@lucern/contracts 0.3.0-alpha.17 → 0.3.0-alpha.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (316) hide show
  1. package/CHANGELOG.md +0 -10
  2. package/dist/api-enums.contract.d.ts +3 -5
  3. package/dist/api-enums.contract.js +12 -14
  4. package/dist/api-enums.contract.js.map +1 -1
  5. package/dist/auth-context.contract.js +2 -14
  6. package/dist/auth-context.contract.js.map +1 -1
  7. package/dist/auth-session.contract.js +2 -14
  8. package/dist/auth-session.contract.js.map +1 -1
  9. package/dist/auth.contract.d.ts +1 -1
  10. package/dist/auth.contract.js +2 -14
  11. package/dist/auth.contract.js.map +1 -1
  12. package/dist/component-boundary.contract.d.ts +1 -1
  13. package/dist/component-boundary.contract.js +26 -46
  14. package/dist/component-boundary.contract.js.map +1 -1
  15. package/dist/context-pack.contract.d.ts +3 -5
  16. package/dist/context-pack.contract.js.map +1 -1
  17. package/dist/{defineTable-t1wr5wgn.d.ts → defineTable-CBQ03FXl.d.ts} +1 -1
  18. package/dist/{dsl-DVPthQGY.d.ts → dsl-BgpoVOVQ.d.ts} +2 -2
  19. package/dist/dsl.d.ts +2 -2
  20. package/dist/dsl.js +4 -1
  21. package/dist/dsl.js.map +1 -1
  22. package/dist/function-registry/beliefs.d.ts +51 -64
  23. package/dist/function-registry/beliefs.js +57 -817
  24. package/dist/function-registry/beliefs.js.map +1 -1
  25. package/dist/function-registry/coding.d.ts +6 -15
  26. package/dist/function-registry/coding.js +43 -866
  27. package/dist/function-registry/coding.js.map +1 -1
  28. package/dist/function-registry/context.d.ts +16 -22
  29. package/dist/function-registry/context.js +46 -805
  30. package/dist/function-registry/context.js.map +1 -1
  31. package/dist/function-registry/contracts.d.ts +3 -9
  32. package/dist/function-registry/contracts.js +39 -770
  33. package/dist/function-registry/contracts.js.map +1 -1
  34. package/dist/function-registry/coordination.d.ts +9 -21
  35. package/dist/function-registry/coordination.js +39 -770
  36. package/dist/function-registry/coordination.js.map +1 -1
  37. package/dist/function-registry/edges.d.ts +2 -167
  38. package/dist/function-registry/edges.js +71 -978
  39. package/dist/function-registry/edges.js.map +1 -1
  40. package/dist/function-registry/evidence.d.ts +41 -52
  41. package/dist/function-registry/evidence.js +62 -826
  42. package/dist/function-registry/evidence.js.map +1 -1
  43. package/dist/function-registry/graph.d.ts +66 -162
  44. package/dist/function-registry/graph.js +46 -886
  45. package/dist/function-registry/graph.js.map +1 -1
  46. package/dist/function-registry/helpers.d.ts +4 -7
  47. package/dist/function-registry/helpers.js +40 -771
  48. package/dist/function-registry/helpers.js.map +1 -1
  49. package/dist/function-registry/identity.d.ts +16 -62
  50. package/dist/function-registry/identity.js +45 -793
  51. package/dist/function-registry/identity.js.map +1 -1
  52. package/dist/function-registry/index.d.ts +3 -5
  53. package/dist/function-registry/index.js +43 -777
  54. package/dist/function-registry/index.js.map +1 -1
  55. package/dist/function-registry/judgments.d.ts +11 -16
  56. package/dist/function-registry/judgments.js +42 -782
  57. package/dist/function-registry/judgments.js.map +1 -1
  58. package/dist/function-registry/legacy.d.ts +1 -5
  59. package/dist/function-registry/legacy.js +39 -770
  60. package/dist/function-registry/legacy.js.map +1 -1
  61. package/dist/function-registry/lenses.d.ts +21 -28
  62. package/dist/function-registry/lenses.js +42 -793
  63. package/dist/function-registry/lenses.js.map +1 -1
  64. package/dist/function-registry/manifest.d.ts +6 -6
  65. package/dist/function-registry/manifest.js +2 -19
  66. package/dist/function-registry/manifest.js.map +1 -1
  67. package/dist/function-registry/ontologies.d.ts +56 -70
  68. package/dist/function-registry/ontologies.js +45 -788
  69. package/dist/function-registry/ontologies.js.map +1 -1
  70. package/dist/function-registry/pipeline.d.ts +16 -22
  71. package/dist/function-registry/pipeline.js +42 -779
  72. package/dist/function-registry/pipeline.js.map +1 -1
  73. package/dist/function-registry/questions.d.ts +61 -76
  74. package/dist/function-registry/questions.js +52 -869
  75. package/dist/function-registry/questions.js.map +1 -1
  76. package/dist/function-registry/tasks.d.ts +21 -28
  77. package/dist/function-registry/tasks.js +48 -845
  78. package/dist/function-registry/tasks.js.map +1 -1
  79. package/dist/function-registry/topics.d.ts +26 -114
  80. package/dist/function-registry/topics.js +43 -852
  81. package/dist/function-registry/topics.js.map +1 -1
  82. package/dist/function-registry/types.d.ts +3 -7
  83. package/dist/function-registry/worktrees.d.ts +51 -104
  84. package/dist/function-registry/worktrees.js +51 -925
  85. package/dist/function-registry/worktrees.js.map +1 -1
  86. package/dist/gateway.contract.d.ts +0 -5
  87. package/dist/gateway.contract.js.map +1 -1
  88. package/dist/generated/convexSchemas.d.ts +3 -3
  89. package/dist/generated/convexSchemas.js +18 -38
  90. package/dist/generated/convexSchemas.js.map +1 -1
  91. package/dist/generated/schema-manifest.json +114 -1221
  92. package/dist/generated/tableOwnership.d.ts +28 -48
  93. package/dist/generated/tableOwnership.js +26 -66
  94. package/dist/generated/tableOwnership.js.map +1 -1
  95. package/dist/generated/tier-expectations.json +9 -64
  96. package/dist/graph-types/index.d.ts +1 -5
  97. package/dist/graph-types/index.js +4 -15
  98. package/dist/graph-types/index.js.map +1 -1
  99. package/dist/index-CV-0_VWJ.d.ts +25 -0
  100. package/dist/index.d.ts +669 -28
  101. package/dist/index.js +400 -34707
  102. package/dist/index.js.map +1 -1
  103. package/dist/lens-filter.contract.js +3 -4
  104. package/dist/lens-filter.contract.js.map +1 -1
  105. package/dist/lens-workflow.contract.js +3 -4
  106. package/dist/lens-workflow.contract.js.map +1 -1
  107. package/dist/mcp-gateway-boundary.contract.d.ts +3 -23
  108. package/dist/mcp-gateway-boundary.contract.js +0 -2
  109. package/dist/mcp-gateway-boundary.contract.js.map +1 -1
  110. package/dist/schema-helpers/enumValidation.js +5 -2
  111. package/dist/schema-helpers/enumValidation.js.map +1 -1
  112. package/dist/schema-helpers/spine/nodes/decision.js +1 -2
  113. package/dist/schema-helpers/spine/nodes/decision.js.map +1 -1
  114. package/dist/schema-helpers/spine/tables/epistemicNodes.js +27 -27
  115. package/dist/schema-helpers/spine/tables/epistemicNodes.js.map +1 -1
  116. package/dist/schemas/component-table-manifest.d.ts +6 -6
  117. package/dist/schemas/component-table-manifest.js +2 -2
  118. package/dist/schemas/component-table-manifest.js.map +1 -1
  119. package/dist/schemas/enums.d.ts +2 -5
  120. package/dist/schemas/enums.js +2 -5
  121. package/dist/schemas/enums.js.map +1 -1
  122. package/dist/schemas/index.d.ts +3 -3
  123. package/dist/schemas/index.js +139 -1130
  124. package/dist/schemas/index.js.map +1 -1
  125. package/dist/schemas/manifest.d.ts +948 -2948
  126. package/dist/schemas/manifest.js +137 -1128
  127. package/dist/schemas/manifest.js.map +1 -1
  128. package/dist/schemas/sl-opinion.d.ts +4 -4
  129. package/dist/schemas/tables/{controlPlane → identity}/agent.d.ts +1 -1
  130. package/dist/schemas/tables/{controlPlane → identity}/agent.js +3 -3
  131. package/dist/schemas/tables/identity/agent.js.map +1 -0
  132. package/dist/schemas/tables/{controlPlane → identity}/epistemic.d.ts +1 -1
  133. package/dist/schemas/tables/{controlPlane → identity}/epistemic.js +3 -3
  134. package/dist/schemas/tables/identity/epistemic.js.map +1 -0
  135. package/dist/schemas/tables/{controlPlane → identity}/model.d.ts +1 -1
  136. package/dist/schemas/tables/{controlPlane → identity}/model.js +6 -6
  137. package/dist/schemas/tables/identity/model.js.map +1 -0
  138. package/dist/schemas/tables/{controlPlane → identity}/platform.d.ts +11 -11
  139. package/dist/schemas/tables/{controlPlane → identity}/platform.js +18 -18
  140. package/dist/schemas/tables/identity/platform.js.map +1 -0
  141. package/dist/schemas/tables/{controlPlane → identity}/project.d.ts +1 -1
  142. package/dist/schemas/tables/{controlPlane → identity}/project.js +3 -3
  143. package/dist/schemas/tables/identity/project.js.map +1 -0
  144. package/dist/schemas/tables/{controlPlane → identity}/user.d.ts +1 -1
  145. package/dist/schemas/tables/{controlPlane → identity}/user.js +3 -3
  146. package/dist/schemas/tables/identity/user.js.map +1 -0
  147. package/dist/schemas/tables/kernel/config.d.ts +1 -1
  148. package/dist/schemas/tables/kernel/config.js.map +1 -1
  149. package/dist/schemas/tables/kernel/coordination.d.ts +1 -1
  150. package/dist/schemas/tables/kernel/coordination.js.map +1 -1
  151. package/dist/schemas/tables/kernel/decision.d.ts +1 -1
  152. package/dist/schemas/tables/kernel/decision.js.map +1 -1
  153. package/dist/schemas/tables/kernel/embedding.d.ts +1 -1
  154. package/dist/schemas/tables/kernel/embedding.js.map +1 -1
  155. package/dist/schemas/tables/kernel/epistemic.d.ts +7 -7
  156. package/dist/schemas/tables/kernel/epistemic.js.map +1 -1
  157. package/dist/schemas/tables/kernel/idempotency.d.ts +1 -1
  158. package/dist/schemas/tables/kernel/idempotency.js.map +1 -1
  159. package/dist/schemas/tables/kernel/infra.d.ts +5 -5
  160. package/dist/schemas/tables/kernel/infra.js.map +1 -1
  161. package/dist/schemas/tables/kernel/intelligence.d.ts +11 -11
  162. package/dist/schemas/tables/kernel/intelligence.js.map +1 -1
  163. package/dist/schemas/tables/kernel/lens.d.ts +5 -5
  164. package/dist/schemas/tables/kernel/lens.js.map +1 -1
  165. package/dist/schemas/tables/kernel/ontology.d.ts +1 -1
  166. package/dist/schemas/tables/kernel/ontology.js.map +1 -1
  167. package/dist/schemas/tables/kernel/platform.d.ts +13 -13
  168. package/dist/schemas/tables/kernel/platform.js.map +1 -1
  169. package/dist/schemas/tables/kernel/spine.d.ts +4 -5
  170. package/dist/schemas/tables/kernel/spine.js +2 -6
  171. package/dist/schemas/tables/kernel/spine.js.map +1 -1
  172. package/dist/schemas/tables/kernel/task.d.ts +43 -43
  173. package/dist/schemas/tables/kernel/task.js.map +1 -1
  174. package/dist/schemas/tables/kernel/topic.d.ts +1 -1
  175. package/dist/schemas/tables/kernel/topic.js +1 -5
  176. package/dist/schemas/tables/kernel/topic.js.map +1 -1
  177. package/dist/schemas/tables/kernel/workflow.d.ts +1 -1
  178. package/dist/schemas/tables/kernel/workflow.js.map +1 -1
  179. package/dist/schemas/tables/kernel/worktree.d.ts +55 -55
  180. package/dist/schemas/tables/kernel/worktree.js.map +1 -1
  181. package/dist/schemas/tables/mc/identity.d.ts +4 -21
  182. package/dist/schemas/tables/mc/identity.js +1 -32
  183. package/dist/schemas/tables/mc/identity.js.map +1 -1
  184. package/dist/schemas/tables/mc/methodology.d.ts +1 -1
  185. package/dist/schemas/tables/mc/methodology.js.map +1 -1
  186. package/dist/schemas/tables/mc/pack.d.ts +21 -21
  187. package/dist/schemas/tables/mc/pack.js.map +1 -1
  188. package/dist/schemas/tables/mc/policy.d.ts +2 -2
  189. package/dist/schemas/tables/mc/policy.js +1 -1
  190. package/dist/schemas/tables/mc/policy.js.map +1 -1
  191. package/dist/schemas/tables/mc/registry.d.ts +5 -5
  192. package/dist/schemas/tables/mc/registry.js.map +1 -1
  193. package/dist/schemas/tables/mc/runtime.d.ts +3 -109
  194. package/dist/schemas/tables/mc/runtime.js +104 -330
  195. package/dist/schemas/tables/mc/runtime.js.map +1 -1
  196. package/dist/schemas/tables/mc/tenant.d.ts +2 -4
  197. package/dist/schemas/tables/mc/tenant.js +1 -3
  198. package/dist/schemas/tables/mc/tenant.js.map +1 -1
  199. package/dist/schemas/tables/mc/workspace.d.ts +5 -28
  200. package/dist/schemas/tables/mc/workspace.js +2 -36
  201. package/dist/schemas/tables/mc/workspace.js.map +1 -1
