@lucern/contracts 0.3.0-alpha.3 → 0.3.0-alpha.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (110) hide show
  1. package/dist/component-host-boundary.contract.d.ts +41 -0
  2. package/dist/component-host-boundary.contract.js +54 -0
  3. package/dist/component-host-boundary.contract.js.map +1 -0
  4. package/dist/function-registry/beliefs.d.ts +41 -41
  5. package/dist/function-registry/beliefs.js +202 -8
  6. package/dist/function-registry/beliefs.js.map +1 -1
  7. package/dist/function-registry/coding.js +187 -8
  8. package/dist/function-registry/coding.js.map +1 -1
  9. package/dist/function-registry/context.d.ts +13 -13
  10. package/dist/function-registry/context.js +187 -9
  11. package/dist/function-registry/context.js.map +1 -1
  12. package/dist/function-registry/contracts.js +158 -5
  13. package/dist/function-registry/contracts.js.map +1 -1
  14. package/dist/function-registry/coordination.js +158 -5
  15. package/dist/function-registry/coordination.js.map +1 -1
  16. package/dist/function-registry/edges.js +169 -6
  17. package/dist/function-registry/edges.js.map +1 -1
  18. package/dist/function-registry/evidence.d.ts +33 -33
  19. package/dist/function-registry/evidence.js +202 -9
  20. package/dist/function-registry/evidence.js.map +1 -1
  21. package/dist/function-registry/graph.d.ts +53 -53
  22. package/dist/function-registry/graph.js +217 -12
  23. package/dist/function-registry/graph.js.map +1 -1
  24. package/dist/function-registry/helpers.d.ts +1 -1
  25. package/dist/function-registry/helpers.js +158 -5
  26. package/dist/function-registry/helpers.js.map +1 -1
  27. package/dist/function-registry/identity.js +158 -5
  28. package/dist/function-registry/identity.js.map +1 -1
  29. package/dist/function-registry/index.d.ts +1 -1
  30. package/dist/function-registry/index.js +158 -5
  31. package/dist/function-registry/index.js.map +1 -1
  32. package/dist/function-registry/judgments.d.ts +9 -9
  33. package/dist/function-registry/judgments.js +170 -8
  34. package/dist/function-registry/judgments.js.map +1 -1
  35. package/dist/function-registry/legacy.js +158 -5
  36. package/dist/function-registry/legacy.js.map +1 -1
  37. package/dist/function-registry/lenses.d.ts +17 -17
  38. package/dist/function-registry/lenses.js +181 -8
  39. package/dist/function-registry/lenses.js.map +1 -1
  40. package/dist/function-registry/manifest.d.ts +3 -3
  41. package/dist/function-registry/manifest.js +1 -1
  42. package/dist/function-registry/manifest.js.map +1 -1
  43. package/dist/function-registry/ontologies.d.ts +45 -45
  44. package/dist/function-registry/ontologies.js +176 -11
  45. package/dist/function-registry/ontologies.js.map +1 -1
  46. package/dist/function-registry/pipeline.d.ts +13 -13
  47. package/dist/function-registry/pipeline.js +167 -8
  48. package/dist/function-registry/pipeline.js.map +1 -1
  49. package/dist/function-registry/questions.d.ts +49 -49
  50. package/dist/function-registry/questions.js +255 -13
  51. package/dist/function-registry/questions.js.map +1 -1
  52. package/dist/function-registry/tasks.js +158 -5
  53. package/dist/function-registry/tasks.js.map +1 -1
  54. package/dist/function-registry/topics.d.ts +21 -21
  55. package/dist/function-registry/topics.js +172 -8
  56. package/dist/function-registry/topics.js.map +1 -1
  57. package/dist/function-registry/types.d.ts +1 -1
  58. package/dist/function-registry/worktrees.d.ts +80 -41
  59. package/dist/function-registry/worktrees.js +292 -17
  60. package/dist/function-registry/worktrees.js.map +1 -1
  61. package/dist/function-registry-input-audit.d.ts +13 -0
  62. package/dist/function-registry-input-audit.js +164 -0
  63. package/dist/function-registry-input-audit.js.map +1 -0
  64. package/dist/gateway.contract.d.ts +1 -0
  65. package/dist/gateway.contract.js.map +1 -1
  66. package/dist/generated/convexSchemas.js +1 -1
  67. package/dist/generated/convexSchemas.js.map +1 -1
  68. package/dist/index.d.ts +188 -35
  69. package/dist/index.js +1370 -17
  70. package/dist/index.js.map +1 -1
  71. package/dist/infisical-runtime.contract.d.ts +174 -0
  72. package/dist/infisical-runtime.contract.js +192 -0
  73. package/dist/infisical-runtime.contract.js.map +1 -0
  74. package/dist/schemas/index.js +3 -1
  75. package/dist/schemas/index.js.map +1 -1
  76. package/dist/schemas/manifest.d.ts +935 -905
  77. package/dist/schemas/manifest.js +3 -1
  78. package/dist/schemas/manifest.js.map +1 -1
  79. package/dist/schemas/sl-opinion.d.ts +4 -4
  80. package/dist/schemas/tables/identity/platform.d.ts +10 -10
  81. package/dist/schemas/tables/kernel/epistemic.d.ts +6 -6
  82. package/dist/schemas/tables/kernel/infra.d.ts +4 -4
  83. package/dist/schemas/tables/kernel/intelligence.d.ts +10 -10
  84. package/dist/schemas/tables/kernel/lens.d.ts +4 -4
  85. package/dist/schemas/tables/kernel/platform.d.ts +12 -12
  86. package/dist/schemas/tables/kernel/spine.d.ts +2 -2
