@lucern/mcp 0.3.0-alpha.15 → 0.3.0-alpha.17

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -890,13 +890,31 @@ function mergeHeaderRecord(base, addition) {
890
890
  }
891
891
  return Object.fromEntries(headers.entries());
892
892
  }
893
+ function cleanHeaderValue(value) {
894
+ const normalized = value?.trim();
895
+ return normalized ? normalized : void 0;
896
+ }
893
897
  function createGatewayRequestClient(config = {}) {
894
898
  const fetchImpl = config.fetchImpl ?? fetch;
895
899
  const baseUrl = config.baseUrl?.replace(/\/+$/, "") ?? "";
896
900
  const maxRetries = config.maxRetries ?? 2;
897
901
  const requestIdFactory = config.requestIdFactory ?? (() => generatePortableRequestId());
898
902
  async function resolveAuthHeaders() {
899
- const base = config.getAuthHeaders ? await config.getAuthHeaders() : {};
903
+ const provided = config.getAuthHeaders ? await config.getAuthHeaders() : {};
904
+ const headers = new Headers(provided);
905
+ const setIfAbsent = (name, value) => {
906
+ const normalized = cleanHeaderValue(value);
907
+ if (normalized && !headers.has(name)) {
908
+ headers.set(name, normalized);
909
+ }
910
+ };
911
+ setIfAbsent("x-lucern-key", config.apiKey);
912
+ setIfAbsent("x-lucern-session-token", config.userToken);
913
+ setIfAbsent("x-lucern-environment", config.environment);
914
+ setIfAbsent("x-lucern-clerk-id", config.clerkId);
915
+ setIfAbsent("x-lucern-user-id", config.userId ?? config.clerkId);
916
+ setIfAbsent("x-lucern-deployment-host", config.deploymentHost);
917
+ const base = Object.fromEntries(headers.entries());
900
918
  const authContextInput = await resolveConfiguredAuthContext(
901
919
  config.authContext
902
920
  );
@@ -2190,7 +2208,7 @@ function normalizeCanonicalPrincipalIdentity(input, options = {}) {
2190
2208
  })) {
2191
2209
  throw new LucernAccessControlError(
2192
2210
  "clerk_alias_unrecognized",
2193
- "Observed Clerk user id is not attached to the canonical Lucern principal."
2211
+ "Observed Clerk user id does not match the canonical human principal id."
2194
2212
  );
2195
2213
  }
2196
2214
  return {
@@ -7792,7 +7810,7 @@ function createToolRegistryClient(config = {}) {
7792
7810
  }
7793
7811
 
7794
7812
  // ../sdk/src/version.ts
7795
- var LUCERN_SDK_VERSION = "0.3.0-alpha.15";
7813
+ var LUCERN_SDK_VERSION = "0.3.0-alpha.17";
7796
7814
 
7797
7815
  // ../sdk/src/workflowClient.ts
7798
7816
  function normalizeLensQuery(value) {
@@ -8200,6 +8218,12 @@ function toGatewayConfig(config) {
8200
8218
  return {
8201
8219
  baseUrl: config.baseUrl,
8202
8220
  fetchImpl: config.fetchImpl,
8221
+ apiKey: config.apiKey,
8222
+ userToken: config.userToken,
8223
+ environment: config.environment,
8224
+ clerkId: config.clerkId,
8225
+ userId: config.userId,
8226
+ deploymentHost: config.deploymentHost,
8203
8227
  maxRetries: config.maxRetries,
8204
8228
  timeoutMs: config.timeoutMs,
8205
8229
  timeoutMsByMethod: config.timeoutMsByMethod,
@@ -8208,19 +8232,7 @@ function toGatewayConfig(config) {
8208
8232
  onResponse: config.onResponse,
8209
8233
  authContext: config.authContext,
8210
8234
  requireCanonicalAuthContext: config.requireCanonicalAuthContext,
8211
- getAuthHeaders: async () => {
8212
- const base = config.getAuthHeaders ? await config.getAuthHeaders() : {};
