@lucern/contracts 0.3.0-alpha.8 → 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (261) hide show
  1. package/CHANGELOG.md +7 -0
  2. package/dist/api-enums.contract.d.ts +5 -3
  3. package/dist/api-enums.contract.js +14 -12
  4. package/dist/api-enums.contract.js.map +1 -1
  5. package/dist/auth-context.contract.js +14 -2
  6. package/dist/auth-context.contract.js.map +1 -1
  7. package/dist/auth-session.contract.js +14 -2
  8. package/dist/auth-session.contract.js.map +1 -1
  9. package/dist/auth.contract.d.ts +1 -1
  10. package/dist/auth.contract.js +14 -2
  11. package/dist/auth.contract.js.map +1 -1
  12. package/dist/component-boundary.contract.d.ts +1 -1
  13. package/dist/component-boundary.contract.js +46 -26
  14. package/dist/component-boundary.contract.js.map +1 -1
  15. package/dist/component-host-boundary.contract.d.ts +10 -5
  16. package/dist/component-host-boundary.contract.js +10 -4
  17. package/dist/component-host-boundary.contract.js.map +1 -1
  18. package/dist/{defineTable-CBQ03FXl.d.ts → defineTable-t1wr5wgn.d.ts} +1 -1
  19. package/dist/{dsl-djCRfuWC.d.ts → dsl-DVPthQGY.d.ts} +1 -1
  20. package/dist/dsl.d.ts +2 -2
  21. package/dist/dsl.js.map +1 -1
  22. package/dist/edge-policy-manifest-Dw5IhT1L.d.ts +133 -0
  23. package/dist/function-registry/beliefs.d.ts +23 -10
  24. package/dist/function-registry/beliefs.js +467 -36
  25. package/dist/function-registry/beliefs.js.map +1 -1
  26. package/dist/function-registry/coding.d.ts +15 -6
  27. package/dist/function-registry/coding.js +531 -22
  28. package/dist/function-registry/coding.js.map +1 -1
  29. package/dist/function-registry/context.d.ts +9 -3
  30. package/dist/function-registry/context.js +464 -21
  31. package/dist/function-registry/context.js.map +1 -1
  32. package/dist/function-registry/contracts.d.ts +9 -3
  33. package/dist/function-registry/contracts.js +464 -21
  34. package/dist/function-registry/contracts.js.map +1 -1
  35. package/dist/function-registry/coordination.d.ts +21 -9
  36. package/dist/function-registry/coordination.js +464 -21
  37. package/dist/function-registry/coordination.js.map +1 -1
  38. package/dist/function-registry/edges.d.ts +167 -2
  39. package/dist/function-registry/edges.js +661 -52
  40. package/dist/function-registry/edges.js.map +1 -1
  41. package/dist/function-registry/evidence.d.ts +19 -8
  42. package/dist/function-registry/evidence.js +473 -40
  43. package/dist/function-registry/evidence.js.map +1 -1
  44. package/dist/function-registry/graph.d.ts +33 -15
  45. package/dist/function-registry/graph.js +464 -21
  46. package/dist/function-registry/graph.js.map +1 -1
  47. package/dist/function-registry/helpers.d.ts +6 -3
  48. package/dist/function-registry/helpers.js +465 -22
  49. package/dist/function-registry/helpers.js.map +1 -1
  50. package/dist/function-registry/identity.d.ts +62 -16
  51. package/dist/function-registry/identity.js +487 -27
  52. package/dist/function-registry/identity.js.map +1 -1
  53. package/dist/function-registry/index.d.ts +4 -2
  54. package/dist/function-registry/index.js +468 -22
  55. package/dist/function-registry/index.js.map +1 -1
  56. package/dist/function-registry/judgments.d.ts +7 -2
  57. package/dist/function-registry/judgments.js +464 -21
  58. package/dist/function-registry/judgments.js.map +1 -1
  59. package/dist/function-registry/legacy.d.ts +5 -1
  60. package/dist/function-registry/legacy.js +464 -21
  61. package/dist/function-registry/legacy.js.map +1 -1
