@lucern/events 0.3.0-alpha.12 → 0.3.0-alpha.14

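--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -1144,6 +1144,35 @@ defineTable({
  { kind: "index", name: "by_source", columns: ["source"] }
  ]
  });
+ defineTable({
+ name: "domainEvents",
+ component: "kernel",
+ category: "events",
+ shape: z.object({
+ "eventId": z.string(),
+ "type": z.string(),
+ "version": z.string(),
+ "timestamp": z.number(),
+ "tenantId": z.string().optional(),
+ "workspaceId": z.string().optional(),
+ "topicId": z.string(),
+ "resourceId": z.string(),
+ "resourceType": z.string(),
+ "actorId": z.string(),
+ "actorType": z.enum(["human", "agent", "service"]),
+ "data": z.record(z.any()),
+ "correlationId": z.string().optional(),
+ "expiresAt": z.number()
+ }),
+ indices: [
+ { kind: "index", name: "by_eventId", columns: ["eventId"] },
+ { kind: "index", name: "by_topic_timestamp", columns: ["topicId", "timestamp"] },
+ { kind: "index", name: "by_tenant_workspace_timestamp", columns: ["tenantId", "workspaceId", "timestamp"] },
+ { kind: "index", name: "by_type_timestamp", columns: ["type", "timestamp"] },
+ { kind: "index", name: "by_resource", columns: ["resourceType", "resourceId", "timestamp"] },
+ { kind: "index", name: "by_expiresAt", columns: ["expiresAt"] }
+ ]
+ });
  defineTable({
  name: "beliefConfidence",
  component: "kernel",
@@ -4550,7 +4579,10 @@ defineTable({
  }),
  indices: [
  { kind: "index", name: "by_principalId", columns: ["principalId"] },
+ { kind: "index", name: "by_provider_subject", columns: ["provider", "providerSubjectId"] },
+ { kind: "index", name: "by_provider_project_subject", columns: ["provider", "providerProjectId", "providerSubjectId"] },
  { kind: "index", name: "by_tenant_provider_subject", columns: ["tenantId", "provider", "providerSubjectId"] },
+ { kind: "index", name: "by_tenant_provider_project_subject", columns: ["tenantId", "provider", "providerProjectId", "providerSubjectId"] },
  {
  kind: "index",
  name: "by_tenant_provider_alias",
@@ -9523,7 +9555,7 @@ var IDENTITY_WHOAMI = {
  description: "Canonical identity summary for the current session",
  fields: {
  principalId: "string \u2014 canonical federated principal identifier",
- principalType: "string \u2014 human, service, or agent",
+ principalType: "string \u2014 human, service, agent, group, or external_viewer",
  tenantId: "string | undefined \u2014 resolved tenant scope",
  workspaceId: "string | undefined \u2014 resolved workspace scope",
  scopes: "string[] | undefined \u2014 granted scopes for this session",
@@ -9534,6 +9566,49 @@ var IDENTITY_WHOAMI = {
  ontologyPrimitive: "identity",
  tier: "workhorse"
  };
+ var RESOLVE_INTERACTIVE_PRINCIPAL = {
+ name: "resolve_interactive_principal",
+ description: "Read the Permit-backed Lucern principal context for an authenticated Clerk user. Like `git config --get user.email` plus the repository ACL \u2014 resolves the identity alias into the canonical authorization subject.",
+ parameters: {
+ clerkId: {
+ type: "string",
+ description: "Authenticated Clerk subject (`sub`). Clerk proves identity only; it is not the authorization record."
+ },
+ tenantId: {
+ type: "string",
+ description: "Optional tenant scope. Omit only when the Clerk alias is globally unambiguous."
+ },
+ workspaceId: {
+ type: "string",
+ description: "Optional workspace scope. Required when the principal has access to multiple workspaces and no default can be inferred."
+ },
+ providerProjectId: {
+ type: "string",
+ description: "Optional Clerk project or provider instance id for tenants with multiple identity providers."
+ }
+ },
+ required: ["clerkId"],
+ response: {
+ description: "Permit-backed Lucern principal context for tenant SDK bootstrap",
+ fields: {
+ principalId: "string \u2014 canonical Lucern principal identifier",
+ principalType: "string \u2014 human, service, agent, group, or external_viewer",
+ clerkId: "string \u2014 authenticated Clerk subject alias",
+ tenantId: "string \u2014 resolved tenant scope",
+ workspaceId: "string | null \u2014 resolved workspace scope",
+ roles: "string[] \u2014 effective Permit roles",
+ scopes: "string[] \u2014 effective scopes derived from Permit/control-plane projection",
+ groupIds: "string[] \u2014 active Permit group memberships",
+ principalStatus: "string \u2014 active, invited, suspended, disabled, revoked, or missing",
+ tenantStatus: "string \u2014 projected tenant resource status",
+ workspaceStatus: "string \u2014 projected workspace resource status",
+ permit: "object \u2014 Permit subject, tenant, and optional workspace tuple"
+ }
+ },
+ ownerModule: "control-plane",
+ ontologyPrimitive: "identity",
+ tier: "workhorse"
+ };
  var COMPILE_CONTEXT = {
  name: "compile_context",
  description: "Compile a focused reasoning context. If topicId is omitted, Lucern resolves the best topic from the query. Like `git log --graph --decorate` for the reasoning substrate \u2014 returns the canonical Pillar 3 context pack through the public API shape.",
@@ -11436,6 +11511,7 @@ var MCP_TOOL_CONTRACTS = {
  update_worktree_targets: UPDATE_WORKTREE_TARGETS,
  update_worktree_metadata: UPDATE_WORKTREE_METADATA,
  identity_whoami: IDENTITY_WHOAMI,
+ resolve_interactive_principal: RESOLVE_INTERACTIVE_PRINCIPAL,
  compile_context: COMPILE_CONTEXT,
  record_scope_learning: RECORD_SCOPE_LEARNING,
  pipeline_snapshot: PIPELINE_SNAPSHOT,
@@ -11553,6 +11629,7 @@ function entries(names, surfaceClass, surfaceIntent, surfaces, rationale) {
  var MCP_CORE_OPERATION_NAMES = [
  "compile_context",
  "identity_whoami",
+ "resolve_interactive_principal",
  "check_permission",
  "filter_by_permission",
  "create_belief",
@@ -12106,7 +12183,13 @@ function surfaceContract(args) {
  scopes: args.scopes ?? [
  args.kind === "query" ? `${args.domain}.read` : `${args.domain}.write`
  ],
- allowedPrincipalTypes: ["user", "service", "agent"]
+ allowedPrincipalTypes: [
+ "user",
+ "service",
+ "agent",
+ "group",
+ "external_viewer"
+ ]
  },
  convex: args.convex,
  gateway: args.gateway,
@@ -12248,8 +12331,6 @@ var contextContracts = [
  args: observationContextArgs
  })
  ];
-
- // ../contracts/src/function-registry/identity.ts
  var withPrincipal = (input, context) => ({
  ...input,
  tenantId: input.tenantId ?? context.tenantId,
@@ -12275,6 +12356,28 @@ var identityContracts = [
  inputProjection: withPrincipal
  }
  }),
+ surfaceContract({
+ name: "resolve_interactive_principal",
+ kind: "query",
+ domain: "controlPlane",
+ surfaceClass: "platform_public",
+ method: "POST",
+ path: "/control-plane/identity/resolve-interactive-principal",
+ sdkNamespace: "controlPlane.identity",
+ sdkMethod: "resolveInteractivePrincipal",
+ summary: "Resolve an authenticated Clerk user into a Permit-backed Lucern principal context.",
+ args: z.object({
+ clerkId: z.string().min(1),
+ tenantId: z.string().min(1).optional(),
+ workspaceId: z.string().min(1).optional(),
+ providerProjectId: z.string().min(1).optional()
+ }),
+ convex: {
+ module: "identity",
+ functionName: "resolveInteractivePrincipal",
+ kind: "query"
+ }
+ }),
  surfaceContract({
  name: "check_permission",
  kind: "query",
@@ -16078,6 +16181,13 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
  copyMode: "none",
  description: "Deliberation sessions are created by tenant workflows."
  },
+ {
+ component: "kernel",
+ table: "domainEvents",
+ prepopulation: "runtime_log",
+ copyMode: "none",
+ description: "Domain event rows are append-only runtime audit/exhaust data."
+ },
  {
  component: "kernel",
  table: "epistemicAudit",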
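Review bot: The new `resolve_interactive_principal` contract in `identityContracts` accepts `clerkId` as a plain caller-supplied argument (`clerkId: z.string().min(1)`) on a `platform_public` surface, and nothing in the visible contract binds it to the subject of the caller's verified session; unlike the entry just above it, it also declares no `inputProjection: withPrincipal`. Because the response carries roles, scopes, group memberships and principal status, the handler (outside this diff) needs to reject a `clerkId` that differs from the authenticated subject unless the caller is a trusted service, and the parameter description should state that rule, e.g. "Must equal the verified session `sub`; only service principals may resolve other subjects." In the `surfaceContract` hunk the hard-coded default `allowedPrincipalTypes` gains `"group"` and `"external_viewer"`, which appears to admit those types on every contract built through the helper, this one included; keeping the default at `["user", "service", "agent"]` and opting in per contract would be the least-privilege choice. The new `by_provider_subject` and `by_provider_project_subject` indices have no `tenantId` column, so any lookup through them should be followed by an explicit tenant check before a principal is returned.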