sourcePathIds: ["platform-runtime", "platform-operator-credentials"],
411
- consumer: "server-side SDK operator contexts with a scoped Infisical identity",
412
- description: "SDK exposes the runtime Infisical resolver used by clients that have machine identity credentials."
413
- },
414
- {
415
- id: "lucern-cli",
416
- packageName: "@lucern/cli",
417
- delivery: "runtime_fetch",
418
- fallback: "device_auth",
419
- sourcePathIds: ["platform-runtime", "platform-operator-credentials"],
420
- consumer: "developer/operator CLI processes",
421
- description: "CLI hydrates runtime defaults from Infisical when configured, then authenticates users through Lucern device login."
422
- },
423
- {
424
- id: "lucern-mcp",
425
- packageName: "@lucern/mcp",
426
- delivery: "runtime_fetch",
427
- fallback: "device_auth",
428
- sourcePathIds: ["platform-runtime", "platform-operator-credentials"],
429
- consumer: "MCP server/client processes",
430
- description: "MCP hydrates runtime defaults through the SDK resolver and remains a Lucern client, not a platform secret owner."
431
- },
432
- {
433
- id: "tenant-client",
434
- delivery: "device_auth",
435
- sourcePathIds: ["tenant-shared-install"],
436
- consumer: "tenant-owned apps and coding agents",
437
- description: "Tenant clients install the published packages and receive user/service credentials through Lucern auth surfaces."
438
- }
439
- ];
440
- var INFISICAL_TENANT_SOFTWARE_SYSTEMS = [
441
- {
442
- id: "stack-frontend",
443
- tenantKey: "stack",
444
- workspaceKey: "frontend",
445
- vercelProjectName: "ai-chatbot-diao",
446
- vercelTeamId: "team_mZBKwvXSSu7qxrWdg2go29sK",
447
- vercelProjectId: "prj_PihFw8kohSSw14nZs9YQV3xVo517",
448
- vercelWriterTokenEnv: "STACK_VERCEL_TOKEN",
449
- repository: {
450
- owner: "stack-vc",
451
- name: "front-end"
452
- },
453
- sharedSourcePath: "/tenants/stack",
454
- sharedVariablePolicy: "tenant_shared_all_systems",
455
- convex: {
456
- urlEnv: "CONVEX_FRONTEND_URL",
457
- deployKeyEnv: "CONVEX_FRONTEND_DEPLOY_KEY",
458
- preprodDeployment: "rugged-lobster-664",
459
- prodDeployment: "wonderful-toucan-0"
460
- }
461
- },
462
- {
463
- id: "stackos",
464
- tenantKey: "stack",
465
- workspaceKey: "stackos",
466
- vercelProjectName: "stackos",
467
- vercelTeamId: "team_mZBKwvXSSu7qxrWdg2go29sK",
468
- vercelProjectId: "prj_rXLAL0Z6v9p1fasKbomby6GI7kau",
469
- vercelWriterTokenEnv: "STACK_VERCEL_TOKEN",
470
- repository: {
471
- owner: "stack-vc",
472
- name: "stackos"
473
- },
474
- sharedSourcePath: "/tenants/stack",
475
- sharedVariablePolicy: "tenant_shared_all_systems",
476
- convex: {
477
- urlEnv: "CONVEX_STACKOS_URL",
478
- deployKeyEnv: "CONVEX_STACKOS_DEPLOY_KEY",
479
- preprodDeployment: "giant-mandrill-761",
480
- prodDeployment: "good-snake-515"
481
- }
482
- },
483
- {
484
- id: "stack-eng",
485
- tenantKey: "stack",
486
- workspaceKey: "engineering",
487
- vercelProjectName: "stackos-engineering-graph",
488
- vercelTeamId: "team_mZBKwvXSSu7qxrWdg2go29sK",
489
- vercelProjectId: "prj_zAU0Zn9GkbHjHI63dxW4vLpmoqTJ",
490
- vercelWriterTokenEnv: "STACK_VERCEL_TOKEN",
491
- repository: {
492
- owner: "stack-vc",
493
- name: "stackos-engineering-graph"
494
- },
495
- sharedSourcePath: "/tenants/stack/engineering",
496
- sharedVariablePolicy: "tenant_shared_all_systems",
497
- convex: {
498
- urlEnv: "CONVEX_STACK_ENG_URL",
499
- deployKeyEnv: "CONVEX_STACK_ENG_DEPLOY_KEY",
500
- preprodDeployment: "small-oyster-270",
501
- prodDeployment: "bold-cuttlefish-804"
502
- }
503
- },
504
- {
505
- id: "lucern-graph",
506
- tenantKey: "lucern",
507
- workspaceKey: "lucern",
508
- vercelProjectName: "lucern-graph",
509
- vercelTeamId: "team_vTHxxs8GAoAFUe6RWMlYt7fY",
510
- vercelProjectId: "prj_KJ8EKV8vGM5xURpqmwTwmECEGPgQ",
511
- vercelWriterTokenEnv: "LUCERN_VERCEL_TOKEN",
512
- repository: {
513
- owner: "LucernAI",
514
- name: "lucern-graph"
515
- },
516
- sharedSourcePath: "/tenants/lucern/shared",
517
- sharedVariablePolicy: "tenant_shared_all_systems",
518
- convex: {
519
- urlEnv: "CONVEX_LUCERN_URL",
520
- deployKeyEnv: "CONVEX_LUCERN_DEPLOY_KEY",
521
- preprodDeployment: "good-blackbird-774",
522
- prodDeployment: "precious-dog-365"
523
- }
524
- }
525
- ];
526
- var PLATFORM_SECRET_DEFINITIONS = [
527
- {
528
- id: "platform.clerk.publishable",
529
- canonicalName: "NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY",
530
- aliases: ["CLERK_PUBLISHABLE_KEY"],
531
- owner: "lucern_platform",
532
- scope: "environment",
533
- sourcePath: "/platform/auth",
534
- environmentPolicy: "environment_specific",
535
- required: true,
536
- secret: false,
537
- public: true,
538
- consumers: ["lucern-web", "lucern-gateway", "lucern-mcp"],
539
- destinations: [
540
- {
541
- kind: "vercel",
542
- target: "lucern",
543
- environmentPolicy: "environment_specific"
544
- },
545
- {
546
- kind: "vercel",
547
- target: "lucern-gateway",
548
- environmentPolicy: "environment_specific"
549
- },
550
- {
551
- kind: "runtime_fetch",
552
- target: "hosted-mcp-oauth",
553
- environmentPolicy: "environment_specific"
554
- }
555
- ],
556
- description: "Lucern-owned Clerk browser key for platform web, gateway, and hosted MCP OAuth flows."
557
- },
558
- {
559
- id: "platform.clerk.secret",
560
- canonicalName: "CLERK_SECRET_KEY",
561
- owner: "lucern_platform",
562
- scope: "environment",
563
- sourcePath: "/platform/auth",
564
- environmentPolicy: "environment_specific",
565
- required: true,
566
- secret: true,
567
- public: false,
568
- consumers: ["lucern-web", "lucern-gateway", "lucern-mcp"],
569
- destinations: [
570
- {
571
- kind: "vercel",
572
- target: "lucern",
573
- environmentPolicy: "environment_specific"
574
- },
575
- {
576
- kind: "vercel",
577
- target: "lucern-gateway",
578
- environmentPolicy: "environment_specific"
579
- },
580
- {
581
- kind: "runtime_fetch",
582
- target: "hosted-mcp-oauth",
583
- environmentPolicy: "environment_specific"
584
- }
585
- ],
586
- description: "Lucern-owned Clerk backend secret. Never route to tenant-owned apps unless that tenant is Lucern itself."
587
- },
588
- {
589
- id: "platform.clerk.project",
590
- canonicalName: "CLERK_PROJECT_ID",
591
- aliases: ["LUCERN_CLERK_PROJECT_ID"],
592
- owner: "lucern_platform",
593
- scope: "environment",
594
- sourcePath: "/platform/auth",
595
- environmentPolicy: "environment_specific",
596
- required: true,
597
- secret: false,
598
- public: false,
599
- consumers: ["lucern-gateway", "mc-convex"],
600
- destinations: [
601
- {
602
- kind: "vercel",
603
- target: "lucern-gateway",
604
- environmentPolicy: "environment_specific"
605
- },
606
- {
607
- kind: "convex",
608
- target: "master-control",
609
- environmentPolicy: "environment_specific"
610
- }
611
- ],
612
- description: "Canonical Lucern Clerk project identifier used when MC resolves Clerk identities."
613
- },
614
- {
615
- id: "platform.clerk.webhook-secret",
616
- canonicalName: "LUCERN_CLERK_WEBHOOK_SECRET",
617
- aliases: ["CLERK_WEBHOOK_SECRET", "CLERK_WEBHOOK_SIGNING_SECRET"],
618
- owner: "lucern_platform",
619
- scope: "environment",
620
- sourcePath: "/platform/auth",
621
- environmentPolicy: "environment_specific",
622
- required: true,
623
- secret: true,
624
- public: false,
625
- consumers: ["lucern-gateway"],
626
- destinations: [
627
- {
628
- kind: "vercel",
629
- target: "lucern-gateway",
630
- environmentPolicy: "environment_specific"
631
- }
632
- ],
633
- description: "Lucern-owned Clerk/Svix webhook signing secret used by the gateway to verify Clerk identity and organization events before projecting them into Permit."
634
- },
635
- {
636
- id: "platform.clerk.jwks",
637
- canonicalName: "CLERK_JWKS_URL",
638
- aliases: ["CLERK_JWT_ISSUER_DOMAIN"],
639
- owner: "lucern_platform",
640
- scope: "environment",
641
- sourcePath: "/platform/auth",
642
- environmentPolicy: "environment_specific",
643
- required: false,
644
- secret: false,
645
- public: false,
646
- consumers: ["lucern-mcp", "lucern-gateway"],
647
- destinations: [
648
- {
649
- kind: "runtime_fetch",
650
- target: "lucern-mcp",
651
- environmentPolicy: "environment_specific"
652
- },
653
- {
654
- kind: "vercel",
655
- target: "lucern-gateway",
656
- environmentPolicy: "environment_specific"
657
- }
658
- ],
659
- description: "Optional Clerk JWKS/issuer override for server-side token verification."
660
- },
661
- {
662
- id: "platform.runtime.api-base-url",
663
- canonicalName: "LUCERN_API_URL",
664
- aliases: ["LUCERN_API_BASE_URL", "LUCERN_BASE_URL"],
665
- owner: "lucern_platform",
666
- scope: "environment",
667
- sourcePath: "/platform/runtime",
668
- environmentPolicy: "environment_specific",
669
- required: true,
670
- secret: false,
671
- public: false,
672
- consumers: ["lucern-web", "lucern-gateway", "lucern-mcp", "lucern-cli"],
673
- destinations: [
674
- {
675
- kind: "vercel",
676
- target: "lucern",
677
- environmentPolicy: "environment_specific"
678
- },
679
- {
680
- kind: "vercel",
681
- target: "lucern-gateway",
682
- environmentPolicy: "environment_specific"
683
- },
684
- {
685
- kind: "runtime_fetch",
686
- target: "lucern-cli-mcp-sdk",
687
- environmentPolicy: "environment_specific"
688
- }
689
- ],
690
- description: "Canonical Lucern API gateway base URL. Older names remain aliases only."
691
- },
692
- {
693
- id: "platform.runtime.login-base-url",
694
- canonicalName: "LUCERN_LOGIN_BASE_URL",
695
- aliases: ["LUCERN_AUTH_BASE_URL", "LUCERN_WEB_BASE_URL"],
696
- owner: "lucern_platform",
697
- scope: "environment",
698
- sourcePath: "/platform/runtime",
699
- environmentPolicy: "environment_specific",
700
- required: false,
701
- secret: false,
702
- public: false,
703
- consumers: ["lucern-gateway", "lucern-mcp", "lucern-cli"],
704
- destinations: [
705
- {
706
- kind: "vercel",
707
- target: "lucern-gateway",
708
- environmentPolicy: "environment_specific"
709
- },
710
- {
711
- kind: "runtime_fetch",
712
- target: "lucern-cli-mcp-sdk",
713
- environmentPolicy: "environment_specific"
714
- }
715
- ],
716
- description: "Browser login origin used when device/OAuth login is not served by the API base URL."
717
- },
718
- {
719
- id: "platform.runtime.environment",
720
- canonicalName: "LUCERN_ENVIRONMENT",
721
- aliases: ["LUCERN_ENV"],
722
- owner: "lucern_platform",
723
- scope: "environment",
724
- sourcePath: "/platform/runtime",
725
- environmentPolicy: "environment_specific",
726
- required: false,
727
- secret: false,
728
- public: false,
729
- consumers: ["lucern-web", "lucern-gateway", "lucern-mcp", "lucern-cli"],
730
- destinations: [
731
- {
732
- kind: "vercel",
733
- target: "lucern",
734
- environmentPolicy: "environment_specific"
735
- },
736
- {
737
- kind: "vercel",
738
- target: "lucern-gateway",
739
- environmentPolicy: "environment_specific"
740
- },
741
- {
742
- kind: "runtime_fetch",
743
- target: "lucern-cli-mcp-sdk",
744
- environmentPolicy: "environment_specific"
745
- }
746
- ],
747
- description: "Lucern runtime environment label."
