@lucern/contracts 1.0.0 → 1.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (213) hide show
  1. package/CHANGELOG.md +4 -1
  2. package/dist/dsl.d.ts +75 -4
  3. package/dist/dsl.values-rhsroqi0.d.ts +21 -0
  4. package/dist/dsl.values.d.ts +5 -0
  5. package/dist/dsl.values.js +675 -0
  6. package/dist/dsl.values.js.map +1 -0
  7. package/dist/function-registry/beliefs.d.ts +1 -17
  8. package/dist/function-registry/beliefs.js +155 -117
  9. package/dist/function-registry/beliefs.js.map +1 -1
  10. package/dist/function-registry/coding.d.ts +1 -17
  11. package/dist/function-registry/coding.js +155 -117
  12. package/dist/function-registry/coding.js.map +1 -1
  13. package/dist/function-registry/context.d.ts +1 -17
  14. package/dist/function-registry/context.js +155 -117
  15. package/dist/function-registry/context.js.map +1 -1
  16. package/dist/function-registry/contracts.d.ts +1 -17
  17. package/dist/function-registry/contracts.js +155 -117
  18. package/dist/function-registry/contracts.js.map +1 -1
  19. package/dist/function-registry/coordination.d.ts +1 -17
  20. package/dist/function-registry/coordination.js +155 -117
  21. package/dist/function-registry/coordination.js.map +1 -1
  22. package/dist/function-registry/edges.d.ts +1 -17
  23. package/dist/function-registry/edges.js +155 -117
  24. package/dist/function-registry/edges.js.map +1 -1
  25. package/dist/function-registry/evidence.d.ts +1 -17
  26. package/dist/function-registry/evidence.js +155 -117
  27. package/dist/function-registry/evidence.js.map +1 -1
  28. package/dist/function-registry/graph.d.ts +1 -17
  29. package/dist/function-registry/graph.js +155 -117
  30. package/dist/function-registry/graph.js.map +1 -1
  31. package/dist/function-registry/helpers.d.ts +1 -1
  32. package/dist/function-registry/helpers.js +155 -117
  33. package/dist/function-registry/helpers.js.map +1 -1
  34. package/dist/function-registry/identity.d.ts +1 -17
  35. package/dist/function-registry/identity.js +155 -117
  36. package/dist/function-registry/identity.js.map +1 -1
  37. package/dist/function-registry/index.d.ts +1 -1
  38. package/dist/function-registry/index.js +158 -118
  39. package/dist/function-registry/index.js.map +1 -1
  40. package/dist/function-registry/judgments.d.ts +1 -17
  41. package/dist/function-registry/judgments.js +155 -117
  42. package/dist/function-registry/judgments.js.map +1 -1
  43. package/dist/function-registry/legacy.d.ts +1 -17
  44. package/dist/function-registry/legacy.js +155 -117
  45. package/dist/function-registry/legacy.js.map +1 -1
  46. package/dist/function-registry/lenses.d.ts +1 -17
  47. package/dist/function-registry/lenses.js +155 -117
  48. package/dist/function-registry/lenses.js.map +1 -1
  49. package/dist/function-registry/manifest.d.ts +3 -3
  50. package/dist/function-registry/manifest.js +1 -0
  51. package/dist/function-registry/manifest.js.map +1 -1
  52. package/dist/function-registry/nodes.d.ts +1 -17
  53. package/dist/function-registry/nodes.js +155 -117
  54. package/dist/function-registry/nodes.js.map +1 -1
  55. package/dist/function-registry/ontologies.d.ts +1 -17
  56. package/dist/function-registry/ontologies.js +155 -117
  57. package/dist/function-registry/ontologies.js.map +1 -1
  58. package/dist/function-registry/pipeline.d.ts +1 -17
  59. package/dist/function-registry/pipeline.js +155 -117
  60. package/dist/function-registry/pipeline.js.map +1 -1
  61. package/dist/function-registry/questions.d.ts +1 -17
  62. package/dist/function-registry/questions.js +155 -117
  63. package/dist/function-registry/questions.js.map +1 -1
  64. package/dist/function-registry/tasks.d.ts +1 -17
  65. package/dist/function-registry/tasks.js +155 -117
  66. package/dist/function-registry/tasks.js.map +1 -1
  67. package/dist/function-registry/topics.d.ts +1 -17
  68. package/dist/function-registry/topics.js +155 -117
  69. package/dist/function-registry/topics.js.map +1 -1
  70. package/dist/function-registry/types.d.ts +2 -2
  71. package/dist/function-registry/worktrees.d.ts +41 -17
  72. package/dist/function-registry/worktrees.js +174 -117
  73. package/dist/function-registry/worktrees.js.map +1 -1
  74. package/dist/generated/lucernWebPublicEnv.js.map +1 -1
  75. package/dist/generated/lucernWebServerEnv.js.map +1 -1
  76. package/dist/{idOf-DR8tkhQS.d.ts → idOf-BmkVDhD8.d.ts} +1 -1
  77. package/dist/index.d.ts +47 -8
  78. package/dist/index.js +45072 -45005
  79. package/dist/index.js.map +1 -1
