@lucern/contracts 1.0.0 → 1.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (213) hide show
  1. package/CHANGELOG.md +4 -1
  2. package/dist/dsl.d.ts +75 -4
  3. package/dist/dsl.values-rhsroqi0.d.ts +21 -0
  4. package/dist/dsl.values.d.ts +5 -0
  5. package/dist/dsl.values.js +675 -0
  6. package/dist/dsl.values.js.map +1 -0
  7. package/dist/function-registry/beliefs.d.ts +1 -17
  8. package/dist/function-registry/beliefs.js +155 -117
  9. package/dist/function-registry/beliefs.js.map +1 -1
  10. package/dist/function-registry/coding.d.ts +1 -17
  11. package/dist/function-registry/coding.js +155 -117
  12. package/dist/function-registry/coding.js.map +1 -1
  13. package/dist/function-registry/context.d.ts +1 -17
  14. package/dist/function-registry/context.js +155 -117
  15. package/dist/function-registry/context.js.map +1 -1
  16. package/dist/function-registry/contracts.d.ts +1 -17
  17. package/dist/function-registry/contracts.js +155 -117
  18. package/dist/function-registry/contracts.js.map +1 -1
  19. package/dist/function-registry/coordination.d.ts +1 -17
  20. package/dist/function-registry/coordination.js +155 -117
  21. package/dist/function-registry/coordination.js.map +1 -1
  22. package/dist/function-registry/edges.d.ts +1 -17
  23. package/dist/function-registry/edges.js +155 -117
  24. package/dist/function-registry/edges.js.map +1 -1
  25. package/dist/function-registry/evidence.d.ts +1 -17
  26. package/dist/function-registry/evidence.js +155 -117
  27. package/dist/function-registry/evidence.js.map +1 -1
  28. package/dist/function-registry/graph.d.ts +1 -17
  29. package/dist/function-registry/graph.js +155 -117
  30. package/dist/function-registry/graph.js.map +1 -1
  31. package/dist/function-registry/helpers.d.ts +1 -1
  32. package/dist/function-registry/helpers.js +155 -117
  33. package/dist/function-registry/helpers.js.map +1 -1
  34. package/dist/function-registry/identity.d.ts +1 -17
  35. package/dist/function-registry/identity.js +155 -117
  36. package/dist/function-registry/identity.js.map +1 -1
  37. package/dist/function-registry/index.d.ts +1 -1
  38. package/dist/function-registry/index.js +158 -118
  39. package/dist/function-registry/index.js.map +1 -1
  40. package/dist/function-registry/judgments.d.ts +1 -17
  41. package/dist/function-registry/judgments.js +155 -117
  42. package/dist/function-registry/judgments.js.map +1 -1
  43. package/dist/function-registry/legacy.d.ts +1 -17
  44. package/dist/function-registry/legacy.js +155 -117
  45. package/dist/function-registry/legacy.js.map +1 -1
  46. package/dist/function-registry/lenses.d.ts +1 -17
  47. package/dist/function-registry/lenses.js +155 -117
  48. package/dist/function-registry/lenses.js.map +1 -1
  49. package/dist/function-registry/manifest.d.ts +3 -3
  50. package/dist/function-registry/manifest.js +1 -0
  51. package/dist/function-registry/manifest.js.map +1 -1
  52. package/dist/function-registry/nodes.d.ts +1 -17
  53. package/dist/function-registry/nodes.js +155 -117
  54. package/dist/function-registry/nodes.js.map +1 -1
  55. package/dist/function-registry/ontologies.d.ts +1 -17
  56. package/dist/function-registry/ontologies.js +155 -117
  57. package/dist/function-registry/ontologies.js.map +1 -1
  58. package/dist/function-registry/pipeline.d.ts +1 -17
  59. package/dist/function-registry/pipeline.js +155 -117
  60. package/dist/function-registry/pipeline.js.map +1 -1
  61. package/dist/function-registry/questions.d.ts +1 -17
  62. package/dist/function-registry/questions.js +155 -117
  63. package/dist/function-registry/questions.js.map +1 -1
  64. package/dist/function-registry/tasks.d.ts +1 -17
  65. package/dist/function-registry/tasks.js +155 -117
  66. package/dist/function-registry/tasks.js.map +1 -1
  67. package/dist/function-registry/topics.d.ts +1 -17
  68. package/dist/function-registry/topics.js +155 -117
  69. package/dist/function-registry/topics.js.map +1 -1
  70. package/dist/function-registry/types.d.ts +2 -2
  71. package/dist/function-registry/worktrees.d.ts +41 -17
  72. package/dist/function-registry/worktrees.js +174 -117
  73. package/dist/function-registry/worktrees.js.map +1 -1
  74. package/dist/generated/lucernWebPublicEnv.js.map +1 -1
  75. package/dist/generated/lucernWebServerEnv.js.map +1 -1
  76. package/dist/{idOf-DR8tkhQS.d.ts → idOf-BmkVDhD8.d.ts} +1 -1
  77. package/dist/index.d.ts +47 -8
  78. package/dist/index.js +45072 -45005
  79. package/dist/index.js.map +1 -1
  80. package/dist/infisical-runtime.base.d.ts +444 -0
  81. package/dist/infisical-runtime.base.js +640 -0
  82. package/dist/infisical-runtime.base.js.map +1 -0
  83. package/dist/infisical-runtime.contract.d.ts +9 -440
  84. package/dist/infisical-runtime.contract.js +14 -1
  85. package/dist/infisical-runtime.contract.js.map +1 -1
