@lucern/mcp 0.3.0-alpha.15 → 0.3.0-alpha.17

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/dist/index.js CHANGED
@@ -302,13 +302,9 @@ function loadProfile(options) {
302
302
  const localEnv = options.readLocalEnv === false ? {} : readLocalEnvFiles(options.cwd);
303
303
  const mergedEnv = { ...localEnv, ...options.env };
304
304
  const envProfile = profileFromEnvironment(mergedEnv);
305
- const hasEnvCredentials = Boolean(
306
- envProfile.apiKey || envProfile.userToken || envProfile.packKey
307
- );
308
- const explicitProfileSelected = options.profileName !== void 0 || mergedEnv.LUCERN_PROFILE !== void 0;
309
305
  const selectedProfile = options.profileName ?? mergedEnv.LUCERN_PROFILE ?? profiles.activeProfile ?? credentials.LUCERN_PROFILE ?? "default";
310
- const selected = hasEnvCredentials && !explicitProfileSelected ? "env" : selectedProfile;
311
- const savedProfile = hasEnvCredentials && !explicitProfileSelected ? {} : profiles.profiles?.[selectedProfile] ?? {};
306
+ const selected = selectedProfile;
307
+ const savedProfile = profiles.profiles?.[selectedProfile] ?? {};
312
308
  const credentialsProfile = {
313
309
  apiKey: credentials.LUCERN_API_KEY,
314
310
  userToken: readFirst(credentials, ["LUCERN_SESSION_TOKEN", "LUCERN_USER_TOKEN"]),
@@ -1342,6 +1338,7 @@ defineTable({
1342
1338
  shape: z.object({
1343
1339
  "tenantId": idOf("tenants"),
1344
1340
  "workspaceId": idOf("workspaces").optional(),
1341
+ "environment": z.enum(["dev", "staging", "prod"]).optional(),
1345
1342
  "keyPrefix": z.enum(["luc", "stk"]),
1346
1343
  "keyHash": z.string(),
1347
1344
  "keyHint": z.string(),
@@ -1369,7 +1366,7 @@ defineTable({
1369
1366
  shape: z.object({
1370
1367
  "tenantId": idOf("tenants").optional(),
1371
1368
  "apiKeyId": idOf("apiKeys").optional(),
1372
- "action": z.enum(["key_created", "key_revoked", "key_expired", "key_used", "tenant_secret_created", "tenant_secret_rotated", "tenant_secret_revoked", "tenant_slot_binding_upserted", "tenant_slot_binding_revoked", "proxy_token_minted", "proxy_token_lease_issued", "proxy_token_lease_renewed", "proxy_token_lease_revoked", "proxy_request_recorded", "tenant_created", "tenant_updated", "tenant_suspended", "tenant_archived", "tenant_reactivated", "principal_created", "principal_updated", "principal_suspended", "principal_identity_alias_upserted", "principal_identity_alias_revoked", "membership_created", "membership_updated", "membership_revoked", "group_created", "group_updated", "group_deleted", "group_member_added", "group_member_removed", "workspace_created", "workspace_updated", "workspace_archived", "workspace_deployment_set", "workspace_deployment_removed", "deployment_host_registered", "deployment_host_revoked", "service_key_created", "service_key_rotated", "service_key_revoked", "service_key_used", "service_key_auth_failed", "session_created", "session_validated", "session_revoked", "session_cascade_revoked", "session_expired", "sandbox_created", "sandbox_secret_injected", "sandbox_execution_started", "sandbox_execution_completed", "sandbox_limit_violated", "policy_created", "policy_updated", "policy_enforced", "policy_archived", "permit_sync_enqueued", "permit_sync_succeeded", "permit_sync_failed", "permit_sync_skipped", "agent_registered", "agent_updated", "tool_registered", "tool_updated", "pack_entitled", "pack_installed", "pack_enabled", "pack_disabled", "pack_entitlement_revoked", "pack_upgraded", "pack_upgrade_committed", "pack_upgrade_rolled_back", "pack_group_assigned", "pack_group_unassigned", "methodology_pack_created", "methodology_pack_updated", "methodology_pack_assigned", "methodology_pack_removed", "pack_assigned_to_group", "pack_revoked_from_group", "pack_ontology_materialized", "pack_ontology_topic_bound", "cutover_flag_set", "cutover_flag_cleared"]),