  62. package/dist/function-registry/lenses.d.ts +11 -4
  63. package/dist/function-registry/lenses.js +464 -21
  64. package/dist/function-registry/lenses.js.map +1 -1
  65. package/dist/function-registry/manifest.d.ts +4 -4
  66. package/dist/function-registry/manifest.js +16 -1
  67. package/dist/function-registry/manifest.js.map +1 -1
  68. package/dist/function-registry/nodes.d.ts +412 -0
  69. package/dist/function-registry/nodes.js +5354 -0
  70. package/dist/function-registry/nodes.js.map +1 -0
  71. package/dist/function-registry/ontologies.d.ts +25 -11
  72. package/dist/function-registry/ontologies.js +464 -21
  73. package/dist/function-registry/ontologies.js.map +1 -1
  74. package/dist/function-registry/pipeline.d.ts +9 -3
  75. package/dist/function-registry/pipeline.js +464 -21
  76. package/dist/function-registry/pipeline.js.map +1 -1
  77. package/dist/function-registry/questions.d.ts +27 -12
  78. package/dist/function-registry/questions.js +466 -26
  79. package/dist/function-registry/questions.js.map +1 -1
  80. package/dist/function-registry/tasks.d.ts +11 -4
  81. package/dist/function-registry/tasks.js +497 -30
  82. package/dist/function-registry/tasks.js.map +1 -1
  83. package/dist/function-registry/topics.d.ts +93 -5
  84. package/dist/function-registry/topics.js +534 -24
  85. package/dist/function-registry/topics.js.map +1 -1
  86. package/dist/function-registry/types.d.ts +7 -3
  87. package/dist/function-registry/worktrees.d.ts +25 -11
  88. package/dist/function-registry/worktrees.js +480 -21
  89. package/dist/function-registry/worktrees.js.map +1 -1
  90. package/dist/gateway.contract.d.ts +4 -0
  91. package/dist/gateway.contract.js.map +1 -1
  92. package/dist/generated/convexSchemas.d.ts +3 -3
  93. package/dist/generated/convexSchemas.js +37 -17
  94. package/dist/generated/convexSchemas.js.map +1 -1
  95. package/dist/generated/infisicalRuntimeEnv.d.ts +70 -0
  96. package/dist/generated/infisicalRuntimeEnv.js +27585 -0
  97. package/dist/generated/infisicalRuntimeEnv.js.map +1 -0
  98. package/dist/generated/lucernGatewayEnv.d.ts +17 -0
  99. package/dist/generated/lucernGatewayEnv.js +38 -0
  100. package/dist/generated/lucernGatewayEnv.js.map +1 -0
  101. package/dist/generated/lucernWebPublicEnv.d.ts +26 -0
  102. package/dist/generated/lucernWebPublicEnv.js +32 -0
  103. package/dist/generated/lucernWebPublicEnv.js.map +1 -0
  104. package/dist/generated/lucernWebServerEnv.d.ts +33 -0
  105. package/dist/generated/lucernWebServerEnv.js +51 -0
  106. package/dist/generated/lucernWebServerEnv.js.map +1 -0
  107. package/dist/generated/schema-manifest.json +1221 -114
  108. package/dist/generated/tableOwnership.d.ts +48 -28
  109. package/dist/generated/tableOwnership.js +66 -26
  110. package/dist/generated/tableOwnership.js.map +1 -1
  111. package/dist/generated/tier-expectations.json +64 -9
  112. package/dist/{index-O09U2xHk.d.ts → index-CM1Pl_vI.d.ts} +3 -3
  113. package/dist/index.d.ts +12 -7
  114. package/dist/index.js +32892 -459
  115. package/dist/index.js.map +1 -1
  116. package/dist/infisical-runtime.contract.d.ts +1763 -6
  117. package/dist/infisical-runtime.contract.js +2994 -15
  118. package/dist/infisical-runtime.contract.js.map +1 -1
  119. package/dist/manifests/edge-policy-manifest.d.ts +1 -1
  120. package/dist/manifests/edge-policy-manifest.data.d.ts +6 -20
  121. package/dist/manifests/edge-policy-manifest.data.js +18 -26
