@lucern/contracts 0.3.0-alpha.5 → 0.3.0-alpha.7
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +4 -0
- package/dist/{dsl-BgpoVOVQ.d.ts → dsl-djCRfuWC.d.ts} +1 -1
- package/dist/dsl.d.ts +1 -1
- package/dist/dsl.js +1 -4
- package/dist/dsl.js.map +1 -1
- package/dist/{edge-policy-manifest-DpmTtjmm.d.ts → edge-policy-manifest-Byv6cQPP.d.ts} +1 -1
- package/dist/function-registry/beliefs.js +73 -10
- package/dist/function-registry/beliefs.js.map +1 -1
- package/dist/function-registry/coding.js +73 -10
- package/dist/function-registry/coding.js.map +1 -1
- package/dist/function-registry/context.js +78 -12
- package/dist/function-registry/context.js.map +1 -1
- package/dist/function-registry/contracts.js +73 -10
- package/dist/function-registry/contracts.js.map +1 -1
- package/dist/function-registry/coordination.js +73 -10
- package/dist/function-registry/coordination.js.map +1 -1
- package/dist/function-registry/edges.js +73 -10
- package/dist/function-registry/edges.js.map +1 -1
- package/dist/function-registry/evidence.js +77 -11
- package/dist/function-registry/evidence.js.map +1 -1
- package/dist/function-registry/graph.js +73 -10
- package/dist/function-registry/graph.js.map +1 -1
- package/dist/function-registry/helpers.d.ts +3 -3
- package/dist/function-registry/helpers.js +73 -10
- package/dist/function-registry/helpers.js.map +1 -1
- package/dist/function-registry/identity.js +73 -10
- package/dist/function-registry/identity.js.map +1 -1
- package/dist/function-registry/index.d.ts +2 -2
- package/dist/function-registry/index.js +76 -13
- package/dist/function-registry/index.js.map +1 -1
- package/dist/function-registry/judgments.js +73 -10
- package/dist/function-registry/judgments.js.map +1 -1
- package/dist/function-registry/legacy.js +73 -10
- package/dist/function-registry/legacy.js.map +1 -1
- package/dist/function-registry/lenses.js +73 -10
- package/dist/function-registry/lenses.js.map +1 -1
- package/dist/function-registry/manifest.d.ts +1 -1
- package/dist/function-registry/ontologies.js +73 -10
- package/dist/function-registry/ontologies.js.map +1 -1
- package/dist/function-registry/pipeline.js +73 -10
- package/dist/function-registry/pipeline.js.map +1 -1
- package/dist/function-registry/questions.js +73 -10
- package/dist/function-registry/questions.js.map +1 -1
- package/dist/function-registry/tasks.d.ts +17 -17
- package/dist/function-registry/tasks.js +117 -12
- package/dist/function-registry/tasks.js.map +1 -1
- package/dist/function-registry/topics.js +73 -10
- package/dist/function-registry/topics.js.map +1 -1
- package/dist/function-registry/types.d.ts +1 -1
- package/dist/function-registry/worktrees.js +81 -13
- package/dist/function-registry/worktrees.js.map +1 -1
- package/dist/function-registry-input-audit.js +4 -2
- package/dist/function-registry-input-audit.js.map +1 -1
- package/dist/index.d.ts +5 -5
- package/dist/index.js +100 -12
- package/dist/index.js.map +1 -1
- package/dist/infisical-runtime.contract.js +5 -0
- package/dist/infisical-runtime.contract.js.map +1 -1
- package/dist/lens-filter.contract.js +4 -3
- package/dist/lens-filter.contract.js.map +1 -1
- package/dist/lens-workflow.contract.js +4 -3
- package/dist/lens-workflow.contract.js.map +1 -1
- package/dist/manifests/edge-policy-manifest.d.ts +1 -1
- package/dist/manifests/infisical-runtime-manifest.js +5 -0
- package/dist/manifests/infisical-runtime-manifest.js.map +1 -1
- package/dist/manifests/tenant-client-manifest.d.ts +20 -1
- package/dist/manifests/tenant-client-manifest.js +23 -0
- package/dist/manifests/tenant-client-manifest.js.map +1 -1
- package/dist/projections/check-convex-args-shape.js +4 -1
- package/dist/projections/check-convex-args-shape.js.map +1 -1
- package/dist/projections/create-evidence.projection.js +4 -1
- package/dist/projections/create-evidence.projection.js.map +1 -1
- package/dist/projections/index.js +4 -1
- package/dist/projections/index.js.map +1 -1
- package/dist/schema-helpers/enumValidation.js +2 -5
- package/dist/schema-helpers/enumValidation.js.map +1 -1
- package/dist/schema-helpers/spine/nodes/decision.js +2 -1
- package/dist/schema-helpers/spine/nodes/decision.js.map +1 -1
- package/dist/schema-helpers/spine/tables/epistemicNodes.js +27 -27
- package/dist/schema-helpers/spine/tables/epistemicNodes.js.map +1 -1
- package/dist/sdk-methods.contract.d.ts +1 -1
- package/dist/{sdk-tools.contract-Ng8ULxjr.d.ts → sdk-tools.contract-Ci8bkoai.d.ts} +2 -2
- package/dist/sdk-tools.contract.d.ts +2 -2
- package/dist/sdk-tools.contract.js +72 -7
- package/dist/sdk-tools.contract.js.map +1 -1
- package/dist/tenant-client.contract.d.ts +20 -1
- package/dist/tenant-client.contract.js +23 -0
- package/dist/tenant-client.contract.js.map +1 -1
- package/dist/{tool-contracts-CYXVPN4K.d.ts → tool-contracts-B4iWhejG.d.ts} +1 -1
- package/dist/tool-contracts.d.ts +1 -1
- package/dist/tool-contracts.js +72 -7
- package/dist/tool-contracts.js.map +1 -1
- package/package.json +1 -1
|
@@ -61,6 +61,11 @@ var TENANT_CLIENT_INSTALLABLE_PACKAGES = [
|
|
|
61
61
|
role: "sdk_dependency",
|
|
62
62
|
directTenantImport: false
|
|
63
63
|
},
|
|
64
|
+
{
|
|
65
|
+
packageName: "@lucern/graph-sync",
|
|
66
|
+
role: "host_addon_runtime",
|
|
67
|
+
directTenantImport: true
|
|
68
|
+
},
|
|
64
69
|
{
|
|
65
70
|
packageName: "@lucern/identity",
|
|
66
71
|
role: "component_runtime",
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../src/tenant-client.contract.ts","../src/infisical-runtime.contract.ts"],"names":[],"mappings":";AAoDO,IAAM,0CAAA,GACX,gBAAA;AAUK,IAAM,kCAAA,GAAqC;AAAA,EAChD;AAAA,IACE,WAAA,EAAa,wBAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,eAAA;AAAA,IACb,IAAA,EAAM,kBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,cAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,aAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,qBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,oBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,gBAAA;AAAA,IACb,IAAA,EAAM,eAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,mBAAA;AAAA,IACb,IAAA,EAAM,qBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,uBAAA;AAAA,IACb,IAAA,EAAM,kBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,uBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,gBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,0BAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,kBAAA;AAAA,IACb,IAAA,EAAM,mBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,aAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,mBAAA;AAAA,IACb,IAAA,EAAM,kBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,wBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,wBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,eAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,0BAAA;AAAA,IACb,IAAA,EAAM,mBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,aAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,qBAAA;AAAA,IACb,IAAA,EAAM,kBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,iBAAA;AAAA,IACb,IAAA,EAAM,cAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,eAAA;AAAA,IACb,IAAA,EAAM,qBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA;AAExB,CAAA;AAyBE,kCAAA,CAAmC,GAAA;AAAA,EACjC,CAAC,UAAU,KAAA,CAAM;AACnB;;;ACjMK,IAAM,kCAAA,GAAqC;AAE3C,IAAM,iCAAA,GACX;AACK,IAAM,oCAAA,GACX;AAEK,IAAM,8BAAA,GAAiC;AAAA,EAC5C,KAAA;AAAA,EACA,SAAA;AAAA,EACA;AACF;AAIO,IAAM,gCAAA,GAAmC;AAAA,EAC9C,aAAA;AAAA,EACA,eAAA;AAAA,EACA;AACF;AAIO,IAAM,6BAAA,GAAgC;AAAA,EAC3C,YAAA;AAAA,EACA,gBAAA;AAAA,EACA,YAAA;AAAA,EACA,YAAA;AAAA,EACA,YAAA;AAAA,EACA;AACF;AAIO,IAAM,+BAAA,GAAkC;AAAA,EAC7C,MAAA,EAAQ,CAAC,mBAAA,EAAqB,eAAe,CAAA;AAAA,EAC7C,SAAA,EAAW,CAAC,sBAAA,EAAwB,wBAAwB,CAAA;AAAA,EAC5D,QAAA,EAAU;AAAA,IACR,qBAAA;AAAA,IACA,6BAAA;AAAA,IACA;AAAA,GACF;AAAA,EACA,YAAA,EAAc;AAAA,IACZ,yBAAA;AAAA,IACA,iCAAA;AAAA,IACA;AAAA,GACF;AAAA,EACA,WAAA,EAAa,CAAC,eAAA,EAAiB,sBAAsB,CAAA;AAAA,EACrD,gBAAA,EAAkB,CAAC,oBAAA,EAAsB,6BAA6B,CAAA;AAAA,EACtE,QAAA,EAAU,CAAC,0BAAA,EAA4B,mBAAmB;AAC5D;AAoBO,IAAM,uBAAA,GAA0B;AAAA,EACrC;AAAA,IACE,EAAA,EAAI,eAAA;AAAA,IACJ,UAAA,EAAY,gBAAA;AAAA,IACZ,WAAA,EACE,qHAAA;AAAA,IACF,SAAA,EAAW;AAAA,MACT;AAAA,QACE,IAAA,EAAM,mCAAA;AAAA,QACN,QAAA,EAAU,IAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,IAAA;AAAA,QACR,WAAA,EAAa;AAAA,OACf;AAAA,MACA;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,QAAA,EAAU,IAAA;AAAA,QACV,MAAA,EAAQ,IAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,WAAA,EAAa;AAAA,OACf;AAAA,MACA;AAAA,QACE,IAAA,EAAM,yBAAA;AAAA,QACN,QAAA,EAAU,KAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,WAAA,EAAa;AAAA,OACf;AAAA,MACA;AAAA,QACE,IAAA,EAAM,+BAAA;AAAA,QACN,QAAA,EAAU,KAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,IAAA;AAAA,QACR,WAAA,EAAa;AAAA,OACf;AAAA,MACA;AAAA,QACE,IAAA,EAAM,+BAAA;AAAA,QACN,QAAA,EAAU,KAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,IAAA;AAAA,QACR,WAAA,EAAa;AAAA;AACf;AACF,GACF;AAAA,EACA;AAAA,IACE,EAAA,EAAI,kBAAA;AAAA,IACJ,UAAA,EAAY,mBAAA;AAAA,IACZ,WAAA,EACE,6EAAA;AAAA,IACF,SAAA,EAAW;AAAA,MACT;AAAA,QACE,IAAA,EAAM,gBAAA;AAAA,QACN,QAAA,EAAU,IAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,OAAA,EAAS,CAAC,qBAAA,EAAuB,iBAAiB,CAAA;AAAA,QAClD,WAAA,EAAa;AAAA,OACf;AAAA,MACA;AAAA,QACE,IAAA,EAAM,uBAAA;AAAA,QACN,QAAA,EAAU,KAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,OAAA,EAAS,CAAC,sBAAsB,CAAA;AAAA,QAChC,WAAA,EAAa;AAAA,OACf;AAAA,MACA;AAAA,QACE,IAAA,EAAM,oBAAA;AAAA,QACN,QAAA,EAAU,KAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,OAAA,EAAS,CAAC,YAAY,CAAA;AAAA,QACtB,WAAA,EAAa;AAAA;AACf;AACF,GACF;AAAA,EACA;AAAA,IACE,EAAA,EAAI,uBAAA;AAAA,IACJ,UAAA,EAAY,0CAAA;AAAA,IACZ,WAAA,EACE,sGAAA;AAAA,IACF,SAAA,EAAW;AAAA,MACT;AAAA,QACE,IAAA,EAAM,oBAAA;AAAA,QACN,QAAA,EAAU,IAAA;AAAA,QACV,MAAA,EAAQ,IAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,WAAA,EAAa;AAAA;AACf;AACF;AAEJ;AAcO,IAAM,0BAAA,GAA6B;AAAA,EACxC;AAAA,IACE,EAAA,EAAI,YAAA;AAAA,IACJ,QAAA,EAAU,aAAA;AAAA,IACV,aAAA,EAAe,CAAC,eAAA,EAAiB,kBAAkB,CAAA;AAAA,IACnD,QAAA,EAAU,mCAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,gBAAA;AAAA,IACJ,QAAA,EAAU,aAAA;AAAA,IACV,aAAA,EAAe,CAAC,eAAA,EAAiB,kBAAkB,CAAA;AAAA,IACnD,QAAA,EAAU,+CAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,YAAA;AAAA,IACJ,WAAA,EAAa,aAAA;AAAA,IACb,QAAA,EAAU,eAAA;AAAA,IACV,aAAA,EAAe,CAAC,kBAAkB,CAAA;AAAA,IAClC,QAAA,EAAU,oEAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,YAAA;AAAA,IACJ,WAAA,EAAa,aAAA;AAAA,IACb,QAAA,EAAU,eAAA;AAAA,IACV,QAAA,EAAU,aAAA;AAAA,IACV,aAAA,EAAe,CAAC,kBAAkB,CAAA;AAAA,IAClC,QAAA,EAAU,kCAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,YAAA;AAAA,IACJ,WAAA,EAAa,aAAA;AAAA,IACb,QAAA,EAAU,eAAA;AAAA,IACV,QAAA,EAAU,aAAA;AAAA,IACV,aAAA,EAAe,CAAC,kBAAkB,CAAA;AAAA,IAClC,QAAA,EAAU,6BAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,eAAA;AAAA,IACJ,QAAA,EAAU,aAAA;AAAA,IACV,aAAA,EAAe,CAAC,uBAAuB,CAAA;AAAA,IACvC,QAAA,EAAU,qCAAA;AAAA,IACV,WAAA,EACE;AAAA;AAEN;AAIO,SAAS,yBACd,MAAA,EACkC;AAClC,EAAA,OAAO,wBAAwB,IAAA,CAAK,CAAC,IAAA,KAAS,IAAA,CAAK,OAAO,MAAM,CAAA;AAClE;AAEO,SAAS,4BACd,SAAA,EACqC;AACrC,EAAA,OAAO,0BAAA,CAA2B,IAAA;AAAA,IAChC,CAAC,OAAA,KAAY,OAAA,CAAQ,EAAA,KAAO;AAAA,GAC9B;AACF","file":"infisical-runtime.contract.js","sourcesContent":["/**\n * Tenant client contract\n *\n * Defines the generic boundary for any customer-owned product that consumes\n * Lucern through the SDK, hosted API, or MCP server. Tenant clients may run\n * their own UI, auth provider, deployment, and data plane, but reasoning\n * operations must enter through the published packages below.\n */\n\nimport type {\n SessionAuthMode,\n SessionPrincipalType,\n} from \"./auth.contract\";\n\nexport const TENANT_CLIENT_CONTRACT_VERSION = \"2026-04-27\" as const;\n\nexport const TENANT_CLIENT_AUTH_MODES = [\n \"interactive_user\",\n \"service_principal\",\n \"tenant_api_key\",\n \"session_token\",\n] as const satisfies readonly SessionAuthMode[];\nexport type TenantClientAuthMode = (typeof TENANT_CLIENT_AUTH_MODES)[number];\n\nexport const TENANT_CLIENT_PRINCIPAL_TYPES = [\n \"human\",\n \"service\",\n \"agent\",\n] as const satisfies readonly SessionPrincipalType[];\nexport type TenantClientPrincipalType =\n (typeof TENANT_CLIENT_PRINCIPAL_TYPES)[number];\n\nexport const TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS = [\n \"tenantId\",\n \"workspaceId\",\n \"principalId\",\n \"authMode\",\n \"scopes\",\n] as const;\nexport type TenantClientRequiredContextField =\n (typeof TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS)[number];\n\nexport const TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS = [\n \"principalType\",\n \"roles\",\n \"sessionId\",\n \"delegationChain\",\n] as const;\nexport type TenantClientOptionalContextField =\n (typeof TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS)[number];\n\nexport const TENANT_CLIENT_INSTALL_TOKEN_ENV = \"INSTALL_LUCERN_NPM\" as const;\nexport const TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH =\n \"tenants/shared\" as const;\nexport const TENANT_CLIENT_FORBIDDEN_INSTALL_TOKEN_INFISICAL_PATHS = [\n \"/platform/publish\",\n] as const;\nexport const TENANT_CLIENT_FORBIDDEN_SECRET_ENV = [\"NPM_TOKEN\"] as const;\nexport type TenantClientForbiddenInstallTokenInfisicalPath =\n (typeof TENANT_CLIENT_FORBIDDEN_INSTALL_TOKEN_INFISICAL_PATHS)[number];\nexport type TenantClientForbiddenSecretEnv =\n (typeof TENANT_CLIENT_FORBIDDEN_SECRET_ENV)[number];\n\nexport const TENANT_CLIENT_INSTALLABLE_PACKAGES = [\n {\n packageName: \"@lucern/access-control\",\n role: \"runtime_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/agent\",\n role: \"platform_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/auth\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/cli\",\n role: \"developer_tool\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/client-core\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/confidence\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/config\",\n role: \"configuration\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/contracts\",\n role: \"contract_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/control-plane\",\n role: \"platform_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/developer-kit\",\n role: \"developer_tool\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/events\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/graph-primitives\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/identity\",\n role: \"component_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/mcp\",\n role: \"runtime_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/pack-host\",\n role: \"platform_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/pack-installer\",\n role: \"developer_tool\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/proof-compiler\",\n role: \"developer_tool\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/react\",\n role: \"runtime_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/reasoning-kernel\",\n role: \"component_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/sdk\",\n role: \"runtime_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/server-core\",\n role: \"platform_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/testing\",\n role: \"test_support\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/types\",\n role: \"contract_entrypoint\",\n directTenantImport: true,\n },\n] as const;\nexport type TenantClientInstallablePackage =\n (typeof TENANT_CLIENT_INSTALLABLE_PACKAGES)[number];\nexport type TenantClientPackageRole = TenantClientInstallablePackage[\"role\"];\nexport type TenantClientInstallablePackageName =\n TenantClientInstallablePackage[\"packageName\"];\n\n/**\n * Direct package installs are package.json entries owned by the tenant repo.\n * Direct imports are source-code imports that tenant application code may use.\n *\n * These concepts intentionally differ: `@lucern/cli` is a direct install when a\n * tenant repo needs the `lucern` binary, but it is not a direct application\n * import. `@lucern/reasoning-kernel` and `@lucern/identity` are direct installs\n * for Convex component binding, while tenant app code should only import their\n * explicit component config subpaths.\n */\nexport type TenantClientInstallProfile = {\n id: string;\n description: string;\n packageNames: readonly TenantClientInstallablePackageName[];\n dependencyField: \"dependencies\" | \"devDependencies\" | \"mixed\";\n};\n\nexport const TENANT_CLIENT_FULL_SUITE_PACKAGE_NAMES =\n TENANT_CLIENT_INSTALLABLE_PACKAGES.map(\n (entry) => entry.packageName\n ) as readonly TenantClientInstallablePackageName[];\n\nexport const TENANT_CLIENT_INSTALL_PROFILES = [\n {\n id: \"core_app_runtime\",\n description:\n \"Smallest tenant app/runtime install for typed Lucern API calls plus tool-access policy helpers.\",\n packageNames: [\"@lucern/sdk\", \"@lucern/access-control\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"react_app_runtime\",\n description:\n \"React tenant app install for hooks, provider, curated graph components, and direct SDK calls.\",\n packageNames: [\"@lucern/react\", \"@lucern/sdk\", \"@lucern/access-control\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"convex_components\",\n description:\n \"Tenant Convex host install for binding the Lucern identity and reasoning-kernel components.\",\n packageNames: [\"@lucern/identity\", \"@lucern/reasoning-kernel\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"operator_cli\",\n description:\n \"Developer/operator install for the `lucern` binary, including tenant bootstrap seed commands.\",\n packageNames: [\"@lucern/cli\"],\n dependencyField: \"devDependencies\",\n },\n {\n id: \"mcp_runtime\",\n description:\n \"Agent runtime install for the standalone Lucern MCP server and hosted route helpers.\",\n packageNames: [\"@lucern/mcp\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"contracts_and_types\",\n description:\n \"Compile-time contract/type install for codegen, audits, and tenant integration validation.\",\n packageNames: [\"@lucern/contracts\", \"@lucern/types\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"full_suite\",\n description:\n \"Full coherent Lucern package suite for design-partner repos that want every published runtime, tool, component, test, and config package pinned together.\",\n packageNames: TENANT_CLIENT_FULL_SUITE_PACKAGE_NAMES,\n dependencyField: \"mixed\",\n },\n] as const satisfies readonly TenantClientInstallProfile[];\nexport type TenantClientInstallProfileId =\n (typeof TENANT_CLIENT_INSTALL_PROFILES)[number][\"id\"];\n\n/**\n * Direct imports tenant-owned product code may use. This is intentionally\n * smaller than TENANT_CLIENT_INSTALLABLE_PACKAGES: several publishable packages\n * are installed as SDK dependencies, tooling, or platform runtimes but should\n * not become the application integration surface.\n */\nexport const TENANT_CLIENT_PUBLIC_IMPORTS = [\n {\n packageName: \"@lucern/sdk\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description: \"TypeScript SDK runtime and generated operation namespaces.\",\n },\n {\n packageName: \"@lucern/react\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description: \"React bindings for tenant-owned UI applications.\",\n },\n {\n packageName: \"@lucern/mcp\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description: \"MCP client/server entry points and hosted route helpers.\",\n },\n {\n packageName: \"@lucern/contracts\",\n surface: \"contract\",\n subpaths: \"published_exports\",\n description: \"Published type and manifest contracts.\",\n },\n {\n packageName: \"@lucern/access-control\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description:\n \"Tenant runtime access-control helpers, including effective tool access.\",\n },\n {\n packageName: \"@lucern/types\",\n surface: \"contract\",\n subpaths: \"published_exports\",\n description: \"Published type-only helpers for tenant integration code.\",\n },\n] as const;\nexport type TenantClientPublicImport =\n (typeof TENANT_CLIENT_PUBLIC_IMPORTS)[number];\nexport type TenantClientPublicPackage =\n TenantClientPublicImport[\"packageName\"];\nexport type TenantClientPublicSurface = TenantClientPublicImport[\"surface\"];\n\nexport const TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS = [\n {\n packageName: \"@lucern/identity\",\n importPath: \"@lucern/identity/convex.config\",\n surface: \"component_config\",\n description:\n \"Convex component binding config for tenant deployments that install Lucern identity.\",\n },\n {\n packageName: \"@lucern/reasoning-kernel\",\n importPath: \"@lucern/reasoning-kernel/convex.config\",\n surface: \"component_config\",\n description:\n \"Convex component binding config for tenant deployments that install the Lucern reasoning kernel.\",\n },\n {\n packageName: \"@lucern/reasoning-kernel\",\n importPath: \"@lucern/reasoning-kernel/runtime.config\",\n surface: \"component_config\",\n description:\n \"Runtime config alias for tenant deployments that install the Lucern reasoning kernel.\",\n },\n] as const;\nexport type TenantClientComponentConfigImport =\n (typeof TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS)[number];\nexport type TenantClientAllowedImport =\n | TenantClientPublicImport\n | TenantClientComponentConfigImport;\n\nexport function findTenantClientInstallablePackage(\n packageName: string\n): TenantClientInstallablePackage | undefined {\n return TENANT_CLIENT_INSTALLABLE_PACKAGES.find(\n (entry) => entry.packageName === packageName\n );\n}\n\nexport function isTenantClientInstallablePackage(packageName: string): boolean {\n return Boolean(findTenantClientInstallablePackage(packageName));\n}\n\nexport const TENANT_CLIENT_REQUIRED_SDK_NAMESPACES = [\n \"bootstrap\",\n \"context\",\n \"beliefs\",\n \"evidence\",\n \"questions\",\n \"graph\",\n \"worktrees\",\n \"topics\",\n \"edges\",\n \"contradictions\",\n \"contracts\",\n \"graphIntel\",\n \"graphIntelligence\",\n \"graphAnalysis\",\n \"graphRecommendations\",\n \"orgGraphSearch\",\n \"embeddings\",\n \"ontologyLinks\",\n \"graphStateClassifier\",\n \"tools\",\n \"identity\",\n \"modelRuntime\",\n \"events\",\n \"jobs\",\n \"telemetry\",\n] as const;\nexport type TenantClientRequiredSdkNamespace =\n (typeof TENANT_CLIENT_REQUIRED_SDK_NAMESPACES)[number];\n\nexport const TENANT_CLIENT_CAPABILITIES = [\n {\n id: \"identity.bootstrap_session\",\n description: \"Start a scoped Lucern session for a tenant principal.