  80. package/dist/infisical-runtime.base.d.ts +444 -0
  81. package/dist/infisical-runtime.base.js +640 -0
  82. package/dist/infisical-runtime.base.js.map +1 -0
  83. package/dist/infisical-runtime.contract.d.ts +9 -440
  84. package/dist/infisical-runtime.contract.js +14 -1
  85. package/dist/infisical-runtime.contract.js.map +1 -1
  86. package/dist/infisical-runtime.platform-ops-secrets.d.ts +743 -0
  87. package/dist/infisical-runtime.platform-ops-secrets.js +962 -0
  88. package/dist/infisical-runtime.platform-ops-secrets.js.map +1 -0
  89. package/dist/infisical-runtime.platform-secrets.d.ts +598 -0
  90. package/dist/infisical-runtime.platform-secrets.js +726 -0
  91. package/dist/infisical-runtime.platform-secrets.js.map +1 -0
  92. package/dist/infisical-runtime.tenant-secrets.d.ts +486 -0
  93. package/dist/infisical-runtime.tenant-secrets.js +1131 -0
  94. package/dist/infisical-runtime.tenant-secrets.js.map +1 -0
  95. package/dist/manifests/edge-policy-manifest.d.ts +1 -1
  96. package/dist/manifests/infisical-runtime-manifest.d.ts +1 -1
  97. package/dist/manifests/infisical-runtime-manifest.js +14 -1
  98. package/dist/manifests/infisical-runtime-manifest.js.map +1 -1
  99. package/dist/manifests/tenant-client-manifest.d.ts +5 -1
  100. package/dist/manifests/tenant-client-manifest.js +5 -0
  101. package/dist/manifests/tenant-client-manifest.js.map +1 -1
  102. package/dist/proof-attestation.json +1 -1
  103. package/dist/schemas/index.d.ts +1 -1
  104. package/dist/schemas/index.js.map +1 -1
  105. package/dist/schemas/manifest.d.ts +61 -61
  106. package/dist/schemas/manifest.js.map +1 -1
  107. package/dist/schemas/tables/kernel/config.js.map +1 -1
  108. package/dist/schemas/tables/kernel/coordination.js.map +1 -1
  109. package/dist/schemas/tables/kernel/decision.d.ts +1 -1
  110. package/dist/schemas/tables/kernel/decision.js.map +1 -1
  111. package/dist/schemas/tables/kernel/embedding.d.ts +1 -1
  112. package/dist/schemas/tables/kernel/embedding.js.map +1 -1
  113. package/dist/schemas/tables/kernel/epistemic.d.ts +1 -1
  114. package/dist/schemas/tables/kernel/epistemic.js.map +1 -1
  115. package/dist/schemas/tables/kernel/idempotency.js.map +1 -1
  116. package/dist/schemas/tables/kernel/infra.js.map +1 -1
  117. package/dist/schemas/tables/kernel/intelligence.d.ts +1 -1
  118. package/dist/schemas/tables/kernel/intelligence.js.map +1 -1
  119. package/dist/schemas/tables/kernel/lens.d.ts +5 -5
  120. package/dist/schemas/tables/kernel/lens.js.map +1 -1
  121. package/dist/schemas/tables/kernel/ontology.d.ts +1 -1
  122. package/dist/schemas/tables/kernel/ontology.js.map +1 -1
  123. package/dist/schemas/tables/kernel/platform.js.map +1 -1
  124. package/dist/schemas/tables/kernel/spine.d.ts +1 -1
  125. package/dist/schemas/tables/kernel/spine.js.map +1 -1
  126. package/dist/schemas/tables/kernel/task.d.ts +1 -1
  127. package/dist/schemas/tables/kernel/task.js.map +1 -1
  128. package/dist/schemas/tables/kernel/topic.d.ts +1 -1
  129. package/dist/schemas/tables/kernel/topic.js.map +1 -1
  130. package/dist/schemas/tables/kernel/workflow.d.ts +1 -1
  131. package/dist/schemas/tables/kernel/workflow.js.map +1 -1
  132. package/dist/schemas/tables/kernel/worktree.d.ts +1 -1
  133. package/dist/schemas/tables/kernel/worktree.js.map +1 -1
  134. package/dist/schemas/tables/mc/identity.d.ts +1 -1
  135. package/dist/schemas/tables/mc/methodology.d.ts +1 -1
  136. package/dist/schemas/tables/mc/pack.d.ts +9 -9
  137. package/dist/schemas/tables/mc/policy.d.ts +1 -1
  138. package/dist/schemas/tables/mc/registry.d.ts +1 -1
  139. package/dist/schemas/tables/mc/runtime.d.ts +1 -1
  140. package/dist/schemas/tables/mc/tenant.d.ts +1 -1
  141. package/dist/schemas/tables/mc/workspace.d.ts +1 -1
  142. package/dist/schemas.values-5J5oIK7z.d.ts +26 -0
  143. package/dist/schemas.values.d.ts +7 -0
  144. package/dist/schemas.values.js +5324 -0
  145. package/dist/schemas.values.js.map +1 -0
  146. package/dist/sdk-tools.contract.analytics.d.ts +27 -0
  147. package/dist/sdk-tools.contract.analytics.js +616 -0
  148. package/dist/sdk-tools.contract.analytics.js.map +1 -0
  149. package/dist/sdk-tools.contract.d.ts +43 -2
  150. package/dist/sdk-tools.contract.graph.d.ts +11 -0
  151. package/dist/sdk-tools.contract.graph.js +156 -0
  152. package/dist/sdk-tools.contract.graph.js.map +1 -0
  153. package/dist/sdk-tools.contract.js +4107 -4062
  154. package/dist/sdk-tools.contract.js.map +1 -1
