@lucern/contracts 0.3.0-alpha.17 → 0.3.0-alpha.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +0 -10
- package/dist/api-enums.contract.d.ts +3 -5
- package/dist/api-enums.contract.js +12 -14
- package/dist/api-enums.contract.js.map +1 -1
- package/dist/auth-context.contract.js +2 -14
- package/dist/auth-context.contract.js.map +1 -1
- package/dist/auth-session.contract.js +2 -14
- package/dist/auth-session.contract.js.map +1 -1
- package/dist/auth.contract.d.ts +1 -1
- package/dist/auth.contract.js +2 -14
- package/dist/auth.contract.js.map +1 -1
- package/dist/component-boundary.contract.d.ts +1 -1
- package/dist/component-boundary.contract.js +26 -46
- package/dist/component-boundary.contract.js.map +1 -1
- package/dist/context-pack.contract.d.ts +3 -5
- package/dist/context-pack.contract.js.map +1 -1
- package/dist/{defineTable-t1wr5wgn.d.ts → defineTable-CBQ03FXl.d.ts} +1 -1
- package/dist/{dsl-DVPthQGY.d.ts → dsl-BgpoVOVQ.d.ts} +2 -2
- package/dist/dsl.d.ts +2 -2
- package/dist/dsl.js +4 -1
- package/dist/dsl.js.map +1 -1
- package/dist/function-registry/beliefs.d.ts +51 -64
- package/dist/function-registry/beliefs.js +57 -817
- package/dist/function-registry/beliefs.js.map +1 -1
- package/dist/function-registry/coding.d.ts +6 -15
- package/dist/function-registry/coding.js +43 -866
- package/dist/function-registry/coding.js.map +1 -1
- package/dist/function-registry/context.d.ts +16 -22
- package/dist/function-registry/context.js +46 -805
- package/dist/function-registry/context.js.map +1 -1
- package/dist/function-registry/contracts.d.ts +3 -9
- package/dist/function-registry/contracts.js +39 -770
- package/dist/function-registry/contracts.js.map +1 -1
- package/dist/function-registry/coordination.d.ts +9 -21
- package/dist/function-registry/coordination.js +39 -770
- package/dist/function-registry/coordination.js.map +1 -1
- package/dist/function-registry/edges.d.ts +2 -167
- package/dist/function-registry/edges.js +71 -978
- package/dist/function-registry/edges.js.map +1 -1
- package/dist/function-registry/evidence.d.ts +41 -52
- package/dist/function-registry/evidence.js +62 -826
- package/dist/function-registry/evidence.js.map +1 -1
- package/dist/function-registry/graph.d.ts +66 -162
- package/dist/function-registry/graph.js +46 -886
- package/dist/function-registry/graph.js.map +1 -1
- package/dist/function-registry/helpers.d.ts +4 -7
- package/dist/function-registry/helpers.js +40 -771
- package/dist/function-registry/helpers.js.map +1 -1
- package/dist/function-registry/identity.d.ts +16 -62
- package/dist/function-registry/identity.js +45 -793
- package/dist/function-registry/identity.js.map +1 -1
- package/dist/function-registry/index.d.ts +3 -5
- package/dist/function-registry/index.js +43 -777
- package/dist/function-registry/index.js.map +1 -1
- package/dist/function-registry/judgments.d.ts +11 -16
- package/dist/function-registry/judgments.js +42 -782
- package/dist/function-registry/judgments.js.map +1 -1
- package/dist/function-registry/legacy.d.ts +1 -5
- package/dist/function-registry/legacy.js +39 -770
- package/dist/function-registry/legacy.js.map +1 -1
- package/dist/function-registry/lenses.d.ts +21 -28
- package/dist/function-registry/lenses.js +42 -793
- package/dist/function-registry/lenses.js.map +1 -1
- package/dist/function-registry/manifest.d.ts +6 -6
- package/dist/function-registry/manifest.js +2 -19
- package/dist/function-registry/manifest.js.map +1 -1
- package/dist/function-registry/ontologies.d.ts +56 -70
- package/dist/function-registry/ontologies.js +45 -788
- package/dist/function-registry/ontologies.js.map +1 -1
- package/dist/function-registry/pipeline.d.ts +16 -22
- package/dist/function-registry/pipeline.js +42 -779
- package/dist/function-registry/pipeline.js.map +1 -1
- package/dist/function-registry/questions.d.ts +61 -76
- package/dist/function-registry/questions.js +52 -869
- package/dist/function-registry/questions.js.map +1 -1
- package/dist/function-registry/tasks.d.ts +21 -28
- package/dist/function-registry/tasks.js +48 -845
- package/dist/function-registry/tasks.js.map +1 -1
- package/dist/function-registry/topics.d.ts +26 -114
- package/dist/function-registry/topics.js +43 -852
- package/dist/function-registry/topics.js.map +1 -1
- package/dist/function-registry/types.d.ts +3 -7
- package/dist/function-registry/worktrees.d.ts +51 -104
- package/dist/function-registry/worktrees.js +51 -925
- package/dist/function-registry/worktrees.js.map +1 -1
- package/dist/gateway.contract.d.ts +0 -5
- package/dist/gateway.contract.js.map +1 -1
- package/dist/generated/convexSchemas.d.ts +3 -3
- package/dist/generated/convexSchemas.js +18 -38
- package/dist/generated/convexSchemas.js.map +1 -1
- package/dist/generated/schema-manifest.json +114 -1221
- package/dist/generated/tableOwnership.d.ts +28 -48
- package/dist/generated/tableOwnership.js +26 -66
- package/dist/generated/tableOwnership.js.map +1 -1
- package/dist/generated/tier-expectations.json +9 -64
- package/dist/graph-types/index.d.ts +1 -5
- package/dist/graph-types/index.js +4 -15
- package/dist/graph-types/index.js.map +1 -1
- package/dist/index-CV-0_VWJ.d.ts +25 -0
- package/dist/index.d.ts +669 -28
- package/dist/index.js +400 -34707
- package/dist/index.js.map +1 -1
- package/dist/lens-filter.contract.js +3 -4
- package/dist/lens-filter.contract.js.map +1 -1
- package/dist/lens-workflow.contract.js +3 -4
- package/dist/lens-workflow.contract.js.map +1 -1
- package/dist/mcp-gateway-boundary.contract.d.ts +3 -23
- package/dist/mcp-gateway-boundary.contract.js +0 -2
- package/dist/mcp-gateway-boundary.contract.js.map +1 -1
- package/dist/schema-helpers/enumValidation.js +5 -2
- package/dist/schema-helpers/enumValidation.js.map +1 -1
- package/dist/schema-helpers/spine/nodes/decision.js +1 -2
- package/dist/schema-helpers/spine/nodes/decision.js.map +1 -1
- package/dist/schema-helpers/spine/tables/epistemicNodes.js +27 -27
- package/dist/schema-helpers/spine/tables/epistemicNodes.js.map +1 -1
- package/dist/schemas/component-table-manifest.d.ts +6 -6
- package/dist/schemas/component-table-manifest.js +2 -2
- package/dist/schemas/component-table-manifest.js.map +1 -1
- package/dist/schemas/enums.d.ts +2 -5
- package/dist/schemas/enums.js +2 -5
- package/dist/schemas/enums.js.map +1 -1
- package/dist/schemas/index.d.ts +3 -3
- package/dist/schemas/index.js +139 -1130
- package/dist/schemas/index.js.map +1 -1
- package/dist/schemas/manifest.d.ts +948 -2948
- package/dist/schemas/manifest.js +137 -1128
- package/dist/schemas/manifest.js.map +1 -1
- package/dist/schemas/sl-opinion.d.ts +4 -4
- package/dist/schemas/tables/{controlPlane → identity}/agent.d.ts +1 -1
- package/dist/schemas/tables/{controlPlane → identity}/agent.js +3 -3
- package/dist/schemas/tables/identity/agent.js.map +1 -0
- package/dist/schemas/tables/{controlPlane → identity}/epistemic.d.ts +1 -1
- package/dist/schemas/tables/{controlPlane → identity}/epistemic.js +3 -3
- package/dist/schemas/tables/identity/epistemic.js.map +1 -0
- package/dist/schemas/tables/{controlPlane → identity}/model.d.ts +1 -1
- package/dist/schemas/tables/{controlPlane → identity}/model.js +6 -6
- package/dist/schemas/tables/identity/model.js.map +1 -0
- package/dist/schemas/tables/{controlPlane → identity}/platform.d.ts +11 -11
- package/dist/schemas/tables/{controlPlane → identity}/platform.js +18 -18
- package/dist/schemas/tables/identity/platform.js.map +1 -0
- package/dist/schemas/tables/{controlPlane → identity}/project.d.ts +1 -1
- package/dist/schemas/tables/{controlPlane → identity}/project.js +3 -3
- package/dist/schemas/tables/identity/project.js.map +1 -0
- package/dist/schemas/tables/{controlPlane → identity}/user.d.ts +1 -1
- package/dist/schemas/tables/{controlPlane → identity}/user.js +3 -3
- package/dist/schemas/tables/identity/user.js.map +1 -0
- package/dist/schemas/tables/kernel/config.d.ts +1 -1
- package/dist/schemas/tables/kernel/config.js.map +1 -1
- package/dist/schemas/tables/kernel/coordination.d.ts +1 -1
- package/dist/schemas/tables/kernel/coordination.js.map +1 -1
- package/dist/schemas/tables/kernel/decision.d.ts +1 -1
- package/dist/schemas/tables/kernel/decision.js.map +1 -1
- package/dist/schemas/tables/kernel/embedding.d.ts +1 -1
- package/dist/schemas/tables/kernel/embedding.js.map +1 -1
- package/dist/schemas/tables/kernel/epistemic.d.ts +7 -7
- package/dist/schemas/tables/kernel/epistemic.js.map +1 -1
- package/dist/schemas/tables/kernel/idempotency.d.ts +1 -1
- package/dist/schemas/tables/kernel/idempotency.js.map +1 -1
- package/dist/schemas/tables/kernel/infra.d.ts +5 -5
- package/dist/schemas/tables/kernel/infra.js.map +1 -1
- package/dist/schemas/tables/kernel/intelligence.d.ts +11 -11
- package/dist/schemas/tables/kernel/intelligence.js.map +1 -1
- package/dist/schemas/tables/kernel/lens.d.ts +5 -5
- package/dist/schemas/tables/kernel/lens.js.map +1 -1
- package/dist/schemas/tables/kernel/ontology.d.ts +1 -1
- package/dist/schemas/tables/kernel/ontology.js.map +1 -1
- package/dist/schemas/tables/kernel/platform.d.ts +13 -13
- package/dist/schemas/tables/kernel/platform.js.map +1 -1
- package/dist/schemas/tables/kernel/spine.d.ts +4 -5
- package/dist/schemas/tables/kernel/spine.js +2 -6
- package/dist/schemas/tables/kernel/spine.js.map +1 -1
- package/dist/schemas/tables/kernel/task.d.ts +43 -43
- package/dist/schemas/tables/kernel/task.js.map +1 -1
- package/dist/schemas/tables/kernel/topic.d.ts +1 -1
- package/dist/schemas/tables/kernel/topic.js +1 -5
- package/dist/schemas/tables/kernel/topic.js.map +1 -1
- package/dist/schemas/tables/kernel/workflow.d.ts +1 -1
- package/dist/schemas/tables/kernel/workflow.js.map +1 -1
- package/dist/schemas/tables/kernel/worktree.d.ts +55 -55
- package/dist/schemas/tables/kernel/worktree.js.map +1 -1
- package/dist/schemas/tables/mc/identity.d.ts +4 -21
- package/dist/schemas/tables/mc/identity.js +1 -32
- package/dist/schemas/tables/mc/identity.js.map +1 -1
- package/dist/schemas/tables/mc/methodology.d.ts +1 -1
- package/dist/schemas/tables/mc/methodology.js.map +1 -1
- package/dist/schemas/tables/mc/pack.d.ts +21 -21
- package/dist/schemas/tables/mc/pack.js.map +1 -1
- package/dist/schemas/tables/mc/policy.d.ts +2 -2
- package/dist/schemas/tables/mc/policy.js +1 -1
- package/dist/schemas/tables/mc/policy.js.map +1 -1
- package/dist/schemas/tables/mc/registry.d.ts +5 -5
- package/dist/schemas/tables/mc/registry.js.map +1 -1
- package/dist/schemas/tables/mc/runtime.d.ts +3 -109
- package/dist/schemas/tables/mc/runtime.js +104 -330
- package/dist/schemas/tables/mc/runtime.js.map +1 -1
- package/dist/schemas/tables/mc/tenant.d.ts +2 -4
- package/dist/schemas/tables/mc/tenant.js +1 -3
- package/dist/schemas/tables/mc/tenant.js.map +1 -1
- package/dist/schemas/tables/mc/workspace.d.ts +5 -28
- package/dist/schemas/tables/mc/workspace.js +2 -36
- package/dist/schemas/tables/mc/workspace.js.map +1 -1
- package/dist/sdk-methods.contract.d.ts +2 -2
- package/dist/{sdk-tools.contract-CKmSsrZ2.d.ts → sdk-tools.contract-S4ia0TTo.d.ts} +2 -2
- package/dist/sdk-tools.contract.d.ts +2 -2
- package/dist/sdk-tools.contract.js +27 -719