1369
+ "action": z.enum(["key_created", "key_revoked", "key_expired", "key_used", "tenant_secret_created", "tenant_secret_rotated", "tenant_secret_revoked", "tenant_slot_binding_upserted", "tenant_slot_binding_revoked", "proxy_token_minted", "proxy_token_lease_issued", "proxy_token_lease_renewed", "proxy_token_lease_revoked", "proxy_request_recorded", "tenant_created", "tenant_updated", "tenant_suspended", "tenant_archived", "tenant_reactivated", "tenant_clerk_organization_linked", "principal_created", "principal_updated", "principal_suspended", "principal_identity_alias_upserted", "principal_identity_alias_revoked", "membership_created", "membership_updated", "membership_revoked", "group_created", "group_updated", "group_deleted", "group_member_added", "group_member_removed", "workspace_created", "workspace_updated", "workspace_archived", "workspace_deployment_set", "workspace_deployment_removed", "deployment_host_registered", "deployment_host_revoked", "service_key_created", "service_key_rotated", "service_key_revoked", "service_key_used", "service_key_auth_failed", "session_created", "session_validated", "session_revoked", "session_cascade_revoked", "session_expired", "sandbox_created", "sandbox_secret_injected", "sandbox_execution_started", "sandbox_execution_completed", "sandbox_limit_violated", "policy_created", "policy_updated", "policy_enforced", "policy_archived", "permit_sync_enqueued", "permit_sync_succeeded", "permit_sync_failed", "permit_sync_skipped", "agent_registered", "agent_updated", "tool_registered", "tool_updated", "pack_entitled", "pack_installed", "pack_enabled", "pack_disabled", "pack_entitlement_revoked", "pack_upgraded", "pack_upgrade_committed", "pack_upgrade_rolled_back", "pack_group_assigned", "pack_group_unassigned", "methodology_pack_created", "methodology_pack_updated", "methodology_pack_assigned", "methodology_pack_removed", "pack_assigned_to_group", "pack_revoked_from_group", "pack_ontology_materialized", "pack_ontology_topic_bound", "cutover_flag_set", "cutover_flag_cleared"]),
1373
1370
  "actorClerkId": z.string(),
1374
1371
  "details": z.any().optional(),
1375
1372
  "createdAt": z.number()
@@ -6580,6 +6577,21 @@ var INFISICAL_RUNTIME_PATHS = [
6580
6577
  }
6581
6578
  ]
6582
6579
  },
6580
+ {
6581
+ id: "platform-operator-credentials",
6582
+ secretPath: "/platform/runtime",
6583
+ description: "Lucern-owned operator credential material for local CLI, MCP, and SDK sessions.",
6584
+ variables: [
6585
+ {
6586
+ name: "LUCERN_API_KEY",
6587
+ required: false,
6588
+ secret: true,
6589
+ public: false,
6590
+ aliases: ["LUCERN_KEY"],
6591
+ description: "Lucern-owned operator API key for gateway calls from trusted local tooling."
6592
+ }
6593
+ ]
6594
+ },
6583
6595
  {
6584
6596
  id: "tenant-shared-install",
6585
6597
  secretPath: TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH,
@@ -6615,7 +6627,7 @@ var INFISICAL_RUNTIME_SURFACES = [
6615
6627
  id: "lucern-sdk",
6616
6628
  packageName: "@lucern/sdk",
6617
6629
  delivery: "runtime_fetch",
6618
- sourcePathIds: ["platform-runtime"],
6630
+ sourcePathIds: ["platform-runtime", "platform-operator-credentials"],
6619
6631
  consumer: "server-side SDK operator contexts with a scoped Infisical identity",
6620
6632
  description: "SDK exposes the runtime Infisical resolver used by clients that have machine identity credentials."