  122. package/dist/manifests/edge-policy-manifest.data.js.map +1 -1
  123. package/dist/manifests/edge-policy-manifest.js +31 -4
  124. package/dist/manifests/edge-policy-manifest.js.map +1 -1
  125. package/dist/manifests/infisical-runtime-manifest.d.ts +1689 -6
  126. package/dist/manifests/infisical-runtime-manifest.js +2847 -12
  127. package/dist/manifests/infisical-runtime-manifest.js.map +1 -1
  128. package/dist/manifests/tenant-client-manifest.d.ts +19 -14
  129. package/dist/manifests/tenant-client-manifest.js +29 -12
  130. package/dist/manifests/tenant-client-manifest.js.map +1 -1
  131. package/dist/mcp-gateway-boundary.contract.d.ts +23 -3
  132. package/dist/mcp-gateway-boundary.contract.js +2 -0
  133. package/dist/mcp-gateway-boundary.contract.js.map +1 -1
  134. package/dist/permit-principal-projection.contract.d.ts +74 -0
  135. package/dist/permit-principal-projection.contract.js +167 -0
  136. package/dist/permit-principal-projection.contract.js.map +1 -0
  137. package/dist/projections/check-convex-args-shape.js +10 -6
  138. package/dist/projections/check-convex-args-shape.js.map +1 -1
  139. package/dist/projections/create-evidence.projection.d.ts +6 -6
  140. package/dist/projections/create-evidence.projection.js +2 -3
  141. package/dist/projections/create-evidence.projection.js.map +1 -1
  142. package/dist/projections/index.d.ts +3 -3
  143. package/dist/projections/index.js +10 -6
  144. package/dist/projections/index.js.map +1 -1
  145. package/dist/projections/list-tasks.projection.d.ts +20 -8
  146. package/dist/projections/list-tasks.projection.js +8 -3
  147. package/dist/projections/list-tasks.projection.js.map +1 -1
  148. package/dist/proof-attestation.json +45 -0
  149. package/dist/schemas/component-table-manifest.d.ts +6 -6
  150. package/dist/schemas/component-table-manifest.js +2 -2
  151. package/dist/schemas/component-table-manifest.js.map +1 -1
  152. package/dist/schemas/index.d.ts +2 -2
  153. package/dist/schemas/index.js +1123 -137
  154. package/dist/schemas/index.js.map +1 -1
  155. package/dist/schemas/manifest.d.ts +2102 -132
  156. package/dist/schemas/manifest.js +1121 -135
  157. package/dist/schemas/manifest.js.map +1 -1
  158. package/dist/schemas/tables/controlPlane/accessControl.d.ts +260 -0
  159. package/dist/schemas/tables/controlPlane/accessControl.js +658 -0
  160. package/dist/schemas/tables/controlPlane/accessControl.js.map +1 -0
  161. package/dist/schemas/tables/{identity → controlPlane}/agent.d.ts +1 -1
  162. package/dist/schemas/tables/{identity → controlPlane}/agent.js +3 -3
  163. package/dist/schemas/tables/controlPlane/agent.js.map +1 -0
  164. package/dist/schemas/tables/{identity → controlPlane}/epistemic.d.ts +1 -1
  165. package/dist/schemas/tables/{identity → controlPlane}/epistemic.js +3 -3
  166. package/dist/schemas/tables/controlPlane/epistemic.js.map +1 -0
  167. package/dist/schemas/tables/{identity → controlPlane}/model.d.ts +1 -1
  168. package/dist/schemas/tables/{identity → controlPlane}/model.js +6 -6
  169. package/dist/schemas/tables/controlPlane/model.js.map +1 -0
  170. package/dist/schemas/tables/{identity → controlPlane}/platform.d.ts +1 -1
  171. package/dist/schemas/tables/{identity → controlPlane}/platform.js +18 -18
  172. package/dist/schemas/tables/controlPlane/platform.js.map +1 -0
  173. package/dist/schemas/tables/{identity → controlPlane}/project.d.ts +1 -1
  174. package/dist/schemas/tables/{identity → controlPlane}/project.js +3 -3
