@lucern/mcp 0.3.0-alpha.16 → 0.3.0-alpha.17

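--- a/package/README.md
+++ b/package/README.md
@@ -85,7 +85,8 @@ This package is the **external package MCP** surface (`packages/mcp`) intended f
 
  It is intentionally separate from the **internal Convex MCP** runtime under `convex/mcp/*` used by StackOS internals.
 
- See `docs/lucern-replatform/api/mcp-surface-separation.md` for boundary details.
+ See `docs/reference/mcp-event-packages.md` for package-boundary details and
+ `docs/reference/mcp.md` for the generated callable MCP inventory.
 
  ## Claude Code config
 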
package/dist/cli.js CHANGED
@@ -130,13 +130,9 @@ function loadProfile(options) {
130
130
  const localEnv = options.readLocalEnv === false ? {} : readLocalEnvFiles(options.cwd);
131
131
  const mergedEnv = { ...localEnv, ...options.env };
132
132
  const envProfile = profileFromEnvironment(mergedEnv);
133
- const hasEnvCredentials = Boolean(
134
- envProfile.apiKey || envProfile.userToken || envProfile.packKey
135
- );
136
- const explicitProfileSelected = options.profileName !== void 0 || mergedEnv.LUCERN_PROFILE !== void 0;
137
133
  const selectedProfile = options.profileName ?? mergedEnv.LUCERN_PROFILE ?? profiles.activeProfile ?? credentials.LUCERN_PROFILE ?? "default";
138
- const selected = hasEnvCredentials && !explicitProfileSelected ? "env" : selectedProfile;
139
- const savedProfile = hasEnvCredentials && !explicitProfileSelected ? {} : profiles.profiles?.[selectedProfile] ?? {};
134
+ const selected = selectedProfile;
135
+ const savedProfile = profiles.profiles?.[selectedProfile] ?? {};
140
136
  const credentialsProfile = {
141
137
  apiKey: credentials.LUCERN_API_KEY,
142
138
  userToken: readFirst(credentials, ["LUCERN_SESSION_TOKEN", "LUCERN_USER_TOKEN"]),
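Review bot: With the `hasEnvCredentials` branch removed from `loadProfile`, `savedProfile` is always read from `profiles.profiles?.[selectedProfile]`, even when `envProfile` carries an API key, user token or pack key, so environment-supplied and saved values can now end up in the same resolved profile. How `envProfile`, `savedProfile` and `credentialsProfile` are merged lies outside this hunk, so the per-field precedence should be confirmed there; if the endpoint or tenant can come from one source while the secret comes from another, a key may be sent somewhere its owner did not intend. `mergedEnv` also includes whatever `readLocalEnvFiles(options.cwd)` returns, so a directory-local env file still chooses the saved profile through `LUCERN_PROFILE`. I would record the behaviour change above `const selected`, for example `// Env credentials no longer select a synthetic "env" profile; the saved profile is always loaded.`, and add a test for the case where both env credentials and a saved profile are present.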
@@ -1198,7 +1194,7 @@ defineTable({
1198
1194
  shape: z.object({
1199
1195
  "tenantId": idOf("tenants").optional(),
1200
1196
  "apiKeyId": idOf("apiKeys").optional(),
1201
- "action": z.enum(["key_created", "key_revoked", "key_expired", "key_used", "tenant_secret_created", "tenant_secret_rotated", "tenant_secret_revoked", "tenant_slot_binding_upserted", "tenant_slot_binding_revoked", "proxy_token_minted", "proxy_token_lease_issued", "proxy_token_lease_renewed", "proxy_token_lease_revoked", "proxy_request_recorded", "tenant_created", "tenant_updated", "tenant_suspended", "tenant_archived", "tenant_reactivated", "principal_created", "principal_updated", "principal_suspended", "principal_identity_alias_upserted", "principal_identity_alias_revoked", "membership_created", "membership_updated", "membership_revoked", "group_created", "group_updated", "group_deleted", "group_member_added", "group_member_removed", "workspace_created", "workspace_updated", "workspace_archived", "workspace_deployment_set", "workspace_deployment_removed", "deployment_host_registered", "deployment_host_revoked", "service_key_created", "service_key_rotated", "service_key_revoked", "service_key_used", "service_key_auth_failed", "session_created", "session_validated", "session_revoked", "session_cascade_revoked", "session_expired", "sandbox_created", "sandbox_secret_injected", "sandbox_execution_started", "sandbox_execution_completed", "sandbox_limit_violated", "policy_created", "policy_updated", "policy_enforced", "policy_archived", "permit_sync_enqueued", "permit_sync_succeeded", "permit_sync_failed", "permit_sync_skipped", "agent_registered", "agent_updated", "tool_registered", "tool_updated", "pack_entitled", "pack_installed", "pack_enabled", "pack_disabled", "pack_entitlement_revoked", "pack_upgraded", "pack_upgrade_committed", "pack_upgrade_rolled_back", "pack_group_assigned", "pack_group_unassigned", "methodology_pack_created", "methodology_pack_updated", "methodology_pack_assigned", "methodology_pack_removed", "pack_assigned_to_group", "pack_revoked_from_group", "pack_ontology_materialized", "pack_ontology_topic_bound", "cutover_flag_set", 
"cutover_flag_cleared"]),
1197
+ "action": z.enum(["key_created", "key_revoked", "key_expired", "key_used", "tenant_secret_created", "tenant_secret_rotated", "tenant_secret_revoked", "tenant_slot_binding_upserted", "tenant_slot_binding_revoked", "proxy_token_minted", "proxy_token_lease_issued", "proxy_token_lease_renewed", "proxy_token_lease_revoked", "proxy_request_recorded", "tenant_created", "tenant_updated", "tenant_suspended", "tenant_archived", "tenant_reactivated", "tenant_clerk_organization_linked", "principal_created", "principal_updated", "principal_suspended", "principal_identity_alias_upserted", "principal_identity_alias_revoked", "membership_created", "membership_updated", "membership_revoked", "group_created", "group_updated", "group_deleted", "group_member_added", "group_member_removed", "workspace_created", "workspace_updated", "workspace_archived", "workspace_deployment_set", "workspace_deployment_removed", "deployment_host_registered", "deployment_host_revoked", "service_key_created", "service_key_rotated", "service_key_revoked", "service_key_used", "service_key_auth_failed", "session_created", "session_validated", "session_revoked", "session_cascade_revoked", "session_expired", "sandbox_created", "sandbox_secret_injected", "sandbox_execution_started", "sandbox_execution_completed", "sandbox_limit_violated", "policy_created", "policy_updated", "policy_enforced", "policy_archived", "permit_sync_enqueued", "permit_sync_succeeded", "permit_sync_failed", "permit_sync_skipped", "agent_registered", "agent_updated", "tool_registered", "tool_updated", "pack_entitled", "pack_installed", "pack_enabled", "pack_disabled", "pack_entitlement_revoked", "pack_upgraded", "pack_upgrade_committed", "pack_upgrade_rolled_back", "pack_group_assigned", "pack_group_unassigned", "methodology_pack_created", "methodology_pack_updated", "methodology_pack_assigned", "methodology_pack_removed", "pack_assigned_to_group", "pack_revoked_from_group", "pack_ontology_materialized", "pack_ontology_topic_bound", 
"cutover_flag_set", "cutover_flag_cleared"]),
1202
1198
  "actorClerkId": z.string(),
1203
1199
  "details": z.any().optional(),
1204
1200
  "createdAt": z.number()
@@ -6409,6 +6405,21 @@ var INFISICAL_RUNTIME_PATHS = [
6409
6405
  }
6410
6406
  ]
6411
6407
  },
6408
+ {
6409
+ id: "platform-operator-credentials",
6410
+ secretPath: "/platform/runtime",
6411
+ description: "Lucern-owned operator credential material for local CLI, MCP, and SDK sessions.",
6412
+ variables: [
6413
+ {
6414
+ name: "LUCERN_API_KEY",
6415
+ required: false,
6416
+ secret: true,
6417
+ public: false,
6418
+ aliases: ["LUCERN_KEY"],
6419
+ description: "Lucern-owned operator API key for gateway calls from trusted local tooling."
6420
+ }
6421
+ ]
6422
+ },
6412
6423
  {
6413
6424
  id: "tenant-shared-install",
6414
6425
  secretPath: TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH,
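Review bot: The new `platform-operator-credentials` entry gives the operator key its own id but sets `secretPath` to the literal `"/platform/runtime"`, so the separation is in name only if the existing `platform-runtime` entry (not visible in this hunk) resolves to the same Infisical path. In that case every machine identity allowed to read runtime defaults can also read `LUCERN_API_KEY`, and access to the key cannot be granted or revoked independently. I would move the key to a dedicated path and reference it through a named constant, as the `tenant-shared-install` entry below does with `TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH`, e.g. `secretPath: PLATFORM_OPERATOR_CREDENTIALS_INFISICAL_PATH, // placeholder name`. The `GENERATED_INFISICAL_RUNTIME_ENV` hunks further down repeat `"sourcePath": "/platform/runtime"` and would need regenerating after that change.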
@@ -6444,7 +6455,7 @@ var INFISICAL_RUNTIME_SURFACES = [
6444
6455
  id: "lucern-sdk",
6445
6456
  packageName: "@lucern/sdk",
6446
6457
  delivery: "runtime_fetch",
6447
- sourcePathIds: ["platform-runtime"],
6458
+ sourcePathIds: ["platform-runtime", "platform-operator-credentials"],
6448
6459
  consumer: "server-side SDK operator contexts with a scoped Infisical identity",
6449
6460
  description: "SDK exposes the runtime Infisical resolver used by clients that have machine identity credentials."
6450
6461
  },
@@ -6453,7 +6464,7 @@ var INFISICAL_RUNTIME_SURFACES = [
6453
6464
  packageName: "@lucern/cli",
6454
6465
  delivery: "runtime_fetch",
6455
6466
  fallback: "device_auth",
6456
- sourcePathIds: ["platform-runtime"],
6467
+ sourcePathIds: ["platform-runtime", "platform-operator-credentials"],
6457
6468
  consumer: "developer/operator CLI processes",
6458
6469
  description: "CLI hydrates runtime defaults from Infisical when configured, then authenticates users through Lucern device login."
6459
6470
  },
@@ -6462,7 +6473,7 @@ var INFISICAL_RUNTIME_SURFACES = [
6462
6473
  packageName: "@lucern/mcp",
6463
6474
  delivery: "runtime_fetch",
6464
6475
  fallback: "device_auth",
6465
- sourcePathIds: ["platform-runtime"],
6476
+ sourcePathIds: ["platform-runtime", "platform-operator-credentials"],
6466
6477
  consumer: "MCP server/client processes",
6467
6478
  description: "MCP hydrates runtime defaults through the SDK resolver and remains a Lucern client, not a platform secret owner."
6468
6479
  },
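Review bot: Adding `"platform-operator-credentials"` to `sourcePathIds` of the `@lucern/mcp` surface makes a Lucern-owned operator API key resolvable by MCP processes, which conflicts with the unchanged description on the same entry, "remains a Lucern client, not a platform secret owner". The same id is added to the `@lucern/sdk` and `@lucern/cli` surfaces in the two preceding hunks. If MCP is meant to hold this key, the description should say so and state when it is used relative to `fallback: "device_auth"`; if only some deployments need it, the id is better kept off the default surface. A one-line comment such as `// operator key: trusted Lucern-run MCP hosts only; tenant installs authenticate via device_auth` would make the intended boundary reviewable, assuming that is the intent.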
@@ -8943,9 +8954,33 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
8943
8954
  "consumer": "server-side SDK operator contexts with a scoped Infisical identity",
8944
8955
  "description": "SDK exposes the runtime Infisical resolver used by clients that have machine identity credentials.",
8945
8956
  "sourcePathIds": [
8946
- "platform-runtime"
8957
+ "platform-runtime",
8958
+ "platform-operator-credentials"
8947
8959
  ],
8948
8960
  "variables": [
8961
+ {
8962
+ "canonicalName": "LUCERN_API_KEY",
8963
+ "envNames": [
8964
+ "LUCERN_API_KEY",
8965
+ "LUCERN_KEY"
8966
+ ],
8967
+ "aliases": [
8968
+ "LUCERN_KEY"
8969
+ ],
8970
+ "writeNames": [
8971
+ "LUCERN_API_KEY"
8972
+ ],
8973
+ "required": false,
8974
+ "secret": true,
8975
+ "public": false,
8976
+ "sourcePath": "/platform/runtime",
8977
+ "environmentPolicy": "environment_specific",
8978
+ "consumers": [
8979
+ "lucern-sdk"
8980
+ ],
8981
+ "destinations": [],
8982
+ "description": "Lucern-owned operator API key for gateway calls from trusted local tooling."
8983
+ },
8949
8984
  {
8950
8985
  "canonicalName": "LUCERN_API_URL",
8951
8986
  "envNames": [
@@ -9046,9 +9081,57 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
9046
9081
  "consumer": "developer/operator CLI processes",
9047
9082
  "description": "CLI hydrates runtime defaults from Infisical when configured, then authenticates users through Lucern device login.",
9048
9083
  "sourcePathIds": [
9049
- "platform-runtime"
9084
+ "platform-runtime",
9085
+ "platform-operator-credentials"
9050
9086
  ],
9051
9087
  "variables": [
9088
+ {
9089
+ "canonicalName": "LUCERN_API_KEY",
9090
+ "envNames": [
9091
+ "LUCERN_API_KEY",
9092
+ "LUCERN_KEY"
9093
+ ],
9094
+ "aliases": [
9095
+ "LUCERN_KEY"
9096
+ ],
9097
+ "writeNames": [
9098
+ "LUCERN_API_KEY"
9099
+ ],
9100
+ "required": false,
9101
+ "secret": true,
9102
+ "public": false,
9103
+ "sourcePath": "/platform/runtime",
9104
+ "environmentPolicy": "environment_specific",
9105
+ "consumers": [
9106
+ "lucern-cli",
9107
+ "lucern-mcp",
9108
+ "lucern-repo-ci"
9109
+ ],
9110
+ "destinations": [
9111
+ {
9112
+ "kind": "runtime_fetch",
9113
+ "target": "lucern-cli-mcp-sdk",
9114
+ "writeNames": [
9115
+ "LUCERN_API_KEY"
9116
+ ]
9117
+ },
9118
+ {
9119
+ "kind": "operator_local",
9120
+ "target": "lucern-repo",
9121
+ "writeNames": [
9122
+ "LUCERN_API_KEY"
9123
+ ]
9124
+ },
9125
+ {
9126
+ "kind": "github_actions",
9127
+ "target": "LucernAI/lucern",
9128
+ "writeNames": [
9129
+ "LUCERN_API_KEY"
9130
+ ]
9131
+ }
9132
+ ],
9133
+ "description": "Lucern-owned operator API key for gateway calls from trusted local tooling. Lucern-owned operator API key for trusted CLI/MCP/CI calls. Source it from /platform/runtime; do not persist it into local user credential files."
9134
+ },
9052
9135
  {
9053
9136
  "canonicalName": "LUCERN_API_URL",
9054
9137
  "envNames": [
@@ -9387,7 +9470,8 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
9387
9470
  "consumer": "MCP server/client processes",
9388
9471
  "description": "MCP hydrates runtime defaults through the SDK resolver and remains a Lucern client, not a platform secret owner.",
9389
9472
  "sourcePathIds": [
9390
- "platform-runtime"
9473
+ "platform-runtime",
9474
+ "platform-operator-credentials"
9391
9475
  ],
9392
9476
  "variables": [
9393
9477
  {
@@ -9475,6 +9559,53 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
9475
9559
  ],
9476
9560
  "description": "Lucern-owned Clerk backend secret. Never route to tenant-owned apps unless that tenant is Lucern itself."
9477
9561
  },
9562
+ {
9563
+ "canonicalName": "LUCERN_API_KEY",
9564
+ "envNames": [
9565
+ "LUCERN_API_KEY",
9566
+ "LUCERN_KEY"
9567
+ ],
9568
+ "aliases": [
9569
+ "LUCERN_KEY"
9570
+ ],
9571
+ "writeNames": [
9572
+ "LUCERN_API_KEY"
9573
+ ],
9574
+ "required": false,
9575
+ "secret": true,
9576
+ "public": false,
9577
+ "sourcePath": "/platform/runtime",
9578
+ "environmentPolicy": "environment_specific",
9579
+ "consumers": [
9580
+ "lucern-cli",
9581
+ "lucern-mcp",
9582
+ "lucern-repo-ci"
9583
+ ],
9584
+ "destinations": [
9585
+ {
9586
+ "kind": "runtime_fetch",
9587
+ "target": "lucern-cli-mcp-sdk",
9588
+ "writeNames": [
9589
+ "LUCERN_API_KEY"
9590
+ ]
9591
+ },
9592
+ {
9593
+ "kind": "operator_local",
9594
+ "target": "lucern-repo",
9595
+ "writeNames": [
9596
+ "LUCERN_API_KEY"
9597
+ ]
9598
+ },
9599
+ {
9600
+ "kind": "github_actions",
9601
+ "target": "LucernAI/lucern",
9602
+ "writeNames": [
9603
+ "LUCERN_API_KEY"
9604
+ ]
9605
+ }
9606
+ ],
9607
+ "description": "Lucern-owned operator API key for gateway calls from trusted local tooling. Lucern-owned operator API key for trusted CLI/MCP/CI calls. Source it from /platform/runtime; do not persist it into local user credential files."
9608
+ },
9478
9609
  {
9479
9610
  "canonicalName": "LUCERN_API_URL",
9480
9611
  "envNames": [
@@ -12724,7 +12855,7 @@ var IDENTITY_WHOAMI = {
12724
12855
  response: {
12725
12856
  description: "Canonical identity summary for the current session",
12726
12857
  fields: {
12727
- principalId: "string \u2014 canonical federated principal identifier",
12858
+ principalId: "string \u2014 canonical principal identifier; for humans this is the Clerk user_... ID",
12728
12859
  principalType: "string \u2014 human, service, agent, group, or external_viewer",
12729
12860
  tenantId: "string | undefined \u2014 resolved tenant scope",
12730
12861
  workspaceId: "string | undefined \u2014 resolved workspace scope",
@@ -12738,7 +12869,7 @@ var IDENTITY_WHOAMI = {
12738
12869
  };
12739
12870
  var RESOLVE_INTERACTIVE_PRINCIPAL = {
12740
12871
  name: "resolve_interactive_principal",
12741
- description: "Read the Permit-backed Lucern principal context for an authenticated Clerk user. Like `git config --get user.email` plus the repository ACL \u2014 resolves the identity alias into the canonical authorization subject.",
12872
+ description: "Read the Permit-backed Lucern principal context for an authenticated Clerk user. Like `git config --get user.email` plus the repository ACL \u2014 resolves the Clerk subject into tenant/workspace authorization context.",
12742
12873
  parameters: {
12743
12874
  clerkId: {
12744
12875
  type: "string",
@@ -12761,7 +12892,7 @@ var RESOLVE_INTERACTIVE_PRINCIPAL = {
12761
12892
  response: {
12762
12893
  description: "Permit-backed Lucern principal context for tenant SDK bootstrap",
12763
12894
  fields: {
12764
- principalId: "string \u2014 canonical Lucern principal identifier",
12895
+ principalId: "string \u2014 canonical Clerk user_... ID for human sessions",
12765
12896
  principalType: "string \u2014 human, service, agent, group, or external_viewer",
12766
12897
  clerkId: "string \u2014 authenticated Clerk subject alias",
12767
12898
  tenantId: "string \u2014 resolved tenant scope",
@@ -13589,7 +13720,7 @@ var MANAGE_WRITE_POLICY = {
13589
13720
  },
13590
13721
  role: {
13591
13722
  type: "string",
13592
- description: "Role to set policy for (required for 'set'). E.g. 'agent:internal', 'user:analyst'."
13723
+ description: "Role to set policy for (required for 'set'). E.g. 'agent:internal' or a Permit role key such as 'workspace_admin'."
13593
13724
  },
13594
13725
  permission: {
13595
13726
  type: "string",
@@ -17382,6 +17513,19 @@ var worktreeEvidenceSignalInputSchema = z.object({
17382
17513
  progress: z.string().optional().describe("Collection progress note for the signal."),
17383
17514
  notes: z.string().optional().describe("Additional evidence collection notes.")
17384
17515
  }).passthrough().describe("Evidence signal embedded in the worktree plan.");
17516
+ var worktreeDocCompanionTargetSchema = z.object({
17517
+ docPath: z.string().describe(
17518
+ "Repo-relative path to a documentation file the worktree promises to update."
17519
+ ),
17520
+ sectionAnchor: z.string().optional().describe(
17521
+ "Markdown heading anchor (e.g. '## Function-surface manifest') that scopes the promised update."
17522
+ ),
17523
+ reason: z.string().describe(
17524
+ "Why this doc section must be updated for the worktree to be complete."
17525
+ )
17526
+ }).passthrough().describe(
17527
+ "Intent-driven docs companion target. pr-gate-reviewer verifies that the PR actually touches each declared (docPath, sectionAnchor). Distinct from the touch-driven docs-loop. See docs/development/docs-sync-discipline.md Lock 3."
17528
+ );
17385
17529
  var worktreeDecisionGateInputSchema = z.object({
17386
17530
  goCriteria: z.array(z.string()).describe("Criteria that must hold for the worktree to proceed."),
17387
17531
  noGoSignals: z.array(z.string()).describe("Signals that stop or redirect the worktree."),
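Review bot: `docPath` in `worktreeDocCompanionTargetSchema` is described as repo-relative, but the schema accepts any string, so an absolute path, a path with `..` segments or an empty string all validate. In addition, `.passthrough()` lets undeclared keys travel on to whatever consumes the plan. Whether pr-gate-reviewer resolves `docPath` on disk is not visible here; if it does, the constraint belongs in the schema rather than in each consumer. I would tighten the field to `docPath: z.string().min(1).refine((p) => !p.startsWith("/") && !p.split("/").includes(".."), "docPath must be repo-relative")` and give `reason` a `.min(1)` as well.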
@@ -17414,6 +17558,9 @@ var addWorktreeArgs = z.object({
17414
17558
  keyQuestions: z.array(worktreeKeyQuestionInputSchema).optional().describe("Inline key questions captured as part of the worktree plan."),
17415
17559
  evidenceSignals: z.array(worktreeEvidenceSignalInputSchema).optional().describe("Evidence signals the worktree needs to collect or validate."),
17416
17560
  decisionGate: worktreeDecisionGateInputSchema.optional(),
17561
+ docCompanionTargets: z.array(worktreeDocCompanionTargetSchema).optional().describe(
17562
+ "Doc sections the worktree promises to update at PR time. Enforced by pr-gate-reviewer (Lock 3)."
17563
+ ),
17417
17564
  goCriteria: z.array(z.string()).optional().describe("Shorthand go criteria used to build decisionGate."),
17418
17565
  noGoSignals: z.array(z.string()).optional().describe("Shorthand no-go signals used to build decisionGate."),
17419
17566
  proofArtifacts: z.array(z.unknown()).optional().describe("Expected proof artifacts required to close the worktree."),
@@ -22432,7 +22579,7 @@ function normalizeCanonicalPrincipalIdentity(input, options = {}) {
22432
22579
  })) {
22433
22580
  throw new LucernAccessControlError(
22434
22581
  "clerk_alias_unrecognized",
22435
- "Observed Clerk user id is not attached to the canonical Lucern principal."
22582
+ "Observed Clerk user id does not match the canonical human principal id."
22436
22583
  );
22437
22584
  }
22438
22585
  return {
@@ -28034,7 +28181,7 @@ function createToolRegistryClient(config = {}) {
28034
28181
  }
28035
28182
 
28036
28183
  // ../sdk/src/version.ts
28037
- var LUCERN_SDK_VERSION = "0.3.0-alpha.16";
28184
+ var LUCERN_SDK_VERSION = "0.3.0-alpha.17";
28038
28185
 
28039
28186
  // ../sdk/src/workflowClient.ts
28040
28187
  function normalizeLensQuery(value) {
@@ -31728,7 +31875,7 @@ var SESSION_LIFECYCLE_STATUSES = [
31728
31875
  "revoked"
31729
31876
  ];
31730
31877
  function inferSessionPrincipalType(principalId) {
31731
- if (principalId.startsWith("user:")) {
31878
+ if (/^user_[A-Za-z0-9]+$/.test(principalId)) {
31732
31879
  return "human";
31733
31880
  }
31734
31881
  if (principalId.startsWith("agent:")) {
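Review bot: Principal ids in the old `user:` form no longer match the first branch of `inferSessionPrincipalType`, so they fall through to the later checks and to whatever default the function returns, which is outside this hunk. Sessions or audit rows persisted before this release may therefore be typed as something other than `human`, and code that gates on principal type would treat them differently. The new test `/^user_[A-Za-z0-9]+$/` also classifies by string shape alone, so the result is only as trustworthy as the source of `principalId`. I would either accept both forms during migration, `if (/^user_[A-Za-z0-9]+$/.test(principalId) || principalId.startsWith("user:")) {`, or reject the legacy form explicitly, and add a comment naming the Clerk id format the regex is meant to match.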
@@ -34955,7 +35102,7 @@ function createLucernStandaloneMcpServer(options) {
34955
35102
  });
34956
35103
  const server = new McpServer({
34957
35104
  name: "lucern-mcp",
34958
- version: "0.3.0-alpha.16"
35105
+ version: "0.3.0-alpha.17"
34959
35106
  });
34960
35107
  registerTools(server, runtime);
34961
35108
  const resources = registerResources(server, runtime, observationStore);