@lucern/mcp 0.3.0-alpha.10 → 0.3.0-alpha.12

package/dist/runtime.js CHANGED
@@ -232,6 +232,20 @@ var autoBranchingHandlers = {
232
232
  }
233
233
  };
234
234
 
235
+ // ../contracts/src/types/reasoning-method.ts
236
+ var REASONING_METHODS = [
237
+ "deductive",
238
+ "inductive",
239
+ "abductive",
240
+ "analogical",
241
+ "causal",
242
+ "correlational",
243
+ "testimonial",
244
+ "statistical",
245
+ "implicit",
246
+ "pattern_match"
247
+ ];
248
+
235
249
  // ../contracts/src/graph-intelligence.contract.ts
236
250
  var GRAPH_INTELLIGENCE_MODE_TOOL_NAMES = {
237
251
  core: [
@@ -941,7 +955,7 @@ defineTable({
941
955
  });
942
956
  defineTable({
943
957
  name: "agents",
944
- component: "identity",
958
+ component: "control-plane",
945
959
  category: "agent",
946
960
  shape: z.object({
947
961
  "slug": z.string(),
@@ -972,6 +986,7 @@ defineTable({
972
986
  category: "tenant",
973
987
  shape: z.object({
974
988
  "tenantId": idOf("tenants"),
989
+ "workspaceId": idOf("workspaces").optional(),
975
990
  "keyPrefix": z.enum(["luc", "stk"]),
976
991
  "keyHash": z.string(),
977
992
  "keyHint": z.string(),
@@ -999,7 +1014,7 @@ defineTable({
999
1014
  shape: z.object({
1000
1015
  "tenantId": idOf("tenants").optional(),
1001
1016
  "apiKeyId": idOf("apiKeys").optional(),
1002
- "action": z.enum(["key_created", "key_revoked", "key_expired", "key_used", "tenant_secret_created", "tenant_secret_rotated", "tenant_secret_revoked", "tenant_slot_binding_upserted", "tenant_slot_binding_revoked", "proxy_token_minted", "proxy_request_recorded", "tenant_created", "tenant_updated", "tenant_suspended", "tenant_archived", "tenant_reactivated", "principal_created", "principal_updated", "principal_suspended", "membership_created", "membership_updated", "membership_revoked", "group_created", "group_updated", "group_deleted", "group_member_added", "group_member_removed", "workspace_created", "workspace_updated", "workspace_archived", "workspace_deployment_set", "workspace_deployment_removed", "service_key_created", "service_key_rotated", "service_key_revoked", "service_key_used", "service_key_auth_failed", "session_created", "session_validated", "session_revoked", "session_cascade_revoked", "session_expired", "sandbox_created", "sandbox_secret_injected", "sandbox_execution_started", "sandbox_execution_completed", "sandbox_limit_violated", "policy_created", "policy_updated", "policy_enforced", "policy_archived", "agent_registered", "agent_updated", "tool_registered", "tool_updated", "pack_entitled", "pack_installed", "pack_enabled", "pack_disabled", "pack_entitlement_revoked", "pack_upgraded", "pack_upgrade_committed", "pack_upgrade_rolled_back", "pack_group_assigned", "pack_group_unassigned", "methodology_pack_created", "methodology_pack_updated", "methodology_pack_assigned", "methodology_pack_removed", "pack_assigned_to_group", "pack_revoked_from_group", "pack_ontology_materialized", "pack_ontology_topic_bound", "cutover_flag_set", "cutover_flag_cleared"]),
1017
+ "action": z.enum(["key_created", "key_revoked", "key_expired", "key_used", "tenant_secret_created", "tenant_secret_rotated", "tenant_secret_revoked", "tenant_slot_binding_upserted", "tenant_slot_binding_revoked", "proxy_token_minted", "proxy_token_lease_issued", "proxy_token_lease_renewed", "proxy_token_lease_revoked", "proxy_request_recorded", "tenant_created", "tenant_updated", "tenant_suspended", "tenant_archived", "tenant_reactivated", "principal_created", "principal_updated", "principal_suspended", "principal_identity_alias_upserted", "principal_identity_alias_revoked", "membership_created", "membership_updated", "membership_revoked", "group_created", "group_updated", "group_deleted", "group_member_added", "group_member_removed", "workspace_created", "workspace_updated", "workspace_archived", "workspace_deployment_set", "workspace_deployment_removed", "deployment_host_registered", "deployment_host_revoked", "service_key_created", "service_key_rotated", "service_key_revoked", "service_key_used", "service_key_auth_failed", "session_created", "session_validated", "session_revoked", "session_cascade_revoked", "session_expired", "sandbox_created", "sandbox_secret_injected", "sandbox_execution_started", "sandbox_execution_completed", "sandbox_limit_violated", "policy_created", "policy_updated", "policy_enforced", "policy_archived", "permit_sync_enqueued", "permit_sync_succeeded", "permit_sync_failed", "permit_sync_skipped", "agent_registered", "agent_updated", "tool_registered", "tool_updated", "pack_entitled", "pack_installed", "pack_enabled", "pack_disabled", "pack_entitlement_revoked", "pack_upgraded", "pack_upgrade_committed", "pack_upgrade_rolled_back", "pack_group_assigned", "pack_group_unassigned", "methodology_pack_created", "methodology_pack_updated", "methodology_pack_assigned", "methodology_pack_removed", "pack_assigned_to_group", "pack_revoked_from_group", "pack_ontology_materialized", "pack_ontology_topic_bound", "cutover_flag_set", 
"cutover_flag_cleared"]),
1003
1018
  "actorClerkId": z.string(),
1004
1019
  "details": z.any().optional(),
1005
1020
  "createdAt": z.number()
@@ -1878,29 +1893,37 @@ defineTable({
1878
1893
  component: "mc",
1879
1894
  category: "runtime",
1880
1895
  shape: z.object({
1881
- "shimId": z.string(),
1882
- "gateId": z.string(),
1883
- "removalDate": z.string(),
1884
- "removalPriority": z.enum(["P1", "P2", "P3"]),
1885
- "description": z.string(),
1886
- "owner": z.string(),
1887
- "createdAt": z.string(),
1888
- "status": z.enum(["active", "overdue", "removed"]),
1889
- "bridgeType": z.enum(["tool", "agent"]),
1890
- "bridgeTarget": z.object({
1891
- "type": z.enum(["tool", "agent"]),
1892
- "legacyPath": z.string(),
1893
- "harnessPath": z.string()
1896
+ shimId: z.string(),
1897
+ gateId: z.string(),
1898
+ removalDate: z.string(),
1899
+ removalPriority: z.enum(["P1", "P2", "P3"]),
1900
+ description: z.string(),
1901
+ owner: z.string(),
1902
+ createdAt: z.string(),
1903
+ status: z.enum(["active", "overdue", "removed"]),
1904
+ bridgeType: z.enum(["tool", "agent"]),
1905
+ bridgeTarget: z.object({
1906
+ type: z.enum(["tool", "agent"]),
1907
+ legacyPath: z.string(),
1908
+ harnessPath: z.string()
1894
1909
  }),
1895
- "shimBehavior": z.enum(["passthrough_with_logging", "adapter", "feature_flag_gate"]),
1896
- "producesLedgerEntries": z.boolean(),
1897
- "lastAuditedAt": z.number(),
1898
- "metadata": z.record(z.any()).optional()
1910
+ shimBehavior: z.enum([
1911
+ "passthrough_with_logging",
1912
+ "adapter",
1913
+ "feature_flag_gate"
1914
+ ]),
1915
+ producesLedgerEntries: z.boolean(),
1916
+ lastAuditedAt: z.number(),
1917
+ metadata: z.record(z.any()).optional()
1899
1918
  }),
1900
1919
  indices: [
1901
1920
  { kind: "index", name: "by_shimId", columns: ["shimId"] },
1902
1921
  { kind: "index", name: "by_status", columns: ["status"] },
1903
- { kind: "index", name: "by_bridgeType_status", columns: ["bridgeType", "status"] }
1922
+ {
1923
+ kind: "index",
1924
+ name: "by_bridgeType_status",
1925
+ columns: ["bridgeType", "status"]
1926
+ }
1904
1927
  ]
1905
1928
  });
1906
1929
  defineTable({
@@ -1908,12 +1931,23 @@ defineTable({
1908
1931
  component: "mc",
1909
1932
  category: "runtime",
1910
1933
  shape: z.object({
1911
- "domain": z.enum(["graph", "schema", "identity", "policy", "audit", "admin", "agent", "tool", "prompt", "intelligence"]),
1912
- "state": z.enum(["legacy", "cutover", "disabled"]),
1913
- "metadata": z.record(z.any()).optional(),
1914
- "updatedBy": z.string(),
1915
- "createdAt": z.number(),
1916
- "updatedAt": z.number()
1934
+ domain: z.enum([
1935
+ "graph",
1936
+ "schema",
1937
+ "identity",
1938
+ "policy",
1939
+ "audit",
1940
+ "admin",
1941
+ "agent",
1942
+ "tool",
1943
+ "prompt",
1944
+ "intelligence"
1945
+ ]),
1946
+ state: z.enum(["legacy", "cutover", "disabled"]),
1947
+ metadata: z.record(z.any()).optional(),
1948
+ updatedBy: z.string(),
1949
+ createdAt: z.number(),
1950
+ updatedAt: z.number()
1917
1951
  }),
1918
1952
  indices: [
1919
1953
  { kind: "index", name: "by_domain", columns: ["domain"] },
@@ -1925,57 +1959,193 @@ defineTable({
1925
1959
  component: "mc",
1926
1960
  category: "runtime",
1927
1961
  shape: z.object({
1928
- "credentialRef": z.string(),
1929
- "tenantId": idOf("tenants"),
1930
- "target": z.enum(["kernelDeployment", "appDeployment"]),
1931
- "environment": z.enum(["dev", "staging", "prod"]),
1932
- "encryptedDeployKey": z.string(),
1933
- "encryptionVersion": z.string(),
1934
- "keyFingerprint": z.string(),
1935
- "keyHint": z.string(),
1936
- "status": z.enum(["active", "revoked"]),
1937
- "rotatedFromCredentialRef": z.string().optional(),
1938
- "revokedAt": z.number().optional(),
1939
- "revokedBy": z.string().optional(),
1940
- "lastUsedAt": z.number().optional(),
1941
- "metadata": z.record(z.any()).optional(),
1942
- "createdBy": z.string(),
1943
- "createdAt": z.number(),
1944
- "updatedAt": z.number()
1962
+ credentialRef: z.string(),
1963
+ tenantId: idOf("tenants"),
1964
+ workspaceId: idOf("workspaces").optional(),
1965
+ target: z.enum(["kernelDeployment", "appDeployment"]),
1966
+ environment: z.enum(["dev", "staging", "prod"]),
1967
+ encryptedDeployKey: z.string(),
1968
+ encryptionVersion: z.string(),
1969
+ keyFingerprint: z.string(),
1970
+ keyHint: z.string(),
1971
+ status: z.enum(["active", "revoked"]),
1972
+ rotatedFromCredentialRef: z.string().optional(),
1973
+ revokedAt: z.number().optional(),
1974
+ revokedBy: z.string().optional(),
1975
+ lastUsedAt: z.number().optional(),
1976
+ metadata: z.record(z.any()).optional(),
1977
+ createdBy: z.string(),
1978
+ createdAt: z.number(),
1979
+ updatedAt: z.number()
1945
1980
  }),
1946
1981
  indices: [
1947
1982
  { kind: "index", name: "by_credentialRef", columns: ["credentialRef"] },
1948
1983
  { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
1949
- { kind: "index", name: "by_tenant_target", columns: ["tenantId", "target"] },
1950
- { kind: "index", name: "by_tenant_target_environment", columns: ["tenantId", "target", "environment"] },
1951
- { kind: "index", name: "by_tenant_target_environment_status", columns: ["tenantId", "target", "environment", "status"] },
1984
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
1985
+ {
1986
+ kind: "index",
1987
+ name: "by_tenant_target",
1988
+ columns: ["tenantId", "target"]
1989
+ },
1990
+ {
1991
+ kind: "index",
1992
+ name: "by_tenant_target_environment",
1993
+ columns: ["tenantId", "target", "environment"]
1994
+ },
1995
+ {
1996
+ kind: "index",
1997
+ name: "by_tenant_target_environment_status",
1998
+ columns: ["tenantId", "target", "environment", "status"]
1999
+ },
2000
+ {
2001
+ kind: "index",
2002
+ name: "by_tenant_workspace_target_environment_status",
2003
+ columns: ["tenantId", "workspaceId", "target", "environment", "status"]
2004
+ },
1952
2005
  { kind: "index", name: "by_status", columns: ["status"] }
1953
2006
  ]
1954
2007
  });
2008
+ defineTable({
2009
+ name: "permitSyncStates",
2010
+ component: "mc",
2011
+ category: "runtime",
2012
+ shape: z.object({
2013
+ syncKey: z.string(),
2014
+ objectType: z.enum([
2015
+ "resource",
2016
+ "role",
2017
+ "resource_role",
2018
+ "resource_relation",
2019
+ "tenant",
2020
+ "workspace",
2021
+ "principal",
2022
+ "membership",
2023
+ "group",
2024
+ "resource_instance",
2025
+ "relationship_tuple",
2026
+ "role_assignment"
2027
+ ]),
2028
+ objectId: z.string(),
2029
+ tenantId: idOf("tenants").optional(),
2030
+ workspaceId: idOf("workspaces").optional(),
2031
+ principalId: z.string().optional(),
2032
+ permitTenantKey: z.string().optional(),
2033
+ permitResourceType: z.string().optional(),
2034
+ permitResourceKey: z.string().optional(),
2035
+ desiredPayload: z.record(z.any()),
2036
+ lastAppliedPayloadHash: z.string().optional(),
2037
+ status: z.enum(["pending", "synced", "error", "skipped"]),
2038
+ attemptCount: z.number(),
2039
+ lastError: z.string().optional(),
2040
+ nextAttemptAt: z.number().optional(),
2041
+ lastSyncedAt: z.number().optional(),
2042
+ createdBy: z.string(),
2043
+ updatedBy: z.string().optional(),
2044
+ createdAt: z.number(),
2045
+ updatedAt: z.number()
2046
+ }),
2047
+ indices: [
2048
+ { kind: "index", name: "by_syncKey", columns: ["syncKey"] },
2049
+ { kind: "index", name: "by_status", columns: ["status"] },
2050
+ {
2051
+ kind: "index",
2052
+ name: "by_tenant_status",
2053
+ columns: ["tenantId", "status"]
2054
+ },
2055
+ {
2056
+ kind: "index",
2057
+ name: "by_workspace_status",
2058
+ columns: ["workspaceId", "status"]
2059
+ },
2060
+ {
2061
+ kind: "index",
2062
+ name: "by_principal_status",
2063
+ columns: ["principalId", "status"]
2064
+ }
2065
+ ]
2066
+ });
2067
+ defineTable({
2068
+ name: "secretSyncDriftReports",
2069
+ component: "mc",
2070
+ category: "runtime",
2071
+ shape: z.object({
2072
+ reportId: z.string(),
2073
+ source: z.enum(["infisical_manifest", "manual", "ci"]),
2074
+ generatedAt: z.number(),
2075
+ recordedAt: z.number(),
2076
+ recordedBy: z.string(),
2077
+ status: z.enum([
2078
+ "in_sync",
2079
+ "drift",
2080
+ "exception",
2081
+ "blocked",
2082
+ "not_observed"
2083
+ ]),
2084
+ reportHash: z.string(),
2085
+ manifestHash: z.string().optional(),
2086
+ dryRunReceiptId: z.string().optional(),
2087
+ appliedReceiptId: z.string().optional(),
2088
+ summary: z.object({
2089
+ totalPipelines: z.number(),
2090
+ inSync: z.number(),
2091
+ drift: z.number(),
2092
+ exception: z.number(),
2093
+ blocked: z.number(),
2094
+ notObserved: z.number(),
2095
+ missingKeys: z.number(),
2096
+ valueDriftKeys: z.number(),
2097
+ extraKeys: z.number(),
2098
+ deniedConvexLeakage: z.number(),
2099
+ approvedExceptions: z.number()
2100
+ }),
2101
+ redactedReport: z.record(z.any()),
2102
+ metadata: z.record(z.any()).optional()
2103
+ }),
2104
+ indices: [
2105
+ { kind: "index", name: "by_reportId", columns: ["reportId"] },
2106
+ { kind: "index", name: "by_reportHash", columns: ["reportHash"] },
2107
+ { kind: "index", name: "by_generatedAt", columns: ["generatedAt"] },
2108
+ {
2109
+ kind: "index",
2110
+ name: "by_status_generatedAt",
2111
+ columns: ["status", "generatedAt"]
2112
+ }
2113
+ ]
2114
+ });
1955
2115
  defineTable({
1956
2116
  name: "controlPlaneTenantModelSlotBindings",
1957
2117
  component: "mc",
1958
2118
  category: "runtime",
1959
2119
  shape: z.object({
1960
- "bindingId": z.string(),
1961
- "tenantId": idOf("tenants"),
1962
- "providerId": z.string(),
1963
- "modelSlotId": z.string(),
1964
- "secretRef": z.string(),
1965
- "status": z.enum(["active", "revoked"]),
1966
- "passThroughOnly": z.boolean(),
1967
- "revokedAt": z.number().optional(),
1968
- "revokedBy": z.string().optional(),
1969
- "metadata": z.record(z.any()).optional(),
1970
- "createdBy": z.string(),
1971
- "createdAt": z.number(),
1972
- "updatedAt": z.number()
2120
+ bindingId: z.string(),
2121
+ tenantId: idOf("tenants"),
2122
+ workspaceId: idOf("workspaces").optional(),
2123
+ environment: z.enum(["dev", "staging", "prod"]).optional(),
2124
+ providerId: z.string(),
2125
+ modelSlotId: z.string(),
2126
+ secretRef: z.string(),
2127
+ status: z.enum(["active", "revoked"]),
2128
+ passThroughOnly: z.boolean(),
2129
+ revokedAt: z.number().optional(),
2130
+ revokedBy: z.string().optional(),
2131
+ metadata: z.record(z.any()).optional(),
2132
+ createdBy: z.string(),
2133
+ createdAt: z.number(),
2134
+ updatedAt: z.number()
1973
2135
  }),
1974
2136
  indices: [
1975
2137
  { kind: "index", name: "by_bindingId", columns: ["bindingId"] },
1976
2138
  { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
1977
- { kind: "index", name: "by_tenant_slot", columns: ["tenantId", "modelSlotId"] },
1978
- { kind: "index", name: "by_tenant_provider_slot", columns: ["tenantId", "providerId", "modelSlotId"] },
2139
+ {
2140
+ kind: "index",
2141
+ name: "by_tenant_slot",
2142
+ columns: ["tenantId", "modelSlotId"]
2143
+ },
2144
+ {
2145
+ kind: "index",
2146
+ name: "by_tenant_provider_slot",
2147
+ columns: ["tenantId", "providerId", "modelSlotId"]
2148
+ },
1979
2149
  { kind: "index", name: "by_secretRef", columns: ["secretRef"] },
1980
2150
  { kind: "index", name: "by_status", columns: ["status"] }
1981
2151
  ]
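Review bot: `controlPlaneTenantModelSlotBindings` gains optional `workspaceId` and `environment`, but its indices still stop at `by_tenant_slot` and `by_tenant_provider_slot`, so a lookup through them returns bindings for every workspace and environment of the tenant unless the caller filters afterwards. The credential table at the top of this hunk (the one with `encryptedDeployKey`) received `by_tenant_workspace_target_environment_status` alongside its new `workspaceId`; a matching index here, for example `{ kind: "index", name: "by_tenant_workspace_environment_slot", columns: ["tenantId", "workspaceId", "environment", "modelSlotId"] }`, would let binding resolution be scoped at query time. How a row without `workspaceId` is interpreted (tenant-wide or not) is not visible here and deserves a comment on the field. Separately, `redactedReport: z.record(z.any())` in `secretSyncDriftReports` relies entirely on the writer for redaction, since nothing in the schema keeps secret values out.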
@@ -1985,29 +2155,42 @@ defineTable({
1985
2155
  component: "mc",
1986
2156
  category: "runtime",
1987
2157
  shape: z.object({
1988
- "secretRef": z.string(),
1989
- "tenantId": idOf("tenants"),
1990
- "providerId": z.string(),
1991
- "label": z.string().optional(),
1992
- "encryptedSecret": z.string(),
1993
- "encryptionVersion": z.string(),
1994
- "secretFingerprint": z.string(),
1995
- "keyHint": z.string(),
1996
- "status": z.enum(["active", "revoked"]),
1997
- "rotatedFromSecretRef": z.string().optional(),
1998
- "revokedAt": z.number().optional(),
1999
- "revokedBy": z.string().optional(),
2000
- "lastUsedAt": z.number().optional(),
2001
- "metadata": z.record(z.any()).optional(),
2002
- "createdBy": z.string(),
2003
- "createdAt": z.number(),
2004
- "updatedAt": z.number()
2158
+ secretRef: z.string(),
2159
+ tenantId: idOf("tenants"),
2160
+ workspaceId: idOf("workspaces").optional(),
2161
+ environment: z.enum(["dev", "staging", "prod"]).optional(),
2162
+ providerId: z.string(),
2163
+ label: z.string().optional(),
2164
+ encryptedSecret: z.string().optional(),
2165
+ infisicalPath: z.string().optional(),
2166
+ infisicalSecretKey: z.string().optional(),
2167
+ infisicalProjectId: z.string().optional(),
2168
+ encryptionVersion: z.string(),
2169
+ secretFingerprint: z.string(),
2170
+ keyHint: z.string(),
2171
+ status: z.enum(["active", "revoked"]),
2172
+ rotatedFromSecretRef: z.string().optional(),
2173
+ revokedAt: z.number().optional(),
2174
+ revokedBy: z.string().optional(),
2175
+ lastUsedAt: z.number().optional(),
2176
+ metadata: z.record(z.any()).optional(),
2177
+ createdBy: z.string(),
2178
+ createdAt: z.number(),
2179
+ updatedAt: z.number()
2005
2180
  }),
2006
2181
  indices: [
2007
2182
  { kind: "index", name: "by_secretRef", columns: ["secretRef"] },
2008
2183
  { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
2009
- { kind: "index", name: "by_tenant_provider", columns: ["tenantId", "providerId"] },
2010
- { kind: "index", name: "by_tenant_provider_status", columns: ["tenantId", "providerId", "status"] },
2184
+ {
2185
+ kind: "index",
2186
+ name: "by_tenant_provider",
2187
+ columns: ["tenantId", "providerId"]
2188
+ },
2189
+ {
2190
+ kind: "index",
2191
+ name: "by_tenant_provider_status",
2192
+ columns: ["tenantId", "providerId", "status"]
2193
+ },
2011
2194
  { kind: "index", name: "by_status", columns: ["status"] }
2012
2195
  ]
2013
2196
  });
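Review bot: With `encryptedSecret` now optional and the three `infisical*` fields also optional, a row with no secret source at all passes validation, as does one that carries both. `encryptionVersion` and `secretFingerprint` stay required even when no ciphertext is stored, which leaves their meaning for Infisical-backed rows undocumented. If `defineTable` accepts a refined schema, a check such as `.refine((r) => Boolean(r.encryptedSecret) !== Boolean(r.infisicalPath && r.infisicalSecretKey), "exactly one secret source")` would pin the invariant; otherwise state it in a comment above `encryptedSecret` and enforce it in the write path. The table's `name` line is outside this hunk.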
@@ -2016,35 +2199,93 @@ defineTable({
2016
2199
  component: "mc",
2017
2200
  category: "runtime",
2018
2201
  shape: z.object({
2019
- "usageId": z.string(),
2020
- "tenantId": idOf("tenants"),
2021
- "providerId": z.string(),
2022
- "modelSlotId": z.string(),
2023
- "secretRef": z.string(),
2024
- "proxyTokenId": z.string(),
2025
- "sessionId": z.string(),
2026
- "principalId": z.string(),
2027
- "workspaceId": z.string().optional(),
2028
- "modelId": z.string().optional(),
2029
- "requestPath": z.string(),
2030
- "status": z.enum(["success", "error"]),
2031
- "responseStatus": z.number().optional(),
2032
- "inputTokens": z.number().optional(),
2033
- "outputTokens": z.number().optional(),
2034
- "tokenCount": z.number().optional(),
2035
- "latencyMs": z.number(),
2036
- "estimatedCostUsd": z.number().optional(),
2037
- "failureCode": z.string().optional(),
2038
- "metadata": z.record(z.any()).optional(),
2039
- "createdAt": z.number(),
2040
- "updatedAt": z.number()
2202
+ usageId: z.string(),
2203
+ tenantId: idOf("tenants"),
2204
+ providerId: z.string(),
2205
+ modelSlotId: z.string(),
2206
+ secretRef: z.string(),
2207
+ proxyTokenId: z.string(),
2208
+ sessionId: z.string(),
2209
+ principalId: z.string(),
2210
+ workspaceId: z.string().optional(),
2211
+ modelId: z.string().optional(),
2212
+ requestPath: z.string(),
2213
+ status: z.enum(["success", "error"]),
2214
+ responseStatus: z.number().optional(),
2215
+ inputTokens: z.number().optional(),
2216
+ outputTokens: z.number().optional(),
2217
+ tokenCount: z.number().optional(),
2218
+ latencyMs: z.number(),
2219
+ estimatedCostUsd: z.number().optional(),
2220
+ failureCode: z.string().optional(),
2221
+ metadata: z.record(z.any()).optional(),
2222
+ createdAt: z.number(),
2223
+ updatedAt: z.number()
2041
2224
  }),
2042
2225
  indices: [
2043
2226
  { kind: "index", name: "by_usageId", columns: ["usageId"] },
2044
2227
  { kind: "index", name: "by_tenantId", columns: ["tenantId", "createdAt"] },
2045
- { kind: "index", name: "by_tenant_provider", columns: ["tenantId", "providerId", "createdAt"] },
2046
- { kind: "index", name: "by_proxyTokenId", columns: ["proxyTokenId", "createdAt"] },
2047
- { kind: "index", name: "by_sessionId", columns: ["sessionId", "createdAt"] }
2228
+ {
2229
+ kind: "index",
2230
+ name: "by_tenant_provider",
2231
+ columns: ["tenantId", "providerId", "createdAt"]
2232
+ },
2233
+ {
2234
+ kind: "index",
2235
+ name: "by_proxyTokenId",
2236
+ columns: ["proxyTokenId", "createdAt"]
2237
+ },
2238
+ {
2239
+ kind: "index",
2240
+ name: "by_sessionId",
2241
+ columns: ["sessionId", "createdAt"]
2242
+ }
2243
+ ]
2244
+ });
2245
+ defineTable({
2246
+ name: "controlPlaneTenantProxyTokenLeases",
2247
+ component: "mc",
2248
+ category: "runtime",
2249
+ shape: z.object({
2250
+ leaseId: z.string(),
2251
+ proxyTokenId: z.string(),
2252
+ tenantId: idOf("tenants"),
2253
+ workspaceId: idOf("workspaces").optional(),
2254
+ environment: z.enum(["dev", "staging", "prod"]),
2255
+ providerId: z.string(),
2256
+ modelSlotId: z.string(),
2257
+ bindingId: z.string(),
2258
+ secretRef: z.string(),
2259
+ sessionId: z.string(),
2260
+ principalId: z.string(),
2261
+ agentSessionId: z.string().optional(),
2262
+ status: z.enum(["active", "revoked"]),
2263
+ expiresAt: z.number(),
2264
+ renewedAt: z.number().optional(),
2265
+ revokedAt: z.number().optional(),
2266
+ revokedBy: z.string().optional(),
2267
+ revokeReason: z.string().optional(),
2268
+ permitDecisionLogId: idOf("policyDecisionLogs").optional(),
2269
+ permitTraceId: z.string().optional(),
2270
+ metadata: z.record(z.any()).optional(),
2271
+ createdAt: z.number(),
2272
+ updatedAt: z.number()
2273
+ }),
2274
+ indices: [
2275
+ { kind: "index", name: "by_leaseId", columns: ["leaseId"] },
2276
+ { kind: "index", name: "by_proxyTokenId", columns: ["proxyTokenId"] },
2277
+ { kind: "index", name: "by_tenantId", columns: ["tenantId", "createdAt"] },
2278
+ { kind: "index", name: "by_sessionId", columns: ["sessionId", "createdAt"] },
2279
+ {
2280
+ kind: "index",
2281
+ name: "by_principalId",
2282
+ columns: ["principalId", "createdAt"]
2283
+ },
2284
+ {
2285
+ kind: "index",
2286
+ name: "by_status_expiresAt",
2287
+ columns: ["status", "expiresAt"]
2288
+ }
2048
2289
  ]
2049
2290
  });
2050
2291
  defineTable({
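Review bot: In `controlPlaneTenantProxyTokenLeases`, `permitDecisionLogId` and `permitTraceId` are both optional, so a lease row can exist with no link to the policy decision that authorised it. If every lease is meant to be issued only after a permit check, making `permitDecisionLogId` required, or documenting when it may be absent, keeps lease issuance traceable during an investigation. `status` has only `active` and `revoked`, so readers of this table must also compare `expiresAt` with the current time; a comment such as `// a lease is valid only while status === "active" and expiresAt > now` on the field would make that explicit.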
@@ -2377,6 +2618,7 @@ defineTable({
2377
2618
  "questionType": z.enum(["validation", "falsification", "assumption_probe", "prediction_test", "counterfactual", "discovery", "clarification", "comparison", "causal", "mechanism", "general"]).optional(),
2378
2619
  "questionPriority": z.enum(["critical", "high", "medium", "low"]).optional(),
2379
2620
  "answerQuality": z.enum(["definitive", "strong", "moderate", "weak", "speculative", "unanswered"]).optional(),
2621
+ "themeStatus": z.enum(["emerging", "active", "mature", "declining", "archived"]).optional(),
2380
2622
  "themeConviction": z.enum(["high", "medium", "low", "negative"]).optional(),
2381
2623
  "decisionType": z.enum(["invest", "pass", "follow_on", "exit", "deep_dive", "monitor", "deprioritize", "thesis_adopt", "thesis_revise", "thesis_abandon"]).optional(),
2382
2624
  "decisionOutcome": z.enum(["pending", "successful", "unsuccessful", "mixed", "unknown"]).optional(),
@@ -2527,6 +2769,7 @@ defineTable({
2527
2769
  indices: [
2528
2770
  { kind: "index", name: "by_principalId", columns: ["principalId"] },
2529
2771
  { kind: "index", name: "by_principal_tenant", columns: ["principalId", "tenantId"] },
2772
+ { kind: "index", name: "by_principal_tenant_workspace", columns: ["principalId", "tenantId", "workspaceId"] },
2530
2773
  { kind: "index", name: "by_workspace_principal", columns: ["workspaceId", "principalId"] },
2531
2774
  { kind: "index", name: "by_tenant_role", columns: ["tenantId", "role"] },
2532
2775
  { kind: "index", name: "by_status", columns: ["status"] }
@@ -2558,6 +2801,36 @@ defineTable({
2558
2801
  { kind: "index", name: "by_status", columns: ["status"] }
2559
2802
  ]
2560
2803
  });
2804
+ defineTable({
2805
+ name: "principalIdentityAliases",
2806
+ component: "mc",
2807
+ category: "identity",
2808
+ shape: z.object({
2809
+ "principalId": z.string(),
2810
+ "principalRefId": idOf("principals").optional(),
2811
+ "provider": z.string(),
2812
+ "providerProjectId": z.string().optional(),
2813
+ "externalSubjectId": z.string(),
2814
+ "tenantId": idOf("tenants").optional(),
2815
+ "workspaceId": idOf("workspaces").optional(),
2816
+ "email": z.string().optional(),
2817
+ "status": z.enum(["active", "revoked"]),
2818
+ "metadata": z.record(z.any()).optional(),
2819
+ "createdBy": z.string(),
2820
+ "revokedAt": z.number().optional(),
2821
+ "revokedBy": z.string().optional(),
2822
+ "createdAt": z.number(),
2823
+ "updatedAt": z.number()
2824
+ }),
2825
+ indices: [
2826
+ { kind: "index", name: "by_provider_subject", columns: ["provider", "externalSubjectId"] },
2827
+ { kind: "index", name: "by_provider_project_subject", columns: ["provider", "providerProjectId", "externalSubjectId"] },
2828
+ { kind: "index", name: "by_principalId", columns: ["principalId"] },
2829
+ { kind: "index", name: "by_principal_status", columns: ["principalId", "status"] },
2830
+ { kind: "index", name: "by_tenant_provider_subject", columns: ["tenantId", "provider", "externalSubjectId"] },
2831
+ { kind: "index", name: "by_workspace_provider_subject", columns: ["workspaceId", "provider", "externalSubjectId"] }
2832
+ ]
2833
+ });
2561
2834
  defineTable({
2562
2835
  name: "rateLimitWindows",
2563
2836
  component: "mc",
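Review bot: `principalIdentityAliases` indexes `by_provider_subject` on `["provider", "externalSubjectId"]` while `providerProjectId` is optional, so two projects of the same provider that issue the same subject identifier would land on the same index key. If alias resolution uses that index, a subject from one project could resolve to a principal linked from another; lookups should prefer `by_provider_project_subject` and treat a missing `providerProjectId` as a distinct case. Nothing in the hunk shows a uniqueness guarantee for an active alias per provider, project and subject, so that has to be enforced in the upsert path. `email` is stored on the alias as well; a comment that it is informational and never used for matching would keep it from becoming a linking key.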
@@ -3147,7 +3420,7 @@ defineTable({
3147
3420
  });
3148
3421
  defineTable({
3149
3422
  name: "mcpWritePolicy",
3150
- component: "identity",
3423
+ component: "control-plane",
3151
3424
  category: "platform",
3152
3425
  shape: z.object({
3153
3426
  "topicId": z.string().optional(),
@@ -3170,7 +3443,7 @@ defineTable({
3170
3443
  });
3171
3444
  defineTable({
3172
3445
  name: "platformAudienceGrants",
3173
- component: "identity",
3446
+ component: "control-plane",
3174
3447
  category: "platform",
3175
3448
  shape: z.object({
3176
3449
  "tenantId": z.string(),
@@ -3196,7 +3469,7 @@ defineTable({
3196
3469
  });
3197
3470
  defineTable({
3198
3471
  name: "platformAudiences",
3199
- component: "identity",
3472
+ component: "control-plane",
3200
3473
  category: "platform",
3201
3474
  shape: z.object({
3202
3475
  "tenantId": z.string(),
@@ -3221,7 +3494,7 @@ defineTable({
3221
3494
  });
3222
3495
  defineTable({
3223
3496
  name: "platformPolicyDecisionLogs",
3224
- component: "identity",
3497
+ component: "control-plane",
3225
3498
  category: "platform",
3226
3499
  shape: z.object({
3227
3500
  "principalId": z.string(),
@@ -3257,7 +3530,7 @@ defineTable({
3257
3530
  });
3258
3531
  defineTable({
3259
3532
  name: "tenantApiKeys",
3260
- component: "identity",
3533
+ component: "control-plane",
3261
3534
  category: "platform",
3262
3535
  shape: z.object({
3263
3536
  "tenantId": z.string(),
@@ -3284,7 +3557,7 @@ defineTable({
3284
3557
  });
3285
3558
  defineTable({
3286
3559
  name: "tenantConfig",
3287
- component: "identity",
3560
+ component: "control-plane",
3288
3561
  category: "platform",
3289
3562
  shape: z.object({
3290
3563
  "tenantId": z.string(),
@@ -3303,7 +3576,7 @@ defineTable({
3303
3576
  });
3304
3577
  defineTable({
3305
3578
  name: "tenantIntegrations",
3306
- component: "identity",
3579
+ component: "control-plane",
3307
3580
  category: "platform",
3308
3581
  shape: z.object({
3309
3582
  "tenantId": z.string(),
@@ -3358,7 +3631,7 @@ defineTable({
3358
3631
  });
3359
3632
  defineTable({
3360
3633
  name: "tenantModelSlotBindings",
3361
- component: "identity",
3634
+ component: "control-plane",
3362
3635
  category: "platform",
3363
3636
  shape: z.object({
3364
3637
  "bindingId": z.string(),
@@ -3386,7 +3659,7 @@ defineTable({
3386
3659
  });
3387
3660
  defineTable({
3388
3661
  name: "tenantPolicies",
3389
- component: "identity",
3662
+ component: "control-plane",
3390
3663
  category: "platform",
3391
3664
  shape: z.object({
3392
3665
  "tenantId": z.string(),
@@ -3411,7 +3684,7 @@ defineTable({
3411
3684
  });
3412
3685
  defineTable({
3413
3686
  name: "tenantProviderSecrets",
3414
- component: "identity",
3687
+ component: "control-plane",
3415
3688
  category: "platform",
3416
3689
  shape: z.object({
3417
3690
  "secretRef": z.string(),
@@ -3442,7 +3715,7 @@ defineTable({
3442
3715
  });
3443
3716
  defineTable({
3444
3717
  name: "tenantProxyGatewayUsage",
3445
- component: "identity",
3718
+ component: "control-plane",
3446
3719
  category: "platform",
3447
3720
  shape: z.object({
3448
3721
  "usageId": z.string(),
@@ -3477,7 +3750,7 @@ defineTable({
3477
3750
  });
3478
3751
  defineTable({
3479
3752
  name: "tenantProxyTokenMints",
3480
- component: "identity",
3753
+ component: "control-plane",
3481
3754
  category: "platform",
3482
3755
  shape: z.object({
3483
3756
  "proxyTokenId": z.string(),
@@ -3500,7 +3773,7 @@ defineTable({
3500
3773
  });
3501
3774
  defineTable({
3502
3775
  name: "tenantSandboxAuditEvents",
3503
- component: "identity",
3776
+ component: "control-plane",
3504
3777
  category: "platform",
3505
3778
  shape: z.object({
3506
3779
  "eventId": z.string(),
@@ -3534,7 +3807,7 @@ defineTable({
3534
3807
  });
3535
3808
  defineTable({
3536
3809
  name: "tenantSecrets",
3537
- component: "identity",
3810
+ component: "control-plane",
3538
3811
  category: "platform",
3539
3812
  shape: z.object({
3540
3813
  "tenantId": z.string(),
@@ -3556,7 +3829,7 @@ defineTable({
3556
3829
  });
3557
3830
  defineTable({
3558
3831
  name: "toolAcls",
3559
- component: "identity",
3832
+ component: "control-plane",
3560
3833
  category: "platform",
3561
3834
  shape: z.object({
3562
3835
  "role": z.enum(["platform_admin", "tenant_admin", "workspace_admin", "editor", "viewer", "auditor", "service_agent"]),
@@ -3571,7 +3844,7 @@ defineTable({
3571
3844
  });
3572
3845
  defineTable({
3573
3846
  name: "toolRegistry",
3574
- component: "identity",
3847
+ component: "control-plane",
3575
3848
  category: "platform",
3576
3849
  shape: z.object({
3577
3850
  "toolName": z.string(),
@@ -3652,7 +3925,7 @@ defineTable({
3652
3925
  });
3653
3926
  defineTable({
3654
3927
  name: "modelCallLogs",
3655
- component: "identity",
3928
+ component: "control-plane",
3656
3929
  category: "model",
3657
3930
  shape: z.object({
3658
3931
  "slot": z.string(),
@@ -3678,7 +3951,7 @@ defineTable({
3678
3951
  });
3679
3952
  defineTable({
3680
3953
  name: "modelFunctionSlots",
3681
- component: "identity",
3954
+ component: "control-plane",
3682
3955
  category: "model",
3683
3956
  shape: z.object({
3684
3957
  "slot": z.string(),
@@ -3703,7 +3976,7 @@ defineTable({
3703
3976
  });
3704
3977
  defineTable({
3705
3978
  name: "modelRegistry",
3706
- component: "identity",
3979
+ component: "control-plane",
3707
3980
  category: "model",
3708
3981
  shape: z.object({
3709
3982
  "key": z.string(),
@@ -3730,7 +4003,7 @@ defineTable({
3730
4003
  });
3731
4004
  defineTable({
3732
4005
  name: "modelSlotConfigs",
3733
- component: "identity",
4006
+ component: "control-plane",
3734
4007
  category: "model",
3735
4008
  shape: z.object({
3736
4009
  "slot": z.string(),
@@ -4117,7 +4390,7 @@ defineTable({
4117
4390
  "workspaceId": idOf("workspaces").optional(),
4118
4391
  "resourceType": z.string(),
4119
4392
  "resourceId": z.string(),
4120
- "action": z.enum(["read", "summarize", "export", "mutate", "admin", "comment", "escalate", "resolve", "vote"]),
4393
+ "action": z.enum(["read", "summarize", "export", "mutate", "admin", "comment", "escalate", "resolve", "vote", "route", "invoke", "manage", "deploy", "promote", "rollback", "audit", "read_ref", "fetch_value", "rotate", "administer", "mint", "delegate", "revoke"]),
4121
4394
  "decision": z.enum(["allow", "deny"]),
4122
4395
  "reasonCode": z.string(),
4123
4396
  "policyVersion": z.string(),
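Review bot: The widened `action` enum now holds `admin`, `administer` and `manage` side by side with nothing to say how they differ, and the field sits next to `"decision": z.enum(["allow", "deny"])` in what looks like an authorization decision record. Overlapping action names make it easy for a policy rule or an audit query to cover one of them and miss the others. A comment in the contract source stating which of the three new code should emit, and whether `admin` is kept only for existing rows, would settle it. The same list could also be shared with `permitPolicyDecisionReceipts`, where `action` is a free `z.string()`. The enclosing `defineTable` call starts and ends outside this hunk.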
@@ -4179,7 +4452,7 @@ defineTable({
4179
4452
  });
4180
4453
  defineTable({
4181
4454
  name: "projectGrants",
4182
- component: "identity",
4455
+ component: "control-plane",
4183
4456
  category: "project",
4184
4457
  shape: z.object({
4185
4458
  "projectId": z.string().optional(),
@@ -4211,9 +4484,650 @@ defineTable({
4211
4484
  { kind: "index", name: "by_topic_cluster_status", columns: ["topicId", "beliefClusterId", "status"] }
4212
4485
  ]
4213
4486
  });
4487
+ var permitActorType = z.enum([
4488
+ "human",
4489
+ "agent",
4490
+ "service_principal",
4491
+ "external_stakeholder",
4492
+ "system"
4493
+ ]);
4494
+ var permitMembershipStatus = z.enum([
4495
+ "active",
4496
+ "invited",
4497
+ "revoked",
4498
+ "suspended",
4499
+ "disabled"
4500
+ ]);
4501
+ var permitDecision = z.enum(["allow", "deny"]);
4502
+ var permitAccessReviewStatus = z.enum([
4503
+ "open",
4504
+ "in_progress",
4505
+ "approved",
4506
+ "denied",
4507
+ "expired",
4508
+ "cancelled"
4509
+ ]);
4510
+ var permitReviewScope = z.enum([
4511
+ "tenant",
4512
+ "workspace",
4513
+ "resource_instance",
4514
+ "group",
4515
+ "principal",
4516
+ "api_key",
4517
+ "admin_action"
4518
+ ]);
4519
+ var permitRecordStatus = z.enum([
4520
+ "queued",
4521
+ "inflight",
4522
+ "completed",
4523
+ "failed",
4524
+ "skipped",
4525
+ "stale"
4526
+ ]);
4527
+ var permitObjectType = z.enum([
4528
+ "resource",
4529
+ "role",
4530
+ "resource_role",
4531
+ "resource_relation",
4532
+ "tenant",
4533
+ "workspace",
4534
+ "principal",
4535
+ "membership",
4536
+ "group",
4537
+ "resource_instance",
4538
+ "relationship_tuple",
4539
+ "role_assignment",
4540
+ "attribute_binding",
4541
+ "policy_bundle"
4542
+ ]);
4543
+ var permitOutboxOperation = z.enum([
4544
+ "upsert",
4545
+ "delete",
4546
+ "sync",
4547
+ "resync",
4548
+ "delete_sync",
4549
+ "noop"
4550
+ ]);
4551
+ var permitPolicyBundleStatus = z.enum([
4552
+ "draft",
4553
+ "validated",
4554
+ "enforced",
4555
+ "archived"
4556
+ ]);
4557
+ var permitSyncStatus = z.enum([
4558
+ "pending",
4559
+ "synced",
4560
+ "error",
4561
+ "skipped"
4562
+ ]);
4563
+ var permitAccessReviewSubjectType = z.enum([
4564
+ "principal",
4565
+ "group",
4566
+ "role_assignment",
4567
+ "resource_instance"
4568
+ ]);
4569
+ var permitAttributeType = z.enum([
4570
+ "string",
4571
+ "number",
4572
+ "bool",
4573
+ "json",
4574
+ "time"
4575
+ ]);
4576
+ var permitAttributeOperator = z.enum([
4577
+ "eq",
4578
+ "neq",
4579
+ "in",
4580
+ "not_in",
4581
+ "gt",
4582
+ "gte",
4583
+ "lt",
4584
+ "lte",
4585
+ "contains",
4586
+ "not_contains",
4587
+ "matches"
4588
+ ]);
4589
+ var permitRoleBindingTarget = z.enum([
4590
+ "principal",
4591
+ "group"
4592
+ ]);
4593
+ defineTable({
4594
+ name: "permitPrincipals",
4595
+ component: "control-plane",
4596
+ category: "access-control",
4597
+ shape: z.object({
4598
+ principalId: z.string(),
4599
+ tenantId: z.string(),
4600
+ workspaceId: z.optional(z.string()),
4601
+ principalType: permitActorType,
4602
+ status: permitMembershipStatus,
4603
+ displayName: z.string().optional(),
4604
+ metadata: z.record(z.any()).optional(),
4605
+ createdBy: z.string(),
4606
+ createdAt: z.number(),
4607
+ updatedAt: z.number(),
4608
+ updatedBy: z.string().optional(),
4609
+ lastSeenAt: z.number().optional()
4610
+ }),
4611
+ indices: [
4612
+ { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
4613
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
4614
+ { kind: "index", name: "by_tenant_principalId", columns: ["tenantId", "principalId"] },
4615
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] },
4616
+ {
4617
+ kind: "index",
4618
+ name: "by_tenant_principalType_status",
4619
+ columns: ["tenantId", "principalType", "status"]
4620
+ }
4621
+ ]
4622
+ });
4623
+ defineTable({
4624
+ name: "permitPrincipalAliases",
4625
+ component: "control-plane",
4626
+ category: "access-control",
4627
+ shape: z.object({
4628
+ principalId: z.string(),
4629
+ tenantId: z.string(),
4630
+ workspaceId: z.optional(z.string()),
4631
+ provider: z.string(),
4632
+ providerSubjectId: z.string(),
4633
+ providerProjectId: z.string().optional(),
4634
+ alias: z.string(),
4635
+ aliasKind: z.string(),
4636
+ status: permitMembershipStatus,
4637
+ metadata: z.record(z.any()).optional(),
4638
+ createdBy: z.string(),
4639
+ createdAt: z.number(),
4640
+ updatedAt: z.number(),
4641
+ revokedBy: z.string().optional(),
4642
+ revokedAt: z.number().optional(),
4643
+ updatedBy: z.string().optional()
4644
+ }),
4645
+ indices: [
4646
+ { kind: "index", name: "by_principalId", columns: ["principalId"] },
4647
+ { kind: "index", name: "by_tenant_provider_subject", columns: ["tenantId", "provider", "providerSubjectId"] },
4648
+ {
4649
+ kind: "index",
4650
+ name: "by_tenant_provider_alias",
4651
+ columns: ["tenantId", "provider", "alias"]
4652
+ },
4653
+ { kind: "index", name: "by_tenant_alias", columns: ["tenantId", "alias"] },
4654
+ {
4655
+ kind: "index",
4656
+ name: "by_tenant_provider_status",
4657
+ columns: ["tenantId", "provider", "status"]
4658
+ }
4659
+ ]
4660
+ });
4661
+ defineTable({
4662
+ name: "permitGroups",
4663
+ component: "control-plane",
4664
+ category: "access-control",
4665
+ shape: z.object({
4666
+ tenantId: z.string(),
4667
+ workspaceId: z.optional(z.string()),
4668
+ groupId: z.string(),
4669
+ groupKey: z.string(),
4670
+ groupName: z.string(),
4671
+ groupType: z.enum(["tenant", "workspace", "external", "system", "dynamic"]),
4672
+ status: permitMembershipStatus,
4673
+ description: z.string().optional(),
4674
+ metadata: z.record(z.any()).optional(),
4675
+ createdBy: z.string(),
4676
+ createdAt: z.number(),
4677
+ updatedAt: z.number(),
4678
+ updatedBy: z.string().optional()
4679
+ }),
4680
+ indices: [
4681
+ { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
4682
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
4683
+ { kind: "index", name: "by_tenant_groupId", columns: ["tenantId", "groupId"] },
4684
+ { kind: "index", name: "by_tenant_groupKey", columns: ["tenantId", "groupKey"] },
4685
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] }
4686
+ ]
4687
+ });
4688
+ defineTable({
4689
+ name: "permitGroupMemberships",
4690
+ component: "control-plane",
4691
+ category: "access-control",
4692
+ shape: z.object({
4693
+ tenantId: z.string(),
4694
+ workspaceId: z.optional(z.string()),
4695
+ groupId: z.string(),
4696
+ memberType: z.enum(["principal", "group"]),
4697
+ memberId: z.string(),
4698
+ principalId: z.string().optional(),
4699
+ childGroupId: z.string().optional(),
4700
+ status: permitMembershipStatus,
4701
+ addedBy: z.string().optional(),
4702
+ revokedBy: z.string().optional(),
4703
+ expiresAt: z.number().optional(),
4704
+ revocationReason: z.string().optional(),
4705
+ metadata: z.record(z.any()).optional(),
4706
+ createdAt: z.number(),
4707
+ updatedAt: z.number(),
4708
+ updatedBy: z.string().optional()
4709
+ }),
4710
+ indices: [
4711
+ { kind: "index", name: "by_tenant_principal", columns: ["tenantId", "principalId"] },
4712
+ { kind: "index", name: "by_tenant_member", columns: ["tenantId", "memberType", "memberId"] },
4713
+ {
4714
+ kind: "index",
4715
+ name: "by_tenant_member_group",
4716
+ columns: ["tenantId", "memberType", "memberId", "groupId"]
4717
+ },
4718
+ { kind: "index", name: "by_tenant_group", columns: ["tenantId", "groupId"] },
4719
+ { kind: "index", name: "by_member_group", columns: ["memberType", "memberId", "groupId"] },
4720
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] },
4721
+ {
4722
+ kind: "index",
4723
+ name: "by_workspace_principal",
4724
+ columns: ["workspaceId", "principalId"]
4725
+ }
4726
+ ]
4727
+ });
4728
+ defineTable({
4729
+ name: "permitResourceInstances",
4730
+ component: "control-plane",
4731
+ category: "access-control",
4732
+ shape: z.object({
4733
+ tenantId: z.string(),
4734
+ workspaceId: z.optional(z.string()),
4735
+ resourceType: z.string(),
4736
+ resourceKey: z.string(),
4737
+ resourceId: z.string(),
4738
+ status: z.enum(["active", "deleted", "archived"]),
4739
+ attributes: z.record(z.any()).optional(),
4740
+ ownerPrincipalId: z.string().optional(),
4741
+ metadata: z.record(z.any()).optional(),
4742
+ createdBy: z.string(),
4743
+ updatedBy: z.string().optional(),
4744
+ createdAt: z.number(),
4745
+ updatedAt: z.number()
4746
+ }),
4747
+ indices: [
4748
+ {
4749
+ kind: "index",
4750
+ name: "by_tenant_resource_type",
4751
+ columns: ["tenantId", "resourceType"]
4752
+ },
4753
+ {
4754
+ kind: "index",
4755
+ name: "by_tenant_resource_key",
4756
+ columns: ["tenantId", "resourceType", "resourceKey"]
4757
+ },
4758
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
4759
+ { kind: "index", name: "by_status", columns: ["status"] },
4760
+ {
4761
+ kind: "index",
4762
+ name: "by_tenant_status",
4763
+ columns: ["tenantId", "status"]
4764
+ },
4765
+ {
4766
+ kind: "index",
4767
+ name: "by_ownerPrincipalId",
4768
+ columns: ["ownerPrincipalId"]
4769
+ }
4770
+ ]
4771
+ });
4772
+ defineTable({
4773
+ name: "permitRoleAssignments",
4774
+ component: "control-plane",
4775
+ category: "access-control",
4776
+ shape: z.object({
4777
+ tenantId: z.string(),
4778
+ workspaceId: z.optional(z.string()),
4779
+ role: z.string(),
4780
+ targetType: permitRoleBindingTarget,
4781
+ targetId: z.string(),
4782
+ resourceType: z.string(),
4783
+ resourceKey: z.string(),
4784
+ resourceInstanceId: z.string().optional(),
4785
+ status: permitMembershipStatus,
4786
+ expiresAt: z.number().optional(),
4787
+ attributes: z.record(z.any()).optional(),
4788
+ grantedBy: z.string().optional(),
4789
+ updatedBy: z.string().optional(),
4790
+ revokedBy: z.string().optional(),
4791
+ createdAt: z.number(),
4792
+ updatedAt: z.number()
4793
+ }),
4794
+ indices: [
4795
+ {
4796
+ kind: "index",
4797
+ name: "by_tenant_target",
4798
+ columns: ["tenantId", "targetType", "targetId"]
4799
+ },
4800
+ {
4801
+ kind: "index",
4802
+ name: "by_tenant_resource",
4803
+ columns: ["tenantId", "resourceType", "resourceKey"]
4804
+ },
4805
+ {
4806
+ kind: "index",
4807
+ name: "by_tenant_role",
4808
+ columns: ["tenantId", "role", "status"]
4809
+ },
4810
+ { kind: "index", name: "by_status", columns: ["status"] },
4811
+ {
4812
+ kind: "index",
4813
+ name: "by_workspace_resource",
4814
+ columns: ["workspaceId", "resourceType", "resourceKey"]
4815
+ }
4816
+ ]
4817
+ });
4818
+ defineTable({
4819
+ name: "permitRelationshipTuples",
4820
+ component: "control-plane",
4821
+ category: "access-control",
4822
+ shape: z.object({
4823
+ tenantId: z.string(),
4824
+ workspaceId: z.optional(z.string()),
4825
+ relation: z.string(),
4826
+ subject: z.string(),
4827
+ object: z.string(),
4828
+ resourceType: z.string().optional(),
4829
+ resourceKey: z.string().optional(),
4830
+ status: permitRecordStatus,
4831
+ attributes: z.record(z.any()).optional(),
4832
+ createdBy: z.string(),
4833
+ createdAt: z.number(),
4834
+ updatedAt: z.number(),
4835
+ lastSeenAt: z.number().optional(),
4836
+ updatedBy: z.string().optional()
4837
+ }),
4838
+ indices: [
4839
+ { kind: "index", name: "by_tenant_subject", columns: ["tenantId", "subject"] },
4840
+ { kind: "index", name: "by_tenant_object", columns: ["tenantId", "object"] },
4841
+ { kind: "index", name: "by_tenant_relation", columns: ["tenantId", "relation"] },
4842
+ {
4843
+ kind: "index",
4844
+ name: "by_tenant_relation_subject",
4845
+ columns: ["tenantId", "relation", "subject"]
4846
+ },
4847
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] }
4848
+ ]
4849
+ });
4850
+ defineTable({
4851
+ name: "permitAttributeBindings",
4852
+ component: "control-plane",
4853
+ category: "access-control",
4854
+ shape: z.object({
4855
+ tenantId: z.string(),
4856
+ workspaceId: z.optional(z.string()),
4857
+ targetType: permitRoleBindingTarget,
4858
+ targetId: z.string(),
4859
+ attributeName: z.string(),
4860
+ attributeType: permitAttributeType,
4861
+ attributeOperator: permitAttributeOperator,
4862
+ attributeValue: z.any(),
4863
+ status: permitRecordStatus,
4864
+ source: z.string().optional(),
4865
+ sourceRef: z.string().optional(),
4866
+ metadata: z.record(z.any()).optional(),
4867
+ createdAt: z.number(),
4868
+ updatedAt: z.number(),
4869
+ createdBy: z.string(),
4870
+ updatedBy: z.string().optional(),
4871
+ expiresAt: z.number().optional()
4872
+ }),
4873
+ indices: [
4874
+ {
4875
+ kind: "index",
4876
+ name: "by_tenant_target",
4877
+ columns: ["tenantId", "targetType", "targetId"]
4878
+ },
4879
+ {
4880
+ kind: "index",
4881
+ name: "by_tenant_target_attribute",
4882
+ columns: ["tenantId", "targetType", "targetId", "attributeName"]
4883
+ },
4884
+ {
4885
+ kind: "index",
4886
+ name: "by_tenant_name",
4887
+ columns: ["tenantId", "attributeName"]
4888
+ },
4889
+ {
4890
+ kind: "index",
4891
+ name: "by_tenant_status",
4892
+ columns: ["tenantId", "status"]
4893
+ }
4894
+ ]
4895
+ });
4896
+ defineTable({
4897
+ name: "permitPolicyBundles",
4898
+ component: "control-plane",
4899
+ category: "access-control",
4900
+ shape: z.object({
4901
+ tenantId: z.string(),
4902
+ workspaceId: z.optional(z.string()),
4903
+ bundleKey: z.string(),
4904
+ version: z.number(),
4905
+ status: permitPolicyBundleStatus,
4906
+ policyHash: z.string().optional(),
4907
+ policyPayload: z.record(z.any()),
4908
+ metadata: z.record(z.any()).optional(),
4909
+ createdBy: z.string(),
4910
+ reviewedBy: z.string().optional(),
4911
+ createdAt: z.number(),
4912
+ updatedAt: z.number(),
4913
+ retiredAt: z.number().optional()
4914
+ }),
4915
+ indices: [
4916
+ { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
4917
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
4918
+ {
4919
+ kind: "index",
4920
+ name: "by_tenant_bundleKey",
4921
+ columns: ["tenantId", "bundleKey"]
4922
+ },
4923
+ {
4924
+ kind: "index",
4925
+ name: "by_tenant_bundle_version",
4926
+ columns: ["tenantId", "bundleKey", "version"]
4927
+ },
4928
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] }
4929
+ ]
4930
+ });
4931
+ defineTable({
4932
+ name: "permitProjectionOutbox",
4933
+ component: "control-plane",
4934
+ category: "access-control",
4935
+ shape: z.object({
4936
+ syncKey: z.string(),
4937
+ objectType: permitObjectType,
4938
+ objectId: z.string(),
4939
+ operation: permitOutboxOperation,
4940
+ payload: z.record(z.any()),
4941
+ status: permitRecordStatus,
4942
+ attemptCount: z.number(),
4943
+ nextAttemptAt: z.number().optional(),
4944
+ lastError: z.string().optional(),
4945
+ tenantId: z.string().optional(),
4946
+ workspaceId: z.optional(z.string()),
4947
+ principalId: z.string().optional(),
4948
+ permitTenantKey: z.string().optional(),
4949
+ permitResourceType: z.string().optional(),
4950
+ permitResourceKey: z.string().optional(),
4951
+ createdAt: z.number(),
4952
+ updatedAt: z.number(),
4953
+ lastHandledAt: z.number().optional()
4954
+ }),
4955
+ indices: [
4956
+ { kind: "index", name: "by_syncKey", columns: ["syncKey"] },
4957
+ { kind: "index", name: "by_status", columns: ["status"] },
4958
+ { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
4959
+ {
4960
+ kind: "index",
4961
+ name: "by_tenant_status",
4962
+ columns: ["tenantId", "status"]
4963
+ },
4964
+ {
4965
+ kind: "index",
4966
+ name: "by_objectType",
4967
+ columns: ["objectType", "status"]
4968
+ }
4969
+ ]
4970
+ });
4971
+ defineTable({
4972
+ name: "tenantPermitSyncStates",
4973
+ component: "control-plane",
4974
+ category: "access-control",
4975
+ shape: z.object({
4976
+ syncKey: z.string(),
4977
+ objectType: permitObjectType,
4978
+ objectId: z.string(),
4979
+ tenantId: z.string().optional(),
4980
+ workspaceId: z.string().optional(),
4981
+ principalId: z.string().optional(),
4982
+ permitTenantKey: z.string().optional(),
4983
+ permitResourceType: z.string().optional(),
4984
+ permitResourceKey: z.string().optional(),
4985
+ desiredPayload: z.record(z.any()),
4986
+ lastAppliedPayloadHash: z.string().optional(),
4987
+ status: permitSyncStatus,
4988
+ attemptCount: z.number(),
4989
+ lastError: z.string().optional(),
4990
+ nextAttemptAt: z.number().optional(),
4991
+ lastSyncedAt: z.number().optional(),
4992
+ createdBy: z.string(),
4993
+ updatedBy: z.string().optional(),
4994
+ createdAt: z.number(),
4995
+ updatedAt: z.number()
4996
+ }),
4997
+ indices: [
4998
+ { kind: "index", name: "by_syncKey", columns: ["syncKey"] },
4999
+ { kind: "index", name: "by_status", columns: ["status"] },
5000
+ {
5001
+ kind: "index",
5002
+ name: "by_tenant_status",
5003
+ columns: ["tenantId", "status"]
5004
+ },
5005
+ {
5006
+ kind: "index",
5007
+ name: "by_workspace_status",
5008
+ columns: ["workspaceId", "status"]
5009
+ },
5010
+ {
5011
+ kind: "index",
5012
+ name: "by_principal_status",
5013
+ columns: ["principalId", "status"]
5014
+ }
5015
+ ]
5016
+ });
5017
+ defineTable({
5018
+ name: "permitPolicyDecisionReceipts",
5019
+ component: "control-plane",
5020
+ category: "access-control",
5021
+ shape: z.object({
5022
+ tenantId: z.string().optional(),
5023
+ workspaceId: z.string().optional(),
5024
+ principalId: z.string(),
5025
+ subjectType: permitAccessReviewSubjectType.optional(),
5026
+ subjectId: z.string().optional(),
5027
+ resourceType: z.string(),
5028
+ resourceId: z.string(),
5029
+ action: z.string(),
5030
+ decision: permitDecision,
5031
+ reasonCode: z.string(),
5032
+ policyBundleId: z.string().optional(),
5033
+ policyVersion: z.string(),
5034
+ traceId: z.string().optional(),
5035
+ requestId: z.string().optional(),
5036
+ audienceMode: z.string().optional(),
5037
+ audienceKey: z.string().optional(),
5038
+ audienceClass: z.enum(["internal", "restricted_external", "public"]).optional(),
5039
+ metadata: z.record(z.any()).optional(),
5040
+ createdAt: z.number(),
5041
+ expiresAt: z.number().optional(),
5042
+ createdBy: z.string().optional()
5043
+ }),
5044
+ indices: [
5045
+ { kind: "index", name: "by_principal_createdAt", columns: ["principalId", "createdAt"] },
5046
+ { kind: "index", name: "by_tenant_createdAt", columns: ["tenantId", "createdAt"] },
5047
+ { kind: "index", name: "by_resource", columns: ["resourceType", "resourceId"] },
5048
+ { kind: "index", name: "by_decision_createdAt", columns: ["decision", "createdAt"] },
5049
+ { kind: "index", name: "by_traceId", columns: ["traceId"] },
5050
+ { kind: "index", name: "by_action", columns: ["action"] }
5051
+ ]
5052
+ });
5053
+ defineTable({
5054
+ name: "permitAccessReviews",
5055
+ component: "control-plane",
5056
+ category: "access-control",
5057
+ shape: z.object({
5058
+ tenantId: z.string(),
5059
+ workspaceId: z.optional(z.string()),
5060
+ reviewKey: z.string(),
5061
+ scope: permitReviewScope,
5062
+ status: permitAccessReviewStatus,
5063
+ subjectType: permitAccessReviewSubjectType,
5064
+ subjectId: z.string(),
5065
+ resourceType: z.string().optional(),
5066
+ resourceKey: z.string().optional(),
5067
+ outcome: z.enum(["allow", "deny"]).optional(),
5068
+ requestedBy: z.string(),
5069
+ reviewedBy: z.string().optional(),
5070
+ requestedAt: z.number(),
5071
+ reviewedAt: z.number().optional(),
5072
+ dueAt: z.number().optional(),
5073
+ justification: z.string().optional(),
5074
+ rationale: z.string().optional(),
5075
+ policyBundleId: z.string().optional(),
5076
+ metadata: z.record(z.any()).optional(),
5077
+ createdAt: z.number(),
5078
+ updatedAt: z.number()
5079
+ }),
5080
+ indices: [
5081
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] },
5082
+ { kind: "index", name: "by_tenant_reviewKey", columns: ["tenantId", "reviewKey"] },
5083
+ { kind: "index", name: "by_subject", columns: ["subjectType", "subjectId"] },
5084
+ {
5085
+ kind: "index",
5086
+ name: "by_tenant_subject",
5087
+ columns: ["tenantId", "subjectType", "subjectId"]
5088
+ },
5089
+ { kind: "index", name: "by_outcome", columns: ["outcome"] },
5090
+ {
5091
+ kind: "index",
5092
+ name: "by_workspace_status",
5093
+ columns: ["workspaceId", "status"]
5094
+ }
5095
+ ]
5096
+ });
5097
+ defineTable({
5098
+ name: "permitAccessReviewItems",
5099
+ component: "control-plane",
5100
+ category: "access-control",
5101
+ shape: z.object({
5102
+ reviewKey: z.string(),
5103
+ itemKey: z.string(),
5104
+ tenantId: z.string(),
5105
+ workspaceId: z.string().optional(),
5106
+ subjectType: permitAccessReviewSubjectType,
5107
+ subjectId: z.string(),
5108
+ resourceType: z.string().optional(),
5109
+ resourceKey: z.string().optional(),
5110
+ role: z.string().optional(),
5111
+ relation: z.string().optional(),
5112
+ status: z.enum(["open", "approved", "revoked", "changed", "deferred"]),
5113
+ reviewerId: z.string().optional(),
5114
+ decisionAt: z.number().optional(),
5115
+ rationale: z.string().optional(),
5116
+ metadata: z.record(z.any()).optional(),
5117
+ createdAt: z.number(),
5118
+ updatedAt: z.number()
5119
+ }),
5120
+ indices: [
5121
+ { kind: "index", name: "by_reviewKey", columns: ["reviewKey"] },
5122
+ { kind: "index", name: "by_tenant_reviewKey", columns: ["tenantId", "reviewKey"] },
5123
+ { kind: "index", name: "by_tenant_itemKey", columns: ["tenantId", "itemKey"] },
5124
+ { kind: "index", name: "by_subject", columns: ["subjectType", "subjectId"] },
5125
+ { kind: "index", name: "by_status", columns: ["status"] }
5126
+ ]
5127
+ });
4214
5128
  defineTable({
4215
5129
  name: "reasoningPermissions",
4216
- component: "identity",
5130
+ component: "control-plane",
4217
5131
  category: "epistemic",
4218
5132
  shape: z.object({
4219
5133
  "topicId": z.string().optional(),
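Review bot: Several indices on the new access-control tables do not lead with `tenantId`: `by_member_group` on permitGroupMemberships, `by_ownerPrincipalId` and `by_status` on permitResourceInstances, `by_resource` on permitPolicyDecisionReceipts, and `by_subject` on both access-review tables. Tenant isolation for any query through them therefore rests on the caller filtering afterwards; the query layer is not visible here, so this may already be handled. `by_member_group` duplicates `by_tenant_member_group` minus the tenant column and could be dropped, and the others would be safer tenant-leading, e.g. `columns: ["tenantId", "subjectType", "subjectId"]`, which permitAccessReviews already has as `by_tenant_subject`. permitPolicyDecisionReceipts also declares `tenantId: z.string().optional()`, so a decision receipt can be written with no tenant at all; if system-level receipts are intended, a comment such as `// tenantId omitted only for platform-scope decisions` would make that explicit. The trailing `reasoningPermissions` table continues past the end of the hunk.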
@@ -4460,7 +5374,7 @@ defineTable({
4460
5374
  });
4461
5375
  defineTable({
4462
5376
  name: "users",
4463
- component: "identity",
5377
+ component: "control-plane",
4464
5378
  category: "user",
4465
5379
  shape: z.object({
4466
5380
  "clerkId": z.string(),
@@ -4574,7 +5488,6 @@ defineTable({
4574
5488
  "deployments": z.record(z.object({
4575
5489
  "url": z.string(),
4576
5490
  "target": z.enum(["kernelDeployment", "appDeployment"]).optional(),
4577
- "encryptedDeployKey": z.string().optional(),
4578
5491
  "credentialRef": z.string().optional()
4579
5492
  })).optional(),
4580
5493
  "metadata": z.record(z.any()).optional(),
@@ -4589,6 +5502,39 @@ defineTable({
4589
5502
  { kind: "index", name: "by_status", columns: ["status"] }
4590
5503
  ]
4591
5504
  });
5505
+ defineTable({
5506
+ name: "deploymentHosts",
5507
+ component: "mc",
5508
+ category: "workspace",
5509
+ shape: z.object({
5510
+ "host": z.string(),
5511
+ "tenantId": idOf("tenants"),
5512
+ "workspaceId": idOf("workspaces"),
5513
+ "environment": z.enum(["dev", "staging", "prod"]),
5514
+ "target": z.enum(["kernelDeployment", "appDeployment"]),
5515
+ "deploymentUrl": z.string().optional(),
5516
+ "deploymentName": z.string().optional(),
5517
+ "vercelProjectName": z.string().optional(),
5518
+ "vercelProjectId": z.string().optional(),
5519
+ "vercelEnvironment": z.enum(["development", "preview", "staging", "production"]).optional(),
5520
+ "source": z.enum(["vercel_preview", "vercel_production", "vercel_custom_environment", "custom_domain", "manual"]),
5521
+ "status": z.enum(["active", "revoked"]),
5522
+ "metadata": z.record(z.any()).optional(),
5523
+ "createdBy": z.string(),
5524
+ "createdAt": z.number(),
5525
+ "updatedAt": z.number(),
5526
+ "revokedAt": z.number().optional(),
5527
+ "revokedBy": z.string().optional()
5528
+ }),
5529
+ indices: [
5530
+ { kind: "index", name: "by_host", columns: ["host"] },
5531
+ { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
5532
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
5533
+ { kind: "index", name: "by_tenant_workspace_environment", columns: ["tenantId", "workspaceId", "environment"] },
5534
+ { kind: "index", name: "by_workspace_status", columns: ["workspaceId", "status"] },
5535
+ { kind: "index", name: "by_status", columns: ["status"] }
5536
+ ]
5537
+ });
4592
5538
  defineTable({
4593
5539
  name: "worktreeBeliefCluster",
4594
5540
  component: "kernel",
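Review bot: `"host": z.string()` accepts any string and the `by_host` index has no status column. If this table is what maps an incoming hostname to a tenant and workspace (the lookup code is not in this hunk), a differently-cased or port-suffixed duplicate, or a row whose `status` is `"revoked"`, comes back from the same index as the active one. I would document the canonical form above the field, e.g. `// host: lower-case hostname, no port, no trailing dot; at most one active row per host`, and consider an extra index `{ kind: "index", name: "by_host_status", columns: ["host", "status"] }` so resolution can select active rows directly. The `worktreeBeliefCluster` table that follows continues outside the hunk.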
@@ -4896,8 +5842,8 @@ defineTable({
4896
5842
  });
4897
5843
  z.object({
4898
5844
  manifestVersion: z.string(),
4899
- componentName: z.enum(["kernel", "identity"]),
4900
- tier: z.enum(["K", "I"]),
5845
+ componentName: z.enum(["kernel", "control-plane"]),
5846
+ tier: z.enum(["K", "CP"]),
4901
5847
  packageVersion: z.string(),
4902
5848
  tables: z.array(
4903
5849
  z.object({
@@ -5033,119 +5979,984 @@ var TENANT_CLIENT_INSTALLABLE_PACKAGES = [
5033
5979
  directTenantImport: false
5034
5980
  },
5035
5981
  {
5036
- packageName: "@lucern/auth",
5037
- role: "sdk_dependency",
5038
- directTenantImport: false
5982
+ packageName: "@lucern/auth",
5983
+ role: "sdk_dependency",
5984
+ directTenantImport: false
5985
+ },
5986
+ {
5987
+ packageName: "@lucern/cli",
5988
+ role: "developer_tool",
5989
+ directTenantImport: false
5990
+ },
5991
+ {
5992
+ packageName: "@lucern/client-core",
5993
+ role: "sdk_dependency",
5994
+ directTenantImport: false
5995
+ },
5996
+ {
5997
+ packageName: "@lucern/confidence",
5998
+ role: "sdk_dependency",
5999
+ directTenantImport: false
6000
+ },
6001
+ {
6002
+ packageName: "@lucern/config",
6003
+ role: "configuration",
6004
+ directTenantImport: false
6005
+ },
6006
+ {
6007
+ packageName: "@lucern/contracts",
6008
+ role: "contract_entrypoint",
6009
+ directTenantImport: true
6010
+ },
6011
+ {
6012
+ packageName: "@lucern/control-plane",
6013
+ role: "component_runtime",
6014
+ directTenantImport: false
6015
+ },
6016
+ {
6017
+ packageName: "@lucern/developer-kit",
6018
+ role: "developer_tool",
6019
+ directTenantImport: false
6020
+ },
6021
+ {
6022
+ packageName: "@lucern/events",
6023
+ role: "sdk_dependency",
6024
+ directTenantImport: false
6025
+ },
6026
+ {
6027
+ packageName: "@lucern/graph-primitives",
6028
+ role: "sdk_dependency",
6029
+ directTenantImport: false
6030
+ },
6031
+ {
6032
+ packageName: "@lucern/graph-sync",
6033
+ role: "host_addon_runtime",
6034
+ directTenantImport: true
6035
+ },
6036
+ {
6037
+ packageName: "@lucern/mcp",
6038
+ role: "runtime_entrypoint",
6039
+ directTenantImport: true
6040
+ },
6041
+ {
6042
+ packageName: "@lucern/pack-host",
6043
+ role: "platform_runtime",
6044
+ directTenantImport: false
6045
+ },
6046
+ {
6047
+ packageName: "@lucern/pack-installer",
6048
+ role: "developer_tool",
6049
+ directTenantImport: false
6050
+ },
6051
+ {
6052
+ packageName: "@lucern/proof-compiler",
6053
+ role: "developer_tool",
6054
+ directTenantImport: false
6055
+ },
6056
+ {
6057
+ packageName: "@lucern/react",
6058
+ role: "runtime_entrypoint",
6059
+ directTenantImport: true
6060
+ },
6061
+ {
6062
+ packageName: "@lucern/reasoning-kernel",
6063
+ role: "component_runtime",
6064
+ directTenantImport: false
6065
+ },
6066
+ {
6067
+ packageName: "@lucern/sdk",
6068
+ role: "runtime_entrypoint",
6069
+ directTenantImport: true
6070
+ },
6071
+ {
6072
+ packageName: "@lucern/secrets",
6073
+ role: "sdk_dependency",
6074
+ directTenantImport: false
6075
+ },
6076
+ {
6077
+ packageName: "@lucern/server-core",
6078
+ role: "platform_runtime",
6079
+ directTenantImport: false
6080
+ },
6081
+ {
6082
+ packageName: "@lucern/testing",
6083
+ role: "test_support",
6084
+ directTenantImport: false
6085
+ },
6086
+ {
6087
+ packageName: "@lucern/types",
6088
+ role: "contract_entrypoint",
6089
+ directTenantImport: true
6090
+ }
6091
+ ];
6092
+ TENANT_CLIENT_INSTALLABLE_PACKAGES.map(
6093
+ (entry) => entry.packageName
6094
+ );
6095
+
6096
+ // ../contracts/src/infisical-runtime.contract.ts
6097
+ var INFISICAL_TENANT_SOFTWARE_SYSTEMS = [
6098
+ {
6099
+ id: "stack-frontend",
6100
+ tenantKey: "stack",
6101
+ workspaceKey: "frontend",
6102
+ vercelProjectName: "ai-chatbot-diao",
6103
+ vercelTeamId: "team_mZBKwvXSSu7qxrWdg2go29sK",
6104
+ vercelProjectId: "prj_PihFw8kohSSw14nZs9YQV3xVo517",
6105
+ repository: {
6106
+ owner: "stack-vc",
6107
+ name: "front-end"
6108
+ },
6109
+ sharedSourcePath: "/tenants/stack",
6110
+ sharedVariablePolicy: "tenant_shared_all_systems",
6111
+ convex: {
6112
+ urlEnv: "CONVEX_FRONTEND_URL",
6113
+ deployKeyEnv: "CONVEX_FRONTEND_DEPLOY_KEY",
6114
+ preprodDeployment: "rugged-lobster-664",
6115
+ prodDeployment: "wonderful-toucan-0"
6116
+ }
6117
+ },
6118
+ {
6119
+ id: "stackos",
6120
+ tenantKey: "stack",
6121
+ workspaceKey: "stackos",
6122
+ vercelProjectName: "stackos",
6123
+ vercelTeamId: "team_mZBKwvXSSu7qxrWdg2go29sK",
6124
+ vercelProjectId: "prj_rXLAL0Z6v9p1fasKbomby6GI7kau",
6125
+ repository: {
6126
+ owner: "stack-vc",
6127
+ name: "stackos"
6128
+ },
6129
+ sharedSourcePath: "/tenants/stack",
6130
+ sharedVariablePolicy: "tenant_shared_all_systems",
6131
+ convex: {
6132
+ urlEnv: "CONVEX_STACKOS_URL",
6133
+ deployKeyEnv: "CONVEX_STACKOS_DEPLOY_KEY",
6134
+ preprodDeployment: "giant-mandrill-761",
6135
+ prodDeployment: "good-snake-515"
6136
+ }
6137
+ },
6138
+ {
6139
+ id: "stack-eng",
6140
+ tenantKey: "stack",
6141
+ workspaceKey: "engineering",
6142
+ vercelProjectName: "stackos-engineering-graph",
6143
+ vercelTeamId: "team_mZBKwvXSSu7qxrWdg2go29sK",
6144
+ vercelProjectId: "prj_zAU0Zn9GkbHjHI63dxW4vLpmoqTJ",
6145
+ repository: {
6146
+ owner: "stack-vc",
6147
+ name: "stackos-engineering-graph"
6148
+ },
6149
+ sharedSourcePath: "/tenants/stack/engineering",
6150
+ sharedVariablePolicy: "tenant_shared_all_systems",
6151
+ convex: {
6152
+ urlEnv: "CONVEX_STACK_ENG_URL",
6153
+ deployKeyEnv: "CONVEX_STACK_ENG_DEPLOY_KEY",
6154
+ preprodDeployment: "small-oyster-270",
6155
+ prodDeployment: "bold-cuttlefish-804"
6156
+ }
6157
+ },
6158
+ {
6159
+ id: "lucern-graph",
6160
+ tenantKey: "lucern",
6161
+ workspaceKey: "lucern",
6162
+ vercelProjectName: "lucern-graph",
6163
+ vercelTeamId: "team_vTHxxs8GAoAFUe6RWMlYt7fY",
6164
+ vercelProjectId: "prj_KJ8EKV8vGM5xURpqmwTwmECEGPgQ",
6165
+ repository: {
6166
+ owner: "LucernAI",
6167
+ name: "lucern-graph"
6168
+ },
6169
+ sharedSourcePath: "/tenants/lucern/shared",
6170
+ sharedVariablePolicy: "tenant_shared_all_systems",
6171
+ convex: {
6172
+ urlEnv: "CONVEX_LUCERN_URL",
6173
+ deployKeyEnv: "CONVEX_LUCERN_DEPLOY_KEY",
6174
+ preprodDeployment: "good-blackbird-774",
6175
+ prodDeployment: "precious-dog-365"
6176
+ }
6177
+ }
6178
+ ];
6179
+ var TENANT_SHARED_SECRET_DEFINITION_TEMPLATES = [
6180
+ {
6181
+ idSuffix: "clerk.publishable",
6182
+ canonicalName: "NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY",
6183
+ aliases: ["CLERK_PUBLISHABLE_KEY"],
6184
+ required: true,
6185
+ secret: false,
6186
+ public: true,
6187
+ description: "Tenant-owned Clerk browser key. For Stack this is the master clerk.stack.vc project shared by front-end, StackOS, and the engineering workspace."
6188
+ },
6189
+ {
6190
+ idSuffix: "clerk.secret",
6191
+ canonicalName: "CLERK_SECRET_KEY",
6192
+ required: true,
6193
+ secret: true,
6194
+ public: false,
6195
+ description: "Tenant-owned Clerk backend secret used only by that tenant's server runtimes."
6196
+ },
6197
+ {
6198
+ idSuffix: "clerk.project",
6199
+ canonicalName: "CLERK_PROJECT_ID",
6200
+ required: true,
6201
+ secret: false,
6202
+ public: false,
6203
+ description: "Tenant-owned Clerk project id used to resolve canonical Clerk aliases."
6204
+ },
6205
+ {
6206
+ idSuffix: "clerk.jwks",
6207
+ canonicalName: "CLERK_JWT_ISSUER_DOMAIN",
6208
+ aliases: ["CLERK_ISSUER_URL", "CLERK_JWKS_URL"],
6209
+ required: false,
6210
+ secret: false,
6211
+ public: false,
6212
+ description: "Tenant Clerk issuer/JWKS URL consumed by Convex auth.config.ts."
6213
+ },
6214
+ {
6215
+ idSuffix: "clerk.jwt-key",
6216
+ canonicalName: "CLERK_JWT_KEY",
6217
+ required: false,
6218
+ secret: true,
6219
+ public: false,
6220
+ description: "Tenant Clerk JWT public verification key used by bearer-token API routes."
6221
+ },
6222
+ {
6223
+ idSuffix: "clerk.authorized-parties",
6224
+ canonicalName: "CLERK_AUTHORIZED_PARTIES",
6225
+ aliases: ["CLERK_MOBILE_AUTHORIZED_PARTIES"],
6226
+ required: false,
6227
+ secret: false,
6228
+ public: false,
6229
+ description: "Comma-separated Clerk authorized parties for browser and mobile bearer-token validation."
6230
+ },
6231
+ {
6232
+ idSuffix: "clerk.sign-in-url",
6233
+ canonicalName: "NEXT_PUBLIC_CLERK_SIGN_IN_URL",
6234
+ required: false,
6235
+ secret: false,
6236
+ public: true,
6237
+ description: "Tenant Clerk sign-in route for custom app login surfaces."
6238
+ },
6239
+ {
6240
+ idSuffix: "clerk.sign-up-url",
6241
+ canonicalName: "NEXT_PUBLIC_CLERK_SIGN_UP_URL",
6242
+ required: false,
6243
+ secret: false,
6244
+ public: true,
6245
+ description: "Tenant Clerk sign-up route for custom app login surfaces."
6246
+ }
6247
+ ];
6248
+ INFISICAL_TENANT_SOFTWARE_SYSTEMS.flatMap(
6249
+ (system) => TENANT_SHARED_SECRET_DEFINITION_TEMPLATES.map(
6250
+ (template) => ({
6251
+ id: `tenant.${system.id}.${template.idSuffix}`,
6252
+ canonicalName: template.canonicalName,
6253
+ aliases: "aliases" in template ? template.aliases : void 0,
6254
+ owner: "tenant",
6255
+ scope: "tenant",
6256
+ sourcePath: system.sharedSourcePath,
6257
+ environmentPolicy: "environment_specific",
6258
+ required: template.required,
6259
+ secret: template.secret,
6260
+ public: template.public,
6261
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
6262
+ destinations: [
6263
+ {
6264
+ kind: "vercel",
6265
+ target: system.vercelProjectName,
6266
+ environmentPolicy: "preprod_staging_prod_prod"
6267
+ },
6268
+ {
6269
+ kind: "convex",
6270
+ target: `${system.convex.preprodDeployment}|${system.convex.prodDeployment}`,
6271
+ environmentPolicy: "preprod_staging_prod_prod"
6272
+ }
6273
+ ],
6274
+ description: `${system.tenantKey}/${system.workspaceKey}: ${template.description}`
6275
+ })
6276
+ )
6277
+ );
6278
+ INFISICAL_TENANT_SOFTWARE_SYSTEMS.map(
6279
+ (system) => ({
6280
+ id: `tenant.${system.id}.install-lucern-npm`,
6281
+ canonicalName: "INSTALL_LUCERN_NPM",
6282
+ owner: "provider",
6283
+ scope: "global",
6284
+ sourcePath: "/tenants/shared",
6285
+ environmentPolicy: "same_all_environments",
6286
+ required: true,
6287
+ secret: true,
6288
+ public: false,
6289
+ consumers: ["tenant-vercel-app", "tenant-deploy-tooling"],
6290
+ destinations: [
6291
+ {
6292
+ kind: "vercel",
6293
+ target: system.vercelProjectName,
6294
+ environmentPolicy: "same_all_environments"
6295
+ },
6296
+ {
6297
+ kind: "github_actions",
6298
+ target: `${system.repository.owner}/${system.repository.name}`,
6299
+ environmentPolicy: "same_all_environments"
6300
+ }
6301
+ ],
6302
+ description: `${system.tenantKey}/${system.workspaceKey}: read-only npm install token for published @lucern/* packages.`
6303
+ })
6304
+ );
6305
+ var TENANT_PRODUCT_SOFTWARE_SYSTEM_IDS = ["stack-frontend", "stackos"];
6306
+ var TENANT_PRODUCT_RUNTIME_SECRET_DEFINITION_TEMPLATES = [
6307
+ {
6308
+ idSuffix: "ai.openai-api-key",
6309
+ canonicalName: "OPENAI_API_KEY",
6310
+ required: false,
6311
+ secret: true,
6312
+ public: false,
6313
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment", "tenant-ai-runtime"],
6314
+ description: "Tenant-owned OpenAI key for product runtime LLM calls."
6315
+ },
6316
+ {
6317
+ idSuffix: "ai.anthropic-api-key",
6318
+ canonicalName: "ANTHROPIC_API_KEY",
6319
+ required: false,
6320
+ secret: true,
6321
+ public: false,
6322
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment", "tenant-ai-runtime"],
6323
+ description: "Tenant-owned Anthropic key for product runtime LLM calls."
6324
+ },
6325
+ {
6326
+ idSuffix: "ai.gemini-api-key",
6327
+ canonicalName: "GEMINI_API_KEY",
6328
+ aliases: ["GOOGLE_AI_API_KEY", "GOOGLE_GENERATIVE_AI_API_KEY"],
6329
+ required: false,
6330
+ secret: true,
6331
+ public: false,
6332
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment", "tenant-ai-runtime"],
6333
+ description: "Tenant-owned Google/Gemini key for product runtime LLM calls."
6334
+ },
6335
+ {
6336
+ idSuffix: "langfuse.secret-key",
6337
+ canonicalName: "LANGFUSE_SECRET_KEY",
6338
+ required: false,
6339
+ secret: true,
6340
+ public: false,
6341
+ consumers: [
6342
+ "tenant-vercel-app",
6343
+ "tenant-convex-deployment",
6344
+ "tenant-observability"
6345
+ ],
6346
+ description: "Tenant-owned Langfuse secret key for product AI tracing."
6347
+ },
6348
+ {
6349
+ idSuffix: "langfuse.public-key",
6350
+ canonicalName: "LANGFUSE_PUBLIC_KEY",
6351
+ required: false,
6352
+ secret: false,
6353
+ public: false,
6354
+ consumers: [
6355
+ "tenant-vercel-app",
6356
+ "tenant-convex-deployment",
6357
+ "tenant-observability"
6358
+ ],
6359
+ description: "Tenant-owned Langfuse public key for product AI tracing."
6360
+ },
6361
+ {
6362
+ idSuffix: "langfuse.base-url",
6363
+ canonicalName: "LANGFUSE_BASE_URL",
6364
+ aliases: ["LANGFUSE_BASEURL", "LANGFUSE_HOST"],
6365
+ required: false,
6366
+ secret: false,
6367
+ public: false,
6368
+ consumers: [
6369
+ "tenant-vercel-app",
6370
+ "tenant-convex-deployment",
6371
+ "tenant-observability"
6372
+ ],
6373
+ description: "Tenant-owned Langfuse API origin."
6374
+ },
6375
+ {
6376
+ idSuffix: "graph.neo4j-uri",
6377
+ canonicalName: "NEO4J_URI",
6378
+ required: false,
6379
+ secret: false,
6380
+ public: false,
6381
+ consumers: [
6382
+ "tenant-vercel-app",
6383
+ "tenant-convex-deployment",
6384
+ "tenant-graph-sync"
6385
+ ],
6386
+ description: "Tenant-owned Neo4j URI for product graph-sync."
6387
+ },
6388
+ {
6389
+ idSuffix: "graph.neo4j-user",
6390
+ canonicalName: "NEO4J_USER",
6391
+ aliases: ["NEO4J_USERNAME"],
6392
+ required: false,
6393
+ secret: false,
6394
+ public: false,
6395
+ consumers: [
6396
+ "tenant-vercel-app",
6397
+ "tenant-convex-deployment",
6398
+ "tenant-graph-sync"
6399
+ ],
6400
+ description: "Tenant-owned Neo4j user for product graph-sync."
6401
+ },
6402
+ {
6403
+ idSuffix: "graph.neo4j-password",
6404
+ canonicalName: "NEO4J_PASSWORD",
6405
+ required: false,
6406
+ secret: true,
6407
+ public: false,
6408
+ consumers: [
6409
+ "tenant-vercel-app",
6410
+ "tenant-convex-deployment",
6411
+ "tenant-graph-sync"
6412
+ ],
6413
+ description: "Tenant-owned Neo4j password for product graph-sync."
6414
+ },
6415
+ {
6416
+ idSuffix: "graph.neo4j-sync-secret",
6417
+ canonicalName: "NEO4J_SYNC_SECRET",
6418
+ required: false,
6419
+ secret: true,
6420
+ public: false,
6421
+ consumers: [
6422
+ "tenant-vercel-app",
6423
+ "tenant-convex-deployment",
6424
+ "tenant-graph-sync"
6425
+ ],
6426
+ description: "Tenant-owned shared secret for product Convex-to-HTTP graph-sync calls."
5039
6427
  },
5040
6428
  {
5041
- packageName: "@lucern/cli",
5042
- role: "developer_tool",
5043
- directTenantImport: false
6429
+ idSuffix: "graph.neo4j-database",
6430
+ canonicalName: "NEO4J_DATABASE",
6431
+ required: false,
6432
+ secret: false,
6433
+ public: false,
6434
+ consumers: [
6435
+ "tenant-vercel-app",
6436
+ "tenant-convex-deployment",
6437
+ "tenant-graph-sync"
6438
+ ],
6439
+ description: "Tenant-owned Neo4j database name for product graph-sync."
5044
6440
  },
5045
6441
  {
5046
- packageName: "@lucern/client-core",
5047
- role: "sdk_dependency",
5048
- directTenantImport: false
6442
+ idSuffix: "vector.pinecone-api-key",
6443
+ canonicalName: "PINECONE_API_KEY",
6444
+ required: false,
6445
+ secret: true,
6446
+ public: false,
6447
+ consumers: [
6448
+ "tenant-vercel-app",
6449
+ "tenant-convex-deployment",
6450
+ "tenant-vector-store"
6451
+ ],
6452
+ description: "Tenant-owned Pinecone API key for product vector search."
5049
6453
  },
5050
6454
  {
5051
- packageName: "@lucern/confidence",
5052
- role: "sdk_dependency",
5053
- directTenantImport: false
6455
+ idSuffix: "vector.pinecone-index-name",
6456
+ canonicalName: "PINECONE_INDEX_NAME",
6457
+ aliases: ["PINECONE_INDEX"],
6458
+ required: false,
6459
+ secret: false,
6460
+ public: false,
6461
+ consumers: [
6462
+ "tenant-vercel-app",
6463
+ "tenant-convex-deployment",
6464
+ "tenant-vector-store"
6465
+ ],
6466
+ description: "Tenant-owned Pinecone index name for product vector search."
5054
6467
  },
5055
6468
  {
5056
- packageName: "@lucern/config",
5057
- role: "configuration",
5058
- directTenantImport: false
6469
+ idSuffix: "vector.pinecone-host",
6470
+ canonicalName: "PINECONE_HOST",
6471
+ aliases: ["PINECONE_INDEX_HOST"],
6472
+ required: false,
6473
+ secret: false,
6474
+ public: false,
6475
+ consumers: [
6476
+ "tenant-vercel-app",
6477
+ "tenant-convex-deployment",
6478
+ "tenant-vector-store"
6479
+ ],
6480
+ description: "Tenant-owned Pinecone host for product vector search."
5059
6481
  },
5060
6482
  {
5061
- packageName: "@lucern/contracts",
5062
- role: "contract_entrypoint",
5063
- directTenantImport: true
6483
+ idSuffix: "vector.pinecone-namespace",
6484
+ canonicalName: "PINECONE_NAMESPACE",
6485
+ required: false,
6486
+ secret: false,
6487
+ public: false,
6488
+ consumers: [
6489
+ "tenant-vercel-app",
6490
+ "tenant-convex-deployment",
6491
+ "tenant-vector-store"
6492
+ ],
6493
+ description: "Tenant-owned Pinecone namespace for product vector search isolation."
5064
6494
  },
5065
6495
  {
5066
- packageName: "@lucern/control-plane",
5067
- role: "platform_runtime",
5068
- directTenantImport: false
6496
+ idSuffix: "storage.aws-access-key-id",
6497
+ canonicalName: "AWS_ACCESS_KEY_ID",
6498
+ required: false,
6499
+ secret: true,
6500
+ public: false,
6501
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
6502
+ description: "Tenant-owned AWS access key id for document/file ingestion."
5069
6503
  },
5070
6504
  {
5071
- packageName: "@lucern/developer-kit",
5072
- role: "developer_tool",
5073
- directTenantImport: false
6505
+ idSuffix: "storage.aws-secret-access-key",
6506
+ canonicalName: "AWS_SECRET_ACCESS_KEY",
6507
+ required: false,
6508
+ secret: true,
6509
+ public: false,
6510
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
6511
+ description: "Tenant-owned AWS secret access key for document/file ingestion."
5074
6512
  },
5075
6513
  {
5076
- packageName: "@lucern/events",
5077
- role: "sdk_dependency",
5078
- directTenantImport: false
6514
+ idSuffix: "storage.aws-region",
6515
+ canonicalName: "AWS_REGION",
6516
+ required: false,
6517
+ secret: false,
6518
+ public: false,
6519
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
6520
+ description: "Tenant-owned AWS region for document/file ingestion."
5079
6521
  },
5080
6522
  {
5081
- packageName: "@lucern/graph-primitives",
5082
- role: "sdk_dependency",
5083
- directTenantImport: false
6523
+ idSuffix: "observability.sentry-dsn",
6524
+ canonicalName: "NEXT_PUBLIC_SENTRY_DSN",
6525
+ aliases: ["NEXT_PUBLIC_SENTRY_DSN_NEXTJS", "SENTRY_DSN"],
6526
+ required: false,
6527
+ secret: false,
6528
+ public: true,
6529
+ consumers: ["tenant-vercel-app", "tenant-observability"],
6530
+ description: "Tenant-owned Sentry DSN for app telemetry."
5084
6531
  },
5085
6532
  {
5086
- packageName: "@lucern/graph-sync",
5087
- role: "host_addon_runtime",
5088
- directTenantImport: true
6533
+ idSuffix: "observability.sentry-auth-token",
6534
+ canonicalName: "SENTRY_AUTH_TOKEN",
6535
+ required: false,
6536
+ secret: true,
6537
+ public: false,
6538
+ consumers: ["tenant-deploy-tooling", "tenant-observability"],
6539
+ description: "Tenant-owned Sentry release token for app deployments."
5089
6540
  },
5090
6541
  {
5091
- packageName: "@lucern/identity",
5092
- role: "component_runtime",
5093
- directTenantImport: false
6542
+ idSuffix: "observability.sentry-org",
6543
+ canonicalName: "SENTRY_ORG",
6544
+ aliases: ["SENTRY_ORG_SLUG"],
6545
+ required: false,
6546
+ secret: false,
6547
+ public: false,
6548
+ consumers: ["tenant-deploy-tooling", "tenant-observability"],
6549
+ description: "Tenant-owned Sentry org slug for release uploads."
5094
6550
  },
5095
6551
  {
5096
- packageName: "@lucern/mcp",
5097
- role: "runtime_entrypoint",
5098
- directTenantImport: true
6552
+ idSuffix: "observability.sentry-project",
6553
+ canonicalName: "SENTRY_PROJECT",
6554
+ aliases: ["SENTRY_PROJECT_NEXTJS"],
6555
+ required: false,
6556
+ secret: false,
6557
+ public: false,
6558
+ consumers: ["tenant-deploy-tooling", "tenant-observability"],
6559
+ description: "Tenant-owned Sentry project slug for release uploads."
5099
6560
  },
5100
6561
  {
5101
- packageName: "@lucern/pack-host",
5102
- role: "platform_runtime",
5103
- directTenantImport: false
6562
+ idSuffix: "observability.sentry-environment",
6563
+ canonicalName: "NEXT_PUBLIC_SENTRY_ENVIRONMENT",
6564
+ aliases: ["SENTRY_ENVIRONMENT"],
6565
+ required: false,
6566
+ secret: false,
6567
+ public: true,
6568
+ consumers: ["tenant-vercel-app", "tenant-observability"],
6569
+ description: "Tenant-owned Sentry environment label."
5104
6570
  },
5105
6571
  {
5106
- packageName: "@lucern/pack-installer",
5107
- role: "developer_tool",
5108
- directTenantImport: false
6572
+ idSuffix: "observability.sentry-release",
6573
+ canonicalName: "NEXT_PUBLIC_SENTRY_RELEASE",
6574
+ aliases: ["SENTRY_RELEASE"],
6575
+ required: false,
6576
+ secret: false,
6577
+ public: true,
6578
+ consumers: ["tenant-vercel-app", "tenant-observability"],
6579
+ description: "Tenant-owned Sentry release label."
5109
6580
  },
5110
6581
  {
5111
- packageName: "@lucern/proof-compiler",
5112
- role: "developer_tool",
5113
- directTenantImport: false
6582
+ idSuffix: "observability.sentry-client-options",
6583
+ canonicalName: "NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE",
6584
+ aliases: [
6585
+ "NEXT_PUBLIC_SENTRY_CAPTURE_CONSOLE_LEVELS",
6586
+ "NEXT_PUBLIC_SENTRY_CAPTURE_CONSOLE_LEVELS_NEXTJS",
6587
+ "NEXT_PUBLIC_SENTRY_CONSOLE_BREADCRUMB_LEVELS",
6588
+ "NEXT_PUBLIC_SENTRY_CONSOLE_BREADCRUMB_LEVELS_NEXTJS",
6589
+ "NEXT_PUBLIC_SENTRY_CONSOLE_LOG_LEVELS",
6590
+ "NEXT_PUBLIC_SENTRY_CONSOLE_LOG_LEVELS_NEXTJS",
6591
+ "NEXT_PUBLIC_SENTRY_ENABLE_LOGS",
6592
+ "NEXT_PUBLIC_SENTRY_REPLAYS_ON_ERROR_SAMPLE_RATE",
6593
+ "NEXT_PUBLIC_SENTRY_REPLAYS_SESSION_SAMPLE_RATE",
6594
+ "NEXT_PUBLIC_SENTRY_SEND_DEFAULT_PII",
6595
+ "NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE_NEXTJS"
6596
+ ],
6597
+ required: false,
6598
+ secret: false,
6599
+ public: true,
6600
+ consumers: ["tenant-vercel-app", "tenant-observability"],
6601
+ description: "Tenant-owned public Sentry tuning values for Next.js client instrumentation."
5114
6602
  },
5115
6603
  {
5116
- packageName: "@lucern/react",
5117
- role: "runtime_entrypoint",
5118
- directTenantImport: true
6604
+ idSuffix: "observability.sentry-webhook-secret",
6605
+ canonicalName: "SENTRY_WEBHOOK_SECRET",
6606
+ required: false,
6607
+ secret: true,
6608
+ public: false,
6609
+ consumers: ["tenant-convex-deployment", "tenant-observability"],
6610
+ description: "Tenant-owned Sentry webhook verification secret."
5119
6611
  },
5120
6612
  {
5121
- packageName: "@lucern/reasoning-kernel",
5122
- role: "component_runtime",
5123
- directTenantImport: false
6613
+ idSuffix: "lucern.gateway-api-key",
6614
+ canonicalName: "LUCERN_API_KEY",
6615
+ aliases: ["STACK_API_KEY"],
6616
+ required: false,
6617
+ secret: true,
6618
+ public: false,
6619
+ consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
6620
+ description: "Tenant-scoped Lucern/MC gateway API key for product front-door calls."
5124
6621
  },
5125
6622
  {
5126
- packageName: "@lucern/sdk",
5127
- role: "runtime_entrypoint",
5128
- directTenantImport: true
6623
+ idSuffix: "lucern.gateway-base-url",
6624
+ canonicalName: "LUCERN_BASE_URL",
6625
+ aliases: ["LUCERN_API_BASE_URL", "LUCERN_GATEWAY_BASE_URL"],
6626
+ required: false,
6627
+ secret: false,
6628
+ public: false,
6629
+ consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
6630
+ description: "Lucern/MC gateway base URL used by tenant product apps."
5129
6631
  },
5130
6632
  {
5131
- packageName: "@lucern/server-core",
5132
- role: "platform_runtime",
5133
- directTenantImport: false
6633
+ idSuffix: "lucern.proxy-token-secret",
6634
+ canonicalName: "LUCERN_PROXY_TOKEN_SECRET",
6635
+ required: false,
6636
+ secret: true,
6637
+ public: false,
6638
+ consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
6639
+ description: "Tenant-owned secret for signing internal proxy/session tokens in product apps."
5134
6640
  },
5135
6641
  {
5136
- packageName: "@lucern/testing",
5137
- role: "test_support",
5138
- directTenantImport: false
6642
+ idSuffix: "tenant.integrations.linear-api-key",
6643
+ canonicalName: "LINEAR_API_KEY",
6644
+ required: false,
6645
+ secret: true,
6646
+ public: false,
6647
+ consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
6648
+ description: "Tenant-owned Linear API key for support/slash-command flows."
5139
6649
  },
5140
6650
  {
5141
- packageName: "@lucern/types",
5142
- role: "contract_entrypoint",
5143
- directTenantImport: true
6651
+ idSuffix: "tenant.vercel.bypass-token",
6652
+ canonicalName: "VERCEL_AUTOMATION_BYPASS_SECRET",
6653
+ aliases: ["NEXT_PUBLIC_VERCEL_BYPASS_TOKEN"],
6654
+ required: false,
6655
+ secret: true,
6656
+ public: false,
6657
+ consumers: ["tenant-vercel-app", "tenant-deploy-tooling"],
6658
+ description: "Tenant-owned Vercel automation bypass token. Public alias is legacy and should be removed from app code."
5144
6659
  }
5145
6660
  ];
5146
- TENANT_CLIENT_INSTALLABLE_PACKAGES.map(
5147
- (entry) => entry.packageName
6661
+ INFISICAL_TENANT_SOFTWARE_SYSTEMS.filter(
6662
+ (system) => TENANT_PRODUCT_SOFTWARE_SYSTEM_IDS.includes(system.id)
6663
+ ).flatMap(
6664
+ (system) => TENANT_PRODUCT_RUNTIME_SECRET_DEFINITION_TEMPLATES.map(
6665
+ (template) => ({
6666
+ id: `tenant.${system.id}.${template.idSuffix}`,
6667
+ canonicalName: template.canonicalName,
6668
+ aliases: "aliases" in template ? template.aliases : void 0,
6669
+ owner: "tenant",
6670
+ scope: "tenant",
6671
+ sourcePath: system.sharedSourcePath,
6672
+ environmentPolicy: "environment_specific",
6673
+ required: template.required,
6674
+ secret: template.secret,
6675
+ public: template.public,
6676
+ consumers: template.consumers,
6677
+ destinations: [
6678
+ {
6679
+ kind: "vercel",
6680
+ target: system.vercelProjectName,
6681
+ environmentPolicy: "preprod_staging_prod_prod"
6682
+ },
6683
+ {
6684
+ kind: "convex",
6685
+ target: `${system.convex.preprodDeployment}|${system.convex.prodDeployment}`,
6686
+ environmentPolicy: "preprod_staging_prod_prod"
6687
+ },
6688
+ {
6689
+ kind: "github_actions",
6690
+ target: `${system.repository.owner}/${system.repository.name}`,
6691
+ environmentPolicy: "preprod_staging_prod_prod"
6692
+ }
6693
+ ],
6694
+ description: `${system.tenantKey}/${system.workspaceKey}: ${template.description}`
6695
+ })
6696
+ )
6697
+ );
6698
+ function tenantVercelConvexUrlWriteNames(system) {
6699
+ const names = [system.convex.urlEnv, "NEXT_PUBLIC_CONVEX_URL"];
6700
+ if (system.id === "stack-eng") {
6701
+ return [...names, "STACKOS_ENGINEERING_GRAPH_CONVEX_URL"];
6702
+ }
6703
+ return names;
6704
+ }
6705
+ function tenantRepositoryConvexUrlWriteNames(system) {
6706
+ if (system.id === "stack-eng") {
6707
+ return [system.convex.urlEnv, "STACKOS_ENGINEERING_GRAPH_CONVEX_URL"];
6708
+ }
6709
+ return [system.convex.urlEnv];
6710
+ }
6711
+ function tenantRepositoryConvexDeployKeyWriteNames(system) {
6712
+ if (system.id === "stack-eng") {
6713
+ return [system.convex.deployKeyEnv, "STACKOS_ENGINEERING_GRAPH_DEPLOY_KEY"];
6714
+ }
6715
+ return [system.convex.deployKeyEnv];
6716
+ }
6717
+ function tenantConvexUrlAliases(system) {
6718
+ if (system.id === "stack-frontend") {
6719
+ return [
6720
+ "CONVEX_PROD_URL",
6721
+ "CONVEX_STACK_V2_PROD_URL",
6722
+ "CONVEX_STACK_V2_STAGING_URL",
6723
+ "STACK_CONVEX_URL"
6724
+ ];
6725
+ }
6726
+ if (system.id === "stackos") {
6727
+ return [
6728
+ "CONVEX_CLOUD_URL",
6729
+ "CONVEX_STACK_URL",
6730
+ "CONVEX_URL",
6731
+ "CONVEX_URL_DEVELOPMENT",
6732
+ "CONVEX_URL_PRODUCTION",
6733
+ "STACK_CONVEX_URL"
6734
+ ];
6735
+ }
6736
+ if (system.id === "stack-eng") {
6737
+ return ["STACKOS_ENGINEERING_GRAPH_CONVEX_URL"];
6738
+ }
6739
+ if (system.id === "lucern-graph") {
6740
+ return [
6741
+ "CONVEX_GRAPH_URL",
6742
+ "LUCERN_PROD_URL",
6743
+ "NEXT_PUBLIC_LUCERN_GRAPH_URL"
6744
+ ];
6745
+ }
6746
+ return void 0;
6747
+ }
6748
+ function tenantConvexDeployKeyAliases(system) {
6749
+ if (system.id === "stack-frontend") {
6750
+ return [
6751
+ "CONVEX_STACK_V2_PROD_DEPLOY_KEY",
6752
+ "CONVEX_STACK_V2_STAGING_DEPLOY_KEY",
6753
+ "STACK_DEPLOY_KEY"
6754
+ ];
6755
+ }
6756
+ if (system.id === "stackos") {
6757
+ return [
6758
+ "CONVEX_DEPLOY_KEY",
6759
+ "CONVEX_DEV_DEPLOY_KEY",
6760
+ "CONVEX_PROD_DEPLOY_KEY",
6761
+ "CONVEX_STACK_DEPLOY_KEY",
6762
+ "STACK_DEPLOY_KEY"
6763
+ ];
6764
+ }
6765
+ if (system.id === "stack-eng") {
6766
+ return ["CONVEX_DEPLOY_KEY", "STACKOS_ENGINEERING_GRAPH_DEPLOY_KEY"];
6767
+ }
6768
+ if (system.id === "lucern-graph") {
6769
+ return [
6770
+ "CONVEX_DEPLOY_KEY",
6771
+ "CONVEX_GRAPH_DEPLOY_KEY",
6772
+ "LUCERN_CONVEX_DEPLOY_KEY",
6773
+ "LUCERN_DEV_DEPLOY_KEY",
6774
+ "LUCERN_PROD_DEPLOY_KEY"
6775
+ ];
6776
+ }
6777
+ return void 0;
6778
+ }
6779
+ INFISICAL_TENANT_SOFTWARE_SYSTEMS.flatMap(
6780
+ (system) => {
6781
+ if (system.id === "lucern-graph") {
6782
+ return [
6783
+ {
6784
+ id: "tenant.lucern-graph.public.tenant-id",
6785
+ canonicalName: "NEXT_PUBLIC_LUCERN_GRAPH_TENANT_ID",
6786
+ aliases: ["NEXT_PUBLIC_LUCERN_TENANT_ID"],
6787
+ owner: "tenant",
6788
+ scope: "workspace",
6789
+ sourcePath: system.sharedSourcePath,
6790
+ environmentPolicy: "environment_specific",
6791
+ required: false,
6792
+ secret: false,
6793
+ public: true,
6794
+ consumers: ["tenant-vercel-app"],
6795
+ destinations: [
6796
+ {
6797
+ kind: "vercel",
6798
+ target: system.vercelProjectName,
6799
+ environmentPolicy: "preprod_staging_prod_prod"
6800
+ }
6801
+ ],
6802
+ description: "Lucern graph public tenant id used by the standalone graph explorer."
6803
+ },
6804
+ {
6805
+ id: "tenant.lucern-graph.public.tenant-label",
6806
+ canonicalName: "NEXT_PUBLIC_LUCERN_GRAPH_TENANT_LABEL",
6807
+ owner: "tenant",
6808
+ scope: "workspace",
6809
+ sourcePath: system.sharedSourcePath,
6810
+ environmentPolicy: "environment_specific",
6811
+ required: false,
6812
+ secret: false,
6813
+ public: true,
6814
+ consumers: ["tenant-vercel-app"],
6815
+ destinations: [
6816
+ {
6817
+ kind: "vercel",
6818
+ target: system.vercelProjectName,
6819
+ environmentPolicy: "preprod_staging_prod_prod"
6820
+ }
6821
+ ],
6822
+ description: "Lucern graph public tenant label used by the standalone graph explorer."
6823
+ }
6824
+ ];
6825
+ }
6826
+ if (system.id === "stack-eng") {
6827
+ return [
6828
+ {
6829
+ id: "tenant.stack-eng.public.tenant-id",
6830
+ canonicalName: "NEXT_PUBLIC_STACKOS_ENGINEERING_GRAPH_TENANT_ID",
6831
+ owner: "tenant",
6832
+ scope: "workspace",
6833
+ sourcePath: system.sharedSourcePath,
6834
+ environmentPolicy: "environment_specific",
6835
+ required: false,
6836
+ secret: false,
6837
+ public: true,
6838
+ consumers: ["tenant-vercel-app"],
6839
+ destinations: [
6840
+ {
6841
+ kind: "vercel",
6842
+ target: system.vercelProjectName,
6843
+ environmentPolicy: "preprod_staging_prod_prod"
6844
+ }
6845
+ ],
6846
+ description: "Stack engineering graph public tenant id used by the graph explorer."
6847
+ },
6848
+ {
6849
+ id: "tenant.stack-eng.public.tenant-label",
6850
+ canonicalName: "NEXT_PUBLIC_STACKOS_ENGINEERING_GRAPH_TENANT_LABEL",
6851
+ owner: "tenant",
6852
+ scope: "workspace",
6853
+ sourcePath: system.sharedSourcePath,
6854
+ environmentPolicy: "environment_specific",
6855
+ required: false,
6856
+ secret: false,
6857
+ public: true,
6858
+ consumers: ["tenant-vercel-app"],
6859
+ destinations: [
6860
+ {
6861
+ kind: "vercel",
6862
+ target: system.vercelProjectName,
6863
+ environmentPolicy: "preprod_staging_prod_prod"
6864
+ }
6865
+ ],
6866
+ description: "Stack engineering graph public tenant label used by the graph explorer."
6867
+ },
6868
+ {
6869
+ id: "tenant.stack-eng.public.environment",
6870
+ canonicalName: "NEXT_PUBLIC_STACKOS_ENGINEERING_GRAPH_ENV",
6871
+ owner: "tenant",
6872
+ scope: "workspace",
6873
+ sourcePath: system.sharedSourcePath,
6874
+ environmentPolicy: "environment_specific",
6875
+ required: false,
6876
+ secret: false,
6877
+ public: true,
6878
+ consumers: ["tenant-vercel-app"],
6879
+ destinations: [
6880
+ {
6881
+ kind: "vercel",
6882
+ target: system.vercelProjectName,
6883
+ environmentPolicy: "preprod_staging_prod_prod"
6884
+ }
6885
+ ],
6886
+ description: "Stack engineering graph public environment label used by the graph explorer."
6887
+ }
6888
+ ];
6889
+ }
6890
+ return [];
6891
+ }
5148
6892
  );
6893
+ INFISICAL_TENANT_SOFTWARE_SYSTEMS.flatMap((system) => [
6894
+ {
6895
+ id: `tenant.${system.id}.convex.url`,
6896
+ canonicalName: system.convex.urlEnv,
6897
+ aliases: tenantConvexUrlAliases(system),
6898
+ owner: "tenant",
6899
+ scope: "software_system",
6900
+ sourcePath: system.sharedSourcePath,
6901
+ environmentPolicy: "preprod_staging_prod_prod",
6902
+ required: true,
6903
+ secret: false,
6904
+ public: false,
6905
+ consumers: [
6906
+ "tenant-vercel-app",
6907
+ "tenant-agent-runtime",
6908
+ "mc-operator-tooling"
6909
+ ],
6910
+ destinations: [
6911
+ {
6912
+ kind: "vercel",
6913
+ target: system.vercelProjectName,
6914
+ environmentPolicy: "preprod_staging_prod_prod",
6915
+ writeNames: tenantVercelConvexUrlWriteNames(system)
6916
+ },
6917
+ {
6918
+ kind: "github_actions",
6919
+ target: `${system.repository.owner}/${system.repository.name}`,
6920
+ environmentPolicy: "preprod_staging_prod_prod",
6921
+ writeNames: tenantRepositoryConvexUrlWriteNames(system),
6922
+ notes: "Only if that repository deploy/test workflow owns this software system."
6923
+ }
6924
+ ],
6925
+ description: `${system.tenantKey}/${system.workspaceKey} Convex URL. Pre-prod resolves to ${system.convex.preprodDeployment}; prod resolves to ${system.convex.prodDeployment}.`
6926
+ },
6927
+ {
6928
+ id: `tenant.${system.id}.convex.deploy-key`,
6929
+ canonicalName: system.convex.deployKeyEnv,
6930
+ aliases: tenantConvexDeployKeyAliases(system),
6931
+ owner: "tenant",
6932
+ scope: "software_system",
6933
+ sourcePath: system.sharedSourcePath,
6934
+ environmentPolicy: "preprod_staging_prod_prod",
6935
+ required: true,
6936
+ secret: true,
6937
+ public: false,
6938
+ consumers: [
6939
+ "tenant-vercel-app",
6940
+ "tenant-agent-runtime",
6941
+ "mc-operator-tooling"
6942
+ ],
6943
+ destinations: [
6944
+ {
6945
+ kind: "vercel",
6946
+ target: system.vercelProjectName,
6947
+ environmentPolicy: "preprod_staging_prod_prod"
6948
+ },
6949
+ {
6950
+ kind: "github_actions",
6951
+ target: `${system.repository.owner}/${system.repository.name}`,
6952
+ environmentPolicy: "preprod_staging_prod_prod",
6953
+ writeNames: tenantRepositoryConvexDeployKeyWriteNames(system),
6954
+ notes: "Only if that repository deploy/test workflow owns this software system."
6955
+ }
6956
+ ],
6957
+ description: `${system.tenantKey}/${system.workspaceKey} Convex deploy/admin key. Never route to sibling workspaces.`
6958
+ }
6959
+ ]);
5149
6960
  z.object({
5150
6961
  manifestVersion: z.literal("1.0.0"),
5151
6962
  rules: z.array(
@@ -5186,7 +6997,7 @@ var createEvidenceInputSchemaBase = z.object({
5186
6997
  targetId: z.string().optional(),
5187
6998
  targetNodeId: z.string().optional(),
5188
6999
  linkedBeliefNodeId: z.string().optional(),
5189
- evidenceRelation: z.enum(["supports", "contradicts", "neutral"]).optional(),
7000
+ evidenceRelation: z.enum(["supports", "contradicts"]).optional(),
5190
7001
  confidence: z.number().optional(),
5191
7002
  weight: z.number().optional(),
5192
7003
  reasoning: z.string().optional(),
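Review bot: The narrowed `evidenceRelation` enum now rejects `"neutral"` outright, so a caller that still sends it gets a validation error instead of a stored relation; the same narrowing is made in the `createEvidenceProjection` validator in the next hunk. Nothing on the field tells a tool caller which values remain, so I would attach that to the schema, e.g. `evidenceRelation: z.enum(["supports", "contradicts"]).optional().describe("supports | contradicts; \"neutral\" is no longer accepted"),`. Whether already-stored records carry `neutral` cannot be seen from this hunk and is worth checking before release. The schema object starts and ends outside the hunk.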
@@ -5271,8 +7082,7 @@ var createEvidenceProjection = defineProjection({
5271
7082
  evidenceRelation: v.optional(
5272
7083
  v.union(
5273
7084
  v.literal("supports"),
5274
- v.literal("contradicts"),
5275
- v.literal("neutral")
7085
+ v.literal("contradicts")
5276
7086
  )
5277
7087
  ),
5278
7088
  confidence: v.optional(v.number()),
@@ -5321,12 +7131,17 @@ var listBeliefsProjection = defineProjection({
5321
7131
  });
5322
7132
  var taskStatusSchema = z.enum(["todo", "in_progress", "blocked", "done"]).optional().describe("Filter by task status");
5323
7133
  var listTasksInputSchema = z.object({
5324
- topicId: z.string().describe("Topic scope"),
7134
+ topicId: z.string().optional().describe("Topic scope"),
5325
7135
  worktreeId: z.string().optional().describe("Alias for linkedWorktreeId"),
5326
7136
  linkedWorktreeId: z.string().optional().describe("Filter to tasks linked to this worktree"),
5327
7137
  status: taskStatusSchema,
5328
7138
  limit: z.number().optional().describe("Maximum results")
5329
- });
7139
+ }).refine(
7140
+ (input) => Boolean(input.topicId || input.worktreeId || input.linkedWorktreeId),
7141
+ {
7142
+ message: "topicId or worktreeId is required"
7143
+ }
7144
+ );
5330
7145
  function compactRecord3(input) {
5331
7146
  return Object.fromEntries(
5332
7147
  Object.entries(input).filter(([, value]) => value !== void 0)
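Review bot: The refine message on `listTasksInputSchema` reads `topicId or worktreeId is required`, but the predicate also accepts `linkedWorktreeId`, so the error a caller sees does not match the rule being enforced; `message: "topicId, worktreeId or linkedWorktreeId is required"` would. The predicate tests truthiness, so an empty string counts as missing, which looks intended but deserves a one-line comment. `.refine()` also changes the schema from a ZodObject to a ZodEffects, so any code that reads the object shape directly (for example `getObjectShape`, called later in this file with its body out of view) has to unwrap it first; please confirm that path still works for this contract.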
@@ -5343,7 +7158,7 @@ var listTasksProjection = defineProjection({
5343
7158
  linkedWorktreeId: input.linkedWorktreeId ?? input.worktreeId
5344
7159
  }),
5345
7160
  convexArgsValidator: v.object({
5346
- topicId: v.string(),
7161
+ topicId: v.optional(v.string()),
5347
7162
  status: v.optional(
5348
7163
  v.union(
5349
7164
  v.literal("todo"),
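Review bot: With `topicId: v.optional(v.string())` the Convex argument validator accepts a call that carries neither `topicId` nor `linkedWorktreeId`, and the at-least-one rule exists only in the zod `.refine()` on `listTasksInputSchema`. If the Convex function can be reached without passing through that schema, such a call would run with no topic or worktree scope; the handler is outside this hunk, so this is unconfirmed. I would repeat the check server-side, e.g. `if (!args.topicId && !args.linkedWorktreeId) throw new Error("topicId or linkedWorktreeId is required");` at the top of the handler, and confirm that results stay bounded by the caller's tenant and workspace. The validator object continues past the end of the hunk.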
@@ -6416,7 +8231,7 @@ var CREATE_EDGE = {
6416
8231
  reasoningMethod: {
6417
8232
  type: "string",
6418
8233
  description: "How this was determined",
6419
- enum: ["deductive", "inductive", "abductive", "analogical", "empirical"]
8234
+ enum: [...REASONING_METHODS]
6420
8235
  },
6421
8236
  metadata: {
6422
8237
  type: "object",
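Review bot: Replacing the literal list with `[...REASONING_METHODS]` drops `"empirical"` from the `reasoningMethod` enum of `CREATE_EDGE`, because the shared list introduced earlier in this diff does not contain it, while six new values are added. A client that still sends `empirical` will now fail schema validation, and the field description gives no hint of that. I would say so in the field text, e.g. `description: "How this was determined (\"empirical\" is no longer accepted)",`, or keep accepting the old value for one release. The `CREATE_EDGE` definition starts and ends outside the hunk.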
@@ -8143,6 +9958,10 @@ var CREATE_TASK = {
8143
9958
  tags: {
8144
9959
  type: "array",
8145
9960
  description: "Free-form string tags"
9961
+ },
9962
+ metadata: {
9963
+ type: "object",
9964
+ description: "Structured task metadata for handoff context and routing hints"
8146
9965
  }
8147
9966
  },
8148
9967
  required: ["title"],
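Review bot: The new `metadata` parameter on `CREATE_TASK` is declared as a bare `object` with no properties, size bound or nesting limit, yet its description says it carries routing hints; `UPDATE_TASK` gains the same field in the next hunk. The value comes from whoever calls the tool, so anything downstream that routes or authorises on it should validate the keys it reads rather than trust the object, and the stored size should be capped; the handlers are not visible here, so this may already be done. At minimum the schema text should state the contract, e.g. `description: "Caller-supplied task metadata (handoff context, routing hints); not trusted for access decisions"`. For `UPDATE_TASK`, "replace or refine" leaves open whether the stored object is overwritten or merged, and that should be stated explicitly.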
@@ -8216,6 +10035,10 @@ var UPDATE_TASK = {
8216
10035
  type: "string",
8217
10036
  description: "Updated status",
8218
10037
  enum: ["todo", "in_progress", "blocked", "done"]
10038
+ },
10039
+ metadata: {
10040
+ type: "object",
10041
+ description: "Structured task metadata to replace or refine"
8219
10042
  }
8220
10043
  },
8221
10044
  required: ["taskId"],
@@ -9671,6 +11494,9 @@ var BEGIN_BUILD_SESSION = {
9671
11494
  sessionMode: "string \u2014 async | interactive",
9672
11495
  targetBeliefIds: "array \u2014 scoped belief IDs",
9673
11496
  targetQuestionIds: "array \u2014 scoped question IDs",
11497
+ taskIds: "array \u2014 assigned task IDs for this worktree",
11498
+ incompleteTaskIds: "array \u2014 assigned task IDs that still require done/deferred/blocked proof",
11499
+ tasks: "array \u2014 assigned task packet with id, title, status, priority, links, and summaries",
9674
11500
  topBeliefs: "array \u2014 highest-confidence scoped beliefs",
9675
11501
  openQuestions: "array \u2014 open scoped questions",
9676
11502
  resolvedDecisions: "array \u2014 answered questions summarized for the session",
@@ -10271,12 +12097,20 @@ function unwrapMcpParameterSchema(schema) {
10271
12097
  current = current._def.schema;
10272
12098
  continue;
10273
12099
  default:
10274
- return { schema: current, required, description: description ?? current.description };
12100
+ return {
12101
+ schema: current,
12102
+ required,
12103
+ description: description ?? current.description
12104
+ };
10275
12105
  }
10276
12106
  }
10277
12107
  }
10278
12108
  function mcpParameterFromZod(fieldName, schema, contractName) {
10279
- const { schema: unwrapped, required, description: schemaDescription } = unwrapMcpParameterSchema(schema);
12109
+ const {
12110
+ schema: unwrapped,
12111
+ required,
12112
+ description: schemaDescription
12113
+ } = unwrapMcpParameterSchema(schema);
10280
12114
  const description = schemaDescription ?? unwrapped.description ?? fieldName;
10281
12115
  switch (unwrapped._def.typeName) {
10282
12116
  case z.ZodFirstPartyTypeKind.ZodString:
@@ -10321,10 +12155,12 @@ function mcpContractFromArgsSchema(base, args, contractName) {
10321
12155
  const entries2 = Object.entries(getObjectShape(args)).sort(
10322
12156
  ([left], [right]) => left.localeCompare(right)
10323
12157
  );
10324
- const converted = entries2.map(([fieldName, schema]) => [
10325
- fieldName,
10326
- mcpParameterFromZod(fieldName, schema, contractName)
10327
- ]);
12158
+ const converted = entries2.map(
12159
+ ([fieldName, schema]) => [
12160
+ fieldName,
12161
+ mcpParameterFromZod(fieldName, schema, contractName)
12162
+ ]
12163
+ );
10328
12164
  return {
10329
12165
  ...base,
10330
12166
  parameters: Object.fromEntries(
@@ -10436,6 +12272,7 @@ function surfaceContract(args) {
10436
12272
  allowedPrincipalTypes: ["user", "service", "agent"]
10437
12273
  },
10438
12274
  convex: args.convex,
12275
+ gateway: args.gateway,
10439
12276
  args: canonicalArgs,
10440
12277
  returns: canonicalReturns,
10441
12278
  input,
@@ -10922,7 +12759,7 @@ var beliefsContracts = [
10922
12759
  })
10923
12760
  ];
10924
12761
  var jsonRecordSchema4 = z.record(z.unknown());
10925
- var evidenceRelationSchema = z.enum(["supports", "contradicts", "neutral"]);
12762
+ var evidenceRelationSchema = z.enum(["supports", "contradicts"]);
10926
12763
  var createEvidenceArgs = z.object({
10927
12764
  topicId: z.string().optional().describe("Topic scope for the evidence."),
10928
12765
  text: z.string().describe("Canonical evidence text."),
@@ -12845,7 +14682,8 @@ var createTaskArgs = z.object({
12845
14682
  linkedQuestionId: z.string().optional().describe("Question this task addresses."),
12846
14683
  assigneeId: z.string().optional().describe("Principal assigned to the task."),
12847
14684
  dueDate: z.number().optional().describe("Due date as epoch milliseconds."),
12848
- tags: z.array(z.string()).optional().describe("Free-form tags.")
14685
+ tags: z.array(z.string()).optional().describe("Free-form tags."),
14686
+ metadata: z.record(z.unknown()).optional().describe("Structured task metadata for handoff context and routing hints.")
12849
14687
  });
12850
14688
  var createTaskInput = (input) => compactRecord4({
12851
14689
  title: input.title,
@@ -12859,7 +14697,8 @@ var createTaskInput = (input) => compactRecord4({
12859
14697
  linkedQuestionId: input.linkedQuestionId,
12860
14698
  assigneeId: input.assigneeId,
12861
14699
  dueDate: input.dueDate,
12862
- tags: input.tags
14700
+ tags: input.tags,
14701
+ metadata: input.metadata
12863
14702
  });
12864
14703
  var taskInput = (input) => compactRecord4({
12865
14704
  ...input,
@@ -12876,8 +14715,7 @@ var taskTopicInput = (input) => {
12876
14715
  };
12877
14716
  var completeTaskInput = (input) => compactRecord4({
12878
14717
  taskId: input.taskId ?? input.id,
12879
- outputSummary: input.outputSummary ?? input.summary,
12880
- userId: input.userId
14718
+ outputSummary: input.outputSummary ?? input.summary
12881
14719
  });
12882
14720
  var tasksContracts = [
12883
14721
  surfaceContract({
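Review bot: `completeTaskInput` no longer forwards `userId`, but `taskInput` just above it still spreads the whole object (`...input`), so a caller-chosen `userId` may still reach `update`. The body of `taskInput` continues outside the hunk, so this needs confirming. The failure-log query projection in `codingContracts` also still passes `userId: input.userId`. If the acting principal is meant to come only from the authenticated context, strip the field in those projections too, for example `const { userId, ...rest } = input;` before building the record. A one-line comment on `completeTaskInput` stating why `userId` is not projected would keep it from being re-added.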
@@ -12895,6 +14733,7 @@ var tasksContracts = [
12895
14733
  kind: "mutation",
12896
14734
  inputProjection: createTaskInput
12897
14735
  },
14736
+ gateway: { handler: "tasks.create" },
12898
14737
  args: createTaskArgs
12899
14738
  }),
12900
14739
  surfaceContract({
@@ -12913,6 +14752,7 @@ var tasksContracts = [
12913
14752
  kind: "query",
12914
14753
  inputProjection: taskTopicInput
12915
14754
  },
14755
+ gateway: { handler: "tasks.list" },
12916
14756
  args: listTasksInputSchema
12917
14757
  }),
12918
14758
  surfaceContract({
@@ -12930,7 +14770,8 @@ var tasksContracts = [
12930
14770
  functionName: "update",
12931
14771
  kind: "mutation",
12932
14772
  inputProjection: taskInput
12933
- }
14773
+ },
14774
+ gateway: { handler: "tasks.update" }
12934
14775
  }),
12935
14776
  surfaceContract({
12936
14777
  name: "complete_task",
@@ -12946,12 +14787,14 @@ var tasksContracts = [
12946
14787
  functionName: "complete",
12947
14788
  kind: "mutation",
12948
14789
  inputProjection: completeTaskInput
12949
- }
14790
+ },
14791
+ gateway: { handler: "tasks.complete" }
12950
14792
  })
12951
14793
  ];
12952
14794
  var CREATE_EDGE_TYPES = edgePolicyManifest.policies.map(
12953
14795
  (policy) => policy.edgeType
12954
14796
  );
14797
+ var REASONING_METHOD_TYPES = [...REASONING_METHODS];
12955
14798
  var createEdgeArgs = z.object({
12956
14799
  from: GraphRefSchema,
12957
14800
  to: GraphRefSchema,
@@ -12961,6 +14804,7 @@ var createEdgeArgs = z.object({
12961
14804
  confidence: z.number().optional(),
12962
14805
  context: z.string().optional(),
12963
14806
  reasoning: z.string().optional(),
14807
+ reasoningMethod: z.enum(REASONING_METHOD_TYPES).optional(),
12964
14808
  derivationType: z.string().optional(),
12965
14809
  metadata: z.record(z.unknown()).optional(),
12966
14810
  topicId: z.string().optional(),
@@ -13039,6 +14883,7 @@ var edgesContracts = [
13039
14883
  weight: parsed.weight,
13040
14884
  confidence: parsed.confidence,
13041
14885
  context: parsed.context ?? parsed.reasoning,
14886
+ reasoningMethod: parsed.reasoningMethod,
13042
14887
  derivationType: parsed.derivationType,
13043
14888
  metadata: parsed.metadata,
13044
14889
  skipLayerValidation: true,
@@ -13163,6 +15008,7 @@ var edgesContracts = [
13163
15008
  weight: edge.weight,
13164
15009
  confidence: edge.confidence,
13165
15010
  context: edge.context ?? edge.reasoning,
15011
+ reasoningMethod: edge.reasoningMethod,
13166
15012
  derivationType: edge.derivationType,
13167
15013
  metadata: edge.metadata,
13168
15014
  topicId: edge.topicId
@@ -13897,6 +15743,69 @@ var pipelineContracts = [
13897
15743
  }
13898
15744
  })
13899
15745
  ];
15746
+ function isRecord4(value) {
15747
+ return Boolean(value) && typeof value === "object" && !Array.isArray(value);
15748
+ }
15749
+ function stringValues(value) {
15750
+ if (typeof value === "string") {
15751
+ return [value];
15752
+ }
15753
+ if (Array.isArray(value)) {
15754
+ return value.flatMap((item) => stringValues(item));
15755
+ }
15756
+ return [];
15757
+ }
15758
+ function nestedEvidenceRows(value) {
15759
+ if (Array.isArray(value)) {
15760
+ return value.flatMap((item) => nestedEvidenceRows(item));
15761
+ }
15762
+ if (!isRecord4(value)) {
15763
+ return [];
15764
+ }
15765
+ const nestedKeys = ["evidence", "items", "nodes"];
15766
+ const nestedRows = nestedKeys.flatMap((key) => nestedEvidenceRows(value[key]));
15767
+ return nestedRows.length > 0 ? nestedRows : [value];
15768
+ }
15769
+ function isFailedAttemptRow(row) {
15770
+ const metadata = isRecord4(row.metadata) ? row.metadata : null;
15771
+ return metadata?.failedApproach === true || metadata?.isFailedAttempt === true;
15772
+ }
15773
+ function failureLogSearchFields(row) {
15774
+ const metadata = isRecord4(row.metadata) ? row.metadata : null;
15775
+ return [
15776
+ ...stringValues(row.id),
15777
+ ...stringValues(row._id),
15778
+ ...stringValues(row.title),
15779
+ ...stringValues(row.text),
15780
+ ...stringValues(row.canonicalText),
15781
+ ...stringValues(row.content),
15782
+ ...stringValues(metadata?.codeAnchor),
15783
+ ...stringValues(metadata?.codeAnchors),
15784
+ ...stringValues(metadata?.anchor),
15785
+ ...stringValues(metadata?.anchors),
15786
+ ...stringValues(metadata?.filePath),
15787
+ ...stringValues(metadata?.filePaths),
15788
+ ...stringValues(metadata?.path),
15789
+ ...stringValues(metadata?.paths),
15790
+ ...stringValues(metadata?.sourceRef),
15791
+ ...stringValues(metadata?.touchedPaths)
15792
+ ];
15793
+ }
15794
+ function projectFailureLog(output, input) {
15795
+ const rawQuery = typeof input.query === "string" && input.query.trim().length > 0 ? input.query.trim() : void 0;
15796
+ const searchKey = rawQuery?.toLowerCase();
15797
+ const failures = nestedEvidenceRows(output).filter((row) => isFailedAttemptRow(row)).filter(
15798
+ (row) => !searchKey ? true : failureLogSearchFields(row).some(
15799
+ (field) => field.toLowerCase().includes(searchKey)
15800
+ )
15801
+ );
15802
+ return {
15803
+ query: rawQuery,
15804
+ failures,
15805
+ totalFound: failures.length,
15806
+ showing: failures.length
15807
+ };
15808
+ }
13900
15809
  var recordScopeLearningArgs = z.object({
13901
15810
  topicId: z.string().optional().describe("Topic scope ID"),
13902
15811
  summary: z.string().describe("Atomic learning statement"),
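Review bot: `projectFailureLog` filters and counts only the rows the backend already returned, so `totalFound` always equals `showing`. Because the request projection also sends `limit: input.limit`, a `query` can miss matching failures that fell outside that limit. The function also keeps only rows whose `metadata.failedApproach` or `metadata.isFailedAttempt` is `true`, so attempts stored before `attemptInput` wrote those flags drop out of the log unless they are backfilled, which this diff does not show. Both flags live in free-form metadata, so the filter is a display convention rather than a trust boundary. I would either remove `totalFound` or document it with `// counts the filtered page only, not all stored failures`, and add a short JSDoc to each helper naming the shapes of `output` it accepts.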
@@ -13986,6 +15895,8 @@ var attemptInput = (input, context) => withUserId(
13986
15895
  tags: ["code_attempt"],
13987
15896
  metadata: compactRecord4({
13988
15897
  ...recordValue2(input.metadata),
15898
+ failedApproach: true,
15899
+ isFailedAttempt: true,
13989
15900
  filePaths: input.filePaths,
13990
15901
  filePath: input.filePath,
13991
15902
  errorMessage: input.errorMessage,
@@ -14116,7 +16027,8 @@ var codingContracts = [
14116
16027
  limit: input.limit,
14117
16028
  status: input.status,
14118
16029
  userId: input.userId
14119
- })
16030
+ }),
16031
+ outputProjection: (output, input) => projectFailureLog(output, input)
14120
16032
  }
14121
16033
  })
14122
16034
  ];
@@ -14578,14 +16490,14 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
14578
16490
  description: "Worktrees are tenant/runtime planning data."
14579
16491
  },
14580
16492
  {
14581
- component: "identity",
16493
+ component: "control-plane",
14582
16494
  table: "agents",
14583
16495
  prepopulation: "runtime_bootstrap",
14584
16496
  copyMode: "none",
14585
16497
  description: "Service agents are provisioned per tenant or service, not copied."
14586
16498
  },
14587
16499
  {
14588
- component: "identity",
16500
+ component: "control-plane",
14589
16501
  table: "mcpWritePolicy",
14590
16502
  prepopulation: "required_template",
14591
16503
  copyMode: "template_global",
@@ -14594,14 +16506,14 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
14594
16506
  description: "Global write policy defaults govern service and interactive MCP writes."
14595
16507
  },
14596
16508
  {
14597
- component: "identity",
16509
+ component: "control-plane",
14598
16510
  table: "modelCallLogs",
14599
16511
  prepopulation: "runtime_log",
14600
16512
  copyMode: "none",
14601
16513
  description: "Model call logs are runtime telemetry."
14602
16514
  },
14603
16515
  {
14604
- component: "identity",
16516
+ component: "control-plane",
14605
16517
  table: "modelFunctionSlots",
14606
16518
  prepopulation: "required_template",
14607
16519
  copyMode: "template_global",
@@ -14610,7 +16522,7 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
14610
16522
  description: "Function-to-model slots are required by model runtime resolution."
14611
16523
  },
14612
16524
  {
14613
- component: "identity",
16525
+ component: "control-plane",
14614
16526
  table: "modelRegistry",
14615
16527
  prepopulation: "required_template",
14616
16528
  copyMode: "template_global",
@@ -14619,7 +16531,7 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
14619
16531
  description: "Model catalog defaults are required by model runtime clients."
14620
16532
  },
14621
16533
  {
14622
- component: "identity",
16534
+ component: "control-plane",
14623
16535
  table: "modelSlotConfigs",
14624
16536
  prepopulation: "required_template",
14625
16537
  copyMode: "template_global",
@@ -14628,14 +16540,105 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
14628
16540
  description: "Slot-level defaults are required before tenant overrides exist."
14629
16541
  },
14630
16542
  {
14631
- component: "identity",
16543
+ component: "control-plane",
16544
+ table: "permitAccessReviewItems",
16545
+ prepopulation: "runtime_data",
16546
+ copyMode: "none",
16547
+ description: "Permit access-review item rows are tenant review data projected from Permit."
16548
+ },
16549
+ {
16550
+ component: "control-plane",
16551
+ table: "permitAccessReviews",
16552
+ prepopulation: "runtime_data",
16553
+ copyMode: "none",
16554
+ description: "Permit access-review campaigns are tenant review data projected from Permit."
16555
+ },
16556
+ {
16557
+ component: "control-plane",
16558
+ table: "permitAttributeBindings",
16559
+ prepopulation: "runtime_data",
16560
+ copyMode: "none",
16561
+ description: "Permit ABAC attribute bindings are tenant policy projection rows."
16562
+ },
16563
+ {
16564
+ component: "control-plane",
16565
+ table: "permitGroups",
16566
+ prepopulation: "runtime_data",
16567
+ copyMode: "none",
16568
+ description: "Permit groups are tenant-defined policy subjects, not template data."
16569
+ },
16570
+ {
16571
+ component: "control-plane",
16572
+ table: "permitGroupMemberships",
16573
+ prepopulation: "runtime_data",
16574
+ copyMode: "none",
16575
+ description: "Permit group memberships are tenant-specific policy projection rows."
16576
+ },
16577
+ {
16578
+ component: "control-plane",
16579
+ table: "permitPolicyBundles",
16580
+ prepopulation: "runtime_derived",
16581
+ copyMode: "none",
16582
+ description: "Permit policy bundles are derived from the Permit control plane."
16583
+ },
16584
+ {
16585
+ component: "control-plane",
16586
+ table: "permitPolicyDecisionReceipts",
16587
+ prepopulation: "runtime_log",
16588
+ copyMode: "none",
16589
+ description: "Permit decision receipts are runtime authorization audit logs."
16590
+ },
16591
+ {
16592
+ component: "control-plane",
16593
+ table: "permitPrincipalAliases",
16594
+ prepopulation: "runtime_data",
16595
+ copyMode: "none",
16596
+ description: "Permit principal aliases are tenant-specific identity projection rows."
16597
+ },
16598
+ {
16599
+ component: "control-plane",
16600
+ table: "permitPrincipals",
16601
+ prepopulation: "runtime_data",
16602
+ copyMode: "none",
16603
+ description: "Permit principals are projected from Clerk, Permit, and tenant onboarding flows."
16604
+ },
16605
+ {
16606
+ component: "control-plane",
16607
+ table: "permitProjectionOutbox",
16608
+ prepopulation: "runtime_queue",
16609
+ copyMode: "none",
16610
+ description: "Permit projection outbox rows are runtime sync queue data."
16611
+ },
16612
+ {
16613
+ component: "control-plane",
16614
+ table: "permitRelationshipTuples",
16615
+ prepopulation: "runtime_data",
16616
+ copyMode: "none",
16617
+ description: "Permit ReBAC relationship tuples are tenant policy projection rows."
16618
+ },
16619
+ {
16620
+ component: "control-plane",
16621
+ table: "permitResourceInstances",
16622
+ prepopulation: "runtime_data",
16623
+ copyMode: "none",
16624
+ description: "Permit resource instances are tenant/workspace graph and deployment projection rows."
16625
+ },
16626
+ {
16627
+ component: "control-plane",
16628
+ table: "permitRoleAssignments",
16629
+ prepopulation: "runtime_data",
16630
+ copyMode: "none",
16631
+ description: "Permit role assignments are tenant-specific policy projection rows."
16632
+ },
16633
+ {
16634
+ component: "control-plane",
14632
16635
  table: "platformAudienceGrants",
14633
16636
  prepopulation: "runtime_data",
14634
16637
  copyMode: "none",
14635
16638
  description: "Audience grants are principal/group-specific access rows."
14636
16639
  },
14637
16640
  {
14638
- component: "identity",
16641
+ component: "control-plane",
14639
16642
  table: "platformAudiences",
14640
16643
  prepopulation: "required_template",
14641
16644
  copyMode: "template_tenant_rewrite",
@@ -14644,35 +16647,35 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
14644
16647
  description: "Default tenant audience taxonomy rows are rewritten into each tenant."
14645
16648
  },
14646
16649
  {
14647
- component: "identity",
16650
+ component: "control-plane",
14648
16651
  table: "platformPolicyDecisionLogs",
14649
16652
  prepopulation: "runtime_log",
14650
16653
  copyMode: "none",
14651
16654
  description: "Policy decisions are runtime audit logs."
14652
16655
  },
14653
16656
  {
14654
- component: "identity",
16657
+ component: "control-plane",
14655
16658
  table: "projectGrants",
14656
16659
  prepopulation: "runtime_data",
14657
16660
  copyMode: "none",
14658
16661
  description: "Project/topic grants are principal or group-specific access rows."
14659
16662
  },
14660
16663
  {
14661
- component: "identity",
16664
+ component: "control-plane",
14662
16665
  table: "reasoningPermissions",
14663
16666
  prepopulation: "runtime_data",
14664
16667
  copyMode: "none",
14665
16668
  description: "Reasoning permissions are principal-specific policy rows."
14666
16669
  },
14667
16670
  {
14668
- component: "identity",
16671
+ component: "control-plane",
14669
16672
  table: "tenantApiKeys",
14670
16673
  prepopulation: "runtime_secret",
14671
16674
  copyMode: "none",
14672
16675
  description: "API keys are tenant credentials and must never be copied."
14673
16676
  },
14674
16677
  {
14675
- component: "identity",
16678
+ component: "control-plane",
14676
16679
  table: "tenantConfig",
14677
16680
  prepopulation: "required_template",
14678
16681
  copyMode: "template_tenant_rewrite",
@@ -14681,7 +16684,7 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
14681
16684
  description: "Tenant-local config defaults are rewritten during bootstrap."
14682
16685
  },
14683
16686
  {
14684
- component: "identity",
16687
+ component: "control-plane",
14685
16688
  table: "tenantIntegrations",
14686
16689
  prepopulation: "required_template",
14687
16690
  copyMode: "template_tenant_rewrite",
@@ -14690,14 +16693,21 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
14690
16693
  description: "Non-secret integration descriptors are rewritten into each tenant."
14691
16694
  },
14692
16695
  {
14693
- component: "identity",
16696
+ component: "control-plane",
14694
16697
  table: "tenantModelSlotBindings",
14695
16698
  prepopulation: "runtime_secret",
14696
16699
  copyMode: "none",
14697
16700
  description: "Tenant model slot bindings reference provider secrets and are runtime-only."
14698
16701
  },
14699
16702
  {
14700
- component: "identity",
16703
+ component: "control-plane",
16704
+ table: "tenantPermitSyncStates",
16705
+ prepopulation: "runtime_derived",
16706
+ copyMode: "none",
16707
+ description: "Tenant Permit sync state rows are runtime reconciliation state."
16708
+ },
16709
+ {
16710
+ component: "control-plane",
14701
16711
  table: "tenantPolicies",
14702
16712
  prepopulation: "required_template",
14703
16713
  copyMode: "template_tenant_rewrite",
@@ -14706,42 +16716,42 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
14706
16716
  description: "Default tenant policy roles are rewritten during bootstrap."
14707
16717
  },
14708
16718
  {
14709
- component: "identity",
16719
+ component: "control-plane",
14710
16720
  table: "tenantProviderSecrets",
14711
16721
  prepopulation: "runtime_secret",
14712
16722
  copyMode: "none",
14713
16723
  description: "Provider secrets are credentials and must never be copied."
14714
16724
  },
14715
16725
  {
14716
- component: "identity",
16726
+ component: "control-plane",
14717
16727
  table: "tenantProxyGatewayUsage",
14718
16728
  prepopulation: "runtime_log",
14719
16729
  copyMode: "none",
14720
16730
  description: "Proxy gateway usage rows are runtime telemetry."
14721
16731
  },
14722
16732
  {
14723
- component: "identity",
16733
+ component: "control-plane",
14724
16734
  table: "tenantProxyTokenMints",
14725
16735
  prepopulation: "runtime_secret",
14726
16736
  copyMode: "none",
14727
16737
  description: "Proxy token mints are ephemeral secret-bearing runtime rows."
14728
16738
  },
14729
16739
  {
14730
- component: "identity",
16740
+ component: "control-plane",
14731
16741
  table: "tenantSandboxAuditEvents",
14732
16742
  prepopulation: "runtime_log",
14733
16743
  copyMode: "none",
14734
16744
  description: "Sandbox audit rows are runtime security logs."
14735
16745
  },
14736
16746
  {
14737
- component: "identity",
16747
+ component: "control-plane",
14738
16748
  table: "tenantSecrets",
14739
16749
  prepopulation: "runtime_secret",
14740
16750
  copyMode: "none",
14741
16751
  description: "Tenant secrets are credentials and must never be copied."
14742
16752
  },
14743
16753
  {
14744
- component: "identity",
16754
+ component: "control-plane",
14745
16755
  table: "toolAcls",
14746
16756
  prepopulation: "required_template",
14747
16757
  copyMode: "template_global",
@@ -14750,7 +16760,7 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
14750
16760
  description: "Default role-to-tool grants are required for SDK/MCP tool access."
14751
16761
  },
14752
16762
  {
14753
- component: "identity",
16763
+ component: "control-plane",
14754
16764
  table: "toolRegistry",
14755
16765
  prepopulation: "required_template",
14756
16766
  copyMode: "template_global",
@@ -14759,7 +16769,7 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
14759
16769
  description: "Core tool catalog rows are required before pack or tenant tools exist."
14760
16770
  },
14761
16771
  {
14762
- component: "identity",
16772
+ component: "control-plane",
14763
16773
  table: "users",
14764
16774
  prepopulation: "runtime_bootstrap",
14765
16775
  copyMode: "none",
@@ -15144,11 +17154,11 @@ function readString2(value) {
15144
17154
  function readNullableNumber(value) {
15145
17155
  return typeof value === "number" && Number.isFinite(value) ? value : null;
15146
17156
  }
15147
- function isRecord4(value) {
17157
+ function isRecord5(value) {
15148
17158
  return Boolean(value) && typeof value === "object" && !Array.isArray(value);
15149
17159
  }
15150
17160
  function refreshLucernContextFromBuildSession(payload, args) {
15151
- if (!isRecord4(payload)) {
17161
+ if (!isRecord5(payload)) {
15152
17162
  return;
15153
17163
  }
15154
17164
  const topicId = readString2(payload.topicId);
@@ -15353,7 +17363,8 @@ var edgeHandlers = {
15353
17363
  topicId: readString(args.topicId ?? args.projectId),
15354
17364
  confidence: readNumber(args.confidence),
15355
17365
  weight: readNumber(args.weight),
15356
- context: readString(args.context) ?? readString(args.reasoning)
17366
+ context: readString(args.context) ?? readString(args.reasoning),
17367
+ reasoningMethod: readString(args.reasoningMethod)
15357
17368
  })
15358
17369
  );
15359
17370
  },
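Review bot: `reasoningMethod: readString(args.reasoningMethod)` forwards any string, while the contract in `createEdgeArgs` restricts the same field with `z.enum(REASONING_METHOD_TYPES)`. Unless this handler's `args` are always parsed by that schema first, which the hunk does not show, the two entry points accept different values and an arbitrary label can be stored on an edge. Checking against the shared list keeps them aligned: `const method = readString(args.reasoningMethod);` and then `reasoningMethod: REASONING_METHODS.includes(method) ? method : undefined`. The handler starts and ends outside this hunk.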
@@ -16782,7 +18793,7 @@ function readStringArray2(value) {
16782
18793
  }
16783
18794
  return value.map((entry) => readString3(entry)).filter((entry) => Boolean(entry));
16784
18795
  }
16785
- function isRecord5(value) {
18796
+ function isRecord6(value) {
16786
18797
  return value !== null && typeof value === "object" && !Array.isArray(value);
16787
18798
  }
16788
18799
  function decodePrefixedIdOrNull(value) {
@@ -16797,7 +18808,7 @@ function decodePrefixedIdOrNull(value) {
16797
18808
  };
16798
18809
  }
16799
18810
  function asRecord2(value) {
16800
- return isRecord5(value) ? value : {};
18811
+ return isRecord6(value) ? value : {};
16801
18812
  }
16802
18813
  function normalizeTopicId(value) {
16803
18814
  const normalized = readString3(value);
@@ -17932,7 +19943,7 @@ var researchVerificationHandlers = {
17932
19943
  function cleanString(value) {
17933
19944
  return typeof value === "string" && value.trim().length > 0 ? value.trim() : void 0;
17934
19945
  }
17935
- function isRecord6(value) {
19946
+ function isRecord7(value) {
17936
19947
  return value !== null && typeof value === "object" && !Array.isArray(value);
17937
19948
  }
17938
19949
  function prefixId(prefix, value) {
@@ -17988,7 +19999,7 @@ function toPublicCompiledContext(pack) {
17988
19999
  scopedTopicIds: (pack.scopedTopicIds ?? []).map((id) => prefixId("top", id)),
17989
20000
  generatedAt: pack.generatedAt,
17990
20001
  ranking: pack.rankingProfile,
17991
- summary: isRecord6(pack.summary) ? pack.summary : {},
20002
+ summary: isRecord7(pack.summary) ? pack.summary : {},
17992
20003
  invariants: (pack.invariants ?? []).map((belief) => ({
17993
20004
  beliefId: prefixId("bel", belief.nodeId),
17994
20005
  text: belief.canonicalText,
@@ -18059,7 +20070,7 @@ function toPublicCompiledContext(pack) {
18059
20070
  }))
18060
20071
  } : {}
18061
20072
  },
18062
- diagnostics: isRecord6(pack.diagnostics) ? pack.diagnostics : {},
20073
+ diagnostics: isRecord7(pack.diagnostics) ? pack.diagnostics : {},
18063
20074
  ...pack.compilationMode ? { compilationMode: pack.compilationMode } : {},
18064
20075
  ...pack.failureContext ? {
18065
20076
  failureContext: {
@@ -18567,6 +20578,21 @@ async function checkWritePolicy(toolName, topicId, authCtx) {
18567
20578
  authCtx
18568
20579
  });
18569
20580
  if (!result) {
20581
+ if (authCtx.sessionType === "agent") {
20582
+ return {
20583
+ allowed: false,
20584
+ permission: "deny",
20585
+ toolCategory: null,
20586
+ policy: null,
20587
+ reason: "no_policy_response",
20588
+ explanation: {
20589
+ summary: "Denied because agent write-policy checks fail closed when no policy response is returned.",
20590
+ toolName,
20591
+ role: authCtx.role,
20592
+ topicId
20593
+ }
20594
+ };
20595
+ }
18570
20596
  return {
18571
20597
  allowed: true,
18572
20598
  permission: "allow",
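Review bot: Only sessions with `authCtx.sessionType === "agent"` fail closed here. Every other value, including a missing or misspelled `sessionType`, still falls through to the existing `allowed: true` branch when no policy response comes back. The `catch` hunk that follows has the same structure. Denying by default is the safer shape: return the deny object unless the session type is on an explicit exemption list, for example `if (!FAIL_OPEN_SESSION_TYPES.has(authCtx.sessionType)) { ... }`, where the set name is a placeholder for whatever the project defines. If failing open for non-agent sessions is intentional, a comment above the fallback should say so and name the session types it covers. `checkWritePolicy` continues outside the hunk.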
@@ -18600,6 +20626,33 @@ async function checkWritePolicy(toolName, topicId, authCtx) {
18600
20626
  }
18601
20627
  return result;
18602
20628
  } catch (err) {
20629
+ if (authCtx.sessionType === "agent") {
20630
+ return {
20631
+ allowed: false,
20632
+ permission: "deny",
20633
+ toolCategory: null,
20634
+ policy: null,
20635
+ explanation: {
20636
+ summary: "Denied because agent write-policy checks fail closed on policy evaluation errors.",
20637
+ matchedReasonCode: "WRITE_POLICY_CHECK_ERROR",
20638
+ steps: [
20639
+ {
20640
+ stage: "policy_lookup",
20641
+ outcome: "failed",
20642
+ reasonCode: "WRITE_POLICY_CHECK_ERROR",
20643
+ detail: err instanceof Error ? err.message : "Unknown policy evaluation error."
20644
+ },
20645
+ {
20646
+ stage: "decision",
20647
+ outcome: "failed",
20648
+ reasonCode: "WRITE_POLICY_CHECK_ERROR",
20649
+ detail: "Agent sessions cannot convert a write-policy infrastructure error into an allow."
20650
+ }
20651
+ ]
20652
+ },
20653
+ reason: "policy_check_error"
20654
+ };
20655
+ }
18603
20656
  console.error(
18604
20657
  `[write-policy] Policy check failed for ${toolName}: ${err instanceof Error ? err.message : err}. Allowing (fail-open).`
18605
20658
  );
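Review bot: The agent deny branch returns before the existing `console.error`, so a policy-evaluation failure that blocks an agent write leaves no server-side log line, while the fail-open path does log. The branch also copies `err.message` into `explanation.steps[0].detail`, which is returned to the caller and may expose backend details to the agent. I would move the `console.error` call to the top of the `catch`, ahead of the session-type check, and return a fixed string such as `detail: "Policy evaluation failed."` while keeping the real message in the log. The deny object here also omits the `toolName`, `role` and `topicId` fields that the no-response deny in the previous hunk includes. Giving both the same shape would simplify consumers.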