8213
- if (config.apiKey && !base["x-lucern-key"] && !base.Authorization) {
8214
- base["x-lucern-key"] = config.apiKey;
8215
- }
8216
- if (config.userToken && !base["x-lucern-session-token"]) {
8217
- base["x-lucern-session-token"] = config.userToken;
8218
- }
8219
- if (config.environment && !base["x-lucern-environment"]) {
8220
- base["x-lucern-environment"] = config.environment;
8221
- }
8222
- return base;
8223
- }
8235
+ getAuthHeaders: config.getAuthHeaders
8224
8236
  };
8225
8237
  }
8226
8238
  function exposeGatewayData(response) {
@@ -11492,7 +11504,7 @@ var SESSION_LIFECYCLE_STATUSES = [
11492
11504
  "revoked"
11493
11505
  ];
11494
11506
  function inferSessionPrincipalType(principalId) {
11495
- if (principalId.startsWith("user:")) {
11507
+ if (/^user_[A-Za-z0-9]+$/.test(principalId)) {
11496
11508
  return "human";
11497
11509
  }
11498
11510
  if (principalId.startsWith("agent:")) {
@@ -13975,7 +13987,7 @@ var IDENTITY_WHOAMI = {
13975
13987
  response: {
13976
13988
  description: "Canonical identity summary for the current session",
13977
13989
  fields: {
13978
- principalId: "string \u2014 canonical federated principal identifier",
13990
+ principalId: "string \u2014 canonical principal identifier; for humans this is the Clerk user_... ID",
13979
13991
  principalType: "string \u2014 human, service, agent, group, or external_viewer",
13980
13992
  tenantId: "string | undefined \u2014 resolved tenant scope",
13981
13993
  workspaceId: "string | undefined \u2014 resolved workspace scope",
@@ -13989,7 +14001,7 @@ var IDENTITY_WHOAMI = {
13989
14001
  };
13990
14002
  var RESOLVE_INTERACTIVE_PRINCIPAL = {
13991
14003
  name: "resolve_interactive_principal",
13992
- description: "Read the Permit-backed Lucern principal context for an authenticated Clerk user. Like `git config --get user.email` plus the repository ACL \u2014 resolves the identity alias into the canonical authorization subject.",
14004
+ description: "Read the Permit-backed Lucern principal context for an authenticated Clerk user. Like `git config --get user.email` plus the repository ACL \u2014 resolves the Clerk subject into tenant/workspace authorization context.",
13993
14005
  parameters: {
13994
14006
  clerkId: {
13995
14007
  type: "string",
@@ -14012,7 +14024,7 @@ var RESOLVE_INTERACTIVE_PRINCIPAL = {
14012
14024
  response: {
14013
14025
  description: "Permit-backed Lucern principal context for tenant SDK bootstrap",
14014
14026
  fields: {
14015
- principalId: "string \u2014 canonical Lucern principal identifier",
14027
+ principalId: "string \u2014 canonical Clerk user_... ID for human sessions",
14016
14028
  principalType: "string \u2014 human, service, agent, group, or external_viewer",
14017
14029
  clerkId: "string \u2014 authenticated Clerk subject alias",
14018
14030
  tenantId: "string \u2014 resolved tenant scope",
@@ -14840,7 +14852,7 @@ var MANAGE_WRITE_POLICY = {
14840
14852
  },
14841
14853
  role: {
14842
14854
  type: "string",
14843
- description: "Role to set policy for (required for 'set'). E.g. 'agent:internal', 'user:analyst'."
14855
+ description: "Role to set policy for (required for 'set'). E.g. 'agent:internal' or a Permit role key such as 'workspace_admin'."
