@lucern/contracts 1.0.11 → 1.0.13
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +7 -0
- package/dist/function-registry/beliefs.d.ts +1 -1
- package/dist/function-registry/beliefs.js +126 -10
- package/dist/function-registry/beliefs.js.map +1 -1
- package/dist/function-registry/coding.d.ts +1 -1
- package/dist/function-registry/coding.js +124 -8
- package/dist/function-registry/coding.js.map +1 -1
- package/dist/function-registry/context.d.ts +44 -4
- package/dist/function-registry/context.js +146 -8
- package/dist/function-registry/context.js.map +1 -1
- package/dist/function-registry/contracts.d.ts +1 -1
- package/dist/function-registry/contracts.js +124 -8
- package/dist/function-registry/contracts.js.map +1 -1
- package/dist/function-registry/coordination.d.ts +1 -1
- package/dist/function-registry/coordination.js +124 -8
- package/dist/function-registry/coordination.js.map +1 -1
- package/dist/function-registry/edges.d.ts +1 -1
- package/dist/function-registry/edges.js +124 -8
- package/dist/function-registry/edges.js.map +1 -1
- package/dist/function-registry/evidence.d.ts +1 -1
- package/dist/function-registry/evidence.js +309 -40
- package/dist/function-registry/evidence.js.map +1 -1
- package/dist/function-registry/graph.d.ts +1 -1
- package/dist/function-registry/graph.js +126 -12
- package/dist/function-registry/graph.js.map +1 -1
- package/dist/function-registry/helpers.js +124 -8
- package/dist/function-registry/helpers.js.map +1 -1
- package/dist/function-registry/identity.d.ts +1 -1
- package/dist/function-registry/identity.js +124 -8
- package/dist/function-registry/identity.js.map +1 -1
- package/dist/function-registry/index.js +124 -8
- package/dist/function-registry/index.js.map +1 -1
- package/dist/function-registry/judgments.d.ts +1 -1
- package/dist/function-registry/judgments.js +124 -8
- package/dist/function-registry/judgments.js.map +1 -1
- package/dist/function-registry/legacy.d.ts +1 -1
- package/dist/function-registry/legacy.js +124 -8
- package/dist/function-registry/legacy.js.map +1 -1
- package/dist/function-registry/lenses.d.ts +1 -1
- package/dist/function-registry/lenses.js +124 -8
- package/dist/function-registry/lenses.js.map +1 -1
- package/dist/function-registry/manifest.d.ts +10 -4
- package/dist/function-registry/manifest.js +14 -1
- package/dist/function-registry/manifest.js.map +1 -1
- package/dist/function-registry/nodes.d.ts +1 -1
- package/dist/function-registry/nodes.js +124 -8
- package/dist/function-registry/nodes.js.map +1 -1
- package/dist/function-registry/ontologies.d.ts +1 -1
- package/dist/function-registry/ontologies.js +124 -8
- package/dist/function-registry/ontologies.js.map +1 -1
- package/dist/function-registry/pipeline.d.ts +1 -1
- package/dist/function-registry/pipeline.js +124 -8
- package/dist/function-registry/pipeline.js.map +1 -1
- package/dist/function-registry/questions.d.ts +1 -1
- package/dist/function-registry/questions.js +124 -8
- package/dist/function-registry/questions.js.map +1 -1
- package/dist/function-registry/tasks.d.ts +1 -1
- package/dist/function-registry/tasks.js +124 -8
- package/dist/function-registry/tasks.js.map +1 -1
- package/dist/function-registry/topics.d.ts +1 -1
- package/dist/function-registry/topics.js +126 -12
- package/dist/function-registry/topics.js.map +1 -1
- package/dist/function-registry/types.d.ts +1 -1
- package/dist/function-registry/worktrees.d.ts +1 -1
- package/dist/function-registry/worktrees.js +124 -8
- package/dist/function-registry/worktrees.js.map +1 -1
- package/dist/generated/infisicalRuntimeEnv.js +536 -1
- package/dist/generated/infisicalRuntimeEnv.js.map +1 -1
- package/dist/index.d.ts +2 -1
- package/dist/index.js +941 -14
- package/dist/index.js.map +1 -1
- package/dist/infisical-runtime.base.d.ts +42 -1
- package/dist/infisical-runtime.base.js +50 -1
- package/dist/infisical-runtime.base.js.map +1 -1
- package/dist/infisical-runtime.contract.d.ts +102 -0
- package/dist/infisical-runtime.contract.js +170 -1
- package/dist/infisical-runtime.contract.js.map +1 -1
- package/dist/infisical-runtime.platform-secrets.d.ts +102 -0
- package/dist/infisical-runtime.platform-secrets.js +120 -0
- package/dist/infisical-runtime.platform-secrets.js.map +1 -1
- package/dist/infisical-runtime.tenant-secrets.js.map +1 -1
- package/dist/manifests/infisical-runtime-manifest.d.ts +144 -1
- package/dist/manifests/infisical-runtime-manifest.js +170 -1
- package/dist/manifests/infisical-runtime-manifest.js.map +1 -1
- package/dist/manifests/invariants/index.js +24 -5
- package/dist/manifests/invariants/index.js.map +1 -1
- package/dist/manifests/invariants/inv-1-beliefs-append-only.js +24 -5
- package/dist/manifests/invariants/inv-1-beliefs-append-only.js.map +1 -1
- package/dist/projections/check-convex-args-shape.js +138 -5
- package/dist/projections/check-convex-args-shape.js.map +1 -1
- package/dist/projections/create-evidence.projection.d.ts +168 -0
- package/dist/projections/create-evidence.projection.js +138 -5
- package/dist/projections/create-evidence.projection.js.map +1 -1
- package/dist/projections/index.d.ts +28 -0
- package/dist/projections/index.js +138 -5
- package/dist/projections/index.js.map +1 -1
- package/dist/proof-attestation.json +1 -1
- package/dist/schemas/manifest.d.ts +20 -20
- package/dist/schemas/tables/kernel/platform.d.ts +4 -4
- package/dist/sdk-methods.contract.d.ts +3 -2
- package/dist/sdk-tools.contract.js +110 -7
- package/dist/sdk-tools.contract.js.map +1 -1
- package/dist/sdk-tools.contract.registry.js +110 -7
- package/dist/sdk-tools.contract.registry.js.map +1 -1
- package/dist/sdk-tools.contract.values.js +110 -7
- package/dist/sdk-tools.contract.values.js.map +1 -1
- package/dist/tool-contracts.context-orientation.d.ts +5 -0
- package/dist/tool-contracts.context-orientation.js +57 -0
- package/dist/tool-contracts.context-orientation.js.map +1 -0
- package/dist/tool-contracts.d.ts +1 -0
- package/dist/tool-contracts.intelligence-evidence.js +26 -4
- package/dist/tool-contracts.intelligence-evidence.js.map +1 -1
- package/dist/tool-contracts.js +111 -8
- package/dist/tool-contracts.js.map +1 -1
- package/dist/tool-contracts.lifecycle.js +2 -2
- package/dist/tool-contracts.lifecycle.js.map +1 -1
- package/dist/tool-contracts.questions-listing.js +27 -1
- package/dist/tool-contracts.questions-listing.js.map +1 -1
- package/dist/{tool-contracts.values-DjctSW7S.d.ts → tool-contracts.values-BhxfrXS5.d.ts} +3 -1
- package/dist/tool-contracts.values.d.ts +1 -0
- package/dist/tool-contracts.values.js +111 -8
- package/dist/tool-contracts.values.js.map +1 -1
- package/package.json +1 -1
|
@@ -216,6 +216,47 @@ declare const INFISICAL_RUNTIME_PATHS: readonly [{
|
|
|
216
216
|
readonly public: false;
|
|
217
217
|
readonly description: "Optional web-issued CLI login session lifetime override in milliseconds.";
|
|
218
218
|
}];
|
|
219
|
+
}, {
|
|
220
|
+
readonly id: "platform-permit";
|
|
221
|
+
readonly secretPath: "/platform/permit";
|
|
222
|
+
readonly description: "Permit runtime configuration for policy enforcement and embedded Permit Elements.";
|
|
223
|
+
readonly variables: readonly [{
|
|
224
|
+
readonly name: "LUCERN_PERMIT_ELEMENTS_ENV_ID";
|
|
225
|
+
readonly required: false;
|
|
226
|
+
readonly secret: false;
|
|
227
|
+
readonly public: false;
|
|
228
|
+
readonly description: "Permit environment id used by Lucern web to authenticate embedded Permit Elements.";
|
|
229
|
+
}, {
|
|
230
|
+
readonly name: "LUCERN_PERMIT_ELEMENTS_JWT_TEMPLATE";
|
|
231
|
+
readonly required: false;
|
|
232
|
+
readonly secret: false;
|
|
233
|
+
readonly public: false;
|
|
234
|
+
readonly description: "Optional Clerk JWT template name for Permit Elements frontendOnly login.";
|
|
235
|
+
}, {
|
|
236
|
+
readonly name: "LUCERN_PERMIT_ELEMENTS_USER_MANAGEMENT_URL";
|
|
237
|
+
readonly required: false;
|
|
238
|
+
readonly secret: false;
|
|
239
|
+
readonly public: false;
|
|
240
|
+
readonly description: "Permit Elements dashboard iframe URL for user and group management.";
|
|
241
|
+
}, {
|
|
242
|
+
readonly name: "LUCERN_PERMIT_ELEMENTS_AUDIT_LOGS_URL";
|
|
243
|
+
readonly required: false;
|
|
244
|
+
readonly secret: false;
|
|
245
|
+
readonly public: false;
|
|
246
|
+
readonly description: "Permit Elements dashboard iframe URL for audit logs.";
|
|
247
|
+
}, {
|
|
248
|
+
readonly name: "LUCERN_PERMIT_ELEMENTS_ACCESS_REQUEST_URL";
|
|
249
|
+
readonly required: false;
|
|
250
|
+
readonly secret: false;
|
|
251
|
+
readonly public: false;
|
|
252
|
+
readonly description: "Permit Elements dashboard iframe URL for access requests.";
|
|
253
|
+
}, {
|
|
254
|
+
readonly name: "LUCERN_PERMIT_ELEMENTS_APPROVALS_URL";
|
|
255
|
+
readonly required: false;
|
|
256
|
+
readonly secret: false;
|
|
257
|
+
readonly public: false;
|
|
258
|
+
readonly description: "Permit Elements dashboard iframe URL for approval management.";
|
|
259
|
+
}];
|
|
219
260
|
}, {
|
|
220
261
|
readonly id: "platform-operator-credentials";
|
|
221
262
|
readonly secretPath: "/platform/runtime";
|
|
@@ -254,7 +295,7 @@ type InfisicalRuntimeSurfaceDefinition = {
|
|
|
254
295
|
declare const INFISICAL_RUNTIME_SURFACES: readonly [{
|
|
255
296
|
readonly id: "lucern-web";
|
|
256
297
|
readonly delivery: "vercel_sync";
|
|
257
|
-
readonly sourcePathIds: readonly ["platform-auth", "platform-runtime"];
|
|
298
|
+
readonly sourcePathIds: readonly ["platform-auth", "platform-runtime", "platform-permit"];
|
|
258
299
|
readonly consumer: "apps/web on Vercel project lucern";
|
|
259
300
|
readonly description: "Lucern web consumes Clerk and runtime config via Infisical-to-Vercel syncs.";
|
|
260
301
|
}, {
|
|
@@ -376,6 +376,55 @@ var INFISICAL_RUNTIME_PATHS = [
|
|
|
376
376
|
}
|
|
377
377
|
]
|
|
378
378
|
},
|
|
379
|
+
{
|
|
380
|
+
id: "platform-permit",
|
|
381
|
+
secretPath: "/platform/permit",
|
|
382
|
+
description: "Permit runtime configuration for policy enforcement and embedded Permit Elements.",
|
|
383
|
+
variables: [
|
|
384
|
+
{
|
|
385
|
+
name: "LUCERN_PERMIT_ELEMENTS_ENV_ID",
|
|
386
|
+
required: false,
|
|
387
|
+
secret: false,
|
|
388
|
+
public: false,
|
|
389
|
+
description: "Permit environment id used by Lucern web to authenticate embedded Permit Elements."
|
|
390
|
+
},
|
|
391
|
+
{
|
|
392
|
+
name: "LUCERN_PERMIT_ELEMENTS_JWT_TEMPLATE",
|
|
393
|
+
required: false,
|
|
394
|
+
secret: false,
|
|
395
|
+
public: false,
|
|
396
|
+
description: "Optional Clerk JWT template name for Permit Elements frontendOnly login."
|
|
397
|
+
},
|
|
398
|
+
{
|
|
399
|
+
name: "LUCERN_PERMIT_ELEMENTS_USER_MANAGEMENT_URL",
|
|
400
|
+
required: false,
|
|
401
|
+
secret: false,
|
|
402
|
+
public: false,
|
|
403
|
+
description: "Permit Elements dashboard iframe URL for user and group management."
|
|
404
|
+
},
|
|
405
|
+
{
|
|
406
|
+
name: "LUCERN_PERMIT_ELEMENTS_AUDIT_LOGS_URL",
|
|
407
|
+
required: false,
|
|
408
|
+
secret: false,
|
|
409
|
+
public: false,
|
|
410
|
+
description: "Permit Elements dashboard iframe URL for audit logs."
|
|
411
|
+
},
|
|
412
|
+
{
|
|
413
|
+
name: "LUCERN_PERMIT_ELEMENTS_ACCESS_REQUEST_URL",
|
|
414
|
+
required: false,
|
|
415
|
+
secret: false,
|
|
416
|
+
public: false,
|
|
417
|
+
description: "Permit Elements dashboard iframe URL for access requests."
|
|
418
|
+
},
|
|
419
|
+
{
|
|
420
|
+
name: "LUCERN_PERMIT_ELEMENTS_APPROVALS_URL",
|
|
421
|
+
required: false,
|
|
422
|
+
secret: false,
|
|
423
|
+
public: false,
|
|
424
|
+
description: "Permit Elements dashboard iframe URL for approval management."
|
|
425
|
+
}
|
|
426
|
+
]
|
|
427
|
+
},
|
|
379
428
|
{
|
|
380
429
|
id: "platform-operator-credentials",
|
|
381
430
|
secretPath: "/platform/runtime",
|
|
@@ -410,7 +459,7 @@ var INFISICAL_RUNTIME_SURFACES = [
|
|
|
410
459
|
{
|
|
411
460
|
id: "lucern-web",
|
|
412
461
|
delivery: "vercel_sync",
|
|
413
|
-
sourcePathIds: ["platform-auth", "platform-runtime"],
|
|
462
|
+
sourcePathIds: ["platform-auth", "platform-runtime", "platform-permit"],
|
|
414
463
|
consumer: "apps/web on Vercel project lucern",
|
|
415
464
|
description: "Lucern web consumes Clerk and runtime config via Infisical-to-Vercel syncs."