  155. package/dist/sdk-tools.contract.registry.d.ts +25 -0
  156. package/dist/sdk-tools.contract.registry.js +5504 -0
  157. package/dist/sdk-tools.contract.registry.js.map +1 -0
  158. package/dist/sdk-tools.contract.types.d.ts +15 -0
  159. package/dist/sdk-tools.contract.types.js +3 -0
  160. package/dist/sdk-tools.contract.types.js.map +1 -0
  161. package/dist/sdk-tools.contract.values-LuBh95zg.d.ts +58 -0
  162. package/dist/sdk-tools.contract.values.d.ts +7 -0
  163. package/dist/sdk-tools.contract.values.js +5581 -0
  164. package/dist/sdk-tools.contract.values.js.map +1 -0
  165. package/dist/sdk-tools.contract.workflow.d.ts +17 -0
  166. package/dist/sdk-tools.contract.workflow.js +287 -0
  167. package/dist/sdk-tools.contract.workflow.js.map +1 -0
  168. package/dist/tenant-client.contract.d.ts +5 -1
  169. package/dist/tenant-client.contract.js +5 -0
  170. package/dist/tenant-client.contract.js.map +1 -1
  171. package/dist/tool-contracts.d.ts +34 -1
  172. package/dist/tool-contracts.graph.d.ts +18 -0
  173. package/dist/tool-contracts.graph.js +378 -0
  174. package/dist/tool-contracts.graph.js.map +1 -0
  175. package/dist/tool-contracts.intelligence-evidence.d.ts +15 -0
  176. package/dist/tool-contracts.intelligence-evidence.js +303 -0
  177. package/dist/tool-contracts.intelligence-evidence.js.map +1 -0
  178. package/dist/tool-contracts.js +155 -118
  179. package/dist/tool-contracts.js.map +1 -1
  180. package/dist/tool-contracts.lifecycle.d.ts +13 -0
  181. package/dist/tool-contracts.lifecycle.js +410 -0
  182. package/dist/tool-contracts.lifecycle.js.map +1 -0
  183. package/dist/tool-contracts.nodes-lenses.d.ts +17 -0
  184. package/dist/tool-contracts.nodes-lenses.js +334 -0
  185. package/dist/tool-contracts.nodes-lenses.js.map +1 -0
  186. package/dist/tool-contracts.ontology.d.ts +16 -0
  187. package/dist/tool-contracts.ontology.js +344 -0
  188. package/dist/tool-contracts.ontology.js.map +1 -0
  189. package/dist/tool-contracts.pipeline-coordination.d.ts +25 -0
  190. package/dist/tool-contracts.pipeline-coordination.js +684 -0
  191. package/dist/tool-contracts.pipeline-coordination.js.map +1 -0
  192. package/dist/tool-contracts.policy-observation-task-topic.d.ts +25 -0
  193. package/dist/tool-contracts.policy-observation-task-topic.js +740 -0
  194. package/dist/tool-contracts.policy-observation-task-topic.js.map +1 -0
  195. package/dist/tool-contracts.questions-listing.d.ts +27 -0
  196. package/dist/tool-contracts.questions-listing.js +782 -0
  197. package/dist/tool-contracts.questions-listing.js.map +1 -0
  198. package/dist/tool-contracts.types.d.ts +34 -0
  199. package/dist/tool-contracts.types.js +3 -0
  200. package/dist/tool-contracts.types.js.map +1 -0
  201. package/dist/tool-contracts.values-DjctSW7S.d.ts +147 -0
  202. package/dist/tool-contracts.values.d.ts +11 -0
  203. package/dist/tool-contracts.values.js +4398 -0
  204. package/dist/tool-contracts.values.js.map +1 -0
  205. package/dist/tool-contracts.worktrees.d.ts +8 -0
  206. package/dist/tool-contracts.worktrees.js +280 -0
  207. package/dist/tool-contracts.worktrees.js.map +1 -0
  208. package/package.json +3 -11
  209. package/dist/dsl-DVPthQGY.d.ts +0 -110
  210. package/dist/index-CM1Pl_vI.d.ts +0 -28
  211. package/dist/sdk-tools.contract-CKmSsrZ2.d.ts +0 -146
  212. package/dist/tool-contracts-C_xvM9q2.d.ts +0 -326
  213. package/dist/{edge-policy-manifest-Dw5IhT1L.d.ts → edge-policy-manifest-4KOSP4nk.d.ts} +2 -2
@@ -0,0 +1,726 @@
1
+ // src/infisical-runtime.platform-secrets.ts
2
+ var PLATFORM_SECRET_DEFINITIONS = [
3
+ {
4
+ id: "platform.clerk.publishable",
5
+ canonicalName: "NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY",
6
+ aliases: ["CLERK_PUBLISHABLE_KEY"],
7
+ owner: "lucern_platform",
8
+ scope: "environment",
9
+ sourcePath: "/platform/auth",
10
+ environmentPolicy: "environment_specific",
11
+ required: true,
12
+ secret: false,
13
+ public: true,
14
+ consumers: ["lucern-web", "lucern-gateway", "lucern-mcp"],
15
+ destinations: [
16
+ {
17
+ kind: "vercel",
18
+ target: "lucern",
19
+ environmentPolicy: "environment_specific"
20
+ },
21
+ {
22
+ kind: "vercel",
23
+ target: "lucern-gateway",
24
+ environmentPolicy: "environment_specific"
25
+ },
26
+ {
27
+ kind: "runtime_fetch",
28
+ target: "hosted-mcp-oauth",
29
+ environmentPolicy: "environment_specific"
30
+ }
31
+ ],
32
+ description: "Lucern-owned Clerk browser key for platform web, gateway, and hosted MCP OAuth flows."