6621
6633
  },
@@ -6624,7 +6636,7 @@ var INFISICAL_RUNTIME_SURFACES = [
6624
6636
  packageName: "@lucern/cli",
6625
6637
  delivery: "runtime_fetch",
6626
6638
  fallback: "device_auth",
6627
- sourcePathIds: ["platform-runtime"],
6639
+ sourcePathIds: ["platform-runtime", "platform-operator-credentials"],
6628
6640
  consumer: "developer/operator CLI processes",
6629
6641
  description: "CLI hydrates runtime defaults from Infisical when configured, then authenticates users through Lucern device login."
6630
6642
  },
@@ -6633,7 +6645,7 @@ var INFISICAL_RUNTIME_SURFACES = [
6633
6645
  packageName: "@lucern/mcp",
6634
6646
  delivery: "runtime_fetch",
6635
6647
  fallback: "device_auth",
6636
- sourcePathIds: ["platform-runtime"],
6648
+ sourcePathIds: ["platform-runtime", "platform-operator-credentials"],
6637
6649
  consumer: "MCP server/client processes",
6638
6650
  description: "MCP hydrates runtime defaults through the SDK resolver and remains a Lucern client, not a platform secret owner."
6639
6651
  },
@@ -9114,9 +9126,33 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
9114
9126
  "consumer": "server-side SDK operator contexts with a scoped Infisical identity",
9115
9127
  "description": "SDK exposes the runtime Infisical resolver used by clients that have machine identity credentials.",
9116
9128
  "sourcePathIds": [
9117
- "platform-runtime"
9129
+ "platform-runtime",
9130
+ "platform-operator-credentials"
9118
9131
  ],
9119
9132
  "variables": [
9133
+ {
9134
+ "canonicalName": "LUCERN_API_KEY",
9135
+ "envNames": [
9136
+ "LUCERN_API_KEY",
9137
+ "LUCERN_KEY"
9138
+ ],
9139
+ "aliases": [
9140
+ "LUCERN_KEY"
9141
+ ],
9142
+ "writeNames": [
9143
+ "LUCERN_API_KEY"
9144
+ ],
9145
+ "required": false,
9146
+ "secret": true,
9147
+ "public": false,
9148
+ "sourcePath": "/platform/runtime",
9149
+ "environmentPolicy": "environment_specific",
9150
+ "consumers": [
9151
+ "lucern-sdk"
9152
+ ],
9153
+ "destinations": [],
9154
+ "description": "Lucern-owned operator API key for gateway calls from trusted local tooling."