|
|
416
465
|
},
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../src/tenant-client.contract.ts","../src/infisical-runtime.base.ts"],"names":[],"mappings":";AA8DO,IAAM,0CAAA,GACX,gBAAA;AAUK,IAAM,kCAAA,GAAqC;AAAA,EAChD;AAAA,IACE,WAAA,EAAa,wBAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,eAAA;AAAA,IACb,IAAA,EAAM,kBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,cAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,aAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,qBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,oBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,gBAAA;AAAA,IACb,IAAA,EAAM,eAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,mBAAA;AAAA,IACb,IAAA,EAAM,qBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,uBAAA;AAAA,IACb,IAAA,EAAM,mBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,uBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,gBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,0BAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,oBAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,aAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,mBAAA;AAAA,IACb,IAAA,EAAM,kBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,wBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,wBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,eAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,0BAAA;AAAA,IACb,IAAA,EAAM,mBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,aAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,iBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,qBAAA;AAAA,IACb,IAAA,EAAM,kBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,iBAAA;AAAA,IACb,IAAA,EAAM,cAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,wBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,eAAA;AAAA,IACb,IAAA,EAAM,qBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA;AAExB,CAAA;AAyBE,kCAAA,CAAmC,GAAA;AAAA,EACjC,CAAC,UAAU,KAAA,CAAM;AACnB;;;ACrNK,IAAM,kCAAA,GAAqC;AAE3C,IAAM,iCAAA,GACX;AACK,IAAM,oCAAA,GACX;AAEK,IAAM,8BAAA,GAAiC;AAAA,EAC5C,KAAA;AAAA,EACA,SAAA;AAAA,EACA;AACF;AAIO,IAAM,gCAAA,GAAmC;AAAA,EAC9C,aAAA;AAAA,EACA,eAAA;AAAA,EACA;AACF;AAIO,IAAM,yCAAA,GAA4C;AAAA,EACvD,aAAA;AAAA,EACA,SAAA;AAAA,EACA,SAAA;AAAA,EACA;AACF;AAIO,IAAM,wBAAA,GAA2B;AAAA,EACtC,aAAA;AAAA,EACA,SAAA;AAAA,EACA;AACF;AAGO,IAAM,sBAAA,GAAyB,CAAC,SAAA,EAAW,MAAM;AAGjD,IAAM,2CAAA,GAA8C;AAAA,EACzD,WAAA,EAAa,SAAA;AAAA,EACb,OAAA,EAAS,SAAA;AAAA,EACT,OAAA,EAAS,SAAA;AAAA,EACT,UAAA,EAAY;AACd;AAcO,IAAM,oCAAA,GAAuC;AAAA,EAClD,aAAA,EAAe,WAAA;AAAA,EACf,MAAA,EAAQ,YAAA;AAAA,EACR,qBAAA,EAAuB,KAAA;AAAA,EACvB,oBAAA,EAAsB;AACxB;AAEO,IAAM,kCAAA,GAAqC;AAAA,EAChD;AAAA,IACE,WAAA,EAAa,aAAA;AAAA,IACb,YAAA,EAAc,aAAA;AAAA,IACd,UAAA,EAAY;AAAA,GACd;AAAA,EACA;AAAA,IACE,WAAA,EAAa,SAAA;AAAA,IACb,YAAA,EAAc,SAAA;AAAA,IACd,UAAA,EAAY;AAAA,GACd;AAAA,EACA;AAAA,IACE,WAAA,EAAa,SAAA;AAAA,IACb,YAAA,EAAc,SAAA;AAAA,IACd,UAAA,EAAY,SAAA;AAAA,IACZ,qBAAA,EAAuB,SAAA;AAAA,IACvB,iCAAA,EAAmC;AAAA,MACjC,OAAA,EAAS;AAAA,KACX;AAAA,IACA,oBAAA,EAAsB;AAAA,MACpB,OAAA,EAAS;AAAA;AACX,GACF;AAAA,EACA;AAAA,IACE,WAAA,EAAa,YAAA;AAAA,IACb,YAAA,EAAc,YAAA;AAAA,IACd,UAAA,EAAY;AAAA;AAEhB;AAEO,IAAM,6BAAA,GAAgC;AAAA,EAC3C,YAAA;AAAA,EACA,gBAAA;AAAA,EACA,YAAA;AAAA,EACA,YAAA;AAAA,EACA,YAAA;AAAA,EACA;AACF;AAIO,IAAM,+BAAA,GAAkC;AAAA,EAC7C,MAAA,EAAQ,CAAC,mBAAA,EAAqB,eAAe,CAAA;AAAA,EAC7C,SAAA,EAAW,CAAC,sBAAA,EAAwB,wBAAwB,CAAA;AAAA,EAC5D,QAAA,EAAU;AAAA,IACR,qBAAA;AAAA,IACA,6BAAA;AAAA,IACA;AAAA,GACF;AAAA,EACA,YAAA,EAAc;AAAA,IACZ,yBAAA;AAAA,IACA,iCAAA;AAAA,IACA;AAAA,GACF;AAAA,EACA,WAAA,EAAa,CAAC,eAAA,EAAiB,sBAAsB,CAAA;AAAA,EACrD,gBAAA,EAAkB,CAAC,oBAAA,EAAsB,6BAA6B,CAAA;AAAA,EACtE,QAAA,EAAU,CAAC,0BAAA,EAA4B,mBAAmB;AAC5D;AAIO,IAAM,6BAAA,GAAgC;AAAA,EAC3C;AAAA,IACE,IAAA,EAAM,UAAA;AAAA,IACN,QAAA,EAAU,WAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,IAAA,EAAM,IAAA;AAAA,IACN,QAAA,EAAU,IAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,IAAA,EAAM,QAAA;AAAA,IACN,QAAA,EAAU,QAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,IAAA,EAAM,YAAA;AAAA,IACN,QAAA,EAAU,QAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,IAAA,EAAM,YAAA;AAAA,IACN,QAAA,EAAU,QAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,IAAA,EAAM,uBAAA;AAAA,IACN,QAAA,EAAU,QAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,IAAA,EAAM,cAAA;AAAA,IACN,QAAA,EAAU,QAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,IAAA,EAAM,MAAA;AAAA,IACN,QAAA,EAAU,WAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,IAAA,EAAM,MAAA;AAAA,IACN,QAAA,EAAU,WAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,IAAA,EAAM,SAAA;AAAA,IACN,QAAA,EAAU,eAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,IAAA,EAAM,qBAAA;AAAA,IACN,QAAA,EAAU,eAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,IAAA,EAAM,oBAAA;AAAA,IACN,QAAA,EAAU,aAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,IAAA,EAAM,MAAA;AAAA,IACN,QAAA,EAAU,IAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,IAAA,EAAM,aAAA;AAAA,IACN,QAAA,EAAU,IAAA;AAAA,IACV,WAAA,EACE;AAAA;AAEN;AAoBO,IAAM,uBAAA,GAA0B;AAAA,EACrC;AAAA,IACE,EAAA,EAAI,eAAA;AAAA,IACJ,UAAA,EAAY,gBAAA;AAAA,IACZ,WAAA,EACE,qHAAA;AAAA,IACF,SAAA,EAAW;AAAA,MACT;AAAA,QACE,IAAA,EAAM,mCAAA;AAAA,QACN,QAAA,EAAU,IAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,IAAA;AAAA,QACR,WAAA,EAAa;AAAA,OACf;AAAA,MACA;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,QAAA,EAAU,IAAA;AAAA,QACV,MAAA,EAAQ,IAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,WAAA,EAAa;AAAA,OACf;AAAA,MACA;AAAA,QACE,IAAA,EAAM,yBAAA;AAAA,QACN,QAAA,EAAU,KAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,WAAA,EAAa;AAAA,OACf;AAAA,MACA;AAAA,QACE,IAAA,EAAM,+BAAA;AAAA,QACN,QAAA,EAAU,KAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,IAAA;AAAA,QACR,WAAA,EAAa;AAAA,OACf;AAAA,MACA;AAAA,QACE,IAAA,EAAM,+BAAA;AAAA,QACN,QAAA,EAAU,KAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,IAAA;AAAA,QACR,WAAA,EAAa;AAAA;AACf;AACF,GACF;AAAA,EACA;AAAA,IACE,EAAA,EAAI,kBAAA;AAAA,IACJ,UAAA,EAAY,mBAAA;AAAA,IACZ,WAAA,EACE,6EAAA;AAAA,IACF,SAAA,EAAW;AAAA,MACT;AAAA,QACE,IAAA,EAAM,gBAAA;AAAA,QACN,QAAA,EAAU,IAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,OAAA,EAAS,CAAC,qBAAA,EAAuB,iBAAiB,CAAA;AAAA,QAClD,WAAA,EAAa;AAAA,OACf;AAAA,MACA;AAAA,QACE,IAAA,EAAM,uBAAA;AAAA,QACN,QAAA,EAAU,KAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,OAAA,EAAS,CAAC,sBAAsB,CAAA;AAAA,QAChC,WAAA,EAAa;AAAA,OACf;AAAA,MACA;AAAA,QACE,IAAA,EAAM,oBAAA;AAAA,QACN,QAAA,EAAU,KAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,OAAA,EAAS,CAAC,YAAY,CAAA;AAAA,QACtB,WAAA,EAAa;AAAA,OACf;AAAA,MACA;AAAA,QACE,IAAA,EAAM,2BAAA;AAAA,QACN,QAAA,EAAU,KAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,WAAA,EACE;AAAA;AACJ;AACF,GACF;AAAA,EACA;AAAA,IACE,EAAA,EAAI,+BAAA;AAAA,IACJ,UAAA,EAAY,mBAAA;AAAA,IACZ,WAAA,EACE,iFAAA;AAAA,IACF,SAAA,EAAW;AAAA,MACT;AAAA,QACE,IAAA,EAAM,gBAAA;AAAA,QACN,QAAA,EAAU,KAAA;AAAA,QACV,MAAA,EAAQ,IAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,OAAA,EAAS,CAAC,YAAY,CAAA;AAAA,QACtB,WAAA,EACE;AAAA;AACJ;AACF,GACF;AAAA,EACA;AAAA,IACE,EAAA,EAAI,uBAAA;AAAA,IACJ,UAAA,EAAY,0CAAA;AAAA,IACZ,WAAA,EACE,sGAAA;AAAA,IACF,SAAA,EAAW;AAAA,MACT;AAAA,QACE,IAAA,EAAM,oBAAA;AAAA,QACN,QAAA,EAAU,IAAA;AAAA,QACV,MAAA,EAAQ,IAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,WAAA,EACE;AAAA;AACJ;AACF;AAEJ;AAcO,IAAM,0BAAA,GAA6B;AAAA,EACxC;AAAA,IACE,EAAA,EAAI,YAAA;AAAA,IACJ,QAAA,EAAU,aAAA;AAAA,IACV,aAAA,EAAe,CAAC,eAAA,EAAiB,kBAAkB,CAAA;AAAA,IACnD,QAAA,EAAU,mCAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,gBAAA;AAAA,IACJ,QAAA,EAAU,aAAA;AAAA,IACV,QAAA,EAAU,eAAA;AAAA,IACV,aAAA,EAAe,CAAC,eAAA,EAAiB,kBAAkB,CAAA;AAAA,IACnD,QAAA,EAAU,+CAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,YAAA;AAAA,IACJ,WAAA,EAAa,aAAA;AAAA,IACb,QAAA,EAAU,eAAA;AAAA,IACV,aAAA,EAAe,CAAC,kBAAA,EAAoB,+BAA+B,CAAA;AAAA,IACnE,QAAA,EACE,oEAAA;AAAA,IACF,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,YAAA;AAAA,IACJ,WAAA,EAAa,aAAA;AAAA,IACb,QAAA,EAAU,eAAA;AAAA,IACV,QAAA,EAAU,aAAA;AAAA,IACV,aAAA,EAAe,CAAC,kBAAA,EAAoB,+BAA+B,CAAA;AAAA,IACnE,QAAA,EAAU,kCAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,YAAA;AAAA,IACJ,WAAA,EAAa,aAAA;AAAA,IACb,QAAA,EAAU,eAAA;AAAA,IACV,QAAA,EAAU,aAAA;AAAA,IACV,aAAA,EAAe,CAAC,kBAAA,EAAoB,+BAA+B,CAAA;AAAA,IACnE,QAAA,EAAU,6BAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,eAAA;AAAA,IACJ,QAAA,EAAU,aAAA;AAAA,IACV,aAAA,EAAe,CAAC,uBAAuB,CAAA;AAAA,IACvC,QAAA,EAAU,qCAAA;AAAA,IACV,WAAA,EACE;AAAA;AAEN;AA0BO,IAAM,iCAAA,GAAoC;AAAA,EAC/C;AAAA,IACE,EAAA,EAAI,gBAAA;AAAA,IACJ,SAAA,EAAW,OAAA;AAAA,IACX,YAAA,EAAc,UAAA;AAAA,IACd,iBAAA,EAAmB,iBAAA;AAAA,IACnB,YAAA,EAAc,+BAAA;AAAA,IACd,eAAA,EAAiB,kCAAA;AAAA,IACjB,oBAAA,EAAsB,oBAAA;AAAA,IACtB,UAAA,EAAY;AAAA,MACV,KAAA,EAAO,UAAA;AAAA,MACP,IAAA,EAAM;AAAA,KACR;AAAA,IACA,gBAAA,EAAkB,gBAAA;AAAA,IAClB,oBAAA,EAAsB,2BAAA;AAAA,IACtB,MAAA,EAAQ;AAAA,MACN,MAAA,EAAQ,qBAAA;AAAA,MACR,YAAA,EAAc,4BAAA;AAAA,MACd,iBAAA,EAAmB,oBAAA;AAAA,MACnB,cAAA,EAAgB;AAAA;AAClB,GACF;AAAA,EACA;AAAA,IACE,EAAA,EAAI,SAAA;AAAA,IACJ,SAAA,EAAW,OAAA;AAAA,IACX,YAAA,EAAc,SAAA;AAAA,IACd,iBAAA,EAAmB,SAAA;AAAA,IACnB,YAAA,EAAc,+BAAA;AAAA,IACd,eAAA,EAAiB,kCAAA;AAAA,IACjB,oBAAA,EAAsB,oBAAA;AAAA,IACtB,UAAA,EAAY;AAAA,MACV,KAAA,EAAO,UAAA;AAAA,MACP,IAAA,EAAM;AAAA,KACR;AAAA,IACA,gBAAA,EAAkB,gBAAA;AAAA,IAClB,oBAAA,EAAsB,2BAAA;AAAA,IACtB,MAAA,EAAQ;AAAA,MACN,MAAA,EAAQ,oBAAA;AAAA,MACR,YAAA,EAAc,2BAAA;AAAA,MACd,iBAAA,EAAmB,oBAAA;AAAA,MACnB,cAAA,EAAgB;AAAA;AAClB,GACF;AAAA,EACA;AAAA,IACE,EAAA,EAAI,WAAA;AAAA,IACJ,SAAA,EAAW,OAAA;AAAA,IACX,YAAA,EAAc,aAAA;AAAA,IACd,iBAAA,EAAmB,2BAAA;AAAA,IACnB,YAAA,EAAc,+BAAA;AAAA,IACd,eAAA,EAAiB,kCAAA;AAAA,IACjB,oBAAA,EAAsB,oBAAA;AAAA,IACtB,UAAA,EAAY;AAAA,MACV,KAAA,EAAO,UAAA;AAAA,MACP,IAAA,EAAM;AAAA,KACR;AAAA,IACA,gBAAA,EAAkB,4BAAA;AAAA,IAClB,oBAAA,EAAsB,2BAAA;AAAA,IACtB,MAAA,EAAQ;AAAA,MACN,MAAA,EAAQ,sBAAA;AAAA,MACR,YAAA,EAAc,6BAAA;AAAA,MACd,iBAAA,EAAmB,kBAAA;AAAA,MACnB,cAAA,EAAgB;AAAA;AAClB,GACF;AAAA,EACA;AAAA,IACE,EAAA,EAAI,cAAA;AAAA,IACJ,SAAA,EAAW,QAAA;AAAA,IACX,YAAA,EAAc,QAAA;AAAA,IACd,iBAAA,EAAmB,cAAA;AAAA,IACnB,YAAA,EAAc,+BAAA;AAAA,IACd,eAAA,EAAiB,kCAAA;AAAA,IACjB,oBAAA,EAAsB,qBAAA;AAAA,IACtB,UAAA,EAAY;AAAA,MACV,KAAA,EAAO,UAAA;AAAA,MACP,IAAA,EAAM;AAAA,KACR;AAAA,IACA,gBAAA,EAAkB,wBAAA;AAAA,IAClB,oBAAA,EAAsB,2BAAA;AAAA,IACtB,MAAA,EAAQ;AAAA,MACN,MAAA,EAAQ,mBAAA;AAAA,MACR,YAAA,EAAc,0BAAA;AAAA,MACd,iBAAA,EAAmB,oBAAA;AAAA,MACnB,cAAA,EAAgB;AAAA;AAClB;AAEJ;AAMO,SAAS,kCACd,QAAA,EAC2C;AAC3C,EAAA,OAAO,iCAAA,CAAkC,IAAA;AAAA,IACvC,CAAC,MAAA,KAAW,MAAA,CAAO,EAAA,KAAO;AAAA,GAC5B;AACF;AAEO,SAAS,mCACd,QAAA,EAC2B;AAC3B,EAAA,MAAM,MAAA,GAAS,kCAAkC,QAAQ,CAAA;AACzD,EAAA,IAAI,CAAC,MAAA,EAAQ;AACX,IAAA,MAAM,IAAI,KAAA,CAAM,CAAA,gCAAA,EAAmC,QAAQ,CAAA,CAAA,CAAG,CAAA;AAAA,EAChE;AACA,EAAA,OAAO,CAAC,MAAA,CAAO,MAAA,CAAO,MAAA,EAAQ,MAAA,CAAO,OAAO,YAAY,CAAA;AAC1D;AAEO,SAAS,qCAAA,CACd,UACA,OAAA,EACS;AACT,EAAA,OAAO,kCAAA,CAAmC,QAAQ,CAAA,CAAE,QAAA,CAAS,OAAO,CAAA;AACtE;AAEO,SAAS,0CACd,WAAA,EACqB;AACrB,EAAA,OAAO,4CAA4C,WAAW,CAAA;AAChE;AAEO,SAAS,mCACd,WAAA,EAC4C;AAC5C,EAAA,OAAO,kCAAA,CAAmC,IAAA;AAAA,IACxC,CAAC,WAAA,KAAgB,WAAA,CAAY,WAAA,KAAgB;AAAA,GAC/C;AACF;AAEO,SAAS,gDAAA,CACd,UACA,WAAA,EACoB;AACpB,EAAA,MAAM,MAAA,GAAS,kCAAkC,QAAQ,CAAA;AACzD,EAAA,MAAM,WAAA,GAAc,mCAAmC,WAAW,CAAA;AAClE,EAAA,IAAI,CAAC,MAAA,IAAU,CAAC,WAAA,EAAa;AAC3B,IAAA,OAAO,MAAA;AAAA,EACT;AACA,EAAA,OAAO,WAAA,CAAY,iCAAA,GACjB,MAAA,CAAO,iBACT,CAAA;AACF;AAEO,SAAS,kDAAA,CACd,UACA,WAAA,EACQ;AACR,EAAA,MAAM,MAAA,GAAS,kCAAkC,QAAQ,CAAA;AACzD,EAAA,IAAI,CAAC,MAAA,EAAQ;AACX,IAAA,MAAM,IAAI,KAAA,CAAM,CAAA,gCAAA,EAAmC,QAAQ,CAAA,CAAA,CAAG,CAAA;AAAA,EAChE;AACA,EAAA,OAAO,yCAAA,CAA0C,WAAW,CAAA,KAAM,MAAA,GAC9D,OAAO,MAAA,CAAO,cAAA,GACd,OAAO,MAAA,CAAO,iBAAA;AACpB;AAEO,SAAS,yBACd,MAAA,EACkC;AAClC,EAAA,OAAO,wBAAwB,IAAA,CAAK,CAAC,IAAA,KAAS,IAAA,CAAK,OAAO,MAAM,CAAA;AAClE;AAEO,SAAS,4BACd,SAAA,EACqC;AACrC,EAAA,OAAO,2BAA2B,IAAA,CAAK,CAAC,OAAA,KAAY,OAAA,CAAQ,OAAO,SAAS,CAAA;AAC9E;AAEO,IAAM,uBAAA,GAA0B;AAAA,EACrC,iBAAA;AAAA,EACA,QAAA;AAAA,EACA,UAAA;AAAA,EACA;AACF;AAGO,IAAM,uBAAA,GAA0B;AAAA,EACrC,QAAA;AAAA,EACA,aAAA;AAAA,EACA,QAAA;AAAA,EACA,WAAA;AAAA,EACA,iBAAA;AAAA,EACA,YAAA;AAAA,EACA;AACF;AAGO,IAAM,qCAAA,GAAwC;AAAA,EACnD,uBAAA;AAAA,EACA,sBAAA;AAAA,EACA,2BAAA;AAAA,EACA;AACF;AAIO,IAAM,0BAAA,GAA6B;AAAA,EACxC,YAAA;AAAA,EACA,gBAAA;AAAA,EACA,YAAA;AAAA,EACA,YAAA;AAAA,EACA,YAAA;AAAA,EACA,cAAA;AAAA,EACA,oBAAA;AAAA,EACA,mBAAA;AAAA,EACA,mBAAA;AAAA,EACA,sBAAA;AAAA,EACA,gBAAA;AAAA,EACA,WAAA;AAAA,EACA,qBAAA;AAAA,EACA,mBAAA;AAAA,EACA,0BAAA;AAAA,EACA,mBAAA;AAAA,EACA,mBAAA;AAAA,EACA,sBAAA;AAAA,EACA,qBAAA;AAAA,EACA,uBAAA;AAAA,EACA;AACF;AAGO,IAAM,kCAAA,GAAqC;AAAA,EAChD,QAAA;AAAA,EACA,QAAA;AAAA,EACA,gBAAA;AAAA,EACA,eAAA;AAAA,EACA;AACF","file":"infisical-runtime.base.js","sourcesContent":["/**\n * Tenant client contract\n *\n * Defines the generic boundary for any customer-owned product that consumes\n * Lucern through the SDK, hosted API, or MCP server. Tenant clients may run\n * their own UI, auth provider, deployment, and data plane, but reasoning\n * operations must enter through the published packages below.\n */\n\nimport type {\n SessionAuthMode,\n SessionPrincipalType,\n} from \"./auth.contract\";\n\nexport const TENANT_CLIENT_CONTRACT_VERSION = \"2026-04-27\" as const;\n\nexport const TENANT_CLIENT_AUTH_MODES = [\n \"interactive_user\",\n \"service_principal\",\n \"tenant_api_key\",\n \"session_token\",\n] as const satisfies readonly SessionAuthMode[];\nexport type TenantClientAuthMode = (typeof TENANT_CLIENT_AUTH_MODES)[number];\n\nexport const TENANT_CLIENT_PRINCIPAL_TYPES = [\n \"human\",\n \"service\",\n \"agent\",\n \"group\",\n \"external_viewer\",\n] as const satisfies readonly SessionPrincipalType[];\nexport type TenantClientPrincipalType =\n (typeof TENANT_CLIENT_PRINCIPAL_TYPES)[number];\n\nexport const TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS = [\n \"tenantId\",\n \"workspaceId\",\n \"principalId\",\n \"authMode\",\n \"scopes\",\n] as const;\nexport type TenantClientRequiredContextField =\n (typeof TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS)[number];\n\nexport const TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS = [\n \"clerkId\",\n \"principalType\",\n \"roles\",\n \"groupIds\",\n \"permittedToolNames\",\n \"permittedPackKeys\",\n \"principalStatus\",\n \"tenantStatus\",\n \"workspaceStatus\",\n \"permit\",\n \"sessionId\",\n \"delegationChain\",\n] as const;\nexport type TenantClientOptionalContextField =\n (typeof TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS)[number];\n\nexport const TENANT_CLIENT_INSTALL_TOKEN_ENV = \"INSTALL_LUCERN_NPM\" as const;\nexport const TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH =\n \"tenants/shared\" as const;\nexport const TENANT_CLIENT_FORBIDDEN_INSTALL_TOKEN_INFISICAL_PATHS = [\n \"/platform/publish\",\n] as const;\nexport const TENANT_CLIENT_FORBIDDEN_SECRET_ENV = [\"NPM_TOKEN\"] as const;\nexport type TenantClientForbiddenInstallTokenInfisicalPath =\n (typeof TENANT_CLIENT_FORBIDDEN_INSTALL_TOKEN_INFISICAL_PATHS)[number];\nexport type TenantClientForbiddenSecretEnv =\n (typeof TENANT_CLIENT_FORBIDDEN_SECRET_ENV)[number];\n\nexport const TENANT_CLIENT_INSTALLABLE_PACKAGES = [\n {\n packageName: \"@lucern/access-control\",\n role: \"runtime_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/agent\",\n role: \"platform_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/auth\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/cli\",\n role: \"developer_tool\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/client-core\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/confidence\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/config\",\n role: \"configuration\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/contracts\",\n role: \"contract_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/control-plane\",\n role: \"component_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/developer-kit\",\n role: \"developer_tool\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/events\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/graph-primitives\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/graph-sync\",\n role: \"host_addon_runtime\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/mcp\",\n role: \"runtime_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/pack-host\",\n role: \"platform_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/pack-installer\",\n role: \"developer_tool\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/proof-compiler\",\n role: \"developer_tool\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/react\",\n role: \"runtime_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/reasoning-kernel\",\n role: \"component_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/sdk\",\n role: \"runtime_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/secrets\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/server-core\",\n role: \"platform_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/testing\",\n role: \"test_support\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/transport-core\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/types\",\n role: \"contract_entrypoint\",\n directTenantImport: true,\n },\n] as const;\nexport type TenantClientInstallablePackage =\n (typeof TENANT_CLIENT_INSTALLABLE_PACKAGES)[number];\nexport type TenantClientPackageRole = TenantClientInstallablePackage[\"role\"];\nexport type TenantClientInstallablePackageName =\n TenantClientInstallablePackage[\"packageName\"];\n\n/**\n * Direct package installs are package.json entries owned by the tenant repo.