@lucern/mcp 0.3.0-alpha.16 → 0.3.0-alpha.17

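--- a/package/dist/index.js
+++ b/package/dist/index.js
@@ -302,13 +302,9 @@ function loadProfile(options) {
  const localEnv = options.readLocalEnv === false ? {} : readLocalEnvFiles(options.cwd);
  const mergedEnv = { ...localEnv, ...options.env };
  const envProfile = profileFromEnvironment(mergedEnv);
- const hasEnvCredentials = Boolean(
- envProfile.apiKey || envProfile.userToken || envProfile.packKey
- );
- const explicitProfileSelected = options.profileName !== void 0 || mergedEnv.LUCERN_PROFILE !== void 0;
  const selectedProfile = options.profileName ?? mergedEnv.LUCERN_PROFILE ?? profiles.activeProfile ?? credentials.LUCERN_PROFILE ?? "default";
- const selected = hasEnvCredentials && !explicitProfileSelected ? "env" : selectedProfile;
- const savedProfile = hasEnvCredentials && !explicitProfileSelected ? {} : profiles.profiles?.[selectedProfile] ?? {};
+ const selected = selectedProfile;
+ const savedProfile = profiles.profiles?.[selectedProfile] ?? {};
  const credentialsProfile = {
  apiKey: credentials.LUCERN_API_KEY,
  userToken: readFirst(credentials, ["LUCERN_SESSION_TOKEN", "LUCERN_USER_TOKEN"]),
@@ -1370,7 +1366,7 @@ defineTable({
  shape: z.object({
  "tenantId": idOf("tenants").optional(),
  "apiKeyId": idOf("apiKeys").optional(),
- "action": z.enum(["key_created", "key_revoked", "key_expired", "key_used", "tenant_secret_created", "tenant_secret_rotated", "tenant_secret_revoked", "tenant_slot_binding_upserted", "tenant_slot_binding_revoked", "proxy_token_minted", "proxy_token_lease_issued", "proxy_token_lease_renewed", "proxy_token_lease_revoked", "proxy_request_recorded", "tenant_created", "tenant_updated", "tenant_suspended", "tenant_archived", "tenant_reactivated", "principal_created", "principal_updated", "principal_suspended", "principal_identity_alias_upserted", "principal_identity_alias_revoked", "membership_created", "membership_updated", "membership_revoked", "group_created", "group_updated", "group_deleted", "group_member_added", "group_member_removed", "workspace_created", "workspace_updated", "workspace_archived", "workspace_deployment_set", "workspace_deployment_removed", "deployment_host_registered", "deployment_host_revoked", "service_key_created", "service_key_rotated", "service_key_revoked", "service_key_used", "service_key_auth_failed", "session_created", "session_validated", "session_revoked", "session_cascade_revoked", "session_expired", "sandbox_created", "sandbox_secret_injected", "sandbox_execution_started", "sandbox_execution_completed", "sandbox_limit_violated", "policy_created", "policy_updated", "policy_enforced", "policy_archived", "permit_sync_enqueued", "permit_sync_succeeded", "permit_sync_failed", "permit_sync_skipped", "agent_registered", "agent_updated", "tool_registered", "tool_updated", "pack_entitled", "pack_installed", "pack_enabled", "pack_disabled", "pack_entitlement_revoked", "pack_upgraded", "pack_upgrade_committed", "pack_upgrade_rolled_back", "pack_group_assigned", "pack_group_unassigned", "methodology_pack_created", "methodology_pack_updated", "methodology_pack_assigned", "methodology_pack_removed", "pack_assigned_to_group", "pack_revoked_from_group", "pack_ontology_materialized", "pack_ontology_topic_bound", "cutover_flag_set", "cutover_flag_cleared"]),
+ "action": z.enum(["key_created", "key_revoked", "key_expired", "key_used", "tenant_secret_created", "tenant_secret_rotated", "tenant_secret_revoked", "tenant_slot_binding_upserted", "tenant_slot_binding_revoked", "proxy_token_minted", "proxy_token_lease_issued", "proxy_token_lease_renewed", "proxy_token_lease_revoked", "proxy_request_recorded", "tenant_created", "tenant_updated", "tenant_suspended", "tenant_archived", "tenant_reactivated", "tenant_clerk_organization_linked", "principal_created", "principal_updated", "principal_suspended", "principal_identity_alias_upserted", "principal_identity_alias_revoked", "membership_created", "membership_updated", "membership_revoked", "group_created", "group_updated", "group_deleted", "group_member_added", "group_member_removed", "workspace_created", "workspace_updated", "workspace_archived", "workspace_deployment_set", "workspace_deployment_removed", "deployment_host_registered", "deployment_host_revoked", "service_key_created", "service_key_rotated", "service_key_revoked", "service_key_used", "service_key_auth_failed", "session_created", "session_validated", "session_revoked", "session_cascade_revoked", "session_expired", "sandbox_created", "sandbox_secret_injected", "sandbox_execution_started", "sandbox_execution_completed", "sandbox_limit_violated", "policy_created", "policy_updated", "policy_enforced", "policy_archived", "permit_sync_enqueued", "permit_sync_succeeded", "permit_sync_failed", "permit_sync_skipped", "agent_registered", "agent_updated", "tool_registered", "tool_updated", "pack_entitled", "pack_installed", "pack_enabled", "pack_disabled", "pack_entitlement_revoked", "pack_upgraded", "pack_upgrade_committed", "pack_upgrade_rolled_back", "pack_group_assigned", "pack_group_unassigned", "methodology_pack_created", "methodology_pack_updated", "methodology_pack_assigned", "methodology_pack_removed", "pack_assigned_to_group", "pack_revoked_from_group", "pack_ontology_materialized", "pack_ontology_topic_bound", "cutover_flag_set", "cutover_flag_cleared"]),
  "actorClerkId": z.string(),
  "details": z.any().optional(),
  "createdAt": z.number()
@@ -6581,6 +6577,21 @@ var INFISICAL_RUNTIME_PATHS = [
  }
  ]
  },
+ {
+ id: "platform-operator-credentials",
+ secretPath: "/platform/runtime",
+ description: "Lucern-owned operator credential material for local CLI, MCP, and SDK sessions.",
+ variables: [
+ {
+ name: "LUCERN_API_KEY",
+ required: false,
+ secret: true,
+ public: false,
+ aliases: ["LUCERN_KEY"],
+ description: "Lucern-owned operator API key for gateway calls from trusted local tooling."
+ }
+ ]
+ },
  {
  id: "tenant-shared-install",
  secretPath: TENANT_CLIENT_INSTALL_TOKEN_INFISICAL_PATH,
@@ -6616,7 +6627,7 @@ var INFISICAL_RUNTIME_SURFACES = [
  id: "lucern-sdk",
  packageName: "@lucern/sdk",
  delivery: "runtime_fetch",
- sourcePathIds: ["platform-runtime"],
+ sourcePathIds: ["platform-runtime", "platform-operator-credentials"],
  consumer: "server-side SDK operator contexts with a scoped Infisical identity",
  description: "SDK exposes the runtime Infisical resolver used by clients that have machine identity credentials."
  },
@@ -6625,7 +6636,7 @@ var INFISICAL_RUNTIME_SURFACES = [
  packageName: "@lucern/cli",
  delivery: "runtime_fetch",
  fallback: "device_auth",
- sourcePathIds: ["platform-runtime"],
+ sourcePathIds: ["platform-runtime", "platform-operator-credentials"],
  consumer: "developer/operator CLI processes",
  description: "CLI hydrates runtime defaults from Infisical when configured, then authenticates users through Lucern device login."
  },
@@ -6634,7 +6645,7 @@ var INFISICAL_RUNTIME_SURFACES = [
  packageName: "@lucern/mcp",
  delivery: "runtime_fetch",
  fallback: "device_auth",
- sourcePathIds: ["platform-runtime"],
+ sourcePathIds: ["platform-runtime", "platform-operator-credentials"],
  consumer: "MCP server/client processes",
  description: "MCP hydrates runtime defaults through the SDK resolver and remains a Lucern client, not a platform secret owner."
  },
@@ -9115,9 +9126,33 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
  "consumer": "server-side SDK operator contexts with a scoped Infisical identity",
  "description": "SDK exposes the runtime Infisical resolver used by clients that have machine identity credentials.",
  "sourcePathIds": [
- "platform-runtime"
+ "platform-runtime",
+ "platform-operator-credentials"
  ],
  "variables": [
+ {
+ "canonicalName": "LUCERN_API_KEY",
+ "envNames": [
+ "LUCERN_API_KEY",
+ "LUCERN_KEY"
+ ],
+ "aliases": [
+ "LUCERN_KEY"
+ ],
+ "writeNames": [
+ "LUCERN_API_KEY"
+ ],
+ "required": false,
+ "secret": true,
+ "public": false,
+ "sourcePath": "/platform/runtime",
+ "environmentPolicy": "environment_specific",
+ "consumers": [
+ "lucern-sdk"
+ ],
+ "destinations": [],
+ "description": "Lucern-owned operator API key for gateway calls from trusted local tooling."
+ },
  {
  "canonicalName": "LUCERN_API_URL",
  "envNames": [
@@ -9218,9 +9253,57 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
  "consumer": "developer/operator CLI processes",
  "description": "CLI hydrates runtime defaults from Infisical when configured, then authenticates users through Lucern device login.",
  "sourcePathIds": [
- "platform-runtime"
+ "platform-runtime",
+ "platform-operator-credentials"
  ],
  "variables": [
+ {
+ "canonicalName": "LUCERN_API_KEY",
+ "envNames": [
+ "LUCERN_API_KEY",
+ "LUCERN_KEY"
+ ],
+ "aliases": [
+ "LUCERN_KEY"
+ ],
+ "writeNames": [
+ "LUCERN_API_KEY"
+ ],
+ "required": false,
+ "secret": true,
+ "public": false,
+ "sourcePath": "/platform/runtime",
+ "environmentPolicy": "environment_specific",
+ "consumers": [
+ "lucern-cli",
+ "lucern-mcp",
+ "lucern-repo-ci"
+ ],
+ "destinations": [
+ {
+ "kind": "runtime_fetch",
+ "target": "lucern-cli-mcp-sdk",
+ "writeNames": [
+ "LUCERN_API_KEY"
+ ]
+ },
+ {
+ "kind": "operator_local",
+ "target": "lucern-repo",
+ "writeNames": [
+ "LUCERN_API_KEY"
+ ]
+ },
+ {
+ "kind": "github_actions",
+ "target": "LucernAI/lucern",
+ "writeNames": [
+ "LUCERN_API_KEY"
+ ]
+ }
+ ],
+ "description": "Lucern-owned operator API key for gateway calls from trusted local tooling. Lucern-owned operator API key for trusted CLI/MCP/CI calls. Source it from /platform/runtime; do not persist it into local user credential files."
+ },
  {
  "canonicalName": "LUCERN_API_URL",
  "envNames": [
@@ -9559,7 +9642,8 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
  "consumer": "MCP server/client processes",
  "description": "MCP hydrates runtime defaults through the SDK resolver and remains a Lucern client, not a platform secret owner.",
  "sourcePathIds": [
- "platform-runtime"
+ "platform-runtime",
+ "platform-operator-credentials"
  ],
  "variables": [
  {
@@ -9647,6 +9731,53 @@ var GENERATED_INFISICAL_RUNTIME_ENV = {
  ],
  "description": "Lucern-owned Clerk backend secret. Never route to tenant-owned apps unless that tenant is Lucern itself."
  },
+ {
+ "canonicalName": "LUCERN_API_KEY",
+ "envNames": [
+ "LUCERN_API_KEY",
+ "LUCERN_KEY"
+ ],
+ "aliases": [
+ "LUCERN_KEY"
+ ],
+ "writeNames": [
+ "LUCERN_API_KEY"
+ ],
+ "required": false,
+ "secret": true,
+ "public": false,
+ "sourcePath": "/platform/runtime",
+ "environmentPolicy": "environment_specific",
+ "consumers": [
+ "lucern-cli",
+ "lucern-mcp",
+ "lucern-repo-ci"
+ ],
+ "destinations": [
+ {
+ "kind": "runtime_fetch",
+ "target": "lucern-cli-mcp-sdk",
+ "writeNames": [
+ "LUCERN_API_KEY"
+ ]
+ },
+ {
+ "kind": "operator_local",
+ "target": "lucern-repo",
+ "writeNames": [
+ "LUCERN_API_KEY"
+ ]
+ },
+ {
+ "kind": "github_actions",
+ "target": "LucernAI/lucern",
+ "writeNames": [
+ "LUCERN_API_KEY"
+ ]
+ }
+ ],
+ "description": "Lucern-owned operator API key for gateway calls from trusted local tooling. Lucern-owned operator API key for trusted CLI/MCP/CI calls. Source it from /platform/runtime; do not persist it into local user credential files."
+ },
  {
  "canonicalName": "LUCERN_API_URL",
  "envNames": [
@@ -12896,7 +13027,7 @@ var IDENTITY_WHOAMI = {
  response: {
  description: "Canonical identity summary for the current session",
  fields: {
- principalId: "string \u2014 canonical federated principal identifier",
+ principalId: "string \u2014 canonical principal identifier; for humans this is the Clerk user_... ID",
  principalType: "string \u2014 human, service, agent, group, or external_viewer",
  tenantId: "string | undefined \u2014 resolved tenant scope",
  workspaceId: "string | undefined \u2014 resolved workspace scope",
@@ -12910,7 +13041,7 @@ var IDENTITY_WHOAMI = {
  };
  var RESOLVE_INTERACTIVE_PRINCIPAL = {
  name: "resolve_interactive_principal",
- description: "Read the Permit-backed Lucern principal context for an authenticated Clerk user. Like `git config --get user.email` plus the repository ACL \u2014 resolves the identity alias into the canonical authorization subject.",
+ description: "Read the Permit-backed Lucern principal context for an authenticated Clerk user. Like `git config --get user.email` plus the repository ACL \u2014 resolves the Clerk subject into tenant/workspace authorization context.",
  parameters: {
  clerkId: {
  type: "string",
@@ -12933,7 +13064,7 @@ var RESOLVE_INTERACTIVE_PRINCIPAL = {
  response: {
  description: "Permit-backed Lucern principal context for tenant SDK bootstrap",
  fields: {
- principalId: "string \u2014 canonical Lucern principal identifier",
+ principalId: "string \u2014 canonical Clerk user_... ID for human sessions",
  principalType: "string \u2014 human, service, agent, group, or external_viewer",
  clerkId: "string \u2014 authenticated Clerk subject alias",
  tenantId: "string \u2014 resolved tenant scope",
@@ -13761,7 +13892,7 @@ var MANAGE_WRITE_POLICY = {
  },
  role: {
  type: "string",
- description: "Role to set policy for (required for 'set'). E.g. 'agent:internal', 'user:analyst'."
+ description: "Role to set policy for (required for 'set'). E.g. 'agent:internal' or a Permit role key such as 'workspace_admin'."
  },
  permission: {
  type: "string",
@@ -17554,6 +17685,19 @@ var worktreeEvidenceSignalInputSchema = z.object({
  progress: z.string().optional().describe("Collection progress note for the signal."),
  notes: z.string().optional().describe("Additional evidence collection notes.")
  }).passthrough().describe("Evidence signal embedded in the worktree plan.");
+ var worktreeDocCompanionTargetSchema = z.object({
+ docPath: z.string().describe(
+ "Repo-relative path to a documentation file the worktree promises to update."
+ ),
+ sectionAnchor: z.string().optional().describe(
+ "Markdown heading anchor (e.g. '## Function-surface manifest') that scopes the promised update."
+ ),
+ reason: z.string().describe(
+ "Why this doc section must be updated for the worktree to be complete."
+ )
+ }).passthrough().describe(
+ "Intent-driven docs companion target. pr-gate-reviewer verifies that the PR actually touches each declared (docPath, sectionAnchor). Distinct from the touch-driven docs-loop. See docs/development/docs-sync-discipline.md Lock 3."
+ );
  var worktreeDecisionGateInputSchema = z.object({
  goCriteria: z.array(z.string()).describe("Criteria that must hold for the worktree to proceed."),
  noGoSignals: z.array(z.string()).describe("Signals that stop or redirect the worktree."),
@@ -17586,6 +17730,9 @@ var addWorktreeArgs = z.object({
  keyQuestions: z.array(worktreeKeyQuestionInputSchema).optional().describe("Inline key questions captured as part of the worktree plan."),
  evidenceSignals: z.array(worktreeEvidenceSignalInputSchema).optional().describe("Evidence signals the worktree needs to collect or validate."),
  decisionGate: worktreeDecisionGateInputSchema.optional(),
+ docCompanionTargets: z.array(worktreeDocCompanionTargetSchema).optional().describe(
+ "Doc sections the worktree promises to update at PR time. Enforced by pr-gate-reviewer (Lock 3)."
+ ),
  goCriteria: z.array(z.string()).optional().describe("Shorthand go criteria used to build decisionGate."),
  noGoSignals: z.array(z.string()).optional().describe("Shorthand no-go signals used to build decisionGate."),
  proofArtifacts: z.array(z.unknown()).optional().describe("Expected proof artifacts required to close the worktree."),
@@ -22557,7 +22704,7 @@ function normalizeCanonicalPrincipalIdentity(input, options = {}) {
  })) {
  throw new LucernAccessControlError(
  "clerk_alias_unrecognized",
- "Observed Clerk user id is not attached to the canonical Lucern principal."
+ "Observed Clerk user id does not match the canonical human principal id."
  );
  }
  return {
@@ -28159,7 +28306,7 @@ function createToolRegistryClient(config = {}) {
  }
 
  // ../sdk/src/version.ts
- var LUCERN_SDK_VERSION = "0.3.0-alpha.16";
+ var LUCERN_SDK_VERSION = "0.3.0-alpha.17";
 
  // ../sdk/src/workflowClient.ts
  function normalizeLensQuery(value) {
@@ -31853,7 +32000,7 @@ var SESSION_LIFECYCLE_STATUSES = [
  "revoked"
  ];
  function inferSessionPrincipalType(principalId) {
- if (principalId.startsWith("user:")) {
+ if (/^user_[A-Za-z0-9]+$/.test(principalId)) {
  return "human";
  }
  if (principalId.startsWith("agent:")) {
@@ -34980,7 +35127,7 @@ function createLucernStandaloneMcpServer(options) {
  });
  const server = new McpServer({
  name: "lucern-mcp",
- version: "0.3.0-alpha.16"
+ version: "0.3.0-alpha.17"
  });
  registerTools(server, runtime);
  const resources = registerResources(server, runtime, observationStore);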
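Review bot: In the `loadProfile` hunk, `savedProfile` is now always read from `profiles.profiles?.[selectedProfile]`, even when `envProfile` carries an API key, user token or pack key, so environment-supplied credentials are no longer isolated from the saved profile and `selected` can no longer report `"env"`. The merge of `envProfile`, `savedProfile` and `credentialsProfile` sits outside the hunk, so the effective precedence cannot be confirmed from here; if saved fields fill gaps left by the environment, a key from one source may end up paired with a token or endpoint from another. That matters more in this release because the later hunks register `LUCERN_API_KEY` as a runtime-fetched variable for the CLI and MCP surfaces. I would add a comment above the lookup stating which source wins for each credential field, and keep a provenance value for diagnostics, e.g. `const credentialSource = envProfile.apiKey || envProfile.userToken || envProfile.packKey ? "env" : selectedProfile;`. `loadProfile` starts and ends outside the hunk.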