@lucern/contracts 0.3.0-alpha.9 → 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (253) hide show
  1. package/CHANGELOG.md +7 -0
  2. package/dist/api-enums.contract.d.ts +5 -3
  3. package/dist/api-enums.contract.js +14 -12
  4. package/dist/api-enums.contract.js.map +1 -1
  5. package/dist/auth-context.contract.js +14 -2
  6. package/dist/auth-context.contract.js.map +1 -1
  7. package/dist/auth-session.contract.js +14 -2
  8. package/dist/auth-session.contract.js.map +1 -1
  9. package/dist/auth.contract.d.ts +1 -1
  10. package/dist/auth.contract.js +14 -2
  11. package/dist/auth.contract.js.map +1 -1
  12. package/dist/component-boundary.contract.d.ts +1 -1
  13. package/dist/component-boundary.contract.js +46 -26
  14. package/dist/component-boundary.contract.js.map +1 -1
  15. package/dist/component-host-boundary.contract.d.ts +10 -5
  16. package/dist/component-host-boundary.contract.js +10 -4
  17. package/dist/component-host-boundary.contract.js.map +1 -1
  18. package/dist/{defineTable-CBQ03FXl.d.ts → defineTable-t1wr5wgn.d.ts} +1 -1
  19. package/dist/{dsl-djCRfuWC.d.ts → dsl-DVPthQGY.d.ts} +1 -1
  20. package/dist/dsl.d.ts +2 -2
  21. package/dist/dsl.js.map +1 -1
  22. package/dist/function-registry/beliefs.d.ts +23 -10
  23. package/dist/function-registry/beliefs.js +467 -36
  24. package/dist/function-registry/beliefs.js.map +1 -1
  25. package/dist/function-registry/coding.d.ts +15 -6
  26. package/dist/function-registry/coding.js +531 -22
  27. package/dist/function-registry/coding.js.map +1 -1
  28. package/dist/function-registry/context.d.ts +9 -3
  29. package/dist/function-registry/context.js +464 -21
  30. package/dist/function-registry/context.js.map +1 -1
  31. package/dist/function-registry/contracts.d.ts +9 -3
  32. package/dist/function-registry/contracts.js +464 -21
  33. package/dist/function-registry/contracts.js.map +1 -1
  34. package/dist/function-registry/coordination.d.ts +21 -9
  35. package/dist/function-registry/coordination.js +464 -21
  36. package/dist/function-registry/coordination.js.map +1 -1
  37. package/dist/function-registry/edges.d.ts +167 -2
  38. package/dist/function-registry/edges.js +619 -28
  39. package/dist/function-registry/edges.js.map +1 -1
  40. package/dist/function-registry/evidence.d.ts +19 -8
  41. package/dist/function-registry/evidence.js +469 -36
  42. package/dist/function-registry/evidence.js.map +1 -1
  43. package/dist/function-registry/graph.d.ts +33 -15
  44. package/dist/function-registry/graph.js +464 -21
  45. package/dist/function-registry/graph.js.map +1 -1
  46. package/dist/function-registry/helpers.d.ts +6 -3
  47. package/dist/function-registry/helpers.js +465 -22
  48. package/dist/function-registry/helpers.js.map +1 -1
  49. package/dist/function-registry/identity.d.ts +62 -16
  50. package/dist/function-registry/identity.js +487 -27
  51. package/dist/function-registry/identity.js.map +1 -1
  52. package/dist/function-registry/index.d.ts +4 -2
  53. package/dist/function-registry/index.js +468 -22
  54. package/dist/function-registry/index.js.map +1 -1
  55. package/dist/function-registry/judgments.d.ts +7 -2
  56. package/dist/function-registry/judgments.js +464 -21
  57. package/dist/function-registry/judgments.js.map +1 -1
  58. package/dist/function-registry/legacy.d.ts +5 -1
  59. package/dist/function-registry/legacy.js +464 -21
  60. package/dist/function-registry/legacy.js.map +1 -1
  61. package/dist/function-registry/lenses.d.ts +11 -4
  62. package/dist/function-registry/lenses.js +464 -21
  63. package/dist/function-registry/lenses.js.map +1 -1
  64. package/dist/function-registry/manifest.d.ts +4 -4
  65. package/dist/function-registry/manifest.js +16 -1
  66. package/dist/function-registry/manifest.js.map +1 -1
  67. package/dist/function-registry/nodes.d.ts +412 -0
  68. package/dist/function-registry/nodes.js +5354 -0
  69. package/dist/function-registry/nodes.js.map +1 -0
  70. package/dist/function-registry/ontologies.d.ts +25 -11
  71. package/dist/function-registry/ontologies.js +464 -21
  72. package/dist/function-registry/ontologies.js.map +1 -1
  73. package/dist/function-registry/pipeline.d.ts +9 -3
  74. package/dist/function-registry/pipeline.js +464 -21
  75. package/dist/function-registry/pipeline.js.map +1 -1
  76. package/dist/function-registry/questions.d.ts +27 -12
  77. package/dist/function-registry/questions.js +466 -26
  78. package/dist/function-registry/questions.js.map +1 -1
  79. package/dist/function-registry/tasks.d.ts +11 -4
  80. package/dist/function-registry/tasks.js +497 -30
  81. package/dist/function-registry/tasks.js.map +1 -1
  82. package/dist/function-registry/topics.d.ts +93 -5
  83. package/dist/function-registry/topics.js +534 -24
  84. package/dist/function-registry/topics.js.map +1 -1
  85. package/dist/function-registry/types.d.ts +7 -3
  86. package/dist/function-registry/worktrees.d.ts +25 -11
  87. package/dist/function-registry/worktrees.js +480 -21
  88. package/dist/function-registry/worktrees.js.map +1 -1
  89. package/dist/gateway.contract.d.ts +4 -0
  90. package/dist/gateway.contract.js.map +1 -1
  91. package/dist/generated/convexSchemas.d.ts +3 -3
  92. package/dist/generated/convexSchemas.js +37 -17
  93. package/dist/generated/convexSchemas.js.map +1 -1