14844
14856
  },
14845
14857
  permission: {
14846
14858
  type: "string",
@@ -17893,6 +17905,7 @@ defineTable({
17893
17905
  shape: z.object({
17894
17906
  "tenantId": idOf("tenants"),
17895
17907
  "workspaceId": idOf("workspaces").optional(),
17908
+ "environment": z.enum(["dev", "staging", "prod"]).optional(),
17896
17909
  "keyPrefix": z.enum(["luc", "stk"]),
17897
17910
  "keyHash": z.string(),
17898
17911
  "keyHint": z.string(),
@@ -17920,7 +17933,7 @@ defineTable({
17920
17933
  shape: z.object({
17921
17934
  "tenantId": idOf("tenants").optional(),
17922
17935
  "apiKeyId": idOf("apiKeys").optional(),
17923
- "action": z.enum(["key_created", "key_revoked", "key_expired", "key_used", "tenant_secret_created", "tenant_secret_rotated", "tenant_secret_revoked", "tenant_slot_binding_upserted", "tenant_slot_binding_revoked", "proxy_token_minted", "proxy_token_lease_issued", "proxy_token_lease_renewed", "proxy_token_lease_revoked", "proxy_request_recorded", "tenant_created", "tenant_updated", "tenant_suspended", "tenant_archived", "tenant_reactivated", "principal_created", "principal_updated", "principal_suspended", "principal_identity_alias_upserted", "principal_identity_alias_revoked", "membership_created", "membership_updated", "membership_revoked", "group_created", "group_updated", "group_deleted", "group_member_added", "group_member_removed", "workspace_created", "workspace_updated", "workspace_archived", "workspace_deployment_set", "workspace_deployment_removed", "deployment_host_registered", "deployment_host_revoked", "service_key_created", "service_key_rotated", "service_key_revoked", "service_key_used", "service_key_auth_failed", "session_created", "session_validated", "session_revoked", "session_cascade_revoked", "session_expired", "sandbox_created", "sandbox_secret_injected", "sandbox_execution_started", "sandbox_execution_completed", "sandbox_limit_violated", "policy_created", "policy_updated", "policy_enforced", "policy_archived", "permit_sync_enqueued", "permit_sync_succeeded", "permit_sync_failed", "permit_sync_skipped", "agent_registered", "agent_updated", "tool_registered", "tool_updated", "pack_entitled", "pack_installed", "pack_enabled", "pack_disabled", "pack_entitlement_revoked", "pack_upgraded", "pack_upgrade_committed", "pack_upgrade_rolled_back", "pack_group_assigned", "pack_group_unassigned", "methodology_pack_created", "methodology_pack_updated", "methodology_pack_assigned", "methodology_pack_removed", "pack_assigned_to_group", "pack_revoked_from_group", "pack_ontology_materialized", "pack_ontology_topic_bound", "cutover_flag_set", "cutover_flag_cleared"]),
17936
+ "action": z.enum(["key_created", "key_revoked", "key_expired", "key_used", "tenant_secret_created", "tenant_secret_rotated", "tenant_secret_revoked", "tenant_slot_binding_upserted", "tenant_slot_binding_revoked", "proxy_token_minted", "proxy_token_lease_issued", "proxy_token_lease_renewed", "proxy_token_lease_revoked", "proxy_request_recorded", "tenant_created", "tenant_updated", "tenant_suspended", "tenant_archived", "tenant_reactivated", "tenant_clerk_organization_linked", "principal_created", "principal_updated", "principal_suspended", "principal_identity_alias_upserted", "principal_identity_alias_revoked", "membership_created", "membership_updated", "membership_revoked", "group_created", "group_updated", "group_deleted", "group_member_added", "group_member_removed", "workspace_created", "workspace_updated", "workspace_archived", "workspace_deployment_set", "workspace_deployment_removed", "deployment_host_registered", "deployment_host_revoked", "service_key_created", "service_key_rotated", "service_key_revoked", "service_key_used", "service_key_auth_failed", "session_created", "session_validated", "session_revoked", "session_cascade_revoked", "session_expired", "sandbox_created", "sandbox_secret_injected", "sandbox_execution_started", "sandbox_execution_completed", "sandbox_limit_violated", "policy_created", "policy_updated", "policy_enforced", "policy_archived", "permit_sync_enqueued", "permit_sync_succeeded", "permit_sync_failed", "permit_sync_skipped", "agent_registered", "agent_updated", "tool_registered", "tool_updated", "pack_entitled", "pack_installed", "pack_enabled", "pack_disabled", "pack_entitlement_revoked", "pack_upgraded", "pack_upgrade_committed", "pack_upgrade_rolled_back", "pack_group_assigned", "pack_group_unassigned", "methodology_pack_created", "methodology_pack_updated", "methodology_pack_assigned", "methodology_pack_removed", "pack_assigned_to_group", "pack_revoked_from_group", "pack_ontology_materialized", "pack_ontology_topic_bound", "cutover_flag_set", "cutover_flag_cleared"]),
17924
17937
  "actorClerkId": z.string(),
17925
17938
  "details": z.any().optional(),
17926
17939
  "createdAt": z.number()
@@ -23131,6 +23144,21 @@ var INFISICAL_RUNTIME_PATHS = [
23131
23144
  }
23132
23145
  ]
23133
23146
  },
23147
+ {
23148
+ id: "platform-operator-credentials",
23149
+ secretPath: "/platform/runtime",
23150
+ description: "Lucern-owned operator credential material for local CLI, MCP, and SDK sessions.",
23151
+ variables: [
23152
+ {
23153
+ name: "LUCERN_API_KEY",
23154
+ required: false,
23155
+ secret: true,
23156
+ public: false,
23157
+ aliases: ["LUCERN_KEY"],
23158
+ description: "Lucern-owned operator API key for gateway calls from trusted local tooling."