33
+ },
34
+ {
35
+ id: "platform.clerk.secret",
36
+ canonicalName: "CLERK_SECRET_KEY",
37
+ owner: "lucern_platform",
38
+ scope: "environment",
39
+ sourcePath: "/platform/auth",
40
+ environmentPolicy: "environment_specific",
41
+ required: true,
42
+ secret: true,
43
+ public: false,
44
+ consumers: ["lucern-web", "lucern-gateway", "lucern-mcp"],
45
+ destinations: [
46
+ {
47
+ kind: "vercel",
48
+ target: "lucern",
49
+ environmentPolicy: "environment_specific"
50
+ },
51
+ {
52
+ kind: "vercel",
53
+ target: "lucern-gateway",
54
+ environmentPolicy: "environment_specific"
55
+ },
56
+ {
57
+ kind: "runtime_fetch",
58
+ target: "hosted-mcp-oauth",
59
+ environmentPolicy: "environment_specific"
60
+ }
61
+ ],
62
+ description: "Lucern-owned Clerk backend secret. Never route to tenant-owned apps unless that tenant is Lucern itself."
63
+ },
64
+ {
65
+ id: "platform.clerk.project",
66
+ canonicalName: "CLERK_PROJECT_ID",
67
+ aliases: ["LUCERN_CLERK_PROJECT_ID"],
68
+ owner: "lucern_platform",
69
+ scope: "environment",
70
+ sourcePath: "/platform/auth",
71
+ environmentPolicy: "environment_specific",
72
+ required: true,
73
+ secret: false,
74
+ public: false,
75
+ consumers: ["lucern-gateway", "mc-convex"],
76
+ destinations: [
77
+ {
78
+ kind: "vercel",
79
+ target: "lucern-gateway",
80
+ environmentPolicy: "environment_specific"
81
+ },
82
+ {
83
+ kind: "convex",
84
+ target: "master-control",
85
+ environmentPolicy: "environment_specific"
86
+ }
87
+ ],
88
+ description: "Canonical Lucern Clerk project identifier used when MC resolves Clerk identities."
89
+ },
90
+ {
91
+ id: "platform.clerk.webhook-secret",
92
+ canonicalName: "LUCERN_CLERK_WEBHOOK_SECRET",
93
+ aliases: ["CLERK_WEBHOOK_SECRET", "CLERK_WEBHOOK_SIGNING_SECRET"],
94
+ owner: "lucern_platform",
95
+ scope: "environment",
96
+ sourcePath: "/platform/auth",
97
+ environmentPolicy: "environment_specific",
98
+ required: true,
99
+ secret: true,
100
+ public: false,
101
+ consumers: ["lucern-gateway"],
102
+ destinations: [
103
+ {
104
+ kind: "vercel",
105
+ target: "lucern-gateway",
106
+ environmentPolicy: "environment_specific"
107
+ }
108
+ ],
109
+ description: "Lucern-owned Clerk/Svix webhook signing secret used by the gateway to verify Clerk identity and organization events before projecting them into Permit."
110
+ },
111
+ {
112
+ id: "platform.clerk.jwks",
113
+ canonicalName: "CLERK_JWKS_URL",
114
+ aliases: ["CLERK_JWT_ISSUER_DOMAIN"],
115
+ owner: "lucern_platform",
116
+ scope: "environment",
117
+ sourcePath: "/platform/auth",
118
+ environmentPolicy: "environment_specific",
119
+ required: false,
120
+ secret: false,
121
+ public: false,
122
+ consumers: ["lucern-mcp", "lucern-gateway"],
123
+ destinations: [
124
+ {
125
+ kind: "runtime_fetch",
126
+ target: "lucern-mcp",
127
+ environmentPolicy: "environment_specific"
128
+ },
129
+ {
130
+ kind: "vercel",
131
+ target: "lucern-gateway",
132
+ environmentPolicy: "environment_specific"
133
+ }
134
+ ],
135
+ description: "Optional Clerk JWKS/issuer override for server-side token verification."
136
+ },
137
+ {
138
+ id: "platform.runtime.api-base-url",
139
+ canonicalName: "LUCERN_API_URL",
140
+ aliases: ["LUCERN_API_BASE_URL", "LUCERN_BASE_URL"],
141
+ owner: "lucern_platform",
142
+ scope: "environment",
143
+ sourcePath: "/platform/runtime",
144
+ environmentPolicy: "environment_specific",
145
+ required: true,
146
+ secret: false,
147
+ public: false,
148
+ consumers: ["lucern-web", "lucern-gateway", "lucern-mcp", "lucern-cli"],
149
+ destinations: [
150
+ {
151
+ kind: "vercel",
152
+ target: "lucern",
153
+ environmentPolicy: "environment_specific"
154
+ },
155
+ {
156
+ kind: "vercel",
157
+ target: "lucern-gateway",
158
+ environmentPolicy: "environment_specific"
159
+ },
160
+ {
161
+ kind: "runtime_fetch",
162
+ target: "lucern-cli-mcp-sdk",
163
+ environmentPolicy: "environment_specific"
164
+ }
165
+ ],
166
+ description: "Canonical Lucern API gateway base URL. Older names remain aliases only."