\n * Direct imports are source-code imports that tenant application code may use.\n *\n * These concepts intentionally differ: `@lucern/cli` is a direct install when a\n * tenant repo needs the `lucern` binary, but it is not a direct application\n * import. `@lucern/reasoning-kernel` and `@lucern/control-plane` are direct installs\n * for Convex component binding, while tenant app code should only import their\n * explicit component config subpaths.\n */\nexport type TenantClientInstallProfile = {\n id: string;\n description: string;\n packageNames: readonly TenantClientInstallablePackageName[];\n dependencyField: \"dependencies\" | \"devDependencies\" | \"mixed\";\n};\n\nexport const TENANT_CLIENT_FULL_SUITE_PACKAGE_NAMES =\n TENANT_CLIENT_INSTALLABLE_PACKAGES.map(\n (entry) => entry.packageName\n ) as readonly TenantClientInstallablePackageName[];\n\nexport const TENANT_CLIENT_INSTALL_PROFILES = [\n {\n id: \"core_app_runtime\",\n description:\n \"Smallest tenant app/runtime install for typed Lucern API calls plus tool-access policy helpers.\",\n packageNames: [\"@lucern/sdk\", \"@lucern/access-control\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"react_app_runtime\",\n description:\n \"React tenant app install for hooks, provider, curated graph components, and direct SDK calls.\",\n packageNames: [\"@lucern/react\", \"@lucern/sdk\", \"@lucern/access-control\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"convex_components\",\n description:\n \"Tenant Convex host install for binding the Lucern control-plane and reasoning-kernel components.\",\n packageNames: [\"@lucern/control-plane\", \"@lucern/reasoning-kernel\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"graph_mirroring_addon\",\n description:\n \"Optional tenant Convex host install for Neo4j graph projection, edge topology writes, backfill, health checks, and query proxy helpers.\",\n packageNames: [\"@lucern/graph-sync\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"operator_cli\",\n description:\n \"Developer/operator install for the `lucern` binary, including tenant bootstrap seed commands.\",\n packageNames: [\"@lucern/cli\"],\n dependencyField: \"devDependencies\",\n },\n {\n id: \"mcp_runtime\",\n description:\n \"Agent runtime install for the standalone Lucern MCP server and hosted route helpers.\",\n packageNames: [\"@lucern/mcp\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"contracts_and_types\",\n description:\n \"Compile-time contract/type install for codegen, audits, and tenant integration validation.\",\n packageNames: [\"@lucern/contracts\", \"@lucern/types\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"full_suite\",\n description:\n \"Full coherent Lucern package suite for design-partner repos that want every published runtime, tool, component, test, and config package pinned together.\",\n packageNames: TENANT_CLIENT_FULL_SUITE_PACKAGE_NAMES,\n dependencyField: \"mixed\",\n },\n] as const satisfies readonly TenantClientInstallProfile[];\nexport type TenantClientInstallProfileId =\n (typeof TENANT_CLIENT_INSTALL_PROFILES)[number][\"id\"];\n\n/**\n * Direct imports tenant-owned product code may use. This is intentionally\n * smaller than TENANT_CLIENT_INSTALLABLE_PACKAGES: several publishable packages\n * are installed as SDK dependencies, tooling, or platform runtimes but should\n * not become the application integration surface.\n */\nexport const TENANT_CLIENT_PUBLIC_IMPORTS = [\n {\n packageName: \"@lucern/sdk\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description: \"TypeScript SDK runtime and generated operation namespaces.\",\n },\n {\n packageName: \"@lucern/react\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description: \"React bindings for tenant-owned UI applications.\",\n },\n {\n packageName: \"@lucern/mcp\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description: \"MCP client/server entry points and hosted route helpers.\",\n },\n {\n packageName: \"@lucern/graph-sync\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description:\n \"Optional Neo4j graph mirroring host actions, edge API, query proxy, backfill, and health helpers.\",\n },\n {\n packageName: \"@lucern/contracts\",\n surface: \"contract\",\n subpaths: \"published_exports\",\n description: \"Published type and manifest contracts.\",\n },\n {\n packageName: \"@lucern/access-control\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description:\n \"Tenant runtime access-control helpers, including effective tool access.\",\n },\n {\n packageName: \"@lucern/types\",\n surface: \"contract\",\n subpaths: \"published_exports\",\n description: \"Published type-only helpers for tenant integration code.\",\n },\n] as const;\nexport type TenantClientPublicImport =\n (typeof TENANT_CLIENT_PUBLIC_IMPORTS)[number];\nexport type TenantClientPublicPackage =\n TenantClientPublicImport[\"packageName\"];\nexport type TenantClientPublicSurface = TenantClientPublicImport[\"surface\"];\n\nexport const TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS = [\n {\n packageName: \"@lucern/control-plane\",\n importPath: \"@lucern/control-plane/convex.config\",\n surface: \"component_config\",\n description:\n \"Convex component binding config for tenant deployments that install the Lucern control plane.\",\n },\n {\n packageName: \"@lucern/reasoning-kernel\",\n importPath: \"@lucern/reasoning-kernel/convex.config\",\n surface: \"component_config\",\n description:\n \"Convex component binding config for tenant deployments that install the Lucern reasoning kernel.\",\n },\n {\n packageName: \"@lucern/reasoning-kernel\",\n importPath: \"@lucern/reasoning-kernel/runtime.config\",\n surface: \"component_config\",\n description:\n \"Runtime config alias for tenant deployments that install the Lucern reasoning kernel.\",\n },\n] as const;\nexport type TenantClientComponentConfigImport =\n (typeof TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS)[number];\nexport type TenantClientAllowedImport =\n | TenantClientPublicImport\n | TenantClientComponentConfigImport;\n\nexport function findTenantClientInstallablePackage(\n packageName: string\n): TenantClientInstallablePackage | undefined {\n return TENANT_CLIENT_INSTALLABLE_PACKAGES.find(\n (entry) => entry.packageName === packageName\n );\n}\n\nexport function isTenantClientInstallablePackage(packageName: string): boolean {\n return Boolean(findTenantClientInstallablePackage(packageName));\n}\n\nexport const TENANT_CLIENT_REQUIRED_SDK_NAMESPACES = [\n \"bootstrap\",\n \"context\",\n \"beliefs\",\n \"evidence\",\n \"questions\",\n \"graph\",\n \"worktrees\",\n \"topics\",\n \"edges\",\n \"contradictions\",\n \"contracts\",\n \"graphIntel\",\n \"graphIntelligence\",\n \"graphAnalysis\",\n \"graphRecommendations\",\n \"orgGraphSearch\",\n \"embeddings\",\n \"ontologyLinks\",\n \"graphStateClassifier\",\n \"tools\",\n \"controlPlane\",\n \"identity\",\n \"modelRuntime\",\n \"events\",\n \"jobs\",\n \"telemetry\",\n] as const;\nexport type TenantClientRequiredSdkNamespace =\n (typeof TENANT_CLIENT_REQUIRED_SDK_NAMESPACES)[number];\n\nexport const TENANT_CLIENT_CAPABILITIES = [\n {\n id: \"identity.resolve_interactive_principal\",\n description:\n \"Resolve a Clerk-authenticated user into a Permit-backed Lucern principal context.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/cli\", \"@lucern/mcp\"],\n requiredContextFields: [\"principalId\", \"tenantId\", \"scopes\"],\n },\n {\n id: \"identity.bootstrap_session\",\n description: \"Start a scoped Lucern session for a tenant principal.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.context.compile\",\n description: \"Compile tenant and workspace scoped reasoning context.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/react\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.graph.read\",\n description: \"Read beliefs, evidence, questions, topics, graph edges, and lineage.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/react\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.graph.write\",\n description: \"Create and update graph objects through authorized APIs.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.graph_intelligence.run\",\n description:\n \"Discover and run Graph Intelligence query recipes for structural graph analysis.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/cli\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.graph_mirroring.install\",\n description:\n \"Install and run the optional Neo4j graph mirror for paid or enterprise tenant deployments.\",\n surfaces: [\"@lucern/graph-sync\", \"@lucern/cli\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"workflow.worktree_lifecycle\",\n description: \"Create, review, merge, and close scoped worktrees.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/react\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n] as const;\nexport type TenantClientCapability =\n (typeof TENANT_CLIENT_CAPABILITIES)[number];\nexport type TenantClientCapabilityId = TenantClientCapability[\"id\"];\n\nexport const TENANT_CLIENT_ISOLATION_RULES = [\n {\n id: \"tenant_workspace_scope_required\",\n description:\n \"Runtime operations must resolve both tenantId and workspaceId before reaching Lucern reasoning state.\",\n },\n {\n id: \"principal_audit_required\",\n description:\n \"Runtime operations must carry principalId, authMode, and scopes for audit attribution.\",\n },\n {\n id: \"no_private_lucern_imports\",\n description:\n \"Tenant code must not import Lucern source, Convex internals, generated adapters, or unpublished package internals.\",\n },\n] as const;\nexport type TenantClientIsolationRule =\n (typeof TENANT_CLIENT_ISOLATION_RULES)[number];\n\nexport const TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS = [\n {\n id: \"deep_src_import\",\n pattern: \"^@lucern/[^/]+/src(?:/|$)\",\n description: \"Published packages must not be bypassed through src paths.\",\n },\n {\n id: \"deep_dist_import\",\n pattern: \"^@lucern/[^/]+/dist(?:/|$)\",\n description:\n \"Published package exports must be used instead of dist file paths.\",\n },\n {\n id: \"generated_adapter_import\",\n pattern: \"^@lucern/[^/]+/(?:adapters/)?_generated(?:/|$)\",\n description:\n \"Generated Lucern adapters are internal deployment artifacts.\",\n },\n {\n id: \"private_runtime_import\",\n pattern: \"^@lucern/[^/]+/(?:internal|private)(?:/|$)\",\n description: \"Internal and private package subpaths are not public SDK API.\",\n },\n {\n id: \"workspace_source_import\",\n pattern: \"^(?:packages|modules|services|lucern|apps)/(?:.+/)?src(?:/|$)\",\n description:\n \"Tenant clients must not import source files from the Lucern monorepo.\",\n },\n {\n id: \"root_alias_lucern_import\",\n pattern: \"^@/(?:lucern|packages|modules|services|apps)(?:/|$)\",\n description:\n \"Tenant clients must not depend on Lucern repo-local path aliases.\",\n },\n {\n id: \"relative_lucern_source_import\",\n pattern: \"^\\\\.\\\\.?/(?:.+/)?(?:packages|modules|services|lucern|apps)(?:/|$)\",\n description:\n \"Tenant clients must not reach back into Lucern source through relative paths.\",\n },\n {\n id: \"monorepo_path_import\",\n pattern: \"lucern-repo\",\n description:\n \"Absolute imports that name the Lucern repository are not portable tenant code.\",\n },\n] as const;\nexport type TenantClientForbiddenImportPattern =\n (typeof TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS)[number];\nexport type TenantClientForbiddenImportPatternId =\n TenantClientForbiddenImportPattern[\"id\"];\n\nexport type TenantClientImportDecision =\n | \"public\"\n | \"forbidden\"\n | \"local\"\n | \"external\";\n\nexport type TenantClientImportClassification = {\n importPath: string;\n decision: TenantClientImportDecision;\n publicImport?: TenantClientAllowedImport;\n pattern?: TenantClientForbiddenImportPattern;\n reason: string;\n};\n\nfunction matchesPublicImport(\n importPath: string\n): TenantClientAllowedImport | undefined {\n const componentConfig = TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS.find(\n (entry) => importPath === entry.importPath\n );\n if (componentConfig) {\n return componentConfig;\n }\n\n return TENANT_CLIENT_PUBLIC_IMPORTS.find(\n (entry) =>\n importPath === entry.packageName ||\n importPath.startsWith(`${entry.packageName}/`)\n );\n}\n\nfunction matchesForbiddenPattern(\n importPath: string\n): TenantClientForbiddenImportPattern | undefined {\n return TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS.find((entry) =>\n new RegExp(entry.pattern, \"u\").test(importPath)\n );\n}\n\nexport function classifyTenantClientImport(\n importPath: string\n): TenantClientImportClassification {\n const normalizedImportPath = importPath.trim();\n const pattern = matchesForbiddenPattern(normalizedImportPath);\n\n if (pattern) {\n return {\n importPath: normalizedImportPath,\n decision: \"forbidden\",\n pattern,\n reason: pattern.description,\n };\n }\n\n const publicImport = matchesPublicImport(normalizedImportPath);\n if (publicImport) {\n return {\n importPath: normalizedImportPath,\n decision: \"public\",\n publicImport,\n reason: publicImport.description,\n };\n }\n\n if (normalizedImportPath.startsWith(\"@lucern/\")) {\n return {\n importPath: normalizedImportPath,\n decision: \"forbidden\",\n reason:\n \"This @lucern package is not part of the tenant client public surface.\",\n };\n }\n\n if (\n normalizedImportPath.startsWith(\"./\") ||\n normalizedImportPath.startsWith(\"../\")\n ) {\n return {\n importPath: normalizedImportPath,\n decision: \"local\",\n reason: \"Local tenant-owned import.\",\n };\n }\n\n return {\n importPath: normalizedImportPath,\n decision: \"external\",\n reason: \"External dependency outside the Lucern package namespace.\",\n };\n}\n\nexport function isTenantClientPublicImport(importPath: string): boolean {\n return classifyTenantClientImport(importPath).decision === \"public\";\n}\n\nexport function isTenantClientComponentConfigImport(\n importPath: string\n): boolean {\n return TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS.some(\n (entry) => importPath === entry.importPath\n );\n}\n\nexport function isTenantClientAllowedImport(importPath: string): boolean {\n return classifyTenantClientImport(importPath).decision === \"public\";\n}\n\nexport function assertTenantClientImportAllowed(importPath: string): void {\n const classification = classifyTenantClientImport(importPath);\n if (classification.decision !== \"forbidden\") {\n return;\n }\n\n throw new Error(formatTenantClientImportViolation(classification));\n}\n\nexport function formatTenantClientImportViolation(\n classification: TenantClientImportClassification\n): string {\n const patternId = classification.pattern\n ? ` [${classification.pattern.id}]`\n : \"\";\n return `Tenant client import is not allowed${patternId}: ${classification.importPath}. ${classification.reason}`;\n}\n","/**\n * Infisical runtime contract\n *\n * Defines how Lucern runtime surfaces receive platform configuration and\n * secrets. Vercel-owned apps consume Infisical through secret syncs. Server,\n * CLI, MCP, and SDK operator contexts may hydrate runtime config directly from\n * Infisical when they have a scoped machine identity. Tenant user auth still\n * flows through Lucern device login; tenant tools never receive platform Clerk\n * secrets.