23159
+ }
23160
+ ]
23161
+ },
23134
23162
  {
23135
23163
  id: "tenant-shared-install",
23136
23164
  secretPath: TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH,
@@ -23166,7 +23194,7 @@ var INFISICAL_RUNTIME_SURFACES = [
23166
23194
  id: "lucern-sdk",
23167
23195
  packageName: "@lucern/sdk",
23168
23196
  delivery: "runtime_fetch",
23169
- sourcePathIds: ["platform-runtime"],
23197
+ sourcePathIds: ["platform-runtime", "platform-operator-credentials"],
23170
23198
  consumer: "server-side SDK operator contexts with a scoped Infisical identity",
23171
23199
  description: "SDK exposes the runtime Infisical resolver used by clients that have machine identity credentials."
23172
23200
  },
@@ -23175,7 +23203,7 @@ var INFISICAL_RUNTIME_SURFACES = [
23175
23203
  packageName: "@lucern/cli",
23176
23204
  delivery: "runtime_fetch",
23177
23205
  fallback: "device_auth",
23178
- sourcePathIds: ["platform-runtime"],
23206
+ sourcePathIds: ["platform-runtime", "platform-operator-credentials"],
23179
23207
  consumer: "developer/operator CLI processes",
23180
23208
  description: "CLI hydrates runtime defaults from Infisical when configured, then authenticates users through Lucern device login."
23181
23209
  },
@@ -23184,7 +23212,7 @@ var INFISICAL_RUNTIME_SURFACES = [
23184
23212
  packageName: "@lucern/mcp",
23185
23213
  delivery: "runtime_fetch",
23186
23214
  fallback: "device_auth",
23187
- sourcePathIds: ["platform-runtime"],
23215
+ sourcePathIds: ["platform-runtime", "platform-operator-credentials"],
23188
23216
  consumer: "MCP server/client processes",
23189
23217
  description: "MCP hydrates runtime defaults through the SDK resolver and remains a Lucern client, not a platform secret owner."
23190
23218
  },
@@ -25665,9 +25693,33 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
25665
25693
  "consumer": "server-side SDK operator contexts with a scoped Infisical identity",
25666
25694
  "description": "SDK exposes the runtime Infisical resolver used by clients that have machine identity credentials.",
25667
25695
  "sourcePathIds": [
25668
- "platform-runtime"
25696
+ "platform-runtime",
25697
+ "platform-operator-credentials"
25669
25698
  ],
25670
25699
  "variables": [
25700
+ {
25701
+ "canonicalName": "LUCERN_API_KEY",
25702
+ "envNames": [
25703
+ "LUCERN_API_KEY",
25704
+ "LUCERN_KEY"
25705
+ ],
25706
+ "aliases": [
25707
+ "LUCERN_KEY"
25708
+ ],
25709
+ "writeNames": [
25710
+ "LUCERN_API_KEY"
25711
+ ],
25712
+ "required": false,
25713
+ "secret": true,
25714
+ "public": false,
25715
+ "sourcePath": "/platform/runtime",
25716
+ "environmentPolicy": "environment_specific",
25717
+ "consumers": [
25718
+ "lucern-sdk"
25719
+ ],
25720
+ "destinations": [],
25721
+ "description": "Lucern-owned operator API key for gateway calls from trusted local tooling."
