@lucern/events 0.3.0-alpha.9 → 1.0.0

package/dist/types.js CHANGED
@@ -1,6 +1,20 @@
1
1
  import { z } from 'zod';
2
2
  import { v } from 'convex/values';
3
3
 
4
+ // ../contracts/src/types/reasoning-method.ts
5
+ var REASONING_METHODS = [
6
+ "deductive",
7
+ "inductive",
8
+ "abductive",
9
+ "analogical",
10
+ "causal",
11
+ "correlational",
12
+ "testimonial",
13
+ "statistical",
14
+ "implicit",
15
+ "pattern_match"
16
+ ];
17
+
4
18
  // ../contracts/src/graph-intelligence.contract.ts
5
19
  var GRAPH_INTELLIGENCE_MODE_TOOL_NAMES = {
6
20
  core: [
@@ -731,7 +745,7 @@ defineTable({
731
745
  });
732
746
  defineTable({
733
747
  name: "agents",
734
- component: "identity",
748
+ component: "control-plane",
735
749
  category: "agent",
736
750
  shape: z.object({
737
751
  "slug": z.string(),
@@ -762,6 +776,8 @@ defineTable({
762
776
  category: "tenant",
763
777
  shape: z.object({
764
778
  "tenantId": idOf("tenants"),
779
+ "workspaceId": idOf("workspaces").optional(),
780
+ "environment": z.enum(["dev", "staging", "prod"]).optional(),
765
781
  "keyPrefix": z.enum(["luc", "stk"]),
766
782
  "keyHash": z.string(),
767
783
  "keyHint": z.string(),
@@ -789,7 +805,7 @@ defineTable({
789
805
  shape: z.object({
790
806
  "tenantId": idOf("tenants").optional(),
791
807
  "apiKeyId": idOf("apiKeys").optional(),
792
- "action": z.enum(["key_created", "key_revoked", "key_expired", "key_used", "tenant_secret_created", "tenant_secret_rotated", "tenant_secret_revoked", "tenant_slot_binding_upserted", "tenant_slot_binding_revoked", "proxy_token_minted", "proxy_request_recorded", "tenant_created", "tenant_updated", "tenant_suspended", "tenant_archived", "tenant_reactivated", "principal_created", "principal_updated", "principal_suspended", "membership_created", "membership_updated", "membership_revoked", "group_created", "group_updated", "group_deleted", "group_member_added", "group_member_removed", "workspace_created", "workspace_updated", "workspace_archived", "workspace_deployment_set", "workspace_deployment_removed", "service_key_created", "service_key_rotated", "service_key_revoked", "service_key_used", "service_key_auth_failed", "session_created", "session_validated", "session_revoked", "session_cascade_revoked", "session_expired", "sandbox_created", "sandbox_secret_injected", "sandbox_execution_started", "sandbox_execution_completed", "sandbox_limit_violated", "policy_created", "policy_updated", "policy_enforced", "policy_archived", "agent_registered", "agent_updated", "tool_registered", "tool_updated", "pack_entitled", "pack_installed", "pack_enabled", "pack_disabled", "pack_entitlement_revoked", "pack_upgraded", "pack_upgrade_committed", "pack_upgrade_rolled_back", "pack_group_assigned", "pack_group_unassigned", "methodology_pack_created", "methodology_pack_updated", "methodology_pack_assigned", "methodology_pack_removed", "pack_assigned_to_group", "pack_revoked_from_group", "pack_ontology_materialized", "pack_ontology_topic_bound", "cutover_flag_set", "cutover_flag_cleared"]),
808
+ "action": z.enum(["key_created", "key_revoked", "key_expired", "key_used", "tenant_secret_created", "tenant_secret_rotated", "tenant_secret_revoked", "tenant_slot_binding_upserted", "tenant_slot_binding_revoked", "proxy_token_minted", "proxy_token_lease_issued", "proxy_token_lease_renewed", "proxy_token_lease_revoked", "proxy_request_recorded", "tenant_created", "tenant_updated", "tenant_suspended", "tenant_archived", "tenant_reactivated", "tenant_clerk_organization_linked", "tenant_canonical_identity_repaired", "principal_created", "principal_updated", "principal_suspended", "principal_identity_alias_upserted", "principal_identity_alias_revoked", "membership_created", "membership_updated", "membership_revoked", "group_created", "group_updated", "group_deleted", "group_member_added", "group_member_removed", "workspace_created", "workspace_updated", "workspace_archived", "workspace_deployment_set", "workspace_deployment_removed", "deployment_host_registered", "deployment_host_revoked", "service_key_created", "service_key_rotated", "service_key_revoked", "service_key_used", "service_key_auth_failed", "session_created", "session_validated", "session_revoked", "session_cascade_revoked", "session_expired", "sandbox_created", "sandbox_secret_injected", "sandbox_execution_started", "sandbox_execution_completed", "sandbox_limit_violated", "policy_created", "policy_updated", "policy_enforced", "policy_archived", "permit_sync_enqueued", "permit_sync_succeeded", "permit_sync_failed", "permit_sync_skipped", "agent_registered", "agent_updated", "tool_registered", "tool_updated", "pack_entitled", "pack_installed", "pack_enabled", "pack_disabled", "pack_entitlement_revoked", "pack_upgraded", "pack_upgrade_committed", "pack_upgrade_rolled_back", "pack_group_assigned", "pack_group_unassigned", "methodology_pack_created", "methodology_pack_updated", "methodology_pack_assigned", "methodology_pack_removed", "pack_assigned_to_group", "pack_revoked_from_group", 
"pack_ontology_materialized", "pack_ontology_topic_bound", "cutover_flag_set", "cutover_flag_cleared"]),
793
809
  "actorClerkId": z.string(),
794
810
  "details": z.any().optional(),
795
811
  "createdAt": z.number()
@@ -1013,6 +1029,35 @@ defineTable({
1013
1029
  { kind: "index", name: "by_source", columns: ["source"] }
1014
1030
  ]
1015
1031
  });
1032
+ defineTable({
1033
+ name: "domainEvents",
1034
+ component: "kernel",
1035
+ category: "events",
1036
+ shape: z.object({
1037
+ "eventId": z.string(),
1038
+ "type": z.string(),
1039
+ "version": z.string(),
1040
+ "timestamp": z.number(),
1041
+ "tenantId": z.string().optional(),
1042
+ "workspaceId": z.string().optional(),
1043
+ "topicId": z.string(),
1044
+ "resourceId": z.string(),
1045
+ "resourceType": z.string(),
1046
+ "actorId": z.string(),
1047
+ "actorType": z.enum(["human", "agent", "service"]),
1048
+ "data": z.record(z.any()),
1049
+ "correlationId": z.string().optional(),
1050
+ "expiresAt": z.number()
1051
+ }),
1052
+ indices: [
1053
+ { kind: "index", name: "by_eventId", columns: ["eventId"] },
1054
+ { kind: "index", name: "by_topic_timestamp", columns: ["topicId", "timestamp"] },
1055
+ { kind: "index", name: "by_tenant_workspace_timestamp", columns: ["tenantId", "workspaceId", "timestamp"] },
1056
+ { kind: "index", name: "by_type_timestamp", columns: ["type", "timestamp"] },
1057
+ { kind: "index", name: "by_resource", columns: ["resourceType", "resourceId", "timestamp"] },
1058
+ { kind: "index", name: "by_expiresAt", columns: ["expiresAt"] }
1059
+ ]
1060
+ });
1016
1061
  defineTable({
1017
1062
  name: "beliefConfidence",
1018
1063
  component: "kernel",
@@ -1668,29 +1713,37 @@ defineTable({
1668
1713
  component: "mc",
1669
1714
  category: "runtime",
1670
1715
  shape: z.object({
1671
- "shimId": z.string(),
1672
- "gateId": z.string(),
1673
- "removalDate": z.string(),
1674
- "removalPriority": z.enum(["P1", "P2", "P3"]),
1675
- "description": z.string(),
1676
- "owner": z.string(),
1677
- "createdAt": z.string(),
1678
- "status": z.enum(["active", "overdue", "removed"]),
1679
- "bridgeType": z.enum(["tool", "agent"]),
1680
- "bridgeTarget": z.object({
1681
- "type": z.enum(["tool", "agent"]),
1682
- "legacyPath": z.string(),
1683
- "harnessPath": z.string()
1716
+ shimId: z.string(),
1717
+ gateId: z.string(),
1718
+ removalDate: z.string(),
1719
+ removalPriority: z.enum(["P1", "P2", "P3"]),
1720
+ description: z.string(),
1721
+ owner: z.string(),
1722
+ createdAt: z.string(),
1723
+ status: z.enum(["active", "overdue", "removed"]),
1724
+ bridgeType: z.enum(["tool", "agent"]),
1725
+ bridgeTarget: z.object({
1726
+ type: z.enum(["tool", "agent"]),
1727
+ legacyPath: z.string(),
1728
+ harnessPath: z.string()
1684
1729
  }),
1685
- "shimBehavior": z.enum(["passthrough_with_logging", "adapter", "feature_flag_gate"]),
1686
- "producesLedgerEntries": z.boolean(),
1687
- "lastAuditedAt": z.number(),
1688
- "metadata": z.record(z.any()).optional()
1730
+ shimBehavior: z.enum([
1731
+ "passthrough_with_logging",
1732
+ "adapter",
1733
+ "feature_flag_gate"
1734
+ ]),
1735
+ producesLedgerEntries: z.boolean(),
1736
+ lastAuditedAt: z.number(),
1737
+ metadata: z.record(z.any()).optional()
1689
1738
  }),
1690
1739
  indices: [
1691
1740
  { kind: "index", name: "by_shimId", columns: ["shimId"] },
1692
1741
  { kind: "index", name: "by_status", columns: ["status"] },
1693
- { kind: "index", name: "by_bridgeType_status", columns: ["bridgeType", "status"] }
1742
+ {
1743
+ kind: "index",
1744
+ name: "by_bridgeType_status",
1745
+ columns: ["bridgeType", "status"]
1746
+ }
1694
1747
  ]
1695
1748
  });
1696
1749
  defineTable({
@@ -1698,12 +1751,23 @@ defineTable({
1698
1751
  component: "mc",
1699
1752
  category: "runtime",
1700
1753
  shape: z.object({
1701
- "domain": z.enum(["graph", "schema", "identity", "policy", "audit", "admin", "agent", "tool", "prompt", "intelligence"]),
1702
- "state": z.enum(["legacy", "cutover", "disabled"]),
1703
- "metadata": z.record(z.any()).optional(),
1704
- "updatedBy": z.string(),
1705
- "createdAt": z.number(),
1706
- "updatedAt": z.number()
1754
+ domain: z.enum([
1755
+ "graph",
1756
+ "schema",
1757
+ "identity",
1758
+ "policy",
1759
+ "audit",
1760
+ "admin",
1761
+ "agent",
1762
+ "tool",
1763
+ "prompt",
1764
+ "intelligence"
1765
+ ]),
1766
+ state: z.enum(["legacy", "cutover", "disabled"]),
1767
+ metadata: z.record(z.any()).optional(),
1768
+ updatedBy: z.string(),
1769
+ createdAt: z.number(),
1770
+ updatedAt: z.number()
1707
1771
  }),
1708
1772
  indices: [
1709
1773
  { kind: "index", name: "by_domain", columns: ["domain"] },
@@ -1715,57 +1779,193 @@ defineTable({
1715
1779
  component: "mc",
1716
1780
  category: "runtime",
1717
1781
  shape: z.object({
1718
- "credentialRef": z.string(),
1719
- "tenantId": idOf("tenants"),
1720
- "target": z.enum(["kernelDeployment", "appDeployment"]),
1721
- "environment": z.enum(["dev", "staging", "prod"]),
1722
- "encryptedDeployKey": z.string(),
1723
- "encryptionVersion": z.string(),
1724
- "keyFingerprint": z.string(),
1725
- "keyHint": z.string(),
1726
- "status": z.enum(["active", "revoked"]),
1727
- "rotatedFromCredentialRef": z.string().optional(),
1728
- "revokedAt": z.number().optional(),
1729
- "revokedBy": z.string().optional(),
1730
- "lastUsedAt": z.number().optional(),
1731
- "metadata": z.record(z.any()).optional(),
1732
- "createdBy": z.string(),
1733
- "createdAt": z.number(),
1734
- "updatedAt": z.number()
1782
+ credentialRef: z.string(),
1783
+ tenantId: idOf("tenants"),
1784
+ workspaceId: idOf("workspaces").optional(),
1785
+ target: z.enum(["kernelDeployment", "appDeployment"]),
1786
+ environment: z.enum(["dev", "staging", "prod"]),
1787
+ encryptedDeployKey: z.string(),
1788
+ encryptionVersion: z.string(),
1789
+ keyFingerprint: z.string(),
1790
+ keyHint: z.string(),
1791
+ status: z.enum(["active", "revoked"]),
1792
+ rotatedFromCredentialRef: z.string().optional(),
1793
+ revokedAt: z.number().optional(),
1794
+ revokedBy: z.string().optional(),
1795
+ lastUsedAt: z.number().optional(),
1796
+ metadata: z.record(z.any()).optional(),
1797
+ createdBy: z.string(),
1798
+ createdAt: z.number(),
1799
+ updatedAt: z.number()
1735
1800
  }),
1736
1801
  indices: [
1737
1802
  { kind: "index", name: "by_credentialRef", columns: ["credentialRef"] },
1738
1803
  { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
1739
- { kind: "index", name: "by_tenant_target", columns: ["tenantId", "target"] },
1740
- { kind: "index", name: "by_tenant_target_environment", columns: ["tenantId", "target", "environment"] },
1741
- { kind: "index", name: "by_tenant_target_environment_status", columns: ["tenantId", "target", "environment", "status"] },
1804
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
1805
+ {
1806
+ kind: "index",
1807
+ name: "by_tenant_target",
1808
+ columns: ["tenantId", "target"]
1809
+ },
1810
+ {
1811
+ kind: "index",
1812
+ name: "by_tenant_target_environment",
1813
+ columns: ["tenantId", "target", "environment"]
1814
+ },
1815
+ {
1816
+ kind: "index",
1817
+ name: "by_tenant_target_environment_status",
1818
+ columns: ["tenantId", "target", "environment", "status"]
1819
+ },
1820
+ {
1821
+ kind: "index",
1822
+ name: "by_tenant_workspace_target_environment_status",
1823
+ columns: ["tenantId", "workspaceId", "target", "environment", "status"]
1824
+ },
1742
1825
  { kind: "index", name: "by_status", columns: ["status"] }
1743
1826
  ]
1744
1827
  });
1828
+ defineTable({
1829
+ name: "permitSyncStates",
1830
+ component: "mc",
1831
+ category: "runtime",
1832
+ shape: z.object({
1833
+ syncKey: z.string(),
1834
+ objectType: z.enum([
1835
+ "resource",
1836
+ "role",
1837
+ "resource_role",
1838
+ "resource_relation",
1839
+ "tenant",
1840
+ "workspace",
1841
+ "principal",
1842
+ "membership",
1843
+ "group",
1844
+ "resource_instance",
1845
+ "relationship_tuple",
1846
+ "role_assignment"
1847
+ ]),
1848
+ objectId: z.string(),
1849
+ tenantId: idOf("tenants").optional(),
1850
+ workspaceId: idOf("workspaces").optional(),
1851
+ principalId: z.string().optional(),
1852
+ permitTenantKey: z.string().optional(),
1853
+ permitResourceType: z.string().optional(),
1854
+ permitResourceKey: z.string().optional(),
1855
+ desiredPayload: z.record(z.any()),
1856
+ lastAppliedPayloadHash: z.string().optional(),
1857
+ status: z.enum(["pending", "synced", "error", "skipped"]),
1858
+ attemptCount: z.number(),
1859
+ lastError: z.string().optional(),
1860
+ nextAttemptAt: z.number().optional(),
1861
+ lastSyncedAt: z.number().optional(),
1862
+ createdBy: z.string(),
1863
+ updatedBy: z.string().optional(),
1864
+ createdAt: z.number(),
1865
+ updatedAt: z.number()
1866
+ }),
1867
+ indices: [
1868
+ { kind: "index", name: "by_syncKey", columns: ["syncKey"] },
1869
+ { kind: "index", name: "by_status", columns: ["status"] },
1870
+ {
1871
+ kind: "index",
1872
+ name: "by_tenant_status",
1873
+ columns: ["tenantId", "status"]
1874
+ },
1875
+ {
1876
+ kind: "index",
1877
+ name: "by_workspace_status",
1878
+ columns: ["workspaceId", "status"]
1879
+ },
1880
+ {
1881
+ kind: "index",
1882
+ name: "by_principal_status",
1883
+ columns: ["principalId", "status"]
1884
+ }
1885
+ ]
1886
+ });
1887
+ defineTable({
1888
+ name: "secretSyncDriftReports",
1889
+ component: "mc",
1890
+ category: "runtime",
1891
+ shape: z.object({
1892
+ reportId: z.string(),
1893
+ source: z.enum(["infisical_manifest", "manual", "ci"]),
1894
+ generatedAt: z.number(),
1895
+ recordedAt: z.number(),
1896
+ recordedBy: z.string(),
1897
+ status: z.enum([
1898
+ "in_sync",
1899
+ "drift",
1900
+ "exception",
1901
+ "blocked",
1902
+ "not_observed"
1903
+ ]),
1904
+ reportHash: z.string(),
1905
+ manifestHash: z.string().optional(),
1906
+ dryRunReceiptId: z.string().optional(),
1907
+ appliedReceiptId: z.string().optional(),
1908
+ summary: z.object({
1909
+ totalPipelines: z.number(),
1910
+ inSync: z.number(),
1911
+ drift: z.number(),
1912
+ exception: z.number(),
1913
+ blocked: z.number(),
1914
+ notObserved: z.number(),
1915
+ missingKeys: z.number(),
1916
+ valueDriftKeys: z.number(),
1917
+ extraKeys: z.number(),
1918
+ deniedConvexLeakage: z.number(),
1919
+ approvedExceptions: z.number()
1920
+ }),
1921
+ redactedReport: z.record(z.any()),
1922
+ metadata: z.record(z.any()).optional()
1923
+ }),
1924
+ indices: [
1925
+ { kind: "index", name: "by_reportId", columns: ["reportId"] },
1926
+ { kind: "index", name: "by_reportHash", columns: ["reportHash"] },
1927
+ { kind: "index", name: "by_generatedAt", columns: ["generatedAt"] },
1928
+ {
1929
+ kind: "index",
1930
+ name: "by_status_generatedAt",
1931
+ columns: ["status", "generatedAt"]
1932
+ }
1933
+ ]
1934
+ });
1745
1935
  defineTable({
1746
1936
  name: "controlPlaneTenantModelSlotBindings",
1747
1937
  component: "mc",
1748
1938
  category: "runtime",
1749
1939
  shape: z.object({
1750
- "bindingId": z.string(),
1751
- "tenantId": idOf("tenants"),
1752
- "providerId": z.string(),
1753
- "modelSlotId": z.string(),
1754
- "secretRef": z.string(),
1755
- "status": z.enum(["active", "revoked"]),
1756
- "passThroughOnly": z.boolean(),
1757
- "revokedAt": z.number().optional(),
1758
- "revokedBy": z.string().optional(),
1759
- "metadata": z.record(z.any()).optional(),
1760
- "createdBy": z.string(),
1761
- "createdAt": z.number(),
1762
- "updatedAt": z.number()
1940
+ bindingId: z.string(),
1941
+ tenantId: idOf("tenants"),
1942
+ workspaceId: idOf("workspaces").optional(),
1943
+ environment: z.enum(["dev", "staging", "prod"]).optional(),
1944
+ providerId: z.string(),
1945
+ modelSlotId: z.string(),
1946
+ secretRef: z.string(),
1947
+ status: z.enum(["active", "revoked"]),
1948
+ passThroughOnly: z.boolean(),
1949
+ revokedAt: z.number().optional(),
1950
+ revokedBy: z.string().optional(),
1951
+ metadata: z.record(z.any()).optional(),
1952
+ createdBy: z.string(),
1953
+ createdAt: z.number(),
1954
+ updatedAt: z.number()
1763
1955
  }),
1764
1956
  indices: [
1765
1957
  { kind: "index", name: "by_bindingId", columns: ["bindingId"] },
1766
1958
  { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
1767
- { kind: "index", name: "by_tenant_slot", columns: ["tenantId", "modelSlotId"] },
1768
- { kind: "index", name: "by_tenant_provider_slot", columns: ["tenantId", "providerId", "modelSlotId"] },
1959
+ {
1960
+ kind: "index",
1961
+ name: "by_tenant_slot",
1962
+ columns: ["tenantId", "modelSlotId"]
1963
+ },
1964
+ {
1965
+ kind: "index",
1966
+ name: "by_tenant_provider_slot",
1967
+ columns: ["tenantId", "providerId", "modelSlotId"]
1968
+ },
1769
1969
  { kind: "index", name: "by_secretRef", columns: ["secretRef"] },
1770
1970
  { kind: "index", name: "by_status", columns: ["status"] }
1771
1971
  ]
@@ -1775,29 +1975,42 @@ defineTable({
1775
1975
  component: "mc",
1776
1976
  category: "runtime",
1777
1977
  shape: z.object({
1778
- "secretRef": z.string(),
1779
- "tenantId": idOf("tenants"),
1780
- "providerId": z.string(),
1781
- "label": z.string().optional(),
1782
- "encryptedSecret": z.string(),
1783
- "encryptionVersion": z.string(),
1784
- "secretFingerprint": z.string(),
1785
- "keyHint": z.string(),
1786
- "status": z.enum(["active", "revoked"]),
1787
- "rotatedFromSecretRef": z.string().optional(),
1788
- "revokedAt": z.number().optional(),
1789
- "revokedBy": z.string().optional(),
1790
- "lastUsedAt": z.number().optional(),
1791
- "metadata": z.record(z.any()).optional(),
1792
- "createdBy": z.string(),
1793
- "createdAt": z.number(),
1794
- "updatedAt": z.number()
1978
+ secretRef: z.string(),
1979
+ tenantId: idOf("tenants"),
1980
+ workspaceId: idOf("workspaces").optional(),
1981
+ environment: z.enum(["dev", "staging", "prod"]).optional(),
1982
+ providerId: z.string(),
1983
+ label: z.string().optional(),
1984
+ encryptedSecret: z.string().optional(),
1985
+ infisicalPath: z.string().optional(),
1986
+ infisicalSecretKey: z.string().optional(),
1987
+ infisicalProjectId: z.string().optional(),
1988
+ encryptionVersion: z.string(),
1989
+ secretFingerprint: z.string(),
1990
+ keyHint: z.string(),
1991
+ status: z.enum(["active", "revoked"]),
1992
+ rotatedFromSecretRef: z.string().optional(),
1993
+ revokedAt: z.number().optional(),
1994
+ revokedBy: z.string().optional(),
1995
+ lastUsedAt: z.number().optional(),
1996
+ metadata: z.record(z.any()).optional(),
1997
+ createdBy: z.string(),
1998
+ createdAt: z.number(),
1999
+ updatedAt: z.number()
1795
2000
  }),
1796
2001
  indices: [
1797
2002
  { kind: "index", name: "by_secretRef", columns: ["secretRef"] },
1798
2003
  { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
1799
- { kind: "index", name: "by_tenant_provider", columns: ["tenantId", "providerId"] },
1800
- { kind: "index", name: "by_tenant_provider_status", columns: ["tenantId", "providerId", "status"] },
2004
+ {
2005
+ kind: "index",
2006
+ name: "by_tenant_provider",
2007
+ columns: ["tenantId", "providerId"]
2008
+ },
2009
+ {
2010
+ kind: "index",
2011
+ name: "by_tenant_provider_status",
2012
+ columns: ["tenantId", "providerId", "status"]
2013
+ },
1801
2014
  { kind: "index", name: "by_status", columns: ["status"] }
1802
2015
  ]
1803
2016
  });
@@ -1806,35 +2019,93 @@ defineTable({
1806
2019
  component: "mc",
1807
2020
  category: "runtime",
1808
2021
  shape: z.object({
1809
- "usageId": z.string(),
1810
- "tenantId": idOf("tenants"),
1811
- "providerId": z.string(),
1812
- "modelSlotId": z.string(),
1813
- "secretRef": z.string(),
1814
- "proxyTokenId": z.string(),
1815
- "sessionId": z.string(),
1816
- "principalId": z.string(),
1817
- "workspaceId": z.string().optional(),
1818
- "modelId": z.string().optional(),
1819
- "requestPath": z.string(),
1820
- "status": z.enum(["success", "error"]),
1821
- "responseStatus": z.number().optional(),
1822
- "inputTokens": z.number().optional(),
1823
- "outputTokens": z.number().optional(),
1824
- "tokenCount": z.number().optional(),
1825
- "latencyMs": z.number(),
1826
- "estimatedCostUsd": z.number().optional(),
1827
- "failureCode": z.string().optional(),
1828
- "metadata": z.record(z.any()).optional(),
1829
- "createdAt": z.number(),
1830
- "updatedAt": z.number()
2022
+ usageId: z.string(),
2023
+ tenantId: idOf("tenants"),
2024
+ providerId: z.string(),
2025
+ modelSlotId: z.string(),
2026
+ secretRef: z.string(),
2027
+ proxyTokenId: z.string(),
2028
+ sessionId: z.string(),
2029
+ principalId: z.string(),
2030
+ workspaceId: z.string().optional(),
2031
+ modelId: z.string().optional(),
2032
+ requestPath: z.string(),
2033
+ status: z.enum(["success", "error"]),
2034
+ responseStatus: z.number().optional(),
2035
+ inputTokens: z.number().optional(),
2036
+ outputTokens: z.number().optional(),
2037
+ tokenCount: z.number().optional(),
2038
+ latencyMs: z.number(),
2039
+ estimatedCostUsd: z.number().optional(),
2040
+ failureCode: z.string().optional(),
2041
+ metadata: z.record(z.any()).optional(),
2042
+ createdAt: z.number(),
2043
+ updatedAt: z.number()
1831
2044
  }),
1832
2045
  indices: [
1833
2046
  { kind: "index", name: "by_usageId", columns: ["usageId"] },
1834
2047
  { kind: "index", name: "by_tenantId", columns: ["tenantId", "createdAt"] },
1835
- { kind: "index", name: "by_tenant_provider", columns: ["tenantId", "providerId", "createdAt"] },
1836
- { kind: "index", name: "by_proxyTokenId", columns: ["proxyTokenId", "createdAt"] },
1837
- { kind: "index", name: "by_sessionId", columns: ["sessionId", "createdAt"] }
2048
+ {
2049
+ kind: "index",
2050
+ name: "by_tenant_provider",
2051
+ columns: ["tenantId", "providerId", "createdAt"]
2052
+ },
2053
+ {
2054
+ kind: "index",
2055
+ name: "by_proxyTokenId",
2056
+ columns: ["proxyTokenId", "createdAt"]
2057
+ },
2058
+ {
2059
+ kind: "index",
2060
+ name: "by_sessionId",
2061
+ columns: ["sessionId", "createdAt"]
2062
+ }
2063
+ ]
2064
+ });
2065
+ defineTable({
2066
+ name: "controlPlaneTenantProxyTokenLeases",
2067
+ component: "mc",
2068
+ category: "runtime",
2069
+ shape: z.object({
2070
+ leaseId: z.string(),
2071
+ proxyTokenId: z.string(),
2072
+ tenantId: idOf("tenants"),
2073
+ workspaceId: idOf("workspaces").optional(),
2074
+ environment: z.enum(["dev", "staging", "prod"]),
2075
+ providerId: z.string(),
2076
+ modelSlotId: z.string(),
2077
+ bindingId: z.string(),
2078
+ secretRef: z.string(),
2079
+ sessionId: z.string(),
2080
+ principalId: z.string(),
2081
+ agentSessionId: z.string().optional(),
2082
+ status: z.enum(["active", "revoked"]),
2083
+ expiresAt: z.number(),
2084
+ renewedAt: z.number().optional(),
2085
+ revokedAt: z.number().optional(),
2086
+ revokedBy: z.string().optional(),
2087
+ revokeReason: z.string().optional(),
2088
+ permitDecisionLogId: idOf("policyDecisionLogs").optional(),
2089
+ permitTraceId: z.string().optional(),
2090
+ metadata: z.record(z.any()).optional(),
2091
+ createdAt: z.number(),
2092
+ updatedAt: z.number()
2093
+ }),
2094
+ indices: [
2095
+ { kind: "index", name: "by_leaseId", columns: ["leaseId"] },
2096
+ { kind: "index", name: "by_proxyTokenId", columns: ["proxyTokenId"] },
2097
+ { kind: "index", name: "by_tenantId", columns: ["tenantId", "createdAt"] },
2098
+ { kind: "index", name: "by_sessionId", columns: ["sessionId", "createdAt"] },
2099
+ {
2100
+ kind: "index",
2101
+ name: "by_principalId",
2102
+ columns: ["principalId", "createdAt"]
2103
+ },
2104
+ {
2105
+ kind: "index",
2106
+ name: "by_status_expiresAt",
2107
+ columns: ["status", "expiresAt"]
2108
+ }
1838
2109
  ]
1839
2110
  });
1840
2111
  defineTable({
@@ -2167,6 +2438,7 @@ defineTable({
2167
2438
  "questionType": z.enum(["validation", "falsification", "assumption_probe", "prediction_test", "counterfactual", "discovery", "clarification", "comparison", "causal", "mechanism", "general"]).optional(),
2168
2439
  "questionPriority": z.enum(["critical", "high", "medium", "low"]).optional(),
2169
2440
  "answerQuality": z.enum(["definitive", "strong", "moderate", "weak", "speculative", "unanswered"]).optional(),
2441
+ "themeStatus": z.enum(["emerging", "active", "mature", "declining", "archived"]).optional(),
2170
2442
  "themeConviction": z.enum(["high", "medium", "low", "negative"]).optional(),
2171
2443
  "decisionType": z.enum(["invest", "pass", "follow_on", "exit", "deep_dive", "monitor", "deprioritize", "thesis_adopt", "thesis_revise", "thesis_abandon"]).optional(),
2172
2444
  "decisionOutcome": z.enum(["pending", "successful", "unsuccessful", "mixed", "unknown"]).optional(),
@@ -2317,6 +2589,7 @@ defineTable({
2317
2589
  indices: [
2318
2590
  { kind: "index", name: "by_principalId", columns: ["principalId"] },
2319
2591
  { kind: "index", name: "by_principal_tenant", columns: ["principalId", "tenantId"] },
2592
+ { kind: "index", name: "by_principal_tenant_workspace", columns: ["principalId", "tenantId", "workspaceId"] },
2320
2593
  { kind: "index", name: "by_workspace_principal", columns: ["workspaceId", "principalId"] },
2321
2594
  { kind: "index", name: "by_tenant_role", columns: ["tenantId", "role"] },
2322
2595
  { kind: "index", name: "by_status", columns: ["status"] }
@@ -2348,6 +2621,36 @@ defineTable({
2348
2621
  { kind: "index", name: "by_status", columns: ["status"] }
2349
2622
  ]
2350
2623
  });
2624
+ defineTable({
2625
+ name: "principalIdentityAliases",
2626
+ component: "mc",
2627
+ category: "identity",
2628
+ shape: z.object({
2629
+ "principalId": z.string(),
2630
+ "principalRefId": idOf("principals").optional(),
2631
+ "provider": z.string(),
2632
+ "providerProjectId": z.string().optional(),
2633
+ "externalSubjectId": z.string(),
2634
+ "tenantId": idOf("tenants").optional(),
2635
+ "workspaceId": idOf("workspaces").optional(),
2636
+ "email": z.string().optional(),
2637
+ "status": z.enum(["active", "revoked"]),
2638
+ "metadata": z.record(z.any()).optional(),
2639
+ "createdBy": z.string(),
2640
+ "revokedAt": z.number().optional(),
2641
+ "revokedBy": z.string().optional(),
2642
+ "createdAt": z.number(),
2643
+ "updatedAt": z.number()
2644
+ }),
2645
+ indices: [
2646
+ { kind: "index", name: "by_provider_subject", columns: ["provider", "externalSubjectId"] },
2647
+ { kind: "index", name: "by_provider_project_subject", columns: ["provider", "providerProjectId", "externalSubjectId"] },
2648
+ { kind: "index", name: "by_principalId", columns: ["principalId"] },
2649
+ { kind: "index", name: "by_principal_status", columns: ["principalId", "status"] },
2650
+ { kind: "index", name: "by_tenant_provider_subject", columns: ["tenantId", "provider", "externalSubjectId"] },
2651
+ { kind: "index", name: "by_workspace_provider_subject", columns: ["workspaceId", "provider", "externalSubjectId"] }
2652
+ ]
2653
+ });
2351
2654
  defineTable({
2352
2655
  name: "rateLimitWindows",
2353
2656
  component: "mc",
@@ -2937,7 +3240,7 @@ defineTable({
2937
3240
  });
2938
3241
  defineTable({
2939
3242
  name: "mcpWritePolicy",
2940
- component: "identity",
3243
+ component: "control-plane",
2941
3244
  category: "platform",
2942
3245
  shape: z.object({
2943
3246
  "topicId": z.string().optional(),
@@ -2960,7 +3263,7 @@ defineTable({
2960
3263
  });
2961
3264
  defineTable({
2962
3265
  name: "platformAudienceGrants",
2963
- component: "identity",
3266
+ component: "control-plane",
2964
3267
  category: "platform",
2965
3268
  shape: z.object({
2966
3269
  "tenantId": z.string(),
@@ -2986,7 +3289,7 @@ defineTable({
2986
3289
  });
2987
3290
  defineTable({
2988
3291
  name: "platformAudiences",
2989
- component: "identity",
3292
+ component: "control-plane",
2990
3293
  category: "platform",
2991
3294
  shape: z.object({
2992
3295
  "tenantId": z.string(),
@@ -3011,7 +3314,7 @@ defineTable({
3011
3314
  });
3012
3315
  defineTable({
3013
3316
  name: "platformPolicyDecisionLogs",
3014
- component: "identity",
3317
+ component: "control-plane",
3015
3318
  category: "platform",
3016
3319
  shape: z.object({
3017
3320
  "principalId": z.string(),
@@ -3047,7 +3350,7 @@ defineTable({
3047
3350
  });
3048
3351
  defineTable({
3049
3352
  name: "tenantApiKeys",
3050
- component: "identity",
3353
+ component: "control-plane",
3051
3354
  category: "platform",
3052
3355
  shape: z.object({
3053
3356
  "tenantId": z.string(),
@@ -3074,7 +3377,7 @@ defineTable({
3074
3377
  });
3075
3378
  defineTable({
3076
3379
  name: "tenantConfig",
3077
- component: "identity",
3380
+ component: "control-plane",
3078
3381
  category: "platform",
3079
3382
  shape: z.object({
3080
3383
  "tenantId": z.string(),
@@ -3093,7 +3396,7 @@ defineTable({
3093
3396
  });
3094
3397
  defineTable({
3095
3398
  name: "tenantIntegrations",
3096
- component: "identity",
3399
+ component: "control-plane",
3097
3400
  category: "platform",
3098
3401
  shape: z.object({
3099
3402
  "tenantId": z.string(),
@@ -3148,7 +3451,7 @@ defineTable({
3148
3451
  });
3149
3452
  defineTable({
3150
3453
  name: "tenantModelSlotBindings",
3151
- component: "identity",
3454
+ component: "control-plane",
3152
3455
  category: "platform",
3153
3456
  shape: z.object({
3154
3457
  "bindingId": z.string(),
@@ -3176,7 +3479,7 @@ defineTable({
3176
3479
  });
3177
3480
  defineTable({
3178
3481
  name: "tenantPolicies",
3179
- component: "identity",
3482
+ component: "control-plane",
3180
3483
  category: "platform",
3181
3484
  shape: z.object({
3182
3485
  "tenantId": z.string(),
@@ -3201,7 +3504,7 @@ defineTable({
3201
3504
  });
3202
3505
  defineTable({
3203
3506
  name: "tenantProviderSecrets",
3204
- component: "identity",
3507
+ component: "control-plane",
3205
3508
  category: "platform",
3206
3509
  shape: z.object({
3207
3510
  "secretRef": z.string(),
@@ -3232,7 +3535,7 @@ defineTable({
3232
3535
  });
3233
3536
  defineTable({
3234
3537
  name: "tenantProxyGatewayUsage",
3235
- component: "identity",
3538
+ component: "control-plane",
3236
3539
  category: "platform",
3237
3540
  shape: z.object({
3238
3541
  "usageId": z.string(),
@@ -3267,7 +3570,7 @@ defineTable({
3267
3570
  });
3268
3571
  defineTable({
3269
3572
  name: "tenantProxyTokenMints",
3270
- component: "identity",
3573
+ component: "control-plane",
3271
3574
  category: "platform",
3272
3575
  shape: z.object({
3273
3576
  "proxyTokenId": z.string(),
@@ -3290,7 +3593,7 @@ defineTable({
3290
3593
  });
3291
3594
  defineTable({
3292
3595
  name: "tenantSandboxAuditEvents",
3293
- component: "identity",
3596
+ component: "control-plane",
3294
3597
  category: "platform",
3295
3598
  shape: z.object({
3296
3599
  "eventId": z.string(),
@@ -3324,7 +3627,7 @@ defineTable({
3324
3627
  });
3325
3628
  defineTable({
3326
3629
  name: "tenantSecrets",
3327
- component: "identity",
3630
+ component: "control-plane",
3328
3631
  category: "platform",
3329
3632
  shape: z.object({
3330
3633
  "tenantId": z.string(),
@@ -3346,7 +3649,7 @@ defineTable({
3346
3649
  });
3347
3650
  defineTable({
3348
3651
  name: "toolAcls",
3349
- component: "identity",
3652
+ component: "control-plane",
3350
3653
  category: "platform",
3351
3654
  shape: z.object({
3352
3655
  "role": z.enum(["platform_admin", "tenant_admin", "workspace_admin", "editor", "viewer", "auditor", "service_agent"]),
@@ -3361,7 +3664,7 @@ defineTable({
3361
3664
  });
3362
3665
  defineTable({
3363
3666
  name: "toolRegistry",
3364
- component: "identity",
3667
+ component: "control-plane",
3365
3668
  category: "platform",
3366
3669
  shape: z.object({
3367
3670
  "toolName": z.string(),
@@ -3442,7 +3745,7 @@ defineTable({
3442
3745
  });
3443
3746
  defineTable({
3444
3747
  name: "modelCallLogs",
3445
- component: "identity",
3748
+ component: "control-plane",
3446
3749
  category: "model",
3447
3750
  shape: z.object({
3448
3751
  "slot": z.string(),
@@ -3468,7 +3771,7 @@ defineTable({
3468
3771
  });
3469
3772
  defineTable({
3470
3773
  name: "modelFunctionSlots",
3471
- component: "identity",
3774
+ component: "control-plane",
3472
3775
  category: "model",
3473
3776
  shape: z.object({
3474
3777
  "slot": z.string(),
@@ -3493,7 +3796,7 @@ defineTable({
3493
3796
  });
3494
3797
  defineTable({
3495
3798
  name: "modelRegistry",
3496
- component: "identity",
3799
+ component: "control-plane",
3497
3800
  category: "model",
3498
3801
  shape: z.object({
3499
3802
  "key": z.string(),
@@ -3520,7 +3823,7 @@ defineTable({
3520
3823
  });
3521
3824
  defineTable({
3522
3825
  name: "modelSlotConfigs",
3523
- component: "identity",
3826
+ component: "control-plane",
3524
3827
  category: "model",
3525
3828
  shape: z.object({
3526
3829
  "slot": z.string(),
@@ -3907,7 +4210,7 @@ defineTable({
3907
4210
  "workspaceId": idOf("workspaces").optional(),
3908
4211
  "resourceType": z.string(),
3909
4212
  "resourceId": z.string(),
3910
- "action": z.enum(["read", "summarize", "export", "mutate", "admin", "comment", "escalate", "resolve", "vote"]),
4213
+ "action": z.enum(["read", "summarize", "export", "mutate", "admin", "comment", "escalate", "resolve", "vote", "route", "invoke", "manage", "deploy", "promote", "rollback", "audit", "read_ref", "fetch_value", "rotate", "administer", "mint", "delegate", "revoke"]),
3911
4214
  "decision": z.enum(["allow", "deny"]),
3912
4215
  "reasonCode": z.string(),
3913
4216
  "policyVersion": z.string(),
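Review bot: The widened `action` enum now lists `admin`, `manage` and `administer` side by side, and nothing in the hunk says how they differ, so a policy or audit query written against one can silently miss records filed under another. A one-line comment above the field would settle it, for example `// admin = <definition>; manage = <definition>; administer = <definition>`, filled in from the contract source. The `permitPolicyDecisionReceipts` table added later in this diff declares `action: z.string()`, so the two decision records validate actions differently; sharing one enum constant would keep them aligned. The enclosing `defineTable` call starts and ends outside this hunk.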
@@ -3969,7 +4272,7 @@ defineTable({
3969
4272
  });
3970
4273
  defineTable({
3971
4274
  name: "projectGrants",
3972
- component: "identity",
4275
+ component: "control-plane",
3973
4276
  category: "project",
3974
4277
  shape: z.object({
3975
4278
  "projectId": z.string().optional(),
@@ -4001,91 +4304,735 @@ defineTable({
4001
4304
  { kind: "index", name: "by_topic_cluster_status", columns: ["topicId", "beliefClusterId", "status"] }
4002
4305
  ]
4003
4306
  });
4307
+ var permitActorType = z.enum([
4308
+ "human",
4309
+ "agent",
4310
+ "service_principal",
4311
+ "external_stakeholder",
4312
+ "system"
4313
+ ]);
4314
+ var permitMembershipStatus = z.enum([
4315
+ "active",
4316
+ "invited",
4317
+ "revoked",
4318
+ "suspended",
4319
+ "disabled"
4320
+ ]);
4321
+ var permitDecision = z.enum(["allow", "deny"]);
4322
+ var permitAccessReviewStatus = z.enum([
4323
+ "open",
4324
+ "in_progress",
4325
+ "approved",
4326
+ "denied",
4327
+ "expired",
4328
+ "cancelled"
4329
+ ]);
4330
+ var permitReviewScope = z.enum([
4331
+ "tenant",
4332
+ "workspace",
4333
+ "resource_instance",
4334
+ "group",
4335
+ "principal",
4336
+ "api_key",
4337
+ "admin_action"
4338
+ ]);
4339
+ var permitRecordStatus = z.enum([
4340
+ "queued",
4341
+ "inflight",
4342
+ "completed",
4343
+ "failed",
4344
+ "skipped",
4345
+ "stale"
4346
+ ]);
4347
+ var permitObjectType = z.enum([
4348
+ "resource",
4349
+ "role",
4350
+ "resource_role",
4351
+ "resource_relation",
4352
+ "tenant",
4353
+ "workspace",
4354
+ "principal",
4355
+ "membership",
4356
+ "group",
4357
+ "resource_instance",
4358
+ "relationship_tuple",
4359
+ "role_assignment",
4360
+ "attribute_binding",
4361
+ "policy_bundle"
4362
+ ]);
4363
+ var permitOutboxOperation = z.enum([
4364
+ "upsert",
4365
+ "delete",
4366
+ "sync",
4367
+ "resync",
4368
+ "delete_sync",
4369
+ "noop"
4370
+ ]);
4371
+ var permitPolicyBundleStatus = z.enum([
4372
+ "draft",
4373
+ "validated",
4374
+ "enforced",
4375
+ "archived"
4376
+ ]);
4377
+ var permitSyncStatus = z.enum([
4378
+ "pending",
4379
+ "synced",
4380
+ "error",
4381
+ "skipped"
4382
+ ]);
4383
+ var permitAccessReviewSubjectType = z.enum([
4384
+ "principal",
4385
+ "group",
4386
+ "role_assignment",
4387
+ "resource_instance"
4388
+ ]);
4389
+ var permitAttributeType = z.enum([
4390
+ "string",
4391
+ "number",
4392
+ "bool",
4393
+ "json",
4394
+ "time"
4395
+ ]);
4396
+ var permitAttributeOperator = z.enum([
4397
+ "eq",
4398
+ "neq",
4399
+ "in",
4400
+ "not_in",
4401
+ "gt",
4402
+ "gte",
4403
+ "lt",
4404
+ "lte",
4405
+ "contains",
4406
+ "not_contains",
4407
+ "matches"
4408
+ ]);
4409
+ var permitRoleBindingTarget = z.enum([
4410
+ "principal",
4411
+ "group"
4412
+ ]);
4004
4413
  defineTable({
4005
- name: "reasoningPermissions",
4006
- component: "identity",
4007
- category: "epistemic",
4414
+ name: "permitPrincipals",
4415
+ component: "control-plane",
4416
+ category: "access-control",
4008
4417
  shape: z.object({
4009
- "topicId": z.string().optional(),
4010
- "principalId": z.string(),
4011
- "nodeType": z.enum(["belief", "evidence", "action", "approval", "artifact"]),
4012
- "action": z.enum(["view_conclusion", "view_evidence", "propose_action", "approve_action", "view_derived_artifact"]),
4013
- "effect": z.enum(["allow", "deny"]),
4014
- "policyReference": z.string().optional(),
4015
- "rationale": z.string().optional(),
4016
- "metadata": z.record(z.any()).optional(),
4017
- "createdAt": z.number(),
4018
- "createdBy": z.string(),
4019
- "updatedAt": z.number()
4418
+ principalId: z.string(),
4419
+ tenantId: z.string(),
4420
+ workspaceId: z.optional(z.string()),
4421
+ principalType: permitActorType,
4422
+ status: permitMembershipStatus,
4423
+ displayName: z.string().optional(),
4424
+ metadata: z.record(z.any()).optional(),
4425
+ createdBy: z.string(),
4426
+ createdAt: z.number(),
4427
+ updatedAt: z.number(),
4428
+ updatedBy: z.string().optional(),
4429
+ lastSeenAt: z.number().optional()
4020
4430
  }),
4021
4431
  indices: [
4022
- { kind: "index", name: "by_topic_principal", columns: ["topicId", "principalId"] },
4023
- { kind: "index", name: "by_topic_principal_action", columns: ["topicId", "principalId", "action"] },
4024
- { kind: "index", name: "by_topic_principal_node_action", columns: ["topicId", "principalId", "nodeType", "action"] },
4025
- { kind: "index", name: "by_principal_action", columns: ["principalId", "action"] }
4432
+ { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
4433
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
4434
+ { kind: "index", name: "by_tenant_principalId", columns: ["tenantId", "principalId"] },
4435
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] },
4436
+ {
4437
+ kind: "index",
4438
+ name: "by_tenant_principalType_status",
4439
+ columns: ["tenantId", "principalType", "status"]
4440
+ }
4026
4441
  ]
4027
4442
  });
4028
4443
  defineTable({
4029
- name: "schemaEnumConfig",
4030
- component: "kernel",
4031
- category: "config",
4444
+ name: "permitPrincipalAliases",
4445
+ component: "control-plane",
4446
+ category: "access-control",
4032
4447
  shape: z.object({
4033
- "tenantId": z.string().optional(),
4034
- "category": z.string(),
4035
- "value": z.string(),
4036
- "label": z.string(),
4037
- "description": z.string().optional(),
4038
- "tier": z.enum(["platform", "tenant"]),
4039
- "domainNamespace": z.string().optional(),
4040
- "metadata": z.any().optional(),
4041
- "isDefault": z.boolean().optional(),
4042
- "sortOrder": z.number().optional(),
4043
- "status": z.enum(["active", "deprecated"]),
4044
- "createdAt": z.number(),
4045
- "updatedAt": z.number()
4448
+ principalId: z.string(),
4449
+ tenantId: z.string(),
4450
+ workspaceId: z.optional(z.string()),
4451
+ provider: z.string(),
4452
+ providerSubjectId: z.string(),
4453
+ providerProjectId: z.string().optional(),
4454
+ alias: z.string(),
4455
+ aliasKind: z.string(),
4456
+ status: permitMembershipStatus,
4457
+ metadata: z.record(z.any()).optional(),
4458
+ createdBy: z.string(),
4459
+ createdAt: z.number(),
4460
+ updatedAt: z.number(),
4461
+ revokedBy: z.string().optional(),
4462
+ revokedAt: z.number().optional(),
4463
+ updatedBy: z.string().optional()
4046
4464
  }),
4047
4465
  indices: [
4048
- { kind: "index", name: "by_category", columns: ["category"] },
4049
- { kind: "index", name: "by_tenant_category", columns: ["tenantId", "category"] },
4050
- { kind: "index", name: "by_category_value", columns: ["category", "value"] }
4466
+ { kind: "index", name: "by_principalId", columns: ["principalId"] },
4467
+ { kind: "index", name: "by_provider_subject", columns: ["provider", "providerSubjectId"] },
4468
+ { kind: "index", name: "by_provider_project_subject", columns: ["provider", "providerProjectId", "providerSubjectId"] },
4469
+ { kind: "index", name: "by_tenant_provider_subject", columns: ["tenantId", "provider", "providerSubjectId"] },
4470
+ { kind: "index", name: "by_tenant_provider_project_subject", columns: ["tenantId", "provider", "providerProjectId", "providerSubjectId"] },
4471
+ {
4472
+ kind: "index",
4473
+ name: "by_tenant_provider_alias",
4474
+ columns: ["tenantId", "provider", "alias"]
4475
+ },
4476
+ { kind: "index", name: "by_tenant_alias", columns: ["tenantId", "alias"] },
4477
+ {
4478
+ kind: "index",
4479
+ name: "by_tenant_provider_status",
4480
+ columns: ["tenantId", "provider", "status"]
4481
+ }
4051
4482
  ]
4052
4483
  });
4053
4484
  defineTable({
4054
- name: "tasks",
4055
- component: "kernel",
4056
- category: "task",
4485
+ name: "permitGroups",
4486
+ component: "control-plane",
4487
+ category: "access-control",
4057
4488
  shape: z.object({
4058
- "topicId": z.string().optional(),
4059
- "tenantId": z.string().optional(),
4060
- "workspaceId": z.string().optional(),
4061
- "title": z.string(),
4062
- "description": z.string().optional(),
4063
- "status": z.enum(["todo", "in_progress", "blocked", "done"]),
4064
- "priority": z.enum(["urgent", "high", "medium", "low"]),
4065
- "dueDate": z.number().optional(),
4066
- "linkedWorktreeId": idOf("worktrees").optional(),
4067
- "linkedBeliefId": z.string().optional(),
4068
- "linkedQuestionId": z.string().optional(),
4069
- "taskType": z.enum(["general", "find_evidence", "verify_claim", "research", "review", "interview", "analysis", "track_metrics"]).optional(),
4070
- "assigneeId": z.string().optional(),
4071
- "blockedReason": z.string().optional(),
4072
- "blockedBy": z.array(idOf("tasks")).optional(),
4073
- "blocks": z.array(idOf("tasks")).optional(),
4074
- "sortOrder": z.number().optional(),
4075
- "executionOrder": z.number().optional(),
4076
- "subtasks": z.array(z.object({
4077
- "id": z.string(),
4078
- "title": z.string(),
4079
- "completed": z.boolean(),
4080
- "completedAt": z.number().optional()
4081
- })).optional(),
4082
- "comments": z.array(z.object({
4083
- "id": z.string(),
4084
- "userId": z.string(),
4085
- "content": z.string(),
4086
- "createdAt": z.number()
4087
- })).optional(),
4088
- "attachments": z.array(z.object({
4489
+ tenantId: z.string(),
4490
+ workspaceId: z.optional(z.string()),
4491
+ groupId: z.string(),
4492
+ groupKey: z.string(),
4493
+ groupName: z.string(),
4494
+ groupType: z.enum(["tenant", "workspace", "external", "system", "dynamic"]),
4495
+ status: permitMembershipStatus,
4496
+ description: z.string().optional(),
4497
+ metadata: z.record(z.any()).optional(),
4498
+ createdBy: z.string(),
4499
+ createdAt: z.number(),
4500
+ updatedAt: z.number(),
4501
+ updatedBy: z.string().optional()
4502
+ }),
4503
+ indices: [
4504
+ { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
4505
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
4506
+ { kind: "index", name: "by_tenant_groupId", columns: ["tenantId", "groupId"] },
4507
+ { kind: "index", name: "by_tenant_groupKey", columns: ["tenantId", "groupKey"] },
4508
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] }
4509
+ ]
4510
+ });
4511
+ defineTable({
4512
+ name: "permitGroupMemberships",
4513
+ component: "control-plane",
4514
+ category: "access-control",
4515
+ shape: z.object({
4516
+ tenantId: z.string(),
4517
+ workspaceId: z.optional(z.string()),
4518
+ groupId: z.string(),
4519
+ memberType: z.enum(["principal", "group"]),
4520
+ memberId: z.string(),
4521
+ principalId: z.string().optional(),
4522
+ childGroupId: z.string().optional(),
4523
+ status: permitMembershipStatus,
4524
+ addedBy: z.string().optional(),
4525
+ revokedBy: z.string().optional(),
4526
+ expiresAt: z.number().optional(),
4527
+ revocationReason: z.string().optional(),
4528
+ metadata: z.record(z.any()).optional(),
4529
+ createdAt: z.number(),
4530
+ updatedAt: z.number(),
4531
+ updatedBy: z.string().optional()
4532
+ }),
4533
+ indices: [
4534
+ { kind: "index", name: "by_tenant_principal", columns: ["tenantId", "principalId"] },
4535
+ { kind: "index", name: "by_tenant_member", columns: ["tenantId", "memberType", "memberId"] },
4536
+ {
4537
+ kind: "index",
4538
+ name: "by_tenant_member_group",
4539
+ columns: ["tenantId", "memberType", "memberId", "groupId"]
4540
+ },
4541
+ { kind: "index", name: "by_tenant_group", columns: ["tenantId", "groupId"] },
4542
+ { kind: "index", name: "by_member_group", columns: ["memberType", "memberId", "groupId"] },
4543
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] },
4544
+ {
4545
+ kind: "index",
4546
+ name: "by_workspace_principal",
4547
+ columns: ["workspaceId", "principalId"]
4548
+ }
4549
+ ]
4550
+ });
4551
+ defineTable({
4552
+ name: "permitResourceInstances",
4553
+ component: "control-plane",
4554
+ category: "access-control",
4555
+ shape: z.object({
4556
+ tenantId: z.string(),
4557
+ workspaceId: z.optional(z.string()),
4558
+ resourceType: z.string(),
4559
+ resourceKey: z.string(),
4560
+ resourceId: z.string(),
4561
+ status: z.enum(["active", "deleted", "archived"]),
4562
+ attributes: z.record(z.any()).optional(),
4563
+ ownerPrincipalId: z.string().optional(),
4564
+ metadata: z.record(z.any()).optional(),
4565
+ createdBy: z.string(),
4566
+ updatedBy: z.string().optional(),
4567
+ createdAt: z.number(),
4568
+ updatedAt: z.number()
4569
+ }),
4570
+ indices: [
4571
+ {
4572
+ kind: "index",
4573
+ name: "by_tenant_resource_type",
4574
+ columns: ["tenantId", "resourceType"]
4575
+ },
4576
+ {
4577
+ kind: "index",
4578
+ name: "by_tenant_resource_key",
4579
+ columns: ["tenantId", "resourceType", "resourceKey"]
4580
+ },
4581
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
4582
+ { kind: "index", name: "by_status", columns: ["status"] },
4583
+ {
4584
+ kind: "index",
4585
+ name: "by_tenant_status",
4586
+ columns: ["tenantId", "status"]
4587
+ },
4588
+ {
4589
+ kind: "index",
4590
+ name: "by_ownerPrincipalId",
4591
+ columns: ["ownerPrincipalId"]
4592
+ }
4593
+ ]
4594
+ });
4595
+ defineTable({
4596
+ name: "permitRoleAssignments",
4597
+ component: "control-plane",
4598
+ category: "access-control",
4599
+ shape: z.object({
4600
+ tenantId: z.string(),
4601
+ workspaceId: z.optional(z.string()),
4602
+ role: z.string(),
4603
+ targetType: permitRoleBindingTarget,
4604
+ targetId: z.string(),
4605
+ resourceType: z.string(),
4606
+ resourceKey: z.string(),
4607
+ resourceInstanceId: z.string().optional(),
4608
+ status: permitMembershipStatus,
4609
+ expiresAt: z.number().optional(),
4610
+ attributes: z.record(z.any()).optional(),
4611
+ grantedBy: z.string().optional(),
4612
+ updatedBy: z.string().optional(),
4613
+ revokedBy: z.string().optional(),
4614
+ createdAt: z.number(),
4615
+ updatedAt: z.number()
4616
+ }),
4617
+ indices: [
4618
+ {
4619
+ kind: "index",
4620
+ name: "by_tenant_target",
4621
+ columns: ["tenantId", "targetType", "targetId"]
4622
+ },
4623
+ {
4624
+ kind: "index",
4625
+ name: "by_tenant_resource",
4626
+ columns: ["tenantId", "resourceType", "resourceKey"]
4627
+ },
4628
+ {
4629
+ kind: "index",
4630
+ name: "by_tenant_role",
4631
+ columns: ["tenantId", "role", "status"]
4632
+ },
4633
+ { kind: "index", name: "by_status", columns: ["status"] },
4634
+ {
4635
+ kind: "index",
4636
+ name: "by_workspace_resource",
4637
+ columns: ["workspaceId", "resourceType", "resourceKey"]
4638
+ }
4639
+ ]
4640
+ });
4641
+ defineTable({
4642
+ name: "permitRelationshipTuples",
4643
+ component: "control-plane",
4644
+ category: "access-control",
4645
+ shape: z.object({
4646
+ tenantId: z.string(),
4647
+ workspaceId: z.optional(z.string()),
4648
+ relation: z.string(),
4649
+ subject: z.string(),
4650
+ object: z.string(),
4651
+ resourceType: z.string().optional(),
4652
+ resourceKey: z.string().optional(),
4653
+ status: permitRecordStatus,
4654
+ attributes: z.record(z.any()).optional(),
4655
+ createdBy: z.string(),
4656
+ createdAt: z.number(),
4657
+ updatedAt: z.number(),
4658
+ lastSeenAt: z.number().optional(),
4659
+ updatedBy: z.string().optional()
4660
+ }),
4661
+ indices: [
4662
+ { kind: "index", name: "by_tenant_subject", columns: ["tenantId", "subject"] },
4663
+ { kind: "index", name: "by_tenant_object", columns: ["tenantId", "object"] },
4664
+ { kind: "index", name: "by_tenant_relation", columns: ["tenantId", "relation"] },
4665
+ {
4666
+ kind: "index",
4667
+ name: "by_tenant_relation_subject",
4668
+ columns: ["tenantId", "relation", "subject"]
4669
+ },
4670
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] }
4671
+ ]
4672
+ });
4673
+ defineTable({
4674
+ name: "permitAttributeBindings",
4675
+ component: "control-plane",
4676
+ category: "access-control",
4677
+ shape: z.object({
4678
+ tenantId: z.string(),
4679
+ workspaceId: z.optional(z.string()),
4680
+ targetType: permitRoleBindingTarget,
4681
+ targetId: z.string(),
4682
+ attributeName: z.string(),
4683
+ attributeType: permitAttributeType,
4684
+ attributeOperator: permitAttributeOperator,
4685
+ attributeValue: z.any(),
4686
+ status: permitRecordStatus,
4687
+ source: z.string().optional(),
4688
+ sourceRef: z.string().optional(),
4689
+ metadata: z.record(z.any()).optional(),
4690
+ createdAt: z.number(),
4691
+ updatedAt: z.number(),
4692
+ createdBy: z.string(),
4693
+ updatedBy: z.string().optional(),
4694
+ expiresAt: z.number().optional()
4695
+ }),
4696
+ indices: [
4697
+ {
4698
+ kind: "index",
4699
+ name: "by_tenant_target",
4700
+ columns: ["tenantId", "targetType", "targetId"]
4701
+ },
4702
+ {
4703
+ kind: "index",
4704
+ name: "by_tenant_target_attribute",
4705
+ columns: ["tenantId", "targetType", "targetId", "attributeName"]
4706
+ },
4707
+ {
4708
+ kind: "index",
4709
+ name: "by_tenant_name",
4710
+ columns: ["tenantId", "attributeName"]
4711
+ },
4712
+ {
4713
+ kind: "index",
4714
+ name: "by_tenant_status",
4715
+ columns: ["tenantId", "status"]
4716
+ }
4717
+ ]
4718
+ });
4719
+ defineTable({
4720
+ name: "permitPolicyBundles",
4721
+ component: "control-plane",
4722
+ category: "access-control",
4723
+ shape: z.object({
4724
+ tenantId: z.string(),
4725
+ workspaceId: z.optional(z.string()),
4726
+ bundleKey: z.string(),
4727
+ version: z.number(),
4728
+ status: permitPolicyBundleStatus,
4729
+ policyHash: z.string().optional(),
4730
+ policyPayload: z.record(z.any()),
4731
+ metadata: z.record(z.any()).optional(),
4732
+ createdBy: z.string(),
4733
+ reviewedBy: z.string().optional(),
4734
+ createdAt: z.number(),
4735
+ updatedAt: z.number(),
4736
+ retiredAt: z.number().optional()
4737
+ }),
4738
+ indices: [
4739
+ { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
4740
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
4741
+ {
4742
+ kind: "index",
4743
+ name: "by_tenant_bundleKey",
4744
+ columns: ["tenantId", "bundleKey"]
4745
+ },
4746
+ {
4747
+ kind: "index",
4748
+ name: "by_tenant_bundle_version",
4749
+ columns: ["tenantId", "bundleKey", "version"]
4750
+ },
4751
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] }
4752
+ ]
4753
+ });
4754
+ defineTable({
4755
+ name: "permitProjectionOutbox",
4756
+ component: "control-plane",
4757
+ category: "access-control",
4758
+ shape: z.object({
4759
+ syncKey: z.string(),
4760
+ objectType: permitObjectType,
4761
+ objectId: z.string(),
4762
+ operation: permitOutboxOperation,
4763
+ payload: z.record(z.any()),
4764
+ status: permitRecordStatus,
4765
+ attemptCount: z.number(),
4766
+ nextAttemptAt: z.number().optional(),
4767
+ lastError: z.string().optional(),
4768
+ tenantId: z.string().optional(),
4769
+ workspaceId: z.optional(z.string()),
4770
+ principalId: z.string().optional(),
4771
+ permitTenantKey: z.string().optional(),
4772
+ permitResourceType: z.string().optional(),
4773
+ permitResourceKey: z.string().optional(),
4774
+ createdAt: z.number(),
4775
+ updatedAt: z.number(),
4776
+ lastHandledAt: z.number().optional()
4777
+ }),
4778
+ indices: [
4779
+ { kind: "index", name: "by_syncKey", columns: ["syncKey"] },
4780
+ { kind: "index", name: "by_status", columns: ["status"] },
4781
+ { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
4782
+ {
4783
+ kind: "index",
4784
+ name: "by_tenant_status",
4785
+ columns: ["tenantId", "status"]
4786
+ },
4787
+ {
4788
+ kind: "index",
4789
+ name: "by_objectType",
4790
+ columns: ["objectType", "status"]
4791
+ }
4792
+ ]
4793
+ });
4794
+ defineTable({
4795
+ name: "tenantPermitSyncStates",
4796
+ component: "control-plane",
4797
+ category: "access-control",
4798
+ shape: z.object({
4799
+ syncKey: z.string(),
4800
+ objectType: permitObjectType,
4801
+ objectId: z.string(),
4802
+ tenantId: z.string().optional(),
4803
+ workspaceId: z.string().optional(),
4804
+ principalId: z.string().optional(),
4805
+ permitTenantKey: z.string().optional(),
4806
+ permitResourceType: z.string().optional(),
4807
+ permitResourceKey: z.string().optional(),
4808
+ desiredPayload: z.record(z.any()),
4809
+ lastAppliedPayloadHash: z.string().optional(),
4810
+ status: permitSyncStatus,
4811
+ attemptCount: z.number(),
4812
+ lastError: z.string().optional(),
4813
+ nextAttemptAt: z.number().optional(),
4814
+ lastSyncedAt: z.number().optional(),
4815
+ createdBy: z.string(),
4816
+ updatedBy: z.string().optional(),
4817
+ createdAt: z.number(),
4818
+ updatedAt: z.number()
4819
+ }),
4820
+ indices: [
4821
+ { kind: "index", name: "by_syncKey", columns: ["syncKey"] },
4822
+ { kind: "index", name: "by_status", columns: ["status"] },
4823
+ {
4824
+ kind: "index",
4825
+ name: "by_tenant_status",
4826
+ columns: ["tenantId", "status"]
4827
+ },
4828
+ {
4829
+ kind: "index",
4830
+ name: "by_workspace_status",
4831
+ columns: ["workspaceId", "status"]
4832
+ },
4833
+ {
4834
+ kind: "index",
4835
+ name: "by_principal_status",
4836
+ columns: ["principalId", "status"]
4837
+ }
4838
+ ]
4839
+ });
4840
+ defineTable({
4841
+ name: "permitPolicyDecisionReceipts",
4842
+ component: "control-plane",
4843
+ category: "access-control",
4844
+ shape: z.object({
4845
+ tenantId: z.string().optional(),
4846
+ workspaceId: z.string().optional(),
4847
+ principalId: z.string(),
4848
+ subjectType: permitAccessReviewSubjectType.optional(),
4849
+ subjectId: z.string().optional(),
4850
+ resourceType: z.string(),
4851
+ resourceId: z.string(),
4852
+ action: z.string(),
4853
+ decision: permitDecision,
4854
+ reasonCode: z.string(),
4855
+ policyBundleId: z.string().optional(),
4856
+ policyVersion: z.string(),
4857
+ traceId: z.string().optional(),
4858
+ requestId: z.string().optional(),
4859
+ audienceMode: z.string().optional(),
4860
+ audienceKey: z.string().optional(),
4861
+ audienceClass: z.enum(["internal", "restricted_external", "public"]).optional(),
4862
+ metadata: z.record(z.any()).optional(),
4863
+ createdAt: z.number(),
4864
+ expiresAt: z.number().optional(),
4865
+ createdBy: z.string().optional()
4866
+ }),
4867
+ indices: [
4868
+ { kind: "index", name: "by_principal_createdAt", columns: ["principalId", "createdAt"] },
4869
+ { kind: "index", name: "by_tenant_createdAt", columns: ["tenantId", "createdAt"] },
4870
+ { kind: "index", name: "by_resource", columns: ["resourceType", "resourceId"] },
4871
+ { kind: "index", name: "by_decision_createdAt", columns: ["decision", "createdAt"] },
4872
+ { kind: "index", name: "by_traceId", columns: ["traceId"] },
4873
+ { kind: "index", name: "by_action", columns: ["action"] }
4874
+ ]
4875
+ });
4876
+ defineTable({
4877
+ name: "permitAccessReviews",
4878
+ component: "control-plane",
4879
+ category: "access-control",
4880
+ shape: z.object({
4881
+ tenantId: z.string(),
4882
+ workspaceId: z.optional(z.string()),
4883
+ reviewKey: z.string(),
4884
+ scope: permitReviewScope,
4885
+ status: permitAccessReviewStatus,
4886
+ subjectType: permitAccessReviewSubjectType,
4887
+ subjectId: z.string(),
4888
+ resourceType: z.string().optional(),
4889
+ resourceKey: z.string().optional(),
4890
+ outcome: z.enum(["allow", "deny"]).optional(),
4891
+ requestedBy: z.string(),
4892
+ reviewedBy: z.string().optional(),
4893
+ requestedAt: z.number(),
4894
+ reviewedAt: z.number().optional(),
4895
+ dueAt: z.number().optional(),
4896
+ justification: z.string().optional(),
4897
+ rationale: z.string().optional(),
4898
+ policyBundleId: z.string().optional(),
4899
+ metadata: z.record(z.any()).optional(),
4900
+ createdAt: z.number(),
4901
+ updatedAt: z.number()
4902
+ }),
4903
+ indices: [
4904
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] },
4905
+ { kind: "index", name: "by_tenant_reviewKey", columns: ["tenantId", "reviewKey"] },
4906
+ { kind: "index", name: "by_subject", columns: ["subjectType", "subjectId"] },
4907
+ {
4908
+ kind: "index",
4909
+ name: "by_tenant_subject",
4910
+ columns: ["tenantId", "subjectType", "subjectId"]
4911
+ },
4912
+ { kind: "index", name: "by_outcome", columns: ["outcome"] },
4913
+ {
4914
+ kind: "index",
4915
+ name: "by_workspace_status",
4916
+ columns: ["workspaceId", "status"]
4917
+ }
4918
+ ]
4919
+ });
4920
+ defineTable({
4921
+ name: "permitAccessReviewItems",
4922
+ component: "control-plane",
4923
+ category: "access-control",
4924
+ shape: z.object({
4925
+ reviewKey: z.string(),
4926
+ itemKey: z.string(),
4927
+ tenantId: z.string(),
4928
+ workspaceId: z.string().optional(),
4929
+ subjectType: permitAccessReviewSubjectType,
4930
+ subjectId: z.string(),
4931
+ resourceType: z.string().optional(),
4932
+ resourceKey: z.string().optional(),
4933
+ role: z.string().optional(),
4934
+ relation: z.string().optional(),
4935
+ status: z.enum(["open", "approved", "revoked", "changed", "deferred"]),
4936
+ reviewerId: z.string().optional(),
4937
+ decisionAt: z.number().optional(),
4938
+ rationale: z.string().optional(),
4939
+ metadata: z.record(z.any()).optional(),
4940
+ createdAt: z.number(),
4941
+ updatedAt: z.number()
4942
+ }),
4943
+ indices: [
4944
+ { kind: "index", name: "by_reviewKey", columns: ["reviewKey"] },
4945
+ { kind: "index", name: "by_tenant_reviewKey", columns: ["tenantId", "reviewKey"] },
4946
+ { kind: "index", name: "by_tenant_itemKey", columns: ["tenantId", "itemKey"] },
4947
+ { kind: "index", name: "by_subject", columns: ["subjectType", "subjectId"] },
4948
+ { kind: "index", name: "by_status", columns: ["status"] }
4949
+ ]
4950
+ });
4951
+ defineTable({
4952
+ name: "reasoningPermissions",
4953
+ component: "control-plane",
4954
+ category: "epistemic",
4955
+ shape: z.object({
4956
+ "topicId": z.string().optional(),
4957
+ "principalId": z.string(),
4958
+ "nodeType": z.enum(["belief", "evidence", "action", "approval", "artifact"]),
4959
+ "action": z.enum(["view_conclusion", "view_evidence", "propose_action", "approve_action", "view_derived_artifact"]),
4960
+ "effect": z.enum(["allow", "deny"]),
4961
+ "policyReference": z.string().optional(),
4962
+ "rationale": z.string().optional(),
4963
+ "metadata": z.record(z.any()).optional(),
4964
+ "createdAt": z.number(),
4965
+ "createdBy": z.string(),
4966
+ "updatedAt": z.number()
4967
+ }),
4968
+ indices: [
4969
+ { kind: "index", name: "by_topic_principal", columns: ["topicId", "principalId"] },
4970
+ { kind: "index", name: "by_topic_principal_action", columns: ["topicId", "principalId", "action"] },
4971
+ { kind: "index", name: "by_topic_principal_node_action", columns: ["topicId", "principalId", "nodeType", "action"] },
4972
+ { kind: "index", name: "by_principal_action", columns: ["principalId", "action"] }
4973
+ ]
4974
+ });
4975
+ defineTable({
4976
+ name: "schemaEnumConfig",
4977
+ component: "kernel",
4978
+ category: "config",
4979
+ shape: z.object({
4980
+ "tenantId": z.string().optional(),
4981
+ "category": z.string(),
4982
+ "value": z.string(),
4983
+ "label": z.string(),
4984
+ "description": z.string().optional(),
4985
+ "tier": z.enum(["platform", "tenant"]),
4986
+ "domainNamespace": z.string().optional(),
4987
+ "metadata": z.any().optional(),
4988
+ "isDefault": z.boolean().optional(),
4989
+ "sortOrder": z.number().optional(),
4990
+ "status": z.enum(["active", "deprecated"]),
4991
+ "createdAt": z.number(),
4992
+ "updatedAt": z.number()
4993
+ }),
4994
+ indices: [
4995
+ { kind: "index", name: "by_category", columns: ["category"] },
4996
+ { kind: "index", name: "by_tenant_category", columns: ["tenantId", "category"] },
4997
+ { kind: "index", name: "by_category_value", columns: ["category", "value"] }
4998
+ ]
4999
+ });
5000
+ defineTable({
5001
+ name: "tasks",
5002
+ component: "kernel",
5003
+ category: "task",
5004
+ shape: z.object({
5005
+ "topicId": z.string().optional(),
5006
+ "tenantId": z.string().optional(),
5007
+ "workspaceId": z.string().optional(),
5008
+ "title": z.string(),
5009
+ "description": z.string().optional(),
5010
+ "status": z.enum(["todo", "in_progress", "blocked", "done"]),
5011
+ "priority": z.enum(["urgent", "high", "medium", "low"]),
5012
+ "dueDate": z.number().optional(),
5013
+ "linkedWorktreeId": idOf("worktrees").optional(),
5014
+ "linkedBeliefId": z.string().optional(),
5015
+ "linkedQuestionId": z.string().optional(),
5016
+ "taskType": z.enum(["general", "find_evidence", "verify_claim", "research", "review", "interview", "analysis", "track_metrics"]).optional(),
5017
+ "assigneeId": z.string().optional(),
5018
+ "blockedReason": z.string().optional(),
5019
+ "blockedBy": z.array(idOf("tasks")).optional(),
5020
+ "blocks": z.array(idOf("tasks")).optional(),
5021
+ "sortOrder": z.number().optional(),
5022
+ "executionOrder": z.number().optional(),
5023
+ "subtasks": z.array(z.object({
5024
+ "id": z.string(),
5025
+ "title": z.string(),
5026
+ "completed": z.boolean(),
5027
+ "completedAt": z.number().optional()
5028
+ })).optional(),
5029
+ "comments": z.array(z.object({
5030
+ "id": z.string(),
5031
+ "userId": z.string(),
5032
+ "content": z.string(),
5033
+ "createdAt": z.number()
5034
+ })).optional(),
5035
+ "attachments": z.array(z.object({
4089
5036
  "id": z.string(),
4090
5037
  "type": z.enum(["call_script", "email_template", "research_plan", "framework", "checklist", "note", "file", "transcript"]),
4091
5038
  "title": z.string(),
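Review bot: `permitRelationshipTuples.status` and `permitAttributeBindings.status` are typed as `permitRecordStatus` (`queued`, `inflight`, `completed`, `failed`, `skipped`, `stale`), which reads like a sync-job lifecycle, so neither table can mark a tuple or binding as revoked or suspended the way `permitRoleAssignments` and `permitGroupMemberships` do through `permitMembershipStatus`. If that is not intended, use `status: permitMembershipStatus,` in both shapes, or add a comment stating which `permitRecordStatus` values an authorization check may treat as live. Several new indices are also not tenant-prefixed (`by_provider_subject` and `by_principalId` on `permitPrincipalAliases`, `by_member_group` on `permitGroupMemberships`, `by_ownerPrincipalId` on `permitResourceInstances`, `by_resource` on `permitPolicyDecisionReceipts`), so a lookup through them spans tenants unless the caller filters on `tenantId`; the query code is not on this page, so that needs confirming. Both tables are defined fully inside this hunk, while the hunk itself opens inside the preceding table's `indices` and ends inside the `tasks` shape.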
@@ -4238,6 +5185,7 @@ defineTable({
4238
5185
  "updatedAt": z.number()
4239
5186
  }),
4240
5187
  indices: [
5188
+ { kind: "index", name: "by_globalId", columns: ["globalId"] },
4241
5189
  { kind: "index", name: "by_parent", columns: ["parentTopicId"] },
4242
5190
  { kind: "index", name: "by_type", columns: ["type"] },
4243
5191
  { kind: "index", name: "by_graph_scope_project", columns: ["graphScopeProjectId"] },
@@ -4249,7 +5197,7 @@ defineTable({
4249
5197
  });
4250
5198
  defineTable({
4251
5199
  name: "users",
4252
- component: "identity",
5200
+ component: "control-plane",
4253
5201
  category: "user",
4254
5202
  shape: z.object({
4255
5203
  "clerkId": z.string(),
@@ -4363,7 +5311,6 @@ defineTable({
4363
5311
  "deployments": z.record(z.object({
4364
5312
  "url": z.string(),
4365
5313
  "target": z.enum(["kernelDeployment", "appDeployment"]).optional(),
4366
- "encryptedDeployKey": z.string().optional(),
4367
5314
  "credentialRef": z.string().optional()
4368
5315
  })).optional(),
4369
5316
  "metadata": z.record(z.any()).optional(),
@@ -4378,6 +5325,39 @@ defineTable({
4378
5325
  { kind: "index", name: "by_status", columns: ["status"] }
4379
5326
  ]
4380
5327
  });
5328
+ defineTable({
5329
+ name: "deploymentHosts",
5330
+ component: "mc",
5331
+ category: "workspace",
5332
+ shape: z.object({
5333
+ "host": z.string(),
5334
+ "tenantId": idOf("tenants"),
5335
+ "workspaceId": idOf("workspaces"),
5336
+ "environment": z.enum(["dev", "staging", "prod"]),
5337
+ "target": z.enum(["kernelDeployment", "appDeployment"]),
5338
+ "deploymentUrl": z.string().optional(),
5339
+ "deploymentName": z.string().optional(),
5340
+ "vercelProjectName": z.string().optional(),
5341
+ "vercelProjectId": z.string().optional(),
5342
+ "vercelEnvironment": z.enum(["development", "preview", "staging", "production"]).optional(),
5343
+ "source": z.enum(["vercel_preview", "vercel_production", "vercel_custom_environment", "custom_domain", "manual"]),
5344
+ "status": z.enum(["active", "revoked"]),
5345
+ "metadata": z.record(z.any()).optional(),
5346
+ "createdBy": z.string(),
5347
+ "createdAt": z.number(),
5348
+ "updatedAt": z.number(),
5349
+ "revokedAt": z.number().optional(),
5350
+ "revokedBy": z.string().optional()
5351
+ }),
5352
+ indices: [
5353
+ { kind: "index", name: "by_host", columns: ["host"] },
5354
+ { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
5355
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
5356
+ { kind: "index", name: "by_tenant_workspace_environment", columns: ["tenantId", "workspaceId", "environment"] },
5357
+ { kind: "index", name: "by_workspace_status", columns: ["workspaceId", "status"] },
5358
+ { kind: "index", name: "by_status", columns: ["status"] }
5359
+ ]
5360
+ });
4381
5361
  defineTable({
4382
5362
  name: "worktreeBeliefCluster",
4383
5363
  component: "kernel",
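Review bot: In the new `deploymentHosts` table, `"host"` is a bare `z.string()`, although the `by_host` index and the tenant/workspace/environment fields suggest rows are looked up by hostname to decide which tenant and environment a request maps to (inferred; the lookup code is not in this hunk). With no canonical form, variants such as `App.example.test`, `app.example.test.` and `app.example.test:443` (constructed examples) become distinct keys, and the index alone does not stop two `active` rows from claiming the same host for different tenants. I would state the contract on the field, e.g. `// host: lowercase hostname, no port, no trailing dot; at most one active row per host`, reject the empty string with `"host": z.string().min(1),`, and have the writer enforce uniqueness. Separately, `"metadata": z.record(z.any()).optional()` passes unchecked values to readers; if the table helper accepts it, `z.record(z.unknown())` would force them to narrow before use. The `worktreeBeliefCluster` table that begins at the end of this hunk continues outside it.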
@@ -4685,8 +5665,8 @@ defineTable({
4685
5665
  });
4686
5666
  z.object({
4687
5667
  manifestVersion: z.string(),
4688
- componentName: z.enum(["kernel", "identity"]),
4689
- tier: z.enum(["K", "I"]),
5668
+ componentName: z.enum(["kernel", "control-plane"]),
5669
+ tier: z.enum(["K", "CP"]),
4690
5670
  packageVersion: z.string(),
4691
5671
  tables: z.array(
4692
5672
  z.object({
@@ -4853,88 +5833,957 @@ var TENANT_CLIENT_INSTALLABLE_PACKAGES = [
4853
5833
  },
4854
5834
  {
4855
5835
  packageName: "@lucern/control-plane",
5836
+ role: "component_runtime",
5837
+ directTenantImport: false
5838
+ },
5839
+ {
5840
+ packageName: "@lucern/developer-kit",
5841
+ role: "developer_tool",
5842
+ directTenantImport: false
5843
+ },
5844
+ {
5845
+ packageName: "@lucern/events",
5846
+ role: "sdk_dependency",
5847
+ directTenantImport: false
5848
+ },
5849
+ {
5850
+ packageName: "@lucern/graph-primitives",
5851
+ role: "sdk_dependency",
5852
+ directTenantImport: false
5853
+ },
5854
+ {
5855
+ packageName: "@lucern/graph-sync",
5856
+ role: "host_addon_runtime",
5857
+ directTenantImport: true
5858
+ },
5859
+ {
5860
+ packageName: "@lucern/mcp",
5861
+ role: "runtime_entrypoint",
5862
+ directTenantImport: true
5863
+ },
5864
+ {
5865
+ packageName: "@lucern/pack-host",
5866
+ role: "platform_runtime",
5867
+ directTenantImport: false
5868
+ },
5869
+ {
5870
+ packageName: "@lucern/pack-installer",
5871
+ role: "developer_tool",
5872
+ directTenantImport: false
5873
+ },
5874
+ {
5875
+ packageName: "@lucern/proof-compiler",
5876
+ role: "developer_tool",
5877
+ directTenantImport: false
5878
+ },
5879
+ {
5880
+ packageName: "@lucern/react",
5881
+ role: "runtime_entrypoint",
5882
+ directTenantImport: true
5883
+ },
5884
+ {
5885
+ packageName: "@lucern/reasoning-kernel",
5886
+ role: "component_runtime",
5887
+ directTenantImport: false
5888
+ },
5889
+ {
5890
+ packageName: "@lucern/sdk",
5891
+ role: "runtime_entrypoint",
5892
+ directTenantImport: true
5893
+ },
5894
+ {
5895
+ packageName: "@lucern/secrets",
5896
+ role: "sdk_dependency",
5897
+ directTenantImport: false
5898
+ },
5899
+ {
5900
+ packageName: "@lucern/server-core",
4856
5901
  role: "platform_runtime",
4857
5902
  directTenantImport: false
4858
5903
  },
4859
5904
  {
4860
- packageName: "@lucern/developer-kit",
4861
- role: "developer_tool",
4862
- directTenantImport: false
5905
+ packageName: "@lucern/testing",
5906
+ role: "test_support",
5907
+ directTenantImport: false
5908
+ },
5909
+ {
5910
+ packageName: "@lucern/types",
5911
+ role: "contract_entrypoint",
5912
+ directTenantImport: true
5913
+ }
5914
+ ];
5915
+ TENANT_CLIENT_INSTALLABLE_PACKAGES.map(
5916
+ (entry) => entry.packageName
5917
+ );
5918
+
5919
+ // ../contracts/src/infisical-runtime.contract.ts
5920
+ var INFISICAL_TENANT_SOFTWARE_SYSTEMS = [
5921
+ {
5922
+ id: "stack-frontend",
5923
+ tenantKey: "stack",
5924
+ workspaceKey: "frontend",
5925
+ vercelProjectName: "ai-chatbot-diao",
5926
+ vercelTeamId: "team_mZBKwvXSSu7qxrWdg2go29sK",
5927
+ vercelProjectId: "prj_PihFw8kohSSw14nZs9YQV3xVo517",
5928
+ vercelWriterTokenEnv: "STACK_VERCEL_TOKEN",
5929
+ repository: {
5930
+ owner: "stack-vc",
5931
+ name: "front-end"
5932
+ },
5933
+ sharedSourcePath: "/tenants/stack",
5934
+ sharedVariablePolicy: "tenant_shared_all_systems",
5935
+ convex: {
5936
+ urlEnv: "CONVEX_FRONTEND_URL",
5937
+ deployKeyEnv: "CONVEX_FRONTEND_DEPLOY_KEY",
5938
+ preprodDeployment: "rugged-lobster-664",
5939
+ prodDeployment: "wonderful-toucan-0"
5940
+ }
5941
+ },
5942
+ {
5943
+ id: "stackos",
5944
+ tenantKey: "stack",
5945
+ workspaceKey: "stackos",
5946
+ vercelProjectName: "stackos",
5947
+ vercelTeamId: "team_mZBKwvXSSu7qxrWdg2go29sK",
5948
+ vercelProjectId: "prj_rXLAL0Z6v9p1fasKbomby6GI7kau",
5949
+ vercelWriterTokenEnv: "STACK_VERCEL_TOKEN",
5950
+ repository: {
5951
+ owner: "stack-vc",
5952
+ name: "stackos"
5953
+ },
5954
+ sharedSourcePath: "/tenants/stack",
5955
+ sharedVariablePolicy: "tenant_shared_all_systems",
5956
+ convex: {
5957
+ urlEnv: "CONVEX_STACKOS_URL",
5958
+ deployKeyEnv: "CONVEX_STACKOS_DEPLOY_KEY",
5959
+ preprodDeployment: "giant-mandrill-761",
5960
+ prodDeployment: "good-snake-515"
5961
+ }
5962
+ },
5963
+ {
5964
+ id: "stack-eng",
5965
+ tenantKey: "stack",
5966
+ workspaceKey: "engineering",
5967
+ vercelProjectName: "stackos-engineering-graph",
5968
+ vercelTeamId: "team_mZBKwvXSSu7qxrWdg2go29sK",
5969
+ vercelProjectId: "prj_zAU0Zn9GkbHjHI63dxW4vLpmoqTJ",
5970
+ vercelWriterTokenEnv: "STACK_VERCEL_TOKEN",
5971
+ repository: {
5972
+ owner: "stack-vc",
5973
+ name: "stackos-engineering-graph"
5974
+ },
5975
+ sharedSourcePath: "/tenants/stack/engineering",
5976
+ sharedVariablePolicy: "tenant_shared_all_systems",
5977
+ convex: {
5978
+ urlEnv: "CONVEX_STACK_ENG_URL",
5979
+ deployKeyEnv: "CONVEX_STACK_ENG_DEPLOY_KEY",
5980
+ preprodDeployment: "small-oyster-270",
5981
+ prodDeployment: "bold-cuttlefish-804"
5982
+ }
5983
+ },
5984
+ {
5985
+ id: "lucern-graph",
5986
+ tenantKey: "lucern",
5987
+ workspaceKey: "lucern",
5988
+ vercelProjectName: "lucern-graph",
5989
+ vercelTeamId: "team_vTHxxs8GAoAFUe6RWMlYt7fY",
5990
+ vercelProjectId: "prj_KJ8EKV8vGM5xURpqmwTwmECEGPgQ",
5991
+ vercelWriterTokenEnv: "LUCERN_VERCEL_TOKEN",
5992
+ repository: {
5993
+ owner: "LucernAI",
5994
+ name: "lucern-graph"
5995
+ },
5996
+ sharedSourcePath: "/tenants/lucern/shared",
5997
+ sharedVariablePolicy: "tenant_shared_all_systems",
5998
+ convex: {
5999
+ urlEnv: "CONVEX_LUCERN_URL",
6000
+ deployKeyEnv: "CONVEX_LUCERN_DEPLOY_KEY",
6001
+ preprodDeployment: "good-blackbird-774",
6002
+ prodDeployment: "precious-dog-365"
6003
+ }
6004
+ }
6005
+ ];
6006
+ var TENANT_SHARED_SECRET_DEFINITION_TEMPLATES = [
6007
+ {
6008
+ idSuffix: "clerk.publishable",
6009
+ canonicalName: "NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY",
6010
+ aliases: ["CLERK_PUBLISHABLE_KEY"],
6011
+ required: true,
6012
+ secret: false,
6013
+ public: true,
6014
+ description: "Tenant-owned Clerk browser key. For Stack this is the master clerk.stack.vc project shared by front-end, StackOS, and the engineering workspace."
6015
+ },
6016
+ {
6017
+ idSuffix: "clerk.secret",
6018
+ canonicalName: "CLERK_SECRET_KEY",
6019
+ required: true,
6020
+ secret: true,
6021
+ public: false,
6022
+ description: "Tenant-owned Clerk backend secret used only by that tenant's server runtimes."
6023
+ },
6024
+ {
6025
+ idSuffix: "clerk.project",
6026
+ canonicalName: "CLERK_PROJECT_ID",
6027
+ required: true,
6028
+ secret: false,
6029
+ public: false,
6030
+ description: "Tenant-owned Clerk project id used to resolve canonical Clerk aliases."
6031
+ },
6032
+ {
6033
+ idSuffix: "clerk.jwks",
6034
+ canonicalName: "CLERK_JWT_ISSUER_DOMAIN",
6035
+ aliases: ["CLERK_ISSUER_URL", "CLERK_JWKS_URL"],
6036
+ required: false,
6037
+ secret: false,
6038
+ public: false,
6039
+ description: "Tenant Clerk issuer/JWKS URL consumed by Convex auth.config.ts."
6040
+ },
6041
+ {
6042
+ idSuffix: "clerk.jwt-key",
6043
+ canonicalName: "CLERK_JWT_KEY",
6044
+ required: false,
6045
+ secret: true,
6046
+ public: false,
6047
+ description: "Tenant Clerk JWT public verification key used by bearer-token API routes."
6048
+ },
6049
+ {
6050
+ idSuffix: "clerk.authorized-parties",
6051
+ canonicalName: "CLERK_AUTHORIZED_PARTIES",
6052
+ aliases: ["CLERK_MOBILE_AUTHORIZED_PARTIES"],
6053
+ required: false,
6054
+ secret: false,
6055
+ public: false,
6056
+ description: "Comma-separated Clerk authorized parties for browser and mobile bearer-token validation."
6057
+ },
6058
+ {
6059
+ idSuffix: "clerk.sign-in-url",
6060
+ canonicalName: "NEXT_PUBLIC_CLERK_SIGN_IN_URL",
6061
+ required: false,
6062
+ secret: false,
6063
+ public: true,
6064
+ description: "Tenant Clerk sign-in route for custom app login surfaces."
6065
+ },
6066
+ {
6067
+ idSuffix: "clerk.sign-up-url",
6068
+ canonicalName: "NEXT_PUBLIC_CLERK_SIGN_UP_URL",
6069
+ required: false,
6070
+ secret: false,
6071
+ public: true,
6072
+ description: "Tenant Clerk sign-up route for custom app login surfaces."
6073
+ }
6074
+ ];
6075
+ INFISICAL_TENANT_SOFTWARE_SYSTEMS.flatMap(
6076
+ (system) => TENANT_SHARED_SECRET_DEFINITION_TEMPLATES.map(
6077
+ (template) => ({
6078
+ id: `tenant.${system.id}.${template.idSuffix}`,
6079
+ canonicalName: template.canonicalName,
6080
+ aliases: "aliases" in template ? template.aliases : void 0,
6081
+ owner: "tenant",
6082
+ scope: "tenant",
6083
+ sourcePath: system.sharedSourcePath,
6084
+ environmentPolicy: "environment_specific",
6085
+ required: template.required,
6086
+ secret: template.secret,
6087
+ public: template.public,
6088
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
6089
+ destinations: [
6090
+ {
6091
+ kind: "vercel",
6092
+ target: system.vercelProjectName,
6093
+ environmentPolicy: "preprod_staging_prod_prod"
6094
+ },
6095
+ {
6096
+ kind: "convex",
6097
+ target: `${system.convex.preprodDeployment}|${system.convex.prodDeployment}`,
6098
+ environmentPolicy: "preprod_staging_prod_prod"
6099
+ }
6100
+ ],
6101
+ description: `${system.tenantKey}/${system.workspaceKey}: ${template.description}`
6102
+ })
6103
+ )
6104
+ );
6105
+ INFISICAL_TENANT_SOFTWARE_SYSTEMS.map(
6106
+ (system) => ({
6107
+ id: `tenant.${system.id}.install-lucern-npm`,
6108
+ canonicalName: "INSTALL_LUCERN_NPM",
6109
+ owner: "provider",
6110
+ scope: "global",
6111
+ sourcePath: "/tenants/shared",
6112
+ environmentPolicy: "same_all_environments",
6113
+ required: true,
6114
+ secret: true,
6115
+ public: false,
6116
+ consumers: ["tenant-vercel-app", "tenant-deploy-tooling"],
6117
+ destinations: [
6118
+ {
6119
+ kind: "vercel",
6120
+ target: system.vercelProjectName,
6121
+ environmentPolicy: "same_all_environments"
6122
+ },
6123
+ {
6124
+ kind: "github_actions",
6125
+ target: `${system.repository.owner}/${system.repository.name}`,
6126
+ environmentPolicy: "same_all_environments"
6127
+ }
6128
+ ],
6129
+ description: `${system.tenantKey}/${system.workspaceKey}: read-only npm install token for published @lucern/* packages.`
6130
+ })
6131
+ );
6132
+ var TENANT_PRODUCT_SOFTWARE_SYSTEM_IDS = ["stack-frontend", "stackos"];
6133
+ var TENANT_PRODUCT_RUNTIME_SECRET_DEFINITION_TEMPLATES = [
6134
+ {
6135
+ idSuffix: "ai.openai-api-key",
6136
+ canonicalName: "OPENAI_API_KEY",
6137
+ required: false,
6138
+ secret: true,
6139
+ public: false,
6140
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment", "tenant-ai-runtime"],
6141
+ description: "Tenant-owned OpenAI key for product runtime LLM calls."
6142
+ },
6143
+ {
6144
+ idSuffix: "ai.anthropic-api-key",
6145
+ canonicalName: "ANTHROPIC_API_KEY",
6146
+ required: false,
6147
+ secret: true,
6148
+ public: false,
6149
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment", "tenant-ai-runtime"],
6150
+ description: "Tenant-owned Anthropic key for product runtime LLM calls."
6151
+ },
6152
+ {
6153
+ idSuffix: "ai.gemini-api-key",
6154
+ canonicalName: "GEMINI_API_KEY",
6155
+ aliases: ["GOOGLE_AI_API_KEY", "GOOGLE_GENERATIVE_AI_API_KEY"],
6156
+ required: false,
6157
+ secret: true,
6158
+ public: false,
6159
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment", "tenant-ai-runtime"],
6160
+ description: "Tenant-owned Google/Gemini key for product runtime LLM calls."
6161
+ },
6162
+ {
6163
+ idSuffix: "langfuse.secret-key",
6164
+ canonicalName: "LANGFUSE_SECRET_KEY",
6165
+ required: false,
6166
+ secret: true,
6167
+ public: false,
6168
+ consumers: [
6169
+ "tenant-vercel-app",
6170
+ "tenant-convex-deployment",
6171
+ "tenant-observability"
6172
+ ],
6173
+ description: "Tenant-owned Langfuse secret key for product AI tracing."
6174
+ },
6175
+ {
6176
+ idSuffix: "langfuse.public-key",
6177
+ canonicalName: "LANGFUSE_PUBLIC_KEY",
6178
+ required: false,
6179
+ secret: false,
6180
+ public: false,
6181
+ consumers: [
6182
+ "tenant-vercel-app",
6183
+ "tenant-convex-deployment",
6184
+ "tenant-observability"
6185
+ ],
6186
+ description: "Tenant-owned Langfuse public key for product AI tracing."
6187
+ },
6188
+ {
6189
+ idSuffix: "langfuse.base-url",
6190
+ canonicalName: "LANGFUSE_BASE_URL",
6191
+ aliases: ["LANGFUSE_BASEURL", "LANGFUSE_HOST"],
6192
+ required: false,
6193
+ secret: false,
6194
+ public: false,
6195
+ consumers: [
6196
+ "tenant-vercel-app",
6197
+ "tenant-convex-deployment",
6198
+ "tenant-observability"
6199
+ ],
6200
+ description: "Tenant-owned Langfuse API origin."
6201
+ },
6202
+ {
6203
+ idSuffix: "graph.neo4j-uri",
6204
+ canonicalName: "NEO4J_URI",
6205
+ required: false,
6206
+ secret: false,
6207
+ public: false,
6208
+ consumers: [
6209
+ "tenant-vercel-app",
6210
+ "tenant-convex-deployment",
6211
+ "tenant-graph-sync"
6212
+ ],
6213
+ description: "Tenant-owned Neo4j URI for product graph-sync."
6214
+ },
6215
+ {
6216
+ idSuffix: "graph.neo4j-user",
6217
+ canonicalName: "NEO4J_USER",
6218
+ aliases: ["NEO4J_USERNAME"],
6219
+ required: false,
6220
+ secret: false,
6221
+ public: false,
6222
+ consumers: [
6223
+ "tenant-vercel-app",
6224
+ "tenant-convex-deployment",
6225
+ "tenant-graph-sync"
6226
+ ],
6227
+ description: "Tenant-owned Neo4j user for product graph-sync."
6228
+ },
6229
+ {
6230
+ idSuffix: "graph.neo4j-password",
6231
+ canonicalName: "NEO4J_PASSWORD",
6232
+ required: false,
6233
+ secret: true,
6234
+ public: false,
6235
+ consumers: [
6236
+ "tenant-vercel-app",
6237
+ "tenant-convex-deployment",
6238
+ "tenant-graph-sync"
6239
+ ],
6240
+ description: "Tenant-owned Neo4j password for product graph-sync."
6241
+ },
6242
+ {
6243
+ idSuffix: "graph.neo4j-sync-secret",
6244
+ canonicalName: "NEO4J_SYNC_SECRET",
6245
+ required: false,
6246
+ secret: true,
6247
+ public: false,
6248
+ consumers: [
6249
+ "tenant-vercel-app",
6250
+ "tenant-convex-deployment",
6251
+ "tenant-graph-sync"
6252
+ ],
6253
+ description: "Tenant-owned shared secret for product Convex-to-HTTP graph-sync calls."
6254
+ },
6255
+ {
6256
+ idSuffix: "graph.neo4j-database",
6257
+ canonicalName: "NEO4J_DATABASE",
6258
+ required: false,
6259
+ secret: false,
6260
+ public: false,
6261
+ consumers: [
6262
+ "tenant-vercel-app",
6263
+ "tenant-convex-deployment",
6264
+ "tenant-graph-sync"
6265
+ ],
6266
+ description: "Tenant-owned Neo4j database name for product graph-sync."
6267
+ },
6268
+ {
6269
+ idSuffix: "vector.pinecone-api-key",
6270
+ canonicalName: "PINECONE_API_KEY",
6271
+ required: false,
6272
+ secret: true,
6273
+ public: false,
6274
+ consumers: [
6275
+ "tenant-vercel-app",
6276
+ "tenant-convex-deployment",
6277
+ "tenant-vector-store"
6278
+ ],
6279
+ description: "Tenant-owned Pinecone API key for product vector search."
6280
+ },
6281
+ {
6282
+ idSuffix: "vector.pinecone-index-name",
6283
+ canonicalName: "PINECONE_INDEX_NAME",
6284
+ aliases: ["PINECONE_INDEX"],
6285
+ required: false,
6286
+ secret: false,
6287
+ public: false,
6288
+ consumers: [
6289
+ "tenant-vercel-app",
6290
+ "tenant-convex-deployment",
6291
+ "tenant-vector-store"
6292
+ ],
6293
+ description: "Tenant-owned Pinecone index name for product vector search."
6294
+ },
6295
+ {
6296
+ idSuffix: "vector.pinecone-host",
6297
+ canonicalName: "PINECONE_HOST",
6298
+ aliases: ["PINECONE_INDEX_HOST"],
6299
+ required: false,
6300
+ secret: false,
6301
+ public: false,
6302
+ consumers: [
6303
+ "tenant-vercel-app",
6304
+ "tenant-convex-deployment",
6305
+ "tenant-vector-store"
6306
+ ],
6307
+ description: "Tenant-owned Pinecone host for product vector search."
6308
+ },
6309
+ {
6310
+ idSuffix: "vector.pinecone-namespace",
6311
+ canonicalName: "PINECONE_NAMESPACE",
6312
+ required: false,
6313
+ secret: false,
6314
+ public: false,
6315
+ consumers: [
6316
+ "tenant-vercel-app",
6317
+ "tenant-convex-deployment",
6318
+ "tenant-vector-store"
6319
+ ],
6320
+ description: "Tenant-owned Pinecone namespace for product vector search isolation."
6321
+ },
6322
+ {
6323
+ idSuffix: "storage.aws-access-key-id",
6324
+ canonicalName: "AWS_ACCESS_KEY_ID",
6325
+ required: false,
6326
+ secret: true,
6327
+ public: false,
6328
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
6329
+ description: "Tenant-owned AWS access key id for document/file ingestion."
6330
+ },
6331
+ {
6332
+ idSuffix: "storage.aws-secret-access-key",
6333
+ canonicalName: "AWS_SECRET_ACCESS_KEY",
6334
+ required: false,
6335
+ secret: true,
6336
+ public: false,
6337
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
6338
+ description: "Tenant-owned AWS secret access key for document/file ingestion."
4863
6339
  },
4864
6340
  {
4865
- packageName: "@lucern/events",
4866
- role: "sdk_dependency",
4867
- directTenantImport: false
6341
+ idSuffix: "storage.aws-region",
6342
+ canonicalName: "AWS_REGION",
6343
+ required: false,
6344
+ secret: false,
6345
+ public: false,
6346
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
6347
+ description: "Tenant-owned AWS region for document/file ingestion."
4868
6348
  },
4869
6349
  {
4870
- packageName: "@lucern/graph-primitives",
4871
- role: "sdk_dependency",
4872
- directTenantImport: false
6350
+ idSuffix: "observability.sentry-dsn",
6351
+ canonicalName: "NEXT_PUBLIC_SENTRY_DSN",
6352
+ aliases: ["NEXT_PUBLIC_SENTRY_DSN_NEXTJS", "SENTRY_DSN"],
6353
+ required: false,
6354
+ secret: false,
6355
+ public: true,
6356
+ consumers: ["tenant-vercel-app", "tenant-observability"],
6357
+ description: "Tenant-owned Sentry DSN for app telemetry."
4873
6358
  },
4874
6359
  {
4875
- packageName: "@lucern/graph-sync",
4876
- role: "host_addon_runtime",
4877
- directTenantImport: true
6360
+ idSuffix: "observability.sentry-auth-token",
6361
+ canonicalName: "SENTRY_AUTH_TOKEN",
6362
+ required: false,
6363
+ secret: true,
6364
+ public: false,
6365
+ consumers: ["tenant-deploy-tooling", "tenant-observability"],
6366
+ description: "Tenant-owned Sentry release token for app deployments."
4878
6367
  },
4879
6368
  {
4880
- packageName: "@lucern/identity",
4881
- role: "component_runtime",
4882
- directTenantImport: false
6369
+ idSuffix: "observability.sentry-org",
6370
+ canonicalName: "SENTRY_ORG",
6371
+ aliases: ["SENTRY_ORG_SLUG"],
6372
+ required: false,
6373
+ secret: false,
6374
+ public: false,
6375
+ consumers: ["tenant-deploy-tooling", "tenant-observability"],
6376
+ description: "Tenant-owned Sentry org slug for release uploads."
4883
6377
  },
4884
6378
  {
4885
- packageName: "@lucern/mcp",
4886
- role: "runtime_entrypoint",
4887
- directTenantImport: true
6379
+ idSuffix: "observability.sentry-project",
6380
+ canonicalName: "SENTRY_PROJECT",
6381
+ aliases: ["SENTRY_PROJECT_NEXTJS"],
6382
+ required: false,
6383
+ secret: false,
6384
+ public: false,
6385
+ consumers: ["tenant-deploy-tooling", "tenant-observability"],
6386
+ description: "Tenant-owned Sentry project slug for release uploads."
4888
6387
  },
4889
6388
  {
4890
- packageName: "@lucern/pack-host",
4891
- role: "platform_runtime",
4892
- directTenantImport: false
6389
+ idSuffix: "observability.sentry-environment",
6390
+ canonicalName: "NEXT_PUBLIC_SENTRY_ENVIRONMENT",
6391
+ aliases: ["SENTRY_ENVIRONMENT"],
6392
+ required: false,
6393
+ secret: false,
6394
+ public: true,
6395
+ consumers: ["tenant-vercel-app", "tenant-observability"],
6396
+ description: "Tenant-owned Sentry environment label."
4893
6397
  },
4894
6398
  {
4895
- packageName: "@lucern/pack-installer",
4896
- role: "developer_tool",
4897
- directTenantImport: false
6399
+ idSuffix: "observability.sentry-release",
6400
+ canonicalName: "NEXT_PUBLIC_SENTRY_RELEASE",
6401
+ aliases: ["SENTRY_RELEASE"],
6402
+ required: false,
6403
+ secret: false,
6404
+ public: true,
6405
+ consumers: ["tenant-vercel-app", "tenant-observability"],
6406
+ description: "Tenant-owned Sentry release label."
4898
6407
  },
4899
6408
  {
4900
- packageName: "@lucern/proof-compiler",
4901
- role: "developer_tool",
4902
- directTenantImport: false
6409
+ idSuffix: "observability.sentry-client-options",
6410
+ canonicalName: "NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE",
6411
+ aliases: [
6412
+ "NEXT_PUBLIC_SENTRY_CAPTURE_CONSOLE_LEVELS",
6413
+ "NEXT_PUBLIC_SENTRY_CAPTURE_CONSOLE_LEVELS_NEXTJS",
6414
+ "NEXT_PUBLIC_SENTRY_CONSOLE_BREADCRUMB_LEVELS",
6415
+ "NEXT_PUBLIC_SENTRY_CONSOLE_BREADCRUMB_LEVELS_NEXTJS",
6416
+ "NEXT_PUBLIC_SENTRY_CONSOLE_LOG_LEVELS",
6417
+ "NEXT_PUBLIC_SENTRY_CONSOLE_LOG_LEVELS_NEXTJS",
6418
+ "NEXT_PUBLIC_SENTRY_ENABLE_LOGS",
6419
+ "NEXT_PUBLIC_SENTRY_REPLAYS_ON_ERROR_SAMPLE_RATE",
6420
+ "NEXT_PUBLIC_SENTRY_REPLAYS_SESSION_SAMPLE_RATE",
6421
+ "NEXT_PUBLIC_SENTRY_SEND_DEFAULT_PII",
6422
+ "NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE_NEXTJS"
6423
+ ],
6424
+ required: false,
6425
+ secret: false,
6426
+ public: true,
6427
+ consumers: ["tenant-vercel-app", "tenant-observability"],
6428
+ description: "Tenant-owned public Sentry tuning values for Next.js client instrumentation."
4903
6429
  },
4904
6430
  {
4905
- packageName: "@lucern/react",
4906
- role: "runtime_entrypoint",
4907
- directTenantImport: true
6431
+ idSuffix: "observability.sentry-webhook-secret",
6432
+ canonicalName: "SENTRY_WEBHOOK_SECRET",
6433
+ required: false,
6434
+ secret: true,
6435
+ public: false,
6436
+ consumers: ["tenant-convex-deployment", "tenant-observability"],
6437
+ description: "Tenant-owned Sentry webhook verification secret."
4908
6438
  },
4909
6439
  {
4910
- packageName: "@lucern/reasoning-kernel",
4911
- role: "component_runtime",
4912
- directTenantImport: false
6440
+ idSuffix: "lucern.gateway-api-key",
6441
+ canonicalName: "LUCERN_API_KEY",
6442
+ aliases: ["STACK_API_KEY"],
6443
+ required: false,
6444
+ secret: true,
6445
+ public: false,
6446
+ consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
6447
+ description: "Tenant-scoped Lucern/MC gateway API key for product front-door calls."
4913
6448
  },
4914
6449
  {
4915
- packageName: "@lucern/sdk",
4916
- role: "runtime_entrypoint",
4917
- directTenantImport: true
6450
+ idSuffix: "lucern.gateway-base-url",
6451
+ canonicalName: "LUCERN_BASE_URL",
6452
+ aliases: ["LUCERN_API_BASE_URL", "LUCERN_GATEWAY_BASE_URL"],
6453
+ required: false,
6454
+ secret: false,
6455
+ public: false,
6456
+ consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
6457
+ description: "Lucern/MC gateway base URL used by tenant product apps."
4918
6458
  },
4919
6459
  {
4920
- packageName: "@lucern/server-core",
4921
- role: "platform_runtime",
4922
- directTenantImport: false
6460
+ idSuffix: "lucern.proxy-token-secret",
6461
+ canonicalName: "LUCERN_PROXY_TOKEN_SECRET",
6462
+ required: false,
6463
+ secret: true,
6464
+ public: false,
6465
+ consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
6466
+ description: "Tenant-owned secret for signing internal proxy/session tokens in product apps."
4923
6467
  },
4924
6468
  {
4925
- packageName: "@lucern/testing",
4926
- role: "test_support",
4927
- directTenantImport: false
6469
+ idSuffix: "tenant.integrations.linear-api-key",
6470
+ canonicalName: "LINEAR_API_KEY",
6471
+ required: false,
6472
+ secret: true,
6473
+ public: false,
6474
+ consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
6475
+ description: "Tenant-owned Linear API key for support/slash-command flows."
4928
6476
  },
4929
6477
  {
4930
- packageName: "@lucern/types",
4931
- role: "contract_entrypoint",
4932
- directTenantImport: true
6478
+ idSuffix: "tenant.vercel.bypass-token",
6479
+ canonicalName: "VERCEL_AUTOMATION_BYPASS_SECRET",
6480
+ aliases: ["NEXT_PUBLIC_VERCEL_BYPASS_TOKEN"],
6481
+ required: false,
6482
+ secret: true,
6483
+ public: false,
6484
+ consumers: ["tenant-vercel-app", "tenant-deploy-tooling"],
6485
+ description: "Tenant-owned Vercel automation bypass token. Public alias is legacy and should be removed from app code."
4933
6486
  }
4934
6487
  ];
4935
- TENANT_CLIENT_INSTALLABLE_PACKAGES.map(
4936
- (entry) => entry.packageName
6488
+ INFISICAL_TENANT_SOFTWARE_SYSTEMS.filter(
6489
+ (system) => TENANT_PRODUCT_SOFTWARE_SYSTEM_IDS.includes(system.id)
6490
+ ).flatMap(
6491
+ (system) => TENANT_PRODUCT_RUNTIME_SECRET_DEFINITION_TEMPLATES.map(
6492
+ (template) => ({
6493
+ id: `tenant.${system.id}.${template.idSuffix}`,
6494
+ canonicalName: template.canonicalName,
6495
+ aliases: "aliases" in template ? template.aliases : void 0,
6496
+ owner: "tenant",
6497
+ scope: "tenant",
6498
+ sourcePath: system.sharedSourcePath,
6499
+ environmentPolicy: "environment_specific",
6500
+ required: template.required,
6501
+ secret: template.secret,
6502
+ public: template.public,
6503
+ consumers: template.consumers,
6504
+ destinations: [
6505
+ {
6506
+ kind: "vercel",
6507
+ target: system.vercelProjectName,
6508
+ environmentPolicy: "preprod_staging_prod_prod"
6509
+ },
6510
+ {
6511
+ kind: "convex",
6512
+ target: `${system.convex.preprodDeployment}|${system.convex.prodDeployment}`,
6513
+ environmentPolicy: "preprod_staging_prod_prod"
6514
+ },
6515
+ {
6516
+ kind: "github_actions",
6517
+ target: `${system.repository.owner}/${system.repository.name}`,
6518
+ environmentPolicy: "preprod_staging_prod_prod"
6519
+ }
6520
+ ],
6521
+ description: `${system.tenantKey}/${system.workspaceKey}: ${template.description}`
6522
+ })
6523
+ )
6524
+ );
6525
+ function tenantVercelConvexUrlWriteNames(system) {
6526
+ const names = [system.convex.urlEnv, "NEXT_PUBLIC_CONVEX_URL"];
6527
+ if (system.id === "stack-eng") {
6528
+ return [...names, "STACKOS_ENGINEERING_GRAPH_CONVEX_URL"];
6529
+ }
6530
+ return names;
6531
+ }
6532
+ function tenantRepositoryConvexUrlWriteNames(system) {
6533
+ if (system.id === "stack-eng") {
6534
+ return [system.convex.urlEnv, "STACKOS_ENGINEERING_GRAPH_CONVEX_URL"];
6535
+ }
6536
+ return [system.convex.urlEnv];
6537
+ }
6538
+ function tenantRepositoryConvexDeployKeyWriteNames(system) {
6539
+ if (system.id === "stack-eng") {
6540
+ return [system.convex.deployKeyEnv, "STACKOS_ENGINEERING_GRAPH_DEPLOY_KEY"];
6541
+ }
6542
+ return [system.convex.deployKeyEnv];
6543
+ }
6544
+ function tenantConvexUrlAliases(system) {
6545
+ if (system.id === "stack-frontend") {
6546
+ return [
6547
+ "CONVEX_PROD_URL",
6548
+ "CONVEX_STACK_V2_PROD_URL",
6549
+ "CONVEX_STACK_V2_STAGING_URL",
6550
+ "STACK_CONVEX_URL"
6551
+ ];
6552
+ }
6553
+ if (system.id === "stackos") {
6554
+ return [
6555
+ "CONVEX_CLOUD_URL",
6556
+ "CONVEX_STACK_URL",
6557
+ "CONVEX_URL",
6558
+ "CONVEX_URL_DEVELOPMENT",
6559
+ "CONVEX_URL_PRODUCTION",
6560
+ "STACK_CONVEX_URL"
6561
+ ];
6562
+ }
6563
+ if (system.id === "stack-eng") {
6564
+ return ["STACKOS_ENGINEERING_GRAPH_CONVEX_URL"];
6565
+ }
6566
+ if (system.id === "lucern-graph") {
6567
+ return [
6568
+ "CONVEX_GRAPH_URL",
6569
+ "LUCERN_PROD_URL",
6570
+ "NEXT_PUBLIC_LUCERN_GRAPH_URL"
6571
+ ];
6572
+ }
6573
+ return void 0;
6574
+ }
6575
+ function tenantConvexDeployKeyAliases(system) {
6576
+ if (system.id === "stack-frontend") {
6577
+ return [
6578
+ "CONVEX_STACK_V2_PROD_DEPLOY_KEY",
6579
+ "CONVEX_STACK_V2_STAGING_DEPLOY_KEY",
6580
+ "STACK_DEPLOY_KEY"
6581
+ ];
6582
+ }
6583
+ if (system.id === "stackos") {
6584
+ return [
6585
+ "CONVEX_DEPLOY_KEY",
6586
+ "CONVEX_DEV_DEPLOY_KEY",
6587
+ "CONVEX_PROD_DEPLOY_KEY",
6588
+ "CONVEX_STACK_DEPLOY_KEY",
6589
+ "STACK_DEPLOY_KEY"
6590
+ ];
6591
+ }
6592
+ if (system.id === "stack-eng") {
6593
+ return ["CONVEX_DEPLOY_KEY", "STACKOS_ENGINEERING_GRAPH_DEPLOY_KEY"];
6594
+ }
6595
+ if (system.id === "lucern-graph") {
6596
+ return [
6597
+ "CONVEX_DEPLOY_KEY",
6598
+ "CONVEX_GRAPH_DEPLOY_KEY",
6599
+ "LUCERN_CONVEX_DEPLOY_KEY",
6600
+ "LUCERN_DEV_DEPLOY_KEY",
6601
+ "LUCERN_PROD_DEPLOY_KEY"
6602
+ ];
6603
+ }
6604
+ return void 0;
6605
+ }
6606
+ INFISICAL_TENANT_SOFTWARE_SYSTEMS.flatMap(
6607
+ (system) => {
6608
+ if (system.id === "lucern-graph") {
6609
+ return [
6610
+ {
6611
+ id: "tenant.lucern-graph.public.tenant-id",
6612
+ canonicalName: "NEXT_PUBLIC_LUCERN_GRAPH_TENANT_ID",
6613
+ aliases: ["NEXT_PUBLIC_LUCERN_TENANT_ID"],
6614
+ owner: "tenant",
6615
+ scope: "workspace",
6616
+ sourcePath: system.sharedSourcePath,
6617
+ environmentPolicy: "environment_specific",
6618
+ required: false,
6619
+ secret: false,
6620
+ public: true,
6621
+ consumers: ["tenant-vercel-app"],
6622
+ destinations: [
6623
+ {
6624
+ kind: "vercel",
6625
+ target: system.vercelProjectName,
6626
+ environmentPolicy: "preprod_staging_prod_prod"
6627
+ }
6628
+ ],
6629
+ description: "Lucern graph public tenant id used by the standalone graph explorer."
6630
+ },
6631
+ {
6632
+ id: "tenant.lucern-graph.public.tenant-label",
6633
+ canonicalName: "NEXT_PUBLIC_LUCERN_GRAPH_TENANT_LABEL",
6634
+ owner: "tenant",
6635
+ scope: "workspace",
6636
+ sourcePath: system.sharedSourcePath,
6637
+ environmentPolicy: "environment_specific",
6638
+ required: false,
6639
+ secret: false,
6640
+ public: true,
6641
+ consumers: ["tenant-vercel-app"],
6642
+ destinations: [
6643
+ {
6644
+ kind: "vercel",
6645
+ target: system.vercelProjectName,
6646
+ environmentPolicy: "preprod_staging_prod_prod"
6647
+ }
6648
+ ],
6649
+ description: "Lucern graph public tenant label used by the standalone graph explorer."
6650
+ }
6651
+ ];
6652
+ }
6653
+ if (system.id === "stack-eng") {
6654
+ return [
6655
+ {
6656
+ id: "tenant.stack-eng.public.tenant-id",
6657
+ canonicalName: "NEXT_PUBLIC_STACKOS_ENGINEERING_GRAPH_TENANT_ID",
6658
+ owner: "tenant",
6659
+ scope: "workspace",
6660
+ sourcePath: system.sharedSourcePath,
6661
+ environmentPolicy: "environment_specific",
6662
+ required: false,
6663
+ secret: false,
6664
+ public: true,
6665
+ consumers: ["tenant-vercel-app"],
6666
+ destinations: [
6667
+ {
6668
+ kind: "vercel",
6669
+ target: system.vercelProjectName,
6670
+ environmentPolicy: "preprod_staging_prod_prod"
6671
+ }
6672
+ ],
6673
+ description: "Stack engineering graph public tenant id used by the graph explorer."
6674
+ },
6675
+ {
6676
+ id: "tenant.stack-eng.public.tenant-label",
6677
+ canonicalName: "NEXT_PUBLIC_STACKOS_ENGINEERING_GRAPH_TENANT_LABEL",
6678
+ owner: "tenant",
6679
+ scope: "workspace",
6680
+ sourcePath: system.sharedSourcePath,
6681
+ environmentPolicy: "environment_specific",
6682
+ required: false,
6683
+ secret: false,
6684
+ public: true,
6685
+ consumers: ["tenant-vercel-app"],
6686
+ destinations: [
6687
+ {
6688
+ kind: "vercel",
6689
+ target: system.vercelProjectName,
6690
+ environmentPolicy: "preprod_staging_prod_prod"
6691
+ }
6692
+ ],
6693
+ description: "Stack engineering graph public tenant label used by the graph explorer."
6694
+ },
6695
+ {
6696
+ id: "tenant.stack-eng.public.environment",
6697
+ canonicalName: "NEXT_PUBLIC_STACKOS_ENGINEERING_GRAPH_ENV",
6698
+ owner: "tenant",
6699
+ scope: "workspace",
6700
+ sourcePath: system.sharedSourcePath,
6701
+ environmentPolicy: "environment_specific",
6702
+ required: false,
6703
+ secret: false,
6704
+ public: true,
6705
+ consumers: ["tenant-vercel-app"],
6706
+ destinations: [
6707
+ {
6708
+ kind: "vercel",
6709
+ target: system.vercelProjectName,
6710
+ environmentPolicy: "preprod_staging_prod_prod"
6711
+ }
6712
+ ],
6713
+ description: "Stack engineering graph public environment label used by the graph explorer."
6714
+ }
6715
+ ];
6716
+ }
6717
+ return [];
6718
+ }
4937
6719
  );
6720
+ INFISICAL_TENANT_SOFTWARE_SYSTEMS.flatMap((system) => [
6721
+ {
6722
+ id: `tenant.${system.id}.convex.url`,
6723
+ canonicalName: system.convex.urlEnv,
6724
+ aliases: tenantConvexUrlAliases(system),
6725
+ owner: "tenant",
6726
+ scope: "software_system",
6727
+ sourcePath: system.sharedSourcePath,
6728
+ environmentPolicy: "preprod_staging_prod_prod",
6729
+ required: true,
6730
+ secret: false,
6731
+ public: false,
6732
+ consumers: [
6733
+ "tenant-vercel-app",
6734
+ "tenant-agent-runtime",
6735
+ "mc-operator-tooling"
6736
+ ],
6737
+ destinations: [
6738
+ {
6739
+ kind: "vercel",
6740
+ target: system.vercelProjectName,
6741
+ environmentPolicy: "preprod_staging_prod_prod",
6742
+ writeNames: tenantVercelConvexUrlWriteNames(system)
6743
+ },
6744
+ {
6745
+ kind: "github_actions",
6746
+ target: `${system.repository.owner}/${system.repository.name}`,
6747
+ environmentPolicy: "preprod_staging_prod_prod",
6748
+ writeNames: tenantRepositoryConvexUrlWriteNames(system),
6749
+ notes: "Only if that repository deploy/test workflow owns this software system."
6750
+ }
6751
+ ],
6752
+ description: `${system.tenantKey}/${system.workspaceKey} Convex URL. Pre-prod resolves to ${system.convex.preprodDeployment}; prod resolves to ${system.convex.prodDeployment}.`
6753
+ },
6754
+ {
6755
+ id: `tenant.${system.id}.convex.deploy-key`,
6756
+ canonicalName: system.convex.deployKeyEnv,
6757
+ aliases: tenantConvexDeployKeyAliases(system),
6758
+ owner: "tenant",
6759
+ scope: "software_system",
6760
+ sourcePath: system.sharedSourcePath,
6761
+ environmentPolicy: "preprod_staging_prod_prod",
6762
+ required: true,
6763
+ secret: true,
6764
+ public: false,
6765
+ consumers: [
6766
+ "tenant-vercel-app",
6767
+ "tenant-agent-runtime",
6768
+ "mc-operator-tooling"
6769
+ ],
6770
+ destinations: [
6771
+ {
6772
+ kind: "vercel",
6773
+ target: system.vercelProjectName,
6774
+ environmentPolicy: "preprod_staging_prod_prod"
6775
+ },
6776
+ {
6777
+ kind: "github_actions",
6778
+ target: `${system.repository.owner}/${system.repository.name}`,
6779
+ environmentPolicy: "preprod_staging_prod_prod",
6780
+ writeNames: tenantRepositoryConvexDeployKeyWriteNames(system),
6781
+ notes: "Only if that repository deploy/test workflow owns this software system."
6782
+ }
6783
+ ],
6784
+ description: `${system.tenantKey}/${system.workspaceKey} Convex deploy/admin key. Never route to sibling workspaces.`
6785
+ }
6786
+ ]);
4938
6787
  z.object({
4939
6788
  manifestVersion: z.literal("1.0.0"),
4940
6789
  rules: z.array(
@@ -4975,7 +6824,7 @@ var createEvidenceInputSchemaBase = z.object({
4975
6824
  targetId: z.string().optional(),
4976
6825
  targetNodeId: z.string().optional(),
4977
6826
  linkedBeliefNodeId: z.string().optional(),
4978
- evidenceRelation: z.enum(["supports", "contradicts", "neutral"]).optional(),
6827
+ evidenceRelation: z.enum(["supports", "contradicts"]).optional(),
4979
6828
  confidence: z.number().optional(),
4980
6829
  weight: z.number().optional(),
4981
6830
  reasoning: z.string().optional(),
@@ -5060,8 +6909,7 @@ var createEvidenceProjection = defineProjection({
5060
6909
  evidenceRelation: v.optional(
5061
6910
  v.union(
5062
6911
  v.literal("supports"),
5063
- v.literal("contradicts"),
5064
- v.literal("neutral")
6912
+ v.literal("contradicts")
5065
6913
  )
5066
6914
  ),
5067
6915
  confidence: v.optional(v.number()),
@@ -5086,7 +6934,7 @@ function compactRecord2(input) {
5086
6934
  Object.entries(input).filter(([, value]) => value !== void 0)
5087
6935
  );
5088
6936
  }
5089
- var listBeliefsProjection = defineProjection({
6937
+ defineProjection({
5090
6938
  contractName: "list_beliefs",
5091
6939
  inputSchema: listBeliefsInputSchema,
5092
6940
  project: (input) => compactRecord2({
@@ -5110,12 +6958,17 @@ var listBeliefsProjection = defineProjection({
5110
6958
  });
5111
6959
  var taskStatusSchema = z.enum(["todo", "in_progress", "blocked", "done"]).optional().describe("Filter by task status");
5112
6960
  var listTasksInputSchema = z.object({
5113
- topicId: z.string().describe("Topic scope"),
6961
+ topicId: z.string().optional().describe("Topic scope"),
5114
6962
  worktreeId: z.string().optional().describe("Alias for linkedWorktreeId"),
5115
6963
  linkedWorktreeId: z.string().optional().describe("Filter to tasks linked to this worktree"),
5116
6964
  status: taskStatusSchema,
5117
6965
  limit: z.number().optional().describe("Maximum results")
5118
- });
6966
+ }).refine(
6967
+ (input) => Boolean(input.topicId || input.worktreeId || input.linkedWorktreeId),
6968
+ {
6969
+ message: "topicId or worktreeId is required"
6970
+ }
6971
+ );
5119
6972
  function compactRecord3(input) {
5120
6973
  return Object.fromEntries(
5121
6974
  Object.entries(input).filter(([, value]) => value !== void 0)
@@ -5132,7 +6985,7 @@ var listTasksProjection = defineProjection({
5132
6985
  linkedWorktreeId: input.linkedWorktreeId ?? input.worktreeId
5133
6986
  }),
5134
6987
  convexArgsValidator: v.object({
5135
- topicId: v.string(),
6988
+ topicId: v.optional(v.string()),
5136
6989
  status: v.optional(
5137
6990
  v.union(
5138
6991
  v.literal("todo"),
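Review bot: `topicId: v.optional(v.string())` lets the Convex argument validator accept a call that carries no topic and no worktree, because the at-least-one-scope rule exists only in the zod `.refine()` added to `listTasksInputSchema`. A caller that reaches the Convex function without going through the zod schema could then ask for an unscoped task list, unless the handler re-checks; the handler is not visible in this diff. I would repeat the guard where the arguments are consumed, e.g. `if (!args.topicId && !args.linkedWorktreeId) throw new Error("topicId or worktreeId is required");`. The `listTasksProjection` definition starts before and continues after this hunk.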
@@ -6110,19 +7963,23 @@ var FIND_CONTRADICTIONS = {
6110
7963
  };
6111
7964
  var CREATE_EDGE = {
6112
7965
  name: "create_edge",
6113
- description: "Commit a typed relationship between two nodes in the reasoning graph. Like `git commit` \u2014 an atomic write that declares a dependency between nodes. The engine enforces layer transition rules \u2014 for example, L1 \u2192 L3 direct edges are forbidden (must go through L2).",
7966
+ description: "Commit a typed relationship between two nodes in the reasoning graph. Like `git commit` \u2014 an atomic write that declares a dependency between nodes. Accepts any public epistemic edge type between public graph node refs so agents can author the full spine.",
6114
7967
  parameters: {
6115
- sourceId: {
6116
- type: "string",
6117
- description: "Source node of the relationship"
7968
+ from: {
7969
+ type: "object",
7970
+ description: "Source graph ref, e.g. { kind: 'epistemic_node', nodeId: '...', nodeType: 'topic' }"
6118
7971
  },
6119
- targetId: {
6120
- type: "string",
6121
- description: "Target node of the relationship"
7972
+ to: {
7973
+ type: "object",
7974
+ description: "Target graph ref, e.g. { kind: 'epistemic_node', nodeId: '...', nodeType: 'belief' }"
6122
7975
  },
6123
7976
  edgeType: {
6124
7977
  type: "string",
6125
- description: "Relationship type (informs, tests, depends_on, supersedes, etc.)"
7978
+ description: "Relationship type from the public epistemic edge enum."
7979
+ },
7980
+ globalId: {
7981
+ type: "string",
7982
+ description: "Optional idempotent edge global ID."
6126
7983
  },
6127
7984
  weight: {
6128
7985
  type: "number",
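Review bot: `from` and `to` are declared as bare `type: "object"`, and their shape (`kind`, `nodeId`, `nodeType`) appears only as an example inside the description string, so a client generating calls from this contract has nothing to validate a graph ref against. The rewritten tool description also drops the earlier statement that the engine enforces layer transition rules, which leaves it unclear whether those rules still apply to `create_edge`. If the contract format allows nested fields, declare the ref properties there; otherwise name the required fields in the description and, if it is still true, append `Layer transition rules are still enforced by the engine.` The `CREATE_EDGE` object starts before and ends after this hunk.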
@@ -6132,10 +7989,14 @@ var CREATE_EDGE = {
6132
7989
  reasoningMethod: {
6133
7990
  type: "string",
6134
7991
  description: "How this was determined",
6135
- enum: ["deductive", "inductive", "abductive", "analogical", "empirical"]
7992
+ enum: [...REASONING_METHODS]
7993
+ },
7994
+ metadata: {
7995
+ type: "object",
7996
+ description: "Optional edge metadata."
6136
7997
  }
6137
7998
  },
6138
- required: ["sourceId", "targetId", "edgeType"],
7999
+ required: ["from", "to", "edgeType"],
6139
8000
  response: {
6140
8001
  description: "The created edge",
6141
8002
  fields: {
@@ -6149,6 +8010,240 @@ var CREATE_EDGE = {
6149
8010
  ontologyPrimitive: "edge",
6150
8011
  tier: "showcase"
6151
8012
  };
8013
+ var UPDATE_EDGE = {
8014
+ name: "update_edge",
8015
+ description: "Amend metadata on an existing graph edge. Like `git commit --amend` \u2014 changes the edge annotation without recreating the relationship.",
8016
+ parameters: {
8017
+ edgeId: { type: "string", description: "Edge ID or global ID to update" },
8018
+ weight: { type: "number", description: "Updated edge weight" },
8019
+ confidence: { type: "number", description: "Updated confidence" },
8020
+ context: { type: "string", description: "Updated human-readable context" },
8021
+ derivationType: { type: "string", description: "Updated derivation type" },
8022
+ metadata: { type: "object", description: "Updated metadata" }
8023
+ },
8024
+ required: ["edgeId"],
8025
+ response: {
8026
+ description: "Edge update result",
8027
+ fields: { success: "boolean" }
8028
+ },
8029
+ ownerModule: "graph-primitives",
8030
+ ontologyPrimitive: "edge",
8031
+ tier: "workhorse"
8032
+ };
8033
+ var REMOVE_EDGE = {
8034
+ name: "remove_edge",
8035
+ description: "Remove one graph edge by ID. Like `git rm` \u2014 deletes a single explicit relationship from the spine.",
8036
+ parameters: {
8037
+ edgeId: { type: "string", description: "Edge ID or global ID to remove" }
8038
+ },
8039
+ required: ["edgeId"],
8040
+ response: {
8041
+ description: "Edge removal result",
8042
+ fields: { success: "boolean" }
8043
+ },
8044
+ ownerModule: "graph-primitives",
8045
+ ontologyPrimitive: "edge",
8046
+ tier: "workhorse"
8047
+ };
8048
+ var REMOVE_EDGES_BETWEEN = {
8049
+ name: "remove_edges_between",
8050
+ description: "Remove graph edges between two nodes. Like `git rm <pathspec>` \u2014 deletes relationships matching a source, target, and optional type.",
8051
+ parameters: {
8052
+ fromNodeId: { type: "string", description: "Source node ID or global ID" },
8053
+ toNodeId: { type: "string", description: "Target node ID or global ID" },
8054
+ edgeType: { type: "string", description: "Optional edge type filter" }
8055
+ },
8056
+ required: ["fromNodeId", "toNodeId"],
8057
+ response: {
8058
+ description: "Matched edge removal result",
8059
+ fields: { deleted: "number" }
8060
+ },
8061
+ ownerModule: "graph-primitives",
8062
+ ontologyPrimitive: "edge",
8063
+ tier: "workhorse"
8064
+ };
8065
+ var BATCH_CREATE_EDGES = {
8066
+ name: "batch_create_edges",
8067
+ description: "Commit multiple typed graph edges. Like `git commit` with many staged paths \u2014 writes a batch of explicit relationships atomically per edge.",
8068
+ parameters: {
8069
+ edges: {
8070
+ type: "array",
8071
+ description: "Edges to create, each with from, to, edgeType, and optional weight/confidence/context."
8072
+ },
8073
+ skipLayerValidation: {
8074
+ type: "boolean",
8075
+ description: "Skip kernel layer validation for trusted materialization flows."
8076
+ }
8077
+ },
8078
+ required: ["edges"],
8079
+ response: {
8080
+ description: "Batch edge creation result",
8081
+ fields: {
8082
+ created: "number",
8083
+ results: "array",
8084
+ errors: "array"
8085
+ }
8086
+ },
8087
+ ownerModule: "graph-primitives",
8088
+ ontologyPrimitive: "edge",
8089
+ tier: "workhorse"
8090
+ };
8091
+ var CREATE_EPISTEMIC_NODE = {
8092
+ name: "create_epistemic_node",
8093
+ description: "Commit a generic epistemic graph node. Like `git commit` \u2014 creates a canonical node in the public spine for topics, beliefs, evidence, questions, answers, sources, and entities.",
8094
+ parameters: {
8095
+ globalId: { type: "string", description: "Optional idempotent node global ID" },
8096
+ nodeType: { type: "string", description: "Public epistemic node type" },
8097
+ canonicalText: { type: "string", description: "Canonical node text" },
8098
+ text: { type: "string", description: "Alias for canonicalText" },
8099
+ contentHash: { type: "string", description: "Optional idempotency content hash" },
8100
+ sourceType: { type: "string", description: "Source type for provenance" },
8101
+ topicId: { type: "string", description: "Optional topic scope" },
8102
+ content: { type: "string", description: "Extended content" },
8103
+ title: { type: "string", description: "Display title" },
8104
+ metadata: { type: "object", description: "Optional node metadata" }
8105
+ },
8106
+ required: ["nodeType"],
8107
+ response: {
8108
+ description: "Created node result",
8109
+ fields: {
8110
+ nodeId: "string",
8111
+ nodeGlobalId: "string",
8112
+ isDuplicate: "boolean"
8113
+ }
8114
+ },
8115
+ ownerModule: "reasoning-kernel",
8116
+ ontologyPrimitive: "graph",
8117
+ tier: "showcase"
8118
+ };
8119
+ var GET_EPISTEMIC_NODE = {
8120
+ name: "get_epistemic_node",
8121
+ description: "Read one epistemic graph node. Like `git show` \u2014 resolves a canonical spine node by ID or global ID.",
8122
+ parameters: {
8123
+ nodeId: { type: "string", description: "Node ID or global ID" }
8124
+ },
8125
+ required: ["nodeId"],
8126
+ response: {
8127
+ description: "The resolved node",
8128
+ fields: { node: "object" }
8129
+ },
8130
+ ownerModule: "reasoning-kernel",
8131
+ ontologyPrimitive: "graph",
8132
+ tier: "workhorse"
8133
+ };
8134
+ var LIST_EPISTEMIC_NODES = {
8135
+ name: "list_epistemic_nodes",
8136
+ description: "List epistemic graph nodes. Like `git ls-tree` \u2014 lists canonical spine nodes by topic, type, status, or search query.",
8137
+ parameters: {
8138
+ topicId: { type: "string", description: "Optional topic scope" },
8139
+ nodeType: { type: "string", description: "Optional node type filter" },
8140
+ status: { type: "string", description: "Optional lifecycle status" },
8141
+ searchQuery: { type: "string", description: "Optional text search query" },
8142
+ limit: { type: "number", description: "Maximum nodes to return" }
8143
+ },
8144
+ required: [],
8145
+ response: {
8146
+ description: "Matching nodes",
8147
+ fields: { nodes: "array" }
8148
+ },
8149
+ ownerModule: "reasoning-kernel",
8150
+ ontologyPrimitive: "graph",
8151
+ tier: "workhorse"
8152
+ };
8153
+ var UPDATE_EPISTEMIC_NODE = {
8154
+ name: "update_epistemic_node",
8155
+ description: "Amend an epistemic graph node. Like `git commit --amend` \u2014 updates mutable node metadata, text, status, or verification fields.",
8156
+ parameters: {
8157
+ nodeId: { type: "string", description: "Node ID or global ID" },
8158
+ canonicalText: { type: "string", description: "Updated canonical text" },
8159
+ text: { type: "string", description: "Alias for canonicalText" },
8160
+ contentHash: { type: "string", description: "Updated content hash" },
8161
+ content: { type: "string", description: "Updated content" },
8162
+ title: { type: "string", description: "Updated display title" },
8163
+ metadata: { type: "object", description: "Updated metadata" },
8164
+ confidence: { type: "number", description: "Updated confidence" },
8165
+ verificationStatus: { type: "string", description: "Updated verification status" },
8166
+ status: { type: "string", description: "Updated lifecycle status" }
8167
+ },
8168
+ required: ["nodeId"],
8169
+ response: {
8170
+ description: "Node update result",
8171
+ fields: { success: "boolean" }
8172
+ },
8173
+ ownerModule: "reasoning-kernel",
8174
+ ontologyPrimitive: "graph",
8175
+ tier: "workhorse"
8176
+ };
8177
+ var ARCHIVE_EPISTEMIC_NODE = {
8178
+ name: "archive_epistemic_node",
8179
+ description: "Archive an epistemic graph node. Like `git rm --cached` \u2014 removes a node from active traversal without hard-deleting it.",
8180
+ parameters: {
8181
+ nodeId: { type: "string", description: "Node ID or global ID" }
8182
+ },
8183
+ required: ["nodeId"],
8184
+ response: {
8185
+ description: "Archive result",
8186
+ fields: { success: "boolean", effectiveStatus: "string" }
8187
+ },
8188
+ ownerModule: "reasoning-kernel",
8189
+ ontologyPrimitive: "graph",
8190
+ tier: "workhorse"
8191
+ };
8192
+ var VERIFY_EPISTEMIC_NODE = {
8193
+ name: "verify_epistemic_node",
8194
+ description: "Record verification state on an epistemic graph node. Like `git tag` \u2014 marks the node with a reviewed verification state.",
8195
+ parameters: {
8196
+ nodeId: { type: "string", description: "Node ID or global ID" },
8197
+ verificationStatus: { type: "string", description: "Verification status" },
8198
+ confidence: { type: "number", description: "Optional confidence update" }
8199
+ },
8200
+ required: ["nodeId", "verificationStatus"],
8201
+ response: {
8202
+ description: "Verification result",
8203
+ fields: { success: "boolean" }
8204
+ },
8205
+ ownerModule: "reasoning-kernel",
8206
+ ontologyPrimitive: "graph",
8207
+ tier: "workhorse"
8208
+ };
8209
+ var SUPERSEDE_EPISTEMIC_NODE = {
8210
+ name: "supersede_epistemic_node",
8211
+ description: "Supersede an epistemic graph node with a new version. Like `git commit --amend` on an immutable history branch \u2014 creates the replacement and marks the old node superseded.",
8212
+ parameters: {
8213
+ oldNodeId: { type: "string", description: "Node ID or global ID to supersede" },
8214
+ newGlobalId: { type: "string", description: "Optional replacement global ID" },
8215
+ newCanonicalText: { type: "string", description: "Replacement canonical text" },
8216
+ text: { type: "string", description: "Alias for newCanonicalText" },
8217
+ newContentHash: { type: "string", description: "Optional replacement content hash" },
8218
+ reason: { type: "string", description: "Reason for superseding" }
8219
+ },
8220
+ required: ["oldNodeId"],
8221
+ response: {
8222
+ description: "Supersede result",
8223
+ fields: { oldNodeId: "string", newNodeId: "string" }
8224
+ },
8225
+ ownerModule: "reasoning-kernel",
8226
+ ontologyPrimitive: "graph",
8227
+ tier: "workhorse"
8228
+ };
8229
+ var BATCH_CREATE_EPISTEMIC_NODES = {
8230
+ name: "batch_create_epistemic_nodes",
8231
+ description: "Commit multiple epistemic graph nodes. Like `git commit` with many staged files \u2014 writes a batch of canonical spine nodes.",
8232
+ parameters: {
8233
+ nodes: {
8234
+ type: "array",
8235
+ description: "Nodes to create with nodeType, canonicalText/text, and optional metadata."
8236
+ }
8237
+ },
8238
+ required: ["nodes"],
8239
+ response: {
8240
+ description: "Batch node creation result",
8241
+ fields: { created: "number", results: "array" }
8242
+ },
8243
+ ownerModule: "reasoning-kernel",
8244
+ ontologyPrimitive: "graph",
8245
+ tier: "workhorse"
8246
+ };
6152
8247
  var RECORD_JUDGMENT = {
6153
8248
  name: "record_judgment",
6154
8249
  description: "Record a judgment \u2014 an irreversible commitment based on the current epistemic state. Like a `git tag` marking a release. A judgment synthesizes beliefs, evidence, and uncertainties into a determination. Once issued, a judgment is evaluated against the epistemic state that existed when it was made (knowledge horizon evaluation, Invariant #10).",
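Review bot: `skipLayerValidation` in `BATCH_CREATE_EDGES` is published as an ordinary caller-settable tool parameter, so every agent that can call `batch_create_edges` is shown a switch that turns kernel layer validation off. The description restricts it to "trusted materialization flows", but nothing in the contract ties the flag to a scope or principal type, and the handler is not part of this diff. Either keep the flag off the public MCP contract and expose it only on an internal entry point, or state the gate and enforce it server-side, e.g. `description: "Skip kernel layer validation. Honoured only for trusted service principals; ignored for other callers."`. The same hunk adds `remove_edge` and `remove_edges_between` without saying which permission a caller needs to delete edges.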
@@ -7348,8 +9443,8 @@ var IDENTITY_WHOAMI = {
7348
9443
  response: {
7349
9444
  description: "Canonical identity summary for the current session",
7350
9445
  fields: {
7351
- principalId: "string \u2014 canonical federated principal identifier",
7352
- principalType: "string \u2014 human, service, or agent",
9446
+ principalId: "string \u2014 canonical principal identifier; for humans this is the Clerk user_... ID",
9447
+ principalType: "string \u2014 human, service, agent, group, or external_viewer",
7353
9448
  tenantId: "string | undefined \u2014 resolved tenant scope",
7354
9449
  workspaceId: "string | undefined \u2014 resolved workspace scope",
7355
9450
  scopes: "string[] | undefined \u2014 granted scopes for this session",
@@ -7360,6 +9455,49 @@ var IDENTITY_WHOAMI = {
7360
9455
  ontologyPrimitive: "identity",
7361
9456
  tier: "workhorse"
7362
9457
  };
9458
+ var RESOLVE_INTERACTIVE_PRINCIPAL = {
9459
+ name: "resolve_interactive_principal",
9460
+ description: "Read the Permit-backed Lucern principal context for an authenticated Clerk user. Like `git config --get user.email` plus the repository ACL \u2014 resolves the Clerk subject into tenant/workspace authorization context.",
9461
+ parameters: {
9462
+ clerkId: {
9463
+ type: "string",
9464
+ description: "Authenticated Clerk subject (`sub`). Clerk proves identity only; it is not the authorization record."
9465
+ },
9466
+ tenantId: {
9467
+ type: "string",
9468
+ description: "Optional tenant scope. Omit only when the Clerk alias is globally unambiguous."
9469
+ },
9470
+ workspaceId: {
9471
+ type: "string",
9472
+ description: "Optional workspace scope. Required when the principal has access to multiple workspaces and no default can be inferred."
9473
+ },
9474
+ providerProjectId: {
9475
+ type: "string",
9476
+ description: "Optional Clerk project or provider instance id for tenants with multiple identity providers."
9477
+ }
9478
+ },
9479
+ required: ["clerkId"],
9480
+ response: {
9481
+ description: "Permit-backed Lucern principal context for tenant SDK bootstrap",
9482
+ fields: {
9483
+ principalId: "string \u2014 canonical Clerk user_... ID for human sessions",
9484
+ principalType: "string \u2014 human, service, agent, group, or external_viewer",
9485
+ clerkId: "string \u2014 authenticated Clerk subject alias",
9486
+ tenantId: "string \u2014 resolved tenant scope",
9487
+ workspaceId: "string | null \u2014 resolved workspace scope",
9488
+ roles: "string[] \u2014 effective Permit roles",
9489
+ scopes: "string[] \u2014 effective scopes derived from Permit/control-plane projection",
9490
+ groupIds: "string[] \u2014 active Permit group memberships",
9491
+ principalStatus: "string \u2014 active, invited, suspended, disabled, revoked, or missing",
9492
+ tenantStatus: "string \u2014 projected tenant resource status",
9493
+ workspaceStatus: "string \u2014 projected workspace resource status",
9494
+ permit: "object \u2014 Permit subject, tenant, and optional workspace tuple"
9495
+ }
9496
+ },
9497
+ ownerModule: "control-plane",
9498
+ ontologyPrimitive: "identity",
9499
+ tier: "workhorse"
9500
+ };
7363
9501
  var COMPILE_CONTEXT = {
7364
9502
  name: "compile_context",
7365
9503
  description: "Compile a focused reasoning context. If topicId is omitted, Lucern resolves the best topic from the query. Like `git log --graph --decorate` for the reasoning substrate \u2014 returns the canonical Pillar 3 context pack through the public API shape.",
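Review bot: `clerkId` in `RESOLVE_INTERACTIVE_PRINCIPAL` is a required caller-supplied string, while the response returns roles, scopes, group memberships and status for that subject. If the handler (not visible here) looks up whatever `clerkId` it receives instead of comparing it with the subject of the verified session token, a caller can read another user's authorization context. The parameter description should state the binding, for example `description: "Authenticated Clerk subject (sub); must equal the subject of the verified session token unless the caller is a service principal."`. Later hunks register this tool in `MCP_TOOL_CONTRACTS` and `MCP_CORE_OPERATION_NAMES`, so it is on the core surface and the check matters for every client that gets that surface.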
@@ -7621,6 +9759,10 @@ var CREATE_TASK = {
7621
9759
  tags: {
7622
9760
  type: "array",
7623
9761
  description: "Free-form string tags"
9762
+ },
9763
+ metadata: {
9764
+ type: "object",
9765
+ description: "Structured task metadata for handoff context and routing hints"
7624
9766
  }
7625
9767
  },
7626
9768
  required: ["title"],
@@ -7694,6 +9836,10 @@ var UPDATE_TASK = {
7694
9836
  type: "string",
7695
9837
  description: "Updated status",
7696
9838
  enum: ["todo", "in_progress", "blocked", "done"]
9839
+ },
9840
+ metadata: {
9841
+ type: "object",
9842
+ description: "Structured task metadata to replace or refine"
7697
9843
  }
7698
9844
  },
7699
9845
  required: ["taskId"],
@@ -7741,6 +9887,10 @@ var CREATE_TOPIC = {
7741
9887
  name: "create_topic",
7742
9888
  description: "Create a new topic container for scoping knowledge. Like `git init` \u2014 initializes a new repository for a knowledge domain. Topics are hierarchical: a deal topic can nest under a theme topic. Types: domain, theme, deal, strategy, constitution, project, portfolio.",
7743
9889
  parameters: {
9890
+ globalId: {
9891
+ type: "string",
9892
+ description: "Optional idempotent topic global ID"
9893
+ },
7744
9894
  name: { type: "string", description: "Topic name" },
7745
9895
  type: {
7746
9896
  type: "string",
@@ -7751,6 +9901,18 @@ var CREATE_TOPIC = {
7751
9901
  type: "string",
7752
9902
  description: "Optional parent topic for nesting"
7753
9903
  },
9904
+ parentTopicGlobalId: {
9905
+ type: "string",
9906
+ description: "Optional parent topic global ID for nesting"
9907
+ },
9908
+ tenantId: { type: "string", description: "Optional tenant scope" },
9909
+ workspaceId: { type: "string", description: "Optional workspace scope" },
9910
+ visibility: {
9911
+ type: "string",
9912
+ description: "Topic visibility",
9913
+ enum: ["private", "team", "firm", "external", "public"]
9914
+ },
9915
+ metadata: { type: "object", description: "Optional topic metadata" },
7754
9916
  createdBy: { type: "string", description: "Who created this topic" }
7755
9917
  },
7756
9918
  required: ["name", "type"],
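Review bot: The new `tenantId` and `workspaceId` parameters on `CREATE_TOPIC` let the caller name the scope a topic is created in, and the contract does not say how they relate to the session's resolved tenant and workspace. Unless the handler rejects values that differ from the authenticated scope, this is a cross-tenant write path; the handler is outside this diff, so the check cannot be confirmed here. I would document the rule in the contract, e.g. `tenantId: { type: "string", description: "Optional tenant scope; must match the caller's resolved tenant" }`, and the same for `workspaceId`. `visibility` also accepts `"external"` and `"public"` with no stated default, which is worth spelling out. The `CREATE_TOPIC` object begins and ends outside this hunk.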
@@ -7759,6 +9921,9 @@ var CREATE_TOPIC = {
7759
9921
  fields: {
7760
9922
  id: "string \u2014 topic ID",
7761
9923
  globalId: "string \u2014 globally unique ID",
9924
+ topicGlobalId: "string \u2014 topic global ID",
9925
+ epistemicNodeId: "string \u2014 materialized topic node ID",
9926
+ epistemicNodeGlobalId: "string \u2014 materialized topic node global ID",
7762
9927
  depth: "number \u2014 nesting depth"
7763
9928
  }
7764
9929
  },
@@ -7889,6 +10054,65 @@ var GET_TOPIC_TREE = {
7889
10054
  ontologyPrimitive: "graph",
7890
10055
  tier: "workhorse"
7891
10056
  };
10057
+ var MATERIALIZE_TOPIC_GRAPH = {
10058
+ name: "materialize_topic_graph",
10059
+ description: "Backfill the topic graph spine. Like `git fsck --connectivity-only` with repair enabled \u2014 creates missing topic nodes and parent-child edges idempotently.",
10060
+ parameters: {
10061
+ rootTopicId: {
10062
+ type: "string",
10063
+ description: "Optional root topic for a bounded materialization pass"
10064
+ },
10065
+ dryRun: {
10066
+ type: "boolean",
10067
+ description: "When true, report missing rows without writing them"
10068
+ }
10069
+ },
10070
+ required: [],
10071
+ response: {
10072
+ description: "Topic graph materialization counts",
10073
+ fields: {
10074
+ topicsSeen: "number",
10075
+ nodesCreated: "number",
10076
+ nodesExisting: "number",
10077
+ edgesCreated: "number",
10078
+ edgesExisting: "number",
10079
+ errors: "array"
10080
+ }
10081
+ },
10082
+ ownerModule: "reasoning-kernel",
10083
+ ontologyPrimitive: "graph",
10084
+ tier: "workhorse"
10085
+ };
10086
+ var GET_TOPIC_GRAPH_SPINE = {
10087
+ name: "get_topic_graph_spine",
10088
+ description: "Verify the topic graph spine. Like `git fsck` \u2014 reads topics, materialized topic nodes, parent-child edges, and missing spine rows.",
10089
+ parameters: {
10090
+ rootTopicId: {
10091
+ type: "string",
10092
+ description: "Optional root topic for a bounded verifier pass"
10093
+ },
10094
+ includeTopicBeliefEdges: {
10095
+ type: "boolean",
10096
+ description: "Include topic -> belief edges in the verifier payload"
10097
+ }
10098
+ },
10099
+ required: [],
10100
+ response: {
10101
+ description: "Topic graph spine verification payload",
10102
+ fields: {
10103
+ ok: "boolean",
10104
+ counts: "object",
10105
+ topics: "array",
10106
+ topicNodes: "array",
10107
+ parentEdges: "array",
10108
+ missingTopicNodes: "array",
10109
+ missingParentEdges: "array"
10110
+ }
10111
+ },
10112
+ ownerModule: "reasoning-kernel",
10113
+ ontologyPrimitive: "graph",
10114
+ tier: "workhorse"
10115
+ };
7892
10116
  var GET_CODE_CONTEXT = {
7893
10117
  name: "get_code_context",
7894
10118
  description: "Returns code-grounded beliefs, contracts, migration states, and failed attempts anchored to a specific file or function path. Like `git log -- <path>` \u2014 filters the knowledge graph to nodes anchored to a file path via metadata.codeAnchors. Results are separated by coding belief type: decisions, contracts, migrations, patterns, deprecations, and failures.",
@@ -8084,7 +10308,7 @@ var MANAGE_WRITE_POLICY = {
8084
10308
  },
8085
10309
  role: {
8086
10310
  type: "string",
8087
- description: "Role to set policy for (required for 'set'). E.g. 'agent:internal', 'user:analyst'."
10311
+ description: "Role to set policy for (required for 'set'). E.g. 'agent:internal' or a Permit role key such as 'workspace_admin'."
8088
10312
  },
8089
10313
  permission: {
8090
10314
  type: "string",
@@ -9071,6 +11295,9 @@ var BEGIN_BUILD_SESSION = {
9071
11295
  sessionMode: "string \u2014 async | interactive",
9072
11296
  targetBeliefIds: "array \u2014 scoped belief IDs",
9073
11297
  targetQuestionIds: "array \u2014 scoped question IDs",
11298
+ taskIds: "array \u2014 assigned task IDs for this worktree",
11299
+ incompleteTaskIds: "array \u2014 assigned task IDs that still require done/deferred/blocked proof",
11300
+ tasks: "array \u2014 assigned task packet with id, title, status, priority, links, and summaries",
9074
11301
  topBeliefs: "array \u2014 highest-confidence scoped beliefs",
9075
11302
  openQuestions: "array \u2014 open scoped questions",
9076
11303
  resolvedDecisions: "array \u2014 answered questions summarized for the session",
@@ -9126,6 +11353,19 @@ var MCP_TOOL_CONTRACTS = {
9126
11353
  bisect_confidence: BISECT_CONFIDENCE,
9127
11354
  // Edges (commit)
9128
11355
  create_edge: CREATE_EDGE,
11356
+ update_edge: UPDATE_EDGE,
11357
+ remove_edge: REMOVE_EDGE,
11358
+ remove_edges_between: REMOVE_EDGES_BETWEEN,
11359
+ batch_create_edges: BATCH_CREATE_EDGES,
11360
+ // Epistemic node spine (commit/amend/show)
11361
+ create_epistemic_node: CREATE_EPISTEMIC_NODE,
11362
+ get_epistemic_node: GET_EPISTEMIC_NODE,
11363
+ list_epistemic_nodes: LIST_EPISTEMIC_NODES,
11364
+ update_epistemic_node: UPDATE_EPISTEMIC_NODE,
11365
+ archive_epistemic_node: ARCHIVE_EPISTEMIC_NODE,
11366
+ verify_epistemic_node: VERIFY_EPISTEMIC_NODE,
11367
+ supersede_epistemic_node: SUPERSEDE_EPISTEMIC_NODE,
11368
+ batch_create_epistemic_nodes: BATCH_CREATE_EPISTEMIC_NODES,
9129
11369
  // Judgments (tag)
9130
11370
  record_judgment: RECORD_JUDGMENT,
9131
11371
  // Graph intelligence (showcase)
@@ -9160,6 +11400,7 @@ var MCP_TOOL_CONTRACTS = {
9160
11400
  update_worktree_targets: UPDATE_WORKTREE_TARGETS,
9161
11401
  update_worktree_metadata: UPDATE_WORKTREE_METADATA,
9162
11402
  identity_whoami: IDENTITY_WHOAMI,
11403
+ resolve_interactive_principal: RESOLVE_INTERACTIVE_PRINCIPAL,
9163
11404
  compile_context: COMPILE_CONTEXT,
9164
11405
  record_scope_learning: RECORD_SCOPE_LEARNING,
9165
11406
  pipeline_snapshot: PIPELINE_SNAPSHOT,
@@ -9199,6 +11440,8 @@ var MCP_TOOL_CONTRACTS = {
9199
11440
  get_topic: GET_TOPIC,
9200
11441
  update_topic: UPDATE_TOPIC,
9201
11442
  get_topic_tree: GET_TOPIC_TREE,
11443
+ materialize_topic_graph: MATERIALIZE_TOPIC_GRAPH,
11444
+ get_topic_graph_spine: GET_TOPIC_GRAPH_SPINE,
9202
11445
  // Coding intelligence (code-grounded knowledge)
9203
11446
  get_code_context: GET_CODE_CONTEXT,
9204
11447
  get_change_history: GET_CHANGE_HISTORY,
@@ -9275,6 +11518,7 @@ function entries(names, surfaceClass, surfaceIntent, surfaces, rationale) {
9275
11518
  var MCP_CORE_OPERATION_NAMES = [
9276
11519
  "compile_context",
9277
11520
  "identity_whoami",
11521
+ "resolve_interactive_principal",
9278
11522
  "check_permission",
9279
11523
  "filter_by_permission",
9280
11524
  "create_belief",
@@ -9303,14 +11547,28 @@ var MCP_CORE_OPERATION_NAMES = [
9303
11547
  "find_missing_questions",
9304
11548
  "get_high_priority_questions",
9305
11549
  "get_falsification_questions",
11550
+ "create_epistemic_node",
11551
+ "get_epistemic_node",
11552
+ "list_epistemic_nodes",
11553
+ "update_epistemic_node",
11554
+ "archive_epistemic_node",
11555
+ "verify_epistemic_node",
11556
+ "supersede_epistemic_node",
11557
+ "batch_create_epistemic_nodes",
9306
11558
  "create_topic",
9307
11559
  "get_topic",
9308
11560
  "list_topics",
9309
11561
  "update_topic",
9310
- "get_topic_tree"
11562
+ "get_topic_tree",
11563
+ "materialize_topic_graph",
11564
+ "get_topic_graph_spine"
9311
11565
  ];
9312
11566
  var MCP_ANALYSIS_PLATFORM_OPERATION_NAMES = [
9313
11567
  "create_edge",
11568
+ "update_edge",
11569
+ "remove_edge",
11570
+ "remove_edges_between",
11571
+ "batch_create_edges",
9314
11572
  "query_lineage",
9315
11573
  "traverse_graph",
9316
11574
  "get_graph_neighborhood",
@@ -9642,12 +11900,20 @@ function unwrapMcpParameterSchema(schema) {
9642
11900
  current = current._def.schema;
9643
11901
  continue;
9644
11902
  default:
9645
- return { schema: current, required, description: description ?? current.description };
11903
+ return {
11904
+ schema: current,
11905
+ required,
11906
+ description: description ?? current.description
11907
+ };
9646
11908
  }
9647
11909
  }
9648
11910
  }
9649
11911
  function mcpParameterFromZod(fieldName, schema, contractName) {
9650
- const { schema: unwrapped, required, description: schemaDescription } = unwrapMcpParameterSchema(schema);
11912
+ const {
11913
+ schema: unwrapped,
11914
+ required,
11915
+ description: schemaDescription
11916
+ } = unwrapMcpParameterSchema(schema);
9651
11917
  const description = schemaDescription ?? unwrapped.description ?? fieldName;
9652
11918
  switch (unwrapped._def.typeName) {
9653
11919
  case z.ZodFirstPartyTypeKind.ZodString:
@@ -9692,10 +11958,12 @@ function mcpContractFromArgsSchema(base, args, contractName) {
9692
11958
  const entries2 = Object.entries(getObjectShape(args)).sort(
9693
11959
  ([left], [right]) => left.localeCompare(right)
9694
11960
  );
9695
- const converted = entries2.map(([fieldName, schema]) => [
9696
- fieldName,
9697
- mcpParameterFromZod(fieldName, schema, contractName)
9698
- ]);
11961
+ const converted = entries2.map(
11962
+ ([fieldName, schema]) => [
11963
+ fieldName,
11964
+ mcpParameterFromZod(fieldName, schema, contractName)
11965
+ ]
11966
+ );
9699
11967
  return {
9700
11968
  ...base,
9701
11969
  parameters: Object.fromEntries(
@@ -9804,9 +12072,16 @@ function surfaceContract(args) {
9804
12072
  scopes: args.scopes ?? [
9805
12073
  args.kind === "query" ? `${args.domain}.read` : `${args.domain}.write`
9806
12074
  ],
9807
- allowedPrincipalTypes: ["user", "service", "agent"]
12075
+ allowedPrincipalTypes: [
12076
+ "user",
12077
+ "service",
12078
+ "agent",
12079
+ "group",
12080
+ "external_viewer"
12081
+ ]
9808
12082
  },
9809
12083
  convex: args.convex,
12084
+ gateway: args.gateway,
9810
12085
  args: canonicalArgs,
9811
12086
  returns: canonicalReturns,
9812
12087
  input,
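Review bot: The default `allowedPrincipalTypes` in `surfaceContract` now lists `"group"` and `"external_viewer"` for every contract built through this helper, mutations included, and the hunk shows no per-contract override. If the gateway authorizes on this list, an external viewer becomes eligible for write surfaces such as `create_topic` or `archive_epistemic_node` unless scopes stop it; that enforcement is not visible here. I would keep the narrow default and let read-only contracts opt in through a new option, e.g. `allowedPrincipalTypes: args.allowedPrincipalTypes ?? ["user", "service", "agent"]`. `surfaceContract` starts and ends outside the hunk.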
@@ -9945,8 +12220,6 @@ var contextContracts = [
9945
12220
  args: observationContextArgs
9946
12221
  })
9947
12222
  ];
9948
-
9949
- // ../contracts/src/function-registry/identity.ts
9950
12223
  var withPrincipal = (input, context) => ({
9951
12224
  ...input,
9952
12225
  tenantId: input.tenantId ?? context.tenantId,
@@ -9965,11 +12238,30 @@ var identityContracts = [
9965
12238
  sdkNamespace: "identity",
9966
12239
  sdkMethod: "whoami",
9967
12240
  summary: "Describe the current gateway principal.",
12241
+ gateway: {
12242
+ handler: "identity.whoami"
12243
+ }
12244
+ }),
12245
+ surfaceContract({
12246
+ name: "resolve_interactive_principal",
12247
+ kind: "query",
12248
+ domain: "controlPlane",
12249
+ surfaceClass: "platform_public",
12250
+ method: "POST",
12251
+ path: "/control-plane/identity/resolve-interactive-principal",
12252
+ sdkNamespace: "controlPlane.identity",
12253
+ sdkMethod: "resolveInteractivePrincipal",
12254
+ summary: "Resolve an authenticated Clerk user into a Permit-backed Lucern principal context.",
12255
+ args: z.object({
12256
+ clerkId: z.string().min(1),
12257
+ tenantId: z.string().min(1).optional(),
12258
+ workspaceId: z.string().min(1).optional(),
12259
+ providerProjectId: z.string().min(1).optional()
12260
+ }),
9968
12261
  convex: {
9969
- module: "identity",
9970
- functionName: "whoami",
9971
- kind: "query",
9972
- inputProjection: withPrincipal
12262
+ module: "platform",
12263
+ functionName: "resolveInteractivePrincipal",
12264
+ kind: "query"
9973
12265
  }
9974
12266
  }),
9975
12267
  surfaceContract({
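Review bot: `resolve_interactive_principal` takes `clerkId` (plus optional `tenantId` and `workspaceId`) from the request arguments on a `platform_public` surface, and its `convex` block has no `inputProjection`, so nothing in this hunk ties the requested `clerkId` to the caller's authenticated session. The summary says "an authenticated Clerk user", which suggests the identity should come from the verified token; if the backend function trusts the argument as given, a caller holding the read scope could ask for another user's principal context. Either derive `clerkId` from the gateway context in an `inputProjection`, or state on the contract that the backend must compare the argument with the session subject and reject a mismatch. The `identityContracts` array continues outside the hunk.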
@@ -10051,15 +12343,6 @@ var beliefLookupInput = (input) => compactRecord4({
10051
12343
  var beliefNodeInput = (input) => compactRecord4({
10052
12344
  nodeId: input.nodeId ?? input.id ?? input.beliefId
10053
12345
  });
10054
- var beliefTopicInput = (input) => {
10055
- const parsed = listBeliefsProjection.inputSchema.safeParse(input);
10056
- if (!parsed.success) {
10057
- throw new Error(
10058
- `list_beliefs projection input rejected: ${parsed.error.message}`
10059
- );
10060
- }
10061
- return compactRecord4(listBeliefsProjection.project(parsed.data));
10062
- };
10063
12346
  var createBeliefInput = (input, context) => {
10064
12347
  return withUserId(
10065
12348
  compactRecord4({
@@ -10148,11 +12431,8 @@ var beliefsContracts = [
10148
12431
  sdkNamespace: "beliefs",
10149
12432
  sdkMethod: "listBeliefs",
10150
12433
  summary: "List beliefs for a topic.",
10151
- convex: {
10152
- module: "beliefs",
10153
- functionName: "getByTopic",
10154
- kind: "query",
10155
- inputProjection: beliefTopicInput
12434
+ gateway: {
12435
+ handler: "beliefs.list"
10156
12436
  },
10157
12437
  args: listBeliefsInputSchema
10158
12438
  }),
@@ -10293,7 +12573,7 @@ var beliefsContracts = [
10293
12573
  })
10294
12574
  ];
10295
12575
  var jsonRecordSchema4 = z.record(z.unknown());
10296
- var evidenceRelationSchema = z.enum(["supports", "contradicts", "neutral"]);
12576
+ var evidenceRelationSchema = z.enum(["supports", "contradicts"]);
10297
12577
  var createEvidenceArgs = z.object({
10298
12578
  topicId: z.string().optional().describe("Topic scope for the evidence."),
10299
12579
  text: z.string().describe("Canonical evidence text."),
@@ -10337,12 +12617,6 @@ var evidenceIdInput = (input) => compactRecord4({
10337
12617
  insightId: input.insightId,
10338
12618
  nodeId: input.nodeId ?? input.id ?? input.evidenceId
10339
12619
  });
10340
- var evidenceTopicInput = (input) => compactRecord4({
10341
- topicId: input.topicId,
10342
- status: input.status,
10343
- userId: input.userId,
10344
- limit: input.limit
10345
- });
10346
12620
  var createEvidenceInput = (input, context) => {
10347
12621
  const parsed = createEvidenceProjection.inputSchema.safeParse(input);
10348
12622
  if (!parsed.success) {
@@ -10473,11 +12747,8 @@ var evidenceContracts = [
10473
12747
  sdkNamespace: "evidence",
10474
12748
  sdkMethod: "listEvidence",
10475
12749
  summary: "List evidence for a topic.",
10476
- convex: {
10477
- module: "evidence",
10478
- functionName: "getByTopic",
10479
- kind: "query",
10480
- inputProjection: evidenceTopicInput
12750
+ gateway: {
12751
+ handler: "evidence.list"
10481
12752
  }
10482
12753
  }),
10483
12754
  surfaceContract({
@@ -10712,11 +12983,8 @@ var questionsContracts = [
10712
12983
  sdkNamespace: "questions",
10713
12984
  sdkMethod: "listQuestions",
10714
12985
  summary: "List questions for a topic.",
10715
- convex: {
10716
- module: "questions",
10717
- functionName: "getByTopic",
10718
- kind: "query",
10719
- inputProjection: questionTopicInput
12986
+ gateway: {
12987
+ handler: "questions.list"
10720
12988
  }
10721
12989
  }),
10722
12990
  surfaceContract({
@@ -10919,18 +13187,50 @@ var questionsContracts = [
10919
13187
  args: falsificationQuestionsArgs
10920
13188
  })
10921
13189
  ];
13190
+ var topicVisibilitySchema = z.enum([
13191
+ "private",
13192
+ "team",
13193
+ "firm",
13194
+ "external",
13195
+ "public"
13196
+ ]);
13197
+ var topicStatusSchema = z.enum(["active", "archived", "watching"]);
13198
+ var createTopicArgs = z.object({
13199
+ globalId: z.string().optional().describe("Optional idempotent topic global ID."),
13200
+ name: z.string().describe("Topic name."),
13201
+ description: z.string().optional().describe("Topic description."),
13202
+ type: z.string().describe("Topic type."),
13203
+ parentTopicId: z.string().optional().describe("Optional parent topic ID."),
13204
+ parentTopicGlobalId: z.string().optional().describe("Optional parent topic global ID."),
13205
+ ontologyId: z.string().optional().describe("Ontology to bind."),
13206
+ tenantId: z.string().optional().describe("Optional tenant scope."),
13207
+ workspaceId: z.string().optional().describe("Optional workspace scope."),
13208
+ visibility: topicVisibilitySchema.optional().describe("Topic visibility."),
13209
+ metadata: z.record(z.unknown()).optional().describe("Topic metadata."),
13210
+ graphScopeProjectId: z.string().optional(),
13211
+ createdBy: z.string().optional()
13212
+ });
10922
13213
  var updateTopicArgs = z.object({
10923
13214
  id: z.string().describe("Topic ID."),
10924
13215
  topicId: z.string().optional().describe("Topic ID alias."),
10925
13216
  name: z.string().optional().describe("Topic name."),
10926
13217
  description: z.string().optional().describe("Topic description."),
10927
13218
  type: z.string().optional().describe("Topic type."),
10928
- status: z.string().optional().describe("Topic status."),
10929
- visibility: z.string().optional().describe("Topic visibility."),
13219
+ status: topicStatusSchema.optional().describe("Topic status."),
13220
+ visibility: topicVisibilitySchema.optional().describe("Topic visibility."),
10930
13221
  ontologyId: z.string().optional().describe("Ontology to bind."),
10931
13222
  clearOntologyId: z.boolean().optional().describe("Whether to clear the ontology binding."),
10932
13223
  metadata: z.record(z.unknown()).optional().describe("Topic metadata.")
10933
13224
  });
13225
+ var materializeTopicGraphArgs = z.object({
13226
+ rootTopicId: z.string().optional().describe("Optional root topic ID."),
13227
+ dryRun: z.boolean().optional().describe("Report missing rows without writing."),
13228
+ createdBy: z.string().optional()
13229
+ });
13230
+ var getTopicGraphSpineArgs = z.object({
13231
+ rootTopicId: z.string().optional().describe("Optional root topic ID."),
13232
+ includeTopicBeliefEdges: z.boolean().optional()
13233
+ });
10934
13234
  var topicIdInput = (input) => compactRecord4({
10935
13235
  id: input.id ?? input.topicId
10936
13236
  });
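Review bot: `createTopicArgs` accepts `tenantId`, `workspaceId` and `createdBy` from the caller, and `materializeTopicGraphArgs` accepts `createdBy`; the `withCreatedBy` projection these contracts use is not shown, so it is unclear whether the authenticated context wins over the supplied values. On a `platform_public` mutation, tenant scope and authorship normally come from the principal, so the schema should either drop these fields or document that they are rejected unless they match the caller's context. `graphScopeProjectId`, `createdBy` and `includeTopicBeliefEdges` are also the only new fields without a `.describe(...)`; something like `createdBy: z.string().optional().describe("Author override; must match the authenticated principal.")` would record the intended contract.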
@@ -10948,87 +13248,488 @@ var updateTopicInput = (input) => compactRecord4({
10948
13248
  });
10949
13249
  var topicsContracts = [
10950
13250
  surfaceContract({
10951
- name: "create_topic",
13251
+ name: "create_topic",
13252
+ kind: "mutation",
13253
+ domain: "topics",
13254
+ surfaceClass: "platform_public",
13255
+ path: "/topics",
13256
+ sdkNamespace: "topics",
13257
+ sdkMethod: "createTopic",
13258
+ summary: "Create a topic.",
13259
+ convex: {
13260
+ module: "topics",
13261
+ functionName: "create",
13262
+ kind: "mutation",
13263
+ inputProjection: withCreatedBy
13264
+ },
13265
+ args: createTopicArgs
13266
+ }),
13267
+ surfaceContract({
13268
+ name: "get_topic",
13269
+ kind: "query",
13270
+ domain: "topics",
13271
+ surfaceClass: "platform_public",
13272
+ method: "GET",
13273
+ path: "/topics/get",
13274
+ sdkNamespace: "topics",
13275
+ sdkMethod: "getTopic",
13276
+ summary: "Get a topic.",
13277
+ convex: {
13278
+ module: "topics",
13279
+ functionName: "get",
13280
+ kind: "query",
13281
+ inputProjection: topicIdInput
13282
+ }
13283
+ }),
13284
+ surfaceContract({
13285
+ name: "list_topics",
13286
+ kind: "query",
13287
+ domain: "topics",
13288
+ surfaceClass: "platform_public",
13289
+ method: "GET",
13290
+ path: "/topics",
13291
+ sdkNamespace: "topics",
13292
+ sdkMethod: "listTopics",
13293
+ summary: "List topics.",
13294
+ convex: {
13295
+ module: "topics",
13296
+ functionName: "list",
13297
+ kind: "query"
13298
+ }
13299
+ }),
13300
+ surfaceContract({
13301
+ name: "update_topic",
13302
+ kind: "mutation",
13303
+ domain: "topics",
13304
+ surfaceClass: "platform_public",
13305
+ method: "PATCH",
13306
+ path: "/topics",
13307
+ sdkNamespace: "topics",
13308
+ sdkMethod: "updateTopic",
13309
+ summary: "Update a topic.",
13310
+ convex: {
13311
+ module: "topics",
13312
+ functionName: "update",
13313
+ kind: "mutation",
13314
+ inputProjection: updateTopicInput
13315
+ },
13316
+ args: updateTopicArgs
13317
+ }),
13318
+ surfaceContract({
13319
+ name: "get_topic_tree",
13320
+ kind: "query",
13321
+ domain: "topics",
13322
+ surfaceClass: "platform_public",
13323
+ method: "GET",
13324
+ path: "/topics/tree",
13325
+ sdkNamespace: "topics",
13326
+ sdkMethod: "getTopicTree",
13327
+ summary: "Get a topic tree.",
13328
+ convex: {
13329
+ module: "topics",
13330
+ functionName: "getTree",
13331
+ kind: "query"
13332
+ }
13333
+ }),
13334
+ surfaceContract({
13335
+ name: "materialize_topic_graph",
13336
+ kind: "mutation",
13337
+ domain: "topics",
13338
+ surfaceClass: "platform_public",
13339
+ path: "/topics/materialize-graph",
13340
+ sdkNamespace: "topics",
13341
+ sdkMethod: "materializeTopicGraph",
13342
+ summary: "Materialize topic nodes and parent-child graph edges.",
13343
+ convex: {
13344
+ module: "topics",
13345
+ functionName: "materializeTopicGraph",
13346
+ kind: "mutation",
13347
+ inputProjection: withCreatedBy
13348
+ },
13349
+ args: materializeTopicGraphArgs
13350
+ }),
13351
+ surfaceContract({
13352
+ name: "get_topic_graph_spine",
13353
+ kind: "query",
13354
+ domain: "topics",
13355
+ surfaceClass: "platform_public",
13356
+ method: "GET",
13357
+ path: "/topics/graph-spine",
13358
+ sdkNamespace: "topics",
13359
+ sdkMethod: "getTopicGraphSpine",
13360
+ summary: "Verify topic nodes and parent-child graph edges.",
13361
+ convex: {
13362
+ module: "topics",
13363
+ functionName: "getTopicGraphSpine",
13364
+ kind: "query"
13365
+ },
13366
+ args: getTopicGraphSpineArgs
13367
+ })
13368
+ ];
13369
+ var sourceTypeSchema2 = z.enum([
13370
+ "human",
13371
+ "ai_extracted",
13372
+ "ai_generated",
13373
+ "imported",
13374
+ "system",
13375
+ "verified",
13376
+ "proprietary"
13377
+ ]);
13378
+ var verificationStatusSchema = z.enum([
13379
+ "unverified",
13380
+ "human_verified",
13381
+ "ai_verified",
13382
+ "contradicted",
13383
+ "outdated"
13384
+ ]);
13385
+ var nodeStatusSchema = z.enum([
13386
+ "active",
13387
+ "superseded",
13388
+ "archived",
13389
+ "deleted"
13390
+ ]);
13391
+ var externalIdsArgs = z.object({
13392
+ crunchbase: z.string().optional(),
13393
+ linkedin: z.string().optional(),
13394
+ pitchbook: z.string().optional(),
13395
+ twitter: z.string().optional(),
13396
+ website: z.string().optional()
13397
+ }).optional();
13398
+ var createEpistemicNodeItemArgs = z.object({
13399
+ globalId: z.string().optional().describe("Optional idempotent node global ID."),
13400
+ nodeType: NODE_TYPE.describe("Public epistemic node type."),
13401
+ subtype: z.string().optional(),
13402
+ canonicalText: z.string().optional().describe("Canonical node text."),
13403
+ text: z.string().optional().describe("Alias for canonicalText."),
13404
+ contentHash: z.string().optional().describe("Optional idempotency content hash."),
13405
+ content: z.string().optional(),
13406
+ contentType: z.string().optional(),
13407
+ title: z.string().optional(),
13408
+ tags: z.array(z.string()).optional(),
13409
+ domain: z.string().optional(),
13410
+ metadata: z.record(z.unknown()).optional(),
13411
+ externalIds: externalIdsArgs,
13412
+ sourceType: sourceTypeSchema2.optional(),
13413
+ aiProvider: z.string().optional(),
13414
+ extractedFromNodeId: z.string().optional(),
13415
+ confidence: z.number().optional(),
13416
+ verificationStatus: verificationStatusSchema.optional(),
13417
+ topicId: z.string().optional(),
13418
+ projectId: z.string().optional(),
13419
+ createdBy: z.string().optional(),
13420
+ trustedBypassAccessCheck: z.boolean().optional()
13421
+ });
13422
+ var createEpistemicNodeArgs = createEpistemicNodeItemArgs;
13423
+ var batchCreateEpistemicNodesArgs = z.object({
13424
+ nodes: z.array(createEpistemicNodeItemArgs)
13425
+ });
13426
+ var getEpistemicNodeArgs = z.object({
13427
+ nodeId: z.string().describe("Node ID or global ID."),
13428
+ globalId: z.string().optional().describe("Node global ID alias.")
13429
+ });
13430
+ var listEpistemicNodesArgs = z.object({
13431
+ topicId: z.string().optional(),
13432
+ projectId: z.string().optional(),
13433
+ nodeType: NODE_TYPE.optional(),
13434
+ status: nodeStatusSchema.optional(),
13435
+ searchQuery: z.string().optional(),
13436
+ query: z.string().optional(),
13437
+ limit: z.number().optional()
13438
+ });
13439
+ var updateEpistemicNodeArgs = z.object({
13440
+ nodeId: z.string().describe("Node ID or global ID."),
13441
+ id: z.string().optional().describe("Node ID alias."),
13442
+ subtype: z.string().optional(),
13443
+ canonicalText: z.string().optional(),
13444
+ text: z.string().optional(),
13445
+ contentHash: z.string().optional(),
13446
+ content: z.string().optional(),
13447
+ contentType: z.string().optional(),
13448
+ title: z.string().optional(),
13449
+ tags: z.array(z.string()).optional(),
13450
+ domain: z.string().optional(),
13451
+ metadata: z.record(z.unknown()).optional(),
13452
+ externalIds: externalIdsArgs,
13453
+ confidence: z.number().optional(),
13454
+ verificationStatus: verificationStatusSchema.optional(),
13455
+ status: nodeStatusSchema.optional(),
13456
+ userId: z.string().optional(),
13457
+ trustedBypassAccessCheck: z.boolean().optional()
13458
+ });
13459
+ var archiveEpistemicNodeArgs = z.object({
13460
+ nodeId: z.string().describe("Node ID or global ID."),
13461
+ id: z.string().optional().describe("Node ID alias."),
13462
+ userId: z.string().optional(),
13463
+ trustedBypassAccessCheck: z.boolean().optional()
13464
+ });
13465
+ var verifyEpistemicNodeArgs = z.object({
13466
+ nodeId: z.string().describe("Node ID or global ID."),
13467
+ id: z.string().optional().describe("Node ID alias."),
13468
+ verificationStatus: verificationStatusSchema,
13469
+ confidence: z.number().optional(),
13470
+ userId: z.string().optional()
13471
+ });
13472
+ var supersedeEpistemicNodeArgs = z.object({
13473
+ oldNodeId: z.string().describe("Node ID or global ID to supersede."),
13474
+ nodeId: z.string().optional().describe("Old node ID alias."),
13475
+ newGlobalId: z.string().optional(),
13476
+ newCanonicalText: z.string().optional(),
13477
+ text: z.string().optional(),
13478
+ canonicalText: z.string().optional(),
13479
+ newContentHash: z.string().optional(),
13480
+ reason: z.string().optional(),
13481
+ createdBy: z.string().optional(),
13482
+ trustedBypassAccessCheck: z.boolean().optional()
13483
+ });
13484
+ function generatedGlobalId(prefix) {
13485
+ return `${prefix}:${crypto.randomUUID()}`;
13486
+ }
13487
+ function resolveCanonicalText(input) {
13488
+ const text = input.canonicalText ?? input.text ?? input.title ?? input.content;
13489
+ if (typeof text !== "string" || text.trim().length === 0) {
13490
+ throw new Error("canonicalText or text is required.");
13491
+ }
13492
+ return text;
13493
+ }
13494
+ function createNodeInput(input, context) {
13495
+ const canonicalText = resolveCanonicalText(input);
13496
+ const nodeType = String(input.nodeType);
13497
+ return withCreatedBy(
13498
+ compactRecord4({
13499
+ globalId: typeof input.globalId === "string" && input.globalId.trim() ? input.globalId : generatedGlobalId(nodeType),
13500
+ nodeType,
13501
+ subtype: input.subtype,
13502
+ canonicalText,
13503
+ contentHash: typeof input.contentHash === "string" && input.contentHash.trim() ? input.contentHash : `${nodeType}:${canonicalText}`,
13504
+ content: input.content,
13505
+ contentType: input.contentType,
13506
+ title: input.title,
13507
+ tags: input.tags,
13508
+ domain: input.domain,
13509
+ metadata: input.metadata,
13510
+ externalIds: input.externalIds,
13511
+ sourceType: typeof input.sourceType === "string" && input.sourceType.trim() ? input.sourceType : "human",
13512
+ aiProvider: input.aiProvider,
13513
+ extractedFromNodeId: input.extractedFromNodeId,
13514
+ confidence: input.confidence,
13515
+ verificationStatus: input.verificationStatus,
13516
+ topicId: input.topicId,
13517
+ projectId: input.projectId
13518
+ }),
13519
+ context
13520
+ );
13521
+ }
13522
+ var getNodeInput = (input) => compactRecord4({
13523
+ nodeId: input.nodeId ?? input.globalId
13524
+ });
13525
+ var listNodesInput = (input) => compactRecord4({
13526
+ topicId: input.topicId,
13527
+ projectId: input.projectId,
13528
+ nodeType: input.nodeType,
13529
+ status: input.status,
13530
+ searchQuery: input.searchQuery ?? input.query,
13531
+ limit: input.limit
13532
+ });
13533
+ var updateNodeInput = (input, context) => withUserId(
13534
+ compactRecord4({
13535
+ nodeId: input.nodeId ?? input.id,
13536
+ subtype: input.subtype,
13537
+ canonicalText: input.canonicalText ?? input.text,
13538
+ contentHash: input.contentHash,
13539
+ content: input.content,
13540
+ contentType: input.contentType,
13541
+ title: input.title,
13542
+ tags: input.tags,
13543
+ domain: input.domain,
13544
+ metadata: input.metadata,
13545
+ externalIds: input.externalIds,
13546
+ confidence: input.confidence,
13547
+ verificationStatus: input.verificationStatus,
13548
+ status: input.status,
13549
+ trustedBypassAccessCheck: input.trustedBypassAccessCheck
13550
+ }),
13551
+ context
13552
+ );
13553
+ var archiveNodeInput = (input, context) => withUserId(
13554
+ compactRecord4({
13555
+ nodeId: input.nodeId ?? input.id,
13556
+ trustedBypassAccessCheck: input.trustedBypassAccessCheck
13557
+ }),
13558
+ context
13559
+ );
13560
+ var verifyNodeInput = (input, context) => withUserId(
13561
+ compactRecord4({
13562
+ nodeId: input.nodeId ?? input.id,
13563
+ verificationStatus: input.verificationStatus,
13564
+ confidence: input.confidence
13565
+ }),
13566
+ context
13567
+ );
13568
+ var supersedeNodeInput = (input, context) => {
13569
+ const newCanonicalText = input.newCanonicalText ?? input.canonicalText ?? input.text;
13570
+ if (typeof newCanonicalText !== "string" || newCanonicalText.trim().length === 0) {
13571
+ throw new Error("newCanonicalText or text is required.");
13572
+ }
13573
+ return {
13574
+ oldNodeId: input.oldNodeId ?? input.nodeId,
13575
+ newGlobalId: typeof input.newGlobalId === "string" && input.newGlobalId.trim() ? input.newGlobalId : generatedGlobalId("node"),
13576
+ newCanonicalText,
13577
+ newContentHash: typeof input.newContentHash === "string" && input.newContentHash.trim() ? input.newContentHash : `superseded:${newCanonicalText}`,
13578
+ createdBy: typeof input.createdBy === "string" ? input.createdBy : authUserId(context),
13579
+ reason: input.reason,
13580
+ trustedBypassAccessCheck: input.trustedBypassAccessCheck
13581
+ };
13582
+ };
13583
+ var batchCreateNodesInput = (input, context) => {
13584
+ const nodes = Array.isArray(input.nodes) ? input.nodes : [];
13585
+ return {
13586
+ nodes: nodes.map(
13587
+ (node) => createNodeInput(
13588
+ node && typeof node === "object" ? node : {},
13589
+ context
13590
+ )
13591
+ )
13592
+ };
13593
+ };
13594
+ var nodesContracts = [
13595
+ surfaceContract({
13596
+ name: "create_epistemic_node",
10952
13597
  kind: "mutation",
10953
- domain: "topics",
13598
+ domain: "nodes",
10954
13599
  surfaceClass: "platform_public",
10955
- path: "/topics",
10956
- sdkNamespace: "topics",
10957
- sdkMethod: "createTopic",
10958
- summary: "Create a topic.",
13600
+ path: "/nodes",
13601
+ sdkNamespace: "nodes",
13602
+ sdkMethod: "createEpistemicNode",
13603
+ summary: "Create a generic epistemic graph node.",
10959
13604
  convex: {
10960
- module: "topics",
13605
+ module: "nodes",
10961
13606
  functionName: "create",
10962
13607
  kind: "mutation",
10963
- inputProjection: withCreatedBy
10964
- }
13608
+ inputProjection: createNodeInput
13609
+ },
13610
+ args: createEpistemicNodeArgs
10965
13611
  }),
10966
13612
  surfaceContract({
10967
- name: "get_topic",
13613
+ name: "get_epistemic_node",
10968
13614
  kind: "query",
10969
- domain: "topics",
13615
+ domain: "nodes",
10970
13616
  surfaceClass: "platform_public",
10971
13617
  method: "GET",
10972
- path: "/topics/get",
10973
- sdkNamespace: "topics",
10974
- sdkMethod: "getTopic",
10975
- summary: "Get a topic.",
13618
+ path: "/nodes/get",
13619
+ sdkNamespace: "nodes",
13620
+ sdkMethod: "getEpistemicNode",
13621
+ summary: "Get a generic epistemic graph node.",
10976
13622
  convex: {
10977
- module: "topics",
13623
+ module: "nodes",
10978
13624
  functionName: "get",
10979
13625
  kind: "query",
10980
- inputProjection: topicIdInput
10981
- }
13626
+ inputProjection: getNodeInput
13627
+ },
13628
+ args: getEpistemicNodeArgs
10982
13629
  }),
10983
13630
  surfaceContract({
10984
- name: "list_topics",
13631
+ name: "list_epistemic_nodes",
10985
13632
  kind: "query",
10986
- domain: "topics",
13633
+ domain: "nodes",
10987
13634
  surfaceClass: "platform_public",
10988
13635
  method: "GET",
10989
- path: "/topics",
10990
- sdkNamespace: "topics",
10991
- sdkMethod: "listTopics",
10992
- summary: "List topics.",
13636
+ path: "/nodes",
13637
+ sdkNamespace: "nodes",
13638
+ sdkMethod: "listEpistemicNodes",
13639
+ summary: "List generic epistemic graph nodes.",
10993
13640
  convex: {
10994
- module: "topics",
13641
+ module: "nodes",
10995
13642
  functionName: "list",
10996
- kind: "query"
10997
- }
13643
+ kind: "query",
13644
+ inputProjection: listNodesInput
13645
+ },
13646
+ args: listEpistemicNodesArgs
10998
13647
  }),
10999
13648
  surfaceContract({
11000
- name: "update_topic",
13649
+ name: "update_epistemic_node",
11001
13650
  kind: "mutation",
11002
- domain: "topics",
13651
+ domain: "nodes",
11003
13652
  surfaceClass: "platform_public",
11004
13653
  method: "PATCH",
11005
- path: "/topics",
11006
- sdkNamespace: "topics",
11007
- sdkMethod: "updateTopic",
11008
- summary: "Update a topic.",
13654
+ path: "/nodes",
13655
+ sdkNamespace: "nodes",
13656
+ sdkMethod: "updateEpistemicNode",
13657
+ summary: "Update a generic epistemic graph node.",
11009
13658
  convex: {
11010
- module: "topics",
13659
+ module: "nodes",
11011
13660
  functionName: "update",
11012
13661
  kind: "mutation",
11013
- inputProjection: updateTopicInput
13662
+ inputProjection: updateNodeInput
11014
13663
  },
11015
- args: updateTopicArgs
13664
+ args: updateEpistemicNodeArgs
11016
13665
  }),
11017
13666
  surfaceContract({
11018
- name: "get_topic_tree",
11019
- kind: "query",
11020
- domain: "topics",
13667
+ name: "archive_epistemic_node",
13668
+ kind: "mutation",
13669
+ domain: "nodes",
11021
13670
  surfaceClass: "platform_public",
11022
- method: "GET",
11023
- path: "/topics/tree",
11024
- sdkNamespace: "topics",
11025
- sdkMethod: "getTopicTree",
11026
- summary: "Get a topic tree.",
13671
+ path: "/nodes/archive",
13672
+ sdkNamespace: "nodes",
13673
+ sdkMethod: "archiveEpistemicNode",
13674
+ summary: "Archive a generic epistemic graph node.",
11027
13675
  convex: {
11028
- module: "topics",
11029
- functionName: "getTree",
11030
- kind: "query"
11031
- }
13676
+ module: "nodes",
13677
+ functionName: "archive",
13678
+ kind: "mutation",
13679
+ inputProjection: archiveNodeInput
13680
+ },
13681
+ args: archiveEpistemicNodeArgs
13682
+ }),
13683
+ surfaceContract({
13684
+ name: "verify_epistemic_node",
13685
+ kind: "mutation",
13686
+ domain: "nodes",
13687
+ surfaceClass: "platform_public",
13688
+ path: "/nodes/verify",
13689
+ sdkNamespace: "nodes",
13690
+ sdkMethod: "verifyEpistemicNode",
13691
+ summary: "Verify a generic epistemic graph node.",
13692
+ convex: {
13693
+ module: "nodes",
13694
+ functionName: "verify",
13695
+ kind: "mutation",
13696
+ inputProjection: verifyNodeInput
13697
+ },
13698
+ args: verifyEpistemicNodeArgs
13699
+ }),
13700
+ surfaceContract({
13701
+ name: "supersede_epistemic_node",
13702
+ kind: "mutation",
13703
+ domain: "nodes",
13704
+ surfaceClass: "platform_public",
13705
+ path: "/nodes/supersede",
13706
+ sdkNamespace: "nodes",
13707
+ sdkMethod: "supersedeEpistemicNode",
13708
+ summary: "Supersede a generic epistemic graph node.",
13709
+ convex: {
13710
+ module: "nodes",
13711
+ functionName: "supersede",
13712
+ kind: "mutation",
13713
+ inputProjection: supersedeNodeInput
13714
+ },
13715
+ args: supersedeEpistemicNodeArgs
13716
+ }),
13717
+ surfaceContract({
13718
+ name: "batch_create_epistemic_nodes",
13719
+ kind: "mutation",
13720
+ domain: "nodes",
13721
+ surfaceClass: "platform_public",
13722
+ path: "/nodes/batch",
13723
+ sdkNamespace: "nodes",
13724
+ sdkMethod: "batchCreateEpistemicNodes",
13725
+ summary: "Batch create generic epistemic graph nodes.",
13726
+ convex: {
13727
+ module: "nodes",
13728
+ functionName: "batchCreate",
13729
+ kind: "mutation",
13730
+ inputProjection: batchCreateNodesInput
13731
+ },
13732
+ args: batchCreateEpistemicNodesArgs
11032
13733
  })
11033
13734
  ];
11034
13735
  var lensPerspectiveSchema = z.enum([
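Review bot: `trustedBypassAccessCheck` is declared in the public args schemas for create, update, archive and supersede, and `updateNodeInput`, `archiveNodeInput` and `supersedeNodeInput` copy it from caller input into the backend call on `platform_public` routes. Whether the `nodes` module honours the flag is not visible here, but a field with this name should only ever be set by trusted server code, so I would remove it from the `z.object` schemas and delete the `trustedBypassAccessCheck: input.trustedBypassAccessCheck` lines from the three projections. `supersedeNodeInput` also prefers a caller-supplied `createdBy` over `authUserId(context)`, which lets the request choose the recorded author; `createdBy: authUserId(context)` keeps attribution tied to the principal. Separately, the fallback `contentHash` in `createNodeInput` is the plain concatenation of `nodeType` and `canonicalText` rather than a digest, so a comment saying so (or an actual hash) would keep readers from treating it as one.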
@@ -11388,6 +14089,19 @@ var worktreeEvidenceSignalInputSchema = z.object({
11388
14089
  progress: z.string().optional().describe("Collection progress note for the signal."),
11389
14090
  notes: z.string().optional().describe("Additional evidence collection notes.")
11390
14091
  }).passthrough().describe("Evidence signal embedded in the worktree plan.");
14092
+ var worktreeDocCompanionTargetSchema = z.object({
14093
+ docPath: z.string().describe(
14094
+ "Repo-relative path to a documentation file the worktree promises to update."
14095
+ ),
14096
+ sectionAnchor: z.string().optional().describe(
14097
+ "Markdown heading anchor (e.g. '## Function-surface manifest') that scopes the promised update."
14098
+ ),
14099
+ reason: z.string().describe(
14100
+ "Why this doc section must be updated for the worktree to be complete."
14101
+ )
14102
+ }).passthrough().describe(
14103
+ "Intent-driven docs companion target. pr-gate-reviewer verifies that the PR actually touches each declared (docPath, sectionAnchor). Distinct from the touch-driven docs-loop. See docs/development/docs-sync-discipline.md Lock 3."
14104
+ );
11391
14105
  var worktreeDecisionGateInputSchema = z.object({
11392
14106
  goCriteria: z.array(z.string()).describe("Criteria that must hold for the worktree to proceed."),
11393
14107
  noGoSignals: z.array(z.string()).describe("Signals that stop or redirect the worktree."),
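Review bot: `docPath` in `worktreeDocCompanionTargetSchema` is described as repo-relative but validated only as `z.string()`, so empty strings, absolute paths and `..` segments pass the schema and reach whatever consumes it (the description names pr-gate-reviewer, whose path handling is not visible here). Enforcing the stated contract in the schema saves every consumer from normalising paths itself, e.g. `docPath: z.string().min(1).refine((p) => !p.startsWith("/") && !p.split("/").includes(".."), "docPath must be repo-relative")`. The object is also `.passthrough()`, so unknown keys are preserved; if that is only for parity with the sibling worktree schemas, a short comment saying so would help.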
@@ -11420,6 +14134,9 @@ var addWorktreeArgs = z.object({
11420
14134
  keyQuestions: z.array(worktreeKeyQuestionInputSchema).optional().describe("Inline key questions captured as part of the worktree plan."),
11421
14135
  evidenceSignals: z.array(worktreeEvidenceSignalInputSchema).optional().describe("Evidence signals the worktree needs to collect or validate."),
11422
14136
  decisionGate: worktreeDecisionGateInputSchema.optional(),
14137
+ docCompanionTargets: z.array(worktreeDocCompanionTargetSchema).optional().describe(
14138
+ "Doc sections the worktree promises to update at PR time. Enforced by pr-gate-reviewer (Lock 3)."
14139
+ ),
11423
14140
  goCriteria: z.array(z.string()).optional().describe("Shorthand go criteria used to build decisionGate."),
11424
14141
  noGoSignals: z.array(z.string()).optional().describe("Shorthand no-go signals used to build decisionGate."),
11425
14142
  proofArtifacts: z.array(z.unknown()).optional().describe("Expected proof artifacts required to close the worktree."),
@@ -11783,7 +14500,21 @@ var createTaskArgs = z.object({
11783
14500
  linkedQuestionId: z.string().optional().describe("Question this task addresses."),
11784
14501
  assigneeId: z.string().optional().describe("Principal assigned to the task."),
11785
14502
  dueDate: z.number().optional().describe("Due date as epoch milliseconds."),
11786
- tags: z.array(z.string()).optional().describe("Free-form tags.")
14503
+ tags: z.array(z.string()).optional().describe("Free-form tags."),
14504
+ metadata: z.record(z.unknown()).optional().describe("Structured task metadata for handoff context and routing hints.")
14505
+ });
14506
+ var updateTaskArgs = z.object({
14507
+ taskId: z.string().describe("Task to update."),
14508
+ title: z.string().optional().describe("Updated task title."),
14509
+ description: z.string().optional().describe("Updated task description."),
14510
+ priority: taskPrioritySchema.optional().describe("Updated priority."),
14511
+ status: taskStatusSchema2.optional().describe("Updated status."),
14512
+ linkedWorktreeId: z.string().optional().describe("Worktree this task belongs to."),
14513
+ linkedBeliefId: z.string().optional().describe("Belief this task supports."),
14514
+ linkedQuestionId: z.string().optional().describe("Question this task addresses."),
14515
+ assigneeId: z.string().optional().describe("Principal assigned to the task."),
14516
+ blockedReason: z.string().optional().describe("Reason the task is blocked or deferred."),
14517
+ metadata: z.record(z.unknown()).optional().describe("Structured task metadata for handoff context and routing hints.")
11787
14518
  });
11788
14519
  var createTaskInput = (input) => compactRecord4({
11789
14520
  title: input.title,
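Review bot: `updateTaskArgs` leaves out `dueDate` and `tags`, both of which `createTaskArgs` accepts, so the update schema gives no way to change a task's due date or tags after creation. If that is deliberate, a short comment above `updateTaskArgs` should say so; otherwise add `dueDate: z.number().optional().describe("Due date as epoch milliseconds.")` and `tags: z.array(z.string()).optional().describe("Free-form tags.")`. The new `metadata: z.record(z.unknown())` field on both schemas accepts values of any size and nesting depth, so a limit at this boundary would keep oversized handoff blobs from being stored.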
@@ -11797,7 +14528,8 @@ var createTaskInput = (input) => compactRecord4({
11797
14528
  linkedQuestionId: input.linkedQuestionId,
11798
14529
  assigneeId: input.assigneeId,
11799
14530
  dueDate: input.dueDate,
11800
- tags: input.tags
14531
+ tags: input.tags,
14532
+ metadata: input.metadata
11801
14533
  });
11802
14534
  var taskInput = (input) => compactRecord4({
11803
14535
  ...input,
@@ -11814,8 +14546,7 @@ var taskTopicInput = (input) => {
11814
14546
  };
11815
14547
  var completeTaskInput = (input) => compactRecord4({
11816
14548
  taskId: input.taskId ?? input.id,
11817
- outputSummary: input.outputSummary ?? input.summary,
11818
- userId: input.userId
14549
+ outputSummary: input.outputSummary ?? input.summary
11819
14550
  });
11820
14551
  var tasksContracts = [
11821
14552
  surfaceContract({
@@ -11833,6 +14564,7 @@ var tasksContracts = [
11833
14564
  kind: "mutation",
11834
14565
  inputProjection: createTaskInput
11835
14566
  },
14567
+ gateway: { handler: "tasks.create" },
11836
14568
  args: createTaskArgs
11837
14569
  }),
11838
14570
  surfaceContract({
@@ -11851,6 +14583,7 @@ var tasksContracts = [
11851
14583
  kind: "query",
11852
14584
  inputProjection: taskTopicInput
11853
14585
  },
14586
+ gateway: { handler: "tasks.list" },
11854
14587
  args: listTasksInputSchema
11855
14588
  }),
11856
14589
  surfaceContract({
@@ -11868,7 +14601,9 @@ var tasksContracts = [
11868
14601
  functionName: "update",
11869
14602
  kind: "mutation",
11870
14603
  inputProjection: taskInput
11871
- }
14604
+ },
14605
+ gateway: { handler: "tasks.update" },
14606
+ args: updateTaskArgs
11872
14607
  }),
11873
14608
  surfaceContract({
11874
14609
  name: "complete_task",
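Review bot: The `update` surface now declares `args: updateTaskArgs` but still projects with `taskInput`, whose body (visible as context in an earlier hunk) starts with `...input`, so every key of the projected input is forwarded to the `update` mutation. Whether the input is parsed against `args` before `inputProjection` runs is not visible here; if it is not, keys outside the schema reach the backend unchanged. An explicit field list in the projection, as `createTaskInput` uses, would make the forwarded set match the schema, and `updateTaskArgs.strict()` would reject unknown keys rather than drop them. The `surfaceContract({...})` call for this surface starts above the hunk.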
@@ -11884,12 +14619,14 @@ var tasksContracts = [
11884
14619
  functionName: "complete",
11885
14620
  kind: "mutation",
11886
14621
  inputProjection: completeTaskInput
11887
- }
14622
+ },
14623
+ gateway: { handler: "tasks.complete" }
11888
14624
  })
11889
14625
  ];
11890
14626
  var CREATE_EDGE_TYPES = edgePolicyManifest.policies.map(
11891
14627
  (policy) => policy.edgeType
11892
14628
  );
14629
+ var REASONING_METHOD_TYPES = [...REASONING_METHODS];
11893
14630
  var createEdgeArgs = z.object({
11894
14631
  from: GraphRefSchema,
11895
14632
  to: GraphRefSchema,
@@ -11899,10 +14636,37 @@ var createEdgeArgs = z.object({
11899
14636
  confidence: z.number().optional(),
11900
14637
  context: z.string().optional(),
11901
14638
  reasoning: z.string().optional(),
14639
+ reasoningMethod: z.enum(REASONING_METHOD_TYPES).optional(),
11902
14640
  derivationType: z.string().optional(),
14641
+ metadata: z.record(z.unknown()).optional(),
11903
14642
  topicId: z.string().optional(),
11904
14643
  trustedBypassAccessCheck: z.boolean().optional()
11905
14644
  });
14645
+ var updateEdgeArgs = z.object({
14646
+ edgeId: z.string().describe("Edge ID or global ID."),
14647
+ weight: z.number().optional(),
14648
+ confidence: z.number().optional(),
14649
+ context: z.string().optional(),
14650
+ reasoning: z.string().optional(),
14651
+ derivationType: z.string().optional(),
14652
+ metadata: z.record(z.unknown()).optional(),
14653
+ userId: z.string().optional()
14654
+ });
14655
+ var removeEdgeArgs = z.object({
14656
+ edgeId: z.string().describe("Edge ID or global ID."),
14657
+ userId: z.string().optional()
14658
+ });
14659
+ var removeEdgesBetweenArgs = z.object({
14660
+ from: GraphRefSchema.optional(),
14661
+ to: GraphRefSchema.optional(),
14662
+ fromNodeId: z.string().optional(),
14663
+ toNodeId: z.string().optional(),
14664
+ edgeType: z.enum(CREATE_EDGE_TYPES).optional()
14665
+ });
14666
+ var batchCreateEdgesArgs = z.object({
14667
+ edges: z.array(createEdgeArgs),
14668
+ skipLayerValidation: z.boolean().optional()
14669
+ });
11906
14670
  var queryLineageArgs = z.object({
11907
14671
  nodeId: z.string().describe("Starting node to trace from."),
11908
14672
  startNode: z.string().optional().describe("Starting node alias accepted by traversal callers."),
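Review bot: `updateEdgeArgs` and `removeEdgeArgs` both accept a caller-supplied `userId`, and the `update_edge` / `remove_edge` projections added in the later `edgesContracts` hunk resolve it as `input.userId ?? context.userId ?? context.principalId`, so on these `platform_public` surfaces the request body takes precedence over the authenticated context. Unless the backend mutation derives the actor itself (not visible here), an edge update or removal can be attributed to a user id chosen by the caller, which undermines the audit trail for those mutations. This same commit removes `userId: input.userId` from `completeTaskInput`, and the same treatment fits here. Drop `userId` from both schemas and project `userId: context.userId ?? context.principalId`.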
@@ -11951,7 +14715,9 @@ var edgesContracts = [
11951
14715
  weight: parsed.weight,
11952
14716
  confidence: parsed.confidence,
11953
14717
  context: parsed.context ?? parsed.reasoning,
14718
+ reasoningMethod: parsed.reasoningMethod,
11954
14719
  derivationType: parsed.derivationType,
14720
+ metadata: parsed.metadata,
11955
14721
  skipLayerValidation: true,
11956
14722
  topicId: parsed.topicId,
11957
14723
  trustedBypassAccessCheck: parsed.trustedBypassAccessCheck
@@ -11962,6 +14728,131 @@ var edgesContracts = [
11962
14728
  },
11963
14729
  args: createEdgeArgs
11964
14730
  }),
14731
+ surfaceContract({
14732
+ name: "update_edge",
14733
+ kind: "mutation",
14734
+ domain: "edges",
14735
+ surfaceClass: "platform_public",
14736
+ method: "PATCH",
14737
+ path: "/edges",
14738
+ sdkNamespace: "edges",
14739
+ sdkMethod: "updateEdge",
14740
+ summary: "Update an epistemic edge.",
14741
+ convex: {
14742
+ module: "edges",
14743
+ functionName: "update",
14744
+ kind: "mutation",
14745
+ inputProjection: (input, context) => compactRecord4({
14746
+ edgeId: input.edgeId,
14747
+ weight: input.weight,
14748
+ confidence: input.confidence,
14749
+ context: input.context ?? input.reasoning,
14750
+ derivationType: input.derivationType,
14751
+ metadata: input.metadata,
14752
+ userId: input.userId ?? context.userId ?? context.principalId
14753
+ })
14754
+ },
14755
+ args: updateEdgeArgs
14756
+ }),
14757
+ surfaceContract({
14758
+ name: "remove_edge",
14759
+ kind: "mutation",
14760
+ domain: "edges",
14761
+ surfaceClass: "platform_public",
14762
+ method: "DELETE",
14763
+ path: "/edges",
14764
+ sdkNamespace: "edges",
14765
+ sdkMethod: "removeEdge",
14766
+ summary: "Remove an epistemic edge.",
14767
+ convex: {
14768
+ module: "edges",
14769
+ functionName: "remove",
14770
+ kind: "mutation",
14771
+ inputProjection: (input, context) => compactRecord4({
14772
+ edgeId: input.edgeId,
14773
+ userId: input.userId ?? context.userId ?? context.principalId
14774
+ })
14775
+ },
14776
+ args: removeEdgeArgs
14777
+ }),
14778
+ surfaceContract({
14779
+ name: "remove_edges_between",
14780
+ kind: "mutation",
14781
+ domain: "edges",
14782
+ surfaceClass: "platform_public",
14783
+ method: "DELETE",
14784
+ path: "/edges/between",
14785
+ sdkNamespace: "edges",
14786
+ sdkMethod: "removeEdgesBetween",
14787
+ summary: "Remove epistemic edges between two nodes.",
14788
+ convex: {
14789
+ module: "edges",
14790
+ functionName: "removeBetween",
14791
+ kind: "mutation",
14792
+ inputProjection: (input) => {
14793
+ const parsed = removeEdgesBetweenArgs.parse(input);
14794
+ const fromNodeId = parsed.from ? graphRefNodeId(parsed.from) : parsed.fromNodeId;
14795
+ const toNodeId = parsed.to ? graphRefNodeId(parsed.to) : parsed.toNodeId;
14796
+ if (!fromNodeId || !toNodeId) {
14797
+ throw new Error("from/to or fromNodeId/toNodeId are required.");
14798
+ }
14799
+ return compactRecord4({
14800
+ fromNodeId,
14801
+ toNodeId,
14802
+ edgeType: parsed.edgeType
14803
+ });
14804
+ }
14805
+ },
14806
+ args: removeEdgesBetweenArgs
14807
+ }),
14808
+ surfaceContract({
14809
+ name: "batch_create_edges",
14810
+ kind: "mutation",
14811
+ domain: "edges",
14812
+ surfaceClass: "platform_public",
14813
+ path: "/edges/batch",
14814
+ sdkNamespace: "edges",
14815
+ sdkMethod: "batchCreateEdges",
14816
+ summary: "Batch create epistemic edges.",
14817
+ convex: {
14818
+ module: "edges",
14819
+ functionName: "batchCreate",
14820
+ kind: "mutation",
14821
+ inputProjection: (input, context) => {
14822
+ const parsed = batchCreateEdgesArgs.parse(input);
14823
+ return {
14824
+ skipLayerValidation: parsed.skipLayerValidation ?? true,
14825
+ edges: parsed.edges.map((edge) => {
14826
+ assertEdgePolicyAllowed(
14827
+ edgePolicyManifest,
14828
+ edge.edgeType,
14829
+ edge.from,
14830
+ edge.to
14831
+ );
14832
+ const fromNodeId = graphRefNodeId(edge.from);
14833
+ const toNodeId = graphRefNodeId(edge.to);
14834
+ return withCreatedBy(
14835
+ compactRecord4({
14836
+ fromNodeId,
14837
+ toNodeId,
14838
+ edgeType: edge.edgeType,
14839
+ globalId: edge.globalId ?? `edge:${fromNodeId}:${toNodeId}:${edge.edgeType}`,
14840
+ weight: edge.weight,
14841
+ confidence: edge.confidence,
14842
+ context: edge.context ?? edge.reasoning,
14843
+ reasoningMethod: edge.reasoningMethod,
14844
+ derivationType: edge.derivationType,
14845
+ metadata: edge.metadata,
14846
+ topicId: edge.topicId
14847
+ }),
14848
+ context
14849
+ );
14850
+ })
14851
+ };
14852
+ }
14853
+ },
14854
+ args: batchCreateEdgesArgs
14855
+ }),
11965
14856
  surfaceContract({
11966
14857
  name: "query_lineage",
11967
14858
  kind: "query",
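Review bot: `batch_create_edges` validates against `batchCreateEdgesArgs`, whose `edges: z.array(createEdgeArgs)` has no upper bound, and the projection runs `assertEdgePolicyAllowed` plus two `graphRefNodeId` calls per element, so one request to `/edges/batch` can carry an arbitrarily large batch. A cap in the schema, e.g. `edges: z.array(createEdgeArgs).min(1).max(MAX_BATCH_EDGES)` with `MAX_BATCH_EDGES` as a placeholder for whatever the `batchCreate` mutation can absorb, would bound the work per call. The projection also sets `skipLayerValidation: parsed.skipLayerValidation ?? true`, so validation is skipped by default and the caller controls the flag. If layer validation is an integrity check, a public surface should not let the request body turn it off, which is worth confirming against the mutation. Unlike the `remove_edges_between` and `batch_create_edges` projections, `update_edge` and `remove_edge` read `input` without calling `.parse()`, so they rely on validation having happened earlier.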
@@ -12684,6 +15575,69 @@ var pipelineContracts = [
12684
15575
  }
12685
15576
  })
12686
15577
  ];
15578
+ function isRecord3(value) {
15579
+ return Boolean(value) && typeof value === "object" && !Array.isArray(value);
15580
+ }
15581
+ function stringValues(value) {
15582
+ if (typeof value === "string") {
15583
+ return [value];
15584
+ }
15585
+ if (Array.isArray(value)) {
15586
+ return value.flatMap((item) => stringValues(item));
15587
+ }
15588
+ return [];
15589
+ }
15590
+ function nestedEvidenceRows(value) {
15591
+ if (Array.isArray(value)) {
15592
+ return value.flatMap((item) => nestedEvidenceRows(item));
15593
+ }
15594
+ if (!isRecord3(value)) {
15595
+ return [];
15596
+ }
15597
+ const nestedKeys = ["evidence", "items", "nodes"];
15598
+ const nestedRows = nestedKeys.flatMap((key) => nestedEvidenceRows(value[key]));
15599
+ return nestedRows.length > 0 ? nestedRows : [value];
15600
+ }
15601
+ function isFailedAttemptRow(row) {
15602
+ const metadata = isRecord3(row.metadata) ? row.metadata : null;
15603
+ return metadata?.failedApproach === true || metadata?.isFailedAttempt === true;
15604
+ }
15605
+ function failureLogSearchFields(row) {
15606
+ const metadata = isRecord3(row.metadata) ? row.metadata : null;
15607
+ return [
15608
+ ...stringValues(row.id),
15609
+ ...stringValues(row._id),
15610
+ ...stringValues(row.title),
15611
+ ...stringValues(row.text),
15612
+ ...stringValues(row.canonicalText),
15613
+ ...stringValues(row.content),
15614
+ ...stringValues(metadata?.codeAnchor),
15615
+ ...stringValues(metadata?.codeAnchors),
15616
+ ...stringValues(metadata?.anchor),
15617
+ ...stringValues(metadata?.anchors),
15618
+ ...stringValues(metadata?.filePath),
15619
+ ...stringValues(metadata?.filePaths),
15620
+ ...stringValues(metadata?.path),
15621
+ ...stringValues(metadata?.paths),
15622
+ ...stringValues(metadata?.sourceRef),
15623
+ ...stringValues(metadata?.touchedPaths)
15624
+ ];
15625
+ }
15626
+ function projectFailureLog(output, input) {
15627
+ const rawQuery = typeof input.query === "string" && input.query.trim().length > 0 ? input.query.trim() : void 0;
15628
+ const searchKey = rawQuery?.toLowerCase();
15629
+ const failures = nestedEvidenceRows(output).filter((row) => isFailedAttemptRow(row)).filter(
15630
+ (row) => !searchKey ? true : failureLogSearchFields(row).some(
15631
+ (field) => field.toLowerCase().includes(searchKey)
15632
+ )
15633
+ );
15634
+ return {
15635
+ query: rawQuery,
15636
+ failures,
15637
+ totalFound: failures.length,
15638
+ showing: failures.length
15639
+ };
15640
+ }
12687
15641
  var recordScopeLearningArgs = z.object({
12688
15642
  topicId: z.string().optional().describe("Topic scope ID"),
12689
15643
  summary: z.string().describe("Atomic learning statement"),
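Review bot: `nestedEvidenceRows` returns a record's children instead of the record whenever its `evidence`, `items` or `nodes` key yields at least one row (`nestedRows.length > 0 ? nestedRows : [value]`), so a failed-attempt row that itself carries one of those keys never reaches `isFailedAttemptRow` and drops out of the failure log. If stored rows can have such a field (not visible here), `return [value, ...nestedRows];` keeps both, and envelope objects are still removed by the `isFailedAttemptRow` filter. `stringValues` and `nestedEvidenceRows` also recurse with no depth limit. Should `metadata` be caller-writable free-form data, a deeply nested array under a key such as `metadata.filePaths` is walked to full depth on every read, so a depth cap is worth adding. None of the six helpers has a comment; a one-line purpose on each, plus a note on `projectFailureLog` that the filter is a case-insensitive substring match, would help the next reader.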
@@ -12773,6 +15727,8 @@ var attemptInput = (input, context) => withUserId(
12773
15727
  tags: ["code_attempt"],
12774
15728
  metadata: compactRecord4({
12775
15729
  ...recordValue2(input.metadata),
15730
+ failedApproach: true,
15731
+ isFailedAttempt: true,
12776
15732
  filePaths: input.filePaths,
12777
15733
  filePath: input.filePath,
12778
15734
  errorMessage: input.errorMessage,
@@ -12903,7 +15859,8 @@ var codingContracts = [
12903
15859
  limit: input.limit,
12904
15860
  status: input.status,
12905
15861
  userId: input.userId
12906
- })
15862
+ }),
15863
+ outputProjection: (output, input) => projectFailureLog(output, input)
12907
15864
  }
12908
15865
  })
12909
15866
  ];
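Review bot: The new `outputProjection` filters the result after `limit: input.limit` has already been forwarded to the backend query, and `projectFailureLog` sets both `totalFound` and `showing` to the same `failures.length`. The two fields can therefore never differ, and `totalFound` counts only the failed attempts inside the fetched page, so a caller cannot tell whether more exist beyond `limit`. Either drop `totalFound` or document the limitation, e.g. `// totalFound counts matches within the fetched page only; the upstream limit is applied before this filter`. The enclosing contract object starts above the hunk.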
@@ -12940,6 +15897,7 @@ var ALL_FUNCTION_CONTRACTS = [
12940
15897
  ...evidenceContracts,
12941
15898
  ...questionsContracts,
12942
15899
  ...topicsContracts,
15900
+ ...nodesContracts,
12943
15901
  ...lensesContracts,
12944
15902
  ...ontologiesContracts,
12945
15903
  ...worktreesContracts,
@@ -13115,6 +16073,13 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13115
16073
  copyMode: "none",
13116
16074
  description: "Deliberation sessions are created by tenant workflows."
13117
16075
  },
16076
+ {
16077
+ component: "kernel",
16078
+ table: "domainEvents",
16079
+ prepopulation: "runtime_log",
16080
+ copyMode: "none",
16081
+ description: "Domain event rows are append-only runtime audit/exhaust data."
16082
+ },
13118
16083
  {
13119
16084
  component: "kernel",
13120
16085
  table: "epistemicAudit",
@@ -13364,14 +16329,14 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13364
16329
  description: "Worktrees are tenant/runtime planning data."
13365
16330
  },
13366
16331
  {
13367
- component: "identity",
16332
+ component: "control-plane",
13368
16333
  table: "agents",
13369
16334
  prepopulation: "runtime_bootstrap",
13370
16335
  copyMode: "none",
13371
16336
  description: "Service agents are provisioned per tenant or service, not copied."
13372
16337
  },
13373
16338
  {
13374
- component: "identity",
16339
+ component: "control-plane",
13375
16340
  table: "mcpWritePolicy",
13376
16341
  prepopulation: "required_template",
13377
16342
  copyMode: "template_global",
@@ -13380,14 +16345,14 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13380
16345
  description: "Global write policy defaults govern service and interactive MCP writes."
13381
16346
  },
13382
16347
  {
13383
- component: "identity",
16348
+ component: "control-plane",
13384
16349
  table: "modelCallLogs",
13385
16350
  prepopulation: "runtime_log",
13386
16351
  copyMode: "none",
13387
16352
  description: "Model call logs are runtime telemetry."
13388
16353
  },
13389
16354
  {
13390
- component: "identity",
16355
+ component: "control-plane",
13391
16356
  table: "modelFunctionSlots",
13392
16357
  prepopulation: "required_template",
13393
16358
  copyMode: "template_global",
@@ -13396,7 +16361,7 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13396
16361
  description: "Function-to-model slots are required by model runtime resolution."
13397
16362
  },
13398
16363
  {
13399
- component: "identity",
16364
+ component: "control-plane",
13400
16365
  table: "modelRegistry",
13401
16366
  prepopulation: "required_template",
13402
16367
  copyMode: "template_global",
@@ -13405,7 +16370,7 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13405
16370
  description: "Model catalog defaults are required by model runtime clients."
13406
16371
  },
13407
16372
  {
13408
- component: "identity",
16373
+ component: "control-plane",
13409
16374
  table: "modelSlotConfigs",
13410
16375
  prepopulation: "required_template",
13411
16376
  copyMode: "template_global",
@@ -13414,14 +16379,105 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13414
16379
  description: "Slot-level defaults are required before tenant overrides exist."
13415
16380
  },
13416
16381
  {
13417
- component: "identity",
16382
+ component: "control-plane",
16383
+ table: "permitAccessReviewItems",
16384
+ prepopulation: "runtime_data",
16385
+ copyMode: "none",
16386
+ description: "Permit access-review item rows are tenant review data projected from Permit."
16387
+ },
16388
+ {
16389
+ component: "control-plane",
16390
+ table: "permitAccessReviews",
16391
+ prepopulation: "runtime_data",
16392
+ copyMode: "none",
16393
+ description: "Permit access-review campaigns are tenant review data projected from Permit."
16394
+ },
16395
+ {
16396
+ component: "control-plane",
16397
+ table: "permitAttributeBindings",
16398
+ prepopulation: "runtime_data",
16399
+ copyMode: "none",
16400
+ description: "Permit ABAC attribute bindings are tenant policy projection rows."
16401
+ },
16402
+ {
16403
+ component: "control-plane",
16404
+ table: "permitGroups",
16405
+ prepopulation: "runtime_data",
16406
+ copyMode: "none",
16407
+ description: "Permit groups are tenant-defined policy subjects, not template data."
16408
+ },
16409
+ {
16410
+ component: "control-plane",
16411
+ table: "permitGroupMemberships",
16412
+ prepopulation: "runtime_data",
16413
+ copyMode: "none",
16414
+ description: "Permit group memberships are tenant-specific policy projection rows."
16415
+ },
16416
+ {
16417
+ component: "control-plane",
16418
+ table: "permitPolicyBundles",
16419
+ prepopulation: "runtime_derived",
16420
+ copyMode: "none",
16421
+ description: "Permit policy bundles are derived from the Permit control plane."
16422
+ },
16423
+ {
16424
+ component: "control-plane",
16425
+ table: "permitPolicyDecisionReceipts",
16426
+ prepopulation: "runtime_log",
16427
+ copyMode: "none",
16428
+ description: "Permit decision receipts are runtime authorization audit logs."
16429
+ },
16430
+ {
16431
+ component: "control-plane",
16432
+ table: "permitPrincipalAliases",
16433
+ prepopulation: "runtime_data",
16434
+ copyMode: "none",
16435
+ description: "Permit principal aliases are tenant-specific identity projection rows."
16436
+ },
16437
+ {
16438
+ component: "control-plane",
16439
+ table: "permitPrincipals",
16440
+ prepopulation: "runtime_data",
16441
+ copyMode: "none",
16442
+ description: "Permit principals are projected from Clerk, Permit, and tenant onboarding flows."
16443
+ },
16444
+ {
16445
+ component: "control-plane",
16446
+ table: "permitProjectionOutbox",
16447
+ prepopulation: "runtime_queue",
16448
+ copyMode: "none",
16449
+ description: "Permit projection outbox rows are runtime sync queue data."
16450
+ },
16451
+ {
16452
+ component: "control-plane",
16453
+ table: "permitRelationshipTuples",
16454
+ prepopulation: "runtime_data",
16455
+ copyMode: "none",
16456
+ description: "Permit ReBAC relationship tuples are tenant policy projection rows."
16457
+ },
16458
+ {
16459
+ component: "control-plane",
16460
+ table: "permitResourceInstances",
16461
+ prepopulation: "runtime_data",
16462
+ copyMode: "none",
16463
+ description: "Permit resource instances are tenant/workspace graph and deployment projection rows."
16464
+ },
16465
+ {
16466
+ component: "control-plane",
16467
+ table: "permitRoleAssignments",
16468
+ prepopulation: "runtime_data",
16469
+ copyMode: "none",
16470
+ description: "Permit role assignments are tenant-specific policy projection rows."
16471
+ },
16472
+ {
16473
+ component: "control-plane",
13418
16474
  table: "platformAudienceGrants",
13419
16475
  prepopulation: "runtime_data",
13420
16476
  copyMode: "none",
13421
16477
  description: "Audience grants are principal/group-specific access rows."
13422
16478
  },
13423
16479
  {
13424
- component: "identity",
16480
+ component: "control-plane",
13425
16481
  table: "platformAudiences",
13426
16482
  prepopulation: "required_template",
13427
16483
  copyMode: "template_tenant_rewrite",
@@ -13430,35 +16486,35 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13430
16486
  description: "Default tenant audience taxonomy rows are rewritten into each tenant."
13431
16487
  },
13432
16488
  {
13433
- component: "identity",
16489
+ component: "control-plane",
13434
16490
  table: "platformPolicyDecisionLogs",
13435
16491
  prepopulation: "runtime_log",
13436
16492
  copyMode: "none",
13437
16493
  description: "Policy decisions are runtime audit logs."
13438
16494
  },
13439
16495
  {
13440
- component: "identity",
16496
+ component: "control-plane",
13441
16497
  table: "projectGrants",
13442
16498
  prepopulation: "runtime_data",
13443
16499
  copyMode: "none",
13444
16500
  description: "Project/topic grants are principal or group-specific access rows."
13445
16501
  },
13446
16502
  {
13447
- component: "identity",
16503
+ component: "control-plane",
13448
16504
  table: "reasoningPermissions",
13449
16505
  prepopulation: "runtime_data",
13450
16506
  copyMode: "none",
13451
16507
  description: "Reasoning permissions are principal-specific policy rows."
13452
16508
  },
13453
16509
  {
13454
- component: "identity",
16510
+ component: "control-plane",
13455
16511
  table: "tenantApiKeys",
13456
16512
  prepopulation: "runtime_secret",
13457
16513
  copyMode: "none",
13458
16514
  description: "API keys are tenant credentials and must never be copied."
13459
16515
  },
13460
16516
  {
13461
- component: "identity",
16517
+ component: "control-plane",
13462
16518
  table: "tenantConfig",
13463
16519
  prepopulation: "required_template",
13464
16520
  copyMode: "template_tenant_rewrite",
@@ -13467,7 +16523,7 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13467
16523
  description: "Tenant-local config defaults are rewritten during bootstrap."
13468
16524
  },
13469
16525
  {
13470
- component: "identity",
16526
+ component: "control-plane",
13471
16527
  table: "tenantIntegrations",
13472
16528
  prepopulation: "required_template",
13473
16529
  copyMode: "template_tenant_rewrite",
@@ -13476,14 +16532,21 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13476
16532
  description: "Non-secret integration descriptors are rewritten into each tenant."
13477
16533
  },
13478
16534
  {
13479
- component: "identity",
16535
+ component: "control-plane",
13480
16536
  table: "tenantModelSlotBindings",
13481
16537
  prepopulation: "runtime_secret",
13482
16538
  copyMode: "none",
13483
16539
  description: "Tenant model slot bindings reference provider secrets and are runtime-only."
13484
16540
  },
13485
16541
  {
13486
- component: "identity",
16542
+ component: "control-plane",
16543
+ table: "tenantPermitSyncStates",
16544
+ prepopulation: "runtime_derived",
16545
+ copyMode: "none",
16546
+ description: "Tenant Permit sync state rows are runtime reconciliation state."
16547
+ },
16548
+ {
16549
+ component: "control-plane",
13487
16550
  table: "tenantPolicies",
13488
16551
  prepopulation: "required_template",
13489
16552
  copyMode: "template_tenant_rewrite",
@@ -13492,42 +16555,42 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13492
16555
  description: "Default tenant policy roles are rewritten during bootstrap."
13493
16556
  },
13494
16557
  {
13495
- component: "identity",
16558
+ component: "control-plane",
13496
16559
  table: "tenantProviderSecrets",
13497
16560
  prepopulation: "runtime_secret",
13498
16561
  copyMode: "none",
13499
16562
  description: "Provider secrets are credentials and must never be copied."
13500
16563
  },
13501
16564
  {
13502
- component: "identity",
16565
+ component: "control-plane",
13503
16566
  table: "tenantProxyGatewayUsage",
13504
16567
  prepopulation: "runtime_log",
13505
16568
  copyMode: "none",
13506
16569
  description: "Proxy gateway usage rows are runtime telemetry."
13507
16570
  },
13508
16571
  {
13509
- component: "identity",
16572
+ component: "control-plane",
13510
16573
  table: "tenantProxyTokenMints",
13511
16574
  prepopulation: "runtime_secret",
13512
16575
  copyMode: "none",
13513
16576
  description: "Proxy token mints are ephemeral secret-bearing runtime rows."
13514
16577
  },
13515
16578
  {
13516
- component: "identity",
16579
+ component: "control-plane",
13517
16580
  table: "tenantSandboxAuditEvents",
13518
16581
  prepopulation: "runtime_log",
13519
16582
  copyMode: "none",
13520
16583
  description: "Sandbox audit rows are runtime security logs."
13521
16584
  },
13522
16585
  {
13523
- component: "identity",
16586
+ component: "control-plane",
13524
16587
  table: "tenantSecrets",
13525
16588
  prepopulation: "runtime_secret",
13526
16589
  copyMode: "none",
13527
16590
  description: "Tenant secrets are credentials and must never be copied."
13528
16591
  },
13529
16592
  {
13530
- component: "identity",
16593
+ component: "control-plane",
13531
16594
  table: "toolAcls",
13532
16595
  prepopulation: "required_template",
13533
16596
  copyMode: "template_global",
@@ -13536,7 +16599,7 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13536
16599
  description: "Default role-to-tool grants are required for SDK/MCP tool access."
13537
16600
  },
13538
16601
  {
13539
- component: "identity",
16602
+ component: "control-plane",
13540
16603
  table: "toolRegistry",
13541
16604
  prepopulation: "required_template",
13542
16605
  copyMode: "template_global",
@@ -13545,7 +16608,7 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13545
16608
  description: "Core tool catalog rows are required before pack or tenant tools exist."
13546
16609
  },
13547
16610
  {
13548
- component: "identity",
16611
+ component: "control-plane",
13549
16612
  table: "users",
13550
16613
  prepopulation: "runtime_bootstrap",
13551
16614
  copyMode: "none",