748
- },
749
- {
750
- id: "platform.runtime.require-deployment-host-registry",
751
- canonicalName: "LUCERN_REQUIRE_DEPLOYMENT_HOST_REGISTRY",
752
- owner: "lucern_platform",
753
- scope: "environment",
754
- sourcePath: "/platform/runtime",
755
- environmentPolicy: "environment_specific",
756
- required: false,
757
- secret: false,
758
- public: false,
759
- consumers: ["lucern-gateway"],
760
- destinations: [
761
- {
762
- kind: "vercel",
763
- target: "lucern-gateway",
764
- environmentPolicy: "environment_specific"
765
- },
766
- {
767
- kind: "operator_local",
768
- target: "lucern-repo",
769
- environmentPolicy: "environment_specific"
770
- }
771
- ],
772
- description: "Fail-closed gateway toggle that requires MC deployment host registry resolution before routing."
773
- },
774
- {
775
- id: "platform.mc.convex-url",
776
- canonicalName: "CONVEX_MC_URL",
777
- aliases: [
778
- "CONVEX_MC_PROD_URL",
779
- "LUCERN_ADMIN_CONVEX_URL",
780
- "LUCERN_CONVEX_URL",
781
- "MC_CONVEX_URL"
782
- ],
783
- owner: "lucern_platform",
784
- scope: "environment",
785
- sourcePath: "/platform/mc",
786
- environmentPolicy: "environment_specific",
787
- required: true,
788
- secret: false,
789
- public: false,
790
- consumers: ["lucern-gateway", "mc-operator-tooling", "lucern-repo-ci"],
791
- destinations: [
792
- {
793
- kind: "vercel",
794
- target: "lucern-gateway",
795
- environmentPolicy: "environment_specific"
796
- },
797
- {
798
- kind: "github_actions",
799
- target: "LucernAI/lucern",
800
- environmentPolicy: "environment_specific"
801
- },
802
- {
803
- kind: "operator_local",
804
- target: "lucern-repo",
805
- environmentPolicy: "environment_specific"
806
- }
807
- ],
808
- description: "Master Control Convex URL. Prod must point to successful-clam-833; dev/staging to utmost-ox-403."
809
- },
810
- {
811
- id: "platform.mc.convex-deploy-key",
812
- canonicalName: "CONVEX_MC_DEPLOY_KEY",
813
- aliases: [
814
- "CONVEX_MC_PROD_DEPLOY_KEY",
815
- "LUCERN_ADMIN_DEPLOY_KEY",
816
- "LUCERN_DEPLOY_KEY",
817
- "MC_DEPLOY_KEY",
818
- "MC_PROD_DEPLOY_KEY"
819
- ],
820
- owner: "lucern_platform",
821
- scope: "environment",
822
- sourcePath: "/platform/mc",
823
- environmentPolicy: "environment_specific",
824
- required: true,
825
- secret: true,
826
- public: false,
827
- consumers: ["lucern-gateway", "mc-operator-tooling", "lucern-repo-ci"],
828
- destinations: [
829
- {
830
- kind: "vercel",
831
- target: "lucern-gateway",
832
- environmentPolicy: "environment_specific"
833
- },
834
- {
835
- kind: "github_actions",
836
- target: "LucernAI/lucern",
837
- environmentPolicy: "environment_specific"
838
- },
839
- {
840
- kind: "operator_local",
841
- target: "lucern-repo",
842
- environmentPolicy: "environment_specific"
843
- }
844
- ],
845
- description: "Master Control deploy/admin key. Never route to tenant Vercel projects or tenant Convex deployments."
846
- },
847
- {
848
- id: "platform.mc.session-token-secret",
849
- canonicalName: "LUCERN_SESSION_TOKEN_SECRET",
850
- owner: "lucern_platform",
851
- scope: "environment",
852
- sourcePath: "/platform/mc",
853
- environmentPolicy: "environment_specific",
854
- required: true,
855
- secret: true,
856
- public: false,
857
- consumers: ["lucern-mcp", "mc-convex", "lucern-gateway"],
858
- destinations: [
859
- {
860
- kind: "convex",
861
- target: "master-control",
862
- environmentPolicy: "environment_specific"
863
- },
864
- {
865
- kind: "runtime_fetch",
866
- target: "hosted-mcp-oauth",
867
- environmentPolicy: "environment_specific"
868
- },
869
- {
870
- kind: "vercel",
871
- target: "lucern-gateway",
872
- environmentPolicy: "environment_specific"
873
- }
874
- ],
875
- description: "Signs Lucern platform session/delegation tokens. This is platform-owned, not tenant-owned."
876
- },
877
- {
878
- id: "platform.mc.tenant-secret-encryption-key",
879
- canonicalName: "LUCERN_TENANT_SECRET_ENCRYPTION_KEY",
880
- aliases: ["LUCERN_SESSION_TOKEN_SECRET"],
881
- owner: "lucern_platform",
882
- scope: "environment",
883
- sourcePath: "/platform/mc",
884
- environmentPolicy: "environment_specific",
885
- required: true,
886
- secret: true,
887
- public: false,
888
- consumers: ["mc-convex", "mc-operator-tooling"],
889
- destinations: [
890
- {
891
- kind: "convex",
892
- target: "master-control",
893
- environmentPolicy: "environment_specific"
894
- },
895
- {
896
- kind: "operator_local",
897
- target: "mc-credential-maintenance",
898
- environmentPolicy: "environment_specific"
899
- }
900
- ],
901
- description: "Encrypts tenant deployment credentials stored in MC. Session-token fallback is legacy only."
902
- },
903
- {
904
- id: "platform.permit.api-key",
905
- canonicalName: "LUCERN_PERMIT_API_KEY",
906
- aliases: ["PERMIT_API_KEY"],
907
- owner: "lucern_platform",
908
- scope: "environment",
909
- sourcePath: "/platform/permit",
910
- environmentPolicy: "environment_specific",
911
- required: true,
912
- secret: true,
913
- public: false,
914
- consumers: ["mc-convex", "lucern-mcp", "lucern-gateway"],
915
- destinations: [
916
- {
917
- kind: "convex",
918
- target: "master-control",
919
- environmentPolicy: "environment_specific"
920
- },
921
- {
922
- kind: "runtime_fetch",
923
- target: "hosted-mcp-oauth",
924
- environmentPolicy: "environment_specific"
925
- },
926
- {
927
- kind: "vercel",
928
- target: "lucern-gateway",
929
- environmentPolicy: "environment_specific"
930
- }
931
- ],
932
- description: "Permit.io API key used for MC sync and policy checks. Must fail closed if missing."
933
- },
934
- {
935
- id: "platform.permit.webhook-secret",
936
- canonicalName: "LUCERN_PERMIT_WEBHOOK_SECRET",
937
- aliases: ["PERMIT_WEBHOOK_SECRET"],
938
- owner: "lucern_platform",
939
- scope: "environment",
940
- sourcePath: "/platform/permit",
941
- environmentPolicy: "environment_specific",
942
- required: true,
943
- secret: true,
944
- public: false,
945
- consumers: ["mc-convex", "lucern-gateway", "mc-operator-tooling"],
946
- destinations: [
947
- {
948
- kind: "convex",
949
- target: "master-control",
950
- environmentPolicy: "environment_specific"
951
- },
952
- {
953
- kind: "vercel",
954
- target: "lucern-gateway",
955
- environmentPolicy: "environment_specific"
956
- },
957
- {
958
- kind: "operator_local",
959
- target: "mc-credential-maintenance",
960
- environmentPolicy: "environment_specific"
961
- }
962
- ],
963
- description: "Permit.io webhook secret used by gateway and MC webhook handlers. Must fail closed if missing."
964
- },
965
- {
966
- id: "platform.permit.pdp-url",
967
- canonicalName: "LUCERN_PERMIT_PDP_URL",
968
- aliases: ["PERMIT_PDP_URL"],
969
- owner: "lucern_platform",
970
- scope: "environment",
971
- sourcePath: "/platform/permit",
972
- environmentPolicy: "environment_specific",
973
- required: false,
974
- secret: false,
975
- public: false,
976
- consumers: ["mc-convex", "lucern-mcp", "lucern-gateway"],
977
- destinations: [
978
- {
979
- kind: "convex",
980
- target: "master-control",
981
- environmentPolicy: "environment_specific"
982
- },
983
- {
984
- kind: "runtime_fetch",
985
- target: "hosted-mcp-oauth",
986
- environmentPolicy: "environment_specific"
987
- },
988
- {
989
- kind: "vercel",
990
- target: "lucern-gateway",
991
- environmentPolicy: "environment_specific"
992
- }
993
- ],
994
- description: "Optional Permit PDP URL override."
995
- },
996
- {
997
- id: "platform.permit.api-url",
998
- canonicalName: "LUCERN_PERMIT_API_URL",
999
- aliases: ["PERMIT_API_URL"],
1000
- owner: "lucern_platform",
1001
- scope: "environment",
1002
- sourcePath: "/platform/permit",
1003
- environmentPolicy: "environment_specific",
1004
- required: false,
1005
- secret: false,
1006
- public: false,
1007
- consumers: ["mc-convex", "lucern-mcp", "lucern-gateway"],
1008
- destinations: [
1009
- {
1010
- kind: "convex",
1011
- target: "master-control",
1012
- environmentPolicy: "environment_specific"
1013
- },
1014
- {
1015
- kind: "runtime_fetch",
1016
- target: "hosted-mcp-oauth",
1017
- environmentPolicy: "environment_specific"
1018
- },
1019
- {
1020
- kind: "vercel",
1021
- target: "lucern-gateway",
1022
- environmentPolicy: "environment_specific"
1023
- }
1024
- ],
1025
- description: "Optional Permit API URL override."
1026
- },
1027
- {
1028
- id: "platform.ci.infisical-bootstrap-client-id",
1029
- canonicalName: "INFISICAL_BOOTSTRAP_CLIENT_ID",
1030
- aliases: ["INFISICAL_CI_CLIENT_ID"],
1031
- owner: "provider",
1032
- scope: "environment",
1033
- sourcePath: "/platform/ci",
1034
- environmentPolicy: "same_all_environments",
1035
- required: true,
1036
- secret: true,
1037
- public: false,
1038
- consumers: ["lucern-repo-ci"],
1039
- destinations: [
1040
- {
1041
- kind: "github_actions",
1042
- target: "LucernAI/lucern",
1043
- environmentPolicy: "same_all_environments"
1044
- }
1045
- ],
1046
- description: "Machine identity client id used by CI to reconcile Infisical desired state."
1047
- },
1048
- {
1049
- id: "platform.ci.infisical-bootstrap-client-secret",
1050
- canonicalName: "INFISICAL_BOOTSTRAP_CLIENT_SECRET",
1051
- aliases: ["INFISICAL_CI_CLIENT_SECRET"],
1052
- owner: "provider",
1053
- scope: "environment",
1054
- sourcePath: "/platform/ci",
1055
- environmentPolicy: "same_all_environments",
1056
- required: true,
1057
- secret: true,
1058
- public: false,
1059
- consumers: ["lucern-repo-ci"],
1060
- destinations: [
1061
- {
1062
- kind: "github_actions",
1063
- target: "LucernAI/lucern",
1064
- environmentPolicy: "same_all_environments"
1065
- }
1066
- ],
1067
- description: "Machine identity client secret used by CI to reconcile Infisical desired state."
1068
- },
1069
- {
1070
- id: "platform.publish.npm-token",
1071
- canonicalName: "NPM_TOKEN",
1072
- aliases: ["NODE_AUTH_TOKEN"],
1073
- owner: "provider",
1074
- scope: "environment",
1075
- sourcePath: "/platform/publish",
1076
- environmentPolicy: "same_all_environments",
1077
- required: true,
1078
- secret: true,
1079
- public: false,
1080
- consumers: ["lucern-repo-ci"],
1081
- destinations: [
1082
- {
1083
- kind: "github_actions",
1084
- target: "LucernAI/lucern",
1085
- environmentPolicy: "same_all_environments"
1086
- }
1087
- ],
1088
- description: "Package publish/install token for @lucern/* release automation."
1089
- }
1090
- ];
1091
- var PLATFORM_AI_SECRET_DEFINITIONS = [
1092
- {
1093
- id: "platform.ai.openai-api-key",
1094
- canonicalName: "OPENAI_API_KEY",
1095
- owner: "lucern_platform",
1096
- scope: "environment",
1097
- sourcePath: "/platform/ai",
1098
- environmentPolicy: "environment_specific",
1099
- required: false,
1100
- secret: true,
1101
- public: false,
1102
- consumers: ["lucern-ai-runtime", "lucern-repo-ci"],
1103
- destinations: [
1104
- {
1105
- kind: "runtime_fetch",
1106
- target: "lucern-ai-runtime",
1107
- environmentPolicy: "environment_specific"
1108
- },
1109
- {
1110
- kind: "github_actions",
1111
- target: "LucernAI/lucern",
1112
- environmentPolicy: "environment_specific"
1113
- }
1114
- ],
1115
- description: "Lucern-owned OpenAI key for platform AI jobs, benchmarks, and controlled operator automation."