25722
+ },
25671
25723
  {
25672
25724
  "canonicalName": "LUCERN_API_URL",
25673
25725
  "envNames": [
@@ -25768,9 +25820,57 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
25768
25820
  "consumer": "developer/operator CLI processes",
25769
25821
  "description": "CLI hydrates runtime defaults from Infisical when configured, then authenticates users through Lucern device login.",
25770
25822
  "sourcePathIds": [
25771
- "platform-runtime"
25823
+ "platform-runtime",
25824
+ "platform-operator-credentials"
25772
25825
  ],
25773
25826
  "variables": [
25827
+ {
25828
+ "canonicalName": "LUCERN_API_KEY",
25829
+ "envNames": [
25830
+ "LUCERN_API_KEY",
25831
+ "LUCERN_KEY"
25832
+ ],
25833
+ "aliases": [
25834
+ "LUCERN_KEY"
25835
+ ],
25836
+ "writeNames": [
25837
+ "LUCERN_API_KEY"
25838
+ ],
25839
+ "required": false,
25840
+ "secret": true,
25841
+ "public": false,
25842
+ "sourcePath": "/platform/runtime",
25843
+ "environmentPolicy": "environment_specific",
25844
+ "consumers": [
25845
+ "lucern-cli",
25846
+ "lucern-mcp",
25847
+ "lucern-repo-ci"
25848
+ ],
25849
+ "destinations": [
25850
+ {
25851
+ "kind": "runtime_fetch",
25852
+ "target": "lucern-cli-mcp-sdk",
25853
+ "writeNames": [
25854
+ "LUCERN_API_KEY"
25855
+ ]
25856
+ },
25857
+ {
25858
+ "kind": "operator_local",
25859
+ "target": "lucern-repo",
25860
+ "writeNames": [
25861
+ "LUCERN_API_KEY"
25862
+ ]
25863
+ },
25864
+ {
25865
+ "kind": "github_actions",
25866
+ "target": "LucernAI/lucern",
25867
+ "writeNames": [
25868
+ "LUCERN_API_KEY"
25869
+ ]
25870
+ }
25871
+ ],
25872
+ "description": "Lucern-owned operator API key for gateway calls from trusted local tooling. Lucern-owned operator API key for trusted CLI/MCP/CI calls. Source it from /platform/runtime; do not persist it into local user credential files."
25873
+ },
25774
25874
  {
25775
25875
  "canonicalName": "LUCERN_API_URL",
25776
25876
  "envNames": [
@@ -26109,7 +26209,8 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
26109
26209
  "consumer": "MCP server/client processes",
26110
26210
  "description": "MCP hydrates runtime defaults through the SDK resolver and remains a Lucern client, not a platform secret owner.",
26111
26211
  "sourcePathIds": [
26112
- "platform-runtime"
26212
+ "platform-runtime",
26213
+ "platform-operator-credentials"
26113
26214
  ],
26114
26215
  "variables": [
26115
26216
  {
@@ -26197,6 +26298,53 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
26197
26298
  ],
26198
26299
  "description": "Lucern-owned Clerk backend secret. Never route to tenant-owned apps unless that tenant is Lucern itself."
26199
26300
  },
26301
+ {
26302
+ "canonicalName": "LUCERN_API_KEY",
26303
+ "envNames": [
26304
+ "LUCERN_API_KEY",
26305
+ "LUCERN_KEY"
26306
+ ],
26307
+ "aliases": [
26308
+ "LUCERN_KEY"
26309
+ ],
26310
+ "writeNames": [
26311
+ "LUCERN_API_KEY"
26312
+ ],
26313
+ "required": false,
26314
+ "secret": true,
26315
+ "public": false,
26316
+ "sourcePath": "/platform/runtime",
26317
+ "environmentPolicy": "environment_specific",
26318
+ "consumers": [
26319
+ "lucern-cli",
26320
+ "lucern-mcp",
26321
+ "lucern-repo-ci"
26322
+ ],
26323
+ "destinations": [
26324
+ {
26325
+ "kind": "runtime_fetch",
26326
+ "target": "lucern-cli-mcp-sdk",
26327
+ "writeNames": [
26328
+ "LUCERN_API_KEY"
26329
+ ]
26330
+ },
26331
+ {
26332
+ "kind": "operator_local",
26333
+ "target": "lucern-repo",
26334
+ "writeNames": [
26335
+ "LUCERN_API_KEY"
26336
+ ]
26337
+ },
26338
+ {
26339
+ "kind": "github_actions",
26340
+ "target": "LucernAI/lucern",
26341
+ "writeNames": [
26342
+ "LUCERN_API_KEY"
26343
+ ]
26344
+ }
26345
+ ],
26346
+ "description": "Lucern-owned operator API key for gateway calls from trusted local tooling. Lucern-owned operator API key for trusted CLI/MCP/CI calls. Source it from /platform/runtime; do not persist it into local user credential files."