9155
+ },
9120
9156
  {
9121
9157
  "canonicalName": "LUCERN_API_URL",
9122
9158
  "envNames": [
@@ -9217,9 +9253,57 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
9217
9253
  "consumer": "developer/operator CLI processes",
9218
9254
  "description": "CLI hydrates runtime defaults from Infisical when configured, then authenticates users through Lucern device login.",
9219
9255
  "sourcePathIds": [
9220
- "platform-runtime"
9256
+ "platform-runtime",
9257
+ "platform-operator-credentials"
9221
9258
  ],
9222
9259
  "variables": [
9260
+ {
9261
+ "canonicalName": "LUCERN_API_KEY",
9262
+ "envNames": [
9263
+ "LUCERN_API_KEY",
9264
+ "LUCERN_KEY"
9265
+ ],
9266
+ "aliases": [
9267
+ "LUCERN_KEY"
9268
+ ],
9269
+ "writeNames": [
9270
+ "LUCERN_API_KEY"
9271
+ ],
9272
+ "required": false,
9273
+ "secret": true,
9274
+ "public": false,
9275
+ "sourcePath": "/platform/runtime",
9276
+ "environmentPolicy": "environment_specific",
9277
+ "consumers": [
9278
+ "lucern-cli",
9279
+ "lucern-mcp",
9280
+ "lucern-repo-ci"
9281
+ ],
9282
+ "destinations": [
9283
+ {
9284
+ "kind": "runtime_fetch",
9285
+ "target": "lucern-cli-mcp-sdk",
9286
+ "writeNames": [
9287
+ "LUCERN_API_KEY"
9288
+ ]
9289
+ },
9290
+ {
9291
+ "kind": "operator_local",
9292
+ "target": "lucern-repo",
9293
+ "writeNames": [
9294
+ "LUCERN_API_KEY"
9295
+ ]
9296
+ },
9297
+ {
9298
+ "kind": "github_actions",
9299
+ "target": "LucernAI/lucern",
9300
+ "writeNames": [
9301
+ "LUCERN_API_KEY"
9302
+ ]
9303
+ }
9304
+ ],
9305
+ "description": "Lucern-owned operator API key for gateway calls from trusted local tooling. Lucern-owned operator API key for trusted CLI/MCP/CI calls. Source it from /platform/runtime; do not persist it into local user credential files."
9306
+ },
9223
9307
  {
9224
9308
  "canonicalName": "LUCERN_API_URL",
9225
9309
  "envNames": [
@@ -9558,7 +9642,8 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
9558
9642
  "consumer": "MCP server/client processes",
9559
9643
  "description": "MCP hydrates runtime defaults through the SDK resolver and remains a Lucern client, not a platform secret owner.",
9560
9644
  "sourcePathIds": [
9561
- "platform-runtime"
9645
+ "platform-runtime",
9646
+ "platform-operator-credentials"
9562
9647
  ],
9563
9648
  "variables": [
9564
9649
  {
@@ -9646,6 +9731,53 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
9646
9731
  ],
9647
9732
  "description": "Lucern-owned Clerk backend secret. Never route to tenant-owned apps unless that tenant is Lucern itself."
9648
9733
  },
9734
+ {
9735
+ "canonicalName": "LUCERN_API_KEY",
9736
+ "envNames": [
9737
+ "LUCERN_API_KEY",
9738
+ "LUCERN_KEY"
9739
+ ],
9740
+ "aliases": [
9741
+ "LUCERN_KEY"
9742
+ ],
9743
+ "writeNames": [
9744
+ "LUCERN_API_KEY"
9745
+ ],
9746
+ "required": false,
9747
+ "secret": true,
9748
+ "public": false,
9749
+ "sourcePath": "/platform/runtime",
9750
+ "environmentPolicy": "environment_specific",
9751
+ "consumers": [
9752
+ "lucern-cli",
9753
+ "lucern-mcp",
9754
+ "lucern-repo-ci"
9755
+ ],
9756
+ "destinations": [
9757
+ {
9758
+ "kind": "runtime_fetch",
9759
+ "target": "lucern-cli-mcp-sdk",
9760
+ "writeNames": [
9761
+ "LUCERN_API_KEY"
9762
+ ]
9763
+ },
9764
+ {
9765
+ "kind": "operator_local",
9766
+ "target": "lucern-repo",
9767
+ "writeNames": [
9768
+ "LUCERN_API_KEY"
9769
+ ]
9770
+ },
9771
+ {
9772
+ "kind": "github_actions",
9773
+ "target": "LucernAI/lucern",
9774
+ "writeNames": [
9775
+ "LUCERN_API_KEY"
9776
+ ]
9777
+ }
9778
+ ],
9779
+ "description": "Lucern-owned operator API key for gateway calls from trusted local tooling. Lucern-owned operator API key for trusted CLI/MCP/CI calls. Source it from /platform/runtime; do not persist it into local user credential files."