  86. package/dist/infisical-runtime.platform-ops-secrets.d.ts +743 -0
  87. package/dist/infisical-runtime.platform-ops-secrets.js +962 -0
  88. package/dist/infisical-runtime.platform-ops-secrets.js.map +1 -0
  89. package/dist/infisical-runtime.platform-secrets.d.ts +598 -0
  90. package/dist/infisical-runtime.platform-secrets.js +726 -0
  91. package/dist/infisical-runtime.platform-secrets.js.map +1 -0
  92. package/dist/infisical-runtime.tenant-secrets.d.ts +486 -0
  93. package/dist/infisical-runtime.tenant-secrets.js +1131 -0
  94. package/dist/infisical-runtime.tenant-secrets.js.map +1 -0
  95. package/dist/manifests/edge-policy-manifest.d.ts +1 -1
  96. package/dist/manifests/infisical-runtime-manifest.d.ts +1 -1
  97. package/dist/manifests/infisical-runtime-manifest.js +14 -1
  98. package/dist/manifests/infisical-runtime-manifest.js.map +1 -1
  99. package/dist/manifests/tenant-client-manifest.d.ts +5 -1
  100. package/dist/manifests/tenant-client-manifest.js +5 -0
  101. package/dist/manifests/tenant-client-manifest.js.map +1 -1
  102. package/dist/proof-attestation.json +1 -1
  103. package/dist/schemas/index.d.ts +1 -1
  104. package/dist/schemas/index.js.map +1 -1
  105. package/dist/schemas/manifest.d.ts +61 -61
  106. package/dist/schemas/manifest.js.map +1 -1
  107. package/dist/schemas/tables/kernel/config.js.map +1 -1
  108. package/dist/schemas/tables/kernel/coordination.js.map +1 -1
  109. package/dist/schemas/tables/kernel/decision.d.ts +1 -1
  110. package/dist/schemas/tables/kernel/decision.js.map +1 -1
  111. package/dist/schemas/tables/kernel/embedding.d.ts +1 -1
  112. package/dist/schemas/tables/kernel/embedding.js.map +1 -1
  113. package/dist/schemas/tables/kernel/epistemic.d.ts +1 -1
  114. package/dist/schemas/tables/kernel/epistemic.js.map +1 -1
  115. package/dist/schemas/tables/kernel/idempotency.js.map +1 -1
  116. package/dist/schemas/tables/kernel/infra.js.map +1 -1
  117. package/dist/schemas/tables/kernel/intelligence.d.ts +1 -1
  118. package/dist/schemas/tables/kernel/intelligence.js.map +1 -1
  119. package/dist/schemas/tables/kernel/lens.d.ts +5 -5
  120. package/dist/schemas/tables/kernel/lens.js.map +1 -1
  121. package/dist/schemas/tables/kernel/ontology.d.ts +1 -1
  122. package/dist/schemas/tables/kernel/ontology.js.map +1 -1
  123. package/dist/schemas/tables/kernel/platform.js.map +1 -1
  124. package/dist/schemas/tables/kernel/spine.d.ts +1 -1
  125. package/dist/schemas/tables/kernel/spine.js.map +1 -1
  126. package/dist/schemas/tables/kernel/task.d.ts +1 -1
  127. package/dist/schemas/tables/kernel/task.js.map +1 -1
  128. package/dist/schemas/tables/kernel/topic.d.ts +1 -1
  129. package/dist/schemas/tables/kernel/topic.js.map +1 -1
  130. package/dist/schemas/tables/kernel/workflow.d.ts +1 -1
  131. package/dist/schemas/tables/kernel/workflow.js.map +1 -1
  132. package/dist/schemas/tables/kernel/worktree.d.ts +1 -1
  133. package/dist/schemas/tables/kernel/worktree.js.map +1 -1
  134. package/dist/schemas/tables/mc/identity.d.ts +1 -1
  135. package/dist/schemas/tables/mc/methodology.d.ts +1 -1
  136. package/dist/schemas/tables/mc/pack.d.ts +9 -9
  137. package/dist/schemas/tables/mc/policy.d.ts +1 -1
  138. package/dist/schemas/tables/mc/registry.d.ts +1 -1
  139. package/dist/schemas/tables/mc/runtime.d.ts +1 -1
  140. package/dist/schemas/tables/mc/tenant.d.ts +1 -1
  141. package/dist/schemas/tables/mc/workspace.d.ts +1 -1
  142. package/dist/schemas.values-5J5oIK7z.d.ts +26 -0
  143. package/dist/schemas.values.d.ts +7 -0
  144. package/dist/schemas.values.js +5324 -0
  145. package/dist/schemas.values.js.map +1 -0
  146. package/dist/sdk-tools.contract.analytics.d.ts +27 -0
  147. package/dist/sdk-tools.contract.analytics.js +616 -0
  148. package/dist/sdk-tools.contract.analytics.js.map +1 -0
  149. package/dist/sdk-tools.contract.d.ts +43 -2
  150. package/dist/sdk-tools.contract.graph.d.ts +11 -0
  151. package/dist/sdk-tools.contract.graph.js +156 -0
  152. package/dist/sdk-tools.contract.graph.js.map +1 -0
  153. package/dist/sdk-tools.contract.js +4107 -4062
  154. package/dist/sdk-tools.contract.js.map +1 -1
  155. package/dist/sdk-tools.contract.registry.d.ts +25 -0
  156. package/dist/sdk-tools.contract.registry.js +5504 -0
  157. package/dist/sdk-tools.contract.registry.js.map +1 -0
  158. package/dist/sdk-tools.contract.types.d.ts +15 -0
  159. package/dist/sdk-tools.contract.types.js +3 -0
  160. package/dist/sdk-tools.contract.types.js.map +1 -0
  161. package/dist/sdk-tools.contract.values-LuBh95zg.d.ts +58 -0
  162. package/dist/sdk-tools.contract.values.d.ts +7 -0
  163. package/dist/sdk-tools.contract.values.js +5581 -0
  164. package/dist/sdk-tools.contract.values.js.map +1 -0
  165. package/dist/sdk-tools.contract.workflow.d.ts +17 -0
  166. package/dist/sdk-tools.contract.workflow.js +287 -0