\n */\n\nimport { TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH } from \"./tenant-client.contract\";\n\nexport const INFISICAL_RUNTIME_CONTRACT_VERSION = \"2026-05-06\" as const;\n\nexport const INFISICAL_RUNTIME_DEFAULT_API_URL =\n \"https://app.infisical.com\" as const;\nexport const INFISICAL_RUNTIME_DEFAULT_PROJECT_ID =\n \"344b0526-90df-4606-ba50-22c647a36c65\" as const;\n\nexport const INFISICAL_RUNTIME_ENVIRONMENTS = [\n \"dev\",\n \"staging\",\n \"prod\",\n] as const;\nexport type InfisicalRuntimeEnvironment =\n (typeof INFISICAL_RUNTIME_ENVIRONMENTS)[number];\n\nexport const INFISICAL_RUNTIME_DELIVERY_MODES = [\n \"vercel_sync\",\n \"runtime_fetch\",\n \"device_auth\",\n] as const;\nexport type InfisicalRuntimeDeliveryMode =\n (typeof INFISICAL_RUNTIME_DELIVERY_MODES)[number];\n\nexport const INFISICAL_VERCEL_DESTINATION_ENVIRONMENTS = [\n \"development\",\n \"preview\",\n \"staging\",\n \"production\",\n] as const;\nexport type InfisicalVercelDestinationEnvironment =\n (typeof INFISICAL_VERCEL_DESTINATION_ENVIRONMENTS)[number];\n\nexport const INFISICAL_VERCEL_TARGETS = [\n \"development\",\n \"preview\",\n \"production\",\n] as const;\nexport type InfisicalVercelTarget = (typeof INFISICAL_VERCEL_TARGETS)[number];\n\nexport const INFISICAL_CONVEX_TIERS = [\"preprod\", \"prod\"] as const;\nexport type InfisicalConvexTier = (typeof INFISICAL_CONVEX_TIERS)[number];\n\nexport const INFISICAL_CONVEX_TIER_BY_VERCEL_ENVIRONMENT = {\n development: \"preprod\",\n preview: \"preprod\",\n staging: \"preprod\",\n production: \"prod\",\n} as const satisfies Record<\n InfisicalVercelDestinationEnvironment,\n InfisicalConvexTier\n>;\n\nexport type InfisicalVercelSyncDestination = {\n readonly environment: InfisicalVercelDestinationEnvironment;\n readonly vercelTarget: InfisicalVercelTarget;\n readonly convexTier: InfisicalConvexTier;\n readonly customEnvironmentSlug?: string;\n readonly customEnvironmentIdsByProjectName?: Readonly<Record<string, string>>;\n readonly domainsByProjectName?: Readonly<Record<string, string>>;\n};\n\nexport const INFISICAL_VERCEL_SYNC_RECONCILIATION = {\n sourceOfTruth: \"infisical\",\n writer: \"vercel_api\",\n disableSecretDeletion: false,\n pruneDestinationKeys: true,\n} as const;\n\nexport const INFISICAL_VERCEL_SYNC_DESTINATIONS = [\n {\n environment: \"development\",\n vercelTarget: \"development\",\n convexTier: \"preprod\",\n },\n {\n environment: \"preview\",\n vercelTarget: \"preview\",\n convexTier: \"preprod\",\n },\n {\n environment: \"staging\",\n vercelTarget: \"preview\",\n convexTier: \"preprod\",\n customEnvironmentSlug: \"staging\",\n customEnvironmentIdsByProjectName: {\n stackos: \"env_RbS0TYRRvWISTje8qR4u2lRg7TC8\",\n },\n domainsByProjectName: {\n stackos: \"staging.stack.vc\",\n },\n },\n {\n environment: \"production\",\n vercelTarget: \"production\",\n convexTier: \"prod\",\n },\n] as const satisfies readonly InfisicalVercelSyncDestination[];\n\nexport const INFISICAL_RUNTIME_SURFACE_IDS = [\n \"lucern-web\",\n \"lucern-gateway\",\n \"lucern-sdk\",\n \"lucern-cli\",\n \"lucern-mcp\",\n \"tenant-client\",\n] as const;\nexport type InfisicalRuntimeSurfaceId =\n (typeof INFISICAL_RUNTIME_SURFACE_IDS)[number];\n\nexport const INFISICAL_RUNTIME_BOOTSTRAP_ENV = {\n apiUrl: [\"INFISICAL_API_URL\", \"INFISICAL_URL\"],\n projectId: [\"INFISICAL_PROJECT_ID\", \"INFISICAL_WORKSPACE_ID\"],\n clientId: [\n \"INFISICAL_CLIENT_ID\",\n \"INFISICAL_MACHINE_CLIENT_ID\",\n \"INFISICAL_UNIVERSAL_AUTH_CLIENT_ID\",\n ],\n clientSecret: [\n \"INFISICAL_CLIENT_SECRET\",\n \"INFISICAL_MACHINE_CLIENT_SECRET\",\n \"INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET\",\n ],\n environment: [\"INFISICAL_ENV\", \"LUCERN_INFISICAL_ENV\"],\n organizationSlug: [\"INFISICAL_ORG_SLUG\", \"INFISICAL_ORGANIZATION_SLUG\"],\n disabled: [\"LUCERN_INFISICAL_DISABLE\", \"INFISICAL_DISABLE\"],\n} as const;\nexport type InfisicalRuntimeBootstrapEnv =\n typeof INFISICAL_RUNTIME_BOOTSTRAP_ENV;\n\nexport const INFISICAL_RUNTIME_CONTROL_ENV = [\n {\n name: \"NODE_ENV\",\n category: \"framework\",\n description:\n \"Node/Next runtime mode. Framework-owned, not written by Infisical.\",\n },\n {\n name: \"CI\",\n category: \"ci\",\n description:\n \"CI execution signal. Workflow-owned, not written by Infisical.\",\n },\n {\n name: \"VERCEL\",\n category: \"vercel\",\n description:\n \"Vercel runtime signal. Platform-owned, not written by Infisical.\",\n },\n {\n name: \"VERCEL_ENV\",\n category: \"vercel\",\n description:\n \"Vercel environment label used for build/runtime selection.\",\n },\n {\n name: \"VERCEL_URL\",\n category: \"vercel\",\n description:\n \"Vercel deployment URL supplied by Vercel for previews and builds.\",\n },\n {\n name: \"VERCEL_GIT_COMMIT_SHA\",\n category: \"vercel\",\n description:\n \"Vercel git metadata used for release labels. Platform-owned, not written by Infisical.\",\n },\n {\n name: \"NEXT_RUNTIME\",\n category: \"nextjs\",\n description:\n \"Next.js runtime selector for node/edge instrumentation modules.\",\n },\n {\n name: \"PORT\",\n category: \"framework\",\n description:\n \"Local/server port supplied by the runtime process manager.\",\n },\n {\n name: \"HOST\",\n category: \"framework\",\n description:\n \"Local/server host supplied by the runtime process manager.\",\n },\n {\n name: \"APP_URL\",\n category: \"compatibility\",\n description:\n \"Legacy local app URL fallback. Prefer LUCERN_LOGIN_BASE_URL or LUCERN_API_URL.\",\n },\n {\n name: \"NEXT_PUBLIC_APP_URL\",\n category: \"compatibility\",\n description:\n \"Legacy public app URL fallback. Prefer LUCERN_LOGIN_BASE_URL or LUCERN_API_URL.\",\n },\n {\n name: \"CLAUDE_PROJECT_DIR\",\n category: \"agent_local\",\n description:\n \"Local agent workspace hint. Agent-runtime-owned, not written by Infisical.\",\n },\n {\n name: \"HOME\",\n category: \"os\",\n description:\n \"Operating-system home directory used only for local credential discovery.\",\n },\n {\n name: \"USERPROFILE\",\n category: \"os\",\n description:\n \"Windows home directory used only for local credential discovery.\",\n },\n] as const;\nexport type InfisicalRuntimeControlEnv =\n (typeof INFISICAL_RUNTIME_CONTROL_ENV)[number];\n\nexport type InfisicalRuntimeVariable = {\n readonly name: string;\n readonly required: boolean;\n readonly secret: boolean;\n readonly public: boolean;\n readonly aliases?: readonly string[];\n readonly description: string;\n};\n\nexport type InfisicalRuntimePathDefinition = {\n readonly id: string;\n readonly secretPath: string;\n readonly description: string;\n readonly variables: readonly InfisicalRuntimeVariable[];\n};\n\nexport const INFISICAL_RUNTIME_PATHS = [\n {\n id: \"platform-auth\",\n secretPath: \"/platform/auth\",\n description:\n \"Lucern platform authentication secrets. Synced into Vercel web/gateway projects; never distributed to tenant tools.\",\n variables: [\n {\n name: \"NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY\",\n required: true,\n secret: false,\n public: true,\n description: \"Clerk publishable key for the Lucern web origin.\",\n },\n {\n name: \"CLERK_SECRET_KEY\",\n required: true,\n secret: true,\n public: false,\n description: \"Clerk backend secret key for Lucern server runtimes.\",\n },\n {\n name: \"CLERK_JWT_ISSUER_DOMAIN\",\n required: false,\n secret: false,\n public: false,\n description: \"Expected Clerk issuer/JWKS domain for JWT verification.\",\n },\n {\n name: \"NEXT_PUBLIC_CLERK_SIGN_IN_URL\",\n required: false,\n secret: false,\n public: true,\n description: \"Public sign-in URL for Lucern-owned web flows.\",\n },\n {\n name: \"NEXT_PUBLIC_CLERK_SIGN_UP_URL\",\n required: false,\n secret: false,\n public: true,\n description: \"Public sign-up URL for Lucern-owned web flows.\",\n },\n ],\n },\n {\n id: \"platform-runtime\",\n secretPath: \"/platform/runtime\",\n description:\n \"Runtime defaults shared by server-side Lucern clients and operator tooling.\",\n variables: [\n {\n name: \"LUCERN_API_URL\",\n required: true,\n secret: false,\n public: false,\n aliases: [\"LUCERN_API_BASE_URL\", \"LUCERN_BASE_URL\"],\n description: \"Canonical Lucern API gateway URL.\",\n },\n {\n name: \"LUCERN_LOGIN_BASE_URL\",\n required: false,\n secret: false,\n public: false,\n aliases: [\"LUCERN_AUTH_BASE_URL\"],\n description: \"Browser login origin used when it differs from the API.\",\n },\n {\n name: \"LUCERN_ENVIRONMENT\",\n required: false,\n secret: false,\n public: false,\n aliases: [\"LUCERN_ENV\"],\n description: \"Lucern environment label consumed by CLI profiles.\",\n },\n {\n name: \"LUCERN_CLI_SESSION_TTL_MS\",\n required: false,\n secret: false,\n public: false,\n description:\n \"Optional web-issued CLI login session lifetime override in milliseconds.\",\n },\n ],\n },\n {\n id: \"platform-operator-credentials\",\n secretPath: \"/platform/runtime\",\n description:\n \"Lucern-owned operator credential material for local CLI, MCP, and SDK sessions.\",\n variables: [\n {\n name: \"LUCERN_API_KEY\",\n required: false,\n secret: true,\n public: false,\n aliases: [\"LUCERN_KEY\"],\n description:\n \"Lucern-owned operator API key for gateway calls from trusted local tooling.\",\n },\n ],\n },\n {\n id: \"tenant-shared-install\",\n secretPath: TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH,\n description:\n \"Tenant package-install secrets. This is install-only and distinct from platform publish credentials.\",\n variables: [\n {\n name: \"INSTALL_LUCERN_NPM\",\n required: true,\n secret: true,\n public: false,\n description:\n \"Read-only install token for the published @lucern/* suite.\",\n },\n ],\n },\n] as const satisfies readonly InfisicalRuntimePathDefinition[];\nexport type InfisicalRuntimePath = (typeof INFISICAL_RUNTIME_PATHS)[number];\nexport type InfisicalRuntimePathId = InfisicalRuntimePath[\"id\"];\n\nexport type InfisicalRuntimeSurfaceDefinition = {\n readonly id: InfisicalRuntimeSurfaceId;\n readonly packageName?: string;\n readonly delivery: InfisicalRuntimeDeliveryMode;\n readonly fallback?: InfisicalRuntimeDeliveryMode;\n readonly sourcePathIds: readonly InfisicalRuntimePathId[];\n readonly consumer: string;\n readonly description: string;\n};\n\nexport const INFISICAL_RUNTIME_SURFACES = [\n {\n id: \"lucern-web\",\n delivery: \"vercel_sync\",\n sourcePathIds: [\"platform-auth\", \"platform-runtime\"],\n consumer: \"apps/web on Vercel project lucern\",\n description:\n \"Lucern web consumes Clerk and runtime config via Infisical-to-Vercel syncs.\",\n },\n {\n id: \"lucern-gateway\",\n delivery: \"vercel_sync\",\n fallback: \"runtime_fetch\",\n sourcePathIds: [\"platform-auth\", \"platform-runtime\"],\n consumer: \"apps/gateway on Vercel project lucern-gateway\",\n description:\n \"Lucern gateway consumes platform config via Infisical-to-Vercel syncs and may self-hydrate from Infisical when the host environment has scoped bootstrap credentials.\",\n },\n {\n id: \"lucern-sdk\",\n packageName: \"@lucern/sdk\",\n delivery: \"runtime_fetch\",\n sourcePathIds: [\"platform-runtime\", \"platform-operator-credentials\"],\n consumer:\n \"server-side SDK operator contexts with a scoped Infisical identity\",\n description:\n \"SDK exposes the runtime Infisical resolver used by clients that have machine identity credentials.\",\n },\n {\n id: \"lucern-cli\",\n packageName: \"@lucern/cli\",\n delivery: \"runtime_fetch\",\n fallback: \"device_auth\",\n sourcePathIds: [\"platform-runtime\", \"platform-operator-credentials\"],\n consumer: \"developer/operator CLI processes\",\n description:\n \"CLI hydrates runtime defaults from Infisical when configured, then authenticates users through Lucern device login.\",\n },\n {\n id: \"lucern-mcp\",\n packageName: \"@lucern/mcp\",\n delivery: \"runtime_fetch\",\n fallback: \"device_auth\",\n sourcePathIds: [\"platform-runtime\", \"platform-operator-credentials\"],\n consumer: \"MCP server/client processes\",\n description:\n \"MCP hydrates runtime defaults through the SDK resolver and remains a Lucern client, not a platform secret owner.\",\n },\n {\n id: \"tenant-client\",\n delivery: \"device_auth\",\n sourcePathIds: [\"tenant-shared-install\"],\n consumer: \"tenant-owned apps and coding agents\",\n description:\n \"Tenant clients install the published packages and receive user/service credentials through Lucern auth surfaces.\",\n },\n] as const satisfies readonly InfisicalRuntimeSurfaceDefinition[];\nexport type InfisicalRuntimeSurface =\n (typeof INFISICAL_RUNTIME_SURFACES)[number];\n\nexport type InfisicalTenantSoftwareSystemDefinition = {\n readonly id: string;\n readonly tenantKey: string;\n readonly workspaceKey: string;\n readonly vercelProjectName: string;\n readonly vercelTeamId: string;\n readonly vercelProjectId: string;\n readonly vercelWriterTokenEnv: string;\n readonly repository: {\n readonly owner: string;\n readonly name: string;\n };\n readonly sharedSourcePath: string;\n readonly sharedVariablePolicy: \"tenant_shared_all_systems\";\n readonly convex: {\n readonly urlEnv: string;\n readonly deployKeyEnv: string;\n readonly preprodDeployment: string;\n readonly prodDeployment: string;\n };\n};\n\nexport const INFISICAL_TENANT_SOFTWARE_SYSTEMS = [\n {\n id: \"stack-frontend\",\n tenantKey: \"stack\",\n workspaceKey: \"frontend\",\n vercelProjectName: \"ai-chatbot-diao\",\n vercelTeamId: \"team_mZBKwvXSSu7qxrWdg2go29sK\",\n vercelProjectId: \"prj_PihFw8kohSSw14nZs9YQV3xVo517\",\n vercelWriterTokenEnv: \"STACK_VERCEL_TOKEN\",\n repository: {\n owner: \"stack-vc\",\n name: \"front-end\",\n },\n sharedSourcePath: \"/tenants/stack\",\n sharedVariablePolicy: \"tenant_shared_all_systems\",\n convex: {\n urlEnv: \"CONVEX_FRONTEND_URL\",\n deployKeyEnv: \"CONVEX_FRONTEND_DEPLOY_KEY\",\n preprodDeployment: \"rugged-lobster-664\",\n prodDeployment: \"wonderful-toucan-0\",\n },\n },\n {\n id: \"stackos\",\n tenantKey: \"stack\",\n workspaceKey: \"stackos\",\n vercelProjectName: \"stackos\",\n vercelTeamId: \"team_mZBKwvXSSu7qxrWdg2go29sK\",\n vercelProjectId: \"prj_rXLAL0Z6v9p1fasKbomby6GI7kau\",\n vercelWriterTokenEnv: \"STACK_VERCEL_TOKEN\",\n repository: {\n owner: \"stack-vc\",\n name: \"stackos\",\n },\n sharedSourcePath: \"/tenants/stack\",\n sharedVariablePolicy: \"tenant_shared_all_systems\",\n convex: {\n urlEnv: \"CONVEX_STACKOS_URL\",\n deployKeyEnv: \"CONVEX_STACKOS_DEPLOY_KEY\",\n preprodDeployment: \"giant-mandrill-761\",\n prodDeployment: \"good-snake-515\",\n },\n },\n {\n id: \"stack-eng\",\n tenantKey: \"stack\",\n workspaceKey: \"engineering\",\n vercelProjectName: \"stackos-engineering-graph\",\n vercelTeamId: \"team_mZBKwvXSSu7qxrWdg2go29sK\",\n vercelProjectId: \"prj_zAU0Zn9GkbHjHI63dxW4vLpmoqTJ\",\n vercelWriterTokenEnv: \"STACK_VERCEL_TOKEN\",\n repository: {\n owner: \"stack-vc\",\n name: \"stackos-engineering-graph\",\n },\n sharedSourcePath: \"/tenants/stack/engineering\",\n sharedVariablePolicy: \"tenant_shared_all_systems\",\n convex: {\n urlEnv: \"CONVEX_STACK_ENG_URL\",\n deployKeyEnv: \"CONVEX_STACK_ENG_DEPLOY_KEY\",\n preprodDeployment: \"small-oyster-270\",\n prodDeployment: \"bold-cuttlefish-804\",\n },\n },\n {\n id: \"lucern-graph\",\n tenantKey: \"lucern\",\n workspaceKey: \"lucern\",\n vercelProjectName: \"lucern-graph\",\n vercelTeamId: \"team_vTHxxs8GAoAFUe6RWMlYt7fY\",\n vercelProjectId: \"prj_KJ8EKV8vGM5xURpqmwTwmECEGPgQ\",\n vercelWriterTokenEnv: \"LUCERN_VERCEL_TOKEN\",\n repository: {\n owner: \"LucernAI\",\n name: \"lucern-graph\",\n },\n sharedSourcePath: \"/tenants/lucern/shared\",\n sharedVariablePolicy: \"tenant_shared_all_systems\",\n convex: {\n urlEnv: \"CONVEX_LUCERN_URL\",\n deployKeyEnv: \"CONVEX_LUCERN_DEPLOY_KEY\",\n preprodDeployment: \"good-blackbird-774\",\n prodDeployment: \"precious-dog-365\",\n },\n },\n] as const satisfies readonly InfisicalTenantSoftwareSystemDefinition[];\nexport type InfisicalTenantSoftwareSystem =\n (typeof INFISICAL_TENANT_SOFTWARE_SYSTEMS)[number];\nexport type InfisicalTenantSoftwareSystemId =\n InfisicalTenantSoftwareSystem[\"id\"];\n\nexport function findInfisicalTenantSoftwareSystem(\n systemId: InfisicalTenantSoftwareSystemId,\n): InfisicalTenantSoftwareSystem | undefined {\n return INFISICAL_TENANT_SOFTWARE_SYSTEMS.find(\n (system) => system.id === systemId,\n );\n}\n\nexport function tenantSoftwareSystemConvexEnvNames(\n systemId: InfisicalTenantSoftwareSystemId,\n): readonly [string, string] {\n const system = findInfisicalTenantSoftwareSystem(systemId);\n if (!system) {\n throw new Error(`Unknown tenant software system: ${systemId}.