  175. package/dist/schemas/tables/controlPlane/project.js.map +1 -0
  176. package/dist/schemas/tables/{identity → controlPlane}/user.d.ts +1 -1
  177. package/dist/schemas/tables/{identity → controlPlane}/user.js +3 -3
  178. package/dist/schemas/tables/controlPlane/user.js.map +1 -0
  179. package/dist/schemas/tables/kernel/config.d.ts +1 -1
  180. package/dist/schemas/tables/kernel/config.js.map +1 -1
  181. package/dist/schemas/tables/kernel/coordination.d.ts +1 -1
  182. package/dist/schemas/tables/kernel/coordination.js.map +1 -1
  183. package/dist/schemas/tables/kernel/decision.d.ts +1 -1
  184. package/dist/schemas/tables/kernel/decision.js.map +1 -1
  185. package/dist/schemas/tables/kernel/embedding.d.ts +1 -1
  186. package/dist/schemas/tables/kernel/embedding.js.map +1 -1
  187. package/dist/schemas/tables/kernel/epistemic.d.ts +1 -1
  188. package/dist/schemas/tables/kernel/epistemic.js.map +1 -1
  189. package/dist/schemas/tables/kernel/events.d.ts +21 -0
  190. package/dist/schemas/tables/kernel/events.js +43 -0
  191. package/dist/schemas/tables/kernel/events.js.map +1 -0
  192. package/dist/schemas/tables/kernel/idempotency.d.ts +1 -1
  193. package/dist/schemas/tables/kernel/idempotency.js.map +1 -1
  194. package/dist/schemas/tables/kernel/infra.d.ts +1 -1
  195. package/dist/schemas/tables/kernel/infra.js.map +1 -1
  196. package/dist/schemas/tables/kernel/intelligence.d.ts +1 -1
  197. package/dist/schemas/tables/kernel/intelligence.js.map +1 -1
  198. package/dist/schemas/tables/kernel/lens.d.ts +1 -1
  199. package/dist/schemas/tables/kernel/lens.js.map +1 -1
  200. package/dist/schemas/tables/kernel/ontology.d.ts +1 -1
  201. package/dist/schemas/tables/kernel/ontology.js.map +1 -1
  202. package/dist/schemas/tables/kernel/platform.d.ts +1 -1
  203. package/dist/schemas/tables/kernel/platform.js.map +1 -1
  204. package/dist/schemas/tables/kernel/spine.d.ts +2 -1
  205. package/dist/schemas/tables/kernel/spine.js +1 -0
  206. package/dist/schemas/tables/kernel/spine.js.map +1 -1
  207. package/dist/schemas/tables/kernel/task.d.ts +1 -1
  208. package/dist/schemas/tables/kernel/task.js.map +1 -1
  209. package/dist/schemas/tables/kernel/topic.d.ts +1 -1
  210. package/dist/schemas/tables/kernel/topic.js +1 -0
  211. package/dist/schemas/tables/kernel/topic.js.map +1 -1
  212. package/dist/schemas/tables/kernel/workflow.d.ts +1 -1
  213. package/dist/schemas/tables/kernel/workflow.js.map +1 -1
  214. package/dist/schemas/tables/kernel/worktree.d.ts +17 -17
  215. package/dist/schemas/tables/kernel/worktree.js.map +1 -1
  216. package/dist/schemas/tables/mc/identity.d.ts +19 -2
  217. package/dist/schemas/tables/mc/identity.js +32 -1
  218. package/dist/schemas/tables/mc/identity.js.map +1 -1
  219. package/dist/schemas/tables/mc/methodology.d.ts +1 -1
  220. package/dist/schemas/tables/mc/methodology.js.map +1 -1
  221. package/dist/schemas/tables/mc/pack.d.ts +1 -1
  222. package/dist/schemas/tables/mc/pack.js.map +1 -1
  223. package/dist/schemas/tables/mc/policy.d.ts +2 -2
  224. package/dist/schemas/tables/mc/policy.js +1 -1
  225. package/dist/schemas/tables/mc/policy.js.map +1 -1
  226. package/dist/schemas/tables/mc/registry.d.ts +1 -1
  227. package/dist/schemas/tables/mc/registry.js.map +1 -1
  228. package/dist/schemas/tables/mc/runtime.d.ts +109 -3
  229. package/dist/schemas/tables/mc/runtime.js +330 -104
  230. package/dist/schemas/tables/mc/runtime.js.map +1 -1