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.context.compile\",\n description: \"Compile tenant and workspace scoped reasoning context.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/react\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.graph.read\",\n description: \"Read beliefs, evidence, questions, topics, graph edges, and lineage.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/react\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.graph.write\",\n description: \"Create and update graph objects through authorized APIs.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.graph_intelligence.run\",\n description:\n \"Discover and run Graph Intelligence query recipes for structural graph analysis.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/cli\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"workflow.worktree_lifecycle\",\n description: \"Create, review, merge, and close scoped worktrees.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/react\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n] as const;\nexport type TenantClientCapability =\n (typeof TENANT_CLIENT_CAPABILITIES)[number];\nexport type TenantClientCapabilityId = TenantClientCapability[\"id\"];\n\nexport const TENANT_CLIENT_ISOLATION_RULES = [\n {\n id: \"tenant_workspace_scope_required\",\n description:\n \"Runtime operations must resolve both tenantId and workspaceId before reaching Lucern reasoning state.\",\n },\n {\n id: \"principal_audit_required\",\n description:\n \"Runtime operations must carry principalId, authMode, and scopes for audit attribution.\",\n },\n {\n id: \"no_private_lucern_imports\",\n description:\n \"Tenant code must not import Lucern source, Convex internals, generated adapters, or unpublished package internals.\",\n },\n] as const;\nexport type TenantClientIsolationRule =\n (typeof TENANT_CLIENT_ISOLATION_RULES)[number];\n\nexport const TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS = [\n {\n id: \"deep_src_import\",\n pattern: \"^@lucern/[^/]+/src(?:/|$)\",\n description: \"Published packages must not be bypassed through src paths.\",\n },\n {\n id: \"deep_dist_import\",\n pattern: \"^@lucern/[^/]+/dist(?:/|$)\",\n description:\n \"Published package exports must be used instead of dist file paths.\",\n },\n {\n id: \"generated_adapter_import\",\n pattern: \"^@lucern/[^/]+/(?:adapters/)?_generated(?:/|$)\",\n description:\n \"Generated Lucern adapters are internal deployment artifacts.\",\n },\n {\n id: \"private_runtime_import\",\n pattern: \"^@lucern/[^/]+/(?:internal|private)(?:/|$)\",\n description: \"Internal and private package subpaths are not public SDK API.\",\n },\n {\n id: \"workspace_source_import\",\n pattern: \"^(?:packages|modules|services|lucern|apps)/(?:.+/)?src(?:/|$)\",\n description:\n \"Tenant clients must not import source files from the Lucern monorepo.\",\n },\n {\n id: \"root_alias_lucern_import\",\n pattern: \"^@/(?:lucern|packages|modules|services|apps)(?:/|$)\",\n description:\n \"Tenant clients must not depend on Lucern repo-local path aliases.\",\n },\n {\n id: \"relative_lucern_source_import\",\n pattern: \"^\\\\.\\\\.?/(?:.+/)?(?:packages|modules|services|lucern|apps)(?:/|$)\",\n description:\n \"Tenant clients must not reach back into Lucern source through relative paths.\",\n },\n {\n id: \"monorepo_path_import\",\n pattern: \"lucern-repo\",\n description:\n \"Absolute imports that name the Lucern repository are not portable tenant code.\",\n },\n] as const;\nexport type TenantClientForbiddenImportPattern =\n (typeof TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS)[number];\nexport type TenantClientForbiddenImportPatternId =\n TenantClientForbiddenImportPattern[\"id\"];\n\nexport type TenantClientImportDecision =\n | \"public\"\n | \"forbidden\"\n | \"local\"\n | \"external\";\n\nexport type TenantClientImportClassification = {\n importPath: string;\n decision: TenantClientImportDecision;\n publicImport?: TenantClientAllowedImport;\n pattern?: TenantClientForbiddenImportPattern;\n reason: string;\n};\n\nfunction matchesPublicImport(\n importPath: string\n): TenantClientAllowedImport | undefined {\n const componentConfig = TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS.find(\n (entry) => importPath === entry.importPath\n );\n if (componentConfig) {\n return componentConfig;\n }\n\n return TENANT_CLIENT_PUBLIC_IMPORTS.find(\n (entry) =>\n importPath === entry.packageName ||\n importPath.startsWith(`${entry.packageName}/`)\n );\n}\n\nfunction matchesForbiddenPattern(\n importPath: string\n): TenantClientForbiddenImportPattern | undefined {\n return TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS.find((entry) =>\n new RegExp(entry.pattern, \"u\").test(importPath)\n );\n}\n\nexport function classifyTenantClientImport(\n importPath: string\n): TenantClientImportClassification {\n const normalizedImportPath = importPath.trim();\n const pattern = matchesForbiddenPattern(normalizedImportPath);\n\n if (pattern) {\n return {\n importPath: normalizedImportPath,\n decision: \"forbidden\",\n pattern,\n reason: pattern.description,\n };\n }\n\n const publicImport = matchesPublicImport(normalizedImportPath);\n if (publicImport) {\n return {\n importPath: normalizedImportPath,\n decision: \"public\",\n publicImport,\n reason: publicImport.description,\n };\n }\n\n if (normalizedImportPath.startsWith(\"@lucern/\")) {\n return {\n importPath: normalizedImportPath,\n decision: \"forbidden\",\n reason:\n \"This @lucern package is not part of the tenant client public surface.\",\n };\n }\n\n if (\n normalizedImportPath.startsWith(\"./\") ||\n normalizedImportPath.startsWith(\"../\")\n ) {\n return {\n importPath: normalizedImportPath,\n decision: \"local\",\n reason: \"Local tenant-owned import.\",\n };\n }\n\n return {\n importPath: normalizedImportPath,\n decision: \"external\",\n reason: \"External dependency outside the Lucern package namespace.\",\n };\n}\n\nexport function isTenantClientPublicImport(importPath: string): boolean {\n return classifyTenantClientImport(importPath).decision === \"public\";\n}\n\nexport function isTenantClientComponentConfigImport(\n importPath: string\n): boolean {\n return TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS.some(\n (entry) => importPath === entry.importPath\n );\n}\n\nexport function isTenantClientAllowedImport(importPath: string): boolean {\n return classifyTenantClientImport(importPath).decision === \"public\";\n}\n\nexport function assertTenantClientImportAllowed(importPath: string): void {\n const classification = classifyTenantClientImport(importPath);\n if (classification.decision !== \"forbidden\") {\n return;\n }\n\n throw new Error(formatTenantClientImportViolation(classification));\n}\n\nexport function formatTenantClientImportViolation(\n classification: TenantClientImportClassification\n): string {\n const patternId = classification.pattern\n ? ` [${classification.pattern.id}]`\n : \"\";\n return `Tenant client import is not allowed${patternId}: ${classification.importPath}. ${classification.reason}`;\n}\n","/**\n * Infisical runtime contract\n *\n * Defines how Lucern runtime surfaces receive platform configuration and\n * secrets. Vercel-owned apps consume Infisical through secret syncs. Server,\n * CLI, MCP, and SDK operator contexts may hydrate runtime config directly from\n * Infisical when they have a scoped machine identity. Tenant user auth still\n * flows through Lucern device login; tenant tools never receive platform Clerk\n * secrets.\n */\n\nimport { TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH } from \"./tenant-client.contract\";\n\nexport const INFISICAL_RUNTIME_CONTRACT_VERSION = \"2026-04-28\" as const;\n\nexport const INFISICAL_RUNTIME_DEFAULT_API_URL =\n \"https://app.infisical.com\" as const;\nexport const INFISICAL_RUNTIME_DEFAULT_PROJECT_ID =\n \"344b0526-90df-4606-ba50-22c647a36c65\" as const;\n\nexport const INFISICAL_RUNTIME_ENVIRONMENTS = [\n \"dev\",\n \"staging\",\n \"prod\",\n] as const;\nexport type InfisicalRuntimeEnvironment =\n (typeof INFISICAL_RUNTIME_ENVIRONMENTS)[number];\n\nexport const INFISICAL_RUNTIME_DELIVERY_MODES = [\n \"vercel_sync\",\n \"runtime_fetch\",\n \"device_auth\",\n] as const;\nexport type InfisicalRuntimeDeliveryMode =\n (typeof INFISICAL_RUNTIME_DELIVERY_MODES)[number];\n\nexport const INFISICAL_RUNTIME_SURFACE_IDS = [\n \"lucern-web\",\n \"lucern-gateway\",\n \"lucern-sdk\",\n \"lucern-cli\",\n \"lucern-mcp\",\n \"tenant-client\",\n] as const;\nexport type InfisicalRuntimeSurfaceId =\n (typeof INFISICAL_RUNTIME_SURFACE_IDS)[number];\n\nexport const INFISICAL_RUNTIME_BOOTSTRAP_ENV = {\n apiUrl: [\"INFISICAL_API_URL\", \"INFISICAL_URL\"],\n projectId: [\"INFISICAL_PROJECT_ID\", \"INFISICAL_WORKSPACE_ID\"],\n clientId: [\n \"INFISICAL_CLIENT_ID\",\n \"INFISICAL_MACHINE_CLIENT_ID\",\n \"INFISICAL_UNIVERSAL_AUTH_CLIENT_ID\",\n ],\n clientSecret: [\n \"INFISICAL_CLIENT_SECRET\",\n \"INFISICAL_MACHINE_CLIENT_SECRET\",\n \"INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET\",\n ],\n environment: [\"INFISICAL_ENV\", \"LUCERN_INFISICAL_ENV\"],\n organizationSlug: [\"INFISICAL_ORG_SLUG\", \"INFISICAL_ORGANIZATION_SLUG\"],\n disabled: [\"LUCERN_INFISICAL_DISABLE\", \"INFISICAL_DISABLE\"],\n} as const;\nexport type InfisicalRuntimeBootstrapEnv =\n typeof INFISICAL_RUNTIME_BOOTSTRAP_ENV;\n\nexport type InfisicalRuntimeVariable = {\n readonly name: string;\n readonly required: boolean;\n readonly secret: boolean;\n readonly public: boolean;\n readonly aliases?: readonly string[];\n readonly description: string;\n};\n\nexport type InfisicalRuntimePathDefinition = {\n readonly id: string;\n readonly secretPath: string;\n readonly description: string;\n readonly variables: readonly InfisicalRuntimeVariable[];\n};\n\nexport const INFISICAL_RUNTIME_PATHS = [\n {\n id: \"platform-auth\",\n secretPath: \"/platform/auth\",\n description:\n \"Lucern platform authentication secrets. Synced into Vercel web/gateway projects; never distributed to tenant tools.\",\n variables: [\n {\n name: \"NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY\",\n required: true,\n secret: false,\n public: true,\n description: \"Clerk publishable key for the Lucern web origin.\",\n },\n {\n name: \"CLERK_SECRET_KEY\",\n required: true,\n secret: true,\n public: false,\n description: \"Clerk backend secret key for Lucern server runtimes.\",\n },\n {\n name: \"CLERK_JWT_ISSUER_DOMAIN\",\n required: false,\n secret: false,\n public: false,\n description: \"Expected Clerk issuer/JWKS domain for JWT verification.\",\n },\n {\n name: \"NEXT_PUBLIC_CLERK_SIGN_IN_URL\",\n required: false,\n secret: false,\n public: true,\n description: \"Public sign-in URL for Lucern-owned web flows.\",\n },\n {\n name: \"NEXT_PUBLIC_CLERK_SIGN_UP_URL\",\n required: false,\n secret: false,\n public: true,\n description: \"Public sign-up URL for Lucern-owned web flows.\",\n },\n ],\n },\n {\n id: \"platform-runtime\",\n secretPath: \"/platform/runtime\",\n description:\n \"Runtime defaults shared by server-side Lucern clients and operator tooling.\",\n variables: [\n {\n name: \"LUCERN_API_URL\",\n required: true,\n secret: false,\n public: false,\n aliases: [\"LUCERN_API_BASE_URL\", \"LUCERN_BASE_URL\"],\n description: \"Canonical Lucern API gateway URL.\",\n },\n {\n name: \"LUCERN_LOGIN_BASE_URL\",\n required: false,\n secret: false,\n public: false,\n aliases: [\"LUCERN_AUTH_BASE_URL\"],\n description: \"Browser login origin used when it differs from the API.\",\n },\n {\n name: \"LUCERN_ENVIRONMENT\",\n required: false,\n secret: false,\n public: false,\n aliases: [\"LUCERN_ENV\"],\n description: \"Lucern environment label consumed by CLI profiles.\",\n },\n ],\n },\n {\n id: \"tenant-shared-install\",\n secretPath: TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH,\n description:\n \"Tenant package-install secrets. This is install-only and distinct from platform publish credentials.\",\n variables: [\n {\n name: \"INSTALL_LUCERN_NPM\",\n required: true,\n secret: true,\n public: false,\n description: \"Read-only install token for the published @lucern/* suite.\",\n },\n ],\n },\n] as const satisfies readonly InfisicalRuntimePathDefinition[];\nexport type InfisicalRuntimePath = (typeof INFISICAL_RUNTIME_PATHS)[number];\nexport type InfisicalRuntimePathId = InfisicalRuntimePath[\"id\"];\n\nexport type InfisicalRuntimeSurfaceDefinition = {\n readonly id: InfisicalRuntimeSurfaceId;\n readonly packageName?: string;\n readonly delivery: InfisicalRuntimeDeliveryMode;\n readonly fallback?: InfisicalRuntimeDeliveryMode;\n readonly sourcePathIds: readonly InfisicalRuntimePathId[];\n readonly consumer: string;\n readonly description: string;\n};\n\nexport const INFISICAL_RUNTIME_SURFACES = [\n {\n id: \"lucern-web\",\n delivery: \"vercel_sync\",\n sourcePathIds: [\"platform-auth\", \"platform-runtime\"],\n consumer: \"apps/web on Vercel project lucern\",\n description:\n \"Lucern web consumes Clerk and runtime config via Infisical-to-Vercel syncs.\",\n },\n {\n id: \"lucern-gateway\",\n delivery: \"vercel_sync\",\n sourcePathIds: [\"platform-auth\", \"platform-runtime\"],\n consumer: \"apps/gateway on Vercel project lucern-gateway\",\n description:\n \"Lucern gateway consumes platform config via Infisical-to-Vercel syncs.\",\n },\n {\n id: \"lucern-sdk\",\n packageName: \"@lucern/sdk\",\n delivery: \"runtime_fetch\",\n sourcePathIds: [\"platform-runtime\"],\n consumer: \"server-side SDK operator contexts with a scoped Infisical identity\",\n description:\n \"SDK exposes the runtime Infisical resolver used by clients that have machine identity credentials.\",\n },\n {\n id: \"lucern-cli\",\n packageName: \"@lucern/cli\",\n delivery: \"runtime_fetch\",\n fallback: \"device_auth\",\n sourcePathIds: [\"platform-runtime\"],\n consumer: \"developer/operator CLI processes\",\n description:\n \"CLI hydrates runtime defaults from Infisical when configured, then authenticates users through Lucern device login.\",\n },\n {\n id: \"lucern-mcp\",\n packageName: \"@lucern/mcp\",\n delivery: \"runtime_fetch\",\n fallback: \"device_auth\",\n sourcePathIds: [\"platform-runtime\"],\n consumer: \"MCP server/client processes\",\n description:\n \"MCP hydrates runtime defaults through the SDK resolver and remains a Lucern client, not a platform secret owner.\",\n },\n {\n id: \"tenant-client\",\n delivery: \"device_auth\",\n sourcePathIds: [\"tenant-shared-install\"],\n consumer: \"tenant-owned apps and coding agents\",\n description:\n \"Tenant clients install the published packages and receive user/service credentials through Lucern auth surfaces.\",\n },\n] as const satisfies readonly InfisicalRuntimeSurfaceDefinition[];\nexport type InfisicalRuntimeSurface =\n (typeof INFISICAL_RUNTIME_SURFACES)[number];\n\nexport function findInfisicalRuntimePath(\n pathId: InfisicalRuntimePathId\n): InfisicalRuntimePath | undefined {\n return INFISICAL_RUNTIME_PATHS.find((path) => path.id === pathId);\n}\n\nexport function findInfisicalRuntimeSurface(\n surfaceId: InfisicalRuntimeSurfaceId\n): InfisicalRuntimeSurface | undefined {\n return INFISICAL_RUNTIME_SURFACES.find(\n (surface) => surface.id === surfaceId\n );\n}\n"]}
|
|
1
|
+
{"version":3,"sources":["../src/tenant-client.contract.ts","../src/infisical-runtime.contract.ts"],"names":[],"mappings":";AAoDO,IAAM,0CAAA,GACX,gBAAA;AAUK,IAAM,kCAAA,GAAqC;AAAA,EAChD;AAAA,IACE,WAAA,EAAa,wBAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,eAAA;AAAA,IACb,IAAA,EAAM,kBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,cAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,aAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,qBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,oBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,gBAAA;AAAA,IACb,IAAA,EAAM,eAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,mBAAA;AAAA,IACb,IAAA,EAAM,qBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,uBAAA;AAAA,IACb,IAAA,EAAM,kBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,uBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,gBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,0BAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,oBAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,kBAAA;AAAA,IACb,IAAA,EAAM,mBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,aAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,mBAAA;AAAA,IACb,IAAA,EAAM,kBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,wBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,wBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,eAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,0BAAA;AAAA,IACb,IAAA,EAAM,mBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,aAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,qBAAA;AAAA,IACb,IAAA,EAAM,kBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,iBAAA;AAAA,IACb,IAAA,EAAM,cAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,eAAA;AAAA,IACb,IAAA,EAAM,qBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA;AAExB,CAAA;AAyBE,kCAAA,CAAmC,GAAA;AAAA,EACjC,CAAC,UAAU,KAAA,CAAM;AACnB;;;ACtMK,IAAM,kCAAA,GAAqC;AAE3C,IAAM,iCAAA,GACX;AACK,IAAM,oCAAA,GACX;AAEK,IAAM,8BAAA,GAAiC;AAAA,EAC5C,KAAA;AAAA,EACA,SAAA;AAAA,EACA;AACF;AAIO,IAAM,gCAAA,GAAmC;AAAA,EAC9C,aAAA;AAAA,EACA,eAAA;AAAA,EACA;AACF;AAIO,IAAM,6BAAA,GAAgC;AAAA,EAC3C,YAAA;AAAA,EACA,gBAAA;AAAA,EACA,YAAA;AAAA,EACA,YAAA;AAAA,EACA,YAAA;AAAA,EACA;AACF;AAIO,IAAM,+BAAA,GAAkC;AAAA,EAC7C,MAAA,EAAQ,CAAC,mBAAA,EAAqB,eAAe,CAAA;AAAA,EAC7C,SAAA,EAAW,CAAC,sBAAA,EAAwB,wBAAwB,CAAA;AAAA,EAC5D,QAAA,EAAU;AAAA,IACR,qBAAA;AAAA,IACA,6BAAA;AAAA,IACA;AAAA,GACF;AAAA,EACA,YAAA,EAAc;AAAA,IACZ,yBAAA;AAAA,IACA,iCAAA;AAAA,IACA;AAAA,GACF;AAAA,EACA,WAAA,EAAa,CAAC,eAAA,EAAiB,sBAAsB,CAAA;AAAA,EACrD,gBAAA,EAAkB,CAAC,oBAAA,EAAsB,6BAA6B,CAAA;AAAA,EACtE,QAAA,EAAU,CAAC,0BAAA,EAA4B,mBAAmB;AAC5D;AAoBO,IAAM,uBAAA,GAA0B;AAAA,EACrC;AAAA,IACE,EAAA,EAAI,eAAA;AAAA,IACJ,UAAA,EAAY,gBAAA;AAAA,IACZ,WAAA,EACE,qHAAA;AAAA,IACF,SAAA,EAAW;AAAA,MACT;AAAA,QACE,IAAA,EAAM,mCAAA;AAAA,QACN,QAAA,EAAU,IAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,IAAA;AAAA,QACR,WAAA,EAAa;AAAA,OACf;AAAA,MACA;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,QAAA,EAAU,IAAA;AAAA,QACV,MAAA,EAAQ,IAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,WAAA,EAAa;AAAA,OACf;AAAA,MACA;AAAA,QACE,IAAA,EAAM,yBAAA;AAAA,QACN,QAAA,EAAU,KAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,WAAA,EAAa;AAAA,OACf;AAAA,MACA;AAAA,QACE,IAAA,EAAM,+BAAA;AAAA,QACN,QAAA,EAAU,KAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,IAAA;AAAA,QACR,WAAA,EAAa;AAAA,OACf;AAAA,MACA;AAAA,QACE,IAAA,EAAM,+BAAA;AAAA,QACN,QAAA,EAAU,KAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,IAAA;AAAA,QACR,WAAA,EAAa;AAAA;AACf;AACF,GACF;AAAA,EACA;AAAA,IACE,EAAA,EAAI,kBAAA;AAAA,IACJ,UAAA,EAAY,mBAAA;AAAA,IACZ,WAAA,EACE,6EAAA;AAAA,IACF,SAAA,EAAW;AAAA,MACT;AAAA,QACE,IAAA,EAAM,gBAAA;AAAA,QACN,QAAA,EAAU,IAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,OAAA,EAAS,CAAC,qBAAA,EAAuB,iBAAiB,CAAA;AAAA,QAClD,WAAA,EAAa;AAAA,OACf;AAAA,MACA;AAAA,QACE,IAAA,EAAM,uBAAA;AAAA,QACN,QAAA,EAAU,KAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,OAAA,EAAS,CAAC,sBAAsB,CAAA;AAAA,QAChC,WAAA,EAAa;AAAA,OACf;AAAA,MACA;AAAA,QACE,IAAA,EAAM,oBAAA;AAAA,QACN,QAAA,EAAU,KAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,OAAA,EAAS,CAAC,YAAY,CAAA;AAAA,QACtB,WAAA,EAAa;AAAA;AACf;AACF,GACF;AAAA,EACA;AAAA,IACE,EAAA,EAAI,uBAAA;AAAA,IACJ,UAAA,EAAY,0CAAA;AAAA,IACZ,WAAA,EACE,sGAAA;AAAA,IACF,SAAA,EAAW;AAAA,MACT;AAAA,QACE,IAAA,EAAM,oBAAA;AAAA,QACN,QAAA,EAAU,IAAA;AAAA,QACV,MAAA,EAAQ,IAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,WAAA,EAAa;AAAA;AACf;AACF;AAEJ;AAcO,IAAM,0BAAA,GAA6B;AAAA,EACxC;AAAA,IACE,EAAA,EAAI,YAAA;AAAA,IACJ,QAAA,EAAU,aAAA;AAAA,IACV,aAAA,EAAe,CAAC,eAAA,EAAiB,kBAAkB,CAAA;AAAA,IACnD,QAAA,EAAU,mCAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,gBAAA;AAAA,IACJ,QAAA,EAAU,aAAA;AAAA,IACV,aAAA,EAAe,CAAC,eAAA,EAAiB,kBAAkB,CAAA;AAAA,IACnD,QAAA,EAAU,+CAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,YAAA;AAAA,IACJ,WAAA,EAAa,aAAA;AAAA,IACb,QAAA,EAAU,eAAA;AAAA,IACV,aAAA,EAAe,CAAC,kBAAkB,CAAA;AAAA,IAClC,QAAA,EAAU,oEAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,YAAA;AAAA,IACJ,WAAA,EAAa,aAAA;AAAA,IACb,QAAA,EAAU,eAAA;AAAA,IACV,QAAA,EAAU,aAAA;AAAA,IACV,aAAA,EAAe,CAAC,kBAAkB,CAAA;AAAA,IAClC,QAAA,EAAU,kCAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,YAAA;AAAA,IACJ,WAAA,EAAa,aAAA;AAAA,IACb,QAAA,EAAU,eAAA;AAAA,IACV,QAAA,EAAU,aAAA;AAAA,IACV,aAAA,EAAe,CAAC,kBAAkB,CAAA;AAAA,IAClC,QAAA,EAAU,6BAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,eAAA;AAAA,IACJ,QAAA,EAAU,aAAA;AAAA,IACV,aAAA,EAAe,CAAC,uBAAuB,CAAA;AAAA,IACvC,QAAA,EAAU,qCAAA;AAAA,IACV,WAAA,EACE;AAAA;AAEN;AAIO,SAAS,yBACd,MAAA,EACkC;AAClC,EAAA,OAAO,wBAAwB,IAAA,CAAK,CAAC,IAAA,KAAS,IAAA,CAAK,OAAO,MAAM,CAAA;AAClE;AAEO,SAAS,4BACd,SAAA,EACqC;AACrC,EAAA,OAAO,0BAAA,CAA2B,IAAA;AAAA,IAChC,CAAC,OAAA,KAAY,OAAA,CAAQ,EAAA,KAAO;AAAA,GAC9B;AACF","file":"infisical-runtime.contract.js","sourcesContent":["/**\n * Tenant client contract\n *\n * Defines the generic boundary for any customer-owned product that consumes\n * Lucern through the SDK, hosted API, or MCP server. Tenant clients may run\n * their own UI, auth provider, deployment, and data plane, but reasoning\n * operations must enter through the published packages below.