  87. package/dist/schemas/tables/kernel/task.d.ts +42 -42
  88. package/dist/schemas/tables/kernel/worktree.d.ts +62 -62
  89. package/dist/schemas/tables/mc/identity.d.ts +2 -2
  90. package/dist/schemas/tables/mc/pack.d.ts +20 -20
  91. package/dist/schemas/tables/mc/registry.d.ts +4 -4
  92. package/dist/schemas/tables/mc/workspace.d.ts +9 -3
  93. package/dist/schemas/tables/mc/workspace.js +3 -1
  94. package/dist/schemas/tables/mc/workspace.js.map +1 -1
  95. package/dist/sdk-methods.contract.d.ts +1 -1
  96. package/dist/{sdk-tools.contract-S4ia0TTo.d.ts → sdk-tools.contract-CD-N1Jf7.d.ts} +1 -1
  97. package/dist/sdk-tools.contract.d.ts +2 -2
  98. package/dist/sdk-tools.contract.js +157 -4
  99. package/dist/sdk-tools.contract.js.map +1 -1
  100. package/dist/tenant-bootstrap-seed.contract.d.ts +1097 -0
  101. package/dist/tenant-bootstrap-seed.contract.js +651 -0
  102. package/dist/tenant-bootstrap-seed.contract.js.map +1 -0
  103. package/dist/tenant-bootstrap-seed.defaults.d.ts +16 -0
  104. package/dist/tenant-bootstrap-seed.defaults.js +303 -0
  105. package/dist/tenant-bootstrap-seed.defaults.js.map +1 -0
  106. package/dist/{tool-contracts-C92-9ueT.d.ts → tool-contracts-BcKz-VGj.d.ts} +4 -2
  107. package/dist/tool-contracts.d.ts +1 -1
  108. package/dist/tool-contracts.js +158 -5
  109. package/dist/tool-contracts.js.map +1 -1
  110. package/package.json +1 -1
@@ -0,0 +1,13 @@
1
+ import { FunctionContract } from './function-registry/types.js';
2
+
3
+ type FunctionRegistryInputAuditFinding = {
4
+ contractName: string;
5
+ projectionKeys: string[];
6
+ acceptedKeys: string[];
7
+ missingKeys: string[];
8
+ };
9
+ type InputProjection = NonNullable<FunctionContract["convex"]>["inputProjection"];
10
+ declare function projectionReadKeys(projection: InputProjection): string[];
11
+ declare function auditFunctionRegistryInputs(contracts?: readonly FunctionContract[]): FunctionRegistryInputAuditFinding[];
12
+
13
+ export { type FunctionRegistryInputAuditFinding, auditFunctionRegistryInputs, projectionReadKeys };
@@ -0,0 +1,164 @@
1
+ import { z } from 'zod';
2
+ import { ALL_FUNCTION_CONTRACTS } from './function-registry/index.js';
3
+
4
+ // src/function-registry-input-audit.ts
5
+ var INTERNAL_OR_ALIAS_KEYS = /* @__PURE__ */ new Set([
6
+ "__sdkSessionId",
7
+ "actorId",
8
+ "beliefId",
9
+ "createdBy",
10
+ "evidenceId",
11
+ "id",
12
+ "insightId",
13
+ "nodeId",
14
+ "ontologyId",
15
+ "parentNodeId",
16
+ "principalId",
17
+ "projectId",
18
+ "questionId",
19
+ "tenantId",
20
+ "trustedBypassAccessCheck",
21
+ "userId",
22
+ "versionId",
23
+ "workspaceId"
24
+ ]);
25
+ var INTENTIONAL_PROJECTION_READS = {
26
+ add_evidence: ["linkedBeliefNodeId", "targetId"],
27
+ apply_lens_to_topic: ["metadata"],
28
+ archive_belief: ["reason"],
29
+ check_permission: ["principalId", "tenantId", "userId", "workspaceId"],
30
+ claim_files: ["paths", "touchedFiles"],
31
+ complete_task: ["summary"],
32
+ create_belief: ["formulation"],
33
+ discover: ["prompt", "topicHint"],
34
+ filter_by_permission: ["principalId", "tenantId", "userId", "workspaceId"],
35
+ get_change_history: ["status"],
36
+ get_failure_log: ["status"],
37
+ identity_whoami: ["principalId", "tenantId", "userId", "workspaceId"],
38
+ ingest_observation: ["reasoning", "trustedBypassAccessCheck"],
39
+ link_evidence: [
40
+ "beliefId",
41
+ "beliefNodeId",
42
+ "context",
43
+ "evidenceNodeId",
44
+ "globalId",
45
+ "insightId",
46
+ "topicId",
47
+ "trustedBypassAccessCheck",
48
+ "type"
49
+ ],
50
+ link_evidence_to_belief: [
51
+ "beliefNodeId",
52
+ "context",
53
+ "evidenceNodeId",
54
+ "globalId",
55
+ "insightId",
56
+ "targetId",
57
+ "topicId",
58
+ "trustedBypassAccessCheck",
59
+ "type"
60
+ ],
61
+ link_evidence_to_question: [
62
+ "context",
63
+ "evidenceNodeId",
64
+ "globalId",
65
+ "impactScore",
66
+ "insightId",
67
+ "questionNodeId",
68
+ "targetId",
69
+ "topicId",
70
+ "trustedBypassAccessCheck",
71
+ "weight"
72
+ ],
73
+ list_evidence: ["status"],
74
+ manage_write_policy: ["summary"],
75
+ merge: ["decisionsReached", "keyFindings", "nextSteps"],
76
+ record_attempt: ["reasoning", "trustedBypassAccessCheck"],
77
+ record_judgment: ["reasoning", "trustedBypassAccessCheck"],
78
+ record_scope_learning: ["reasoning", "trustedBypassAccessCheck"],
79
+ search_beliefs: ["searchQuery"],
80
+ search_evidence: ["query", "searchQuery"],
81
+ update_question_status: ["answer", "answerStatus", "nodeId", "questionId"],
82
+ update_topic: ["graphScopeProjectId"]
83
+ };
84
+ function unwrapObjectSchema(schema) {
85
+ let current = schema;
86
+ while (true) {
87
+ switch (current._def.typeName) {
88
+ case z.ZodFirstPartyTypeKind.ZodEffects:
89
+ current = current._def.schema;
90
+ continue;
91
+ case z.ZodFirstPartyTypeKind.ZodBranded:
92
+ current = current._def.type;
93
+ continue;
94
+ default:
95
+ return current instanceof z.ZodObject ? current : void 0;
