@lucern/events 0.3.0-alpha.10 → 0.3.0-alpha.12

package/dist/index.js CHANGED
@@ -26,6 +26,20 @@ function matchesAnyEventPattern(eventType, patterns) {
26
26
  return patterns.some((pattern) => matchesEventPattern(eventType, pattern));
27
27
  }
28
28
 
29
+ // ../contracts/src/types/reasoning-method.ts
30
+ var REASONING_METHODS = [
31
+ "deductive",
32
+ "inductive",
33
+ "abductive",
34
+ "analogical",
35
+ "causal",
36
+ "correlational",
37
+ "testimonial",
38
+ "statistical",
39
+ "implicit",
40
+ "pattern_match"
41
+ ];
42
+
29
43
  // ../contracts/src/graph-intelligence.contract.ts
30
44
  var GRAPH_INTELLIGENCE_MODE_TOOL_NAMES = {
31
45
  core: [
@@ -847,7 +861,7 @@ defineTable({
847
861
  });
848
862
  defineTable({
849
863
  name: "agents",
850
- component: "identity",
864
+ component: "control-plane",
851
865
  category: "agent",
852
866
  shape: z.object({
853
867
  "slug": z.string(),
@@ -878,6 +892,7 @@ defineTable({
878
892
  category: "tenant",
879
893
  shape: z.object({
880
894
  "tenantId": idOf("tenants"),
895
+ "workspaceId": idOf("workspaces").optional(),
881
896
  "keyPrefix": z.enum(["luc", "stk"]),
882
897
  "keyHash": z.string(),
883
898
  "keyHint": z.string(),
@@ -905,7 +920,7 @@ defineTable({
905
920
  shape: z.object({
906
921
  "tenantId": idOf("tenants").optional(),
907
922
  "apiKeyId": idOf("apiKeys").optional(),
908
- "action": z.enum(["key_created", "key_revoked", "key_expired", "key_used", "tenant_secret_created", "tenant_secret_rotated", "tenant_secret_revoked", "tenant_slot_binding_upserted", "tenant_slot_binding_revoked", "proxy_token_minted", "proxy_request_recorded", "tenant_created", "tenant_updated", "tenant_suspended", "tenant_archived", "tenant_reactivated", "principal_created", "principal_updated", "principal_suspended", "membership_created", "membership_updated", "membership_revoked", "group_created", "group_updated", "group_deleted", "group_member_added", "group_member_removed", "workspace_created", "workspace_updated", "workspace_archived", "workspace_deployment_set", "workspace_deployment_removed", "service_key_created", "service_key_rotated", "service_key_revoked", "service_key_used", "service_key_auth_failed", "session_created", "session_validated", "session_revoked", "session_cascade_revoked", "session_expired", "sandbox_created", "sandbox_secret_injected", "sandbox_execution_started", "sandbox_execution_completed", "sandbox_limit_violated", "policy_created", "policy_updated", "policy_enforced", "policy_archived", "agent_registered", "agent_updated", "tool_registered", "tool_updated", "pack_entitled", "pack_installed", "pack_enabled", "pack_disabled", "pack_entitlement_revoked", "pack_upgraded", "pack_upgrade_committed", "pack_upgrade_rolled_back", "pack_group_assigned", "pack_group_unassigned", "methodology_pack_created", "methodology_pack_updated", "methodology_pack_assigned", "methodology_pack_removed", "pack_assigned_to_group", "pack_revoked_from_group", "pack_ontology_materialized", "pack_ontology_topic_bound", "cutover_flag_set", "cutover_flag_cleared"]),
923
+ "action": z.enum(["key_created", "key_revoked", "key_expired", "key_used", "tenant_secret_created", "tenant_secret_rotated", "tenant_secret_revoked", "tenant_slot_binding_upserted", "tenant_slot_binding_revoked", "proxy_token_minted", "proxy_token_lease_issued", "proxy_token_lease_renewed", "proxy_token_lease_revoked", "proxy_request_recorded", "tenant_created", "tenant_updated", "tenant_suspended", "tenant_archived", "tenant_reactivated", "principal_created", "principal_updated", "principal_suspended", "principal_identity_alias_upserted", "principal_identity_alias_revoked", "membership_created", "membership_updated", "membership_revoked", "group_created", "group_updated", "group_deleted", "group_member_added", "group_member_removed", "workspace_created", "workspace_updated", "workspace_archived", "workspace_deployment_set", "workspace_deployment_removed", "deployment_host_registered", "deployment_host_revoked", "service_key_created", "service_key_rotated", "service_key_revoked", "service_key_used", "service_key_auth_failed", "session_created", "session_validated", "session_revoked", "session_cascade_revoked", "session_expired", "sandbox_created", "sandbox_secret_injected", "sandbox_execution_started", "sandbox_execution_completed", "sandbox_limit_violated", "policy_created", "policy_updated", "policy_enforced", "policy_archived", "permit_sync_enqueued", "permit_sync_succeeded", "permit_sync_failed", "permit_sync_skipped", "agent_registered", "agent_updated", "tool_registered", "tool_updated", "pack_entitled", "pack_installed", "pack_enabled", "pack_disabled", "pack_entitlement_revoked", "pack_upgraded", "pack_upgrade_committed", "pack_upgrade_rolled_back", "pack_group_assigned", "pack_group_unassigned", "methodology_pack_created", "methodology_pack_updated", "methodology_pack_assigned", "methodology_pack_removed", "pack_assigned_to_group", "pack_revoked_from_group", "pack_ontology_materialized", "pack_ontology_topic_bound", "cutover_flag_set", 
"cutover_flag_cleared"]),
909
924
  "actorClerkId": z.string(),
910
925
  "details": z.any().optional(),
911
926
  "createdAt": z.number()
@@ -1784,29 +1799,37 @@ defineTable({
1784
1799
  component: "mc",
1785
1800
  category: "runtime",
1786
1801
  shape: z.object({
1787
- "shimId": z.string(),
1788
- "gateId": z.string(),
1789
- "removalDate": z.string(),
1790
- "removalPriority": z.enum(["P1", "P2", "P3"]),
1791
- "description": z.string(),
1792
- "owner": z.string(),
1793
- "createdAt": z.string(),
1794
- "status": z.enum(["active", "overdue", "removed"]),
1795
- "bridgeType": z.enum(["tool", "agent"]),
1796
- "bridgeTarget": z.object({
1797
- "type": z.enum(["tool", "agent"]),
1798
- "legacyPath": z.string(),
1799
- "harnessPath": z.string()
1802
+ shimId: z.string(),
1803
+ gateId: z.string(),
1804
+ removalDate: z.string(),
1805
+ removalPriority: z.enum(["P1", "P2", "P3"]),
1806
+ description: z.string(),
1807
+ owner: z.string(),
1808
+ createdAt: z.string(),
1809
+ status: z.enum(["active", "overdue", "removed"]),
1810
+ bridgeType: z.enum(["tool", "agent"]),
1811
+ bridgeTarget: z.object({
1812
+ type: z.enum(["tool", "agent"]),
1813
+ legacyPath: z.string(),
1814
+ harnessPath: z.string()
1800
1815
  }),
1801
- "shimBehavior": z.enum(["passthrough_with_logging", "adapter", "feature_flag_gate"]),
1802
- "producesLedgerEntries": z.boolean(),
1803
- "lastAuditedAt": z.number(),
1804
- "metadata": z.record(z.any()).optional()
1816
+ shimBehavior: z.enum([
1817
+ "passthrough_with_logging",
1818
+ "adapter",
1819
+ "feature_flag_gate"
1820
+ ]),
1821
+ producesLedgerEntries: z.boolean(),
1822
+ lastAuditedAt: z.number(),
1823
+ metadata: z.record(z.any()).optional()
1805
1824
  }),
1806
1825
  indices: [
1807
1826
  { kind: "index", name: "by_shimId", columns: ["shimId"] },
1808
1827
  { kind: "index", name: "by_status", columns: ["status"] },
1809
- { kind: "index", name: "by_bridgeType_status", columns: ["bridgeType", "status"] }
1828
+ {
1829
+ kind: "index",
1830
+ name: "by_bridgeType_status",
1831
+ columns: ["bridgeType", "status"]
1832
+ }
1810
1833
  ]
1811
1834
  });
1812
1835
  defineTable({
@@ -1814,12 +1837,23 @@ defineTable({
1814
1837
  component: "mc",
1815
1838
  category: "runtime",
1816
1839
  shape: z.object({
1817
- "domain": z.enum(["graph", "schema", "identity", "policy", "audit", "admin", "agent", "tool", "prompt", "intelligence"]),
1818
- "state": z.enum(["legacy", "cutover", "disabled"]),
1819
- "metadata": z.record(z.any()).optional(),
1820
- "updatedBy": z.string(),
1821
- "createdAt": z.number(),
1822
- "updatedAt": z.number()
1840
+ domain: z.enum([
1841
+ "graph",
1842
+ "schema",
1843
+ "identity",
1844
+ "policy",
1845
+ "audit",
1846
+ "admin",
1847
+ "agent",
1848
+ "tool",
1849
+ "prompt",
1850
+ "intelligence"
1851
+ ]),
1852
+ state: z.enum(["legacy", "cutover", "disabled"]),
1853
+ metadata: z.record(z.any()).optional(),
1854
+ updatedBy: z.string(),
1855
+ createdAt: z.number(),
1856
+ updatedAt: z.number()
1823
1857
  }),
1824
1858
  indices: [
1825
1859
  { kind: "index", name: "by_domain", columns: ["domain"] },
@@ -1831,57 +1865,193 @@ defineTable({
1831
1865
  component: "mc",
1832
1866
  category: "runtime",
1833
1867
  shape: z.object({
1834
- "credentialRef": z.string(),
1835
- "tenantId": idOf("tenants"),
1836
- "target": z.enum(["kernelDeployment", "appDeployment"]),
1837
- "environment": z.enum(["dev", "staging", "prod"]),
1838
- "encryptedDeployKey": z.string(),
1839
- "encryptionVersion": z.string(),
1840
- "keyFingerprint": z.string(),
1841
- "keyHint": z.string(),
1842
- "status": z.enum(["active", "revoked"]),
1843
- "rotatedFromCredentialRef": z.string().optional(),
1844
- "revokedAt": z.number().optional(),
1845
- "revokedBy": z.string().optional(),
1846
- "lastUsedAt": z.number().optional(),
1847
- "metadata": z.record(z.any()).optional(),
1848
- "createdBy": z.string(),
1849
- "createdAt": z.number(),
1850
- "updatedAt": z.number()
1868
+ credentialRef: z.string(),
1869
+ tenantId: idOf("tenants"),
1870
+ workspaceId: idOf("workspaces").optional(),
1871
+ target: z.enum(["kernelDeployment", "appDeployment"]),
1872
+ environment: z.enum(["dev", "staging", "prod"]),
1873
+ encryptedDeployKey: z.string(),
1874
+ encryptionVersion: z.string(),
1875
+ keyFingerprint: z.string(),
1876
+ keyHint: z.string(),
1877
+ status: z.enum(["active", "revoked"]),
1878
+ rotatedFromCredentialRef: z.string().optional(),
1879
+ revokedAt: z.number().optional(),
1880
+ revokedBy: z.string().optional(),
1881
+ lastUsedAt: z.number().optional(),
1882
+ metadata: z.record(z.any()).optional(),
1883
+ createdBy: z.string(),
1884
+ createdAt: z.number(),
1885
+ updatedAt: z.number()
1851
1886
  }),
1852
1887
  indices: [
1853
1888
  { kind: "index", name: "by_credentialRef", columns: ["credentialRef"] },
1854
1889
  { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
1855
- { kind: "index", name: "by_tenant_target", columns: ["tenantId", "target"] },
1856
- { kind: "index", name: "by_tenant_target_environment", columns: ["tenantId", "target", "environment"] },
1857
- { kind: "index", name: "by_tenant_target_environment_status", columns: ["tenantId", "target", "environment", "status"] },
1890
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
1891
+ {
1892
+ kind: "index",
1893
+ name: "by_tenant_target",
1894
+ columns: ["tenantId", "target"]
1895
+ },
1896
+ {
1897
+ kind: "index",
1898
+ name: "by_tenant_target_environment",
1899
+ columns: ["tenantId", "target", "environment"]
1900
+ },
1901
+ {
1902
+ kind: "index",
1903
+ name: "by_tenant_target_environment_status",
1904
+ columns: ["tenantId", "target", "environment", "status"]
1905
+ },
1906
+ {
1907
+ kind: "index",
1908
+ name: "by_tenant_workspace_target_environment_status",
1909
+ columns: ["tenantId", "workspaceId", "target", "environment", "status"]
1910
+ },
1858
1911
  { kind: "index", name: "by_status", columns: ["status"] }
1859
1912
  ]
1860
1913
  });
1914
+ defineTable({
1915
+ name: "permitSyncStates",
1916
+ component: "mc",
1917
+ category: "runtime",
1918
+ shape: z.object({
1919
+ syncKey: z.string(),
1920
+ objectType: z.enum([
1921
+ "resource",
1922
+ "role",
1923
+ "resource_role",
1924
+ "resource_relation",
1925
+ "tenant",
1926
+ "workspace",
1927
+ "principal",
1928
+ "membership",
1929
+ "group",
1930
+ "resource_instance",
1931
+ "relationship_tuple",
1932
+ "role_assignment"
1933
+ ]),
1934
+ objectId: z.string(),
1935
+ tenantId: idOf("tenants").optional(),
1936
+ workspaceId: idOf("workspaces").optional(),
1937
+ principalId: z.string().optional(),
1938
+ permitTenantKey: z.string().optional(),
1939
+ permitResourceType: z.string().optional(),
1940
+ permitResourceKey: z.string().optional(),
1941
+ desiredPayload: z.record(z.any()),
1942
+ lastAppliedPayloadHash: z.string().optional(),
1943
+ status: z.enum(["pending", "synced", "error", "skipped"]),
1944
+ attemptCount: z.number(),
1945
+ lastError: z.string().optional(),
1946
+ nextAttemptAt: z.number().optional(),
1947
+ lastSyncedAt: z.number().optional(),
1948
+ createdBy: z.string(),
1949
+ updatedBy: z.string().optional(),
1950
+ createdAt: z.number(),
1951
+ updatedAt: z.number()
1952
+ }),
1953
+ indices: [
1954
+ { kind: "index", name: "by_syncKey", columns: ["syncKey"] },
1955
+ { kind: "index", name: "by_status", columns: ["status"] },
1956
+ {
1957
+ kind: "index",
1958
+ name: "by_tenant_status",
1959
+ columns: ["tenantId", "status"]
1960
+ },
1961
+ {
1962
+ kind: "index",
1963
+ name: "by_workspace_status",
1964
+ columns: ["workspaceId", "status"]
1965
+ },
1966
+ {
1967
+ kind: "index",
1968
+ name: "by_principal_status",
1969
+ columns: ["principalId", "status"]
1970
+ }
1971
+ ]
1972
+ });
1973
+ defineTable({
1974
+ name: "secretSyncDriftReports",
1975
+ component: "mc",
1976
+ category: "runtime",
1977
+ shape: z.object({
1978
+ reportId: z.string(),
1979
+ source: z.enum(["infisical_manifest", "manual", "ci"]),
1980
+ generatedAt: z.number(),
1981
+ recordedAt: z.number(),
1982
+ recordedBy: z.string(),
1983
+ status: z.enum([
1984
+ "in_sync",
1985
+ "drift",
1986
+ "exception",
1987
+ "blocked",
1988
+ "not_observed"
1989
+ ]),
1990
+ reportHash: z.string(),
1991
+ manifestHash: z.string().optional(),
1992
+ dryRunReceiptId: z.string().optional(),
1993
+ appliedReceiptId: z.string().optional(),
1994
+ summary: z.object({
1995
+ totalPipelines: z.number(),
1996
+ inSync: z.number(),
1997
+ drift: z.number(),
1998
+ exception: z.number(),
1999
+ blocked: z.number(),
2000
+ notObserved: z.number(),
2001
+ missingKeys: z.number(),
2002
+ valueDriftKeys: z.number(),
2003
+ extraKeys: z.number(),
2004
+ deniedConvexLeakage: z.number(),
2005
+ approvedExceptions: z.number()
2006
+ }),
2007
+ redactedReport: z.record(z.any()),
2008
+ metadata: z.record(z.any()).optional()
2009
+ }),
2010
+ indices: [
2011
+ { kind: "index", name: "by_reportId", columns: ["reportId"] },
2012
+ { kind: "index", name: "by_reportHash", columns: ["reportHash"] },
2013
+ { kind: "index", name: "by_generatedAt", columns: ["generatedAt"] },
2014
+ {
2015
+ kind: "index",
2016
+ name: "by_status_generatedAt",
2017
+ columns: ["status", "generatedAt"]
2018
+ }
2019
+ ]
2020
+ });
1861
2021
  defineTable({
1862
2022
  name: "controlPlaneTenantModelSlotBindings",
1863
2023
  component: "mc",
1864
2024
  category: "runtime",
1865
2025
  shape: z.object({
1866
- "bindingId": z.string(),
1867
- "tenantId": idOf("tenants"),
1868
- "providerId": z.string(),
1869
- "modelSlotId": z.string(),
1870
- "secretRef": z.string(),
1871
- "status": z.enum(["active", "revoked"]),
1872
- "passThroughOnly": z.boolean(),
1873
- "revokedAt": z.number().optional(),
1874
- "revokedBy": z.string().optional(),
1875
- "metadata": z.record(z.any()).optional(),
1876
- "createdBy": z.string(),
1877
- "createdAt": z.number(),
1878
- "updatedAt": z.number()
2026
+ bindingId: z.string(),
2027
+ tenantId: idOf("tenants"),
2028
+ workspaceId: idOf("workspaces").optional(),
2029
+ environment: z.enum(["dev", "staging", "prod"]).optional(),
2030
+ providerId: z.string(),
2031
+ modelSlotId: z.string(),
2032
+ secretRef: z.string(),
2033
+ status: z.enum(["active", "revoked"]),
2034
+ passThroughOnly: z.boolean(),
2035
+ revokedAt: z.number().optional(),
2036
+ revokedBy: z.string().optional(),
2037
+ metadata: z.record(z.any()).optional(),
2038
+ createdBy: z.string(),
2039
+ createdAt: z.number(),
2040
+ updatedAt: z.number()
1879
2041
  }),
1880
2042
  indices: [
1881
2043
  { kind: "index", name: "by_bindingId", columns: ["bindingId"] },
1882
2044
  { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
1883
- { kind: "index", name: "by_tenant_slot", columns: ["tenantId", "modelSlotId"] },
1884
- { kind: "index", name: "by_tenant_provider_slot", columns: ["tenantId", "providerId", "modelSlotId"] },
2045
+ {
2046
+ kind: "index",
2047
+ name: "by_tenant_slot",
2048
+ columns: ["tenantId", "modelSlotId"]
2049
+ },
2050
+ {
2051
+ kind: "index",
2052
+ name: "by_tenant_provider_slot",
2053
+ columns: ["tenantId", "providerId", "modelSlotId"]
2054
+ },
1885
2055
  { kind: "index", name: "by_secretRef", columns: ["secretRef"] },
1886
2056
  { kind: "index", name: "by_status", columns: ["status"] }
1887
2057
  ]
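Review bot: `controlPlaneTenantModelSlotBindings` gains `workspaceId` and `environment`, but `by_tenant_slot` and `by_tenant_provider_slot` are only re-wrapped and still key on tenant, provider and slot, so a lookup through them returns bindings for every workspace and environment of the tenant. Unless each caller filters the result, a `dev` binding's `secretRef` could be resolved for a `prod` request; the resolver is not part of this diff, so that is an inference. I would add an index such as `{ kind: "index", name: "by_tenant_workspace_environment_slot", columns: ["tenantId", "workspaceId", "environment", "modelSlotId"] }` (name constructed here), mirroring the `by_tenant_workspace_target_environment_status` index added to the credentials table earlier in this hunk, plus a comment stating what an absent `workspaceId` or `environment` means. Separately, `redactedReport: z.record(z.any())` in `secretSyncDriftReports` is redacted by name only, so the writer has to guarantee that no secret values reach it.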
@@ -1891,29 +2061,42 @@ defineTable({
1891
2061
  component: "mc",
1892
2062
  category: "runtime",
1893
2063
  shape: z.object({
1894
- "secretRef": z.string(),
1895
- "tenantId": idOf("tenants"),
1896
- "providerId": z.string(),
1897
- "label": z.string().optional(),
1898
- "encryptedSecret": z.string(),
1899
- "encryptionVersion": z.string(),
1900
- "secretFingerprint": z.string(),
1901
- "keyHint": z.string(),
1902
- "status": z.enum(["active", "revoked"]),
1903
- "rotatedFromSecretRef": z.string().optional(),
1904
- "revokedAt": z.number().optional(),
1905
- "revokedBy": z.string().optional(),
1906
- "lastUsedAt": z.number().optional(),
1907
- "metadata": z.record(z.any()).optional(),
1908
- "createdBy": z.string(),
1909
- "createdAt": z.number(),
1910
- "updatedAt": z.number()
2064
+ secretRef: z.string(),
2065
+ tenantId: idOf("tenants"),
2066
+ workspaceId: idOf("workspaces").optional(),
2067
+ environment: z.enum(["dev", "staging", "prod"]).optional(),
2068
+ providerId: z.string(),
2069
+ label: z.string().optional(),
2070
+ encryptedSecret: z.string().optional(),
2071
+ infisicalPath: z.string().optional(),
2072
+ infisicalSecretKey: z.string().optional(),
2073
+ infisicalProjectId: z.string().optional(),
2074
+ encryptionVersion: z.string(),
2075
+ secretFingerprint: z.string(),
2076
+ keyHint: z.string(),
2077
+ status: z.enum(["active", "revoked"]),
2078
+ rotatedFromSecretRef: z.string().optional(),
2079
+ revokedAt: z.number().optional(),
2080
+ revokedBy: z.string().optional(),
2081
+ lastUsedAt: z.number().optional(),
2082
+ metadata: z.record(z.any()).optional(),
2083
+ createdBy: z.string(),
2084
+ createdAt: z.number(),
2085
+ updatedAt: z.number()
1911
2086
  }),
1912
2087
  indices: [
1913
2088
  { kind: "index", name: "by_secretRef", columns: ["secretRef"] },
1914
2089
  { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
1915
- { kind: "index", name: "by_tenant_provider", columns: ["tenantId", "providerId"] },
1916
- { kind: "index", name: "by_tenant_provider_status", columns: ["tenantId", "providerId", "status"] },
2090
+ {
2091
+ kind: "index",
2092
+ name: "by_tenant_provider",
2093
+ columns: ["tenantId", "providerId"]
2094
+ },
2095
+ {
2096
+ kind: "index",
2097
+ name: "by_tenant_provider_status",
2098
+ columns: ["tenantId", "providerId", "status"]
2099
+ },
1917
2100
  { kind: "index", name: "by_status", columns: ["status"] }
1918
2101
  ]
1919
2102
  });
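Review bot: With `encryptedSecret` now `z.string().optional()` and the three `infisical*` fields also optional, this shape accepts a row that carries neither stored secret material nor an external reference, as well as a row that carries both. The schema should state the invariant, e.g. `.refine((s) => (s.encryptedSecret !== undefined) !== (s.infisicalPath !== undefined && s.infisicalSecretKey !== undefined), "exactly one secret backend")` on the `z.object`; if `defineTable` cannot take a refined schema, the same check belongs in the write path with a comment here pointing to it. `encryptionVersion` and `secretFingerprint` stay required, so a comment should also say what they hold for an Infisical-backed row. The `defineTable` call opens above this hunk, so the table name is not visible here.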
@@ -1922,35 +2105,93 @@ defineTable({
1922
2105
  component: "mc",
1923
2106
  category: "runtime",
1924
2107
  shape: z.object({
1925
- "usageId": z.string(),
1926
- "tenantId": idOf("tenants"),
1927
- "providerId": z.string(),
1928
- "modelSlotId": z.string(),
1929
- "secretRef": z.string(),
1930
- "proxyTokenId": z.string(),
1931
- "sessionId": z.string(),
1932
- "principalId": z.string(),
1933
- "workspaceId": z.string().optional(),
1934
- "modelId": z.string().optional(),
1935
- "requestPath": z.string(),
1936
- "status": z.enum(["success", "error"]),
1937
- "responseStatus": z.number().optional(),
1938
- "inputTokens": z.number().optional(),
1939
- "outputTokens": z.number().optional(),
1940
- "tokenCount": z.number().optional(),
1941
- "latencyMs": z.number(),
1942
- "estimatedCostUsd": z.number().optional(),
1943
- "failureCode": z.string().optional(),
1944
- "metadata": z.record(z.any()).optional(),
1945
- "createdAt": z.number(),
1946
- "updatedAt": z.number()
2108
+ usageId: z.string(),
2109
+ tenantId: idOf("tenants"),
2110
+ providerId: z.string(),
2111
+ modelSlotId: z.string(),
2112
+ secretRef: z.string(),
2113
+ proxyTokenId: z.string(),
2114
+ sessionId: z.string(),
2115
+ principalId: z.string(),
2116
+ workspaceId: z.string().optional(),
2117
+ modelId: z.string().optional(),
2118
+ requestPath: z.string(),
2119
+ status: z.enum(["success", "error"]),
2120
+ responseStatus: z.number().optional(),
2121
+ inputTokens: z.number().optional(),
2122
+ outputTokens: z.number().optional(),
2123
+ tokenCount: z.number().optional(),
2124
+ latencyMs: z.number(),
2125
+ estimatedCostUsd: z.number().optional(),
2126
+ failureCode: z.string().optional(),
2127
+ metadata: z.record(z.any()).optional(),
2128
+ createdAt: z.number(),
2129
+ updatedAt: z.number()
1947
2130
  }),
1948
2131
  indices: [
1949
2132
  { kind: "index", name: "by_usageId", columns: ["usageId"] },
1950
2133
  { kind: "index", name: "by_tenantId", columns: ["tenantId", "createdAt"] },
1951
- { kind: "index", name: "by_tenant_provider", columns: ["tenantId", "providerId", "createdAt"] },
1952
- { kind: "index", name: "by_proxyTokenId", columns: ["proxyTokenId", "createdAt"] },
1953
- { kind: "index", name: "by_sessionId", columns: ["sessionId", "createdAt"] }
2134
+ {
2135
+ kind: "index",
2136
+ name: "by_tenant_provider",
2137
+ columns: ["tenantId", "providerId", "createdAt"]
2138
+ },
2139
+ {
2140
+ kind: "index",
2141
+ name: "by_proxyTokenId",
2142
+ columns: ["proxyTokenId", "createdAt"]
2143
+ },
2144
+ {
2145
+ kind: "index",
2146
+ name: "by_sessionId",
2147
+ columns: ["sessionId", "createdAt"]
2148
+ }
2149
+ ]
2150
+ });
2151
+ defineTable({
2152
+ name: "controlPlaneTenantProxyTokenLeases",
2153
+ component: "mc",
2154
+ category: "runtime",
2155
+ shape: z.object({
2156
+ leaseId: z.string(),
2157
+ proxyTokenId: z.string(),
2158
+ tenantId: idOf("tenants"),
2159
+ workspaceId: idOf("workspaces").optional(),
2160
+ environment: z.enum(["dev", "staging", "prod"]),
2161
+ providerId: z.string(),
2162
+ modelSlotId: z.string(),
2163
+ bindingId: z.string(),
2164
+ secretRef: z.string(),
2165
+ sessionId: z.string(),
2166
+ principalId: z.string(),
2167
+ agentSessionId: z.string().optional(),
2168
+ status: z.enum(["active", "revoked"]),
2169
+ expiresAt: z.number(),
2170
+ renewedAt: z.number().optional(),
2171
+ revokedAt: z.number().optional(),
2172
+ revokedBy: z.string().optional(),
2173
+ revokeReason: z.string().optional(),
2174
+ permitDecisionLogId: idOf("policyDecisionLogs").optional(),
2175
+ permitTraceId: z.string().optional(),
2176
+ metadata: z.record(z.any()).optional(),
2177
+ createdAt: z.number(),
2178
+ updatedAt: z.number()
2179
+ }),
2180
+ indices: [
2181
+ { kind: "index", name: "by_leaseId", columns: ["leaseId"] },
2182
+ { kind: "index", name: "by_proxyTokenId", columns: ["proxyTokenId"] },
2183
+ { kind: "index", name: "by_tenantId", columns: ["tenantId", "createdAt"] },
2184
+ { kind: "index", name: "by_sessionId", columns: ["sessionId", "createdAt"] },
2185
+ {
2186
+ kind: "index",
2187
+ name: "by_principalId",
2188
+ columns: ["principalId", "createdAt"]
2189
+ },
2190
+ {
2191
+ kind: "index",
2192
+ name: "by_status_expiresAt",
2193
+ columns: ["status", "expiresAt"]
2194
+ }
1954
2195
  ]
1955
2196
  });
1956
2197
  defineTable({
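Review bot: `controlPlaneTenantProxyTokenLeases.status` is only `"active"` or `"revoked"`, so a lease whose `expiresAt` has passed still reads as `active` unless something rewrites the row. Every reader therefore has to check both fields; the `by_status_expiresAt` index suggests that is the intent, but nothing in the shape says so. I would put a comment above `status`: `// "active" alone is not sufficient: a lease is valid only while status === "active" and expiresAt is in the future`. The code that validates a lease is not in this hunk, so whether it already makes both checks cannot be confirmed from here.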
@@ -2283,6 +2524,7 @@ defineTable({
2283
2524
  "questionType": z.enum(["validation", "falsification", "assumption_probe", "prediction_test", "counterfactual", "discovery", "clarification", "comparison", "causal", "mechanism", "general"]).optional(),
2284
2525
  "questionPriority": z.enum(["critical", "high", "medium", "low"]).optional(),
2285
2526
  "answerQuality": z.enum(["definitive", "strong", "moderate", "weak", "speculative", "unanswered"]).optional(),
2527
+ "themeStatus": z.enum(["emerging", "active", "mature", "declining", "archived"]).optional(),
2286
2528
  "themeConviction": z.enum(["high", "medium", "low", "negative"]).optional(),
2287
2529
  "decisionType": z.enum(["invest", "pass", "follow_on", "exit", "deep_dive", "monitor", "deprioritize", "thesis_adopt", "thesis_revise", "thesis_abandon"]).optional(),
2288
2530
  "decisionOutcome": z.enum(["pending", "successful", "unsuccessful", "mixed", "unknown"]).optional(),
@@ -2433,6 +2675,7 @@ defineTable({
2433
2675
  indices: [
2434
2676
  { kind: "index", name: "by_principalId", columns: ["principalId"] },
2435
2677
  { kind: "index", name: "by_principal_tenant", columns: ["principalId", "tenantId"] },
2678
+ { kind: "index", name: "by_principal_tenant_workspace", columns: ["principalId", "tenantId", "workspaceId"] },
2436
2679
  { kind: "index", name: "by_workspace_principal", columns: ["workspaceId", "principalId"] },
2437
2680
  { kind: "index", name: "by_tenant_role", columns: ["tenantId", "role"] },
2438
2681
  { kind: "index", name: "by_status", columns: ["status"] }
@@ -2464,6 +2707,36 @@ defineTable({
2464
2707
  { kind: "index", name: "by_status", columns: ["status"] }
2465
2708
  ]
2466
2709
  });
2710
+ defineTable({
2711
+ name: "principalIdentityAliases",
2712
+ component: "mc",
2713
+ category: "identity",
2714
+ shape: z.object({
2715
+ "principalId": z.string(),
2716
+ "principalRefId": idOf("principals").optional(),
2717
+ "provider": z.string(),
2718
+ "providerProjectId": z.string().optional(),
2719
+ "externalSubjectId": z.string(),
2720
+ "tenantId": idOf("tenants").optional(),
2721
+ "workspaceId": idOf("workspaces").optional(),
2722
+ "email": z.string().optional(),
2723
+ "status": z.enum(["active", "revoked"]),
2724
+ "metadata": z.record(z.any()).optional(),
2725
+ "createdBy": z.string(),
2726
+ "revokedAt": z.number().optional(),
2727
+ "revokedBy": z.string().optional(),
2728
+ "createdAt": z.number(),
2729
+ "updatedAt": z.number()
2730
+ }),
2731
+ indices: [
2732
+ { kind: "index", name: "by_provider_subject", columns: ["provider", "externalSubjectId"] },
2733
+ { kind: "index", name: "by_provider_project_subject", columns: ["provider", "providerProjectId", "externalSubjectId"] },
2734
+ { kind: "index", name: "by_principalId", columns: ["principalId"] },
2735
+ { kind: "index", name: "by_principal_status", columns: ["principalId", "status"] },
2736
+ { kind: "index", name: "by_tenant_provider_subject", columns: ["tenantId", "provider", "externalSubjectId"] },
2737
+ { kind: "index", name: "by_workspace_provider_subject", columns: ["workspaceId", "provider", "externalSubjectId"] }
2738
+ ]
2739
+ });
2467
2740
  defineTable({
2468
2741
  name: "rateLimitWindows",
2469
2742
  component: "mc",
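Review bot: `principalIdentityAliases` maps an external `(provider, externalSubjectId)` to a `principalId`, yet every entry under `indices` is `kind: "index"`, and `by_provider_subject` leaves out `providerProjectId`. If two projects of one provider can issue the same subject id, a lookup through that index returns aliases for both, and nothing visible here prevents two active aliases for one subject from pointing at different principals. The upsert path, which is outside this diff, has to enforce that, and a comment on the table should record it, for example `// invariant: at most one active alias per (provider, providerProjectId, externalSubjectId); resolve via by_provider_project_subject`. `provider` is a free `z.string()`, so casing or spelling variants become distinct keys; normalising it on write or using a `z.enum` would close that gap.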
@@ -3053,7 +3326,7 @@ defineTable({
3053
3326
  });
3054
3327
  defineTable({
3055
3328
  name: "mcpWritePolicy",
3056
- component: "identity",
3329
+ component: "control-plane",
3057
3330
  category: "platform",
3058
3331
  shape: z.object({
3059
3332
  "topicId": z.string().optional(),
@@ -3076,7 +3349,7 @@ defineTable({
3076
3349
  });
3077
3350
  defineTable({
3078
3351
  name: "platformAudienceGrants",
3079
- component: "identity",
3352
+ component: "control-plane",
3080
3353
  category: "platform",
3081
3354
  shape: z.object({
3082
3355
  "tenantId": z.string(),
@@ -3102,7 +3375,7 @@ defineTable({
3102
3375
  });
3103
3376
  defineTable({
3104
3377
  name: "platformAudiences",
3105
- component: "identity",
3378
+ component: "control-plane",
3106
3379
  category: "platform",
3107
3380
  shape: z.object({
3108
3381
  "tenantId": z.string(),
@@ -3127,7 +3400,7 @@ defineTable({
3127
3400
  });
3128
3401
  defineTable({
3129
3402
  name: "platformPolicyDecisionLogs",
3130
- component: "identity",
3403
+ component: "control-plane",
3131
3404
  category: "platform",
3132
3405
  shape: z.object({
3133
3406
  "principalId": z.string(),
@@ -3163,7 +3436,7 @@ defineTable({
3163
3436
  });
3164
3437
  defineTable({
3165
3438
  name: "tenantApiKeys",
3166
- component: "identity",
3439
+ component: "control-plane",
3167
3440
  category: "platform",
3168
3441
  shape: z.object({
3169
3442
  "tenantId": z.string(),
@@ -3190,7 +3463,7 @@ defineTable({
3190
3463
  });
3191
3464
  defineTable({
3192
3465
  name: "tenantConfig",
3193
- component: "identity",
3466
+ component: "control-plane",
3194
3467
  category: "platform",
3195
3468
  shape: z.object({
3196
3469
  "tenantId": z.string(),
@@ -3209,7 +3482,7 @@ defineTable({
3209
3482
  });
3210
3483
  defineTable({
3211
3484
  name: "tenantIntegrations",
3212
- component: "identity",
3485
+ component: "control-plane",
3213
3486
  category: "platform",
3214
3487
  shape: z.object({
3215
3488
  "tenantId": z.string(),
@@ -3264,7 +3537,7 @@ defineTable({
3264
3537
  });
3265
3538
  defineTable({
3266
3539
  name: "tenantModelSlotBindings",
3267
- component: "identity",
3540
+ component: "control-plane",
3268
3541
  category: "platform",
3269
3542
  shape: z.object({
3270
3543
  "bindingId": z.string(),
@@ -3292,7 +3565,7 @@ defineTable({
3292
3565
  });
3293
3566
  defineTable({
3294
3567
  name: "tenantPolicies",
3295
- component: "identity",
3568
+ component: "control-plane",
3296
3569
  category: "platform",
3297
3570
  shape: z.object({
3298
3571
  "tenantId": z.string(),
@@ -3317,7 +3590,7 @@ defineTable({
3317
3590
  });
3318
3591
  defineTable({
3319
3592
  name: "tenantProviderSecrets",
3320
- component: "identity",
3593
+ component: "control-plane",
3321
3594
  category: "platform",
3322
3595
  shape: z.object({
3323
3596
  "secretRef": z.string(),
@@ -3348,7 +3621,7 @@ defineTable({
3348
3621
  });
3349
3622
  defineTable({
3350
3623
  name: "tenantProxyGatewayUsage",
3351
- component: "identity",
3624
+ component: "control-plane",
3352
3625
  category: "platform",
3353
3626
  shape: z.object({
3354
3627
  "usageId": z.string(),
@@ -3383,7 +3656,7 @@ defineTable({
3383
3656
  });
3384
3657
  defineTable({
3385
3658
  name: "tenantProxyTokenMints",
3386
- component: "identity",
3659
+ component: "control-plane",
3387
3660
  category: "platform",
3388
3661
  shape: z.object({
3389
3662
  "proxyTokenId": z.string(),
@@ -3406,7 +3679,7 @@ defineTable({
3406
3679
  });
3407
3680
  defineTable({
3408
3681
  name: "tenantSandboxAuditEvents",
3409
- component: "identity",
3682
+ component: "control-plane",
3410
3683
  category: "platform",
3411
3684
  shape: z.object({
3412
3685
  "eventId": z.string(),
@@ -3440,7 +3713,7 @@ defineTable({
3440
3713
  });
3441
3714
  defineTable({
3442
3715
  name: "tenantSecrets",
3443
- component: "identity",
3716
+ component: "control-plane",
3444
3717
  category: "platform",
3445
3718
  shape: z.object({
3446
3719
  "tenantId": z.string(),
@@ -3462,7 +3735,7 @@ defineTable({
3462
3735
  });
3463
3736
  defineTable({
3464
3737
  name: "toolAcls",
3465
- component: "identity",
3738
+ component: "control-plane",
3466
3739
  category: "platform",
3467
3740
  shape: z.object({
3468
3741
  "role": z.enum(["platform_admin", "tenant_admin", "workspace_admin", "editor", "viewer", "auditor", "service_agent"]),
@@ -3477,7 +3750,7 @@ defineTable({
3477
3750
  });
3478
3751
  defineTable({
3479
3752
  name: "toolRegistry",
3480
- component: "identity",
3753
+ component: "control-plane",
3481
3754
  category: "platform",
3482
3755
  shape: z.object({
3483
3756
  "toolName": z.string(),
@@ -3558,7 +3831,7 @@ defineTable({
3558
3831
  });
3559
3832
  defineTable({
3560
3833
  name: "modelCallLogs",
3561
- component: "identity",
3834
+ component: "control-plane",
3562
3835
  category: "model",
3563
3836
  shape: z.object({
3564
3837
  "slot": z.string(),
@@ -3584,7 +3857,7 @@ defineTable({
3584
3857
  });
3585
3858
  defineTable({
3586
3859
  name: "modelFunctionSlots",
3587
- component: "identity",
3860
+ component: "control-plane",
3588
3861
  category: "model",
3589
3862
  shape: z.object({
3590
3863
  "slot": z.string(),
@@ -3609,7 +3882,7 @@ defineTable({
3609
3882
  });
3610
3883
  defineTable({
3611
3884
  name: "modelRegistry",
3612
- component: "identity",
3885
+ component: "control-plane",
3613
3886
  category: "model",
3614
3887
  shape: z.object({
3615
3888
  "key": z.string(),
@@ -3636,7 +3909,7 @@ defineTable({
3636
3909
  });
3637
3910
  defineTable({
3638
3911
  name: "modelSlotConfigs",
3639
- component: "identity",
3912
+ component: "control-plane",
3640
3913
  category: "model",
3641
3914
  shape: z.object({
3642
3915
  "slot": z.string(),
@@ -4023,7 +4296,7 @@ defineTable({
4023
4296
  "workspaceId": idOf("workspaces").optional(),
4024
4297
  "resourceType": z.string(),
4025
4298
  "resourceId": z.string(),
4026
- "action": z.enum(["read", "summarize", "export", "mutate", "admin", "comment", "escalate", "resolve", "vote"]),
4299
+ "action": z.enum(["read", "summarize", "export", "mutate", "admin", "comment", "escalate", "resolve", "vote", "route", "invoke", "manage", "deploy", "promote", "rollback", "audit", "read_ref", "fetch_value", "rotate", "administer", "mint", "delegate", "revoke"]),
4027
4300
  "decision": z.enum(["allow", "deny"]),
4028
4301
  "reasonCode": z.string(),
4029
4302
  "policyVersion": z.string(),
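Review bot: The widened `action` enum now carries three near-synonymous administrative verbs, `"admin"`, `"manage"` and `"administer"`, and nothing on this line says how they differ. This shape also records `decision`, `reasonCode` and `policyVersion`, so a rule or audit query written against one verb can silently miss the other two. I would add a comment above the enum in the contract source that states the intended scope of each verb, or collapse the duplicates before the vocabulary is relied on. The enclosing defineTable call starts and ends outside this hunk.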
@@ -4085,7 +4358,7 @@ defineTable({
4085
4358
  });
4086
4359
  defineTable({
4087
4360
  name: "projectGrants",
4088
- component: "identity",
4361
+ component: "control-plane",
4089
4362
  category: "project",
4090
4363
  shape: z.object({
4091
4364
  "projectId": z.string().optional(),
@@ -4117,9 +4390,650 @@ defineTable({
4117
4390
  { kind: "index", name: "by_topic_cluster_status", columns: ["topicId", "beliefClusterId", "status"] }
4118
4391
  ]
4119
4392
  });
4393
+ var permitActorType = z.enum([
4394
+ "human",
4395
+ "agent",
4396
+ "service_principal",
4397
+ "external_stakeholder",
4398
+ "system"
4399
+ ]);
4400
+ var permitMembershipStatus = z.enum([
4401
+ "active",
4402
+ "invited",
4403
+ "revoked",
4404
+ "suspended",
4405
+ "disabled"
4406
+ ]);
4407
+ var permitDecision = z.enum(["allow", "deny"]);
4408
+ var permitAccessReviewStatus = z.enum([
4409
+ "open",
4410
+ "in_progress",
4411
+ "approved",
4412
+ "denied",
4413
+ "expired",
4414
+ "cancelled"
4415
+ ]);
4416
+ var permitReviewScope = z.enum([
4417
+ "tenant",
4418
+ "workspace",
4419
+ "resource_instance",
4420
+ "group",
4421
+ "principal",
4422
+ "api_key",
4423
+ "admin_action"
4424
+ ]);
4425
+ var permitRecordStatus = z.enum([
4426
+ "queued",
4427
+ "inflight",
4428
+ "completed",
4429
+ "failed",
4430
+ "skipped",
4431
+ "stale"
4432
+ ]);
4433
+ var permitObjectType = z.enum([
4434
+ "resource",
4435
+ "role",
4436
+ "resource_role",
4437
+ "resource_relation",
4438
+ "tenant",
4439
+ "workspace",
4440
+ "principal",
4441
+ "membership",
4442
+ "group",
4443
+ "resource_instance",
4444
+ "relationship_tuple",
4445
+ "role_assignment",
4446
+ "attribute_binding",
4447
+ "policy_bundle"
4448
+ ]);
4449
+ var permitOutboxOperation = z.enum([
4450
+ "upsert",
4451
+ "delete",
4452
+ "sync",
4453
+ "resync",
4454
+ "delete_sync",
4455
+ "noop"
4456
+ ]);
4457
+ var permitPolicyBundleStatus = z.enum([
4458
+ "draft",
4459
+ "validated",
4460
+ "enforced",
4461
+ "archived"
4462
+ ]);
4463
+ var permitSyncStatus = z.enum([
4464
+ "pending",
4465
+ "synced",
4466
+ "error",
4467
+ "skipped"
4468
+ ]);
4469
+ var permitAccessReviewSubjectType = z.enum([
4470
+ "principal",
4471
+ "group",
4472
+ "role_assignment",
4473
+ "resource_instance"
4474
+ ]);
4475
+ var permitAttributeType = z.enum([
4476
+ "string",
4477
+ "number",
4478
+ "bool",
4479
+ "json",
4480
+ "time"
4481
+ ]);
4482
+ var permitAttributeOperator = z.enum([
4483
+ "eq",
4484
+ "neq",
4485
+ "in",
4486
+ "not_in",
4487
+ "gt",
4488
+ "gte",
4489
+ "lt",
4490
+ "lte",
4491
+ "contains",
4492
+ "not_contains",
4493
+ "matches"
4494
+ ]);
4495
+ var permitRoleBindingTarget = z.enum([
4496
+ "principal",
4497
+ "group"
4498
+ ]);
4499
+ defineTable({
4500
+ name: "permitPrincipals",
4501
+ component: "control-plane",
4502
+ category: "access-control",
4503
+ shape: z.object({
4504
+ principalId: z.string(),
4505
+ tenantId: z.string(),
4506
+ workspaceId: z.optional(z.string()),
4507
+ principalType: permitActorType,
4508
+ status: permitMembershipStatus,
4509
+ displayName: z.string().optional(),
4510
+ metadata: z.record(z.any()).optional(),
4511
+ createdBy: z.string(),
4512
+ createdAt: z.number(),
4513
+ updatedAt: z.number(),
4514
+ updatedBy: z.string().optional(),
4515
+ lastSeenAt: z.number().optional()
4516
+ }),
4517
+ indices: [
4518
+ { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
4519
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
4520
+ { kind: "index", name: "by_tenant_principalId", columns: ["tenantId", "principalId"] },
4521
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] },
4522
+ {
4523
+ kind: "index",
4524
+ name: "by_tenant_principalType_status",
4525
+ columns: ["tenantId", "principalType", "status"]
4526
+ }
4527
+ ]
4528
+ });
4529
+ defineTable({
4530
+ name: "permitPrincipalAliases",
4531
+ component: "control-plane",
4532
+ category: "access-control",
4533
+ shape: z.object({
4534
+ principalId: z.string(),
4535
+ tenantId: z.string(),
4536
+ workspaceId: z.optional(z.string()),
4537
+ provider: z.string(),
4538
+ providerSubjectId: z.string(),
4539
+ providerProjectId: z.string().optional(),
4540
+ alias: z.string(),
4541
+ aliasKind: z.string(),
4542
+ status: permitMembershipStatus,
4543
+ metadata: z.record(z.any()).optional(),
4544
+ createdBy: z.string(),
4545
+ createdAt: z.number(),
4546
+ updatedAt: z.number(),
4547
+ revokedBy: z.string().optional(),
4548
+ revokedAt: z.number().optional(),
4549
+ updatedBy: z.string().optional()
4550
+ }),
4551
+ indices: [
4552
+ { kind: "index", name: "by_principalId", columns: ["principalId"] },
4553
+ { kind: "index", name: "by_tenant_provider_subject", columns: ["tenantId", "provider", "providerSubjectId"] },
4554
+ {
4555
+ kind: "index",
4556
+ name: "by_tenant_provider_alias",
4557
+ columns: ["tenantId", "provider", "alias"]
4558
+ },
4559
+ { kind: "index", name: "by_tenant_alias", columns: ["tenantId", "alias"] },
4560
+ {
4561
+ kind: "index",
4562
+ name: "by_tenant_provider_status",
4563
+ columns: ["tenantId", "provider", "status"]
4564
+ }
4565
+ ]
4566
+ });
4567
+ defineTable({
4568
+ name: "permitGroups",
4569
+ component: "control-plane",
4570
+ category: "access-control",
4571
+ shape: z.object({
4572
+ tenantId: z.string(),
4573
+ workspaceId: z.optional(z.string()),
4574
+ groupId: z.string(),
4575
+ groupKey: z.string(),
4576
+ groupName: z.string(),
4577
+ groupType: z.enum(["tenant", "workspace", "external", "system", "dynamic"]),
4578
+ status: permitMembershipStatus,
4579
+ description: z.string().optional(),
4580
+ metadata: z.record(z.any()).optional(),
4581
+ createdBy: z.string(),
4582
+ createdAt: z.number(),
4583
+ updatedAt: z.number(),
4584
+ updatedBy: z.string().optional()
4585
+ }),
4586
+ indices: [
4587
+ { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
4588
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
4589
+ { kind: "index", name: "by_tenant_groupId", columns: ["tenantId", "groupId"] },
4590
+ { kind: "index", name: "by_tenant_groupKey", columns: ["tenantId", "groupKey"] },
4591
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] }
4592
+ ]
4593
+ });
4594
+ defineTable({
4595
+ name: "permitGroupMemberships",
4596
+ component: "control-plane",
4597
+ category: "access-control",
4598
+ shape: z.object({
4599
+ tenantId: z.string(),
4600
+ workspaceId: z.optional(z.string()),
4601
+ groupId: z.string(),
4602
+ memberType: z.enum(["principal", "group"]),
4603
+ memberId: z.string(),
4604
+ principalId: z.string().optional(),
4605
+ childGroupId: z.string().optional(),
4606
+ status: permitMembershipStatus,
4607
+ addedBy: z.string().optional(),
4608
+ revokedBy: z.string().optional(),
4609
+ expiresAt: z.number().optional(),
4610
+ revocationReason: z.string().optional(),
4611
+ metadata: z.record(z.any()).optional(),
4612
+ createdAt: z.number(),
4613
+ updatedAt: z.number(),
4614
+ updatedBy: z.string().optional()
4615
+ }),
4616
+ indices: [
4617
+ { kind: "index", name: "by_tenant_principal", columns: ["tenantId", "principalId"] },
4618
+ { kind: "index", name: "by_tenant_member", columns: ["tenantId", "memberType", "memberId"] },
4619
+ {
4620
+ kind: "index",
4621
+ name: "by_tenant_member_group",
4622
+ columns: ["tenantId", "memberType", "memberId", "groupId"]
4623
+ },
4624
+ { kind: "index", name: "by_tenant_group", columns: ["tenantId", "groupId"] },
4625
+ { kind: "index", name: "by_member_group", columns: ["memberType", "memberId", "groupId"] },
4626
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] },
4627
+ {
4628
+ kind: "index",
4629
+ name: "by_workspace_principal",
4630
+ columns: ["workspaceId", "principalId"]
4631
+ }
4632
+ ]
4633
+ });
4634
+ defineTable({
4635
+ name: "permitResourceInstances",
4636
+ component: "control-plane",
4637
+ category: "access-control",
4638
+ shape: z.object({
4639
+ tenantId: z.string(),
4640
+ workspaceId: z.optional(z.string()),
4641
+ resourceType: z.string(),
4642
+ resourceKey: z.string(),
4643
+ resourceId: z.string(),
4644
+ status: z.enum(["active", "deleted", "archived"]),
4645
+ attributes: z.record(z.any()).optional(),
4646
+ ownerPrincipalId: z.string().optional(),
4647
+ metadata: z.record(z.any()).optional(),
4648
+ createdBy: z.string(),
4649
+ updatedBy: z.string().optional(),
4650
+ createdAt: z.number(),
4651
+ updatedAt: z.number()
4652
+ }),
4653
+ indices: [
4654
+ {
4655
+ kind: "index",
4656
+ name: "by_tenant_resource_type",
4657
+ columns: ["tenantId", "resourceType"]
4658
+ },
4659
+ {
4660
+ kind: "index",
4661
+ name: "by_tenant_resource_key",
4662
+ columns: ["tenantId", "resourceType", "resourceKey"]
4663
+ },
4664
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
4665
+ { kind: "index", name: "by_status", columns: ["status"] },
4666
+ {
4667
+ kind: "index",
4668
+ name: "by_tenant_status",
4669
+ columns: ["tenantId", "status"]
4670
+ },
4671
+ {
4672
+ kind: "index",
4673
+ name: "by_ownerPrincipalId",
4674
+ columns: ["ownerPrincipalId"]
4675
+ }
4676
+ ]
4677
+ });
4678
+ defineTable({
4679
+ name: "permitRoleAssignments",
4680
+ component: "control-plane",
4681
+ category: "access-control",
4682
+ shape: z.object({
4683
+ tenantId: z.string(),
4684
+ workspaceId: z.optional(z.string()),
4685
+ role: z.string(),
4686
+ targetType: permitRoleBindingTarget,
4687
+ targetId: z.string(),
4688
+ resourceType: z.string(),
4689
+ resourceKey: z.string(),
4690
+ resourceInstanceId: z.string().optional(),
4691
+ status: permitMembershipStatus,
4692
+ expiresAt: z.number().optional(),
4693
+ attributes: z.record(z.any()).optional(),
4694
+ grantedBy: z.string().optional(),
4695
+ updatedBy: z.string().optional(),
4696
+ revokedBy: z.string().optional(),
4697
+ createdAt: z.number(),
4698
+ updatedAt: z.number()
4699
+ }),
4700
+ indices: [
4701
+ {
4702
+ kind: "index",
4703
+ name: "by_tenant_target",
4704
+ columns: ["tenantId", "targetType", "targetId"]
4705
+ },
4706
+ {
4707
+ kind: "index",
4708
+ name: "by_tenant_resource",
4709
+ columns: ["tenantId", "resourceType", "resourceKey"]
4710
+ },
4711
+ {
4712
+ kind: "index",
4713
+ name: "by_tenant_role",
4714
+ columns: ["tenantId", "role", "status"]
4715
+ },
4716
+ { kind: "index", name: "by_status", columns: ["status"] },
4717
+ {
4718
+ kind: "index",
4719
+ name: "by_workspace_resource",
4720
+ columns: ["workspaceId", "resourceType", "resourceKey"]
4721
+ }
4722
+ ]
4723
+ });
4724
+ defineTable({
4725
+ name: "permitRelationshipTuples",
4726
+ component: "control-plane",
4727
+ category: "access-control",
4728
+ shape: z.object({
4729
+ tenantId: z.string(),
4730
+ workspaceId: z.optional(z.string()),
4731
+ relation: z.string(),
4732
+ subject: z.string(),
4733
+ object: z.string(),
4734
+ resourceType: z.string().optional(),
4735
+ resourceKey: z.string().optional(),
4736
+ status: permitRecordStatus,
4737
+ attributes: z.record(z.any()).optional(),
4738
+ createdBy: z.string(),
4739
+ createdAt: z.number(),
4740
+ updatedAt: z.number(),
4741
+ lastSeenAt: z.number().optional(),
4742
+ updatedBy: z.string().optional()
4743
+ }),
4744
+ indices: [
4745
+ { kind: "index", name: "by_tenant_subject", columns: ["tenantId", "subject"] },
4746
+ { kind: "index", name: "by_tenant_object", columns: ["tenantId", "object"] },
4747
+ { kind: "index", name: "by_tenant_relation", columns: ["tenantId", "relation"] },
4748
+ {
4749
+ kind: "index",
4750
+ name: "by_tenant_relation_subject",
4751
+ columns: ["tenantId", "relation", "subject"]
4752
+ },
4753
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] }
4754
+ ]
4755
+ });
4756
+ defineTable({
4757
+ name: "permitAttributeBindings",
4758
+ component: "control-plane",
4759
+ category: "access-control",
4760
+ shape: z.object({
4761
+ tenantId: z.string(),
4762
+ workspaceId: z.optional(z.string()),
4763
+ targetType: permitRoleBindingTarget,
4764
+ targetId: z.string(),
4765
+ attributeName: z.string(),
4766
+ attributeType: permitAttributeType,
4767
+ attributeOperator: permitAttributeOperator,
4768
+ attributeValue: z.any(),
4769
+ status: permitRecordStatus,
4770
+ source: z.string().optional(),
4771
+ sourceRef: z.string().optional(),
4772
+ metadata: z.record(z.any()).optional(),
4773
+ createdAt: z.number(),
4774
+ updatedAt: z.number(),
4775
+ createdBy: z.string(),
4776
+ updatedBy: z.string().optional(),
4777
+ expiresAt: z.number().optional()
4778
+ }),
4779
+ indices: [
4780
+ {
4781
+ kind: "index",
4782
+ name: "by_tenant_target",
4783
+ columns: ["tenantId", "targetType", "targetId"]
4784
+ },
4785
+ {
4786
+ kind: "index",
4787
+ name: "by_tenant_target_attribute",
4788
+ columns: ["tenantId", "targetType", "targetId", "attributeName"]
4789
+ },
4790
+ {
4791
+ kind: "index",
4792
+ name: "by_tenant_name",
4793
+ columns: ["tenantId", "attributeName"]
4794
+ },
4795
+ {
4796
+ kind: "index",
4797
+ name: "by_tenant_status",
4798
+ columns: ["tenantId", "status"]
4799
+ }
4800
+ ]
4801
+ });
4802
+ defineTable({
4803
+ name: "permitPolicyBundles",
4804
+ component: "control-plane",
4805
+ category: "access-control",
4806
+ shape: z.object({
4807
+ tenantId: z.string(),
4808
+ workspaceId: z.optional(z.string()),
4809
+ bundleKey: z.string(),
4810
+ version: z.number(),
4811
+ status: permitPolicyBundleStatus,
4812
+ policyHash: z.string().optional(),
4813
+ policyPayload: z.record(z.any()),
4814
+ metadata: z.record(z.any()).optional(),
4815
+ createdBy: z.string(),
4816
+ reviewedBy: z.string().optional(),
4817
+ createdAt: z.number(),
4818
+ updatedAt: z.number(),
4819
+ retiredAt: z.number().optional()
4820
+ }),
4821
+ indices: [
4822
+ { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
4823
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
4824
+ {
4825
+ kind: "index",
4826
+ name: "by_tenant_bundleKey",
4827
+ columns: ["tenantId", "bundleKey"]
4828
+ },
4829
+ {
4830
+ kind: "index",
4831
+ name: "by_tenant_bundle_version",
4832
+ columns: ["tenantId", "bundleKey", "version"]
4833
+ },
4834
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] }
4835
+ ]
4836
+ });
4837
+ defineTable({
4838
+ name: "permitProjectionOutbox",
4839
+ component: "control-plane",
4840
+ category: "access-control",
4841
+ shape: z.object({
4842
+ syncKey: z.string(),
4843
+ objectType: permitObjectType,
4844
+ objectId: z.string(),
4845
+ operation: permitOutboxOperation,
4846
+ payload: z.record(z.any()),
4847
+ status: permitRecordStatus,
4848
+ attemptCount: z.number(),
4849
+ nextAttemptAt: z.number().optional(),
4850
+ lastError: z.string().optional(),
4851
+ tenantId: z.string().optional(),
4852
+ workspaceId: z.optional(z.string()),
4853
+ principalId: z.string().optional(),
4854
+ permitTenantKey: z.string().optional(),
4855
+ permitResourceType: z.string().optional(),
4856
+ permitResourceKey: z.string().optional(),
4857
+ createdAt: z.number(),
4858
+ updatedAt: z.number(),
4859
+ lastHandledAt: z.number().optional()
4860
+ }),
4861
+ indices: [
4862
+ { kind: "index", name: "by_syncKey", columns: ["syncKey"] },
4863
+ { kind: "index", name: "by_status", columns: ["status"] },
4864
+ { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
4865
+ {
4866
+ kind: "index",
4867
+ name: "by_tenant_status",
4868
+ columns: ["tenantId", "status"]
4869
+ },
4870
+ {
4871
+ kind: "index",
4872
+ name: "by_objectType",
4873
+ columns: ["objectType", "status"]
4874
+ }
4875
+ ]
4876
+ });
4877
+ defineTable({
4878
+ name: "tenantPermitSyncStates",
4879
+ component: "control-plane",
4880
+ category: "access-control",
4881
+ shape: z.object({
4882
+ syncKey: z.string(),
4883
+ objectType: permitObjectType,
4884
+ objectId: z.string(),
4885
+ tenantId: z.string().optional(),
4886
+ workspaceId: z.string().optional(),
4887
+ principalId: z.string().optional(),
4888
+ permitTenantKey: z.string().optional(),
4889
+ permitResourceType: z.string().optional(),
4890
+ permitResourceKey: z.string().optional(),
4891
+ desiredPayload: z.record(z.any()),
4892
+ lastAppliedPayloadHash: z.string().optional(),
4893
+ status: permitSyncStatus,
4894
+ attemptCount: z.number(),
4895
+ lastError: z.string().optional(),
4896
+ nextAttemptAt: z.number().optional(),
4897
+ lastSyncedAt: z.number().optional(),
4898
+ createdBy: z.string(),
4899
+ updatedBy: z.string().optional(),
4900
+ createdAt: z.number(),
4901
+ updatedAt: z.number()
4902
+ }),
4903
+ indices: [
4904
+ { kind: "index", name: "by_syncKey", columns: ["syncKey"] },
4905
+ { kind: "index", name: "by_status", columns: ["status"] },
4906
+ {
4907
+ kind: "index",
4908
+ name: "by_tenant_status",
4909
+ columns: ["tenantId", "status"]
4910
+ },
4911
+ {
4912
+ kind: "index",
4913
+ name: "by_workspace_status",
4914
+ columns: ["workspaceId", "status"]
4915
+ },
4916
+ {
4917
+ kind: "index",
4918
+ name: "by_principal_status",
4919
+ columns: ["principalId", "status"]
4920
+ }
4921
+ ]
4922
+ });
4923
+ defineTable({
4924
+ name: "permitPolicyDecisionReceipts",
4925
+ component: "control-plane",
4926
+ category: "access-control",
4927
+ shape: z.object({
4928
+ tenantId: z.string().optional(),
4929
+ workspaceId: z.string().optional(),
4930
+ principalId: z.string(),
4931
+ subjectType: permitAccessReviewSubjectType.optional(),
4932
+ subjectId: z.string().optional(),
4933
+ resourceType: z.string(),
4934
+ resourceId: z.string(),
4935
+ action: z.string(),
4936
+ decision: permitDecision,
4937
+ reasonCode: z.string(),
4938
+ policyBundleId: z.string().optional(),
4939
+ policyVersion: z.string(),
4940
+ traceId: z.string().optional(),
4941
+ requestId: z.string().optional(),
4942
+ audienceMode: z.string().optional(),
4943
+ audienceKey: z.string().optional(),
4944
+ audienceClass: z.enum(["internal", "restricted_external", "public"]).optional(),
4945
+ metadata: z.record(z.any()).optional(),
4946
+ createdAt: z.number(),
4947
+ expiresAt: z.number().optional(),
4948
+ createdBy: z.string().optional()
4949
+ }),
4950
+ indices: [
4951
+ { kind: "index", name: "by_principal_createdAt", columns: ["principalId", "createdAt"] },
4952
+ { kind: "index", name: "by_tenant_createdAt", columns: ["tenantId", "createdAt"] },
4953
+ { kind: "index", name: "by_resource", columns: ["resourceType", "resourceId"] },
4954
+ { kind: "index", name: "by_decision_createdAt", columns: ["decision", "createdAt"] },
4955
+ { kind: "index", name: "by_traceId", columns: ["traceId"] },
4956
+ { kind: "index", name: "by_action", columns: ["action"] }
4957
+ ]
4958
+ });
4959
+ defineTable({
4960
+ name: "permitAccessReviews",
4961
+ component: "control-plane",
4962
+ category: "access-control",
4963
+ shape: z.object({
4964
+ tenantId: z.string(),
4965
+ workspaceId: z.optional(z.string()),
4966
+ reviewKey: z.string(),
4967
+ scope: permitReviewScope,
4968
+ status: permitAccessReviewStatus,
4969
+ subjectType: permitAccessReviewSubjectType,
4970
+ subjectId: z.string(),
4971
+ resourceType: z.string().optional(),
4972
+ resourceKey: z.string().optional(),
4973
+ outcome: z.enum(["allow", "deny"]).optional(),
4974
+ requestedBy: z.string(),
4975
+ reviewedBy: z.string().optional(),
4976
+ requestedAt: z.number(),
4977
+ reviewedAt: z.number().optional(),
4978
+ dueAt: z.number().optional(),
4979
+ justification: z.string().optional(),
4980
+ rationale: z.string().optional(),
4981
+ policyBundleId: z.string().optional(),
4982
+ metadata: z.record(z.any()).optional(),
4983
+ createdAt: z.number(),
4984
+ updatedAt: z.number()
4985
+ }),
4986
+ indices: [
4987
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] },
4988
+ { kind: "index", name: "by_tenant_reviewKey", columns: ["tenantId", "reviewKey"] },
4989
+ { kind: "index", name: "by_subject", columns: ["subjectType", "subjectId"] },
4990
+ {
4991
+ kind: "index",
4992
+ name: "by_tenant_subject",
4993
+ columns: ["tenantId", "subjectType", "subjectId"]
4994
+ },
4995
+ { kind: "index", name: "by_outcome", columns: ["outcome"] },
4996
+ {
4997
+ kind: "index",
4998
+ name: "by_workspace_status",
4999
+ columns: ["workspaceId", "status"]
5000
+ }
5001
+ ]
5002
+ });
5003
+ defineTable({
5004
+ name: "permitAccessReviewItems",
5005
+ component: "control-plane",
5006
+ category: "access-control",
5007
+ shape: z.object({
5008
+ reviewKey: z.string(),
5009
+ itemKey: z.string(),
5010
+ tenantId: z.string(),
5011
+ workspaceId: z.string().optional(),
5012
+ subjectType: permitAccessReviewSubjectType,
5013
+ subjectId: z.string(),
5014
+ resourceType: z.string().optional(),
5015
+ resourceKey: z.string().optional(),
5016
+ role: z.string().optional(),
5017
+ relation: z.string().optional(),
5018
+ status: z.enum(["open", "approved", "revoked", "changed", "deferred"]),
5019
+ reviewerId: z.string().optional(),
5020
+ decisionAt: z.number().optional(),
5021
+ rationale: z.string().optional(),
5022
+ metadata: z.record(z.any()).optional(),
5023
+ createdAt: z.number(),
5024
+ updatedAt: z.number()
5025
+ }),
5026
+ indices: [
5027
+ { kind: "index", name: "by_reviewKey", columns: ["reviewKey"] },
5028
+ { kind: "index", name: "by_tenant_reviewKey", columns: ["tenantId", "reviewKey"] },
5029
+ { kind: "index", name: "by_tenant_itemKey", columns: ["tenantId", "itemKey"] },
5030
+ { kind: "index", name: "by_subject", columns: ["subjectType", "subjectId"] },
5031
+ { kind: "index", name: "by_status", columns: ["status"] }
5032
+ ]
5033
+ });
4120
5034
  defineTable({
4121
5035
  name: "reasoningPermissions",
4122
- component: "identity",
5036
+ component: "control-plane",
4123
5037
  category: "epistemic",
4124
5038
  shape: z.object({
4125
5039
  "topicId": z.string().optional(),
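Review bot: `permitRelationshipTuples.status` and `permitAttributeBindings.status` are typed as `permitRecordStatus` (`queued`, `inflight`, `completed`, `failed`, `skipped`, `stale`), a job-lifecycle vocabulary with no revoked or disabled state, while the sibling tables `permitRoleAssignments` and `permitGroupMemberships` use `permitMembershipStatus`. If these rows are read as authorization facts, the schema does not say which statuses grant access or how a tuple is withdrawn; `status: permitMembershipStatus,` on both tables, or a comment stating the mapping, would make that explicit. Separately, `attributeValue: z.any()` sits beside an operator enum that includes `"matches"`, and `policyPayload: z.record(z.any())` is paired with an optional `policyHash`, so the values a policy evaluator would consume are not validated or integrity-bound at this layer. I would make `policyHash` required once a bundle reaches `validated` or `enforced`, and narrow `attributeValue` per `attributeType`. Several indices here (`by_member_group`, `by_ownerPrincipalId`, `by_subject`, `by_status`) omit `tenantId`, which is worth a comment saying they are for platform-level jobs only, if that is the intent.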
@@ -4366,7 +5280,7 @@ defineTable({
4366
5280
  });
4367
5281
  defineTable({
4368
5282
  name: "users",
4369
- component: "identity",
5283
+ component: "control-plane",
4370
5284
  category: "user",
4371
5285
  shape: z.object({
4372
5286
  "clerkId": z.string(),
@@ -4480,7 +5394,6 @@ defineTable({
4480
5394
  "deployments": z.record(z.object({
4481
5395
  "url": z.string(),
4482
5396
  "target": z.enum(["kernelDeployment", "appDeployment"]).optional(),
4483
- "encryptedDeployKey": z.string().optional(),
4484
5397
  "credentialRef": z.string().optional()
4485
5398
  })).optional(),
4486
5399
  "metadata": z.record(z.any()).optional(),
@@ -4495,6 +5408,39 @@ defineTable({
4495
5408
  { kind: "index", name: "by_status", columns: ["status"] }
4496
5409
  ]
4497
5410
  });
5411
+ defineTable({
5412
+ name: "deploymentHosts",
5413
+ component: "mc",
5414
+ category: "workspace",
5415
+ shape: z.object({
5416
+ "host": z.string(),
5417
+ "tenantId": idOf("tenants"),
5418
+ "workspaceId": idOf("workspaces"),
5419
+ "environment": z.enum(["dev", "staging", "prod"]),
5420
+ "target": z.enum(["kernelDeployment", "appDeployment"]),
5421
+ "deploymentUrl": z.string().optional(),
5422
+ "deploymentName": z.string().optional(),
5423
+ "vercelProjectName": z.string().optional(),
5424
+ "vercelProjectId": z.string().optional(),
5425
+ "vercelEnvironment": z.enum(["development", "preview", "staging", "production"]).optional(),
5426
+ "source": z.enum(["vercel_preview", "vercel_production", "vercel_custom_environment", "custom_domain", "manual"]),
5427
+ "status": z.enum(["active", "revoked"]),
5428
+ "metadata": z.record(z.any()).optional(),
5429
+ "createdBy": z.string(),
5430
+ "createdAt": z.number(),
5431
+ "updatedAt": z.number(),
5432
+ "revokedAt": z.number().optional(),
5433
+ "revokedBy": z.string().optional()
5434
+ }),
5435
+ indices: [
5436
+ { kind: "index", name: "by_host", columns: ["host"] },
5437
+ { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
5438
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
5439
+ { kind: "index", name: "by_tenant_workspace_environment", columns: ["tenantId", "workspaceId", "environment"] },
5440
+ { kind: "index", name: "by_workspace_status", columns: ["workspaceId", "status"] },
5441
+ { kind: "index", name: "by_status", columns: ["status"] }
5442
+ ]
5443
+ });
4498
5444
  defineTable({
4499
5445
  name: "worktreeBeliefCluster",
4500
5446
  component: "kernel",
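Review bot: `"host": z.string()` in the new `deploymentHosts` table is indexed by `by_host` and stored beside `tenantId` and `workspaceId`, so it appears to be the key that resolves a hostname to a tenant, yet the schema accepts any string. Case differences, a trailing dot or an appended port would yield distinct rows for the same host, and `by_host` is declared as a plain `kind: "index"`, so nothing visible here stops two tenants from holding the same value. I would constrain the field at the schema, for example `"host": z.string().min(1).max(253).regex(/^[a-z0-9.-]+$/),`, and have the writer normalise the value and reject a second `active` row for the same host. The defineTable call for `worktreeBeliefCluster` that follows continues outside this hunk.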
@@ -4802,8 +5748,8 @@ defineTable({
4802
5748
  });
4803
5749
  z.object({
4804
5750
  manifestVersion: z.string(),
4805
- componentName: z.enum(["kernel", "identity"]),
4806
- tier: z.enum(["K", "I"]),
5751
+ componentName: z.enum(["kernel", "control-plane"]),
5752
+ tier: z.enum(["K", "CP"]),
4807
5753
  packageVersion: z.string(),
4808
5754
  tables: z.array(
4809
5755
  z.object({
@@ -4929,129 +5875,994 @@ var edgePolicyManifest = {
4929
5875
  // ../contracts/src/tenant-client.contract.ts
4930
5876
  var TENANT_CLIENT_INSTALLABLE_PACKAGES = [
4931
5877
  {
4932
- packageName: "@lucern/access-control",
4933
- role: "runtime_entrypoint",
4934
- directTenantImport: true
5878
+ packageName: "@lucern/access-control",
5879
+ role: "runtime_entrypoint",
5880
+ directTenantImport: true
5881
+ },
5882
+ {
5883
+ packageName: "@lucern/agent",
5884
+ role: "platform_runtime",
5885
+ directTenantImport: false
5886
+ },
5887
+ {
5888
+ packageName: "@lucern/auth",
5889
+ role: "sdk_dependency",
5890
+ directTenantImport: false
5891
+ },
5892
+ {
5893
+ packageName: "@lucern/cli",
5894
+ role: "developer_tool",
5895
+ directTenantImport: false
5896
+ },
5897
+ {
5898
+ packageName: "@lucern/client-core",
5899
+ role: "sdk_dependency",
5900
+ directTenantImport: false
5901
+ },
5902
+ {
5903
+ packageName: "@lucern/confidence",
5904
+ role: "sdk_dependency",
5905
+ directTenantImport: false
5906
+ },
5907
+ {
5908
+ packageName: "@lucern/config",
5909
+ role: "configuration",
5910
+ directTenantImport: false
5911
+ },
5912
+ {
5913
+ packageName: "@lucern/contracts",
5914
+ role: "contract_entrypoint",
5915
+ directTenantImport: true
5916
+ },
5917
+ {
5918
+ packageName: "@lucern/control-plane",
5919
+ role: "component_runtime",
5920
+ directTenantImport: false
5921
+ },
5922
+ {
5923
+ packageName: "@lucern/developer-kit",
5924
+ role: "developer_tool",
5925
+ directTenantImport: false
5926
+ },
5927
+ {
5928
+ packageName: "@lucern/events",
5929
+ role: "sdk_dependency",
5930
+ directTenantImport: false
5931
+ },
5932
+ {
5933
+ packageName: "@lucern/graph-primitives",
5934
+ role: "sdk_dependency",
5935
+ directTenantImport: false
5936
+ },
5937
+ {
5938
+ packageName: "@lucern/graph-sync",
5939
+ role: "host_addon_runtime",
5940
+ directTenantImport: true
5941
+ },
5942
+ {
5943
+ packageName: "@lucern/mcp",
5944
+ role: "runtime_entrypoint",
5945
+ directTenantImport: true
5946
+ },
5947
+ {
5948
+ packageName: "@lucern/pack-host",
5949
+ role: "platform_runtime",
5950
+ directTenantImport: false
5951
+ },
5952
+ {
5953
+ packageName: "@lucern/pack-installer",
5954
+ role: "developer_tool",
5955
+ directTenantImport: false
5956
+ },
5957
+ {
5958
+ packageName: "@lucern/proof-compiler",
5959
+ role: "developer_tool",
5960
+ directTenantImport: false
5961
+ },
5962
+ {
5963
+ packageName: "@lucern/react",
5964
+ role: "runtime_entrypoint",
5965
+ directTenantImport: true
5966
+ },
5967
+ {
5968
+ packageName: "@lucern/reasoning-kernel",
5969
+ role: "component_runtime",
5970
+ directTenantImport: false
5971
+ },
5972
+ {
5973
+ packageName: "@lucern/sdk",
5974
+ role: "runtime_entrypoint",
5975
+ directTenantImport: true
5976
+ },
5977
+ {
5978
+ packageName: "@lucern/secrets",
5979
+ role: "sdk_dependency",
5980
+ directTenantImport: false
5981
+ },
5982
+ {
5983
+ packageName: "@lucern/server-core",
5984
+ role: "platform_runtime",
5985
+ directTenantImport: false
5986
+ },
5987
+ {
5988
+ packageName: "@lucern/testing",
5989
+ role: "test_support",
5990
+ directTenantImport: false
5991
+ },
5992
+ {
5993
+ packageName: "@lucern/types",
5994
+ role: "contract_entrypoint",
5995
+ directTenantImport: true
5996
+ }
5997
+ ];
5998
+ TENANT_CLIENT_INSTALLABLE_PACKAGES.map(
5999
+ (entry) => entry.packageName
6000
+ );
6001
+
6002
+ // ../contracts/src/infisical-runtime.contract.ts
6003
+ var INFISICAL_TENANT_SOFTWARE_SYSTEMS = [
6004
+ {
6005
+ id: "stack-frontend",
6006
+ tenantKey: "stack",
6007
+ workspaceKey: "frontend",
6008
+ vercelProjectName: "ai-chatbot-diao",
6009
+ vercelTeamId: "team_mZBKwvXSSu7qxrWdg2go29sK",
6010
+ vercelProjectId: "prj_PihFw8kohSSw14nZs9YQV3xVo517",
6011
+ repository: {
6012
+ owner: "stack-vc",
6013
+ name: "front-end"
6014
+ },
6015
+ sharedSourcePath: "/tenants/stack",
6016
+ sharedVariablePolicy: "tenant_shared_all_systems",
6017
+ convex: {
6018
+ urlEnv: "CONVEX_FRONTEND_URL",
6019
+ deployKeyEnv: "CONVEX_FRONTEND_DEPLOY_KEY",
6020
+ preprodDeployment: "rugged-lobster-664",
6021
+ prodDeployment: "wonderful-toucan-0"
6022
+ }
6023
+ },
6024
+ {
6025
+ id: "stackos",
6026
+ tenantKey: "stack",
6027
+ workspaceKey: "stackos",
6028
+ vercelProjectName: "stackos",
6029
+ vercelTeamId: "team_mZBKwvXSSu7qxrWdg2go29sK",
6030
+ vercelProjectId: "prj_rXLAL0Z6v9p1fasKbomby6GI7kau",
6031
+ repository: {
6032
+ owner: "stack-vc",
6033
+ name: "stackos"
6034
+ },
6035
+ sharedSourcePath: "/tenants/stack",
6036
+ sharedVariablePolicy: "tenant_shared_all_systems",
6037
+ convex: {
6038
+ urlEnv: "CONVEX_STACKOS_URL",
6039
+ deployKeyEnv: "CONVEX_STACKOS_DEPLOY_KEY",
6040
+ preprodDeployment: "giant-mandrill-761",
6041
+ prodDeployment: "good-snake-515"
6042
+ }
6043
+ },
6044
+ {
6045
+ id: "stack-eng",
6046
+ tenantKey: "stack",
6047
+ workspaceKey: "engineering",
6048
+ vercelProjectName: "stackos-engineering-graph",
6049
+ vercelTeamId: "team_mZBKwvXSSu7qxrWdg2go29sK",
6050
+ vercelProjectId: "prj_zAU0Zn9GkbHjHI63dxW4vLpmoqTJ",
6051
+ repository: {
6052
+ owner: "stack-vc",
6053
+ name: "stackos-engineering-graph"
6054
+ },
6055
+ sharedSourcePath: "/tenants/stack/engineering",
6056
+ sharedVariablePolicy: "tenant_shared_all_systems",
6057
+ convex: {
6058
+ urlEnv: "CONVEX_STACK_ENG_URL",
6059
+ deployKeyEnv: "CONVEX_STACK_ENG_DEPLOY_KEY",
6060
+ preprodDeployment: "small-oyster-270",
6061
+ prodDeployment: "bold-cuttlefish-804"
6062
+ }
6063
+ },
6064
+ {
6065
+ id: "lucern-graph",
6066
+ tenantKey: "lucern",
6067
+ workspaceKey: "lucern",
6068
+ vercelProjectName: "lucern-graph",
6069
+ vercelTeamId: "team_vTHxxs8GAoAFUe6RWMlYt7fY",
6070
+ vercelProjectId: "prj_KJ8EKV8vGM5xURpqmwTwmECEGPgQ",
6071
+ repository: {
6072
+ owner: "LucernAI",
6073
+ name: "lucern-graph"
6074
+ },
6075
+ sharedSourcePath: "/tenants/lucern/shared",
6076
+ sharedVariablePolicy: "tenant_shared_all_systems",
6077
+ convex: {
6078
+ urlEnv: "CONVEX_LUCERN_URL",
6079
+ deployKeyEnv: "CONVEX_LUCERN_DEPLOY_KEY",
6080
+ preprodDeployment: "good-blackbird-774",
6081
+ prodDeployment: "precious-dog-365"
6082
+ }
6083
+ }
6084
+ ];
6085
+ var TENANT_SHARED_SECRET_DEFINITION_TEMPLATES = [
6086
+ {
6087
+ idSuffix: "clerk.publishable",
6088
+ canonicalName: "NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY",
6089
+ aliases: ["CLERK_PUBLISHABLE_KEY"],
6090
+ required: true,
6091
+ secret: false,
6092
+ public: true,
6093
+ description: "Tenant-owned Clerk browser key. For Stack this is the master clerk.stack.vc project shared by front-end, StackOS, and the engineering workspace."
6094
+ },
6095
+ {
6096
+ idSuffix: "clerk.secret",
6097
+ canonicalName: "CLERK_SECRET_KEY",
6098
+ required: true,
6099
+ secret: true,
6100
+ public: false,
6101
+ description: "Tenant-owned Clerk backend secret used only by that tenant's server runtimes."
6102
+ },
6103
+ {
6104
+ idSuffix: "clerk.project",
6105
+ canonicalName: "CLERK_PROJECT_ID",
6106
+ required: true,
6107
+ secret: false,
6108
+ public: false,
6109
+ description: "Tenant-owned Clerk project id used to resolve canonical Clerk aliases."
6110
+ },
6111
+ {
6112
+ idSuffix: "clerk.jwks",
6113
+ canonicalName: "CLERK_JWT_ISSUER_DOMAIN",
6114
+ aliases: ["CLERK_ISSUER_URL", "CLERK_JWKS_URL"],
6115
+ required: false,
6116
+ secret: false,
6117
+ public: false,
6118
+ description: "Tenant Clerk issuer/JWKS URL consumed by Convex auth.config.ts."
6119
+ },
6120
+ {
6121
+ idSuffix: "clerk.jwt-key",
6122
+ canonicalName: "CLERK_JWT_KEY",
6123
+ required: false,
6124
+ secret: true,
6125
+ public: false,
6126
+ description: "Tenant Clerk JWT public verification key used by bearer-token API routes."
6127
+ },
6128
+ {
6129
+ idSuffix: "clerk.authorized-parties",
6130
+ canonicalName: "CLERK_AUTHORIZED_PARTIES",
6131
+ aliases: ["CLERK_MOBILE_AUTHORIZED_PARTIES"],
6132
+ required: false,
6133
+ secret: false,
6134
+ public: false,
6135
+ description: "Comma-separated Clerk authorized parties for browser and mobile bearer-token validation."
6136
+ },
6137
+ {
6138
+ idSuffix: "clerk.sign-in-url",
6139
+ canonicalName: "NEXT_PUBLIC_CLERK_SIGN_IN_URL",
6140
+ required: false,
6141
+ secret: false,
6142
+ public: true,
6143
+ description: "Tenant Clerk sign-in route for custom app login surfaces."
6144
+ },
6145
+ {
6146
+ idSuffix: "clerk.sign-up-url",
6147
+ canonicalName: "NEXT_PUBLIC_CLERK_SIGN_UP_URL",
6148
+ required: false,
6149
+ secret: false,
6150
+ public: true,
6151
+ description: "Tenant Clerk sign-up route for custom app login surfaces."
6152
+ }
6153
+ ];
6154
+ INFISICAL_TENANT_SOFTWARE_SYSTEMS.flatMap(
6155
+ (system) => TENANT_SHARED_SECRET_DEFINITION_TEMPLATES.map(
6156
+ (template) => ({
6157
+ id: `tenant.${system.id}.${template.idSuffix}`,
6158
+ canonicalName: template.canonicalName,
6159
+ aliases: "aliases" in template ? template.aliases : void 0,
6160
+ owner: "tenant",
6161
+ scope: "tenant",
6162
+ sourcePath: system.sharedSourcePath,
6163
+ environmentPolicy: "environment_specific",
6164
+ required: template.required,
6165
+ secret: template.secret,
6166
+ public: template.public,
6167
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
6168
+ destinations: [
6169
+ {
6170
+ kind: "vercel",
6171
+ target: system.vercelProjectName,
6172
+ environmentPolicy: "preprod_staging_prod_prod"
6173
+ },
6174
+ {
6175
+ kind: "convex",
6176
+ target: `${system.convex.preprodDeployment}|${system.convex.prodDeployment}`,
6177
+ environmentPolicy: "preprod_staging_prod_prod"
6178
+ }
6179
+ ],
6180
+ description: `${system.tenantKey}/${system.workspaceKey}: ${template.description}`
6181
+ })
6182
+ )
6183
+ );
6184
+ INFISICAL_TENANT_SOFTWARE_SYSTEMS.map(
6185
+ (system) => ({
6186
+ id: `tenant.${system.id}.install-lucern-npm`,
6187
+ canonicalName: "INSTALL_LUCERN_NPM",
6188
+ owner: "provider",
6189
+ scope: "global",
6190
+ sourcePath: "/tenants/shared",
6191
+ environmentPolicy: "same_all_environments",
6192
+ required: true,
6193
+ secret: true,
6194
+ public: false,
6195
+ consumers: ["tenant-vercel-app", "tenant-deploy-tooling"],
6196
+ destinations: [
6197
+ {
6198
+ kind: "vercel",
6199
+ target: system.vercelProjectName,
6200
+ environmentPolicy: "same_all_environments"
6201
+ },
6202
+ {
6203
+ kind: "github_actions",
6204
+ target: `${system.repository.owner}/${system.repository.name}`,
6205
+ environmentPolicy: "same_all_environments"
6206
+ }
6207
+ ],
6208
+ description: `${system.tenantKey}/${system.workspaceKey}: read-only npm install token for published @lucern/* packages.`
6209
+ })
6210
+ );
6211
+ var TENANT_PRODUCT_SOFTWARE_SYSTEM_IDS = ["stack-frontend", "stackos"];
6212
+ var TENANT_PRODUCT_RUNTIME_SECRET_DEFINITION_TEMPLATES = [
6213
+ {
6214
+ idSuffix: "ai.openai-api-key",
6215
+ canonicalName: "OPENAI_API_KEY",
6216
+ required: false,
6217
+ secret: true,
6218
+ public: false,
6219
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment", "tenant-ai-runtime"],
6220
+ description: "Tenant-owned OpenAI key for product runtime LLM calls."
4935
6221
  },
4936
6222
  {
4937
- packageName: "@lucern/agent",
4938
- role: "platform_runtime",
4939
- directTenantImport: false
6223
+ idSuffix: "ai.anthropic-api-key",
6224
+ canonicalName: "ANTHROPIC_API_KEY",
6225
+ required: false,
6226
+ secret: true,
6227
+ public: false,
6228
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment", "tenant-ai-runtime"],
6229
+ description: "Tenant-owned Anthropic key for product runtime LLM calls."
4940
6230
  },
4941
6231
  {
4942
- packageName: "@lucern/auth",
4943
- role: "sdk_dependency",
4944
- directTenantImport: false
6232
+ idSuffix: "ai.gemini-api-key",
6233
+ canonicalName: "GEMINI_API_KEY",
6234
+ aliases: ["GOOGLE_AI_API_KEY", "GOOGLE_GENERATIVE_AI_API_KEY"],
6235
+ required: false,
6236
+ secret: true,
6237
+ public: false,
6238
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment", "tenant-ai-runtime"],
6239
+ description: "Tenant-owned Google/Gemini key for product runtime LLM calls."
4945
6240
  },
4946
6241
  {
4947
- packageName: "@lucern/cli",
4948
- role: "developer_tool",
4949
- directTenantImport: false
6242
+ idSuffix: "langfuse.secret-key",
6243
+ canonicalName: "LANGFUSE_SECRET_KEY",
6244
+ required: false,
6245
+ secret: true,
6246
+ public: false,
6247
+ consumers: [
6248
+ "tenant-vercel-app",
6249
+ "tenant-convex-deployment",
6250
+ "tenant-observability"
6251
+ ],
6252
+ description: "Tenant-owned Langfuse secret key for product AI tracing."
4950
6253
  },
4951
6254
  {
4952
- packageName: "@lucern/client-core",
4953
- role: "sdk_dependency",
4954
- directTenantImport: false
6255
+ idSuffix: "langfuse.public-key",
6256
+ canonicalName: "LANGFUSE_PUBLIC_KEY",
6257
+ required: false,
6258
+ secret: false,
6259
+ public: false,
6260
+ consumers: [
6261
+ "tenant-vercel-app",
6262
+ "tenant-convex-deployment",
6263
+ "tenant-observability"
6264
+ ],
6265
+ description: "Tenant-owned Langfuse public key for product AI tracing."
4955
6266
  },
4956
6267
  {
4957
- packageName: "@lucern/confidence",
4958
- role: "sdk_dependency",
4959
- directTenantImport: false
6268
+ idSuffix: "langfuse.base-url",
6269
+ canonicalName: "LANGFUSE_BASE_URL",
6270
+ aliases: ["LANGFUSE_BASEURL", "LANGFUSE_HOST"],
6271
+ required: false,
6272
+ secret: false,
6273
+ public: false,
6274
+ consumers: [
6275
+ "tenant-vercel-app",
6276
+ "tenant-convex-deployment",
6277
+ "tenant-observability"
6278
+ ],
6279
+ description: "Tenant-owned Langfuse API origin."
4960
6280
  },
4961
6281
  {
4962
- packageName: "@lucern/config",
4963
- role: "configuration",
4964
- directTenantImport: false
6282
+ idSuffix: "graph.neo4j-uri",
6283
+ canonicalName: "NEO4J_URI",
6284
+ required: false,
6285
+ secret: false,
6286
+ public: false,
6287
+ consumers: [
6288
+ "tenant-vercel-app",
6289
+ "tenant-convex-deployment",
6290
+ "tenant-graph-sync"
6291
+ ],
6292
+ description: "Tenant-owned Neo4j URI for product graph-sync."
4965
6293
  },
4966
6294
  {
4967
- packageName: "@lucern/contracts",
4968
- role: "contract_entrypoint",
4969
- directTenantImport: true
6295
+ idSuffix: "graph.neo4j-user",
6296
+ canonicalName: "NEO4J_USER",
6297
+ aliases: ["NEO4J_USERNAME"],
6298
+ required: false,
6299
+ secret: false,
6300
+ public: false,
6301
+ consumers: [
6302
+ "tenant-vercel-app",
6303
+ "tenant-convex-deployment",
6304
+ "tenant-graph-sync"
6305
+ ],
6306
+ description: "Tenant-owned Neo4j user for product graph-sync."
4970
6307
  },
4971
6308
  {
4972
- packageName: "@lucern/control-plane",
4973
- role: "platform_runtime",
4974
- directTenantImport: false
6309
+ idSuffix: "graph.neo4j-password",
6310
+ canonicalName: "NEO4J_PASSWORD",
6311
+ required: false,
6312
+ secret: true,
6313
+ public: false,
6314
+ consumers: [
6315
+ "tenant-vercel-app",
6316
+ "tenant-convex-deployment",
6317
+ "tenant-graph-sync"
6318
+ ],
6319
+ description: "Tenant-owned Neo4j password for product graph-sync."
4975
6320
  },
4976
6321
  {
4977
- packageName: "@lucern/developer-kit",
4978
- role: "developer_tool",
4979
- directTenantImport: false
6322
+ idSuffix: "graph.neo4j-sync-secret",
6323
+ canonicalName: "NEO4J_SYNC_SECRET",
6324
+ required: false,
6325
+ secret: true,
6326
+ public: false,
6327
+ consumers: [
6328
+ "tenant-vercel-app",
6329
+ "tenant-convex-deployment",
6330
+ "tenant-graph-sync"
6331
+ ],
6332
+ description: "Tenant-owned shared secret for product Convex-to-HTTP graph-sync calls."
4980
6333
  },
4981
6334
  {
4982
- packageName: "@lucern/events",
4983
- role: "sdk_dependency",
4984
- directTenantImport: false
6335
+ idSuffix: "graph.neo4j-database",
6336
+ canonicalName: "NEO4J_DATABASE",
6337
+ required: false,
6338
+ secret: false,
6339
+ public: false,
6340
+ consumers: [
6341
+ "tenant-vercel-app",
6342
+ "tenant-convex-deployment",
6343
+ "tenant-graph-sync"
6344
+ ],
6345
+ description: "Tenant-owned Neo4j database name for product graph-sync."
4985
6346
  },
4986
6347
  {
4987
- packageName: "@lucern/graph-primitives",
4988
- role: "sdk_dependency",
4989
- directTenantImport: false
6348
+ idSuffix: "vector.pinecone-api-key",
6349
+ canonicalName: "PINECONE_API_KEY",
6350
+ required: false,
6351
+ secret: true,
6352
+ public: false,
6353
+ consumers: [
6354
+ "tenant-vercel-app",
6355
+ "tenant-convex-deployment",
6356
+ "tenant-vector-store"
6357
+ ],
6358
+ description: "Tenant-owned Pinecone API key for product vector search."
4990
6359
  },
4991
6360
  {
4992
- packageName: "@lucern/graph-sync",
4993
- role: "host_addon_runtime",
4994
- directTenantImport: true
6361
+ idSuffix: "vector.pinecone-index-name",
6362
+ canonicalName: "PINECONE_INDEX_NAME",
6363
+ aliases: ["PINECONE_INDEX"],
6364
+ required: false,
6365
+ secret: false,
6366
+ public: false,
6367
+ consumers: [
6368
+ "tenant-vercel-app",
6369
+ "tenant-convex-deployment",
6370
+ "tenant-vector-store"
6371
+ ],
6372
+ description: "Tenant-owned Pinecone index name for product vector search."
4995
6373
  },
4996
6374
  {
4997
- packageName: "@lucern/identity",
4998
- role: "component_runtime",
4999
- directTenantImport: false
6375
+ idSuffix: "vector.pinecone-host",
6376
+ canonicalName: "PINECONE_HOST",
6377
+ aliases: ["PINECONE_INDEX_HOST"],
6378
+ required: false,
6379
+ secret: false,
6380
+ public: false,
6381
+ consumers: [
6382
+ "tenant-vercel-app",
6383
+ "tenant-convex-deployment",
6384
+ "tenant-vector-store"
6385
+ ],
6386
+ description: "Tenant-owned Pinecone host for product vector search."
5000
6387
  },
5001
6388
  {
5002
- packageName: "@lucern/mcp",
5003
- role: "runtime_entrypoint",
5004
- directTenantImport: true
6389
+ idSuffix: "vector.pinecone-namespace",
6390
+ canonicalName: "PINECONE_NAMESPACE",
6391
+ required: false,
6392
+ secret: false,
6393
+ public: false,
6394
+ consumers: [
6395
+ "tenant-vercel-app",
6396
+ "tenant-convex-deployment",
6397
+ "tenant-vector-store"
6398
+ ],
6399
+ description: "Tenant-owned Pinecone namespace for product vector search isolation."
5005
6400
  },
5006
6401
  {
5007
- packageName: "@lucern/pack-host",
5008
- role: "platform_runtime",
5009
- directTenantImport: false
6402
+ idSuffix: "storage.aws-access-key-id",
6403
+ canonicalName: "AWS_ACCESS_KEY_ID",
6404
+ required: false,
6405
+ secret: true,
6406
+ public: false,
6407
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
6408
+ description: "Tenant-owned AWS access key id for document/file ingestion."
5010
6409
  },
5011
6410
  {
5012
- packageName: "@lucern/pack-installer",
5013
- role: "developer_tool",
5014
- directTenantImport: false
6411
+ idSuffix: "storage.aws-secret-access-key",
6412
+ canonicalName: "AWS_SECRET_ACCESS_KEY",
6413
+ required: false,
6414
+ secret: true,
6415
+ public: false,
6416
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
6417
+ description: "Tenant-owned AWS secret access key for document/file ingestion."
5015
6418
  },
5016
6419
  {
5017
- packageName: "@lucern/proof-compiler",
5018
- role: "developer_tool",
5019
- directTenantImport: false
6420
+ idSuffix: "storage.aws-region",
6421
+ canonicalName: "AWS_REGION",
6422
+ required: false,
6423
+ secret: false,
6424
+ public: false,
6425
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
6426
+ description: "Tenant-owned AWS region for document/file ingestion."
5020
6427
  },
5021
6428
  {
5022
- packageName: "@lucern/react",
5023
- role: "runtime_entrypoint",
5024
- directTenantImport: true
6429
+ idSuffix: "observability.sentry-dsn",
6430
+ canonicalName: "NEXT_PUBLIC_SENTRY_DSN",
6431
+ aliases: ["NEXT_PUBLIC_SENTRY_DSN_NEXTJS", "SENTRY_DSN"],
6432
+ required: false,
6433
+ secret: false,
6434
+ public: true,
6435
+ consumers: ["tenant-vercel-app", "tenant-observability"],
6436
+ description: "Tenant-owned Sentry DSN for app telemetry."
5025
6437
  },
5026
6438
  {
5027
- packageName: "@lucern/reasoning-kernel",
5028
- role: "component_runtime",
5029
- directTenantImport: false
6439
+ idSuffix: "observability.sentry-auth-token",
6440
+ canonicalName: "SENTRY_AUTH_TOKEN",
6441
+ required: false,
6442
+ secret: true,
6443
+ public: false,
6444
+ consumers: ["tenant-deploy-tooling", "tenant-observability"],
6445
+ description: "Tenant-owned Sentry release token for app deployments."
5030
6446
  },
5031
6447
  {
5032
- packageName: "@lucern/sdk",
5033
- role: "runtime_entrypoint",
5034
- directTenantImport: true
6448
+ idSuffix: "observability.sentry-org",
6449
+ canonicalName: "SENTRY_ORG",
6450
+ aliases: ["SENTRY_ORG_SLUG"],
6451
+ required: false,
6452
+ secret: false,
6453
+ public: false,
6454
+ consumers: ["tenant-deploy-tooling", "tenant-observability"],
6455
+ description: "Tenant-owned Sentry org slug for release uploads."
5035
6456
  },
5036
6457
  {
5037
- packageName: "@lucern/server-core",
5038
- role: "platform_runtime",
5039
- directTenantImport: false
6458
+ idSuffix: "observability.sentry-project",
6459
+ canonicalName: "SENTRY_PROJECT",
6460
+ aliases: ["SENTRY_PROJECT_NEXTJS"],
6461
+ required: false,
6462
+ secret: false,
6463
+ public: false,
6464
+ consumers: ["tenant-deploy-tooling", "tenant-observability"],
6465
+ description: "Tenant-owned Sentry project slug for release uploads."
5040
6466
  },
5041
6467
  {
5042
- packageName: "@lucern/testing",
5043
- role: "test_support",
5044
- directTenantImport: false
6468
+ idSuffix: "observability.sentry-environment",
6469
+ canonicalName: "NEXT_PUBLIC_SENTRY_ENVIRONMENT",
6470
+ aliases: ["SENTRY_ENVIRONMENT"],
6471
+ required: false,
6472
+ secret: false,
6473
+ public: true,
6474
+ consumers: ["tenant-vercel-app", "tenant-observability"],
6475
+ description: "Tenant-owned Sentry environment label."
5045
6476
  },
5046
6477
  {
5047
- packageName: "@lucern/types",
5048
- role: "contract_entrypoint",
5049
- directTenantImport: true
6478
+ idSuffix: "observability.sentry-release",
6479
+ canonicalName: "NEXT_PUBLIC_SENTRY_RELEASE",
6480
+ aliases: ["SENTRY_RELEASE"],
6481
+ required: false,
6482
+ secret: false,
6483
+ public: true,
6484
+ consumers: ["tenant-vercel-app", "tenant-observability"],
6485
+ description: "Tenant-owned Sentry release label."
6486
+ },
6487
+ {
6488
+ idSuffix: "observability.sentry-client-options",
6489
+ canonicalName: "NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE",
6490
+ aliases: [
6491
+ "NEXT_PUBLIC_SENTRY_CAPTURE_CONSOLE_LEVELS",
6492
+ "NEXT_PUBLIC_SENTRY_CAPTURE_CONSOLE_LEVELS_NEXTJS",
6493
+ "NEXT_PUBLIC_SENTRY_CONSOLE_BREADCRUMB_LEVELS",
6494
+ "NEXT_PUBLIC_SENTRY_CONSOLE_BREADCRUMB_LEVELS_NEXTJS",
6495
+ "NEXT_PUBLIC_SENTRY_CONSOLE_LOG_LEVELS",
6496
+ "NEXT_PUBLIC_SENTRY_CONSOLE_LOG_LEVELS_NEXTJS",
6497
+ "NEXT_PUBLIC_SENTRY_ENABLE_LOGS",
6498
+ "NEXT_PUBLIC_SENTRY_REPLAYS_ON_ERROR_SAMPLE_RATE",
6499
+ "NEXT_PUBLIC_SENTRY_REPLAYS_SESSION_SAMPLE_RATE",
6500
+ "NEXT_PUBLIC_SENTRY_SEND_DEFAULT_PII",
6501
+ "NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE_NEXTJS"
6502
+ ],
6503
+ required: false,
6504
+ secret: false,
6505
+ public: true,
6506
+ consumers: ["tenant-vercel-app", "tenant-observability"],
6507
+ description: "Tenant-owned public Sentry tuning values for Next.js client instrumentation."
6508
+ },
6509
+ {
6510
+ idSuffix: "observability.sentry-webhook-secret",
6511
+ canonicalName: "SENTRY_WEBHOOK_SECRET",
6512
+ required: false,
6513
+ secret: true,
6514
+ public: false,
6515
+ consumers: ["tenant-convex-deployment", "tenant-observability"],
6516
+ description: "Tenant-owned Sentry webhook verification secret."
6517
+ },
6518
+ {
6519
+ idSuffix: "lucern.gateway-api-key",
6520
+ canonicalName: "LUCERN_API_KEY",
6521
+ aliases: ["STACK_API_KEY"],
6522
+ required: false,
6523
+ secret: true,
6524
+ public: false,
6525
+ consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
6526
+ description: "Tenant-scoped Lucern/MC gateway API key for product front-door calls."
6527
+ },
6528
+ {
6529
+ idSuffix: "lucern.gateway-base-url",
6530
+ canonicalName: "LUCERN_BASE_URL",
6531
+ aliases: ["LUCERN_API_BASE_URL", "LUCERN_GATEWAY_BASE_URL"],
6532
+ required: false,
6533
+ secret: false,
6534
+ public: false,
6535
+ consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
6536
+ description: "Lucern/MC gateway base URL used by tenant product apps."
6537
+ },
6538
+ {
6539
+ idSuffix: "lucern.proxy-token-secret",
6540
+ canonicalName: "LUCERN_PROXY_TOKEN_SECRET",
6541
+ required: false,
6542
+ secret: true,
6543
+ public: false,
6544
+ consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
6545
+ description: "Tenant-owned secret for signing internal proxy/session tokens in product apps."
6546
+ },
6547
+ {
6548
+ idSuffix: "tenant.integrations.linear-api-key",
6549
+ canonicalName: "LINEAR_API_KEY",
6550
+ required: false,
6551
+ secret: true,
6552
+ public: false,
6553
+ consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
6554
+ description: "Tenant-owned Linear API key for support/slash-command flows."
6555
+ },
6556
+ {
6557
+ idSuffix: "tenant.vercel.bypass-token",
6558
+ canonicalName: "VERCEL_AUTOMATION_BYPASS_SECRET",
6559
+ aliases: ["NEXT_PUBLIC_VERCEL_BYPASS_TOKEN"],
6560
+ required: false,
6561
+ secret: true,
6562
+ public: false,
6563
+ consumers: ["tenant-vercel-app", "tenant-deploy-tooling"],
6564
+ description: "Tenant-owned Vercel automation bypass token. Public alias is legacy and should be removed from app code."
5050
6565
  }
5051
6566
  ];
5052
- TENANT_CLIENT_INSTALLABLE_PACKAGES.map(
5053
- (entry) => entry.packageName
6567
+ INFISICAL_TENANT_SOFTWARE_SYSTEMS.filter(
6568
+ (system) => TENANT_PRODUCT_SOFTWARE_SYSTEM_IDS.includes(system.id)
6569
+ ).flatMap(
6570
+ (system) => TENANT_PRODUCT_RUNTIME_SECRET_DEFINITION_TEMPLATES.map(
6571
+ (template) => ({
6572
+ id: `tenant.${system.id}.${template.idSuffix}`,
6573
+ canonicalName: template.canonicalName,
6574
+ aliases: "aliases" in template ? template.aliases : void 0,
6575
+ owner: "tenant",
6576
+ scope: "tenant",
6577
+ sourcePath: system.sharedSourcePath,
6578
+ environmentPolicy: "environment_specific",
6579
+ required: template.required,
6580
+ secret: template.secret,
6581
+ public: template.public,
6582
+ consumers: template.consumers,
6583
+ destinations: [
6584
+ {
6585
+ kind: "vercel",
6586
+ target: system.vercelProjectName,
6587
+ environmentPolicy: "preprod_staging_prod_prod"
6588
+ },
6589
+ {
6590
+ kind: "convex",
6591
+ target: `${system.convex.preprodDeployment}|${system.convex.prodDeployment}`,
6592
+ environmentPolicy: "preprod_staging_prod_prod"
6593
+ },
6594
+ {
6595
+ kind: "github_actions",
6596
+ target: `${system.repository.owner}/${system.repository.name}`,
6597
+ environmentPolicy: "preprod_staging_prod_prod"
6598
+ }
6599
+ ],
6600
+ description: `${system.tenantKey}/${system.workspaceKey}: ${template.description}`
6601
+ })
6602
+ )
6603
+ );
6604
+ function tenantVercelConvexUrlWriteNames(system) {
6605
+ const names = [system.convex.urlEnv, "NEXT_PUBLIC_CONVEX_URL"];
6606
+ if (system.id === "stack-eng") {
6607
+ return [...names, "STACKOS_ENGINEERING_GRAPH_CONVEX_URL"];
6608
+ }
6609
+ return names;
6610
+ }
6611
+ function tenantRepositoryConvexUrlWriteNames(system) {
6612
+ if (system.id === "stack-eng") {
6613
+ return [system.convex.urlEnv, "STACKOS_ENGINEERING_GRAPH_CONVEX_URL"];
6614
+ }
6615
+ return [system.convex.urlEnv];
6616
+ }
6617
+ function tenantRepositoryConvexDeployKeyWriteNames(system) {
6618
+ if (system.id === "stack-eng") {
6619
+ return [system.convex.deployKeyEnv, "STACKOS_ENGINEERING_GRAPH_DEPLOY_KEY"];
6620
+ }
6621
+ return [system.convex.deployKeyEnv];
6622
+ }
6623
+ function tenantConvexUrlAliases(system) {
6624
+ if (system.id === "stack-frontend") {
6625
+ return [
6626
+ "CONVEX_PROD_URL",
6627
+ "CONVEX_STACK_V2_PROD_URL",
6628
+ "CONVEX_STACK_V2_STAGING_URL",
6629
+ "STACK_CONVEX_URL"
6630
+ ];
6631
+ }
6632
+ if (system.id === "stackos") {
6633
+ return [
6634
+ "CONVEX_CLOUD_URL",
6635
+ "CONVEX_STACK_URL",
6636
+ "CONVEX_URL",
6637
+ "CONVEX_URL_DEVELOPMENT",
6638
+ "CONVEX_URL_PRODUCTION",
6639
+ "STACK_CONVEX_URL"
6640
+ ];
6641
+ }
6642
+ if (system.id === "stack-eng") {
6643
+ return ["STACKOS_ENGINEERING_GRAPH_CONVEX_URL"];
6644
+ }
6645
+ if (system.id === "lucern-graph") {
6646
+ return [
6647
+ "CONVEX_GRAPH_URL",
6648
+ "LUCERN_PROD_URL",
6649
+ "NEXT_PUBLIC_LUCERN_GRAPH_URL"
6650
+ ];
6651
+ }
6652
+ return void 0;
6653
+ }
6654
+ function tenantConvexDeployKeyAliases(system) {
6655
+ if (system.id === "stack-frontend") {
6656
+ return [
6657
+ "CONVEX_STACK_V2_PROD_DEPLOY_KEY",
6658
+ "CONVEX_STACK_V2_STAGING_DEPLOY_KEY",
6659
+ "STACK_DEPLOY_KEY"
6660
+ ];
6661
+ }
6662
+ if (system.id === "stackos") {
6663
+ return [
6664
+ "CONVEX_DEPLOY_KEY",
6665
+ "CONVEX_DEV_DEPLOY_KEY",
6666
+ "CONVEX_PROD_DEPLOY_KEY",
6667
+ "CONVEX_STACK_DEPLOY_KEY",
6668
+ "STACK_DEPLOY_KEY"
6669
+ ];
6670
+ }
6671
+ if (system.id === "stack-eng") {
6672
+ return ["CONVEX_DEPLOY_KEY", "STACKOS_ENGINEERING_GRAPH_DEPLOY_KEY"];
6673
+ }
6674
+ if (system.id === "lucern-graph") {
6675
+ return [
6676
+ "CONVEX_DEPLOY_KEY",
6677
+ "CONVEX_GRAPH_DEPLOY_KEY",
6678
+ "LUCERN_CONVEX_DEPLOY_KEY",
6679
+ "LUCERN_DEV_DEPLOY_KEY",
6680
+ "LUCERN_PROD_DEPLOY_KEY"
6681
+ ];
6682
+ }
6683
+ return void 0;
6684
+ }
6685
+ INFISICAL_TENANT_SOFTWARE_SYSTEMS.flatMap(
6686
+ (system) => {
6687
+ if (system.id === "lucern-graph") {
6688
+ return [
6689
+ {
6690
+ id: "tenant.lucern-graph.public.tenant-id",
6691
+ canonicalName: "NEXT_PUBLIC_LUCERN_GRAPH_TENANT_ID",
6692
+ aliases: ["NEXT_PUBLIC_LUCERN_TENANT_ID"],
6693
+ owner: "tenant",
6694
+ scope: "workspace",
6695
+ sourcePath: system.sharedSourcePath,
6696
+ environmentPolicy: "environment_specific",
6697
+ required: false,
6698
+ secret: false,
6699
+ public: true,
6700
+ consumers: ["tenant-vercel-app"],
6701
+ destinations: [
6702
+ {
6703
+ kind: "vercel",
6704
+ target: system.vercelProjectName,
6705
+ environmentPolicy: "preprod_staging_prod_prod"
6706
+ }
6707
+ ],
6708
+ description: "Lucern graph public tenant id used by the standalone graph explorer."
6709
+ },
6710
+ {
6711
+ id: "tenant.lucern-graph.public.tenant-label",
6712
+ canonicalName: "NEXT_PUBLIC_LUCERN_GRAPH_TENANT_LABEL",
6713
+ owner: "tenant",
6714
+ scope: "workspace",
6715
+ sourcePath: system.sharedSourcePath,
6716
+ environmentPolicy: "environment_specific",
6717
+ required: false,
6718
+ secret: false,
6719
+ public: true,
6720
+ consumers: ["tenant-vercel-app"],
6721
+ destinations: [
6722
+ {
6723
+ kind: "vercel",
6724
+ target: system.vercelProjectName,
6725
+ environmentPolicy: "preprod_staging_prod_prod"
6726
+ }
6727
+ ],
6728
+ description: "Lucern graph public tenant label used by the standalone graph explorer."
6729
+ }
6730
+ ];
6731
+ }
6732
+ if (system.id === "stack-eng") {
6733
+ return [
6734
+ {
6735
+ id: "tenant.stack-eng.public.tenant-id",
6736
+ canonicalName: "NEXT_PUBLIC_STACKOS_ENGINEERING_GRAPH_TENANT_ID",
6737
+ owner: "tenant",
6738
+ scope: "workspace",
6739
+ sourcePath: system.sharedSourcePath,
6740
+ environmentPolicy: "environment_specific",
6741
+ required: false,
6742
+ secret: false,
6743
+ public: true,
6744
+ consumers: ["tenant-vercel-app"],
6745
+ destinations: [
6746
+ {
6747
+ kind: "vercel",
6748
+ target: system.vercelProjectName,
6749
+ environmentPolicy: "preprod_staging_prod_prod"
6750
+ }
6751
+ ],
6752
+ description: "Stack engineering graph public tenant id used by the graph explorer."
6753
+ },
6754
+ {
6755
+ id: "tenant.stack-eng.public.tenant-label",
6756
+ canonicalName: "NEXT_PUBLIC_STACKOS_ENGINEERING_GRAPH_TENANT_LABEL",
6757
+ owner: "tenant",
6758
+ scope: "workspace",
6759
+ sourcePath: system.sharedSourcePath,
6760
+ environmentPolicy: "environment_specific",
6761
+ required: false,
6762
+ secret: false,
6763
+ public: true,
6764
+ consumers: ["tenant-vercel-app"],
6765
+ destinations: [
6766
+ {
6767
+ kind: "vercel",
6768
+ target: system.vercelProjectName,
6769
+ environmentPolicy: "preprod_staging_prod_prod"
6770
+ }
6771
+ ],
6772
+ description: "Stack engineering graph public tenant label used by the graph explorer."
6773
+ },
6774
+ {
6775
+ id: "tenant.stack-eng.public.environment",
6776
+ canonicalName: "NEXT_PUBLIC_STACKOS_ENGINEERING_GRAPH_ENV",
6777
+ owner: "tenant",
6778
+ scope: "workspace",
6779
+ sourcePath: system.sharedSourcePath,
6780
+ environmentPolicy: "environment_specific",
6781
+ required: false,
6782
+ secret: false,
6783
+ public: true,
6784
+ consumers: ["tenant-vercel-app"],
6785
+ destinations: [
6786
+ {
6787
+ kind: "vercel",
6788
+ target: system.vercelProjectName,
6789
+ environmentPolicy: "preprod_staging_prod_prod"
6790
+ }
6791
+ ],
6792
+ description: "Stack engineering graph public environment label used by the graph explorer."
6793
+ }
6794
+ ];
6795
+ }
6796
+ return [];
6797
+ }
5054
6798
  );
6799
+ INFISICAL_TENANT_SOFTWARE_SYSTEMS.flatMap((system) => [
6800
+ {
6801
+ id: `tenant.${system.id}.convex.url`,
6802
+ canonicalName: system.convex.urlEnv,
6803
+ aliases: tenantConvexUrlAliases(system),
6804
+ owner: "tenant",
6805
+ scope: "software_system",
6806
+ sourcePath: system.sharedSourcePath,
6807
+ environmentPolicy: "preprod_staging_prod_prod",
6808
+ required: true,
6809
+ secret: false,
6810
+ public: false,
6811
+ consumers: [
6812
+ "tenant-vercel-app",
6813
+ "tenant-agent-runtime",
6814
+ "mc-operator-tooling"
6815
+ ],
6816
+ destinations: [
6817
+ {
6818
+ kind: "vercel",
6819
+ target: system.vercelProjectName,
6820
+ environmentPolicy: "preprod_staging_prod_prod",
6821
+ writeNames: tenantVercelConvexUrlWriteNames(system)
6822
+ },
6823
+ {
6824
+ kind: "github_actions",
6825
+ target: `${system.repository.owner}/${system.repository.name}`,
6826
+ environmentPolicy: "preprod_staging_prod_prod",
6827
+ writeNames: tenantRepositoryConvexUrlWriteNames(system),
6828
+ notes: "Only if that repository deploy/test workflow owns this software system."
6829
+ }
6830
+ ],
6831
+ description: `${system.tenantKey}/${system.workspaceKey} Convex URL. Pre-prod resolves to ${system.convex.preprodDeployment}; prod resolves to ${system.convex.prodDeployment}.`
6832
+ },
6833
+ {
6834
+ id: `tenant.${system.id}.convex.deploy-key`,
6835
+ canonicalName: system.convex.deployKeyEnv,
6836
+ aliases: tenantConvexDeployKeyAliases(system),
6837
+ owner: "tenant",
6838
+ scope: "software_system",
6839
+ sourcePath: system.sharedSourcePath,
6840
+ environmentPolicy: "preprod_staging_prod_prod",
6841
+ required: true,
6842
+ secret: true,
6843
+ public: false,
6844
+ consumers: [
6845
+ "tenant-vercel-app",
6846
+ "tenant-agent-runtime",
6847
+ "mc-operator-tooling"
6848
+ ],
6849
+ destinations: [
6850
+ {
6851
+ kind: "vercel",
6852
+ target: system.vercelProjectName,
6853
+ environmentPolicy: "preprod_staging_prod_prod"
6854
+ },
6855
+ {
6856
+ kind: "github_actions",
6857
+ target: `${system.repository.owner}/${system.repository.name}`,
6858
+ environmentPolicy: "preprod_staging_prod_prod",
6859
+ writeNames: tenantRepositoryConvexDeployKeyWriteNames(system),
6860
+ notes: "Only if that repository deploy/test workflow owns this software system."
6861
+ }
6862
+ ],
6863
+ description: `${system.tenantKey}/${system.workspaceKey} Convex deploy/admin key. Never route to sibling workspaces.`
6864
+ }
6865
+ ]);
5055
6866
  z.object({
5056
6867
  manifestVersion: z.literal("1.0.0"),
5057
6868
  rules: z.array(
@@ -5092,7 +6903,7 @@ var createEvidenceInputSchemaBase = z.object({
5092
6903
  targetId: z.string().optional(),
5093
6904
  targetNodeId: z.string().optional(),
5094
6905
  linkedBeliefNodeId: z.string().optional(),
5095
- evidenceRelation: z.enum(["supports", "contradicts", "neutral"]).optional(),
6906
+ evidenceRelation: z.enum(["supports", "contradicts"]).optional(),
5096
6907
  confidence: z.number().optional(),
5097
6908
  weight: z.number().optional(),
5098
6909
  reasoning: z.string().optional(),
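Review bot: Removing `"neutral"` from the `evidenceRelation` enum means any caller that still sends that value is now rejected, and nothing in this hunk maps or documents a replacement. The next hunk removes the same literal from the `v.union(...)` in `createEvidenceProjection`, so both validation layers change together. If neutral evidence is now meant to be expressed by leaving the field out, say so beside the enum, for example `// "neutral" removed in 0.3.0-alpha.12; omit evidenceRelation instead`. The `createEvidenceInputSchemaBase` object starts and ends outside the hunk.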
@@ -5177,8 +6988,7 @@ var createEvidenceProjection = defineProjection({
5177
6988
  evidenceRelation: v.optional(
5178
6989
  v.union(
5179
6990
  v.literal("supports"),
5180
- v.literal("contradicts"),
5181
- v.literal("neutral")
6991
+ v.literal("contradicts")
5182
6992
  )
5183
6993
  ),
5184
6994
  confidence: v.optional(v.number()),
@@ -5227,12 +7037,17 @@ var listBeliefsProjection = defineProjection({
5227
7037
  });
5228
7038
  var taskStatusSchema = z.enum(["todo", "in_progress", "blocked", "done"]).optional().describe("Filter by task status");
5229
7039
  var listTasksInputSchema = z.object({
5230
- topicId: z.string().describe("Topic scope"),
7040
+ topicId: z.string().optional().describe("Topic scope"),
5231
7041
  worktreeId: z.string().optional().describe("Alias for linkedWorktreeId"),
5232
7042
  linkedWorktreeId: z.string().optional().describe("Filter to tasks linked to this worktree"),
5233
7043
  status: taskStatusSchema,
5234
7044
  limit: z.number().optional().describe("Maximum results")
5235
- });
7045
+ }).refine(
7046
+ (input) => Boolean(input.topicId || input.worktreeId || input.linkedWorktreeId),
7047
+ {
7048
+ message: "topicId or worktreeId is required"
7049
+ }
7050
+ );
5236
7051
  function compactRecord3(input) {
5237
7052
  return Object.fromEntries(
5238
7053
  Object.entries(input).filter(([, value]) => value !== void 0)
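Review bot: The "at least one scope" rule added by `.refine(...)` exists only in the Zod schema. The Convex validator in the `listTasksProjection` hunk below merely makes `topicId` optional, so a call that reaches the Convex function with neither `topicId` nor `linkedWorktreeId` passes argument validation. The handler is not visible here, but it should reject that case itself rather than fall through to an unscoped task listing. It should also keep applying whatever access check was previously keyed on `topicId` when only a worktree id is supplied. The refine message omits the third accepted field; `message: "topicId, worktreeId or linkedWorktreeId is required"` would match the predicate.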
@@ -5249,7 +7064,7 @@ var listTasksProjection = defineProjection({
5249
7064
  linkedWorktreeId: input.linkedWorktreeId ?? input.worktreeId
5250
7065
  }),
5251
7066
  convexArgsValidator: v.object({
5252
- topicId: v.string(),
7067
+ topicId: v.optional(v.string()),
5253
7068
  status: v.optional(
5254
7069
  v.union(
5255
7070
  v.literal("todo"),
@@ -6253,7 +8068,7 @@ var CREATE_EDGE = {
6253
8068
  reasoningMethod: {
6254
8069
  type: "string",
6255
8070
  description: "How this was determined",
6256
- enum: ["deductive", "inductive", "abductive", "analogical", "empirical"]
8071
+ enum: [...REASONING_METHODS]
6257
8072
  },
6258
8073
  metadata: {
6259
8074
  type: "object",
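Review bot: Replacing the literal list with `[...REASONING_METHODS]` drops `"empirical"`, which the old enum accepted and the new constant (added at the top of this file) does not contain. Callers of CREATE_EDGE that still pass that value fall outside the advertised schema, and any validator built from it would reject them. Either keep it as a deprecated value, `enum: [...REASONING_METHODS, "empirical"]`, or add a comment naming the value that replaces it. The CREATE_EDGE definition starts and ends outside the hunk.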
@@ -7980,6 +9795,10 @@ var CREATE_TASK = {
7980
9795
  tags: {
7981
9796
  type: "array",
7982
9797
  description: "Free-form string tags"
9798
+ },
9799
+ metadata: {
9800
+ type: "object",
9801
+ description: "Structured task metadata for handoff context and routing hints"
7983
9802
  }
7984
9803
  },
7985
9804
  required: ["title"],
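Review bot: `metadata` is declared as a bare `type: "object"` with no `properties`, size bound or `additionalProperties` rule, yet its description says it carries routing hints, so the schema accepts whatever an agent or tool caller puts there. Any consumer that acts on those hints should treat them as untrusted input and validate the keys it reads; at minimum the description should list the expected keys. The next hunk adds the same open object to UPDATE_TASK, where "to replace or refine" leaves unclear whether an update overwrites the stored object or merges into it. State which, for example `description: "Structured task metadata; replaces the stored object"` if that is the behaviour. Both definitions start and end outside their hunks.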
@@ -8053,6 +9872,10 @@ var UPDATE_TASK = {
8053
9872
  type: "string",
8054
9873
  description: "Updated status",
8055
9874
  enum: ["todo", "in_progress", "blocked", "done"]
9875
+ },
9876
+ metadata: {
9877
+ type: "object",
9878
+ description: "Structured task metadata to replace or refine"
8056
9879
  }
8057
9880
  },
8058
9881
  required: ["taskId"],
@@ -9508,6 +11331,9 @@ var BEGIN_BUILD_SESSION = {
9508
11331
  sessionMode: "string \u2014 async | interactive",
9509
11332
  targetBeliefIds: "array \u2014 scoped belief IDs",
9510
11333
  targetQuestionIds: "array \u2014 scoped question IDs",
11334
+ taskIds: "array \u2014 assigned task IDs for this worktree",
11335
+ incompleteTaskIds: "array \u2014 assigned task IDs that still require done/deferred/blocked proof",
11336
+ tasks: "array \u2014 assigned task packet with id, title, status, priority, links, and summaries",
9511
11337
  topBeliefs: "array \u2014 highest-confidence scoped beliefs",
9512
11338
  openQuestions: "array \u2014 open scoped questions",
9513
11339
  resolvedDecisions: "array \u2014 answered questions summarized for the session",
@@ -10108,12 +11934,20 @@ function unwrapMcpParameterSchema(schema) {
10108
11934
  current = current._def.schema;
10109
11935
  continue;
10110
11936
  default:
10111
- return { schema: current, required, description: description ?? current.description };
11937
+ return {
11938
+ schema: current,
11939
+ required,
11940
+ description: description ?? current.description
11941
+ };
10112
11942
  }
10113
11943
  }
10114
11944
  }
10115
11945
  function mcpParameterFromZod(fieldName, schema, contractName) {
10116
- const { schema: unwrapped, required, description: schemaDescription } = unwrapMcpParameterSchema(schema);
11946
+ const {
11947
+ schema: unwrapped,
11948
+ required,
11949
+ description: schemaDescription
11950
+ } = unwrapMcpParameterSchema(schema);
10117
11951
  const description = schemaDescription ?? unwrapped.description ?? fieldName;
10118
11952
  switch (unwrapped._def.typeName) {
10119
11953
  case z.ZodFirstPartyTypeKind.ZodString:
@@ -10158,10 +11992,12 @@ function mcpContractFromArgsSchema(base, args, contractName) {
10158
11992
  const entries2 = Object.entries(getObjectShape(args)).sort(
10159
11993
  ([left], [right]) => left.localeCompare(right)
10160
11994
  );
10161
- const converted = entries2.map(([fieldName, schema]) => [
10162
- fieldName,
10163
- mcpParameterFromZod(fieldName, schema, contractName)
10164
- ]);
11995
+ const converted = entries2.map(
11996
+ ([fieldName, schema]) => [
11997
+ fieldName,
11998
+ mcpParameterFromZod(fieldName, schema, contractName)
11999
+ ]
12000
+ );
10165
12001
  return {
10166
12002
  ...base,
10167
12003
  parameters: Object.fromEntries(
@@ -10273,6 +12109,7 @@ function surfaceContract(args) {
10273
12109
  allowedPrincipalTypes: ["user", "service", "agent"]
10274
12110
  },
10275
12111
  convex: args.convex,
12112
+ gateway: args.gateway,
10276
12113
  args: canonicalArgs,
10277
12114
  returns: canonicalReturns,
10278
12115
  input,
@@ -10759,7 +12596,7 @@ var beliefsContracts = [
10759
12596
  })
10760
12597
  ];
10761
12598
  var jsonRecordSchema4 = z.record(z.unknown());
10762
- var evidenceRelationSchema = z.enum(["supports", "contradicts", "neutral"]);
12599
+ var evidenceRelationSchema = z.enum(["supports", "contradicts"]);
10763
12600
  var createEvidenceArgs = z.object({
10764
12601
  topicId: z.string().optional().describe("Topic scope for the evidence."),
10765
12602
  text: z.string().describe("Canonical evidence text."),
@@ -12682,7 +14519,8 @@ var createTaskArgs = z.object({
12682
14519
  linkedQuestionId: z.string().optional().describe("Question this task addresses."),
12683
14520
  assigneeId: z.string().optional().describe("Principal assigned to the task."),
12684
14521
  dueDate: z.number().optional().describe("Due date as epoch milliseconds."),
12685
- tags: z.array(z.string()).optional().describe("Free-form tags.")
14522
+ tags: z.array(z.string()).optional().describe("Free-form tags."),
14523
+ metadata: z.record(z.unknown()).optional().describe("Structured task metadata for handoff context and routing hints.")
12686
14524
  });
12687
14525
  var createTaskInput = (input) => compactRecord4({
12688
14526
  title: input.title,
@@ -12696,7 +14534,8 @@ var createTaskInput = (input) => compactRecord4({
12696
14534
  linkedQuestionId: input.linkedQuestionId,
12697
14535
  assigneeId: input.assigneeId,
12698
14536
  dueDate: input.dueDate,
12699
- tags: input.tags
14537
+ tags: input.tags,
14538
+ metadata: input.metadata
12700
14539
  });
12701
14540
  var taskInput = (input) => compactRecord4({
12702
14541
  ...input,
@@ -12713,8 +14552,7 @@ var taskTopicInput = (input) => {
12713
14552
  };
12714
14553
  var completeTaskInput = (input) => compactRecord4({
12715
14554
  taskId: input.taskId ?? input.id,
12716
- outputSummary: input.outputSummary ?? input.summary,
12717
- userId: input.userId
14555
+ outputSummary: input.outputSummary ?? input.summary
12718
14556
  });
12719
14557
  var tasksContracts = [
12720
14558
  surfaceContract({
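Review bot: `completeTaskInput` no longer forwards `userId` from the request, but `taskInput` in the preceding hunk still spreads `...input`, and the failure-log input projection in `codingContracts` still passes `userId: input.userId`. If the removal here is meant to stop accepting a caller-chosen identity, those two paths let the same field through and would need the same treatment, with the acting principal taken from the authenticated context instead. The reason for the removal is not stated on the page, so this is worth confirming rather than assuming.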
@@ -12732,6 +14570,7 @@ var tasksContracts = [
12732
14570
  kind: "mutation",
12733
14571
  inputProjection: createTaskInput
12734
14572
  },
14573
+ gateway: { handler: "tasks.create" },
12735
14574
  args: createTaskArgs
12736
14575
  }),
12737
14576
  surfaceContract({
@@ -12750,6 +14589,7 @@ var tasksContracts = [
12750
14589
  kind: "query",
12751
14590
  inputProjection: taskTopicInput
12752
14591
  },
14592
+ gateway: { handler: "tasks.list" },
12753
14593
  args: listTasksInputSchema
12754
14594
  }),
12755
14595
  surfaceContract({
@@ -12767,7 +14607,8 @@ var tasksContracts = [
12767
14607
  functionName: "update",
12768
14608
  kind: "mutation",
12769
14609
  inputProjection: taskInput
12770
- }
14610
+ },
14611
+ gateway: { handler: "tasks.update" }
12771
14612
  }),
12772
14613
  surfaceContract({
12773
14614
  name: "complete_task",
@@ -12783,12 +14624,14 @@ var tasksContracts = [
12783
14624
  functionName: "complete",
12784
14625
  kind: "mutation",
12785
14626
  inputProjection: completeTaskInput
12786
- }
14627
+ },
14628
+ gateway: { handler: "tasks.complete" }
12787
14629
  })
12788
14630
  ];
12789
14631
  var CREATE_EDGE_TYPES = edgePolicyManifest.policies.map(
12790
14632
  (policy) => policy.edgeType
12791
14633
  );
14634
+ var REASONING_METHOD_TYPES = [...REASONING_METHODS];
12792
14635
  var createEdgeArgs = z.object({
12793
14636
  from: GraphRefSchema,
12794
14637
  to: GraphRefSchema,
@@ -12798,6 +14641,7 @@ var createEdgeArgs = z.object({
12798
14641
  confidence: z.number().optional(),
12799
14642
  context: z.string().optional(),
12800
14643
  reasoning: z.string().optional(),
14644
+ reasoningMethod: z.enum(REASONING_METHOD_TYPES).optional(),
12801
14645
  derivationType: z.string().optional(),
12802
14646
  metadata: z.record(z.unknown()).optional(),
12803
14647
  topicId: z.string().optional(),
@@ -12876,6 +14720,7 @@ var edgesContracts = [
12876
14720
  weight: parsed.weight,
12877
14721
  confidence: parsed.confidence,
12878
14722
  context: parsed.context ?? parsed.reasoning,
14723
+ reasoningMethod: parsed.reasoningMethod,
12879
14724
  derivationType: parsed.derivationType,
12880
14725
  metadata: parsed.metadata,
12881
14726
  skipLayerValidation: true,
@@ -13000,6 +14845,7 @@ var edgesContracts = [
13000
14845
  weight: edge.weight,
13001
14846
  confidence: edge.confidence,
13002
14847
  context: edge.context ?? edge.reasoning,
14848
+ reasoningMethod: edge.reasoningMethod,
13003
14849
  derivationType: edge.derivationType,
13004
14850
  metadata: edge.metadata,
13005
14851
  topicId: edge.topicId
@@ -13734,6 +15580,69 @@ var pipelineContracts = [
13734
15580
  }
13735
15581
  })
13736
15582
  ];
15583
+ function isRecord3(value) {
15584
+ return Boolean(value) && typeof value === "object" && !Array.isArray(value);
15585
+ }
15586
+ function stringValues(value) {
15587
+ if (typeof value === "string") {
15588
+ return [value];
15589
+ }
15590
+ if (Array.isArray(value)) {
15591
+ return value.flatMap((item) => stringValues(item));
15592
+ }
15593
+ return [];
15594
+ }
15595
+ function nestedEvidenceRows(value) {
15596
+ if (Array.isArray(value)) {
15597
+ return value.flatMap((item) => nestedEvidenceRows(item));
15598
+ }
15599
+ if (!isRecord3(value)) {
15600
+ return [];
15601
+ }
15602
+ const nestedKeys = ["evidence", "items", "nodes"];
15603
+ const nestedRows = nestedKeys.flatMap((key) => nestedEvidenceRows(value[key]));
15604
+ return nestedRows.length > 0 ? nestedRows : [value];
15605
+ }
15606
+ function isFailedAttemptRow(row) {
15607
+ const metadata = isRecord3(row.metadata) ? row.metadata : null;
15608
+ return metadata?.failedApproach === true || metadata?.isFailedAttempt === true;
15609
+ }
15610
+ function failureLogSearchFields(row) {
15611
+ const metadata = isRecord3(row.metadata) ? row.metadata : null;
15612
+ return [
15613
+ ...stringValues(row.id),
15614
+ ...stringValues(row._id),
15615
+ ...stringValues(row.title),
15616
+ ...stringValues(row.text),
15617
+ ...stringValues(row.canonicalText),
15618
+ ...stringValues(row.content),
15619
+ ...stringValues(metadata?.codeAnchor),
15620
+ ...stringValues(metadata?.codeAnchors),
15621
+ ...stringValues(metadata?.anchor),
15622
+ ...stringValues(metadata?.anchors),
15623
+ ...stringValues(metadata?.filePath),
15624
+ ...stringValues(metadata?.filePaths),
15625
+ ...stringValues(metadata?.path),
15626
+ ...stringValues(metadata?.paths),
15627
+ ...stringValues(metadata?.sourceRef),
15628
+ ...stringValues(metadata?.touchedPaths)
15629
+ ];
15630
+ }
15631
+ function projectFailureLog(output, input) {
15632
+ const rawQuery = typeof input.query === "string" && input.query.trim().length > 0 ? input.query.trim() : void 0;
15633
+ const searchKey = rawQuery?.toLowerCase();
15634
+ const failures = nestedEvidenceRows(output).filter((row) => isFailedAttemptRow(row)).filter(
15635
+ (row) => !searchKey ? true : failureLogSearchFields(row).some(
15636
+ (field) => field.toLowerCase().includes(searchKey)
15637
+ )
15638
+ );
15639
+ return {
15640
+ query: rawQuery,
15641
+ failures,
15642
+ totalFound: failures.length,
15643
+ showing: failures.length
15644
+ };
15645
+ }
13737
15646
  var recordScopeLearningArgs = z.object({
13738
15647
  topicId: z.string().optional().describe("Topic scope ID"),
13739
15648
  summary: z.string().describe("Atomic learning statement"),
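Review bot: `isFailedAttemptRow` classifies a row purely by `metadata.failedApproach === true` or `metadata.isFailedAttempt === true`, and `metadata` is a free-form record on the write side. Any writer that can set metadata can therefore place rows into the failure log or, by omitting the flags, keep them out. `attemptInput` sets both flags after spreading the caller's metadata, which protects that one path; other evidence writers are not visible here. Keying the filter on a field that only the attempt-recording path can write would make the log harder to pollute. `nestedEvidenceRows` also recurses through `evidence`/`items`/`nodes` without a depth limit and drops a parent row whenever any nested rows are found, which deserves a comment stating that this is intended.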
@@ -13823,6 +15732,8 @@ var attemptInput = (input, context) => withUserId(
13823
15732
  tags: ["code_attempt"],
13824
15733
  metadata: compactRecord4({
13825
15734
  ...recordValue2(input.metadata),
15735
+ failedApproach: true,
15736
+ isFailedAttempt: true,
13826
15737
  filePaths: input.filePaths,
13827
15738
  filePath: input.filePath,
13828
15739
  errorMessage: input.errorMessage,
@@ -13953,7 +15864,8 @@ var codingContracts = [
13953
15864
  limit: input.limit,
13954
15865
  status: input.status,
13955
15866
  userId: input.userId
13956
- })
15867
+ }),
15868
+ outputProjection: (output, input) => projectFailureLog(output, input)
13957
15869
  }
13958
15870
  })
13959
15871
  ];
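Review bot: The added `outputProjection` filters rows after the input projection has already forwarded `limit: input.limit`, so, presuming the backend applies that limit, a request can return fewer failures than the limit even when more exist. `totalFound` in `projectFailureLog` is also always equal to `showing`. Either rename the field or document it, for example `// totalFound counts matches within the fetched page, not across the topic`. The wrapper `(output, input) => projectFailureLog(output, input)` can also be written as `outputProjection: projectFailureLog`, assuming the caller passes exactly those two arguments. The enclosing contract starts outside this hunk.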
@@ -14415,14 +16327,14 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
14415
16327
  description: "Worktrees are tenant/runtime planning data."
14416
16328
  },
14417
16329
  {
14418
- component: "identity",
16330
+ component: "control-plane",
14419
16331
  table: "agents",
14420
16332
  prepopulation: "runtime_bootstrap",
14421
16333
  copyMode: "none",
14422
16334
  description: "Service agents are provisioned per tenant or service, not copied."
14423
16335
  },
14424
16336
  {
14425
- component: "identity",
16337
+ component: "control-plane",
14426
16338
  table: "mcpWritePolicy",
14427
16339
  prepopulation: "required_template",
14428
16340
  copyMode: "template_global",
@@ -14431,14 +16343,14 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
14431
16343
  description: "Global write policy defaults govern service and interactive MCP writes."
14432
16344
  },
14433
16345
  {
14434
- component: "identity",
16346
+ component: "control-plane",
14435
16347
  table: "modelCallLogs",
14436
16348
  prepopulation: "runtime_log",
14437
16349
  copyMode: "none",
14438
16350
  description: "Model call logs are runtime telemetry."
14439
16351
  },
14440
16352
  {
14441
- component: "identity",
16353
+ component: "control-plane",
14442
16354
  table: "modelFunctionSlots",
14443
16355
  prepopulation: "required_template",
14444
16356
  copyMode: "template_global",
@@ -14447,7 +16359,7 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
14447
16359
  description: "Function-to-model slots are required by model runtime resolution."
14448
16360
  },
14449
16361
  {
14450
- component: "identity",
16362
+ component: "control-plane",
14451
16363
  table: "modelRegistry",
14452
16364
  prepopulation: "required_template",
14453
16365
  copyMode: "template_global",
@@ -14456,7 +16368,7 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
14456
16368
  description: "Model catalog defaults are required by model runtime clients."
14457
16369
  },
14458
16370
  {
14459
- component: "identity",
16371
+ component: "control-plane",
14460
16372
  table: "modelSlotConfigs",
14461
16373
  prepopulation: "required_template",
14462
16374
  copyMode: "template_global",
@@ -14465,14 +16377,105 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
14465
16377
  description: "Slot-level defaults are required before tenant overrides exist."
14466
16378
  },
14467
16379
  {
14468
- component: "identity",
16380
+ component: "control-plane",
16381
+ table: "permitAccessReviewItems",
16382
+ prepopulation: "runtime_data",
16383
+ copyMode: "none",
16384
+ description: "Permit access-review item rows are tenant review data projected from Permit."
16385
+ },
16386
+ {
16387
+ component: "control-plane",
16388
+ table: "permitAccessReviews",
16389
+ prepopulation: "runtime_data",
16390
+ copyMode: "none",
16391
+ description: "Permit access-review campaigns are tenant review data projected from Permit."
16392
+ },
16393
+ {
16394
+ component: "control-plane",
16395
+ table: "permitAttributeBindings",
16396
+ prepopulation: "runtime_data",
16397
+ copyMode: "none",
16398
+ description: "Permit ABAC attribute bindings are tenant policy projection rows."
16399
+ },
16400
+ {
16401
+ component: "control-plane",
16402
+ table: "permitGroups",
16403
+ prepopulation: "runtime_data",
16404
+ copyMode: "none",
16405
+ description: "Permit groups are tenant-defined policy subjects, not template data."
16406
+ },
16407
+ {
16408
+ component: "control-plane",
16409
+ table: "permitGroupMemberships",
16410
+ prepopulation: "runtime_data",
16411
+ copyMode: "none",
16412
+ description: "Permit group memberships are tenant-specific policy projection rows."
16413
+ },
16414
+ {
16415
+ component: "control-plane",
16416
+ table: "permitPolicyBundles",
16417
+ prepopulation: "runtime_derived",
16418
+ copyMode: "none",
16419
+ description: "Permit policy bundles are derived from the Permit control plane."
16420
+ },
16421
+ {
16422
+ component: "control-plane",
16423
+ table: "permitPolicyDecisionReceipts",
16424
+ prepopulation: "runtime_log",
16425
+ copyMode: "none",
16426
+ description: "Permit decision receipts are runtime authorization audit logs."
16427
+ },
16428
+ {
16429
+ component: "control-plane",
16430
+ table: "permitPrincipalAliases",
16431
+ prepopulation: "runtime_data",
16432
+ copyMode: "none",
16433
+ description: "Permit principal aliases are tenant-specific identity projection rows."
16434
+ },
16435
+ {
16436
+ component: "control-plane",
16437
+ table: "permitPrincipals",
16438
+ prepopulation: "runtime_data",
16439
+ copyMode: "none",
16440
+ description: "Permit principals are projected from Clerk, Permit, and tenant onboarding flows."
16441
+ },
16442
+ {
16443
+ component: "control-plane",
16444
+ table: "permitProjectionOutbox",
16445
+ prepopulation: "runtime_queue",
16446
+ copyMode: "none",
16447
+ description: "Permit projection outbox rows are runtime sync queue data."
16448
+ },
16449
+ {
16450
+ component: "control-plane",
16451
+ table: "permitRelationshipTuples",
16452
+ prepopulation: "runtime_data",
16453
+ copyMode: "none",
16454
+ description: "Permit ReBAC relationship tuples are tenant policy projection rows."
16455
+ },
16456
+ {
16457
+ component: "control-plane",
16458
+ table: "permitResourceInstances",
16459
+ prepopulation: "runtime_data",
16460
+ copyMode: "none",
16461
+ description: "Permit resource instances are tenant/workspace graph and deployment projection rows."
16462
+ },
16463
+ {
16464
+ component: "control-plane",
16465
+ table: "permitRoleAssignments",
16466
+ prepopulation: "runtime_data",
16467
+ copyMode: "none",
16468
+ description: "Permit role assignments are tenant-specific policy projection rows."
16469
+ },
16470
+ {
16471
+ component: "control-plane",
14469
16472
  table: "platformAudienceGrants",
14470
16473
  prepopulation: "runtime_data",
14471
16474
  copyMode: "none",
14472
16475
  description: "Audience grants are principal/group-specific access rows."
14473
16476
  },
14474
16477
  {
14475
- component: "identity",
16478
+ component: "control-plane",
14476
16479
  table: "platformAudiences",
14477
16480
  prepopulation: "required_template",
14478
16481
  copyMode: "template_tenant_rewrite",
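Review bot: The added Permit rows introduce `prepopulation: "runtime_derived"` (`permitPolicyBundles`) and `"runtime_queue"` (`permitProjectionOutbox`), values that appear in this view only on added lines. If `prepopulation` is validated against a closed set elsewhere, both need to be listed there. Several of the new tables hold authorization state (`permitRoleAssignments`, `permitRelationshipTuples`, `permitGroupMemberships`), and their descriptions would benefit from the explicit wording the credential tables use, for example `description: "Permit role assignments are tenant-specific authorization rows and must never be copied."`. `copyMode: "none"` is already set on all of them, so this is documentation only. `TENANT_BOOTSTRAP_TABLE_REQUIREMENTS` begins outside this hunk.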
@@ -14481,35 +16484,35 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
14481
16484
  description: "Default tenant audience taxonomy rows are rewritten into each tenant."
14482
16485
  },
14483
16486
  {
14484
- component: "identity",
16487
+ component: "control-plane",
14485
16488
  table: "platformPolicyDecisionLogs",
14486
16489
  prepopulation: "runtime_log",
14487
16490
  copyMode: "none",
14488
16491
  description: "Policy decisions are runtime audit logs."
14489
16492
  },
14490
16493
  {
14491
- component: "identity",
16494
+ component: "control-plane",
14492
16495
  table: "projectGrants",
14493
16496
  prepopulation: "runtime_data",
14494
16497
  copyMode: "none",
14495
16498
  description: "Project/topic grants are principal or group-specific access rows."
14496
16499
  },
14497
16500
  {
14498
- component: "identity",
16501
+ component: "control-plane",
14499
16502
  table: "reasoningPermissions",
14500
16503
  prepopulation: "runtime_data",
14501
16504
  copyMode: "none",
14502
16505
  description: "Reasoning permissions are principal-specific policy rows."
14503
16506
  },
14504
16507
  {
14505
- component: "identity",
16508
+ component: "control-plane",
14506
16509
  table: "tenantApiKeys",
14507
16510
  prepopulation: "runtime_secret",
14508
16511
  copyMode: "none",
14509
16512
  description: "API keys are tenant credentials and must never be copied."
14510
16513
  },
14511
16514
  {
14512
- component: "identity",
16515
+ component: "control-plane",
14513
16516
  table: "tenantConfig",
14514
16517
  prepopulation: "required_template",
14515
16518
  copyMode: "template_tenant_rewrite",
@@ -14518,7 +16521,7 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
14518
16521
  description: "Tenant-local config defaults are rewritten during bootstrap."
14519
16522
  },
14520
16523
  {
14521
- component: "identity",
16524
+ component: "control-plane",
14522
16525
  table: "tenantIntegrations",
14523
16526
  prepopulation: "required_template",
14524
16527
  copyMode: "template_tenant_rewrite",
@@ -14527,14 +16530,21 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
14527
16530
  description: "Non-secret integration descriptors are rewritten into each tenant."
14528
16531
  },
14529
16532
  {
14530
- component: "identity",
16533
+ component: "control-plane",
14531
16534
  table: "tenantModelSlotBindings",
14532
16535
  prepopulation: "runtime_secret",
14533
16536
  copyMode: "none",
14534
16537
  description: "Tenant model slot bindings reference provider secrets and are runtime-only."
14535
16538
  },
14536
16539
  {
14537
- component: "identity",
16540
+ component: "control-plane",
16541
+ table: "tenantPermitSyncStates",
16542
+ prepopulation: "runtime_derived",
16543
+ copyMode: "none",
16544
+ description: "Tenant Permit sync state rows are runtime reconciliation state."
16545
+ },
16546
+ {
16547
+ component: "control-plane",
14538
16548
  table: "tenantPolicies",
14539
16549
  prepopulation: "required_template",
14540
16550
  copyMode: "template_tenant_rewrite",
@@ -14543,42 +16553,42 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
14543
16553
  description: "Default tenant policy roles are rewritten during bootstrap."
14544
16554
  },
14545
16555
  {
14546
- component: "identity",
16556
+ component: "control-plane",
14547
16557
  table: "tenantProviderSecrets",
14548
16558
  prepopulation: "runtime_secret",
14549
16559
  copyMode: "none",
14550
16560
  description: "Provider secrets are credentials and must never be copied."
14551
16561
  },
14552
16562
  {
14553
- component: "identity",
16563
+ component: "control-plane",
14554
16564
  table: "tenantProxyGatewayUsage",
14555
16565
  prepopulation: "runtime_log",
14556
16566
  copyMode: "none",
14557
16567
  description: "Proxy gateway usage rows are runtime telemetry."
14558
16568
  },
14559
16569
  {
14560
- component: "identity",
16570
+ component: "control-plane",
14561
16571
  table: "tenantProxyTokenMints",
14562
16572
  prepopulation: "runtime_secret",
14563
16573
  copyMode: "none",
14564
16574
  description: "Proxy token mints are ephemeral secret-bearing runtime rows."
14565
16575
  },
14566
16576
  {
14567
- component: "identity",
16577
+ component: "control-plane",
14568
16578
  table: "tenantSandboxAuditEvents",
14569
16579
  prepopulation: "runtime_log",
14570
16580
  copyMode: "none",
14571
16581
  description: "Sandbox audit rows are runtime security logs."
14572
16582
  },
14573
16583
  {
14574
- component: "identity",
16584
+ component: "control-plane",
14575
16585
  table: "tenantSecrets",
14576
16586
  prepopulation: "runtime_secret",
14577
16587
  copyMode: "none",
14578
16588
  description: "Tenant secrets are credentials and must never be copied."
14579
16589
  },
14580
16590
  {
14581
- component: "identity",
16591
+ component: "control-plane",
14582
16592
  table: "toolAcls",
14583
16593
  prepopulation: "required_template",
14584
16594
  copyMode: "template_global",
@@ -14587,7 +16597,7 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
14587
16597
  description: "Default role-to-tool grants are required for SDK/MCP tool access."
14588
16598
  },
14589
16599
  {
14590
- component: "identity",
16600
+ component: "control-plane",
14591
16601
  table: "toolRegistry",
14592
16602
  prepopulation: "required_template",
14593
16603
  copyMode: "template_global",
@@ -14596,7 +16606,7 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
14596
16606
  description: "Core tool catalog rows are required before pack or tenant tools exist."
14597
16607
  },
14598
16608
  {
14599
- component: "identity",
16609
+ component: "control-plane",
14600
16610
  table: "users",
14601
16611
  prepopulation: "runtime_bootstrap",
14602
16612
  copyMode: "none",