`);\n }\n return [system.convex.urlEnv, system.convex.deployKeyEnv] as const;\n}\n\nexport function tenantSoftwareSystemOwnsConvexEnvName(\n systemId: InfisicalTenantSoftwareSystemId,\n envName: string,\n): boolean {\n return tenantSoftwareSystemConvexEnvNames(systemId).includes(envName);\n}\n\nexport function convexTierForVercelDestinationEnvironment(\n environment: InfisicalVercelDestinationEnvironment,\n): InfisicalConvexTier {\n return INFISICAL_CONVEX_TIER_BY_VERCEL_ENVIRONMENT[environment];\n}\n\nexport function findInfisicalVercelSyncDestination(\n environment: InfisicalVercelDestinationEnvironment,\n): InfisicalVercelSyncDestination | undefined {\n return INFISICAL_VERCEL_SYNC_DESTINATIONS.find(\n (destination) => destination.environment === environment,\n );\n}\n\nexport function vercelCustomEnvironmentIdForTenantSoftwareSystem(\n systemId: InfisicalTenantSoftwareSystemId,\n environment: InfisicalVercelDestinationEnvironment,\n): string | undefined {\n const system = findInfisicalTenantSoftwareSystem(systemId);\n const destination = findInfisicalVercelSyncDestination(environment);\n if (!system || !destination) {\n return undefined;\n }\n return destination.customEnvironmentIdsByProjectName?.[\n system.vercelProjectName\n ];\n}\n\nexport function expectedTenantConvexDeploymentForVercelEnvironment(\n systemId: InfisicalTenantSoftwareSystemId,\n environment: InfisicalVercelDestinationEnvironment,\n): string {\n const system = findInfisicalTenantSoftwareSystem(systemId);\n if (!system) {\n throw new Error(`Unknown tenant software system: ${systemId}.`);\n }\n return convexTierForVercelDestinationEnvironment(environment) === \"prod\"\n ? system.convex.prodDeployment\n : system.convex.preprodDeployment;\n}\n\nexport function findInfisicalRuntimePath(\n pathId: InfisicalRuntimePathId,\n): InfisicalRuntimePath | undefined {\n return INFISICAL_RUNTIME_PATHS.find((path) => path.id === pathId);\n}\n\nexport function findInfisicalRuntimeSurface(\n surfaceId: InfisicalRuntimeSurfaceId,\n): InfisicalRuntimeSurface | undefined {\n return INFISICAL_RUNTIME_SURFACES.find((surface) => surface.id === surfaceId);\n}\n\nexport const INFISICAL_SECRET_OWNERS = [\n \"lucern_platform\",\n \"tenant\",\n \"provider\",\n \"operator_local\",\n] as const;\nexport type InfisicalSecretOwner = (typeof INFISICAL_SECRET_OWNERS)[number];\n\nexport const INFISICAL_SECRET_SCOPES = [\n \"global\",\n \"environment\",\n \"tenant\",\n \"workspace\",\n \"software_system\",\n \"deployment\",\n \"local\",\n] as const;\nexport type InfisicalSecretScope = (typeof INFISICAL_SECRET_SCOPES)[number];\n\nexport const INFISICAL_SECRET_ENVIRONMENT_POLICIES = [\n \"same_all_environments\",\n \"environment_specific\",\n \"preprod_staging_prod_prod\",\n \"local_only\",\n] as const;\nexport type InfisicalSecretEnvironmentPolicy =\n (typeof INFISICAL_SECRET_ENVIRONMENT_POLICIES)[number];\n\nexport const INFISICAL_SECRET_CONSUMERS = [\n \"lucern-web\",\n \"lucern-gateway\",\n \"lucern-sdk\",\n \"lucern-mcp\",\n \"lucern-cli\",\n \"lucern-agent\",\n \"lucern-railway-pdp\",\n \"lucern-ai-runtime\",\n \"lucern-graph-sync\",\n \"lucern-observability\",\n \"lucern-repo-ci\",\n \"mc-convex\",\n \"mc-operator-tooling\",\n \"tenant-vercel-app\",\n \"tenant-convex-deployment\",\n \"tenant-ai-runtime\",\n \"tenant-graph-sync\",\n \"tenant-observability\",\n \"tenant-vector-store\",\n \"tenant-deploy-tooling\",\n \"tenant-agent-runtime\",\n] as const;\nexport type InfisicalSecretConsumer = (typeof INFISICAL_SECRET_CONSUMERS)[number];\n\nexport const INFISICAL_SECRET_DESTINATION_KINDS = [\n \"vercel\",\n \"convex\",\n \"github_actions\",\n \"runtime_fetch\",\n \"operator_local\",\n] as const;\nexport type InfisicalSecretDestinationKind =\n (typeof INFISICAL_SECRET_DESTINATION_KINDS)[number];\n\nexport type InfisicalSecretDestination = {\n readonly kind: InfisicalSecretDestinationKind;\n readonly target: string;\n readonly environmentPolicy: InfisicalSecretEnvironmentPolicy;\n readonly writeNames?: readonly string[];\n readonly notes?: string;\n};\n\nexport type InfisicalSecretDefinition = {\n readonly id: string;\n readonly canonicalName: string;\n readonly aliases?: readonly string[];\n readonly owner: InfisicalSecretOwner;\n readonly scope: InfisicalSecretScope;\n readonly sourcePath: string;\n readonly environmentPolicy: InfisicalSecretEnvironmentPolicy;\n readonly required: boolean;\n readonly secret: boolean;\n readonly public: boolean;\n readonly consumers: readonly InfisicalSecretConsumer[];\n readonly destinations: readonly InfisicalSecretDestination[];\n readonly description: string;\n};\n"]}
|
|
1
|
+
{"version":3,"sources":["../src/tenant-client.contract.ts","../src/infisical-runtime.base.ts"],"names":[],"mappings":";AA8DO,IAAM,0CAAA,GACX,gBAAA;AAUK,IAAM,kCAAA,GAAqC;AAAA,EAChD;AAAA,IACE,WAAA,EAAa,wBAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,eAAA;AAAA,IACb,IAAA,EAAM,kBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,cAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,aAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,qBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,oBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,gBAAA;AAAA,IACb,IAAA,EAAM,eAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,mBAAA;AAAA,IACb,IAAA,EAAM,qBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,uBAAA;AAAA,IACb,IAAA,EAAM,mBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,uBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,gBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,0BAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,oBAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,aAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,mBAAA;AAAA,IACb,IAAA,EAAM,kBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,wBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,wBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,eAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,0BAAA;AAAA,IACb,IAAA,EAAM,mBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,aAAA;AAAA,IACb,IAAA,EAAM,oBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,iBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,qBAAA;AAAA,IACb,IAAA,EAAM,kBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,iBAAA;AAAA,IACb,IAAA,EAAM,cAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,wBAAA;AAAA,IACb,IAAA,EAAM,gBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA,GACtB;AAAA,EACA;AAAA,IACE,WAAA,EAAa,eAAA;AAAA,IACb,IAAA,EAAM,qBAAA;AAAA,IACN,kBAAA,EAAoB;AAAA;AAExB,CAAA;AAyBE,kCAAA,CAAmC,GAAA;AAAA,EACjC,CAAC,UAAU,KAAA,CAAM;AACnB;;;ACrNK,IAAM,kCAAA,GAAqC;AAE3C,IAAM,iCAAA,GACX;AACK,IAAM,oCAAA,GACX;AAEK,IAAM,8BAAA,GAAiC;AAAA,EAC5C,KAAA;AAAA,EACA,SAAA;AAAA,EACA;AACF;AAIO,IAAM,gCAAA,GAAmC;AAAA,EAC9C,aAAA;AAAA,EACA,eAAA;AAAA,EACA;AACF;AAIO,IAAM,yCAAA,GAA4C;AAAA,EACvD,aAAA;AAAA,EACA,SAAA;AAAA,EACA,SAAA;AAAA,EACA;AACF;AAIO,IAAM,wBAAA,GAA2B;AAAA,EACtC,aAAA;AAAA,EACA,SAAA;AAAA,EACA;AACF;AAGO,IAAM,sBAAA,GAAyB,CAAC,SAAA,EAAW,MAAM;AAGjD,IAAM,2CAAA,GAA8C;AAAA,EACzD,WAAA,EAAa,SAAA;AAAA,EACb,OAAA,EAAS,SAAA;AAAA,EACT,OAAA,EAAS,SAAA;AAAA,EACT,UAAA,EAAY;AACd;AAcO,IAAM,oCAAA,GAAuC;AAAA,EAClD,aAAA,EAAe,WAAA;AAAA,EACf,MAAA,EAAQ,YAAA;AAAA,EACR,qBAAA,EAAuB,KAAA;AAAA,EACvB,oBAAA,EAAsB;AACxB;AAEO,IAAM,kCAAA,GAAqC;AAAA,EAChD;AAAA,IACE,WAAA,EAAa,aAAA;AAAA,IACb,YAAA,EAAc,aAAA;AAAA,IACd,UAAA,EAAY;AAAA,GACd;AAAA,EACA;AAAA,IACE,WAAA,EAAa,SAAA;AAAA,IACb,YAAA,EAAc,SAAA;AAAA,IACd,UAAA,EAAY;AAAA,GACd;AAAA,EACA;AAAA,IACE,WAAA,EAAa,SAAA;AAAA,IACb,YAAA,EAAc,SAAA;AAAA,IACd,UAAA,EAAY,SAAA;AAAA,IACZ,qBAAA,EAAuB,SAAA;AAAA,IACvB,iCAAA,EAAmC;AAAA,MACjC,OAAA,EAAS;AAAA,KACX;AAAA,IACA,oBAAA,EAAsB;AAAA,MACpB,OAAA,EAAS;AAAA;AACX,GACF;AAAA,EACA;AAAA,IACE,WAAA,EAAa,YAAA;AAAA,IACb,YAAA,EAAc,YAAA;AAAA,IACd,UAAA,EAAY;AAAA;AAEhB;AAEO,IAAM,6BAAA,GAAgC;AAAA,EAC3C,YAAA;AAAA,EACA,gBAAA;AAAA,EACA,YAAA;AAAA,EACA,YAAA;AAAA,EACA,YAAA;AAAA,EACA;AACF;AAIO,IAAM,+BAAA,GAAkC;AAAA,EAC7C,MAAA,EAAQ,CAAC,mBAAA,EAAqB,eAAe,CAAA;AAAA,EAC7C,SAAA,EAAW,CAAC,sBAAA,EAAwB,wBAAwB,CAAA;AAAA,EAC5D,QAAA,EAAU;AAAA,IACR,qBAAA;AAAA,IACA,6BAAA;AAAA,IACA;AAAA,GACF;AAAA,EACA,YAAA,EAAc;AAAA,IACZ,yBAAA;AAAA,IACA,iCAAA;AAAA,IACA;AAAA,GACF;AAAA,EACA,WAAA,EAAa,CAAC,eAAA,EAAiB,sBAAsB,CAAA;AAAA,EACrD,gBAAA,EAAkB,CAAC,oBAAA,EAAsB,6BAA6B,CAAA;AAAA,EACtE,QAAA,EAAU,CAAC,0BAAA,EAA4B,mBAAmB;AAC5D;AAIO,IAAM,6BAAA,GAAgC;AAAA,EAC3C;AAAA,IACE,IAAA,EAAM,UAAA;AAAA,IACN,QAAA,EAAU,WAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,IAAA,EAAM,IAAA;AAAA,IACN,QAAA,EAAU,IAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,IAAA,EAAM,QAAA;AAAA,IACN,QAAA,EAAU,QAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,IAAA,EAAM,YAAA;AAAA,IACN,QAAA,EAAU,QAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,IAAA,EAAM,YAAA;AAAA,IACN,QAAA,EAAU,QAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,IAAA,EAAM,uBAAA;AAAA,IACN,QAAA,EAAU,QAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,IAAA,EAAM,cAAA;AAAA,IACN,QAAA,EAAU,QAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,IAAA,EAAM,MAAA;AAAA,IACN,QAAA,EAAU,WAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,IAAA,EAAM,MAAA;AAAA,IACN,QAAA,EAAU,WAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,IAAA,EAAM,SAAA;AAAA,IACN,QAAA,EAAU,eAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,IAAA,EAAM,qBAAA;AAAA,IACN,QAAA,EAAU,eAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,IAAA,EAAM,oBAAA;AAAA,IACN,QAAA,EAAU,aAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,IAAA,EAAM,MAAA;AAAA,IACN,QAAA,EAAU,IAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,IAAA,EAAM,aAAA;AAAA,IACN,QAAA,EAAU,IAAA;AAAA,IACV,WAAA,EACE;AAAA;AAEN;AAoBO,IAAM,uBAAA,GAA0B;AAAA,EACrC;AAAA,IACE,EAAA,EAAI,eAAA;AAAA,IACJ,UAAA,EAAY,gBAAA;AAAA,IACZ,WAAA,EACE,qHAAA;AAAA,IACF,SAAA,EAAW;AAAA,MACT;AAAA,QACE,IAAA,EAAM,mCAAA;AAAA,QACN,QAAA,EAAU,IAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,IAAA;AAAA,QACR,WAAA,EAAa;AAAA,OACf;AAAA,MACA;AAAA,QACE,IAAA,EAAM,kBAAA;AAAA,QACN,QAAA,EAAU,IAAA;AAAA,QACV,MAAA,EAAQ,IAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,WAAA,EAAa;AAAA,OACf;AAAA,MACA;AAAA,QACE,IAAA,EAAM,yBAAA;AAAA,QACN,QAAA,EAAU,KAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,WAAA,EAAa;AAAA,OACf;AAAA,MACA;AAAA,QACE,IAAA,EAAM,+BAAA;AAAA,QACN,QAAA,EAAU,KAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,IAAA;AAAA,QACR,WAAA,EAAa;AAAA,OACf;AAAA,MACA;AAAA,QACE,IAAA,EAAM,+BAAA;AAAA,QACN,QAAA,EAAU,KAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,IAAA;AAAA,QACR,WAAA,EAAa;AAAA;AACf;AACF,GACF;AAAA,EACA;AAAA,IACE,EAAA,EAAI,kBAAA;AAAA,IACJ,UAAA,EAAY,mBAAA;AAAA,IACZ,WAAA,EACE,6EAAA;AAAA,IACF,SAAA,EAAW;AAAA,MACT;AAAA,QACE,IAAA,EAAM,gBAAA;AAAA,QACN,QAAA,EAAU,IAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,OAAA,EAAS,CAAC,qBAAA,EAAuB,iBAAiB,CAAA;AAAA,QAClD,WAAA,EAAa;AAAA,OACf;AAAA,MACA;AAAA,QACE,IAAA,EAAM,uBAAA;AAAA,QACN,QAAA,EAAU,KAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,OAAA,EAAS,CAAC,sBAAsB,CAAA;AAAA,QAChC,WAAA,EAAa;AAAA,OACf;AAAA,MACA;AAAA,QACE,IAAA,EAAM,oBAAA;AAAA,QACN,QAAA,EAAU,KAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,OAAA,EAAS,CAAC,YAAY,CAAA;AAAA,QACtB,WAAA,EAAa;AAAA,OACf;AAAA,MACA;AAAA,QACE,IAAA,EAAM,2BAAA;AAAA,QACN,QAAA,EAAU,KAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,WAAA,EACE;AAAA;AACJ;AACF,GACF;AAAA,EACA;AAAA,IACE,EAAA,EAAI,iBAAA;AAAA,IACJ,UAAA,EAAY,kBAAA;AAAA,IACZ,WAAA,EACE,mFAAA;AAAA,IACF,SAAA,EAAW;AAAA,MACT;AAAA,QACE,IAAA,EAAM,+BAAA;AAAA,QACN,QAAA,EAAU,KAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,WAAA,EACE;AAAA,OACJ;AAAA,MACA;AAAA,QACE,IAAA,EAAM,qCAAA;AAAA,QACN,QAAA,EAAU,KAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,WAAA,EACE;AAAA,OACJ;AAAA,MACA;AAAA,QACE,IAAA,EAAM,4CAAA;AAAA,QACN,QAAA,EAAU,KAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,WAAA,EACE;AAAA,OACJ;AAAA,MACA;AAAA,QACE,IAAA,EAAM,uCAAA;AAAA,QACN,QAAA,EAAU,KAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,WAAA,EAAa;AAAA,OACf;AAAA,MACA;AAAA,QACE,IAAA,EAAM,2CAAA;AAAA,QACN,QAAA,EAAU,KAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,WAAA,EACE;AAAA,OACJ;AAAA,MACA;AAAA,QACE,IAAA,EAAM,sCAAA;AAAA,QACN,QAAA,EAAU,KAAA;AAAA,QACV,MAAA,EAAQ,KAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,WAAA,EACE;AAAA;AACJ;AACF,GACF;AAAA,EACA;AAAA,IACE,EAAA,EAAI,+BAAA;AAAA,IACJ,UAAA,EAAY,mBAAA;AAAA,IACZ,WAAA,EACE,iFAAA;AAAA,IACF,SAAA,EAAW;AAAA,MACT;AAAA,QACE,IAAA,EAAM,gBAAA;AAAA,QACN,QAAA,EAAU,KAAA;AAAA,QACV,MAAA,EAAQ,IAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,OAAA,EAAS,CAAC,YAAY,CAAA;AAAA,QACtB,WAAA,EACE;AAAA;AACJ;AACF,GACF;AAAA,EACA;AAAA,IACE,EAAA,EAAI,uBAAA;AAAA,IACJ,UAAA,EAAY,0CAAA;AAAA,IACZ,WAAA,EACE,sGAAA;AAAA,IACF,SAAA,EAAW;AAAA,MACT;AAAA,QACE,IAAA,EAAM,oBAAA;AAAA,QACN,QAAA,EAAU,IAAA;AAAA,QACV,MAAA,EAAQ,IAAA;AAAA,QACR,MAAA,EAAQ,KAAA;AAAA,QACR,WAAA,EACE;AAAA;AACJ;AACF;AAEJ;AAcO,IAAM,0BAAA,GAA6B;AAAA,EACxC;AAAA,IACE,EAAA,EAAI,YAAA;AAAA,IACJ,QAAA,EAAU,aAAA;AAAA,IACV,aAAA,EAAe,CAAC,eAAA,EAAiB,kBAAA,EAAoB,iBAAiB,CAAA;AAAA,IACtE,QAAA,EAAU,mCAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,gBAAA;AAAA,IACJ,QAAA,EAAU,aAAA;AAAA,IACV,QAAA,EAAU,eAAA;AAAA,IACV,aAAA,EAAe,CAAC,eAAA,EAAiB,kBAAkB,CAAA;AAAA,IACnD,QAAA,EAAU,+CAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,YAAA;AAAA,IACJ,WAAA,EAAa,aAAA;AAAA,IACb,QAAA,EAAU,eAAA;AAAA,IACV,aAAA,EAAe,CAAC,kBAAA,EAAoB,+BAA+B,CAAA;AAAA,IACnE,QAAA,EACE,oEAAA;AAAA,IACF,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,YAAA;AAAA,IACJ,WAAA,EAAa,aAAA;AAAA,IACb,QAAA,EAAU,eAAA;AAAA,IACV,QAAA,EAAU,aAAA;AAAA,IACV,aAAA,EAAe,CAAC,kBAAA,EAAoB,+BAA+B,CAAA;AAAA,IACnE,QAAA,EAAU,kCAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,YAAA;AAAA,IACJ,WAAA,EAAa,aAAA;AAAA,IACb,QAAA,EAAU,eAAA;AAAA,IACV,QAAA,EAAU,aAAA;AAAA,IACV,aAAA,EAAe,CAAC,kBAAA,EAAoB,+BAA+B,CAAA;AAAA,IACnE,QAAA,EAAU,6BAAA;AAAA,IACV,WAAA,EACE;AAAA,GACJ;AAAA,EACA;AAAA,IACE,EAAA,EAAI,eAAA;AAAA,IACJ,QAAA,EAAU,aAAA;AAAA,IACV,aAAA,EAAe,CAAC,uBAAuB,CAAA;AAAA,IACvC,QAAA,EAAU,qCAAA;AAAA,IACV,WAAA,EACE;AAAA;AAEN;AA0BO,IAAM,iCAAA,GAAoC;AAAA,EAC/C;AAAA,IACE,EAAA,EAAI,gBAAA;AAAA,IACJ,SAAA,EAAW,OAAA;AAAA,IACX,YAAA,EAAc,UAAA;AAAA,IACd,iBAAA,EAAmB,iBAAA;AAAA,IACnB,YAAA,EAAc,+BAAA;AAAA,IACd,eAAA,EAAiB,kCAAA;AAAA,IACjB,oBAAA,EAAsB,oBAAA;AAAA,IACtB,UAAA,EAAY;AAAA,MACV,KAAA,EAAO,UAAA;AAAA,MACP,IAAA,EAAM;AAAA,KACR;AAAA,IACA,gBAAA,EAAkB,gBAAA;AAAA,IAClB,oBAAA,EAAsB,2BAAA;AAAA,IACtB,MAAA,EAAQ;AAAA,MACN,MAAA,EAAQ,qBAAA;AAAA,MACR,YAAA,EAAc,4BAAA;AAAA,MACd,iBAAA,EAAmB,oBAAA;AAAA,MACnB,cAAA,EAAgB;AAAA;AAClB,GACF;AAAA,EACA;AAAA,IACE,EAAA,EAAI,SAAA;AAAA,IACJ,SAAA,EAAW,OAAA;AAAA,IACX,YAAA,EAAc,SAAA;AAAA,IACd,iBAAA,EAAmB,SAAA;AAAA,IACnB,YAAA,EAAc,+BAAA;AAAA,IACd,eAAA,EAAiB,kCAAA;AAAA,IACjB,oBAAA,EAAsB,oBAAA;AAAA,IACtB,UAAA,EAAY;AAAA,MACV,KAAA,EAAO,UAAA;AAAA,MACP,IAAA,EAAM;AAAA,KACR;AAAA,IACA,gBAAA,EAAkB,gBAAA;AAAA,IAClB,oBAAA,EAAsB,2BAAA;AAAA,IACtB,MAAA,EAAQ;AAAA,MACN,MAAA,EAAQ,oBAAA;AAAA,MACR,YAAA,EAAc,2BAAA;AAAA,MACd,iBAAA,EAAmB,oBAAA;AAAA,MACnB,cAAA,EAAgB;AAAA;AAClB,GACF;AAAA,EACA;AAAA,IACE,EAAA,EAAI,WAAA;AAAA,IACJ,SAAA,EAAW,OAAA;AAAA,IACX,YAAA,EAAc,aAAA;AAAA,IACd,iBAAA,EAAmB,2BAAA;AAAA,IACnB,YAAA,EAAc,+BAAA;AAAA,IACd,eAAA,EAAiB,kCAAA;AAAA,IACjB,oBAAA,EAAsB,oBAAA;AAAA,IACtB,UAAA,EAAY;AAAA,MACV,KAAA,EAAO,UAAA;AAAA,MACP,IAAA,EAAM;AAAA,KACR;AAAA,IACA,gBAAA,EAAkB,4BAAA;AAAA,IAClB,oBAAA,EAAsB,2BAAA;AAAA,IACtB,MAAA,EAAQ;AAAA,MACN,MAAA,EAAQ,sBAAA;AAAA,MACR,YAAA,EAAc,6BAAA;AAAA,MACd,iBAAA,EAAmB,kBAAA;AAAA,MACnB,cAAA,EAAgB;AAAA;AAClB,GACF;AAAA,EACA;AAAA,IACE,EAAA,EAAI,cAAA;AAAA,IACJ,SAAA,EAAW,QAAA;AAAA,IACX,YAAA,EAAc,QAAA;AAAA,IACd,iBAAA,EAAmB,cAAA;AAAA,IACnB,YAAA,EAAc,+BAAA;AAAA,IACd,eAAA,EAAiB,kCAAA;AAAA,IACjB,oBAAA,EAAsB,qBAAA;AAAA,IACtB,UAAA,EAAY;AAAA,MACV,KAAA,EAAO,UAAA;AAAA,MACP,IAAA,EAAM;AAAA,KACR;AAAA,IACA,gBAAA,EAAkB,wBAAA;AAAA,IAClB,oBAAA,EAAsB,2BAAA;AAAA,IACtB,MAAA,EAAQ;AAAA,MACN,MAAA,EAAQ,mBAAA;AAAA,MACR,YAAA,EAAc,0BAAA;AAAA,MACd,iBAAA,EAAmB,oBAAA;AAAA,MACnB,cAAA,EAAgB;AAAA;AAClB;AAEJ;AAMO,SAAS,kCACd,QAAA,EAC2C;AAC3C,EAAA,OAAO,iCAAA,CAAkC,IAAA;AAAA,IACvC,CAAC,MAAA,KAAW,MAAA,CAAO,EAAA,KAAO;AAAA,GAC5B;AACF;AAEO,SAAS,mCACd,QAAA,EAC2B;AAC3B,EAAA,MAAM,MAAA,GAAS,kCAAkC,QAAQ,CAAA;AACzD,EAAA,IAAI,CAAC,MAAA,EAAQ;AACX,IAAA,MAAM,IAAI,KAAA,CAAM,CAAA,gCAAA,EAAmC,QAAQ,CAAA,CAAA,CAAG,CAAA;AAAA,EAChE;AACA,EAAA,OAAO,CAAC,MAAA,CAAO,MAAA,CAAO,MAAA,EAAQ,MAAA,CAAO,OAAO,YAAY,CAAA;AAC1D;AAEO,SAAS,qCAAA,CACd,UACA,OAAA,EACS;AACT,EAAA,OAAO,kCAAA,CAAmC,QAAQ,CAAA,CAAE,QAAA,CAAS,OAAO,CAAA;AACtE;AAEO,SAAS,0CACd,WAAA,EACqB;AACrB,EAAA,OAAO,4CAA4C,WAAW,CAAA;AAChE;AAEO,SAAS,mCACd,WAAA,EAC4C;AAC5C,EAAA,OAAO,kCAAA,CAAmC,IAAA;AAAA,IACxC,CAAC,WAAA,KAAgB,WAAA,CAAY,WAAA,KAAgB;AAAA,GAC/C;AACF;AAEO,SAAS,gDAAA,CACd,UACA,WAAA,EACoB;AACpB,EAAA,MAAM,MAAA,GAAS,kCAAkC,QAAQ,CAAA;AACzD,EAAA,MAAM,WAAA,GAAc,mCAAmC,WAAW,CAAA;AAClE,EAAA,IAAI,CAAC,MAAA,IAAU,CAAC,WAAA,EAAa;AAC3B,IAAA,OAAO,MAAA;AAAA,EACT;AACA,EAAA,OAAO,WAAA,CAAY,iCAAA,GACjB,MAAA,CAAO,iBACT,CAAA;AACF;AAEO,SAAS,kDAAA,CACd,UACA,WAAA,EACQ;AACR,EAAA,MAAM,MAAA,GAAS,kCAAkC,QAAQ,CAAA;AACzD,EAAA,IAAI,CAAC,MAAA,EAAQ;AACX,IAAA,MAAM,IAAI,KAAA,CAAM,CAAA,gCAAA,EAAmC,QAAQ,CAAA,CAAA,CAAG,CAAA;AAAA,EAChE;AACA,EAAA,OAAO,yCAAA,CAA0C,WAAW,CAAA,KAAM,MAAA,GAC9D,OAAO,MAAA,CAAO,cAAA,GACd,OAAO,MAAA,CAAO,iBAAA;AACpB;AAEO,SAAS,yBACd,MAAA,EACkC;AAClC,EAAA,OAAO,wBAAwB,IAAA,CAAK,CAAC,IAAA,KAAS,IAAA,CAAK,OAAO,MAAM,CAAA;AAClE;AAEO,SAAS,4BACd,SAAA,EACqC;AACrC,EAAA,OAAO,2BAA2B,IAAA,CAAK,CAAC,OAAA,KAAY,OAAA,CAAQ,OAAO,SAAS,CAAA;AAC9E;AAEO,IAAM,uBAAA,GAA0B;AAAA,EACrC,iBAAA;AAAA,EACA,QAAA;AAAA,EACA,UAAA;AAAA,EACA;AACF;AAGO,IAAM,uBAAA,GAA0B;AAAA,EACrC,QAAA;AAAA,EACA,aAAA;AAAA,EACA,QAAA;AAAA,EACA,WAAA;AAAA,EACA,iBAAA;AAAA,EACA,YAAA;AAAA,EACA;AACF;AAGO,IAAM,qCAAA,GAAwC;AAAA,EACnD,uBAAA;AAAA,EACA,sBAAA;AAAA,EACA,2BAAA;AAAA,EACA;AACF;AAIO,IAAM,0BAAA,GAA6B;AAAA,EACxC,YAAA;AAAA,EACA,gBAAA;AAAA,EACA,YAAA;AAAA,EACA,YAAA;AAAA,EACA,YAAA;AAAA,EACA,cAAA;AAAA,EACA,oBAAA;AAAA,EACA,mBAAA;AAAA,EACA,mBAAA;AAAA,EACA,sBAAA;AAAA,EACA,gBAAA;AAAA,EACA,WAAA;AAAA,EACA,qBAAA;AAAA,EACA,mBAAA;AAAA,EACA,0BAAA;AAAA,EACA,mBAAA;AAAA,EACA,mBAAA;AAAA,EACA,sBAAA;AAAA,EACA,qBAAA;AAAA,EACA,uBAAA;AAAA,EACA;AACF;AAGO,IAAM,kCAAA,GAAqC;AAAA,EAChD,QAAA;AAAA,EACA,QAAA;AAAA,EACA,gBAAA;AAAA,EACA,eAAA;AAAA,EACA;AACF","file":"infisical-runtime.base.js","sourcesContent":["/**\n * Tenant client contract\n *\n * Defines the generic boundary for any customer-owned product that consumes\n * Lucern through the SDK, hosted API, or MCP server. Tenant clients may run\n * their own UI, auth provider, deployment, and data plane, but reasoning\n * operations must enter through the published packages below.