  231. package/dist/schemas/tables/mc/tenant.d.ts +4 -2
  232. package/dist/schemas/tables/mc/tenant.js +3 -1
  233. package/dist/schemas/tables/mc/tenant.js.map +1 -1
  234. package/dist/schemas/tables/mc/workspace.d.ts +22 -5
  235. package/dist/schemas/tables/mc/workspace.js +34 -2
  236. package/dist/schemas/tables/mc/workspace.js.map +1 -1
  237. package/dist/{sdk-tools.contract-Ci8bkoai.d.ts → sdk-tools.contract-CKmSsrZ2.d.ts} +1 -1
  238. package/dist/sdk-tools.contract.d.ts +2 -2
  239. package/dist/sdk-tools.contract.js +417 -13
  240. package/dist/sdk-tools.contract.js.map +1 -1
  241. package/dist/tenant-bootstrap-seed.contract.d.ts +244 -56
  242. package/dist/tenant-bootstrap-seed.contract.js +139 -28
  243. package/dist/tenant-bootstrap-seed.contract.js.map +1 -1
  244. package/dist/tenant-bootstrap-seed.defaults.d.ts +2 -2
  245. package/dist/tenant-bootstrap-seed.defaults.js +31 -13
  246. package/dist/tenant-bootstrap-seed.defaults.js.map +1 -1
  247. package/dist/tenant-client.contract.d.ts +20 -15
  248. package/dist/tenant-client.contract.js +29 -12
  249. package/dist/tenant-client.contract.js.map +1 -1
  250. package/dist/{tool-contracts-B4iWhejG.d.ts → tool-contracts-C_xvM9q2.d.ts} +32 -2
  251. package/dist/tool-contracts.d.ts +1 -1
  252. package/dist/tool-contracts.js +418 -14
  253. package/dist/tool-contracts.js.map +1 -1
  254. package/package.json +22 -1
  255. package/dist/edge-policy-manifest-Byv6cQPP.d.ts +0 -132
  256. package/dist/schemas/tables/identity/agent.js.map +0 -1
  257. package/dist/schemas/tables/identity/epistemic.js.map +0 -1
  258. package/dist/schemas/tables/identity/model.js.map +0 -1
  259. package/dist/schemas/tables/identity/platform.js.map +0 -1
  260. package/dist/schemas/tables/identity/project.js.map +0 -1
  261. package/dist/schemas/tables/identity/user.js.map +0 -1
@@ -41,7 +41,11 @@ type GatewayAuthContext = {
41
41
  principalId?: string;
42
42
  principalType?: SessionPrincipalType;
43
43
  tenantId?: string;
44
+ canonicalTenantId?: string;
45
+ tenantSlug?: string;
44
46
  workspaceId?: string;
47
+ workspaceSlug?: string;
48
+ workspaceKey?: string;
45
49
  roles?: string[];
46
50
  membershipId?: string;
47
51
  sessionId?: string;
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/gateway.contract.ts"],"names":[],"mappings":";AA6IO,SAAS,wBACd,WAAA,EACQ;AACR,EAAA,MAAM,WAAA,GACJ,OAAO,WAAA,CAAY,WAAA,KAAgB,WAC/B,WAAA,CAAY,WAAA,CAAY,MAAK,GAC7B,EAAA;AACN,EAAA,IAAI,WAAA,CAAY,SAAS,CAAA,EAAG;AAC1B,IAAA,OAAO,WAAA;AAAA,EACT;AACA,EAAA,MAAM,IAAI,MAAM,sDAAsD,CAAA;AACxE","file":"gateway.contract.js","sourcesContent":["/**\n * Gateway contract types — shared between Stack's gateway middleware and\n * Lucern's server-core / gateway route handlers.\n *\n * These types describe the authenticated request context that flows from\n * the gateway into Lucern route handlers. The gateway (Stack-side) creates\n * the context; Lucern consumes it read-only.\n *\n * @module @lucern/contracts/src/gateway\n */\n\nimport type {\n SessionAuthMode,\n SessionDelegationHop,\n SessionPrincipalType,\n} from \"./auth-session.contract\";\n\n// ---------------------------------------------------------------------------\n// Error codes\n// ---------------------------------------------------------------------------\n\nexport type PlatformApiErrorCode =\n | \"AUTH_REQUIRED\"\n | \"AUTHENTICATION_REQUIRED\"\n | \"AUTH_TOKEN_MISSING\"\n | \"INVALID_REQUEST\"\n | \"IDEMPOTENCY_KEY_REQUIRED\"\n | \"FORBIDDEN\"\n | \"SCOPE_INSUFFICIENT\"\n | \"ENVIRONMENT_MISMATCH\"\n | \"KEY_EXPIRED\"\n | \"KEY_REVOKED\"\n | \"RATE_LIMIT_EXCEEDED\"\n | \"NOT_FOUND\"\n | \"CONFLICT\"\n | \"UPSTREAM_ERROR\"\n | \"INTERNAL_ERROR\";\n\n// ---------------------------------------------------------------------------\n// Gateway scope and environment\n// ---------------------------------------------------------------------------\n\nexport type GatewayScope = {\n tenantId?: string;\n workspaceId?: string;\n};\n\nexport type GatewayEnvironment = \"sandbox\" | \"production\";\n\nexport type GatewayAuthMode =\n | \"interactive_user\"\n | \"service_principal\"\n | \"tenant_api_key\"\n | \"session_token\";\n\nexport type KeyLifecycleStatus =\n | \"active\"\n | \"rotating\"\n | \"rotated\"\n | \"expired\"\n | \"revoked\";\n\nexport type CutoverDomain =\n | \"graph\"\n | \"schema\"\n | \"identity\"\n | \"policy\"\n | \"audit\"\n | \"admin\"\n | \"agent\"\n | \"tool\"\n | \"prompt\"\n | \"intelligence\";\n\nexport type CutoverFlagState = \"legacy\" | \"cutover\" | \"disabled\";\n\n// ---------------------------------------------------------------------------\n// Gateway auth context — the canonical authenticated request shape\n// ---------------------------------------------------------------------------\n\n/**\n * Authenticated request context created by the gateway middleware.\n * Lucern route handlers receive this as a read-only parameter.\n *\n * The `convex` field is typed as `unknown` in the contract because Lucern\n * consumers should not use the gateway's Convex client directly — they\n * have their own kernel client. The gateway (Stack-side) narrows this to\n * `ConvexHttpClient` at the construction site.\n */\nexport type GatewayAuthContext = {\n userId: string;\n clerkId?: string;\n convexToken?: string;\n /** Opaque in contract — narrowed to ConvexHttpClient at the gateway. */\n convex: any; // eslint-disable-line @typescript-eslint/no-explicit-any\n authMode: GatewayAuthMode;\n principalId?: string;\n principalType?: SessionPrincipalType;\n tenantId?: string;\n workspaceId?: string;\n roles?: string[];\n membershipId?: string;\n sessionId?: string;\n sessionAuthMode?: SessionAuthMode;\n sessionExpiresAt?: number;\n delegationChain?: SessionDelegationHop[];\n servicePrincipalId?: string;\n servicePrincipalKeyId?: string;\n servicePrincipalTenantId?: string;\n servicePrincipalWorkspaceId?: string;\n requestEnvironment: GatewayEnvironment;\n keyEnvironment?: GatewayEnvironment;\n keyStatus: KeyLifecycleStatus | \"unknown\";\n grantedScopes: Set<string>;\n cutoverDomain: CutoverDomain;\n cutoverState: CutoverFlagState;\n};\n\n// ---------------------------------------------------------------------------\n// Gateway response helpers — portable (no Next.js dependency)\n// ---------------------------------------------------------------------------\n\nexport type GatewayErrorArgs = {\n code: PlatformApiErrorCode;\n message: string;\n status: number;\n correlationId: string;\n policyTraceId?: string;\n invariant?: string;\n suggestion?: string;\n details?: unknown;\n headers?: HeadersInit;\n};\n\nexport type GatewaySuccessArgs = {\n status?: number;\n correlationId: string;\n policyTraceId?: string;\n idempotentReplay?: boolean;\n};\n\nexport function requireActorPrincipalId(\n authContext: GatewayAuthContext\n): string {\n const principalId =\n typeof authContext.principalId === \"string\"\n ? authContext.principalId.trim()\n : \"\";\n if (principalId.length > 0) {\n return principalId;\n }\n throw new Error(\"Access denied: federated principal context required.\");\n}\n"]}
