@lucern/events 0.3.0-alpha.9 → 1.0.0

package/dist/outbox.js CHANGED
@@ -1,6 +1,20 @@
1
1
  import { z } from 'zod';
2
2
  import { v } from 'convex/values';
3
3
 
4
+ // ../contracts/src/types/reasoning-method.ts
5
+ var REASONING_METHODS = [
6
+ "deductive",
7
+ "inductive",
8
+ "abductive",
9
+ "analogical",
10
+ "causal",
11
+ "correlational",
12
+ "testimonial",
13
+ "statistical",
14
+ "implicit",
15
+ "pattern_match"
16
+ ];
17
+
4
18
  // ../contracts/src/graph-intelligence.contract.ts
5
19
  var GRAPH_INTELLIGENCE_MODE_TOOL_NAMES = {
6
20
  core: [
@@ -783,7 +797,7 @@ defineTable({
783
797
  });
784
798
  defineTable({
785
799
  name: "agents",
786
- component: "identity",
800
+ component: "control-plane",
787
801
  category: "agent",
788
802
  shape: z.object({
789
803
  "slug": z.string(),
@@ -814,6 +828,8 @@ defineTable({
814
828
  category: "tenant",
815
829
  shape: z.object({
816
830
  "tenantId": idOf("tenants"),
831
+ "workspaceId": idOf("workspaces").optional(),
832
+ "environment": z.enum(["dev", "staging", "prod"]).optional(),
817
833
  "keyPrefix": z.enum(["luc", "stk"]),
818
834
  "keyHash": z.string(),
819
835
  "keyHint": z.string(),
@@ -841,7 +857,7 @@ defineTable({
841
857
  shape: z.object({
842
858
  "tenantId": idOf("tenants").optional(),
843
859
  "apiKeyId": idOf("apiKeys").optional(),
844
- "action": z.enum(["key_created", "key_revoked", "key_expired", "key_used", "tenant_secret_created", "tenant_secret_rotated", "tenant_secret_revoked", "tenant_slot_binding_upserted", "tenant_slot_binding_revoked", "proxy_token_minted", "proxy_request_recorded", "tenant_created", "tenant_updated", "tenant_suspended", "tenant_archived", "tenant_reactivated", "principal_created", "principal_updated", "principal_suspended", "membership_created", "membership_updated", "membership_revoked", "group_created", "group_updated", "group_deleted", "group_member_added", "group_member_removed", "workspace_created", "workspace_updated", "workspace_archived", "workspace_deployment_set", "workspace_deployment_removed", "service_key_created", "service_key_rotated", "service_key_revoked", "service_key_used", "service_key_auth_failed", "session_created", "session_validated", "session_revoked", "session_cascade_revoked", "session_expired", "sandbox_created", "sandbox_secret_injected", "sandbox_execution_started", "sandbox_execution_completed", "sandbox_limit_violated", "policy_created", "policy_updated", "policy_enforced", "policy_archived", "agent_registered", "agent_updated", "tool_registered", "tool_updated", "pack_entitled", "pack_installed", "pack_enabled", "pack_disabled", "pack_entitlement_revoked", "pack_upgraded", "pack_upgrade_committed", "pack_upgrade_rolled_back", "pack_group_assigned", "pack_group_unassigned", "methodology_pack_created", "methodology_pack_updated", "methodology_pack_assigned", "methodology_pack_removed", "pack_assigned_to_group", "pack_revoked_from_group", "pack_ontology_materialized", "pack_ontology_topic_bound", "cutover_flag_set", "cutover_flag_cleared"]),
860
+ "action": z.enum(["key_created", "key_revoked", "key_expired", "key_used", "tenant_secret_created", "tenant_secret_rotated", "tenant_secret_revoked", "tenant_slot_binding_upserted", "tenant_slot_binding_revoked", "proxy_token_minted", "proxy_token_lease_issued", "proxy_token_lease_renewed", "proxy_token_lease_revoked", "proxy_request_recorded", "tenant_created", "tenant_updated", "tenant_suspended", "tenant_archived", "tenant_reactivated", "tenant_clerk_organization_linked", "tenant_canonical_identity_repaired", "principal_created", "principal_updated", "principal_suspended", "principal_identity_alias_upserted", "principal_identity_alias_revoked", "membership_created", "membership_updated", "membership_revoked", "group_created", "group_updated", "group_deleted", "group_member_added", "group_member_removed", "workspace_created", "workspace_updated", "workspace_archived", "workspace_deployment_set", "workspace_deployment_removed", "deployment_host_registered", "deployment_host_revoked", "service_key_created", "service_key_rotated", "service_key_revoked", "service_key_used", "service_key_auth_failed", "session_created", "session_validated", "session_revoked", "session_cascade_revoked", "session_expired", "sandbox_created", "sandbox_secret_injected", "sandbox_execution_started", "sandbox_execution_completed", "sandbox_limit_violated", "policy_created", "policy_updated", "policy_enforced", "policy_archived", "permit_sync_enqueued", "permit_sync_succeeded", "permit_sync_failed", "permit_sync_skipped", "agent_registered", "agent_updated", "tool_registered", "tool_updated", "pack_entitled", "pack_installed", "pack_enabled", "pack_disabled", "pack_entitlement_revoked", "pack_upgraded", "pack_upgrade_committed", "pack_upgrade_rolled_back", "pack_group_assigned", "pack_group_unassigned", "methodology_pack_created", "methodology_pack_updated", "methodology_pack_assigned", "methodology_pack_removed", "pack_assigned_to_group", "pack_revoked_from_group", 
"pack_ontology_materialized", "pack_ontology_topic_bound", "cutover_flag_set", "cutover_flag_cleared"]),
845
861
  "actorClerkId": z.string(),
846
862
  "details": z.any().optional(),
847
863
  "createdAt": z.number()
@@ -1065,6 +1081,35 @@ defineTable({
1065
1081
  { kind: "index", name: "by_source", columns: ["source"] }
1066
1082
  ]
1067
1083
  });
1084
+ defineTable({
1085
+ name: "domainEvents",
1086
+ component: "kernel",
1087
+ category: "events",
1088
+ shape: z.object({
1089
+ "eventId": z.string(),
1090
+ "type": z.string(),
1091
+ "version": z.string(),
1092
+ "timestamp": z.number(),
1093
+ "tenantId": z.string().optional(),
1094
+ "workspaceId": z.string().optional(),
1095
+ "topicId": z.string(),
1096
+ "resourceId": z.string(),
1097
+ "resourceType": z.string(),
1098
+ "actorId": z.string(),
1099
+ "actorType": z.enum(["human", "agent", "service"]),
1100
+ "data": z.record(z.any()),
1101
+ "correlationId": z.string().optional(),
1102
+ "expiresAt": z.number()
1103
+ }),
1104
+ indices: [
1105
+ { kind: "index", name: "by_eventId", columns: ["eventId"] },
1106
+ { kind: "index", name: "by_topic_timestamp", columns: ["topicId", "timestamp"] },
1107
+ { kind: "index", name: "by_tenant_workspace_timestamp", columns: ["tenantId", "workspaceId", "timestamp"] },
1108
+ { kind: "index", name: "by_type_timestamp", columns: ["type", "timestamp"] },
1109
+ { kind: "index", name: "by_resource", columns: ["resourceType", "resourceId", "timestamp"] },
1110
+ { kind: "index", name: "by_expiresAt", columns: ["expiresAt"] }
1111
+ ]
1112
+ });
1068
1113
  defineTable({
1069
1114
  name: "beliefConfidence",
1070
1115
  component: "kernel",
@@ -1720,29 +1765,37 @@ defineTable({
1720
1765
  component: "mc",
1721
1766
  category: "runtime",
1722
1767
  shape: z.object({
1723
- "shimId": z.string(),
1724
- "gateId": z.string(),
1725
- "removalDate": z.string(),
1726
- "removalPriority": z.enum(["P1", "P2", "P3"]),
1727
- "description": z.string(),
1728
- "owner": z.string(),
1729
- "createdAt": z.string(),
1730
- "status": z.enum(["active", "overdue", "removed"]),
1731
- "bridgeType": z.enum(["tool", "agent"]),
1732
- "bridgeTarget": z.object({
1733
- "type": z.enum(["tool", "agent"]),
1734
- "legacyPath": z.string(),
1735
- "harnessPath": z.string()
1768
+ shimId: z.string(),
1769
+ gateId: z.string(),
1770
+ removalDate: z.string(),
1771
+ removalPriority: z.enum(["P1", "P2", "P3"]),
1772
+ description: z.string(),
1773
+ owner: z.string(),
1774
+ createdAt: z.string(),
1775
+ status: z.enum(["active", "overdue", "removed"]),
1776
+ bridgeType: z.enum(["tool", "agent"]),
1777
+ bridgeTarget: z.object({
1778
+ type: z.enum(["tool", "agent"]),
1779
+ legacyPath: z.string(),
1780
+ harnessPath: z.string()
1736
1781
  }),
1737
- "shimBehavior": z.enum(["passthrough_with_logging", "adapter", "feature_flag_gate"]),
1738
- "producesLedgerEntries": z.boolean(),
1739
- "lastAuditedAt": z.number(),
1740
- "metadata": z.record(z.any()).optional()
1782
+ shimBehavior: z.enum([
1783
+ "passthrough_with_logging",
1784
+ "adapter",
1785
+ "feature_flag_gate"
1786
+ ]),
1787
+ producesLedgerEntries: z.boolean(),
1788
+ lastAuditedAt: z.number(),
1789
+ metadata: z.record(z.any()).optional()
1741
1790
  }),
1742
1791
  indices: [
1743
1792
  { kind: "index", name: "by_shimId", columns: ["shimId"] },
1744
1793
  { kind: "index", name: "by_status", columns: ["status"] },
1745
- { kind: "index", name: "by_bridgeType_status", columns: ["bridgeType", "status"] }
1794
+ {
1795
+ kind: "index",
1796
+ name: "by_bridgeType_status",
1797
+ columns: ["bridgeType", "status"]
1798
+ }
1746
1799
  ]
1747
1800
  });
1748
1801
  defineTable({
@@ -1750,12 +1803,23 @@ defineTable({
1750
1803
  component: "mc",
1751
1804
  category: "runtime",
1752
1805
  shape: z.object({
1753
- "domain": z.enum(["graph", "schema", "identity", "policy", "audit", "admin", "agent", "tool", "prompt", "intelligence"]),
1754
- "state": z.enum(["legacy", "cutover", "disabled"]),
1755
- "metadata": z.record(z.any()).optional(),
1756
- "updatedBy": z.string(),
1757
- "createdAt": z.number(),
1758
- "updatedAt": z.number()
1806
+ domain: z.enum([
1807
+ "graph",
1808
+ "schema",
1809
+ "identity",
1810
+ "policy",
1811
+ "audit",
1812
+ "admin",
1813
+ "agent",
1814
+ "tool",
1815
+ "prompt",
1816
+ "intelligence"
1817
+ ]),
1818
+ state: z.enum(["legacy", "cutover", "disabled"]),
1819
+ metadata: z.record(z.any()).optional(),
1820
+ updatedBy: z.string(),
1821
+ createdAt: z.number(),
1822
+ updatedAt: z.number()
1759
1823
  }),
1760
1824
  indices: [
1761
1825
  { kind: "index", name: "by_domain", columns: ["domain"] },
@@ -1767,57 +1831,193 @@ defineTable({
1767
1831
  component: "mc",
1768
1832
  category: "runtime",
1769
1833
  shape: z.object({
1770
- "credentialRef": z.string(),
1771
- "tenantId": idOf("tenants"),
1772
- "target": z.enum(["kernelDeployment", "appDeployment"]),
1773
- "environment": z.enum(["dev", "staging", "prod"]),
1774
- "encryptedDeployKey": z.string(),
1775
- "encryptionVersion": z.string(),
1776
- "keyFingerprint": z.string(),
1777
- "keyHint": z.string(),
1778
- "status": z.enum(["active", "revoked"]),
1779
- "rotatedFromCredentialRef": z.string().optional(),
1780
- "revokedAt": z.number().optional(),
1781
- "revokedBy": z.string().optional(),
1782
- "lastUsedAt": z.number().optional(),
1783
- "metadata": z.record(z.any()).optional(),
1784
- "createdBy": z.string(),
1785
- "createdAt": z.number(),
1786
- "updatedAt": z.number()
1834
+ credentialRef: z.string(),
1835
+ tenantId: idOf("tenants"),
1836
+ workspaceId: idOf("workspaces").optional(),
1837
+ target: z.enum(["kernelDeployment", "appDeployment"]),
1838
+ environment: z.enum(["dev", "staging", "prod"]),
1839
+ encryptedDeployKey: z.string(),
1840
+ encryptionVersion: z.string(),
1841
+ keyFingerprint: z.string(),
1842
+ keyHint: z.string(),
1843
+ status: z.enum(["active", "revoked"]),
1844
+ rotatedFromCredentialRef: z.string().optional(),
1845
+ revokedAt: z.number().optional(),
1846
+ revokedBy: z.string().optional(),
1847
+ lastUsedAt: z.number().optional(),
1848
+ metadata: z.record(z.any()).optional(),
1849
+ createdBy: z.string(),
1850
+ createdAt: z.number(),
1851
+ updatedAt: z.number()
1787
1852
  }),
1788
1853
  indices: [
1789
1854
  { kind: "index", name: "by_credentialRef", columns: ["credentialRef"] },
1790
1855
  { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
1791
- { kind: "index", name: "by_tenant_target", columns: ["tenantId", "target"] },
1792
- { kind: "index", name: "by_tenant_target_environment", columns: ["tenantId", "target", "environment"] },
1793
- { kind: "index", name: "by_tenant_target_environment_status", columns: ["tenantId", "target", "environment", "status"] },
1856
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
1857
+ {
1858
+ kind: "index",
1859
+ name: "by_tenant_target",
1860
+ columns: ["tenantId", "target"]
1861
+ },
1862
+ {
1863
+ kind: "index",
1864
+ name: "by_tenant_target_environment",
1865
+ columns: ["tenantId", "target", "environment"]
1866
+ },
1867
+ {
1868
+ kind: "index",
1869
+ name: "by_tenant_target_environment_status",
1870
+ columns: ["tenantId", "target", "environment", "status"]
1871
+ },
1872
+ {
1873
+ kind: "index",
1874
+ name: "by_tenant_workspace_target_environment_status",
1875
+ columns: ["tenantId", "workspaceId", "target", "environment", "status"]
1876
+ },
1794
1877
  { kind: "index", name: "by_status", columns: ["status"] }
1795
1878
  ]
1796
1879
  });
1880
+ defineTable({
1881
+ name: "permitSyncStates",
1882
+ component: "mc",
1883
+ category: "runtime",
1884
+ shape: z.object({
1885
+ syncKey: z.string(),
1886
+ objectType: z.enum([
1887
+ "resource",
1888
+ "role",
1889
+ "resource_role",
1890
+ "resource_relation",
1891
+ "tenant",
1892
+ "workspace",
1893
+ "principal",
1894
+ "membership",
1895
+ "group",
1896
+ "resource_instance",
1897
+ "relationship_tuple",
1898
+ "role_assignment"
1899
+ ]),
1900
+ objectId: z.string(),
1901
+ tenantId: idOf("tenants").optional(),
1902
+ workspaceId: idOf("workspaces").optional(),
1903
+ principalId: z.string().optional(),
1904
+ permitTenantKey: z.string().optional(),
1905
+ permitResourceType: z.string().optional(),
1906
+ permitResourceKey: z.string().optional(),
1907
+ desiredPayload: z.record(z.any()),
1908
+ lastAppliedPayloadHash: z.string().optional(),
1909
+ status: z.enum(["pending", "synced", "error", "skipped"]),
1910
+ attemptCount: z.number(),
1911
+ lastError: z.string().optional(),
1912
+ nextAttemptAt: z.number().optional(),
1913
+ lastSyncedAt: z.number().optional(),
1914
+ createdBy: z.string(),
1915
+ updatedBy: z.string().optional(),
1916
+ createdAt: z.number(),
1917
+ updatedAt: z.number()
1918
+ }),
1919
+ indices: [
1920
+ { kind: "index", name: "by_syncKey", columns: ["syncKey"] },
1921
+ { kind: "index", name: "by_status", columns: ["status"] },
1922
+ {
1923
+ kind: "index",
1924
+ name: "by_tenant_status",
1925
+ columns: ["tenantId", "status"]
1926
+ },
1927
+ {
1928
+ kind: "index",
1929
+ name: "by_workspace_status",
1930
+ columns: ["workspaceId", "status"]
1931
+ },
1932
+ {
1933
+ kind: "index",
1934
+ name: "by_principal_status",
1935
+ columns: ["principalId", "status"]
1936
+ }
1937
+ ]
1938
+ });
1939
+ defineTable({
1940
+ name: "secretSyncDriftReports",
1941
+ component: "mc",
1942
+ category: "runtime",
1943
+ shape: z.object({
1944
+ reportId: z.string(),
1945
+ source: z.enum(["infisical_manifest", "manual", "ci"]),
1946
+ generatedAt: z.number(),
1947
+ recordedAt: z.number(),
1948
+ recordedBy: z.string(),
1949
+ status: z.enum([
1950
+ "in_sync",
1951
+ "drift",
1952
+ "exception",
1953
+ "blocked",
1954
+ "not_observed"
1955
+ ]),
1956
+ reportHash: z.string(),
1957
+ manifestHash: z.string().optional(),
1958
+ dryRunReceiptId: z.string().optional(),
1959
+ appliedReceiptId: z.string().optional(),
1960
+ summary: z.object({
1961
+ totalPipelines: z.number(),
1962
+ inSync: z.number(),
1963
+ drift: z.number(),
1964
+ exception: z.number(),
1965
+ blocked: z.number(),
1966
+ notObserved: z.number(),
1967
+ missingKeys: z.number(),
1968
+ valueDriftKeys: z.number(),
1969
+ extraKeys: z.number(),
1970
+ deniedConvexLeakage: z.number(),
1971
+ approvedExceptions: z.number()
1972
+ }),
1973
+ redactedReport: z.record(z.any()),
1974
+ metadata: z.record(z.any()).optional()
1975
+ }),
1976
+ indices: [
1977
+ { kind: "index", name: "by_reportId", columns: ["reportId"] },
1978
+ { kind: "index", name: "by_reportHash", columns: ["reportHash"] },
1979
+ { kind: "index", name: "by_generatedAt", columns: ["generatedAt"] },
1980
+ {
1981
+ kind: "index",
1982
+ name: "by_status_generatedAt",
1983
+ columns: ["status", "generatedAt"]
1984
+ }
1985
+ ]
1986
+ });
1797
1987
  defineTable({
1798
1988
  name: "controlPlaneTenantModelSlotBindings",
1799
1989
  component: "mc",
1800
1990
  category: "runtime",
1801
1991
  shape: z.object({
1802
- "bindingId": z.string(),
1803
- "tenantId": idOf("tenants"),
1804
- "providerId": z.string(),
1805
- "modelSlotId": z.string(),
1806
- "secretRef": z.string(),
1807
- "status": z.enum(["active", "revoked"]),
1808
- "passThroughOnly": z.boolean(),
1809
- "revokedAt": z.number().optional(),
1810
- "revokedBy": z.string().optional(),
1811
- "metadata": z.record(z.any()).optional(),
1812
- "createdBy": z.string(),
1813
- "createdAt": z.number(),
1814
- "updatedAt": z.number()
1992
+ bindingId: z.string(),
1993
+ tenantId: idOf("tenants"),
1994
+ workspaceId: idOf("workspaces").optional(),
1995
+ environment: z.enum(["dev", "staging", "prod"]).optional(),
1996
+ providerId: z.string(),
1997
+ modelSlotId: z.string(),
1998
+ secretRef: z.string(),
1999
+ status: z.enum(["active", "revoked"]),
2000
+ passThroughOnly: z.boolean(),
2001
+ revokedAt: z.number().optional(),
2002
+ revokedBy: z.string().optional(),
2003
+ metadata: z.record(z.any()).optional(),
2004
+ createdBy: z.string(),
2005
+ createdAt: z.number(),
2006
+ updatedAt: z.number()
1815
2007
  }),
1816
2008
  indices: [
1817
2009
  { kind: "index", name: "by_bindingId", columns: ["bindingId"] },
1818
2010
  { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
1819
- { kind: "index", name: "by_tenant_slot", columns: ["tenantId", "modelSlotId"] },
1820
- { kind: "index", name: "by_tenant_provider_slot", columns: ["tenantId", "providerId", "modelSlotId"] },
2011
+ {
2012
+ kind: "index",
2013
+ name: "by_tenant_slot",
2014
+ columns: ["tenantId", "modelSlotId"]
2015
+ },
2016
+ {
2017
+ kind: "index",
2018
+ name: "by_tenant_provider_slot",
2019
+ columns: ["tenantId", "providerId", "modelSlotId"]
2020
+ },
1821
2021
  { kind: "index", name: "by_secretRef", columns: ["secretRef"] },
1822
2022
  { kind: "index", name: "by_status", columns: ["status"] }
1823
2023
  ]
@@ -1827,29 +2027,42 @@ defineTable({
1827
2027
  component: "mc",
1828
2028
  category: "runtime",
1829
2029
  shape: z.object({
1830
- "secretRef": z.string(),
1831
- "tenantId": idOf("tenants"),
1832
- "providerId": z.string(),
1833
- "label": z.string().optional(),
1834
- "encryptedSecret": z.string(),
1835
- "encryptionVersion": z.string(),
1836
- "secretFingerprint": z.string(),
1837
- "keyHint": z.string(),
1838
- "status": z.enum(["active", "revoked"]),
1839
- "rotatedFromSecretRef": z.string().optional(),
1840
- "revokedAt": z.number().optional(),
1841
- "revokedBy": z.string().optional(),
1842
- "lastUsedAt": z.number().optional(),
1843
- "metadata": z.record(z.any()).optional(),
1844
- "createdBy": z.string(),
1845
- "createdAt": z.number(),
1846
- "updatedAt": z.number()
2030
+ secretRef: z.string(),
2031
+ tenantId: idOf("tenants"),
2032
+ workspaceId: idOf("workspaces").optional(),
2033
+ environment: z.enum(["dev", "staging", "prod"]).optional(),
2034
+ providerId: z.string(),
2035
+ label: z.string().optional(),
2036
+ encryptedSecret: z.string().optional(),
2037
+ infisicalPath: z.string().optional(),
2038
+ infisicalSecretKey: z.string().optional(),
2039
+ infisicalProjectId: z.string().optional(),
2040
+ encryptionVersion: z.string(),
2041
+ secretFingerprint: z.string(),
2042
+ keyHint: z.string(),
2043
+ status: z.enum(["active", "revoked"]),
2044
+ rotatedFromSecretRef: z.string().optional(),
2045
+ revokedAt: z.number().optional(),
2046
+ revokedBy: z.string().optional(),
2047
+ lastUsedAt: z.number().optional(),
2048
+ metadata: z.record(z.any()).optional(),
2049
+ createdBy: z.string(),
2050
+ createdAt: z.number(),
2051
+ updatedAt: z.number()
1847
2052
  }),
1848
2053
  indices: [
1849
2054
  { kind: "index", name: "by_secretRef", columns: ["secretRef"] },
1850
2055
  { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
1851
- { kind: "index", name: "by_tenant_provider", columns: ["tenantId", "providerId"] },
1852
- { kind: "index", name: "by_tenant_provider_status", columns: ["tenantId", "providerId", "status"] },
2056
+ {
2057
+ kind: "index",
2058
+ name: "by_tenant_provider",
2059
+ columns: ["tenantId", "providerId"]
2060
+ },
2061
+ {
2062
+ kind: "index",
2063
+ name: "by_tenant_provider_status",
2064
+ columns: ["tenantId", "providerId", "status"]
2065
+ },
1853
2066
  { kind: "index", name: "by_status", columns: ["status"] }
1854
2067
  ]
1855
2068
  });
@@ -1858,35 +2071,93 @@ defineTable({
1858
2071
  component: "mc",
1859
2072
  category: "runtime",
1860
2073
  shape: z.object({
1861
- "usageId": z.string(),
1862
- "tenantId": idOf("tenants"),
1863
- "providerId": z.string(),
1864
- "modelSlotId": z.string(),
1865
- "secretRef": z.string(),
1866
- "proxyTokenId": z.string(),
1867
- "sessionId": z.string(),
1868
- "principalId": z.string(),
1869
- "workspaceId": z.string().optional(),
1870
- "modelId": z.string().optional(),
1871
- "requestPath": z.string(),
1872
- "status": z.enum(["success", "error"]),
1873
- "responseStatus": z.number().optional(),
1874
- "inputTokens": z.number().optional(),
1875
- "outputTokens": z.number().optional(),
1876
- "tokenCount": z.number().optional(),
1877
- "latencyMs": z.number(),
1878
- "estimatedCostUsd": z.number().optional(),
1879
- "failureCode": z.string().optional(),
1880
- "metadata": z.record(z.any()).optional(),
1881
- "createdAt": z.number(),
1882
- "updatedAt": z.number()
2074
+ usageId: z.string(),
2075
+ tenantId: idOf("tenants"),
2076
+ providerId: z.string(),
2077
+ modelSlotId: z.string(),
2078
+ secretRef: z.string(),
2079
+ proxyTokenId: z.string(),
2080
+ sessionId: z.string(),
2081
+ principalId: z.string(),
2082
+ workspaceId: z.string().optional(),
2083
+ modelId: z.string().optional(),
2084
+ requestPath: z.string(),
2085
+ status: z.enum(["success", "error"]),
2086
+ responseStatus: z.number().optional(),
2087
+ inputTokens: z.number().optional(),
2088
+ outputTokens: z.number().optional(),
2089
+ tokenCount: z.number().optional(),
2090
+ latencyMs: z.number(),
2091
+ estimatedCostUsd: z.number().optional(),
2092
+ failureCode: z.string().optional(),
2093
+ metadata: z.record(z.any()).optional(),
2094
+ createdAt: z.number(),
2095
+ updatedAt: z.number()
1883
2096
  }),
1884
2097
  indices: [
1885
2098
  { kind: "index", name: "by_usageId", columns: ["usageId"] },
1886
2099
  { kind: "index", name: "by_tenantId", columns: ["tenantId", "createdAt"] },
1887
- { kind: "index", name: "by_tenant_provider", columns: ["tenantId", "providerId", "createdAt"] },
1888
- { kind: "index", name: "by_proxyTokenId", columns: ["proxyTokenId", "createdAt"] },
1889
- { kind: "index", name: "by_sessionId", columns: ["sessionId", "createdAt"] }
2100
+ {
2101
+ kind: "index",
2102
+ name: "by_tenant_provider",
2103
+ columns: ["tenantId", "providerId", "createdAt"]
2104
+ },
2105
+ {
2106
+ kind: "index",
2107
+ name: "by_proxyTokenId",
2108
+ columns: ["proxyTokenId", "createdAt"]
2109
+ },
2110
+ {
2111
+ kind: "index",
2112
+ name: "by_sessionId",
2113
+ columns: ["sessionId", "createdAt"]
2114
+ }
2115
+ ]
2116
+ });
2117
+ defineTable({
2118
+ name: "controlPlaneTenantProxyTokenLeases",
2119
+ component: "mc",
2120
+ category: "runtime",
2121
+ shape: z.object({
2122
+ leaseId: z.string(),
2123
+ proxyTokenId: z.string(),
2124
+ tenantId: idOf("tenants"),
2125
+ workspaceId: idOf("workspaces").optional(),
2126
+ environment: z.enum(["dev", "staging", "prod"]),
2127
+ providerId: z.string(),
2128
+ modelSlotId: z.string(),
2129
+ bindingId: z.string(),
2130
+ secretRef: z.string(),
2131
+ sessionId: z.string(),
2132
+ principalId: z.string(),
2133
+ agentSessionId: z.string().optional(),
2134
+ status: z.enum(["active", "revoked"]),
2135
+ expiresAt: z.number(),
2136
+ renewedAt: z.number().optional(),
2137
+ revokedAt: z.number().optional(),
2138
+ revokedBy: z.string().optional(),
2139
+ revokeReason: z.string().optional(),
2140
+ permitDecisionLogId: idOf("policyDecisionLogs").optional(),
2141
+ permitTraceId: z.string().optional(),
2142
+ metadata: z.record(z.any()).optional(),
2143
+ createdAt: z.number(),
2144
+ updatedAt: z.number()
2145
+ }),
2146
+ indices: [
2147
+ { kind: "index", name: "by_leaseId", columns: ["leaseId"] },
2148
+ { kind: "index", name: "by_proxyTokenId", columns: ["proxyTokenId"] },
2149
+ { kind: "index", name: "by_tenantId", columns: ["tenantId", "createdAt"] },
2150
+ { kind: "index", name: "by_sessionId", columns: ["sessionId", "createdAt"] },
2151
+ {
2152
+ kind: "index",
2153
+ name: "by_principalId",
2154
+ columns: ["principalId", "createdAt"]
2155
+ },
2156
+ {
2157
+ kind: "index",
2158
+ name: "by_status_expiresAt",
2159
+ columns: ["status", "expiresAt"]
2160
+ }
1890
2161
  ]
1891
2162
  });
1892
2163
  defineTable({
@@ -2219,6 +2490,7 @@ defineTable({
2219
2490
  "questionType": z.enum(["validation", "falsification", "assumption_probe", "prediction_test", "counterfactual", "discovery", "clarification", "comparison", "causal", "mechanism", "general"]).optional(),
2220
2491
  "questionPriority": z.enum(["critical", "high", "medium", "low"]).optional(),
2221
2492
  "answerQuality": z.enum(["definitive", "strong", "moderate", "weak", "speculative", "unanswered"]).optional(),
2493
+ "themeStatus": z.enum(["emerging", "active", "mature", "declining", "archived"]).optional(),
2222
2494
  "themeConviction": z.enum(["high", "medium", "low", "negative"]).optional(),
2223
2495
  "decisionType": z.enum(["invest", "pass", "follow_on", "exit", "deep_dive", "monitor", "deprioritize", "thesis_adopt", "thesis_revise", "thesis_abandon"]).optional(),
2224
2496
  "decisionOutcome": z.enum(["pending", "successful", "unsuccessful", "mixed", "unknown"]).optional(),
@@ -2369,6 +2641,7 @@ defineTable({
2369
2641
  indices: [
2370
2642
  { kind: "index", name: "by_principalId", columns: ["principalId"] },
2371
2643
  { kind: "index", name: "by_principal_tenant", columns: ["principalId", "tenantId"] },
2644
+ { kind: "index", name: "by_principal_tenant_workspace", columns: ["principalId", "tenantId", "workspaceId"] },
2372
2645
  { kind: "index", name: "by_workspace_principal", columns: ["workspaceId", "principalId"] },
2373
2646
  { kind: "index", name: "by_tenant_role", columns: ["tenantId", "role"] },
2374
2647
  { kind: "index", name: "by_status", columns: ["status"] }
@@ -2400,6 +2673,36 @@ defineTable({
2400
2673
  { kind: "index", name: "by_status", columns: ["status"] }
2401
2674
  ]
2402
2675
  });
2676
+ defineTable({
2677
+ name: "principalIdentityAliases",
2678
+ component: "mc",
2679
+ category: "identity",
2680
+ shape: z.object({
2681
+ "principalId": z.string(),
2682
+ "principalRefId": idOf("principals").optional(),
2683
+ "provider": z.string(),
2684
+ "providerProjectId": z.string().optional(),
2685
+ "externalSubjectId": z.string(),
2686
+ "tenantId": idOf("tenants").optional(),
2687
+ "workspaceId": idOf("workspaces").optional(),
2688
+ "email": z.string().optional(),
2689
+ "status": z.enum(["active", "revoked"]),
2690
+ "metadata": z.record(z.any()).optional(),
2691
+ "createdBy": z.string(),
2692
+ "revokedAt": z.number().optional(),
2693
+ "revokedBy": z.string().optional(),
2694
+ "createdAt": z.number(),
2695
+ "updatedAt": z.number()
2696
+ }),
2697
+ indices: [
2698
+ { kind: "index", name: "by_provider_subject", columns: ["provider", "externalSubjectId"] },
2699
+ { kind: "index", name: "by_provider_project_subject", columns: ["provider", "providerProjectId", "externalSubjectId"] },
2700
+ { kind: "index", name: "by_principalId", columns: ["principalId"] },
2701
+ { kind: "index", name: "by_principal_status", columns: ["principalId", "status"] },
2702
+ { kind: "index", name: "by_tenant_provider_subject", columns: ["tenantId", "provider", "externalSubjectId"] },
2703
+ { kind: "index", name: "by_workspace_provider_subject", columns: ["workspaceId", "provider", "externalSubjectId"] }
2704
+ ]
2705
+ });
2403
2706
  defineTable({
2404
2707
  name: "rateLimitWindows",
2405
2708
  component: "mc",
@@ -2989,7 +3292,7 @@ defineTable({
2989
3292
  });
2990
3293
  defineTable({
2991
3294
  name: "mcpWritePolicy",
2992
- component: "identity",
3295
+ component: "control-plane",
2993
3296
  category: "platform",
2994
3297
  shape: z.object({
2995
3298
  "topicId": z.string().optional(),
@@ -3012,7 +3315,7 @@ defineTable({
3012
3315
  });
3013
3316
  defineTable({
3014
3317
  name: "platformAudienceGrants",
3015
- component: "identity",
3318
+ component: "control-plane",
3016
3319
  category: "platform",
3017
3320
  shape: z.object({
3018
3321
  "tenantId": z.string(),
@@ -3038,7 +3341,7 @@ defineTable({
3038
3341
  });
3039
3342
  defineTable({
3040
3343
  name: "platformAudiences",
3041
- component: "identity",
3344
+ component: "control-plane",
3042
3345
  category: "platform",
3043
3346
  shape: z.object({
3044
3347
  "tenantId": z.string(),
@@ -3063,7 +3366,7 @@ defineTable({
3063
3366
  });
3064
3367
  defineTable({
3065
3368
  name: "platformPolicyDecisionLogs",
3066
- component: "identity",
3369
+ component: "control-plane",
3067
3370
  category: "platform",
3068
3371
  shape: z.object({
3069
3372
  "principalId": z.string(),
@@ -3099,7 +3402,7 @@ defineTable({
3099
3402
  });
3100
3403
  defineTable({
3101
3404
  name: "tenantApiKeys",
3102
- component: "identity",
3405
+ component: "control-plane",
3103
3406
  category: "platform",
3104
3407
  shape: z.object({
3105
3408
  "tenantId": z.string(),
@@ -3126,7 +3429,7 @@ defineTable({
3126
3429
  });
3127
3430
  defineTable({
3128
3431
  name: "tenantConfig",
3129
- component: "identity",
3432
+ component: "control-plane",
3130
3433
  category: "platform",
3131
3434
  shape: z.object({
3132
3435
  "tenantId": z.string(),
@@ -3145,7 +3448,7 @@ defineTable({
3145
3448
  });
3146
3449
  defineTable({
3147
3450
  name: "tenantIntegrations",
3148
- component: "identity",
3451
+ component: "control-plane",
3149
3452
  category: "platform",
3150
3453
  shape: z.object({
3151
3454
  "tenantId": z.string(),
@@ -3200,7 +3503,7 @@ defineTable({
3200
3503
  });
3201
3504
  defineTable({
3202
3505
  name: "tenantModelSlotBindings",
3203
- component: "identity",
3506
+ component: "control-plane",
3204
3507
  category: "platform",
3205
3508
  shape: z.object({
3206
3509
  "bindingId": z.string(),
@@ -3228,7 +3531,7 @@ defineTable({
3228
3531
  });
3229
3532
  defineTable({
3230
3533
  name: "tenantPolicies",
3231
- component: "identity",
3534
+ component: "control-plane",
3232
3535
  category: "platform",
3233
3536
  shape: z.object({
3234
3537
  "tenantId": z.string(),
@@ -3253,7 +3556,7 @@ defineTable({
3253
3556
  });
3254
3557
  defineTable({
3255
3558
  name: "tenantProviderSecrets",
3256
- component: "identity",
3559
+ component: "control-plane",
3257
3560
  category: "platform",
3258
3561
  shape: z.object({
3259
3562
  "secretRef": z.string(),
@@ -3284,7 +3587,7 @@ defineTable({
3284
3587
  });
3285
3588
  defineTable({
3286
3589
  name: "tenantProxyGatewayUsage",
3287
- component: "identity",
3590
+ component: "control-plane",
3288
3591
  category: "platform",
3289
3592
  shape: z.object({
3290
3593
  "usageId": z.string(),
@@ -3319,7 +3622,7 @@ defineTable({
3319
3622
  });
3320
3623
  defineTable({
3321
3624
  name: "tenantProxyTokenMints",
3322
- component: "identity",
3625
+ component: "control-plane",
3323
3626
  category: "platform",
3324
3627
  shape: z.object({
3325
3628
  "proxyTokenId": z.string(),
@@ -3342,7 +3645,7 @@ defineTable({
3342
3645
  });
3343
3646
  defineTable({
3344
3647
  name: "tenantSandboxAuditEvents",
3345
- component: "identity",
3648
+ component: "control-plane",
3346
3649
  category: "platform",
3347
3650
  shape: z.object({
3348
3651
  "eventId": z.string(),
@@ -3376,7 +3679,7 @@ defineTable({
3376
3679
  });
3377
3680
  defineTable({
3378
3681
  name: "tenantSecrets",
3379
- component: "identity",
3682
+ component: "control-plane",
3380
3683
  category: "platform",
3381
3684
  shape: z.object({
3382
3685
  "tenantId": z.string(),
@@ -3398,7 +3701,7 @@ defineTable({
3398
3701
  });
3399
3702
  defineTable({
3400
3703
  name: "toolAcls",
3401
- component: "identity",
3704
+ component: "control-plane",
3402
3705
  category: "platform",
3403
3706
  shape: z.object({
3404
3707
  "role": z.enum(["platform_admin", "tenant_admin", "workspace_admin", "editor", "viewer", "auditor", "service_agent"]),
@@ -3413,7 +3716,7 @@ defineTable({
3413
3716
  });
3414
3717
  defineTable({
3415
3718
  name: "toolRegistry",
3416
- component: "identity",
3719
+ component: "control-plane",
3417
3720
  category: "platform",
3418
3721
  shape: z.object({
3419
3722
  "toolName": z.string(),
@@ -3494,7 +3797,7 @@ defineTable({
3494
3797
  });
3495
3798
  defineTable({
3496
3799
  name: "modelCallLogs",
3497
- component: "identity",
3800
+ component: "control-plane",
3498
3801
  category: "model",
3499
3802
  shape: z.object({
3500
3803
  "slot": z.string(),
@@ -3520,7 +3823,7 @@ defineTable({
3520
3823
  });
3521
3824
  defineTable({
3522
3825
  name: "modelFunctionSlots",
3523
- component: "identity",
3826
+ component: "control-plane",
3524
3827
  category: "model",
3525
3828
  shape: z.object({
3526
3829
  "slot": z.string(),
@@ -3545,7 +3848,7 @@ defineTable({
3545
3848
  });
3546
3849
  defineTable({
3547
3850
  name: "modelRegistry",
3548
- component: "identity",
3851
+ component: "control-plane",
3549
3852
  category: "model",
3550
3853
  shape: z.object({
3551
3854
  "key": z.string(),
@@ -3572,7 +3875,7 @@ defineTable({
3572
3875
  });
3573
3876
  defineTable({
3574
3877
  name: "modelSlotConfigs",
3575
- component: "identity",
3878
+ component: "control-plane",
3576
3879
  category: "model",
3577
3880
  shape: z.object({
3578
3881
  "slot": z.string(),
@@ -3959,7 +4262,7 @@ defineTable({
3959
4262
  "workspaceId": idOf("workspaces").optional(),
3960
4263
  "resourceType": z.string(),
3961
4264
  "resourceId": z.string(),
3962
- "action": z.enum(["read", "summarize", "export", "mutate", "admin", "comment", "escalate", "resolve", "vote"]),
4265
+ "action": z.enum(["read", "summarize", "export", "mutate", "admin", "comment", "escalate", "resolve", "vote", "route", "invoke", "manage", "deploy", "promote", "rollback", "audit", "read_ref", "fetch_value", "rotate", "administer", "mint", "delegate", "revoke"]),
3963
4266
  "decision": z.enum(["allow", "deny"]),
3964
4267
  "reasonCode": z.string(),
3965
4268
  "policyVersion": z.string(),
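Review bot: The widened `action` enum now lists `admin`, `administer` and `manage` side by side, and nothing in this hunk says how they differ. In a record that also stores `decision` and `reasonCode`, near-synonymous verbs make audit queries and alerting easy to write against the wrong value. The new `permitPolicyDecisionReceipts` table added later in this file types `action` as a free `z.string()`, so the two decision records no longer share one vocabulary. I would hoist the list into one shared constant and use it in both places, e.g. `"action": z.enum(POLICY_ACTIONS),` (the constant name is only a suggestion), with a one-line comment per verb group naming the resource type it applies to. The enclosing `defineTable` call starts and ends outside this hunk, so the table name is not visible here.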
@@ -4021,7 +4324,7 @@ defineTable({
4021
4324
  });
4022
4325
  defineTable({
4023
4326
  name: "projectGrants",
4024
- component: "identity",
4327
+ component: "control-plane",
4025
4328
  category: "project",
4026
4329
  shape: z.object({
4027
4330
  "projectId": z.string().optional(),
@@ -4053,91 +4356,735 @@ defineTable({
4053
4356
  { kind: "index", name: "by_topic_cluster_status", columns: ["topicId", "beliefClusterId", "status"] }
4054
4357
  ]
4055
4358
  });
4359
+ var permitActorType = z.enum([
4360
+ "human",
4361
+ "agent",
4362
+ "service_principal",
4363
+ "external_stakeholder",
4364
+ "system"
4365
+ ]);
4366
+ var permitMembershipStatus = z.enum([
4367
+ "active",
4368
+ "invited",
4369
+ "revoked",
4370
+ "suspended",
4371
+ "disabled"
4372
+ ]);
4373
+ var permitDecision = z.enum(["allow", "deny"]);
4374
+ var permitAccessReviewStatus = z.enum([
4375
+ "open",
4376
+ "in_progress",
4377
+ "approved",
4378
+ "denied",
4379
+ "expired",
4380
+ "cancelled"
4381
+ ]);
4382
+ var permitReviewScope = z.enum([
4383
+ "tenant",
4384
+ "workspace",
4385
+ "resource_instance",
4386
+ "group",
4387
+ "principal",
4388
+ "api_key",
4389
+ "admin_action"
4390
+ ]);
4391
+ var permitRecordStatus = z.enum([
4392
+ "queued",
4393
+ "inflight",
4394
+ "completed",
4395
+ "failed",
4396
+ "skipped",
4397
+ "stale"
4398
+ ]);
4399
+ var permitObjectType = z.enum([
4400
+ "resource",
4401
+ "role",
4402
+ "resource_role",
4403
+ "resource_relation",
4404
+ "tenant",
4405
+ "workspace",
4406
+ "principal",
4407
+ "membership",
4408
+ "group",
4409
+ "resource_instance",
4410
+ "relationship_tuple",
4411
+ "role_assignment",
4412
+ "attribute_binding",
4413
+ "policy_bundle"
4414
+ ]);
4415
+ var permitOutboxOperation = z.enum([
4416
+ "upsert",
4417
+ "delete",
4418
+ "sync",
4419
+ "resync",
4420
+ "delete_sync",
4421
+ "noop"
4422
+ ]);
4423
+ var permitPolicyBundleStatus = z.enum([
4424
+ "draft",
4425
+ "validated",
4426
+ "enforced",
4427
+ "archived"
4428
+ ]);
4429
+ var permitSyncStatus = z.enum([
4430
+ "pending",
4431
+ "synced",
4432
+ "error",
4433
+ "skipped"
4434
+ ]);
4435
+ var permitAccessReviewSubjectType = z.enum([
4436
+ "principal",
4437
+ "group",
4438
+ "role_assignment",
4439
+ "resource_instance"
4440
+ ]);
4441
+ var permitAttributeType = z.enum([
4442
+ "string",
4443
+ "number",
4444
+ "bool",
4445
+ "json",
4446
+ "time"
4447
+ ]);
4448
+ var permitAttributeOperator = z.enum([
4449
+ "eq",
4450
+ "neq",
4451
+ "in",
4452
+ "not_in",
4453
+ "gt",
4454
+ "gte",
4455
+ "lt",
4456
+ "lte",
4457
+ "contains",
4458
+ "not_contains",
4459
+ "matches"
4460
+ ]);
4461
+ var permitRoleBindingTarget = z.enum([
4462
+ "principal",
4463
+ "group"
4464
+ ]);
4056
4465
  defineTable({
4057
- name: "reasoningPermissions",
4058
- component: "identity",
4059
- category: "epistemic",
4466
+ name: "permitPrincipals",
4467
+ component: "control-plane",
4468
+ category: "access-control",
4060
4469
  shape: z.object({
4061
- "topicId": z.string().optional(),
4062
- "principalId": z.string(),
4063
- "nodeType": z.enum(["belief", "evidence", "action", "approval", "artifact"]),
4064
- "action": z.enum(["view_conclusion", "view_evidence", "propose_action", "approve_action", "view_derived_artifact"]),
4065
- "effect": z.enum(["allow", "deny"]),
4066
- "policyReference": z.string().optional(),
4067
- "rationale": z.string().optional(),
4068
- "metadata": z.record(z.any()).optional(),
4069
- "createdAt": z.number(),
4070
- "createdBy": z.string(),
4071
- "updatedAt": z.number()
4470
+ principalId: z.string(),
4471
+ tenantId: z.string(),
4472
+ workspaceId: z.optional(z.string()),
4473
+ principalType: permitActorType,
4474
+ status: permitMembershipStatus,
4475
+ displayName: z.string().optional(),
4476
+ metadata: z.record(z.any()).optional(),
4477
+ createdBy: z.string(),
4478
+ createdAt: z.number(),
4479
+ updatedAt: z.number(),
4480
+ updatedBy: z.string().optional(),
4481
+ lastSeenAt: z.number().optional()
4072
4482
  }),
4073
4483
  indices: [
4074
- { kind: "index", name: "by_topic_principal", columns: ["topicId", "principalId"] },
4075
- { kind: "index", name: "by_topic_principal_action", columns: ["topicId", "principalId", "action"] },
4076
- { kind: "index", name: "by_topic_principal_node_action", columns: ["topicId", "principalId", "nodeType", "action"] },
4077
- { kind: "index", name: "by_principal_action", columns: ["principalId", "action"] }
4484
+ { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
4485
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
4486
+ { kind: "index", name: "by_tenant_principalId", columns: ["tenantId", "principalId"] },
4487
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] },
4488
+ {
4489
+ kind: "index",
4490
+ name: "by_tenant_principalType_status",
4491
+ columns: ["tenantId", "principalType", "status"]
4492
+ }
4078
4493
  ]
4079
4494
  });
4080
4495
  defineTable({
4081
- name: "schemaEnumConfig",
4082
- component: "kernel",
4083
- category: "config",
4496
+ name: "permitPrincipalAliases",
4497
+ component: "control-plane",
4498
+ category: "access-control",
4084
4499
  shape: z.object({
4085
- "tenantId": z.string().optional(),
4086
- "category": z.string(),
4087
- "value": z.string(),
4088
- "label": z.string(),
4089
- "description": z.string().optional(),
4090
- "tier": z.enum(["platform", "tenant"]),
4091
- "domainNamespace": z.string().optional(),
4092
- "metadata": z.any().optional(),
4093
- "isDefault": z.boolean().optional(),
4094
- "sortOrder": z.number().optional(),
4095
- "status": z.enum(["active", "deprecated"]),
4096
- "createdAt": z.number(),
4097
- "updatedAt": z.number()
4500
+ principalId: z.string(),
4501
+ tenantId: z.string(),
4502
+ workspaceId: z.optional(z.string()),
4503
+ provider: z.string(),
4504
+ providerSubjectId: z.string(),
4505
+ providerProjectId: z.string().optional(),
4506
+ alias: z.string(),
4507
+ aliasKind: z.string(),
4508
+ status: permitMembershipStatus,
4509
+ metadata: z.record(z.any()).optional(),
4510
+ createdBy: z.string(),
4511
+ createdAt: z.number(),
4512
+ updatedAt: z.number(),
4513
+ revokedBy: z.string().optional(),
4514
+ revokedAt: z.number().optional(),
4515
+ updatedBy: z.string().optional()
4098
4516
  }),
4099
4517
  indices: [
4100
- { kind: "index", name: "by_category", columns: ["category"] },
4101
- { kind: "index", name: "by_tenant_category", columns: ["tenantId", "category"] },
4102
- { kind: "index", name: "by_category_value", columns: ["category", "value"] }
4518
+ { kind: "index", name: "by_principalId", columns: ["principalId"] },
4519
+ { kind: "index", name: "by_provider_subject", columns: ["provider", "providerSubjectId"] },
4520
+ { kind: "index", name: "by_provider_project_subject", columns: ["provider", "providerProjectId", "providerSubjectId"] },
4521
+ { kind: "index", name: "by_tenant_provider_subject", columns: ["tenantId", "provider", "providerSubjectId"] },
4522
+ { kind: "index", name: "by_tenant_provider_project_subject", columns: ["tenantId", "provider", "providerProjectId", "providerSubjectId"] },
4523
+ {
4524
+ kind: "index",
4525
+ name: "by_tenant_provider_alias",
4526
+ columns: ["tenantId", "provider", "alias"]
4527
+ },
4528
+ { kind: "index", name: "by_tenant_alias", columns: ["tenantId", "alias"] },
4529
+ {
4530
+ kind: "index",
4531
+ name: "by_tenant_provider_status",
4532
+ columns: ["tenantId", "provider", "status"]
4533
+ }
4103
4534
  ]
4104
4535
  });
4105
4536
  defineTable({
4106
- name: "tasks",
4107
- component: "kernel",
4108
- category: "task",
4537
+ name: "permitGroups",
4538
+ component: "control-plane",
4539
+ category: "access-control",
4109
4540
  shape: z.object({
4110
- "topicId": z.string().optional(),
4111
- "tenantId": z.string().optional(),
4112
- "workspaceId": z.string().optional(),
4113
- "title": z.string(),
4114
- "description": z.string().optional(),
4115
- "status": z.enum(["todo", "in_progress", "blocked", "done"]),
4116
- "priority": z.enum(["urgent", "high", "medium", "low"]),
4117
- "dueDate": z.number().optional(),
4118
- "linkedWorktreeId": idOf("worktrees").optional(),
4119
- "linkedBeliefId": z.string().optional(),
4120
- "linkedQuestionId": z.string().optional(),
4121
- "taskType": z.enum(["general", "find_evidence", "verify_claim", "research", "review", "interview", "analysis", "track_metrics"]).optional(),
4122
- "assigneeId": z.string().optional(),
4123
- "blockedReason": z.string().optional(),
4124
- "blockedBy": z.array(idOf("tasks")).optional(),
4125
- "blocks": z.array(idOf("tasks")).optional(),
4126
- "sortOrder": z.number().optional(),
4127
- "executionOrder": z.number().optional(),
4128
- "subtasks": z.array(z.object({
4129
- "id": z.string(),
4130
- "title": z.string(),
4131
- "completed": z.boolean(),
4132
- "completedAt": z.number().optional()
4133
- })).optional(),
4134
- "comments": z.array(z.object({
4135
- "id": z.string(),
4136
- "userId": z.string(),
4137
- "content": z.string(),
4138
- "createdAt": z.number()
4139
- })).optional(),
4140
- "attachments": z.array(z.object({
4541
+ tenantId: z.string(),
4542
+ workspaceId: z.optional(z.string()),
4543
+ groupId: z.string(),
4544
+ groupKey: z.string(),
4545
+ groupName: z.string(),
4546
+ groupType: z.enum(["tenant", "workspace", "external", "system", "dynamic"]),
4547
+ status: permitMembershipStatus,
4548
+ description: z.string().optional(),
4549
+ metadata: z.record(z.any()).optional(),
4550
+ createdBy: z.string(),
4551
+ createdAt: z.number(),
4552
+ updatedAt: z.number(),
4553
+ updatedBy: z.string().optional()
4554
+ }),
4555
+ indices: [
4556
+ { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
4557
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
4558
+ { kind: "index", name: "by_tenant_groupId", columns: ["tenantId", "groupId"] },
4559
+ { kind: "index", name: "by_tenant_groupKey", columns: ["tenantId", "groupKey"] },
4560
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] }
4561
+ ]
4562
+ });
4563
+ defineTable({
4564
+ name: "permitGroupMemberships",
4565
+ component: "control-plane",
4566
+ category: "access-control",
4567
+ shape: z.object({
4568
+ tenantId: z.string(),
4569
+ workspaceId: z.optional(z.string()),
4570
+ groupId: z.string(),
4571
+ memberType: z.enum(["principal", "group"]),
4572
+ memberId: z.string(),
4573
+ principalId: z.string().optional(),
4574
+ childGroupId: z.string().optional(),
4575
+ status: permitMembershipStatus,
4576
+ addedBy: z.string().optional(),
4577
+ revokedBy: z.string().optional(),
4578
+ expiresAt: z.number().optional(),
4579
+ revocationReason: z.string().optional(),
4580
+ metadata: z.record(z.any()).optional(),
4581
+ createdAt: z.number(),
4582
+ updatedAt: z.number(),
4583
+ updatedBy: z.string().optional()
4584
+ }),
4585
+ indices: [
4586
+ { kind: "index", name: "by_tenant_principal", columns: ["tenantId", "principalId"] },
4587
+ { kind: "index", name: "by_tenant_member", columns: ["tenantId", "memberType", "memberId"] },
4588
+ {
4589
+ kind: "index",
4590
+ name: "by_tenant_member_group",
4591
+ columns: ["tenantId", "memberType", "memberId", "groupId"]
4592
+ },
4593
+ { kind: "index", name: "by_tenant_group", columns: ["tenantId", "groupId"] },
4594
+ { kind: "index", name: "by_member_group", columns: ["memberType", "memberId", "groupId"] },
4595
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] },
4596
+ {
4597
+ kind: "index",
4598
+ name: "by_workspace_principal",
4599
+ columns: ["workspaceId", "principalId"]
4600
+ }
4601
+ ]
4602
+ });
4603
+ defineTable({
4604
+ name: "permitResourceInstances",
4605
+ component: "control-plane",
4606
+ category: "access-control",
4607
+ shape: z.object({
4608
+ tenantId: z.string(),
4609
+ workspaceId: z.optional(z.string()),
4610
+ resourceType: z.string(),
4611
+ resourceKey: z.string(),
4612
+ resourceId: z.string(),
4613
+ status: z.enum(["active", "deleted", "archived"]),
4614
+ attributes: z.record(z.any()).optional(),
4615
+ ownerPrincipalId: z.string().optional(),
4616
+ metadata: z.record(z.any()).optional(),
4617
+ createdBy: z.string(),
4618
+ updatedBy: z.string().optional(),
4619
+ createdAt: z.number(),
4620
+ updatedAt: z.number()
4621
+ }),
4622
+ indices: [
4623
+ {
4624
+ kind: "index",
4625
+ name: "by_tenant_resource_type",
4626
+ columns: ["tenantId", "resourceType"]
4627
+ },
4628
+ {
4629
+ kind: "index",
4630
+ name: "by_tenant_resource_key",
4631
+ columns: ["tenantId", "resourceType", "resourceKey"]
4632
+ },
4633
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
4634
+ { kind: "index", name: "by_status", columns: ["status"] },
4635
+ {
4636
+ kind: "index",
4637
+ name: "by_tenant_status",
4638
+ columns: ["tenantId", "status"]
4639
+ },
4640
+ {
4641
+ kind: "index",
4642
+ name: "by_ownerPrincipalId",
4643
+ columns: ["ownerPrincipalId"]
4644
+ }
4645
+ ]
4646
+ });
4647
+ defineTable({
4648
+ name: "permitRoleAssignments",
4649
+ component: "control-plane",
4650
+ category: "access-control",
4651
+ shape: z.object({
4652
+ tenantId: z.string(),
4653
+ workspaceId: z.optional(z.string()),
4654
+ role: z.string(),
4655
+ targetType: permitRoleBindingTarget,
4656
+ targetId: z.string(),
4657
+ resourceType: z.string(),
4658
+ resourceKey: z.string(),
4659
+ resourceInstanceId: z.string().optional(),
4660
+ status: permitMembershipStatus,
4661
+ expiresAt: z.number().optional(),
4662
+ attributes: z.record(z.any()).optional(),
4663
+ grantedBy: z.string().optional(),
4664
+ updatedBy: z.string().optional(),
4665
+ revokedBy: z.string().optional(),
4666
+ createdAt: z.number(),
4667
+ updatedAt: z.number()
4668
+ }),
4669
+ indices: [
4670
+ {
4671
+ kind: "index",
4672
+ name: "by_tenant_target",
4673
+ columns: ["tenantId", "targetType", "targetId"]
4674
+ },
4675
+ {
4676
+ kind: "index",
4677
+ name: "by_tenant_resource",
4678
+ columns: ["tenantId", "resourceType", "resourceKey"]
4679
+ },
4680
+ {
4681
+ kind: "index",
4682
+ name: "by_tenant_role",
4683
+ columns: ["tenantId", "role", "status"]
4684
+ },
4685
+ { kind: "index", name: "by_status", columns: ["status"] },
4686
+ {
4687
+ kind: "index",
4688
+ name: "by_workspace_resource",
4689
+ columns: ["workspaceId", "resourceType", "resourceKey"]
4690
+ }
4691
+ ]
4692
+ });
4693
+ defineTable({
4694
+ name: "permitRelationshipTuples",
4695
+ component: "control-plane",
4696
+ category: "access-control",
4697
+ shape: z.object({
4698
+ tenantId: z.string(),
4699
+ workspaceId: z.optional(z.string()),
4700
+ relation: z.string(),
4701
+ subject: z.string(),
4702
+ object: z.string(),
4703
+ resourceType: z.string().optional(),
4704
+ resourceKey: z.string().optional(),
4705
+ status: permitRecordStatus,
4706
+ attributes: z.record(z.any()).optional(),
4707
+ createdBy: z.string(),
4708
+ createdAt: z.number(),
4709
+ updatedAt: z.number(),
4710
+ lastSeenAt: z.number().optional(),
4711
+ updatedBy: z.string().optional()
4712
+ }),
4713
+ indices: [
4714
+ { kind: "index", name: "by_tenant_subject", columns: ["tenantId", "subject"] },
4715
+ { kind: "index", name: "by_tenant_object", columns: ["tenantId", "object"] },
4716
+ { kind: "index", name: "by_tenant_relation", columns: ["tenantId", "relation"] },
4717
+ {
4718
+ kind: "index",
4719
+ name: "by_tenant_relation_subject",
4720
+ columns: ["tenantId", "relation", "subject"]
4721
+ },
4722
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] }
4723
+ ]
4724
+ });
4725
+ defineTable({
4726
+ name: "permitAttributeBindings",
4727
+ component: "control-plane",
4728
+ category: "access-control",
4729
+ shape: z.object({
4730
+ tenantId: z.string(),
4731
+ workspaceId: z.optional(z.string()),
4732
+ targetType: permitRoleBindingTarget,
4733
+ targetId: z.string(),
4734
+ attributeName: z.string(),
4735
+ attributeType: permitAttributeType,
4736
+ attributeOperator: permitAttributeOperator,
4737
+ attributeValue: z.any(),
4738
+ status: permitRecordStatus,
4739
+ source: z.string().optional(),
4740
+ sourceRef: z.string().optional(),
4741
+ metadata: z.record(z.any()).optional(),
4742
+ createdAt: z.number(),
4743
+ updatedAt: z.number(),
4744
+ createdBy: z.string(),
4745
+ updatedBy: z.string().optional(),
4746
+ expiresAt: z.number().optional()
4747
+ }),
4748
+ indices: [
4749
+ {
4750
+ kind: "index",
4751
+ name: "by_tenant_target",
4752
+ columns: ["tenantId", "targetType", "targetId"]
4753
+ },
4754
+ {
4755
+ kind: "index",
4756
+ name: "by_tenant_target_attribute",
4757
+ columns: ["tenantId", "targetType", "targetId", "attributeName"]
4758
+ },
4759
+ {
4760
+ kind: "index",
4761
+ name: "by_tenant_name",
4762
+ columns: ["tenantId", "attributeName"]
4763
+ },
4764
+ {
4765
+ kind: "index",
4766
+ name: "by_tenant_status",
4767
+ columns: ["tenantId", "status"]
4768
+ }
4769
+ ]
4770
+ });
4771
+ defineTable({
4772
+ name: "permitPolicyBundles",
4773
+ component: "control-plane",
4774
+ category: "access-control",
4775
+ shape: z.object({
4776
+ tenantId: z.string(),
4777
+ workspaceId: z.optional(z.string()),
4778
+ bundleKey: z.string(),
4779
+ version: z.number(),
4780
+ status: permitPolicyBundleStatus,
4781
+ policyHash: z.string().optional(),
4782
+ policyPayload: z.record(z.any()),
4783
+ metadata: z.record(z.any()).optional(),
4784
+ createdBy: z.string(),
4785
+ reviewedBy: z.string().optional(),
4786
+ createdAt: z.number(),
4787
+ updatedAt: z.number(),
4788
+ retiredAt: z.number().optional()
4789
+ }),
4790
+ indices: [
4791
+ { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
4792
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
4793
+ {
4794
+ kind: "index",
4795
+ name: "by_tenant_bundleKey",
4796
+ columns: ["tenantId", "bundleKey"]
4797
+ },
4798
+ {
4799
+ kind: "index",
4800
+ name: "by_tenant_bundle_version",
4801
+ columns: ["tenantId", "bundleKey", "version"]
4802
+ },
4803
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] }
4804
+ ]
4805
+ });
4806
+ defineTable({
4807
+ name: "permitProjectionOutbox",
4808
+ component: "control-plane",
4809
+ category: "access-control",
4810
+ shape: z.object({
4811
+ syncKey: z.string(),
4812
+ objectType: permitObjectType,
4813
+ objectId: z.string(),
4814
+ operation: permitOutboxOperation,
4815
+ payload: z.record(z.any()),
4816
+ status: permitRecordStatus,
4817
+ attemptCount: z.number(),
4818
+ nextAttemptAt: z.number().optional(),
4819
+ lastError: z.string().optional(),
4820
+ tenantId: z.string().optional(),
4821
+ workspaceId: z.optional(z.string()),
4822
+ principalId: z.string().optional(),
4823
+ permitTenantKey: z.string().optional(),
4824
+ permitResourceType: z.string().optional(),
4825
+ permitResourceKey: z.string().optional(),
4826
+ createdAt: z.number(),
4827
+ updatedAt: z.number(),
4828
+ lastHandledAt: z.number().optional()
4829
+ }),
4830
+ indices: [
4831
+ { kind: "index", name: "by_syncKey", columns: ["syncKey"] },
4832
+ { kind: "index", name: "by_status", columns: ["status"] },
4833
+ { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
4834
+ {
4835
+ kind: "index",
4836
+ name: "by_tenant_status",
4837
+ columns: ["tenantId", "status"]
4838
+ },
4839
+ {
4840
+ kind: "index",
4841
+ name: "by_objectType",
4842
+ columns: ["objectType", "status"]
4843
+ }
4844
+ ]
4845
+ });
4846
+ defineTable({
4847
+ name: "tenantPermitSyncStates",
4848
+ component: "control-plane",
4849
+ category: "access-control",
4850
+ shape: z.object({
4851
+ syncKey: z.string(),
4852
+ objectType: permitObjectType,
4853
+ objectId: z.string(),
4854
+ tenantId: z.string().optional(),
4855
+ workspaceId: z.string().optional(),
4856
+ principalId: z.string().optional(),
4857
+ permitTenantKey: z.string().optional(),
4858
+ permitResourceType: z.string().optional(),
4859
+ permitResourceKey: z.string().optional(),
4860
+ desiredPayload: z.record(z.any()),
4861
+ lastAppliedPayloadHash: z.string().optional(),
4862
+ status: permitSyncStatus,
4863
+ attemptCount: z.number(),
4864
+ lastError: z.string().optional(),
4865
+ nextAttemptAt: z.number().optional(),
4866
+ lastSyncedAt: z.number().optional(),
4867
+ createdBy: z.string(),
4868
+ updatedBy: z.string().optional(),
4869
+ createdAt: z.number(),
4870
+ updatedAt: z.number()
4871
+ }),
4872
+ indices: [
4873
+ { kind: "index", name: "by_syncKey", columns: ["syncKey"] },
4874
+ { kind: "index", name: "by_status", columns: ["status"] },
4875
+ {
4876
+ kind: "index",
4877
+ name: "by_tenant_status",
4878
+ columns: ["tenantId", "status"]
4879
+ },
4880
+ {
4881
+ kind: "index",
4882
+ name: "by_workspace_status",
4883
+ columns: ["workspaceId", "status"]
4884
+ },
4885
+ {
4886
+ kind: "index",
4887
+ name: "by_principal_status",
4888
+ columns: ["principalId", "status"]
4889
+ }
4890
+ ]
4891
+ });
4892
+ defineTable({
4893
+ name: "permitPolicyDecisionReceipts",
4894
+ component: "control-plane",
4895
+ category: "access-control",
4896
+ shape: z.object({
4897
+ tenantId: z.string().optional(),
4898
+ workspaceId: z.string().optional(),
4899
+ principalId: z.string(),
4900
+ subjectType: permitAccessReviewSubjectType.optional(),
4901
+ subjectId: z.string().optional(),
4902
+ resourceType: z.string(),
4903
+ resourceId: z.string(),
4904
+ action: z.string(),
4905
+ decision: permitDecision,
4906
+ reasonCode: z.string(),
4907
+ policyBundleId: z.string().optional(),
4908
+ policyVersion: z.string(),
4909
+ traceId: z.string().optional(),
4910
+ requestId: z.string().optional(),
4911
+ audienceMode: z.string().optional(),
4912
+ audienceKey: z.string().optional(),
4913
+ audienceClass: z.enum(["internal", "restricted_external", "public"]).optional(),
4914
+ metadata: z.record(z.any()).optional(),
4915
+ createdAt: z.number(),
4916
+ expiresAt: z.number().optional(),
4917
+ createdBy: z.string().optional()
4918
+ }),
4919
+ indices: [
4920
+ { kind: "index", name: "by_principal_createdAt", columns: ["principalId", "createdAt"] },
4921
+ { kind: "index", name: "by_tenant_createdAt", columns: ["tenantId", "createdAt"] },
4922
+ { kind: "index", name: "by_resource", columns: ["resourceType", "resourceId"] },
4923
+ { kind: "index", name: "by_decision_createdAt", columns: ["decision", "createdAt"] },
4924
+ { kind: "index", name: "by_traceId", columns: ["traceId"] },
4925
+ { kind: "index", name: "by_action", columns: ["action"] }
4926
+ ]
4927
+ });
4928
+ defineTable({
4929
+ name: "permitAccessReviews",
4930
+ component: "control-plane",
4931
+ category: "access-control",
4932
+ shape: z.object({
4933
+ tenantId: z.string(),
4934
+ workspaceId: z.optional(z.string()),
4935
+ reviewKey: z.string(),
4936
+ scope: permitReviewScope,
4937
+ status: permitAccessReviewStatus,
4938
+ subjectType: permitAccessReviewSubjectType,
4939
+ subjectId: z.string(),
4940
+ resourceType: z.string().optional(),
4941
+ resourceKey: z.string().optional(),
4942
+ outcome: z.enum(["allow", "deny"]).optional(),
4943
+ requestedBy: z.string(),
4944
+ reviewedBy: z.string().optional(),
4945
+ requestedAt: z.number(),
4946
+ reviewedAt: z.number().optional(),
4947
+ dueAt: z.number().optional(),
4948
+ justification: z.string().optional(),
4949
+ rationale: z.string().optional(),
4950
+ policyBundleId: z.string().optional(),
4951
+ metadata: z.record(z.any()).optional(),
4952
+ createdAt: z.number(),
4953
+ updatedAt: z.number()
4954
+ }),
4955
+ indices: [
4956
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] },
4957
+ { kind: "index", name: "by_tenant_reviewKey", columns: ["tenantId", "reviewKey"] },
4958
+ { kind: "index", name: "by_subject", columns: ["subjectType", "subjectId"] },
4959
+ {
4960
+ kind: "index",
4961
+ name: "by_tenant_subject",
4962
+ columns: ["tenantId", "subjectType", "subjectId"]
4963
+ },
4964
+ { kind: "index", name: "by_outcome", columns: ["outcome"] },
4965
+ {
4966
+ kind: "index",
4967
+ name: "by_workspace_status",
4968
+ columns: ["workspaceId", "status"]
4969
+ }
4970
+ ]
4971
+ });
4972
+ defineTable({
4973
+ name: "permitAccessReviewItems",
4974
+ component: "control-plane",
4975
+ category: "access-control",
4976
+ shape: z.object({
4977
+ reviewKey: z.string(),
4978
+ itemKey: z.string(),
4979
+ tenantId: z.string(),
4980
+ workspaceId: z.string().optional(),
4981
+ subjectType: permitAccessReviewSubjectType,
4982
+ subjectId: z.string(),
4983
+ resourceType: z.string().optional(),
4984
+ resourceKey: z.string().optional(),
4985
+ role: z.string().optional(),
4986
+ relation: z.string().optional(),
4987
+ status: z.enum(["open", "approved", "revoked", "changed", "deferred"]),
4988
+ reviewerId: z.string().optional(),
4989
+ decisionAt: z.number().optional(),
4990
+ rationale: z.string().optional(),
4991
+ metadata: z.record(z.any()).optional(),
4992
+ createdAt: z.number(),
4993
+ updatedAt: z.number()
4994
+ }),
4995
+ indices: [
4996
+ { kind: "index", name: "by_reviewKey", columns: ["reviewKey"] },
4997
+ { kind: "index", name: "by_tenant_reviewKey", columns: ["tenantId", "reviewKey"] },
4998
+ { kind: "index", name: "by_tenant_itemKey", columns: ["tenantId", "itemKey"] },
4999
+ { kind: "index", name: "by_subject", columns: ["subjectType", "subjectId"] },
5000
+ { kind: "index", name: "by_status", columns: ["status"] }
5001
+ ]
5002
+ });
5003
+ defineTable({
5004
+ name: "reasoningPermissions",
5005
+ component: "control-plane",
5006
+ category: "epistemic",
5007
+ shape: z.object({
5008
+ "topicId": z.string().optional(),
5009
+ "principalId": z.string(),
5010
+ "nodeType": z.enum(["belief", "evidence", "action", "approval", "artifact"]),
5011
+ "action": z.enum(["view_conclusion", "view_evidence", "propose_action", "approve_action", "view_derived_artifact"]),
5012
+ "effect": z.enum(["allow", "deny"]),
5013
+ "policyReference": z.string().optional(),
5014
+ "rationale": z.string().optional(),
5015
+ "metadata": z.record(z.any()).optional(),
5016
+ "createdAt": z.number(),
5017
+ "createdBy": z.string(),
5018
+ "updatedAt": z.number()
5019
+ }),
5020
+ indices: [
5021
+ { kind: "index", name: "by_topic_principal", columns: ["topicId", "principalId"] },
5022
+ { kind: "index", name: "by_topic_principal_action", columns: ["topicId", "principalId", "action"] },
5023
+ { kind: "index", name: "by_topic_principal_node_action", columns: ["topicId", "principalId", "nodeType", "action"] },
5024
+ { kind: "index", name: "by_principal_action", columns: ["principalId", "action"] }
5025
+ ]
5026
+ });
5027
+ defineTable({
5028
+ name: "schemaEnumConfig",
5029
+ component: "kernel",
5030
+ category: "config",
5031
+ shape: z.object({
5032
+ "tenantId": z.string().optional(),
5033
+ "category": z.string(),
5034
+ "value": z.string(),
5035
+ "label": z.string(),
5036
+ "description": z.string().optional(),
5037
+ "tier": z.enum(["platform", "tenant"]),
5038
+ "domainNamespace": z.string().optional(),
5039
+ "metadata": z.any().optional(),
5040
+ "isDefault": z.boolean().optional(),
5041
+ "sortOrder": z.number().optional(),
5042
+ "status": z.enum(["active", "deprecated"]),
5043
+ "createdAt": z.number(),
5044
+ "updatedAt": z.number()
5045
+ }),
5046
+ indices: [
5047
+ { kind: "index", name: "by_category", columns: ["category"] },
5048
+ { kind: "index", name: "by_tenant_category", columns: ["tenantId", "category"] },
5049
+ { kind: "index", name: "by_category_value", columns: ["category", "value"] }
5050
+ ]
5051
+ });
5052
+ defineTable({
5053
+ name: "tasks",
5054
+ component: "kernel",
5055
+ category: "task",
5056
+ shape: z.object({
5057
+ "topicId": z.string().optional(),
5058
+ "tenantId": z.string().optional(),
5059
+ "workspaceId": z.string().optional(),
5060
+ "title": z.string(),
5061
+ "description": z.string().optional(),
5062
+ "status": z.enum(["todo", "in_progress", "blocked", "done"]),
5063
+ "priority": z.enum(["urgent", "high", "medium", "low"]),
5064
+ "dueDate": z.number().optional(),
5065
+ "linkedWorktreeId": idOf("worktrees").optional(),
5066
+ "linkedBeliefId": z.string().optional(),
5067
+ "linkedQuestionId": z.string().optional(),
5068
+ "taskType": z.enum(["general", "find_evidence", "verify_claim", "research", "review", "interview", "analysis", "track_metrics"]).optional(),
5069
+ "assigneeId": z.string().optional(),
5070
+ "blockedReason": z.string().optional(),
5071
+ "blockedBy": z.array(idOf("tasks")).optional(),
5072
+ "blocks": z.array(idOf("tasks")).optional(),
5073
+ "sortOrder": z.number().optional(),
5074
+ "executionOrder": z.number().optional(),
5075
+ "subtasks": z.array(z.object({
5076
+ "id": z.string(),
5077
+ "title": z.string(),
5078
+ "completed": z.boolean(),
5079
+ "completedAt": z.number().optional()
5080
+ })).optional(),
5081
+ "comments": z.array(z.object({
5082
+ "id": z.string(),
5083
+ "userId": z.string(),
5084
+ "content": z.string(),
5085
+ "createdAt": z.number()
5086
+ })).optional(),
5087
+ "attachments": z.array(z.object({
4141
5088
  "id": z.string(),
4142
5089
  "type": z.enum(["call_script", "email_template", "research_plan", "framework", "checklist", "note", "file", "transcript"]),
4143
5090
  "title": z.string(),
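Review bot: `permitRelationshipTuples.status` and `permitAttributeBindings.status` are typed as `permitRecordStatus` (`queued`/`inflight`/`completed`/`failed`/`skipped`/`stale`), a job-processing lifecycle with no `active` or `revoked` value. The other grant-like tables in this hunk (`permitRoleAssignments`, `permitGroupMemberships`, `permitPrincipalAliases`) use `permitMembershipStatus`. As written, no status value marks a tuple or attribute binding as withdrawn, so revocation would need a hard delete or an overloaded value such as `stale`. This looks like the wrong enum rather than a deliberate choice, though the consuming code is not visible here; I would change both fields to `status: permitMembershipStatus,` or add a dedicated enum with explicit live and revoked states. Separately, `permitPolicyBundles.policyHash` is optional even when `status` is `enforced`, so an enforced bundle can be stored without an integrity pin; consider requiring the hash once a bundle leaves `draft`.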
@@ -4290,6 +5237,7 @@ defineTable({
4290
5237
  "updatedAt": z.number()
4291
5238
  }),
4292
5239
  indices: [
5240
+ { kind: "index", name: "by_globalId", columns: ["globalId"] },
4293
5241
  { kind: "index", name: "by_parent", columns: ["parentTopicId"] },
4294
5242
  { kind: "index", name: "by_type", columns: ["type"] },
4295
5243
  { kind: "index", name: "by_graph_scope_project", columns: ["graphScopeProjectId"] },
@@ -4301,7 +5249,7 @@ defineTable({
4301
5249
  });
4302
5250
  defineTable({
4303
5251
  name: "users",
4304
- component: "identity",
5252
+ component: "control-plane",
4305
5253
  category: "user",
4306
5254
  shape: z.object({
4307
5255
  "clerkId": z.string(),
@@ -4415,7 +5363,6 @@ defineTable({
4415
5363
  "deployments": z.record(z.object({
4416
5364
  "url": z.string(),
4417
5365
  "target": z.enum(["kernelDeployment", "appDeployment"]).optional(),
4418
- "encryptedDeployKey": z.string().optional(),
4419
5366
  "credentialRef": z.string().optional()
4420
5367
  })).optional(),
4421
5368
  "metadata": z.record(z.any()).optional(),
@@ -4430,6 +5377,39 @@ defineTable({
4430
5377
  { kind: "index", name: "by_status", columns: ["status"] }
4431
5378
  ]
4432
5379
  });
5380
+ defineTable({
5381
+ name: "deploymentHosts",
5382
+ component: "mc",
5383
+ category: "workspace",
5384
+ shape: z.object({
5385
+ "host": z.string(),
5386
+ "tenantId": idOf("tenants"),
5387
+ "workspaceId": idOf("workspaces"),
5388
+ "environment": z.enum(["dev", "staging", "prod"]),
5389
+ "target": z.enum(["kernelDeployment", "appDeployment"]),
5390
+ "deploymentUrl": z.string().optional(),
5391
+ "deploymentName": z.string().optional(),
5392
+ "vercelProjectName": z.string().optional(),
5393
+ "vercelProjectId": z.string().optional(),
5394
+ "vercelEnvironment": z.enum(["development", "preview", "staging", "production"]).optional(),
5395
+ "source": z.enum(["vercel_preview", "vercel_production", "vercel_custom_environment", "custom_domain", "manual"]),
5396
+ "status": z.enum(["active", "revoked"]),
5397
+ "metadata": z.record(z.any()).optional(),
5398
+ "createdBy": z.string(),
5399
+ "createdAt": z.number(),
5400
+ "updatedAt": z.number(),
5401
+ "revokedAt": z.number().optional(),
5402
+ "revokedBy": z.string().optional()
5403
+ }),
5404
+ indices: [
5405
+ { kind: "index", name: "by_host", columns: ["host"] },
5406
+ { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
5407
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
5408
+ { kind: "index", name: "by_tenant_workspace_environment", columns: ["tenantId", "workspaceId", "environment"] },
5409
+ { kind: "index", name: "by_workspace_status", columns: ["workspaceId", "status"] },
5410
+ { kind: "index", name: "by_status", columns: ["status"] }
5411
+ ]
5412
+ });
4433
5413
  defineTable({
4434
5414
  name: "worktreeBeliefCluster",
4435
5415
  component: "kernel",
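Review bot: The new `deploymentHosts` table declares `"host": z.string()` with no normalisation or format check, and its only host lookup index, `by_host`, does not include `status`. If this table is what maps an incoming hostname to a tenant, workspace and environment (inferred from the field names; the resolver is not in this diff), a mixed-case or port-suffixed value can produce a second row for the same host, and a row with `status: "revoked"` stays reachable through `by_host` unless every reader filters on `status`. I would constrain the field, for example `"host": z.string().min(1).regex(/^[a-z0-9.-]+$/)`, and add `{ kind: "index", name: "by_host_status", columns: ["host", "status"] }` so the lookup can select active rows directly. `"metadata": z.record(z.any()).optional()` also accepts arbitrary values; a comment stating that no credentials belong there would be consistent with the removal of `encryptedDeployKey` from `deployments` in the preceding hunk.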
@@ -4737,8 +5717,8 @@ defineTable({
4737
5717
  });
4738
5718
  z.object({
4739
5719
  manifestVersion: z.string(),
4740
- componentName: z.enum(["kernel", "identity"]),
4741
- tier: z.enum(["K", "I"]),
5720
+ componentName: z.enum(["kernel", "control-plane"]),
5721
+ tier: z.enum(["K", "CP"]),
4742
5722
  packageVersion: z.string(),
4743
5723
  tables: z.array(
4744
5724
  z.object({
@@ -4905,88 +5885,957 @@ var TENANT_CLIENT_INSTALLABLE_PACKAGES = [
4905
5885
  },
4906
5886
  {
4907
5887
  packageName: "@lucern/control-plane",
5888
+ role: "component_runtime",
5889
+ directTenantImport: false
5890
+ },
5891
+ {
5892
+ packageName: "@lucern/developer-kit",
5893
+ role: "developer_tool",
5894
+ directTenantImport: false
5895
+ },
5896
+ {
5897
+ packageName: "@lucern/events",
5898
+ role: "sdk_dependency",
5899
+ directTenantImport: false
5900
+ },
5901
+ {
5902
+ packageName: "@lucern/graph-primitives",
5903
+ role: "sdk_dependency",
5904
+ directTenantImport: false
5905
+ },
5906
+ {
5907
+ packageName: "@lucern/graph-sync",
5908
+ role: "host_addon_runtime",
5909
+ directTenantImport: true
5910
+ },
5911
+ {
5912
+ packageName: "@lucern/mcp",
5913
+ role: "runtime_entrypoint",
5914
+ directTenantImport: true
5915
+ },
5916
+ {
5917
+ packageName: "@lucern/pack-host",
5918
+ role: "platform_runtime",
5919
+ directTenantImport: false
5920
+ },
5921
+ {
5922
+ packageName: "@lucern/pack-installer",
5923
+ role: "developer_tool",
5924
+ directTenantImport: false
5925
+ },
5926
+ {
5927
+ packageName: "@lucern/proof-compiler",
5928
+ role: "developer_tool",
5929
+ directTenantImport: false
5930
+ },
5931
+ {
5932
+ packageName: "@lucern/react",
5933
+ role: "runtime_entrypoint",
5934
+ directTenantImport: true
5935
+ },
5936
+ {
5937
+ packageName: "@lucern/reasoning-kernel",
5938
+ role: "component_runtime",
5939
+ directTenantImport: false
5940
+ },
5941
+ {
5942
+ packageName: "@lucern/sdk",
5943
+ role: "runtime_entrypoint",
5944
+ directTenantImport: true
5945
+ },
5946
+ {
5947
+ packageName: "@lucern/secrets",
5948
+ role: "sdk_dependency",
5949
+ directTenantImport: false
5950
+ },
5951
+ {
5952
+ packageName: "@lucern/server-core",
4908
5953
  role: "platform_runtime",
4909
5954
  directTenantImport: false
4910
5955
  },
4911
5956
  {
4912
- packageName: "@lucern/developer-kit",
4913
- role: "developer_tool",
4914
- directTenantImport: false
5957
+ packageName: "@lucern/testing",
5958
+ role: "test_support",
5959
+ directTenantImport: false
5960
+ },
5961
+ {
5962
+ packageName: "@lucern/types",
5963
+ role: "contract_entrypoint",
5964
+ directTenantImport: true
5965
+ }
5966
+ ];
5967
+ TENANT_CLIENT_INSTALLABLE_PACKAGES.map(
5968
+ (entry) => entry.packageName
5969
+ );
5970
+
5971
+ // ../contracts/src/infisical-runtime.contract.ts
5972
+ var INFISICAL_TENANT_SOFTWARE_SYSTEMS = [
5973
+ {
5974
+ id: "stack-frontend",
5975
+ tenantKey: "stack",
5976
+ workspaceKey: "frontend",
5977
+ vercelProjectName: "ai-chatbot-diao",
5978
+ vercelTeamId: "team_mZBKwvXSSu7qxrWdg2go29sK",
5979
+ vercelProjectId: "prj_PihFw8kohSSw14nZs9YQV3xVo517",
5980
+ vercelWriterTokenEnv: "STACK_VERCEL_TOKEN",
5981
+ repository: {
5982
+ owner: "stack-vc",
5983
+ name: "front-end"
5984
+ },
5985
+ sharedSourcePath: "/tenants/stack",
5986
+ sharedVariablePolicy: "tenant_shared_all_systems",
5987
+ convex: {
5988
+ urlEnv: "CONVEX_FRONTEND_URL",
5989
+ deployKeyEnv: "CONVEX_FRONTEND_DEPLOY_KEY",
5990
+ preprodDeployment: "rugged-lobster-664",
5991
+ prodDeployment: "wonderful-toucan-0"
5992
+ }
5993
+ },
5994
+ {
5995
+ id: "stackos",
5996
+ tenantKey: "stack",
5997
+ workspaceKey: "stackos",
5998
+ vercelProjectName: "stackos",
5999
+ vercelTeamId: "team_mZBKwvXSSu7qxrWdg2go29sK",
6000
+ vercelProjectId: "prj_rXLAL0Z6v9p1fasKbomby6GI7kau",
6001
+ vercelWriterTokenEnv: "STACK_VERCEL_TOKEN",
6002
+ repository: {
6003
+ owner: "stack-vc",
6004
+ name: "stackos"
6005
+ },
6006
+ sharedSourcePath: "/tenants/stack",
6007
+ sharedVariablePolicy: "tenant_shared_all_systems",
6008
+ convex: {
6009
+ urlEnv: "CONVEX_STACKOS_URL",
6010
+ deployKeyEnv: "CONVEX_STACKOS_DEPLOY_KEY",
6011
+ preprodDeployment: "giant-mandrill-761",
6012
+ prodDeployment: "good-snake-515"
6013
+ }
6014
+ },
6015
+ {
6016
+ id: "stack-eng",
6017
+ tenantKey: "stack",
6018
+ workspaceKey: "engineering",
6019
+ vercelProjectName: "stackos-engineering-graph",
6020
+ vercelTeamId: "team_mZBKwvXSSu7qxrWdg2go29sK",
6021
+ vercelProjectId: "prj_zAU0Zn9GkbHjHI63dxW4vLpmoqTJ",
6022
+ vercelWriterTokenEnv: "STACK_VERCEL_TOKEN",
6023
+ repository: {
6024
+ owner: "stack-vc",
6025
+ name: "stackos-engineering-graph"
6026
+ },
6027
+ sharedSourcePath: "/tenants/stack/engineering",
6028
+ sharedVariablePolicy: "tenant_shared_all_systems",
6029
+ convex: {
6030
+ urlEnv: "CONVEX_STACK_ENG_URL",
6031
+ deployKeyEnv: "CONVEX_STACK_ENG_DEPLOY_KEY",
6032
+ preprodDeployment: "small-oyster-270",
6033
+ prodDeployment: "bold-cuttlefish-804"
6034
+ }
6035
+ },
6036
+ {
6037
+ id: "lucern-graph",
6038
+ tenantKey: "lucern",
6039
+ workspaceKey: "lucern",
6040
+ vercelProjectName: "lucern-graph",
6041
+ vercelTeamId: "team_vTHxxs8GAoAFUe6RWMlYt7fY",
6042
+ vercelProjectId: "prj_KJ8EKV8vGM5xURpqmwTwmECEGPgQ",
6043
+ vercelWriterTokenEnv: "LUCERN_VERCEL_TOKEN",
6044
+ repository: {
6045
+ owner: "LucernAI",
6046
+ name: "lucern-graph"
6047
+ },
6048
+ sharedSourcePath: "/tenants/lucern/shared",
6049
+ sharedVariablePolicy: "tenant_shared_all_systems",
6050
+ convex: {
6051
+ urlEnv: "CONVEX_LUCERN_URL",
6052
+ deployKeyEnv: "CONVEX_LUCERN_DEPLOY_KEY",
6053
+ preprodDeployment: "good-blackbird-774",
6054
+ prodDeployment: "precious-dog-365"
6055
+ }
6056
+ }
6057
+ ];
6058
+ var TENANT_SHARED_SECRET_DEFINITION_TEMPLATES = [
6059
+ {
6060
+ idSuffix: "clerk.publishable",
6061
+ canonicalName: "NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY",
6062
+ aliases: ["CLERK_PUBLISHABLE_KEY"],
6063
+ required: true,
6064
+ secret: false,
6065
+ public: true,
6066
+ description: "Tenant-owned Clerk browser key. For Stack this is the master clerk.stack.vc project shared by front-end, StackOS, and the engineering workspace."
6067
+ },
6068
+ {
6069
+ idSuffix: "clerk.secret",
6070
+ canonicalName: "CLERK_SECRET_KEY",
6071
+ required: true,
6072
+ secret: true,
6073
+ public: false,
6074
+ description: "Tenant-owned Clerk backend secret used only by that tenant's server runtimes."
6075
+ },
6076
+ {
6077
+ idSuffix: "clerk.project",
6078
+ canonicalName: "CLERK_PROJECT_ID",
6079
+ required: true,
6080
+ secret: false,
6081
+ public: false,
6082
+ description: "Tenant-owned Clerk project id used to resolve canonical Clerk aliases."
6083
+ },
6084
+ {
6085
+ idSuffix: "clerk.jwks",
6086
+ canonicalName: "CLERK_JWT_ISSUER_DOMAIN",
6087
+ aliases: ["CLERK_ISSUER_URL", "CLERK_JWKS_URL"],
6088
+ required: false,
6089
+ secret: false,
6090
+ public: false,
6091
+ description: "Tenant Clerk issuer/JWKS URL consumed by Convex auth.config.ts."
6092
+ },
6093
+ {
6094
+ idSuffix: "clerk.jwt-key",
6095
+ canonicalName: "CLERK_JWT_KEY",
6096
+ required: false,
6097
+ secret: true,
6098
+ public: false,
6099
+ description: "Tenant Clerk JWT public verification key used by bearer-token API routes."
6100
+ },
6101
+ {
6102
+ idSuffix: "clerk.authorized-parties",
6103
+ canonicalName: "CLERK_AUTHORIZED_PARTIES",
6104
+ aliases: ["CLERK_MOBILE_AUTHORIZED_PARTIES"],
6105
+ required: false,
6106
+ secret: false,
6107
+ public: false,
6108
+ description: "Comma-separated Clerk authorized parties for browser and mobile bearer-token validation."
6109
+ },
6110
+ {
6111
+ idSuffix: "clerk.sign-in-url",
6112
+ canonicalName: "NEXT_PUBLIC_CLERK_SIGN_IN_URL",
6113
+ required: false,
6114
+ secret: false,
6115
+ public: true,
6116
+ description: "Tenant Clerk sign-in route for custom app login surfaces."
6117
+ },
6118
+ {
6119
+ idSuffix: "clerk.sign-up-url",
6120
+ canonicalName: "NEXT_PUBLIC_CLERK_SIGN_UP_URL",
6121
+ required: false,
6122
+ secret: false,
6123
+ public: true,
6124
+ description: "Tenant Clerk sign-up route for custom app login surfaces."
6125
+ }
6126
+ ];
6127
+ INFISICAL_TENANT_SOFTWARE_SYSTEMS.flatMap(
6128
+ (system) => TENANT_SHARED_SECRET_DEFINITION_TEMPLATES.map(
6129
+ (template) => ({
6130
+ id: `tenant.${system.id}.${template.idSuffix}`,
6131
+ canonicalName: template.canonicalName,
6132
+ aliases: "aliases" in template ? template.aliases : void 0,
6133
+ owner: "tenant",
6134
+ scope: "tenant",
6135
+ sourcePath: system.sharedSourcePath,
6136
+ environmentPolicy: "environment_specific",
6137
+ required: template.required,
6138
+ secret: template.secret,
6139
+ public: template.public,
6140
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
6141
+ destinations: [
6142
+ {
6143
+ kind: "vercel",
6144
+ target: system.vercelProjectName,
6145
+ environmentPolicy: "preprod_staging_prod_prod"
6146
+ },
6147
+ {
6148
+ kind: "convex",
6149
+ target: `${system.convex.preprodDeployment}|${system.convex.prodDeployment}`,
6150
+ environmentPolicy: "preprod_staging_prod_prod"
6151
+ }
6152
+ ],
6153
+ description: `${system.tenantKey}/${system.workspaceKey}: ${template.description}`
6154
+ })
6155
+ )
6156
+ );
6157
+ INFISICAL_TENANT_SOFTWARE_SYSTEMS.map(
6158
+ (system) => ({
6159
+ id: `tenant.${system.id}.install-lucern-npm`,
6160
+ canonicalName: "INSTALL_LUCERN_NPM",
6161
+ owner: "provider",
6162
+ scope: "global",
6163
+ sourcePath: "/tenants/shared",
6164
+ environmentPolicy: "same_all_environments",
6165
+ required: true,
6166
+ secret: true,
6167
+ public: false,
6168
+ consumers: ["tenant-vercel-app", "tenant-deploy-tooling"],
6169
+ destinations: [
6170
+ {
6171
+ kind: "vercel",
6172
+ target: system.vercelProjectName,
6173
+ environmentPolicy: "same_all_environments"
6174
+ },
6175
+ {
6176
+ kind: "github_actions",
6177
+ target: `${system.repository.owner}/${system.repository.name}`,
6178
+ environmentPolicy: "same_all_environments"
6179
+ }
6180
+ ],
6181
+ description: `${system.tenantKey}/${system.workspaceKey}: read-only npm install token for published @lucern/* packages.`
6182
+ })
6183
+ );
6184
+ var TENANT_PRODUCT_SOFTWARE_SYSTEM_IDS = ["stack-frontend", "stackos"];
6185
+ var TENANT_PRODUCT_RUNTIME_SECRET_DEFINITION_TEMPLATES = [
6186
+ {
6187
+ idSuffix: "ai.openai-api-key",
6188
+ canonicalName: "OPENAI_API_KEY",
6189
+ required: false,
6190
+ secret: true,
6191
+ public: false,
6192
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment", "tenant-ai-runtime"],
6193
+ description: "Tenant-owned OpenAI key for product runtime LLM calls."
6194
+ },
6195
+ {
6196
+ idSuffix: "ai.anthropic-api-key",
6197
+ canonicalName: "ANTHROPIC_API_KEY",
6198
+ required: false,
6199
+ secret: true,
6200
+ public: false,
6201
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment", "tenant-ai-runtime"],
6202
+ description: "Tenant-owned Anthropic key for product runtime LLM calls."
6203
+ },
6204
+ {
6205
+ idSuffix: "ai.gemini-api-key",
6206
+ canonicalName: "GEMINI_API_KEY",
6207
+ aliases: ["GOOGLE_AI_API_KEY", "GOOGLE_GENERATIVE_AI_API_KEY"],
6208
+ required: false,
6209
+ secret: true,
6210
+ public: false,
6211
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment", "tenant-ai-runtime"],
6212
+ description: "Tenant-owned Google/Gemini key for product runtime LLM calls."
6213
+ },
6214
+ {
6215
+ idSuffix: "langfuse.secret-key",
6216
+ canonicalName: "LANGFUSE_SECRET_KEY",
6217
+ required: false,
6218
+ secret: true,
6219
+ public: false,
6220
+ consumers: [
6221
+ "tenant-vercel-app",
6222
+ "tenant-convex-deployment",
6223
+ "tenant-observability"
6224
+ ],
6225
+ description: "Tenant-owned Langfuse secret key for product AI tracing."
6226
+ },
6227
+ {
6228
+ idSuffix: "langfuse.public-key",
6229
+ canonicalName: "LANGFUSE_PUBLIC_KEY",
6230
+ required: false,
6231
+ secret: false,
6232
+ public: false,
6233
+ consumers: [
6234
+ "tenant-vercel-app",
6235
+ "tenant-convex-deployment",
6236
+ "tenant-observability"
6237
+ ],
6238
+ description: "Tenant-owned Langfuse public key for product AI tracing."
6239
+ },
6240
+ {
6241
+ idSuffix: "langfuse.base-url",
6242
+ canonicalName: "LANGFUSE_BASE_URL",
6243
+ aliases: ["LANGFUSE_BASEURL", "LANGFUSE_HOST"],
6244
+ required: false,
6245
+ secret: false,
6246
+ public: false,
6247
+ consumers: [
6248
+ "tenant-vercel-app",
6249
+ "tenant-convex-deployment",
6250
+ "tenant-observability"
6251
+ ],
6252
+ description: "Tenant-owned Langfuse API origin."
6253
+ },
6254
+ {
6255
+ idSuffix: "graph.neo4j-uri",
6256
+ canonicalName: "NEO4J_URI",
6257
+ required: false,
6258
+ secret: false,
6259
+ public: false,
6260
+ consumers: [
6261
+ "tenant-vercel-app",
6262
+ "tenant-convex-deployment",
6263
+ "tenant-graph-sync"
6264
+ ],
6265
+ description: "Tenant-owned Neo4j URI for product graph-sync."
6266
+ },
6267
+ {
6268
+ idSuffix: "graph.neo4j-user",
6269
+ canonicalName: "NEO4J_USER",
6270
+ aliases: ["NEO4J_USERNAME"],
6271
+ required: false,
6272
+ secret: false,
6273
+ public: false,
6274
+ consumers: [
6275
+ "tenant-vercel-app",
6276
+ "tenant-convex-deployment",
6277
+ "tenant-graph-sync"
6278
+ ],
6279
+ description: "Tenant-owned Neo4j user for product graph-sync."
6280
+ },
6281
+ {
6282
+ idSuffix: "graph.neo4j-password",
6283
+ canonicalName: "NEO4J_PASSWORD",
6284
+ required: false,
6285
+ secret: true,
6286
+ public: false,
6287
+ consumers: [
6288
+ "tenant-vercel-app",
6289
+ "tenant-convex-deployment",
6290
+ "tenant-graph-sync"
6291
+ ],
6292
+ description: "Tenant-owned Neo4j password for product graph-sync."
6293
+ },
6294
+ {
6295
+ idSuffix: "graph.neo4j-sync-secret",
6296
+ canonicalName: "NEO4J_SYNC_SECRET",
6297
+ required: false,
6298
+ secret: true,
6299
+ public: false,
6300
+ consumers: [
6301
+ "tenant-vercel-app",
6302
+ "tenant-convex-deployment",
6303
+ "tenant-graph-sync"
6304
+ ],
6305
+ description: "Tenant-owned shared secret for product Convex-to-HTTP graph-sync calls."
6306
+ },
6307
+ {
6308
+ idSuffix: "graph.neo4j-database",
6309
+ canonicalName: "NEO4J_DATABASE",
6310
+ required: false,
6311
+ secret: false,
6312
+ public: false,
6313
+ consumers: [
6314
+ "tenant-vercel-app",
6315
+ "tenant-convex-deployment",
6316
+ "tenant-graph-sync"
6317
+ ],
6318
+ description: "Tenant-owned Neo4j database name for product graph-sync."
6319
+ },
6320
+ {
6321
+ idSuffix: "vector.pinecone-api-key",
6322
+ canonicalName: "PINECONE_API_KEY",
6323
+ required: false,
6324
+ secret: true,
6325
+ public: false,
6326
+ consumers: [
6327
+ "tenant-vercel-app",
6328
+ "tenant-convex-deployment",
6329
+ "tenant-vector-store"
6330
+ ],
6331
+ description: "Tenant-owned Pinecone API key for product vector search."
6332
+ },
6333
+ {
6334
+ idSuffix: "vector.pinecone-index-name",
6335
+ canonicalName: "PINECONE_INDEX_NAME",
6336
+ aliases: ["PINECONE_INDEX"],
6337
+ required: false,
6338
+ secret: false,
6339
+ public: false,
6340
+ consumers: [
6341
+ "tenant-vercel-app",
6342
+ "tenant-convex-deployment",
6343
+ "tenant-vector-store"
6344
+ ],
6345
+ description: "Tenant-owned Pinecone index name for product vector search."
6346
+ },
6347
+ {
6348
+ idSuffix: "vector.pinecone-host",
6349
+ canonicalName: "PINECONE_HOST",
6350
+ aliases: ["PINECONE_INDEX_HOST"],
6351
+ required: false,
6352
+ secret: false,
6353
+ public: false,
6354
+ consumers: [
6355
+ "tenant-vercel-app",
6356
+ "tenant-convex-deployment",
6357
+ "tenant-vector-store"
6358
+ ],
6359
+ description: "Tenant-owned Pinecone host for product vector search."
6360
+ },
6361
+ {
6362
+ idSuffix: "vector.pinecone-namespace",
6363
+ canonicalName: "PINECONE_NAMESPACE",
6364
+ required: false,
6365
+ secret: false,
6366
+ public: false,
6367
+ consumers: [
6368
+ "tenant-vercel-app",
6369
+ "tenant-convex-deployment",
6370
+ "tenant-vector-store"
6371
+ ],
6372
+ description: "Tenant-owned Pinecone namespace for product vector search isolation."
6373
+ },
6374
+ {
6375
+ idSuffix: "storage.aws-access-key-id",
6376
+ canonicalName: "AWS_ACCESS_KEY_ID",
6377
+ required: false,
6378
+ secret: true,
6379
+ public: false,
6380
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
6381
+ description: "Tenant-owned AWS access key id for document/file ingestion."
6382
+ },
6383
+ {
6384
+ idSuffix: "storage.aws-secret-access-key",
6385
+ canonicalName: "AWS_SECRET_ACCESS_KEY",
6386
+ required: false,
6387
+ secret: true,
6388
+ public: false,
6389
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
6390
+ description: "Tenant-owned AWS secret access key for document/file ingestion."
4915
6391
  },
4916
6392
  {
4917
- packageName: "@lucern/events",
4918
- role: "sdk_dependency",
4919
- directTenantImport: false
6393
+ idSuffix: "storage.aws-region",
6394
+ canonicalName: "AWS_REGION",
6395
+ required: false,
6396
+ secret: false,
6397
+ public: false,
6398
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
6399
+ description: "Tenant-owned AWS region for document/file ingestion."
4920
6400
  },
4921
6401
  {
4922
- packageName: "@lucern/graph-primitives",
4923
- role: "sdk_dependency",
4924
- directTenantImport: false
6402
+ idSuffix: "observability.sentry-dsn",
6403
+ canonicalName: "NEXT_PUBLIC_SENTRY_DSN",
6404
+ aliases: ["NEXT_PUBLIC_SENTRY_DSN_NEXTJS", "SENTRY_DSN"],
6405
+ required: false,
6406
+ secret: false,
6407
+ public: true,
6408
+ consumers: ["tenant-vercel-app", "tenant-observability"],
6409
+ description: "Tenant-owned Sentry DSN for app telemetry."
4925
6410
  },
4926
6411
  {
4927
- packageName: "@lucern/graph-sync",
4928
- role: "host_addon_runtime",
4929
- directTenantImport: true
6412
+ idSuffix: "observability.sentry-auth-token",
6413
+ canonicalName: "SENTRY_AUTH_TOKEN",
6414
+ required: false,
6415
+ secret: true,
6416
+ public: false,
6417
+ consumers: ["tenant-deploy-tooling", "tenant-observability"],
6418
+ description: "Tenant-owned Sentry release token for app deployments."
4930
6419
  },
4931
6420
  {
4932
- packageName: "@lucern/identity",
4933
- role: "component_runtime",
4934
- directTenantImport: false
6421
+ idSuffix: "observability.sentry-org",
6422
+ canonicalName: "SENTRY_ORG",
6423
+ aliases: ["SENTRY_ORG_SLUG"],
6424
+ required: false,
6425
+ secret: false,
6426
+ public: false,
6427
+ consumers: ["tenant-deploy-tooling", "tenant-observability"],
6428
+ description: "Tenant-owned Sentry org slug for release uploads."
4935
6429
  },
4936
6430
  {
4937
- packageName: "@lucern/mcp",
4938
- role: "runtime_entrypoint",
4939
- directTenantImport: true
6431
+ idSuffix: "observability.sentry-project",
6432
+ canonicalName: "SENTRY_PROJECT",
6433
+ aliases: ["SENTRY_PROJECT_NEXTJS"],
6434
+ required: false,
6435
+ secret: false,
6436
+ public: false,
6437
+ consumers: ["tenant-deploy-tooling", "tenant-observability"],
6438
+ description: "Tenant-owned Sentry project slug for release uploads."
4940
6439
  },
4941
6440
  {
4942
- packageName: "@lucern/pack-host",
4943
- role: "platform_runtime",
4944
- directTenantImport: false
6441
+ idSuffix: "observability.sentry-environment",
6442
+ canonicalName: "NEXT_PUBLIC_SENTRY_ENVIRONMENT",
6443
+ aliases: ["SENTRY_ENVIRONMENT"],
6444
+ required: false,
6445
+ secret: false,
6446
+ public: true,
6447
+ consumers: ["tenant-vercel-app", "tenant-observability"],
6448
+ description: "Tenant-owned Sentry environment label."
4945
6449
  },
4946
6450
  {
4947
- packageName: "@lucern/pack-installer",
4948
- role: "developer_tool",
4949
- directTenantImport: false
6451
+ idSuffix: "observability.sentry-release",
6452
+ canonicalName: "NEXT_PUBLIC_SENTRY_RELEASE",
6453
+ aliases: ["SENTRY_RELEASE"],
6454
+ required: false,
6455
+ secret: false,
6456
+ public: true,
6457
+ consumers: ["tenant-vercel-app", "tenant-observability"],
6458
+ description: "Tenant-owned Sentry release label."
4950
6459
  },
4951
6460
  {
4952
- packageName: "@lucern/proof-compiler",
4953
- role: "developer_tool",
4954
- directTenantImport: false
6461
+ idSuffix: "observability.sentry-client-options",
6462
+ canonicalName: "NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE",
6463
+ aliases: [
6464
+ "NEXT_PUBLIC_SENTRY_CAPTURE_CONSOLE_LEVELS",
6465
+ "NEXT_PUBLIC_SENTRY_CAPTURE_CONSOLE_LEVELS_NEXTJS",
6466
+ "NEXT_PUBLIC_SENTRY_CONSOLE_BREADCRUMB_LEVELS",
6467
+ "NEXT_PUBLIC_SENTRY_CONSOLE_BREADCRUMB_LEVELS_NEXTJS",
6468
+ "NEXT_PUBLIC_SENTRY_CONSOLE_LOG_LEVELS",
6469
+ "NEXT_PUBLIC_SENTRY_CONSOLE_LOG_LEVELS_NEXTJS",
6470
+ "NEXT_PUBLIC_SENTRY_ENABLE_LOGS",
6471
+ "NEXT_PUBLIC_SENTRY_REPLAYS_ON_ERROR_SAMPLE_RATE",
6472
+ "NEXT_PUBLIC_SENTRY_REPLAYS_SESSION_SAMPLE_RATE",
6473
+ "NEXT_PUBLIC_SENTRY_SEND_DEFAULT_PII",
6474
+ "NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE_NEXTJS"
6475
+ ],
6476
+ required: false,
6477
+ secret: false,
6478
+ public: true,
6479
+ consumers: ["tenant-vercel-app", "tenant-observability"],
6480
+ description: "Tenant-owned public Sentry tuning values for Next.js client instrumentation."
4955
6481
  },
4956
6482
  {
4957
- packageName: "@lucern/react",
4958
- role: "runtime_entrypoint",
4959
- directTenantImport: true
6483
+ idSuffix: "observability.sentry-webhook-secret",
6484
+ canonicalName: "SENTRY_WEBHOOK_SECRET",
6485
+ required: false,
6486
+ secret: true,
6487
+ public: false,
6488
+ consumers: ["tenant-convex-deployment", "tenant-observability"],
6489
+ description: "Tenant-owned Sentry webhook verification secret."
4960
6490
  },
4961
6491
  {
4962
- packageName: "@lucern/reasoning-kernel",
4963
- role: "component_runtime",
4964
- directTenantImport: false
6492
+ idSuffix: "lucern.gateway-api-key",
6493
+ canonicalName: "LUCERN_API_KEY",
6494
+ aliases: ["STACK_API_KEY"],
6495
+ required: false,
6496
+ secret: true,
6497
+ public: false,
6498
+ consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
6499
+ description: "Tenant-scoped Lucern/MC gateway API key for product front-door calls."
4965
6500
  },
4966
6501
  {
4967
- packageName: "@lucern/sdk",
4968
- role: "runtime_entrypoint",
4969
- directTenantImport: true
6502
+ idSuffix: "lucern.gateway-base-url",
6503
+ canonicalName: "LUCERN_BASE_URL",
6504
+ aliases: ["LUCERN_API_BASE_URL", "LUCERN_GATEWAY_BASE_URL"],
6505
+ required: false,
6506
+ secret: false,
6507
+ public: false,
6508
+ consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
6509
+ description: "Lucern/MC gateway base URL used by tenant product apps."
4970
6510
  },
4971
6511
  {
4972
- packageName: "@lucern/server-core",
4973
- role: "platform_runtime",
4974
- directTenantImport: false
6512
+ idSuffix: "lucern.proxy-token-secret",
6513
+ canonicalName: "LUCERN_PROXY_TOKEN_SECRET",
6514
+ required: false,
6515
+ secret: true,
6516
+ public: false,
6517
+ consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
6518
+ description: "Tenant-owned secret for signing internal proxy/session tokens in product apps."
4975
6519
  },
4976
6520
  {
4977
- packageName: "@lucern/testing",
4978
- role: "test_support",
4979
- directTenantImport: false
6521
+ idSuffix: "tenant.integrations.linear-api-key",
6522
+ canonicalName: "LINEAR_API_KEY",
6523
+ required: false,
6524
+ secret: true,
6525
+ public: false,
6526
+ consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
6527
+ description: "Tenant-owned Linear API key for support/slash-command flows."
4980
6528
  },
4981
6529
  {
4982
- packageName: "@lucern/types",
4983
- role: "contract_entrypoint",
4984
- directTenantImport: true
6530
+ idSuffix: "tenant.vercel.bypass-token",
6531
+ canonicalName: "VERCEL_AUTOMATION_BYPASS_SECRET",
6532
+ aliases: ["NEXT_PUBLIC_VERCEL_BYPASS_TOKEN"],
6533
+ required: false,
6534
+ secret: true,
6535
+ public: false,
6536
+ consumers: ["tenant-vercel-app", "tenant-deploy-tooling"],
6537
+ description: "Tenant-owned Vercel automation bypass token. Public alias is legacy and should be removed from app code."
4985
6538
  }
4986
6539
  ];
4987
- TENANT_CLIENT_INSTALLABLE_PACKAGES.map(
4988
- (entry) => entry.packageName
6540
+ INFISICAL_TENANT_SOFTWARE_SYSTEMS.filter(
6541
+ (system) => TENANT_PRODUCT_SOFTWARE_SYSTEM_IDS.includes(system.id)
6542
+ ).flatMap(
6543
+ (system) => TENANT_PRODUCT_RUNTIME_SECRET_DEFINITION_TEMPLATES.map(
6544
+ (template) => ({
6545
+ id: `tenant.${system.id}.${template.idSuffix}`,
6546
+ canonicalName: template.canonicalName,
6547
+ aliases: "aliases" in template ? template.aliases : void 0,
6548
+ owner: "tenant",
6549
+ scope: "tenant",
6550
+ sourcePath: system.sharedSourcePath,
6551
+ environmentPolicy: "environment_specific",
6552
+ required: template.required,
6553
+ secret: template.secret,
6554
+ public: template.public,
6555
+ consumers: template.consumers,
6556
+ destinations: [
6557
+ {
6558
+ kind: "vercel",
6559
+ target: system.vercelProjectName,
6560
+ environmentPolicy: "preprod_staging_prod_prod"
6561
+ },
6562
+ {
6563
+ kind: "convex",
6564
+ target: `${system.convex.preprodDeployment}|${system.convex.prodDeployment}`,
6565
+ environmentPolicy: "preprod_staging_prod_prod"
6566
+ },
6567
+ {
6568
+ kind: "github_actions",
6569
+ target: `${system.repository.owner}/${system.repository.name}`,
6570
+ environmentPolicy: "preprod_staging_prod_prod"
6571
+ }
6572
+ ],
6573
+ description: `${system.tenantKey}/${system.workspaceKey}: ${template.description}`
6574
+ })
6575
+ )
6576
+ );
6577
+ function tenantVercelConvexUrlWriteNames(system) {
6578
+ const names = [system.convex.urlEnv, "NEXT_PUBLIC_CONVEX_URL"];
6579
+ if (system.id === "stack-eng") {
6580
+ return [...names, "STACKOS_ENGINEERING_GRAPH_CONVEX_URL"];
6581
+ }
6582
+ return names;
6583
+ }
6584
+ function tenantRepositoryConvexUrlWriteNames(system) {
6585
+ if (system.id === "stack-eng") {
6586
+ return [system.convex.urlEnv, "STACKOS_ENGINEERING_GRAPH_CONVEX_URL"];
6587
+ }
6588
+ return [system.convex.urlEnv];
6589
+ }
6590
+ function tenantRepositoryConvexDeployKeyWriteNames(system) {
6591
+ if (system.id === "stack-eng") {
6592
+ return [system.convex.deployKeyEnv, "STACKOS_ENGINEERING_GRAPH_DEPLOY_KEY"];
6593
+ }
6594
+ return [system.convex.deployKeyEnv];
6595
+ }
6596
+ function tenantConvexUrlAliases(system) {
6597
+ if (system.id === "stack-frontend") {
6598
+ return [
6599
+ "CONVEX_PROD_URL",
6600
+ "CONVEX_STACK_V2_PROD_URL",
6601
+ "CONVEX_STACK_V2_STAGING_URL",
6602
+ "STACK_CONVEX_URL"
6603
+ ];
6604
+ }
6605
+ if (system.id === "stackos") {
6606
+ return [
6607
+ "CONVEX_CLOUD_URL",
6608
+ "CONVEX_STACK_URL",
6609
+ "CONVEX_URL",
6610
+ "CONVEX_URL_DEVELOPMENT",
6611
+ "CONVEX_URL_PRODUCTION",
6612
+ "STACK_CONVEX_URL"
6613
+ ];
6614
+ }
6615
+ if (system.id === "stack-eng") {
6616
+ return ["STACKOS_ENGINEERING_GRAPH_CONVEX_URL"];
6617
+ }
6618
+ if (system.id === "lucern-graph") {
6619
+ return [
6620
+ "CONVEX_GRAPH_URL",
6621
+ "LUCERN_PROD_URL",
6622
+ "NEXT_PUBLIC_LUCERN_GRAPH_URL"
6623
+ ];
6624
+ }
6625
+ return void 0;
6626
+ }
6627
+ function tenantConvexDeployKeyAliases(system) {
6628
+ if (system.id === "stack-frontend") {
6629
+ return [
6630
+ "CONVEX_STACK_V2_PROD_DEPLOY_KEY",
6631
+ "CONVEX_STACK_V2_STAGING_DEPLOY_KEY",
6632
+ "STACK_DEPLOY_KEY"
6633
+ ];
6634
+ }
6635
+ if (system.id === "stackos") {
6636
+ return [
6637
+ "CONVEX_DEPLOY_KEY",
6638
+ "CONVEX_DEV_DEPLOY_KEY",
6639
+ "CONVEX_PROD_DEPLOY_KEY",
6640
+ "CONVEX_STACK_DEPLOY_KEY",
6641
+ "STACK_DEPLOY_KEY"
6642
+ ];
6643
+ }
6644
+ if (system.id === "stack-eng") {
6645
+ return ["CONVEX_DEPLOY_KEY", "STACKOS_ENGINEERING_GRAPH_DEPLOY_KEY"];
6646
+ }
6647
+ if (system.id === "lucern-graph") {
6648
+ return [
6649
+ "CONVEX_DEPLOY_KEY",
6650
+ "CONVEX_GRAPH_DEPLOY_KEY",
6651
+ "LUCERN_CONVEX_DEPLOY_KEY",
6652
+ "LUCERN_DEV_DEPLOY_KEY",
6653
+ "LUCERN_PROD_DEPLOY_KEY"
6654
+ ];
6655
+ }
6656
+ return void 0;
6657
+ }
6658
+ INFISICAL_TENANT_SOFTWARE_SYSTEMS.flatMap(
6659
+ (system) => {
6660
+ if (system.id === "lucern-graph") {
6661
+ return [
6662
+ {
6663
+ id: "tenant.lucern-graph.public.tenant-id",
6664
+ canonicalName: "NEXT_PUBLIC_LUCERN_GRAPH_TENANT_ID",
6665
+ aliases: ["NEXT_PUBLIC_LUCERN_TENANT_ID"],
6666
+ owner: "tenant",
6667
+ scope: "workspace",
6668
+ sourcePath: system.sharedSourcePath,
6669
+ environmentPolicy: "environment_specific",
6670
+ required: false,
6671
+ secret: false,
6672
+ public: true,
6673
+ consumers: ["tenant-vercel-app"],
6674
+ destinations: [
6675
+ {
6676
+ kind: "vercel",
6677
+ target: system.vercelProjectName,
6678
+ environmentPolicy: "preprod_staging_prod_prod"
6679
+ }
6680
+ ],
6681
+ description: "Lucern graph public tenant id used by the standalone graph explorer."
6682
+ },
6683
+ {
6684
+ id: "tenant.lucern-graph.public.tenant-label",
6685
+ canonicalName: "NEXT_PUBLIC_LUCERN_GRAPH_TENANT_LABEL",
6686
+ owner: "tenant",
6687
+ scope: "workspace",
6688
+ sourcePath: system.sharedSourcePath,
6689
+ environmentPolicy: "environment_specific",
6690
+ required: false,
6691
+ secret: false,
6692
+ public: true,
6693
+ consumers: ["tenant-vercel-app"],
6694
+ destinations: [
6695
+ {
6696
+ kind: "vercel",
6697
+ target: system.vercelProjectName,
6698
+ environmentPolicy: "preprod_staging_prod_prod"
6699
+ }
6700
+ ],
6701
+ description: "Lucern graph public tenant label used by the standalone graph explorer."
6702
+ }
6703
+ ];
6704
+ }
6705
+ if (system.id === "stack-eng") {
6706
+ return [
6707
+ {
6708
+ id: "tenant.stack-eng.public.tenant-id",
6709
+ canonicalName: "NEXT_PUBLIC_STACKOS_ENGINEERING_GRAPH_TENANT_ID",
6710
+ owner: "tenant",
6711
+ scope: "workspace",
6712
+ sourcePath: system.sharedSourcePath,
6713
+ environmentPolicy: "environment_specific",
6714
+ required: false,
6715
+ secret: false,
6716
+ public: true,
6717
+ consumers: ["tenant-vercel-app"],
6718
+ destinations: [
6719
+ {
6720
+ kind: "vercel",
6721
+ target: system.vercelProjectName,
6722
+ environmentPolicy: "preprod_staging_prod_prod"
6723
+ }
6724
+ ],
6725
+ description: "Stack engineering graph public tenant id used by the graph explorer."
6726
+ },
6727
+ {
6728
+ id: "tenant.stack-eng.public.tenant-label",
6729
+ canonicalName: "NEXT_PUBLIC_STACKOS_ENGINEERING_GRAPH_TENANT_LABEL",
6730
+ owner: "tenant",
6731
+ scope: "workspace",
6732
+ sourcePath: system.sharedSourcePath,
6733
+ environmentPolicy: "environment_specific",
6734
+ required: false,
6735
+ secret: false,
6736
+ public: true,
6737
+ consumers: ["tenant-vercel-app"],
6738
+ destinations: [
6739
+ {
6740
+ kind: "vercel",
6741
+ target: system.vercelProjectName,
6742
+ environmentPolicy: "preprod_staging_prod_prod"
6743
+ }
6744
+ ],
6745
+ description: "Stack engineering graph public tenant label used by the graph explorer."
6746
+ },
6747
+ {
6748
+ id: "tenant.stack-eng.public.environment",
6749
+ canonicalName: "NEXT_PUBLIC_STACKOS_ENGINEERING_GRAPH_ENV",
6750
+ owner: "tenant",
6751
+ scope: "workspace",
6752
+ sourcePath: system.sharedSourcePath,
6753
+ environmentPolicy: "environment_specific",
6754
+ required: false,
6755
+ secret: false,
6756
+ public: true,
6757
+ consumers: ["tenant-vercel-app"],
6758
+ destinations: [
6759
+ {
6760
+ kind: "vercel",
6761
+ target: system.vercelProjectName,
6762
+ environmentPolicy: "preprod_staging_prod_prod"
6763
+ }
6764
+ ],
6765
+ description: "Stack engineering graph public environment label used by the graph explorer."
6766
+ }
6767
+ ];
6768
+ }
6769
+ return [];
6770
+ }
4989
6771
  );
6772
+ INFISICAL_TENANT_SOFTWARE_SYSTEMS.flatMap((system) => [
6773
+ {
6774
+ id: `tenant.${system.id}.convex.url`,
6775
+ canonicalName: system.convex.urlEnv,
6776
+ aliases: tenantConvexUrlAliases(system),
6777
+ owner: "tenant",
6778
+ scope: "software_system",
6779
+ sourcePath: system.sharedSourcePath,
6780
+ environmentPolicy: "preprod_staging_prod_prod",
6781
+ required: true,
6782
+ secret: false,
6783
+ public: false,
6784
+ consumers: [
6785
+ "tenant-vercel-app",
6786
+ "tenant-agent-runtime",
6787
+ "mc-operator-tooling"
6788
+ ],
6789
+ destinations: [
6790
+ {
6791
+ kind: "vercel",
6792
+ target: system.vercelProjectName,
6793
+ environmentPolicy: "preprod_staging_prod_prod",
6794
+ writeNames: tenantVercelConvexUrlWriteNames(system)
6795
+ },
6796
+ {
6797
+ kind: "github_actions",
6798
+ target: `${system.repository.owner}/${system.repository.name}`,
6799
+ environmentPolicy: "preprod_staging_prod_prod",
6800
+ writeNames: tenantRepositoryConvexUrlWriteNames(system),
6801
+ notes: "Only if that repository deploy/test workflow owns this software system."
6802
+ }
6803
+ ],
6804
+ description: `${system.tenantKey}/${system.workspaceKey} Convex URL. Pre-prod resolves to ${system.convex.preprodDeployment}; prod resolves to ${system.convex.prodDeployment}.`
6805
+ },
6806
+ {
6807
+ id: `tenant.${system.id}.convex.deploy-key`,
6808
+ canonicalName: system.convex.deployKeyEnv,
6809
+ aliases: tenantConvexDeployKeyAliases(system),
6810
+ owner: "tenant",
6811
+ scope: "software_system",
6812
+ sourcePath: system.sharedSourcePath,
6813
+ environmentPolicy: "preprod_staging_prod_prod",
6814
+ required: true,
6815
+ secret: true,
6816
+ public: false,
6817
+ consumers: [
6818
+ "tenant-vercel-app",
6819
+ "tenant-agent-runtime",
6820
+ "mc-operator-tooling"
6821
+ ],
6822
+ destinations: [
6823
+ {
6824
+ kind: "vercel",
6825
+ target: system.vercelProjectName,
6826
+ environmentPolicy: "preprod_staging_prod_prod"
6827
+ },
6828
+ {
6829
+ kind: "github_actions",
6830
+ target: `${system.repository.owner}/${system.repository.name}`,
6831
+ environmentPolicy: "preprod_staging_prod_prod",
6832
+ writeNames: tenantRepositoryConvexDeployKeyWriteNames(system),
6833
+ notes: "Only if that repository deploy/test workflow owns this software system."
6834
+ }
6835
+ ],
6836
+ description: `${system.tenantKey}/${system.workspaceKey} Convex deploy/admin key. Never route to sibling workspaces.`
6837
+ }
6838
+ ]);
4990
6839
  z.object({
4991
6840
  manifestVersion: z.literal("1.0.0"),
4992
6841
  rules: z.array(
@@ -5027,7 +6876,7 @@ var createEvidenceInputSchemaBase = z.object({
5027
6876
  targetId: z.string().optional(),
5028
6877
  targetNodeId: z.string().optional(),
5029
6878
  linkedBeliefNodeId: z.string().optional(),
5030
- evidenceRelation: z.enum(["supports", "contradicts", "neutral"]).optional(),
6879
+ evidenceRelation: z.enum(["supports", "contradicts"]).optional(),
5031
6880
  confidence: z.number().optional(),
5032
6881
  weight: z.number().optional(),
5033
6882
  reasoning: z.string().optional(),
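Review bot: Narrowing `evidenceRelation` to `z.enum(["supports", "contradicts"])` makes any payload that still carries `"neutral"` fail validation, and no migration or coercion for that value is visible in this hunk. The next hunk drops the same literal from the `v.union(...)` in `createEvidenceProjection`, so both layers reject it. If already-written outbox records or older clients can still send `"neutral"`, map it explicitly before parsing (for example to an omitted relation) rather than rejecting the whole record. Whether such data exists cannot be told from this diff. The enclosing `z.object` starts and ends outside the hunk.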
@@ -5112,8 +6961,7 @@ var createEvidenceProjection = defineProjection({
5112
6961
  evidenceRelation: v.optional(
5113
6962
  v.union(
5114
6963
  v.literal("supports"),
5115
- v.literal("contradicts"),
5116
- v.literal("neutral")
6964
+ v.literal("contradicts")
5117
6965
  )
5118
6966
  ),
5119
6967
  confidence: v.optional(v.number()),
@@ -5138,7 +6986,7 @@ function compactRecord2(input) {
5138
6986
  Object.entries(input).filter(([, value]) => value !== void 0)
5139
6987
  );
5140
6988
  }
5141
- var listBeliefsProjection = defineProjection({
6989
+ defineProjection({
5142
6990
  contractName: "list_beliefs",
5143
6991
  inputSchema: listBeliefsInputSchema,
5144
6992
  project: (input) => compactRecord2({
@@ -5162,12 +7010,17 @@ var listBeliefsProjection = defineProjection({
5162
7010
  });
5163
7011
  var taskStatusSchema = z.enum(["todo", "in_progress", "blocked", "done"]).optional().describe("Filter by task status");
5164
7012
  var listTasksInputSchema = z.object({
5165
- topicId: z.string().describe("Topic scope"),
7013
+ topicId: z.string().optional().describe("Topic scope"),
5166
7014
  worktreeId: z.string().optional().describe("Alias for linkedWorktreeId"),
5167
7015
  linkedWorktreeId: z.string().optional().describe("Filter to tasks linked to this worktree"),
5168
7016
  status: taskStatusSchema,
5169
7017
  limit: z.number().optional().describe("Maximum results")
5170
- });
7018
+ }).refine(
7019
+ (input) => Boolean(input.topicId || input.worktreeId || input.linkedWorktreeId),
7020
+ {
7021
+ message: "topicId or worktreeId is required"
7022
+ }
7023
+ );
5171
7024
  function compactRecord3(input) {
5172
7025
  return Object.fromEntries(
5173
7026
  Object.entries(input).filter(([, value]) => value !== void 0)
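Review bot: The new `.refine(...)` on `listTasksInputSchema` is the only place that requires at least one of `topicId`, `worktreeId` or `linkedWorktreeId`, while the `convexArgsValidator` in the next hunk relaxes `topicId` to `v.optional(v.string())` with no equivalent guard. A caller that reaches the Convex function without passing through the Zod schema could supply no scope at all, so the handler (not visible here) should reject that case itself; otherwise the query may list tasks across topics. The message also omits the third accepted field; `message: "topicId, worktreeId, or linkedWorktreeId is required"` would match the predicate. Adding `path: ["topicId"]` to the refine options would attach the issue to a field instead of the object root.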
@@ -5184,7 +7037,7 @@ var listTasksProjection = defineProjection({
5184
7037
  linkedWorktreeId: input.linkedWorktreeId ?? input.worktreeId
5185
7038
  }),
5186
7039
  convexArgsValidator: v.object({
5187
- topicId: v.string(),
7040
+ topicId: v.optional(v.string()),
5188
7041
  status: v.optional(
5189
7042
  v.union(
5190
7043
  v.literal("todo"),
@@ -6162,19 +8015,23 @@ var FIND_CONTRADICTIONS = {
6162
8015
  };
6163
8016
  var CREATE_EDGE = {
6164
8017
  name: "create_edge",
6165
- description: "Commit a typed relationship between two nodes in the reasoning graph. Like `git commit` \u2014 an atomic write that declares a dependency between nodes. The engine enforces layer transition rules \u2014 for example, L1 \u2192 L3 direct edges are forbidden (must go through L2).",
8018
+ description: "Commit a typed relationship between two nodes in the reasoning graph. Like `git commit` \u2014 an atomic write that declares a dependency between nodes. Accepts any public epistemic edge type between public graph node refs so agents can author the full spine.",
6166
8019
  parameters: {
6167
- sourceId: {
6168
- type: "string",
6169
- description: "Source node of the relationship"
8020
+ from: {
8021
+ type: "object",
8022
+ description: "Source graph ref, e.g. { kind: 'epistemic_node', nodeId: '...', nodeType: 'topic' }"
6170
8023
  },
6171
- targetId: {
6172
- type: "string",
6173
- description: "Target node of the relationship"
8024
+ to: {
8025
+ type: "object",
8026
+ description: "Target graph ref, e.g. { kind: 'epistemic_node', nodeId: '...', nodeType: 'belief' }"
6174
8027
  },
6175
8028
  edgeType: {
6176
8029
  type: "string",
6177
- description: "Relationship type (informs, tests, depends_on, supersedes, etc.)"
8030
+ description: "Relationship type from the public epistemic edge enum."
8031
+ },
8032
+ globalId: {
8033
+ type: "string",
8034
+ description: "Optional idempotent edge global ID."
6178
8035
  },
6179
8036
  weight: {
6180
8037
  type: "number",
@@ -6184,10 +8041,14 @@ var CREATE_EDGE = {
6184
8041
  reasoningMethod: {
6185
8042
  type: "string",
6186
8043
  description: "How this was determined",
6187
- enum: ["deductive", "inductive", "abductive", "analogical", "empirical"]
8044
+ enum: [...REASONING_METHODS]
8045
+ },
8046
+ metadata: {
8047
+ type: "object",
8048
+ description: "Optional edge metadata."
6188
8049
  }
6189
8050
  },
6190
- required: ["sourceId", "targetId", "edgeType"],
8051
+ required: ["from", "to", "edgeType"],
6191
8052
  response: {
6192
8053
  description: "The created edge",
6193
8054
  fields: {
@@ -6201,6 +8062,240 @@ var CREATE_EDGE = {
6201
8062
  ontologyPrimitive: "edge",
6202
8063
  tier: "showcase"
6203
8064
  };
8065
+ var UPDATE_EDGE = {
8066
+ name: "update_edge",
8067
+ description: "Amend metadata on an existing graph edge. Like `git commit --amend` \u2014 changes the edge annotation without recreating the relationship.",
8068
+ parameters: {
8069
+ edgeId: { type: "string", description: "Edge ID or global ID to update" },
8070
+ weight: { type: "number", description: "Updated edge weight" },
8071
+ confidence: { type: "number", description: "Updated confidence" },
8072
+ context: { type: "string", description: "Updated human-readable context" },
8073
+ derivationType: { type: "string", description: "Updated derivation type" },
8074
+ metadata: { type: "object", description: "Updated metadata" }
8075
+ },
8076
+ required: ["edgeId"],
8077
+ response: {
8078
+ description: "Edge update result",
8079
+ fields: { success: "boolean" }
8080
+ },
8081
+ ownerModule: "graph-primitives",
8082
+ ontologyPrimitive: "edge",
8083
+ tier: "workhorse"
8084
+ };
8085
+ var REMOVE_EDGE = {
8086
+ name: "remove_edge",
8087
+ description: "Remove one graph edge by ID. Like `git rm` \u2014 deletes a single explicit relationship from the spine.",
8088
+ parameters: {
8089
+ edgeId: { type: "string", description: "Edge ID or global ID to remove" }
8090
+ },
8091
+ required: ["edgeId"],
8092
+ response: {
8093
+ description: "Edge removal result",
8094
+ fields: { success: "boolean" }
8095
+ },
8096
+ ownerModule: "graph-primitives",
8097
+ ontologyPrimitive: "edge",
8098
+ tier: "workhorse"
8099
+ };
8100
+ var REMOVE_EDGES_BETWEEN = {
8101
+ name: "remove_edges_between",
8102
+ description: "Remove graph edges between two nodes. Like `git rm <pathspec>` \u2014 deletes relationships matching a source, target, and optional type.",
8103
+ parameters: {
8104
+ fromNodeId: { type: "string", description: "Source node ID or global ID" },
8105
+ toNodeId: { type: "string", description: "Target node ID or global ID" },
8106
+ edgeType: { type: "string", description: "Optional edge type filter" }
8107
+ },
8108
+ required: ["fromNodeId", "toNodeId"],
8109
+ response: {
8110
+ description: "Matched edge removal result",
8111
+ fields: { deleted: "number" }
8112
+ },
8113
+ ownerModule: "graph-primitives",
8114
+ ontologyPrimitive: "edge",
8115
+ tier: "workhorse"
8116
+ };
8117
+ var BATCH_CREATE_EDGES = {
8118
+ name: "batch_create_edges",
8119
+ description: "Commit multiple typed graph edges. Like `git commit` with many staged paths \u2014 writes a batch of explicit relationships atomically per edge.",
8120
+ parameters: {
8121
+ edges: {
8122
+ type: "array",
8123
+ description: "Edges to create, each with from, to, edgeType, and optional weight/confidence/context."
8124
+ },
8125
+ skipLayerValidation: {
8126
+ type: "boolean",
8127
+ description: "Skip kernel layer validation for trusted materialization flows."
8128
+ }
8129
+ },
8130
+ required: ["edges"],
8131
+ response: {
8132
+ description: "Batch edge creation result",
8133
+ fields: {
8134
+ created: "number",
8135
+ results: "array",
8136
+ errors: "array"
8137
+ }
8138
+ },
8139
+ ownerModule: "graph-primitives",
8140
+ ontologyPrimitive: "edge",
8141
+ tier: "workhorse"
8142
+ };
8143
+ var CREATE_EPISTEMIC_NODE = {
8144
+ name: "create_epistemic_node",
8145
+ description: "Commit a generic epistemic graph node. Like `git commit` \u2014 creates a canonical node in the public spine for topics, beliefs, evidence, questions, answers, sources, and entities.",
8146
+ parameters: {
8147
+ globalId: { type: "string", description: "Optional idempotent node global ID" },
8148
+ nodeType: { type: "string", description: "Public epistemic node type" },
8149
+ canonicalText: { type: "string", description: "Canonical node text" },
8150
+ text: { type: "string", description: "Alias for canonicalText" },
8151
+ contentHash: { type: "string", description: "Optional idempotency content hash" },
8152
+ sourceType: { type: "string", description: "Source type for provenance" },
8153
+ topicId: { type: "string", description: "Optional topic scope" },
8154
+ content: { type: "string", description: "Extended content" },
8155
+ title: { type: "string", description: "Display title" },
8156
+ metadata: { type: "object", description: "Optional node metadata" }
8157
+ },
8158
+ required: ["nodeType"],
8159
+ response: {
8160
+ description: "Created node result",
8161
+ fields: {
8162
+ nodeId: "string",
8163
+ nodeGlobalId: "string",
8164
+ isDuplicate: "boolean"
8165
+ }
8166
+ },
8167
+ ownerModule: "reasoning-kernel",
8168
+ ontologyPrimitive: "graph",
8169
+ tier: "showcase"
8170
+ };
8171
+ var GET_EPISTEMIC_NODE = {
8172
+ name: "get_epistemic_node",
8173
+ description: "Read one epistemic graph node. Like `git show` \u2014 resolves a canonical spine node by ID or global ID.",
8174
+ parameters: {
8175
+ nodeId: { type: "string", description: "Node ID or global ID" }
8176
+ },
8177
+ required: ["nodeId"],
8178
+ response: {
8179
+ description: "The resolved node",
8180
+ fields: { node: "object" }
8181
+ },
8182
+ ownerModule: "reasoning-kernel",
8183
+ ontologyPrimitive: "graph",
8184
+ tier: "workhorse"
8185
+ };
8186
+ var LIST_EPISTEMIC_NODES = {
8187
+ name: "list_epistemic_nodes",
8188
+ description: "List epistemic graph nodes. Like `git ls-tree` \u2014 lists canonical spine nodes by topic, type, status, or search query.",
8189
+ parameters: {
8190
+ topicId: { type: "string", description: "Optional topic scope" },
8191
+ nodeType: { type: "string", description: "Optional node type filter" },
8192
+ status: { type: "string", description: "Optional lifecycle status" },
8193
+ searchQuery: { type: "string", description: "Optional text search query" },
8194
+ limit: { type: "number", description: "Maximum nodes to return" }
8195
+ },
8196
+ required: [],
8197
+ response: {
8198
+ description: "Matching nodes",
8199
+ fields: { nodes: "array" }
8200
+ },
8201
+ ownerModule: "reasoning-kernel",
8202
+ ontologyPrimitive: "graph",
8203
+ tier: "workhorse"
8204
+ };
8205
+ var UPDATE_EPISTEMIC_NODE = {
8206
+ name: "update_epistemic_node",
8207
+ description: "Amend an epistemic graph node. Like `git commit --amend` \u2014 updates mutable node metadata, text, status, or verification fields.",
8208
+ parameters: {
8209
+ nodeId: { type: "string", description: "Node ID or global ID" },
8210
+ canonicalText: { type: "string", description: "Updated canonical text" },
8211
+ text: { type: "string", description: "Alias for canonicalText" },
8212
+ contentHash: { type: "string", description: "Updated content hash" },
8213
+ content: { type: "string", description: "Updated content" },
8214
+ title: { type: "string", description: "Updated display title" },
8215
+ metadata: { type: "object", description: "Updated metadata" },
8216
+ confidence: { type: "number", description: "Updated confidence" },
8217
+ verificationStatus: { type: "string", description: "Updated verification status" },
8218
+ status: { type: "string", description: "Updated lifecycle status" }
8219
+ },
8220
+ required: ["nodeId"],
8221
+ response: {
8222
+ description: "Node update result",
8223
+ fields: { success: "boolean" }
8224
+ },
8225
+ ownerModule: "reasoning-kernel",
8226
+ ontologyPrimitive: "graph",
8227
+ tier: "workhorse"
8228
+ };
8229
+ var ARCHIVE_EPISTEMIC_NODE = {
8230
+ name: "archive_epistemic_node",
8231
+ description: "Archive an epistemic graph node. Like `git rm --cached` \u2014 removes a node from active traversal without hard-deleting it.",
8232
+ parameters: {
8233
+ nodeId: { type: "string", description: "Node ID or global ID" }
8234
+ },
8235
+ required: ["nodeId"],
8236
+ response: {
8237
+ description: "Archive result",
8238
+ fields: { success: "boolean", effectiveStatus: "string" }
8239
+ },
8240
+ ownerModule: "reasoning-kernel",
8241
+ ontologyPrimitive: "graph",
8242
+ tier: "workhorse"
8243
+ };
8244
+ var VERIFY_EPISTEMIC_NODE = {
8245
+ name: "verify_epistemic_node",
8246
+ description: "Record verification state on an epistemic graph node. Like `git tag` \u2014 marks the node with a reviewed verification state.",
8247
+ parameters: {
8248
+ nodeId: { type: "string", description: "Node ID or global ID" },
8249
+ verificationStatus: { type: "string", description: "Verification status" },
8250
+ confidence: { type: "number", description: "Optional confidence update" }
8251
+ },
8252
+ required: ["nodeId", "verificationStatus"],
8253
+ response: {
8254
+ description: "Verification result",
8255
+ fields: { success: "boolean" }
8256
+ },
8257
+ ownerModule: "reasoning-kernel",
8258
+ ontologyPrimitive: "graph",
8259
+ tier: "workhorse"
8260
+ };
8261
+ var SUPERSEDE_EPISTEMIC_NODE = {
8262
+ name: "supersede_epistemic_node",
8263
+ description: "Supersede an epistemic graph node with a new version. Like `git commit --amend` on an immutable history branch \u2014 creates the replacement and marks the old node superseded.",
8264
+ parameters: {
8265
+ oldNodeId: { type: "string", description: "Node ID or global ID to supersede" },
8266
+ newGlobalId: { type: "string", description: "Optional replacement global ID" },
8267
+ newCanonicalText: { type: "string", description: "Replacement canonical text" },
8268
+ text: { type: "string", description: "Alias for newCanonicalText" },
8269
+ newContentHash: { type: "string", description: "Optional replacement content hash" },
8270
+ reason: { type: "string", description: "Reason for superseding" }
8271
+ },
8272
+ required: ["oldNodeId"],
8273
+ response: {
8274
+ description: "Supersede result",
8275
+ fields: { oldNodeId: "string", newNodeId: "string" }
8276
+ },
8277
+ ownerModule: "reasoning-kernel",
8278
+ ontologyPrimitive: "graph",
8279
+ tier: "workhorse"
8280
+ };
8281
+ var BATCH_CREATE_EPISTEMIC_NODES = {
8282
+ name: "batch_create_epistemic_nodes",
8283
+ description: "Commit multiple epistemic graph nodes. Like `git commit` with many staged files \u2014 writes a batch of canonical spine nodes.",
8284
+ parameters: {
8285
+ nodes: {
8286
+ type: "array",
8287
+ description: "Nodes to create with nodeType, canonicalText/text, and optional metadata."
8288
+ }
8289
+ },
8290
+ required: ["nodes"],
8291
+ response: {
8292
+ description: "Batch node creation result",
8293
+ fields: { created: "number", results: "array" }
8294
+ },
8295
+ ownerModule: "reasoning-kernel",
8296
+ ontologyPrimitive: "graph",
8297
+ tier: "workhorse"
8298
+ };
6204
8299
  var RECORD_JUDGMENT = {
6205
8300
  name: "record_judgment",
6206
8301
  description: "Record a judgment \u2014 an irreversible commitment based on the current epistemic state. Like a `git tag` marking a release. A judgment synthesizes beliefs, evidence, and uncertainties into a determination. Once issued, a judgment is evaluated against the epistemic state that existed when it was made (knowledge horizon evaluation, Invariant #10).",
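Review bot: `skipLayerValidation` in `BATCH_CREATE_EDGES` is a caller-supplied boolean on a contract that later hunks register in `MCP_TOOL_CONTRACTS` and `MCP_ANALYSIS_PLATFORM_OPERATION_NAMES`, so the "trusted materialization flows" in its description is a requirement the contract does not express. Unless the handler ignores the flag for callers without a privileged scope, any session allowed to call the tool could turn off kernel layer validation by passing `true`; the handler is outside this diff, so this needs confirming. I would either keep the flag on an internal path only, or state the rule in the contract, e.g. `description: "Skip kernel layer validation. Honored only for callers with a privileged scope; ignored otherwise."`. `REMOVE_EDGES_BETWEEN` in the same hunk deserves a similar look: omitting `edgeType` removes every edge between the two nodes, and the response reports only a `deleted` count.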
@@ -7400,8 +9495,8 @@ var IDENTITY_WHOAMI = {
7400
9495
  response: {
7401
9496
  description: "Canonical identity summary for the current session",
7402
9497
  fields: {
7403
- principalId: "string \u2014 canonical federated principal identifier",
7404
- principalType: "string \u2014 human, service, or agent",
9498
+ principalId: "string \u2014 canonical principal identifier; for humans this is the Clerk user_... ID",
9499
+ principalType: "string \u2014 human, service, agent, group, or external_viewer",
7405
9500
  tenantId: "string | undefined \u2014 resolved tenant scope",
7406
9501
  workspaceId: "string | undefined \u2014 resolved workspace scope",
7407
9502
  scopes: "string[] | undefined \u2014 granted scopes for this session",
@@ -7412,6 +9507,49 @@ var IDENTITY_WHOAMI = {
7412
9507
  ontologyPrimitive: "identity",
7413
9508
  tier: "workhorse"
7414
9509
  };
9510
+ var RESOLVE_INTERACTIVE_PRINCIPAL = {
9511
+ name: "resolve_interactive_principal",
9512
+ description: "Read the Permit-backed Lucern principal context for an authenticated Clerk user. Like `git config --get user.email` plus the repository ACL \u2014 resolves the Clerk subject into tenant/workspace authorization context.",
9513
+ parameters: {
9514
+ clerkId: {
9515
+ type: "string",
9516
+ description: "Authenticated Clerk subject (`sub`). Clerk proves identity only; it is not the authorization record."
9517
+ },
9518
+ tenantId: {
9519
+ type: "string",
9520
+ description: "Optional tenant scope. Omit only when the Clerk alias is globally unambiguous."
9521
+ },
9522
+ workspaceId: {
9523
+ type: "string",
9524
+ description: "Optional workspace scope. Required when the principal has access to multiple workspaces and no default can be inferred."
9525
+ },
9526
+ providerProjectId: {
9527
+ type: "string",
9528
+ description: "Optional Clerk project or provider instance id for tenants with multiple identity providers."
9529
+ }
9530
+ },
9531
+ required: ["clerkId"],
9532
+ response: {
9533
+ description: "Permit-backed Lucern principal context for tenant SDK bootstrap",
9534
+ fields: {
9535
+ principalId: "string \u2014 canonical Clerk user_... ID for human sessions",
9536
+ principalType: "string \u2014 human, service, agent, group, or external_viewer",
9537
+ clerkId: "string \u2014 authenticated Clerk subject alias",
9538
+ tenantId: "string \u2014 resolved tenant scope",
9539
+ workspaceId: "string | null \u2014 resolved workspace scope",
9540
+ roles: "string[] \u2014 effective Permit roles",
9541
+ scopes: "string[] \u2014 effective scopes derived from Permit/control-plane projection",
9542
+ groupIds: "string[] \u2014 active Permit group memberships",
9543
+ principalStatus: "string \u2014 active, invited, suspended, disabled, revoked, or missing",
9544
+ tenantStatus: "string \u2014 projected tenant resource status",
9545
+ workspaceStatus: "string \u2014 projected workspace resource status",
9546
+ permit: "object \u2014 Permit subject, tenant, and optional workspace tuple"
9547
+ }
9548
+ },
9549
+ ownerModule: "control-plane",
9550
+ ontologyPrimitive: "identity",
9551
+ tier: "workhorse"
9552
+ };
7415
9553
  var COMPILE_CONTEXT = {
7416
9554
  name: "compile_context",
7417
9555
  description: "Compile a focused reasoning context. If topicId is omitted, Lucern resolves the best topic from the query. Like `git log --graph --decorate` for the reasoning substrate \u2014 returns the canonical Pillar 3 context pack through the public API shape.",
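Review bot: `RESOLVE_INTERACTIVE_PRINCIPAL` accepts `clerkId` as an ordinary string parameter, so the word "Authenticated" in its description is an assertion by the caller, not something the contract enforces. The response carries `roles`, `scopes`, `groupIds` and `principalStatus`, so a handler that resolves whatever `clerkId` it receives would let one session read another user's authorization context and distinguish existing subjects from `missing` ones. The handler (not shown) should take the subject from the verified session token and reject a differing `clerkId`, or restrict the tool to service principals. The description could say so: `description: "Clerk subject (sub) of the calling session. Must match the verified token; mismatches are rejected."`. A later hunk adds this operation to `MCP_CORE_OPERATION_NAMES`, which widens where it is reachable.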
@@ -7673,6 +9811,10 @@ var CREATE_TASK = {
7673
9811
  tags: {
7674
9812
  type: "array",
7675
9813
  description: "Free-form string tags"
9814
+ },
9815
+ metadata: {
9816
+ type: "object",
9817
+ description: "Structured task metadata for handoff context and routing hints"
7676
9818
  }
7677
9819
  },
7678
9820
  required: ["title"],
@@ -7746,6 +9888,10 @@ var UPDATE_TASK = {
7746
9888
  type: "string",
7747
9889
  description: "Updated status",
7748
9890
  enum: ["todo", "in_progress", "blocked", "done"]
9891
+ },
9892
+ metadata: {
9893
+ type: "object",
9894
+ description: "Structured task metadata to replace or refine"
7749
9895
  }
7750
9896
  },
7751
9897
  required: ["taskId"],
@@ -7793,6 +9939,10 @@ var CREATE_TOPIC = {
7793
9939
  name: "create_topic",
7794
9940
  description: "Create a new topic container for scoping knowledge. Like `git init` \u2014 initializes a new repository for a knowledge domain. Topics are hierarchical: a deal topic can nest under a theme topic. Types: domain, theme, deal, strategy, constitution, project, portfolio.",
7795
9941
  parameters: {
9942
+ globalId: {
9943
+ type: "string",
9944
+ description: "Optional idempotent topic global ID"
9945
+ },
7796
9946
  name: { type: "string", description: "Topic name" },
7797
9947
  type: {
7798
9948
  type: "string",
@@ -7803,6 +9953,18 @@ var CREATE_TOPIC = {
7803
9953
  type: "string",
7804
9954
  description: "Optional parent topic for nesting"
7805
9955
  },
9956
+ parentTopicGlobalId: {
9957
+ type: "string",
9958
+ description: "Optional parent topic global ID for nesting"
9959
+ },
9960
+ tenantId: { type: "string", description: "Optional tenant scope" },
9961
+ workspaceId: { type: "string", description: "Optional workspace scope" },
9962
+ visibility: {
9963
+ type: "string",
9964
+ description: "Topic visibility",
9965
+ enum: ["private", "team", "firm", "external", "public"]
9966
+ },
9967
+ metadata: { type: "object", description: "Optional topic metadata" },
7806
9968
  createdBy: { type: "string", description: "Who created this topic" }
7807
9969
  },
7808
9970
  required: ["name", "type"],
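Review bot: The new `tenantId` and `workspaceId` parameters on `CREATE_TOPIC` let the caller name the scope a topic is written into, and nothing in the contract says they are checked against the session's own tenant and workspace. If the handler (outside this diff) uses them as given, a caller in one tenant could create topics in another; they should be validated against the resolved session scope, or derived from it and not accepted as input. `visibility` also admits `"external"` and `"public"` with no default stated, so the description should name the default, e.g. `description: "Topic visibility. Defaults to private when omitted."` if that is what the handler does. The `parameters` object opens in the previous hunk.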
@@ -7811,6 +9973,9 @@ var CREATE_TOPIC = {
7811
9973
  fields: {
7812
9974
  id: "string \u2014 topic ID",
7813
9975
  globalId: "string \u2014 globally unique ID",
9976
+ topicGlobalId: "string \u2014 topic global ID",
9977
+ epistemicNodeId: "string \u2014 materialized topic node ID",
9978
+ epistemicNodeGlobalId: "string \u2014 materialized topic node global ID",
7814
9979
  depth: "number \u2014 nesting depth"
7815
9980
  }
7816
9981
  },
@@ -7941,6 +10106,65 @@ var GET_TOPIC_TREE = {
7941
10106
  ontologyPrimitive: "graph",
7942
10107
  tier: "workhorse"
7943
10108
  };
10109
+ var MATERIALIZE_TOPIC_GRAPH = {
10110
+ name: "materialize_topic_graph",
10111
+ description: "Backfill the topic graph spine. Like `git fsck --connectivity-only` with repair enabled \u2014 creates missing topic nodes and parent-child edges idempotently.",
10112
+ parameters: {
10113
+ rootTopicId: {
10114
+ type: "string",
10115
+ description: "Optional root topic for a bounded materialization pass"
10116
+ },
10117
+ dryRun: {
10118
+ type: "boolean",
10119
+ description: "When true, report missing rows without writing them"
10120
+ }
10121
+ },
10122
+ required: [],
10123
+ response: {
10124
+ description: "Topic graph materialization counts",
10125
+ fields: {
10126
+ topicsSeen: "number",
10127
+ nodesCreated: "number",
10128
+ nodesExisting: "number",
10129
+ edgesCreated: "number",
10130
+ edgesExisting: "number",
10131
+ errors: "array"
10132
+ }
10133
+ },
10134
+ ownerModule: "reasoning-kernel",
10135
+ ontologyPrimitive: "graph",
10136
+ tier: "workhorse"
10137
+ };
10138
+ var GET_TOPIC_GRAPH_SPINE = {
10139
+ name: "get_topic_graph_spine",
10140
+ description: "Verify the topic graph spine. Like `git fsck` \u2014 reads topics, materialized topic nodes, parent-child edges, and missing spine rows.",
10141
+ parameters: {
10142
+ rootTopicId: {
10143
+ type: "string",
10144
+ description: "Optional root topic for a bounded verifier pass"
10145
+ },
10146
+ includeTopicBeliefEdges: {
10147
+ type: "boolean",
10148
+ description: "Include topic -> belief edges in the verifier payload"
10149
+ }
10150
+ },
10151
+ required: [],
10152
+ response: {
10153
+ description: "Topic graph spine verification payload",
10154
+ fields: {
10155
+ ok: "boolean",
10156
+ counts: "object",
10157
+ topics: "array",
10158
+ topicNodes: "array",
10159
+ parentEdges: "array",
10160
+ missingTopicNodes: "array",
10161
+ missingParentEdges: "array"
10162
+ }
10163
+ },
10164
+ ownerModule: "reasoning-kernel",
10165
+ ontologyPrimitive: "graph",
10166
+ tier: "workhorse"
10167
+ };
7944
10168
  var GET_CODE_CONTEXT = {
7945
10169
  name: "get_code_context",
7946
10170
  description: "Returns code-grounded beliefs, contracts, migration states, and failed attempts anchored to a specific file or function path. Like `git log -- <path>` \u2014 filters the knowledge graph to nodes anchored to a file path via metadata.codeAnchors. Results are separated by coding belief type: decisions, contracts, migrations, patterns, deprecations, and failures.",
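Review bot: `MATERIALIZE_TOPIC_GRAPH` is a write operation declared with `required: []`, so a call with no arguments is valid, yet the contract does not say what `dryRun` defaults to or how far a pass without `rootTopicId` reaches. If the default is to write, an empty-argument call from an agent performs an unbounded repair over every topic it can reach. I would state the default in the parameter, e.g. `description: "When true, report missing rows without writing them. Defaults to false."` if that is the real behaviour, and consider treating a call without `rootTopicId` as a dry run unless `dryRun: false` is passed explicitly. A later hunk lists this operation in `MCP_CORE_OPERATION_NAMES`.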
@@ -8136,7 +10360,7 @@ var MANAGE_WRITE_POLICY = {
8136
10360
  },
8137
10361
  role: {
8138
10362
  type: "string",
8139
- description: "Role to set policy for (required for 'set'). E.g. 'agent:internal', 'user:analyst'."
10363
+ description: "Role to set policy for (required for 'set'). E.g. 'agent:internal' or a Permit role key such as 'workspace_admin'."
8140
10364
  },
8141
10365
  permission: {
8142
10366
  type: "string",
@@ -9123,6 +11347,9 @@ var BEGIN_BUILD_SESSION = {
9123
11347
  sessionMode: "string \u2014 async | interactive",
9124
11348
  targetBeliefIds: "array \u2014 scoped belief IDs",
9125
11349
  targetQuestionIds: "array \u2014 scoped question IDs",
11350
+ taskIds: "array \u2014 assigned task IDs for this worktree",
11351
+ incompleteTaskIds: "array \u2014 assigned task IDs that still require done/deferred/blocked proof",
11352
+ tasks: "array \u2014 assigned task packet with id, title, status, priority, links, and summaries",
9126
11353
  topBeliefs: "array \u2014 highest-confidence scoped beliefs",
9127
11354
  openQuestions: "array \u2014 open scoped questions",
9128
11355
  resolvedDecisions: "array \u2014 answered questions summarized for the session",
@@ -9178,6 +11405,19 @@ var MCP_TOOL_CONTRACTS = {
9178
11405
  bisect_confidence: BISECT_CONFIDENCE,
9179
11406
  // Edges (commit)
9180
11407
  create_edge: CREATE_EDGE,
11408
+ update_edge: UPDATE_EDGE,
11409
+ remove_edge: REMOVE_EDGE,
11410
+ remove_edges_between: REMOVE_EDGES_BETWEEN,
11411
+ batch_create_edges: BATCH_CREATE_EDGES,
11412
+ // Epistemic node spine (commit/amend/show)
11413
+ create_epistemic_node: CREATE_EPISTEMIC_NODE,
11414
+ get_epistemic_node: GET_EPISTEMIC_NODE,
11415
+ list_epistemic_nodes: LIST_EPISTEMIC_NODES,
11416
+ update_epistemic_node: UPDATE_EPISTEMIC_NODE,
11417
+ archive_epistemic_node: ARCHIVE_EPISTEMIC_NODE,
11418
+ verify_epistemic_node: VERIFY_EPISTEMIC_NODE,
11419
+ supersede_epistemic_node: SUPERSEDE_EPISTEMIC_NODE,
11420
+ batch_create_epistemic_nodes: BATCH_CREATE_EPISTEMIC_NODES,
9181
11421
  // Judgments (tag)
9182
11422
  record_judgment: RECORD_JUDGMENT,
9183
11423
  // Graph intelligence (showcase)
@@ -9212,6 +11452,7 @@ var MCP_TOOL_CONTRACTS = {
9212
11452
  update_worktree_targets: UPDATE_WORKTREE_TARGETS,
9213
11453
  update_worktree_metadata: UPDATE_WORKTREE_METADATA,
9214
11454
  identity_whoami: IDENTITY_WHOAMI,
11455
+ resolve_interactive_principal: RESOLVE_INTERACTIVE_PRINCIPAL,
9215
11456
  compile_context: COMPILE_CONTEXT,
9216
11457
  record_scope_learning: RECORD_SCOPE_LEARNING,
9217
11458
  pipeline_snapshot: PIPELINE_SNAPSHOT,
@@ -9251,6 +11492,8 @@ var MCP_TOOL_CONTRACTS = {
9251
11492
  get_topic: GET_TOPIC,
9252
11493
  update_topic: UPDATE_TOPIC,
9253
11494
  get_topic_tree: GET_TOPIC_TREE,
11495
+ materialize_topic_graph: MATERIALIZE_TOPIC_GRAPH,
11496
+ get_topic_graph_spine: GET_TOPIC_GRAPH_SPINE,
9254
11497
  // Coding intelligence (code-grounded knowledge)
9255
11498
  get_code_context: GET_CODE_CONTEXT,
9256
11499
  get_change_history: GET_CHANGE_HISTORY,
@@ -9327,6 +11570,7 @@ function entries(names, surfaceClass, surfaceIntent, surfaces, rationale) {
9327
11570
  var MCP_CORE_OPERATION_NAMES = [
9328
11571
  "compile_context",
9329
11572
  "identity_whoami",
11573
+ "resolve_interactive_principal",
9330
11574
  "check_permission",
9331
11575
  "filter_by_permission",
9332
11576
  "create_belief",
@@ -9355,14 +11599,28 @@ var MCP_CORE_OPERATION_NAMES = [
9355
11599
  "find_missing_questions",
9356
11600
  "get_high_priority_questions",
9357
11601
  "get_falsification_questions",
11602
+ "create_epistemic_node",
11603
+ "get_epistemic_node",
11604
+ "list_epistemic_nodes",
11605
+ "update_epistemic_node",
11606
+ "archive_epistemic_node",
11607
+ "verify_epistemic_node",
11608
+ "supersede_epistemic_node",
11609
+ "batch_create_epistemic_nodes",
9358
11610
  "create_topic",
9359
11611
  "get_topic",
9360
11612
  "list_topics",
9361
11613
  "update_topic",
9362
- "get_topic_tree"
11614
+ "get_topic_tree",
11615
+ "materialize_topic_graph",
11616
+ "get_topic_graph_spine"
9363
11617
  ];
9364
11618
  var MCP_ANALYSIS_PLATFORM_OPERATION_NAMES = [
9365
11619
  "create_edge",
11620
+ "update_edge",
11621
+ "remove_edge",
11622
+ "remove_edges_between",
11623
+ "batch_create_edges",
9366
11624
  "query_lineage",
9367
11625
  "traverse_graph",
9368
11626
  "get_graph_neighborhood",
@@ -9694,12 +11952,20 @@ function unwrapMcpParameterSchema(schema) {
9694
11952
  current = current._def.schema;
9695
11953
  continue;
9696
11954
  default:
9697
- return { schema: current, required, description: description ?? current.description };
11955
+ return {
11956
+ schema: current,
11957
+ required,
11958
+ description: description ?? current.description
11959
+ };
9698
11960
  }
9699
11961
  }
9700
11962
  }
9701
11963
  function mcpParameterFromZod(fieldName, schema, contractName) {
9702
- const { schema: unwrapped, required, description: schemaDescription } = unwrapMcpParameterSchema(schema);
11964
+ const {
11965
+ schema: unwrapped,
11966
+ required,
11967
+ description: schemaDescription
11968
+ } = unwrapMcpParameterSchema(schema);
9703
11969
  const description = schemaDescription ?? unwrapped.description ?? fieldName;
9704
11970
  switch (unwrapped._def.typeName) {
9705
11971
  case z.ZodFirstPartyTypeKind.ZodString:
@@ -9744,10 +12010,12 @@ function mcpContractFromArgsSchema(base, args, contractName) {
9744
12010
  const entries2 = Object.entries(getObjectShape(args)).sort(
9745
12011
  ([left], [right]) => left.localeCompare(right)
9746
12012
  );
9747
- const converted = entries2.map(([fieldName, schema]) => [
9748
- fieldName,
9749
- mcpParameterFromZod(fieldName, schema, contractName)
9750
- ]);
12013
+ const converted = entries2.map(
12014
+ ([fieldName, schema]) => [
12015
+ fieldName,
12016
+ mcpParameterFromZod(fieldName, schema, contractName)
12017
+ ]
12018
+ );
9751
12019
  return {
9752
12020
  ...base,
9753
12021
  parameters: Object.fromEntries(
@@ -9856,9 +12124,16 @@ function surfaceContract(args) {
9856
12124
  scopes: args.scopes ?? [
9857
12125
  args.kind === "query" ? `${args.domain}.read` : `${args.domain}.write`
9858
12126
  ],
9859
- allowedPrincipalTypes: ["user", "service", "agent"]
12127
+ allowedPrincipalTypes: [
12128
+ "user",
12129
+ "service",
12130
+ "agent",
12131
+ "group",
12132
+ "external_viewer"
12133
+ ]
9860
12134
  },
9861
12135
  convex: args.convex,
12136
+ gateway: args.gateway,
9862
12137
  args: canonicalArgs,
9863
12138
  returns: canonicalReturns,
9864
12139
  input,
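Review bot: The default `allowedPrincipalTypes` in `surfaceContract` now admits `group` and `external_viewer` for every contract built through this helper, and the call sites visible on this page include mutations such as `create_topic` and `update_epistemic_node`. The array is a literal here, so unless a part of `surfaceContract` outside this hunk lets a contract override it, external viewers are allowed on write surfaces by default and only the scope check separates them from the handler. I would keep the default narrow and make the wider set opt-in, following the `args.scopes ??` pattern two lines above: `allowedPrincipalTypes: args.allowedPrincipalTypes ?? ["user", "service", "agent"]`. The function body starts and ends outside the hunk.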
@@ -9997,8 +12272,6 @@ var contextContracts = [
9997
12272
  args: observationContextArgs
9998
12273
  })
9999
12274
  ];
10000
-
10001
- // ../contracts/src/function-registry/identity.ts
10002
12275
  var withPrincipal = (input, context) => ({
10003
12276
  ...input,
10004
12277
  tenantId: input.tenantId ?? context.tenantId,
@@ -10017,11 +12290,30 @@ var identityContracts = [
10017
12290
  sdkNamespace: "identity",
10018
12291
  sdkMethod: "whoami",
10019
12292
  summary: "Describe the current gateway principal.",
12293
+ gateway: {
12294
+ handler: "identity.whoami"
12295
+ }
12296
+ }),
12297
+ surfaceContract({
12298
+ name: "resolve_interactive_principal",
12299
+ kind: "query",
12300
+ domain: "controlPlane",
12301
+ surfaceClass: "platform_public",
12302
+ method: "POST",
12303
+ path: "/control-plane/identity/resolve-interactive-principal",
12304
+ sdkNamespace: "controlPlane.identity",
12305
+ sdkMethod: "resolveInteractivePrincipal",
12306
+ summary: "Resolve an authenticated Clerk user into a Permit-backed Lucern principal context.",
12307
+ args: z.object({
12308
+ clerkId: z.string().min(1),
12309
+ tenantId: z.string().min(1).optional(),
12310
+ workspaceId: z.string().min(1).optional(),
12311
+ providerProjectId: z.string().min(1).optional()
12312
+ }),
10020
12313
  convex: {
10021
- module: "identity",
10022
- functionName: "whoami",
10023
- kind: "query",
10024
- inputProjection: withPrincipal
12314
+ module: "platform",
12315
+ functionName: "resolveInteractivePrincipal",
12316
+ kind: "query"
10025
12317
  }
10026
12318
  }),
10027
12319
  surfaceContract({
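Review bot: `resolve_interactive_principal` takes `clerkId` (and optionally `tenantId`, `workspaceId`, `providerProjectId`) from the request arguments, and its `convex` entry has no `inputProjection`, so nothing in this hunk ties the resolved identity to the caller's verified session even though the summary says "authenticated Clerk user". The contract is `platform_public` and a `query`, which by the default in `surfaceContract` needs only the `controlPlane.read` scope. If the `platform.resolveInteractivePrincipal` handler (not shown) does not compare `clerkId` with the verified token subject, any holder of that scope could resolve the principal context of an arbitrary Clerk id. I would either project `clerkId` from the gateway context instead of accepting it in `args`, or state the requirement on the contract with a comment such as `// clerkId must equal the verified session subject; the handler rejects mismatches`.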
@@ -10103,15 +12395,6 @@ var beliefLookupInput = (input) => compactRecord4({
10103
12395
  var beliefNodeInput = (input) => compactRecord4({
10104
12396
  nodeId: input.nodeId ?? input.id ?? input.beliefId
10105
12397
  });
10106
- var beliefTopicInput = (input) => {
10107
- const parsed = listBeliefsProjection.inputSchema.safeParse(input);
10108
- if (!parsed.success) {
10109
- throw new Error(
10110
- `list_beliefs projection input rejected: ${parsed.error.message}`
10111
- );
10112
- }
10113
- return compactRecord4(listBeliefsProjection.project(parsed.data));
10114
- };
10115
12398
  var createBeliefInput = (input, context) => {
10116
12399
  return withUserId(
10117
12400
  compactRecord4({
@@ -10200,11 +12483,8 @@ var beliefsContracts = [
10200
12483
  sdkNamespace: "beliefs",
10201
12484
  sdkMethod: "listBeliefs",
10202
12485
  summary: "List beliefs for a topic.",
10203
- convex: {
10204
- module: "beliefs",
10205
- functionName: "getByTopic",
10206
- kind: "query",
10207
- inputProjection: beliefTopicInput
12486
+ gateway: {
12487
+ handler: "beliefs.list"
10208
12488
  },
10209
12489
  args: listBeliefsInputSchema
10210
12490
  }),
@@ -10345,7 +12625,7 @@ var beliefsContracts = [
10345
12625
  })
10346
12626
  ];
10347
12627
  var jsonRecordSchema4 = z.record(z.unknown());
10348
- var evidenceRelationSchema = z.enum(["supports", "contradicts", "neutral"]);
12628
+ var evidenceRelationSchema = z.enum(["supports", "contradicts"]);
10349
12629
  var createEvidenceArgs = z.object({
10350
12630
  topicId: z.string().optional().describe("Topic scope for the evidence."),
10351
12631
  text: z.string().describe("Canonical evidence text."),
@@ -10389,12 +12669,6 @@ var evidenceIdInput = (input) => compactRecord4({
10389
12669
  insightId: input.insightId,
10390
12670
  nodeId: input.nodeId ?? input.id ?? input.evidenceId
10391
12671
  });
10392
- var evidenceTopicInput = (input) => compactRecord4({
10393
- topicId: input.topicId,
10394
- status: input.status,
10395
- userId: input.userId,
10396
- limit: input.limit
10397
- });
10398
12672
  var createEvidenceInput = (input, context) => {
10399
12673
  const parsed = createEvidenceProjection.inputSchema.safeParse(input);
10400
12674
  if (!parsed.success) {
@@ -10525,11 +12799,8 @@ var evidenceContracts = [
10525
12799
  sdkNamespace: "evidence",
10526
12800
  sdkMethod: "listEvidence",
10527
12801
  summary: "List evidence for a topic.",
10528
- convex: {
10529
- module: "evidence",
10530
- functionName: "getByTopic",
10531
- kind: "query",
10532
- inputProjection: evidenceTopicInput
12802
+ gateway: {
12803
+ handler: "evidence.list"
10533
12804
  }
10534
12805
  }),
10535
12806
  surfaceContract({
@@ -10764,11 +13035,8 @@ var questionsContracts = [
10764
13035
  sdkNamespace: "questions",
10765
13036
  sdkMethod: "listQuestions",
10766
13037
  summary: "List questions for a topic.",
10767
- convex: {
10768
- module: "questions",
10769
- functionName: "getByTopic",
10770
- kind: "query",
10771
- inputProjection: questionTopicInput
13038
+ gateway: {
13039
+ handler: "questions.list"
10772
13040
  }
10773
13041
  }),
10774
13042
  surfaceContract({
@@ -10971,18 +13239,50 @@ var questionsContracts = [
10971
13239
  args: falsificationQuestionsArgs
10972
13240
  })
10973
13241
  ];
13242
+ var topicVisibilitySchema = z.enum([
13243
+ "private",
13244
+ "team",
13245
+ "firm",
13246
+ "external",
13247
+ "public"
13248
+ ]);
13249
+ var topicStatusSchema = z.enum(["active", "archived", "watching"]);
13250
+ var createTopicArgs = z.object({
13251
+ globalId: z.string().optional().describe("Optional idempotent topic global ID."),
13252
+ name: z.string().describe("Topic name."),
13253
+ description: z.string().optional().describe("Topic description."),
13254
+ type: z.string().describe("Topic type."),
13255
+ parentTopicId: z.string().optional().describe("Optional parent topic ID."),
13256
+ parentTopicGlobalId: z.string().optional().describe("Optional parent topic global ID."),
13257
+ ontologyId: z.string().optional().describe("Ontology to bind."),
13258
+ tenantId: z.string().optional().describe("Optional tenant scope."),
13259
+ workspaceId: z.string().optional().describe("Optional workspace scope."),
13260
+ visibility: topicVisibilitySchema.optional().describe("Topic visibility."),
13261
+ metadata: z.record(z.unknown()).optional().describe("Topic metadata."),
13262
+ graphScopeProjectId: z.string().optional(),
13263
+ createdBy: z.string().optional()
13264
+ });
10974
13265
  var updateTopicArgs = z.object({
10975
13266
  id: z.string().describe("Topic ID."),
10976
13267
  topicId: z.string().optional().describe("Topic ID alias."),
10977
13268
  name: z.string().optional().describe("Topic name."),
10978
13269
  description: z.string().optional().describe("Topic description."),
10979
13270
  type: z.string().optional().describe("Topic type."),
10980
- status: z.string().optional().describe("Topic status."),
10981
- visibility: z.string().optional().describe("Topic visibility."),
13271
+ status: topicStatusSchema.optional().describe("Topic status."),
13272
+ visibility: topicVisibilitySchema.optional().describe("Topic visibility."),
10982
13273
  ontologyId: z.string().optional().describe("Ontology to bind."),
10983
13274
  clearOntologyId: z.boolean().optional().describe("Whether to clear the ontology binding."),
10984
13275
  metadata: z.record(z.unknown()).optional().describe("Topic metadata.")
10985
13276
  });
13277
+ var materializeTopicGraphArgs = z.object({
13278
+ rootTopicId: z.string().optional().describe("Optional root topic ID."),
13279
+ dryRun: z.boolean().optional().describe("Report missing rows without writing."),
13280
+ createdBy: z.string().optional()
13281
+ });
13282
+ var getTopicGraphSpineArgs = z.object({
13283
+ rootTopicId: z.string().optional().describe("Optional root topic ID."),
13284
+ includeTopicBeliefEdges: z.boolean().optional()
13285
+ });
10986
13286
  var topicIdInput = (input) => compactRecord4({
10987
13287
  id: input.id ?? input.topicId
10988
13288
  });
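Review bot: `createTopicArgs` accepts `tenantId`, `workspaceId` and `createdBy` as plain optional strings from the caller, and `materializeTopicGraphArgs` accepts `createdBy` the same way. Whether these are reconciled with the authenticated context is decided in `withCreatedBy` and the `topics` handlers, which are not visible here; the `withPrincipal` projection earlier on this page uses `input.tenantId ?? context.tenantId`, so a caller-supplied value takes precedence there. If topics follow the same precedence, a caller could place a topic in another tenant or attribute it to another user. I would add a comment on both schemas such as `// tenantId/workspaceId/createdBy are hints; the handler must override them from the verified principal`, and confirm the handler does so.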
@@ -11000,87 +13300,488 @@ var updateTopicInput = (input) => compactRecord4({
11000
13300
  });
11001
13301
  var topicsContracts = [
11002
13302
  surfaceContract({
11003
- name: "create_topic",
13303
+ name: "create_topic",
13304
+ kind: "mutation",
13305
+ domain: "topics",
13306
+ surfaceClass: "platform_public",
13307
+ path: "/topics",
13308
+ sdkNamespace: "topics",
13309
+ sdkMethod: "createTopic",
13310
+ summary: "Create a topic.",
13311
+ convex: {
13312
+ module: "topics",
13313
+ functionName: "create",
13314
+ kind: "mutation",
13315
+ inputProjection: withCreatedBy
13316
+ },
13317
+ args: createTopicArgs
13318
+ }),
13319
+ surfaceContract({
13320
+ name: "get_topic",
13321
+ kind: "query",
13322
+ domain: "topics",
13323
+ surfaceClass: "platform_public",
13324
+ method: "GET",
13325
+ path: "/topics/get",
13326
+ sdkNamespace: "topics",
13327
+ sdkMethod: "getTopic",
13328
+ summary: "Get a topic.",
13329
+ convex: {
13330
+ module: "topics",
13331
+ functionName: "get",
13332
+ kind: "query",
13333
+ inputProjection: topicIdInput
13334
+ }
13335
+ }),
13336
+ surfaceContract({
13337
+ name: "list_topics",
13338
+ kind: "query",
13339
+ domain: "topics",
13340
+ surfaceClass: "platform_public",
13341
+ method: "GET",
13342
+ path: "/topics",
13343
+ sdkNamespace: "topics",
13344
+ sdkMethod: "listTopics",
13345
+ summary: "List topics.",
13346
+ convex: {
13347
+ module: "topics",
13348
+ functionName: "list",
13349
+ kind: "query"
13350
+ }
13351
+ }),
13352
+ surfaceContract({
13353
+ name: "update_topic",
13354
+ kind: "mutation",
13355
+ domain: "topics",
13356
+ surfaceClass: "platform_public",
13357
+ method: "PATCH",
13358
+ path: "/topics",
13359
+ sdkNamespace: "topics",
13360
+ sdkMethod: "updateTopic",
13361
+ summary: "Update a topic.",
13362
+ convex: {
13363
+ module: "topics",
13364
+ functionName: "update",
13365
+ kind: "mutation",
13366
+ inputProjection: updateTopicInput
13367
+ },
13368
+ args: updateTopicArgs
13369
+ }),
13370
+ surfaceContract({
13371
+ name: "get_topic_tree",
13372
+ kind: "query",
13373
+ domain: "topics",
13374
+ surfaceClass: "platform_public",
13375
+ method: "GET",
13376
+ path: "/topics/tree",
13377
+ sdkNamespace: "topics",
13378
+ sdkMethod: "getTopicTree",
13379
+ summary: "Get a topic tree.",
13380
+ convex: {
13381
+ module: "topics",
13382
+ functionName: "getTree",
13383
+ kind: "query"
13384
+ }
13385
+ }),
13386
+ surfaceContract({
13387
+ name: "materialize_topic_graph",
13388
+ kind: "mutation",
13389
+ domain: "topics",
13390
+ surfaceClass: "platform_public",
13391
+ path: "/topics/materialize-graph",
13392
+ sdkNamespace: "topics",
13393
+ sdkMethod: "materializeTopicGraph",
13394
+ summary: "Materialize topic nodes and parent-child graph edges.",
13395
+ convex: {
13396
+ module: "topics",
13397
+ functionName: "materializeTopicGraph",
13398
+ kind: "mutation",
13399
+ inputProjection: withCreatedBy
13400
+ },
13401
+ args: materializeTopicGraphArgs
13402
+ }),
13403
+ surfaceContract({
13404
+ name: "get_topic_graph_spine",
13405
+ kind: "query",
13406
+ domain: "topics",
13407
+ surfaceClass: "platform_public",
13408
+ method: "GET",
13409
+ path: "/topics/graph-spine",
13410
+ sdkNamespace: "topics",
13411
+ sdkMethod: "getTopicGraphSpine",
13412
+ summary: "Verify topic nodes and parent-child graph edges.",
13413
+ convex: {
13414
+ module: "topics",
13415
+ functionName: "getTopicGraphSpine",
13416
+ kind: "query"
13417
+ },
13418
+ args: getTopicGraphSpineArgs
13419
+ })
13420
+ ];
13421
+ var sourceTypeSchema2 = z.enum([
13422
+ "human",
13423
+ "ai_extracted",
13424
+ "ai_generated",
13425
+ "imported",
13426
+ "system",
13427
+ "verified",
13428
+ "proprietary"
13429
+ ]);
13430
+ var verificationStatusSchema = z.enum([
13431
+ "unverified",
13432
+ "human_verified",
13433
+ "ai_verified",
13434
+ "contradicted",
13435
+ "outdated"
13436
+ ]);
13437
+ var nodeStatusSchema = z.enum([
13438
+ "active",
13439
+ "superseded",
13440
+ "archived",
13441
+ "deleted"
13442
+ ]);
13443
+ var externalIdsArgs = z.object({
13444
+ crunchbase: z.string().optional(),
13445
+ linkedin: z.string().optional(),
13446
+ pitchbook: z.string().optional(),
13447
+ twitter: z.string().optional(),
13448
+ website: z.string().optional()
13449
+ }).optional();
13450
+ var createEpistemicNodeItemArgs = z.object({
13451
+ globalId: z.string().optional().describe("Optional idempotent node global ID."),
13452
+ nodeType: NODE_TYPE.describe("Public epistemic node type."),
13453
+ subtype: z.string().optional(),
13454
+ canonicalText: z.string().optional().describe("Canonical node text."),
13455
+ text: z.string().optional().describe("Alias for canonicalText."),
13456
+ contentHash: z.string().optional().describe("Optional idempotency content hash."),
13457
+ content: z.string().optional(),
13458
+ contentType: z.string().optional(),
13459
+ title: z.string().optional(),
13460
+ tags: z.array(z.string()).optional(),
13461
+ domain: z.string().optional(),
13462
+ metadata: z.record(z.unknown()).optional(),
13463
+ externalIds: externalIdsArgs,
13464
+ sourceType: sourceTypeSchema2.optional(),
13465
+ aiProvider: z.string().optional(),
13466
+ extractedFromNodeId: z.string().optional(),
13467
+ confidence: z.number().optional(),
13468
+ verificationStatus: verificationStatusSchema.optional(),
13469
+ topicId: z.string().optional(),
13470
+ projectId: z.string().optional(),
13471
+ createdBy: z.string().optional(),
13472
+ trustedBypassAccessCheck: z.boolean().optional()
13473
+ });
13474
+ var createEpistemicNodeArgs = createEpistemicNodeItemArgs;
13475
+ var batchCreateEpistemicNodesArgs = z.object({
13476
+ nodes: z.array(createEpistemicNodeItemArgs)
13477
+ });
13478
+ var getEpistemicNodeArgs = z.object({
13479
+ nodeId: z.string().describe("Node ID or global ID."),
13480
+ globalId: z.string().optional().describe("Node global ID alias.")
13481
+ });
13482
+ var listEpistemicNodesArgs = z.object({
13483
+ topicId: z.string().optional(),
13484
+ projectId: z.string().optional(),
13485
+ nodeType: NODE_TYPE.optional(),
13486
+ status: nodeStatusSchema.optional(),
13487
+ searchQuery: z.string().optional(),
13488
+ query: z.string().optional(),
13489
+ limit: z.number().optional()
13490
+ });
13491
+ var updateEpistemicNodeArgs = z.object({
13492
+ nodeId: z.string().describe("Node ID or global ID."),
13493
+ id: z.string().optional().describe("Node ID alias."),
13494
+ subtype: z.string().optional(),
13495
+ canonicalText: z.string().optional(),
13496
+ text: z.string().optional(),
13497
+ contentHash: z.string().optional(),
13498
+ content: z.string().optional(),
13499
+ contentType: z.string().optional(),
13500
+ title: z.string().optional(),
13501
+ tags: z.array(z.string()).optional(),
13502
+ domain: z.string().optional(),
13503
+ metadata: z.record(z.unknown()).optional(),
13504
+ externalIds: externalIdsArgs,
13505
+ confidence: z.number().optional(),
13506
+ verificationStatus: verificationStatusSchema.optional(),
13507
+ status: nodeStatusSchema.optional(),
13508
+ userId: z.string().optional(),
13509
+ trustedBypassAccessCheck: z.boolean().optional()
13510
+ });
13511
+ var archiveEpistemicNodeArgs = z.object({
13512
+ nodeId: z.string().describe("Node ID or global ID."),
13513
+ id: z.string().optional().describe("Node ID alias."),
13514
+ userId: z.string().optional(),
13515
+ trustedBypassAccessCheck: z.boolean().optional()
13516
+ });
13517
+ var verifyEpistemicNodeArgs = z.object({
13518
+ nodeId: z.string().describe("Node ID or global ID."),
13519
+ id: z.string().optional().describe("Node ID alias."),
13520
+ verificationStatus: verificationStatusSchema,
13521
+ confidence: z.number().optional(),
13522
+ userId: z.string().optional()
13523
+ });
13524
+ var supersedeEpistemicNodeArgs = z.object({
13525
+ oldNodeId: z.string().describe("Node ID or global ID to supersede."),
13526
+ nodeId: z.string().optional().describe("Old node ID alias."),
13527
+ newGlobalId: z.string().optional(),
13528
+ newCanonicalText: z.string().optional(),
13529
+ text: z.string().optional(),
13530
+ canonicalText: z.string().optional(),
13531
+ newContentHash: z.string().optional(),
13532
+ reason: z.string().optional(),
13533
+ createdBy: z.string().optional(),
13534
+ trustedBypassAccessCheck: z.boolean().optional()
13535
+ });
13536
+ function generatedGlobalId(prefix) {
13537
+ return `${prefix}:${crypto.randomUUID()}`;
13538
+ }
13539
+ function resolveCanonicalText(input) {
13540
+ const text = input.canonicalText ?? input.text ?? input.title ?? input.content;
13541
+ if (typeof text !== "string" || text.trim().length === 0) {
13542
+ throw new Error("canonicalText or text is required.");
13543
+ }
13544
+ return text;
13545
+ }
13546
+ function createNodeInput(input, context) {
13547
+ const canonicalText = resolveCanonicalText(input);
13548
+ const nodeType = String(input.nodeType);
13549
+ return withCreatedBy(
13550
+ compactRecord4({
13551
+ globalId: typeof input.globalId === "string" && input.globalId.trim() ? input.globalId : generatedGlobalId(nodeType),
13552
+ nodeType,
13553
+ subtype: input.subtype,
13554
+ canonicalText,
13555
+ contentHash: typeof input.contentHash === "string" && input.contentHash.trim() ? input.contentHash : `${nodeType}:${canonicalText}`,
13556
+ content: input.content,
13557
+ contentType: input.contentType,
13558
+ title: input.title,
13559
+ tags: input.tags,
13560
+ domain: input.domain,
13561
+ metadata: input.metadata,
13562
+ externalIds: input.externalIds,
13563
+ sourceType: typeof input.sourceType === "string" && input.sourceType.trim() ? input.sourceType : "human",
13564
+ aiProvider: input.aiProvider,
13565
+ extractedFromNodeId: input.extractedFromNodeId,
13566
+ confidence: input.confidence,
13567
+ verificationStatus: input.verificationStatus,
13568
+ topicId: input.topicId,
13569
+ projectId: input.projectId
13570
+ }),
13571
+ context
13572
+ );
13573
+ }
13574
+ var getNodeInput = (input) => compactRecord4({
13575
+ nodeId: input.nodeId ?? input.globalId
13576
+ });
13577
+ var listNodesInput = (input) => compactRecord4({
13578
+ topicId: input.topicId,
13579
+ projectId: input.projectId,
13580
+ nodeType: input.nodeType,
13581
+ status: input.status,
13582
+ searchQuery: input.searchQuery ?? input.query,
13583
+ limit: input.limit
13584
+ });
13585
+ var updateNodeInput = (input, context) => withUserId(
13586
+ compactRecord4({
13587
+ nodeId: input.nodeId ?? input.id,
13588
+ subtype: input.subtype,
13589
+ canonicalText: input.canonicalText ?? input.text,
13590
+ contentHash: input.contentHash,
13591
+ content: input.content,
13592
+ contentType: input.contentType,
13593
+ title: input.title,
13594
+ tags: input.tags,
13595
+ domain: input.domain,
13596
+ metadata: input.metadata,
13597
+ externalIds: input.externalIds,
13598
+ confidence: input.confidence,
13599
+ verificationStatus: input.verificationStatus,
13600
+ status: input.status,
13601
+ trustedBypassAccessCheck: input.trustedBypassAccessCheck
13602
+ }),
13603
+ context
13604
+ );
13605
+ var archiveNodeInput = (input, context) => withUserId(
13606
+ compactRecord4({
13607
+ nodeId: input.nodeId ?? input.id,
13608
+ trustedBypassAccessCheck: input.trustedBypassAccessCheck
13609
+ }),
13610
+ context
13611
+ );
13612
+ var verifyNodeInput = (input, context) => withUserId(
13613
+ compactRecord4({
13614
+ nodeId: input.nodeId ?? input.id,
13615
+ verificationStatus: input.verificationStatus,
13616
+ confidence: input.confidence
13617
+ }),
13618
+ context
13619
+ );
13620
+ var supersedeNodeInput = (input, context) => {
13621
+ const newCanonicalText = input.newCanonicalText ?? input.canonicalText ?? input.text;
13622
+ if (typeof newCanonicalText !== "string" || newCanonicalText.trim().length === 0) {
13623
+ throw new Error("newCanonicalText or text is required.");
13624
+ }
13625
+ return {
13626
+ oldNodeId: input.oldNodeId ?? input.nodeId,
13627
+ newGlobalId: typeof input.newGlobalId === "string" && input.newGlobalId.trim() ? input.newGlobalId : generatedGlobalId("node"),
13628
+ newCanonicalText,
13629
+ newContentHash: typeof input.newContentHash === "string" && input.newContentHash.trim() ? input.newContentHash : `superseded:${newCanonicalText}`,
13630
+ createdBy: typeof input.createdBy === "string" ? input.createdBy : authUserId(context),
13631
+ reason: input.reason,
13632
+ trustedBypassAccessCheck: input.trustedBypassAccessCheck
13633
+ };
13634
+ };
13635
+ var batchCreateNodesInput = (input, context) => {
13636
+ const nodes = Array.isArray(input.nodes) ? input.nodes : [];
13637
+ return {
13638
+ nodes: nodes.map(
13639
+ (node) => createNodeInput(
13640
+ node && typeof node === "object" ? node : {},
13641
+ context
13642
+ )
13643
+ )
13644
+ };
13645
+ };
13646
+ var nodesContracts = [
13647
+ surfaceContract({
13648
+ name: "create_epistemic_node",
11004
13649
  kind: "mutation",
11005
- domain: "topics",
13650
+ domain: "nodes",
11006
13651
  surfaceClass: "platform_public",
11007
- path: "/topics",
11008
- sdkNamespace: "topics",
11009
- sdkMethod: "createTopic",
11010
- summary: "Create a topic.",
13652
+ path: "/nodes",
13653
+ sdkNamespace: "nodes",
13654
+ sdkMethod: "createEpistemicNode",
13655
+ summary: "Create a generic epistemic graph node.",
11011
13656
  convex: {
11012
- module: "topics",
13657
+ module: "nodes",
11013
13658
  functionName: "create",
11014
13659
  kind: "mutation",
11015
- inputProjection: withCreatedBy
11016
- }
13660
+ inputProjection: createNodeInput
13661
+ },
13662
+ args: createEpistemicNodeArgs
11017
13663
  }),
11018
13664
  surfaceContract({
11019
- name: "get_topic",
13665
+ name: "get_epistemic_node",
11020
13666
  kind: "query",
11021
- domain: "topics",
13667
+ domain: "nodes",
11022
13668
  surfaceClass: "platform_public",
11023
13669
  method: "GET",
11024
- path: "/topics/get",
11025
- sdkNamespace: "topics",
11026
- sdkMethod: "getTopic",
11027
- summary: "Get a topic.",
13670
+ path: "/nodes/get",
13671
+ sdkNamespace: "nodes",
13672
+ sdkMethod: "getEpistemicNode",
13673
+ summary: "Get a generic epistemic graph node.",
11028
13674
  convex: {
11029
- module: "topics",
13675
+ module: "nodes",
11030
13676
  functionName: "get",
11031
13677
  kind: "query",
11032
- inputProjection: topicIdInput
11033
- }
13678
+ inputProjection: getNodeInput
13679
+ },
13680
+ args: getEpistemicNodeArgs
11034
13681
  }),
11035
13682
  surfaceContract({
11036
- name: "list_topics",
13683
+ name: "list_epistemic_nodes",
11037
13684
  kind: "query",
11038
- domain: "topics",
13685
+ domain: "nodes",
11039
13686
  surfaceClass: "platform_public",
11040
13687
  method: "GET",
11041
- path: "/topics",
11042
- sdkNamespace: "topics",
11043
- sdkMethod: "listTopics",
11044
- summary: "List topics.",
13688
+ path: "/nodes",
13689
+ sdkNamespace: "nodes",
13690
+ sdkMethod: "listEpistemicNodes",
13691
+ summary: "List generic epistemic graph nodes.",
11045
13692
  convex: {
11046
- module: "topics",
13693
+ module: "nodes",
11047
13694
  functionName: "list",
11048
- kind: "query"
11049
- }
13695
+ kind: "query",
13696
+ inputProjection: listNodesInput
13697
+ },
13698
+ args: listEpistemicNodesArgs
11050
13699
  }),
11051
13700
  surfaceContract({
11052
- name: "update_topic",
13701
+ name: "update_epistemic_node",
11053
13702
  kind: "mutation",
11054
- domain: "topics",
13703
+ domain: "nodes",
11055
13704
  surfaceClass: "platform_public",
11056
13705
  method: "PATCH",
11057
- path: "/topics",
11058
- sdkNamespace: "topics",
11059
- sdkMethod: "updateTopic",
11060
- summary: "Update a topic.",
13706
+ path: "/nodes",
13707
+ sdkNamespace: "nodes",
13708
+ sdkMethod: "updateEpistemicNode",
13709
+ summary: "Update a generic epistemic graph node.",
11061
13710
  convex: {
11062
- module: "topics",
13711
+ module: "nodes",
11063
13712
  functionName: "update",
11064
13713
  kind: "mutation",
11065
- inputProjection: updateTopicInput
13714
+ inputProjection: updateNodeInput
11066
13715
  },
11067
- args: updateTopicArgs
13716
+ args: updateEpistemicNodeArgs
11068
13717
  }),
11069
13718
  surfaceContract({
11070
- name: "get_topic_tree",
11071
- kind: "query",
11072
- domain: "topics",
13719
+ name: "archive_epistemic_node",
13720
+ kind: "mutation",
13721
+ domain: "nodes",
11073
13722
  surfaceClass: "platform_public",
11074
- method: "GET",
11075
- path: "/topics/tree",
11076
- sdkNamespace: "topics",
11077
- sdkMethod: "getTopicTree",
11078
- summary: "Get a topic tree.",
13723
+ path: "/nodes/archive",
13724
+ sdkNamespace: "nodes",
13725
+ sdkMethod: "archiveEpistemicNode",
13726
+ summary: "Archive a generic epistemic graph node.",
11079
13727
  convex: {
11080
- module: "topics",
11081
- functionName: "getTree",
11082
- kind: "query"
11083
- }
13728
+ module: "nodes",
13729
+ functionName: "archive",
13730
+ kind: "mutation",
13731
+ inputProjection: archiveNodeInput
13732
+ },
13733
+ args: archiveEpistemicNodeArgs
13734
+ }),
13735
+ surfaceContract({
13736
+ name: "verify_epistemic_node",
13737
+ kind: "mutation",
13738
+ domain: "nodes",
13739
+ surfaceClass: "platform_public",
13740
+ path: "/nodes/verify",
13741
+ sdkNamespace: "nodes",
13742
+ sdkMethod: "verifyEpistemicNode",
13743
+ summary: "Verify a generic epistemic graph node.",
13744
+ convex: {
13745
+ module: "nodes",
13746
+ functionName: "verify",
13747
+ kind: "mutation",
13748
+ inputProjection: verifyNodeInput
13749
+ },
13750
+ args: verifyEpistemicNodeArgs
13751
+ }),
13752
+ surfaceContract({
13753
+ name: "supersede_epistemic_node",
13754
+ kind: "mutation",
13755
+ domain: "nodes",
13756
+ surfaceClass: "platform_public",
13757
+ path: "/nodes/supersede",
13758
+ sdkNamespace: "nodes",
13759
+ sdkMethod: "supersedeEpistemicNode",
13760
+ summary: "Supersede a generic epistemic graph node.",
13761
+ convex: {
13762
+ module: "nodes",
13763
+ functionName: "supersede",
13764
+ kind: "mutation",
13765
+ inputProjection: supersedeNodeInput
13766
+ },
13767
+ args: supersedeEpistemicNodeArgs
13768
+ }),
13769
+ surfaceContract({
13770
+ name: "batch_create_epistemic_nodes",
13771
+ kind: "mutation",
13772
+ domain: "nodes",
13773
+ surfaceClass: "platform_public",
13774
+ path: "/nodes/batch",
13775
+ sdkNamespace: "nodes",
13776
+ sdkMethod: "batchCreateEpistemicNodes",
13777
+ summary: "Batch create generic epistemic graph nodes.",
13778
+ convex: {
13779
+ module: "nodes",
13780
+ functionName: "batchCreate",
13781
+ kind: "mutation",
13782
+ inputProjection: batchCreateNodesInput
13783
+ },
13784
+ args: batchCreateEpistemicNodesArgs
11084
13785
  })
11085
13786
  ];
11086
13787
  var lensPerspectiveSchema = z.enum([
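Review bot: `trustedBypassAccessCheck` is accepted by the public argument schemas `createEpistemicNodeItemArgs`, `updateEpistemicNodeArgs`, `archiveEpistemicNodeArgs` and `supersedeEpistemicNodeArgs`, and `updateNodeInput`, `archiveNodeInput` and `supersedeNodeInput` forward `input.trustedBypassAccessCheck` unchanged to the Convex function. These contracts are `platform_public`, so unless the `nodes` handlers (not shown) ignore the flag for external callers, any client can request that the access check be skipped. I would delete the field from the four schemas and remove the `trustedBypassAccessCheck: input.trustedBypassAccessCheck` line from the three projections, so the flag can only be set by server-side code. `supersedeNodeInput` also prefers a caller-supplied `createdBy` over `authUserId(context)`, which lets a caller attribute the new node to someone else; `createdBy: authUserId(context)` would close that. The fallback `contentHash` values in `createNodeInput` and `supersedeNodeInput` are the raw text with a prefix rather than a digest, which deserves a comment if any consumer treats the field as a hash.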
@@ -11440,6 +14141,19 @@ var worktreeEvidenceSignalInputSchema = z.object({
11440
14141
  progress: z.string().optional().describe("Collection progress note for the signal."),
11441
14142
  notes: z.string().optional().describe("Additional evidence collection notes.")
11442
14143
  }).passthrough().describe("Evidence signal embedded in the worktree plan.");
14144
+ var worktreeDocCompanionTargetSchema = z.object({
14145
+ docPath: z.string().describe(
14146
+ "Repo-relative path to a documentation file the worktree promises to update."
14147
+ ),
14148
+ sectionAnchor: z.string().optional().describe(
14149
+ "Markdown heading anchor (e.g. '## Function-surface manifest') that scopes the promised update."
14150
+ ),
14151
+ reason: z.string().describe(
14152
+ "Why this doc section must be updated for the worktree to be complete."
14153
+ )
14154
+ }).passthrough().describe(
14155
+ "Intent-driven docs companion target. pr-gate-reviewer verifies that the PR actually touches each declared (docPath, sectionAnchor). Distinct from the touch-driven docs-loop. See docs/development/docs-sync-discipline.md Lock 3."
14156
+ );
11443
14157
  var worktreeDecisionGateInputSchema = z.object({
11444
14158
  goCriteria: z.array(z.string()).describe("Criteria that must hold for the worktree to proceed."),
11445
14159
  noGoSignals: z.array(z.string()).describe("Signals that stop or redirect the worktree."),
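Review bot: `docPath` in `worktreeDocCompanionTargetSchema` is described as a repo-relative path but is validated only as `z.string()`, and the object is `.passthrough()`, so absolute paths, `..` segments and arbitrary extra keys are all accepted. If pr-gate-reviewer or another consumer resolves this value against a checkout (not visible here), the schema should enforce what the description promises, for example `docPath: z.string().min(1).refine((p) => !p.startsWith("/") && !p.split("/").includes(".."), "docPath must be repo-relative")`.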
@@ -11472,6 +14186,9 @@ var addWorktreeArgs = z.object({
11472
14186
  keyQuestions: z.array(worktreeKeyQuestionInputSchema).optional().describe("Inline key questions captured as part of the worktree plan."),
11473
14187
  evidenceSignals: z.array(worktreeEvidenceSignalInputSchema).optional().describe("Evidence signals the worktree needs to collect or validate."),
11474
14188
  decisionGate: worktreeDecisionGateInputSchema.optional(),
14189
+ docCompanionTargets: z.array(worktreeDocCompanionTargetSchema).optional().describe(
14190
+ "Doc sections the worktree promises to update at PR time. Enforced by pr-gate-reviewer (Lock 3)."
14191
+ ),
11475
14192
  goCriteria: z.array(z.string()).optional().describe("Shorthand go criteria used to build decisionGate."),
11476
14193
  noGoSignals: z.array(z.string()).optional().describe("Shorthand no-go signals used to build decisionGate."),
11477
14194
  proofArtifacts: z.array(z.unknown()).optional().describe("Expected proof artifacts required to close the worktree."),
@@ -11835,7 +14552,21 @@ var createTaskArgs = z.object({
11835
14552
  linkedQuestionId: z.string().optional().describe("Question this task addresses."),
11836
14553
  assigneeId: z.string().optional().describe("Principal assigned to the task."),
11837
14554
  dueDate: z.number().optional().describe("Due date as epoch milliseconds."),
11838
- tags: z.array(z.string()).optional().describe("Free-form tags.")
14555
+ tags: z.array(z.string()).optional().describe("Free-form tags."),
14556
+ metadata: z.record(z.unknown()).optional().describe("Structured task metadata for handoff context and routing hints.")
14557
+ });
14558
+ var updateTaskArgs = z.object({
14559
+ taskId: z.string().describe("Task to update."),
14560
+ title: z.string().optional().describe("Updated task title."),
14561
+ description: z.string().optional().describe("Updated task description."),
14562
+ priority: taskPrioritySchema.optional().describe("Updated priority."),
14563
+ status: taskStatusSchema2.optional().describe("Updated status."),
14564
+ linkedWorktreeId: z.string().optional().describe("Worktree this task belongs to."),
14565
+ linkedBeliefId: z.string().optional().describe("Belief this task supports."),
14566
+ linkedQuestionId: z.string().optional().describe("Question this task addresses."),
14567
+ assigneeId: z.string().optional().describe("Principal assigned to the task."),
14568
+ blockedReason: z.string().optional().describe("Reason the task is blocked or deferred."),
14569
+ metadata: z.record(z.unknown()).optional().describe("Structured task metadata for handoff context and routing hints.")
11839
14570
  });
11840
14571
  var createTaskInput = (input) => compactRecord4({
11841
14572
  title: input.title,
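Review bot: `updateTaskArgs` omits `dueDate` and `tags`, which `createTaskArgs` accepts, while the `update` projection `taskInput` (a few lines below) spreads `...input`. If the gateway parses requests with this schema, a plain `z.object` strips unknown keys and due-date or tag edits would be dropped without an error; if it does not parse, the spread forwards keys the schema never checked. Either add the two fields, e.g. `dueDate: z.number().optional()` and `tags: z.array(z.string()).optional()`, or have `taskInput` pick named fields the way `createTaskInput` does. The new `metadata: z.record(z.unknown())` is unbounded and described as carrying routing hints, so whatever consumes it should treat it as caller-controlled data. `taskInput`'s body continues outside the hunk.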
@@ -11849,7 +14580,8 @@ var createTaskInput = (input) => compactRecord4({
11849
14580
  linkedQuestionId: input.linkedQuestionId,
11850
14581
  assigneeId: input.assigneeId,
11851
14582
  dueDate: input.dueDate,
11852
- tags: input.tags
14583
+ tags: input.tags,
14584
+ metadata: input.metadata
11853
14585
  });
11854
14586
  var taskInput = (input) => compactRecord4({
11855
14587
  ...input,
@@ -11866,8 +14598,7 @@ var taskTopicInput = (input) => {
11866
14598
  };
11867
14599
  var completeTaskInput = (input) => compactRecord4({
11868
14600
  taskId: input.taskId ?? input.id,
11869
- outputSummary: input.outputSummary ?? input.summary,
11870
- userId: input.userId
14601
+ outputSummary: input.outputSummary ?? input.summary
11871
14602
  });
11872
14603
  var tasksContracts = [
11873
14604
  surfaceContract({
@@ -11885,6 +14616,7 @@ var tasksContracts = [
11885
14616
  kind: "mutation",
11886
14617
  inputProjection: createTaskInput
11887
14618
  },
14619
+ gateway: { handler: "tasks.create" },
11888
14620
  args: createTaskArgs
11889
14621
  }),
11890
14622
  surfaceContract({
@@ -11903,6 +14635,7 @@ var tasksContracts = [
11903
14635
  kind: "query",
11904
14636
  inputProjection: taskTopicInput
11905
14637
  },
14638
+ gateway: { handler: "tasks.list" },
11906
14639
  args: listTasksInputSchema
11907
14640
  }),
11908
14641
  surfaceContract({
@@ -11920,7 +14653,9 @@ var tasksContracts = [
11920
14653
  functionName: "update",
11921
14654
  kind: "mutation",
11922
14655
  inputProjection: taskInput
11923
- }
14656
+ },
14657
+ gateway: { handler: "tasks.update" },
14658
+ args: updateTaskArgs
11924
14659
  }),
11925
14660
  surfaceContract({
11926
14661
  name: "complete_task",
@@ -11936,12 +14671,14 @@ var tasksContracts = [
11936
14671
  functionName: "complete",
11937
14672
  kind: "mutation",
11938
14673
  inputProjection: completeTaskInput
11939
- }
14674
+ },
14675
+ gateway: { handler: "tasks.complete" }
11940
14676
  })
11941
14677
  ];
11942
14678
  var CREATE_EDGE_TYPES = edgePolicyManifest.policies.map(
11943
14679
  (policy) => policy.edgeType
11944
14680
  );
14681
+ var REASONING_METHOD_TYPES = [...REASONING_METHODS];
11945
14682
  var createEdgeArgs = z.object({
11946
14683
  from: GraphRefSchema,
11947
14684
  to: GraphRefSchema,
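Review bot: `complete_task` gains a `gateway` handler here but, unlike `create_task` and `update_task` in the neighbouring hunks, the contract closes without an `args` schema, so nothing visible validates `taskId`/`id` or `outputSummary`/`summary` before `completeTaskInput` forwards them. Unless `args` is declared in the part of the contract above this hunk, add one, e.g. `args: z.object({ taskId: z.string(), outputSummary: z.string().optional() })`, keeping whichever aliases callers still send. The contract opens outside the hunk.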
@@ -11951,10 +14688,37 @@ var createEdgeArgs = z.object({
11951
14688
  confidence: z.number().optional(),
11952
14689
  context: z.string().optional(),
11953
14690
  reasoning: z.string().optional(),
14691
+ reasoningMethod: z.enum(REASONING_METHOD_TYPES).optional(),
11954
14692
  derivationType: z.string().optional(),
14693
+ metadata: z.record(z.unknown()).optional(),
11955
14694
  topicId: z.string().optional(),
11956
14695
  trustedBypassAccessCheck: z.boolean().optional()
11957
14696
  });
14697
+ var updateEdgeArgs = z.object({
14698
+ edgeId: z.string().describe("Edge ID or global ID."),
14699
+ weight: z.number().optional(),
14700
+ confidence: z.number().optional(),
14701
+ context: z.string().optional(),
14702
+ reasoning: z.string().optional(),
14703
+ derivationType: z.string().optional(),
14704
+ metadata: z.record(z.unknown()).optional(),
14705
+ userId: z.string().optional()
14706
+ });
14707
+ var removeEdgeArgs = z.object({
14708
+ edgeId: z.string().describe("Edge ID or global ID."),
14709
+ userId: z.string().optional()
14710
+ });
14711
+ var removeEdgesBetweenArgs = z.object({
14712
+ from: GraphRefSchema.optional(),
14713
+ to: GraphRefSchema.optional(),
14714
+ fromNodeId: z.string().optional(),
14715
+ toNodeId: z.string().optional(),
14716
+ edgeType: z.enum(CREATE_EDGE_TYPES).optional()
14717
+ });
14718
+ var batchCreateEdgesArgs = z.object({
14719
+ edges: z.array(createEdgeArgs),
14720
+ skipLayerValidation: z.boolean().optional()
14721
+ });
11958
14722
  var queryLineageArgs = z.object({
11959
14723
  nodeId: z.string().describe("Starting node to trace from."),
11960
14724
  startNode: z.string().optional().describe("Starting node alias accepted by traversal callers."),
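Review bot: `batchCreateEdgesArgs` takes `edges: z.array(createEdgeArgs)` with no length bound, and each element inherits `trustedBypassAccessCheck` from `createEdgeArgs` even though the `batch_create_edges` projection later in this file never forwards it. On a `platform_public` surface an uncapped array lets one request drive an arbitrarily large mutation, and a bypass flag that is accepted but silently ignored makes it unclear what the batch path enforces. Consider `edges: z.array(createEdgeArgs.omit({ trustedBypassAccessCheck: true })).min(1).max(MAX_BATCH_EDGES)`, where `MAX_BATCH_EDGES` is a placeholder for a limit the project chooses. `updateEdgeArgs` also lacks the `reasoningMethod` field this hunk adds to `createEdgeArgs`, so that value cannot be corrected after creation.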
@@ -12003,7 +14767,9 @@ var edgesContracts = [
12003
14767
  weight: parsed.weight,
12004
14768
  confidence: parsed.confidence,
12005
14769
  context: parsed.context ?? parsed.reasoning,
14770
+ reasoningMethod: parsed.reasoningMethod,
12006
14771
  derivationType: parsed.derivationType,
14772
+ metadata: parsed.metadata,
12007
14773
  skipLayerValidation: true,
12008
14774
  topicId: parsed.topicId,
12009
14775
  trustedBypassAccessCheck: parsed.trustedBypassAccessCheck
@@ -12014,6 +14780,131 @@ var edgesContracts = [
12014
14780
  },
12015
14781
  args: createEdgeArgs
12016
14782
  }),
14783
+ surfaceContract({
14784
+ name: "update_edge",
14785
+ kind: "mutation",
14786
+ domain: "edges",
14787
+ surfaceClass: "platform_public",
14788
+ method: "PATCH",
14789
+ path: "/edges",
14790
+ sdkNamespace: "edges",
14791
+ sdkMethod: "updateEdge",
14792
+ summary: "Update an epistemic edge.",
14793
+ convex: {
14794
+ module: "edges",
14795
+ functionName: "update",
14796
+ kind: "mutation",
14797
+ inputProjection: (input, context) => compactRecord4({
14798
+ edgeId: input.edgeId,
14799
+ weight: input.weight,
14800
+ confidence: input.confidence,
14801
+ context: input.context ?? input.reasoning,
14802
+ derivationType: input.derivationType,
14803
+ metadata: input.metadata,
14804
+ userId: input.userId ?? context.userId ?? context.principalId
14805
+ })
14806
+ },
14807
+ args: updateEdgeArgs
14808
+ }),
14809
+ surfaceContract({
14810
+ name: "remove_edge",
14811
+ kind: "mutation",
14812
+ domain: "edges",
14813
+ surfaceClass: "platform_public",
14814
+ method: "DELETE",
14815
+ path: "/edges",
14816
+ sdkNamespace: "edges",
14817
+ sdkMethod: "removeEdge",
14818
+ summary: "Remove an epistemic edge.",
14819
+ convex: {
14820
+ module: "edges",
14821
+ functionName: "remove",
14822
+ kind: "mutation",
14823
+ inputProjection: (input, context) => compactRecord4({
14824
+ edgeId: input.edgeId,
14825
+ userId: input.userId ?? context.userId ?? context.principalId
14826
+ })
14827
+ },
14828
+ args: removeEdgeArgs
14829
+ }),
14830
+ surfaceContract({
14831
+ name: "remove_edges_between",
14832
+ kind: "mutation",
14833
+ domain: "edges",
14834
+ surfaceClass: "platform_public",
14835
+ method: "DELETE",
14836
+ path: "/edges/between",
14837
+ sdkNamespace: "edges",
14838
+ sdkMethod: "removeEdgesBetween",
14839
+ summary: "Remove epistemic edges between two nodes.",
14840
+ convex: {
14841
+ module: "edges",
14842
+ functionName: "removeBetween",
14843
+ kind: "mutation",
14844
+ inputProjection: (input) => {
14845
+ const parsed = removeEdgesBetweenArgs.parse(input);
14846
+ const fromNodeId = parsed.from ? graphRefNodeId(parsed.from) : parsed.fromNodeId;
14847
+ const toNodeId = parsed.to ? graphRefNodeId(parsed.to) : parsed.toNodeId;
14848
+ if (!fromNodeId || !toNodeId) {
14849
+ throw new Error("from/to or fromNodeId/toNodeId are required.");
14850
+ }
14851
+ return compactRecord4({
14852
+ fromNodeId,
14853
+ toNodeId,
14854
+ edgeType: parsed.edgeType
14855
+ });
14856
+ }
14857
+ },
14858
+ args: removeEdgesBetweenArgs
14859
+ }),
14860
+ surfaceContract({
14861
+ name: "batch_create_edges",
14862
+ kind: "mutation",
14863
+ domain: "edges",
14864
+ surfaceClass: "platform_public",
14865
+ path: "/edges/batch",
14866
+ sdkNamespace: "edges",
14867
+ sdkMethod: "batchCreateEdges",
14868
+ summary: "Batch create epistemic edges.",
14869
+ convex: {
14870
+ module: "edges",
14871
+ functionName: "batchCreate",
14872
+ kind: "mutation",
14873
+ inputProjection: (input, context) => {
14874
+ const parsed = batchCreateEdgesArgs.parse(input);
14875
+ return {
14876
+ skipLayerValidation: parsed.skipLayerValidation ?? true,
14877
+ edges: parsed.edges.map((edge) => {
14878
+ assertEdgePolicyAllowed(
14879
+ edgePolicyManifest,
14880
+ edge.edgeType,
14881
+ edge.from,
14882
+ edge.to
14883
+ );
14884
+ const fromNodeId = graphRefNodeId(edge.from);
14885
+ const toNodeId = graphRefNodeId(edge.to);
14886
+ return withCreatedBy(
14887
+ compactRecord4({
14888
+ fromNodeId,
14889
+ toNodeId,
14890
+ edgeType: edge.edgeType,
14891
+ globalId: edge.globalId ?? `edge:${fromNodeId}:${toNodeId}:${edge.edgeType}`,
14892
+ weight: edge.weight,
14893
+ confidence: edge.confidence,
14894
+ context: edge.context ?? edge.reasoning,
14895
+ reasoningMethod: edge.reasoningMethod,
14896
+ derivationType: edge.derivationType,
14897
+ metadata: edge.metadata,
14898
+ topicId: edge.topicId
14899
+ }),
14900
+ context
14901
+ );
14902
+ })
14903
+ };
14904
+ }
14905
+ },
14906
+ args: batchCreateEdgesArgs
14907
+ }),
12017
14908
  surfaceContract({
12018
14909
  name: "query_lineage",
12019
14910
  kind: "query",
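Review bot: The `update_edge` and `remove_edge` projections set `userId: input.userId ?? context.userId ?? context.principalId`, so a `userId` in the request body wins over the authenticated context on a `platform_public` surface. If the backend uses this value for ownership checks or audit attribution, a caller can act or be logged as another principal; the same release drops `userId: input.userId` from `completeTaskInput`, which suggests the intent is to stop trusting it. Prefer `userId: context.userId ?? context.principalId` and remove `userId` from `updateEdgeArgs`/`removeEdgeArgs`, or accept the override only for callers the gateway has marked as trusted. Separately, `batch_create_edges` defaults `skipLayerValidation` to `true` and lets the caller set it, which is worth confirming as intended for a public route.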
@@ -12736,6 +15627,69 @@ var pipelineContracts = [
12736
15627
  }
12737
15628
  })
12738
15629
  ];
15630
+ function isRecord3(value) {
15631
+ return Boolean(value) && typeof value === "object" && !Array.isArray(value);
15632
+ }
15633
+ function stringValues(value) {
15634
+ if (typeof value === "string") {
15635
+ return [value];
15636
+ }
15637
+ if (Array.isArray(value)) {
15638
+ return value.flatMap((item) => stringValues(item));
15639
+ }
15640
+ return [];
15641
+ }
15642
+ function nestedEvidenceRows(value) {
15643
+ if (Array.isArray(value)) {
15644
+ return value.flatMap((item) => nestedEvidenceRows(item));
15645
+ }
15646
+ if (!isRecord3(value)) {
15647
+ return [];
15648
+ }
15649
+ const nestedKeys = ["evidence", "items", "nodes"];
15650
+ const nestedRows = nestedKeys.flatMap((key) => nestedEvidenceRows(value[key]));
15651
+ return nestedRows.length > 0 ? nestedRows : [value];
15652
+ }
15653
+ function isFailedAttemptRow(row) {
15654
+ const metadata = isRecord3(row.metadata) ? row.metadata : null;
15655
+ return metadata?.failedApproach === true || metadata?.isFailedAttempt === true;
15656
+ }
15657
+ function failureLogSearchFields(row) {
15658
+ const metadata = isRecord3(row.metadata) ? row.metadata : null;
15659
+ return [
15660
+ ...stringValues(row.id),
15661
+ ...stringValues(row._id),
15662
+ ...stringValues(row.title),
15663
+ ...stringValues(row.text),
15664
+ ...stringValues(row.canonicalText),
15665
+ ...stringValues(row.content),
15666
+ ...stringValues(metadata?.codeAnchor),
15667
+ ...stringValues(metadata?.codeAnchors),
15668
+ ...stringValues(metadata?.anchor),
15669
+ ...stringValues(metadata?.anchors),
15670
+ ...stringValues(metadata?.filePath),
15671
+ ...stringValues(metadata?.filePaths),
15672
+ ...stringValues(metadata?.path),
15673
+ ...stringValues(metadata?.paths),
15674
+ ...stringValues(metadata?.sourceRef),
15675
+ ...stringValues(metadata?.touchedPaths)
15676
+ ];
15677
+ }
15678
+ function projectFailureLog(output, input) {
15679
+ const rawQuery = typeof input.query === "string" && input.query.trim().length > 0 ? input.query.trim() : void 0;
15680
+ const searchKey = rawQuery?.toLowerCase();
15681
+ const failures = nestedEvidenceRows(output).filter((row) => isFailedAttemptRow(row)).filter(
15682
+ (row) => !searchKey ? true : failureLogSearchFields(row).some(
15683
+ (field) => field.toLowerCase().includes(searchKey)
15684
+ )
15685
+ );
15686
+ return {
15687
+ query: rawQuery,
15688
+ failures,
15689
+ totalFound: failures.length,
15690
+ showing: failures.length
15691
+ };
15692
+ }
12739
15693
  var recordScopeLearningArgs = z.object({
12740
15694
  topicId: z.string().optional().describe("Topic scope ID"),
12741
15695
  summary: z.string().describe("Atomic learning statement"),
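Review bot: `nestedEvidenceRows` returns a record's children whenever its `evidence`, `items` or `nodes` key yields any rows, so a failed-attempt row that itself carries one of those arrays is replaced by its children and never reaches `isFailedAttemptRow`. If rows can hold linked evidence (the row shape is not visible here), keep the parent too, e.g. `return nestedRows.length > 0 ? [value, ...nestedRows] : [value];`, since the later filter discards envelope objects anyway. The function also recurses with no depth limit, and `totalFound` is set to the post-filter `failures.length`, identical to `showing`, so it under-reports whenever the backend result was already truncated by `limit`.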
@@ -12825,6 +15779,8 @@ var attemptInput = (input, context) => withUserId(
12825
15779
  tags: ["code_attempt"],
12826
15780
  metadata: compactRecord4({
12827
15781
  ...recordValue2(input.metadata),
15782
+ failedApproach: true,
15783
+ isFailedAttempt: true,
12828
15784
  filePaths: input.filePaths,
12829
15785
  filePath: input.filePath,
12830
15786
  errorMessage: input.errorMessage,
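Review bot: The two markers only hold because they are written after `...recordValue2(input.metadata)`; nothing in the code says so, and `projectFailureLog` filters on exactly these keys. Add a comment above them such as `// keep after the spread: caller metadata must not be able to clear these markers`. The reverse is still open: any other write path that stores caller-supplied `metadata` containing `failedApproach: true` would surface in the failure log, so the reader may want a second discriminator such as the `code_attempt` tag. `attemptInput` starts and ends outside the hunk.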
@@ -12955,7 +15911,8 @@ var codingContracts = [
12955
15911
  limit: input.limit,
12956
15912
  status: input.status,
12957
15913
  userId: input.userId
12958
- })
15914
+ }),
15915
+ outputProjection: (output, input) => projectFailureLog(output, input)
12959
15916
  }
12960
15917
  })
12961
15918
  ];
@@ -12992,6 +15949,7 @@ var ALL_FUNCTION_CONTRACTS = [
12992
15949
  ...evidenceContracts,
12993
15950
  ...questionsContracts,
12994
15951
  ...topicsContracts,
15952
+ ...nodesContracts,
12995
15953
  ...lensesContracts,
12996
15954
  ...ontologiesContracts,
12997
15955
  ...worktreesContracts,
@@ -13167,6 +16125,13 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13167
16125
  copyMode: "none",
13168
16126
  description: "Deliberation sessions are created by tenant workflows."
13169
16127
  },
16128
+ {
16129
+ component: "kernel",
16130
+ table: "domainEvents",
16131
+ prepopulation: "runtime_log",
16132
+ copyMode: "none",
16133
+ description: "Domain event rows are append-only runtime audit/exhaust data."
16134
+ },
13170
16135
  {
13171
16136
  component: "kernel",
13172
16137
  table: "epistemicAudit",
@@ -13416,14 +16381,14 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13416
16381
  description: "Worktrees are tenant/runtime planning data."
13417
16382
  },
13418
16383
  {
13419
- component: "identity",
16384
+ component: "control-plane",
13420
16385
  table: "agents",
13421
16386
  prepopulation: "runtime_bootstrap",
13422
16387
  copyMode: "none",
13423
16388
  description: "Service agents are provisioned per tenant or service, not copied."
13424
16389
  },
13425
16390
  {
13426
- component: "identity",
16391
+ component: "control-plane",
13427
16392
  table: "mcpWritePolicy",
13428
16393
  prepopulation: "required_template",
13429
16394
  copyMode: "template_global",
@@ -13432,14 +16397,14 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13432
16397
  description: "Global write policy defaults govern service and interactive MCP writes."
13433
16398
  },
13434
16399
  {
13435
- component: "identity",
16400
+ component: "control-plane",
13436
16401
  table: "modelCallLogs",
13437
16402
  prepopulation: "runtime_log",
13438
16403
  copyMode: "none",
13439
16404
  description: "Model call logs are runtime telemetry."
13440
16405
  },
13441
16406
  {
13442
- component: "identity",
16407
+ component: "control-plane",
13443
16408
  table: "modelFunctionSlots",
13444
16409
  prepopulation: "required_template",
13445
16410
  copyMode: "template_global",
@@ -13448,7 +16413,7 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13448
16413
  description: "Function-to-model slots are required by model runtime resolution."
13449
16414
  },
13450
16415
  {
13451
- component: "identity",
16416
+ component: "control-plane",
13452
16417
  table: "modelRegistry",
13453
16418
  prepopulation: "required_template",
13454
16419
  copyMode: "template_global",
@@ -13457,7 +16422,7 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13457
16422
  description: "Model catalog defaults are required by model runtime clients."
13458
16423
  },
13459
16424
  {
13460
- component: "identity",
16425
+ component: "control-plane",
13461
16426
  table: "modelSlotConfigs",
13462
16427
  prepopulation: "required_template",
13463
16428
  copyMode: "template_global",
@@ -13466,14 +16431,105 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13466
16431
  description: "Slot-level defaults are required before tenant overrides exist."
13467
16432
  },
13468
16433
  {
13469
- component: "identity",
16434
+ component: "control-plane",
16435
+ table: "permitAccessReviewItems",
16436
+ prepopulation: "runtime_data",
16437
+ copyMode: "none",
16438
+ description: "Permit access-review item rows are tenant review data projected from Permit."
16439
+ },
16440
+ {
16441
+ component: "control-plane",
16442
+ table: "permitAccessReviews",
16443
+ prepopulation: "runtime_data",
16444
+ copyMode: "none",
16445
+ description: "Permit access-review campaigns are tenant review data projected from Permit."
16446
+ },
16447
+ {
16448
+ component: "control-plane",
16449
+ table: "permitAttributeBindings",
16450
+ prepopulation: "runtime_data",
16451
+ copyMode: "none",
16452
+ description: "Permit ABAC attribute bindings are tenant policy projection rows."
16453
+ },
16454
+ {
16455
+ component: "control-plane",
16456
+ table: "permitGroups",
16457
+ prepopulation: "runtime_data",
16458
+ copyMode: "none",
16459
+ description: "Permit groups are tenant-defined policy subjects, not template data."
16460
+ },
16461
+ {
16462
+ component: "control-plane",
16463
+ table: "permitGroupMemberships",
16464
+ prepopulation: "runtime_data",
16465
+ copyMode: "none",
16466
+ description: "Permit group memberships are tenant-specific policy projection rows."
16467
+ },
16468
+ {
16469
+ component: "control-plane",
16470
+ table: "permitPolicyBundles",
16471
+ prepopulation: "runtime_derived",
16472
+ copyMode: "none",
16473
+ description: "Permit policy bundles are derived from the Permit control plane."
16474
+ },
16475
+ {
16476
+ component: "control-plane",
16477
+ table: "permitPolicyDecisionReceipts",
16478
+ prepopulation: "runtime_log",
16479
+ copyMode: "none",
16480
+ description: "Permit decision receipts are runtime authorization audit logs."
16481
+ },
16482
+ {
16483
+ component: "control-plane",
16484
+ table: "permitPrincipalAliases",
16485
+ prepopulation: "runtime_data",
16486
+ copyMode: "none",
16487
+ description: "Permit principal aliases are tenant-specific identity projection rows."
16488
+ },
16489
+ {
16490
+ component: "control-plane",
16491
+ table: "permitPrincipals",
16492
+ prepopulation: "runtime_data",
16493
+ copyMode: "none",
16494
+ description: "Permit principals are projected from Clerk, Permit, and tenant onboarding flows."
16495
+ },
16496
+ {
16497
+ component: "control-plane",
16498
+ table: "permitProjectionOutbox",
16499
+ prepopulation: "runtime_queue",
16500
+ copyMode: "none",
16501
+ description: "Permit projection outbox rows are runtime sync queue data."
16502
+ },
16503
+ {
16504
+ component: "control-plane",
16505
+ table: "permitRelationshipTuples",
16506
+ prepopulation: "runtime_data",
16507
+ copyMode: "none",
16508
+ description: "Permit ReBAC relationship tuples are tenant policy projection rows."
16509
+ },
16510
+ {
16511
+ component: "control-plane",
16512
+ table: "permitResourceInstances",
16513
+ prepopulation: "runtime_data",
16514
+ copyMode: "none",
16515
+ description: "Permit resource instances are tenant/workspace graph and deployment projection rows."
16516
+ },
16517
+ {
16518
+ component: "control-plane",
16519
+ table: "permitRoleAssignments",
16520
+ prepopulation: "runtime_data",
16521
+ copyMode: "none",
16522
+ description: "Permit role assignments are tenant-specific policy projection rows."
16523
+ },
16524
+ {
16525
+ component: "control-plane",
13470
16526
  table: "platformAudienceGrants",
13471
16527
  prepopulation: "runtime_data",
13472
16528
  copyMode: "none",
13473
16529
  description: "Audience grants are principal/group-specific access rows."
13474
16530
  },
13475
16531
  {
13476
- component: "identity",
16532
+ component: "control-plane",
13477
16533
  table: "platformAudiences",
13478
16534
  prepopulation: "required_template",
13479
16535
  copyMode: "template_tenant_rewrite",
@@ -13482,35 +16538,35 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13482
16538
  description: "Default tenant audience taxonomy rows are rewritten into each tenant."
13483
16539
  },
13484
16540
  {
13485
- component: "identity",
16541
+ component: "control-plane",
13486
16542
  table: "platformPolicyDecisionLogs",
13487
16543
  prepopulation: "runtime_log",
13488
16544
  copyMode: "none",
13489
16545
  description: "Policy decisions are runtime audit logs."
13490
16546
  },
13491
16547
  {
13492
- component: "identity",
16548
+ component: "control-plane",
13493
16549
  table: "projectGrants",
13494
16550
  prepopulation: "runtime_data",
13495
16551
  copyMode: "none",
13496
16552
  description: "Project/topic grants are principal or group-specific access rows."
13497
16553
  },
13498
16554
  {
13499
- component: "identity",
16555
+ component: "control-plane",
13500
16556
  table: "reasoningPermissions",
13501
16557
  prepopulation: "runtime_data",
13502
16558
  copyMode: "none",
13503
16559
  description: "Reasoning permissions are principal-specific policy rows."
13504
16560
  },
13505
16561
  {
13506
- component: "identity",
16562
+ component: "control-plane",
13507
16563
  table: "tenantApiKeys",
13508
16564
  prepopulation: "runtime_secret",
13509
16565
  copyMode: "none",
13510
16566
  description: "API keys are tenant credentials and must never be copied."
13511
16567
  },
13512
16568
  {
13513
- component: "identity",
16569
+ component: "control-plane",
13514
16570
  table: "tenantConfig",
13515
16571
  prepopulation: "required_template",
13516
16572
  copyMode: "template_tenant_rewrite",
@@ -13519,7 +16575,7 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13519
16575
  description: "Tenant-local config defaults are rewritten during bootstrap."
13520
16576
  },
13521
16577
  {
13522
- component: "identity",
16578
+ component: "control-plane",
13523
16579
  table: "tenantIntegrations",
13524
16580
  prepopulation: "required_template",
13525
16581
  copyMode: "template_tenant_rewrite",
@@ -13528,14 +16584,21 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13528
16584
  description: "Non-secret integration descriptors are rewritten into each tenant."
13529
16585
  },
13530
16586
  {
13531
- component: "identity",
16587
+ component: "control-plane",
13532
16588
  table: "tenantModelSlotBindings",
13533
16589
  prepopulation: "runtime_secret",
13534
16590
  copyMode: "none",
13535
16591
  description: "Tenant model slot bindings reference provider secrets and are runtime-only."
13536
16592
  },
13537
16593
  {
13538
- component: "identity",
16594
+ component: "control-plane",
16595
+ table: "tenantPermitSyncStates",
16596
+ prepopulation: "runtime_derived",
16597
+ copyMode: "none",
16598
+ description: "Tenant Permit sync state rows are runtime reconciliation state."
16599
+ },
16600
+ {
16601
+ component: "control-plane",
13539
16602
  table: "tenantPolicies",
13540
16603
  prepopulation: "required_template",
13541
16604
  copyMode: "template_tenant_rewrite",
@@ -13544,42 +16607,42 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13544
16607
  description: "Default tenant policy roles are rewritten during bootstrap."
13545
16608
  },
13546
16609
  {
13547
- component: "identity",
16610
+ component: "control-plane",
13548
16611
  table: "tenantProviderSecrets",
13549
16612
  prepopulation: "runtime_secret",
13550
16613
  copyMode: "none",
13551
16614
  description: "Provider secrets are credentials and must never be copied."
13552
16615
  },
13553
16616
  {
13554
- component: "identity",
16617
+ component: "control-plane",
13555
16618
  table: "tenantProxyGatewayUsage",
13556
16619
  prepopulation: "runtime_log",
13557
16620
  copyMode: "none",
13558
16621
  description: "Proxy gateway usage rows are runtime telemetry."
13559
16622
  },
13560
16623
  {
13561
- component: "identity",
16624
+ component: "control-plane",
13562
16625
  table: "tenantProxyTokenMints",
13563
16626
  prepopulation: "runtime_secret",
13564
16627
  copyMode: "none",
13565
16628
  description: "Proxy token mints are ephemeral secret-bearing runtime rows."
13566
16629
  },
13567
16630
  {
13568
- component: "identity",
16631
+ component: "control-plane",
13569
16632
  table: "tenantSandboxAuditEvents",
13570
16633
  prepopulation: "runtime_log",
13571
16634
  copyMode: "none",
13572
16635
  description: "Sandbox audit rows are runtime security logs."
13573
16636
  },
13574
16637
  {
13575
- component: "identity",
16638
+ component: "control-plane",
13576
16639
  table: "tenantSecrets",
13577
16640
  prepopulation: "runtime_secret",
13578
16641
  copyMode: "none",
13579
16642
  description: "Tenant secrets are credentials and must never be copied."
13580
16643
  },
13581
16644
  {
13582
- component: "identity",
16645
+ component: "control-plane",
13583
16646
  table: "toolAcls",
13584
16647
  prepopulation: "required_template",
13585
16648
  copyMode: "template_global",
@@ -13588,7 +16651,7 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13588
16651
  description: "Default role-to-tool grants are required for SDK/MCP tool access."
13589
16652
  },
13590
16653
  {
13591
- component: "identity",
16654
+ component: "control-plane",
13592
16655
  table: "toolRegistry",
13593
16656
  prepopulation: "required_template",
13594
16657
  copyMode: "template_global",
@@ -13597,7 +16660,7 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13597
16660
  description: "Core tool catalog rows are required before pack or tenant tools exist."
13598
16661
  },
13599
16662
  {
13600
- component: "identity",
16663
+ component: "control-plane",
13601
16664
  table: "users",
13602
16665
  prepopulation: "runtime_bootstrap",
13603
16666
  copyMode: "none",