1116
- },
1117
- {
1118
- id: "platform.ai.anthropic-api-key",
1119
- canonicalName: "ANTHROPIC_API_KEY",
1120
- owner: "lucern_platform",
1121
- scope: "environment",
1122
- sourcePath: "/platform/ai",
1123
- environmentPolicy: "environment_specific",
1124
- required: false,
1125
- secret: true,
1126
- public: false,
1127
- consumers: ["lucern-ai-runtime", "lucern-repo-ci"],
1128
- destinations: [
1129
- {
1130
- kind: "runtime_fetch",
1131
- target: "lucern-ai-runtime",
1132
- environmentPolicy: "environment_specific"
1133
- },
1134
- {
1135
- kind: "github_actions",
1136
- target: "LucernAI/lucern",
1137
- environmentPolicy: "environment_specific"
1138
- }
1139
- ],
1140
- description: "Lucern-owned Anthropic key for platform AI jobs, benchmarks, and controlled operator automation."
1141
- },
1142
- {
1143
- id: "platform.ai.gemini-api-key",
1144
- canonicalName: "GEMINI_API_KEY",
1145
- aliases: ["GOOGLE_AI_API_KEY", "GOOGLE_GENERATIVE_AI_API_KEY"],
1146
- owner: "lucern_platform",
1147
- scope: "environment",
1148
- sourcePath: "/platform/ai",
1149
- environmentPolicy: "environment_specific",
1150
- required: false,
1151
- secret: true,
1152
- public: false,
1153
- consumers: ["lucern-ai-runtime", "lucern-repo-ci"],
1154
- destinations: [
1155
- {
1156
- kind: "runtime_fetch",
1157
- target: "lucern-ai-runtime",
1158
- environmentPolicy: "environment_specific"
1159
- },
1160
- {
1161
- kind: "github_actions",
1162
- target: "LucernAI/lucern",
1163
- environmentPolicy: "environment_specific"
1164
- }
1165
- ],
1166
- description: "Lucern-owned Google/Gemini key. Google alias names are read compatibility only."
1167
- }
1168
- ];
1169
- var PLATFORM_LANGFUSE_SECRET_DEFINITIONS = [
1170
- {
1171
- id: "platform.langfuse.secret-key",
1172
- canonicalName: "LANGFUSE_SECRET_KEY",
1173
- owner: "lucern_platform",
1174
- scope: "environment",
1175
- sourcePath: "/platform/observability/langfuse",
1176
- environmentPolicy: "environment_specific",
1177
- required: false,
1178
- secret: true,
1179
- public: false,
1180
- consumers: ["lucern-ai-runtime", "lucern-observability", "lucern-repo-ci"],
1181
- destinations: [
1182
- {
1183
- kind: "runtime_fetch",
1184
- target: "lucern-ai-runtime",
1185
- environmentPolicy: "environment_specific"
1186
- },
1187
- {
1188
- kind: "github_actions",
1189
- target: "LucernAI/lucern",
1190
- environmentPolicy: "environment_specific"
1191
- }
1192
- ],
1193
- description: "Lucern-owned Langfuse secret key for prompt sync, prompt reads, and AI tracing."
1194
- },
1195
- {
1196
- id: "platform.langfuse.public-key",
1197
- canonicalName: "LANGFUSE_PUBLIC_KEY",
1198
- owner: "lucern_platform",
1199
- scope: "environment",
1200
- sourcePath: "/platform/observability/langfuse",
1201
- environmentPolicy: "environment_specific",
1202
- required: false,
1203
- secret: false,
1204
- public: false,
1205
- consumers: ["lucern-ai-runtime", "lucern-observability", "lucern-repo-ci"],
1206
- destinations: [
1207
- {
1208
- kind: "runtime_fetch",
1209
- target: "lucern-ai-runtime",
1210
- environmentPolicy: "environment_specific"
1211
- },
1212
- {
1213
- kind: "github_actions",
1214
- target: "LucernAI/lucern",
1215
- environmentPolicy: "environment_specific"
1216
- }
1217
- ],
1218
- description: "Lucern-owned Langfuse public key paired with LANGFUSE_SECRET_KEY."
1219
- },
1220
- {
1221
- id: "platform.langfuse.base-url",
1222
- canonicalName: "LANGFUSE_BASE_URL",
1223
- aliases: ["LANGFUSE_BASEURL", "LANGFUSE_HOST"],
1224
- owner: "lucern_platform",
1225
- scope: "environment",
1226
- sourcePath: "/platform/observability/langfuse",
1227
- environmentPolicy: "environment_specific",
1228
- required: false,
1229
- secret: false,
1230
- public: false,
1231
- consumers: ["lucern-ai-runtime", "lucern-observability", "lucern-repo-ci"],
1232
- destinations: [
1233
- {
1234
- kind: "runtime_fetch",
1235
- target: "lucern-ai-runtime",
1236
- environmentPolicy: "environment_specific"
1237
- },
1238
- {
1239
- kind: "github_actions",
1240
- target: "LucernAI/lucern",
1241
- environmentPolicy: "environment_specific"
1242
- }
1243
- ],
1244
- description: "Canonical Langfuse API origin. BASEURL/HOST are compatibility aliases."
1245
- }
1246
- ];
1247
- var PLATFORM_GRAPH_STORE_SECRET_DEFINITIONS = [
1248
- {
1249
- id: "platform.neo4j.uri",
1250
- canonicalName: "NEO4J_URI",
1251
- owner: "lucern_platform",
1252
- scope: "environment",
1253
- sourcePath: "/platform/graph/neo4j",
1254
- environmentPolicy: "environment_specific",
1255
- required: false,
1256
- secret: false,
1257
- public: false,
1258
- consumers: ["lucern-graph-sync", "lucern-repo-ci"],
1259
- destinations: [
1260
- {
1261
- kind: "runtime_fetch",
1262
- target: "lucern-graph-sync",
1263
- environmentPolicy: "environment_specific"
1264
- },
1265
- {
1266
- kind: "github_actions",
1267
- target: "LucernAI/lucern",
1268
- environmentPolicy: "environment_specific"
1269
- }
1270
- ],
1271
- description: "Lucern-owned Neo4j URI for platform graph-sync surfaces."
1272
- },
1273
- {
1274
- id: "platform.neo4j.user",
1275
- canonicalName: "NEO4J_USER",
1276
- aliases: ["NEO4J_USERNAME"],
1277
- owner: "lucern_platform",
1278
- scope: "environment",
1279
- sourcePath: "/platform/graph/neo4j",
1280
- environmentPolicy: "environment_specific",
1281
- required: false,
1282
- secret: false,
1283
- public: false,
1284
- consumers: ["lucern-graph-sync", "lucern-repo-ci"],
1285
- destinations: [
1286
- {
1287
- kind: "runtime_fetch",
1288
- target: "lucern-graph-sync",
1289
- environmentPolicy: "environment_specific"
1290
- },
1291
- {
1292
- kind: "github_actions",
1293
- target: "LucernAI/lucern",
1294
- environmentPolicy: "environment_specific"
1295
- }
1296
- ],
1297
- description: "Lucern-owned Neo4j username for platform graph-sync surfaces."
1298
- },
1299
- {
1300
- id: "platform.neo4j.password",
1301
- canonicalName: "NEO4J_PASSWORD",
1302
- owner: "lucern_platform",
1303
- scope: "environment",
1304
- sourcePath: "/platform/graph/neo4j",
1305
- environmentPolicy: "environment_specific",
1306
- required: false,
1307
- secret: true,
1308
- public: false,
1309
- consumers: ["lucern-graph-sync", "lucern-repo-ci"],
1310
- destinations: [
1311
- {
1312
- kind: "runtime_fetch",
1313
- target: "lucern-graph-sync",
1314
- environmentPolicy: "environment_specific"
1315
- },
1316
- {
1317
- kind: "github_actions",
1318
- target: "LucernAI/lucern",
1319
- environmentPolicy: "environment_specific"
1320
- }
1321
- ],
1322
- description: "Lucern-owned Neo4j password for platform graph-sync surfaces."
1323
- },
1324
- {
1325
- id: "platform.neo4j.sync-secret",
1326
- canonicalName: "NEO4J_SYNC_SECRET",
1327
- owner: "lucern_platform",
1328
- scope: "environment",
1329
- sourcePath: "/platform/graph/neo4j",
1330
- environmentPolicy: "environment_specific",
1331
- required: false,
1332
- secret: true,
1333
- public: false,
1334
- consumers: ["lucern-graph-sync", "lucern-repo-ci"],
1335
- destinations: [
1336
- {
1337
- kind: "runtime_fetch",
1338
- target: "lucern-graph-sync",
1339
- environmentPolicy: "environment_specific"
1340
- },
1341
- {
1342
- kind: "github_actions",
1343
- target: "LucernAI/lucern",
1344
- environmentPolicy: "environment_specific"
1345
- }
1346
- ],
1347
- description: "Shared secret protecting Lucern-owned graph-sync HTTP/query proxy calls."
1348
- },
1349
- {
1350
- id: "platform.neo4j.database",
1351
- canonicalName: "NEO4J_DATABASE",
1352
- owner: "lucern_platform",
1353
- scope: "environment",
1354
- sourcePath: "/platform/graph/neo4j",
1355
- environmentPolicy: "environment_specific",
1356
- required: false,
1357
- secret: false,
1358
- public: false,
1359
- consumers: ["lucern-graph-sync", "lucern-repo-ci"],
1360
- destinations: [
1361
- {
1362
- kind: "runtime_fetch",
1363
- target: "lucern-graph-sync",
1364
- environmentPolicy: "environment_specific"
1365
- },
1366
- {
1367
- kind: "github_actions",
1368
- target: "LucernAI/lucern",
1369
- environmentPolicy: "environment_specific"
1370
- }
1371
- ],
1372
- description: "Optional Neo4j database name for Lucern-owned graph-sync surfaces."
1373
- }
1374
- ];
1375
- var PLATFORM_VECTOR_STORE_SECRET_DEFINITIONS = [
1376
- {
1377
- id: "platform.pinecone.api-key",
1378
- canonicalName: "PINECONE_API_KEY",
1379
- owner: "lucern_platform",
1380
- scope: "environment",
1381
- sourcePath: "/platform/vector/pinecone",
1382
- environmentPolicy: "environment_specific",
1383
- required: false,
1384
- secret: true,
1385
- public: false,
1386
- consumers: ["lucern-ai-runtime", "lucern-repo-ci"],
1387
- destinations: [
1388
- {
1389
- kind: "runtime_fetch",
1390
- target: "lucern-ai-runtime",
1391
- environmentPolicy: "environment_specific"
1392
- },
1393
- {
1394
- kind: "github_actions",
1395
- target: "LucernAI/lucern",
1396
- environmentPolicy: "environment_specific"
1397
- }
1398
- ],
1399
- description: "Lucern-owned Pinecone API key for platform vector search."
1400
- },
1401
- {
1402
- id: "platform.pinecone.index-name",
1403
- canonicalName: "PINECONE_INDEX_NAME",
1404
- aliases: ["PINECONE_INDEX"],
1405
- owner: "lucern_platform",
1406
- scope: "environment",
1407
- sourcePath: "/platform/vector/pinecone",
1408
- environmentPolicy: "environment_specific",
1409
- required: false,
1410
- secret: false,
1411
- public: false,
1412
- consumers: ["lucern-ai-runtime", "lucern-repo-ci"],
1413
- destinations: [
1414
- {
1415
- kind: "runtime_fetch",
1416
- target: "lucern-ai-runtime",
1417
- environmentPolicy: "environment_specific"
1418
- },
1419
- {
1420
- kind: "github_actions",
1421
- target: "LucernAI/lucern",
1422
- environmentPolicy: "environment_specific"
1423
- }
1424
- ],
1425
- description: "Lucern-owned Pinecone index name."
1426
- },
1427
- {
1428
- id: "platform.pinecone.host",
1429
- canonicalName: "PINECONE_HOST",
1430
- aliases: ["PINECONE_INDEX_HOST"],
1431
- owner: "lucern_platform",
1432
- scope: "environment",
1433
- sourcePath: "/platform/vector/pinecone",
1434
- environmentPolicy: "environment_specific",
1435
- required: false,
1436
- secret: false,
1437
- public: false,
1438
- consumers: ["lucern-ai-runtime", "lucern-repo-ci"],
1439
- destinations: [
1440
- {
1441
- kind: "runtime_fetch",
1442
- target: "lucern-ai-runtime",
1443
- environmentPolicy: "environment_specific"
1444
- },
1445
- {
1446
- kind: "github_actions",
1447
- target: "LucernAI/lucern",
1448
- environmentPolicy: "environment_specific"
1449
- }
1450
- ],
1451
- description: "Lucern-owned Pinecone host/index host."
1452
- }
1453
- ];
1454
- var PLATFORM_SENTRY_SECRET_DEFINITIONS = [
1455
- {
1456
- id: "platform.sentry.dsn",
1457
- canonicalName: "NEXT_PUBLIC_SENTRY_DSN",
1458
- aliases: ["SENTRY_DSN", "NEXT_PUBLIC_SENTRY_DSN_NEXTJS"],
1459
- owner: "provider",
1460
- scope: "environment",
1461
- sourcePath: "/platform/observability/sentry",
1462
- environmentPolicy: "environment_specific",
1463
- required: false,
1464
- secret: false,
1465
- public: true,
1466
- consumers: ["lucern-web", "lucern-gateway", "lucern-observability"],
1467
- destinations: [
1468
- {
1469
- kind: "vercel",
1470
- target: "lucern",
1471
- environmentPolicy: "environment_specific"
1472
- },
1473
- {
1474
- kind: "vercel",
1475
- target: "lucern-gateway",
1476
- environmentPolicy: "environment_specific"
1477
- }
1478
- ],
1479
- description: "Lucern-owned Sentry DSN for browser/server error telemetry."