  94. package/dist/generated/infisicalRuntimeEnv.d.ts +70 -0
  95. package/dist/generated/infisicalRuntimeEnv.js +27585 -0
  96. package/dist/generated/infisicalRuntimeEnv.js.map +1 -0
  97. package/dist/generated/lucernGatewayEnv.d.ts +17 -0
  98. package/dist/generated/lucernGatewayEnv.js +38 -0
  99. package/dist/generated/lucernGatewayEnv.js.map +1 -0
  100. package/dist/generated/lucernWebPublicEnv.d.ts +26 -0
  101. package/dist/generated/lucernWebPublicEnv.js +32 -0
  102. package/dist/generated/lucernWebPublicEnv.js.map +1 -0
  103. package/dist/generated/lucernWebServerEnv.d.ts +33 -0
  104. package/dist/generated/lucernWebServerEnv.js +51 -0
  105. package/dist/generated/lucernWebServerEnv.js.map +1 -0
  106. package/dist/generated/schema-manifest.json +1221 -114
  107. package/dist/generated/tableOwnership.d.ts +48 -28
  108. package/dist/generated/tableOwnership.js +66 -26
  109. package/dist/generated/tableOwnership.js.map +1 -1
  110. package/dist/generated/tier-expectations.json +64 -9
  111. package/dist/{index-O09U2xHk.d.ts → index-CM1Pl_vI.d.ts} +3 -3
  112. package/dist/index.d.ts +11 -6
  113. package/dist/index.js +32838 -413
  114. package/dist/index.js.map +1 -1
  115. package/dist/infisical-runtime.contract.d.ts +1763 -6
  116. package/dist/infisical-runtime.contract.js +2994 -15
  117. package/dist/infisical-runtime.contract.js.map +1 -1
  118. package/dist/manifests/infisical-runtime-manifest.d.ts +1689 -6
  119. package/dist/manifests/infisical-runtime-manifest.js +2847 -12
  120. package/dist/manifests/infisical-runtime-manifest.js.map +1 -1
  121. package/dist/manifests/tenant-client-manifest.d.ts +19 -14
  122. package/dist/manifests/tenant-client-manifest.js +29 -12
  123. package/dist/manifests/tenant-client-manifest.js.map +1 -1
  124. package/dist/mcp-gateway-boundary.contract.d.ts +23 -3
  125. package/dist/mcp-gateway-boundary.contract.js +2 -0
  126. package/dist/mcp-gateway-boundary.contract.js.map +1 -1
  127. package/dist/permit-principal-projection.contract.d.ts +74 -0
  128. package/dist/permit-principal-projection.contract.js +167 -0
  129. package/dist/permit-principal-projection.contract.js.map +1 -0
  130. package/dist/projections/check-convex-args-shape.js +10 -6
  131. package/dist/projections/check-convex-args-shape.js.map +1 -1
  132. package/dist/projections/create-evidence.projection.d.ts +6 -6
  133. package/dist/projections/create-evidence.projection.js +2 -3
  134. package/dist/projections/create-evidence.projection.js.map +1 -1
  135. package/dist/projections/index.d.ts +3 -3
  136. package/dist/projections/index.js +10 -6
  137. package/dist/projections/index.js.map +1 -1
  138. package/dist/projections/list-tasks.projection.d.ts +20 -8
  139. package/dist/projections/list-tasks.projection.js +8 -3
  140. package/dist/projections/list-tasks.projection.js.map +1 -1
  141. package/dist/proof-attestation.json +45 -0
  142. package/dist/schemas/component-table-manifest.d.ts +6 -6
  143. package/dist/schemas/component-table-manifest.js +2 -2
  144. package/dist/schemas/component-table-manifest.js.map +1 -1
  145. package/dist/schemas/index.d.ts +2 -2
  146. package/dist/schemas/index.js +1123 -137
  147. package/dist/schemas/index.js.map +1 -1
  148. package/dist/schemas/manifest.d.ts +2102 -132
  149. package/dist/schemas/manifest.js +1121 -135
  150. package/dist/schemas/manifest.js.map +1 -1
  151. package/dist/schemas/tables/controlPlane/accessControl.d.ts +260 -0
  152. package/dist/schemas/tables/controlPlane/accessControl.js +658 -0
  153. package/dist/schemas/tables/controlPlane/accessControl.js.map +1 -0
  154. package/dist/schemas/tables/{identity → controlPlane}/agent.d.ts +1 -1
  155. package/dist/schemas/tables/{identity → controlPlane}/agent.js +3 -3
  156. package/dist/schemas/tables/controlPlane/agent.js.map +1 -0
  157. package/dist/schemas/tables/{identity → controlPlane}/epistemic.d.ts +1 -1
  158. package/dist/schemas/tables/{identity → controlPlane}/epistemic.js +3 -3
  159. package/dist/schemas/tables/controlPlane/epistemic.js.map +1 -0
  160. package/dist/schemas/tables/{identity → controlPlane}/model.d.ts +1 -1
  161. package/dist/schemas/tables/{identity → controlPlane}/model.js +6 -6
  162. package/dist/schemas/tables/controlPlane/model.js.map +1 -0
  163. package/dist/schemas/tables/{identity → controlPlane}/platform.d.ts +1 -1
  164. package/dist/schemas/tables/{identity → controlPlane}/platform.js +18 -18
  165. package/dist/schemas/tables/controlPlane/platform.js.map +1 -0
  166. package/dist/schemas/tables/{identity → controlPlane}/project.d.ts +1 -1
  167. package/dist/schemas/tables/{identity → controlPlane}/project.js +3 -3
  168. package/dist/schemas/tables/controlPlane/project.js.map +1 -0
  169. package/dist/schemas/tables/{identity → controlPlane}/user.d.ts +1 -1
  170. package/dist/schemas/tables/{identity → controlPlane}/user.js +3 -3
  171. package/dist/schemas/tables/controlPlane/user.js.map +1 -0
  172. package/dist/schemas/tables/kernel/config.d.ts +1 -1
  173. package/dist/schemas/tables/kernel/config.js.map +1 -1
  174. package/dist/schemas/tables/kernel/coordination.d.ts +1 -1
  175. package/dist/schemas/tables/kernel/coordination.js.map +1 -1
  176. package/dist/schemas/tables/kernel/decision.d.ts +1 -1
