@lucern/events 0.3.0-alpha.9 → 1.0.0

package/dist/webhooks.js CHANGED
@@ -1,6 +1,20 @@
1
1
  import { z } from 'zod';
2
2
  import { v } from 'convex/values';
3
3
 
4
+ // ../contracts/src/types/reasoning-method.ts
5
+ var REASONING_METHODS = [
6
+ "deductive",
7
+ "inductive",
8
+ "abductive",
9
+ "analogical",
10
+ "causal",
11
+ "correlational",
12
+ "testimonial",
13
+ "statistical",
14
+ "implicit",
15
+ "pattern_match"
16
+ ];
17
+
4
18
  // ../contracts/src/graph-intelligence.contract.ts
5
19
  var GRAPH_INTELLIGENCE_MODE_TOOL_NAMES = {
6
20
  core: [
@@ -692,7 +706,7 @@ defineTable({
692
706
  });
693
707
  defineTable({
694
708
  name: "agents",
695
- component: "identity",
709
+ component: "control-plane",
696
710
  category: "agent",
697
711
  shape: z.object({
698
712
  "slug": z.string(),
@@ -723,6 +737,8 @@ defineTable({
723
737
  category: "tenant",
724
738
  shape: z.object({
725
739
  "tenantId": idOf("tenants"),
740
+ "workspaceId": idOf("workspaces").optional(),
741
+ "environment": z.enum(["dev", "staging", "prod"]).optional(),
726
742
  "keyPrefix": z.enum(["luc", "stk"]),
727
743
  "keyHash": z.string(),
728
744
  "keyHint": z.string(),
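Review bot: The added `workspaceId` and `environment` fields are both `.optional()` on a record that also carries `keyHash`, so the schema cannot tell a key deliberately issued tenant-wide from a row whose scope was never written. If the authorization path reads a missing value as "any workspace / any environment" (the lookup is not visible here), every row created before this version becomes the broadest possible key; I would state the meaning of absence beside the fields, e.g. `// absent workspaceId = tenant-wide key; absent environment = legacy row, must be backfilled`, and have the check fail closed on rows without `environment`. The same optional-scope pattern appears in the `@@ -1676,57 +1740,193 @@` hunk (`workspaceId` on the deploy-credential table, both fields on the slot-binding table) and in `@@ -1736,29 +1936,42 @@` (provider secrets). The table's `name` and `indices` lie outside this hunk.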
@@ -750,7 +766,7 @@ defineTable({
750
766
  shape: z.object({
751
767
  "tenantId": idOf("tenants").optional(),
752
768
  "apiKeyId": idOf("apiKeys").optional(),
753
- "action": z.enum(["key_created", "key_revoked", "key_expired", "key_used", "tenant_secret_created", "tenant_secret_rotated", "tenant_secret_revoked", "tenant_slot_binding_upserted", "tenant_slot_binding_revoked", "proxy_token_minted", "proxy_request_recorded", "tenant_created", "tenant_updated", "tenant_suspended", "tenant_archived", "tenant_reactivated", "principal_created", "principal_updated", "principal_suspended", "membership_created", "membership_updated", "membership_revoked", "group_created", "group_updated", "group_deleted", "group_member_added", "group_member_removed", "workspace_created", "workspace_updated", "workspace_archived", "workspace_deployment_set", "workspace_deployment_removed", "service_key_created", "service_key_rotated", "service_key_revoked", "service_key_used", "service_key_auth_failed", "session_created", "session_validated", "session_revoked", "session_cascade_revoked", "session_expired", "sandbox_created", "sandbox_secret_injected", "sandbox_execution_started", "sandbox_execution_completed", "sandbox_limit_violated", "policy_created", "policy_updated", "policy_enforced", "policy_archived", "agent_registered", "agent_updated", "tool_registered", "tool_updated", "pack_entitled", "pack_installed", "pack_enabled", "pack_disabled", "pack_entitlement_revoked", "pack_upgraded", "pack_upgrade_committed", "pack_upgrade_rolled_back", "pack_group_assigned", "pack_group_unassigned", "methodology_pack_created", "methodology_pack_updated", "methodology_pack_assigned", "methodology_pack_removed", "pack_assigned_to_group", "pack_revoked_from_group", "pack_ontology_materialized", "pack_ontology_topic_bound", "cutover_flag_set", "cutover_flag_cleared"]),
769
+ "action": z.enum(["key_created", "key_revoked", "key_expired", "key_used", "tenant_secret_created", "tenant_secret_rotated", "tenant_secret_revoked", "tenant_slot_binding_upserted", "tenant_slot_binding_revoked", "proxy_token_minted", "proxy_token_lease_issued", "proxy_token_lease_renewed", "proxy_token_lease_revoked", "proxy_request_recorded", "tenant_created", "tenant_updated", "tenant_suspended", "tenant_archived", "tenant_reactivated", "tenant_clerk_organization_linked", "tenant_canonical_identity_repaired", "principal_created", "principal_updated", "principal_suspended", "principal_identity_alias_upserted", "principal_identity_alias_revoked", "membership_created", "membership_updated", "membership_revoked", "group_created", "group_updated", "group_deleted", "group_member_added", "group_member_removed", "workspace_created", "workspace_updated", "workspace_archived", "workspace_deployment_set", "workspace_deployment_removed", "deployment_host_registered", "deployment_host_revoked", "service_key_created", "service_key_rotated", "service_key_revoked", "service_key_used", "service_key_auth_failed", "session_created", "session_validated", "session_revoked", "session_cascade_revoked", "session_expired", "sandbox_created", "sandbox_secret_injected", "sandbox_execution_started", "sandbox_execution_completed", "sandbox_limit_violated", "policy_created", "policy_updated", "policy_enforced", "policy_archived", "permit_sync_enqueued", "permit_sync_succeeded", "permit_sync_failed", "permit_sync_skipped", "agent_registered", "agent_updated", "tool_registered", "tool_updated", "pack_entitled", "pack_installed", "pack_enabled", "pack_disabled", "pack_entitlement_revoked", "pack_upgraded", "pack_upgrade_committed", "pack_upgrade_rolled_back", "pack_group_assigned", "pack_group_unassigned", "methodology_pack_created", "methodology_pack_updated", "methodology_pack_assigned", "methodology_pack_removed", "pack_assigned_to_group", "pack_revoked_from_group", 
"pack_ontology_materialized", "pack_ontology_topic_bound", "cutover_flag_set", "cutover_flag_cleared"]),
754
770
  "actorClerkId": z.string(),
755
771
  "details": z.any().optional(),
756
772
  "createdAt": z.number()
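Review bot: The extended `action` enum gains `proxy_token_lease_issued`, `proxy_token_lease_renewed` and `proxy_token_lease_revoked`, but nothing for a lease that expires or an issuance that is refused, although keys and sessions already have `key_expired`, `session_expired` and `service_key_auth_failed`. Without those entries the audit trail cannot separate a lapsed lease from a live one, and refused requests, which detection rules usually key on, leave no record of their own. If expiry is meant to be derived from the lease row's `expiresAt`, a comment on the enum should say so; otherwise consider adding values such as `"proxy_token_lease_expired"` and `"proxy_token_lease_denied"`. The new lease and identity-alias actions are also written with the free-form `details: z.any()` field shown just below, so producers need a stated rule that token material and raw e-mail addresses stay out of it.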
@@ -974,6 +990,35 @@ defineTable({
974
990
  { kind: "index", name: "by_source", columns: ["source"] }
975
991
  ]
976
992
  });
993
+ defineTable({
994
+ name: "domainEvents",
995
+ component: "kernel",
996
+ category: "events",
997
+ shape: z.object({
998
+ "eventId": z.string(),
999
+ "type": z.string(),
1000
+ "version": z.string(),
1001
+ "timestamp": z.number(),
1002
+ "tenantId": z.string().optional(),
1003
+ "workspaceId": z.string().optional(),
1004
+ "topicId": z.string(),
1005
+ "resourceId": z.string(),
1006
+ "resourceType": z.string(),
1007
+ "actorId": z.string(),
1008
+ "actorType": z.enum(["human", "agent", "service"]),
1009
+ "data": z.record(z.any()),
1010
+ "correlationId": z.string().optional(),
1011
+ "expiresAt": z.number()
1012
+ }),
1013
+ indices: [
1014
+ { kind: "index", name: "by_eventId", columns: ["eventId"] },
1015
+ { kind: "index", name: "by_topic_timestamp", columns: ["topicId", "timestamp"] },
1016
+ { kind: "index", name: "by_tenant_workspace_timestamp", columns: ["tenantId", "workspaceId", "timestamp"] },
1017
+ { kind: "index", name: "by_type_timestamp", columns: ["type", "timestamp"] },
1018
+ { kind: "index", name: "by_resource", columns: ["resourceType", "resourceId", "timestamp"] },
1019
+ { kind: "index", name: "by_expiresAt", columns: ["expiresAt"] }
1020
+ ]
1021
+ });
977
1022
  defineTable({
978
1023
  name: "beliefConfidence",
979
1024
  component: "kernel",
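Review bot: In the new `domainEvents` table, `tenantId` and `workspaceId` are `z.string().optional()`, while several control-plane tables in this diff use `idOf("tenants")` / `idOf("workspaces")`, so an event can be stored with no tenant or with a string that matches no tenant row. Such rows fall outside any query on `by_tenant_workspace_timestamp` but are still returned by `by_topic_timestamp`, `by_type_timestamp` and `by_resource`, which makes those three indexes a cross-tenant read path unless every reader filters on tenant afterwards. I would either declare `tenantId: idOf("tenants")` and reserve an explicit marker for platform-level events, or add a comment naming the event types that may legitimately omit it. `data: z.record(z.any())` accepts any payload, so a comment on what producers must not place there (secrets, tokens) would help. The hunk ends inside the following `beliefConfidence` definition.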
@@ -1629,29 +1674,37 @@ defineTable({
1629
1674
  component: "mc",
1630
1675
  category: "runtime",
1631
1676
  shape: z.object({
1632
- "shimId": z.string(),
1633
- "gateId": z.string(),
1634
- "removalDate": z.string(),
1635
- "removalPriority": z.enum(["P1", "P2", "P3"]),
1636
- "description": z.string(),
1637
- "owner": z.string(),
1638
- "createdAt": z.string(),
1639
- "status": z.enum(["active", "overdue", "removed"]),
1640
- "bridgeType": z.enum(["tool", "agent"]),
1641
- "bridgeTarget": z.object({
1642
- "type": z.enum(["tool", "agent"]),
1643
- "legacyPath": z.string(),
1644
- "harnessPath": z.string()
1677
+ shimId: z.string(),
1678
+ gateId: z.string(),
1679
+ removalDate: z.string(),
1680
+ removalPriority: z.enum(["P1", "P2", "P3"]),
1681
+ description: z.string(),
1682
+ owner: z.string(),
1683
+ createdAt: z.string(),
1684
+ status: z.enum(["active", "overdue", "removed"]),
1685
+ bridgeType: z.enum(["tool", "agent"]),
1686
+ bridgeTarget: z.object({
1687
+ type: z.enum(["tool", "agent"]),
1688
+ legacyPath: z.string(),
1689
+ harnessPath: z.string()
1645
1690
  }),
1646
- "shimBehavior": z.enum(["passthrough_with_logging", "adapter", "feature_flag_gate"]),
1647
- "producesLedgerEntries": z.boolean(),
1648
- "lastAuditedAt": z.number(),
1649
- "metadata": z.record(z.any()).optional()
1691
+ shimBehavior: z.enum([
1692
+ "passthrough_with_logging",
1693
+ "adapter",
1694
+ "feature_flag_gate"
1695
+ ]),
1696
+ producesLedgerEntries: z.boolean(),
1697
+ lastAuditedAt: z.number(),
1698
+ metadata: z.record(z.any()).optional()
1650
1699
  }),
1651
1700
  indices: [
1652
1701
  { kind: "index", name: "by_shimId", columns: ["shimId"] },
1653
1702
  { kind: "index", name: "by_status", columns: ["status"] },
1654
- { kind: "index", name: "by_bridgeType_status", columns: ["bridgeType", "status"] }
1703
+ {
1704
+ kind: "index",
1705
+ name: "by_bridgeType_status",
1706
+ columns: ["bridgeType", "status"]
1707
+ }
1655
1708
  ]
1656
1709
  });
1657
1710
  defineTable({
@@ -1659,12 +1712,23 @@ defineTable({
1659
1712
  component: "mc",
1660
1713
  category: "runtime",
1661
1714
  shape: z.object({
1662
- "domain": z.enum(["graph", "schema", "identity", "policy", "audit", "admin", "agent", "tool", "prompt", "intelligence"]),
1663
- "state": z.enum(["legacy", "cutover", "disabled"]),
1664
- "metadata": z.record(z.any()).optional(),
1665
- "updatedBy": z.string(),
1666
- "createdAt": z.number(),
1667
- "updatedAt": z.number()
1715
+ domain: z.enum([
1716
+ "graph",
1717
+ "schema",
1718
+ "identity",
1719
+ "policy",
1720
+ "audit",
1721
+ "admin",
1722
+ "agent",
1723
+ "tool",
1724
+ "prompt",
1725
+ "intelligence"
1726
+ ]),
1727
+ state: z.enum(["legacy", "cutover", "disabled"]),
1728
+ metadata: z.record(z.any()).optional(),
1729
+ updatedBy: z.string(),
1730
+ createdAt: z.number(),
1731
+ updatedAt: z.number()
1668
1732
  }),
1669
1733
  indices: [
1670
1734
  { kind: "index", name: "by_domain", columns: ["domain"] },
@@ -1676,57 +1740,193 @@ defineTable({
1676
1740
  component: "mc",
1677
1741
  category: "runtime",
1678
1742
  shape: z.object({
1679
- "credentialRef": z.string(),
1680
- "tenantId": idOf("tenants"),
1681
- "target": z.enum(["kernelDeployment", "appDeployment"]),
1682
- "environment": z.enum(["dev", "staging", "prod"]),
1683
- "encryptedDeployKey": z.string(),
1684
- "encryptionVersion": z.string(),
1685
- "keyFingerprint": z.string(),
1686
- "keyHint": z.string(),
1687
- "status": z.enum(["active", "revoked"]),
1688
- "rotatedFromCredentialRef": z.string().optional(),
1689
- "revokedAt": z.number().optional(),
1690
- "revokedBy": z.string().optional(),
1691
- "lastUsedAt": z.number().optional(),
1692
- "metadata": z.record(z.any()).optional(),
1693
- "createdBy": z.string(),
1694
- "createdAt": z.number(),
1695
- "updatedAt": z.number()
1743
+ credentialRef: z.string(),
1744
+ tenantId: idOf("tenants"),
1745
+ workspaceId: idOf("workspaces").optional(),
1746
+ target: z.enum(["kernelDeployment", "appDeployment"]),
1747
+ environment: z.enum(["dev", "staging", "prod"]),
1748
+ encryptedDeployKey: z.string(),
1749
+ encryptionVersion: z.string(),
1750
+ keyFingerprint: z.string(),
1751
+ keyHint: z.string(),
1752
+ status: z.enum(["active", "revoked"]),
1753
+ rotatedFromCredentialRef: z.string().optional(),
1754
+ revokedAt: z.number().optional(),
1755
+ revokedBy: z.string().optional(),
1756
+ lastUsedAt: z.number().optional(),
1757
+ metadata: z.record(z.any()).optional(),
1758
+ createdBy: z.string(),
1759
+ createdAt: z.number(),
1760
+ updatedAt: z.number()
1696
1761
  }),
1697
1762
  indices: [
1698
1763
  { kind: "index", name: "by_credentialRef", columns: ["credentialRef"] },
1699
1764
  { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
1700
- { kind: "index", name: "by_tenant_target", columns: ["tenantId", "target"] },
1701
- { kind: "index", name: "by_tenant_target_environment", columns: ["tenantId", "target", "environment"] },
1702
- { kind: "index", name: "by_tenant_target_environment_status", columns: ["tenantId", "target", "environment", "status"] },
1765
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
1766
+ {
1767
+ kind: "index",
1768
+ name: "by_tenant_target",
1769
+ columns: ["tenantId", "target"]
1770
+ },
1771
+ {
1772
+ kind: "index",
1773
+ name: "by_tenant_target_environment",
1774
+ columns: ["tenantId", "target", "environment"]
1775
+ },
1776
+ {
1777
+ kind: "index",
1778
+ name: "by_tenant_target_environment_status",
1779
+ columns: ["tenantId", "target", "environment", "status"]
1780
+ },
1781
+ {
1782
+ kind: "index",
1783
+ name: "by_tenant_workspace_target_environment_status",
1784
+ columns: ["tenantId", "workspaceId", "target", "environment", "status"]
1785
+ },
1703
1786
  { kind: "index", name: "by_status", columns: ["status"] }
1704
1787
  ]
1705
1788
  });
1789
+ defineTable({
1790
+ name: "permitSyncStates",
1791
+ component: "mc",
1792
+ category: "runtime",
1793
+ shape: z.object({
1794
+ syncKey: z.string(),
1795
+ objectType: z.enum([
1796
+ "resource",
1797
+ "role",
1798
+ "resource_role",
1799
+ "resource_relation",
1800
+ "tenant",
1801
+ "workspace",
1802
+ "principal",
1803
+ "membership",
1804
+ "group",
1805
+ "resource_instance",
1806
+ "relationship_tuple",
1807
+ "role_assignment"
1808
+ ]),
1809
+ objectId: z.string(),
1810
+ tenantId: idOf("tenants").optional(),
1811
+ workspaceId: idOf("workspaces").optional(),
1812
+ principalId: z.string().optional(),
1813
+ permitTenantKey: z.string().optional(),
1814
+ permitResourceType: z.string().optional(),
1815
+ permitResourceKey: z.string().optional(),
1816
+ desiredPayload: z.record(z.any()),
1817
+ lastAppliedPayloadHash: z.string().optional(),
1818
+ status: z.enum(["pending", "synced", "error", "skipped"]),
1819
+ attemptCount: z.number(),
1820
+ lastError: z.string().optional(),
1821
+ nextAttemptAt: z.number().optional(),
1822
+ lastSyncedAt: z.number().optional(),
1823
+ createdBy: z.string(),
1824
+ updatedBy: z.string().optional(),
1825
+ createdAt: z.number(),
1826
+ updatedAt: z.number()
1827
+ }),
1828
+ indices: [
1829
+ { kind: "index", name: "by_syncKey", columns: ["syncKey"] },
1830
+ { kind: "index", name: "by_status", columns: ["status"] },
1831
+ {
1832
+ kind: "index",
1833
+ name: "by_tenant_status",
1834
+ columns: ["tenantId", "status"]
1835
+ },
1836
+ {
1837
+ kind: "index",
1838
+ name: "by_workspace_status",
1839
+ columns: ["workspaceId", "status"]
1840
+ },
1841
+ {
1842
+ kind: "index",
1843
+ name: "by_principal_status",
1844
+ columns: ["principalId", "status"]
1845
+ }
1846
+ ]
1847
+ });
1848
+ defineTable({
1849
+ name: "secretSyncDriftReports",
1850
+ component: "mc",
1851
+ category: "runtime",
1852
+ shape: z.object({
1853
+ reportId: z.string(),
1854
+ source: z.enum(["infisical_manifest", "manual", "ci"]),
1855
+ generatedAt: z.number(),
1856
+ recordedAt: z.number(),
1857
+ recordedBy: z.string(),
1858
+ status: z.enum([
1859
+ "in_sync",
1860
+ "drift",
1861
+ "exception",
1862
+ "blocked",
1863
+ "not_observed"
1864
+ ]),
1865
+ reportHash: z.string(),
1866
+ manifestHash: z.string().optional(),
1867
+ dryRunReceiptId: z.string().optional(),
1868
+ appliedReceiptId: z.string().optional(),
1869
+ summary: z.object({
1870
+ totalPipelines: z.number(),
1871
+ inSync: z.number(),
1872
+ drift: z.number(),
1873
+ exception: z.number(),
1874
+ blocked: z.number(),
1875
+ notObserved: z.number(),
1876
+ missingKeys: z.number(),
1877
+ valueDriftKeys: z.number(),
1878
+ extraKeys: z.number(),
1879
+ deniedConvexLeakage: z.number(),
1880
+ approvedExceptions: z.number()
1881
+ }),
1882
+ redactedReport: z.record(z.any()),
1883
+ metadata: z.record(z.any()).optional()
1884
+ }),
1885
+ indices: [
1886
+ { kind: "index", name: "by_reportId", columns: ["reportId"] },
1887
+ { kind: "index", name: "by_reportHash", columns: ["reportHash"] },
1888
+ { kind: "index", name: "by_generatedAt", columns: ["generatedAt"] },
1889
+ {
1890
+ kind: "index",
1891
+ name: "by_status_generatedAt",
1892
+ columns: ["status", "generatedAt"]
1893
+ }
1894
+ ]
1895
+ });
1706
1896
  defineTable({
1707
1897
  name: "controlPlaneTenantModelSlotBindings",
1708
1898
  component: "mc",
1709
1899
  category: "runtime",
1710
1900
  shape: z.object({
1711
- "bindingId": z.string(),
1712
- "tenantId": idOf("tenants"),
1713
- "providerId": z.string(),
1714
- "modelSlotId": z.string(),
1715
- "secretRef": z.string(),
1716
- "status": z.enum(["active", "revoked"]),
1717
- "passThroughOnly": z.boolean(),
1718
- "revokedAt": z.number().optional(),
1719
- "revokedBy": z.string().optional(),
1720
- "metadata": z.record(z.any()).optional(),
1721
- "createdBy": z.string(),
1722
- "createdAt": z.number(),
1723
- "updatedAt": z.number()
1901
+ bindingId: z.string(),
1902
+ tenantId: idOf("tenants"),
1903
+ workspaceId: idOf("workspaces").optional(),
1904
+ environment: z.enum(["dev", "staging", "prod"]).optional(),
1905
+ providerId: z.string(),
1906
+ modelSlotId: z.string(),
1907
+ secretRef: z.string(),
1908
+ status: z.enum(["active", "revoked"]),
1909
+ passThroughOnly: z.boolean(),
1910
+ revokedAt: z.number().optional(),
1911
+ revokedBy: z.string().optional(),
1912
+ metadata: z.record(z.any()).optional(),
1913
+ createdBy: z.string(),
1914
+ createdAt: z.number(),
1915
+ updatedAt: z.number()
1724
1916
  }),
1725
1917
  indices: [
1726
1918
  { kind: "index", name: "by_bindingId", columns: ["bindingId"] },
1727
1919
  { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
1728
- { kind: "index", name: "by_tenant_slot", columns: ["tenantId", "modelSlotId"] },
1729
- { kind: "index", name: "by_tenant_provider_slot", columns: ["tenantId", "providerId", "modelSlotId"] },
1920
+ {
1921
+ kind: "index",
1922
+ name: "by_tenant_slot",
1923
+ columns: ["tenantId", "modelSlotId"]
1924
+ },
1925
+ {
1926
+ kind: "index",
1927
+ name: "by_tenant_provider_slot",
1928
+ columns: ["tenantId", "providerId", "modelSlotId"]
1929
+ },
1730
1930
  { kind: "index", name: "by_secretRef", columns: ["secretRef"] },
1731
1931
  { kind: "index", name: "by_status", columns: ["status"] }
1732
1932
  ]
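Review bot: `redactedReport: z.record(z.any())` in the new `secretSyncDriftReports` table is redacted in name only; the schema accepts any nested value, so a producer that forgets to strip values would persist secret material and validation would still pass. The neighbouring `summary` object is fully typed, so the report body could be typed the same way (key names and per-key status), or at least carry a comment such as `// key names and drift status only, never secret values`. The same concern applies to `permitSyncStates.desiredPayload` and its free-text `lastError` earlier in this hunk, since upstream error strings can echo request contents. The `controlPlaneTenantModelSlotBindings` definition at the end of this hunk continues outside it.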
@@ -1736,29 +1936,42 @@ defineTable({
1736
1936
  component: "mc",
1737
1937
  category: "runtime",
1738
1938
  shape: z.object({
1739
- "secretRef": z.string(),
1740
- "tenantId": idOf("tenants"),
1741
- "providerId": z.string(),
1742
- "label": z.string().optional(),
1743
- "encryptedSecret": z.string(),
1744
- "encryptionVersion": z.string(),
1745
- "secretFingerprint": z.string(),
1746
- "keyHint": z.string(),
1747
- "status": z.enum(["active", "revoked"]),
1748
- "rotatedFromSecretRef": z.string().optional(),
1749
- "revokedAt": z.number().optional(),
1750
- "revokedBy": z.string().optional(),
1751
- "lastUsedAt": z.number().optional(),
1752
- "metadata": z.record(z.any()).optional(),
1753
- "createdBy": z.string(),
1754
- "createdAt": z.number(),
1755
- "updatedAt": z.number()
1939
+ secretRef: z.string(),
1940
+ tenantId: idOf("tenants"),
1941
+ workspaceId: idOf("workspaces").optional(),
1942
+ environment: z.enum(["dev", "staging", "prod"]).optional(),
1943
+ providerId: z.string(),
1944
+ label: z.string().optional(),
1945
+ encryptedSecret: z.string().optional(),
1946
+ infisicalPath: z.string().optional(),
1947
+ infisicalSecretKey: z.string().optional(),
1948
+ infisicalProjectId: z.string().optional(),
1949
+ encryptionVersion: z.string(),
1950
+ secretFingerprint: z.string(),
1951
+ keyHint: z.string(),
1952
+ status: z.enum(["active", "revoked"]),
1953
+ rotatedFromSecretRef: z.string().optional(),
1954
+ revokedAt: z.number().optional(),
1955
+ revokedBy: z.string().optional(),
1956
+ lastUsedAt: z.number().optional(),
1957
+ metadata: z.record(z.any()).optional(),
1958
+ createdBy: z.string(),
1959
+ createdAt: z.number(),
1960
+ updatedAt: z.number()
1756
1961
  }),
1757
1962
  indices: [
1758
1963
  { kind: "index", name: "by_secretRef", columns: ["secretRef"] },
1759
1964
  { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
1760
- { kind: "index", name: "by_tenant_provider", columns: ["tenantId", "providerId"] },
1761
- { kind: "index", name: "by_tenant_provider_status", columns: ["tenantId", "providerId", "status"] },
1965
+ {
1966
+ kind: "index",
1967
+ name: "by_tenant_provider",
1968
+ columns: ["tenantId", "providerId"]
1969
+ },
1970
+ {
1971
+ kind: "index",
1972
+ name: "by_tenant_provider_status",
1973
+ columns: ["tenantId", "providerId", "status"]
1974
+ },
1762
1975
  { kind: "index", name: "by_status", columns: ["status"] }
1763
1976
  ]
1764
1977
  });
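Review bot: `encryptedSecret` becomes `.optional()` and the three `infisical*` reference fields are added as optional too, so the shape now accepts a row with `status: "active"` that has neither stored ciphertext nor a complete external reference, and also a row that has both. A resolver that falls back from one source to the other could then return the wrong secret or none, and the problem would only surface at use time. I would state the invariant in the schema, for example `.refine((s) => Boolean(s.encryptedSecret) !== Boolean(s.infisicalPath && s.infisicalSecretKey), "exactly one secret source")`, or, if `defineTable` requires a plain object shape, enforce the same check in the write path and document it beside the fields. `encryptionVersion` and `secretFingerprint` stay required, so a comment on what they hold for an Infisical-backed row would prevent placeholder values. The table's `name` line is above the hunk.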
@@ -1767,35 +1980,93 @@ defineTable({
1767
1980
  component: "mc",
1768
1981
  category: "runtime",
1769
1982
  shape: z.object({
1770
- "usageId": z.string(),
1771
- "tenantId": idOf("tenants"),
1772
- "providerId": z.string(),
1773
- "modelSlotId": z.string(),
1774
- "secretRef": z.string(),
1775
- "proxyTokenId": z.string(),
1776
- "sessionId": z.string(),
1777
- "principalId": z.string(),
1778
- "workspaceId": z.string().optional(),
1779
- "modelId": z.string().optional(),
1780
- "requestPath": z.string(),
1781
- "status": z.enum(["success", "error"]),
1782
- "responseStatus": z.number().optional(),
1783
- "inputTokens": z.number().optional(),
1784
- "outputTokens": z.number().optional(),
1785
- "tokenCount": z.number().optional(),
1786
- "latencyMs": z.number(),
1787
- "estimatedCostUsd": z.number().optional(),
1788
- "failureCode": z.string().optional(),
1789
- "metadata": z.record(z.any()).optional(),
1790
- "createdAt": z.number(),
1791
- "updatedAt": z.number()
1983
+ usageId: z.string(),
1984
+ tenantId: idOf("tenants"),
1985
+ providerId: z.string(),
1986
+ modelSlotId: z.string(),
1987
+ secretRef: z.string(),
1988
+ proxyTokenId: z.string(),
1989
+ sessionId: z.string(),
1990
+ principalId: z.string(),
1991
+ workspaceId: z.string().optional(),
1992
+ modelId: z.string().optional(),
1993
+ requestPath: z.string(),
1994
+ status: z.enum(["success", "error"]),
1995
+ responseStatus: z.number().optional(),
1996
+ inputTokens: z.number().optional(),
1997
+ outputTokens: z.number().optional(),
1998
+ tokenCount: z.number().optional(),
1999
+ latencyMs: z.number(),
2000
+ estimatedCostUsd: z.number().optional(),
2001
+ failureCode: z.string().optional(),
2002
+ metadata: z.record(z.any()).optional(),
2003
+ createdAt: z.number(),
2004
+ updatedAt: z.number()
1792
2005
  }),
1793
2006
  indices: [
1794
2007
  { kind: "index", name: "by_usageId", columns: ["usageId"] },
1795
2008
  { kind: "index", name: "by_tenantId", columns: ["tenantId", "createdAt"] },
1796
- { kind: "index", name: "by_tenant_provider", columns: ["tenantId", "providerId", "createdAt"] },
1797
- { kind: "index", name: "by_proxyTokenId", columns: ["proxyTokenId", "createdAt"] },
1798
- { kind: "index", name: "by_sessionId", columns: ["sessionId", "createdAt"] }
2009
+ {
2010
+ kind: "index",
2011
+ name: "by_tenant_provider",
2012
+ columns: ["tenantId", "providerId", "createdAt"]
2013
+ },
2014
+ {
2015
+ kind: "index",
2016
+ name: "by_proxyTokenId",
2017
+ columns: ["proxyTokenId", "createdAt"]
2018
+ },
2019
+ {
2020
+ kind: "index",
2021
+ name: "by_sessionId",
2022
+ columns: ["sessionId", "createdAt"]
2023
+ }
2024
+ ]
2025
+ });
2026
+ defineTable({
2027
+ name: "controlPlaneTenantProxyTokenLeases",
2028
+ component: "mc",
2029
+ category: "runtime",
2030
+ shape: z.object({
2031
+ leaseId: z.string(),
2032
+ proxyTokenId: z.string(),
2033
+ tenantId: idOf("tenants"),
2034
+ workspaceId: idOf("workspaces").optional(),
2035
+ environment: z.enum(["dev", "staging", "prod"]),
2036
+ providerId: z.string(),
2037
+ modelSlotId: z.string(),
2038
+ bindingId: z.string(),
2039
+ secretRef: z.string(),
2040
+ sessionId: z.string(),
2041
+ principalId: z.string(),
2042
+ agentSessionId: z.string().optional(),
2043
+ status: z.enum(["active", "revoked"]),
2044
+ expiresAt: z.number(),
2045
+ renewedAt: z.number().optional(),
2046
+ revokedAt: z.number().optional(),
2047
+ revokedBy: z.string().optional(),
2048
+ revokeReason: z.string().optional(),
2049
+ permitDecisionLogId: idOf("policyDecisionLogs").optional(),
2050
+ permitTraceId: z.string().optional(),
2051
+ metadata: z.record(z.any()).optional(),
2052
+ createdAt: z.number(),
2053
+ updatedAt: z.number()
2054
+ }),
2055
+ indices: [
2056
+ { kind: "index", name: "by_leaseId", columns: ["leaseId"] },
2057
+ { kind: "index", name: "by_proxyTokenId", columns: ["proxyTokenId"] },
2058
+ { kind: "index", name: "by_tenantId", columns: ["tenantId", "createdAt"] },
2059
+ { kind: "index", name: "by_sessionId", columns: ["sessionId", "createdAt"] },
2060
+ {
2061
+ kind: "index",
2062
+ name: "by_principalId",
2063
+ columns: ["principalId", "createdAt"]
2064
+ },
2065
+ {
2066
+ kind: "index",
2067
+ name: "by_status_expiresAt",
2068
+ columns: ["status", "expiresAt"]
2069
+ }
1799
2070
  ]
1800
2071
  });
1801
2072
  defineTable({
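Review bot: `controlPlaneTenantProxyTokenLeases` models validity as `status: z.enum(["active", "revoked"])` plus a separate `expiresAt`, so a lapsed lease still reads `"active"` until something rewrites the row. Any check that accepts a lease on `status === "active"` alone will honour expired leases; the `by_status_expiresAt` index suggests a sweeper is intended, but none is visible here. A comment on the field, `// "active" means not revoked; callers must also require expiresAt > now`, would make that contract explicit. `workspaceId` is `idOf("workspaces")` in this table but stays `z.string()` in the usage table reformatted at the top of the hunk, so code correlating leases with usage rows by workspace should not assume the two hold the same kind of identifier.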
@@ -2128,6 +2399,7 @@ defineTable({
2128
2399
  "questionType": z.enum(["validation", "falsification", "assumption_probe", "prediction_test", "counterfactual", "discovery", "clarification", "comparison", "causal", "mechanism", "general"]).optional(),
2129
2400
  "questionPriority": z.enum(["critical", "high", "medium", "low"]).optional(),
2130
2401
  "answerQuality": z.enum(["definitive", "strong", "moderate", "weak", "speculative", "unanswered"]).optional(),
2402
+ "themeStatus": z.enum(["emerging", "active", "mature", "declining", "archived"]).optional(),
2131
2403
  "themeConviction": z.enum(["high", "medium", "low", "negative"]).optional(),
2132
2404
  "decisionType": z.enum(["invest", "pass", "follow_on", "exit", "deep_dive", "monitor", "deprioritize", "thesis_adopt", "thesis_revise", "thesis_abandon"]).optional(),
2133
2405
  "decisionOutcome": z.enum(["pending", "successful", "unsuccessful", "mixed", "unknown"]).optional(),
@@ -2278,6 +2550,7 @@ defineTable({
2278
2550
  indices: [
2279
2551
  { kind: "index", name: "by_principalId", columns: ["principalId"] },
2280
2552
  { kind: "index", name: "by_principal_tenant", columns: ["principalId", "tenantId"] },
2553
+ { kind: "index", name: "by_principal_tenant_workspace", columns: ["principalId", "tenantId", "workspaceId"] },
2281
2554
  { kind: "index", name: "by_workspace_principal", columns: ["workspaceId", "principalId"] },
2282
2555
  { kind: "index", name: "by_tenant_role", columns: ["tenantId", "role"] },
2283
2556
  { kind: "index", name: "by_status", columns: ["status"] }
@@ -2309,6 +2582,36 @@ defineTable({
2309
2582
  { kind: "index", name: "by_status", columns: ["status"] }
2310
2583
  ]
2311
2584
  });
2585
+ defineTable({
2586
+ name: "principalIdentityAliases",
2587
+ component: "mc",
2588
+ category: "identity",
2589
+ shape: z.object({
2590
+ "principalId": z.string(),
2591
+ "principalRefId": idOf("principals").optional(),
2592
+ "provider": z.string(),
2593
+ "providerProjectId": z.string().optional(),
2594
+ "externalSubjectId": z.string(),
2595
+ "tenantId": idOf("tenants").optional(),
2596
+ "workspaceId": idOf("workspaces").optional(),
2597
+ "email": z.string().optional(),
2598
+ "status": z.enum(["active", "revoked"]),
2599
+ "metadata": z.record(z.any()).optional(),
2600
+ "createdBy": z.string(),
2601
+ "revokedAt": z.number().optional(),
2602
+ "revokedBy": z.string().optional(),
2603
+ "createdAt": z.number(),
2604
+ "updatedAt": z.number()
2605
+ }),
2606
+ indices: [
2607
+ { kind: "index", name: "by_provider_subject", columns: ["provider", "externalSubjectId"] },
2608
+ { kind: "index", name: "by_provider_project_subject", columns: ["provider", "providerProjectId", "externalSubjectId"] },
2609
+ { kind: "index", name: "by_principalId", columns: ["principalId"] },
2610
+ { kind: "index", name: "by_principal_status", columns: ["principalId", "status"] },
2611
+ { kind: "index", name: "by_tenant_provider_subject", columns: ["tenantId", "provider", "externalSubjectId"] },
2612
+ { kind: "index", name: "by_workspace_provider_subject", columns: ["workspaceId", "provider", "externalSubjectId"] }
2613
+ ]
2614
+ });
2312
2615
  defineTable({
2313
2616
  name: "rateLimitWindows",
2314
2617
  component: "mc",
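Review bot: The `by_provider_subject` index on the new `principalIdentityAliases` table keys on `provider` and `externalSubjectId` only, while `providerProjectId` is a separate optional field; if subject ids are unique only within a provider project, a lookup through this index can resolve a login from one project to a principal linked in another. Nothing in the visible definition marks these indexes as unique or filters on `status`, so the resolver itself has to reject duplicates and `revoked` rows. I would document that on the table, e.g. `// resolve via by_provider_project_subject when providerProjectId is known; accept status "active" only; never match on email`, and consider dropping the two-column index if no caller needs it. The hunk ends inside the following `rateLimitWindows` definition.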
@@ -2898,7 +3201,7 @@ defineTable({
2898
3201
  });
2899
3202
  defineTable({
2900
3203
  name: "mcpWritePolicy",
2901
- component: "identity",
3204
+ component: "control-plane",
2902
3205
  category: "platform",
2903
3206
  shape: z.object({
2904
3207
  "topicId": z.string().optional(),
@@ -2921,7 +3224,7 @@ defineTable({
2921
3224
  });
2922
3225
  defineTable({
2923
3226
  name: "platformAudienceGrants",
2924
- component: "identity",
3227
+ component: "control-plane",
2925
3228
  category: "platform",
2926
3229
  shape: z.object({
2927
3230
  "tenantId": z.string(),
@@ -2947,7 +3250,7 @@ defineTable({
2947
3250
  });
2948
3251
  defineTable({
2949
3252
  name: "platformAudiences",
2950
- component: "identity",
3253
+ component: "control-plane",
2951
3254
  category: "platform",
2952
3255
  shape: z.object({
2953
3256
  "tenantId": z.string(),
@@ -2972,7 +3275,7 @@ defineTable({
2972
3275
  });
2973
3276
  defineTable({
2974
3277
  name: "platformPolicyDecisionLogs",
2975
- component: "identity",
3278
+ component: "control-plane",
2976
3279
  category: "platform",
2977
3280
  shape: z.object({
2978
3281
  "principalId": z.string(),
@@ -3008,7 +3311,7 @@ defineTable({
3008
3311
  });
3009
3312
  defineTable({
3010
3313
  name: "tenantApiKeys",
3011
- component: "identity",
3314
+ component: "control-plane",
3012
3315
  category: "platform",
3013
3316
  shape: z.object({
3014
3317
  "tenantId": z.string(),
@@ -3035,7 +3338,7 @@ defineTable({
3035
3338
  });
3036
3339
  defineTable({
3037
3340
  name: "tenantConfig",
3038
- component: "identity",
3341
+ component: "control-plane",
3039
3342
  category: "platform",
3040
3343
  shape: z.object({
3041
3344
  "tenantId": z.string(),
@@ -3054,7 +3357,7 @@ defineTable({
3054
3357
  });
3055
3358
  defineTable({
3056
3359
  name: "tenantIntegrations",
3057
- component: "identity",
3360
+ component: "control-plane",
3058
3361
  category: "platform",
3059
3362
  shape: z.object({
3060
3363
  "tenantId": z.string(),
@@ -3109,7 +3412,7 @@ defineTable({
3109
3412
  });
3110
3413
  defineTable({
3111
3414
  name: "tenantModelSlotBindings",
3112
- component: "identity",
3415
+ component: "control-plane",
3113
3416
  category: "platform",
3114
3417
  shape: z.object({
3115
3418
  "bindingId": z.string(),
@@ -3137,7 +3440,7 @@ defineTable({
3137
3440
  });
3138
3441
  defineTable({
3139
3442
  name: "tenantPolicies",
3140
- component: "identity",
3443
+ component: "control-plane",
3141
3444
  category: "platform",
3142
3445
  shape: z.object({
3143
3446
  "tenantId": z.string(),
@@ -3162,7 +3465,7 @@ defineTable({
3162
3465
  });
3163
3466
  defineTable({
3164
3467
  name: "tenantProviderSecrets",
3165
- component: "identity",
3468
+ component: "control-plane",
3166
3469
  category: "platform",
3167
3470
  shape: z.object({
3168
3471
  "secretRef": z.string(),
@@ -3193,7 +3496,7 @@ defineTable({
3193
3496
  });
3194
3497
  defineTable({
3195
3498
  name: "tenantProxyGatewayUsage",
3196
- component: "identity",
3499
+ component: "control-plane",
3197
3500
  category: "platform",
3198
3501
  shape: z.object({
3199
3502
  "usageId": z.string(),
@@ -3228,7 +3531,7 @@ defineTable({
3228
3531
  });
3229
3532
  defineTable({
3230
3533
  name: "tenantProxyTokenMints",
3231
- component: "identity",
3534
+ component: "control-plane",
3232
3535
  category: "platform",
3233
3536
  shape: z.object({
3234
3537
  "proxyTokenId": z.string(),
@@ -3251,7 +3554,7 @@ defineTable({
3251
3554
  });
3252
3555
  defineTable({
3253
3556
  name: "tenantSandboxAuditEvents",
3254
- component: "identity",
3557
+ component: "control-plane",
3255
3558
  category: "platform",
3256
3559
  shape: z.object({
3257
3560
  "eventId": z.string(),
@@ -3285,7 +3588,7 @@ defineTable({
3285
3588
  });
3286
3589
  defineTable({
3287
3590
  name: "tenantSecrets",
3288
- component: "identity",
3591
+ component: "control-plane",
3289
3592
  category: "platform",
3290
3593
  shape: z.object({
3291
3594
  "tenantId": z.string(),
@@ -3307,7 +3610,7 @@ defineTable({
3307
3610
  });
3308
3611
  defineTable({
3309
3612
  name: "toolAcls",
3310
- component: "identity",
3613
+ component: "control-plane",
3311
3614
  category: "platform",
3312
3615
  shape: z.object({
3313
3616
  "role": z.enum(["platform_admin", "tenant_admin", "workspace_admin", "editor", "viewer", "auditor", "service_agent"]),
@@ -3322,7 +3625,7 @@ defineTable({
3322
3625
  });
3323
3626
  defineTable({
3324
3627
  name: "toolRegistry",
3325
- component: "identity",
3628
+ component: "control-plane",
3326
3629
  category: "platform",
3327
3630
  shape: z.object({
3328
3631
  "toolName": z.string(),
@@ -3403,7 +3706,7 @@ defineTable({
3403
3706
  });
3404
3707
  defineTable({
3405
3708
  name: "modelCallLogs",
3406
- component: "identity",
3709
+ component: "control-plane",
3407
3710
  category: "model",
3408
3711
  shape: z.object({
3409
3712
  "slot": z.string(),
@@ -3429,7 +3732,7 @@ defineTable({
3429
3732
  });
3430
3733
  defineTable({
3431
3734
  name: "modelFunctionSlots",
3432
- component: "identity",
3735
+ component: "control-plane",
3433
3736
  category: "model",
3434
3737
  shape: z.object({
3435
3738
  "slot": z.string(),
@@ -3454,7 +3757,7 @@ defineTable({
3454
3757
  });
3455
3758
  defineTable({
3456
3759
  name: "modelRegistry",
3457
- component: "identity",
3760
+ component: "control-plane",
3458
3761
  category: "model",
3459
3762
  shape: z.object({
3460
3763
  "key": z.string(),
@@ -3481,7 +3784,7 @@ defineTable({
3481
3784
  });
3482
3785
  defineTable({
3483
3786
  name: "modelSlotConfigs",
3484
- component: "identity",
3787
+ component: "control-plane",
3485
3788
  category: "model",
3486
3789
  shape: z.object({
3487
3790
  "slot": z.string(),
@@ -3868,7 +4171,7 @@ defineTable({
3868
4171
  "workspaceId": idOf("workspaces").optional(),
3869
4172
  "resourceType": z.string(),
3870
4173
  "resourceId": z.string(),
3871
- "action": z.enum(["read", "summarize", "export", "mutate", "admin", "comment", "escalate", "resolve", "vote"]),
4174
+ "action": z.enum(["read", "summarize", "export", "mutate", "admin", "comment", "escalate", "resolve", "vote", "route", "invoke", "manage", "deploy", "promote", "rollback", "audit", "read_ref", "fetch_value", "rotate", "administer", "mint", "delegate", "revoke"]),
3872
4175
  "decision": z.enum(["allow", "deny"]),
3873
4176
  "reasonCode": z.string(),
3874
4177
  "policyVersion": z.string(),
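Review bot: The widened `action` enum on the new side adds credential and privilege verbs (`fetch_value`, `rotate`, `mint`, `delegate`, `revoke`) next to three near-synonyms (`admin`, `administer`, `manage`), and nothing in the schema says how these differ or which one a policy should match. The `permitPolicyDecisionReceipts` table added later in this file types its own `action` as plain `z.string()`, so two records of the same decision can disagree on what a valid action is. I would hoist the list into one shared enum and reference it from both tables, for example `action: permitAction,` (a proposed name), with a short comment on each privileged verb. The enclosing `defineTable` starts and ends outside this hunk, so the table being changed cannot be confirmed from here.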
@@ -3930,7 +4233,7 @@ defineTable({
3930
4233
  });
3931
4234
  defineTable({
3932
4235
  name: "projectGrants",
3933
- component: "identity",
4236
+ component: "control-plane",
3934
4237
  category: "project",
3935
4238
  shape: z.object({
3936
4239
  "projectId": z.string().optional(),
@@ -3962,91 +4265,735 @@ defineTable({
3962
4265
  { kind: "index", name: "by_topic_cluster_status", columns: ["topicId", "beliefClusterId", "status"] }
3963
4266
  ]
3964
4267
  });
4268
+ var permitActorType = z.enum([
4269
+ "human",
4270
+ "agent",
4271
+ "service_principal",
4272
+ "external_stakeholder",
4273
+ "system"
4274
+ ]);
4275
+ var permitMembershipStatus = z.enum([
4276
+ "active",
4277
+ "invited",
4278
+ "revoked",
4279
+ "suspended",
4280
+ "disabled"
4281
+ ]);
4282
+ var permitDecision = z.enum(["allow", "deny"]);
4283
+ var permitAccessReviewStatus = z.enum([
4284
+ "open",
4285
+ "in_progress",
4286
+ "approved",
4287
+ "denied",
4288
+ "expired",
4289
+ "cancelled"
4290
+ ]);
4291
+ var permitReviewScope = z.enum([
4292
+ "tenant",
4293
+ "workspace",
4294
+ "resource_instance",
4295
+ "group",
4296
+ "principal",
4297
+ "api_key",
4298
+ "admin_action"
4299
+ ]);
4300
+ var permitRecordStatus = z.enum([
4301
+ "queued",
4302
+ "inflight",
4303
+ "completed",
4304
+ "failed",
4305
+ "skipped",
4306
+ "stale"
4307
+ ]);
4308
+ var permitObjectType = z.enum([
4309
+ "resource",
4310
+ "role",
4311
+ "resource_role",
4312
+ "resource_relation",
4313
+ "tenant",
4314
+ "workspace",
4315
+ "principal",
4316
+ "membership",
4317
+ "group",
4318
+ "resource_instance",
4319
+ "relationship_tuple",
4320
+ "role_assignment",
4321
+ "attribute_binding",
4322
+ "policy_bundle"
4323
+ ]);
4324
+ var permitOutboxOperation = z.enum([
4325
+ "upsert",
4326
+ "delete",
4327
+ "sync",
4328
+ "resync",
4329
+ "delete_sync",
4330
+ "noop"
4331
+ ]);
4332
+ var permitPolicyBundleStatus = z.enum([
4333
+ "draft",
4334
+ "validated",
4335
+ "enforced",
4336
+ "archived"
4337
+ ]);
4338
+ var permitSyncStatus = z.enum([
4339
+ "pending",
4340
+ "synced",
4341
+ "error",
4342
+ "skipped"
4343
+ ]);
4344
+ var permitAccessReviewSubjectType = z.enum([
4345
+ "principal",
4346
+ "group",
4347
+ "role_assignment",
4348
+ "resource_instance"
4349
+ ]);
4350
+ var permitAttributeType = z.enum([
4351
+ "string",
4352
+ "number",
4353
+ "bool",
4354
+ "json",
4355
+ "time"
4356
+ ]);
4357
+ var permitAttributeOperator = z.enum([
4358
+ "eq",
4359
+ "neq",
4360
+ "in",
4361
+ "not_in",
4362
+ "gt",
4363
+ "gte",
4364
+ "lt",
4365
+ "lte",
4366
+ "contains",
4367
+ "not_contains",
4368
+ "matches"
4369
+ ]);
4370
+ var permitRoleBindingTarget = z.enum([
4371
+ "principal",
4372
+ "group"
4373
+ ]);
3965
4374
  defineTable({
3966
- name: "reasoningPermissions",
3967
- component: "identity",
3968
- category: "epistemic",
4375
+ name: "permitPrincipals",
4376
+ component: "control-plane",
4377
+ category: "access-control",
3969
4378
  shape: z.object({
3970
- "topicId": z.string().optional(),
3971
- "principalId": z.string(),
3972
- "nodeType": z.enum(["belief", "evidence", "action", "approval", "artifact"]),
3973
- "action": z.enum(["view_conclusion", "view_evidence", "propose_action", "approve_action", "view_derived_artifact"]),
3974
- "effect": z.enum(["allow", "deny"]),
3975
- "policyReference": z.string().optional(),
3976
- "rationale": z.string().optional(),
3977
- "metadata": z.record(z.any()).optional(),
3978
- "createdAt": z.number(),
3979
- "createdBy": z.string(),
3980
- "updatedAt": z.number()
4379
+ principalId: z.string(),
4380
+ tenantId: z.string(),
4381
+ workspaceId: z.optional(z.string()),
4382
+ principalType: permitActorType,
4383
+ status: permitMembershipStatus,
4384
+ displayName: z.string().optional(),
4385
+ metadata: z.record(z.any()).optional(),
4386
+ createdBy: z.string(),
4387
+ createdAt: z.number(),
4388
+ updatedAt: z.number(),
4389
+ updatedBy: z.string().optional(),
4390
+ lastSeenAt: z.number().optional()
3981
4391
  }),
3982
4392
  indices: [
3983
- { kind: "index", name: "by_topic_principal", columns: ["topicId", "principalId"] },
3984
- { kind: "index", name: "by_topic_principal_action", columns: ["topicId", "principalId", "action"] },
3985
- { kind: "index", name: "by_topic_principal_node_action", columns: ["topicId", "principalId", "nodeType", "action"] },
3986
- { kind: "index", name: "by_principal_action", columns: ["principalId", "action"] }
4393
+ { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
4394
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
4395
+ { kind: "index", name: "by_tenant_principalId", columns: ["tenantId", "principalId"] },
4396
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] },
4397
+ {
4398
+ kind: "index",
4399
+ name: "by_tenant_principalType_status",
4400
+ columns: ["tenantId", "principalType", "status"]
4401
+ }
3987
4402
  ]
3988
4403
  });
3989
4404
  defineTable({
3990
- name: "schemaEnumConfig",
3991
- component: "kernel",
3992
- category: "config",
4405
+ name: "permitPrincipalAliases",
4406
+ component: "control-plane",
4407
+ category: "access-control",
3993
4408
  shape: z.object({
3994
- "tenantId": z.string().optional(),
3995
- "category": z.string(),
3996
- "value": z.string(),
3997
- "label": z.string(),
3998
- "description": z.string().optional(),
3999
- "tier": z.enum(["platform", "tenant"]),
4000
- "domainNamespace": z.string().optional(),
4001
- "metadata": z.any().optional(),
4002
- "isDefault": z.boolean().optional(),
4003
- "sortOrder": z.number().optional(),
4004
- "status": z.enum(["active", "deprecated"]),
4005
- "createdAt": z.number(),
4006
- "updatedAt": z.number()
4409
+ principalId: z.string(),
4410
+ tenantId: z.string(),
4411
+ workspaceId: z.optional(z.string()),
4412
+ provider: z.string(),
4413
+ providerSubjectId: z.string(),
4414
+ providerProjectId: z.string().optional(),
4415
+ alias: z.string(),
4416
+ aliasKind: z.string(),
4417
+ status: permitMembershipStatus,
4418
+ metadata: z.record(z.any()).optional(),
4419
+ createdBy: z.string(),
4420
+ createdAt: z.number(),
4421
+ updatedAt: z.number(),
4422
+ revokedBy: z.string().optional(),
4423
+ revokedAt: z.number().optional(),
4424
+ updatedBy: z.string().optional()
4007
4425
  }),
4008
4426
  indices: [
4009
- { kind: "index", name: "by_category", columns: ["category"] },
4010
- { kind: "index", name: "by_tenant_category", columns: ["tenantId", "category"] },
4011
- { kind: "index", name: "by_category_value", columns: ["category", "value"] }
4427
+ { kind: "index", name: "by_principalId", columns: ["principalId"] },
4428
+ { kind: "index", name: "by_provider_subject", columns: ["provider", "providerSubjectId"] },
4429
+ { kind: "index", name: "by_provider_project_subject", columns: ["provider", "providerProjectId", "providerSubjectId"] },
4430
+ { kind: "index", name: "by_tenant_provider_subject", columns: ["tenantId", "provider", "providerSubjectId"] },
4431
+ { kind: "index", name: "by_tenant_provider_project_subject", columns: ["tenantId", "provider", "providerProjectId", "providerSubjectId"] },
4432
+ {
4433
+ kind: "index",
4434
+ name: "by_tenant_provider_alias",
4435
+ columns: ["tenantId", "provider", "alias"]
4436
+ },
4437
+ { kind: "index", name: "by_tenant_alias", columns: ["tenantId", "alias"] },
4438
+ {
4439
+ kind: "index",
4440
+ name: "by_tenant_provider_status",
4441
+ columns: ["tenantId", "provider", "status"]
4442
+ }
4012
4443
  ]
4013
4444
  });
4014
4445
  defineTable({
4015
- name: "tasks",
4016
- component: "kernel",
4017
- category: "task",
4446
+ name: "permitGroups",
4447
+ component: "control-plane",
4448
+ category: "access-control",
4018
4449
  shape: z.object({
4019
- "topicId": z.string().optional(),
4020
- "tenantId": z.string().optional(),
4021
- "workspaceId": z.string().optional(),
4022
- "title": z.string(),
4023
- "description": z.string().optional(),
4024
- "status": z.enum(["todo", "in_progress", "blocked", "done"]),
4025
- "priority": z.enum(["urgent", "high", "medium", "low"]),
4026
- "dueDate": z.number().optional(),
4027
- "linkedWorktreeId": idOf("worktrees").optional(),
4028
- "linkedBeliefId": z.string().optional(),
4029
- "linkedQuestionId": z.string().optional(),
4030
- "taskType": z.enum(["general", "find_evidence", "verify_claim", "research", "review", "interview", "analysis", "track_metrics"]).optional(),
4031
- "assigneeId": z.string().optional(),
4032
- "blockedReason": z.string().optional(),
4033
- "blockedBy": z.array(idOf("tasks")).optional(),
4034
- "blocks": z.array(idOf("tasks")).optional(),
4035
- "sortOrder": z.number().optional(),
4036
- "executionOrder": z.number().optional(),
4037
- "subtasks": z.array(z.object({
4038
- "id": z.string(),
4039
- "title": z.string(),
4040
- "completed": z.boolean(),
4041
- "completedAt": z.number().optional()
4042
- })).optional(),
4043
- "comments": z.array(z.object({
4044
- "id": z.string(),
4045
- "userId": z.string(),
4046
- "content": z.string(),
4047
- "createdAt": z.number()
4048
- })).optional(),
4049
- "attachments": z.array(z.object({
4450
+ tenantId: z.string(),
4451
+ workspaceId: z.optional(z.string()),
4452
+ groupId: z.string(),
4453
+ groupKey: z.string(),
4454
+ groupName: z.string(),
4455
+ groupType: z.enum(["tenant", "workspace", "external", "system", "dynamic"]),
4456
+ status: permitMembershipStatus,
4457
+ description: z.string().optional(),
4458
+ metadata: z.record(z.any()).optional(),
4459
+ createdBy: z.string(),
4460
+ createdAt: z.number(),
4461
+ updatedAt: z.number(),
4462
+ updatedBy: z.string().optional()
4463
+ }),
4464
+ indices: [
4465
+ { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
4466
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
4467
+ { kind: "index", name: "by_tenant_groupId", columns: ["tenantId", "groupId"] },
4468
+ { kind: "index", name: "by_tenant_groupKey", columns: ["tenantId", "groupKey"] },
4469
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] }
4470
+ ]
4471
+ });
4472
+ defineTable({
4473
+ name: "permitGroupMemberships",
4474
+ component: "control-plane",
4475
+ category: "access-control",
4476
+ shape: z.object({
4477
+ tenantId: z.string(),
4478
+ workspaceId: z.optional(z.string()),
4479
+ groupId: z.string(),
4480
+ memberType: z.enum(["principal", "group"]),
4481
+ memberId: z.string(),
4482
+ principalId: z.string().optional(),
4483
+ childGroupId: z.string().optional(),
4484
+ status: permitMembershipStatus,
4485
+ addedBy: z.string().optional(),
4486
+ revokedBy: z.string().optional(),
4487
+ expiresAt: z.number().optional(),
4488
+ revocationReason: z.string().optional(),
4489
+ metadata: z.record(z.any()).optional(),
4490
+ createdAt: z.number(),
4491
+ updatedAt: z.number(),
4492
+ updatedBy: z.string().optional()
4493
+ }),
4494
+ indices: [
4495
+ { kind: "index", name: "by_tenant_principal", columns: ["tenantId", "principalId"] },
4496
+ { kind: "index", name: "by_tenant_member", columns: ["tenantId", "memberType", "memberId"] },
4497
+ {
4498
+ kind: "index",
4499
+ name: "by_tenant_member_group",
4500
+ columns: ["tenantId", "memberType", "memberId", "groupId"]
4501
+ },
4502
+ { kind: "index", name: "by_tenant_group", columns: ["tenantId", "groupId"] },
4503
+ { kind: "index", name: "by_member_group", columns: ["memberType", "memberId", "groupId"] },
4504
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] },
4505
+ {
4506
+ kind: "index",
4507
+ name: "by_workspace_principal",
4508
+ columns: ["workspaceId", "principalId"]
4509
+ }
4510
+ ]
4511
+ });
4512
+ defineTable({
4513
+ name: "permitResourceInstances",
4514
+ component: "control-plane",
4515
+ category: "access-control",
4516
+ shape: z.object({
4517
+ tenantId: z.string(),
4518
+ workspaceId: z.optional(z.string()),
4519
+ resourceType: z.string(),
4520
+ resourceKey: z.string(),
4521
+ resourceId: z.string(),
4522
+ status: z.enum(["active", "deleted", "archived"]),
4523
+ attributes: z.record(z.any()).optional(),
4524
+ ownerPrincipalId: z.string().optional(),
4525
+ metadata: z.record(z.any()).optional(),
4526
+ createdBy: z.string(),
4527
+ updatedBy: z.string().optional(),
4528
+ createdAt: z.number(),
4529
+ updatedAt: z.number()
4530
+ }),
4531
+ indices: [
4532
+ {
4533
+ kind: "index",
4534
+ name: "by_tenant_resource_type",
4535
+ columns: ["tenantId", "resourceType"]
4536
+ },
4537
+ {
4538
+ kind: "index",
4539
+ name: "by_tenant_resource_key",
4540
+ columns: ["tenantId", "resourceType", "resourceKey"]
4541
+ },
4542
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
4543
+ { kind: "index", name: "by_status", columns: ["status"] },
4544
+ {
4545
+ kind: "index",
4546
+ name: "by_tenant_status",
4547
+ columns: ["tenantId", "status"]
4548
+ },
4549
+ {
4550
+ kind: "index",
4551
+ name: "by_ownerPrincipalId",
4552
+ columns: ["ownerPrincipalId"]
4553
+ }
4554
+ ]
4555
+ });
4556
+ defineTable({
4557
+ name: "permitRoleAssignments",
4558
+ component: "control-plane",
4559
+ category: "access-control",
4560
+ shape: z.object({
4561
+ tenantId: z.string(),
4562
+ workspaceId: z.optional(z.string()),
4563
+ role: z.string(),
4564
+ targetType: permitRoleBindingTarget,
4565
+ targetId: z.string(),
4566
+ resourceType: z.string(),
4567
+ resourceKey: z.string(),
4568
+ resourceInstanceId: z.string().optional(),
4569
+ status: permitMembershipStatus,
4570
+ expiresAt: z.number().optional(),
4571
+ attributes: z.record(z.any()).optional(),
4572
+ grantedBy: z.string().optional(),
4573
+ updatedBy: z.string().optional(),
4574
+ revokedBy: z.string().optional(),
4575
+ createdAt: z.number(),
4576
+ updatedAt: z.number()
4577
+ }),
4578
+ indices: [
4579
+ {
4580
+ kind: "index",
4581
+ name: "by_tenant_target",
4582
+ columns: ["tenantId", "targetType", "targetId"]
4583
+ },
4584
+ {
4585
+ kind: "index",
4586
+ name: "by_tenant_resource",
4587
+ columns: ["tenantId", "resourceType", "resourceKey"]
4588
+ },
4589
+ {
4590
+ kind: "index",
4591
+ name: "by_tenant_role",
4592
+ columns: ["tenantId", "role", "status"]
4593
+ },
4594
+ { kind: "index", name: "by_status", columns: ["status"] },
4595
+ {
4596
+ kind: "index",
4597
+ name: "by_workspace_resource",
4598
+ columns: ["workspaceId", "resourceType", "resourceKey"]
4599
+ }
4600
+ ]
4601
+ });
4602
+ defineTable({
4603
+ name: "permitRelationshipTuples",
4604
+ component: "control-plane",
4605
+ category: "access-control",
4606
+ shape: z.object({
4607
+ tenantId: z.string(),
4608
+ workspaceId: z.optional(z.string()),
4609
+ relation: z.string(),
4610
+ subject: z.string(),
4611
+ object: z.string(),
4612
+ resourceType: z.string().optional(),
4613
+ resourceKey: z.string().optional(),
4614
+ status: permitRecordStatus,
4615
+ attributes: z.record(z.any()).optional(),
4616
+ createdBy: z.string(),
4617
+ createdAt: z.number(),
4618
+ updatedAt: z.number(),
4619
+ lastSeenAt: z.number().optional(),
4620
+ updatedBy: z.string().optional()
4621
+ }),
4622
+ indices: [
4623
+ { kind: "index", name: "by_tenant_subject", columns: ["tenantId", "subject"] },
4624
+ { kind: "index", name: "by_tenant_object", columns: ["tenantId", "object"] },
4625
+ { kind: "index", name: "by_tenant_relation", columns: ["tenantId", "relation"] },
4626
+ {
4627
+ kind: "index",
4628
+ name: "by_tenant_relation_subject",
4629
+ columns: ["tenantId", "relation", "subject"]
4630
+ },
4631
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] }
4632
+ ]
4633
+ });
4634
+ defineTable({
4635
+ name: "permitAttributeBindings",
4636
+ component: "control-plane",
4637
+ category: "access-control",
4638
+ shape: z.object({
4639
+ tenantId: z.string(),
4640
+ workspaceId: z.optional(z.string()),
4641
+ targetType: permitRoleBindingTarget,
4642
+ targetId: z.string(),
4643
+ attributeName: z.string(),
4644
+ attributeType: permitAttributeType,
4645
+ attributeOperator: permitAttributeOperator,
4646
+ attributeValue: z.any(),
4647
+ status: permitRecordStatus,
4648
+ source: z.string().optional(),
4649
+ sourceRef: z.string().optional(),
4650
+ metadata: z.record(z.any()).optional(),
4651
+ createdAt: z.number(),
4652
+ updatedAt: z.number(),
4653
+ createdBy: z.string(),
4654
+ updatedBy: z.string().optional(),
4655
+ expiresAt: z.number().optional()
4656
+ }),
4657
+ indices: [
4658
+ {
4659
+ kind: "index",
4660
+ name: "by_tenant_target",
4661
+ columns: ["tenantId", "targetType", "targetId"]
4662
+ },
4663
+ {
4664
+ kind: "index",
4665
+ name: "by_tenant_target_attribute",
4666
+ columns: ["tenantId", "targetType", "targetId", "attributeName"]
4667
+ },
4668
+ {
4669
+ kind: "index",
4670
+ name: "by_tenant_name",
4671
+ columns: ["tenantId", "attributeName"]
4672
+ },
4673
+ {
4674
+ kind: "index",
4675
+ name: "by_tenant_status",
4676
+ columns: ["tenantId", "status"]
4677
+ }
4678
+ ]
4679
+ });
4680
+ defineTable({
4681
+ name: "permitPolicyBundles",
4682
+ component: "control-plane",
4683
+ category: "access-control",
4684
+ shape: z.object({
4685
+ tenantId: z.string(),
4686
+ workspaceId: z.optional(z.string()),
4687
+ bundleKey: z.string(),
4688
+ version: z.number(),
4689
+ status: permitPolicyBundleStatus,
4690
+ policyHash: z.string().optional(),
4691
+ policyPayload: z.record(z.any()),
4692
+ metadata: z.record(z.any()).optional(),
4693
+ createdBy: z.string(),
4694
+ reviewedBy: z.string().optional(),
4695
+ createdAt: z.number(),
4696
+ updatedAt: z.number(),
4697
+ retiredAt: z.number().optional()
4698
+ }),
4699
+ indices: [
4700
+ { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
4701
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
4702
+ {
4703
+ kind: "index",
4704
+ name: "by_tenant_bundleKey",
4705
+ columns: ["tenantId", "bundleKey"]
4706
+ },
4707
+ {
4708
+ kind: "index",
4709
+ name: "by_tenant_bundle_version",
4710
+ columns: ["tenantId", "bundleKey", "version"]
4711
+ },
4712
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] }
4713
+ ]
4714
+ });
4715
+ defineTable({
4716
+ name: "permitProjectionOutbox",
4717
+ component: "control-plane",
4718
+ category: "access-control",
4719
+ shape: z.object({
4720
+ syncKey: z.string(),
4721
+ objectType: permitObjectType,
4722
+ objectId: z.string(),
4723
+ operation: permitOutboxOperation,
4724
+ payload: z.record(z.any()),
4725
+ status: permitRecordStatus,
4726
+ attemptCount: z.number(),
4727
+ nextAttemptAt: z.number().optional(),
4728
+ lastError: z.string().optional(),
4729
+ tenantId: z.string().optional(),
4730
+ workspaceId: z.optional(z.string()),
4731
+ principalId: z.string().optional(),
4732
+ permitTenantKey: z.string().optional(),
4733
+ permitResourceType: z.string().optional(),
4734
+ permitResourceKey: z.string().optional(),
4735
+ createdAt: z.number(),
4736
+ updatedAt: z.number(),
4737
+ lastHandledAt: z.number().optional()
4738
+ }),
4739
+ indices: [
4740
+ { kind: "index", name: "by_syncKey", columns: ["syncKey"] },
4741
+ { kind: "index", name: "by_status", columns: ["status"] },
4742
+ { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
4743
+ {
4744
+ kind: "index",
4745
+ name: "by_tenant_status",
4746
+ columns: ["tenantId", "status"]
4747
+ },
4748
+ {
4749
+ kind: "index",
4750
+ name: "by_objectType",
4751
+ columns: ["objectType", "status"]
4752
+ }
4753
+ ]
4754
+ });
4755
+ defineTable({
4756
+ name: "tenantPermitSyncStates",
4757
+ component: "control-plane",
4758
+ category: "access-control",
4759
+ shape: z.object({
4760
+ syncKey: z.string(),
4761
+ objectType: permitObjectType,
4762
+ objectId: z.string(),
4763
+ tenantId: z.string().optional(),
4764
+ workspaceId: z.string().optional(),
4765
+ principalId: z.string().optional(),
4766
+ permitTenantKey: z.string().optional(),
4767
+ permitResourceType: z.string().optional(),
4768
+ permitResourceKey: z.string().optional(),
4769
+ desiredPayload: z.record(z.any()),
4770
+ lastAppliedPayloadHash: z.string().optional(),
4771
+ status: permitSyncStatus,
4772
+ attemptCount: z.number(),
4773
+ lastError: z.string().optional(),
4774
+ nextAttemptAt: z.number().optional(),
4775
+ lastSyncedAt: z.number().optional(),
4776
+ createdBy: z.string(),
4777
+ updatedBy: z.string().optional(),
4778
+ createdAt: z.number(),
4779
+ updatedAt: z.number()
4780
+ }),
4781
+ indices: [
4782
+ { kind: "index", name: "by_syncKey", columns: ["syncKey"] },
4783
+ { kind: "index", name: "by_status", columns: ["status"] },
4784
+ {
4785
+ kind: "index",
4786
+ name: "by_tenant_status",
4787
+ columns: ["tenantId", "status"]
4788
+ },
4789
+ {
4790
+ kind: "index",
4791
+ name: "by_workspace_status",
4792
+ columns: ["workspaceId", "status"]
4793
+ },
4794
+ {
4795
+ kind: "index",
4796
+ name: "by_principal_status",
4797
+ columns: ["principalId", "status"]
4798
+ }
4799
+ ]
4800
+ });
4801
+ defineTable({
4802
+ name: "permitPolicyDecisionReceipts",
4803
+ component: "control-plane",
4804
+ category: "access-control",
4805
+ shape: z.object({
4806
+ tenantId: z.string().optional(),
4807
+ workspaceId: z.string().optional(),
4808
+ principalId: z.string(),
4809
+ subjectType: permitAccessReviewSubjectType.optional(),
4810
+ subjectId: z.string().optional(),
4811
+ resourceType: z.string(),
4812
+ resourceId: z.string(),
4813
+ action: z.string(),
4814
+ decision: permitDecision,
4815
+ reasonCode: z.string(),
4816
+ policyBundleId: z.string().optional(),
4817
+ policyVersion: z.string(),
4818
+ traceId: z.string().optional(),
4819
+ requestId: z.string().optional(),
4820
+ audienceMode: z.string().optional(),
4821
+ audienceKey: z.string().optional(),
4822
+ audienceClass: z.enum(["internal", "restricted_external", "public"]).optional(),
4823
+ metadata: z.record(z.any()).optional(),
4824
+ createdAt: z.number(),
4825
+ expiresAt: z.number().optional(),
4826
+ createdBy: z.string().optional()
4827
+ }),
4828
+ indices: [
4829
+ { kind: "index", name: "by_principal_createdAt", columns: ["principalId", "createdAt"] },
4830
+ { kind: "index", name: "by_tenant_createdAt", columns: ["tenantId", "createdAt"] },
4831
+ { kind: "index", name: "by_resource", columns: ["resourceType", "resourceId"] },
4832
+ { kind: "index", name: "by_decision_createdAt", columns: ["decision", "createdAt"] },
4833
+ { kind: "index", name: "by_traceId", columns: ["traceId"] },
4834
+ { kind: "index", name: "by_action", columns: ["action"] }
4835
+ ]
4836
+ });
4837
+ defineTable({
4838
+ name: "permitAccessReviews",
4839
+ component: "control-plane",
4840
+ category: "access-control",
4841
+ shape: z.object({
4842
+ tenantId: z.string(),
4843
+ workspaceId: z.optional(z.string()),
4844
+ reviewKey: z.string(),
4845
+ scope: permitReviewScope,
4846
+ status: permitAccessReviewStatus,
4847
+ subjectType: permitAccessReviewSubjectType,
4848
+ subjectId: z.string(),
4849
+ resourceType: z.string().optional(),
4850
+ resourceKey: z.string().optional(),
4851
+ outcome: z.enum(["allow", "deny"]).optional(),
4852
+ requestedBy: z.string(),
4853
+ reviewedBy: z.string().optional(),
4854
+ requestedAt: z.number(),
4855
+ reviewedAt: z.number().optional(),
4856
+ dueAt: z.number().optional(),
4857
+ justification: z.string().optional(),
4858
+ rationale: z.string().optional(),
4859
+ policyBundleId: z.string().optional(),
4860
+ metadata: z.record(z.any()).optional(),
4861
+ createdAt: z.number(),
4862
+ updatedAt: z.number()
4863
+ }),
4864
+ indices: [
4865
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] },
4866
+ { kind: "index", name: "by_tenant_reviewKey", columns: ["tenantId", "reviewKey"] },
4867
+ { kind: "index", name: "by_subject", columns: ["subjectType", "subjectId"] },
4868
+ {
4869
+ kind: "index",
4870
+ name: "by_tenant_subject",
4871
+ columns: ["tenantId", "subjectType", "subjectId"]
4872
+ },
4873
+ { kind: "index", name: "by_outcome", columns: ["outcome"] },
4874
+ {
4875
+ kind: "index",
4876
+ name: "by_workspace_status",
4877
+ columns: ["workspaceId", "status"]
4878
+ }
4879
+ ]
4880
+ });
4881
+ defineTable({
4882
+ name: "permitAccessReviewItems",
4883
+ component: "control-plane",
4884
+ category: "access-control",
4885
+ shape: z.object({
4886
+ reviewKey: z.string(),
4887
+ itemKey: z.string(),
4888
+ tenantId: z.string(),
4889
+ workspaceId: z.string().optional(),
4890
+ subjectType: permitAccessReviewSubjectType,
4891
+ subjectId: z.string(),
4892
+ resourceType: z.string().optional(),
4893
+ resourceKey: z.string().optional(),
4894
+ role: z.string().optional(),
4895
+ relation: z.string().optional(),
4896
+ status: z.enum(["open", "approved", "revoked", "changed", "deferred"]),
4897
+ reviewerId: z.string().optional(),
4898
+ decisionAt: z.number().optional(),
4899
+ rationale: z.string().optional(),
4900
+ metadata: z.record(z.any()).optional(),
4901
+ createdAt: z.number(),
4902
+ updatedAt: z.number()
4903
+ }),
4904
+ indices: [
4905
+ { kind: "index", name: "by_reviewKey", columns: ["reviewKey"] },
4906
+ { kind: "index", name: "by_tenant_reviewKey", columns: ["tenantId", "reviewKey"] },
4907
+ { kind: "index", name: "by_tenant_itemKey", columns: ["tenantId", "itemKey"] },
4908
+ { kind: "index", name: "by_subject", columns: ["subjectType", "subjectId"] },
4909
+ { kind: "index", name: "by_status", columns: ["status"] }
4910
+ ]
4911
+ });
4912
+ defineTable({
4913
+ name: "reasoningPermissions",
4914
+ component: "control-plane",
4915
+ category: "epistemic",
4916
+ shape: z.object({
4917
+ "topicId": z.string().optional(),
4918
+ "principalId": z.string(),
4919
+ "nodeType": z.enum(["belief", "evidence", "action", "approval", "artifact"]),
4920
+ "action": z.enum(["view_conclusion", "view_evidence", "propose_action", "approve_action", "view_derived_artifact"]),
4921
+ "effect": z.enum(["allow", "deny"]),
4922
+ "policyReference": z.string().optional(),
4923
+ "rationale": z.string().optional(),
4924
+ "metadata": z.record(z.any()).optional(),
4925
+ "createdAt": z.number(),
4926
+ "createdBy": z.string(),
4927
+ "updatedAt": z.number()
4928
+ }),
4929
+ indices: [
4930
+ { kind: "index", name: "by_topic_principal", columns: ["topicId", "principalId"] },
4931
+ { kind: "index", name: "by_topic_principal_action", columns: ["topicId", "principalId", "action"] },
4932
+ { kind: "index", name: "by_topic_principal_node_action", columns: ["topicId", "principalId", "nodeType", "action"] },
4933
+ { kind: "index", name: "by_principal_action", columns: ["principalId", "action"] }
4934
+ ]
4935
+ });
4936
+ defineTable({
4937
+ name: "schemaEnumConfig",
4938
+ component: "kernel",
4939
+ category: "config",
4940
+ shape: z.object({
4941
+ "tenantId": z.string().optional(),
4942
+ "category": z.string(),
4943
+ "value": z.string(),
4944
+ "label": z.string(),
4945
+ "description": z.string().optional(),
4946
+ "tier": z.enum(["platform", "tenant"]),
4947
+ "domainNamespace": z.string().optional(),
4948
+ "metadata": z.any().optional(),
4949
+ "isDefault": z.boolean().optional(),
4950
+ "sortOrder": z.number().optional(),
4951
+ "status": z.enum(["active", "deprecated"]),
4952
+ "createdAt": z.number(),
4953
+ "updatedAt": z.number()
4954
+ }),
4955
+ indices: [
4956
+ { kind: "index", name: "by_category", columns: ["category"] },
4957
+ { kind: "index", name: "by_tenant_category", columns: ["tenantId", "category"] },
4958
+ { kind: "index", name: "by_category_value", columns: ["category", "value"] }
4959
+ ]
4960
+ });
4961
+ defineTable({
4962
+ name: "tasks",
4963
+ component: "kernel",
4964
+ category: "task",
4965
+ shape: z.object({
4966
+ "topicId": z.string().optional(),
4967
+ "tenantId": z.string().optional(),
4968
+ "workspaceId": z.string().optional(),
4969
+ "title": z.string(),
4970
+ "description": z.string().optional(),
4971
+ "status": z.enum(["todo", "in_progress", "blocked", "done"]),
4972
+ "priority": z.enum(["urgent", "high", "medium", "low"]),
4973
+ "dueDate": z.number().optional(),
4974
+ "linkedWorktreeId": idOf("worktrees").optional(),
4975
+ "linkedBeliefId": z.string().optional(),
4976
+ "linkedQuestionId": z.string().optional(),
4977
+ "taskType": z.enum(["general", "find_evidence", "verify_claim", "research", "review", "interview", "analysis", "track_metrics"]).optional(),
4978
+ "assigneeId": z.string().optional(),
4979
+ "blockedReason": z.string().optional(),
4980
+ "blockedBy": z.array(idOf("tasks")).optional(),
4981
+ "blocks": z.array(idOf("tasks")).optional(),
4982
+ "sortOrder": z.number().optional(),
4983
+ "executionOrder": z.number().optional(),
4984
+ "subtasks": z.array(z.object({
4985
+ "id": z.string(),
4986
+ "title": z.string(),
4987
+ "completed": z.boolean(),
4988
+ "completedAt": z.number().optional()
4989
+ })).optional(),
4990
+ "comments": z.array(z.object({
4991
+ "id": z.string(),
4992
+ "userId": z.string(),
4993
+ "content": z.string(),
4994
+ "createdAt": z.number()
4995
+ })).optional(),
4996
+ "attachments": z.array(z.object({
4050
4997
  "id": z.string(),
4051
4998
  "type": z.enum(["call_script", "email_template", "research_plan", "framework", "checklist", "note", "file", "transcript"]),
4052
4999
  "title": z.string(),
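Review bot: `permitRelationshipTuples.status` and `permitAttributeBindings.status` are typed with `permitRecordStatus` (`queued`, `inflight`, `completed`, `failed`, `skipped`, `stale`), a job-lifecycle enum with no revoked or disabled state, whereas role assignments and group memberships in the same hunk use `permitMembershipStatus`. If these rows feed access decisions, the schema does not say which values count as granting or how a tuple is withdrawn; `status: permitMembershipStatus,` or a dedicated enum would make that explicit. In `permitPolicyBundles`, `policyHash` is optional and `policyPayload` is `z.record(z.any())`, so a bundle in status `enforced` can be stored with no digest to verify it against; consider `policyHash: z.string(),`. `permitAttributeBindings.attributeValue` is likewise `z.any()` although `attributeType` declares the expected type, so the value is never checked against it. The hunk ends inside the `tasks` table definition, which continues outside it.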
@@ -4199,6 +5146,7 @@ defineTable({
4199
5146
  "updatedAt": z.number()
4200
5147
  }),
4201
5148
  indices: [
5149
+ { kind: "index", name: "by_globalId", columns: ["globalId"] },
4202
5150
  { kind: "index", name: "by_parent", columns: ["parentTopicId"] },
4203
5151
  { kind: "index", name: "by_type", columns: ["type"] },
4204
5152
  { kind: "index", name: "by_graph_scope_project", columns: ["graphScopeProjectId"] },
@@ -4210,7 +5158,7 @@ defineTable({
4210
5158
  });
4211
5159
  defineTable({
4212
5160
  name: "users",
4213
- component: "identity",
5161
+ component: "control-plane",
4214
5162
  category: "user",
4215
5163
  shape: z.object({
4216
5164
  "clerkId": z.string(),
@@ -4324,7 +5272,6 @@ defineTable({
4324
5272
  "deployments": z.record(z.object({
4325
5273
  "url": z.string(),
4326
5274
  "target": z.enum(["kernelDeployment", "appDeployment"]).optional(),
4327
- "encryptedDeployKey": z.string().optional(),
4328
5275
  "credentialRef": z.string().optional()
4329
5276
  })).optional(),
4330
5277
  "metadata": z.record(z.any()).optional(),
@@ -4339,6 +5286,39 @@ defineTable({
4339
5286
  { kind: "index", name: "by_status", columns: ["status"] }
4340
5287
  ]
4341
5288
  });
5289
+ defineTable({
5290
+ name: "deploymentHosts",
5291
+ component: "mc",
5292
+ category: "workspace",
5293
+ shape: z.object({
5294
+ "host": z.string(),
5295
+ "tenantId": idOf("tenants"),
5296
+ "workspaceId": idOf("workspaces"),
5297
+ "environment": z.enum(["dev", "staging", "prod"]),
5298
+ "target": z.enum(["kernelDeployment", "appDeployment"]),
5299
+ "deploymentUrl": z.string().optional(),
5300
+ "deploymentName": z.string().optional(),
5301
+ "vercelProjectName": z.string().optional(),
5302
+ "vercelProjectId": z.string().optional(),
5303
+ "vercelEnvironment": z.enum(["development", "preview", "staging", "production"]).optional(),
5304
+ "source": z.enum(["vercel_preview", "vercel_production", "vercel_custom_environment", "custom_domain", "manual"]),
5305
+ "status": z.enum(["active", "revoked"]),
5306
+ "metadata": z.record(z.any()).optional(),
5307
+ "createdBy": z.string(),
5308
+ "createdAt": z.number(),
5309
+ "updatedAt": z.number(),
5310
+ "revokedAt": z.number().optional(),
5311
+ "revokedBy": z.string().optional()
5312
+ }),
5313
+ indices: [
5314
+ { kind: "index", name: "by_host", columns: ["host"] },
5315
+ { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
5316
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
5317
+ { kind: "index", name: "by_tenant_workspace_environment", columns: ["tenantId", "workspaceId", "environment"] },
5318
+ { kind: "index", name: "by_workspace_status", columns: ["workspaceId", "status"] },
5319
+ { kind: "index", name: "by_status", columns: ["status"] }
5320
+ ]
5321
+ });
4342
5322
  defineTable({
4343
5323
  name: "worktreeBeliefCluster",
4344
5324
  component: "kernel",
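Review bot: The new `deploymentHosts` table indexes `host` on its own (`by_host`), so a lookup that resolves a hostname to a tenant and workspace will also return rows whose `status` is `"revoked"` unless the caller filters them; the resolver is not visible in this hunk, so that filter cannot be confirmed here. A composite index such as `{ kind: "index", name: "by_host_status", columns: ["host", "status"] }` would let the lookup request only active mappings, as `by_workspace_status` already does per workspace. `host` is also a bare `z.string()`, so nothing in the schema stops two rows from differing only by letter case or a trailing dot; a field comment stating the stored form, for example `// lowercase hostname, no scheme, port or trailing dot`, would make the contract explicit. This file is bundled output, so the change belongs in the contract source it was built from.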
@@ -4646,8 +5626,8 @@ defineTable({
4646
5626
  });
4647
5627
  z.object({
4648
5628
  manifestVersion: z.string(),
4649
- componentName: z.enum(["kernel", "identity"]),
4650
- tier: z.enum(["K", "I"]),
5629
+ componentName: z.enum(["kernel", "control-plane"]),
5630
+ tier: z.enum(["K", "CP"]),
4651
5631
  packageVersion: z.string(),
4652
5632
  tables: z.array(
4653
5633
  z.object({
@@ -4814,7 +5794,7 @@ var TENANT_CLIENT_INSTALLABLE_PACKAGES = [
4814
5794
  },
4815
5795
  {
4816
5796
  packageName: "@lucern/control-plane",
4817
- role: "platform_runtime",
5797
+ role: "component_runtime",
4818
5798
  directTenantImport: false
4819
5799
  },
4820
5800
  {
@@ -4823,79 +5803,948 @@ var TENANT_CLIENT_INSTALLABLE_PACKAGES = [
4823
5803
  directTenantImport: false
4824
5804
  },
4825
5805
  {
4826
- packageName: "@lucern/events",
4827
- role: "sdk_dependency",
4828
- directTenantImport: false
5806
+ packageName: "@lucern/events",
5807
+ role: "sdk_dependency",
5808
+ directTenantImport: false
5809
+ },
5810
+ {
5811
+ packageName: "@lucern/graph-primitives",
5812
+ role: "sdk_dependency",
5813
+ directTenantImport: false
5814
+ },
5815
+ {
5816
+ packageName: "@lucern/graph-sync",
5817
+ role: "host_addon_runtime",
5818
+ directTenantImport: true
5819
+ },
5820
+ {
5821
+ packageName: "@lucern/mcp",
5822
+ role: "runtime_entrypoint",
5823
+ directTenantImport: true
5824
+ },
5825
+ {
5826
+ packageName: "@lucern/pack-host",
5827
+ role: "platform_runtime",
5828
+ directTenantImport: false
5829
+ },
5830
+ {
5831
+ packageName: "@lucern/pack-installer",
5832
+ role: "developer_tool",
5833
+ directTenantImport: false
5834
+ },
5835
+ {
5836
+ packageName: "@lucern/proof-compiler",
5837
+ role: "developer_tool",
5838
+ directTenantImport: false
5839
+ },
5840
+ {
5841
+ packageName: "@lucern/react",
5842
+ role: "runtime_entrypoint",
5843
+ directTenantImport: true
5844
+ },
5845
+ {
5846
+ packageName: "@lucern/reasoning-kernel",
5847
+ role: "component_runtime",
5848
+ directTenantImport: false
5849
+ },
5850
+ {
5851
+ packageName: "@lucern/sdk",
5852
+ role: "runtime_entrypoint",
5853
+ directTenantImport: true
5854
+ },
5855
+ {
5856
+ packageName: "@lucern/secrets",
5857
+ role: "sdk_dependency",
5858
+ directTenantImport: false
5859
+ },
5860
+ {
5861
+ packageName: "@lucern/server-core",
5862
+ role: "platform_runtime",
5863
+ directTenantImport: false
5864
+ },
5865
+ {
5866
+ packageName: "@lucern/testing",
5867
+ role: "test_support",
5868
+ directTenantImport: false
5869
+ },
5870
+ {
5871
+ packageName: "@lucern/types",
5872
+ role: "contract_entrypoint",
5873
+ directTenantImport: true
5874
+ }
5875
+ ];
5876
+ TENANT_CLIENT_INSTALLABLE_PACKAGES.map(
5877
+ (entry) => entry.packageName
5878
+ );
5879
+
5880
+ // ../contracts/src/infisical-runtime.contract.ts
5881
+ var INFISICAL_TENANT_SOFTWARE_SYSTEMS = [
5882
+ {
5883
+ id: "stack-frontend",
5884
+ tenantKey: "stack",
5885
+ workspaceKey: "frontend",
5886
+ vercelProjectName: "ai-chatbot-diao",
5887
+ vercelTeamId: "team_mZBKwvXSSu7qxrWdg2go29sK",
5888
+ vercelProjectId: "prj_PihFw8kohSSw14nZs9YQV3xVo517",
5889
+ vercelWriterTokenEnv: "STACK_VERCEL_TOKEN",
5890
+ repository: {
5891
+ owner: "stack-vc",
5892
+ name: "front-end"
5893
+ },
5894
+ sharedSourcePath: "/tenants/stack",
5895
+ sharedVariablePolicy: "tenant_shared_all_systems",
5896
+ convex: {
5897
+ urlEnv: "CONVEX_FRONTEND_URL",
5898
+ deployKeyEnv: "CONVEX_FRONTEND_DEPLOY_KEY",
5899
+ preprodDeployment: "rugged-lobster-664",
5900
+ prodDeployment: "wonderful-toucan-0"
5901
+ }
5902
+ },
5903
+ {
5904
+ id: "stackos",
5905
+ tenantKey: "stack",
5906
+ workspaceKey: "stackos",
5907
+ vercelProjectName: "stackos",
5908
+ vercelTeamId: "team_mZBKwvXSSu7qxrWdg2go29sK",
5909
+ vercelProjectId: "prj_rXLAL0Z6v9p1fasKbomby6GI7kau",
5910
+ vercelWriterTokenEnv: "STACK_VERCEL_TOKEN",
5911
+ repository: {
5912
+ owner: "stack-vc",
5913
+ name: "stackos"
5914
+ },
5915
+ sharedSourcePath: "/tenants/stack",
5916
+ sharedVariablePolicy: "tenant_shared_all_systems",
5917
+ convex: {
5918
+ urlEnv: "CONVEX_STACKOS_URL",
5919
+ deployKeyEnv: "CONVEX_STACKOS_DEPLOY_KEY",
5920
+ preprodDeployment: "giant-mandrill-761",
5921
+ prodDeployment: "good-snake-515"
5922
+ }
5923
+ },
5924
+ {
5925
+ id: "stack-eng",
5926
+ tenantKey: "stack",
5927
+ workspaceKey: "engineering",
5928
+ vercelProjectName: "stackos-engineering-graph",
5929
+ vercelTeamId: "team_mZBKwvXSSu7qxrWdg2go29sK",
5930
+ vercelProjectId: "prj_zAU0Zn9GkbHjHI63dxW4vLpmoqTJ",
5931
+ vercelWriterTokenEnv: "STACK_VERCEL_TOKEN",
5932
+ repository: {
5933
+ owner: "stack-vc",
5934
+ name: "stackos-engineering-graph"
5935
+ },
5936
+ sharedSourcePath: "/tenants/stack/engineering",
5937
+ sharedVariablePolicy: "tenant_shared_all_systems",
5938
+ convex: {
5939
+ urlEnv: "CONVEX_STACK_ENG_URL",
5940
+ deployKeyEnv: "CONVEX_STACK_ENG_DEPLOY_KEY",
5941
+ preprodDeployment: "small-oyster-270",
5942
+ prodDeployment: "bold-cuttlefish-804"
5943
+ }
5944
+ },
5945
+ {
5946
+ id: "lucern-graph",
5947
+ tenantKey: "lucern",
5948
+ workspaceKey: "lucern",
5949
+ vercelProjectName: "lucern-graph",
5950
+ vercelTeamId: "team_vTHxxs8GAoAFUe6RWMlYt7fY",
5951
+ vercelProjectId: "prj_KJ8EKV8vGM5xURpqmwTwmECEGPgQ",
5952
+ vercelWriterTokenEnv: "LUCERN_VERCEL_TOKEN",
5953
+ repository: {
5954
+ owner: "LucernAI",
5955
+ name: "lucern-graph"
5956
+ },
5957
+ sharedSourcePath: "/tenants/lucern/shared",
5958
+ sharedVariablePolicy: "tenant_shared_all_systems",
5959
+ convex: {
5960
+ urlEnv: "CONVEX_LUCERN_URL",
5961
+ deployKeyEnv: "CONVEX_LUCERN_DEPLOY_KEY",
5962
+ preprodDeployment: "good-blackbird-774",
5963
+ prodDeployment: "precious-dog-365"
5964
+ }
5965
+ }
5966
+ ];
5967
+ var TENANT_SHARED_SECRET_DEFINITION_TEMPLATES = [
5968
+ {
5969
+ idSuffix: "clerk.publishable",
5970
+ canonicalName: "NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY",
5971
+ aliases: ["CLERK_PUBLISHABLE_KEY"],
5972
+ required: true,
5973
+ secret: false,
5974
+ public: true,
5975
+ description: "Tenant-owned Clerk browser key. For Stack this is the master clerk.stack.vc project shared by front-end, StackOS, and the engineering workspace."
5976
+ },
5977
+ {
5978
+ idSuffix: "clerk.secret",
5979
+ canonicalName: "CLERK_SECRET_KEY",
5980
+ required: true,
5981
+ secret: true,
5982
+ public: false,
5983
+ description: "Tenant-owned Clerk backend secret used only by that tenant's server runtimes."
5984
+ },
5985
+ {
5986
+ idSuffix: "clerk.project",
5987
+ canonicalName: "CLERK_PROJECT_ID",
5988
+ required: true,
5989
+ secret: false,
5990
+ public: false,
5991
+ description: "Tenant-owned Clerk project id used to resolve canonical Clerk aliases."
5992
+ },
5993
+ {
5994
+ idSuffix: "clerk.jwks",
5995
+ canonicalName: "CLERK_JWT_ISSUER_DOMAIN",
5996
+ aliases: ["CLERK_ISSUER_URL", "CLERK_JWKS_URL"],
5997
+ required: false,
5998
+ secret: false,
5999
+ public: false,
6000
+ description: "Tenant Clerk issuer/JWKS URL consumed by Convex auth.config.ts."
6001
+ },
6002
+ {
6003
+ idSuffix: "clerk.jwt-key",
6004
+ canonicalName: "CLERK_JWT_KEY",
6005
+ required: false,
6006
+ secret: true,
6007
+ public: false,
6008
+ description: "Tenant Clerk JWT public verification key used by bearer-token API routes."
6009
+ },
6010
+ {
6011
+ idSuffix: "clerk.authorized-parties",
6012
+ canonicalName: "CLERK_AUTHORIZED_PARTIES",
6013
+ aliases: ["CLERK_MOBILE_AUTHORIZED_PARTIES"],
6014
+ required: false,
6015
+ secret: false,
6016
+ public: false,
6017
+ description: "Comma-separated Clerk authorized parties for browser and mobile bearer-token validation."
6018
+ },
6019
+ {
6020
+ idSuffix: "clerk.sign-in-url",
6021
+ canonicalName: "NEXT_PUBLIC_CLERK_SIGN_IN_URL",
6022
+ required: false,
6023
+ secret: false,
6024
+ public: true,
6025
+ description: "Tenant Clerk sign-in route for custom app login surfaces."
6026
+ },
6027
+ {
6028
+ idSuffix: "clerk.sign-up-url",
6029
+ canonicalName: "NEXT_PUBLIC_CLERK_SIGN_UP_URL",
6030
+ required: false,
6031
+ secret: false,
6032
+ public: true,
6033
+ description: "Tenant Clerk sign-up route for custom app login surfaces."
6034
+ }
6035
+ ];
6036
+ INFISICAL_TENANT_SOFTWARE_SYSTEMS.flatMap(
6037
+ (system) => TENANT_SHARED_SECRET_DEFINITION_TEMPLATES.map(
6038
+ (template) => ({
6039
+ id: `tenant.${system.id}.${template.idSuffix}`,
6040
+ canonicalName: template.canonicalName,
6041
+ aliases: "aliases" in template ? template.aliases : void 0,
6042
+ owner: "tenant",
6043
+ scope: "tenant",
6044
+ sourcePath: system.sharedSourcePath,
6045
+ environmentPolicy: "environment_specific",
6046
+ required: template.required,
6047
+ secret: template.secret,
6048
+ public: template.public,
6049
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
6050
+ destinations: [
6051
+ {
6052
+ kind: "vercel",
6053
+ target: system.vercelProjectName,
6054
+ environmentPolicy: "preprod_staging_prod_prod"
6055
+ },
6056
+ {
6057
+ kind: "convex",
6058
+ target: `${system.convex.preprodDeployment}|${system.convex.prodDeployment}`,
6059
+ environmentPolicy: "preprod_staging_prod_prod"
6060
+ }
6061
+ ],
6062
+ description: `${system.tenantKey}/${system.workspaceKey}: ${template.description}`
6063
+ })
6064
+ )
6065
+ );
6066
+ INFISICAL_TENANT_SOFTWARE_SYSTEMS.map(
6067
+ (system) => ({
6068
+ id: `tenant.${system.id}.install-lucern-npm`,
6069
+ canonicalName: "INSTALL_LUCERN_NPM",
6070
+ owner: "provider",
6071
+ scope: "global",
6072
+ sourcePath: "/tenants/shared",
6073
+ environmentPolicy: "same_all_environments",
6074
+ required: true,
6075
+ secret: true,
6076
+ public: false,
6077
+ consumers: ["tenant-vercel-app", "tenant-deploy-tooling"],
6078
+ destinations: [
6079
+ {
6080
+ kind: "vercel",
6081
+ target: system.vercelProjectName,
6082
+ environmentPolicy: "same_all_environments"
6083
+ },
6084
+ {
6085
+ kind: "github_actions",
6086
+ target: `${system.repository.owner}/${system.repository.name}`,
6087
+ environmentPolicy: "same_all_environments"
6088
+ }
6089
+ ],
6090
+ description: `${system.tenantKey}/${system.workspaceKey}: read-only npm install token for published @lucern/* packages.`
6091
+ })
6092
+ );
6093
+ var TENANT_PRODUCT_SOFTWARE_SYSTEM_IDS = ["stack-frontend", "stackos"];
6094
+ var TENANT_PRODUCT_RUNTIME_SECRET_DEFINITION_TEMPLATES = [
6095
+ {
6096
+ idSuffix: "ai.openai-api-key",
6097
+ canonicalName: "OPENAI_API_KEY",
6098
+ required: false,
6099
+ secret: true,
6100
+ public: false,
6101
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment", "tenant-ai-runtime"],
6102
+ description: "Tenant-owned OpenAI key for product runtime LLM calls."
6103
+ },
6104
+ {
6105
+ idSuffix: "ai.anthropic-api-key",
6106
+ canonicalName: "ANTHROPIC_API_KEY",
6107
+ required: false,
6108
+ secret: true,
6109
+ public: false,
6110
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment", "tenant-ai-runtime"],
6111
+ description: "Tenant-owned Anthropic key for product runtime LLM calls."
6112
+ },
6113
+ {
6114
+ idSuffix: "ai.gemini-api-key",
6115
+ canonicalName: "GEMINI_API_KEY",
6116
+ aliases: ["GOOGLE_AI_API_KEY", "GOOGLE_GENERATIVE_AI_API_KEY"],
6117
+ required: false,
6118
+ secret: true,
6119
+ public: false,
6120
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment", "tenant-ai-runtime"],
6121
+ description: "Tenant-owned Google/Gemini key for product runtime LLM calls."
6122
+ },
6123
+ {
6124
+ idSuffix: "langfuse.secret-key",
6125
+ canonicalName: "LANGFUSE_SECRET_KEY",
6126
+ required: false,
6127
+ secret: true,
6128
+ public: false,
6129
+ consumers: [
6130
+ "tenant-vercel-app",
6131
+ "tenant-convex-deployment",
6132
+ "tenant-observability"
6133
+ ],
6134
+ description: "Tenant-owned Langfuse secret key for product AI tracing."
6135
+ },
6136
+ {
6137
+ idSuffix: "langfuse.public-key",
6138
+ canonicalName: "LANGFUSE_PUBLIC_KEY",
6139
+ required: false,
6140
+ secret: false,
6141
+ public: false,
6142
+ consumers: [
6143
+ "tenant-vercel-app",
6144
+ "tenant-convex-deployment",
6145
+ "tenant-observability"
6146
+ ],
6147
+ description: "Tenant-owned Langfuse public key for product AI tracing."
6148
+ },
6149
+ {
6150
+ idSuffix: "langfuse.base-url",
6151
+ canonicalName: "LANGFUSE_BASE_URL",
6152
+ aliases: ["LANGFUSE_BASEURL", "LANGFUSE_HOST"],
6153
+ required: false,
6154
+ secret: false,
6155
+ public: false,
6156
+ consumers: [
6157
+ "tenant-vercel-app",
6158
+ "tenant-convex-deployment",
6159
+ "tenant-observability"
6160
+ ],
6161
+ description: "Tenant-owned Langfuse API origin."
6162
+ },
6163
+ {
6164
+ idSuffix: "graph.neo4j-uri",
6165
+ canonicalName: "NEO4J_URI",
6166
+ required: false,
6167
+ secret: false,
6168
+ public: false,
6169
+ consumers: [
6170
+ "tenant-vercel-app",
6171
+ "tenant-convex-deployment",
6172
+ "tenant-graph-sync"
6173
+ ],
6174
+ description: "Tenant-owned Neo4j URI for product graph-sync."
6175
+ },
6176
+ {
6177
+ idSuffix: "graph.neo4j-user",
6178
+ canonicalName: "NEO4J_USER",
6179
+ aliases: ["NEO4J_USERNAME"],
6180
+ required: false,
6181
+ secret: false,
6182
+ public: false,
6183
+ consumers: [
6184
+ "tenant-vercel-app",
6185
+ "tenant-convex-deployment",
6186
+ "tenant-graph-sync"
6187
+ ],
6188
+ description: "Tenant-owned Neo4j user for product graph-sync."
6189
+ },
6190
+ {
6191
+ idSuffix: "graph.neo4j-password",
6192
+ canonicalName: "NEO4J_PASSWORD",
6193
+ required: false,
6194
+ secret: true,
6195
+ public: false,
6196
+ consumers: [
6197
+ "tenant-vercel-app",
6198
+ "tenant-convex-deployment",
6199
+ "tenant-graph-sync"
6200
+ ],
6201
+ description: "Tenant-owned Neo4j password for product graph-sync."
6202
+ },
6203
+ {
6204
+ idSuffix: "graph.neo4j-sync-secret",
6205
+ canonicalName: "NEO4J_SYNC_SECRET",
6206
+ required: false,
6207
+ secret: true,
6208
+ public: false,
6209
+ consumers: [
6210
+ "tenant-vercel-app",
6211
+ "tenant-convex-deployment",
6212
+ "tenant-graph-sync"
6213
+ ],
6214
+ description: "Tenant-owned shared secret for product Convex-to-HTTP graph-sync calls."
6215
+ },
6216
+ {
6217
+ idSuffix: "graph.neo4j-database",
6218
+ canonicalName: "NEO4J_DATABASE",
6219
+ required: false,
6220
+ secret: false,
6221
+ public: false,
6222
+ consumers: [
6223
+ "tenant-vercel-app",
6224
+ "tenant-convex-deployment",
6225
+ "tenant-graph-sync"
6226
+ ],
6227
+ description: "Tenant-owned Neo4j database name for product graph-sync."
6228
+ },
6229
+ {
6230
+ idSuffix: "vector.pinecone-api-key",
6231
+ canonicalName: "PINECONE_API_KEY",
6232
+ required: false,
6233
+ secret: true,
6234
+ public: false,
6235
+ consumers: [
6236
+ "tenant-vercel-app",
6237
+ "tenant-convex-deployment",
6238
+ "tenant-vector-store"
6239
+ ],
6240
+ description: "Tenant-owned Pinecone API key for product vector search."
6241
+ },
6242
+ {
6243
+ idSuffix: "vector.pinecone-index-name",
6244
+ canonicalName: "PINECONE_INDEX_NAME",
6245
+ aliases: ["PINECONE_INDEX"],
6246
+ required: false,
6247
+ secret: false,
6248
+ public: false,
6249
+ consumers: [
6250
+ "tenant-vercel-app",
6251
+ "tenant-convex-deployment",
6252
+ "tenant-vector-store"
6253
+ ],
6254
+ description: "Tenant-owned Pinecone index name for product vector search."
6255
+ },
6256
+ {
6257
+ idSuffix: "vector.pinecone-host",
6258
+ canonicalName: "PINECONE_HOST",
6259
+ aliases: ["PINECONE_INDEX_HOST"],
6260
+ required: false,
6261
+ secret: false,
6262
+ public: false,
6263
+ consumers: [
6264
+ "tenant-vercel-app",
6265
+ "tenant-convex-deployment",
6266
+ "tenant-vector-store"
6267
+ ],
6268
+ description: "Tenant-owned Pinecone host for product vector search."
6269
+ },
6270
+ {
6271
+ idSuffix: "vector.pinecone-namespace",
6272
+ canonicalName: "PINECONE_NAMESPACE",
6273
+ required: false,
6274
+ secret: false,
6275
+ public: false,
6276
+ consumers: [
6277
+ "tenant-vercel-app",
6278
+ "tenant-convex-deployment",
6279
+ "tenant-vector-store"
6280
+ ],
6281
+ description: "Tenant-owned Pinecone namespace for product vector search isolation."
6282
+ },
6283
+ {
6284
+ idSuffix: "storage.aws-access-key-id",
6285
+ canonicalName: "AWS_ACCESS_KEY_ID",
6286
+ required: false,
6287
+ secret: true,
6288
+ public: false,
6289
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
6290
+ description: "Tenant-owned AWS access key id for document/file ingestion."
6291
+ },
6292
+ {
6293
+ idSuffix: "storage.aws-secret-access-key",
6294
+ canonicalName: "AWS_SECRET_ACCESS_KEY",
6295
+ required: false,
6296
+ secret: true,
6297
+ public: false,
6298
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
6299
+ description: "Tenant-owned AWS secret access key for document/file ingestion."
4829
6300
  },
4830
6301
  {
4831
- packageName: "@lucern/graph-primitives",
4832
- role: "sdk_dependency",
4833
- directTenantImport: false
6302
+ idSuffix: "storage.aws-region",
6303
+ canonicalName: "AWS_REGION",
6304
+ required: false,
6305
+ secret: false,
6306
+ public: false,
6307
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
6308
+ description: "Tenant-owned AWS region for document/file ingestion."
4834
6309
  },
4835
6310
  {
4836
- packageName: "@lucern/graph-sync",
4837
- role: "host_addon_runtime",
4838
- directTenantImport: true
6311
+ idSuffix: "observability.sentry-dsn",
6312
+ canonicalName: "NEXT_PUBLIC_SENTRY_DSN",
6313
+ aliases: ["NEXT_PUBLIC_SENTRY_DSN_NEXTJS", "SENTRY_DSN"],
6314
+ required: false,
6315
+ secret: false,
6316
+ public: true,
6317
+ consumers: ["tenant-vercel-app", "tenant-observability"],
6318
+ description: "Tenant-owned Sentry DSN for app telemetry."
4839
6319
  },
4840
6320
  {
4841
- packageName: "@lucern/identity",
4842
- role: "component_runtime",
4843
- directTenantImport: false
6321
+ idSuffix: "observability.sentry-auth-token",
6322
+ canonicalName: "SENTRY_AUTH_TOKEN",
6323
+ required: false,
6324
+ secret: true,
6325
+ public: false,
6326
+ consumers: ["tenant-deploy-tooling", "tenant-observability"],
6327
+ description: "Tenant-owned Sentry release token for app deployments."
4844
6328
  },
4845
6329
  {
4846
- packageName: "@lucern/mcp",
4847
- role: "runtime_entrypoint",
4848
- directTenantImport: true
6330
+ idSuffix: "observability.sentry-org",
6331
+ canonicalName: "SENTRY_ORG",
6332
+ aliases: ["SENTRY_ORG_SLUG"],
6333
+ required: false,
6334
+ secret: false,
6335
+ public: false,
6336
+ consumers: ["tenant-deploy-tooling", "tenant-observability"],
6337
+ description: "Tenant-owned Sentry org slug for release uploads."
4849
6338
  },
4850
6339
  {
4851
- packageName: "@lucern/pack-host",
4852
- role: "platform_runtime",
4853
- directTenantImport: false
6340
+ idSuffix: "observability.sentry-project",
6341
+ canonicalName: "SENTRY_PROJECT",
6342
+ aliases: ["SENTRY_PROJECT_NEXTJS"],
6343
+ required: false,
6344
+ secret: false,
6345
+ public: false,
6346
+ consumers: ["tenant-deploy-tooling", "tenant-observability"],
6347
+ description: "Tenant-owned Sentry project slug for release uploads."
4854
6348
  },
4855
6349
  {
4856
- packageName: "@lucern/pack-installer",
4857
- role: "developer_tool",
4858
- directTenantImport: false
6350
+ idSuffix: "observability.sentry-environment",
6351
+ canonicalName: "NEXT_PUBLIC_SENTRY_ENVIRONMENT",
6352
+ aliases: ["SENTRY_ENVIRONMENT"],
6353
+ required: false,
6354
+ secret: false,
6355
+ public: true,
6356
+ consumers: ["tenant-vercel-app", "tenant-observability"],
6357
+ description: "Tenant-owned Sentry environment label."
4859
6358
  },
4860
6359
  {
4861
- packageName: "@lucern/proof-compiler",
4862
- role: "developer_tool",
4863
- directTenantImport: false
6360
+ idSuffix: "observability.sentry-release",
6361
+ canonicalName: "NEXT_PUBLIC_SENTRY_RELEASE",
6362
+ aliases: ["SENTRY_RELEASE"],
6363
+ required: false,
6364
+ secret: false,
6365
+ public: true,
6366
+ consumers: ["tenant-vercel-app", "tenant-observability"],
6367
+ description: "Tenant-owned Sentry release label."
4864
6368
  },
4865
6369
  {
4866
- packageName: "@lucern/react",
4867
- role: "runtime_entrypoint",
4868
- directTenantImport: true
6370
+ idSuffix: "observability.sentry-client-options",
6371
+ canonicalName: "NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE",
6372
+ aliases: [
6373
+ "NEXT_PUBLIC_SENTRY_CAPTURE_CONSOLE_LEVELS",
6374
+ "NEXT_PUBLIC_SENTRY_CAPTURE_CONSOLE_LEVELS_NEXTJS",
6375
+ "NEXT_PUBLIC_SENTRY_CONSOLE_BREADCRUMB_LEVELS",
6376
+ "NEXT_PUBLIC_SENTRY_CONSOLE_BREADCRUMB_LEVELS_NEXTJS",
6377
+ "NEXT_PUBLIC_SENTRY_CONSOLE_LOG_LEVELS",
6378
+ "NEXT_PUBLIC_SENTRY_CONSOLE_LOG_LEVELS_NEXTJS",
6379
+ "NEXT_PUBLIC_SENTRY_ENABLE_LOGS",
6380
+ "NEXT_PUBLIC_SENTRY_REPLAYS_ON_ERROR_SAMPLE_RATE",
6381
+ "NEXT_PUBLIC_SENTRY_REPLAYS_SESSION_SAMPLE_RATE",
6382
+ "NEXT_PUBLIC_SENTRY_SEND_DEFAULT_PII",
6383
+ "NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE_NEXTJS"
6384
+ ],
6385
+ required: false,
6386
+ secret: false,
6387
+ public: true,
6388
+ consumers: ["tenant-vercel-app", "tenant-observability"],
6389
+ description: "Tenant-owned public Sentry tuning values for Next.js client instrumentation."
4869
6390
  },
4870
6391
  {
4871
- packageName: "@lucern/reasoning-kernel",
4872
- role: "component_runtime",
4873
- directTenantImport: false
6392
+ idSuffix: "observability.sentry-webhook-secret",
6393
+ canonicalName: "SENTRY_WEBHOOK_SECRET",
6394
+ required: false,
6395
+ secret: true,
6396
+ public: false,
6397
+ consumers: ["tenant-convex-deployment", "tenant-observability"],
6398
+ description: "Tenant-owned Sentry webhook verification secret."
4874
6399
  },
4875
6400
  {
4876
- packageName: "@lucern/sdk",
4877
- role: "runtime_entrypoint",
4878
- directTenantImport: true
6401
+ idSuffix: "lucern.gateway-api-key",
6402
+ canonicalName: "LUCERN_API_KEY",
6403
+ aliases: ["STACK_API_KEY"],
6404
+ required: false,
6405
+ secret: true,
6406
+ public: false,
6407
+ consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
6408
+ description: "Tenant-scoped Lucern/MC gateway API key for product front-door calls."
4879
6409
  },
4880
6410
  {
4881
- packageName: "@lucern/server-core",
4882
- role: "platform_runtime",
4883
- directTenantImport: false
6411
+ idSuffix: "lucern.gateway-base-url",
6412
+ canonicalName: "LUCERN_BASE_URL",
6413
+ aliases: ["LUCERN_API_BASE_URL", "LUCERN_GATEWAY_BASE_URL"],
6414
+ required: false,
6415
+ secret: false,
6416
+ public: false,
6417
+ consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
6418
+ description: "Lucern/MC gateway base URL used by tenant product apps."
4884
6419
  },
4885
6420
  {
4886
- packageName: "@lucern/testing",
4887
- role: "test_support",
4888
- directTenantImport: false
6421
+ idSuffix: "lucern.proxy-token-secret",
6422
+ canonicalName: "LUCERN_PROXY_TOKEN_SECRET",
6423
+ required: false,
6424
+ secret: true,
6425
+ public: false,
6426
+ consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
6427
+ description: "Tenant-owned secret for signing internal proxy/session tokens in product apps."
4889
6428
  },
4890
6429
  {
4891
- packageName: "@lucern/types",
4892
- role: "contract_entrypoint",
4893
- directTenantImport: true
6430
+ idSuffix: "tenant.integrations.linear-api-key",
6431
+ canonicalName: "LINEAR_API_KEY",
6432
+ required: false,
6433
+ secret: true,
6434
+ public: false,
6435
+ consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
6436
+ description: "Tenant-owned Linear API key for support/slash-command flows."
6437
+ },
6438
+ {
6439
+ idSuffix: "tenant.vercel.bypass-token",
6440
+ canonicalName: "VERCEL_AUTOMATION_BYPASS_SECRET",
6441
+ aliases: ["NEXT_PUBLIC_VERCEL_BYPASS_TOKEN"],
6442
+ required: false,
6443
+ secret: true,
6444
+ public: false,
6445
+ consumers: ["tenant-vercel-app", "tenant-deploy-tooling"],
6446
+ description: "Tenant-owned Vercel automation bypass token. Public alias is legacy and should be removed from app code."
4894
6447
  }
4895
6448
  ];
4896
- TENANT_CLIENT_INSTALLABLE_PACKAGES.map(
4897
- (entry) => entry.packageName
6449
+ INFISICAL_TENANT_SOFTWARE_SYSTEMS.filter(
6450
+ (system) => TENANT_PRODUCT_SOFTWARE_SYSTEM_IDS.includes(system.id)
6451
+ ).flatMap(
6452
+ (system) => TENANT_PRODUCT_RUNTIME_SECRET_DEFINITION_TEMPLATES.map(
6453
+ (template) => ({
6454
+ id: `tenant.${system.id}.${template.idSuffix}`,
6455
+ canonicalName: template.canonicalName,
6456
+ aliases: "aliases" in template ? template.aliases : void 0,
6457
+ owner: "tenant",
6458
+ scope: "tenant",
6459
+ sourcePath: system.sharedSourcePath,
6460
+ environmentPolicy: "environment_specific",
6461
+ required: template.required,
6462
+ secret: template.secret,
6463
+ public: template.public,
6464
+ consumers: template.consumers,
6465
+ destinations: [
6466
+ {
6467
+ kind: "vercel",
6468
+ target: system.vercelProjectName,
6469
+ environmentPolicy: "preprod_staging_prod_prod"
6470
+ },
6471
+ {
6472
+ kind: "convex",
6473
+ target: `${system.convex.preprodDeployment}|${system.convex.prodDeployment}`,
6474
+ environmentPolicy: "preprod_staging_prod_prod"
6475
+ },
6476
+ {
6477
+ kind: "github_actions",
6478
+ target: `${system.repository.owner}/${system.repository.name}`,
6479
+ environmentPolicy: "preprod_staging_prod_prod"
6480
+ }
6481
+ ],
6482
+ description: `${system.tenantKey}/${system.workspaceKey}: ${template.description}`
6483
+ })
6484
+ )
6485
+ );
6486
+ function tenantVercelConvexUrlWriteNames(system) {
6487
+ const names = [system.convex.urlEnv, "NEXT_PUBLIC_CONVEX_URL"];
6488
+ if (system.id === "stack-eng") {
6489
+ return [...names, "STACKOS_ENGINEERING_GRAPH_CONVEX_URL"];
6490
+ }
6491
+ return names;
6492
+ }
6493
+ function tenantRepositoryConvexUrlWriteNames(system) {
6494
+ if (system.id === "stack-eng") {
6495
+ return [system.convex.urlEnv, "STACKOS_ENGINEERING_GRAPH_CONVEX_URL"];
6496
+ }
6497
+ return [system.convex.urlEnv];
6498
+ }
6499
+ function tenantRepositoryConvexDeployKeyWriteNames(system) {
6500
+ if (system.id === "stack-eng") {
6501
+ return [system.convex.deployKeyEnv, "STACKOS_ENGINEERING_GRAPH_DEPLOY_KEY"];
6502
+ }
6503
+ return [system.convex.deployKeyEnv];
6504
+ }
6505
+ function tenantConvexUrlAliases(system) {
6506
+ if (system.id === "stack-frontend") {
6507
+ return [
6508
+ "CONVEX_PROD_URL",
6509
+ "CONVEX_STACK_V2_PROD_URL",
6510
+ "CONVEX_STACK_V2_STAGING_URL",
6511
+ "STACK_CONVEX_URL"
6512
+ ];
6513
+ }
6514
+ if (system.id === "stackos") {
6515
+ return [
6516
+ "CONVEX_CLOUD_URL",
6517
+ "CONVEX_STACK_URL",
6518
+ "CONVEX_URL",
6519
+ "CONVEX_URL_DEVELOPMENT",
6520
+ "CONVEX_URL_PRODUCTION",
6521
+ "STACK_CONVEX_URL"
6522
+ ];
6523
+ }
6524
+ if (system.id === "stack-eng") {
6525
+ return ["STACKOS_ENGINEERING_GRAPH_CONVEX_URL"];
6526
+ }
6527
+ if (system.id === "lucern-graph") {
6528
+ return [
6529
+ "CONVEX_GRAPH_URL",
6530
+ "LUCERN_PROD_URL",
6531
+ "NEXT_PUBLIC_LUCERN_GRAPH_URL"
6532
+ ];
6533
+ }
6534
+ return void 0;
6535
+ }
6536
+ function tenantConvexDeployKeyAliases(system) {
6537
+ if (system.id === "stack-frontend") {
6538
+ return [
6539
+ "CONVEX_STACK_V2_PROD_DEPLOY_KEY",
6540
+ "CONVEX_STACK_V2_STAGING_DEPLOY_KEY",
6541
+ "STACK_DEPLOY_KEY"
6542
+ ];
6543
+ }
6544
+ if (system.id === "stackos") {
6545
+ return [
6546
+ "CONVEX_DEPLOY_KEY",
6547
+ "CONVEX_DEV_DEPLOY_KEY",
6548
+ "CONVEX_PROD_DEPLOY_KEY",
6549
+ "CONVEX_STACK_DEPLOY_KEY",
6550
+ "STACK_DEPLOY_KEY"
6551
+ ];
6552
+ }
6553
+ if (system.id === "stack-eng") {
6554
+ return ["CONVEX_DEPLOY_KEY", "STACKOS_ENGINEERING_GRAPH_DEPLOY_KEY"];
6555
+ }
6556
+ if (system.id === "lucern-graph") {
6557
+ return [
6558
+ "CONVEX_DEPLOY_KEY",
6559
+ "CONVEX_GRAPH_DEPLOY_KEY",
6560
+ "LUCERN_CONVEX_DEPLOY_KEY",
6561
+ "LUCERN_DEV_DEPLOY_KEY",
6562
+ "LUCERN_PROD_DEPLOY_KEY"
6563
+ ];
6564
+ }
6565
+ return void 0;
6566
+ }
6567
+ INFISICAL_TENANT_SOFTWARE_SYSTEMS.flatMap(
6568
+ (system) => {
6569
+ if (system.id === "lucern-graph") {
6570
+ return [
6571
+ {
6572
+ id: "tenant.lucern-graph.public.tenant-id",
6573
+ canonicalName: "NEXT_PUBLIC_LUCERN_GRAPH_TENANT_ID",
6574
+ aliases: ["NEXT_PUBLIC_LUCERN_TENANT_ID"],
6575
+ owner: "tenant",
6576
+ scope: "workspace",
6577
+ sourcePath: system.sharedSourcePath,
6578
+ environmentPolicy: "environment_specific",
6579
+ required: false,
6580
+ secret: false,
6581
+ public: true,
6582
+ consumers: ["tenant-vercel-app"],
6583
+ destinations: [
6584
+ {
6585
+ kind: "vercel",
6586
+ target: system.vercelProjectName,
6587
+ environmentPolicy: "preprod_staging_prod_prod"
6588
+ }
6589
+ ],
6590
+ description: "Lucern graph public tenant id used by the standalone graph explorer."
6591
+ },
6592
+ {
6593
+ id: "tenant.lucern-graph.public.tenant-label",
6594
+ canonicalName: "NEXT_PUBLIC_LUCERN_GRAPH_TENANT_LABEL",
6595
+ owner: "tenant",
6596
+ scope: "workspace",
6597
+ sourcePath: system.sharedSourcePath,
6598
+ environmentPolicy: "environment_specific",
6599
+ required: false,
6600
+ secret: false,
6601
+ public: true,
6602
+ consumers: ["tenant-vercel-app"],
6603
+ destinations: [
6604
+ {
6605
+ kind: "vercel",
6606
+ target: system.vercelProjectName,
6607
+ environmentPolicy: "preprod_staging_prod_prod"
6608
+ }
6609
+ ],
6610
+ description: "Lucern graph public tenant label used by the standalone graph explorer."
6611
+ }
6612
+ ];
6613
+ }
6614
+ if (system.id === "stack-eng") {
6615
+ return [
6616
+ {
6617
+ id: "tenant.stack-eng.public.tenant-id",
6618
+ canonicalName: "NEXT_PUBLIC_STACKOS_ENGINEERING_GRAPH_TENANT_ID",
6619
+ owner: "tenant",
6620
+ scope: "workspace",
6621
+ sourcePath: system.sharedSourcePath,
6622
+ environmentPolicy: "environment_specific",
6623
+ required: false,
6624
+ secret: false,
6625
+ public: true,
6626
+ consumers: ["tenant-vercel-app"],
6627
+ destinations: [
6628
+ {
6629
+ kind: "vercel",
6630
+ target: system.vercelProjectName,
6631
+ environmentPolicy: "preprod_staging_prod_prod"
6632
+ }
6633
+ ],
6634
+ description: "Stack engineering graph public tenant id used by the graph explorer."
6635
+ },
6636
+ {
6637
+ id: "tenant.stack-eng.public.tenant-label",
6638
+ canonicalName: "NEXT_PUBLIC_STACKOS_ENGINEERING_GRAPH_TENANT_LABEL",
6639
+ owner: "tenant",
6640
+ scope: "workspace",
6641
+ sourcePath: system.sharedSourcePath,
6642
+ environmentPolicy: "environment_specific",
6643
+ required: false,
6644
+ secret: false,
6645
+ public: true,
6646
+ consumers: ["tenant-vercel-app"],
6647
+ destinations: [
6648
+ {
6649
+ kind: "vercel",
6650
+ target: system.vercelProjectName,
6651
+ environmentPolicy: "preprod_staging_prod_prod"
6652
+ }
6653
+ ],
6654
+ description: "Stack engineering graph public tenant label used by the graph explorer."
6655
+ },
6656
+ {
6657
+ id: "tenant.stack-eng.public.environment",
6658
+ canonicalName: "NEXT_PUBLIC_STACKOS_ENGINEERING_GRAPH_ENV",
6659
+ owner: "tenant",
6660
+ scope: "workspace",
6661
+ sourcePath: system.sharedSourcePath,
6662
+ environmentPolicy: "environment_specific",
6663
+ required: false,
6664
+ secret: false,
6665
+ public: true,
6666
+ consumers: ["tenant-vercel-app"],
6667
+ destinations: [
6668
+ {
6669
+ kind: "vercel",
6670
+ target: system.vercelProjectName,
6671
+ environmentPolicy: "preprod_staging_prod_prod"
6672
+ }
6673
+ ],
6674
+ description: "Stack engineering graph public environment label used by the graph explorer."
6675
+ }
6676
+ ];
6677
+ }
6678
+ return [];
6679
+ }
4898
6680
  );
6681
+ INFISICAL_TENANT_SOFTWARE_SYSTEMS.flatMap((system) => [
6682
+ {
6683
+ id: `tenant.${system.id}.convex.url`,
6684
+ canonicalName: system.convex.urlEnv,
6685
+ aliases: tenantConvexUrlAliases(system),
6686
+ owner: "tenant",
6687
+ scope: "software_system",
6688
+ sourcePath: system.sharedSourcePath,
6689
+ environmentPolicy: "preprod_staging_prod_prod",
6690
+ required: true,
6691
+ secret: false,
6692
+ public: false,
6693
+ consumers: [
6694
+ "tenant-vercel-app",
6695
+ "tenant-agent-runtime",
6696
+ "mc-operator-tooling"
6697
+ ],
6698
+ destinations: [
6699
+ {
6700
+ kind: "vercel",
6701
+ target: system.vercelProjectName,
6702
+ environmentPolicy: "preprod_staging_prod_prod",
6703
+ writeNames: tenantVercelConvexUrlWriteNames(system)
6704
+ },
6705
+ {
6706
+ kind: "github_actions",
6707
+ target: `${system.repository.owner}/${system.repository.name}`,
6708
+ environmentPolicy: "preprod_staging_prod_prod",
6709
+ writeNames: tenantRepositoryConvexUrlWriteNames(system),
6710
+ notes: "Only if that repository deploy/test workflow owns this software system."
6711
+ }
6712
+ ],
6713
+ description: `${system.tenantKey}/${system.workspaceKey} Convex URL. Pre-prod resolves to ${system.convex.preprodDeployment}; prod resolves to ${system.convex.prodDeployment}.`
6714
+ },
6715
+ {
6716
+ id: `tenant.${system.id}.convex.deploy-key`,
6717
+ canonicalName: system.convex.deployKeyEnv,
6718
+ aliases: tenantConvexDeployKeyAliases(system),
6719
+ owner: "tenant",
6720
+ scope: "software_system",
6721
+ sourcePath: system.sharedSourcePath,
6722
+ environmentPolicy: "preprod_staging_prod_prod",
6723
+ required: true,
6724
+ secret: true,
6725
+ public: false,
6726
+ consumers: [
6727
+ "tenant-vercel-app",
6728
+ "tenant-agent-runtime",
6729
+ "mc-operator-tooling"
6730
+ ],
6731
+ destinations: [
6732
+ {
6733
+ kind: "vercel",
6734
+ target: system.vercelProjectName,
6735
+ environmentPolicy: "preprod_staging_prod_prod"
6736
+ },
6737
+ {
6738
+ kind: "github_actions",
6739
+ target: `${system.repository.owner}/${system.repository.name}`,
6740
+ environmentPolicy: "preprod_staging_prod_prod",
6741
+ writeNames: tenantRepositoryConvexDeployKeyWriteNames(system),
6742
+ notes: "Only if that repository deploy/test workflow owns this software system."
6743
+ }
6744
+ ],
6745
+ description: `${system.tenantKey}/${system.workspaceKey} Convex deploy/admin key. Never route to sibling workspaces.`
6746
+ }
6747
+ ]);
4899
6748
  z.object({
4900
6749
  manifestVersion: z.literal("1.0.0"),
4901
6750
  rules: z.array(
@@ -4936,7 +6785,7 @@ var createEvidenceInputSchemaBase = z.object({
4936
6785
  targetId: z.string().optional(),
4937
6786
  targetNodeId: z.string().optional(),
4938
6787
  linkedBeliefNodeId: z.string().optional(),
4939
- evidenceRelation: z.enum(["supports", "contradicts", "neutral"]).optional(),
6788
+ evidenceRelation: z.enum(["supports", "contradicts"]).optional(),
4940
6789
  confidence: z.number().optional(),
4941
6790
  weight: z.number().optional(),
4942
6791
  reasoning: z.string().optional(),
@@ -5021,8 +6870,7 @@ var createEvidenceProjection = defineProjection({
5021
6870
  evidenceRelation: v.optional(
5022
6871
  v.union(
5023
6872
  v.literal("supports"),
5024
- v.literal("contradicts"),
5025
- v.literal("neutral")
6873
+ v.literal("contradicts")
5026
6874
  )
5027
6875
  ),
5028
6876
  confidence: v.optional(v.number()),
@@ -5047,7 +6895,7 @@ function compactRecord2(input) {
5047
6895
  Object.entries(input).filter(([, value]) => value !== void 0)
5048
6896
  );
5049
6897
  }
5050
- var listBeliefsProjection = defineProjection({
6898
+ defineProjection({
5051
6899
  contractName: "list_beliefs",
5052
6900
  inputSchema: listBeliefsInputSchema,
5053
6901
  project: (input) => compactRecord2({
@@ -5071,12 +6919,17 @@ var listBeliefsProjection = defineProjection({
5071
6919
  });
5072
6920
  var taskStatusSchema = z.enum(["todo", "in_progress", "blocked", "done"]).optional().describe("Filter by task status");
5073
6921
  var listTasksInputSchema = z.object({
5074
- topicId: z.string().describe("Topic scope"),
6922
+ topicId: z.string().optional().describe("Topic scope"),
5075
6923
  worktreeId: z.string().optional().describe("Alias for linkedWorktreeId"),
5076
6924
  linkedWorktreeId: z.string().optional().describe("Filter to tasks linked to this worktree"),
5077
6925
  status: taskStatusSchema,
5078
6926
  limit: z.number().optional().describe("Maximum results")
5079
- });
6927
+ }).refine(
6928
+ (input) => Boolean(input.topicId || input.worktreeId || input.linkedWorktreeId),
6929
+ {
6930
+ message: "topicId or worktreeId is required"
6931
+ }
6932
+ );
5080
6933
  function compactRecord3(input) {
5081
6934
  return Object.fromEntries(
5082
6935
  Object.entries(input).filter(([, value]) => value !== void 0)
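Review bot: The `.refine()` message on `listTasksInputSchema` says `topicId or worktreeId is required`, but the predicate also accepts `linkedWorktreeId`. Because the predicate tests truthiness, three empty strings are rejected with a message that does not describe what was sent. Suggest `message: "one of topicId, worktreeId or linkedWorktreeId is required (non-empty)"`. With `topicId` now optional a query can be scoped by worktree alone, so the handler behind `listTasksProjection` (not shown here) should still confine results to the caller's tenant and workspace rather than rely on the topic for scoping.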
@@ -5093,7 +6946,7 @@ var listTasksProjection = defineProjection({
5093
6946
  linkedWorktreeId: input.linkedWorktreeId ?? input.worktreeId
5094
6947
  }),
5095
6948
  convexArgsValidator: v.object({
5096
- topicId: v.string(),
6949
+ topicId: v.optional(v.string()),
5097
6950
  status: v.optional(
5098
6951
  v.union(
5099
6952
  v.literal("todo"),
@@ -6071,19 +7924,23 @@ var FIND_CONTRADICTIONS = {
6071
7924
  };
6072
7925
  var CREATE_EDGE = {
6073
7926
  name: "create_edge",
6074
- description: "Commit a typed relationship between two nodes in the reasoning graph. Like `git commit` \u2014 an atomic write that declares a dependency between nodes. The engine enforces layer transition rules \u2014 for example, L1 \u2192 L3 direct edges are forbidden (must go through L2).",
7927
+ description: "Commit a typed relationship between two nodes in the reasoning graph. Like `git commit` \u2014 an atomic write that declares a dependency between nodes. Accepts any public epistemic edge type between public graph node refs so agents can author the full spine.",
6075
7928
  parameters: {
6076
- sourceId: {
6077
- type: "string",
6078
- description: "Source node of the relationship"
7929
+ from: {
7930
+ type: "object",
7931
+ description: "Source graph ref, e.g. { kind: 'epistemic_node', nodeId: '...', nodeType: 'topic' }"
6079
7932
  },
6080
- targetId: {
6081
- type: "string",
6082
- description: "Target node of the relationship"
7933
+ to: {
7934
+ type: "object",
7935
+ description: "Target graph ref, e.g. { kind: 'epistemic_node', nodeId: '...', nodeType: 'belief' }"
6083
7936
  },
6084
7937
  edgeType: {
6085
7938
  type: "string",
6086
- description: "Relationship type (informs, tests, depends_on, supersedes, etc.)"
7939
+ description: "Relationship type from the public epistemic edge enum."
7940
+ },
7941
+ globalId: {
7942
+ type: "string",
7943
+ description: "Optional idempotent edge global ID."
6087
7944
  },
6088
7945
  weight: {
6089
7946
  type: "number",
@@ -6093,10 +7950,14 @@ var CREATE_EDGE = {
6093
7950
  reasoningMethod: {
6094
7951
  type: "string",
6095
7952
  description: "How this was determined",
6096
- enum: ["deductive", "inductive", "abductive", "analogical", "empirical"]
7953
+ enum: [...REASONING_METHODS]
7954
+ },
7955
+ metadata: {
7956
+ type: "object",
7957
+ description: "Optional edge metadata."
6097
7958
  }
6098
7959
  },
6099
- required: ["sourceId", "targetId", "edgeType"],
7960
+ required: ["from", "to", "edgeType"],
6100
7961
  response: {
6101
7962
  description: "The created edge",
6102
7963
  fields: {
@@ -6110,6 +7971,240 @@ var CREATE_EDGE = {
6110
7971
  ontologyPrimitive: "edge",
6111
7972
  tier: "showcase"
6112
7973
  };
7974
+ var UPDATE_EDGE = {
7975
+ name: "update_edge",
7976
+ description: "Amend metadata on an existing graph edge. Like `git commit --amend` \u2014 changes the edge annotation without recreating the relationship.",
7977
+ parameters: {
7978
+ edgeId: { type: "string", description: "Edge ID or global ID to update" },
7979
+ weight: { type: "number", description: "Updated edge weight" },
7980
+ confidence: { type: "number", description: "Updated confidence" },
7981
+ context: { type: "string", description: "Updated human-readable context" },
7982
+ derivationType: { type: "string", description: "Updated derivation type" },
7983
+ metadata: { type: "object", description: "Updated metadata" }
7984
+ },
7985
+ required: ["edgeId"],
7986
+ response: {
7987
+ description: "Edge update result",
7988
+ fields: { success: "boolean" }
7989
+ },
7990
+ ownerModule: "graph-primitives",
7991
+ ontologyPrimitive: "edge",
7992
+ tier: "workhorse"
7993
+ };
7994
+ var REMOVE_EDGE = {
7995
+ name: "remove_edge",
7996
+ description: "Remove one graph edge by ID. Like `git rm` \u2014 deletes a single explicit relationship from the spine.",
7997
+ parameters: {
7998
+ edgeId: { type: "string", description: "Edge ID or global ID to remove" }
7999
+ },
8000
+ required: ["edgeId"],
8001
+ response: {
8002
+ description: "Edge removal result",
8003
+ fields: { success: "boolean" }
8004
+ },
8005
+ ownerModule: "graph-primitives",
8006
+ ontologyPrimitive: "edge",
8007
+ tier: "workhorse"
8008
+ };
8009
+ var REMOVE_EDGES_BETWEEN = {
8010
+ name: "remove_edges_between",
8011
+ description: "Remove graph edges between two nodes. Like `git rm <pathspec>` \u2014 deletes relationships matching a source, target, and optional type.",
8012
+ parameters: {
8013
+ fromNodeId: { type: "string", description: "Source node ID or global ID" },
8014
+ toNodeId: { type: "string", description: "Target node ID or global ID" },
8015
+ edgeType: { type: "string", description: "Optional edge type filter" }
8016
+ },
8017
+ required: ["fromNodeId", "toNodeId"],
8018
+ response: {
8019
+ description: "Matched edge removal result",
8020
+ fields: { deleted: "number" }
8021
+ },
8022
+ ownerModule: "graph-primitives",
8023
+ ontologyPrimitive: "edge",
8024
+ tier: "workhorse"
8025
+ };
8026
+ var BATCH_CREATE_EDGES = {
8027
+ name: "batch_create_edges",
8028
+ description: "Commit multiple typed graph edges. Like `git commit` with many staged paths \u2014 writes a batch of explicit relationships atomically per edge.",
8029
+ parameters: {
8030
+ edges: {
8031
+ type: "array",
8032
+ description: "Edges to create, each with from, to, edgeType, and optional weight/confidence/context."
8033
+ },
8034
+ skipLayerValidation: {
8035
+ type: "boolean",
8036
+ description: "Skip kernel layer validation for trusted materialization flows."
8037
+ }
8038
+ },
8039
+ required: ["edges"],
8040
+ response: {
8041
+ description: "Batch edge creation result",
8042
+ fields: {
8043
+ created: "number",
8044
+ results: "array",
8045
+ errors: "array"
8046
+ }
8047
+ },
8048
+ ownerModule: "graph-primitives",
8049
+ ontologyPrimitive: "edge",
8050
+ tier: "workhorse"
8051
+ };
8052
+ var CREATE_EPISTEMIC_NODE = {
8053
+ name: "create_epistemic_node",
8054
+ description: "Commit a generic epistemic graph node. Like `git commit` \u2014 creates a canonical node in the public spine for topics, beliefs, evidence, questions, answers, sources, and entities.",
8055
+ parameters: {
8056
+ globalId: { type: "string", description: "Optional idempotent node global ID" },
8057
+ nodeType: { type: "string", description: "Public epistemic node type" },
8058
+ canonicalText: { type: "string", description: "Canonical node text" },
8059
+ text: { type: "string", description: "Alias for canonicalText" },
8060
+ contentHash: { type: "string", description: "Optional idempotency content hash" },
8061
+ sourceType: { type: "string", description: "Source type for provenance" },
8062
+ topicId: { type: "string", description: "Optional topic scope" },
8063
+ content: { type: "string", description: "Extended content" },
8064
+ title: { type: "string", description: "Display title" },
8065
+ metadata: { type: "object", description: "Optional node metadata" }
8066
+ },
8067
+ required: ["nodeType"],
8068
+ response: {
8069
+ description: "Created node result",
8070
+ fields: {
8071
+ nodeId: "string",
8072
+ nodeGlobalId: "string",
8073
+ isDuplicate: "boolean"
8074
+ }
8075
+ },
8076
+ ownerModule: "reasoning-kernel",
8077
+ ontologyPrimitive: "graph",
8078
+ tier: "showcase"
8079
+ };
8080
+ var GET_EPISTEMIC_NODE = {
8081
+ name: "get_epistemic_node",
8082
+ description: "Read one epistemic graph node. Like `git show` \u2014 resolves a canonical spine node by ID or global ID.",
8083
+ parameters: {
8084
+ nodeId: { type: "string", description: "Node ID or global ID" }
8085
+ },
8086
+ required: ["nodeId"],
8087
+ response: {
8088
+ description: "The resolved node",
8089
+ fields: { node: "object" }
8090
+ },
8091
+ ownerModule: "reasoning-kernel",
8092
+ ontologyPrimitive: "graph",
8093
+ tier: "workhorse"
8094
+ };
8095
+ var LIST_EPISTEMIC_NODES = {
8096
+ name: "list_epistemic_nodes",
8097
+ description: "List epistemic graph nodes. Like `git ls-tree` \u2014 lists canonical spine nodes by topic, type, status, or search query.",
8098
+ parameters: {
8099
+ topicId: { type: "string", description: "Optional topic scope" },
8100
+ nodeType: { type: "string", description: "Optional node type filter" },
8101
+ status: { type: "string", description: "Optional lifecycle status" },
8102
+ searchQuery: { type: "string", description: "Optional text search query" },
8103
+ limit: { type: "number", description: "Maximum nodes to return" }
8104
+ },
8105
+ required: [],
8106
+ response: {
8107
+ description: "Matching nodes",
8108
+ fields: { nodes: "array" }
8109
+ },
8110
+ ownerModule: "reasoning-kernel",
8111
+ ontologyPrimitive: "graph",
8112
+ tier: "workhorse"
8113
+ };
8114
+ var UPDATE_EPISTEMIC_NODE = {
8115
+ name: "update_epistemic_node",
8116
+ description: "Amend an epistemic graph node. Like `git commit --amend` \u2014 updates mutable node metadata, text, status, or verification fields.",
8117
+ parameters: {
8118
+ nodeId: { type: "string", description: "Node ID or global ID" },
8119
+ canonicalText: { type: "string", description: "Updated canonical text" },
8120
+ text: { type: "string", description: "Alias for canonicalText" },
8121
+ contentHash: { type: "string", description: "Updated content hash" },
8122
+ content: { type: "string", description: "Updated content" },
8123
+ title: { type: "string", description: "Updated display title" },
8124
+ metadata: { type: "object", description: "Updated metadata" },
8125
+ confidence: { type: "number", description: "Updated confidence" },
8126
+ verificationStatus: { type: "string", description: "Updated verification status" },
8127
+ status: { type: "string", description: "Updated lifecycle status" }
8128
+ },
8129
+ required: ["nodeId"],
8130
+ response: {
8131
+ description: "Node update result",
8132
+ fields: { success: "boolean" }
8133
+ },
8134
+ ownerModule: "reasoning-kernel",
8135
+ ontologyPrimitive: "graph",
8136
+ tier: "workhorse"
8137
+ };
8138
+ var ARCHIVE_EPISTEMIC_NODE = {
8139
+ name: "archive_epistemic_node",
8140
+ description: "Archive an epistemic graph node. Like `git rm --cached` \u2014 removes a node from active traversal without hard-deleting it.",
8141
+ parameters: {
8142
+ nodeId: { type: "string", description: "Node ID or global ID" }
8143
+ },
8144
+ required: ["nodeId"],
8145
+ response: {
8146
+ description: "Archive result",
8147
+ fields: { success: "boolean", effectiveStatus: "string" }
8148
+ },
8149
+ ownerModule: "reasoning-kernel",
8150
+ ontologyPrimitive: "graph",
8151
+ tier: "workhorse"
8152
+ };
8153
+ var VERIFY_EPISTEMIC_NODE = {
8154
+ name: "verify_epistemic_node",
8155
+ description: "Record verification state on an epistemic graph node. Like `git tag` \u2014 marks the node with a reviewed verification state.",
8156
+ parameters: {
8157
+ nodeId: { type: "string", description: "Node ID or global ID" },
8158
+ verificationStatus: { type: "string", description: "Verification status" },
8159
+ confidence: { type: "number", description: "Optional confidence update" }
8160
+ },
8161
+ required: ["nodeId", "verificationStatus"],
8162
+ response: {
8163
+ description: "Verification result",
8164
+ fields: { success: "boolean" }
8165
+ },
8166
+ ownerModule: "reasoning-kernel",
8167
+ ontologyPrimitive: "graph",
8168
+ tier: "workhorse"
8169
+ };
8170
+ var SUPERSEDE_EPISTEMIC_NODE = {
8171
+ name: "supersede_epistemic_node",
8172
+ description: "Supersede an epistemic graph node with a new version. Like `git commit --amend` on an immutable history branch \u2014 creates the replacement and marks the old node superseded.",
8173
+ parameters: {
8174
+ oldNodeId: { type: "string", description: "Node ID or global ID to supersede" },
8175
+ newGlobalId: { type: "string", description: "Optional replacement global ID" },
8176
+ newCanonicalText: { type: "string", description: "Replacement canonical text" },
8177
+ text: { type: "string", description: "Alias for newCanonicalText" },
8178
+ newContentHash: { type: "string", description: "Optional replacement content hash" },
8179
+ reason: { type: "string", description: "Reason for superseding" }
8180
+ },
8181
+ required: ["oldNodeId"],
8182
+ response: {
8183
+ description: "Supersede result",
8184
+ fields: { oldNodeId: "string", newNodeId: "string" }
8185
+ },
8186
+ ownerModule: "reasoning-kernel",
8187
+ ontologyPrimitive: "graph",
8188
+ tier: "workhorse"
8189
+ };
8190
+ var BATCH_CREATE_EPISTEMIC_NODES = {
8191
+ name: "batch_create_epistemic_nodes",
8192
+ description: "Commit multiple epistemic graph nodes. Like `git commit` with many staged files \u2014 writes a batch of canonical spine nodes.",
8193
+ parameters: {
8194
+ nodes: {
8195
+ type: "array",
8196
+ description: "Nodes to create with nodeType, canonicalText/text, and optional metadata."
8197
+ }
8198
+ },
8199
+ required: ["nodes"],
8200
+ response: {
8201
+ description: "Batch node creation result",
8202
+ fields: { created: "number", results: "array" }
8203
+ },
8204
+ ownerModule: "reasoning-kernel",
8205
+ ontologyPrimitive: "graph",
8206
+ tier: "workhorse"
8207
+ };
6113
8208
  var RECORD_JUDGMENT = {
6114
8209
  name: "record_judgment",
6115
8210
  description: "Record a judgment \u2014 an irreversible commitment based on the current epistemic state. Like a `git tag` marking a release. A judgment synthesizes beliefs, evidence, and uncertainties into a determination. Once issued, a judgment is evaluated against the epistemic state that existed when it was made (knowledge horizon evaluation, Invariant #10).",
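Review bot: `skipLayerValidation` in `BATCH_CREATE_EDGES` is a caller-supplied switch that turns off a server-side check, and the contract places no restriction on who may set it. The description says it is for trusted materialization flows, but a tool contract cannot tell a trusted flow from any other agent that sets the flag. The handler, which is not visible in this diff, therefore has to authorize the flag against the caller's scopes and reject or ignore it otherwise. I would state that in the contract, e.g. `description: "Skip kernel layer validation. Honored only for callers authorized for materialization; rejected otherwise."`, or drop the parameter from the public contract and keep the bypass on an internal path. The same hunk adds `remove_edge` and `remove_edges_between`, whose contracts take only IDs, so deletions likewise rest entirely on handler-side authorization.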
@@ -7309,8 +9404,8 @@ var IDENTITY_WHOAMI = {
7309
9404
  response: {
7310
9405
  description: "Canonical identity summary for the current session",
7311
9406
  fields: {
7312
- principalId: "string \u2014 canonical federated principal identifier",
7313
- principalType: "string \u2014 human, service, or agent",
9407
+ principalId: "string \u2014 canonical principal identifier; for humans this is the Clerk user_... ID",
9408
+ principalType: "string \u2014 human, service, agent, group, or external_viewer",
7314
9409
  tenantId: "string | undefined \u2014 resolved tenant scope",
7315
9410
  workspaceId: "string | undefined \u2014 resolved workspace scope",
7316
9411
  scopes: "string[] | undefined \u2014 granted scopes for this session",
@@ -7321,6 +9416,49 @@ var IDENTITY_WHOAMI = {
7321
9416
  ontologyPrimitive: "identity",
7322
9417
  tier: "workhorse"
7323
9418
  };
9419
+ var RESOLVE_INTERACTIVE_PRINCIPAL = {
9420
+ name: "resolve_interactive_principal",
9421
+ description: "Read the Permit-backed Lucern principal context for an authenticated Clerk user. Like `git config --get user.email` plus the repository ACL \u2014 resolves the Clerk subject into tenant/workspace authorization context.",
9422
+ parameters: {
9423
+ clerkId: {
9424
+ type: "string",
9425
+ description: "Authenticated Clerk subject (`sub`). Clerk proves identity only; it is not the authorization record."
9426
+ },
9427
+ tenantId: {
9428
+ type: "string",
9429
+ description: "Optional tenant scope. Omit only when the Clerk alias is globally unambiguous."
9430
+ },
9431
+ workspaceId: {
9432
+ type: "string",
9433
+ description: "Optional workspace scope. Required when the principal has access to multiple workspaces and no default can be inferred."
9434
+ },
9435
+ providerProjectId: {
9436
+ type: "string",
9437
+ description: "Optional Clerk project or provider instance id for tenants with multiple identity providers."
9438
+ }
9439
+ },
9440
+ required: ["clerkId"],
9441
+ response: {
9442
+ description: "Permit-backed Lucern principal context for tenant SDK bootstrap",
9443
+ fields: {
9444
+ principalId: "string \u2014 canonical Clerk user_... ID for human sessions",
9445
+ principalType: "string \u2014 human, service, agent, group, or external_viewer",
9446
+ clerkId: "string \u2014 authenticated Clerk subject alias",
9447
+ tenantId: "string \u2014 resolved tenant scope",
9448
+ workspaceId: "string | null \u2014 resolved workspace scope",
9449
+ roles: "string[] \u2014 effective Permit roles",
9450
+ scopes: "string[] \u2014 effective scopes derived from Permit/control-plane projection",
9451
+ groupIds: "string[] \u2014 active Permit group memberships",
9452
+ principalStatus: "string \u2014 active, invited, suspended, disabled, revoked, or missing",
9453
+ tenantStatus: "string \u2014 projected tenant resource status",
9454
+ workspaceStatus: "string \u2014 projected workspace resource status",
9455
+ permit: "object \u2014 Permit subject, tenant, and optional workspace tuple"
9456
+ }
9457
+ },
9458
+ ownerModule: "control-plane",
9459
+ ontologyPrimitive: "identity",
9460
+ tier: "workhorse"
9461
+ };
7324
9462
  var COMPILE_CONTEXT = {
7325
9463
  name: "compile_context",
7326
9464
  description: "Compile a focused reasoning context. If topicId is omitted, Lucern resolves the best topic from the query. Like `git log --graph --decorate` for the reasoning substrate \u2014 returns the canonical Pillar 3 context pack through the public API shape.",
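Review bot: `clerkId` in `RESOLVE_INTERACTIVE_PRINCIPAL` is a plain string parameter, so the caller names the subject whose roles, scopes and group memberships are returned. The description calls it the authenticated Clerk subject, but nothing in the contract ties it to the session making the call. If the handler (outside this diff) does not compare it with the verified token's subject, a caller with any valid session could read another principal's authorization context. Prefer deriving the subject from the verified session instead of accepting it as input, or state the binding in the contract: `description: "Clerk subject (sub); must equal the subject of the verified session token, otherwise the call is rejected."`. Without that check, `principalStatus` values such as `missing` would also let a caller probe which subjects exist.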
@@ -7582,6 +9720,10 @@ var CREATE_TASK = {
7582
9720
  tags: {
7583
9721
  type: "array",
7584
9722
  description: "Free-form string tags"
9723
+ },
9724
+ metadata: {
9725
+ type: "object",
9726
+ description: "Structured task metadata for handoff context and routing hints"
7585
9727
  }
7586
9728
  },
7587
9729
  required: ["title"],
@@ -7655,6 +9797,10 @@ var UPDATE_TASK = {
7655
9797
  type: "string",
7656
9798
  description: "Updated status",
7657
9799
  enum: ["todo", "in_progress", "blocked", "done"]
9800
+ },
9801
+ metadata: {
9802
+ type: "object",
9803
+ description: "Structured task metadata to replace or refine"
7658
9804
  }
7659
9805
  },
7660
9806
  required: ["taskId"],
@@ -7702,6 +9848,10 @@ var CREATE_TOPIC = {
7702
9848
  name: "create_topic",
7703
9849
  description: "Create a new topic container for scoping knowledge. Like `git init` \u2014 initializes a new repository for a knowledge domain. Topics are hierarchical: a deal topic can nest under a theme topic. Types: domain, theme, deal, strategy, constitution, project, portfolio.",
7704
9850
  parameters: {
9851
+ globalId: {
9852
+ type: "string",
9853
+ description: "Optional idempotent topic global ID"
9854
+ },
7705
9855
  name: { type: "string", description: "Topic name" },
7706
9856
  type: {
7707
9857
  type: "string",
@@ -7712,6 +9862,18 @@ var CREATE_TOPIC = {
7712
9862
  type: "string",
7713
9863
  description: "Optional parent topic for nesting"
7714
9864
  },
9865
+ parentTopicGlobalId: {
9866
+ type: "string",
9867
+ description: "Optional parent topic global ID for nesting"
9868
+ },
9869
+ tenantId: { type: "string", description: "Optional tenant scope" },
9870
+ workspaceId: { type: "string", description: "Optional workspace scope" },
9871
+ visibility: {
9872
+ type: "string",
9873
+ description: "Topic visibility",
9874
+ enum: ["private", "team", "firm", "external", "public"]
9875
+ },
9876
+ metadata: { type: "object", description: "Optional topic metadata" },
7715
9877
  createdBy: { type: "string", description: "Who created this topic" }
7716
9878
  },
7717
9879
  required: ["name", "type"],
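Review bot: `tenantId` and `workspaceId` are added to `create_topic` as optional caller-supplied strings, and `visibility` accepts `external` and `public`. Tenant and workspace scope would normally come from the resolved session, so the handler (not part of this hunk) needs to reject a `tenantId` or `workspaceId` the calling principal does not belong to; otherwise the parameter becomes a way to write into another tenant. I would document that in the descriptions, e.g. `description: "Optional tenant scope; must match a tenant the calling principal belongs to"`, and state which visibility applies when the field is omitted. `CREATE_TOPIC` begins before this hunk and continues after it.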
@@ -7720,6 +9882,9 @@ var CREATE_TOPIC = {
7720
9882
  fields: {
7721
9883
  id: "string \u2014 topic ID",
7722
9884
  globalId: "string \u2014 globally unique ID",
9885
+ topicGlobalId: "string \u2014 topic global ID",
9886
+ epistemicNodeId: "string \u2014 materialized topic node ID",
9887
+ epistemicNodeGlobalId: "string \u2014 materialized topic node global ID",
7723
9888
  depth: "number \u2014 nesting depth"
7724
9889
  }
7725
9890
  },
@@ -7850,6 +10015,65 @@ var GET_TOPIC_TREE = {
7850
10015
  ontologyPrimitive: "graph",
7851
10016
  tier: "workhorse"
7852
10017
  };
10018
+ var MATERIALIZE_TOPIC_GRAPH = {
10019
+ name: "materialize_topic_graph",
10020
+ description: "Backfill the topic graph spine. Like `git fsck --connectivity-only` with repair enabled \u2014 creates missing topic nodes and parent-child edges idempotently.",
10021
+ parameters: {
10022
+ rootTopicId: {
10023
+ type: "string",
10024
+ description: "Optional root topic for a bounded materialization pass"
10025
+ },
10026
+ dryRun: {
10027
+ type: "boolean",
10028
+ description: "When true, report missing rows without writing them"
10029
+ }
10030
+ },
10031
+ required: [],
10032
+ response: {
10033
+ description: "Topic graph materialization counts",
10034
+ fields: {
10035
+ topicsSeen: "number",
10036
+ nodesCreated: "number",
10037
+ nodesExisting: "number",
10038
+ edgesCreated: "number",
10039
+ edgesExisting: "number",
10040
+ errors: "array"
10041
+ }
10042
+ },
10043
+ ownerModule: "reasoning-kernel",
10044
+ ontologyPrimitive: "graph",
10045
+ tier: "workhorse"
10046
+ };
10047
+ var GET_TOPIC_GRAPH_SPINE = {
10048
+ name: "get_topic_graph_spine",
10049
+ description: "Verify the topic graph spine. Like `git fsck` \u2014 reads topics, materialized topic nodes, parent-child edges, and missing spine rows.",
10050
+ parameters: {
10051
+ rootTopicId: {
10052
+ type: "string",
10053
+ description: "Optional root topic for a bounded verifier pass"
10054
+ },
10055
+ includeTopicBeliefEdges: {
10056
+ type: "boolean",
10057
+ description: "Include topic -> belief edges in the verifier payload"
10058
+ }
10059
+ },
10060
+ required: [],
10061
+ response: {
10062
+ description: "Topic graph spine verification payload",
10063
+ fields: {
10064
+ ok: "boolean",
10065
+ counts: "object",
10066
+ topics: "array",
10067
+ topicNodes: "array",
10068
+ parentEdges: "array",
10069
+ missingTopicNodes: "array",
10070
+ missingParentEdges: "array"
10071
+ }
10072
+ },
10073
+ ownerModule: "reasoning-kernel",
10074
+ ontologyPrimitive: "graph",
10075
+ tier: "workhorse"
10076
+ };
7853
10077
  var GET_CODE_CONTEXT = {
7854
10078
  name: "get_code_context",
7855
10079
  description: "Returns code-grounded beliefs, contracts, migration states, and failed attempts anchored to a specific file or function path. Like `git log -- <path>` \u2014 filters the knowledge graph to nodes anchored to a file path via metadata.codeAnchors. Results are separated by coding belief type: decisions, contracts, migrations, patterns, deprecations, and failures.",
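Review bot: `materialize_topic_graph` declares `required: []`, so a call with no arguments is valid. Going by the `dryRun` description, such a call writes rows, and an omitted `rootTopicId` presumably means the pass is not bounded to one subtree. For a repair tool exposed to agents the contract should state the default explicitly, e.g. `description: "When true, report missing rows without writing them. Defaults to <default>; pass true first to preview."`, or the handler could default to a dry run. The `rootTopicId` description should also say what an omitted root means for the scope of the pass.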
@@ -8045,7 +10269,7 @@ var MANAGE_WRITE_POLICY = {
8045
10269
  },
8046
10270
  role: {
8047
10271
  type: "string",
8048
- description: "Role to set policy for (required for 'set'). E.g. 'agent:internal', 'user:analyst'."
10272
+ description: "Role to set policy for (required for 'set'). E.g. 'agent:internal' or a Permit role key such as 'workspace_admin'."
8049
10273
  },
8050
10274
  permission: {
8051
10275
  type: "string",
@@ -9032,6 +11256,9 @@ var BEGIN_BUILD_SESSION = {
9032
11256
  sessionMode: "string \u2014 async | interactive",
9033
11257
  targetBeliefIds: "array \u2014 scoped belief IDs",
9034
11258
  targetQuestionIds: "array \u2014 scoped question IDs",
11259
+ taskIds: "array \u2014 assigned task IDs for this worktree",
11260
+ incompleteTaskIds: "array \u2014 assigned task IDs that still require done/deferred/blocked proof",
11261
+ tasks: "array \u2014 assigned task packet with id, title, status, priority, links, and summaries",
9035
11262
  topBeliefs: "array \u2014 highest-confidence scoped beliefs",
9036
11263
  openQuestions: "array \u2014 open scoped questions",
9037
11264
  resolvedDecisions: "array \u2014 answered questions summarized for the session",
@@ -9087,6 +11314,19 @@ var MCP_TOOL_CONTRACTS = {
9087
11314
  bisect_confidence: BISECT_CONFIDENCE,
9088
11315
  // Edges (commit)
9089
11316
  create_edge: CREATE_EDGE,
11317
+ update_edge: UPDATE_EDGE,
11318
+ remove_edge: REMOVE_EDGE,
11319
+ remove_edges_between: REMOVE_EDGES_BETWEEN,
11320
+ batch_create_edges: BATCH_CREATE_EDGES,
11321
+ // Epistemic node spine (commit/amend/show)
11322
+ create_epistemic_node: CREATE_EPISTEMIC_NODE,
11323
+ get_epistemic_node: GET_EPISTEMIC_NODE,
11324
+ list_epistemic_nodes: LIST_EPISTEMIC_NODES,
11325
+ update_epistemic_node: UPDATE_EPISTEMIC_NODE,
11326
+ archive_epistemic_node: ARCHIVE_EPISTEMIC_NODE,
11327
+ verify_epistemic_node: VERIFY_EPISTEMIC_NODE,
11328
+ supersede_epistemic_node: SUPERSEDE_EPISTEMIC_NODE,
11329
+ batch_create_epistemic_nodes: BATCH_CREATE_EPISTEMIC_NODES,
9090
11330
  // Judgments (tag)
9091
11331
  record_judgment: RECORD_JUDGMENT,
9092
11332
  // Graph intelligence (showcase)
@@ -9121,6 +11361,7 @@ var MCP_TOOL_CONTRACTS = {
9121
11361
  update_worktree_targets: UPDATE_WORKTREE_TARGETS,
9122
11362
  update_worktree_metadata: UPDATE_WORKTREE_METADATA,
9123
11363
  identity_whoami: IDENTITY_WHOAMI,
11364
+ resolve_interactive_principal: RESOLVE_INTERACTIVE_PRINCIPAL,
9124
11365
  compile_context: COMPILE_CONTEXT,
9125
11366
  record_scope_learning: RECORD_SCOPE_LEARNING,
9126
11367
  pipeline_snapshot: PIPELINE_SNAPSHOT,
@@ -9160,6 +11401,8 @@ var MCP_TOOL_CONTRACTS = {
9160
11401
  get_topic: GET_TOPIC,
9161
11402
  update_topic: UPDATE_TOPIC,
9162
11403
  get_topic_tree: GET_TOPIC_TREE,
11404
+ materialize_topic_graph: MATERIALIZE_TOPIC_GRAPH,
11405
+ get_topic_graph_spine: GET_TOPIC_GRAPH_SPINE,
9163
11406
  // Coding intelligence (code-grounded knowledge)
9164
11407
  get_code_context: GET_CODE_CONTEXT,
9165
11408
  get_change_history: GET_CHANGE_HISTORY,
@@ -9236,6 +11479,7 @@ function entries(names, surfaceClass, surfaceIntent, surfaces, rationale) {
9236
11479
  var MCP_CORE_OPERATION_NAMES = [
9237
11480
  "compile_context",
9238
11481
  "identity_whoami",
11482
+ "resolve_interactive_principal",
9239
11483
  "check_permission",
9240
11484
  "filter_by_permission",
9241
11485
  "create_belief",
@@ -9264,14 +11508,28 @@ var MCP_CORE_OPERATION_NAMES = [
9264
11508
  "find_missing_questions",
9265
11509
  "get_high_priority_questions",
9266
11510
  "get_falsification_questions",
11511
+ "create_epistemic_node",
11512
+ "get_epistemic_node",
11513
+ "list_epistemic_nodes",
11514
+ "update_epistemic_node",
11515
+ "archive_epistemic_node",
11516
+ "verify_epistemic_node",
11517
+ "supersede_epistemic_node",
11518
+ "batch_create_epistemic_nodes",
9267
11519
  "create_topic",
9268
11520
  "get_topic",
9269
11521
  "list_topics",
9270
11522
  "update_topic",
9271
- "get_topic_tree"
11523
+ "get_topic_tree",
11524
+ "materialize_topic_graph",
11525
+ "get_topic_graph_spine"
9272
11526
  ];
9273
11527
  var MCP_ANALYSIS_PLATFORM_OPERATION_NAMES = [
9274
11528
  "create_edge",
11529
+ "update_edge",
11530
+ "remove_edge",
11531
+ "remove_edges_between",
11532
+ "batch_create_edges",
9275
11533
  "query_lineage",
9276
11534
  "traverse_graph",
9277
11535
  "get_graph_neighborhood",
@@ -9603,12 +11861,20 @@ function unwrapMcpParameterSchema(schema) {
9603
11861
  current = current._def.schema;
9604
11862
  continue;
9605
11863
  default:
9606
- return { schema: current, required, description: description ?? current.description };
11864
+ return {
11865
+ schema: current,
11866
+ required,
11867
+ description: description ?? current.description
11868
+ };
9607
11869
  }
9608
11870
  }
9609
11871
  }
9610
11872
  function mcpParameterFromZod(fieldName, schema, contractName) {
9611
- const { schema: unwrapped, required, description: schemaDescription } = unwrapMcpParameterSchema(schema);
11873
+ const {
11874
+ schema: unwrapped,
11875
+ required,
11876
+ description: schemaDescription
11877
+ } = unwrapMcpParameterSchema(schema);
9612
11878
  const description = schemaDescription ?? unwrapped.description ?? fieldName;
9613
11879
  switch (unwrapped._def.typeName) {
9614
11880
  case z.ZodFirstPartyTypeKind.ZodString:
@@ -9653,10 +11919,12 @@ function mcpContractFromArgsSchema(base, args, contractName) {
9653
11919
  const entries2 = Object.entries(getObjectShape(args)).sort(
9654
11920
  ([left], [right]) => left.localeCompare(right)
9655
11921
  );
9656
- const converted = entries2.map(([fieldName, schema]) => [
9657
- fieldName,
9658
- mcpParameterFromZod(fieldName, schema, contractName)
9659
- ]);
11922
+ const converted = entries2.map(
11923
+ ([fieldName, schema]) => [
11924
+ fieldName,
11925
+ mcpParameterFromZod(fieldName, schema, contractName)
11926
+ ]
11927
+ );
9660
11928
  return {
9661
11929
  ...base,
9662
11930
  parameters: Object.fromEntries(
@@ -9765,9 +12033,16 @@ function surfaceContract(args) {
9765
12033
  scopes: args.scopes ?? [
9766
12034
  args.kind === "query" ? `${args.domain}.read` : `${args.domain}.write`
9767
12035
  ],
9768
- allowedPrincipalTypes: ["user", "service", "agent"]
12036
+ allowedPrincipalTypes: [
12037
+ "user",
12038
+ "service",
12039
+ "agent",
12040
+ "group",
12041
+ "external_viewer"
12042
+ ]
9769
12043
  },
9770
12044
  convex: args.convex,
12045
+ gateway: args.gateway,
9771
12046
  args: canonicalArgs,
9772
12047
  returns: canonicalReturns,
9773
12048
  input,
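Review bot: The default `allowedPrincipalTypes` is a hard-coded literal, so adding `"group"` and `"external_viewer"` here widens every contract built through surfaceContract, mutations included, and no single contract can opt out. The neighbouring `scopes: args.scopes ?? [...]` already shows the pattern: `allowedPrincipalTypes: args.allowedPrincipalTypes ?? ["user", "service", "agent"]` would let only the contracts that need the new principal types name them. Whether scope checks elsewhere already keep an external viewer off write surfaces is not visible from this hunk. surfaceContract's body starts and ends outside it.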
@@ -9906,8 +12181,6 @@ var contextContracts = [
9906
12181
  args: observationContextArgs
9907
12182
  })
9908
12183
  ];
9909
-
9910
- // ../contracts/src/function-registry/identity.ts
9911
12184
  var withPrincipal = (input, context) => ({
9912
12185
  ...input,
9913
12186
  tenantId: input.tenantId ?? context.tenantId,
@@ -9926,11 +12199,30 @@ var identityContracts = [
9926
12199
  sdkNamespace: "identity",
9927
12200
  sdkMethod: "whoami",
9928
12201
  summary: "Describe the current gateway principal.",
12202
+ gateway: {
12203
+ handler: "identity.whoami"
12204
+ }
12205
+ }),
12206
+ surfaceContract({
12207
+ name: "resolve_interactive_principal",
12208
+ kind: "query",
12209
+ domain: "controlPlane",
12210
+ surfaceClass: "platform_public",
12211
+ method: "POST",
12212
+ path: "/control-plane/identity/resolve-interactive-principal",
12213
+ sdkNamespace: "controlPlane.identity",
12214
+ sdkMethod: "resolveInteractivePrincipal",
12215
+ summary: "Resolve an authenticated Clerk user into a Permit-backed Lucern principal context.",
12216
+ args: z.object({
12217
+ clerkId: z.string().min(1),
12218
+ tenantId: z.string().min(1).optional(),
12219
+ workspaceId: z.string().min(1).optional(),
12220
+ providerProjectId: z.string().min(1).optional()
12221
+ }),
9929
12222
  convex: {
9930
- module: "identity",
9931
- functionName: "whoami",
9932
- kind: "query",
9933
- inputProjection: withPrincipal
12223
+ module: "platform",
12224
+ functionName: "resolveInteractivePrincipal",
12225
+ kind: "query"
9934
12226
  }
9935
12227
  }),
9936
12228
  surfaceContract({
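Review bot: `resolve_interactive_principal` takes `clerkId` (plus optional `tenantId` and `workspaceId`) from the request, and its `convex` block carries no `inputProjection` tying the lookup to the gateway context. Unless `platform.resolveInteractivePrincipal` (not visible here) checks that `clerkId` equals the authenticated subject, any caller that passes the default `controlPlane.read` scope could resolve another user's principal context. I would drop `clerkId` from `args` and derive it from the verified session. Failing that, state the requirement on the contract, e.g. `// clerkId must match the authenticated Clerk subject; enforced in platform.resolveInteractivePrincipal`. The `identityContracts` array continues outside the hunk.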
@@ -10012,15 +12304,6 @@ var beliefLookupInput = (input) => compactRecord4({
10012
12304
  var beliefNodeInput = (input) => compactRecord4({
10013
12305
  nodeId: input.nodeId ?? input.id ?? input.beliefId
10014
12306
  });
10015
- var beliefTopicInput = (input) => {
10016
- const parsed = listBeliefsProjection.inputSchema.safeParse(input);
10017
- if (!parsed.success) {
10018
- throw new Error(
10019
- `list_beliefs projection input rejected: ${parsed.error.message}`
10020
- );
10021
- }
10022
- return compactRecord4(listBeliefsProjection.project(parsed.data));
10023
- };
10024
12307
  var createBeliefInput = (input, context) => {
10025
12308
  return withUserId(
10026
12309
  compactRecord4({
@@ -10109,11 +12392,8 @@ var beliefsContracts = [
10109
12392
  sdkNamespace: "beliefs",
10110
12393
  sdkMethod: "listBeliefs",
10111
12394
  summary: "List beliefs for a topic.",
10112
- convex: {
10113
- module: "beliefs",
10114
- functionName: "getByTopic",
10115
- kind: "query",
10116
- inputProjection: beliefTopicInput
12395
+ gateway: {
12396
+ handler: "beliefs.list"
10117
12397
  },
10118
12398
  args: listBeliefsInputSchema
10119
12399
  }),
@@ -10254,7 +12534,7 @@ var beliefsContracts = [
10254
12534
  })
10255
12535
  ];
10256
12536
  var jsonRecordSchema4 = z.record(z.unknown());
10257
- var evidenceRelationSchema = z.enum(["supports", "contradicts", "neutral"]);
12537
+ var evidenceRelationSchema = z.enum(["supports", "contradicts"]);
10258
12538
  var createEvidenceArgs = z.object({
10259
12539
  topicId: z.string().optional().describe("Topic scope for the evidence."),
10260
12540
  text: z.string().describe("Canonical evidence text."),
@@ -10298,12 +12578,6 @@ var evidenceIdInput = (input) => compactRecord4({
10298
12578
  insightId: input.insightId,
10299
12579
  nodeId: input.nodeId ?? input.id ?? input.evidenceId
10300
12580
  });
10301
- var evidenceTopicInput = (input) => compactRecord4({
10302
- topicId: input.topicId,
10303
- status: input.status,
10304
- userId: input.userId,
10305
- limit: input.limit
10306
- });
10307
12581
  var createEvidenceInput = (input, context) => {
10308
12582
  const parsed = createEvidenceProjection.inputSchema.safeParse(input);
10309
12583
  if (!parsed.success) {
@@ -10434,11 +12708,8 @@ var evidenceContracts = [
10434
12708
  sdkNamespace: "evidence",
10435
12709
  sdkMethod: "listEvidence",
10436
12710
  summary: "List evidence for a topic.",
10437
- convex: {
10438
- module: "evidence",
10439
- functionName: "getByTopic",
10440
- kind: "query",
10441
- inputProjection: evidenceTopicInput
12711
+ gateway: {
12712
+ handler: "evidence.list"
10442
12713
  }
10443
12714
  }),
10444
12715
  surfaceContract({
@@ -10673,11 +12944,8 @@ var questionsContracts = [
10673
12944
  sdkNamespace: "questions",
10674
12945
  sdkMethod: "listQuestions",
10675
12946
  summary: "List questions for a topic.",
10676
- convex: {
10677
- module: "questions",
10678
- functionName: "getByTopic",
10679
- kind: "query",
10680
- inputProjection: questionTopicInput
12947
+ gateway: {
12948
+ handler: "questions.list"
10681
12949
  }
10682
12950
  }),
10683
12951
  surfaceContract({
@@ -10880,18 +13148,50 @@ var questionsContracts = [
10880
13148
  args: falsificationQuestionsArgs
10881
13149
  })
10882
13150
  ];
13151
+ var topicVisibilitySchema = z.enum([
13152
+ "private",
13153
+ "team",
13154
+ "firm",
13155
+ "external",
13156
+ "public"
13157
+ ]);
13158
+ var topicStatusSchema = z.enum(["active", "archived", "watching"]);
13159
+ var createTopicArgs = z.object({
13160
+ globalId: z.string().optional().describe("Optional idempotent topic global ID."),
13161
+ name: z.string().describe("Topic name."),
13162
+ description: z.string().optional().describe("Topic description."),
13163
+ type: z.string().describe("Topic type."),
13164
+ parentTopicId: z.string().optional().describe("Optional parent topic ID."),
13165
+ parentTopicGlobalId: z.string().optional().describe("Optional parent topic global ID."),
13166
+ ontologyId: z.string().optional().describe("Ontology to bind."),
13167
+ tenantId: z.string().optional().describe("Optional tenant scope."),
13168
+ workspaceId: z.string().optional().describe("Optional workspace scope."),
13169
+ visibility: topicVisibilitySchema.optional().describe("Topic visibility."),
13170
+ metadata: z.record(z.unknown()).optional().describe("Topic metadata."),
13171
+ graphScopeProjectId: z.string().optional(),
13172
+ createdBy: z.string().optional()
13173
+ });
10883
13174
  var updateTopicArgs = z.object({
10884
13175
  id: z.string().describe("Topic ID."),
10885
13176
  topicId: z.string().optional().describe("Topic ID alias."),
10886
13177
  name: z.string().optional().describe("Topic name."),
10887
13178
  description: z.string().optional().describe("Topic description."),
10888
13179
  type: z.string().optional().describe("Topic type."),
10889
- status: z.string().optional().describe("Topic status."),
10890
- visibility: z.string().optional().describe("Topic visibility."),
13180
+ status: topicStatusSchema.optional().describe("Topic status."),
13181
+ visibility: topicVisibilitySchema.optional().describe("Topic visibility."),
10891
13182
  ontologyId: z.string().optional().describe("Ontology to bind."),
10892
13183
  clearOntologyId: z.boolean().optional().describe("Whether to clear the ontology binding."),
10893
13184
  metadata: z.record(z.unknown()).optional().describe("Topic metadata.")
10894
13185
  });
13186
+ var materializeTopicGraphArgs = z.object({
13187
+ rootTopicId: z.string().optional().describe("Optional root topic ID."),
13188
+ dryRun: z.boolean().optional().describe("Report missing rows without writing."),
13189
+ createdBy: z.string().optional()
13190
+ });
13191
+ var getTopicGraphSpineArgs = z.object({
13192
+ rootTopicId: z.string().optional().describe("Optional root topic ID."),
13193
+ includeTopicBeliefEdges: z.boolean().optional()
13194
+ });
10895
13195
  var topicIdInput = (input) => compactRecord4({
10896
13196
  id: input.id ?? input.topicId
10897
13197
  });
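Review bot: `createTopicArgs` accepts `tenantId`, `workspaceId` and `createdBy` as plain optional strings from the caller, and `graphScopeProjectId` and `createdBy` are the only fields without a `.describe()`. If the projection used by `create_topic` does not overwrite these from the authenticated context (that helper is not visible in this hunk), a request could place a topic in another tenant or attribute it to a different principal. I would remove `createdBy` from the public schema and have the projection set it. If `tenantId` must stay, document it, e.g. `.describe("Must match the caller's tenant; rejected otherwise.")`, and enforce that in the handler. `materializeTopicGraphArgs` exposes the same undocumented `createdBy`.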
@@ -10909,87 +13209,488 @@ var updateTopicInput = (input) => compactRecord4({
10909
13209
  });
10910
13210
  var topicsContracts = [
10911
13211
  surfaceContract({
10912
- name: "create_topic",
13212
+ name: "create_topic",
13213
+ kind: "mutation",
13214
+ domain: "topics",
13215
+ surfaceClass: "platform_public",
13216
+ path: "/topics",
13217
+ sdkNamespace: "topics",
13218
+ sdkMethod: "createTopic",
13219
+ summary: "Create a topic.",
13220
+ convex: {
13221
+ module: "topics",
13222
+ functionName: "create",
13223
+ kind: "mutation",
13224
+ inputProjection: withCreatedBy
13225
+ },
13226
+ args: createTopicArgs
13227
+ }),
13228
+ surfaceContract({
13229
+ name: "get_topic",
13230
+ kind: "query",
13231
+ domain: "topics",
13232
+ surfaceClass: "platform_public",
13233
+ method: "GET",
13234
+ path: "/topics/get",
13235
+ sdkNamespace: "topics",
13236
+ sdkMethod: "getTopic",
13237
+ summary: "Get a topic.",
13238
+ convex: {
13239
+ module: "topics",
13240
+ functionName: "get",
13241
+ kind: "query",
13242
+ inputProjection: topicIdInput
13243
+ }
13244
+ }),
13245
+ surfaceContract({
13246
+ name: "list_topics",
13247
+ kind: "query",
13248
+ domain: "topics",
13249
+ surfaceClass: "platform_public",
13250
+ method: "GET",
13251
+ path: "/topics",
13252
+ sdkNamespace: "topics",
13253
+ sdkMethod: "listTopics",
13254
+ summary: "List topics.",
13255
+ convex: {
13256
+ module: "topics",
13257
+ functionName: "list",
13258
+ kind: "query"
13259
+ }
13260
+ }),
13261
+ surfaceContract({
13262
+ name: "update_topic",
13263
+ kind: "mutation",
13264
+ domain: "topics",
13265
+ surfaceClass: "platform_public",
13266
+ method: "PATCH",
13267
+ path: "/topics",
13268
+ sdkNamespace: "topics",
13269
+ sdkMethod: "updateTopic",
13270
+ summary: "Update a topic.",
13271
+ convex: {
13272
+ module: "topics",
13273
+ functionName: "update",
13274
+ kind: "mutation",
13275
+ inputProjection: updateTopicInput
13276
+ },
13277
+ args: updateTopicArgs
13278
+ }),
13279
+ surfaceContract({
13280
+ name: "get_topic_tree",
13281
+ kind: "query",
13282
+ domain: "topics",
13283
+ surfaceClass: "platform_public",
13284
+ method: "GET",
13285
+ path: "/topics/tree",
13286
+ sdkNamespace: "topics",
13287
+ sdkMethod: "getTopicTree",
13288
+ summary: "Get a topic tree.",
13289
+ convex: {
13290
+ module: "topics",
13291
+ functionName: "getTree",
13292
+ kind: "query"
13293
+ }
13294
+ }),
13295
+ surfaceContract({
13296
+ name: "materialize_topic_graph",
13297
+ kind: "mutation",
13298
+ domain: "topics",
13299
+ surfaceClass: "platform_public",
13300
+ path: "/topics/materialize-graph",
13301
+ sdkNamespace: "topics",
13302
+ sdkMethod: "materializeTopicGraph",
13303
+ summary: "Materialize topic nodes and parent-child graph edges.",
13304
+ convex: {
13305
+ module: "topics",
13306
+ functionName: "materializeTopicGraph",
13307
+ kind: "mutation",
13308
+ inputProjection: withCreatedBy
13309
+ },
13310
+ args: materializeTopicGraphArgs
13311
+ }),
13312
+ surfaceContract({
13313
+ name: "get_topic_graph_spine",
13314
+ kind: "query",
13315
+ domain: "topics",
13316
+ surfaceClass: "platform_public",
13317
+ method: "GET",
13318
+ path: "/topics/graph-spine",
13319
+ sdkNamespace: "topics",
13320
+ sdkMethod: "getTopicGraphSpine",
13321
+ summary: "Verify topic nodes and parent-child graph edges.",
13322
+ convex: {
13323
+ module: "topics",
13324
+ functionName: "getTopicGraphSpine",
13325
+ kind: "query"
13326
+ },
13327
+ args: getTopicGraphSpineArgs
13328
+ })
13329
+ ];
13330
+ var sourceTypeSchema2 = z.enum([
13331
+ "human",
13332
+ "ai_extracted",
13333
+ "ai_generated",
13334
+ "imported",
13335
+ "system",
13336
+ "verified",
13337
+ "proprietary"
13338
+ ]);
13339
+ var verificationStatusSchema = z.enum([
13340
+ "unverified",
13341
+ "human_verified",
13342
+ "ai_verified",
13343
+ "contradicted",
13344
+ "outdated"
13345
+ ]);
13346
+ var nodeStatusSchema = z.enum([
13347
+ "active",
13348
+ "superseded",
13349
+ "archived",
13350
+ "deleted"
13351
+ ]);
13352
+ var externalIdsArgs = z.object({
13353
+ crunchbase: z.string().optional(),
13354
+ linkedin: z.string().optional(),
13355
+ pitchbook: z.string().optional(),
13356
+ twitter: z.string().optional(),
13357
+ website: z.string().optional()
13358
+ }).optional();
13359
+ var createEpistemicNodeItemArgs = z.object({
13360
+ globalId: z.string().optional().describe("Optional idempotent node global ID."),
13361
+ nodeType: NODE_TYPE.describe("Public epistemic node type."),
13362
+ subtype: z.string().optional(),
13363
+ canonicalText: z.string().optional().describe("Canonical node text."),
13364
+ text: z.string().optional().describe("Alias for canonicalText."),
13365
+ contentHash: z.string().optional().describe("Optional idempotency content hash."),
13366
+ content: z.string().optional(),
13367
+ contentType: z.string().optional(),
13368
+ title: z.string().optional(),
13369
+ tags: z.array(z.string()).optional(),
13370
+ domain: z.string().optional(),
13371
+ metadata: z.record(z.unknown()).optional(),
13372
+ externalIds: externalIdsArgs,
13373
+ sourceType: sourceTypeSchema2.optional(),
13374
+ aiProvider: z.string().optional(),
13375
+ extractedFromNodeId: z.string().optional(),
13376
+ confidence: z.number().optional(),
13377
+ verificationStatus: verificationStatusSchema.optional(),
13378
+ topicId: z.string().optional(),
13379
+ projectId: z.string().optional(),
13380
+ createdBy: z.string().optional(),
13381
+ trustedBypassAccessCheck: z.boolean().optional()
13382
+ });
13383
+ var createEpistemicNodeArgs = createEpistemicNodeItemArgs;
13384
+ var batchCreateEpistemicNodesArgs = z.object({
13385
+ nodes: z.array(createEpistemicNodeItemArgs)
13386
+ });
13387
+ var getEpistemicNodeArgs = z.object({
13388
+ nodeId: z.string().describe("Node ID or global ID."),
13389
+ globalId: z.string().optional().describe("Node global ID alias.")
13390
+ });
13391
+ var listEpistemicNodesArgs = z.object({
13392
+ topicId: z.string().optional(),
13393
+ projectId: z.string().optional(),
13394
+ nodeType: NODE_TYPE.optional(),
13395
+ status: nodeStatusSchema.optional(),
13396
+ searchQuery: z.string().optional(),
13397
+ query: z.string().optional(),
13398
+ limit: z.number().optional()
13399
+ });
13400
+ var updateEpistemicNodeArgs = z.object({
13401
+ nodeId: z.string().describe("Node ID or global ID."),
13402
+ id: z.string().optional().describe("Node ID alias."),
13403
+ subtype: z.string().optional(),
13404
+ canonicalText: z.string().optional(),
13405
+ text: z.string().optional(),
13406
+ contentHash: z.string().optional(),
13407
+ content: z.string().optional(),
13408
+ contentType: z.string().optional(),
13409
+ title: z.string().optional(),
13410
+ tags: z.array(z.string()).optional(),
13411
+ domain: z.string().optional(),
13412
+ metadata: z.record(z.unknown()).optional(),
13413
+ externalIds: externalIdsArgs,
13414
+ confidence: z.number().optional(),
13415
+ verificationStatus: verificationStatusSchema.optional(),
13416
+ status: nodeStatusSchema.optional(),
13417
+ userId: z.string().optional(),
13418
+ trustedBypassAccessCheck: z.boolean().optional()
13419
+ });
13420
+ var archiveEpistemicNodeArgs = z.object({
13421
+ nodeId: z.string().describe("Node ID or global ID."),
13422
+ id: z.string().optional().describe("Node ID alias."),
13423
+ userId: z.string().optional(),
13424
+ trustedBypassAccessCheck: z.boolean().optional()
13425
+ });
13426
+ var verifyEpistemicNodeArgs = z.object({
13427
+ nodeId: z.string().describe("Node ID or global ID."),
13428
+ id: z.string().optional().describe("Node ID alias."),
13429
+ verificationStatus: verificationStatusSchema,
13430
+ confidence: z.number().optional(),
13431
+ userId: z.string().optional()
13432
+ });
13433
+ var supersedeEpistemicNodeArgs = z.object({
13434
+ oldNodeId: z.string().describe("Node ID or global ID to supersede."),
13435
+ nodeId: z.string().optional().describe("Old node ID alias."),
13436
+ newGlobalId: z.string().optional(),
13437
+ newCanonicalText: z.string().optional(),
13438
+ text: z.string().optional(),
13439
+ canonicalText: z.string().optional(),
13440
+ newContentHash: z.string().optional(),
13441
+ reason: z.string().optional(),
13442
+ createdBy: z.string().optional(),
13443
+ trustedBypassAccessCheck: z.boolean().optional()
13444
+ });
13445
+ function generatedGlobalId(prefix) {
13446
+ return `${prefix}:${crypto.randomUUID()}`;
13447
+ }
13448
+ function resolveCanonicalText(input) {
13449
+ const text = input.canonicalText ?? input.text ?? input.title ?? input.content;
13450
+ if (typeof text !== "string" || text.trim().length === 0) {
13451
+ throw new Error("canonicalText or text is required.");
13452
+ }
13453
+ return text;
13454
+ }
13455
+ function createNodeInput(input, context) {
13456
+ const canonicalText = resolveCanonicalText(input);
13457
+ const nodeType = String(input.nodeType);
13458
+ return withCreatedBy(
13459
+ compactRecord4({
13460
+ globalId: typeof input.globalId === "string" && input.globalId.trim() ? input.globalId : generatedGlobalId(nodeType),
13461
+ nodeType,
13462
+ subtype: input.subtype,
13463
+ canonicalText,
13464
+ contentHash: typeof input.contentHash === "string" && input.contentHash.trim() ? input.contentHash : `${nodeType}:${canonicalText}`,
13465
+ content: input.content,
13466
+ contentType: input.contentType,
13467
+ title: input.title,
13468
+ tags: input.tags,
13469
+ domain: input.domain,
13470
+ metadata: input.metadata,
13471
+ externalIds: input.externalIds,
13472
+ sourceType: typeof input.sourceType === "string" && input.sourceType.trim() ? input.sourceType : "human",
13473
+ aiProvider: input.aiProvider,
13474
+ extractedFromNodeId: input.extractedFromNodeId,
13475
+ confidence: input.confidence,
13476
+ verificationStatus: input.verificationStatus,
13477
+ topicId: input.topicId,
13478
+ projectId: input.projectId
13479
+ }),
13480
+ context
13481
+ );
13482
+ }
13483
+ var getNodeInput = (input) => compactRecord4({
13484
+ nodeId: input.nodeId ?? input.globalId
13485
+ });
13486
+ var listNodesInput = (input) => compactRecord4({
13487
+ topicId: input.topicId,
13488
+ projectId: input.projectId,
13489
+ nodeType: input.nodeType,
13490
+ status: input.status,
13491
+ searchQuery: input.searchQuery ?? input.query,
13492
+ limit: input.limit
13493
+ });
13494
+ var updateNodeInput = (input, context) => withUserId(
13495
+ compactRecord4({
13496
+ nodeId: input.nodeId ?? input.id,
13497
+ subtype: input.subtype,
13498
+ canonicalText: input.canonicalText ?? input.text,
13499
+ contentHash: input.contentHash,
13500
+ content: input.content,
13501
+ contentType: input.contentType,
13502
+ title: input.title,
13503
+ tags: input.tags,
13504
+ domain: input.domain,
13505
+ metadata: input.metadata,
13506
+ externalIds: input.externalIds,
13507
+ confidence: input.confidence,
13508
+ verificationStatus: input.verificationStatus,
13509
+ status: input.status,
13510
+ trustedBypassAccessCheck: input.trustedBypassAccessCheck
13511
+ }),
13512
+ context
13513
+ );
13514
+ var archiveNodeInput = (input, context) => withUserId(
13515
+ compactRecord4({
13516
+ nodeId: input.nodeId ?? input.id,
13517
+ trustedBypassAccessCheck: input.trustedBypassAccessCheck
13518
+ }),
13519
+ context
13520
+ );
13521
+ var verifyNodeInput = (input, context) => withUserId(
13522
+ compactRecord4({
13523
+ nodeId: input.nodeId ?? input.id,
13524
+ verificationStatus: input.verificationStatus,
13525
+ confidence: input.confidence
13526
+ }),
13527
+ context
13528
+ );
13529
+ var supersedeNodeInput = (input, context) => {
13530
+ const newCanonicalText = input.newCanonicalText ?? input.canonicalText ?? input.text;
13531
+ if (typeof newCanonicalText !== "string" || newCanonicalText.trim().length === 0) {
13532
+ throw new Error("newCanonicalText or text is required.");
13533
+ }
13534
+ return {
13535
+ oldNodeId: input.oldNodeId ?? input.nodeId,
13536
+ newGlobalId: typeof input.newGlobalId === "string" && input.newGlobalId.trim() ? input.newGlobalId : generatedGlobalId("node"),
13537
+ newCanonicalText,
13538
+ newContentHash: typeof input.newContentHash === "string" && input.newContentHash.trim() ? input.newContentHash : `superseded:${newCanonicalText}`,
13539
+ createdBy: typeof input.createdBy === "string" ? input.createdBy : authUserId(context),
13540
+ reason: input.reason,
13541
+ trustedBypassAccessCheck: input.trustedBypassAccessCheck
13542
+ };
13543
+ };
13544
+ var batchCreateNodesInput = (input, context) => {
13545
+ const nodes = Array.isArray(input.nodes) ? input.nodes : [];
13546
+ return {
13547
+ nodes: nodes.map(
13548
+ (node) => createNodeInput(
13549
+ node && typeof node === "object" ? node : {},
13550
+ context
13551
+ )
13552
+ )
13553
+ };
13554
+ };
13555
+ var nodesContracts = [
13556
+ surfaceContract({
13557
+ name: "create_epistemic_node",
10913
13558
  kind: "mutation",
10914
- domain: "topics",
13559
+ domain: "nodes",
10915
13560
  surfaceClass: "platform_public",
10916
- path: "/topics",
10917
- sdkNamespace: "topics",
10918
- sdkMethod: "createTopic",
10919
- summary: "Create a topic.",
13561
+ path: "/nodes",
13562
+ sdkNamespace: "nodes",
13563
+ sdkMethod: "createEpistemicNode",
13564
+ summary: "Create a generic epistemic graph node.",
10920
13565
  convex: {
10921
- module: "topics",
13566
+ module: "nodes",
10922
13567
  functionName: "create",
10923
13568
  kind: "mutation",
10924
- inputProjection: withCreatedBy
10925
- }
13569
+ inputProjection: createNodeInput
13570
+ },
13571
+ args: createEpistemicNodeArgs
10926
13572
  }),
10927
13573
  surfaceContract({
10928
- name: "get_topic",
13574
+ name: "get_epistemic_node",
10929
13575
  kind: "query",
10930
- domain: "topics",
13576
+ domain: "nodes",
10931
13577
  surfaceClass: "platform_public",
10932
13578
  method: "GET",
10933
- path: "/topics/get",
10934
- sdkNamespace: "topics",
10935
- sdkMethod: "getTopic",
10936
- summary: "Get a topic.",
13579
+ path: "/nodes/get",
13580
+ sdkNamespace: "nodes",
13581
+ sdkMethod: "getEpistemicNode",
13582
+ summary: "Get a generic epistemic graph node.",
10937
13583
  convex: {
10938
- module: "topics",
13584
+ module: "nodes",
10939
13585
  functionName: "get",
10940
13586
  kind: "query",
10941
- inputProjection: topicIdInput
10942
- }
13587
+ inputProjection: getNodeInput
13588
+ },
13589
+ args: getEpistemicNodeArgs
10943
13590
  }),
10944
13591
  surfaceContract({
10945
- name: "list_topics",
13592
+ name: "list_epistemic_nodes",
10946
13593
  kind: "query",
10947
- domain: "topics",
13594
+ domain: "nodes",
10948
13595
  surfaceClass: "platform_public",
10949
13596
  method: "GET",
10950
- path: "/topics",
10951
- sdkNamespace: "topics",
10952
- sdkMethod: "listTopics",
10953
- summary: "List topics.",
13597
+ path: "/nodes",
13598
+ sdkNamespace: "nodes",
13599
+ sdkMethod: "listEpistemicNodes",
13600
+ summary: "List generic epistemic graph nodes.",
10954
13601
  convex: {
10955
- module: "topics",
13602
+ module: "nodes",
10956
13603
  functionName: "list",
10957
- kind: "query"
10958
- }
13604
+ kind: "query",
13605
+ inputProjection: listNodesInput
13606
+ },
13607
+ args: listEpistemicNodesArgs
10959
13608
  }),
10960
13609
  surfaceContract({
10961
- name: "update_topic",
13610
+ name: "update_epistemic_node",
10962
13611
  kind: "mutation",
10963
- domain: "topics",
13612
+ domain: "nodes",
10964
13613
  surfaceClass: "platform_public",
10965
13614
  method: "PATCH",
10966
- path: "/topics",
10967
- sdkNamespace: "topics",
10968
- sdkMethod: "updateTopic",
10969
- summary: "Update a topic.",
13615
+ path: "/nodes",
13616
+ sdkNamespace: "nodes",
13617
+ sdkMethod: "updateEpistemicNode",
13618
+ summary: "Update a generic epistemic graph node.",
10970
13619
  convex: {
10971
- module: "topics",
13620
+ module: "nodes",
10972
13621
  functionName: "update",
10973
13622
  kind: "mutation",
10974
- inputProjection: updateTopicInput
13623
+ inputProjection: updateNodeInput
10975
13624
  },
10976
- args: updateTopicArgs
13625
+ args: updateEpistemicNodeArgs
10977
13626
  }),
10978
13627
  surfaceContract({
10979
- name: "get_topic_tree",
10980
- kind: "query",
10981
- domain: "topics",
13628
+ name: "archive_epistemic_node",
13629
+ kind: "mutation",
13630
+ domain: "nodes",
10982
13631
  surfaceClass: "platform_public",
10983
- method: "GET",
10984
- path: "/topics/tree",
10985
- sdkNamespace: "topics",
10986
- sdkMethod: "getTopicTree",
10987
- summary: "Get a topic tree.",
13632
+ path: "/nodes/archive",
13633
+ sdkNamespace: "nodes",
13634
+ sdkMethod: "archiveEpistemicNode",
13635
+ summary: "Archive a generic epistemic graph node.",
10988
13636
  convex: {
10989
- module: "topics",
10990
- functionName: "getTree",
10991
- kind: "query"
10992
- }
13637
+ module: "nodes",
13638
+ functionName: "archive",
13639
+ kind: "mutation",
13640
+ inputProjection: archiveNodeInput
13641
+ },
13642
+ args: archiveEpistemicNodeArgs
13643
+ }),
13644
+ surfaceContract({
13645
+ name: "verify_epistemic_node",
13646
+ kind: "mutation",
13647
+ domain: "nodes",
13648
+ surfaceClass: "platform_public",
13649
+ path: "/nodes/verify",
13650
+ sdkNamespace: "nodes",
13651
+ sdkMethod: "verifyEpistemicNode",
13652
+ summary: "Verify a generic epistemic graph node.",
13653
+ convex: {
13654
+ module: "nodes",
13655
+ functionName: "verify",
13656
+ kind: "mutation",
13657
+ inputProjection: verifyNodeInput
13658
+ },
13659
+ args: verifyEpistemicNodeArgs
13660
+ }),
13661
+ surfaceContract({
13662
+ name: "supersede_epistemic_node",
13663
+ kind: "mutation",
13664
+ domain: "nodes",
13665
+ surfaceClass: "platform_public",
13666
+ path: "/nodes/supersede",
13667
+ sdkNamespace: "nodes",
13668
+ sdkMethod: "supersedeEpistemicNode",
13669
+ summary: "Supersede a generic epistemic graph node.",
13670
+ convex: {
13671
+ module: "nodes",
13672
+ functionName: "supersede",
13673
+ kind: "mutation",
13674
+ inputProjection: supersedeNodeInput
13675
+ },
13676
+ args: supersedeEpistemicNodeArgs
13677
+ }),
13678
+ surfaceContract({
13679
+ name: "batch_create_epistemic_nodes",
13680
+ kind: "mutation",
13681
+ domain: "nodes",
13682
+ surfaceClass: "platform_public",
13683
+ path: "/nodes/batch",
13684
+ sdkNamespace: "nodes",
13685
+ sdkMethod: "batchCreateEpistemicNodes",
13686
+ summary: "Batch create generic epistemic graph nodes.",
13687
+ convex: {
13688
+ module: "nodes",
13689
+ functionName: "batchCreate",
13690
+ kind: "mutation",
13691
+ inputProjection: batchCreateNodesInput
13692
+ },
13693
+ args: batchCreateEpistemicNodesArgs
10993
13694
  })
10994
13695
  ];
10995
13696
  var lensPerspectiveSchema = z.enum([
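Review bot: `trustedBypassAccessCheck` is declared in the public args for create, update, archive and supersede. `updateNodeInput`, `archiveNodeInput` and `supersedeNodeInput` copy it straight from the request into the Convex call, so on these `platform_public` surfaces the caller decides whether the access check is skipped. `createNodeInput` already leaves the flag out. The other three should do the same by deleting `trustedBypassAccessCheck: input.trustedBypassAccessCheck` and the matching `trustedBypassAccessCheck: z.boolean().optional()` schema lines, with any trusted path setting it server-side from the authenticated principal. Whether the `nodes` module honours the flag from an untrusted caller cannot be seen from here. `supersedeNodeInput` also prefers a caller-supplied `createdBy` over `authUserId(context)`, which lets the request choose the recorded author.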
@@ -11349,6 +14050,19 @@ var worktreeEvidenceSignalInputSchema = z.object({
11349
14050
  progress: z.string().optional().describe("Collection progress note for the signal."),
11350
14051
  notes: z.string().optional().describe("Additional evidence collection notes.")
11351
14052
  }).passthrough().describe("Evidence signal embedded in the worktree plan.");
14053
+ var worktreeDocCompanionTargetSchema = z.object({
14054
+ docPath: z.string().describe(
14055
+ "Repo-relative path to a documentation file the worktree promises to update."
14056
+ ),
14057
+ sectionAnchor: z.string().optional().describe(
14058
+ "Markdown heading anchor (e.g. '## Function-surface manifest') that scopes the promised update."
14059
+ ),
14060
+ reason: z.string().describe(
14061
+ "Why this doc section must be updated for the worktree to be complete."
14062
+ )
14063
+ }).passthrough().describe(
14064
+ "Intent-driven docs companion target. pr-gate-reviewer verifies that the PR actually touches each declared (docPath, sectionAnchor). Distinct from the touch-driven docs-loop. See docs/development/docs-sync-discipline.md Lock 3."
14065
+ );
11352
14066
  var worktreeDecisionGateInputSchema = z.object({
11353
14067
  goCriteria: z.array(z.string()).describe("Criteria that must hold for the worktree to proceed."),
11354
14068
  noGoSignals: z.array(z.string()).describe("Signals that stop or redirect the worktree."),
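Review bot: `docPath` is described as repo-relative, but the schema is a bare `z.string()`. An absolute path or one containing `..` segments therefore passes validation and reaches whatever consumes the target (the description names pr-gate-reviewer). A refinement at the schema keeps that invariant in one place, e.g. `docPath: z.string().min(1).refine((p) => !p.startsWith("/") && !p.split("/").includes(".."), "docPath must be repo-relative")`. `.passthrough()` also forwards undeclared keys to the consumer. That may be intentional, since the sibling evidence-signal schema uses it too, but it deserves a comment saying so.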
@@ -11381,6 +14095,9 @@ var addWorktreeArgs = z.object({
11381
14095
  keyQuestions: z.array(worktreeKeyQuestionInputSchema).optional().describe("Inline key questions captured as part of the worktree plan."),
11382
14096
  evidenceSignals: z.array(worktreeEvidenceSignalInputSchema).optional().describe("Evidence signals the worktree needs to collect or validate."),
11383
14097
  decisionGate: worktreeDecisionGateInputSchema.optional(),
14098
+ docCompanionTargets: z.array(worktreeDocCompanionTargetSchema).optional().describe(
14099
+ "Doc sections the worktree promises to update at PR time. Enforced by pr-gate-reviewer (Lock 3)."
14100
+ ),
11384
14101
  goCriteria: z.array(z.string()).optional().describe("Shorthand go criteria used to build decisionGate."),
11385
14102
  noGoSignals: z.array(z.string()).optional().describe("Shorthand no-go signals used to build decisionGate."),
11386
14103
  proofArtifacts: z.array(z.unknown()).optional().describe("Expected proof artifacts required to close the worktree."),
@@ -11744,7 +14461,21 @@ var createTaskArgs = z.object({
11744
14461
  linkedQuestionId: z.string().optional().describe("Question this task addresses."),
11745
14462
  assigneeId: z.string().optional().describe("Principal assigned to the task."),
11746
14463
  dueDate: z.number().optional().describe("Due date as epoch milliseconds."),
11747
- tags: z.array(z.string()).optional().describe("Free-form tags.")
14464
+ tags: z.array(z.string()).optional().describe("Free-form tags."),
14465
+ metadata: z.record(z.unknown()).optional().describe("Structured task metadata for handoff context and routing hints.")
14466
+ });
14467
+ var updateTaskArgs = z.object({
14468
+ taskId: z.string().describe("Task to update."),
14469
+ title: z.string().optional().describe("Updated task title."),
14470
+ description: z.string().optional().describe("Updated task description."),
14471
+ priority: taskPrioritySchema.optional().describe("Updated priority."),
14472
+ status: taskStatusSchema2.optional().describe("Updated status."),
14473
+ linkedWorktreeId: z.string().optional().describe("Worktree this task belongs to."),
14474
+ linkedBeliefId: z.string().optional().describe("Belief this task supports."),
14475
+ linkedQuestionId: z.string().optional().describe("Question this task addresses."),
14476
+ assigneeId: z.string().optional().describe("Principal assigned to the task."),
14477
+ blockedReason: z.string().optional().describe("Reason the task is blocked or deferred."),
14478
+ metadata: z.record(z.unknown()).optional().describe("Structured task metadata for handoff context and routing hints.")
11748
14479
  });
11749
14480
  var createTaskInput = (input) => compactRecord4({
11750
14481
  title: input.title,
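Review bot: `updateTaskArgs` omits `dueDate` and `tags`, which `createTaskArgs` accepts, and a later tasksContracts hunk binds `update_task` to it with `args: updateTaskArgs`. If the gateway parses input with that schema (not visible here), a default `z.object` strips unknown keys instead of rejecting them, so updates to those two fields would be dropped silently. If that is not intended, add `dueDate: z.number().optional()` and `tags: z.array(z.string()).optional()`. Separately, `metadata: z.record(z.unknown())` on both schemas accepts values of any size and depth; a comment naming the expected keys, or a size cap where the record is stored, would make the contract reviewable.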
@@ -11758,7 +14489,8 @@ var createTaskInput = (input) => compactRecord4({
11758
14489
  linkedQuestionId: input.linkedQuestionId,
11759
14490
  assigneeId: input.assigneeId,
11760
14491
  dueDate: input.dueDate,
11761
- tags: input.tags
14492
+ tags: input.tags,
14493
+ metadata: input.metadata
11762
14494
  });
11763
14495
  var taskInput = (input) => compactRecord4({
11764
14496
  ...input,
@@ -11775,8 +14507,7 @@ var taskTopicInput = (input) => {
11775
14507
  };
11776
14508
  var completeTaskInput = (input) => compactRecord4({
11777
14509
  taskId: input.taskId ?? input.id,
11778
- outputSummary: input.outputSummary ?? input.summary,
11779
- userId: input.userId
14510
+ outputSummary: input.outputSummary ?? input.summary
11780
14511
  });
11781
14512
  var tasksContracts = [
11782
14513
  surfaceContract({
@@ -11794,6 +14525,7 @@ var tasksContracts = [
11794
14525
  kind: "mutation",
11795
14526
  inputProjection: createTaskInput
11796
14527
  },
14528
+ gateway: { handler: "tasks.create" },
11797
14529
  args: createTaskArgs
11798
14530
  }),
11799
14531
  surfaceContract({
@@ -11812,6 +14544,7 @@ var tasksContracts = [
11812
14544
  kind: "query",
11813
14545
  inputProjection: taskTopicInput
11814
14546
  },
14547
+ gateway: { handler: "tasks.list" },
11815
14548
  args: listTasksInputSchema
11816
14549
  }),
11817
14550
  surfaceContract({
@@ -11829,7 +14562,9 @@ var tasksContracts = [
11829
14562
  functionName: "update",
11830
14563
  kind: "mutation",
11831
14564
  inputProjection: taskInput
11832
- }
14565
+ },
14566
+ gateway: { handler: "tasks.update" },
14567
+ args: updateTaskArgs
11833
14568
  }),
11834
14569
  surfaceContract({
11835
14570
  name: "complete_task",
@@ -11845,12 +14580,14 @@ var tasksContracts = [
11845
14580
  functionName: "complete",
11846
14581
  kind: "mutation",
11847
14582
  inputProjection: completeTaskInput
11848
- }
14583
+ },
14584
+ gateway: { handler: "tasks.complete" }
11849
14585
  })
11850
14586
  ];
11851
14587
  var CREATE_EDGE_TYPES = edgePolicyManifest.policies.map(
11852
14588
  (policy) => policy.edgeType
11853
14589
  );
14590
+ var REASONING_METHOD_TYPES = [...REASONING_METHODS];
11854
14591
  var createEdgeArgs = z.object({
11855
14592
  from: GraphRefSchema,
11856
14593
  to: GraphRefSchema,
@@ -11860,10 +14597,37 @@ var createEdgeArgs = z.object({
11860
14597
  confidence: z.number().optional(),
11861
14598
  context: z.string().optional(),
11862
14599
  reasoning: z.string().optional(),
14600
+ reasoningMethod: z.enum(REASONING_METHOD_TYPES).optional(),
11863
14601
  derivationType: z.string().optional(),
14602
+ metadata: z.record(z.unknown()).optional(),
11864
14603
  topicId: z.string().optional(),
11865
14604
  trustedBypassAccessCheck: z.boolean().optional()
11866
14605
  });
14606
+ var updateEdgeArgs = z.object({
14607
+ edgeId: z.string().describe("Edge ID or global ID."),
14608
+ weight: z.number().optional(),
14609
+ confidence: z.number().optional(),
14610
+ context: z.string().optional(),
14611
+ reasoning: z.string().optional(),
14612
+ derivationType: z.string().optional(),
14613
+ metadata: z.record(z.unknown()).optional(),
14614
+ userId: z.string().optional()
14615
+ });
14616
+ var removeEdgeArgs = z.object({
14617
+ edgeId: z.string().describe("Edge ID or global ID."),
14618
+ userId: z.string().optional()
14619
+ });
14620
+ var removeEdgesBetweenArgs = z.object({
14621
+ from: GraphRefSchema.optional(),
14622
+ to: GraphRefSchema.optional(),
14623
+ fromNodeId: z.string().optional(),
14624
+ toNodeId: z.string().optional(),
14625
+ edgeType: z.enum(CREATE_EDGE_TYPES).optional()
14626
+ });
14627
+ var batchCreateEdgesArgs = z.object({
14628
+ edges: z.array(createEdgeArgs),
14629
+ skipLayerValidation: z.boolean().optional()
14630
+ });
11867
14631
  var queryLineageArgs = z.object({
11868
14632
  nodeId: z.string().describe("Starting node to trace from."),
11869
14633
  startNode: z.string().optional().describe("Starting node alias accepted by traversal callers."),
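Review bot: `updateEdgeArgs` and `removeEdgeArgs` both accept a caller-supplied `userId`, and the `update_edge` / `remove_edge` projections added in the edgesContracts hunk below resolve it as `input.userId ?? context.userId ?? context.principalId`. On a `platform_public` surface the request body therefore wins over the authenticated context when the actor is recorded, so unless the backend mutation re-derives the actor (not visible here) a caller can attribute an edit or removal to another principal. This commit already drops `userId` from `completeTaskInput`; the same treatment here is to remove `userId` from both schemas and project `userId: context.userId ?? context.principalId`. `batchCreateEdgesArgs` reuses `createEdgeArgs`, so each element still accepts `trustedBypassAccessCheck`; the batch projection does not forward it, and a comment saying so would keep it from being re-added by mistake.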
@@ -11912,7 +14676,9 @@ var edgesContracts = [
11912
14676
  weight: parsed.weight,
11913
14677
  confidence: parsed.confidence,
11914
14678
  context: parsed.context ?? parsed.reasoning,
14679
+ reasoningMethod: parsed.reasoningMethod,
11915
14680
  derivationType: parsed.derivationType,
14681
+ metadata: parsed.metadata,
11916
14682
  skipLayerValidation: true,
11917
14683
  topicId: parsed.topicId,
11918
14684
  trustedBypassAccessCheck: parsed.trustedBypassAccessCheck
@@ -11923,6 +14689,131 @@ var edgesContracts = [
11923
14689
  },
11924
14690
  args: createEdgeArgs
11925
14691
  }),
14692
+ surfaceContract({
14693
+ name: "update_edge",
14694
+ kind: "mutation",
14695
+ domain: "edges",
14696
+ surfaceClass: "platform_public",
14697
+ method: "PATCH",
14698
+ path: "/edges",
14699
+ sdkNamespace: "edges",
14700
+ sdkMethod: "updateEdge",
14701
+ summary: "Update an epistemic edge.",
14702
+ convex: {
14703
+ module: "edges",
14704
+ functionName: "update",
14705
+ kind: "mutation",
14706
+ inputProjection: (input, context) => compactRecord4({
14707
+ edgeId: input.edgeId,
14708
+ weight: input.weight,
14709
+ confidence: input.confidence,
14710
+ context: input.context ?? input.reasoning,
14711
+ derivationType: input.derivationType,
14712
+ metadata: input.metadata,
14713
+ userId: input.userId ?? context.userId ?? context.principalId
14714
+ })
14715
+ },
14716
+ args: updateEdgeArgs
14717
+ }),
14718
+ surfaceContract({
14719
+ name: "remove_edge",
14720
+ kind: "mutation",
14721
+ domain: "edges",
14722
+ surfaceClass: "platform_public",
14723
+ method: "DELETE",
14724
+ path: "/edges",
14725
+ sdkNamespace: "edges",
14726
+ sdkMethod: "removeEdge",
14727
+ summary: "Remove an epistemic edge.",
14728
+ convex: {
14729
+ module: "edges",
14730
+ functionName: "remove",
14731
+ kind: "mutation",
14732
+ inputProjection: (input, context) => compactRecord4({
14733
+ edgeId: input.edgeId,
14734
+ userId: input.userId ?? context.userId ?? context.principalId
14735
+ })
14736
+ },
14737
+ args: removeEdgeArgs
14738
+ }),
14739
+ surfaceContract({
14740
+ name: "remove_edges_between",
14741
+ kind: "mutation",
14742
+ domain: "edges",
14743
+ surfaceClass: "platform_public",
14744
+ method: "DELETE",
14745
+ path: "/edges/between",
14746
+ sdkNamespace: "edges",
14747
+ sdkMethod: "removeEdgesBetween",
14748
+ summary: "Remove epistemic edges between two nodes.",
14749
+ convex: {
14750
+ module: "edges",
14751
+ functionName: "removeBetween",
14752
+ kind: "mutation",
14753
+ inputProjection: (input) => {
14754
+ const parsed = removeEdgesBetweenArgs.parse(input);
14755
+ const fromNodeId = parsed.from ? graphRefNodeId(parsed.from) : parsed.fromNodeId;
14756
+ const toNodeId = parsed.to ? graphRefNodeId(parsed.to) : parsed.toNodeId;
14757
+ if (!fromNodeId || !toNodeId) {
14758
+ throw new Error("from/to or fromNodeId/toNodeId are required.");
14759
+ }
14760
+ return compactRecord4({
14761
+ fromNodeId,
14762
+ toNodeId,
14763
+ edgeType: parsed.edgeType
14764
+ });
14765
+ }
14766
+ },
14767
+ args: removeEdgesBetweenArgs
14768
+ }),
14769
+ surfaceContract({
14770
+ name: "batch_create_edges",
14771
+ kind: "mutation",
14772
+ domain: "edges",
14773
+ surfaceClass: "platform_public",
14774
+ path: "/edges/batch",
14775
+ sdkNamespace: "edges",
14776
+ sdkMethod: "batchCreateEdges",
14777
+ summary: "Batch create epistemic edges.",
14778
+ convex: {
14779
+ module: "edges",
14780
+ functionName: "batchCreate",
14781
+ kind: "mutation",
14782
+ inputProjection: (input, context) => {
14783
+ const parsed = batchCreateEdgesArgs.parse(input);
14784
+ return {
14785
+ skipLayerValidation: parsed.skipLayerValidation ?? true,
14786
+ edges: parsed.edges.map((edge) => {
14787
+ assertEdgePolicyAllowed(
14788
+ edgePolicyManifest,
14789
+ edge.edgeType,
14790
+ edge.from,
14791
+ edge.to
14792
+ );
14793
+ const fromNodeId = graphRefNodeId(edge.from);
14794
+ const toNodeId = graphRefNodeId(edge.to);
14795
+ return withCreatedBy(
14796
+ compactRecord4({
14797
+ fromNodeId,
14798
+ toNodeId,
14799
+ edgeType: edge.edgeType,
14800
+ globalId: edge.globalId ?? `edge:${fromNodeId}:${toNodeId}:${edge.edgeType}`,
14801
+ weight: edge.weight,
14802
+ confidence: edge.confidence,
14803
+ context: edge.context ?? edge.reasoning,
14804
+ reasoningMethod: edge.reasoningMethod,
14805
+ derivationType: edge.derivationType,
14806
+ metadata: edge.metadata,
14807
+ topicId: edge.topicId
14808
+ }),
14809
+ context
14810
+ );
14811
+ })
14812
+ };
14813
+ }
14814
+ },
14815
+ args: batchCreateEdgesArgs
14816
+ }),
11926
14817
  surfaceContract({
11927
14818
  name: "query_lineage",
11928
14819
  kind: "query",
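Review bot: `batch_create_edges` projects `skipLayerValidation: parsed.skipLayerValidation ?? true`, so layer validation is off by default and the choice is left to the caller of a `platform_public` mutation; if that check is meant to hold for external callers, fix the value server-side or default it to `false`. `edges` is an unbounded `z.array(createEdgeArgs)` and the projection runs `assertEdgePolicyAllowed` per element, so a cap such as `z.array(createEdgeArgs).min(1).max(MAX_BATCH_EDGES)` (placeholder constant) would bound the work per request. The entry also declares no `method`, unlike the other three contracts added here. `remove_edges_between` is the only new mutation whose projection ignores `context`, and with `edgeType` omitted it addresses every edge between the two nodes, so confirm the backend records the actor on its own.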
@@ -12645,6 +15536,69 @@ var pipelineContracts = [
12645
15536
  }
12646
15537
  })
12647
15538
  ];
15539
+ function isRecord3(value) {
15540
+ return Boolean(value) && typeof value === "object" && !Array.isArray(value);
15541
+ }
15542
+ function stringValues(value) {
15543
+ if (typeof value === "string") {
15544
+ return [value];
15545
+ }
15546
+ if (Array.isArray(value)) {
15547
+ return value.flatMap((item) => stringValues(item));
15548
+ }
15549
+ return [];
15550
+ }
15551
+ function nestedEvidenceRows(value) {
15552
+ if (Array.isArray(value)) {
15553
+ return value.flatMap((item) => nestedEvidenceRows(item));
15554
+ }
15555
+ if (!isRecord3(value)) {
15556
+ return [];
15557
+ }
15558
+ const nestedKeys = ["evidence", "items", "nodes"];
15559
+ const nestedRows = nestedKeys.flatMap((key) => nestedEvidenceRows(value[key]));
15560
+ return nestedRows.length > 0 ? nestedRows : [value];
15561
+ }
15562
+ function isFailedAttemptRow(row) {
15563
+ const metadata = isRecord3(row.metadata) ? row.metadata : null;
15564
+ return metadata?.failedApproach === true || metadata?.isFailedAttempt === true;
15565
+ }
15566
+ function failureLogSearchFields(row) {
15567
+ const metadata = isRecord3(row.metadata) ? row.metadata : null;
15568
+ return [
15569
+ ...stringValues(row.id),
15570
+ ...stringValues(row._id),
15571
+ ...stringValues(row.title),
15572
+ ...stringValues(row.text),
15573
+ ...stringValues(row.canonicalText),
15574
+ ...stringValues(row.content),
15575
+ ...stringValues(metadata?.codeAnchor),
15576
+ ...stringValues(metadata?.codeAnchors),
15577
+ ...stringValues(metadata?.anchor),
15578
+ ...stringValues(metadata?.anchors),
15579
+ ...stringValues(metadata?.filePath),
15580
+ ...stringValues(metadata?.filePaths),
15581
+ ...stringValues(metadata?.path),
15582
+ ...stringValues(metadata?.paths),
15583
+ ...stringValues(metadata?.sourceRef),
15584
+ ...stringValues(metadata?.touchedPaths)
15585
+ ];
15586
+ }
15587
+ function projectFailureLog(output, input) {
15588
+ const rawQuery = typeof input.query === "string" && input.query.trim().length > 0 ? input.query.trim() : void 0;
15589
+ const searchKey = rawQuery?.toLowerCase();
15590
+ const failures = nestedEvidenceRows(output).filter((row) => isFailedAttemptRow(row)).filter(
15591
+ (row) => !searchKey ? true : failureLogSearchFields(row).some(
15592
+ (field) => field.toLowerCase().includes(searchKey)
15593
+ )
15594
+ );
15595
+ return {
15596
+ query: rawQuery,
15597
+ failures,
15598
+ totalFound: failures.length,
15599
+ showing: failures.length
15600
+ };
15601
+ }
12648
15602
  var recordScopeLearningArgs = z.object({
12649
15603
  topicId: z.string().optional().describe("Topic scope ID"),
12650
15604
  summary: z.string().describe("Atomic learning statement"),
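Review bot: `projectFailureLog` applies the `query` filter to whatever the backend returned, and the visible part of the input projection in the codingContracts hunk forwards `limit: input.limit`, so the filter appears to run after the page is cut. A failed attempt that matches the query but falls outside that page is never found, and `totalFound` is always equal to `showing`. Either push the query down to the backend or document the limit, e.g. `// totalFound counts matches within the fetched page only`. `input.query` is read without a guard, so `input?.query` would avoid a throw on an undefined input. `stringValues` and `nestedEvidenceRows` recurse with no depth bound, which is acceptable only while `output` has a trusted backend shape.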
@@ -12734,6 +15688,8 @@ var attemptInput = (input, context) => withUserId(
12734
15688
  tags: ["code_attempt"],
12735
15689
  metadata: compactRecord4({
12736
15690
  ...recordValue2(input.metadata),
15691
+ failedApproach: true,
15692
+ isFailedAttempt: true,
12737
15693
  filePaths: input.filePaths,
12738
15694
  filePath: input.filePath,
12739
15695
  errorMessage: input.errorMessage,
@@ -12864,7 +15820,8 @@ var codingContracts = [
12864
15820
  limit: input.limit,
12865
15821
  status: input.status,
12866
15822
  userId: input.userId
12867
- })
15823
+ }),
15824
+ outputProjection: (output, input) => projectFailureLog(output, input)
12868
15825
  }
12869
15826
  })
12870
15827
  ];
@@ -12901,6 +15858,7 @@ var ALL_FUNCTION_CONTRACTS = [
12901
15858
  ...evidenceContracts,
12902
15859
  ...questionsContracts,
12903
15860
  ...topicsContracts,
15861
+ ...nodesContracts,
12904
15862
  ...lensesContracts,
12905
15863
  ...ontologiesContracts,
12906
15864
  ...worktreesContracts,
@@ -13076,6 +16034,13 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13076
16034
  copyMode: "none",
13077
16035
  description: "Deliberation sessions are created by tenant workflows."
13078
16036
  },
16037
+ {
16038
+ component: "kernel",
16039
+ table: "domainEvents",
16040
+ prepopulation: "runtime_log",
16041
+ copyMode: "none",
16042
+ description: "Domain event rows are append-only runtime audit/exhaust data."
16043
+ },
13079
16044
  {
13080
16045
  component: "kernel",
13081
16046
  table: "epistemicAudit",
@@ -13325,14 +16290,14 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13325
16290
  description: "Worktrees are tenant/runtime planning data."
13326
16291
  },
13327
16292
  {
13328
- component: "identity",
16293
+ component: "control-plane",
13329
16294
  table: "agents",
13330
16295
  prepopulation: "runtime_bootstrap",
13331
16296
  copyMode: "none",
13332
16297
  description: "Service agents are provisioned per tenant or service, not copied."
13333
16298
  },
13334
16299
  {
13335
- component: "identity",
16300
+ component: "control-plane",
13336
16301
  table: "mcpWritePolicy",
13337
16302
  prepopulation: "required_template",
13338
16303
  copyMode: "template_global",
@@ -13341,14 +16306,14 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13341
16306
  description: "Global write policy defaults govern service and interactive MCP writes."
13342
16307
  },
13343
16308
  {
13344
- component: "identity",
16309
+ component: "control-plane",
13345
16310
  table: "modelCallLogs",
13346
16311
  prepopulation: "runtime_log",
13347
16312
  copyMode: "none",
13348
16313
  description: "Model call logs are runtime telemetry."
13349
16314
  },
13350
16315
  {
13351
- component: "identity",
16316
+ component: "control-plane",
13352
16317
  table: "modelFunctionSlots",
13353
16318
  prepopulation: "required_template",
13354
16319
  copyMode: "template_global",
@@ -13357,7 +16322,7 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13357
16322
  description: "Function-to-model slots are required by model runtime resolution."
13358
16323
  },
13359
16324
  {
13360
- component: "identity",
16325
+ component: "control-plane",
13361
16326
  table: "modelRegistry",
13362
16327
  prepopulation: "required_template",
13363
16328
  copyMode: "template_global",
@@ -13366,7 +16331,7 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13366
16331
  description: "Model catalog defaults are required by model runtime clients."
13367
16332
  },
13368
16333
  {
13369
- component: "identity",
16334
+ component: "control-plane",
13370
16335
  table: "modelSlotConfigs",
13371
16336
  prepopulation: "required_template",
13372
16337
  copyMode: "template_global",
@@ -13375,14 +16340,105 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13375
16340
  description: "Slot-level defaults are required before tenant overrides exist."
13376
16341
  },
13377
16342
  {
13378
- component: "identity",
16343
+ component: "control-plane",
16344
+ table: "permitAccessReviewItems",
16345
+ prepopulation: "runtime_data",
16346
+ copyMode: "none",
16347
+ description: "Permit access-review item rows are tenant review data projected from Permit."
16348
+ },
16349
+ {
16350
+ component: "control-plane",
16351
+ table: "permitAccessReviews",
16352
+ prepopulation: "runtime_data",
16353
+ copyMode: "none",
16354
+ description: "Permit access-review campaigns are tenant review data projected from Permit."
16355
+ },
16356
+ {
16357
+ component: "control-plane",
16358
+ table: "permitAttributeBindings",
16359
+ prepopulation: "runtime_data",
16360
+ copyMode: "none",
16361
+ description: "Permit ABAC attribute bindings are tenant policy projection rows."
16362
+ },
16363
+ {
16364
+ component: "control-plane",
16365
+ table: "permitGroups",
16366
+ prepopulation: "runtime_data",
16367
+ copyMode: "none",
16368
+ description: "Permit groups are tenant-defined policy subjects, not template data."
16369
+ },
16370
+ {
16371
+ component: "control-plane",
16372
+ table: "permitGroupMemberships",
16373
+ prepopulation: "runtime_data",
16374
+ copyMode: "none",
16375
+ description: "Permit group memberships are tenant-specific policy projection rows."
16376
+ },
16377
+ {
16378
+ component: "control-plane",
16379
+ table: "permitPolicyBundles",
16380
+ prepopulation: "runtime_derived",
16381
+ copyMode: "none",
16382
+ description: "Permit policy bundles are derived from the Permit control plane."
16383
+ },
16384
+ {
16385
+ component: "control-plane",
16386
+ table: "permitPolicyDecisionReceipts",
16387
+ prepopulation: "runtime_log",
16388
+ copyMode: "none",
16389
+ description: "Permit decision receipts are runtime authorization audit logs."
16390
+ },
16391
+ {
16392
+ component: "control-plane",
16393
+ table: "permitPrincipalAliases",
16394
+ prepopulation: "runtime_data",
16395
+ copyMode: "none",
16396
+ description: "Permit principal aliases are tenant-specific identity projection rows."
16397
+ },
16398
+ {
16399
+ component: "control-plane",
16400
+ table: "permitPrincipals",
16401
+ prepopulation: "runtime_data",
16402
+ copyMode: "none",
16403
+ description: "Permit principals are projected from Clerk, Permit, and tenant onboarding flows."
16404
+ },
16405
+ {
16406
+ component: "control-plane",
16407
+ table: "permitProjectionOutbox",
16408
+ prepopulation: "runtime_queue",
16409
+ copyMode: "none",
16410
+ description: "Permit projection outbox rows are runtime sync queue data."
16411
+ },
16412
+ {
16413
+ component: "control-plane",
16414
+ table: "permitRelationshipTuples",
16415
+ prepopulation: "runtime_data",
16416
+ copyMode: "none",
16417
+ description: "Permit ReBAC relationship tuples are tenant policy projection rows."
16418
+ },
16419
+ {
16420
+ component: "control-plane",
16421
+ table: "permitResourceInstances",
16422
+ prepopulation: "runtime_data",
16423
+ copyMode: "none",
16424
+ description: "Permit resource instances are tenant/workspace graph and deployment projection rows."
16425
+ },
16426
+ {
16427
+ component: "control-plane",
16428
+ table: "permitRoleAssignments",
16429
+ prepopulation: "runtime_data",
16430
+ copyMode: "none",
16431
+ description: "Permit role assignments are tenant-specific policy projection rows."
16432
+ },
16433
+ {
16434
+ component: "control-plane",
13379
16435
  table: "platformAudienceGrants",
13380
16436
  prepopulation: "runtime_data",
13381
16437
  copyMode: "none",
13382
16438
  description: "Audience grants are principal/group-specific access rows."
13383
16439
  },
13384
16440
  {
13385
- component: "identity",
16441
+ component: "control-plane",
13386
16442
  table: "platformAudiences",
13387
16443
  prepopulation: "required_template",
13388
16444
  copyMode: "template_tenant_rewrite",
@@ -13391,35 +16447,35 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13391
16447
  description: "Default tenant audience taxonomy rows are rewritten into each tenant."
13392
16448
  },
13393
16449
  {
13394
- component: "identity",
16450
+ component: "control-plane",
13395
16451
  table: "platformPolicyDecisionLogs",
13396
16452
  prepopulation: "runtime_log",
13397
16453
  copyMode: "none",
13398
16454
  description: "Policy decisions are runtime audit logs."
13399
16455
  },
13400
16456
  {
13401
- component: "identity",
16457
+ component: "control-plane",
13402
16458
  table: "projectGrants",
13403
16459
  prepopulation: "runtime_data",
13404
16460
  copyMode: "none",
13405
16461
  description: "Project/topic grants are principal or group-specific access rows."
13406
16462
  },
13407
16463
  {
13408
- component: "identity",
16464
+ component: "control-plane",
13409
16465
  table: "reasoningPermissions",
13410
16466
  prepopulation: "runtime_data",
13411
16467
  copyMode: "none",
13412
16468
  description: "Reasoning permissions are principal-specific policy rows."
13413
16469
  },
13414
16470
  {
13415
- component: "identity",
16471
+ component: "control-plane",
13416
16472
  table: "tenantApiKeys",
13417
16473
  prepopulation: "runtime_secret",
13418
16474
  copyMode: "none",
13419
16475
  description: "API keys are tenant credentials and must never be copied."
13420
16476
  },
13421
16477
  {
13422
- component: "identity",
16478
+ component: "control-plane",
13423
16479
  table: "tenantConfig",
13424
16480
  prepopulation: "required_template",
13425
16481
  copyMode: "template_tenant_rewrite",
@@ -13428,7 +16484,7 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13428
16484
  description: "Tenant-local config defaults are rewritten during bootstrap."
13429
16485
  },
13430
16486
  {
13431
- component: "identity",
16487
+ component: "control-plane",
13432
16488
  table: "tenantIntegrations",
13433
16489
  prepopulation: "required_template",
13434
16490
  copyMode: "template_tenant_rewrite",
@@ -13437,14 +16493,21 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13437
16493
  description: "Non-secret integration descriptors are rewritten into each tenant."
13438
16494
  },
13439
16495
  {
13440
- component: "identity",
16496
+ component: "control-plane",
13441
16497
  table: "tenantModelSlotBindings",
13442
16498
  prepopulation: "runtime_secret",
13443
16499
  copyMode: "none",
13444
16500
  description: "Tenant model slot bindings reference provider secrets and are runtime-only."
13445
16501
  },
13446
16502
  {
13447
- component: "identity",
16503
+ component: "control-plane",
16504
+ table: "tenantPermitSyncStates",
16505
+ prepopulation: "runtime_derived",
16506
+ copyMode: "none",
16507
+ description: "Tenant Permit sync state rows are runtime reconciliation state."
16508
+ },
16509
+ {
16510
+ component: "control-plane",
13448
16511
  table: "tenantPolicies",
13449
16512
  prepopulation: "required_template",
13450
16513
  copyMode: "template_tenant_rewrite",
@@ -13453,42 +16516,42 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13453
16516
  description: "Default tenant policy roles are rewritten during bootstrap."
13454
16517
  },
13455
16518
  {
13456
- component: "identity",
16519
+ component: "control-plane",
13457
16520
  table: "tenantProviderSecrets",
13458
16521
  prepopulation: "runtime_secret",
13459
16522
  copyMode: "none",
13460
16523
  description: "Provider secrets are credentials and must never be copied."
13461
16524
  },
13462
16525
  {
13463
- component: "identity",
16526
+ component: "control-plane",
13464
16527
  table: "tenantProxyGatewayUsage",
13465
16528
  prepopulation: "runtime_log",
13466
16529
  copyMode: "none",
13467
16530
  description: "Proxy gateway usage rows are runtime telemetry."
13468
16531
  },
13469
16532
  {
13470
- component: "identity",
16533
+ component: "control-plane",
13471
16534
  table: "tenantProxyTokenMints",
13472
16535
  prepopulation: "runtime_secret",
13473
16536
  copyMode: "none",
13474
16537
  description: "Proxy token mints are ephemeral secret-bearing runtime rows."
13475
16538
  },
13476
16539
  {
13477
- component: "identity",
16540
+ component: "control-plane",
13478
16541
  table: "tenantSandboxAuditEvents",
13479
16542
  prepopulation: "runtime_log",
13480
16543
  copyMode: "none",
13481
16544
  description: "Sandbox audit rows are runtime security logs."
13482
16545
  },
13483
16546
  {
13484
- component: "identity",
16547
+ component: "control-plane",
13485
16548
  table: "tenantSecrets",
13486
16549
  prepopulation: "runtime_secret",
13487
16550
  copyMode: "none",
13488
16551
  description: "Tenant secrets are credentials and must never be copied."
13489
16552
  },
13490
16553
  {
13491
- component: "identity",
16554
+ component: "control-plane",
13492
16555
  table: "toolAcls",
13493
16556
  prepopulation: "required_template",
13494
16557
  copyMode: "template_global",
@@ -13497,7 +16560,7 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13497
16560
  description: "Default role-to-tool grants are required for SDK/MCP tool access."
13498
16561
  },
13499
16562
  {
13500
- component: "identity",
16563
+ component: "control-plane",
13501
16564
  table: "toolRegistry",
13502
16565
  prepopulation: "required_template",
13503
16566
  copyMode: "template_global",
@@ -13506,7 +16569,7 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13506
16569
  description: "Core tool catalog rows are required before pack or tenant tools exist."
13507
16570
  },
13508
16571
  {
13509
- component: "identity",
16572
+ component: "control-plane",
13510
16573
  table: "users",
13511
16574
  prepopulation: "runtime_bootstrap",
13512
16575
  copyMode: "none",