  202. package/dist/sdk-methods.contract.d.ts +2 -2
  203. package/dist/{sdk-tools.contract-CKmSsrZ2.d.ts → sdk-tools.contract-S4ia0TTo.d.ts} +2 -2
  204. package/dist/sdk-tools.contract.d.ts +2 -2
  205. package/dist/sdk-tools.contract.js +27 -719
  206. package/dist/sdk-tools.contract.js.map +1 -1
  207. package/dist/tenant-client.contract.d.ts +14 -102
  208. package/dist/tenant-client.contract.js +12 -113
  209. package/dist/tenant-client.contract.js.map +1 -1
  210. package/dist/{tool-contracts-C_xvM9q2.d.ts → tool-contracts-C92-9ueT.d.ts} +2 -38
  211. package/dist/tool-contracts.d.ts +1 -1
  212. package/dist/tool-contracts.js +28 -720
  213. package/dist/tool-contracts.js.map +1 -1
  214. package/package.json +1 -30
  215. package/dist/component-host-boundary.contract.d.ts +0 -46
  216. package/dist/component-host-boundary.contract.js +0 -60
  217. package/dist/component-host-boundary.contract.js.map +0 -1
  218. package/dist/edge-policy-manifest-Dw5IhT1L.d.ts +0 -133
  219. package/dist/function-registry/nodes.d.ts +0 -412
  220. package/dist/function-registry/nodes.js +0 -5354
  221. package/dist/function-registry/nodes.js.map +0 -1
  222. package/dist/function-registry-input-audit.d.ts +0 -13
  223. package/dist/function-registry-input-audit.js +0 -166
  224. package/dist/function-registry-input-audit.js.map +0 -1
  225. package/dist/generated/infisicalRuntimeEnv.d.ts +0 -70
  226. package/dist/generated/infisicalRuntimeEnv.js +0 -27345
  227. package/dist/generated/infisicalRuntimeEnv.js.map +0 -1
  228. package/dist/generated/lucernGatewayEnv.d.ts +0 -17
  229. package/dist/generated/lucernGatewayEnv.js +0 -38
  230. package/dist/generated/lucernGatewayEnv.js.map +0 -1
  231. package/dist/generated/lucernWebPublicEnv.d.ts +0 -26
  232. package/dist/generated/lucernWebPublicEnv.js +0 -32
  233. package/dist/generated/lucernWebPublicEnv.js.map +0 -1
  234. package/dist/generated/lucernWebServerEnv.d.ts +0 -33
  235. package/dist/generated/lucernWebServerEnv.js +0 -51
  236. package/dist/generated/lucernWebServerEnv.js.map +0 -1
  237. package/dist/graph-intelligence.contract.d.ts +0 -506
  238. package/dist/graph-intelligence.contract.js +0 -595
  239. package/dist/graph-intelligence.contract.js.map +0 -1
  240. package/dist/index-CM1Pl_vI.d.ts +0 -28
  241. package/dist/infisical-runtime.contract.d.ts +0 -1889
  242. package/dist/infisical-runtime.contract.js +0 -3235
  243. package/dist/infisical-runtime.contract.js.map +0 -1
  244. package/dist/manifests/edge-policy-manifest.d.ts +0 -2
  245. package/dist/manifests/edge-policy-manifest.data.d.ts +0 -13
  246. package/dist/manifests/edge-policy-manifest.data.js +0 -26
  247. package/dist/manifests/edge-policy-manifest.data.js.map +0 -1
  248. package/dist/manifests/edge-policy-manifest.js +0 -92
  249. package/dist/manifests/edge-policy-manifest.js.map +0 -1
  250. package/dist/manifests/infisical-runtime-manifest.d.ts +0 -1792
  251. package/dist/manifests/infisical-runtime-manifest.js +0 -3090
  252. package/dist/manifests/infisical-runtime-manifest.js.map +0 -1
  253. package/dist/manifests/invariant-manifest.d.ts +0 -65
  254. package/dist/manifests/invariant-manifest.js +0 -18
  255. package/dist/manifests/invariant-manifest.js.map +0 -1
  256. package/dist/manifests/invariants/ast-utils.d.ts +0 -14
  257. package/dist/manifests/invariants/ast-utils.js +0 -54
  258. package/dist/manifests/invariants/ast-utils.js.map +0 -1
  259. package/dist/manifests/invariants/index.d.ts +0 -15
  260. package/dist/manifests/invariants/index.js +0 -183
  261. package/dist/manifests/invariants/index.js.map +0 -1
  262. package/dist/manifests/invariants/inv-1-beliefs-append-only.d.ts +0 -12
  263. package/dist/manifests/invariants/inv-1-beliefs-append-only.js +0 -94
  264. package/dist/manifests/invariants/inv-1-beliefs-append-only.js.map +0 -1
  265. package/dist/manifests/invariants/inv-14-no-silent-transitions.d.ts +0 -12
  266. package/dist/manifests/invariants/inv-14-no-silent-transitions.js +0 -99
  267. package/dist/manifests/invariants/inv-14-no-silent-transitions.js.map +0 -1
  268. package/dist/manifests/invariants/manifest-1-projections-declare-audit.d.ts +0 -12
  269. package/dist/manifests/invariants/manifest-1-projections-declare-audit.js +0 -42
  270. package/dist/manifests/invariants/manifest-1-projections-declare-audit.js.map +0 -1
  271. package/dist/manifests/tenant-client-manifest.d.ts +0 -327
  272. package/dist/manifests/tenant-client-manifest.js +0 -449
  273. package/dist/manifests/tenant-client-manifest.js.map +0 -1
  274. package/dist/permit-principal-projection.contract.d.ts +0 -74
  275. package/dist/permit-principal-projection.contract.js +0 -167
  276. package/dist/permit-principal-projection.contract.js.map +0 -1
  277. package/dist/projections/check-convex-args-shape.d.ts +0 -3
  278. package/dist/projections/check-convex-args-shape.js +0 -403
  279. package/dist/projections/check-convex-args-shape.js.map +0 -1
  280. package/dist/projections/create-evidence.projection.d.ts +0 -176
  281. package/dist/projections/create-evidence.projection.js +0 -130
  282. package/dist/projections/create-evidence.projection.js.map +0 -1
  283. package/dist/projections/index.d.ts +0 -102
  284. package/dist/projections/index.js +0 -352
  285. package/dist/projections/index.js.map +0 -1
  286. package/dist/projections/list-beliefs.projection.d.ts +0 -36
  287. package/dist/projections/list-beliefs.projection.js +0 -54
  288. package/dist/projections/list-beliefs.projection.js.map +0 -1
  289. package/dist/projections/list-tasks.projection.d.ts +0 -44
  290. package/dist/projections/list-tasks.projection.js +0 -57
  291. package/dist/projections/list-tasks.projection.js.map +0 -1
  292. package/dist/projections/modulate-confidence.projection.d.ts +0 -219
  293. package/dist/projections/modulate-confidence.projection.js +0 -148
  294. package/dist/projections/modulate-confidence.projection.js.map +0 -1
  295. package/dist/projections/projection-dsl.d.ts +0 -11
  296. package/dist/projections/projection-dsl.js +0 -8
  297. package/dist/projections/projection-dsl.js.map +0 -1
  298. package/dist/proof-attestation.json +0 -45
  299. package/dist/schemas/tables/controlPlane/accessControl.d.ts +0 -260
  300. package/dist/schemas/tables/controlPlane/accessControl.js +0 -658
  301. package/dist/schemas/tables/controlPlane/accessControl.js.map +0 -1
  302. package/dist/schemas/tables/controlPlane/agent.js.map +0 -1
  303. package/dist/schemas/tables/controlPlane/epistemic.js.map +0 -1
  304. package/dist/schemas/tables/controlPlane/model.js.map +0 -1
  305. package/dist/schemas/tables/controlPlane/platform.js.map +0 -1
  306. package/dist/schemas/tables/controlPlane/project.js.map +0 -1
  307. package/dist/schemas/tables/controlPlane/user.js.map +0 -1
  308. package/dist/schemas/tables/kernel/events.d.ts +0 -21
  309. package/dist/schemas/tables/kernel/events.js +0 -43
  310. package/dist/schemas/tables/kernel/events.js.map +0 -1
  311. package/dist/tenant-bootstrap-seed.contract.d.ts +0 -1289
  312. package/dist/tenant-bootstrap-seed.contract.js +0 -764
  313. package/dist/tenant-bootstrap-seed.contract.js.map +0 -1
  314. package/dist/tenant-bootstrap-seed.defaults.d.ts +0 -16
  315. package/dist/tenant-bootstrap-seed.defaults.js +0 -321
  316. package/dist/tenant-bootstrap-seed.defaults.js.map +0 -1
@@ -9,11 +9,11 @@
9
9
  declare const TENANT_CLIENT_CONTRACT_VERSION: "2026-04-27";
10
10
  declare const TENANT_CLIENT_AUTH_MODES: readonly ["interactive_user", "service_principal", "tenant_api_key", "session_token"];
11
11
  type TenantClientAuthMode = (typeof TENANT_CLIENT_AUTH_MODES)[number];
12
- declare const TENANT_CLIENT_PRINCIPAL_TYPES: readonly ["human", "service", "agent", "group", "external_viewer"];
12
+ declare const TENANT_CLIENT_PRINCIPAL_TYPES: readonly ["human", "service", "agent"];
13
13
  type TenantClientPrincipalType = (typeof TENANT_CLIENT_PRINCIPAL_TYPES)[number];
14
14
  declare const TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS: readonly ["tenantId", "workspaceId", "principalId", "authMode", "scopes"];
15
15
  type TenantClientRequiredContextField = (typeof TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS)[number];
16
- declare const TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS: readonly ["clerkId", "principalType", "roles", "groupIds", "permittedToolNames", "permittedPackKeys", "principalStatus", "tenantStatus", "workspaceStatus", "permit", "sessionId", "delegationChain"];
16
+ declare const TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS: readonly ["principalType", "roles", "sessionId", "delegationChain"];
17
17
  type TenantClientOptionalContextField = (typeof TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS)[number];
18
18
  declare const TENANT_CLIENT_INSTALL_TOKEN_ENV: "INSTALL_LUCERN_NPM";
19
19
  declare const TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH: "tenants/shared";
@@ -23,8 +23,8 @@ type TenantClientForbiddenInstallTokenInfisicalPath = (typeof TENANT_CLIENT_FORB
23
23
  type TenantClientForbiddenSecretEnv = (typeof TENANT_CLIENT_FORBIDDEN_SECRET_ENV)[number];
24
24
  declare const TENANT_CLIENT_INSTALLABLE_PACKAGES: readonly [{
25
25
  readonly packageName: "@lucern/access-control";
26
- readonly role: "runtime_entrypoint";
27
- readonly directTenantImport: true;
26
+ readonly role: "sdk_dependency";
27
+ readonly directTenantImport: false;
28
28
  }, {
29
29
  readonly packageName: "@lucern/agent";
30
30
  readonly role: "platform_runtime";
@@ -55,7 +55,7 @@ declare const TENANT_CLIENT_INSTALLABLE_PACKAGES: readonly [{
55
55
  readonly directTenantImport: true;
56
56
  }, {
57
57
  readonly packageName: "@lucern/control-plane";
58
- readonly role: "component_runtime";
58
+ readonly role: "platform_runtime";
59
59
  readonly directTenantImport: false;
60
60
  }, {
61
61
  readonly packageName: "@lucern/developer-kit";
@@ -70,9 +70,9 @@ declare const TENANT_CLIENT_INSTALLABLE_PACKAGES: readonly [{
70
70
  readonly role: "sdk_dependency";
71
71
  readonly directTenantImport: false;
72
72
  }, {
73
- readonly packageName: "@lucern/graph-sync";
74
- readonly role: "host_addon_runtime";
75
- readonly directTenantImport: true;
73
+ readonly packageName: "@lucern/identity";
74
+ readonly role: "component_runtime";
75
+ readonly directTenantImport: false;
76
76
  }, {
77
77
  readonly packageName: "@lucern/mcp";
78
78
  readonly role: "runtime_entrypoint";
@@ -101,10 +101,6 @@ declare const TENANT_CLIENT_INSTALLABLE_PACKAGES: readonly [{
101
101
  readonly packageName: "@lucern/sdk";
102
102
  readonly role: "runtime_entrypoint";
103
103
  readonly directTenantImport: true;
104
- }, {
105
- readonly packageName: "@lucern/secrets";
106
- readonly role: "sdk_dependency";
107
- readonly directTenantImport: false;
108
104
  }, {
109
105
  readonly packageName: "@lucern/server-core";
110
106
  readonly role: "platform_runtime";
@@ -121,65 +117,6 @@ declare const TENANT_CLIENT_INSTALLABLE_PACKAGES: readonly [{
121
117
  type TenantClientInstallablePackage = (typeof TENANT_CLIENT_INSTALLABLE_PACKAGES)[number];
122
118
  type TenantClientPackageRole = TenantClientInstallablePackage["role"];
123
119
  type TenantClientInstallablePackageName = TenantClientInstallablePackage["packageName"];
124
- /**
125
- * Direct package installs are package.json entries owned by the tenant repo.
126
- * Direct imports are source-code imports that tenant application code may use.
127
- *
128
- * These concepts intentionally differ: `@lucern/cli` is a direct install when a
129
- * tenant repo needs the `lucern` binary, but it is not a direct application
130
- * import. `@lucern/reasoning-kernel` and `@lucern/control-plane` are direct installs
131
- * for Convex component binding, while tenant app code should only import their
132
- * explicit component config subpaths.