1
+ {"version":3,"sources":["../src/gateway.contract.ts"],"names":[],"mappings":";AAiJO,SAAS,wBACd,WAAA,EACQ;AACR,EAAA,MAAM,WAAA,GACJ,OAAO,WAAA,CAAY,WAAA,KAAgB,WAC/B,WAAA,CAAY,WAAA,CAAY,MAAK,GAC7B,EAAA;AACN,EAAA,IAAI,WAAA,CAAY,SAAS,CAAA,EAAG;AAC1B,IAAA,OAAO,WAAA;AAAA,EACT;AACA,EAAA,MAAM,IAAI,MAAM,sDAAsD,CAAA;AACxE","file":"gateway.contract.js","sourcesContent":["/**\n * Gateway contract types — shared between Stack's gateway middleware and\n * Lucern's server-core / gateway route handlers.\n *\n * These types describe the authenticated request context that flows from\n * the gateway into Lucern route handlers. The gateway (Stack-side) creates\n * the context; Lucern consumes it read-only.\n *\n * @module @lucern/contracts/src/gateway\n */\n\nimport type {\n SessionAuthMode,\n SessionDelegationHop,\n SessionPrincipalType,\n} from \"./auth-session.contract\";\n\n// ---------------------------------------------------------------------------\n// Error codes\n// ---------------------------------------------------------------------------\n\nexport type PlatformApiErrorCode =\n | \"AUTH_REQUIRED\"\n | \"AUTHENTICATION_REQUIRED\"\n | \"AUTH_TOKEN_MISSING\"\n | \"INVALID_REQUEST\"\n | \"IDEMPOTENCY_KEY_REQUIRED\"\n | \"FORBIDDEN\"\n | \"SCOPE_INSUFFICIENT\"\n | \"ENVIRONMENT_MISMATCH\"\n | \"KEY_EXPIRED\"\n | \"KEY_REVOKED\"\n | \"RATE_LIMIT_EXCEEDED\"\n | \"NOT_FOUND\"\n | \"CONFLICT\"\n | \"UPSTREAM_ERROR\"\n | \"INTERNAL_ERROR\";\n\n// ---------------------------------------------------------------------------\n// Gateway scope and environment\n// ---------------------------------------------------------------------------\n\nexport type GatewayScope = {\n tenantId?: string;\n workspaceId?: string;\n};\n\nexport type GatewayEnvironment = \"sandbox\" | \"production\";\n\nexport type GatewayAuthMode =\n | \"interactive_user\"\n | \"service_principal\"\n | \"tenant_api_key\"\n | \"session_token\";\n\nexport type KeyLifecycleStatus =\n | \"active\"\n | \"rotating\"\n | \"rotated\"\n | \"expired\"\n | \"revoked\";\n\nexport type CutoverDomain =\n | \"graph\"\n | \"schema\"\n | \"identity\"\n | \"policy\"\n | \"audit\"\n | \"admin\"\n | \"agent\"\n | \"tool\"\n | \"prompt\"\n | \"intelligence\";\n\nexport type CutoverFlagState = \"legacy\" | \"cutover\" | \"disabled\";\n\n// ---------------------------------------------------------------------------\n// Gateway auth context — the canonical authenticated request shape\n// ---------------------------------------------------------------------------\n\n/**\n * Authenticated request context created by the gateway middleware.\n * Lucern route handlers receive this as a read-only parameter.\n *\n * The `convex` field is typed as `unknown` in the contract because Lucern\n * consumers should not use the gateway's Convex client directly — they\n * have their own kernel client. The gateway (Stack-side) narrows this to\n * `ConvexHttpClient` at the construction site.