\n */\n\nimport type {\n SessionAuthMode,\n SessionPrincipalType,\n} from \"./auth.contract\";\n\nexport const TENANT_CLIENT_CONTRACT_VERSION = \"2026-04-27\" as const;\n\nexport const TENANT_CLIENT_AUTH_MODES = [\n \"interactive_user\",\n \"service_principal\",\n \"tenant_api_key\",\n \"session_token\",\n] as const satisfies readonly SessionAuthMode[];\nexport type TenantClientAuthMode = (typeof TENANT_CLIENT_AUTH_MODES)[number];\n\nexport const TENANT_CLIENT_PRINCIPAL_TYPES = [\n \"human\",\n \"service\",\n \"agent\",\n \"group\",\n \"external_viewer\",\n] as const satisfies readonly SessionPrincipalType[];\nexport type TenantClientPrincipalType =\n (typeof TENANT_CLIENT_PRINCIPAL_TYPES)[number];\n\nexport const TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS = [\n \"tenantId\",\n \"workspaceId\",\n \"principalId\",\n \"authMode\",\n \"scopes\",\n] as const;\nexport type TenantClientRequiredContextField =\n (typeof TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS)[number];\n\nexport const TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS = [\n \"clerkId\",\n \"principalType\",\n \"roles\",\n \"groupIds\",\n \"permittedToolNames\",\n \"permittedPackKeys\",\n \"principalStatus\",\n \"tenantStatus\",\n \"workspaceStatus\",\n \"permit\",\n \"sessionId\",\n \"delegationChain\",\n] as const;\nexport type TenantClientOptionalContextField =\n (typeof TENANT_CLIENT_OPTIONAL_CONTEXT_FIELDS)[number];\n\nexport const TENANT_CLIENT_INSTALL_TOKEN_ENV = \"INSTALL_LUCERN_NPM\" as const;\nexport const TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH =\n \"tenants/shared\" as const;\nexport const TENANT_CLIENT_FORBIDDEN_INSTALL_TOKEN_INFISICAL_PATHS = [\n \"/platform/publish\",\n] as const;\nexport const TENANT_CLIENT_FORBIDDEN_SECRET_ENV = [\"NPM_TOKEN\"] as const;\nexport type TenantClientForbiddenInstallTokenInfisicalPath =\n (typeof TENANT_CLIENT_FORBIDDEN_INSTALL_TOKEN_INFISICAL_PATHS)[number];\nexport type TenantClientForbiddenSecretEnv =\n (typeof TENANT_CLIENT_FORBIDDEN_SECRET_ENV)[number];\n\nexport const TENANT_CLIENT_INSTALLABLE_PACKAGES = [\n {\n packageName: \"@lucern/access-control\",\n role: \"runtime_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/agent\",\n role: \"platform_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/auth\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/cli\",\n role: \"developer_tool\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/client-core\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/confidence\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/config\",\n role: \"configuration\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/contracts\",\n role: \"contract_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/control-plane\",\n role: \"component_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/developer-kit\",\n role: \"developer_tool\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/events\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/graph-primitives\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/graph-sync\",\n role: \"host_addon_runtime\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/mcp\",\n role: \"runtime_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/pack-host\",\n role: \"platform_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/pack-installer\",\n role: \"developer_tool\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/proof-compiler\",\n role: \"developer_tool\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/react\",\n role: \"runtime_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/reasoning-kernel\",\n role: \"component_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/sdk\",\n role: \"runtime_entrypoint\",\n directTenantImport: true,\n },\n {\n packageName: \"@lucern/secrets\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/server-core\",\n role: \"platform_runtime\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/testing\",\n role: \"test_support\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/transport-core\",\n role: \"sdk_dependency\",\n directTenantImport: false,\n },\n {\n packageName: \"@lucern/types\",\n role: \"contract_entrypoint\",\n directTenantImport: true,\n },\n] as const;\nexport type TenantClientInstallablePackage =\n (typeof TENANT_CLIENT_INSTALLABLE_PACKAGES)[number];\nexport type TenantClientPackageRole = TenantClientInstallablePackage[\"role\"];\nexport type TenantClientInstallablePackageName =\n TenantClientInstallablePackage[\"packageName\"];\n\n/**\n * Direct package installs are package.json entries owned by the tenant repo.\n * Direct imports are source-code imports that tenant application code may use.\n *\n * These concepts intentionally differ: `@lucern/cli` is a direct install when a\n * tenant repo needs the `lucern` binary, but it is not a direct application\n * import. `@lucern/reasoning-kernel` and `@lucern/control-plane` are direct installs\n * for Convex component binding, while tenant app code should only import their\n * explicit component config subpaths.\n */\nexport type TenantClientInstallProfile = {\n id: string;\n description: string;\n packageNames: readonly TenantClientInstallablePackageName[];\n dependencyField: \"dependencies\" | \"devDependencies\" | \"mixed\";\n};\n\nexport const TENANT_CLIENT_FULL_SUITE_PACKAGE_NAMES =\n TENANT_CLIENT_INSTALLABLE_PACKAGES.map(\n (entry) => entry.packageName\n ) as readonly TenantClientInstallablePackageName[];\n\nexport const TENANT_CLIENT_INSTALL_PROFILES = [\n {\n id: \"core_app_runtime\",\n description:\n \"Smallest tenant app/runtime install for typed Lucern API calls plus tool-access policy helpers.\",\n packageNames: [\"@lucern/sdk\", \"@lucern/access-control\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"react_app_runtime\",\n description:\n \"React tenant app install for hooks, provider, curated graph components, and direct SDK calls.\",\n packageNames: [\"@lucern/react\", \"@lucern/sdk\", \"@lucern/access-control\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"convex_components\",\n description:\n \"Tenant Convex host install for binding the Lucern control-plane and reasoning-kernel components.\",\n packageNames: [\"@lucern/control-plane\", \"@lucern/reasoning-kernel\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"graph_mirroring_addon\",\n description:\n \"Optional tenant Convex host install for Neo4j graph projection, edge topology writes, backfill, health checks, and query proxy helpers.\",\n packageNames: [\"@lucern/graph-sync\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"operator_cli\",\n description:\n \"Developer/operator install for the `lucern` binary, including tenant bootstrap seed commands.\",\n packageNames: [\"@lucern/cli\"],\n dependencyField: \"devDependencies\",\n },\n {\n id: \"mcp_runtime\",\n description:\n \"Agent runtime install for the standalone Lucern MCP server and hosted route helpers.\",\n packageNames: [\"@lucern/mcp\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"contracts_and_types\",\n description:\n \"Compile-time contract/type install for codegen, audits, and tenant integration validation.\",\n packageNames: [\"@lucern/contracts\", \"@lucern/types\"],\n dependencyField: \"dependencies\",\n },\n {\n id: \"full_suite\",\n description:\n \"Full coherent Lucern package suite for design-partner repos that want every published runtime, tool, component, test, and config package pinned together.\",\n packageNames: TENANT_CLIENT_FULL_SUITE_PACKAGE_NAMES,\n dependencyField: \"mixed\",\n },\n] as const satisfies readonly TenantClientInstallProfile[];\nexport type TenantClientInstallProfileId =\n (typeof TENANT_CLIENT_INSTALL_PROFILES)[number][\"id\"];\n\n/**\n * Direct imports tenant-owned product code may use. This is intentionally\n * smaller than TENANT_CLIENT_INSTALLABLE_PACKAGES: several publishable packages\n * are installed as SDK dependencies, tooling, or platform runtimes but should\n * not become the application integration surface.\n */\nexport const TENANT_CLIENT_PUBLIC_IMPORTS = [\n {\n packageName: \"@lucern/sdk\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description: \"TypeScript SDK runtime and generated operation namespaces.\",\n },\n {\n packageName: \"@lucern/react\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description: \"React bindings for tenant-owned UI applications.\",\n },\n {\n packageName: \"@lucern/mcp\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description: \"MCP client/server entry points and hosted route helpers.\",\n },\n {\n packageName: \"@lucern/graph-sync\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description:\n \"Optional Neo4j graph mirroring host actions, edge API, query proxy, backfill, and health helpers.\",\n },\n {\n packageName: \"@lucern/contracts\",\n surface: \"contract\",\n subpaths: \"published_exports\",\n description: \"Published type and manifest contracts.\",\n },\n {\n packageName: \"@lucern/access-control\",\n surface: \"runtime\",\n subpaths: \"published_exports\",\n description:\n \"Tenant runtime access-control helpers, including effective tool access.\",\n },\n {\n packageName: \"@lucern/types\",\n surface: \"contract\",\n subpaths: \"published_exports\",\n description: \"Published type-only helpers for tenant integration code.\",\n },\n] as const;\nexport type TenantClientPublicImport =\n (typeof TENANT_CLIENT_PUBLIC_IMPORTS)[number];\nexport type TenantClientPublicPackage =\n TenantClientPublicImport[\"packageName\"];\nexport type TenantClientPublicSurface = TenantClientPublicImport[\"surface\"];\n\nexport const TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS = [\n {\n packageName: \"@lucern/control-plane\",\n importPath: \"@lucern/control-plane/convex.config\",\n surface: \"component_config\",\n description:\n \"Convex component binding config for tenant deployments that install the Lucern control plane.\",\n },\n {\n packageName: \"@lucern/reasoning-kernel\",\n importPath: \"@lucern/reasoning-kernel/convex.config\",\n surface: \"component_config\",\n description:\n \"Convex component binding config for tenant deployments that install the Lucern reasoning kernel.\",\n },\n {\n packageName: \"@lucern/reasoning-kernel\",\n importPath: \"@lucern/reasoning-kernel/runtime.config\",\n surface: \"component_config\",\n description:\n \"Runtime config alias for tenant deployments that install the Lucern reasoning kernel.\",\n },\n] as const;\nexport type TenantClientComponentConfigImport =\n (typeof TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS)[number];\nexport type TenantClientAllowedImport =\n | TenantClientPublicImport\n | TenantClientComponentConfigImport;\n\nexport function findTenantClientInstallablePackage(\n packageName: string\n): TenantClientInstallablePackage | undefined {\n return TENANT_CLIENT_INSTALLABLE_PACKAGES.find(\n (entry) => entry.packageName === packageName\n );\n}\n\nexport function isTenantClientInstallablePackage(packageName: string): boolean {\n return Boolean(findTenantClientInstallablePackage(packageName));\n}\n\nexport const TENANT_CLIENT_REQUIRED_SDK_NAMESPACES = [\n \"bootstrap\",\n \"context\",\n \"beliefs\",\n \"evidence\",\n \"questions\",\n \"graph\",\n \"worktrees\",\n \"topics\",\n \"edges\",\n \"contradictions\",\n \"contracts\",\n \"graphIntel\",\n \"graphIntelligence\",\n \"graphAnalysis\",\n \"graphRecommendations\",\n \"orgGraphSearch\",\n \"embeddings\",\n \"ontologyLinks\",\n \"graphStateClassifier\",\n \"tools\",\n \"controlPlane\",\n \"identity\",\n \"modelRuntime\",\n \"events\",\n \"jobs\",\n \"telemetry\",\n] as const;\nexport type TenantClientRequiredSdkNamespace =\n (typeof TENANT_CLIENT_REQUIRED_SDK_NAMESPACES)[number];\n\nexport const TENANT_CLIENT_CAPABILITIES = [\n {\n id: \"identity.resolve_interactive_principal\",\n description:\n \"Resolve a Clerk-authenticated user into a Permit-backed Lucern principal context.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/cli\", \"@lucern/mcp\"],\n requiredContextFields: [\"principalId\", \"tenantId\", \"scopes\"],\n },\n {\n id: \"identity.bootstrap_session\",\n description: \"Start a scoped Lucern session for a tenant principal.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.context.compile\",\n description: \"Compile tenant and workspace scoped reasoning context.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/react\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.graph.read\",\n description: \"Read beliefs, evidence, questions, topics, graph edges, and lineage.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/react\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.graph.write\",\n description: \"Create and update graph objects through authorized APIs.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.graph_intelligence.run\",\n description:\n \"Discover and run Graph Intelligence query recipes for structural graph analysis.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/cli\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"reasoning.graph_mirroring.install\",\n description:\n \"Install and run the optional Neo4j graph mirror for paid or enterprise tenant deployments.\",\n surfaces: [\"@lucern/graph-sync\", \"@lucern/cli\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n {\n id: \"workflow.worktree_lifecycle\",\n description: \"Create, review, merge, and close scoped worktrees.\",\n surfaces: [\"@lucern/sdk\", \"@lucern/react\", \"@lucern/mcp\"],\n requiredContextFields: TENANT_CLIENT_REQUIRED_CONTEXT_FIELDS,\n },\n] as const;\nexport type TenantClientCapability =\n (typeof TENANT_CLIENT_CAPABILITIES)[number];\nexport type TenantClientCapabilityId = TenantClientCapability[\"id\"];\n\nexport const TENANT_CLIENT_ISOLATION_RULES = [\n {\n id: \"tenant_workspace_scope_required\",\n description:\n \"Runtime operations must resolve both tenantId and workspaceId before reaching Lucern reasoning state.\",\n },\n {\n id: \"principal_audit_required\",\n description:\n \"Runtime operations must carry principalId, authMode, and scopes for audit attribution.\",\n },\n {\n id: \"no_private_lucern_imports\",\n description:\n \"Tenant code must not import Lucern source, Convex internals, generated adapters, or unpublished package internals.\",\n },\n] as const;\nexport type TenantClientIsolationRule =\n (typeof TENANT_CLIENT_ISOLATION_RULES)[number];\n\nexport const TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS = [\n {\n id: \"deep_src_import\",\n pattern: \"^@lucern/[^/]+/src(?:/|$)\",\n description: \"Published packages must not be bypassed through src paths.\",\n },\n {\n id: \"deep_dist_import\",\n pattern: \"^@lucern/[^/]+/dist(?:/|$)\",\n description:\n \"Published package exports must be used instead of dist file paths.\",\n },\n {\n id: \"generated_adapter_import\",\n pattern: \"^@lucern/[^/]+/(?:adapters/)?_generated(?:/|$)\",\n description:\n \"Generated Lucern adapters are internal deployment artifacts.