\n */\n\nimport type {\n SessionAuthMode,\n SessionPrincipalType,\n} from \"./auth.contract\";\n\nexport const TENANT_CLIENT_CONTRACT_VERSION = \"2026-04-27\" as const;\n\nexport const TENANT_CLIENT_AUTH_MODES = [\n \"interactive_user\",\n \"service_principal\",\n \"tenant_api_key\",\n \"session_token\",\n] as const satisfies readonly SessionAuthMode[];\nexport type TenantClientAuthMode = (typeof TENANT_CLIENT_AUTH_MODES)[number];\n\nexport const TENANT_CLIENT_PRINCIPAL_TYPES = [\n \"human\",\n \"service\",\n \"agent\",\n] as const satisfies readonly SessionPrincipalType[];\nexport type TenantClientPrincipalType =\n (typeof TENANT_CLIENT_PRINCIPAL_TYPES)[number];\n\nexport const TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS = [\n \"tenantId\",\n \"workspaceId\",\n \"principalId\",\n \"authMode\",\n \"scopes\",\n] as const;\nexport type TenantClientRequiredContextField =\n (typeof TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS)[number];\n\nexport const TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS = [\n \"principalType\",\n \"roles\",\n \"sessionId\",\n \"delegationChain\",\n] as const;\nexport type TenantClientOptionalContextField =\n (typeof TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS)[number];\n\nexport const TENANT_CLIENT_INSTALL_TOKEN_ENV = \"INSTALL_LUCERN_NPM\" as const;\nexport const TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH =\n \"tenants/shared\" as const;\nexport const TENANT_CLIENT_FORBIDDEN_INSTALL_TOKEN_INFISICAL_PATHS = [\n \"/platform/publish\",\n] as const;\nexport const TENANT_CLIENT_FORBIDDEN_SECRET_ENV = [\"NPM_TOKEN\"] as const;\nexport type TenantClientForbiddenInstallTokenInfisicalPath =\n (typeof TENANT_CLIENT_FORBIDDEN_INSTALL_TOKEN_INFISICAL_PATHS)[number];\nexport type TenantClientForbiddenSecretEnv =\n (typeof TENANT_CLIENT_FORBIDDEN_SECRET_ENV)[number];\n\nexport const TENANT_CLIENT_INSTALLABLE_PACKAGES = [\n {\n packageName: \"@lucern/access-control\",\n role: \"runtime_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/agent\",\n role: \"platform_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/auth\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/cli\",\n role: \"developer_tool\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/client-core\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/confidence\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/config\",\n role: \"configuration\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/contracts\",\n role: \"contract_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/control-plane\",\n role: \"platform_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/developer-kit\",\n role: \"developer_tool\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/events\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/graph-primitives\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/graph-sync\",\n role: \"host_addon_runtime\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/identity\",\n role: \"component_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/mcp\",\n role: \"runtime_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/pack-host\",\n role: \"platform_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/pack-installer\",\n role: \"developer_tool\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/proof-compiler\",\n role: \"developer_tool\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/react\",\n role: \"runtime_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/reasoning-kernel\",\n role: \"component_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/sdk\",\n role: \"runtime_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/server-core\",\n role: \"platform_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/testing\",\n role: \"test_support\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/types\",\n role: \"contract_entrypoint\",\n directTenantImport: true,\n },\n] as const;\nexport type TenantClientInstallablePackage =\n (typeof TENANT_CLIENT_INSTALLABLE_PACKAGES)[number];\nexport type TenantClientPackageRole = TenantClientInstallablePackage[\"role\"];\nexport type TenantClientInstallablePackageName =\n TenantClientInstallablePackage[\"packageName\"];\n\n/**\n * Direct package installs are package.json entries owned by the tenant repo.\n * Direct imports are source-code imports that tenant application code may use.\n *\n * These concepts intentionally differ: `@lucern/cli` is a direct install when a\n * tenant repo needs the `lucern` binary, but it is not a direct application\n * import. `@lucern/reasoning-kernel` and `@lucern/identity` are direct installs\n * for Convex component binding, while tenant app code should only import their\n * explicit component config subpaths.\n */\nexport type TenantClientInstallProfile = {\n id: string;\n description: string;\n packageNames: readonly TenantClientInstallablePackageName[];\n dependencyField: \"dependencies\" | \"devDependencies\" | \"mixed\";\n};\n\nexport const TENANT_CLIENT_FULL_SUITE_PACKAGE_NAMES =\n TENANT_CLIENT_INSTALLABLE_PACKAGES.map(\n (entry) => entry.packageName\n ) as readonly TenantClientInstallablePackageName[];\n\nexport const TENANT_CLIENT_INSTALL_PROFILES = [\n {\n id: \"core_app_runtime\",\n description:\n \"Smallest tenant app/runtime install for typed Lucern API calls plus tool-access policy helpers.\",\n packageNames: [\"@lucern/sdk\", \"@lucern/access-control\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"react_app_runtime\",\n description:\n \"React tenant app install for hooks, provider, curated graph components, and direct SDK calls.\",\n packageNames: [\"@lucern/react\", \"@lucern/sdk\", \"@lucern/access-control\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"convex_components\",\n description:\n \"Tenant Convex host install for binding the Lucern identity and reasoning-kernel components.\",\n packageNames: [\"@lucern/identity\", \"@lucern/reasoning-kernel\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"graph_mirroring_addon\",\n description:\n \"Optional tenant Convex host install for Neo4j graph projection, edge topology writes, backfill, health checks, and query proxy helpers.\",\n packageNames: [\"@lucern/graph-sync\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"operator_cli\",\n description:\n \"Developer/operator install for the `lucern` binary, including tenant bootstrap seed commands.\",\n packageNames: [\"@lucern/cli\"],\n dependencyField: \"devDependencies\",\n },\n {\n id: \"mcp_runtime\",\n description:\n \"Agent runtime install for the standalone Lucern MCP server and hosted route helpers.\",\n packageNames: [\"@lucern/mcp\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"contracts_and_types\",\n description:\n \"Compile-time contract/type install for codegen, audits, and tenant integration validation.\",\n packageNames: [\"@lucern/contracts\", \"@lucern/types\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"full_suite\",\n description:\n \"Full coherent Lucern package suite for design-partner repos that want every published runtime, tool, component, test, and config package pinned together.\",\n packageNames: TENANT_CLIENT_FULL_SUITE_PACKAGE_NAMES,\n dependencyField: \"mixed\",\n },\n] as const satisfies readonly TenantClientInstallProfile[];\nexport type TenantClientInstallProfileId =\n (typeof TENANT_CLIENT_INSTALL_PROFILES)[number][\"id\"];\n\n/**\n * Direct imports tenant-owned product code may use. This is intentionally\n * smaller than TENANT_CLIENT_INSTALLABLE_PACKAGES: several publishable packages\n * are installed as SDK dependencies, tooling, or platform runtimes but should\n * not become the application integration surface.\n */\nexport const TENANT_CLIENT_PUBLIC_IMPORTS = [\n {\n packageName: \"@lucern/sdk\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description: \"TypeScript SDK runtime and generated operation namespaces.\",\n },\n {\n packageName: \"@lucern/react\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description: \"React bindings for tenant-owned UI applications.\",\n },\n {\n packageName: \"@lucern/mcp\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description: \"MCP client/server entry points and hosted route helpers.\",\n },\n {\n packageName: \"@lucern/graph-sync\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description:\n \"Optional Neo4j graph mirroring host actions, edge API, query proxy, backfill, and health helpers.\",\n },\n {\n packageName: \"@lucern/contracts\",\n surface: \"contract\",\n subpaths: \"published_exports\",\n description: \"Published type and manifest contracts.\",\n },\n {\n packageName: \"@lucern/access-control\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description:\n \"Tenant runtime access-control helpers, including effective tool access.\",\n },\n {\n packageName: \"@lucern/types\",\n surface: \"contract\",\n subpaths: \"published_exports\",\n description: \"Published type-only helpers for tenant integration code.\",\n },\n] as const;\nexport type TenantClientPublicImport =\n (typeof TENANT_CLIENT_PUBLIC_IMPORTS)[number];\nexport type TenantClientPublicPackage =\n TenantClientPublicImport[\"packageName\"];\nexport type TenantClientPublicSurface = TenantClientPublicImport[\"surface\"];\n\nexport const TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS = [\n {\n packageName: \"@lucern/identity\",\n importPath: \"@lucern/identity/convex.config\",\n surface: \"component_config\",\n description:\n \"Convex component binding config for tenant deployments that install Lucern identity.\",\n },\n {\n packageName: \"@lucern/reasoning-kernel\",\n importPath: \"@lucern/reasoning-kernel/convex.config\",\n surface: \"component_config\",\n description:\n \"Convex component binding config for tenant deployments that install the Lucern reasoning kernel.\",\n },\n {\n packageName: \"@lucern/reasoning-kernel\",\n importPath: \"@lucern/reasoning-kernel/runtime.config\",\n surface: \"component_config\",\n description:\n \"Runtime config alias for tenant deployments that install the Lucern reasoning kernel.\",\n },\n] as const;\nexport type TenantClientComponentConfigImport =\n (typeof TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS)[number];\nexport type TenantClientAllowedImport =\n | TenantClientPublicImport\n | TenantClientComponentConfigImport;\n\nexport function findTenantClientInstallablePackage(\n packageName: string\n): TenantClientInstallablePackage | undefined {\n return TENANT_CLIENT_INSTALLABLE_PACKAGES.find(\n (entry) => entry.packageName === packageName\n );\n}\n\nexport function isTenantClientInstallablePackage(packageName: string): boolean {\n return Boolean(findTenantClientInstallablePackage(packageName));\n}\n\nexport const TENANT_CLIENT_REQUIRED_SDK_NAMESPACES = [\n \"bootstrap\",\n \"context\",\n \"beliefs\",\n \"evidence\",\n \"questions\",\n \"graph\",\n \"worktrees\",\n \"topics\",\n \"edges\",\n \"contradictions\",\n \"contracts\",\n \"graphIntel\",\n \"graphIntelligence\",\n \"graphAnalysis\",\n \"graphRecommendations\",\n \"orgGraphSearch\",\n \"embeddings\",\n \"ontologyLinks\",\n \"graphStateClassifier\",\n \"tools\",\n \"identity\",\n \"modelRuntime\",\n \"events\",\n \"jobs\",\n \"telemetry\",\n] as const;\nexport type TenantClientRequiredSdkNamespace =\n (typeof TENANT_CLIENT_REQUIRED_SDK_NAMESPACES)[number];\n\nexport const TENANT_CLIENT_CAPABILITIES = [\n {\n id: \"identity.bootstrap_session\",\n description: \"Start a scoped Lucern session for a tenant principal.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.context.compile\",\n description: \"Compile tenant and workspace scoped reasoning context.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/react\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.graph.read\",\n description: \"Read beliefs, evidence, questions, topics, graph edges, and lineage.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/react\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.graph.write\",\n description: \"Create and update graph objects through authorized APIs.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.graph_intelligence.run\",\n description:\n \"Discover and run Graph Intelligence query recipes for structural graph analysis.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/cli\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.graph_mirroring.install\",\n description:\n \"Install and run the optional Neo4j graph mirror for paid or enterprise tenant deployments.\",\n surfaces: [\"@lucern/graph-sync\", \"@lucern/cli\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"workflow.worktree_lifecycle\",\n description: \"Create, review, merge, and close scoped worktrees.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/react\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n] as const;\nexport type TenantClientCapability =\n (typeof TENANT_CLIENT_CAPABILITIES)[number];\nexport type TenantClientCapabilityId = TenantClientCapability[\"id\"];\n\nexport const TENANT_CLIENT_ISOLATION_RULES = [\n {\n id: \"tenant_workspace_scope_required\",\n description:\n \"Runtime operations must resolve both tenantId and workspaceId before reaching Lucern reasoning state.\",\n },\n {\n id: \"principal_audit_required\",\n description:\n \"Runtime operations must carry principalId, authMode, and scopes for audit attribution.\",\n },\n {\n id: \"no_private_lucern_imports\",\n description:\n \"Tenant code must not import Lucern source, Convex internals, generated adapters, or unpublished package internals.\",\n },\n] as const;\nexport type TenantClientIsolationRule =\n (typeof TENANT_CLIENT_ISOLATION_RULES)[number];\n\nexport const TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS = [\n {\n id: \"deep_src_import\",\n pattern: \"^@lucern/[^/]+/src(?:/|$)\",\n description: \"Published packages must not be bypassed through src paths.\",\n },\n {\n id: \"deep_dist_import\",\n pattern: \"^@lucern/[^/]+/dist(?:/|$)\",\n description:\n \"Published package exports must be used instead of dist file paths.\",\n },\n {\n id: \"generated_adapter_import\",\n pattern: \"^@lucern/[^/]+/(?:adapters/)?_generated(?:/|$)\",\n description:\n \"Generated Lucern adapters are internal deployment artifacts.\",\n },\n {\n id: \"private_runtime_import\",\n pattern: \"^@lucern/[^/]+/(?:internal|private)(?:/|$)\",\n description: \"Internal and private package subpaths are not public SDK API.\",\n },\n {\n id: \"workspace_source_import\",\n pattern: \"^(?:packages|modules|services|lucern|apps)/(?:.+/)?src(?:/|$)\",\n description:\n \"Tenant clients must not import source files from the Lucern monorepo.\",\n },\n {\n id: \"root_alias_lucern_import\",\n pattern: \"^@/(?:lucern|packages|modules|services|apps)(?:/|$)\",\n description:\n \"Tenant clients must not depend on Lucern repo-local path aliases.\",\n },\n {\n id: \"relative_lucern_source_import\",\n pattern: \"^\\\\.\\\\.?/(?:.+/)?(?:packages|modules|services|lucern|apps)(?:/|$)\",\n description:\n \"Tenant clients must not reach back into Lucern source through relative paths.\",\n },\n {\n id: \"monorepo_path_import\",\n pattern: \"lucern-repo\",\n description:\n \"Absolute imports that name the Lucern repository are not portable tenant code.\",\n },\n] as const;\nexport type TenantClientForbiddenImportPattern =\n (typeof TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS)[number];\nexport type TenantClientForbiddenImportPatternId =\n TenantClientForbiddenImportPattern[\"id\"];\n\nexport type TenantClientImportDecision =\n | \"public\"\n | \"forbidden\"\n | \"local\"\n | \"external\";\n\nexport type TenantClientImportClassification = {\n importPath: string;\n decision: TenantClientImportDecision;\n publicImport?: TenantClientAllowedImport;\n pattern?: TenantClientForbiddenImportPattern;\n reason: string;\n};\n\nfunction matchesPublicImport(\n importPath: string\n): TenantClientAllowedImport | undefined {\n const componentConfig = TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS.find(\n (entry) => importPath === entry.importPath\n );\n if (componentConfig) {\n return componentConfig;\n }\n\n return TENANT_CLIENT_PUBLIC_IMPORTS.find(\n (entry) =>\n importPath === entry.packageName ||\n importPath.startsWith(`${entry.packageName}/`)\n );\n}\n\nfunction matchesForbiddenPattern(\n importPath: string\n): TenantClientForbiddenImportPattern | undefined {\n return TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS.find((entry) =>\n new RegExp(entry.pattern, \"u\").test(importPath)\n );\n}\n\nexport function classifyTenantClientImport(\n importPath: string\n): TenantClientImportClassification {\n const normalizedImportPath = importPath.trim();\n const pattern = matchesForbiddenPattern(normalizedImportPath);\n\n if (pattern) {\n return {\n importPath: normalizedImportPath,\n decision: \"forbidden\",\n pattern,\n reason: pattern.description,\n };\n }\n\n const publicImport = matchesPublicImport(normalizedImportPath);\n if (publicImport) {\n return {\n importPath: normalizedImportPath,\n decision: \"public\",\n publicImport,\n reason: publicImport.description,\n };\n }\n\n if (normalizedImportPath.startsWith(\"@lucern/\")) {\n return {\n importPath: normalizedImportPath,\n decision: \"forbidden\",\n reason:\n \"This @lucern package is not part of the tenant client public surface.\",\n };\n }\n\n if (\n normalizedImportPath.startsWith(\"./\") ||\n normalizedImportPath.startsWith(\"../\")\n ) {\n return {\n importPath: normalizedImportPath,\n decision: \"local\",\n reason: \"Local tenant-owned import.\",\n };\n }\n\n return {\n importPath: normalizedImportPath,\n decision: \"external\",\n reason: \"External dependency outside the Lucern package namespace.\",\n };\n}\n\nexport function isTenantClientPublicImport(importPath: string): boolean {\n return classifyTenantClientImport(importPath).decision === \"public\";\n}\n\nexport function isTenantClientComponentConfigImport(\n importPath: string\n): boolean {\n return TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS.some(\n (entry) => importPath === entry.importPath\n );\n}\n\nexport function isTenantClientAllowedImport(importPath: string): boolean {\n return classifyTenantClientImport(importPath).decision === \"public\";\n}\n\nexport function assertTenantClientImportAllowed(importPath: string): void {\n const classification = classifyTenantClientImport(importPath);\n if (classification.decision !== \"forbidden\") {\n return;\n }\n\n throw new Error(formatTenantClientImportViolation(classification));\n}\n\nexport function formatTenantClientImportViolation(\n classification: TenantClientImportClassification\n): string {\n const patternId = classification.pattern\n ? ` [${classification.pattern.id}]`\n : \"\";\n return `Tenant client import is not allowed${patternId}: ${classification.importPath}. ${classification.reason}`;\n}\n","/**\n * Infisical runtime contract\n *\n * Defines how Lucern runtime surfaces receive platform configuration and\n * secrets. Vercel-owned apps consume Infisical through secret syncs. Server,\n * CLI, MCP, and SDK operator contexts may hydrate runtime config directly from\n * Infisical when they have a scoped machine identity. Tenant user auth still\n * flows through Lucern device login; tenant tools never receive platform Clerk\n * secrets.\n */\n\nimport { TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH } from \"./tenant-client.contract\";\n\nexport const INFISICAL_RUNTIME_CONTRACT_VERSION = \"2026-04-28\" as const;\n\nexport const INFISICAL_RUNTIME_DEFAULT_API_URL =\n \"https://app.infisical.com\" as const;\nexport const INFISICAL_RUNTIME_DEFAULT_PROJECT_ID =\n \"344b0526-90df-4606-ba50-22c647a36c65\" as const;\n\nexport const INFISICAL_RUNTIME_ENVIRONMENTS = [\n \"dev\",\n \"staging\",\n \"prod\",\n] as const;\nexport type InfisicalRuntimeEnvironment =\n (typeof INFISICAL_RUNTIME_ENVIRONMENTS)[number];\n\nexport const INFISICAL_RUNTIME_DELIVERY_MODES = [\n \"vercel_sync\",\n \"runtime_fetch\",\n \"device_auth\",\n] as const;\nexport type InfisicalRuntimeDeliveryMode =\n (typeof INFISICAL_RUNTIME_DELIVERY_MODES)[number];\n\nexport const INFISICAL_RUNTIME_SURFACE_IDS = [\n \"lucern-web\",\n \"lucern-gateway\",\n \"lucern-sdk\",\n \"lucern-cli\",\n \"lucern-mcp\",\n \"tenant-client\",\n] as const;\nexport type InfisicalRuntimeSurfaceId =\n (typeof INFISICAL_RUNTIME_SURFACE_IDS)[number];\n\nexport const INFISICAL_RUNTIME_BOOTSTRAP_ENV = {\n apiUrl: [\"INFISICAL_API_URL\", \"INFISICAL_URL\"],\n projectId: [\"INFISICAL_PROJECT_ID\", \"INFISICAL_WORKSPACE_ID\"],\n clientId: [\n \"INFISICAL_CLIENT_ID\",\n \"INFISICAL_MACHINE_CLIENT_ID\",\n \"INFISICAL_UNIVERSAL_AUTH_CLIENT_ID\",\n ],\n clientSecret: [\n \"INFISICAL_CLIENT_SECRET\",\n \"INFISICAL_MACHINE_CLIENT_SECRET\",\n \"INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET\",\n ],\n environment: [\"INFISICAL_ENV\", \"LUCERN_INFISICAL_ENV\"],\n organizationSlug: [\"INFISICAL_ORG_SLUG\", \"INFISICAL_ORGANIZATION_SLUG\"],\n disabled: [\"LUCERN_INFISICAL_DISABLE\", \"INFISICAL_DISABLE\"],\n} as const;\nexport type InfisicalRuntimeBootstrapEnv =\n typeof INFISICAL_RUNTIME_BOOTSTRAP_ENV;\n\nexport type InfisicalRuntimeVariable = {\n readonly name: string;\n readonly required: boolean;\n readonly secret: boolean;\n readonly public: boolean;\n readonly aliases?: readonly string[];\n readonly description: string;\n};\n\nexport type InfisicalRuntimePathDefinition = {\n readonly id: string;\n readonly secretPath: string;\n readonly description: string;\n readonly variables: readonly InfisicalRuntimeVariable[];\n};\n\nexport const INFISICAL_RUNTIME_PATHS = [\n {\n id: \"platform-auth\",\n secretPath: \"/platform/auth\",\n description:\n \"Lucern platform authentication secrets. Synced into Vercel web/gateway projects; never distributed to tenant tools.\",\n variables: [\n {\n name: \"NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY\",\n required: true,\n secret: false,\n public: true,\n description: \"Clerk publishable key for the Lucern web origin.\",\n },\n {\n name: \"CLERK_SECRET_KEY\",\n required: true,\n secret: true,\n public: false,\n description: \"Clerk backend secret key for Lucern server runtimes.\",\n },\n {\n name: \"CLERK_JWT_ISSUER_DOMAIN\",\n required: false,\n secret: false,\n public: false,\n description: \"Expected Clerk issuer/JWKS domain for JWT verification.\",\n },\n {\n name: \"NEXT_PUBLIC_CLERK_SIGN_IN_URL\",\n required: false,\n secret: false,\n public: true,\n description: \"Public sign-in URL for Lucern-owned web flows.\",\n },\n {\n name: \"NEXT_PUBLIC_CLERK_SIGN_UP_URL\",\n required: false,\n secret: false,\n public: true,\n description: \"Public sign-up URL for Lucern-owned web flows.\",\n },\n ],\n },\n {\n id: \"platform-runtime\",\n secretPath: \"/platform/runtime\",\n description:\n \"Runtime defaults shared by server-side Lucern clients and operator tooling.