133
- */
134
- type TenantClientInstallProfile = {
135
- id: string;
136
- description: string;
137
- packageNames: readonly TenantClientInstallablePackageName[];
138
- dependencyField: "dependencies" | "devDependencies" | "mixed";
139
- };
140
- declare const TENANT_CLIENT_FULL_SUITE_PACKAGE_NAMES: readonly TenantClientInstallablePackageName[];
141
- declare const TENANT_CLIENT_INSTALL_PROFILES: readonly [{
142
- readonly id: "core_app_runtime";
143
- readonly description: "Smallest tenant app/runtime install for typed Lucern API calls plus tool-access policy helpers.";
144
- readonly packageNames: readonly ["@lucern/sdk", "@lucern/access-control"];
145
- readonly dependencyField: "dependencies";
146
- }, {
147
- readonly id: "react_app_runtime";
148
- readonly description: "React tenant app install for hooks, provider, curated graph components, and direct SDK calls.";
149
- readonly packageNames: readonly ["@lucern/react", "@lucern/sdk", "@lucern/access-control"];
150
- readonly dependencyField: "dependencies";
151
- }, {
152
- readonly id: "convex_components";
153
- readonly description: "Tenant Convex host install for binding the Lucern control-plane and reasoning-kernel components.";
154
- readonly packageNames: readonly ["@lucern/control-plane", "@lucern/reasoning-kernel"];
155
- readonly dependencyField: "dependencies";
156
- }, {
157
- readonly id: "graph_mirroring_addon";
158
- readonly description: "Optional tenant Convex host install for Neo4j graph projection, edge topology writes, backfill, health checks, and query proxy helpers.";
159
- readonly packageNames: readonly ["@lucern/graph-sync"];
160
- readonly dependencyField: "dependencies";
161
- }, {
162
- readonly id: "operator_cli";
163
- readonly description: "Developer/operator install for the `lucern` binary, including tenant bootstrap seed commands.";
164
- readonly packageNames: readonly ["@lucern/cli"];
165
- readonly dependencyField: "devDependencies";
166
- }, {
167
- readonly id: "mcp_runtime";
168
- readonly description: "Agent runtime install for the standalone Lucern MCP server and hosted route helpers.";
169
- readonly packageNames: readonly ["@lucern/mcp"];
170
- readonly dependencyField: "dependencies";
171
- }, {
172
- readonly id: "contracts_and_types";
173
- readonly description: "Compile-time contract/type install for codegen, audits, and tenant integration validation.";
174
- readonly packageNames: readonly ["@lucern/contracts", "@lucern/types"];
175
- readonly dependencyField: "dependencies";
176
- }, {
177
- readonly id: "full_suite";
178
- readonly description: "Full coherent Lucern package suite for design-partner repos that want every published runtime, tool, component, test, and config package pinned together.";
179
- readonly packageNames: readonly ("@lucern/access-control" | "@lucern/agent" | "@lucern/auth" | "@lucern/cli" | "@lucern/client-core" | "@lucern/confidence" | "@lucern/config" | "@lucern/contracts" | "@lucern/control-plane" | "@lucern/developer-kit" | "@lucern/events" | "@lucern/graph-primitives" | "@lucern/graph-sync" | "@lucern/mcp" | "@lucern/pack-host" | "@lucern/pack-installer" | "@lucern/proof-compiler" | "@lucern/react" | "@lucern/reasoning-kernel" | "@lucern/sdk" | "@lucern/secrets" | "@lucern/server-core" | "@lucern/testing" | "@lucern/types")[];
180
- readonly dependencyField: "mixed";
181
- }];
182
- type TenantClientInstallProfileId = (typeof TENANT_CLIENT_INSTALL_PROFILES)[number]["id"];
183
120
  /**
184
121
  * Direct imports tenant-owned product code may use. This is intentionally
185
122
  * smaller than TENANT_CLIENT_INSTALLABLE_PACKAGES: several publishable packages
@@ -201,21 +138,11 @@ declare const TENANT_CLIENT_PUBLIC_IMPORTS: readonly [{
201
138
  readonly surface: "runtime";
202
139
  readonly subpaths: "published_exports";
203
140
  readonly description: "MCP client/server entry points and hosted route helpers.";
204
- }, {
205
- readonly packageName: "@lucern/graph-sync";
206
- readonly surface: "runtime";
207
- readonly subpaths: "published_exports";
208
- readonly description: "Optional Neo4j graph mirroring host actions, edge API, query proxy, backfill, and health helpers.";
209
141
  }, {
210
142
  readonly packageName: "@lucern/contracts";
211
143
  readonly surface: "contract";
212
144
  readonly subpaths: "published_exports";
213
145
  readonly description: "Published type and manifest contracts.";
214
- }, {
215
- readonly packageName: "@lucern/access-control";
216
- readonly surface: "runtime";
217
- readonly subpaths: "published_exports";
218
- readonly description: "Tenant runtime access-control helpers, including effective tool access.";
219
146
  }, {
220
147
  readonly packageName: "@lucern/types";
221
148
  readonly surface: "contract";
@@ -226,10 +153,10 @@ type TenantClientPublicImport = (typeof TENANT_CLIENT_PUBLIC_IMPORTS)[number];
226
153
  type TenantClientPublicPackage = TenantClientPublicImport["packageName"];
227
154
  type TenantClientPublicSurface = TenantClientPublicImport["surface"];
228
155
  declare const TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS: readonly [{
229
- readonly packageName: "@lucern/control-plane";
230
- readonly importPath: "@lucern/control-plane/convex.config";
156
+ readonly packageName: "@lucern/identity";
157
+ readonly importPath: "@lucern/identity/convex.config";
231
158
  readonly surface: "component_config";
232
- readonly description: "Convex component binding config for tenant deployments that install the Lucern control plane.";
159
+ readonly description: "Convex component binding config for tenant deployments that install Lucern identity.";
233
160
  }, {
234
161
  readonly packageName: "@lucern/reasoning-kernel";
235
162
  readonly importPath: "@lucern/reasoning-kernel/convex.config";
@@ -245,14 +172,9 @@ type TenantClientComponentConfigImport = (typeof TENANT_CLIENT_COMPONENT_CONFIG_
245
172
  type TenantClientAllowedImport = TenantClientPublicImport | TenantClientComponentConfigImport;
246
173
  declare function findTenantClientInstallablePackage(packageName: string): TenantClientInstallablePackage | undefined;
247
174
  declare function isTenantClientInstallablePackage(packageName: string): boolean;
248
- declare const TENANT_CLIENT_REQUIRED_SDK_NAMESPACES: readonly ["bootstrap", "context", "beliefs", "evidence", "questions", "graph", "worktrees", "topics", "edges", "contradictions", "contracts", "graphIntel", "graphIntelligence", "graphAnalysis", "graphRecommendations", "orgGraphSearch", "embeddings", "ontologyLinks", "graphStateClassifier", "tools", "controlPlane", "identity", "modelRuntime", "events", "jobs", "telemetry"];
175
+ declare const TENANT_CLIENT_REQUIRED_SDK_NAMESPACES: readonly ["bootstrap", "context", "beliefs", "evidence", "questions", "graph", "worktrees", "topics", "edges", "contradictions", "contracts", "graphAnalysis", "graphRecommendations", "orgGraphSearch", "embeddings", "ontologyLinks", "graphStateClassifier", "tools", "identity", "modelRuntime", "events", "jobs", "telemetry"];
249
176
  type TenantClientRequiredSdkNamespace = (typeof TENANT_CLIENT_REQUIRED_SDK_NAMESPACES)[number];
250
177
  declare const TENANT_CLIENT_CAPABILITIES: readonly [{
251
- readonly id: "identity.resolve_interactive_principal";
252
- readonly description: "Resolve a Clerk-authenticated user into a Permit-backed Lucern principal context.";
253
- readonly surfaces: readonly ["@lucern/sdk", "@lucern/cli", "@lucern/mcp"];
254
- readonly requiredContextFields: readonly ["principalId", "tenantId", "scopes"];
255
- }, {
256
178
  readonly id: "identity.bootstrap_session";
257
179
  readonly description: "Start a scoped Lucern session for a tenant principal.";
258
180
  readonly surfaces: readonly ["@lucern/sdk", "@lucern/mcp"];
@@ -264,7 +186,7 @@ declare const TENANT_CLIENT_CAPABILITIES: readonly [{
264
186
  readonly requiredContextFields: readonly ["tenantId", "workspaceId", "principalId", "authMode", "scopes"];
265
187
  }, {
266
188
  readonly id: "reasoning.graph.read";
267
- readonly description: "Read beliefs, evidence, questions, topics, graph edges, and lineage.";
189
+ readonly description: "Read beliefs, evidence, questions, topics, and lineage.";
268
190
  readonly surfaces: readonly ["@lucern/sdk", "@lucern/react", "@lucern/mcp"];
269
191
  readonly requiredContextFields: readonly ["tenantId", "workspaceId", "principalId", "authMode", "scopes"];
270
192
  }, {
@@ -272,16 +194,6 @@ declare const TENANT_CLIENT_CAPABILITIES: readonly [{
272
194
  readonly description: "Create and update graph objects through authorized APIs.";
273
195
  readonly surfaces: readonly ["@lucern/sdk", "@lucern/mcp"];
274
196
  readonly requiredContextFields: readonly ["tenantId", "workspaceId", "principalId", "authMode", "scopes"];
275
- }, {
276
- readonly id: "reasoning.graph_intelligence.run";
277
- readonly description: "Discover and run Graph Intelligence query recipes for structural graph analysis.";
278
- readonly surfaces: readonly ["@lucern/sdk", "@lucern/cli", "@lucern/mcp"];
279
- readonly requiredContextFields: readonly ["tenantId", "workspaceId", "principalId", "authMode", "scopes"];
280
- }, {
281
- readonly id: "reasoning.graph_mirroring.install";
282
- readonly description: "Install and run the optional Neo4j graph mirror for paid or enterprise tenant deployments.";
283
- readonly surfaces: readonly ["@lucern/graph-sync", "@lucern/cli"];
284
- readonly requiredContextFields: readonly ["tenantId", "workspaceId", "principalId", "authMode", "scopes"];
285
197
  }, {
286
198
  readonly id: "workflow.worktree_lifecycle";
287
199
  readonly description: "Create, review, merge, and close scoped worktrees.";
@@ -351,4 +263,4 @@ declare function isTenantClientAllowedImport(importPath: string): boolean;
351
263
  declare function assertTenantClientImportAllowed(importPath: string): void;
352
264
  declare function formatTenantClientImportViolation(classification: TenantClientImportClassification): string;
353
265
 
354
- export { TENANT_CLIENT_AUTH_MODES, TENANT_CLIENT_CAPABILITIES, TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS, TENANT_CLIENT_CONTRACT_VERSION, TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS, TENANT_CLIENT_FORBIDDEN_INSTALL_TOKEN_INFISICAL_PATHS, TENANT_CLIENT_FORBIDDEN_SECRET_ENV, TENANT_CLIENT_FULL_SUITE_PACKAGE_NAMES, TENANT_CLIENT_INSTALLABLE_PACKAGES, TENANT_CLIENT_INSTALL_PROFILES, TENANT_CLIENT_INSTALL_TOKEN_ENV, TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH, TENANT_CLIENT_ISOLATION_RULES, TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS, TENANT_CLIENT_PRINCIPAL_TYPES, TENANT_CLIENT_PUBLIC_IMPORTS, TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS, TENANT_CLIENT_REQUIRED_SDK_NAMESPACES, type TenantClientAllowedImport, type TenantClientAuthMode, type TenantClientCapability, type TenantClientCapabilityId, type TenantClientComponentConfigImport, type TenantClientForbiddenImportPattern, type TenantClientForbiddenImportPatternId, type TenantClientForbiddenInstallTokenInfisicalPath, type TenantClientForbiddenSecretEnv, type TenantClientImportClassification, type TenantClientImportDecision, type TenantClientInstallProfile, type TenantClientInstallProfileId, type TenantClientInstallablePackage, type TenantClientInstallablePackageName, type TenantClientIsolationRule, type TenantClientOptionalContextField, type TenantClientPackageRole, type TenantClientPrincipalType, type TenantClientPublicImport, type TenantClientPublicPackage, type TenantClientPublicSurface, type TenantClientRequiredContextField, type TenantClientRequiredSdkNamespace, assertTenantClientImportAllowed, classifyTenantClientImport, findTenantClientInstallablePackage, formatTenantClientImportViolation, isTenantClientAllowedImport, isTenantClientComponentConfigImport, isTenantClientInstallablePackage, isTenantClientPublicImport };
266
+ export { TENANT_CLIENT_AUTH_MODES, TENANT_CLIENT_CAPABILITIES, TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS, TENANT_CLIENT_CONTRACT_VERSION, TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS, TENANT_CLIENT_FORBIDDEN_INSTALL_TOKEN_INFISICAL_PATHS, TENANT_CLIENT_FORBIDDEN_SECRET_ENV, TENANT_CLIENT_INSTALLABLE_PACKAGES, TENANT_CLIENT_INSTALL_TOKEN_ENV, TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH, TENANT_CLIENT_ISOLATION_RULES, TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS, TENANT_CLIENT_PRINCIPAL_TYPES, TENANT_CLIENT_PUBLIC_IMPORTS, TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS, TENANT_CLIENT_REQUIRED_SDK_NAMESPACES, type TenantClientAllowedImport, type TenantClientAuthMode, type TenantClientCapability, type TenantClientCapabilityId, type TenantClientComponentConfigImport, type TenantClientForbiddenImportPattern, type TenantClientForbiddenImportPatternId, type TenantClientForbiddenInstallTokenInfisicalPath, type TenantClientForbiddenSecretEnv, type TenantClientImportClassification, type TenantClientImportDecision, type TenantClientInstallablePackage, type TenantClientInstallablePackageName, type TenantClientIsolationRule, type TenantClientOptionalContextField, type TenantClientPackageRole, type TenantClientPrincipalType, type TenantClientPublicImport, type TenantClientPublicPackage, type TenantClientPublicSurface, type TenantClientRequiredContextField, type TenantClientRequiredSdkNamespace, assertTenantClientImportAllowed, classifyTenantClientImport, findTenantClientInstallablePackage, formatTenantClientImportViolation, isTenantClientAllowedImport, isTenantClientComponentConfigImport, isTenantClientInstallablePackage, isTenantClientPublicImport };
@@ -9,9 +9,7 @@ var TENANT_CLIENT_AUTH_MODES = [
9
9
  var TENANT_CLIENT_PRINCIPAL_TYPES = [
10
10
  "human",
11
11
  "service",
12
- "agent",
13
- "group",
14
- "external_viewer"
12
+ "agent"
15
13
  ];
16
14
  var TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS = [
17
15
  "tenantId",
@@ -21,16 +19,8 @@ var TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS = [
21
19
  "scopes"
22
20
  ];
23
21
  var TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS = [
24
- "clerkId",
25
22
  "principalType",
26
23
  "roles",
27
- "groupIds",
28
- "permittedToolNames",
29
- "permittedPackKeys",
30
- "principalStatus",
31
- "tenantStatus",
32
- "workspaceStatus",
33
- "permit",
34
24
  "sessionId",
35
25
  "delegationChain"
36
26
  ];
@@ -43,8 +33,8 @@ var TENANT_CLIENT_FORBIDDEN_SECRET_ENV = ["NPM_TOKEN"];
43
33
  var TENANT_CLIENT_INSTALLABLE_PACKAGES = [
44
34
  {
45
35
  packageName: "@lucern/access-control",
46
- role: "runtime_entrypoint",
47
- directTenantImport: true
36
+ role: "sdk_dependency",
37
+ directTenantImport: false
48
38
  },
49
39
  {
50
40
  packageName: "@lucern/agent",
@@ -83,7 +73,7 @@ var TENANT_CLIENT_INSTALLABLE_PACKAGES = [
83
73
  },
84
74
  {
85
75
  packageName: "@lucern/control-plane",
86
- role: "component_runtime",
76
+ role: "platform_runtime",
87
77
  directTenantImport: false
88
78
  },
89
79
  {
@@ -102,9 +92,9 @@ var TENANT_CLIENT_INSTALLABLE_PACKAGES = [
102
92
  directTenantImport: false
103
93
  },
104
94
  {
105
- packageName: "@lucern/graph-sync",
106
- role: "host_addon_runtime",
107
- directTenantImport: true
95
+ packageName: "@lucern/identity",
96
+ role: "component_runtime",
97
+ directTenantImport: false
108
98
  },
109
99
  {
110
100
  packageName: "@lucern/mcp",
@@ -141,11 +131,6 @@ var TENANT_CLIENT_INSTALLABLE_PACKAGES = [
141
131
  role: "runtime_entrypoint",
142
132
  directTenantImport: true
143
133
  },
144
- {
145
- packageName: "@lucern/secrets",
146
- role: "sdk_dependency",
147
- directTenantImport: false
148
- },
149
134
  {
150
135
  packageName: "@lucern/server-core",
151
136
  role: "platform_runtime",
@@ -162,59 +147,6 @@ var TENANT_CLIENT_INSTALLABLE_PACKAGES = [
162
147
  directTenantImport: true
163
148
  }
164
149
  ];
165
- var TENANT_CLIENT_FULL_SUITE_PACKAGE_NAMES = TENANT_CLIENT_INSTALLABLE_PACKAGES.map(
166
- (entry) => entry.packageName
167
- );
168
- var TENANT_CLIENT_INSTALL_PROFILES = [
169
- {
170
- id: "core_app_runtime",
171
- description: "Smallest tenant app/runtime install for typed Lucern API calls plus tool-access policy helpers.",
172
- packageNames: ["@lucern/sdk", "@lucern/access-control"],
173
- dependencyField: "dependencies"
174
- },
175
- {
176
- id: "react_app_runtime",
177
- description: "React tenant app install for hooks, provider, curated graph components, and direct SDK calls.",
178
- packageNames: ["@lucern/react", "@lucern/sdk", "@lucern/access-control"],
179
- dependencyField: "dependencies"
180
- },
181
- {
182
- id: "convex_components",
183
- description: "Tenant Convex host install for binding the Lucern control-plane and reasoning-kernel components.",
184
- packageNames: ["@lucern/control-plane", "@lucern/reasoning-kernel"],
185
- dependencyField: "dependencies"
186
- },
187
- {
188
- id: "graph_mirroring_addon",
189
- description: "Optional tenant Convex host install for Neo4j graph projection, edge topology writes, backfill, health checks, and query proxy helpers.",
190
- packageNames: ["@lucern/graph-sync"],
191
- dependencyField: "dependencies"
192
- },
193
- {
194
- id: "operator_cli",
195
- description: "Developer/operator install for the `lucern` binary, including tenant bootstrap seed commands.",
196
- packageNames: ["@lucern/cli"],
197
- dependencyField: "devDependencies"
198
- },
199
- {
200
- id: "mcp_runtime",
201
- description: "Agent runtime install for the standalone Lucern MCP server and hosted route helpers.",
202
- packageNames: ["@lucern/mcp"],
203
- dependencyField: "dependencies"
204
- },
205
- {
206
- id: "contracts_and_types",
207
- description: "Compile-time contract/type install for codegen, audits, and tenant integration validation.",
208
- packageNames: ["@lucern/contracts", "@lucern/types"],
209
- dependencyField: "dependencies"
210
- },
211
- {
212
- id: "full_suite",
213
- description: "Full coherent Lucern package suite for design-partner repos that want every published runtime, tool, component, test, and config package pinned together.",
214
- packageNames: TENANT_CLIENT_FULL_SUITE_PACKAGE_NAMES,
215
- dependencyField: "mixed"
216
- }
217
- ];
218
150
  var TENANT_CLIENT_PUBLIC_IMPORTS = [
219
151
  {
220
152
  packageName: "@lucern/sdk",
@@ -234,24 +166,12 @@ var TENANT_CLIENT_PUBLIC_IMPORTS = [
234
166
  subpaths: "published_exports",
235
167
  description: "MCP client/server entry points and hosted route helpers."