\",\n },\n {\n id: \"private_runtime_import\",\n pattern: \"^@lucern/[^/]+/(?:internal|private)(?:/|$)\",\n description: \"Internal and private package subpaths are not public SDK API.\",\n },\n {\n id: \"workspace_source_import\",\n pattern: \"^(?:packages|modules|services|lucern|apps)/(?:.+/)?src(?:/|$)\",\n description:\n \"Tenant clients must not import source files from the Lucern monorepo.\",\n },\n {\n id: \"root_alias_lucern_import\",\n pattern: \"^@/(?:lucern|packages|modules|services|apps)(?:/|$)\",\n description:\n \"Tenant clients must not depend on Lucern repo-local path aliases.\",\n },\n {\n id: \"relative_lucern_source_import\",\n pattern: \"^\\\\.\\\\.?/(?:.+/)?(?:packages|modules|services|lucern|apps)(?:/|$)\",\n description:\n \"Tenant clients must not reach back into Lucern source through relative paths.\",\n },\n {\n id: \"monorepo_path_import\",\n pattern: \"lucern-repo\",\n description:\n \"Absolute imports that name the Lucern repository are not portable tenant code.\",\n },\n] as const;\nexport type TenantClientForbiddenImportPattern =\n (typeof TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS)[number];\nexport type TenantClientForbiddenImportPatternId =\n TenantClientForbiddenImportPattern[\"id\"];\n\nexport type TenantClientImportDecision =\n | \"public\"\n | \"forbidden\"\n | \"local\"\n | \"external\";\n\nexport type TenantClientImportClassification = {\n importPath: string;\n decision: TenantClientImportDecision;\n publicImport?: TenantClientAllowedImport;\n pattern?: TenantClientForbiddenImportPattern;\n reason: string;\n};\n\nfunction matchesPublicImport(\n importPath: string\n): TenantClientAllowedImport | undefined {\n const componentConfig = TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS.find(\n (entry) => importPath === entry.importPath\n );\n if (componentConfig) {\n return componentConfig;\n }\n\n return TENANT_CLIENT_PUBLIC_IMPORTS.find(\n (entry) =>\n importPath === entry.packageName ||\n importPath.startsWith(`${entry.packageName}/`)\n );\n}\n\nfunction matchesForbiddenPattern(\n importPath: string\n): TenantClientForbiddenImportPattern | undefined {\n return TENANT_CLIENT_FORBIDDEN_IMPORT_PATTERNS.find((entry) =>\n new RegExp(entry.pattern, \"u\").test(importPath)\n );\n}\n\nexport function classifyTenantClientImport(\n importPath: string\n): TenantClientImportClassification {\n const normalizedImportPath = importPath.trim();\n const pattern = matchesForbiddenPattern(normalizedImportPath);\n\n if (pattern) {\n return {\n importPath: normalizedImportPath,\n decision: \"forbidden\",\n pattern,\n reason: pattern.description,\n };\n }\n\n const publicImport = matchesPublicImport(normalizedImportPath);\n if (publicImport) {\n return {\n importPath: normalizedImportPath,\n decision: \"public\",\n publicImport,\n reason: publicImport.description,\n };\n }\n\n if (normalizedImportPath.startsWith(\"@lucern/\")) {\n return {\n importPath: normalizedImportPath,\n decision: \"forbidden\",\n reason:\n \"This @lucern package is not part of the tenant client public surface.\",\n };\n }\n\n if (\n normalizedImportPath.startsWith(\"./\") ||\n normalizedImportPath.startsWith(\"../\")\n ) {\n return {\n importPath: normalizedImportPath,\n decision: \"local\",\n reason: \"Local tenant-owned import.\",\n };\n }\n\n return {\n importPath: normalizedImportPath,\n decision: \"external\",\n reason: \"External dependency outside the Lucern package namespace.\",\n };\n}\n\nexport function isTenantClientPublicImport(importPath: string): boolean {\n return classifyTenantClientImport(importPath).decision === \"public\";\n}\n\nexport function isTenantClientComponentConfigImport(\n importPath: string\n): boolean {\n return TENANT_CLIENT_COMPONENT_CONFIG_IMPORTS.some(\n (entry) => importPath === entry.importPath\n );\n}\n\nexport function isTenantClientAllowedImport(importPath: string): boolean {\n return classifyTenantClientImport(importPath).decision === \"public\";\n}\n\nexport function assertTenantClientImportAllowed(importPath: string): void {\n const classification = classifyTenantClientImport(importPath);\n if (classification.decision !== \"forbidden\") {\n return;\n }\n\n throw new Error(formatTenantClientImportViolation(classification));\n}\n\nexport function formatTenantClientImportViolation(\n classification: TenantClientImportClassification\n): string {\n const patternId = classification.pattern\n ? ` [${classification.pattern.id}]`\n : \"\";\n return `Tenant client import is not allowed${patternId}: ${classification.importPath}. ${classification.reason}`;\n}\n","/**\n * Infisical runtime contract\n *\n * Defines how Lucern runtime surfaces receive platform configuration and\n * secrets. Vercel-owned apps consume Infisical through secret syncs. Server,\n * CLI, MCP, and SDK operator contexts may hydrate runtime config directly from\n * Infisical when they have a scoped machine identity. Tenant user auth still\n * flows through Lucern device login; tenant tools never receive platform Clerk\n * secrets.\n */\n\nimport { TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH } from \"./tenant-client.contract\";\n\nexport const INFISICAL_RUNTIME_CONTRACT_VERSION = \"2026-05-06\" as const;\n\nexport const INFISICAL_RUNTIME_DEFAULT_API_URL =\n \"https://app.infisical.com\" as const;\nexport const INFISICAL_RUNTIME_DEFAULT_PROJECT_ID =\n \"344b0526-90df-4606-ba50-22c647a36c65\" as const;\n\nexport const INFISICAL_RUNTIME_ENVIRONMENTS = [\n \"dev\",\n \"staging\",\n \"prod\",\n] as const;\nexport type InfisicalRuntimeEnvironment =\n (typeof INFISICAL_RUNTIME_ENVIRONMENTS)[number];\n\nexport const INFISICAL_RUNTIME_DELIVERY_MODES = [\n \"vercel_sync\",\n \"runtime_fetch\",\n \"device_auth\",\n] as const;\nexport type InfisicalRuntimeDeliveryMode =\n (typeof INFISICAL_RUNTIME_DELIVERY_MODES)[number];\n\nexport const INFISICAL_VERCEL_DESTINATION_ENVIRONMENTS = [\n \"development\",\n \"preview\",\n \"staging\",\n \"production\",\n] as const;\nexport type InfisicalVercelDestinationEnvironment =\n (typeof INFISICAL_VERCEL_DESTINATION_ENVIRONMENTS)[number];\n\nexport const INFISICAL_VERCEL_TARGETS = [\n \"development\",\n \"preview\",\n \"production\",\n] as const;\nexport type InfisicalVercelTarget = (typeof INFISICAL_VERCEL_TARGETS)[number];\n\nexport const INFISICAL_CONVEX_TIERS = [\"preprod\", \"prod\"] as const;\nexport type InfisicalConvexTier = (typeof INFISICAL_CONVEX_TIERS)[number];\n\nexport const INFISICAL_CONVEX_TIER_BY_VERCEL_ENVIRONMENT = {\n development: \"preprod\",\n preview: \"preprod\",\n staging: \"preprod\",\n production: \"prod\",\n} as const satisfies Record<\n InfisicalVercelDestinationEnvironment,\n InfisicalConvexTier\n>;\n\nexport type InfisicalVercelSyncDestination = {\n readonly environment: InfisicalVercelDestinationEnvironment;\n readonly vercelTarget: InfisicalVercelTarget;\n readonly convexTier: InfisicalConvexTier;\n readonly customEnvironmentSlug?: string;\n readonly customEnvironmentIdsByProjectName?: Readonly<Record<string, string>>;\n readonly domainsByProjectName?: Readonly<Record<string, string>>;\n};\n\nexport const INFISICAL_VERCEL_SYNC_RECONCILIATION = {\n sourceOfTruth: \"infisical\",\n writer: \"vercel_api\",\n disableSecretDeletion: false,\n pruneDestinationKeys: true,\n} as const;\n\nexport const INFISICAL_VERCEL_SYNC_DESTINATIONS = [\n {\n environment: \"development\",\n vercelTarget: \"development\",\n convexTier: \"preprod\",\n },\n {\n environment: \"preview\",\n vercelTarget: \"preview\",\n convexTier: \"preprod\",\n },\n {\n environment: \"staging\",\n vercelTarget: \"preview\",\n convexTier: \"preprod\",\n customEnvironmentSlug: \"staging\",\n customEnvironmentIdsByProjectName: {\n stackos: \"env_RbS0TYRRvWISTje8qR4u2lRg7TC8\",\n },\n domainsByProjectName: {\n stackos: \"staging.stack.vc\",\n },\n },\n {\n environment: \"production\",\n vercelTarget: \"production\",\n convexTier: \"prod\",\n },\n] as const satisfies readonly InfisicalVercelSyncDestination[];\n\nexport const INFISICAL_RUNTIME_SURFACE_IDS = [\n \"lucern-web\",\n \"lucern-gateway\",\n \"lucern-sdk\",\n \"lucern-cli\",\n \"lucern-mcp\",\n \"tenant-client\",\n] as const;\nexport type InfisicalRuntimeSurfaceId =\n (typeof INFISICAL_RUNTIME_SURFACE_IDS)[number];\n\nexport const INFISICAL_RUNTIME_BOOTSTRAP_ENV = {\n apiUrl: [\"INFISICAL_API_URL\", \"INFISICAL_URL\"],\n projectId: [\"INFISICAL_PROJECT_ID\", \"INFISICAL_WORKSPACE_ID\"],\n clientId: [\n \"INFISICAL_CLIENT_ID\",\n \"INFISICAL_MACHINE_CLIENT_ID\",\n \"INFISICAL_UNIVERSAL_AUTH_CLIENT_ID\",\n ],\n clientSecret: [\n \"INFISICAL_CLIENT_SECRET\",\n \"INFISICAL_MACHINE_CLIENT_SECRET\",\n \"INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET\",\n ],\n environment: [\"INFISICAL_ENV\", \"LUCERN_INFISICAL_ENV\"],\n organizationSlug: [\"INFISICAL_ORG_SLUG\", \"INFISICAL_ORGANIZATION_SLUG\"],\n disabled: [\"LUCERN_INFISICAL_DISABLE\", \"INFISICAL_DISABLE\"],\n} as const;\nexport type InfisicalRuntimeBootstrapEnv =\n typeof INFISICAL_RUNTIME_BOOTSTRAP_ENV;\n\nexport const INFISICAL_RUNTIME_CONTROL_ENV = [\n {\n name: \"NODE_ENV\",\n category: \"framework\",\n description:\n \"Node/Next runtime mode. Framework-owned, not written by Infisical.\",\n },\n {\n name: \"CI\",\n category: \"ci\",\n description:\n \"CI execution signal. Workflow-owned, not written by Infisical.\",\n },\n {\n name: \"VERCEL\",\n category: \"vercel\",\n description:\n \"Vercel runtime signal. Platform-owned, not written by Infisical.\",\n },\n {\n name: \"VERCEL_ENV\",\n category: \"vercel\",\n description:\n \"Vercel environment label used for build/runtime selection.\",\n },\n {\n name: \"VERCEL_URL\",\n category: \"vercel\",\n description:\n \"Vercel deployment URL supplied by Vercel for previews and builds.\",\n },\n {\n name: \"VERCEL_GIT_COMMIT_SHA\",\n category: \"vercel\",\n description:\n \"Vercel git metadata used for release labels. Platform-owned, not written by Infisical.\",\n },\n {\n name: \"NEXT_RUNTIME\",\n category: \"nextjs\",\n description:\n \"Next.js runtime selector for node/edge instrumentation modules.\",\n },\n {\n name: \"PORT\",\n category: \"framework\",\n description:\n \"Local/server port supplied by the runtime process manager.\",\n },\n {\n name: \"HOST\",\n category: \"framework\",\n description:\n \"Local/server host supplied by the runtime process manager.\",\n },\n {\n name: \"APP_URL\",\n category: \"compatibility\",\n description:\n \"Legacy local app URL fallback. Prefer LUCERN_LOGIN_BASE_URL or LUCERN_API_URL.\",\n },\n {\n name: \"NEXT_PUBLIC_APP_URL\",\n category: \"compatibility\",\n description:\n \"Legacy public app URL fallback. Prefer LUCERN_LOGIN_BASE_URL or LUCERN_API_URL.\",\n },\n {\n name: \"CLAUDE_PROJECT_DIR\",\n category: \"agent_local\",\n description:\n \"Local agent workspace hint. Agent-runtime-owned, not written by Infisical.\",\n },\n {\n name: \"HOME\",\n category: \"os\",\n description:\n \"Operating-system home directory used only for local credential discovery.\",\n },\n {\n name: \"USERPROFILE\",\n category: \"os\",\n description:\n \"Windows home directory used only for local credential discovery.\",\n },\n] as const;\nexport type InfisicalRuntimeControlEnv =\n (typeof INFISICAL_RUNTIME_CONTROL_ENV)[number];\n\nexport type InfisicalRuntimeVariable = {\n readonly name: string;\n readonly required: boolean;\n readonly secret: boolean;\n readonly public: boolean;\n readonly aliases?: readonly string[];\n readonly description: string;\n};\n\nexport type InfisicalRuntimePathDefinition = {\n readonly id: string;\n readonly secretPath: string;\n readonly description: string;\n readonly variables: readonly InfisicalRuntimeVariable[];\n};\n\nexport const INFISICAL_RUNTIME_PATHS = [\n {\n id: \"platform-auth\",\n secretPath: \"/platform/auth\",\n description:\n \"Lucern platform authentication secrets. Synced into Vercel web/gateway projects; never distributed to tenant tools.\",\n variables: [\n {\n name: \"NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY\",\n required: true,\n secret: false,\n public: true,\n description: \"Clerk publishable key for the Lucern web origin.\",\n },\n {\n name: \"CLERK_SECRET_KEY\",\n required: true,\n secret: true,\n public: false,\n description: \"Clerk backend secret key for Lucern server runtimes.\",\n },\n {\n name: \"CLERK_JWT_ISSUER_DOMAIN\",\n required: false,\n secret: false,\n public: false,\n description: \"Expected Clerk issuer/JWKS domain for JWT verification.\",\n },\n {\n name: \"NEXT_PUBLIC_CLERK_SIGN_IN_URL\",\n required: false,\n secret: false,\n public: true,\n description: \"Public sign-in URL for Lucern-owned web flows.\",\n },\n {\n name: \"NEXT_PUBLIC_CLERK_SIGN_UP_URL\",\n required: false,\n secret: false,\n public: true,\n description: \"Public sign-up URL for Lucern-owned web flows.\",\n },\n ],\n },\n {\n id: \"platform-runtime\",\n secretPath: \"/platform/runtime\",\n description:\n \"Runtime defaults shared by server-side Lucern clients and operator tooling.\",\n variables: [\n {\n name: \"LUCERN_API_URL\",\n required: true,\n secret: false,\n public: false,\n aliases: [\"LUCERN_API_BASE_URL\", \"LUCERN_BASE_URL\"],\n description: \"Canonical Lucern API gateway URL.\",\n },\n {\n name: \"LUCERN_LOGIN_BASE_URL\",\n required: false,\n secret: false,\n public: false,\n aliases: [\"LUCERN_AUTH_BASE_URL\"],\n description: \"Browser login origin used when it differs from the API.\",\n },\n {\n name: \"LUCERN_ENVIRONMENT\",\n required: false,\n secret: false,\n public: false,\n aliases: [\"LUCERN_ENV\"],\n description: \"Lucern environment label consumed by CLI profiles.\",\n },\n {\n name: \"LUCERN_CLI_SESSION_TTL_MS\",\n required: false,\n secret: false,\n public: false,\n description:\n \"Optional web-issued CLI login session lifetime override in milliseconds.\",\n },\n ],\n },\n {\n id: \"platform-permit\",\n secretPath: \"/platform/permit\",\n description:\n \"Permit runtime configuration for policy enforcement and embedded Permit Elements.\",\n variables: [\n {\n name: \"LUCERN_PERMIT_ELEMENTS_ENV_ID\",\n required: false,\n secret: false,\n public: false,\n description:\n \"Permit environment id used by Lucern web to authenticate embedded Permit Elements.\",\n },\n {\n name: \"LUCERN_PERMIT_ELEMENTS_JWT_TEMPLATE\",\n required: false,\n secret: false,\n public: false,\n description:\n \"Optional Clerk JWT template name for Permit Elements frontendOnly login.\",\n },\n {\n name: \"LUCERN_PERMIT_ELEMENTS_USER_MANAGEMENT_URL\",\n required: false,\n secret: false,\n public: false,\n description:\n \"Permit Elements dashboard iframe URL for user and group management.\",\n },\n {\n name: \"LUCERN_PERMIT_ELEMENTS_AUDIT_LOGS_URL\",\n required: false,\n secret: false,\n public: false,\n description: \"Permit Elements dashboard iframe URL for audit logs.\",\n },\n {\n name: \"LUCERN_PERMIT_ELEMENTS_ACCESS_REQUEST_URL\",\n required: false,\n secret: false,\n public: false,\n description:\n \"Permit Elements dashboard iframe URL for access requests.\",\n },\n {\n name: \"LUCERN_PERMIT_ELEMENTS_APPROVALS_URL\",\n required: false,\n secret: false,\n public: false,\n description:\n \"Permit Elements dashboard iframe URL for approval management.\",\n },\n ],\n },\n {\n id: \"platform-operator-credentials\",\n secretPath: \"/platform/runtime\",\n description:\n \"Lucern-owned operator credential material for local CLI, MCP, and SDK sessions.\",\n variables: [\n {\n name: \"LUCERN_API_KEY\",\n required: false,\n secret: true,\n public: false,\n aliases: [\"LUCERN_KEY\"],\n description:\n \"Lucern-owned operator API key for gateway calls from trusted local tooling.\",\n },\n ],\n },\n {\n id: \"tenant-shared-install\",\n secretPath: TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH,\n description:\n \"Tenant package-install secrets. This is install-only and distinct from platform publish credentials.\",\n variables: [\n {\n name: \"INSTALL_LUCERN_NPM\",\n required: true,\n secret: true,\n public: false,\n description:\n \"Read-only install token for the published @lucern/* suite.\",\n },\n ],\n },\n] as const satisfies readonly InfisicalRuntimePathDefinition[];\nexport type InfisicalRuntimePath = (typeof INFISICAL_RUNTIME_PATHS)[number];\nexport type InfisicalRuntimePathId = InfisicalRuntimePath[\"id\"];\n\nexport type InfisicalRuntimeSurfaceDefinition = {\n readonly id: InfisicalRuntimeSurfaceId;\n readonly packageName?: string;\n readonly delivery: InfisicalRuntimeDeliveryMode;\n readonly fallback?: InfisicalRuntimeDeliveryMode;\n readonly sourcePathIds: readonly InfisicalRuntimePathId[];\n readonly consumer: string;\n readonly description: string;\n};\n\nexport const INFISICAL_RUNTIME_SURFACES = [\n {\n id: \"lucern-web\",\n delivery: \"vercel_sync\",\n sourcePathIds: [\"platform-auth\", \"platform-runtime\", \"platform-permit\"],\n consumer: \"apps/web on Vercel project lucern\",\n description:\n \"Lucern web consumes Clerk and runtime config via Infisical-to-Vercel syncs.