1480
- },
1481
- {
1482
- id: "platform.sentry.auth-token",
1483
- canonicalName: "SENTRY_AUTH_TOKEN",
1484
- owner: "provider",
1485
- scope: "environment",
1486
- sourcePath: "/platform/observability/sentry",
1487
- environmentPolicy: "same_all_environments",
1488
- required: false,
1489
- secret: true,
1490
- public: false,
1491
- consumers: ["lucern-repo-ci", "lucern-observability"],
1492
- destinations: [
1493
- {
1494
- kind: "github_actions",
1495
- target: "LucernAI/lucern",
1496
- environmentPolicy: "same_all_environments"
1497
- },
1498
- {
1499
- kind: "vercel",
1500
- target: "lucern",
1501
- environmentPolicy: "same_all_environments"
1502
- }
1503
- ],
1504
- description: "Sentry release-upload token. Runtime services must not use it for authorization."
1505
- },
1506
- {
1507
- id: "platform.sentry.org",
1508
- canonicalName: "SENTRY_ORG",
1509
- aliases: ["SENTRY_ORG_SLUG"],
1510
- owner: "provider",
1511
- scope: "global",
1512
- sourcePath: "/platform/observability/sentry",
1513
- environmentPolicy: "same_all_environments",
1514
- required: false,
1515
- secret: false,
1516
- public: false,
1517
- consumers: ["lucern-repo-ci", "lucern-observability"],
1518
- destinations: [
1519
- {
1520
- kind: "github_actions",
1521
- target: "LucernAI/lucern",
1522
- environmentPolicy: "same_all_environments"
1523
- },
1524
- {
1525
- kind: "vercel",
1526
- target: "lucern",
1527
- environmentPolicy: "same_all_environments"
1528
- }
1529
- ],
1530
- description: "Sentry organization slug for Lucern release uploads."
1531
- },
1532
- {
1533
- id: "platform.sentry.project",
1534
- canonicalName: "SENTRY_PROJECT",
1535
- aliases: ["SENTRY_PROJECT_NEXTJS"],
1536
- owner: "provider",
1537
- scope: "global",
1538
- sourcePath: "/platform/observability/sentry",
1539
- environmentPolicy: "same_all_environments",
1540
- required: false,
1541
- secret: false,
1542
- public: false,
1543
- consumers: ["lucern-repo-ci", "lucern-observability"],
1544
- destinations: [
1545
- {
1546
- kind: "github_actions",
1547
- target: "LucernAI/lucern",
1548
- environmentPolicy: "same_all_environments"
1549
- },
1550
- {
1551
- kind: "vercel",
1552
- target: "lucern",
1553
- environmentPolicy: "same_all_environments"
1554
- }
1555
- ],
1556
- description: "Sentry project slug for Lucern release uploads."
1557
- },
1558
- {
1559
- id: "platform.sentry.environment",
1560
- canonicalName: "SENTRY_ENVIRONMENT",
1561
- aliases: ["NEXT_PUBLIC_SENTRY_ENVIRONMENT"],
1562
- owner: "provider",
1563
- scope: "environment",
1564
- sourcePath: "/platform/observability/sentry",
1565
- environmentPolicy: "environment_specific",
1566
- required: false,
1567
- secret: false,
1568
- public: false,
1569
- consumers: ["lucern-web", "lucern-gateway", "lucern-observability"],
1570
- destinations: [
1571
- {
1572
- kind: "vercel",
1573
- target: "lucern",
1574
- environmentPolicy: "environment_specific",
1575
- writeNames: ["SENTRY_ENVIRONMENT", "NEXT_PUBLIC_SENTRY_ENVIRONMENT"]
1576
- },
1577
- {
1578
- kind: "vercel",
1579
- target: "lucern-gateway",
1580
- environmentPolicy: "environment_specific"
1581
- }
1582
- ],
1583
- description: "Lucern-owned Sentry environment label."
1584
- },
1585
- {
1586
- id: "platform.sentry.release",
1587
- canonicalName: "SENTRY_RELEASE",
1588
- aliases: ["NEXT_PUBLIC_SENTRY_RELEASE"],
1589
- owner: "provider",
1590
- scope: "environment",
1591
- sourcePath: "/platform/observability/sentry",
1592
- environmentPolicy: "environment_specific",
1593
- required: false,
1594
- secret: false,
1595
- public: false,
1596
- consumers: ["lucern-web", "lucern-gateway", "lucern-observability"],
1597
- destinations: [
1598
- {
1599
- kind: "vercel",
1600
- target: "lucern",
1601
- environmentPolicy: "environment_specific",
1602
- writeNames: ["SENTRY_RELEASE", "NEXT_PUBLIC_SENTRY_RELEASE"]
1603
- },
1604
- {
1605
- kind: "vercel",
1606
- target: "lucern-gateway",
1607
- environmentPolicy: "environment_specific"
1608
- }
1609
- ],
1610
- description: "Lucern-owned Sentry release name."
1611
- }
1612
- ];
1613
- var PLATFORM_DEPLOY_AUTOMATION_SECRET_DEFINITIONS = [
1614
- {
1615
- id: "platform.deploy.vercel-token",
1616
- canonicalName: "VERCEL_TOKEN",
1617
- owner: "provider",
1618
- scope: "global",
1619
- sourcePath: "/platform/deploy/vercel",
1620
- environmentPolicy: "same_all_environments",
1621
- required: false,
1622
- secret: true,
1623
- public: false,
1624
- consumers: ["lucern-repo-ci"],
1625
- destinations: [
1626
- {
1627
- kind: "github_actions",
1628
- target: "LucernAI/lucern",
1629
- environmentPolicy: "same_all_environments"
1630
- },
1631
- {
1632
- kind: "operator_local",
1633
- target: "secret-sync-writer",
1634
- environmentPolicy: "same_all_environments"
1635
- }
1636
- ],
1637
- description: "Vercel API token for the future reviewed live writer. Never copy into tenant apps."
1638
- },
1639
- {
1640
- id: "platform.deploy.vercel-token.stack",
1641
- canonicalName: "STACK_VERCEL_TOKEN",
1642
- owner: "provider",
1643
- scope: "global",
1644
- sourcePath: "/platform/deploy/vercel",
1645
- environmentPolicy: "same_all_environments",
1646
- required: false,
1647
- secret: true,
1648
- public: false,
1649
- consumers: ["lucern-repo-ci"],
1650
- destinations: [
1651
- {
1652
- kind: "operator_local",
1653
- target: "secret-sync-writer",
1654
- environmentPolicy: "same_all_environments"
1655
- }
1656
- ],
1657
- description: "Stack Vercel API token for manifest-scoped Stack tenant Vercel secret sync. Never copy into tenant apps."
1658
- },
1659
- {
1660
- id: "platform.deploy.vercel-token.lucern",
1661
- canonicalName: "LUCERN_VERCEL_TOKEN",
1662
- owner: "provider",
1663
- scope: "global",
1664
- sourcePath: "/platform/deploy/vercel",
1665
- environmentPolicy: "same_all_environments",
1666
- required: false,
1667
- secret: true,
1668
- public: false,
1669
- consumers: ["lucern-repo-ci"],
1670
- destinations: [
1671
- {
1672
- kind: "operator_local",
1673
- target: "secret-sync-writer",
1674
- environmentPolicy: "same_all_environments"
1675
- }
1676
- ],
1677
- description: "Lucern Vercel API token for manifest-scoped Lucern tenant Vercel secret sync. Never copy into tenant apps."
1678
- },
1679
- {
1680
- id: "platform.deploy.vercel-org-id",
1681
- canonicalName: "VERCEL_ORG_ID",
1682
- owner: "provider",
1683
- scope: "global",
1684
- sourcePath: "/platform/deploy/vercel",
1685
- environmentPolicy: "same_all_environments",
1686
- required: false,
1687
- secret: false,
1688
- public: false,
1689
- consumers: ["lucern-repo-ci"],
1690
- destinations: [
1691
- {
1692
- kind: "github_actions",
1693
- target: "LucernAI/lucern",
1694
- environmentPolicy: "same_all_environments"
1695
- },
1696
- {
1697
- kind: "operator_local",
1698
- target: "secret-sync-writer",
1699
- environmentPolicy: "same_all_environments"
1700
- }
1701
- ],
1702
- description: "Vercel team/org id used by deployment and sync automation."
1703
- }
1704
- ];
1705
- var PLATFORM_LOCAL_OPERATOR_CONFIG_SECRET_DEFINITIONS = [
1706
- {
1707
- id: "platform.docs.gap-audit-api-key",
1708
- canonicalName: "DOC_GAP_AUDIT_API_KEY",
1709
- owner: "lucern_platform",
1710
- scope: "environment",
1711
- sourcePath: "/platform/docs",
1712
- environmentPolicy: "environment_specific",
1713
- required: false,
1714
- secret: true,
1715
- public: false,
1716
- consumers: ["lucern-repo-ci"],
1717
- destinations: [
1718
- {
1719
- kind: "github_actions",
1720
- target: "LucernAI/lucern",
1721
- environmentPolicy: "environment_specific"
1722
- },
1723
- {
1724
- kind: "operator_local",
1725
- target: "lucern-repo",
1726
- environmentPolicy: "environment_specific"
1727
- }
1728
- ],
1729
- description: "Optional model key for docs gap audits."
1730
- },
1731
- {
1732
- id: "platform.docs.gap-audit-provider",
1733
- canonicalName: "DOC_GAP_AUDIT_PROVIDER",
1734
- owner: "lucern_platform",
1735
- scope: "environment",
1736
- sourcePath: "/platform/docs",
1737
- environmentPolicy: "environment_specific",
1738
- required: false,
1739
- secret: false,
1740
- public: false,
1741
- consumers: ["lucern-repo-ci"],
1742
- destinations: [
1743
- {
1744
- kind: "github_actions",
1745
- target: "LucernAI/lucern",
1746
- environmentPolicy: "environment_specific"
1747
- },
1748
- {
1749
- kind: "operator_local",
1750
- target: "lucern-repo",
1751
- environmentPolicy: "environment_specific"
1752
- }
1753
- ],
1754
- description: "Optional docs gap audit provider selector."
1755
- },
1756
- {
1757
- id: "platform.docs.gap-audit-model",
1758
- canonicalName: "DOC_GAP_AUDIT_MODEL",
1759
- owner: "lucern_platform",
1760
- scope: "environment",
1761
- sourcePath: "/platform/docs",
1762
- environmentPolicy: "environment_specific",
1763
- required: false,
1764
- secret: false,
1765
- public: false,
1766
- consumers: ["lucern-repo-ci"],
1767
- destinations: [
1768
- {
1769
- kind: "github_actions",
1770
- target: "LucernAI/lucern",
1771
- environmentPolicy: "environment_specific"
1772
- },
1773
- {
1774
- kind: "operator_local",
1775
- target: "lucern-repo",
1776
- environmentPolicy: "environment_specific"
1777
- }
1778
- ],
1779
- description: "Optional docs gap audit model selector."
1780
- },
1781
- {
1782
- id: "platform.infisical.local-cli",
1783
- canonicalName: "INFISICAL_BIN",
1784
- aliases: ["INFISICAL_API_URL", "INFISICAL_URL"],
1785
- owner: "lucern_platform",
1786
- scope: "global",
1787
- sourcePath: "/platform/infisical",
1788
- environmentPolicy: "same_all_environments",
1789
- required: false,
1790
- secret: false,
1791
- public: false,
1792
- consumers: ["mc-operator-tooling", "lucern-repo-ci"],
1793
- destinations: [
1794
- {
1795
- kind: "operator_local",
1796
- target: "lucern-repo",
1797
- environmentPolicy: "same_all_environments"
1798
- }
1799
- ],
1800
- description: "Operator-only Infisical CLI/API location knobs. Machine credentials are handled by the bootstrap contract."
1801
- },
1802
- {
1803
- id: "platform.gateway.device-verification-base-url",
1804
- canonicalName: "LUCERN_DEVICE_VERIFICATION_BASE_URL",
1805
- owner: "lucern_platform",
1806
- scope: "environment",
1807
- sourcePath: "/platform/runtime",
1808
- environmentPolicy: "environment_specific",
1809
- required: false,
1810
- secret: false,
1811
- public: false,
1812
- consumers: ["lucern-gateway"],
1813
- destinations: [
1814
- {
1815
- kind: "vercel",
1816
- target: "lucern-gateway",
1817
- environmentPolicy: "environment_specific"
1818
- }
1819
- ],
1820
- description: "Base URL shown during Lucern CLI/device authentication."
1821
- },
1822
- {
1823
- id: "platform.gateway.mode",
1824
- canonicalName: "LUCERN_GATEWAY_MODE",
1825
- aliases: ["LUCERN_GATEWAY_ENV"],
1826
- owner: "lucern_platform",
1827
- scope: "environment",
1828
- sourcePath: "/platform/runtime",
1829
- environmentPolicy: "environment_specific",
1830
- required: false,
1831
- secret: false,
1832
- public: false,
1833
- consumers: ["lucern-gateway", "lucern-repo-ci"],
1834
- destinations: [
1835
- {
1836
- kind: "vercel",
1837
- target: "lucern-gateway",
1838
- environmentPolicy: "environment_specific"
1839
- },
1840
- {
1841
- kind: "github_actions",
1842
- target: "LucernAI/lucern",
1843
- environmentPolicy: "environment_specific"
1844
- }
1845
- ],
1846
- description: "Gateway runtime mode/environment label."