- package/dist/sdk-tools.contract.js.map +1 -1
- package/dist/tenant-client.contract.d.ts +14 -102
- package/dist/tenant-client.contract.js +12 -113
- package/dist/tenant-client.contract.js.map +1 -1
- package/dist/{tool-contracts-C_xvM9q2.d.ts → tool-contracts-C92-9ueT.d.ts} +2 -38
- package/dist/tool-contracts.d.ts +1 -1
- package/dist/tool-contracts.js +28 -720
- package/dist/tool-contracts.js.map +1 -1
- package/package.json +1 -30
- package/dist/component-host-boundary.contract.d.ts +0 -46
- package/dist/component-host-boundary.contract.js +0 -60
- package/dist/component-host-boundary.contract.js.map +0 -1
- package/dist/edge-policy-manifest-Dw5IhT1L.d.ts +0 -133
- package/dist/function-registry/nodes.d.ts +0 -412
- package/dist/function-registry/nodes.js +0 -5354
- package/dist/function-registry/nodes.js.map +0 -1
- package/dist/function-registry-input-audit.d.ts +0 -13
- package/dist/function-registry-input-audit.js +0 -166
- package/dist/function-registry-input-audit.js.map +0 -1
- package/dist/generated/infisicalRuntimeEnv.d.ts +0 -70
- package/dist/generated/infisicalRuntimeEnv.js +0 -27345
- package/dist/generated/infisicalRuntimeEnv.js.map +0 -1
- package/dist/generated/lucernGatewayEnv.d.ts +0 -17
- package/dist/generated/lucernGatewayEnv.js +0 -38
- package/dist/generated/lucernGatewayEnv.js.map +0 -1
- package/dist/generated/lucernWebPublicEnv.d.ts +0 -26
- package/dist/generated/lucernWebPublicEnv.js +0 -32
- package/dist/generated/lucernWebPublicEnv.js.map +0 -1
- package/dist/generated/lucernWebServerEnv.d.ts +0 -33
- package/dist/generated/lucernWebServerEnv.js +0 -51
- package/dist/generated/lucernWebServerEnv.js.map +0 -1
- package/dist/graph-intelligence.contract.d.ts +0 -506
- package/dist/graph-intelligence.contract.js +0 -595
- package/dist/graph-intelligence.contract.js.map +0 -1
- package/dist/index-CM1Pl_vI.d.ts +0 -28
- package/dist/infisical-runtime.contract.d.ts +0 -1889
- package/dist/infisical-runtime.contract.js +0 -3235
- package/dist/infisical-runtime.contract.js.map +0 -1
- package/dist/manifests/edge-policy-manifest.d.ts +0 -2
- package/dist/manifests/edge-policy-manifest.data.d.ts +0 -13
- package/dist/manifests/edge-policy-manifest.data.js +0 -26
- package/dist/manifests/edge-policy-manifest.data.js.map +0 -1
- package/dist/manifests/edge-policy-manifest.js +0 -92
- package/dist/manifests/edge-policy-manifest.js.map +0 -1
- package/dist/manifests/infisical-runtime-manifest.d.ts +0 -1792
- package/dist/manifests/infisical-runtime-manifest.js +0 -3090
- package/dist/manifests/infisical-runtime-manifest.js.map +0 -1
- package/dist/manifests/invariant-manifest.d.ts +0 -65
- package/dist/manifests/invariant-manifest.js +0 -18
- package/dist/manifests/invariant-manifest.js.map +0 -1
- package/dist/manifests/invariants/ast-utils.d.ts +0 -14
- package/dist/manifests/invariants/ast-utils.js +0 -54
- package/dist/manifests/invariants/ast-utils.js.map +0 -1
- package/dist/manifests/invariants/index.d.ts +0 -15
- package/dist/manifests/invariants/index.js +0 -183
- package/dist/manifests/invariants/index.js.map +0 -1
- package/dist/manifests/invariants/inv-1-beliefs-append-only.d.ts +0 -12
- package/dist/manifests/invariants/inv-1-beliefs-append-only.js +0 -94
- package/dist/manifests/invariants/inv-1-beliefs-append-only.js.map +0 -1
- package/dist/manifests/invariants/inv-14-no-silent-transitions.d.ts +0 -12
- package/dist/manifests/invariants/inv-14-no-silent-transitions.js +0 -99
- package/dist/manifests/invariants/inv-14-no-silent-transitions.js.map +0 -1
- package/dist/manifests/invariants/manifest-1-projections-declare-audit.d.ts +0 -12
- package/dist/manifests/invariants/manifest-1-projections-declare-audit.js +0 -42
- package/dist/manifests/invariants/manifest-1-projections-declare-audit.js.map +0 -1
- package/dist/manifests/tenant-client-manifest.d.ts +0 -327
- package/dist/manifests/tenant-client-manifest.js +0 -449
- package/dist/manifests/tenant-client-manifest.js.map +0 -1
- package/dist/permit-principal-projection.contract.d.ts +0 -74
- package/dist/permit-principal-projection.contract.js +0 -167
- package/dist/permit-principal-projection.contract.js.map +0 -1
- package/dist/projections/check-convex-args-shape.d.ts +0 -3
- package/dist/projections/check-convex-args-shape.js +0 -403
- package/dist/projections/check-convex-args-shape.js.map +0 -1
- package/dist/projections/create-evidence.projection.d.ts +0 -176
- package/dist/projections/create-evidence.projection.js +0 -130
- package/dist/projections/create-evidence.projection.js.map +0 -1
- package/dist/projections/index.d.ts +0 -102
- package/dist/projections/index.js +0 -352
- package/dist/projections/index.js.map +0 -1
- package/dist/projections/list-beliefs.projection.d.ts +0 -36
- package/dist/projections/list-beliefs.projection.js +0 -54
- package/dist/projections/list-beliefs.projection.js.map +0 -1
- package/dist/projections/list-tasks.projection.d.ts +0 -44
- package/dist/projections/list-tasks.projection.js +0 -57
- package/dist/projections/list-tasks.projection.js.map +0 -1
- package/dist/projections/modulate-confidence.projection.d.ts +0 -219
- package/dist/projections/modulate-confidence.projection.js +0 -148
- package/dist/projections/modulate-confidence.projection.js.map +0 -1
- package/dist/projections/projection-dsl.d.ts +0 -11
- package/dist/projections/projection-dsl.js +0 -8
- package/dist/projections/projection-dsl.js.map +0 -1
- package/dist/proof-attestation.json +0 -45
- package/dist/schemas/tables/controlPlane/accessControl.d.ts +0 -260
- package/dist/schemas/tables/controlPlane/accessControl.js +0 -658
- package/dist/schemas/tables/controlPlane/accessControl.js.map +0 -1
- package/dist/schemas/tables/controlPlane/agent.js.map +0 -1
- package/dist/schemas/tables/controlPlane/epistemic.js.map +0 -1
- package/dist/schemas/tables/controlPlane/model.js.map +0 -1
- package/dist/schemas/tables/controlPlane/platform.js.map +0 -1
- package/dist/schemas/tables/controlPlane/project.js.map +0 -1
- package/dist/schemas/tables/controlPlane/user.js.map +0 -1
- package/dist/schemas/tables/kernel/events.d.ts +0 -21
- package/dist/schemas/tables/kernel/events.js +0 -43
- package/dist/schemas/tables/kernel/events.js.map +0 -1
- package/dist/tenant-bootstrap-seed.contract.d.ts +0 -1289
- package/dist/tenant-bootstrap-seed.contract.js +0 -764
- package/dist/tenant-bootstrap-seed.contract.js.map +0 -1
- package/dist/tenant-bootstrap-seed.defaults.d.ts +0 -16
- package/dist/tenant-bootstrap-seed.defaults.js +0 -321
- package/dist/tenant-bootstrap-seed.defaults.js.map +0 -1
|
@@ -9,11 +9,11 @@
|
|
|
9
9
|
declare const TENANT_CLIENT_CONTRACT_VERSION: "2026-04-27";
|
|
10
10
|
declare const TENANT_CLIENT_AUTH_MODES: readonly ["interactive_user", "service_principal", "tenant_api_key", "session_token"];
|
|
11
11
|
type TenantClientAuthMode = (typeof TENANT_CLIENT_AUTH_MODES)[number];
|
|
12
|
-
declare const TENANT_CLIENT_PRINCIPAL_TYPES: readonly ["human", "service", "agent"
|
|
12
|
+
declare const TENANT_CLIENT_PRINCIPAL_TYPES: readonly ["human", "service", "agent"];
|
|
13
13
|
type TenantClientPrincipalType = (typeof TENANT_CLIENT_PRINCIPAL_TYPES)[number];
|
|
14
14
|
declare const TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS: readonly ["tenantId", "workspaceId", "principalId", "authMode", "scopes"];
|
|
15
15
|
type TenantClientRequiredContextField = (typeof TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS)[number];
|
|
16
|
-
declare const TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS: readonly ["
|
|
16
|
+
declare const TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS: readonly ["principalType", "roles", "sessionId", "delegationChain"];
|
|
17
17
|
type TenantClientOptionalContextField = (typeof TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS)[number];
|
|
18
18
|
declare const TENANT_CLIENT_INSTALL_TOKEN_ENV: "INSTALL_LUCERN_NPM";
|
|
19
19
|
declare const TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH: "tenants/shared";
|
|
@@ -23,8 +23,8 @@ type TenantClientForbiddenInstallTokenInfisicalPath = (typeof TENANT_CLIENT_FORB
|
|
|
23
23
|
type TenantClientForbiddenSecretEnv = (typeof TENANT_CLIENT_FORBIDDEN_SECRET_ENV)[number];
|
|
24
24
|
declare const TENANT_CLIENT_INSTALLABLE_PACKAGES: readonly [{
|
|
25
25
|
readonly packageName: "@lucern/access-control";
|
|
26
|
-
readonly role: "
|
|
27
|
-
readonly directTenantImport:
|
|
26
|
+
readonly role: "sdk_dependency";
|
|
27
|
+
readonly directTenantImport: false;
|
|
28
28
|
}, {
|
|
29
29
|
readonly packageName: "@lucern/agent";
|
|
30
30
|
readonly role: "platform_runtime";
|
|
@@ -55,7 +55,7 @@ declare const TENANT_CLIENT_INSTALLABLE_PACKAGES: readonly [{
|
|
|
55
55
|
readonly directTenantImport: true;
|
|
56
56
|
}, {
|
|
57
57
|
readonly packageName: "@lucern/control-plane";
|
|
58
|
-
readonly role: "
|
|
58
|
+
readonly role: "platform_runtime";
|
|
59
59
|
readonly directTenantImport: false;
|
|
60
60
|
}, {
|
|
61
61
|
readonly packageName: "@lucern/developer-kit";
|
|
@@ -70,9 +70,9 @@ declare const TENANT_CLIENT_INSTALLABLE_PACKAGES: readonly [{
|
|
|
70
70
|
readonly role: "sdk_dependency";
|
|
71
71
|
readonly directTenantImport: false;
|
|
72
72
|
}, {
|
|
73
|
-
readonly packageName: "@lucern/
|
|
74
|
-
readonly role: "
|
|
75
|
-
readonly directTenantImport:
|
|
73
|
+
readonly packageName: "@lucern/identity";
|
|
74
|
+
readonly role: "component_runtime";
|
|
75
|
+
readonly directTenantImport: false;
|
|
76
76
|
}, {
|
|
77
77
|
readonly packageName: "@lucern/mcp";
|
|
78
78
|
readonly role: "runtime_entrypoint";
|
|
@@ -101,10 +101,6 @@ declare const TENANT_CLIENT_INSTALLABLE_PACKAGES: readonly [{
|
|
|
101
101
|
readonly packageName: "@lucern/sdk";
|
|
102
102
|
readonly role: "runtime_entrypoint";
|
|
103
103
|
readonly directTenantImport: true;
|
|
104
|
-
}, {
|
|
105
|
-
readonly packageName: "@lucern/secrets";
|
|
106
|
-
readonly role: "sdk_dependency";
|
|
107
|
-
readonly directTenantImport: false;
|
|
108
104
|
}, {
|
|
109
105
|
readonly packageName: "@lucern/server-core";
|
|
110
106
|
readonly role: "platform_runtime";
|
|
@@ -121,65 +117,6 @@ declare const TENANT_CLIENT_INSTALLABLE_PACKAGES: readonly [{
|
|
|
121
117
|
type TenantClientInstallablePackage = (typeof TENANT_CLIENT_INSTALLABLE_PACKAGES)[number];
|
|
122
118
|
type TenantClientPackageRole = TenantClientInstallablePackage["role"];
|
|
123
119
|
type TenantClientInstallablePackageName = TenantClientInstallablePackage["packageName"];
|
|
124
|
-
/**
|
|
125
|
-
* Direct package installs are package.json entries owned by the tenant repo.
|
|
126
|
-
* Direct imports are source-code imports that tenant application code may use.
|
|
127
|
-
*
|
|
128
|
-
* These concepts intentionally differ: `@lucern/cli` is a direct install when a
|
|
129
|
-
* tenant repo needs the `lucern` binary, but it is not a direct application
|
|
130
|
-
* import. `@lucern/reasoning-kernel` and `@lucern/control-plane` are direct installs
|
|
131
|
-
* for Convex component binding, while tenant app code should only import their
|
|
132
|
-
* explicit component config subpaths.