  177. package/dist/schemas/tables/kernel/decision.js.map +1 -1
  178. package/dist/schemas/tables/kernel/embedding.d.ts +1 -1
  179. package/dist/schemas/tables/kernel/embedding.js.map +1 -1
  180. package/dist/schemas/tables/kernel/epistemic.d.ts +1 -1
  181. package/dist/schemas/tables/kernel/epistemic.js.map +1 -1
  182. package/dist/schemas/tables/kernel/events.d.ts +21 -0
  183. package/dist/schemas/tables/kernel/events.js +43 -0
  184. package/dist/schemas/tables/kernel/events.js.map +1 -0
  185. package/dist/schemas/tables/kernel/idempotency.d.ts +1 -1
  186. package/dist/schemas/tables/kernel/idempotency.js.map +1 -1
  187. package/dist/schemas/tables/kernel/infra.d.ts +1 -1
  188. package/dist/schemas/tables/kernel/infra.js.map +1 -1
  189. package/dist/schemas/tables/kernel/intelligence.d.ts +1 -1
  190. package/dist/schemas/tables/kernel/intelligence.js.map +1 -1
  191. package/dist/schemas/tables/kernel/lens.d.ts +1 -1
  192. package/dist/schemas/tables/kernel/lens.js.map +1 -1
  193. package/dist/schemas/tables/kernel/ontology.d.ts +1 -1
  194. package/dist/schemas/tables/kernel/ontology.js.map +1 -1
  195. package/dist/schemas/tables/kernel/platform.d.ts +1 -1
  196. package/dist/schemas/tables/kernel/platform.js.map +1 -1
  197. package/dist/schemas/tables/kernel/spine.d.ts +2 -1
  198. package/dist/schemas/tables/kernel/spine.js +1 -0
  199. package/dist/schemas/tables/kernel/spine.js.map +1 -1
  200. package/dist/schemas/tables/kernel/task.d.ts +1 -1
  201. package/dist/schemas/tables/kernel/task.js.map +1 -1
  202. package/dist/schemas/tables/kernel/topic.d.ts +1 -1
  203. package/dist/schemas/tables/kernel/topic.js +1 -0
  204. package/dist/schemas/tables/kernel/topic.js.map +1 -1
  205. package/dist/schemas/tables/kernel/workflow.d.ts +1 -1
  206. package/dist/schemas/tables/kernel/workflow.js.map +1 -1
  207. package/dist/schemas/tables/kernel/worktree.d.ts +17 -17
  208. package/dist/schemas/tables/kernel/worktree.js.map +1 -1
  209. package/dist/schemas/tables/mc/identity.d.ts +19 -2
  210. package/dist/schemas/tables/mc/identity.js +32 -1
  211. package/dist/schemas/tables/mc/identity.js.map +1 -1
  212. package/dist/schemas/tables/mc/methodology.d.ts +1 -1
  213. package/dist/schemas/tables/mc/methodology.js.map +1 -1
  214. package/dist/schemas/tables/mc/pack.d.ts +1 -1
  215. package/dist/schemas/tables/mc/pack.js.map +1 -1
  216. package/dist/schemas/tables/mc/policy.d.ts +2 -2
  217. package/dist/schemas/tables/mc/policy.js +1 -1
  218. package/dist/schemas/tables/mc/policy.js.map +1 -1
  219. package/dist/schemas/tables/mc/registry.d.ts +1 -1
  220. package/dist/schemas/tables/mc/registry.js.map +1 -1
  221. package/dist/schemas/tables/mc/runtime.d.ts +109 -3
  222. package/dist/schemas/tables/mc/runtime.js +330 -104
  223. package/dist/schemas/tables/mc/runtime.js.map +1 -1
  224. package/dist/schemas/tables/mc/tenant.d.ts +4 -2
  225. package/dist/schemas/tables/mc/tenant.js +3 -1
  226. package/dist/schemas/tables/mc/tenant.js.map +1 -1
  227. package/dist/schemas/tables/mc/workspace.d.ts +22 -5
  228. package/dist/schemas/tables/mc/workspace.js +34 -2
  229. package/dist/schemas/tables/mc/workspace.js.map +1 -1
  230. package/dist/{sdk-tools.contract-Ci8bkoai.d.ts → sdk-tools.contract-CKmSsrZ2.d.ts} +1 -1
  231. package/dist/sdk-tools.contract.d.ts +2 -2
  232. package/dist/sdk-tools.contract.js +417 -13
  233. package/dist/sdk-tools.contract.js.map +1 -1
  234. package/dist/tenant-bootstrap-seed.contract.d.ts +244 -56
  235. package/dist/tenant-bootstrap-seed.contract.js +139 -28
  236. package/dist/tenant-bootstrap-seed.contract.js.map +1 -1
  237. package/dist/tenant-bootstrap-seed.defaults.d.ts +2 -2
  238. package/dist/tenant-bootstrap-seed.defaults.js +31 -13
  239. package/dist/tenant-bootstrap-seed.defaults.js.map +1 -1
  240. package/dist/tenant-client.contract.d.ts +20 -15
  241. package/dist/tenant-client.contract.js +29 -12
  242. package/dist/tenant-client.contract.js.map +1 -1
  243. package/dist/{tool-contracts-B4iWhejG.d.ts → tool-contracts-C_xvM9q2.d.ts} +32 -2
  244. package/dist/tool-contracts.d.ts +1 -1
  245. package/dist/tool-contracts.js +418 -14
  246. package/dist/tool-contracts.js.map +1 -1
  247. package/package.json +22 -1
  248. package/dist/schemas/tables/identity/agent.js.map +0 -1
  249. package/dist/schemas/tables/identity/epistemic.js.map +0 -1
  250. package/dist/schemas/tables/identity/model.js.map +0 -1
  251. package/dist/schemas/tables/identity/platform.js.map +0 -1
  252. package/dist/schemas/tables/identity/project.js.map +0 -1
  253. package/dist/schemas/tables/identity/user.js.map +0 -1
@@ -1,9 +1,9 @@
1
1
  /**
2
2
  * Tenant bootstrap seed contract.
3
3
  *
4
- * Fresh tenant deployments install the Lucern kernel and identity components
4
+ * Fresh tenant deployments install the Lucern kernel and control-plane components
5
5
  * from npm, then copy canonical template rows for non-secret runtime defaults.
6
- * This contract is intentionally exhaustive for the K/I tables: it separates
6
+ * This contract is intentionally exhaustive for the K/CP tables: it separates
7
7
  * rows that must be carried by the template deployments from rows that are
8
8
  * runtime data, runtime credentials, logs, queues, or derived caches.