1847
- },
1848
- {
1849
- id: "platform.mcp.runtime",
1850
- canonicalName: "LUCERN_MCP_URL",
1851
- aliases: [
1852
- "LUCERN_AGENT_IDENTITY",
1853
- "LUCERN_HTTP_HOST",
1854
- "LUCERN_HTTP_PORT",
1855
- "LUCERN_MCP_ALLOW_API_KEY_PASSTHROUGH",
1856
- "LUCERN_MCP_DEBUG",
1857
- "LUCERN_MCP_DIAGNOSTICS_FILE",
1858
- "LUCERN_MCP_HEALTH_PATH",
1859
- "LUCERN_MCP_HEALTH_URL",
1860
- "LUCERN_MCP_HOST",
1861
- "LUCERN_MCP_PATH",
1862
- "LUCERN_MCP_PORT",
1863
- "LUCERN_MCP_QUIET",
1864
- "LUCERN_MCP_TRANSPORT",
1865
- "LUCERN_PROFILE",
1866
- "LUCERN_PUBLIC_URL",
1867
- "MCP_SERVER_URL"
1868
- ],
1869
- owner: "lucern_platform",
1870
- scope: "environment",
1871
- sourcePath: "/platform/runtime",
1872
- environmentPolicy: "environment_specific",
1873
- required: false,
1874
- secret: false,
1875
- public: false,
1876
- consumers: ["lucern-mcp", "lucern-cli", "lucern-repo-ci"],
1877
- destinations: [
1878
- {
1879
- kind: "runtime_fetch",
1880
- target: "lucern-cli-mcp-sdk",
1881
- environmentPolicy: "environment_specific"
1882
- },
1883
- {
1884
- kind: "operator_local",
1885
- target: "lucern-repo",
1886
- environmentPolicy: "environment_specific"
1887
- }
1888
- ],
1889
- description: "Lucern MCP/CLI runtime knobs. Aliases are compatibility names and not Vercel write names."
1890
- },
1891
- {
1892
- id: "platform.mcp.auth-token",
1893
- canonicalName: "LUCERN_MCP_SERVER_AUTH_TOKEN",
1894
- aliases: ["LUCERN_USER_TOKEN", "MCP_SERVER_TOKEN"],
1895
- owner: "lucern_platform",
1896
- scope: "environment",
1897
- sourcePath: "/platform/runtime",
1898
- environmentPolicy: "environment_specific",
1899
- required: false,
1900
- secret: true,
1901
- public: false,
1902
- consumers: ["lucern-mcp", "lucern-cli", "lucern-repo-ci"],
1903
- destinations: [
1904
- {
1905
- kind: "runtime_fetch",
1906
- target: "lucern-cli-mcp-sdk",
1907
- environmentPolicy: "environment_specific"
1908
- },
1909
- {
1910
- kind: "operator_local",
1911
- target: "lucern-repo",
1912
- environmentPolicy: "environment_specific"
1913
- }
1914
- ],
1915
- description: "Local/hosted MCP auth token material. Tenant apps must use MC/API-key sessions instead."
1916
- },
1917
- {
1918
- id: "platform.operator.api-key",
1919
- canonicalName: "LUCERN_API_KEY",
1920
- aliases: ["LUCERN_KEY"],
1921
- owner: "lucern_platform",
1922
- scope: "environment",
1923
- sourcePath: "/platform/runtime",
1924
- environmentPolicy: "environment_specific",
1925
- required: false,
1926
- secret: true,
1927
- public: false,
1928
- consumers: ["lucern-cli", "lucern-mcp", "lucern-repo-ci"],
1929
- destinations: [
1930
- {
1931
- kind: "runtime_fetch",
1932
- target: "lucern-cli-mcp-sdk",
1933
- environmentPolicy: "environment_specific"
1934
- },
1935
- {
1936
- kind: "operator_local",
1937
- target: "lucern-repo",
1938
- environmentPolicy: "environment_specific"
1939
- },
1940
- {
1941
- kind: "github_actions",
1942
- target: "LucernAI/lucern",
1943
- environmentPolicy: "environment_specific"
1944
- }
1945
- ],
1946
- description: "Lucern-owned operator API key for trusted CLI/MCP/CI calls. Source it from /platform/runtime; do not persist it into local user credential files."
1947
- },
1948
- {
1949
- id: "platform.graph-sync.proxy",
1950
- canonicalName: "LUCERN_GRAPH_SYNC_QUERY_BASE_URL",
1951
- aliases: [
1952
- "LUCERN_DEFAULT_TENANT_ID",
1953
- "LUCERN_GRAPH_SYNC_ALLOWED_PROXY_HOSTS"
1954
- ],
1955
- owner: "lucern_platform",
1956
- scope: "environment",
1957
- sourcePath: "/platform/graph/neo4j",
1958
- environmentPolicy: "environment_specific",
1959
- required: false,
1960
- secret: false,
1961
- public: false,
1962
- consumers: ["lucern-graph-sync", "lucern-repo-ci"],
1963
- destinations: [
1964
- {
1965
- kind: "runtime_fetch",
1966
- target: "lucern-graph-sync",
1967
- environmentPolicy: "environment_specific"
1968
- },
1969
- {
1970
- kind: "github_actions",
1971
- target: "LucernAI/lucern",
1972
- environmentPolicy: "environment_specific"
1973
- }
1974
- ],
1975
- description: "Graph-sync proxy URL, tenant filter, and allowed host list."
1976
- },
1977
- {
1978
- id: "platform.package-smoke.local",
1979
- canonicalName: "LUCERN_SDK_NPM_TOKEN",
1980
- aliases: [
1981
- "LUCERN_KERNEL_INSTALL_SPEC",
1982
- "LUCERN_KERNEL_KEEP_CLEANROOM",
1983
- "LUCERN_KERNEL_LOCAL_TARBALL",
1984
- "LUCERN_KERNEL_NPM_TOKEN",
1985
- "LUCERN_KERNEL_SCOPE_REGISTRY",
1986
- "LUCERN_KERNEL_SKIP_CONVEX",
1987
- "LUCERN_SDK_INSTALL_SPEC",
1988
- "LUCERN_SDK_KEEP_CLEANROOM",
1989
- "LUCERN_SDK_LOCAL_TARBALL",
1990
- "LUCERN_SDK_SCOPE_REGISTRY",
1991
- "LUCERN_SDK_SKIP_LIVE"
1992
- ],
1993
- owner: "lucern_platform",
1994
- scope: "global",
1995
- sourcePath: "/platform/package-publish",
1996
- environmentPolicy: "same_all_environments",
1997
- required: false,
1998
- secret: true,
1999
- public: false,
2000
- consumers: ["lucern-repo-ci"],
2001
- destinations: [
2002
- {
2003
- kind: "github_actions",
2004
- target: "LucernAI/lucern",
2005
- environmentPolicy: "same_all_environments"
2006
- },
2007
- {
2008
- kind: "operator_local",
2009
- target: "lucern-repo",
2010
- environmentPolicy: "same_all_environments"
2011
- }
2012
- ],
2013
- description: "Private package install smoke-test knobs. Values are not tenant runtime variables."
2014
- },
2015
- {
2016
- id: "platform.convex-deploy.local-names",
2017
- canonicalName: "LUCERN_CONVEX_DEPLOYMENT_NAME",
2018
- aliases: [
2019
- "CONVEX_DEPLOYMENT",
2020
- "CONVEX_DEV_DEPLOYMENT_NAME",
2021
- "CONVEX_PROD_DEPLOYMENT_NAME"
2022
- ],
2023
- owner: "lucern_platform",
2024
- scope: "environment",
2025
- sourcePath: "/platform/deploy/convex",
2026
- environmentPolicy: "environment_specific",
2027
- required: false,
2028
- secret: false,
2029
- public: false,
2030
- consumers: ["mc-operator-tooling", "lucern-repo-ci"],
2031
- destinations: [
2032
- {
2033
- kind: "operator_local",
2034
- target: "lucern-repo",
2035
- environmentPolicy: "environment_specific"
2036
- }
2037
- ],
2038
- description: "Operator-only Convex deployment name hints. Deploy keys and URLs remain separately scoped."
2039
- },
2040
- {
2041
- id: "platform.sdk.local-context",
2042
- canonicalName: "LUCERN_TENANT_ID",
2043
- aliases: [
2044
- "LUCERN_AGENT_DISPLAY_NAME",
2045
- "LUCERN_AGENT_ID",
2046
- "LUCERN_API_ENVIRONMENT",
2047
- "LUCERN_PACK_KEY",
2048
- "LUCERN_PROJECT_ID",
2049
- "LUCERN_TOPIC_ID",
2050
- "LUCERN_WORKSPACE_ID",
2051
- "LUCERN_WORKTREE_ID"
2052
- ],
2053
- owner: "lucern_platform",
2054
- scope: "environment",
2055
- sourcePath: "/platform/runtime",
2056
- environmentPolicy: "environment_specific",
2057
- required: false,
2058
- secret: false,
2059
- public: false,
2060
- consumers: ["lucern-cli", "lucern-mcp", "tenant-agent-runtime"],
2061
- destinations: [
2062
- {
2063
- kind: "runtime_fetch",
2064
- target: "lucern-cli-mcp-sdk",
2065
- environmentPolicy: "environment_specific"
2066
- },
2067
- {
2068
- kind: "operator_local",
2069
- target: "lucern-repo",
2070
- environmentPolicy: "environment_specific"
2071
- }
2072
- ],
2073
- description: "SDK, CLI, and agent context selectors. These identify scope and must not grant access by themselves."
2074
- },
2075
- {
2076
- id: "platform.debug.local-flags",
2077
- canonicalName: "LUCERN_FUNCTIONAL_DEBUG",
2078
- aliases: [
2079
- "LUCERN_CONTRACTS_SKIP_DTS",
2080
- "LUCERN_DEPLOY_RECONCILIATION_DEBUG",
2081
- "LUCERN_ENABLE_ADAPTIVE_LEARNING",
2082
- "LUCERN_ENV_FILE",
2083
- "LUCERN_EXAMPLE_DEBUG",
2084
- "LUCERN_HTTP_SMOKE_DEBUG",
2085
- "LUCERN_MULTI_TENANT",
2086
- "LUCERN_PACK_ACTION_DEBUG",
2087
- "LUCERN_RUN_LIVE_MCP"
2088
- ],
2089
- owner: "lucern_platform",
2090
- scope: "environment",
2091
- sourcePath: "/platform/runtime/debug",
2092
- environmentPolicy: "environment_specific",
2093
- required: false,
2094
- secret: false,
2095
- public: false,
2096
- consumers: ["lucern-repo-ci", "mc-operator-tooling"],
2097
- destinations: [
2098
- {
2099
- kind: "operator_local",
2100
- target: "lucern-repo",
2101
- environmentPolicy: "environment_specific"
2102
- }
2103
- ],
2104
- description: "Local or CI debug toggles. They are manifest-known but not tenant runtime secrets."
2105
- },
2106
- {
2107
- id: "tenant.stackos.deploy-guard.local",
2108
- canonicalName: "STACKOS_DEPLOY_TARGET",
2109
- aliases: [
2110
- "STACKOS_DEPLOY_ENTRYPOINT",
2111
- "STACKOS_EXPECTED_STAGING_COMMIT",
2112
- "STACKOS_PROD_CUTOVER_APPROVED",
2113
- "STACKOS_REPO_PATH",
2114
- "STACKOS_REQUIRE_CHAT_RUNTIME",
2115
- "STACKOS_SLOP_SCAN_BASELINE",
2116
- "STACKOS_STAGING_API_KEY",
2117
- "STACKOS_STAGING_BASE_URL",
2118
- "STACK_DEPLOY_RECONCILIATION_SCHEMA_JSON"
2119
- ],
2120
- owner: "tenant",
2121
- scope: "software_system",
2122
- sourcePath: "/tenants/stack",
2123
- environmentPolicy: "environment_specific",
2124
- required: false,
2125
- secret: true,
2126
- public: false,
2127
- consumers: ["tenant-deploy-tooling", "lucern-repo-ci"],
2128
- destinations: [
2129
- {
2130
- kind: "operator_local",
2131
- target: "stackos-deploy-guard",
2132
- environmentPolicy: "environment_specific"
2133
- },
2134
- {
2135
- kind: "github_actions",
2136
- target: "stack-vc/stackos",
2137
- environmentPolicy: "environment_specific"
2138
- }
2139
- ],
2140
- description: "StackOS deploy/test guard variables. These are not written into the StackOS Vercel runtime."
2141
- }
2142
- ];
2143
- var TENANT_SHARED_SECRET_DEFINITION_TEMPLATES = [
2144
- {
2145
- idSuffix: "clerk.publishable",
2146
- canonicalName: "NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY",
2147
- aliases: ["CLERK_PUBLISHABLE_KEY"],
2148
- required: true,
2149
- secret: false,
2150
- public: true,
2151
- description: "Tenant-owned Clerk browser key. For Stack this is the master clerk.stack.vc project shared by front-end, StackOS, and the engineering workspace."
2152
- },
2153
- {
2154
- idSuffix: "clerk.secret",
2155
- canonicalName: "CLERK_SECRET_KEY",
2156
- required: true,
2157
- secret: true,
2158
- public: false,
2159
- description: "Tenant-owned Clerk backend secret used only by that tenant's server runtimes."
2160
- },
2161
- {
2162
- idSuffix: "clerk.project",
2163
- canonicalName: "CLERK_PROJECT_ID",
2164
- required: true,
2165
- secret: false,
2166
- public: false,
2167
- description: "Tenant-owned Clerk project id used to resolve canonical Clerk aliases."