9780
+ },
9649
9781
  {
9650
9782
  "canonicalName": "LUCERN_API_URL",
9651
9783
  "envNames": [
@@ -10386,7 +10518,7 @@ function compactRecord2(input) {
10386
10518
  Object.entries(input).filter(([, value]) => value !== void 0)
10387
10519
  );
10388
10520
  }
10389
- var listBeliefsProjection = defineProjection({
10521
+ defineProjection({
10390
10522
  contractName: "list_beliefs",
10391
10523
  inputSchema: listBeliefsInputSchema,
10392
10524
  project: (input) => compactRecord2({
@@ -12895,7 +13027,7 @@ var IDENTITY_WHOAMI = {
12895
13027
  response: {
12896
13028
  description: "Canonical identity summary for the current session",
12897
13029
  fields: {
12898
- principalId: "string \u2014 canonical federated principal identifier",
13030
+ principalId: "string \u2014 canonical principal identifier; for humans this is the Clerk user_... ID",
12899
13031
  principalType: "string \u2014 human, service, agent, group, or external_viewer",
12900
13032
  tenantId: "string | undefined \u2014 resolved tenant scope",
12901
13033
  workspaceId: "string | undefined \u2014 resolved workspace scope",
@@ -12909,7 +13041,7 @@ var IDENTITY_WHOAMI = {
12909
13041
  };
12910
13042
  var RESOLVE_INTERACTIVE_PRINCIPAL = {
12911
13043
  name: "resolve_interactive_principal",
12912
- description: "Read the Permit-backed Lucern principal context for an authenticated Clerk user. Like `git config --get user.email` plus the repository ACL \u2014 resolves the identity alias into the canonical authorization subject.",
13044
+ description: "Read the Permit-backed Lucern principal context for an authenticated Clerk user. Like `git config --get user.email` plus the repository ACL \u2014 resolves the Clerk subject into tenant/workspace authorization context.",
12913
13045
  parameters: {
12914
13046
  clerkId: {
12915
13047
  type: "string",
@@ -12932,7 +13064,7 @@ var RESOLVE_INTERACTIVE_PRINCIPAL = {
12932
13064
  response: {
12933
13065
  description: "Permit-backed Lucern principal context for tenant SDK bootstrap",
12934
13066
  fields: {
12935
- principalId: "string \u2014 canonical Lucern principal identifier",
13067
+ principalId: "string \u2014 canonical Clerk user_... ID for human sessions",
12936
13068
  principalType: "string \u2014 human, service, agent, group, or external_viewer",
12937
13069
  clerkId: "string \u2014 authenticated Clerk subject alias",
12938
13070
  tenantId: "string \u2014 resolved tenant scope",
@@ -13760,7 +13892,7 @@ var MANAGE_WRITE_POLICY = {
13760
13892
  },
13761
13893
  role: {
13762
13894
  type: "string",
13763
- description: "Role to set policy for (required for 'set'). E.g. 'agent:internal', 'user:analyst'."
13895
+ description: "Role to set policy for (required for 'set'). E.g. 'agent:internal' or a Permit role key such as 'workspace_admin'."