  167. package/dist/sdk-tools.contract.workflow.js.map +1 -0
  168. package/dist/tenant-client.contract.d.ts +5 -1
  169. package/dist/tenant-client.contract.js +5 -0
  170. package/dist/tenant-client.contract.js.map +1 -1
  171. package/dist/tool-contracts.d.ts +34 -1
  172. package/dist/tool-contracts.graph.d.ts +18 -0
  173. package/dist/tool-contracts.graph.js +378 -0
  174. package/dist/tool-contracts.graph.js.map +1 -0
  175. package/dist/tool-contracts.intelligence-evidence.d.ts +15 -0
  176. package/dist/tool-contracts.intelligence-evidence.js +303 -0
  177. package/dist/tool-contracts.intelligence-evidence.js.map +1 -0
  178. package/dist/tool-contracts.js +155 -118
  179. package/dist/tool-contracts.js.map +1 -1
  180. package/dist/tool-contracts.lifecycle.d.ts +13 -0
  181. package/dist/tool-contracts.lifecycle.js +410 -0
  182. package/dist/tool-contracts.lifecycle.js.map +1 -0
  183. package/dist/tool-contracts.nodes-lenses.d.ts +17 -0
  184. package/dist/tool-contracts.nodes-lenses.js +334 -0
  185. package/dist/tool-contracts.nodes-lenses.js.map +1 -0
  186. package/dist/tool-contracts.ontology.d.ts +16 -0
  187. package/dist/tool-contracts.ontology.js +344 -0
  188. package/dist/tool-contracts.ontology.js.map +1 -0
  189. package/dist/tool-contracts.pipeline-coordination.d.ts +25 -0
  190. package/dist/tool-contracts.pipeline-coordination.js +684 -0
  191. package/dist/tool-contracts.pipeline-coordination.js.map +1 -0
  192. package/dist/tool-contracts.policy-observation-task-topic.d.ts +25 -0
  193. package/dist/tool-contracts.policy-observation-task-topic.js +740 -0
  194. package/dist/tool-contracts.policy-observation-task-topic.js.map +1 -0
  195. package/dist/tool-contracts.questions-listing.d.ts +27 -0
  196. package/dist/tool-contracts.questions-listing.js +782 -0
  197. package/dist/tool-contracts.questions-listing.js.map +1 -0
  198. package/dist/tool-contracts.types.d.ts +34 -0
  199. package/dist/tool-contracts.types.js +3 -0
  200. package/dist/tool-contracts.types.js.map +1 -0
  201. package/dist/tool-contracts.values-DjctSW7S.d.ts +147 -0
  202. package/dist/tool-contracts.values.d.ts +11 -0
  203. package/dist/tool-contracts.values.js +4398 -0
  204. package/dist/tool-contracts.values.js.map +1 -0
  205. package/dist/tool-contracts.worktrees.d.ts +8 -0
  206. package/dist/tool-contracts.worktrees.js +280 -0
  207. package/dist/tool-contracts.worktrees.js.map +1 -0
  208. package/package.json +3 -11
  209. package/dist/dsl-DVPthQGY.d.ts +0 -110
  210. package/dist/index-CM1Pl_vI.d.ts +0 -28
  211. package/dist/sdk-tools.contract-CKmSsrZ2.d.ts +0 -146
  212. package/dist/tool-contracts-C_xvM9q2.d.ts +0 -326
  213. package/dist/{edge-policy-manifest-Dw5IhT1L.d.ts → edge-policy-manifest-4KOSP4nk.d.ts} +2 -2
@@ -0,0 +1,598 @@
1
+ declare const PLATFORM_SECRET_DEFINITIONS: readonly [{
2
+ readonly id: "platform.clerk.publishable";
3
+ readonly canonicalName: "NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY";
4
+ readonly aliases: readonly ["CLERK_PUBLISHABLE_KEY"];
5
+ readonly owner: "lucern_platform";
6
+ readonly scope: "environment";
7
+ readonly sourcePath: "/platform/auth";
8
+ readonly environmentPolicy: "environment_specific";
9
+ readonly required: true;
10
+ readonly secret: false;
11
+ readonly public: true;
12
+ readonly consumers: readonly ["lucern-web", "lucern-gateway", "lucern-mcp"];
13
+ readonly destinations: readonly [{
14
+ readonly kind: "vercel";
15
+ readonly target: "lucern";
16
+ readonly environmentPolicy: "environment_specific";
17
+ }, {
18
+ readonly kind: "vercel";
19
+ readonly target: "lucern-gateway";
20
+ readonly environmentPolicy: "environment_specific";
21
+ }, {
22
+ readonly kind: "runtime_fetch";
23
+ readonly target: "hosted-mcp-oauth";
24
+ readonly environmentPolicy: "environment_specific";
25
+ }];
26
+ readonly description: "Lucern-owned Clerk browser key for platform web, gateway, and hosted MCP OAuth flows.";
27
+ }, {
28
+ readonly id: "platform.clerk.secret";
29
+ readonly canonicalName: "CLERK_SECRET_KEY";
30
+ readonly owner: "lucern_platform";
31
+ readonly scope: "environment";
32
+ readonly sourcePath: "/platform/auth";
33
+ readonly environmentPolicy: "environment_specific";
34
+ readonly required: true;
35
+ readonly secret: true;
36
+ readonly public: false;
37
+ readonly consumers: readonly ["lucern-web", "lucern-gateway", "lucern-mcp"];
38
+ readonly destinations: readonly [{
39
+ readonly kind: "vercel";
40
+ readonly target: "lucern";
41
+ readonly environmentPolicy: "environment_specific";
42
+ }, {
43
+ readonly kind: "vercel";
44
+ readonly target: "lucern-gateway";
45
+ readonly environmentPolicy: "environment_specific";
46
+ }, {
47
+ readonly kind: "runtime_fetch";
48
+ readonly target: "hosted-mcp-oauth";
49
+ readonly environmentPolicy: "environment_specific";
50
+ }];
51