96
+ }
97
+ }
98
+ }
99
+ function objectSchemaKeys(schema) {
100
+ const objectSchema = unwrapObjectSchema(schema);
101
+ if (!objectSchema) {
102
+ return /* @__PURE__ */ new Set();
103
+ }
104
+ const shape = typeof objectSchema._def.shape === "function" ? objectSchema._def.shape() : objectSchema._def.shape;
105
+ return new Set(Object.keys(shape));
106
+ }
107
+ function projectionReadKeys(projection) {
108
+ if (!projection) {
109
+ return [];
110
+ }
111
+ const source = String(projection);
112
+ const keys = /* @__PURE__ */ new Set();
113
+ for (const match of source.matchAll(/\binput\s*\.\s*([A-Za-z_$][\w$]*)/gu)) {
114
+ keys.add(match[1]);
115
+ }
116
+ for (const match of source.matchAll(/\binput\s*\[\s*["']([^"']+)["']\s*\]/gu)) {
117
+ keys.add(match[1]);
118
+ }
119
+ return [...keys].sort();
120
+ }
121
+ function acceptedInputKeys(contract) {
122
+ return [
123
+ .../* @__PURE__ */ new Set([
124
+ ...objectSchemaKeys(contract.args),
125
+ ...objectSchemaKeys(contract.input),
126
+ ...Object.keys(contract.mcp.parameters),
127
+ "__sdkSessionId"
128
+ ])
129
+ ].sort();
130
+ }
131
+ function allowedProjectionKeys(contractName) {
132
+ return /* @__PURE__ */ new Set([
133
+ ...INTERNAL_OR_ALIAS_KEYS,
134
+ ...INTENTIONAL_PROJECTION_READS[contractName] ?? []
135
+ ]);
136
+ }
137
+ function auditFunctionRegistryInputs(contracts = ALL_FUNCTION_CONTRACTS) {
138
+ return contracts.flatMap((contract) => {
139
+ const projectionKeys = projectionReadKeys(contract.convex?.inputProjection);
140
+ if (projectionKeys.length === 0) {
141
+ return [];
142
+ }
143
+ const accepted = new Set(acceptedInputKeys(contract));
144
+ const allowed = allowedProjectionKeys(contract.name);
145
+ const missingKeys = projectionKeys.filter(
146
+ (key) => !accepted.has(key) && !allowed.has(key)
147
+ );
148
+ if (missingKeys.length === 0) {
149
+ return [];
150
+ }
151
+ return [
152
+ {
153
+ contractName: contract.name,
154
+ projectionKeys,
155
+ acceptedKeys: [...accepted].sort(),
156
+ missingKeys
157
+ }
158
+ ];
159
+ });
160
+ }
161
+
162
+ export { auditFunctionRegistryInputs, projectionReadKeys };
163
+ //# sourceMappingURL=function-registry-input-audit.js.map
164
+ //# sourceMappingURL=function-registry-input-audit.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../src/function-registry-input-audit.ts"],"names":[],"mappings":";;;;AAeA,IAAM,sBAAA,uBAA6B,GAAA,CAAI;AAAA,EACrC,gBAAA;AAAA,EACA,SAAA;AAAA,EACA,UAAA;AAAA,EACA,WAAA;AAAA,EACA,YAAA;AAAA,EACA,IAAA;AAAA,EACA,WAAA;AAAA,EACA,QAAA;AAAA,EACA,YAAA;AAAA,EACA,cAAA;AAAA,EACA,aAAA;AAAA,EACA,WAAA;AAAA,EACA,YAAA;AAAA,EACA,UAAA;AAAA,EACA,0BAAA;AAAA,EACA,QAAA;AAAA,EACA,WAAA;AAAA,EACA;AACF,CAAC,CAAA;AAED,IAAM,4BAAA,GAAkE;AAAA,EACtE,YAAA,EAAc,CAAC,oBAAA,EAAsB,UAAU,CAAA;AAAA,EAC/C,mBAAA,EAAqB,CAAC,UAAU,CAAA;AAAA,EAChC,cAAA,EAAgB,CAAC,QAAQ,CAAA;AAAA,EACzB,gBAAA,EAAkB,CAAC,aAAA,EAAe,UAAA,EAAY,UAAU,aAAa,CAAA;AAAA,EACrE,WAAA,EAAa,CAAC,OAAA,EAAS,cAAc,CAAA;AAAA,EACrC,aAAA,EAAe,CAAC,SAAS,CAAA;AAAA,EACzB,aAAA,EAAe,CAAC,aAAa,CAAA;AAAA,EAC7B,QAAA,EAAU,CAAC,QAAA,EAAU,WAAW,CAAA;AAAA,EAChC,oBAAA,EAAsB,CAAC,aAAA,EAAe,UAAA,EAAY,UAAU,aAAa,CAAA;AAAA,EACzE,kBAAA,EAAoB,CAAC,QAAQ,CAAA;AAAA,EAC7B,eAAA,EAAiB,CAAC,QAAQ,CAAA;AAAA,EAC1B,eAAA,EAAiB,CAAC,aAAA,EAAe,UAAA,EAAY,UAAU,aAAa,CAAA;AAAA,EACpE,kBAAA,EAAoB,CAAC,WAAA,EAAa,0BAA0B,CAAA;AAAA,EAC5D,aAAA,EAAe;AAAA,IACb,UAAA;AAAA,IACA,cAAA;AAAA,IACA,SAAA;AAAA,IACA,gBAAA;AAAA,IACA,UAAA;AAAA,IACA,WAAA;AAAA,IACA,SAAA;AAAA,IACA,0BAAA;AAAA,IACA;AAAA,GACF;AAAA,EACA,uBAAA,EAAyB;AAAA,IACvB,cAAA;AAAA,IACA,SAAA;AAAA,IACA,gBAAA;AAAA,IACA,UAAA;AAAA,IACA,WAAA;AAAA,IACA,UAAA;AAAA,IACA,SAAA;AAAA,IACA,0BAAA;AAAA,IACA;AAAA,GACF;AAAA,EACA,yBAAA,EAA2B;AAAA,IACzB,SAAA;AAAA,IACA,gBAAA;AAAA,IACA,UAAA;AAAA,IACA,aAAA;AAAA,IACA,WAAA;AAAA,IACA,gBAAA;AAAA,IACA,UAAA;AAAA,IACA,SAAA;AAAA,IACA,0BAAA;AAAA,IACA;AAAA,GACF;AAAA,EACA,aAAA,EAAe,CAAC,QAAQ,CAAA;AAAA,EACxB,mBAAA,EAAqB,CAAC,SAAS,CAAA;AAAA,EAC/B,KAAA,EAAO,CAAC,kBAAA,EAAoB,aAAA,EAAe,WAAW,CAAA;AAAA,EACtD,cAAA,EAAgB,CAAC,WAAA,EAAa,0BAA0B,CAAA;AAAA,EACxD,eAAA,EAAiB,CAAC,WAAA,EAAa,0BAA0B,CAAA;AAAA,EACzD,qBAAA,EAAuB,CAAC,WAAA,EAAa,0BAA0B,CAAA;AAAA,EAC/D,cAAA,EAAgB,CAAC,aAAa,CAAA;AAAA,EAC9B,eAAA,EAAiB,CAAC,OAAA,EAAS,aAAa,CAAA;AAAA,EACxC,sBAAA,EAAwB,CAAC,QAAA,EAAU,cAAA,EAAgB,UAAU,YAAY,CAAA;AAAA,EACzE,YAAA,EAAc,CAAC,qBAAqB;AACtC,CAAA;AAEA,SAAS,mBACP,MAAA,EACwC;AACxC,EAAA,IAAI,OAAA,GAAU,MAAA;AACd,EAAA,OAAO,IAAA,EAAM;AACX,IAAA,QAAQ,OAAA,CAAQ,KAAK,QAAA;AAAU,MAC7B,KAAK,EAAE,qBAAA,CAAsB,UAAA;AAC3B,QAAA,OAAA,GAAU,QAAQ,IAAA,CAAK,MAAA;AACvB,QAAA;AAAA,MACF,KAAK,EAAE,qBAAA,CAAsB,UAAA;AAC3B,QAAA,OAAA,GAAU,QAAQ,IAAA,CAAK,IAAA;AACvB,QAAA;AAAA,MACF;AACE,QAAA,OAAO,OAAA,YAAmB,CAAA,CAAE,SAAA,GAAY,OAAA,GAAU,MAAA;AAAA;AACtD,EACF;AACF;AAEA,SAAS,iBAAiB,MAAA,EAAmC;AAC3D,EAAA,MAAM,YAAA,GAAe,mBAAmB,MAAM,CAAA;AAC9C,EAAA,IAAI,CAAC,YAAA,EAAc;AACjB,IAAA,2BAAW,GAAA,EAAI;AAAA,EACjB;AACA,EAAA,MAAM,KAAA,GACJ,OAAO,YAAA,CAAa,IAAA,CAAK,KAAA,KAAU,UAAA,GAC/B,YAAA,CAAa,IAAA,CAAK,KAAA,EAAM,GACxB,YAAA