13764
13896
  },
13765
13897
  permission: {
13766
13898
  type: "string",
@@ -15702,11 +15834,8 @@ var identityContracts = [
15702
15834
  sdkNamespace: "identity",
15703
15835
  sdkMethod: "whoami",
15704
15836
  summary: "Describe the current gateway principal.",
15705
- convex: {
15706
- module: "identity",
15707
- functionName: "whoami",
15708
- kind: "query",
15709
- inputProjection: withPrincipal
15837
+ gateway: {
15838
+ handler: "identity.whoami"
15710
15839
  }
15711
15840
  }),
15712
15841
  surfaceContract({
@@ -15726,7 +15855,7 @@ var identityContracts = [
15726
15855
  providerProjectId: z.string().min(1).optional()
15727
15856
  }),
15728
15857
  convex: {
15729
- module: "identity",
15858
+ module: "platform",
15730
15859
  functionName: "resolveInteractivePrincipal",
15731
15860
  kind: "query"
15732
15861
  }
@@ -15810,15 +15939,6 @@ var beliefLookupInput = (input) => compactRecord4({
15810
15939
  var beliefNodeInput = (input) => compactRecord4({
15811
15940
  nodeId: input.nodeId ?? input.id ?? input.beliefId
15812
15941
  });
15813
- var beliefTopicInput = (input) => {
15814
- const parsed = listBeliefsProjection.inputSchema.safeParse(input);
15815
- if (!parsed.success) {
15816
- throw new Error(
15817
- `list_beliefs projection input rejected: ${parsed.error.message}`
15818
- );
15819
- }
15820
- return compactRecord4(listBeliefsProjection.project(parsed.data));
15821
- };
15822
15942
  var createBeliefInput = (input, context) => {
15823
15943
  return withUserId(
15824
15944
  compactRecord4({
@@ -15907,11 +16027,8 @@ var beliefsContracts = [
15907
16027
  sdkNamespace: "beliefs",
15908
16028
  sdkMethod: "listBeliefs",
15909
16029
  summary: "List beliefs for a topic.",
15910
- convex: {
15911
- module: "beliefs",
15912
- functionName: "getByTopic",
15913
- kind: "query",
15914
- inputProjection: beliefTopicInput
16030
+ gateway: {
16031
+ handler: "beliefs.list"
15915
16032
  },
15916
16033
  args: listBeliefsInputSchema
15917
16034
  }),
@@ -16096,12 +16213,6 @@ var evidenceIdInput = (input) => compactRecord4({
16096
16213
  insightId: input.insightId,
16097
16214
  nodeId: input.nodeId ?? input.id ?? input.evidenceId
16098
16215
  });
16099
- var evidenceTopicInput = (input) => compactRecord4({
16100
- topicId: input.topicId,
16101
- status: input.status,
16102
- userId: input.userId,
16103
- limit: input.limit
16104
- });
16105
16216
  var createEvidenceInput = (input, context) => {
16106
16217
  const parsed = createEvidenceProjection.inputSchema.safeParse(input);
16107
16218
  if (!parsed.success) {
@@ -16232,11 +16343,8 @@ var evidenceContracts = [
16232
16343
  sdkNamespace: "evidence",
16233
16344
  sdkMethod: "listEvidence",
16234
16345
  summary: "List evidence for a topic.",
16235
- convex: {
16236
- module: "evidence",
16237
- functionName: "getByTopic",
16238
- kind: "query",
16239
- inputProjection: evidenceTopicInput
16346
+ gateway: {
16347
+ handler: "evidence.list"
16240
16348
  }
16241
16349
  }),
16242
16350
  surfaceContract({
@@ -16471,11 +16579,8 @@ var questionsContracts = [
16471
16579
  sdkNamespace: "questions",
16472
16580
  sdkMethod: "listQuestions",
16473
16581
  summary: "List questions for a topic.",
16474
- convex: {
16475
- module: "questions",
16476
- functionName: "getByTopic",
16477
- kind: "query",
16478
- inputProjection: questionTopicInput
16582
+ gateway: {
16583
+ handler: "questions.list"
16479
16584
  }
16480
16585
  }),
16481
16586
  surfaceContract({
@@ -17580,6 +17685,19 @@ var worktreeEvidenceSignalInputSchema = z.object({
17580
17685
  progress: z.string().optional().describe("Collection progress note for the signal."),
17581
17686
  notes: z.string().optional().describe("Additional evidence collection notes.")
17582
17687
  }).passthrough().describe("Evidence signal embedded in the worktree plan.");
17688
+ var worktreeDocCompanionTargetSchema = z.object({
17689
+ docPath: z.string().describe(
17690
+ "Repo-relative path to a documentation file the worktree promises to update."