|
|
133
|
-
*/
|
|
134
|
-
type TenantClientInstallProfile = {
|
|
135
|
-
id: string;
|
|
136
|
-
description: string;
|
|
137
|
-
packageNames: readonly TenantClientInstallablePackageName[];
|
|
138
|
-
dependencyField: "dependencies" | "devDependencies" | "mixed";
|
|
139
|
-
};
|
|
140
|
-
declare const TENANT_CLIENT_FULL_SUITE_PACKAGE_NAMES: readonly TenantClientInstallablePackageName[];
|
|
141
|
-
declare const TENANT_CLIENT_INSTALL_PROFILES: readonly [{
|
|
142
|
-
readonly id: "core_app_runtime";
|
|
143
|
-
readonly description: "Smallest tenant app/runtime install for typed Lucern API calls plus tool-access policy helpers.";
|
|
144
|
-
readonly packageNames: readonly ["@lucern/sdk", "@lucern/access-control"];
|
|
145
|
-
readonly dependencyField: "dependencies";
|
|
146
|
-
}, {
|
|
147
|
-
readonly id: "react_app_runtime";
|
|
148
|
-
readonly description: "React tenant app install for hooks, provider, curated graph components, and direct SDK calls.";
|
|
149
|
-
readonly packageNames: readonly ["@lucern/react", "@lucern/sdk", "@lucern/access-control"];
|
|
150
|
-
readonly dependencyField: "dependencies";
|
|
151
|
-
}, {
|
|
152
|
-
readonly id: "convex_components";
|
|
153
|
-
readonly description: "Tenant Convex host install for binding the Lucern control-plane and reasoning-kernel components.";
|
|
154
|
-
readonly packageNames: readonly ["@lucern/control-plane", "@lucern/reasoning-kernel"];
|
|
155
|
-
readonly dependencyField: "dependencies";
|
|
156
|
-
}, {
|
|
157
|
-
readonly id: "graph_mirroring_addon";
|
|
158
|
-
readonly description: "Optional tenant Convex host install for Neo4j graph projection, edge topology writes, backfill, health checks, and query proxy helpers.";
|
|
159
|
-
readonly packageNames: readonly ["@lucern/graph-sync"];
|
|
160
|
-
readonly dependencyField: "dependencies";
|
|
161
|
-
}, {
|
|
162
|
-
readonly id: "operator_cli";
|
|
163
|
-
readonly description: "Developer/operator install for the `lucern` binary, including tenant bootstrap seed commands.";
|
|
164
|
-
readonly packageNames: readonly ["@lucern/cli"];
|
|
165
|
-
readonly dependencyField: "devDependencies";
|
|
166
|
-
}, {
|
|
167
|
-
readonly id: "mcp_runtime";
|
|
168
|
-
readonly description: "Agent runtime install for the standalone Lucern MCP server and hosted route helpers.";
|
|
169
|
-
readonly packageNames: readonly ["@lucern/mcp"];
|
|
170
|
-
readonly dependencyField: "dependencies";
|
|
171
|
-
}, {
|
|
172
|
-
readonly id: "contracts_and_types";
|
|
173
|
-
readonly description: "Compile-time contract/type install for codegen, audits, and tenant integration validation.";
|
|
174
|
-
readonly packageNames: readonly ["@lucern/contracts", "@lucern/types"];
|
|
175
|
-
readonly dependencyField: "dependencies";
|
|
176
|
-
}, {
|
|
177
|
-
readonly id: "full_suite";
|
|
178
|
-
readonly description: "Full coherent Lucern package suite for design-partner repos that want every published runtime, tool, component, test, and config package pinned together.";
|
|
179
|
-
readonly packageNames: readonly ("@lucern/access-control" | "@lucern/agent" | "@lucern/auth" | "@lucern/cli" | "@lucern/client-core" | "@lucern/confidence" | "@lucern/config" | "@lucern/contracts" | "@lucern/control-plane" | "@lucern/developer-kit" | "@lucern/events" | "@lucern/graph-primitives" | "@lucern/graph-sync" | "@lucern/mcp" | "@lucern/pack-host" | "@lucern/pack-installer" | "@lucern/proof-compiler" | "@lucern/react" | "@lucern/reasoning-kernel" | "@lucern/sdk" | "@lucern/secrets" | "@lucern/server-core" | "@lucern/testing" | "@lucern/types")[];
|
|
180
|
-
readonly dependencyField: "mixed";
|
|
181
|
-
}];
|
|
182
|
-
type TenantClientInstallProfileId = (typeof TENANT_CLIENT_INSTALL_PROFILES)[number]["id"];
|
|
183
120
|
/**
|
|
184
121
|
* Direct imports tenant-owned product code may use. This is intentionally
|
|
185
122
|
* smaller than TENANT_CLIENT_INSTALLABLE_PACKAGES: several publishable packages
|
|
@@ -201,21 +138,11 @@ declare const TENANT_CLIENT_PUBLIC_IMPORTS: readonly [{
|
|
|
201
138
|
readonly surface: "runtime";
|
|
202
139
|
readonly subpaths: "published_exports";
|
|
203
140
|
readonly description: "MCP client/server entry points and hosted route helpers.";
|
|
204
|
-
}, {
|
|
205
|
-
readonly packageName: "@lucern/graph-sync";
|
|
206
|
-
readonly surface: "runtime";
|
|
207
|
-
readonly subpaths: "published_exports";
|
|
208
|
-
readonly description: "Optional Neo4j graph mirroring host actions, edge API, query proxy, backfill, and health helpers.";
|
|
209
141
|
}, {
|
|
210
142
|
readonly packageName: "@lucern/contracts";
|
|
211
143
|
readonly surface: "contract";
|
|
212
144
|
readonly subpaths: "published_exports";
|
|
213
145
|
readonly description: "Published type and manifest contracts.";
|
|
214
|
-
}, {
|
|
215
|
-
readonly packageName: "@lucern/access-control";
|
|
216
|
-
readonly surface: "runtime";
|
|
217
|
-
readonly subpaths: "published_exports";
|
|
218
|
-
readonly description: "Tenant runtime access-control helpers, including effective tool access.";
|
|
219
146
|
}, {
|
|
220
147
|
readonly packageName: "@lucern/types";
|
|
221
148
|
readonly surface: "contract";
|
|
@@ -226,10 +153,10 @@ type TenantClientPublicImport = (typeof TENANT_CLIENT_PUBLIC_IMPORTS)[number];
|
|
|
226
153
|
type TenantClientPublicPackage = TenantClientPublicImport["packageName"];
|
|
227
154
|
type TenantClientPublicSurface = TenantClientPublicImport["surface"];
|
|
228
155
|
declare const TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS: readonly [{
|
|
229
|
-
readonly packageName: "@lucern/
|
|
230
|
-
readonly importPath: "@lucern/
|
|
156
|
+
readonly packageName: "@lucern/identity";
|
|
157
|
+
readonly importPath: "@lucern/identity/convex.config";
|
|
231
158
|
readonly surface: "component_config";
|
|
232
|
-
readonly description: "Convex component binding config for tenant deployments that install
|
|
159
|
+
readonly description: "Convex component binding config for tenant deployments that install Lucern identity.";
|
|
233
160
|
}, {
|
|
234
161
|
readonly packageName: "@lucern/reasoning-kernel";
|
|
235
162
|
readonly importPath: "@lucern/reasoning-kernel/convex.config";
|
|
@@ -245,14 +172,9 @@ type TenantClientComponentConfigImport = (typeof TENANT_CLIENT_COMPONENT_CONFIG_
|
|
|
245
172
|
type TenantClientAllowedImport = TenantClientPublicImport | TenantClientComponentConfigImport;
|
|
246
173
|
declare function findTenantClientInstallablePackage(packageName: string): TenantClientInstallablePackage | undefined;
|
|
247
174
|
declare function isTenantClientInstallablePackage(packageName: string): boolean;
|
|
248
|
-
declare const TENANT_CLIENT_REQUIRED_SDK_NAMESPACES: readonly ["bootstrap", "context", "beliefs", "evidence", "questions", "graph", "worktrees", "topics", "edges", "contradictions", "contracts", "
|
|
175
|
+
declare const TENANT_CLIENT_REQUIRED_SDK_NAMESPACES: readonly ["bootstrap", "context", "beliefs", "evidence", "questions", "graph", "worktrees", "topics", "edges", "contradictions", "contracts", "graphAnalysis", "graphRecommendations", "orgGraphSearch", "embeddings", "ontologyLinks", "graphStateClassifier", "tools", "identity", "modelRuntime", "events", "jobs", "telemetry"];
|
|
249
176
|
type TenantClientRequiredSdkNamespace = (typeof TENANT_CLIENT_REQUIRED_SDK_NAMESPACES)[number];
|
|
250
177
|
declare const TENANT_CLIENT_CAPABILITIES: readonly [{
|
|
251
|
-
readonly id: "identity.resolve_interactive_principal";
|
|
252
|
-
readonly description: "Resolve a Clerk-authenticated user into a Permit-backed Lucern principal context.";
|
|
253
|
-
readonly surfaces: readonly ["@lucern/sdk", "@lucern/cli", "@lucern/mcp"];
|
|
254
|
-
readonly requiredContextFields: readonly ["principalId", "tenantId", "scopes"];
|
|
255
|
-
}, {
|
|
256
178
|
readonly id: "identity.bootstrap_session";
|
|
257
179
|
readonly description: "Start a scoped Lucern session for a tenant principal.";
|
|
258
180
|
readonly surfaces: readonly ["@lucern/sdk", "@lucern/mcp"];
|
|
@@ -264,7 +186,7 @@ declare const TENANT_CLIENT_CAPABILITIES: readonly [{
|
|
|
264
186
|
readonly requiredContextFields: readonly ["tenantId", "workspaceId", "principalId", "authMode", "scopes"];
|
|
265
187
|
}, {
|
|
266
188
|
readonly id: "reasoning.graph.read";
|
|
267
|
-
readonly description: "Read beliefs, evidence, questions, topics,
|
|
189
|
+
readonly description: "Read beliefs, evidence, questions, topics, and lineage.";
|
|
268
190
|
readonly surfaces: readonly ["@lucern/sdk", "@lucern/react", "@lucern/mcp"];
|
|
269
191
|
readonly requiredContextFields: readonly ["tenantId", "workspaceId", "principalId", "authMode", "scopes"];
|
|
270
192
|
}, {
|
|
@@ -272,16 +194,6 @@ declare const TENANT_CLIENT_CAPABILITIES: readonly [{
|
|
|
272
194
|
readonly description: "Create and update graph objects through authorized APIs.";
|
|
273
195
|
readonly surfaces: readonly ["@lucern/sdk", "@lucern/mcp"];
|
|
274
196
|
readonly requiredContextFields: readonly ["tenantId", "workspaceId", "principalId", "authMode", "scopes"];
|
|
275
|
-
}, {
|
|
276
|
-
readonly id: "reasoning.graph_intelligence.run";
|
|
277
|
-
readonly description: "Discover and run Graph Intelligence query recipes for structural graph analysis.";
|
|
278
|
-
readonly surfaces: readonly ["@lucern/sdk", "@lucern/cli", "@lucern/mcp"];
|
|
279
|
-
readonly requiredContextFields: readonly ["tenantId", "workspaceId", "principalId", "authMode", "scopes"];
|
|
280
|
-
}, {
|
|
281
|
-
readonly id: "reasoning.graph_mirroring.install";
|
|
282
|
-
readonly description: "Install and run the optional Neo4j graph mirror for paid or enterprise tenant deployments.";
|
|
283
|
-
readonly surfaces: readonly ["@lucern/graph-sync", "@lucern/cli"];
|
|
284
|
-
readonly requiredContextFields: readonly ["tenantId", "workspaceId", "principalId", "authMode", "scopes"];
|
|
285
197
|
}, {
|
|
286
198
|
readonly id: "workflow.worktree_lifecycle";
|
|
287
199
|
readonly description: "Create, review, merge, and close scoped worktrees.";
|
|
@@ -351,4 +263,4 @@ declare function isTenantClientAllowedImport(importPath: string): boolean;
|
|
|
351
263
|
declare function assertTenantClientImportAllowed(importPath: string): void;
|
|
352
264
|
declare function formatTenantClientImportViolation(classification: TenantClientImportClassification): string;
|
|
353
265
|
|
|
354
|
-
export { TENANT_CLIENT_AUTH_MODES, TENANT_CLIENT_CAPABILITIES, TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS, TENANT_CLIENT_CONTRACT_VERSION, TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS, TENANT_CLIENT_FORBIDDEN_INSTALL_TOKEN_INFISICAL_PATHS, TENANT_CLIENT_FORBIDDEN_SECRET_ENV,
|
|
266
|
+
export { TENANT_CLIENT_AUTH_MODES, TENANT_CLIENT_CAPABILITIES, TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS, TENANT_CLIENT_CONTRACT_VERSION, TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS, TENANT_CLIENT_FORBIDDEN_INSTALL_TOKEN_INFISICAL_PATHS, TENANT_CLIENT_FORBIDDEN_SECRET_ENV, TENANT_CLIENT_INSTALLABLE_PACKAGES, TENANT_CLIENT_INSTALL_TOKEN_ENV, TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH, TENANT_CLIENT_ISOLATION_RULES, TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS, TENANT_CLIENT_PRINCIPAL_TYPES, TENANT_CLIENT_PUBLIC_IMPORTS, TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS, TENANT_CLIENT_REQUIRED_SDK_NAMESPACES, type TenantClientAllowedImport, type TenantClientAuthMode, type TenantClientCapability, type TenantClientCapabilityId, type TenantClientComponentConfigImport, type TenantClientForbiddenImportPattern, type TenantClientForbiddenImportPatternId, type TenantClientForbiddenInstallTokenInfisicalPath, type TenantClientForbiddenSecretEnv, type TenantClientImportClassification, type TenantClientImportDecision, type TenantClientInstallablePackage, type TenantClientInstallablePackageName, type TenantClientIsolationRule, type TenantClientOptionalContextField, type TenantClientPackageRole, type TenantClientPrincipalType, type TenantClientPublicImport, type TenantClientPublicPackage, type TenantClientPublicSurface, type TenantClientRequiredContextField, type TenantClientRequiredSdkNamespace, assertTenantClientImportAllowed, classifyTenantClientImport, findTenantClientInstallablePackage, formatTenantClientImportViolation, isTenantClientAllowedImport, isTenantClientComponentConfigImport, isTenantClientInstallablePackage, isTenantClientPublicImport };
|
|
@@ -9,9 +9,7 @@ var TENANT_CLIENT_AUTH_MODES = [
|
|
|
9
9
|
var TENANT_CLIENT_PRINCIPAL_TYPES = [
|
|
10
10
|
"human",
|
|
11
11
|
"service",
|
|
12
|
-
"agent"
|
|
13
|
-
"group",
|
|
14
|
-
"external_viewer"
|
|
12
|
+
"agent"
|
|
15
13
|
];
|
|
16
14
|
var TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS = [
|
|
17
15
|
"tenantId",
|
|
@@ -21,16 +19,8 @@ var TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS = [
|
|
|
21
19
|
"scopes"
|
|
22
20
|
];
|
|
23
21
|
var TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS = [
|
|
24
|
-
"clerkId",
|
|
25
22
|
"principalType",
|
|
26
23
|
"roles",
|
|
27
|
-
"groupIds",
|
|
28
|
-
"permittedToolNames",
|
|
29
|
-
"permittedPackKeys",
|
|
30
|
-
"principalStatus",
|
|
31
|
-
"tenantStatus",
|
|
32
|
-
"workspaceStatus",
|
|
33
|
-
"permit",
|
|
34
24
|
"sessionId",
|
|
35
25
|
"delegationChain"
|
|
36
26
|
];
|
|
@@ -43,8 +33,8 @@ var TENANT_CLIENT_FORBIDDEN_SECRET_ENV = ["NPM_TOKEN"];
|
|
|
43
33
|
var TENANT_CLIENT_INSTALLABLE_PACKAGES = [
|
|
44
34
|
{
|
|
45
35
|
packageName: "@lucern/access-control",
|
|
46
|
-
role: "
|
|
47
|
-
directTenantImport:
|
|
36
|
+
role: "sdk_dependency",
|
|
37
|
+
directTenantImport: false
|
|
48
38
|
},
|
|
49
39
|
{
|
|
50
40
|
packageName: "@lucern/agent",
|
|
@@ -83,7 +73,7 @@ var TENANT_CLIENT_INSTALLABLE_PACKAGES = [
|
|
|
83
73
|
},
|
|
84
74
|
{
|
|
85
75
|
packageName: "@lucern/control-plane",
|
|
86
|
-
role: "
|
|
76
|
+
role: "platform_runtime",
|
|
87
77
|
directTenantImport: false
|
|
88
78
|
},
|
|
89
79
|
{
|
|
@@ -102,9 +92,9 @@ var TENANT_CLIENT_INSTALLABLE_PACKAGES = [
|
|
|
102
92
|
directTenantImport: false
|
|
103
93
|
},
|
|
104
94
|
{
|
|
105
|
-
packageName: "@lucern/
|
|
106
|
-
role: "
|
|
107
|
-
directTenantImport:
|
|
95
|
+
packageName: "@lucern/identity",
|
|
96
|
+
role: "component_runtime",
|
|
97
|
+
directTenantImport: false
|
|
108
98
|
},
|
|
109
99
|
{
|
|
110
100
|
packageName: "@lucern/mcp",
|
|
@@ -141,11 +131,6 @@ var TENANT_CLIENT_INSTALLABLE_PACKAGES = [
|
|
|
141
131
|
role: "runtime_entrypoint",
|
|
142
132
|
directTenantImport: true
|
|
143
133
|
},
|
|
144
|
-
{
|
|
145
|
-
packageName: "@lucern/secrets",
|
|
146
|
-
role: "sdk_dependency",
|
|
147
|
-
directTenantImport: false
|
|
148
|
-
},
|
|
149
134
|
{
|
|
150
135
|
packageName: "@lucern/server-core",
|
|
151
136
|
role: "platform_runtime",
|
|
@@ -162,59 +147,6 @@ var TENANT_CLIENT_INSTALLABLE_PACKAGES = [
|
|
|
162
147
|
directTenantImport: true
|
|
163
148
|
}
|
|
164
149
|
];
|
|
165
|
-
var TENANT_CLIENT_FULL_SUITE_PACKAGE_NAMES = TENANT_CLIENT_INSTALLABLE_PACKAGES.map(
|
|
166
|
-
(entry) => entry.packageName
|
|
167
|
-
);
|
|
168
|
-
var TENANT_CLIENT_INSTALL_PROFILES = [
|
|
169
|
-
{
|
|
170
|
-
id: "core_app_runtime",
|
|
171
|
-
description: "Smallest tenant app/runtime install for typed Lucern API calls plus tool-access policy helpers.",
|
|
172
|
-
packageNames: ["@lucern/sdk", "@lucern/access-control"],
|
|
173
|
-
dependencyField: "dependencies"
|
|
174
|
-
},
|
|
175
|
-
{
|
|
176
|
-
id: "react_app_runtime",
|
|
177
|
-
description: "React tenant app install for hooks, provider, curated graph components, and direct SDK calls.",
|
|
178
|
-
packageNames: ["@lucern/react", "@lucern/sdk", "@lucern/access-control"],
|
|
179
|
-
dependencyField: "dependencies"
|
|
180
|
-
},
|
|
181
|
-
{
|
|
182
|
-
id: "convex_components",
|
|
183
|
-
description: "Tenant Convex host install for binding the Lucern control-plane and reasoning-kernel components.",
|
|
184
|
-
packageNames: ["@lucern/control-plane", "@lucern/reasoning-kernel"],
|
|
185
|
-
dependencyField: "dependencies"
|
|
186
|
-
},
|
|
187
|
-
{
|
|
188
|
-
id: "graph_mirroring_addon",
|
|
189
|
-
description: "Optional tenant Convex host install for Neo4j graph projection, edge topology writes, backfill, health checks, and query proxy helpers.",
|
|
190
|
-
packageNames: ["@lucern/graph-sync"],
|
|
191
|
-
dependencyField: "dependencies"
|
|
192
|
-
},
|
|
193
|
-
{
|
|
194
|
-
id: "operator_cli",
|
|
195
|
-
description: "Developer/operator install for the `lucern` binary, including tenant bootstrap seed commands.",
|
|
196
|
-
packageNames: ["@lucern/cli"],
|
|
197
|
-
dependencyField: "devDependencies"
|
|
198
|
-
},
|
|
199
|
-
{
|
|
200
|
-
id: "mcp_runtime",
|
|
201
|
-
description: "Agent runtime install for the standalone Lucern MCP server and hosted route helpers.",
|
|
202
|
-
packageNames: ["@lucern/mcp"],
|
|
203
|
-
dependencyField: "dependencies"
|
|
204
|
-
},
|
|
205
|
-
{
|
|
206
|
-
id: "contracts_and_types",
|
|
207
|
-
description: "Compile-time contract/type install for codegen, audits, and tenant integration validation.",
|
|
208
|
-
packageNames: ["@lucern/contracts", "@lucern/types"],
|
|
209
|
-
dependencyField: "dependencies"
|
|
210
|
-
},
|
|
211
|
-
{
|
|
212
|
-
id: "full_suite",
|
|
213
|
-
description: "Full coherent Lucern package suite for design-partner repos that want every published runtime, tool, component, test, and config package pinned together.",
|
|
214
|
-
packageNames: TENANT_CLIENT_FULL_SUITE_PACKAGE_NAMES,
|
|
215
|
-
dependencyField: "mixed"
|
|
216
|
-
}
|
|
217
|
-
];
|
|
218
150
|
var TENANT_CLIENT_PUBLIC_IMPORTS = [
|
|
219
151
|
{
|
|
220
152
|
packageName: "@lucern/sdk",
|
|
@@ -234,24 +166,12 @@ var TENANT_CLIENT_PUBLIC_IMPORTS = [
|
|
|
234
166
|
subpaths: "published_exports",
|
|
235
167
|
description: "MCP client/server entry points and hosted route helpers."