\",\n variables: [\n {\n name: \"LUCERN_API_URL\",\n required: true,\n secret: false,\n public: false,\n aliases: [\"LUCERN_API_BASE_URL\", \"LUCERN_BASE_URL\"],\n description: \"Canonical Lucern API gateway URL.\",\n },\n {\n name: \"LUCERN_LOGIN_BASE_URL\",\n required: false,\n secret: false,\n public: false,\n aliases: [\"LUCERN_AUTH_BASE_URL\"],\n description: \"Browser login origin used when it differs from the API.\",\n },\n {\n name: \"LUCERN_ENVIRONMENT\",\n required: false,\n secret: false,\n public: false,\n aliases: [\"LUCERN_ENV\"],\n description: \"Lucern environment label consumed by CLI profiles.\",\n },\n ],\n },\n {\n id: \"tenant-shared-install\",\n secretPath: TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH,\n description:\n \"Tenant package-install secrets. This is install-only and distinct from platform publish credentials.\",\n variables: [\n {\n name: \"INSTALL_LUCERN_NPM\",\n required: true,\n secret: true,\n public: false,\n description: \"Read-only install token for the published @lucern/* suite.\",\n },\n ],\n },\n] as const satisfies readonly InfisicalRuntimePathDefinition[];\nexport type InfisicalRuntimePath = (typeof INFISICAL_RUNTIME_PATHS)[number];\nexport type InfisicalRuntimePathId = InfisicalRuntimePath[\"id\"];\n\nexport type InfisicalRuntimeSurfaceDefinition = {\n readonly id: InfisicalRuntimeSurfaceId;\n readonly packageName?: string;\n readonly delivery: InfisicalRuntimeDeliveryMode;\n readonly fallback?: InfisicalRuntimeDeliveryMode;\n readonly sourcePathIds: readonly InfisicalRuntimePathId[];\n readonly consumer: string;\n readonly description: string;\n};\n\nexport const INFISICAL_RUNTIME_SURFACES = [\n {\n id: \"lucern-web\",\n delivery: \"vercel_sync\",\n sourcePathIds: [\"platform-auth\", \"platform-runtime\"],\n consumer: \"apps/web on Vercel project lucern\",\n description:\n \"Lucern web consumes Clerk and runtime config via Infisical-to-Vercel syncs.\",\n },\n {\n id: \"lucern-gateway\",\n delivery: \"vercel_sync\",\n sourcePathIds: [\"platform-auth\", \"platform-runtime\"],\n consumer: \"apps/gateway on Vercel project lucern-gateway\",\n description:\n \"Lucern gateway consumes platform config via Infisical-to-Vercel syncs.\",\n },\n {\n id: \"lucern-sdk\",\n packageName: \"@lucern/sdk\",\n delivery: \"runtime_fetch\",\n sourcePathIds: [\"platform-runtime\"],\n consumer: \"server-side SDK operator contexts with a scoped Infisical identity\",\n description:\n \"SDK exposes the runtime Infisical resolver used by clients that have machine identity credentials.\",\n },\n {\n id: \"lucern-cli\",\n packageName: \"@lucern/cli\",\n delivery: \"runtime_fetch\",\n fallback: \"device_auth\",\n sourcePathIds: [\"platform-runtime\"],\n consumer: \"developer/operator CLI processes\",\n description:\n \"CLI hydrates runtime defaults from Infisical when configured, then authenticates users through Lucern device login.\",\n },\n {\n id: \"lucern-mcp\",\n packageName: \"@lucern/mcp\",\n delivery: \"runtime_fetch\",\n fallback: \"device_auth\",\n sourcePathIds: [\"platform-runtime\"],\n consumer: \"MCP server/client processes\",\n description:\n \"MCP hydrates runtime defaults through the SDK resolver and remains a Lucern client, not a platform secret owner.\",\n },\n {\n id: \"tenant-client\",\n delivery: \"device_auth\",\n sourcePathIds: [\"tenant-shared-install\"],\n consumer: \"tenant-owned apps and coding agents\",\n description:\n \"Tenant clients install the published packages and receive user/service credentials through Lucern auth surfaces.\",\n },\n] as const satisfies readonly InfisicalRuntimeSurfaceDefinition[];\nexport type InfisicalRuntimeSurface =\n (typeof INFISICAL_RUNTIME_SURFACES)[number];\n\nexport function findInfisicalRuntimePath(\n pathId: InfisicalRuntimePathId\n): InfisicalRuntimePath | undefined {\n return INFISICAL_RUNTIME_PATHS.find((path) => path.id === pathId);\n}\n\nexport function findInfisicalRuntimeSurface(\n surfaceId: InfisicalRuntimeSurfaceId\n): InfisicalRuntimeSurface | undefined {\n return INFISICAL_RUNTIME_SURFACES.find(\n (surface) => surface.id === surfaceId\n );\n}\n"]}
|
|
@@ -1,8 +1,6 @@
|
|
|
1
1
|
// src/lens-filter.contract.ts
|
|
2
2
|
function isLensFilterCriteria(value) {
|
|
3
|
-
|
|
4
|
-
const obj = value;
|
|
5
|
-
return typeof obj.version === "number" && typeof obj.kind === "string";
|
|
3
|
+
return isRecord(value) && typeof value.version === "number" && typeof value.kind === "string";
|
|
6
4
|
}
|
|
7
5
|
function isTaxonomyFilterCriteriaV1(value) {
|
|
8
6
|
if (!isLensFilterCriteria(value)) return false;
|
|
@@ -31,6 +29,9 @@ function validateFilterCriteria(value) {
|
|
|
31
29
|
]
|
|
32
30
|
};
|
|
33
31
|
}
|
|
32
|
+
function isRecord(value) {
|
|
33
|
+
return value !== null && typeof value === "object" && !Array.isArray(value);
|
|
34
|
+
}
|
|
34
35
|
function validateTaxonomyFilterV1(criteria) {
|
|
35
36
|
const errors = [];
|
|
36
37
|
if (!Array.isArray(criteria.entityTypeFilters)) {
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../src/lens-filter.contract.ts"],"names":[],"mappings":";AA4EO,SAAS,qBACd,KAAA,EAC6B;AAC7B,EAAA,
|
|
1
|
+
{"version":3,"sources":["../src/lens-filter.contract.ts"],"names":[],"mappings":";AA4EO,SAAS,qBACd,KAAA,EAC6B;AAC7B,EAAA,OAAO,QAAA,CAAS,KAAK,CAAA,IAAK,OAAO,MAAM,OAAA,KAAY,QAAA,IAAY,OAAO,KAAA,CAAM,IAAA,KAAS,QAAA;AACvF;AAEO,SAAS,2BACd,KAAA,EACmC;AACnC,EAAA,IAAI,CAAC,oBAAA,CAAqB,KAAK,CAAA,EAAG,OAAO,KAAA;AACzC,EAAA,OAAO,KAAA,CAAM,OAAA,KAAY,CAAA,IAAK,KAAA,CAAM,IAAA,KAAS,UAAA;AAC/C;AAcO,SAAS,uBACd,KAAA,EACwB;AACxB,EAAA,IAAI,KAAA,KAAU,MAAA,IAAa,KAAA,KAAU,IAAA,EAAM;AACzC,IAAA,OAAO,EAAE,OAAO,IAAA,EAAK;AAAA,EACvB;AAEA,EAAA,IAAI,CAAC,oBAAA,CAAqB,KAAK,CAAA,EAAG;AAChC,IAAA,OAAO;AAAA,MACL,KAAA,EAAO,KAAA;AAAA,MACP,MAAA,EAAQ;AAAA,QACN;AAAA;AACF,KACF;AAAA,EACF;AAEA,EAAA,IAAI,0BAAA,CAA2B,KAAK,CAAA,EAAG;AACrC,IAAA,OAAO,yBAAyB,KAAK,CAAA;AAAA,EACvC;AAIA,EAAA,MAAM,GAAA,GAAM,KAAA;AACZ,EAAA,OAAO;AAAA,IACL,KAAA,EAAO,KAAA;AAAA,IACP,MAAA,EAAQ;AAAA,MACN,CAAA,qCAAA,EAAwC,GAAA,CAAI,OAAO,CAAA,OAAA,EAAU,IAAI,IAAI,CAAA;AAAA;AACvE,GACF;AACF;AAEA,SAAS,SAAS,KAAA,EAAkD;AAClE,EAAA,OAAO,KAAA,KAAU,QAAQ,OAAO,KAAA,KAAU,YAAY,CAAC,KAAA,CAAM,QAAQ,KAAK,CAAA;AAC5E;AAEA,SAAS,yBACP,QAAA,EACwB;AACxB,EAAA,MAAM,SAAmB,EAAC;AAE1B,EAAA,IAAI,CAAC,KAAA,CAAM,OAAA,CAAQ,QAAA,CAAS,iBAAiB,CAAA,EAAG;AAC9C,IAAA,MAAA,CAAO,KAAK,oCAAoC,CAAA;AAChD,IAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,MAAA,EAAO;AAAA,EAChC;AAEA,EAAA,IAAI,QAAA,CAAS,iBAAA,CAAkB,MAAA,KAAW,CAAA,EAAG;AAC3C,IAAA,MAAA,CAAO,KAAK,mDAAmD,CAAA;AAC/D,IAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,MAAA,EAAO;AAAA,EAChC;AAEA,EAAA,KAAA,IAAS,IAAI,CAAA,EAAG,CAAA,GAAI,QAAA,CAAS,iBAAA,CAAkB,QAAQ,CAAA,EAAA,EAAK;AAC1D,IAAA,MAAM,MAAA,GAAS,QAAA,CAAS,iBAAA,CAAkB,CAAC,CAAA;AAC3C,IAAA,IAAI,CAAC,MAAA,IAAU,OAAO,MAAA,CAAO,oBAAoB,QAAA,EAAU;AACzD,MAAA,MAAA,CAAO,IAAA;AAAA,QACL,qBAAqB,CAAC,CAAA,4CAAA;AAAA,OACxB;AACA,MAAA;AAAA,IACF;AACA,IAAA,IAAI,MAAA,CAAO,eAAA,CAAgB,IAAA,EAAK,CAAE,WAAW,CAAA,EAAG;AAC9C,MAAA,MAAA,CAAO,IAAA;AAAA,QACL,qBAAqB,CAAC,CAAA,4CAAA;AAAA,OACxB;AAAA,IACF;AACA,IAAA,IACE,MAAA,CAAO,kBAAkB,MAAA,IACzB,CAAC,MAAM,OAAA,CAAQ,MAAA,CAAO,aAAa,CAAA,EACnC;AACA,MAAA,MAAA,CAAO,IAAA,CAAK,CAAA,kBAAA,EAAqB,CAAC,CAAA,gCAAA,CAAkC,CAAA;AAAA,IACtE;AAAA,EACF;AAEA,EAAA,IAAI,QAAA,CAAS,kBAAkB,MAAA,EAAW;AACxC,IAAA,IACE,OAAO,QAAA,CAAS,aAAA,KAAkB,QAAA,IAClC,QAAA,CAAS,kBAAkB,IAAA,EAC3B;AACA,MAAA,MAAA,CAAO,KAAK,iCAAiC,CAAA;AAAA,IAC/C;AAAA,EACF;AAEA,EAAA,OAAO,MAAA,CAAO,MAAA,KAAW,CAAA,GACrB,EAAE,KAAA,EAAO,MAAK,GACd,EAAE,KAAA,EAAO,KAAA,EAAO,MAAA,EAAO;AAC7B","file":"lens-filter.contract.js","sourcesContent":["/**\n * Lens Filter Criteria Contract\n *\n * Version-discriminated filter DSL for lenses. Each filter criteria document\n * carries a `version` and `kind` discriminator so future shapes can coexist\n * without schema migrations. The Convex `filterCriteria` field remains v.any()\n * — all type enforcement happens here at the TypeScript contract layer.\n *\n * Forward-compatibility guarantees:\n * - `version` field: new versions add fields, never remove or rename existing ones\n * - `kind` field: new filter kinds (temporal, confidence-range) can be added\n * without touching taxonomy code paths\n * - `entityTypeFilters` array items are open to extension in future versions\n * - Resolution logic switches on `version` + `kind` to select the right resolver\n *\n * @module lucern/contracts/src/lens-filter\n */\n\n// ---------------------------------------------------------------------------\n// V1: Taxonomy Filter — entity type + subtype matching\n// ---------------------------------------------------------------------------\n\n/**\n * A single entity type filter entry. Matches nodes whose `nodeType` equals\n * `entityTypeValue`, optionally further narrowed by subtype membership.\n *\n * V2 will add `propertyMatchers` here for arbitrary JSON Schema facet queries.\n */\nexport type EntityTypeFilterV1 = {\n /** References ontologyVersion.entityTypes[].value, e.g. \"company\" */\n entityTypeValue: string;\n\n /** Optional subtype narrowing. If omitted or empty, all subtypes match. */\n subtypeValues?: string[];\n};\n\n/**\n * Optional scope to restrict which ontology the filter resolves against.\n * If omitted, resolution uses whatever ontology is active in the workspace.\n */\nexport type OntologyScope = {\n /** Restrict to a specific ontology by key, e.g. \"vc-investment\" */\n ontologyKey?: string;\n};\n\n/**\n * Taxonomy filter criteria v1: entity type + subtype matching over ontology.\n */\nexport type TaxonomyFilterCriteriaV1 = {\n version: 1;\n kind: \"taxonomy\";\n entityTypeFilters: EntityTypeFilterV1[];\n ontologyScope?: OntologyScope;\n};\n\n// ---------------------------------------------------------------------------\n// Union: All filter criteria versions and kinds\n// ---------------------------------------------------------------------------\n\n/**\n * Discriminated union of all supported filter criteria.\n * Resolution logic switches on `version` + `kind`.\n *\n * To add a new filter kind:\n * 1. Define a new type (e.g., TemporalFilterCriteriaV1)\n * 2. Add it to this union\n * 3. Add a resolver in taxonomy-filter.ts\n * 4. No schema migration needed — filterCriteria is v.any()\n */\nexport type LensFilterCriteria = TaxonomyFilterCriteriaV1;\n// Future: | TemporalFilterCriteriaV1 | ConfidenceRangeFilterCriteriaV1 | ...\n\n// ---------------------------------------------------------------------------\n// Type guards\n// ---------------------------------------------------------------------------\n\nexport function isLensFilterCriteria(\n value: unknown\n): value is LensFilterCriteria {\n return isRecord(value) && typeof value.version === \"number\" && typeof value.kind === \"string\";\n}\n\nexport function isTaxonomyFilterCriteriaV1(\n value: unknown\n): value is TaxonomyFilterCriteriaV1 {\n if (!isLensFilterCriteria(value)) return false;\n return value.version === 1 && value.kind === \"taxonomy\";\n}\n\n// ---------------------------------------------------------------------------\n// Validation\n// ---------------------------------------------------------------------------\n\nexport type FilterValidationResult =\n | { valid: true }\n | { valid: false; errors: string[] };\n\n/**\n * Validate a filter criteria document at the contract layer.\n * This runs before persisting to Convex.\n */\nexport function validateFilterCriteria(\n value: unknown\n): FilterValidationResult {\n if (value === undefined || value === null) {\n return { valid: true }; // filterCriteria is optional\n }\n\n if (!isLensFilterCriteria(value)) {\n return {\n valid: false,\n errors: [\n 'filterCriteria must have numeric \"version\" and string \"kind\" fields',\n ],\n };\n }\n\n if (isTaxonomyFilterCriteriaV1(value)) {\n return validateTaxonomyFilterV1(value);\n }\n\n // Cast to access properties — TypeScript narrows to `never` when all union\n // members are exhausted, but at runtime unknown version/kind combos are possible.\n const raw = value as { version: number; kind: string };\n return {\n valid: false,\n errors: [\n `Unsupported filter criteria: version=${raw.version}, kind=${raw.kind}`,\n ],\n };\n}\n\nfunction isRecord(value: unknown): value is Record<string, unknown> {\n return value !== null && typeof value === \"object\" && !Array.isArray(value);\n}\n\nfunction validateTaxonomyFilterV1(\n criteria: TaxonomyFilterCriteriaV1\n): FilterValidationResult {\n const errors: string[] = [];\n\n if (!Array.isArray(criteria.entityTypeFilters)) {\n errors.push(\"entityTypeFilters must be an array\");\n return { valid: false, errors };\n }\n\n if (criteria.entityTypeFilters.length === 0) {\n errors.push(\"entityTypeFilters must contain at least one entry\");\n return { valid: false, errors };\n }\n\n for (let i = 0; i < criteria.entityTypeFilters.length; i++) {\n const filter = criteria.entityTypeFilters[i];\n if (!filter || typeof filter.entityTypeValue !== \"string\") {\n errors.push(\n `entityTypeFilters[${i}].entityTypeValue must be a non-empty string`\n );\n continue;\n }\n if (filter.entityTypeValue.trim().length === 0) {\n errors.push(\n `entityTypeFilters[${i}].entityTypeValue must be a non-empty string`\n );\n }\n if (\n filter.subtypeValues !== undefined &&\n !Array.isArray(filter.subtypeValues)\n ) {\n errors.push(`entityTypeFilters[${i}].subtypeValues must be an array`);\n }\n }\n\n if (criteria.ontologyScope !== undefined) {\n if (\n typeof criteria.ontologyScope !== \"object\" ||\n criteria.ontologyScope === null\n ) {\n errors.push(\"ontologyScope must be an object\");\n }\n }\n\n return errors.length === 0\n ? { valid: true }\n : { valid: false, errors };\n}\n"]}
|
|
@@ -1,8 +1,6 @@
|
|
|
1
1
|
// src/lens-filter.contract.ts
|
|
2
2
|
function isLensFilterCriteria(value) {
|
|
3
|
-
|
|
4
|
-
const obj = value;
|
|
5
|
-
return typeof obj.version === "number" && typeof obj.kind === "string";
|
|
3
|
+
return isRecord(value) && typeof value.version === "number" && typeof value.kind === "string";
|
|
6
4
|
}
|
|
7
5
|
function isTaxonomyFilterCriteriaV1(value) {
|
|
8
6
|
if (!isLensFilterCriteria(value)) return false;
|
|
@@ -31,6 +29,9 @@ function validateFilterCriteria(value) {
|
|
|
31
29
|
]
|
|
32
30
|
};
|
|
33
31
|
}
|
|
32
|
+
function isRecord(value) {
|
|
33
|
+
return value !== null && typeof value === "object" && !Array.isArray(value);
|
|
34
|
+
}
|
|
34
35
|
function validateTaxonomyFilterV1(criteria) {
|
|
35
36
|
const errors = [];
|
|
36
37
|
if (!Array.isArray(criteria.entityTypeFilters)) {
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../src/lens-filter.contract.ts","../src/lens-workflow.contract.ts"],"names":[],"mappings":";AA4EO,SAAS,qBACd,KAAA,EAC6B;AAC7B,EAAA,IAAI,CAAC,KAAA,IAAS,OAAO,KAAA,KAAU,UAAU,OAAO,KAAA;AAChD,EAAA,MAAM,GAAA,GAAM,KAAA;AACZ,EAAA,OAAO,OAAO,GAAA,CAAI,OAAA,KAAY,QAAA,IAAY,OAAO,IAAI,IAAA,KAAS,QAAA;AAChE;AAEO,SAAS,2BACd,KAAA,EACmC;AACnC,EAAA,IAAI,CAAC,oBAAA,CAAqB,KAAK,CAAA,EAAG,OAAO,KAAA;AACzC,EAAA,OAAO,KAAA,CAAM,OAAA,KAAY,CAAA,IAAK,KAAA,CAAM,IAAA,KAAS,UAAA;AAC/C;AAcO,SAAS,uBACd,KAAA,EACwB;AACxB,EAAA,IAAI,KAAA,KAAU,MAAA,IAAa,KAAA,KAAU,IAAA,EAAM;AACzC,IAAA,OAAO,EAAE,OAAO,IAAA,EAAK;AAAA,EACvB;AAEA,EAAA,IAAI,CAAC,oBAAA,CAAqB,KAAK,CAAA,EAAG;AAChC,IAAA,OAAO;AAAA,MACL,KAAA,EAAO,KAAA;AAAA,MACP,MAAA,EAAQ;AAAA,QACN;AAAA;AACF,KACF;AAAA,EACF;AAEA,EAAA,IAAI,0BAAA,CAA2B,KAAK,CAAA,EAAG;AACrC,IAAA,OAAO,yBAAyB,KAAK,CAAA;AAAA,EACvC;AAIA,EAAA,MAAM,GAAA,GAAM,KAAA;AACZ,EAAA,OAAO;AAAA,IACL,KAAA,EAAO,KAAA;AAAA,IACP,MAAA,EAAQ;AAAA,MACN,CAAA,qCAAA,EAAwC,GAAA,CAAI,OAAO,CAAA,OAAA,EAAU,IAAI,IAAI,CAAA;AAAA;AACvE,GACF;AACF;AAEA,SAAS,yBACP,QAAA,EACwB;AACxB,EAAA,MAAM,SAAmB,EAAC;AAE1B,EAAA,IAAI,CAAC,KAAA,CAAM,OAAA,CAAQ,QAAA,CAAS,iBAAiB,CAAA,EAAG;AAC9C,IAAA,MAAA,CAAO,KAAK,oCAAoC,CAAA;AAChD,IAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,MAAA,EAAO;AAAA,EAChC;AAEA,EAAA,IAAI,QAAA,CAAS,iBAAA,CAAkB,MAAA,KAAW,CAAA,EAAG;AAC3C,IAAA,MAAA,CAAO,KAAK,mDAAmD,CAAA;AAC/D,IAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,MAAA,EAAO;AAAA,EAChC;AAEA,EAAA,KAAA,IAAS,IAAI,CAAA,EAAG,CAAA,GAAI,QAAA,CAAS,iBAAA,CAAkB,QAAQ,CAAA,EAAA,EAAK;AAC1D,IAAA,MAAM,MAAA,GAAS,QAAA,CAAS,iBAAA,CAAkB,CAAC,CAAA;AAC3C,IAAA,IAAI,CAAC,MAAA,IAAU,OAAO,MAAA,CAAO,oBAAoB,QAAA,EAAU;AACzD,MAAA,MAAA,CAAO,IAAA;AAAA,QACL,qBAAqB,CAAC,CAAA,4CAAA;AAAA,OACxB;AACA,MAAA;AAAA,IACF;AACA,IAAA,IAAI,MAAA,CAAO,eAAA,CAAgB,IAAA,EAAK,CAAE,WAAW,CAAA,EAAG;AAC9C,MAAA,MAAA,CAAO,IAAA;AAAA,QACL,qBAAqB,CAAC,CAAA,4CAAA;AAAA,OACxB;AAAA,IACF;AACA,IAAA,IACE,MAAA,CAAO,kBAAkB,MAAA,IACzB,CAAC,MAAM,OAAA,CAAQ,MAAA,CAAO,aAAa,CAAA,EACnC;AACA,MAAA,MAAA,CAAO,IAAA,CAAK,CAAA,kBAAA,EAAqB,CAAC,CAAA,gCAAA,CAAkC,CAAA;AAAA,IACtE;AAAA,EACF;AAEA,EAAA,IAAI,QAAA,CAAS,kBAAkB,MAAA,EAAW;AACxC,IAAA,IACE,OAAO,QAAA,CAAS,aAAA,KAAkB,QAAA,IAClC,QAAA,CAAS,kBAAkB,IAAA,EAC3B;AACA,MAAA,MAAA,CAAO,KAAK,iCAAiC,CAAA;AAAA,IAC/C;AAAA,EACF;AAEA,EAAA,OAAO,MAAA,CAAO,MAAA,KAAW,CAAA,GACrB,EAAE,KAAA,EAAO,MAAK,GACd,EAAE,KAAA,EAAO,KAAA,EAAO,MAAA,EAAO;AAC7B;;;ACpKO,IAAM,sBAAA,GAAyB;AAAA,EACpC,eAAA;AAAA,EACA,YAAA;AAAA,EACA,UAAA;AAAA,EACA,YAAA;AAAA,EACA;AACF;AAIO,IAAM,aAAA,GAAgB,CAAC,OAAA,EAAS,QAAA,EAAU,UAAU;AAIpD,IAAM,6BAAA,GAAgC;AAAA,EAC3C,UAAA;AAAA,EACA,MAAA;AAAA,EACA,QAAA;AAAA,EACA;AACF;AAgEO,IAAM,0BAAA,GACX;AAQK,SAAS,yCACd,MAAA,EACqB;AACrB,EAAA,MAAM,UAAA,GAAa,MAAA,EAAQ,IAAA,EAAK,CAAE,WAAA,EAAY;AAC9C,EAAA,IAAI,eAAe,OAAA,EAAS;AAC1B,IAAA,OAAO,YAAA;AAAA,EACT;AACA,EAAA,IAAI,UAAA,KAAe,MAAA,IAAU,UAAA,KAAe,WAAA,EAAa;AACvD,IAAA,OAAO,YAAA;AAAA,EACT;AACA,EAAA,IAAI,eAAe,OAAA,EAAS;AAC1B,IAAA,OAAO,eAAA;AAAA,EACT;AACA,EAAA,OAAO,UAAA;AACT;AAEO,SAAS,oBAAoB,IAAA,EAMF;AAChC,EAAA,MAAM,eAAA,GAAkB,wCAAA,CAAyC,IAAA,CAAK,MAAM,CAAA;AAC5E,EAAA,OAAO;AAAA,IACL,eAAA,EAAiB,aAAA;AAAA,IACjB,eAAA;AAAA,IACA,OAAA,EACE,qHAAA;AAAA,IACF,gBAAA,EAAkB;AAAA,MAChB,MAAM,IAAA,CAAK,IAAA;AAAA,MACX,aAAa,IAAA,CAAK,WAAA;AAAA,MAClB,SAAS,IAAA,CAAK,OAAA;AAAA,MACd,aAAa,IAAA,CAAK,WAAA;AAAA,MAClB;AAAA;AACF,GACF;AACF;AAEO,SAAS,8BAA8B,IAAA,EAMjB;AAC3B,EAAA,OAAO;AAAA,IACL,UAAA,EAAY,IAAA;AAAA,IACZ,kBAAA,EAAoB,0BAAA;AAAA,IACpB,cAAA,EAAgB,oBAAoB,IAAI;AAAA,GAC1C;AACF","file":"lens-workflow.contract.js","sourcesContent":["/**\n * Lens Filter Criteria Contract\n *\n * Version-discriminated filter DSL for lenses. Each filter criteria document\n * carries a `version` and `kind` discriminator so future shapes can coexist\n * without schema migrations. The Convex `filterCriteria` field remains v.any()\n * — all type enforcement happens here at the TypeScript contract layer.\n *\n * Forward-compatibility guarantees:\n * - `version` field: new versions add fields, never remove or rename existing ones\n * - `kind` field: new filter kinds (temporal, confidence-range) can be added\n * without touching taxonomy code paths\n * - `entityTypeFilters` array items are open to extension in future versions\n * - Resolution logic switches on `version` + `kind` to select the right resolver\n *\n * @module lucern/contracts/src/lens-filter\n */\n\n// ---------------------------------------------------------------------------\n// V1: Taxonomy Filter — entity type + subtype matching\n// ---------------------------------------------------------------------------\n\n/**\n * A single entity type filter entry. Matches nodes whose `nodeType` equals\n * `entityTypeValue`, optionally further narrowed by subtype membership.\n *\n * V2 will add `propertyMatchers` here for arbitrary JSON Schema facet queries.\n */\nexport type EntityTypeFilterV1 = {\n /** References ontologyVersion.entityTypes[].value, e.g. \"company\" */\n entityTypeValue: string;\n\n /** Optional subtype narrowing. If omitted or empty, all subtypes match. */\n subtypeValues?: string[];\n};\n\n/**\n * Optional scope to restrict which ontology the filter resolves against.\n * If omitted, resolution uses whatever ontology is active in the workspace.\n */\nexport type OntologyScope = {\n /** Restrict to a specific ontology by key, e.g. \"vc-investment\" */\n ontologyKey?: string;\n};\n\n/**\n * Taxonomy filter criteria v1: entity type + subtype matching over ontology.\n */\nexport type TaxonomyFilterCriteriaV1 = {\n version: 1;\n kind: \"taxonomy\";\n entityTypeFilters: EntityTypeFilterV1[];\n ontologyScope?: OntologyScope;\n};\n\n// ---------------------------------------------------------------------------\n// Union: All filter criteria versions and kinds\n// ---------------------------------------------------------------------------\n\n/**\n * Discriminated union of all supported filter criteria.\n * Resolution logic switches on `version` + `kind`.\n *\n * To add a new filter kind:\n * 1. Define a new type (e.g., TemporalFilterCriteriaV1)\n * 2. Add it to this union\n * 3. Add a resolver in taxonomy-filter.ts\n * 4. No schema migration needed — filterCriteria is v.any()\n */\nexport type LensFilterCriteria = TaxonomyFilterCriteriaV1;\n// Future: | TemporalFilterCriteriaV1 | ConfidenceRangeFilterCriteriaV1 | ...\n\n// ---------------------------------------------------------------------------\n// Type guards\n// ---------------------------------------------------------------------------\n\nexport function isLensFilterCriteria(\n value: unknown\n): value is LensFilterCriteria {\n if (!value || typeof value !== \"object\") return false;\n const obj = value as Record<string, unknown>;\n return typeof obj.version === \"number\" && typeof obj.kind === \"string\";\n}\n\nexport function isTaxonomyFilterCriteriaV1(\n value: unknown\n): value is TaxonomyFilterCriteriaV1 {\n if (!isLensFilterCriteria(value)) return false;\n return value.version === 1 && value.kind === \"taxonomy\";\n}\n\n// ---------------------------------------------------------------------------\n// Validation\n// ---------------------------------------------------------------------------\n\nexport type FilterValidationResult =\n | { valid: true }\n | { valid: false; errors: string[] };\n\n/**\n * Validate a filter criteria document at the contract layer.\n * This runs before persisting to Convex.\n */\nexport function validateFilterCriteria(\n value: unknown\n): FilterValidationResult {\n if (value === undefined || value === null) {\n return { valid: true }; // filterCriteria is optional\n }\n\n if (!isLensFilterCriteria(value)) {\n return {\n valid: false,\n errors: [\n 'filterCriteria must have numeric \"version\" and string \"kind\" fields',\n ],\n };\n }\n\n if (isTaxonomyFilterCriteriaV1(value)) {\n return validateTaxonomyFilterV1(value);\n }\n\n // Cast to access properties — TypeScript narrows to `never` when all union\n // members are exhausted, but at runtime unknown version/kind combos are possible.