+ readonly description: "Lucern-owned Clerk backend secret. Never route to tenant-owned apps unless that tenant is Lucern itself.";
52
+ }, {
53
+ readonly id: "platform.clerk.project";
54
+ readonly canonicalName: "CLERK_PROJECT_ID";
55
+ readonly aliases: readonly ["LUCERN_CLERK_PROJECT_ID"];
56
+ readonly owner: "lucern_platform";
57
+ readonly scope: "environment";
58
+ readonly sourcePath: "/platform/auth";
59
+ readonly environmentPolicy: "environment_specific";
60
+ readonly required: true;
61
+ readonly secret: false;
62
+ readonly public: false;
63
+ readonly consumers: readonly ["lucern-gateway", "mc-convex"];
64
+ readonly destinations: readonly [{
65
+ readonly kind: "vercel";
66
+ readonly target: "lucern-gateway";
67
+ readonly environmentPolicy: "environment_specific";
68
+ }, {
69
+ readonly kind: "convex";
70
+ readonly target: "master-control";
71
+ readonly environmentPolicy: "environment_specific";
72
+ }];
73
+ readonly description: "Canonical Lucern Clerk project identifier used when MC resolves Clerk identities.";
74
+ }, {
75
+ readonly id: "platform.clerk.webhook-secret";
76
+ readonly canonicalName: "LUCERN_CLERK_WEBHOOK_SECRET";
77
+ readonly aliases: readonly ["CLERK_WEBHOOK_SECRET", "CLERK_WEBHOOK_SIGNING_SECRET"];
78
+ readonly owner: "lucern_platform";
79
+ readonly scope: "environment";
80
+ readonly sourcePath: "/platform/auth";
81
+ readonly environmentPolicy: "environment_specific";
82
+ readonly required: true;
83
+ readonly secret: true;
84
+ readonly public: false;
85
+ readonly consumers: readonly ["lucern-gateway"];
86
+ readonly destinations: readonly [{
87
+ readonly kind: "vercel";
88
+ readonly target: "lucern-gateway";
89
+ readonly environmentPolicy: "environment_specific";
90
+ }];
91
+ readonly description: "Lucern-owned Clerk/Svix webhook signing secret used by the gateway to verify Clerk identity and organization events before projecting them into Permit.";
92
+ }, {
93
+ readonly id: "platform.clerk.jwks";
94
+ readonly canonicalName: "CLERK_JWKS_URL";
95
+ readonly aliases: readonly ["CLERK_JWT_ISSUER_DOMAIN"];
96
+ readonly owner: "lucern_platform";
97
+ readonly scope: "environment";
98
+ readonly sourcePath: "/platform/auth";
99
+ readonly environmentPolicy: "environment_specific";
100
+ readonly required: false;
101
+ readonly secret: false;
102
+ readonly public: false;
103
+ readonly consumers: readonly ["lucern-mcp", "lucern-gateway"];
104
+ readonly destinations: readonly [{
105
+ readonly kind: "runtime_fetch";
106
+ readonly target: "lucern-mcp";
107
+ readonly environmentPolicy: "environment_specific";
108
+ }, {
109
+ readonly kind: "vercel";
110
+ readonly target: "lucern-gateway";
111
+ readonly environmentPolicy: "environment_specific";
112
+ }];
113
+ readonly description: "Optional Clerk JWKS/issuer override for server-side token verification.";
114
+ }, {
115
+ readonly id: "platform.runtime.api-base-url";
116
+ readonly canonicalName: "LUCERN_API_URL";
117
+ readonly aliases: readonly ["LUCERN_API_BASE_URL", "LUCERN_BASE_URL"];
118
+ readonly owner: "lucern_platform";
119
+ readonly scope: "environment";
120
+ readonly sourcePath: "/platform/runtime";
121
+ readonly environmentPolicy: "environment_specific";
122
+ readonly required: true;
123
+ readonly secret: false;
124
+ readonly public: false;
125
+ readonly consumers: readonly ["lucern-web", "lucern-gateway", "lucern-mcp", "lucern-cli"];
126
+ readonly destinations: readonly [{
127
+ readonly kind: "vercel";
128
+ readonly target: "lucern";
129
+ readonly environmentPolicy: "environment_specific";
130
+ }, {
131
+ readonly kind: "vercel";
132
+ readonly target: "lucern-gateway";
133
+ readonly environmentPolicy: "environment_specific";
134
+ }, {
135
+ readonly kind: "runtime_fetch";
136
+ readonly target: "lucern-cli-mcp-sdk";
137
+ readonly environmentPolicy: "environment_specific";
138
+ }];
139
+ readonly description: "Canonical Lucern API gateway base URL. Older names remain aliases only.";
140
+ }, {
141
+ readonly id: "platform.runtime.login-base-url";
142
+ readonly canonicalName: "LUCERN_LOGIN_BASE_URL";
143
+ readonly aliases: readonly ["LUCERN_AUTH_BASE_URL", "LUCERN_WEB_BASE_URL"];
144
+ readonly owner: "lucern_platform";
145
+ readonly scope: "environment";
146
+ readonly sourcePath: "/platform/runtime";
147
+ readonly environmentPolicy: "environment_specific";
148
+ readonly required: false;
149
+ readonly secret: false;
150
+ readonly public: false;
151
+ readonly consumers: readonly ["lucern-gateway", "lucern-mcp", "lucern-cli"];
152
+ readonly destinations: readonly [{
153
+ readonly kind: "vercel";
154
+ readonly target: "lucern-gateway";
155
+ readonly environmentPolicy: "environment_specific";
156
+ }, {
157
+ readonly kind: "runtime_fetch";
158
+ readonly target: "lucern-cli-mcp-sdk";
159
+ readonly environmentPolicy: "environment_specific";
160
+ }];