236
168
  },
237
- {
238
- packageName: "@lucern/graph-sync",
239
- surface: "runtime",
240
- subpaths: "published_exports",
241
- description: "Optional Neo4j graph mirroring host actions, edge API, query proxy, backfill, and health helpers."
242
- },
243
169
  {
244
170
  packageName: "@lucern/contracts",
245
171
  surface: "contract",
246
172
  subpaths: "published_exports",
247
173
  description: "Published type and manifest contracts."
248
174
  },
249
- {
250
- packageName: "@lucern/access-control",
251
- surface: "runtime",
252
- subpaths: "published_exports",
253
- description: "Tenant runtime access-control helpers, including effective tool access."
254
- },
255
175
  {
256
176
  packageName: "@lucern/types",
257
177
  surface: "contract",
@@ -261,10 +181,10 @@ var TENANT_CLIENT_PUBLIC_IMPORTS = [
261
181
  ];
262
182
  var TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS = [
263
183
  {
264
- packageName: "@lucern/control-plane",
265
- importPath: "@lucern/control-plane/convex.config",
184
+ packageName: "@lucern/identity",
185
+ importPath: "@lucern/identity/convex.config",
266
186
  surface: "component_config",
267
- description: "Convex component binding config for tenant deployments that install the Lucern control plane."
187
+ description: "Convex component binding config for tenant deployments that install Lucern identity."
268
188
  },
269
189
  {
270
190
  packageName: "@lucern/reasoning-kernel",
@@ -299,8 +219,6 @@ var TENANT_CLIENT_REQUIRED_SDK_NAMESPACES = [
299
219
  "edges",
300
220
  "contradictions",
301
221
  "contracts",
302
- "graphIntel",
303
- "graphIntelligence",
304
222
  "graphAnalysis",
305
223
  "graphRecommendations",
306
224
  "orgGraphSearch",
@@ -308,7 +226,6 @@ var TENANT_CLIENT_REQUIRED_SDK_NAMESPACES = [
308
226
  "ontologyLinks",
309
227
  "graphStateClassifier",
310
228
  "tools",
311
- "controlPlane",
312
229
  "identity",
313
230
  "modelRuntime",
314
231
  "events",
@@ -316,12 +233,6 @@ var TENANT_CLIENT_REQUIRED_SDK_NAMESPACES = [
316
233
  "telemetry"
317
234
  ];
318
235
  var TENANT_CLIENT_CAPABILITIES = [
319
- {
320
- id: "identity.resolve_interactive_principal",
321
- description: "Resolve a Clerk-authenticated user into a Permit-backed Lucern principal context.",
322
- surfaces: ["@lucern/sdk", "@lucern/cli", "@lucern/mcp"],
323
- requiredContextFields: ["principalId", "tenantId", "scopes"]
324
- },
325
236
  {
326
237
  id: "identity.bootstrap_session",
327
238
  description: "Start a scoped Lucern session for a tenant principal.",
@@ -336,7 +247,7 @@ var TENANT_CLIENT_CAPABILITIES = [
336
247
  },
337
248
  {
338
249
  id: "reasoning.graph.read",
339
- description: "Read beliefs, evidence, questions, topics, graph edges, and lineage.",
250
+ description: "Read beliefs, evidence, questions, topics, and lineage.",
340
251
  surfaces: ["@lucern/sdk", "@lucern/react", "@lucern/mcp"],
341
252
  requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS
342
253
  },
@@ -346,18 +257,6 @@ var TENANT_CLIENT_CAPABILITIES = [
346
257
  surfaces: ["@lucern/sdk", "@lucern/mcp"],
347
258
  requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS
348
259
  },
349
- {
350
- id: "reasoning.graph_intelligence.run",
351
- description: "Discover and run Graph Intelligence query recipes for structural graph analysis.",
352
- surfaces: ["@lucern/sdk", "@lucern/cli", "@lucern/mcp"],
353
- requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS
354
- },
355
- {
356
- id: "reasoning.graph_mirroring.install",
357
- description: "Install and run the optional Neo4j graph mirror for paid or enterprise tenant deployments.",
358
- surfaces: ["@lucern/graph-sync", "@lucern/cli"],
359
- requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS
360
- },
361
260
  {
362
261
  id: "workflow.worktree_lifecycle",
363
262
  description: "Create, review, merge, and close scoped worktrees.",
@@ -500,6 +399,6 @@ function formatTenantClientImportViolation(classification) {
500
399
  return `Tenant client import is not allowed${patternId}: ${classification.importPath}. ${classification.reason}`;
501
400
  }
502
401
 
503
- export { TENANT_CLIENT_AUTH_MODES, TENANT_CLIENT_CAPABILITIES, TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS, TENANT_CLIENT_CONTRACT_VERSION, TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS, TENANT_CLIENT_FORBIDDEN_INSTALL_TOKEN_INFISICAL_PATHS, TENANT_CLIENT_FORBIDDEN_SECRET_ENV, TENANT_CLIENT_FULL_SUITE_PACKAGE_NAMES, TENANT_CLIENT_INSTALLABLE_PACKAGES, TENANT_CLIENT_INSTALL_PROFILES, TENANT_CLIENT_INSTALL_TOKEN_ENV, TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH, TENANT_CLIENT_ISOLATION_RULES, TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS, TENANT_CLIENT_PRINCIPAL_TYPES, TENANT_CLIENT_PUBLIC_IMPORTS, TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS, TENANT_CLIENT_REQUIRED_SDK_NAMESPACES, assertTenantClientImportAllowed, classifyTenantClientImport, findTenantClientInstallablePackage, formatTenantClientImportViolation, isTenantClientAllowedImport, isTenantClientComponentConfigImport, isTenantClientInstallablePackage, isTenantClientPublicImport };
402
+ export { TENANT_CLIENT_AUTH_MODES, TENANT_CLIENT_CAPABILITIES, TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS, TENANT_CLIENT_CONTRACT_VERSION, TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS, TENANT_CLIENT_FORBIDDEN_INSTALL_TOKEN_INFISICAL_PATHS, TENANT_CLIENT_FORBIDDEN_SECRET_ENV, TENANT_CLIENT_INSTALLABLE_PACKAGES, TENANT_CLIENT_INSTALL_TOKEN_ENV, TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH, TENANT_CLIENT_ISOLATION_RULES, TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS, TENANT_CLIENT_PRINCIPAL_TYPES, TENANT_CLIENT_PUBLIC_IMPORTS, TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS, TENANT_CLIENT_REQUIRED_SDK_NAMESPACES, assertTenantClientImportAllowed, classifyTenantClientImport, findTenantClientInstallablePackage, formatTenantClientImportViolation, isTenantClientAllowedImport, isTenantClientComponentConfigImport, isTenantClientInstallablePackage, isTenantClientPublicImport };
504
403
  //# sourceMappingURL=tenant-client.contract.js.map
505
404
  //# sourceMappingURL=tenant-client.contract.js.map
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/tenant-client.contract.ts"],"names":[],"mappings":";AAcO,IAAM,8BAAA,GAAiC;AAEvC,IAAM,wBAAA,GAA2B;AAAA,EACtC,kBAAA;AAAA,EACA,mBAAA;AAAA,EACA,gBAAA;AAAA,EACA;AACF;AAGO,IAAM,6BAAA,GAAgC;AAAA,EAC3C,OAAA;AAAA,EACA,SAAA;AAAA,EACA,OAAA;AAAA,EACA,OAAA;AAAA,EACA;AACF;AAIO,IAAM,qCAAA,GAAwC;AAAA,EACnD,UAAA;AAAA,EACA,aAAA;AAAA,EACA,aAAA;AAAA,EACA,UAAA;AAAA,EACA;AACF;AAIO,IAAM,qCAAA,GAAwC;AAAA,EACnD,SAAA;AAAA,EACA,eAAA;AAAA,EACA,OAAA;AAAA,EACA,UAAA;AAAA,EACA,oBAAA;AAAA,EACA,mBAAA;AAAA,EACA,iBAAA;AAAA,EACA,cAAA;AAAA,EACA,iBAAA;AAAA,EACA,QAAA;AAAA,EACA,WAAA;AAAA,EACA;AACF;AAIO,IAAM,+BAAA,GAAkC;AACxC,IAAM,0CAAA,GACX;AACK,IAAM,qDAAA,GAAwD;AAAA,EACnE;AACF;AACO,IAAM,kCAAA,GAAqC,CAAC,WAAW;AAMvD,IAAM,kCAAA,GAAqC;AAAA,EAChD;AAAA,IACE,WAAA,EAAa,wBAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,eAAA;AAAA,IACb,IAAA,EAAM,kBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,cAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,aAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,qBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,oBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,gBAAA;AAAA,IACb,IAAA,EAAM,eAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,mBAAA;AAAA,IACb,IAAA,EAAM,qBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,uBAAA;AAAA,IACb,IAAA,EAAM,mBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,uBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,gBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,0BAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,oBAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,aAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,mBAAA;AAAA,IACb,IAAA,EAAM,kBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,wBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,wBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,eAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,0BAAA;AAAA,IACb,IAAA,EAAM,mBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,aAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,iBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,qBAAA;AAAA,IACb,IAAA,EAAM,kBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,iBAAA;AAAA,IACb,IAAA,EAAM,cAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,eAAA;AAAA,IACb,IAAA,EAAM,qBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA;AAExB;AAwBO,IAAM,yCACX,kCAAA,CAAmC,GAAA;AAAA,EACjC,CAAC,UAAU,KAAA,CAAM;AACnB;AAEK,IAAM,8BAAA,GAAiC;AAAA,EAC5C;AAAA,IACE,EAAA,EAAI,kBAAA;AAAA,IACJ,WAAA,EACE,iGAAA;AAAA,IACF,YAAA,EAAc,CAAC,aAAA,EAAe,wBAAwB,CAAA;AAAA,IACtD,eAAA,EAAiB;AAAA,GACnB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,mBAAA;AAAA,IACJ,WAAA,EACE,+FAAA;AAAA,IACF,YAAA,EAAc,CAAC,eAAA,EAAiB,aAAA,EAAe,wBAAwB,CAAA;AAAA,IACvE,eAAA,EAAiB;AAAA,GACnB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,mBAAA;AAAA,IACJ,WAAA,EACE,kGAAA;AAAA,IACF,YAAA,EAAc,CAAC,uBAAA,EAAyB,0BAA0B,CAAA;AAAA,IAClE,eAAA,EAAiB;AAAA,GACnB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,uBAAA;AAAA,IACJ,WAAA,EACE,yIAAA;AAAA,IACF,YAAA,EAAc,CAAC,oBAAoB,CAAA;AAAA,IACnC,eAAA,EAAiB;AAAA,GACnB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,cAAA;AAAA,IACJ,WAAA,EACE,+FAAA;AAAA,IACF,YAAA,EAAc,CAAC,aAAa,CAAA;AAAA,IAC5B,eAAA,EAAiB;AAAA,GACnB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,aAAA;AAAA,IACJ,WAAA,EACE,sFAAA;AAAA,IACF,YAAA,EAAc,CAAC,aAAa,CAAA;AAAA,IAC5B,eAAA,EAAiB;AAAA,GACnB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,qBAAA;AAAA,IACJ,WAAA,EACE,4FAAA;AAAA,IACF,YAAA,EAAc,CAAC,mBAAA,EAAqB,eAAe,CAAA;AAAA,IACnD,eAAA,EAAiB;AAAA,GACnB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,YAAA;AAAA,IACJ,WAAA,EACE,2JAAA;AAAA,IACF,YAAA,EAAc,sCAAA;AAAA,IACd,eAAA,EAAiB;AAAA;AAErB;AAUO,IAAM,4BAAA,GAA+B;AAAA,EAC1C;AAAA,IACE,WAAA,EAAa,aAAA;AAAA,IACb,OAAA,EAAS,SAAA;AAAA,IACT,QAAA,EAAU,mBAAA;AAAA,IACV,WAAA,EAAa;AAAA,GACf;AAAA,EACA;AAAA,IACE,WAAA,EAAa,eAAA;AAAA,IACb,OAAA,EAAS,SAAA;AAAA,IACT,QAAA,EAAU,mBAAA;AAAA,IACV,WAAA,EAAa;AAAA,GACf;AAAA,EACA;AAAA,IACE,WAAA,EAAa,aAAA;AAAA,IACb,OAAA,EAAS,SAAA;AAAA,IACT,QAAA,EAAU,mBAAA;AAAA,IACV,WAAA,EAAa;AAAA,GACf;AAAA,EACA;AAAA,IACE,WAAA,EAAa,oBAAA;AAAA,IACb,OAAA,EAAS,SAAA;AAAA,IACT,QAAA,EAAU,mBAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,WAAA,EAAa,mBAAA;AAAA,IACb,OAAA,EAAS,UAAA;AAAA,IACT,QAAA,EAAU,mBAAA;AAAA,IACV,WAAA,EAAa;AAAA,GACf;AAAA,EACA;AAAA,IACE,WAAA,EAAa,wBAAA;AAAA,IACb,OAAA,EAAS,SAAA;AAAA,IACT,QAAA,EAAU,mBAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,WAAA,EAAa,eAAA;AAAA,IACb,OAAA,EAAS,UAAA;AAAA,IACT,QAAA,EAAU,mBAAA;AAAA,IACV,WAAA,EAAa;AAAA;AAEjB;AAOO,IAAM,sCAAA,GAAyC;AAAA,EACpD;AAAA,IACE,WAAA,EAAa,uBAAA;AAAA,IACb,UAAA,EAAY,qCAAA;AAAA,IACZ,OAAA,EAAS,kBAAA;AAAA,IACT,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,WAAA,EAAa,0BAAA;AAAA,IACb,UAAA,EAAY,wCAAA;AAAA,IACZ,OAAA,EAAS,kBAAA;AAAA,IACT,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,WAAA,EAAa,0BAAA;AAAA,IACb,UAAA,EAAY,yCAAA;AAAA,IACZ,OAAA,EAAS,kBAAA;AAAA,IACT,WAAA,EACE;AAAA;AAEN;AAOO,SAAS,mCACd,WAAA,EAC4C;AAC5C,EAAA,OAAO,kCAAA,CAAmC,IAAA;AAAA,IACxC,CAAC,KAAA,KAAU,KAAA,CAAM,WAAA,KAAgB;AAAA,GACnC;AACF;AAEO,SAAS,iCAAiC,WAAA,EAA8B;AAC7E,EAAA,OAAO,OAAA,CAAQ,kCAAA,CAAmC,WAAW,CAAC,CAAA;AAChE;AAEO,IAAM,qCAAA,GAAwC;AAAA,EACnD,WAAA;AAAA,EACA,SAAA;AAAA,EACA,SAAA;AAAA,EACA,UAAA;AAAA,EACA,WAAA;AAAA,EACA,OAAA;AAAA,EACA,WAAA;AAAA,EACA,QAAA;AAAA,EACA,OAAA;AAAA,EACA,gBAAA;AAAA,EACA,WAAA;AAAA,EACA,YAAA;AAAA,EACA,mBAAA;AAAA,EACA,eAAA;AAAA,EACA,sBAAA;AAAA,EACA,gBAAA;AAAA,EACA,YAAA;AAAA,EACA,eAAA;AAAA,EACA,sBAAA;AAAA,EACA,OAAA;AAAA,EACA,cAAA;AAAA,EACA,UAAA;AAAA,EACA,cAAA;AAAA,EACA,QAAA;AAAA,EACA,MAAA;AAAA,EACA;AACF;AAIO,IAAM,0BAAA,GAA6B;AAAA,EACxC;AAAA,IACE,EAAA,EAAI,wCAAA;AAAA,IACJ,WAAA,EACE,mFAAA;AAAA,IACF,QAAA,EAAU,CAAC,aAAA,EAAe,aAAA,EAAe,aAAa,CAAA;AAAA,IACtD,qBAAA,EAAuB,CAAC,aAAA,EAAe,UAAA,EAAY,QAAQ;AAAA,GAC7D;AAAA,EACA;AAAA,IACE,EAAA,EAAI,4BAAA;AAAA,IACJ,WAAA,EAAa,uDAAA;AAAA,IACb,QAAA,EAAU,CAAC,aAAA,EAAe,aAAa,CAAA;AAAA,IACvC,qBAAA,EAAuB;AAAA,GACzB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,2BAAA;AAAA,IACJ,WAAA,EAAa,wDAAA;AAAA,IACb,QAAA,EAAU,CAAC,aAAA,EAAe,eAAA,EAAiB,aAAa,CAAA;AAAA,IACxD,qBAAA,EAAuB;AAAA,GACzB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,sBAAA;AAAA,IACJ,WAAA,EAAa,sEAAA;AAAA,IACb,QAAA,EAAU,CAAC,aAAA,EAAe,eAAA,EAAiB,aAAa,CAAA;AAAA,IACxD,qBAAA,EAAuB;AAAA,GACzB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,uBAAA;AAAA,IACJ,WAAA,EAAa,0DAAA;AAAA,IACb,QAAA,EAAU,CAAC,aAAA,EAAe,aAAa,CAAA;AAAA,IACvC,qBAAA,EAAuB;AAAA,GACzB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,kCAAA;AAAA,IACJ,WAAA,EACE,kFAAA;AAAA,IACF,QAAA,EAAU,CAAC,aAAA,EAAe,aAAA,EAAe,aAAa,CAAA;AAAA,IACtD,qBAAA,EAAuB;AAAA,GACzB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,mCAAA;AAAA,IACJ,WAAA,EACE,4FAAA;AAAA,IACF,QAAA,EAAU,CAAC,oBAAA,EAAsB,aAAa,CAAA;AAAA,IAC9C,qBAAA,EAAuB;AAAA,GACzB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,6BAAA;AAAA,IACJ,WAAA,EAAa,oDAAA;AAAA,IACb,QAAA,EAAU,CAAC,aAAA,EAAe,eAAA,EAAiB,aAAa,CAAA;AAAA,IACxD,qBAAA,EAAuB;AAAA;AAE3B;AAKO,IAAM,6BAAA,GAAgC;AAAA,EAC3C;AAAA,IACE,EAAA,EAAI,iCAAA;AAAA,IACJ,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,0BAAA;AAAA,IACJ,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,2BAAA;AAAA,IACJ,WAAA,EACE;AAAA;AAEN;AAIO,IAAM,uCAAA,GAA0C;AAAA,EACrD;AAAA,IACE,EAAA,EAAI,iBAAA;AAAA,IACJ,OAAA,EAAS,2BAAA;AAAA,IACT,WAAA,EAAa;AAAA,GACf;AAAA,EACA;AAAA,IACE,EAAA,EAAI,kBAAA;AAAA,IACJ,OAAA,EAAS,4BAAA;AAAA,IACT,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,0BAAA;AAAA,IACJ,OAAA,EAAS,gDAAA;AAAA,IACT,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,wBAAA;AAAA,IACJ,OAAA,EAAS,4CAAA;AAAA,IACT,WAAA,EAAa;AAAA,GACf;AAAA,EACA;AAAA,IACE,EAAA,EAAI,yBAAA;AAAA,IACJ,OAAA,EAAS,+DAAA;AAAA,IACT,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,0BAAA;AAAA,IACJ,OAAA,EAAS,qDAAA;AAAA,IACT,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,+BAAA;AAAA,IACJ,OAAA,EAAS,mEAAA;AAAA,IACT,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,sBAAA;AAAA,IACJ,OAAA,EAAS,aAAA;AAAA,IACT,WAAA,EACE;AAAA;AAEN;AAoBA,SAAS,oBACP,UAAA,EACuC;AACvC,EAAA,MAAM,kBAAkB,sCAAA,CAAuC,IAAA;AAAA,IAC7D,CAAC,KAAA,KAAU,UAAA,KAAe,KAAA,CAAM;AAAA,GAClC;AACA,EAAA,IAAI,eAAA,EAAiB;AACnB,IAAA,OAAO,eAAA;AAAA,EACT;AAEA,EAAA,OAAO,4BAAA,CAA6B,IAAA;AAAA,IAClC,CAAC,KAAA,KACC,UAAA,KAAe,KAAA,CAAM,WAAA,IACrB,WAAW,UAAA,CAAW,CAAA,EAAG,KAAA,CAAM,WAAW,CAAA,CAAA,CAAG;AAAA,GACjD;AACF;AAEA,SAAS,wBACP,UAAA,EACgD;AAChD,EAAA,OAAO,uCAAA,CAAwC,IAAA;AAAA,IAAK,CAAC,UACnD,IAAI,MAAA,CAAO,MAAM,OAAA,EAAS,GAAG,CAAA,CAAE,IAAA,CAAK,UAAU;AAAA,GAChD;AACF;AAEO,SAAS,2BACd,UAAA,EACkC;AAClC,EAAA,MAAM,oBAAA,GAAuB,WAAW,IAAA,EAAK;AAC7C,EAAA,MAAM,OAAA,GAAU,wBAAwB,oBAAoB,CAAA;AAE5D,EAAA,IAAI,OAAA,EAAS;AACX,IAAA,OAAO;AAAA,MACL,UAAA,EAAY,oBAAA;AAAA,MACZ,QAAA,EAAU,WAAA;AAAA,MACV,OAAA;AAAA,MACA,QAAQ,OAAA,CAAQ;AAAA,KAClB;AAAA,EACF;AAEA,EAAA,MAAM,YAAA,GAAe,oBAAoB,oBAAoB,CAAA;AAC7D,EAAA,IAAI,YAAA,EAAc;AAChB,IAAA,OAAO;AAAA,MACL,UAAA,EAAY,oBAAA;AAAA,MACZ,QAAA,EAAU,QAAA;AAAA,MACV,YAAA;AAAA,MACA,QAAQ,YAAA,CAAa;AAAA,KACvB;AAAA,EACF;AAEA,EAAA,IAAI,oBAAA,CAAqB,UAAA,CAAW,UAAU,CAAA,EAAG;AAC/C,IAAA,OAAO;AAAA,MACL,UAAA,EAAY,oBAAA;AAAA,MACZ,QAAA,EAAU,WAAA;AAAA,MACV,MAAA,EACE;AAAA,KACJ;AAAA,EACF;AAEA,EAAA,IACE,qBAAqB,UAAA,CAAW,IAAI,KACpC,oBAAA,CAAqB,UAAA,CAAW,KAAK,CAAA,EACrC;AACA,IAAA,OAAO;AAAA,MACL,UAAA,EAAY,oBAAA;AAAA,MACZ,QAAA,EAAU,OAAA;AAAA,MACV,MAAA,EAAQ;AAAA,KACV;AAAA,EACF;AAEA,EAAA,OAAO;AAAA,IACL,UAAA,EAAY,oBAAA;AAAA,IACZ,QAAA,EAAU,UAAA;AAAA,IACV,MAAA,EAAQ;AAAA,GACV;AACF;AAEO,SAAS,2BAA2B,UAAA,EAA6B;AACtE,EAAA,OAAO,0BAAA,CAA2B,UAAU,CAAA,CAAE,QAAA,KAAa,QAAA;AAC7D;AAEO,SAAS,oCACd,UAAA,EACS;AACT,EAAA,OAAO,sCAAA,CAAuC,IAAA;AAAA,IAC5C,CAAC,KAAA,KAAU,UAAA,KAAe,KAAA,CAAM;AAAA,GAClC;AACF;AAEO,SAAS,4BAA4B,UAAA,EAA6B;AACvE,EAAA,OAAO,0BAAA,CAA2B,UAAU,CAAA,CAAE,QAAA,KAAa,QAAA;AAC7D;AAEO,SAAS,gCAAgC,UAAA,EAA0B;AACxE,EAAA,MAAM,cAAA,GAAiB,2BAA2B,UAAU,CAAA;AAC5D,EAAA,IAAI,cAAA,CAAe,aAAa,WAAA,EAAa;AAC3C,IAAA;AAAA,EACF;AAEA,EAAA,MAAM,IAAI,KAAA,CAAM,iCAAA,CAAkC,cAAc,CAAC,CAAA;AACnE;AAEO,SAAS,kCACd,cAAA,EACQ;AACR,EAAA,MAAM,YAAY,cAAA,CAAe,OAAA,GAC7B,KAAK,cAAA,CAAe,OAAA,CAAQ,EAAE,CAAA,CAAA,CAAA,GAC9B,EAAA;AACJ,EAAA,OAAO,sCAAsC,SAAS,CAAA,EAAA,EAAK,eAAe,UAAU,CAAA,EAAA,EAAK,eAAe,MAAM,CAAA,CAAA;AAChH","file":"tenant-client.contract.js","sourcesContent":["/**\n * Tenant client contract\n *\n * Defines the generic boundary for any customer-owned product that consumes\n * Lucern through the SDK, hosted API, or MCP server. Tenant clients may run\n * their own UI, auth provider, deployment, and data plane, but reasoning\n * operations must enter through the published packages below.\n */\n\nimport type {\n SessionAuthMode,\n SessionPrincipalType,\n} from \"./auth.contract\";\n\nexport const TENANT_CLIENT_CONTRACT_VERSION = \"2026-04-27\" as const;\n\nexport const TENANT_CLIENT_AUTH_MODES = [\n \"interactive_user\",\n \"service_principal\",\n \"tenant_api_key\",\n \"session_token\",\n] as const satisfies readonly SessionAuthMode[];\nexport type TenantClientAuthMode = (typeof TENANT_CLIENT_AUTH_MODES)[number];\n\nexport const TENANT_CLIENT_PRINCIPAL_TYPES = [\n \"human\",\n \"service\",\n \"agent\",\n \"group\",\n \"external_viewer\",\n] as const satisfies readonly SessionPrincipalType[];\nexport type TenantClientPrincipalType =\n (typeof TENANT_CLIENT_PRINCIPAL_TYPES)[number];\n\nexport const TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS = [\n \"tenantId\",\n \"workspaceId\",\n \"principalId\",\n \"authMode\",\n \"scopes\",\n] as const;\nexport type TenantClientRequiredContextField =\n (typeof TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS)[number];\n\nexport const TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS = [\n \"clerkId\",\n \"principalType\",\n \"roles\",\n \"groupIds\",\n \"permittedToolNames\",\n \"permittedPackKeys\",\n \"principalStatus\",\n \"tenantStatus\",\n \"workspaceStatus\",\n \"permit\",\n \"sessionId\",\n \"delegationChain\",\n] as const;\nexport type TenantClientOptionalContextField =\n (typeof TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS)[number];\n\nexport const TENANT_CLIENT_INSTALL_TOKEN_ENV = \"INSTALL_LUCERN_NPM\" as const;\nexport const TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH =\n \"tenants/shared\" as const;\nexport const TENANT_CLIENT_FORBIDDEN_INSTALL_TOKEN_INFISICAL_PATHS = [\n \"/platform/publish\",\n] as const;\nexport const TENANT_CLIENT_FORBIDDEN_SECRET_ENV = [\"NPM_TOKEN\"] as const;\nexport type TenantClientForbiddenInstallTokenInfisicalPath =\n (typeof TENANT_CLIENT_FORBIDDEN_INSTALL_TOKEN_INFISICAL_PATHS)[number];\nexport type TenantClientForbiddenSecretEnv =\n (typeof TENANT_CLIENT_FORBIDDEN_SECRET_ENV)[number];\n\nexport const TENANT_CLIENT_INSTALLABLE_PACKAGES = [\n {\n packageName: \"@lucern/access-control\",\n role: \"runtime_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/agent\",\n role: \"platform_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/auth\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/cli\",\n role: \"developer_tool\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/client-core\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/confidence\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/config\",\n role: \"configuration\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/contracts\",\n role: \"contract_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/control-plane\",\n role: \"component_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/developer-kit\",\n role: \"developer_tool\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/events\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/graph-primitives\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/graph-sync\",\n role: \"host_addon_runtime\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/mcp\",\n role: \"runtime_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/pack-host\",\n role: \"platform_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/pack-installer\",\n role: \"developer_tool\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/proof-compiler\",\n role: \"developer_tool\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/react\",\n role: \"runtime_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/reasoning-kernel\",\n role: \"component_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/sdk\",\n role: \"runtime_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/secrets\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/server-core\",\n role: \"platform_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/testing\",\n role: \"test_support\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/types\",\n role: \"contract_entrypoint\",\n directTenantImport: true,\n },\n] as const;\nexport type TenantClientInstallablePackage =\n (typeof TENANT_CLIENT_INSTALLABLE_PACKAGES)[number];\nexport type TenantClientPackageRole = TenantClientInstallablePackage[\"role\"];\nexport type TenantClientInstallablePackageName =\n TenantClientInstallablePackage[\"packageName\"];\n\n/**\n * Direct package installs are package.json entries owned by the tenant repo.\n * Direct imports are source-code imports that tenant application code may use.\n *\n * These concepts intentionally differ: `@lucern/cli` is a direct install when a\n * tenant repo needs the `lucern` binary, but it is not a direct application\n * import. `@lucern/reasoning-kernel` and `@lucern/control-plane` are direct installs\n * for Convex component binding, while tenant app code should only import their\n * explicit component config subpaths.\n */\nexport type TenantClientInstallProfile = {\n id: string;\n description: string;\n packageNames: readonly TenantClientInstallablePackageName[];\n dependencyField: \"dependencies\" | \"devDependencies\" | \"mixed\";\n};\n\nexport const TENANT_CLIENT_FULL_SUITE_PACKAGE_NAMES =\n TENANT_CLIENT_INSTALLABLE_PACKAGES.map(\n (entry) => entry.packageName\n ) as readonly TenantClientInstallablePackageName[];\n\nexport const TENANT_CLIENT_INSTALL_PROFILES = [\n {\n id: \"core_app_runtime\",\n description:\n \"Smallest tenant app/runtime install for typed Lucern API calls plus tool-access policy helpers.\",\n packageNames: [\"@lucern/sdk\", \"@lucern/access-control\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"react_app_runtime\",\n description:\n \"React tenant app install for hooks, provider, curated graph components, and direct SDK calls.\",\n packageNames: [\"@lucern/react\", \"@lucern/sdk\", \"@lucern/access-control\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"convex_components\",\n description:\n \"Tenant Convex host install for binding the Lucern control-plane and reasoning-kernel components.\",\n packageNames: [\"@lucern/control-plane\", \"@lucern/reasoning-kernel\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"graph_mirroring_addon\",\n description:\n \"Optional tenant Convex host install for Neo4j graph projection, edge topology writes, backfill, health checks, and query proxy helpers.\",\n packageNames: [\"@lucern/graph-sync\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"operator_cli\",\n description:\n \"Developer/operator install for the `lucern` binary, including tenant bootstrap seed commands.\",\n packageNames: [\"@lucern/cli\"],\n dependencyField: \"devDependencies\",\n },\n {\n id: \"mcp_runtime\",\n description:\n \"Agent runtime install for the standalone Lucern MCP server and hosted route helpers.