@lucern/mcp 0.2.0-alpha.1 → 0.2.0-alpha.10
- package/dist/gateway.d.ts +769 -0
- package/dist/gateway.js +10054 -0
- package/dist/gateway.js.map +1 -0
- package/dist/index.d.ts +307 -0
- package/dist/index.js +3430 -1376
- package/dist/index.js.map +1 -1
- package/dist/runtime.d.ts +111 -0
- package/dist/runtime.js +2915 -0
- package/dist/runtime.js.map +1 -0
- package/package.json +16 -2
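--- a/package/dist/runtime.d.ts
+++ b/package/dist/runtime.d.ts
@@ -0,0 +1,111 @@
+import { AuthContext } from '@lucern/contracts';
+export { AuthContext } from '@lucern/contracts';
+import { ConvexHttpClient } from 'convex/browser';
+
+/**
+* Handler Types — shared types for MCP tool handlers.
+*/
+
+/**
+* An authenticated tool handler that receives session context as a second argument.
+*
+* New handlers should use this signature. Legacy handlers are adapted by the
+* withAuth wrapper — the dispatch layer passes (args, ctx) but existing
+* handlers only destructure args, silently ignoring ctx.
+*
+* Per Codex finding #7: context is passed via explicit (args, ctx) signature,
+* NOT via args.__auth injection.
+*/
+type AuthenticatedHandler = (args: Record<string, unknown>, ctx: AuthContext) => Promise<Record<string, unknown>>;
+
+/**
+* Handler Index — barrel file combining all handler modules into a single map.
+*
+* Each handler module exports a HandlerModule (Record<string, ToolHandler>)
+* keyed by MCP tool name. buildHandlerMap() merges them into a single lookup.
+*/
+
+/**
+* Build the complete handler map for all MCP tools.
+*/
+declare function buildHandlerMap(): Record<string, AuthenticatedHandler>;
+
+/**
+* Write Policy — S2-13K Graph Compounding
+*
+* Policy enforcement for MCP mutation tools.
+* Queries Convex write policies and tracks per-session write counts.
+*/
+
+/**
+* Check if a tool name is a mutation (write) tool.
+*/
+declare function isMutationTool(toolName: string): boolean;
+/**
+* Record a write operation for the current session.
+*/
+declare function recordWrite(toolName: string, topicId?: string, sessionId?: string): void;
+type PolicyCheckResult = {
+allowed: boolean;
+permission: string;
+rationale?: string;
+maxWritesPerSession?: number;
+toolCategory?: string | null;
+policy?: Record<string, unknown> | null;
+explanation?: {
+summary?: string;
+matchedReasonCode?: string;
+steps?: Array<{
+stage?: string;
+outcome?: string;
+reasonCode?: string;
+detail?: string;
+}>;
+[key: string]: unknown;
+};
+reason: string;
+};
+/**
+* Check if a mutation tool call is allowed by write policy.
+*
+* Resolution order:
+* 1. Topic-specific + role match
+* 2. Global (no topic) + role match
+* 3. No matching policy → allow (open by default)
+*
+* Also checks per-session write limits if policy specifies maxWritesPerSession.
+*/
+declare function checkWritePolicy(toolName: string, topicId: string | undefined, authCtx: AuthContext): Promise<PolicyCheckResult>;
+
+/**
+* Convex Clients — Lazy-initialized admin-authed ConvexHttpClients for MCP server.
+*
+* LAZY INITIALIZATION: Clients are created on first use, not at import time.
+* This allows index.ts loadLucernEnv() to decode LUCERN_API_KEY and
+* STACK_API_KEY into their respective URL and deploy key env vars before
+* any Convex calls are made.
+*
+* Three clients:
+* - Lucern client → reasoning graph (good-blackbird / precious-dog) [required]
+* - Stack client → StackOS platform (sincere-shepherd / sleek-mink) [optional]
+* - Master Control client → control plane (utmost-ox / successful-clam) [optional]
+*
+* Lucern + Stack are decoded from API keys by index.ts resolveCredentials() at startup.
+* Master Control is resolved from MC_CONVEX_URL + MC_DEPLOY_KEY (set in ~/.lucern/credentials).
+* Uses deploy key auth to call internal mutations/queries directly,
+* bypassing Clerk (standard Convex server-to-server pattern).
+*/
+
+/**
+* Run a function with a request-scoped Convex client.
+* All `adminQuery`/`adminMutation`/`adminAction` calls within `fn` will
+* use the provided client instead of the process-level singleton.
+*/
+declare function runWithScopedClient<T>(client: ConvexHttpClient, fn: () => T | Promise<T>): T | Promise<T>;
+/**
+* Create an admin-authed ConvexHttpClient for a specific deployment.
+* Used by the hosted route to create per-instance clients.
+*/
+declare function createAdminClient(url: string, deployKey: string): ConvexHttpClient;
+
+export { type AuthenticatedHandler, buildHandlerMap, checkWritePolicy, createAdminClient, isMutationTool, recordWrite, runWithScopedClient };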
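Review bot: The resolution order documented on `checkWritePolicy` ends with "No matching policy → allow (open by default)", so the gate on mutation tools fails open whenever no topic-specific or global policy matches the caller's role. Because the header comment further down says the Convex clients authenticate with a deploy key and bypass Clerk, this check appears to be the main authorization step in front of admin-level writes, and a missing or mistyped policy would go unnoticed. The doc comment should say so explicitly and also state which `PolicyCheckResult` is returned when the policy query itself fails, which this declaration does not show, e.g. `* SECURITY: fail-open — with no matching policy the call is allowed; a policy lookup error must return allowed: false.` Only declarations are visible here, so the actual behaviour has to be confirmed in `package/dist/runtime.js`.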