167
+ },
168
+ {
169
+ id: "platform.runtime.login-base-url",
170
+ canonicalName: "LUCERN_LOGIN_BASE_URL",
171
+ aliases: ["LUCERN_AUTH_BASE_URL", "LUCERN_WEB_BASE_URL"],
172
+ owner: "lucern_platform",
173
+ scope: "environment",
174
+ sourcePath: "/platform/runtime",
175
+ environmentPolicy: "environment_specific",
176
+ required: false,
177
+ secret: false,
178
+ public: false,
179
+ consumers: ["lucern-gateway", "lucern-mcp", "lucern-cli"],
180
+ destinations: [
181
+ {
182
+ kind: "vercel",
183
+ target: "lucern-gateway",
184
+ environmentPolicy: "environment_specific"
185
+ },
186
+ {
187
+ kind: "runtime_fetch",
188
+ target: "lucern-cli-mcp-sdk",
189
+ environmentPolicy: "environment_specific"
190
+ }
191
+ ],
192
+ description: "Browser login origin used when device/OAuth login is not served by the API base URL."
193
+ },
194
+ {
195
+ id: "platform.runtime.environment",
196
+ canonicalName: "LUCERN_ENVIRONMENT",
197
+ aliases: ["LUCERN_ENV"],
198
+ owner: "lucern_platform",
199
+ scope: "environment",
200
+ sourcePath: "/platform/runtime",
201
+ environmentPolicy: "environment_specific",
202
+ required: false,
203
+ secret: false,
204
+ public: false,
205
+ consumers: ["lucern-web", "lucern-gateway", "lucern-mcp", "lucern-cli"],
206
+ destinations: [
207
+ {
208
+ kind: "vercel",
209
+ target: "lucern",
210
+ environmentPolicy: "environment_specific"
211
+ },
212
+ {
213
+ kind: "vercel",
214
+ target: "lucern-gateway",
215
+ environmentPolicy: "environment_specific"
216
+ },
217
+ {
218
+ kind: "runtime_fetch",
219
+ target: "lucern-cli-mcp-sdk",
220
+ environmentPolicy: "environment_specific"
221
+ }
222
+ ],
223
+ description: "Lucern runtime environment label."
224
+ },
225
+ {
226
+ id: "platform.runtime.require-deployment-host-registry",
227
+ canonicalName: "LUCERN_REQUIRE_DEPLOYMENT_HOST_REGISTRY",
228
+ owner: "lucern_platform",
229
+ scope: "environment",
230
+ sourcePath: "/platform/runtime",
231
+ environmentPolicy: "environment_specific",
232
+ required: false,
233
+ secret: false,
234
+ public: false,
235
+ consumers: ["lucern-gateway"],
236
+ destinations: [
237
+ {
238
+ kind: "vercel",
239
+ target: "lucern-gateway",
240
+ environmentPolicy: "environment_specific"
241
+ },
242
+ {
243
+ kind: "operator_local",
244
+ target: "lucern-repo",
245
+ environmentPolicy: "environment_specific"
246
+ }
247
+ ],
248
+ description: "Fail-closed gateway toggle that requires MC deployment host registry resolution before routing."
249
+ },
250
+ {
251
+ id: "platform.mc.convex-url",
252
+ canonicalName: "CONVEX_MC_URL",
253
+ aliases: [
254
+ "CONVEX_MC_PROD_URL",
255
+ "LUCERN_ADMIN_CONVEX_URL",
256
+ "LUCERN_CONVEX_URL",
257
+ "MC_CONVEX_URL"
258
+ ],
259
+ owner: "lucern_platform",
260
+ scope: "environment",
261
+ sourcePath: "/platform/mc",
262
+ environmentPolicy: "environment_specific",
263
+ required: true,
264
+ secret: false,
265
+ public: false,
266
+ consumers: ["lucern-gateway", "mc-operator-tooling", "lucern-repo-ci"],
267
+ destinations: [
268
+ {
269
+ kind: "vercel",
270
+ target: "lucern-gateway",
271
+ environmentPolicy: "environment_specific"
272
+ },
273
+ {
274
+ kind: "github_actions",
275
+ target: "LucernAI/lucern",
276
+ environmentPolicy: "environment_specific"
277
+ },
278
+ {
279
+ kind: "operator_local",
280
+ target: "lucern-repo",
281
+ environmentPolicy: "environment_specific"
282
+ }
283
+ ],
284
+ description: "Master Control Convex URL. Prod must point to successful-clam-833; dev/staging to utmost-ox-403."
285
+ },
286
+ {
287
+ id: "platform.mc.convex-deploy-key",
288
+ canonicalName: "CONVEX_MC_DEPLOY_KEY",
289
+ aliases: [
290
+ "CONVEX_MC_PROD_DEPLOY_KEY",
291
+ "LUCERN_ADMIN_DEPLOY_KEY",
292
+ "LUCERN_DEPLOY_KEY",
293
+ "MC_DEPLOY_KEY",
294
+ "MC_PROD_DEPLOY_KEY"
295
+ ],
296
+ owner: "lucern_platform",
297
+ scope: "environment",
298
+ sourcePath: "/platform/mc",
299
+ environmentPolicy: "environment_specific",
300
+ required: true,
301
+ secret: true,
302
+ public: false,
303
+ consumers: ["lucern-gateway", "mc-operator-tooling", "lucern-repo-ci"],
304
+ destinations: [
305
+ {
306
+ kind: "vercel",
307
+ target: "lucern-gateway",
308
+ environmentPolicy: "environment_specific"
309
+ },
310
+ {
311
+ kind: "github_actions",
312
+ target: "LucernAI/lucern",
313
+ environmentPolicy: "environment_specific"
314
+ },
315
+ {
316
+ kind: "operator_local",
317
+ target: "lucern-repo",
318
+ environmentPolicy: "environment_specific"
319
+ }
320
+ ],
321
+ description: "Master Control deploy/admin key. Never route to tenant Vercel projects or tenant Convex deployments."
