@lucern/contracts 0.3.0-alpha.4 → 0.3.0-alpha.6

Files changed (143) hide show
  1. package/dist/edge-policy-manifest-DpmTtjmm.d.ts +132 -0
  2. package/dist/function-registry/beliefs.js +72 -0
  3. package/dist/function-registry/beliefs.js.map +1 -1
  4. package/dist/function-registry/coding.js +72 -0
  5. package/dist/function-registry/coding.js.map +1 -1
  6. package/dist/function-registry/context.js +72 -0
  7. package/dist/function-registry/context.js.map +1 -1
  8. package/dist/function-registry/contracts.js +72 -0
  9. package/dist/function-registry/contracts.js.map +1 -1
  10. package/dist/function-registry/coordination.js +72 -0
  11. package/dist/function-registry/coordination.js.map +1 -1
  12. package/dist/function-registry/edges.js +72 -0
  13. package/dist/function-registry/edges.js.map +1 -1
  14. package/dist/function-registry/evidence.js +72 -0
  15. package/dist/function-registry/evidence.js.map +1 -1
  16. package/dist/function-registry/graph.d.ts +78 -0
  17. package/dist/function-registry/graph.js +129 -0
  18. package/dist/function-registry/graph.js.map +1 -1
  19. package/dist/function-registry/helpers.d.ts +1 -1
  20. package/dist/function-registry/helpers.js +72 -0
  21. package/dist/function-registry/helpers.js.map +1 -1
  22. package/dist/function-registry/identity.js +72 -0
  23. package/dist/function-registry/identity.js.map +1 -1
  24. package/dist/function-registry/index.d.ts +1 -1
  25. package/dist/function-registry/index.js +72 -0
  26. package/dist/function-registry/index.js.map +1 -1
  27. package/dist/function-registry/judgments.js +72 -0
  28. package/dist/function-registry/judgments.js.map +1 -1
  29. package/dist/function-registry/legacy.js +72 -0
  30. package/dist/function-registry/legacy.js.map +1 -1
  31. package/dist/function-registry/lenses.js +72 -0
  32. package/dist/function-registry/lenses.js.map +1 -1
  33. package/dist/function-registry/manifest.d.ts +3 -3
  34. package/dist/function-registry/manifest.js +2 -0
  35. package/dist/function-registry/manifest.js.map +1 -1
  36. package/dist/function-registry/ontologies.js +72 -0
  37. package/dist/function-registry/ontologies.js.map +1 -1
  38. package/dist/function-registry/pipeline.js +72 -0
  39. package/dist/function-registry/pipeline.js.map +1 -1
  40. package/dist/function-registry/questions.js +72 -0
  41. package/dist/function-registry/questions.js.map +1 -1
  42. package/dist/function-registry/tasks.js +72 -0
  43. package/dist/function-registry/tasks.js.map +1 -1
  44. package/dist/function-registry/topics.js +72 -0
  45. package/dist/function-registry/topics.js.map +1 -1
  46. package/dist/function-registry/types.d.ts +1 -1
  47. package/dist/function-registry/worktrees.js +72 -0
  48. package/dist/function-registry/worktrees.js.map +1 -1
  49. package/dist/generated/convexSchemas.js +1 -1
  50. package/dist/generated/convexSchemas.js.map +1 -1
  51. package/dist/graph-intelligence.contract.d.ts +506 -0
  52. package/dist/graph-intelligence.contract.js +595 -0
  53. package/dist/graph-intelligence.contract.js.map +1 -0
  54. package/dist/graph-types/index.d.ts +5 -1
  55. package/dist/graph-types/index.js +15 -4
  56. package/dist/graph-types/index.js.map +1 -1
  57. package/dist/{index-CV-0_VWJ.d.ts → index-O09U2xHk.d.ts} +5 -2
  58. package/dist/index.d.ts +18 -817
  59. package/dist/index.js +744 -10
  60. package/dist/index.js.map +1 -1
  61. package/dist/infisical-runtime.contract.js +120 -0
  62. package/dist/infisical-runtime.contract.js.map +1 -1
  63. package/dist/manifests/edge-policy-manifest.d.ts +2 -0
  64. package/dist/manifests/edge-policy-manifest.data.d.ts +27 -0
  65. package/dist/manifests/edge-policy-manifest.data.js +34 -0
  66. package/dist/manifests/edge-policy-manifest.data.js.map +1 -0
  67. package/dist/manifests/edge-policy-manifest.js +65 -0
  68. package/dist/manifests/edge-policy-manifest.js.map +1 -0
  69. package/dist/manifests/infisical-runtime-manifest.d.ts +151 -0
  70. package/dist/manifests/infisical-runtime-manifest.js +311 -0
  71. package/dist/manifests/infisical-runtime-manifest.js.map +1 -0
  72. package/dist/manifests/invariant-manifest.d.ts +65 -0
  73. package/dist/manifests/invariant-manifest.js +18 -0
  74. package/dist/manifests/invariant-manifest.js.map +1 -0
  75. package/dist/manifests/invariants/ast-utils.d.ts +14 -0
  76. package/dist/manifests/invariants/ast-utils.js +54 -0
  77. package/dist/manifests/invariants/ast-utils.js.map +1 -0
  78. package/dist/manifests/invariants/index.d.ts +15 -0
  79. package/dist/manifests/invariants/index.js +183 -0
  80. package/dist/manifests/invariants/index.js.map +1 -0
  81. package/dist/manifests/invariants/inv-1-beliefs-append-only.d.ts +12 -0
  82. package/dist/manifests/invariants/inv-1-beliefs-append-only.js +94 -0
  83. package/dist/manifests/invariants/inv-1-beliefs-append-only.js.map +1 -0
  84. package/dist/manifests/invariants/inv-14-no-silent-transitions.d.ts +12 -0
  85. package/dist/manifests/invariants/inv-14-no-silent-transitions.js +99 -0
  86. package/dist/manifests/invariants/inv-14-no-silent-transitions.js.map +1 -0
  87. package/dist/manifests/invariants/manifest-1-projections-declare-audit.d.ts +12 -0
  88. package/dist/manifests/invariants/manifest-1-projections-declare-audit.js +42 -0
  89. package/dist/manifests/invariants/manifest-1-projections-declare-audit.js.map +1 -0
  90. package/dist/manifests/tenant-client-manifest.d.ts +303 -0
  91. package/dist/manifests/tenant-client-manifest.js +409 -0
  92. package/dist/manifests/tenant-client-manifest.js.map +1 -0
  93. package/dist/projections/check-convex-args-shape.d.ts +3 -0
  94. package/dist/projections/check-convex-args-shape.js +396 -0
  95. package/dist/projections/check-convex-args-shape.js.map +1 -0
  96. package/dist/projections/create-evidence.projection.d.ts +176 -0
  97. package/dist/projections/create-evidence.projection.js +128 -0
  98. package/dist/projections/create-evidence.projection.js.map +1 -0
  99. package/dist/projections/index.d.ts +102 -0
  100. package/dist/projections/index.js +345 -0
  101. package/dist/projections/index.js.map +1 -0
  102. package/dist/projections/list-beliefs.projection.d.ts +36 -0
  103. package/dist/projections/list-beliefs.projection.js +54 -0
  104. package/dist/projections/list-beliefs.projection.js.map +1 -0
  105. package/dist/projections/list-tasks.projection.d.ts +32 -0
  106. package/dist/projections/list-tasks.projection.js +52 -0
  107. package/dist/projections/list-tasks.projection.js.map +1 -0
  108. package/dist/projections/modulate-confidence.projection.d.ts +219 -0
  109. package/dist/projections/modulate-confidence.projection.js +148 -0
  110. package/dist/projections/modulate-confidence.projection.js.map +1 -0
  111. package/dist/projections/projection-dsl.d.ts +11 -0
  112. package/dist/projections/projection-dsl.js +8 -0
  113. package/dist/projections/projection-dsl.js.map +1 -0
  114. package/dist/schemas/enums.d.ts +5 -2
  115. package/dist/schemas/enums.js +5 -2
  116. package/dist/schemas/enums.js.map +1 -1
  117. package/dist/schemas/index.d.ts +1 -1
  118. package/dist/schemas/index.js +6 -3
  119. package/dist/schemas/index.js.map +1 -1
  120. package/dist/schemas/manifest.d.ts +15 -15
  121. package/dist/schemas/manifest.js +5 -2
  122. package/dist/schemas/manifest.js.map +1 -1
  123. package/dist/schemas/tables/kernel/intelligence.d.ts +2 -2
  124. package/dist/schemas/tables/kernel/spine.d.ts +1 -1
  125. package/dist/schemas/tables/kernel/spine.js +5 -2
  126. package/dist/schemas/tables/kernel/spine.js.map +1 -1
  127. package/dist/schemas/tables/kernel/topic.js +4 -1
  128. package/dist/schemas/tables/kernel/topic.js.map +1 -1
  129. package/dist/{sdk-tools.contract-CD-N1Jf7.d.ts → sdk-tools.contract-Ng8ULxjr.d.ts} +1 -1
  130. package/dist/sdk-tools.contract.d.ts +2 -2
  131. package/dist/sdk-tools.contract.js +70 -0
  132. package/dist/sdk-tools.contract.js.map +1 -1
  133. package/dist/tenant-bootstrap-seed.contract.d.ts +12 -8
  134. package/dist/tenant-bootstrap-seed.contract.js +6 -4
  135. package/dist/tenant-bootstrap-seed.contract.js.map +1 -1
  136. package/dist/tenant-client.contract.d.ts +69 -5
  137. package/dist/tenant-client.contract.js +65 -4
  138. package/dist/tenant-client.contract.js.map +1 -1
  139. package/dist/{tool-contracts-BcKz-VGj.d.ts → tool-contracts-CYXVPN4K.d.ts} +6 -2
  140. package/dist/tool-contracts.d.ts +1 -1
  141. package/dist/tool-contracts.js +71 -1
  142. package/dist/tool-contracts.js.map +1 -1
  143. package/package.json +9 -1
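--- a/package/dist/infisical-runtime.contract.js
+++ b/package/dist/infisical-runtime.contract.js
@@ -1,5 +1,125 @@
  // src/tenant-client.contract.ts
  var TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH = "tenants/shared";
+ var TENANT_CLIENT_INSTALLABLE_PACKAGES = [
+ {
+ packageName: "@lucern/access-control",
+ role: "runtime_entrypoint",
+ directTenantImport: true
+ },
+ {
+ packageName: "@lucern/agent",
+ role: "platform_runtime",
+ directTenantImport: false
+ },
+ {
+ packageName: "@lucern/auth",
+ role: "sdk_dependency",
+ directTenantImport: false
+ },
+ {
+ packageName: "@lucern/cli",
+ role: "developer_tool",
+ directTenantImport: false
+ },
+ {
+ packageName: "@lucern/client-core",
+ role: "sdk_dependency",
+ directTenantImport: false
+ },
+ {
+ packageName: "@lucern/confidence",
+ role: "sdk_dependency",
+ directTenantImport: false
+ },
+ {
+ packageName: "@lucern/config",
+ role: "configuration",
+ directTenantImport: false
+ },
+ {
+ packageName: "@lucern/contracts",
+ role: "contract_entrypoint",
+ directTenantImport: true
+ },
+ {
+ packageName: "@lucern/control-plane",
+ role: "platform_runtime",
+ directTenantImport: false
+ },
+ {
+ packageName: "@lucern/developer-kit",
+ role: "developer_tool",
+ directTenantImport: false
+ },
+ {
+ packageName: "@lucern/events",
+ role: "sdk_dependency",
+ directTenantImport: false
+ },
+ {
+ packageName: "@lucern/graph-primitives",
+ role: "sdk_dependency",
+ directTenantImport: false
+ },
+ {
+ packageName: "@lucern/identity",
+ role: "component_runtime",
+ directTenantImport: false
+ },
+ {
+ packageName: "@lucern/mcp",
+ role: "runtime_entrypoint",
+ directTenantImport: true
+ },
+ {
+ packageName: "@lucern/pack-host",
+ role: "platform_runtime",
+ directTenantImport: false
+ },
+ {
+ packageName: "@lucern/pack-installer",
+ role: "developer_tool",
+ directTenantImport: false
+ },
+ {
+ packageName: "@lucern/proof-compiler",
+ role: "developer_tool",
+ directTenantImport: false
+ },
+ {
+ packageName: "@lucern/react",
+ role: "runtime_entrypoint",
+ directTenantImport: true
+ },
+ {
+ packageName: "@lucern/reasoning-kernel",
+ role: "component_runtime",
+ directTenantImport: false
+ },
+ {
+ packageName: "@lucern/sdk",
+ role: "runtime_entrypoint",
+ directTenantImport: true
+ },
+ {
+ packageName: "@lucern/server-core",
+ role: "platform_runtime",
+ directTenantImport: false
+ },
+ {
+ packageName: "@lucern/testing",
+ role: "test_support",
+ directTenantImport: false
+ },
+ {
+ packageName: "@lucern/types",
+ role: "contract_entrypoint",
+ directTenantImport: true
+ }
+ ];
+ TENANT_CLIENT_INSTALLABLE_PACKAGES.map(
+ (entry) => entry.packageName
+ );
 
  // src/infisical-runtime.contract.ts
  var INFISICAL_RUNTIME_CONTRACT_VERSION = "2026-04-28";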
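Review bot: The statement added at new lines 120–122, `TENANT_CLIENT_INSTALLABLE_PACKAGES.map((entry) => entry.packageName);`, discards its result, so the 23-entry package table is now built at load time in a bundle that previously carried only the `TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH` string from tenant-client.contract.ts. This looks like a bundler leftover from a derived top-level constant that could not be tree-shaken; annotating the call in the source with `/* @__PURE__ */`, or deriving the name list inside a function, should let the build drop the table from this module. Separately, the table lists `@lucern/access-control` as `role: "runtime_entrypoint"` with `directTenantImport: true`, while the source embedded in the removed source map records it as `sdk_dependency` with `directTenantImport: false`. The import classifier visible in that embedded source decides from `TENANT_CLIENT_PUBLIC_IMPORTS` rather than from this flag, so confirm that allow-list was updated in the same release; otherwise the manifest and the enforcement disagree about whether tenant code may import the package.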
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/tenant-client.contract.ts","../src/infisical-runtime.contract.ts"],"names":[],"mappings":";AAoDO,IAAM,0CAAA,GACX,gBAAA;;;ACxCK,IAAM,kCAAA,GAAqC;AAE3C,IAAM,iCAAA,GACX;AACK,IAAM,oCAAA,GACX;AAEK,IAAM,8BAAA,GAAiC;AAAA,EAC5C,KAAA;AAAA,EACA,SAAA;AAAA,EACA;AACF;AAIO,IAAM,gCAAA,GAAmC;AAAA,EAC9C,aAAA;AAAA,EACA,eAAA;AAAA,EACA;AACF;AAIO,IAAM,6BAAA,GAAgC;AAAA,EAC3C,YAAA;AAAA,EACA,gBAAA;AAAA,EACA,YAAA;AAAA,EACA,YAAA;AAAA,EACA,YAAA;AAAA,EACA;AACF;AAIO,IAAM,+BAAA,GAAkC;AAAA,EAC7C,MAAA,EAAQ,CAAC,mBAAA,EAAqB,eAAe,CAAA;AAAA,EAC7C,SAAA,EAAW,CAAC,sBAAA,EAAwB,wBAAwB,CAAA;AAAA,EAC5D,QAAA,EAAU;AAAA,IACR,qBAAA;AAAA,IACA,6BAAA;AAAA,IACA;AAAA,GACF;AAAA,EACA,YAAA,EAAc;AAAA,IACZ,yBAAA;AAAA,IACA,iCAAA;AAAA,IACA;AAAA,GACF;AAAA,EACA,WAAA,EAAa,CAAC,eAAA,EAAiB,sBAAsB,CAAA;AAAA,EACrD,gBAAA,EAAkB,CAAC,oBAAA,EAAsB,6BAA6B,CAAA;AAAA,EACtE,QAAA,EAAU,CAAC,0BAAA,EAA4B,mBAAmB;AAC5D;AAoBO,IAAM,uBAAA,GAA0B;AAAA,EACrC;AAAA,IACE,EAAA,EAAI,eAAA;AAAA,IACJ,UAAA,EAAY,gBAAA;AAAA,IACZ,WAAA,EACE,qHAAA;AAAA,IACF,SAAA,EAAW;AAAA,MACT;AAAA,QACE,IAAA,EAAM,mCAAA;AAAA,QACN,QAAA,EAAU,IAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,IAAA;AAAA,QACR,WAAA,EAAa;AAAA,OACf;AAAA,MACA;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,QAAA,EAAU,IAAA;AAAA,QACV,MAAA,EAAQ,IAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,WAAA,EAAa;AAAA,OACf;AAAA,MACA;AAAA,QACE,IAAA,EAAM,yBAAA;AAAA,QACN,QAAA,EAAU,KAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,WAAA,EAAa;AAAA,OACf;AAAA,MACA;AAAA,QACE,IAAA,EAAM,+BAAA;AAAA,QACN,QAAA,EAAU,KAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,IAAA;AAAA,QACR,WAAA,EAAa;AAAA,OACf;AAAA,MACA;AAAA,QACE,IAAA,EAAM,+BAAA;AAAA,QACN,QAAA,EAAU,KAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,IAAA;AAAA,QACR,WAAA,EAAa;AAAA;AACf;AACF,GACF;AAAA,EACA;AAAA,IACE,EAAA,EAAI,kBAAA;AAAA,IACJ,UAAA,EAAY,mBAAA;AAAA,IACZ,WAAA,EACE,6EAAA;AAAA,IACF,SAAA,EAAW;AAAA,MACT;AAAA,QACE,IAAA,EAAM,gBAAA;AAAA,QACN,QAAA,EAAU,IAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,OAAA,EAAS,CAAC,qBAAA,EAAuB,iBAAiB,CAAA
;AAAA,QAClD,WAAA,EAAa;AAAA,OACf;AAAA,MACA;AAAA,QACE,IAAA,EAAM,uBAAA;AAAA,QACN,QAAA,EAAU,KAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,OAAA,EAAS,CAAC,sBAAsB,CAAA;AAAA,QAChC,WAAA,EAAa;AAAA,OACf;AAAA,MACA;AAAA,QACE,IAAA,EAAM,oBAAA;AAAA,QACN,QAAA,EAAU,KAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,OAAA,EAAS,CAAC,YAAY,CAAA;AAAA,QACtB,WAAA,EAAa;AAAA;AACf;AACF,GACF;AAAA,EACA;AAAA,IACE,EAAA,EAAI,uBAAA;AAAA,IACJ,UAAA,EAAY,0CAAA;AAAA,IACZ,WAAA,EACE,sGAAA;AAAA,IACF,SAAA,EAAW;AAAA,MACT;AAAA,QACE,IAAA,EAAM,oBAAA;AAAA,QACN,QAAA,EAAU,IAAA;AAAA,QACV,MAAA,EAAQ,IAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,WAAA,EAAa;AAAA;AACf;AACF;AAEJ;AAcO,IAAM,0BAAA,GAA6B;AAAA,EACxC;AAAA,IACE,EAAA,EAAI,YAAA;AAAA,IACJ,QAAA,EAAU,aAAA;AAAA,IACV,aAAA,EAAe,CAAC,eAAA,EAAiB,kBAAkB,CAAA;AAAA,IACnD,QAAA,EAAU,mCAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,gBAAA;AAAA,IACJ,QAAA,EAAU,aAAA;AAAA,IACV,aAAA,EAAe,CAAC,eAAA,EAAiB,kBAAkB,CAAA;AAAA,IACnD,QAAA,EAAU,+CAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,YAAA;AAAA,IACJ,WAAA,EAAa,aAAA;AAAA,IACb,QAAA,EAAU,eAAA;AAAA,IACV,aAAA,EAAe,CAAC,kBAAkB,CAAA;AAAA,IAClC,QAAA,EAAU,oEAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,YAAA;AAAA,IACJ,WAAA,EAAa,aAAA;AAAA,IACb,QAAA,EAAU,eAAA;AAAA,IACV,QAAA,EAAU,aAAA;AAAA,IACV,aAAA,EAAe,CAAC,kBAAkB,CAAA;AAAA,IAClC,QAAA,EAAU,kCAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,YAAA;AAAA,IACJ,WAAA,EAAa,aAAA;AAAA,IACb,QAAA,EAAU,eAAA;AAAA,IACV,QAAA,EAAU,aAAA;AAAA,IACV,aAAA,EAAe,CAAC,kBAAkB,CAAA;AAAA,IAClC,QAAA,EAAU,6BAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,eAAA;AAAA,IACJ,QAAA,EAAU,aAAA;AAAA,IACV,aAAA,EAAe,CAAC,uBAAuB,CAAA;AAAA,IACvC,QAAA,EAAU,qCAAA;AAAA,IACV,WAAA,EACE;AAAA;AAEN;AAIO,SAAS,yBACd,MAAA,EACkC;AAClC,EAAA,OAAO,wBAAwB,IAAA,CAAK,CAAC,IAAA,KAAS,IAAA,CAAK,OAAO,MAAM,CAAA;AAClE;AAEO,SAAS,4BACd,SAAA,EACqC;AACrC,EAAA,OAAO,0BAAA,CAA2B,IAAA;AAAA,IAChC,CAAC,OAAA,KAAY,OAAA,CAAQ,EAAA,KAAO;AAAA,GAC9B;AACF","file":"infisical-r
untime.contract.js","sourcesContent":["/**\n * Tenant client contract\n *\n * Defines the generic boundary for any customer-owned product that consumes\n * Lucern through the SDK, hosted API, or MCP server. Tenant clients may run\n * their own UI, auth provider, deployment, and data plane, but reasoning\n * operations must enter through the published packages below.\n */\n\nimport type {\n SessionAuthMode,\n SessionPrincipalType,\n} from \"./auth.contract\";\n\nexport const TENANT_CLIENT_CONTRACT_VERSION = \"2026-04-27\" as const;\n\nexport const TENANT_CLIENT_AUTH_MODES = [\n \"interactive_user\",\n \"service_principal\",\n \"tenant_api_key\",\n \"session_token\",\n] as const satisfies readonly SessionAuthMode[];\nexport type TenantClientAuthMode = (typeof TENANT_CLIENT_AUTH_MODES)[number];\n\nexport const TENANT_CLIENT_PRINCIPAL_TYPES = [\n \"human\",\n \"service\",\n \"agent\",\n] as const satisfies readonly SessionPrincipalType[];\nexport type TenantClientPrincipalType =\n (typeof TENANT_CLIENT_PRINCIPAL_TYPES)[number];\n\nexport const TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS = [\n \"tenantId\",\n \"workspaceId\",\n \"principalId\",\n \"authMode\",\n \"scopes\",\n] as const;\nexport type TenantClientRequiredContextField =\n (typeof TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS)[number];\n\nexport const TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS = [\n \"principalType\",\n \"roles\",\n \"sessionId\",\n \"delegationChain\",\n] as const;\nexport type TenantClientOptionalContextField =\n (typeof TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS)[number];\n\nexport const TENANT_CLIENT_INSTALL_TOKEN_ENV = \"INSTALL_LUCERN_NPM\" as const;\nexport const TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH =\n \"tenants/shared\" as const;\nexport const TENANT_CLIENT_FORBIDDEN_INSTALL_TOKEN_INFISICAL_PATHS = [\n \"/platform/publish\",\n] as const;\nexport const TENANT_CLIENT_FORBIDDEN_SECRET_ENV = [\"NPM_TOKEN\"] as const;\nexport type TenantClientForbiddenInstallTokenInfisicalPath =\n (typeof 
TENANT_CLIENT_FORBIDDEN_INSTALL_TOKEN_INFISICAL_PATHS)[number];\nexport type TenantClientForbiddenSecretEnv =\n (typeof TENANT_CLIENT_FORBIDDEN_SECRET_ENV)[number];\n\nexport const TENANT_CLIENT_INSTALLABLE_PACKAGES = [\n {\n packageName: \"@lucern/access-control\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/agent\",\n role: \"platform_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/auth\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/cli\",\n role: \"developer_tool\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/client-core\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/confidence\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/config\",\n role: \"configuration\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/contracts\",\n role: \"contract_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/control-plane\",\n role: \"platform_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/developer-kit\",\n role: \"developer_tool\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/events\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/graph-primitives\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/identity\",\n role: \"component_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/mcp\",\n role: \"runtime_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/pack-host\",\n role: \"platform_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/pack-installer\",\n role: \"developer_tool\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/proof-compiler\",\n role: \"developer_tool\",\n directTenantImport: 
false,\n },\n {\n packageName: \"@lucern/react\",\n role: \"runtime_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/reasoning-kernel\",\n role: \"component_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/sdk\",\n role: \"runtime_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/server-core\",\n role: \"platform_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/testing\",\n role: \"test_support\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/types\",\n role: \"contract_entrypoint\",\n directTenantImport: true,\n },\n] as const;\nexport type TenantClientInstallablePackage =\n (typeof TENANT_CLIENT_INSTALLABLE_PACKAGES)[number];\nexport type TenantClientPackageRole = TenantClientInstallablePackage[\"role\"];\nexport type TenantClientInstallablePackageName =\n TenantClientInstallablePackage[\"packageName\"];\n\n/**\n * Direct imports tenant-owned product code may use. This is intentionally\n * smaller than TENANT_CLIENT_INSTALLABLE_PACKAGES: several publishable packages\n * are installed as SDK dependencies, tooling, or platform runtimes but should\n * not become the application integration surface.\n */\nexport const TENANT_CLIENT_PUBLIC_IMPORTS = [\n {\n packageName: \"@lucern/sdk\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description: \"TypeScript SDK runtime and generated operation namespaces.\",\n },\n {\n packageName: \"@lucern/react\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description: \"React bindings for tenant-owned UI applications.\",\n },\n {\n packageName: \"@lucern/mcp\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description: \"MCP client/server entry points and hosted route helpers.\",\n },\n {\n packageName: \"@lucern/contracts\",\n surface: \"contract\",\n subpaths: \"published_exports\",\n description: \"Published type and manifest contracts.\",\n },\n {\n packageName: 
\"@lucern/types\",\n surface: \"contract\",\n subpaths: \"published_exports\",\n description: \"Published type-only helpers for tenant integration code.\",\n },\n] as const;\nexport type TenantClientPublicImport =\n (typeof TENANT_CLIENT_PUBLIC_IMPORTS)[number];\nexport type TenantClientPublicPackage =\n TenantClientPublicImport[\"packageName\"];\nexport type TenantClientPublicSurface = TenantClientPublicImport[\"surface\"];\n\nexport const TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS = [\n {\n packageName: \"@lucern/identity\",\n importPath: \"@lucern/identity/convex.config\",\n surface: \"component_config\",\n description:\n \"Convex component binding config for tenant deployments that install Lucern identity.\",\n },\n {\n packageName: \"@lucern/reasoning-kernel\",\n importPath: \"@lucern/reasoning-kernel/convex.config\",\n surface: \"component_config\",\n description:\n \"Convex component binding config for tenant deployments that install the Lucern reasoning kernel.\",\n },\n {\n packageName: \"@lucern/reasoning-kernel\",\n importPath: \"@lucern/reasoning-kernel/runtime.config\",\n surface: \"component_config\",\n description:\n \"Runtime config alias for tenant deployments that install the Lucern reasoning kernel.\",\n },\n] as const;\nexport type TenantClientComponentConfigImport =\n (typeof TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS)[number];\nexport type TenantClientAllowedImport =\n | TenantClientPublicImport\n | TenantClientComponentConfigImport;\n\nexport function findTenantClientInstallablePackage(\n packageName: string\n): TenantClientInstallablePackage | undefined {\n return TENANT_CLIENT_INSTALLABLE_PACKAGES.find(\n (entry) => entry.packageName === packageName\n );\n}\n\nexport function isTenantClientInstallablePackage(packageName: string): boolean {\n return Boolean(findTenantClientInstallablePackage(packageName));\n}\n\nexport const TENANT_CLIENT_REQUIRED_SDK_NAMESPACES = [\n \"bootstrap\",\n \"context\",\n \"beliefs\",\n \"evidence\",\n \"questions\",\n 
\"graph\",\n \"worktrees\",\n \"topics\",\n \"edges\",\n \"contradictions\",\n \"contracts\",\n \"graphAnalysis\",\n \"graphRecommendations\",\n \"orgGraphSearch\",\n \"embeddings\",\n \"ontologyLinks\",\n \"graphStateClassifier\",\n \"tools\",\n \"identity\",\n \"modelRuntime\",\n \"events\",\n \"jobs\",\n \"telemetry\",\n] as const;\nexport type TenantClientRequiredSdkNamespace =\n (typeof TENANT_CLIENT_REQUIRED_SDK_NAMESPACES)[number];\n\nexport const TENANT_CLIENT_CAPABILITIES = [\n {\n id: \"identity.bootstrap_session\",\n description: \"Start a scoped Lucern session for a tenant principal.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.context.compile\",\n description: \"Compile tenant and workspace scoped reasoning context.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/react\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.graph.read\",\n description: \"Read beliefs, evidence, questions, topics, and lineage.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/react\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.graph.write\",\n description: \"Create and update graph objects through authorized APIs.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"workflow.worktree_lifecycle\",\n description: \"Create, review, merge, and close scoped worktrees.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/react\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n] as const;\nexport type TenantClientCapability =\n (typeof TENANT_CLIENT_CAPABILITIES)[number];\nexport type TenantClientCapabilityId = TenantClientCapability[\"id\"];\n\nexport const TENANT_CLIENT_ISOLATION_RULES = [\n {\n id: \"tenant_workspace_scope_required\",\n description:\n \"Runtime 
operations must resolve both tenantId and workspaceId before reaching Lucern reasoning state.\",\n },\n {\n id: \"principal_audit_required\",\n description:\n \"Runtime operations must carry principalId, authMode, and scopes for audit attribution.\",\n },\n {\n id: \"no_private_lucern_imports\",\n description:\n \"Tenant code must not import Lucern source, Convex internals, generated adapters, or unpublished package internals.\",\n },\n] as const;\nexport type TenantClientIsolationRule =\n (typeof TENANT_CLIENT_ISOLATION_RULES)[number];\n\nexport const TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS = [\n {\n id: \"deep_src_import\",\n pattern: \"^@lucern/[^/]+/src(?:/|$)\",\n description: \"Published packages must not be bypassed through src paths.\",\n },\n {\n id: \"deep_dist_import\",\n pattern: \"^@lucern/[^/]+/dist(?:/|$)\",\n description:\n \"Published package exports must be used instead of dist file paths.\",\n },\n {\n id: \"generated_adapter_import\",\n pattern: \"^@lucern/[^/]+/(?:adapters/)?_generated(?:/|$)\",\n description:\n \"Generated Lucern adapters are internal deployment artifacts.\",\n },\n {\n id: \"private_runtime_import\",\n pattern: \"^@lucern/[^/]+/(?:internal|private)(?:/|$)\",\n description: \"Internal and private package subpaths are not public SDK API.\",\n },\n {\n id: \"workspace_source_import\",\n pattern: \"^(?:packages|modules|services|lucern|apps)/(?:.+/)?src(?:/|$)\",\n description:\n \"Tenant clients must not import source files from the Lucern monorepo.\",\n },\n {\n id: \"root_alias_lucern_import\",\n pattern: \"^@/(?:lucern|packages|modules|services|apps)(?:/|$)\",\n description:\n \"Tenant clients must not depend on Lucern repo-local path aliases.\",\n },\n {\n id: \"relative_lucern_source_import\",\n pattern: \"^\\\\.\\\\.?/(?:.+/)?(?:packages|modules|services|lucern|apps)(?:/|$)\",\n description:\n \"Tenant clients must not reach back into Lucern source through relative paths.\",\n },\n {\n id: \"monorepo_path_import\",\n 
pattern: \"lucern-repo\",\n description:\n \"Absolute imports that name the Lucern repository are not portable tenant code.\",\n },\n] as const;\nexport type TenantClientForbiddenImportPattern =\n (typeof TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS)[number];\nexport type TenantClientForbiddenImportPatternId =\n TenantClientForbiddenImportPattern[\"id\"];\n\nexport type TenantClientImportDecision =\n | \"public\"\n | \"forbidden\"\n | \"local\"\n | \"external\";\n\nexport type TenantClientImportClassification = {\n importPath: string;\n decision: TenantClientImportDecision;\n publicImport?: TenantClientAllowedImport;\n pattern?: TenantClientForbiddenImportPattern;\n reason: string;\n};\n\nfunction matchesPublicImport(\n importPath: string\n): TenantClientAllowedImport | undefined {\n const componentConfig = TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS.find(\n (entry) => importPath === entry.importPath\n );\n if (componentConfig) {\n return componentConfig;\n }\n\n return TENANT_CLIENT_PUBLIC_IMPORTS.find(\n (entry) =>\n importPath === entry.packageName ||\n importPath.startsWith(`${entry.packageName}/`)\n );\n}\n\nfunction matchesForbiddenPattern(\n importPath: string\n): TenantClientForbiddenImportPattern | undefined {\n return TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS.find((entry) =>\n new RegExp(entry.pattern, \"u\").test(importPath)\n );\n}\n\nexport function classifyTenantClientImport(\n importPath: string\n): TenantClientImportClassification {\n const normalizedImportPath = importPath.trim();\n const pattern = matchesForbiddenPattern(normalizedImportPath);\n\n if (pattern) {\n return {\n importPath: normalizedImportPath,\n decision: \"forbidden\",\n pattern,\n reason: pattern.description,\n };\n }\n\n const publicImport = matchesPublicImport(normalizedImportPath);\n if (publicImport) {\n return {\n importPath: normalizedImportPath,\n decision: \"public\",\n publicImport,\n reason: publicImport.description,\n };\n }\n\n if (normalizedImportPath.startsWith(\"@lucern/\")) 
{\n return {\n importPath: normalizedImportPath,\n decision: \"forbidden\",\n reason:\n \"This @lucern package is not part of the tenant client public surface.\",\n };\n }\n\n if (\n normalizedImportPath.startsWith(\"./\") ||\n normalizedImportPath.startsWith(\"../\")\n ) {\n return {\n importPath: normalizedImportPath,\n decision: \"local\",\n reason: \"Local tenant-owned import.\",\n };\n }\n\n return {\n importPath: normalizedImportPath,\n decision: \"external\",\n reason: \"External dependency outside the Lucern package namespace.\",\n };\n}\n\nexport function isTenantClientPublicImport(importPath: string): boolean {\n return classifyTenantClientImport(importPath).decision === \"public\";\n}\n\nexport function isTenantClientComponentConfigImport(\n importPath: string\n): boolean {\n return TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS.some(\n (entry) => importPath === entry.importPath\n );\n}\n\nexport function isTenantClientAllowedImport(importPath: string): boolean {\n return classifyTenantClientImport(importPath).decision === \"public\";\n}\n\nexport function assertTenantClientImportAllowed(importPath: string): void {\n const classification = classifyTenantClientImport(importPath);\n if (classification.decision !== \"forbidden\") {\n return;\n }\n\n throw new Error(formatTenantClientImportViolation(classification));\n}\n\nexport function formatTenantClientImportViolation(\n classification: TenantClientImportClassification\n): string {\n const patternId = classification.pattern\n ? ` [${classification.pattern.id}]`\n : \"\";\n return `Tenant client import is not allowed${patternId}: ${classification.importPath}. ${classification.reason}`;\n}\n","/**\n * Infisical runtime contract\n *\n * Defines how Lucern runtime surfaces receive platform configuration and\n * secrets. Vercel-owned apps consume Infisical through secret syncs. 
Server,\n * CLI, MCP, and SDK operator contexts may hydrate runtime config directly from\n * Infisical when they have a scoped machine identity. Tenant user auth still\n * flows through Lucern device login; tenant tools never receive platform Clerk\n * secrets.\n */\n\nimport { TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH } from \"./tenant-client.contract\";\n\nexport const INFISICAL_RUNTIME_CONTRACT_VERSION = \"2026-04-28\" as const;\n\nexport const INFISICAL_RUNTIME_DEFAULT_API_URL =\n \"https://app.infisical.com\" as const;\nexport const INFISICAL_RUNTIME_DEFAULT_PROJECT_ID =\n \"344b0526-90df-4606-ba50-22c647a36c65\" as const;\n\nexport const INFISICAL_RUNTIME_ENVIRONMENTS = [\n \"dev\",\n \"staging\",\n \"prod\",\n] as const;\nexport type InfisicalRuntimeEnvironment =\n (typeof INFISICAL_RUNTIME_ENVIRONMENTS)[number];\n\nexport const INFISICAL_RUNTIME_DELIVERY_MODES = [\n \"vercel_sync\",\n \"runtime_fetch\",\n \"device_auth\",\n] as const;\nexport type InfisicalRuntimeDeliveryMode =\n (typeof INFISICAL_RUNTIME_DELIVERY_MODES)[number];\n\nexport const INFISICAL_RUNTIME_SURFACE_IDS = [\n \"lucern-web\",\n \"lucern-gateway\",\n \"lucern-sdk\",\n \"lucern-cli\",\n \"lucern-mcp\",\n \"tenant-client\",\n] as const;\nexport type InfisicalRuntimeSurfaceId =\n (typeof INFISICAL_RUNTIME_SURFACE_IDS)[number];\n\nexport const INFISICAL_RUNTIME_BOOTSTRAP_ENV = {\n apiUrl: [\"INFISICAL_API_URL\", \"INFISICAL_URL\"],\n projectId: [\"INFISICAL_PROJECT_ID\", \"INFISICAL_WORKSPACE_ID\"],\n clientId: [\n \"INFISICAL_CLIENT_ID\",\n \"INFISICAL_MACHINE_CLIENT_ID\",\n \"INFISICAL_UNIVERSAL_AUTH_CLIENT_ID\",\n ],\n clientSecret: [\n \"INFISICAL_CLIENT_SECRET\",\n \"INFISICAL_MACHINE_CLIENT_SECRET\",\n \"INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET\",\n ],\n environment: [\"INFISICAL_ENV\", \"LUCERN_INFISICAL_ENV\"],\n organizationSlug: [\"INFISICAL_ORG_SLUG\", \"INFISICAL_ORGANIZATION_SLUG\"],\n disabled: [\"LUCERN_INFISICAL_DISABLE\", \"INFISICAL_DISABLE\"],\n} as const;\nexport type 
InfisicalRuntimeBootstrapEnv =\n typeof INFISICAL_RUNTIME_BOOTSTRAP_ENV;\n\nexport type InfisicalRuntimeVariable = {\n readonly name: string;\n readonly required: boolean;\n readonly secret: boolean;\n readonly public: boolean;\n readonly aliases?: readonly string[];\n readonly description: string;\n};\n\nexport type InfisicalRuntimePathDefinition = {\n readonly id: string;\n readonly secretPath: string;\n readonly description: string;\n readonly variables: readonly InfisicalRuntimeVariable[];\n};\n\nexport const INFISICAL_RUNTIME_PATHS = [\n {\n id: \"platform-auth\",\n secretPath: \"/platform/auth\",\n description:\n \"Lucern platform authentication secrets. Synced into Vercel web/gateway projects; never distributed to tenant tools.\",\n variables: [\n {\n name: \"NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY\",\n required: true,\n secret: false,\n public: true,\n description: \"Clerk publishable key for the Lucern web origin.\",\n },\n {\n name: \"CLERK_SECRET_KEY\",\n required: true,\n secret: true,\n public: false,\n description: \"Clerk backend secret key for Lucern server runtimes.\",\n },\n {\n name: \"CLERK_JWT_ISSUER_DOMAIN\",\n required: false,\n secret: false,\n public: false,\n description: \"Expected Clerk issuer/JWKS domain for JWT verification.\",\n },\n {\n name: \"NEXT_PUBLIC_CLERK_SIGN_IN_URL\",\n required: false,\n secret: false,\n public: true,\n description: \"Public sign-in URL for Lucern-owned web flows.\",\n },\n {\n name: \"NEXT_PUBLIC_CLERK_SIGN_UP_URL\",\n required: false,\n secret: false,\n public: true,\n description: \"Public sign-up URL for Lucern-owned web flows.\",\n },\n ],\n },\n {\n id: \"platform-runtime\",\n secretPath: \"/platform/runtime\",\n description:\n \"Runtime defaults shared by server-side Lucern clients and operator tooling.\",\n variables: [\n {\n name: \"LUCERN_API_URL\",\n required: true,\n secret: false,\n public: false,\n aliases: [\"LUCERN_API_BASE_URL\", \"LUCERN_BASE_URL\"],\n description: \"Canonical Lucern API gateway 
URL.\",\n },\n {\n name: \"LUCERN_LOGIN_BASE_URL\",\n required: false,\n secret: false,\n public: false,\n aliases: [\"LUCERN_AUTH_BASE_URL\"],\n description: \"Browser login origin used when it differs from the API.\",\n },\n {\n name: \"LUCERN_ENVIRONMENT\",\n required: false,\n secret: false,\n public: false,\n aliases: [\"LUCERN_ENV\"],\n description: \"Lucern environment label consumed by CLI profiles.\",\n },\n ],\n },\n {\n id: \"tenant-shared-install\",\n secretPath: TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH,\n description:\n \"Tenant package-install secrets. This is install-only and distinct from platform publish credentials.\",\n variables: [\n {\n name: \"INSTALL_LUCERN_NPM\",\n required: true,\n secret: true,\n public: false,\n description: \"Read-only install token for the published @lucern/* suite.\",\n },\n ],\n },\n] as const satisfies readonly InfisicalRuntimePathDefinition[];\nexport type InfisicalRuntimePath = (typeof INFISICAL_RUNTIME_PATHS)[number];\nexport type InfisicalRuntimePathId = InfisicalRuntimePath[\"id\"];\n\nexport type InfisicalRuntimeSurfaceDefinition = {\n readonly id: InfisicalRuntimeSurfaceId;\n readonly packageName?: string;\n readonly delivery: InfisicalRuntimeDeliveryMode;\n readonly fallback?: InfisicalRuntimeDeliveryMode;\n readonly sourcePathIds: readonly InfisicalRuntimePathId[];\n readonly consumer: string;\n readonly description: string;\n};\n\nexport const INFISICAL_RUNTIME_SURFACES = [\n {\n id: \"lucern-web\",\n delivery: \"vercel_sync\",\n sourcePathIds: [\"platform-auth\", \"platform-runtime\"],\n consumer: \"apps/web on Vercel project lucern\",\n description:\n \"Lucern web consumes Clerk and runtime config via Infisical-to-Vercel syncs.\",\n },\n {\n id: \"lucern-gateway\",\n delivery: \"vercel_sync\",\n sourcePathIds: [\"platform-auth\", \"platform-runtime\"],\n consumer: \"apps/gateway on Vercel project lucern-gateway\",\n description:\n \"Lucern gateway consumes platform config via Infisical-to-Vercel 
syncs.\",\n },\n {\n id: \"lucern-sdk\",\n packageName: \"@lucern/sdk\",\n delivery: \"runtime_fetch\",\n sourcePathIds: [\"platform-runtime\"],\n consumer: \"server-side SDK operator contexts with a scoped Infisical identity\",\n description:\n \"SDK exposes the runtime Infisical resolver used by clients that have machine identity credentials.\",\n },\n {\n id: \"lucern-cli\",\n packageName: \"@lucern/cli\",\n delivery: \"runtime_fetch\",\n fallback: \"device_auth\",\n sourcePathIds: [\"platform-runtime\"],\n consumer: \"developer/operator CLI processes\",\n description:\n \"CLI hydrates runtime defaults from Infisical when configured, then authenticates users through Lucern device login.\",\n },\n {\n id: \"lucern-mcp\",\n packageName: \"@lucern/mcp\",\n delivery: \"runtime_fetch\",\n fallback: \"device_auth\",\n sourcePathIds: [\"platform-runtime\"],\n consumer: \"MCP server/client processes\",\n description:\n \"MCP hydrates runtime defaults through the SDK resolver and remains a Lucern client, not a platform secret owner.\",\n },\n {\n id: \"tenant-client\",\n delivery: \"device_auth\",\n sourcePathIds: [\"tenant-shared-install\"],\n consumer: \"tenant-owned apps and coding agents\",\n description:\n \"Tenant clients install the published packages and receive user/service credentials through Lucern auth surfaces.\",\n },\n] as const satisfies readonly InfisicalRuntimeSurfaceDefinition[];\nexport type InfisicalRuntimeSurface =\n (typeof INFISICAL_RUNTIME_SURFACES)[number];\n\nexport function findInfisicalRuntimePath(\n pathId: InfisicalRuntimePathId\n): InfisicalRuntimePath | undefined {\n return INFISICAL_RUNTIME_PATHS.find((path) => path.id === pathId);\n}\n\nexport function findInfisicalRuntimeSurface(\n surfaceId: InfisicalRuntimeSurfaceId\n): InfisicalRuntimeSurface | undefined {\n return INFISICAL_RUNTIME_SURFACES.find(\n (surface) => surface.id === surfaceId\n );\n}\n"]}
1
+ {"version":3,"sources":["../src/tenant-client.contract.ts","../src/infisical-runtime.contract.ts"],"names":[],"mappings":";AAoDO,IAAM,0CAAA,GACX,gBAAA;AAUK,IAAM,kCAAA,GAAqC;AAAA,EAChD;AAAA,IACE,WAAA,EAAa,wBAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,eAAA;AAAA,IACb,IAAA,EAAM,kBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,cAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,aAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,qBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,oBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,gBAAA;AAAA,IACb,IAAA,EAAM,eAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,mBAAA;AAAA,IACb,IAAA,EAAM,qBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,uBAAA;AAAA,IACb,IAAA,EAAM,kBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,uBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,gBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,0BAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,kBAAA;AAAA,IACb,IAAA,EAAM,mBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,aAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,mBAAA;AAAA,IACb,IAAA,EAAM,kBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,wBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,wBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,eAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,0BAAA;AAAA,IACb,IAAA,EAAM,mBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,
EAAa,aAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,qBAAA;AAAA,IACb,IAAA,EAAM,kBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,iBAAA;AAAA,IACb,IAAA,EAAM,cAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,eAAA;AAAA,IACb,IAAA,EAAM,qBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA;AAExB,CAAA;AAyBE,kCAAA,CAAmC,GAAA;AAAA,EACjC,CAAC,UAAU,KAAA,CAAM;AACnB;;;ACjMK,IAAM,kCAAA,GAAqC;AAE3C,IAAM,iCAAA,GACX;AACK,IAAM,oCAAA,GACX;AAEK,IAAM,8BAAA,GAAiC;AAAA,EAC5C,KAAA;AAAA,EACA,SAAA;AAAA,EACA;AACF;AAIO,IAAM,gCAAA,GAAmC;AAAA,EAC9C,aAAA;AAAA,EACA,eAAA;AAAA,EACA;AACF;AAIO,IAAM,6BAAA,GAAgC;AAAA,EAC3C,YAAA;AAAA,EACA,gBAAA;AAAA,EACA,YAAA;AAAA,EACA,YAAA;AAAA,EACA,YAAA;AAAA,EACA;AACF;AAIO,IAAM,+BAAA,GAAkC;AAAA,EAC7C,MAAA,EAAQ,CAAC,mBAAA,EAAqB,eAAe,CAAA;AAAA,EAC7C,SAAA,EAAW,CAAC,sBAAA,EAAwB,wBAAwB,CAAA;AAAA,EAC5D,QAAA,EAAU;AAAA,IACR,qBAAA;AAAA,IACA,6BAAA;AAAA,IACA;AAAA,GACF;AAAA,EACA,YAAA,EAAc;AAAA,IACZ,yBAAA;AAAA,IACA,iCAAA;AAAA,IACA;AAAA,GACF;AAAA,EACA,WAAA,EAAa,CAAC,eAAA,EAAiB,sBAAsB,CAAA;AAAA,EACrD,gBAAA,EAAkB,CAAC,oBAAA,EAAsB,6BAA6B,CAAA;AAAA,EACtE,QAAA,EAAU,CAAC,0BAAA,EAA4B,mBAAmB;AAC5D;AAoBO,IAAM,uBAAA,GAA0B;AAAA,EACrC;AAAA,IACE,EAAA,EAAI,eAAA;AAAA,IACJ,UAAA,EAAY,gBAAA;AAAA,IACZ,WAAA,EACE,qHAAA;AAAA,IACF,SAAA,EAAW;AAAA,MACT;AAAA,QACE,IAAA,EAAM,mCAAA;AAAA,QACN,QAAA,EAAU,IAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,IAAA;AAAA,QACR,WAAA,EAAa;AAAA,OACf;AAAA,MACA;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,QAAA,EAAU,IAAA;AAAA,QACV,MAAA,EAAQ,IAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,WAAA,EAAa;AAAA,OACf;AAAA,MACA;AAAA,QACE,IAAA,EAAM,yBAAA;AAAA,QACN,QAAA,EAAU,KAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,WAAA,EAAa;AAAA,OACf;AAAA,MACA;AAAA,QACE,IAAA,EAAM,+BAAA;AAAA,QACN,QAAA,EAAU,KAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,IAAA;AAAA,QACR,WAAA,EAAa;AAAA,OACf;AAAA,MACA;AAAA,QACE,IAAA,EAAM,+BAAA;AAAA,QACN,QAAA,EAAU,KAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,IAAA;AAAA,QACR,WAAA,EAAa;AAAA;AACf;AACF,GACF;AAA
A,EACA;AAAA,IACE,EAAA,EAAI,kBAAA;AAAA,IACJ,UAAA,EAAY,mBAAA;AAAA,IACZ,WAAA,EACE,6EAAA;AAAA,IACF,SAAA,EAAW;AAAA,MACT;AAAA,QACE,IAAA,EAAM,gBAAA;AAAA,QACN,QAAA,EAAU,IAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,OAAA,EAAS,CAAC,qBAAA,EAAuB,iBAAiB,CAAA;AAAA,QAClD,WAAA,EAAa;AAAA,OACf;AAAA,MACA;AAAA,QACE,IAAA,EAAM,uBAAA;AAAA,QACN,QAAA,EAAU,KAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,OAAA,EAAS,CAAC,sBAAsB,CAAA;AAAA,QAChC,WAAA,EAAa;AAAA,OACf;AAAA,MACA;AAAA,QACE,IAAA,EAAM,oBAAA;AAAA,QACN,QAAA,EAAU,KAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,OAAA,EAAS,CAAC,YAAY,CAAA;AAAA,QACtB,WAAA,EAAa;AAAA;AACf;AACF,GACF;AAAA,EACA;AAAA,IACE,EAAA,EAAI,uBAAA;AAAA,IACJ,UAAA,EAAY,0CAAA;AAAA,IACZ,WAAA,EACE,sGAAA;AAAA,IACF,SAAA,EAAW;AAAA,MACT;AAAA,QACE,IAAA,EAAM,oBAAA;AAAA,QACN,QAAA,EAAU,IAAA;AAAA,QACV,MAAA,EAAQ,IAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,WAAA,EAAa;AAAA;AACf;AACF;AAEJ;AAcO,IAAM,0BAAA,GAA6B;AAAA,EACxC;AAAA,IACE,EAAA,EAAI,YAAA;AAAA,IACJ,QAAA,EAAU,aAAA;AAAA,IACV,aAAA,EAAe,CAAC,eAAA,EAAiB,kBAAkB,CAAA;AAAA,IACnD,QAAA,EAAU,mCAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,gBAAA;AAAA,IACJ,QAAA,EAAU,aAAA;AAAA,IACV,aAAA,EAAe,CAAC,eAAA,EAAiB,kBAAkB,CAAA;AAAA,IACnD,QAAA,EAAU,+CAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,YAAA;AAAA,IACJ,WAAA,EAAa,aAAA;AAAA,IACb,QAAA,EAAU,eAAA;AAAA,IACV,aAAA,EAAe,CAAC,kBAAkB,CAAA;AAAA,IAClC,QAAA,EAAU,oEAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,YAAA;AAAA,IACJ,WAAA,EAAa,aAAA;AAAA,IACb,QAAA,EAAU,eAAA;AAAA,IACV,QAAA,EAAU,aAAA;AAAA,IACV,aAAA,EAAe,CAAC,kBAAkB,CAAA;AAAA,IAClC,QAAA,EAAU,kCAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,YAAA;AAAA,IACJ,WAAA,EAAa,aAAA;AAAA,IACb,QAAA,EAAU,eAAA;AAAA,IACV,QAAA,EAAU,aAAA;AAAA,IACV,aAAA,EAAe,CAAC,kBAAkB,CAAA;AAAA,IAClC,QAAA,EAAU,6BAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,eAAA;AAAA,IACJ,QAAA,EAAU,aAAA;AAAA,IACV,aAAA,EAAe,CAAC,uBAAuB,CAAA;AAAA,IACvC,QAAA,EAAU,qCAAA;AAAA,IACV,WAAA
,EACE;AAAA;AAEN;AAIO,SAAS,yBACd,MAAA,EACkC;AAClC,EAAA,OAAO,wBAAwB,IAAA,CAAK,CAAC,IAAA,KAAS,IAAA,CAAK,OAAO,MAAM,CAAA;AAClE;AAEO,SAAS,4BACd,SAAA,EACqC;AACrC,EAAA,OAAO,0BAAA,CAA2B,IAAA;AAAA,IAChC,CAAC,OAAA,KAAY,OAAA,CAAQ,EAAA,KAAO;AAAA,GAC9B;AACF","file":"infisical-runtime.contract.js","sourcesContent":["/**\n * Tenant client contract\n *\n * Defines the generic boundary for any customer-owned product that consumes\n * Lucern through the SDK, hosted API, or MCP server. Tenant clients may run\n * their own UI, auth provider, deployment, and data plane, but reasoning\n * operations must enter through the published packages below.\n */\n\nimport type {\n SessionAuthMode,\n SessionPrincipalType,\n} from \"./auth.contract\";\n\nexport const TENANT_CLIENT_CONTRACT_VERSION = \"2026-04-27\" as const;\n\nexport const TENANT_CLIENT_AUTH_MODES = [\n \"interactive_user\",\n \"service_principal\",\n \"tenant_api_key\",\n \"session_token\",\n] as const satisfies readonly SessionAuthMode[];\nexport type TenantClientAuthMode = (typeof TENANT_CLIENT_AUTH_MODES)[number];\n\nexport const TENANT_CLIENT_PRINCIPAL_TYPES = [\n \"human\",\n \"service\",\n \"agent\",\n] as const satisfies readonly SessionPrincipalType[];\nexport type TenantClientPrincipalType =\n (typeof TENANT_CLIENT_PRINCIPAL_TYPES)[number];\n\nexport const TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS = [\n \"tenantId\",\n \"workspaceId\",\n \"principalId\",\n \"authMode\",\n \"scopes\",\n] as const;\nexport type TenantClientRequiredContextField =\n (typeof TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS)[number];\n\nexport const TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS = [\n \"principalType\",\n \"roles\",\n \"sessionId\",\n \"delegationChain\",\n] as const;\nexport type TenantClientOptionalContextField =\n (typeof TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS)[number];\n\nexport const TENANT_CLIENT_INSTALL_TOKEN_ENV = \"INSTALL_LUCERN_NPM\" as const;\nexport const TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH =\n \"tenants/shared\" as const;\nexport 
const TENANT_CLIENT_FORBIDDEN_INSTALL_TOKEN_INFISICAL_PATHS = [\n \"/platform/publish\",\n] as const;\nexport const TENANT_CLIENT_FORBIDDEN_SECRET_ENV = [\"NPM_TOKEN\"] as const;\nexport type TenantClientForbiddenInstallTokenInfisicalPath =\n (typeof TENANT_CLIENT_FORBIDDEN_INSTALL_TOKEN_INFISICAL_PATHS)[number];\nexport type TenantClientForbiddenSecretEnv =\n (typeof TENANT_CLIENT_FORBIDDEN_SECRET_ENV)[number];\n\nexport const TENANT_CLIENT_INSTALLABLE_PACKAGES = [\n {\n packageName: \"@lucern/access-control\",\n role: \"runtime_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/agent\",\n role: \"platform_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/auth\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/cli\",\n role: \"developer_tool\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/client-core\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/confidence\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/config\",\n role: \"configuration\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/contracts\",\n role: \"contract_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/control-plane\",\n role: \"platform_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/developer-kit\",\n role: \"developer_tool\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/events\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/graph-primitives\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/identity\",\n role: \"component_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/mcp\",\n role: \"runtime_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/pack-host\",\n role: 
\"platform_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/pack-installer\",\n role: \"developer_tool\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/proof-compiler\",\n role: \"developer_tool\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/react\",\n role: \"runtime_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/reasoning-kernel\",\n role: \"component_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/sdk\",\n role: \"runtime_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/server-core\",\n role: \"platform_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/testing\",\n role: \"test_support\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/types\",\n role: \"contract_entrypoint\",\n directTenantImport: true,\n },\n] as const;\nexport type TenantClientInstallablePackage =\n (typeof TENANT_CLIENT_INSTALLABLE_PACKAGES)[number];\nexport type TenantClientPackageRole = TenantClientInstallablePackage[\"role\"];\nexport type TenantClientInstallablePackageName =\n TenantClientInstallablePackage[\"packageName\"];\n\n/**\n * Direct package installs are package.json entries owned by the tenant repo.\n * Direct imports are source-code imports that tenant application code may use.\n *\n * These concepts intentionally differ: `@lucern/cli` is a direct install when a\n * tenant repo needs the `lucern` binary, but it is not a direct application\n * import. 
`@lucern/reasoning-kernel` and `@lucern/identity` are direct installs\n * for Convex component binding, while tenant app code should only import their\n * explicit component config subpaths.\n */\nexport type TenantClientInstallProfile = {\n id: string;\n description: string;\n packageNames: readonly TenantClientInstallablePackageName[];\n dependencyField: \"dependencies\" | \"devDependencies\" | \"mixed\";\n};\n\nexport const TENANT_CLIENT_FULL_SUITE_PACKAGE_NAMES =\n TENANT_CLIENT_INSTALLABLE_PACKAGES.map(\n (entry) => entry.packageName\n ) as readonly TenantClientInstallablePackageName[];\n\nexport const TENANT_CLIENT_INSTALL_PROFILES = [\n {\n id: \"core_app_runtime\",\n description:\n \"Smallest tenant app/runtime install for typed Lucern API calls plus tool-access policy helpers.\",\n packageNames: [\"@lucern/sdk\", \"@lucern/access-control\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"react_app_runtime\",\n description:\n \"React tenant app install for hooks, provider, curated graph components, and direct SDK calls.\",\n packageNames: [\"@lucern/react\", \"@lucern/sdk\", \"@lucern/access-control\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"convex_components\",\n description:\n \"Tenant Convex host install for binding the Lucern identity and reasoning-kernel components.\",\n packageNames: [\"@lucern/identity\", \"@lucern/reasoning-kernel\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"operator_cli\",\n description:\n \"Developer/operator install for the `lucern` binary, including tenant bootstrap seed commands.\",\n packageNames: [\"@lucern/cli\"],\n dependencyField: \"devDependencies\",\n },\n {\n id: \"mcp_runtime\",\n description:\n \"Agent runtime install for the standalone Lucern MCP server and hosted route helpers.\",\n packageNames: [\"@lucern/mcp\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"contracts_and_types\",\n description:\n \"Compile-time contract/type install for codegen, audits, and tenant 
integration validation.\",\n packageNames: [\"@lucern/contracts\", \"@lucern/types\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"full_suite\",\n description:\n \"Full coherent Lucern package suite for design-partner repos that want every published runtime, tool, component, test, and config package pinned together.\",\n packageNames: TENANT_CLIENT_FULL_SUITE_PACKAGE_NAMES,\n dependencyField: \"mixed\",\n },\n] as const satisfies readonly TenantClientInstallProfile[];\nexport type TenantClientInstallProfileId =\n (typeof TENANT_CLIENT_INSTALL_PROFILES)[number][\"id\"];\n\n/**\n * Direct imports tenant-owned product code may use. This is intentionally\n * smaller than TENANT_CLIENT_INSTALLABLE_PACKAGES: several publishable packages\n * are installed as SDK dependencies, tooling, or platform runtimes but should\n * not become the application integration surface.\n */\nexport const TENANT_CLIENT_PUBLIC_IMPORTS = [\n {\n packageName: \"@lucern/sdk\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description: \"TypeScript SDK runtime and generated operation namespaces.\",\n },\n {\n packageName: \"@lucern/react\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description: \"React bindings for tenant-owned UI applications.\",\n },\n {\n packageName: \"@lucern/mcp\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description: \"MCP client/server entry points and hosted route helpers.\",\n },\n {\n packageName: \"@lucern/contracts\",\n surface: \"contract\",\n subpaths: \"published_exports\",\n description: \"Published type and manifest contracts.\",\n },\n {\n packageName: \"@lucern/access-control\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description:\n \"Tenant runtime access-control helpers, including effective tool access.\",\n },\n {\n packageName: \"@lucern/types\",\n surface: \"contract\",\n subpaths: \"published_exports\",\n description: \"Published type-only helpers for tenant integration 
code.\",\n },\n] as const;\nexport type TenantClientPublicImport =\n (typeof TENANT_CLIENT_PUBLIC_IMPORTS)[number];\nexport type TenantClientPublicPackage =\n TenantClientPublicImport[\"packageName\"];\nexport type TenantClientPublicSurface = TenantClientPublicImport[\"surface\"];\n\nexport const TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS = [\n {\n packageName: \"@lucern/identity\",\n importPath: \"@lucern/identity/convex.config\",\n surface: \"component_config\",\n description:\n \"Convex component binding config for tenant deployments that install Lucern identity.\",\n },\n {\n packageName: \"@lucern/reasoning-kernel\",\n importPath: \"@lucern/reasoning-kernel/convex.config\",\n surface: \"component_config\",\n description:\n \"Convex component binding config for tenant deployments that install the Lucern reasoning kernel.\",\n },\n {\n packageName: \"@lucern/reasoning-kernel\",\n importPath: \"@lucern/reasoning-kernel/runtime.config\",\n surface: \"component_config\",\n description:\n \"Runtime config alias for tenant deployments that install the Lucern reasoning kernel.\",\n },\n] as const;\nexport type TenantClientComponentConfigImport =\n (typeof TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS)[number];\nexport type TenantClientAllowedImport =\n | TenantClientPublicImport\n | TenantClientComponentConfigImport;\n\nexport function findTenantClientInstallablePackage(\n packageName: string\n): TenantClientInstallablePackage | undefined {\n return TENANT_CLIENT_INSTALLABLE_PACKAGES.find(\n (entry) => entry.packageName === packageName\n );\n}\n\nexport function isTenantClientInstallablePackage(packageName: string): boolean {\n return Boolean(findTenantClientInstallablePackage(packageName));\n}\n\nexport const TENANT_CLIENT_REQUIRED_SDK_NAMESPACES = [\n \"bootstrap\",\n \"context\",\n \"beliefs\",\n \"evidence\",\n \"questions\",\n \"graph\",\n \"worktrees\",\n \"topics\",\n \"edges\",\n \"contradictions\",\n \"contracts\",\n \"graphIntel\",\n \"graphIntelligence\",\n 
\"graphAnalysis\",\n \"graphRecommendations\",\n \"orgGraphSearch\",\n \"embeddings\",\n \"ontologyLinks\",\n \"graphStateClassifier\",\n \"tools\",\n \"identity\",\n \"modelRuntime\",\n \"events\",\n \"jobs\",\n \"telemetry\",\n] as const;\nexport type TenantClientRequiredSdkNamespace =\n (typeof TENANT_CLIENT_REQUIRED_SDK_NAMESPACES)[number];\n\nexport const TENANT_CLIENT_CAPABILITIES = [\n {\n id: \"identity.bootstrap_session\",\n description: \"Start a scoped Lucern session for a tenant principal.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.context.compile\",\n description: \"Compile tenant and workspace scoped reasoning context.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/react\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.graph.read\",\n description: \"Read beliefs, evidence, questions, topics, graph edges, and lineage.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/react\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.graph.write\",\n description: \"Create and update graph objects through authorized APIs.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.graph_intelligence.run\",\n description:\n \"Discover and run Graph Intelligence query recipes for structural graph analysis.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/cli\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"workflow.worktree_lifecycle\",\n description: \"Create, review, merge, and close scoped worktrees.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/react\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n] as const;\nexport type TenantClientCapability =\n (typeof 
TENANT_CLIENT_CAPABILITIES)[number];\nexport type TenantClientCapabilityId = TenantClientCapability[\"id\"];\n\nexport const TENANT_CLIENT_ISOLATION_RULES = [\n {\n id: \"tenant_workspace_scope_required\",\n description:\n \"Runtime operations must resolve both tenantId and workspaceId before reaching Lucern reasoning state.\",\n },\n {\n id: \"principal_audit_required\",\n description:\n \"Runtime operations must carry principalId, authMode, and scopes for audit attribution.\",\n },\n {\n id: \"no_private_lucern_imports\",\n description:\n \"Tenant code must not import Lucern source, Convex internals, generated adapters, or unpublished package internals.\",\n },\n] as const;\nexport type TenantClientIsolationRule =\n (typeof TENANT_CLIENT_ISOLATION_RULES)[number];\n\nexport const TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS = [\n {\n id: \"deep_src_import\",\n pattern: \"^@lucern/[^/]+/src(?:/|$)\",\n description: \"Published packages must not be bypassed through src paths.\",\n },\n {\n id: \"deep_dist_import\",\n pattern: \"^@lucern/[^/]+/dist(?:/|$)\",\n description:\n \"Published package exports must be used instead of dist file paths.\",\n },\n {\n id: \"generated_adapter_import\",\n pattern: \"^@lucern/[^/]+/(?:adapters/)?_generated(?:/|$)\",\n description:\n \"Generated Lucern adapters are internal deployment artifacts.\",\n },\n {\n id: \"private_runtime_import\",\n pattern: \"^@lucern/[^/]+/(?:internal|private)(?:/|$)\",\n description: \"Internal and private package subpaths are not public SDK API.\",\n },\n {\n id: \"workspace_source_import\",\n pattern: \"^(?:packages|modules|services|lucern|apps)/(?:.+/)?src(?:/|$)\",\n description:\n \"Tenant clients must not import source files from the Lucern monorepo.\",\n },\n {\n id: \"root_alias_lucern_import\",\n pattern: \"^@/(?:lucern|packages|modules|services|apps)(?:/|$)\",\n description:\n \"Tenant clients must not depend on Lucern repo-local path aliases.\",\n },\n {\n id: \"relative_lucern_source_import\",\n 
pattern: \"^\\\\.\\\\.?/(?:.+/)?(?:packages|modules|services|lucern|apps)(?:/|$)\",\n description:\n \"Tenant clients must not reach back into Lucern source through relative paths.\",\n },\n {\n id: \"monorepo_path_import\",\n pattern: \"lucern-repo\",\n description:\n \"Absolute imports that name the Lucern repository are not portable tenant code.\",\n },\n] as const;\nexport type TenantClientForbiddenImportPattern =\n (typeof TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS)[number];\nexport type TenantClientForbiddenImportPatternId =\n TenantClientForbiddenImportPattern[\"id\"];\n\nexport type TenantClientImportDecision =\n | \"public\"\n | \"forbidden\"\n | \"local\"\n | \"external\";\n\nexport type TenantClientImportClassification = {\n importPath: string;\n decision: TenantClientImportDecision;\n publicImport?: TenantClientAllowedImport;\n pattern?: TenantClientForbiddenImportPattern;\n reason: string;\n};\n\nfunction matchesPublicImport(\n importPath: string\n): TenantClientAllowedImport | undefined {\n const componentConfig = TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS.find(\n (entry) => importPath === entry.importPath\n );\n if (componentConfig) {\n return componentConfig;\n }\n\n return TENANT_CLIENT_PUBLIC_IMPORTS.find(\n (entry) =>\n importPath === entry.packageName ||\n importPath.startsWith(`${entry.packageName}/`)\n );\n}\n\nfunction matchesForbiddenPattern(\n importPath: string\n): TenantClientForbiddenImportPattern | undefined {\n return TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS.find((entry) =>\n new RegExp(entry.pattern, \"u\").test(importPath)\n );\n}\n\nexport function classifyTenantClientImport(\n importPath: string\n): TenantClientImportClassification {\n const normalizedImportPath = importPath.trim();\n const pattern = matchesForbiddenPattern(normalizedImportPath);\n\n if (pattern) {\n return {\n importPath: normalizedImportPath,\n decision: \"forbidden\",\n pattern,\n reason: pattern.description,\n };\n }\n\n const publicImport = 
matchesPublicImport(normalizedImportPath);\n if (publicImport) {\n return {\n importPath: normalizedImportPath,\n decision: \"public\",\n publicImport,\n reason: publicImport.description,\n };\n }\n\n if (normalizedImportPath.startsWith(\"@lucern/\")) {\n return {\n importPath: normalizedImportPath,\n decision: \"forbidden\",\n reason:\n \"This @lucern package is not part of the tenant client public surface.\",\n };\n }\n\n if (\n normalizedImportPath.startsWith(\"./\") ||\n normalizedImportPath.startsWith(\"../\")\n ) {\n return {\n importPath: normalizedImportPath,\n decision: \"local\",\n reason: \"Local tenant-owned import.\",\n };\n }\n\n return {\n importPath: normalizedImportPath,\n decision: \"external\",\n reason: \"External dependency outside the Lucern package namespace.\",\n };\n}\n\nexport function isTenantClientPublicImport(importPath: string): boolean {\n return classifyTenantClientImport(importPath).decision === \"public\";\n}\n\nexport function isTenantClientComponentConfigImport(\n importPath: string\n): boolean {\n return TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS.some(\n (entry) => importPath === entry.importPath\n );\n}\n\nexport function isTenantClientAllowedImport(importPath: string): boolean {\n return classifyTenantClientImport(importPath).decision === \"public\";\n}\n\nexport function assertTenantClientImportAllowed(importPath: string): void {\n const classification = classifyTenantClientImport(importPath);\n if (classification.decision !== \"forbidden\") {\n return;\n }\n\n throw new Error(formatTenantClientImportViolation(classification));\n}\n\nexport function formatTenantClientImportViolation(\n classification: TenantClientImportClassification\n): string {\n const patternId = classification.pattern\n ? ` [${classification.pattern.id}]`\n : \"\";\n return `Tenant client import is not allowed${patternId}: ${classification.importPath}. 
${classification.reason}`;\n}\n","/**\n * Infisical runtime contract\n *\n * Defines how Lucern runtime surfaces receive platform configuration and\n * secrets. Vercel-owned apps consume Infisical through secret syncs. Server,\n * CLI, MCP, and SDK operator contexts may hydrate runtime config directly from\n * Infisical when they have a scoped machine identity. Tenant user auth still\n * flows through Lucern device login; tenant tools never receive platform Clerk\n * secrets.\n */\n\nimport { TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH } from \"./tenant-client.contract\";\n\nexport const INFISICAL_RUNTIME_CONTRACT_VERSION = \"2026-04-28\" as const;\n\nexport const INFISICAL_RUNTIME_DEFAULT_API_URL =\n \"https://app.infisical.com\" as const;\nexport const INFISICAL_RUNTIME_DEFAULT_PROJECT_ID =\n \"344b0526-90df-4606-ba50-22c647a36c65\" as const;\n\nexport const INFISICAL_RUNTIME_ENVIRONMENTS = [\n \"dev\",\n \"staging\",\n \"prod\",\n] as const;\nexport type InfisicalRuntimeEnvironment =\n (typeof INFISICAL_RUNTIME_ENVIRONMENTS)[number];\n\nexport const INFISICAL_RUNTIME_DELIVERY_MODES = [\n \"vercel_sync\",\n \"runtime_fetch\",\n \"device_auth\",\n] as const;\nexport type InfisicalRuntimeDeliveryMode =\n (typeof INFISICAL_RUNTIME_DELIVERY_MODES)[number];\n\nexport const INFISICAL_RUNTIME_SURFACE_IDS = [\n \"lucern-web\",\n \"lucern-gateway\",\n \"lucern-sdk\",\n \"lucern-cli\",\n \"lucern-mcp\",\n \"tenant-client\",\n] as const;\nexport type InfisicalRuntimeSurfaceId =\n (typeof INFISICAL_RUNTIME_SURFACE_IDS)[number];\n\nexport const INFISICAL_RUNTIME_BOOTSTRAP_ENV = {\n apiUrl: [\"INFISICAL_API_URL\", \"INFISICAL_URL\"],\n projectId: [\"INFISICAL_PROJECT_ID\", \"INFISICAL_WORKSPACE_ID\"],\n clientId: [\n \"INFISICAL_CLIENT_ID\",\n \"INFISICAL_MACHINE_CLIENT_ID\",\n \"INFISICAL_UNIVERSAL_AUTH_CLIENT_ID\",\n ],\n clientSecret: [\n \"INFISICAL_CLIENT_SECRET\",\n \"INFISICAL_MACHINE_CLIENT_SECRET\",\n \"INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET\",\n ],\n environment: 
[\"INFISICAL_ENV\", \"LUCERN_INFISICAL_ENV\"],\n organizationSlug: [\"INFISICAL_ORG_SLUG\", \"INFISICAL_ORGANIZATION_SLUG\"],\n disabled: [\"LUCERN_INFISICAL_DISABLE\", \"INFISICAL_DISABLE\"],\n} as const;\nexport type InfisicalRuntimeBootstrapEnv =\n typeof INFISICAL_RUNTIME_BOOTSTRAP_ENV;\n\nexport type InfisicalRuntimeVariable = {\n readonly name: string;\n readonly required: boolean;\n readonly secret: boolean;\n readonly public: boolean;\n readonly aliases?: readonly string[];\n readonly description: string;\n};\n\nexport type InfisicalRuntimePathDefinition = {\n readonly id: string;\n readonly secretPath: string;\n readonly description: string;\n readonly variables: readonly InfisicalRuntimeVariable[];\n};\n\nexport const INFISICAL_RUNTIME_PATHS = [\n {\n id: \"platform-auth\",\n secretPath: \"/platform/auth\",\n description:\n \"Lucern platform authentication secrets. Synced into Vercel web/gateway projects; never distributed to tenant tools.\",\n variables: [\n {\n name: \"NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY\",\n required: true,\n secret: false,\n public: true,\n description: \"Clerk publishable key for the Lucern web origin.\",\n },\n {\n name: \"CLERK_SECRET_KEY\",\n required: true,\n secret: true,\n public: false,\n description: \"Clerk backend secret key for Lucern server runtimes.\",\n },\n {\n name: \"CLERK_JWT_ISSUER_DOMAIN\",\n required: false,\n secret: false,\n public: false,\n description: \"Expected Clerk issuer/JWKS domain for JWT verification.\",\n },\n {\n name: \"NEXT_PUBLIC_CLERK_SIGN_IN_URL\",\n required: false,\n secret: false,\n public: true,\n description: \"Public sign-in URL for Lucern-owned web flows.\",\n },\n {\n name: \"NEXT_PUBLIC_CLERK_SIGN_UP_URL\",\n required: false,\n secret: false,\n public: true,\n description: \"Public sign-up URL for Lucern-owned web flows.\",\n },\n ],\n },\n {\n id: \"platform-runtime\",\n secretPath: \"/platform/runtime\",\n description:\n \"Runtime defaults shared by server-side Lucern clients and 
operator tooling.\",\n variables: [\n {\n name: \"LUCERN_API_URL\",\n required: true,\n secret: false,\n public: false,\n aliases: [\"LUCERN_API_BASE_URL\", \"LUCERN_BASE_URL\"],\n description: \"Canonical Lucern API gateway URL.\",\n },\n {\n name: \"LUCERN_LOGIN_BASE_URL\",\n required: false,\n secret: false,\n public: false,\n aliases: [\"LUCERN_AUTH_BASE_URL\"],\n description: \"Browser login origin used when it differs from the API.\",\n },\n {\n name: \"LUCERN_ENVIRONMENT\",\n required: false,\n secret: false,\n public: false,\n aliases: [\"LUCERN_ENV\"],\n description: \"Lucern environment label consumed by CLI profiles.\",\n },\n ],\n },\n {\n id: \"tenant-shared-install\",\n secretPath: TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH,\n description:\n \"Tenant package-install secrets. This is install-only and distinct from platform publish credentials.\",\n variables: [\n {\n name: \"INSTALL_LUCERN_NPM\",\n required: true,\n secret: true,\n public: false,\n description: \"Read-only install token for the published @lucern/* suite.\",\n },\n ],\n },\n] as const satisfies readonly InfisicalRuntimePathDefinition[];\nexport type InfisicalRuntimePath = (typeof INFISICAL_RUNTIME_PATHS)[number];\nexport type InfisicalRuntimePathId = InfisicalRuntimePath[\"id\"];\n\nexport type InfisicalRuntimeSurfaceDefinition = {\n readonly id: InfisicalRuntimeSurfaceId;\n readonly packageName?: string;\n readonly delivery: InfisicalRuntimeDeliveryMode;\n readonly fallback?: InfisicalRuntimeDeliveryMode;\n readonly sourcePathIds: readonly InfisicalRuntimePathId[];\n readonly consumer: string;\n readonly description: string;\n};\n\nexport const INFISICAL_RUNTIME_SURFACES = [\n {\n id: \"lucern-web\",\n delivery: \"vercel_sync\",\n sourcePathIds: [\"platform-auth\", \"platform-runtime\"],\n consumer: \"apps/web on Vercel project lucern\",\n description:\n \"Lucern web consumes Clerk and runtime config via Infisical-to-Vercel syncs.\",\n },\n {\n id: \"lucern-gateway\",\n delivery: 
\"vercel_sync\",\n sourcePathIds: [\"platform-auth\", \"platform-runtime\"],\n consumer: \"apps/gateway on Vercel project lucern-gateway\",\n description:\n \"Lucern gateway consumes platform config via Infisical-to-Vercel syncs.\",\n },\n {\n id: \"lucern-sdk\",\n packageName: \"@lucern/sdk\",\n delivery: \"runtime_fetch\",\n sourcePathIds: [\"platform-runtime\"],\n consumer: \"server-side SDK operator contexts with a scoped Infisical identity\",\n description:\n \"SDK exposes the runtime Infisical resolver used by clients that have machine identity credentials.\",\n },\n {\n id: \"lucern-cli\",\n packageName: \"@lucern/cli\",\n delivery: \"runtime_fetch\",\n fallback: \"device_auth\",\n sourcePathIds: [\"platform-runtime\"],\n consumer: \"developer/operator CLI processes\",\n description:\n \"CLI hydrates runtime defaults from Infisical when configured, then authenticates users through Lucern device login.\",\n },\n {\n id: \"lucern-mcp\",\n packageName: \"@lucern/mcp\",\n delivery: \"runtime_fetch\",\n fallback: \"device_auth\",\n sourcePathIds: [\"platform-runtime\"],\n consumer: \"MCP server/client processes\",\n description:\n \"MCP hydrates runtime defaults through the SDK resolver and remains a Lucern client, not a platform secret owner.\",\n },\n {\n id: \"tenant-client\",\n delivery: \"device_auth\",\n sourcePathIds: [\"tenant-shared-install\"],\n consumer: \"tenant-owned apps and coding agents\",\n description:\n \"Tenant clients install the published packages and receive user/service credentials through Lucern auth surfaces.\",\n },\n] as const satisfies readonly InfisicalRuntimeSurfaceDefinition[];\nexport type InfisicalRuntimeSurface =\n (typeof INFISICAL_RUNTIME_SURFACES)[number];\n\nexport function findInfisicalRuntimePath(\n pathId: InfisicalRuntimePathId\n): InfisicalRuntimePath | undefined {\n return INFISICAL_RUNTIME_PATHS.find((path) => path.id === pathId);\n}\n\nexport function findInfisicalRuntimeSurface(\n surfaceId: 
InfisicalRuntimeSurfaceId\n): InfisicalRuntimeSurface | undefined {\n return INFISICAL_RUNTIME_SURFACES.find(\n (surface) => surface.id === surfaceId\n );\n}\n"]}
@@ -0,0 +1,2 @@
1
+ import 'zod';
2
+ export { e as EdgePolicyEntry, c as EdgePolicyEntrySchema, f as EdgePolicyManifest, d as EdgePolicyManifestSchema, g as EdgePolicyViolation, i as assertEdgePolicyAllowed, h as findEdgePolicy } from '../edge-policy-manifest-DpmTtjmm.js';
@@ -0,0 +1,27 @@
1
+ declare const edgePolicyManifest: {
2
+ manifestVersion: "1.0.0";
3
+ policies: ({
4
+ edgeType: string;
5
+ fromKinds: "epistemic_node"[];
6
+ fromNodeTypes: "evidence"[];
7
+ toKinds: "epistemic_node"[];
8
+ toNodeTypes: "evidence"[];
9
+ description: string;
10
+ } | {
11
+ edgeType: string;
12
+ fromKinds: "epistemic_node"[];
13
+ fromNodeTypes: "evidence"[];
14
+ toKinds: "epistemic_node"[];
15
+ toNodeTypes: "belief"[];
16
+ description: string;
17
+ } | {
18
+ edgeType: string;
19
+ fromKinds: "epistemic_node"[];
20
+ fromNodeTypes: "evidence"[];
21
+ toKinds: "epistemic_node"[];
22
+ toNodeTypes: "question"[];
23
+ description: string;
24
+ })[];
25
+ };
26
+
27
+ export { edgePolicyManifest };
@@ -0,0 +1,34 @@
1
+ // src/manifests/edge-policy-manifest.data.ts
2
+ var edgePolicyManifest = {
3
+ manifestVersion: "1.0.0",
4
+ policies: [
5
+ {
6
+ edgeType: "evidence_derived_from_evidence",
7
+ fromKinds: ["epistemic_node"],
8
+ fromNodeTypes: ["evidence"],
9
+ toKinds: ["epistemic_node"],
10
+ toNodeTypes: ["evidence"],
11
+ description: "Evidence E2 was synthesized from evidence E1 by a transformation. Provides chain-of-evidence lineage."
12
+ },
13
+ {
14
+ edgeType: "evidence_supports_belief",
15
+ fromKinds: ["epistemic_node"],
16
+ fromNodeTypes: ["evidence"],
17
+ toKinds: ["epistemic_node"],
18
+ toNodeTypes: ["belief"],
19
+ description: "Existing link_evidence_to_belief semantics promoted to the create_edge policy source."
20
+ },
21
+ {
22
+ edgeType: "evidence_supports_question",
23
+ fromKinds: ["epistemic_node"],
24
+ fromNodeTypes: ["evidence"],
25
+ toKinds: ["epistemic_node"],
26
+ toNodeTypes: ["question"],
27
+ description: "Existing link_evidence_to_question semantics promoted to the create_edge policy source."
28
+ }
29
+ ]
30
+ };
31
+
32
+ export { edgePolicyManifest };
33
+ //# sourceMappingURL=edge-policy-manifest.data.js.map
34
+ //# sourceMappingURL=edge-policy-manifest.data.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../../src/manifests/edge-policy-manifest.data.ts"],"names":[],"mappings":";AAEO,IAAM,kBAAA,GAAqB;AAAA,EAChC,eAAA,EAAiB,OAAA;AAAA,EACjB,QAAA,EAAU;AAAA,IACR;AAAA,MACE,QAAA,EAAU,gCAAA;AAAA,MACV,SAAA,EAAW,CAAC,gBAAgB,CAAA;AAAA,MAC5B,aAAA,EAAe,CAAC,UAAU,CAAA;AAAA,MAC1B,OAAA,EAAS,CAAC,gBAAgB,CAAA;AAAA,MAC1B,WAAA,EAAa,CAAC,UAAU,CAAA;AAAA,MACxB,WAAA,EACE;AAAA,KACJ;AAAA,IACA;AAAA,MACE,QAAA,EAAU,0BAAA;AAAA,MACV,SAAA,EAAW,CAAC,gBAAgB,CAAA;AAAA,MAC5B,aAAA,EAAe,CAAC,UAAU,CAAA;AAAA,MAC1B,OAAA,EAAS,CAAC,gBAAgB,CAAA;AAAA,MAC1B,WAAA,EAAa,CAAC,QAAQ,CAAA;AAAA,MACtB,WAAA,EACE;AAAA,KACJ;AAAA,IACA;AAAA,MACE,QAAA,EAAU,4BAAA;AAAA,MACV,SAAA,EAAW,CAAC,gBAAgB,CAAA;AAAA,MAC5B,aAAA,EAAe,CAAC,UAAU,CAAA;AAAA,MAC1B,OAAA,EAAS,CAAC,gBAAgB,CAAA;AAAA,MAC1B,WAAA,EAAa,CAAC,UAAU,CAAA;AAAA,MACxB,WAAA,EACE;AAAA;AACJ;AAEJ","file":"edge-policy-manifest.data.js","sourcesContent":["import type { EdgePolicyManifest } from \"./edge-policy-manifest.js\";\n\nexport const edgePolicyManifest = {\n manifestVersion: \"1.0.0\",\n policies: [\n {\n edgeType: \"evidence_derived_from_evidence\",\n fromKinds: [\"epistemic_node\"],\n fromNodeTypes: [\"evidence\"],\n toKinds: [\"epistemic_node\"],\n toNodeTypes: [\"evidence\"],\n description:\n \"Evidence E2 was synthesized from evidence E1 by a transformation. Provides chain-of-evidence lineage.\",\n },\n {\n edgeType: \"evidence_supports_belief\",\n fromKinds: [\"epistemic_node\"],\n fromNodeTypes: [\"evidence\"],\n toKinds: [\"epistemic_node\"],\n toNodeTypes: [\"belief\"],\n description:\n \"Existing link_evidence_to_belief semantics promoted to the create_edge policy source.\",\n },\n {\n edgeType: \"evidence_supports_question\",\n fromKinds: [\"epistemic_node\"],\n fromNodeTypes: [\"evidence\"],\n toKinds: [\"epistemic_node\"],\n toNodeTypes: [\"question\"],\n description:\n \"Existing link_evidence_to_question semantics promoted to the create_edge policy source.\",\n },\n ],\n} satisfies EdgePolicyManifest;\n"]}
@@ -0,0 +1,65 @@
1
+ import { z } from 'zod';
2
+
3
+ // src/manifests/edge-policy-manifest.ts
4
+ var EpistemicNodeTypeSchema = z.enum([
5
+ "belief",
6
+ "evidence",
7
+ "question",
8
+ "answer",
9
+ "topic",
10
+ "edge",
11
+ "ontology",
12
+ "lens",
13
+ "contradiction"
14
+ ]);
15
+ z.discriminatedUnion("kind", [
16
+ z.object({
17
+ kind: z.literal("epistemic_node"),
18
+ nodeId: z.string(),
19
+ nodeType: EpistemicNodeTypeSchema
20
+ }),
21
+ z.object({
22
+ kind: z.literal("external_belief"),
23
+ ref: z.object({
24
+ tenantId: z.string(),
25
+ beliefId: z.string()
26
+ })
27
+ })
28
+ ]);
29
+
30
+ // src/manifests/edge-policy-manifest.ts
31
+ var graphRefKind = z.enum(["epistemic_node", "external_belief"]);
32
+ var EdgePolicyEntrySchema = z.object({
33
+ edgeType: z.string(),
34
+ fromKinds: z.array(graphRefKind),
35
+ fromNodeTypes: z.array(EpistemicNodeTypeSchema).optional(),
36
+ toKinds: z.array(graphRefKind),
37
+ toNodeTypes: z.array(EpistemicNodeTypeSchema).optional(),
38
+ description: z.string()
39
+ });
40
+ var EdgePolicyManifestSchema = z.object({
41
+ manifestVersion: z.literal("1.0.0"),
42
+ policies: z.array(EdgePolicyEntrySchema)
43
+ });
44
+ function findEdgePolicy(manifest, edgeType) {
45
+ return manifest.policies.find((policy) => policy.edgeType === edgeType);
46
+ }
47
+ function nodeTypeAllowed(allowed, ref) {
48
+ return ref.kind !== "epistemic_node" || !allowed || allowed.includes(ref.nodeType);
49
+ }
50
+ function assertEdgePolicyAllowed(manifest, edgeType, from, to) {
51
+ const policy = findEdgePolicy(manifest, edgeType);
52
+ const allowed = Boolean(policy) && policy.fromKinds.includes(from.kind) && policy.toKinds.includes(to.kind) && nodeTypeAllowed(policy.fromNodeTypes, from) && nodeTypeAllowed(policy.toNodeTypes, to);
53
+ if (!allowed) {
54
+ const error = new Error(
55
+ `Edge policy violation for ${edgeType}: ${from.kind} -> ${to.kind}`
56
+ );
57
+ error.code = "POLICY_VIOLATION";
58
+ error.details = { code: "POLICY_VIOLATION", edgeType, from, to };
59
+ throw error;
60
+ }
61
+ }
62
+
63
+ export { EdgePolicyEntrySchema, EdgePolicyManifestSchema, assertEdgePolicyAllowed, findEdgePolicy };
64
+ //# sourceMappingURL=edge-policy-manifest.js.map
65
+ //# sourceMappingURL=edge-policy-manifest.js.map
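Review bot: `assertEdgePolicyAllowed` (new-side lines 50-61) decides on `from.kind`, `from.nodeType`, `to.kind` and `to.nodeType` exactly as the caller passes them, and nothing in this module checks that the refs are well-formed: the `z.discriminatedUnion("kind", …)` built at line 15 is never bound to a name, so the bundle has no ref schema to call. An unexpected `kind` is rejected by the `includes` checks, but a `null` or `undefined` ref raises a `TypeError` instead of a `POLICY_VIOLATION` error, and the node-type restriction is only as trustworthy as wherever `nodeType` came from. I would state that contract on the function, for example `// from/to must be refs resolved from the graph store, not kind/nodeType values taken from the request`, or run both refs through the ref schema with `safeParse` and treat a failed parse as a violation. Separately, `findEdgePolicy` returns the first entry for an `edgeType` and `EdgePolicyManifestSchema` does not require `edgeType` to be unique, so a second entry for the same type would be silently ignored.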
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../../src/types/graph-ref.ts","../../src/manifests/edge-policy-manifest.ts"],"names":["z"],"mappings":";;;AAEO,IAAM,uBAAA,GAA0B,EAAE,IAAA,CAAK;AAAA,EAC5C,QAAA;AAAA,EACA,UAAA;AAAA,EACA,UAAA;AAAA,EACA,QAAA;AAAA,EACA,OAAA;AAAA,EACA,MAAA;AAAA,EACA,UAAA;AAAA,EACA,MAAA;AAAA,EACA;AACF,CAAC,CAAA;AAQ6B,CAAA,CAAE,kBAAA,CAAmB,MAAA,EAAQ;AAAA,EACzD,EAAE,MAAA,CAAO;AAAA,IACP,IAAA,EAAM,CAAA,CAAE,OAAA,CAAQ,gBAAgB,CAAA;AAAA,IAChC,MAAA,EAAQ,EAAE,MAAA,EAAO;AAAA,IACjB,QAAA,EAAU;AAAA,GACX,CAAA;AAAA,EACD,EAAE,MAAA,CAAO;AAAA,IACP,IAAA,EAAM,CAAA,CAAE,OAAA,CAAQ,iBAAiB,CAAA;AAAA,IACjC,GAAA,EAAK,EAAE,MAAA,CAAO;AAAA,MACZ,QAAA,EAAU,EAAE,MAAA,EAAO;AAAA,MACnB,QAAA,EAAU,EAAE,MAAA;AAAO,KACpB;AAAA,GACF;AACH,CAAC;;;AC1BD,IAAM,eAAeA,CAAAA,CAAE,IAAA,CAAK,CAAC,gBAAA,EAAkB,iBAAiB,CAAC,CAAA;AAE1D,IAAM,qBAAA,GAAwBA,EAAE,MAAA,CAAO;AAAA,EAC5C,QAAA,EAAUA,EAAE,MAAA,EAAO;AAAA,EACnB,SAAA,EAAWA,CAAAA,CAAE,KAAA,CAAM,YAAY,CAAA;AAAA,EAC/B,aAAA,EAAeA,CAAAA,CAAE,KAAA,CAAM,uBAAuB,EAAE,QAAA,EAAS;AAAA,EACzD,OAAA,EAASA,CAAAA,CAAE,KAAA,CAAM,YAAY,CAAA;AAAA,EAC7B,WAAA,EAAaA,CAAAA,CAAE,KAAA,CAAM,uBAAuB,EAAE,QAAA,EAAS;AAAA,EACvD,WAAA,EAAaA,EAAE,MAAA;AACjB,CAAC;AAEM,IAAM,wBAAA,GAA2BA,EAAE,MAAA,CAAO;AAAA,EAC/C,eAAA,EAAiBA,CAAAA,CAAE,OAAA,CAAQ,OAAO,CAAA;AAAA,EAClC,QAAA,EAAUA,CAAAA,CAAE,KAAA,CAAM,qBAAqB;AACzC,CAAC;AAYM,SAAS,cAAA,CACd,UACA,QAAA,EAC6B;AAC7B,EAAA,OAAO,SAAS,QAAA,CAAS,IAAA,CAAK,CAAC,MAAA,KAAW,MAAA,CAAO,aAAa,QAAQ,CAAA;AACxE;AAEA,SAAS,eAAA,CACP,SACA,GAAA,EACS;AACT,EAAA,OACE,GAAA,CAAI,SAAS,gBAAA,IACb,CAAC,WACD,OAAA,CAAQ,QAAA,CAAS,IAAI,QAAQ,CAAA;AAEjC;AAEO,SAAS,uBAAA,CACd,QAAA,EACA,QAAA,EACA,IAAA,EACA,EAAA,EACM;AACN,EAAA,MAAM,MAAA,GAAS,cAAA,CAAe,QAAA,EAAU,QAAQ,CAAA;AAChD,EAAA,MAAM,OAAA,GACJ,OAAA,CAAQ,MAAM,CAAA,IACd,MAAA,CAAQ,UAAU,QAAA,CAAS,IAAA,CAAK,IAAI,CAAA,IACpC,MAAA,CAAQ,OAAA,CAAQ,SAAS,EAAA,CAAG,IAAI,CAAA,IAChC,eAAA,CAAgB,MAAA,CAAQ,aAAA,EAAe,IAAI,CAAA,IAC3C,eAAA,CAAgB,MAAA,CAAQ,WAAA,EAAa,EAAE,CAAA;AAEzC,EAAA,IAAI,CAAC,OAAA,EAAS;AACZ,IAAA,MAAM,QAAQ,IAAI,KAAA;AAAA,MAChB,6BAA6B,QAAQ,CAAA,EAAA,EAA
K,KAAK,IAAI,CAAA,IAAA,EAAO,GAAG,IAAI,CAAA;AAAA,KACnE;AACA,IAAA,KAAA,CAAM,IAAA,GAAO,kBAAA;AACb,IAAA,KAAA,CAAM,UAAU,EAAE,IAAA,EAAM,kBAAA,EAAoB,QAAA,EAAU,MAAM,EAAA,EAAG;AAC/D,IAAA,MAAM,KAAA;AAAA,EACR;AACF","file":"edge-policy-manifest.js","sourcesContent":["import { z } from \"zod\";\n\nexport const EpistemicNodeTypeSchema = z.enum([\n \"belief\",\n \"evidence\",\n \"question\",\n \"answer\",\n \"topic\",\n \"edge\",\n \"ontology\",\n \"lens\",\n \"contradiction\",\n]);\n\nexport type EpistemicNodeType = z.infer<typeof EpistemicNodeTypeSchema>;\n\nexport type GraphRef =\n | { kind: \"epistemic_node\"; nodeId: string; nodeType: EpistemicNodeType }\n | { kind: \"external_belief\"; ref: { tenantId: string; beliefId: string } };\n\nexport const GraphRefSchema = z.discriminatedUnion(\"kind\", [\n z.object({\n kind: z.literal(\"epistemic_node\"),\n nodeId: z.string(),\n nodeType: EpistemicNodeTypeSchema,\n }),\n z.object({\n kind: z.literal(\"external_belief\"),\n ref: z.object({\n tenantId: z.string(),\n beliefId: z.string(),\n }),\n }),\n]);\n","import { z } from \"zod\";\nimport {\n EpistemicNodeTypeSchema,\n type EpistemicNodeType,\n type GraphRef,\n} from \"../types/graph-ref.js\";\n\nconst graphRefKind = z.enum([\"epistemic_node\", \"external_belief\"]);\n\nexport const EdgePolicyEntrySchema = z.object({\n edgeType: z.string(),\n fromKinds: z.array(graphRefKind),\n fromNodeTypes: z.array(EpistemicNodeTypeSchema).optional(),\n toKinds: z.array(graphRefKind),\n toNodeTypes: z.array(EpistemicNodeTypeSchema).optional(),\n description: z.string(),\n});\n\nexport const EdgePolicyManifestSchema = z.object({\n manifestVersion: z.literal(\"1.0.0\"),\n policies: z.array(EdgePolicyEntrySchema),\n});\n\nexport type EdgePolicyEntry = z.infer<typeof EdgePolicyEntrySchema>;\nexport type EdgePolicyManifest = z.infer<typeof EdgePolicyManifestSchema>;\n\nexport type EdgePolicyViolation = {\n code: \"POLICY_VIOLATION\";\n edgeType: string;\n from: GraphRef;\n to: GraphRef;\n};\n\nexport 
function findEdgePolicy(\n manifest: EdgePolicyManifest,\n edgeType: string\n): EdgePolicyEntry | undefined {\n return manifest.policies.find((policy) => policy.edgeType === edgeType);\n}\n\nfunction nodeTypeAllowed(\n allowed: EpistemicNodeType[] | undefined,\n ref: GraphRef\n): boolean {\n return (\n ref.kind !== \"epistemic_node\" ||\n !allowed ||\n allowed.includes(ref.nodeType)\n );\n}\n\nexport function assertEdgePolicyAllowed(\n manifest: EdgePolicyManifest,\n edgeType: string,\n from: GraphRef,\n to: GraphRef\n): void {\n const policy = findEdgePolicy(manifest, edgeType);\n const allowed =\n Boolean(policy) &&\n policy!.fromKinds.includes(from.kind) &&\n policy!.toKinds.includes(to.kind) &&\n nodeTypeAllowed(policy!.fromNodeTypes, from) &&\n nodeTypeAllowed(policy!.toNodeTypes, to);\n\n if (!allowed) {\n const error = new Error(\n `Edge policy violation for ${edgeType}: ${from.kind} -> ${to.kind}`\n ) as Error & { code: \"POLICY_VIOLATION\"; details: EdgePolicyViolation };\n error.code = \"POLICY_VIOLATION\";\n error.details = { code: \"POLICY_VIOLATION\", edgeType, from, to };\n throw error;\n }\n}\n"]}
@@ -0,0 +1,151 @@
1
+ import { INFISICAL_RUNTIME_CONTRACT_VERSION, INFISICAL_RUNTIME_DEFAULT_PROJECT_ID, INFISICAL_RUNTIME_DEFAULT_API_URL, InfisicalRuntimeEnvironment, InfisicalRuntimeDeliveryMode, InfisicalRuntimeBootstrapEnv, InfisicalRuntimePath, InfisicalRuntimeSurface } from '../infisical-runtime.contract.js';
2
+
3
+ type InfisicalRuntimeManifest = {
4
+ readonly manifestVersion: "1.0.0";
5
+ readonly contractVersion: typeof INFISICAL_RUNTIME_CONTRACT_VERSION;
6
+ readonly project: {
7
+ readonly id: typeof INFISICAL_RUNTIME_DEFAULT_PROJECT_ID;
8
+ readonly apiUrl: typeof INFISICAL_RUNTIME_DEFAULT_API_URL;
9
+ };
10
+ readonly environments: readonly InfisicalRuntimeEnvironment[];
11
+ readonly deliveryModes: readonly InfisicalRuntimeDeliveryMode[];
12
+ readonly bootstrapEnv: InfisicalRuntimeBootstrapEnv;
13
+ readonly paths: readonly InfisicalRuntimePath[];
14
+ readonly surfaces: readonly InfisicalRuntimeSurface[];
15
+ };
16
+ declare const INFISICAL_RUNTIME_MANIFEST: {
17
+ readonly manifestVersion: "1.0.0";
18
+ readonly contractVersion: "2026-04-28";
19
+ readonly project: {
20
+ readonly id: "344b0526-90df-4606-ba50-22c647a36c65";
21
+ readonly apiUrl: "https://app.infisical.com";
22
+ };
23
+ readonly environments: readonly ["dev", "staging", "prod"];
24
+ readonly deliveryModes: readonly ["vercel_sync", "runtime_fetch", "device_auth"];
25
+ readonly bootstrapEnv: {
26
+ readonly apiUrl: readonly ["INFISICAL_API_URL", "INFISICAL_URL"];
27
+ readonly projectId: readonly ["INFISICAL_PROJECT_ID", "INFISICAL_WORKSPACE_ID"];
28
+ readonly clientId: readonly ["INFISICAL_CLIENT_ID", "INFISICAL_MACHINE_CLIENT_ID", "INFISICAL_UNIVERSAL_AUTH_CLIENT_ID"];
29
+ readonly clientSecret: readonly ["INFISICAL_CLIENT_SECRET", "INFISICAL_MACHINE_CLIENT_SECRET", "INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET"];
30
+ readonly environment: readonly ["INFISICAL_ENV", "LUCERN_INFISICAL_ENV"];
31
+ readonly organizationSlug: readonly ["INFISICAL_ORG_SLUG", "INFISICAL_ORGANIZATION_SLUG"];
32
+ readonly disabled: readonly ["LUCERN_INFISICAL_DISABLE", "INFISICAL_DISABLE"];
33
+ };
34
+ readonly paths: readonly [{
35
+ readonly id: "platform-auth";
36
+ readonly secretPath: "/platform/auth";
37
+ readonly description: "Lucern platform authentication secrets. Synced into Vercel web/gateway projects; never distributed to tenant tools.";
38
+ readonly variables: readonly [{
39
+ readonly name: "NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY";
40
+ readonly required: true;
41
+ readonly secret: false;
42
+ readonly public: true;
43
+ readonly description: "Clerk publishable key for the Lucern web origin.";
44
+ }, {
45
+ readonly name: "CLERK_SECRET_KEY";
46
+ readonly required: true;
47
+ readonly secret: true;
48
+ readonly public: false;
49
+ readonly description: "Clerk backend secret key for Lucern server runtimes.";
50
+ }, {
51
+ readonly name: "CLERK_JWT_ISSUER_DOMAIN";
52
+ readonly required: false;
53
+ readonly secret: false;
54
+ readonly public: false;
55
+ readonly description: "Expected Clerk issuer/JWKS domain for JWT verification.";
56
+ }, {
57
+ readonly name: "NEXT_PUBLIC_CLERK_SIGN_IN_URL";
58
+ readonly required: false;
59
+ readonly secret: false;
60
+ readonly public: true;
61
+ readonly description: "Public sign-in URL for Lucern-owned web flows.";
62
+ }, {
63
+ readonly name: "NEXT_PUBLIC_CLERK_SIGN_UP_URL";
64
+ readonly required: false;
65
+ readonly secret: false;
66
+ readonly public: true;
67
+ readonly description: "Public sign-up URL for Lucern-owned web flows.";
68
+ }];
69
+ }, {
70
+ readonly id: "platform-runtime";
71
+ readonly secretPath: "/platform/runtime";
72
+ readonly description: "Runtime defaults shared by server-side Lucern clients and operator tooling.";
73
+ readonly variables: readonly [{
74
+ readonly name: "LUCERN_API_URL";
75
+ readonly required: true;
76
+ readonly secret: false;
77
+ readonly public: false;
78
+ readonly aliases: readonly ["LUCERN_API_BASE_URL", "LUCERN_BASE_URL"];
79
+ readonly description: "Canonical Lucern API gateway URL.";
80
+ }, {
81
+ readonly name: "LUCERN_LOGIN_BASE_URL";
82
+ readonly required: false;
83
+ readonly secret: false;
84
+ readonly public: false;
85
+ readonly aliases: readonly ["LUCERN_AUTH_BASE_URL"];
86
+ readonly description: "Browser login origin used when it differs from the API.";
87
+ }, {
88
+ readonly name: "LUCERN_ENVIRONMENT";
89
+ readonly required: false;
90
+ readonly secret: false;
91
+ readonly public: false;
92
+ readonly aliases: readonly ["LUCERN_ENV"];
93
+ readonly description: "Lucern environment label consumed by CLI profiles.";
94
+ }];
95
+ }, {
96
+ readonly id: "tenant-shared-install";
97
+ readonly secretPath: "tenants/shared";
98
+ readonly description: "Tenant package-install secrets. This is install-only and distinct from platform publish credentials.";
99
+ readonly variables: readonly [{
100
+ readonly name: "INSTALL_LUCERN_NPM";
101
+ readonly required: true;
102
+ readonly secret: true;
103
+ readonly public: false;
104
+ readonly description: "Read-only install token for the published @lucern/* suite.";
105
+ }];
106
+ }];
107
+ readonly surfaces: readonly [{
108
+ readonly id: "lucern-web";
109
+ readonly delivery: "vercel_sync";
110
+ readonly sourcePathIds: readonly ["platform-auth", "platform-runtime"];
111
+ readonly consumer: "apps/web on Vercel project lucern";
112
+ readonly description: "Lucern web consumes Clerk and runtime config via Infisical-to-Vercel syncs.";
113
+ }, {
114
+ readonly id: "lucern-gateway";
115
+ readonly delivery: "vercel_sync";
116
+ readonly sourcePathIds: readonly ["platform-auth", "platform-runtime"];
117
+ readonly consumer: "apps/gateway on Vercel project lucern-gateway";
118
+ readonly description: "Lucern gateway consumes platform config via Infisical-to-Vercel syncs.";
119
+ }, {
120
+ readonly id: "lucern-sdk";
121
+ readonly packageName: "@lucern/sdk";
122
+ readonly delivery: "runtime_fetch";
123
+ readonly sourcePathIds: readonly ["platform-runtime"];
124
+ readonly consumer: "server-side SDK operator contexts with a scoped Infisical identity";
125
+ readonly description: "SDK exposes the runtime Infisical resolver used by clients that have machine identity credentials.";
126
+ }, {
127
+ readonly id: "lucern-cli";
128
+ readonly packageName: "@lucern/cli";
129
+ readonly delivery: "runtime_fetch";
130
+ readonly fallback: "device_auth";
131
+ readonly sourcePathIds: readonly ["platform-runtime"];
132
+ readonly consumer: "developer/operator CLI processes";
133
+ readonly description: "CLI hydrates runtime defaults from Infisical when configured, then authenticates users through Lucern device login.";
134
+ }, {
135
+ readonly id: "lucern-mcp";
136
+ readonly packageName: "@lucern/mcp";
137
+ readonly delivery: "runtime_fetch";
138
+ readonly fallback: "device_auth";
139
+ readonly sourcePathIds: readonly ["platform-runtime"];
140
+ readonly consumer: "MCP server/client processes";
141
+ readonly description: "MCP hydrates runtime defaults through the SDK resolver and remains a Lucern client, not a platform secret owner.";
142
+ }, {
143
+ readonly id: "tenant-client";
144
+ readonly delivery: "device_auth";
145
+ readonly sourcePathIds: readonly ["tenant-shared-install"];
146
+ readonly consumer: "tenant-owned apps and coding agents";
147
+ readonly description: "Tenant clients install the published packages and receive user/service credentials through Lucern auth surfaces.";
148
+ }];
149
+ };
150
+
151
+ export { INFISICAL_RUNTIME_MANIFEST, type InfisicalRuntimeManifest };
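Review bot: The `tenant-shared-install` entry declares `secretPath: "tenants/shared"` (new-side line 97) without a leading slash, while the other two entries use `"/platform/auth"` and `"/platform/runtime"`. If the runtime resolver hands `secretPath` to Infisical unchanged, the install-token path may resolve differently from the platform paths or not at all; I would normalise it to `"/tenants/shared"` if absolute paths are what the resolver expects, or add a comment next to the constant explaining why this one is relative. The value appears to come from `TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH`, which is defined outside this hunk, so that definition is where the change belongs. A comment on the manifest would also help: this declaration publishes the concrete project id, secret paths and bootstrap variable names, so protection of the secrets rests on scoped machine identities and not on these values being unknown.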