|
|
236
168
|
},
|
|
237
|
-
{
|
|
238
|
-
packageName: "@lucern/graph-sync",
|
|
239
|
-
surface: "runtime",
|
|
240
|
-
subpaths: "published_exports",
|
|
241
|
-
description: "Optional Neo4j graph mirroring host actions, edge API, query proxy, backfill, and health helpers."
|
|
242
|
-
},
|
|
243
169
|
{
|
|
244
170
|
packageName: "@lucern/contracts",
|
|
245
171
|
surface: "contract",
|
|
246
172
|
subpaths: "published_exports",
|
|
247
173
|
description: "Published type and manifest contracts."
|
|
248
174
|
},
|
|
249
|
-
{
|
|
250
|
-
packageName: "@lucern/access-control",
|
|
251
|
-
surface: "runtime",
|
|
252
|
-
subpaths: "published_exports",
|
|
253
|
-
description: "Tenant runtime access-control helpers, including effective tool access."
|
|
254
|
-
},
|
|
255
175
|
{
|
|
256
176
|
packageName: "@lucern/types",
|
|
257
177
|
surface: "contract",
|
|
@@ -261,10 +181,10 @@ var TENANT_CLIENT_PUBLIC_IMPORTS = [
|
|
|
261
181
|
];
|
|
262
182
|
var TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS = [
|
|
263
183
|
{
|
|
264
|
-
packageName: "@lucern/
|
|
265
|
-
importPath: "@lucern/
|
|
184
|
+
packageName: "@lucern/identity",
|
|
185
|
+
importPath: "@lucern/identity/convex.config",
|
|
266
186
|
surface: "component_config",
|
|
267
|
-
description: "Convex component binding config for tenant deployments that install
|
|
187
|
+
description: "Convex component binding config for tenant deployments that install Lucern identity."
|
|
268
188
|
},
|
|
269
189
|
{
|
|
270
190
|
packageName: "@lucern/reasoning-kernel",
|
|
@@ -299,8 +219,6 @@ var TENANT_CLIENT_REQUIRED_SDK_NAMESPACES = [
|
|
|
299
219
|
"edges",
|
|
300
220
|
"contradictions",
|
|
301
221
|
"contracts",
|
|
302
|
-
"graphIntel",
|
|
303
|
-
"graphIntelligence",
|
|
304
222
|
"graphAnalysis",
|
|
305
223
|
"graphRecommendations",
|
|
306
224
|
"orgGraphSearch",
|
|
@@ -308,7 +226,6 @@ var TENANT_CLIENT_REQUIRED_SDK_NAMESPACES = [
|
|
|
308
226
|
"ontologyLinks",
|
|
309
227
|
"graphStateClassifier",
|
|
310
228
|
"tools",
|
|
311
|
-
"controlPlane",
|
|
312
229
|
"identity",
|
|
313
230
|
"modelRuntime",
|
|
314
231
|
"events",
|
|
@@ -316,12 +233,6 @@ var TENANT_CLIENT_REQUIRED_SDK_NAMESPACES = [
|
|
|
316
233
|
"telemetry"
|
|
317
234
|
];
|
|
318
235
|
var TENANT_CLIENT_CAPABILITIES = [
|
|
319
|
-
{
|
|
320
|
-
id: "identity.resolve_interactive_principal",
|
|
321
|
-
description: "Resolve a Clerk-authenticated user into a Permit-backed Lucern principal context.",
|
|
322
|
-
surfaces: ["@lucern/sdk", "@lucern/cli", "@lucern/mcp"],
|
|
323
|
-
requiredContextFields: ["principalId", "tenantId", "scopes"]
|
|
324
|
-
},
|
|
325
236
|
{
|
|
326
237
|
id: "identity.bootstrap_session",
|
|
327
238
|
description: "Start a scoped Lucern session for a tenant principal.",
|
|
@@ -336,7 +247,7 @@ var TENANT_CLIENT_CAPABILITIES = [
|
|
|
336
247
|
},
|
|
337
248
|
{
|
|
338
249
|
id: "reasoning.graph.read",
|
|
339
|
-
description: "Read beliefs, evidence, questions, topics,
|
|
250
|
+
description: "Read beliefs, evidence, questions, topics, and lineage.",
|
|
340
251
|
surfaces: ["@lucern/sdk", "@lucern/react", "@lucern/mcp"],
|
|
341
252
|
requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS
|
|
342
253
|
},
|
|
@@ -346,18 +257,6 @@ var TENANT_CLIENT_CAPABILITIES = [
|
|
|
346
257
|
surfaces: ["@lucern/sdk", "@lucern/mcp"],
|
|
347
258
|
requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS
|
|
348
259
|
},
|
|
349
|
-
{
|
|
350
|
-
id: "reasoning.graph_intelligence.run",
|
|
351
|
-
description: "Discover and run Graph Intelligence query recipes for structural graph analysis.",
|
|
352
|
-
surfaces: ["@lucern/sdk", "@lucern/cli", "@lucern/mcp"],
|
|
353
|
-
requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS
|
|
354
|
-
},
|
|
355
|
-
{
|
|
356
|
-
id: "reasoning.graph_mirroring.install",
|
|
357
|
-
description: "Install and run the optional Neo4j graph mirror for paid or enterprise tenant deployments.",
|
|
358
|
-
surfaces: ["@lucern/graph-sync", "@lucern/cli"],
|
|
359
|
-
requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS
|
|
360
|
-
},
|
|
361
260
|
{
|
|
362
261
|
id: "workflow.worktree_lifecycle",
|
|
363
262
|
description: "Create, review, merge, and close scoped worktrees.",
|
|
@@ -500,6 +399,6 @@ function formatTenantClientImportViolation(classification) {
|
|
|
500
399
|
return `Tenant client import is not allowed${patternId}: ${classification.importPath}. ${classification.reason}`;
|
|
501
400
|
}
|
|
502
401
|
|
|
503
|
-
export { TENANT_CLIENT_AUTH_MODES, TENANT_CLIENT_CAPABILITIES, TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS, TENANT_CLIENT_CONTRACT_VERSION, TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS, TENANT_CLIENT_FORBIDDEN_INSTALL_TOKEN_INFISICAL_PATHS, TENANT_CLIENT_FORBIDDEN_SECRET_ENV,
|
|
402
|
+
export { TENANT_CLIENT_AUTH_MODES, TENANT_CLIENT_CAPABILITIES, TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS, TENANT_CLIENT_CONTRACT_VERSION, TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS, TENANT_CLIENT_FORBIDDEN_INSTALL_TOKEN_INFISICAL_PATHS, TENANT_CLIENT_FORBIDDEN_SECRET_ENV, TENANT_CLIENT_INSTALLABLE_PACKAGES, TENANT_CLIENT_INSTALL_TOKEN_ENV, TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH, TENANT_CLIENT_ISOLATION_RULES, TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS, TENANT_CLIENT_PRINCIPAL_TYPES, TENANT_CLIENT_PUBLIC_IMPORTS, TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS, TENANT_CLIENT_REQUIRED_SDK_NAMESPACES, assertTenantClientImportAllowed, classifyTenantClientImport, findTenantClientInstallablePackage, formatTenantClientImportViolation, isTenantClientAllowedImport, isTenantClientComponentConfigImport, isTenantClientInstallablePackage, isTenantClientPublicImport };
|
|
504
403
|
//# sourceMappingURL=tenant-client.contract.js.map
|
|
505
404
|
//# sourceMappingURL=tenant-client.contract.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../src/tenant-client.contract.ts"],"names":[],"mappings":";AAcO,IAAM,8BAAA,GAAiC;AAEvC,IAAM,wBAAA,GAA2B;AAAA,EACtC,kBAAA;AAAA,EACA,mBAAA;AAAA,EACA,gBAAA;AAAA,EACA;AACF;AAGO,IAAM,6BAAA,GAAgC;AAAA,EAC3C,OAAA;AAAA,EACA,SAAA;AAAA,EACA,OAAA;AAAA,EACA,OAAA;AAAA,EACA;AACF;AAIO,IAAM,qCAAA,GAAwC;AAAA,EACnD,UAAA;AAAA,EACA,aAAA;AAAA,EACA,aAAA;AAAA,EACA,UAAA;AAAA,EACA;AACF;AAIO,IAAM,qCAAA,GAAwC;AAAA,EACnD,SAAA;AAAA,EACA,eAAA;AAAA,EACA,OAAA;AAAA,EACA,UAAA;AAAA,EACA,oBAAA;AAAA,EACA,mBAAA;AAAA,EACA,iBAAA;AAAA,EACA,cAAA;AAAA,EACA,iBAAA;AAAA,EACA,QAAA;AAAA,EACA,WAAA;AAAA,EACA;AACF;AAIO,IAAM,+BAAA,GAAkC;AACxC,IAAM,0CAAA,GACX;AACK,IAAM,qDAAA,GAAwD;AAAA,EACnE;AACF;AACO,IAAM,kCAAA,GAAqC,CAAC,WAAW;AAMvD,IAAM,kCAAA,GAAqC;AAAA,EAChD;AAAA,IACE,WAAA,EAAa,wBAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,eAAA;AAAA,IACb,IAAA,EAAM,kBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,cAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,aAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,qBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,oBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,gBAAA;AAAA,IACb,IAAA,EAAM,eAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,mBAAA;AAAA,IACb,IAAA,EAAM,qBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,uBAAA;AAAA,IACb,IAAA,EAAM,mBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,uBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,gBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,0BAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,oBAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,aAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,mBAAA;AAAA,IACb,IAAA,EAAM,kBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,wBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,wBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,eAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,0BAAA;AAAA,IACb,IAAA,EAAM,mBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,aAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,iBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,qBAAA;AAAA,IACb,IAAA,EAAM,kBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,iBAAA;AAAA,IACb,IAAA,EAAM,cAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,eAAA;AAAA,IACb,IAAA,EAAM,qBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA;AAExB;AAwBO,IAAM,yCACX,kCAAA,CAAmC,GAAA;AAAA,EACjC,CAAC,UAAU,KAAA,CAAM;AACnB;AAEK,IAAM,8BAAA,GAAiC;AAAA,EAC5C;AAAA,IACE,EAAA,EAAI,kBAAA;AAAA,IACJ,WAAA,EACE,iGAAA;AAAA,IACF,YAAA,EAAc,CAAC,aAAA,EAAe,wBAAwB,CAAA;AAAA,IACtD,eAAA,EAAiB;AAAA,GACnB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,mBAAA;AAAA,IACJ,WAAA,EACE,+FAAA;AAAA,IACF,YAAA,EAAc,CAAC,eAAA,EAAiB,aAAA,EAAe,wBAAwB,CAAA;AAAA,IACvE,eAAA,EAAiB;AAAA,GACnB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,mBAAA;AAAA,IACJ,WAAA,EACE,kGAAA;AAAA,IACF,YAAA,EAAc,CAAC,uBAAA,EAAyB,0BAA0B,CAAA;AAAA,IAClE,eAAA,EAAiB;AAAA,GACnB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,uBAAA;AAAA,IACJ,WAAA,EACE,yIAAA;AAAA,IACF,YAAA,EAAc,CAAC,oBAAoB,CAAA;AAAA,IACnC,eAAA,EAAiB;AAAA,GACnB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,cAAA;AAAA,IACJ,WAAA,EACE,+FAAA;AAAA,IACF,YAAA,EAAc,CAAC,aAAa,CAAA;AAAA,IAC5B,eAAA,EAAiB;AAAA,GACnB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,aAAA;AAAA,IACJ,WAAA,EACE,sFAAA;AAAA,IACF,YAAA,EAAc,CAAC,aAAa,CAAA;AAAA,IAC5B,eAAA,EAAiB;AAAA,GACnB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,qBAAA;AAAA,IACJ,WAAA,EACE,4FAAA;AAAA,IACF,YAAA,EAAc,CAAC,mBAAA,EAAqB,eAAe,CAAA;AAAA,IACnD,eAAA,EAAiB;AAAA,GACnB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,YAAA;AAAA,IACJ,WAAA,EACE,2JAAA;AAAA,IACF,YAAA,EAAc,sCAAA;AAAA,IACd,eAAA,EAAiB;AAAA;AAErB;AAUO,IAAM,4BAAA,GAA+B;AAAA,EAC1C;AAAA,IACE,WAAA,EAAa,aAAA;AAAA,IACb,OAAA,EAAS,SAAA;AAAA,IACT,QAAA,EAAU,mBAAA;AAAA,IACV,WAAA,EAAa;AAAA,GACf;AAAA,EACA;AAAA,IACE,WAAA,EAAa,eAAA;AAAA,IACb,OAAA,EAAS,SAAA;AAAA,IACT,QAAA,EAAU,mBAAA;AAAA,IACV,WAAA,EAAa;AAAA,GACf;AAAA,EACA;AAAA,IACE,WAAA,EAAa,aAAA;AAAA,IACb,OAAA,EAAS,SAAA;AAAA,IACT,QAAA,EAAU,mBAAA;AAAA,IACV,WAAA,EAAa;AAAA,GACf;AAAA,EACA;AAAA,IACE,WAAA,EAAa,oBAAA;AAAA,IACb,OAAA,EAAS,SAAA;AAAA,IACT,QAAA,EAAU,mBAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,WAAA,EAAa,mBAAA;AAAA,IACb,OAAA,EAAS,UAAA;AAAA,IACT,QAAA,EAAU,mBAAA;AAAA,IACV,WAAA,EAAa;AAAA,GACf;AAAA,EACA;AAAA,IACE,WAAA,EAAa,wBAAA;AAAA,IACb,OAAA,EAAS,SAAA;AAAA,IACT,QAAA,EAAU,mBAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,WAAA,EAAa,eAAA;AAAA,IACb,OAAA,EAAS,UAAA;AAAA,IACT,QAAA,EAAU,mBAAA;AAAA,IACV,WAAA,EAAa;AAAA;AAEjB;AAOO,IAAM,sCAAA,GAAyC;AAAA,EACpD;AAAA,IACE,WAAA,EAAa,uBAAA;AAAA,IACb,UAAA,EAAY,qCAAA;AAAA,IACZ,OAAA,EAAS,kBAAA;AAAA,IACT,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,WAAA,EAAa,0BAAA;AAAA,IACb,UAAA,EAAY,wCAAA;AAAA,IACZ,OAAA,EAAS,kBAAA;AAAA,IACT,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,WAAA,EAAa,0BAAA;AAAA,IACb,UAAA,EAAY,yCAAA;AAAA,IACZ,OAAA,EAAS,kBAAA;AAAA,IACT,WAAA,EACE;AAAA;AAEN;AAOO,SAAS,mCACd,WAAA,EAC4C;AAC5C,EAAA,OAAO,kCAAA,CAAmC,IAAA;AAAA,IACxC,CAAC,KAAA,KAAU,KAAA,CAAM,WAAA,KAAgB;AAAA,GACnC;AACF;AAEO,SAAS,iCAAiC,WAAA,EAA8B;AAC7E,EAAA,OAAO,OAAA,CAAQ,kCAAA,CAAmC,WAAW,CAAC,CAAA;AAChE;AAEO,IAAM,qCAAA,GAAwC;AAAA,EACnD,WAAA;AAAA,EACA,SAAA;AAAA,EACA,SAAA;AAAA,EACA,UAAA;AAAA,EACA,WAAA;AAAA,EACA,OAAA;AAAA,EACA,WAAA;AAAA,EACA,QAAA;AAAA,EACA,OAAA;AAAA,EACA,gBAAA;AAAA,EACA,WAAA;AAAA,EACA,YAAA;AAAA,EACA,mBAAA;AAAA,EACA,eAAA;AAAA,EACA,sBAAA;AAAA,EACA,gBAAA;AAAA,EACA,YAAA;AAAA,EACA,eAAA;AAAA,EACA,sBAAA;AAAA,EACA,OAAA;AAAA,EACA,cAAA;AAAA,EACA,UAAA;AAAA,EACA,cAAA;AAAA,EACA,QAAA;AAAA,EACA,MAAA;AAAA,EACA;AACF;AAIO,IAAM,0BAAA,GAA6B;AAAA,EACxC;AAAA,IACE,EAAA,EAAI,wCAAA;AAAA,IACJ,WAAA,EACE,mFAAA;AAAA,IACF,QAAA,EAAU,CAAC,aAAA,EAAe,aAAA,EAAe,aAAa,CAAA;AAAA,IACtD,qBAAA,EAAuB,CAAC,aAAA,EAAe,UAAA,EAAY,QAAQ;AAAA,GAC7D;AAAA,EACA;AAAA,IACE,EAAA,EAAI,4BAAA;AAAA,IACJ,WAAA,EAAa,uDAAA;AAAA,IACb,QAAA,EAAU,CAAC,aAAA,EAAe,aAAa,CAAA;AAAA,IACvC,qBAAA,EAAuB;AAAA,GACzB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,2BAAA;AAAA,IACJ,WAAA,EAAa,wDAAA;AAAA,IACb,QAAA,EAAU,CAAC,aAAA,EAAe,eAAA,EAAiB,aAAa,CAAA;AAAA,IACxD,qBAAA,EAAuB;AAAA,GACzB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,sBAAA;AAAA,IACJ,WAAA,EAAa,sEAAA;AAAA,IACb,QAAA,EAAU,CAAC,aAAA,EAAe,eAAA,EAAiB,aAAa,CAAA;AAAA,IACxD,qBAAA,EAAuB;AAAA,GACzB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,uBAAA;AAAA,IACJ,WAAA,EAAa,0DAAA;AAAA,IACb,QAAA,EAAU,CAAC,aAAA,EAAe,aAAa,CAAA;AAAA,IACvC,qBAAA,EAAuB;AAAA,GACzB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,kCAAA;AAAA,IACJ,WAAA,EACE,kFAAA;AAAA,IACF,QAAA,EAAU,CAAC,aAAA,EAAe,aAAA,EAAe,aAAa,CAAA;AAAA,IACtD,qBAAA,EAAuB;AAAA,GACzB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,mCAAA;AAAA,IACJ,WAAA,EACE,4FAAA;AAAA,IACF,QAAA,EAAU,CAAC,oBAAA,EAAsB,aAAa,CAAA;AAAA,IAC9C,qBAAA,EAAuB;AAAA,GACzB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,6BAAA;AAAA,IACJ,WAAA,EAAa,oDAAA;AAAA,IACb,QAAA,EAAU,CAAC,aAAA,EAAe,eAAA,EAAiB,aAAa,CAAA;AAAA,IACxD,qBAAA,EAAuB;AAAA;AAE3B;AAKO,IAAM,6BAAA,GAAgC;AAAA,EAC3C;AAAA,IACE,EAAA,EAAI,iCAAA;AAAA,IACJ,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,0BAAA;AAAA,IACJ,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,2BAAA;AAAA,IACJ,WAAA,EACE;AAAA;AAEN;AAIO,IAAM,uCAAA,GAA0C;AAAA,EACrD;AAAA,IACE,EAAA,EAAI,iBAAA;AAAA,IACJ,OAAA,EAAS,2BAAA;AAAA,IACT,WAAA,EAAa;AAAA,GACf;AAAA,EACA;AAAA,IACE,EAAA,EAAI,kBAAA;AAAA,IACJ,OAAA,EAAS,4BAAA;AAAA,IACT,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,0BAAA;AAAA,IACJ,OAAA,EAAS,gDAAA;AAAA,IACT,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,wBAAA;AAAA,IACJ,OAAA,EAAS,4CAAA;AAAA,IACT,WAAA,EAAa;AAAA,GACf;AAAA,EACA;AAAA,IACE,EAAA,EAAI,yBAAA;AAAA,IACJ,OAAA,EAAS,+DAAA;AAAA,IACT,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,0BAAA;AAAA,IACJ,OAAA,EAAS,qDAAA;AAAA,IACT,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,+BAAA;AAAA,IACJ,OAAA,EAAS,mEAAA;AAAA,IACT,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,sBAAA;AAAA,IACJ,OAAA,EAAS,aAAA;AAAA,IACT,WAAA,EACE;AAAA;AAEN;AAoBA,SAAS,oBACP,UAAA,EACuC;AACvC,EAAA,MAAM,kBAAkB,sCAAA,CAAuC,IAAA;AAAA,IAC7D,CAAC,KAAA,KAAU,UAAA,KAAe,KAAA,CAAM;AAAA,GAClC;AACA,EAAA,IAAI,eAAA,EAAiB;AACnB,IAAA,OAAO,eAAA;AAAA,EACT;AAEA,EAAA,OAAO,4BAAA,CAA6B,IAAA;AAAA,IAClC,CAAC,KAAA,KACC,UAAA,KAAe,KAAA,CAAM,WAAA,IACrB,WAAW,UAAA,CAAW,CAAA,EAAG,KAAA,CAAM,WAAW,CAAA,CAAA,CAAG;AAAA,GACjD;AACF;AAEA,SAAS,wBACP,UAAA,EACgD;AAChD,EAAA,OAAO,uCAAA,CAAwC,IAAA;AAAA,IAAK,CAAC,UACnD,IAAI,MAAA,CAAO,MAAM,OAAA,EAAS,GAAG,CAAA,CAAE,IAAA,CAAK,UAAU;AAAA,GAChD;AACF;AAEO,SAAS,2BACd,UAAA,EACkC;AAClC,EAAA,MAAM,oBAAA,GAAuB,WAAW,IAAA,EAAK;AAC7C,EAAA,MAAM,OAAA,GAAU,wBAAwB,oBAAoB,CAAA;AAE5D,EAAA,IAAI,OAAA,EAAS;AACX,IAAA,OAAO;AAAA,MACL,UAAA,EAAY,oBAAA;AAAA,MACZ,QAAA,EAAU,WAAA;AAAA,MACV,OAAA;AAAA,MACA,QAAQ,OAAA,CAAQ;AAAA,KAClB;AAAA,EACF;AAEA,EAAA,MAAM,YAAA,GAAe,oBAAoB,oBAAoB,CAAA;AAC7D,EAAA,IAAI,YAAA,EAAc;AAChB,IAAA,OAAO;AAAA,MACL,UAAA,EAAY,oBAAA;AAAA,MACZ,QAAA,EAAU,QAAA;AAAA,MACV,YAAA;AAAA,MACA,QAAQ,YAAA,CAAa;AAAA,KACvB;AAAA,EACF;AAEA,EAAA,IAAI,oBAAA,CAAqB,UAAA,CAAW,UAAU,CAAA,EAAG;AAC/C,IAAA,OAAO;AAAA,MACL,UAAA,EAAY,oBAAA;AAAA,MACZ,QAAA,EAAU,WAAA;AAAA,MACV,MAAA,EACE;AAAA,KACJ;AAAA,EACF;AAEA,EAAA,IACE,qBAAqB,UAAA,CAAW,IAAI,KACpC,oBAAA,CAAqB,UAAA,CAAW,KAAK,CAAA,EACrC;AACA,IAAA,OAAO;AAAA,MACL,UAAA,EAAY,oBAAA;AAAA,MACZ,QAAA,EAAU,OAAA;AAAA,MACV,MAAA,EAAQ;AAAA,KACV;AAAA,EACF;AAEA,EAAA,OAAO;AAAA,IACL,UAAA,EAAY,oBAAA;AAAA,IACZ,QAAA,EAAU,UAAA;AAAA,IACV,MAAA,EAAQ;AAAA,GACV;AACF;AAEO,SAAS,2BAA2B,UAAA,EAA6B;AACtE,EAAA,OAAO,0BAAA,CAA2B,UAAU,CAAA,CAAE,QAAA,KAAa,QAAA;AAC7D;AAEO,SAAS,oCACd,UAAA,EACS;AACT,EAAA,OAAO,sCAAA,CAAuC,IAAA;AAAA,IAC5C,CAAC,KAAA,KAAU,UAAA,KAAe,KAAA,CAAM;AAAA,GAClC;AACF;AAEO,SAAS,4BAA4B,UAAA,EAA6B;AACvE,EAAA,OAAO,0BAAA,CAA2B,UAAU,CAAA,CAAE,QAAA,KAAa,QAAA;AAC7D;AAEO,SAAS,gCAAgC,UAAA,EAA0B;AACxE,EAAA,MAAM,cAAA,GAAiB,2BAA2B,UAAU,CAAA;AAC5D,EAAA,IAAI,cAAA,CAAe,aAAa,WAAA,EAAa;AAC3C,IAAA;AAAA,EACF;AAEA,EAAA,MAAM,IAAI,KAAA,CAAM,iCAAA,CAAkC,cAAc,CAAC,CAAA;AACnE;AAEO,SAAS,kCACd,cAAA,EACQ;AACR,EAAA,MAAM,YAAY,cAAA,CAAe,OAAA,GAC7B,KAAK,cAAA,CAAe,OAAA,CAAQ,EAAE,CAAA,CAAA,CAAA,GAC9B,EAAA;AACJ,EAAA,OAAO,sCAAsC,SAAS,CAAA,EAAA,EAAK,eAAe,UAAU,CAAA,EAAA,EAAK,eAAe,MAAM,CAAA,CAAA;AAChH","file":"tenant-client.contract.js","sourcesContent":["/**\n * Tenant client contract\n *\n * Defines the generic boundary for any customer-owned product that consumes\n * Lucern through the SDK, hosted API, or MCP server. Tenant clients may run\n * their own UI, auth provider, deployment, and data plane, but reasoning\n * operations must enter through the published packages below.\n */\n\nimport type {\n SessionAuthMode,\n SessionPrincipalType,\n} from \"./auth.contract\";\n\nexport const TENANT_CLIENT_CONTRACT_VERSION = \"2026-04-27\" as const;\n\nexport const TENANT_CLIENT_AUTH_MODES = [\n \"interactive_user\",\n \"service_principal\",\n \"tenant_api_key\",\n \"session_token\",\n] as const satisfies readonly SessionAuthMode[];\nexport type TenantClientAuthMode = (typeof TENANT_CLIENT_AUTH_MODES)[number];\n\nexport const TENANT_CLIENT_PRINCIPAL_TYPES = [\n \"human\",\n \"service\",\n \"agent\",\n \"group\",\n \"external_viewer\",\n] as const satisfies readonly SessionPrincipalType[];\nexport type TenantClientPrincipalType =\n (typeof TENANT_CLIENT_PRINCIPAL_TYPES)[number];\n\nexport const TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS = [\n \"tenantId\",\n \"workspaceId\",\n \"principalId\",\n \"authMode\",\n \"scopes\",\n] as const;\nexport type TenantClientRequiredContextField =\n (typeof TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS)[number];\n\nexport const TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS = [\n \"clerkId\",\n \"principalType\",\n \"roles\",\n \"groupIds\",\n \"permittedToolNames\",\n \"permittedPackKeys\",\n \"principalStatus\",\n \"tenantStatus\",\n \"workspaceStatus\",\n \"permit\",\n \"sessionId\",\n \"delegationChain\",\n] as const;\nexport type TenantClientOptionalContextField =\n (typeof TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS)[number];\n\nexport const TENANT_CLIENT_INSTALL_TOKEN_ENV = \"INSTALL_LUCERN_NPM\" as const;\nexport const TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH =\n \"tenants/shared\" as const;\nexport const TENANT_CLIENT_FORBIDDEN_INSTALL_TOKEN_INFISICAL_PATHS = [\n \"/platform/publish\",\n] as const;\nexport const TENANT_CLIENT_FORBIDDEN_SECRET_ENV = [\"NPM_TOKEN\"] as const;\nexport type TenantClientForbiddenInstallTokenInfisicalPath =\n (typeof TENANT_CLIENT_FORBIDDEN_INSTALL_TOKEN_INFISICAL_PATHS)[number];\nexport type TenantClientForbiddenSecretEnv =\n (typeof TENANT_CLIENT_FORBIDDEN_SECRET_ENV)[number];\n\nexport const TENANT_CLIENT_INSTALLABLE_PACKAGES = [\n {\n packageName: \"@lucern/access-control\",\n role: \"runtime_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/agent\",\n role: \"platform_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/auth\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/cli\",\n role: \"developer_tool\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/client-core\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/confidence\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/config\",\n role: \"configuration\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/contracts\",\n role: \"contract_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/control-plane\",\n role: \"component_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/developer-kit\",\n role: \"developer_tool\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/events\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/graph-primitives\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/graph-sync\",\n role: \"host_addon_runtime\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/mcp\",\n role: \"runtime_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/pack-host\",\n role: \"platform_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/pack-installer\",\n role: \"developer_tool\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/proof-compiler\",\n role: \"developer_tool\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/react\",\n role: \"runtime_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/reasoning-kernel\",\n role: \"component_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/sdk\",\n role: \"runtime_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/secrets\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/server-core\",\n role: \"platform_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/testing\",\n role: \"test_support\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/types\",\n role: \"contract_entrypoint\",\n directTenantImport: true,\n },\n] as const;\nexport type TenantClientInstallablePackage =\n (typeof TENANT_CLIENT_INSTALLABLE_PACKAGES)[number];\nexport type TenantClientPackageRole = TenantClientInstallablePackage[\"role\"];\nexport type TenantClientInstallablePackageName =\n TenantClientInstallablePackage[\"packageName\"];\n\n/**\n * Direct package installs are package.json entries owned by the tenant repo.\n * Direct imports are source-code imports that tenant application code may use.\n *\n * These concepts intentionally differ: `@lucern/cli` is a direct install when a\n * tenant repo needs the `lucern` binary, but it is not a direct application\n * import. `@lucern/reasoning-kernel` and `@lucern/control-plane` are direct installs\n * for Convex component binding, while tenant app code should only import their\n * explicit component config subpaths.\n */\nexport type TenantClientInstallProfile = {\n id: string;\n description: string;\n packageNames: readonly TenantClientInstallablePackageName[];\n dependencyField: \"dependencies\" | \"devDependencies\" | \"mixed\";\n};\n\nexport const TENANT_CLIENT_FULL_SUITE_PACKAGE_NAMES =\n TENANT_CLIENT_INSTALLABLE_PACKAGES.map(\n (entry) => entry.packageName\n ) as readonly TenantClientInstallablePackageName[];\n\nexport const TENANT_CLIENT_INSTALL_PROFILES = [\n {\n id: \"core_app_runtime\",\n description:\n \"Smallest tenant app/runtime install for typed Lucern API calls plus tool-access policy helpers.\",\n packageNames: [\"@lucern/sdk\", \"@lucern/access-control\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"react_app_runtime\",\n description:\n \"React tenant app install for hooks, provider, curated graph components, and direct SDK calls.\",\n packageNames: [\"@lucern/react\", \"@lucern/sdk\", \"@lucern/access-control\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"convex_components\",\n description:\n \"Tenant Convex host install for binding the Lucern control-plane and reasoning-kernel components.\",\n packageNames: [\"@lucern/control-plane\", \"@lucern/reasoning-kernel\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"graph_mirroring_addon\",\n description:\n \"Optional tenant Convex host install for Neo4j graph projection, edge topology writes, backfill, health checks, and query proxy helpers.\",\n packageNames: [\"@lucern/graph-sync\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"operator_cli\",\n description:\n \"Developer/operator install for the `lucern` binary, including tenant bootstrap seed commands.\",\n packageNames: [\"@lucern/cli\"],\n dependencyField: \"devDependencies\",\n },\n {\n id: \"mcp_runtime\",\n description:\n \"Agent runtime install for the standalone Lucern MCP server and hosted route helpers.\",\n packageNames: [\"@lucern/mcp\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"contracts_and_types\",\n description:\n \"Compile-time contract/type install for codegen, audits, and tenant integration validation.