2168
- },
2169
- {
2170
- idSuffix: "clerk.jwks",
2171
- canonicalName: "CLERK_JWT_ISSUER_DOMAIN",
2172
- aliases: ["CLERK_ISSUER_URL", "CLERK_JWKS_URL"],
2173
- required: false,
2174
- secret: false,
2175
- public: false,
2176
- description: "Tenant Clerk issuer/JWKS URL consumed by Convex auth.config.ts."
2177
- },
2178
- {
2179
- idSuffix: "clerk.jwt-key",
2180
- canonicalName: "CLERK_JWT_KEY",
2181
- required: false,
2182
- secret: true,
2183
- public: false,
2184
- description: "Tenant Clerk JWT public verification key used by bearer-token API routes."
2185
- },
2186
- {
2187
- idSuffix: "clerk.authorized-parties",
2188
- canonicalName: "CLERK_AUTHORIZED_PARTIES",
2189
- aliases: ["CLERK_MOBILE_AUTHORIZED_PARTIES"],
2190
- required: false,
2191
- secret: false,
2192
- public: false,
2193
- description: "Comma-separated Clerk authorized parties for browser and mobile bearer-token validation."
2194
- },
2195
- {
2196
- idSuffix: "clerk.sign-in-url",
2197
- canonicalName: "NEXT_PUBLIC_CLERK_SIGN_IN_URL",
2198
- required: false,
2199
- secret: false,
2200
- public: true,
2201
- description: "Tenant Clerk sign-in route for custom app login surfaces."
2202
- },
2203
- {
2204
- idSuffix: "clerk.sign-up-url",
2205
- canonicalName: "NEXT_PUBLIC_CLERK_SIGN_UP_URL",
2206
- required: false,
2207
- secret: false,
2208
- public: true,
2209
- description: "Tenant Clerk sign-up route for custom app login surfaces."
2210
- }
2211
- ];
2212
- var TENANT_SHARED_SECRET_DEFINITIONS = INFISICAL_TENANT_SOFTWARE_SYSTEMS.flatMap(
2213
- (system) => TENANT_SHARED_SECRET_DEFINITION_TEMPLATES.map(
2214
- (template) => ({
2215
- id: `tenant.${system.id}.${template.idSuffix}`,
2216
- canonicalName: template.canonicalName,
2217
- aliases: "aliases" in template ? template.aliases : void 0,
2218
- owner: "tenant",
2219
- scope: "tenant",
2220
- sourcePath: system.sharedSourcePath,
2221
- environmentPolicy: "environment_specific",
2222
- required: template.required,
2223
- secret: template.secret,
2224
- public: template.public,
2225
- consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
2226
- destinations: [
2227
- {
2228
- kind: "vercel",
2229
- target: system.vercelProjectName,
2230
- environmentPolicy: "preprod_staging_prod_prod"
2231
- },
2232
- {
2233
- kind: "convex",
2234
- target: `${system.convex.preprodDeployment}|${system.convex.prodDeployment}`,
2235
- environmentPolicy: "preprod_staging_prod_prod"
2236
- }
2237
- ],
2238
- description: `${system.tenantKey}/${system.workspaceKey}: ${template.description}`
2239
- })
2240
- )
2241
- );
2242
- var TENANT_INSTALL_SECRET_DEFINITIONS = INFISICAL_TENANT_SOFTWARE_SYSTEMS.map(
2243
- (system) => ({
2244
- id: `tenant.${system.id}.install-lucern-npm`,
2245
- canonicalName: "INSTALL_LUCERN_NPM",
2246
- owner: "provider",
2247
- scope: "global",
2248
- sourcePath: "/tenants/shared",
2249
- environmentPolicy: "same_all_environments",
2250
- required: true,
2251
- secret: true,
2252
- public: false,
2253
- consumers: ["tenant-vercel-app", "tenant-deploy-tooling"],
2254
- destinations: [
2255
- {
2256
- kind: "vercel",
2257
- target: system.vercelProjectName,
2258
- environmentPolicy: "same_all_environments"
2259
- },
2260
- {
2261
- kind: "github_actions",
2262
- target: `${system.repository.owner}/${system.repository.name}`,
2263
- environmentPolicy: "same_all_environments"
2264
- }
2265
- ],
2266
- description: `${system.tenantKey}/${system.workspaceKey}: read-only npm install token for published @lucern/* packages.`
2267
- })
2268
- );
2269
- var TENANT_PRODUCT_SOFTWARE_SYSTEM_IDS = ["stack-frontend", "stackos"];
2270
- var TENANT_PRODUCT_RUNTIME_SECRET_DEFINITION_TEMPLATES = [
2271
- {
2272
- idSuffix: "ai.openai-api-key",
2273
- canonicalName: "OPENAI_API_KEY",
2274
- required: false,
2275
- secret: true,
2276
- public: false,
2277
- consumers: ["tenant-vercel-app", "tenant-convex-deployment", "tenant-ai-runtime"],
2278
- description: "Tenant-owned OpenAI key for product runtime LLM calls."
2279
- },
2280
- {
2281
- idSuffix: "ai.anthropic-api-key",
2282
- canonicalName: "ANTHROPIC_API_KEY",
2283
- required: false,
2284
- secret: true,
2285
- public: false,
2286
- consumers: ["tenant-vercel-app", "tenant-convex-deployment", "tenant-ai-runtime"],
2287
- description: "Tenant-owned Anthropic key for product runtime LLM calls."
2288
- },
2289
- {
2290
- idSuffix: "ai.gemini-api-key",
2291
- canonicalName: "GEMINI_API_KEY",
2292
- aliases: ["GOOGLE_AI_API_KEY", "GOOGLE_GENERATIVE_AI_API_KEY"],
2293
- required: false,
2294
- secret: true,
2295
- public: false,
2296
- consumers: ["tenant-vercel-app", "tenant-convex-deployment", "tenant-ai-runtime"],
2297
- description: "Tenant-owned Google/Gemini key for product runtime LLM calls."
2298
- },
2299
- {
2300
- idSuffix: "langfuse.secret-key",
2301
- canonicalName: "LANGFUSE_SECRET_KEY",
2302
- required: false,
2303
- secret: true,
2304
- public: false,
2305
- consumers: [
2306
- "tenant-vercel-app",
2307
- "tenant-convex-deployment",
2308
- "tenant-observability"
2309
- ],
2310
- description: "Tenant-owned Langfuse secret key for product AI tracing."
2311
- },
2312
- {
2313
- idSuffix: "langfuse.public-key",
2314
- canonicalName: "LANGFUSE_PUBLIC_KEY",
2315
- required: false,
2316
- secret: false,
2317
- public: false,
2318
- consumers: [
2319
- "tenant-vercel-app",
2320
- "tenant-convex-deployment",
2321
- "tenant-observability"
2322
- ],
2323
- description: "Tenant-owned Langfuse public key for product AI tracing."
2324
- },
2325
- {
2326
- idSuffix: "langfuse.base-url",
2327
- canonicalName: "LANGFUSE_BASE_URL",
2328
- aliases: ["LANGFUSE_BASEURL", "LANGFUSE_HOST"],
2329
- required: false,
2330
- secret: false,
2331
- public: false,
2332
- consumers: [
2333
- "tenant-vercel-app",
2334
- "tenant-convex-deployment",
2335
- "tenant-observability"
2336
- ],
2337
- description: "Tenant-owned Langfuse API origin."
2338
- },
2339
- {
2340
- idSuffix: "graph.neo4j-uri",
2341
- canonicalName: "NEO4J_URI",
2342
- required: false,
2343
- secret: false,
2344
- public: false,
2345
- consumers: [
2346
- "tenant-vercel-app",
2347
- "tenant-convex-deployment",
2348
- "tenant-graph-sync"
2349
- ],
2350
- description: "Tenant-owned Neo4j URI for product graph-sync."
2351
- },
2352
- {
2353
- idSuffix: "graph.neo4j-user",
2354
- canonicalName: "NEO4J_USER",
2355
- aliases: ["NEO4J_USERNAME"],
2356
- required: false,
2357
- secret: false,
2358
- public: false,
2359
- consumers: [
2360
- "tenant-vercel-app",
2361
- "tenant-convex-deployment",
2362
- "tenant-graph-sync"
2363
- ],
2364
- description: "Tenant-owned Neo4j user for product graph-sync."
2365
- },
2366
- {
2367
- idSuffix: "graph.neo4j-password",
2368
- canonicalName: "NEO4J_PASSWORD",
2369
- required: false,
2370
- secret: true,
2371
- public: false,
2372
- consumers: [
2373
- "tenant-vercel-app",
2374
- "tenant-convex-deployment",
2375
- "tenant-graph-sync"
2376
- ],
2377
- description: "Tenant-owned Neo4j password for product graph-sync."
2378
- },
2379
- {
2380
- idSuffix: "graph.neo4j-sync-secret",
2381
- canonicalName: "NEO4J_SYNC_SECRET",
2382
- required: false,
2383
- secret: true,
2384
- public: false,
2385
- consumers: [
2386
- "tenant-vercel-app",
2387
- "tenant-convex-deployment",
2388
- "tenant-graph-sync"
2389
- ],
2390
- description: "Tenant-owned shared secret for product Convex-to-HTTP graph-sync calls."
2391
- },
2392
- {
2393
- idSuffix: "graph.neo4j-database",
2394
- canonicalName: "NEO4J_DATABASE",
2395
- required: false,
2396
- secret: false,
2397
- public: false,
2398
- consumers: [
2399
- "tenant-vercel-app",
2400
- "tenant-convex-deployment",
2401
- "tenant-graph-sync"
2402
- ],
2403
- description: "Tenant-owned Neo4j database name for product graph-sync."
2404
- },
2405
- {
2406
- idSuffix: "vector.pinecone-api-key",
2407
- canonicalName: "PINECONE_API_KEY",
2408
- required: false,
2409
- secret: true,
2410
- public: false,
2411
- consumers: [
2412
- "tenant-vercel-app",
2413
- "tenant-convex-deployment",
2414
- "tenant-vector-store"
2415
- ],
2416
- description: "Tenant-owned Pinecone API key for product vector search."
2417
- },
2418
- {
2419
- idSuffix: "vector.pinecone-index-name",
2420
- canonicalName: "PINECONE_INDEX_NAME",
2421
- aliases: ["PINECONE_INDEX"],
2422
- required: false,
2423
- secret: false,
2424
- public: false,
2425
- consumers: [
2426
- "tenant-vercel-app",
2427
- "tenant-convex-deployment",
2428
- "tenant-vector-store"
2429
- ],
2430
- description: "Tenant-owned Pinecone index name for product vector search."
2431
- },
2432
- {
2433
- idSuffix: "vector.pinecone-host",
2434
- canonicalName: "PINECONE_HOST",
2435
- aliases: ["PINECONE_INDEX_HOST"],
2436
- required: false,
2437
- secret: false,
2438
- public: false,
2439
- consumers: [
2440
- "tenant-vercel-app",
2441
- "tenant-convex-deployment",
2442
- "tenant-vector-store"
2443
- ],
2444
- description: "Tenant-owned Pinecone host for product vector search."
2445
- },
2446
- {
2447
- idSuffix: "vector.pinecone-namespace",
2448
- canonicalName: "PINECONE_NAMESPACE",
2449
- required: false,
2450
- secret: false,
2451
- public: false,
2452
- consumers: [
2453
- "tenant-vercel-app",
2454
- "tenant-convex-deployment",
2455
- "tenant-vector-store"
2456
- ],
2457
- description: "Tenant-owned Pinecone namespace for product vector search isolation."
2458
- },
2459
- {
2460
- idSuffix: "storage.aws-access-key-id",
2461
- canonicalName: "AWS_ACCESS_KEY_ID",
2462
- required: false,
2463
- secret: true,
2464
- public: false,
2465
- consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
2466
- description: "Tenant-owned AWS access key id for document/file ingestion."
2467
- },
2468
- {
2469
- idSuffix: "storage.aws-secret-access-key",
2470
- canonicalName: "AWS_SECRET_ACCESS_KEY",
2471
- required: false,
2472
- secret: true,
2473
- public: false,
2474
- consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
2475
- description: "Tenant-owned AWS secret access key for document/file ingestion."
2476
- },
2477
- {
2478
- idSuffix: "storage.aws-region",
2479
- canonicalName: "AWS_REGION",
2480
- required: false,
2481
- secret: false,
2482
- public: false,
2483
- consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
2484
- description: "Tenant-owned AWS region for document/file ingestion."
2485
- },
2486
- {
2487
- idSuffix: "observability.sentry-dsn",
2488
- canonicalName: "NEXT_PUBLIC_SENTRY_DSN",
2489
- aliases: ["NEXT_PUBLIC_SENTRY_DSN_NEXTJS", "SENTRY_DSN"],
2490
- required: false,
2491
- secret: false,
2492
- public: true,
2493
- consumers: ["tenant-vercel-app", "tenant-observability"],
2494
- description: "Tenant-owned Sentry DSN for app telemetry."
2495
- },
2496
- {
2497
- idSuffix: "observability.sentry-auth-token",
2498
- canonicalName: "SENTRY_AUTH_TOKEN",
2499
- required: false,
2500
- secret: true,
2501
- public: false,
2502
- consumers: ["tenant-deploy-tooling", "tenant-observability"],
2503
- description: "Tenant-owned Sentry release token for app deployments."