322
+ },
323
+ {
324
+ id: "platform.mc.session-token-secret",
325
+ canonicalName: "LUCERN_SESSION_TOKEN_SECRET",
326
+ owner: "lucern_platform",
327
+ scope: "environment",
328
+ sourcePath: "/platform/mc",
329
+ environmentPolicy: "environment_specific",
330
+ required: true,
331
+ secret: true,
332
+ public: false,
333
+ consumers: ["lucern-mcp", "mc-convex", "lucern-gateway"],
334
+ destinations: [
335
+ {
336
+ kind: "convex",
337
+ target: "master-control",
338
+ environmentPolicy: "environment_specific"
339
+ },
340
+ {
341
+ kind: "runtime_fetch",
342
+ target: "hosted-mcp-oauth",
343
+ environmentPolicy: "environment_specific"
344
+ },
345
+ {
346
+ kind: "vercel",
347
+ target: "lucern-gateway",
348
+ environmentPolicy: "environment_specific"
349
+ }
350
+ ],
351
+ description: "Signs Lucern platform session/delegation tokens. This is platform-owned, not tenant-owned."
352
+ },
353
+ {
354
+ id: "platform.mc.tenant-secret-encryption-key",
355
+ canonicalName: "LUCERN_TENANT_SECRET_ENCRYPTION_KEY",
356
+ aliases: ["LUCERN_SESSION_TOKEN_SECRET"],
357
+ owner: "lucern_platform",
358
+ scope: "environment",
359
+ sourcePath: "/platform/mc",
360
+ environmentPolicy: "environment_specific",
361
+ required: true,
362
+ secret: true,
363
+ public: false,
364
+ consumers: ["mc-convex", "mc-operator-tooling"],
365
+ destinations: [
366
+ {
367
+ kind: "convex",
368
+ target: "master-control",
369
+ environmentPolicy: "environment_specific"
370
+ },
371
+ {
372
+ kind: "operator_local",
373
+ target: "mc-credential-maintenance",
374
+ environmentPolicy: "environment_specific"
375
+ }
376
+ ],
377
+ description: "Encrypts tenant deployment credentials stored in MC. Session-token fallback is legacy only."
378
+ },
379
+ {
380
+ id: "platform.permit.api-key",
381
+ canonicalName: "LUCERN_PERMIT_API_KEY",
382
+ aliases: ["PERMIT_API_KEY"],
383
+ owner: "lucern_platform",
384
+ scope: "environment",
385
+ sourcePath: "/platform/permit",
386
+ environmentPolicy: "environment_specific",
387
+ required: true,
388
+ secret: true,
389
+ public: false,
390
+ consumers: ["mc-convex", "lucern-mcp", "lucern-gateway"],
391
+ destinations: [
392
+ {
393
+ kind: "convex",
394
+ target: "master-control",
395
+ environmentPolicy: "environment_specific"
396
+ },
397
+ {
398
+ kind: "runtime_fetch",
399
+ target: "hosted-mcp-oauth",
400
+ environmentPolicy: "environment_specific"
401
+ },
402
+ {
403
+ kind: "vercel",
404
+ target: "lucern-gateway",
405
+ environmentPolicy: "environment_specific"
406
+ }
407
+ ],
408
+ description: "Permit.io API key used for MC sync and policy checks. Must fail closed if missing."
409
+ },
410
+ {
411
+ id: "platform.permit.webhook-secret",
412
+ canonicalName: "LUCERN_PERMIT_WEBHOOK_SECRET",
413
+ aliases: ["PERMIT_WEBHOOK_SECRET"],
414
+ owner: "lucern_platform",
415
+ scope: "environment",
416
+ sourcePath: "/platform/permit",
417
+ environmentPolicy: "environment_specific",
418
+ required: true,
419
+ secret: true,
420
+ public: false,
421
+ consumers: ["mc-convex", "lucern-gateway", "mc-operator-tooling"],
422
+ destinations: [
423
+ {
424
+ kind: "convex",
425
+ target: "master-control",
426
+ environmentPolicy: "environment_specific"
427
+ },
428
+ {
429
+ kind: "vercel",
430
+ target: "lucern-gateway",
431
+ environmentPolicy: "environment_specific"
432
+ },
433
+ {
434
+ kind: "operator_local",
435
+ target: "mc-credential-maintenance",
436
+ environmentPolicy: "environment_specific"
437
+ }
438
+ ],
439
+ description: "Permit.io webhook secret used by gateway and MC webhook handlers. Must fail closed if missing."