\n */\nexport type GatewayAuthContext = {\n userId: string;\n clerkId?: string;\n convexToken?: string;\n /** Opaque in contract — narrowed to ConvexHttpClient at the gateway. */\n convex: any; // eslint-disable-line @typescript-eslint/no-explicit-any\n authMode: GatewayAuthMode;\n principalId?: string;\n principalType?: SessionPrincipalType;\n tenantId?: string;\n canonicalTenantId?: string;\n tenantSlug?: string;\n workspaceId?: string;\n workspaceSlug?: string;\n workspaceKey?: string;\n roles?: string[];\n membershipId?: string;\n sessionId?: string;\n sessionAuthMode?: SessionAuthMode;\n sessionExpiresAt?: number;\n delegationChain?: SessionDelegationHop[];\n servicePrincipalId?: string;\n servicePrincipalKeyId?: string;\n servicePrincipalTenantId?: string;\n servicePrincipalWorkspaceId?: string;\n requestEnvironment: GatewayEnvironment;\n keyEnvironment?: GatewayEnvironment;\n keyStatus: KeyLifecycleStatus | \"unknown\";\n grantedScopes: Set<string>;\n cutoverDomain: CutoverDomain;\n cutoverState: CutoverFlagState;\n};\n\n// ---------------------------------------------------------------------------\n// Gateway response helpers — portable (no Next.js dependency)\n// ---------------------------------------------------------------------------\n\nexport type GatewayErrorArgs = {\n code: PlatformApiErrorCode;\n message: string;\n status: number;\n correlationId: string;\n policyTraceId?: string;\n invariant?: string;\n suggestion?: string;\n details?: unknown;\n headers?: HeadersInit;\n};\n\nexport type GatewaySuccessArgs = {\n status?: number;\n correlationId: string;\n policyTraceId?: string;\n idempotentReplay?: boolean;\n};\n\nexport function requireActorPrincipalId(\n authContext: GatewayAuthContext\n): string {\n const principalId =\n typeof authContext.principalId === \"string\"\n ? authContext.principalId.trim()\n : \"\";\n if (principalId.length > 0) {\n return principalId;\n }\n throw new Error(\"Access denied: federated principal context required.\");\n}\n"]}
@@ -3,11 +3,11 @@ import { GenericSchema } from 'convex/server';
3
3
 
4
4
  type GeneratedSchemaTables = GenericSchema;
5
5
  declare const KERNEL_SCHEMA_TABLES: GeneratedSchemaTables;
6
- declare const IDENTITY_SCHEMA_TABLES: GeneratedSchemaTables;
6
+ declare const CONTROL_PLANE_SCHEMA_TABLES: GeneratedSchemaTables;
7
7
  declare const MC_SCHEMA_TABLES: GeneratedSchemaTables;
8
8
  declare const DEVELOPER_PACK_SCHEMA_TABLES: GeneratedSchemaTables;
9
9
  declare const EMPTY_SCHEMA_TABLES: GeneratedSchemaTables;
10
- declare const IDENTITY_TIER_SCHEMA_TABLES: GeneratedSchemaTables;
10
+ declare const CONTROL_PLANE_TIER_SCHEMA_TABLES: GeneratedSchemaTables;
11
11
  declare const KERNEL_TIER_SCHEMA_TABLES: GeneratedSchemaTables;
12
12
  declare const KERNEL_COMPONENT_TIER_SCHEMA_TABLES: GeneratedSchemaTables;
13
13
  declare const STACK_TIER_SCHEMA_TABLES: GeneratedSchemaTables;
@@ -17,4 +17,4 @@ declare const FULL_TIER_SCHEMA_TABLES: GeneratedSchemaTables;
17
17
  declare const TIER_SCHEMA_TABLES: Record<string, GeneratedSchemaTables>;
18
18
  declare const _default: convex_server.SchemaDefinition<GenericSchema, true>;
19
19
 
20
- export { DEVELOPER_PACK_SCHEMA_TABLES, EMPTY_SCHEMA_TABLES, FULL_TIER_SCHEMA_TABLES, IDENTITY_SCHEMA_TABLES, IDENTITY_TIER_SCHEMA_TABLES, KERNEL_COMPONENT_TIER_SCHEMA_TABLES, KERNEL_SCHEMA_TABLES, KERNEL_TIER_SCHEMA_TABLES, MC_SCHEMA_TABLES, MC_TIER_SCHEMA_TABLES, STACK_TIER_SCHEMA_TABLES, STACK_V2_TIER_SCHEMA_TABLES, TIER_SCHEMA_TABLES, _default as default };
20
+ export { CONTROL_PLANE_SCHEMA_TABLES, CONTROL_PLANE_TIER_SCHEMA_TABLES, DEVELOPER_PACK_SCHEMA_TABLES, EMPTY_SCHEMA_TABLES, FULL_TIER_SCHEMA_TABLES, KERNEL_COMPONENT_TIER_SCHEMA_TABLES, KERNEL_SCHEMA_TABLES, KERNEL_TIER_SCHEMA_TABLES, MC_SCHEMA_TABLES, MC_TIER_SCHEMA_TABLES, STACK_TIER_SCHEMA_TABLES, STACK_V2_TIER_SCHEMA_TABLES, TIER_SCHEMA_TABLES, _default as default };