26347
+ },
26200
26348
  {
26201
26349
  "canonicalName": "LUCERN_API_URL",
26202
26350
  "envNames": [
@@ -26937,7 +27085,7 @@ function compactRecord2(input) {
26937
27085
  Object.entries(input).filter(([, value]) => value !== void 0)
26938
27086
  );
26939
27087
  }
26940
- var listBeliefsProjection = defineProjection({
27088
+ defineProjection({
26941
27089
  contractName: "list_beliefs",
26942
27090
  inputSchema: listBeliefsInputSchema,
26943
27091
  project: (input) => compactRecord2({
@@ -27566,11 +27714,8 @@ var identityContracts = [
27566
27714
  sdkNamespace: "identity",
27567
27715
  sdkMethod: "whoami",
27568
27716
  summary: "Describe the current gateway principal.",
27569
- convex: {
27570
- module: "identity",
27571
- functionName: "whoami",
27572
- kind: "query",
27573
- inputProjection: withPrincipal
27717
+ gateway: {
27718
+ handler: "identity.whoami"
27574
27719
  }
27575
27720
  }),
27576
27721
  surfaceContract({
@@ -27590,7 +27735,7 @@ var identityContracts = [
27590
27735
  providerProjectId: z.string().min(1).optional()
27591
27736
  }),
27592
27737
  convex: {
27593
- module: "identity",
27738
+ module: "platform",
27594
27739
  functionName: "resolveInteractivePrincipal",
27595
27740
  kind: "query"
27596
27741
  }
@@ -27674,15 +27819,6 @@ var beliefLookupInput = (input) => compactRecord4({
27674
27819
  var beliefNodeInput = (input) => compactRecord4({
27675
27820
  nodeId: input.nodeId ?? input.id ?? input.beliefId
27676
27821
  });
27677
- var beliefTopicInput = (input) => {
27678
- const parsed = listBeliefsProjection.inputSchema.safeParse(input);
27679
- if (!parsed.success) {
27680
- throw new Error(
27681
- `list_beliefs projection input rejected: ${parsed.error.message}`
27682
- );
27683
- }
27684
- return compactRecord4(listBeliefsProjection.project(parsed.data));
27685
- };
27686
27822
  var createBeliefInput = (input, context) => {
27687
27823
  return withUserId(
27688
27824
  compactRecord4({
@@ -27771,11 +27907,8 @@ var beliefsContracts = [
27771
27907
  sdkNamespace: "beliefs",
27772
27908
  sdkMethod: "listBeliefs",
27773
27909
  summary: "List beliefs for a topic.",
27774
- convex: {
27775
- module: "beliefs",
27776
- functionName: "getByTopic",
27777
- kind: "query",
27778
- inputProjection: beliefTopicInput
27910
+ gateway: {
27911
+ handler: "beliefs.list"
27779
27912
  },
27780
27913
  args: listBeliefsInputSchema
27781
27914
  }),
@@ -27960,12 +28093,6 @@ var evidenceIdInput = (input) => compactRecord4({
27960
28093
  insightId: input.insightId,
27961
28094
  nodeId: input.nodeId ?? input.id ?? input.evidenceId
27962
28095
  });
27963
- var evidenceTopicInput = (input) => compactRecord4({
27964
- topicId: input.topicId,
27965
- status: input.status,
27966
- userId: input.userId,
27967
- limit: input.limit
27968
- });
27969
28096
  var createEvidenceInput = (input, context) => {
27970
28097
  const parsed = createEvidenceProjection.inputSchema.safeParse(input);
27971
28098
  if (!parsed.success) {
@@ -28096,11 +28223,8 @@ var evidenceContracts = [
28096
28223
  sdkNamespace: "evidence",
28097
28224
  sdkMethod: "listEvidence",
28098
28225
  summary: "List evidence for a topic.",
28099
- convex: {
28100
- module: "evidence",
28101
- functionName: "getByTopic",
28102
- kind: "query",
28103
- inputProjection: evidenceTopicInput
28226
+ gateway: {
28227