,CAAa,IAAA,CAAK,KAAA;AACxB,EAAA,OAAO,IAAI,GAAA,CAAI,MAAA,CAAO,IAAA,CAAK,KAAK,CAAC,CAAA;AACnC;AAEO,SAAS,mBACd,UAAA,EACU;AACV,EAAA,IAAI,CAAC,UAAA,EAAY;AACf,IAAA,OAAO,EAAC;AAAA,EACV;AACA,EAAA,MAAM,MAAA,GAAS,OAAO,UAAU,CAAA;AAChC,EAAA,MAAM,IAAA,uBAAW,GAAA,EAAY;AAE7B,EAAA,KAAA,MAAW,KAAA,IAAS,MAAA,CAAO,QAAA,CAAS,qCAAqC,CAAA,EAAG;AAC1E,IAAA,IAAA,CAAK,GAAA,CAAI,KAAA,CAAM,CAAC,CAAC,CAAA;AAAA,EACnB;AACA,EAAA,KAAA,MAAW,KAAA,IAAS,MAAA,CAAO,QAAA,CAAS,wCAAwC,CAAA,EAAG;AAC7E,IAAA,IAAA,CAAK,GAAA,CAAI,KAAA,CAAM,CAAC,CAAC,CAAA;AAAA,EACnB;AAEA,EAAA,OAAO,CAAC,GAAG,IAAI,CAAA,CAAE,IAAA,EAAK;AACxB;AAEA,SAAS,kBAAkB,QAAA,EAAsC;AAC/D,EAAA,OAAO;AAAA,IACL,uBAAO,GAAA,CAAI;AAAA,MACT,GAAG,gBAAA,CAAiB,QAAA,CAAS,IAAI,CAAA;AAAA,MACjC,GAAG,gBAAA,CAAiB,QAAA,CAAS,KAAK,CAAA;AAAA,MAClC,GAAG,MAAA,CAAO,IAAA,CAAK,QAAA,CAAS,IAAI,UAAU,CAAA;AAAA,MACtC;AAAA,KACD;AAAA,IACD,IAAA,EAAK;AACT;AAEA,SAAS,sBAAsB,YAAA,EAAmC;AAChE,EAAA,2BAAW,GAAA,CAAI;AAAA,IACb,GAAG,sBAAA;AAAA,IACH,GAAI,4BAAA,CAA6B,YAAY,CAAA,IAAK;AAAC,GACpD,CAAA;AACH;AAEO,SAAS,2BAAA,CACd,YAAyC,sBAAA,EACJ;AACrC,EAAA,OAAO,SAAA,CAAU,OAAA,CAAQ,CAAC,QAAA,KAAa;AACrC,IAAA,MAAM,cAAA,GAAiB,kBAAA,CAAmB,QAAA,CAAS,MAAA,EAAQ,eAAe,CAAA;AAC1E,IAAA,IAAI,cAAA,CAAe,WAAW,CAAA,EAAG;AAC/B,MAAA,OAAO,EAAC;AAAA,IACV;AAEA,IAAA,MAAM,QAAA,GAAW,IAAI,GAAA,CAAI,iBAAA,CAAkB,QAAQ,CAAC,CAAA;AACpD,IAAA,MAAM,OAAA,GAAU,qBAAA,CAAsB,QAAA,CAAS,IAAI,CAAA;AACnD,IAAA,MAAM,cAAc,cAAA,CAAe,MAAA;AAAA,MACjC,CAAC,GAAA,KAAQ,CAAC,QAAA,CAAS,GAAA,CAAI,GAAG,CAAA,IAAK,CAAC,OAAA,CAAQ,GAAA,CAAI,GAAG;AAAA,KACjD;AAEA,IAAA,IAAI,WAAA,CAAY,WAAW,CAAA,EAAG;AAC5B,MAAA,OAAO,EAAC;AAAA,IACV;AAEA,IAAA,OAAO;AAAA,MACL;AAAA,QACE,cAAc,QAAA,CAAS,IAAA;AAAA,QACvB,cAAA;AAAA,QACA,YAAA,EAAc,CAAC,GAAG,QAAQ,EAAE,IAAA,EAAK;AAAA,QACjC;AAAA;AACF,KACF;AAAA,EACF,CAAC,CAAA;AACH","file":"function-registry-input-audit.js","sourcesContent":["import { z } from \"zod\";\nimport { ALL_FUNCTION_CONTRACTS } from \"./function-registry/index.js\";\nimport type { FunctionContract } from \"./function-registry/types.js\";\n\nexport type FunctionRegistryInputAuditFinding = {\n contractName: string;\n projectionKeys: string[];\n acceptedKeys: string[];\n missingKeys: string[];\n};\n\ntype InputProjection = NonNullable<\n FunctionContract[\"convex\"]\n>[\"inputProjection\"];\n\nconst INTERNAL_OR_ALIAS_KEYS = new Set([\n \"__sdkSessionId\",\n \"actorId\",\n \"beliefId\",\n \"createdBy\",\n \"evidenceId\",\n \"id\",\n \"insightId\",\n \"nodeId\",\n \"ontologyId\",\n \"parentNodeId\",\n \"principalId\",\n \"projectId\",\n \"questionId\",\n \"tenantId\",\n \"trustedBypassAccessCheck\",\n \"userId\",\n \"versionId\",\n \"workspaceId\",\n]);\n\nconst INTENTIONAL_PROJECTION_READS: Record<string, readonly string[]> = {\n add_evidence: [\"linkedBeliefNodeId\", \"targetId\"],\n apply_lens_to_topic: [\"metadata\"],\n archive_belief: [\"reason\"],\n check_permission: [\"principalId\", \"tenantId\", \"userId\", \"workspaceId\"],\n claim_files: [\"paths\", \"touchedFiles\"],\n complete_task: [\"summary\"],\n create_belief: [\"formulation\"],\n discover: [\"prompt\", \"topicHint\"],\n filter_by_permission: [\"principalId\", \"tenantId\", \"userId\", \"workspaceId\"],\n get_change_history: [\"status\"],\n get_failure_log: [\"status\"],\n identity_whoami: [\"principalId\", \"tenantId\", \"userId\", \"workspaceId\"],\n ingest_observation: [\"reasoning\", \"trustedBypassAccessCheck\"],\n link_evidence: [\n \"beliefId\",\n \"beliefNodeId\",\n \"context\",\n \"evidenceNodeId\",\n \"globalId\",\n \"insightId\",\n \"topicId\",\n \"trustedBypassAccessCheck\",\n \"type\",\n ],\n link_evidence_to_belief: [\n \"beliefNodeId\",\n \"context\",\n \"evidenceNodeId\",\n \"globalId\",\n \"insightId\",\n \"targetId\",\n \"topicId\",\n \"trustedBypassAccessCheck\",\n \"type\",\n ],\n link_evidence_to_question: [\n \"context\",\n \"evidenceNodeId\",\n \"globalId\",\n \"impactScore\",\n \"insightId\",\n \"questionNodeId\",\n \"targetId\",\n \"topicId\",\n \"trustedBypassAccessCheck\",\n \"weight\",\n ],\n list_evidence: [\"status\"],\n manage_write_policy: [\"summary\"],\n merge: [\"decisionsReached\", \"keyFindings\", \"nextSteps\"],\n record_attempt: [\"reasoning\", \"trustedBypassAccessCheck\"],\n record_judgment: [\"reasoning\", \"trustedBypassAccessCheck\"],\n record_scope_learning: [\"reasoning\", \"trustedBypassAccessCheck\"],\n search_beliefs: [\"searchQuery\"],\n search_evidence: [\"query\", \"searchQuery\"],\n update_question_status: [\"answer\", \"answerStatus\", \"nodeId\", \"questionId\"],\n update_topic: [\"graphScopeProjectId\"],\n};\n\nfunction unwrapObjectSchema(\n schema: z.ZodTypeAny,\n): z.ZodObject<z.ZodRawShape> | undefined {\n let current = schema;\n while (true) {\n switch (current._def.typeName) {\n case z.ZodFirstPartyTypeKind.ZodEffects:\n current = current._def.schema;\n continue;\n case z.ZodFirstPartyTypeKind.ZodBranded:\n current = current._def.type;\n continue;\n default:\n return current instanceof z.ZodObject ? current : undefined;\n }\n }\n}\n\nfunction objectSchemaKeys(schema: z.ZodTypeAny): Set<string> {\n const objectSchema = unwrapObjectSchema(schema);\n if (!objectSchema) {\n return new Set();\n }\n const shape =\n typeof objectSchema._def.shape === \"function\"\n ? objectSchema._def.shape()\n : objectSchema._def.shape;\n return new Set(Object.keys(shape));\n}\n\nexport function projectionReadKeys(\n projection: InputProjection,\n): string[] {\n if (!projection) {\n return [];\n }\n const source = String(projection);\n const keys = new Set<string>();\n\n for (const match of source.matchAll(/\\binput\\s*\\.