9
9
  */
@@ -14,16 +14,20 @@ declare const TENANT_BOOTSTRAP_SEED_COMPONENTS: {
14
14
  readonly kernel: {
15
15
  readonly componentName: "lucern";
16
16
  readonly migrationModule: "adapters/migration";
17
+ readonly templateMigrationModule: "dist/adapters/migration";
18
+ readonly tenantMigrationModule: "adapters/migration";
17
19
  readonly templateService: "services/kernel-template";
18
20
  readonly templateDeployments: {
19
21
  readonly staging: "kindly-goldfish-162";
20
22
  readonly prod: "cool-badger-368";
21
23
  };
22
24
  };
23
- readonly identity: {
24
- readonly componentName: "identity";
25
+ readonly "control-plane": {
26
+ readonly componentName: "controlPlane";
25
27
  readonly migrationModule: "migration";
26
- readonly templateService: "services/identity-template";
28
+ readonly templateMigrationModule: "dist/migration";
29
+ readonly tenantMigrationModule: "migration";
30
+ readonly templateService: "services/control-plane-template";
27
31
  readonly templateDeployments: {
28
32
  readonly staging: "industrious-cheetah-864";
29
33
  readonly prod: "combative-beagle-879";
@@ -177,6 +181,12 @@ declare const TENANT_BOOTSTRAP_TABLE_REQUIREMENTS: readonly [{
177
181
  readonly prepopulation: "runtime_data";
178
182
  readonly copyMode: "none";
179
183
  readonly description: "Deliberation sessions are created by tenant workflows.";
184
+ }, {
185
+ readonly component: "kernel";
186
+ readonly table: "domainEvents";
187
+ readonly prepopulation: "runtime_log";
188
+ readonly copyMode: "none";
189
+ readonly description: "Domain event rows are append-only runtime audit/exhaust data.";
180
190
  }, {
181
191
  readonly component: "kernel";
182
192
  readonly table: "epistemicAudit";
@@ -392,13 +402,13 @@ declare const TENANT_BOOTSTRAP_TABLE_REQUIREMENTS: readonly [{
392
402
  readonly copyMode: "none";
393
403
  readonly description: "Worktrees are tenant/runtime planning data.";
394
404
  }, {
395
- readonly component: "identity";
405
+ readonly component: "control-plane";
396
406
  readonly table: "agents";
397
407
  readonly prepopulation: "runtime_bootstrap";
398
408
  readonly copyMode: "none";
399
409
  readonly description: "Service agents are provisioned per tenant or service, not copied.";
400
410
  }, {
401
- readonly component: "identity";
411
+ readonly component: "control-plane";
402
412
  readonly table: "mcpWritePolicy";
403
413
  readonly prepopulation: "required_template";
404
414
  readonly copyMode: "template_global";
@@ -406,13 +416,13 @@ declare const TENANT_BOOTSTRAP_TABLE_REQUIREMENTS: readonly [{
406
416
  readonly uniqueKey: readonly ["topicId", "role", "toolCategory"];
407
417
  readonly description: "Global write policy defaults govern service and interactive MCP writes.";
408
418
  }, {
409
- readonly component: "identity";
419
+ readonly component: "control-plane";
410
420
  readonly table: "modelCallLogs";
411
421
  readonly prepopulation: "runtime_log";
412
422
  readonly copyMode: "none";
413
423
  readonly description: "Model call logs are runtime telemetry.";
414
424
  }, {
415
- readonly component: "identity";
425
+ readonly component: "control-plane";
416
426
  readonly table: "modelFunctionSlots";
417
427
  readonly prepopulation: "required_template";
418
428
  readonly copyMode: "template_global";
@@ -420,7 +430,7 @@ declare const TENANT_BOOTSTRAP_TABLE_REQUIREMENTS: readonly [{
420
430
  readonly uniqueKey: readonly ["slot"];
421
431
  readonly description: "Function-to-model slots are required by model runtime resolution.";
422
432
  }, {
423
- readonly component: "identity";
433
+ readonly component: "control-plane";
424
434
  readonly table: "modelRegistry";
425
435
  readonly prepopulation: "required_template";
426
436
  readonly copyMode: "template_global";
@@ -428,7 +438,7 @@ declare const TENANT_BOOTSTRAP_TABLE_REQUIREMENTS: readonly [{
428
438
  readonly uniqueKey: readonly ["key"];
429
439
  readonly description: "Model catalog defaults are required by model runtime clients.";
430
440
  }, {
431
- readonly component: "identity";
441
+ readonly component: "control-plane";
432
442
  readonly table: "modelSlotConfigs";
433
443
  readonly prepopulation: "required_template";
434
444
  readonly copyMode: "template_global";
@@ -436,13 +446,91 @@ declare const TENANT_BOOTSTRAP_TABLE_REQUIREMENTS: readonly [{
436
446
  readonly uniqueKey: readonly ["slot"];
437
447
  readonly description: "Slot-level defaults are required before tenant overrides exist.";
438
448
  }, {
439
- readonly component: "identity";
449
+ readonly component: "control-plane";
450
+ readonly table: "permitAccessReviewItems";
451
+ readonly prepopulation: "runtime_data";
452
+ readonly copyMode: "none";
453
+ readonly description: "Permit access-review item rows are tenant review data projected from Permit.";
454
+ }, {
455
+ readonly component: "control-plane";
456
+ readonly table: "permitAccessReviews";
457
+ readonly prepopulation: "runtime_data";
458
+ readonly copyMode: "none";
459
+ readonly description: "Permit access-review campaigns are tenant review data projected from Permit.";
460
+ }, {
461
+ readonly component: "control-plane";
462
+ readonly table: "permitAttributeBindings";
463
+ readonly prepopulation: "runtime_data";
464
+ readonly copyMode: "none";
465
+ readonly description: "Permit ABAC attribute bindings are tenant policy projection rows.";
466
+ }, {
467
+ readonly component: "control-plane";
468
+ readonly table: "permitGroups";
469
+ readonly prepopulation: "runtime_data";
470
+ readonly copyMode: "none";
471
+ readonly description: "Permit groups are tenant-defined policy subjects, not template data.";
472
+ }, {
473
+ readonly component: "control-plane";
474
+ readonly table: "permitGroupMemberships";
475
+ readonly prepopulation: "runtime_data";
476
+ readonly copyMode: "none";
477
+ readonly description: "Permit group memberships are tenant-specific policy projection rows.";
478
+ }, {
479
+ readonly component: "control-plane";
480
+ readonly table: "permitPolicyBundles";
481
+ readonly prepopulation: "runtime_derived";
482
+ readonly copyMode: "none";
483