\",\n packageNames: [\"@lucern/mcp\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"contracts_and_types\",\n description:\n \"Compile-time contract/type install for codegen, audits, and tenant integration validation.\",\n packageNames: [\"@lucern/contracts\", \"@lucern/types\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"full_suite\",\n description:\n \"Full coherent Lucern package suite for design-partner repos that want every published runtime, tool, component, test, and config package pinned together.\",\n packageNames: TENANT_CLIENT_FULL_SUITE_PACKAGE_NAMES,\n dependencyField: \"mixed\",\n },\n] as const satisfies readonly TenantClientInstallProfile[];\nexport type TenantClientInstallProfileId =\n (typeof TENANT_CLIENT_INSTALL_PROFILES)[number][\"id\"];\n\n/**\n * Direct imports tenant-owned product code may use. This is intentionally\n * smaller than TENANT_CLIENT_INSTALLABLE_PACKAGES: several publishable packages\n * are installed as SDK dependencies, tooling, or platform runtimes but should\n * not become the application integration surface.\n */\nexport const TENANT_CLIENT_PUBLIC_IMPORTS = [\n {\n packageName: \"@lucern/sdk\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description: \"TypeScript SDK runtime and generated operation namespaces.\",\n },\n {\n packageName: \"@lucern/react\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description: \"React bindings for tenant-owned UI applications.\",\n },\n {\n packageName: \"@lucern/mcp\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description: \"MCP client/server entry points and hosted route helpers.\",\n },\n {\n packageName: \"@lucern/graph-sync\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description:\n \"Optional Neo4j graph mirroring host actions, edge API, query proxy, backfill, and health helpers.\",\n },\n {\n packageName: \"@lucern/contracts\",\n surface: \"contract\",\n subpaths: \"published_exports\",\n description: \"Published type and manifest contracts.\",\n },\n {\n packageName: \"@lucern/access-control\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description:\n \"Tenant runtime access-control helpers, including effective tool access.\",\n },\n {\n packageName: \"@lucern/types\",\n surface: \"contract\",\n subpaths: \"published_exports\",\n description: \"Published type-only helpers for tenant integration code.\",\n },\n] as const;\nexport type TenantClientPublicImport =\n (typeof TENANT_CLIENT_PUBLIC_IMPORTS)[number];\nexport type TenantClientPublicPackage =\n TenantClientPublicImport[\"packageName\"];\nexport type TenantClientPublicSurface = TenantClientPublicImport[\"surface\"];\n\nexport const TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS = [\n {\n packageName: \"@lucern/control-plane\",\n importPath: \"@lucern/control-plane/convex.config\",\n surface: \"component_config\",\n description:\n \"Convex component binding config for tenant deployments that install the Lucern control plane.\",\n },\n {\n packageName: \"@lucern/reasoning-kernel\",\n importPath: \"@lucern/reasoning-kernel/convex.config\",\n surface: \"component_config\",\n description:\n \"Convex component binding config for tenant deployments that install the Lucern reasoning kernel.\",\n },\n {\n packageName: \"@lucern/reasoning-kernel\",\n importPath: \"@lucern/reasoning-kernel/runtime.config\",\n surface: \"component_config\",\n description:\n \"Runtime config alias for tenant deployments that install the Lucern reasoning kernel.\",\n },\n] as const;\nexport type TenantClientComponentConfigImport =\n (typeof TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS)[number];\nexport type TenantClientAllowedImport =\n | TenantClientPublicImport\n | TenantClientComponentConfigImport;\n\nexport function findTenantClientInstallablePackage(\n packageName: string\n): TenantClientInstallablePackage | undefined {\n return TENANT_CLIENT_INSTALLABLE_PACKAGES.find(\n (entry) => entry.packageName === packageName\n );\n}\n\nexport function isTenantClientInstallablePackage(packageName: string): boolean {\n return Boolean(findTenantClientInstallablePackage(packageName));\n}\n\nexport const TENANT_CLIENT_REQUIRED_SDK_NAMESPACES = [\n \"bootstrap\",\n \"context\",\n \"beliefs\",\n \"evidence\",\n \"questions\",\n \"graph\",\n \"worktrees\",\n \"topics\",\n \"edges\",\n \"contradictions\",\n \"contracts\",\n \"graphIntel\",\n \"graphIntelligence\",\n \"graphAnalysis\",\n \"graphRecommendations\",\n \"orgGraphSearch\",\n \"embeddings\",\n \"ontologyLinks\",\n \"graphStateClassifier\",\n \"tools\",\n \"controlPlane\",\n \"identity\",\n \"modelRuntime\",\n \"events\",\n \"jobs\",\n \"telemetry\",\n] as const;\nexport type TenantClientRequiredSdkNamespace =\n (typeof TENANT_CLIENT_REQUIRED_SDK_NAMESPACES)[number];\n\nexport const TENANT_CLIENT_CAPABILITIES = [\n {\n id: \"identity.resolve_interactive_principal\",\n description:\n \"Resolve a Clerk-authenticated user into a Permit-backed Lucern principal context.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/cli\", \"@lucern/mcp\"],\n requiredContextFields: [\"principalId\", \"tenantId\", \"scopes\"],\n },\n {\n id: \"identity.bootstrap_session\",\n description: \"Start a scoped Lucern session for a tenant principal.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.context.compile\",\n description: \"Compile tenant and workspace scoped reasoning context.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/react\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.graph.read\",\n description: \"Read beliefs, evidence, questions, topics, graph edges, and lineage.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/react\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.graph.write\",\n description: \"Create and update graph objects through authorized APIs.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.graph_intelligence.run\",\n description:\n \"Discover and run Graph Intelligence query recipes for structural graph analysis.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/cli\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.graph_mirroring.install\",\n description:\n \"Install and run the optional Neo4j graph mirror for paid or enterprise tenant deployments.\",\n surfaces: [\"@lucern/graph-sync\", \"@lucern/cli\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"workflow.worktree_lifecycle\",\n description: \"Create, review, merge, and close scoped worktrees.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/react\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n] as const;\nexport type TenantClientCapability =\n (typeof TENANT_CLIENT_CAPABILITIES)[number];\nexport type TenantClientCapabilityId = TenantClientCapability[\"id\"];\n\nexport const TENANT_CLIENT_ISOLATION_RULES = [\n {\n id: \"tenant_workspace_scope_required\",\n description:\n \"Runtime operations must resolve both tenantId and workspaceId before reaching Lucern reasoning state.\",\n },\n {\n id: \"principal_audit_required\",\n description:\n \"Runtime operations must carry principalId, authMode, and scopes for audit attribution.\",\n },\n {\n id: \"no_private_lucern_imports\",\n description:\n \"Tenant code must not import Lucern source, Convex internals, generated adapters, or unpublished package internals.\",\n },\n] as const;\nexport type TenantClientIsolationRule =\n (typeof TENANT_CLIENT_ISOLATION_RULES)[number];\n\nexport const TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS = [\n {\n id: \"deep_src_import\",\n pattern: \"^@lucern/[^/]+/src(?:/|$)\",\n description: \"Published packages must not be bypassed through src paths.\",\n },\n {\n id: \"deep_dist_import\",\n pattern: \"^@lucern/[^/]+/dist(?:/|$)\",\n description:\n \"Published package exports must be used instead of dist file paths.\",\n },\n {\n id: \"generated_adapter_import\",\n pattern: \"^@lucern/[^/]+/(?:adapters/)?_generated(?:/|$)\",\n description:\n \"Generated Lucern adapters are internal deployment artifacts.\",\n },\n {\n id: \"private_runtime_import\",\n pattern: \"^@lucern/[^/]+/(?:internal|private)(?:/|$)\",\n description: \"Internal and private package subpaths are not public SDK API.\",\n },\n {\n id: \"workspace_source_import\",\n pattern: \"^(?:packages|modules|services|lucern|apps)/(?:.+/)?src(?:/|$)\",\n description:\n \"Tenant clients must not import source files from the Lucern monorepo.\",\n },\n {\n id: \"root_alias_lucern_import\",\n pattern: \"^@/(?:lucern|packages|modules|services|apps)(?:/|$)\",\n description:\n \"Tenant clients must not depend on Lucern repo-local path aliases.\",\n },\n {\n id: \"relative_lucern_source_import\",\n pattern: \"^\\\\.\\\\.?/(?:.+/)?(?:packages|modules|services|lucern|apps)(?:/|$)\",\n description:\n \"Tenant clients must not reach back into Lucern source through relative paths.\",\n },\n {\n id: \"monorepo_path_import\",\n pattern: \"lucern-repo\",\n description:\n \"Absolute imports that name the Lucern repository are not portable tenant code.\",\n },\n] as const;\nexport type TenantClientForbiddenImportPattern =\n (typeof TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS)[number];\nexport type TenantClientForbiddenImportPatternId =\n TenantClientForbiddenImportPattern[\"id\"];\n\nexport type TenantClientImportDecision =\n | \"public\"\n | \"forbidden\"\n | \"local\"\n | \"external\";\n\nexport type TenantClientImportClassification = {\n importPath: string;\n decision: TenantClientImportDecision;\n publicImport?: TenantClientAllowedImport;\n pattern?: TenantClientForbiddenImportPattern;\n reason: string;\n};\n\nfunction matchesPublicImport(\n importPath: string\n): TenantClientAllowedImport | undefined {\n const componentConfig = TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS.find(\n (entry) => importPath === entry.importPath\n );\n if (componentConfig) {\n return componentConfig;\n }\n\n return TENANT_CLIENT_PUBLIC_IMPORTS.find(\n (entry) =>\n importPath === entry.packageName ||\n importPath.startsWith(`${entry.packageName}/`)\n );\n}\n\nfunction matchesForbiddenPattern(\n importPath: string\n): TenantClientForbiddenImportPattern | undefined {\n return TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS.find((entry) =>\n new RegExp(entry.pattern, \"u\").test(importPath)\n );\n}\n\nexport function classifyTenantClientImport(\n importPath: string\n): TenantClientImportClassification {\n const normalizedImportPath = importPath.trim();\n const pattern = matchesForbiddenPattern(normalizedImportPath);\n\n if (pattern) {\n return {\n importPath: normalizedImportPath,\n decision: \"forbidden\",\n pattern,\n reason: pattern.description,\n };\n }\n\n const publicImport = matchesPublicImport(normalizedImportPath);\n if (publicImport) {\n return {\n importPath: normalizedImportPath,\n decision: \"public\",\n publicImport,\n reason: publicImport.description,\n };\n }\n\n if (normalizedImportPath.startsWith(\"@lucern/\")) {\n return {\n importPath: normalizedImportPath,\n decision: \"forbidden\",\n reason:\n \"This @lucern package is not part of the tenant client public surface.\",\n };\n }\n\n if (\n normalizedImportPath.startsWith(\"./\") ||\n normalizedImportPath.startsWith(\"../\")\n ) {\n return {\n importPath: normalizedImportPath,\n decision: \"local\",\n reason: \"Local tenant-owned import.\",\n };\n }\n\n return {\n importPath: normalizedImportPath,\n decision: \"external\",\n reason: \"External dependency outside the Lucern package namespace.\",\n };\n}\n\nexport function isTenantClientPublicImport(importPath: string): boolean {\n return classifyTenantClientImport(importPath).decision === \"public\";\n}\n\nexport function isTenantClientComponentConfigImport(\n importPath: string\n): boolean {\n return TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS.some(\n (entry) => importPath === entry.importPath\n );\n}\n\nexport function isTenantClientAllowedImport(importPath: string): boolean {\n return classifyTenantClientImport(importPath).decision === \"public\";\n}\n\nexport function assertTenantClientImportAllowed(importPath: string): void {\n const classification = classifyTenantClientImport(importPath);\n if (classification.decision !== \"forbidden\") {\n return;\n }\n\n throw new Error(formatTenantClientImportViolation(classification));\n}\n\nexport function formatTenantClientImportViolation(\n classification: TenantClientImportClassification\n): string {\n const patternId = classification.pattern\n ? ` [${classification.pattern.id}]`\n : \"\";\n return `Tenant client import is not allowed${patternId}: ${classification.importPath}. ${classification.reason}`;\n}\n"]}