\",\n packageNames: [\"@lucern/contracts\", \"@lucern/types\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"full_suite\",\n description:\n \"Full coherent Lucern package suite for design-partner repos that want every published runtime, tool, component, test, and config package pinned together.\",\n packageNames: TENANT_CLIENT_FULL_SUITE_PACKAGE_NAMES,\n dependencyField: \"mixed\",\n },\n] as const satisfies readonly TenantClientInstallProfile[];\nexport type TenantClientInstallProfileId =\n (typeof TENANT_CLIENT_INSTALL_PROFILES)[number][\"id\"];\n\n/**\n * Direct imports tenant-owned product code may use. This is intentionally\n * smaller than TENANT_CLIENT_INSTALLABLE_PACKAGES: several publishable packages\n * are installed as SDK dependencies, tooling, or platform runtimes but should\n * not become the application integration surface.\n */\nexport const TENANT_CLIENT_PUBLIC_IMPORTS = [\n {\n packageName: \"@lucern/sdk\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description: \"TypeScript SDK runtime and generated operation namespaces.\",\n },\n {\n packageName: \"@lucern/react\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description: \"React bindings for tenant-owned UI applications.\",\n },\n {\n packageName: \"@lucern/mcp\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description: \"MCP client/server entry points and hosted route helpers.\",\n },\n {\n packageName: \"@lucern/graph-sync\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description:\n \"Optional Neo4j graph mirroring host actions, edge API, query proxy, backfill, and health helpers.\",\n },\n {\n packageName: \"@lucern/contracts\",\n surface: \"contract\",\n subpaths: \"published_exports\",\n description: \"Published type and manifest contracts.\",\n },\n {\n packageName: \"@lucern/access-control\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description:\n \"Tenant runtime access-control helpers, including effective tool access.\",\n },\n {\n packageName: \"@lucern/types\",\n surface: \"contract\",\n subpaths: \"published_exports\",\n description: \"Published type-only helpers for tenant integration code.\",\n },\n] as const;\nexport type TenantClientPublicImport =\n (typeof TENANT_CLIENT_PUBLIC_IMPORTS)[number];\nexport type TenantClientPublicPackage =\n TenantClientPublicImport[\"packageName\"];\nexport type TenantClientPublicSurface = TenantClientPublicImport[\"surface\"];\n\nexport const TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS = [\n {\n packageName: \"@lucern/control-plane\",\n importPath: \"@lucern/control-plane/convex.config\",\n surface: \"component_config\",\n description:\n \"Convex component binding config for tenant deployments that install the Lucern control plane.\",\n },\n {\n packageName: \"@lucern/reasoning-kernel\",\n importPath: \"@lucern/reasoning-kernel/convex.config\",\n surface: \"component_config\",\n description:\n \"Convex component binding config for tenant deployments that install the Lucern reasoning kernel.\",\n },\n {\n packageName: \"@lucern/reasoning-kernel\",\n importPath: \"@lucern/reasoning-kernel/runtime.config\",\n surface: \"component_config\",\n description:\n \"Runtime config alias for tenant deployments that install the Lucern reasoning kernel.\",\n },\n] as const;\nexport type TenantClientComponentConfigImport =\n (typeof TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS)[number];\nexport type TenantClientAllowedImport =\n | TenantClientPublicImport\n | TenantClientComponentConfigImport;\n\nexport function findTenantClientInstallablePackage(\n packageName: string\n): TenantClientInstallablePackage | undefined {\n return TENANT_CLIENT_INSTALLABLE_PACKAGES.find(\n (entry) => entry.packageName === packageName\n );\n}\n\nexport function isTenantClientInstallablePackage(packageName: string): boolean {\n return Boolean(findTenantClientInstallablePackage(packageName));\n}\n\nexport const TENANT_CLIENT_REQUIRED_SDK_NAMESPACES = [\n \"bootstrap\",\n \"context\",\n \"beliefs\",\n \"evidence\",\n \"questions\",\n \"graph\",\n \"worktrees\",\n \"topics\",\n \"edges\",\n \"contradictions\",\n \"contracts\",\n \"graphIntel\",\n \"graphIntelligence\",\n \"graphAnalysis\",\n \"graphRecommendations\",\n \"orgGraphSearch\",\n \"embeddings\",\n \"ontologyLinks\",\n \"graphStateClassifier\",\n \"tools\",\n \"controlPlane\",\n \"identity\",\n \"modelRuntime\",\n \"events\",\n \"jobs\",\n \"telemetry\",\n] as const;\nexport type TenantClientRequiredSdkNamespace =\n (typeof TENANT_CLIENT_REQUIRED_SDK_NAMESPACES)[number];\n\nexport const TENANT_CLIENT_CAPABILITIES = [\n {\n id: \"identity.resolve_interactive_principal\",\n description:\n \"Resolve a Clerk-authenticated user into a Permit-backed Lucern principal context.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/cli\", \"@lucern/mcp\"],\n requiredContextFields: [\"principalId\", \"tenantId\", \"scopes\"],\n },\n {\n id: \"identity.bootstrap_session\",\n description: \"Start a scoped Lucern session for a tenant principal.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.context.compile\",\n description: \"Compile tenant and workspace scoped reasoning context.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/react\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.graph.read\",\n description: \"Read beliefs, evidence, questions, topics, graph edges, and lineage.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/react\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.graph.write\",\n description: \"Create and update graph objects through authorized APIs.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.graph_intelligence.run\",\n description:\n \"Discover and run Graph Intelligence query recipes for structural graph analysis.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/cli\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.graph_mirroring.install\",\n description:\n \"Install and run the optional Neo4j graph mirror for paid or enterprise tenant deployments.\",\n surfaces: [\"@lucern/graph-sync\", \"@lucern/cli\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"workflow.worktree_lifecycle\",\n description: \"Create, review, merge, and close scoped worktrees.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/react\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n] as const;\nexport type TenantClientCapability =\n (typeof TENANT_CLIENT_CAPABILITIES)[number];\nexport type TenantClientCapabilityId = TenantClientCapability[\"id\"];\n\nexport const TENANT_CLIENT_ISOLATION_RULES = [\n {\n id: \"tenant_workspace_scope_required\",\n description:\n \"Runtime operations must resolve both tenantId and workspaceId before reaching Lucern reasoning state.\",\n },\n {\n id: \"principal_audit_required\",\n description:\n \"Runtime operations must carry principalId, authMode, and scopes for audit attribution.\",\n },\n {\n id: \"no_private_lucern_imports\",\n description:\n \"Tenant code must not import Lucern source, Convex internals, generated adapters, or unpublished package internals.\",\n },\n] as const;\nexport type TenantClientIsolationRule =\n (typeof TENANT_CLIENT_ISOLATION_RULES)[number];\n\nexport const TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS = [\n {\n id: \"deep_src_import\",\n pattern: \"^@lucern/[^/]+/src(?:/|$)\",\n description: \"Published packages must not be bypassed through src paths.\",\n },\n {\n id: \"deep_dist_import\",\n pattern: \"^@lucern/[^/]+/dist(?:/|$)\",\n description:\n \"Published package exports must be used instead of dist file paths.\",\n },\n {\n id: \"generated_adapter_import\",\n pattern: \"^@lucern/[^/]+/(?:adapters/)?_generated(?:/|$)\",\n description:\n \"Generated Lucern adapters are internal deployment artifacts.\",\n },\n {\n id: \"private_runtime_import\",\n pattern: \"^@lucern/[^/]+/(?:internal|private)(?:/|$)\",\n description: \"Internal and private package subpaths are not public SDK API.\",\n },\n {\n id: \"workspace_source_import\",\n pattern: \"^(?:packages|modules|services|lucern|apps)/(?:.+/)?src(?:/|$)\",\n description:\n \"Tenant clients must not import source files from the Lucern monorepo.\",\n },\n {\n id: \"root_alias_lucern_import\",\n pattern: \"^@/(?:lucern|packages|modules|services|apps)(?:/|$)\",\n description:\n \"Tenant clients must not depend on Lucern repo-local path aliases.\",\n },\n {\n id: \"relative_lucern_source_import\",\n pattern: \"^\\\\.\\\\.?/(?:.+/)?(?:packages|modules|services|lucern|apps)(?:/|$)\",\n description:\n \"Tenant clients must not reach back into Lucern source through relative paths.\",\n },\n {\n id: \"monorepo_path_import\",\n pattern: \"lucern-repo\",\n description:\n \"Absolute imports that name the Lucern repository are not portable tenant code.\",\n },\n] as const;\nexport type TenantClientForbiddenImportPattern =\n (typeof TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS)[number];\nexport type TenantClientForbiddenImportPatternId =\n TenantClientForbiddenImportPattern[\"id\"];\n\nexport type TenantClientImportDecision =\n | \"public\"\n | \"forbidden\"\n | \"local\"\n | \"external\";\n\nexport type TenantClientImportClassification = {\n importPath: string;\n decision: TenantClientImportDecision;\n publicImport?: TenantClientAllowedImport;\n pattern?: TenantClientForbiddenImportPattern;\n reason: string;\n};\n\nfunction matchesPublicImport(\n importPath: string\n): TenantClientAllowedImport | undefined {\n const componentConfig = TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS.find(\n (entry) => importPath === entry.importPath\n );\n if (componentConfig) {\n return componentConfig;\n }\n\n return TENANT_CLIENT_PUBLIC_IMPORTS.find(\n (entry) =>\n importPath === entry.packageName ||\n importPath.startsWith(`${entry.packageName}/`)\n );\n}\n\nfunction matchesForbiddenPattern(\n importPath: string\n): TenantClientForbiddenImportPattern | undefined {\n return TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS.find((entry) =>\n new RegExp(entry.pattern, \"u\").test(importPath)\n );\n}\n\nexport function classifyTenantClientImport(\n importPath: string\n): TenantClientImportClassification {\n const normalizedImportPath = importPath.trim();\n const pattern = matchesForbiddenPattern(normalizedImportPath);\n\n if (pattern) {\n return {\n importPath: normalizedImportPath,\n decision: \"forbidden\",\n pattern,\n reason: pattern.description,\n };\n }\n\n const publicImport = matchesPublicImport(normalizedImportPath);\n if (publicImport) {\n return {\n importPath: normalizedImportPath,\n decision: \"public\",\n publicImport,\n reason: publicImport.description,\n };\n }\n\n if (normalizedImportPath.startsWith(\"@lucern/\")) {\n return {\n importPath: normalizedImportPath,\n decision: \"forbidden\",\n reason:\n \"This @lucern package is not part of the tenant client public surface.\",\n };\n }\n\n if (\n normalizedImportPath.startsWith(\"./\") ||\n normalizedImportPath.startsWith(\"../\")\n ) {\n return {\n importPath: normalizedImportPath,\n decision: \"local\",\n reason: \"Local tenant-owned import.\",\n };\n }\n\n return {\n importPath: normalizedImportPath,\n decision: \"external\",\n reason: \"External dependency outside the Lucern package namespace.\",\n };\n}\n\nexport function isTenantClientPublicImport(importPath: string): boolean {\n return classifyTenantClientImport(importPath).decision === \"public\";\n}\n\nexport function isTenantClientComponentConfigImport(\n importPath: string\n): boolean {\n return TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS.some(\n (entry) => importPath === entry.importPath\n );\n}\n\nexport function isTenantClientAllowedImport(importPath: string): boolean {\n return classifyTenantClientImport(importPath).decision === \"public\";\n}\n\nexport function assertTenantClientImportAllowed(importPath: string): void {\n const classification = classifyTenantClientImport(importPath);\n if (classification.decision !== \"forbidden\") {\n return;\n }\n\n throw new Error(formatTenantClientImportViolation(classification));\n}\n\nexport function formatTenantClientImportViolation(\n classification: TenantClientImportClassification\n): string {\n const patternId = classification.pattern\n ? ` [${classification.pattern.id}]`\n : \"\";\n return `Tenant client import is not allowed${patternId}: ${classification.importPath}. ${classification.reason}`;\n}\n"]}