2504
- },
2505
- {
2506
- idSuffix: "observability.sentry-org",
2507
- canonicalName: "SENTRY_ORG",
2508
- aliases: ["SENTRY_ORG_SLUG"],
2509
- required: false,
2510
- secret: false,
2511
- public: false,
2512
- consumers: ["tenant-deploy-tooling", "tenant-observability"],
2513
- description: "Tenant-owned Sentry org slug for release uploads."
2514
- },
2515
- {
2516
- idSuffix: "observability.sentry-project",
2517
- canonicalName: "SENTRY_PROJECT",
2518
- aliases: ["SENTRY_PROJECT_NEXTJS"],
2519
- required: false,
2520
- secret: false,
2521
- public: false,
2522
- consumers: ["tenant-deploy-tooling", "tenant-observability"],
2523
- description: "Tenant-owned Sentry project slug for release uploads."
2524
- },
2525
- {
2526
- idSuffix: "observability.sentry-environment",
2527
- canonicalName: "NEXT_PUBLIC_SENTRY_ENVIRONMENT",
2528
- aliases: ["SENTRY_ENVIRONMENT"],
2529
- required: false,
2530
- secret: false,
2531
- public: true,
2532
- consumers: ["tenant-vercel-app", "tenant-observability"],
2533
- description: "Tenant-owned Sentry environment label."
2534
- },
2535
- {
2536
- idSuffix: "observability.sentry-release",
2537
- canonicalName: "NEXT_PUBLIC_SENTRY_RELEASE",
2538
- aliases: ["SENTRY_RELEASE"],
2539
- required: false,
2540
- secret: false,
2541
- public: true,
2542
- consumers: ["tenant-vercel-app", "tenant-observability"],
2543
- description: "Tenant-owned Sentry release label."
2544
- },
2545
- {
2546
- idSuffix: "observability.sentry-client-options",
2547
- canonicalName: "NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE",
2548
- aliases: [
2549
- "NEXT_PUBLIC_SENTRY_CAPTURE_CONSOLE_LEVELS",
2550
- "NEXT_PUBLIC_SENTRY_CAPTURE_CONSOLE_LEVELS_NEXTJS",
2551
- "NEXT_PUBLIC_SENTRY_CONSOLE_BREADCRUMB_LEVELS",
2552
- "NEXT_PUBLIC_SENTRY_CONSOLE_BREADCRUMB_LEVELS_NEXTJS",
2553
- "NEXT_PUBLIC_SENTRY_CONSOLE_LOG_LEVELS",
2554
- "NEXT_PUBLIC_SENTRY_CONSOLE_LOG_LEVELS_NEXTJS",
2555
- "NEXT_PUBLIC_SENTRY_ENABLE_LOGS",
2556
- "NEXT_PUBLIC_SENTRY_REPLAYS_ON_ERROR_SAMPLE_RATE",
2557
- "NEXT_PUBLIC_SENTRY_REPLAYS_SESSION_SAMPLE_RATE",
2558
- "NEXT_PUBLIC_SENTRY_SEND_DEFAULT_PII",
2559
- "NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE_NEXTJS"
2560
- ],
2561
- required: false,
2562
- secret: false,
2563
- public: true,
2564
- consumers: ["tenant-vercel-app", "tenant-observability"],
2565
- description: "Tenant-owned public Sentry tuning values for Next.js client instrumentation."
2566
- },
2567
- {
2568
- idSuffix: "observability.sentry-webhook-secret",
2569
- canonicalName: "SENTRY_WEBHOOK_SECRET",
2570
- required: false,
2571
- secret: true,
2572
- public: false,
2573
- consumers: ["tenant-convex-deployment", "tenant-observability"],
2574
- description: "Tenant-owned Sentry webhook verification secret."
2575
- },
2576
- {
2577
- idSuffix: "lucern.gateway-api-key",
2578
- canonicalName: "LUCERN_API_KEY",
2579
- aliases: ["STACK_API_KEY"],
2580
- required: false,
2581
- secret: true,
2582
- public: false,
2583
- consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
2584
- description: "Tenant-scoped Lucern/MC gateway API key for product front-door calls."
2585
- },
2586
- {
2587
- idSuffix: "lucern.gateway-base-url",
2588
- canonicalName: "LUCERN_BASE_URL",
2589
- aliases: ["LUCERN_API_BASE_URL", "LUCERN_GATEWAY_BASE_URL"],
2590
- required: false,
2591
- secret: false,
2592
- public: false,
2593
- consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
2594
- description: "Lucern/MC gateway base URL used by tenant product apps."
2595
- },
2596
- {
2597
- idSuffix: "lucern.proxy-token-secret",
2598
- canonicalName: "LUCERN_PROXY_TOKEN_SECRET",
2599
- required: false,
2600
- secret: true,
2601
- public: false,
2602
- consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
2603
- description: "Tenant-owned secret for signing internal proxy/session tokens in product apps."
2604
- },
2605
- {
2606
- idSuffix: "tenant.integrations.linear-api-key",
2607
- canonicalName: "LINEAR_API_KEY",
2608
- required: false,
2609
- secret: true,
2610
- public: false,
2611
- consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
2612
- description: "Tenant-owned Linear API key for support/slash-command flows."
2613
- },
2614
- {
2615
- idSuffix: "tenant.vercel.bypass-token",
2616
- canonicalName: "VERCEL_AUTOMATION_BYPASS_SECRET",
2617
- aliases: ["NEXT_PUBLIC_VERCEL_BYPASS_TOKEN"],
2618
- required: false,
2619
- secret: true,
2620
- public: false,
2621
- consumers: ["tenant-vercel-app", "tenant-deploy-tooling"],
2622
- description: "Tenant-owned Vercel automation bypass token. Public alias is legacy and should be removed from app code."
2623
- }
2624
- ];
2625
- var TENANT_PRODUCT_RUNTIME_SECRET_DEFINITIONS = INFISICAL_TENANT_SOFTWARE_SYSTEMS.filter(
2626
- (system) => TENANT_PRODUCT_SOFTWARE_SYSTEM_IDS.includes(system.id)
2627
- ).flatMap(
2628
- (system) => TENANT_PRODUCT_RUNTIME_SECRET_DEFINITION_TEMPLATES.map(
2629
- (template) => ({
2630
- id: `tenant.${system.id}.${template.idSuffix}`,
2631
- canonicalName: template.canonicalName,
2632
- aliases: "aliases" in template ? template.aliases : void 0,
2633
- owner: "tenant",
2634
- scope: "tenant",
2635
- sourcePath: system.sharedSourcePath,
2636
- environmentPolicy: "environment_specific",
2637
- required: template.required,
2638
- secret: template.secret,
2639
- public: template.public,
2640
- consumers: template.consumers,
2641
- destinations: [
2642
- {
2643
- kind: "vercel",
2644
- target: system.vercelProjectName,
2645
- environmentPolicy: "preprod_staging_prod_prod"
2646
- },
2647
- {
2648
- kind: "convex",
2649
- target: `${system.convex.preprodDeployment}|${system.convex.prodDeployment}`,
2650
- environmentPolicy: "preprod_staging_prod_prod"
2651
- },
2652
- {
2653
- kind: "github_actions",
2654
- target: `${system.repository.owner}/${system.repository.name}`,
2655
- environmentPolicy: "preprod_staging_prod_prod"
2656
- }
2657
- ],
2658
- description: `${system.tenantKey}/${system.workspaceKey}: ${template.description}`
2659
- })
2660
- )
2661
- );
2662
- function tenantVercelConvexUrlWriteNames(system) {
2663
- const names = [system.convex.urlEnv, "NEXT_PUBLIC_CONVEX_URL"];
2664
- if (system.id === "stack-eng") {
2665
- return [...names, "STACKOS_ENGINEERING_GRAPH_CONVEX_URL"];
2666
- }
2667
- return names;
2668
- }
2669
- function tenantRepositoryConvexUrlWriteNames(system) {
2670
- if (system.id === "stack-eng") {
2671
- return [system.convex.urlEnv, "STACKOS_ENGINEERING_GRAPH_CONVEX_URL"];
2672
- }
2673
- return [system.convex.urlEnv];
2674
- }
2675
- function tenantRepositoryConvexDeployKeyWriteNames(system) {
2676
- if (system.id === "stack-eng") {
2677
- return [system.convex.deployKeyEnv, "STACKOS_ENGINEERING_GRAPH_DEPLOY_KEY"];
2678
- }
2679
- return [system.convex.deployKeyEnv];
2680
- }
2681
- function tenantConvexUrlAliases(system) {
2682
- if (system.id === "stack-frontend") {
2683
- return [
2684
- "CONVEX_PROD_URL",
2685
- "CONVEX_STACK_V2_PROD_URL",
2686
- "CONVEX_STACK_V2_STAGING_URL",
2687
- "STACK_CONVEX_URL"
2688
- ];
2689
- }
2690
- if (system.id === "stackos") {
2691
- return [
2692
- "CONVEX_CLOUD_URL",
2693
- "CONVEX_STACK_URL",
2694
- "CONVEX_URL",
2695
- "CONVEX_URL_DEVELOPMENT",
2696
- "CONVEX_URL_PRODUCTION",
2697
- "STACK_CONVEX_URL"
2698
- ];
2699
- }
2700
- if (system.id === "stack-eng") {
2701
- return ["STACKOS_ENGINEERING_GRAPH_CONVEX_URL"];
2702
- }
2703
- if (system.id === "lucern-graph") {
2704
- return [
2705
- "CONVEX_GRAPH_URL",
2706
- "LUCERN_PROD_URL",
2707
- "NEXT_PUBLIC_LUCERN_GRAPH_URL"
2708
- ];
2709
- }
2710
- return void 0;
2711
- }
2712
- function tenantConvexDeployKeyAliases(system) {
2713
- if (system.id === "stack-frontend") {
2714
- return [
2715
- "CONVEX_STACK_V2_PROD_DEPLOY_KEY",
2716
- "CONVEX_STACK_V2_STAGING_DEPLOY_KEY",
2717
- "STACK_DEPLOY_KEY"
2718
- ];
2719
- }
2720
- if (system.id === "stackos") {
2721
- return [
2722
- "CONVEX_DEPLOY_KEY",
2723
- "CONVEX_DEV_DEPLOY_KEY",
2724
- "CONVEX_PROD_DEPLOY_KEY",
2725
- "CONVEX_STACK_DEPLOY_KEY",
2726
- "STACK_DEPLOY_KEY"
2727
- ];
2728
- }
2729
- if (system.id === "stack-eng") {
2730
- return ["CONVEX_DEPLOY_KEY", "STACKOS_ENGINEERING_GRAPH_DEPLOY_KEY"];
2731
- }
2732
- if (system.id === "lucern-graph") {
2733
- return [
2734
- "CONVEX_DEPLOY_KEY",
2735
- "CONVEX_GRAPH_DEPLOY_KEY",
2736
- "LUCERN_CONVEX_DEPLOY_KEY",
2737
- "LUCERN_DEV_DEPLOY_KEY",
2738
- "LUCERN_PROD_DEPLOY_KEY"
2739
- ];
2740
- }
2741
- return void 0;
2742
- }
2743
- var TENANT_GRAPH_PUBLIC_CONFIG_SECRET_DEFINITIONS = INFISICAL_TENANT_SOFTWARE_SYSTEMS.flatMap(
2744
- (system) => {
2745
- if (system.id === "lucern-graph") {
2746
- return [
2747
- {
2748
- id: "tenant.lucern-graph.public.tenant-id",
2749
- canonicalName: "NEXT_PUBLIC_LUCERN_GRAPH_TENANT_ID",
2750
- aliases: ["NEXT_PUBLIC_LUCERN_TENANT_ID"],
2751
- owner: "tenant",
2752
- scope: "workspace",
2753
- sourcePath: system.sharedSourcePath,
2754
- environmentPolicy: "environment_specific",
2755
- required: false,
2756
- secret: false,
2757
- public: true,
2758
- consumers: ["tenant-vercel-app"],
2759
- destinations: [
2760
- {
2761
- kind: "vercel",
2762
- target: system.vercelProjectName,
2763
- environmentPolicy: "preprod_staging_prod_prod"
2764
- }
2765
- ],
2766
- description: "Lucern graph public tenant id used by the standalone graph explorer."
2767
- },
2768
- {
2769
- id: "tenant.lucern-graph.public.tenant-label",
2770
- canonicalName: "NEXT_PUBLIC_LUCERN_GRAPH_TENANT_LABEL",
2771
- owner: "tenant",
2772
- scope: "workspace",
2773
- sourcePath: system.sharedSourcePath,
2774
- environmentPolicy: "environment_specific",
2775
- required: false,
2776
- secret: false,
2777
- public: true,
2778
- consumers: ["tenant-vercel-app"],
2779
- destinations: [
2780
- {
2781
- kind: "vercel",
2782
- target: system.vercelProjectName,
2783
- environmentPolicy: "preprod_staging_prod_prod"
2784
- }
2785
- ],
2786
- description: "Lucern graph public tenant label used by the standalone graph explorer."