1
+ {"version":3,"sources":["../src/tenant-client.contract.ts"],"names":[],"mappings":";AAcO,IAAM,8BAAA,GAAiC;AAEvC,IAAM,wBAAA,GAA2B;AAAA,EACtC,kBAAA;AAAA,EACA,mBAAA;AAAA,EACA,gBAAA;AAAA,EACA;AACF;AAGO,IAAM,6BAAA,GAAgC;AAAA,EAC3C,OAAA;AAAA,EACA,SAAA;AAAA,EACA;AACF;AAIO,IAAM,qCAAA,GAAwC;AAAA,EACnD,UAAA;AAAA,EACA,aAAA;AAAA,EACA,aAAA;AAAA,EACA,UAAA;AAAA,EACA;AACF;AAIO,IAAM,qCAAA,GAAwC;AAAA,EACnD,eAAA;AAAA,EACA,OAAA;AAAA,EACA,WAAA;AAAA,EACA;AACF;AAIO,IAAM,+BAAA,GAAkC;AACxC,IAAM,0CAAA,GACX;AACK,IAAM,qDAAA,GAAwD;AAAA,EACnE;AACF;AACO,IAAM,kCAAA,GAAqC,CAAC,WAAW;AAMvD,IAAM,kCAAA,GAAqC;AAAA,EAChD;AAAA,IACE,WAAA,EAAa,wBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,eAAA;AAAA,IACb,IAAA,EAAM,kBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,cAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,aAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,qBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,oBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,gBAAA;AAAA,IACb,IAAA,EAAM,eAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,mBAAA;AAAA,IACb,IAAA,EAAM,qBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,uBAAA;AAAA,IACb,IAAA,EAAM,kBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,uBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,gBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,0BAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,kBAAA;AAAA,IACb,IAAA,EAAM,mBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,aAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,mBAAA;AAAA,IACb,IAAA,EAAM,kBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,wBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,wBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,eAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,0BAAA;AAAA,IACb,IAAA,EAAM,mBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,aAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,qBAAA;AAAA,IACb,IAAA,EAAM,kBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,iBAAA;AAAA,IACb,IAAA,EAAM,cAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,eAAA;AAAA,IACb,IAAA,EAAM,qBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA;AAExB;AAaO,IAAM,4BAAA,GAA+B;AAAA,EAC1C;AAAA,IACE,WAAA,EAAa,aAAA;AAAA,IACb,OAAA,EAAS,SAAA;AAAA,IACT,QAAA,EAAU,mBAAA;AAAA,IACV,WAAA,EAAa;AAAA,GACf;AAAA,EACA;AAAA,IACE,WAAA,EAAa,eAAA;AAAA,IACb,OAAA,EAAS,SAAA;AAAA,IACT,QAAA,EAAU,mBAAA;AAAA,IACV,WAAA,EAAa;AAAA,GACf;AAAA,EACA;AAAA,IACE,WAAA,EAAa,aAAA;AAAA,IACb,OAAA,EAAS,SAAA;AAAA,IACT,QAAA,EAAU,mBAAA;AAAA,IACV,WAAA,EAAa;AAAA,GACf;AAAA,EACA;AAAA,IACE,WAAA,EAAa,mBAAA;AAAA,IACb,OAAA,EAAS,UAAA;AAAA,IACT,QAAA,EAAU,mBAAA;AAAA,IACV,WAAA,EAAa;AAAA,GACf;AAAA,EACA;AAAA,IACE,WAAA,EAAa,eAAA;AAAA,IACb,OAAA,EAAS,UAAA;AAAA,IACT,QAAA,EAAU,mBAAA;AAAA,IACV,WAAA,EAAa;AAAA;AAEjB;AAOO,IAAM,sCAAA,GAAyC;AAAA,EACpD;AAAA,IACE,WAAA,EAAa,kBAAA;AAAA,IACb,UAAA,EAAY,gCAAA;AAAA,IACZ,OAAA,EAAS,kBAAA;AAAA,IACT,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,WAAA,EAAa,0BAAA;AAAA,IACb,UAAA,EAAY,wCAAA;AAAA,IACZ,OAAA,EAAS,kBAAA;AAAA,IACT,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,WAAA,EAAa,0BAAA;AAAA,IACb,UAAA,EAAY,yCAAA;AAAA,IACZ,OAAA,EAAS,kBAAA;AAAA,IACT,WAAA,EACE;AAAA;AAEN;AAOO,SAAS,mCACd,WAAA,EAC4C;AAC5C,EAAA,OAAO,kCAAA,CAAmC,IAAA;AAAA,IACxC,CAAC,KAAA,KAAU,KAAA,CAAM,WAAA,KAAgB;AAAA,GACnC;AACF;AAEO,SAAS,iCAAiC,WAAA,EAA8B;AAC7E,EAAA,OAAO,OAAA,CAAQ,kCAAA,CAAmC,WAAW,CAAC,CAAA;AAChE;AAEO,IAAM,qCAAA,GAAwC;AAAA,EACnD,WAAA;AAAA,EACA,SAAA;AAAA,EACA,SAAA;AAAA,EACA,UAAA;AAAA,EACA,WAAA;AAAA,EACA,OAAA;AAAA,EACA,WAAA;AAAA,EACA,QAAA;AAAA,EACA,OAAA;AAAA,EACA,gBAAA;AAAA,EACA,WAAA;AAAA,EACA,eAAA;AAAA,EACA,sBAAA;AAAA,EACA,gBAAA;AAAA,EACA,YAAA;AAAA,EACA,eAAA;AAAA,EACA,sBAAA;AAAA,EACA,OAAA;AAAA,EACA,UAAA;AAAA,EACA,cAAA;AAAA,EACA,QAAA;AAAA,EACA,MAAA;AAAA,EACA;AACF;AAIO,IAAM,0BAAA,GAA6B;AAAA,EACxC;AAAA,IACE,EAAA,EAAI,4BAAA;AAAA,IACJ,WAAA,EAAa,uDAAA;AAAA,IACb,QAAA,EAAU,CAAC,aAAA,EAAe,aAAa,CAAA;AAAA,IACvC,qBAAA,EAAuB;AAAA,GACzB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,2BAAA;AAAA,IACJ,WAAA,EAAa,wDAAA;AAAA,IACb,QAAA,EAAU,CAAC,aAAA,EAAe,eAAA,EAAiB,aAAa,CAAA;AAAA,IACxD,qBAAA,EAAuB;AAAA,GACzB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,sBAAA;AAAA,IACJ,WAAA,EAAa,yDAAA;AAAA,IACb,QAAA,EAAU,CAAC,aAAA,EAAe,eAAA,EAAiB,aAAa,CAAA;AAAA,IACxD,qBAAA,EAAuB;AAAA,GACzB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,uBAAA;AAAA,IACJ,WAAA,EAAa,0DAAA;AAAA,IACb,QAAA,EAAU,CAAC,aAAA,EAAe,aAAa,CAAA;AAAA,IACvC,qBAAA,EAAuB;AAAA,GACzB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,6BAAA;AAAA,IACJ,WAAA,EAAa,oDAAA;AAAA,IACb,QAAA,EAAU,CAAC,aAAA,EAAe,eAAA,EAAiB,aAAa,CAAA;AAAA,IACxD,qBAAA,EAAuB;AAAA;AAE3B;AAKO,IAAM,6BAAA,GAAgC;AAAA,EAC3C;AAAA,IACE,EAAA,EAAI,iCAAA;AAAA,IACJ,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,0BAAA;AAAA,IACJ,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,2BAAA;AAAA,IACJ,WAAA,EACE;AAAA;AAEN;AAIO,IAAM,uCAAA,GAA0C;AAAA,EACrD;AAAA,IACE,EAAA,EAAI,iBAAA;AAAA,IACJ,OAAA,EAAS,2BAAA;AAAA,IACT,WAAA,EAAa;AAAA,GACf;AAAA,EACA;AAAA,IACE,EAAA,EAAI,kBAAA;AAAA,IACJ,OAAA,EAAS,4BAAA;AAAA,IACT,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,0BAAA;AAAA,IACJ,OAAA,EAAS,gDAAA;AAAA,IACT,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,wBAAA;AAAA,IACJ,OAAA,EAAS,4CAAA;AAAA,IACT,WAAA,EAAa;AAAA,GACf;AAAA,EACA;AAAA,IACE,EAAA,EAAI,yBAAA;AAAA,IACJ,OAAA,EAAS,+DAAA;AAAA,IACT,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,0BAAA;AAAA,IACJ,OAAA,EAAS,qDAAA;AAAA,IACT,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,+BAAA;AAAA,IACJ,OAAA,EAAS,mEAAA;AAAA,IACT,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,sBAAA;AAAA,IACJ,OAAA,EAAS,aAAA;AAAA,IACT,WAAA,EACE;AAAA;AAEN;AAoBA,SAAS,oBACP,UAAA,EACuC;AACvC,EAAA,MAAM,kBAAkB,sCAAA,CAAuC,IAAA;AAAA,IAC7D,CAAC,KAAA,KAAU,UAAA,KAAe,KAAA,CAAM;AAAA,GAClC;AACA,EAAA,IAAI,eAAA,EAAiB;AACnB,IAAA,OAAO,eAAA;AAAA,EACT;AAEA,EAAA,OAAO,4BAAA,CAA6B,IAAA;AAAA,IAClC,CAAC,KAAA,KACC,UAAA,KAAe,KAAA,CAAM,WAAA,IACrB,WAAW,UAAA,CAAW,CAAA,EAAG,KAAA,CAAM,WAAW,CAAA,CAAA,CAAG;AAAA,GACjD;AACF;AAEA,SAAS,wBACP,UAAA,EACgD;AAChD,EAAA,OAAO,uCAAA,CAAwC,IAAA;AAAA,IAAK,CAAC,UACnD,IAAI,MAAA,CAAO,MAAM,OAAA,EAAS,GAAG,CAAA,CAAE,IAAA,CAAK,UAAU;AAAA,GAChD;AACF;AAEO,SAAS,2BACd,UAAA,EACkC;AAClC,EAAA,MAAM,oBAAA,GAAuB,WAAW,IAAA,EAAK;AAC7C,EAAA,MAAM,OAAA,GAAU,wBAAwB,oBAAoB,CAAA;AAE5D,EAAA,IAAI,OAAA,EAAS;AACX,IAAA,OAAO;AAAA,MACL,UAAA,EAAY,oBAAA;AAAA,MACZ,QAAA,EAAU,WAAA;AAAA,MACV,OAAA;AAAA,MACA,QAAQ,OAAA,CAAQ;AAAA,KAClB;AAAA,EACF;AAEA,EAAA,MAAM,YAAA,GAAe,oBAAoB,oBAAoB,CAAA;AAC7D,EAAA,IAAI,YAAA,EAAc;AAChB,IAAA,OAAO;AAAA,MACL,UAAA,EAAY,oBAAA;AAAA,MACZ,QAAA,EAAU,QAAA;AAAA,MACV,YAAA;AAAA,MACA,QAAQ,YAAA,CAAa;AAAA,KACvB;AAAA,EACF;AAEA,EAAA,IAAI,oBAAA,CAAqB,UAAA,CAAW,UAAU,CAAA,EAAG;AAC/C,IAAA,OAAO;AAAA,MACL,UAAA,EAAY,oBAAA;AAAA,MACZ,QAAA,EAAU,WAAA;AAAA,MACV,MAAA,EACE;AAAA,KACJ;AAAA,EACF;AAEA,EAAA,IACE,qBAAqB,UAAA,CAAW,IAAI,KACpC,oBAAA,CAAqB,UAAA,CAAW,KAAK,CAAA,EACrC;AACA,IAAA,OAAO;AAAA,MACL,UAAA,EAAY,oBAAA;AAAA,MACZ,QAAA,EAAU,OAAA;AAAA,MACV,MAAA,EAAQ;AAAA,KACV;AAAA,EACF;AAEA,EAAA,OAAO;AAAA,IACL,UAAA,EAAY,oBAAA;AAAA,IACZ,QAAA,EAAU,UAAA;AAAA,IACV,MAAA,EAAQ;AAAA,GACV;AACF;AAEO,SAAS,2BAA2B,UAAA,EAA6B;AACtE,EAAA,OAAO,0BAAA,CAA2B,UAAU,CAAA,CAAE,QAAA,KAAa,QAAA;AAC7D;AAEO,SAAS,oCACd,UAAA,EACS;AACT,EAAA,OAAO,sCAAA,CAAuC,IAAA;AAAA,IAC5C,CAAC,KAAA,KAAU,UAAA,KAAe,KAAA,CAAM;AAAA,GAClC;AACF;AAEO,SAAS,4BAA4B,UAAA,EAA6B;AACvE,EAAA,OAAO,0BAAA,CAA2B,UAAU,CAAA,CAAE,QAAA,KAAa,QAAA;AAC7D;AAEO,SAAS,gCAAgC,UAAA,EAA0B;AACxE,EAAA,MAAM,cAAA,GAAiB,2BAA2B,UAAU,CAAA;AAC5D,EAAA,IAAI,cAAA,CAAe,aAAa,WAAA,EAAa;AAC3C,IAAA;AAAA,EACF;AAEA,EAAA,MAAM,IAAI,KAAA,CAAM,iCAAA,CAAkC,cAAc,CAAC,CAAA;AACnE;AAEO,SAAS,kCACd,cAAA,EACQ;AACR,EAAA,MAAM,YAAY,cAAA,CAAe,OAAA,GAC7B,KAAK,cAAA,CAAe,OAAA,CAAQ,EAAE,CAAA,CAAA,CAAA,GAC9B,EAAA;AACJ,EAAA,OAAO,sCAAsC,SAAS,CAAA,EAAA,EAAK,eAAe,UAAU,CAAA,EAAA,EAAK,eAAe,MAAM,CAAA,CAAA;AAChH","file":"tenant-client.contract.js","sourcesContent":["/**\n * Tenant client contract\n *\n * Defines the generic boundary for any customer-owned product that consumes\n * Lucern through the SDK, hosted API, or MCP server. Tenant clients may run\n * their own UI, auth provider, deployment, and data plane, but reasoning\n * operations must enter through the published packages below.\n */\n\nimport type {\n SessionAuthMode,\n SessionPrincipalType,\n} from \"./auth.contract\";\n\nexport const TENANT_CLIENT_CONTRACT_VERSION = \"2026-04-27\" as const;\n\nexport const TENANT_CLIENT_AUTH_MODES = [\n \"interactive_user\",\n \"service_principal\",\n \"tenant_api_key\",\n \"session_token\",\n] as const satisfies readonly SessionAuthMode[];\nexport type TenantClientAuthMode = (typeof TENANT_CLIENT_AUTH_MODES)[number];\n\nexport const TENANT_CLIENT_PRINCIPAL_TYPES = [\n \"human\",\n \"service\",\n \"agent\",\n] as const satisfies readonly SessionPrincipalType[];\nexport type TenantClientPrincipalType =\n (typeof TENANT_CLIENT_PRINCIPAL_TYPES)[number];\n\nexport const TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS = [\n \"tenantId\",\n \"workspaceId\",\n \"principalId\",\n \"authMode\",\n \"scopes\",\n] as const;\nexport type TenantClientRequiredContextField =\n (typeof TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS)[number];\n\nexport const TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS = [\n \"principalType\",\n \"roles\",\n \"sessionId\",\n \"delegationChain\",\n] as const;\nexport type TenantClientOptionalContextField =\n (typeof TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS)[number];\n\nexport const TENANT_CLIENT_INSTALL_TOKEN_ENV = \"INSTALL_LUCERN_NPM\" as const;\nexport const TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH =\n \"tenants/shared\" as const;\nexport const TENANT_CLIENT_FORBIDDEN_INSTALL_TOKEN_INFISICAL_PATHS = [\n \"/platform/publish\",\n] as const;\nexport const TENANT_CLIENT_FORBIDDEN_SECRET_ENV = [\"NPM_TOKEN\"] as const;\nexport type TenantClientForbiddenInstallTokenInfisicalPath =\n (typeof TENANT_CLIENT_FORBIDDEN_INSTALL_TOKEN_INFISICAL_PATHS)[number];\nexport type TenantClientForbiddenSecretEnv =\n (typeof TENANT_CLIENT_FORBIDDEN_SECRET_ENV)[number];\n\nexport const TENANT_CLIENT_INSTALLABLE_PACKAGES = [\n {\n packageName: \"@lucern/access-control\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/agent\",\n role: \"platform_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/auth\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/cli\",\n role: \"developer_tool\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/client-core\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/confidence\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/config\",\n role: \"configuration\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/contracts\",\n role: \"contract_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/control-plane\",\n role: \"platform_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/developer-kit\",\n role: \"developer_tool\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/events\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/graph-primitives\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/identity\",\n role: \"component_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/mcp\",\n role: \"runtime_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/pack-host\",\n role: \"platform_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/pack-installer\",\n role: \"developer_tool\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/proof-compiler\",\n role: \"developer_tool\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/react\",\n role: \"runtime_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/reasoning-kernel\",\n role: \"component_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/sdk\",\n role: \"runtime_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/server-core\",\n role: \"platform_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/testing\",\n role: \"test_support\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/types\",\n role: \"contract_entrypoint\",\n directTenantImport: true,\n },\n] as const;\nexport type TenantClientInstallablePackage =\n (typeof TENANT_CLIENT_INSTALLABLE_PACKAGES)[number];\nexport type TenantClientPackageRole = TenantClientInstallablePackage[\"role\"];\nexport type TenantClientInstallablePackageName =\n TenantClientInstallablePackage[\"packageName\"];\n\n/**\n * Direct imports tenant-owned product code may use. This is intentionally\n * smaller than TENANT_CLIENT_INSTALLABLE_PACKAGES: several publishable packages\n * are installed as SDK dependencies, tooling, or platform runtimes but should\n * not become the application integration surface.