@lucern/mcp 0.3.0-alpha.10 → 0.3.0-alpha.11
- package/README.md +4 -0
- package/dist/cli.js +5907 -962
- package/dist/cli.js.map +1 -1
- package/dist/gateway.js +2687 -583
- package/dist/gateway.js.map +1 -1
- package/dist/hosted-route.js +5906 -961
- package/dist/hosted-route.js.map +1 -1
- package/dist/index.js +6636 -1691
- package/dist/index.js.map +1 -1
- package/dist/runtime.js +2304 -253
- package/dist/runtime.js.map +1 -1
- package/package.json +8 -9
package/dist/runtime.js
CHANGED
|
@@ -232,6 +232,20 @@ var autoBranchingHandlers = {
|
|
|
232
232
|
}
|
|
233
233
|
};
|
|
234
234
|
|
|
235
|
+
// ../contracts/src/types/reasoning-method.ts
|
|
236
|
+
var REASONING_METHODS = [
|
|
237
|
+
"deductive",
|
|
238
|
+
"inductive",
|
|
239
|
+
"abductive",
|
|
240
|
+
"analogical",
|
|
241
|
+
"causal",
|
|
242
|
+
"correlational",
|
|
243
|
+
"testimonial",
|
|
244
|
+
"statistical",
|
|
245
|
+
"implicit",
|
|
246
|
+
"pattern_match"
|
|
247
|
+
];
|
|
248
|
+
|
|
235
249
|
// ../contracts/src/graph-intelligence.contract.ts
|
|
236
250
|
var GRAPH_INTELLIGENCE_MODE_TOOL_NAMES = {
|
|
237
251
|
core: [
|
|
@@ -941,7 +955,7 @@ defineTable({
|
|
|
941
955
|
});
|
|
942
956
|
defineTable({
|
|
943
957
|
name: "agents",
|
|
944
|
-
component: "
|
|
958
|
+
component: "control-plane",
|
|
945
959
|
category: "agent",
|
|
946
960
|
shape: z.object({
|
|
947
961
|
"slug": z.string(),
|
|
@@ -972,6 +986,7 @@ defineTable({
|
|
|
972
986
|
category: "tenant",
|
|
973
987
|
shape: z.object({
|
|
974
988
|
"tenantId": idOf("tenants"),
|
|
989
|
+
"workspaceId": idOf("workspaces").optional(),
|
|
975
990
|
"keyPrefix": z.enum(["luc", "stk"]),
|
|
976
991
|
"keyHash": z.string(),
|
|
977
992
|
"keyHint": z.string(),
|
|
@@ -999,7 +1014,7 @@ defineTable({
|
|
|
999
1014
|
shape: z.object({
|
|
1000
1015
|
"tenantId": idOf("tenants").optional(),
|
|
1001
1016
|
"apiKeyId": idOf("apiKeys").optional(),
|
|
1002
|
-
"action": z.enum(["key_created", "key_revoked", "key_expired", "key_used", "tenant_secret_created", "tenant_secret_rotated", "tenant_secret_revoked", "tenant_slot_binding_upserted", "tenant_slot_binding_revoked", "proxy_token_minted", "proxy_request_recorded", "tenant_created", "tenant_updated", "tenant_suspended", "tenant_archived", "tenant_reactivated", "principal_created", "principal_updated", "principal_suspended", "membership_created", "membership_updated", "membership_revoked", "group_created", "group_updated", "group_deleted", "group_member_added", "group_member_removed", "workspace_created", "workspace_updated", "workspace_archived", "workspace_deployment_set", "workspace_deployment_removed", "service_key_created", "service_key_rotated", "service_key_revoked", "service_key_used", "service_key_auth_failed", "session_created", "session_validated", "session_revoked", "session_cascade_revoked", "session_expired", "sandbox_created", "sandbox_secret_injected", "sandbox_execution_started", "sandbox_execution_completed", "sandbox_limit_violated", "policy_created", "policy_updated", "policy_enforced", "policy_archived", "agent_registered", "agent_updated", "tool_registered", "tool_updated", "pack_entitled", "pack_installed", "pack_enabled", "pack_disabled", "pack_entitlement_revoked", "pack_upgraded", "pack_upgrade_committed", "pack_upgrade_rolled_back", "pack_group_assigned", "pack_group_unassigned", "methodology_pack_created", "methodology_pack_updated", "methodology_pack_assigned", "methodology_pack_removed", "pack_assigned_to_group", "pack_revoked_from_group", "pack_ontology_materialized", "pack_ontology_topic_bound", "cutover_flag_set", "cutover_flag_cleared"]),
|
|
1017
|
+
"action": z.enum(["key_created", "key_revoked", "key_expired", "key_used", "tenant_secret_created", "tenant_secret_rotated", "tenant_secret_revoked", "tenant_slot_binding_upserted", "tenant_slot_binding_revoked", "proxy_token_minted", "proxy_token_lease_issued", "proxy_token_lease_renewed", "proxy_token_lease_revoked", "proxy_request_recorded", "tenant_created", "tenant_updated", "tenant_suspended", "tenant_archived", "tenant_reactivated", "principal_created", "principal_updated", "principal_suspended", "principal_identity_alias_upserted", "principal_identity_alias_revoked", "membership_created", "membership_updated", "membership_revoked", "group_created", "group_updated", "group_deleted", "group_member_added", "group_member_removed", "workspace_created", "workspace_updated", "workspace_archived", "workspace_deployment_set", "workspace_deployment_removed", "deployment_host_registered", "deployment_host_revoked", "service_key_created", "service_key_rotated", "service_key_revoked", "service_key_used", "service_key_auth_failed", "session_created", "session_validated", "session_revoked", "session_cascade_revoked", "session_expired", "sandbox_created", "sandbox_secret_injected", "sandbox_execution_started", "sandbox_execution_completed", "sandbox_limit_violated", "policy_created", "policy_updated", "policy_enforced", "policy_archived", "permit_sync_enqueued", "permit_sync_succeeded", "permit_sync_failed", "permit_sync_skipped", "agent_registered", "agent_updated", "tool_registered", "tool_updated", "pack_entitled", "pack_installed", "pack_enabled", "pack_disabled", "pack_entitlement_revoked", "pack_upgraded", "pack_upgrade_committed", "pack_upgrade_rolled_back", "pack_group_assigned", "pack_group_unassigned", "methodology_pack_created", "methodology_pack_updated", "methodology_pack_assigned", "methodology_pack_removed", "pack_assigned_to_group", "pack_revoked_from_group", "pack_ontology_materialized", "pack_ontology_topic_bound", "cutover_flag_set", 
"cutover_flag_cleared"]),
|
|
1003
1018
|
"actorClerkId": z.string(),
|
|
1004
1019
|
"details": z.any().optional(),
|
|
1005
1020
|
"createdAt": z.number()
|
|
@@ -1878,29 +1893,37 @@ defineTable({
|
|
|
1878
1893
|
component: "mc",
|
|
1879
1894
|
category: "runtime",
|
|
1880
1895
|
shape: z.object({
|
|
1881
|
-
|
|
1882
|
-
|
|
1883
|
-
|
|
1884
|
-
|
|
1885
|
-
|
|
1886
|
-
|
|
1887
|
-
|
|
1888
|
-
|
|
1889
|
-
|
|
1890
|
-
|
|
1891
|
-
|
|
1892
|
-
|
|
1893
|
-
|
|
1896
|
+
shimId: z.string(),
|
|
1897
|
+
gateId: z.string(),
|
|
1898
|
+
removalDate: z.string(),
|
|
1899
|
+
removalPriority: z.enum(["P1", "P2", "P3"]),
|
|
1900
|
+
description: z.string(),
|
|
1901
|
+
owner: z.string(),
|
|
1902
|
+
createdAt: z.string(),
|
|
1903
|
+
status: z.enum(["active", "overdue", "removed"]),
|
|
1904
|
+
bridgeType: z.enum(["tool", "agent"]),
|
|
1905
|
+
bridgeTarget: z.object({
|
|
1906
|
+
type: z.enum(["tool", "agent"]),
|
|
1907
|
+
legacyPath: z.string(),
|
|
1908
|
+
harnessPath: z.string()
|
|
1894
1909
|
}),
|
|
1895
|
-
|
|
1896
|
-
|
|
1897
|
-
|
|
1898
|
-
|
|
1910
|
+
shimBehavior: z.enum([
|
|
1911
|
+
"passthrough_with_logging",
|
|
1912
|
+
"adapter",
|
|
1913
|
+
"feature_flag_gate"
|
|
1914
|
+
]),
|
|
1915
|
+
producesLedgerEntries: z.boolean(),
|
|
1916
|
+
lastAuditedAt: z.number(),
|
|
1917
|
+
metadata: z.record(z.any()).optional()
|
|
1899
1918
|
}),
|
|
1900
1919
|
indices: [
|
|
1901
1920
|
{ kind: "index", name: "by_shimId", columns: ["shimId"] },
|
|
1902
1921
|
{ kind: "index", name: "by_status", columns: ["status"] },
|
|
1903
|
-
{
|
|
1922
|
+
{
|
|
1923
|
+
kind: "index",
|
|
1924
|
+
name: "by_bridgeType_status",
|
|
1925
|
+
columns: ["bridgeType", "status"]
|
|
1926
|
+
}
|
|
1904
1927
|
]
|
|
1905
1928
|
});
|
|
1906
1929
|
defineTable({
|
|
@@ -1908,12 +1931,23 @@ defineTable({
|
|
|
1908
1931
|
component: "mc",
|
|
1909
1932
|
category: "runtime",
|
|
1910
1933
|
shape: z.object({
|
|
1911
|
-
|
|
1912
|
-
|
|
1913
|
-
|
|
1914
|
-
|
|
1915
|
-
|
|
1916
|
-
|
|
1934
|
+
domain: z.enum([
|
|
1935
|
+
"graph",
|
|
1936
|
+
"schema",
|
|
1937
|
+
"identity",
|
|
1938
|
+
"policy",
|
|
1939
|
+
"audit",
|
|
1940
|
+
"admin",
|
|
1941
|
+
"agent",
|
|
1942
|
+
"tool",
|
|
1943
|
+
"prompt",
|
|
1944
|
+
"intelligence"
|
|
1945
|
+
]),
|
|
1946
|
+
state: z.enum(["legacy", "cutover", "disabled"]),
|
|
1947
|
+
metadata: z.record(z.any()).optional(),
|
|
1948
|
+
updatedBy: z.string(),
|
|
1949
|
+
createdAt: z.number(),
|
|
1950
|
+
updatedAt: z.number()
|
|
1917
1951
|
}),
|
|
1918
1952
|
indices: [
|
|
1919
1953
|
{ kind: "index", name: "by_domain", columns: ["domain"] },
|
|
@@ -1925,57 +1959,193 @@ defineTable({
|
|
|
1925
1959
|
component: "mc",
|
|
1926
1960
|
category: "runtime",
|
|
1927
1961
|
shape: z.object({
|
|
1928
|
-
|
|
1929
|
-
|
|
1930
|
-
|
|
1931
|
-
|
|
1932
|
-
|
|
1933
|
-
|
|
1934
|
-
|
|
1935
|
-
|
|
1936
|
-
|
|
1937
|
-
|
|
1938
|
-
|
|
1939
|
-
|
|
1940
|
-
|
|
1941
|
-
|
|
1942
|
-
|
|
1943
|
-
|
|
1944
|
-
|
|
1962
|
+
credentialRef: z.string(),
|
|
1963
|
+
tenantId: idOf("tenants"),
|
|
1964
|
+
workspaceId: idOf("workspaces").optional(),
|
|
1965
|
+
target: z.enum(["kernelDeployment", "appDeployment"]),
|
|
1966
|
+
environment: z.enum(["dev", "staging", "prod"]),
|
|
1967
|
+
encryptedDeployKey: z.string(),
|
|
1968
|
+
encryptionVersion: z.string(),
|
|
1969
|
+
keyFingerprint: z.string(),
|
|
1970
|
+
keyHint: z.string(),
|
|
1971
|
+
status: z.enum(["active", "revoked"]),
|
|
1972
|
+
rotatedFromCredentialRef: z.string().optional(),
|
|
1973
|
+
revokedAt: z.number().optional(),
|
|
1974
|
+
revokedBy: z.string().optional(),
|
|
1975
|
+
lastUsedAt: z.number().optional(),
|
|
1976
|
+
metadata: z.record(z.any()).optional(),
|
|
1977
|
+
createdBy: z.string(),
|
|
1978
|
+
createdAt: z.number(),
|
|
1979
|
+
updatedAt: z.number()
|
|
1945
1980
|
}),
|
|
1946
1981
|
indices: [
|
|
1947
1982
|
{ kind: "index", name: "by_credentialRef", columns: ["credentialRef"] },
|
|
1948
1983
|
{ kind: "index", name: "by_tenantId", columns: ["tenantId"] },
|
|
1949
|
-
{ kind: "index", name: "
|
|
1950
|
-
{
|
|
1951
|
-
|
|
1984
|
+
{ kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
|
|
1985
|
+
{
|
|
1986
|
+
kind: "index",
|
|
1987
|
+
name: "by_tenant_target",
|
|
1988
|
+
columns: ["tenantId", "target"]
|
|
1989
|
+
},
|
|
1990
|
+
{
|
|
1991
|
+
kind: "index",
|
|
1992
|
+
name: "by_tenant_target_environment",
|
|
1993
|
+
columns: ["tenantId", "target", "environment"]
|
|
1994
|
+
},
|
|
1995
|
+
{
|
|
1996
|
+
kind: "index",
|
|
1997
|
+
name: "by_tenant_target_environment_status",
|
|
1998
|
+
columns: ["tenantId", "target", "environment", "status"]
|
|
1999
|
+
},
|
|
2000
|
+
{
|
|
2001
|
+
kind: "index",
|
|
2002
|
+
name: "by_tenant_workspace_target_environment_status",
|
|
2003
|
+
columns: ["tenantId", "workspaceId", "target", "environment", "status"]
|
|
2004
|
+
},
|
|
1952
2005
|
{ kind: "index", name: "by_status", columns: ["status"] }
|
|
1953
2006
|
]
|
|
1954
2007
|
});
|
|
2008
|
+
defineTable({
|
|
2009
|
+
name: "permitSyncStates",
|
|
2010
|
+
component: "mc",
|
|
2011
|
+
category: "runtime",
|
|
2012
|
+
shape: z.object({
|
|
2013
|
+
syncKey: z.string(),
|
|
2014
|
+
objectType: z.enum([
|
|
2015
|
+
"resource",
|
|
2016
|
+
"role",
|
|
2017
|
+
"resource_role",
|
|
2018
|
+
"resource_relation",
|
|
2019
|
+
"tenant",
|
|
2020
|
+
"workspace",
|
|
2021
|
+
"principal",
|
|
2022
|
+
"membership",
|
|
2023
|
+
"group",
|
|
2024
|
+
"resource_instance",
|
|
2025
|
+
"relationship_tuple",
|
|
2026
|
+
"role_assignment"
|
|
2027
|
+
]),
|
|
2028
|
+
objectId: z.string(),
|
|
2029
|
+
tenantId: idOf("tenants").optional(),
|
|
2030
|
+
workspaceId: idOf("workspaces").optional(),
|
|
2031
|
+
principalId: z.string().optional(),
|
|
2032
|
+
permitTenantKey: z.string().optional(),
|
|
2033
|
+
permitResourceType: z.string().optional(),
|
|
2034
|
+
permitResourceKey: z.string().optional(),
|
|
2035
|
+
desiredPayload: z.record(z.any()),
|
|
2036
|
+
lastAppliedPayloadHash: z.string().optional(),
|
|
2037
|
+
status: z.enum(["pending", "synced", "error", "skipped"]),
|
|
2038
|
+
attemptCount: z.number(),
|
|
2039
|
+
lastError: z.string().optional(),
|
|
2040
|
+
nextAttemptAt: z.number().optional(),
|
|
2041
|
+
lastSyncedAt: z.number().optional(),
|
|
2042
|
+
createdBy: z.string(),
|
|
2043
|
+
updatedBy: z.string().optional(),
|
|
2044
|
+
createdAt: z.number(),
|
|
2045
|
+
updatedAt: z.number()
|
|
2046
|
+
}),
|
|
2047
|
+
indices: [
|
|
2048
|
+
{ kind: "index", name: "by_syncKey", columns: ["syncKey"] },
|
|
2049
|
+
{ kind: "index", name: "by_status", columns: ["status"] },
|
|
2050
|
+
{
|
|
2051
|
+
kind: "index",
|
|
2052
|
+
name: "by_tenant_status",
|
|
2053
|
+
columns: ["tenantId", "status"]
|
|
2054
|
+
},
|
|
2055
|
+
{
|
|
2056
|
+
kind: "index",
|
|
2057
|
+
name: "by_workspace_status",
|
|
2058
|
+
columns: ["workspaceId", "status"]
|
|
2059
|
+
},
|
|
2060
|
+
{
|
|
2061
|
+
kind: "index",
|
|
2062
|
+
name: "by_principal_status",
|
|
2063
|
+
columns: ["principalId", "status"]
|
|
2064
|
+
}
|
|
2065
|
+
]
|
|
2066
|
+
});
|
|
2067
|
+
defineTable({
|
|
2068
|
+
name: "secretSyncDriftReports",
|
|
2069
|
+
component: "mc",
|
|
2070
|
+
category: "runtime",
|
|
2071
|
+
shape: z.object({
|
|
2072
|
+
reportId: z.string(),
|
|
2073
|
+
source: z.enum(["infisical_manifest", "manual", "ci"]),
|
|
2074
|
+
generatedAt: z.number(),
|
|
2075
|
+
recordedAt: z.number(),
|
|
2076
|
+
recordedBy: z.string(),
|
|
2077
|
+
status: z.enum([
|
|
2078
|
+
"in_sync",
|
|
2079
|
+
"drift",
|
|
2080
|
+
"exception",
|
|
2081
|
+
"blocked",
|
|
2082
|
+
"not_observed"
|
|
2083
|
+
]),
|
|
2084
|
+
reportHash: z.string(),
|
|
2085
|
+
manifestHash: z.string().optional(),
|
|
2086
|
+
dryRunReceiptId: z.string().optional(),
|
|
2087
|
+
appliedReceiptId: z.string().optional(),
|
|
2088
|
+
summary: z.object({
|
|
2089
|
+
totalPipelines: z.number(),
|
|
2090
|
+
inSync: z.number(),
|
|
2091
|
+
drift: z.number(),
|
|
2092
|
+
exception: z.number(),
|
|
2093
|
+
blocked: z.number(),
|
|
2094
|
+
notObserved: z.number(),
|
|
2095
|
+
missingKeys: z.number(),
|
|
2096
|
+
valueDriftKeys: z.number(),
|
|
2097
|
+
extraKeys: z.number(),
|
|
2098
|
+
deniedConvexLeakage: z.number(),
|
|
2099
|
+
approvedExceptions: z.number()
|
|
2100
|
+
}),
|
|
2101
|
+
redactedReport: z.record(z.any()),
|
|
2102
|
+
metadata: z.record(z.any()).optional()
|
|
2103
|
+
}),
|
|
2104
|
+
indices: [
|
|
2105
|
+
{ kind: "index", name: "by_reportId", columns: ["reportId"] },
|
|
2106
|
+
{ kind: "index", name: "by_reportHash", columns: ["reportHash"] },
|
|
2107
|
+
{ kind: "index", name: "by_generatedAt", columns: ["generatedAt"] },
|
|
2108
|
+
{
|
|
2109
|
+
kind: "index",
|
|
2110
|
+
name: "by_status_generatedAt",
|
|
2111
|
+
columns: ["status", "generatedAt"]
|
|
2112
|
+
}
|
|
2113
|
+
]
|
|
2114
|
+
});
|
|
1955
2115
|
defineTable({
|
|
1956
2116
|
name: "controlPlaneTenantModelSlotBindings",
|
|
1957
2117
|
component: "mc",
|
|
1958
2118
|
category: "runtime",
|
|
1959
2119
|
shape: z.object({
|
|
1960
|
-
|
|
1961
|
-
|
|
1962
|
-
"
|
|
1963
|
-
|
|
1964
|
-
|
|
1965
|
-
|
|
1966
|
-
|
|
1967
|
-
|
|
1968
|
-
|
|
1969
|
-
|
|
1970
|
-
|
|
1971
|
-
|
|
1972
|
-
|
|
2120
|
+
bindingId: z.string(),
|
|
2121
|
+
tenantId: idOf("tenants"),
|
|
2122
|
+
workspaceId: idOf("workspaces").optional(),
|
|
2123
|
+
environment: z.enum(["dev", "staging", "prod"]).optional(),
|
|
2124
|
+
providerId: z.string(),
|
|
2125
|
+
modelSlotId: z.string(),
|
|
2126
|
+
secretRef: z.string(),
|
|
2127
|
+
status: z.enum(["active", "revoked"]),
|
|
2128
|
+
passThroughOnly: z.boolean(),
|
|
2129
|
+
revokedAt: z.number().optional(),
|
|
2130
|
+
revokedBy: z.string().optional(),
|
|
2131
|
+
metadata: z.record(z.any()).optional(),
|
|
2132
|
+
createdBy: z.string(),
|
|
2133
|
+
createdAt: z.number(),
|
|
2134
|
+
updatedAt: z.number()
|
|
1973
2135
|
}),
|
|
1974
2136
|
indices: [
|
|
1975
2137
|
{ kind: "index", name: "by_bindingId", columns: ["bindingId"] },
|
|
1976
2138
|
{ kind: "index", name: "by_tenantId", columns: ["tenantId"] },
|
|
1977
|
-
{
|
|
1978
|
-
|
|
2139
|
+
{
|
|
2140
|
+
kind: "index",
|
|
2141
|
+
name: "by_tenant_slot",
|
|
2142
|
+
columns: ["tenantId", "modelSlotId"]
|
|
2143
|
+
},
|
|
2144
|
+
{
|
|
2145
|
+
kind: "index",
|
|
2146
|
+
name: "by_tenant_provider_slot",
|
|
2147
|
+
columns: ["tenantId", "providerId", "modelSlotId"]
|
|
2148
|
+
},
|
|
1979
2149
|
{ kind: "index", name: "by_secretRef", columns: ["secretRef"] },
|
|
1980
2150
|
{ kind: "index", name: "by_status", columns: ["status"] }
|
|
1981
2151
|
]
|
|
@@ -1985,29 +2155,42 @@ defineTable({
|
|
|
1985
2155
|
component: "mc",
|
|
1986
2156
|
category: "runtime",
|
|
1987
2157
|
shape: z.object({
|
|
1988
|
-
|
|
1989
|
-
|
|
1990
|
-
"
|
|
1991
|
-
|
|
1992
|
-
|
|
1993
|
-
|
|
1994
|
-
|
|
1995
|
-
|
|
1996
|
-
|
|
1997
|
-
|
|
1998
|
-
|
|
1999
|
-
|
|
2000
|
-
|
|
2001
|
-
|
|
2002
|
-
|
|
2003
|
-
|
|
2004
|
-
|
|
2158
|
+
secretRef: z.string(),
|
|
2159
|
+
tenantId: idOf("tenants"),
|
|
2160
|
+
workspaceId: idOf("workspaces").optional(),
|
|
2161
|
+
environment: z.enum(["dev", "staging", "prod"]).optional(),
|
|
2162
|
+
providerId: z.string(),
|
|
2163
|
+
label: z.string().optional(),
|
|
2164
|
+
encryptedSecret: z.string().optional(),
|
|
2165
|
+
infisicalPath: z.string().optional(),
|
|
2166
|
+
infisicalSecretKey: z.string().optional(),
|
|
2167
|
+
infisicalProjectId: z.string().optional(),
|
|
2168
|
+
encryptionVersion: z.string(),
|
|
2169
|
+
secretFingerprint: z.string(),
|
|
2170
|
+
keyHint: z.string(),
|
|
2171
|
+
status: z.enum(["active", "revoked"]),
|
|
2172
|
+
rotatedFromSecretRef: z.string().optional(),
|
|
2173
|
+
revokedAt: z.number().optional(),
|
|
2174
|
+
revokedBy: z.string().optional(),
|
|
2175
|
+
lastUsedAt: z.number().optional(),
|
|
2176
|
+
metadata: z.record(z.any()).optional(),
|
|
2177
|
+
createdBy: z.string(),
|
|
2178
|
+
createdAt: z.number(),
|
|
2179
|
+
updatedAt: z.number()
|
|
2005
2180
|
}),
|
|
2006
2181
|
indices: [
|
|
2007
2182
|
{ kind: "index", name: "by_secretRef", columns: ["secretRef"] },
|
|
2008
2183
|
{ kind: "index", name: "by_tenantId", columns: ["tenantId"] },
|
|
2009
|
-
{
|
|
2010
|
-
|
|
2184
|
+
{
|
|
2185
|
+
kind: "index",
|
|
2186
|
+
name: "by_tenant_provider",
|
|
2187
|
+
columns: ["tenantId", "providerId"]
|
|
2188
|
+
},
|
|
2189
|
+
{
|
|
2190
|
+
kind: "index",
|
|
2191
|
+
name: "by_tenant_provider_status",
|
|
2192
|
+
columns: ["tenantId", "providerId", "status"]
|
|
2193
|
+
},
|
|
2011
2194
|
{ kind: "index", name: "by_status", columns: ["status"] }
|
|
2012
2195
|
]
|
|
2013
2196
|
});
|
|
@@ -2016,35 +2199,93 @@ defineTable({
|
|
|
2016
2199
|
component: "mc",
|
|
2017
2200
|
category: "runtime",
|
|
2018
2201
|
shape: z.object({
|
|
2019
|
-
|
|
2020
|
-
|
|
2021
|
-
|
|
2022
|
-
|
|
2023
|
-
|
|
2024
|
-
|
|
2025
|
-
|
|
2026
|
-
|
|
2027
|
-
|
|
2028
|
-
|
|
2029
|
-
|
|
2030
|
-
|
|
2031
|
-
|
|
2032
|
-
|
|
2033
|
-
|
|
2034
|
-
|
|
2035
|
-
|
|
2036
|
-
|
|
2037
|
-
|
|
2038
|
-
|
|
2039
|
-
|
|
2040
|
-
|
|
2202
|
+
usageId: z.string(),
|
|
2203
|
+
tenantId: idOf("tenants"),
|
|
2204
|
+
providerId: z.string(),
|
|
2205
|
+
modelSlotId: z.string(),
|
|
2206
|
+
secretRef: z.string(),
|
|
2207
|
+
proxyTokenId: z.string(),
|
|
2208
|
+
sessionId: z.string(),
|
|
2209
|
+
principalId: z.string(),
|
|
2210
|
+
workspaceId: z.string().optional(),
|
|
2211
|
+
modelId: z.string().optional(),
|
|
2212
|
+
requestPath: z.string(),
|
|
2213
|
+
status: z.enum(["success", "error"]),
|
|
2214
|
+
responseStatus: z.number().optional(),
|
|
2215
|
+
inputTokens: z.number().optional(),
|
|
2216
|
+
outputTokens: z.number().optional(),
|
|
2217
|
+
tokenCount: z.number().optional(),
|
|
2218
|
+
latencyMs: z.number(),
|
|
2219
|
+
estimatedCostUsd: z.number().optional(),
|
|
2220
|
+
failureCode: z.string().optional(),
|
|
2221
|
+
metadata: z.record(z.any()).optional(),
|
|
2222
|
+
createdAt: z.number(),
|
|
2223
|
+
updatedAt: z.number()
|
|
2041
2224
|
}),
|
|
2042
2225
|
indices: [
|
|
2043
2226
|
{ kind: "index", name: "by_usageId", columns: ["usageId"] },
|
|
2044
2227
|
{ kind: "index", name: "by_tenantId", columns: ["tenantId", "createdAt"] },
|
|
2045
|
-
{
|
|
2046
|
-
|
|
2047
|
-
|
|
2228
|
+
{
|
|
2229
|
+
kind: "index",
|
|
2230
|
+
name: "by_tenant_provider",
|
|
2231
|
+
columns: ["tenantId", "providerId", "createdAt"]
|
|
2232
|
+
},
|
|
2233
|
+
{
|
|
2234
|
+
kind: "index",
|
|
2235
|
+
name: "by_proxyTokenId",
|
|
2236
|
+
columns: ["proxyTokenId", "createdAt"]
|
|
2237
|
+
},
|
|
2238
|
+
{
|
|
2239
|
+
kind: "index",
|
|
2240
|
+
name: "by_sessionId",
|
|
2241
|
+
columns: ["sessionId", "createdAt"]
|
|
2242
|
+
}
|
|
2243
|
+
]
|
|
2244
|
+
});
|
|
2245
|
+
defineTable({
|
|
2246
|
+
name: "controlPlaneTenantProxyTokenLeases",
|
|
2247
|
+
component: "mc",
|
|
2248
|
+
category: "runtime",
|
|
2249
|
+
shape: z.object({
|
|
2250
|
+
leaseId: z.string(),
|
|
2251
|
+
proxyTokenId: z.string(),
|
|
2252
|
+
tenantId: idOf("tenants"),
|
|
2253
|
+
workspaceId: idOf("workspaces").optional(),
|
|
2254
|
+
environment: z.enum(["dev", "staging", "prod"]),
|
|
2255
|
+
providerId: z.string(),
|
|
2256
|
+
modelSlotId: z.string(),
|
|
2257
|
+
bindingId: z.string(),
|
|
2258
|
+
secretRef: z.string(),
|
|
2259
|
+
sessionId: z.string(),
|
|
2260
|
+
principalId: z.string(),
|
|
2261
|
+
agentSessionId: z.string().optional(),
|
|
2262
|
+
status: z.enum(["active", "revoked"]),
|
|
2263
|
+
expiresAt: z.number(),
|
|
2264
|
+
renewedAt: z.number().optional(),
|
|
2265
|
+
revokedAt: z.number().optional(),
|
|
2266
|
+
revokedBy: z.string().optional(),
|
|
2267
|
+
revokeReason: z.string().optional(),
|
|
2268
|
+
permitDecisionLogId: idOf("policyDecisionLogs").optional(),
|
|
2269
|
+
permitTraceId: z.string().optional(),
|
|
2270
|
+
metadata: z.record(z.any()).optional(),
|
|
2271
|
+
createdAt: z.number(),
|
|
2272
|
+
updatedAt: z.number()
|
|
2273
|
+
}),
|
|
2274
|
+
indices: [
|
|
2275
|
+
{ kind: "index", name: "by_leaseId", columns: ["leaseId"] },
|
|
2276
|
+
{ kind: "index", name: "by_proxyTokenId", columns: ["proxyTokenId"] },
|
|
2277
|
+
{ kind: "index", name: "by_tenantId", columns: ["tenantId", "createdAt"] },
|
|
2278
|
+
{ kind: "index", name: "by_sessionId", columns: ["sessionId", "createdAt"] },
|
|
2279
|
+
{
|
|
2280
|
+
kind: "index",
|
|
2281
|
+
name: "by_principalId",
|
|
2282
|
+
columns: ["principalId", "createdAt"]
|
|
2283
|
+
},
|
|
2284
|
+
{
|
|
2285
|
+
kind: "index",
|
|
2286
|
+
name: "by_status_expiresAt",
|
|
2287
|
+
columns: ["status", "expiresAt"]
|
|
2288
|
+
}
|
|
2048
2289
|
]
|
|
2049
2290
|
});
|
|
2050
2291
|
defineTable({
|
|
@@ -2377,6 +2618,7 @@ defineTable({
|
|
|
2377
2618
|
"questionType": z.enum(["validation", "falsification", "assumption_probe", "prediction_test", "counterfactual", "discovery", "clarification", "comparison", "causal", "mechanism", "general"]).optional(),
|
|
2378
2619
|
"questionPriority": z.enum(["critical", "high", "medium", "low"]).optional(),
|
|
2379
2620
|
"answerQuality": z.enum(["definitive", "strong", "moderate", "weak", "speculative", "unanswered"]).optional(),
|
|
2621
|
+
"themeStatus": z.enum(["emerging", "active", "mature", "declining", "archived"]).optional(),
|
|
2380
2622
|
"themeConviction": z.enum(["high", "medium", "low", "negative"]).optional(),
|
|
2381
2623
|
"decisionType": z.enum(["invest", "pass", "follow_on", "exit", "deep_dive", "monitor", "deprioritize", "thesis_adopt", "thesis_revise", "thesis_abandon"]).optional(),
|
|
2382
2624
|
"decisionOutcome": z.enum(["pending", "successful", "unsuccessful", "mixed", "unknown"]).optional(),
|
|
@@ -2527,6 +2769,7 @@ defineTable({
|
|
|
2527
2769
|
indices: [
|
|
2528
2770
|
{ kind: "index", name: "by_principalId", columns: ["principalId"] },
|
|
2529
2771
|
{ kind: "index", name: "by_principal_tenant", columns: ["principalId", "tenantId"] },
|
|
2772
|
+
{ kind: "index", name: "by_principal_tenant_workspace", columns: ["principalId", "tenantId", "workspaceId"] },
|
|
2530
2773
|
{ kind: "index", name: "by_workspace_principal", columns: ["workspaceId", "principalId"] },
|
|
2531
2774
|
{ kind: "index", name: "by_tenant_role", columns: ["tenantId", "role"] },
|
|
2532
2775
|
{ kind: "index", name: "by_status", columns: ["status"] }
|
|
@@ -2558,6 +2801,36 @@ defineTable({
|
|
|
2558
2801
|
{ kind: "index", name: "by_status", columns: ["status"] }
|
|
2559
2802
|
]
|
|
2560
2803
|
});
|
|
2804
|
+
defineTable({
|
|
2805
|
+
name: "principalIdentityAliases",
|
|
2806
|
+
component: "mc",
|
|
2807
|
+
category: "identity",
|
|
2808
|
+
shape: z.object({
|
|
2809
|
+
"principalId": z.string(),
|
|
2810
|
+
"principalRefId": idOf("principals").optional(),
|
|
2811
|
+
"provider": z.string(),
|
|
2812
|
+
"providerProjectId": z.string().optional(),
|
|
2813
|
+
"externalSubjectId": z.string(),
|
|
2814
|
+
"tenantId": idOf("tenants").optional(),
|
|
2815
|
+
"workspaceId": idOf("workspaces").optional(),
|
|
2816
|
+
"email": z.string().optional(),
|
|
2817
|
+
"status": z.enum(["active", "revoked"]),
|
|
2818
|
+
"metadata": z.record(z.any()).optional(),
|
|
2819
|
+
"createdBy": z.string(),
|
|
2820
|
+
"revokedAt": z.number().optional(),
|
|
2821
|
+
"revokedBy": z.string().optional(),
|
|
2822
|
+
"createdAt": z.number(),
|
|
2823
|
+
"updatedAt": z.number()
|
|
2824
|
+
}),
|
|
2825
|
+
indices: [
|
|
2826
|
+
{ kind: "index", name: "by_provider_subject", columns: ["provider", "externalSubjectId"] },
|
|
2827
|
+
{ kind: "index", name: "by_provider_project_subject", columns: ["provider", "providerProjectId", "externalSubjectId"] },
|
|
2828
|
+
{ kind: "index", name: "by_principalId", columns: ["principalId"] },
|
|
2829
|
+
{ kind: "index", name: "by_principal_status", columns: ["principalId", "status"] },
|
|
2830
|
+
{ kind: "index", name: "by_tenant_provider_subject", columns: ["tenantId", "provider", "externalSubjectId"] },
|
|
2831
|
+
{ kind: "index", name: "by_workspace_provider_subject", columns: ["workspaceId", "provider", "externalSubjectId"] }
|
|
2832
|
+
]
|
|
2833
|
+
});
|
|
2561
2834
|
defineTable({
|
|
2562
2835
|
name: "rateLimitWindows",
|
|
2563
2836
|
component: "mc",
|
|
@@ -3147,7 +3420,7 @@ defineTable({
|
|
|
3147
3420
|
});
|
|
3148
3421
|
defineTable({
|
|
3149
3422
|
name: "mcpWritePolicy",
|
|
3150
|
-
component: "
|
|
3423
|
+
component: "control-plane",
|
|
3151
3424
|
category: "platform",
|
|
3152
3425
|
shape: z.object({
|
|
3153
3426
|
"topicId": z.string().optional(),
|
|
@@ -3170,7 +3443,7 @@ defineTable({
|
|
|
3170
3443
|
});
|
|
3171
3444
|
defineTable({
|
|
3172
3445
|
name: "platformAudienceGrants",
|
|
3173
|
-
component: "
|
|
3446
|
+
component: "control-plane",
|
|
3174
3447
|
category: "platform",
|
|
3175
3448
|
shape: z.object({
|
|
3176
3449
|
"tenantId": z.string(),
|
|
@@ -3196,7 +3469,7 @@ defineTable({
|
|
|
3196
3469
|
});
|
|
3197
3470
|
defineTable({
|
|
3198
3471
|
name: "platformAudiences",
|
|
3199
|
-
component: "
|
|
3472
|
+
component: "control-plane",
|
|
3200
3473
|
category: "platform",
|
|
3201
3474
|
shape: z.object({
|
|
3202
3475
|
"tenantId": z.string(),
|
|
@@ -3221,7 +3494,7 @@ defineTable({
|
|
|
3221
3494
|
});
|
|
3222
3495
|
defineTable({
|
|
3223
3496
|
name: "platformPolicyDecisionLogs",
|
|
3224
|
-
component: "
|
|
3497
|
+
component: "control-plane",
|
|
3225
3498
|
category: "platform",
|
|
3226
3499
|
shape: z.object({
|
|
3227
3500
|
"principalId": z.string(),
|
|
@@ -3257,7 +3530,7 @@ defineTable({
|
|
|
3257
3530
|
});
|
|
3258
3531
|
defineTable({
|
|
3259
3532
|
name: "tenantApiKeys",
|
|
3260
|
-
component: "
|
|
3533
|
+
component: "control-plane",
|
|
3261
3534
|
category: "platform",
|
|
3262
3535
|
shape: z.object({
|
|
3263
3536
|
"tenantId": z.string(),
|
|
@@ -3284,7 +3557,7 @@ defineTable({
|
|
|
3284
3557
|
});
|
|
3285
3558
|
defineTable({
|
|
3286
3559
|
name: "tenantConfig",
|
|
3287
|
-
component: "
|
|
3560
|
+
component: "control-plane",
|
|
3288
3561
|
category: "platform",
|
|
3289
3562
|
shape: z.object({
|
|
3290
3563
|
"tenantId": z.string(),
|
|
@@ -3303,7 +3576,7 @@ defineTable({
|
|
|
3303
3576
|
});
|
|
3304
3577
|
defineTable({
|
|
3305
3578
|
name: "tenantIntegrations",
|
|
3306
|
-
component: "
|
|
3579
|
+
component: "control-plane",
|
|
3307
3580
|
category: "platform",
|
|
3308
3581
|
shape: z.object({
|
|
3309
3582
|
"tenantId": z.string(),
|
|
@@ -3358,7 +3631,7 @@ defineTable({
|
|
|
3358
3631
|
});
|
|
3359
3632
|
defineTable({
|
|
3360
3633
|
name: "tenantModelSlotBindings",
|
|
3361
|
-
component: "
|
|
3634
|
+
component: "control-plane",
|
|
3362
3635
|
category: "platform",
|
|
3363
3636
|
shape: z.object({
|
|
3364
3637
|
"bindingId": z.string(),
|
|
@@ -3386,7 +3659,7 @@ defineTable({
|
|
|
3386
3659
|
});
|
|
3387
3660
|
defineTable({
|
|
3388
3661
|
name: "tenantPolicies",
|
|
3389
|
-
component: "
|
|
3662
|
+
component: "control-plane",
|
|
3390
3663
|
category: "platform",
|
|
3391
3664
|
shape: z.object({
|
|
3392
3665
|
"tenantId": z.string(),
|
|
@@ -3411,7 +3684,7 @@ defineTable({
|
|
|
3411
3684
|
});
|
|
3412
3685
|
defineTable({
|
|
3413
3686
|
name: "tenantProviderSecrets",
|
|
3414
|
-
component: "
|
|
3687
|
+
component: "control-plane",
|
|
3415
3688
|
category: "platform",
|
|
3416
3689
|
shape: z.object({
|
|
3417
3690
|
"secretRef": z.string(),
|
|
@@ -3442,7 +3715,7 @@ defineTable({
|
|
|
3442
3715
|
});
|
|
3443
3716
|
defineTable({
|
|
3444
3717
|
name: "tenantProxyGatewayUsage",
|
|
3445
|
-
component: "
|
|
3718
|
+
component: "control-plane",
|
|
3446
3719
|
category: "platform",
|
|
3447
3720
|
shape: z.object({
|
|
3448
3721
|
"usageId": z.string(),
|
|
@@ -3477,7 +3750,7 @@ defineTable({
|
|
|
3477
3750
|
});
|
|
3478
3751
|
defineTable({
|
|
3479
3752
|
name: "tenantProxyTokenMints",
|
|
3480
|
-
component: "
|
|
3753
|
+
component: "control-plane",
|
|
3481
3754
|
category: "platform",
|
|
3482
3755
|
shape: z.object({
|
|
3483
3756
|
"proxyTokenId": z.string(),
|
|
@@ -3500,7 +3773,7 @@ defineTable({
|
|
|
3500
3773
|
});
|
|
3501
3774
|
defineTable({
|
|
3502
3775
|
name: "tenantSandboxAuditEvents",
|
|
3503
|
-
component: "
|
|
3776
|
+
component: "control-plane",
|
|
3504
3777
|
category: "platform",
|
|
3505
3778
|
shape: z.object({
|
|
3506
3779
|
"eventId": z.string(),
|
|
@@ -3534,7 +3807,7 @@ defineTable({
|
|
|
3534
3807
|
});
|
|
3535
3808
|
defineTable({
|
|
3536
3809
|
name: "tenantSecrets",
|
|
3537
|
-
component: "
|
|
3810
|
+
component: "control-plane",
|
|
3538
3811
|
category: "platform",
|
|
3539
3812
|
shape: z.object({
|
|
3540
3813
|
"tenantId": z.string(),
|
|
@@ -3556,7 +3829,7 @@ defineTable({
|
|
|
3556
3829
|
});
|
|
3557
3830
|
defineTable({
|
|
3558
3831
|
name: "toolAcls",
|
|
3559
|
-
component: "
|
|
3832
|
+
component: "control-plane",
|
|
3560
3833
|
category: "platform",
|
|
3561
3834
|
shape: z.object({
|
|
3562
3835
|
"role": z.enum(["platform_admin", "tenant_admin", "workspace_admin", "editor", "viewer", "auditor", "service_agent"]),
|
|
@@ -3571,7 +3844,7 @@ defineTable({
|
|
|
3571
3844
|
});
|
|
3572
3845
|
defineTable({
|
|
3573
3846
|
name: "toolRegistry",
|
|
3574
|
-
component: "
|
|
3847
|
+
component: "control-plane",
|
|
3575
3848
|
category: "platform",
|
|
3576
3849
|
shape: z.object({
|
|
3577
3850
|
"toolName": z.string(),
|
|
@@ -3652,7 +3925,7 @@ defineTable({
|
|
|
3652
3925
|
});
|
|
3653
3926
|
defineTable({
|
|
3654
3927
|
name: "modelCallLogs",
|
|
3655
|
-
component: "
|
|
3928
|
+
component: "control-plane",
|
|
3656
3929
|
category: "model",
|
|
3657
3930
|
shape: z.object({
|
|
3658
3931
|
"slot": z.string(),
|
|
@@ -3678,7 +3951,7 @@ defineTable({
|
|
|
3678
3951
|
});
|
|
3679
3952
|
defineTable({
|
|
3680
3953
|
name: "modelFunctionSlots",
|
|
3681
|
-
component: "
|
|
3954
|
+
component: "control-plane",
|
|
3682
3955
|
category: "model",
|
|
3683
3956
|
shape: z.object({
|
|
3684
3957
|
"slot": z.string(),
|
|
@@ -3703,7 +3976,7 @@ defineTable({
|
|
|
3703
3976
|
});
|
|
3704
3977
|
defineTable({
|
|
3705
3978
|
name: "modelRegistry",
|
|
3706
|
-
component: "
|
|
3979
|
+
component: "control-plane",
|
|
3707
3980
|
category: "model",
|
|
3708
3981
|
shape: z.object({
|
|
3709
3982
|
"key": z.string(),
|
|
@@ -3730,7 +4003,7 @@ defineTable({
|
|
|
3730
4003
|
});
|
|
3731
4004
|
defineTable({
|
|
3732
4005
|
name: "modelSlotConfigs",
|
|
3733
|
-
component: "
|
|
4006
|
+
component: "control-plane",
|
|
3734
4007
|
category: "model",
|
|
3735
4008
|
shape: z.object({
|
|
3736
4009
|
"slot": z.string(),
|
|
@@ -4117,7 +4390,7 @@ defineTable({
|
|
|
4117
4390
|
"workspaceId": idOf("workspaces").optional(),
|
|
4118
4391
|
"resourceType": z.string(),
|
|
4119
4392
|
"resourceId": z.string(),
|
|
4120
|
-
"action": z.enum(["read", "summarize", "export", "mutate", "admin", "comment", "escalate", "resolve", "vote"]),
|
|
4393
|
+
"action": z.enum(["read", "summarize", "export", "mutate", "admin", "comment", "escalate", "resolve", "vote", "route", "invoke", "manage", "deploy", "promote", "rollback", "audit", "read_ref", "fetch_value", "rotate", "administer", "mint", "delegate", "revoke"]),
|
|
4121
4394
|
"decision": z.enum(["allow", "deny"]),
|
|
4122
4395
|
"reasonCode": z.string(),
|
|
4123
4396
|
"policyVersion": z.string(),
|
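Review bot: The widened `action` enum is written out inline on this table, while `permitPolicyDecisionReceipts.action`, added later in the same file, is a bare `z.string()`, so the two decision records can drift to different vocabularies and the receipts accept any value. The list also now carries near-synonyms (`admin`, `administer`, `manage`), which makes allow/deny queries by action ambiguous unless each verb is tied to a resource family. I would hoist the list into one shared constant, for example `var permitAction = z.enum([...]);`, and use `"action": permitAction,` in both places, with a short comment saying which resource types each verb applies to. The enclosing `defineTable` begins and ends outside this hunk, so the table name is not visible here.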
|
@@ -4179,7 +4452,7 @@ defineTable({
|
|
|
4179
4452
|
});
|
|
4180
4453
|
defineTable({
|
|
4181
4454
|
name: "projectGrants",
|
|
4182
|
-
component: "
|
|
4455
|
+
component: "control-plane",
|
|
4183
4456
|
category: "project",
|
|
4184
4457
|
shape: z.object({
|
|
4185
4458
|
"projectId": z.string().optional(),
|
|
@@ -4211,9 +4484,648 @@ defineTable({
|
|
|
4211
4484
|
{ kind: "index", name: "by_topic_cluster_status", columns: ["topicId", "beliefClusterId", "status"] }
|
|
4212
4485
|
]
|
|
4213
4486
|
});
|
|
4487
|
+
var permitActorType = z.enum([
|
|
4488
|
+
"human",
|
|
4489
|
+
"agent",
|
|
4490
|
+
"service_principal",
|
|
4491
|
+
"external_stakeholder",
|
|
4492
|
+
"system"
|
|
4493
|
+
]);
|
|
4494
|
+
var permitMembershipStatus = z.enum([
|
|
4495
|
+
"active",
|
|
4496
|
+
"invited",
|
|
4497
|
+
"revoked",
|
|
4498
|
+
"suspended",
|
|
4499
|
+
"disabled"
|
|
4500
|
+
]);
|
|
4501
|
+
var permitDecision = z.enum(["allow", "deny"]);
|
|
4502
|
+
var permitAccessReviewStatus = z.enum([
|
|
4503
|
+
"open",
|
|
4504
|
+
"in_progress",
|
|
4505
|
+
"approved",
|
|
4506
|
+
"denied",
|
|
4507
|
+
"expired",
|
|
4508
|
+
"cancelled"
|
|
4509
|
+
]);
|
|
4510
|
+
var permitReviewScope = z.enum([
|
|
4511
|
+
"tenant",
|
|
4512
|
+
"workspace",
|
|
4513
|
+
"resource_instance",
|
|
4514
|
+
"group",
|
|
4515
|
+
"principal",
|
|
4516
|
+
"api_key",
|
|
4517
|
+
"admin_action"
|
|
4518
|
+
]);
|
|
4519
|
+
var permitRecordStatus = z.enum([
|
|
4520
|
+
"queued",
|
|
4521
|
+
"inflight",
|
|
4522
|
+
"completed",
|
|
4523
|
+
"failed",
|
|
4524
|
+
"skipped",
|
|
4525
|
+
"stale"
|
|
4526
|
+
]);
|
|
4527
|
+
var permitObjectType = z.enum([
|
|
4528
|
+
"resource",
|
|
4529
|
+
"role",
|
|
4530
|
+
"resource_role",
|
|
4531
|
+
"resource_relation",
|
|
4532
|
+
"tenant",
|
|
4533
|
+
"workspace",
|
|
4534
|
+
"principal",
|
|
4535
|
+
"membership",
|
|
4536
|
+
"group",
|
|
4537
|
+
"resource_instance",
|
|
4538
|
+
"relationship_tuple",
|
|
4539
|
+
"role_assignment"
|
|
4540
|
+
]);
|
|
4541
|
+
var permitOutboxOperation = z.enum([
|
|
4542
|
+
"upsert",
|
|
4543
|
+
"delete",
|
|
4544
|
+
"sync",
|
|
4545
|
+
"resync",
|
|
4546
|
+
"delete_sync",
|
|
4547
|
+
"noop"
|
|
4548
|
+
]);
|
|
4549
|
+
var permitPolicyBundleStatus = z.enum([
|
|
4550
|
+
"draft",
|
|
4551
|
+
"validated",
|
|
4552
|
+
"enforced",
|
|
4553
|
+
"archived"
|
|
4554
|
+
]);
|
|
4555
|
+
var permitSyncStatus = z.enum([
|
|
4556
|
+
"pending",
|
|
4557
|
+
"synced",
|
|
4558
|
+
"error",
|
|
4559
|
+
"skipped"
|
|
4560
|
+
]);
|
|
4561
|
+
var permitAccessReviewSubjectType = z.enum([
|
|
4562
|
+
"principal",
|
|
4563
|
+
"group",
|
|
4564
|
+
"role_assignment",
|
|
4565
|
+
"resource_instance"
|
|
4566
|
+
]);
|
|
4567
|
+
var permitAttributeType = z.enum([
|
|
4568
|
+
"string",
|
|
4569
|
+
"number",
|
|
4570
|
+
"bool",
|
|
4571
|
+
"json",
|
|
4572
|
+
"time"
|
|
4573
|
+
]);
|
|
4574
|
+
var permitAttributeOperator = z.enum([
|
|
4575
|
+
"eq",
|
|
4576
|
+
"neq",
|
|
4577
|
+
"in",
|
|
4578
|
+
"not_in",
|
|
4579
|
+
"gt",
|
|
4580
|
+
"gte",
|
|
4581
|
+
"lt",
|
|
4582
|
+
"lte",
|
|
4583
|
+
"contains",
|
|
4584
|
+
"not_contains",
|
|
4585
|
+
"matches"
|
|
4586
|
+
]);
|
|
4587
|
+
var permitRoleBindingTarget = z.enum([
|
|
4588
|
+
"principal",
|
|
4589
|
+
"group"
|
|
4590
|
+
]);
|
|
4591
|
+
defineTable({
|
|
4592
|
+
name: "permitPrincipals",
|
|
4593
|
+
component: "control-plane",
|
|
4594
|
+
category: "access-control",
|
|
4595
|
+
shape: z.object({
|
|
4596
|
+
principalId: z.string(),
|
|
4597
|
+
tenantId: z.string(),
|
|
4598
|
+
workspaceId: z.optional(z.string()),
|
|
4599
|
+
principalType: permitActorType,
|
|
4600
|
+
status: permitMembershipStatus,
|
|
4601
|
+
displayName: z.string().optional(),
|
|
4602
|
+
metadata: z.record(z.any()).optional(),
|
|
4603
|
+
createdBy: z.string(),
|
|
4604
|
+
createdAt: z.number(),
|
|
4605
|
+
updatedAt: z.number(),
|
|
4606
|
+
updatedBy: z.string().optional(),
|
|
4607
|
+
lastSeenAt: z.number().optional()
|
|
4608
|
+
}),
|
|
4609
|
+
indices: [
|
|
4610
|
+
{ kind: "index", name: "by_tenantId", columns: ["tenantId"] },
|
|
4611
|
+
{ kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
|
|
4612
|
+
{ kind: "index", name: "by_tenant_principalId", columns: ["tenantId", "principalId"] },
|
|
4613
|
+
{ kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] },
|
|
4614
|
+
{
|
|
4615
|
+
kind: "index",
|
|
4616
|
+
name: "by_tenant_principalType_status",
|
|
4617
|
+
columns: ["tenantId", "principalType", "status"]
|
|
4618
|
+
}
|
|
4619
|
+
]
|
|
4620
|
+
});
|
|
4621
|
+
defineTable({
|
|
4622
|
+
name: "permitPrincipalAliases",
|
|
4623
|
+
component: "control-plane",
|
|
4624
|
+
category: "access-control",
|
|
4625
|
+
shape: z.object({
|
|
4626
|
+
principalId: z.string(),
|
|
4627
|
+
tenantId: z.string(),
|
|
4628
|
+
workspaceId: z.optional(z.string()),
|
|
4629
|
+
provider: z.string(),
|
|
4630
|
+
providerSubjectId: z.string(),
|
|
4631
|
+
providerProjectId: z.string().optional(),
|
|
4632
|
+
alias: z.string(),
|
|
4633
|
+
aliasKind: z.string(),
|
|
4634
|
+
status: permitMembershipStatus,
|
|
4635
|
+
metadata: z.record(z.any()).optional(),
|
|
4636
|
+
createdBy: z.string(),
|
|
4637
|
+
createdAt: z.number(),
|
|
4638
|
+
updatedAt: z.number(),
|
|
4639
|
+
revokedBy: z.string().optional(),
|
|
4640
|
+
revokedAt: z.number().optional(),
|
|
4641
|
+
updatedBy: z.string().optional()
|
|
4642
|
+
}),
|
|
4643
|
+
indices: [
|
|
4644
|
+
{ kind: "index", name: "by_principalId", columns: ["principalId"] },
|
|
4645
|
+
{ kind: "index", name: "by_tenant_provider_subject", columns: ["tenantId", "provider", "providerSubjectId"] },
|
|
4646
|
+
{
|
|
4647
|
+
kind: "index",
|
|
4648
|
+
name: "by_tenant_provider_alias",
|
|
4649
|
+
columns: ["tenantId", "provider", "alias"]
|
|
4650
|
+
},
|
|
4651
|
+
{ kind: "index", name: "by_tenant_alias", columns: ["tenantId", "alias"] },
|
|
4652
|
+
{
|
|
4653
|
+
kind: "index",
|
|
4654
|
+
name: "by_tenant_provider_status",
|
|
4655
|
+
columns: ["tenantId", "provider", "status"]
|
|
4656
|
+
}
|
|
4657
|
+
]
|
|
4658
|
+
});
|
|
4659
|
+
defineTable({
|
|
4660
|
+
name: "permitGroups",
|
|
4661
|
+
component: "control-plane",
|
|
4662
|
+
category: "access-control",
|
|
4663
|
+
shape: z.object({
|
|
4664
|
+
tenantId: z.string(),
|
|
4665
|
+
workspaceId: z.optional(z.string()),
|
|
4666
|
+
groupId: z.string(),
|
|
4667
|
+
groupKey: z.string(),
|
|
4668
|
+
groupName: z.string(),
|
|
4669
|
+
groupType: z.enum(["tenant", "workspace", "external", "system", "dynamic"]),
|
|
4670
|
+
status: permitMembershipStatus,
|
|
4671
|
+
description: z.string().optional(),
|
|
4672
|
+
metadata: z.record(z.any()).optional(),
|
|
4673
|
+
createdBy: z.string(),
|
|
4674
|
+
createdAt: z.number(),
|
|
4675
|
+
updatedAt: z.number(),
|
|
4676
|
+
updatedBy: z.string().optional()
|
|
4677
|
+
}),
|
|
4678
|
+
indices: [
|
|
4679
|
+
{ kind: "index", name: "by_tenantId", columns: ["tenantId"] },
|
|
4680
|
+
{ kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
|
|
4681
|
+
{ kind: "index", name: "by_tenant_groupId", columns: ["tenantId", "groupId"] },
|
|
4682
|
+
{ kind: "index", name: "by_tenant_groupKey", columns: ["tenantId", "groupKey"] },
|
|
4683
|
+
{ kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] }
|
|
4684
|
+
]
|
|
4685
|
+
});
|
|
4686
|
+
defineTable({
|
|
4687
|
+
name: "permitGroupMemberships",
|
|
4688
|
+
component: "control-plane",
|
|
4689
|
+
category: "access-control",
|
|
4690
|
+
shape: z.object({
|
|
4691
|
+
tenantId: z.string(),
|
|
4692
|
+
workspaceId: z.optional(z.string()),
|
|
4693
|
+
groupId: z.string(),
|
|
4694
|
+
memberType: z.enum(["principal", "group"]),
|
|
4695
|
+
memberId: z.string(),
|
|
4696
|
+
principalId: z.string().optional(),
|
|
4697
|
+
childGroupId: z.string().optional(),
|
|
4698
|
+
status: permitMembershipStatus,
|
|
4699
|
+
addedBy: z.string().optional(),
|
|
4700
|
+
revokedBy: z.string().optional(),
|
|
4701
|
+
expiresAt: z.number().optional(),
|
|
4702
|
+
revocationReason: z.string().optional(),
|
|
4703
|
+
metadata: z.record(z.any()).optional(),
|
|
4704
|
+
createdAt: z.number(),
|
|
4705
|
+
updatedAt: z.number(),
|
|
4706
|
+
updatedBy: z.string().optional()
|
|
4707
|
+
}),
|
|
4708
|
+
indices: [
|
|
4709
|
+
{ kind: "index", name: "by_tenant_principal", columns: ["tenantId", "principalId"] },
|
|
4710
|
+
{ kind: "index", name: "by_tenant_member", columns: ["tenantId", "memberType", "memberId"] },
|
|
4711
|
+
{
|
|
4712
|
+
kind: "index",
|
|
4713
|
+
name: "by_tenant_member_group",
|
|
4714
|
+
columns: ["tenantId", "memberType", "memberId", "groupId"]
|
|
4715
|
+
},
|
|
4716
|
+
{ kind: "index", name: "by_tenant_group", columns: ["tenantId", "groupId"] },
|
|
4717
|
+
{ kind: "index", name: "by_member_group", columns: ["memberType", "memberId", "groupId"] },
|
|
4718
|
+
{ kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] },
|
|
4719
|
+
{
|
|
4720
|
+
kind: "index",
|
|
4721
|
+
name: "by_workspace_principal",
|
|
4722
|
+
columns: ["workspaceId", "principalId"]
|
|
4723
|
+
}
|
|
4724
|
+
]
|
|
4725
|
+
});
|
|
4726
|
+
defineTable({
|
|
4727
|
+
name: "permitResourceInstances",
|
|
4728
|
+
component: "control-plane",
|
|
4729
|
+
category: "access-control",
|
|
4730
|
+
shape: z.object({
|
|
4731
|
+
tenantId: z.string(),
|
|
4732
|
+
workspaceId: z.optional(z.string()),
|
|
4733
|
+
resourceType: z.string(),
|
|
4734
|
+
resourceKey: z.string(),
|
|
4735
|
+
resourceId: z.string(),
|
|
4736
|
+
status: z.enum(["active", "deleted", "archived"]),
|
|
4737
|
+
attributes: z.record(z.any()).optional(),
|
|
4738
|
+
ownerPrincipalId: z.string().optional(),
|
|
4739
|
+
metadata: z.record(z.any()).optional(),
|
|
4740
|
+
createdBy: z.string(),
|
|
4741
|
+
updatedBy: z.string().optional(),
|
|
4742
|
+
createdAt: z.number(),
|
|
4743
|
+
updatedAt: z.number()
|
|
4744
|
+
}),
|
|
4745
|
+
indices: [
|
|
4746
|
+
{
|
|
4747
|
+
kind: "index",
|
|
4748
|
+
name: "by_tenant_resource_type",
|
|
4749
|
+
columns: ["tenantId", "resourceType"]
|
|
4750
|
+
},
|
|
4751
|
+
{
|
|
4752
|
+
kind: "index",
|
|
4753
|
+
name: "by_tenant_resource_key",
|
|
4754
|
+
columns: ["tenantId", "resourceType", "resourceKey"]
|
|
4755
|
+
},
|
|
4756
|
+
{ kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
|
|
4757
|
+
{ kind: "index", name: "by_status", columns: ["status"] },
|
|
4758
|
+
{
|
|
4759
|
+
kind: "index",
|
|
4760
|
+
name: "by_tenant_status",
|
|
4761
|
+
columns: ["tenantId", "status"]
|
|
4762
|
+
},
|
|
4763
|
+
{
|
|
4764
|
+
kind: "index",
|
|
4765
|
+
name: "by_ownerPrincipalId",
|
|
4766
|
+
columns: ["ownerPrincipalId"]
|
|
4767
|
+
}
|
|
4768
|
+
]
|
|
4769
|
+
});
|
|
4770
|
+
defineTable({
|
|
4771
|
+
name: "permitRoleAssignments",
|
|
4772
|
+
component: "control-plane",
|
|
4773
|
+
category: "access-control",
|
|
4774
|
+
shape: z.object({
|
|
4775
|
+
tenantId: z.string(),
|
|
4776
|
+
workspaceId: z.optional(z.string()),
|
|
4777
|
+
role: z.string(),
|
|
4778
|
+
targetType: permitRoleBindingTarget,
|
|
4779
|
+
targetId: z.string(),
|
|
4780
|
+
resourceType: z.string(),
|
|
4781
|
+
resourceKey: z.string(),
|
|
4782
|
+
resourceInstanceId: z.string().optional(),
|
|
4783
|
+
status: permitMembershipStatus,
|
|
4784
|
+
expiresAt: z.number().optional(),
|
|
4785
|
+
attributes: z.record(z.any()).optional(),
|
|
4786
|
+
grantedBy: z.string().optional(),
|
|
4787
|
+
updatedBy: z.string().optional(),
|
|
4788
|
+
revokedBy: z.string().optional(),
|
|
4789
|
+
createdAt: z.number(),
|
|
4790
|
+
updatedAt: z.number()
|
|
4791
|
+
}),
|
|
4792
|
+
indices: [
|
|
4793
|
+
{
|
|
4794
|
+
kind: "index",
|
|
4795
|
+
name: "by_tenant_target",
|
|
4796
|
+
columns: ["tenantId", "targetType", "targetId"]
|
|
4797
|
+
},
|
|
4798
|
+
{
|
|
4799
|
+
kind: "index",
|
|
4800
|
+
name: "by_tenant_resource",
|
|
4801
|
+
columns: ["tenantId", "resourceType", "resourceKey"]
|
|
4802
|
+
},
|
|
4803
|
+
{
|
|
4804
|
+
kind: "index",
|
|
4805
|
+
name: "by_tenant_role",
|
|
4806
|
+
columns: ["tenantId", "role", "status"]
|
|
4807
|
+
},
|
|
4808
|
+
{ kind: "index", name: "by_status", columns: ["status"] },
|
|
4809
|
+
{
|
|
4810
|
+
kind: "index",
|
|
4811
|
+
name: "by_workspace_resource",
|
|
4812
|
+
columns: ["workspaceId", "resourceType", "resourceKey"]
|
|
4813
|
+
}
|
|
4814
|
+
]
|
|
4815
|
+
});
|
|
4816
|
+
defineTable({
|
|
4817
|
+
name: "permitRelationshipTuples",
|
|
4818
|
+
component: "control-plane",
|
|
4819
|
+
category: "access-control",
|
|
4820
|
+
shape: z.object({
|
|
4821
|
+
tenantId: z.string(),
|
|
4822
|
+
workspaceId: z.optional(z.string()),
|
|
4823
|
+
relation: z.string(),
|
|
4824
|
+
subject: z.string(),
|
|
4825
|
+
object: z.string(),
|
|
4826
|
+
resourceType: z.string().optional(),
|
|
4827
|
+
resourceKey: z.string().optional(),
|
|
4828
|
+
status: permitRecordStatus,
|
|
4829
|
+
attributes: z.record(z.any()).optional(),
|
|
4830
|
+
createdBy: z.string(),
|
|
4831
|
+
createdAt: z.number(),
|
|
4832
|
+
updatedAt: z.number(),
|
|
4833
|
+
lastSeenAt: z.number().optional(),
|
|
4834
|
+
updatedBy: z.string().optional()
|
|
4835
|
+
}),
|
|
4836
|
+
indices: [
|
|
4837
|
+
{ kind: "index", name: "by_tenant_subject", columns: ["tenantId", "subject"] },
|
|
4838
|
+
{ kind: "index", name: "by_tenant_object", columns: ["tenantId", "object"] },
|
|
4839
|
+
{ kind: "index", name: "by_tenant_relation", columns: ["tenantId", "relation"] },
|
|
4840
|
+
{
|
|
4841
|
+
kind: "index",
|
|
4842
|
+
name: "by_tenant_relation_subject",
|
|
4843
|
+
columns: ["tenantId", "relation", "subject"]
|
|
4844
|
+
},
|
|
4845
|
+
{ kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] }
|
|
4846
|
+
]
|
|
4847
|
+
});
|
|
4848
|
+
defineTable({
|
|
4849
|
+
name: "permitAttributeBindings",
|
|
4850
|
+
component: "control-plane",
|
|
4851
|
+
category: "access-control",
|
|
4852
|
+
shape: z.object({
|
|
4853
|
+
tenantId: z.string(),
|
|
4854
|
+
workspaceId: z.optional(z.string()),
|
|
4855
|
+
targetType: permitRoleBindingTarget,
|
|
4856
|
+
targetId: z.string(),
|
|
4857
|
+
attributeName: z.string(),
|
|
4858
|
+
attributeType: permitAttributeType,
|
|
4859
|
+
attributeOperator: permitAttributeOperator,
|
|
4860
|
+
attributeValue: z.any(),
|
|
4861
|
+
status: permitRecordStatus,
|
|
4862
|
+
source: z.string().optional(),
|
|
4863
|
+
sourceRef: z.string().optional(),
|
|
4864
|
+
metadata: z.record(z.any()).optional(),
|
|
4865
|
+
createdAt: z.number(),
|
|
4866
|
+
updatedAt: z.number(),
|
|
4867
|
+
createdBy: z.string(),
|
|
4868
|
+
updatedBy: z.string().optional(),
|
|
4869
|
+
expiresAt: z.number().optional()
|
|
4870
|
+
}),
|
|
4871
|
+
indices: [
|
|
4872
|
+
{
|
|
4873
|
+
kind: "index",
|
|
4874
|
+
name: "by_tenant_target",
|
|
4875
|
+
columns: ["tenantId", "targetType", "targetId"]
|
|
4876
|
+
},
|
|
4877
|
+
{
|
|
4878
|
+
kind: "index",
|
|
4879
|
+
name: "by_tenant_target_attribute",
|
|
4880
|
+
columns: ["tenantId", "targetType", "targetId", "attributeName"]
|
|
4881
|
+
},
|
|
4882
|
+
{
|
|
4883
|
+
kind: "index",
|
|
4884
|
+
name: "by_tenant_name",
|
|
4885
|
+
columns: ["tenantId", "attributeName"]
|
|
4886
|
+
},
|
|
4887
|
+
{
|
|
4888
|
+
kind: "index",
|
|
4889
|
+
name: "by_tenant_status",
|
|
4890
|
+
columns: ["tenantId", "status"]
|
|
4891
|
+
}
|
|
4892
|
+
]
|
|
4893
|
+
});
|
|
4894
|
+
defineTable({
|
|
4895
|
+
name: "permitPolicyBundles",
|
|
4896
|
+
component: "control-plane",
|
|
4897
|
+
category: "access-control",
|
|
4898
|
+
shape: z.object({
|
|
4899
|
+
tenantId: z.string(),
|
|
4900
|
+
workspaceId: z.optional(z.string()),
|
|
4901
|
+
bundleKey: z.string(),
|
|
4902
|
+
version: z.number(),
|
|
4903
|
+
status: permitPolicyBundleStatus,
|
|
4904
|
+
policyHash: z.string().optional(),
|
|
4905
|
+
policyPayload: z.record(z.any()),
|
|
4906
|
+
metadata: z.record(z.any()).optional(),
|
|
4907
|
+
createdBy: z.string(),
|
|
4908
|
+
reviewedBy: z.string().optional(),
|
|
4909
|
+
createdAt: z.number(),
|
|
4910
|
+
updatedAt: z.number(),
|
|
4911
|
+
retiredAt: z.number().optional()
|
|
4912
|
+
}),
|
|
4913
|
+
indices: [
|
|
4914
|
+
{ kind: "index", name: "by_tenantId", columns: ["tenantId"] },
|
|
4915
|
+
{ kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
|
|
4916
|
+
{
|
|
4917
|
+
kind: "index",
|
|
4918
|
+
name: "by_tenant_bundleKey",
|
|
4919
|
+
columns: ["tenantId", "bundleKey"]
|
|
4920
|
+
},
|
|
4921
|
+
{
|
|
4922
|
+
kind: "index",
|
|
4923
|
+
name: "by_tenant_bundle_version",
|
|
4924
|
+
columns: ["tenantId", "bundleKey", "version"]
|
|
4925
|
+
},
|
|
4926
|
+
{ kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] }
|
|
4927
|
+
]
|
|
4928
|
+
});
|
|
4929
|
+
defineTable({
|
|
4930
|
+
name: "permitProjectionOutbox",
|
|
4931
|
+
component: "control-plane",
|
|
4932
|
+
category: "access-control",
|
|
4933
|
+
shape: z.object({
|
|
4934
|
+
syncKey: z.string(),
|
|
4935
|
+
objectType: permitObjectType,
|
|
4936
|
+
objectId: z.string(),
|
|
4937
|
+
operation: permitOutboxOperation,
|
|
4938
|
+
payload: z.record(z.any()),
|
|
4939
|
+
status: permitRecordStatus,
|
|
4940
|
+
attemptCount: z.number(),
|
|
4941
|
+
nextAttemptAt: z.number().optional(),
|
|
4942
|
+
lastError: z.string().optional(),
|
|
4943
|
+
tenantId: z.string().optional(),
|
|
4944
|
+
workspaceId: z.optional(z.string()),
|
|
4945
|
+
principalId: z.string().optional(),
|
|
4946
|
+
permitTenantKey: z.string().optional(),
|
|
4947
|
+
permitResourceType: z.string().optional(),
|
|
4948
|
+
permitResourceKey: z.string().optional(),
|
|
4949
|
+
createdAt: z.number(),
|
|
4950
|
+
updatedAt: z.number(),
|
|
4951
|
+
lastHandledAt: z.number().optional()
|
|
4952
|
+
}),
|
|
4953
|
+
indices: [
|
|
4954
|
+
{ kind: "index", name: "by_syncKey", columns: ["syncKey"] },
|
|
4955
|
+
{ kind: "index", name: "by_status", columns: ["status"] },
|
|
4956
|
+
{ kind: "index", name: "by_tenantId", columns: ["tenantId"] },
|
|
4957
|
+
{
|
|
4958
|
+
kind: "index",
|
|
4959
|
+
name: "by_tenant_status",
|
|
4960
|
+
columns: ["tenantId", "status"]
|
|
4961
|
+
},
|
|
4962
|
+
{
|
|
4963
|
+
kind: "index",
|
|
4964
|
+
name: "by_objectType",
|
|
4965
|
+
columns: ["objectType", "status"]
|
|
4966
|
+
}
|
|
4967
|
+
]
|
|
4968
|
+
});
|
|
4969
|
+
defineTable({
|
|
4970
|
+
name: "tenantPermitSyncStates",
|
|
4971
|
+
component: "control-plane",
|
|
4972
|
+
category: "access-control",
|
|
4973
|
+
shape: z.object({
|
|
4974
|
+
syncKey: z.string(),
|
|
4975
|
+
objectType: permitObjectType,
|
|
4976
|
+
objectId: z.string(),
|
|
4977
|
+
tenantId: z.string().optional(),
|
|
4978
|
+
workspaceId: z.string().optional(),
|
|
4979
|
+
principalId: z.string().optional(),
|
|
4980
|
+
permitTenantKey: z.string().optional(),
|
|
4981
|
+
permitResourceType: z.string().optional(),
|
|
4982
|
+
permitResourceKey: z.string().optional(),
|
|
4983
|
+
desiredPayload: z.record(z.any()),
|
|
4984
|
+
lastAppliedPayloadHash: z.string().optional(),
|
|
4985
|
+
status: permitSyncStatus,
|
|
4986
|
+
attemptCount: z.number(),
|
|
4987
|
+
lastError: z.string().optional(),
|
|
4988
|
+
nextAttemptAt: z.number().optional(),
|
|
4989
|
+
lastSyncedAt: z.number().optional(),
|
|
4990
|
+
createdBy: z.string(),
|
|
4991
|
+
updatedBy: z.string().optional(),
|
|
4992
|
+
createdAt: z.number(),
|
|
4993
|
+
updatedAt: z.number()
|
|
4994
|
+
}),
|
|
4995
|
+
indices: [
|
|
4996
|
+
{ kind: "index", name: "by_syncKey", columns: ["syncKey"] },
|
|
4997
|
+
{ kind: "index", name: "by_status", columns: ["status"] },
|
|
4998
|
+
{
|
|
4999
|
+
kind: "index",
|
|
5000
|
+
name: "by_tenant_status",
|
|
5001
|
+
columns: ["tenantId", "status"]
|
|
5002
|
+
},
|
|
5003
|
+
{
|
|
5004
|
+
kind: "index",
|
|
5005
|
+
name: "by_workspace_status",
|
|
5006
|
+
columns: ["workspaceId", "status"]
|
|
5007
|
+
},
|
|
5008
|
+
{
|
|
5009
|
+
kind: "index",
|
|
5010
|
+
name: "by_principal_status",
|
|
5011
|
+
columns: ["principalId", "status"]
|
|
5012
|
+
}
|
|
5013
|
+
]
|
|
5014
|
+
});
|
|
5015
|
+
defineTable({
|
|
5016
|
+
name: "permitPolicyDecisionReceipts",
|
|
5017
|
+
component: "control-plane",
|
|
5018
|
+
category: "access-control",
|
|
5019
|
+
shape: z.object({
|
|
5020
|
+
tenantId: z.string().optional(),
|
|
5021
|
+
workspaceId: z.string().optional(),
|
|
5022
|
+
principalId: z.string(),
|
|
5023
|
+
subjectType: permitAccessReviewSubjectType.optional(),
|
|
5024
|
+
subjectId: z.string().optional(),
|
|
5025
|
+
resourceType: z.string(),
|
|
5026
|
+
resourceId: z.string(),
|
|
5027
|
+
action: z.string(),
|
|
5028
|
+
decision: permitDecision,
|
|
5029
|
+
reasonCode: z.string(),
|
|
5030
|
+
policyBundleId: z.string().optional(),
|
|
5031
|
+
policyVersion: z.string(),
|
|
5032
|
+
traceId: z.string().optional(),
|
|
5033
|
+
requestId: z.string().optional(),
|
|
5034
|
+
audienceMode: z.string().optional(),
|
|
5035
|
+
audienceKey: z.string().optional(),
|
|
5036
|
+
audienceClass: z.enum(["internal", "restricted_external", "public"]).optional(),
|
|
5037
|
+
metadata: z.record(z.any()).optional(),
|
|
5038
|
+
createdAt: z.number(),
|
|
5039
|
+
expiresAt: z.number().optional(),
|
|
5040
|
+
createdBy: z.string().optional()
|
|
5041
|
+
}),
|
|
5042
|
+
indices: [
|
|
5043
|
+
{ kind: "index", name: "by_principal_createdAt", columns: ["principalId", "createdAt"] },
|
|
5044
|
+
{ kind: "index", name: "by_tenant_createdAt", columns: ["tenantId", "createdAt"] },
|
|
5045
|
+
{ kind: "index", name: "by_resource", columns: ["resourceType", "resourceId"] },
|
|
5046
|
+
{ kind: "index", name: "by_decision_createdAt", columns: ["decision", "createdAt"] },
|
|
5047
|
+
{ kind: "index", name: "by_traceId", columns: ["traceId"] },
|
|
5048
|
+
{ kind: "index", name: "by_action", columns: ["action"] }
|
|
5049
|
+
]
|
|
5050
|
+
});
|
|
5051
|
+
defineTable({
|
|
5052
|
+
name: "permitAccessReviews",
|
|
5053
|
+
component: "control-plane",
|
|
5054
|
+
category: "access-control",
|
|
5055
|
+
shape: z.object({
|
|
5056
|
+
tenantId: z.string(),
|
|
5057
|
+
workspaceId: z.optional(z.string()),
|
|
5058
|
+
reviewKey: z.string(),
|
|
5059
|
+
scope: permitReviewScope,
|
|
5060
|
+
status: permitAccessReviewStatus,
|
|
5061
|
+
subjectType: permitAccessReviewSubjectType,
|
|
5062
|
+
subjectId: z.string(),
|
|
5063
|
+
resourceType: z.string().optional(),
|
|
5064
|
+
resourceKey: z.string().optional(),
|
|
5065
|
+
outcome: z.enum(["allow", "deny"]).optional(),
|
|
5066
|
+
requestedBy: z.string(),
|
|
5067
|
+
reviewedBy: z.string().optional(),
|
|
5068
|
+
requestedAt: z.number(),
|
|
5069
|
+
reviewedAt: z.number().optional(),
|
|
5070
|
+
dueAt: z.number().optional(),
|
|
5071
|
+
justification: z.string().optional(),
|
|
5072
|
+
rationale: z.string().optional(),
|
|
5073
|
+
policyBundleId: z.string().optional(),
|
|
5074
|
+
metadata: z.record(z.any()).optional(),
|
|
5075
|
+
createdAt: z.number(),
|
|
5076
|
+
updatedAt: z.number()
|
|
5077
|
+
}),
|
|
5078
|
+
indices: [
|
|
5079
|
+
{ kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] },
|
|
5080
|
+
{ kind: "index", name: "by_tenant_reviewKey", columns: ["tenantId", "reviewKey"] },
|
|
5081
|
+
{ kind: "index", name: "by_subject", columns: ["subjectType", "subjectId"] },
|
|
5082
|
+
{
|
|
5083
|
+
kind: "index",
|
|
5084
|
+
name: "by_tenant_subject",
|
|
5085
|
+
columns: ["tenantId", "subjectType", "subjectId"]
|
|
5086
|
+
},
|
|
5087
|
+
{ kind: "index", name: "by_outcome", columns: ["outcome"] },
|
|
5088
|
+
{
|
|
5089
|
+
kind: "index",
|
|
5090
|
+
name: "by_workspace_status",
|
|
5091
|
+
columns: ["workspaceId", "status"]
|
|
5092
|
+
}
|
|
5093
|
+
]
|
|
5094
|
+
});
|
|
5095
|
+
defineTable({
|
|
5096
|
+
name: "permitAccessReviewItems",
|
|
5097
|
+
component: "control-plane",
|
|
5098
|
+
category: "access-control",
|
|
5099
|
+
shape: z.object({
|
|
5100
|
+
reviewKey: z.string(),
|
|
5101
|
+
itemKey: z.string(),
|
|
5102
|
+
tenantId: z.string(),
|
|
5103
|
+
workspaceId: z.string().optional(),
|
|
5104
|
+
subjectType: permitAccessReviewSubjectType,
|
|
5105
|
+
subjectId: z.string(),
|
|
5106
|
+
resourceType: z.string().optional(),
|
|
5107
|
+
resourceKey: z.string().optional(),
|
|
5108
|
+
role: z.string().optional(),
|
|
5109
|
+
relation: z.string().optional(),
|
|
5110
|
+
status: z.enum(["open", "approved", "revoked", "changed", "deferred"]),
|
|
5111
|
+
reviewerId: z.string().optional(),
|
|
5112
|
+
decisionAt: z.number().optional(),
|
|
5113
|
+
rationale: z.string().optional(),
|
|
5114
|
+
metadata: z.record(z.any()).optional(),
|
|
5115
|
+
createdAt: z.number(),
|
|
5116
|
+
updatedAt: z.number()
|
|
5117
|
+
}),
|
|
5118
|
+
indices: [
|
|
5119
|
+
{ kind: "index", name: "by_reviewKey", columns: ["reviewKey"] },
|
|
5120
|
+
{ kind: "index", name: "by_tenant_reviewKey", columns: ["tenantId", "reviewKey"] },
|
|
5121
|
+
{ kind: "index", name: "by_tenant_itemKey", columns: ["tenantId", "itemKey"] },
|
|
5122
|
+
{ kind: "index", name: "by_subject", columns: ["subjectType", "subjectId"] },
|
|
5123
|
+
{ kind: "index", name: "by_status", columns: ["status"] }
|
|
5124
|
+
]
|
|
5125
|
+
});
|
|
4214
5126
|
defineTable({
|
|
4215
5127
|
name: "reasoningPermissions",
|
|
4216
|
-
component: "
|
|
5128
|
+
component: "control-plane",
|
|
4217
5129
|
category: "epistemic",
|
|
4218
5130
|
shape: z.object({
|
|
4219
5131
|
"topicId": z.string().optional(),
|
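Review bot: `permitRelationshipTuples.status` and `permitAttributeBindings.status` are typed as `permitRecordStatus` (queued, inflight, completed, failed, skipped, stale), the job-lifecycle enum also used by `permitProjectionOutbox`, whereas the other grant-bearing tables in this hunk (`permitRoleAssignments`, `permitGroupMemberships`) use `permitMembershipStatus` with explicit `revoked` and `suspended` states. As written, a tuple or attribute binding has no state that means "no longer grants access", so revocation would have to be a delete or an overloaded value such as `stale`; the evaluator is not visible here, so which of these it honours is unclear. If these rows are authorization facts rather than sync jobs, I would change both fields to `status: permitMembershipStatus,`, or otherwise add a comment on each stating which values the decision path treats as effective.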
|
@@ -4460,7 +5372,7 @@ defineTable({
|
|
|
4460
5372
|
});
|
|
4461
5373
|
defineTable({
|
|
4462
5374
|
name: "users",
|
|
4463
|
-
component: "
|
|
5375
|
+
component: "control-plane",
|
|
4464
5376
|
category: "user",
|
|
4465
5377
|
shape: z.object({
|
|
4466
5378
|
"clerkId": z.string(),
|
|
@@ -4574,7 +5486,6 @@ defineTable({
|
|
|
4574
5486
|
"deployments": z.record(z.object({
|
|
4575
5487
|
"url": z.string(),
|
|
4576
5488
|
"target": z.enum(["kernelDeployment", "appDeployment"]).optional(),
|
|
4577
|
-
"encryptedDeployKey": z.string().optional(),
|
|
4578
5489
|
"credentialRef": z.string().optional()
|
|
4579
5490
|
})).optional(),
|
|
4580
5491
|
"metadata": z.record(z.any()).optional(),
|
|
@@ -4589,6 +5500,39 @@ defineTable({
|
|
|
4589
5500
|
{ kind: "index", name: "by_status", columns: ["status"] }
|
|
4590
5501
|
]
|
|
4591
5502
|
});
|
|
5503
|
+
defineTable({
|
|
5504
|
+
name: "deploymentHosts",
|
|
5505
|
+
component: "mc",
|
|
5506
|
+
category: "workspace",
|
|
5507
|
+
shape: z.object({
|
|
5508
|
+
"host": z.string(),
|
|
5509
|
+
"tenantId": idOf("tenants"),
|
|
5510
|
+
"workspaceId": idOf("workspaces"),
|
|
5511
|
+
"environment": z.enum(["dev", "staging", "prod"]),
|
|
5512
|
+
"target": z.enum(["kernelDeployment", "appDeployment"]),
|
|
5513
|
+
"deploymentUrl": z.string().optional(),
|
|
5514
|
+
"deploymentName": z.string().optional(),
|
|
5515
|
+
"vercelProjectName": z.string().optional(),
|
|
5516
|
+
"vercelProjectId": z.string().optional(),
|
|
5517
|
+
"vercelEnvironment": z.enum(["development", "preview", "staging", "production"]).optional(),
|
|
5518
|
+
"source": z.enum(["vercel_preview", "vercel_production", "vercel_custom_environment", "custom_domain", "manual"]),
|
|
5519
|
+
"status": z.enum(["active", "revoked"]),
|
|
5520
|
+
"metadata": z.record(z.any()).optional(),
|
|
5521
|
+
"createdBy": z.string(),
|
|
5522
|
+
"createdAt": z.number(),
|
|
5523
|
+
"updatedAt": z.number(),
|
|
5524
|
+
"revokedAt": z.number().optional(),
|
|
5525
|
+
"revokedBy": z.string().optional()
|
|
5526
|
+
}),
|
|
5527
|
+
indices: [
|
|
5528
|
+
{ kind: "index", name: "by_host", columns: ["host"] },
|
|
5529
|
+
{ kind: "index", name: "by_tenantId", columns: ["tenantId"] },
|
|
5530
|
+
{ kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
|
|
5531
|
+
{ kind: "index", name: "by_tenant_workspace_environment", columns: ["tenantId", "workspaceId", "environment"] },
|
|
5532
|
+
{ kind: "index", name: "by_workspace_status", columns: ["workspaceId", "status"] },
|
|
5533
|
+
{ kind: "index", name: "by_status", columns: ["status"] }
|
|
5534
|
+
]
|
|
5535
|
+
});
|
|
4592
5536
|
defineTable({
|
|
4593
5537
|
name: "worktreeBeliefCluster",
|
|
4594
5538
|
component: "kernel",
|
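Review bot: `deploymentHosts` is declared with `component: "mc"`, but every other table touched in this diff is moved to `component: "control-plane"`, and the manifest schema in a later hunk restricts `componentName` to `z.enum(["kernel", "control-plane"])`. If table components are checked against that manifest, this host-to-tenant mapping would sit under a component the manifest no longer names; that link is not visible here, so please confirm. If it is a missed rename, the line should read `component: "control-plane",`. It would also help to add a comment on `host` stating the stored form expected (for example lower-cased, without port) and that `by_host` lookups must also filter on `status`, since the index alone returns revoked rows too.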
|
@@ -4896,8 +5840,8 @@ defineTable({
|
|
|
4896
5840
|
});
|
|
4897
5841
|
z.object({
|
|
4898
5842
|
manifestVersion: z.string(),
|
|
4899
|
-
componentName: z.enum(["kernel", "
|
|
4900
|
-
tier: z.enum(["K", "
|
|
5843
|
+
componentName: z.enum(["kernel", "control-plane"]),
|
|
5844
|
+
tier: z.enum(["K", "CP"]),
|
|
4901
5845
|
packageVersion: z.string(),
|
|
4902
5846
|
tables: z.array(
|
|
4903
5847
|
z.object({
|
|
@@ -5033,119 +5977,984 @@ var TENANT_CLIENT_INSTALLABLE_PACKAGES = [
|
|
|
5033
5977
|
directTenantImport: false
|
|
5034
5978
|
},
|
|
5035
5979
|
{
|
|
5036
|
-
packageName: "@lucern/auth",
|
|
5037
|
-
role: "sdk_dependency",
|
|
5038
|
-
directTenantImport: false
|
|
5980
|
+
packageName: "@lucern/auth",
|
|
5981
|
+
role: "sdk_dependency",
|
|
5982
|
+
directTenantImport: false
|
|
5983
|
+
},
|
|
5984
|
+
{
|
|
5985
|
+
packageName: "@lucern/cli",
|
|
5986
|
+
role: "developer_tool",
|
|
5987
|
+
directTenantImport: false
|
|
5988
|
+
},
|
|
5989
|
+
{
|
|
5990
|
+
packageName: "@lucern/client-core",
|
|
5991
|
+
role: "sdk_dependency",
|
|
5992
|
+
directTenantImport: false
|
|
5993
|
+
},
|
|
5994
|
+
{
|
|
5995
|
+
packageName: "@lucern/confidence",
|
|
5996
|
+
role: "sdk_dependency",
|
|
5997
|
+
directTenantImport: false
|
|
5998
|
+
},
|
|
5999
|
+
{
|
|
6000
|
+
packageName: "@lucern/config",
|
|
6001
|
+
role: "configuration",
|
|
6002
|
+
directTenantImport: false
|
|
6003
|
+
},
|
|
6004
|
+
{
|
|
6005
|
+
packageName: "@lucern/contracts",
|
|
6006
|
+
role: "contract_entrypoint",
|
|
6007
|
+
directTenantImport: true
|
|
6008
|
+
},
|
|
6009
|
+
{
|
|
6010
|
+
packageName: "@lucern/control-plane",
|
|
6011
|
+
role: "component_runtime",
|
|
6012
|
+
directTenantImport: false
|
|
6013
|
+
},
|
|
6014
|
+
{
|
|
6015
|
+
packageName: "@lucern/developer-kit",
|
|
6016
|
+
role: "developer_tool",
|
|
6017
|
+
directTenantImport: false
|
|
6018
|
+
},
|
|
6019
|
+
{
|
|
6020
|
+
packageName: "@lucern/events",
|
|
6021
|
+
role: "sdk_dependency",
|
|
6022
|
+
directTenantImport: false
|
|
6023
|
+
},
|
|
6024
|
+
{
|
|
6025
|
+
packageName: "@lucern/graph-primitives",
|
|
6026
|
+
role: "sdk_dependency",
|
|
6027
|
+
directTenantImport: false
|
|
6028
|
+
},
|
|
6029
|
+
{
|
|
6030
|
+
packageName: "@lucern/graph-sync",
|
|
6031
|
+
role: "host_addon_runtime",
|
|
6032
|
+
directTenantImport: true
|
|
6033
|
+
},
|
|
6034
|
+
{
|
|
6035
|
+
packageName: "@lucern/mcp",
|
|
6036
|
+
role: "runtime_entrypoint",
|
|
6037
|
+
directTenantImport: true
|
|
6038
|
+
},
|
|
6039
|
+
{
|
|
6040
|
+
packageName: "@lucern/pack-host",
|
|
6041
|
+
role: "platform_runtime",
|
|
6042
|
+
directTenantImport: false
|
|
6043
|
+
},
|
|
6044
|
+
{
|
|
6045
|
+
packageName: "@lucern/pack-installer",
|
|
6046
|
+
role: "developer_tool",
|
|
6047
|
+
directTenantImport: false
|
|
6048
|
+
},
|
|
6049
|
+
{
|
|
6050
|
+
packageName: "@lucern/proof-compiler",
|
|
6051
|
+
role: "developer_tool",
|
|
6052
|
+
directTenantImport: false
|
|
6053
|
+
},
|
|
6054
|
+
{
|
|
6055
|
+
packageName: "@lucern/react",
|
|
6056
|
+
role: "runtime_entrypoint",
|
|
6057
|
+
directTenantImport: true
|
|
6058
|
+
},
|
|
6059
|
+
{
|
|
6060
|
+
packageName: "@lucern/reasoning-kernel",
|
|
6061
|
+
role: "component_runtime",
|
|
6062
|
+
directTenantImport: false
|
|
6063
|
+
},
|
|
6064
|
+
{
|
|
6065
|
+
packageName: "@lucern/sdk",
|
|
6066
|
+
role: "runtime_entrypoint",
|
|
6067
|
+
directTenantImport: true
|
|
6068
|
+
},
|
|
6069
|
+
{
|
|
6070
|
+
packageName: "@lucern/secrets",
|
|
6071
|
+
role: "sdk_dependency",
|
|
6072
|
+
directTenantImport: false
|
|
6073
|
+
},
|
|
6074
|
+
{
|
|
6075
|
+
packageName: "@lucern/server-core",
|
|
6076
|
+
role: "platform_runtime",
|
|
6077
|
+
directTenantImport: false
|
|
6078
|
+
},
|
|
6079
|
+
{
|
|
6080
|
+
packageName: "@lucern/testing",
|
|
6081
|
+
role: "test_support",
|
|
6082
|
+
directTenantImport: false
|
|
6083
|
+
},
|
|
6084
|
+
{
|
|
6085
|
+
packageName: "@lucern/types",
|
|
6086
|
+
role: "contract_entrypoint",
|
|
6087
|
+
directTenantImport: true
|
|
6088
|
+
}
|
|
6089
|
+
];
|
|
6090
|
+
TENANT_CLIENT_INSTALLABLE_PACKAGES.map(
|
|
6091
|
+
(entry) => entry.packageName
|
|
6092
|
+
);
|
|
6093
|
+
|
|
6094
|
+
// ../contracts/src/infisical-runtime.contract.ts
|
|
6095
|
+
var INFISICAL_TENANT_SOFTWARE_SYSTEMS = [
|
|
6096
|
+
{
|
|
6097
|
+
id: "stack-frontend",
|
|
6098
|
+
tenantKey: "stack",
|
|
6099
|
+
workspaceKey: "frontend",
|
|
6100
|
+
vercelProjectName: "ai-chatbot-diao",
|
|
6101
|
+
vercelTeamId: "team_mZBKwvXSSu7qxrWdg2go29sK",
|
|
6102
|
+
vercelProjectId: "prj_PihFw8kohSSw14nZs9YQV3xVo517",
|
|
6103
|
+
repository: {
|
|
6104
|
+
owner: "stack-vc",
|
|
6105
|
+
name: "front-end"
|
|
6106
|
+
},
|
|
6107
|
+
sharedSourcePath: "/tenants/stack",
|
|
6108
|
+
sharedVariablePolicy: "tenant_shared_all_systems",
|
|
6109
|
+
convex: {
|
|
6110
|
+
urlEnv: "CONVEX_FRONTEND_URL",
|
|
6111
|
+
deployKeyEnv: "CONVEX_FRONTEND_DEPLOY_KEY",
|
|
6112
|
+
preprodDeployment: "rugged-lobster-664",
|
|
6113
|
+
prodDeployment: "wonderful-toucan-0"
|
|
6114
|
+
}
|
|
6115
|
+
},
|
|
6116
|
+
{
|
|
6117
|
+
id: "stackos",
|
|
6118
|
+
tenantKey: "stack",
|
|
6119
|
+
workspaceKey: "stackos",
|
|
6120
|
+
vercelProjectName: "stackos",
|
|
6121
|
+
vercelTeamId: "team_mZBKwvXSSu7qxrWdg2go29sK",
|
|
6122
|
+
vercelProjectId: "prj_rXLAL0Z6v9p1fasKbomby6GI7kau",
|
|
6123
|
+
repository: {
|
|
6124
|
+
owner: "stack-vc",
|
|
6125
|
+
name: "stackos"
|
|
6126
|
+
},
|
|
6127
|
+
sharedSourcePath: "/tenants/stack",
|
|
6128
|
+
sharedVariablePolicy: "tenant_shared_all_systems",
|
|
6129
|
+
convex: {
|
|
6130
|
+
urlEnv: "CONVEX_STACKOS_URL",
|
|
6131
|
+
deployKeyEnv: "CONVEX_STACKOS_DEPLOY_KEY",
|
|
6132
|
+
preprodDeployment: "giant-mandrill-761",
|
|
6133
|
+
prodDeployment: "good-snake-515"
|
|
6134
|
+
}
|
|
6135
|
+
},
|
|
6136
|
+
{
|
|
6137
|
+
id: "stack-eng",
|
|
6138
|
+
tenantKey: "stack",
|
|
6139
|
+
workspaceKey: "engineering",
|
|
6140
|
+
vercelProjectName: "stackos-engineering-graph",
|
|
6141
|
+
vercelTeamId: "team_mZBKwvXSSu7qxrWdg2go29sK",
|
|
6142
|
+
vercelProjectId: "prj_zAU0Zn9GkbHjHI63dxW4vLpmoqTJ",
|
|
6143
|
+
repository: {
|
|
6144
|
+
owner: "stack-vc",
|
|
6145
|
+
name: "stackos-engineering-graph"
|
|
6146
|
+
},
|
|
6147
|
+
sharedSourcePath: "/tenants/stack/engineering",
|
|
6148
|
+
sharedVariablePolicy: "tenant_shared_all_systems",
|
|
6149
|
+
convex: {
|
|
6150
|
+
urlEnv: "CONVEX_STACK_ENG_URL",
|
|
6151
|
+
deployKeyEnv: "CONVEX_STACK_ENG_DEPLOY_KEY",
|
|
6152
|
+
preprodDeployment: "small-oyster-270",
|
|
6153
|
+
prodDeployment: "bold-cuttlefish-804"
|
|
6154
|
+
}
|
|
6155
|
+
},
|
|
6156
|
+
{
|
|
6157
|
+
id: "lucern-graph",
|
|
6158
|
+
tenantKey: "lucern",
|
|
6159
|
+
workspaceKey: "lucern",
|
|
6160
|
+
vercelProjectName: "lucern-graph",
|
|
6161
|
+
vercelTeamId: "team_vTHxxs8GAoAFUe6RWMlYt7fY",
|
|
6162
|
+
vercelProjectId: "prj_KJ8EKV8vGM5xURpqmwTwmECEGPgQ",
|
|
6163
|
+
repository: {
|
|
6164
|
+
owner: "LucernAI",
|
|
6165
|
+
name: "lucern-graph"
|
|
6166
|
+
},
|
|
6167
|
+
sharedSourcePath: "/tenants/lucern/shared",
|
|
6168
|
+
sharedVariablePolicy: "tenant_shared_all_systems",
|
|
6169
|
+
convex: {
|
|
6170
|
+
urlEnv: "CONVEX_LUCERN_URL",
|
|
6171
|
+
deployKeyEnv: "CONVEX_LUCERN_DEPLOY_KEY",
|
|
6172
|
+
preprodDeployment: "good-blackbird-774",
|
|
6173
|
+
prodDeployment: "precious-dog-365"
|
|
6174
|
+
}
|
|
6175
|
+
}
|
|
6176
|
+
];
|
|
6177
|
+
var TENANT_SHARED_SECRET_DEFINITION_TEMPLATES = [
|
|
6178
|
+
{
|
|
6179
|
+
idSuffix: "clerk.publishable",
|
|
6180
|
+
canonicalName: "NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY",
|
|
6181
|
+
aliases: ["CLERK_PUBLISHABLE_KEY"],
|
|
6182
|
+
required: true,
|
|
6183
|
+
secret: false,
|
|
6184
|
+
public: true,
|
|
6185
|
+
description: "Tenant-owned Clerk browser key. For Stack this is the master clerk.stack.vc project shared by front-end, StackOS, and the engineering workspace."
|
|
6186
|
+
},
|
|
6187
|
+
{
|
|
6188
|
+
idSuffix: "clerk.secret",
|
|
6189
|
+
canonicalName: "CLERK_SECRET_KEY",
|
|
6190
|
+
required: true,
|
|
6191
|
+
secret: true,
|
|
6192
|
+
public: false,
|
|
6193
|
+
description: "Tenant-owned Clerk backend secret used only by that tenant's server runtimes."
|
|
6194
|
+
},
|
|
6195
|
+
{
|
|
6196
|
+
idSuffix: "clerk.project",
|
|
6197
|
+
canonicalName: "CLERK_PROJECT_ID",
|
|
6198
|
+
required: true,
|
|
6199
|
+
secret: false,
|
|
6200
|
+
public: false,
|
|
6201
|
+
description: "Tenant-owned Clerk project id used to resolve canonical Clerk aliases."
|
|
6202
|
+
},
|
|
6203
|
+
{
|
|
6204
|
+
idSuffix: "clerk.jwks",
|
|
6205
|
+
canonicalName: "CLERK_JWT_ISSUER_DOMAIN",
|
|
6206
|
+
aliases: ["CLERK_ISSUER_URL", "CLERK_JWKS_URL"],
|
|
6207
|
+
required: false,
|
|
6208
|
+
secret: false,
|
|
6209
|
+
public: false,
|
|
6210
|
+
description: "Tenant Clerk issuer/JWKS URL consumed by Convex auth.config.ts."
|
|
6211
|
+
},
|
|
6212
|
+
{
|
|
6213
|
+
idSuffix: "clerk.jwt-key",
|
|
6214
|
+
canonicalName: "CLERK_JWT_KEY",
|
|
6215
|
+
required: false,
|
|
6216
|
+
secret: true,
|
|
6217
|
+
public: false,
|
|
6218
|
+
description: "Tenant Clerk JWT public verification key used by bearer-token API routes."
|
|
6219
|
+
},
|
|
6220
|
+
{
|
|
6221
|
+
idSuffix: "clerk.authorized-parties",
|
|
6222
|
+
canonicalName: "CLERK_AUTHORIZED_PARTIES",
|
|
6223
|
+
aliases: ["CLERK_MOBILE_AUTHORIZED_PARTIES"],
|
|
6224
|
+
required: false,
|
|
6225
|
+
secret: false,
|
|
6226
|
+
public: false,
|
|
6227
|
+
description: "Comma-separated Clerk authorized parties for browser and mobile bearer-token validation."
|
|
6228
|
+
},
|
|
6229
|
+
{
|
|
6230
|
+
idSuffix: "clerk.sign-in-url",
|
|
6231
|
+
canonicalName: "NEXT_PUBLIC_CLERK_SIGN_IN_URL",
|
|
6232
|
+
required: false,
|
|
6233
|
+
secret: false,
|
|
6234
|
+
public: true,
|
|
6235
|
+
description: "Tenant Clerk sign-in route for custom app login surfaces."
|
|
6236
|
+
},
|
|
6237
|
+
{
|
|
6238
|
+
idSuffix: "clerk.sign-up-url",
|
|
6239
|
+
canonicalName: "NEXT_PUBLIC_CLERK_SIGN_UP_URL",
|
|
6240
|
+
required: false,
|
|
6241
|
+
secret: false,
|
|
6242
|
+
public: true,
|
|
6243
|
+
description: "Tenant Clerk sign-up route for custom app login surfaces."
|
|
6244
|
+
}
|
|
6245
|
+
];
|
|
6246
|
+
INFISICAL_TENANT_SOFTWARE_SYSTEMS.flatMap(
|
|
6247
|
+
(system) => TENANT_SHARED_SECRET_DEFINITION_TEMPLATES.map(
|
|
6248
|
+
(template) => ({
|
|
6249
|
+
id: `tenant.${system.id}.${template.idSuffix}`,
|
|
6250
|
+
canonicalName: template.canonicalName,
|
|
6251
|
+
aliases: "aliases" in template ? template.aliases : void 0,
|
|
6252
|
+
owner: "tenant",
|
|
6253
|
+
scope: "tenant",
|
|
6254
|
+
sourcePath: system.sharedSourcePath,
|
|
6255
|
+
environmentPolicy: "environment_specific",
|
|
6256
|
+
required: template.required,
|
|
6257
|
+
secret: template.secret,
|
|
6258
|
+
public: template.public,
|
|
6259
|
+
consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
|
|
6260
|
+
destinations: [
|
|
6261
|
+
{
|
|
6262
|
+
kind: "vercel",
|
|
6263
|
+
target: system.vercelProjectName,
|
|
6264
|
+
environmentPolicy: "preprod_staging_prod_prod"
|
|
6265
|
+
},
|
|
6266
|
+
{
|
|
6267
|
+
kind: "convex",
|
|
6268
|
+
target: `${system.convex.preprodDeployment}|${system.convex.prodDeployment}`,
|
|
6269
|
+
environmentPolicy: "preprod_staging_prod_prod"
|
|
6270
|
+
}
|
|
6271
|
+
],
|
|
6272
|
+
description: `${system.tenantKey}/${system.workspaceKey}: ${template.description}`
|
|
6273
|
+
})
|
|
6274
|
+
)
|
|
6275
|
+
);
|
|
6276
|
+
INFISICAL_TENANT_SOFTWARE_SYSTEMS.map(
|
|
6277
|
+
(system) => ({
|
|
6278
|
+
id: `tenant.${system.id}.install-lucern-npm`,
|
|
6279
|
+
canonicalName: "INSTALL_LUCERN_NPM",
|
|
6280
|
+
owner: "provider",
|
|
6281
|
+
scope: "global",
|
|
6282
|
+
sourcePath: "/tenants/shared",
|
|
6283
|
+
environmentPolicy: "same_all_environments",
|
|
6284
|
+
required: true,
|
|
6285
|
+
secret: true,
|
|
6286
|
+
public: false,
|
|
6287
|
+
consumers: ["tenant-vercel-app", "tenant-deploy-tooling"],
|
|
6288
|
+
destinations: [
|
|
6289
|
+
{
|
|
6290
|
+
kind: "vercel",
|
|
6291
|
+
target: system.vercelProjectName,
|
|
6292
|
+
environmentPolicy: "same_all_environments"
|
|
6293
|
+
},
|
|
6294
|
+
{
|
|
6295
|
+
kind: "github_actions",
|
|
6296
|
+
target: `${system.repository.owner}/${system.repository.name}`,
|
|
6297
|
+
environmentPolicy: "same_all_environments"
|
|
6298
|
+
}
|
|
6299
|
+
],
|
|
6300
|
+
description: `${system.tenantKey}/${system.workspaceKey}: read-only npm install token for published @lucern/* packages.`
|
|
6301
|
+
})
|
|
6302
|
+
);
|
|
6303
|
+
var TENANT_PRODUCT_SOFTWARE_SYSTEM_IDS = ["stack-frontend", "stackos"];
|
|
6304
|
+
var TENANT_PRODUCT_RUNTIME_SECRET_DEFINITION_TEMPLATES = [
|
|
6305
|
+
{
|
|
6306
|
+
idSuffix: "ai.openai-api-key",
|
|
6307
|
+
canonicalName: "OPENAI_API_KEY",
|
|
6308
|
+
required: false,
|
|
6309
|
+
secret: true,
|
|
6310
|
+
public: false,
|
|
6311
|
+
consumers: ["tenant-vercel-app", "tenant-convex-deployment", "tenant-ai-runtime"],
|
|
6312
|
+
description: "Tenant-owned OpenAI key for product runtime LLM calls."
|
|
6313
|
+
},
|
|
6314
|
+
{
|
|
6315
|
+
idSuffix: "ai.anthropic-api-key",
|
|
6316
|
+
canonicalName: "ANTHROPIC_API_KEY",
|
|
6317
|
+
required: false,
|
|
6318
|
+
secret: true,
|
|
6319
|
+
public: false,
|
|
6320
|
+
consumers: ["tenant-vercel-app", "tenant-convex-deployment", "tenant-ai-runtime"],
|
|
6321
|
+
description: "Tenant-owned Anthropic key for product runtime LLM calls."
|
|
6322
|
+
},
|
|
6323
|
+
{
|
|
6324
|
+
idSuffix: "ai.gemini-api-key",
|
|
6325
|
+
canonicalName: "GEMINI_API_KEY",
|
|
6326
|
+
aliases: ["GOOGLE_AI_API_KEY", "GOOGLE_GENERATIVE_AI_API_KEY"],
|
|
6327
|
+
required: false,
|
|
6328
|
+
secret: true,
|
|
6329
|
+
public: false,
|
|
6330
|
+
consumers: ["tenant-vercel-app", "tenant-convex-deployment", "tenant-ai-runtime"],
|
|
6331
|
+
description: "Tenant-owned Google/Gemini key for product runtime LLM calls."
|
|
6332
|
+
},
|
|
6333
|
+
{
|
|
6334
|
+
idSuffix: "langfuse.secret-key",
|
|
6335
|
+
canonicalName: "LANGFUSE_SECRET_KEY",
|
|
6336
|
+
required: false,
|
|
6337
|
+
secret: true,
|
|
6338
|
+
public: false,
|
|
6339
|
+
consumers: [
|
|
6340
|
+
"tenant-vercel-app",
|
|
6341
|
+
"tenant-convex-deployment",
|
|
6342
|
+
"tenant-observability"
|
|
6343
|
+
],
|
|
6344
|
+
description: "Tenant-owned Langfuse secret key for product AI tracing."
|
|
6345
|
+
},
|
|
6346
|
+
{
|
|
6347
|
+
idSuffix: "langfuse.public-key",
|
|
6348
|
+
canonicalName: "LANGFUSE_PUBLIC_KEY",
|
|
6349
|
+
required: false,
|
|
6350
|
+
secret: false,
|
|
6351
|
+
public: false,
|
|
6352
|
+
consumers: [
|
|
6353
|
+
"tenant-vercel-app",
|
|
6354
|
+
"tenant-convex-deployment",
|
|
6355
|
+
"tenant-observability"
|
|
6356
|
+
],
|
|
6357
|
+
description: "Tenant-owned Langfuse public key for product AI tracing."
|
|
6358
|
+
},
|
|
6359
|
+
{
|
|
6360
|
+
idSuffix: "langfuse.base-url",
|
|
6361
|
+
canonicalName: "LANGFUSE_BASE_URL",
|
|
6362
|
+
aliases: ["LANGFUSE_BASEURL", "LANGFUSE_HOST"],
|
|
6363
|
+
required: false,
|
|
6364
|
+
secret: false,
|
|
6365
|
+
public: false,
|
|
6366
|
+
consumers: [
|
|
6367
|
+
"tenant-vercel-app",
|
|
6368
|
+
"tenant-convex-deployment",
|
|
6369
|
+
"tenant-observability"
|
|
6370
|
+
],
|
|
6371
|
+
description: "Tenant-owned Langfuse API origin."
|
|
6372
|
+
},
|
|
6373
|
+
{
|
|
6374
|
+
idSuffix: "graph.neo4j-uri",
|
|
6375
|
+
canonicalName: "NEO4J_URI",
|
|
6376
|
+
required: false,
|
|
6377
|
+
secret: false,
|
|
6378
|
+
public: false,
|
|
6379
|
+
consumers: [
|
|
6380
|
+
"tenant-vercel-app",
|
|
6381
|
+
"tenant-convex-deployment",
|
|
6382
|
+
"tenant-graph-sync"
|
|
6383
|
+
],
|
|
6384
|
+
description: "Tenant-owned Neo4j URI for product graph-sync."
|
|
6385
|
+
},
|
|
6386
|
+
{
|
|
6387
|
+
idSuffix: "graph.neo4j-user",
|
|
6388
|
+
canonicalName: "NEO4J_USER",
|
|
6389
|
+
aliases: ["NEO4J_USERNAME"],
|
|
6390
|
+
required: false,
|
|
6391
|
+
secret: false,
|
|
6392
|
+
public: false,
|
|
6393
|
+
consumers: [
|
|
6394
|
+
"tenant-vercel-app",
|
|
6395
|
+
"tenant-convex-deployment",
|
|
6396
|
+
"tenant-graph-sync"
|
|
6397
|
+
],
|
|
6398
|
+
description: "Tenant-owned Neo4j user for product graph-sync."
|
|
6399
|
+
},
|
|
6400
|
+
{
|
|
6401
|
+
idSuffix: "graph.neo4j-password",
|
|
6402
|
+
canonicalName: "NEO4J_PASSWORD",
|
|
6403
|
+
required: false,
|
|
6404
|
+
secret: true,
|
|
6405
|
+
public: false,
|
|
6406
|
+
consumers: [
|
|
6407
|
+
"tenant-vercel-app",
|
|
6408
|
+
"tenant-convex-deployment",
|
|
6409
|
+
"tenant-graph-sync"
|
|
6410
|
+
],
|
|
6411
|
+
description: "Tenant-owned Neo4j password for product graph-sync."
|
|
6412
|
+
},
|
|
6413
|
+
{
|
|
6414
|
+
idSuffix: "graph.neo4j-sync-secret",
|
|
6415
|
+
canonicalName: "NEO4J_SYNC_SECRET",
|
|
6416
|
+
required: false,
|
|
6417
|
+
secret: true,
|
|
6418
|
+
public: false,
|
|
6419
|
+
consumers: [
|
|
6420
|
+
"tenant-vercel-app",
|
|
6421
|
+
"tenant-convex-deployment",
|
|
6422
|
+
"tenant-graph-sync"
|
|
6423
|
+
],
|
|
6424
|
+
description: "Tenant-owned shared secret for product Convex-to-HTTP graph-sync calls."
|
|
5039
6425
|
},
|
|
5040
6426
|
{
|
|
5041
|
-
|
|
5042
|
-
|
|
5043
|
-
|
|
6427
|
+
idSuffix: "graph.neo4j-database",
|
|
6428
|
+
canonicalName: "NEO4J_DATABASE",
|
|
6429
|
+
required: false,
|
|
6430
|
+
secret: false,
|
|
6431
|
+
public: false,
|
|
6432
|
+
consumers: [
|
|
6433
|
+
"tenant-vercel-app",
|
|
6434
|
+
"tenant-convex-deployment",
|
|
6435
|
+
"tenant-graph-sync"
|
|
6436
|
+
],
|
|
6437
|
+
description: "Tenant-owned Neo4j database name for product graph-sync."
|
|
5044
6438
|
},
|
|
5045
6439
|
{
|
|
5046
|
-
|
|
5047
|
-
|
|
5048
|
-
|
|
6440
|
+
idSuffix: "vector.pinecone-api-key",
|
|
6441
|
+
canonicalName: "PINECONE_API_KEY",
|
|
6442
|
+
required: false,
|
|
6443
|
+
secret: true,
|
|
6444
|
+
public: false,
|
|
6445
|
+
consumers: [
|
|
6446
|
+
"tenant-vercel-app",
|
|
6447
|
+
"tenant-convex-deployment",
|
|
6448
|
+
"tenant-vector-store"
|
|
6449
|
+
],
|
|
6450
|
+
description: "Tenant-owned Pinecone API key for product vector search."
|
|
5049
6451
|
},
|
|
5050
6452
|
{
|
|
5051
|
-
|
|
5052
|
-
|
|
5053
|
-
|
|
6453
|
+
idSuffix: "vector.pinecone-index-name",
|
|
6454
|
+
canonicalName: "PINECONE_INDEX_NAME",
|
|
6455
|
+
aliases: ["PINECONE_INDEX"],
|
|
6456
|
+
required: false,
|
|
6457
|
+
secret: false,
|
|
6458
|
+
public: false,
|
|
6459
|
+
consumers: [
|
|
6460
|
+
"tenant-vercel-app",
|
|
6461
|
+
"tenant-convex-deployment",
|
|
6462
|
+
"tenant-vector-store"
|
|
6463
|
+
],
|
|
6464
|
+
description: "Tenant-owned Pinecone index name for product vector search."
|
|
5054
6465
|
},
|
|
5055
6466
|
{
|
|
5056
|
-
|
|
5057
|
-
|
|
5058
|
-
|
|
6467
|
+
idSuffix: "vector.pinecone-host",
|
|
6468
|
+
canonicalName: "PINECONE_HOST",
|
|
6469
|
+
aliases: ["PINECONE_INDEX_HOST"],
|
|
6470
|
+
required: false,
|
|
6471
|
+
secret: false,
|
|
6472
|
+
public: false,
|
|
6473
|
+
consumers: [
|
|
6474
|
+
"tenant-vercel-app",
|
|
6475
|
+
"tenant-convex-deployment",
|
|
6476
|
+
"tenant-vector-store"
|
|
6477
|
+
],
|
|
6478
|
+
description: "Tenant-owned Pinecone host for product vector search."
|
|
5059
6479
|
},
|
|
5060
6480
|
{
|
|
5061
|
-
|
|
5062
|
-
|
|
5063
|
-
|
|
6481
|
+
idSuffix: "vector.pinecone-namespace",
|
|
6482
|
+
canonicalName: "PINECONE_NAMESPACE",
|
|
6483
|
+
required: false,
|
|
6484
|
+
secret: false,
|
|
6485
|
+
public: false,
|
|
6486
|
+
consumers: [
|
|
6487
|
+
"tenant-vercel-app",
|
|
6488
|
+
"tenant-convex-deployment",
|
|
6489
|
+
"tenant-vector-store"
|
|
6490
|
+
],
|
|
6491
|
+
description: "Tenant-owned Pinecone namespace for product vector search isolation."
|
|
5064
6492
|
},
|
|
5065
6493
|
{
|
|
5066
|
-
|
|
5067
|
-
|
|
5068
|
-
|
|
6494
|
+
idSuffix: "storage.aws-access-key-id",
|
|
6495
|
+
canonicalName: "AWS_ACCESS_KEY_ID",
|
|
6496
|
+
required: false,
|
|
6497
|
+
secret: true,
|
|
6498
|
+
public: false,
|
|
6499
|
+
consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
|
|
6500
|
+
description: "Tenant-owned AWS access key id for document/file ingestion."
|
|
5069
6501
|
},
|
|
5070
6502
|
{
|
|
5071
|
-
|
|
5072
|
-
|
|
5073
|
-
|
|
6503
|
+
idSuffix: "storage.aws-secret-access-key",
|
|
6504
|
+
canonicalName: "AWS_SECRET_ACCESS_KEY",
|
|
6505
|
+
required: false,
|
|
6506
|
+
secret: true,
|
|
6507
|
+
public: false,
|
|
6508
|
+
consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
|
|
6509
|
+
description: "Tenant-owned AWS secret access key for document/file ingestion."
|
|
5074
6510
|
},
|
|
5075
6511
|
{
|
|
5076
|
-
|
|
5077
|
-
|
|
5078
|
-
|
|
6512
|
+
idSuffix: "storage.aws-region",
|
|
6513
|
+
canonicalName: "AWS_REGION",
|
|
6514
|
+
required: false,
|
|
6515
|
+
secret: false,
|
|
6516
|
+
public: false,
|
|
6517
|
+
consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
|
|
6518
|
+
description: "Tenant-owned AWS region for document/file ingestion."
|
|
5079
6519
|
},
|
|
5080
6520
|
{
|
|
5081
|
-
|
|
5082
|
-
|
|
5083
|
-
|
|
6521
|
+
idSuffix: "observability.sentry-dsn",
|
|
6522
|
+
canonicalName: "NEXT_PUBLIC_SENTRY_DSN",
|
|
6523
|
+
aliases: ["NEXT_PUBLIC_SENTRY_DSN_NEXTJS", "SENTRY_DSN"],
|
|
6524
|
+
required: false,
|
|
6525
|
+
secret: false,
|
|
6526
|
+
public: true,
|
|
6527
|
+
consumers: ["tenant-vercel-app", "tenant-observability"],
|
|
6528
|
+
description: "Tenant-owned Sentry DSN for app telemetry."
|
|
5084
6529
|
},
|
|
5085
6530
|
{
|
|
5086
|
-
|
|
5087
|
-
|
|
5088
|
-
|
|
6531
|
+
idSuffix: "observability.sentry-auth-token",
|
|
6532
|
+
canonicalName: "SENTRY_AUTH_TOKEN",
|
|
6533
|
+
required: false,
|
|
6534
|
+
secret: true,
|
|
6535
|
+
public: false,
|
|
6536
|
+
consumers: ["tenant-deploy-tooling", "tenant-observability"],
|
|
6537
|
+
description: "Tenant-owned Sentry release token for app deployments."
|
|
5089
6538
|
},
|
|
5090
6539
|
{
|
|
5091
|
-
|
|
5092
|
-
|
|
5093
|
-
|
|
6540
|
+
idSuffix: "observability.sentry-org",
|
|
6541
|
+
canonicalName: "SENTRY_ORG",
|
|
6542
|
+
aliases: ["SENTRY_ORG_SLUG"],
|
|
6543
|
+
required: false,
|
|
6544
|
+
secret: false,
|
|
6545
|
+
public: false,
|
|
6546
|
+
consumers: ["tenant-deploy-tooling", "tenant-observability"],
|
|
6547
|
+
description: "Tenant-owned Sentry org slug for release uploads."
|
|
5094
6548
|
},
|
|
5095
6549
|
{
|
|
5096
|
-
|
|
5097
|
-
|
|
5098
|
-
|
|
6550
|
+
idSuffix: "observability.sentry-project",
|
|
6551
|
+
canonicalName: "SENTRY_PROJECT",
|
|
6552
|
+
aliases: ["SENTRY_PROJECT_NEXTJS"],
|
|
6553
|
+
required: false,
|
|
6554
|
+
secret: false,
|
|
6555
|
+
public: false,
|
|
6556
|
+
consumers: ["tenant-deploy-tooling", "tenant-observability"],
|
|
6557
|
+
description: "Tenant-owned Sentry project slug for release uploads."
|
|
5099
6558
|
},
|
|
5100
6559
|
{
|
|
5101
|
-
|
|
5102
|
-
|
|
5103
|
-
|
|
6560
|
+
idSuffix: "observability.sentry-environment",
|
|
6561
|
+
canonicalName: "NEXT_PUBLIC_SENTRY_ENVIRONMENT",
|
|
6562
|
+
aliases: ["SENTRY_ENVIRONMENT"],
|
|
6563
|
+
required: false,
|
|
6564
|
+
secret: false,
|
|
6565
|
+
public: true,
|
|
6566
|
+
consumers: ["tenant-vercel-app", "tenant-observability"],
|
|
6567
|
+
description: "Tenant-owned Sentry environment label."
|
|
5104
6568
|
},
|
|
5105
6569
|
{
|
|
5106
|
-
|
|
5107
|
-
|
|
5108
|
-
|
|
6570
|
+
idSuffix: "observability.sentry-release",
|
|
6571
|
+
canonicalName: "NEXT_PUBLIC_SENTRY_RELEASE",
|
|
6572
|
+
aliases: ["SENTRY_RELEASE"],
|
|
6573
|
+
required: false,
|
|
6574
|
+
secret: false,
|
|
6575
|
+
public: true,
|
|
6576
|
+
consumers: ["tenant-vercel-app", "tenant-observability"],
|
|
6577
|
+
description: "Tenant-owned Sentry release label."
|
|
5109
6578
|
},
|
|
5110
6579
|
{
|
|
5111
|
-
|
|
5112
|
-
|
|
5113
|
-
|
|
6580
|
+
idSuffix: "observability.sentry-client-options",
|
|
6581
|
+
canonicalName: "NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE",
|
|
6582
|
+
aliases: [
|
|
6583
|
+
"NEXT_PUBLIC_SENTRY_CAPTURE_CONSOLE_LEVELS",
|
|
6584
|
+
"NEXT_PUBLIC_SENTRY_CAPTURE_CONSOLE_LEVELS_NEXTJS",
|
|
6585
|
+
"NEXT_PUBLIC_SENTRY_CONSOLE_BREADCRUMB_LEVELS",
|
|
6586
|
+
"NEXT_PUBLIC_SENTRY_CONSOLE_BREADCRUMB_LEVELS_NEXTJS",
|
|
6587
|
+
"NEXT_PUBLIC_SENTRY_CONSOLE_LOG_LEVELS",
|
|
6588
|
+
"NEXT_PUBLIC_SENTRY_CONSOLE_LOG_LEVELS_NEXTJS",
|
|
6589
|
+
"NEXT_PUBLIC_SENTRY_ENABLE_LOGS",
|
|
6590
|
+
"NEXT_PUBLIC_SENTRY_REPLAYS_ON_ERROR_SAMPLE_RATE",
|
|
6591
|
+
"NEXT_PUBLIC_SENTRY_REPLAYS_SESSION_SAMPLE_RATE",
|
|
6592
|
+
"NEXT_PUBLIC_SENTRY_SEND_DEFAULT_PII",
|
|
6593
|
+
"NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE_NEXTJS"
|
|
6594
|
+
],
|
|
6595
|
+
required: false,
|
|
6596
|
+
secret: false,
|
|
6597
|
+
public: true,
|
|
6598
|
+
consumers: ["tenant-vercel-app", "tenant-observability"],
|
|
6599
|
+
description: "Tenant-owned public Sentry tuning values for Next.js client instrumentation."
|
|
5114
6600
|
},
|
|
5115
6601
|
{
|
|
5116
|
-
|
|
5117
|
-
|
|
5118
|
-
|
|
6602
|
+
idSuffix: "observability.sentry-webhook-secret",
|
|
6603
|
+
canonicalName: "SENTRY_WEBHOOK_SECRET",
|
|
6604
|
+
required: false,
|
|
6605
|
+
secret: true,
|
|
6606
|
+
public: false,
|
|
6607
|
+
consumers: ["tenant-convex-deployment", "tenant-observability"],
|
|
6608
|
+
description: "Tenant-owned Sentry webhook verification secret."
|
|
5119
6609
|
},
|
|
5120
6610
|
{
|
|
5121
|
-
|
|
5122
|
-
|
|
5123
|
-
|
|
6611
|
+
idSuffix: "lucern.gateway-api-key",
|
|
6612
|
+
canonicalName: "LUCERN_API_KEY",
|
|
6613
|
+
aliases: ["STACK_API_KEY"],
|
|
6614
|
+
required: false,
|
|
6615
|
+
secret: true,
|
|
6616
|
+
public: false,
|
|
6617
|
+
consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
|
|
6618
|
+
description: "Tenant-scoped Lucern/MC gateway API key for product front-door calls."
|
|
5124
6619
|
},
|
|
5125
6620
|
{
|
|
5126
|
-
|
|
5127
|
-
|
|
5128
|
-
|
|
6621
|
+
idSuffix: "lucern.gateway-base-url",
|
|
6622
|
+
canonicalName: "LUCERN_BASE_URL",
|
|
6623
|
+
aliases: ["LUCERN_API_BASE_URL", "LUCERN_GATEWAY_BASE_URL"],
|
|
6624
|
+
required: false,
|
|
6625
|
+
secret: false,
|
|
6626
|
+
public: false,
|
|
6627
|
+
consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
|
|
6628
|
+
description: "Lucern/MC gateway base URL used by tenant product apps."
|
|
5129
6629
|
},
|
|
5130
6630
|
{
|
|
5131
|
-
|
|
5132
|
-
|
|
5133
|
-
|
|
6631
|
+
idSuffix: "lucern.proxy-token-secret",
|
|
6632
|
+
canonicalName: "LUCERN_PROXY_TOKEN_SECRET",
|
|
6633
|
+
required: false,
|
|
6634
|
+
secret: true,
|
|
6635
|
+
public: false,
|
|
6636
|
+
consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
|
|
6637
|
+
description: "Tenant-owned secret for signing internal proxy/session tokens in product apps."
|
|
5134
6638
|
},
|
|
5135
6639
|
{
|
|
5136
|
-
|
|
5137
|
-
|
|
5138
|
-
|
|
6640
|
+
idSuffix: "tenant.integrations.linear-api-key",
|
|
6641
|
+
canonicalName: "LINEAR_API_KEY",
|
|
6642
|
+
required: false,
|
|
6643
|
+
secret: true,
|
|
6644
|
+
public: false,
|
|
6645
|
+
consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
|
|
6646
|
+
description: "Tenant-owned Linear API key for support/slash-command flows."
|
|
5139
6647
|
},
|
|
5140
6648
|
{
|
|
5141
|
-
|
|
5142
|
-
|
|
5143
|
-
|
|
6649
|
+
idSuffix: "tenant.vercel.bypass-token",
|
|
6650
|
+
canonicalName: "VERCEL_AUTOMATION_BYPASS_SECRET",
|
|
6651
|
+
aliases: ["NEXT_PUBLIC_VERCEL_BYPASS_TOKEN"],
|
|
6652
|
+
required: false,
|
|
6653
|
+
secret: true,
|
|
6654
|
+
public: false,
|
|
6655
|
+
consumers: ["tenant-vercel-app", "tenant-deploy-tooling"],
|
|
6656
|
+
description: "Tenant-owned Vercel automation bypass token. Public alias is legacy and should be removed from app code."
|
|
5144
6657
|
}
|
|
5145
6658
|
];
|
|
5146
|
-
|
|
5147
|
-
(
|
|
6659
|
+
INFISICAL_TENANT_SOFTWARE_SYSTEMS.filter(
|
|
6660
|
+
(system) => TENANT_PRODUCT_SOFTWARE_SYSTEM_IDS.includes(system.id)
|
|
6661
|
+
).flatMap(
|
|
6662
|
+
(system) => TENANT_PRODUCT_RUNTIME_SECRET_DEFINITION_TEMPLATES.map(
|
|
6663
|
+
(template) => ({
|
|
6664
|
+
id: `tenant.${system.id}.${template.idSuffix}`,
|
|
6665
|
+
canonicalName: template.canonicalName,
|
|
6666
|
+
aliases: "aliases" in template ? template.aliases : void 0,
|
|
6667
|
+
owner: "tenant",
|
|
6668
|
+
scope: "tenant",
|
|
6669
|
+
sourcePath: system.sharedSourcePath,
|
|
6670
|
+
environmentPolicy: "environment_specific",
|
|
6671
|
+
required: template.required,
|
|
6672
|
+
secret: template.secret,
|
|
6673
|
+
public: template.public,
|
|
6674
|
+
consumers: template.consumers,
|
|
6675
|
+
destinations: [
|
|
6676
|
+
{
|
|
6677
|
+
kind: "vercel",
|
|
6678
|
+
target: system.vercelProjectName,
|
|
6679
|
+
environmentPolicy: "preprod_staging_prod_prod"
|
|
6680
|
+
},
|
|
6681
|
+
{
|
|
6682
|
+
kind: "convex",
|
|
6683
|
+
target: `${system.convex.preprodDeployment}|${system.convex.prodDeployment}`,
|
|
6684
|
+
environmentPolicy: "preprod_staging_prod_prod"
|
|
6685
|
+
},
|
|
6686
|
+
{
|
|
6687
|
+
kind: "github_actions",
|
|
6688
|
+
target: `${system.repository.owner}/${system.repository.name}`,
|
|
6689
|
+
environmentPolicy: "preprod_staging_prod_prod"
|
|
6690
|
+
}
|
|
6691
|
+
],
|
|
6692
|
+
description: `${system.tenantKey}/${system.workspaceKey}: ${template.description}`
|
|
6693
|
+
})
|
|
6694
|
+
)
|
|
6695
|
+
);
|
|
6696
|
+
function tenantVercelConvexUrlWriteNames(system) {
|
|
6697
|
+
const names = [system.convex.urlEnv, "NEXT_PUBLIC_CONVEX_URL"];
|
|
6698
|
+
if (system.id === "stack-eng") {
|
|
6699
|
+
return [...names, "STACKOS_ENGINEERING_GRAPH_CONVEX_URL"];
|
|
6700
|
+
}
|
|
6701
|
+
return names;
|
|
6702
|
+
}
|
|
6703
|
+
function tenantRepositoryConvexUrlWriteNames(system) {
|
|
6704
|
+
if (system.id === "stack-eng") {
|
|
6705
|
+
return [system.convex.urlEnv, "STACKOS_ENGINEERING_GRAPH_CONVEX_URL"];
|
|
6706
|
+
}
|
|
6707
|
+
return [system.convex.urlEnv];
|
|
6708
|
+
}
|
|
6709
|
+
function tenantRepositoryConvexDeployKeyWriteNames(system) {
|
|
6710
|
+
if (system.id === "stack-eng") {
|
|
6711
|
+
return [system.convex.deployKeyEnv, "STACKOS_ENGINEERING_GRAPH_DEPLOY_KEY"];
|
|
6712
|
+
}
|
|
6713
|
+
return [system.convex.deployKeyEnv];
|
|
6714
|
+
}
|
|
6715
|
+
function tenantConvexUrlAliases(system) {
|
|
6716
|
+
if (system.id === "stack-frontend") {
|
|
6717
|
+
return [
|
|
6718
|
+
"CONVEX_PROD_URL",
|
|
6719
|
+
"CONVEX_STACK_V2_PROD_URL",
|
|
6720
|
+
"CONVEX_STACK_V2_STAGING_URL",
|
|
6721
|
+
"STACK_CONVEX_URL"
|
|
6722
|
+
];
|
|
6723
|
+
}
|
|
6724
|
+
if (system.id === "stackos") {
|
|
6725
|
+
return [
|
|
6726
|
+
"CONVEX_CLOUD_URL",
|
|
6727
|
+
"CONVEX_STACK_URL",
|
|
6728
|
+
"CONVEX_URL",
|
|
6729
|
+
"CONVEX_URL_DEVELOPMENT",
|
|
6730
|
+
"CONVEX_URL_PRODUCTION",
|
|
6731
|
+
"STACK_CONVEX_URL"
|
|
6732
|
+
];
|
|
6733
|
+
}
|
|
6734
|
+
if (system.id === "stack-eng") {
|
|
6735
|
+
return ["STACKOS_ENGINEERING_GRAPH_CONVEX_URL"];
|
|
6736
|
+
}
|
|
6737
|
+
if (system.id === "lucern-graph") {
|
|
6738
|
+
return [
|
|
6739
|
+
"CONVEX_GRAPH_URL",
|
|
6740
|
+
"LUCERN_PROD_URL",
|
|
6741
|
+
"NEXT_PUBLIC_LUCERN_GRAPH_URL"
|
|
6742
|
+
];
|
|
6743
|
+
}
|
|
6744
|
+
return void 0;
|
|
6745
|
+
}
|
|
6746
|
+
function tenantConvexDeployKeyAliases(system) {
|
|
6747
|
+
if (system.id === "stack-frontend") {
|
|
6748
|
+
return [
|
|
6749
|
+
"CONVEX_STACK_V2_PROD_DEPLOY_KEY",
|
|
6750
|
+
"CONVEX_STACK_V2_STAGING_DEPLOY_KEY",
|
|
6751
|
+
"STACK_DEPLOY_KEY"
|
|
6752
|
+
];
|
|
6753
|
+
}
|
|
6754
|
+
if (system.id === "stackos") {
|
|
6755
|
+
return [
|
|
6756
|
+
"CONVEX_DEPLOY_KEY",
|
|
6757
|
+
"CONVEX_DEV_DEPLOY_KEY",
|
|
6758
|
+
"CONVEX_PROD_DEPLOY_KEY",
|
|
6759
|
+
"CONVEX_STACK_DEPLOY_KEY",
|
|
6760
|
+
"STACK_DEPLOY_KEY"
|
|
6761
|
+
];
|
|
6762
|
+
}
|
|
6763
|
+
if (system.id === "stack-eng") {
|
|
6764
|
+
return ["CONVEX_DEPLOY_KEY", "STACKOS_ENGINEERING_GRAPH_DEPLOY_KEY"];
|
|
6765
|
+
}
|
|
6766
|
+
if (system.id === "lucern-graph") {
|
|
6767
|
+
return [
|
|
6768
|
+
"CONVEX_DEPLOY_KEY",
|
|
6769
|
+
"CONVEX_GRAPH_DEPLOY_KEY",
|
|
6770
|
+
"LUCERN_CONVEX_DEPLOY_KEY",
|
|
6771
|
+
"LUCERN_DEV_DEPLOY_KEY",
|
|
6772
|
+
"LUCERN_PROD_DEPLOY_KEY"
|
|
6773
|
+
];
|
|
6774
|
+
}
|
|
6775
|
+
return void 0;
|
|
6776
|
+
}
|
|
6777
|
+
INFISICAL_TENANT_SOFTWARE_SYSTEMS.flatMap(
|
|
6778
|
+
(system) => {
|
|
6779
|
+
if (system.id === "lucern-graph") {
|
|
6780
|
+
return [
|
|
6781
|
+
{
|
|
6782
|
+
id: "tenant.lucern-graph.public.tenant-id",
|
|
6783
|
+
canonicalName: "NEXT_PUBLIC_LUCERN_GRAPH_TENANT_ID",
|
|
6784
|
+
aliases: ["NEXT_PUBLIC_LUCERN_TENANT_ID"],
|
|
6785
|
+
owner: "tenant",
|
|
6786
|
+
scope: "workspace",
|
|
6787
|
+
sourcePath: system.sharedSourcePath,
|
|
6788
|
+
environmentPolicy: "environment_specific",
|
|
6789
|
+
required: false,
|
|
6790
|
+
secret: false,
|
|
6791
|
+
public: true,
|
|
6792
|
+
consumers: ["tenant-vercel-app"],
|
|
6793
|
+
destinations: [
|
|
6794
|
+
{
|
|
6795
|
+
kind: "vercel",
|
|
6796
|
+
target: system.vercelProjectName,
|
|
6797
|
+
environmentPolicy: "preprod_staging_prod_prod"
|
|
6798
|
+
}
|
|
6799
|
+
],
|
|
6800
|
+
description: "Lucern graph public tenant id used by the standalone graph explorer."
|
|
6801
|
+
},
|
|
6802
|
+
{
|
|
6803
|
+
id: "tenant.lucern-graph.public.tenant-label",
|
|
6804
|
+
canonicalName: "NEXT_PUBLIC_LUCERN_GRAPH_TENANT_LABEL",
|
|
6805
|
+
owner: "tenant",
|
|
6806
|
+
scope: "workspace",
|
|
6807
|
+
sourcePath: system.sharedSourcePath,
|
|
6808
|
+
environmentPolicy: "environment_specific",
|
|
6809
|
+
required: false,
|
|
6810
|
+
secret: false,
|
|
6811
|
+
public: true,
|
|
6812
|
+
consumers: ["tenant-vercel-app"],
|
|
6813
|
+
destinations: [
|
|
6814
|
+
{
|
|
6815
|
+
kind: "vercel",
|
|
6816
|
+
target: system.vercelProjectName,
|
|
6817
|
+
environmentPolicy: "preprod_staging_prod_prod"
|
|
6818
|
+
}
|
|
6819
|
+
],
|
|
6820
|
+
description: "Lucern graph public tenant label used by the standalone graph explorer."
|
|
6821
|
+
}
|
|
6822
|
+
];
|
|
6823
|
+
}
|
|
6824
|
+
if (system.id === "stack-eng") {
|
|
6825
|
+
return [
|
|
6826
|
+
{
|
|
6827
|
+
id: "tenant.stack-eng.public.tenant-id",
|
|
6828
|
+
canonicalName: "NEXT_PUBLIC_STACKOS_ENGINEERING_GRAPH_TENANT_ID",
|
|
6829
|
+
owner: "tenant",
|
|
6830
|
+
scope: "workspace",
|
|
6831
|
+
sourcePath: system.sharedSourcePath,
|
|
6832
|
+
environmentPolicy: "environment_specific",
|
|
6833
|
+
required: false,
|
|
6834
|
+
secret: false,
|
|
6835
|
+
public: true,
|
|
6836
|
+
consumers: ["tenant-vercel-app"],
|
|
6837
|
+
destinations: [
|
|
6838
|
+
{
|
|
6839
|
+
kind: "vercel",
|
|
6840
|
+
target: system.vercelProjectName,
|
|
6841
|
+
environmentPolicy: "preprod_staging_prod_prod"
|
|
6842
|
+
}
|
|
6843
|
+
],
|
|
6844
|
+
description: "Stack engineering graph public tenant id used by the graph explorer."
|
|
6845
|
+
},
|
|
6846
|
+
{
|
|
6847
|
+
id: "tenant.stack-eng.public.tenant-label",
|
|
6848
|
+
canonicalName: "NEXT_PUBLIC_STACKOS_ENGINEERING_GRAPH_TENANT_LABEL",
|
|
6849
|
+
owner: "tenant",
|
|
6850
|
+
scope: "workspace",
|
|
6851
|
+
sourcePath: system.sharedSourcePath,
|
|
6852
|
+
environmentPolicy: "environment_specific",
|
|
6853
|
+
required: false,
|
|
6854
|
+
secret: false,
|
|
6855
|
+
public: true,
|
|
6856
|
+
consumers: ["tenant-vercel-app"],
|
|
6857
|
+
destinations: [
|
|
6858
|
+
{
|
|
6859
|
+
kind: "vercel",
|
|
6860
|
+
target: system.vercelProjectName,
|
|
6861
|
+
environmentPolicy: "preprod_staging_prod_prod"
|
|
6862
|
+
}
|
|
6863
|
+
],
|
|
6864
|
+
description: "Stack engineering graph public tenant label used by the graph explorer."
|
|
6865
|
+
},
|
|
6866
|
+
{
|
|
6867
|
+
id: "tenant.stack-eng.public.environment",
|
|
6868
|
+
canonicalName: "NEXT_PUBLIC_STACKOS_ENGINEERING_GRAPH_ENV",
|
|
6869
|
+
owner: "tenant",
|
|
6870
|
+
scope: "workspace",
|
|
6871
|
+
sourcePath: system.sharedSourcePath,
|
|
6872
|
+
environmentPolicy: "environment_specific",
|
|
6873
|
+
required: false,
|
|
6874
|
+
secret: false,
|
|
6875
|
+
public: true,
|
|
6876
|
+
consumers: ["tenant-vercel-app"],
|
|
6877
|
+
destinations: [
|
|
6878
|
+
{
|
|
6879
|
+
kind: "vercel",
|
|
6880
|
+
target: system.vercelProjectName,
|
|
6881
|
+
environmentPolicy: "preprod_staging_prod_prod"
|
|
6882
|
+
}
|
|
6883
|
+
],
|
|
6884
|
+
description: "Stack engineering graph public environment label used by the graph explorer."
|
|
6885
|
+
}
|
|
6886
|
+
];
|
|
6887
|
+
}
|
|
6888
|
+
return [];
|
|
6889
|
+
}
|
|
5148
6890
|
);
|
|
6891
|
+
INFISICAL_TENANT_SOFTWARE_SYSTEMS.flatMap((system) => [
|
|
6892
|
+
{
|
|
6893
|
+
id: `tenant.${system.id}.convex.url`,
|
|
6894
|
+
canonicalName: system.convex.urlEnv,
|
|
6895
|
+
aliases: tenantConvexUrlAliases(system),
|
|
6896
|
+
owner: "tenant",
|
|
6897
|
+
scope: "software_system",
|
|
6898
|
+
sourcePath: system.sharedSourcePath,
|
|
6899
|
+
environmentPolicy: "preprod_staging_prod_prod",
|
|
6900
|
+
required: true,
|
|
6901
|
+
secret: false,
|
|
6902
|
+
public: false,
|
|
6903
|
+
consumers: [
|
|
6904
|
+
"tenant-vercel-app",
|
|
6905
|
+
"tenant-agent-runtime",
|
|
6906
|
+
"mc-operator-tooling"
|
|
6907
|
+
],
|
|
6908
|
+
destinations: [
|
|
6909
|
+
{
|
|
6910
|
+
kind: "vercel",
|
|
6911
|
+
target: system.vercelProjectName,
|
|
6912
|
+
environmentPolicy: "preprod_staging_prod_prod",
|
|
6913
|
+
writeNames: tenantVercelConvexUrlWriteNames(system)
|
|
6914
|
+
},
|
|
6915
|
+
{
|
|
6916
|
+
kind: "github_actions",
|
|
6917
|
+
target: `${system.repository.owner}/${system.repository.name}`,
|
|
6918
|
+
environmentPolicy: "preprod_staging_prod_prod",
|
|
6919
|
+
writeNames: tenantRepositoryConvexUrlWriteNames(system),
|
|
6920
|
+
notes: "Only if that repository deploy/test workflow owns this software system."
|
|
6921
|
+
}
|
|
6922
|
+
],
|
|
6923
|
+
description: `${system.tenantKey}/${system.workspaceKey} Convex URL. Pre-prod resolves to ${system.convex.preprodDeployment}; prod resolves to ${system.convex.prodDeployment}.`
|
|
6924
|
+
},
|
|
6925
|
+
{
|
|
6926
|
+
id: `tenant.${system.id}.convex.deploy-key`,
|
|
6927
|
+
canonicalName: system.convex.deployKeyEnv,
|
|
6928
|
+
aliases: tenantConvexDeployKeyAliases(system),
|
|
6929
|
+
owner: "tenant",
|
|
6930
|
+
scope: "software_system",
|
|
6931
|
+
sourcePath: system.sharedSourcePath,
|
|
6932
|
+
environmentPolicy: "preprod_staging_prod_prod",
|
|
6933
|
+
required: true,
|
|
6934
|
+
secret: true,
|
|
6935
|
+
public: false,
|
|
6936
|
+
consumers: [
|
|
6937
|
+
"tenant-vercel-app",
|
|
6938
|
+
"tenant-agent-runtime",
|
|
6939
|
+
"mc-operator-tooling"
|
|
6940
|
+
],
|
|
6941
|
+
destinations: [
|
|
6942
|
+
{
|
|
6943
|
+
kind: "vercel",
|
|
6944
|
+
target: system.vercelProjectName,
|
|
6945
|
+
environmentPolicy: "preprod_staging_prod_prod"
|
|
6946
|
+
},
|
|
6947
|
+
{
|
|
6948
|
+
kind: "github_actions",
|
|
6949
|
+
target: `${system.repository.owner}/${system.repository.name}`,
|
|
6950
|
+
environmentPolicy: "preprod_staging_prod_prod",
|
|
6951
|
+
writeNames: tenantRepositoryConvexDeployKeyWriteNames(system),
|
|
6952
|
+
notes: "Only if that repository deploy/test workflow owns this software system."
|
|
6953
|
+
}
|
|
6954
|
+
],
|
|
6955
|
+
description: `${system.tenantKey}/${system.workspaceKey} Convex deploy/admin key. Never route to sibling workspaces.`
|
|
6956
|
+
}
|
|
6957
|
+
]);
|
|
5149
6958
|
z.object({
|
|
5150
6959
|
manifestVersion: z.literal("1.0.0"),
|
|
5151
6960
|
rules: z.array(
|
|
@@ -5186,7 +6995,7 @@ var createEvidenceInputSchemaBase = z.object({
|
|
|
5186
6995
|
targetId: z.string().optional(),
|
|
5187
6996
|
targetNodeId: z.string().optional(),
|
|
5188
6997
|
linkedBeliefNodeId: z.string().optional(),
|
|
5189
|
-
evidenceRelation: z.enum(["supports", "contradicts"
|
|
6998
|
+
evidenceRelation: z.enum(["supports", "contradicts"]).optional(),
|
|
5190
6999
|
confidence: z.number().optional(),
|
|
5191
7000
|
weight: z.number().optional(),
|
|
5192
7001
|
reasoning: z.string().optional(),
|
|
@@ -5271,8 +7080,7 @@ var createEvidenceProjection = defineProjection({
|
|
|
5271
7080
|
evidenceRelation: v.optional(
|
|
5272
7081
|
v.union(
|
|
5273
7082
|
v.literal("supports"),
|
|
5274
|
-
v.literal("contradicts")
|
|
5275
|
-
v.literal("neutral")
|
|
7083
|
+
v.literal("contradicts")
|
|
5276
7084
|
)
|
|
5277
7085
|
),
|
|
5278
7086
|
confidence: v.optional(v.number()),
|
|
@@ -5321,12 +7129,17 @@ var listBeliefsProjection = defineProjection({
|
|
|
5321
7129
|
});
|
|
5322
7130
|
var taskStatusSchema = z.enum(["todo", "in_progress", "blocked", "done"]).optional().describe("Filter by task status");
|
|
5323
7131
|
var listTasksInputSchema = z.object({
|
|
5324
|
-
topicId: z.string().describe("Topic scope"),
|
|
7132
|
+
topicId: z.string().optional().describe("Topic scope"),
|
|
5325
7133
|
worktreeId: z.string().optional().describe("Alias for linkedWorktreeId"),
|
|
5326
7134
|
linkedWorktreeId: z.string().optional().describe("Filter to tasks linked to this worktree"),
|
|
5327
7135
|
status: taskStatusSchema,
|
|
5328
7136
|
limit: z.number().optional().describe("Maximum results")
|
|
5329
|
-
})
|
|
7137
|
+
}).refine(
|
|
7138
|
+
(input) => Boolean(input.topicId || input.worktreeId || input.linkedWorktreeId),
|
|
7139
|
+
{
|
|
7140
|
+
message: "topicId or worktreeId is required"
|
|
7141
|
+
}
|
|
7142
|
+
);
|
|
5330
7143
|
function compactRecord3(input) {
|
|
5331
7144
|
return Object.fromEntries(
|
|
5332
7145
|
Object.entries(input).filter(([, value]) => value !== void 0)
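Review bot: The rule that a task listing must be scoped now lives only in the zod `.refine` on listTasksInputSchema; the Convex validator in the listTasksProjection hunk (`topicId: v.optional(v.string())`) carries no equivalent check, so a call that reaches the Convex function without passing through this schema can omit every scope field. The handler is not visible here, so whether it rejects an unscoped call should be confirmed rather than assumed. The refine message also leaves out `linkedWorktreeId`, which satisfies the predicate; `message: "topicId, worktreeId or linkedWorktreeId is required"` would match the check. `.refine` also wraps the object in a ZodEffects, and this schema is passed as `args` in the tasksContracts hunk, so `getObjectShape` (not shown) needs to unwrap effects for the MCP parameters to be derived.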
|
|
@@ -5343,7 +7156,7 @@ var listTasksProjection = defineProjection({
|
|
|
5343
7156
|
linkedWorktreeId: input.linkedWorktreeId ?? input.worktreeId
|
|
5344
7157
|
}),
|
|
5345
7158
|
convexArgsValidator: v.object({
|
|
5346
|
-
topicId: v.string(),
|
|
7159
|
+
topicId: v.optional(v.string()),
|
|
5347
7160
|
status: v.optional(
|
|
5348
7161
|
v.union(
|
|
5349
7162
|
v.literal("todo"),
|
|
@@ -6416,7 +8229,7 @@ var CREATE_EDGE = {
|
|
|
6416
8229
|
reasoningMethod: {
|
|
6417
8230
|
type: "string",
|
|
6418
8231
|
description: "How this was determined",
|
|
6419
|
-
enum: [
|
|
8232
|
+
enum: [...REASONING_METHODS]
|
|
6420
8233
|
},
|
|
6421
8234
|
metadata: {
|
|
6422
8235
|
type: "object",
|
|
@@ -8143,6 +9956,10 @@ var CREATE_TASK = {
|
|
|
8143
9956
|
tags: {
|
|
8144
9957
|
type: "array",
|
|
8145
9958
|
description: "Free-form string tags"
|
|
9959
|
+
},
|
|
9960
|
+
metadata: {
|
|
9961
|
+
type: "object",
|
|
9962
|
+
description: "Structured task metadata for handoff context and routing hints"
|
|
8146
9963
|
}
|
|
8147
9964
|
},
|
|
8148
9965
|
required: ["title"],
|
|
@@ -8216,6 +10033,10 @@ var UPDATE_TASK = {
|
|
|
8216
10033
|
type: "string",
|
|
8217
10034
|
description: "Updated status",
|
|
8218
10035
|
enum: ["todo", "in_progress", "blocked", "done"]
|
|
10036
|
+
},
|
|
10037
|
+
metadata: {
|
|
10038
|
+
type: "object",
|
|
10039
|
+
description: "Structured task metadata to replace or refine"
|
|
8219
10040
|
}
|
|
8220
10041
|
},
|
|
8221
10042
|
required: ["taskId"],
|
|
@@ -9671,6 +11492,9 @@ var BEGIN_BUILD_SESSION = {
|
|
|
9671
11492
|
sessionMode: "string \u2014 async | interactive",
|
|
9672
11493
|
targetBeliefIds: "array \u2014 scoped belief IDs",
|
|
9673
11494
|
targetQuestionIds: "array \u2014 scoped question IDs",
|
|
11495
|
+
taskIds: "array \u2014 assigned task IDs for this worktree",
|
|
11496
|
+
incompleteTaskIds: "array \u2014 assigned task IDs that still require done/deferred/blocked proof",
|
|
11497
|
+
tasks: "array \u2014 assigned task packet with id, title, status, priority, links, and summaries",
|
|
9674
11498
|
topBeliefs: "array \u2014 highest-confidence scoped beliefs",
|
|
9675
11499
|
openQuestions: "array \u2014 open scoped questions",
|
|
9676
11500
|
resolvedDecisions: "array \u2014 answered questions summarized for the session",
|
|
@@ -10271,12 +12095,20 @@ function unwrapMcpParameterSchema(schema) {
|
|
|
10271
12095
|
current = current._def.schema;
|
|
10272
12096
|
continue;
|
|
10273
12097
|
default:
|
|
10274
|
-
return {
|
|
12098
|
+
return {
|
|
12099
|
+
schema: current,
|
|
12100
|
+
required,
|
|
12101
|
+
description: description ?? current.description
|
|
12102
|
+
};
|
|
10275
12103
|
}
|
|
10276
12104
|
}
|
|
10277
12105
|
}
|
|
10278
12106
|
function mcpParameterFromZod(fieldName, schema, contractName) {
|
|
10279
|
-
const {
|
|
12107
|
+
const {
|
|
12108
|
+
schema: unwrapped,
|
|
12109
|
+
required,
|
|
12110
|
+
description: schemaDescription
|
|
12111
|
+
} = unwrapMcpParameterSchema(schema);
|
|
10280
12112
|
const description = schemaDescription ?? unwrapped.description ?? fieldName;
|
|
10281
12113
|
switch (unwrapped._def.typeName) {
|
|
10282
12114
|
case z.ZodFirstPartyTypeKind.ZodString:
|
|
@@ -10321,10 +12153,12 @@ function mcpContractFromArgsSchema(base, args, contractName) {
|
|
|
10321
12153
|
const entries2 = Object.entries(getObjectShape(args)).sort(
|
|
10322
12154
|
([left], [right]) => left.localeCompare(right)
|
|
10323
12155
|
);
|
|
10324
|
-
const converted = entries2.map(
|
|
10325
|
-
fieldName,
|
|
10326
|
-
|
|
10327
|
-
|
|
12156
|
+
const converted = entries2.map(
|
|
12157
|
+
([fieldName, schema]) => [
|
|
12158
|
+
fieldName,
|
|
12159
|
+
mcpParameterFromZod(fieldName, schema, contractName)
|
|
12160
|
+
]
|
|
12161
|
+
);
|
|
10328
12162
|
return {
|
|
10329
12163
|
...base,
|
|
10330
12164
|
parameters: Object.fromEntries(
|
|
@@ -10436,6 +12270,7 @@ function surfaceContract(args) {
|
|
|
10436
12270
|
allowedPrincipalTypes: ["user", "service", "agent"]
|
|
10437
12271
|
},
|
|
10438
12272
|
convex: args.convex,
|
|
12273
|
+
gateway: args.gateway,
|
|
10439
12274
|
args: canonicalArgs,
|
|
10440
12275
|
returns: canonicalReturns,
|
|
10441
12276
|
input,
|
|
@@ -10922,7 +12757,7 @@ var beliefsContracts = [
|
|
|
10922
12757
|
})
|
|
10923
12758
|
];
|
|
10924
12759
|
var jsonRecordSchema4 = z.record(z.unknown());
|
|
10925
|
-
var evidenceRelationSchema = z.enum(["supports", "contradicts"
|
|
12760
|
+
var evidenceRelationSchema = z.enum(["supports", "contradicts"]);
|
|
10926
12761
|
var createEvidenceArgs = z.object({
|
|
10927
12762
|
topicId: z.string().optional().describe("Topic scope for the evidence."),
|
|
10928
12763
|
text: z.string().describe("Canonical evidence text."),
|
|
@@ -12845,7 +14680,8 @@ var createTaskArgs = z.object({
|
|
|
12845
14680
|
linkedQuestionId: z.string().optional().describe("Question this task addresses."),
|
|
12846
14681
|
assigneeId: z.string().optional().describe("Principal assigned to the task."),
|
|
12847
14682
|
dueDate: z.number().optional().describe("Due date as epoch milliseconds."),
|
|
12848
|
-
tags: z.array(z.string()).optional().describe("Free-form tags.")
|
|
14683
|
+
tags: z.array(z.string()).optional().describe("Free-form tags."),
|
|
14684
|
+
metadata: z.record(z.unknown()).optional().describe("Structured task metadata for handoff context and routing hints.")
|
|
12849
14685
|
});
|
|
12850
14686
|
var createTaskInput = (input) => compactRecord4({
|
|
12851
14687
|
title: input.title,
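Review bot: `metadata: z.record(z.unknown())` accepts any keys and arbitrarily nested values with no size bound, while its description says it carries handoff context and routing hints. The surfaceContract hunk shows `allowedPrincipalTypes: ["user", "service", "agent"]`, so if that default applies to create_task, an agent can write values that later influence routing; how the hints are consumed is not visible here. Consider a typed schema for the hint keys that routing actually reads, with the remainder treated as opaque, and a size limit enforced by the handler. The same free-form `metadata` object is added in the CREATE_TASK and UPDATE_TASK hunks and is forwarded unchanged by createTaskInput.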
|
|
@@ -12859,7 +14695,8 @@ var createTaskInput = (input) => compactRecord4({
|
|
|
12859
14695
|
linkedQuestionId: input.linkedQuestionId,
|
|
12860
14696
|
assigneeId: input.assigneeId,
|
|
12861
14697
|
dueDate: input.dueDate,
|
|
12862
|
-
tags: input.tags
|
|
14698
|
+
tags: input.tags,
|
|
14699
|
+
metadata: input.metadata
|
|
12863
14700
|
});
|
|
12864
14701
|
var taskInput = (input) => compactRecord4({
|
|
12865
14702
|
...input,
|
|
@@ -12876,8 +14713,7 @@ var taskTopicInput = (input) => {
|
|
|
12876
14713
|
};
|
|
12877
14714
|
var completeTaskInput = (input) => compactRecord4({
|
|
12878
14715
|
taskId: input.taskId ?? input.id,
|
|
12879
|
-
outputSummary: input.outputSummary ?? input.summary
|
|
12880
|
-
userId: input.userId
|
|
14716
|
+
outputSummary: input.outputSummary ?? input.summary
|
|
12881
14717
|
});
|
|
12882
14718
|
var tasksContracts = [
|
|
12883
14719
|
surfaceContract({
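Review bot: completeTaskInput no longer forwards `userId`, but the input projection in the codingContracts hunk further down still passes `userId: input.userId`, and `taskInput` just above this hunk spreads `...input` wholesale. If the acting identity is meant to come from the authenticated context, as the `withUserId(` call in attemptInput suggests, those projections should not accept it from tool input either. The receiving functions are outside this diff, so this is a point to confirm rather than a confirmed defect. A short comment on completeTaskInput saying where the completing user is now taken from would also help.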
|
|
@@ -12895,6 +14731,7 @@ var tasksContracts = [
|
|
|
12895
14731
|
kind: "mutation",
|
|
12896
14732
|
inputProjection: createTaskInput
|
|
12897
14733
|
},
|
|
14734
|
+
gateway: { handler: "tasks.create" },
|
|
12898
14735
|
args: createTaskArgs
|
|
12899
14736
|
}),
|
|
12900
14737
|
surfaceContract({
|
|
@@ -12913,6 +14750,7 @@ var tasksContracts = [
|
|
|
12913
14750
|
kind: "query",
|
|
12914
14751
|
inputProjection: taskTopicInput
|
|
12915
14752
|
},
|
|
14753
|
+
gateway: { handler: "tasks.list" },
|
|
12916
14754
|
args: listTasksInputSchema
|
|
12917
14755
|
}),
|
|
12918
14756
|
surfaceContract({
|
|
@@ -12930,7 +14768,8 @@ var tasksContracts = [
|
|
|
12930
14768
|
functionName: "update",
|
|
12931
14769
|
kind: "mutation",
|
|
12932
14770
|
inputProjection: taskInput
|
|
12933
|
-
}
|
|
14771
|
+
},
|
|
14772
|
+
gateway: { handler: "tasks.update" }
|
|
12934
14773
|
}),
|
|
12935
14774
|
surfaceContract({
|
|
12936
14775
|
name: "complete_task",
|
|
@@ -12946,12 +14785,14 @@ var tasksContracts = [
|
|
|
12946
14785
|
functionName: "complete",
|
|
12947
14786
|
kind: "mutation",
|
|
12948
14787
|
inputProjection: completeTaskInput
|
|
12949
|
-
}
|
|
14788
|
+
},
|
|
14789
|
+
gateway: { handler: "tasks.complete" }
|
|
12950
14790
|
})
|
|
12951
14791
|
];
|
|
12952
14792
|
var CREATE_EDGE_TYPES = edgePolicyManifest.policies.map(
|
|
12953
14793
|
(policy) => policy.edgeType
|
|
12954
14794
|
);
|
|
14795
|
+
var REASONING_METHOD_TYPES = [...REASONING_METHODS];
|
|
12955
14796
|
var createEdgeArgs = z.object({
|
|
12956
14797
|
from: GraphRefSchema,
|
|
12957
14798
|
to: GraphRefSchema,
|
|
@@ -12961,6 +14802,7 @@ var createEdgeArgs = z.object({
|
|
|
12961
14802
|
confidence: z.number().optional(),
|
|
12962
14803
|
context: z.string().optional(),
|
|
12963
14804
|
reasoning: z.string().optional(),
|
|
14805
|
+
reasoningMethod: z.enum(REASONING_METHOD_TYPES).optional(),
|
|
12964
14806
|
derivationType: z.string().optional(),
|
|
12965
14807
|
metadata: z.record(z.unknown()).optional(),
|
|
12966
14808
|
topicId: z.string().optional(),
|
|
@@ -13039,6 +14881,7 @@ var edgesContracts = [
|
|
|
13039
14881
|
weight: parsed.weight,
|
|
13040
14882
|
confidence: parsed.confidence,
|
|
13041
14883
|
context: parsed.context ?? parsed.reasoning,
|
|
14884
|
+
reasoningMethod: parsed.reasoningMethod,
|
|
13042
14885
|
derivationType: parsed.derivationType,
|
|
13043
14886
|
metadata: parsed.metadata,
|
|
13044
14887
|
skipLayerValidation: true,
|
|
@@ -13163,6 +15006,7 @@ var edgesContracts = [
|
|
|
13163
15006
|
weight: edge.weight,
|
|
13164
15007
|
confidence: edge.confidence,
|
|
13165
15008
|
context: edge.context ?? edge.reasoning,
|
|
15009
|
+
reasoningMethod: edge.reasoningMethod,
|
|
13166
15010
|
derivationType: edge.derivationType,
|
|
13167
15011
|
metadata: edge.metadata,
|
|
13168
15012
|
topicId: edge.topicId
|
|
@@ -13897,6 +15741,69 @@ var pipelineContracts = [
|
|
|
13897
15741
|
}
|
|
13898
15742
|
})
|
|
13899
15743
|
];
|
|
15744
|
+
function isRecord4(value) {
|
|
15745
|
+
return Boolean(value) && typeof value === "object" && !Array.isArray(value);
|
|
15746
|
+
}
|
|
15747
|
+
function stringValues(value) {
|
|
15748
|
+
if (typeof value === "string") {
|
|
15749
|
+
return [value];
|
|
15750
|
+
}
|
|
15751
|
+
if (Array.isArray(value)) {
|
|
15752
|
+
return value.flatMap((item) => stringValues(item));
|
|
15753
|
+
}
|
|
15754
|
+
return [];
|
|
15755
|
+
}
|
|
15756
|
+
function nestedEvidenceRows(value) {
|
|
15757
|
+
if (Array.isArray(value)) {
|
|
15758
|
+
return value.flatMap((item) => nestedEvidenceRows(item));
|
|
15759
|
+
}
|
|
15760
|
+
if (!isRecord4(value)) {
|
|
15761
|
+
return [];
|
|
15762
|
+
}
|
|
15763
|
+
const nestedKeys = ["evidence", "items", "nodes"];
|
|
15764
|
+
const nestedRows = nestedKeys.flatMap((key) => nestedEvidenceRows(value[key]));
|
|
15765
|
+
return nestedRows.length > 0 ? nestedRows : [value];
|
|
15766
|
+
}
|
|
15767
|
+
function isFailedAttemptRow(row) {
|
|
15768
|
+
const metadata = isRecord4(row.metadata) ? row.metadata : null;
|
|
15769
|
+
return metadata?.failedApproach === true || metadata?.isFailedAttempt === true;
|
|
15770
|
+
}
|
|
15771
|
+
function failureLogSearchFields(row) {
|
|
15772
|
+
const metadata = isRecord4(row.metadata) ? row.metadata : null;
|
|
15773
|
+
return [
|
|
15774
|
+
...stringValues(row.id),
|
|
15775
|
+
...stringValues(row._id),
|
|
15776
|
+
...stringValues(row.title),
|
|
15777
|
+
...stringValues(row.text),
|
|
15778
|
+
...stringValues(row.canonicalText),
|
|
15779
|
+
...stringValues(row.content),
|
|
15780
|
+
...stringValues(metadata?.codeAnchor),
|
|
15781
|
+
...stringValues(metadata?.codeAnchors),
|
|
15782
|
+
...stringValues(metadata?.anchor),
|
|
15783
|
+
...stringValues(metadata?.anchors),
|
|
15784
|
+
...stringValues(metadata?.filePath),
|
|
15785
|
+
...stringValues(metadata?.filePaths),
|
|
15786
|
+
...stringValues(metadata?.path),
|
|
15787
|
+
...stringValues(metadata?.paths),
|
|
15788
|
+
...stringValues(metadata?.sourceRef),
|
|
15789
|
+
...stringValues(metadata?.touchedPaths)
|
|
15790
|
+
];
|
|
15791
|
+
}
|
|
15792
|
+
function projectFailureLog(output, input) {
|
|
15793
|
+
const rawQuery = typeof input.query === "string" && input.query.trim().length > 0 ? input.query.trim() : void 0;
|
|
15794
|
+
const searchKey = rawQuery?.toLowerCase();
|
|
15795
|
+
const failures = nestedEvidenceRows(output).filter((row) => isFailedAttemptRow(row)).filter(
|
|
15796
|
+
(row) => !searchKey ? true : failureLogSearchFields(row).some(
|
|
15797
|
+
(field) => field.toLowerCase().includes(searchKey)
|
|
15798
|
+
)
|
|
15799
|
+
);
|
|
15800
|
+
return {
|
|
15801
|
+
query: rawQuery,
|
|
15802
|
+
failures,
|
|
15803
|
+
totalFound: failures.length,
|
|
15804
|
+
showing: failures.length
|
|
15805
|
+
};
|
|
15806
|
+
}
|
|
13900
15807
|
var recordScopeLearningArgs = z.object({
|
|
13901
15808
|
topicId: z.string().optional().describe("Topic scope ID"),
|
|
13902
15809
|
summary: z.string().describe("Atomic learning statement"),
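Review bot: `totalFound` and `showing` in projectFailureLog are both `failures.length`, computed after filtering rows the upstream query already returned; the codingContracts hunk shows that query is called with `limit: input.limit`, so failed attempts beyond the limit are never searched and `totalFound` is not a total. Either move the failed-attempt and text filter into the backend query or document the field as the count within the fetched page. In nestedEvidenceRows, `nestedRows.length > 0 ? nestedRows : [value]` replaces a row with its children whenever it has a non-empty `evidence`, `items` or `nodes` array, so a failed-attempt row carrying such a field is dropped from the log. Both nestedEvidenceRows and stringValues recurse with no depth bound over data returned by the backend; a depth cap would keep a malformed row from exhausting the stack.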
|
|
@@ -13986,6 +15893,8 @@ var attemptInput = (input, context) => withUserId(
|
|
|
13986
15893
|
tags: ["code_attempt"],
|
|
13987
15894
|
metadata: compactRecord4({
|
|
13988
15895
|
...recordValue2(input.metadata),
|
|
15896
|
+
failedApproach: true,
|
|
15897
|
+
isFailedAttempt: true,
|
|
13989
15898
|
filePaths: input.filePaths,
|
|
13990
15899
|
filePath: input.filePath,
|
|
13991
15900
|
errorMessage: input.errorMessage,
|
|
@@ -14116,7 +16025,8 @@ var codingContracts = [
|
|
|
14116
16025
|
limit: input.limit,
|
|
14117
16026
|
status: input.status,
|
|
14118
16027
|
userId: input.userId
|
|
14119
|
-
})
|
|
16028
|
+
}),
|
|
16029
|
+
outputProjection: (output, input) => projectFailureLog(output, input)
|
|
14120
16030
|
}
|
|
14121
16031
|
})
|
|
14122
16032
|
];
|
|
@@ -14578,14 +16488,14 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
|
|
|
14578
16488
|
description: "Worktrees are tenant/runtime planning data."
|
|
14579
16489
|
},
|
|
14580
16490
|
{
|
|
14581
|
-
component: "
|
|
16491
|
+
component: "control-plane",
|
|
14582
16492
|
table: "agents",
|
|
14583
16493
|
prepopulation: "runtime_bootstrap",
|
|
14584
16494
|
copyMode: "none",
|
|
14585
16495
|
description: "Service agents are provisioned per tenant or service, not copied."
|
|
14586
16496
|
},
|
|
14587
16497
|
{
|
|
14588
|
-
component: "
|
|
16498
|
+
component: "control-plane",
|
|
14589
16499
|
table: "mcpWritePolicy",
|
|
14590
16500
|
prepopulation: "required_template",
|
|
14591
16501
|
copyMode: "template_global",
|
|
@@ -14594,14 +16504,14 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
|
|
|
14594
16504
|
description: "Global write policy defaults govern service and interactive MCP writes."
|
|
14595
16505
|
},
|
|
14596
16506
|
{
|
|
14597
|
-
component: "
|
|
16507
|
+
component: "control-plane",
|
|
14598
16508
|
table: "modelCallLogs",
|
|
14599
16509
|
prepopulation: "runtime_log",
|
|
14600
16510
|
copyMode: "none",
|
|
14601
16511
|
description: "Model call logs are runtime telemetry."
|
|
14602
16512
|
},
|
|
14603
16513
|
{
|
|
14604
|
-
component: "
|
|
16514
|
+
component: "control-plane",
|
|
14605
16515
|
table: "modelFunctionSlots",
|
|
14606
16516
|
prepopulation: "required_template",
|
|
14607
16517
|
copyMode: "template_global",
|
|
@@ -14610,7 +16520,7 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
|
|
|
14610
16520
|
description: "Function-to-model slots are required by model runtime resolution."
|
|
14611
16521
|
},
|
|
14612
16522
|
{
|
|
14613
|
-
component: "
|
|
16523
|
+
component: "control-plane",
|
|
14614
16524
|
table: "modelRegistry",
|
|
14615
16525
|
prepopulation: "required_template",
|
|
14616
16526
|
copyMode: "template_global",
|
|
@@ -14619,7 +16529,7 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
|
|
|
14619
16529
|
description: "Model catalog defaults are required by model runtime clients."
|
|
14620
16530
|
},
|
|
14621
16531
|
{
|
|
14622
|
-
component: "
|
|
16532
|
+
component: "control-plane",
|
|
14623
16533
|
table: "modelSlotConfigs",
|
|
14624
16534
|
prepopulation: "required_template",
|
|
14625
16535
|
copyMode: "template_global",
|
|
@@ -14628,14 +16538,105 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
|
|
|
14628
16538
|
description: "Slot-level defaults are required before tenant overrides exist."
|
|
14629
16539
|
},
|
|
14630
16540
|
{
|
|
14631
|
-
component: "
|
|
16541
|
+
component: "control-plane",
|
|
16542
|
+
table: "permitAccessReviewItems",
|
|
16543
|
+
prepopulation: "runtime_data",
|
|
16544
|
+
copyMode: "none",
|
|
16545
|
+
description: "Permit access-review item rows are tenant review data projected from Permit."
|
|
16546
|
+
},
|
|
16547
|
+
{
|
|
16548
|
+
component: "control-plane",
|
|
16549
|
+
table: "permitAccessReviews",
|
|
16550
|
+
prepopulation: "runtime_data",
|
|
16551
|
+
copyMode: "none",
|
|
16552
|
+
description: "Permit access-review campaigns are tenant review data projected from Permit."
|
|
16553
|
+
},
|
|
16554
|
+
{
|
|
16555
|
+
component: "control-plane",
|
|
16556
|
+
table: "permitAttributeBindings",
|
|
16557
|
+
prepopulation: "runtime_data",
|
|
16558
|
+
copyMode: "none",
|
|
16559
|
+
description: "Permit ABAC attribute bindings are tenant policy projection rows."
|
|
16560
|
+
},
|
|
16561
|
+
{
|
|
16562
|
+
component: "control-plane",
|
|
16563
|
+
table: "permitGroups",
|
|
16564
|
+
prepopulation: "runtime_data",
|
|
16565
|
+
copyMode: "none",
|
|
16566
|
+
description: "Permit groups are tenant-defined policy subjects, not template data."
|
|
16567
|
+
},
|
|
16568
|
+
{
|
|
16569
|
+
component: "control-plane",
|
|
16570
|
+
table: "permitGroupMemberships",
|
|
16571
|
+
prepopulation: "runtime_data",
|
|
16572
|
+
copyMode: "none",
|
|
16573
|
+
description: "Permit group memberships are tenant-specific policy projection rows."
|
|
16574
|
+
},
|
|
16575
|
+
{
|
|
16576
|
+
component: "control-plane",
|
|
16577
|
+
table: "permitPolicyBundles",
|
|
16578
|
+
prepopulation: "runtime_derived",
|
|
16579
|
+
copyMode: "none",
|
|
16580
|
+
description: "Permit policy bundles are derived from the Permit control plane."
|
|
16581
|
+
},
|
|
16582
|
+
{
|
|
16583
|
+
component: "control-plane",
|
|
16584
|
+
table: "permitPolicyDecisionReceipts",
|
|
16585
|
+
prepopulation: "runtime_log",
|
|
16586
|
+
copyMode: "none",
|
|
16587
|
+
description: "Permit decision receipts are runtime authorization audit logs."
|
|
16588
|
+
},
|
|
16589
|
+
{
|
|
16590
|
+
component: "control-plane",
|
|
16591
|
+
table: "permitPrincipalAliases",
|
|
16592
|
+
prepopulation: "runtime_data",
|
|
16593
|
+
copyMode: "none",
|
|
16594
|
+
description: "Permit principal aliases are tenant-specific identity projection rows."
|
|
16595
|
+
},
|
|
16596
|
+
{
|
|
16597
|
+
component: "control-plane",
|
|
16598
|
+
table: "permitPrincipals",
|
|
16599
|
+
prepopulation: "runtime_data",
|
|
16600
|
+
copyMode: "none",
|
|
16601
|
+
description: "Permit principals are projected from Clerk, Permit, and tenant onboarding flows."
|
|
16602
|
+
},
|
|
16603
|
+
{
|
|
16604
|
+
component: "control-plane",
|
|
16605
|
+
table: "permitProjectionOutbox",
|
|
16606
|
+
prepopulation: "runtime_queue",
|
|
16607
|
+
copyMode: "none",
|
|
16608
|
+
description: "Permit projection outbox rows are runtime sync queue data."
|
|
16609
|
+
},
|
|
16610
|
+
{
|
|
16611
|
+
component: "control-plane",
|
|
16612
|
+
table: "permitRelationshipTuples",
|
|
16613
|
+
prepopulation: "runtime_data",
|
|
16614
|
+
copyMode: "none",
|
|
16615
|
+
description: "Permit ReBAC relationship tuples are tenant policy projection rows."
|
|
16616
|
+
},
|
|
16617
|
+
{
|
|
16618
|
+
component: "control-plane",
|
|
16619
|
+
table: "permitResourceInstances",
|
|
16620
|
+
prepopulation: "runtime_data",
|
|
16621
|
+
copyMode: "none",
|
|
16622
|
+
description: "Permit resource instances are tenant/workspace graph and deployment projection rows."
|
|
16623
|
+
},
|
|
16624
|
+
{
|
|
16625
|
+
component: "control-plane",
|
|
16626
|
+
table: "permitRoleAssignments",
|
|
16627
|
+
prepopulation: "runtime_data",
|
|
16628
|
+
copyMode: "none",
|
|
16629
|
+
description: "Permit role assignments are tenant-specific policy projection rows."
|
|
16630
|
+
},
|
|
16631
|
+
{
|
|
16632
|
+
component: "control-plane",
|
|
14632
16633
|
table: "platformAudienceGrants",
|
|
14633
16634
|
prepopulation: "runtime_data",
|
|
14634
16635
|
copyMode: "none",
|
|
14635
16636
|
description: "Audience grants are principal/group-specific access rows."
|
|
14636
16637
|
},
|
|
14637
16638
|
{
|
|
14638
|
-
component: "
|
|
16639
|
+
component: "control-plane",
|
|
14639
16640
|
table: "platformAudiences",
|
|
14640
16641
|
prepopulation: "required_template",
|
|
14641
16642
|
copyMode: "template_tenant_rewrite",
|
|
@@ -14644,35 +16645,35 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
|
|
|
14644
16645
|
description: "Default tenant audience taxonomy rows are rewritten into each tenant."
|
|
14645
16646
|
},
|
|
14646
16647
|
{
|
|
14647
|
-
component: "
|
|
16648
|
+
component: "control-plane",
|
|
14648
16649
|
table: "platformPolicyDecisionLogs",
|
|
14649
16650
|
prepopulation: "runtime_log",
|
|
14650
16651
|
copyMode: "none",
|
|
14651
16652
|
description: "Policy decisions are runtime audit logs."
|
|
14652
16653
|
},
|
|
14653
16654
|
{
|
|
14654
|
-
component: "
|
|
16655
|
+
component: "control-plane",
|
|
14655
16656
|
table: "projectGrants",
|
|
14656
16657
|
prepopulation: "runtime_data",
|
|
14657
16658
|
copyMode: "none",
|
|
14658
16659
|
description: "Project/topic grants are principal or group-specific access rows."
|
|
14659
16660
|
},
|
|
14660
16661
|
{
|
|
14661
|
-
component: "
|
|
16662
|
+
component: "control-plane",
|
|
14662
16663
|
table: "reasoningPermissions",
|
|
14663
16664
|
prepopulation: "runtime_data",
|
|
14664
16665
|
copyMode: "none",
|
|
14665
16666
|
description: "Reasoning permissions are principal-specific policy rows."
|
|
14666
16667
|
},
|
|
14667
16668
|
{
|
|
14668
|
-
component: "
|
|
16669
|
+
component: "control-plane",
|
|
14669
16670
|
table: "tenantApiKeys",
|
|
14670
16671
|
prepopulation: "runtime_secret",
|
|
14671
16672
|
copyMode: "none",
|
|
14672
16673
|
description: "API keys are tenant credentials and must never be copied."
|
|
14673
16674
|
},
|
|
14674
16675
|
{
|
|
14675
|
-
component: "
|
|
16676
|
+
component: "control-plane",
|
|
14676
16677
|
table: "tenantConfig",
|
|
14677
16678
|
prepopulation: "required_template",
|
|
14678
16679
|
copyMode: "template_tenant_rewrite",
|
|
@@ -14681,7 +16682,7 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
|
|
|
14681
16682
|
description: "Tenant-local config defaults are rewritten during bootstrap."
|
|
14682
16683
|
},
|
|
14683
16684
|
{
|
|
14684
|
-
component: "
|
|
16685
|
+
component: "control-plane",
|
|
14685
16686
|
table: "tenantIntegrations",
|
|
14686
16687
|
prepopulation: "required_template",
|
|
14687
16688
|
copyMode: "template_tenant_rewrite",
|
|
@@ -14690,14 +16691,21 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
|
|
|
14690
16691
|
description: "Non-secret integration descriptors are rewritten into each tenant."
|
|
14691
16692
|
},
|
|
14692
16693
|
{
|
|
14693
|
-
component: "
|
|
16694
|
+
component: "control-plane",
|
|
14694
16695
|
table: "tenantModelSlotBindings",
|
|
14695
16696
|
prepopulation: "runtime_secret",
|
|
14696
16697
|
copyMode: "none",
|
|
14697
16698
|
description: "Tenant model slot bindings reference provider secrets and are runtime-only."
|
|
14698
16699
|
},
|
|
14699
16700
|
{
|
|
14700
|
-
component: "
|
|
16701
|
+
component: "control-plane",
|
|
16702
|
+
table: "tenantPermitSyncStates",
|
|
16703
|
+
prepopulation: "runtime_derived",
|
|
16704
|
+
copyMode: "none",
|
|
16705
|
+
description: "Tenant Permit sync state rows are runtime reconciliation state."
|
|
16706
|
+
},
|
|
16707
|
+
{
|
|
16708
|
+
component: "control-plane",
|
|
14701
16709
|
table: "tenantPolicies",
|
|
14702
16710
|
prepopulation: "required_template",
|
|
14703
16711
|
copyMode: "template_tenant_rewrite",
|
|
@@ -14706,42 +16714,42 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
|
|
|
14706
16714
|
description: "Default tenant policy roles are rewritten during bootstrap."
|
|
14707
16715
|
},
|
|
14708
16716
|
{
|
|
14709
|
-
component: "
|
|
16717
|
+
component: "control-plane",
|
|
14710
16718
|
table: "tenantProviderSecrets",
|
|
14711
16719
|
prepopulation: "runtime_secret",
|
|
14712
16720
|
copyMode: "none",
|
|
14713
16721
|
description: "Provider secrets are credentials and must never be copied."
|
|
14714
16722
|
},
|
|
14715
16723
|
{
|
|
14716
|
-
component: "
|
|
16724
|
+
component: "control-plane",
|
|
14717
16725
|
table: "tenantProxyGatewayUsage",
|
|
14718
16726
|
prepopulation: "runtime_log",
|
|
14719
16727
|
copyMode: "none",
|
|
14720
16728
|
description: "Proxy gateway usage rows are runtime telemetry."
|
|
14721
16729
|
},
|
|
14722
16730
|
{
|
|
14723
|
-
component: "
|
|
16731
|
+
component: "control-plane",
|
|
14724
16732
|
table: "tenantProxyTokenMints",
|
|
14725
16733
|
prepopulation: "runtime_secret",
|
|
14726
16734
|
copyMode: "none",
|
|
14727
16735
|
description: "Proxy token mints are ephemeral secret-bearing runtime rows."
|
|
14728
16736
|
},
|
|
14729
16737
|
{
|
|
14730
|
-
component: "
|
|
16738
|
+
component: "control-plane",
|
|
14731
16739
|
table: "tenantSandboxAuditEvents",
|
|
14732
16740
|
prepopulation: "runtime_log",
|
|
14733
16741
|
copyMode: "none",
|
|
14734
16742
|
description: "Sandbox audit rows are runtime security logs."
|
|
14735
16743
|
},
|
|
14736
16744
|
{
|
|
14737
|
-
component: "
|
|
16745
|
+
component: "control-plane",
|
|
14738
16746
|
table: "tenantSecrets",
|
|
14739
16747
|
prepopulation: "runtime_secret",
|
|
14740
16748
|
copyMode: "none",
|
|
14741
16749
|
description: "Tenant secrets are credentials and must never be copied."
|
|
14742
16750
|
},
|
|
14743
16751
|
{
|
|
14744
|
-
component: "
|
|
16752
|
+
component: "control-plane",
|
|
14745
16753
|
table: "toolAcls",
|
|
14746
16754
|
prepopulation: "required_template",
|
|
14747
16755
|
copyMode: "template_global",
|
|
@@ -14750,7 +16758,7 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
|
|
|
14750
16758
|
description: "Default role-to-tool grants are required for SDK/MCP tool access."
|
|
14751
16759
|
},
|
|
14752
16760
|
{
|
|
14753
|
-
component: "
|
|
16761
|
+
component: "control-plane",
|
|
14754
16762
|
table: "toolRegistry",
|
|
14755
16763
|
prepopulation: "required_template",
|
|
14756
16764
|
copyMode: "template_global",
|
|
@@ -14759,7 +16767,7 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
|
|
|
14759
16767
|
description: "Core tool catalog rows are required before pack or tenant tools exist."
|
|
14760
16768
|
},
|
|
14761
16769
|
{
|
|
14762
|
-
component: "
|
|
16770
|
+
component: "control-plane",
|
|
14763
16771
|
table: "users",
|
|
14764
16772
|
prepopulation: "runtime_bootstrap",
|
|
14765
16773
|
copyMode: "none",
|
|
@@ -15144,11 +17152,11 @@ function readString2(value) {
|
|
|
15144
17152
|
function readNullableNumber(value) {
|
|
15145
17153
|
return typeof value === "number" && Number.isFinite(value) ? value : null;
|
|
15146
17154
|
}
|
|
15147
|
-
function
|
|
17155
|
+
function isRecord5(value) {
|
|
15148
17156
|
return Boolean(value) && typeof value === "object" && !Array.isArray(value);
|
|
15149
17157
|
}
|
|
15150
17158
|
function refreshLucernContextFromBuildSession(payload, args) {
|
|
15151
|
-
if (!
|
|
17159
|
+
if (!isRecord5(payload)) {
|
|
15152
17160
|
return;
|
|
15153
17161
|
}
|
|
15154
17162
|
const topicId = readString2(payload.topicId);
|
|
@@ -15353,7 +17361,8 @@ var edgeHandlers = {
|
|
|
15353
17361
|
topicId: readString(args.topicId ?? args.projectId),
|
|
15354
17362
|
confidence: readNumber(args.confidence),
|
|
15355
17363
|
weight: readNumber(args.weight),
|
|
15356
|
-
context: readString(args.context) ?? readString(args.reasoning)
|
|
17364
|
+
context: readString(args.context) ?? readString(args.reasoning),
|
|
17365
|
+
reasoningMethod: readString(args.reasoningMethod)
|
|
15357
17366
|
})
|
|
15358
17367
|
);
|
|
15359
17368
|
},
|
|
@@ -16782,7 +18791,7 @@ function readStringArray2(value) {
|
|
|
16782
18791
|
}
|
|
16783
18792
|
return value.map((entry) => readString3(entry)).filter((entry) => Boolean(entry));
|
|
16784
18793
|
}
|
|
16785
|
-
function
|
|
18794
|
+
function isRecord6(value) {
|
|
16786
18795
|
return value !== null && typeof value === "object" && !Array.isArray(value);
|
|
16787
18796
|
}
|
|
16788
18797
|
function decodePrefixedIdOrNull(value) {
|
|
@@ -16797,7 +18806,7 @@ function decodePrefixedIdOrNull(value) {
|
|
|
16797
18806
|
};
|
|
16798
18807
|
}
|
|
16799
18808
|
function asRecord2(value) {
|
|
16800
|
-
return
|
|
18809
|
+
return isRecord6(value) ? value : {};
|
|
16801
18810
|
}
|
|
16802
18811
|
function normalizeTopicId(value) {
|
|
16803
18812
|
const normalized = readString3(value);
|
|
@@ -17932,7 +19941,7 @@ var researchVerificationHandlers = {
|
|
|
17932
19941
|
function cleanString(value) {
|
|
17933
19942
|
return typeof value === "string" && value.trim().length > 0 ? value.trim() : void 0;
|
|
17934
19943
|
}
|
|
17935
|
-
function
|
|
19944
|
+
function isRecord7(value) {
|
|
17936
19945
|
return value !== null && typeof value === "object" && !Array.isArray(value);
|
|
17937
19946
|
}
|
|
17938
19947
|
function prefixId(prefix, value) {
|
|
@@ -17988,7 +19997,7 @@ function toPublicCompiledContext(pack) {
|
|
|
17988
19997
|
scopedTopicIds: (pack.scopedTopicIds ?? []).map((id) => prefixId("top", id)),
|
|
17989
19998
|
generatedAt: pack.generatedAt,
|
|
17990
19999
|
ranking: pack.rankingProfile,
|
|
17991
|
-
summary:
|
|
20000
|
+
summary: isRecord7(pack.summary) ? pack.summary : {},
|
|
17992
20001
|
invariants: (pack.invariants ?? []).map((belief) => ({
|
|
17993
20002
|
beliefId: prefixId("bel", belief.nodeId),
|
|
17994
20003
|
text: belief.canonicalText,
|
|
@@ -18059,7 +20068,7 @@ function toPublicCompiledContext(pack) {
|
|
|
18059
20068
|
}))
|
|
18060
20069
|
} : {}
|
|
18061
20070
|
},
|
|
18062
|
-
diagnostics:
|
|
20071
|
+
diagnostics: isRecord7(pack.diagnostics) ? pack.diagnostics : {},
|
|
18063
20072
|
...pack.compilationMode ? { compilationMode: pack.compilationMode } : {},
|
|
18064
20073
|
...pack.failureContext ? {
|
|
18065
20074
|
failureContext: {
|
|
@@ -18567,6 +20576,21 @@ async function checkWritePolicy(toolName, topicId, authCtx) {
|
|
|
18567
20576
|
authCtx
|
|
18568
20577
|
});
|
|
18569
20578
|
if (!result) {
|
|
20579
|
+
if (authCtx.sessionType === "agent") {
|
|
20580
|
+
return {
|
|
20581
|
+
allowed: false,
|
|
20582
|
+
permission: "deny",
|
|
20583
|
+
toolCategory: null,
|
|
20584
|
+
policy: null,
|
|
20585
|
+
reason: "no_policy_response",
|
|
20586
|
+
explanation: {
|
|
20587
|
+
summary: "Denied because agent write-policy checks fail closed when no policy response is returned.",
|
|
20588
|
+
toolName,
|
|
20589
|
+
role: authCtx.role,
|
|
20590
|
+
topicId
|
|
20591
|
+
}
|
|
20592
|
+
};
|
|
20593
|
+
}
|
|
18570
20594
|
return {
|
|
18571
20595
|
allowed: true,
|
|
18572
20596
|
permission: "allow",
|
|
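Review bot: The new fail-closed branch is gated on `authCtx.sessionType === "agent"`, so any other value, including a missing or unexpected `sessionType`, still falls through to the `allowed: true` return at the end of this hunk. The same applies to the `catch` in the next hunk, where the `Allowing (fail-open)` log path remains. Deny should be the default, with only the session types that are accepted to fail open exempted, e.g. `if (authCtx.sessionType !== "<session type permitted to fail open>") {`. In the `catch` hunk the agent deny returns before `console.error`, so a policy-evaluation failure for an agent leaves no log entry in the visible lines; logging before that return would keep these denials observable. That branch also copies `err.message` into `explanation.steps[0].detail`; if the explanation is returned to the caller (not visible here), a fixed string with the raw message kept server-side would avoid exposing internal error text. `checkWritePolicy` starts before this hunk and continues past the next one.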
@@ -18600,6 +20624,33 @@ async function checkWritePolicy(toolName, topicId, authCtx) {
|
|
|
18600
20624
|
}
|
|
18601
20625
|
return result;
|
|
18602
20626
|
} catch (err) {
|
|
20627
|
+
if (authCtx.sessionType === "agent") {
|
|
20628
|
+
return {
|
|
20629
|
+
allowed: false,
|
|
20630
|
+
permission: "deny",
|
|
20631
|
+
toolCategory: null,
|
|
20632
|
+
policy: null,
|
|
20633
|
+
explanation: {
|
|
20634
|
+
summary: "Denied because agent write-policy checks fail closed on policy evaluation errors.",
|
|
20635
|
+
matchedReasonCode: "WRITE_POLICY_CHECK_ERROR",
|
|
20636
|
+
steps: [
|
|
20637
|
+
{
|
|
20638
|
+
stage: "policy_lookup",
|
|
20639
|
+
outcome: "failed",
|
|
20640
|
+
reasonCode: "WRITE_POLICY_CHECK_ERROR",
|
|
20641
|
+
detail: err instanceof Error ? err.message : "Unknown policy evaluation error."
|
|
20642
|
+
},
|
|
20643
|
+
{
|
|
20644
|
+
stage: "decision",
|
|
20645
|
+
outcome: "failed",
|
|
20646
|
+
reasonCode: "WRITE_POLICY_CHECK_ERROR",
|
|
20647
|
+
detail: "Agent sessions cannot convert a write-policy infrastructure error into an allow."
|
|
20648
|
+
}
|
|
20649
|
+
]
|
|
20650
|
+
},
|
|
20651
|
+
reason: "policy_check_error"
|
|
20652
|
+
};
|
|
20653
|
+
}
|
|
18603
20654
|
console.error(
|
|
18604
20655
|
`[write-policy] Policy check failed for ${toolName}: ${err instanceof Error ? err.message : err}. Allowing (fail-open).`
|
|
18605
20656
|
);
|