|
|
1
|
+
{"version":3,"sources":["../src/tenant-client.contract.ts"],"names":[],"mappings":";AAcO,IAAM,8BAAA,GAAiC;AAEvC,IAAM,wBAAA,GAA2B;AAAA,EACtC,kBAAA;AAAA,EACA,mBAAA;AAAA,EACA,gBAAA;AAAA,EACA;AACF;AAGO,IAAM,6BAAA,GAAgC;AAAA,EAC3C,OAAA;AAAA,EACA,SAAA;AAAA,EACA;AACF;AAIO,IAAM,qCAAA,GAAwC;AAAA,EACnD,UAAA;AAAA,EACA,aAAA;AAAA,EACA,aAAA;AAAA,EACA,UAAA;AAAA,EACA;AACF;AAIO,IAAM,qCAAA,GAAwC;AAAA,EACnD,eAAA;AAAA,EACA,OAAA;AAAA,EACA,WAAA;AAAA,EACA;AACF;AAIO,IAAM,+BAAA,GAAkC;AACxC,IAAM,0CAAA,GACX;AACK,IAAM,qDAAA,GAAwD;AAAA,EACnE;AACF;AACO,IAAM,kCAAA,GAAqC,CAAC,WAAW;AAMvD,IAAM,kCAAA,GAAqC;AAAA,EAChD;AAAA,IACE,WAAA,EAAa,wBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,eAAA;AAAA,IACb,IAAA,EAAM,kBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,cAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,aAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,qBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,oBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,gBAAA;AAAA,IACb,IAAA,EAAM,eAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,mBAAA;AAAA,IACb,IAAA,EAAM,qBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,uBAAA;AAAA,IACb,IAAA,EAAM,kBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,uBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,gBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,0BAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,kBAAA;AAAA,IACb,IAAA,EAAM,mBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,aAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,mBAAA;AAAA,IACb,IAAA,EAAM,kBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,wBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,wBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,eAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,0BAAA;AAAA,IACb,IAAA,EAAM,mBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,aAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,qBAAA;AAAA,IACb,IAAA,EAAM,kBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,iBAAA;AAAA,IACb,IAAA,EAAM,cAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,eAAA;AAAA,IACb,IAAA,EAAM,qBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA;AAExB;AAaO,IAAM,4BAAA,GAA+B;AAAA,EAC1C;AAAA,IACE,WAAA,EAAa,aAAA;AAAA,IACb,OAAA,EAAS,SAAA;AAAA,IACT,QAAA,EAAU,mBAAA;AAAA,IACV,WAAA,EAAa;AAAA,GACf;AAAA,EACA;AAAA,IACE,WAAA,EAAa,eAAA;AAAA,IACb,OAAA,EAAS,SAAA;AAAA,IACT,QAAA,EAAU,mBAAA;AAAA,IACV,WAAA,EAAa;AAAA,GACf;AAAA,EACA;AAAA,IACE,WAAA,EAAa,aAAA;AAAA,IACb,OAAA,EAAS,SAAA;AAAA,IACT,QAAA,EAAU,mBAAA;AAAA,IACV,WAAA,EAAa;AAAA,GACf;AAAA,EACA;AAAA,IACE,WAAA,EAAa,mBAAA;AAAA,IACb,OAAA,EAAS,UAAA;AAAA,IACT,QAAA,EAAU,mBAAA;AAAA,IACV,WAAA,EAAa;AAAA,GACf;AAAA,EACA;AAAA,IACE,WAAA,EAAa,eAAA;AAAA,IACb,OAAA,EAAS,UAAA;AAAA,IACT,QAAA,EAAU,mBAAA;AAAA,IACV,WAAA,EAAa;AAAA;AAEjB;AAOO,IAAM,sCAAA,GAAyC;AAAA,EACpD;AAAA,IACE,WAAA,EAAa,kBAAA;AAAA,IACb,UAAA,EAAY,gCAAA;AAAA,IACZ,OAAA,EAAS,kBAAA;AAAA,IACT,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,WAAA,EAAa,0BAAA;AAAA,IACb,UAAA,EAAY,wCAAA;AAAA,IACZ,OAAA,EAAS,kBAAA;AAAA,IACT,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,WAAA,EAAa,0BAAA;AAAA,IACb,UAAA,EAAY,yCAAA;AAAA,IACZ,OAAA,EAAS,kBAAA;AAAA,IACT,WAAA,EACE;AAAA;AAEN;AAOO,SAAS,mCACd,WAAA,EAC4C;AAC5C,EAAA,OAAO,kCAAA,CAAmC,IAAA;AAAA,IACxC,CAAC,KAAA,KAAU,KAAA,CAAM,WAAA,KAAgB;AAAA,GACnC;AACF;AAEO,SAAS,iCAAiC,WAAA,EAA8B;AAC7E,EAAA,OAAO,OAAA,CAAQ,kCAAA,CAAmC,WAAW,CAAC,CAAA;AAChE;AAEO,IAAM,qCAAA,GAAwC;AAAA,EACnD,WAAA;AAAA,EACA,SAAA;AAAA,EACA,SAAA;AAAA,EACA,UAAA;AAAA,EACA,WAAA;AAAA,EACA,OAAA;AAAA,EACA,WAAA;AAAA,EACA,QAAA;AAAA,EACA,OAAA;AAAA,EACA,gBAAA;AAAA,EACA,WAAA;AAAA,EACA,eAAA;AAAA,EACA,sBAAA;AAAA,EACA,gBAAA;AAAA,EACA,YAAA;AAAA,EACA,eAAA;AAAA,EACA,sBAAA;AAAA,EACA,OAAA;AAAA,EACA,UAAA;AAAA,EACA,cAAA;AAAA,EACA,QAAA;AAAA,EACA,MAAA;AAAA,EACA;AACF;AAIO,IAAM,0BAAA,GAA6B;AAAA,EACxC;AAAA,IACE,EAAA,EAAI,4BAAA;AAAA,IACJ,WAAA,EAAa,uDAAA;AAAA,IACb,QAAA,EAAU,CAAC,aAAA,EAAe,aAAa,CAAA;AAAA,IACvC,qBAAA,EAAuB;AAAA,GACzB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,2BAAA;AAAA,IACJ,WAAA,EAAa,wDAAA;AAAA,IACb,QAAA,EAAU,CAAC,aAAA,EAAe,eAAA,EAAiB,aAAa,CAAA;AAAA,IACxD,qBAAA,EAAuB;AAAA,GACzB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,sBAAA;AAAA,IACJ,WAAA,EAAa,yDAAA;AAAA,IACb,QAAA,EAAU,CAAC,aAAA,EAAe,eAAA,EAAiB,aAAa,CAAA;AAAA,IACxD,qBAAA,EAAuB;AAAA,GACzB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,uBAAA;AAAA,IACJ,WAAA,EAAa,0DAAA;AAAA,IACb,QAAA,EAAU,CAAC,aAAA,EAAe,aAAa,CAAA;AAAA,IACvC,qBAAA,EAAuB;AAAA,GACzB;AAAA,EACA;AAAA,IACE,EAAA,EAAI,6BAAA;AAAA,IACJ,WAAA,EAAa,oDAAA;AAAA,IACb,QAAA,EAAU,CAAC,aAAA,EAAe,eAAA,EAAiB,aAAa,CAAA;AAAA,IACxD,qBAAA,EAAuB;AAAA;AAE3B;AAKO,IAAM,6BAAA,GAAgC;AAAA,EAC3C;AAAA,IACE,EAAA,EAAI,iCAAA;AAAA,IACJ,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,0BAAA;AAAA,IACJ,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,2BAAA;AAAA,IACJ,WAAA,EACE;AAAA;AAEN;AAIO,IAAM,uCAAA,GAA0C;AAAA,EACrD;AAAA,IACE,EAAA,EAAI,iBAAA;AAAA,IACJ,OAAA,EAAS,2BAAA;AAAA,IACT,WAAA,EAAa;AAAA,GACf;AAAA,EACA;AAAA,IACE,EAAA,EAAI,kBAAA;AAAA,IACJ,OAAA,EAAS,4BAAA;AAAA,IACT,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,0BAAA;AAAA,IACJ,OAAA,EAAS,gDAAA;AAAA,IACT,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,wBAAA;AAAA,IACJ,OAAA,EAAS,4CAAA;AAAA,IACT,WAAA,EAAa;AAAA,GACf;AAAA,EACA;AAAA,IACE,EAAA,EAAI,yBAAA;AAAA,IACJ,OAAA,EAAS,+DAAA;AAAA,IACT,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,0BAAA;AAAA,IACJ,OAAA,EAAS,qDAAA;AAAA,IACT,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,+BAAA;AAAA,IACJ,OAAA,EAAS,mEAAA;AAAA,IACT,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,sBAAA;AAAA,IACJ,OAAA,EAAS,aAAA;AAAA,IACT,WAAA,EACE;AAAA;AAEN;AAoBA,SAAS,oBACP,UAAA,EACuC;AACvC,EAAA,MAAM,kBAAkB,sCAAA,CAAuC,IAAA;AAAA,IAC7D,CAAC,KAAA,KAAU,UAAA,KAAe,KAAA,CAAM;AAAA,GAClC;AACA,EAAA,IAAI,eAAA,EAAiB;AACnB,IAAA,OAAO,eAAA;AAAA,EACT;AAEA,EAAA,OAAO,4BAAA,CAA6B,IAAA;AAAA,IAClC,CAAC,KAAA,KACC,UAAA,KAAe,KAAA,CAAM,WAAA,IACrB,WAAW,UAAA,CAAW,CAAA,EAAG,KAAA,CAAM,WAAW,CAAA,CAAA,CAAG;AAAA,GACjD;AACF;AAEA,SAAS,wBACP,UAAA,EACgD;AAChD,EAAA,OAAO,uCAAA,CAAwC,IAAA;AAAA,IAAK,CAAC,UACnD,IAAI,MAAA,CAAO,MAAM,OAAA,EAAS,GAAG,CAAA,CAAE,IAAA,CAAK,UAAU;AAAA,GAChD;AACF;AAEO,SAAS,2BACd,UAAA,EACkC;AAClC,EAAA,MAAM,oBAAA,GAAuB,WAAW,IAAA,EAAK;AAC7C,EAAA,MAAM,OAAA,GAAU,wBAAwB,oBAAoB,CAAA;AAE5D,EAAA,IAAI,OAAA,EAAS;AACX,IAAA,OAAO;AAAA,MACL,UAAA,EAAY,oBAAA;AAAA,MACZ,QAAA,EAAU,WAAA;AAAA,MACV,OAAA;AAAA,MACA,QAAQ,OAAA,CAAQ;AAAA,KAClB;AAAA,EACF;AAEA,EAAA,MAAM,YAAA,GAAe,oBAAoB,oBAAoB,CAAA;AAC7D,EAAA,IAAI,YAAA,EAAc;AAChB,IAAA,OAAO;AAAA,MACL,UAAA,EAAY,oBAAA;AAAA,MACZ,QAAA,EAAU,QAAA;AAAA,MACV,YAAA;AAAA,MACA,QAAQ,YAAA,CAAa;AAAA,KACvB;AAAA,EACF;AAEA,EAAA,IAAI,oBAAA,CAAqB,UAAA,CAAW,UAAU,CAAA,EAAG;AAC/C,IAAA,OAAO;AAAA,MACL,UAAA,EAAY,oBAAA;AAAA,MACZ,QAAA,EAAU,WAAA;AAAA,MACV,MAAA,EACE;AAAA,KACJ;AAAA,EACF;AAEA,EAAA,IACE,qBAAqB,UAAA,CAAW,IAAI,KACpC,oBAAA,CAAqB,UAAA,CAAW,KAAK,CAAA,EACrC;AACA,IAAA,OAAO;AAAA,MACL,UAAA,EAAY,oBAAA;AAAA,MACZ,QAAA,EAAU,OAAA;AAAA,MACV,MAAA,EAAQ;AAAA,KACV;AAAA,EACF;AAEA,EAAA,OAAO;AAAA,IACL,UAAA,EAAY,oBAAA;AAAA,IACZ,QAAA,EAAU,UAAA;AAAA,IACV,MAAA,EAAQ;AAAA,GACV;AACF;AAEO,SAAS,2BAA2B,UAAA,EAA6B;AACtE,EAAA,OAAO,0BAAA,CAA2B,UAAU,CAAA,CAAE,QAAA,KAAa,QAAA;AAC7D;AAEO,SAAS,oCACd,UAAA,EACS;AACT,EAAA,OAAO,sCAAA,CAAuC,IAAA;AAAA,IAC5C,CAAC,KAAA,KAAU,UAAA,KAAe,KAAA,CAAM;AAAA,GAClC;AACF;AAEO,SAAS,4BAA4B,UAAA,EAA6B;AACvE,EAAA,OAAO,0BAAA,CAA2B,UAAU,CAAA,CAAE,QAAA,KAAa,QAAA;AAC7D;AAEO,SAAS,gCAAgC,UAAA,EAA0B;AACxE,EAAA,MAAM,cAAA,GAAiB,2BAA2B,UAAU,CAAA;AAC5D,EAAA,IAAI,cAAA,CAAe,aAAa,WAAA,EAAa;AAC3C,IAAA;AAAA,EACF;AAEA,EAAA,MAAM,IAAI,KAAA,CAAM,iCAAA,CAAkC,cAAc,CAAC,CAAA;AACnE;AAEO,SAAS,kCACd,cAAA,EACQ;AACR,EAAA,MAAM,YAAY,cAAA,CAAe,OAAA,GAC7B,KAAK,cAAA,CAAe,OAAA,CAAQ,EAAE,CAAA,CAAA,CAAA,GAC9B,EAAA;AACJ,EAAA,OAAO,sCAAsC,SAAS,CAAA,EAAA,EAAK,eAAe,UAAU,CAAA,EAAA,EAAK,eAAe,MAAM,CAAA,CAAA;AAChH","file":"tenant-client.contract.js","sourcesContent":["/**\n * Tenant client contract\n *\n * Defines the generic boundary for any customer-owned product that consumes\n * Lucern through the SDK, hosted API, or MCP server. Tenant clients may run\n * their own UI, auth provider, deployment, and data plane, but reasoning\n * operations must enter through the published packages below.\n */\n\nimport type {\n SessionAuthMode,\n SessionPrincipalType,\n} from \"./auth.contract\";\n\nexport const TENANT_CLIENT_CONTRACT_VERSION = \"2026-04-27\" as const;\n\nexport const TENANT_CLIENT_AUTH_MODES = [\n \"interactive_user\",\n \"service_principal\",\n \"tenant_api_key\",\n \"session_token\",\n] as const satisfies readonly SessionAuthMode[];\nexport type TenantClientAuthMode = (typeof TENANT_CLIENT_AUTH_MODES)[number];\n\nexport const TENANT_CLIENT_PRINCIPAL_TYPES = [\n \"human\",\n \"service\",\n \"agent\",\n] as const satisfies readonly SessionPrincipalType[];\nexport type TenantClientPrincipalType =\n (typeof TENANT_CLIENT_PRINCIPAL_TYPES)[number];\n\nexport const TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS = [\n \"tenantId\",\n \"workspaceId\",\n \"principalId\",\n \"authMode\",\n \"scopes\",\n] as const;\nexport type TenantClientRequiredContextField =\n (typeof TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS)[number];\n\nexport const TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS = [\n \"principalType\",\n \"roles\",\n \"sessionId\",\n \"delegationChain\",\n] as const;\nexport type TenantClientOptionalContextField =\n (typeof TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS)[number];\n\nexport const TENANT_CLIENT_INSTALL_TOKEN_ENV = \"INSTALL_LUCERN_NPM\" as const;\nexport const TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH =\n \"tenants/shared\" as const;\nexport const TENANT_CLIENT_FORBIDDEN_INSTALL_TOKEN_INFISICAL_PATHS = [\n \"/platform/publish\",\n] as const;\nexport const TENANT_CLIENT_FORBIDDEN_SECRET_ENV = [\"NPM_TOKEN\"] as const;\nexport type TenantClientForbiddenInstallTokenInfisicalPath =\n (typeof TENANT_CLIENT_FORBIDDEN_INSTALL_TOKEN_INFISICAL_PATHS)[number];\nexport type TenantClientForbiddenSecretEnv =\n (typeof TENANT_CLIENT_FORBIDDEN_SECRET_ENV)[number];\n\nexport const TENANT_CLIENT_INSTALLABLE_PACKAGES = [\n {\n packageName: \"@lucern/access-control\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/agent\",\n role: \"platform_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/auth\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/cli\",\n role: \"developer_tool\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/client-core\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/confidence\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/config\",\n role: \"configuration\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/contracts\",\n role: \"contract_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/control-plane\",\n role: \"platform_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/developer-kit\",\n role: \"developer_tool\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/events\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/graph-primitives\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/identity\",\n role: \"component_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/mcp\",\n role: \"runtime_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/pack-host\",\n role: \"platform_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/pack-installer\",\n role: \"developer_tool\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/proof-compiler\",\n role: \"developer_tool\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/react\",\n role: \"runtime_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/reasoning-kernel\",\n role: \"component_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/sdk\",\n role: \"runtime_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/server-core\",\n role: \"platform_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/testing\",\n role: \"test_support\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/types\",\n role: \"contract_entrypoint\",\n directTenantImport: true,\n },\n] as const;\nexport type TenantClientInstallablePackage =\n (typeof TENANT_CLIENT_INSTALLABLE_PACKAGES)[number];\nexport type TenantClientPackageRole = TenantClientInstallablePackage[\"role\"];\nexport type TenantClientInstallablePackageName =\n TenantClientInstallablePackage[\"packageName\"];\n\n/**\n * Direct imports tenant-owned product code may use. This is intentionally\n * smaller than TENANT_CLIENT_INSTALLABLE_PACKAGES: several publishable packages\n * are installed as SDK dependencies, tooling, or platform runtimes but should\n * not become the application integration surface.