\n const raw = value as { version: number; kind: string };\n return {\n valid: false,\n errors: [\n `Unsupported filter criteria: version=${raw.version}, kind=${raw.kind}`,\n ],\n };\n}\n\nfunction validateTaxonomyFilterV1(\n criteria: TaxonomyFilterCriteriaV1\n): FilterValidationResult {\n const errors: string[] = [];\n\n if (!Array.isArray(criteria.entityTypeFilters)) {\n errors.push(\"entityTypeFilters must be an array\");\n return { valid: false, errors };\n }\n\n if (criteria.entityTypeFilters.length === 0) {\n errors.push(\"entityTypeFilters must contain at least one entry\");\n return { valid: false, errors };\n }\n\n for (let i = 0; i < criteria.entityTypeFilters.length; i++) {\n const filter = criteria.entityTypeFilters[i];\n if (!filter || typeof filter.entityTypeValue !== \"string\") {\n errors.push(\n `entityTypeFilters[${i}].entityTypeValue must be a non-empty string`\n );\n continue;\n }\n if (filter.entityTypeValue.trim().length === 0) {\n errors.push(\n `entityTypeFilters[${i}].entityTypeValue must be a non-empty string`\n );\n }\n if (\n filter.subtypeValues !== undefined &&\n !Array.isArray(filter.subtypeValues)\n ) {\n errors.push(`entityTypeFilters[${i}].subtypeValues must be an array`);\n }\n }\n\n if (criteria.ontologyScope !== undefined) {\n if (\n typeof criteria.ontologyScope !== \"object\" ||\n criteria.ontologyScope === null\n ) {\n errors.push(\"ontologyScope must be an object\");\n }\n }\n\n return errors.length === 0\n ? { valid: true }\n : { valid: false, errors };\n}\n","/**\n * Canonical lens workflow contract shared across schema, SDK, and MCP surfaces.\n */\n\n// Re-export filter criteria types for consumers who import from lens-workflow\nexport type {\n LensFilterCriteria,\n TaxonomyFilterCriteriaV1,\n EntityTypeFilterV1,\n OntologyScope,\n FilterValidationResult,\n} from \"./lens-filter.contract\";\nexport {\n validateFilterCriteria,\n isLensFilterCriteria,\n isTaxonomyFilterCriteriaV1,\n} from \"./lens-filter.contract\";\n\nexport const LENS_PERSPECTIVE_TYPES = [\n \"investigation\",\n \"monitoring\",\n \"analysis\",\n \"comparison\",\n \"taxonomy\",\n] as const;\n\nexport type LensPerspectiveType = (typeof LENS_PERSPECTIVE_TYPES)[number];\n\nexport const LENS_STATUSES = [\"draft\", \"active\", \"archived\"] as const;\n\nexport type LensStatus = (typeof LENS_STATUSES)[number];\n\nexport const LENS_TASK_TEMPLATE_PRIORITIES = [\n \"critical\",\n \"high\",\n \"medium\",\n \"low\",\n] as const;\n\nexport type LensTaskTemplatePriority =\n (typeof LENS_TASK_TEMPLATE_PRIORITIES)[number];\n\nexport type LensLooseMetadata = Record<string, unknown>;\n\nexport type LensPromptTemplateReference = {\n key: string;\n promptRef: string;\n phase?: string;\n role?: string;\n version?: string;\n required?: boolean;\n metadata?: LensLooseMetadata;\n};\n\nexport type LensWorkflowStepTemplate = {\n key: string;\n title: string;\n description?: string;\n promptTemplateKey?: string;\n taskTemplateKeys?: string[];\n metadata?: LensLooseMetadata;\n};\n\nexport type LensWorkflowTemplate = {\n key: string;\n name: string;\n description?: string;\n steps: LensWorkflowStepTemplate[];\n metadata?: LensLooseMetadata;\n};\n\nexport type LensTaskTemplate = {\n key: string;\n title: string;\n description?: string;\n priority?: LensTaskTemplatePriority;\n phase?: string;\n metadata?: LensLooseMetadata;\n};\n\nexport type LensQuestionTemplate = {\n key: string;\n text: string;\n priority?: LensTaskTemplatePriority;\n linkedBeliefKey?: string;\n metadata?: LensLooseMetadata;\n};\n\nexport type LensBranchMigrationSuggestion = {\n recommendedTool: \"create_lens\";\n perspectiveType: LensPerspectiveType;\n message: string;\n suggestedPayload: {\n name: string;\n description?: string;\n topicId?: string;\n workspaceId?: string;\n perspectiveType: LensPerspectiveType;\n };\n};\n\nexport const BRANCH_DEPRECATION_MESSAGE =\n \"Branches are deprecated for operational framing. Create a workspace-scoped lens instead.\";\n\nexport type DeprecatedBranchMetadata = {\n deprecated: true;\n deprecationMessage: string;\n lensSuggestion: LensBranchMigrationSuggestion;\n};\n\nexport function inferLensPerspectiveTypeFromBranchSchema(\n schema?: string | null\n): LensPerspectiveType {\n const normalized = schema?.trim().toLowerCase();\n if (normalized === \"phase\") {\n return \"monitoring\";\n }\n if (normalized === \"axis\" || normalized === \"dimension\") {\n return \"comparison\";\n }\n if (normalized === \"track\") {\n return \"investigation\";\n }\n return \"analysis\";\n}\n\nexport function migrateBranchToLens(args: {\n name: string;\n description?: string;\n topicId?: string;\n workspaceId?: string;\n schema?: string | null;\n}): LensBranchMigrationSuggestion {\n const perspectiveType = inferLensPerspectiveTypeFromBranchSchema(args.schema);\n return {\n recommendedTool: \"create_lens\",\n perspectiveType,\n message:\n \"Branches are deprecated for operational framing. Create a workspace-scoped lens with the suggested payload instead.\",\n suggestedPayload: {\n name: args.name,\n description: args.description,\n topicId: args.topicId,\n workspaceId: args.workspaceId,\n perspectiveType,\n },\n };\n}\n\nexport function buildDeprecatedBranchMetadata(args: {\n name: string;\n description?: string;\n topicId?: string;\n workspaceId?: string;\n schema?: string | null;\n}): DeprecatedBranchMetadata {\n return {\n deprecated: true,\n deprecationMessage: BRANCH_DEPRECATION_MESSAGE,\n lensSuggestion: migrateBranchToLens(args),\n };\n}\n"]}
|
|
1
|
+
{"version":3,"sources":["../src/lens-filter.contract.ts","../src/lens-workflow.contract.ts"],"names":[],"mappings":";AA4EO,SAAS,qBACd,KAAA,EAC6B;AAC7B,EAAA,OAAO,QAAA,CAAS,KAAK,CAAA,IAAK,OAAO,MAAM,OAAA,KAAY,QAAA,IAAY,OAAO,KAAA,CAAM,IAAA,KAAS,QAAA;AACvF;AAEO,SAAS,2BACd,KAAA,EACmC;AACnC,EAAA,IAAI,CAAC,oBAAA,CAAqB,KAAK,CAAA,EAAG,OAAO,KAAA;AACzC,EAAA,OAAO,KAAA,CAAM,OAAA,KAAY,CAAA,IAAK,KAAA,CAAM,IAAA,KAAS,UAAA;AAC/C;AAcO,SAAS,uBACd,KAAA,EACwB;AACxB,EAAA,IAAI,KAAA,KAAU,MAAA,IAAa,KAAA,KAAU,IAAA,EAAM;AACzC,IAAA,OAAO,EAAE,OAAO,IAAA,EAAK;AAAA,EACvB;AAEA,EAAA,IAAI,CAAC,oBAAA,CAAqB,KAAK,CAAA,EAAG;AAChC,IAAA,OAAO;AAAA,MACL,KAAA,EAAO,KAAA;AAAA,MACP,MAAA,EAAQ;AAAA,QACN;AAAA;AACF,KACF;AAAA,EACF;AAEA,EAAA,IAAI,0BAAA,CAA2B,KAAK,CAAA,EAAG;AACrC,IAAA,OAAO,yBAAyB,KAAK,CAAA;AAAA,EACvC;AAIA,EAAA,MAAM,GAAA,GAAM,KAAA;AACZ,EAAA,OAAO;AAAA,IACL,KAAA,EAAO,KAAA;AAAA,IACP,MAAA,EAAQ;AAAA,MACN,CAAA,qCAAA,EAAwC,GAAA,CAAI,OAAO,CAAA,OAAA,EAAU,IAAI,IAAI,CAAA;AAAA;AACvE,GACF;AACF;AAEA,SAAS,SAAS,KAAA,EAAkD;AAClE,EAAA,OAAO,KAAA,KAAU,QAAQ,OAAO,KAAA,KAAU,YAAY,CAAC,KAAA,CAAM,QAAQ,KAAK,CAAA;AAC5E;AAEA,SAAS,yBACP,QAAA,EACwB;AACxB,EAAA,MAAM,SAAmB,EAAC;AAE1B,EAAA,IAAI,CAAC,KAAA,CAAM,OAAA,CAAQ,QAAA,CAAS,iBAAiB,CAAA,EAAG;AAC9C,IAAA,MAAA,CAAO,KAAK,oCAAoC,CAAA;AAChD,IAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,MAAA,EAAO;AAAA,EAChC;AAEA,EAAA,IAAI,QAAA,CAAS,iBAAA,CAAkB,MAAA,KAAW,CAAA,EAAG;AAC3C,IAAA,MAAA,CAAO,KAAK,mDAAmD,CAAA;AAC/D,IAAA,OAAO,EAAE,KAAA,EAAO,KAAA,EAAO,MAAA,EAAO;AAAA,EAChC;AAEA,EAAA,KAAA,IAAS,IAAI,CAAA,EAAG,CAAA,GAAI,QAAA,CAAS,iBAAA,CAAkB,QAAQ,CAAA,EAAA,EAAK;AAC1D,IAAA,MAAM,MAAA,GAAS,QAAA,CAAS,iBAAA,CAAkB,CAAC,CAAA;AAC3C,IAAA,IAAI,CAAC,MAAA,IAAU,OAAO,MAAA,CAAO,oBAAoB,QAAA,EAAU;AACzD,MAAA,MAAA,CAAO,IAAA;AAAA,QACL,qBAAqB,CAAC,CAAA,4CAAA;AAAA,OACxB;AACA,MAAA;AAAA,IACF;AACA,IAAA,IAAI,MAAA,CAAO,eAAA,CAAgB,IAAA,EAAK,CAAE,WAAW,CAAA,EAAG;AAC9C,MAAA,MAAA,CAAO,IAAA;AAAA,QACL,qBAAqB,CAAC,CAAA,4CAAA;AAAA,OACxB;AAAA,IACF;AACA,IAAA,IACE,MAAA,CAAO,kBAAkB,MAAA,IACzB,CAAC,MAAM,OAAA,CAAQ,MAAA,CAAO,aAAa,CAAA,EACnC;AACA,MAAA,MAAA,CAAO,IAAA,CAAK,CAAA,kBAAA,EAAqB,CAAC,CAAA,gCAAA,CAAkC,CAAA;AAAA,IACtE;AAAA,EACF;AAEA,EAAA,IAAI,QAAA,CAAS,kBAAkB,MAAA,EAAW;AACxC,IAAA,IACE,OAAO,QAAA,CAAS,aAAA,KAAkB,QAAA,IAClC,QAAA,CAAS,kBAAkB,IAAA,EAC3B;AACA,MAAA,MAAA,CAAO,KAAK,iCAAiC,CAAA;AAAA,IAC/C;AAAA,EACF;AAEA,EAAA,OAAO,MAAA,CAAO,MAAA,KAAW,CAAA,GACrB,EAAE,KAAA,EAAO,MAAK,GACd,EAAE,KAAA,EAAO,KAAA,EAAO,MAAA,EAAO;AAC7B;;;ACtKO,IAAM,sBAAA,GAAyB;AAAA,EACpC,eAAA;AAAA,EACA,YAAA;AAAA,EACA,UAAA;AAAA,EACA,YAAA;AAAA,EACA;AACF;AAIO,IAAM,aAAA,GAAgB,CAAC,OAAA,EAAS,QAAA,EAAU,UAAU;AAIpD,IAAM,6BAAA,GAAgC;AAAA,EAC3C,UAAA;AAAA,EACA,MAAA;AAAA,EACA,QAAA;AAAA,EACA;AACF;AAgEO,IAAM,0BAAA,GACX;AAQK,SAAS,yCACd,MAAA,EACqB;AACrB,EAAA,MAAM,UAAA,GAAa,MAAA,EAAQ,IAAA,EAAK,CAAE,WAAA,EAAY;AAC9C,EAAA,IAAI,eAAe,OAAA,EAAS;AAC1B,IAAA,OAAO,YAAA;AAAA,EACT;AACA,EAAA,IAAI,UAAA,KAAe,MAAA,IAAU,UAAA,KAAe,WAAA,EAAa;AACvD,IAAA,OAAO,YAAA;AAAA,EACT;AACA,EAAA,IAAI,eAAe,OAAA,EAAS;AAC1B,IAAA,OAAO,eAAA;AAAA,EACT;AACA,EAAA,OAAO,UAAA;AACT;AAEO,SAAS,oBAAoB,IAAA,EAMF;AAChC,EAAA,MAAM,eAAA,GAAkB,wCAAA,CAAyC,IAAA,CAAK,MAAM,CAAA;AAC5E,EAAA,OAAO;AAAA,IACL,eAAA,EAAiB,aAAA;AAAA,IACjB,eAAA;AAAA,IACA,OAAA,EACE,qHAAA;AAAA,IACF,gBAAA,EAAkB;AAAA,MAChB,MAAM,IAAA,CAAK,IAAA;AAAA,MACX,aAAa,IAAA,CAAK,WAAA;AAAA,MAClB,SAAS,IAAA,CAAK,OAAA;AAAA,MACd,aAAa,IAAA,CAAK,WAAA;AAAA,MAClB;AAAA;AACF,GACF;AACF;AAEO,SAAS,8BAA8B,IAAA,EAMjB;AAC3B,EAAA,OAAO;AAAA,IACL,UAAA,EAAY,IAAA;AAAA,IACZ,kBAAA,EAAoB,0BAAA;AAAA,IACpB,cAAA,EAAgB,oBAAoB,IAAI;AAAA,GAC1C;AACF","file":"lens-workflow.contract.js","sourcesContent":["/**\n * Lens Filter Criteria Contract\n *\n * Version-discriminated filter DSL for lenses. Each filter criteria document\n * carries a `version` and `kind` discriminator so future shapes can coexist\n * without schema migrations. The Convex `filterCriteria` field remains v.any()\n * — all type enforcement happens here at the TypeScript contract layer.\n *\n * Forward-compatibility guarantees:\n * - `version` field: new versions add fields, never remove or rename existing ones\n * - `kind` field: new filter kinds (temporal, confidence-range) can be added\n * without touching taxonomy code paths\n * - `entityTypeFilters` array items are open to extension in future versions\n * - Resolution logic switches on `version` + `kind` to select the right resolver\n *\n * @module lucern/contracts/src/lens-filter\n */\n\n// ---------------------------------------------------------------------------\n// V1: Taxonomy Filter — entity type + subtype matching\n// ---------------------------------------------------------------------------\n\n/**\n * A single entity type filter entry. Matches nodes whose `nodeType` equals\n * `entityTypeValue`, optionally further narrowed by subtype membership.\n *\n * V2 will add `propertyMatchers` here for arbitrary JSON Schema facet queries.\n */\nexport type EntityTypeFilterV1 = {\n /** References ontologyVersion.entityTypes[].value, e.g. \"company\" */\n entityTypeValue: string;\n\n /** Optional subtype narrowing. If omitted or empty, all subtypes match. */\n subtypeValues?: string[];\n};\n\n/**\n * Optional scope to restrict which ontology the filter resolves against.\n * If omitted, resolution uses whatever ontology is active in the workspace.\n */\nexport type OntologyScope = {\n /** Restrict to a specific ontology by key, e.g. \"vc-investment\" */\n ontologyKey?: string;\n};\n\n/**\n * Taxonomy filter criteria v1: entity type + subtype matching over ontology.\n */\nexport type TaxonomyFilterCriteriaV1 = {\n version: 1;\n kind: \"taxonomy\";\n entityTypeFilters: EntityTypeFilterV1[];\n ontologyScope?: OntologyScope;\n};\n\n// ---------------------------------------------------------------------------\n// Union: All filter criteria versions and kinds\n// ---------------------------------------------------------------------------\n\n/**\n * Discriminated union of all supported filter criteria.\n * Resolution logic switches on `version` + `kind`.\n *\n * To add a new filter kind:\n * 1. Define a new type (e.g., TemporalFilterCriteriaV1)\n * 2. Add it to this union\n * 3. Add a resolver in taxonomy-filter.ts\n * 4. No schema migration needed — filterCriteria is v.any()\n */\nexport type LensFilterCriteria = TaxonomyFilterCriteriaV1;\n// Future: | TemporalFilterCriteriaV1 | ConfidenceRangeFilterCriteriaV1 | ...\n\n// ---------------------------------------------------------------------------\n// Type guards\n// ---------------------------------------------------------------------------\n\nexport function isLensFilterCriteria(\n value: unknown\n): value is LensFilterCriteria {\n return isRecord(value) && typeof value.version === \"number\" && typeof value.kind === \"string\";\n}\n\nexport function isTaxonomyFilterCriteriaV1(\n value: unknown\n): value is TaxonomyFilterCriteriaV1 {\n if (!isLensFilterCriteria(value)) return false;\n return value.version === 1 && value.kind === \"taxonomy\";\n}\n\n// ---------------------------------------------------------------------------\n// Validation\n// ---------------------------------------------------------------------------\n\nexport type FilterValidationResult =\n | { valid: true }\n | { valid: false; errors: string[] };\n\n/**\n * Validate a filter criteria document at the contract layer.\n * This runs before persisting to Convex.\n */\nexport function validateFilterCriteria(\n value: unknown\n): FilterValidationResult {\n if (value === undefined || value === null) {\n return { valid: true }; // filterCriteria is optional\n }\n\n if (!isLensFilterCriteria(value)) {\n return {\n valid: false,\n errors: [\n 'filterCriteria must have numeric \"version\" and string \"kind\" fields',\n ],\n };\n }\n\n if (isTaxonomyFilterCriteriaV1(value)) {\n return validateTaxonomyFilterV1(value);\n }\n\n // Cast to access properties — TypeScript narrows to `never` when all union\n // members are exhausted, but at runtime unknown version/kind combos are possible.\n const raw = value as { version: number; kind: string };\n return {\n valid: false,\n errors: [\n `Unsupported filter criteria: version=${raw.version}, kind=${raw.kind}`,\n ],\n };\n}\n\nfunction isRecord(value: unknown): value is Record<string, unknown> {\n return value !== null && typeof value === \"object\" && !Array.isArray(value);\n}\n\nfunction validateTaxonomyFilterV1(\n criteria: TaxonomyFilterCriteriaV1\n): FilterValidationResult {\n const errors: string[] = [];\n\n if (!Array.isArray(criteria.entityTypeFilters)) {\n errors.push(\"entityTypeFilters must be an array\");\n return { valid: false, errors };\n }\n\n if (criteria.entityTypeFilters.length === 0) {\n errors.push(\"entityTypeFilters must contain at least one entry\");\n return { valid: false, errors };\n }\n\n for (let i = 0; i < criteria.entityTypeFilters.length; i++) {\n const filter = criteria.entityTypeFilters[i];\n if (!filter || typeof filter.entityTypeValue !== \"string\") {\n errors.push(\n `entityTypeFilters[${i}].entityTypeValue must be a non-empty string`\n );\n continue;\n }\n if (filter.entityTypeValue.trim().length === 0) {\n errors.push(\n `entityTypeFilters[${i}].entityTypeValue must be a non-empty string`\n );\n }\n if (\n filter.subtypeValues !== undefined &&\n !Array.isArray(filter.subtypeValues)\n ) {\n errors.push(`entityTypeFilters[${i}].subtypeValues must be an array`);\n }\n }\n\n if (criteria.ontologyScope !== undefined) {\n if (\n typeof criteria.ontologyScope !== \"object\" ||\n criteria.ontologyScope === null\n ) {\n errors.push(\"ontologyScope must be an object\");\n }\n }\n\n return errors.length === 0\n ? { valid: true }\n : { valid: false, errors };\n}\n","/**\n * Canonical lens workflow contract shared across schema, SDK, and MCP surfaces.\n */\n\n// Re-export filter criteria types for consumers who import from lens-workflow\nexport type {\n LensFilterCriteria,\n TaxonomyFilterCriteriaV1,\n EntityTypeFilterV1,\n OntologyScope,\n FilterValidationResult,\n} from \"./lens-filter.contract\";\nexport {\n validateFilterCriteria,\n isLensFilterCriteria,\n isTaxonomyFilterCriteriaV1,\n} from \"./lens-filter.contract\";\n\nexport const LENS_PERSPECTIVE_TYPES = [\n \"investigation\",\n \"monitoring\",\n \"analysis\",\n \"comparison\",\n \"taxonomy\",\n] as const;\n\nexport type LensPerspectiveType = (typeof LENS_PERSPECTIVE_TYPES)[number];\n\nexport const LENS_STATUSES = [\"draft\", \"active\", \"archived\"] as const;\n\nexport type LensStatus = (typeof LENS_STATUSES)[number];\n\nexport const LENS_TASK_TEMPLATE_PRIORITIES = [\n \"critical\",\n \"high\",\n \"medium\",\n \"low\",\n] as const;\n\nexport type LensTaskTemplatePriority =\n (typeof LENS_TASK_TEMPLATE_PRIORITIES)[number];\n\nexport type LensLooseMetadata = Record<string, unknown>;\n\nexport type LensPromptTemplateReference = {\n key: string;\n promptRef: string;\n phase?: string;\n role?: string;\n version?: string;\n required?: boolean;\n metadata?: LensLooseMetadata;\n};\n\nexport type LensWorkflowStepTemplate = {\n key: string;\n title: string;\n description?: string;\n promptTemplateKey?: string;\n taskTemplateKeys?: string[];\n metadata?: LensLooseMetadata;\n};\n\nexport type LensWorkflowTemplate = {\n key: string;\n name: string;\n description?: string;\n steps: LensWorkflowStepTemplate[];\n metadata?: LensLooseMetadata;\n};\n\nexport type LensTaskTemplate = {\n key: string;\n title: string;\n description?: string;\n priority?: LensTaskTemplatePriority;\n phase?: string;\n metadata?: LensLooseMetadata;\n};\n\nexport type LensQuestionTemplate = {\n key: string;\n text: string;\n priority?: LensTaskTemplatePriority;\n linkedBeliefKey?: string;\n metadata?: LensLooseMetadata;\n};\n\nexport type LensBranchMigrationSuggestion = {\n recommendedTool: \"create_lens\";\n perspectiveType: LensPerspectiveType;\n message: string;\n suggestedPayload: {\n name: string;\n description?: string;\n topicId?: string;\n workspaceId?: string;\n perspectiveType: LensPerspectiveType;\n };\n};\n\nexport const BRANCH_DEPRECATION_MESSAGE =\n \"Branches are deprecated for operational framing. Create a workspace-scoped lens instead.\";\n\nexport type DeprecatedBranchMetadata = {\n deprecated: true;\n deprecationMessage: string;\n lensSuggestion: LensBranchMigrationSuggestion;\n};\n\nexport function inferLensPerspectiveTypeFromBranchSchema(\n schema?: string | null\n): LensPerspectiveType {\n const normalized = schema?.trim().toLowerCase();\n if (normalized === \"phase\") {\n return \"monitoring\";\n }\n if (normalized === \"axis\" || normalized === \"dimension\") {\n return \"comparison\";\n }\n if (normalized === \"track\") {\n return \"investigation\";\n }\n return \"analysis\";\n}\n\nexport function migrateBranchToLens(args: {\n name: string;\n description?: string;\n topicId?: string;\n workspaceId?: string;\n schema?: string | null;\n}): LensBranchMigrationSuggestion {\n const perspectiveType = inferLensPerspectiveTypeFromBranchSchema(args.schema);\n return {\n recommendedTool: \"create_lens\",\n perspectiveType,\n message:\n \"Branches are deprecated for operational framing. Create a workspace-scoped lens with the suggested payload instead.\",\n suggestedPayload: {\n name: args.name,\n description: args.description,\n topicId: args.topicId,\n workspaceId: args.workspaceId,\n perspectiveType,\n },\n };\n}\n\nexport function buildDeprecatedBranchMetadata(args: {\n name: string;\n description?: string;\n topicId?: string;\n workspaceId?: string;\n schema?: string | null;\n}): DeprecatedBranchMetadata {\n return {\n deprecated: true,\n deprecationMessage: BRANCH_DEPRECATION_MESSAGE,\n lensSuggestion: migrateBranchToLens(args),\n };\n}\n"]}
|
|
@@ -1,2 +1,2 @@
|
|
|
1
1
|
import 'zod';
|
|
2
|
-
export {
|
|
2
|
+
export { E as EdgePolicyEntry, a as EdgePolicyEntrySchema, b as EdgePolicyManifest, c as EdgePolicyManifestSchema, d as EdgePolicyViolation, h as assertEdgePolicyAllowed, i as findEdgePolicy } from '../edge-policy-manifest-Byv6cQPP.js';
|
|
@@ -61,6 +61,11 @@ var TENANT_CLIENT_INSTALLABLE_PACKAGES = [
|
|
|
61
61
|
role: "sdk_dependency",
|
|
62
62
|
directTenantImport: false
|
|
63
63
|
},
|
|
64
|
+
{
|
|
65
|
+
packageName: "@lucern/graph-sync",
|
|
66
|
+
role: "host_addon_runtime",
|
|
67
|
+
directTenantImport: true
|
|
68
|
+
},
|
|
64
69
|
{
|
|
65
70
|
packageName: "@lucern/identity",
|
|
66
71
|
role: "component_runtime",
