@lucern/mcp 0.3.0-alpha.10 → 0.3.0-alpha.12
- package/README.md +4 -0
- package/dist/cli.js +5957 -962
- package/dist/cli.js.map +1 -1
- package/dist/gateway.d.ts +17 -1
- package/dist/gateway.js +2949 -674
- package/dist/gateway.js.map +1 -1
- package/dist/hosted-route.js +5955 -960
- package/dist/hosted-route.js.map +1 -1
- package/dist/index.js +6686 -1691
- package/dist/index.js.map +1 -1
- package/dist/runtime.js +2306 -253
- package/dist/runtime.js.map +1 -1
- package/package.json +8 -9
package/dist/runtime.js
CHANGED
|
@@ -232,6 +232,20 @@ var autoBranchingHandlers = {
|
|
|
232
232
|
}
|
|
233
233
|
};
|
|
234
234
|
|
|
235
|
+
// ../contracts/src/types/reasoning-method.ts
|
|
236
|
+
var REASONING_METHODS = [
|
|
237
|
+
"deductive",
|
|
238
|
+
"inductive",
|
|
239
|
+
"abductive",
|
|
240
|
+
"analogical",
|
|
241
|
+
"causal",
|
|
242
|
+
"correlational",
|
|
243
|
+
"testimonial",
|
|
244
|
+
"statistical",
|
|
245
|
+
"implicit",
|
|
246
|
+
"pattern_match"
|
|
247
|
+
];
|
|
248
|
+
|
|
235
249
|
// ../contracts/src/graph-intelligence.contract.ts
|
|
236
250
|
var GRAPH_INTELLIGENCE_MODE_TOOL_NAMES = {
|
|
237
251
|
core: [
|
|
@@ -941,7 +955,7 @@ defineTable({
|
|
|
941
955
|
});
|
|
942
956
|
defineTable({
|
|
943
957
|
name: "agents",
|
|
944
|
-
component: "
|
|
958
|
+
component: "control-plane",
|
|
945
959
|
category: "agent",
|
|
946
960
|
shape: z.object({
|
|
947
961
|
"slug": z.string(),
|
|
@@ -972,6 +986,7 @@ defineTable({
|
|
|
972
986
|
category: "tenant",
|
|
973
987
|
shape: z.object({
|
|
974
988
|
"tenantId": idOf("tenants"),
|
|
989
|
+
"workspaceId": idOf("workspaces").optional(),
|
|
975
990
|
"keyPrefix": z.enum(["luc", "stk"]),
|
|
976
991
|
"keyHash": z.string(),
|
|
977
992
|
"keyHint": z.string(),
|
|
@@ -999,7 +1014,7 @@ defineTable({
|
|
|
999
1014
|
shape: z.object({
|
|
1000
1015
|
"tenantId": idOf("tenants").optional(),
|
|
1001
1016
|
"apiKeyId": idOf("apiKeys").optional(),
|
|
1002
|
-
"action": z.enum(["key_created", "key_revoked", "key_expired", "key_used", "tenant_secret_created", "tenant_secret_rotated", "tenant_secret_revoked", "tenant_slot_binding_upserted", "tenant_slot_binding_revoked", "proxy_token_minted", "proxy_request_recorded", "tenant_created", "tenant_updated", "tenant_suspended", "tenant_archived", "tenant_reactivated", "principal_created", "principal_updated", "principal_suspended", "membership_created", "membership_updated", "membership_revoked", "group_created", "group_updated", "group_deleted", "group_member_added", "group_member_removed", "workspace_created", "workspace_updated", "workspace_archived", "workspace_deployment_set", "workspace_deployment_removed", "service_key_created", "service_key_rotated", "service_key_revoked", "service_key_used", "service_key_auth_failed", "session_created", "session_validated", "session_revoked", "session_cascade_revoked", "session_expired", "sandbox_created", "sandbox_secret_injected", "sandbox_execution_started", "sandbox_execution_completed", "sandbox_limit_violated", "policy_created", "policy_updated", "policy_enforced", "policy_archived", "agent_registered", "agent_updated", "tool_registered", "tool_updated", "pack_entitled", "pack_installed", "pack_enabled", "pack_disabled", "pack_entitlement_revoked", "pack_upgraded", "pack_upgrade_committed", "pack_upgrade_rolled_back", "pack_group_assigned", "pack_group_unassigned", "methodology_pack_created", "methodology_pack_updated", "methodology_pack_assigned", "methodology_pack_removed", "pack_assigned_to_group", "pack_revoked_from_group", "pack_ontology_materialized", "pack_ontology_topic_bound", "cutover_flag_set", "cutover_flag_cleared"]),
|
|
1017
|
+
"action": z.enum(["key_created", "key_revoked", "key_expired", "key_used", "tenant_secret_created", "tenant_secret_rotated", "tenant_secret_revoked", "tenant_slot_binding_upserted", "tenant_slot_binding_revoked", "proxy_token_minted", "proxy_token_lease_issued", "proxy_token_lease_renewed", "proxy_token_lease_revoked", "proxy_request_recorded", "tenant_created", "tenant_updated", "tenant_suspended", "tenant_archived", "tenant_reactivated", "principal_created", "principal_updated", "principal_suspended", "principal_identity_alias_upserted", "principal_identity_alias_revoked", "membership_created", "membership_updated", "membership_revoked", "group_created", "group_updated", "group_deleted", "group_member_added", "group_member_removed", "workspace_created", "workspace_updated", "workspace_archived", "workspace_deployment_set", "workspace_deployment_removed", "deployment_host_registered", "deployment_host_revoked", "service_key_created", "service_key_rotated", "service_key_revoked", "service_key_used", "service_key_auth_failed", "session_created", "session_validated", "session_revoked", "session_cascade_revoked", "session_expired", "sandbox_created", "sandbox_secret_injected", "sandbox_execution_started", "sandbox_execution_completed", "sandbox_limit_violated", "policy_created", "policy_updated", "policy_enforced", "policy_archived", "permit_sync_enqueued", "permit_sync_succeeded", "permit_sync_failed", "permit_sync_skipped", "agent_registered", "agent_updated", "tool_registered", "tool_updated", "pack_entitled", "pack_installed", "pack_enabled", "pack_disabled", "pack_entitlement_revoked", "pack_upgraded", "pack_upgrade_committed", "pack_upgrade_rolled_back", "pack_group_assigned", "pack_group_unassigned", "methodology_pack_created", "methodology_pack_updated", "methodology_pack_assigned", "methodology_pack_removed", "pack_assigned_to_group", "pack_revoked_from_group", "pack_ontology_materialized", "pack_ontology_topic_bound", "cutover_flag_set", 
"cutover_flag_cleared"]),
|
|
1003
1018
|
"actorClerkId": z.string(),
|
|
1004
1019
|
"details": z.any().optional(),
|
|
1005
1020
|
"createdAt": z.number()
|
|
@@ -1878,29 +1893,37 @@ defineTable({
|
|
|
1878
1893
|
component: "mc",
|
|
1879
1894
|
category: "runtime",
|
|
1880
1895
|
shape: z.object({
|
|
1881
|
-
|
|
1882
|
-
|
|
1883
|
-
|
|
1884
|
-
|
|
1885
|
-
|
|
1886
|
-
|
|
1887
|
-
|
|
1888
|
-
|
|
1889
|
-
|
|
1890
|
-
|
|
1891
|
-
|
|
1892
|
-
|
|
1893
|
-
|
|
1896
|
+
shimId: z.string(),
|
|
1897
|
+
gateId: z.string(),
|
|
1898
|
+
removalDate: z.string(),
|
|
1899
|
+
removalPriority: z.enum(["P1", "P2", "P3"]),
|
|
1900
|
+
description: z.string(),
|
|
1901
|
+
owner: z.string(),
|
|
1902
|
+
createdAt: z.string(),
|
|
1903
|
+
status: z.enum(["active", "overdue", "removed"]),
|
|
1904
|
+
bridgeType: z.enum(["tool", "agent"]),
|
|
1905
|
+
bridgeTarget: z.object({
|
|
1906
|
+
type: z.enum(["tool", "agent"]),
|
|
1907
|
+
legacyPath: z.string(),
|
|
1908
|
+
harnessPath: z.string()
|
|
1894
1909
|
}),
|
|
1895
|
-
|
|
1896
|
-
|
|
1897
|
-
|
|
1898
|
-
|
|
1910
|
+
shimBehavior: z.enum([
|
|
1911
|
+
"passthrough_with_logging",
|
|
1912
|
+
"adapter",
|
|
1913
|
+
"feature_flag_gate"
|
|
1914
|
+
]),
|
|
1915
|
+
producesLedgerEntries: z.boolean(),
|
|
1916
|
+
lastAuditedAt: z.number(),
|
|
1917
|
+
metadata: z.record(z.any()).optional()
|
|
1899
1918
|
}),
|
|
1900
1919
|
indices: [
|
|
1901
1920
|
{ kind: "index", name: "by_shimId", columns: ["shimId"] },
|
|
1902
1921
|
{ kind: "index", name: "by_status", columns: ["status"] },
|
|
1903
|
-
{
|
|
1922
|
+
{
|
|
1923
|
+
kind: "index",
|
|
1924
|
+
name: "by_bridgeType_status",
|
|
1925
|
+
columns: ["bridgeType", "status"]
|
|
1926
|
+
}
|
|
1904
1927
|
]
|
|
1905
1928
|
});
|
|
1906
1929
|
defineTable({
|
|
@@ -1908,12 +1931,23 @@ defineTable({
|
|
|
1908
1931
|
component: "mc",
|
|
1909
1932
|
category: "runtime",
|
|
1910
1933
|
shape: z.object({
|
|
1911
|
-
|
|
1912
|
-
|
|
1913
|
-
|
|
1914
|
-
|
|
1915
|
-
|
|
1916
|
-
|
|
1934
|
+
domain: z.enum([
|
|
1935
|
+
"graph",
|
|
1936
|
+
"schema",
|
|
1937
|
+
"identity",
|
|
1938
|
+
"policy",
|
|
1939
|
+
"audit",
|
|
1940
|
+
"admin",
|
|
1941
|
+
"agent",
|
|
1942
|
+
"tool",
|
|
1943
|
+
"prompt",
|
|
1944
|
+
"intelligence"
|
|
1945
|
+
]),
|
|
1946
|
+
state: z.enum(["legacy", "cutover", "disabled"]),
|
|
1947
|
+
metadata: z.record(z.any()).optional(),
|
|
1948
|
+
updatedBy: z.string(),
|
|
1949
|
+
createdAt: z.number(),
|
|
1950
|
+
updatedAt: z.number()
|
|
1917
1951
|
}),
|
|
1918
1952
|
indices: [
|
|
1919
1953
|
{ kind: "index", name: "by_domain", columns: ["domain"] },
|
|
@@ -1925,57 +1959,193 @@ defineTable({
|
|
|
1925
1959
|
component: "mc",
|
|
1926
1960
|
category: "runtime",
|
|
1927
1961
|
shape: z.object({
|
|
1928
|
-
|
|
1929
|
-
|
|
1930
|
-
|
|
1931
|
-
|
|
1932
|
-
|
|
1933
|
-
|
|
1934
|
-
|
|
1935
|
-
|
|
1936
|
-
|
|
1937
|
-
|
|
1938
|
-
|
|
1939
|
-
|
|
1940
|
-
|
|
1941
|
-
|
|
1942
|
-
|
|
1943
|
-
|
|
1944
|
-
|
|
1962
|
+
credentialRef: z.string(),
|
|
1963
|
+
tenantId: idOf("tenants"),
|
|
1964
|
+
workspaceId: idOf("workspaces").optional(),
|
|
1965
|
+
target: z.enum(["kernelDeployment", "appDeployment"]),
|
|
1966
|
+
environment: z.enum(["dev", "staging", "prod"]),
|
|
1967
|
+
encryptedDeployKey: z.string(),
|
|
1968
|
+
encryptionVersion: z.string(),
|
|
1969
|
+
keyFingerprint: z.string(),
|
|
1970
|
+
keyHint: z.string(),
|
|
1971
|
+
status: z.enum(["active", "revoked"]),
|
|
1972
|
+
rotatedFromCredentialRef: z.string().optional(),
|
|
1973
|
+
revokedAt: z.number().optional(),
|
|
1974
|
+
revokedBy: z.string().optional(),
|
|
1975
|
+
lastUsedAt: z.number().optional(),
|
|
1976
|
+
metadata: z.record(z.any()).optional(),
|
|
1977
|
+
createdBy: z.string(),
|
|
1978
|
+
createdAt: z.number(),
|
|
1979
|
+
updatedAt: z.number()
|
|
1945
1980
|
}),
|
|
1946
1981
|
indices: [
|
|
1947
1982
|
{ kind: "index", name: "by_credentialRef", columns: ["credentialRef"] },
|
|
1948
1983
|
{ kind: "index", name: "by_tenantId", columns: ["tenantId"] },
|
|
1949
|
-
{ kind: "index", name: "
|
|
1950
|
-
{
|
|
1951
|
-
|
|
1984
|
+
{ kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
|
|
1985
|
+
{
|
|
1986
|
+
kind: "index",
|
|
1987
|
+
name: "by_tenant_target",
|
|
1988
|
+
columns: ["tenantId", "target"]
|
|
1989
|
+
},
|
|
1990
|
+
{
|
|
1991
|
+
kind: "index",
|
|
1992
|
+
name: "by_tenant_target_environment",
|
|
1993
|
+
columns: ["tenantId", "target", "environment"]
|
|
1994
|
+
},
|
|
1995
|
+
{
|
|
1996
|
+
kind: "index",
|
|
1997
|
+
name: "by_tenant_target_environment_status",
|
|
1998
|
+
columns: ["tenantId", "target", "environment", "status"]
|
|
1999
|
+
},
|
|
2000
|
+
{
|
|
2001
|
+
kind: "index",
|
|
2002
|
+
name: "by_tenant_workspace_target_environment_status",
|
|
2003
|
+
columns: ["tenantId", "workspaceId", "target", "environment", "status"]
|
|
2004
|
+
},
|
|
1952
2005
|
{ kind: "index", name: "by_status", columns: ["status"] }
|
|
1953
2006
|
]
|
|
1954
2007
|
});
|
|
2008
|
+
defineTable({
|
|
2009
|
+
name: "permitSyncStates",
|
|
2010
|
+
component: "mc",
|
|
2011
|
+
category: "runtime",
|
|
2012
|
+
shape: z.object({
|
|
2013
|
+
syncKey: z.string(),
|
|
2014
|
+
objectType: z.enum([
|
|
2015
|
+
"resource",
|
|
2016
|
+
"role",
|
|
2017
|
+
"resource_role",
|
|
2018
|
+
"resource_relation",
|
|
2019
|
+
"tenant",
|
|
2020
|
+
"workspace",
|
|
2021
|
+
"principal",
|
|
2022
|
+
"membership",
|
|
2023
|
+
"group",
|
|
2024
|
+
"resource_instance",
|
|
2025
|
+
"relationship_tuple",
|
|
2026
|
+
"role_assignment"
|
|
2027
|
+
]),
|
|
2028
|
+
objectId: z.string(),
|
|
2029
|
+
tenantId: idOf("tenants").optional(),
|
|
2030
|
+
workspaceId: idOf("workspaces").optional(),
|
|
2031
|
+
principalId: z.string().optional(),
|
|
2032
|
+
permitTenantKey: z.string().optional(),
|
|
2033
|
+
permitResourceType: z.string().optional(),
|
|
2034
|
+
permitResourceKey: z.string().optional(),
|
|
2035
|
+
desiredPayload: z.record(z.any()),
|
|
2036
|
+
lastAppliedPayloadHash: z.string().optional(),
|
|
2037
|
+
status: z.enum(["pending", "synced", "error", "skipped"]),
|
|
2038
|
+
attemptCount: z.number(),
|
|
2039
|
+
lastError: z.string().optional(),
|
|
2040
|
+
nextAttemptAt: z.number().optional(),
|
|
2041
|
+
lastSyncedAt: z.number().optional(),
|
|
2042
|
+
createdBy: z.string(),
|
|
2043
|
+
updatedBy: z.string().optional(),
|
|
2044
|
+
createdAt: z.number(),
|
|
2045
|
+
updatedAt: z.number()
|
|
2046
|
+
}),
|
|
2047
|
+
indices: [
|
|
2048
|
+
{ kind: "index", name: "by_syncKey", columns: ["syncKey"] },
|
|
2049
|
+
{ kind: "index", name: "by_status", columns: ["status"] },
|
|
2050
|
+
{
|
|
2051
|
+
kind: "index",
|
|
2052
|
+
name: "by_tenant_status",
|
|
2053
|
+
columns: ["tenantId", "status"]
|
|
2054
|
+
},
|
|
2055
|
+
{
|
|
2056
|
+
kind: "index",
|
|
2057
|
+
name: "by_workspace_status",
|
|
2058
|
+
columns: ["workspaceId", "status"]
|
|
2059
|
+
},
|
|
2060
|
+
{
|
|
2061
|
+
kind: "index",
|
|
2062
|
+
name: "by_principal_status",
|
|
2063
|
+
columns: ["principalId", "status"]
|
|
2064
|
+
}
|
|
2065
|
+
]
|
|
2066
|
+
});
|
|
2067
|
+
defineTable({
|
|
2068
|
+
name: "secretSyncDriftReports",
|
|
2069
|
+
component: "mc",
|
|
2070
|
+
category: "runtime",
|
|
2071
|
+
shape: z.object({
|
|
2072
|
+
reportId: z.string(),
|
|
2073
|
+
source: z.enum(["infisical_manifest", "manual", "ci"]),
|
|
2074
|
+
generatedAt: z.number(),
|
|
2075
|
+
recordedAt: z.number(),
|
|
2076
|
+
recordedBy: z.string(),
|
|
2077
|
+
status: z.enum([
|
|
2078
|
+
"in_sync",
|
|
2079
|
+
"drift",
|
|
2080
|
+
"exception",
|
|
2081
|
+
"blocked",
|
|
2082
|
+
"not_observed"
|
|
2083
|
+
]),
|
|
2084
|
+
reportHash: z.string(),
|
|
2085
|
+
manifestHash: z.string().optional(),
|
|
2086
|
+
dryRunReceiptId: z.string().optional(),
|
|
2087
|
+
appliedReceiptId: z.string().optional(),
|
|
2088
|
+
summary: z.object({
|
|
2089
|
+
totalPipelines: z.number(),
|
|
2090
|
+
inSync: z.number(),
|
|
2091
|
+
drift: z.number(),
|
|
2092
|
+
exception: z.number(),
|
|
2093
|
+
blocked: z.number(),
|
|
2094
|
+
notObserved: z.number(),
|
|
2095
|
+
missingKeys: z.number(),
|
|
2096
|
+
valueDriftKeys: z.number(),
|
|
2097
|
+
extraKeys: z.number(),
|
|
2098
|
+
deniedConvexLeakage: z.number(),
|
|
2099
|
+
approvedExceptions: z.number()
|
|
2100
|
+
}),
|
|
2101
|
+
redactedReport: z.record(z.any()),
|
|
2102
|
+
metadata: z.record(z.any()).optional()
|
|
2103
|
+
}),
|
|
2104
|
+
indices: [
|
|
2105
|
+
{ kind: "index", name: "by_reportId", columns: ["reportId"] },
|
|
2106
|
+
{ kind: "index", name: "by_reportHash", columns: ["reportHash"] },
|
|
2107
|
+
{ kind: "index", name: "by_generatedAt", columns: ["generatedAt"] },
|
|
2108
|
+
{
|
|
2109
|
+
kind: "index",
|
|
2110
|
+
name: "by_status_generatedAt",
|
|
2111
|
+
columns: ["status", "generatedAt"]
|
|
2112
|
+
}
|
|
2113
|
+
]
|
|
2114
|
+
});
|
|
1955
2115
|
defineTable({
|
|
1956
2116
|
name: "controlPlaneTenantModelSlotBindings",
|
|
1957
2117
|
component: "mc",
|
|
1958
2118
|
category: "runtime",
|
|
1959
2119
|
shape: z.object({
|
|
1960
|
-
|
|
1961
|
-
|
|
1962
|
-
"
|
|
1963
|
-
|
|
1964
|
-
|
|
1965
|
-
|
|
1966
|
-
|
|
1967
|
-
|
|
1968
|
-
|
|
1969
|
-
|
|
1970
|
-
|
|
1971
|
-
|
|
1972
|
-
|
|
2120
|
+
bindingId: z.string(),
|
|
2121
|
+
tenantId: idOf("tenants"),
|
|
2122
|
+
workspaceId: idOf("workspaces").optional(),
|
|
2123
|
+
environment: z.enum(["dev", "staging", "prod"]).optional(),
|
|
2124
|
+
providerId: z.string(),
|
|
2125
|
+
modelSlotId: z.string(),
|
|
2126
|
+
secretRef: z.string(),
|
|
2127
|
+
status: z.enum(["active", "revoked"]),
|
|
2128
|
+
passThroughOnly: z.boolean(),
|
|
2129
|
+
revokedAt: z.number().optional(),
|
|
2130
|
+
revokedBy: z.string().optional(),
|
|
2131
|
+
metadata: z.record(z.any()).optional(),
|
|
2132
|
+
createdBy: z.string(),
|
|
2133
|
+
createdAt: z.number(),
|
|
2134
|
+
updatedAt: z.number()
|
|
1973
2135
|
}),
|
|
1974
2136
|
indices: [
|
|
1975
2137
|
{ kind: "index", name: "by_bindingId", columns: ["bindingId"] },
|
|
1976
2138
|
{ kind: "index", name: "by_tenantId", columns: ["tenantId"] },
|
|
1977
|
-
{
|
|
1978
|
-
|
|
2139
|
+
{
|
|
2140
|
+
kind: "index",
|
|
2141
|
+
name: "by_tenant_slot",
|
|
2142
|
+
columns: ["tenantId", "modelSlotId"]
|
|
2143
|
+
},
|
|
2144
|
+
{
|
|
2145
|
+
kind: "index",
|
|
2146
|
+
name: "by_tenant_provider_slot",
|
|
2147
|
+
columns: ["tenantId", "providerId", "modelSlotId"]
|
|
2148
|
+
},
|
|
1979
2149
|
{ kind: "index", name: "by_secretRef", columns: ["secretRef"] },
|
|
1980
2150
|
{ kind: "index", name: "by_status", columns: ["status"] }
|
|
1981
2151
|
]
|
|
@@ -1985,29 +2155,42 @@ defineTable({
|
|
|
1985
2155
|
component: "mc",
|
|
1986
2156
|
category: "runtime",
|
|
1987
2157
|
shape: z.object({
|
|
1988
|
-
|
|
1989
|
-
|
|
1990
|
-
"
|
|
1991
|
-
|
|
1992
|
-
|
|
1993
|
-
|
|
1994
|
-
|
|
1995
|
-
|
|
1996
|
-
|
|
1997
|
-
|
|
1998
|
-
|
|
1999
|
-
|
|
2000
|
-
|
|
2001
|
-
|
|
2002
|
-
|
|
2003
|
-
|
|
2004
|
-
|
|
2158
|
+
secretRef: z.string(),
|
|
2159
|
+
tenantId: idOf("tenants"),
|
|
2160
|
+
workspaceId: idOf("workspaces").optional(),
|
|
2161
|
+
environment: z.enum(["dev", "staging", "prod"]).optional(),
|
|
2162
|
+
providerId: z.string(),
|
|
2163
|
+
label: z.string().optional(),
|
|
2164
|
+
encryptedSecret: z.string().optional(),
|
|
2165
|
+
infisicalPath: z.string().optional(),
|
|
2166
|
+
infisicalSecretKey: z.string().optional(),
|
|
2167
|
+
infisicalProjectId: z.string().optional(),
|
|
2168
|
+
encryptionVersion: z.string(),
|
|
2169
|
+
secretFingerprint: z.string(),
|
|
2170
|
+
keyHint: z.string(),
|
|
2171
|
+
status: z.enum(["active", "revoked"]),
|
|
2172
|
+
rotatedFromSecretRef: z.string().optional(),
|
|
2173
|
+
revokedAt: z.number().optional(),
|
|
2174
|
+
revokedBy: z.string().optional(),
|
|
2175
|
+
lastUsedAt: z.number().optional(),
|
|
2176
|
+
metadata: z.record(z.any()).optional(),
|
|
2177
|
+
createdBy: z.string(),
|
|
2178
|
+
createdAt: z.number(),
|
|
2179
|
+
updatedAt: z.number()
|
|
2005
2180
|
}),
|
|
2006
2181
|
indices: [
|
|
2007
2182
|
{ kind: "index", name: "by_secretRef", columns: ["secretRef"] },
|
|
2008
2183
|
{ kind: "index", name: "by_tenantId", columns: ["tenantId"] },
|
|
2009
|
-
{
|
|
2010
|
-
|
|
2184
|
+
{
|
|
2185
|
+
kind: "index",
|
|
2186
|
+
name: "by_tenant_provider",
|
|
2187
|
+
columns: ["tenantId", "providerId"]
|
|
2188
|
+
},
|
|
2189
|
+
{
|
|
2190
|
+
kind: "index",
|
|
2191
|
+
name: "by_tenant_provider_status",
|
|
2192
|
+
columns: ["tenantId", "providerId", "status"]
|
|
2193
|
+
},
|
|
2011
2194
|
{ kind: "index", name: "by_status", columns: ["status"] }
|
|
2012
2195
|
]
|
|
2013
2196
|
});
|
|
@@ -2016,35 +2199,93 @@ defineTable({
|
|
|
2016
2199
|
component: "mc",
|
|
2017
2200
|
category: "runtime",
|
|
2018
2201
|
shape: z.object({
|
|
2019
|
-
|
|
2020
|
-
|
|
2021
|
-
|
|
2022
|
-
|
|
2023
|
-
|
|
2024
|
-
|
|
2025
|
-
|
|
2026
|
-
|
|
2027
|
-
|
|
2028
|
-
|
|
2029
|
-
|
|
2030
|
-
|
|
2031
|
-
|
|
2032
|
-
|
|
2033
|
-
|
|
2034
|
-
|
|
2035
|
-
|
|
2036
|
-
|
|
2037
|
-
|
|
2038
|
-
|
|
2039
|
-
|
|
2040
|
-
|
|
2202
|
+
usageId: z.string(),
|
|
2203
|
+
tenantId: idOf("tenants"),
|
|
2204
|
+
providerId: z.string(),
|
|
2205
|
+
modelSlotId: z.string(),
|
|
2206
|
+
secretRef: z.string(),
|
|
2207
|
+
proxyTokenId: z.string(),
|
|
2208
|
+
sessionId: z.string(),
|
|
2209
|
+
principalId: z.string(),
|
|
2210
|
+
workspaceId: z.string().optional(),
|
|
2211
|
+
modelId: z.string().optional(),
|
|
2212
|
+
requestPath: z.string(),
|
|
2213
|
+
status: z.enum(["success", "error"]),
|
|
2214
|
+
responseStatus: z.number().optional(),
|
|
2215
|
+
inputTokens: z.number().optional(),
|
|
2216
|
+
outputTokens: z.number().optional(),
|
|
2217
|
+
tokenCount: z.number().optional(),
|
|
2218
|
+
latencyMs: z.number(),
|
|
2219
|
+
estimatedCostUsd: z.number().optional(),
|
|
2220
|
+
failureCode: z.string().optional(),
|
|
2221
|
+
metadata: z.record(z.any()).optional(),
|
|
2222
|
+
createdAt: z.number(),
|
|
2223
|
+
updatedAt: z.number()
|
|
2041
2224
|
}),
|
|
2042
2225
|
indices: [
|
|
2043
2226
|
{ kind: "index", name: "by_usageId", columns: ["usageId"] },
|
|
2044
2227
|
{ kind: "index", name: "by_tenantId", columns: ["tenantId", "createdAt"] },
|
|
2045
|
-
{
|
|
2046
|
-
|
|
2047
|
-
|
|
2228
|
+
{
|
|
2229
|
+
kind: "index",
|
|
2230
|
+
name: "by_tenant_provider",
|
|
2231
|
+
columns: ["tenantId", "providerId", "createdAt"]
|
|
2232
|
+
},
|
|
2233
|
+
{
|
|
2234
|
+
kind: "index",
|
|
2235
|
+
name: "by_proxyTokenId",
|
|
2236
|
+
columns: ["proxyTokenId", "createdAt"]
|
|
2237
|
+
},
|
|
2238
|
+
{
|
|
2239
|
+
kind: "index",
|
|
2240
|
+
name: "by_sessionId",
|
|
2241
|
+
columns: ["sessionId", "createdAt"]
|
|
2242
|
+
}
|
|
2243
|
+
]
|
|
2244
|
+
});
|
|
2245
|
+
defineTable({
|
|
2246
|
+
name: "controlPlaneTenantProxyTokenLeases",
|
|
2247
|
+
component: "mc",
|
|
2248
|
+
category: "runtime",
|
|
2249
|
+
shape: z.object({
|
|
2250
|
+
leaseId: z.string(),
|
|
2251
|
+
proxyTokenId: z.string(),
|
|
2252
|
+
tenantId: idOf("tenants"),
|
|
2253
|
+
workspaceId: idOf("workspaces").optional(),
|
|
2254
|
+
environment: z.enum(["dev", "staging", "prod"]),
|
|
2255
|
+
providerId: z.string(),
|
|
2256
|
+
modelSlotId: z.string(),
|
|
2257
|
+
bindingId: z.string(),
|
|
2258
|
+
secretRef: z.string(),
|
|
2259
|
+
sessionId: z.string(),
|
|
2260
|
+
principalId: z.string(),
|
|
2261
|
+
agentSessionId: z.string().optional(),
|
|
2262
|
+
status: z.enum(["active", "revoked"]),
|
|
2263
|
+
expiresAt: z.number(),
|
|
2264
|
+
renewedAt: z.number().optional(),
|
|
2265
|
+
revokedAt: z.number().optional(),
|
|
2266
|
+
revokedBy: z.string().optional(),
|
|
2267
|
+
revokeReason: z.string().optional(),
|
|
2268
|
+
permitDecisionLogId: idOf("policyDecisionLogs").optional(),
|
|
2269
|
+
permitTraceId: z.string().optional(),
|
|
2270
|
+
metadata: z.record(z.any()).optional(),
|
|
2271
|
+
createdAt: z.number(),
|
|
2272
|
+
updatedAt: z.number()
|
|
2273
|
+
}),
|
|
2274
|
+
indices: [
|
|
2275
|
+
{ kind: "index", name: "by_leaseId", columns: ["leaseId"] },
|
|
2276
|
+
{ kind: "index", name: "by_proxyTokenId", columns: ["proxyTokenId"] },
|
|
2277
|
+
{ kind: "index", name: "by_tenantId", columns: ["tenantId", "createdAt"] },
|
|
2278
|
+
{ kind: "index", name: "by_sessionId", columns: ["sessionId", "createdAt"] },
|
|
2279
|
+
{
|
|
2280
|
+
kind: "index",
|
|
2281
|
+
name: "by_principalId",
|
|
2282
|
+
columns: ["principalId", "createdAt"]
|
|
2283
|
+
},
|
|
2284
|
+
{
|
|
2285
|
+
kind: "index",
|
|
2286
|
+
name: "by_status_expiresAt",
|
|
2287
|
+
columns: ["status", "expiresAt"]
|
|
2288
|
+
}
|
|
2048
2289
|
]
|
|
2049
2290
|
});
|
|
2050
2291
|
defineTable({
|
|
@@ -2377,6 +2618,7 @@ defineTable({
|
|
|
2377
2618
|
"questionType": z.enum(["validation", "falsification", "assumption_probe", "prediction_test", "counterfactual", "discovery", "clarification", "comparison", "causal", "mechanism", "general"]).optional(),
|
|
2378
2619
|
"questionPriority": z.enum(["critical", "high", "medium", "low"]).optional(),
|
|
2379
2620
|
"answerQuality": z.enum(["definitive", "strong", "moderate", "weak", "speculative", "unanswered"]).optional(),
|
|
2621
|
+
"themeStatus": z.enum(["emerging", "active", "mature", "declining", "archived"]).optional(),
|
|
2380
2622
|
"themeConviction": z.enum(["high", "medium", "low", "negative"]).optional(),
|
|
2381
2623
|
"decisionType": z.enum(["invest", "pass", "follow_on", "exit", "deep_dive", "monitor", "deprioritize", "thesis_adopt", "thesis_revise", "thesis_abandon"]).optional(),
|
|
2382
2624
|
"decisionOutcome": z.enum(["pending", "successful", "unsuccessful", "mixed", "unknown"]).optional(),
|
|
@@ -2527,6 +2769,7 @@ defineTable({
|
|
|
2527
2769
|
indices: [
|
|
2528
2770
|
{ kind: "index", name: "by_principalId", columns: ["principalId"] },
|
|
2529
2771
|
{ kind: "index", name: "by_principal_tenant", columns: ["principalId", "tenantId"] },
|
|
2772
|
+
{ kind: "index", name: "by_principal_tenant_workspace", columns: ["principalId", "tenantId", "workspaceId"] },
|
|
2530
2773
|
{ kind: "index", name: "by_workspace_principal", columns: ["workspaceId", "principalId"] },
|
|
2531
2774
|
{ kind: "index", name: "by_tenant_role", columns: ["tenantId", "role"] },
|
|
2532
2775
|
{ kind: "index", name: "by_status", columns: ["status"] }
|
|
@@ -2558,6 +2801,36 @@ defineTable({
|
|
|
2558
2801
|
{ kind: "index", name: "by_status", columns: ["status"] }
|
|
2559
2802
|
]
|
|
2560
2803
|
});
|
|
2804
|
+
defineTable({
|
|
2805
|
+
name: "principalIdentityAliases",
|
|
2806
|
+
component: "mc",
|
|
2807
|
+
category: "identity",
|
|
2808
|
+
shape: z.object({
|
|
2809
|
+
"principalId": z.string(),
|
|
2810
|
+
"principalRefId": idOf("principals").optional(),
|
|
2811
|
+
"provider": z.string(),
|
|
2812
|
+
"providerProjectId": z.string().optional(),
|
|
2813
|
+
"externalSubjectId": z.string(),
|
|
2814
|
+
"tenantId": idOf("tenants").optional(),
|
|
2815
|
+
"workspaceId": idOf("workspaces").optional(),
|
|
2816
|
+
"email": z.string().optional(),
|
|
2817
|
+
"status": z.enum(["active", "revoked"]),
|
|
2818
|
+
"metadata": z.record(z.any()).optional(),
|
|
2819
|
+
"createdBy": z.string(),
|
|
2820
|
+
"revokedAt": z.number().optional(),
|
|
2821
|
+
"revokedBy": z.string().optional(),
|
|
2822
|
+
"createdAt": z.number(),
|
|
2823
|
+
"updatedAt": z.number()
|
|
2824
|
+
}),
|
|
2825
|
+
indices: [
|
|
2826
|
+
{ kind: "index", name: "by_provider_subject", columns: ["provider", "externalSubjectId"] },
|
|
2827
|
+
{ kind: "index", name: "by_provider_project_subject", columns: ["provider", "providerProjectId", "externalSubjectId"] },
|
|
2828
|
+
{ kind: "index", name: "by_principalId", columns: ["principalId"] },
|
|
2829
|
+
{ kind: "index", name: "by_principal_status", columns: ["principalId", "status"] },
|
|
2830
|
+
{ kind: "index", name: "by_tenant_provider_subject", columns: ["tenantId", "provider", "externalSubjectId"] },
|
|
2831
|
+
{ kind: "index", name: "by_workspace_provider_subject", columns: ["workspaceId", "provider", "externalSubjectId"] }
|
|
2832
|
+
]
|
|
2833
|
+
});
|
|
2561
2834
|
defineTable({
|
|
2562
2835
|
name: "rateLimitWindows",
|
|
2563
2836
|
component: "mc",
|
|
@@ -3147,7 +3420,7 @@ defineTable({
|
|
|
3147
3420
|
});
|
|
3148
3421
|
defineTable({
|
|
3149
3422
|
name: "mcpWritePolicy",
|
|
3150
|
-
component: "
|
|
3423
|
+
component: "control-plane",
|
|
3151
3424
|
category: "platform",
|
|
3152
3425
|
shape: z.object({
|
|
3153
3426
|
"topicId": z.string().optional(),
|
|
@@ -3170,7 +3443,7 @@ defineTable({
|
|
|
3170
3443
|
});
|
|
3171
3444
|
defineTable({
|
|
3172
3445
|
name: "platformAudienceGrants",
|
|
3173
|
-
component: "
|
|
3446
|
+
component: "control-plane",
|
|
3174
3447
|
category: "platform",
|
|
3175
3448
|
shape: z.object({
|
|
3176
3449
|
"tenantId": z.string(),
|
|
@@ -3196,7 +3469,7 @@ defineTable({
|
|
|
3196
3469
|
});
|
|
3197
3470
|
defineTable({
|
|
3198
3471
|
name: "platformAudiences",
|
|
3199
|
-
component: "
|
|
3472
|
+
component: "control-plane",
|
|
3200
3473
|
category: "platform",
|
|
3201
3474
|
shape: z.object({
|
|
3202
3475
|
"tenantId": z.string(),
|
|
@@ -3221,7 +3494,7 @@ defineTable({
|
|
|
3221
3494
|
});
|
|
3222
3495
|
defineTable({
|
|
3223
3496
|
name: "platformPolicyDecisionLogs",
|
|
3224
|
-
component: "
|
|
3497
|
+
component: "control-plane",
|
|
3225
3498
|
category: "platform",
|
|
3226
3499
|
shape: z.object({
|
|
3227
3500
|
"principalId": z.string(),
|
|
@@ -3257,7 +3530,7 @@ defineTable({
|
|
|
3257
3530
|
});
|
|
3258
3531
|
defineTable({
|
|
3259
3532
|
name: "tenantApiKeys",
|
|
3260
|
-
component: "
|
|
3533
|
+
component: "control-plane",
|
|
3261
3534
|
category: "platform",
|
|
3262
3535
|
shape: z.object({
|
|
3263
3536
|
"tenantId": z.string(),
|
|
@@ -3284,7 +3557,7 @@ defineTable({
|
|
|
3284
3557
|
});
|
|
3285
3558
|
defineTable({
|
|
3286
3559
|
name: "tenantConfig",
|
|
3287
|
-
component: "
|
|
3560
|
+
component: "control-plane",
|
|
3288
3561
|
category: "platform",
|
|
3289
3562
|
shape: z.object({
|
|
3290
3563
|
"tenantId": z.string(),
|
|
@@ -3303,7 +3576,7 @@ defineTable({
|
|
|
3303
3576
|
});
|
|
3304
3577
|
defineTable({
|
|
3305
3578
|
name: "tenantIntegrations",
|
|
3306
|
-
component: "
|
|
3579
|
+
component: "control-plane",
|
|
3307
3580
|
category: "platform",
|
|
3308
3581
|
shape: z.object({
|
|
3309
3582
|
"tenantId": z.string(),
|
|
@@ -3358,7 +3631,7 @@ defineTable({
|
|
|
3358
3631
|
});
|
|
3359
3632
|
defineTable({
|
|
3360
3633
|
name: "tenantModelSlotBindings",
|
|
3361
|
-
component: "
|
|
3634
|
+
component: "control-plane",
|
|
3362
3635
|
category: "platform",
|
|
3363
3636
|
shape: z.object({
|
|
3364
3637
|
"bindingId": z.string(),
|
|
@@ -3386,7 +3659,7 @@ defineTable({
|
|
|
3386
3659
|
});
|
|
3387
3660
|
defineTable({
|
|
3388
3661
|
name: "tenantPolicies",
|
|
3389
|
-
component: "
|
|
3662
|
+
component: "control-plane",
|
|
3390
3663
|
category: "platform",
|
|
3391
3664
|
shape: z.object({
|
|
3392
3665
|
"tenantId": z.string(),
|
|
@@ -3411,7 +3684,7 @@ defineTable({
|
|
|
3411
3684
|
});
|
|
3412
3685
|
defineTable({
|
|
3413
3686
|
name: "tenantProviderSecrets",
|
|
3414
|
-
component: "
|
|
3687
|
+
component: "control-plane",
|
|
3415
3688
|
category: "platform",
|
|
3416
3689
|
shape: z.object({
|
|
3417
3690
|
"secretRef": z.string(),
|
|
@@ -3442,7 +3715,7 @@ defineTable({
|
|
|
3442
3715
|
});
|
|
3443
3716
|
defineTable({
|
|
3444
3717
|
name: "tenantProxyGatewayUsage",
|
|
3445
|
-
component: "
|
|
3718
|
+
component: "control-plane",
|
|
3446
3719
|
category: "platform",
|
|
3447
3720
|
shape: z.object({
|
|
3448
3721
|
"usageId": z.string(),
|
|
@@ -3477,7 +3750,7 @@ defineTable({
|
|
|
3477
3750
|
});
|
|
3478
3751
|
defineTable({
|
|
3479
3752
|
name: "tenantProxyTokenMints",
|
|
3480
|
-
component: "
|
|
3753
|
+
component: "control-plane",
|
|
3481
3754
|
category: "platform",
|
|
3482
3755
|
shape: z.object({
|
|
3483
3756
|
"proxyTokenId": z.string(),
|
|
@@ -3500,7 +3773,7 @@ defineTable({
|
|
|
3500
3773
|
});
|
|
3501
3774
|
defineTable({
|
|
3502
3775
|
name: "tenantSandboxAuditEvents",
|
|
3503
|
-
component: "
|
|
3776
|
+
component: "control-plane",
|
|
3504
3777
|
category: "platform",
|
|
3505
3778
|
shape: z.object({
|
|
3506
3779
|
"eventId": z.string(),
|
|
@@ -3534,7 +3807,7 @@ defineTable({
|
|
|
3534
3807
|
});
|
|
3535
3808
|
defineTable({
|
|
3536
3809
|
name: "tenantSecrets",
|
|
3537
|
-
component: "
|
|
3810
|
+
component: "control-plane",
|
|
3538
3811
|
category: "platform",
|
|
3539
3812
|
shape: z.object({
|
|
3540
3813
|
"tenantId": z.string(),
|
|
@@ -3556,7 +3829,7 @@ defineTable({
|
|
|
3556
3829
|
});
|
|
3557
3830
|
defineTable({
|
|
3558
3831
|
name: "toolAcls",
|
|
3559
|
-
component: "
|
|
3832
|
+
component: "control-plane",
|
|
3560
3833
|
category: "platform",
|
|
3561
3834
|
shape: z.object({
|
|
3562
3835
|
"role": z.enum(["platform_admin", "tenant_admin", "workspace_admin", "editor", "viewer", "auditor", "service_agent"]),
|
|
@@ -3571,7 +3844,7 @@ defineTable({
|
|
|
3571
3844
|
});
|
|
3572
3845
|
defineTable({
|
|
3573
3846
|
name: "toolRegistry",
|
|
3574
|
-
component: "
|
|
3847
|
+
component: "control-plane",
|
|
3575
3848
|
category: "platform",
|
|
3576
3849
|
shape: z.object({
|
|
3577
3850
|
"toolName": z.string(),
|
|
@@ -3652,7 +3925,7 @@ defineTable({
|
|
|
3652
3925
|
});
|
|
3653
3926
|
defineTable({
|
|
3654
3927
|
name: "modelCallLogs",
|
|
3655
|
-
component: "
|
|
3928
|
+
component: "control-plane",
|
|
3656
3929
|
category: "model",
|
|
3657
3930
|
shape: z.object({
|
|
3658
3931
|
"slot": z.string(),
|
|
@@ -3678,7 +3951,7 @@ defineTable({
|
|
|
3678
3951
|
});
|
|
3679
3952
|
defineTable({
|
|
3680
3953
|
name: "modelFunctionSlots",
|
|
3681
|
-
component: "
|
|
3954
|
+
component: "control-plane",
|
|
3682
3955
|
category: "model",
|
|
3683
3956
|
shape: z.object({
|
|
3684
3957
|
"slot": z.string(),
|
|
@@ -3703,7 +3976,7 @@ defineTable({
|
|
|
3703
3976
|
});
|
|
3704
3977
|
defineTable({
|
|
3705
3978
|
name: "modelRegistry",
|
|
3706
|
-
component: "
|
|
3979
|
+
component: "control-plane",
|
|
3707
3980
|
category: "model",
|
|
3708
3981
|
shape: z.object({
|
|
3709
3982
|
"key": z.string(),
|
|
@@ -3730,7 +4003,7 @@ defineTable({
|
|
|
3730
4003
|
});
|
|
3731
4004
|
defineTable({
|
|
3732
4005
|
name: "modelSlotConfigs",
|
|
3733
|
-
component: "
|
|
4006
|
+
component: "control-plane",
|
|
3734
4007
|
category: "model",
|
|
3735
4008
|
shape: z.object({
|
|
3736
4009
|
"slot": z.string(),
|
|
@@ -4117,7 +4390,7 @@ defineTable({
|
|
|
4117
4390
|
"workspaceId": idOf("workspaces").optional(),
|
|
4118
4391
|
"resourceType": z.string(),
|
|
4119
4392
|
"resourceId": z.string(),
|
|
4120
|
-
"action": z.enum(["read", "summarize", "export", "mutate", "admin", "comment", "escalate", "resolve", "vote"]),
|
|
4393
|
+
"action": z.enum(["read", "summarize", "export", "mutate", "admin", "comment", "escalate", "resolve", "vote", "route", "invoke", "manage", "deploy", "promote", "rollback", "audit", "read_ref", "fetch_value", "rotate", "administer", "mint", "delegate", "revoke"]),
|
|
4121
4394
|
"decision": z.enum(["allow", "deny"]),
|
|
4122
4395
|
"reasonCode": z.string(),
|
|
4123
4396
|
"policyVersion": z.string(),
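Review bot: The widened `action` enum now holds the near-synonyms `admin`, `administer` and `manage`, and nothing in the hunk says which check emits which, so a query or alert keyed on one value can miss decisions recorded under another. A short comment on the enum in the source, mapping each verb to the resource family it belongs to, would keep the audit trail unambiguous. The `permitPolicyDecisionReceipts` table added later in this file types the same field as `action: z.string()`, so the two decision records can drift apart; sharing one enum constant between them would avoid that. The enclosing `defineTable` call starts and ends outside this hunk.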
|
|
@@ -4179,7 +4452,7 @@ defineTable({
|
|
|
4179
4452
|
});
|
|
4180
4453
|
defineTable({
|
|
4181
4454
|
name: "projectGrants",
|
|
4182
|
-
component: "
|
|
4455
|
+
component: "control-plane",
|
|
4183
4456
|
category: "project",
|
|
4184
4457
|
shape: z.object({
|
|
4185
4458
|
"projectId": z.string().optional(),
|
|
@@ -4211,9 +4484,650 @@ defineTable({
|
|
|
4211
4484
|
{ kind: "index", name: "by_topic_cluster_status", columns: ["topicId", "beliefClusterId", "status"] }
|
|
4212
4485
|
]
|
|
4213
4486
|
});
|
|
4487
|
+
var permitActorType = z.enum([
|
|
4488
|
+
"human",
|
|
4489
|
+
"agent",
|
|
4490
|
+
"service_principal",
|
|
4491
|
+
"external_stakeholder",
|
|
4492
|
+
"system"
|
|
4493
|
+
]);
|
|
4494
|
+
var permitMembershipStatus = z.enum([
|
|
4495
|
+
"active",
|
|
4496
|
+
"invited",
|
|
4497
|
+
"revoked",
|
|
4498
|
+
"suspended",
|
|
4499
|
+
"disabled"
|
|
4500
|
+
]);
|
|
4501
|
+
var permitDecision = z.enum(["allow", "deny"]);
|
|
4502
|
+
var permitAccessReviewStatus = z.enum([
|
|
4503
|
+
"open",
|
|
4504
|
+
"in_progress",
|
|
4505
|
+
"approved",
|
|
4506
|
+
"denied",
|
|
4507
|
+
"expired",
|
|
4508
|
+
"cancelled"
|
|
4509
|
+
]);
|
|
4510
|
+
var permitReviewScope = z.enum([
|
|
4511
|
+
"tenant",
|
|
4512
|
+
"workspace",
|
|
4513
|
+
"resource_instance",
|
|
4514
|
+
"group",
|
|
4515
|
+
"principal",
|
|
4516
|
+
"api_key",
|
|
4517
|
+
"admin_action"
|
|
4518
|
+
]);
|
|
4519
|
+
var permitRecordStatus = z.enum([
|
|
4520
|
+
"queued",
|
|
4521
|
+
"inflight",
|
|
4522
|
+
"completed",
|
|
4523
|
+
"failed",
|
|
4524
|
+
"skipped",
|
|
4525
|
+
"stale"
|
|
4526
|
+
]);
|
|
4527
|
+
var permitObjectType = z.enum([
|
|
4528
|
+
"resource",
|
|
4529
|
+
"role",
|
|
4530
|
+
"resource_role",
|
|
4531
|
+
"resource_relation",
|
|
4532
|
+
"tenant",
|
|
4533
|
+
"workspace",
|
|
4534
|
+
"principal",
|
|
4535
|
+
"membership",
|
|
4536
|
+
"group",
|
|
4537
|
+
"resource_instance",
|
|
4538
|
+
"relationship_tuple",
|
|
4539
|
+
"role_assignment",
|
|
4540
|
+
"attribute_binding",
|
|
4541
|
+
"policy_bundle"
|
|
4542
|
+
]);
|
|
4543
|
+
var permitOutboxOperation = z.enum([
|
|
4544
|
+
"upsert",
|
|
4545
|
+
"delete",
|
|
4546
|
+
"sync",
|
|
4547
|
+
"resync",
|
|
4548
|
+
"delete_sync",
|
|
4549
|
+
"noop"
|
|
4550
|
+
]);
|
|
4551
|
+
var permitPolicyBundleStatus = z.enum([
|
|
4552
|
+
"draft",
|
|
4553
|
+
"validated",
|
|
4554
|
+
"enforced",
|
|
4555
|
+
"archived"
|
|
4556
|
+
]);
|
|
4557
|
+
var permitSyncStatus = z.enum([
|
|
4558
|
+
"pending",
|
|
4559
|
+
"synced",
|
|
4560
|
+
"error",
|
|
4561
|
+
"skipped"
|
|
4562
|
+
]);
|
|
4563
|
+
var permitAccessReviewSubjectType = z.enum([
|
|
4564
|
+
"principal",
|
|
4565
|
+
"group",
|
|
4566
|
+
"role_assignment",
|
|
4567
|
+
"resource_instance"
|
|
4568
|
+
]);
|
|
4569
|
+
var permitAttributeType = z.enum([
|
|
4570
|
+
"string",
|
|
4571
|
+
"number",
|
|
4572
|
+
"bool",
|
|
4573
|
+
"json",
|
|
4574
|
+
"time"
|
|
4575
|
+
]);
|
|
4576
|
+
var permitAttributeOperator = z.enum([
|
|
4577
|
+
"eq",
|
|
4578
|
+
"neq",
|
|
4579
|
+
"in",
|
|
4580
|
+
"not_in",
|
|
4581
|
+
"gt",
|
|
4582
|
+
"gte",
|
|
4583
|
+
"lt",
|
|
4584
|
+
"lte",
|
|
4585
|
+
"contains",
|
|
4586
|
+
"not_contains",
|
|
4587
|
+
"matches"
|
|
4588
|
+
]);
|
|
4589
|
+
var permitRoleBindingTarget = z.enum([
|
|
4590
|
+
"principal",
|
|
4591
|
+
"group"
|
|
4592
|
+
]);
|
|
4593
|
+
defineTable({
|
|
4594
|
+
name: "permitPrincipals",
|
|
4595
|
+
component: "control-plane",
|
|
4596
|
+
category: "access-control",
|
|
4597
|
+
shape: z.object({
|
|
4598
|
+
principalId: z.string(),
|
|
4599
|
+
tenantId: z.string(),
|
|
4600
|
+
workspaceId: z.optional(z.string()),
|
|
4601
|
+
principalType: permitActorType,
|
|
4602
|
+
status: permitMembershipStatus,
|
|
4603
|
+
displayName: z.string().optional(),
|
|
4604
|
+
metadata: z.record(z.any()).optional(),
|
|
4605
|
+
createdBy: z.string(),
|
|
4606
|
+
createdAt: z.number(),
|
|
4607
|
+
updatedAt: z.number(),
|
|
4608
|
+
updatedBy: z.string().optional(),
|
|
4609
|
+
lastSeenAt: z.number().optional()
|
|
4610
|
+
}),
|
|
4611
|
+
indices: [
|
|
4612
|
+
{ kind: "index", name: "by_tenantId", columns: ["tenantId"] },
|
|
4613
|
+
{ kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
|
|
4614
|
+
{ kind: "index", name: "by_tenant_principalId", columns: ["tenantId", "principalId"] },
|
|
4615
|
+
{ kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] },
|
|
4616
|
+
{
|
|
4617
|
+
kind: "index",
|
|
4618
|
+
name: "by_tenant_principalType_status",
|
|
4619
|
+
columns: ["tenantId", "principalType", "status"]
|
|
4620
|
+
}
|
|
4621
|
+
]
|
|
4622
|
+
});
|
|
4623
|
+
defineTable({
|
|
4624
|
+
name: "permitPrincipalAliases",
|
|
4625
|
+
component: "control-plane",
|
|
4626
|
+
category: "access-control",
|
|
4627
|
+
shape: z.object({
|
|
4628
|
+
principalId: z.string(),
|
|
4629
|
+
tenantId: z.string(),
|
|
4630
|
+
workspaceId: z.optional(z.string()),
|
|
4631
|
+
provider: z.string(),
|
|
4632
|
+
providerSubjectId: z.string(),
|
|
4633
|
+
providerProjectId: z.string().optional(),
|
|
4634
|
+
alias: z.string(),
|
|
4635
|
+
aliasKind: z.string(),
|
|
4636
|
+
status: permitMembershipStatus,
|
|
4637
|
+
metadata: z.record(z.any()).optional(),
|
|
4638
|
+
createdBy: z.string(),
|
|
4639
|
+
createdAt: z.number(),
|
|
4640
|
+
updatedAt: z.number(),
|
|
4641
|
+
revokedBy: z.string().optional(),
|
|
4642
|
+
revokedAt: z.number().optional(),
|
|
4643
|
+
updatedBy: z.string().optional()
|
|
4644
|
+
}),
|
|
4645
|
+
indices: [
|
|
4646
|
+
{ kind: "index", name: "by_principalId", columns: ["principalId"] },
|
|
4647
|
+
{ kind: "index", name: "by_tenant_provider_subject", columns: ["tenantId", "provider", "providerSubjectId"] },
|
|
4648
|
+
{
|
|
4649
|
+
kind: "index",
|
|
4650
|
+
name: "by_tenant_provider_alias",
|
|
4651
|
+
columns: ["tenantId", "provider", "alias"]
|
|
4652
|
+
},
|
|
4653
|
+
{ kind: "index", name: "by_tenant_alias", columns: ["tenantId", "alias"] },
|
|
4654
|
+
{
|
|
4655
|
+
kind: "index",
|
|
4656
|
+
name: "by_tenant_provider_status",
|
|
4657
|
+
columns: ["tenantId", "provider", "status"]
|
|
4658
|
+
}
|
|
4659
|
+
]
|
|
4660
|
+
});
|
|
4661
|
+
defineTable({
|
|
4662
|
+
name: "permitGroups",
|
|
4663
|
+
component: "control-plane",
|
|
4664
|
+
category: "access-control",
|
|
4665
|
+
shape: z.object({
|
|
4666
|
+
tenantId: z.string(),
|
|
4667
|
+
workspaceId: z.optional(z.string()),
|
|
4668
|
+
groupId: z.string(),
|
|
4669
|
+
groupKey: z.string(),
|
|
4670
|
+
groupName: z.string(),
|
|
4671
|
+
groupType: z.enum(["tenant", "workspace", "external", "system", "dynamic"]),
|
|
4672
|
+
status: permitMembershipStatus,
|
|
4673
|
+
description: z.string().optional(),
|
|
4674
|
+
metadata: z.record(z.any()).optional(),
|
|
4675
|
+
createdBy: z.string(),
|
|
4676
|
+
createdAt: z.number(),
|
|
4677
|
+
updatedAt: z.number(),
|
|
4678
|
+
updatedBy: z.string().optional()
|
|
4679
|
+
}),
|
|
4680
|
+
indices: [
|
|
4681
|
+
{ kind: "index", name: "by_tenantId", columns: ["tenantId"] },
|
|
4682
|
+
{ kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
|
|
4683
|
+
{ kind: "index", name: "by_tenant_groupId", columns: ["tenantId", "groupId"] },
|
|
4684
|
+
{ kind: "index", name: "by_tenant_groupKey", columns: ["tenantId", "groupKey"] },
|
|
4685
|
+
{ kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] }
|
|
4686
|
+
]
|
|
4687
|
+
});
|
|
4688
|
+
defineTable({
|
|
4689
|
+
name: "permitGroupMemberships",
|
|
4690
|
+
component: "control-plane",
|
|
4691
|
+
category: "access-control",
|
|
4692
|
+
shape: z.object({
|
|
4693
|
+
tenantId: z.string(),
|
|
4694
|
+
workspaceId: z.optional(z.string()),
|
|
4695
|
+
groupId: z.string(),
|
|
4696
|
+
memberType: z.enum(["principal", "group"]),
|
|
4697
|
+
memberId: z.string(),
|
|
4698
|
+
principalId: z.string().optional(),
|
|
4699
|
+
childGroupId: z.string().optional(),
|
|
4700
|
+
status: permitMembershipStatus,
|
|
4701
|
+
addedBy: z.string().optional(),
|
|
4702
|
+
revokedBy: z.string().optional(),
|
|
4703
|
+
expiresAt: z.number().optional(),
|
|
4704
|
+
revocationReason: z.string().optional(),
|
|
4705
|
+
metadata: z.record(z.any()).optional(),
|
|
4706
|
+
createdAt: z.number(),
|
|
4707
|
+
updatedAt: z.number(),
|
|
4708
|
+
updatedBy: z.string().optional()
|
|
4709
|
+
}),
|
|
4710
|
+
indices: [
|
|
4711
|
+
{ kind: "index", name: "by_tenant_principal", columns: ["tenantId", "principalId"] },
|
|
4712
|
+
{ kind: "index", name: "by_tenant_member", columns: ["tenantId", "memberType", "memberId"] },
|
|
4713
|
+
{
|
|
4714
|
+
kind: "index",
|
|
4715
|
+
name: "by_tenant_member_group",
|
|
4716
|
+
columns: ["tenantId", "memberType", "memberId", "groupId"]
|
|
4717
|
+
},
|
|
4718
|
+
{ kind: "index", name: "by_tenant_group", columns: ["tenantId", "groupId"] },
|
|
4719
|
+
{ kind: "index", name: "by_member_group", columns: ["memberType", "memberId", "groupId"] },
|
|
4720
|
+
{ kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] },
|
|
4721
|
+
{
|
|
4722
|
+
kind: "index",
|
|
4723
|
+
name: "by_workspace_principal",
|
|
4724
|
+
columns: ["workspaceId", "principalId"]
|
|
4725
|
+
}
|
|
4726
|
+
]
|
|
4727
|
+
});
|
|
4728
|
+
defineTable({
|
|
4729
|
+
name: "permitResourceInstances",
|
|
4730
|
+
component: "control-plane",
|
|
4731
|
+
category: "access-control",
|
|
4732
|
+
shape: z.object({
|
|
4733
|
+
tenantId: z.string(),
|
|
4734
|
+
workspaceId: z.optional(z.string()),
|
|
4735
|
+
resourceType: z.string(),
|
|
4736
|
+
resourceKey: z.string(),
|
|
4737
|
+
resourceId: z.string(),
|
|
4738
|
+
status: z.enum(["active", "deleted", "archived"]),
|
|
4739
|
+
attributes: z.record(z.any()).optional(),
|
|
4740
|
+
ownerPrincipalId: z.string().optional(),
|
|
4741
|
+
metadata: z.record(z.any()).optional(),
|
|
4742
|
+
createdBy: z.string(),
|
|
4743
|
+
updatedBy: z.string().optional(),
|
|
4744
|
+
createdAt: z.number(),
|
|
4745
|
+
updatedAt: z.number()
|
|
4746
|
+
}),
|
|
4747
|
+
indices: [
|
|
4748
|
+
{
|
|
4749
|
+
kind: "index",
|
|
4750
|
+
name: "by_tenant_resource_type",
|
|
4751
|
+
columns: ["tenantId", "resourceType"]
|
|
4752
|
+
},
|
|
4753
|
+
{
|
|
4754
|
+
kind: "index",
|
|
4755
|
+
name: "by_tenant_resource_key",
|
|
4756
|
+
columns: ["tenantId", "resourceType", "resourceKey"]
|
|
4757
|
+
},
|
|
4758
|
+
{ kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
|
|
4759
|
+
{ kind: "index", name: "by_status", columns: ["status"] },
|
|
4760
|
+
{
|
|
4761
|
+
kind: "index",
|
|
4762
|
+
name: "by_tenant_status",
|
|
4763
|
+
columns: ["tenantId", "status"]
|
|
4764
|
+
},
|
|
4765
|
+
{
|
|
4766
|
+
kind: "index",
|
|
4767
|
+
name: "by_ownerPrincipalId",
|
|
4768
|
+
columns: ["ownerPrincipalId"]
|
|
4769
|
+
}
|
|
4770
|
+
]
|
|
4771
|
+
});
|
|
4772
|
+
defineTable({
|
|
4773
|
+
name: "permitRoleAssignments",
|
|
4774
|
+
component: "control-plane",
|
|
4775
|
+
category: "access-control",
|
|
4776
|
+
shape: z.object({
|
|
4777
|
+
tenantId: z.string(),
|
|
4778
|
+
workspaceId: z.optional(z.string()),
|
|
4779
|
+
role: z.string(),
|
|
4780
|
+
targetType: permitRoleBindingTarget,
|
|
4781
|
+
targetId: z.string(),
|
|
4782
|
+
resourceType: z.string(),
|
|
4783
|
+
resourceKey: z.string(),
|
|
4784
|
+
resourceInstanceId: z.string().optional(),
|
|
4785
|
+
status: permitMembershipStatus,
|
|
4786
|
+
expiresAt: z.number().optional(),
|
|
4787
|
+
attributes: z.record(z.any()).optional(),
|
|
4788
|
+
grantedBy: z.string().optional(),
|
|
4789
|
+
updatedBy: z.string().optional(),
|
|
4790
|
+
revokedBy: z.string().optional(),
|
|
4791
|
+
createdAt: z.number(),
|
|
4792
|
+
updatedAt: z.number()
|
|
4793
|
+
}),
|
|
4794
|
+
indices: [
|
|
4795
|
+
{
|
|
4796
|
+
kind: "index",
|
|
4797
|
+
name: "by_tenant_target",
|
|
4798
|
+
columns: ["tenantId", "targetType", "targetId"]
|
|
4799
|
+
},
|
|
4800
|
+
{
|
|
4801
|
+
kind: "index",
|
|
4802
|
+
name: "by_tenant_resource",
|
|
4803
|
+
columns: ["tenantId", "resourceType", "resourceKey"]
|
|
4804
|
+
},
|
|
4805
|
+
{
|
|
4806
|
+
kind: "index",
|
|
4807
|
+
name: "by_tenant_role",
|
|
4808
|
+
columns: ["tenantId", "role", "status"]
|
|
4809
|
+
},
|
|
4810
|
+
{ kind: "index", name: "by_status", columns: ["status"] },
|
|
4811
|
+
{
|
|
4812
|
+
kind: "index",
|
|
4813
|
+
name: "by_workspace_resource",
|
|
4814
|
+
columns: ["workspaceId", "resourceType", "resourceKey"]
|
|
4815
|
+
}
|
|
4816
|
+
]
|
|
4817
|
+
});
|
|
4818
|
+
defineTable({
|
|
4819
|
+
name: "permitRelationshipTuples",
|
|
4820
|
+
component: "control-plane",
|
|
4821
|
+
category: "access-control",
|
|
4822
|
+
shape: z.object({
|
|
4823
|
+
tenantId: z.string(),
|
|
4824
|
+
workspaceId: z.optional(z.string()),
|
|
4825
|
+
relation: z.string(),
|
|
4826
|
+
subject: z.string(),
|
|
4827
|
+
object: z.string(),
|
|
4828
|
+
resourceType: z.string().optional(),
|
|
4829
|
+
resourceKey: z.string().optional(),
|
|
4830
|
+
status: permitRecordStatus,
|
|
4831
|
+
attributes: z.record(z.any()).optional(),
|
|
4832
|
+
createdBy: z.string(),
|
|
4833
|
+
createdAt: z.number(),
|
|
4834
|
+
updatedAt: z.number(),
|
|
4835
|
+
lastSeenAt: z.number().optional(),
|
|
4836
|
+
updatedBy: z.string().optional()
|
|
4837
|
+
}),
|
|
4838
|
+
indices: [
|
|
4839
|
+
{ kind: "index", name: "by_tenant_subject", columns: ["tenantId", "subject"] },
|
|
4840
|
+
{ kind: "index", name: "by_tenant_object", columns: ["tenantId", "object"] },
|
|
4841
|
+
{ kind: "index", name: "by_tenant_relation", columns: ["tenantId", "relation"] },
|
|
4842
|
+
{
|
|
4843
|
+
kind: "index",
|
|
4844
|
+
name: "by_tenant_relation_subject",
|
|
4845
|
+
columns: ["tenantId", "relation", "subject"]
|
|
4846
|
+
},
|
|
4847
|
+
{ kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] }
|
|
4848
|
+
]
|
|
4849
|
+
});
|
|
4850
|
+
defineTable({
|
|
4851
|
+
name: "permitAttributeBindings",
|
|
4852
|
+
component: "control-plane",
|
|
4853
|
+
category: "access-control",
|
|
4854
|
+
shape: z.object({
|
|
4855
|
+
tenantId: z.string(),
|
|
4856
|
+
workspaceId: z.optional(z.string()),
|
|
4857
|
+
targetType: permitRoleBindingTarget,
|
|
4858
|
+
targetId: z.string(),
|
|
4859
|
+
attributeName: z.string(),
|
|
4860
|
+
attributeType: permitAttributeType,
|
|
4861
|
+
attributeOperator: permitAttributeOperator,
|
|
4862
|
+
attributeValue: z.any(),
|
|
4863
|
+
status: permitRecordStatus,
|
|
4864
|
+
source: z.string().optional(),
|
|
4865
|
+
sourceRef: z.string().optional(),
|
|
4866
|
+
metadata: z.record(z.any()).optional(),
|
|
4867
|
+
createdAt: z.number(),
|
|
4868
|
+
updatedAt: z.number(),
|
|
4869
|
+
createdBy: z.string(),
|
|
4870
|
+
updatedBy: z.string().optional(),
|
|
4871
|
+
expiresAt: z.number().optional()
|
|
4872
|
+
}),
|
|
4873
|
+
indices: [
|
|
4874
|
+
{
|
|
4875
|
+
kind: "index",
|
|
4876
|
+
name: "by_tenant_target",
|
|
4877
|
+
columns: ["tenantId", "targetType", "targetId"]
|
|
4878
|
+
},
|
|
4879
|
+
{
|
|
4880
|
+
kind: "index",
|
|
4881
|
+
name: "by_tenant_target_attribute",
|
|
4882
|
+
columns: ["tenantId", "targetType", "targetId", "attributeName"]
|
|
4883
|
+
},
|
|
4884
|
+
{
|
|
4885
|
+
kind: "index",
|
|
4886
|
+
name: "by_tenant_name",
|
|
4887
|
+
columns: ["tenantId", "attributeName"]
|
|
4888
|
+
},
|
|
4889
|
+
{
|
|
4890
|
+
kind: "index",
|
|
4891
|
+
name: "by_tenant_status",
|
|
4892
|
+
columns: ["tenantId", "status"]
|
|
4893
|
+
}
|
|
4894
|
+
]
|
|
4895
|
+
});
|
|
4896
|
+
defineTable({
|
|
4897
|
+
name: "permitPolicyBundles",
|
|
4898
|
+
component: "control-plane",
|
|
4899
|
+
category: "access-control",
|
|
4900
|
+
shape: z.object({
|
|
4901
|
+
tenantId: z.string(),
|
|
4902
|
+
workspaceId: z.optional(z.string()),
|
|
4903
|
+
bundleKey: z.string(),
|
|
4904
|
+
version: z.number(),
|
|
4905
|
+
status: permitPolicyBundleStatus,
|
|
4906
|
+
policyHash: z.string().optional(),
|
|
4907
|
+
policyPayload: z.record(z.any()),
|
|
4908
|
+
metadata: z.record(z.any()).optional(),
|
|
4909
|
+
createdBy: z.string(),
|
|
4910
|
+
reviewedBy: z.string().optional(),
|
|
4911
|
+
createdAt: z.number(),
|
|
4912
|
+
updatedAt: z.number(),
|
|
4913
|
+
retiredAt: z.number().optional()
|
|
4914
|
+
}),
|
|
4915
|
+
indices: [
|
|
4916
|
+
{ kind: "index", name: "by_tenantId", columns: ["tenantId"] },
|
|
4917
|
+
{ kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
|
|
4918
|
+
{
|
|
4919
|
+
kind: "index",
|
|
4920
|
+
name: "by_tenant_bundleKey",
|
|
4921
|
+
columns: ["tenantId", "bundleKey"]
|
|
4922
|
+
},
|
|
4923
|
+
{
|
|
4924
|
+
kind: "index",
|
|
4925
|
+
name: "by_tenant_bundle_version",
|
|
4926
|
+
columns: ["tenantId", "bundleKey", "version"]
|
|
4927
|
+
},
|
|
4928
|
+
{ kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] }
|
|
4929
|
+
]
|
|
4930
|
+
});
|
|
4931
|
+
defineTable({
|
|
4932
|
+
name: "permitProjectionOutbox",
|
|
4933
|
+
component: "control-plane",
|
|
4934
|
+
category: "access-control",
|
|
4935
|
+
shape: z.object({
|
|
4936
|
+
syncKey: z.string(),
|
|
4937
|
+
objectType: permitObjectType,
|
|
4938
|
+
objectId: z.string(),
|
|
4939
|
+
operation: permitOutboxOperation,
|
|
4940
|
+
payload: z.record(z.any()),
|
|
4941
|
+
status: permitRecordStatus,
|
|
4942
|
+
attemptCount: z.number(),
|
|
4943
|
+
nextAttemptAt: z.number().optional(),
|
|
4944
|
+
lastError: z.string().optional(),
|
|
4945
|
+
tenantId: z.string().optional(),
|
|
4946
|
+
workspaceId: z.optional(z.string()),
|
|
4947
|
+
principalId: z.string().optional(),
|
|
4948
|
+
permitTenantKey: z.string().optional(),
|
|
4949
|
+
permitResourceType: z.string().optional(),
|
|
4950
|
+
permitResourceKey: z.string().optional(),
|
|
4951
|
+
createdAt: z.number(),
|
|
4952
|
+
updatedAt: z.number(),
|
|
4953
|
+
lastHandledAt: z.number().optional()
|
|
4954
|
+
}),
|
|
4955
|
+
indices: [
|
|
4956
|
+
{ kind: "index", name: "by_syncKey", columns: ["syncKey"] },
|
|
4957
|
+
{ kind: "index", name: "by_status", columns: ["status"] },
|
|
4958
|
+
{ kind: "index", name: "by_tenantId", columns: ["tenantId"] },
|
|
4959
|
+
{
|
|
4960
|
+
kind: "index",
|
|
4961
|
+
name: "by_tenant_status",
|
|
4962
|
+
columns: ["tenantId", "status"]
|
|
4963
|
+
},
|
|
4964
|
+
{
|
|
4965
|
+
kind: "index",
|
|
4966
|
+
name: "by_objectType",
|
|
4967
|
+
columns: ["objectType", "status"]
|
|
4968
|
+
}
|
|
4969
|
+
]
|
|
4970
|
+
});
|
|
4971
|
+
defineTable({
|
|
4972
|
+
name: "tenantPermitSyncStates",
|
|
4973
|
+
component: "control-plane",
|
|
4974
|
+
category: "access-control",
|
|
4975
|
+
shape: z.object({
|
|
4976
|
+
syncKey: z.string(),
|
|
4977
|
+
objectType: permitObjectType,
|
|
4978
|
+
objectId: z.string(),
|
|
4979
|
+
tenantId: z.string().optional(),
|
|
4980
|
+
workspaceId: z.string().optional(),
|
|
4981
|
+
principalId: z.string().optional(),
|
|
4982
|
+
permitTenantKey: z.string().optional(),
|
|
4983
|
+
permitResourceType: z.string().optional(),
|
|
4984
|
+
permitResourceKey: z.string().optional(),
|
|
4985
|
+
desiredPayload: z.record(z.any()),
|
|
4986
|
+
lastAppliedPayloadHash: z.string().optional(),
|
|
4987
|
+
status: permitSyncStatus,
|
|
4988
|
+
attemptCount: z.number(),
|
|
4989
|
+
lastError: z.string().optional(),
|
|
4990
|
+
nextAttemptAt: z.number().optional(),
|
|
4991
|
+
lastSyncedAt: z.number().optional(),
|
|
4992
|
+
createdBy: z.string(),
|
|
4993
|
+
updatedBy: z.string().optional(),
|
|
4994
|
+
createdAt: z.number(),
|
|
4995
|
+
updatedAt: z.number()
|
|
4996
|
+
}),
|
|
4997
|
+
indices: [
|
|
4998
|
+
{ kind: "index", name: "by_syncKey", columns: ["syncKey"] },
|
|
4999
|
+
{ kind: "index", name: "by_status", columns: ["status"] },
|
|
5000
|
+
{
|
|
5001
|
+
kind: "index",
|
|
5002
|
+
name: "by_tenant_status",
|
|
5003
|
+
columns: ["tenantId", "status"]
|
|
5004
|
+
},
|
|
5005
|
+
{
|
|
5006
|
+
kind: "index",
|
|
5007
|
+
name: "by_workspace_status",
|
|
5008
|
+
columns: ["workspaceId", "status"]
|
|
5009
|
+
},
|
|
5010
|
+
{
|
|
5011
|
+
kind: "index",
|
|
5012
|
+
name: "by_principal_status",
|
|
5013
|
+
columns: ["principalId", "status"]
|
|
5014
|
+
}
|
|
5015
|
+
]
|
|
5016
|
+
});
|
|
5017
|
+
defineTable({
|
|
5018
|
+
name: "permitPolicyDecisionReceipts",
|
|
5019
|
+
component: "control-plane",
|
|
5020
|
+
category: "access-control",
|
|
5021
|
+
shape: z.object({
|
|
5022
|
+
tenantId: z.string().optional(),
|
|
5023
|
+
workspaceId: z.string().optional(),
|
|
5024
|
+
principalId: z.string(),
|
|
5025
|
+
subjectType: permitAccessReviewSubjectType.optional(),
|
|
5026
|
+
subjectId: z.string().optional(),
|
|
5027
|
+
resourceType: z.string(),
|
|
5028
|
+
resourceId: z.string(),
|
|
5029
|
+
action: z.string(),
|
|
5030
|
+
decision: permitDecision,
|
|
5031
|
+
reasonCode: z.string(),
|
|
5032
|
+
policyBundleId: z.string().optional(),
|
|
5033
|
+
policyVersion: z.string(),
|
|
5034
|
+
traceId: z.string().optional(),
|
|
5035
|
+
requestId: z.string().optional(),
|
|
5036
|
+
audienceMode: z.string().optional(),
|
|
5037
|
+
audienceKey: z.string().optional(),
|
|
5038
|
+
audienceClass: z.enum(["internal", "restricted_external", "public"]).optional(),
|
|
5039
|
+
metadata: z.record(z.any()).optional(),
|
|
5040
|
+
createdAt: z.number(),
|
|
5041
|
+
expiresAt: z.number().optional(),
|
|
5042
|
+
createdBy: z.string().optional()
|
|
5043
|
+
}),
|
|
5044
|
+
indices: [
|
|
5045
|
+
{ kind: "index", name: "by_principal_createdAt", columns: ["principalId", "createdAt"] },
|
|
5046
|
+
{ kind: "index", name: "by_tenant_createdAt", columns: ["tenantId", "createdAt"] },
|
|
5047
|
+
{ kind: "index", name: "by_resource", columns: ["resourceType", "resourceId"] },
|
|
5048
|
+
{ kind: "index", name: "by_decision_createdAt", columns: ["decision", "createdAt"] },
|
|
5049
|
+
{ kind: "index", name: "by_traceId", columns: ["traceId"] },
|
|
5050
|
+
{ kind: "index", name: "by_action", columns: ["action"] }
|
|
5051
|
+
]
|
|
5052
|
+
});
|
|
5053
|
+
defineTable({
|
|
5054
|
+
name: "permitAccessReviews",
|
|
5055
|
+
component: "control-plane",
|
|
5056
|
+
category: "access-control",
|
|
5057
|
+
shape: z.object({
|
|
5058
|
+
tenantId: z.string(),
|
|
5059
|
+
workspaceId: z.optional(z.string()),
|
|
5060
|
+
reviewKey: z.string(),
|
|
5061
|
+
scope: permitReviewScope,
|
|
5062
|
+
status: permitAccessReviewStatus,
|
|
5063
|
+
subjectType: permitAccessReviewSubjectType,
|
|
5064
|
+
subjectId: z.string(),
|
|
5065
|
+
resourceType: z.string().optional(),
|
|
5066
|
+
resourceKey: z.string().optional(),
|
|
5067
|
+
outcome: z.enum(["allow", "deny"]).optional(),
|
|
5068
|
+
requestedBy: z.string(),
|
|
5069
|
+
reviewedBy: z.string().optional(),
|
|
5070
|
+
requestedAt: z.number(),
|
|
5071
|
+
reviewedAt: z.number().optional(),
|
|
5072
|
+
dueAt: z.number().optional(),
|
|
5073
|
+
justification: z.string().optional(),
|
|
5074
|
+
rationale: z.string().optional(),
|
|
5075
|
+
policyBundleId: z.string().optional(),
|
|
5076
|
+
metadata: z.record(z.any()).optional(),
|
|
5077
|
+
createdAt: z.number(),
|
|
5078
|
+
updatedAt: z.number()
|
|
5079
|
+
}),
|
|
5080
|
+
indices: [
|
|
5081
|
+
{ kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] },
|
|
5082
|
+
{ kind: "index", name: "by_tenant_reviewKey", columns: ["tenantId", "reviewKey"] },
|
|
5083
|
+
{ kind: "index", name: "by_subject", columns: ["subjectType", "subjectId"] },
|
|
5084
|
+
{
|
|
5085
|
+
kind: "index",
|
|
5086
|
+
name: "by_tenant_subject",
|
|
5087
|
+
columns: ["tenantId", "subjectType", "subjectId"]
|
|
5088
|
+
},
|
|
5089
|
+
{ kind: "index", name: "by_outcome", columns: ["outcome"] },
|
|
5090
|
+
{
|
|
5091
|
+
kind: "index",
|
|
5092
|
+
name: "by_workspace_status",
|
|
5093
|
+
columns: ["workspaceId", "status"]
|
|
5094
|
+
}
|
|
5095
|
+
]
|
|
5096
|
+
});
|
|
5097
|
+
defineTable({
|
|
5098
|
+
name: "permitAccessReviewItems",
|
|
5099
|
+
component: "control-plane",
|
|
5100
|
+
category: "access-control",
|
|
5101
|
+
shape: z.object({
|
|
5102
|
+
reviewKey: z.string(),
|
|
5103
|
+
itemKey: z.string(),
|
|
5104
|
+
tenantId: z.string(),
|
|
5105
|
+
workspaceId: z.string().optional(),
|
|
5106
|
+
subjectType: permitAccessReviewSubjectType,
|
|
5107
|
+
subjectId: z.string(),
|
|
5108
|
+
resourceType: z.string().optional(),
|
|
5109
|
+
resourceKey: z.string().optional(),
|
|
5110
|
+
role: z.string().optional(),
|
|
5111
|
+
relation: z.string().optional(),
|
|
5112
|
+
status: z.enum(["open", "approved", "revoked", "changed", "deferred"]),
|
|
5113
|
+
reviewerId: z.string().optional(),
|
|
5114
|
+
decisionAt: z.number().optional(),
|
|
5115
|
+
rationale: z.string().optional(),
|
|
5116
|
+
metadata: z.record(z.any()).optional(),
|
|
5117
|
+
createdAt: z.number(),
|
|
5118
|
+
updatedAt: z.number()
|
|
5119
|
+
}),
|
|
5120
|
+
indices: [
|
|
5121
|
+
{ kind: "index", name: "by_reviewKey", columns: ["reviewKey"] },
|
|
5122
|
+
{ kind: "index", name: "by_tenant_reviewKey", columns: ["tenantId", "reviewKey"] },
|
|
5123
|
+
{ kind: "index", name: "by_tenant_itemKey", columns: ["tenantId", "itemKey"] },
|
|
5124
|
+
{ kind: "index", name: "by_subject", columns: ["subjectType", "subjectId"] },
|
|
5125
|
+
{ kind: "index", name: "by_status", columns: ["status"] }
|
|
5126
|
+
]
|
|
5127
|
+
});
|
|
4214
5128
|
defineTable({
|
|
4215
5129
|
name: "reasoningPermissions",
|
|
4216
|
-
component: "
|
|
5130
|
+
component: "control-plane",
|
|
4217
5131
|
category: "epistemic",
|
|
4218
5132
|
shape: z.object({
|
|
4219
5133
|
"topicId": z.string().optional(),
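Review bot: Several indexes on the new access-control tables are not tenant-scoped even though every row carries a required `tenantId`: `by_member_group` on `permitGroupMemberships`, `by_principalId` on `permitPrincipalAliases`, `by_ownerPrincipalId` on `permitResourceInstances`, and `by_subject` on both review tables. Unless principal, group and subject ids are guaranteed globally unique, a lookup through one of these returns rows from every tenant and relies on the caller to filter. Leading each with `tenantId` would keep membership and ownership resolution inside one tenant, and `by_member_group` could simply be dropped because `by_tenant_member_group` already covers it. Separately, `permitRelationshipTuples` and `permitAttributeBindings` use `status: permitRecordStatus` (`queued` … `stale`), which reads like the outbox lifecycle and has no value that marks a grant revoked. If that is unintended, `permitMembershipStatus` looks like the better fit; this file is bundled output, so confirm against the source it was built from.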
|
|
@@ -4460,7 +5374,7 @@ defineTable({
|
|
|
4460
5374
|
});
|
|
4461
5375
|
defineTable({
|
|
4462
5376
|
name: "users",
|
|
4463
|
-
component: "
|
|
5377
|
+
component: "control-plane",
|
|
4464
5378
|
category: "user",
|
|
4465
5379
|
shape: z.object({
|
|
4466
5380
|
"clerkId": z.string(),
|
|
@@ -4574,7 +5488,6 @@ defineTable({
|
|
|
4574
5488
|
"deployments": z.record(z.object({
|
|
4575
5489
|
"url": z.string(),
|
|
4576
5490
|
"target": z.enum(["kernelDeployment", "appDeployment"]).optional(),
|
|
4577
|
-
"encryptedDeployKey": z.string().optional(),
|
|
4578
5491
|
"credentialRef": z.string().optional()
|
|
4579
5492
|
})).optional(),
|
|
4580
5493
|
"metadata": z.record(z.any()).optional(),
|
|
@@ -4589,6 +5502,39 @@ defineTable({
|
|
|
4589
5502
|
{ kind: "index", name: "by_status", columns: ["status"] }
|
|
4590
5503
|
]
|
|
4591
5504
|
});
|
|
5505
|
+
defineTable({
|
|
5506
|
+
name: "deploymentHosts",
|
|
5507
|
+
component: "mc",
|
|
5508
|
+
category: "workspace",
|
|
5509
|
+
shape: z.object({
|
|
5510
|
+
"host": z.string(),
|
|
5511
|
+
"tenantId": idOf("tenants"),
|
|
5512
|
+
"workspaceId": idOf("workspaces"),
|
|
5513
|
+
"environment": z.enum(["dev", "staging", "prod"]),
|
|
5514
|
+
"target": z.enum(["kernelDeployment", "appDeployment"]),
|
|
5515
|
+
"deploymentUrl": z.string().optional(),
|
|
5516
|
+
"deploymentName": z.string().optional(),
|
|
5517
|
+
"vercelProjectName": z.string().optional(),
|
|
5518
|
+
"vercelProjectId": z.string().optional(),
|
|
5519
|
+
"vercelEnvironment": z.enum(["development", "preview", "staging", "production"]).optional(),
|
|
5520
|
+
"source": z.enum(["vercel_preview", "vercel_production", "vercel_custom_environment", "custom_domain", "manual"]),
|
|
5521
|
+
"status": z.enum(["active", "revoked"]),
|
|
5522
|
+
"metadata": z.record(z.any()).optional(),
|
|
5523
|
+
"createdBy": z.string(),
|
|
5524
|
+
"createdAt": z.number(),
|
|
5525
|
+
"updatedAt": z.number(),
|
|
5526
|
+
"revokedAt": z.number().optional(),
|
|
5527
|
+
"revokedBy": z.string().optional()
|
|
5528
|
+
}),
|
|
5529
|
+
indices: [
|
|
5530
|
+
{ kind: "index", name: "by_host", columns: ["host"] },
|
|
5531
|
+
{ kind: "index", name: "by_tenantId", columns: ["tenantId"] },
|
|
5532
|
+
{ kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
|
|
5533
|
+
{ kind: "index", name: "by_tenant_workspace_environment", columns: ["tenantId", "workspaceId", "environment"] },
|
|
5534
|
+
{ kind: "index", name: "by_workspace_status", columns: ["workspaceId", "status"] },
|
|
5535
|
+
{ kind: "index", name: "by_status", columns: ["status"] }
|
|
5536
|
+
]
|
|
5537
|
+
});
|
|
4592
5538
|
defineTable({
|
|
4593
5539
|
name: "worktreeBeliefCluster",
|
|
4594
5540
|
component: "kernel",
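Review bot: `deploymentHosts` is declared with `component: "mc"`, while every other table touched in this diff moves to `"control-plane"` and the manifest schema further down now accepts only `componentName: z.enum(["kernel", "control-plane"])`. If `defineTable` or manifest generation validates against that enum, this table would be rejected or left out of the control-plane manifest; `component: "control-plane",` would match the rest. The table also resolves a `host` string to a tenant and workspace through `by_host`, but the schema only says `z.string()`. It is worth documenting, and enforcing at write time, that `host` is stored normalised (lower-case, no port or trailing dot) so that two spellings of one hostname cannot map to different tenants.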
|
|
@@ -4896,8 +5842,8 @@ defineTable({
|
|
|
4896
5842
|
});
|
|
4897
5843
|
z.object({
|
|
4898
5844
|
manifestVersion: z.string(),
|
|
4899
|
-
componentName: z.enum(["kernel", "
|
|
4900
|
-
tier: z.enum(["K", "
|
|
5845
|
+
componentName: z.enum(["kernel", "control-plane"]),
|
|
5846
|
+
tier: z.enum(["K", "CP"]),
|
|
4901
5847
|
packageVersion: z.string(),
|
|
4902
5848
|
tables: z.array(
|
|
4903
5849
|
z.object({
|
|
@@ -5033,119 +5979,984 @@ var TENANT_CLIENT_INSTALLABLE_PACKAGES = [
|
|
|
5033
5979
|
directTenantImport: false
|
|
5034
5980
|
},
|
|
5035
5981
|
{
|
|
5036
|
-
packageName: "@lucern/auth",
|
|
5037
|
-
role: "sdk_dependency",
|
|
5038
|
-
directTenantImport: false
|
|
5982
|
+
packageName: "@lucern/auth",
|
|
5983
|
+
role: "sdk_dependency",
|
|
5984
|
+
directTenantImport: false
|
|
5985
|
+
},
|
|
5986
|
+
{
|
|
5987
|
+
packageName: "@lucern/cli",
|
|
5988
|
+
role: "developer_tool",
|
|
5989
|
+
directTenantImport: false
|
|
5990
|
+
},
|
|
5991
|
+
{
|
|
5992
|
+
packageName: "@lucern/client-core",
|
|
5993
|
+
role: "sdk_dependency",
|
|
5994
|
+
directTenantImport: false
|
|
5995
|
+
},
|
|
5996
|
+
{
|
|
5997
|
+
packageName: "@lucern/confidence",
|
|
5998
|
+
role: "sdk_dependency",
|
|
5999
|
+
directTenantImport: false
|
|
6000
|
+
},
|
|
6001
|
+
{
|
|
6002
|
+
packageName: "@lucern/config",
|
|
6003
|
+
role: "configuration",
|
|
6004
|
+
directTenantImport: false
|
|
6005
|
+
},
|
|
6006
|
+
{
|
|
6007
|
+
packageName: "@lucern/contracts",
|
|
6008
|
+
role: "contract_entrypoint",
|
|
6009
|
+
directTenantImport: true
|
|
6010
|
+
},
|
|
6011
|
+
{
|
|
6012
|
+
packageName: "@lucern/control-plane",
|
|
6013
|
+
role: "component_runtime",
|
|
6014
|
+
directTenantImport: false
|
|
6015
|
+
},
|
|
6016
|
+
{
|
|
6017
|
+
packageName: "@lucern/developer-kit",
|
|
6018
|
+
role: "developer_tool",
|
|
6019
|
+
directTenantImport: false
|
|
6020
|
+
},
|
|
6021
|
+
{
|
|
6022
|
+
packageName: "@lucern/events",
|
|
6023
|
+
role: "sdk_dependency",
|
|
6024
|
+
directTenantImport: false
|
|
6025
|
+
},
|
|
6026
|
+
{
|
|
6027
|
+
packageName: "@lucern/graph-primitives",
|
|
6028
|
+
role: "sdk_dependency",
|
|
6029
|
+
directTenantImport: false
|
|
6030
|
+
},
|
|
6031
|
+
{
|
|
6032
|
+
packageName: "@lucern/graph-sync",
|
|
6033
|
+
role: "host_addon_runtime",
|
|
6034
|
+
directTenantImport: true
|
|
6035
|
+
},
|
|
6036
|
+
{
|
|
6037
|
+
packageName: "@lucern/mcp",
|
|
6038
|
+
role: "runtime_entrypoint",
|
|
6039
|
+
directTenantImport: true
|
|
6040
|
+
},
|
|
6041
|
+
{
|
|
6042
|
+
packageName: "@lucern/pack-host",
|
|
6043
|
+
role: "platform_runtime",
|
|
6044
|
+
directTenantImport: false
|
|
6045
|
+
},
|
|
6046
|
+
{
|
|
6047
|
+
packageName: "@lucern/pack-installer",
|
|
6048
|
+
role: "developer_tool",
|
|
6049
|
+
directTenantImport: false
|
|
6050
|
+
},
|
|
6051
|
+
{
|
|
6052
|
+
packageName: "@lucern/proof-compiler",
|
|
6053
|
+
role: "developer_tool",
|
|
6054
|
+
directTenantImport: false
|
|
6055
|
+
},
|
|
6056
|
+
{
|
|
6057
|
+
packageName: "@lucern/react",
|
|
6058
|
+
role: "runtime_entrypoint",
|
|
6059
|
+
directTenantImport: true
|
|
6060
|
+
},
|
|
6061
|
+
{
|
|
6062
|
+
packageName: "@lucern/reasoning-kernel",
|
|
6063
|
+
role: "component_runtime",
|
|
6064
|
+
directTenantImport: false
|
|
6065
|
+
},
|
|
6066
|
+
{
|
|
6067
|
+
packageName: "@lucern/sdk",
|
|
6068
|
+
role: "runtime_entrypoint",
|
|
6069
|
+
directTenantImport: true
|
|
6070
|
+
},
|
|
6071
|
+
{
|
|
6072
|
+
packageName: "@lucern/secrets",
|
|
6073
|
+
role: "sdk_dependency",
|
|
6074
|
+
directTenantImport: false
|
|
6075
|
+
},
|
|
6076
|
+
{
|
|
6077
|
+
packageName: "@lucern/server-core",
|
|
6078
|
+
role: "platform_runtime",
|
|
6079
|
+
directTenantImport: false
|
|
6080
|
+
},
|
|
6081
|
+
{
|
|
6082
|
+
packageName: "@lucern/testing",
|
|
6083
|
+
role: "test_support",
|
|
6084
|
+
directTenantImport: false
|
|
6085
|
+
},
|
|
6086
|
+
{
|
|
6087
|
+
packageName: "@lucern/types",
|
|
6088
|
+
role: "contract_entrypoint",
|
|
6089
|
+
directTenantImport: true
|
|
6090
|
+
}
|
|
6091
|
+
];
|
|
6092
|
+
TENANT_CLIENT_INSTALLABLE_PACKAGES.map(
|
|
6093
|
+
(entry) => entry.packageName
|
|
6094
|
+
);
|
|
6095
|
+
|
|
6096
|
+
// ../contracts/src/infisical-runtime.contract.ts
|
|
6097
|
+
var INFISICAL_TENANT_SOFTWARE_SYSTEMS = [
|
|
6098
|
+
{
|
|
6099
|
+
id: "stack-frontend",
|
|
6100
|
+
tenantKey: "stack",
|
|
6101
|
+
workspaceKey: "frontend",
|
|
6102
|
+
vercelProjectName: "ai-chatbot-diao",
|
|
6103
|
+
vercelTeamId: "team_mZBKwvXSSu7qxrWdg2go29sK",
|
|
6104
|
+
vercelProjectId: "prj_PihFw8kohSSw14nZs9YQV3xVo517",
|
|
6105
|
+
repository: {
|
|
6106
|
+
owner: "stack-vc",
|
|
6107
|
+
name: "front-end"
|
|
6108
|
+
},
|
|
6109
|
+
sharedSourcePath: "/tenants/stack",
|
|
6110
|
+
sharedVariablePolicy: "tenant_shared_all_systems",
|
|
6111
|
+
convex: {
|
|
6112
|
+
urlEnv: "CONVEX_FRONTEND_URL",
|
|
6113
|
+
deployKeyEnv: "CONVEX_FRONTEND_DEPLOY_KEY",
|
|
6114
|
+
preprodDeployment: "rugged-lobster-664",
|
|
6115
|
+
prodDeployment: "wonderful-toucan-0"
|
|
6116
|
+
}
|
|
6117
|
+
},
|
|
6118
|
+
{
|
|
6119
|
+
id: "stackos",
|
|
6120
|
+
tenantKey: "stack",
|
|
6121
|
+
workspaceKey: "stackos",
|
|
6122
|
+
vercelProjectName: "stackos",
|
|
6123
|
+
vercelTeamId: "team_mZBKwvXSSu7qxrWdg2go29sK",
|
|
6124
|
+
vercelProjectId: "prj_rXLAL0Z6v9p1fasKbomby6GI7kau",
|
|
6125
|
+
repository: {
|
|
6126
|
+
owner: "stack-vc",
|
|
6127
|
+
name: "stackos"
|
|
6128
|
+
},
|
|
6129
|
+
sharedSourcePath: "/tenants/stack",
|
|
6130
|
+
sharedVariablePolicy: "tenant_shared_all_systems",
|
|
6131
|
+
convex: {
|
|
6132
|
+
urlEnv: "CONVEX_STACKOS_URL",
|
|
6133
|
+
deployKeyEnv: "CONVEX_STACKOS_DEPLOY_KEY",
|
|
6134
|
+
preprodDeployment: "giant-mandrill-761",
|
|
6135
|
+
prodDeployment: "good-snake-515"
|
|
6136
|
+
}
|
|
6137
|
+
},
|
|
6138
|
+
{
|
|
6139
|
+
id: "stack-eng",
|
|
6140
|
+
tenantKey: "stack",
|
|
6141
|
+
workspaceKey: "engineering",
|
|
6142
|
+
vercelProjectName: "stackos-engineering-graph",
|
|
6143
|
+
vercelTeamId: "team_mZBKwvXSSu7qxrWdg2go29sK",
|
|
6144
|
+
vercelProjectId: "prj_zAU0Zn9GkbHjHI63dxW4vLpmoqTJ",
|
|
6145
|
+
repository: {
|
|
6146
|
+
owner: "stack-vc",
|
|
6147
|
+
name: "stackos-engineering-graph"
|
|
6148
|
+
},
|
|
6149
|
+
sharedSourcePath: "/tenants/stack/engineering",
|
|
6150
|
+
sharedVariablePolicy: "tenant_shared_all_systems",
|
|
6151
|
+
convex: {
|
|
6152
|
+
urlEnv: "CONVEX_STACK_ENG_URL",
|
|
6153
|
+
deployKeyEnv: "CONVEX_STACK_ENG_DEPLOY_KEY",
|
|
6154
|
+
preprodDeployment: "small-oyster-270",
|
|
6155
|
+
prodDeployment: "bold-cuttlefish-804"
|
|
6156
|
+
}
|
|
6157
|
+
},
|
|
6158
|
+
{
|
|
6159
|
+
id: "lucern-graph",
|
|
6160
|
+
tenantKey: "lucern",
|
|
6161
|
+
workspaceKey: "lucern",
|
|
6162
|
+
vercelProjectName: "lucern-graph",
|
|
6163
|
+
vercelTeamId: "team_vTHxxs8GAoAFUe6RWMlYt7fY",
|
|
6164
|
+
vercelProjectId: "prj_KJ8EKV8vGM5xURpqmwTwmECEGPgQ",
|
|
6165
|
+
repository: {
|
|
6166
|
+
owner: "LucernAI",
|
|
6167
|
+
name: "lucern-graph"
|
|
6168
|
+
},
|
|
6169
|
+
sharedSourcePath: "/tenants/lucern/shared",
|
|
6170
|
+
sharedVariablePolicy: "tenant_shared_all_systems",
|
|
6171
|
+
convex: {
|
|
6172
|
+
urlEnv: "CONVEX_LUCERN_URL",
|
|
6173
|
+
deployKeyEnv: "CONVEX_LUCERN_DEPLOY_KEY",
|
|
6174
|
+
preprodDeployment: "good-blackbird-774",
|
|
6175
|
+
prodDeployment: "precious-dog-365"
|
|
6176
|
+
}
|
|
6177
|
+
}
|
|
6178
|
+
];
|
|
6179
|
+
var TENANT_SHARED_SECRET_DEFINITION_TEMPLATES = [
|
|
6180
|
+
{
|
|
6181
|
+
idSuffix: "clerk.publishable",
|
|
6182
|
+
canonicalName: "NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY",
|
|
6183
|
+
aliases: ["CLERK_PUBLISHABLE_KEY"],
|
|
6184
|
+
required: true,
|
|
6185
|
+
secret: false,
|
|
6186
|
+
public: true,
|
|
6187
|
+
description: "Tenant-owned Clerk browser key. For Stack this is the master clerk.stack.vc project shared by front-end, StackOS, and the engineering workspace."
|
|
6188
|
+
},
|
|
6189
|
+
{
|
|
6190
|
+
idSuffix: "clerk.secret",
|
|
6191
|
+
canonicalName: "CLERK_SECRET_KEY",
|
|
6192
|
+
required: true,
|
|
6193
|
+
secret: true,
|
|
6194
|
+
public: false,
|
|
6195
|
+
description: "Tenant-owned Clerk backend secret used only by that tenant's server runtimes."
|
|
6196
|
+
},
|
|
6197
|
+
{
|
|
6198
|
+
idSuffix: "clerk.project",
|
|
6199
|
+
canonicalName: "CLERK_PROJECT_ID",
|
|
6200
|
+
required: true,
|
|
6201
|
+
secret: false,
|
|
6202
|
+
public: false,
|
|
6203
|
+
description: "Tenant-owned Clerk project id used to resolve canonical Clerk aliases."
|
|
6204
|
+
},
|
|
6205
|
+
{
|
|
6206
|
+
idSuffix: "clerk.jwks",
|
|
6207
|
+
canonicalName: "CLERK_JWT_ISSUER_DOMAIN",
|
|
6208
|
+
aliases: ["CLERK_ISSUER_URL", "CLERK_JWKS_URL"],
|
|
6209
|
+
required: false,
|
|
6210
|
+
secret: false,
|
|
6211
|
+
public: false,
|
|
6212
|
+
description: "Tenant Clerk issuer/JWKS URL consumed by Convex auth.config.ts."
|
|
6213
|
+
},
|
|
6214
|
+
{
|
|
6215
|
+
idSuffix: "clerk.jwt-key",
|
|
6216
|
+
canonicalName: "CLERK_JWT_KEY",
|
|
6217
|
+
required: false,
|
|
6218
|
+
secret: true,
|
|
6219
|
+
public: false,
|
|
6220
|
+
description: "Tenant Clerk JWT public verification key used by bearer-token API routes."
|
|
6221
|
+
},
|
|
6222
|
+
{
|
|
6223
|
+
idSuffix: "clerk.authorized-parties",
|
|
6224
|
+
canonicalName: "CLERK_AUTHORIZED_PARTIES",
|
|
6225
|
+
aliases: ["CLERK_MOBILE_AUTHORIZED_PARTIES"],
|
|
6226
|
+
required: false,
|
|
6227
|
+
secret: false,
|
|
6228
|
+
public: false,
|
|
6229
|
+
description: "Comma-separated Clerk authorized parties for browser and mobile bearer-token validation."
|
|
6230
|
+
},
|
|
6231
|
+
{
|
|
6232
|
+
idSuffix: "clerk.sign-in-url",
|
|
6233
|
+
canonicalName: "NEXT_PUBLIC_CLERK_SIGN_IN_URL",
|
|
6234
|
+
required: false,
|
|
6235
|
+
secret: false,
|
|
6236
|
+
public: true,
|
|
6237
|
+
description: "Tenant Clerk sign-in route for custom app login surfaces."
|
|
6238
|
+
},
|
|
6239
|
+
{
|
|
6240
|
+
idSuffix: "clerk.sign-up-url",
|
|
6241
|
+
canonicalName: "NEXT_PUBLIC_CLERK_SIGN_UP_URL",
|
|
6242
|
+
required: false,
|
|
6243
|
+
secret: false,
|
|
6244
|
+
public: true,
|
|
6245
|
+
description: "Tenant Clerk sign-up route for custom app login surfaces."
|
|
6246
|
+
}
|
|
6247
|
+
];
|
|
6248
|
+
INFISICAL_TENANT_SOFTWARE_SYSTEMS.flatMap(
|
|
6249
|
+
(system) => TENANT_SHARED_SECRET_DEFINITION_TEMPLATES.map(
|
|
6250
|
+
(template) => ({
|
|
6251
|
+
id: `tenant.${system.id}.${template.idSuffix}`,
|
|
6252
|
+
canonicalName: template.canonicalName,
|
|
6253
|
+
aliases: "aliases" in template ? template.aliases : void 0,
|
|
6254
|
+
owner: "tenant",
|
|
6255
|
+
scope: "tenant",
|
|
6256
|
+
sourcePath: system.sharedSourcePath,
|
|
6257
|
+
environmentPolicy: "environment_specific",
|
|
6258
|
+
required: template.required,
|
|
6259
|
+
secret: template.secret,
|
|
6260
|
+
public: template.public,
|
|
6261
|
+
consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
|
|
6262
|
+
destinations: [
|
|
6263
|
+
{
|
|
6264
|
+
kind: "vercel",
|
|
6265
|
+
target: system.vercelProjectName,
|
|
6266
|
+
environmentPolicy: "preprod_staging_prod_prod"
|
|
6267
|
+
},
|
|
6268
|
+
{
|
|
6269
|
+
kind: "convex",
|
|
6270
|
+
target: `${system.convex.preprodDeployment}|${system.convex.prodDeployment}`,
|
|
6271
|
+
environmentPolicy: "preprod_staging_prod_prod"
|
|
6272
|
+
}
|
|
6273
|
+
],
|
|
6274
|
+
description: `${system.tenantKey}/${system.workspaceKey}: ${template.description}`
|
|
6275
|
+
})
|
|
6276
|
+
)
|
|
6277
|
+
);
|
|
6278
|
+
INFISICAL_TENANT_SOFTWARE_SYSTEMS.map(
|
|
6279
|
+
(system) => ({
|
|
6280
|
+
id: `tenant.${system.id}.install-lucern-npm`,
|
|
6281
|
+
canonicalName: "INSTALL_LUCERN_NPM",
|
|
6282
|
+
owner: "provider",
|
|
6283
|
+
scope: "global",
|
|
6284
|
+
sourcePath: "/tenants/shared",
|
|
6285
|
+
environmentPolicy: "same_all_environments",
|
|
6286
|
+
required: true,
|
|
6287
|
+
secret: true,
|
|
6288
|
+
public: false,
|
|
6289
|
+
consumers: ["tenant-vercel-app", "tenant-deploy-tooling"],
|
|
6290
|
+
destinations: [
|
|
6291
|
+
{
|
|
6292
|
+
kind: "vercel",
|
|
6293
|
+
target: system.vercelProjectName,
|
|
6294
|
+
environmentPolicy: "same_all_environments"
|
|
6295
|
+
},
|
|
6296
|
+
{
|
|
6297
|
+
kind: "github_actions",
|
|
6298
|
+
target: `${system.repository.owner}/${system.repository.name}`,
|
|
6299
|
+
environmentPolicy: "same_all_environments"
|
|
6300
|
+
}
|
|
6301
|
+
],
|
|
6302
|
+
description: `${system.tenantKey}/${system.workspaceKey}: read-only npm install token for published @lucern/* packages.`
|
|
6303
|
+
})
|
|
6304
|
+
);
|
|
6305
|
+
var TENANT_PRODUCT_SOFTWARE_SYSTEM_IDS = ["stack-frontend", "stackos"];
|
|
6306
|
+
var TENANT_PRODUCT_RUNTIME_SECRET_DEFINITION_TEMPLATES = [
|
|
6307
|
+
{
|
|
6308
|
+
idSuffix: "ai.openai-api-key",
|
|
6309
|
+
canonicalName: "OPENAI_API_KEY",
|
|
6310
|
+
required: false,
|
|
6311
|
+
secret: true,
|
|
6312
|
+
public: false,
|
|
6313
|
+
consumers: ["tenant-vercel-app", "tenant-convex-deployment", "tenant-ai-runtime"],
|
|
6314
|
+
description: "Tenant-owned OpenAI key for product runtime LLM calls."
|
|
6315
|
+
},
|
|
6316
|
+
{
|
|
6317
|
+
idSuffix: "ai.anthropic-api-key",
|
|
6318
|
+
canonicalName: "ANTHROPIC_API_KEY",
|
|
6319
|
+
required: false,
|
|
6320
|
+
secret: true,
|
|
6321
|
+
public: false,
|
|
6322
|
+
consumers: ["tenant-vercel-app", "tenant-convex-deployment", "tenant-ai-runtime"],
|
|
6323
|
+
description: "Tenant-owned Anthropic key for product runtime LLM calls."
|
|
6324
|
+
},
|
|
6325
|
+
{
|
|
6326
|
+
idSuffix: "ai.gemini-api-key",
|
|
6327
|
+
canonicalName: "GEMINI_API_KEY",
|
|
6328
|
+
aliases: ["GOOGLE_AI_API_KEY", "GOOGLE_GENERATIVE_AI_API_KEY"],
|
|
6329
|
+
required: false,
|
|
6330
|
+
secret: true,
|
|
6331
|
+
public: false,
|
|
6332
|
+
consumers: ["tenant-vercel-app", "tenant-convex-deployment", "tenant-ai-runtime"],
|
|
6333
|
+
description: "Tenant-owned Google/Gemini key for product runtime LLM calls."
|
|
6334
|
+
},
|
|
6335
|
+
{
|
|
6336
|
+
idSuffix: "langfuse.secret-key",
|
|
6337
|
+
canonicalName: "LANGFUSE_SECRET_KEY",
|
|
6338
|
+
required: false,
|
|
6339
|
+
secret: true,
|
|
6340
|
+
public: false,
|
|
6341
|
+
consumers: [
|
|
6342
|
+
"tenant-vercel-app",
|
|
6343
|
+
"tenant-convex-deployment",
|
|
6344
|
+
"tenant-observability"
|
|
6345
|
+
],
|
|
6346
|
+
description: "Tenant-owned Langfuse secret key for product AI tracing."
|
|
6347
|
+
},
|
|
6348
|
+
{
|
|
6349
|
+
idSuffix: "langfuse.public-key",
|
|
6350
|
+
canonicalName: "LANGFUSE_PUBLIC_KEY",
|
|
6351
|
+
required: false,
|
|
6352
|
+
secret: false,
|
|
6353
|
+
public: false,
|
|
6354
|
+
consumers: [
|
|
6355
|
+
"tenant-vercel-app",
|
|
6356
|
+
"tenant-convex-deployment",
|
|
6357
|
+
"tenant-observability"
|
|
6358
|
+
],
|
|
6359
|
+
description: "Tenant-owned Langfuse public key for product AI tracing."
|
|
6360
|
+
},
|
|
6361
|
+
{
|
|
6362
|
+
idSuffix: "langfuse.base-url",
|
|
6363
|
+
canonicalName: "LANGFUSE_BASE_URL",
|
|
6364
|
+
aliases: ["LANGFUSE_BASEURL", "LANGFUSE_HOST"],
|
|
6365
|
+
required: false,
|
|
6366
|
+
secret: false,
|
|
6367
|
+
public: false,
|
|
6368
|
+
consumers: [
|
|
6369
|
+
"tenant-vercel-app",
|
|
6370
|
+
"tenant-convex-deployment",
|
|
6371
|
+
"tenant-observability"
|
|
6372
|
+
],
|
|
6373
|
+
description: "Tenant-owned Langfuse API origin."
|
|
6374
|
+
},
|
|
6375
|
+
{
|
|
6376
|
+
idSuffix: "graph.neo4j-uri",
|
|
6377
|
+
canonicalName: "NEO4J_URI",
|
|
6378
|
+
required: false,
|
|
6379
|
+
secret: false,
|
|
6380
|
+
public: false,
|
|
6381
|
+
consumers: [
|
|
6382
|
+
"tenant-vercel-app",
|
|
6383
|
+
"tenant-convex-deployment",
|
|
6384
|
+
"tenant-graph-sync"
|
|
6385
|
+
],
|
|
6386
|
+
description: "Tenant-owned Neo4j URI for product graph-sync."
|
|
6387
|
+
},
|
|
6388
|
+
{
|
|
6389
|
+
idSuffix: "graph.neo4j-user",
|
|
6390
|
+
canonicalName: "NEO4J_USER",
|
|
6391
|
+
aliases: ["NEO4J_USERNAME"],
|
|
6392
|
+
required: false,
|
|
6393
|
+
secret: false,
|
|
6394
|
+
public: false,
|
|
6395
|
+
consumers: [
|
|
6396
|
+
"tenant-vercel-app",
|
|
6397
|
+
"tenant-convex-deployment",
|
|
6398
|
+
"tenant-graph-sync"
|
|
6399
|
+
],
|
|
6400
|
+
description: "Tenant-owned Neo4j user for product graph-sync."
|
|
6401
|
+
},
|
|
6402
|
+
{
|
|
6403
|
+
idSuffix: "graph.neo4j-password",
|
|
6404
|
+
canonicalName: "NEO4J_PASSWORD",
|
|
6405
|
+
required: false,
|
|
6406
|
+
secret: true,
|
|
6407
|
+
public: false,
|
|
6408
|
+
consumers: [
|
|
6409
|
+
"tenant-vercel-app",
|
|
6410
|
+
"tenant-convex-deployment",
|
|
6411
|
+
"tenant-graph-sync"
|
|
6412
|
+
],
|
|
6413
|
+
description: "Tenant-owned Neo4j password for product graph-sync."
|
|
6414
|
+
},
|
|
6415
|
+
{
|
|
6416
|
+
idSuffix: "graph.neo4j-sync-secret",
|
|
6417
|
+
canonicalName: "NEO4J_SYNC_SECRET",
|
|
6418
|
+
required: false,
|
|
6419
|
+
secret: true,
|
|
6420
|
+
public: false,
|
|
6421
|
+
consumers: [
|
|
6422
|
+
"tenant-vercel-app",
|
|
6423
|
+
"tenant-convex-deployment",
|
|
6424
|
+
"tenant-graph-sync"
|
|
6425
|
+
],
|
|
6426
|
+
description: "Tenant-owned shared secret for product Convex-to-HTTP graph-sync calls."
|
|
5039
6427
|
},
|
|
5040
6428
|
{
|
|
5041
|
-
|
|
5042
|
-
|
|
5043
|
-
|
|
6429
|
+
idSuffix: "graph.neo4j-database",
|
|
6430
|
+
canonicalName: "NEO4J_DATABASE",
|
|
6431
|
+
required: false,
|
|
6432
|
+
secret: false,
|
|
6433
|
+
public: false,
|
|
6434
|
+
consumers: [
|
|
6435
|
+
"tenant-vercel-app",
|
|
6436
|
+
"tenant-convex-deployment",
|
|
6437
|
+
"tenant-graph-sync"
|
|
6438
|
+
],
|
|
6439
|
+
description: "Tenant-owned Neo4j database name for product graph-sync."
|
|
5044
6440
|
},
|
|
5045
6441
|
{
|
|
5046
|
-
|
|
5047
|
-
|
|
5048
|
-
|
|
6442
|
+
idSuffix: "vector.pinecone-api-key",
|
|
6443
|
+
canonicalName: "PINECONE_API_KEY",
|
|
6444
|
+
required: false,
|
|
6445
|
+
secret: true,
|
|
6446
|
+
public: false,
|
|
6447
|
+
consumers: [
|
|
6448
|
+
"tenant-vercel-app",
|
|
6449
|
+
"tenant-convex-deployment",
|
|
6450
|
+
"tenant-vector-store"
|
|
6451
|
+
],
|
|
6452
|
+
description: "Tenant-owned Pinecone API key for product vector search."
|
|
5049
6453
|
},
|
|
5050
6454
|
{
|
|
5051
|
-
|
|
5052
|
-
|
|
5053
|
-
|
|
6455
|
+
idSuffix: "vector.pinecone-index-name",
|
|
6456
|
+
canonicalName: "PINECONE_INDEX_NAME",
|
|
6457
|
+
aliases: ["PINECONE_INDEX"],
|
|
6458
|
+
required: false,
|
|
6459
|
+
secret: false,
|
|
6460
|
+
public: false,
|
|
6461
|
+
consumers: [
|
|
6462
|
+
"tenant-vercel-app",
|
|
6463
|
+
"tenant-convex-deployment",
|
|
6464
|
+
"tenant-vector-store"
|
|
6465
|
+
],
|
|
6466
|
+
description: "Tenant-owned Pinecone index name for product vector search."
|
|
5054
6467
|
},
|
|
5055
6468
|
{
|
|
5056
|
-
|
|
5057
|
-
|
|
5058
|
-
|
|
6469
|
+
idSuffix: "vector.pinecone-host",
|
|
6470
|
+
canonicalName: "PINECONE_HOST",
|
|
6471
|
+
aliases: ["PINECONE_INDEX_HOST"],
|
|
6472
|
+
required: false,
|
|
6473
|
+
secret: false,
|
|
6474
|
+
public: false,
|
|
6475
|
+
consumers: [
|
|
6476
|
+
"tenant-vercel-app",
|
|
6477
|
+
"tenant-convex-deployment",
|
|
6478
|
+
"tenant-vector-store"
|
|
6479
|
+
],
|
|
6480
|
+
description: "Tenant-owned Pinecone host for product vector search."
|
|
5059
6481
|
},
|
|
5060
6482
|
{
|
|
5061
|
-
|
|
5062
|
-
|
|
5063
|
-
|
|
6483
|
+
idSuffix: "vector.pinecone-namespace",
|
|
6484
|
+
canonicalName: "PINECONE_NAMESPACE",
|
|
6485
|
+
required: false,
|
|
6486
|
+
secret: false,
|
|
6487
|
+
public: false,
|
|
6488
|
+
consumers: [
|
|
6489
|
+
"tenant-vercel-app",
|
|
6490
|
+
"tenant-convex-deployment",
|
|
6491
|
+
"tenant-vector-store"
|
|
6492
|
+
],
|
|
6493
|
+
description: "Tenant-owned Pinecone namespace for product vector search isolation."
|
|
5064
6494
|
},
|
|
5065
6495
|
{
|
|
5066
|
-
|
|
5067
|
-
|
|
5068
|
-
|
|
6496
|
+
idSuffix: "storage.aws-access-key-id",
|
|
6497
|
+
canonicalName: "AWS_ACCESS_KEY_ID",
|
|
6498
|
+
required: false,
|
|
6499
|
+
secret: true,
|
|
6500
|
+
public: false,
|
|
6501
|
+
consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
|
|
6502
|
+
description: "Tenant-owned AWS access key id for document/file ingestion."
|
|
5069
6503
|
},
|
|
5070
6504
|
{
|
|
5071
|
-
|
|
5072
|
-
|
|
5073
|
-
|
|
6505
|
+
idSuffix: "storage.aws-secret-access-key",
|
|
6506
|
+
canonicalName: "AWS_SECRET_ACCESS_KEY",
|
|
6507
|
+
required: false,
|
|
6508
|
+
secret: true,
|
|
6509
|
+
public: false,
|
|
6510
|
+
consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
|
|
6511
|
+
description: "Tenant-owned AWS secret access key for document/file ingestion."
|
|
5074
6512
|
},
|
|
5075
6513
|
{
|
|
5076
|
-
|
|
5077
|
-
|
|
5078
|
-
|
|
6514
|
+
idSuffix: "storage.aws-region",
|
|
6515
|
+
canonicalName: "AWS_REGION",
|
|
6516
|
+
required: false,
|
|
6517
|
+
secret: false,
|
|
6518
|
+
public: false,
|
|
6519
|
+
consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
|
|
6520
|
+
description: "Tenant-owned AWS region for document/file ingestion."
|
|
5079
6521
|
},
|
|
5080
6522
|
{
|
|
5081
|
-
|
|
5082
|
-
|
|
5083
|
-
|
|
6523
|
+
idSuffix: "observability.sentry-dsn",
|
|
6524
|
+
canonicalName: "NEXT_PUBLIC_SENTRY_DSN",
|
|
6525
|
+
aliases: ["NEXT_PUBLIC_SENTRY_DSN_NEXTJS", "SENTRY_DSN"],
|
|
6526
|
+
required: false,
|
|
6527
|
+
secret: false,
|
|
6528
|
+
public: true,
|
|
6529
|
+
consumers: ["tenant-vercel-app", "tenant-observability"],
|
|
6530
|
+
description: "Tenant-owned Sentry DSN for app telemetry."
|
|
5084
6531
|
},
|
|
5085
6532
|
{
|
|
5086
|
-
|
|
5087
|
-
|
|
5088
|
-
|
|
6533
|
+
idSuffix: "observability.sentry-auth-token",
|
|
6534
|
+
canonicalName: "SENTRY_AUTH_TOKEN",
|
|
6535
|
+
required: false,
|
|
6536
|
+
secret: true,
|
|
6537
|
+
public: false,
|
|
6538
|
+
consumers: ["tenant-deploy-tooling", "tenant-observability"],
|
|
6539
|
+
description: "Tenant-owned Sentry release token for app deployments."
|
|
5089
6540
|
},
|
|
5090
6541
|
{
|
|
5091
|
-
|
|
5092
|
-
|
|
5093
|
-
|
|
6542
|
+
idSuffix: "observability.sentry-org",
|
|
6543
|
+
canonicalName: "SENTRY_ORG",
|
|
6544
|
+
aliases: ["SENTRY_ORG_SLUG"],
|
|
6545
|
+
required: false,
|
|
6546
|
+
secret: false,
|
|
6547
|
+
public: false,
|
|
6548
|
+
consumers: ["tenant-deploy-tooling", "tenant-observability"],
|
|
6549
|
+
description: "Tenant-owned Sentry org slug for release uploads."
|
|
5094
6550
|
},
|
|
5095
6551
|
{
|
|
5096
|
-
|
|
5097
|
-
|
|
5098
|
-
|
|
6552
|
+
idSuffix: "observability.sentry-project",
|
|
6553
|
+
canonicalName: "SENTRY_PROJECT",
|
|
6554
|
+
aliases: ["SENTRY_PROJECT_NEXTJS"],
|
|
6555
|
+
required: false,
|
|
6556
|
+
secret: false,
|
|
6557
|
+
public: false,
|
|
6558
|
+
consumers: ["tenant-deploy-tooling", "tenant-observability"],
|
|
6559
|
+
description: "Tenant-owned Sentry project slug for release uploads."
|
|
5099
6560
|
},
|
|
5100
6561
|
{
|
|
5101
|
-
|
|
5102
|
-
|
|
5103
|
-
|
|
6562
|
+
idSuffix: "observability.sentry-environment",
|
|
6563
|
+
canonicalName: "NEXT_PUBLIC_SENTRY_ENVIRONMENT",
|
|
6564
|
+
aliases: ["SENTRY_ENVIRONMENT"],
|
|
6565
|
+
required: false,
|
|
6566
|
+
secret: false,
|
|
6567
|
+
public: true,
|
|
6568
|
+
consumers: ["tenant-vercel-app", "tenant-observability"],
|
|
6569
|
+
description: "Tenant-owned Sentry environment label."
|
|
5104
6570
|
},
|
|
5105
6571
|
{
|
|
5106
|
-
|
|
5107
|
-
|
|
5108
|
-
|
|
6572
|
+
idSuffix: "observability.sentry-release",
|
|
6573
|
+
canonicalName: "NEXT_PUBLIC_SENTRY_RELEASE",
|
|
6574
|
+
aliases: ["SENTRY_RELEASE"],
|
|
6575
|
+
required: false,
|
|
6576
|
+
secret: false,
|
|
6577
|
+
public: true,
|
|
6578
|
+
consumers: ["tenant-vercel-app", "tenant-observability"],
|
|
6579
|
+
description: "Tenant-owned Sentry release label."
|
|
5109
6580
|
},
|
|
5110
6581
|
{
|
|
5111
|
-
|
|
5112
|
-
|
|
5113
|
-
|
|
6582
|
+
idSuffix: "observability.sentry-client-options",
|
|
6583
|
+
canonicalName: "NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE",
|
|
6584
|
+
aliases: [
|
|
6585
|
+
"NEXT_PUBLIC_SENTRY_CAPTURE_CONSOLE_LEVELS",
|
|
6586
|
+
"NEXT_PUBLIC_SENTRY_CAPTURE_CONSOLE_LEVELS_NEXTJS",
|
|
6587
|
+
"NEXT_PUBLIC_SENTRY_CONSOLE_BREADCRUMB_LEVELS",
|
|
6588
|
+
"NEXT_PUBLIC_SENTRY_CONSOLE_BREADCRUMB_LEVELS_NEXTJS",
|
|
6589
|
+
"NEXT_PUBLIC_SENTRY_CONSOLE_LOG_LEVELS",
|
|
6590
|
+
"NEXT_PUBLIC_SENTRY_CONSOLE_LOG_LEVELS_NEXTJS",
|
|
6591
|
+
"NEXT_PUBLIC_SENTRY_ENABLE_LOGS",
|
|
6592
|
+
"NEXT_PUBLIC_SENTRY_REPLAYS_ON_ERROR_SAMPLE_RATE",
|
|
6593
|
+
"NEXT_PUBLIC_SENTRY_REPLAYS_SESSION_SAMPLE_RATE",
|
|
6594
|
+
"NEXT_PUBLIC_SENTRY_SEND_DEFAULT_PII",
|
|
6595
|
+
"NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE_NEXTJS"
|
|
6596
|
+
],
|
|
6597
|
+
required: false,
|
|
6598
|
+
secret: false,
|
|
6599
|
+
public: true,
|
|
6600
|
+
consumers: ["tenant-vercel-app", "tenant-observability"],
|
|
6601
|
+
description: "Tenant-owned public Sentry tuning values for Next.js client instrumentation."
|
|
5114
6602
|
},
|
|
5115
6603
|
{
|
|
5116
|
-
|
|
5117
|
-
|
|
5118
|
-
|
|
6604
|
+
idSuffix: "observability.sentry-webhook-secret",
|
|
6605
|
+
canonicalName: "SENTRY_WEBHOOK_SECRET",
|
|
6606
|
+
required: false,
|
|
6607
|
+
secret: true,
|
|
6608
|
+
public: false,
|
|
6609
|
+
consumers: ["tenant-convex-deployment", "tenant-observability"],
|
|
6610
|
+
description: "Tenant-owned Sentry webhook verification secret."
|
|
5119
6611
|
},
|
|
5120
6612
|
{
|
|
5121
|
-
|
|
5122
|
-
|
|
5123
|
-
|
|
6613
|
+
idSuffix: "lucern.gateway-api-key",
|
|
6614
|
+
canonicalName: "LUCERN_API_KEY",
|
|
6615
|
+
aliases: ["STACK_API_KEY"],
|
|
6616
|
+
required: false,
|
|
6617
|
+
secret: true,
|
|
6618
|
+
public: false,
|
|
6619
|
+
consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
|
|
6620
|
+
description: "Tenant-scoped Lucern/MC gateway API key for product front-door calls."
|
|
5124
6621
|
},
|
|
5125
6622
|
{
|
|
5126
|
-
|
|
5127
|
-
|
|
5128
|
-
|
|
6623
|
+
idSuffix: "lucern.gateway-base-url",
|
|
6624
|
+
canonicalName: "LUCERN_BASE_URL",
|
|
6625
|
+
aliases: ["LUCERN_API_BASE_URL", "LUCERN_GATEWAY_BASE_URL"],
|
|
6626
|
+
required: false,
|
|
6627
|
+
secret: false,
|
|
6628
|
+
public: false,
|
|
6629
|
+
consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
|
|
6630
|
+
description: "Lucern/MC gateway base URL used by tenant product apps."
|
|
5129
6631
|
},
|
|
5130
6632
|
{
|
|
5131
|
-
|
|
5132
|
-
|
|
5133
|
-
|
|
6633
|
+
idSuffix: "lucern.proxy-token-secret",
|
|
6634
|
+
canonicalName: "LUCERN_PROXY_TOKEN_SECRET",
|
|
6635
|
+
required: false,
|
|
6636
|
+
secret: true,
|
|
6637
|
+
public: false,
|
|
6638
|
+
consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
|
|
6639
|
+
description: "Tenant-owned secret for signing internal proxy/session tokens in product apps."
|
|
5134
6640
|
},
|
|
5135
6641
|
{
|
|
5136
|
-
|
|
5137
|
-
|
|
5138
|
-
|
|
6642
|
+
idSuffix: "tenant.integrations.linear-api-key",
|
|
6643
|
+
canonicalName: "LINEAR_API_KEY",
|
|
6644
|
+
required: false,
|
|
6645
|
+
secret: true,
|
|
6646
|
+
public: false,
|
|
6647
|
+
consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
|
|
6648
|
+
description: "Tenant-owned Linear API key for support/slash-command flows."
|
|
5139
6649
|
},
|
|
5140
6650
|
{
|
|
5141
|
-
|
|
5142
|
-
|
|
5143
|
-
|
|
6651
|
+
idSuffix: "tenant.vercel.bypass-token",
|
|
6652
|
+
canonicalName: "VERCEL_AUTOMATION_BYPASS_SECRET",
|
|
6653
|
+
aliases: ["NEXT_PUBLIC_VERCEL_BYPASS_TOKEN"],
|
|
6654
|
+
required: false,
|
|
6655
|
+
secret: true,
|
|
6656
|
+
public: false,
|
|
6657
|
+
consumers: ["tenant-vercel-app", "tenant-deploy-tooling"],
|
|
6658
|
+
description: "Tenant-owned Vercel automation bypass token. Public alias is legacy and should be removed from app code."
|
|
5144
6659
|
}
|
|
5145
6660
|
];
|
|
5146
|
-
|
|
5147
|
-
(
|
|
6661
|
+
INFISICAL_TENANT_SOFTWARE_SYSTEMS.filter(
|
|
6662
|
+
(system) => TENANT_PRODUCT_SOFTWARE_SYSTEM_IDS.includes(system.id)
|
|
6663
|
+
).flatMap(
|
|
6664
|
+
(system) => TENANT_PRODUCT_RUNTIME_SECRET_DEFINITION_TEMPLATES.map(
|
|
6665
|
+
(template) => ({
|
|
6666
|
+
id: `tenant.${system.id}.${template.idSuffix}`,
|
|
6667
|
+
canonicalName: template.canonicalName,
|
|
6668
|
+
aliases: "aliases" in template ? template.aliases : void 0,
|
|
6669
|
+
owner: "tenant",
|
|
6670
|
+
scope: "tenant",
|
|
6671
|
+
sourcePath: system.sharedSourcePath,
|
|
6672
|
+
environmentPolicy: "environment_specific",
|
|
6673
|
+
required: template.required,
|
|
6674
|
+
secret: template.secret,
|
|
6675
|
+
public: template.public,
|
|
6676
|
+
consumers: template.consumers,
|
|
6677
|
+
destinations: [
|
|
6678
|
+
{
|
|
6679
|
+
kind: "vercel",
|
|
6680
|
+
target: system.vercelProjectName,
|
|
6681
|
+
environmentPolicy: "preprod_staging_prod_prod"
|
|
6682
|
+
},
|
|
6683
|
+
{
|
|
6684
|
+
kind: "convex",
|
|
6685
|
+
target: `${system.convex.preprodDeployment}|${system.convex.prodDeployment}`,
|
|
6686
|
+
environmentPolicy: "preprod_staging_prod_prod"
|
|
6687
|
+
},
|
|
6688
|
+
{
|
|
6689
|
+
kind: "github_actions",
|
|
6690
|
+
target: `${system.repository.owner}/${system.repository.name}`,
|
|
6691
|
+
environmentPolicy: "preprod_staging_prod_prod"
|
|
6692
|
+
}
|
|
6693
|
+
],
|
|
6694
|
+
description: `${system.tenantKey}/${system.workspaceKey}: ${template.description}`
|
|
6695
|
+
})
|
|
6696
|
+
)
|
|
6697
|
+
);
|
|
6698
|
+
function tenantVercelConvexUrlWriteNames(system) {
|
|
6699
|
+
const names = [system.convex.urlEnv, "NEXT_PUBLIC_CONVEX_URL"];
|
|
6700
|
+
if (system.id === "stack-eng") {
|
|
6701
|
+
return [...names, "STACKOS_ENGINEERING_GRAPH_CONVEX_URL"];
|
|
6702
|
+
}
|
|
6703
|
+
return names;
|
|
6704
|
+
}
|
|
6705
|
+
function tenantRepositoryConvexUrlWriteNames(system) {
|
|
6706
|
+
if (system.id === "stack-eng") {
|
|
6707
|
+
return [system.convex.urlEnv, "STACKOS_ENGINEERING_GRAPH_CONVEX_URL"];
|
|
6708
|
+
}
|
|
6709
|
+
return [system.convex.urlEnv];
|
|
6710
|
+
}
|
|
6711
|
+
function tenantRepositoryConvexDeployKeyWriteNames(system) {
|
|
6712
|
+
if (system.id === "stack-eng") {
|
|
6713
|
+
return [system.convex.deployKeyEnv, "STACKOS_ENGINEERING_GRAPH_DEPLOY_KEY"];
|
|
6714
|
+
}
|
|
6715
|
+
return [system.convex.deployKeyEnv];
|
|
6716
|
+
}
|
|
6717
|
+
function tenantConvexUrlAliases(system) {
|
|
6718
|
+
if (system.id === "stack-frontend") {
|
|
6719
|
+
return [
|
|
6720
|
+
"CONVEX_PROD_URL",
|
|
6721
|
+
"CONVEX_STACK_V2_PROD_URL",
|
|
6722
|
+
"CONVEX_STACK_V2_STAGING_URL",
|
|
6723
|
+
"STACK_CONVEX_URL"
|
|
6724
|
+
];
|
|
6725
|
+
}
|
|
6726
|
+
if (system.id === "stackos") {
|
|
6727
|
+
return [
|
|
6728
|
+
"CONVEX_CLOUD_URL",
|
|
6729
|
+
"CONVEX_STACK_URL",
|
|
6730
|
+
"CONVEX_URL",
|
|
6731
|
+
"CONVEX_URL_DEVELOPMENT",
|
|
6732
|
+
"CONVEX_URL_PRODUCTION",
|
|
6733
|
+
"STACK_CONVEX_URL"
|
|
6734
|
+
];
|
|
6735
|
+
}
|
|
6736
|
+
if (system.id === "stack-eng") {
|
|
6737
|
+
return ["STACKOS_ENGINEERING_GRAPH_CONVEX_URL"];
|
|
6738
|
+
}
|
|
6739
|
+
if (system.id === "lucern-graph") {
|
|
6740
|
+
return [
|
|
6741
|
+
"CONVEX_GRAPH_URL",
|
|
6742
|
+
"LUCERN_PROD_URL",
|
|
6743
|
+
"NEXT_PUBLIC_LUCERN_GRAPH_URL"
|
|
6744
|
+
];
|
|
6745
|
+
}
|
|
6746
|
+
return void 0;
|
|
6747
|
+
}
|
|
6748
|
+
function tenantConvexDeployKeyAliases(system) {
|
|
6749
|
+
if (system.id === "stack-frontend") {
|
|
6750
|
+
return [
|
|
6751
|
+
"CONVEX_STACK_V2_PROD_DEPLOY_KEY",
|
|
6752
|
+
"CONVEX_STACK_V2_STAGING_DEPLOY_KEY",
|
|
6753
|
+
"STACK_DEPLOY_KEY"
|
|
6754
|
+
];
|
|
6755
|
+
}
|
|
6756
|
+
if (system.id === "stackos") {
|
|
6757
|
+
return [
|
|
6758
|
+
"CONVEX_DEPLOY_KEY",
|
|
6759
|
+
"CONVEX_DEV_DEPLOY_KEY",
|
|
6760
|
+
"CONVEX_PROD_DEPLOY_KEY",
|
|
6761
|
+
"CONVEX_STACK_DEPLOY_KEY",
|
|
6762
|
+
"STACK_DEPLOY_KEY"
|
|
6763
|
+
];
|
|
6764
|
+
}
|
|
6765
|
+
if (system.id === "stack-eng") {
|
|
6766
|
+
return ["CONVEX_DEPLOY_KEY", "STACKOS_ENGINEERING_GRAPH_DEPLOY_KEY"];
|
|
6767
|
+
}
|
|
6768
|
+
if (system.id === "lucern-graph") {
|
|
6769
|
+
return [
|
|
6770
|
+
"CONVEX_DEPLOY_KEY",
|
|
6771
|
+
"CONVEX_GRAPH_DEPLOY_KEY",
|
|
6772
|
+
"LUCERN_CONVEX_DEPLOY_KEY",
|
|
6773
|
+
"LUCERN_DEV_DEPLOY_KEY",
|
|
6774
|
+
"LUCERN_PROD_DEPLOY_KEY"
|
|
6775
|
+
];
|
|
6776
|
+
}
|
|
6777
|
+
return void 0;
|
|
6778
|
+
}
|
|
6779
|
+
INFISICAL_TENANT_SOFTWARE_SYSTEMS.flatMap(
|
|
6780
|
+
(system) => {
|
|
6781
|
+
if (system.id === "lucern-graph") {
|
|
6782
|
+
return [
|
|
6783
|
+
{
|
|
6784
|
+
id: "tenant.lucern-graph.public.tenant-id",
|
|
6785
|
+
canonicalName: "NEXT_PUBLIC_LUCERN_GRAPH_TENANT_ID",
|
|
6786
|
+
aliases: ["NEXT_PUBLIC_LUCERN_TENANT_ID"],
|
|
6787
|
+
owner: "tenant",
|
|
6788
|
+
scope: "workspace",
|
|
6789
|
+
sourcePath: system.sharedSourcePath,
|
|
6790
|
+
environmentPolicy: "environment_specific",
|
|
6791
|
+
required: false,
|
|
6792
|
+
secret: false,
|
|
6793
|
+
public: true,
|
|
6794
|
+
consumers: ["tenant-vercel-app"],
|
|
6795
|
+
destinations: [
|
|
6796
|
+
{
|
|
6797
|
+
kind: "vercel",
|
|
6798
|
+
target: system.vercelProjectName,
|
|
6799
|
+
environmentPolicy: "preprod_staging_prod_prod"
|
|
6800
|
+
}
|
|
6801
|
+
],
|
|
6802
|
+
description: "Lucern graph public tenant id used by the standalone graph explorer."
|
|
6803
|
+
},
|
|
6804
|
+
{
|
|
6805
|
+
id: "tenant.lucern-graph.public.tenant-label",
|
|
6806
|
+
canonicalName: "NEXT_PUBLIC_LUCERN_GRAPH_TENANT_LABEL",
|
|
6807
|
+
owner: "tenant",
|
|
6808
|
+
scope: "workspace",
|
|
6809
|
+
sourcePath: system.sharedSourcePath,
|
|
6810
|
+
environmentPolicy: "environment_specific",
|
|
6811
|
+
required: false,
|
|
6812
|
+
secret: false,
|
|
6813
|
+
public: true,
|
|
6814
|
+
consumers: ["tenant-vercel-app"],
|
|
6815
|
+
destinations: [
|
|
6816
|
+
{
|
|
6817
|
+
kind: "vercel",
|
|
6818
|
+
target: system.vercelProjectName,
|
|
6819
|
+
environmentPolicy: "preprod_staging_prod_prod"
|
|
6820
|
+
}
|
|
6821
|
+
],
|
|
6822
|
+
description: "Lucern graph public tenant label used by the standalone graph explorer."
|
|
6823
|
+
}
|
|
6824
|
+
];
|
|
6825
|
+
}
|
|
6826
|
+
if (system.id === "stack-eng") {
|
|
6827
|
+
return [
|
|
6828
|
+
{
|
|
6829
|
+
id: "tenant.stack-eng.public.tenant-id",
|
|
6830
|
+
canonicalName: "NEXT_PUBLIC_STACKOS_ENGINEERING_GRAPH_TENANT_ID",
|
|
6831
|
+
owner: "tenant",
|
|
6832
|
+
scope: "workspace",
|
|
6833
|
+
sourcePath: system.sharedSourcePath,
|
|
6834
|
+
environmentPolicy: "environment_specific",
|
|
6835
|
+
required: false,
|
|
6836
|
+
secret: false,
|
|
6837
|
+
public: true,
|
|
6838
|
+
consumers: ["tenant-vercel-app"],
|
|
6839
|
+
destinations: [
|
|
6840
|
+
{
|
|
6841
|
+
kind: "vercel",
|
|
6842
|
+
target: system.vercelProjectName,
|
|
6843
|
+
environmentPolicy: "preprod_staging_prod_prod"
|
|
6844
|
+
}
|
|
6845
|
+
],
|
|
6846
|
+
description: "Stack engineering graph public tenant id used by the graph explorer."
|
|
6847
|
+
},
|
|
6848
|
+
{
|
|
6849
|
+
id: "tenant.stack-eng.public.tenant-label",
|
|
6850
|
+
canonicalName: "NEXT_PUBLIC_STACKOS_ENGINEERING_GRAPH_TENANT_LABEL",
|
|
6851
|
+
owner: "tenant",
|
|
6852
|
+
scope: "workspace",
|
|
6853
|
+
sourcePath: system.sharedSourcePath,
|
|
6854
|
+
environmentPolicy: "environment_specific",
|
|
6855
|
+
required: false,
|
|
6856
|
+
secret: false,
|
|
6857
|
+
public: true,
|
|
6858
|
+
consumers: ["tenant-vercel-app"],
|
|
6859
|
+
destinations: [
|
|
6860
|
+
{
|
|
6861
|
+
kind: "vercel",
|
|
6862
|
+
target: system.vercelProjectName,
|
|
6863
|
+
environmentPolicy: "preprod_staging_prod_prod"
|
|
6864
|
+
}
|
|
6865
|
+
],
|
|
6866
|
+
description: "Stack engineering graph public tenant label used by the graph explorer."
|
|
6867
|
+
},
|
|
6868
|
+
{
|
|
6869
|
+
id: "tenant.stack-eng.public.environment",
|
|
6870
|
+
canonicalName: "NEXT_PUBLIC_STACKOS_ENGINEERING_GRAPH_ENV",
|
|
6871
|
+
owner: "tenant",
|
|
6872
|
+
scope: "workspace",
|
|
6873
|
+
sourcePath: system.sharedSourcePath,
|
|
6874
|
+
environmentPolicy: "environment_specific",
|
|
6875
|
+
required: false,
|
|
6876
|
+
secret: false,
|
|
6877
|
+
public: true,
|
|
6878
|
+
consumers: ["tenant-vercel-app"],
|
|
6879
|
+
destinations: [
|
|
6880
|
+
{
|
|
6881
|
+
kind: "vercel",
|
|
6882
|
+
target: system.vercelProjectName,
|
|
6883
|
+
environmentPolicy: "preprod_staging_prod_prod"
|
|
6884
|
+
}
|
|
6885
|
+
],
|
|
6886
|
+
description: "Stack engineering graph public environment label used by the graph explorer."
|
|
6887
|
+
}
|
|
6888
|
+
];
|
|
6889
|
+
}
|
|
6890
|
+
return [];
|
|
6891
|
+
}
|
|
5148
6892
|
);
|
|
6893
|
+
INFISICAL_TENANT_SOFTWARE_SYSTEMS.flatMap((system) => [
|
|
6894
|
+
{
|
|
6895
|
+
id: `tenant.${system.id}.convex.url`,
|
|
6896
|
+
canonicalName: system.convex.urlEnv,
|
|
6897
|
+
aliases: tenantConvexUrlAliases(system),
|
|
6898
|
+
owner: "tenant",
|
|
6899
|
+
scope: "software_system",
|
|
6900
|
+
sourcePath: system.sharedSourcePath,
|
|
6901
|
+
environmentPolicy: "preprod_staging_prod_prod",
|
|
6902
|
+
required: true,
|
|
6903
|
+
secret: false,
|
|
6904
|
+
public: false,
|
|
6905
|
+
consumers: [
|
|
6906
|
+
"tenant-vercel-app",
|
|
6907
|
+
"tenant-agent-runtime",
|
|
6908
|
+
"mc-operator-tooling"
|
|
6909
|
+
],
|
|
6910
|
+
destinations: [
|
|
6911
|
+
{
|
|
6912
|
+
kind: "vercel",
|
|
6913
|
+
target: system.vercelProjectName,
|
|
6914
|
+
environmentPolicy: "preprod_staging_prod_prod",
|
|
6915
|
+
writeNames: tenantVercelConvexUrlWriteNames(system)
|
|
6916
|
+
},
|
|
6917
|
+
{
|
|
6918
|
+
kind: "github_actions",
|
|
6919
|
+
target: `${system.repository.owner}/${system.repository.name}`,
|
|
6920
|
+
environmentPolicy: "preprod_staging_prod_prod",
|
|
6921
|
+
writeNames: tenantRepositoryConvexUrlWriteNames(system),
|
|
6922
|
+
notes: "Only if that repository deploy/test workflow owns this software system."
|
|
6923
|
+
}
|
|
6924
|
+
],
|
|
6925
|
+
description: `${system.tenantKey}/${system.workspaceKey} Convex URL. Pre-prod resolves to ${system.convex.preprodDeployment}; prod resolves to ${system.convex.prodDeployment}.`
|
|
6926
|
+
},
|
|
6927
|
+
{
|
|
6928
|
+
id: `tenant.${system.id}.convex.deploy-key`,
|
|
6929
|
+
canonicalName: system.convex.deployKeyEnv,
|
|
6930
|
+
aliases: tenantConvexDeployKeyAliases(system),
|
|
6931
|
+
owner: "tenant",
|
|
6932
|
+
scope: "software_system",
|
|
6933
|
+
sourcePath: system.sharedSourcePath,
|
|
6934
|
+
environmentPolicy: "preprod_staging_prod_prod",
|
|
6935
|
+
required: true,
|
|
6936
|
+
secret: true,
|
|
6937
|
+
public: false,
|
|
6938
|
+
consumers: [
|
|
6939
|
+
"tenant-vercel-app",
|
|
6940
|
+
"tenant-agent-runtime",
|
|
6941
|
+
"mc-operator-tooling"
|
|
6942
|
+
],
|
|
6943
|
+
destinations: [
|
|
6944
|
+
{
|
|
6945
|
+
kind: "vercel",
|
|
6946
|
+
target: system.vercelProjectName,
|
|
6947
|
+
environmentPolicy: "preprod_staging_prod_prod"
|
|
6948
|
+
},
|
|
6949
|
+
{
|
|
6950
|
+
kind: "github_actions",
|
|
6951
|
+
target: `${system.repository.owner}/${system.repository.name}`,
|
|
6952
|
+
environmentPolicy: "preprod_staging_prod_prod",
|
|
6953
|
+
writeNames: tenantRepositoryConvexDeployKeyWriteNames(system),
|
|
6954
|
+
notes: "Only if that repository deploy/test workflow owns this software system."
|
|
6955
|
+
}
|
|
6956
|
+
],
|
|
6957
|
+
description: `${system.tenantKey}/${system.workspaceKey} Convex deploy/admin key. Never route to sibling workspaces.`
|
|
6958
|
+
}
|
|
6959
|
+
]);
|
|
5149
6960
|
z.object({
|
|
5150
6961
|
manifestVersion: z.literal("1.0.0"),
|
|
5151
6962
|
rules: z.array(
|
|
@@ -5186,7 +6997,7 @@ var createEvidenceInputSchemaBase = z.object({
|
|
|
5186
6997
|
targetId: z.string().optional(),
|
|
5187
6998
|
targetNodeId: z.string().optional(),
|
|
5188
6999
|
linkedBeliefNodeId: z.string().optional(),
|
|
5189
|
-
evidenceRelation: z.enum(["supports", "contradicts"
|
|
7000
|
+
evidenceRelation: z.enum(["supports", "contradicts"]).optional(),
|
|
5190
7001
|
confidence: z.number().optional(),
|
|
5191
7002
|
weight: z.number().optional(),
|
|
5192
7003
|
reasoning: z.string().optional(),
|
|
@@ -5271,8 +7082,7 @@ var createEvidenceProjection = defineProjection({
|
|
|
5271
7082
|
evidenceRelation: v.optional(
|
|
5272
7083
|
v.union(
|
|
5273
7084
|
v.literal("supports"),
|
|
5274
|
-
v.literal("contradicts")
|
|
5275
|
-
v.literal("neutral")
|
|
7085
|
+
v.literal("contradicts")
|
|
5276
7086
|
)
|
|
5277
7087
|
),
|
|
5278
7088
|
confidence: v.optional(v.number()),
|
|
@@ -5321,12 +7131,17 @@ var listBeliefsProjection = defineProjection({
|
|
|
5321
7131
|
});
|
|
5322
7132
|
var taskStatusSchema = z.enum(["todo", "in_progress", "blocked", "done"]).optional().describe("Filter by task status");
|
|
5323
7133
|
var listTasksInputSchema = z.object({
|
|
5324
|
-
topicId: z.string().describe("Topic scope"),
|
|
7134
|
+
topicId: z.string().optional().describe("Topic scope"),
|
|
5325
7135
|
worktreeId: z.string().optional().describe("Alias for linkedWorktreeId"),
|
|
5326
7136
|
linkedWorktreeId: z.string().optional().describe("Filter to tasks linked to this worktree"),
|
|
5327
7137
|
status: taskStatusSchema,
|
|
5328
7138
|
limit: z.number().optional().describe("Maximum results")
|
|
5329
|
-
})
|
|
7139
|
+
}).refine(
|
|
7140
|
+
(input) => Boolean(input.topicId || input.worktreeId || input.linkedWorktreeId),
|
|
7141
|
+
{
|
|
7142
|
+
message: "topicId or worktreeId is required"
|
|
7143
|
+
}
|
|
7144
|
+
);
|
|
5330
7145
|
function compactRecord3(input) {
|
|
5331
7146
|
return Object.fromEntries(
|
|
5332
7147
|
Object.entries(input).filter(([, value]) => value !== void 0)
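Review bot: The `.refine(...)` added to `listTasksInputSchema` also accepts `linkedWorktreeId` on its own, but its message names only two fields; it should read `message: "topicId, worktreeId or linkedWorktreeId is required"`. With `topicId` now optional here and in the `listTasksProjection` validator (`topicId: v.optional(v.string())`, next hunk), a caller can list tasks with no topic scope. The backend query is not visible in this diff, so confirm that it authorizes the worktree against the caller's tenant and workspace and does not rely on the topic for scoping. The refine also turns the object schema into a ZodEffects, so if this schema reaches `getObjectShape(args)` in `mcpContractFromArgsSchema`, that helper (not shown) has to unwrap effects or the generated parameter list will be empty or throw.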
|
|
@@ -5343,7 +7158,7 @@ var listTasksProjection = defineProjection({
|
|
|
5343
7158
|
linkedWorktreeId: input.linkedWorktreeId ?? input.worktreeId
|
|
5344
7159
|
}),
|
|
5345
7160
|
convexArgsValidator: v.object({
|
|
5346
|
-
topicId: v.string(),
|
|
7161
|
+
topicId: v.optional(v.string()),
|
|
5347
7162
|
status: v.optional(
|
|
5348
7163
|
v.union(
|
|
5349
7164
|
v.literal("todo"),
|
|
@@ -6416,7 +8231,7 @@ var CREATE_EDGE = {
|
|
|
6416
8231
|
reasoningMethod: {
|
|
6417
8232
|
type: "string",
|
|
6418
8233
|
description: "How this was determined",
|
|
6419
|
-
enum: [
|
|
8234
|
+
enum: [...REASONING_METHODS]
|
|
6420
8235
|
},
|
|
6421
8236
|
metadata: {
|
|
6422
8237
|
type: "object",
|
|
@@ -8143,6 +9958,10 @@ var CREATE_TASK = {
|
|
|
8143
9958
|
tags: {
|
|
8144
9959
|
type: "array",
|
|
8145
9960
|
description: "Free-form string tags"
|
|
9961
|
+
},
|
|
9962
|
+
metadata: {
|
|
9963
|
+
type: "object",
|
|
9964
|
+
description: "Structured task metadata for handoff context and routing hints"
|
|
8146
9965
|
}
|
|
8147
9966
|
},
|
|
8148
9967
|
required: ["title"],
|
|
@@ -8216,6 +10035,10 @@ var UPDATE_TASK = {
|
|
|
8216
10035
|
type: "string",
|
|
8217
10036
|
description: "Updated status",
|
|
8218
10037
|
enum: ["todo", "in_progress", "blocked", "done"]
|
|
10038
|
+
},
|
|
10039
|
+
metadata: {
|
|
10040
|
+
type: "object",
|
|
10041
|
+
description: "Structured task metadata to replace or refine"
|
|
8219
10042
|
}
|
|
8220
10043
|
},
|
|
8221
10044
|
required: ["taskId"],
|
|
@@ -9671,6 +11494,9 @@ var BEGIN_BUILD_SESSION = {
|
|
|
9671
11494
|
sessionMode: "string \u2014 async | interactive",
|
|
9672
11495
|
targetBeliefIds: "array \u2014 scoped belief IDs",
|
|
9673
11496
|
targetQuestionIds: "array \u2014 scoped question IDs",
|
|
11497
|
+
taskIds: "array \u2014 assigned task IDs for this worktree",
|
|
11498
|
+
incompleteTaskIds: "array \u2014 assigned task IDs that still require done/deferred/blocked proof",
|
|
11499
|
+
tasks: "array \u2014 assigned task packet with id, title, status, priority, links, and summaries",
|
|
9674
11500
|
topBeliefs: "array \u2014 highest-confidence scoped beliefs",
|
|
9675
11501
|
openQuestions: "array \u2014 open scoped questions",
|
|
9676
11502
|
resolvedDecisions: "array \u2014 answered questions summarized for the session",
|
|
@@ -10271,12 +12097,20 @@ function unwrapMcpParameterSchema(schema) {
|
|
|
10271
12097
|
current = current._def.schema;
|
|
10272
12098
|
continue;
|
|
10273
12099
|
default:
|
|
10274
|
-
return {
|
|
12100
|
+
return {
|
|
12101
|
+
schema: current,
|
|
12102
|
+
required,
|
|
12103
|
+
description: description ?? current.description
|
|
12104
|
+
};
|
|
10275
12105
|
}
|
|
10276
12106
|
}
|
|
10277
12107
|
}
|
|
10278
12108
|
function mcpParameterFromZod(fieldName, schema, contractName) {
|
|
10279
|
-
const {
|
|
12109
|
+
const {
|
|
12110
|
+
schema: unwrapped,
|
|
12111
|
+
required,
|
|
12112
|
+
description: schemaDescription
|
|
12113
|
+
} = unwrapMcpParameterSchema(schema);
|
|
10280
12114
|
const description = schemaDescription ?? unwrapped.description ?? fieldName;
|
|
10281
12115
|
switch (unwrapped._def.typeName) {
|
|
10282
12116
|
case z.ZodFirstPartyTypeKind.ZodString:
|
|
@@ -10321,10 +12155,12 @@ function mcpContractFromArgsSchema(base, args, contractName) {
|
|
|
10321
12155
|
const entries2 = Object.entries(getObjectShape(args)).sort(
|
|
10322
12156
|
([left], [right]) => left.localeCompare(right)
|
|
10323
12157
|
);
|
|
10324
|
-
const converted = entries2.map(
|
|
10325
|
-
fieldName,
|
|
10326
|
-
|
|
10327
|
-
|
|
12158
|
+
const converted = entries2.map(
|
|
12159
|
+
([fieldName, schema]) => [
|
|
12160
|
+
fieldName,
|
|
12161
|
+
mcpParameterFromZod(fieldName, schema, contractName)
|
|
12162
|
+
]
|
|
12163
|
+
);
|
|
10328
12164
|
return {
|
|
10329
12165
|
...base,
|
|
10330
12166
|
parameters: Object.fromEntries(
|
|
@@ -10436,6 +12272,7 @@ function surfaceContract(args) {
|
|
|
10436
12272
|
allowedPrincipalTypes: ["user", "service", "agent"]
|
|
10437
12273
|
},
|
|
10438
12274
|
convex: args.convex,
|
|
12275
|
+
gateway: args.gateway,
|
|
10439
12276
|
args: canonicalArgs,
|
|
10440
12277
|
returns: canonicalReturns,
|
|
10441
12278
|
input,
|
|
@@ -10922,7 +12759,7 @@ var beliefsContracts = [
|
|
|
10922
12759
|
})
|
|
10923
12760
|
];
|
|
10924
12761
|
var jsonRecordSchema4 = z.record(z.unknown());
|
|
10925
|
-
var evidenceRelationSchema = z.enum(["supports", "contradicts"
|
|
12762
|
+
var evidenceRelationSchema = z.enum(["supports", "contradicts"]);
|
|
10926
12763
|
var createEvidenceArgs = z.object({
|
|
10927
12764
|
topicId: z.string().optional().describe("Topic scope for the evidence."),
|
|
10928
12765
|
text: z.string().describe("Canonical evidence text."),
|
|
@@ -12845,7 +14682,8 @@ var createTaskArgs = z.object({
|
|
|
12845
14682
|
linkedQuestionId: z.string().optional().describe("Question this task addresses."),
|
|
12846
14683
|
assigneeId: z.string().optional().describe("Principal assigned to the task."),
|
|
12847
14684
|
dueDate: z.number().optional().describe("Due date as epoch milliseconds."),
|
|
12848
|
-
tags: z.array(z.string()).optional().describe("Free-form tags.")
|
|
14685
|
+
tags: z.array(z.string()).optional().describe("Free-form tags."),
|
|
14686
|
+
metadata: z.record(z.unknown()).optional().describe("Structured task metadata for handoff context and routing hints.")
|
|
12849
14687
|
});
|
|
12850
14688
|
var createTaskInput = (input) => compactRecord4({
|
|
12851
14689
|
title: input.title,
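Review bot: `metadata: z.record(z.unknown())` in `createTaskArgs` puts no bound on the size or nesting of an object that any principal type allowed by `surfaceContract` can supply, and `createTaskInput` forwards it unchanged (next hunk). The `CREATE_TASK` and `UPDATE_TASK` tool schemas declare the same open `type: "object"`. Because the description presents these values as routing hints, whatever consumes them should treat them as untrusted data and not as instructions. I would bound the payload at the schema, for example `.refine((m) => JSON.stringify(m).length <= MAX_TASK_METADATA_CHARS, { message: "metadata too large" })`, where `MAX_TASK_METADATA_CHARS` is a placeholder for a limit the project chooses.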
|
|
@@ -12859,7 +14697,8 @@ var createTaskInput = (input) => compactRecord4({
|
|
|
12859
14697
|
linkedQuestionId: input.linkedQuestionId,
|
|
12860
14698
|
assigneeId: input.assigneeId,
|
|
12861
14699
|
dueDate: input.dueDate,
|
|
12862
|
-
tags: input.tags
|
|
14700
|
+
tags: input.tags,
|
|
14701
|
+
metadata: input.metadata
|
|
12863
14702
|
});
|
|
12864
14703
|
var taskInput = (input) => compactRecord4({
|
|
12865
14704
|
...input,
|
|
@@ -12876,8 +14715,7 @@ var taskTopicInput = (input) => {
|
|
|
12876
14715
|
};
|
|
12877
14716
|
var completeTaskInput = (input) => compactRecord4({
|
|
12878
14717
|
taskId: input.taskId ?? input.id,
|
|
12879
|
-
outputSummary: input.outputSummary ?? input.summary
|
|
12880
|
-
userId: input.userId
|
|
14718
|
+
outputSummary: input.outputSummary ?? input.summary
|
|
12881
14719
|
});
|
|
12882
14720
|
var tasksContracts = [
|
|
12883
14721
|
surfaceContract({
|
|
@@ -12895,6 +14733,7 @@ var tasksContracts = [
|
|
|
12895
14733
|
kind: "mutation",
|
|
12896
14734
|
inputProjection: createTaskInput
|
|
12897
14735
|
},
|
|
14736
|
+
gateway: { handler: "tasks.create" },
|
|
12898
14737
|
args: createTaskArgs
|
|
12899
14738
|
}),
|
|
12900
14739
|
surfaceContract({
|
|
@@ -12913,6 +14752,7 @@ var tasksContracts = [
|
|
|
12913
14752
|
kind: "query",
|
|
12914
14753
|
inputProjection: taskTopicInput
|
|
12915
14754
|
},
|
|
14755
|
+
gateway: { handler: "tasks.list" },
|
|
12916
14756
|
args: listTasksInputSchema
|
|
12917
14757
|
}),
|
|
12918
14758
|
surfaceContract({
|
|
@@ -12930,7 +14770,8 @@ var tasksContracts = [
|
|
|
12930
14770
|
functionName: "update",
|
|
12931
14771
|
kind: "mutation",
|
|
12932
14772
|
inputProjection: taskInput
|
|
12933
|
-
}
|
|
14773
|
+
},
|
|
14774
|
+
gateway: { handler: "tasks.update" }
|
|
12934
14775
|
}),
|
|
12935
14776
|
surfaceContract({
|
|
12936
14777
|
name: "complete_task",
|
|
@@ -12946,12 +14787,14 @@ var tasksContracts = [
|
|
|
12946
14787
|
functionName: "complete",
|
|
12947
14788
|
kind: "mutation",
|
|
12948
14789
|
inputProjection: completeTaskInput
|
|
12949
|
-
}
|
|
14790
|
+
},
|
|
14791
|
+
gateway: { handler: "tasks.complete" }
|
|
12950
14792
|
})
|
|
12951
14793
|
];
|
|
12952
14794
|
var CREATE_EDGE_TYPES = edgePolicyManifest.policies.map(
|
|
12953
14795
|
(policy) => policy.edgeType
|
|
12954
14796
|
);
|
|
14797
|
+
var REASONING_METHOD_TYPES = [...REASONING_METHODS];
|
|
12955
14798
|
var createEdgeArgs = z.object({
|
|
12956
14799
|
from: GraphRefSchema,
|
|
12957
14800
|
to: GraphRefSchema,
|
|
@@ -12961,6 +14804,7 @@ var createEdgeArgs = z.object({
|
|
|
12961
14804
|
confidence: z.number().optional(),
|
|
12962
14805
|
context: z.string().optional(),
|
|
12963
14806
|
reasoning: z.string().optional(),
|
|
14807
|
+
reasoningMethod: z.enum(REASONING_METHOD_TYPES).optional(),
|
|
12964
14808
|
derivationType: z.string().optional(),
|
|
12965
14809
|
metadata: z.record(z.unknown()).optional(),
|
|
12966
14810
|
topicId: z.string().optional(),
|
|
@@ -13039,6 +14883,7 @@ var edgesContracts = [
|
|
|
13039
14883
|
weight: parsed.weight,
|
|
13040
14884
|
confidence: parsed.confidence,
|
|
13041
14885
|
context: parsed.context ?? parsed.reasoning,
|
|
14886
|
+
reasoningMethod: parsed.reasoningMethod,
|
|
13042
14887
|
derivationType: parsed.derivationType,
|
|
13043
14888
|
metadata: parsed.metadata,
|
|
13044
14889
|
skipLayerValidation: true,
|
|
@@ -13163,6 +15008,7 @@ var edgesContracts = [
|
|
|
13163
15008
|
weight: edge.weight,
|
|
13164
15009
|
confidence: edge.confidence,
|
|
13165
15010
|
context: edge.context ?? edge.reasoning,
|
|
15011
|
+
reasoningMethod: edge.reasoningMethod,
|
|
13166
15012
|
derivationType: edge.derivationType,
|
|
13167
15013
|
metadata: edge.metadata,
|
|
13168
15014
|
topicId: edge.topicId
|
|
@@ -13897,6 +15743,69 @@ var pipelineContracts = [
|
|
|
13897
15743
|
}
|
|
13898
15744
|
})
|
|
13899
15745
|
];
|
|
15746
|
+
function isRecord4(value) {
|
|
15747
|
+
return Boolean(value) && typeof value === "object" && !Array.isArray(value);
|
|
15748
|
+
}
|
|
15749
|
+
function stringValues(value) {
|
|
15750
|
+
if (typeof value === "string") {
|
|
15751
|
+
return [value];
|
|
15752
|
+
}
|
|
15753
|
+
if (Array.isArray(value)) {
|
|
15754
|
+
return value.flatMap((item) => stringValues(item));
|
|
15755
|
+
}
|
|
15756
|
+
return [];
|
|
15757
|
+
}
|
|
15758
|
+
function nestedEvidenceRows(value) {
|
|
15759
|
+
if (Array.isArray(value)) {
|
|
15760
|
+
return value.flatMap((item) => nestedEvidenceRows(item));
|
|
15761
|
+
}
|
|
15762
|
+
if (!isRecord4(value)) {
|
|
15763
|
+
return [];
|
|
15764
|
+
}
|
|
15765
|
+
const nestedKeys = ["evidence", "items", "nodes"];
|
|
15766
|
+
const nestedRows = nestedKeys.flatMap((key) => nestedEvidenceRows(value[key]));
|
|
15767
|
+
return nestedRows.length > 0 ? nestedRows : [value];
|
|
15768
|
+
}
|
|
15769
|
+
function isFailedAttemptRow(row) {
|
|
15770
|
+
const metadata = isRecord4(row.metadata) ? row.metadata : null;
|
|
15771
|
+
return metadata?.failedApproach === true || metadata?.isFailedAttempt === true;
|
|
15772
|
+
}
|
|
15773
|
+
function failureLogSearchFields(row) {
|
|
15774
|
+
const metadata = isRecord4(row.metadata) ? row.metadata : null;
|
|
15775
|
+
return [
|
|
15776
|
+
...stringValues(row.id),
|
|
15777
|
+
...stringValues(row._id),
|
|
15778
|
+
...stringValues(row.title),
|
|
15779
|
+
...stringValues(row.text),
|
|
15780
|
+
...stringValues(row.canonicalText),
|
|
15781
|
+
...stringValues(row.content),
|
|
15782
|
+
...stringValues(metadata?.codeAnchor),
|
|
15783
|
+
...stringValues(metadata?.codeAnchors),
|
|
15784
|
+
...stringValues(metadata?.anchor),
|
|
15785
|
+
...stringValues(metadata?.anchors),
|
|
15786
|
+
...stringValues(metadata?.filePath),
|
|
15787
|
+
...stringValues(metadata?.filePaths),
|
|
15788
|
+
...stringValues(metadata?.path),
|
|
15789
|
+
...stringValues(metadata?.paths),
|
|
15790
|
+
...stringValues(metadata?.sourceRef),
|
|
15791
|
+
...stringValues(metadata?.touchedPaths)
|
|
15792
|
+
];
|
|
15793
|
+
}
|
|
15794
|
+
function projectFailureLog(output, input) {
|
|
15795
|
+
const rawQuery = typeof input.query === "string" && input.query.trim().length > 0 ? input.query.trim() : void 0;
|
|
15796
|
+
const searchKey = rawQuery?.toLowerCase();
|
|
15797
|
+
const failures = nestedEvidenceRows(output).filter((row) => isFailedAttemptRow(row)).filter(
|
|
15798
|
+
(row) => !searchKey ? true : failureLogSearchFields(row).some(
|
|
15799
|
+
(field) => field.toLowerCase().includes(searchKey)
|
|
15800
|
+
)
|
|
15801
|
+
);
|
|
15802
|
+
return {
|
|
15803
|
+
query: rawQuery,
|
|
15804
|
+
failures,
|
|
15805
|
+
totalFound: failures.length,
|
|
15806
|
+
showing: failures.length
|
|
15807
|
+
};
|
|
15808
|
+
}
|
|
13900
15809
|
var recordScopeLearningArgs = z.object({
|
|
13901
15810
|
topicId: z.string().optional().describe("Topic scope ID"),
|
|
13902
15811
|
summary: z.string().describe("Atomic learning statement"),
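Review bot: `projectFailureLog` filters rows after the fact, while the input projection in `codingContracts` still appears to send `limit: input.limit` to the backend, so a query can return fewer failures than exist, and `totalFound` and `showing` are always the same page-local number. Either push the `failedApproach` and `query` filter into the backend query, or document the limitation with `// totalFound counts matches within the fetched page only; the backend limit is applied before this filter`. `nestedEvidenceRows` recurses through `evidence`, `items` and `nodes` with no depth bound and drops a parent row whenever one of those keys yields children; since the output envelope is not visible here, that assumption deserves a comment on the function. The `outputProjection` line added in the later `codingContracts` hunk inherits the same behaviour.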
|
|
@@ -13986,6 +15895,8 @@ var attemptInput = (input, context) => withUserId(
|
|
|
13986
15895
|
tags: ["code_attempt"],
|
|
13987
15896
|
metadata: compactRecord4({
|
|
13988
15897
|
...recordValue2(input.metadata),
|
|
15898
|
+
failedApproach: true,
|
|
15899
|
+
isFailedAttempt: true,
|
|
13989
15900
|
filePaths: input.filePaths,
|
|
13990
15901
|
filePath: input.filePath,
|
|
13991
15902
|
errorMessage: input.errorMessage,
|
|
@@ -14116,7 +16027,8 @@ var codingContracts = [
|
|
|
14116
16027
|
limit: input.limit,
|
|
14117
16028
|
status: input.status,
|
|
14118
16029
|
userId: input.userId
|
|
14119
|
-
})
|
|
16030
|
+
}),
|
|
16031
|
+
outputProjection: (output, input) => projectFailureLog(output, input)
|
|
14120
16032
|
}
|
|
14121
16033
|
})
|
|
14122
16034
|
];
|
|
@@ -14578,14 +16490,14 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
|
|
|
14578
16490
|
description: "Worktrees are tenant/runtime planning data."
|
|
14579
16491
|
},
|
|
14580
16492
|
{
|
|
14581
|
-
component: "
|
|
16493
|
+
component: "control-plane",
|
|
14582
16494
|
table: "agents",
|
|
14583
16495
|
prepopulation: "runtime_bootstrap",
|
|
14584
16496
|
copyMode: "none",
|
|
14585
16497
|
description: "Service agents are provisioned per tenant or service, not copied."
|
|
14586
16498
|
},
|
|
14587
16499
|
{
|
|
14588
|
-
component: "
|
|
16500
|
+
component: "control-plane",
|
|
14589
16501
|
table: "mcpWritePolicy",
|
|
14590
16502
|
prepopulation: "required_template",
|
|
14591
16503
|
copyMode: "template_global",
|
|
@@ -14594,14 +16506,14 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
|
|
|
14594
16506
|
description: "Global write policy defaults govern service and interactive MCP writes."
|
|
14595
16507
|
},
|
|
14596
16508
|
{
|
|
14597
|
-
component: "
|
|
16509
|
+
component: "control-plane",
|
|
14598
16510
|
table: "modelCallLogs",
|
|
14599
16511
|
prepopulation: "runtime_log",
|
|
14600
16512
|
copyMode: "none",
|
|
14601
16513
|
description: "Model call logs are runtime telemetry."
|
|
14602
16514
|
},
|
|
14603
16515
|
{
|
|
14604
|
-
component: "
|
|
16516
|
+
component: "control-plane",
|
|
14605
16517
|
table: "modelFunctionSlots",
|
|
14606
16518
|
prepopulation: "required_template",
|
|
14607
16519
|
copyMode: "template_global",
|
|
@@ -14610,7 +16522,7 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
|
|
|
14610
16522
|
description: "Function-to-model slots are required by model runtime resolution."
|
|
14611
16523
|
},
|
|
14612
16524
|
{
|
|
14613
|
-
component: "
|
|
16525
|
+
component: "control-plane",
|
|
14614
16526
|
table: "modelRegistry",
|
|
14615
16527
|
prepopulation: "required_template",
|
|
14616
16528
|
copyMode: "template_global",
|
|
@@ -14619,7 +16531,7 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
|
|
|
14619
16531
|
description: "Model catalog defaults are required by model runtime clients."
|
|
14620
16532
|
},
|
|
14621
16533
|
{
|
|
14622
|
-
component: "
|
|
16534
|
+
component: "control-plane",
|
|
14623
16535
|
table: "modelSlotConfigs",
|
|
14624
16536
|
prepopulation: "required_template",
|
|
14625
16537
|
copyMode: "template_global",
|
|
@@ -14628,14 +16540,105 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
|
|
|
14628
16540
|
description: "Slot-level defaults are required before tenant overrides exist."
|
|
14629
16541
|
},
|
|
14630
16542
|
{
|
|
14631
|
-
component: "
|
|
16543
|
+
component: "control-plane",
|
|
16544
|
+
table: "permitAccessReviewItems",
|
|
16545
|
+
prepopulation: "runtime_data",
|
|
16546
|
+
copyMode: "none",
|
|
16547
|
+
description: "Permit access-review item rows are tenant review data projected from Permit."
|
|
16548
|
+
},
|
|
16549
|
+
{
|
|
16550
|
+
component: "control-plane",
|
|
16551
|
+
table: "permitAccessReviews",
|
|
16552
|
+
prepopulation: "runtime_data",
|
|
16553
|
+
copyMode: "none",
|
|
16554
|
+
description: "Permit access-review campaigns are tenant review data projected from Permit."
|
|
16555
|
+
},
|
|
16556
|
+
{
|
|
16557
|
+
component: "control-plane",
|
|
16558
|
+
table: "permitAttributeBindings",
|
|
16559
|
+
prepopulation: "runtime_data",
|
|
16560
|
+
copyMode: "none",
|
|
16561
|
+
description: "Permit ABAC attribute bindings are tenant policy projection rows."
|
|
16562
|
+
},
|
|
16563
|
+
{
|
|
16564
|
+
component: "control-plane",
|
|
16565
|
+
table: "permitGroups",
|
|
16566
|
+
prepopulation: "runtime_data",
|
|
16567
|
+
copyMode: "none",
|
|
16568
|
+
description: "Permit groups are tenant-defined policy subjects, not template data."
|
|
16569
|
+
},
|
|
16570
|
+
{
|
|
16571
|
+
component: "control-plane",
|
|
16572
|
+
table: "permitGroupMemberships",
|
|
16573
|
+
prepopulation: "runtime_data",
|
|
16574
|
+
copyMode: "none",
|
|
16575
|
+
description: "Permit group memberships are tenant-specific policy projection rows."
|
|
16576
|
+
},
|
|
16577
|
+
{
|
|
16578
|
+
component: "control-plane",
|
|
16579
|
+
table: "permitPolicyBundles",
|
|
16580
|
+
prepopulation: "runtime_derived",
|
|
16581
|
+
copyMode: "none",
|
|
16582
|
+
description: "Permit policy bundles are derived from the Permit control plane."
|
|
16583
|
+
},
|
|
16584
|
+
{
|
|
16585
|
+
component: "control-plane",
|
|
16586
|
+
table: "permitPolicyDecisionReceipts",
|
|
16587
|
+
prepopulation: "runtime_log",
|
|
16588
|
+
copyMode: "none",
|
|
16589
|
+
description: "Permit decision receipts are runtime authorization audit logs."
|
|
16590
|
+
},
|
|
16591
|
+
{
|
|
16592
|
+
component: "control-plane",
|
|
16593
|
+
table: "permitPrincipalAliases",
|
|
16594
|
+
prepopulation: "runtime_data",
|
|
16595
|
+
copyMode: "none",
|
|
16596
|
+
description: "Permit principal aliases are tenant-specific identity projection rows."
|
|
16597
|
+
},
|
|
16598
|
+
{
|
|
16599
|
+
component: "control-plane",
|
|
16600
|
+
table: "permitPrincipals",
|
|
16601
|
+
prepopulation: "runtime_data",
|
|
16602
|
+
copyMode: "none",
|
|
16603
|
+
description: "Permit principals are projected from Clerk, Permit, and tenant onboarding flows."
|
|
16604
|
+
},
|
|
16605
|
+
{
|
|
16606
|
+
component: "control-plane",
|
|
16607
|
+
table: "permitProjectionOutbox",
|
|
16608
|
+
prepopulation: "runtime_queue",
|
|
16609
|
+
copyMode: "none",
|
|
16610
|
+
description: "Permit projection outbox rows are runtime sync queue data."
|
|
16611
|
+
},
|
|
16612
|
+
{
|
|
16613
|
+
component: "control-plane",
|
|
16614
|
+
table: "permitRelationshipTuples",
|
|
16615
|
+
prepopulation: "runtime_data",
|
|
16616
|
+
copyMode: "none",
|
|
16617
|
+
description: "Permit ReBAC relationship tuples are tenant policy projection rows."
|
|
16618
|
+
},
|
|
16619
|
+
{
|
|
16620
|
+
component: "control-plane",
|
|
16621
|
+
table: "permitResourceInstances",
|
|
16622
|
+
prepopulation: "runtime_data",
|
|
16623
|
+
copyMode: "none",
|
|
16624
|
+
description: "Permit resource instances are tenant/workspace graph and deployment projection rows."
|
|
16625
|
+
},
|
|
16626
|
+
{
|
|
16627
|
+
component: "control-plane",
|
|
16628
|
+
table: "permitRoleAssignments",
|
|
16629
|
+
prepopulation: "runtime_data",
|
|
16630
|
+
copyMode: "none",
|
|
16631
|
+
description: "Permit role assignments are tenant-specific policy projection rows."
|
|
16632
|
+
},
|
|
16633
|
+
{
|
|
16634
|
+
component: "control-plane",
|
|
14632
16635
|
table: "platformAudienceGrants",
|
|
14633
16636
|
prepopulation: "runtime_data",
|
|
14634
16637
|
copyMode: "none",
|
|
14635
16638
|
description: "Audience grants are principal/group-specific access rows."
|
|
14636
16639
|
},
|
|
14637
16640
|
{
|
|
14638
|
-
component: "
|
|
16641
|
+
component: "control-plane",
|
|
14639
16642
|
table: "platformAudiences",
|
|
14640
16643
|
prepopulation: "required_template",
|
|
14641
16644
|
copyMode: "template_tenant_rewrite",
|
|
@@ -14644,35 +16647,35 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
|
|
|
14644
16647
|
description: "Default tenant audience taxonomy rows are rewritten into each tenant."
|
|
14645
16648
|
},
|
|
14646
16649
|
{
|
|
14647
|
-
component: "
|
|
16650
|
+
component: "control-plane",
|
|
14648
16651
|
table: "platformPolicyDecisionLogs",
|
|
14649
16652
|
prepopulation: "runtime_log",
|
|
14650
16653
|
copyMode: "none",
|
|
14651
16654
|
description: "Policy decisions are runtime audit logs."
|
|
14652
16655
|
},
|
|
14653
16656
|
{
|
|
14654
|
-
component: "
|
|
16657
|
+
component: "control-plane",
|
|
14655
16658
|
table: "projectGrants",
|
|
14656
16659
|
prepopulation: "runtime_data",
|
|
14657
16660
|
copyMode: "none",
|
|
14658
16661
|
description: "Project/topic grants are principal or group-specific access rows."
|
|
14659
16662
|
},
|
|
14660
16663
|
{
|
|
14661
|
-
component: "
|
|
16664
|
+
component: "control-plane",
|
|
14662
16665
|
table: "reasoningPermissions",
|
|
14663
16666
|
prepopulation: "runtime_data",
|
|
14664
16667
|
copyMode: "none",
|
|
14665
16668
|
description: "Reasoning permissions are principal-specific policy rows."
|
|
14666
16669
|
},
|
|
14667
16670
|
{
|
|
14668
|
-
component: "
|
|
16671
|
+
component: "control-plane",
|
|
14669
16672
|
table: "tenantApiKeys",
|
|
14670
16673
|
prepopulation: "runtime_secret",
|
|
14671
16674
|
copyMode: "none",
|
|
14672
16675
|
description: "API keys are tenant credentials and must never be copied."
|
|
14673
16676
|
},
|
|
14674
16677
|
{
|
|
14675
|
-
component: "
|
|
16678
|
+
component: "control-plane",
|
|
14676
16679
|
table: "tenantConfig",
|
|
14677
16680
|
prepopulation: "required_template",
|
|
14678
16681
|
copyMode: "template_tenant_rewrite",
|
|
@@ -14681,7 +16684,7 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
|
|
|
14681
16684
|
description: "Tenant-local config defaults are rewritten during bootstrap."
|
|
14682
16685
|
},
|
|
14683
16686
|
{
|
|
14684
|
-
component: "
|
|
16687
|
+
component: "control-plane",
|
|
14685
16688
|
table: "tenantIntegrations",
|
|
14686
16689
|
prepopulation: "required_template",
|
|
14687
16690
|
copyMode: "template_tenant_rewrite",
|
|
@@ -14690,14 +16693,21 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
|
|
|
14690
16693
|
description: "Non-secret integration descriptors are rewritten into each tenant."
|
|
14691
16694
|
},
|
|
14692
16695
|
{
|
|
14693
|
-
component: "
|
|
16696
|
+
component: "control-plane",
|
|
14694
16697
|
table: "tenantModelSlotBindings",
|
|
14695
16698
|
prepopulation: "runtime_secret",
|
|
14696
16699
|
copyMode: "none",
|
|
14697
16700
|
description: "Tenant model slot bindings reference provider secrets and are runtime-only."
|
|
14698
16701
|
},
|
|
14699
16702
|
{
|
|
14700
|
-
component: "
|
|
16703
|
+
component: "control-plane",
|
|
16704
|
+
table: "tenantPermitSyncStates",
|
|
16705
|
+
prepopulation: "runtime_derived",
|
|
16706
|
+
copyMode: "none",
|
|
16707
|
+
description: "Tenant Permit sync state rows are runtime reconciliation state."
|
|
16708
|
+
},
|
|
16709
|
+
{
|
|
16710
|
+
component: "control-plane",
|
|
14701
16711
|
table: "tenantPolicies",
|
|
14702
16712
|
prepopulation: "required_template",
|
|
14703
16713
|
copyMode: "template_tenant_rewrite",
|
|
@@ -14706,42 +16716,42 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
|
|
|
14706
16716
|
description: "Default tenant policy roles are rewritten during bootstrap."
|
|
14707
16717
|
},
|
|
14708
16718
|
{
|
|
14709
|
-
component: "
|
|
16719
|
+
component: "control-plane",
|
|
14710
16720
|
table: "tenantProviderSecrets",
|
|
14711
16721
|
prepopulation: "runtime_secret",
|
|
14712
16722
|
copyMode: "none",
|
|
14713
16723
|
description: "Provider secrets are credentials and must never be copied."
|
|
14714
16724
|
},
|
|
14715
16725
|
{
|
|
14716
|
-
component: "
|
|
16726
|
+
component: "control-plane",
|
|
14717
16727
|
table: "tenantProxyGatewayUsage",
|
|
14718
16728
|
prepopulation: "runtime_log",
|
|
14719
16729
|
copyMode: "none",
|
|
14720
16730
|
description: "Proxy gateway usage rows are runtime telemetry."
|
|
14721
16731
|
},
|
|
14722
16732
|
{
|
|
14723
|
-
component: "
|
|
16733
|
+
component: "control-plane",
|
|
14724
16734
|
table: "tenantProxyTokenMints",
|
|
14725
16735
|
prepopulation: "runtime_secret",
|
|
14726
16736
|
copyMode: "none",
|
|
14727
16737
|
description: "Proxy token mints are ephemeral secret-bearing runtime rows."
|
|
14728
16738
|
},
|
|
14729
16739
|
{
|
|
14730
|
-
component: "
|
|
16740
|
+
component: "control-plane",
|
|
14731
16741
|
table: "tenantSandboxAuditEvents",
|
|
14732
16742
|
prepopulation: "runtime_log",
|
|
14733
16743
|
copyMode: "none",
|
|
14734
16744
|
description: "Sandbox audit rows are runtime security logs."
|
|
14735
16745
|
},
|
|
14736
16746
|
{
|
|
14737
|
-
component: "
|
|
16747
|
+
component: "control-plane",
|
|
14738
16748
|
table: "tenantSecrets",
|
|
14739
16749
|
prepopulation: "runtime_secret",
|
|
14740
16750
|
copyMode: "none",
|
|
14741
16751
|
description: "Tenant secrets are credentials and must never be copied."
|
|
14742
16752
|
},
|
|
14743
16753
|
{
|
|
14744
|
-
component: "
|
|
16754
|
+
component: "control-plane",
|
|
14745
16755
|
table: "toolAcls",
|
|
14746
16756
|
prepopulation: "required_template",
|
|
14747
16757
|
copyMode: "template_global",
|
|
@@ -14750,7 +16760,7 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
|
|
|
14750
16760
|
description: "Default role-to-tool grants are required for SDK/MCP tool access."
|
|
14751
16761
|
},
|
|
14752
16762
|
{
|
|
14753
|
-
component: "
|
|
16763
|
+
component: "control-plane",
|
|
14754
16764
|
table: "toolRegistry",
|
|
14755
16765
|
prepopulation: "required_template",
|
|
14756
16766
|
copyMode: "template_global",
|
|
@@ -14759,7 +16769,7 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
|
|
|
14759
16769
|
description: "Core tool catalog rows are required before pack or tenant tools exist."
|
|
14760
16770
|
},
|
|
14761
16771
|
{
|
|
14762
|
-
component: "
|
|
16772
|
+
component: "control-plane",
|
|
14763
16773
|
table: "users",
|
|
14764
16774
|
prepopulation: "runtime_bootstrap",
|
|
14765
16775
|
copyMode: "none",
|
|
@@ -15144,11 +17154,11 @@ function readString2(value) {
|
|
|
15144
17154
|
function readNullableNumber(value) {
|
|
15145
17155
|
return typeof value === "number" && Number.isFinite(value) ? value : null;
|
|
15146
17156
|
}
|
|
15147
|
-
function
|
|
17157
|
+
function isRecord5(value) {
|
|
15148
17158
|
return Boolean(value) && typeof value === "object" && !Array.isArray(value);
|
|
15149
17159
|
}
|
|
15150
17160
|
function refreshLucernContextFromBuildSession(payload, args) {
|
|
15151
|
-
if (!
|
|
17161
|
+
if (!isRecord5(payload)) {
|
|
15152
17162
|
return;
|
|
15153
17163
|
}
|
|
15154
17164
|
const topicId = readString2(payload.topicId);
|
|
@@ -15353,7 +17363,8 @@ var edgeHandlers = {
|
|
|
15353
17363
|
topicId: readString(args.topicId ?? args.projectId),
|
|
15354
17364
|
confidence: readNumber(args.confidence),
|
|
15355
17365
|
weight: readNumber(args.weight),
|
|
15356
|
-
context: readString(args.context) ?? readString(args.reasoning)
|
|
17366
|
+
context: readString(args.context) ?? readString(args.reasoning),
|
|
17367
|
+
reasoningMethod: readString(args.reasoningMethod)
|
|
15357
17368
|
})
|
|
15358
17369
|
);
|
|
15359
17370
|
},
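Review bot: `reasoningMethod: readString(args.reasoningMethod)` forwards whatever string the tool caller supplies, while the same bundle declares a closed `REASONING_METHODS` list earlier in the file. Whether the receiving API validates the value is not visible here, so an unknown method may be stored as-is or rejected only downstream. Checking membership at this boundary, e.g. `REASONING_METHODS.includes(m) ? m : undefined`, would keep the field to the declared set. The enclosing handler starts and ends outside this hunk.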
|
|
@@ -16782,7 +18793,7 @@ function readStringArray2(value) {
|
|
|
16782
18793
|
}
|
|
16783
18794
|
return value.map((entry) => readString3(entry)).filter((entry) => Boolean(entry));
|
|
16784
18795
|
}
|
|
16785
|
-
function
|
|
18796
|
+
function isRecord6(value) {
|
|
16786
18797
|
return value !== null && typeof value === "object" && !Array.isArray(value);
|
|
16787
18798
|
}
|
|
16788
18799
|
function decodePrefixedIdOrNull(value) {
|
|
@@ -16797,7 +18808,7 @@ function decodePrefixedIdOrNull(value) {
|
|
|
16797
18808
|
};
|
|
16798
18809
|
}
|
|
16799
18810
|
function asRecord2(value) {
|
|
16800
|
-
return
|
|
18811
|
+
return isRecord6(value) ? value : {};
|
|
16801
18812
|
}
|
|
16802
18813
|
function normalizeTopicId(value) {
|
|
16803
18814
|
const normalized = readString3(value);
|
|
@@ -17932,7 +19943,7 @@ var researchVerificationHandlers = {
|
|
|
17932
19943
|
function cleanString(value) {
|
|
17933
19944
|
return typeof value === "string" && value.trim().length > 0 ? value.trim() : void 0;
|
|
17934
19945
|
}
|
|
17935
|
-
function
|
|
19946
|
+
function isRecord7(value) {
|
|
17936
19947
|
return value !== null && typeof value === "object" && !Array.isArray(value);
|
|
17937
19948
|
}
|
|
17938
19949
|
function prefixId(prefix, value) {
|
|
@@ -17988,7 +19999,7 @@ function toPublicCompiledContext(pack) {
|
|
|
17988
19999
|
scopedTopicIds: (pack.scopedTopicIds ?? []).map((id) => prefixId("top", id)),
|
|
17989
20000
|
generatedAt: pack.generatedAt,
|
|
17990
20001
|
ranking: pack.rankingProfile,
|
|
17991
|
-
summary:
|
|
20002
|
+
summary: isRecord7(pack.summary) ? pack.summary : {},
|
|
17992
20003
|
invariants: (pack.invariants ?? []).map((belief) => ({
|
|
17993
20004
|
beliefId: prefixId("bel", belief.nodeId),
|
|
17994
20005
|
text: belief.canonicalText,
|
|
@@ -18059,7 +20070,7 @@ function toPublicCompiledContext(pack) {
|
|
|
18059
20070
|
}))
|
|
18060
20071
|
} : {}
|
|
18061
20072
|
},
|
|
18062
|
-
diagnostics:
|
|
20073
|
+
diagnostics: isRecord7(pack.diagnostics) ? pack.diagnostics : {},
|
|
18063
20074
|
...pack.compilationMode ? { compilationMode: pack.compilationMode } : {},
|
|
18064
20075
|
...pack.failureContext ? {
|
|
18065
20076
|
failureContext: {
|
|
@@ -18567,6 +20578,21 @@ async function checkWritePolicy(toolName, topicId, authCtx) {
|
|
|
18567
20578
|
authCtx
|
|
18568
20579
|
});
|
|
18569
20580
|
if (!result) {
|
|
20581
|
+
if (authCtx.sessionType === "agent") {
|
|
20582
|
+
return {
|
|
20583
|
+
allowed: false,
|
|
20584
|
+
permission: "deny",
|
|
20585
|
+
toolCategory: null,
|
|
20586
|
+
policy: null,
|
|
20587
|
+
reason: "no_policy_response",
|
|
20588
|
+
explanation: {
|
|
20589
|
+
summary: "Denied because agent write-policy checks fail closed when no policy response is returned.",
|
|
20590
|
+
toolName,
|
|
20591
|
+
role: authCtx.role,
|
|
20592
|
+
topicId
|
|
20593
|
+
}
|
|
20594
|
+
};
|
|
20595
|
+
}
|
|
18570
20596
|
return {
|
|
18571
20597
|
allowed: true,
|
|
18572
20598
|
permission: "allow",
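Review bot: The new guard inside `if (!result)` fails closed only when `authCtx.sessionType === "agent"`; every other session type still falls through to the `allowed: true` / `permission: "allow"` return directly below it, so a missing policy response remains an allow for them. The same split appears in the later `catch (err)` hunk, where non-agent sessions still reach the "Allowing (fail-open)" log line. If that is deliberate, a comment such as `// Non-agent sessions intentionally fail open when the policy service returns nothing` would make it reviewable; otherwise deny should be the default and allow the named exception. The agent deny branch also returns without logging, so a policy backend that stops answering would surface only as agent denials; a `console.warn` carrying `toolName` and `topicId` before the return would give operators a signal. checkWritePolicy starts and ends outside this hunk, and since this is bundled output the change belongs in the original source.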
|
|
@@ -18600,6 +20626,33 @@ async function checkWritePolicy(toolName, topicId, authCtx) {
|
|
|
18600
20626
|
}
|
|
18601
20627
|
return result;
|
|
18602
20628
|
} catch (err) {
|
|
20629
|
+
if (authCtx.sessionType === "agent") {
|
|
20630
|
+
return {
|
|
20631
|
+
allowed: false,
|
|
20632
|
+
permission: "deny",
|
|
20633
|
+
toolCategory: null,
|
|
20634
|
+
policy: null,
|
|
20635
|
+
explanation: {
|
|
20636
|
+
summary: "Denied because agent write-policy checks fail closed on policy evaluation errors.",
|
|
20637
|
+
matchedReasonCode: "WRITE_POLICY_CHECK_ERROR",
|
|
20638
|
+
steps: [
|
|
20639
|
+
{
|
|
20640
|
+
stage: "policy_lookup",
|
|
20641
|
+
outcome: "failed",
|
|
20642
|
+
reasonCode: "WRITE_POLICY_CHECK_ERROR",
|
|
20643
|
+
detail: err instanceof Error ? err.message : "Unknown policy evaluation error."
|
|
20644
|
+
},
|
|
20645
|
+
{
|
|
20646
|
+
stage: "decision",
|
|
20647
|
+
outcome: "failed",
|
|
20648
|
+
reasonCode: "WRITE_POLICY_CHECK_ERROR",
|
|
20649
|
+
detail: "Agent sessions cannot convert a write-policy infrastructure error into an allow."
|
|
20650
|
+
}
|
|
20651
|
+
]
|
|
20652
|
+
},
|
|
20653
|
+
reason: "policy_check_error"
|
|
20654
|
+
};
|
|
20655
|
+
}
|
|
18603
20656
|
console.error(
|
|
18604
20657
|
`[write-policy] Policy check failed for ${toolName}: ${err instanceof Error ? err.message : err}. Allowing (fail-open).`
|
|
18605
20658
|
);
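Review bot: In the agent branch of `catch (err)`, `detail: err instanceof Error ? err.message : "Unknown policy evaluation error."` copies the raw exception text into the returned `explanation.steps`, which presumably travels back to the calling agent. Backend error messages can carry internal hostnames, URLs or query fragments, so a fixed detail string in the response with `err.message` kept for the server-side log would be safer. The branch also returns before the existing `console.error`, so fail-closed denials caused by policy evaluation errors are never logged. Moving the log above the `if`, and appending the "Allowing (fail-open)" suffix only on the non-agent path, would cover both outcomes. The function body continues outside this hunk.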
|