\n */\nexport const TENANT_CLIENT_PUBLIC_IMPORTS = [\n {\n packageName: \"@lucern/sdk\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description: \"TypeScript SDK runtime and generated operation namespaces.\",\n },\n {\n packageName: \"@lucern/react\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description: \"React bindings for tenant-owned UI applications.\",\n },\n {\n packageName: \"@lucern/mcp\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description: \"MCP client/server entry points and hosted route helpers.\",\n },\n {\n packageName: \"@lucern/contracts\",\n surface: \"contract\",\n subpaths: \"published_exports\",\n description: \"Published type and manifest contracts.\",\n },\n {\n packageName: \"@lucern/types\",\n surface: \"contract\",\n subpaths: \"published_exports\",\n description: \"Published type-only helpers for tenant integration code.\",\n },\n] as const;\nexport type TenantClientPublicImport =\n (typeof TENANT_CLIENT_PUBLIC_IMPORTS)[number];\nexport type TenantClientPublicPackage =\n TenantClientPublicImport[\"packageName\"];\nexport type TenantClientPublicSurface = TenantClientPublicImport[\"surface\"];\n\nexport const TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS = [\n {\n packageName: \"@lucern/identity\",\n importPath: \"@lucern/identity/convex.config\",\n surface: \"component_config\",\n description:\n \"Convex component binding config for tenant deployments that install Lucern identity.\",\n },\n {\n packageName: \"@lucern/reasoning-kernel\",\n importPath: \"@lucern/reasoning-kernel/convex.config\",\n surface: \"component_config\",\n description:\n \"Convex component binding config for tenant deployments that install the Lucern reasoning kernel.\",\n },\n {\n packageName: \"@lucern/reasoning-kernel\",\n importPath: \"@lucern/reasoning-kernel/runtime.config\",\n surface: \"component_config\",\n description:\n \"Runtime config alias for tenant deployments that install the Lucern reasoning kernel.\",\n },\n] as const;\nexport type TenantClientComponentConfigImport =\n (typeof TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS)[number];\nexport type TenantClientAllowedImport =\n | TenantClientPublicImport\n | TenantClientComponentConfigImport;\n\nexport function findTenantClientInstallablePackage(\n packageName: string\n): TenantClientInstallablePackage | undefined {\n return TENANT_CLIENT_INSTALLABLE_PACKAGES.find(\n (entry) => entry.packageName === packageName\n );\n}\n\nexport function isTenantClientInstallablePackage(packageName: string): boolean {\n return Boolean(findTenantClientInstallablePackage(packageName));\n}\n\nexport const TENANT_CLIENT_REQUIRED_SDK_NAMESPACES = [\n \"bootstrap\",\n \"context\",\n \"beliefs\",\n \"evidence\",\n \"questions\",\n \"graph\",\n \"worktrees\",\n \"topics\",\n \"edges\",\n \"contradictions\",\n \"contracts\",\n \"graphAnalysis\",\n \"graphRecommendations\",\n \"orgGraphSearch\",\n \"embeddings\",\n \"ontologyLinks\",\n \"graphStateClassifier\",\n \"tools\",\n \"identity\",\n \"modelRuntime\",\n \"events\",\n \"jobs\",\n \"telemetry\",\n] as const;\nexport type TenantClientRequiredSdkNamespace =\n (typeof TENANT_CLIENT_REQUIRED_SDK_NAMESPACES)[number];\n\nexport const TENANT_CLIENT_CAPABILITIES = [\n {\n id: \"identity.bootstrap_session\",\n description: \"Start a scoped Lucern session for a tenant principal.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.context.compile\",\n description: \"Compile tenant and workspace scoped reasoning context.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/react\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.graph.read\",\n description: \"Read beliefs, evidence, questions, topics, and lineage.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/react\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.graph.write\",\n description: \"Create and update graph objects through authorized APIs.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"workflow.worktree_lifecycle\",\n description: \"Create, review, merge, and close scoped worktrees.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/react\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n] as const;\nexport type TenantClientCapability =\n (typeof TENANT_CLIENT_CAPABILITIES)[number];\nexport type TenantClientCapabilityId = TenantClientCapability[\"id\"];\n\nexport const TENANT_CLIENT_ISOLATION_RULES = [\n {\n id: \"tenant_workspace_scope_required\",\n description:\n \"Runtime operations must resolve both tenantId and workspaceId before reaching Lucern reasoning state.\",\n },\n {\n id: \"principal_audit_required\",\n description:\n \"Runtime operations must carry principalId, authMode, and scopes for audit attribution.\",\n },\n {\n id: \"no_private_lucern_imports\",\n description:\n \"Tenant code must not import Lucern source, Convex internals, generated adapters, or unpublished package internals.\",\n },\n] as const;\nexport type TenantClientIsolationRule =\n (typeof TENANT_CLIENT_ISOLATION_RULES)[number];\n\nexport const TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS = [\n {\n id: \"deep_src_import\",\n pattern: \"^@lucern/[^/]+/src(?:/|$)\",\n description: \"Published packages must not be bypassed through src paths.\",\n },\n {\n id: \"deep_dist_import\",\n pattern: \"^@lucern/[^/]+/dist(?:/|$)\",\n description:\n \"Published package exports must be used instead of dist file paths.\",\n },\n {\n id: \"generated_adapter_import\",\n pattern: \"^@lucern/[^/]+/(?:adapters/)?_generated(?:/|$)\",\n description:\n \"Generated Lucern adapters are internal deployment artifacts.\",\n },\n {\n id: \"private_runtime_import\",\n pattern: \"^@lucern/[^/]+/(?:internal|private)(?:/|$)\",\n description: \"Internal and private package subpaths are not public SDK API.\",\n },\n {\n id: \"workspace_source_import\",\n pattern: \"^(?:packages|modules|services|lucern|apps)/(?:.+/)?src(?:/|$)\",\n description:\n \"Tenant clients must not import source files from the Lucern monorepo.\",\n },\n {\n id: \"root_alias_lucern_import\",\n pattern: \"^@/(?:lucern|packages|modules|services|apps)(?:/|$)\",\n description:\n \"Tenant clients must not depend on Lucern repo-local path aliases.\",\n },\n {\n id: \"relative_lucern_source_import\",\n pattern: \"^\\\\.\\\\.?/(?:.+/)?(?:packages|modules|services|lucern|apps)(?:/|$)\",\n description:\n \"Tenant clients must not reach back into Lucern source through relative paths.\",\n },\n {\n id: \"monorepo_path_import\",\n pattern: \"lucern-repo\",\n description:\n \"Absolute imports that name the Lucern repository are not portable tenant code.\",\n },\n] as const;\nexport type TenantClientForbiddenImportPattern =\n (typeof TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS)[number];\nexport type TenantClientForbiddenImportPatternId =\n TenantClientForbiddenImportPattern[\"id\"];\n\nexport type TenantClientImportDecision =\n | \"public\"\n | \"forbidden\"\n | \"local\"\n | \"external\";\n\nexport type TenantClientImportClassification = {\n importPath: string;\n decision: TenantClientImportDecision;\n publicImport?: TenantClientAllowedImport;\n pattern?: TenantClientForbiddenImportPattern;\n reason: string;\n};\n\nfunction matchesPublicImport(\n importPath: string\n): TenantClientAllowedImport | undefined {\n const componentConfig = TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS.find(\n (entry) => importPath === entry.importPath\n );\n if (componentConfig) {\n return componentConfig;\n }\n\n return TENANT_CLIENT_PUBLIC_IMPORTS.find(\n (entry) =>\n importPath === entry.packageName ||\n importPath.startsWith(`${entry.packageName}/`)\n );\n}\n\nfunction matchesForbiddenPattern(\n importPath: string\n): TenantClientForbiddenImportPattern | undefined {\n return TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS.find((entry) =>\n new RegExp(entry.pattern, \"u\").test(importPath)\n );\n}\n\nexport function classifyTenantClientImport(\n importPath: string\n): TenantClientImportClassification {\n const normalizedImportPath = importPath.trim();\n const pattern = matchesForbiddenPattern(normalizedImportPath);\n\n if (pattern) {\n return {\n importPath: normalizedImportPath,\n decision: \"forbidden\",\n pattern,\n reason: pattern.description,\n };\n }\n\n const publicImport = matchesPublicImport(normalizedImportPath);\n if (publicImport) {\n return {\n importPath: normalizedImportPath,\n decision: \"public\",\n publicImport,\n reason: publicImport.description,\n };\n }\n\n if (normalizedImportPath.startsWith(\"@lucern/\")) {\n return {\n importPath: normalizedImportPath,\n decision: \"forbidden\",\n reason:\n \"This @lucern package is not part of the tenant client public surface.\",\n };\n }\n\n if (\n normalizedImportPath.startsWith(\"./\") ||\n normalizedImportPath.startsWith(\"../\")\n ) {\n return {\n importPath: normalizedImportPath,\n decision: \"local\",\n reason: \"Local tenant-owned import.\",\n };\n }\n\n return {\n importPath: normalizedImportPath,\n decision: \"external\",\n reason: \"External dependency outside the Lucern package namespace.\",\n };\n}\n\nexport function isTenantClientPublicImport(importPath: string): boolean {\n return classifyTenantClientImport(importPath).decision === \"public\";\n}\n\nexport function isTenantClientComponentConfigImport(\n importPath: string\n): boolean {\n return TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS.some(\n (entry) => importPath === entry.importPath\n );\n}\n\nexport function isTenantClientAllowedImport(importPath: string): boolean {\n return classifyTenantClientImport(importPath).decision === \"public\";\n}\n\nexport function assertTenantClientImportAllowed(importPath: string): void {\n const classification = classifyTenantClientImport(importPath);\n if (classification.decision !== \"forbidden\") {\n return;\n }\n\n throw new Error(formatTenantClientImportViolation(classification));\n}\n\nexport function formatTenantClientImportViolation(\n classification: TenantClientImportClassification\n): string {\n const patternId = classification.pattern\n ? ` [${classification.pattern.id}]`\n : \"\";\n return `Tenant client import is not allowed${patternId}: ${classification.importPath}. ${classification.reason}`;\n}\n"]}
|