440
+ },
441
+ {
442
+ id: "platform.permit.pdp-url",
443
+ canonicalName: "LUCERN_PERMIT_PDP_URL",
444
+ aliases: ["PERMIT_PDP_URL"],
445
+ owner: "lucern_platform",
446
+ scope: "environment",
447
+ sourcePath: "/platform/permit",
448
+ environmentPolicy: "environment_specific",
449
+ required: false,
450
+ secret: false,
451
+ public: false,
452
+ consumers: ["mc-convex", "lucern-mcp", "lucern-gateway"],
453
+ destinations: [
454
+ {
455
+ kind: "convex",
456
+ target: "master-control",
457
+ environmentPolicy: "environment_specific"
458
+ },
459
+ {
460
+ kind: "runtime_fetch",
461
+ target: "hosted-mcp-oauth",
462
+ environmentPolicy: "environment_specific"
463
+ },
464
+ {
465
+ kind: "vercel",
466
+ target: "lucern-gateway",
467
+ environmentPolicy: "environment_specific"
468
+ }
469
+ ],
470
+ description: "Optional Permit PDP URL override."
471
+ },
472
+ {
473
+ id: "platform.permit.api-url",
474
+ canonicalName: "LUCERN_PERMIT_API_URL",
475
+ aliases: ["PERMIT_API_URL"],
476
+ owner: "lucern_platform",
477
+ scope: "environment",
478
+ sourcePath: "/platform/permit",
479
+ environmentPolicy: "environment_specific",
480
+ required: false,
481
+ secret: false,
482
+ public: false,
483
+ consumers: ["mc-convex", "lucern-mcp", "lucern-gateway"],
484
+ destinations: [
485
+ {
486
+ kind: "convex",
487
+ target: "master-control",
488
+ environmentPolicy: "environment_specific"
489
+ },
490
+ {
491
+ kind: "runtime_fetch",
492
+ target: "hosted-mcp-oauth",
493
+ environmentPolicy: "environment_specific"
494
+ },
495
+ {
496
+ kind: "vercel",
497
+ target: "lucern-gateway",
498
+ environmentPolicy: "environment_specific"
499
+ }
500
+ ],
501
+ description: "Optional Permit API URL override."
502
+ },
503
+ {
504
+ id: "platform.ci.infisical-bootstrap-client-id",
505
+ canonicalName: "INFISICAL_BOOTSTRAP_CLIENT_ID",
506
+ aliases: ["INFISICAL_CI_CLIENT_ID"],
507
+ owner: "provider",
508
+ scope: "environment",
509
+ sourcePath: "/platform/ci",
510
+ environmentPolicy: "same_all_environments",
511
+ required: true,
512
+ secret: true,
513
+ public: false,
514
+ consumers: ["lucern-repo-ci"],
515
+ destinations: [
516
+ {
517
+ kind: "github_actions",
518
+ target: "LucernAI/lucern",
519
+ environmentPolicy: "same_all_environments"
520
+ }
521
+ ],
522
+ description: "Machine identity client id used by CI to reconcile Infisical desired state."
523
+ },
524
+ {
525
+ id: "platform.ci.infisical-bootstrap-client-secret",
526
+ canonicalName: "INFISICAL_BOOTSTRAP_CLIENT_SECRET",
527
+ aliases: ["INFISICAL_CI_CLIENT_SECRET"],
528
+ owner: "provider",
529
+ scope: "environment",
530
+ sourcePath: "/platform/ci",
531
+ environmentPolicy: "same_all_environments",
532
+ required: true,
533
+ secret: true,
534
+ public: false,
535
+ consumers: ["lucern-repo-ci"],
536
+ destinations: [
537
+ {
538
+ kind: "github_actions",
539
+ target: "LucernAI/lucern",
540
+ environmentPolicy: "same_all_environments"
541
+ }
542
+ ],
543
+ description: "Machine identity client secret used by CI to reconcile Infisical desired state."
544
+ },
545
+ {
546
+ id: "platform.publish.npm-token",
547
+ canonicalName: "NPM_TOKEN",
548
+ aliases: ["NODE_AUTH_TOKEN"],
549
+ owner: "provider",
550
+ scope: "environment",
551
+ sourcePath: "/platform/publish",
552
+ environmentPolicy: "same_all_environments",
553
+ required: true,
554
+ secret: true,
555
+ public: false,
556
+ consumers: ["lucern-repo-ci"],
557
+ destinations: [
558
+ {
559
+ kind: "github_actions",
560
+ target: "LucernAI/lucern",
561
+ environmentPolicy: "same_all_environments"
562
+ }
563
+ ],
564
+ description: "Package publish/install token for @lucern/* release automation."
565
+ }
566
+ ];
567
+ var PLATFORM_AI_SECRET_DEFINITIONS = [
568
+ {
569
+ id: "platform.ai.openai-api-key",
570
+ canonicalName: "OPENAI_API_KEY",
571
+ owner: "lucern_platform",
572
+ scope: "environment",
573
+ sourcePath: "/platform/ai",
574
+ environmentPolicy: "environment_specific",
575
+ required: false,
576
+ secret: true,
577
+ public: false,
578
+ consumers: ["lucern-ai-runtime", "lucern-repo-ci"],
579
+ destinations: [
580
+ {
581
+ kind: "runtime_fetch",
582
+ target: "lucern-ai-runtime",
583
+ environmentPolicy: "environment_specific"
584
+ },
585
+ {
586
+ kind: "github_actions",
587
+ target: "LucernAI/lucern",
588
+ environmentPolicy: "environment_specific"
589
+ }
590
+ ],
591
+ description: "Lucern-owned OpenAI key for platform AI jobs, benchmarks, and controlled operator automation."