\\s*([A-Za-z_$][\\w$]*)/gu)) {\n keys.add(match[1]);\n }\n for (const match of source.matchAll(/\\binput\\s*\\[\\s*[\"']([^\"']+)[\"']\\s*\\]/gu)) {\n keys.add(match[1]);\n }\n\n return [...keys].sort();\n}\n\nfunction acceptedInputKeys(contract: FunctionContract): string[] {\n return [\n ...new Set([\n ...objectSchemaKeys(contract.args),\n ...objectSchemaKeys(contract.input),\n ...Object.keys(contract.mcp.parameters),\n \"__sdkSessionId\",\n ]),\n ].sort();\n}\n\nfunction allowedProjectionKeys(contractName: string): Set<string> {\n return new Set([\n ...INTERNAL_OR_ALIAS_KEYS,\n ...(INTENTIONAL_PROJECTION_READS[contractName] ?? []),\n ]);\n}\n\nexport function auditFunctionRegistryInputs(\n contracts: readonly FunctionContract[] = ALL_FUNCTION_CONTRACTS,\n): FunctionRegistryInputAuditFinding[] {\n return contracts.flatMap((contract) => {\n const projectionKeys = projectionReadKeys(contract.convex?.inputProjection);\n if (projectionKeys.length === 0) {\n return [];\n }\n\n const accepted = new Set(acceptedInputKeys(contract));\n const allowed = allowedProjectionKeys(contract.name);\n const missingKeys = projectionKeys.filter(\n (key) => !accepted.has(key) && !allowed.has(key),\n );\n\n if (missingKeys.length === 0) {\n return [];\n }\n\n return [\n {\n contractName: contract.name,\n projectionKeys,\n acceptedKeys: [...accepted].sort(),\n missingKeys,\n },\n ];\n });\n}\n"]}
@@ -43,6 +43,7 @@ type GatewayAuthContext = {
43
43
  tenantId?: string;
44
44
  workspaceId?: string;
45
45
  roles?: string[];
46
+ membershipId?: string;
46
47
  sessionId?: string;
47
48
  sessionAuthMode?: SessionAuthMode;
48
49
  sessionExpiresAt?: number;
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/gateway.contract.ts"],"names":[],"mappings":";AA4IO,SAAS,wBACd,WAAA,EACQ;AACR,EAAA,MAAM,WAAA,GACJ,OAAO,WAAA,CAAY,WAAA,KAAgB,WAC/B,WAAA,CAAY,WAAA,CAAY,MAAK,GAC7B,EAAA;AACN,EAAA,IAAI,WAAA,CAAY,SAAS,CAAA,EAAG;AAC1B,IAAA,OAAO,WAAA;AAAA,EACT;AACA,EAAA,MAAM,IAAI,MAAM,sDAAsD,CAAA;AACxE","file":"gateway.contract.js","sourcesContent":["/**\n * Gateway contract types — shared between Stack's gateway middleware and\n * Lucern's server-core / gateway route handlers.\n *\n * These types describe the authenticated request context that flows from\n * the gateway into Lucern route handlers. The gateway (Stack-side) creates\n * the context; Lucern consumes it read-only.\n *\n * @module @lucern/contracts/src/gateway\n */\n\nimport type {\n SessionAuthMode,\n SessionDelegationHop,\n SessionPrincipalType,\n} from \"./auth-session.contract\";\n\n// ---------------------------------------------------------------------------\n// Error codes\n// ---------------------------------------------------------------------------\n\nexport type PlatformApiErrorCode =\n | \"AUTH_REQUIRED\"\n | \"AUTHENTICATION_REQUIRED\"\n | \"AUTH_TOKEN_MISSING\"\n | \"INVALID_REQUEST\"\n | \"IDEMPOTENCY_KEY_REQUIRED\"\n | \"FORBIDDEN\"\n | \"SCOPE_INSUFFICIENT\"\n | \"ENVIRONMENT_MISMATCH\"\n | \"KEY_EXPIRED\"\n | \"KEY_REVOKED\"\n | \"RATE_LIMIT_EXCEEDED\"\n | \"NOT_FOUND\"\n | \"CONFLICT\"\n | \"UPSTREAM_ERROR\"\n | \"INTERNAL_ERROR\";\n\n// ---------------------------------------------------------------------------\n// Gateway scope and environment\n// ---------------------------------------------------------------------------\n\nexport type GatewayScope = {\n tenantId?: string;\n workspaceId?: string;\n};\n\nexport type GatewayEnvironment = \"sandbox\" | \"production\";\n\nexport type GatewayAuthMode =\n | \"interactive_user\"\n | \"service_principal\"\n | \"tenant_api_key\"\n | \"session_token\";\n\nexport type KeyLifecycleStatus =\n | \"active\"\n | \"rotating\"\n | \"rotated\"\n | \"expired\"\n | \"revoked\";\n\nexport type CutoverDomain =\n | \"graph\"\n | \"schema\"\n | \"identity\"\n | \"policy\"\n | \"audit\"\n | \"admin\"\n | \"agent\"\n | \"tool\"\n | \"prompt\"\n | \"intelligence\";\n\nexport type CutoverFlagState = \"legacy\" | \"cutover\" | \"disabled\";\n\n// ---------------------------------------------------------------------------\n// Gateway auth context — the canonical authenticated request shape\n// ---------------------------------------------------------------------------\n\n/**\n * Authenticated request context created by the gateway middleware.\n * Lucern route handlers receive this as a read-only parameter.