161
+ readonly description: "Browser login origin used when device/OAuth login is not served by the API base URL.";
162
+ }, {
163
+ readonly id: "platform.runtime.environment";
164
+ readonly canonicalName: "LUCERN_ENVIRONMENT";
165
+ readonly aliases: readonly ["LUCERN_ENV"];
166
+ readonly owner: "lucern_platform";
167
+ readonly scope: "environment";
168
+ readonly sourcePath: "/platform/runtime";
169
+ readonly environmentPolicy: "environment_specific";
170
+ readonly required: false;
171
+ readonly secret: false;
172
+ readonly public: false;
173
+ readonly consumers: readonly ["lucern-web", "lucern-gateway", "lucern-mcp", "lucern-cli"];
174
+ readonly destinations: readonly [{
175
+ readonly kind: "vercel";
176
+ readonly target: "lucern";
177
+ readonly environmentPolicy: "environment_specific";
178
+ }, {
179
+ readonly kind: "vercel";
180
+ readonly target: "lucern-gateway";
181
+ readonly environmentPolicy: "environment_specific";
182
+ }, {
183
+ readonly kind: "runtime_fetch";
184
+ readonly target: "lucern-cli-mcp-sdk";
185
+ readonly environmentPolicy: "environment_specific";
186
+ }];
187
+ readonly description: "Lucern runtime environment label.";
188
+ }, {
189
+ readonly id: "platform.runtime.require-deployment-host-registry";
190
+ readonly canonicalName: "LUCERN_REQUIRE_DEPLOYMENT_HOST_REGISTRY";
191
+ readonly owner: "lucern_platform";
192
+ readonly scope: "environment";
193
+ readonly sourcePath: "/platform/runtime";
194
+ readonly environmentPolicy: "environment_specific";
195
+ readonly required: false;
196
+ readonly secret: false;
197
+ readonly public: false;
198
+ readonly consumers: readonly ["lucern-gateway"];
199
+ readonly destinations: readonly [{
200
+ readonly kind: "vercel";
201
+ readonly target: "lucern-gateway";
202
+ readonly environmentPolicy: "environment_specific";
203
+ }, {
204
+ readonly kind: "operator_local";
205
+ readonly target: "lucern-repo";
206
+ readonly environmentPolicy: "environment_specific";
207
+ }];
208
+ readonly description: "Fail-closed gateway toggle that requires MC deployment host registry resolution before routing.";
209
+ }, {
210
+ readonly id: "platform.mc.convex-url";
211
+ readonly canonicalName: "CONVEX_MC_URL";
212
+ readonly aliases: readonly ["CONVEX_MC_PROD_URL", "LUCERN_ADMIN_CONVEX_URL", "LUCERN_CONVEX_URL", "MC_CONVEX_URL"];
213
+ readonly owner: "lucern_platform";
214
+ readonly scope: "environment";
215
+ readonly sourcePath: "/platform/mc";
216
+ readonly environmentPolicy: "environment_specific";
217
+ readonly required: true;
218
+ readonly secret: false;
219
+ readonly public: false;
220
+ readonly consumers: readonly ["lucern-gateway", "mc-operator-tooling", "lucern-repo-ci"];
221
+ readonly destinations: readonly [{
222
+ readonly kind: "vercel";
223
+ readonly target: "lucern-gateway";
224
+ readonly environmentPolicy: "environment_specific";
225
+ }, {
226
+ readonly kind: "github_actions";
227
+ readonly target: "LucernAI/lucern";
228
+ readonly environmentPolicy: "environment_specific";
229
+ }, {
230
+ readonly kind: "operator_local";
231
+ readonly target: "lucern-repo";
232
+ readonly environmentPolicy: "environment_specific";
233
+ }];
234
+ readonly description: "Master Control Convex URL. Prod must point to successful-clam-833; dev/staging to utmost-ox-403.";
235
+ }, {
236
+ readonly id: "platform.mc.convex-deploy-key";
237
+ readonly canonicalName: "CONVEX_MC_DEPLOY_KEY";
238
+ readonly aliases: readonly ["CONVEX_MC_PROD_DEPLOY_KEY", "LUCERN_ADMIN_DEPLOY_KEY", "LUCERN_DEPLOY_KEY", "MC_DEPLOY_KEY", "MC_PROD_DEPLOY_KEY"];
239
+ readonly owner: "lucern_platform";
240
+ readonly scope: "environment";
241
+ readonly sourcePath: "/platform/mc";
242
+ readonly environmentPolicy: "environment_specific";
243
+ readonly required: true;
244
+ readonly secret: true;
245
+ readonly public: false;
246
+ readonly consumers: readonly ["lucern-gateway", "mc-operator-tooling", "lucern-repo-ci"];
247
+ readonly destinations: readonly [{
248
+ readonly kind: "vercel";
249
+ readonly target: "lucern-gateway";
250
+ readonly environmentPolicy: "environment_specific";
251
+ }, {
252
+ readonly kind: "github_actions";
253
+ readonly target: "LucernAI/lucern";
254
+ readonly environmentPolicy: "environment_specific";
255
+ }, {
256
+ readonly kind: "operator_local";
257
+ readonly target: "lucern-repo";
258
+ readonly environmentPolicy: "environment_specific";
259
+ }];
260
+ readonly description: "Master Control deploy/admin key. Never route to tenant Vercel projects or tenant Convex deployments.";
261
+ }, {
262
+ readonly id: "platform.mc.session-token-secret";
263
+ readonly canonicalName: "LUCERN_SESSION_TOKEN_SECRET";
264
+ readonly owner: "lucern_platform";
265
+ readonly scope: "environment";
266
+ readonly sourcePath: "/platform/mc";
267
+ readonly environmentPolicy: "environment_specific";