+ handler: "evidence.list"
28104
28228
  }
28105
28229
  }),
28106
28230
  surfaceContract({
@@ -28335,11 +28459,8 @@ var questionsContracts = [
28335
28459
  sdkNamespace: "questions",
28336
28460
  sdkMethod: "listQuestions",
28337
28461
  summary: "List questions for a topic.",
28338
- convex: {
28339
- module: "questions",
28340
- functionName: "getByTopic",
28341
- kind: "query",
28342
- inputProjection: questionTopicInput
28462
+ gateway: {
28463
+ handler: "questions.list"
28343
28464
  }
28344
28465
  }),
28345
28466
  surfaceContract({
@@ -29444,6 +29565,19 @@ var worktreeEvidenceSignalInputSchema = z.object({
29444
29565
  progress: z.string().optional().describe("Collection progress note for the signal."),
29445
29566
  notes: z.string().optional().describe("Additional evidence collection notes.")
29446
29567
  }).passthrough().describe("Evidence signal embedded in the worktree plan.");
29568
+ var worktreeDocCompanionTargetSchema = z.object({
29569
+ docPath: z.string().describe(
29570
+ "Repo-relative path to a documentation file the worktree promises to update."
29571
+ ),
29572
+ sectionAnchor: z.string().optional().describe(
29573
+ "Markdown heading anchor (e.g. '## Function-surface manifest') that scopes the promised update."
29574
+ ),
29575
+ reason: z.string().describe(
29576
+ "Why this doc section must be updated for the worktree to be complete."
29577
+ )
29578
+ }).passthrough().describe(
29579
+ "Intent-driven docs companion target. pr-gate-reviewer verifies that the PR actually touches each declared (docPath, sectionAnchor). Distinct from the touch-driven docs-loop. See docs/development/docs-sync-discipline.md Lock 3."
29580
+ );
29447
29581
  var worktreeDecisionGateInputSchema = z.object({
29448
29582
  goCriteria: z.array(z.string()).describe("Criteria that must hold for the worktree to proceed."),
29449
29583
  noGoSignals: z.array(z.string()).describe("Signals that stop or redirect the worktree."),
@@ -29476,6 +29610,9 @@ var addWorktreeArgs = z.object({
29476
29610
  keyQuestions: z.array(worktreeKeyQuestionInputSchema).optional().describe("Inline key questions captured as part of the worktree plan."),
29477
29611
  evidenceSignals: z.array(worktreeEvidenceSignalInputSchema).optional().describe("Evidence signals the worktree needs to collect or validate."),
29478
29612
  decisionGate: worktreeDecisionGateInputSchema.optional(),
29613
+ docCompanionTargets: z.array(worktreeDocCompanionTargetSchema).optional().describe(
29614
+ "Doc sections the worktree promises to update at PR time. Enforced by pr-gate-reviewer (Lock 3)."
29615
+ ),
29479
29616
  goCriteria: z.array(z.string()).optional().describe("Shorthand go criteria used to build decisionGate."),
29480
29617
  noGoSignals: z.array(z.string()).optional().describe("Shorthand no-go signals used to build decisionGate."),
29481
29618
  proofArtifacts: z.array(z.unknown()).optional().describe("Expected proof artifacts required to close the worktree."),
@@ -34658,7 +34795,7 @@ function createLucernStandaloneMcpServer(options) {
34658
34795
  });
34659
34796
  const server = new McpServer({
34660
34797
  name: "lucern-mcp",
34661
- version: "0.3.0-alpha.15"
34798
+ version: "0.3.0-alpha.17"
34662
34799
  });
34663
34800
  registerTools(server, runtime);
34664
34801
  const resources = registerResources(server, runtime, observationStore);