+ readonly description: "Permit policy bundles are derived from the Permit control plane.";
484
+ }, {
485
+ readonly component: "control-plane";
486
+ readonly table: "permitPolicyDecisionReceipts";
487
+ readonly prepopulation: "runtime_log";
488
+ readonly copyMode: "none";
489
+ readonly description: "Permit decision receipts are runtime authorization audit logs.";
490
+ }, {
491
+ readonly component: "control-plane";
492
+ readonly table: "permitPrincipalAliases";
493
+ readonly prepopulation: "runtime_data";
494
+ readonly copyMode: "none";
495
+ readonly description: "Permit principal aliases are tenant-specific identity projection rows.";
496
+ }, {
497
+ readonly component: "control-plane";
498
+ readonly table: "permitPrincipals";
499
+ readonly prepopulation: "runtime_data";
500
+ readonly copyMode: "none";
501
+ readonly description: "Permit principals are projected from Clerk, Permit, and tenant onboarding flows.";
502
+ }, {
503
+ readonly component: "control-plane";
504
+ readonly table: "permitProjectionOutbox";
505
+ readonly prepopulation: "runtime_queue";
506
+ readonly copyMode: "none";
507
+ readonly description: "Permit projection outbox rows are runtime sync queue data.";
508
+ }, {
509
+ readonly component: "control-plane";
510
+ readonly table: "permitRelationshipTuples";
511
+ readonly prepopulation: "runtime_data";
512
+ readonly copyMode: "none";
513
+ readonly description: "Permit ReBAC relationship tuples are tenant policy projection rows.";
514
+ }, {
515
+ readonly component: "control-plane";
516
+ readonly table: "permitResourceInstances";
517
+ readonly prepopulation: "runtime_data";
518
+ readonly copyMode: "none";
519
+ readonly description: "Permit resource instances are tenant/workspace graph and deployment projection rows.";
520
+ }, {
521
+ readonly component: "control-plane";
522
+ readonly table: "permitRoleAssignments";
523
+ readonly prepopulation: "runtime_data";
524
+ readonly copyMode: "none";
525
+ readonly description: "Permit role assignments are tenant-specific policy projection rows.";
526
+ }, {
527
+ readonly component: "control-plane";
440
528
  readonly table: "platformAudienceGrants";
441
529
  readonly prepopulation: "runtime_data";
442
530
  readonly copyMode: "none";
443
531
  readonly description: "Audience grants are principal/group-specific access rows.";
444
532
  }, {
445
- readonly component: "identity";
533
+ readonly component: "control-plane";
446
534
  readonly table: "platformAudiences";
447
535
  readonly prepopulation: "required_template";
448
536
  readonly copyMode: "template_tenant_rewrite";
@@ -450,31 +538,31 @@ declare const TENANT_BOOTSTRAP_TABLE_REQUIREMENTS: readonly [{
450
538
  readonly uniqueKey: readonly ["tenantId", "workspaceId", "audienceKey"];
451
539
  readonly description: "Default tenant audience taxonomy rows are rewritten into each tenant.";
452
540
  }, {
453
- readonly component: "identity";
541
+ readonly component: "control-plane";
454
542
  readonly table: "platformPolicyDecisionLogs";
455
543
  readonly prepopulation: "runtime_log";
456
544
  readonly copyMode: "none";
457
545
  readonly description: "Policy decisions are runtime audit logs.";
458
546
  }, {
459
- readonly component: "identity";
547
+ readonly component: "control-plane";
460
548
  readonly table: "projectGrants";
461
549
  readonly prepopulation: "runtime_data";
462
550
  readonly copyMode: "none";
463
551
  readonly description: "Project/topic grants are principal or group-specific access rows.";
464
552
  }, {
465
- readonly component: "identity";
553
+ readonly component: "control-plane";
466
554
  readonly table: "reasoningPermissions";
467
555
  readonly prepopulation: "runtime_data";
468
556
  readonly copyMode: "none";
469
557
  readonly description: "Reasoning permissions are principal-specific policy rows.";
470
558
  }, {
471
- readonly component: "identity";
559
+ readonly component: "control-plane";
472
560
  readonly table: "tenantApiKeys";
473
561
  readonly prepopulation: "runtime_secret";
474
562
  readonly copyMode: "none";
475
563
  readonly description: "API keys are tenant credentials and must never be copied.";
476
564
  }, {
477
- readonly component: "identity";
565
+ readonly component: "control-plane";
478
566
  readonly table: "tenantConfig";
479
567
  readonly prepopulation: "required_template";
480
568
  readonly copyMode: "template_tenant_rewrite";
@@ -482,7 +570,7 @@ declare const TENANT_BOOTSTRAP_TABLE_REQUIREMENTS: readonly [{
482
570
  readonly uniqueKey: readonly ["tenantId"];
483
571
  readonly description: "Tenant-local config defaults are rewritten during bootstrap.";
484
572
  }, {
485
- readonly component: "identity";
573
+ readonly component: "control-plane";
486
574
  readonly table: "tenantIntegrations";
487
575
  readonly prepopulation: "required_template";
488
576
  readonly copyMode: "template_tenant_rewrite";
@@ -490,13 +578,19 @@ declare const TENANT_BOOTSTRAP_TABLE_REQUIREMENTS: readonly [{
490
578
  readonly uniqueKey: readonly ["tenantId", "integrationKey"];
491
579
  readonly description: "Non-secret integration descriptors are rewritten into each tenant.";
492
580
  }, {
493
- readonly component: "identity";
581
+ readonly component: "control-plane";
494
582
  readonly table: "tenantModelSlotBindings";
495
583
  readonly prepopulation: "runtime_secret";
496
584
  readonly copyMode: "none";
497
585
  readonly description: "Tenant model slot bindings reference provider secrets and are runtime-only.";
498
586
  }, {
499
- readonly component: "identity";
587
+ readonly component: "control-plane";
588
+ readonly table: "tenantPermitSyncStates";
589
+ readonly prepopulation: "runtime_derived";
590
+ readonly copyMode: "none";
591
+ readonly description: "Tenant Permit sync state rows are runtime reconciliation state.";
592
+ }, {
593
+ readonly component: "control-plane";
500
594
  readonly table: "tenantPolicies";
501
595
  readonly prepopulation: "required_template";
502
596
  readonly copyMode: "template_tenant_rewrite";
@@ -504,37 +598,37 @@ declare const TENANT_BOOTSTRAP_TABLE_REQUIREMENTS: readonly [{
504
598