268
+ readonly required: true;
269
+ readonly secret: true;
270
+ readonly public: false;
271
+ readonly consumers: readonly ["lucern-mcp", "mc-convex", "lucern-gateway"];
272
+ readonly destinations: readonly [{
273
+ readonly kind: "convex";
274
+ readonly target: "master-control";
275
+ readonly environmentPolicy: "environment_specific";
276
+ }, {
277
+ readonly kind: "runtime_fetch";
278
+ readonly target: "hosted-mcp-oauth";
279
+ readonly environmentPolicy: "environment_specific";
280
+ }, {
281
+ readonly kind: "vercel";
282
+ readonly target: "lucern-gateway";
283
+ readonly environmentPolicy: "environment_specific";
284
+ }];
285
+ readonly description: "Signs Lucern platform session/delegation tokens. This is platform-owned, not tenant-owned.";
286
+ }, {
287
+ readonly id: "platform.mc.tenant-secret-encryption-key";
288
+ readonly canonicalName: "LUCERN_TENANT_SECRET_ENCRYPTION_KEY";
289
+ readonly aliases: readonly ["LUCERN_SESSION_TOKEN_SECRET"];
290
+ readonly owner: "lucern_platform";
291
+ readonly scope: "environment";
292
+ readonly sourcePath: "/platform/mc";
293
+ readonly environmentPolicy: "environment_specific";
294
+ readonly required: true;
295
+ readonly secret: true;
296
+ readonly public: false;
297
+ readonly consumers: readonly ["mc-convex", "mc-operator-tooling"];
298
+ readonly destinations: readonly [{
299
+ readonly kind: "convex";
300
+ readonly target: "master-control";
301
+ readonly environmentPolicy: "environment_specific";
302
+ }, {
303
+ readonly kind: "operator_local";
304
+ readonly target: "mc-credential-maintenance";
305
+ readonly environmentPolicy: "environment_specific";
306
+ }];
307
+ readonly description: "Encrypts tenant deployment credentials stored in MC. Session-token fallback is legacy only.";
308
+ }, {
309
+ readonly id: "platform.permit.api-key";
310
+ readonly canonicalName: "LUCERN_PERMIT_API_KEY";
311
+ readonly aliases: readonly ["PERMIT_API_KEY"];
312
+ readonly owner: "lucern_platform";
313
+ readonly scope: "environment";
314
+ readonly sourcePath: "/platform/permit";
315
+ readonly environmentPolicy: "environment_specific";
316
+ readonly required: true;
317
+ readonly secret: true;
318
+ readonly public: false;
319
+ readonly consumers: readonly ["mc-convex", "lucern-mcp", "lucern-gateway"];
320
+ readonly destinations: readonly [{
321
+ readonly kind: "convex";
322
+ readonly target: "master-control";
323
+ readonly environmentPolicy: "environment_specific";
324
+ }, {
325
+ readonly kind: "runtime_fetch";
326
+ readonly target: "hosted-mcp-oauth";
327
+ readonly environmentPolicy: "environment_specific";
328
+ }, {
329
+ readonly kind: "vercel";
330
+ readonly target: "lucern-gateway";
331
+ readonly environmentPolicy: "environment_specific";
332
+ }];
333
+ readonly description: "Permit.io API key used for MC sync and policy checks. Must fail closed if missing.";
334
+ }, {
335
+ readonly id: "platform.permit.webhook-secret";
336
+ readonly canonicalName: "LUCERN_PERMIT_WEBHOOK_SECRET";
337
+ readonly aliases: readonly ["PERMIT_WEBHOOK_SECRET"];
338
+ readonly owner: "lucern_platform";
339
+ readonly scope: "environment";
340
+ readonly sourcePath: "/platform/permit";
341
+ readonly environmentPolicy: "environment_specific";
342
+ readonly required: true;
343
+ readonly secret: true;
344
+ readonly public: false;
345
+ readonly consumers: readonly ["mc-convex", "lucern-gateway", "mc-operator-tooling"];
346
+ readonly destinations: readonly [{
347
+ readonly kind: "convex";
348
+ readonly target: "master-control";
349
+ readonly environmentPolicy: "environment_specific";
350
+ }, {
351
+ readonly kind: "vercel";
352
+ readonly target: "lucern-gateway";
353
+ readonly environmentPolicy: "environment_specific";
354
+ }, {
355
+ readonly kind: "operator_local";
356
+ readonly target: "mc-credential-maintenance";
357
+ readonly environmentPolicy: "environment_specific";
358
+ }];
359
+ readonly description: "Permit.io webhook secret used by gateway and MC webhook handlers. Must fail closed if missing.";
360
+ }, {
361
+ readonly id: "platform.permit.pdp-url";
362
+ readonly canonicalName: "LUCERN_PERMIT_PDP_URL";
363
+ readonly aliases: readonly ["PERMIT_PDP_URL"];
364
+ readonly owner: "lucern_platform";
365
+ readonly scope: "environment";
366
+ readonly sourcePath: "/platform/permit";
367
+ readonly environmentPolicy: "environment_specific";
368
+ readonly required: false;
369
+ readonly secret: false;
370
+ readonly public: false;
371
+ readonly consumers: readonly ["mc-convex", "lucern-mcp", "lucern-gateway"];
372
+ readonly destinations: readonly [{
373
+ readonly kind: "convex";
374
+ readonly target: "master-control";
375
+ readonly environmentPolicy: "environment_specific";
376
+ }, {
377
+ readonly kind: "runtime_fetch";
378
+ readonly target: "hosted-mcp-oauth";
379
+ readonly environmentPolicy: "environment_specific";