17691
+ ),
17692
+ sectionAnchor: z.string().optional().describe(
17693
+ "Markdown heading anchor (e.g. '## Function-surface manifest') that scopes the promised update."
17694
+ ),
17695
+ reason: z.string().describe(
17696
+ "Why this doc section must be updated for the worktree to be complete."
17697
+ )
17698
+ }).passthrough().describe(
17699
+ "Intent-driven docs companion target. pr-gate-reviewer verifies that the PR actually touches each declared (docPath, sectionAnchor). Distinct from the touch-driven docs-loop. See docs/development/docs-sync-discipline.md Lock 3."
17700
+ );
17583
17701
  var worktreeDecisionGateInputSchema = z.object({
17584
17702
  goCriteria: z.array(z.string()).describe("Criteria that must hold for the worktree to proceed."),
17585
17703
  noGoSignals: z.array(z.string()).describe("Signals that stop or redirect the worktree."),
@@ -17612,6 +17730,9 @@ var addWorktreeArgs = z.object({
17612
17730
  keyQuestions: z.array(worktreeKeyQuestionInputSchema).optional().describe("Inline key questions captured as part of the worktree plan."),
17613
17731
  evidenceSignals: z.array(worktreeEvidenceSignalInputSchema).optional().describe("Evidence signals the worktree needs to collect or validate."),
17614
17732
  decisionGate: worktreeDecisionGateInputSchema.optional(),
17733
+ docCompanionTargets: z.array(worktreeDocCompanionTargetSchema).optional().describe(
17734
+ "Doc sections the worktree promises to update at PR time. Enforced by pr-gate-reviewer (Lock 3)."
17735
+ ),
17615
17736
  goCriteria: z.array(z.string()).optional().describe("Shorthand go criteria used to build decisionGate."),
17616
17737
  noGoSignals: z.array(z.string()).optional().describe("Shorthand no-go signals used to build decisionGate."),
17617
17738
  proofArtifacts: z.array(z.unknown()).optional().describe("Expected proof artifacts required to close the worktree."),
@@ -21265,13 +21386,31 @@ function mergeHeaderRecord(base, addition) {
21265
21386
  }
21266
21387
  return Object.fromEntries(headers.entries());
21267
21388
  }
21389
+ function cleanHeaderValue(value) {
21390
+ const normalized = value?.trim();
21391
+ return normalized ? normalized : void 0;
21392
+ }
21268
21393
  function createGatewayRequestClient(config = {}) {
21269
21394
  const fetchImpl = config.fetchImpl ?? fetch;
21270
21395
  const baseUrl = config.baseUrl?.replace(/\/+$/, "") ?? "";
21271
21396
  const maxRetries = config.maxRetries ?? 2;
21272
21397
  const requestIdFactory = config.requestIdFactory ?? (() => generatePortableRequestId());
21273
21398
  async function resolveAuthHeaders2() {
21274
- const base = config.getAuthHeaders ? await config.getAuthHeaders() : {};
21399
+ const provided = config.getAuthHeaders ? await config.getAuthHeaders() : {};
21400
+ const headers = new Headers(provided);
21401
+ const setIfAbsent = (name, value) => {
21402
+ const normalized = cleanHeaderValue(value);
21403
+ if (normalized && !headers.has(name)) {
21404
+ headers.set(name, normalized);
21405
+ }
21406
+ };
21407
+ setIfAbsent("x-lucern-key", config.apiKey);
21408
+ setIfAbsent("x-lucern-session-token", config.userToken);
21409
+ setIfAbsent("x-lucern-environment", config.environment);
21410
+ setIfAbsent("x-lucern-clerk-id", config.clerkId);
21411
+ setIfAbsent("x-lucern-user-id", config.userId ?? config.clerkId);
21412
+ setIfAbsent("x-lucern-deployment-host", config.deploymentHost);
21413
+ const base = Object.fromEntries(headers.entries());
21275
21414
  const authContextInput = await resolveConfiguredAuthContext(
21276
21415
  config.authContext
21277
21416
  );
@@ -22565,7 +22704,7 @@ function normalizeCanonicalPrincipalIdentity(input, options = {}) {
22565
22704
  })) {
22566
22705
  throw new LucernAccessControlError(
22567
22706
  "clerk_alias_unrecognized",
22568
- "Observed Clerk user id is not attached to the canonical Lucern principal."
