@lucern/contracts 0.3.0-alpha.9 → 1.0.0

Files changed (253)
  1. package/CHANGELOG.md +7 -0
  2. package/dist/api-enums.contract.d.ts +5 -3
  3. package/dist/api-enums.contract.js +14 -12
  4. package/dist/api-enums.contract.js.map +1 -1
  5. package/dist/auth-context.contract.js +14 -2
  6. package/dist/auth-context.contract.js.map +1 -1
  7. package/dist/auth-session.contract.js +14 -2
  8. package/dist/auth-session.contract.js.map +1 -1
  9. package/dist/auth.contract.d.ts +1 -1
  10. package/dist/auth.contract.js +14 -2
  11. package/dist/auth.contract.js.map +1 -1
  12. package/dist/component-boundary.contract.d.ts +1 -1
  13. package/dist/component-boundary.contract.js +46 -26
  14. package/dist/component-boundary.contract.js.map +1 -1
  15. package/dist/component-host-boundary.contract.d.ts +10 -5
  16. package/dist/component-host-boundary.contract.js +10 -4
  17. package/dist/component-host-boundary.contract.js.map +1 -1
  18. package/dist/{defineTable-CBQ03FXl.d.ts → defineTable-t1wr5wgn.d.ts} +1 -1
  19. package/dist/{dsl-djCRfuWC.d.ts → dsl-DVPthQGY.d.ts} +1 -1
  20. package/dist/dsl.d.ts +2 -2
  21. package/dist/dsl.js.map +1 -1
  22. package/dist/function-registry/beliefs.d.ts +23 -10
  23. package/dist/function-registry/beliefs.js +467 -36
  24. package/dist/function-registry/beliefs.js.map +1 -1
  25. package/dist/function-registry/coding.d.ts +15 -6
  26. package/dist/function-registry/coding.js +531 -22
  27. package/dist/function-registry/coding.js.map +1 -1
  28. package/dist/function-registry/context.d.ts +9 -3
  29. package/dist/function-registry/context.js +464 -21
  30. package/dist/function-registry/context.js.map +1 -1
  31. package/dist/function-registry/contracts.d.ts +9 -3
  32. package/dist/function-registry/contracts.js +464 -21
  33. package/dist/function-registry/contracts.js.map +1 -1
  34. package/dist/function-registry/coordination.d.ts +21 -9
  35. package/dist/function-registry/coordination.js +464 -21
  36. package/dist/function-registry/coordination.js.map +1 -1
  37. package/dist/function-registry/edges.d.ts +167 -2
  38. package/dist/function-registry/edges.js +619 -28
  39. package/dist/function-registry/edges.js.map +1 -1
  40. package/dist/function-registry/evidence.d.ts +19 -8
  41. package/dist/function-registry/evidence.js +469 -36
  42. package/dist/function-registry/evidence.js.map +1 -1
  43. package/dist/function-registry/graph.d.ts +33 -15
  44. package/dist/function-registry/graph.js +464 -21
  45. package/dist/function-registry/graph.js.map +1 -1
  46. package/dist/function-registry/helpers.d.ts +6 -3
  47. package/dist/function-registry/helpers.js +465 -22
  48. package/dist/function-registry/helpers.js.map +1 -1
  49. package/dist/function-registry/identity.d.ts +62 -16
  50. package/dist/function-registry/identity.js +487 -27
  51. package/dist/function-registry/identity.js.map +1 -1
  52. package/dist/function-registry/index.d.ts +4 -2
  53. package/dist/function-registry/index.js +468 -22
  54. package/dist/function-registry/index.js.map +1 -1
  55. package/dist/function-registry/judgments.d.ts +7 -2
  56. package/dist/function-registry/judgments.js +464 -21
  57. package/dist/function-registry/judgments.js.map +1 -1
  58. package/dist/function-registry/legacy.d.ts +5 -1
  59. package/dist/function-registry/legacy.js +464 -21
  60. package/dist/function-registry/legacy.js.map +1 -1
  61. package/dist/function-registry/lenses.d.ts +11 -4
  62. package/dist/function-registry/lenses.js +464 -21
  63. package/dist/function-registry/lenses.js.map +1 -1
  64. package/dist/function-registry/manifest.d.ts +4 -4
  65. package/dist/function-registry/manifest.js +16 -1
  66. package/dist/function-registry/manifest.js.map +1 -1
  67. package/dist/function-registry/nodes.d.ts +412 -0
  68. package/dist/function-registry/nodes.js +5354 -0
  69. package/dist/function-registry/nodes.js.map +1 -0
  70. package/dist/function-registry/ontologies.d.ts +25 -11
  71. package/dist/function-registry/ontologies.js +464 -21
  72. package/dist/function-registry/ontologies.js.map +1 -1
  73. package/dist/function-registry/pipeline.d.ts +9 -3
  74. package/dist/function-registry/pipeline.js +464 -21
  75. package/dist/function-registry/pipeline.js.map +1 -1
  76. package/dist/function-registry/questions.d.ts +27 -12
  77. package/dist/function-registry/questions.js +466 -26
  78. package/dist/function-registry/questions.js.map +1 -1
  79. package/dist/function-registry/tasks.d.ts +11 -4
  80. package/dist/function-registry/tasks.js +497 -30
  81. package/dist/function-registry/tasks.js.map +1 -1
  82. package/dist/function-registry/topics.d.ts +93 -5
  83. package/dist/function-registry/topics.js +534 -24
  84. package/dist/function-registry/topics.js.map +1 -1
  85. package/dist/function-registry/types.d.ts +7 -3
  86. package/dist/function-registry/worktrees.d.ts +25 -11
  87. package/dist/function-registry/worktrees.js +480 -21
  88. package/dist/function-registry/worktrees.js.map +1 -1
  89. package/dist/gateway.contract.d.ts +4 -0
  90. package/dist/gateway.contract.js.map +1 -1
  91. package/dist/generated/convexSchemas.d.ts +3 -3
  92. package/dist/generated/convexSchemas.js +37 -17
  93. package/dist/generated/convexSchemas.js.map +1 -1
  94. package/dist/generated/infisicalRuntimeEnv.d.ts +70 -0
  95. package/dist/generated/infisicalRuntimeEnv.js +27585 -0
  96. package/dist/generated/infisicalRuntimeEnv.js.map +1 -0
  97. package/dist/generated/lucernGatewayEnv.d.ts +17 -0
  98. package/dist/generated/lucernGatewayEnv.js +38 -0
  99. package/dist/generated/lucernGatewayEnv.js.map +1 -0
  100. package/dist/generated/lucernWebPublicEnv.d.ts +26 -0
  101. package/dist/generated/lucernWebPublicEnv.js +32 -0
  102. package/dist/generated/lucernWebPublicEnv.js.map +1 -0
  103. package/dist/generated/lucernWebServerEnv.d.ts +33 -0
  104. package/dist/generated/lucernWebServerEnv.js +51 -0
  105. package/dist/generated/lucernWebServerEnv.js.map +1 -0
  106. package/dist/generated/schema-manifest.json +1221 -114
  107. package/dist/generated/tableOwnership.d.ts +48 -28
  108. package/dist/generated/tableOwnership.js +66 -26
  109. package/dist/generated/tableOwnership.js.map +1 -1
  110. package/dist/generated/tier-expectations.json +64 -9
  111. package/dist/{index-O09U2xHk.d.ts → index-CM1Pl_vI.d.ts} +3 -3
  112. package/dist/index.d.ts +11 -6
  113. package/dist/index.js +32838 -413
  114. package/dist/index.js.map +1 -1
  115. package/dist/infisical-runtime.contract.d.ts +1763 -6
  116. package/dist/infisical-runtime.contract.js +2994 -15
  117. package/dist/infisical-runtime.contract.js.map +1 -1
  118. package/dist/manifests/infisical-runtime-manifest.d.ts +1689 -6
  119. package/dist/manifests/infisical-runtime-manifest.js +2847 -12
  120. package/dist/manifests/infisical-runtime-manifest.js.map +1 -1
  121. package/dist/manifests/tenant-client-manifest.d.ts +19 -14
  122. package/dist/manifests/tenant-client-manifest.js +29 -12
  123. package/dist/manifests/tenant-client-manifest.js.map +1 -1
  124. package/dist/mcp-gateway-boundary.contract.d.ts +23 -3
  125. package/dist/mcp-gateway-boundary.contract.js +2 -0
  126. package/dist/mcp-gateway-boundary.contract.js.map +1 -1
  127. package/dist/permit-principal-projection.contract.d.ts +74 -0
  128. package/dist/permit-principal-projection.contract.js +167 -0
  129. package/dist/permit-principal-projection.contract.js.map +1 -0
  130. package/dist/projections/check-convex-args-shape.js +10 -6
  131. package/dist/projections/check-convex-args-shape.js.map +1 -1
  132. package/dist/projections/create-evidence.projection.d.ts +6 -6
  133. package/dist/projections/create-evidence.projection.js +2 -3
  134. package/dist/projections/create-evidence.projection.js.map +1 -1
  135. package/dist/projections/index.d.ts +3 -3
  136. package/dist/projections/index.js +10 -6
  137. package/dist/projections/index.js.map +1 -1
  138. package/dist/projections/list-tasks.projection.d.ts +20 -8
  139. package/dist/projections/list-tasks.projection.js +8 -3
  140. package/dist/projections/list-tasks.projection.js.map +1 -1
  141. package/dist/proof-attestation.json +45 -0
  142. package/dist/schemas/component-table-manifest.d.ts +6 -6
  143. package/dist/schemas/component-table-manifest.js +2 -2
  144. package/dist/schemas/component-table-manifest.js.map +1 -1
  145. package/dist/schemas/index.d.ts +2 -2
  146. package/dist/schemas/index.js +1123 -137
  147. package/dist/schemas/index.js.map +1 -1
  148. package/dist/schemas/manifest.d.ts +2102 -132
  149. package/dist/schemas/manifest.js +1121 -135
  150. package/dist/schemas/manifest.js.map +1 -1
  151. package/dist/schemas/tables/controlPlane/accessControl.d.ts +260 -0
  152. package/dist/schemas/tables/controlPlane/accessControl.js +658 -0
  153. package/dist/schemas/tables/controlPlane/accessControl.js.map +1 -0
  154. package/dist/schemas/tables/{identity → controlPlane}/agent.d.ts +1 -1
  155. package/dist/schemas/tables/{identity → controlPlane}/agent.js +3 -3
  156. package/dist/schemas/tables/controlPlane/agent.js.map +1 -0
  157. package/dist/schemas/tables/{identity → controlPlane}/epistemic.d.ts +1 -1
  158. package/dist/schemas/tables/{identity → controlPlane}/epistemic.js +3 -3
  159. package/dist/schemas/tables/controlPlane/epistemic.js.map +1 -0
  160. package/dist/schemas/tables/{identity → controlPlane}/model.d.ts +1 -1
  161. package/dist/schemas/tables/{identity → controlPlane}/model.js +6 -6
  162. package/dist/schemas/tables/controlPlane/model.js.map +1 -0
  163. package/dist/schemas/tables/{identity → controlPlane}/platform.d.ts +1 -1
  164. package/dist/schemas/tables/{identity → controlPlane}/platform.js +18 -18
  165. package/dist/schemas/tables/controlPlane/platform.js.map +1 -0
  166. package/dist/schemas/tables/{identity → controlPlane}/project.d.ts +1 -1
  167. package/dist/schemas/tables/{identity → controlPlane}/project.js +3 -3
  168. package/dist/schemas/tables/controlPlane/project.js.map +1 -0
  169. package/dist/schemas/tables/{identity → controlPlane}/user.d.ts +1 -1
  170. package/dist/schemas/tables/{identity → controlPlane}/user.js +3 -3
  171. package/dist/schemas/tables/controlPlane/user.js.map +1 -0
  172. package/dist/schemas/tables/kernel/config.d.ts +1 -1
  173. package/dist/schemas/tables/kernel/config.js.map +1 -1
  174. package/dist/schemas/tables/kernel/coordination.d.ts +1 -1
  175. package/dist/schemas/tables/kernel/coordination.js.map +1 -1
  176. package/dist/schemas/tables/kernel/decision.d.ts +1 -1
  177. package/dist/schemas/tables/kernel/decision.js.map +1 -1
  178. package/dist/schemas/tables/kernel/embedding.d.ts +1 -1
  179. package/dist/schemas/tables/kernel/embedding.js.map +1 -1
  180. package/dist/schemas/tables/kernel/epistemic.d.ts +1 -1
  181. package/dist/schemas/tables/kernel/epistemic.js.map +1 -1
  182. package/dist/schemas/tables/kernel/events.d.ts +21 -0
  183. package/dist/schemas/tables/kernel/events.js +43 -0
  184. package/dist/schemas/tables/kernel/events.js.map +1 -0
  185. package/dist/schemas/tables/kernel/idempotency.d.ts +1 -1
  186. package/dist/schemas/tables/kernel/idempotency.js.map +1 -1
  187. package/dist/schemas/tables/kernel/infra.d.ts +1 -1
  188. package/dist/schemas/tables/kernel/infra.js.map +1 -1
  189. package/dist/schemas/tables/kernel/intelligence.d.ts +1 -1
  190. package/dist/schemas/tables/kernel/intelligence.js.map +1 -1
  191. package/dist/schemas/tables/kernel/lens.d.ts +1 -1
  192. package/dist/schemas/tables/kernel/lens.js.map +1 -1
  193. package/dist/schemas/tables/kernel/ontology.d.ts +1 -1
  194. package/dist/schemas/tables/kernel/ontology.js.map +1 -1
  195. package/dist/schemas/tables/kernel/platform.d.ts +1 -1
  196. package/dist/schemas/tables/kernel/platform.js.map +1 -1
  197. package/dist/schemas/tables/kernel/spine.d.ts +2 -1
  198. package/dist/schemas/tables/kernel/spine.js +1 -0
  199. package/dist/schemas/tables/kernel/spine.js.map +1 -1
  200. package/dist/schemas/tables/kernel/task.d.ts +1 -1
  201. package/dist/schemas/tables/kernel/task.js.map +1 -1
  202. package/dist/schemas/tables/kernel/topic.d.ts +1 -1
  203. package/dist/schemas/tables/kernel/topic.js +1 -0
  204. package/dist/schemas/tables/kernel/topic.js.map +1 -1
  205. package/dist/schemas/tables/kernel/workflow.d.ts +1 -1
  206. package/dist/schemas/tables/kernel/workflow.js.map +1 -1
  207. package/dist/schemas/tables/kernel/worktree.d.ts +17 -17
  208. package/dist/schemas/tables/kernel/worktree.js.map +1 -1
  209. package/dist/schemas/tables/mc/identity.d.ts +19 -2
  210. package/dist/schemas/tables/mc/identity.js +32 -1
  211. package/dist/schemas/tables/mc/identity.js.map +1 -1
  212. package/dist/schemas/tables/mc/methodology.d.ts +1 -1
  213. package/dist/schemas/tables/mc/methodology.js.map +1 -1
  214. package/dist/schemas/tables/mc/pack.d.ts +1 -1
  215. package/dist/schemas/tables/mc/pack.js.map +1 -1
  216. package/dist/schemas/tables/mc/policy.d.ts +2 -2
  217. package/dist/schemas/tables/mc/policy.js +1 -1
  218. package/dist/schemas/tables/mc/policy.js.map +1 -1
  219. package/dist/schemas/tables/mc/registry.d.ts +1 -1
  220. package/dist/schemas/tables/mc/registry.js.map +1 -1
  221. package/dist/schemas/tables/mc/runtime.d.ts +109 -3
  222. package/dist/schemas/tables/mc/runtime.js +330 -104
  223. package/dist/schemas/tables/mc/runtime.js.map +1 -1
  224. package/dist/schemas/tables/mc/tenant.d.ts +4 -2
  225. package/dist/schemas/tables/mc/tenant.js +3 -1
  226. package/dist/schemas/tables/mc/tenant.js.map +1 -1
  227. package/dist/schemas/tables/mc/workspace.d.ts +22 -5
  228. package/dist/schemas/tables/mc/workspace.js +34 -2
  229. package/dist/schemas/tables/mc/workspace.js.map +1 -1
  230. package/dist/{sdk-tools.contract-Ci8bkoai.d.ts → sdk-tools.contract-CKmSsrZ2.d.ts} +1 -1
  231. package/dist/sdk-tools.contract.d.ts +2 -2
  232. package/dist/sdk-tools.contract.js +417 -13
  233. package/dist/sdk-tools.contract.js.map +1 -1
  234. package/dist/tenant-bootstrap-seed.contract.d.ts +244 -56
  235. package/dist/tenant-bootstrap-seed.contract.js +139 -28
  236. package/dist/tenant-bootstrap-seed.contract.js.map +1 -1
  237. package/dist/tenant-bootstrap-seed.defaults.d.ts +2 -2
  238. package/dist/tenant-bootstrap-seed.defaults.js +31 -13
  239. package/dist/tenant-bootstrap-seed.defaults.js.map +1 -1
  240. package/dist/tenant-client.contract.d.ts +20 -15
  241. package/dist/tenant-client.contract.js +29 -12
  242. package/dist/tenant-client.contract.js.map +1 -1
  243. package/dist/{tool-contracts-B4iWhejG.d.ts → tool-contracts-C_xvM9q2.d.ts} +32 -2
  244. package/dist/tool-contracts.d.ts +1 -1
  245. package/dist/tool-contracts.js +418 -14
  246. package/dist/tool-contracts.js.map +1 -1
  247. package/package.json +22 -1
  248. package/dist/schemas/tables/identity/agent.js.map +0 -1
  249. package/dist/schemas/tables/identity/epistemic.js.map +0 -1
  250. package/dist/schemas/tables/identity/model.js.map +0 -1
  251. package/dist/schemas/tables/identity/platform.js.map +0 -1
  252. package/dist/schemas/tables/identity/project.js.map +0 -1
  253. package/dist/schemas/tables/identity/user.js.map +0 -1
@@ -210,7 +210,7 @@ var toolRegistryEntries = defineTable({
210
210
  });
211
211
  var agents = defineTable({
212
212
  name: "agents",
213
- component: "identity",
213
+ component: "control-plane",
214
214
  category: "agent",
215
215
  shape: z.object({
216
216
  "slug": z.string(),
@@ -241,6 +241,8 @@ var apiKeys = defineTable({
241
241
  category: "tenant",
242
242
  shape: z.object({
243
243
  "tenantId": idOf("tenants"),
244
+ "workspaceId": idOf("workspaces").optional(),
245
+ "environment": z.enum(["dev", "staging", "prod"]).optional(),
244
246
  "keyPrefix": z.enum(["luc", "stk"]),
245
247
  "keyHash": z.string(),
246
248
  "keyHint": z.string(),
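Review bot: The added `workspaceId` and `environment` fields on `apiKeys` are both `.optional()`, and nothing in the hunk says what a key without them is allowed to reach. If the verifier compares these fields with the request's workspace and environment, an `undefined` value has to be rejected or handled as an explicit legacy case rather than falling through as a match; that code is not visible here, so this is a question to confirm. I would add a comment above the two lines, for example `// absent workspaceId/environment = legacy tenant-wide key; never treat undefined as matching any workspace`, worded to whichever meaning is intended. The same optional scope fields are added to `tenantDeploymentCredentials`, `controlPlaneTenantModelSlotBindings` and `controlPlaneTenantProviderSecrets` in the later hunks. The `apiKeys` definition starts and ends outside this hunk.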
@@ -268,7 +270,7 @@ var auditLog = defineTable({
268
270
  shape: z.object({
269
271
  "tenantId": idOf("tenants").optional(),
270
272
  "apiKeyId": idOf("apiKeys").optional(),
271
- "action": z.enum(["key_created", "key_revoked", "key_expired", "key_used", "tenant_secret_created", "tenant_secret_rotated", "tenant_secret_revoked", "tenant_slot_binding_upserted", "tenant_slot_binding_revoked", "proxy_token_minted", "proxy_request_recorded", "tenant_created", "tenant_updated", "tenant_suspended", "tenant_archived", "tenant_reactivated", "principal_created", "principal_updated", "principal_suspended", "membership_created", "membership_updated", "membership_revoked", "group_created", "group_updated", "group_deleted", "group_member_added", "group_member_removed", "workspace_created", "workspace_updated", "workspace_archived", "workspace_deployment_set", "workspace_deployment_removed", "service_key_created", "service_key_rotated", "service_key_revoked", "service_key_used", "service_key_auth_failed", "session_created", "session_validated", "session_revoked", "session_cascade_revoked", "session_expired", "sandbox_created", "sandbox_secret_injected", "sandbox_execution_started", "sandbox_execution_completed", "sandbox_limit_violated", "policy_created", "policy_updated", "policy_enforced", "policy_archived", "agent_registered", "agent_updated", "tool_registered", "tool_updated", "pack_entitled", "pack_installed", "pack_enabled", "pack_disabled", "pack_entitlement_revoked", "pack_upgraded", "pack_upgrade_committed", "pack_upgrade_rolled_back", "pack_group_assigned", "pack_group_unassigned", "methodology_pack_created", "methodology_pack_updated", "methodology_pack_assigned", "methodology_pack_removed", "pack_assigned_to_group", "pack_revoked_from_group", "pack_ontology_materialized", "pack_ontology_topic_bound", "cutover_flag_set", "cutover_flag_cleared"]),
273
+ "action": z.enum(["key_created", "key_revoked", "key_expired", "key_used", "tenant_secret_created", "tenant_secret_rotated", "tenant_secret_revoked", "tenant_slot_binding_upserted", "tenant_slot_binding_revoked", "proxy_token_minted", "proxy_token_lease_issued", "proxy_token_lease_renewed", "proxy_token_lease_revoked", "proxy_request_recorded", "tenant_created", "tenant_updated", "tenant_suspended", "tenant_archived", "tenant_reactivated", "tenant_clerk_organization_linked", "tenant_canonical_identity_repaired", "principal_created", "principal_updated", "principal_suspended", "principal_identity_alias_upserted", "principal_identity_alias_revoked", "membership_created", "membership_updated", "membership_revoked", "group_created", "group_updated", "group_deleted", "group_member_added", "group_member_removed", "workspace_created", "workspace_updated", "workspace_archived", "workspace_deployment_set", "workspace_deployment_removed", "deployment_host_registered", "deployment_host_revoked", "service_key_created", "service_key_rotated", "service_key_revoked", "service_key_used", "service_key_auth_failed", "session_created", "session_validated", "session_revoked", "session_cascade_revoked", "session_expired", "sandbox_created", "sandbox_secret_injected", "sandbox_execution_started", "sandbox_execution_completed", "sandbox_limit_violated", "policy_created", "policy_updated", "policy_enforced", "policy_archived", "permit_sync_enqueued", "permit_sync_succeeded", "permit_sync_failed", "permit_sync_skipped", "agent_registered", "agent_updated", "tool_registered", "tool_updated", "pack_entitled", "pack_installed", "pack_enabled", "pack_disabled", "pack_entitlement_revoked", "pack_upgraded", "pack_upgrade_committed", "pack_upgrade_rolled_back", "pack_group_assigned", "pack_group_unassigned", "methodology_pack_created", "methodology_pack_updated", "methodology_pack_assigned", "methodology_pack_removed", "pack_assigned_to_group", "pack_revoked_from_group", 
"pack_ontology_materialized", "pack_ontology_topic_bound", "cutover_flag_set", "cutover_flag_cleared"]),
272
274
  "actorClerkId": z.string(),
273
275
  "details": z.any().optional(),
274
276
  "createdAt": z.number()
@@ -492,6 +494,35 @@ var systemLogs = defineTable({
492
494
  { kind: "index", name: "by_source", columns: ["source"] }
493
495
  ]
494
496
  });
497
+ var domainEvents = defineTable({
498
+ name: "domainEvents",
499
+ component: "kernel",
500
+ category: "events",
501
+ shape: z.object({
502
+ "eventId": z.string(),
503
+ "type": z.string(),
504
+ "version": z.string(),
505
+ "timestamp": z.number(),
506
+ "tenantId": z.string().optional(),
507
+ "workspaceId": z.string().optional(),
508
+ "topicId": z.string(),
509
+ "resourceId": z.string(),
510
+ "resourceType": z.string(),
511
+ "actorId": z.string(),
512
+ "actorType": z.enum(["human", "agent", "service"]),
513
+ "data": z.record(z.any()),
514
+ "correlationId": z.string().optional(),
515
+ "expiresAt": z.number()
516
+ }),
517
+ indices: [
518
+ { kind: "index", name: "by_eventId", columns: ["eventId"] },
519
+ { kind: "index", name: "by_topic_timestamp", columns: ["topicId", "timestamp"] },
520
+ { kind: "index", name: "by_tenant_workspace_timestamp", columns: ["tenantId", "workspaceId", "timestamp"] },
521
+ { kind: "index", name: "by_type_timestamp", columns: ["type", "timestamp"] },
522
+ { kind: "index", name: "by_resource", columns: ["resourceType", "resourceId", "timestamp"] },
523
+ { kind: "index", name: "by_expiresAt", columns: ["expiresAt"] }
524
+ ]
525
+ });
495
526
  var beliefConfidence = defineTable({
496
527
  name: "beliefConfidence",
497
528
  component: "kernel",
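Review bot: In the new `domainEvents` table, `tenantId` and `workspaceId` are `z.string().optional()`, while the other tables in this diff type the same fields as `idOf("tenants")` and `idOf("workspaces")`. The `by_tenant_workspace_timestamp` index then keys on strings the schema does not tie to a tenant or workspace row, and the hunk does not say when an event may omit `tenantId`. If the kernel component can reference those tables, use `"tenantId": idOf("tenants").optional(),`; if it cannot, a comment such as `// plain string: validated by the writer against the control-plane tenant id` would record why. The `beliefConfidence` definition that follows continues outside the hunk.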
@@ -1147,29 +1178,37 @@ var compatibilityShims = defineTable({
1147
1178
  component: "mc",
1148
1179
  category: "runtime",
1149
1180
  shape: z.object({
1150
- "shimId": z.string(),
1151
- "gateId": z.string(),
1152
- "removalDate": z.string(),
1153
- "removalPriority": z.enum(["P1", "P2", "P3"]),
1154
- "description": z.string(),
1155
- "owner": z.string(),
1156
- "createdAt": z.string(),
1157
- "status": z.enum(["active", "overdue", "removed"]),
1158
- "bridgeType": z.enum(["tool", "agent"]),
1159
- "bridgeTarget": z.object({
1160
- "type": z.enum(["tool", "agent"]),
1161
- "legacyPath": z.string(),
1162
- "harnessPath": z.string()
1181
+ shimId: z.string(),
1182
+ gateId: z.string(),
1183
+ removalDate: z.string(),
1184
+ removalPriority: z.enum(["P1", "P2", "P3"]),
1185
+ description: z.string(),
1186
+ owner: z.string(),
1187
+ createdAt: z.string(),
1188
+ status: z.enum(["active", "overdue", "removed"]),
1189
+ bridgeType: z.enum(["tool", "agent"]),
1190
+ bridgeTarget: z.object({
1191
+ type: z.enum(["tool", "agent"]),
1192
+ legacyPath: z.string(),
1193
+ harnessPath: z.string()
1163
1194
  }),
1164
- "shimBehavior": z.enum(["passthrough_with_logging", "adapter", "feature_flag_gate"]),
1165
- "producesLedgerEntries": z.boolean(),
1166
- "lastAuditedAt": z.number(),
1167
- "metadata": z.record(z.any()).optional()
1195
+ shimBehavior: z.enum([
1196
+ "passthrough_with_logging",
1197
+ "adapter",
1198
+ "feature_flag_gate"
1199
+ ]),
1200
+ producesLedgerEntries: z.boolean(),
1201
+ lastAuditedAt: z.number(),
1202
+ metadata: z.record(z.any()).optional()
1168
1203
  }),
1169
1204
  indices: [
1170
1205
  { kind: "index", name: "by_shimId", columns: ["shimId"] },
1171
1206
  { kind: "index", name: "by_status", columns: ["status"] },
1172
- { kind: "index", name: "by_bridgeType_status", columns: ["bridgeType", "status"] }
1207
+ {
1208
+ kind: "index",
1209
+ name: "by_bridgeType_status",
1210
+ columns: ["bridgeType", "status"]
1211
+ }
1173
1212
  ]
1174
1213
  });
1175
1214
  var cutoverFlags = defineTable({
@@ -1177,12 +1216,23 @@ var cutoverFlags = defineTable({
1177
1216
  component: "mc",
1178
1217
  category: "runtime",
1179
1218
  shape: z.object({
1180
- "domain": z.enum(["graph", "schema", "identity", "policy", "audit", "admin", "agent", "tool", "prompt", "intelligence"]),
1181
- "state": z.enum(["legacy", "cutover", "disabled"]),
1182
- "metadata": z.record(z.any()).optional(),
1183
- "updatedBy": z.string(),
1184
- "createdAt": z.number(),
1185
- "updatedAt": z.number()
1219
+ domain: z.enum([
1220
+ "graph",
1221
+ "schema",
1222
+ "identity",
1223
+ "policy",
1224
+ "audit",
1225
+ "admin",
1226
+ "agent",
1227
+ "tool",
1228
+ "prompt",
1229
+ "intelligence"
1230
+ ]),
1231
+ state: z.enum(["legacy", "cutover", "disabled"]),
1232
+ metadata: z.record(z.any()).optional(),
1233
+ updatedBy: z.string(),
1234
+ createdAt: z.number(),
1235
+ updatedAt: z.number()
1186
1236
  }),
1187
1237
  indices: [
1188
1238
  { kind: "index", name: "by_domain", columns: ["domain"] },
@@ -1194,57 +1244,193 @@ var tenantDeploymentCredentials = defineTable({
1194
1244
  component: "mc",
1195
1245
  category: "runtime",
1196
1246
  shape: z.object({
1197
- "credentialRef": z.string(),
1198
- "tenantId": idOf("tenants"),
1199
- "target": z.enum(["kernelDeployment", "appDeployment"]),
1200
- "environment": z.enum(["dev", "staging", "prod"]),
1201
- "encryptedDeployKey": z.string(),
1202
- "encryptionVersion": z.string(),
1203
- "keyFingerprint": z.string(),
1204
- "keyHint": z.string(),
1205
- "status": z.enum(["active", "revoked"]),
1206
- "rotatedFromCredentialRef": z.string().optional(),
1207
- "revokedAt": z.number().optional(),
1208
- "revokedBy": z.string().optional(),
1209
- "lastUsedAt": z.number().optional(),
1210
- "metadata": z.record(z.any()).optional(),
1211
- "createdBy": z.string(),
1212
- "createdAt": z.number(),
1213
- "updatedAt": z.number()
1247
+ credentialRef: z.string(),
1248
+ tenantId: idOf("tenants"),
1249
+ workspaceId: idOf("workspaces").optional(),
1250
+ target: z.enum(["kernelDeployment", "appDeployment"]),
1251
+ environment: z.enum(["dev", "staging", "prod"]),
1252
+ encryptedDeployKey: z.string(),
1253
+ encryptionVersion: z.string(),
1254
+ keyFingerprint: z.string(),
1255
+ keyHint: z.string(),
1256
+ status: z.enum(["active", "revoked"]),
1257
+ rotatedFromCredentialRef: z.string().optional(),
1258
+ revokedAt: z.number().optional(),
1259
+ revokedBy: z.string().optional(),
1260
+ lastUsedAt: z.number().optional(),
1261
+ metadata: z.record(z.any()).optional(),
1262
+ createdBy: z.string(),
1263
+ createdAt: z.number(),
1264
+ updatedAt: z.number()
1214
1265
  }),
1215
1266
  indices: [
1216
1267
  { kind: "index", name: "by_credentialRef", columns: ["credentialRef"] },
1217
1268
  { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
1218
- { kind: "index", name: "by_tenant_target", columns: ["tenantId", "target"] },
1219
- { kind: "index", name: "by_tenant_target_environment", columns: ["tenantId", "target", "environment"] },
1220
- { kind: "index", name: "by_tenant_target_environment_status", columns: ["tenantId", "target", "environment", "status"] },
1269
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
1270
+ {
1271
+ kind: "index",
1272
+ name: "by_tenant_target",
1273
+ columns: ["tenantId", "target"]
1274
+ },
1275
+ {
1276
+ kind: "index",
1277
+ name: "by_tenant_target_environment",
1278
+ columns: ["tenantId", "target", "environment"]
1279
+ },
1280
+ {
1281
+ kind: "index",
1282
+ name: "by_tenant_target_environment_status",
1283
+ columns: ["tenantId", "target", "environment", "status"]
1284
+ },
1285
+ {
1286
+ kind: "index",
1287
+ name: "by_tenant_workspace_target_environment_status",
1288
+ columns: ["tenantId", "workspaceId", "target", "environment", "status"]
1289
+ },
1221
1290
  { kind: "index", name: "by_status", columns: ["status"] }
1222
1291
  ]
1223
1292
  });
1293
+ var permitSyncStates = defineTable({
1294
+ name: "permitSyncStates",
1295
+ component: "mc",
1296
+ category: "runtime",
1297
+ shape: z.object({
1298
+ syncKey: z.string(),
1299
+ objectType: z.enum([
1300
+ "resource",
1301
+ "role",
1302
+ "resource_role",
1303
+ "resource_relation",
1304
+ "tenant",
1305
+ "workspace",
1306
+ "principal",
1307
+ "membership",
1308
+ "group",
1309
+ "resource_instance",
1310
+ "relationship_tuple",
1311
+ "role_assignment"
1312
+ ]),
1313
+ objectId: z.string(),
1314
+ tenantId: idOf("tenants").optional(),
1315
+ workspaceId: idOf("workspaces").optional(),
1316
+ principalId: z.string().optional(),
1317
+ permitTenantKey: z.string().optional(),
1318
+ permitResourceType: z.string().optional(),
1319
+ permitResourceKey: z.string().optional(),
1320
+ desiredPayload: z.record(z.any()),
1321
+ lastAppliedPayloadHash: z.string().optional(),
1322
+ status: z.enum(["pending", "synced", "error", "skipped"]),
1323
+ attemptCount: z.number(),
1324
+ lastError: z.string().optional(),
1325
+ nextAttemptAt: z.number().optional(),
1326
+ lastSyncedAt: z.number().optional(),
1327
+ createdBy: z.string(),
1328
+ updatedBy: z.string().optional(),
1329
+ createdAt: z.number(),
1330
+ updatedAt: z.number()
1331
+ }),
1332
+ indices: [
1333
+ { kind: "index", name: "by_syncKey", columns: ["syncKey"] },
1334
+ { kind: "index", name: "by_status", columns: ["status"] },
1335
+ {
1336
+ kind: "index",
1337
+ name: "by_tenant_status",
1338
+ columns: ["tenantId", "status"]
1339
+ },
1340
+ {
1341
+ kind: "index",
1342
+ name: "by_workspace_status",
1343
+ columns: ["workspaceId", "status"]
1344
+ },
1345
+ {
1346
+ kind: "index",
1347
+ name: "by_principal_status",
1348
+ columns: ["principalId", "status"]
1349
+ }
1350
+ ]
1351
+ });
1352
+ var secretSyncDriftReports = defineTable({
1353
+ name: "secretSyncDriftReports",
1354
+ component: "mc",
1355
+ category: "runtime",
1356
+ shape: z.object({
1357
+ reportId: z.string(),
1358
+ source: z.enum(["infisical_manifest", "manual", "ci"]),
1359
+ generatedAt: z.number(),
1360
+ recordedAt: z.number(),
1361
+ recordedBy: z.string(),
1362
+ status: z.enum([
1363
+ "in_sync",
1364
+ "drift",
1365
+ "exception",
1366
+ "blocked",
1367
+ "not_observed"
1368
+ ]),
1369
+ reportHash: z.string(),
1370
+ manifestHash: z.string().optional(),
1371
+ dryRunReceiptId: z.string().optional(),
1372
+ appliedReceiptId: z.string().optional(),
1373
+ summary: z.object({
1374
+ totalPipelines: z.number(),
1375
+ inSync: z.number(),
1376
+ drift: z.number(),
1377
+ exception: z.number(),
1378
+ blocked: z.number(),
1379
+ notObserved: z.number(),
1380
+ missingKeys: z.number(),
1381
+ valueDriftKeys: z.number(),
1382
+ extraKeys: z.number(),
1383
+ deniedConvexLeakage: z.number(),
1384
+ approvedExceptions: z.number()
1385
+ }),
1386
+ redactedReport: z.record(z.any()),
1387
+ metadata: z.record(z.any()).optional()
1388
+ }),
1389
+ indices: [
1390
+ { kind: "index", name: "by_reportId", columns: ["reportId"] },
1391
+ { kind: "index", name: "by_reportHash", columns: ["reportHash"] },
1392
+ { kind: "index", name: "by_generatedAt", columns: ["generatedAt"] },
1393
+ {
1394
+ kind: "index",
1395
+ name: "by_status_generatedAt",
1396
+ columns: ["status", "generatedAt"]
1397
+ }
1398
+ ]
1399
+ });
1224
1400
  var controlPlaneTenantModelSlotBindings = defineTable({
1225
1401
  name: "controlPlaneTenantModelSlotBindings",
1226
1402
  component: "mc",
1227
1403
  category: "runtime",
1228
1404
  shape: z.object({
1229
- "bindingId": z.string(),
1230
- "tenantId": idOf("tenants"),
1231
- "providerId": z.string(),
1232
- "modelSlotId": z.string(),
1233
- "secretRef": z.string(),
1234
- "status": z.enum(["active", "revoked"]),
1235
- "passThroughOnly": z.boolean(),
1236
- "revokedAt": z.number().optional(),
1237
- "revokedBy": z.string().optional(),
1238
- "metadata": z.record(z.any()).optional(),
1239
- "createdBy": z.string(),
1240
- "createdAt": z.number(),
1241
- "updatedAt": z.number()
1405
+ bindingId: z.string(),
1406
+ tenantId: idOf("tenants"),
1407
+ workspaceId: idOf("workspaces").optional(),
1408
+ environment: z.enum(["dev", "staging", "prod"]).optional(),
1409
+ providerId: z.string(),
1410
+ modelSlotId: z.string(),
1411
+ secretRef: z.string(),
1412
+ status: z.enum(["active", "revoked"]),
1413
+ passThroughOnly: z.boolean(),
1414
+ revokedAt: z.number().optional(),
1415
+ revokedBy: z.string().optional(),
1416
+ metadata: z.record(z.any()).optional(),
1417
+ createdBy: z.string(),
1418
+ createdAt: z.number(),
1419
+ updatedAt: z.number()
1242
1420
  }),
1243
1421
  indices: [
1244
1422
  { kind: "index", name: "by_bindingId", columns: ["bindingId"] },
1245
1423
  { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
1246
- { kind: "index", name: "by_tenant_slot", columns: ["tenantId", "modelSlotId"] },
1247
- { kind: "index", name: "by_tenant_provider_slot", columns: ["tenantId", "providerId", "modelSlotId"] },
1424
+ {
1425
+ kind: "index",
1426
+ name: "by_tenant_slot",
1427
+ columns: ["tenantId", "modelSlotId"]
1428
+ },
1429
+ {
1430
+ kind: "index",
1431
+ name: "by_tenant_provider_slot",
1432
+ columns: ["tenantId", "providerId", "modelSlotId"]
1433
+ },
1248
1434
  { kind: "index", name: "by_secretRef", columns: ["secretRef"] },
1249
1435
  { kind: "index", name: "by_status", columns: ["status"] }
1250
1436
  ]
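Review bot: `redactedReport` in the new `secretSyncDriftReports` table is typed `z.record(z.any())`, so the schema accepts any content and the redaction the name promises rests entirely on the writer. The summary counts `valueDriftKeys`, which suggests the producer compares secret values, so it is worth stating at this boundary what may be stored. I would either narrow the shape to the fields a report needs or add a comment, for example `// key names and drift status only; secret values must be stripped before insert`. The same applies to `desiredPayload` and `lastError` in `permitSyncStates` above it in this hunk.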
@@ -1254,29 +1440,42 @@ var controlPlaneTenantProviderSecrets = defineTable({
1254
1440
  component: "mc",
1255
1441
  category: "runtime",
1256
1442
  shape: z.object({
1257
- "secretRef": z.string(),
1258
- "tenantId": idOf("tenants"),
1259
- "providerId": z.string(),
1260
- "label": z.string().optional(),
1261
- "encryptedSecret": z.string(),
1262
- "encryptionVersion": z.string(),
1263
- "secretFingerprint": z.string(),
1264
- "keyHint": z.string(),
1265
- "status": z.enum(["active", "revoked"]),
1266
- "rotatedFromSecretRef": z.string().optional(),
1267
- "revokedAt": z.number().optional(),
1268
- "revokedBy": z.string().optional(),
1269
- "lastUsedAt": z.number().optional(),
1270
- "metadata": z.record(z.any()).optional(),
1271
- "createdBy": z.string(),
1272
- "createdAt": z.number(),
1273
- "updatedAt": z.number()
1443
+ secretRef: z.string(),
1444
+ tenantId: idOf("tenants"),
1445
+ workspaceId: idOf("workspaces").optional(),
1446
+ environment: z.enum(["dev", "staging", "prod"]).optional(),
1447
+ providerId: z.string(),
1448
+ label: z.string().optional(),
1449
+ encryptedSecret: z.string().optional(),
1450
+ infisicalPath: z.string().optional(),
1451
+ infisicalSecretKey: z.string().optional(),
1452
+ infisicalProjectId: z.string().optional(),
1453
+ encryptionVersion: z.string(),
1454
+ secretFingerprint: z.string(),
1455
+ keyHint: z.string(),
1456
+ status: z.enum(["active", "revoked"]),
1457
+ rotatedFromSecretRef: z.string().optional(),
1458
+ revokedAt: z.number().optional(),
1459
+ revokedBy: z.string().optional(),
1460
+ lastUsedAt: z.number().optional(),
1461
+ metadata: z.record(z.any()).optional(),
1462
+ createdBy: z.string(),
1463
+ createdAt: z.number(),
1464
+ updatedAt: z.number()
1274
1465
  }),
1275
1466
  indices: [
1276
1467
  { kind: "index", name: "by_secretRef", columns: ["secretRef"] },
1277
1468
  { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
1278
- { kind: "index", name: "by_tenant_provider", columns: ["tenantId", "providerId"] },
1279
- { kind: "index", name: "by_tenant_provider_status", columns: ["tenantId", "providerId", "status"] },
1469
+ {
1470
+ kind: "index",
1471
+ name: "by_tenant_provider",
1472
+ columns: ["tenantId", "providerId"]
1473
+ },
1474
+ {
1475
+ kind: "index",
1476
+ name: "by_tenant_provider_status",
1477
+ columns: ["tenantId", "providerId", "status"]
1478
+ },
1280
1479
  { kind: "index", name: "by_status", columns: ["status"] }
1281
1480
  ]
1282
1481
  });
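Review bot: With `encryptedSecret` now optional and all three `infisical*` fields optional too, the shape of `controlPlaneTenantProviderSecrets` accepts a row that carries neither inline ciphertext nor an external reference, while `encryptionVersion`, `secretFingerprint` and `keyHint` stay required. If `defineTable` accepts a refined object (not visible here), the shape could require at least one storage mode with `.refine((s) => s.encryptedSecret !== undefined || (s.infisicalPath !== undefined && s.infisicalSecretKey !== undefined))`. Otherwise the write path needs that check, and the shape should carry a comment such as `// one of encryptedSecret or infisicalPath + infisicalSecretKey must be set`. The table definition starts above the hunk.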
@@ -1285,35 +1484,93 @@ var controlPlaneTenantProxyGatewayUsage = defineTable({
1285
1484
  component: "mc",
1286
1485
  category: "runtime",
1287
1486
  shape: z.object({
1288
- "usageId": z.string(),
1289
- "tenantId": idOf("tenants"),
1290
- "providerId": z.string(),
1291
- "modelSlotId": z.string(),
1292
- "secretRef": z.string(),
1293
- "proxyTokenId": z.string(),
1294
- "sessionId": z.string(),
1295
- "principalId": z.string(),
1296
- "workspaceId": z.string().optional(),
1297
- "modelId": z.string().optional(),
1298
- "requestPath": z.string(),
1299
- "status": z.enum(["success", "error"]),
1300
- "responseStatus": z.number().optional(),
1301
- "inputTokens": z.number().optional(),
1302
- "outputTokens": z.number().optional(),
1303
- "tokenCount": z.number().optional(),
1304
- "latencyMs": z.number(),
1305
- "estimatedCostUsd": z.number().optional(),
1306
- "failureCode": z.string().optional(),
1307
- "metadata": z.record(z.any()).optional(),
1308
- "createdAt": z.number(),
1309
- "updatedAt": z.number()
1487
+ usageId: z.string(),
1488
+ tenantId: idOf("tenants"),
1489
+ providerId: z.string(),
1490
+ modelSlotId: z.string(),
1491
+ secretRef: z.string(),
1492
+ proxyTokenId: z.string(),
1493
+ sessionId: z.string(),
1494
+ principalId: z.string(),
1495
+ workspaceId: z.string().optional(),
1496
+ modelId: z.string().optional(),
1497
+ requestPath: z.string(),
1498
+ status: z.enum(["success", "error"]),
1499
+ responseStatus: z.number().optional(),
1500
+ inputTokens: z.number().optional(),
1501
+ outputTokens: z.number().optional(),
1502
+ tokenCount: z.number().optional(),
1503
+ latencyMs: z.number(),
1504
+ estimatedCostUsd: z.number().optional(),
1505
+ failureCode: z.string().optional(),
1506
+ metadata: z.record(z.any()).optional(),
1507
+ createdAt: z.number(),
1508
+ updatedAt: z.number()
1310
1509
  }),
1311
1510
  indices: [
1312
1511
  { kind: "index", name: "by_usageId", columns: ["usageId"] },
1313
1512
  { kind: "index", name: "by_tenantId", columns: ["tenantId", "createdAt"] },
1314
- { kind: "index", name: "by_tenant_provider", columns: ["tenantId", "providerId", "createdAt"] },
1315
- { kind: "index", name: "by_proxyTokenId", columns: ["proxyTokenId", "createdAt"] },
1316
- { kind: "index", name: "by_sessionId", columns: ["sessionId", "createdAt"] }
1513
+ {
1514
+ kind: "index",
1515
+ name: "by_tenant_provider",
1516
+ columns: ["tenantId", "providerId", "createdAt"]
1517
+ },
1518
+ {
1519
+ kind: "index",
1520
+ name: "by_proxyTokenId",
1521
+ columns: ["proxyTokenId", "createdAt"]
1522
+ },
1523
+ {
1524
+ kind: "index",
1525
+ name: "by_sessionId",
1526
+ columns: ["sessionId", "createdAt"]
1527
+ }
1528
+ ]
1529
+ });
1530
+ var controlPlaneTenantProxyTokenLeases = defineTable({
1531
+ name: "controlPlaneTenantProxyTokenLeases",
1532
+ component: "mc",
1533
+ category: "runtime",
1534
+ shape: z.object({
1535
+ leaseId: z.string(),
1536
+ proxyTokenId: z.string(),
1537
+ tenantId: idOf("tenants"),
1538
+ workspaceId: idOf("workspaces").optional(),
1539
+ environment: z.enum(["dev", "staging", "prod"]),
1540
+ providerId: z.string(),
1541
+ modelSlotId: z.string(),
1542
+ bindingId: z.string(),
1543
+ secretRef: z.string(),
1544
+ sessionId: z.string(),
1545
+ principalId: z.string(),
1546
+ agentSessionId: z.string().optional(),
1547
+ status: z.enum(["active", "revoked"]),
1548
+ expiresAt: z.number(),
1549
+ renewedAt: z.number().optional(),
1550
+ revokedAt: z.number().optional(),
1551
+ revokedBy: z.string().optional(),
1552
+ revokeReason: z.string().optional(),
1553
+ permitDecisionLogId: idOf("policyDecisionLogs").optional(),
1554
+ permitTraceId: z.string().optional(),
1555
+ metadata: z.record(z.any()).optional(),
1556
+ createdAt: z.number(),
1557
+ updatedAt: z.number()
1558
+ }),
1559
+ indices: [
1560
+ { kind: "index", name: "by_leaseId", columns: ["leaseId"] },
1561
+ { kind: "index", name: "by_proxyTokenId", columns: ["proxyTokenId"] },
1562
+ { kind: "index", name: "by_tenantId", columns: ["tenantId", "createdAt"] },
1563
+ { kind: "index", name: "by_sessionId", columns: ["sessionId", "createdAt"] },
1564
+ {
1565
+ kind: "index",
1566
+ name: "by_principalId",
1567
+ columns: ["principalId", "createdAt"]
1568
+ },
1569
+ {
1570
+ kind: "index",
1571
+ name: "by_status_expiresAt",
1572
+ columns: ["status", "expiresAt"]
1573
+ }
1317
1574
  ]
1318
1575
  });
1319
1576
  var crossProjectConnections = defineTable({
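Review bot: `status` on the new `controlPlaneTenantProxyTokenLeases` table only has `"active"` and `"revoked"`, so a lease whose `expiresAt` has passed still reads as active; nothing in the shape marks expiry. Any consumer that validates a lease (that code is not in this hunk) has to test both fields, and the shape should say so, e.g. `// valid only while status === "active" && expiresAt > now; expiry is never written to status`. `environment` is required here but optional on the bindings and provider-secrets tables above, so it is worth a comment on how a lease's environment is chosen when the binding has none.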
@@ -1646,6 +1903,7 @@ var epistemicNodes = defineTable({
1646
1903
  "questionType": z.enum(["validation", "falsification", "assumption_probe", "prediction_test", "counterfactual", "discovery", "clarification", "comparison", "causal", "mechanism", "general"]).optional(),
1647
1904
  "questionPriority": z.enum(["critical", "high", "medium", "low"]).optional(),
1648
1905
  "answerQuality": z.enum(["definitive", "strong", "moderate", "weak", "speculative", "unanswered"]).optional(),
1906
+ "themeStatus": z.enum(["emerging", "active", "mature", "declining", "archived"]).optional(),
1649
1907
  "themeConviction": z.enum(["high", "medium", "low", "negative"]).optional(),
1650
1908
  "decisionType": z.enum(["invest", "pass", "follow_on", "exit", "deep_dive", "monitor", "deprioritize", "thesis_adopt", "thesis_revise", "thesis_abandon"]).optional(),
1651
1909
  "decisionOutcome": z.enum(["pending", "successful", "unsuccessful", "mixed", "unknown"]).optional(),
@@ -1796,6 +2054,7 @@ var memberships = defineTable({
1796
2054
  indices: [
1797
2055
  { kind: "index", name: "by_principalId", columns: ["principalId"] },
1798
2056
  { kind: "index", name: "by_principal_tenant", columns: ["principalId", "tenantId"] },
2057
+ { kind: "index", name: "by_principal_tenant_workspace", columns: ["principalId", "tenantId", "workspaceId"] },
1799
2058
  { kind: "index", name: "by_workspace_principal", columns: ["workspaceId", "principalId"] },
1800
2059
  { kind: "index", name: "by_tenant_role", columns: ["tenantId", "role"] },
1801
2060
  { kind: "index", name: "by_status", columns: ["status"] }
@@ -1827,6 +2086,36 @@ var principals = defineTable({
1827
2086
  { kind: "index", name: "by_status", columns: ["status"] }
1828
2087
  ]
1829
2088
  });
2089
+ var principalIdentityAliases = defineTable({
2090
+ name: "principalIdentityAliases",
2091
+ component: "mc",
2092
+ category: "identity",
2093
+ shape: z.object({
2094
+ "principalId": z.string(),
2095
+ "principalRefId": idOf("principals").optional(),
2096
+ "provider": z.string(),
2097
+ "providerProjectId": z.string().optional(),
2098
+ "externalSubjectId": z.string(),
2099
+ "tenantId": idOf("tenants").optional(),
2100
+ "workspaceId": idOf("workspaces").optional(),
2101
+ "email": z.string().optional(),
2102
+ "status": z.enum(["active", "revoked"]),
2103
+ "metadata": z.record(z.any()).optional(),
2104
+ "createdBy": z.string(),
2105
+ "revokedAt": z.number().optional(),
2106
+ "revokedBy": z.string().optional(),
2107
+ "createdAt": z.number(),
2108
+ "updatedAt": z.number()
2109
+ }),
2110
+ indices: [
2111
+ { kind: "index", name: "by_provider_subject", columns: ["provider", "externalSubjectId"] },
2112
+ { kind: "index", name: "by_provider_project_subject", columns: ["provider", "providerProjectId", "externalSubjectId"] },
2113
+ { kind: "index", name: "by_principalId", columns: ["principalId"] },
2114
+ { kind: "index", name: "by_principal_status", columns: ["principalId", "status"] },
2115
+ { kind: "index", name: "by_tenant_provider_subject", columns: ["tenantId", "provider", "externalSubjectId"] },
2116
+ { kind: "index", name: "by_workspace_provider_subject", columns: ["workspaceId", "provider", "externalSubjectId"] }
2117
+ ]
2118
+ });
1830
2119
  var rateLimitWindows = defineTable({
1831
2120
  name: "rateLimitWindows",
1832
2121
  component: "mc",
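Review bot: The `by_provider_subject` index on `principalIdentityAliases` keys only on `provider` and `externalSubjectId`, while `providerProjectId` and `tenantId` are optional, so a lookup through it can match a subject ID issued under a different provider project or tenant. The entries are plain `kind: "index"`, so nothing in this definition makes the pair unique, and revoked rows stay in the table. The resolver (not visible in this hunk) should presumably go through a project- or tenant-scoped index and require `status === "active"`. A comment on the shape would record that, e.g. `// resolve via by_provider_project_subject or by_tenant_provider_subject and require status "active"`, and it would help to state there whether `email` may ever be used to match a principal.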
@@ -2416,7 +2705,7 @@ var lensTopicBindings = defineTable({
2416
2705
  });
2417
2706
  var mcpWritePolicy = defineTable({
2418
2707
  name: "mcpWritePolicy",
2419
- component: "identity",
2708
+ component: "control-plane",
2420
2709
  category: "platform",
2421
2710
  shape: z.object({
2422
2711
  "topicId": z.string().optional(),
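Review bot: `component` moves from `"identity"` to `"control-plane"` here with nothing in the hunk recording the move. The same one-line change repeats in the following hunks (`platformAudienceGrants` through `modelSlotConfigs`, and `projectGrants`), which include `tenantApiKeys`, `tenantSecrets` and `tenantProviderSecrets`. If any boundary or access rule elsewhere selects tables by `component === "identity"` (not visible here), these secret-bearing tables would silently drop out of it. A comment at the first table, e.g. `// moved from component "identity" in 1.0.0; rules keyed on component must cover "control-plane"`, would make the move auditable.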
@@ -2439,7 +2728,7 @@ var mcpWritePolicy = defineTable({
2439
2728
  });
2440
2729
  var platformAudienceGrants = defineTable({
2441
2730
  name: "platformAudienceGrants",
2442
- component: "identity",
2731
+ component: "control-plane",
2443
2732
  category: "platform",
2444
2733
  shape: z.object({
2445
2734
  "tenantId": z.string(),
@@ -2465,7 +2754,7 @@ var platformAudienceGrants = defineTable({
2465
2754
  });
2466
2755
  var platformAudiences = defineTable({
2467
2756
  name: "platformAudiences",
2468
- component: "identity",
2757
+ component: "control-plane",
2469
2758
  category: "platform",
2470
2759
  shape: z.object({
2471
2760
  "tenantId": z.string(),
@@ -2490,7 +2779,7 @@ var platformAudiences = defineTable({
2490
2779
  });
2491
2780
  var platformPolicyDecisionLogs = defineTable({
2492
2781
  name: "platformPolicyDecisionLogs",
2493
- component: "identity",
2782
+ component: "control-plane",
2494
2783
  category: "platform",
2495
2784
  shape: z.object({
2496
2785
  "principalId": z.string(),
@@ -2526,7 +2815,7 @@ var platformPolicyDecisionLogs = defineTable({
2526
2815
  });
2527
2816
  var tenantApiKeys = defineTable({
2528
2817
  name: "tenantApiKeys",
2529
- component: "identity",
2818
+ component: "control-plane",
2530
2819
  category: "platform",
2531
2820
  shape: z.object({
2532
2821
  "tenantId": z.string(),
@@ -2553,7 +2842,7 @@ var tenantApiKeys = defineTable({
2553
2842
  });
2554
2843
  var tenantConfig = defineTable({
2555
2844
  name: "tenantConfig",
2556
- component: "identity",
2845
+ component: "control-plane",
2557
2846
  category: "platform",
2558
2847
  shape: z.object({
2559
2848
  "tenantId": z.string(),
@@ -2572,7 +2861,7 @@ var tenantConfig = defineTable({
2572
2861
  });
2573
2862
  var tenantIntegrations = defineTable({
2574
2863
  name: "tenantIntegrations",
2575
- component: "identity",
2864
+ component: "control-plane",
2576
2865
  category: "platform",
2577
2866
  shape: z.object({
2578
2867
  "tenantId": z.string(),
@@ -2627,7 +2916,7 @@ var tenantIntegrations = defineTable({
2627
2916
  });
2628
2917
  var tenantModelSlotBindings = defineTable({
2629
2918
  name: "tenantModelSlotBindings",
2630
- component: "identity",
2919
+ component: "control-plane",
2631
2920
  category: "platform",
2632
2921
  shape: z.object({
2633
2922
  "bindingId": z.string(),
@@ -2655,7 +2944,7 @@ var tenantModelSlotBindings = defineTable({
2655
2944
  });
2656
2945
  var tenantPolicies = defineTable({
2657
2946
  name: "tenantPolicies",
2658
- component: "identity",
2947
+ component: "control-plane",
2659
2948
  category: "platform",
2660
2949
  shape: z.object({
2661
2950
  "tenantId": z.string(),
@@ -2680,7 +2969,7 @@ var tenantPolicies = defineTable({
2680
2969
  });
2681
2970
  var tenantProviderSecrets = defineTable({
2682
2971
  name: "tenantProviderSecrets",
2683
- component: "identity",
2972
+ component: "control-plane",
2684
2973
  category: "platform",
2685
2974
  shape: z.object({
2686
2975
  "secretRef": z.string(),
@@ -2711,7 +3000,7 @@ var tenantProviderSecrets = defineTable({
2711
3000
  });
2712
3001
  var tenantProxyGatewayUsage = defineTable({
2713
3002
  name: "tenantProxyGatewayUsage",
2714
- component: "identity",
3003
+ component: "control-plane",
2715
3004
  category: "platform",
2716
3005
  shape: z.object({
2717
3006
  "usageId": z.string(),
@@ -2746,7 +3035,7 @@ var tenantProxyGatewayUsage = defineTable({
2746
3035
  });
2747
3036
  var tenantProxyTokenMints = defineTable({
2748
3037
  name: "tenantProxyTokenMints",
2749
- component: "identity",
3038
+ component: "control-plane",
2750
3039
  category: "platform",
2751
3040
  shape: z.object({
2752
3041
  "proxyTokenId": z.string(),
@@ -2769,7 +3058,7 @@ var tenantProxyTokenMints = defineTable({
2769
3058
  });
2770
3059
  var tenantSandboxAuditEvents = defineTable({
2771
3060
  name: "tenantSandboxAuditEvents",
2772
- component: "identity",
3061
+ component: "control-plane",
2773
3062
  category: "platform",
2774
3063
  shape: z.object({
2775
3064
  "eventId": z.string(),
@@ -2803,7 +3092,7 @@ var tenantSandboxAuditEvents = defineTable({
2803
3092
  });
2804
3093
  var tenantSecrets = defineTable({
2805
3094
  name: "tenantSecrets",
2806
- component: "identity",
3095
+ component: "control-plane",
2807
3096
  category: "platform",
2808
3097
  shape: z.object({
2809
3098
  "tenantId": z.string(),
@@ -2825,7 +3114,7 @@ var tenantSecrets = defineTable({
2825
3114
  });
2826
3115
  var toolAcls = defineTable({
2827
3116
  name: "toolAcls",
2828
- component: "identity",
3117
+ component: "control-plane",
2829
3118
  category: "platform",
2830
3119
  shape: z.object({
2831
3120
  "role": z.enum(["platform_admin", "tenant_admin", "workspace_admin", "editor", "viewer", "auditor", "service_agent"]),
@@ -2840,7 +3129,7 @@ var toolAcls = defineTable({
2840
3129
  });
2841
3130
  var toolRegistry = defineTable({
2842
3131
  name: "toolRegistry",
2843
- component: "identity",
3132
+ component: "control-plane",
2844
3133
  category: "platform",
2845
3134
  shape: z.object({
2846
3135
  "toolName": z.string(),
@@ -2921,7 +3210,7 @@ var tenantMethodologyAssignments = defineTable({
2921
3210
  });
2922
3211
  var modelCallLogs = defineTable({
2923
3212
  name: "modelCallLogs",
2924
- component: "identity",
3213
+ component: "control-plane",
2925
3214
  category: "model",
2926
3215
  shape: z.object({
2927
3216
  "slot": z.string(),
@@ -2947,7 +3236,7 @@ var modelCallLogs = defineTable({
2947
3236
  });
2948
3237
  var modelFunctionSlots = defineTable({
2949
3238
  name: "modelFunctionSlots",
2950
- component: "identity",
3239
+ component: "control-plane",
2951
3240
  category: "model",
2952
3241
  shape: z.object({
2953
3242
  "slot": z.string(),
@@ -2972,7 +3261,7 @@ var modelFunctionSlots = defineTable({
2972
3261
  });
2973
3262
  var modelRegistry = defineTable({
2974
3263
  name: "modelRegistry",
2975
- component: "identity",
3264
+ component: "control-plane",
2976
3265
  category: "model",
2977
3266
  shape: z.object({
2978
3267
  "key": z.string(),
@@ -2999,7 +3288,7 @@ var modelRegistry = defineTable({
2999
3288
  });
3000
3289
  var modelSlotConfigs = defineTable({
3001
3290
  name: "modelSlotConfigs",
3002
- component: "identity",
3291
+ component: "control-plane",
3003
3292
  category: "model",
3004
3293
  shape: z.object({
3005
3294
  "slot": z.string(),
@@ -3386,7 +3675,7 @@ var policyDecisionLogs = defineTable({
3386
3675
  "workspaceId": idOf("workspaces").optional(),
3387
3676
  "resourceType": z.string(),
3388
3677
  "resourceId": z.string(),
3389
- "action": z.enum(["read", "summarize", "export", "mutate", "admin", "comment", "escalate", "resolve", "vote"]),
3678
+ "action": z.enum(["read", "summarize", "export", "mutate", "admin", "comment", "escalate", "resolve", "vote", "route", "invoke", "manage", "deploy", "promote", "rollback", "audit", "read_ref", "fetch_value", "rotate", "administer", "mint", "delegate", "revoke"]),
3390
3679
  "decision": z.enum(["allow", "deny"]),
3391
3680
  "reasonCode": z.string(),
3392
3681
  "policyVersion": z.string(),
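Review bot: The widened `action` enum on `policyDecisionLogs` now holds near-synonyms (`"admin"`, `"administer"`, `"manage"`) and a `"read_ref"` / `"fetch_value"` pair with no comment telling them apart, which makes audit queries and policy rules that match on `action` easy to get wrong. A comment above the field should define each verb, in particular which one records access to secret material (from the names this looks like `fetch_value`, but that is inferred). The list is also inlined; hoisting it into a named `z.enum([...])` constant would let other tables that log decisions share one definition. The table definition starts and ends outside the hunk.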
@@ -3448,7 +3737,7 @@ var controlPlaneToolAcls = defineTable({
3448
3737
  });
3449
3738
  var projectGrants = defineTable({
3450
3739
  name: "projectGrants",
3451
- component: "identity",
3740
+ component: "control-plane",
3452
3741
  category: "project",
3453
3742
  shape: z.object({
3454
3743
  "projectId": z.string().optional(),
@@ -3480,9 +3769,653 @@ var projectGrants = defineTable({
3480
3769
  { kind: "index", name: "by_topic_cluster_status", columns: ["topicId", "beliefClusterId", "status"] }
3481
3770
  ]
3482
3771
  });
3772
+ var permitActorType = z.enum([
3773
+ "human",
3774
+ "agent",
3775
+ "service_principal",
3776
+ "external_stakeholder",
3777
+ "system"
3778
+ ]);
3779
+ var permitMembershipStatus = z.enum([
3780
+ "active",
3781
+ "invited",
3782
+ "revoked",
3783
+ "suspended",
3784
+ "disabled"
3785
+ ]);
3786
+ var permitDecision = z.enum(["allow", "deny"]);
3787
+ var permitAccessReviewStatus = z.enum([
3788
+ "open",
3789
+ "in_progress",
3790
+ "approved",
3791
+ "denied",
3792
+ "expired",
3793
+ "cancelled"
3794
+ ]);
3795
+ var permitReviewScope = z.enum([
3796
+ "tenant",
3797
+ "workspace",
3798
+ "resource_instance",
3799
+ "group",
3800
+ "principal",
3801
+ "api_key",
3802
+ "admin_action"
3803
+ ]);
3804
+ var permitRecordStatus = z.enum([
3805
+ "queued",
3806
+ "inflight",
3807
+ "completed",
3808
+ "failed",
3809
+ "skipped",
3810
+ "stale"
3811
+ ]);
3812
+ var permitObjectType = z.enum([
3813
+ "resource",
3814
+ "role",
3815
+ "resource_role",
3816
+ "resource_relation",
3817
+ "tenant",
3818
+ "workspace",
3819
+ "principal",
3820
+ "membership",
3821
+ "group",
3822
+ "resource_instance",
3823
+ "relationship_tuple",
3824
+ "role_assignment",
3825
+ "attribute_binding",
3826
+ "policy_bundle"
3827
+ ]);
3828
+ var permitOutboxOperation = z.enum([
3829
+ "upsert",
3830
+ "delete",
3831
+ "sync",
3832
+ "resync",
3833
+ "delete_sync",
3834
+ "noop"
3835
+ ]);
3836
+ var permitPolicyBundleStatus = z.enum([
3837
+ "draft",
3838
+ "validated",
3839
+ "enforced",
3840
+ "archived"
3841
+ ]);
3842
+ var permitSyncStatus = z.enum([
3843
+ "pending",
3844
+ "synced",
3845
+ "error",
3846
+ "skipped"
3847
+ ]);
3848
+ var permitAccessReviewSubjectType = z.enum([
3849
+ "principal",
3850
+ "group",
3851
+ "role_assignment",
3852
+ "resource_instance"
3853
+ ]);
3854
+ var permitAttributeType = z.enum([
3855
+ "string",
3856
+ "number",
3857
+ "bool",
3858
+ "json",
3859
+ "time"
3860
+ ]);
3861
+ var permitAttributeOperator = z.enum([
3862
+ "eq",
3863
+ "neq",
3864
+ "in",
3865
+ "not_in",
3866
+ "gt",
3867
+ "gte",
3868
+ "lt",
3869
+ "lte",
3870
+ "contains",
3871
+ "not_contains",
3872
+ "matches"
3873
+ ]);
3874
+ var permitRoleBindingTarget = z.enum([
3875
+ "principal",
3876
+ "group"
3877
+ ]);
3878
+ var permitPrincipals = defineTable({
3879
+ name: "permitPrincipals",
3880
+ component: "control-plane",
3881
+ category: "access-control",
3882
+ shape: z.object({
3883
+ principalId: z.string(),
3884
+ tenantId: z.string(),
3885
+ workspaceId: z.optional(z.string()),
3886
+ principalType: permitActorType,
3887
+ status: permitMembershipStatus,
3888
+ displayName: z.string().optional(),
3889
+ metadata: z.record(z.any()).optional(),
3890
+ createdBy: z.string(),
3891
+ createdAt: z.number(),
3892
+ updatedAt: z.number(),
3893
+ updatedBy: z.string().optional(),
3894
+ lastSeenAt: z.number().optional()
3895
+ }),
3896
+ indices: [
3897
+ { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
3898
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
3899
+ { kind: "index", name: "by_tenant_principalId", columns: ["tenantId", "principalId"] },
3900
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] },
3901
+ {
3902
+ kind: "index",
3903
+ name: "by_tenant_principalType_status",
3904
+ columns: ["tenantId", "principalType", "status"]
3905
+ }
3906
+ ]
3907
+ });
3908
+ var permitPrincipalAliases = defineTable({
3909
+ name: "permitPrincipalAliases",
3910
+ component: "control-plane",
3911
+ category: "access-control",
3912
+ shape: z.object({
3913
+ principalId: z.string(),
3914
+ tenantId: z.string(),
3915
+ workspaceId: z.optional(z.string()),
3916
+ provider: z.string(),
3917
+ providerSubjectId: z.string(),
3918
+ providerProjectId: z.string().optional(),
3919
+ alias: z.string(),
3920
+ aliasKind: z.string(),
3921
+ status: permitMembershipStatus,
3922
+ metadata: z.record(z.any()).optional(),
3923
+ createdBy: z.string(),
3924
+ createdAt: z.number(),
3925
+ updatedAt: z.number(),
3926
+ revokedBy: z.string().optional(),
3927
+ revokedAt: z.number().optional(),
3928
+ updatedBy: z.string().optional()
3929
+ }),
3930
+ indices: [
3931
+ { kind: "index", name: "by_principalId", columns: ["principalId"] },
3932
+ { kind: "index", name: "by_provider_subject", columns: ["provider", "providerSubjectId"] },
3933
+ { kind: "index", name: "by_provider_project_subject", columns: ["provider", "providerProjectId", "providerSubjectId"] },
3934
+ { kind: "index", name: "by_tenant_provider_subject", columns: ["tenantId", "provider", "providerSubjectId"] },
3935
+ { kind: "index", name: "by_tenant_provider_project_subject", columns: ["tenantId", "provider", "providerProjectId", "providerSubjectId"] },
3936
+ {
3937
+ kind: "index",
3938
+ name: "by_tenant_provider_alias",
3939
+ columns: ["tenantId", "provider", "alias"]
3940
+ },
3941
+ { kind: "index", name: "by_tenant_alias", columns: ["tenantId", "alias"] },
3942
+ {
3943
+ kind: "index",
3944
+ name: "by_tenant_provider_status",
3945
+ columns: ["tenantId", "provider", "status"]
3946
+ }
3947
+ ]
3948
+ });
3949
+ var permitGroups = defineTable({
3950
+ name: "permitGroups",
3951
+ component: "control-plane",
3952
+ category: "access-control",
3953
+ shape: z.object({
3954
+ tenantId: z.string(),
3955
+ workspaceId: z.optional(z.string()),
3956
+ groupId: z.string(),
3957
+ groupKey: z.string(),
3958
+ groupName: z.string(),
3959
+ groupType: z.enum(["tenant", "workspace", "external", "system", "dynamic"]),
3960
+ status: permitMembershipStatus,
3961
+ description: z.string().optional(),
3962
+ metadata: z.record(z.any()).optional(),
3963
+ createdBy: z.string(),
3964
+ createdAt: z.number(),
3965
+ updatedAt: z.number(),
3966
+ updatedBy: z.string().optional()
3967
+ }),
3968
+ indices: [
3969
+ { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
3970
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
3971
+ { kind: "index", name: "by_tenant_groupId", columns: ["tenantId", "groupId"] },
3972
+ { kind: "index", name: "by_tenant_groupKey", columns: ["tenantId", "groupKey"] },
3973
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] }
3974
+ ]
3975
+ });
3976
+ var permitGroupMemberships = defineTable({
3977
+ name: "permitGroupMemberships",
3978
+ component: "control-plane",
3979
+ category: "access-control",
3980
+ shape: z.object({
3981
+ tenantId: z.string(),
3982
+ workspaceId: z.optional(z.string()),
3983
+ groupId: z.string(),
3984
+ memberType: z.enum(["principal", "group"]),
3985
+ memberId: z.string(),
3986
+ principalId: z.string().optional(),
3987
+ childGroupId: z.string().optional(),
3988
+ status: permitMembershipStatus,
3989
+ addedBy: z.string().optional(),
3990
+ revokedBy: z.string().optional(),
3991
+ expiresAt: z.number().optional(),
3992
+ revocationReason: z.string().optional(),
3993
+ metadata: z.record(z.any()).optional(),
3994
+ createdAt: z.number(),
3995
+ updatedAt: z.number(),
3996
+ updatedBy: z.string().optional()
3997
+ }),
3998
+ indices: [
3999
+ { kind: "index", name: "by_tenant_principal", columns: ["tenantId", "principalId"] },
4000
+ { kind: "index", name: "by_tenant_member", columns: ["tenantId", "memberType", "memberId"] },
4001
+ {
4002
+ kind: "index",
4003
+ name: "by_tenant_member_group",
4004
+ columns: ["tenantId", "memberType", "memberId", "groupId"]
4005
+ },
4006
+ { kind: "index", name: "by_tenant_group", columns: ["tenantId", "groupId"] },
4007
+ { kind: "index", name: "by_member_group", columns: ["memberType", "memberId", "groupId"] },
4008
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] },
4009
+ {
4010
+ kind: "index",
4011
+ name: "by_workspace_principal",
4012
+ columns: ["workspaceId", "principalId"]
4013
+ }
4014
+ ]
4015
+ });
4016
+ var permitResourceInstances = defineTable({
4017
+ name: "permitResourceInstances",
4018
+ component: "control-plane",
4019
+ category: "access-control",
4020
+ shape: z.object({
4021
+ tenantId: z.string(),
4022
+ workspaceId: z.optional(z.string()),
4023
+ resourceType: z.string(),
4024
+ resourceKey: z.string(),
4025
+ resourceId: z.string(),
4026
+ status: z.enum(["active", "deleted", "archived"]),
4027
+ attributes: z.record(z.any()).optional(),
4028
+ ownerPrincipalId: z.string().optional(),
4029
+ metadata: z.record(z.any()).optional(),
4030
+ createdBy: z.string(),
4031
+ updatedBy: z.string().optional(),
4032
+ createdAt: z.number(),
4033
+ updatedAt: z.number()
4034
+ }),
4035
+ indices: [
4036
+ {
4037
+ kind: "index",
4038
+ name: "by_tenant_resource_type",
4039
+ columns: ["tenantId", "resourceType"]
4040
+ },
4041
+ {
4042
+ kind: "index",
4043
+ name: "by_tenant_resource_key",
4044
+ columns: ["tenantId", "resourceType", "resourceKey"]
4045
+ },
4046
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
4047
+ { kind: "index", name: "by_status", columns: ["status"] },
4048
+ {
4049
+ kind: "index",
4050
+ name: "by_tenant_status",
4051
+ columns: ["tenantId", "status"]
4052
+ },
4053
+ {
4054
+ kind: "index",
4055
+ name: "by_ownerPrincipalId",
4056
+ columns: ["ownerPrincipalId"]
4057
+ }
4058
+ ]
4059
+ });
4060
+ var permitRoleAssignments = defineTable({
4061
+ name: "permitRoleAssignments",
4062
+ component: "control-plane",
4063
+ category: "access-control",
4064
+ shape: z.object({
4065
+ tenantId: z.string(),
4066
+ workspaceId: z.optional(z.string()),
4067
+ role: z.string(),
4068
+ targetType: permitRoleBindingTarget,
4069
+ targetId: z.string(),
4070
+ resourceType: z.string(),
4071
+ resourceKey: z.string(),
4072
+ resourceInstanceId: z.string().optional(),
4073
+ status: permitMembershipStatus,
4074
+ expiresAt: z.number().optional(),
4075
+ attributes: z.record(z.any()).optional(),
4076
+ grantedBy: z.string().optional(),
4077
+ updatedBy: z.string().optional(),
4078
+ revokedBy: z.string().optional(),
4079
+ createdAt: z.number(),
4080
+ updatedAt: z.number()
4081
+ }),
4082
+ indices: [
4083
+ {
4084
+ kind: "index",
4085
+ name: "by_tenant_target",
4086
+ columns: ["tenantId", "targetType", "targetId"]
4087
+ },
4088
+ {
4089
+ kind: "index",
4090
+ name: "by_tenant_resource",
4091
+ columns: ["tenantId", "resourceType", "resourceKey"]
4092
+ },
4093
+ {
4094
+ kind: "index",
4095
+ name: "by_tenant_role",
4096
+ columns: ["tenantId", "role", "status"]
4097
+ },
4098
+ { kind: "index", name: "by_status", columns: ["status"] },
4099
+ {
4100
+ kind: "index",
4101
+ name: "by_workspace_resource",
4102
+ columns: ["workspaceId", "resourceType", "resourceKey"]
4103
+ }
4104
+ ]
4105
+ });
4106
+ var permitRelationshipTuples = defineTable({
4107
+ name: "permitRelationshipTuples",
4108
+ component: "control-plane",
4109
+ category: "access-control",
4110
+ shape: z.object({
4111
+ tenantId: z.string(),
4112
+ workspaceId: z.optional(z.string()),
4113
+ relation: z.string(),
4114
+ subject: z.string(),
4115
+ object: z.string(),
4116
+ resourceType: z.string().optional(),
4117
+ resourceKey: z.string().optional(),
4118
+ status: permitRecordStatus,
4119
+ attributes: z.record(z.any()).optional(),
4120
+ createdBy: z.string(),
4121
+ createdAt: z.number(),
4122
+ updatedAt: z.number(),
4123
+ lastSeenAt: z.number().optional(),
4124
+ updatedBy: z.string().optional()
4125
+ }),
4126
+ indices: [
4127
+ { kind: "index", name: "by_tenant_subject", columns: ["tenantId", "subject"] },
4128
+ { kind: "index", name: "by_tenant_object", columns: ["tenantId", "object"] },
4129
+ { kind: "index", name: "by_tenant_relation", columns: ["tenantId", "relation"] },
4130
+ {
4131
+ kind: "index",
4132
+ name: "by_tenant_relation_subject",
4133
+ columns: ["tenantId", "relation", "subject"]
4134
+ },
4135
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] }
4136
+ ]
4137
+ });
4138
+ var permitAttributeBindings = defineTable({
4139
+ name: "permitAttributeBindings",
4140
+ component: "control-plane",
4141
+ category: "access-control",
4142
+ shape: z.object({
4143
+ tenantId: z.string(),
4144
+ workspaceId: z.optional(z.string()),
4145
+ targetType: permitRoleBindingTarget,
4146
+ targetId: z.string(),
4147
+ attributeName: z.string(),
4148
+ attributeType: permitAttributeType,
4149
+ attributeOperator: permitAttributeOperator,
4150
+ attributeValue: z.any(),
4151
+ status: permitRecordStatus,
4152
+ source: z.string().optional(),
4153
+ sourceRef: z.string().optional(),
4154
+ metadata: z.record(z.any()).optional(),
4155
+ createdAt: z.number(),
4156
+ updatedAt: z.number(),
4157
+ createdBy: z.string(),
4158
+ updatedBy: z.string().optional(),
4159
+ expiresAt: z.number().optional()
4160
+ }),
4161
+ indices: [
4162
+ {
4163
+ kind: "index",
4164
+ name: "by_tenant_target",
4165
+ columns: ["tenantId", "targetType", "targetId"]
4166
+ },
4167
+ {
4168
+ kind: "index",
4169
+ name: "by_tenant_target_attribute",
4170
+ columns: ["tenantId", "targetType", "targetId", "attributeName"]
4171
+ },
4172
+ {
4173
+ kind: "index",
4174
+ name: "by_tenant_name",
4175
+ columns: ["tenantId", "attributeName"]
4176
+ },
4177
+ {
4178
+ kind: "index",
4179
+ name: "by_tenant_status",
4180
+ columns: ["tenantId", "status"]
4181
+ }
4182
+ ]
4183
+ });
4184
+ var permitPolicyBundles = defineTable({
4185
+ name: "permitPolicyBundles",
4186
+ component: "control-plane",
4187
+ category: "access-control",
4188
+ shape: z.object({
4189
+ tenantId: z.string(),
4190
+ workspaceId: z.optional(z.string()),
4191
+ bundleKey: z.string(),
4192
+ version: z.number(),
4193
+ status: permitPolicyBundleStatus,
4194
+ policyHash: z.string().optional(),
4195
+ policyPayload: z.record(z.any()),
4196
+ metadata: z.record(z.any()).optional(),
4197
+ createdBy: z.string(),
4198
+ reviewedBy: z.string().optional(),
4199
+ createdAt: z.number(),
4200
+ updatedAt: z.number(),
4201
+ retiredAt: z.number().optional()
4202
+ }),
4203
+ indices: [
4204
+ { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
4205
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
4206
+ {
4207
+ kind: "index",
4208
+ name: "by_tenant_bundleKey",
4209
+ columns: ["tenantId", "bundleKey"]
4210
+ },
4211
+ {
4212
+ kind: "index",
4213
+ name: "by_tenant_bundle_version",
4214
+ columns: ["tenantId", "bundleKey", "version"]
4215
+ },
4216
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] }
4217
+ ]
4218
+ });
4219
+ var permitProjectionOutbox = defineTable({
4220
+ name: "permitProjectionOutbox",
4221
+ component: "control-plane",
4222
+ category: "access-control",
4223
+ shape: z.object({
4224
+ syncKey: z.string(),
4225
+ objectType: permitObjectType,
4226
+ objectId: z.string(),
4227
+ operation: permitOutboxOperation,
4228
+ payload: z.record(z.any()),
4229
+ status: permitRecordStatus,
4230
+ attemptCount: z.number(),
4231
+ nextAttemptAt: z.number().optional(),
4232
+ lastError: z.string().optional(),
4233
+ tenantId: z.string().optional(),
4234
+ workspaceId: z.optional(z.string()),
4235
+ principalId: z.string().optional(),
4236
+ permitTenantKey: z.string().optional(),
4237
+ permitResourceType: z.string().optional(),
4238
+ permitResourceKey: z.string().optional(),
4239
+ createdAt: z.number(),
4240
+ updatedAt: z.number(),
4241
+ lastHandledAt: z.number().optional()
4242
+ }),
4243
+ indices: [
4244
+ { kind: "index", name: "by_syncKey", columns: ["syncKey"] },
4245
+ { kind: "index", name: "by_status", columns: ["status"] },
4246
+ { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
4247
+ {
4248
+ kind: "index",
4249
+ name: "by_tenant_status",
4250
+ columns: ["tenantId", "status"]
4251
+ },
4252
+ {
4253
+ kind: "index",
4254
+ name: "by_objectType",
4255
+ columns: ["objectType", "status"]
4256
+ }
4257
+ ]
4258
+ });
4259
+ var tenantPermitSyncStates = defineTable({
4260
+ name: "tenantPermitSyncStates",
4261
+ component: "control-plane",
4262
+ category: "access-control",
4263
+ shape: z.object({
4264
+ syncKey: z.string(),
4265
+ objectType: permitObjectType,
4266
+ objectId: z.string(),
4267
+ tenantId: z.string().optional(),
4268
+ workspaceId: z.string().optional(),
4269
+ principalId: z.string().optional(),
4270
+ permitTenantKey: z.string().optional(),
4271
+ permitResourceType: z.string().optional(),
4272
+ permitResourceKey: z.string().optional(),
4273
+ desiredPayload: z.record(z.any()),
4274
+ lastAppliedPayloadHash: z.string().optional(),
4275
+ status: permitSyncStatus,
4276
+ attemptCount: z.number(),
4277
+ lastError: z.string().optional(),
4278
+ nextAttemptAt: z.number().optional(),
4279
+ lastSyncedAt: z.number().optional(),
4280
+ createdBy: z.string(),
4281
+ updatedBy: z.string().optional(),
4282
+ createdAt: z.number(),
4283
+ updatedAt: z.number()
4284
+ }),
4285
+ indices: [
4286
+ { kind: "index", name: "by_syncKey", columns: ["syncKey"] },
4287
+ { kind: "index", name: "by_status", columns: ["status"] },
4288
+ {
4289
+ kind: "index",
4290
+ name: "by_tenant_status",
4291
+ columns: ["tenantId", "status"]
4292
+ },
4293
+ {
4294
+ kind: "index",
4295
+ name: "by_workspace_status",
4296
+ columns: ["workspaceId", "status"]
4297
+ },
4298
+ {
4299
+ kind: "index",
4300
+ name: "by_principal_status",
4301
+ columns: ["principalId", "status"]
4302
+ }
4303
+ ]
4304
+ });
4305
+ var permitPolicyDecisionReceipts = defineTable({
4306
+ name: "permitPolicyDecisionReceipts",
4307
+ component: "control-plane",
4308
+ category: "access-control",
4309
+ shape: z.object({
4310
+ tenantId: z.string().optional(),
4311
+ workspaceId: z.string().optional(),
4312
+ principalId: z.string(),
4313
+ subjectType: permitAccessReviewSubjectType.optional(),
4314
+ subjectId: z.string().optional(),
4315
+ resourceType: z.string(),
4316
+ resourceId: z.string(),
4317
+ action: z.string(),
4318
+ decision: permitDecision,
4319
+ reasonCode: z.string(),
4320
+ policyBundleId: z.string().optional(),
4321
+ policyVersion: z.string(),
4322
+ traceId: z.string().optional(),
4323
+ requestId: z.string().optional(),
4324
+ audienceMode: z.string().optional(),
4325
+ audienceKey: z.string().optional(),
4326
+ audienceClass: z.enum(["internal", "restricted_external", "public"]).optional(),
4327
+ metadata: z.record(z.any()).optional(),
4328
+ createdAt: z.number(),
4329
+ expiresAt: z.number().optional(),
4330
+ createdBy: z.string().optional()
4331
+ }),
4332
+ indices: [
4333
+ { kind: "index", name: "by_principal_createdAt", columns: ["principalId", "createdAt"] },
4334
+ { kind: "index", name: "by_tenant_createdAt", columns: ["tenantId", "createdAt"] },
4335
+ { kind: "index", name: "by_resource", columns: ["resourceType", "resourceId"] },
4336
+ { kind: "index", name: "by_decision_createdAt", columns: ["decision", "createdAt"] },
4337
+ { kind: "index", name: "by_traceId", columns: ["traceId"] },
4338
+ { kind: "index", name: "by_action", columns: ["action"] }
4339
+ ]
4340
+ });
4341
+ var permitAccessReviews = defineTable({
4342
+ name: "permitAccessReviews",
4343
+ component: "control-plane",
4344
+ category: "access-control",
4345
+ shape: z.object({
4346
+ tenantId: z.string(),
4347
+ workspaceId: z.optional(z.string()),
4348
+ reviewKey: z.string(),
4349
+ scope: permitReviewScope,
4350
+ status: permitAccessReviewStatus,
4351
+ subjectType: permitAccessReviewSubjectType,
4352
+ subjectId: z.string(),
4353
+ resourceType: z.string().optional(),
4354
+ resourceKey: z.string().optional(),
4355
+ outcome: z.enum(["allow", "deny"]).optional(),
4356
+ requestedBy: z.string(),
4357
+ reviewedBy: z.string().optional(),
4358
+ requestedAt: z.number(),
4359
+ reviewedAt: z.number().optional(),
4360
+ dueAt: z.number().optional(),
4361
+ justification: z.string().optional(),
4362
+ rationale: z.string().optional(),
4363
+ policyBundleId: z.string().optional(),
4364
+ metadata: z.record(z.any()).optional(),
4365
+ createdAt: z.number(),
4366
+ updatedAt: z.number()
4367
+ }),
4368
+ indices: [
4369
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] },
4370
+ { kind: "index", name: "by_tenant_reviewKey", columns: ["tenantId", "reviewKey"] },
4371
+ { kind: "index", name: "by_subject", columns: ["subjectType", "subjectId"] },
4372
+ {
4373
+ kind: "index",
4374
+ name: "by_tenant_subject",
4375
+ columns: ["tenantId", "subjectType", "subjectId"]
4376
+ },
4377
+ { kind: "index", name: "by_outcome", columns: ["outcome"] },
4378
+ {
4379
+ kind: "index",
4380
+ name: "by_workspace_status",
4381
+ columns: ["workspaceId", "status"]
4382
+ }
4383
+ ]
4384
+ });
4385
+ var permitAccessReviewItems = defineTable({
4386
+ name: "permitAccessReviewItems",
4387
+ component: "control-plane",
4388
+ category: "access-control",
4389
+ shape: z.object({
4390
+ reviewKey: z.string(),
4391
+ itemKey: z.string(),
4392
+ tenantId: z.string(),
4393
+ workspaceId: z.string().optional(),
4394
+ subjectType: permitAccessReviewSubjectType,
4395
+ subjectId: z.string(),
4396
+ resourceType: z.string().optional(),
4397
+ resourceKey: z.string().optional(),
4398
+ role: z.string().optional(),
4399
+ relation: z.string().optional(),
4400
+ status: z.enum(["open", "approved", "revoked", "changed", "deferred"]),
4401
+ reviewerId: z.string().optional(),
4402
+ decisionAt: z.number().optional(),
4403
+ rationale: z.string().optional(),
4404
+ metadata: z.record(z.any()).optional(),
4405
+ createdAt: z.number(),
4406
+ updatedAt: z.number()
4407
+ }),
4408
+ indices: [
4409
+ { kind: "index", name: "by_reviewKey", columns: ["reviewKey"] },
4410
+ { kind: "index", name: "by_tenant_reviewKey", columns: ["tenantId", "reviewKey"] },
4411
+ { kind: "index", name: "by_tenant_itemKey", columns: ["tenantId", "itemKey"] },
4412
+ { kind: "index", name: "by_subject", columns: ["subjectType", "subjectId"] },
4413
+ { kind: "index", name: "by_status", columns: ["status"] }
4414
+ ]
4415
+ });
3483
4416
  var reasoningPermissions = defineTable({
3484
4417
  name: "reasoningPermissions",
3485
- component: "identity",
4418
+ component: "control-plane",
3486
4419
  category: "epistemic",
3487
4420
  shape: z.object({
3488
4421
  "topicId": z.string().optional(),
@@ -3717,6 +4650,7 @@ var topics = defineTable({
3717
4650
  "updatedAt": z.number()
3718
4651
  }),
3719
4652
  indices: [
4653
+ { kind: "index", name: "by_globalId", columns: ["globalId"] },
3720
4654
  { kind: "index", name: "by_parent", columns: ["parentTopicId"] },
3721
4655
  { kind: "index", name: "by_type", columns: ["type"] },
3722
4656
  { kind: "index", name: "by_graph_scope_project", columns: ["graphScopeProjectId"] },
@@ -3728,7 +4662,7 @@ var topics = defineTable({
3728
4662
  });
3729
4663
  var users = defineTable({
3730
4664
  name: "users",
3731
- component: "identity",
4665
+ component: "control-plane",
3732
4666
  category: "user",
3733
4667
  shape: z.object({
3734
4668
  "clerkId": z.string(),
@@ -3842,7 +4776,6 @@ var workspaces = defineTable({
3842
4776
  "deployments": z.record(z.object({
3843
4777
  "url": z.string(),
3844
4778
  "target": z.enum(["kernelDeployment", "appDeployment"]).optional(),
3845
- "encryptedDeployKey": z.string().optional(),
3846
4779
  "credentialRef": z.string().optional()
3847
4780
  })).optional(),
3848
4781
  "metadata": z.record(z.any()).optional(),
@@ -3857,6 +4790,39 @@ var workspaces = defineTable({
3857
4790
  { kind: "index", name: "by_status", columns: ["status"] }
3858
4791
  ]
3859
4792
  });
4793
+ var deploymentHosts = defineTable({
4794
+ name: "deploymentHosts",
4795
+ component: "mc",
4796
+ category: "workspace",
4797
+ shape: z.object({
4798
+ "host": z.string(),
4799
+ "tenantId": idOf("tenants"),
4800
+ "workspaceId": idOf("workspaces"),
4801
+ "environment": z.enum(["dev", "staging", "prod"]),
4802
+ "target": z.enum(["kernelDeployment", "appDeployment"]),
4803
+ "deploymentUrl": z.string().optional(),
4804
+ "deploymentName": z.string().optional(),
4805
+ "vercelProjectName": z.string().optional(),
4806
+ "vercelProjectId": z.string().optional(),
4807
+ "vercelEnvironment": z.enum(["development", "preview", "staging", "production"]).optional(),
4808
+ "source": z.enum(["vercel_preview", "vercel_production", "vercel_custom_environment", "custom_domain", "manual"]),
4809
+ "status": z.enum(["active", "revoked"]),
4810
+ "metadata": z.record(z.any()).optional(),
4811
+ "createdBy": z.string(),
4812
+ "createdAt": z.number(),
4813
+ "updatedAt": z.number(),
4814
+ "revokedAt": z.number().optional(),
4815
+ "revokedBy": z.string().optional()
4816
+ }),
4817
+ indices: [
4818
+ { kind: "index", name: "by_host", columns: ["host"] },
4819
+ { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
4820
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
4821
+ { kind: "index", name: "by_tenant_workspace_environment", columns: ["tenantId", "workspaceId", "environment"] },
4822
+ { kind: "index", name: "by_workspace_status", columns: ["workspaceId", "status"] },
4823
+ { kind: "index", name: "by_status", columns: ["status"] }
4824
+ ]
4825
+ });
3860
4826
  var worktreeBeliefCluster = defineTable({
3861
4827
  name: "worktreeBeliefCluster",
3862
4828
  component: "kernel",
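Review bot: `host` in the new `deploymentHosts` shape is an unconstrained `z.string()` and `by_host` is declared as an ordinary index, so the contract itself does not stop two rows from carrying the same host in different case, with a trailing dot, or with a port. If rows are looked up by host to pick a `tenantId`/`workspaceId` (an inference from the field names; no lookup code is in this hunk), a non-canonical or duplicate entry could resolve a request to the wrong tenant. I would canonicalise in the schema, for example `"host": z.string().trim().toLowerCase().min(1)`, provided the bundled zod version has these string transforms, and add a comment on `by_host` saying writers must refuse a second `active` row for the same host. Any lookup should also filter on `status` being `"active"` so that revoked hosts stop resolving.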
@@ -4175,6 +5141,7 @@ var KERNEL_TABLE_CONTRACTS = [
4175
5141
  decisionParticipants,
4176
5142
  decisionRiskLedger,
4177
5143
  decisionSnapshots,
5144
+ domainEvents,
4178
5145
  deliberationContributions,
4179
5146
  deliberationSessions,
4180
5147
  stakeholderGroups,
@@ -4221,9 +5188,23 @@ var KERNEL_TABLE_CONTRACTS = [
4221
5188
  worktreeBeliefCluster,
4222
5189
  worktrees
4223
5190
  ];
4224
- var IDENTITY_TABLE_CONTRACTS = [
5191
+ var CONTROL_PLANE_TABLE_CONTRACTS = [
4225
5192
  agents,
4226
5193
  reasoningPermissions,
5194
+ permitAccessReviewItems,
5195
+ permitAccessReviews,
5196
+ permitAttributeBindings,
5197
+ permitGroups,
5198
+ permitGroupMemberships,
5199
+ permitPolicyBundles,
5200
+ permitPolicyDecisionReceipts,
5201
+ permitPrincipalAliases,
5202
+ permitPrincipals,
5203
+ permitProjectionOutbox,
5204
+ permitRelationshipTuples,
5205
+ permitResourceInstances,
5206
+ permitRoleAssignments,
5207
+ tenantPermitSyncStates,
4227
5208
  modelCallLogs,
4228
5209
  modelFunctionSlots,
4229
5210
  modelRegistry,
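Review bot: Of the permit tables registered in `CONTROL_PLANE_TABLE_CONTRACTS` here, `permitPolicyDecisionReceipts` declares `policyVersion: z.string()` while `permitPolicyBundles` declares `version: z.number()` (both are defined earlier in this file's diff, outside this hunk), so a decision receipt cannot be matched to the bundle version that produced it without a conversion that is not specified anywhere visible. Either make the receipt field `policyVersion: z.number()` or add a comment stating the string format and how it maps to `bundleKey`/`version`. The receipt's `tenantId` is also optional, so rows written without it will not be returned by a `by_tenant_createdAt` query when one tenant's decisions are audited; if tenant-less decisions are intended, a comment saying when that happens would help.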
@@ -4253,6 +5234,7 @@ var MC_TABLE_CONTRACTS = [
4253
5234
  memberships,
4254
5235
  oauthDeviceCodes,
4255
5236
  principals,
5237
+ principalIdentityAliases,
4256
5238
  rateLimitWindows,
4257
5239
  servicePrincipalKeys,
4258
5240
  userSessions,
@@ -4268,29 +5250,33 @@ var MC_TABLE_CONTRACTS = [
4268
5250
  policyDecisionLogs,
4269
5251
  policySimulations,
4270
5252
  controlPlaneToolAcls,
5253
+ permitSyncStates,
4271
5254
  agentRegistryEntries,
4272
5255
  toolCatalog,
4273
5256
  toolRegistryEntries,
4274
5257
  compatibilityShims,
4275
5258
  cutoverFlags,
4276
5259
  tenantDeploymentCredentials,
5260
+ secretSyncDriftReports,
4277
5261
  controlPlaneTenantModelSlotBindings,
4278
5262
  controlPlaneTenantProviderSecrets,
4279
5263
  controlPlaneTenantProxyGatewayUsage,
5264
+ controlPlaneTenantProxyTokenLeases,
4280
5265
  apiKeys,
4281
5266
  auditLog,
4282
5267
  tenants,
4283
- workspaces
5268
+ workspaces,
5269
+ deploymentHosts
4284
5270
  ];
4285
5271
  var TABLE_CONTRACTS_BY_COMPONENT = {
4286
5272
  kernel: KERNEL_TABLE_CONTRACTS,
4287
- identity: IDENTITY_TABLE_CONTRACTS,
5273
+ "control-plane": CONTROL_PLANE_TABLE_CONTRACTS,
4288
5274
  mc: MC_TABLE_CONTRACTS,
4289
5275
  "developer-pack": []
4290
5276
  };
4291
5277
  var ALL_TABLE_CONTRACTS = [
4292
5278
  ...KERNEL_TABLE_CONTRACTS,
4293
- ...IDENTITY_TABLE_CONTRACTS,
5279
+ ...CONTROL_PLANE_TABLE_CONTRACTS,
4294
5280
  ...MC_TABLE_CONTRACTS
4295
5281
  ];
4296
5282
  function listTableContractsByName(name) {
@@ -4303,8 +5289,8 @@ function getTableContract(name, component) {
4303
5289
  }
4304
5290
  var ComponentTableManifestSchema = z.object({
4305
5291
  manifestVersion: z.string(),
4306
- componentName: z.enum(["kernel", "identity"]),
4307
- tier: z.enum(["K", "I"]),
5292
+ componentName: z.enum(["kernel", "control-plane"]),
5293
+ tier: z.enum(["K", "CP"]),
4308
5294
  packageVersion: z.string(),
4309
5295
  tables: z.array(
4310
5296
  z.object({
@@ -4333,6 +5319,6 @@ var SLOpinionInputSchema = z.object({
4333
5319
  }
4334
5320
  );
4335
5321
 
4336
- export { ALL_TABLE_CONTRACTS, ComponentTableManifestSchema, EDGE_TYPE, EDGE_TYPE_VALUES, IDENTITY_TABLE_CONTRACTS, KERNEL_TABLE_CONTRACTS, MC_TABLE_CONTRACTS, NODE_TYPE, SLOpinionInputSchema, STORAGE_EDGE_TYPE, STORAGE_EDGE_TYPE_VALUES, TABLE_CONTRACTS_BY_COMPONENT, TOPIC_STATUS, TOPIC_VISIBILITY, getTableContract, listTableContractsByName };
5322
+ export { ALL_TABLE_CONTRACTS, CONTROL_PLANE_TABLE_CONTRACTS, ComponentTableManifestSchema, EDGE_TYPE, EDGE_TYPE_VALUES, KERNEL_TABLE_CONTRACTS, MC_TABLE_CONTRACTS, NODE_TYPE, SLOpinionInputSchema, STORAGE_EDGE_TYPE, STORAGE_EDGE_TYPE_VALUES, TABLE_CONTRACTS_BY_COMPONENT, TOPIC_STATUS, TOPIC_VISIBILITY, getTableContract, listTableContractsByName };
4337
5323
  //# sourceMappingURL=index.js.map
4338
5324
  //# sourceMappingURL=index.js.map