  readonly uniqueKey: readonly ["tenantId", "workspaceId", "roleName"];
505
599
  readonly description: "Default tenant policy roles are rewritten during bootstrap.";
506
600
  }, {
507
- readonly component: "identity";
601
+ readonly component: "control-plane";
508
602
  readonly table: "tenantProviderSecrets";
509
603
  readonly prepopulation: "runtime_secret";
510
604
  readonly copyMode: "none";
511
605
  readonly description: "Provider secrets are credentials and must never be copied.";
512
606
  }, {
513
- readonly component: "identity";
607
+ readonly component: "control-plane";
514
608
  readonly table: "tenantProxyGatewayUsage";
515
609
  readonly prepopulation: "runtime_log";
516
610
  readonly copyMode: "none";
517
611
  readonly description: "Proxy gateway usage rows are runtime telemetry.";
518
612
  }, {
519
- readonly component: "identity";
613
+ readonly component: "control-plane";
520
614
  readonly table: "tenantProxyTokenMints";
521
615
  readonly prepopulation: "runtime_secret";
522
616
  readonly copyMode: "none";
523
617
  readonly description: "Proxy token mints are ephemeral secret-bearing runtime rows.";
524
618
  }, {
525
- readonly component: "identity";
619
+ readonly component: "control-plane";
526
620
  readonly table: "tenantSandboxAuditEvents";
527
621
  readonly prepopulation: "runtime_log";
528
622
  readonly copyMode: "none";
529
623
  readonly description: "Sandbox audit rows are runtime security logs.";
530
624
  }, {
531
- readonly component: "identity";
625
+ readonly component: "control-plane";
532
626
  readonly table: "tenantSecrets";
533
627
  readonly prepopulation: "runtime_secret";
534
628
  readonly copyMode: "none";
535
629
  readonly description: "Tenant secrets are credentials and must never be copied.";
536
630
  }, {
537
- readonly component: "identity";
631
+ readonly component: "control-plane";
538
632
  readonly table: "toolAcls";
539
633
  readonly prepopulation: "required_template";
540
634
  readonly copyMode: "template_global";
@@ -542,7 +636,7 @@ declare const TENANT_BOOTSTRAP_TABLE_REQUIREMENTS: readonly [{
542
636
  readonly uniqueKey: readonly ["role", "toolName"];
543
637
  readonly description: "Default role-to-tool grants are required for SDK/MCP tool access.";
544
638
  }, {
545
- readonly component: "identity";
639
+ readonly component: "control-plane";
546
640
  readonly table: "toolRegistry";
547
641
  readonly prepopulation: "required_template";
548
642
  readonly copyMode: "template_global";
@@ -550,7 +644,7 @@ declare const TENANT_BOOTSTRAP_TABLE_REQUIREMENTS: readonly [{
550
644
  readonly uniqueKey: readonly ["toolName"];
551
645
  readonly description: "Core tool catalog rows are required before pack or tenant tools exist.";
552
646
  }, {
553
- readonly component: "identity";
647
+ readonly component: "control-plane";
554
648
  readonly table: "users";
555
649
  readonly prepopulation: "runtime_bootstrap";
556
650
  readonly copyMode: "none";
@@ -567,16 +661,20 @@ declare const TENANT_BOOTSTRAP_SEED_MANIFEST: {
567
661
  readonly kernel: {
568
662
  readonly componentName: "lucern";
569
663
  readonly migrationModule: "adapters/migration";
664
+ readonly templateMigrationModule: "dist/adapters/migration";
665
+ readonly tenantMigrationModule: "adapters/migration";
570
666
  readonly templateService: "services/kernel-template";
571
667
  readonly templateDeployments: {
572
668
  readonly staging: "kindly-goldfish-162";
573
669
  readonly prod: "cool-badger-368";
574
670
  };
575
671
  };
576
- readonly identity: {
577
- readonly componentName: "identity";
672
+ readonly "control-plane": {
673
+ readonly componentName: "controlPlane";
578
674
  readonly migrationModule: "migration";
579
- readonly templateService: "services/identity-template";
675
+ readonly templateMigrationModule: "dist/migration";
676
+ readonly tenantMigrationModule: "migration";
677
+ readonly templateService: "services/control-plane-template";
580
678
  readonly templateDeployments: {
581
679
  readonly staging: "industrious-cheetah-864";
582
680
  readonly prod: "combative-beagle-879";
@@ -711,6 +809,12 @@ declare const TENANT_BOOTSTRAP_SEED_MANIFEST: {
711
809
  readonly prepopulation: "runtime_data";
712
810
  readonly copyMode: "none";
713
811
  readonly description: "Deliberation sessions are created by tenant workflows.";
812
+ }, {
813
+ readonly component: "kernel";
814
+ readonly table: "domainEvents";
815
+ readonly prepopulation: "runtime_log";
816
+ readonly copyMode: "none";
817
+ readonly description: "Domain event rows are append-only runtime audit/exhaust data.";
714
818
  }, {
715
819
  readonly component: "kernel";
716
820
  readonly table: "epistemicAudit";
@@ -926,13 +1030,13 @@ declare const TENANT_BOOTSTRAP_SEED_MANIFEST: {
926
1030
  readonly copyMode: "none";
927
1031
  readonly description: "Worktrees are tenant/runtime planning data.";
928
1032
  }, {
929
- readonly component: "identity";
1033
+ readonly component: "control-plane";
930
1034
  readonly table: "agents";
931
1035
  readonly prepopulation: "runtime_bootstrap";
932
1036
  readonly copyMode: "none";
933
1037
  readonly description: "Service agents are provisioned per tenant or service, not copied.";
934
1038
  }, {
935
- readonly component: "identity";
1039
+ readonly component: "control-plane";
936
1040
  readonly table: "mcpWritePolicy";
937
1041
  readonly prepopulation: "required_template";
938
1042
  readonly copyMode: "template_global";
@@ -940,13 +1044,13 @@ declare const TENANT_BOOTSTRAP_SEED_MANIFEST: {
940
1044
  readonly uniqueKey: readonly ["topicId", "role", "toolCategory"];
941
1045
  readonly description: "Global write policy defaults govern service and interactive MCP writes.";
942
1046
  }, {
943
- readonly component: "identity";
1047
+ readonly component: "control-plane";
944
1048
  readonly table: "modelCallLogs";
945
1049
  readonly prepopulation: "runtime_log";
946
1050
  readonly copyMode: "none";
947
1051
  readonly description: "Model call logs are runtime telemetry.";
948
1052
  }, {
949
- readonly component: "identity";
1053
+ readonly component: "control-plane";