\",\n },\n {\n id: \"lucern-gateway\",\n delivery: \"vercel_sync\",\n fallback: \"runtime_fetch\",\n sourcePathIds: [\"platform-auth\", \"platform-runtime\"],\n consumer: \"apps/gateway on Vercel project lucern-gateway\",\n description:\n \"Lucern gateway consumes platform config via Infisical-to-Vercel syncs and may self-hydrate from Infisical when the host environment has scoped bootstrap credentials.\",\n },\n {\n id: \"lucern-sdk\",\n packageName: \"@lucern/sdk\",\n delivery: \"runtime_fetch\",\n sourcePathIds: [\"platform-runtime\", \"platform-operator-credentials\"],\n consumer:\n \"server-side SDK operator contexts with a scoped Infisical identity\",\n description:\n \"SDK exposes the runtime Infisical resolver used by clients that have machine identity credentials.\",\n },\n {\n id: \"lucern-cli\",\n packageName: \"@lucern/cli\",\n delivery: \"runtime_fetch\",\n fallback: \"device_auth\",\n sourcePathIds: [\"platform-runtime\", \"platform-operator-credentials\"],\n consumer: \"developer/operator CLI processes\",\n description:\n \"CLI hydrates runtime defaults from Infisical when configured, then authenticates users through Lucern device login.\",\n },\n {\n id: \"lucern-mcp\",\n packageName: \"@lucern/mcp\",\n delivery: \"runtime_fetch\",\n fallback: \"device_auth\",\n sourcePathIds: [\"platform-runtime\", \"platform-operator-credentials\"],\n consumer: \"MCP server/client processes\",\n description:\n \"MCP hydrates runtime defaults through the SDK resolver and remains a Lucern client, not a platform secret owner.\",\n },\n {\n id: \"tenant-client\",\n delivery: \"device_auth\",\n sourcePathIds: [\"tenant-shared-install\"],\n consumer: \"tenant-owned apps and coding agents\",\n description:\n \"Tenant clients install the published packages and receive user/service credentials through Lucern auth surfaces.\",\n },\n] as const satisfies readonly InfisicalRuntimeSurfaceDefinition[];\nexport type InfisicalRuntimeSurface =\n (typeof INFISICAL_RUNTIME_SURFACES)[number];\n\nexport type InfisicalTenantSoftwareSystemDefinition = {\n readonly id: string;\n readonly tenantKey: string;\n readonly workspaceKey: string;\n readonly vercelProjectName: string;\n readonly vercelTeamId: string;\n readonly vercelProjectId: string;\n readonly vercelWriterTokenEnv: string;\n readonly repository: {\n readonly owner: string;\n readonly name: string;\n };\n readonly sharedSourcePath: string;\n readonly sharedVariablePolicy: \"tenant_shared_all_systems\";\n readonly convex: {\n readonly urlEnv: string;\n readonly deployKeyEnv: string;\n readonly preprodDeployment: string;\n readonly prodDeployment: string;\n };\n};\n\nexport const INFISICAL_TENANT_SOFTWARE_SYSTEMS = [\n {\n id: \"stack-frontend\",\n tenantKey: \"stack\",\n workspaceKey: \"frontend\",\n vercelProjectName: \"ai-chatbot-diao\",\n vercelTeamId: \"team_mZBKwvXSSu7qxrWdg2go29sK\",\n vercelProjectId: \"prj_PihFw8kohSSw14nZs9YQV3xVo517\",\n vercelWriterTokenEnv: \"STACK_VERCEL_TOKEN\",\n repository: {\n owner: \"stack-vc\",\n name: \"front-end\",\n },\n sharedSourcePath: \"/tenants/stack\",\n sharedVariablePolicy: \"tenant_shared_all_systems\",\n convex: {\n urlEnv: \"CONVEX_FRONTEND_URL\",\n deployKeyEnv: \"CONVEX_FRONTEND_DEPLOY_KEY\",\n preprodDeployment: \"rugged-lobster-664\",\n prodDeployment: \"wonderful-toucan-0\",\n },\n },\n {\n id: \"stackos\",\n tenantKey: \"stack\",\n workspaceKey: \"stackos\",\n vercelProjectName: \"stackos\",\n vercelTeamId: \"team_mZBKwvXSSu7qxrWdg2go29sK\",\n vercelProjectId: \"prj_rXLAL0Z6v9p1fasKbomby6GI7kau\",\n vercelWriterTokenEnv: \"STACK_VERCEL_TOKEN\",\n repository: {\n owner: \"stack-vc\",\n name: \"stackos\",\n },\n sharedSourcePath: \"/tenants/stack\",\n sharedVariablePolicy: \"tenant_shared_all_systems\",\n convex: {\n urlEnv: \"CONVEX_STACKOS_URL\",\n deployKeyEnv: \"CONVEX_STACKOS_DEPLOY_KEY\",\n preprodDeployment: \"giant-mandrill-761\",\n prodDeployment: \"good-snake-515\",\n },\n },\n {\n id: \"stack-eng\",\n tenantKey: \"stack\",\n workspaceKey: \"engineering\",\n vercelProjectName: \"stackos-engineering-graph\",\n vercelTeamId: \"team_mZBKwvXSSu7qxrWdg2go29sK\",\n vercelProjectId: \"prj_zAU0Zn9GkbHjHI63dxW4vLpmoqTJ\",\n vercelWriterTokenEnv: \"STACK_VERCEL_TOKEN\",\n repository: {\n owner: \"stack-vc\",\n name: \"stackos-engineering-graph\",\n },\n sharedSourcePath: \"/tenants/stack/engineering\",\n sharedVariablePolicy: \"tenant_shared_all_systems\",\n convex: {\n urlEnv: \"CONVEX_STACK_ENG_URL\",\n deployKeyEnv: \"CONVEX_STACK_ENG_DEPLOY_KEY\",\n preprodDeployment: \"small-oyster-270\",\n prodDeployment: \"bold-cuttlefish-804\",\n },\n },\n {\n id: \"lucern-graph\",\n tenantKey: \"lucern\",\n workspaceKey: \"lucern\",\n vercelProjectName: \"lucern-graph\",\n vercelTeamId: \"team_vTHxxs8GAoAFUe6RWMlYt7fY\",\n vercelProjectId: \"prj_KJ8EKV8vGM5xURpqmwTwmECEGPgQ\",\n vercelWriterTokenEnv: \"LUCERN_VERCEL_TOKEN\",\n repository: {\n owner: \"LucernAI\",\n name: \"lucern-graph\",\n },\n sharedSourcePath: \"/tenants/lucern/shared\",\n sharedVariablePolicy: \"tenant_shared_all_systems\",\n convex: {\n urlEnv: \"CONVEX_LUCERN_URL\",\n deployKeyEnv: \"CONVEX_LUCERN_DEPLOY_KEY\",\n preprodDeployment: \"good-blackbird-774\",\n prodDeployment: \"precious-dog-365\",\n },\n },\n] as const satisfies readonly InfisicalTenantSoftwareSystemDefinition[];\nexport type InfisicalTenantSoftwareSystem =\n (typeof INFISICAL_TENANT_SOFTWARE_SYSTEMS)[number];\nexport type InfisicalTenantSoftwareSystemId =\n InfisicalTenantSoftwareSystem[\"id\"];\n\nexport function findInfisicalTenantSoftwareSystem(\n systemId: InfisicalTenantSoftwareSystemId,\n): InfisicalTenantSoftwareSystem | undefined {\n return INFISICAL_TENANT_SOFTWARE_SYSTEMS.find(\n (system) => system.id === systemId,\n );\n}\n\nexport function tenantSoftwareSystemConvexEnvNames(\n systemId: InfisicalTenantSoftwareSystemId,\n): readonly [string, string] {\n const system = findInfisicalTenantSoftwareSystem(systemId);\n if (!system) {\n throw new Error(`Unknown tenant software system: ${systemId}.`);\n }\n return [system.convex.urlEnv, system.convex.deployKeyEnv] as const;\n}\n\nexport function tenantSoftwareSystemOwnsConvexEnvName(\n systemId: InfisicalTenantSoftwareSystemId,\n envName: string,\n): boolean {\n return tenantSoftwareSystemConvexEnvNames(systemId).includes(envName);\n}\n\nexport function convexTierForVercelDestinationEnvironment(\n environment: InfisicalVercelDestinationEnvironment,\n): InfisicalConvexTier {\n return INFISICAL_CONVEX_TIER_BY_VERCEL_ENVIRONMENT[environment];\n}\n\nexport function findInfisicalVercelSyncDestination(\n environment: InfisicalVercelDestinationEnvironment,\n): InfisicalVercelSyncDestination | undefined {\n return INFISICAL_VERCEL_SYNC_DESTINATIONS.find(\n (destination) => destination.environment === environment,\n );\n}\n\nexport function vercelCustomEnvironmentIdForTenantSoftwareSystem(\n systemId: InfisicalTenantSoftwareSystemId,\n environment: InfisicalVercelDestinationEnvironment,\n): string | undefined {\n const system = findInfisicalTenantSoftwareSystem(systemId);\n const destination = findInfisicalVercelSyncDestination(environment);\n if (!system || !destination) {\n return undefined;\n }\n return destination.customEnvironmentIdsByProjectName?.[\n system.vercelProjectName\n ];\n}\n\nexport function expectedTenantConvexDeploymentForVercelEnvironment(\n systemId: InfisicalTenantSoftwareSystemId,\n environment: InfisicalVercelDestinationEnvironment,\n): string {\n const system = findInfisicalTenantSoftwareSystem(systemId);\n if (!system) {\n throw new Error(`Unknown tenant software system: ${systemId}.`);\n }\n return convexTierForVercelDestinationEnvironment(environment) === \"prod\"\n ? system.convex.prodDeployment\n : system.convex.preprodDeployment;\n}\n\nexport function findInfisicalRuntimePath(\n pathId: InfisicalRuntimePathId,\n): InfisicalRuntimePath | undefined {\n return INFISICAL_RUNTIME_PATHS.find((path) => path.id === pathId);\n}\n\nexport function findInfisicalRuntimeSurface(\n surfaceId: InfisicalRuntimeSurfaceId,\n): InfisicalRuntimeSurface | undefined {\n return INFISICAL_RUNTIME_SURFACES.find((surface) => surface.id === surfaceId);\n}\n\nexport const INFISICAL_SECRET_OWNERS = [\n \"lucern_platform\",\n \"tenant\",\n \"provider\",\n \"operator_local\",\n] as const;\nexport type InfisicalSecretOwner = (typeof INFISICAL_SECRET_OWNERS)[number];\n\nexport const INFISICAL_SECRET_SCOPES = [\n \"global\",\n \"environment\",\n \"tenant\",\n \"workspace\",\n \"software_system\",\n \"deployment\",\n \"local\",\n] as const;\nexport type InfisicalSecretScope = (typeof INFISICAL_SECRET_SCOPES)[number];\n\nexport const INFISICAL_SECRET_ENVIRONMENT_POLICIES = [\n \"same_all_environments\",\n \"environment_specific\",\n \"preprod_staging_prod_prod\",\n \"local_only\",\n] as const;\nexport type InfisicalSecretEnvironmentPolicy =\n (typeof INFISICAL_SECRET_ENVIRONMENT_POLICIES)[number];\n\nexport const INFISICAL_SECRET_CONSUMERS = [\n \"lucern-web\",\n \"lucern-gateway\",\n \"lucern-sdk\",\n \"lucern-mcp\",\n \"lucern-cli\",\n \"lucern-agent\",\n \"lucern-railway-pdp\",\n \"lucern-ai-runtime\",\n \"lucern-graph-sync\",\n \"lucern-observability\",\n \"lucern-repo-ci\",\n \"mc-convex\",\n \"mc-operator-tooling\",\n \"tenant-vercel-app\",\n \"tenant-convex-deployment\",\n \"tenant-ai-runtime\",\n \"tenant-graph-sync\",\n \"tenant-observability\",\n \"tenant-vector-store\",\n \"tenant-deploy-tooling\",\n \"tenant-agent-runtime\",\n] as const;\nexport type InfisicalSecretConsumer = (typeof INFISICAL_SECRET_CONSUMERS)[number];\n\nexport const INFISICAL_SECRET_DESTINATION_KINDS = [\n \"vercel\",\n \"convex\",\n \"github_actions\",\n \"runtime_fetch\",\n \"operator_local\",\n] as const;\nexport type InfisicalSecretDestinationKind =\n (typeof INFISICAL_SECRET_DESTINATION_KINDS)[number];\n\nexport type InfisicalSecretDestination = {\n readonly kind: InfisicalSecretDestinationKind;\n readonly target: string;\n readonly environmentPolicy: InfisicalSecretEnvironmentPolicy;\n readonly writeNames?: readonly string[];\n readonly notes?: string;\n};\n\nexport type InfisicalSecretDefinition = {\n readonly id: string;\n readonly canonicalName: string;\n readonly aliases?: readonly string[];\n readonly owner: InfisicalSecretOwner;\n readonly scope: InfisicalSecretScope;\n readonly sourcePath: string;\n readonly environmentPolicy: InfisicalSecretEnvironmentPolicy;\n readonly required: boolean;\n readonly secret: boolean;\n readonly public: boolean;\n readonly consumers: readonly InfisicalSecretConsumer[];\n readonly destinations: readonly InfisicalSecretDestination[];\n readonly description: string;\n};\n"]}
|
|
@@ -420,6 +420,108 @@ declare const INFISICAL_SECRET_DEFINITIONS: readonly [{
|
|
|
420
420
|
readonly environmentPolicy: "environment_specific";
|
|
421
421
|
}];
|
|
422
422
|
readonly description: "Optional Permit API URL override.";
|
|
423
|
+
}, {
|
|
424
|
+
readonly id: "platform.permit.elements-env-id";
|
|
425
|
+
readonly canonicalName: "LUCERN_PERMIT_ELEMENTS_ENV_ID";
|
|
426
|
+
readonly owner: "lucern_platform";
|
|
427
|
+
readonly scope: "environment";
|
|
428
|
+
readonly sourcePath: "/platform/permit";
|
|
429
|
+
readonly environmentPolicy: "environment_specific";
|
|
430
|
+
readonly required: false;
|
|
431
|
+
readonly secret: false;
|
|
432
|
+
readonly public: false;
|
|
433
|
+
readonly consumers: readonly ["lucern-web"];
|
|
434
|
+
readonly destinations: readonly [{
|
|
435
|
+
readonly kind: "vercel";
|
|
436
|
+
readonly target: "lucern";
|
|
437
|
+
readonly environmentPolicy: "environment_specific";
|
|
438
|
+
}];
|
|
439
|
+
readonly description: "Permit environment id used by Lucern web to authenticate embedded Permit Elements.";
|
|
440
|
+
}, {
|
|
441
|
+
readonly id: "platform.permit.elements-jwt-template";
|
|
442
|
+
readonly canonicalName: "LUCERN_PERMIT_ELEMENTS_JWT_TEMPLATE";
|
|
443
|
+
readonly owner: "lucern_platform";
|
|
444
|
+
readonly scope: "environment";
|
|
445
|
+
readonly sourcePath: "/platform/permit";
|
|
446
|
+
readonly environmentPolicy: "environment_specific";
|
|
447
|
+
readonly required: false;
|
|
448
|
+
readonly secret: false;
|
|
449
|
+
readonly public: false;
|
|
450
|
+
readonly consumers: readonly ["lucern-web"];
|
|
451
|
+
readonly destinations: readonly [{
|
|
452
|
+
readonly kind: "vercel";
|
|
453
|
+
readonly target: "lucern";
|
|
454
|
+
readonly environmentPolicy: "environment_specific";
|
|
455
|
+
}];
|
|
456
|
+
readonly description: "Optional Clerk JWT template name used for Permit Elements frontendOnly login. Defaults to permit-elements.";
|
|
457
|
+
}, {
|
|
458
|
+
readonly id: "platform.permit.elements-user-management-url";
|
|
459
|
+
readonly canonicalName: "LUCERN_PERMIT_ELEMENTS_USER_MANAGEMENT_URL";
|
|
460
|
+
readonly owner: "lucern_platform";
|
|
461
|
+
readonly scope: "environment";
|
|
462
|
+
readonly sourcePath: "/platform/permit";
|
|
463
|
+
readonly environmentPolicy: "environment_specific";
|
|
464
|
+
readonly required: false;
|
|
465
|
+
readonly secret: false;
|
|
466
|
+
readonly public: false;
|
|
467
|
+
readonly consumers: readonly ["lucern-web"];
|
|
468
|
+
readonly destinations: readonly [{
|
|
469
|
+
readonly kind: "vercel";
|
|
470
|
+
readonly target: "lucern";
|
|
471
|
+
readonly environmentPolicy: "environment_specific";
|
|
472
|
+
}];
|
|
473
|
+
readonly description: "Permit Elements dashboard iframe URL for the User Management element.";
|
|
474
|
+
}, {
|
|
475
|
+
readonly id: "platform.permit.elements-audit-logs-url";
|
|
476
|
+
readonly canonicalName: "LUCERN_PERMIT_ELEMENTS_AUDIT_LOGS_URL";
|
|
477
|
+
readonly owner: "lucern_platform";
|
|
478
|
+
readonly scope: "environment";
|
|
479
|
+
readonly sourcePath: "/platform/permit";
|
|
480
|
+
readonly environmentPolicy: "environment_specific";
|
|
481
|
+
readonly required: false;
|
|
482
|
+
readonly secret: false;
|
|
483
|
+
readonly public: false;
|
|
484
|
+
readonly consumers: readonly ["lucern-web"];
|
|
485
|
+
readonly destinations: readonly [{
|
|
486
|
+
readonly kind: "vercel";
|
|
487
|
+
readonly target: "lucern";
|
|
488
|
+
readonly environmentPolicy: "environment_specific";
|
|
489
|
+
}];
|
|
490
|
+
readonly description: "Permit Elements dashboard iframe URL for the Audit Logs element.";
|
|
491
|
+
}, {
|
|
492
|
+
readonly id: "platform.permit.elements-access-request-url";
|
|
493
|
+
readonly canonicalName: "LUCERN_PERMIT_ELEMENTS_ACCESS_REQUEST_URL";
|
|
494
|
+
readonly owner: "lucern_platform";
|
|
495
|
+
readonly scope: "environment";
|
|
496
|
+
readonly sourcePath: "/platform/permit";
|
|
497
|
+
readonly environmentPolicy: "environment_specific";
|
|
498
|
+
readonly required: false;
|
|
499
|
+
readonly secret: false;
|
|
500
|
+
readonly public: false;
|
|
501
|
+
readonly consumers: readonly ["lucern-web"];
|
|
502
|
+
readonly destinations: readonly [{
|
|
503
|
+
readonly kind: "vercel";
|
|
504
|
+
readonly target: "lucern";
|
|
505
|
+
readonly environmentPolicy: "environment_specific";
|
|
506
|
+
}];
|
|
507
|
+
readonly description: "Permit Elements dashboard iframe URL for the Access Request element.";
|
|
508
|
+
}, {
|
|
509
|
+
readonly id: "platform.permit.elements-approvals-url";
|
|
510
|
+
readonly canonicalName: "LUCERN_PERMIT_ELEMENTS_APPROVALS_URL";
|
|
511
|
+
readonly owner: "lucern_platform";
|
|
512
|
+
readonly scope: "environment";
|
|
513
|
+
readonly sourcePath: "/platform/permit";
|
|
514
|
+
readonly environmentPolicy: "environment_specific";
|
|
515
|
+
readonly required: false;
|
|
516
|
+
readonly secret: false;
|
|
517
|
+
readonly public: false;
|
|
518
|
+
readonly consumers: readonly ["lucern-web"];
|
|
519
|
+
readonly destinations: readonly [{
|
|
520
|
+
readonly kind: "vercel";
|
|
521
|
+
readonly target: "lucern";
|
|
522
|
+
readonly environmentPolicy: "environment_specific";
|
|
523
|
+
}];
|
|
524
|
+
readonly description: "Permit Elements dashboard iframe URL for the Approval Management element.";
|
|
423
525
|
}, {
|
|
424
526
|
readonly id: "platform.ci.infisical-bootstrap-client-id";
|
|
425
527
|
readonly canonicalName: "INFISICAL_BOOTSTRAP_CLIENT_ID";
|