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../../src/tenant-client.contract.ts","../../src/infisical-runtime.contract.ts","../../src/manifests/infisical-runtime-manifest.ts"],"names":[],"mappings":";AAoDO,IAAM,0CAAA,GACX,gBAAA;AAUK,IAAM,kCAAA,GAAqC;AAAA,EAChD;AAAA,IACE,WAAA,EAAa,wBAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,eAAA;AAAA,IACb,IAAA,EAAM,kBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,cAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,aAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,qBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,oBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,gBAAA;AAAA,IACb,IAAA,EAAM,eAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,mBAAA;AAAA,IACb,IAAA,EAAM,qBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,uBAAA;AAAA,IACb,IAAA,EAAM,kBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,uBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,gBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,0BAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,kBAAA;AAAA,IACb,IAAA,EAAM,mBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,aAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,mBAAA;AAAA,IACb,IAAA,EAAM,kBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,wBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,wBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,eAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,0BAAA;AAAA,IACb,IAAA,EAAM,mBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,aAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,qBAAA;AAAA,IACb,IAAA,EAAM,kBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,iBAAA;AAAA,IACb,IAAA,EAAM,cAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,eAAA;AAAA,IACb,IAAA,EAAM,qBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA;AAExB,CAAA;AAyBE,kCAAA,CAAmC,GAAA;AAAA,EACjC,CAAC,UAAU,KAAA,CAAM;AACnB;;;ACjMK,IAAM,kCAAA,GAAqC,YAAA;AAE3C,IAAM,iCAAA,GACX,2BAAA;AACK,IAAM,oCAAA,GACX,sCAAA;AAEK,IAAM,8BAAA,GAAiC;AAAA,EAC5C,KAAA;AAAA,EACA,SAAA;AAAA,EACA;AACF,CAAA;AAIO,IAAM,gCAAA,GAAmC;AAAA,EAC9C,aAAA;AAAA,EACA,eAAA;AAAA,EACA;AACF,CAAA;AAeO,IAAM,+BAAA,GAAkC;AAAA,EAC7C,MAAA,EAAQ,CAAC,mBAAA,EAAqB,eAAe,CAAA;AAAA,EAC7C,SAAA,EAAW,CAAC,sBAAA,EAAwB,wBAAwB,CAAA;AAAA,EAC5D,QAAA,EAAU;AAAA,IACR,qBAAA;AAAA,IACA,6BAAA;AAAA,IACA;AAAA,GACF;AAAA,EACA,YAAA,EAAc;AAAA,IACZ,yBAAA;AAAA,IACA,iCAAA;AAAA,IACA;AAAA,GACF;AAAA,EACA,WAAA,EAAa,CAAC,eAAA,EAAiB,sBAAsB,CAAA;AAAA,EACrD,gBAAA,EAAkB,CAAC,oBAAA,EAAsB,6BAA6B,CAAA;AAAA,EACtE,QAAA,EAAU,CAAC,0BAAA,EAA4B,mBAAmB;AAC5D,CAAA;AAoBO,IAAM,uBAAA,GAA0B;AAAA,EACrC;AAAA,IACE,EAAA,EAAI,eAAA;AAAA,IACJ,UAAA,EAAY,gBAAA;AAAA,IACZ,WAAA,EACE,qHAAA;AAAA,IACF,SAAA,EAAW;AAAA,MACT;AAAA,QACE,IAAA,EAAM,mCAAA;AAAA,QACN,QAAA,EAAU,IAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,IAAA;AAAA,QACR,WAAA,EAAa;AAAA,OACf;AAAA,MACA;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,QAAA,EAAU,IAAA;AAAA,QACV,MAAA,EAAQ,IAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,WAAA,EAAa;AAAA,OACf;AAAA,MACA;AAAA,QACE,IAAA,EAAM,yBAAA;AAAA,QACN,QAAA,EAAU,KAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,WAAA,EAAa;AAAA,OACf;AAAA,MACA;AAAA,QACE,IAAA,EAAM,+BAAA;AAAA,QACN,QAAA,EAAU,KAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,IAAA;AAAA,QACR,WAAA,EAAa;AAAA,OACf;AAAA,MACA;AAAA,QACE,IAAA,EAAM,+BAAA;AAAA,QACN,QAAA,EAAU,KAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,IAAA;AAAA,QACR,WAAA,EAAa;AAAA;AACf;AACF,GACF;AAAA,EACA;AAAA,IACE,EAAA,EAAI,kBAAA;AAAA,IACJ,UAAA,EAAY,mBAAA;AAAA,IACZ,WAAA,EACE,6EAAA;AAAA,IACF,SAAA,EAAW;AAAA,MACT;AAAA,QACE,IAAA,EAAM,gBAAA;AAAA,QACN,QAAA,EAAU,IAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,OAAA,EAAS,CAAC,qBAAA,EAAuB,iBAAiB,CAAA;AAAA,QAClD,WAAA,EAAa;AAAA,OACf;AAAA,MACA;AAAA,QACE,IAAA,EAAM,uBAAA;AAAA,QACN,QAAA,EAAU,KAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,OAAA,EAAS,CAAC,sBAAsB,CAAA;AAAA,QAChC,WAAA,EAAa;AAAA,OACf;AAAA,MACA;AAAA,QACE,IAAA,EAAM,oBAAA;AAAA,QACN,QAAA,EAAU,KAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,OAAA,EAAS,CAAC,YAAY,CAAA;AAAA,QACtB,WAAA,EAAa;AAAA;AACf;AACF,GACF;AAAA,EACA;AAAA,IACE,EAAA,EAAI,uBAAA;AAAA,IACJ,UAAA,EAAY,0CAAA;AAAA,IACZ,WAAA,EACE,sGAAA;AAAA,IACF,SAAA,EAAW;AAAA,MACT;AAAA,QACE,IAAA,EAAM,oBAAA;AAAA,QACN,QAAA,EAAU,IAAA;AAAA,QACV,MAAA,EAAQ,IAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,WAAA,EAAa;AAAA;AACf;AACF;AAEJ,CAAA;AAcO,IAAM,0BAAA,GAA6B;AAAA,EACxC;AAAA,IACE,EAAA,EAAI,YAAA;AAAA,IACJ,QAAA,EAAU,aAAA;AAAA,IACV,aAAA,EAAe,CAAC,eAAA,EAAiB,kBAAkB,CAAA;AAAA,IACnD,QAAA,EAAU,mCAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,gBAAA;AAAA,IACJ,QAAA,EAAU,aAAA;AAAA,IACV,aAAA,EAAe,CAAC,eAAA,EAAiB,kBAAkB,CAAA;AAAA,IACnD,QAAA,EAAU,+CAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,YAAA;AAAA,IACJ,WAAA,EAAa,aAAA;AAAA,IACb,QAAA,EAAU,eAAA;AAAA,IACV,aAAA,EAAe,CAAC,kBAAkB,CAAA;AAAA,IAClC,QAAA,EAAU,oEAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,YAAA;AAAA,IACJ,WAAA,EAAa,aAAA;AAAA,IACb,QAAA,EAAU,eAAA;AAAA,IACV,QAAA,EAAU,aAAA;AAAA,IACV,aAAA,EAAe,CAAC,kBAAkB,CAAA;AAAA,IAClC,QAAA,EAAU,kCAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,YAAA;AAAA,IACJ,WAAA,EAAa,aAAA;AAAA,IACb,QAAA,EAAU,eAAA;AAAA,IACV,QAAA,EAAU,aAAA;AAAA,IACV,aAAA,EAAe,CAAC,kBAAkB,CAAA;AAAA,IAClC,QAAA,EAAU,6BAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,eAAA;AAAA,IACJ,QAAA,EAAU,aAAA;AAAA,IACV,aAAA,EAAe,CAAC,uBAAuB,CAAA;AAAA,IACvC,QAAA,EAAU,qCAAA;AAAA,IACV,WAAA,EACE;AAAA;AAEN,CAAA;;;ACpNO,IAAM,0BAAA,GAA6B;AAAA,EACxC,eAAA,EAAiB,OAAA;AAAA,EACjB,eAAA,EAAiB,kCAAA;AAAA,EACjB,OAAA,EAAS;AAAA,IACP,EAAA,EAAI,oCAAA;AAAA,IACJ,MAAA,EAAQ;AAAA,GACV;AAAA,EACA,YAAA,EAAc,8BAAA;AAAA,EACd,aAAA,EAAe,gCAAA;AAAA,EACf,YAAA,EAAc,+BAAA;AAAA,EACd,KAAA,EAAO,uBAAA;AAAA,EACP,QAAA,EAAU;AACZ","file":"infisical-runtime-manifest.js","sourcesContent":["/**\n * Tenant client contract\n *\n * Defines the generic boundary for any customer-owned product that consumes\n * Lucern through the SDK, hosted API, or MCP server. Tenant clients may run\n * their own UI, auth provider, deployment, and data plane, but reasoning\n * operations must enter through the published packages below.\n */\n\nimport type {\n SessionAuthMode,\n SessionPrincipalType,\n} from \"./auth.contract\";\n\nexport const TENANT_CLIENT_CONTRACT_VERSION = \"2026-04-27\" as const;\n\nexport const TENANT_CLIENT_AUTH_MODES = [\n \"interactive_user\",\n \"service_principal\",\n \"tenant_api_key\",\n \"session_token\",\n] as const satisfies readonly SessionAuthMode[];\nexport type TenantClientAuthMode = (typeof TENANT_CLIENT_AUTH_MODES)[number];\n\nexport const TENANT_CLIENT_PRINCIPAL_TYPES = [\n \"human\",\n \"service\",\n \"agent\",\n] as const satisfies readonly SessionPrincipalType[];\nexport type TenantClientPrincipalType =\n (typeof TENANT_CLIENT_PRINCIPAL_TYPES)[number];\n\nexport const TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS = [\n \"tenantId\",\n \"workspaceId\",\n \"principalId\",\n \"authMode\",\n \"scopes\",\n] as const;\nexport type TenantClientRequiredContextField =\n (typeof TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS)[number];\n\nexport const TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS = [\n \"principalType\",\n \"roles\",\n \"sessionId\",\n \"delegationChain\",\n] as const;\nexport type TenantClientOptionalContextField =\n (typeof TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS)[number];\n\nexport const TENANT_CLIENT_INSTALL_TOKEN_ENV = \"INSTALL_LUCERN_NPM\" as const;\nexport const TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH =\n \"tenants/shared\" as const;\nexport const TENANT_CLIENT_FORBIDDEN_INSTALL_TOKEN_INFISICAL_PATHS = [\n \"/platform/publish\",\n] as const;\nexport const TENANT_CLIENT_FORBIDDEN_SECRET_ENV = [\"NPM_TOKEN\"] as const;\nexport type TenantClientForbiddenInstallTokenInfisicalPath =\n (typeof TENANT_CLIENT_FORBIDDEN_INSTALL_TOKEN_INFISICAL_PATHS)[number];\nexport type TenantClientForbiddenSecretEnv =\n (typeof TENANT_CLIENT_FORBIDDEN_SECRET_ENV)[number];\n\nexport const TENANT_CLIENT_INSTALLABLE_PACKAGES = [\n {\n packageName: \"@lucern/access-control\",\n role: \"runtime_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/agent\",\n role: \"platform_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/auth\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/cli\",\n role: \"developer_tool\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/client-core\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/confidence\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/config\",\n role: \"configuration\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/contracts\",\n role: \"contract_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/control-plane\",\n role: \"platform_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/developer-kit\",\n role: \"developer_tool\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/events\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/graph-primitives\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/identity\",\n role: \"component_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/mcp\",\n role: \"runtime_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/pack-host\",\n role: \"platform_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/pack-installer\",\n role: \"developer_tool\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/proof-compiler\",\n role: \"developer_tool\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/react\",\n role: \"runtime_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/reasoning-kernel\",\n role: \"component_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/sdk\",\n role: \"runtime_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/server-core\",\n role: \"platform_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/testing\",\n role: \"test_support\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/types\",\n role: \"contract_entrypoint\",\n directTenantImport: true,\n },\n] as const;\nexport type TenantClientInstallablePackage =\n (typeof TENANT_CLIENT_INSTALLABLE_PACKAGES)[number];\nexport type TenantClientPackageRole = TenantClientInstallablePackage[\"role\"];\nexport type TenantClientInstallablePackageName =\n TenantClientInstallablePackage[\"packageName\"];\n\n/**\n * Direct package installs are package.json entries owned by the tenant repo.\n * Direct imports are source-code imports that tenant application code may use.\n *\n * These concepts intentionally differ: `@lucern/cli` is a direct install when a\n * tenant repo needs the `lucern` binary, but it is not a direct application\n * import. `@lucern/reasoning-kernel` and `@lucern/identity` are direct installs\n * for Convex component binding, while tenant app code should only import their\n * explicit component config subpaths.\n */\nexport type TenantClientInstallProfile = {\n id: string;\n description: string;\n packageNames: readonly TenantClientInstallablePackageName[];\n dependencyField: \"dependencies\" | \"devDependencies\" | \"mixed\";\n};\n\nexport const TENANT_CLIENT_FULL_SUITE_PACKAGE_NAMES =\n TENANT_CLIENT_INSTALLABLE_PACKAGES.map(\n (entry) => entry.packageName\n ) as readonly TenantClientInstallablePackageName[];\n\nexport const TENANT_CLIENT_INSTALL_PROFILES = [\n {\n id: \"core_app_runtime\",\n description:\n \"Smallest tenant app/runtime install for typed Lucern API calls plus tool-access policy helpers.\",\n packageNames: [\"@lucern/sdk\", \"@lucern/access-control\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"react_app_runtime\",\n description:\n \"React tenant app install for hooks, provider, curated graph components, and direct SDK calls.\",\n packageNames: [\"@lucern/react\", \"@lucern/sdk\", \"@lucern/access-control\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"convex_components\",\n description:\n \"Tenant Convex host install for binding the Lucern identity and reasoning-kernel components.\",\n packageNames: [\"@lucern/identity\", \"@lucern/reasoning-kernel\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"operator_cli\",\n description:\n \"Developer/operator install for the `lucern` binary, including tenant bootstrap seed commands.\",\n packageNames: [\"@lucern/cli\"],\n dependencyField: \"devDependencies\",\n },\n {\n id: \"mcp_runtime\",\n description:\n \"Agent runtime install for the standalone Lucern MCP server and hosted route helpers.\",\n packageNames: [\"@lucern/mcp\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"contracts_and_types\",\n description:\n \"Compile-time contract/type install for codegen, audits, and tenant integration validation.\",\n packageNames: [\"@lucern/contracts\", \"@lucern/types\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"full_suite\",\n description:\n \"Full coherent Lucern package suite for design-partner repos that want every published runtime, tool, component, test, and config package pinned together.\",\n packageNames: TENANT_CLIENT_FULL_SUITE_PACKAGE_NAMES,\n dependencyField: \"mixed\",\n },\n] as const satisfies readonly TenantClientInstallProfile[];\nexport type TenantClientInstallProfileId =\n (typeof TENANT_CLIENT_INSTALL_PROFILES)[number][\"id\"];\n\n/**\n * Direct imports tenant-owned product code may use. This is intentionally\n * smaller than TENANT_CLIENT_INSTALLABLE_PACKAGES: several publishable packages\n * are installed as SDK dependencies, tooling, or platform runtimes but should\n * not become the application integration surface.\n */\nexport const TENANT_CLIENT_PUBLIC_IMPORTS = [\n {\n packageName: \"@lucern/sdk\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description: \"TypeScript SDK runtime and generated operation namespaces.\",\n },\n {\n packageName: \"@lucern/react\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description: \"React bindings for tenant-owned UI applications.\",\n },\n {\n packageName: \"@lucern/mcp\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description: \"MCP client/server entry points and hosted route helpers.\",\n },\n {\n packageName: \"@lucern/contracts\",\n surface: \"contract\",\n subpaths: \"published_exports\",\n description: \"Published type and manifest contracts.\",\n },\n {\n packageName: \"@lucern/access-control\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description:\n \"Tenant runtime access-control helpers, including effective tool access.\",\n },\n {\n packageName: \"@lucern/types\",\n surface: \"contract\",\n subpaths: \"published_exports\",\n description: \"Published type-only helpers for tenant integration code.\",\n },\n] as const;\nexport type TenantClientPublicImport =\n (typeof TENANT_CLIENT_PUBLIC_IMPORTS)[number];\nexport type TenantClientPublicPackage =\n TenantClientPublicImport[\"packageName\"];\nexport type TenantClientPublicSurface = TenantClientPublicImport[\"surface\"];\n\nexport const TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS = [\n {\n packageName: \"@lucern/identity\",\n importPath: \"@lucern/identity/convex.config\",\n surface: \"component_config\",\n description:\n \"Convex component binding config for tenant deployments that install Lucern identity.\",\n },\n {\n packageName: \"@lucern/reasoning-kernel\",\n importPath: \"@lucern/reasoning-kernel/convex.config\",\n surface: \"component_config\",\n description:\n \"Convex component binding config for tenant deployments that install the Lucern reasoning kernel.\",\n },\n {\n packageName: \"@lucern/reasoning-kernel\",\n importPath: \"@lucern/reasoning-kernel/runtime.config\",\n surface: \"component_config\",\n description:\n \"Runtime config alias for tenant deployments that install the Lucern reasoning kernel.\",\n },\n] as const;\nexport type TenantClientComponentConfigImport =\n (typeof TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS)[number];\nexport type TenantClientAllowedImport =\n | TenantClientPublicImport\n | TenantClientComponentConfigImport;\n\nexport function findTenantClientInstallablePackage(\n packageName: string\n): TenantClientInstallablePackage | undefined {\n return TENANT_CLIENT_INSTALLABLE_PACKAGES.find(\n (entry) => entry.packageName === packageName\n );\n}\n\nexport function isTenantClientInstallablePackage(packageName: string): boolean {\n return Boolean(findTenantClientInstallablePackage(packageName));\n}\n\nexport const TENANT_CLIENT_REQUIRED_SDK_NAMESPACES = [\n \"bootstrap\",\n \"context\",\n \"beliefs\",\n \"evidence\",\n \"questions\",\n \"graph\",\n \"worktrees\",\n \"topics\",\n \"edges\",\n \"contradictions\",\n \"contracts\",\n \"graphIntel\",\n \"graphIntelligence\",\n \"graphAnalysis\",\n \"graphRecommendations\",\n \"orgGraphSearch\",\n \"embeddings\",\n \"ontologyLinks\",\n \"graphStateClassifier\",\n \"tools\",\n \"identity\",\n \"modelRuntime\",\n \"events\",\n \"jobs\",\n \"telemetry\",\n] as const;\nexport type TenantClientRequiredSdkNamespace =\n (typeof TENANT_CLIENT_REQUIRED_SDK_NAMESPACES)[number];\n\nexport const TENANT_CLIENT_CAPABILITIES = [\n {\n id: \"identity.bootstrap_session\",\n description: \"Start a scoped Lucern session for a tenant principal.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.context.compile\",\n description: \"Compile tenant and workspace scoped reasoning context.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/react\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.graph.read\",\n description: \"Read beliefs, evidence, questions, topics, graph edges, and lineage.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/react\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.graph.write\",\n description: \"Create and update graph objects through authorized APIs.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.graph_intelligence.run\",\n description:\n \"Discover and run Graph Intelligence query recipes for structural graph analysis.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/cli\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"workflow.worktree_lifecycle\",\n description: \"Create, review, merge, and close scoped worktrees.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/react\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n] as const;\nexport type TenantClientCapability =\n (typeof TENANT_CLIENT_CAPABILITIES)[number];\nexport type TenantClientCapabilityId = TenantClientCapability[\"id\"];\n\nexport const TENANT_CLIENT_ISOLATION_RULES = [\n {\n id: \"tenant_workspace_scope_required\",\n description:\n \"Runtime operations must resolve both tenantId and workspaceId before reaching Lucern reasoning state.\",\n },\n {\n id: \"principal_audit_required\",\n description:\n \"Runtime operations must carry principalId, authMode, and scopes for audit attribution.\",\n },\n {\n id: \"no_private_lucern_imports\",\n description:\n \"Tenant code must not import Lucern source, Convex internals, generated adapters, or unpublished package internals.\",\n },\n] as const;\nexport type TenantClientIsolationRule =\n (typeof TENANT_CLIENT_ISOLATION_RULES)[number];\n\nexport const TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS = [\n {\n id: \"deep_src_import\",\n pattern: \"^@lucern/[^/]+/src(?:/|$)\",\n description: \"Published packages must not be bypassed through src paths.\",\n },\n {\n id: \"deep_dist_import\",\n pattern: \"^@lucern/[^/]+/dist(?:/|$)\",\n description:\n \"Published package exports must be used instead of dist file paths.\",\n },\n {\n id: \"generated_adapter_import\",\n pattern: \"^@lucern/[^/]+/(?:adapters/)?_generated(?:/|$)\",\n description:\n \"Generated Lucern adapters are internal deployment artifacts.\",\n },\n {\n id: \"private_runtime_import\",\n pattern: \"^@lucern/[^/]+/(?:internal|private)(?:/|$)\",\n description: \"Internal and private package subpaths are not public SDK API.\",\n },\n {\n id: \"workspace_source_import\",\n pattern: \"^(?:packages|modules|services|lucern|apps)/(?:.+/)?src(?:/|$)\",\n description:\n \"Tenant clients must not import source files from the Lucern monorepo.\",\n },\n {\n id: \"root_alias_lucern_import\",\n pattern: \"^@/(?:lucern|packages|modules|services|apps)(?:/|$)\",\n description:\n \"Tenant clients must not depend on Lucern repo-local path aliases.\",\n },\n {\n id: \"relative_lucern_source_import\",\n pattern: \"^\\\\.\\\\.?/(?:.+/)?(?:packages|modules|services|lucern|apps)(?:/|$)\",\n description:\n \"Tenant clients must not reach back into Lucern source through relative paths.\",\n },\n {\n id: \"monorepo_path_import\",\n pattern: \"lucern-repo\",\n description:\n \"Absolute imports that name the Lucern repository are not portable tenant code.\",\n },\n] as const;\nexport type TenantClientForbiddenImportPattern =\n (typeof TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS)[number];\nexport type TenantClientForbiddenImportPatternId =\n TenantClientForbiddenImportPattern[\"id\"];\n\nexport type TenantClientImportDecision =\n | \"public\"\n | \"forbidden\"\n | \"local\"\n | \"external\";\n\nexport type TenantClientImportClassification = {\n importPath: string;\n decision: TenantClientImportDecision;\n publicImport?: TenantClientAllowedImport;\n pattern?: TenantClientForbiddenImportPattern;\n reason: string;\n};\n\nfunction matchesPublicImport(\n importPath: string\n): TenantClientAllowedImport | undefined {\n const componentConfig = TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS.find(\n (entry) => importPath === entry.importPath\n );\n if (componentConfig) {\n return componentConfig;\n }\n\n return TENANT_CLIENT_PUBLIC_IMPORTS.find(\n (entry) =>\n importPath === entry.packageName ||\n importPath.startsWith(`${entry.packageName}/`)\n );\n}\n\nfunction matchesForbiddenPattern(\n importPath: string\n): TenantClientForbiddenImportPattern | undefined {\n return TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS.find((entry) =>\n new RegExp(entry.pattern, \"u\").test(importPath)\n );\n}\n\nexport function classifyTenantClientImport(\n importPath: string\n): TenantClientImportClassification {\n const normalizedImportPath = importPath.trim();\n const pattern = matchesForbiddenPattern(normalizedImportPath);\n\n if (pattern) {\n return {\n importPath: normalizedImportPath,\n decision: \"forbidden\",\n pattern,\n reason: pattern.description,\n };\n }\n\n const publicImport = matchesPublicImport(normalizedImportPath);\n if (publicImport) {\n return {\n importPath: normalizedImportPath,\n decision: \"public\",\n publicImport,\n reason: publicImport.description,\n };\n }\n\n if (normalizedImportPath.startsWith(\"@lucern/\")) {\n return {\n importPath: normalizedImportPath,\n decision: \"forbidden\",\n reason:\n \"This @lucern package is not part of the tenant client public surface.\",\n };\n }\n\n if (\n normalizedImportPath.startsWith(\"./\") ||\n normalizedImportPath.startsWith(\"../\")\n ) {\n return {\n importPath: normalizedImportPath,\n decision: \"local\",\n reason: \"Local tenant-owned import.\",\n };\n }\n\n return {\n importPath: normalizedImportPath,\n decision: \"external\",\n reason: \"External dependency outside the Lucern package namespace.\",\n };\n}\n\nexport function isTenantClientPublicImport(importPath: string): boolean {\n return classifyTenantClientImport(importPath).decision === \"public\";\n}\n\nexport function isTenantClientComponentConfigImport(\n importPath: string\n): boolean {\n return TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS.some(\n (entry) => importPath === entry.importPath\n );\n}\n\nexport function isTenantClientAllowedImport(importPath: string): boolean {\n return classifyTenantClientImport(importPath).decision === \"public\";\n}\n\nexport function assertTenantClientImportAllowed(importPath: string): void {\n const classification = classifyTenantClientImport(importPath);\n if (classification.decision !== \"forbidden\") {\n return;\n }\n\n throw new Error(formatTenantClientImportViolation(classification));\n}\n\nexport function formatTenantClientImportViolation(\n classification: TenantClientImportClassification\n): string {\n const patternId = classification.pattern\n ? ` [${classification.pattern.id}]`\n : \"\";\n return `Tenant client import is not allowed${patternId}: ${classification.importPath}. ${classification.reason}`;\n}\n","/**\n * Infisical runtime contract\n *\n * Defines how Lucern runtime surfaces receive platform configuration and\n * secrets. Vercel-owned apps consume Infisical through secret syncs. Server,\n * CLI, MCP, and SDK operator contexts may hydrate runtime config directly from\n * Infisical when they have a scoped machine identity. Tenant user auth still\n * flows through Lucern device login; tenant tools never receive platform Clerk\n * secrets.