950
1054
  readonly table: "modelFunctionSlots";
951
1055
  readonly prepopulation: "required_template";
952
1056
  readonly copyMode: "template_global";
@@ -954,7 +1058,7 @@ declare const TENANT_BOOTSTRAP_SEED_MANIFEST: {
954
1058
  readonly uniqueKey: readonly ["slot"];
955
1059
  readonly description: "Function-to-model slots are required by model runtime resolution.";
956
1060
  }, {
957
- readonly component: "identity";
1061
+ readonly component: "control-plane";
958
1062
  readonly table: "modelRegistry";
959
1063
  readonly prepopulation: "required_template";
960
1064
  readonly copyMode: "template_global";
@@ -962,7 +1066,7 @@ declare const TENANT_BOOTSTRAP_SEED_MANIFEST: {
962
1066
  readonly uniqueKey: readonly ["key"];
963
1067
  readonly description: "Model catalog defaults are required by model runtime clients.";
964
1068
  }, {
965
- readonly component: "identity";
1069
+ readonly component: "control-plane";
966
1070
  readonly table: "modelSlotConfigs";
967
1071
  readonly prepopulation: "required_template";
968
1072
  readonly copyMode: "template_global";
@@ -970,13 +1074,91 @@ declare const TENANT_BOOTSTRAP_SEED_MANIFEST: {
970
1074
  readonly uniqueKey: readonly ["slot"];
971
1075
  readonly description: "Slot-level defaults are required before tenant overrides exist.";
972
1076
  }, {
973
- readonly component: "identity";
1077
+ readonly component: "control-plane";
1078
+ readonly table: "permitAccessReviewItems";
1079
+ readonly prepopulation: "runtime_data";
1080
+ readonly copyMode: "none";
1081
+ readonly description: "Permit access-review item rows are tenant review data projected from Permit.";
1082
+ }, {
1083
+ readonly component: "control-plane";
1084
+ readonly table: "permitAccessReviews";
1085
+ readonly prepopulation: "runtime_data";
1086
+ readonly copyMode: "none";
1087
+ readonly description: "Permit access-review campaigns are tenant review data projected from Permit.";
1088
+ }, {
1089
+ readonly component: "control-plane";
1090
+ readonly table: "permitAttributeBindings";
1091
+ readonly prepopulation: "runtime_data";
1092
+ readonly copyMode: "none";
1093
+ readonly description: "Permit ABAC attribute bindings are tenant policy projection rows.";
1094
+ }, {
1095
+ readonly component: "control-plane";
1096
+ readonly table: "permitGroups";
1097
+ readonly prepopulation: "runtime_data";
1098
+ readonly copyMode: "none";
1099
+ readonly description: "Permit groups are tenant-defined policy subjects, not template data.";
1100
+ }, {
1101
+ readonly component: "control-plane";
1102
+ readonly table: "permitGroupMemberships";
1103
+ readonly prepopulation: "runtime_data";
1104
+ readonly copyMode: "none";
1105
+ readonly description: "Permit group memberships are tenant-specific policy projection rows.";
1106
+ }, {
1107
+ readonly component: "control-plane";
1108
+ readonly table: "permitPolicyBundles";
1109
+ readonly prepopulation: "runtime_derived";
1110
+ readonly copyMode: "none";
1111
+ readonly description: "Permit policy bundles are derived from the Permit control plane.";
1112
+ }, {
1113
+ readonly component: "control-plane";
1114
+ readonly table: "permitPolicyDecisionReceipts";
1115
+ readonly prepopulation: "runtime_log";
1116
+ readonly copyMode: "none";
1117
+ readonly description: "Permit decision receipts are runtime authorization audit logs.";
1118
+ }, {
1119
+ readonly component: "control-plane";
1120
+ readonly table: "permitPrincipalAliases";
1121
+ readonly prepopulation: "runtime_data";
1122
+ readonly copyMode: "none";
1123
+ readonly description: "Permit principal aliases are tenant-specific identity projection rows.";
1124
+ }, {
1125
+ readonly component: "control-plane";
1126
+ readonly table: "permitPrincipals";
1127
+ readonly prepopulation: "runtime_data";
1128
+ readonly copyMode: "none";
1129
+ readonly description: "Permit principals are projected from Clerk, Permit, and tenant onboarding flows.";
1130
+ }, {
1131
+ readonly component: "control-plane";
1132
+ readonly table: "permitProjectionOutbox";
1133
+ readonly prepopulation: "runtime_queue";
1134
+ readonly copyMode: "none";
1135
+ readonly description: "Permit projection outbox rows are runtime sync queue data.";
1136
+ }, {
1137
+ readonly component: "control-plane";
1138
+ readonly table: "permitRelationshipTuples";
1139
+ readonly prepopulation: "runtime_data";
1140
+ readonly copyMode: "none";
1141
+ readonly description: "Permit ReBAC relationship tuples are tenant policy projection rows.";
1142
+ }, {
1143
+ readonly component: "control-plane";
1144
+ readonly table: "permitResourceInstances";
1145
+ readonly prepopulation: "runtime_data";
1146
+ readonly copyMode: "none";
1147
+ readonly description: "Permit resource instances are tenant/workspace graph and deployment projection rows.";
1148
+ }, {
1149
+ readonly component: "control-plane";
1150
+ readonly table: "permitRoleAssignments";
1151
+ readonly prepopulation: "runtime_data";
1152
+ readonly copyMode: "none";
1153
+ readonly description: "Permit role assignments are tenant-specific policy projection rows.";
1154
+ }, {
1155
+ readonly component: "control-plane";
974
1156
  readonly table: "platformAudienceGrants";
975
1157
  readonly prepopulation: "runtime_data";
976
1158
  readonly copyMode: "none";
977
1159
  readonly description: "Audience grants are principal/group-specific access rows.";
978
1160
  }, {
979
- readonly component: "identity";
1161
+ readonly component: "control-plane";
980
1162
  readonly table: "platformAudiences";
981
1163
  readonly prepopulation: "required_template";
982
1164
  readonly copyMode: "template_tenant_rewrite";
@@ -984,31 +1166,31 @@ declare const TENANT_BOOTSTRAP_SEED_MANIFEST: {
984
1166
  readonly uniqueKey: readonly ["tenantId", "workspaceId", "audienceKey"];
985
1167
  readonly description: "Default tenant audience taxonomy rows are rewritten into each tenant.";
986
1168
  }, {
987
- readonly component: "identity";
1169
+ readonly component: "control-plane";
988
1170
  readonly table: "platformPolicyDecisionLogs";
989
1171
  readonly prepopulation: "runtime_log";
990
1172