22707
+ "Observed Clerk user id does not match the canonical human principal id."
22569
22708
  );
22570
22709
  }
22571
22710
  return {
@@ -28167,7 +28306,7 @@ function createToolRegistryClient(config = {}) {
28167
28306
  }
28168
28307
 
28169
28308
  // ../sdk/src/version.ts
28170
- var LUCERN_SDK_VERSION = "0.3.0-alpha.15";
28309
+ var LUCERN_SDK_VERSION = "0.3.0-alpha.17";
28171
28310
 
28172
28311
  // ../sdk/src/workflowClient.ts
28173
28312
  function normalizeLensQuery(value) {
@@ -28575,6 +28714,12 @@ function toGatewayConfig(config) {
28575
28714
  return {
28576
28715
  baseUrl: config.baseUrl,
28577
28716
  fetchImpl: config.fetchImpl,
28717
+ apiKey: config.apiKey,
28718
+ userToken: config.userToken,
28719
+ environment: config.environment,
28720
+ clerkId: config.clerkId,
28721
+ userId: config.userId,
28722
+ deploymentHost: config.deploymentHost,
28578
28723
  maxRetries: config.maxRetries,
28579
28724
  timeoutMs: config.timeoutMs,
28580
28725
  timeoutMsByMethod: config.timeoutMsByMethod,
@@ -28583,19 +28728,7 @@ function toGatewayConfig(config) {
28583
28728
  onResponse: config.onResponse,
28584
28729
  authContext: config.authContext,
28585
28730
  requireCanonicalAuthContext: config.requireCanonicalAuthContext,
28586
- getAuthHeaders: async () => {
28587
- const base = config.getAuthHeaders ? await config.getAuthHeaders() : {};
28588
- if (config.apiKey && !base["x-lucern-key"] && !base.Authorization) {
28589
- base["x-lucern-key"] = config.apiKey;
28590
- }
28591
- if (config.userToken && !base["x-lucern-session-token"]) {
28592
- base["x-lucern-session-token"] = config.userToken;
28593
- }
28594
- if (config.environment && !base["x-lucern-environment"]) {
28595
- base["x-lucern-environment"] = config.environment;
28596
- }
28597
- return base;
28598
- }
28731
+ getAuthHeaders: config.getAuthHeaders
28599
28732
  };
28600
28733
  }
28601
28734
  function exposeGatewayData(response) {
@@ -31867,7 +32000,7 @@ var SESSION_LIFECYCLE_STATUSES = [
31867
32000
  "revoked"
31868
32001
  ];
31869
32002
  function inferSessionPrincipalType(principalId) {
31870
- if (principalId.startsWith("user:")) {
32003
+ if (/^user_[A-Za-z0-9]+$/.test(principalId)) {
31871
32004
  return "human";
31872
32005
  }
31873
32006
  if (principalId.startsWith("agent:")) {
@@ -34994,7 +35127,7 @@ function createLucernStandaloneMcpServer(options) {
34994
35127
  });
34995
35128
  const server = new McpServer({
34996
35129
  name: "lucern-mcp",
34997
- version: "0.3.0-alpha.15"
35130
+ version: "0.3.0-alpha.17"
34998
35131
  });
34999
35132
  registerTools(server, runtime);
35000
35133
  const resources = registerResources(server, runtime, observationStore);