\n */\nexport const TENANT_CLIENT_PUBLIC_IMPORTS = [\n {\n packageName: \"@lucern/sdk\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description: \"TypeScript SDK runtime and generated operation namespaces.\",\n },\n {\n packageName: \"@lucern/react\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description: \"React bindings for tenant-owned UI applications.\",\n },\n {\n packageName: \"@lucern/mcp\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description: \"MCP client/server entry points and hosted route helpers.\",\n },\n {\n packageName: \"@lucern/contracts\",\n surface: \"contract\",\n subpaths: \"published_exports\",\n description: \"Published type and manifest contracts.\",\n },\n {\n packageName: \"@lucern/types\",\n surface: \"contract\",\n subpaths: \"published_exports\",\n description: \"Published type-only helpers for tenant integration code.\",\n },\n] as const;\nexport type TenantClientPublicImport =\n (typeof TENANT_CLIENT_PUBLIC_IMPORTS)[number];\nexport type TenantClientPublicPackage =\n TenantClientPublicImport[\"packageName\"];\nexport type TenantClientPublicSurface = TenantClientPublicImport[\"surface\"];\n\nexport const TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS = [\n {\n packageName: \"@lucern/identity\",\n importPath: \"@lucern/identity/convex.config\",\n surface: \"component_config\",\n description:\n \"Convex component binding config for tenant deployments that install Lucern identity.\",\n },\n {\n packageName: \"@lucern/reasoning-kernel\",\n importPath: \"@lucern/reasoning-kernel/convex.config\",\n surface: \"component_config\",\n description:\n \"Convex component binding config for tenant deployments that install the Lucern reasoning kernel.\",\n },\n {\n packageName: \"@lucern/reasoning-kernel\",\n importPath: \"@lucern/reasoning-kernel/runtime.config\",\n surface: \"component_config\",\n description:\n \"Runtime config alias for tenant deployments that install the Lucern reasoning kernel.\",\n },\n] as const;\nexport type TenantClientComponentConfigImport =\n (typeof TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS)[number];\nexport type TenantClientAllowedImport =\n | TenantClientPublicImport\n | TenantClientComponentConfigImport;\n\nexport function findTenantClientInstallablePackage(\n packageName: string\n): TenantClientInstallablePackage | undefined {\n return TENANT_CLIENT_INSTALLABLE_PACKAGES.find(\n (entry) => entry.packageName === packageName\n );\n}\n\nexport function isTenantClientInstallablePackage(packageName: string): boolean {\n return Boolean(findTenantClientInstallablePackage(packageName));\n}\n\nexport const TENANT_CLIENT_REQUIRED_SDK_NAMESPACES = [\n \"bootstrap\",\n \"context\",\n \"beliefs\",\n \"evidence\",\n \"questions\",\n \"graph\",\n \"worktrees\",\n \"topics\",\n \"edges\",\n \"contradictions\",\n \"contracts\",\n \"graphAnalysis\",\n \"graphRecommendations\",\n \"orgGraphSearch\",\n \"embeddings\",\n \"ontologyLinks\",\n \"graphStateClassifier\",\n \"tools\",\n \"identity\",\n \"modelRuntime\",\n \"events\",\n \"jobs\",\n \"telemetry\",\n] as const;\nexport type TenantClientRequiredSdkNamespace =\n (typeof TENANT_CLIENT_REQUIRED_SDK_NAMESPACES)[number];\n\nexport const TENANT_CLIENT_CAPABILITIES = [\n {\n id: \"identity.bootstrap_session\",\n description: \"Start a scoped Lucern session for a tenant principal.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.context.compile\",\n description: \"Compile tenant and workspace scoped reasoning context.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/react\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.graph.read\",\n description: \"Read beliefs, evidence, questions, topics, and lineage.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/react\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.graph.write\",\n description: \"Create and update graph objects through authorized APIs.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"workflow.worktree_lifecycle\",\n description: \"Create, review, merge, and close scoped worktrees.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/react\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n] as const;\nexport type TenantClientCapability =\n (typeof TENANT_CLIENT_CAPABILITIES)[number];\nexport type TenantClientCapabilityId = TenantClientCapability[\"id\"];\n\nexport const TENANT_CLIENT_ISOLATION_RULES = [\n {\n id: \"tenant_workspace_scope_required\",\n description:\n \"Runtime operations must resolve both tenantId and workspaceId before reaching Lucern reasoning state.\",\n },\n {\n id: \"principal_audit_required\",\n description:\n \"Runtime operations must carry principalId, authMode, and scopes for audit attribution.\",\n },\n {\n id: \"no_private_lucern_imports\",\n description:\n \"Tenant code must not import Lucern source, Convex internals, generated adapters, or unpublished package internals.\",\n },\n] as const;\nexport type TenantClientIsolationRule =\n (typeof TENANT_CLIENT_ISOLATION_RULES)[number];\n\nexport const TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS = [\n {\n id: \"deep_src_import\",\n pattern: \"^@lucern/[^/]+/src(?:/|$)\",\n description: \"Published packages must not be bypassed through src paths.\",\n },\n {\n id: \"deep_dist_import\",\n pattern: \"^@lucern/[^/]+/dist(?:/|$)\",\n description:\n \"Published package exports must be used instead of dist file paths.\",\n },\n {\n id: \"generated_adapter_import\",\n pattern: \"^@lucern/[^/]+/(?:adapters/)?_generated(?:/|$)\",\n description:\n \"Generated Lucern adapters are internal deployment artifacts.\",\n },\n {\n id: \"private_runtime_import\",\n pattern: \"^@lucern/[^/]+/(?:internal|private)(?:/|$)\",\n description: \"Internal and private package subpaths are not public SDK API.\",\n },\n {\n id: \"workspace_source_import\",\n pattern: \"^(?:packages|modules|services|lucern|apps)/(?:.+/)?src(?:/|$)\",\n description:\n \"Tenant clients must not import source files from the Lucern monorepo.\",\n },\n {\n id: \"root_alias_lucern_import\",\n pattern: \"^@/(?:lucern|packages|modules|services|apps)(?:/|$)\",\n description:\n \"Tenant clients must not depend on Lucern repo-local path aliases.\",\n },\n {\n id: \"relative_lucern_source_import\",\n pattern: \"^\\\\.\\\\.?/(?:.+/)?(?:packages|modules|services|lucern|apps)(?:/|$)\",\n description:\n \"Tenant clients must not reach back into Lucern source through relative paths.\",\n },\n {\n id: \"monorepo_path_import\",\n pattern: \"lucern-repo\",\n description:\n \"Absolute imports that name the Lucern repository are not portable tenant code.\",\n },\n] as const;\nexport type TenantClientForbiddenImportPattern =\n (typeof TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS)[number];\nexport type TenantClientForbiddenImportPatternId =\n TenantClientForbiddenImportPattern[\"id\"];\n\nexport type TenantClientImportDecision =\n | \"public\"\n | \"forbidden\"\n | \"local\"\n | \"external\";\n\nexport type TenantClientImportClassification = {\n importPath: string;\n decision: TenantClientImportDecision;\n publicImport?: TenantClientAllowedImport;\n pattern?: TenantClientForbiddenImportPattern;\n reason: string;\n};\n\nfunction matchesPublicImport(\n importPath: string\n): TenantClientAllowedImport | undefined {\n const componentConfig = TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS.find(\n (entry) => importPath === entry.importPath\n );\n if (componentConfig) {\n return componentConfig;\n }\n\n return TENANT_CLIENT_PUBLIC_IMPORTS.find(\n (entry) =>\n importPath === entry.packageName ||\n importPath.startsWith(`${entry.packageName}/`)\n );\n}\n\nfunction matchesForbiddenPattern(\n importPath: string\n): TenantClientForbiddenImportPattern | undefined {\n return TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS.find((entry) =>\n new RegExp(entry.pattern, \"u\").test(importPath)\n );\n}\n\nexport function classifyTenantClientImport(\n importPath: string\n): TenantClientImportClassification {\n const normalizedImportPath = importPath.trim();\n const pattern = matchesForbiddenPattern(normalizedImportPath);\n\n if (pattern) {\n return {\n importPath: normalizedImportPath,\n decision: \"forbidden\",\n pattern,\n reason: pattern.description,\n };\n }\n\n const publicImport = matchesPublicImport(normalizedImportPath);\n if (publicImport) {\n return {\n importPath: normalizedImportPath,\n decision: \"public\",\n publicImport,\n reason: publicImport.description,\n };\n }\n\n if (normalizedImportPath.startsWith(\"@lucern/\")) {\n return {\n importPath: normalizedImportPath,\n decision: \"forbidden\",\n reason:\n \"This @lucern package is not part of the tenant client public surface.\",\n };\n }\n\n if (\n normalizedImportPath.startsWith(\"./\") ||\n normalizedImportPath.startsWith(\"../\")\n ) {\n return {\n importPath: normalizedImportPath,\n decision: \"local\",\n reason: \"Local tenant-owned import.\",\n };\n }\n\n return {\n importPath: normalizedImportPath,\n decision: \"external\",\n reason: \"External dependency outside the Lucern package namespace.\",\n };\n}\n\nexport function isTenantClientPublicImport(importPath: string): boolean {\n return classifyTenantClientImport(importPath).decision === \"public\";\n}\n\nexport function isTenantClientComponentConfigImport(\n importPath: string\n): boolean {\n return TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS.some(\n (entry) => importPath === entry.importPath\n );\n}\n\nexport function isTenantClientAllowedImport(importPath: string): boolean {\n return classifyTenantClientImport(importPath).decision === \"public\";\n}\n\nexport function assertTenantClientImportAllowed(importPath: string): void {\n const classification = classifyTenantClientImport(importPath);\n if (classification.decision !== \"forbidden\") {\n return;\n }\n\n throw new Error(formatTenantClientImportViolation(classification));\n}\n\nexport function formatTenantClientImportViolation(\n classification: TenantClientImportClassification\n): string {\n const patternId = classification.pattern\n ? ` [${classification.pattern.id}]`\n : \"\";\n return `Tenant client import is not allowed${patternId}: ${classification.importPath}. ${classification.reason}`;\n}\n"]}