  readonly copyMode: "none";
991
1173
  readonly description: "Policy decisions are runtime audit logs.";
992
1174
  }, {
993
- readonly component: "identity";
1175
+ readonly component: "control-plane";
994
1176
  readonly table: "projectGrants";
995
1177
  readonly prepopulation: "runtime_data";
996
1178
  readonly copyMode: "none";
997
1179
  readonly description: "Project/topic grants are principal or group-specific access rows.";
998
1180
  }, {
999
- readonly component: "identity";
1181
+ readonly component: "control-plane";
1000
1182
  readonly table: "reasoningPermissions";
1001
1183
  readonly prepopulation: "runtime_data";
1002
1184
  readonly copyMode: "none";
1003
1185
  readonly description: "Reasoning permissions are principal-specific policy rows.";
1004
1186
  }, {
1005
- readonly component: "identity";
1187
+ readonly component: "control-plane";
1006
1188
  readonly table: "tenantApiKeys";
1007
1189
  readonly prepopulation: "runtime_secret";
1008
1190
  readonly copyMode: "none";
1009
1191
  readonly description: "API keys are tenant credentials and must never be copied.";
1010
1192
  }, {
1011
- readonly component: "identity";
1193
+ readonly component: "control-plane";
1012
1194
  readonly table: "tenantConfig";
1013
1195
  readonly prepopulation: "required_template";
1014
1196
  readonly copyMode: "template_tenant_rewrite";
@@ -1016,7 +1198,7 @@ declare const TENANT_BOOTSTRAP_SEED_MANIFEST: {
1016
1198
  readonly uniqueKey: readonly ["tenantId"];
1017
1199
  readonly description: "Tenant-local config defaults are rewritten during bootstrap.";
1018
1200
  }, {
1019
- readonly component: "identity";
1201
+ readonly component: "control-plane";
1020
1202
  readonly table: "tenantIntegrations";
1021
1203
  readonly prepopulation: "required_template";
1022
1204
  readonly copyMode: "template_tenant_rewrite";
@@ -1024,13 +1206,19 @@ declare const TENANT_BOOTSTRAP_SEED_MANIFEST: {
1024
1206
  readonly uniqueKey: readonly ["tenantId", "integrationKey"];
1025
1207
  readonly description: "Non-secret integration descriptors are rewritten into each tenant.";
1026
1208
  }, {
1027
- readonly component: "identity";
1209
+ readonly component: "control-plane";
1028
1210
  readonly table: "tenantModelSlotBindings";
1029
1211
  readonly prepopulation: "runtime_secret";
1030
1212
  readonly copyMode: "none";
1031
1213
  readonly description: "Tenant model slot bindings reference provider secrets and are runtime-only.";
1032
1214
  }, {
1033
- readonly component: "identity";
1215
+ readonly component: "control-plane";
1216
+ readonly table: "tenantPermitSyncStates";
1217
+ readonly prepopulation: "runtime_derived";
1218
+ readonly copyMode: "none";
1219
+ readonly description: "Tenant Permit sync state rows are runtime reconciliation state.";
1220
+ }, {
1221
+ readonly component: "control-plane";
1034
1222
  readonly table: "tenantPolicies";
1035
1223
  readonly prepopulation: "required_template";
1036
1224
  readonly copyMode: "template_tenant_rewrite";
@@ -1038,37 +1226,37 @@ declare const TENANT_BOOTSTRAP_SEED_MANIFEST: {
1038
1226
  readonly uniqueKey: readonly ["tenantId", "workspaceId", "roleName"];
1039
1227
  readonly description: "Default tenant policy roles are rewritten during bootstrap.";
1040
1228
  }, {
1041
- readonly component: "identity";
1229
+ readonly component: "control-plane";
1042
1230
  readonly table: "tenantProviderSecrets";
1043
1231
  readonly prepopulation: "runtime_secret";
1044
1232
  readonly copyMode: "none";
1045
1233
  readonly description: "Provider secrets are credentials and must never be copied.";
1046
1234
  }, {
1047
- readonly component: "identity";
1235
+ readonly component: "control-plane";
1048
1236
  readonly table: "tenantProxyGatewayUsage";
1049
1237
  readonly prepopulation: "runtime_log";
1050
1238
  readonly copyMode: "none";
1051
1239
  readonly description: "Proxy gateway usage rows are runtime telemetry.";
1052
1240
  }, {
1053
- readonly component: "identity";
1241
+ readonly component: "control-plane";
1054
1242
  readonly table: "tenantProxyTokenMints";
1055
1243
  readonly prepopulation: "runtime_secret";
1056
1244
  readonly copyMode: "none";
1057
1245
  readonly description: "Proxy token mints are ephemeral secret-bearing runtime rows.";
1058
1246
  }, {
1059
- readonly component: "identity";
1247
+ readonly component: "control-plane";
1060
1248
  readonly table: "tenantSandboxAuditEvents";
1061
1249
  readonly prepopulation: "runtime_log";
1062
1250
  readonly copyMode: "none";
1063
1251
  readonly description: "Sandbox audit rows are runtime security logs.";
1064
1252
  }, {
1065
- readonly component: "identity";
1253
+ readonly component: "control-plane";
1066
1254
  readonly table: "tenantSecrets";
1067
1255
  readonly prepopulation: "runtime_secret";
1068
1256
  readonly copyMode: "none";
1069
1257
  readonly description: "Tenant secrets are credentials and must never be copied.";
1070
1258
  }, {
1071
- readonly component: "identity";
1259
+ readonly component: "control-plane";
1072
1260
  readonly table: "toolAcls";
1073
1261
  readonly prepopulation: "required_template";
1074
1262
  readonly copyMode: "template_global";
@@ -1076,7 +1264,7 @@ declare const TENANT_BOOTSTRAP_SEED_MANIFEST: {
1076
1264
  readonly uniqueKey: readonly ["role", "toolName"];
1077
1265
  readonly description: "Default role-to-tool grants are required for SDK/MCP tool access.";
1078
1266
  }, {
1079
- readonly component: "identity";
1267
+ readonly component: "control-plane";
1080
1268
  readonly table: "toolRegistry";
1081
1269
  readonly prepopulation: "required_template";
1082
1270
  readonly copyMode: "template_global";
@@ -1084,7 +1272,7 @@ declare const TENANT_BOOTSTRAP_SEED_MANIFEST: {
1084
1272
  readonly uniqueKey: readonly ["toolName"];
1085
1273
  readonly description: "Core tool catalog rows are required before pack or tenant tools exist.";
1086
1274
  }, {
1087
- readonly component: "identity";
1275
+ readonly component: "control-plane";
1088
1276
  readonly table: "users";
1089
1277
  readonly prepopulation: "runtime_bootstrap";
1090
1278
  readonly copyMode: "none";