\n */\n\nimport { TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH } from \"./tenant-client.contract\";\n\nexport const INFISICAL_RUNTIME_CONTRACT_VERSION = \"2026-04-28\" as const;\n\nexport const INFISICAL_RUNTIME_DEFAULT_API_URL =\n \"https://app.infisical.com\" as const;\nexport const INFISICAL_RUNTIME_DEFAULT_PROJECT_ID =\n \"344b0526-90df-4606-ba50-22c647a36c65\" as const;\n\nexport const INFISICAL_RUNTIME_ENVIRONMENTS = [\n \"dev\",\n \"staging\",\n \"prod\",\n] as const;\nexport type InfisicalRuntimeEnvironment =\n (typeof INFISICAL_RUNTIME_ENVIRONMENTS)[number];\n\nexport const INFISICAL_RUNTIME_DELIVERY_MODES = [\n \"vercel_sync\",\n \"runtime_fetch\",\n \"device_auth\",\n] as const;\nexport type InfisicalRuntimeDeliveryMode =\n (typeof INFISICAL_RUNTIME_DELIVERY_MODES)[number];\n\nexport const INFISICAL_RUNTIME_SURFACE_IDS = [\n \"lucern-web\",\n \"lucern-gateway\",\n \"lucern-sdk\",\n \"lucern-cli\",\n \"lucern-mcp\",\n \"tenant-client\",\n] as const;\nexport type InfisicalRuntimeSurfaceId =\n (typeof INFISICAL_RUNTIME_SURFACE_IDS)[number];\n\nexport const INFISICAL_RUNTIME_BOOTSTRAP_ENV = {\n apiUrl: [\"INFISICAL_API_URL\", \"INFISICAL_URL\"],\n projectId: [\"INFISICAL_PROJECT_ID\", \"INFISICAL_WORKSPACE_ID\"],\n clientId: [\n \"INFISICAL_CLIENT_ID\",\n \"INFISICAL_MACHINE_CLIENT_ID\",\n \"INFISICAL_UNIVERSAL_AUTH_CLIENT_ID\",\n ],\n clientSecret: [\n \"INFISICAL_CLIENT_SECRET\",\n \"INFISICAL_MACHINE_CLIENT_SECRET\",\n \"INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET\",\n ],\n environment: [\"INFISICAL_ENV\", \"LUCERN_INFISICAL_ENV\"],\n organizationSlug: [\"INFISICAL_ORG_SLUG\", \"INFISICAL_ORGANIZATION_SLUG\"],\n disabled: [\"LUCERN_INFISICAL_DISABLE\", \"INFISICAL_DISABLE\"],\n} as const;\nexport type InfisicalRuntimeBootstrapEnv =\n typeof INFISICAL_RUNTIME_BOOTSTRAP_ENV;\n\nexport type InfisicalRuntimeVariable = {\n readonly name: string;\n readonly required: boolean;\n readonly secret: boolean;\n readonly public: boolean;\n readonly aliases?: readonly string[];\n readonly description: string;\n};\n\nexport type InfisicalRuntimePathDefinition = {\n readonly id: string;\n readonly secretPath: string;\n readonly description: string;\n readonly variables: readonly InfisicalRuntimeVariable[];\n};\n\nexport const INFISICAL_RUNTIME_PATHS = [\n {\n id: \"platform-auth\",\n secretPath: \"/platform/auth\",\n description:\n \"Lucern platform authentication secrets. Synced into Vercel web/gateway projects; never distributed to tenant tools.\",\n variables: [\n {\n name: \"NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY\",\n required: true,\n secret: false,\n public: true,\n description: \"Clerk publishable key for the Lucern web origin.\",\n },\n {\n name: \"CLERK_SECRET_KEY\",\n required: true,\n secret: true,\n public: false,\n description: \"Clerk backend secret key for Lucern server runtimes.\",\n },\n {\n name: \"CLERK_JWT_ISSUER_DOMAIN\",\n required: false,\n secret: false,\n public: false,\n description: \"Expected Clerk issuer/JWKS domain for JWT verification.\",\n },\n {\n name: \"NEXT_PUBLIC_CLERK_SIGN_IN_URL\",\n required: false,\n secret: false,\n public: true,\n description: \"Public sign-in URL for Lucern-owned web flows.\",\n },\n {\n name: \"NEXT_PUBLIC_CLERK_SIGN_UP_URL\",\n required: false,\n secret: false,\n public: true,\n description: \"Public sign-up URL for Lucern-owned web flows.\",\n },\n ],\n },\n {\n id: \"platform-runtime\",\n secretPath: \"/platform/runtime\",\n description:\n \"Runtime defaults shared by server-side Lucern clients and operator tooling.\",\n variables: [\n {\n name: \"LUCERN_API_URL\",\n required: true,\n secret: false,\n public: false,\n aliases: [\"LUCERN_API_BASE_URL\", \"LUCERN_BASE_URL\"],\n description: \"Canonical Lucern API gateway URL.\",\n },\n {\n name: \"LUCERN_LOGIN_BASE_URL\",\n required: false,\n secret: false,\n public: false,\n aliases: [\"LUCERN_AUTH_BASE_URL\"],\n description: \"Browser login origin used when it differs from the API.\",\n },\n {\n name: \"LUCERN_ENVIRONMENT\",\n required: false,\n secret: false,\n public: false,\n aliases: [\"LUCERN_ENV\"],\n description: \"Lucern environment label consumed by CLI profiles.\",\n },\n ],\n },\n {\n id: \"tenant-shared-install\",\n secretPath: TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH,\n description:\n \"Tenant package-install secrets. This is install-only and distinct from platform publish credentials.\",\n variables: [\n {\n name: \"INSTALL_LUCERN_NPM\",\n required: true,\n secret: true,\n public: false,\n description: \"Read-only install token for the published @lucern/* suite.\",\n },\n ],\n },\n] as const satisfies readonly InfisicalRuntimePathDefinition[];\nexport type InfisicalRuntimePath = (typeof INFISICAL_RUNTIME_PATHS)[number];\nexport type InfisicalRuntimePathId = InfisicalRuntimePath[\"id\"];\n\nexport type InfisicalRuntimeSurfaceDefinition = {\n readonly id: InfisicalRuntimeSurfaceId;\n readonly packageName?: string;\n readonly delivery: InfisicalRuntimeDeliveryMode;\n readonly fallback?: InfisicalRuntimeDeliveryMode;\n readonly sourcePathIds: readonly InfisicalRuntimePathId[];\n readonly consumer: string;\n readonly description: string;\n};\n\nexport const INFISICAL_RUNTIME_SURFACES = [\n {\n id: \"lucern-web\",\n delivery: \"vercel_sync\",\n sourcePathIds: [\"platform-auth\", \"platform-runtime\"],\n consumer: \"apps/web on Vercel project lucern\",\n description:\n \"Lucern web consumes Clerk and runtime config via Infisical-to-Vercel syncs.\",\n },\n {\n id: \"lucern-gateway\",\n delivery: \"vercel_sync\",\n sourcePathIds: [\"platform-auth\", \"platform-runtime\"],\n consumer: \"apps/gateway on Vercel project lucern-gateway\",\n description:\n \"Lucern gateway consumes platform config via Infisical-to-Vercel syncs.\",\n },\n {\n id: \"lucern-sdk\",\n packageName: \"@lucern/sdk\",\n delivery: \"runtime_fetch\",\n sourcePathIds: [\"platform-runtime\"],\n consumer: \"server-side SDK operator contexts with a scoped Infisical identity\",\n description:\n \"SDK exposes the runtime Infisical resolver used by clients that have machine identity credentials.\",\n },\n {\n id: \"lucern-cli\",\n packageName: \"@lucern/cli\",\n delivery: \"runtime_fetch\",\n fallback: \"device_auth\",\n sourcePathIds: [\"platform-runtime\"],\n consumer: \"developer/operator CLI processes\",\n description:\n \"CLI hydrates runtime defaults from Infisical when configured, then authenticates users through Lucern device login.\",\n },\n {\n id: \"lucern-mcp\",\n packageName: \"@lucern/mcp\",\n delivery: \"runtime_fetch\",\n fallback: \"device_auth\",\n sourcePathIds: [\"platform-runtime\"],\n consumer: \"MCP server/client processes\",\n description:\n \"MCP hydrates runtime defaults through the SDK resolver and remains a Lucern client, not a platform secret owner.\",\n },\n {\n id: \"tenant-client\",\n delivery: \"device_auth\",\n sourcePathIds: [\"tenant-shared-install\"],\n consumer: \"tenant-owned apps and coding agents\",\n description:\n \"Tenant clients install the published packages and receive user/service credentials through Lucern auth surfaces.\",\n },\n] as const satisfies readonly InfisicalRuntimeSurfaceDefinition[];\nexport type InfisicalRuntimeSurface =\n (typeof INFISICAL_RUNTIME_SURFACES)[number];\n\nexport function findInfisicalRuntimePath(\n pathId: InfisicalRuntimePathId\n): InfisicalRuntimePath | undefined {\n return INFISICAL_RUNTIME_PATHS.find((path) => path.id === pathId);\n}\n\nexport function findInfisicalRuntimeSurface(\n surfaceId: InfisicalRuntimeSurfaceId\n): InfisicalRuntimeSurface | undefined {\n return INFISICAL_RUNTIME_SURFACES.find(\n (surface) => surface.id === surfaceId\n );\n}\n","import {\n INFISICAL_RUNTIME_BOOTSTRAP_ENV,\n INFISICAL_RUNTIME_CONTRACT_VERSION,\n INFISICAL_RUNTIME_DEFAULT_API_URL,\n INFISICAL_RUNTIME_DEFAULT_PROJECT_ID,\n INFISICAL_RUNTIME_DELIVERY_MODES,\n INFISICAL_RUNTIME_ENVIRONMENTS,\n INFISICAL_RUNTIME_PATHS,\n INFISICAL_RUNTIME_SURFACES,\n type InfisicalRuntimeBootstrapEnv,\n type InfisicalRuntimeDeliveryMode,\n type InfisicalRuntimeEnvironment,\n type InfisicalRuntimePath,\n type InfisicalRuntimeSurface,\n} from \"../infisical-runtime.contract\";\n\nexport type InfisicalRuntimeManifest = {\n readonly manifestVersion: \"1.0.0\";\n readonly contractVersion: typeof INFISICAL_RUNTIME_CONTRACT_VERSION;\n readonly project: {\n readonly id: typeof INFISICAL_RUNTIME_DEFAULT_PROJECT_ID;\n readonly apiUrl: typeof INFISICAL_RUNTIME_DEFAULT_API_URL;\n };\n readonly environments: readonly InfisicalRuntimeEnvironment[];\n readonly deliveryModes: readonly InfisicalRuntimeDeliveryMode[];\n readonly bootstrapEnv: InfisicalRuntimeBootstrapEnv;\n readonly paths: readonly InfisicalRuntimePath[];\n readonly surfaces: readonly InfisicalRuntimeSurface[];\n};\n\nexport const INFISICAL_RUNTIME_MANIFEST = {\n manifestVersion: \"1.0.0\",\n contractVersion: INFISICAL_RUNTIME_CONTRACT_VERSION,\n project: {\n id: INFISICAL_RUNTIME_DEFAULT_PROJECT_ID,\n apiUrl: INFISICAL_RUNTIME_DEFAULT_API_URL,\n },\n environments: INFISICAL_RUNTIME_ENVIRONMENTS,\n deliveryModes: INFISICAL_RUNTIME_DELIVERY_MODES,\n bootstrapEnv: INFISICAL_RUNTIME_BOOTSTRAP_ENV,\n paths: INFISICAL_RUNTIME_PATHS,\n surfaces: INFISICAL_RUNTIME_SURFACES,\n} as const satisfies InfisicalRuntimeManifest;\n"]}
|
|
1
|
+
{"version":3,"sources":["../../src/tenant-client.contract.ts","../../src/infisical-runtime.contract.ts","../../src/manifests/infisical-runtime-manifest.ts"],"names":[],"mappings":";AAoDO,IAAM,0CAAA,GACX,gBAAA;AAUK,IAAM,kCAAA,GAAqC;AAAA,EAChD;AAAA,IACE,WAAA,EAAa,wBAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,eAAA;AAAA,IACb,IAAA,EAAM,kBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,cAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,aAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,qBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,oBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,gBAAA;AAAA,IACb,IAAA,EAAM,eAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,mBAAA;AAAA,IACb,IAAA,EAAM,qBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,uBAAA;AAAA,IACb,IAAA,EAAM,kBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,uBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,gBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,0BAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,oBAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,kBAAA;AAAA,IACb,IAAA,EAAM,mBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,aAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,mBAAA;AAAA,IACb,IAAA,EAAM,kBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,wBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,wBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,eAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,0BAAA;AAAA,IACb,IAAA,EAAM,mBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,aAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,qBAAA;AAAA,IACb,IAAA,EAAM,kBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,iBAAA;AAAA,IACb,IAAA,EAAM,cAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,eAAA;AAAA,IACb,IAAA,EAAM,qBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA;AAExB,CAAA;AAyBE,kCAAA,CAAmC,GAAA;AAAA,EACjC,CAAC,UAAU,KAAA,CAAM;AACnB;;;ACtMK,IAAM,kCAAA,GAAqC,YAAA;AAE3C,IAAM,iCAAA,GACX,2BAAA;AACK,IAAM,oCAAA,GACX,sCAAA;AAEK,IAAM,8BAAA,GAAiC;AAAA,EAC5C,KAAA;AAAA,EACA,SAAA;AAAA,EACA;AACF,CAAA;AAIO,IAAM,gCAAA,GAAmC;AAAA,EAC9C,aAAA;AAAA,EACA,eAAA;AAAA,EACA;AACF,CAAA;AAeO,IAAM,+BAAA,GAAkC;AAAA,EAC7C,MAAA,EAAQ,CAAC,mBAAA,EAAqB,eAAe,CAAA;AAAA,EAC7C,SAAA,EAAW,CAAC,sBAAA,EAAwB,wBAAwB,CAAA;AAAA,EAC5D,QAAA,EAAU;AAAA,IACR,qBAAA;AAAA,IACA,6BAAA;AAAA,IACA;AAAA,GACF;AAAA,EACA,YAAA,EAAc;AAAA,IACZ,yBAAA;AAAA,IACA,iCAAA;AAAA,IACA;AAAA,GACF;AAAA,EACA,WAAA,EAAa,CAAC,eAAA,EAAiB,sBAAsB,CAAA;AAAA,EACrD,gBAAA,EAAkB,CAAC,oBAAA,EAAsB,6BAA6B,CAAA;AAAA,EACtE,QAAA,EAAU,CAAC,0BAAA,EAA4B,mBAAmB;AAC5D,CAAA;AAoBO,IAAM,uBAAA,GAA0B;AAAA,EACrC;AAAA,IACE,EAAA,EAAI,eAAA;AAAA,IACJ,UAAA,EAAY,gBAAA;AAAA,IACZ,WAAA,EACE,qHAAA;AAAA,IACF,SAAA,EAAW;AAAA,MACT;AAAA,QACE,IAAA,EAAM,mCAAA;AAAA,QACN,QAAA,EAAU,IAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,IAAA;AAAA,QACR,WAAA,EAAa;AAAA,OACf;AAAA,MACA;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,QAAA,EAAU,IAAA;AAAA,QACV,MAAA,EAAQ,IAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,WAAA,EAAa;AAAA,OACf;AAAA,MACA;AAAA,QACE,IAAA,EAAM,yBAAA;AAAA,QACN,QAAA,EAAU,KAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,WAAA,EAAa;AAAA,OACf;AAAA,MACA;AAAA,QACE,IAAA,EAAM,+BAAA;AAAA,QACN,QAAA,EAAU,KAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,IAAA;AAAA,QACR,WAAA,EAAa;AAAA,OACf;AAAA,MACA;AAAA,QACE,IAAA,EAAM,+BAAA;AAAA,QACN,QAAA,EAAU,KAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,IAAA;AAAA,QACR,WAAA,EAAa;AAAA;AACf;AACF,GACF;AAAA,EACA;AAAA,IACE,EAAA,EAAI,kBAAA;AAAA,IACJ,UAAA,EAAY,mBAAA;AAAA,IACZ,WAAA,EACE,6EAAA;AAAA,IACF,SAAA,EAAW;AAAA,MACT;AAAA,QACE,IAAA,EAAM,gBAAA;AAAA,QACN,QAAA,EAAU,IAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,OAAA,EAAS,CAAC,qBAAA,EAAuB,iBAAiB,CAAA;AAAA,QAClD,WAAA,EAAa;AAAA,OACf;AAAA,MACA;AAAA,QACE,IAAA,EAAM,uBAAA;AAAA,QACN,QAAA,EAAU,KAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,OAAA,EAAS,CAAC,sBAAsB,CAAA;AAAA,QAChC,WAAA,EAAa;AAAA,OACf;AAAA,MACA;AAAA,QACE,IAAA,EAAM,oBAAA;AAAA,QACN,QAAA,EAAU,KAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,OAAA,EAAS,CAAC,YAAY,CAAA;AAAA,QACtB,WAAA,EAAa;AAAA;AACf;AACF,GACF;AAAA,EACA;AAAA,IACE,EAAA,EAAI,uBAAA;AAAA,IACJ,UAAA,EAAY,0CAAA;AAAA,IACZ,WAAA,EACE,sGAAA;AAAA,IACF,SAAA,EAAW;AAAA,MACT;AAAA,QACE,IAAA,EAAM,oBAAA;AAAA,QACN,QAAA,EAAU,IAAA;AAAA,QACV,MAAA,EAAQ,IAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,WAAA,EAAa;AAAA;AACf;AACF;AAEJ,CAAA;AAcO,IAAM,0BAAA,GAA6B;AAAA,EACxC;AAAA,IACE,EAAA,EAAI,YAAA;AAAA,IACJ,QAAA,EAAU,aAAA;AAAA,IACV,aAAA,EAAe,CAAC,eAAA,EAAiB,kBAAkB,CAAA;AAAA,IACnD,QAAA,EAAU,mCAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,gBAAA;AAAA,IACJ,QAAA,EAAU,aAAA;AAAA,IACV,aAAA,EAAe,CAAC,eAAA,EAAiB,kBAAkB,CAAA;AAAA,IACnD,QAAA,EAAU,+CAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,YAAA;AAAA,IACJ,WAAA,EAAa,aAAA;AAAA,IACb,QAAA,EAAU,eAAA;AAAA,IACV,aAAA,EAAe,CAAC,kBAAkB,CAAA;AAAA,IAClC,QAAA,EAAU,oEAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,YAAA;AAAA,IACJ,WAAA,EAAa,aAAA;AAAA,IACb,QAAA,EAAU,eAAA;AAAA,IACV,QAAA,EAAU,aAAA;AAAA,IACV,aAAA,EAAe,CAAC,kBAAkB,CAAA;AAAA,IAClC,QAAA,EAAU,kCAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,YAAA;AAAA,IACJ,WAAA,EAAa,aAAA;AAAA,IACb,QAAA,EAAU,eAAA;AAAA,IACV,QAAA,EAAU,aAAA;AAAA,IACV,aAAA,EAAe,CAAC,kBAAkB,CAAA;AAAA,IAClC,QAAA,EAAU,6BAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,eAAA;AAAA,IACJ,QAAA,EAAU,aAAA;AAAA,IACV,aAAA,EAAe,CAAC,uBAAuB,CAAA;AAAA,IACvC,QAAA,EAAU,qCAAA;AAAA,IACV,WAAA,EACE;AAAA;AAEN,CAAA;;;ACpNO,IAAM,0BAAA,GAA6B;AAAA,EACxC,eAAA,EAAiB,OAAA;AAAA,EACjB,eAAA,EAAiB,kCAAA;AAAA,EACjB,OAAA,EAAS;AAAA,IACP,EAAA,EAAI,oCAAA;AAAA,IACJ,MAAA,EAAQ;AAAA,GACV;AAAA,EACA,YAAA,EAAc,8BAAA;AAAA,EACd,aAAA,EAAe,gCAAA;AAAA,EACf,YAAA,EAAc,+BAAA;AAAA,EACd,KAAA,EAAO,uBAAA;AAAA,EACP,QAAA,EAAU;AACZ","file":"infisical-runtime-manifest.js","sourcesContent":["/**\n * Tenant client contract\n *\n * Defines the generic boundary for any customer-owned product that consumes\n * Lucern through the SDK, hosted API, or MCP server. Tenant clients may run\n * their own UI, auth provider, deployment, and data plane, but reasoning\n * operations must enter through the published packages below.\n */\n\nimport type {\n SessionAuthMode,\n SessionPrincipalType,\n} from \"./auth.contract\";\n\nexport const TENANT_CLIENT_CONTRACT_VERSION = \"2026-04-27\" as const;\n\nexport const TENANT_CLIENT_AUTH_MODES = [\n \"interactive_user\",\n \"service_principal\",\n \"tenant_api_key\",\n \"session_token\",\n] as const satisfies readonly SessionAuthMode[];\nexport type TenantClientAuthMode = (typeof TENANT_CLIENT_AUTH_MODES)[number];\n\nexport const TENANT_CLIENT_PRINCIPAL_TYPES = [\n \"human\",\n \"service\",\n \"agent\",\n] as const satisfies readonly SessionPrincipalType[];\nexport type TenantClientPrincipalType =\n (typeof TENANT_CLIENT_PRINCIPAL_TYPES)[number];\n\nexport const TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS = [\n \"tenantId\",\n \"workspaceId\",\n \"principalId\",\n \"authMode\",\n \"scopes\",\n] as const;\nexport type TenantClientRequiredContextField =\n (typeof TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS)[number];\n\nexport const TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS = [\n \"principalType\",\n \"roles\",\n \"sessionId\",\n \"delegationChain\",\n] as const;\nexport type TenantClientOptionalContextField =\n (typeof TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS)[number];\n\nexport const TENANT_CLIENT_INSTALL_TOKEN_ENV = \"INSTALL_LUCERN_NPM\" as const;\nexport const TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH =\n \"tenants/shared\" as const;\nexport const TENANT_CLIENT_FORBIDDEN_INSTALL_TOKEN_INFISICAL_PATHS = [\n \"/platform/publish\",\n] as const;\nexport const TENANT_CLIENT_FORBIDDEN_SECRET_ENV = [\"NPM_TOKEN\"] as const;\nexport type TenantClientForbiddenInstallTokenInfisicalPath =\n (typeof TENANT_CLIENT_FORBIDDEN_INSTALL_TOKEN_INFISICAL_PATHS)[number];\nexport type TenantClientForbiddenSecretEnv =\n (typeof TENANT_CLIENT_FORBIDDEN_SECRET_ENV)[number];\n\nexport const TENANT_CLIENT_INSTALLABLE_PACKAGES = [\n {\n packageName: \"@lucern/access-control\",\n role: \"runtime_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/agent\",\n role: \"platform_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/auth\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/cli\",\n role: \"developer_tool\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/client-core\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/confidence\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/config\",\n role: \"configuration\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/contracts\",\n role: \"contract_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/control-plane\",\n role: \"platform_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/developer-kit\",\n role: \"developer_tool\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/events\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/graph-primitives\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/graph-sync\",\n role: \"host_addon_runtime\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/identity\",\n role: \"component_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/mcp\",\n role: \"runtime_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/pack-host\",\n role: \"platform_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/pack-installer\",\n role: \"developer_tool\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/proof-compiler\",\n role: \"developer_tool\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/react\",\n role: \"runtime_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/reasoning-kernel\",\n role: \"component_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/sdk\",\n role: \"runtime_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/server-core\",\n role: \"platform_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/testing\",\n role: \"test_support\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/types\",\n role: \"contract_entrypoint\",\n directTenantImport: true,\n },\n] as const;\nexport type TenantClientInstallablePackage =\n (typeof TENANT_CLIENT_INSTALLABLE_PACKAGES)[number];\nexport type TenantClientPackageRole = TenantClientInstallablePackage[\"role\"];\nexport type TenantClientInstallablePackageName =\n TenantClientInstallablePackage[\"packageName\"];\n\n/**\n * Direct package installs are package.json entries owned by the tenant repo.\n * Direct imports are source-code imports that tenant application code may use.\n *\n * These concepts intentionally differ: `@lucern/cli` is a direct install when a\n * tenant repo needs the `lucern` binary, but it is not a direct application\n * import. `@lucern/reasoning-kernel` and `@lucern/identity` are direct installs\n * for Convex component binding, while tenant app code should only import their\n * explicit component config subpaths.\n */\nexport type TenantClientInstallProfile = {\n id: string;\n description: string;\n packageNames: readonly TenantClientInstallablePackageName[];\n dependencyField: \"dependencies\" | \"devDependencies\" | \"mixed\";\n};\n\nexport const TENANT_CLIENT_FULL_SUITE_PACKAGE_NAMES =\n TENANT_CLIENT_INSTALLABLE_PACKAGES.map(\n (entry) => entry.packageName\n ) as readonly TenantClientInstallablePackageName[];\n\nexport const TENANT_CLIENT_INSTALL_PROFILES = [\n {\n id: \"core_app_runtime\",\n description:\n \"Smallest tenant app/runtime install for typed Lucern API calls plus tool-access policy helpers.\",\n packageNames: [\"@lucern/sdk\", \"@lucern/access-control\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"react_app_runtime\",\n description:\n \"React tenant app install for hooks, provider, curated graph components, and direct SDK calls.\",\n packageNames: [\"@lucern/react\", \"@lucern/sdk\", \"@lucern/access-control\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"convex_components\",\n description:\n \"Tenant Convex host install for binding the Lucern identity and reasoning-kernel components.\",\n packageNames: [\"@lucern/identity\", \"@lucern/reasoning-kernel\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"graph_mirroring_addon\",\n description:\n \"Optional tenant Convex host install for Neo4j graph projection, edge topology writes, backfill, health checks, and query proxy helpers.\",\n packageNames: [\"@lucern/graph-sync\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"operator_cli\",\n description:\n \"Developer/operator install for the `lucern` binary, including tenant bootstrap seed commands.