@lucern/mcp 0.3.0-alpha.12 → 0.3.0-alpha.14

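--- a/package/dist/runtime.js
+++ b/package/dist/runtime.js
@@ -1238,6 +1238,35 @@ defineTable({
  { kind: "index", name: "by_source", columns: ["source"] }
  ]
  });
+ defineTable({
+ name: "domainEvents",
+ component: "kernel",
+ category: "events",
+ shape: z.object({
+ "eventId": z.string(),
+ "type": z.string(),
+ "version": z.string(),
+ "timestamp": z.number(),
+ "tenantId": z.string().optional(),
+ "workspaceId": z.string().optional(),
+ "topicId": z.string(),
+ "resourceId": z.string(),
+ "resourceType": z.string(),
+ "actorId": z.string(),
+ "actorType": z.enum(["human", "agent", "service"]),
+ "data": z.record(z.any()),
+ "correlationId": z.string().optional(),
+ "expiresAt": z.number()
+ }),
+ indices: [
+ { kind: "index", name: "by_eventId", columns: ["eventId"] },
+ { kind: "index", name: "by_topic_timestamp", columns: ["topicId", "timestamp"] },
+ { kind: "index", name: "by_tenant_workspace_timestamp", columns: ["tenantId", "workspaceId", "timestamp"] },
+ { kind: "index", name: "by_type_timestamp", columns: ["type", "timestamp"] },
+ { kind: "index", name: "by_resource", columns: ["resourceType", "resourceId", "timestamp"] },
+ { kind: "index", name: "by_expiresAt", columns: ["expiresAt"] }
+ ]
+ });
  defineTable({
  name: "beliefConfidence",
  component: "kernel",
@@ -4644,7 +4673,10 @@ defineTable({
  }),
  indices: [
  { kind: "index", name: "by_principalId", columns: ["principalId"] },
+ { kind: "index", name: "by_provider_subject", columns: ["provider", "providerSubjectId"] },
+ { kind: "index", name: "by_provider_project_subject", columns: ["provider", "providerProjectId", "providerSubjectId"] },
  { kind: "index", name: "by_tenant_provider_subject", columns: ["tenantId", "provider", "providerSubjectId"] },
+ { kind: "index", name: "by_tenant_provider_project_subject", columns: ["tenantId", "provider", "providerProjectId", "providerSubjectId"] },
  {
  kind: "index",
  name: "by_tenant_provider_alias",
@@ -9686,7 +9718,7 @@ var IDENTITY_WHOAMI = {
  description: "Canonical identity summary for the current session",
  fields: {
  principalId: "string \u2014 canonical federated principal identifier",
- principalType: "string \u2014 human, service, or agent",
+ principalType: "string \u2014 human, service, agent, group, or external_viewer",
  tenantId: "string | undefined \u2014 resolved tenant scope",
  workspaceId: "string | undefined \u2014 resolved workspace scope",
  scopes: "string[] | undefined \u2014 granted scopes for this session",
@@ -9697,6 +9729,49 @@ var IDENTITY_WHOAMI = {
  ontologyPrimitive: "identity",
  tier: "workhorse"
  };
+ var RESOLVE_INTERACTIVE_PRINCIPAL = {
+ name: "resolve_interactive_principal",
+ description: "Read the Permit-backed Lucern principal context for an authenticated Clerk user. Like `git config --get user.email` plus the repository ACL \u2014 resolves the identity alias into the canonical authorization subject.",
+ parameters: {
+ clerkId: {
+ type: "string",
+ description: "Authenticated Clerk subject (`sub`). Clerk proves identity only; it is not the authorization record."
+ },
+ tenantId: {
+ type: "string",
+ description: "Optional tenant scope. Omit only when the Clerk alias is globally unambiguous."
+ },
+ workspaceId: {
+ type: "string",
+ description: "Optional workspace scope. Required when the principal has access to multiple workspaces and no default can be inferred."
+ },
+ providerProjectId: {
+ type: "string",
+ description: "Optional Clerk project or provider instance id for tenants with multiple identity providers."
+ }
+ },
+ required: ["clerkId"],
+ response: {
+ description: "Permit-backed Lucern principal context for tenant SDK bootstrap",
+ fields: {
+ principalId: "string \u2014 canonical Lucern principal identifier",
+ principalType: "string \u2014 human, service, agent, group, or external_viewer",
+ clerkId: "string \u2014 authenticated Clerk subject alias",
+ tenantId: "string \u2014 resolved tenant scope",
+ workspaceId: "string | null \u2014 resolved workspace scope",
+ roles: "string[] \u2014 effective Permit roles",
+ scopes: "string[] \u2014 effective scopes derived from Permit/control-plane projection",
+ groupIds: "string[] \u2014 active Permit group memberships",
+ principalStatus: "string \u2014 active, invited, suspended, disabled, revoked, or missing",
+ tenantStatus: "string \u2014 projected tenant resource status",
+ workspaceStatus: "string \u2014 projected workspace resource status",
+ permit: "object \u2014 Permit subject, tenant, and optional workspace tuple"
+ }
+ },
+ ownerModule: "control-plane",
+ ontologyPrimitive: "identity",
+ tier: "workhorse"
+ };
  var COMPILE_CONTEXT = {
  name: "compile_context",
  description: "Compile a focused reasoning context. If topicId is omitted, Lucern resolves the best topic from the query. Like `git log --graph --decorate` for the reasoning substrate \u2014 returns the canonical Pillar 3 context pack through the public API shape.",
@@ -11599,6 +11674,7 @@ var MCP_TOOL_CONTRACTS = {
  update_worktree_targets: UPDATE_WORKTREE_TARGETS,
  update_worktree_metadata: UPDATE_WORKTREE_METADATA,
  identity_whoami: IDENTITY_WHOAMI,
+ resolve_interactive_principal: RESOLVE_INTERACTIVE_PRINCIPAL,
  compile_context: COMPILE_CONTEXT,
  record_scope_learning: RECORD_SCOPE_LEARNING,
  pipeline_snapshot: PIPELINE_SNAPSHOT,
@@ -11716,6 +11792,7 @@ function entries(names, surfaceClass, surfaceIntent, surfaces, rationale) {
  var MCP_CORE_OPERATION_NAMES = [
  "compile_context",
  "identity_whoami",
+ "resolve_interactive_principal",
  "check_permission",
  "filter_by_permission",
  "create_belief",
@@ -12269,7 +12346,13 @@ function surfaceContract(args) {
  scopes: args.scopes ?? [
  args.kind === "query" ? `${args.domain}.read` : `${args.domain}.write`
  ],
- allowedPrincipalTypes: ["user", "service", "agent"]
+ allowedPrincipalTypes: [
+ "user",
+ "service",
+ "agent",
+ "group",
+ "external_viewer"
+ ]
  },
  convex: args.convex,
  gateway: args.gateway,
@@ -12411,8 +12494,6 @@ var contextContracts = [
  args: observationContextArgs
  })
  ];
-
- // ../contracts/src/function-registry/identity.ts
  var withPrincipal = (input, context) => ({
  ...input,
  tenantId: input.tenantId ?? context.tenantId,
@@ -12438,6 +12519,28 @@ var identityContracts = [
  inputProjection: withPrincipal
  }
  }),
+ surfaceContract({
+ name: "resolve_interactive_principal",
+ kind: "query",
+ domain: "controlPlane",
+ surfaceClass: "platform_public",
+ method: "POST",
+ path: "/control-plane/identity/resolve-interactive-principal",
+ sdkNamespace: "controlPlane.identity",
+ sdkMethod: "resolveInteractivePrincipal",
+ summary: "Resolve an authenticated Clerk user into a Permit-backed Lucern principal context.",
+ args: z.object({
+ clerkId: z.string().min(1),
+ tenantId: z.string().min(1).optional(),
+ workspaceId: z.string().min(1).optional(),
+ providerProjectId: z.string().min(1).optional()
+ }),
+ convex: {
+ module: "identity",
+ functionName: "resolveInteractivePrincipal",
+ kind: "query"
+ }
+ }),
  surfaceContract({
  name: "check_permission",
  kind: "query",
@@ -16241,6 +16344,13 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
  copyMode: "none",
  description: "Deliberation sessions are created by tenant workflows."
  },
+ {
+ component: "kernel",
+ table: "domainEvents",
+ prepopulation: "runtime_log",
+ copyMode: "none",
+ description: "Domain event rows are append-only runtime audit/exhaust data."
+ },
  {
  component: "kernel",
  table: "epistemicAudit",
@@ -18489,6 +18599,14 @@ var generatedFunctionSurfaceHandlers = {
  )
  );
  },
+ async resolve_interactive_principal(args, ctx) {
+ return formatSdkResult(
+ await getSdkClient(ctx).raw.functionSurface.resolveInteractivePrincipal(
+ stripInternalArgs(args),
+ idempotencyKeyFrom(args)
+ )
+ );
+ },
  async run_graph_intelligence_query(args, ctx) {
  return formatSdkResult(
  await getSdkClient(ctx).raw.functionSurface.runGraphIntelligenceQuery(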
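Review bot: `resolve_interactive_principal` takes `clerkId` as a caller-supplied string (`clerkId: z.string().min(1)` in the `identityContracts` entry) on a `platform_public` surface, and nothing visible in this diff ties it to the subject of the calling session. Whether one caller can read another user's roles, scopes, group memberships and status therefore rests entirely on the Convex `identity.resolveInteractivePrincipal` handler, which is not shown. The same release widens the hard-coded `allowedPrincipalTypes` in `surfaceContract` to include `group` and `external_viewer` for every contract built through it, write-kind ones included, so this lookup and all other surfaces admit those types unless something downstream narrows them. I would make the default overridable the way `scopes` already is, `allowedPrincipalTypes: args.allowedPrincipalTypes ?? ["user", "service", "agent"]`, opt individual contracts into the new types, and have the handler reject a `clerkId` that differs from the authenticated subject unless the caller is a trusted service. `surfaceContract` starts and ends outside its hunk, so an existing override may simply not be visible here.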