592
+ },
593
+ {
594
+ id: "platform.ai.anthropic-api-key",
595
+ canonicalName: "ANTHROPIC_API_KEY",
596
+ owner: "lucern_platform",
597
+ scope: "environment",
598
+ sourcePath: "/platform/ai",
599
+ environmentPolicy: "environment_specific",
600
+ required: false,
601
+ secret: true,
602
+ public: false,
603
+ consumers: ["lucern-ai-runtime", "lucern-repo-ci"],
604
+ destinations: [
605
+ {
606
+ kind: "runtime_fetch",
607
+ target: "lucern-ai-runtime",
608
+ environmentPolicy: "environment_specific"
609
+ },
610
+ {
611
+ kind: "github_actions",
612
+ target: "LucernAI/lucern",
613
+ environmentPolicy: "environment_specific"
614
+ }
615
+ ],
616
+ description: "Lucern-owned Anthropic key for platform AI jobs, benchmarks, and controlled operator automation."
617
+ },
618
+ {
619
+ id: "platform.ai.gemini-api-key",
620
+ canonicalName: "GEMINI_API_KEY",
621
+ aliases: ["GOOGLE_AI_API_KEY", "GOOGLE_GENERATIVE_AI_API_KEY"],
622
+ owner: "lucern_platform",
623
+ scope: "environment",
624
+ sourcePath: "/platform/ai",
625
+ environmentPolicy: "environment_specific",
626
+ required: false,
627
+ secret: true,
628
+ public: false,
629
+ consumers: ["lucern-ai-runtime", "lucern-repo-ci"],
630
+ destinations: [
631
+ {
632
+ kind: "runtime_fetch",
633
+ target: "lucern-ai-runtime",
634
+ environmentPolicy: "environment_specific"
635
+ },
636
+ {
637
+ kind: "github_actions",
638
+ target: "LucernAI/lucern",
639
+ environmentPolicy: "environment_specific"
640
+ }
641
+ ],
642
+ description: "Lucern-owned Google/Gemini key. Google alias names are read compatibility only."
643
+ }
644
+ ];
645
+ var PLATFORM_LANGFUSE_SECRET_DEFINITIONS = [
646
+ {
647
+ id: "platform.langfuse.secret-key",
648
+ canonicalName: "LANGFUSE_SECRET_KEY",
649
+ owner: "lucern_platform",
650
+ scope: "environment",
651
+ sourcePath: "/platform/observability/langfuse",
652
+ environmentPolicy: "environment_specific",
653
+ required: false,
654
+ secret: true,
655
+ public: false,
656
+ consumers: ["lucern-ai-runtime", "lucern-observability", "lucern-repo-ci"],
657
+ destinations: [
658
+ {
659
+ kind: "runtime_fetch",
660
+ target: "lucern-ai-runtime",
661
+ environmentPolicy: "environment_specific"
662
+ },
663
+ {
664
+ kind: "github_actions",
665
+ target: "LucernAI/lucern",
666
+ environmentPolicy: "environment_specific"
667
+ }
668
+ ],
669
+ description: "Lucern-owned Langfuse secret key for prompt sync, prompt reads, and AI tracing."
670
+ },
671
+ {
672
+ id: "platform.langfuse.public-key",
673
+ canonicalName: "LANGFUSE_PUBLIC_KEY",
674
+ owner: "lucern_platform",
675
+ scope: "environment",
676
+ sourcePath: "/platform/observability/langfuse",
677
+ environmentPolicy: "environment_specific",
678
+ required: false,
679
+ secret: false,
680
+ public: false,
681
+ consumers: ["lucern-ai-runtime", "lucern-observability", "lucern-repo-ci"],
682
+ destinations: [
683
+ {
684
+ kind: "runtime_fetch",
685
+ target: "lucern-ai-runtime",
686
+ environmentPolicy: "environment_specific"
687
+ },
688
+ {
689
+ kind: "github_actions",
690
+ target: "LucernAI/lucern",
691
+ environmentPolicy: "environment_specific"
692
+ }
693
+ ],
694
+ description: "Lucern-owned Langfuse public key paired with LANGFUSE_SECRET_KEY."
695
+ },
696
+ {
697
+ id: "platform.langfuse.base-url",
698
+ canonicalName: "LANGFUSE_BASE_URL",
699
+ aliases: ["LANGFUSE_BASEURL", "LANGFUSE_HOST"],
700
+ owner: "lucern_platform",
701
+ scope: "environment",
702
+ sourcePath: "/platform/observability/langfuse",
703
+ environmentPolicy: "environment_specific",
704
+ required: false,
705
+ secret: false,
706
+ public: false,
707
+ consumers: ["lucern-ai-runtime", "lucern-observability", "lucern-repo-ci"],
708
+ destinations: [
709
+ {
710
+ kind: "runtime_fetch",
711
+ target: "lucern-ai-runtime",
712
+ environmentPolicy: "environment_specific"
713
+ },
714
+ {
715
+ kind: "github_actions",
716
+ target: "LucernAI/lucern",
717
+ environmentPolicy: "environment_specific"
718
+ }
719
+ ],
720
+ description: "Canonical Langfuse API origin. BASEURL/HOST are compatibility aliases."
721
+ }
722
+ ];
723
+
724
+ export { PLATFORM_AI_SECRET_DEFINITIONS, PLATFORM_LANGFUSE_SECRET_DEFINITIONS, PLATFORM_SECRET_DEFINITIONS };
725
+ //# sourceMappingURL=infisical-runtime.platform-secrets.js.map
726
+ //# sourceMappingURL=infisical-runtime.platform-secrets.js.map