\",\n packageNames: [\"@lucern/cli\"],\n dependencyField: \"devDependencies\",\n },\n {\n id: \"mcp_runtime\",\n description:\n \"Agent runtime install for the standalone Lucern MCP server and hosted route helpers.\",\n packageNames: [\"@lucern/mcp\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"contracts_and_types\",\n description:\n \"Compile-time contract/type install for codegen, audits, and tenant integration validation.\",\n packageNames: [\"@lucern/contracts\", \"@lucern/types\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"full_suite\",\n description:\n \"Full coherent Lucern package suite for design-partner repos that want every published runtime, tool, component, test, and config package pinned together.\",\n packageNames: TENANT_CLIENT_FULL_SUITE_PACKAGE_NAMES,\n dependencyField: \"mixed\",\n },\n] as const satisfies readonly TenantClientInstallProfile[];\nexport type TenantClientInstallProfileId =\n (typeof TENANT_CLIENT_INSTALL_PROFILES)[number][\"id\"];\n\n/**\n * Direct imports tenant-owned product code may use. This is intentionally\n * smaller than TENANT_CLIENT_INSTALLABLE_PACKAGES: several publishable packages\n * are installed as SDK dependencies, tooling, or platform runtimes but should\n * not become the application integration surface.\n */\nexport const TENANT_CLIENT_PUBLIC_IMPORTS = [\n {\n packageName: \"@lucern/sdk\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description: \"TypeScript SDK runtime and generated operation namespaces.\",\n },\n {\n packageName: \"@lucern/react\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description: \"React bindings for tenant-owned UI applications.\",\n },\n {\n packageName: \"@lucern/mcp\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description: \"MCP client/server entry points and hosted route helpers.\",\n },\n {\n packageName: \"@lucern/graph-sync\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description:\n \"Optional Neo4j graph mirroring host actions, edge API, query proxy, backfill, and health helpers.\",\n },\n {\n packageName: \"@lucern/contracts\",\n surface: \"contract\",\n subpaths: \"published_exports\",\n description: \"Published type and manifest contracts.\",\n },\n {\n packageName: \"@lucern/access-control\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description:\n \"Tenant runtime access-control helpers, including effective tool access.\",\n },\n {\n packageName: \"@lucern/types\",\n surface: \"contract\",\n subpaths: \"published_exports\",\n description: \"Published type-only helpers for tenant integration code.\",\n },\n] as const;\nexport type TenantClientPublicImport =\n (typeof TENANT_CLIENT_PUBLIC_IMPORTS)[number];\nexport type TenantClientPublicPackage =\n TenantClientPublicImport[\"packageName\"];\nexport type TenantClientPublicSurface = TenantClientPublicImport[\"surface\"];\n\nexport const TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS = [\n {\n packageName: \"@lucern/identity\",\n importPath: \"@lucern/identity/convex.config\",\n surface: \"component_config\",\n description:\n \"Convex component binding config for tenant deployments that install Lucern identity.\",\n },\n {\n packageName: \"@lucern/reasoning-kernel\",\n importPath: \"@lucern/reasoning-kernel/convex.config\",\n surface: \"component_config\",\n description:\n \"Convex component binding config for tenant deployments that install the Lucern reasoning kernel.\",\n },\n {\n packageName: \"@lucern/reasoning-kernel\",\n importPath: \"@lucern/reasoning-kernel/runtime.config\",\n surface: \"component_config\",\n description:\n \"Runtime config alias for tenant deployments that install the Lucern reasoning kernel.\",\n },\n] as const;\nexport type TenantClientComponentConfigImport =\n (typeof TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS)[number];\nexport type TenantClientAllowedImport =\n | TenantClientPublicImport\n | TenantClientComponentConfigImport;\n\nexport function findTenantClientInstallablePackage(\n packageName: string\n): TenantClientInstallablePackage | undefined {\n return TENANT_CLIENT_INSTALLABLE_PACKAGES.find(\n (entry) => entry.packageName === packageName\n );\n}\n\nexport function isTenantClientInstallablePackage(packageName: string): boolean {\n return Boolean(findTenantClientInstallablePackage(packageName));\n}\n\nexport const TENANT_CLIENT_REQUIRED_SDK_NAMESPACES = [\n \"bootstrap\",\n \"context\",\n \"beliefs\",\n \"evidence\",\n \"questions\",\n \"graph\",\n \"worktrees\",\n \"topics\",\n \"edges\",\n \"contradictions\",\n \"contracts\",\n \"graphIntel\",\n \"graphIntelligence\",\n \"graphAnalysis\",\n \"graphRecommendations\",\n \"orgGraphSearch\",\n \"embeddings\",\n \"ontologyLinks\",\n \"graphStateClassifier\",\n \"tools\",\n \"identity\",\n \"modelRuntime\",\n \"events\",\n \"jobs\",\n \"telemetry\",\n] as const;\nexport type TenantClientRequiredSdkNamespace =\n (typeof TENANT_CLIENT_REQUIRED_SDK_NAMESPACES)[number];\n\nexport const TENANT_CLIENT_CAPABILITIES = [\n {\n id: \"identity.bootstrap_session\",\n description: \"Start a scoped Lucern session for a tenant principal.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.context.compile\",\n description: \"Compile tenant and workspace scoped reasoning context.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/react\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.graph.read\",\n description: \"Read beliefs, evidence, questions, topics, graph edges, and lineage.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/react\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.graph.write\",\n description: \"Create and update graph objects through authorized APIs.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.graph_intelligence.run\",\n description:\n \"Discover and run Graph Intelligence query recipes for structural graph analysis.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/cli\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.graph_mirroring.install\",\n description:\n \"Install and run the optional Neo4j graph mirror for paid or enterprise tenant deployments.\",\n surfaces: [\"@lucern/graph-sync\", \"@lucern/cli\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"workflow.worktree_lifecycle\",\n description: \"Create, review, merge, and close scoped worktrees.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/react\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n] as const;\nexport type TenantClientCapability =\n (typeof TENANT_CLIENT_CAPABILITIES)[number];\nexport type TenantClientCapabilityId = TenantClientCapability[\"id\"];\n\nexport const TENANT_CLIENT_ISOLATION_RULES = [\n {\n id: \"tenant_workspace_scope_required\",\n description:\n \"Runtime operations must resolve both tenantId and workspaceId before reaching Lucern reasoning state.\",\n },\n {\n id: \"principal_audit_required\",\n description:\n \"Runtime operations must carry principalId, authMode, and scopes for audit attribution.\",\n },\n {\n id: \"no_private_lucern_imports\",\n description:\n \"Tenant code must not import Lucern source, Convex internals, generated adapters, or unpublished package internals.\",\n },\n] as const;\nexport type TenantClientIsolationRule =\n (typeof TENANT_CLIENT_ISOLATION_RULES)[number];\n\nexport const TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS = [\n {\n id: \"deep_src_import\",\n pattern: \"^@lucern/[^/]+/src(?:/|$)\",\n description: \"Published packages must not be bypassed through src paths.\",\n },\n {\n id: \"deep_dist_import\",\n pattern: \"^@lucern/[^/]+/dist(?:/|$)\",\n description:\n \"Published package exports must be used instead of dist file paths.\",\n },\n {\n id: \"generated_adapter_import\",\n pattern: \"^@lucern/[^/]+/(?:adapters/)?_generated(?:/|$)\",\n description:\n \"Generated Lucern adapters are internal deployment artifacts.\",\n },\n {\n id: \"private_runtime_import\",\n pattern: \"^@lucern/[^/]+/(?:internal|private)(?:/|$)\",\n description: \"Internal and private package subpaths are not public SDK API.\",\n },\n {\n id: \"workspace_source_import\",\n pattern: \"^(?:packages|modules|services|lucern|apps)/(?:.+/)?src(?:/|$)\",\n description:\n \"Tenant clients must not import source files from the Lucern monorepo.\",\n },\n {\n id: \"root_alias_lucern_import\",\n pattern: \"^@/(?:lucern|packages|modules|services|apps)(?:/|$)\",\n description:\n \"Tenant clients must not depend on Lucern repo-local path aliases.\",\n },\n {\n id: \"relative_lucern_source_import\",\n pattern: \"^\\\\.\\\\.?/(?:.+/)?(?:packages|modules|services|lucern|apps)(?:/|$)\",\n description:\n \"Tenant clients must not reach back into Lucern source through relative paths.\",\n },\n {\n id: \"monorepo_path_import\",\n pattern: \"lucern-repo\",\n description:\n \"Absolute imports that name the Lucern repository are not portable tenant code.\",\n },\n] as const;\nexport type TenantClientForbiddenImportPattern =\n (typeof TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS)[number];\nexport type TenantClientForbiddenImportPatternId =\n TenantClientForbiddenImportPattern[\"id\"];\n\nexport type TenantClientImportDecision =\n | \"public\"\n | \"forbidden\"\n | \"local\"\n | \"external\";\n\nexport type TenantClientImportClassification = {\n importPath: string;\n decision: TenantClientImportDecision;\n publicImport?: TenantClientAllowedImport;\n pattern?: TenantClientForbiddenImportPattern;\n reason: string;\n};\n\nfunction matchesPublicImport(\n importPath: string\n): TenantClientAllowedImport | undefined {\n const componentConfig = TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS.find(\n (entry) => importPath === entry.importPath\n );\n if (componentConfig) {\n return componentConfig;\n }\n\n return TENANT_CLIENT_PUBLIC_IMPORTS.find(\n (entry) =>\n importPath === entry.packageName ||\n importPath.startsWith(`${entry.packageName}/`)\n );\n}\n\nfunction matchesForbiddenPattern(\n importPath: string\n): TenantClientForbiddenImportPattern | undefined {\n return TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS.find((entry) =>\n new RegExp(entry.pattern, \"u\").test(importPath)\n );\n}\n\nexport function classifyTenantClientImport(\n importPath: string\n): TenantClientImportClassification {\n const normalizedImportPath = importPath.trim();\n const pattern = matchesForbiddenPattern(normalizedImportPath);\n\n if (pattern) {\n return {\n importPath: normalizedImportPath,\n decision: \"forbidden\",\n pattern,\n reason: pattern.description,\n };\n }\n\n const publicImport = matchesPublicImport(normalizedImportPath);\n if (publicImport) {\n return {\n importPath: normalizedImportPath,\n decision: \"public\",\n publicImport,\n reason: publicImport.description,\n };\n }\n\n if (normalizedImportPath.startsWith(\"@lucern/\")) {\n return {\n importPath: normalizedImportPath,\n decision: \"forbidden\",\n reason:\n \"This @lucern package is not part of the tenant client public surface.\",\n };\n }\n\n if (\n normalizedImportPath.startsWith(\"./\") ||\n normalizedImportPath.startsWith(\"../\")\n ) {\n return {\n importPath: normalizedImportPath,\n decision: \"local\",\n reason: \"Local tenant-owned import.\",\n };\n }\n\n return {\n importPath: normalizedImportPath,\n decision: \"external\",\n reason: \"External dependency outside the Lucern package namespace.\",\n };\n}\n\nexport function isTenantClientPublicImport(importPath: string): boolean {\n return classifyTenantClientImport(importPath).decision === \"public\";\n}\n\nexport function isTenantClientComponentConfigImport(\n importPath: string\n): boolean {\n return TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS.some(\n (entry) => importPath === entry.importPath\n );\n}\n\nexport function isTenantClientAllowedImport(importPath: string): boolean {\n return classifyTenantClientImport(importPath).decision === \"public\";\n}\n\nexport function assertTenantClientImportAllowed(importPath: string): void {\n const classification = classifyTenantClientImport(importPath);\n if (classification.decision !== \"forbidden\") {\n return;\n }\n\n throw new Error(formatTenantClientImportViolation(classification));\n}\n\nexport function formatTenantClientImportViolation(\n classification: TenantClientImportClassification\n): string {\n const patternId = classification.pattern\n ? ` [${classification.pattern.id}]`\n : \"\";\n return `Tenant client import is not allowed${patternId}: ${classification.importPath}. ${classification.reason}`;\n}\n","/**\n * Infisical runtime contract\n *\n * Defines how Lucern runtime surfaces receive platform configuration and\n * secrets. Vercel-owned apps consume Infisical through secret syncs. Server,\n * CLI, MCP, and SDK operator contexts may hydrate runtime config directly from\n * Infisical when they have a scoped machine identity. Tenant user auth still\n * flows through Lucern device login; tenant tools never receive platform Clerk\n * secrets.\n */\n\nimport { TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH } from \"./tenant-client.contract\";\n\nexport const INFISICAL_RUNTIME_CONTRACT_VERSION = \"2026-04-28\" as const;\n\nexport const INFISICAL_RUNTIME_DEFAULT_API_URL =\n \"https://app.infisical.com\" as const;\nexport const INFISICAL_RUNTIME_DEFAULT_PROJECT_ID =\n \"344b0526-90df-4606-ba50-22c647a36c65\" as const;\n\nexport const INFISICAL_RUNTIME_ENVIRONMENTS = [\n \"dev\",\n \"staging\",\n \"prod\",\n] as const;\nexport type InfisicalRuntimeEnvironment =\n (typeof INFISICAL_RUNTIME_ENVIRONMENTS)[number];\n\nexport const INFISICAL_RUNTIME_DELIVERY_MODES = [\n \"vercel_sync\",\n \"runtime_fetch\",\n \"device_auth\",\n] as const;\nexport type InfisicalRuntimeDeliveryMode =\n (typeof INFISICAL_RUNTIME_DELIVERY_MODES)[number];\n\nexport const INFISICAL_RUNTIME_SURFACE_IDS = [\n \"lucern-web\",\n \"lucern-gateway\",\n \"lucern-sdk\",\n \"lucern-cli\",\n \"lucern-mcp\",\n \"tenant-client\",\n] as const;\nexport type InfisicalRuntimeSurfaceId =\n (typeof INFISICAL_RUNTIME_SURFACE_IDS)[number];\n\nexport const INFISICAL_RUNTIME_BOOTSTRAP_ENV = {\n apiUrl: [\"INFISICAL_API_URL\", \"INFISICAL_URL\"],\n projectId: [\"INFISICAL_PROJECT_ID\", \"INFISICAL_WORKSPACE_ID\"],\n clientId: [\n \"INFISICAL_CLIENT_ID\",\n \"INFISICAL_MACHINE_CLIENT_ID\",\n \"INFISICAL_UNIVERSAL_AUTH_CLIENT_ID\",\n ],\n clientSecret: [\n \"INFISICAL_CLIENT_SECRET\",\n \"INFISICAL_MACHINE_CLIENT_SECRET\",\n \"INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET\",\n ],\n environment: [\"INFISICAL_ENV\", \"LUCERN_INFISICAL_ENV\"],\n organizationSlug: [\"INFISICAL_ORG_SLUG\", \"INFISICAL_ORGANIZATION_SLUG\"],\n disabled: [\"LUCERN_INFISICAL_DISABLE\", \"INFISICAL_DISABLE\"],\n} as const;\nexport type InfisicalRuntimeBootstrapEnv =\n typeof INFISICAL_RUNTIME_BOOTSTRAP_ENV;\n\nexport type InfisicalRuntimeVariable = {\n readonly name: string;\n readonly required: boolean;\n readonly secret: boolean;\n readonly public: boolean;\n readonly aliases?: readonly string[];\n readonly description: string;\n};\n\nexport type InfisicalRuntimePathDefinition = {\n readonly id: string;\n readonly secretPath: string;\n readonly description: string;\n readonly variables: readonly InfisicalRuntimeVariable[];\n};\n\nexport const INFISICAL_RUNTIME_PATHS = [\n {\n id: \"platform-auth\",\n secretPath: \"/platform/auth\",\n description:\n \"Lucern platform authentication secrets. Synced into Vercel web/gateway projects; never distributed to tenant tools.\",\n variables: [\n {\n name: \"NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY\",\n required: true,\n secret: false,\n public: true,\n description: \"Clerk publishable key for the Lucern web origin.\",\n },\n {\n name: \"CLERK_SECRET_KEY\",\n required: true,\n secret: true,\n public: false,\n description: \"Clerk backend secret key for Lucern server runtimes.\",\n },\n {\n name: \"CLERK_JWT_ISSUER_DOMAIN\",\n required: false,\n secret: false,\n public: false,\n description: \"Expected Clerk issuer/JWKS domain for JWT verification.\",\n },\n {\n name: \"NEXT_PUBLIC_CLERK_SIGN_IN_URL\",\n required: false,\n secret: false,\n public: true,\n description: \"Public sign-in URL for Lucern-owned web flows.\",\n },\n {\n name: \"NEXT_PUBLIC_CLERK_SIGN_UP_URL\",\n required: false,\n secret: false,\n public: true,\n description: \"Public sign-up URL for Lucern-owned web flows.\",\n },\n ],\n },\n {\n id: \"platform-runtime\",\n secretPath: \"/platform/runtime\",\n description:\n \"Runtime defaults shared by server-side Lucern clients and operator tooling.\",\n variables: [\n {\n name: \"LUCERN_API_URL\",\n required: true,\n secret: false,\n public: false,\n aliases: [\"LUCERN_API_BASE_URL\", \"LUCERN_BASE_URL\"],\n description: \"Canonical Lucern API gateway URL.\",\n },\n {\n name: \"LUCERN_LOGIN_BASE_URL\",\n required: false,\n secret: false,\n public: false,\n aliases: [\"LUCERN_AUTH_BASE_URL\"],\n description: \"Browser login origin used when it differs from the API.\",\n },\n {\n name: \"LUCERN_ENVIRONMENT\",\n required: false,\n secret: false,\n public: false,\n aliases: [\"LUCERN_ENV\"],\n description: \"Lucern environment label consumed by CLI profiles.\",\n },\n ],\n },\n {\n id: \"tenant-shared-install\",\n secretPath: TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH,\n description:\n \"Tenant package-install secrets. This is install-only and distinct from platform publish credentials.\",\n variables: [\n {\n name: \"INSTALL_LUCERN_NPM\",\n required: true,\n secret: true,\n public: false,\n description: \"Read-only install token for the published @lucern/* suite.\",\n },\n ],\n },\n] as const satisfies readonly InfisicalRuntimePathDefinition[];\nexport type InfisicalRuntimePath = (typeof INFISICAL_RUNTIME_PATHS)[number];\nexport type InfisicalRuntimePathId = InfisicalRuntimePath[\"id\"];\n\nexport type InfisicalRuntimeSurfaceDefinition = {\n readonly id: InfisicalRuntimeSurfaceId;\n readonly packageName?: string;\n readonly delivery: InfisicalRuntimeDeliveryMode;\n readonly fallback?: InfisicalRuntimeDeliveryMode;\n readonly sourcePathIds: readonly InfisicalRuntimePathId[];\n readonly consumer: string;\n readonly description: string;\n};\n\nexport const INFISICAL_RUNTIME_SURFACES = [\n {\n id: \"lucern-web\",\n delivery: \"vercel_sync\",\n sourcePathIds: [\"platform-auth\", \"platform-runtime\"],\n consumer: \"apps/web on Vercel project lucern\",\n description:\n \"Lucern web consumes Clerk and runtime config via Infisical-to-Vercel syncs.\",\n },\n {\n id: \"lucern-gateway\",\n delivery: \"vercel_sync\",\n sourcePathIds: [\"platform-auth\", \"platform-runtime\"],\n consumer: \"apps/gateway on Vercel project lucern-gateway\",\n description:\n \"Lucern gateway consumes platform config via Infisical-to-Vercel syncs.\",\n },\n {\n id: \"lucern-sdk\",\n packageName: \"@lucern/sdk\",\n delivery: \"runtime_fetch\",\n sourcePathIds: [\"platform-runtime\"],\n consumer: \"server-side SDK operator contexts with a scoped Infisical identity\",\n description:\n \"SDK exposes the runtime Infisical resolver used by clients that have machine identity credentials.\",\n },\n {\n id: \"lucern-cli\",\n packageName: \"@lucern/cli\",\n delivery: \"runtime_fetch\",\n fallback: \"device_auth\",\n sourcePathIds: [\"platform-runtime\"],\n consumer: \"developer/operator CLI processes\",\n description:\n \"CLI hydrates runtime defaults from Infisical when configured, then authenticates users through Lucern device login.\",\n },\n {\n id: \"lucern-mcp\",\n packageName: \"@lucern/mcp\",\n delivery: \"runtime_fetch\",\n fallback: \"device_auth\",\n sourcePathIds: [\"platform-runtime\"],\n consumer: \"MCP server/client processes\",\n description:\n \"MCP hydrates runtime defaults through the SDK resolver and remains a Lucern client, not a platform secret owner.\",\n },\n {\n id: \"tenant-client\",\n delivery: \"device_auth\",\n sourcePathIds: [\"tenant-shared-install\"],\n consumer: \"tenant-owned apps and coding agents\",\n description:\n \"Tenant clients install the published packages and receive user/service credentials through Lucern auth surfaces.\",\n },\n] as const satisfies readonly InfisicalRuntimeSurfaceDefinition[];\nexport type InfisicalRuntimeSurface =\n (typeof INFISICAL_RUNTIME_SURFACES)[number];\n\nexport function findInfisicalRuntimePath(\n pathId: InfisicalRuntimePathId\n): InfisicalRuntimePath | undefined {\n return INFISICAL_RUNTIME_PATHS.find((path) => path.id === pathId);\n}\n\nexport function findInfisicalRuntimeSurface(\n surfaceId: InfisicalRuntimeSurfaceId\n): InfisicalRuntimeSurface | undefined {\n return INFISICAL_RUNTIME_SURFACES.find(\n (surface) => surface.id === surfaceId\n );\n}\n","import {\n INFISICAL_RUNTIME_BOOTSTRAP_ENV,\n INFISICAL_RUNTIME_CONTRACT_VERSION,\n INFISICAL_RUNTIME_DEFAULT_API_URL,\n INFISICAL_RUNTIME_DEFAULT_PROJECT_ID,\n INFISICAL_RUNTIME_DELIVERY_MODES,\n INFISICAL_RUNTIME_ENVIRONMENTS,\n INFISICAL_RUNTIME_PATHS,\n INFISICAL_RUNTIME_SURFACES,\n type InfisicalRuntimeBootstrapEnv,\n type InfisicalRuntimeDeliveryMode,\n type InfisicalRuntimeEnvironment,\n type InfisicalRuntimePath,\n type InfisicalRuntimeSurface,\n} from \"../infisical-runtime.contract\";\n\nexport type InfisicalRuntimeManifest = {\n readonly manifestVersion: \"1.0.0\";\n readonly contractVersion: typeof INFISICAL_RUNTIME_CONTRACT_VERSION;\n readonly project: {\n readonly id: typeof INFISICAL_RUNTIME_DEFAULT_PROJECT_ID;\n readonly apiUrl: typeof INFISICAL_RUNTIME_DEFAULT_API_URL;\n };\n readonly environments: readonly InfisicalRuntimeEnvironment[];\n readonly deliveryModes: readonly InfisicalRuntimeDeliveryMode[];\n readonly bootstrapEnv: InfisicalRuntimeBootstrapEnv;\n readonly paths: readonly InfisicalRuntimePath[];\n readonly surfaces: readonly InfisicalRuntimeSurface[];\n};\n\nexport const INFISICAL_RUNTIME_MANIFEST = {\n manifestVersion: \"1.0.0\",\n contractVersion: INFISICAL_RUNTIME_CONTRACT_VERSION,\n project: {\n id: INFISICAL_RUNTIME_DEFAULT_PROJECT_ID,\n apiUrl: INFISICAL_RUNTIME_DEFAULT_API_URL,\n },\n environments: INFISICAL_RUNTIME_ENVIRONMENTS,\n deliveryModes: INFISICAL_RUNTIME_DELIVERY_MODES,\n bootstrapEnv: INFISICAL_RUNTIME_BOOTSTRAP_ENV,\n paths: INFISICAL_RUNTIME_PATHS,\n surfaces: INFISICAL_RUNTIME_SURFACES,\n} as const satisfies InfisicalRuntimeManifest;\n"]}
|