\n *\n * The `convex` field is typed as `unknown` in the contract because Lucern\n * consumers should not use the gateway's Convex client directly — they\n * have their own kernel client. The gateway (Stack-side) narrows this to\n * `ConvexHttpClient` at the construction site.\n */\nexport type GatewayAuthContext = {\n userId: string;\n clerkId?: string;\n convexToken?: string;\n /** Opaque in contract — narrowed to ConvexHttpClient at the gateway. */\n convex: any; // eslint-disable-line @typescript-eslint/no-explicit-any\n authMode: GatewayAuthMode;\n principalId?: string;\n principalType?: SessionPrincipalType;\n tenantId?: string;\n workspaceId?: string;\n roles?: string[];\n sessionId?: string;\n sessionAuthMode?: SessionAuthMode;\n sessionExpiresAt?: number;\n delegationChain?: SessionDelegationHop[];\n servicePrincipalId?: string;\n servicePrincipalKeyId?: string;\n servicePrincipalTenantId?: string;\n servicePrincipalWorkspaceId?: string;\n requestEnvironment: GatewayEnvironment;\n keyEnvironment?: GatewayEnvironment;\n keyStatus: KeyLifecycleStatus | \"unknown\";\n grantedScopes: Set<string>;\n cutoverDomain: CutoverDomain;\n cutoverState: CutoverFlagState;\n};\n\n// ---------------------------------------------------------------------------\n// Gateway response helpers — portable (no Next.js dependency)\n// ---------------------------------------------------------------------------\n\nexport type GatewayErrorArgs = {\n code: PlatformApiErrorCode;\n message: string;\n status: number;\n correlationId: string;\n policyTraceId?: string;\n invariant?: string;\n suggestion?: string;\n details?: unknown;\n headers?: HeadersInit;\n};\n\nexport type GatewaySuccessArgs = {\n status?: number;\n correlationId: string;\n policyTraceId?: string;\n idempotentReplay?: boolean;\n};\n\nexport function requireActorPrincipalId(\n authContext: GatewayAuthContext\n): string {\n const principalId =\n typeof authContext.principalId === \"string\"\n ? authContext.principalId.trim()\n : \"\";\n if (principalId.length > 0) {\n return principalId;\n }\n throw new Error(\"Access denied: federated principal context required.\");\n}\n"]}
1
+ {"version":3,"sources":["../src/gateway.contract.ts"],"names":[],"mappings":";AA6IO,SAAS,wBACd,WAAA,EACQ;AACR,EAAA,MAAM,WAAA,GACJ,OAAO,WAAA,CAAY,WAAA,KAAgB,WAC/B,WAAA,CAAY,WAAA,CAAY,MAAK,GAC7B,EAAA;AACN,EAAA,IAAI,WAAA,CAAY,SAAS,CAAA,EAAG;AAC1B,IAAA,OAAO,WAAA;AAAA,EACT;AACA,EAAA,MAAM,IAAI,MAAM,sDAAsD,CAAA;AACxE","file":"gateway.contract.js","sourcesContent":["/**\n * Gateway contract types — shared between Stack's gateway middleware and\n * Lucern's server-core / gateway route handlers.\n *\n * These types describe the authenticated request context that flows from\n * the gateway into Lucern route handlers. The gateway (Stack-side) creates\n * the context; Lucern consumes it read-only.\n *\n * @module @lucern/contracts/src/gateway\n */\n\nimport type {\n SessionAuthMode,\n SessionDelegationHop,\n SessionPrincipalType,\n} from \"./auth-session.contract\";\n\n// ---------------------------------------------------------------------------\n// Error codes\n// ---------------------------------------------------------------------------\n\nexport type PlatformApiErrorCode =\n | \"AUTH_REQUIRED\"\n | \"AUTHENTICATION_REQUIRED\"\n | \"AUTH_TOKEN_MISSING\"\n | \"INVALID_REQUEST\"\n | \"IDEMPOTENCY_KEY_REQUIRED\"\n | \"FORBIDDEN\"\n | \"SCOPE_INSUFFICIENT\"\n | \"ENVIRONMENT_MISMATCH\"\n | \"KEY_EXPIRED\"\n | \"KEY_REVOKED\"\n | \"RATE_LIMIT_EXCEEDED\"\n | \"NOT_FOUND\"\n | \"CONFLICT\"\n | \"UPSTREAM_ERROR\"\n | \"INTERNAL_ERROR\";\n\n// ---------------------------------------------------------------------------\n// Gateway scope and environment\n// ---------------------------------------------------------------------------\n\nexport type GatewayScope = {\n tenantId?: string;\n workspaceId?: string;\n};\n\nexport type GatewayEnvironment = \"sandbox\" | \"production\";\n\nexport type GatewayAuthMode =\n | \"interactive_user\"\n | \"service_principal\"\n | \"tenant_api_key\"\n | \"session_token\";\n\nexport type KeyLifecycleStatus =\n | \"active\"\n | \"rotating\"\n | \"rotated\"\n | \"expired\"\n | \"revoked\";\n\nexport type CutoverDomain =\n | \"graph\"\n | \"schema\"\n | \"identity\"\n | \"policy\"\n | \"audit\"\n | \"admin\"\n | \"agent\"\n | \"tool\"\n | \"prompt\"\n | \"intelligence\";\n\nexport type CutoverFlagState = \"legacy\" | \"cutover\" | \"disabled\";\n\n// ---------------------------------------------------------------------------\n// Gateway auth context — the canonical authenticated request shape\n// ---------------------------------------------------------------------------\n\n/**\n * Authenticated request context created by the gateway middleware.\n * Lucern route handlers receive this as a read-only parameter.