@lucern/mcp 0.3.0-alpha.10 → 0.3.0-alpha.11

package/dist/runtime.js CHANGED
@@ -232,6 +232,20 @@ var autoBranchingHandlers = {
232
232
  }
233
233
  };
234
234
 
235
+ // ../contracts/src/types/reasoning-method.ts
236
+ var REASONING_METHODS = [
237
+ "deductive",
238
+ "inductive",
239
+ "abductive",
240
+ "analogical",
241
+ "causal",
242
+ "correlational",
243
+ "testimonial",
244
+ "statistical",
245
+ "implicit",
246
+ "pattern_match"
247
+ ];
248
+
235
249
  // ../contracts/src/graph-intelligence.contract.ts
236
250
  var GRAPH_INTELLIGENCE_MODE_TOOL_NAMES = {
237
251
  core: [
@@ -941,7 +955,7 @@ defineTable({
941
955
  });
942
956
  defineTable({
943
957
  name: "agents",
944
- component: "identity",
958
+ component: "control-plane",
945
959
  category: "agent",
946
960
  shape: z.object({
947
961
  "slug": z.string(),
@@ -972,6 +986,7 @@ defineTable({
972
986
  category: "tenant",
973
987
  shape: z.object({
974
988
  "tenantId": idOf("tenants"),
989
+ "workspaceId": idOf("workspaces").optional(),
975
990
  "keyPrefix": z.enum(["luc", "stk"]),
976
991
  "keyHash": z.string(),
977
992
  "keyHint": z.string(),
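Review bot: The added `"workspaceId": idOf("workspaces").optional()` does not say what a key row without a workspace means, and for an API key that decides how far the credential reaches. Rows written before this release will all lack the field, so the code that authorises a key has to handle `undefined` explicitly instead of letting it behave as "no restriction" by accident. I would put the intended meaning on the field, for example `// absent = key is not workspace-bound; authorisation must choose tenant-wide or reject explicitly`. The table's `name` and its `indices` lie outside this hunk, so whether lookups by workspace are indexed is not visible here.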
@@ -999,7 +1014,7 @@ defineTable({
999
1014
  shape: z.object({
1000
1015
  "tenantId": idOf("tenants").optional(),
1001
1016
  "apiKeyId": idOf("apiKeys").optional(),
1002
- "action": z.enum(["key_created", "key_revoked", "key_expired", "key_used", "tenant_secret_created", "tenant_secret_rotated", "tenant_secret_revoked", "tenant_slot_binding_upserted", "tenant_slot_binding_revoked", "proxy_token_minted", "proxy_request_recorded", "tenant_created", "tenant_updated", "tenant_suspended", "tenant_archived", "tenant_reactivated", "principal_created", "principal_updated", "principal_suspended", "membership_created", "membership_updated", "membership_revoked", "group_created", "group_updated", "group_deleted", "group_member_added", "group_member_removed", "workspace_created", "workspace_updated", "workspace_archived", "workspace_deployment_set", "workspace_deployment_removed", "service_key_created", "service_key_rotated", "service_key_revoked", "service_key_used", "service_key_auth_failed", "session_created", "session_validated", "session_revoked", "session_cascade_revoked", "session_expired", "sandbox_created", "sandbox_secret_injected", "sandbox_execution_started", "sandbox_execution_completed", "sandbox_limit_violated", "policy_created", "policy_updated", "policy_enforced", "policy_archived", "agent_registered", "agent_updated", "tool_registered", "tool_updated", "pack_entitled", "pack_installed", "pack_enabled", "pack_disabled", "pack_entitlement_revoked", "pack_upgraded", "pack_upgrade_committed", "pack_upgrade_rolled_back", "pack_group_assigned", "pack_group_unassigned", "methodology_pack_created", "methodology_pack_updated", "methodology_pack_assigned", "methodology_pack_removed", "pack_assigned_to_group", "pack_revoked_from_group", "pack_ontology_materialized", "pack_ontology_topic_bound", "cutover_flag_set", "cutover_flag_cleared"]),
1017
+ "action": z.enum(["key_created", "key_revoked", "key_expired", "key_used", "tenant_secret_created", "tenant_secret_rotated", "tenant_secret_revoked", "tenant_slot_binding_upserted", "tenant_slot_binding_revoked", "proxy_token_minted", "proxy_token_lease_issued", "proxy_token_lease_renewed", "proxy_token_lease_revoked", "proxy_request_recorded", "tenant_created", "tenant_updated", "tenant_suspended", "tenant_archived", "tenant_reactivated", "principal_created", "principal_updated", "principal_suspended", "principal_identity_alias_upserted", "principal_identity_alias_revoked", "membership_created", "membership_updated", "membership_revoked", "group_created", "group_updated", "group_deleted", "group_member_added", "group_member_removed", "workspace_created", "workspace_updated", "workspace_archived", "workspace_deployment_set", "workspace_deployment_removed", "deployment_host_registered", "deployment_host_revoked", "service_key_created", "service_key_rotated", "service_key_revoked", "service_key_used", "service_key_auth_failed", "session_created", "session_validated", "session_revoked", "session_cascade_revoked", "session_expired", "sandbox_created", "sandbox_secret_injected", "sandbox_execution_started", "sandbox_execution_completed", "sandbox_limit_violated", "policy_created", "policy_updated", "policy_enforced", "policy_archived", "permit_sync_enqueued", "permit_sync_succeeded", "permit_sync_failed", "permit_sync_skipped", "agent_registered", "agent_updated", "tool_registered", "tool_updated", "pack_entitled", "pack_installed", "pack_enabled", "pack_disabled", "pack_entitlement_revoked", "pack_upgraded", "pack_upgrade_committed", "pack_upgrade_rolled_back", "pack_group_assigned", "pack_group_unassigned", "methodology_pack_created", "methodology_pack_updated", "methodology_pack_assigned", "methodology_pack_removed", "pack_assigned_to_group", "pack_revoked_from_group", "pack_ontology_materialized", "pack_ontology_topic_bound", "cutover_flag_set", 
"cutover_flag_cleared"]),
1003
1018
  "actorClerkId": z.string(),
1004
1019
  "details": z.any().optional(),
1005
1020
  "createdAt": z.number()
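Review bot: The new `proxy_token_lease_*`, `principal_identity_alias_*` and `deployment_host_*` actions are stored next to `"details": z.any().optional()`, so nothing in this schema keeps a writer from putting token or secret material into an audit row. These added events are the ones most likely to have such values close at hand when they are recorded. A comment on `details` would make the invariant reviewable, for example `// never store token, key or secret values here; references and hashes only`. A per-action details shape would enforce it, but whether `defineTable` allows that is not visible, and the enclosing call starts and ends outside the hunk.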
@@ -1878,29 +1893,37 @@ defineTable({
1878
1893
  component: "mc",
1879
1894
  category: "runtime",
1880
1895
  shape: z.object({
1881
- "shimId": z.string(),
1882
- "gateId": z.string(),
1883
- "removalDate": z.string(),
1884
- "removalPriority": z.enum(["P1", "P2", "P3"]),
1885
- "description": z.string(),
1886
- "owner": z.string(),
1887
- "createdAt": z.string(),
1888
- "status": z.enum(["active", "overdue", "removed"]),
1889
- "bridgeType": z.enum(["tool", "agent"]),
1890
- "bridgeTarget": z.object({
1891
- "type": z.enum(["tool", "agent"]),
1892
- "legacyPath": z.string(),
1893
- "harnessPath": z.string()
1896
+ shimId: z.string(),
1897
+ gateId: z.string(),
1898
+ removalDate: z.string(),
1899
+ removalPriority: z.enum(["P1", "P2", "P3"]),
1900
+ description: z.string(),
1901
+ owner: z.string(),
1902
+ createdAt: z.string(),
1903
+ status: z.enum(["active", "overdue", "removed"]),
1904
+ bridgeType: z.enum(["tool", "agent"]),
1905
+ bridgeTarget: z.object({
1906
+ type: z.enum(["tool", "agent"]),
1907
+ legacyPath: z.string(),
1908
+ harnessPath: z.string()
1894
1909
  }),
1895
- "shimBehavior": z.enum(["passthrough_with_logging", "adapter", "feature_flag_gate"]),
1896
- "producesLedgerEntries": z.boolean(),
1897
- "lastAuditedAt": z.number(),
1898
- "metadata": z.record(z.any()).optional()
1910
+ shimBehavior: z.enum([
1911
+ "passthrough_with_logging",
1912
+ "adapter",
1913
+ "feature_flag_gate"
1914
+ ]),
1915
+ producesLedgerEntries: z.boolean(),
1916
+ lastAuditedAt: z.number(),
1917
+ metadata: z.record(z.any()).optional()
1899
1918
  }),
1900
1919
  indices: [
1901
1920
  { kind: "index", name: "by_shimId", columns: ["shimId"] },
1902
1921
  { kind: "index", name: "by_status", columns: ["status"] },
1903
- { kind: "index", name: "by_bridgeType_status", columns: ["bridgeType", "status"] }
1922
+ {
1923
+ kind: "index",
1924
+ name: "by_bridgeType_status",
1925
+ columns: ["bridgeType", "status"]
1926
+ }
1904
1927
  ]
1905
1928
  });
1906
1929
  defineTable({
@@ -1908,12 +1931,23 @@ defineTable({
1908
1931
  component: "mc",
1909
1932
  category: "runtime",
1910
1933
  shape: z.object({
1911
- "domain": z.enum(["graph", "schema", "identity", "policy", "audit", "admin", "agent", "tool", "prompt", "intelligence"]),
1912
- "state": z.enum(["legacy", "cutover", "disabled"]),
1913
- "metadata": z.record(z.any()).optional(),
1914
- "updatedBy": z.string(),
1915
- "createdAt": z.number(),
1916
- "updatedAt": z.number()
1934
+ domain: z.enum([
1935
+ "graph",
1936
+ "schema",
1937
+ "identity",
1938
+ "policy",
1939
+ "audit",
1940
+ "admin",
1941
+ "agent",
1942
+ "tool",
1943
+ "prompt",
1944
+ "intelligence"
1945
+ ]),
1946
+ state: z.enum(["legacy", "cutover", "disabled"]),
1947
+ metadata: z.record(z.any()).optional(),
1948
+ updatedBy: z.string(),
1949
+ createdAt: z.number(),
1950
+ updatedAt: z.number()
1917
1951
  }),
1918
1952
  indices: [
1919
1953
  { kind: "index", name: "by_domain", columns: ["domain"] },
@@ -1925,57 +1959,193 @@ defineTable({
1925
1959
  component: "mc",
1926
1960
  category: "runtime",
1927
1961
  shape: z.object({
1928
- "credentialRef": z.string(),
1929
- "tenantId": idOf("tenants"),
1930
- "target": z.enum(["kernelDeployment", "appDeployment"]),
1931
- "environment": z.enum(["dev", "staging", "prod"]),
1932
- "encryptedDeployKey": z.string(),
1933
- "encryptionVersion": z.string(),
1934
- "keyFingerprint": z.string(),
1935
- "keyHint": z.string(),
1936
- "status": z.enum(["active", "revoked"]),
1937
- "rotatedFromCredentialRef": z.string().optional(),
1938
- "revokedAt": z.number().optional(),
1939
- "revokedBy": z.string().optional(),
1940
- "lastUsedAt": z.number().optional(),
1941
- "metadata": z.record(z.any()).optional(),
1942
- "createdBy": z.string(),
1943
- "createdAt": z.number(),
1944
- "updatedAt": z.number()
1962
+ credentialRef: z.string(),
1963
+ tenantId: idOf("tenants"),
1964
+ workspaceId: idOf("workspaces").optional(),
1965
+ target: z.enum(["kernelDeployment", "appDeployment"]),
1966
+ environment: z.enum(["dev", "staging", "prod"]),
1967
+ encryptedDeployKey: z.string(),
1968
+ encryptionVersion: z.string(),
1969
+ keyFingerprint: z.string(),
1970
+ keyHint: z.string(),
1971
+ status: z.enum(["active", "revoked"]),
1972
+ rotatedFromCredentialRef: z.string().optional(),
1973
+ revokedAt: z.number().optional(),
1974
+ revokedBy: z.string().optional(),
1975
+ lastUsedAt: z.number().optional(),
1976
+ metadata: z.record(z.any()).optional(),
1977
+ createdBy: z.string(),
1978
+ createdAt: z.number(),
1979
+ updatedAt: z.number()
1945
1980
  }),
1946
1981
  indices: [
1947
1982
  { kind: "index", name: "by_credentialRef", columns: ["credentialRef"] },
1948
1983
  { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
1949
- { kind: "index", name: "by_tenant_target", columns: ["tenantId", "target"] },
1950
- { kind: "index", name: "by_tenant_target_environment", columns: ["tenantId", "target", "environment"] },
1951
- { kind: "index", name: "by_tenant_target_environment_status", columns: ["tenantId", "target", "environment", "status"] },
1984
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
1985
+ {
1986
+ kind: "index",
1987
+ name: "by_tenant_target",
1988
+ columns: ["tenantId", "target"]
1989
+ },
1990
+ {
1991
+ kind: "index",
1992
+ name: "by_tenant_target_environment",
1993
+ columns: ["tenantId", "target", "environment"]
1994
+ },
1995
+ {
1996
+ kind: "index",
1997
+ name: "by_tenant_target_environment_status",
1998
+ columns: ["tenantId", "target", "environment", "status"]
1999
+ },
2000
+ {
2001
+ kind: "index",
2002
+ name: "by_tenant_workspace_target_environment_status",
2003
+ columns: ["tenantId", "workspaceId", "target", "environment", "status"]
2004
+ },
1952
2005
  { kind: "index", name: "by_status", columns: ["status"] }
1953
2006
  ]
1954
2007
  });
2008
+ defineTable({
2009
+ name: "permitSyncStates",
2010
+ component: "mc",
2011
+ category: "runtime",
2012
+ shape: z.object({
2013
+ syncKey: z.string(),
2014
+ objectType: z.enum([
2015
+ "resource",
2016
+ "role",
2017
+ "resource_role",
2018
+ "resource_relation",
2019
+ "tenant",
2020
+ "workspace",
2021
+ "principal",
2022
+ "membership",
2023
+ "group",
2024
+ "resource_instance",
2025
+ "relationship_tuple",
2026
+ "role_assignment"
2027
+ ]),
2028
+ objectId: z.string(),
2029
+ tenantId: idOf("tenants").optional(),
2030
+ workspaceId: idOf("workspaces").optional(),
2031
+ principalId: z.string().optional(),
2032
+ permitTenantKey: z.string().optional(),
2033
+ permitResourceType: z.string().optional(),
2034
+ permitResourceKey: z.string().optional(),
2035
+ desiredPayload: z.record(z.any()),
2036
+ lastAppliedPayloadHash: z.string().optional(),
2037
+ status: z.enum(["pending", "synced", "error", "skipped"]),
2038
+ attemptCount: z.number(),
2039
+ lastError: z.string().optional(),
2040
+ nextAttemptAt: z.number().optional(),
2041
+ lastSyncedAt: z.number().optional(),
2042
+ createdBy: z.string(),
2043
+ updatedBy: z.string().optional(),
2044
+ createdAt: z.number(),
2045
+ updatedAt: z.number()
2046
+ }),
2047
+ indices: [
2048
+ { kind: "index", name: "by_syncKey", columns: ["syncKey"] },
2049
+ { kind: "index", name: "by_status", columns: ["status"] },
2050
+ {
2051
+ kind: "index",
2052
+ name: "by_tenant_status",
2053
+ columns: ["tenantId", "status"]
2054
+ },
2055
+ {
2056
+ kind: "index",
2057
+ name: "by_workspace_status",
2058
+ columns: ["workspaceId", "status"]
2059
+ },
2060
+ {
2061
+ kind: "index",
2062
+ name: "by_principal_status",
2063
+ columns: ["principalId", "status"]
2064
+ }
2065
+ ]
2066
+ });
2067
+ defineTable({
2068
+ name: "secretSyncDriftReports",
2069
+ component: "mc",
2070
+ category: "runtime",
2071
+ shape: z.object({
2072
+ reportId: z.string(),
2073
+ source: z.enum(["infisical_manifest", "manual", "ci"]),
2074
+ generatedAt: z.number(),
2075
+ recordedAt: z.number(),
2076
+ recordedBy: z.string(),
2077
+ status: z.enum([
2078
+ "in_sync",
2079
+ "drift",
2080
+ "exception",
2081
+ "blocked",
2082
+ "not_observed"
2083
+ ]),
2084
+ reportHash: z.string(),
2085
+ manifestHash: z.string().optional(),
2086
+ dryRunReceiptId: z.string().optional(),
2087
+ appliedReceiptId: z.string().optional(),
2088
+ summary: z.object({
2089
+ totalPipelines: z.number(),
2090
+ inSync: z.number(),
2091
+ drift: z.number(),
2092
+ exception: z.number(),
2093
+ blocked: z.number(),
2094
+ notObserved: z.number(),
2095
+ missingKeys: z.number(),
2096
+ valueDriftKeys: z.number(),
2097
+ extraKeys: z.number(),
2098
+ deniedConvexLeakage: z.number(),
2099
+ approvedExceptions: z.number()
2100
+ }),
2101
+ redactedReport: z.record(z.any()),
2102
+ metadata: z.record(z.any()).optional()
2103
+ }),
2104
+ indices: [
2105
+ { kind: "index", name: "by_reportId", columns: ["reportId"] },
2106
+ { kind: "index", name: "by_reportHash", columns: ["reportHash"] },
2107
+ { kind: "index", name: "by_generatedAt", columns: ["generatedAt"] },
2108
+ {
2109
+ kind: "index",
2110
+ name: "by_status_generatedAt",
2111
+ columns: ["status", "generatedAt"]
2112
+ }
2113
+ ]
2114
+ });
1955
2115
  defineTable({
1956
2116
  name: "controlPlaneTenantModelSlotBindings",
1957
2117
  component: "mc",
1958
2118
  category: "runtime",
1959
2119
  shape: z.object({
1960
- "bindingId": z.string(),
1961
- "tenantId": idOf("tenants"),
1962
- "providerId": z.string(),
1963
- "modelSlotId": z.string(),
1964
- "secretRef": z.string(),
1965
- "status": z.enum(["active", "revoked"]),
1966
- "passThroughOnly": z.boolean(),
1967
- "revokedAt": z.number().optional(),
1968
- "revokedBy": z.string().optional(),
1969
- "metadata": z.record(z.any()).optional(),
1970
- "createdBy": z.string(),
1971
- "createdAt": z.number(),
1972
- "updatedAt": z.number()
2120
+ bindingId: z.string(),
2121
+ tenantId: idOf("tenants"),
2122
+ workspaceId: idOf("workspaces").optional(),
2123
+ environment: z.enum(["dev", "staging", "prod"]).optional(),
2124
+ providerId: z.string(),
2125
+ modelSlotId: z.string(),
2126
+ secretRef: z.string(),
2127
+ status: z.enum(["active", "revoked"]),
2128
+ passThroughOnly: z.boolean(),
2129
+ revokedAt: z.number().optional(),
2130
+ revokedBy: z.string().optional(),
2131
+ metadata: z.record(z.any()).optional(),
2132
+ createdBy: z.string(),
2133
+ createdAt: z.number(),
2134
+ updatedAt: z.number()
1973
2135
  }),
1974
2136
  indices: [
1975
2137
  { kind: "index", name: "by_bindingId", columns: ["bindingId"] },
1976
2138
  { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
1977
- { kind: "index", name: "by_tenant_slot", columns: ["tenantId", "modelSlotId"] },
1978
- { kind: "index", name: "by_tenant_provider_slot", columns: ["tenantId", "providerId", "modelSlotId"] },
2139
+ {
2140
+ kind: "index",
2141
+ name: "by_tenant_slot",
2142
+ columns: ["tenantId", "modelSlotId"]
2143
+ },
2144
+ {
2145
+ kind: "index",
2146
+ name: "by_tenant_provider_slot",
2147
+ columns: ["tenantId", "providerId", "modelSlotId"]
2148
+ },
1979
2149
  { kind: "index", name: "by_secretRef", columns: ["secretRef"] },
1980
2150
  { kind: "index", name: "by_status", columns: ["status"] }
1981
2151
  ]
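Review bot: In the new `secretSyncDriftReports` table, `redactedReport: z.record(z.any())` is redacted in name only: the schema accepts any value under any key, including the secret values whose drift is counted in `valueDriftKeys`. The row already carries `reportHash` and `manifestHash`, so the stored report presumably needs only key names, statuses and hashes. I would narrow the value type if reports are flat, e.g. `redactedReport: z.record(z.union([z.string(), z.number(), z.boolean(), z.null()]))`, or at minimum document the invariant on the field: `// key names, statuses and hashes only; secret values must be stripped before insert`. The same concern applies to `desiredPayload: z.record(z.any())` and the free-text `lastError` in `permitSyncStates` just above, which may carry whatever an upstream error message contained.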
@@ -1985,29 +2155,42 @@ defineTable({
1985
2155
  component: "mc",
1986
2156
  category: "runtime",
1987
2157
  shape: z.object({
1988
- "secretRef": z.string(),
1989
- "tenantId": idOf("tenants"),
1990
- "providerId": z.string(),
1991
- "label": z.string().optional(),
1992
- "encryptedSecret": z.string(),
1993
- "encryptionVersion": z.string(),
1994
- "secretFingerprint": z.string(),
1995
- "keyHint": z.string(),
1996
- "status": z.enum(["active", "revoked"]),
1997
- "rotatedFromSecretRef": z.string().optional(),
1998
- "revokedAt": z.number().optional(),
1999
- "revokedBy": z.string().optional(),
2000
- "lastUsedAt": z.number().optional(),
2001
- "metadata": z.record(z.any()).optional(),
2002
- "createdBy": z.string(),
2003
- "createdAt": z.number(),
2004
- "updatedAt": z.number()
2158
+ secretRef: z.string(),
2159
+ tenantId: idOf("tenants"),
2160
+ workspaceId: idOf("workspaces").optional(),
2161
+ environment: z.enum(["dev", "staging", "prod"]).optional(),
2162
+ providerId: z.string(),
2163
+ label: z.string().optional(),
2164
+ encryptedSecret: z.string().optional(),
2165
+ infisicalPath: z.string().optional(),
2166
+ infisicalSecretKey: z.string().optional(),
2167
+ infisicalProjectId: z.string().optional(),
2168
+ encryptionVersion: z.string(),
2169
+ secretFingerprint: z.string(),
2170
+ keyHint: z.string(),
2171
+ status: z.enum(["active", "revoked"]),
2172
+ rotatedFromSecretRef: z.string().optional(),
2173
+ revokedAt: z.number().optional(),
2174
+ revokedBy: z.string().optional(),
2175
+ lastUsedAt: z.number().optional(),
2176
+ metadata: z.record(z.any()).optional(),
2177
+ createdBy: z.string(),
2178
+ createdAt: z.number(),
2179
+ updatedAt: z.number()
2005
2180
  }),
2006
2181
  indices: [
2007
2182
  { kind: "index", name: "by_secretRef", columns: ["secretRef"] },
2008
2183
  { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
2009
- { kind: "index", name: "by_tenant_provider", columns: ["tenantId", "providerId"] },
2010
- { kind: "index", name: "by_tenant_provider_status", columns: ["tenantId", "providerId", "status"] },
2184
+ {
2185
+ kind: "index",
2186
+ name: "by_tenant_provider",
2187
+ columns: ["tenantId", "providerId"]
2188
+ },
2189
+ {
2190
+ kind: "index",
2191
+ name: "by_tenant_provider_status",
2192
+ columns: ["tenantId", "providerId", "status"]
2193
+ },
2011
2194
  { kind: "index", name: "by_status", columns: ["status"] }
2012
2195
  ]
2013
2196
  });
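Review bot: `encryptedSecret` becomes optional and the three `infisical*` fields are optional as well, so the shape now accepts an active row that has no secret source at all. `encryptionVersion` and `secretFingerprint` stay required even for a row that only points at Infisical, which leaves open what they describe in that case. I would state the rule where the row is written, or on the schema if `defineTable` accepts a refined object: `.refine((s) => s.encryptedSecret !== undefined || (s.infisicalPath !== undefined && s.infisicalSecretKey !== undefined))`. A short comment on `encryptionVersion` saying what it holds for externally stored secrets would help the next reader. The table's `name` line is outside the hunk.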
@@ -2016,35 +2199,93 @@ defineTable({
2016
2199
  component: "mc",
2017
2200
  category: "runtime",
2018
2201
  shape: z.object({
2019
- "usageId": z.string(),
2020
- "tenantId": idOf("tenants"),
2021
- "providerId": z.string(),
2022
- "modelSlotId": z.string(),
2023
- "secretRef": z.string(),
2024
- "proxyTokenId": z.string(),
2025
- "sessionId": z.string(),
2026
- "principalId": z.string(),
2027
- "workspaceId": z.string().optional(),
2028
- "modelId": z.string().optional(),
2029
- "requestPath": z.string(),
2030
- "status": z.enum(["success", "error"]),
2031
- "responseStatus": z.number().optional(),
2032
- "inputTokens": z.number().optional(),
2033
- "outputTokens": z.number().optional(),
2034
- "tokenCount": z.number().optional(),
2035
- "latencyMs": z.number(),
2036
- "estimatedCostUsd": z.number().optional(),
2037
- "failureCode": z.string().optional(),
2038
- "metadata": z.record(z.any()).optional(),
2039
- "createdAt": z.number(),
2040
- "updatedAt": z.number()
2202
+ usageId: z.string(),
2203
+ tenantId: idOf("tenants"),
2204
+ providerId: z.string(),
2205
+ modelSlotId: z.string(),
2206
+ secretRef: z.string(),
2207
+ proxyTokenId: z.string(),
2208
+ sessionId: z.string(),
2209
+ principalId: z.string(),
2210
+ workspaceId: z.string().optional(),
2211
+ modelId: z.string().optional(),
2212
+ requestPath: z.string(),
2213
+ status: z.enum(["success", "error"]),
2214
+ responseStatus: z.number().optional(),
2215
+ inputTokens: z.number().optional(),
2216
+ outputTokens: z.number().optional(),
2217
+ tokenCount: z.number().optional(),
2218
+ latencyMs: z.number(),
2219
+ estimatedCostUsd: z.number().optional(),
2220
+ failureCode: z.string().optional(),
2221
+ metadata: z.record(z.any()).optional(),
2222
+ createdAt: z.number(),
2223
+ updatedAt: z.number()
2041
2224
  }),
2042
2225
  indices: [
2043
2226
  { kind: "index", name: "by_usageId", columns: ["usageId"] },
2044
2227
  { kind: "index", name: "by_tenantId", columns: ["tenantId", "createdAt"] },
2045
- { kind: "index", name: "by_tenant_provider", columns: ["tenantId", "providerId", "createdAt"] },
2046
- { kind: "index", name: "by_proxyTokenId", columns: ["proxyTokenId", "createdAt"] },
2047
- { kind: "index", name: "by_sessionId", columns: ["sessionId", "createdAt"] }
2228
+ {
2229
+ kind: "index",
2230
+ name: "by_tenant_provider",
2231
+ columns: ["tenantId", "providerId", "createdAt"]
2232
+ },
2233
+ {
2234
+ kind: "index",
2235
+ name: "by_proxyTokenId",
2236
+ columns: ["proxyTokenId", "createdAt"]
2237
+ },
2238
+ {
2239
+ kind: "index",
2240
+ name: "by_sessionId",
2241
+ columns: ["sessionId", "createdAt"]
2242
+ }
2243
+ ]
2244
+ });
2245
+ defineTable({
2246
+ name: "controlPlaneTenantProxyTokenLeases",
2247
+ component: "mc",
2248
+ category: "runtime",
2249
+ shape: z.object({
2250
+ leaseId: z.string(),
2251
+ proxyTokenId: z.string(),
2252
+ tenantId: idOf("tenants"),
2253
+ workspaceId: idOf("workspaces").optional(),
2254
+ environment: z.enum(["dev", "staging", "prod"]),
2255
+ providerId: z.string(),
2256
+ modelSlotId: z.string(),
2257
+ bindingId: z.string(),
2258
+ secretRef: z.string(),
2259
+ sessionId: z.string(),
2260
+ principalId: z.string(),
2261
+ agentSessionId: z.string().optional(),
2262
+ status: z.enum(["active", "revoked"]),
2263
+ expiresAt: z.number(),
2264
+ renewedAt: z.number().optional(),
2265
+ revokedAt: z.number().optional(),
2266
+ revokedBy: z.string().optional(),
2267
+ revokeReason: z.string().optional(),
2268
+ permitDecisionLogId: idOf("policyDecisionLogs").optional(),
2269
+ permitTraceId: z.string().optional(),
2270
+ metadata: z.record(z.any()).optional(),
2271
+ createdAt: z.number(),
2272
+ updatedAt: z.number()
2273
+ }),
2274
+ indices: [
2275
+ { kind: "index", name: "by_leaseId", columns: ["leaseId"] },
2276
+ { kind: "index", name: "by_proxyTokenId", columns: ["proxyTokenId"] },
2277
+ { kind: "index", name: "by_tenantId", columns: ["tenantId", "createdAt"] },
2278
+ { kind: "index", name: "by_sessionId", columns: ["sessionId", "createdAt"] },
2279
+ {
2280
+ kind: "index",
2281
+ name: "by_principalId",
2282
+ columns: ["principalId", "createdAt"]
2283
+ },
2284
+ {
2285
+ kind: "index",
2286
+ name: "by_status_expiresAt",
2287
+ columns: ["status", "expiresAt"]
2288
+ }
2048
2289
  ]
2049
2290
  });
2050
2291
  defineTable({
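Review bot: `controlPlaneTenantProxyTokenLeases` gives `status` only the values `"active"` and `"revoked"`, so a lease whose `expiresAt` has passed still reads as active. Every consumer therefore has to check both fields; the `by_status_expiresAt` index suggests that is the intent, but nothing on the table says so. I would document it on the field: `// "active" does not imply valid: a lease is usable only while status === "active" && expiresAt > now`. The code that reads this table is not visible in this diff.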
@@ -2377,6 +2618,7 @@ defineTable({
2377
2618
  "questionType": z.enum(["validation", "falsification", "assumption_probe", "prediction_test", "counterfactual", "discovery", "clarification", "comparison", "causal", "mechanism", "general"]).optional(),
2378
2619
  "questionPriority": z.enum(["critical", "high", "medium", "low"]).optional(),
2379
2620
  "answerQuality": z.enum(["definitive", "strong", "moderate", "weak", "speculative", "unanswered"]).optional(),
2621
+ "themeStatus": z.enum(["emerging", "active", "mature", "declining", "archived"]).optional(),
2380
2622
  "themeConviction": z.enum(["high", "medium", "low", "negative"]).optional(),
2381
2623
  "decisionType": z.enum(["invest", "pass", "follow_on", "exit", "deep_dive", "monitor", "deprioritize", "thesis_adopt", "thesis_revise", "thesis_abandon"]).optional(),
2382
2624
  "decisionOutcome": z.enum(["pending", "successful", "unsuccessful", "mixed", "unknown"]).optional(),
@@ -2527,6 +2769,7 @@ defineTable({
2527
2769
  indices: [
2528
2770
  { kind: "index", name: "by_principalId", columns: ["principalId"] },
2529
2771
  { kind: "index", name: "by_principal_tenant", columns: ["principalId", "tenantId"] },
2772
+ { kind: "index", name: "by_principal_tenant_workspace", columns: ["principalId", "tenantId", "workspaceId"] },
2530
2773
  { kind: "index", name: "by_workspace_principal", columns: ["workspaceId", "principalId"] },
2531
2774
  { kind: "index", name: "by_tenant_role", columns: ["tenantId", "role"] },
2532
2775
  { kind: "index", name: "by_status", columns: ["status"] }
@@ -2558,6 +2801,36 @@ defineTable({
2558
2801
  { kind: "index", name: "by_status", columns: ["status"] }
2559
2802
  ]
2560
2803
  });
2804
+ defineTable({
2805
+ name: "principalIdentityAliases",
2806
+ component: "mc",
2807
+ category: "identity",
2808
+ shape: z.object({
2809
+ "principalId": z.string(),
2810
+ "principalRefId": idOf("principals").optional(),
2811
+ "provider": z.string(),
2812
+ "providerProjectId": z.string().optional(),
2813
+ "externalSubjectId": z.string(),
2814
+ "tenantId": idOf("tenants").optional(),
2815
+ "workspaceId": idOf("workspaces").optional(),
2816
+ "email": z.string().optional(),
2817
+ "status": z.enum(["active", "revoked"]),
2818
+ "metadata": z.record(z.any()).optional(),
2819
+ "createdBy": z.string(),
2820
+ "revokedAt": z.number().optional(),
2821
+ "revokedBy": z.string().optional(),
2822
+ "createdAt": z.number(),
2823
+ "updatedAt": z.number()
2824
+ }),
2825
+ indices: [
2826
+ { kind: "index", name: "by_provider_subject", columns: ["provider", "externalSubjectId"] },
2827
+ { kind: "index", name: "by_provider_project_subject", columns: ["provider", "providerProjectId", "externalSubjectId"] },
2828
+ { kind: "index", name: "by_principalId", columns: ["principalId"] },
2829
+ { kind: "index", name: "by_principal_status", columns: ["principalId", "status"] },
2830
+ { kind: "index", name: "by_tenant_provider_subject", columns: ["tenantId", "provider", "externalSubjectId"] },
2831
+ { kind: "index", name: "by_workspace_provider_subject", columns: ["workspaceId", "provider", "externalSubjectId"] }
2832
+ ]
2833
+ });
2561
2834
  defineTable({
2562
2835
  name: "rateLimitWindows",
2563
2836
  component: "mc",
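Review bot: `principalIdentityAliases` indexes `(provider, externalSubjectId)` in `by_provider_subject` without `providerProjectId`, and every index is a plain `kind: "index"`, so the schema permits two active rows that map the same external subject to different principals. Subject identifiers are generally unique only within one issuer or project, so a lookup through `by_provider_subject` alone can match a subject from another project of the same provider. I would document the resolution rule on the table, e.g. `// resolve via by_provider_project_subject when providerProjectId is set; accept only status === "active"; never resolve by email`. Single-active-alias uniqueness needs enforcing in the upsert path since the index does not provide it; that code is not part of this hunk.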
@@ -3147,7 +3420,7 @@ defineTable({
3147
3420
  });
3148
3421
  defineTable({
3149
3422
  name: "mcpWritePolicy",
3150
- component: "identity",
3423
+ component: "control-plane",
3151
3424
  category: "platform",
3152
3425
  shape: z.object({
3153
3426
  "topicId": z.string().optional(),
@@ -3170,7 +3443,7 @@ defineTable({
3170
3443
  });
3171
3444
  defineTable({
3172
3445
  name: "platformAudienceGrants",
3173
- component: "identity",
3446
+ component: "control-plane",
3174
3447
  category: "platform",
3175
3448
  shape: z.object({
3176
3449
  "tenantId": z.string(),
@@ -3196,7 +3469,7 @@ defineTable({
3196
3469
  });
3197
3470
  defineTable({
3198
3471
  name: "platformAudiences",
3199
- component: "identity",
3472
+ component: "control-plane",
3200
3473
  category: "platform",
3201
3474
  shape: z.object({
3202
3475
  "tenantId": z.string(),
@@ -3221,7 +3494,7 @@ defineTable({
3221
3494
  });
3222
3495
  defineTable({
3223
3496
  name: "platformPolicyDecisionLogs",
3224
- component: "identity",
3497
+ component: "control-plane",
3225
3498
  category: "platform",
3226
3499
  shape: z.object({
3227
3500
  "principalId": z.string(),
@@ -3257,7 +3530,7 @@ defineTable({
3257
3530
  });
3258
3531
  defineTable({
3259
3532
  name: "tenantApiKeys",
3260
- component: "identity",
3533
+ component: "control-plane",
3261
3534
  category: "platform",
3262
3535
  shape: z.object({
3263
3536
  "tenantId": z.string(),
@@ -3284,7 +3557,7 @@ defineTable({
3284
3557
  });
3285
3558
  defineTable({
3286
3559
  name: "tenantConfig",
3287
- component: "identity",
3560
+ component: "control-plane",
3288
3561
  category: "platform",
3289
3562
  shape: z.object({
3290
3563
  "tenantId": z.string(),
@@ -3303,7 +3576,7 @@ defineTable({
3303
3576
  });
3304
3577
  defineTable({
3305
3578
  name: "tenantIntegrations",
3306
- component: "identity",
3579
+ component: "control-plane",
3307
3580
  category: "platform",
3308
3581
  shape: z.object({
3309
3582
  "tenantId": z.string(),
@@ -3358,7 +3631,7 @@ defineTable({
3358
3631
  });
3359
3632
  defineTable({
3360
3633
  name: "tenantModelSlotBindings",
3361
- component: "identity",
3634
+ component: "control-plane",
3362
3635
  category: "platform",
3363
3636
  shape: z.object({
3364
3637
  "bindingId": z.string(),
@@ -3386,7 +3659,7 @@ defineTable({
3386
3659
  });
3387
3660
  defineTable({
3388
3661
  name: "tenantPolicies",
3389
- component: "identity",
3662
+ component: "control-plane",
3390
3663
  category: "platform",
3391
3664
  shape: z.object({
3392
3665
  "tenantId": z.string(),
@@ -3411,7 +3684,7 @@ defineTable({
3411
3684
  });
3412
3685
  defineTable({
3413
3686
  name: "tenantProviderSecrets",
3414
- component: "identity",
3687
+ component: "control-plane",
3415
3688
  category: "platform",
3416
3689
  shape: z.object({
3417
3690
  "secretRef": z.string(),
@@ -3442,7 +3715,7 @@ defineTable({
3442
3715
  });
3443
3716
  defineTable({
3444
3717
  name: "tenantProxyGatewayUsage",
3445
- component: "identity",
3718
+ component: "control-plane",
3446
3719
  category: "platform",
3447
3720
  shape: z.object({
3448
3721
  "usageId": z.string(),
@@ -3477,7 +3750,7 @@ defineTable({
3477
3750
  });
3478
3751
  defineTable({
3479
3752
  name: "tenantProxyTokenMints",
3480
- component: "identity",
3753
+ component: "control-plane",
3481
3754
  category: "platform",
3482
3755
  shape: z.object({
3483
3756
  "proxyTokenId": z.string(),
@@ -3500,7 +3773,7 @@ defineTable({
3500
3773
  });
3501
3774
  defineTable({
3502
3775
  name: "tenantSandboxAuditEvents",
3503
- component: "identity",
3776
+ component: "control-plane",
3504
3777
  category: "platform",
3505
3778
  shape: z.object({
3506
3779
  "eventId": z.string(),
@@ -3534,7 +3807,7 @@ defineTable({
3534
3807
  });
3535
3808
  defineTable({
3536
3809
  name: "tenantSecrets",
3537
- component: "identity",
3810
+ component: "control-plane",
3538
3811
  category: "platform",
3539
3812
  shape: z.object({
3540
3813
  "tenantId": z.string(),
@@ -3556,7 +3829,7 @@ defineTable({
3556
3829
  });
3557
3830
  defineTable({
3558
3831
  name: "toolAcls",
3559
- component: "identity",
3832
+ component: "control-plane",
3560
3833
  category: "platform",
3561
3834
  shape: z.object({
3562
3835
  "role": z.enum(["platform_admin", "tenant_admin", "workspace_admin", "editor", "viewer", "auditor", "service_agent"]),
@@ -3571,7 +3844,7 @@ defineTable({
3571
3844
  });
3572
3845
  defineTable({
3573
3846
  name: "toolRegistry",
3574
- component: "identity",
3847
+ component: "control-plane",
3575
3848
  category: "platform",
3576
3849
  shape: z.object({
3577
3850
  "toolName": z.string(),
@@ -3652,7 +3925,7 @@ defineTable({
3652
3925
  });
3653
3926
  defineTable({
3654
3927
  name: "modelCallLogs",
3655
- component: "identity",
3928
+ component: "control-plane",
3656
3929
  category: "model",
3657
3930
  shape: z.object({
3658
3931
  "slot": z.string(),
@@ -3678,7 +3951,7 @@ defineTable({
3678
3951
  });
3679
3952
  defineTable({
3680
3953
  name: "modelFunctionSlots",
3681
- component: "identity",
3954
+ component: "control-plane",
3682
3955
  category: "model",
3683
3956
  shape: z.object({
3684
3957
  "slot": z.string(),
@@ -3703,7 +3976,7 @@ defineTable({
3703
3976
  });
3704
3977
  defineTable({
3705
3978
  name: "modelRegistry",
3706
- component: "identity",
3979
+ component: "control-plane",
3707
3980
  category: "model",
3708
3981
  shape: z.object({
3709
3982
  "key": z.string(),
@@ -3730,7 +4003,7 @@ defineTable({
3730
4003
  });
3731
4004
  defineTable({
3732
4005
  name: "modelSlotConfigs",
3733
- component: "identity",
4006
+ component: "control-plane",
3734
4007
  category: "model",
3735
4008
  shape: z.object({
3736
4009
  "slot": z.string(),
@@ -4117,7 +4390,7 @@ defineTable({
4117
4390
  "workspaceId": idOf("workspaces").optional(),
4118
4391
  "resourceType": z.string(),
4119
4392
  "resourceId": z.string(),
4120
- "action": z.enum(["read", "summarize", "export", "mutate", "admin", "comment", "escalate", "resolve", "vote"]),
4393
+ "action": z.enum(["read", "summarize", "export", "mutate", "admin", "comment", "escalate", "resolve", "vote", "route", "invoke", "manage", "deploy", "promote", "rollback", "audit", "read_ref", "fetch_value", "rotate", "administer", "mint", "delegate", "revoke"]),
4121
4394
  "decision": z.enum(["allow", "deny"]),
4122
4395
  "reasonCode": z.string(),
4123
4396
  "policyVersion": z.string(),
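Review bot: The widened `action` enum now lists `admin`, `administer` and `manage` side by side, and nothing in the hunk says how they differ. Two writers can therefore record the same operation under different verbs, and a report or alert keyed on one verb would miss the others. A short comment above the field defining each of the three would settle it; any that are only aliases could instead be dropped. The list is also spelled inline here, while `permitPolicyDecisionReceipts.action`, added later in this diff, is a plain `z.string()`, so a shared constant used by both would keep the two decision records comparable. The enclosing `defineTable` starts and ends outside this hunk.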
@@ -4179,7 +4452,7 @@ defineTable({
4179
4452
  });
4180
4453
  defineTable({
4181
4454
  name: "projectGrants",
4182
- component: "identity",
4455
+ component: "control-plane",
4183
4456
  category: "project",
4184
4457
  shape: z.object({
4185
4458
  "projectId": z.string().optional(),
@@ -4211,9 +4484,648 @@ defineTable({
4211
4484
  { kind: "index", name: "by_topic_cluster_status", columns: ["topicId", "beliefClusterId", "status"] }
4212
4485
  ]
4213
4486
  });
4487
+ var permitActorType = z.enum([
4488
+ "human",
4489
+ "agent",
4490
+ "service_principal",
4491
+ "external_stakeholder",
4492
+ "system"
4493
+ ]);
4494
+ var permitMembershipStatus = z.enum([
4495
+ "active",
4496
+ "invited",
4497
+ "revoked",
4498
+ "suspended",
4499
+ "disabled"
4500
+ ]);
4501
+ var permitDecision = z.enum(["allow", "deny"]);
4502
+ var permitAccessReviewStatus = z.enum([
4503
+ "open",
4504
+ "in_progress",
4505
+ "approved",
4506
+ "denied",
4507
+ "expired",
4508
+ "cancelled"
4509
+ ]);
4510
+ var permitReviewScope = z.enum([
4511
+ "tenant",
4512
+ "workspace",
4513
+ "resource_instance",
4514
+ "group",
4515
+ "principal",
4516
+ "api_key",
4517
+ "admin_action"
4518
+ ]);
4519
+ var permitRecordStatus = z.enum([
4520
+ "queued",
4521
+ "inflight",
4522
+ "completed",
4523
+ "failed",
4524
+ "skipped",
4525
+ "stale"
4526
+ ]);
4527
+ var permitObjectType = z.enum([
4528
+ "resource",
4529
+ "role",
4530
+ "resource_role",
4531
+ "resource_relation",
4532
+ "tenant",
4533
+ "workspace",
4534
+ "principal",
4535
+ "membership",
4536
+ "group",
4537
+ "resource_instance",
4538
+ "relationship_tuple",
4539
+ "role_assignment"
4540
+ ]);
4541
+ var permitOutboxOperation = z.enum([
4542
+ "upsert",
4543
+ "delete",
4544
+ "sync",
4545
+ "resync",
4546
+ "delete_sync",
4547
+ "noop"
4548
+ ]);
4549
+ var permitPolicyBundleStatus = z.enum([
4550
+ "draft",
4551
+ "validated",
4552
+ "enforced",
4553
+ "archived"
4554
+ ]);
4555
+ var permitSyncStatus = z.enum([
4556
+ "pending",
4557
+ "synced",
4558
+ "error",
4559
+ "skipped"
4560
+ ]);
4561
+ var permitAccessReviewSubjectType = z.enum([
4562
+ "principal",
4563
+ "group",
4564
+ "role_assignment",
4565
+ "resource_instance"
4566
+ ]);
4567
+ var permitAttributeType = z.enum([
4568
+ "string",
4569
+ "number",
4570
+ "bool",
4571
+ "json",
4572
+ "time"
4573
+ ]);
4574
+ var permitAttributeOperator = z.enum([
4575
+ "eq",
4576
+ "neq",
4577
+ "in",
4578
+ "not_in",
4579
+ "gt",
4580
+ "gte",
4581
+ "lt",
4582
+ "lte",
4583
+ "contains",
4584
+ "not_contains",
4585
+ "matches"
4586
+ ]);
4587
+ var permitRoleBindingTarget = z.enum([
4588
+ "principal",
4589
+ "group"
4590
+ ]);
4591
+ defineTable({
4592
+ name: "permitPrincipals",
4593
+ component: "control-plane",
4594
+ category: "access-control",
4595
+ shape: z.object({
4596
+ principalId: z.string(),
4597
+ tenantId: z.string(),
4598
+ workspaceId: z.optional(z.string()),
4599
+ principalType: permitActorType,
4600
+ status: permitMembershipStatus,
4601
+ displayName: z.string().optional(),
4602
+ metadata: z.record(z.any()).optional(),
4603
+ createdBy: z.string(),
4604
+ createdAt: z.number(),
4605
+ updatedAt: z.number(),
4606
+ updatedBy: z.string().optional(),
4607
+ lastSeenAt: z.number().optional()
4608
+ }),
4609
+ indices: [
4610
+ { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
4611
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
4612
+ { kind: "index", name: "by_tenant_principalId", columns: ["tenantId", "principalId"] },
4613
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] },
4614
+ {
4615
+ kind: "index",
4616
+ name: "by_tenant_principalType_status",
4617
+ columns: ["tenantId", "principalType", "status"]
4618
+ }
4619
+ ]
4620
+ });
4621
+ defineTable({
4622
+ name: "permitPrincipalAliases",
4623
+ component: "control-plane",
4624
+ category: "access-control",
4625
+ shape: z.object({
4626
+ principalId: z.string(),
4627
+ tenantId: z.string(),
4628
+ workspaceId: z.optional(z.string()),
4629
+ provider: z.string(),
4630
+ providerSubjectId: z.string(),
4631
+ providerProjectId: z.string().optional(),
4632
+ alias: z.string(),
4633
+ aliasKind: z.string(),
4634
+ status: permitMembershipStatus,
4635
+ metadata: z.record(z.any()).optional(),
4636
+ createdBy: z.string(),
4637
+ createdAt: z.number(),
4638
+ updatedAt: z.number(),
4639
+ revokedBy: z.string().optional(),
4640
+ revokedAt: z.number().optional(),
4641
+ updatedBy: z.string().optional()
4642
+ }),
4643
+ indices: [
4644
+ { kind: "index", name: "by_principalId", columns: ["principalId"] },
4645
+ { kind: "index", name: "by_tenant_provider_subject", columns: ["tenantId", "provider", "providerSubjectId"] },
4646
+ {
4647
+ kind: "index",
4648
+ name: "by_tenant_provider_alias",
4649
+ columns: ["tenantId", "provider", "alias"]
4650
+ },
4651
+ { kind: "index", name: "by_tenant_alias", columns: ["tenantId", "alias"] },
4652
+ {
4653
+ kind: "index",
4654
+ name: "by_tenant_provider_status",
4655
+ columns: ["tenantId", "provider", "status"]
4656
+ }
4657
+ ]
4658
+ });
4659
+ defineTable({
4660
+ name: "permitGroups",
4661
+ component: "control-plane",
4662
+ category: "access-control",
4663
+ shape: z.object({
4664
+ tenantId: z.string(),
4665
+ workspaceId: z.optional(z.string()),
4666
+ groupId: z.string(),
4667
+ groupKey: z.string(),
4668
+ groupName: z.string(),
4669
+ groupType: z.enum(["tenant", "workspace", "external", "system", "dynamic"]),
4670
+ status: permitMembershipStatus,
4671
+ description: z.string().optional(),
4672
+ metadata: z.record(z.any()).optional(),
4673
+ createdBy: z.string(),
4674
+ createdAt: z.number(),
4675
+ updatedAt: z.number(),
4676
+ updatedBy: z.string().optional()
4677
+ }),
4678
+ indices: [
4679
+ { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
4680
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
4681
+ { kind: "index", name: "by_tenant_groupId", columns: ["tenantId", "groupId"] },
4682
+ { kind: "index", name: "by_tenant_groupKey", columns: ["tenantId", "groupKey"] },
4683
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] }
4684
+ ]
4685
+ });
4686
+ defineTable({
4687
+ name: "permitGroupMemberships",
4688
+ component: "control-plane",
4689
+ category: "access-control",
4690
+ shape: z.object({
4691
+ tenantId: z.string(),
4692
+ workspaceId: z.optional(z.string()),
4693
+ groupId: z.string(),
4694
+ memberType: z.enum(["principal", "group"]),
4695
+ memberId: z.string(),
4696
+ principalId: z.string().optional(),
4697
+ childGroupId: z.string().optional(),
4698
+ status: permitMembershipStatus,
4699
+ addedBy: z.string().optional(),
4700
+ revokedBy: z.string().optional(),
4701
+ expiresAt: z.number().optional(),
4702
+ revocationReason: z.string().optional(),
4703
+ metadata: z.record(z.any()).optional(),
4704
+ createdAt: z.number(),
4705
+ updatedAt: z.number(),
4706
+ updatedBy: z.string().optional()
4707
+ }),
4708
+ indices: [
4709
+ { kind: "index", name: "by_tenant_principal", columns: ["tenantId", "principalId"] },
4710
+ { kind: "index", name: "by_tenant_member", columns: ["tenantId", "memberType", "memberId"] },
4711
+ {
4712
+ kind: "index",
4713
+ name: "by_tenant_member_group",
4714
+ columns: ["tenantId", "memberType", "memberId", "groupId"]
4715
+ },
4716
+ { kind: "index", name: "by_tenant_group", columns: ["tenantId", "groupId"] },
4717
+ { kind: "index", name: "by_member_group", columns: ["memberType", "memberId", "groupId"] },
4718
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] },
4719
+ {
4720
+ kind: "index",
4721
+ name: "by_workspace_principal",
4722
+ columns: ["workspaceId", "principalId"]
4723
+ }
4724
+ ]
4725
+ });
4726
+ defineTable({
4727
+ name: "permitResourceInstances",
4728
+ component: "control-plane",
4729
+ category: "access-control",
4730
+ shape: z.object({
4731
+ tenantId: z.string(),
4732
+ workspaceId: z.optional(z.string()),
4733
+ resourceType: z.string(),
4734
+ resourceKey: z.string(),
4735
+ resourceId: z.string(),
4736
+ status: z.enum(["active", "deleted", "archived"]),
4737
+ attributes: z.record(z.any()).optional(),
4738
+ ownerPrincipalId: z.string().optional(),
4739
+ metadata: z.record(z.any()).optional(),
4740
+ createdBy: z.string(),
4741
+ updatedBy: z.string().optional(),
4742
+ createdAt: z.number(),
4743
+ updatedAt: z.number()
4744
+ }),
4745
+ indices: [
4746
+ {
4747
+ kind: "index",
4748
+ name: "by_tenant_resource_type",
4749
+ columns: ["tenantId", "resourceType"]
4750
+ },
4751
+ {
4752
+ kind: "index",
4753
+ name: "by_tenant_resource_key",
4754
+ columns: ["tenantId", "resourceType", "resourceKey"]
4755
+ },
4756
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
4757
+ { kind: "index", name: "by_status", columns: ["status"] },
4758
+ {
4759
+ kind: "index",
4760
+ name: "by_tenant_status",
4761
+ columns: ["tenantId", "status"]
4762
+ },
4763
+ {
4764
+ kind: "index",
4765
+ name: "by_ownerPrincipalId",
4766
+ columns: ["ownerPrincipalId"]
4767
+ }
4768
+ ]
4769
+ });
4770
+ defineTable({
4771
+ name: "permitRoleAssignments",
4772
+ component: "control-plane",
4773
+ category: "access-control",
4774
+ shape: z.object({
4775
+ tenantId: z.string(),
4776
+ workspaceId: z.optional(z.string()),
4777
+ role: z.string(),
4778
+ targetType: permitRoleBindingTarget,
4779
+ targetId: z.string(),
4780
+ resourceType: z.string(),
4781
+ resourceKey: z.string(),
4782
+ resourceInstanceId: z.string().optional(),
4783
+ status: permitMembershipStatus,
4784
+ expiresAt: z.number().optional(),
4785
+ attributes: z.record(z.any()).optional(),
4786
+ grantedBy: z.string().optional(),
4787
+ updatedBy: z.string().optional(),
4788
+ revokedBy: z.string().optional(),
4789
+ createdAt: z.number(),
4790
+ updatedAt: z.number()
4791
+ }),
4792
+ indices: [
4793
+ {
4794
+ kind: "index",
4795
+ name: "by_tenant_target",
4796
+ columns: ["tenantId", "targetType", "targetId"]
4797
+ },
4798
+ {
4799
+ kind: "index",
4800
+ name: "by_tenant_resource",
4801
+ columns: ["tenantId", "resourceType", "resourceKey"]
4802
+ },
4803
+ {
4804
+ kind: "index",
4805
+ name: "by_tenant_role",
4806
+ columns: ["tenantId", "role", "status"]
4807
+ },
4808
+ { kind: "index", name: "by_status", columns: ["status"] },
4809
+ {
4810
+ kind: "index",
4811
+ name: "by_workspace_resource",
4812
+ columns: ["workspaceId", "resourceType", "resourceKey"]
4813
+ }
4814
+ ]
4815
+ });
4816
+ defineTable({
4817
+ name: "permitRelationshipTuples",
4818
+ component: "control-plane",
4819
+ category: "access-control",
4820
+ shape: z.object({
4821
+ tenantId: z.string(),
4822
+ workspaceId: z.optional(z.string()),
4823
+ relation: z.string(),
4824
+ subject: z.string(),
4825
+ object: z.string(),
4826
+ resourceType: z.string().optional(),
4827
+ resourceKey: z.string().optional(),
4828
+ status: permitRecordStatus,
4829
+ attributes: z.record(z.any()).optional(),
4830
+ createdBy: z.string(),
4831
+ createdAt: z.number(),
4832
+ updatedAt: z.number(),
4833
+ lastSeenAt: z.number().optional(),
4834
+ updatedBy: z.string().optional()
4835
+ }),
4836
+ indices: [
4837
+ { kind: "index", name: "by_tenant_subject", columns: ["tenantId", "subject"] },
4838
+ { kind: "index", name: "by_tenant_object", columns: ["tenantId", "object"] },
4839
+ { kind: "index", name: "by_tenant_relation", columns: ["tenantId", "relation"] },
4840
+ {
4841
+ kind: "index",
4842
+ name: "by_tenant_relation_subject",
4843
+ columns: ["tenantId", "relation", "subject"]
4844
+ },
4845
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] }
4846
+ ]
4847
+ });
4848
+ defineTable({
4849
+ name: "permitAttributeBindings",
4850
+ component: "control-plane",
4851
+ category: "access-control",
4852
+ shape: z.object({
4853
+ tenantId: z.string(),
4854
+ workspaceId: z.optional(z.string()),
4855
+ targetType: permitRoleBindingTarget,
4856
+ targetId: z.string(),
4857
+ attributeName: z.string(),
4858
+ attributeType: permitAttributeType,
4859
+ attributeOperator: permitAttributeOperator,
4860
+ attributeValue: z.any(),
4861
+ status: permitRecordStatus,
4862
+ source: z.string().optional(),
4863
+ sourceRef: z.string().optional(),
4864
+ metadata: z.record(z.any()).optional(),
4865
+ createdAt: z.number(),
4866
+ updatedAt: z.number(),
4867
+ createdBy: z.string(),
4868
+ updatedBy: z.string().optional(),
4869
+ expiresAt: z.number().optional()
4870
+ }),
4871
+ indices: [
4872
+ {
4873
+ kind: "index",
4874
+ name: "by_tenant_target",
4875
+ columns: ["tenantId", "targetType", "targetId"]
4876
+ },
4877
+ {
4878
+ kind: "index",
4879
+ name: "by_tenant_target_attribute",
4880
+ columns: ["tenantId", "targetType", "targetId", "attributeName"]
4881
+ },
4882
+ {
4883
+ kind: "index",
4884
+ name: "by_tenant_name",
4885
+ columns: ["tenantId", "attributeName"]
4886
+ },
4887
+ {
4888
+ kind: "index",
4889
+ name: "by_tenant_status",
4890
+ columns: ["tenantId", "status"]
4891
+ }
4892
+ ]
4893
+ });
4894
+ defineTable({
4895
+ name: "permitPolicyBundles",
4896
+ component: "control-plane",
4897
+ category: "access-control",
4898
+ shape: z.object({
4899
+ tenantId: z.string(),
4900
+ workspaceId: z.optional(z.string()),
4901
+ bundleKey: z.string(),
4902
+ version: z.number(),
4903
+ status: permitPolicyBundleStatus,
4904
+ policyHash: z.string().optional(),
4905
+ policyPayload: z.record(z.any()),
4906
+ metadata: z.record(z.any()).optional(),
4907
+ createdBy: z.string(),
4908
+ reviewedBy: z.string().optional(),
4909
+ createdAt: z.number(),
4910
+ updatedAt: z.number(),
4911
+ retiredAt: z.number().optional()
4912
+ }),
4913
+ indices: [
4914
+ { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
4915
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
4916
+ {
4917
+ kind: "index",
4918
+ name: "by_tenant_bundleKey",
4919
+ columns: ["tenantId", "bundleKey"]
4920
+ },
4921
+ {
4922
+ kind: "index",
4923
+ name: "by_tenant_bundle_version",
4924
+ columns: ["tenantId", "bundleKey", "version"]
4925
+ },
4926
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] }
4927
+ ]
4928
+ });
4929
+ defineTable({
4930
+ name: "permitProjectionOutbox",
4931
+ component: "control-plane",
4932
+ category: "access-control",
4933
+ shape: z.object({
4934
+ syncKey: z.string(),
4935
+ objectType: permitObjectType,
4936
+ objectId: z.string(),
4937
+ operation: permitOutboxOperation,
4938
+ payload: z.record(z.any()),
4939
+ status: permitRecordStatus,
4940
+ attemptCount: z.number(),
4941
+ nextAttemptAt: z.number().optional(),
4942
+ lastError: z.string().optional(),
4943
+ tenantId: z.string().optional(),
4944
+ workspaceId: z.optional(z.string()),
4945
+ principalId: z.string().optional(),
4946
+ permitTenantKey: z.string().optional(),
4947
+ permitResourceType: z.string().optional(),
4948
+ permitResourceKey: z.string().optional(),
4949
+ createdAt: z.number(),
4950
+ updatedAt: z.number(),
4951
+ lastHandledAt: z.number().optional()
4952
+ }),
4953
+ indices: [
4954
+ { kind: "index", name: "by_syncKey", columns: ["syncKey"] },
4955
+ { kind: "index", name: "by_status", columns: ["status"] },
4956
+ { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
4957
+ {
4958
+ kind: "index",
4959
+ name: "by_tenant_status",
4960
+ columns: ["tenantId", "status"]
4961
+ },
4962
+ {
4963
+ kind: "index",
4964
+ name: "by_objectType",
4965
+ columns: ["objectType", "status"]
4966
+ }
4967
+ ]
4968
+ });
4969
+ defineTable({
4970
+ name: "tenantPermitSyncStates",
4971
+ component: "control-plane",
4972
+ category: "access-control",
4973
+ shape: z.object({
4974
+ syncKey: z.string(),
4975
+ objectType: permitObjectType,
4976
+ objectId: z.string(),
4977
+ tenantId: z.string().optional(),
4978
+ workspaceId: z.string().optional(),
4979
+ principalId: z.string().optional(),
4980
+ permitTenantKey: z.string().optional(),
4981
+ permitResourceType: z.string().optional(),
4982
+ permitResourceKey: z.string().optional(),
4983
+ desiredPayload: z.record(z.any()),
4984
+ lastAppliedPayloadHash: z.string().optional(),
4985
+ status: permitSyncStatus,
4986
+ attemptCount: z.number(),
4987
+ lastError: z.string().optional(),
4988
+ nextAttemptAt: z.number().optional(),
4989
+ lastSyncedAt: z.number().optional(),
4990
+ createdBy: z.string(),
4991
+ updatedBy: z.string().optional(),
4992
+ createdAt: z.number(),
4993
+ updatedAt: z.number()
4994
+ }),
4995
+ indices: [
4996
+ { kind: "index", name: "by_syncKey", columns: ["syncKey"] },
4997
+ { kind: "index", name: "by_status", columns: ["status"] },
4998
+ {
4999
+ kind: "index",
5000
+ name: "by_tenant_status",
5001
+ columns: ["tenantId", "status"]
5002
+ },
5003
+ {
5004
+ kind: "index",
5005
+ name: "by_workspace_status",
5006
+ columns: ["workspaceId", "status"]
5007
+ },
5008
+ {
5009
+ kind: "index",
5010
+ name: "by_principal_status",
5011
+ columns: ["principalId", "status"]
5012
+ }
5013
+ ]
5014
+ });
5015
+ defineTable({
5016
+ name: "permitPolicyDecisionReceipts",
5017
+ component: "control-plane",
5018
+ category: "access-control",
5019
+ shape: z.object({
5020
+ tenantId: z.string().optional(),
5021
+ workspaceId: z.string().optional(),
5022
+ principalId: z.string(),
5023
+ subjectType: permitAccessReviewSubjectType.optional(),
5024
+ subjectId: z.string().optional(),
5025
+ resourceType: z.string(),
5026
+ resourceId: z.string(),
5027
+ action: z.string(),
5028
+ decision: permitDecision,
5029
+ reasonCode: z.string(),
5030
+ policyBundleId: z.string().optional(),
5031
+ policyVersion: z.string(),
5032
+ traceId: z.string().optional(),
5033
+ requestId: z.string().optional(),
5034
+ audienceMode: z.string().optional(),
5035
+ audienceKey: z.string().optional(),
5036
+ audienceClass: z.enum(["internal", "restricted_external", "public"]).optional(),
5037
+ metadata: z.record(z.any()).optional(),
5038
+ createdAt: z.number(),
5039
+ expiresAt: z.number().optional(),
5040
+ createdBy: z.string().optional()
5041
+ }),
5042
+ indices: [
5043
+ { kind: "index", name: "by_principal_createdAt", columns: ["principalId", "createdAt"] },
5044
+ { kind: "index", name: "by_tenant_createdAt", columns: ["tenantId", "createdAt"] },
5045
+ { kind: "index", name: "by_resource", columns: ["resourceType", "resourceId"] },
5046
+ { kind: "index", name: "by_decision_createdAt", columns: ["decision", "createdAt"] },
5047
+ { kind: "index", name: "by_traceId", columns: ["traceId"] },
5048
+ { kind: "index", name: "by_action", columns: ["action"] }
5049
+ ]
5050
+ });
5051
+ defineTable({
5052
+ name: "permitAccessReviews",
5053
+ component: "control-plane",
5054
+ category: "access-control",
5055
+ shape: z.object({
5056
+ tenantId: z.string(),
5057
+ workspaceId: z.optional(z.string()),
5058
+ reviewKey: z.string(),
5059
+ scope: permitReviewScope,
5060
+ status: permitAccessReviewStatus,
5061
+ subjectType: permitAccessReviewSubjectType,
5062
+ subjectId: z.string(),
5063
+ resourceType: z.string().optional(),
5064
+ resourceKey: z.string().optional(),
5065
+ outcome: z.enum(["allow", "deny"]).optional(),
5066
+ requestedBy: z.string(),
5067
+ reviewedBy: z.string().optional(),
5068
+ requestedAt: z.number(),
5069
+ reviewedAt: z.number().optional(),
5070
+ dueAt: z.number().optional(),
5071
+ justification: z.string().optional(),
5072
+ rationale: z.string().optional(),
5073
+ policyBundleId: z.string().optional(),
5074
+ metadata: z.record(z.any()).optional(),
5075
+ createdAt: z.number(),
5076
+ updatedAt: z.number()
5077
+ }),
5078
+ indices: [
5079
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] },
5080
+ { kind: "index", name: "by_tenant_reviewKey", columns: ["tenantId", "reviewKey"] },
5081
+ { kind: "index", name: "by_subject", columns: ["subjectType", "subjectId"] },
5082
+ {
5083
+ kind: "index",
5084
+ name: "by_tenant_subject",
5085
+ columns: ["tenantId", "subjectType", "subjectId"]
5086
+ },
5087
+ { kind: "index", name: "by_outcome", columns: ["outcome"] },
5088
+ {
5089
+ kind: "index",
5090
+ name: "by_workspace_status",
5091
+ columns: ["workspaceId", "status"]
5092
+ }
5093
+ ]
5094
+ });
5095
+ defineTable({
5096
+ name: "permitAccessReviewItems",
5097
+ component: "control-plane",
5098
+ category: "access-control",
5099
+ shape: z.object({
5100
+ reviewKey: z.string(),
5101
+ itemKey: z.string(),
5102
+ tenantId: z.string(),
5103
+ workspaceId: z.string().optional(),
5104
+ subjectType: permitAccessReviewSubjectType,
5105
+ subjectId: z.string(),
5106
+ resourceType: z.string().optional(),
5107
+ resourceKey: z.string().optional(),
5108
+ role: z.string().optional(),
5109
+ relation: z.string().optional(),
5110
+ status: z.enum(["open", "approved", "revoked", "changed", "deferred"]),
5111
+ reviewerId: z.string().optional(),
5112
+ decisionAt: z.number().optional(),
5113
+ rationale: z.string().optional(),
5114
+ metadata: z.record(z.any()).optional(),
5115
+ createdAt: z.number(),
5116
+ updatedAt: z.number()
5117
+ }),
5118
+ indices: [
5119
+ { kind: "index", name: "by_reviewKey", columns: ["reviewKey"] },
5120
+ { kind: "index", name: "by_tenant_reviewKey", columns: ["tenantId", "reviewKey"] },
5121
+ { kind: "index", name: "by_tenant_itemKey", columns: ["tenantId", "itemKey"] },
5122
+ { kind: "index", name: "by_subject", columns: ["subjectType", "subjectId"] },
5123
+ { kind: "index", name: "by_status", columns: ["status"] }
5124
+ ]
5125
+ });
4214
5126
  defineTable({
4215
5127
  name: "reasoningPermissions",
4216
- component: "identity",
5128
+ component: "control-plane",
4217
5129
  category: "epistemic",
4218
5130
  shape: z.object({
4219
5131
  "topicId": z.string().optional(),
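Review bot: `permitRelationshipTuples` and `permitAttributeBindings` declare `status: permitRecordStatus`, a work-queue vocabulary (`queued`, `inflight`, `completed`, `failed`, `skipped`, `stale`) with no active or revoked value. The neighbouring `permitRoleAssignments`, `permitGroupMemberships` and `permitPrincipalAliases` use `permitMembershipStatus` instead. If anything evaluates access from these two tables, the schema gives it no way to tell a live tuple or binding from a withdrawn one; unless that is intended, `status: permitMembershipStatus,` on both would match the other tables. Separately, `by_member_group`, `by_ownerPrincipalId` and both `by_subject` indices do not start with `tenantId`, so a query on them spans tenants unless the caller adds the tenant filter itself. A comment on each such as `// cross-tenant index: callers must filter by tenantId` would make that obligation visible.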
@@ -4460,7 +5372,7 @@ defineTable({
4460
5372
  });
4461
5373
  defineTable({
4462
5374
  name: "users",
4463
- component: "identity",
5375
+ component: "control-plane",
4464
5376
  category: "user",
4465
5377
  shape: z.object({
4466
5378
  "clerkId": z.string(),
@@ -4574,7 +5486,6 @@ defineTable({
4574
5486
  "deployments": z.record(z.object({
4575
5487
  "url": z.string(),
4576
5488
  "target": z.enum(["kernelDeployment", "appDeployment"]).optional(),
4577
- "encryptedDeployKey": z.string().optional(),
4578
5489
  "credentialRef": z.string().optional()
4579
5490
  })).optional(),
4580
5491
  "metadata": z.record(z.any()).optional(),
@@ -4589,6 +5500,39 @@ defineTable({
4589
5500
  { kind: "index", name: "by_status", columns: ["status"] }
4590
5501
  ]
4591
5502
  });
5503
+ defineTable({
5504
+ name: "deploymentHosts",
5505
+ component: "mc",
5506
+ category: "workspace",
5507
+ shape: z.object({
5508
+ "host": z.string(),
5509
+ "tenantId": idOf("tenants"),
5510
+ "workspaceId": idOf("workspaces"),
5511
+ "environment": z.enum(["dev", "staging", "prod"]),
5512
+ "target": z.enum(["kernelDeployment", "appDeployment"]),
5513
+ "deploymentUrl": z.string().optional(),
5514
+ "deploymentName": z.string().optional(),
5515
+ "vercelProjectName": z.string().optional(),
5516
+ "vercelProjectId": z.string().optional(),
5517
+ "vercelEnvironment": z.enum(["development", "preview", "staging", "production"]).optional(),
5518
+ "source": z.enum(["vercel_preview", "vercel_production", "vercel_custom_environment", "custom_domain", "manual"]),
5519
+ "status": z.enum(["active", "revoked"]),
5520
+ "metadata": z.record(z.any()).optional(),
5521
+ "createdBy": z.string(),
5522
+ "createdAt": z.number(),
5523
+ "updatedAt": z.number(),
5524
+ "revokedAt": z.number().optional(),
5525
+ "revokedBy": z.string().optional()
5526
+ }),
5527
+ indices: [
5528
+ { kind: "index", name: "by_host", columns: ["host"] },
5529
+ { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
5530
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
5531
+ { kind: "index", name: "by_tenant_workspace_environment", columns: ["tenantId", "workspaceId", "environment"] },
5532
+ { kind: "index", name: "by_workspace_status", columns: ["workspaceId", "status"] },
5533
+ { kind: "index", name: "by_status", columns: ["status"] }
5534
+ ]
5535
+ });
4592
5536
  defineTable({
4593
5537
  name: "worktreeBeliefCluster",
4594
5538
  component: "kernel",
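Review bot: `by_host` in the new `deploymentHosts` table indexes `host` alone, although each row also carries `status: z.enum(["active", "revoked"])`, so a lookup by host returns revoked bindings unless every caller filters them out. Because the row maps a hostname to a `tenantId` and `workspaceId`, a missed filter would presumably keep resolving a revoked host to its old tenant. Adding `{ kind: "index", name: "by_host_status", columns: ["host", "status"] }` would make the active-only lookup the easy one. `"host": z.string()` also accepts mixed case, a port or a trailing dot, so two spellings of one host can end up as separate rows. The canonical form belongs in a comment such as `// host: lowercase hostname only, no scheme, port or trailing dot`, enforced where rows are written.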
@@ -4896,8 +5840,8 @@ defineTable({
4896
5840
  });
4897
5841
  z.object({
4898
5842
  manifestVersion: z.string(),
4899
- componentName: z.enum(["kernel", "identity"]),
4900
- tier: z.enum(["K", "I"]),
5843
+ componentName: z.enum(["kernel", "control-plane"]),
5844
+ tier: z.enum(["K", "CP"]),
4901
5845
  packageVersion: z.string(),
4902
5846
  tables: z.array(
4903
5847
  z.object({
@@ -5033,119 +5977,984 @@ var TENANT_CLIENT_INSTALLABLE_PACKAGES = [
5033
5977
  directTenantImport: false
5034
5978
  },
5035
5979
  {
5036
- packageName: "@lucern/auth",
5037
- role: "sdk_dependency",
5038
- directTenantImport: false
5980
+ packageName: "@lucern/auth",
5981
+ role: "sdk_dependency",
5982
+ directTenantImport: false
5983
+ },
5984
+ {
5985
+ packageName: "@lucern/cli",
5986
+ role: "developer_tool",
5987
+ directTenantImport: false
5988
+ },
5989
+ {
5990
+ packageName: "@lucern/client-core",
5991
+ role: "sdk_dependency",
5992
+ directTenantImport: false
5993
+ },
5994
+ {
5995
+ packageName: "@lucern/confidence",
5996
+ role: "sdk_dependency",
5997
+ directTenantImport: false
5998
+ },
5999
+ {
6000
+ packageName: "@lucern/config",
6001
+ role: "configuration",
6002
+ directTenantImport: false
6003
+ },
6004
+ {
6005
+ packageName: "@lucern/contracts",
6006
+ role: "contract_entrypoint",
6007
+ directTenantImport: true
6008
+ },
6009
+ {
6010
+ packageName: "@lucern/control-plane",
6011
+ role: "component_runtime",
6012
+ directTenantImport: false
6013
+ },
6014
+ {
6015
+ packageName: "@lucern/developer-kit",
6016
+ role: "developer_tool",
6017
+ directTenantImport: false
6018
+ },
6019
+ {
6020
+ packageName: "@lucern/events",
6021
+ role: "sdk_dependency",
6022
+ directTenantImport: false
6023
+ },
6024
+ {
6025
+ packageName: "@lucern/graph-primitives",
6026
+ role: "sdk_dependency",
6027
+ directTenantImport: false
6028
+ },
6029
+ {
6030
+ packageName: "@lucern/graph-sync",
6031
+ role: "host_addon_runtime",
6032
+ directTenantImport: true
6033
+ },
6034
+ {
6035
+ packageName: "@lucern/mcp",
6036
+ role: "runtime_entrypoint",
6037
+ directTenantImport: true
6038
+ },
6039
+ {
6040
+ packageName: "@lucern/pack-host",
6041
+ role: "platform_runtime",
6042
+ directTenantImport: false
6043
+ },
6044
+ {
6045
+ packageName: "@lucern/pack-installer",
6046
+ role: "developer_tool",
6047
+ directTenantImport: false
6048
+ },
6049
+ {
6050
+ packageName: "@lucern/proof-compiler",
6051
+ role: "developer_tool",
6052
+ directTenantImport: false
6053
+ },
6054
+ {
6055
+ packageName: "@lucern/react",
6056
+ role: "runtime_entrypoint",
6057
+ directTenantImport: true
6058
+ },
6059
+ {
6060
+ packageName: "@lucern/reasoning-kernel",
6061
+ role: "component_runtime",
6062
+ directTenantImport: false
6063
+ },
6064
+ {
6065
+ packageName: "@lucern/sdk",
6066
+ role: "runtime_entrypoint",
6067
+ directTenantImport: true
6068
+ },
6069
+ {
6070
+ packageName: "@lucern/secrets",
6071
+ role: "sdk_dependency",
6072
+ directTenantImport: false
6073
+ },
6074
+ {
6075
+ packageName: "@lucern/server-core",
6076
+ role: "platform_runtime",
6077
+ directTenantImport: false
6078
+ },
6079
+ {
6080
+ packageName: "@lucern/testing",
6081
+ role: "test_support",
6082
+ directTenantImport: false
6083
+ },
6084
+ {
6085
+ packageName: "@lucern/types",
6086
+ role: "contract_entrypoint",
6087
+ directTenantImport: true
6088
+ }
6089
+ ];
6090
+ TENANT_CLIENT_INSTALLABLE_PACKAGES.map(
6091
+ (entry) => entry.packageName
6092
+ );
6093
+
6094
+ // ../contracts/src/infisical-runtime.contract.ts
6095
+ var INFISICAL_TENANT_SOFTWARE_SYSTEMS = [
6096
+ {
6097
+ id: "stack-frontend",
6098
+ tenantKey: "stack",
6099
+ workspaceKey: "frontend",
6100
+ vercelProjectName: "ai-chatbot-diao",
6101
+ vercelTeamId: "team_mZBKwvXSSu7qxrWdg2go29sK",
6102
+ vercelProjectId: "prj_PihFw8kohSSw14nZs9YQV3xVo517",
6103
+ repository: {
6104
+ owner: "stack-vc",
6105
+ name: "front-end"
6106
+ },
6107
+ sharedSourcePath: "/tenants/stack",
6108
+ sharedVariablePolicy: "tenant_shared_all_systems",
6109
+ convex: {
6110
+ urlEnv: "CONVEX_FRONTEND_URL",
6111
+ deployKeyEnv: "CONVEX_FRONTEND_DEPLOY_KEY",
6112
+ preprodDeployment: "rugged-lobster-664",
6113
+ prodDeployment: "wonderful-toucan-0"
6114
+ }
6115
+ },
6116
+ {
6117
+ id: "stackos",
6118
+ tenantKey: "stack",
6119
+ workspaceKey: "stackos",
6120
+ vercelProjectName: "stackos",
6121
+ vercelTeamId: "team_mZBKwvXSSu7qxrWdg2go29sK",
6122
+ vercelProjectId: "prj_rXLAL0Z6v9p1fasKbomby6GI7kau",
6123
+ repository: {
6124
+ owner: "stack-vc",
6125
+ name: "stackos"
6126
+ },
6127
+ sharedSourcePath: "/tenants/stack",
6128
+ sharedVariablePolicy: "tenant_shared_all_systems",
6129
+ convex: {
6130
+ urlEnv: "CONVEX_STACKOS_URL",
6131
+ deployKeyEnv: "CONVEX_STACKOS_DEPLOY_KEY",
6132
+ preprodDeployment: "giant-mandrill-761",
6133
+ prodDeployment: "good-snake-515"
6134
+ }
6135
+ },
6136
+ {
6137
+ id: "stack-eng",
6138
+ tenantKey: "stack",
6139
+ workspaceKey: "engineering",
6140
+ vercelProjectName: "stackos-engineering-graph",
6141
+ vercelTeamId: "team_mZBKwvXSSu7qxrWdg2go29sK",
6142
+ vercelProjectId: "prj_zAU0Zn9GkbHjHI63dxW4vLpmoqTJ",
6143
+ repository: {
6144
+ owner: "stack-vc",
6145
+ name: "stackos-engineering-graph"
6146
+ },
6147
+ sharedSourcePath: "/tenants/stack/engineering",
6148
+ sharedVariablePolicy: "tenant_shared_all_systems",
6149
+ convex: {
6150
+ urlEnv: "CONVEX_STACK_ENG_URL",
6151
+ deployKeyEnv: "CONVEX_STACK_ENG_DEPLOY_KEY",
6152
+ preprodDeployment: "small-oyster-270",
6153
+ prodDeployment: "bold-cuttlefish-804"
6154
+ }
6155
+ },
6156
+ {
6157
+ id: "lucern-graph",
6158
+ tenantKey: "lucern",
6159
+ workspaceKey: "lucern",
6160
+ vercelProjectName: "lucern-graph",
6161
+ vercelTeamId: "team_vTHxxs8GAoAFUe6RWMlYt7fY",
6162
+ vercelProjectId: "prj_KJ8EKV8vGM5xURpqmwTwmECEGPgQ",
6163
+ repository: {
6164
+ owner: "LucernAI",
6165
+ name: "lucern-graph"
6166
+ },
6167
+ sharedSourcePath: "/tenants/lucern/shared",
6168
+ sharedVariablePolicy: "tenant_shared_all_systems",
6169
+ convex: {
6170
+ urlEnv: "CONVEX_LUCERN_URL",
6171
+ deployKeyEnv: "CONVEX_LUCERN_DEPLOY_KEY",
6172
+ preprodDeployment: "good-blackbird-774",
6173
+ prodDeployment: "precious-dog-365"
6174
+ }
6175
+ }
6176
+ ];
6177
+ var TENANT_SHARED_SECRET_DEFINITION_TEMPLATES = [
6178
+ {
6179
+ idSuffix: "clerk.publishable",
6180
+ canonicalName: "NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY",
6181
+ aliases: ["CLERK_PUBLISHABLE_KEY"],
6182
+ required: true,
6183
+ secret: false,
6184
+ public: true,
6185
+ description: "Tenant-owned Clerk browser key. For Stack this is the master clerk.stack.vc project shared by front-end, StackOS, and the engineering workspace."
6186
+ },
6187
+ {
6188
+ idSuffix: "clerk.secret",
6189
+ canonicalName: "CLERK_SECRET_KEY",
6190
+ required: true,
6191
+ secret: true,
6192
+ public: false,
6193
+ description: "Tenant-owned Clerk backend secret used only by that tenant's server runtimes."
6194
+ },
6195
+ {
6196
+ idSuffix: "clerk.project",
6197
+ canonicalName: "CLERK_PROJECT_ID",
6198
+ required: true,
6199
+ secret: false,
6200
+ public: false,
6201
+ description: "Tenant-owned Clerk project id used to resolve canonical Clerk aliases."
6202
+ },
6203
+ {
6204
+ idSuffix: "clerk.jwks",
6205
+ canonicalName: "CLERK_JWT_ISSUER_DOMAIN",
6206
+ aliases: ["CLERK_ISSUER_URL", "CLERK_JWKS_URL"],
6207
+ required: false,
6208
+ secret: false,
6209
+ public: false,
6210
+ description: "Tenant Clerk issuer/JWKS URL consumed by Convex auth.config.ts."
6211
+ },
6212
+ {
6213
+ idSuffix: "clerk.jwt-key",
6214
+ canonicalName: "CLERK_JWT_KEY",
6215
+ required: false,
6216
+ secret: true,
6217
+ public: false,
6218
+ description: "Tenant Clerk JWT public verification key used by bearer-token API routes."
6219
+ },
6220
+ {
6221
+ idSuffix: "clerk.authorized-parties",
6222
+ canonicalName: "CLERK_AUTHORIZED_PARTIES",
6223
+ aliases: ["CLERK_MOBILE_AUTHORIZED_PARTIES"],
6224
+ required: false,
6225
+ secret: false,
6226
+ public: false,
6227
+ description: "Comma-separated Clerk authorized parties for browser and mobile bearer-token validation."
6228
+ },
6229
+ {
6230
+ idSuffix: "clerk.sign-in-url",
6231
+ canonicalName: "NEXT_PUBLIC_CLERK_SIGN_IN_URL",
6232
+ required: false,
6233
+ secret: false,
6234
+ public: true,
6235
+ description: "Tenant Clerk sign-in route for custom app login surfaces."
6236
+ },
6237
+ {
6238
+ idSuffix: "clerk.sign-up-url",
6239
+ canonicalName: "NEXT_PUBLIC_CLERK_SIGN_UP_URL",
6240
+ required: false,
6241
+ secret: false,
6242
+ public: true,
6243
+ description: "Tenant Clerk sign-up route for custom app login surfaces."
6244
+ }
6245
+ ];
6246
+ INFISICAL_TENANT_SOFTWARE_SYSTEMS.flatMap(
6247
+ (system) => TENANT_SHARED_SECRET_DEFINITION_TEMPLATES.map(
6248
+ (template) => ({
6249
+ id: `tenant.${system.id}.${template.idSuffix}`,
6250
+ canonicalName: template.canonicalName,
6251
+ aliases: "aliases" in template ? template.aliases : void 0,
6252
+ owner: "tenant",
6253
+ scope: "tenant",
6254
+ sourcePath: system.sharedSourcePath,
6255
+ environmentPolicy: "environment_specific",
6256
+ required: template.required,
6257
+ secret: template.secret,
6258
+ public: template.public,
6259
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
6260
+ destinations: [
6261
+ {
6262
+ kind: "vercel",
6263
+ target: system.vercelProjectName,
6264
+ environmentPolicy: "preprod_staging_prod_prod"
6265
+ },
6266
+ {
6267
+ kind: "convex",
6268
+ target: `${system.convex.preprodDeployment}|${system.convex.prodDeployment}`,
6269
+ environmentPolicy: "preprod_staging_prod_prod"
6270
+ }
6271
+ ],
6272
+ description: `${system.tenantKey}/${system.workspaceKey}: ${template.description}`
6273
+ })
6274
+ )
6275
+ );
6276
+ INFISICAL_TENANT_SOFTWARE_SYSTEMS.map(
6277
+ (system) => ({
6278
+ id: `tenant.${system.id}.install-lucern-npm`,
6279
+ canonicalName: "INSTALL_LUCERN_NPM",
6280
+ owner: "provider",
6281
+ scope: "global",
6282
+ sourcePath: "/tenants/shared",
6283
+ environmentPolicy: "same_all_environments",
6284
+ required: true,
6285
+ secret: true,
6286
+ public: false,
6287
+ consumers: ["tenant-vercel-app", "tenant-deploy-tooling"],
6288
+ destinations: [
6289
+ {
6290
+ kind: "vercel",
6291
+ target: system.vercelProjectName,
6292
+ environmentPolicy: "same_all_environments"
6293
+ },
6294
+ {
6295
+ kind: "github_actions",
6296
+ target: `${system.repository.owner}/${system.repository.name}`,
6297
+ environmentPolicy: "same_all_environments"
6298
+ }
6299
+ ],
6300
+ description: `${system.tenantKey}/${system.workspaceKey}: read-only npm install token for published @lucern/* packages.`
6301
+ })
6302
+ );
6303
+ var TENANT_PRODUCT_SOFTWARE_SYSTEM_IDS = ["stack-frontend", "stackos"];
6304
+ var TENANT_PRODUCT_RUNTIME_SECRET_DEFINITION_TEMPLATES = [
6305
+ {
6306
+ idSuffix: "ai.openai-api-key",
6307
+ canonicalName: "OPENAI_API_KEY",
6308
+ required: false,
6309
+ secret: true,
6310
+ public: false,
6311
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment", "tenant-ai-runtime"],
6312
+ description: "Tenant-owned OpenAI key for product runtime LLM calls."
6313
+ },
6314
+ {
6315
+ idSuffix: "ai.anthropic-api-key",
6316
+ canonicalName: "ANTHROPIC_API_KEY",
6317
+ required: false,
6318
+ secret: true,
6319
+ public: false,
6320
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment", "tenant-ai-runtime"],
6321
+ description: "Tenant-owned Anthropic key for product runtime LLM calls."
6322
+ },
6323
+ {
6324
+ idSuffix: "ai.gemini-api-key",
6325
+ canonicalName: "GEMINI_API_KEY",
6326
+ aliases: ["GOOGLE_AI_API_KEY", "GOOGLE_GENERATIVE_AI_API_KEY"],
6327
+ required: false,
6328
+ secret: true,
6329
+ public: false,
6330
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment", "tenant-ai-runtime"],
6331
+ description: "Tenant-owned Google/Gemini key for product runtime LLM calls."
6332
+ },
6333
+ {
6334
+ idSuffix: "langfuse.secret-key",
6335
+ canonicalName: "LANGFUSE_SECRET_KEY",
6336
+ required: false,
6337
+ secret: true,
6338
+ public: false,
6339
+ consumers: [
6340
+ "tenant-vercel-app",
6341
+ "tenant-convex-deployment",
6342
+ "tenant-observability"
6343
+ ],
6344
+ description: "Tenant-owned Langfuse secret key for product AI tracing."
6345
+ },
6346
+ {
6347
+ idSuffix: "langfuse.public-key",
6348
+ canonicalName: "LANGFUSE_PUBLIC_KEY",
6349
+ required: false,
6350
+ secret: false,
6351
+ public: false,
6352
+ consumers: [
6353
+ "tenant-vercel-app",
6354
+ "tenant-convex-deployment",
6355
+ "tenant-observability"
6356
+ ],
6357
+ description: "Tenant-owned Langfuse public key for product AI tracing."
6358
+ },
6359
+ {
6360
+ idSuffix: "langfuse.base-url",
6361
+ canonicalName: "LANGFUSE_BASE_URL",
6362
+ aliases: ["LANGFUSE_BASEURL", "LANGFUSE_HOST"],
6363
+ required: false,
6364
+ secret: false,
6365
+ public: false,
6366
+ consumers: [
6367
+ "tenant-vercel-app",
6368
+ "tenant-convex-deployment",
6369
+ "tenant-observability"
6370
+ ],
6371
+ description: "Tenant-owned Langfuse API origin."
6372
+ },
6373
+ {
6374
+ idSuffix: "graph.neo4j-uri",
6375
+ canonicalName: "NEO4J_URI",
6376
+ required: false,
6377
+ secret: false,
6378
+ public: false,
6379
+ consumers: [
6380
+ "tenant-vercel-app",
6381
+ "tenant-convex-deployment",
6382
+ "tenant-graph-sync"
6383
+ ],
6384
+ description: "Tenant-owned Neo4j URI for product graph-sync."
6385
+ },
6386
+ {
6387
+ idSuffix: "graph.neo4j-user",
6388
+ canonicalName: "NEO4J_USER",
6389
+ aliases: ["NEO4J_USERNAME"],
6390
+ required: false,
6391
+ secret: false,
6392
+ public: false,
6393
+ consumers: [
6394
+ "tenant-vercel-app",
6395
+ "tenant-convex-deployment",
6396
+ "tenant-graph-sync"
6397
+ ],
6398
+ description: "Tenant-owned Neo4j user for product graph-sync."
6399
+ },
6400
+ {
6401
+ idSuffix: "graph.neo4j-password",
6402
+ canonicalName: "NEO4J_PASSWORD",
6403
+ required: false,
6404
+ secret: true,
6405
+ public: false,
6406
+ consumers: [
6407
+ "tenant-vercel-app",
6408
+ "tenant-convex-deployment",
6409
+ "tenant-graph-sync"
6410
+ ],
6411
+ description: "Tenant-owned Neo4j password for product graph-sync."
6412
+ },
6413
+ {
6414
+ idSuffix: "graph.neo4j-sync-secret",
6415
+ canonicalName: "NEO4J_SYNC_SECRET",
6416
+ required: false,
6417
+ secret: true,
6418
+ public: false,
6419
+ consumers: [
6420
+ "tenant-vercel-app",
6421
+ "tenant-convex-deployment",
6422
+ "tenant-graph-sync"
6423
+ ],
6424
+ description: "Tenant-owned shared secret for product Convex-to-HTTP graph-sync calls."
5039
6425
  },
5040
6426
  {
5041
- packageName: "@lucern/cli",
5042
- role: "developer_tool",
5043
- directTenantImport: false
6427
+ idSuffix: "graph.neo4j-database",
6428
+ canonicalName: "NEO4J_DATABASE",
6429
+ required: false,
6430
+ secret: false,
6431
+ public: false,
6432
+ consumers: [
6433
+ "tenant-vercel-app",
6434
+ "tenant-convex-deployment",
6435
+ "tenant-graph-sync"
6436
+ ],
6437
+ description: "Tenant-owned Neo4j database name for product graph-sync."
5044
6438
  },
5045
6439
  {
5046
- packageName: "@lucern/client-core",
5047
- role: "sdk_dependency",
5048
- directTenantImport: false
6440
+ idSuffix: "vector.pinecone-api-key",
6441
+ canonicalName: "PINECONE_API_KEY",
6442
+ required: false,
6443
+ secret: true,
6444
+ public: false,
6445
+ consumers: [
6446
+ "tenant-vercel-app",
6447
+ "tenant-convex-deployment",
6448
+ "tenant-vector-store"
6449
+ ],
6450
+ description: "Tenant-owned Pinecone API key for product vector search."
5049
6451
  },
5050
6452
  {
5051
- packageName: "@lucern/confidence",
5052
- role: "sdk_dependency",
5053
- directTenantImport: false
6453
+ idSuffix: "vector.pinecone-index-name",
6454
+ canonicalName: "PINECONE_INDEX_NAME",
6455
+ aliases: ["PINECONE_INDEX"],
6456
+ required: false,
6457
+ secret: false,
6458
+ public: false,
6459
+ consumers: [
6460
+ "tenant-vercel-app",
6461
+ "tenant-convex-deployment",
6462
+ "tenant-vector-store"
6463
+ ],
6464
+ description: "Tenant-owned Pinecone index name for product vector search."
5054
6465
  },
5055
6466
  {
5056
- packageName: "@lucern/config",
5057
- role: "configuration",
5058
- directTenantImport: false
6467
+ idSuffix: "vector.pinecone-host",
6468
+ canonicalName: "PINECONE_HOST",
6469
+ aliases: ["PINECONE_INDEX_HOST"],
6470
+ required: false,
6471
+ secret: false,
6472
+ public: false,
6473
+ consumers: [
6474
+ "tenant-vercel-app",
6475
+ "tenant-convex-deployment",
6476
+ "tenant-vector-store"
6477
+ ],
6478
+ description: "Tenant-owned Pinecone host for product vector search."
5059
6479
  },
5060
6480
  {
5061
- packageName: "@lucern/contracts",
5062
- role: "contract_entrypoint",
5063
- directTenantImport: true
6481
+ idSuffix: "vector.pinecone-namespace",
6482
+ canonicalName: "PINECONE_NAMESPACE",
6483
+ required: false,
6484
+ secret: false,
6485
+ public: false,
6486
+ consumers: [
6487
+ "tenant-vercel-app",
6488
+ "tenant-convex-deployment",
6489
+ "tenant-vector-store"
6490
+ ],
6491
+ description: "Tenant-owned Pinecone namespace for product vector search isolation."
5064
6492
  },
5065
6493
  {
5066
- packageName: "@lucern/control-plane",
5067
- role: "platform_runtime",
5068
- directTenantImport: false
6494
+ idSuffix: "storage.aws-access-key-id",
6495
+ canonicalName: "AWS_ACCESS_KEY_ID",
6496
+ required: false,
6497
+ secret: true,
6498
+ public: false,
6499
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
6500
+ description: "Tenant-owned AWS access key id for document/file ingestion."
5069
6501
  },
5070
6502
  {
5071
- packageName: "@lucern/developer-kit",
5072
- role: "developer_tool",
5073
- directTenantImport: false
6503
+ idSuffix: "storage.aws-secret-access-key",
6504
+ canonicalName: "AWS_SECRET_ACCESS_KEY",
6505
+ required: false,
6506
+ secret: true,
6507
+ public: false,
6508
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
6509
+ description: "Tenant-owned AWS secret access key for document/file ingestion."
5074
6510
  },
5075
6511
  {
5076
- packageName: "@lucern/events",
5077
- role: "sdk_dependency",
5078
- directTenantImport: false
6512
+ idSuffix: "storage.aws-region",
6513
+ canonicalName: "AWS_REGION",
6514
+ required: false,
6515
+ secret: false,
6516
+ public: false,
6517
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
6518
+ description: "Tenant-owned AWS region for document/file ingestion."
5079
6519
  },
5080
6520
  {
5081
- packageName: "@lucern/graph-primitives",
5082
- role: "sdk_dependency",
5083
- directTenantImport: false
6521
+ idSuffix: "observability.sentry-dsn",
6522
+ canonicalName: "NEXT_PUBLIC_SENTRY_DSN",
6523
+ aliases: ["NEXT_PUBLIC_SENTRY_DSN_NEXTJS", "SENTRY_DSN"],
6524
+ required: false,
6525
+ secret: false,
6526
+ public: true,
6527
+ consumers: ["tenant-vercel-app", "tenant-observability"],
6528
+ description: "Tenant-owned Sentry DSN for app telemetry."
5084
6529
  },
5085
6530
  {
5086
- packageName: "@lucern/graph-sync",
5087
- role: "host_addon_runtime",
5088
- directTenantImport: true
6531
+ idSuffix: "observability.sentry-auth-token",
6532
+ canonicalName: "SENTRY_AUTH_TOKEN",
6533
+ required: false,
6534
+ secret: true,
6535
+ public: false,
6536
+ consumers: ["tenant-deploy-tooling", "tenant-observability"],
6537
+ description: "Tenant-owned Sentry release token for app deployments."
5089
6538
  },
5090
6539
  {
5091
- packageName: "@lucern/identity",
5092
- role: "component_runtime",
5093
- directTenantImport: false
6540
+ idSuffix: "observability.sentry-org",
6541
+ canonicalName: "SENTRY_ORG",
6542
+ aliases: ["SENTRY_ORG_SLUG"],
6543
+ required: false,
6544
+ secret: false,
6545
+ public: false,
6546
+ consumers: ["tenant-deploy-tooling", "tenant-observability"],
6547
+ description: "Tenant-owned Sentry org slug for release uploads."
5094
6548
  },
5095
6549
  {
5096
- packageName: "@lucern/mcp",
5097
- role: "runtime_entrypoint",
5098
- directTenantImport: true
6550
+ idSuffix: "observability.sentry-project",
6551
+ canonicalName: "SENTRY_PROJECT",
6552
+ aliases: ["SENTRY_PROJECT_NEXTJS"],
6553
+ required: false,
6554
+ secret: false,
6555
+ public: false,
6556
+ consumers: ["tenant-deploy-tooling", "tenant-observability"],
6557
+ description: "Tenant-owned Sentry project slug for release uploads."
5099
6558
  },
5100
6559
  {
5101
- packageName: "@lucern/pack-host",
5102
- role: "platform_runtime",
5103
- directTenantImport: false
6560
+ idSuffix: "observability.sentry-environment",
6561
+ canonicalName: "NEXT_PUBLIC_SENTRY_ENVIRONMENT",
6562
+ aliases: ["SENTRY_ENVIRONMENT"],
6563
+ required: false,
6564
+ secret: false,
6565
+ public: true,
6566
+ consumers: ["tenant-vercel-app", "tenant-observability"],
6567
+ description: "Tenant-owned Sentry environment label."
5104
6568
  },
5105
6569
  {
5106
- packageName: "@lucern/pack-installer",
5107
- role: "developer_tool",
5108
- directTenantImport: false
6570
+ idSuffix: "observability.sentry-release",
6571
+ canonicalName: "NEXT_PUBLIC_SENTRY_RELEASE",
6572
+ aliases: ["SENTRY_RELEASE"],
6573
+ required: false,
6574
+ secret: false,
6575
+ public: true,
6576
+ consumers: ["tenant-vercel-app", "tenant-observability"],
6577
+ description: "Tenant-owned Sentry release label."
5109
6578
  },
5110
6579
  {
5111
- packageName: "@lucern/proof-compiler",
5112
- role: "developer_tool",
5113
- directTenantImport: false
6580
+ idSuffix: "observability.sentry-client-options",
6581
+ canonicalName: "NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE",
6582
+ aliases: [
6583
+ "NEXT_PUBLIC_SENTRY_CAPTURE_CONSOLE_LEVELS",
6584
+ "NEXT_PUBLIC_SENTRY_CAPTURE_CONSOLE_LEVELS_NEXTJS",
6585
+ "NEXT_PUBLIC_SENTRY_CONSOLE_BREADCRUMB_LEVELS",
6586
+ "NEXT_PUBLIC_SENTRY_CONSOLE_BREADCRUMB_LEVELS_NEXTJS",
6587
+ "NEXT_PUBLIC_SENTRY_CONSOLE_LOG_LEVELS",
6588
+ "NEXT_PUBLIC_SENTRY_CONSOLE_LOG_LEVELS_NEXTJS",
6589
+ "NEXT_PUBLIC_SENTRY_ENABLE_LOGS",
6590
+ "NEXT_PUBLIC_SENTRY_REPLAYS_ON_ERROR_SAMPLE_RATE",
6591
+ "NEXT_PUBLIC_SENTRY_REPLAYS_SESSION_SAMPLE_RATE",
6592
+ "NEXT_PUBLIC_SENTRY_SEND_DEFAULT_PII",
6593
+ "NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE_NEXTJS"
6594
+ ],
6595
+ required: false,
6596
+ secret: false,
6597
+ public: true,
6598
+ consumers: ["tenant-vercel-app", "tenant-observability"],
6599
+ description: "Tenant-owned public Sentry tuning values for Next.js client instrumentation."
5114
6600
  },
5115
6601
  {
5116
- packageName: "@lucern/react",
5117
- role: "runtime_entrypoint",
5118
- directTenantImport: true
6602
+ idSuffix: "observability.sentry-webhook-secret",
6603
+ canonicalName: "SENTRY_WEBHOOK_SECRET",
6604
+ required: false,
6605
+ secret: true,
6606
+ public: false,
6607
+ consumers: ["tenant-convex-deployment", "tenant-observability"],
6608
+ description: "Tenant-owned Sentry webhook verification secret."
5119
6609
  },
5120
6610
  {
5121
- packageName: "@lucern/reasoning-kernel",
5122
- role: "component_runtime",
5123
- directTenantImport: false
6611
+ idSuffix: "lucern.gateway-api-key",
6612
+ canonicalName: "LUCERN_API_KEY",
6613
+ aliases: ["STACK_API_KEY"],
6614
+ required: false,
6615
+ secret: true,
6616
+ public: false,
6617
+ consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
6618
+ description: "Tenant-scoped Lucern/MC gateway API key for product front-door calls."
5124
6619
  },
5125
6620
  {
5126
- packageName: "@lucern/sdk",
5127
- role: "runtime_entrypoint",
5128
- directTenantImport: true
6621
+ idSuffix: "lucern.gateway-base-url",
6622
+ canonicalName: "LUCERN_BASE_URL",
6623
+ aliases: ["LUCERN_API_BASE_URL", "LUCERN_GATEWAY_BASE_URL"],
6624
+ required: false,
6625
+ secret: false,
6626
+ public: false,
6627
+ consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
6628
+ description: "Lucern/MC gateway base URL used by tenant product apps."
5129
6629
  },
5130
6630
  {
5131
- packageName: "@lucern/server-core",
5132
- role: "platform_runtime",
5133
- directTenantImport: false
6631
+ idSuffix: "lucern.proxy-token-secret",
6632
+ canonicalName: "LUCERN_PROXY_TOKEN_SECRET",
6633
+ required: false,
6634
+ secret: true,
6635
+ public: false,
6636
+ consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
6637
+ description: "Tenant-owned secret for signing internal proxy/session tokens in product apps."
5134
6638
  },
5135
6639
  {
5136
- packageName: "@lucern/testing",
5137
- role: "test_support",
5138
- directTenantImport: false
6640
+ idSuffix: "tenant.integrations.linear-api-key",
6641
+ canonicalName: "LINEAR_API_KEY",
6642
+ required: false,
6643
+ secret: true,
6644
+ public: false,
6645
+ consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
6646
+ description: "Tenant-owned Linear API key for support/slash-command flows."
5139
6647
  },
5140
6648
  {
5141
- packageName: "@lucern/types",
5142
- role: "contract_entrypoint",
5143
- directTenantImport: true
6649
+ idSuffix: "tenant.vercel.bypass-token",
6650
+ canonicalName: "VERCEL_AUTOMATION_BYPASS_SECRET",
6651
+ aliases: ["NEXT_PUBLIC_VERCEL_BYPASS_TOKEN"],
6652
+ required: false,
6653
+ secret: true,
6654
+ public: false,
6655
+ consumers: ["tenant-vercel-app", "tenant-deploy-tooling"],
6656
+ description: "Tenant-owned Vercel automation bypass token. Public alias is legacy and should be removed from app code."
5144
6657
  }
5145
6658
  ];
5146
- TENANT_CLIENT_INSTALLABLE_PACKAGES.map(
5147
- (entry) => entry.packageName
6659
+ INFISICAL_TENANT_SOFTWARE_SYSTEMS.filter(
6660
+ (system) => TENANT_PRODUCT_SOFTWARE_SYSTEM_IDS.includes(system.id)
6661
+ ).flatMap(
6662
+ (system) => TENANT_PRODUCT_RUNTIME_SECRET_DEFINITION_TEMPLATES.map(
6663
+ (template) => ({
6664
+ id: `tenant.${system.id}.${template.idSuffix}`,
6665
+ canonicalName: template.canonicalName,
6666
+ aliases: "aliases" in template ? template.aliases : void 0,
6667
+ owner: "tenant",
6668
+ scope: "tenant",
6669
+ sourcePath: system.sharedSourcePath,
6670
+ environmentPolicy: "environment_specific",
6671
+ required: template.required,
6672
+ secret: template.secret,
6673
+ public: template.public,
6674
+ consumers: template.consumers,
6675
+ destinations: [
6676
+ {
6677
+ kind: "vercel",
6678
+ target: system.vercelProjectName,
6679
+ environmentPolicy: "preprod_staging_prod_prod"
6680
+ },
6681
+ {
6682
+ kind: "convex",
6683
+ target: `${system.convex.preprodDeployment}|${system.convex.prodDeployment}`,
6684
+ environmentPolicy: "preprod_staging_prod_prod"
6685
+ },
6686
+ {
6687
+ kind: "github_actions",
6688
+ target: `${system.repository.owner}/${system.repository.name}`,
6689
+ environmentPolicy: "preprod_staging_prod_prod"
6690
+ }
6691
+ ],
6692
+ description: `${system.tenantKey}/${system.workspaceKey}: ${template.description}`
6693
+ })
6694
+ )
6695
+ );
6696
+ function tenantVercelConvexUrlWriteNames(system) {
6697
+ const names = [system.convex.urlEnv, "NEXT_PUBLIC_CONVEX_URL"];
6698
+ if (system.id === "stack-eng") {
6699
+ return [...names, "STACKOS_ENGINEERING_GRAPH_CONVEX_URL"];
6700
+ }
6701
+ return names;
6702
+ }
6703
+ function tenantRepositoryConvexUrlWriteNames(system) {
6704
+ if (system.id === "stack-eng") {
6705
+ return [system.convex.urlEnv, "STACKOS_ENGINEERING_GRAPH_CONVEX_URL"];
6706
+ }
6707
+ return [system.convex.urlEnv];
6708
+ }
6709
+ function tenantRepositoryConvexDeployKeyWriteNames(system) {
6710
+ if (system.id === "stack-eng") {
6711
+ return [system.convex.deployKeyEnv, "STACKOS_ENGINEERING_GRAPH_DEPLOY_KEY"];
6712
+ }
6713
+ return [system.convex.deployKeyEnv];
6714
+ }
6715
+ function tenantConvexUrlAliases(system) {
6716
+ if (system.id === "stack-frontend") {
6717
+ return [
6718
+ "CONVEX_PROD_URL",
6719
+ "CONVEX_STACK_V2_PROD_URL",
6720
+ "CONVEX_STACK_V2_STAGING_URL",
6721
+ "STACK_CONVEX_URL"
6722
+ ];
6723
+ }
6724
+ if (system.id === "stackos") {
6725
+ return [
6726
+ "CONVEX_CLOUD_URL",
6727
+ "CONVEX_STACK_URL",
6728
+ "CONVEX_URL",
6729
+ "CONVEX_URL_DEVELOPMENT",
6730
+ "CONVEX_URL_PRODUCTION",
6731
+ "STACK_CONVEX_URL"
6732
+ ];
6733
+ }
6734
+ if (system.id === "stack-eng") {
6735
+ return ["STACKOS_ENGINEERING_GRAPH_CONVEX_URL"];
6736
+ }
6737
+ if (system.id === "lucern-graph") {
6738
+ return [
6739
+ "CONVEX_GRAPH_URL",
6740
+ "LUCERN_PROD_URL",
6741
+ "NEXT_PUBLIC_LUCERN_GRAPH_URL"
6742
+ ];
6743
+ }
6744
+ return void 0;
6745
+ }
6746
+ function tenantConvexDeployKeyAliases(system) {
6747
+ if (system.id === "stack-frontend") {
6748
+ return [
6749
+ "CONVEX_STACK_V2_PROD_DEPLOY_KEY",
6750
+ "CONVEX_STACK_V2_STAGING_DEPLOY_KEY",
6751
+ "STACK_DEPLOY_KEY"
6752
+ ];
6753
+ }
6754
+ if (system.id === "stackos") {
6755
+ return [
6756
+ "CONVEX_DEPLOY_KEY",
6757
+ "CONVEX_DEV_DEPLOY_KEY",
6758
+ "CONVEX_PROD_DEPLOY_KEY",
6759
+ "CONVEX_STACK_DEPLOY_KEY",
6760
+ "STACK_DEPLOY_KEY"
6761
+ ];
6762
+ }
6763
+ if (system.id === "stack-eng") {
6764
+ return ["CONVEX_DEPLOY_KEY", "STACKOS_ENGINEERING_GRAPH_DEPLOY_KEY"];
6765
+ }
6766
+ if (system.id === "lucern-graph") {
6767
+ return [
6768
+ "CONVEX_DEPLOY_KEY",
6769
+ "CONVEX_GRAPH_DEPLOY_KEY",
6770
+ "LUCERN_CONVEX_DEPLOY_KEY",
6771
+ "LUCERN_DEV_DEPLOY_KEY",
6772
+ "LUCERN_PROD_DEPLOY_KEY"
6773
+ ];
6774
+ }
6775
+ return void 0;
6776
+ }
6777
+ INFISICAL_TENANT_SOFTWARE_SYSTEMS.flatMap(
6778
+ (system) => {
6779
+ if (system.id === "lucern-graph") {
6780
+ return [
6781
+ {
6782
+ id: "tenant.lucern-graph.public.tenant-id",
6783
+ canonicalName: "NEXT_PUBLIC_LUCERN_GRAPH_TENANT_ID",
6784
+ aliases: ["NEXT_PUBLIC_LUCERN_TENANT_ID"],
6785
+ owner: "tenant",
6786
+ scope: "workspace",
6787
+ sourcePath: system.sharedSourcePath,
6788
+ environmentPolicy: "environment_specific",
6789
+ required: false,
6790
+ secret: false,
6791
+ public: true,
6792
+ consumers: ["tenant-vercel-app"],
6793
+ destinations: [
6794
+ {
6795
+ kind: "vercel",
6796
+ target: system.vercelProjectName,
6797
+ environmentPolicy: "preprod_staging_prod_prod"
6798
+ }
6799
+ ],
6800
+ description: "Lucern graph public tenant id used by the standalone graph explorer."
6801
+ },
6802
+ {
6803
+ id: "tenant.lucern-graph.public.tenant-label",
6804
+ canonicalName: "NEXT_PUBLIC_LUCERN_GRAPH_TENANT_LABEL",
6805
+ owner: "tenant",
6806
+ scope: "workspace",
6807
+ sourcePath: system.sharedSourcePath,
6808
+ environmentPolicy: "environment_specific",
6809
+ required: false,
6810
+ secret: false,
6811
+ public: true,
6812
+ consumers: ["tenant-vercel-app"],
6813
+ destinations: [
6814
+ {
6815
+ kind: "vercel",
6816
+ target: system.vercelProjectName,
6817
+ environmentPolicy: "preprod_staging_prod_prod"
6818
+ }
6819
+ ],
6820
+ description: "Lucern graph public tenant label used by the standalone graph explorer."
6821
+ }
6822
+ ];
6823
+ }
6824
+ if (system.id === "stack-eng") {
6825
+ return [
6826
+ {
6827
+ id: "tenant.stack-eng.public.tenant-id",
6828
+ canonicalName: "NEXT_PUBLIC_STACKOS_ENGINEERING_GRAPH_TENANT_ID",
6829
+ owner: "tenant",
6830
+ scope: "workspace",
6831
+ sourcePath: system.sharedSourcePath,
6832
+ environmentPolicy: "environment_specific",
6833
+ required: false,
6834
+ secret: false,
6835
+ public: true,
6836
+ consumers: ["tenant-vercel-app"],
6837
+ destinations: [
6838
+ {
6839
+ kind: "vercel",
6840
+ target: system.vercelProjectName,
6841
+ environmentPolicy: "preprod_staging_prod_prod"
6842
+ }
6843
+ ],
6844
+ description: "Stack engineering graph public tenant id used by the graph explorer."
6845
+ },
6846
+ {
6847
+ id: "tenant.stack-eng.public.tenant-label",
6848
+ canonicalName: "NEXT_PUBLIC_STACKOS_ENGINEERING_GRAPH_TENANT_LABEL",
6849
+ owner: "tenant",
6850
+ scope: "workspace",
6851
+ sourcePath: system.sharedSourcePath,
6852
+ environmentPolicy: "environment_specific",
6853
+ required: false,
6854
+ secret: false,
6855
+ public: true,
6856
+ consumers: ["tenant-vercel-app"],
6857
+ destinations: [
6858
+ {
6859
+ kind: "vercel",
6860
+ target: system.vercelProjectName,
6861
+ environmentPolicy: "preprod_staging_prod_prod"
6862
+ }
6863
+ ],
6864
+ description: "Stack engineering graph public tenant label used by the graph explorer."
6865
+ },
6866
+ {
6867
+ id: "tenant.stack-eng.public.environment",
6868
+ canonicalName: "NEXT_PUBLIC_STACKOS_ENGINEERING_GRAPH_ENV",
6869
+ owner: "tenant",
6870
+ scope: "workspace",
6871
+ sourcePath: system.sharedSourcePath,
6872
+ environmentPolicy: "environment_specific",
6873
+ required: false,
6874
+ secret: false,
6875
+ public: true,
6876
+ consumers: ["tenant-vercel-app"],
6877
+ destinations: [
6878
+ {
6879
+ kind: "vercel",
6880
+ target: system.vercelProjectName,
6881
+ environmentPolicy: "preprod_staging_prod_prod"
6882
+ }
6883
+ ],
6884
+ description: "Stack engineering graph public environment label used by the graph explorer."
6885
+ }
6886
+ ];
6887
+ }
6888
+ return [];
6889
+ }
5148
6890
  );
6891
+ INFISICAL_TENANT_SOFTWARE_SYSTEMS.flatMap((system) => [
6892
+ {
6893
+ id: `tenant.${system.id}.convex.url`,
6894
+ canonicalName: system.convex.urlEnv,
6895
+ aliases: tenantConvexUrlAliases(system),
6896
+ owner: "tenant",
6897
+ scope: "software_system",
6898
+ sourcePath: system.sharedSourcePath,
6899
+ environmentPolicy: "preprod_staging_prod_prod",
6900
+ required: true,
6901
+ secret: false,
6902
+ public: false,
6903
+ consumers: [
6904
+ "tenant-vercel-app",
6905
+ "tenant-agent-runtime",
6906
+ "mc-operator-tooling"
6907
+ ],
6908
+ destinations: [
6909
+ {
6910
+ kind: "vercel",
6911
+ target: system.vercelProjectName,
6912
+ environmentPolicy: "preprod_staging_prod_prod",
6913
+ writeNames: tenantVercelConvexUrlWriteNames(system)
6914
+ },
6915
+ {
6916
+ kind: "github_actions",
6917
+ target: `${system.repository.owner}/${system.repository.name}`,
6918
+ environmentPolicy: "preprod_staging_prod_prod",
6919
+ writeNames: tenantRepositoryConvexUrlWriteNames(system),
6920
+ notes: "Only if that repository deploy/test workflow owns this software system."
6921
+ }
6922
+ ],
6923
+ description: `${system.tenantKey}/${system.workspaceKey} Convex URL. Pre-prod resolves to ${system.convex.preprodDeployment}; prod resolves to ${system.convex.prodDeployment}.`
6924
+ },
6925
+ {
6926
+ id: `tenant.${system.id}.convex.deploy-key`,
6927
+ canonicalName: system.convex.deployKeyEnv,
6928
+ aliases: tenantConvexDeployKeyAliases(system),
6929
+ owner: "tenant",
6930
+ scope: "software_system",
6931
+ sourcePath: system.sharedSourcePath,
6932
+ environmentPolicy: "preprod_staging_prod_prod",
6933
+ required: true,
6934
+ secret: true,
6935
+ public: false,
6936
+ consumers: [
6937
+ "tenant-vercel-app",
6938
+ "tenant-agent-runtime",
6939
+ "mc-operator-tooling"
6940
+ ],
6941
+ destinations: [
6942
+ {
6943
+ kind: "vercel",
6944
+ target: system.vercelProjectName,
6945
+ environmentPolicy: "preprod_staging_prod_prod"
6946
+ },
6947
+ {
6948
+ kind: "github_actions",
6949
+ target: `${system.repository.owner}/${system.repository.name}`,
6950
+ environmentPolicy: "preprod_staging_prod_prod",
6951
+ writeNames: tenantRepositoryConvexDeployKeyWriteNames(system),
6952
+ notes: "Only if that repository deploy/test workflow owns this software system."
6953
+ }
6954
+ ],
6955
+ description: `${system.tenantKey}/${system.workspaceKey} Convex deploy/admin key. Never route to sibling workspaces.`
6956
+ }
6957
+ ]);
5149
6958
  z.object({
5150
6959
  manifestVersion: z.literal("1.0.0"),
5151
6960
  rules: z.array(
@@ -5186,7 +6995,7 @@ var createEvidenceInputSchemaBase = z.object({
5186
6995
  targetId: z.string().optional(),
5187
6996
  targetNodeId: z.string().optional(),
5188
6997
  linkedBeliefNodeId: z.string().optional(),
5189
- evidenceRelation: z.enum(["supports", "contradicts", "neutral"]).optional(),
6998
+ evidenceRelation: z.enum(["supports", "contradicts"]).optional(),
5190
6999
  confidence: z.number().optional(),
5191
7000
  weight: z.number().optional(),
5192
7001
  reasoning: z.string().optional(),
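Review bot: Removing `"neutral"` from the `evidenceRelation` enum makes `createEvidenceInputSchemaBase` reject a value the previous version accepted, and nothing in this hunk maps or migrates it. The next hunk makes the same removal in the Convex validator of `createEvidenceProjection`, so the value is refused at both layers. If older clients or stored evidence can still carry `neutral`, they will fail validation. At minimum I would add a comment on the changed line, `// "neutral" removed in 0.3.0-alpha.11: omit evidenceRelation instead`, and mention the break in the release notes. The schema object starts and ends outside the hunk.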
@@ -5271,8 +7080,7 @@ var createEvidenceProjection = defineProjection({
5271
7080
  evidenceRelation: v.optional(
5272
7081
  v.union(
5273
7082
  v.literal("supports"),
5274
- v.literal("contradicts"),
5275
- v.literal("neutral")
7083
+ v.literal("contradicts")
5276
7084
  )
5277
7085
  ),
5278
7086
  confidence: v.optional(v.number()),
@@ -5321,12 +7129,17 @@ var listBeliefsProjection = defineProjection({
5321
7129
  });
5322
7130
  var taskStatusSchema = z.enum(["todo", "in_progress", "blocked", "done"]).optional().describe("Filter by task status");
5323
7131
  var listTasksInputSchema = z.object({
5324
- topicId: z.string().describe("Topic scope"),
7132
+ topicId: z.string().optional().describe("Topic scope"),
5325
7133
  worktreeId: z.string().optional().describe("Alias for linkedWorktreeId"),
5326
7134
  linkedWorktreeId: z.string().optional().describe("Filter to tasks linked to this worktree"),
5327
7135
  status: taskStatusSchema,
5328
7136
  limit: z.number().optional().describe("Maximum results")
5329
- });
7137
+ }).refine(
7138
+ (input) => Boolean(input.topicId || input.worktreeId || input.linkedWorktreeId),
7139
+ {
7140
+ message: "topicId or worktreeId is required"
7141
+ }
7142
+ );
5330
7143
  function compactRecord3(input) {
5331
7144
  return Object.fromEntries(
5332
7145
  Object.entries(input).filter(([, value]) => value !== void 0)
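Review bot: The `refine` message on `listTasksInputSchema` says "topicId or worktreeId is required", but the predicate also accepts `linkedWorktreeId`, so the error text does not describe the actual rule. `message: "topicId, worktreeId or linkedWorktreeId is required"` would match the check. `Boolean(...)` also treats an empty string as missing, which looks intended but deserves a short comment. Since `.refine()` returns a wrapped schema rather than the plain object, any code that reads this schema's shape directly should be confirmed to unwrap it first. `compactRecord3` continues outside the hunk.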
@@ -5343,7 +7156,7 @@ var listTasksProjection = defineProjection({
5343
7156
  linkedWorktreeId: input.linkedWorktreeId ?? input.worktreeId
5344
7157
  }),
5345
7158
  convexArgsValidator: v.object({
5346
- topicId: v.string(),
7159
+ topicId: v.optional(v.string()),
5347
7160
  status: v.optional(
5348
7161
  v.union(
5349
7162
  v.literal("todo"),
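Review bot: `topicId` becomes optional in `convexArgsValidator`, but the at-least-one-scope rule added to `listTasksInputSchema` exists only on the zod side, so this validator accepts a call that carries neither a topic nor a worktree. If the Convex function can be reached without passing through the zod schema, the handler (not visible here) should reject an unscoped call itself. Its tenant and workspace authorization should also not depend on which filter was supplied. I would add `// optional: handler must require topicId or linkedWorktreeId` on this line and a test for the unscoped call. The validator object continues outside the hunk.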
@@ -6416,7 +8229,7 @@ var CREATE_EDGE = {
6416
8229
  reasoningMethod: {
6417
8230
  type: "string",
6418
8231
  description: "How this was determined",
6419
- enum: ["deductive", "inductive", "abductive", "analogical", "empirical"]
8232
+ enum: [...REASONING_METHODS]
6420
8233
  },
6421
8234
  metadata: {
6422
8235
  type: "object",
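Review bot: Switching the `reasoningMethod` enum to `[...REASONING_METHODS]` drops `empirical`, which the old inline list accepted and the shared list added earlier in this diff does not contain. Callers or agents that still send `empirical` to CREATE_EDGE will now fail schema validation, with nothing here pointing them to a replacement. If the removal is intended, name the nearest replacement in the description, for example `description: "How this was determined (one of REASONING_METHODS; empirical is no longer accepted)"`. If it is not intended, add the value to the shared list. The CREATE_EDGE definition starts and ends outside the hunk.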
@@ -8143,6 +9956,10 @@ var CREATE_TASK = {
8143
9956
  tags: {
8144
9957
  type: "array",
8145
9958
  description: "Free-form string tags"
9959
+ },
9960
+ metadata: {
9961
+ type: "object",
9962
+ description: "Structured task metadata for handoff context and routing hints"
8146
9963
  }
8147
9964
  },
8148
9965
  required: ["title"],
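Review bot: The new `metadata` parameter on CREATE_TASK is a bare `type: "object"` with no property list or size bound, and its description says it carries routing hints. Values on this surface come from agents and other callers, so whatever consumes the hints should treat them as untrusted: validate the keys it acts on and cap the payload before storing it. The same shape is added to UPDATE_TASK in the next hunk, where "replace or refine" leaves it unclear whether the object is overwritten or merged. I would tighten the text, e.g. `description: "Structured task metadata (handoff context, routing hints); caller-supplied, do not store credentials"`, and state the update semantics there. Both definitions start and end outside their hunks.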
@@ -8216,6 +10033,10 @@ var UPDATE_TASK = {
8216
10033
  type: "string",
8217
10034
  description: "Updated status",
8218
10035
  enum: ["todo", "in_progress", "blocked", "done"]
10036
+ },
10037
+ metadata: {
10038
+ type: "object",
10039
+ description: "Structured task metadata to replace or refine"
8219
10040
  }
8220
10041
  },
8221
10042
  required: ["taskId"],
@@ -9671,6 +11492,9 @@ var BEGIN_BUILD_SESSION = {
9671
11492
  sessionMode: "string \u2014 async | interactive",
9672
11493
  targetBeliefIds: "array \u2014 scoped belief IDs",
9673
11494
  targetQuestionIds: "array \u2014 scoped question IDs",
11495
+ taskIds: "array \u2014 assigned task IDs for this worktree",
11496
+ incompleteTaskIds: "array \u2014 assigned task IDs that still require done/deferred/blocked proof",
11497
+ tasks: "array \u2014 assigned task packet with id, title, status, priority, links, and summaries",
9674
11498
  topBeliefs: "array \u2014 highest-confidence scoped beliefs",
9675
11499
  openQuestions: "array \u2014 open scoped questions",
9676
11500
  resolvedDecisions: "array \u2014 answered questions summarized for the session",
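Review bot: The description added for `incompleteTaskIds` refers to "done/deferred/blocked proof", but the task status enum shown elsewhere in this file is `todo`, `in_progress`, `blocked`, `done` and has no `deferred`. If proof states are a separate vocabulary from task status, the string should say so. If `deferred` is a leftover, something like `incompleteTaskIds: "array \u2014 assigned task IDs not yet done or blocked"` would match the enum. The enclosing object starts and ends outside the hunk.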
@@ -10271,12 +12095,20 @@ function unwrapMcpParameterSchema(schema) {
10271
12095
  current = current._def.schema;
10272
12096
  continue;
10273
12097
  default:
10274
- return { schema: current, required, description: description ?? current.description };
12098
+ return {
12099
+ schema: current,
12100
+ required,
12101
+ description: description ?? current.description
12102
+ };
10275
12103
  }
10276
12104
  }
10277
12105
  }
10278
12106
  function mcpParameterFromZod(fieldName, schema, contractName) {
10279
- const { schema: unwrapped, required, description: schemaDescription } = unwrapMcpParameterSchema(schema);
12107
+ const {
12108
+ schema: unwrapped,
12109
+ required,
12110
+ description: schemaDescription
12111
+ } = unwrapMcpParameterSchema(schema);
10280
12112
  const description = schemaDescription ?? unwrapped.description ?? fieldName;
10281
12113
  switch (unwrapped._def.typeName) {
10282
12114
  case z.ZodFirstPartyTypeKind.ZodString:
@@ -10321,10 +12153,12 @@ function mcpContractFromArgsSchema(base, args, contractName) {
10321
12153
  const entries2 = Object.entries(getObjectShape(args)).sort(
10322
12154
  ([left], [right]) => left.localeCompare(right)
10323
12155
  );
10324
- const converted = entries2.map(([fieldName, schema]) => [
10325
- fieldName,
10326
- mcpParameterFromZod(fieldName, schema, contractName)
10327
- ]);
12156
+ const converted = entries2.map(
12157
+ ([fieldName, schema]) => [
12158
+ fieldName,
12159
+ mcpParameterFromZod(fieldName, schema, contractName)
12160
+ ]
12161
+ );
10328
12162
  return {
10329
12163
  ...base,
10330
12164
  parameters: Object.fromEntries(
@@ -10436,6 +12270,7 @@ function surfaceContract(args) {
10436
12270
  allowedPrincipalTypes: ["user", "service", "agent"]
10437
12271
  },
10438
12272
  convex: args.convex,
12273
+ gateway: args.gateway,
10439
12274
  args: canonicalArgs,
10440
12275
  returns: canonicalReturns,
10441
12276
  input,
@@ -10922,7 +12757,7 @@ var beliefsContracts = [
10922
12757
  })
10923
12758
  ];
10924
12759
  var jsonRecordSchema4 = z.record(z.unknown());
10925
- var evidenceRelationSchema = z.enum(["supports", "contradicts", "neutral"]);
12760
+ var evidenceRelationSchema = z.enum(["supports", "contradicts"]);
10926
12761
  var createEvidenceArgs = z.object({
10927
12762
  topicId: z.string().optional().describe("Topic scope for the evidence."),
10928
12763
  text: z.string().describe("Canonical evidence text."),
@@ -12845,7 +14680,8 @@ var createTaskArgs = z.object({
12845
14680
  linkedQuestionId: z.string().optional().describe("Question this task addresses."),
12846
14681
  assigneeId: z.string().optional().describe("Principal assigned to the task."),
12847
14682
  dueDate: z.number().optional().describe("Due date as epoch milliseconds."),
12848
- tags: z.array(z.string()).optional().describe("Free-form tags.")
14683
+ tags: z.array(z.string()).optional().describe("Free-form tags."),
14684
+ metadata: z.record(z.unknown()).optional().describe("Structured task metadata for handoff context and routing hints.")
12849
14685
  });
12850
14686
  var createTaskInput = (input) => compactRecord4({
12851
14687
  title: input.title,
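Review bot: `metadata: z.record(z.unknown()).optional()` in `createTaskArgs` accepts an object of any size, depth and key set, and `createTaskInput` in the next hunk forwards it unchanged. The description says it carries "handoff context and routing hints", so whatever consumes those hints acts on caller-controlled data; that consumer is not visible here and may already validate it. Consider documenting which keys are honoured and bounding the payload at the contract, e.g. `.refine((m) => JSON.stringify(m).length <= MAX_TASK_METADATA_BYTES, "metadata too large")`, where `MAX_TASK_METADATA_BYTES` is a placeholder for a limit defined beside the schema. The same applies to the `metadata` properties added to `CREATE_TASK` and `UPDATE_TASK`.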
@@ -12859,7 +14695,8 @@ var createTaskInput = (input) => compactRecord4({
12859
14695
  linkedQuestionId: input.linkedQuestionId,
12860
14696
  assigneeId: input.assigneeId,
12861
14697
  dueDate: input.dueDate,
12862
- tags: input.tags
14698
+ tags: input.tags,
14699
+ metadata: input.metadata
12863
14700
  });
12864
14701
  var taskInput = (input) => compactRecord4({
12865
14702
  ...input,
@@ -12876,8 +14713,7 @@ var taskTopicInput = (input) => {
12876
14713
  };
12877
14714
  var completeTaskInput = (input) => compactRecord4({
12878
14715
  taskId: input.taskId ?? input.id,
12879
- outputSummary: input.outputSummary ?? input.summary,
12880
- userId: input.userId
14716
+ outputSummary: input.outputSummary ?? input.summary
12881
14717
  });
12882
14718
  var tasksContracts = [
12883
14719
  surfaceContract({
@@ -12895,6 +14731,7 @@ var tasksContracts = [
12895
14731
  kind: "mutation",
12896
14732
  inputProjection: createTaskInput
12897
14733
  },
14734
+ gateway: { handler: "tasks.create" },
12898
14735
  args: createTaskArgs
12899
14736
  }),
12900
14737
  surfaceContract({
@@ -12913,6 +14750,7 @@ var tasksContracts = [
12913
14750
  kind: "query",
12914
14751
  inputProjection: taskTopicInput
12915
14752
  },
14753
+ gateway: { handler: "tasks.list" },
12916
14754
  args: listTasksInputSchema
12917
14755
  }),
12918
14756
  surfaceContract({
@@ -12930,7 +14768,8 @@ var tasksContracts = [
12930
14768
  functionName: "update",
12931
14769
  kind: "mutation",
12932
14770
  inputProjection: taskInput
12933
- }
14771
+ },
14772
+ gateway: { handler: "tasks.update" }
12934
14773
  }),
12935
14774
  surfaceContract({
12936
14775
  name: "complete_task",
@@ -12946,12 +14785,14 @@ var tasksContracts = [
12946
14785
  functionName: "complete",
12947
14786
  kind: "mutation",
12948
14787
  inputProjection: completeTaskInput
12949
- }
14788
+ },
14789
+ gateway: { handler: "tasks.complete" }
12950
14790
  })
12951
14791
  ];
12952
14792
  var CREATE_EDGE_TYPES = edgePolicyManifest.policies.map(
12953
14793
  (policy) => policy.edgeType
12954
14794
  );
14795
+ var REASONING_METHOD_TYPES = [...REASONING_METHODS];
12955
14796
  var createEdgeArgs = z.object({
12956
14797
  from: GraphRefSchema,
12957
14798
  to: GraphRefSchema,
@@ -12961,6 +14802,7 @@ var createEdgeArgs = z.object({
12961
14802
  confidence: z.number().optional(),
12962
14803
  context: z.string().optional(),
12963
14804
  reasoning: z.string().optional(),
14805
+ reasoningMethod: z.enum(REASONING_METHOD_TYPES).optional(),
12964
14806
  derivationType: z.string().optional(),
12965
14807
  metadata: z.record(z.unknown()).optional(),
12966
14808
  topicId: z.string().optional(),
@@ -13039,6 +14881,7 @@ var edgesContracts = [
13039
14881
  weight: parsed.weight,
13040
14882
  confidence: parsed.confidence,
13041
14883
  context: parsed.context ?? parsed.reasoning,
14884
+ reasoningMethod: parsed.reasoningMethod,
13042
14885
  derivationType: parsed.derivationType,
13043
14886
  metadata: parsed.metadata,
13044
14887
  skipLayerValidation: true,
@@ -13163,6 +15006,7 @@ var edgesContracts = [
13163
15006
  weight: edge.weight,
13164
15007
  confidence: edge.confidence,
13165
15008
  context: edge.context ?? edge.reasoning,
15009
+ reasoningMethod: edge.reasoningMethod,
13166
15010
  derivationType: edge.derivationType,
13167
15011
  metadata: edge.metadata,
13168
15012
  topicId: edge.topicId
@@ -13897,6 +15741,69 @@ var pipelineContracts = [
13897
15741
  }
13898
15742
  })
13899
15743
  ];
15744
+ function isRecord4(value) {
15745
+ return Boolean(value) && typeof value === "object" && !Array.isArray(value);
15746
+ }
15747
+ function stringValues(value) {
15748
+ if (typeof value === "string") {
15749
+ return [value];
15750
+ }
15751
+ if (Array.isArray(value)) {
15752
+ return value.flatMap((item) => stringValues(item));
15753
+ }
15754
+ return [];
15755
+ }
15756
+ function nestedEvidenceRows(value) {
15757
+ if (Array.isArray(value)) {
15758
+ return value.flatMap((item) => nestedEvidenceRows(item));
15759
+ }
15760
+ if (!isRecord4(value)) {
15761
+ return [];
15762
+ }
15763
+ const nestedKeys = ["evidence", "items", "nodes"];
15764
+ const nestedRows = nestedKeys.flatMap((key) => nestedEvidenceRows(value[key]));
15765
+ return nestedRows.length > 0 ? nestedRows : [value];
15766
+ }
15767
+ function isFailedAttemptRow(row) {
15768
+ const metadata = isRecord4(row.metadata) ? row.metadata : null;
15769
+ return metadata?.failedApproach === true || metadata?.isFailedAttempt === true;
15770
+ }
15771
+ function failureLogSearchFields(row) {
15772
+ const metadata = isRecord4(row.metadata) ? row.metadata : null;
15773
+ return [
15774
+ ...stringValues(row.id),
15775
+ ...stringValues(row._id),
15776
+ ...stringValues(row.title),
15777
+ ...stringValues(row.text),
15778
+ ...stringValues(row.canonicalText),
15779
+ ...stringValues(row.content),
15780
+ ...stringValues(metadata?.codeAnchor),
15781
+ ...stringValues(metadata?.codeAnchors),
15782
+ ...stringValues(metadata?.anchor),
15783
+ ...stringValues(metadata?.anchors),
15784
+ ...stringValues(metadata?.filePath),
15785
+ ...stringValues(metadata?.filePaths),
15786
+ ...stringValues(metadata?.path),
15787
+ ...stringValues(metadata?.paths),
15788
+ ...stringValues(metadata?.sourceRef),
15789
+ ...stringValues(metadata?.touchedPaths)
15790
+ ];
15791
+ }
15792
+ function projectFailureLog(output, input) {
15793
+ const rawQuery = typeof input.query === "string" && input.query.trim().length > 0 ? input.query.trim() : void 0;
15794
+ const searchKey = rawQuery?.toLowerCase();
15795
+ const failures = nestedEvidenceRows(output).filter((row) => isFailedAttemptRow(row)).filter(
15796
+ (row) => !searchKey ? true : failureLogSearchFields(row).some(
15797
+ (field) => field.toLowerCase().includes(searchKey)
15798
+ )
15799
+ );
15800
+ return {
15801
+ query: rawQuery,
15802
+ failures,
15803
+ totalFound: failures.length,
15804
+ showing: failures.length
15805
+ };
15806
+ }
13900
15807
  var recordScopeLearningArgs = z.object({
13901
15808
  topicId: z.string().optional().describe("Topic scope ID"),
13902
15809
  summary: z.string().describe("Atomic learning statement"),
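Review bot: `projectFailureLog` sets both `totalFound` and `showing` to `failures.length`, which is computed after the local `query` filter has run over whatever the backend returned. The input projection in the `codingContracts` hunk forwards `limit`, so the backend result is presumably already truncated. In that case `totalFound` counts matches in the fetched page only, and a matching row beyond the limit is silently missed. Either pass the query to the backend or document the limitation, e.g. `// totalFound counts matches within the fetched page only; rows beyond input.limit are not searched`. The new helpers carry no comments; `nestedEvidenceRows` in particular needs one line saying that a record is replaced by its `evidence`/`items`/`nodes` children whenever any exist.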
@@ -13986,6 +15893,8 @@ var attemptInput = (input, context) => withUserId(
13986
15893
  tags: ["code_attempt"],
13987
15894
  metadata: compactRecord4({
13988
15895
  ...recordValue2(input.metadata),
15896
+ failedApproach: true,
15897
+ isFailedAttempt: true,
13989
15898
  filePaths: input.filePaths,
13990
15899
  filePath: input.filePath,
13991
15900
  errorMessage: input.errorMessage,
@@ -14116,7 +16025,8 @@ var codingContracts = [
14116
16025
  limit: input.limit,
14117
16026
  status: input.status,
14118
16027
  userId: input.userId
14119
- })
16028
+ }),
16029
+ outputProjection: (output, input) => projectFailureLog(output, input)
14120
16030
  }
14121
16031
  })
14122
16032
  ];
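Review bot: The input projection that this hunk extends still forwards `userId: input.userId` from the tool arguments, while the same release removes `userId` from `completeTaskInput`. If the backend uses that value to scope or attribute failure-log reads, it should come from the authenticated context rather than from the caller; whether it does is not visible here. Either drop the line as was done for `complete_task`, or add a comment such as `// userId is a filter only; access is decided from the auth context`. The enclosing contract definition starts outside the hunk.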
@@ -14578,14 +16488,14 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
14578
16488
  description: "Worktrees are tenant/runtime planning data."
14579
16489
  },
14580
16490
  {
14581
- component: "identity",
16491
+ component: "control-plane",
14582
16492
  table: "agents",
14583
16493
  prepopulation: "runtime_bootstrap",
14584
16494
  copyMode: "none",
14585
16495
  description: "Service agents are provisioned per tenant or service, not copied."
14586
16496
  },
14587
16497
  {
14588
- component: "identity",
16498
+ component: "control-plane",
14589
16499
  table: "mcpWritePolicy",
14590
16500
  prepopulation: "required_template",
14591
16501
  copyMode: "template_global",
@@ -14594,14 +16504,14 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
14594
16504
  description: "Global write policy defaults govern service and interactive MCP writes."
14595
16505
  },
14596
16506
  {
14597
- component: "identity",
16507
+ component: "control-plane",
14598
16508
  table: "modelCallLogs",
14599
16509
  prepopulation: "runtime_log",
14600
16510
  copyMode: "none",
14601
16511
  description: "Model call logs are runtime telemetry."
14602
16512
  },
14603
16513
  {
14604
- component: "identity",
16514
+ component: "control-plane",
14605
16515
  table: "modelFunctionSlots",
14606
16516
  prepopulation: "required_template",
14607
16517
  copyMode: "template_global",
@@ -14610,7 +16520,7 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
14610
16520
  description: "Function-to-model slots are required by model runtime resolution."
14611
16521
  },
14612
16522
  {
14613
- component: "identity",
16523
+ component: "control-plane",
14614
16524
  table: "modelRegistry",
14615
16525
  prepopulation: "required_template",
14616
16526
  copyMode: "template_global",
@@ -14619,7 +16529,7 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
14619
16529
  description: "Model catalog defaults are required by model runtime clients."
14620
16530
  },
14621
16531
  {
14622
- component: "identity",
16532
+ component: "control-plane",
14623
16533
  table: "modelSlotConfigs",
14624
16534
  prepopulation: "required_template",
14625
16535
  copyMode: "template_global",
@@ -14628,14 +16538,105 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
14628
16538
  description: "Slot-level defaults are required before tenant overrides exist."
14629
16539
  },
14630
16540
  {
14631
- component: "identity",
16541
+ component: "control-plane",
16542
+ table: "permitAccessReviewItems",
16543
+ prepopulation: "runtime_data",
16544
+ copyMode: "none",
16545
+ description: "Permit access-review item rows are tenant review data projected from Permit."
16546
+ },
16547
+ {
16548
+ component: "control-plane",
16549
+ table: "permitAccessReviews",
16550
+ prepopulation: "runtime_data",
16551
+ copyMode: "none",
16552
+ description: "Permit access-review campaigns are tenant review data projected from Permit."
16553
+ },
16554
+ {
16555
+ component: "control-plane",
16556
+ table: "permitAttributeBindings",
16557
+ prepopulation: "runtime_data",
16558
+ copyMode: "none",
16559
+ description: "Permit ABAC attribute bindings are tenant policy projection rows."
16560
+ },
16561
+ {
16562
+ component: "control-plane",
16563
+ table: "permitGroups",
16564
+ prepopulation: "runtime_data",
16565
+ copyMode: "none",
16566
+ description: "Permit groups are tenant-defined policy subjects, not template data."
16567
+ },
16568
+ {
16569
+ component: "control-plane",
16570
+ table: "permitGroupMemberships",
16571
+ prepopulation: "runtime_data",
16572
+ copyMode: "none",
16573
+ description: "Permit group memberships are tenant-specific policy projection rows."
16574
+ },
16575
+ {
16576
+ component: "control-plane",
16577
+ table: "permitPolicyBundles",
16578
+ prepopulation: "runtime_derived",
16579
+ copyMode: "none",
16580
+ description: "Permit policy bundles are derived from the Permit control plane."
16581
+ },
16582
+ {
16583
+ component: "control-plane",
16584
+ table: "permitPolicyDecisionReceipts",
16585
+ prepopulation: "runtime_log",
16586
+ copyMode: "none",
16587
+ description: "Permit decision receipts are runtime authorization audit logs."
16588
+ },
16589
+ {
16590
+ component: "control-plane",
16591
+ table: "permitPrincipalAliases",
16592
+ prepopulation: "runtime_data",
16593
+ copyMode: "none",
16594
+ description: "Permit principal aliases are tenant-specific identity projection rows."
16595
+ },
16596
+ {
16597
+ component: "control-plane",
16598
+ table: "permitPrincipals",
16599
+ prepopulation: "runtime_data",
16600
+ copyMode: "none",
16601
+ description: "Permit principals are projected from Clerk, Permit, and tenant onboarding flows."
16602
+ },
16603
+ {
16604
+ component: "control-plane",
16605
+ table: "permitProjectionOutbox",
16606
+ prepopulation: "runtime_queue",
16607
+ copyMode: "none",
16608
+ description: "Permit projection outbox rows are runtime sync queue data."
16609
+ },
16610
+ {
16611
+ component: "control-plane",
16612
+ table: "permitRelationshipTuples",
16613
+ prepopulation: "runtime_data",
16614
+ copyMode: "none",
16615
+ description: "Permit ReBAC relationship tuples are tenant policy projection rows."
16616
+ },
16617
+ {
16618
+ component: "control-plane",
16619
+ table: "permitResourceInstances",
16620
+ prepopulation: "runtime_data",
16621
+ copyMode: "none",
16622
+ description: "Permit resource instances are tenant/workspace graph and deployment projection rows."
16623
+ },
16624
+ {
16625
+ component: "control-plane",
16626
+ table: "permitRoleAssignments",
16627
+ prepopulation: "runtime_data",
16628
+ copyMode: "none",
16629
+ description: "Permit role assignments are tenant-specific policy projection rows."
16630
+ },
16631
+ {
16632
+ component: "control-plane",
14632
16633
  table: "platformAudienceGrants",
14633
16634
  prepopulation: "runtime_data",
14634
16635
  copyMode: "none",
14635
16636
  description: "Audience grants are principal/group-specific access rows."
14636
16637
  },
14637
16638
  {
14638
- component: "identity",
16639
+ component: "control-plane",
14639
16640
  table: "platformAudiences",
14640
16641
  prepopulation: "required_template",
14641
16642
  copyMode: "template_tenant_rewrite",
@@ -14644,35 +16645,35 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
14644
16645
  description: "Default tenant audience taxonomy rows are rewritten into each tenant."
14645
16646
  },
14646
16647
  {
14647
- component: "identity",
16648
+ component: "control-plane",
14648
16649
  table: "platformPolicyDecisionLogs",
14649
16650
  prepopulation: "runtime_log",
14650
16651
  copyMode: "none",
14651
16652
  description: "Policy decisions are runtime audit logs."
14652
16653
  },
14653
16654
  {
14654
- component: "identity",
16655
+ component: "control-plane",
14655
16656
  table: "projectGrants",
14656
16657
  prepopulation: "runtime_data",
14657
16658
  copyMode: "none",
14658
16659
  description: "Project/topic grants are principal or group-specific access rows."
14659
16660
  },
14660
16661
  {
14661
- component: "identity",
16662
+ component: "control-plane",
14662
16663
  table: "reasoningPermissions",
14663
16664
  prepopulation: "runtime_data",
14664
16665
  copyMode: "none",
14665
16666
  description: "Reasoning permissions are principal-specific policy rows."
14666
16667
  },
14667
16668
  {
14668
- component: "identity",
16669
+ component: "control-plane",
14669
16670
  table: "tenantApiKeys",
14670
16671
  prepopulation: "runtime_secret",
14671
16672
  copyMode: "none",
14672
16673
  description: "API keys are tenant credentials and must never be copied."
14673
16674
  },
14674
16675
  {
14675
- component: "identity",
16676
+ component: "control-plane",
14676
16677
  table: "tenantConfig",
14677
16678
  prepopulation: "required_template",
14678
16679
  copyMode: "template_tenant_rewrite",
@@ -14681,7 +16682,7 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
14681
16682
  description: "Tenant-local config defaults are rewritten during bootstrap."
14682
16683
  },
14683
16684
  {
14684
- component: "identity",
16685
+ component: "control-plane",
14685
16686
  table: "tenantIntegrations",
14686
16687
  prepopulation: "required_template",
14687
16688
  copyMode: "template_tenant_rewrite",
@@ -14690,14 +16691,21 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
14690
16691
  description: "Non-secret integration descriptors are rewritten into each tenant."
14691
16692
  },
14692
16693
  {
14693
- component: "identity",
16694
+ component: "control-plane",
14694
16695
  table: "tenantModelSlotBindings",
14695
16696
  prepopulation: "runtime_secret",
14696
16697
  copyMode: "none",
14697
16698
  description: "Tenant model slot bindings reference provider secrets and are runtime-only."
14698
16699
  },
14699
16700
  {
14700
- component: "identity",
16701
+ component: "control-plane",
16702
+ table: "tenantPermitSyncStates",
16703
+ prepopulation: "runtime_derived",
16704
+ copyMode: "none",
16705
+ description: "Tenant Permit sync state rows are runtime reconciliation state."
16706
+ },
16707
+ {
16708
+ component: "control-plane",
14701
16709
  table: "tenantPolicies",
14702
16710
  prepopulation: "required_template",
14703
16711
  copyMode: "template_tenant_rewrite",
@@ -14706,42 +16714,42 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
14706
16714
  description: "Default tenant policy roles are rewritten during bootstrap."
14707
16715
  },
14708
16716
  {
14709
- component: "identity",
16717
+ component: "control-plane",
14710
16718
  table: "tenantProviderSecrets",
14711
16719
  prepopulation: "runtime_secret",
14712
16720
  copyMode: "none",
14713
16721
  description: "Provider secrets are credentials and must never be copied."
14714
16722
  },
14715
16723
  {
14716
- component: "identity",
16724
+ component: "control-plane",
14717
16725
  table: "tenantProxyGatewayUsage",
14718
16726
  prepopulation: "runtime_log",
14719
16727
  copyMode: "none",
14720
16728
  description: "Proxy gateway usage rows are runtime telemetry."
14721
16729
  },
14722
16730
  {
14723
- component: "identity",
16731
+ component: "control-plane",
14724
16732
  table: "tenantProxyTokenMints",
14725
16733
  prepopulation: "runtime_secret",
14726
16734
  copyMode: "none",
14727
16735
  description: "Proxy token mints are ephemeral secret-bearing runtime rows."
14728
16736
  },
14729
16737
  {
14730
- component: "identity",
16738
+ component: "control-plane",
14731
16739
  table: "tenantSandboxAuditEvents",
14732
16740
  prepopulation: "runtime_log",
14733
16741
  copyMode: "none",
14734
16742
  description: "Sandbox audit rows are runtime security logs."
14735
16743
  },
14736
16744
  {
14737
- component: "identity",
16745
+ component: "control-plane",
14738
16746
  table: "tenantSecrets",
14739
16747
  prepopulation: "runtime_secret",
14740
16748
  copyMode: "none",
14741
16749
  description: "Tenant secrets are credentials and must never be copied."
14742
16750
  },
14743
16751
  {
14744
- component: "identity",
16752
+ component: "control-plane",
14745
16753
  table: "toolAcls",
14746
16754
  prepopulation: "required_template",
14747
16755
  copyMode: "template_global",
@@ -14750,7 +16758,7 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
14750
16758
  description: "Default role-to-tool grants are required for SDK/MCP tool access."
14751
16759
  },
14752
16760
  {
14753
- component: "identity",
16761
+ component: "control-plane",
14754
16762
  table: "toolRegistry",
14755
16763
  prepopulation: "required_template",
14756
16764
  copyMode: "template_global",
@@ -14759,7 +16767,7 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
14759
16767
  description: "Core tool catalog rows are required before pack or tenant tools exist."
14760
16768
  },
14761
16769
  {
14762
- component: "identity",
16770
+ component: "control-plane",
14763
16771
  table: "users",
14764
16772
  prepopulation: "runtime_bootstrap",
14765
16773
  copyMode: "none",
@@ -15144,11 +17152,11 @@ function readString2(value) {
15144
17152
  function readNullableNumber(value) {
15145
17153
  return typeof value === "number" && Number.isFinite(value) ? value : null;
15146
17154
  }
15147
- function isRecord4(value) {
17155
+ function isRecord5(value) {
15148
17156
  return Boolean(value) && typeof value === "object" && !Array.isArray(value);
15149
17157
  }
15150
17158
  function refreshLucernContextFromBuildSession(payload, args) {
15151
- if (!isRecord4(payload)) {
17159
+ if (!isRecord5(payload)) {
15152
17160
  return;
15153
17161
  }
15154
17162
  const topicId = readString2(payload.topicId);
@@ -15353,7 +17361,8 @@ var edgeHandlers = {
15353
17361
  topicId: readString(args.topicId ?? args.projectId),
15354
17362
  confidence: readNumber(args.confidence),
15355
17363
  weight: readNumber(args.weight),
15356
- context: readString(args.context) ?? readString(args.reasoning)
17364
+ context: readString(args.context) ?? readString(args.reasoning),
17365
+ reasoningMethod: readString(args.reasoningMethod)
15357
17366
  })
15358
17367
  );
15359
17368
  },
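Review bot: `reasoningMethod: readString(args.reasoningMethod)` in `edgeHandlers` forwards any string, whereas `createEdgeArgs` restricts the same field with `z.enum(REASONING_METHOD_TYPES)`. Unless the call that receives this object re-validates it (not visible in this hunk), a value outside the taxonomy can reach storage through this handler. A membership check keeps the two paths aligned: `reasoningMethod: REASONING_METHODS.includes(args.reasoningMethod) ? args.reasoningMethod : void 0`. The handler body starts and ends outside the hunk.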
@@ -16782,7 +18791,7 @@ function readStringArray2(value) {
16782
18791
  }
16783
18792
  return value.map((entry) => readString3(entry)).filter((entry) => Boolean(entry));
16784
18793
  }
16785
- function isRecord5(value) {
18794
+ function isRecord6(value) {
16786
18795
  return value !== null && typeof value === "object" && !Array.isArray(value);
16787
18796
  }
16788
18797
  function decodePrefixedIdOrNull(value) {
@@ -16797,7 +18806,7 @@ function decodePrefixedIdOrNull(value) {
16797
18806
  };
16798
18807
  }
16799
18808
  function asRecord2(value) {
16800
- return isRecord5(value) ? value : {};
18809
+ return isRecord6(value) ? value : {};
16801
18810
  }
16802
18811
  function normalizeTopicId(value) {
16803
18812
  const normalized = readString3(value);
@@ -17932,7 +19941,7 @@ var researchVerificationHandlers = {
17932
19941
  function cleanString(value) {
17933
19942
  return typeof value === "string" && value.trim().length > 0 ? value.trim() : void 0;
17934
19943
  }
17935
- function isRecord6(value) {
19944
+ function isRecord7(value) {
17936
19945
  return value !== null && typeof value === "object" && !Array.isArray(value);
17937
19946
  }
17938
19947
  function prefixId(prefix, value) {
@@ -17988,7 +19997,7 @@ function toPublicCompiledContext(pack) {
17988
19997
  scopedTopicIds: (pack.scopedTopicIds ?? []).map((id) => prefixId("top", id)),
17989
19998
  generatedAt: pack.generatedAt,
17990
19999
  ranking: pack.rankingProfile,
17991
- summary: isRecord6(pack.summary) ? pack.summary : {},
20000
+ summary: isRecord7(pack.summary) ? pack.summary : {},
17992
20001
  invariants: (pack.invariants ?? []).map((belief) => ({
17993
20002
  beliefId: prefixId("bel", belief.nodeId),
17994
20003
  text: belief.canonicalText,
@@ -18059,7 +20068,7 @@ function toPublicCompiledContext(pack) {
18059
20068
  }))
18060
20069
  } : {}
18061
20070
  },
18062
- diagnostics: isRecord6(pack.diagnostics) ? pack.diagnostics : {},
20071
+ diagnostics: isRecord7(pack.diagnostics) ? pack.diagnostics : {},
18063
20072
  ...pack.compilationMode ? { compilationMode: pack.compilationMode } : {},
18064
20073
  ...pack.failureContext ? {
18065
20074
  failureContext: {
@@ -18567,6 +20576,21 @@ async function checkWritePolicy(toolName, topicId, authCtx) {
18567
20576
  authCtx
18568
20577
  });
18569
20578
  if (!result) {
20579
+ if (authCtx.sessionType === "agent") {
20580
+ return {
20581
+ allowed: false,
20582
+ permission: "deny",
20583
+ toolCategory: null,
20584
+ policy: null,
20585
+ reason: "no_policy_response",
20586
+ explanation: {
20587
+ summary: "Denied because agent write-policy checks fail closed when no policy response is returned.",
20588
+ toolName,
20589
+ role: authCtx.role,
20590
+ topicId
20591
+ }
20592
+ };
20593
+ }
18570
20594
  return {
18571
20595
  allowed: true,
18572
20596
  permission: "allow",
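Review bot: The new fail-closed branch in `checkWritePolicy` is keyed on `authCtx.sessionType === "agent"`, so every other value, including a missing or misspelled `sessionType`, still reaches the `allowed: true` return when no policy response comes back. Deny-by-default is the safer shape: allow only session types that are explicitly listed as fail-open and deny the rest, e.g. `if (!FAIL_OPEN_SESSION_TYPES.has(authCtx.sessionType)) { /* return the deny object */ }`, where the set name is a placeholder because the valid session types are not visible here. The `catch` hunk below has the same condition and the same gap. This deny object also omits the `matchedReasonCode` and `steps` fields that the `catch` branch returns, so the two denials cannot be handled uniformly. The function body extends beyond the hunk.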
@@ -18600,6 +20624,33 @@ async function checkWritePolicy(toolName, topicId, authCtx) {
18600
20624
  }
18601
20625
  return result;
18602
20626
  } catch (err) {
20627
+ if (authCtx.sessionType === "agent") {
20628
+ return {
20629
+ allowed: false,
20630
+ permission: "deny",
20631
+ toolCategory: null,
20632
+ policy: null,
20633
+ explanation: {
20634
+ summary: "Denied because agent write-policy checks fail closed on policy evaluation errors.",
20635
+ matchedReasonCode: "WRITE_POLICY_CHECK_ERROR",
20636
+ steps: [
20637
+ {
20638
+ stage: "policy_lookup",
20639
+ outcome: "failed",
20640
+ reasonCode: "WRITE_POLICY_CHECK_ERROR",
20641
+ detail: err instanceof Error ? err.message : "Unknown policy evaluation error."
20642
+ },
20643
+ {
20644
+ stage: "decision",
20645
+ outcome: "failed",
20646
+ reasonCode: "WRITE_POLICY_CHECK_ERROR",
20647
+ detail: "Agent sessions cannot convert a write-policy infrastructure error into an allow."
20648
+ }
20649
+ ]
20650
+ },
20651
+ reason: "policy_check_error"
20652
+ };
20653
+ }
18603
20654
  console.error(
18604
20655
  `[write-policy] Policy check failed for ${toolName}: ${err instanceof Error ? err.message : err}. Allowing (fail-open).`
18605
20656
  );
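Review bot: The deny object returned from the `catch` branch copies `err.message` into `explanation.steps[0].detail`, which presumably travels back to the calling agent. Backend error text can carry internal hostnames, function names or query fragments, so keep it in the server log and return a fixed string, e.g. `detail: "Policy evaluation failed."`. The agent branch also returns before the `console.error` below it, so the one case that is now blocked leaves no log entry. A `console.error` inside the new branch, with the tool name and the words "denying (fail-closed)", would keep these denials observable.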