380
+ }, {
381
+ readonly kind: "vercel";
382
+ readonly target: "lucern-gateway";
383
+ readonly environmentPolicy: "environment_specific";
384
+ }];
385
+ readonly description: "Optional Permit PDP URL override.";
386
+ }, {
387
+ readonly id: "platform.permit.api-url";
388
+ readonly canonicalName: "LUCERN_PERMIT_API_URL";
389
+ readonly aliases: readonly ["PERMIT_API_URL"];
390
+ readonly owner: "lucern_platform";
391
+ readonly scope: "environment";
392
+ readonly sourcePath: "/platform/permit";
393
+ readonly environmentPolicy: "environment_specific";
394
+ readonly required: false;
395
+ readonly secret: false;
396
+ readonly public: false;
397
+ readonly consumers: readonly ["mc-convex", "lucern-mcp", "lucern-gateway"];
398
+ readonly destinations: readonly [{
399
+ readonly kind: "convex";
400
+ readonly target: "master-control";
401
+ readonly environmentPolicy: "environment_specific";
402
+ }, {
403
+ readonly kind: "runtime_fetch";
404
+ readonly target: "hosted-mcp-oauth";
405
+ readonly environmentPolicy: "environment_specific";
406
+ }, {
407
+ readonly kind: "vercel";
408
+ readonly target: "lucern-gateway";
409
+ readonly environmentPolicy: "environment_specific";
410
+ }];
411
+ readonly description: "Optional Permit API URL override.";
412
+ }, {
413
+ readonly id: "platform.ci.infisical-bootstrap-client-id";
414
+ readonly canonicalName: "INFISICAL_BOOTSTRAP_CLIENT_ID";
415
+ readonly aliases: readonly ["INFISICAL_CI_CLIENT_ID"];
416
+ readonly owner: "provider";
417
+ readonly scope: "environment";
418
+ readonly sourcePath: "/platform/ci";
419
+ readonly environmentPolicy: "same_all_environments";
420
+ readonly required: true;
421
+ readonly secret: true;
422
+ readonly public: false;
423
+ readonly consumers: readonly ["lucern-repo-ci"];
424
+ readonly destinations: readonly [{
425
+ readonly kind: "github_actions";
426
+ readonly target: "LucernAI/lucern";
427
+ readonly environmentPolicy: "same_all_environments";
428
+ }];
429
+ readonly description: "Machine identity client id used by CI to reconcile Infisical desired state.";
430
+ }, {
431
+ readonly id: "platform.ci.infisical-bootstrap-client-secret";
432
+ readonly canonicalName: "INFISICAL_BOOTSTRAP_CLIENT_SECRET";
433
+ readonly aliases: readonly ["INFISICAL_CI_CLIENT_SECRET"];
434
+ readonly owner: "provider";
435
+ readonly scope: "environment";
436
+ readonly sourcePath: "/platform/ci";
437
+ readonly environmentPolicy: "same_all_environments";
438
+ readonly required: true;
439
+ readonly secret: true;
440
+ readonly public: false;
441
+ readonly consumers: readonly ["lucern-repo-ci"];
442
+ readonly destinations: readonly [{
443
+ readonly kind: "github_actions";
444
+ readonly target: "LucernAI/lucern";
445
+ readonly environmentPolicy: "same_all_environments";
446
+ }];
447
+ readonly description: "Machine identity client secret used by CI to reconcile Infisical desired state.";
448
+ }, {
449
+ readonly id: "platform.publish.npm-token";
450
+ readonly canonicalName: "NPM_TOKEN";
451
+ readonly aliases: readonly ["NODE_AUTH_TOKEN"];
452
+ readonly owner: "provider";
453
+ readonly scope: "environment";
454
+ readonly sourcePath: "/platform/publish";
455
+ readonly environmentPolicy: "same_all_environments";
456
+ readonly required: true;
457
+ readonly secret: true;
458
+ readonly public: false;
459
+ readonly consumers: readonly ["lucern-repo-ci"];
460
+ readonly destinations: readonly [{
461
+ readonly kind: "github_actions";
462
+ readonly target: "LucernAI/lucern";
463
+ readonly environmentPolicy: "same_all_environments";
464
+ }];
465
+ readonly description: "Package publish/install token for @lucern/* release automation.";
466
+ }];
467
+ declare const PLATFORM_AI_SECRET_DEFINITIONS: readonly [{
468
+ readonly id: "platform.ai.openai-api-key";
469
+ readonly canonicalName: "OPENAI_API_KEY";
470
+ readonly owner: "lucern_platform";
471
+ readonly scope: "environment";
472
+ readonly sourcePath: "/platform/ai";
473
+ readonly environmentPolicy: "environment_specific";
474
+ readonly required: false;
475
+ readonly secret: true;
476
+ readonly public: false;
477
+ readonly consumers: readonly ["lucern-ai-runtime", "lucern-repo-ci"];
478
+ readonly destinations: readonly [{
479
+ readonly kind: "runtime_fetch";
480
+ readonly target: "lucern-ai-runtime";
481
+ readonly environmentPolicy: "environment_specific";
482
+ }, {
483
+ readonly kind: "github_actions";
484
+ readonly target: "LucernAI/lucern";
485
+ readonly environmentPolicy: "environment_specific";
486
+ }];
487
+ readonly description: "Lucern-owned OpenAI key for platform AI jobs, benchmarks, and controlled operator automation.";
488
+ }, {
489
+ readonly id: "platform.ai.anthropic-api-key";
490
+ readonly canonicalName: "ANTHROPIC_API_KEY";
491
+ readonly owner: "lucern_platform";
492
