@lucern/contracts 0.3.0-alpha.3 → 0.3.0-alpha.4
- package/dist/component-host-boundary.contract.d.ts +41 -0
- package/dist/component-host-boundary.contract.js +54 -0
- package/dist/component-host-boundary.contract.js.map +1 -0
- package/dist/function-registry/beliefs.d.ts +41 -41
- package/dist/function-registry/beliefs.js +202 -8
- package/dist/function-registry/beliefs.js.map +1 -1
- package/dist/function-registry/coding.js +187 -8
- package/dist/function-registry/coding.js.map +1 -1
- package/dist/function-registry/context.d.ts +13 -13
- package/dist/function-registry/context.js +187 -9
- package/dist/function-registry/context.js.map +1 -1
- package/dist/function-registry/contracts.js +158 -5
- package/dist/function-registry/contracts.js.map +1 -1
- package/dist/function-registry/coordination.js +158 -5
- package/dist/function-registry/coordination.js.map +1 -1
- package/dist/function-registry/edges.js +169 -6
- package/dist/function-registry/edges.js.map +1 -1
- package/dist/function-registry/evidence.d.ts +33 -33
- package/dist/function-registry/evidence.js +202 -9
- package/dist/function-registry/evidence.js.map +1 -1
- package/dist/function-registry/graph.d.ts +53 -53
- package/dist/function-registry/graph.js +217 -12
- package/dist/function-registry/graph.js.map +1 -1
- package/dist/function-registry/helpers.d.ts +1 -1
- package/dist/function-registry/helpers.js +158 -5
- package/dist/function-registry/helpers.js.map +1 -1
- package/dist/function-registry/identity.js +158 -5
- package/dist/function-registry/identity.js.map +1 -1
- package/dist/function-registry/index.d.ts +1 -1
- package/dist/function-registry/index.js +158 -5
- package/dist/function-registry/index.js.map +1 -1
- package/dist/function-registry/judgments.d.ts +9 -9
- package/dist/function-registry/judgments.js +170 -8
- package/dist/function-registry/judgments.js.map +1 -1
- package/dist/function-registry/legacy.js +158 -5
- package/dist/function-registry/legacy.js.map +1 -1
- package/dist/function-registry/lenses.d.ts +17 -17
- package/dist/function-registry/lenses.js +181 -8
- package/dist/function-registry/lenses.js.map +1 -1
- package/dist/function-registry/manifest.d.ts +3 -3
- package/dist/function-registry/manifest.js +1 -1
- package/dist/function-registry/manifest.js.map +1 -1
- package/dist/function-registry/ontologies.d.ts +45 -45
- package/dist/function-registry/ontologies.js +176 -11
- package/dist/function-registry/ontologies.js.map +1 -1
- package/dist/function-registry/pipeline.d.ts +13 -13
- package/dist/function-registry/pipeline.js +167 -8
- package/dist/function-registry/pipeline.js.map +1 -1
- package/dist/function-registry/questions.d.ts +49 -49
- package/dist/function-registry/questions.js +255 -13
- package/dist/function-registry/questions.js.map +1 -1
- package/dist/function-registry/tasks.js +158 -5
- package/dist/function-registry/tasks.js.map +1 -1
- package/dist/function-registry/topics.d.ts +21 -21
- package/dist/function-registry/topics.js +172 -8
- package/dist/function-registry/topics.js.map +1 -1
- package/dist/function-registry/types.d.ts +1 -1
- package/dist/function-registry/worktrees.d.ts +80 -41
- package/dist/function-registry/worktrees.js +292 -17
- package/dist/function-registry/worktrees.js.map +1 -1
- package/dist/function-registry-input-audit.d.ts +13 -0
- package/dist/function-registry-input-audit.js +164 -0
- package/dist/function-registry-input-audit.js.map +1 -0
- package/dist/gateway.contract.d.ts +1 -0
- package/dist/gateway.contract.js.map +1 -1
- package/dist/generated/convexSchemas.js +1 -1
- package/dist/generated/convexSchemas.js.map +1 -1
- package/dist/index.d.ts +188 -35
- package/dist/index.js +1370 -17
- package/dist/index.js.map +1 -1
- package/dist/infisical-runtime.contract.d.ts +174 -0
- package/dist/infisical-runtime.contract.js +192 -0
- package/dist/infisical-runtime.contract.js.map +1 -0
- package/dist/schemas/index.js +3 -1
- package/dist/schemas/index.js.map +1 -1
- package/dist/schemas/manifest.d.ts +935 -905
- package/dist/schemas/manifest.js +3 -1
- package/dist/schemas/manifest.js.map +1 -1
- package/dist/schemas/sl-opinion.d.ts +4 -4
- package/dist/schemas/tables/identity/platform.d.ts +10 -10
- package/dist/schemas/tables/kernel/epistemic.d.ts +6 -6
- package/dist/schemas/tables/kernel/infra.d.ts +4 -4
- package/dist/schemas/tables/kernel/intelligence.d.ts +10 -10
- package/dist/schemas/tables/kernel/lens.d.ts +4 -4
- package/dist/schemas/tables/kernel/platform.d.ts +12 -12
- package/dist/schemas/tables/kernel/spine.d.ts +2 -2
- package/dist/schemas/tables/kernel/task.d.ts +42 -42
- package/dist/schemas/tables/kernel/worktree.d.ts +62 -62
- package/dist/schemas/tables/mc/identity.d.ts +2 -2
- package/dist/schemas/tables/mc/pack.d.ts +20 -20
- package/dist/schemas/tables/mc/registry.d.ts +4 -4
- package/dist/schemas/tables/mc/workspace.d.ts +9 -3
- package/dist/schemas/tables/mc/workspace.js +3 -1
- package/dist/schemas/tables/mc/workspace.js.map +1 -1
- package/dist/sdk-methods.contract.d.ts +1 -1
- package/dist/{sdk-tools.contract-S4ia0TTo.d.ts → sdk-tools.contract-CD-N1Jf7.d.ts} +1 -1
- package/dist/sdk-tools.contract.d.ts +2 -2
- package/dist/sdk-tools.contract.js +157 -4
- package/dist/sdk-tools.contract.js.map +1 -1
- package/dist/tenant-bootstrap-seed.contract.d.ts +1097 -0
- package/dist/tenant-bootstrap-seed.contract.js +651 -0
- package/dist/tenant-bootstrap-seed.contract.js.map +1 -0
- package/dist/tenant-bootstrap-seed.defaults.d.ts +16 -0
- package/dist/tenant-bootstrap-seed.defaults.js +303 -0
- package/dist/tenant-bootstrap-seed.defaults.js.map +1 -0
- package/dist/{tool-contracts-C92-9ueT.d.ts → tool-contracts-BcKz-VGj.d.ts} +4 -2
- package/dist/tool-contracts.d.ts +1 -1
- package/dist/tool-contracts.js +158 -5
- package/dist/tool-contracts.js.map +1 -1
- package/package.json +1 -1
|
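--- a/package/dist/function-registry-input-audit.d.ts
+++ b/package/dist/function-registry-input-audit.d.ts
@@ -0,0 +1,13 @@
+import { FunctionContract } from './function-registry/types.js';
+
+type FunctionRegistryInputAuditFinding = {
+contractName: string;
+projectionKeys: string[];
+acceptedKeys: string[];
+missingKeys: string[];
+};
+type InputProjection = NonNullable<FunctionContract["convex"]>["inputProjection"];
+declare function projectionReadKeys(projection: InputProjection): string[];
+declare function auditFunctionRegistryInputs(contracts?: readonly FunctionContract[]): FunctionRegistryInputAuditFinding[];
+
+export { type FunctionRegistryInputAuditFinding, auditFunctionRegistryInputs, projectionReadKeys };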
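Review bot: The two exported declarations, `projectionReadKeys` and `auditFunctionRegistryInputs` (new lines 10 and 11), ship without doc comments, and the one thing a caller needs to know cannot be read from the types. The implementation in function-registry-input-audit.js on this page stringifies the projection and matches `input.key` and `input["key"]` textually, so reads made through destructuring, an alias of `input` or a computed key are not reported. I would add a JSDoc block on `auditFunctionRegistryInputs` along the lines of `/** Best-effort check: an empty result means no undeclared input.<key> read was found in the projection's source text, not that none exists. */`, and a one-line block on `projectionReadKeys` saying that it returns the sorted, de-duplicated key names found by that scan.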
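--- a/package/dist/function-registry-input-audit.js
+++ b/package/dist/function-registry-input-audit.js
@@ -0,0 +1,164 @@
+import { z } from 'zod';
+import { ALL_FUNCTION_CONTRACTS } from './function-registry/index.js';
+
+// src/function-registry-input-audit.ts
+var INTERNAL_OR_ALIAS_KEYS = /* @__PURE__ */ new Set([
+"__sdkSessionId",
+"actorId",
+"beliefId",
+"createdBy",
+"evidenceId",
+"id",
+"insightId",
+"nodeId",
+"ontologyId",
+"parentNodeId",
+"principalId",
+"projectId",
+"questionId",
+"tenantId",
+"trustedBypassAccessCheck",
+"userId",
+"versionId",
+"workspaceId"
+]);
+var INTENTIONAL_PROJECTION_READS = {
+add_evidence: ["linkedBeliefNodeId", "targetId"],
+apply_lens_to_topic: ["metadata"],
+archive_belief: ["reason"],
+check_permission: ["principalId", "tenantId", "userId", "workspaceId"],
+claim_files: ["paths", "touchedFiles"],
+complete_task: ["summary"],
+create_belief: ["formulation"],
+discover: ["prompt", "topicHint"],
+filter_by_permission: ["principalId", "tenantId", "userId", "workspaceId"],
+get_change_history: ["status"],
+get_failure_log: ["status"],
+identity_whoami: ["principalId", "tenantId", "userId", "workspaceId"],
+ingest_observation: ["reasoning", "trustedBypassAccessCheck"],
+link_evidence: [
+"beliefId",
+"beliefNodeId",
+"context",
+"evidenceNodeId",
+"globalId",
+"insightId",
+"topicId",
+"trustedBypassAccessCheck",
+"type"
+],
+link_evidence_to_belief: [
+"beliefNodeId",
+"context",
+"evidenceNodeId",
+"globalId",
+"insightId",
+"targetId",
+"topicId",
+"trustedBypassAccessCheck",
+"type"
+],
+link_evidence_to_question: [
+"context",
+"evidenceNodeId",
+"globalId",
+"impactScore",
+"insightId",
+"questionNodeId",
+"targetId",
+"topicId",
+"trustedBypassAccessCheck",
+"weight"
+],
+list_evidence: ["status"],
+manage_write_policy: ["summary"],
+merge: ["decisionsReached", "keyFindings", "nextSteps"],
+record_attempt: ["reasoning", "trustedBypassAccessCheck"],
+record_judgment: ["reasoning", "trustedBypassAccessCheck"],
+record_scope_learning: ["reasoning", "trustedBypassAccessCheck"],
+search_beliefs: ["searchQuery"],
+search_evidence: ["query", "searchQuery"],
+update_question_status: ["answer", "answerStatus", "nodeId", "questionId"],
+update_topic: ["graphScopeProjectId"]
+};
+function unwrapObjectSchema(schema) {
+let current = schema;
+while (true) {
+switch (current._def.typeName) {
+case z.ZodFirstPartyTypeKind.ZodEffects:
+current = current._def.schema;
+continue;
+case z.ZodFirstPartyTypeKind.ZodBranded:
+current = current._def.type;
+continue;
+default:
+return current instanceof z.ZodObject ? current : void 0;
+}
+}
+}
+function objectSchemaKeys(schema) {
+const objectSchema = unwrapObjectSchema(schema);
+if (!objectSchema) {
+return /* @__PURE__ */ new Set();
+}
+const shape = typeof objectSchema._def.shape === "function" ? objectSchema._def.shape() : objectSchema._def.shape;
+return new Set(Object.keys(shape));
+}
+function projectionReadKeys(projection) {
+if (!projection) {
+return [];
+}
+const source = String(projection);
+const keys = /* @__PURE__ */ new Set();
+for (const match of source.matchAll(/\binput\s*\.\s*([A-Za-z_$][\w$]*)/gu)) {
+keys.add(match[1]);
+}
+for (const match of source.matchAll(/\binput\s*\[\s*["']([^"']+)["']\s*\]/gu)) {
+keys.add(match[1]);
+}
+return [...keys].sort();
+}
+function acceptedInputKeys(contract) {
+return [
+.../* @__PURE__ */ new Set([
+...objectSchemaKeys(contract.args),
+...objectSchemaKeys(contract.input),
+...Object.keys(contract.mcp.parameters),
+"__sdkSessionId"
+])
+].sort();
+}
+function allowedProjectionKeys(contractName) {
+return /* @__PURE__ */ new Set([
+...INTERNAL_OR_ALIAS_KEYS,
+...INTENTIONAL_PROJECTION_READS[contractName] ?? []
+]);
+}
+function auditFunctionRegistryInputs(contracts = ALL_FUNCTION_CONTRACTS) {
+return contracts.flatMap((contract) => {
+const projectionKeys = projectionReadKeys(contract.convex?.inputProjection);
+if (projectionKeys.length === 0) {
+return [];
+}
+const accepted = new Set(acceptedInputKeys(contract));
+const allowed = allowedProjectionKeys(contract.name);
+const missingKeys = projectionKeys.filter(
+(key) => !accepted.has(key) && !allowed.has(key)
+);
+if (missingKeys.length === 0) {
+return [];
+}
+return [
+{
+contractName: contract.name,
+projectionKeys,
+acceptedKeys: [...accepted].sort(),
+missingKeys
+}
+];
+});
+}
+
+export { auditFunctionRegistryInputs, projectionReadKeys };
+//# sourceMappingURL=function-registry-input-audit.js.map
+//# sourceMappingURL=function-registry-input-audit.js.map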
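Review bot: `"trustedBypassAccessCheck"` is listed in the global `INTERNAL_OR_ALIAS_KEYS` set (new line 20), so `allowedProjectionKeys` exempts it for every contract and `auditFunctionRegistryInputs` can never report a projection that reads `input.trustedBypassAccessCheck` without declaring it. Going by its name the key switches off an access check, which makes it the read this audit should be strictest about rather than one it waives everywhere. The per-contract entries in `INTENTIONAL_PROJECTION_READS` that already name it (`ingest_observation`, the three `link_evidence*` contracts, `record_attempt`, `record_judgment`, `record_scope_learning`) have no effect as written, which suggests the narrower per-contract allowance was the intent. Dropping the `"trustedBypassAccessCheck",` line from the global set would make any other contract that starts reading the flag appear in `missingKeys`. The same overlap exists for `principalId`, `tenantId`, `userId` and `workspaceId`, which are global and also repeated for `check_permission`, `filter_by_permission` and `identity_whoami`.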
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"sources":["../src/function-registry-input-audit.ts"],"names":[],"mappings":";;;;AAeA,IAAM,sBAAA,uBAA6B,GAAA,CAAI;AAAA,EACrC,gBAAA;AAAA,EACA,SAAA;AAAA,EACA,UAAA;AAAA,EACA,WAAA;AAAA,EACA,YAAA;AAAA,EACA,IAAA;AAAA,EACA,WAAA;AAAA,EACA,QAAA;AAAA,EACA,YAAA;AAAA,EACA,cAAA;AAAA,EACA,aAAA;AAAA,EACA,WAAA;AAAA,EACA,YAAA;AAAA,EACA,UAAA;AAAA,EACA,0BAAA;AAAA,EACA,QAAA;AAAA,EACA,WAAA;AAAA,EACA;AACF,CAAC,CAAA;AAED,IAAM,4BAAA,GAAkE;AAAA,EACtE,YAAA,EAAc,CAAC,oBAAA,EAAsB,UAAU,CAAA;AAAA,EAC/C,mBAAA,EAAqB,CAAC,UAAU,CAAA;AAAA,EAChC,cAAA,EAAgB,CAAC,QAAQ,CAAA;AAAA,EACzB,gBAAA,EAAkB,CAAC,aAAA,EAAe,UAAA,EAAY,UAAU,aAAa,CAAA;AAAA,EACrE,WAAA,EAAa,CAAC,OAAA,EAAS,cAAc,CAAA;AAAA,EACrC,aAAA,EAAe,CAAC,SAAS,CAAA;AAAA,EACzB,aAAA,EAAe,CAAC,aAAa,CAAA;AAAA,EAC7B,QAAA,EAAU,CAAC,QAAA,EAAU,WAAW,CAAA;AAAA,EAChC,oBAAA,EAAsB,CAAC,aAAA,EAAe,UAAA,EAAY,UAAU,aAAa,CAAA;AAAA,EACzE,kBAAA,EAAoB,CAAC,QAAQ,CAAA;AAAA,EAC7B,eAAA,EAAiB,CAAC,QAAQ,CAAA;AAAA,EAC1B,eAAA,EAAiB,CAAC,aAAA,EAAe,UAAA,EAAY,UAAU,aAAa,CAAA;AAAA,EACpE,kBAAA,EAAoB,CAAC,WAAA,EAAa,0BAA0B,CAAA;AAAA,EAC5D,aAAA,EAAe;AAAA,IACb,UAAA;AAAA,IACA,cAAA;AAAA,IACA,SAAA;AAAA,IACA,gBAAA;AAAA,IACA,UAAA;AAAA,IACA,WAAA;AAAA,IACA,SAAA;AAAA,IACA,0BAAA;AAAA,IACA;AAAA,GACF;AAAA,EACA,uBAAA,EAAyB;AAAA,IACvB,cAAA;AAAA,IACA,SAAA;AAAA,IACA,gBAAA;AAAA,IACA,UAAA;AAAA,IACA,WAAA;AAAA,IACA,UAAA;AAAA,IACA,SAAA;AAAA,IACA,0BAAA;AAAA,IACA;AAAA,GACF;AAAA,EACA,yBAAA,EAA2B;AAAA,IACzB,SAAA;AAAA,IACA,gBAAA;AAAA,IACA,UAAA;AAAA,IACA,aAAA;AAAA,IACA,WAAA;AAAA,IACA,gBAAA;AAAA,IACA,UAAA;AAAA,IACA,SAAA;AAAA,IACA,0BAAA;AAAA,IACA;AAAA,GACF;AAAA,EACA,aAAA,EAAe,CAAC,QAAQ,CAAA;AAAA,EACxB,mBAAA,EAAqB,CAAC,SAAS,CAAA;AAAA,EAC/B,KAAA,EAAO,CAAC,kBAAA,EAAoB,aAAA,EAAe,WAAW,CAAA;AAAA,EACtD,cAAA,EAAgB,CAAC,WAAA,EAAa,0BAA0B,CAAA;AAAA,EACxD,eAAA,EAAiB,CAAC,WAAA,EAAa,0BAA0B,CAAA;AAAA,EACzD,qBAAA,EAAuB,CAAC,WAAA,EAAa,0BAA0B,CAAA;AAAA,EAC/D,cAAA,EAAgB,CAAC,aAAa,CAAA;AAAA,EAC9B,eAAA,EAAiB,CAAC,OAAA,EAAS,aAAa,CAAA;AAAA,EACxC,sBAAA,EAAwB,CAAC,QAAA,EAAU,cAAA,EAAgB,UAAU,YAAY,CAAA;AAAA,EACzE,YAAA,EAAc,CAAC,qBAAqB
;AACtC,CAAA;AAEA,SAAS,mBACP,MAAA,EACwC;AACxC,EAAA,IAAI,OAAA,GAAU,MAAA;AACd,EAAA,OAAO,IAAA,EAAM;AACX,IAAA,QAAQ,OAAA,CAAQ,KAAK,QAAA;AAAU,MAC7B,KAAK,EAAE,qBAAA,CAAsB,UAAA;AAC3B,QAAA,OAAA,GAAU,QAAQ,IAAA,CAAK,MAAA;AACvB,QAAA;AAAA,MACF,KAAK,EAAE,qBAAA,CAAsB,UAAA;AAC3B,QAAA,OAAA,GAAU,QAAQ,IAAA,CAAK,IAAA;AACvB,QAAA;AAAA,MACF;AACE,QAAA,OAAO,OAAA,YAAmB,CAAA,CAAE,SAAA,GAAY,OAAA,GAAU,MAAA;AAAA;AACtD,EACF;AACF;AAEA,SAAS,iBAAiB,MAAA,EAAmC;AAC3D,EAAA,MAAM,YAAA,GAAe,mBAAmB,MAAM,CAAA;AAC9C,EAAA,IAAI,CAAC,YAAA,EAAc;AACjB,IAAA,2BAAW,GAAA,EAAI;AAAA,EACjB;AACA,EAAA,MAAM,KAAA,GACJ,OAAO,YAAA,CAAa,IAAA,CAAK,KAAA,KAAU,UAAA,GAC/B,YAAA,CAAa,IAAA,CAAK,KAAA,EAAM,GACxB,YAAA,CAAa,IAAA,CAAK,KAAA;AACxB,EAAA,OAAO,IAAI,GAAA,CAAI,MAAA,CAAO,IAAA,CAAK,KAAK,CAAC,CAAA;AACnC;AAEO,SAAS,mBACd,UAAA,EACU;AACV,EAAA,IAAI,CAAC,UAAA,EAAY;AACf,IAAA,OAAO,EAAC;AAAA,EACV;AACA,EAAA,MAAM,MAAA,GAAS,OAAO,UAAU,CAAA;AAChC,EAAA,MAAM,IAAA,uBAAW,GAAA,EAAY;AAE7B,EAAA,KAAA,MAAW,KAAA,IAAS,MAAA,CAAO,QAAA,CAAS,qCAAqC,CAAA,EAAG;AAC1E,IAAA,IAAA,CAAK,GAAA,CAAI,KAAA,CAAM,CAAC,CAAC,CAAA;AAAA,EACnB;AACA,EAAA,KAAA,MAAW,KAAA,IAAS,MAAA,CAAO,QAAA,CAAS,wCAAwC,CAAA,EAAG;AAC7E,IAAA,IAAA,CAAK,GAAA,CAAI,KAAA,CAAM,CAAC,CAAC,CAAA;AAAA,EACnB;AAEA,EAAA,OAAO,CAAC,GAAG,IAAI,CAAA,CAAE,IAAA,EAAK;AACxB;AAEA,SAAS,kBAAkB,QAAA,EAAsC;AAC/D,EAAA,OAAO;AAAA,IACL,uBAAO,GAAA,CAAI;AAAA,MACT,GAAG,gBAAA,CAAiB,QAAA,CAAS,IAAI,CAAA;AAAA,MACjC,GAAG,gBAAA,CAAiB,QAAA,CAAS,KAAK,CAAA;AAAA,MAClC,GAAG,MAAA,CAAO,IAAA,CAAK,QAAA,CAAS,IAAI,UAAU,CAAA;AAAA,MACtC;AAAA,KACD;AAAA,IACD,IAAA,EAAK;AACT;AAEA,SAAS,sBAAsB,YAAA,EAAmC;AAChE,EAAA,2BAAW,GAAA,CAAI;AAAA,IACb,GAAG,sBAAA;AAAA,IACH,GAAI,4BAAA,CAA6B,YAAY,CAAA,IAAK;AAAC,GACpD,CAAA;AACH;AAEO,SAAS,2BAAA,CACd,YAAyC,sBAAA,EACJ;AACrC,EAAA,OAAO,SAAA,CAAU,OAAA,CAAQ,CAAC,QAAA,KAAa;AACrC,IAAA,MAAM,cAAA,GAAiB,kBAAA,CAAmB,QAAA,CAAS,MAAA,EAAQ,eAAe,CAAA;AAC1E,IAAA,IAAI,cAAA,CAAe,WAAW,CAAA,EAAG;AAC/B,MAAA,OAAO,EAAC;AAAA,IACV;AAEA,IAAA,MAAM,QAAA,GAAW,IAAI,GAAA,CAAI,iBAAA,CAAkB,QAAQ,CAAC,CAAA;AACpD,IAAA,MAAM,OAAA,GAAU,qBAAA,CAAsB,QAAA,CAAS,IAAI,CAAA;A
ACnD,IAAA,MAAM,cAAc,cAAA,CAAe,MAAA;AAAA,MACjC,CAAC,GAAA,KAAQ,CAAC,QAAA,CAAS,GAAA,CAAI,GAAG,CAAA,IAAK,CAAC,OAAA,CAAQ,GAAA,CAAI,GAAG;AAAA,KACjD;AAEA,IAAA,IAAI,WAAA,CAAY,WAAW,CAAA,EAAG;AAC5B,MAAA,OAAO,EAAC;AAAA,IACV;AAEA,IAAA,OAAO;AAAA,MACL;AAAA,QACE,cAAc,QAAA,CAAS,IAAA;AAAA,QACvB,cAAA;AAAA,QACA,YAAA,EAAc,CAAC,GAAG,QAAQ,EAAE,IAAA,EAAK;AAAA,QACjC;AAAA;AACF,KACF;AAAA,EACF,CAAC,CAAA;AACH","file":"function-registry-input-audit.js","sourcesContent":["import { z } from \"zod\";\nimport { ALL_FUNCTION_CONTRACTS } from \"./function-registry/index.js\";\nimport type { FunctionContract } from \"./function-registry/types.js\";\n\nexport type FunctionRegistryInputAuditFinding = {\n contractName: string;\n projectionKeys: string[];\n acceptedKeys: string[];\n missingKeys: string[];\n};\n\ntype InputProjection = NonNullable<\n FunctionContract[\"convex\"]\n>[\"inputProjection\"];\n\nconst INTERNAL_OR_ALIAS_KEYS = new Set([\n \"__sdkSessionId\",\n \"actorId\",\n \"beliefId\",\n \"createdBy\",\n \"evidenceId\",\n \"id\",\n \"insightId\",\n \"nodeId\",\n \"ontologyId\",\n \"parentNodeId\",\n \"principalId\",\n \"projectId\",\n \"questionId\",\n \"tenantId\",\n \"trustedBypassAccessCheck\",\n \"userId\",\n \"versionId\",\n \"workspaceId\",\n]);\n\nconst INTENTIONAL_PROJECTION_READS: Record<string, readonly string[]> = {\n add_evidence: [\"linkedBeliefNodeId\", \"targetId\"],\n apply_lens_to_topic: [\"metadata\"],\n archive_belief: [\"reason\"],\n check_permission: [\"principalId\", \"tenantId\", \"userId\", \"workspaceId\"],\n claim_files: [\"paths\", \"touchedFiles\"],\n complete_task: [\"summary\"],\n create_belief: [\"formulation\"],\n discover: [\"prompt\", \"topicHint\"],\n filter_by_permission: [\"principalId\", \"tenantId\", \"userId\", \"workspaceId\"],\n get_change_history: [\"status\"],\n get_failure_log: [\"status\"],\n identity_whoami: [\"principalId\", \"tenantId\", \"userId\", \"workspaceId\"],\n ingest_observation: [\"reasoning\", \"trustedBypassAccessCheck\"],\n 
link_evidence: [\n \"beliefId\",\n \"beliefNodeId\",\n \"context\",\n \"evidenceNodeId\",\n \"globalId\",\n \"insightId\",\n \"topicId\",\n \"trustedBypassAccessCheck\",\n \"type\",\n ],\n link_evidence_to_belief: [\n \"beliefNodeId\",\n \"context\",\n \"evidenceNodeId\",\n \"globalId\",\n \"insightId\",\n \"targetId\",\n \"topicId\",\n \"trustedBypassAccessCheck\",\n \"type\",\n ],\n link_evidence_to_question: [\n \"context\",\n \"evidenceNodeId\",\n \"globalId\",\n \"impactScore\",\n \"insightId\",\n \"questionNodeId\",\n \"targetId\",\n \"topicId\",\n \"trustedBypassAccessCheck\",\n \"weight\",\n ],\n list_evidence: [\"status\"],\n manage_write_policy: [\"summary\"],\n merge: [\"decisionsReached\", \"keyFindings\", \"nextSteps\"],\n record_attempt: [\"reasoning\", \"trustedBypassAccessCheck\"],\n record_judgment: [\"reasoning\", \"trustedBypassAccessCheck\"],\n record_scope_learning: [\"reasoning\", \"trustedBypassAccessCheck\"],\n search_beliefs: [\"searchQuery\"],\n search_evidence: [\"query\", \"searchQuery\"],\n update_question_status: [\"answer\", \"answerStatus\", \"nodeId\", \"questionId\"],\n update_topic: [\"graphScopeProjectId\"],\n};\n\nfunction unwrapObjectSchema(\n schema: z.ZodTypeAny,\n): z.ZodObject<z.ZodRawShape> | undefined {\n let current = schema;\n while (true) {\n switch (current._def.typeName) {\n case z.ZodFirstPartyTypeKind.ZodEffects:\n current = current._def.schema;\n continue;\n case z.ZodFirstPartyTypeKind.ZodBranded:\n current = current._def.type;\n continue;\n default:\n return current instanceof z.ZodObject ? current : undefined;\n }\n }\n}\n\nfunction objectSchemaKeys(schema: z.ZodTypeAny): Set<string> {\n const objectSchema = unwrapObjectSchema(schema);\n if (!objectSchema) {\n return new Set();\n }\n const shape =\n typeof objectSchema._def.shape === \"function\"\n ? 
objectSchema._def.shape()\n : objectSchema._def.shape;\n return new Set(Object.keys(shape));\n}\n\nexport function projectionReadKeys(\n projection: InputProjection,\n): string[] {\n if (!projection) {\n return [];\n }\n const source = String(projection);\n const keys = new Set<string>();\n\n for (const match of source.matchAll(/\\binput\\s*\\.\\s*([A-Za-z_$][\\w$]*)/gu)) {\n keys.add(match[1]);\n }\n for (const match of source.matchAll(/\\binput\\s*\\[\\s*[\"']([^\"']+)[\"']\\s*\\]/gu)) {\n keys.add(match[1]);\n }\n\n return [...keys].sort();\n}\n\nfunction acceptedInputKeys(contract: FunctionContract): string[] {\n return [\n ...new Set([\n ...objectSchemaKeys(contract.args),\n ...objectSchemaKeys(contract.input),\n ...Object.keys(contract.mcp.parameters),\n \"__sdkSessionId\",\n ]),\n ].sort();\n}\n\nfunction allowedProjectionKeys(contractName: string): Set<string> {\n return new Set([\n ...INTERNAL_OR_ALIAS_KEYS,\n ...(INTENTIONAL_PROJECTION_READS[contractName] ?? []),\n ]);\n}\n\nexport function auditFunctionRegistryInputs(\n contracts: readonly FunctionContract[] = ALL_FUNCTION_CONTRACTS,\n): FunctionRegistryInputAuditFinding[] {\n return contracts.flatMap((contract) => {\n const projectionKeys = projectionReadKeys(contract.convex?.inputProjection);\n if (projectionKeys.length === 0) {\n return [];\n }\n\n const accepted = new Set(acceptedInputKeys(contract));\n const allowed = allowedProjectionKeys(contract.name);\n const missingKeys = projectionKeys.filter(\n (key) => !accepted.has(key) && !allowed.has(key),\n );\n\n if (missingKeys.length === 0) {\n return [];\n }\n\n return [\n {\n contractName: contract.name,\n projectionKeys,\n acceptedKeys: [...accepted].sort(),\n missingKeys,\n },\n ];\n });\n}\n"]}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../src/gateway.contract.ts"],"names":[],"mappings":";
|
|
1
|
+
{"version":3,"sources":["../src/gateway.contract.ts"],"names":[],"mappings":";AA6IO,SAAS,wBACd,WAAA,EACQ;AACR,EAAA,MAAM,WAAA,GACJ,OAAO,WAAA,CAAY,WAAA,KAAgB,WAC/B,WAAA,CAAY,WAAA,CAAY,MAAK,GAC7B,EAAA;AACN,EAAA,IAAI,WAAA,CAAY,SAAS,CAAA,EAAG;AAC1B,IAAA,OAAO,WAAA;AAAA,EACT;AACA,EAAA,MAAM,IAAI,MAAM,sDAAsD,CAAA;AACxE","file":"gateway.contract.js","sourcesContent":["/**\n * Gateway contract types — shared between Stack's gateway middleware and\n * Lucern's server-core / gateway route handlers.\n *\n * These types describe the authenticated request context that flows from\n * the gateway into Lucern route handlers. The gateway (Stack-side) creates\n * the context; Lucern consumes it read-only.\n *\n * @module @lucern/contracts/src/gateway\n */\n\nimport type {\n SessionAuthMode,\n SessionDelegationHop,\n SessionPrincipalType,\n} from \"./auth-session.contract\";\n\n// ---------------------------------------------------------------------------\n// Error codes\n// ---------------------------------------------------------------------------\n\nexport type PlatformApiErrorCode =\n | \"AUTH_REQUIRED\"\n | \"AUTHENTICATION_REQUIRED\"\n | \"AUTH_TOKEN_MISSING\"\n | \"INVALID_REQUEST\"\n | \"IDEMPOTENCY_KEY_REQUIRED\"\n | \"FORBIDDEN\"\n | \"SCOPE_INSUFFICIENT\"\n | \"ENVIRONMENT_MISMATCH\"\n | \"KEY_EXPIRED\"\n | \"KEY_REVOKED\"\n | \"RATE_LIMIT_EXCEEDED\"\n | \"NOT_FOUND\"\n | \"CONFLICT\"\n | \"UPSTREAM_ERROR\"\n | \"INTERNAL_ERROR\";\n\n// ---------------------------------------------------------------------------\n// Gateway scope and environment\n// ---------------------------------------------------------------------------\n\nexport type GatewayScope = {\n tenantId?: string;\n workspaceId?: string;\n};\n\nexport type GatewayEnvironment = \"sandbox\" | \"production\";\n\nexport type GatewayAuthMode =\n | \"interactive_user\"\n | \"service_principal\"\n | \"tenant_api_key\"\n | \"session_token\";\n\nexport type KeyLifecycleStatus =\n | \"active\"\n | \"rotating\"\n | 
\"rotated\"\n | \"expired\"\n | \"revoked\";\n\nexport type CutoverDomain =\n | \"graph\"\n | \"schema\"\n | \"identity\"\n | \"policy\"\n | \"audit\"\n | \"admin\"\n | \"agent\"\n | \"tool\"\n | \"prompt\"\n | \"intelligence\";\n\nexport type CutoverFlagState = \"legacy\" | \"cutover\" | \"disabled\";\n\n// ---------------------------------------------------------------------------\n// Gateway auth context — the canonical authenticated request shape\n// ---------------------------------------------------------------------------\n\n/**\n * Authenticated request context created by the gateway middleware.\n * Lucern route handlers receive this as a read-only parameter.\n *\n * The `convex` field is typed as `unknown` in the contract because Lucern\n * consumers should not use the gateway's Convex client directly — they\n * have their own kernel client. The gateway (Stack-side) narrows this to\n * `ConvexHttpClient` at the construction site.\n */\nexport type GatewayAuthContext = {\n userId: string;\n clerkId?: string;\n convexToken?: string;\n /** Opaque in contract — narrowed to ConvexHttpClient at the gateway. 
*/\n convex: any; // eslint-disable-line @typescript-eslint/no-explicit-any\n authMode: GatewayAuthMode;\n principalId?: string;\n principalType?: SessionPrincipalType;\n tenantId?: string;\n workspaceId?: string;\n roles?: string[];\n membershipId?: string;\n sessionId?: string;\n sessionAuthMode?: SessionAuthMode;\n sessionExpiresAt?: number;\n delegationChain?: SessionDelegationHop[];\n servicePrincipalId?: string;\n servicePrincipalKeyId?: string;\n servicePrincipalTenantId?: string;\n servicePrincipalWorkspaceId?: string;\n requestEnvironment: GatewayEnvironment;\n keyEnvironment?: GatewayEnvironment;\n keyStatus: KeyLifecycleStatus | \"unknown\";\n grantedScopes: Set<string>;\n cutoverDomain: CutoverDomain;\n cutoverState: CutoverFlagState;\n};\n\n// ---------------------------------------------------------------------------\n// Gateway response helpers — portable (no Next.js dependency)\n// ---------------------------------------------------------------------------\n\nexport type GatewayErrorArgs = {\n code: PlatformApiErrorCode;\n message: string;\n status: number;\n correlationId: string;\n policyTraceId?: string;\n invariant?: string;\n suggestion?: string;\n details?: unknown;\n headers?: HeadersInit;\n};\n\nexport type GatewaySuccessArgs = {\n status?: number;\n correlationId: string;\n policyTraceId?: string;\n idempotentReplay?: boolean;\n};\n\nexport function requireActorPrincipalId(\n authContext: GatewayAuthContext\n): string {\n const principalId =\n typeof authContext.principalId === \"string\"\n ? authContext.principalId.trim()\n : \"\";\n if (principalId.length > 0) {\n return principalId;\n }\n throw new Error(\"Access denied: federated principal context required.\");\n}\n"]}
|
|
@@ -118,7 +118,7 @@ var MC_SCHEMA_TABLES = {
|
|
|
118
118
|
"toolCatalog": defineTable(v.object({ "category": v.union(v.literal("read"), v.literal("write"), v.literal("admin"), v.literal("system")), "createdAt": v.number(), "description": v.string(), "distribution": v.union(v.literal("base"), v.literal("pack_only")), "executionAdapter": v.optional(v.union(v.literal("convex_mutation"), v.literal("convex_action"), v.literal("http_callback"), v.literal("mcp_tool"), v.literal("sdk_invocation"), v.literal("external_observed"))), "handlerRef": v.optional(v.string()), "metadata": v.optional(v.record(v.string(), v.any())), "parameterSchema": v.optional(v.record(v.string(), v.any())), "requiredAction": v.union(v.literal("read"), v.literal("mutate"), v.literal("admin"), v.literal("summarize"), v.literal("export"), v.literal("create"), v.literal("delete"), v.literal("grant"), v.literal("revoke")), "requiredRole": v.union(v.literal("platform_admin"), v.literal("tenant_admin"), v.literal("workspace_admin"), v.literal("editor"), v.literal("viewer"), v.literal("auditor"), v.literal("service_agent")), "returnSchema": v.optional(v.record(v.string(), v.any())), "safetyMetadata": v.optional(v.object({ "idempotent": v.boolean(), "readOnly": v.boolean(), "sideEffectLevel": v.union(v.literal("none"), v.literal("low"), v.literal("high")) })), "status": v.union(v.literal("active"), v.literal("deprecated"), v.literal("draft")), "surfaces": v.array(v.union(v.literal("mcp"), v.literal("chat"), v.literal("voice"), v.literal("sprint"), v.literal("api"), v.literal("sdk"), v.literal("cli"))), "toolName": v.string(), "updatedAt": v.number(), "version": v.string() })).index("by_toolName", ["toolName"]).index("by_status", ["status"]).index("by_distribution", ["distribution"]).index("by_distribution_status", ["distribution", "status"]).index("by_category", ["category"]).index("by_requiredRole", ["requiredRole"]),
|
|
119
119
|
"toolRegistryEntries": defineTable(v.object({ "approvalGateId": v.optional(v.string()), "category": v.optional(v.union(v.literal("read"), v.literal("write"), v.literal("admin"), v.literal("system"))), "createdAt": v.number(), "createdBy": v.string(), "description": v.string(), "exampleInvocations": v.array(v.object({ "expectedOutput": v.optional(v.record(v.string(), v.any())), "input": v.record(v.string(), v.any()) })), "executionAdapter": v.union(v.literal("convex_mutation"), v.literal("convex_action"), v.literal("http_callback"), v.literal("mcp_tool"), v.literal("sdk_invocation"), v.literal("external_observed")), "gateClassification": v.union(v.literal("core"), v.literal("shimmed")), "isCore": v.optional(v.boolean()), "metadata": v.optional(v.record(v.string(), v.any())), "parameterSchema": v.record(v.string(), v.any()), "requiredAction": v.optional(v.union(v.literal("read"), v.literal("mutate"), v.literal("admin"), v.literal("summarize"), v.literal("export"), v.literal("create"), v.literal("delete"), v.literal("grant"), v.literal("revoke"))), "requiredRole": v.optional(v.union(v.literal("platform_admin"), v.literal("tenant_admin"), v.literal("workspace_admin"), v.literal("editor"), v.literal("viewer"), v.literal("auditor"), v.literal("service_agent"))), "safetyMetadata": v.object({ "idempotent": v.boolean(), "readOnly": v.boolean(), "sideEffectLevel": v.union(v.literal("none"), v.literal("low"), v.literal("high")) }), "scopeRequirements": v.array(v.string()), "status": v.union(v.literal("active"), v.literal("deprecated"), v.literal("disabled")), "surfaces": v.optional(v.array(v.union(v.literal("mcp"), v.literal("chat"), v.literal("voice"), v.literal("sprint"), v.literal("api"), v.literal("sdk"), v.literal("cli")))), "tenantId": v.id("tenants"), "toolId": v.string(), "toolName": v.string(), "updatedAt": v.number(), "version": v.string(), "workspaceId": v.optional(v.id("workspaces")) })).index("by_toolId", ["toolId"]).index("by_tenant_toolId", ["tenantId", 
"toolId"]).index("by_tenant_toolId_version", ["tenantId", "toolId", "version"]).index("by_tenant_toolName", ["tenantId", "toolName"]).index("by_tenant_toolName_version", ["tenantId", "toolName", "version"]).index("by_workspace_toolName_version", ["workspaceId", "toolName", "version"]).index("by_tenant_gateClassification", ["tenantId", "gateClassification"]).index("by_tenant_status", ["tenantId", "status"]),
|
|
120
120
|
"userSessions": defineTable(v.object({ "apiKeyId": v.id("apiKeys"), "authMode": v.optional(v.union(v.literal("interactive_user"), v.literal("service_principal"), v.literal("tenant_api_key"), v.literal("session_token"))), "clerkUserId": v.string(), "createdAt": v.number(), "delegationChain": v.optional(v.array(v.object({ "authMode": v.optional(v.union(v.literal("interactive_user"), v.literal("service_principal"), v.literal("tenant_api_key"), v.literal("session_token"))), "delegatedAt": v.optional(v.number()), "principalId": v.string(), "principalType": v.union(v.literal("human"), v.literal("service"), v.literal("agent")), "reason": v.optional(v.string()), "sessionId": v.optional(v.string()) }))), "jwtExpiresAt": v.optional(v.number()), "jwtIssuedAt": v.optional(v.number()), "lastActivityAt": v.number(), "lastValidatedAt": v.optional(v.number()), "principalId": v.optional(v.string()), "principalType": v.optional(v.union(v.literal("human"), v.literal("service"), v.literal("agent"))), "revokedAt": v.optional(v.number()), "revokedBy": v.optional(v.string()), "revokeReason": v.optional(v.string()), "role": v.optional(v.string()), "scopes": v.optional(v.array(v.string())), "sessionExpiresAt": v.optional(v.number()), "sessionId": v.string(), "sessionType": v.union(v.literal("user"), v.literal("agent")), "sourceSessionId": v.optional(v.string()), "status": v.union(v.literal("active"), v.literal("expired"), v.literal("revoked")), "tenantId": v.id("tenants"), "updatedAt": v.number(), "workspaceId": v.optional(v.string()) })).index("by_sessionId", ["sessionId"]).index("by_sourceSessionId", ["sourceSessionId"]).index("by_tenantId", ["tenantId"]).index("by_clerkUserId", ["clerkUserId"]).index("by_status", ["status"]),
|
|
121
|
-
"workspaces": defineTable(v.object({ "createdAt": v.number(), "createdBy": v.optional(v.string()), "defaultProjectVisibility": v.optional(v.union(v.literal("private"), v.literal("team"), v.literal("firm"), v.literal("external"), v.literal("public"))), "deployments": v.optional(v.record(v.string(), v.object({ "encryptedDeployKey": v.string(), "url": v.string() }))), "key": v.string(), "metadata": v.optional(v.record(v.string(), v.any())), "name": v.string(), "slug": v.string(), "status": v.union(v.literal("active"), v.literal("archived")), "tenantId": v.id("tenants"), "updatedAt": v.number() })).index("by_tenantId", ["tenantId"]).index("by_tenantId_key", ["tenantId", "key"]).index("by_tenantId_slug", ["tenantId", "slug"]).index("by_status", ["status"])
|
|
121
|
+
"workspaces": defineTable(v.object({ "createdAt": v.number(), "createdBy": v.optional(v.string()), "defaultProjectVisibility": v.optional(v.union(v.literal("private"), v.literal("team"), v.literal("firm"), v.literal("external"), v.literal("public"))), "deployments": v.optional(v.record(v.string(), v.object({ "credentialRef": v.optional(v.string()), "encryptedDeployKey": v.optional(v.string()), "target": v.optional(v.union(v.literal("kernelDeployment"), v.literal("appDeployment"))), "url": v.string() }))), "key": v.string(), "metadata": v.optional(v.record(v.string(), v.any())), "name": v.string(), "slug": v.string(), "status": v.union(v.literal("active"), v.literal("archived")), "tenantId": v.id("tenants"), "updatedAt": v.number() })).index("by_tenantId", ["tenantId"]).index("by_tenantId_key", ["tenantId", "key"]).index("by_tenantId_slug", ["tenantId", "slug"]).index("by_status", ["status"])
|
|
122
122
|
};
|
|
123
123
|
var DEVELOPER_PACK_SCHEMA_TABLES = {};
|
|
124
124
|
var EMPTY_SCHEMA_TABLES = {};
|