2787
- }
2788
- ];
2789
- }
2790
- if (system.id === "stack-eng") {
2791
- return [
2792
- {
2793
- id: "tenant.stack-eng.public.tenant-id",
2794
- canonicalName: "NEXT_PUBLIC_STACKOS_ENGINEERING_GRAPH_TENANT_ID",
2795
- owner: "tenant",
2796
- scope: "workspace",
2797
- sourcePath: system.sharedSourcePath,
2798
- environmentPolicy: "environment_specific",
2799
- required: false,
2800
- secret: false,
2801
- public: true,
2802
- consumers: ["tenant-vercel-app"],
2803
- destinations: [
2804
- {
2805
- kind: "vercel",
2806
- target: system.vercelProjectName,
2807
- environmentPolicy: "preprod_staging_prod_prod"
2808
- }
2809
- ],
2810
- description: "Stack engineering graph public tenant id used by the graph explorer."
2811
- },
2812
- {
2813
- id: "tenant.stack-eng.public.tenant-label",
2814
- canonicalName: "NEXT_PUBLIC_STACKOS_ENGINEERING_GRAPH_TENANT_LABEL",
2815
- owner: "tenant",
2816
- scope: "workspace",
2817
- sourcePath: system.sharedSourcePath,
2818
- environmentPolicy: "environment_specific",
2819
- required: false,
2820
- secret: false,
2821
- public: true,
2822
- consumers: ["tenant-vercel-app"],
2823
- destinations: [
2824
- {
2825
- kind: "vercel",
2826
- target: system.vercelProjectName,
2827
- environmentPolicy: "preprod_staging_prod_prod"
2828
- }
2829
- ],
2830
- description: "Stack engineering graph public tenant label used by the graph explorer."
2831
- },
2832
- {
2833
- id: "tenant.stack-eng.public.environment",
2834
- canonicalName: "NEXT_PUBLIC_STACKOS_ENGINEERING_GRAPH_ENV",
2835
- owner: "tenant",
2836
- scope: "workspace",
2837
- sourcePath: system.sharedSourcePath,
2838
- environmentPolicy: "environment_specific",
2839
- required: false,
2840
- secret: false,
2841
- public: true,
2842
- consumers: ["tenant-vercel-app"],
2843
- destinations: [
2844
- {
2845
- kind: "vercel",
2846
- target: system.vercelProjectName,
2847
- environmentPolicy: "preprod_staging_prod_prod"
2848
- }
2849
- ],
2850
- description: "Stack engineering graph public environment label used by the graph explorer."
2851
- }
2852
- ];
2853
- }
2854
- return [];
2855
- }
2856
- );
2857
- var STACK_ENG_GRAPH_STORE_SECRET_DEFINITIONS = [
2858
- {
2859
- id: "tenant.stack-eng.neo4j.uri",
2860
- canonicalName: "NEO4J_URI",
2861
- aliases: ["NEO4J_ENG_URI"],
2862
- owner: "tenant",
2863
- scope: "workspace",
2864
- sourcePath: "/tenants/stack/engineering",
2865
- environmentPolicy: "environment_specific",
2866
- required: false,
2867
- secret: false,
2868
- public: false,
2869
- consumers: ["tenant-graph-sync", "tenant-convex-deployment"],
2870
- destinations: [
2871
- {
2872
- kind: "convex",
2873
- target: "small-oyster-270|bold-cuttlefish-804",
2874
- environmentPolicy: "preprod_staging_prod_prod"
2875
- },
2876
- {
2877
- kind: "vercel",
2878
- target: "stackos-engineering-graph",
2879
- environmentPolicy: "preprod_staging_prod_prod"
2880
- },
2881
- {
2882
- kind: "github_actions",
2883
- target: "stack-vc/stackos-engineering-graph",
2884
- environmentPolicy: "preprod_staging_prod_prod"
2885
- }
2886
- ],
2887
- description: "Stack engineering graph Neo4j runtime URI. NEO4J_ENG_URI is the source alias used to avoid StackOS front-office collisions."
2888
- },
2889
- {
2890
- id: "tenant.stack-eng.neo4j.user",
2891
- canonicalName: "NEO4J_USER",
2892
- aliases: ["NEO4J_ENG_USER"],
2893
- owner: "tenant",
2894
- scope: "workspace",
2895
- sourcePath: "/tenants/stack/engineering",
2896
- environmentPolicy: "environment_specific",
2897
- required: false,
2898
- secret: false,
2899
- public: false,
2900
- consumers: ["tenant-graph-sync", "tenant-convex-deployment"],
2901
- destinations: [
2902
- {
2903
- kind: "convex",
2904
- target: "small-oyster-270|bold-cuttlefish-804",
2905
- environmentPolicy: "preprod_staging_prod_prod"
2906
- },
2907
- {
2908
- kind: "vercel",
2909
- target: "stackos-engineering-graph",
2910
- environmentPolicy: "preprod_staging_prod_prod"
2911
- },
2912
- {
2913
- kind: "github_actions",
2914
- target: "stack-vc/stackos-engineering-graph",
2915
- environmentPolicy: "preprod_staging_prod_prod"
2916
- }
2917
- ],
2918
- description: "Stack engineering graph Neo4j runtime user."
2919
- },
2920
- {
2921
- id: "tenant.stack-eng.neo4j.password",
2922
- canonicalName: "NEO4J_PASSWORD",
2923
- aliases: ["NEO4J_ENG_PASSWORD"],
2924
- owner: "tenant",
2925
- scope: "workspace",
2926
- sourcePath: "/tenants/stack/engineering",
2927
- environmentPolicy: "environment_specific",
2928
- required: false,
2929
- secret: true,
2930
- public: false,
2931
- consumers: ["tenant-graph-sync", "tenant-convex-deployment"],
2932
- destinations: [
2933
- {
2934
- kind: "convex",
2935
- target: "small-oyster-270|bold-cuttlefish-804",
2936
- environmentPolicy: "preprod_staging_prod_prod"
2937
- },
2938
- {
2939
- kind: "vercel",
2940
- target: "stackos-engineering-graph",
2941
- environmentPolicy: "preprod_staging_prod_prod"
2942
- },
2943
- {
2944
- kind: "github_actions",
2945
- target: "stack-vc/stackos-engineering-graph",
2946
- environmentPolicy: "preprod_staging_prod_prod"
2947
- }
2948
- ],
2949
- description: "Stack engineering graph Neo4j runtime password."
2950
- },
2951
- {
2952
- id: "tenant.stack-eng.neo4j.sync-secret",
2953
- canonicalName: "NEO4J_SYNC_SECRET",
2954
- owner: "tenant",
2955
- scope: "workspace",
2956
- sourcePath: "/tenants/stack/engineering",
2957
- environmentPolicy: "environment_specific",
2958
- required: false,
2959
- secret: true,
2960
- public: false,
2961
- consumers: ["tenant-graph-sync", "tenant-convex-deployment"],
2962
- destinations: [
2963
- {
2964
- kind: "convex",
2965
- target: "small-oyster-270|bold-cuttlefish-804",
2966
- environmentPolicy: "preprod_staging_prod_prod"
2967
- },
2968
- {
2969
- kind: "vercel",
2970
- target: "stackos-engineering-graph",
2971
- environmentPolicy: "preprod_staging_prod_prod"
2972
- },
2973
- {
2974
- kind: "github_actions",
2975
- target: "stack-vc/stackos-engineering-graph",
2976
- environmentPolicy: "preprod_staging_prod_prod"
2977
- }
2978
- ],
2979
- description: "Stack engineering graph sync secret for Convex-to-HTTP graph query/sync calls."
2980
- }
2981
- ];
2982
- var TENANT_CONVEX_SECRET_DEFINITIONS = INFISICAL_TENANT_SOFTWARE_SYSTEMS.flatMap((system) => [
2983
- {
2984
- id: `tenant.${system.id}.convex.url`,
2985
- canonicalName: system.convex.urlEnv,
2986
- aliases: tenantConvexUrlAliases(system),
2987
- owner: "tenant",
2988
- scope: "software_system",
2989
- sourcePath: system.sharedSourcePath,
2990
- environmentPolicy: "preprod_staging_prod_prod",
2991
- required: true,
2992
- secret: false,
2993
- public: false,
2994
- consumers: [
2995
- "tenant-vercel-app",
2996
- "tenant-agent-runtime",
2997
- "mc-operator-tooling"
2998
- ],
2999
- destinations: [
3000
- {
3001
- kind: "vercel",
3002
- target: system.vercelProjectName,
3003
- environmentPolicy: "preprod_staging_prod_prod",
3004
- writeNames: tenantVercelConvexUrlWriteNames(system)
3005
- },
3006
- {
3007
- kind: "github_actions",
3008
- target: `${system.repository.owner}/${system.repository.name}`,
3009
- environmentPolicy: "preprod_staging_prod_prod",
3010
- writeNames: tenantRepositoryConvexUrlWriteNames(system),
3011
- notes: "Only if that repository deploy/test workflow owns this software system."
3012
- }
3013
- ],
3014
- description: `${system.tenantKey}/${system.workspaceKey} Convex URL. Pre-prod resolves to ${system.convex.preprodDeployment}; prod resolves to ${system.convex.prodDeployment}.`
3015
- },
3016
- {
3017
- id: `tenant.${system.id}.convex.deploy-key`,
3018
- canonicalName: system.convex.deployKeyEnv,
3019
- aliases: tenantConvexDeployKeyAliases(system),
3020
- owner: "tenant",
3021
- scope: "software_system",
3022
- sourcePath: system.sharedSourcePath,
3023
- environmentPolicy: "preprod_staging_prod_prod",
3024
- required: true,
3025
- secret: true,
3026
- public: false,
3027
- consumers: [
3028
- "tenant-vercel-app",
3029
- "tenant-agent-runtime",
3030
- "mc-operator-tooling"
3031
- ],
3032
- destinations: [
3033
- {
3034
- kind: "vercel",
3035
- target: system.vercelProjectName,
3036
- environmentPolicy: "preprod_staging_prod_prod"
3037
- },
3038
- {
3039
- kind: "github_actions",
3040
- target: `${system.repository.owner}/${system.repository.name}`,
3041
- environmentPolicy: "preprod_staging_prod_prod",
3042
- writeNames: tenantRepositoryConvexDeployKeyWriteNames(system),
3043
- notes: "Only if that repository deploy/test workflow owns this software system."
3044
- }
3045
- ],
3046
- description: `${system.tenantKey}/${system.workspaceKey} Convex deploy/admin key. Never route to sibling workspaces.`
3047
- }
3048
- ]);
3049
- var INFISICAL_SECRET_DEFINITIONS = [
3050
- ...PLATFORM_SECRET_DEFINITIONS,
3051
- ...PLATFORM_AI_SECRET_DEFINITIONS,
3052
- ...PLATFORM_LANGFUSE_SECRET_DEFINITIONS,
3053
- ...PLATFORM_GRAPH_STORE_SECRET_DEFINITIONS,
3054
- ...PLATFORM_VECTOR_STORE_SECRET_DEFINITIONS,
3055
- ...PLATFORM_SENTRY_SECRET_DEFINITIONS,
3056
- ...PLATFORM_DEPLOY_AUTOMATION_SECRET_DEFINITIONS,
3057
- ...PLATFORM_LOCAL_OPERATOR_CONFIG_SECRET_DEFINITIONS,
3058
- ...TENANT_SHARED_SECRET_DEFINITIONS,
3059
- ...TENANT_INSTALL_SECRET_DEFINITIONS,
3060
- ...TENANT_PRODUCT_RUNTIME_SECRET_DEFINITIONS,
3061
- ...TENANT_GRAPH_PUBLIC_CONFIG_SECRET_DEFINITIONS,
3062
- ...STACK_ENG_GRAPH_STORE_SECRET_DEFINITIONS,
3063
- ...TENANT_CONVEX_SECRET_DEFINITIONS
3064
- ];
3065
-
3066
- // src/manifests/infisical-runtime-manifest.ts
3067
- var INFISICAL_RUNTIME_MANIFEST = {
3068
- manifestVersion: "1.0.0",
3069
- contractVersion: INFISICAL_RUNTIME_CONTRACT_VERSION,
3070
- project: {
3071
- id: INFISICAL_RUNTIME_DEFAULT_PROJECT_ID,
3072
- apiUrl: INFISICAL_RUNTIME_DEFAULT_API_URL
3073
- },
3074
- environments: INFISICAL_RUNTIME_ENVIRONMENTS,
3075
- deliveryModes: INFISICAL_RUNTIME_DELIVERY_MODES,
3076
- bootstrapEnv: INFISICAL_RUNTIME_BOOTSTRAP_ENV,
3077
- controlEnv: INFISICAL_RUNTIME_CONTROL_ENV,
3078
- paths: INFISICAL_RUNTIME_PATHS,
3079
- surfaces: INFISICAL_RUNTIME_SURFACES,
3080
- secretDefinitions: INFISICAL_SECRET_DEFINITIONS,
3081
- vercelDestinationEnvironments: INFISICAL_VERCEL_DESTINATION_ENVIRONMENTS,
3082
- convexTierByVercelEnvironment: INFISICAL_CONVEX_TIER_BY_VERCEL_ENVIRONMENT,
3083
- vercelSyncReconciliation: INFISICAL_VERCEL_SYNC_RECONCILIATION,
3084
- vercelSyncDestinations: INFISICAL_VERCEL_SYNC_DESTINATIONS,
3085
- tenantSoftwareSystems: INFISICAL_TENANT_SOFTWARE_SYSTEMS
3086
- };
3087
-
3088
- export { INFISICAL_RUNTIME_MANIFEST };
3089
- //# sourceMappingURL=infisical-runtime-manifest.js.map
3090
- //# sourceMappingURL=infisical-runtime-manifest.js.map