+ readonly scope: "environment";
493
+ readonly sourcePath: "/platform/ai";
494
+ readonly environmentPolicy: "environment_specific";
495
+ readonly required: false;
496
+ readonly secret: true;
497
+ readonly public: false;
498
+ readonly consumers: readonly ["lucern-ai-runtime", "lucern-repo-ci"];
499
+ readonly destinations: readonly [{
500
+ readonly kind: "runtime_fetch";
501
+ readonly target: "lucern-ai-runtime";
502
+ readonly environmentPolicy: "environment_specific";
503
+ }, {
504
+ readonly kind: "github_actions";
505
+ readonly target: "LucernAI/lucern";
506
+ readonly environmentPolicy: "environment_specific";
507
+ }];
508
+ readonly description: "Lucern-owned Anthropic key for platform AI jobs, benchmarks, and controlled operator automation.";
509
+ }, {
510
+ readonly id: "platform.ai.gemini-api-key";
511
+ readonly canonicalName: "GEMINI_API_KEY";
512
+ readonly aliases: readonly ["GOOGLE_AI_API_KEY", "GOOGLE_GENERATIVE_AI_API_KEY"];
513
+ readonly owner: "lucern_platform";
514
+ readonly scope: "environment";
515
+ readonly sourcePath: "/platform/ai";
516
+ readonly environmentPolicy: "environment_specific";
517
+ readonly required: false;
518
+ readonly secret: true;
519
+ readonly public: false;
520
+ readonly consumers: readonly ["lucern-ai-runtime", "lucern-repo-ci"];
521
+ readonly destinations: readonly [{
522
+ readonly kind: "runtime_fetch";
523
+ readonly target: "lucern-ai-runtime";
524
+ readonly environmentPolicy: "environment_specific";
525
+ }, {
526
+ readonly kind: "github_actions";
527
+ readonly target: "LucernAI/lucern";
528
+ readonly environmentPolicy: "environment_specific";
529
+ }];
530
+ readonly description: "Lucern-owned Google/Gemini key. Google alias names are read compatibility only.";
531
+ }];
532
+ declare const PLATFORM_LANGFUSE_SECRET_DEFINITIONS: readonly [{
533
+ readonly id: "platform.langfuse.secret-key";
534
+ readonly canonicalName: "LANGFUSE_SECRET_KEY";
535
+ readonly owner: "lucern_platform";
536
+ readonly scope: "environment";
537
+ readonly sourcePath: "/platform/observability/langfuse";
538
+ readonly environmentPolicy: "environment_specific";
539
+ readonly required: false;
540
+ readonly secret: true;
541
+ readonly public: false;
542
+ readonly consumers: readonly ["lucern-ai-runtime", "lucern-observability", "lucern-repo-ci"];
543
+ readonly destinations: readonly [{
544
+ readonly kind: "runtime_fetch";
545
+ readonly target: "lucern-ai-runtime";
546
+ readonly environmentPolicy: "environment_specific";
547
+ }, {
548
+ readonly kind: "github_actions";
549
+ readonly target: "LucernAI/lucern";
550
+ readonly environmentPolicy: "environment_specific";
551
+ }];
552
+ readonly description: "Lucern-owned Langfuse secret key for prompt sync, prompt reads, and AI tracing.";
553
+ }, {
554
+ readonly id: "platform.langfuse.public-key";
555
+ readonly canonicalName: "LANGFUSE_PUBLIC_KEY";
556
+ readonly owner: "lucern_platform";
557
+ readonly scope: "environment";
558
+ readonly sourcePath: "/platform/observability/langfuse";
559
+ readonly environmentPolicy: "environment_specific";
560
+ readonly required: false;
561
+ readonly secret: false;
562
+ readonly public: false;
563
+ readonly consumers: readonly ["lucern-ai-runtime", "lucern-observability", "lucern-repo-ci"];
564
+ readonly destinations: readonly [{
565
+ readonly kind: "runtime_fetch";
566
+ readonly target: "lucern-ai-runtime";
567
+ readonly environmentPolicy: "environment_specific";
568
+ }, {
569
+ readonly kind: "github_actions";
570
+ readonly target: "LucernAI/lucern";
571
+ readonly environmentPolicy: "environment_specific";
572
+ }];
573
+ readonly description: "Lucern-owned Langfuse public key paired with LANGFUSE_SECRET_KEY.";
574
+ }, {
575
+ readonly id: "platform.langfuse.base-url";
576
+ readonly canonicalName: "LANGFUSE_BASE_URL";
577
+ readonly aliases: readonly ["LANGFUSE_BASEURL", "LANGFUSE_HOST"];
578
+ readonly owner: "lucern_platform";
579
+ readonly scope: "environment";
580
+ readonly sourcePath: "/platform/observability/langfuse";
581
+ readonly environmentPolicy: "environment_specific";
582
+ readonly required: false;
583
+ readonly secret: false;
584
+ readonly public: false;
585
+ readonly consumers: readonly ["lucern-ai-runtime", "lucern-observability", "lucern-repo-ci"];
586
+ readonly destinations: readonly [{
587
+ readonly kind: "runtime_fetch";
588
+ readonly target: "lucern-ai-runtime";
589
+ readonly environmentPolicy: "environment_specific";
590
+ }, {
591
+ readonly kind: "github_actions";
592
+ readonly target: "LucernAI/lucern";
593
+ readonly environmentPolicy: "environment_specific";
594
+ }];
595
+ readonly description: "Canonical Langfuse API origin. BASEURL/HOST are compatibility aliases.";
596
+ }];
597
+
598
+ export { PLATFORM_AI_SECRET_DEFINITIONS, PLATFORM_LANGFUSE_SECRET_DEFINITIONS, PLATFORM_SECRET_DEFINITIONS };