@lucern/events 0.3.0-alpha.10 → 0.3.0-alpha.11

package/dist/index.js CHANGED
@@ -26,6 +26,20 @@ function matchesAnyEventPattern(eventType, patterns) {
26
26
  return patterns.some((pattern) => matchesEventPattern(eventType, pattern));
27
27
  }
28
28
 
29
+ // ../contracts/src/types/reasoning-method.ts
30
+ var REASONING_METHODS = [
31
+ "deductive",
32
+ "inductive",
33
+ "abductive",
34
+ "analogical",
35
+ "causal",
36
+ "correlational",
37
+ "testimonial",
38
+ "statistical",
39
+ "implicit",
40
+ "pattern_match"
41
+ ];
42
+
29
43
  // ../contracts/src/graph-intelligence.contract.ts
30
44
  var GRAPH_INTELLIGENCE_MODE_TOOL_NAMES = {
31
45
  core: [
@@ -847,7 +861,7 @@ defineTable({
847
861
  });
848
862
  defineTable({
849
863
  name: "agents",
850
- component: "identity",
864
+ component: "control-plane",
851
865
  category: "agent",
852
866
  shape: z.object({
853
867
  "slug": z.string(),
@@ -878,6 +892,7 @@ defineTable({
878
892
  category: "tenant",
879
893
  shape: z.object({
880
894
  "tenantId": idOf("tenants"),
895
+ "workspaceId": idOf("workspaces").optional(),
881
896
  "keyPrefix": z.enum(["luc", "stk"]),
882
897
  "keyHash": z.string(),
883
898
  "keyHint": z.string(),
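Review bot: The added `"workspaceId": idOf("workspaces").optional()` leaves the schema silent on what a key row without a workspace means: it could be a deliberately tenant-wide key or a row written before workspace scoping existed. The code that authorises requests against these rows is not visible here, but it should handle the absent case explicitly rather than let `undefined` fall through a comparison. A comment on the field would record the decision, for example `// absent workspaceId: state here whether the key is tenant-wide or rejected for workspace-scoped calls`. The same optional field is added to the deploy-credential, slot-binding, provider-secret and proxy-token-lease shapes later in this file. The table's `name` and indices lie outside this hunk.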
@@ -905,7 +920,7 @@ defineTable({
905
920
  shape: z.object({
906
921
  "tenantId": idOf("tenants").optional(),
907
922
  "apiKeyId": idOf("apiKeys").optional(),
908
- "action": z.enum(["key_created", "key_revoked", "key_expired", "key_used", "tenant_secret_created", "tenant_secret_rotated", "tenant_secret_revoked", "tenant_slot_binding_upserted", "tenant_slot_binding_revoked", "proxy_token_minted", "proxy_request_recorded", "tenant_created", "tenant_updated", "tenant_suspended", "tenant_archived", "tenant_reactivated", "principal_created", "principal_updated", "principal_suspended", "membership_created", "membership_updated", "membership_revoked", "group_created", "group_updated", "group_deleted", "group_member_added", "group_member_removed", "workspace_created", "workspace_updated", "workspace_archived", "workspace_deployment_set", "workspace_deployment_removed", "service_key_created", "service_key_rotated", "service_key_revoked", "service_key_used", "service_key_auth_failed", "session_created", "session_validated", "session_revoked", "session_cascade_revoked", "session_expired", "sandbox_created", "sandbox_secret_injected", "sandbox_execution_started", "sandbox_execution_completed", "sandbox_limit_violated", "policy_created", "policy_updated", "policy_enforced", "policy_archived", "agent_registered", "agent_updated", "tool_registered", "tool_updated", "pack_entitled", "pack_installed", "pack_enabled", "pack_disabled", "pack_entitlement_revoked", "pack_upgraded", "pack_upgrade_committed", "pack_upgrade_rolled_back", "pack_group_assigned", "pack_group_unassigned", "methodology_pack_created", "methodology_pack_updated", "methodology_pack_assigned", "methodology_pack_removed", "pack_assigned_to_group", "pack_revoked_from_group", "pack_ontology_materialized", "pack_ontology_topic_bound", "cutover_flag_set", "cutover_flag_cleared"]),
923
+ "action": z.enum(["key_created", "key_revoked", "key_expired", "key_used", "tenant_secret_created", "tenant_secret_rotated", "tenant_secret_revoked", "tenant_slot_binding_upserted", "tenant_slot_binding_revoked", "proxy_token_minted", "proxy_token_lease_issued", "proxy_token_lease_renewed", "proxy_token_lease_revoked", "proxy_request_recorded", "tenant_created", "tenant_updated", "tenant_suspended", "tenant_archived", "tenant_reactivated", "principal_created", "principal_updated", "principal_suspended", "principal_identity_alias_upserted", "principal_identity_alias_revoked", "membership_created", "membership_updated", "membership_revoked", "group_created", "group_updated", "group_deleted", "group_member_added", "group_member_removed", "workspace_created", "workspace_updated", "workspace_archived", "workspace_deployment_set", "workspace_deployment_removed", "deployment_host_registered", "deployment_host_revoked", "service_key_created", "service_key_rotated", "service_key_revoked", "service_key_used", "service_key_auth_failed", "session_created", "session_validated", "session_revoked", "session_cascade_revoked", "session_expired", "sandbox_created", "sandbox_secret_injected", "sandbox_execution_started", "sandbox_execution_completed", "sandbox_limit_violated", "policy_created", "policy_updated", "policy_enforced", "policy_archived", "permit_sync_enqueued", "permit_sync_succeeded", "permit_sync_failed", "permit_sync_skipped", "agent_registered", "agent_updated", "tool_registered", "tool_updated", "pack_entitled", "pack_installed", "pack_enabled", "pack_disabled", "pack_entitlement_revoked", "pack_upgraded", "pack_upgrade_committed", "pack_upgrade_rolled_back", "pack_group_assigned", "pack_group_unassigned", "methodology_pack_created", "methodology_pack_updated", "methodology_pack_assigned", "methodology_pack_removed", "pack_assigned_to_group", "pack_revoked_from_group", "pack_ontology_materialized", "pack_ontology_topic_bound", "cutover_flag_set", 
"cutover_flag_cleared"]),
909
924
  "actorClerkId": z.string(),
910
925
  "details": z.any().optional(),
911
926
  "createdAt": z.number()
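Review bot: The new lease actions in the `action` enum are `proxy_token_lease_issued`, `proxy_token_lease_renewed` and `proxy_token_lease_revoked`, with no expiry event, although the same list has `key_expired` and `session_expired`. The lease table added later in this file carries an `expiresAt` field, so if a lease can lapse without an explicit revoke, the audit trail would not record when that access ended; consider adding `"proxy_token_lease_expired"` next to the other three. The new `permit_sync_failed` events will also be stored under `"details": z.any().optional()`, which accepts anything, so writers need to keep raw upstream error bodies and credential material out of that field.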
@@ -1784,29 +1799,37 @@ defineTable({
1784
1799
  component: "mc",
1785
1800
  category: "runtime",
1786
1801
  shape: z.object({
1787
- "shimId": z.string(),
1788
- "gateId": z.string(),
1789
- "removalDate": z.string(),
1790
- "removalPriority": z.enum(["P1", "P2", "P3"]),
1791
- "description": z.string(),
1792
- "owner": z.string(),
1793
- "createdAt": z.string(),
1794
- "status": z.enum(["active", "overdue", "removed"]),
1795
- "bridgeType": z.enum(["tool", "agent"]),
1796
- "bridgeTarget": z.object({
1797
- "type": z.enum(["tool", "agent"]),
1798
- "legacyPath": z.string(),
1799
- "harnessPath": z.string()
1802
+ shimId: z.string(),
1803
+ gateId: z.string(),
1804
+ removalDate: z.string(),
1805
+ removalPriority: z.enum(["P1", "P2", "P3"]),
1806
+ description: z.string(),
1807
+ owner: z.string(),
1808
+ createdAt: z.string(),
1809
+ status: z.enum(["active", "overdue", "removed"]),
1810
+ bridgeType: z.enum(["tool", "agent"]),
1811
+ bridgeTarget: z.object({
1812
+ type: z.enum(["tool", "agent"]),
1813
+ legacyPath: z.string(),
1814
+ harnessPath: z.string()
1800
1815
  }),
1801
- "shimBehavior": z.enum(["passthrough_with_logging", "adapter", "feature_flag_gate"]),
1802
- "producesLedgerEntries": z.boolean(),
1803
- "lastAuditedAt": z.number(),
1804
- "metadata": z.record(z.any()).optional()
1816
+ shimBehavior: z.enum([
1817
+ "passthrough_with_logging",
1818
+ "adapter",
1819
+ "feature_flag_gate"
1820
+ ]),
1821
+ producesLedgerEntries: z.boolean(),
1822
+ lastAuditedAt: z.number(),
1823
+ metadata: z.record(z.any()).optional()
1805
1824
  }),
1806
1825
  indices: [
1807
1826
  { kind: "index", name: "by_shimId", columns: ["shimId"] },
1808
1827
  { kind: "index", name: "by_status", columns: ["status"] },
1809
- { kind: "index", name: "by_bridgeType_status", columns: ["bridgeType", "status"] }
1828
+ {
1829
+ kind: "index",
1830
+ name: "by_bridgeType_status",
1831
+ columns: ["bridgeType", "status"]
1832
+ }
1810
1833
  ]
1811
1834
  });
1812
1835
  defineTable({
@@ -1814,12 +1837,23 @@ defineTable({
1814
1837
  component: "mc",
1815
1838
  category: "runtime",
1816
1839
  shape: z.object({
1817
- "domain": z.enum(["graph", "schema", "identity", "policy", "audit", "admin", "agent", "tool", "prompt", "intelligence"]),
1818
- "state": z.enum(["legacy", "cutover", "disabled"]),
1819
- "metadata": z.record(z.any()).optional(),
1820
- "updatedBy": z.string(),
1821
- "createdAt": z.number(),
1822
- "updatedAt": z.number()
1840
+ domain: z.enum([
1841
+ "graph",
1842
+ "schema",
1843
+ "identity",
1844
+ "policy",
1845
+ "audit",
1846
+ "admin",
1847
+ "agent",
1848
+ "tool",
1849
+ "prompt",
1850
+ "intelligence"
1851
+ ]),
1852
+ state: z.enum(["legacy", "cutover", "disabled"]),
1853
+ metadata: z.record(z.any()).optional(),
1854
+ updatedBy: z.string(),
1855
+ createdAt: z.number(),
1856
+ updatedAt: z.number()
1823
1857
  }),
1824
1858
  indices: [
1825
1859
  { kind: "index", name: "by_domain", columns: ["domain"] },
@@ -1831,57 +1865,193 @@ defineTable({
1831
1865
  component: "mc",
1832
1866
  category: "runtime",
1833
1867
  shape: z.object({
1834
- "credentialRef": z.string(),
1835
- "tenantId": idOf("tenants"),
1836
- "target": z.enum(["kernelDeployment", "appDeployment"]),
1837
- "environment": z.enum(["dev", "staging", "prod"]),
1838
- "encryptedDeployKey": z.string(),
1839
- "encryptionVersion": z.string(),
1840
- "keyFingerprint": z.string(),
1841
- "keyHint": z.string(),
1842
- "status": z.enum(["active", "revoked"]),
1843
- "rotatedFromCredentialRef": z.string().optional(),
1844
- "revokedAt": z.number().optional(),
1845
- "revokedBy": z.string().optional(),
1846
- "lastUsedAt": z.number().optional(),
1847
- "metadata": z.record(z.any()).optional(),
1848
- "createdBy": z.string(),
1849
- "createdAt": z.number(),
1850
- "updatedAt": z.number()
1868
+ credentialRef: z.string(),
1869
+ tenantId: idOf("tenants"),
1870
+ workspaceId: idOf("workspaces").optional(),
1871
+ target: z.enum(["kernelDeployment", "appDeployment"]),
1872
+ environment: z.enum(["dev", "staging", "prod"]),
1873
+ encryptedDeployKey: z.string(),
1874
+ encryptionVersion: z.string(),
1875
+ keyFingerprint: z.string(),
1876
+ keyHint: z.string(),
1877
+ status: z.enum(["active", "revoked"]),
1878
+ rotatedFromCredentialRef: z.string().optional(),
1879
+ revokedAt: z.number().optional(),
1880
+ revokedBy: z.string().optional(),
1881
+ lastUsedAt: z.number().optional(),
1882
+ metadata: z.record(z.any()).optional(),
1883
+ createdBy: z.string(),
1884
+ createdAt: z.number(),
1885
+ updatedAt: z.number()
1851
1886
  }),
1852
1887
  indices: [
1853
1888
  { kind: "index", name: "by_credentialRef", columns: ["credentialRef"] },
1854
1889
  { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
1855
- { kind: "index", name: "by_tenant_target", columns: ["tenantId", "target"] },
1856
- { kind: "index", name: "by_tenant_target_environment", columns: ["tenantId", "target", "environment"] },
1857
- { kind: "index", name: "by_tenant_target_environment_status", columns: ["tenantId", "target", "environment", "status"] },
1890
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
1891
+ {
1892
+ kind: "index",
1893
+ name: "by_tenant_target",
1894
+ columns: ["tenantId", "target"]
1895
+ },
1896
+ {
1897
+ kind: "index",
1898
+ name: "by_tenant_target_environment",
1899
+ columns: ["tenantId", "target", "environment"]
1900
+ },
1901
+ {
1902
+ kind: "index",
1903
+ name: "by_tenant_target_environment_status",
1904
+ columns: ["tenantId", "target", "environment", "status"]
1905
+ },
1906
+ {
1907
+ kind: "index",
1908
+ name: "by_tenant_workspace_target_environment_status",
1909
+ columns: ["tenantId", "workspaceId", "target", "environment", "status"]
1910
+ },
1858
1911
  { kind: "index", name: "by_status", columns: ["status"] }
1859
1912
  ]
1860
1913
  });
1914
+ defineTable({
1915
+ name: "permitSyncStates",
1916
+ component: "mc",
1917
+ category: "runtime",
1918
+ shape: z.object({
1919
+ syncKey: z.string(),
1920
+ objectType: z.enum([
1921
+ "resource",
1922
+ "role",
1923
+ "resource_role",
1924
+ "resource_relation",
1925
+ "tenant",
1926
+ "workspace",
1927
+ "principal",
1928
+ "membership",
1929
+ "group",
1930
+ "resource_instance",
1931
+ "relationship_tuple",
1932
+ "role_assignment"
1933
+ ]),
1934
+ objectId: z.string(),
1935
+ tenantId: idOf("tenants").optional(),
1936
+ workspaceId: idOf("workspaces").optional(),
1937
+ principalId: z.string().optional(),
1938
+ permitTenantKey: z.string().optional(),
1939
+ permitResourceType: z.string().optional(),
1940
+ permitResourceKey: z.string().optional(),
1941
+ desiredPayload: z.record(z.any()),
1942
+ lastAppliedPayloadHash: z.string().optional(),
1943
+ status: z.enum(["pending", "synced", "error", "skipped"]),
1944
+ attemptCount: z.number(),
1945
+ lastError: z.string().optional(),
1946
+ nextAttemptAt: z.number().optional(),
1947
+ lastSyncedAt: z.number().optional(),
1948
+ createdBy: z.string(),
1949
+ updatedBy: z.string().optional(),
1950
+ createdAt: z.number(),
1951
+ updatedAt: z.number()
1952
+ }),
1953
+ indices: [
1954
+ { kind: "index", name: "by_syncKey", columns: ["syncKey"] },
1955
+ { kind: "index", name: "by_status", columns: ["status"] },
1956
+ {
1957
+ kind: "index",
1958
+ name: "by_tenant_status",
1959
+ columns: ["tenantId", "status"]
1960
+ },
1961
+ {
1962
+ kind: "index",
1963
+ name: "by_workspace_status",
1964
+ columns: ["workspaceId", "status"]
1965
+ },
1966
+ {
1967
+ kind: "index",
1968
+ name: "by_principal_status",
1969
+ columns: ["principalId", "status"]
1970
+ }
1971
+ ]
1972
+ });
1973
+ defineTable({
1974
+ name: "secretSyncDriftReports",
1975
+ component: "mc",
1976
+ category: "runtime",
1977
+ shape: z.object({
1978
+ reportId: z.string(),
1979
+ source: z.enum(["infisical_manifest", "manual", "ci"]),
1980
+ generatedAt: z.number(),
1981
+ recordedAt: z.number(),
1982
+ recordedBy: z.string(),
1983
+ status: z.enum([
1984
+ "in_sync",
1985
+ "drift",
1986
+ "exception",
1987
+ "blocked",
1988
+ "not_observed"
1989
+ ]),
1990
+ reportHash: z.string(),
1991
+ manifestHash: z.string().optional(),
1992
+ dryRunReceiptId: z.string().optional(),
1993
+ appliedReceiptId: z.string().optional(),
1994
+ summary: z.object({
1995
+ totalPipelines: z.number(),
1996
+ inSync: z.number(),
1997
+ drift: z.number(),
1998
+ exception: z.number(),
1999
+ blocked: z.number(),
2000
+ notObserved: z.number(),
2001
+ missingKeys: z.number(),
2002
+ valueDriftKeys: z.number(),
2003
+ extraKeys: z.number(),
2004
+ deniedConvexLeakage: z.number(),
2005
+ approvedExceptions: z.number()
2006
+ }),
2007
+ redactedReport: z.record(z.any()),
2008
+ metadata: z.record(z.any()).optional()
2009
+ }),
2010
+ indices: [
2011
+ { kind: "index", name: "by_reportId", columns: ["reportId"] },
2012
+ { kind: "index", name: "by_reportHash", columns: ["reportHash"] },
2013
+ { kind: "index", name: "by_generatedAt", columns: ["generatedAt"] },
2014
+ {
2015
+ kind: "index",
2016
+ name: "by_status_generatedAt",
2017
+ columns: ["status", "generatedAt"]
2018
+ }
2019
+ ]
2020
+ });
1861
2021
  defineTable({
1862
2022
  name: "controlPlaneTenantModelSlotBindings",
1863
2023
  component: "mc",
1864
2024
  category: "runtime",
1865
2025
  shape: z.object({
1866
- "bindingId": z.string(),
1867
- "tenantId": idOf("tenants"),
1868
- "providerId": z.string(),
1869
- "modelSlotId": z.string(),
1870
- "secretRef": z.string(),
1871
- "status": z.enum(["active", "revoked"]),
1872
- "passThroughOnly": z.boolean(),
1873
- "revokedAt": z.number().optional(),
1874
- "revokedBy": z.string().optional(),
1875
- "metadata": z.record(z.any()).optional(),
1876
- "createdBy": z.string(),
1877
- "createdAt": z.number(),
1878
- "updatedAt": z.number()
2026
+ bindingId: z.string(),
2027
+ tenantId: idOf("tenants"),
2028
+ workspaceId: idOf("workspaces").optional(),
2029
+ environment: z.enum(["dev", "staging", "prod"]).optional(),
2030
+ providerId: z.string(),
2031
+ modelSlotId: z.string(),
2032
+ secretRef: z.string(),
2033
+ status: z.enum(["active", "revoked"]),
2034
+ passThroughOnly: z.boolean(),
2035
+ revokedAt: z.number().optional(),
2036
+ revokedBy: z.string().optional(),
2037
+ metadata: z.record(z.any()).optional(),
2038
+ createdBy: z.string(),
2039
+ createdAt: z.number(),
2040
+ updatedAt: z.number()
1879
2041
  }),
1880
2042
  indices: [
1881
2043
  { kind: "index", name: "by_bindingId", columns: ["bindingId"] },
1882
2044
  { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
1883
- { kind: "index", name: "by_tenant_slot", columns: ["tenantId", "modelSlotId"] },
1884
- { kind: "index", name: "by_tenant_provider_slot", columns: ["tenantId", "providerId", "modelSlotId"] },
2045
+ {
2046
+ kind: "index",
2047
+ name: "by_tenant_slot",
2048
+ columns: ["tenantId", "modelSlotId"]
2049
+ },
2050
+ {
2051
+ kind: "index",
2052
+ name: "by_tenant_provider_slot",
2053
+ columns: ["tenantId", "providerId", "modelSlotId"]
2054
+ },
1885
2055
  { kind: "index", name: "by_secretRef", columns: ["secretRef"] },
1886
2056
  { kind: "index", name: "by_status", columns: ["status"] }
1887
2057
  ]
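Review bot: `controlPlaneTenantModelSlotBindings` gains `workspaceId` and `environment`, but its indices still stop at the tenant (`by_tenant_slot`, `by_tenant_provider_slot`), so a lookup through them returns bindings for every workspace and environment of that tenant. A resolver that takes the first match could hand back a `secretRef` bound to another workspace or to `prod` unless it filters afterwards. The deploy-credential shape in this same hunk did get a scoped index (`by_tenant_workspace_target_environment_status`). Consider a matching one here, for example `{ kind: "index", name: "by_tenant_workspace_environment_slot", columns: ["tenantId", "workspaceId", "environment", "modelSlotId"] }`; the provider-secret shape in the next hunk adds the same two fields without a scoped index. Separately, `redactedReport: z.record(z.any())` in `secretSyncDriftReports` cannot enforce the redaction its name promises, so that guarantee rests entirely on the writer.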
@@ -1891,29 +2061,42 @@ defineTable({
1891
2061
  component: "mc",
1892
2062
  category: "runtime",
1893
2063
  shape: z.object({
1894
- "secretRef": z.string(),
1895
- "tenantId": idOf("tenants"),
1896
- "providerId": z.string(),
1897
- "label": z.string().optional(),
1898
- "encryptedSecret": z.string(),
1899
- "encryptionVersion": z.string(),
1900
- "secretFingerprint": z.string(),
1901
- "keyHint": z.string(),
1902
- "status": z.enum(["active", "revoked"]),
1903
- "rotatedFromSecretRef": z.string().optional(),
1904
- "revokedAt": z.number().optional(),
1905
- "revokedBy": z.string().optional(),
1906
- "lastUsedAt": z.number().optional(),
1907
- "metadata": z.record(z.any()).optional(),
1908
- "createdBy": z.string(),
1909
- "createdAt": z.number(),
1910
- "updatedAt": z.number()
2064
+ secretRef: z.string(),
2065
+ tenantId: idOf("tenants"),
2066
+ workspaceId: idOf("workspaces").optional(),
2067
+ environment: z.enum(["dev", "staging", "prod"]).optional(),
2068
+ providerId: z.string(),
2069
+ label: z.string().optional(),
2070
+ encryptedSecret: z.string().optional(),
2071
+ infisicalPath: z.string().optional(),
2072
+ infisicalSecretKey: z.string().optional(),
2073
+ infisicalProjectId: z.string().optional(),
2074
+ encryptionVersion: z.string(),
2075
+ secretFingerprint: z.string(),
2076
+ keyHint: z.string(),
2077
+ status: z.enum(["active", "revoked"]),
2078
+ rotatedFromSecretRef: z.string().optional(),
2079
+ revokedAt: z.number().optional(),
2080
+ revokedBy: z.string().optional(),
2081
+ lastUsedAt: z.number().optional(),
2082
+ metadata: z.record(z.any()).optional(),
2083
+ createdBy: z.string(),
2084
+ createdAt: z.number(),
2085
+ updatedAt: z.number()
1911
2086
  }),
1912
2087
  indices: [
1913
2088
  { kind: "index", name: "by_secretRef", columns: ["secretRef"] },
1914
2089
  { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
1915
- { kind: "index", name: "by_tenant_provider", columns: ["tenantId", "providerId"] },
1916
- { kind: "index", name: "by_tenant_provider_status", columns: ["tenantId", "providerId", "status"] },
2090
+ {
2091
+ kind: "index",
2092
+ name: "by_tenant_provider",
2093
+ columns: ["tenantId", "providerId"]
2094
+ },
2095
+ {
2096
+ kind: "index",
2097
+ name: "by_tenant_provider_status",
2098
+ columns: ["tenantId", "providerId", "status"]
2099
+ },
1917
2100
  { kind: "index", name: "by_status", columns: ["status"] }
1918
2101
  ]
1919
2102
  });
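Review bot: `encryptedSecret` changes from required to `z.string().optional()` and the three `infisical*` reference fields are optional as well, so a row with neither an inline ciphertext nor an external reference still validates as an `active` secret. If the intent is that every secret has at least one storage location, state it in the schema, e.g. `.refine((s) => s.encryptedSecret !== undefined || (s.infisicalPath !== undefined && s.infisicalSecretKey !== undefined), "secret needs inline ciphertext or an Infisical reference")`, provided `defineTable` accepts a refined shape; otherwise enforce it in the write path. `encryptionVersion` also stays required when no ciphertext is stored, which deserves a comment saying what it holds for externally stored secrets. The table's `name` line is above this hunk.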
@@ -1922,35 +2105,93 @@ defineTable({
1922
2105
  component: "mc",
1923
2106
  category: "runtime",
1924
2107
  shape: z.object({
1925
- "usageId": z.string(),
1926
- "tenantId": idOf("tenants"),
1927
- "providerId": z.string(),
1928
- "modelSlotId": z.string(),
1929
- "secretRef": z.string(),
1930
- "proxyTokenId": z.string(),
1931
- "sessionId": z.string(),
1932
- "principalId": z.string(),
1933
- "workspaceId": z.string().optional(),
1934
- "modelId": z.string().optional(),
1935
- "requestPath": z.string(),
1936
- "status": z.enum(["success", "error"]),
1937
- "responseStatus": z.number().optional(),
1938
- "inputTokens": z.number().optional(),
1939
- "outputTokens": z.number().optional(),
1940
- "tokenCount": z.number().optional(),
1941
- "latencyMs": z.number(),
1942
- "estimatedCostUsd": z.number().optional(),
1943
- "failureCode": z.string().optional(),
1944
- "metadata": z.record(z.any()).optional(),
1945
- "createdAt": z.number(),
1946
- "updatedAt": z.number()
2108
+ usageId: z.string(),
2109
+ tenantId: idOf("tenants"),
2110
+ providerId: z.string(),
2111
+ modelSlotId: z.string(),
2112
+ secretRef: z.string(),
2113
+ proxyTokenId: z.string(),
2114
+ sessionId: z.string(),
2115
+ principalId: z.string(),
2116
+ workspaceId: z.string().optional(),
2117
+ modelId: z.string().optional(),
2118
+ requestPath: z.string(),
2119
+ status: z.enum(["success", "error"]),
2120
+ responseStatus: z.number().optional(),
2121
+ inputTokens: z.number().optional(),
2122
+ outputTokens: z.number().optional(),
2123
+ tokenCount: z.number().optional(),
2124
+ latencyMs: z.number(),
2125
+ estimatedCostUsd: z.number().optional(),
2126
+ failureCode: z.string().optional(),
2127
+ metadata: z.record(z.any()).optional(),
2128
+ createdAt: z.number(),
2129
+ updatedAt: z.number()
1947
2130
  }),
1948
2131
  indices: [
1949
2132
  { kind: "index", name: "by_usageId", columns: ["usageId"] },
1950
2133
  { kind: "index", name: "by_tenantId", columns: ["tenantId", "createdAt"] },
1951
- { kind: "index", name: "by_tenant_provider", columns: ["tenantId", "providerId", "createdAt"] },
1952
- { kind: "index", name: "by_proxyTokenId", columns: ["proxyTokenId", "createdAt"] },
1953
- { kind: "index", name: "by_sessionId", columns: ["sessionId", "createdAt"] }
2134
+ {
2135
+ kind: "index",
2136
+ name: "by_tenant_provider",
2137
+ columns: ["tenantId", "providerId", "createdAt"]
2138
+ },
2139
+ {
2140
+ kind: "index",
2141
+ name: "by_proxyTokenId",
2142
+ columns: ["proxyTokenId", "createdAt"]
2143
+ },
2144
+ {
2145
+ kind: "index",
2146
+ name: "by_sessionId",
2147
+ columns: ["sessionId", "createdAt"]
2148
+ }
2149
+ ]
2150
+ });
2151
+ defineTable({
2152
+ name: "controlPlaneTenantProxyTokenLeases",
2153
+ component: "mc",
2154
+ category: "runtime",
2155
+ shape: z.object({
2156
+ leaseId: z.string(),
2157
+ proxyTokenId: z.string(),
2158
+ tenantId: idOf("tenants"),
2159
+ workspaceId: idOf("workspaces").optional(),
2160
+ environment: z.enum(["dev", "staging", "prod"]),
2161
+ providerId: z.string(),
2162
+ modelSlotId: z.string(),
2163
+ bindingId: z.string(),
2164
+ secretRef: z.string(),
2165
+ sessionId: z.string(),
2166
+ principalId: z.string(),
2167
+ agentSessionId: z.string().optional(),
2168
+ status: z.enum(["active", "revoked"]),
2169
+ expiresAt: z.number(),
2170
+ renewedAt: z.number().optional(),
2171
+ revokedAt: z.number().optional(),
2172
+ revokedBy: z.string().optional(),
2173
+ revokeReason: z.string().optional(),
2174
+ permitDecisionLogId: idOf("policyDecisionLogs").optional(),
2175
+ permitTraceId: z.string().optional(),
2176
+ metadata: z.record(z.any()).optional(),
2177
+ createdAt: z.number(),
2178
+ updatedAt: z.number()
2179
+ }),
2180
+ indices: [
2181
+ { kind: "index", name: "by_leaseId", columns: ["leaseId"] },
2182
+ { kind: "index", name: "by_proxyTokenId", columns: ["proxyTokenId"] },
2183
+ { kind: "index", name: "by_tenantId", columns: ["tenantId", "createdAt"] },
2184
+ { kind: "index", name: "by_sessionId", columns: ["sessionId", "createdAt"] },
2185
+ {
2186
+ kind: "index",
2187
+ name: "by_principalId",
2188
+ columns: ["principalId", "createdAt"]
2189
+ },
2190
+ {
2191
+ kind: "index",
2192
+ name: "by_status_expiresAt",
2193
+ columns: ["status", "expiresAt"]
2194
+ }
1954
2195
  ]
1955
2196
  });
1956
2197
  defineTable({
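Review bot: In `controlPlaneTenantProxyTokenLeases` the `status` enum is only `"active"` or `"revoked"` while expiry lives separately in `expiresAt`, so a lapsed lease still reads as `active`. Every validity check therefore has to test both, along the lines of `lease.status === "active" && lease.expiresAt > now`, and the `by_status_expiresAt` index suggests that is the intended query. A comment on `status` such as `// does not reflect expiry; always compare expiresAt as well` would keep a later reader from trusting the field alone. The lease types `workspaceId` as `idOf("workspaces")` while the usage table in the same hunk keeps `workspaceId: z.string().optional()`, which makes correlating the two on workspace easy to get wrong.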
@@ -2283,6 +2524,7 @@ defineTable({
2283
2524
  "questionType": z.enum(["validation", "falsification", "assumption_probe", "prediction_test", "counterfactual", "discovery", "clarification", "comparison", "causal", "mechanism", "general"]).optional(),
2284
2525
  "questionPriority": z.enum(["critical", "high", "medium", "low"]).optional(),
2285
2526
  "answerQuality": z.enum(["definitive", "strong", "moderate", "weak", "speculative", "unanswered"]).optional(),
2527
+ "themeStatus": z.enum(["emerging", "active", "mature", "declining", "archived"]).optional(),
2286
2528
  "themeConviction": z.enum(["high", "medium", "low", "negative"]).optional(),
2287
2529
  "decisionType": z.enum(["invest", "pass", "follow_on", "exit", "deep_dive", "monitor", "deprioritize", "thesis_adopt", "thesis_revise", "thesis_abandon"]).optional(),
2288
2530
  "decisionOutcome": z.enum(["pending", "successful", "unsuccessful", "mixed", "unknown"]).optional(),
@@ -2433,6 +2675,7 @@ defineTable({
2433
2675
  indices: [
2434
2676
  { kind: "index", name: "by_principalId", columns: ["principalId"] },
2435
2677
  { kind: "index", name: "by_principal_tenant", columns: ["principalId", "tenantId"] },
2678
+ { kind: "index", name: "by_principal_tenant_workspace", columns: ["principalId", "tenantId", "workspaceId"] },
2436
2679
  { kind: "index", name: "by_workspace_principal", columns: ["workspaceId", "principalId"] },
2437
2680
  { kind: "index", name: "by_tenant_role", columns: ["tenantId", "role"] },
2438
2681
  { kind: "index", name: "by_status", columns: ["status"] }
@@ -2464,6 +2707,36 @@ defineTable({
2464
2707
  { kind: "index", name: "by_status", columns: ["status"] }
2465
2708
  ]
2466
2709
  });
2710
+ defineTable({
2711
+ name: "principalIdentityAliases",
2712
+ component: "mc",
2713
+ category: "identity",
2714
+ shape: z.object({
2715
+ "principalId": z.string(),
2716
+ "principalRefId": idOf("principals").optional(),
2717
+ "provider": z.string(),
2718
+ "providerProjectId": z.string().optional(),
2719
+ "externalSubjectId": z.string(),
2720
+ "tenantId": idOf("tenants").optional(),
2721
+ "workspaceId": idOf("workspaces").optional(),
2722
+ "email": z.string().optional(),
2723
+ "status": z.enum(["active", "revoked"]),
2724
+ "metadata": z.record(z.any()).optional(),
2725
+ "createdBy": z.string(),
2726
+ "revokedAt": z.number().optional(),
2727
+ "revokedBy": z.string().optional(),
2728
+ "createdAt": z.number(),
2729
+ "updatedAt": z.number()
2730
+ }),
2731
+ indices: [
2732
+ { kind: "index", name: "by_provider_subject", columns: ["provider", "externalSubjectId"] },
2733
+ { kind: "index", name: "by_provider_project_subject", columns: ["provider", "providerProjectId", "externalSubjectId"] },
2734
+ { kind: "index", name: "by_principalId", columns: ["principalId"] },
2735
+ { kind: "index", name: "by_principal_status", columns: ["principalId", "status"] },
2736
+ { kind: "index", name: "by_tenant_provider_subject", columns: ["tenantId", "provider", "externalSubjectId"] },
2737
+ { kind: "index", name: "by_workspace_provider_subject", columns: ["workspaceId", "provider", "externalSubjectId"] }
2738
+ ]
2739
+ });
2467
2740
  defineTable({
2468
2741
  name: "rateLimitWindows",
2469
2742
  component: "mc",
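Review bot: The `by_provider_subject` index on `principalIdentityAliases` keys only on `provider` and `externalSubjectId`, while `providerProjectId` is optional. If a provider issues subject ids per project rather than globally (not determinable from this hunk), a lookup through that index can return an alias from a different project and so resolve to the wrong `principalId`; it also returns `revoked` rows, because `status` is not part of the key. Resolution code should prefer `by_provider_project_subject` whenever a project id is known and require `status === "active"` on the result. A comment above `indices` saying so, e.g. `// by_provider_subject is not project-scoped and includes revoked aliases; filter before trusting a match`, would make the constraint visible.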
@@ -3053,7 +3326,7 @@ defineTable({
3053
3326
  });
3054
3327
  defineTable({
3055
3328
  name: "mcpWritePolicy",
3056
- component: "identity",
3329
+ component: "control-plane",
3057
3330
  category: "platform",
3058
3331
  shape: z.object({
3059
3332
  "topicId": z.string().optional(),
@@ -3076,7 +3349,7 @@ defineTable({
3076
3349
  });
3077
3350
  defineTable({
3078
3351
  name: "platformAudienceGrants",
3079
- component: "identity",
3352
+ component: "control-plane",
3080
3353
  category: "platform",
3081
3354
  shape: z.object({
3082
3355
  "tenantId": z.string(),
@@ -3102,7 +3375,7 @@ defineTable({
3102
3375
  });
3103
3376
  defineTable({
3104
3377
  name: "platformAudiences",
3105
- component: "identity",
3378
+ component: "control-plane",
3106
3379
  category: "platform",
3107
3380
  shape: z.object({
3108
3381
  "tenantId": z.string(),
@@ -3127,7 +3400,7 @@ defineTable({
3127
3400
  });
3128
3401
  defineTable({
3129
3402
  name: "platformPolicyDecisionLogs",
3130
- component: "identity",
3403
+ component: "control-plane",
3131
3404
  category: "platform",
3132
3405
  shape: z.object({
3133
3406
  "principalId": z.string(),
@@ -3163,7 +3436,7 @@ defineTable({
3163
3436
  });
3164
3437
  defineTable({
3165
3438
  name: "tenantApiKeys",
3166
- component: "identity",
3439
+ component: "control-plane",
3167
3440
  category: "platform",
3168
3441
  shape: z.object({
3169
3442
  "tenantId": z.string(),
@@ -3190,7 +3463,7 @@ defineTable({
3190
3463
  });
3191
3464
  defineTable({
3192
3465
  name: "tenantConfig",
3193
- component: "identity",
3466
+ component: "control-plane",
3194
3467
  category: "platform",
3195
3468
  shape: z.object({
3196
3469
  "tenantId": z.string(),
@@ -3209,7 +3482,7 @@ defineTable({
3209
3482
  });
3210
3483
  defineTable({
3211
3484
  name: "tenantIntegrations",
3212
- component: "identity",
3485
+ component: "control-plane",
3213
3486
  category: "platform",
3214
3487
  shape: z.object({
3215
3488
  "tenantId": z.string(),
@@ -3264,7 +3537,7 @@ defineTable({
3264
3537
  });
3265
3538
  defineTable({
3266
3539
  name: "tenantModelSlotBindings",
3267
- component: "identity",
3540
+ component: "control-plane",
3268
3541
  category: "platform",
3269
3542
  shape: z.object({
3270
3543
  "bindingId": z.string(),
@@ -3292,7 +3565,7 @@ defineTable({
3292
3565
  });
3293
3566
  defineTable({
3294
3567
  name: "tenantPolicies",
3295
- component: "identity",
3568
+ component: "control-plane",
3296
3569
  category: "platform",
3297
3570
  shape: z.object({
3298
3571
  "tenantId": z.string(),
@@ -3317,7 +3590,7 @@ defineTable({
3317
3590
  });
3318
3591
  defineTable({
3319
3592
  name: "tenantProviderSecrets",
3320
- component: "identity",
3593
+ component: "control-plane",
3321
3594
  category: "platform",
3322
3595
  shape: z.object({
3323
3596
  "secretRef": z.string(),
@@ -3348,7 +3621,7 @@ defineTable({
3348
3621
  });
3349
3622
  defineTable({
3350
3623
  name: "tenantProxyGatewayUsage",
3351
- component: "identity",
3624
+ component: "control-plane",
3352
3625
  category: "platform",
3353
3626
  shape: z.object({
3354
3627
  "usageId": z.string(),
@@ -3383,7 +3656,7 @@ defineTable({
3383
3656
  });
3384
3657
  defineTable({
3385
3658
  name: "tenantProxyTokenMints",
3386
- component: "identity",
3659
+ component: "control-plane",
3387
3660
  category: "platform",
3388
3661
  shape: z.object({
3389
3662
  "proxyTokenId": z.string(),
@@ -3406,7 +3679,7 @@ defineTable({
3406
3679
  });
3407
3680
  defineTable({
3408
3681
  name: "tenantSandboxAuditEvents",
3409
- component: "identity",
3682
+ component: "control-plane",
3410
3683
  category: "platform",
3411
3684
  shape: z.object({
3412
3685
  "eventId": z.string(),
@@ -3440,7 +3713,7 @@ defineTable({
3440
3713
  });
3441
3714
  defineTable({
3442
3715
  name: "tenantSecrets",
3443
- component: "identity",
3716
+ component: "control-plane",
3444
3717
  category: "platform",
3445
3718
  shape: z.object({
3446
3719
  "tenantId": z.string(),
@@ -3462,7 +3735,7 @@ defineTable({
3462
3735
  });
3463
3736
  defineTable({
3464
3737
  name: "toolAcls",
3465
- component: "identity",
3738
+ component: "control-plane",
3466
3739
  category: "platform",
3467
3740
  shape: z.object({
3468
3741
  "role": z.enum(["platform_admin", "tenant_admin", "workspace_admin", "editor", "viewer", "auditor", "service_agent"]),
@@ -3477,7 +3750,7 @@ defineTable({
3477
3750
  });
3478
3751
  defineTable({
3479
3752
  name: "toolRegistry",
3480
- component: "identity",
3753
+ component: "control-plane",
3481
3754
  category: "platform",
3482
3755
  shape: z.object({
3483
3756
  "toolName": z.string(),
@@ -3558,7 +3831,7 @@ defineTable({
3558
3831
  });
3559
3832
  defineTable({
3560
3833
  name: "modelCallLogs",
3561
- component: "identity",
3834
+ component: "control-plane",
3562
3835
  category: "model",
3563
3836
  shape: z.object({
3564
3837
  "slot": z.string(),
@@ -3584,7 +3857,7 @@ defineTable({
3584
3857
  });
3585
3858
  defineTable({
3586
3859
  name: "modelFunctionSlots",
3587
- component: "identity",
3860
+ component: "control-plane",
3588
3861
  category: "model",
3589
3862
  shape: z.object({
3590
3863
  "slot": z.string(),
@@ -3609,7 +3882,7 @@ defineTable({
3609
3882
  });
3610
3883
  defineTable({
3611
3884
  name: "modelRegistry",
3612
- component: "identity",
3885
+ component: "control-plane",
3613
3886
  category: "model",
3614
3887
  shape: z.object({
3615
3888
  "key": z.string(),
@@ -3636,7 +3909,7 @@ defineTable({
3636
3909
  });
3637
3910
  defineTable({
3638
3911
  name: "modelSlotConfigs",
3639
- component: "identity",
3912
+ component: "control-plane",
3640
3913
  category: "model",
3641
3914
  shape: z.object({
3642
3915
  "slot": z.string(),
@@ -4023,7 +4296,7 @@ defineTable({
4023
4296
  "workspaceId": idOf("workspaces").optional(),
4024
4297
  "resourceType": z.string(),
4025
4298
  "resourceId": z.string(),
4026
- "action": z.enum(["read", "summarize", "export", "mutate", "admin", "comment", "escalate", "resolve", "vote"]),
4299
+ "action": z.enum(["read", "summarize", "export", "mutate", "admin", "comment", "escalate", "resolve", "vote", "route", "invoke", "manage", "deploy", "promote", "rollback", "audit", "read_ref", "fetch_value", "rotate", "administer", "mint", "delegate", "revoke"]),
4027
4300
  "decision": z.enum(["allow", "deny"]),
4028
4301
  "reasonCode": z.string(),
4029
4302
  "policyVersion": z.string(),
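Review bot: The widened `action` enum now lists `admin`, `administer` and `manage` side by side, and nothing in the hunk says how they differ, so a rule or audit query written against one verb may silently miss decisions recorded under another. A comment above the field would settle it, for example `// action verbs: state which resourceType each verb applies to; "admin", "administer" and "manage" must not overlap`. The table this field belongs to starts outside the hunk, so its name and indices cannot be checked from here.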
@@ -4085,7 +4358,7 @@ defineTable({
4085
4358
  });
4086
4359
  defineTable({
4087
4360
  name: "projectGrants",
4088
- component: "identity",
4361
+ component: "control-plane",
4089
4362
  category: "project",
4090
4363
  shape: z.object({
4091
4364
  "projectId": z.string().optional(),
@@ -4117,9 +4390,648 @@ defineTable({
4117
4390
  { kind: "index", name: "by_topic_cluster_status", columns: ["topicId", "beliefClusterId", "status"] }
4118
4391
  ]
4119
4392
  });
4393
+ var permitActorType = z.enum([
4394
+ "human",
4395
+ "agent",
4396
+ "service_principal",
4397
+ "external_stakeholder",
4398
+ "system"
4399
+ ]);
4400
+ var permitMembershipStatus = z.enum([
4401
+ "active",
4402
+ "invited",
4403
+ "revoked",
4404
+ "suspended",
4405
+ "disabled"
4406
+ ]);
4407
+ var permitDecision = z.enum(["allow", "deny"]);
4408
+ var permitAccessReviewStatus = z.enum([
4409
+ "open",
4410
+ "in_progress",
4411
+ "approved",
4412
+ "denied",
4413
+ "expired",
4414
+ "cancelled"
4415
+ ]);
4416
+ var permitReviewScope = z.enum([
4417
+ "tenant",
4418
+ "workspace",
4419
+ "resource_instance",
4420
+ "group",
4421
+ "principal",
4422
+ "api_key",
4423
+ "admin_action"
4424
+ ]);
4425
+ var permitRecordStatus = z.enum([
4426
+ "queued",
4427
+ "inflight",
4428
+ "completed",
4429
+ "failed",
4430
+ "skipped",
4431
+ "stale"
4432
+ ]);
4433
+ var permitObjectType = z.enum([
4434
+ "resource",
4435
+ "role",
4436
+ "resource_role",
4437
+ "resource_relation",
4438
+ "tenant",
4439
+ "workspace",
4440
+ "principal",
4441
+ "membership",
4442
+ "group",
4443
+ "resource_instance",
4444
+ "relationship_tuple",
4445
+ "role_assignment"
4446
+ ]);
4447
+ var permitOutboxOperation = z.enum([
4448
+ "upsert",
4449
+ "delete",
4450
+ "sync",
4451
+ "resync",
4452
+ "delete_sync",
4453
+ "noop"
4454
+ ]);
4455
+ var permitPolicyBundleStatus = z.enum([
4456
+ "draft",
4457
+ "validated",
4458
+ "enforced",
4459
+ "archived"
4460
+ ]);
4461
+ var permitSyncStatus = z.enum([
4462
+ "pending",
4463
+ "synced",
4464
+ "error",
4465
+ "skipped"
4466
+ ]);
4467
+ var permitAccessReviewSubjectType = z.enum([
4468
+ "principal",
4469
+ "group",
4470
+ "role_assignment",
4471
+ "resource_instance"
4472
+ ]);
4473
+ var permitAttributeType = z.enum([
4474
+ "string",
4475
+ "number",
4476
+ "bool",
4477
+ "json",
4478
+ "time"
4479
+ ]);
4480
+ var permitAttributeOperator = z.enum([
4481
+ "eq",
4482
+ "neq",
4483
+ "in",
4484
+ "not_in",
4485
+ "gt",
4486
+ "gte",
4487
+ "lt",
4488
+ "lte",
4489
+ "contains",
4490
+ "not_contains",
4491
+ "matches"
4492
+ ]);
4493
+ var permitRoleBindingTarget = z.enum([
4494
+ "principal",
4495
+ "group"
4496
+ ]);
4497
+ defineTable({
4498
+ name: "permitPrincipals",
4499
+ component: "control-plane",
4500
+ category: "access-control",
4501
+ shape: z.object({
4502
+ principalId: z.string(),
4503
+ tenantId: z.string(),
4504
+ workspaceId: z.optional(z.string()),
4505
+ principalType: permitActorType,
4506
+ status: permitMembershipStatus,
4507
+ displayName: z.string().optional(),
4508
+ metadata: z.record(z.any()).optional(),
4509
+ createdBy: z.string(),
4510
+ createdAt: z.number(),
4511
+ updatedAt: z.number(),
4512
+ updatedBy: z.string().optional(),
4513
+ lastSeenAt: z.number().optional()
4514
+ }),
4515
+ indices: [
4516
+ { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
4517
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
4518
+ { kind: "index", name: "by_tenant_principalId", columns: ["tenantId", "principalId"] },
4519
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] },
4520
+ {
4521
+ kind: "index",
4522
+ name: "by_tenant_principalType_status",
4523
+ columns: ["tenantId", "principalType", "status"]
4524
+ }
4525
+ ]
4526
+ });
4527
+ defineTable({
4528
+ name: "permitPrincipalAliases",
4529
+ component: "control-plane",
4530
+ category: "access-control",
4531
+ shape: z.object({
4532
+ principalId: z.string(),
4533
+ tenantId: z.string(),
4534
+ workspaceId: z.optional(z.string()),
4535
+ provider: z.string(),
4536
+ providerSubjectId: z.string(),
4537
+ providerProjectId: z.string().optional(),
4538
+ alias: z.string(),
4539
+ aliasKind: z.string(),
4540
+ status: permitMembershipStatus,
4541
+ metadata: z.record(z.any()).optional(),
4542
+ createdBy: z.string(),
4543
+ createdAt: z.number(),
4544
+ updatedAt: z.number(),
4545
+ revokedBy: z.string().optional(),
4546
+ revokedAt: z.number().optional(),
4547
+ updatedBy: z.string().optional()
4548
+ }),
4549
+ indices: [
4550
+ { kind: "index", name: "by_principalId", columns: ["principalId"] },
4551
+ { kind: "index", name: "by_tenant_provider_subject", columns: ["tenantId", "provider", "providerSubjectId"] },
4552
+ {
4553
+ kind: "index",
4554
+ name: "by_tenant_provider_alias",
4555
+ columns: ["tenantId", "provider", "alias"]
4556
+ },
4557
+ { kind: "index", name: "by_tenant_alias", columns: ["tenantId", "alias"] },
4558
+ {
4559
+ kind: "index",
4560
+ name: "by_tenant_provider_status",
4561
+ columns: ["tenantId", "provider", "status"]
4562
+ }
4563
+ ]
4564
+ });
4565
+ defineTable({
4566
+ name: "permitGroups",
4567
+ component: "control-plane",
4568
+ category: "access-control",
4569
+ shape: z.object({
4570
+ tenantId: z.string(),
4571
+ workspaceId: z.optional(z.string()),
4572
+ groupId: z.string(),
4573
+ groupKey: z.string(),
4574
+ groupName: z.string(),
4575
+ groupType: z.enum(["tenant", "workspace", "external", "system", "dynamic"]),
4576
+ status: permitMembershipStatus,
4577
+ description: z.string().optional(),
4578
+ metadata: z.record(z.any()).optional(),
4579
+ createdBy: z.string(),
4580
+ createdAt: z.number(),
4581
+ updatedAt: z.number(),
4582
+ updatedBy: z.string().optional()
4583
+ }),
4584
+ indices: [
4585
+ { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
4586
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
4587
+ { kind: "index", name: "by_tenant_groupId", columns: ["tenantId", "groupId"] },
4588
+ { kind: "index", name: "by_tenant_groupKey", columns: ["tenantId", "groupKey"] },
4589
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] }
4590
+ ]
4591
+ });
4592
+ defineTable({
4593
+ name: "permitGroupMemberships",
4594
+ component: "control-plane",
4595
+ category: "access-control",
4596
+ shape: z.object({
4597
+ tenantId: z.string(),
4598
+ workspaceId: z.optional(z.string()),
4599
+ groupId: z.string(),
4600
+ memberType: z.enum(["principal", "group"]),
4601
+ memberId: z.string(),
4602
+ principalId: z.string().optional(),
4603
+ childGroupId: z.string().optional(),
4604
+ status: permitMembershipStatus,
4605
+ addedBy: z.string().optional(),
4606
+ revokedBy: z.string().optional(),
4607
+ expiresAt: z.number().optional(),
4608
+ revocationReason: z.string().optional(),
4609
+ metadata: z.record(z.any()).optional(),
4610
+ createdAt: z.number(),
4611
+ updatedAt: z.number(),
4612
+ updatedBy: z.string().optional()
4613
+ }),
4614
+ indices: [
4615
+ { kind: "index", name: "by_tenant_principal", columns: ["tenantId", "principalId"] },
4616
+ { kind: "index", name: "by_tenant_member", columns: ["tenantId", "memberType", "memberId"] },
4617
+ {
4618
+ kind: "index",
4619
+ name: "by_tenant_member_group",
4620
+ columns: ["tenantId", "memberType", "memberId", "groupId"]
4621
+ },
4622
+ { kind: "index", name: "by_tenant_group", columns: ["tenantId", "groupId"] },
4623
+ { kind: "index", name: "by_member_group", columns: ["memberType", "memberId", "groupId"] },
4624
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] },
4625
+ {
4626
+ kind: "index",
4627
+ name: "by_workspace_principal",
4628
+ columns: ["workspaceId", "principalId"]
4629
+ }
4630
+ ]
4631
+ });
4632
+ defineTable({
4633
+ name: "permitResourceInstances",
4634
+ component: "control-plane",
4635
+ category: "access-control",
4636
+ shape: z.object({
4637
+ tenantId: z.string(),
4638
+ workspaceId: z.optional(z.string()),
4639
+ resourceType: z.string(),
4640
+ resourceKey: z.string(),
4641
+ resourceId: z.string(),
4642
+ status: z.enum(["active", "deleted", "archived"]),
4643
+ attributes: z.record(z.any()).optional(),
4644
+ ownerPrincipalId: z.string().optional(),
4645
+ metadata: z.record(z.any()).optional(),
4646
+ createdBy: z.string(),
4647
+ updatedBy: z.string().optional(),
4648
+ createdAt: z.number(),
4649
+ updatedAt: z.number()
4650
+ }),
4651
+ indices: [
4652
+ {
4653
+ kind: "index",
4654
+ name: "by_tenant_resource_type",
4655
+ columns: ["tenantId", "resourceType"]
4656
+ },
4657
+ {
4658
+ kind: "index",
4659
+ name: "by_tenant_resource_key",
4660
+ columns: ["tenantId", "resourceType", "resourceKey"]
4661
+ },
4662
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
4663
+ { kind: "index", name: "by_status", columns: ["status"] },
4664
+ {
4665
+ kind: "index",
4666
+ name: "by_tenant_status",
4667
+ columns: ["tenantId", "status"]
4668
+ },
4669
+ {
4670
+ kind: "index",
4671
+ name: "by_ownerPrincipalId",
4672
+ columns: ["ownerPrincipalId"]
4673
+ }
4674
+ ]
4675
+ });
4676
+ defineTable({
4677
+ name: "permitRoleAssignments",
4678
+ component: "control-plane",
4679
+ category: "access-control",
4680
+ shape: z.object({
4681
+ tenantId: z.string(),
4682
+ workspaceId: z.optional(z.string()),
4683
+ role: z.string(),
4684
+ targetType: permitRoleBindingTarget,
4685
+ targetId: z.string(),
4686
+ resourceType: z.string(),
4687
+ resourceKey: z.string(),
4688
+ resourceInstanceId: z.string().optional(),
4689
+ status: permitMembershipStatus,
4690
+ expiresAt: z.number().optional(),
4691
+ attributes: z.record(z.any()).optional(),
4692
+ grantedBy: z.string().optional(),
4693
+ updatedBy: z.string().optional(),
4694
+ revokedBy: z.string().optional(),
4695
+ createdAt: z.number(),
4696
+ updatedAt: z.number()
4697
+ }),
4698
+ indices: [
4699
+ {
4700
+ kind: "index",
4701
+ name: "by_tenant_target",
4702
+ columns: ["tenantId", "targetType", "targetId"]
4703
+ },
4704
+ {
4705
+ kind: "index",
4706
+ name: "by_tenant_resource",
4707
+ columns: ["tenantId", "resourceType", "resourceKey"]
4708
+ },
4709
+ {
4710
+ kind: "index",
4711
+ name: "by_tenant_role",
4712
+ columns: ["tenantId", "role", "status"]
4713
+ },
4714
+ { kind: "index", name: "by_status", columns: ["status"] },
4715
+ {
4716
+ kind: "index",
4717
+ name: "by_workspace_resource",
4718
+ columns: ["workspaceId", "resourceType", "resourceKey"]
4719
+ }
4720
+ ]
4721
+ });
4722
+ defineTable({
4723
+ name: "permitRelationshipTuples",
4724
+ component: "control-plane",
4725
+ category: "access-control",
4726
+ shape: z.object({
4727
+ tenantId: z.string(),
4728
+ workspaceId: z.optional(z.string()),
4729
+ relation: z.string(),
4730
+ subject: z.string(),
4731
+ object: z.string(),
4732
+ resourceType: z.string().optional(),
4733
+ resourceKey: z.string().optional(),
4734
+ status: permitRecordStatus,
4735
+ attributes: z.record(z.any()).optional(),
4736
+ createdBy: z.string(),
4737
+ createdAt: z.number(),
4738
+ updatedAt: z.number(),
4739
+ lastSeenAt: z.number().optional(),
4740
+ updatedBy: z.string().optional()
4741
+ }),
4742
+ indices: [
4743
+ { kind: "index", name: "by_tenant_subject", columns: ["tenantId", "subject"] },
4744
+ { kind: "index", name: "by_tenant_object", columns: ["tenantId", "object"] },
4745
+ { kind: "index", name: "by_tenant_relation", columns: ["tenantId", "relation"] },
4746
+ {
4747
+ kind: "index",
4748
+ name: "by_tenant_relation_subject",
4749
+ columns: ["tenantId", "relation", "subject"]
4750
+ },
4751
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] }
4752
+ ]
4753
+ });
4754
+ defineTable({
4755
+ name: "permitAttributeBindings",
4756
+ component: "control-plane",
4757
+ category: "access-control",
4758
+ shape: z.object({
4759
+ tenantId: z.string(),
4760
+ workspaceId: z.optional(z.string()),
4761
+ targetType: permitRoleBindingTarget,
4762
+ targetId: z.string(),
4763
+ attributeName: z.string(),
4764
+ attributeType: permitAttributeType,
4765
+ attributeOperator: permitAttributeOperator,
4766
+ attributeValue: z.any(),
4767
+ status: permitRecordStatus,
4768
+ source: z.string().optional(),
4769
+ sourceRef: z.string().optional(),
4770
+ metadata: z.record(z.any()).optional(),
4771
+ createdAt: z.number(),
4772
+ updatedAt: z.number(),
4773
+ createdBy: z.string(),
4774
+ updatedBy: z.string().optional(),
4775
+ expiresAt: z.number().optional()
4776
+ }),
4777
+ indices: [
4778
+ {
4779
+ kind: "index",
4780
+ name: "by_tenant_target",
4781
+ columns: ["tenantId", "targetType", "targetId"]
4782
+ },
4783
+ {
4784
+ kind: "index",
4785
+ name: "by_tenant_target_attribute",
4786
+ columns: ["tenantId", "targetType", "targetId", "attributeName"]
4787
+ },
4788
+ {
4789
+ kind: "index",
4790
+ name: "by_tenant_name",
4791
+ columns: ["tenantId", "attributeName"]
4792
+ },
4793
+ {
4794
+ kind: "index",
4795
+ name: "by_tenant_status",
4796
+ columns: ["tenantId", "status"]
4797
+ }
4798
+ ]
4799
+ });
4800
+ defineTable({
4801
+ name: "permitPolicyBundles",
4802
+ component: "control-plane",
4803
+ category: "access-control",
4804
+ shape: z.object({
4805
+ tenantId: z.string(),
4806
+ workspaceId: z.optional(z.string()),
4807
+ bundleKey: z.string(),
4808
+ version: z.number(),
4809
+ status: permitPolicyBundleStatus,
4810
+ policyHash: z.string().optional(),
4811
+ policyPayload: z.record(z.any()),
4812
+ metadata: z.record(z.any()).optional(),
4813
+ createdBy: z.string(),
4814
+ reviewedBy: z.string().optional(),
4815
+ createdAt: z.number(),
4816
+ updatedAt: z.number(),
4817
+ retiredAt: z.number().optional()
4818
+ }),
4819
+ indices: [
4820
+ { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
4821
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
4822
+ {
4823
+ kind: "index",
4824
+ name: "by_tenant_bundleKey",
4825
+ columns: ["tenantId", "bundleKey"]
4826
+ },
4827
+ {
4828
+ kind: "index",
4829
+ name: "by_tenant_bundle_version",
4830
+ columns: ["tenantId", "bundleKey", "version"]
4831
+ },
4832
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] }
4833
+ ]
4834
+ });
4835
+ defineTable({
4836
+ name: "permitProjectionOutbox",
4837
+ component: "control-plane",
4838
+ category: "access-control",
4839
+ shape: z.object({
4840
+ syncKey: z.string(),
4841
+ objectType: permitObjectType,
4842
+ objectId: z.string(),
4843
+ operation: permitOutboxOperation,
4844
+ payload: z.record(z.any()),
4845
+ status: permitRecordStatus,
4846
+ attemptCount: z.number(),
4847
+ nextAttemptAt: z.number().optional(),
4848
+ lastError: z.string().optional(),
4849
+ tenantId: z.string().optional(),
4850
+ workspaceId: z.optional(z.string()),
4851
+ principalId: z.string().optional(),
4852
+ permitTenantKey: z.string().optional(),
4853
+ permitResourceType: z.string().optional(),
4854
+ permitResourceKey: z.string().optional(),
4855
+ createdAt: z.number(),
4856
+ updatedAt: z.number(),
4857
+ lastHandledAt: z.number().optional()
4858
+ }),
4859
+ indices: [
4860
+ { kind: "index", name: "by_syncKey", columns: ["syncKey"] },
4861
+ { kind: "index", name: "by_status", columns: ["status"] },
4862
+ { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
4863
+ {
4864
+ kind: "index",
4865
+ name: "by_tenant_status",
4866
+ columns: ["tenantId", "status"]
4867
+ },
4868
+ {
4869
+ kind: "index",
4870
+ name: "by_objectType",
4871
+ columns: ["objectType", "status"]
4872
+ }
4873
+ ]
4874
+ });
4875
+ defineTable({
4876
+ name: "tenantPermitSyncStates",
4877
+ component: "control-plane",
4878
+ category: "access-control",
4879
+ shape: z.object({
4880
+ syncKey: z.string(),
4881
+ objectType: permitObjectType,
4882
+ objectId: z.string(),
4883
+ tenantId: z.string().optional(),
4884
+ workspaceId: z.string().optional(),
4885
+ principalId: z.string().optional(),
4886
+ permitTenantKey: z.string().optional(),
4887
+ permitResourceType: z.string().optional(),
4888
+ permitResourceKey: z.string().optional(),
4889
+ desiredPayload: z.record(z.any()),
4890
+ lastAppliedPayloadHash: z.string().optional(),
4891
+ status: permitSyncStatus,
4892
+ attemptCount: z.number(),
4893
+ lastError: z.string().optional(),
4894
+ nextAttemptAt: z.number().optional(),
4895
+ lastSyncedAt: z.number().optional(),
4896
+ createdBy: z.string(),
4897
+ updatedBy: z.string().optional(),
4898
+ createdAt: z.number(),
4899
+ updatedAt: z.number()
4900
+ }),
4901
+ indices: [
4902
+ { kind: "index", name: "by_syncKey", columns: ["syncKey"] },
4903
+ { kind: "index", name: "by_status", columns: ["status"] },
4904
+ {
4905
+ kind: "index",
4906
+ name: "by_tenant_status",
4907
+ columns: ["tenantId", "status"]
4908
+ },
4909
+ {
4910
+ kind: "index",
4911
+ name: "by_workspace_status",
4912
+ columns: ["workspaceId", "status"]
4913
+ },
4914
+ {
4915
+ kind: "index",
4916
+ name: "by_principal_status",
4917
+ columns: ["principalId", "status"]
4918
+ }
4919
+ ]
4920
+ });
4921
+ defineTable({
4922
+ name: "permitPolicyDecisionReceipts",
4923
+ component: "control-plane",
4924
+ category: "access-control",
4925
+ shape: z.object({
4926
+ tenantId: z.string().optional(),
4927
+ workspaceId: z.string().optional(),
4928
+ principalId: z.string(),
4929
+ subjectType: permitAccessReviewSubjectType.optional(),
4930
+ subjectId: z.string().optional(),
4931
+ resourceType: z.string(),
4932
+ resourceId: z.string(),
4933
+ action: z.string(),
4934
+ decision: permitDecision,
4935
+ reasonCode: z.string(),
4936
+ policyBundleId: z.string().optional(),
4937
+ policyVersion: z.string(),
4938
+ traceId: z.string().optional(),
4939
+ requestId: z.string().optional(),
4940
+ audienceMode: z.string().optional(),
4941
+ audienceKey: z.string().optional(),
4942
+ audienceClass: z.enum(["internal", "restricted_external", "public"]).optional(),
4943
+ metadata: z.record(z.any()).optional(),
4944
+ createdAt: z.number(),
4945
+ expiresAt: z.number().optional(),
4946
+ createdBy: z.string().optional()
4947
+ }),
4948
+ indices: [
4949
+ { kind: "index", name: "by_principal_createdAt", columns: ["principalId", "createdAt"] },
4950
+ { kind: "index", name: "by_tenant_createdAt", columns: ["tenantId", "createdAt"] },
4951
+ { kind: "index", name: "by_resource", columns: ["resourceType", "resourceId"] },
4952
+ { kind: "index", name: "by_decision_createdAt", columns: ["decision", "createdAt"] },
4953
+ { kind: "index", name: "by_traceId", columns: ["traceId"] },
4954
+ { kind: "index", name: "by_action", columns: ["action"] }
4955
+ ]
4956
+ });
4957
+ defineTable({
4958
+ name: "permitAccessReviews",
4959
+ component: "control-plane",
4960
+ category: "access-control",
4961
+ shape: z.object({
4962
+ tenantId: z.string(),
4963
+ workspaceId: z.optional(z.string()),
4964
+ reviewKey: z.string(),
4965
+ scope: permitReviewScope,
4966
+ status: permitAccessReviewStatus,
4967
+ subjectType: permitAccessReviewSubjectType,
4968
+ subjectId: z.string(),
4969
+ resourceType: z.string().optional(),
4970
+ resourceKey: z.string().optional(),
4971
+ outcome: z.enum(["allow", "deny"]).optional(),
4972
+ requestedBy: z.string(),
4973
+ reviewedBy: z.string().optional(),
4974
+ requestedAt: z.number(),
4975
+ reviewedAt: z.number().optional(),
4976
+ dueAt: z.number().optional(),
4977
+ justification: z.string().optional(),
4978
+ rationale: z.string().optional(),
4979
+ policyBundleId: z.string().optional(),
4980
+ metadata: z.record(z.any()).optional(),
4981
+ createdAt: z.number(),
4982
+ updatedAt: z.number()
4983
+ }),
4984
+ indices: [
4985
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] },
4986
+ { kind: "index", name: "by_tenant_reviewKey", columns: ["tenantId", "reviewKey"] },
4987
+ { kind: "index", name: "by_subject", columns: ["subjectType", "subjectId"] },
4988
+ {
4989
+ kind: "index",
4990
+ name: "by_tenant_subject",
4991
+ columns: ["tenantId", "subjectType", "subjectId"]
4992
+ },
4993
+ { kind: "index", name: "by_outcome", columns: ["outcome"] },
4994
+ {
4995
+ kind: "index",
4996
+ name: "by_workspace_status",
4997
+ columns: ["workspaceId", "status"]
4998
+ }
4999
+ ]
5000
+ });
5001
+ defineTable({
5002
+ name: "permitAccessReviewItems",
5003
+ component: "control-plane",
5004
+ category: "access-control",
5005
+ shape: z.object({
5006
+ reviewKey: z.string(),
5007
+ itemKey: z.string(),
5008
+ tenantId: z.string(),
5009
+ workspaceId: z.string().optional(),
5010
+ subjectType: permitAccessReviewSubjectType,
5011
+ subjectId: z.string(),
5012
+ resourceType: z.string().optional(),
5013
+ resourceKey: z.string().optional(),
5014
+ role: z.string().optional(),
5015
+ relation: z.string().optional(),
5016
+ status: z.enum(["open", "approved", "revoked", "changed", "deferred"]),
5017
+ reviewerId: z.string().optional(),
5018
+ decisionAt: z.number().optional(),
5019
+ rationale: z.string().optional(),
5020
+ metadata: z.record(z.any()).optional(),
5021
+ createdAt: z.number(),
5022
+ updatedAt: z.number()
5023
+ }),
5024
+ indices: [
5025
+ { kind: "index", name: "by_reviewKey", columns: ["reviewKey"] },
5026
+ { kind: "index", name: "by_tenant_reviewKey", columns: ["tenantId", "reviewKey"] },
5027
+ { kind: "index", name: "by_tenant_itemKey", columns: ["tenantId", "itemKey"] },
5028
+ { kind: "index", name: "by_subject", columns: ["subjectType", "subjectId"] },
5029
+ { kind: "index", name: "by_status", columns: ["status"] }
5030
+ ]
5031
+ });
4120
5032
  defineTable({
4121
5033
  name: "reasoningPermissions",
4122
- component: "identity",
5034
+ component: "control-plane",
4123
5035
  category: "epistemic",
4124
5036
  shape: z.object({
4125
5037
  "topicId": z.string().optional(),
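Review bot: `permitPolicyDecisionReceipts` reads as the record of allow/deny decisions, yet it declares `tenantId: z.string().optional()` and `action: z.string()`. A receipt can therefore be stored without a tenant, which `by_tenant_createdAt` cannot attribute to one, and with a verb outside the `"action": z.enum([...])` list used by the decision table in the earlier hunk. If tenant-less receipts are meant only for the `system` actor type, say so in a comment above the field; otherwise make it required with `tenantId: z.string(),` and reuse the action enum. In `permitAttributeBindings`, `attributeValue: z.any()` is not tied to `attributeType`, so an ordering operator such as `gt` can be saved against a value of the wrong kind; narrowing the value to what the five attribute types allow would reject malformed bindings at write time. How `defineTable` consumers enforce these shapes is not visible in the hunk.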
@@ -4366,7 +5278,7 @@ defineTable({
4366
5278
  });
4367
5279
  defineTable({
4368
5280
  name: "users",
4369
- component: "identity",
5281
+ component: "control-plane",
4370
5282
  category: "user",
4371
5283
  shape: z.object({
4372
5284
  "clerkId": z.string(),
@@ -4480,7 +5392,6 @@ defineTable({
4480
5392
  "deployments": z.record(z.object({
4481
5393
  "url": z.string(),
4482
5394
  "target": z.enum(["kernelDeployment", "appDeployment"]).optional(),
4483
- "encryptedDeployKey": z.string().optional(),
4484
5395
  "credentialRef": z.string().optional()
4485
5396
  })).optional(),
4486
5397
  "metadata": z.record(z.any()).optional(),
@@ -4495,6 +5406,39 @@ defineTable({
4495
5406
  { kind: "index", name: "by_status", columns: ["status"] }
4496
5407
  ]
4497
5408
  });
5409
+ defineTable({
5410
+ name: "deploymentHosts",
5411
+ component: "mc",
5412
+ category: "workspace",
5413
+ shape: z.object({
5414
+ "host": z.string(),
5415
+ "tenantId": idOf("tenants"),
5416
+ "workspaceId": idOf("workspaces"),
5417
+ "environment": z.enum(["dev", "staging", "prod"]),
5418
+ "target": z.enum(["kernelDeployment", "appDeployment"]),
5419
+ "deploymentUrl": z.string().optional(),
5420
+ "deploymentName": z.string().optional(),
5421
+ "vercelProjectName": z.string().optional(),
5422
+ "vercelProjectId": z.string().optional(),
5423
+ "vercelEnvironment": z.enum(["development", "preview", "staging", "production"]).optional(),
5424
+ "source": z.enum(["vercel_preview", "vercel_production", "vercel_custom_environment", "custom_domain", "manual"]),
5425
+ "status": z.enum(["active", "revoked"]),
5426
+ "metadata": z.record(z.any()).optional(),
5427
+ "createdBy": z.string(),
5428
+ "createdAt": z.number(),
5429
+ "updatedAt": z.number(),
5430
+ "revokedAt": z.number().optional(),
5431
+ "revokedBy": z.string().optional()
5432
+ }),
5433
+ indices: [
5434
+ { kind: "index", name: "by_host", columns: ["host"] },
5435
+ { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
5436
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
5437
+ { kind: "index", name: "by_tenant_workspace_environment", columns: ["tenantId", "workspaceId", "environment"] },
5438
+ { kind: "index", name: "by_workspace_status", columns: ["workspaceId", "status"] },
5439
+ { kind: "index", name: "by_status", columns: ["status"] }
5440
+ ]
5441
+ });
4498
5442
  defineTable({
4499
5443
  name: "worktreeBeliefCluster",
4500
5444
  component: "kernel",
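Review bot: `"host": z.string()` is the key of the `by_host` index and appears to bind a hostname to a tenant and workspace, but the shape accepts any string, so case variants, a trailing dot or a value carrying a port would be stored as distinct hosts. Constraining it in the schema, e.g. `"host": z.string().min(1).max(253).regex(/^[a-z0-9.-]+$/),`, keeps the mapping canonical. Readers of `by_host` presumably also need to check `status`, since `revokedAt`/`revokedBy` suggest revoked rows stay in the table. `component: "mc"` deserves a second look as well: the manifest schema changed later in this diff lists only `"kernel"` and `"control-plane"` for `componentName`, though whether that schema covers this table is not visible here.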
@@ -4802,8 +5746,8 @@ defineTable({
4802
5746
  });
4803
5747
  z.object({
4804
5748
  manifestVersion: z.string(),
4805
- componentName: z.enum(["kernel", "identity"]),
4806
- tier: z.enum(["K", "I"]),
5749
+ componentName: z.enum(["kernel", "control-plane"]),
5750
+ tier: z.enum(["K", "CP"]),
4807
5751
  packageVersion: z.string(),
4808
5752
  tables: z.array(
4809
5753
  z.object({
@@ -4929,129 +5873,994 @@ var edgePolicyManifest = {
4929
5873
  // ../contracts/src/tenant-client.contract.ts
4930
5874
  var TENANT_CLIENT_INSTALLABLE_PACKAGES = [
4931
5875
  {
4932
- packageName: "@lucern/access-control",
4933
- role: "runtime_entrypoint",
4934
- directTenantImport: true
5876
+ packageName: "@lucern/access-control",
5877
+ role: "runtime_entrypoint",
5878
+ directTenantImport: true
5879
+ },
5880
+ {
5881
+ packageName: "@lucern/agent",
5882
+ role: "platform_runtime",
5883
+ directTenantImport: false
5884
+ },
5885
+ {
5886
+ packageName: "@lucern/auth",
5887
+ role: "sdk_dependency",
5888
+ directTenantImport: false
5889
+ },
5890
+ {
5891
+ packageName: "@lucern/cli",
5892
+ role: "developer_tool",
5893
+ directTenantImport: false
5894
+ },
5895
+ {
5896
+ packageName: "@lucern/client-core",
5897
+ role: "sdk_dependency",
5898
+ directTenantImport: false
5899
+ },
5900
+ {
5901
+ packageName: "@lucern/confidence",
5902
+ role: "sdk_dependency",
5903
+ directTenantImport: false
5904
+ },
5905
+ {
5906
+ packageName: "@lucern/config",
5907
+ role: "configuration",
5908
+ directTenantImport: false
5909
+ },
5910
+ {
5911
+ packageName: "@lucern/contracts",
5912
+ role: "contract_entrypoint",
5913
+ directTenantImport: true
5914
+ },
5915
+ {
5916
+ packageName: "@lucern/control-plane",
5917
+ role: "component_runtime",
5918
+ directTenantImport: false
5919
+ },
5920
+ {
5921
+ packageName: "@lucern/developer-kit",
5922
+ role: "developer_tool",
5923
+ directTenantImport: false
5924
+ },
5925
+ {
5926
+ packageName: "@lucern/events",
5927
+ role: "sdk_dependency",
5928
+ directTenantImport: false
5929
+ },
5930
+ {
5931
+ packageName: "@lucern/graph-primitives",
5932
+ role: "sdk_dependency",
5933
+ directTenantImport: false
5934
+ },
5935
+ {
5936
+ packageName: "@lucern/graph-sync",
5937
+ role: "host_addon_runtime",
5938
+ directTenantImport: true
5939
+ },
5940
+ {
5941
+ packageName: "@lucern/mcp",
5942
+ role: "runtime_entrypoint",
5943
+ directTenantImport: true
5944
+ },
5945
+ {
5946
+ packageName: "@lucern/pack-host",
5947
+ role: "platform_runtime",
5948
+ directTenantImport: false
5949
+ },
5950
+ {
5951
+ packageName: "@lucern/pack-installer",
5952
+ role: "developer_tool",
5953
+ directTenantImport: false
5954
+ },
5955
+ {
5956
+ packageName: "@lucern/proof-compiler",
5957
+ role: "developer_tool",
5958
+ directTenantImport: false
5959
+ },
5960
+ {
5961
+ packageName: "@lucern/react",
5962
+ role: "runtime_entrypoint",
5963
+ directTenantImport: true
5964
+ },
5965
+ {
5966
+ packageName: "@lucern/reasoning-kernel",
5967
+ role: "component_runtime",
5968
+ directTenantImport: false
5969
+ },
5970
+ {
5971
+ packageName: "@lucern/sdk",
5972
+ role: "runtime_entrypoint",
5973
+ directTenantImport: true
5974
+ },
5975
+ {
5976
+ packageName: "@lucern/secrets",
5977
+ role: "sdk_dependency",
5978
+ directTenantImport: false
5979
+ },
5980
+ {
5981
+ packageName: "@lucern/server-core",
5982
+ role: "platform_runtime",
5983
+ directTenantImport: false
5984
+ },
5985
+ {
5986
+ packageName: "@lucern/testing",
5987
+ role: "test_support",
5988
+ directTenantImport: false
5989
+ },
5990
+ {
5991
+ packageName: "@lucern/types",
5992
+ role: "contract_entrypoint",
5993
+ directTenantImport: true
5994
+ }
5995
+ ];
5996
+ TENANT_CLIENT_INSTALLABLE_PACKAGES.map(
5997
+ (entry) => entry.packageName
5998
+ );
5999
+
6000
+ // ../contracts/src/infisical-runtime.contract.ts
6001
+ var INFISICAL_TENANT_SOFTWARE_SYSTEMS = [
6002
+ {
6003
+ id: "stack-frontend",
6004
+ tenantKey: "stack",
6005
+ workspaceKey: "frontend",
6006
+ vercelProjectName: "ai-chatbot-diao",
6007
+ vercelTeamId: "team_mZBKwvXSSu7qxrWdg2go29sK",
6008
+ vercelProjectId: "prj_PihFw8kohSSw14nZs9YQV3xVo517",
6009
+ repository: {
6010
+ owner: "stack-vc",
6011
+ name: "front-end"
6012
+ },
6013
+ sharedSourcePath: "/tenants/stack",
6014
+ sharedVariablePolicy: "tenant_shared_all_systems",
6015
+ convex: {
6016
+ urlEnv: "CONVEX_FRONTEND_URL",
6017
+ deployKeyEnv: "CONVEX_FRONTEND_DEPLOY_KEY",
6018
+ preprodDeployment: "rugged-lobster-664",
6019
+ prodDeployment: "wonderful-toucan-0"
6020
+ }
6021
+ },
6022
+ {
6023
+ id: "stackos",
6024
+ tenantKey: "stack",
6025
+ workspaceKey: "stackos",
6026
+ vercelProjectName: "stackos",
6027
+ vercelTeamId: "team_mZBKwvXSSu7qxrWdg2go29sK",
6028
+ vercelProjectId: "prj_rXLAL0Z6v9p1fasKbomby6GI7kau",
6029
+ repository: {
6030
+ owner: "stack-vc",
6031
+ name: "stackos"
6032
+ },
6033
+ sharedSourcePath: "/tenants/stack",
6034
+ sharedVariablePolicy: "tenant_shared_all_systems",
6035
+ convex: {
6036
+ urlEnv: "CONVEX_STACKOS_URL",
6037
+ deployKeyEnv: "CONVEX_STACKOS_DEPLOY_KEY",
6038
+ preprodDeployment: "giant-mandrill-761",
6039
+ prodDeployment: "good-snake-515"
6040
+ }
6041
+ },
6042
+ {
6043
+ id: "stack-eng",
6044
+ tenantKey: "stack",
6045
+ workspaceKey: "engineering",
6046
+ vercelProjectName: "stackos-engineering-graph",
6047
+ vercelTeamId: "team_mZBKwvXSSu7qxrWdg2go29sK",
6048
+ vercelProjectId: "prj_zAU0Zn9GkbHjHI63dxW4vLpmoqTJ",
6049
+ repository: {
6050
+ owner: "stack-vc",
6051
+ name: "stackos-engineering-graph"
6052
+ },
6053
+ sharedSourcePath: "/tenants/stack/engineering",
6054
+ sharedVariablePolicy: "tenant_shared_all_systems",
6055
+ convex: {
6056
+ urlEnv: "CONVEX_STACK_ENG_URL",
6057
+ deployKeyEnv: "CONVEX_STACK_ENG_DEPLOY_KEY",
6058
+ preprodDeployment: "small-oyster-270",
6059
+ prodDeployment: "bold-cuttlefish-804"
6060
+ }
6061
+ },
6062
+ {
6063
+ id: "lucern-graph",
6064
+ tenantKey: "lucern",
6065
+ workspaceKey: "lucern",
6066
+ vercelProjectName: "lucern-graph",
6067
+ vercelTeamId: "team_vTHxxs8GAoAFUe6RWMlYt7fY",
6068
+ vercelProjectId: "prj_KJ8EKV8vGM5xURpqmwTwmECEGPgQ",
6069
+ repository: {
6070
+ owner: "LucernAI",
6071
+ name: "lucern-graph"
6072
+ },
6073
+ sharedSourcePath: "/tenants/lucern/shared",
6074
+ sharedVariablePolicy: "tenant_shared_all_systems",
6075
+ convex: {
6076
+ urlEnv: "CONVEX_LUCERN_URL",
6077
+ deployKeyEnv: "CONVEX_LUCERN_DEPLOY_KEY",
6078
+ preprodDeployment: "good-blackbird-774",
6079
+ prodDeployment: "precious-dog-365"
6080
+ }
6081
+ }
6082
+ ];
6083
+ var TENANT_SHARED_SECRET_DEFINITION_TEMPLATES = [
6084
+ {
6085
+ idSuffix: "clerk.publishable",
6086
+ canonicalName: "NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY",
6087
+ aliases: ["CLERK_PUBLISHABLE_KEY"],
6088
+ required: true,
6089
+ secret: false,
6090
+ public: true,
6091
+ description: "Tenant-owned Clerk browser key. For Stack this is the master clerk.stack.vc project shared by front-end, StackOS, and the engineering workspace."
6092
+ },
6093
+ {
6094
+ idSuffix: "clerk.secret",
6095
+ canonicalName: "CLERK_SECRET_KEY",
6096
+ required: true,
6097
+ secret: true,
6098
+ public: false,
6099
+ description: "Tenant-owned Clerk backend secret used only by that tenant's server runtimes."
6100
+ },
6101
+ {
6102
+ idSuffix: "clerk.project",
6103
+ canonicalName: "CLERK_PROJECT_ID",
6104
+ required: true,
6105
+ secret: false,
6106
+ public: false,
6107
+ description: "Tenant-owned Clerk project id used to resolve canonical Clerk aliases."
6108
+ },
6109
+ {
6110
+ idSuffix: "clerk.jwks",
6111
+ canonicalName: "CLERK_JWT_ISSUER_DOMAIN",
6112
+ aliases: ["CLERK_ISSUER_URL", "CLERK_JWKS_URL"],
6113
+ required: false,
6114
+ secret: false,
6115
+ public: false,
6116
+ description: "Tenant Clerk issuer/JWKS URL consumed by Convex auth.config.ts."
6117
+ },
6118
+ {
6119
+ idSuffix: "clerk.jwt-key",
6120
+ canonicalName: "CLERK_JWT_KEY",
6121
+ required: false,
6122
+ secret: true,
6123
+ public: false,
6124
+ description: "Tenant Clerk JWT public verification key used by bearer-token API routes."
6125
+ },
6126
+ {
6127
+ idSuffix: "clerk.authorized-parties",
6128
+ canonicalName: "CLERK_AUTHORIZED_PARTIES",
6129
+ aliases: ["CLERK_MOBILE_AUTHORIZED_PARTIES"],
6130
+ required: false,
6131
+ secret: false,
6132
+ public: false,
6133
+ description: "Comma-separated Clerk authorized parties for browser and mobile bearer-token validation."
6134
+ },
6135
+ {
6136
+ idSuffix: "clerk.sign-in-url",
6137
+ canonicalName: "NEXT_PUBLIC_CLERK_SIGN_IN_URL",
6138
+ required: false,
6139
+ secret: false,
6140
+ public: true,
6141
+ description: "Tenant Clerk sign-in route for custom app login surfaces."
6142
+ },
6143
+ {
6144
+ idSuffix: "clerk.sign-up-url",
6145
+ canonicalName: "NEXT_PUBLIC_CLERK_SIGN_UP_URL",
6146
+ required: false,
6147
+ secret: false,
6148
+ public: true,
6149
+ description: "Tenant Clerk sign-up route for custom app login surfaces."
6150
+ }
6151
+ ];
6152
+ INFISICAL_TENANT_SOFTWARE_SYSTEMS.flatMap(
6153
+ (system) => TENANT_SHARED_SECRET_DEFINITION_TEMPLATES.map(
6154
+ (template) => ({
6155
+ id: `tenant.${system.id}.${template.idSuffix}`,
6156
+ canonicalName: template.canonicalName,
6157
+ aliases: "aliases" in template ? template.aliases : void 0,
6158
+ owner: "tenant",
6159
+ scope: "tenant",
6160
+ sourcePath: system.sharedSourcePath,
6161
+ environmentPolicy: "environment_specific",
6162
+ required: template.required,
6163
+ secret: template.secret,
6164
+ public: template.public,
6165
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
6166
+ destinations: [
6167
+ {
6168
+ kind: "vercel",
6169
+ target: system.vercelProjectName,
6170
+ environmentPolicy: "preprod_staging_prod_prod"
6171
+ },
6172
+ {
6173
+ kind: "convex",
6174
+ target: `${system.convex.preprodDeployment}|${system.convex.prodDeployment}`,
6175
+ environmentPolicy: "preprod_staging_prod_prod"
6176
+ }
6177
+ ],
6178
+ description: `${system.tenantKey}/${system.workspaceKey}: ${template.description}`
6179
+ })
6180
+ )
6181
+ );
6182
+ INFISICAL_TENANT_SOFTWARE_SYSTEMS.map(
6183
+ (system) => ({
6184
+ id: `tenant.${system.id}.install-lucern-npm`,
6185
+ canonicalName: "INSTALL_LUCERN_NPM",
6186
+ owner: "provider",
6187
+ scope: "global",
6188
+ sourcePath: "/tenants/shared",
6189
+ environmentPolicy: "same_all_environments",
6190
+ required: true,
6191
+ secret: true,
6192
+ public: false,
6193
+ consumers: ["tenant-vercel-app", "tenant-deploy-tooling"],
6194
+ destinations: [
6195
+ {
6196
+ kind: "vercel",
6197
+ target: system.vercelProjectName,
6198
+ environmentPolicy: "same_all_environments"
6199
+ },
6200
+ {
6201
+ kind: "github_actions",
6202
+ target: `${system.repository.owner}/${system.repository.name}`,
6203
+ environmentPolicy: "same_all_environments"
6204
+ }
6205
+ ],
6206
+ description: `${system.tenantKey}/${system.workspaceKey}: read-only npm install token for published @lucern/* packages.`
6207
+ })
6208
+ );
6209
+ var TENANT_PRODUCT_SOFTWARE_SYSTEM_IDS = ["stack-frontend", "stackos"];
6210
+ var TENANT_PRODUCT_RUNTIME_SECRET_DEFINITION_TEMPLATES = [
6211
+ {
6212
+ idSuffix: "ai.openai-api-key",
6213
+ canonicalName: "OPENAI_API_KEY",
6214
+ required: false,
6215
+ secret: true,
6216
+ public: false,
6217
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment", "tenant-ai-runtime"],
6218
+ description: "Tenant-owned OpenAI key for product runtime LLM calls."
4935
6219
  },
4936
6220
  {
4937
- packageName: "@lucern/agent",
4938
- role: "platform_runtime",
4939
- directTenantImport: false
6221
+ idSuffix: "ai.anthropic-api-key",
6222
+ canonicalName: "ANTHROPIC_API_KEY",
6223
+ required: false,
6224
+ secret: true,
6225
+ public: false,
6226
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment", "tenant-ai-runtime"],
6227
+ description: "Tenant-owned Anthropic key for product runtime LLM calls."
4940
6228
  },
4941
6229
  {
4942
- packageName: "@lucern/auth",
4943
- role: "sdk_dependency",
4944
- directTenantImport: false
6230
+ idSuffix: "ai.gemini-api-key",
6231
+ canonicalName: "GEMINI_API_KEY",
6232
+ aliases: ["GOOGLE_AI_API_KEY", "GOOGLE_GENERATIVE_AI_API_KEY"],
6233
+ required: false,
6234
+ secret: true,
6235
+ public: false,
6236
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment", "tenant-ai-runtime"],
6237
+ description: "Tenant-owned Google/Gemini key for product runtime LLM calls."
4945
6238
  },
4946
6239
  {
4947
- packageName: "@lucern/cli",
4948
- role: "developer_tool",
4949
- directTenantImport: false
6240
+ idSuffix: "langfuse.secret-key",
6241
+ canonicalName: "LANGFUSE_SECRET_KEY",
6242
+ required: false,
6243
+ secret: true,
6244
+ public: false,
6245
+ consumers: [
6246
+ "tenant-vercel-app",
6247
+ "tenant-convex-deployment",
6248
+ "tenant-observability"
6249
+ ],
6250
+ description: "Tenant-owned Langfuse secret key for product AI tracing."
4950
6251
  },
4951
6252
  {
4952
- packageName: "@lucern/client-core",
4953
- role: "sdk_dependency",
4954
- directTenantImport: false
6253
+ idSuffix: "langfuse.public-key",
6254
+ canonicalName: "LANGFUSE_PUBLIC_KEY",
6255
+ required: false,
6256
+ secret: false,
6257
+ public: false,
6258
+ consumers: [
6259
+ "tenant-vercel-app",
6260
+ "tenant-convex-deployment",
6261
+ "tenant-observability"
6262
+ ],
6263
+ description: "Tenant-owned Langfuse public key for product AI tracing."
4955
6264
  },
4956
6265
  {
4957
- packageName: "@lucern/confidence",
4958
- role: "sdk_dependency",
4959
- directTenantImport: false
6266
+ idSuffix: "langfuse.base-url",
6267
+ canonicalName: "LANGFUSE_BASE_URL",
6268
+ aliases: ["LANGFUSE_BASEURL", "LANGFUSE_HOST"],
6269
+ required: false,
6270
+ secret: false,
6271
+ public: false,
6272
+ consumers: [
6273
+ "tenant-vercel-app",
6274
+ "tenant-convex-deployment",
6275
+ "tenant-observability"
6276
+ ],
6277
+ description: "Tenant-owned Langfuse API origin."
4960
6278
  },
4961
6279
  {
4962
- packageName: "@lucern/config",
4963
- role: "configuration",
4964
- directTenantImport: false
6280
+ idSuffix: "graph.neo4j-uri",
6281
+ canonicalName: "NEO4J_URI",
6282
+ required: false,
6283
+ secret: false,
6284
+ public: false,
6285
+ consumers: [
6286
+ "tenant-vercel-app",
6287
+ "tenant-convex-deployment",
6288
+ "tenant-graph-sync"
6289
+ ],
6290
+ description: "Tenant-owned Neo4j URI for product graph-sync."
4965
6291
  },
4966
6292
  {
4967
- packageName: "@lucern/contracts",
4968
- role: "contract_entrypoint",
4969
- directTenantImport: true
6293
+ idSuffix: "graph.neo4j-user",
6294
+ canonicalName: "NEO4J_USER",
6295
+ aliases: ["NEO4J_USERNAME"],
6296
+ required: false,
6297
+ secret: false,
6298
+ public: false,
6299
+ consumers: [
6300
+ "tenant-vercel-app",
6301
+ "tenant-convex-deployment",
6302
+ "tenant-graph-sync"
6303
+ ],
6304
+ description: "Tenant-owned Neo4j user for product graph-sync."
4970
6305
  },
4971
6306
  {
4972
- packageName: "@lucern/control-plane",
4973
- role: "platform_runtime",
4974
- directTenantImport: false
6307
+ idSuffix: "graph.neo4j-password",
6308
+ canonicalName: "NEO4J_PASSWORD",
6309
+ required: false,
6310
+ secret: true,
6311
+ public: false,
6312
+ consumers: [
6313
+ "tenant-vercel-app",
6314
+ "tenant-convex-deployment",
6315
+ "tenant-graph-sync"
6316
+ ],
6317
+ description: "Tenant-owned Neo4j password for product graph-sync."
4975
6318
  },
4976
6319
  {
4977
- packageName: "@lucern/developer-kit",
4978
- role: "developer_tool",
4979
- directTenantImport: false
6320
+ idSuffix: "graph.neo4j-sync-secret",
6321
+ canonicalName: "NEO4J_SYNC_SECRET",
6322
+ required: false,
6323
+ secret: true,
6324
+ public: false,
6325
+ consumers: [
6326
+ "tenant-vercel-app",
6327
+ "tenant-convex-deployment",
6328
+ "tenant-graph-sync"
6329
+ ],
6330
+ description: "Tenant-owned shared secret for product Convex-to-HTTP graph-sync calls."
4980
6331
  },
4981
6332
  {
4982
- packageName: "@lucern/events",
4983
- role: "sdk_dependency",
4984
- directTenantImport: false
6333
+ idSuffix: "graph.neo4j-database",
6334
+ canonicalName: "NEO4J_DATABASE",
6335
+ required: false,
6336
+ secret: false,
6337
+ public: false,
6338
+ consumers: [
6339
+ "tenant-vercel-app",
6340
+ "tenant-convex-deployment",
6341
+ "tenant-graph-sync"
6342
+ ],
6343
+ description: "Tenant-owned Neo4j database name for product graph-sync."
4985
6344
  },
4986
6345
  {
4987
- packageName: "@lucern/graph-primitives",
4988
- role: "sdk_dependency",
4989
- directTenantImport: false
6346
+ idSuffix: "vector.pinecone-api-key",
6347
+ canonicalName: "PINECONE_API_KEY",
6348
+ required: false,
6349
+ secret: true,
6350
+ public: false,
6351
+ consumers: [
6352
+ "tenant-vercel-app",
6353
+ "tenant-convex-deployment",
6354
+ "tenant-vector-store"
6355
+ ],
6356
+ description: "Tenant-owned Pinecone API key for product vector search."
4990
6357
  },
4991
6358
  {
4992
- packageName: "@lucern/graph-sync",
4993
- role: "host_addon_runtime",
4994
- directTenantImport: true
6359
+ idSuffix: "vector.pinecone-index-name",
6360
+ canonicalName: "PINECONE_INDEX_NAME",
6361
+ aliases: ["PINECONE_INDEX"],
6362
+ required: false,
6363
+ secret: false,
6364
+ public: false,
6365
+ consumers: [
6366
+ "tenant-vercel-app",
6367
+ "tenant-convex-deployment",
6368
+ "tenant-vector-store"
6369
+ ],
6370
+ description: "Tenant-owned Pinecone index name for product vector search."
4995
6371
  },
4996
6372
  {
4997
- packageName: "@lucern/identity",
4998
- role: "component_runtime",
4999
- directTenantImport: false
6373
+ idSuffix: "vector.pinecone-host",
6374
+ canonicalName: "PINECONE_HOST",
6375
+ aliases: ["PINECONE_INDEX_HOST"],
6376
+ required: false,
6377
+ secret: false,
6378
+ public: false,
6379
+ consumers: [
6380
+ "tenant-vercel-app",
6381
+ "tenant-convex-deployment",
6382
+ "tenant-vector-store"
6383
+ ],
6384
+ description: "Tenant-owned Pinecone host for product vector search."
5000
6385
  },
5001
6386
  {
5002
- packageName: "@lucern/mcp",
5003
- role: "runtime_entrypoint",
5004
- directTenantImport: true
6387
+ idSuffix: "vector.pinecone-namespace",
6388
+ canonicalName: "PINECONE_NAMESPACE",
6389
+ required: false,
6390
+ secret: false,
6391
+ public: false,
6392
+ consumers: [
6393
+ "tenant-vercel-app",
6394
+ "tenant-convex-deployment",
6395
+ "tenant-vector-store"
6396
+ ],
6397
+ description: "Tenant-owned Pinecone namespace for product vector search isolation."
5005
6398
  },
5006
6399
  {
5007
- packageName: "@lucern/pack-host",
5008
- role: "platform_runtime",
5009
- directTenantImport: false
6400
+ idSuffix: "storage.aws-access-key-id",
6401
+ canonicalName: "AWS_ACCESS_KEY_ID",
6402
+ required: false,
6403
+ secret: true,
6404
+ public: false,
6405
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
6406
+ description: "Tenant-owned AWS access key id for document/file ingestion."
5010
6407
  },
5011
6408
  {
5012
- packageName: "@lucern/pack-installer",
5013
- role: "developer_tool",
5014
- directTenantImport: false
6409
+ idSuffix: "storage.aws-secret-access-key",
6410
+ canonicalName: "AWS_SECRET_ACCESS_KEY",
6411
+ required: false,
6412
+ secret: true,
6413
+ public: false,
6414
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
6415
+ description: "Tenant-owned AWS secret access key for document/file ingestion."
5015
6416
  },
5016
6417
  {
5017
- packageName: "@lucern/proof-compiler",
5018
- role: "developer_tool",
5019
- directTenantImport: false
6418
+ idSuffix: "storage.aws-region",
6419
+ canonicalName: "AWS_REGION",
6420
+ required: false,
6421
+ secret: false,
6422
+ public: false,
6423
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
6424
+ description: "Tenant-owned AWS region for document/file ingestion."
5020
6425
  },
5021
6426
  {
5022
- packageName: "@lucern/react",
5023
- role: "runtime_entrypoint",
5024
- directTenantImport: true
6427
+ idSuffix: "observability.sentry-dsn",
6428
+ canonicalName: "NEXT_PUBLIC_SENTRY_DSN",
6429
+ aliases: ["NEXT_PUBLIC_SENTRY_DSN_NEXTJS", "SENTRY_DSN"],
6430
+ required: false,
6431
+ secret: false,
6432
+ public: true,
6433
+ consumers: ["tenant-vercel-app", "tenant-observability"],
6434
+ description: "Tenant-owned Sentry DSN for app telemetry."
5025
6435
  },
5026
6436
  {
5027
- packageName: "@lucern/reasoning-kernel",
5028
- role: "component_runtime",
5029
- directTenantImport: false
6437
+ idSuffix: "observability.sentry-auth-token",
6438
+ canonicalName: "SENTRY_AUTH_TOKEN",
6439
+ required: false,
6440
+ secret: true,
6441
+ public: false,
6442
+ consumers: ["tenant-deploy-tooling", "tenant-observability"],
6443
+ description: "Tenant-owned Sentry release token for app deployments."
5030
6444
  },
5031
6445
  {
5032
- packageName: "@lucern/sdk",
5033
- role: "runtime_entrypoint",
5034
- directTenantImport: true
6446
+ idSuffix: "observability.sentry-org",
6447
+ canonicalName: "SENTRY_ORG",
6448
+ aliases: ["SENTRY_ORG_SLUG"],
6449
+ required: false,
6450
+ secret: false,
6451
+ public: false,
6452
+ consumers: ["tenant-deploy-tooling", "tenant-observability"],
6453
+ description: "Tenant-owned Sentry org slug for release uploads."
5035
6454
  },
5036
6455
  {
5037
- packageName: "@lucern/server-core",
5038
- role: "platform_runtime",
5039
- directTenantImport: false
6456
+ idSuffix: "observability.sentry-project",
6457
+ canonicalName: "SENTRY_PROJECT",
6458
+ aliases: ["SENTRY_PROJECT_NEXTJS"],
6459
+ required: false,
6460
+ secret: false,
6461
+ public: false,
6462
+ consumers: ["tenant-deploy-tooling", "tenant-observability"],
6463
+ description: "Tenant-owned Sentry project slug for release uploads."
5040
6464
  },
5041
6465
  {
5042
- packageName: "@lucern/testing",
5043
- role: "test_support",
5044
- directTenantImport: false
6466
+ idSuffix: "observability.sentry-environment",
6467
+ canonicalName: "NEXT_PUBLIC_SENTRY_ENVIRONMENT",
6468
+ aliases: ["SENTRY_ENVIRONMENT"],
6469
+ required: false,
6470
+ secret: false,
6471
+ public: true,
6472
+ consumers: ["tenant-vercel-app", "tenant-observability"],
6473
+ description: "Tenant-owned Sentry environment label."
5045
6474
  },
5046
6475
  {
5047
- packageName: "@lucern/types",
5048
- role: "contract_entrypoint",
5049
- directTenantImport: true
6476
+ idSuffix: "observability.sentry-release",
6477
+ canonicalName: "NEXT_PUBLIC_SENTRY_RELEASE",
6478
+ aliases: ["SENTRY_RELEASE"],
6479
+ required: false,
6480
+ secret: false,
6481
+ public: true,
6482
+ consumers: ["tenant-vercel-app", "tenant-observability"],
6483
+ description: "Tenant-owned Sentry release label."
6484
+ },
6485
+ {
6486
+ idSuffix: "observability.sentry-client-options",
6487
+ canonicalName: "NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE",
6488
+ aliases: [
6489
+ "NEXT_PUBLIC_SENTRY_CAPTURE_CONSOLE_LEVELS",
6490
+ "NEXT_PUBLIC_SENTRY_CAPTURE_CONSOLE_LEVELS_NEXTJS",
6491
+ "NEXT_PUBLIC_SENTRY_CONSOLE_BREADCRUMB_LEVELS",
6492
+ "NEXT_PUBLIC_SENTRY_CONSOLE_BREADCRUMB_LEVELS_NEXTJS",
6493
+ "NEXT_PUBLIC_SENTRY_CONSOLE_LOG_LEVELS",
6494
+ "NEXT_PUBLIC_SENTRY_CONSOLE_LOG_LEVELS_NEXTJS",
6495
+ "NEXT_PUBLIC_SENTRY_ENABLE_LOGS",
6496
+ "NEXT_PUBLIC_SENTRY_REPLAYS_ON_ERROR_SAMPLE_RATE",
6497
+ "NEXT_PUBLIC_SENTRY_REPLAYS_SESSION_SAMPLE_RATE",
6498
+ "NEXT_PUBLIC_SENTRY_SEND_DEFAULT_PII",
6499
+ "NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE_NEXTJS"
6500
+ ],
6501
+ required: false,
6502
+ secret: false,
6503
+ public: true,
6504
+ consumers: ["tenant-vercel-app", "tenant-observability"],
6505
+ description: "Tenant-owned public Sentry tuning values for Next.js client instrumentation."
6506
+ },
6507
+ {
6508
+ idSuffix: "observability.sentry-webhook-secret",
6509
+ canonicalName: "SENTRY_WEBHOOK_SECRET",
6510
+ required: false,
6511
+ secret: true,
6512
+ public: false,
6513
+ consumers: ["tenant-convex-deployment", "tenant-observability"],
6514
+ description: "Tenant-owned Sentry webhook verification secret."
6515
+ },
6516
+ {
6517
+ idSuffix: "lucern.gateway-api-key",
6518
+ canonicalName: "LUCERN_API_KEY",
6519
+ aliases: ["STACK_API_KEY"],
6520
+ required: false,
6521
+ secret: true,
6522
+ public: false,
6523
+ consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
6524
+ description: "Tenant-scoped Lucern/MC gateway API key for product front-door calls."
6525
+ },
6526
+ {
6527
+ idSuffix: "lucern.gateway-base-url",
6528
+ canonicalName: "LUCERN_BASE_URL",
6529
+ aliases: ["LUCERN_API_BASE_URL", "LUCERN_GATEWAY_BASE_URL"],
6530
+ required: false,
6531
+ secret: false,
6532
+ public: false,
6533
+ consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
6534
+ description: "Lucern/MC gateway base URL used by tenant product apps."
6535
+ },
6536
+ {
6537
+ idSuffix: "lucern.proxy-token-secret",
6538
+ canonicalName: "LUCERN_PROXY_TOKEN_SECRET",
6539
+ required: false,
6540
+ secret: true,
6541
+ public: false,
6542
+ consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
6543
+ description: "Tenant-owned secret for signing internal proxy/session tokens in product apps."
6544
+ },
6545
+ {
6546
+ idSuffix: "tenant.integrations.linear-api-key",
6547
+ canonicalName: "LINEAR_API_KEY",
6548
+ required: false,
6549
+ secret: true,
6550
+ public: false,
6551
+ consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
6552
+ description: "Tenant-owned Linear API key for support/slash-command flows."
6553
+ },
6554
+ {
6555
+ idSuffix: "tenant.vercel.bypass-token",
6556
+ canonicalName: "VERCEL_AUTOMATION_BYPASS_SECRET",
6557
+ aliases: ["NEXT_PUBLIC_VERCEL_BYPASS_TOKEN"],
6558
+ required: false,
6559
+ secret: true,
6560
+ public: false,
6561
+ consumers: ["tenant-vercel-app", "tenant-deploy-tooling"],
6562
+ description: "Tenant-owned Vercel automation bypass token. Public alias is legacy and should be removed from app code."
5050
6563
  }
5051
6564
  ];
5052
- TENANT_CLIENT_INSTALLABLE_PACKAGES.map(
5053
- (entry) => entry.packageName
6565
+ INFISICAL_TENANT_SOFTWARE_SYSTEMS.filter(
6566
+ (system) => TENANT_PRODUCT_SOFTWARE_SYSTEM_IDS.includes(system.id)
6567
+ ).flatMap(
6568
+ (system) => TENANT_PRODUCT_RUNTIME_SECRET_DEFINITION_TEMPLATES.map(
6569
+ (template) => ({
6570
+ id: `tenant.${system.id}.${template.idSuffix}`,
6571
+ canonicalName: template.canonicalName,
6572
+ aliases: "aliases" in template ? template.aliases : void 0,
6573
+ owner: "tenant",
6574
+ scope: "tenant",
6575
+ sourcePath: system.sharedSourcePath,
6576
+ environmentPolicy: "environment_specific",
6577
+ required: template.required,
6578
+ secret: template.secret,
6579
+ public: template.public,
6580
+ consumers: template.consumers,
6581
+ destinations: [
6582
+ {
6583
+ kind: "vercel",
6584
+ target: system.vercelProjectName,
6585
+ environmentPolicy: "preprod_staging_prod_prod"
6586
+ },
6587
+ {
6588
+ kind: "convex",
6589
+ target: `${system.convex.preprodDeployment}|${system.convex.prodDeployment}`,
6590
+ environmentPolicy: "preprod_staging_prod_prod"
6591
+ },
6592
+ {
6593
+ kind: "github_actions",
6594
+ target: `${system.repository.owner}/${system.repository.name}`,
6595
+ environmentPolicy: "preprod_staging_prod_prod"
6596
+ }
6597
+ ],
6598
+ description: `${system.tenantKey}/${system.workspaceKey}: ${template.description}`
6599
+ })
6600
+ )
6601
+ );
6602
+ function tenantVercelConvexUrlWriteNames(system) {
6603
+ const names = [system.convex.urlEnv, "NEXT_PUBLIC_CONVEX_URL"];
6604
+ if (system.id === "stack-eng") {
6605
+ return [...names, "STACKOS_ENGINEERING_GRAPH_CONVEX_URL"];
6606
+ }
6607
+ return names;
6608
+ }
6609
+ function tenantRepositoryConvexUrlWriteNames(system) {
6610
+ if (system.id === "stack-eng") {
6611
+ return [system.convex.urlEnv, "STACKOS_ENGINEERING_GRAPH_CONVEX_URL"];
6612
+ }
6613
+ return [system.convex.urlEnv];
6614
+ }
6615
+ function tenantRepositoryConvexDeployKeyWriteNames(system) {
6616
+ if (system.id === "stack-eng") {
6617
+ return [system.convex.deployKeyEnv, "STACKOS_ENGINEERING_GRAPH_DEPLOY_KEY"];
6618
+ }
6619
+ return [system.convex.deployKeyEnv];
6620
+ }
6621
+ function tenantConvexUrlAliases(system) {
6622
+ if (system.id === "stack-frontend") {
6623
+ return [
6624
+ "CONVEX_PROD_URL",
6625
+ "CONVEX_STACK_V2_PROD_URL",
6626
+ "CONVEX_STACK_V2_STAGING_URL",
6627
+ "STACK_CONVEX_URL"
6628
+ ];
6629
+ }
6630
+ if (system.id === "stackos") {
6631
+ return [
6632
+ "CONVEX_CLOUD_URL",
6633
+ "CONVEX_STACK_URL",
6634
+ "CONVEX_URL",
6635
+ "CONVEX_URL_DEVELOPMENT",
6636
+ "CONVEX_URL_PRODUCTION",
6637
+ "STACK_CONVEX_URL"
6638
+ ];
6639
+ }
6640
+ if (system.id === "stack-eng") {
6641
+ return ["STACKOS_ENGINEERING_GRAPH_CONVEX_URL"];
6642
+ }
6643
+ if (system.id === "lucern-graph") {
6644
+ return [
6645
+ "CONVEX_GRAPH_URL",
6646
+ "LUCERN_PROD_URL",
6647
+ "NEXT_PUBLIC_LUCERN_GRAPH_URL"
6648
+ ];
6649
+ }
6650
+ return void 0;
6651
+ }
6652
+ function tenantConvexDeployKeyAliases(system) {
6653
+ if (system.id === "stack-frontend") {
6654
+ return [
6655
+ "CONVEX_STACK_V2_PROD_DEPLOY_KEY",
6656
+ "CONVEX_STACK_V2_STAGING_DEPLOY_KEY",
6657
+ "STACK_DEPLOY_KEY"
6658
+ ];
6659
+ }
6660
+ if (system.id === "stackos") {
6661
+ return [
6662
+ "CONVEX_DEPLOY_KEY",
6663
+ "CONVEX_DEV_DEPLOY_KEY",
6664
+ "CONVEX_PROD_DEPLOY_KEY",
6665
+ "CONVEX_STACK_DEPLOY_KEY",
6666
+ "STACK_DEPLOY_KEY"
6667
+ ];
6668
+ }
6669
+ if (system.id === "stack-eng") {
6670
+ return ["CONVEX_DEPLOY_KEY", "STACKOS_ENGINEERING_GRAPH_DEPLOY_KEY"];
6671
+ }
6672
+ if (system.id === "lucern-graph") {
6673
+ return [
6674
+ "CONVEX_DEPLOY_KEY",
6675
+ "CONVEX_GRAPH_DEPLOY_KEY",
6676
+ "LUCERN_CONVEX_DEPLOY_KEY",
6677
+ "LUCERN_DEV_DEPLOY_KEY",
6678
+ "LUCERN_PROD_DEPLOY_KEY"
6679
+ ];
6680
+ }
6681
+ return void 0;
6682
+ }
6683
+ INFISICAL_TENANT_SOFTWARE_SYSTEMS.flatMap(
6684
+ (system) => {
6685
+ if (system.id === "lucern-graph") {
6686
+ return [
6687
+ {
6688
+ id: "tenant.lucern-graph.public.tenant-id",
6689
+ canonicalName: "NEXT_PUBLIC_LUCERN_GRAPH_TENANT_ID",
6690
+ aliases: ["NEXT_PUBLIC_LUCERN_TENANT_ID"],
6691
+ owner: "tenant",
6692
+ scope: "workspace",
6693
+ sourcePath: system.sharedSourcePath,
6694
+ environmentPolicy: "environment_specific",
6695
+ required: false,
6696
+ secret: false,
6697
+ public: true,
6698
+ consumers: ["tenant-vercel-app"],
6699
+ destinations: [
6700
+ {
6701
+ kind: "vercel",
6702
+ target: system.vercelProjectName,
6703
+ environmentPolicy: "preprod_staging_prod_prod"
6704
+ }
6705
+ ],
6706
+ description: "Lucern graph public tenant id used by the standalone graph explorer."
6707
+ },
6708
+ {
6709
+ id: "tenant.lucern-graph.public.tenant-label",
6710
+ canonicalName: "NEXT_PUBLIC_LUCERN_GRAPH_TENANT_LABEL",
6711
+ owner: "tenant",
6712
+ scope: "workspace",
6713
+ sourcePath: system.sharedSourcePath,
6714
+ environmentPolicy: "environment_specific",
6715
+ required: false,
6716
+ secret: false,
6717
+ public: true,
6718
+ consumers: ["tenant-vercel-app"],
6719
+ destinations: [
6720
+ {
6721
+ kind: "vercel",
6722
+ target: system.vercelProjectName,
6723
+ environmentPolicy: "preprod_staging_prod_prod"
6724
+ }
6725
+ ],
6726
+ description: "Lucern graph public tenant label used by the standalone graph explorer."
6727
+ }
6728
+ ];
6729
+ }
6730
+ if (system.id === "stack-eng") {
6731
+ return [
6732
+ {
6733
+ id: "tenant.stack-eng.public.tenant-id",
6734
+ canonicalName: "NEXT_PUBLIC_STACKOS_ENGINEERING_GRAPH_TENANT_ID",
6735
+ owner: "tenant",
6736
+ scope: "workspace",
6737
+ sourcePath: system.sharedSourcePath,
6738
+ environmentPolicy: "environment_specific",
6739
+ required: false,
6740
+ secret: false,
6741
+ public: true,
6742
+ consumers: ["tenant-vercel-app"],
6743
+ destinations: [
6744
+ {
6745
+ kind: "vercel",
6746
+ target: system.vercelProjectName,
6747
+ environmentPolicy: "preprod_staging_prod_prod"
6748
+ }
6749
+ ],
6750
+ description: "Stack engineering graph public tenant id used by the graph explorer."
6751
+ },
6752
+ {
6753
+ id: "tenant.stack-eng.public.tenant-label",
6754
+ canonicalName: "NEXT_PUBLIC_STACKOS_ENGINEERING_GRAPH_TENANT_LABEL",
6755
+ owner: "tenant",
6756
+ scope: "workspace",
6757
+ sourcePath: system.sharedSourcePath,
6758
+ environmentPolicy: "environment_specific",
6759
+ required: false,
6760
+ secret: false,
6761
+ public: true,
6762
+ consumers: ["tenant-vercel-app"],
6763
+ destinations: [
6764
+ {
6765
+ kind: "vercel",
6766
+ target: system.vercelProjectName,
6767
+ environmentPolicy: "preprod_staging_prod_prod"
6768
+ }
6769
+ ],
6770
+ description: "Stack engineering graph public tenant label used by the graph explorer."
6771
+ },
6772
+ {
6773
+ id: "tenant.stack-eng.public.environment",
6774
+ canonicalName: "NEXT_PUBLIC_STACKOS_ENGINEERING_GRAPH_ENV",
6775
+ owner: "tenant",
6776
+ scope: "workspace",
6777
+ sourcePath: system.sharedSourcePath,
6778
+ environmentPolicy: "environment_specific",
6779
+ required: false,
6780
+ secret: false,
6781
+ public: true,
6782
+ consumers: ["tenant-vercel-app"],
6783
+ destinations: [
6784
+ {
6785
+ kind: "vercel",
6786
+ target: system.vercelProjectName,
6787
+ environmentPolicy: "preprod_staging_prod_prod"
6788
+ }
6789
+ ],
6790
+ description: "Stack engineering graph public environment label used by the graph explorer."
6791
+ }
6792
+ ];
6793
+ }
6794
+ return [];
6795
+ }
5054
6796
  );
6797
+ INFISICAL_TENANT_SOFTWARE_SYSTEMS.flatMap((system) => [
6798
+ {
6799
+ id: `tenant.${system.id}.convex.url`,
6800
+ canonicalName: system.convex.urlEnv,
6801
+ aliases: tenantConvexUrlAliases(system),
6802
+ owner: "tenant",
6803
+ scope: "software_system",
6804
+ sourcePath: system.sharedSourcePath,
6805
+ environmentPolicy: "preprod_staging_prod_prod",
6806
+ required: true,
6807
+ secret: false,
6808
+ public: false,
6809
+ consumers: [
6810
+ "tenant-vercel-app",
6811
+ "tenant-agent-runtime",
6812
+ "mc-operator-tooling"
6813
+ ],
6814
+ destinations: [
6815
+ {
6816
+ kind: "vercel",
6817
+ target: system.vercelProjectName,
6818
+ environmentPolicy: "preprod_staging_prod_prod",
6819
+ writeNames: tenantVercelConvexUrlWriteNames(system)
6820
+ },
6821
+ {
6822
+ kind: "github_actions",
6823
+ target: `${system.repository.owner}/${system.repository.name}`,
6824
+ environmentPolicy: "preprod_staging_prod_prod",
6825
+ writeNames: tenantRepositoryConvexUrlWriteNames(system),
6826
+ notes: "Only if that repository deploy/test workflow owns this software system."
6827
+ }
6828
+ ],
6829
+ description: `${system.tenantKey}/${system.workspaceKey} Convex URL. Pre-prod resolves to ${system.convex.preprodDeployment}; prod resolves to ${system.convex.prodDeployment}.`
6830
+ },
6831
+ {
6832
+ id: `tenant.${system.id}.convex.deploy-key`,
6833
+ canonicalName: system.convex.deployKeyEnv,
6834
+ aliases: tenantConvexDeployKeyAliases(system),
6835
+ owner: "tenant",
6836
+ scope: "software_system",
6837
+ sourcePath: system.sharedSourcePath,
6838
+ environmentPolicy: "preprod_staging_prod_prod",
6839
+ required: true,
6840
+ secret: true,
6841
+ public: false,
6842
+ consumers: [
6843
+ "tenant-vercel-app",
6844
+ "tenant-agent-runtime",
6845
+ "mc-operator-tooling"
6846
+ ],
6847
+ destinations: [
6848
+ {
6849
+ kind: "vercel",
6850
+ target: system.vercelProjectName,
6851
+ environmentPolicy: "preprod_staging_prod_prod"
6852
+ },
6853
+ {
6854
+ kind: "github_actions",
6855
+ target: `${system.repository.owner}/${system.repository.name}`,
6856
+ environmentPolicy: "preprod_staging_prod_prod",
6857
+ writeNames: tenantRepositoryConvexDeployKeyWriteNames(system),
6858
+ notes: "Only if that repository deploy/test workflow owns this software system."
6859
+ }
6860
+ ],
6861
+ description: `${system.tenantKey}/${system.workspaceKey} Convex deploy/admin key. Never route to sibling workspaces.`
6862
+ }
6863
+ ]);
5055
6864
  z.object({
5056
6865
  manifestVersion: z.literal("1.0.0"),
5057
6866
  rules: z.array(
@@ -5092,7 +6901,7 @@ var createEvidenceInputSchemaBase = z.object({
5092
6901
  targetId: z.string().optional(),
5093
6902
  targetNodeId: z.string().optional(),
5094
6903
  linkedBeliefNodeId: z.string().optional(),
5095
- evidenceRelation: z.enum(["supports", "contradicts", "neutral"]).optional(),
6904
+ evidenceRelation: z.enum(["supports", "contradicts"]).optional(),
5096
6905
  confidence: z.number().optional(),
5097
6906
  weight: z.number().optional(),
5098
6907
  reasoning: z.string().optional(),
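Review bot: Dropping `"neutral"` from `evidenceRelation` in `createEvidenceInputSchemaBase` makes input that the previous version accepted fail validation, and nothing in the hunk tells a caller what to send instead. The next hunk applies the same narrowing to the Convex validator in `createEvidenceProjection`, so the two layers agree, but any client or replayed payload still carrying `"neutral"` will presumably be rejected at both. I would add a comment on the field such as `// "neutral" was removed in 0.3.0-alpha.11; omit evidenceRelation when the evidence takes no side` (if omission is the intended replacement) and flag the change as breaking in the release notes. Both definitions start and end outside their hunks.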
@@ -5177,8 +6986,7 @@ var createEvidenceProjection = defineProjection({
5177
6986
  evidenceRelation: v.optional(
5178
6987
  v.union(
5179
6988
  v.literal("supports"),
5180
- v.literal("contradicts"),
5181
- v.literal("neutral")
6989
+ v.literal("contradicts")
5182
6990
  )
5183
6991
  ),
5184
6992
  confidence: v.optional(v.number()),
@@ -5227,12 +7035,17 @@ var listBeliefsProjection = defineProjection({
5227
7035
  });
5228
7036
  var taskStatusSchema = z.enum(["todo", "in_progress", "blocked", "done"]).optional().describe("Filter by task status");
5229
7037
  var listTasksInputSchema = z.object({
5230
- topicId: z.string().describe("Topic scope"),
7038
+ topicId: z.string().optional().describe("Topic scope"),
5231
7039
  worktreeId: z.string().optional().describe("Alias for linkedWorktreeId"),
5232
7040
  linkedWorktreeId: z.string().optional().describe("Filter to tasks linked to this worktree"),
5233
7041
  status: taskStatusSchema,
5234
7042
  limit: z.number().optional().describe("Maximum results")
5235
- });
7043
+ }).refine(
7044
+ (input) => Boolean(input.topicId || input.worktreeId || input.linkedWorktreeId),
7045
+ {
7046
+ message: "topicId or worktreeId is required"
7047
+ }
7048
+ );
5236
7049
  function compactRecord3(input) {
5237
7050
  return Object.fromEntries(
5238
7051
  Object.entries(input).filter(([, value]) => value !== void 0)
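Review bot: The `.refine()` added to `listTasksInputSchema` accepts `linkedWorktreeId` as a valid scope, but its message does not mention that field; `message: "topicId, worktreeId or linkedWorktreeId is required"` would match the check. Wrapping the object in `.refine()` also turns the value from a plain object schema into an effects wrapper, so any consumer that reads its shape or extends it has to unwrap it first; whether `getObjectShape` does that is not visible here. The `Boolean(...)` test treats an empty string as missing, which looks intended but deserves a one-line comment.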
@@ -5249,7 +7062,7 @@ var listTasksProjection = defineProjection({
5249
7062
  linkedWorktreeId: input.linkedWorktreeId ?? input.worktreeId
5250
7063
  }),
5251
7064
  convexArgsValidator: v.object({
5252
- topicId: v.string(),
7065
+ topicId: v.optional(v.string()),
5253
7066
  status: v.optional(
5254
7067
  v.union(
5255
7068
  v.literal("todo"),
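Review bot: With `topicId: v.optional(v.string())`, the Convex args validator of `listTasksProjection` accepts a call that carries neither `topicId` nor `linkedWorktreeId`, because the at-least-one rule lives only in the zod `.refine()` on `listTasksInputSchema`. A caller that reaches the Convex function without passing through that schema would get an unscoped task listing unless the handler rejects it; the handler is not visible in this hunk. I would enforce the same rule server-side and record it next to the validator, e.g. `// handler must reject calls with neither topicId nor linkedWorktreeId`. The projection continues outside the hunk.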
@@ -6253,7 +8066,7 @@ var CREATE_EDGE = {
6253
8066
  reasoningMethod: {
6254
8067
  type: "string",
6255
8068
  description: "How this was determined",
6256
- enum: ["deductive", "inductive", "abductive", "analogical", "empirical"]
8069
+ enum: [...REASONING_METHODS]
6257
8070
  },
6258
8071
  metadata: {
6259
8072
  type: "object",
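Review bot: Replacing the literal list with `[...REASONING_METHODS]` in `CREATE_EDGE.reasoningMethod` removes `"empirical"`, which the old enum allowed and which the shared list added earlier in this diff does not contain. Callers that still send `"empirical"` will presumably fail tool-schema validation with no hint of which value replaces it. If there is a replacement, name it in the description; if not, keep accepting the old value for now, e.g. `enum: [...REASONING_METHODS, "empirical"]`. `CREATE_EDGE` starts and ends outside the hunk.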
@@ -7980,6 +9793,10 @@ var CREATE_TASK = {
7980
9793
  tags: {
7981
9794
  type: "array",
7982
9795
  description: "Free-form string tags"
9796
+ },
9797
+ metadata: {
9798
+ type: "object",
9799
+ description: "Structured task metadata for handoff context and routing hints"
7983
9800
  }
7984
9801
  },
7985
9802
  required: ["title"],
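Review bot: The new `metadata` parameter on `CREATE_TASK` is declared only as `type: "object"`, so the tool schema puts no bound on its keys, nesting or size, while the description invites "handoff context and routing hints" that a downstream consumer may act on. Because this value presumably arrives from another agent or tool caller, the description should say it is untrusted and must not carry credentials, e.g. `description: "Structured task metadata for handoff context and routing hints; treated as untrusted input, must not contain secrets"`. The same applies to the `metadata` field added to `UPDATE_TASK` in the next hunk, whose wording "to replace or refine" also leaves open whether an update overwrites or merges the stored object. Both definitions extend beyond their hunks.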
@@ -8053,6 +9870,10 @@ var UPDATE_TASK = {
8053
9870
  type: "string",
8054
9871
  description: "Updated status",
8055
9872
  enum: ["todo", "in_progress", "blocked", "done"]
9873
+ },
9874
+ metadata: {
9875
+ type: "object",
9876
+ description: "Structured task metadata to replace or refine"
8056
9877
  }
8057
9878
  },
8058
9879
  required: ["taskId"],
@@ -9508,6 +11329,9 @@ var BEGIN_BUILD_SESSION = {
9508
11329
  sessionMode: "string \u2014 async | interactive",
9509
11330
  targetBeliefIds: "array \u2014 scoped belief IDs",
9510
11331
  targetQuestionIds: "array \u2014 scoped question IDs",
11332
+ taskIds: "array \u2014 assigned task IDs for this worktree",
11333
+ incompleteTaskIds: "array \u2014 assigned task IDs that still require done/deferred/blocked proof",
11334
+ tasks: "array \u2014 assigned task packet with id, title, status, priority, links, and summaries",
9511
11335
  topBeliefs: "array \u2014 highest-confidence scoped beliefs",
9512
11336
  openQuestions: "array \u2014 open scoped questions",
9513
11337
  resolvedDecisions: "array \u2014 answered questions summarized for the session",
@@ -10108,12 +11932,20 @@ function unwrapMcpParameterSchema(schema) {
10108
11932
  current = current._def.schema;
10109
11933
  continue;
10110
11934
  default:
10111
- return { schema: current, required, description: description ?? current.description };
11935
+ return {
11936
+ schema: current,
11937
+ required,
11938
+ description: description ?? current.description
11939
+ };
10112
11940
  }
10113
11941
  }
10114
11942
  }
10115
11943
  function mcpParameterFromZod(fieldName, schema, contractName) {
10116
- const { schema: unwrapped, required, description: schemaDescription } = unwrapMcpParameterSchema(schema);
11944
+ const {
11945
+ schema: unwrapped,
11946
+ required,
11947
+ description: schemaDescription
11948
+ } = unwrapMcpParameterSchema(schema);
10117
11949
  const description = schemaDescription ?? unwrapped.description ?? fieldName;
10118
11950
  switch (unwrapped._def.typeName) {
10119
11951
  case z.ZodFirstPartyTypeKind.ZodString:
@@ -10158,10 +11990,12 @@ function mcpContractFromArgsSchema(base, args, contractName) {
10158
11990
  const entries2 = Object.entries(getObjectShape(args)).sort(
10159
11991
  ([left], [right]) => left.localeCompare(right)
10160
11992
  );
10161
- const converted = entries2.map(([fieldName, schema]) => [
10162
- fieldName,
10163
- mcpParameterFromZod(fieldName, schema, contractName)
10164
- ]);
11993
+ const converted = entries2.map(
11994
+ ([fieldName, schema]) => [
11995
+ fieldName,
11996
+ mcpParameterFromZod(fieldName, schema, contractName)
11997
+ ]
11998
+ );
10165
11999
  return {
10166
12000
  ...base,
10167
12001
  parameters: Object.fromEntries(
@@ -10273,6 +12107,7 @@ function surfaceContract(args) {
10273
12107
  allowedPrincipalTypes: ["user", "service", "agent"]
10274
12108
  },
10275
12109
  convex: args.convex,
12110
+ gateway: args.gateway,
10276
12111
  args: canonicalArgs,
10277
12112
  returns: canonicalReturns,
10278
12113
  input,
@@ -10759,7 +12594,7 @@ var beliefsContracts = [
10759
12594
  })
10760
12595
  ];
10761
12596
  var jsonRecordSchema4 = z.record(z.unknown());
10762
- var evidenceRelationSchema = z.enum(["supports", "contradicts", "neutral"]);
12597
+ var evidenceRelationSchema = z.enum(["supports", "contradicts"]);
10763
12598
  var createEvidenceArgs = z.object({
10764
12599
  topicId: z.string().optional().describe("Topic scope for the evidence."),
10765
12600
  text: z.string().describe("Canonical evidence text."),
@@ -12682,7 +14517,8 @@ var createTaskArgs = z.object({
12682
14517
  linkedQuestionId: z.string().optional().describe("Question this task addresses."),
12683
14518
  assigneeId: z.string().optional().describe("Principal assigned to the task."),
12684
14519
  dueDate: z.number().optional().describe("Due date as epoch milliseconds."),
12685
- tags: z.array(z.string()).optional().describe("Free-form tags.")
14520
+ tags: z.array(z.string()).optional().describe("Free-form tags."),
14521
+ metadata: z.record(z.unknown()).optional().describe("Structured task metadata for handoff context and routing hints.")
12686
14522
  });
12687
14523
  var createTaskInput = (input) => compactRecord4({
12688
14524
  title: input.title,
@@ -12696,7 +14532,8 @@ var createTaskInput = (input) => compactRecord4({
12696
14532
  linkedQuestionId: input.linkedQuestionId,
12697
14533
  assigneeId: input.assigneeId,
12698
14534
  dueDate: input.dueDate,
12699
- tags: input.tags
14535
+ tags: input.tags,
14536
+ metadata: input.metadata
12700
14537
  });
12701
14538
  var taskInput = (input) => compactRecord4({
12702
14539
  ...input,
@@ -12713,8 +14550,7 @@ var taskTopicInput = (input) => {
12713
14550
  };
12714
14551
  var completeTaskInput = (input) => compactRecord4({
12715
14552
  taskId: input.taskId ?? input.id,
12716
- outputSummary: input.outputSummary ?? input.summary,
12717
- userId: input.userId
14553
+ outputSummary: input.outputSummary ?? input.summary
12718
14554
  });
12719
14555
  var tasksContracts = [
12720
14556
  surfaceContract({
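Review bot: `completeTaskInput` no longer forwards `userId`, so the completing principal has to come from the authenticated context on the server side. Nothing in this hunk shows the corresponding args schema dropping the field, which would let a caller still send `userId` and have it silently ignored. Other projections on this page, such as the failure-log input in the `codingContracts` hunk, still pass `userId: input.userId` through. It is worth confirming whether those are meant to keep trusting a caller-supplied identity or should follow the same change. A short comment on `completeTaskInput`, such as `// userId is taken from the authenticated context, never from input`, would keep the field from being re-added later.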
@@ -12732,6 +14568,7 @@ var tasksContracts = [
12732
14568
  kind: "mutation",
12733
14569
  inputProjection: createTaskInput
12734
14570
  },
14571
+ gateway: { handler: "tasks.create" },
12735
14572
  args: createTaskArgs
12736
14573
  }),
12737
14574
  surfaceContract({
@@ -12750,6 +14587,7 @@ var tasksContracts = [
12750
14587
  kind: "query",
12751
14588
  inputProjection: taskTopicInput
12752
14589
  },
14590
+ gateway: { handler: "tasks.list" },
12753
14591
  args: listTasksInputSchema
12754
14592
  }),
12755
14593
  surfaceContract({
@@ -12767,7 +14605,8 @@ var tasksContracts = [
12767
14605
  functionName: "update",
12768
14606
  kind: "mutation",
12769
14607
  inputProjection: taskInput
12770
- }
14608
+ },
14609
+ gateway: { handler: "tasks.update" }
12771
14610
  }),
12772
14611
  surfaceContract({
12773
14612
  name: "complete_task",
@@ -12783,12 +14622,14 @@ var tasksContracts = [
12783
14622
  functionName: "complete",
12784
14623
  kind: "mutation",
12785
14624
  inputProjection: completeTaskInput
12786
- }
14625
+ },
14626
+ gateway: { handler: "tasks.complete" }
12787
14627
  })
12788
14628
  ];
12789
14629
  var CREATE_EDGE_TYPES = edgePolicyManifest.policies.map(
12790
14630
  (policy) => policy.edgeType
12791
14631
  );
14632
+ var REASONING_METHOD_TYPES = [...REASONING_METHODS];
12792
14633
  var createEdgeArgs = z.object({
12793
14634
  from: GraphRefSchema,
12794
14635
  to: GraphRefSchema,
@@ -12798,6 +14639,7 @@ var createEdgeArgs = z.object({
12798
14639
  confidence: z.number().optional(),
12799
14640
  context: z.string().optional(),
12800
14641
  reasoning: z.string().optional(),
14642
+ reasoningMethod: z.enum(REASONING_METHOD_TYPES).optional(),
12801
14643
  derivationType: z.string().optional(),
12802
14644
  metadata: z.record(z.unknown()).optional(),
12803
14645
  topicId: z.string().optional(),
@@ -12876,6 +14718,7 @@ var edgesContracts = [
12876
14718
  weight: parsed.weight,
12877
14719
  confidence: parsed.confidence,
12878
14720
  context: parsed.context ?? parsed.reasoning,
14721
+ reasoningMethod: parsed.reasoningMethod,
12879
14722
  derivationType: parsed.derivationType,
12880
14723
  metadata: parsed.metadata,
12881
14724
  skipLayerValidation: true,
@@ -13000,6 +14843,7 @@ var edgesContracts = [
13000
14843
  weight: edge.weight,
13001
14844
  confidence: edge.confidence,
13002
14845
  context: edge.context ?? edge.reasoning,
14846
+ reasoningMethod: edge.reasoningMethod,
13003
14847
  derivationType: edge.derivationType,
13004
14848
  metadata: edge.metadata,
13005
14849
  topicId: edge.topicId
@@ -13734,6 +15578,69 @@ var pipelineContracts = [
13734
15578
  }
13735
15579
  })
13736
15580
  ];
15581
+ function isRecord3(value) {
15582
+ return Boolean(value) && typeof value === "object" && !Array.isArray(value);
15583
+ }
15584
+ function stringValues(value) {
15585
+ if (typeof value === "string") {
15586
+ return [value];
15587
+ }
15588
+ if (Array.isArray(value)) {
15589
+ return value.flatMap((item) => stringValues(item));
15590
+ }
15591
+ return [];
15592
+ }
15593
+ function nestedEvidenceRows(value) {
15594
+ if (Array.isArray(value)) {
15595
+ return value.flatMap((item) => nestedEvidenceRows(item));
15596
+ }
15597
+ if (!isRecord3(value)) {
15598
+ return [];
15599
+ }
15600
+ const nestedKeys = ["evidence", "items", "nodes"];
15601
+ const nestedRows = nestedKeys.flatMap((key) => nestedEvidenceRows(value[key]));
15602
+ return nestedRows.length > 0 ? nestedRows : [value];
15603
+ }
15604
+ function isFailedAttemptRow(row) {
15605
+ const metadata = isRecord3(row.metadata) ? row.metadata : null;
15606
+ return metadata?.failedApproach === true || metadata?.isFailedAttempt === true;
15607
+ }
15608
+ function failureLogSearchFields(row) {
15609
+ const metadata = isRecord3(row.metadata) ? row.metadata : null;
15610
+ return [
15611
+ ...stringValues(row.id),
15612
+ ...stringValues(row._id),
15613
+ ...stringValues(row.title),
15614
+ ...stringValues(row.text),
15615
+ ...stringValues(row.canonicalText),
15616
+ ...stringValues(row.content),
15617
+ ...stringValues(metadata?.codeAnchor),
15618
+ ...stringValues(metadata?.codeAnchors),
15619
+ ...stringValues(metadata?.anchor),
15620
+ ...stringValues(metadata?.anchors),
15621
+ ...stringValues(metadata?.filePath),
15622
+ ...stringValues(metadata?.filePaths),
15623
+ ...stringValues(metadata?.path),
15624
+ ...stringValues(metadata?.paths),
15625
+ ...stringValues(metadata?.sourceRef),
15626
+ ...stringValues(metadata?.touchedPaths)
15627
+ ];
15628
+ }
15629
+ function projectFailureLog(output, input) {
15630
+ const rawQuery = typeof input.query === "string" && input.query.trim().length > 0 ? input.query.trim() : void 0;
15631
+ const searchKey = rawQuery?.toLowerCase();
15632
+ const failures = nestedEvidenceRows(output).filter((row) => isFailedAttemptRow(row)).filter(
15633
+ (row) => !searchKey ? true : failureLogSearchFields(row).some(
15634
+ (field) => field.toLowerCase().includes(searchKey)
15635
+ )
15636
+ );
15637
+ return {
15638
+ query: rawQuery,
15639
+ failures,
15640
+ totalFound: failures.length,
15641
+ showing: failures.length
15642
+ };
15643
+ }
13737
15644
  var recordScopeLearningArgs = z.object({
13738
15645
  topicId: z.string().optional().describe("Topic scope ID"),
13739
15646
  summary: z.string().describe("Atomic learning statement"),
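Review bot: `projectFailureLog` filters rows after the upstream query has already returned, while the request side still forwards `limit` (visible in the `codingContracts` hunk). A search can therefore come back empty or short even though matching failed attempts exist beyond the fetched page. `totalFound` and `showing` are both set to `failures.length`, so `totalFound` reports the size of the filtered page rather than a total, and a consumer cannot tell that results were truncated. I would either drop `totalFound` or document it with a comment such as `// totalFound counts matches within the fetched page only`. Separately, `nestedEvidenceRows` replaces any record that has a non-empty `evidence`, `items` or `nodes` field with its children, so a genuine row carrying one of those keys is discarded; that heuristic deserves a comment on the function.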
@@ -13823,6 +15730,8 @@ var attemptInput = (input, context) => withUserId(
13823
15730
  tags: ["code_attempt"],
13824
15731
  metadata: compactRecord4({
13825
15732
  ...recordValue2(input.metadata),
15733
+ failedApproach: true,
15734
+ isFailedAttempt: true,
13826
15735
  filePaths: input.filePaths,
13827
15736
  filePath: input.filePath,
13828
15737
  errorMessage: input.errorMessage,
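Review bot: The two flags are only safe because they sit after `...recordValue2(input.metadata)`, and nothing in the code says so. If a later edit moves the spread below them, caller-supplied metadata could set `failedApproach: false` and hide an attempt from the failure log. A comment on the first flag, such as `// must stay after the spread so caller metadata cannot clear these`, would protect the ordering. Writing two keys for the same fact also means `isFailedAttemptRow` accepts either one, so the pair should be noted as a compatibility alias or reduced to a single key once readers are migrated. The object literal continues outside the hunk.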
@@ -13953,7 +15862,8 @@ var codingContracts = [
13953
15862
  limit: input.limit,
13954
15863
  status: input.status,
13955
15864
  userId: input.userId
13956
- })
15865
+ }),
15866
+ outputProjection: (output, input) => projectFailureLog(output, input)
13957
15867
  }
13958
15868
  })
13959
15869
  ];
@@ -14415,14 +16325,14 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
14415
16325
  description: "Worktrees are tenant/runtime planning data."
14416
16326
  },
14417
16327
  {
14418
- component: "identity",
16328
+ component: "control-plane",
14419
16329
  table: "agents",
14420
16330
  prepopulation: "runtime_bootstrap",
14421
16331
  copyMode: "none",
14422
16332
  description: "Service agents are provisioned per tenant or service, not copied."
14423
16333
  },
14424
16334
  {
14425
- component: "identity",
16335
+ component: "control-plane",
14426
16336
  table: "mcpWritePolicy",
14427
16337
  prepopulation: "required_template",
14428
16338
  copyMode: "template_global",
@@ -14431,14 +16341,14 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
14431
16341
  description: "Global write policy defaults govern service and interactive MCP writes."
14432
16342
  },
14433
16343
  {
14434
- component: "identity",
16344
+ component: "control-plane",
14435
16345
  table: "modelCallLogs",
14436
16346
  prepopulation: "runtime_log",
14437
16347
  copyMode: "none",
14438
16348
  description: "Model call logs are runtime telemetry."
14439
16349
  },
14440
16350
  {
14441
- component: "identity",
16351
+ component: "control-plane",
14442
16352
  table: "modelFunctionSlots",
14443
16353
  prepopulation: "required_template",
14444
16354
  copyMode: "template_global",
@@ -14447,7 +16357,7 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
14447
16357
  description: "Function-to-model slots are required by model runtime resolution."
14448
16358
  },
14449
16359
  {
14450
- component: "identity",
16360
+ component: "control-plane",
14451
16361
  table: "modelRegistry",
14452
16362
  prepopulation: "required_template",
14453
16363
  copyMode: "template_global",
@@ -14456,7 +16366,7 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
14456
16366
  description: "Model catalog defaults are required by model runtime clients."
14457
16367
  },
14458
16368
  {
14459
- component: "identity",
16369
+ component: "control-plane",
14460
16370
  table: "modelSlotConfigs",
14461
16371
  prepopulation: "required_template",
14462
16372
  copyMode: "template_global",
@@ -14465,14 +16375,105 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
14465
16375
  description: "Slot-level defaults are required before tenant overrides exist."
14466
16376
  },
14467
16377
  {
14468
- component: "identity",
16378
+ component: "control-plane",
16379
+ table: "permitAccessReviewItems",
16380
+ prepopulation: "runtime_data",
16381
+ copyMode: "none",
16382
+ description: "Permit access-review item rows are tenant review data projected from Permit."
16383
+ },
16384
+ {
16385
+ component: "control-plane",
16386
+ table: "permitAccessReviews",
16387
+ prepopulation: "runtime_data",
16388
+ copyMode: "none",
16389
+ description: "Permit access-review campaigns are tenant review data projected from Permit."
16390
+ },
16391
+ {
16392
+ component: "control-plane",
16393
+ table: "permitAttributeBindings",
16394
+ prepopulation: "runtime_data",
16395
+ copyMode: "none",
16396
+ description: "Permit ABAC attribute bindings are tenant policy projection rows."
16397
+ },
16398
+ {
16399
+ component: "control-plane",
16400
+ table: "permitGroups",
16401
+ prepopulation: "runtime_data",
16402
+ copyMode: "none",
16403
+ description: "Permit groups are tenant-defined policy subjects, not template data."
16404
+ },
16405
+ {
16406
+ component: "control-plane",
16407
+ table: "permitGroupMemberships",
16408
+ prepopulation: "runtime_data",
16409
+ copyMode: "none",
16410
+ description: "Permit group memberships are tenant-specific policy projection rows."
16411
+ },
16412
+ {
16413
+ component: "control-plane",
16414
+ table: "permitPolicyBundles",
16415
+ prepopulation: "runtime_derived",
16416
+ copyMode: "none",
16417
+ description: "Permit policy bundles are derived from the Permit control plane."
16418
+ },
16419
+ {
16420
+ component: "control-plane",
16421
+ table: "permitPolicyDecisionReceipts",
16422
+ prepopulation: "runtime_log",
16423
+ copyMode: "none",
16424
+ description: "Permit decision receipts are runtime authorization audit logs."
16425
+ },
16426
+ {
16427
+ component: "control-plane",
16428
+ table: "permitPrincipalAliases",
16429
+ prepopulation: "runtime_data",
16430
+ copyMode: "none",
16431
+ description: "Permit principal aliases are tenant-specific identity projection rows."
16432
+ },
16433
+ {
16434
+ component: "control-plane",
16435
+ table: "permitPrincipals",
16436
+ prepopulation: "runtime_data",
16437
+ copyMode: "none",
16438
+ description: "Permit principals are projected from Clerk, Permit, and tenant onboarding flows."
16439
+ },
16440
+ {
16441
+ component: "control-plane",
16442
+ table: "permitProjectionOutbox",
16443
+ prepopulation: "runtime_queue",
16444
+ copyMode: "none",
16445
+ description: "Permit projection outbox rows are runtime sync queue data."
16446
+ },
16447
+ {
16448
+ component: "control-plane",
16449
+ table: "permitRelationshipTuples",
16450
+ prepopulation: "runtime_data",
16451
+ copyMode: "none",
16452
+ description: "Permit ReBAC relationship tuples are tenant policy projection rows."
16453
+ },
16454
+ {
16455
+ component: "control-plane",
16456
+ table: "permitResourceInstances",
16457
+ prepopulation: "runtime_data",
16458
+ copyMode: "none",
16459
+ description: "Permit resource instances are tenant/workspace graph and deployment projection rows."
16460
+ },
16461
+ {
16462
+ component: "control-plane",
16463
+ table: "permitRoleAssignments",
16464
+ prepopulation: "runtime_data",
16465
+ copyMode: "none",
16466
+ description: "Permit role assignments are tenant-specific policy projection rows."
16467
+ },
16468
+ {
16469
+ component: "control-plane",
14469
16470
  table: "platformAudienceGrants",
14470
16471
  prepopulation: "runtime_data",
14471
16472
  copyMode: "none",
14472
16473
  description: "Audience grants are principal/group-specific access rows."
14473
16474
  },
14474
16475
  {
14475
- component: "identity",
16476
+ component: "control-plane",
14476
16477
  table: "platformAudiences",
14477
16478
  prepopulation: "required_template",
14478
16479
  copyMode: "template_tenant_rewrite",
@@ -14481,35 +16482,35 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
14481
16482
  description: "Default tenant audience taxonomy rows are rewritten into each tenant."
14482
16483
  },
14483
16484
  {
14484
- component: "identity",
16485
+ component: "control-plane",
14485
16486
  table: "platformPolicyDecisionLogs",
14486
16487
  prepopulation: "runtime_log",
14487
16488
  copyMode: "none",
14488
16489
  description: "Policy decisions are runtime audit logs."
14489
16490
  },
14490
16491
  {
14491
- component: "identity",
16492
+ component: "control-plane",
14492
16493
  table: "projectGrants",
14493
16494
  prepopulation: "runtime_data",
14494
16495
  copyMode: "none",
14495
16496
  description: "Project/topic grants are principal or group-specific access rows."
14496
16497
  },
14497
16498
  {
14498
- component: "identity",
16499
+ component: "control-plane",
14499
16500
  table: "reasoningPermissions",
14500
16501
  prepopulation: "runtime_data",
14501
16502
  copyMode: "none",
14502
16503
  description: "Reasoning permissions are principal-specific policy rows."
14503
16504
  },
14504
16505
  {
14505
- component: "identity",
16506
+ component: "control-plane",
14506
16507
  table: "tenantApiKeys",
14507
16508
  prepopulation: "runtime_secret",
14508
16509
  copyMode: "none",
14509
16510
  description: "API keys are tenant credentials and must never be copied."
14510
16511
  },
14511
16512
  {
14512
- component: "identity",
16513
+ component: "control-plane",
14513
16514
  table: "tenantConfig",
14514
16515
  prepopulation: "required_template",
14515
16516
  copyMode: "template_tenant_rewrite",
@@ -14518,7 +16519,7 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
14518
16519
  description: "Tenant-local config defaults are rewritten during bootstrap."
14519
16520
  },
14520
16521
  {
14521
- component: "identity",
16522
+ component: "control-plane",
14522
16523
  table: "tenantIntegrations",
14523
16524
  prepopulation: "required_template",
14524
16525
  copyMode: "template_tenant_rewrite",
@@ -14527,14 +16528,21 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
14527
16528
  description: "Non-secret integration descriptors are rewritten into each tenant."
14528
16529
  },
14529
16530
  {
14530
- component: "identity",
16531
+ component: "control-plane",
14531
16532
  table: "tenantModelSlotBindings",
14532
16533
  prepopulation: "runtime_secret",
14533
16534
  copyMode: "none",
14534
16535
  description: "Tenant model slot bindings reference provider secrets and are runtime-only."
14535
16536
  },
14536
16537
  {
14537
- component: "identity",
16538
+ component: "control-plane",
16539
+ table: "tenantPermitSyncStates",
16540
+ prepopulation: "runtime_derived",
16541
+ copyMode: "none",
16542
+ description: "Tenant Permit sync state rows are runtime reconciliation state."
16543
+ },
16544
+ {
16545
+ component: "control-plane",
14538
16546
  table: "tenantPolicies",
14539
16547
  prepopulation: "required_template",
14540
16548
  copyMode: "template_tenant_rewrite",
@@ -14543,42 +16551,42 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
14543
16551
  description: "Default tenant policy roles are rewritten during bootstrap."
14544
16552
  },
14545
16553
  {
14546
- component: "identity",
16554
+ component: "control-plane",
14547
16555
  table: "tenantProviderSecrets",
14548
16556
  prepopulation: "runtime_secret",
14549
16557
  copyMode: "none",
14550
16558
  description: "Provider secrets are credentials and must never be copied."
14551
16559
  },
14552
16560
  {
14553
- component: "identity",
16561
+ component: "control-plane",
14554
16562
  table: "tenantProxyGatewayUsage",
14555
16563
  prepopulation: "runtime_log",
14556
16564
  copyMode: "none",
14557
16565
  description: "Proxy gateway usage rows are runtime telemetry."
14558
16566
  },
14559
16567
  {
14560
- component: "identity",
16568
+ component: "control-plane",
14561
16569
  table: "tenantProxyTokenMints",
14562
16570
  prepopulation: "runtime_secret",
14563
16571
  copyMode: "none",
14564
16572
  description: "Proxy token mints are ephemeral secret-bearing runtime rows."
14565
16573
  },
14566
16574
  {
14567
- component: "identity",
16575
+ component: "control-plane",
14568
16576
  table: "tenantSandboxAuditEvents",
14569
16577
  prepopulation: "runtime_log",
14570
16578
  copyMode: "none",
14571
16579
  description: "Sandbox audit rows are runtime security logs."
14572
16580
  },
14573
16581
  {
14574
- component: "identity",
16582
+ component: "control-plane",
14575
16583
  table: "tenantSecrets",
14576
16584
  prepopulation: "runtime_secret",
14577
16585
  copyMode: "none",
14578
16586
  description: "Tenant secrets are credentials and must never be copied."
14579
16587
  },
14580
16588
  {
14581
- component: "identity",
16589
+ component: "control-plane",
14582
16590
  table: "toolAcls",
14583
16591
  prepopulation: "required_template",
14584
16592
  copyMode: "template_global",
@@ -14587,7 +16595,7 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
14587
16595
  description: "Default role-to-tool grants are required for SDK/MCP tool access."
14588
16596
  },
14589
16597
  {
14590
- component: "identity",
16598
+ component: "control-plane",
14591
16599
  table: "toolRegistry",
14592
16600
  prepopulation: "required_template",
14593
16601
  copyMode: "template_global",
@@ -14596,7 +16604,7 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
14596
16604
  description: "Core tool catalog rows are required before pack or tenant tools exist."
14597
16605
  },
14598
16606
  {
14599
- component: "identity",
16607
+ component: "control-plane",
14600
16608
  table: "users",
14601
16609
  prepopulation: "runtime_bootstrap",
14602
16610
  copyMode: "none",