\n *\n * The `convex` field is typed as `unknown` in the contract because Lucern\n * consumers should not use the gateway's Convex client directly — they\n * have their own kernel client. The gateway (Stack-side) narrows this to\n * `ConvexHttpClient` at the construction site.\n */\nexport type GatewayAuthContext = {\n userId: string;\n clerkId?: string;\n convexToken?: string;\n /** Opaque in contract — narrowed to ConvexHttpClient at the gateway. */\n convex: any; // eslint-disable-line @typescript-eslint/no-explicit-any\n authMode: GatewayAuthMode;\n principalId?: string;\n principalType?: SessionPrincipalType;\n tenantId?: string;\n workspaceId?: string;\n roles?: string[];\n membershipId?: string;\n sessionId?: string;\n sessionAuthMode?: SessionAuthMode;\n sessionExpiresAt?: number;\n delegationChain?: SessionDelegationHop[];\n servicePrincipalId?: string;\n servicePrincipalKeyId?: string;\n servicePrincipalTenantId?: string;\n servicePrincipalWorkspaceId?: string;\n requestEnvironment: GatewayEnvironment;\n keyEnvironment?: GatewayEnvironment;\n keyStatus: KeyLifecycleStatus | \"unknown\";\n grantedScopes: Set<string>;\n cutoverDomain: CutoverDomain;\n cutoverState: CutoverFlagState;\n};\n\n// ---------------------------------------------------------------------------\n// Gateway response helpers — portable (no Next.js dependency)\n// ---------------------------------------------------------------------------\n\nexport type GatewayErrorArgs = {\n code: PlatformApiErrorCode;\n message: string;\n status: number;\n correlationId: string;\n policyTraceId?: string;\n invariant?: string;\n suggestion?: string;\n details?: unknown;\n headers?: HeadersInit;\n};\n\nexport type GatewaySuccessArgs = {\n status?: number;\n correlationId: string;\n policyTraceId?: string;\n idempotentReplay?: boolean;\n};\n\nexport function requireActorPrincipalId(\n authContext: GatewayAuthContext\n): string {\n const principalId =\n typeof authContext.principalId === \"string\"\n ? authContext.principalId.trim()\n : \"\";\n if (principalId.length > 0) {\n return principalId;\n }\n throw new Error(\"Access denied: federated principal context required.\");\n}\n"]}
@@ -118,7 +118,7 @@ var MC_SCHEMA_TABLES = {
118
118
  "toolCatalog": defineTable(v.object({ "category": v.union(v.literal("read"), v.literal("write"), v.literal("admin"), v.literal("system")), "createdAt": v.number(), "description": v.string(), "distribution": v.union(v.literal("base"), v.literal("pack_only")), "executionAdapter": v.optional(v.union(v.literal("convex_mutation"), v.literal("convex_action"), v.literal("http_callback"), v.literal("mcp_tool"), v.literal("sdk_invocation"), v.literal("external_observed"))), "handlerRef": v.optional(v.string()), "metadata": v.optional(v.record(v.string(), v.any())), "parameterSchema": v.optional(v.record(v.string(), v.any())), "requiredAction": v.union(v.literal("read"), v.literal("mutate"), v.literal("admin"), v.literal("summarize"), v.literal("export"), v.literal("create"), v.literal("delete"), v.literal("grant"), v.literal("revoke")), "requiredRole": v.union(v.literal("platform_admin"), v.literal("tenant_admin"), v.literal("workspace_admin"), v.literal("editor"), v.literal("viewer"), v.literal("auditor"), v.literal("service_agent")), "returnSchema": v.optional(v.record(v.string(), v.any())), "safetyMetadata": v.optional(v.object({ "idempotent": v.boolean(), "readOnly": v.boolean(), "sideEffectLevel": v.union(v.literal("none"), v.literal("low"), v.literal("high")) })), "status": v.union(v.literal("active"), v.literal("deprecated"), v.literal("draft")), "surfaces": v.array(v.union(v.literal("mcp"), v.literal("chat"), v.literal("voice"), v.literal("sprint"), v.literal("api"), v.literal("sdk"), v.literal("cli"))), "toolName": v.string(), "updatedAt": v.number(), "version": v.string() })).index("by_toolName", ["toolName"]).index("by_status", ["status"]).index("by_distribution", ["distribution"]).index("by_distribution_status", ["distribution", "status"]).index("by_category", ["category"]).index("by_requiredRole", ["requiredRole"]),
119
119
  "toolRegistryEntries": defineTable(v.object({ "approvalGateId": v.optional(v.string()), "category": v.optional(v.union(v.literal("read"), v.literal("write"), v.literal("admin"), v.literal("system"))), "createdAt": v.number(), "createdBy": v.string(), "description": v.string(), "exampleInvocations": v.array(v.object({ "expectedOutput": v.optional(v.record(v.string(), v.any())), "input": v.record(v.string(), v.any()) })), "executionAdapter": v.union(v.literal("convex_mutation"), v.literal("convex_action"), v.literal("http_callback"), v.literal("mcp_tool"), v.literal("sdk_invocation"), v.literal("external_observed")), "gateClassification": v.union(v.literal("core"), v.literal("shimmed")), "isCore": v.optional(v.boolean()), "metadata": v.optional(v.record(v.string(), v.any())), "parameterSchema": v.record(v.string(), v.any()), "requiredAction": v.optional(v.union(v.literal("read"), v.literal("mutate"), v.literal("admin"), v.literal("summarize"), v.literal("export"), v.literal("create"), v.literal("delete"), v.literal("grant"), v.literal("revoke"))), "requiredRole": v.optional(v.union(v.literal("platform_admin"), v.literal("tenant_admin"), v.literal("workspace_admin"), v.literal("editor"), v.literal("viewer"), v.literal("auditor"), v.literal("service_agent"))), "safetyMetadata": v.object({ "idempotent": v.boolean(), "readOnly": v.boolean(), "sideEffectLevel": v.union(v.literal("none"), v.literal("low"), v.literal("high")) }), "scopeRequirements": v.array(v.string()), "status": v.union(v.literal("active"), v.literal("deprecated"), v.literal("disabled")), "surfaces": v.optional(v.array(v.union(v.literal("mcp"), v.literal("chat"), v.literal("voice"), v.literal("sprint"), v.literal("api"), v.literal("sdk"), v.literal("cli")))), "tenantId": v.id("tenants"), "toolId": v.string(), "toolName": v.string(), "updatedAt": v.number(), "version": v.string(), "workspaceId": v.optional(v.id("workspaces")) })).index("by_toolId", ["toolId"]).index("by_tenant_toolId", ["tenantId", "toolId"]).index("by_tenant_toolId_version", ["tenantId", "toolId", "version"]).index("by_tenant_toolName", ["tenantId", "toolName"]).index("by_tenant_toolName_version", ["tenantId", "toolName", "version"]).index("by_workspace_toolName_version", ["workspaceId", "toolName", "version"]).index("by_tenant_gateClassification", ["tenantId", "gateClassification"]).index("by_tenant_status", ["tenantId", "status"]),
120
120
  "userSessions": defineTable(v.object({ "apiKeyId": v.id("apiKeys"), "authMode": v.optional(v.union(v.literal("interactive_user"), v.literal("service_principal"), v.literal("tenant_api_key"), v.literal("session_token"))), "clerkUserId": v.string(), "createdAt": v.number(), "delegationChain": v.optional(v.array(v.object({ "authMode": v.optional(v.union(v.literal("interactive_user"), v.literal("service_principal"), v.literal("tenant_api_key"), v.literal("session_token"))), "delegatedAt": v.optional(v.number()), "principalId": v.string(), "principalType": v.union(v.literal("human"), v.literal("service"), v.literal("agent")), "reason": v.optional(v.string()), "sessionId": v.optional(v.string()) }))), "jwtExpiresAt": v.optional(v.number()), "jwtIssuedAt": v.optional(v.number()), "lastActivityAt": v.number(), "lastValidatedAt": v.optional(v.number()), "principalId": v.optional(v.string()), "principalType": v.optional(v.union(v.literal("human"), v.literal("service"), v.literal("agent"))), "revokedAt": v.optional(v.number()), "revokedBy": v.optional(v.string()), "revokeReason": v.optional(v.string()), "role": v.optional(v.string()), "scopes": v.optional(v.array(v.string())), "sessionExpiresAt": v.optional(v.number()), "sessionId": v.string(), "sessionType": v.union(v.literal("user"), v.literal("agent")), "sourceSessionId": v.optional(v.string()), "status": v.union(v.literal("active"), v.literal("expired"), v.literal("revoked")), "tenantId": v.id("tenants"), "updatedAt": v.number(), "workspaceId": v.optional(v.string()) })).index("by_sessionId", ["sessionId"]).index("by_sourceSessionId", ["sourceSessionId"]).index("by_tenantId", ["tenantId"]).index("by_clerkUserId", ["clerkUserId"]).index("by_status", ["status"]),
121
- "workspaces": defineTable(v.object({ "createdAt": v.number(), "createdBy": v.optional(v.string()), "defaultProjectVisibility": v.optional(v.union(v.literal("private"), v.literal("team"), v.literal("firm"), v.literal("external"), v.literal("public"))), "deployments": v.optional(v.record(v.string(), v.object({ "encryptedDeployKey": v.string(), "url": v.string() }))), "key": v.string(), "metadata": v.optional(v.record(v.string(), v.any())), "name": v.string(), "slug": v.string(), "status": v.union(v.literal("active"), v.literal("archived")), "tenantId": v.id("tenants"), "updatedAt": v.number() })).index("by_tenantId", ["tenantId"]).index("by_tenantId_key", ["tenantId", "key"]).index("by_tenantId_slug", ["tenantId", "slug"]).index("by_status", ["status"])
121
+ "workspaces": defineTable(v.object({ "createdAt": v.number(), "createdBy": v.optional(v.string()), "defaultProjectVisibility": v.optional(v.union(v.literal("private"), v.literal("team"), v.literal("firm"), v.literal("external"), v.literal("public"))), "deployments": v.optional(v.record(v.string(), v.object({ "credentialRef": v.optional(v.string()), "encryptedDeployKey": v.optional(v.string()), "target": v.optional(v.union(v.literal("kernelDeployment"), v.literal("appDeployment"))), "url": v.string() }))), "key": v.string(), "metadata": v.optional(v.record(v.string(), v.any())), "name": v.string(), "slug": v.string(), "status": v.union(v.literal("active"), v.literal("archived")), "tenantId": v.id("tenants"), "updatedAt": v.number() })).index("by_tenantId", ["tenantId"]).index("by_tenantId_key", ["tenantId", "key"]).index("by_tenantId_slug", ["tenantId", "slug"]).index("by_status", ["status"])
122
122
  };
123
123
  var DEVELOPER_PACK_SCHEMA_TABLES = {};
124
124
  var EMPTY_SCHEMA_TABLES = {};