@lucern/mcp 0.3.0-alpha.9 → 1.0.0

package/dist/runtime.js CHANGED
@@ -232,6 +232,20 @@ var autoBranchingHandlers = {
232
232
  }
233
233
  };
234
234
 
235
+ // ../contracts/src/types/reasoning-method.ts
236
+ var REASONING_METHODS = [
237
+ "deductive",
238
+ "inductive",
239
+ "abductive",
240
+ "analogical",
241
+ "causal",
242
+ "correlational",
243
+ "testimonial",
244
+ "statistical",
245
+ "implicit",
246
+ "pattern_match"
247
+ ];
248
+
235
249
  // ../contracts/src/graph-intelligence.contract.ts
236
250
  var GRAPH_INTELLIGENCE_MODE_TOOL_NAMES = {
237
251
  core: [
@@ -941,7 +955,7 @@ defineTable({
941
955
  });
942
956
  defineTable({
943
957
  name: "agents",
944
- component: "identity",
958
+ component: "control-plane",
945
959
  category: "agent",
946
960
  shape: z.object({
947
961
  "slug": z.string(),
@@ -972,6 +986,8 @@ defineTable({
972
986
  category: "tenant",
973
987
  shape: z.object({
974
988
  "tenantId": idOf("tenants"),
989
+ "workspaceId": idOf("workspaces").optional(),
990
+ "environment": z.enum(["dev", "staging", "prod"]).optional(),
975
991
  "keyPrefix": z.enum(["luc", "stk"]),
976
992
  "keyHash": z.string(),
977
993
  "keyHint": z.string(),
@@ -999,7 +1015,7 @@ defineTable({
999
1015
  shape: z.object({
1000
1016
  "tenantId": idOf("tenants").optional(),
1001
1017
  "apiKeyId": idOf("apiKeys").optional(),
1002
- "action": z.enum(["key_created", "key_revoked", "key_expired", "key_used", "tenant_secret_created", "tenant_secret_rotated", "tenant_secret_revoked", "tenant_slot_binding_upserted", "tenant_slot_binding_revoked", "proxy_token_minted", "proxy_request_recorded", "tenant_created", "tenant_updated", "tenant_suspended", "tenant_archived", "tenant_reactivated", "principal_created", "principal_updated", "principal_suspended", "membership_created", "membership_updated", "membership_revoked", "group_created", "group_updated", "group_deleted", "group_member_added", "group_member_removed", "workspace_created", "workspace_updated", "workspace_archived", "workspace_deployment_set", "workspace_deployment_removed", "service_key_created", "service_key_rotated", "service_key_revoked", "service_key_used", "service_key_auth_failed", "session_created", "session_validated", "session_revoked", "session_cascade_revoked", "session_expired", "sandbox_created", "sandbox_secret_injected", "sandbox_execution_started", "sandbox_execution_completed", "sandbox_limit_violated", "policy_created", "policy_updated", "policy_enforced", "policy_archived", "agent_registered", "agent_updated", "tool_registered", "tool_updated", "pack_entitled", "pack_installed", "pack_enabled", "pack_disabled", "pack_entitlement_revoked", "pack_upgraded", "pack_upgrade_committed", "pack_upgrade_rolled_back", "pack_group_assigned", "pack_group_unassigned", "methodology_pack_created", "methodology_pack_updated", "methodology_pack_assigned", "methodology_pack_removed", "pack_assigned_to_group", "pack_revoked_from_group", "pack_ontology_materialized", "pack_ontology_topic_bound", "cutover_flag_set", "cutover_flag_cleared"]),
1018
+ "action": z.enum(["key_created", "key_revoked", "key_expired", "key_used", "tenant_secret_created", "tenant_secret_rotated", "tenant_secret_revoked", "tenant_slot_binding_upserted", "tenant_slot_binding_revoked", "proxy_token_minted", "proxy_token_lease_issued", "proxy_token_lease_renewed", "proxy_token_lease_revoked", "proxy_request_recorded", "tenant_created", "tenant_updated", "tenant_suspended", "tenant_archived", "tenant_reactivated", "tenant_clerk_organization_linked", "tenant_canonical_identity_repaired", "principal_created", "principal_updated", "principal_suspended", "principal_identity_alias_upserted", "principal_identity_alias_revoked", "membership_created", "membership_updated", "membership_revoked", "group_created", "group_updated", "group_deleted", "group_member_added", "group_member_removed", "workspace_created", "workspace_updated", "workspace_archived", "workspace_deployment_set", "workspace_deployment_removed", "deployment_host_registered", "deployment_host_revoked", "service_key_created", "service_key_rotated", "service_key_revoked", "service_key_used", "service_key_auth_failed", "session_created", "session_validated", "session_revoked", "session_cascade_revoked", "session_expired", "sandbox_created", "sandbox_secret_injected", "sandbox_execution_started", "sandbox_execution_completed", "sandbox_limit_violated", "policy_created", "policy_updated", "policy_enforced", "policy_archived", "permit_sync_enqueued", "permit_sync_succeeded", "permit_sync_failed", "permit_sync_skipped", "agent_registered", "agent_updated", "tool_registered", "tool_updated", "pack_entitled", "pack_installed", "pack_enabled", "pack_disabled", "pack_entitlement_revoked", "pack_upgraded", "pack_upgrade_committed", "pack_upgrade_rolled_back", "pack_group_assigned", "pack_group_unassigned", "methodology_pack_created", "methodology_pack_updated", "methodology_pack_assigned", "methodology_pack_removed", "pack_assigned_to_group", "pack_revoked_from_group", 
"pack_ontology_materialized", "pack_ontology_topic_bound", "cutover_flag_set", "cutover_flag_cleared"]),
1003
1019
  "actorClerkId": z.string(),
1004
1020
  "details": z.any().optional(),
1005
1021
  "createdAt": z.number()
@@ -1223,6 +1239,35 @@ defineTable({
1223
1239
  { kind: "index", name: "by_source", columns: ["source"] }
1224
1240
  ]
1225
1241
  });
1242
+ defineTable({
1243
+ name: "domainEvents",
1244
+ component: "kernel",
1245
+ category: "events",
1246
+ shape: z.object({
1247
+ "eventId": z.string(),
1248
+ "type": z.string(),
1249
+ "version": z.string(),
1250
+ "timestamp": z.number(),
1251
+ "tenantId": z.string().optional(),
1252
+ "workspaceId": z.string().optional(),
1253
+ "topicId": z.string(),
1254
+ "resourceId": z.string(),
1255
+ "resourceType": z.string(),
1256
+ "actorId": z.string(),
1257
+ "actorType": z.enum(["human", "agent", "service"]),
1258
+ "data": z.record(z.any()),
1259
+ "correlationId": z.string().optional(),
1260
+ "expiresAt": z.number()
1261
+ }),
1262
+ indices: [
1263
+ { kind: "index", name: "by_eventId", columns: ["eventId"] },
1264
+ { kind: "index", name: "by_topic_timestamp", columns: ["topicId", "timestamp"] },
1265
+ { kind: "index", name: "by_tenant_workspace_timestamp", columns: ["tenantId", "workspaceId", "timestamp"] },
1266
+ { kind: "index", name: "by_type_timestamp", columns: ["type", "timestamp"] },
1267
+ { kind: "index", name: "by_resource", columns: ["resourceType", "resourceId", "timestamp"] },
1268
+ { kind: "index", name: "by_expiresAt", columns: ["expiresAt"] }
1269
+ ]
1270
+ });
1226
1271
  defineTable({
1227
1272
  name: "beliefConfidence",
1228
1273
  component: "kernel",
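Review bot: In the new `domainEvents` table, `tenantId` and `workspaceId` are optional plain `z.string()` fields, whereas other tables in this diff (for example `controlPlaneTenantProxyTokenLeases`) type them with `idOf("tenants")` / `idOf("workspaces")`, and `data` is an unconstrained `z.record(z.any())`. A row written without `tenantId` is not reachable through `by_tenant_workspace_timestamp`, so readers that go through `by_topic_timestamp`, `by_type_timestamp` or `by_resource` need their own tenant filter. I would state the intended rule next to the shape, e.g. `// rows without tenantId are platform-scoped and never returned to tenant readers; data must not carry secrets or raw credentials`, adjusted to whatever the real contract is. The `beliefConfidence` definition that follows continues outside the hunk.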
@@ -1878,29 +1923,37 @@ defineTable({
1878
1923
  component: "mc",
1879
1924
  category: "runtime",
1880
1925
  shape: z.object({
1881
- "shimId": z.string(),
1882
- "gateId": z.string(),
1883
- "removalDate": z.string(),
1884
- "removalPriority": z.enum(["P1", "P2", "P3"]),
1885
- "description": z.string(),
1886
- "owner": z.string(),
1887
- "createdAt": z.string(),
1888
- "status": z.enum(["active", "overdue", "removed"]),
1889
- "bridgeType": z.enum(["tool", "agent"]),
1890
- "bridgeTarget": z.object({
1891
- "type": z.enum(["tool", "agent"]),
1892
- "legacyPath": z.string(),
1893
- "harnessPath": z.string()
1926
+ shimId: z.string(),
1927
+ gateId: z.string(),
1928
+ removalDate: z.string(),
1929
+ removalPriority: z.enum(["P1", "P2", "P3"]),
1930
+ description: z.string(),
1931
+ owner: z.string(),
1932
+ createdAt: z.string(),
1933
+ status: z.enum(["active", "overdue", "removed"]),
1934
+ bridgeType: z.enum(["tool", "agent"]),
1935
+ bridgeTarget: z.object({
1936
+ type: z.enum(["tool", "agent"]),
1937
+ legacyPath: z.string(),
1938
+ harnessPath: z.string()
1894
1939
  }),
1895
- "shimBehavior": z.enum(["passthrough_with_logging", "adapter", "feature_flag_gate"]),
1896
- "producesLedgerEntries": z.boolean(),
1897
- "lastAuditedAt": z.number(),
1898
- "metadata": z.record(z.any()).optional()
1940
+ shimBehavior: z.enum([
1941
+ "passthrough_with_logging",
1942
+ "adapter",
1943
+ "feature_flag_gate"
1944
+ ]),
1945
+ producesLedgerEntries: z.boolean(),
1946
+ lastAuditedAt: z.number(),
1947
+ metadata: z.record(z.any()).optional()
1899
1948
  }),
1900
1949
  indices: [
1901
1950
  { kind: "index", name: "by_shimId", columns: ["shimId"] },
1902
1951
  { kind: "index", name: "by_status", columns: ["status"] },
1903
- { kind: "index", name: "by_bridgeType_status", columns: ["bridgeType", "status"] }
1952
+ {
1953
+ kind: "index",
1954
+ name: "by_bridgeType_status",
1955
+ columns: ["bridgeType", "status"]
1956
+ }
1904
1957
  ]
1905
1958
  });
1906
1959
  defineTable({
@@ -1908,12 +1961,23 @@ defineTable({
1908
1961
  component: "mc",
1909
1962
  category: "runtime",
1910
1963
  shape: z.object({
1911
- "domain": z.enum(["graph", "schema", "identity", "policy", "audit", "admin", "agent", "tool", "prompt", "intelligence"]),
1912
- "state": z.enum(["legacy", "cutover", "disabled"]),
1913
- "metadata": z.record(z.any()).optional(),
1914
- "updatedBy": z.string(),
1915
- "createdAt": z.number(),
1916
- "updatedAt": z.number()
1964
+ domain: z.enum([
1965
+ "graph",
1966
+ "schema",
1967
+ "identity",
1968
+ "policy",
1969
+ "audit",
1970
+ "admin",
1971
+ "agent",
1972
+ "tool",
1973
+ "prompt",
1974
+ "intelligence"
1975
+ ]),
1976
+ state: z.enum(["legacy", "cutover", "disabled"]),
1977
+ metadata: z.record(z.any()).optional(),
1978
+ updatedBy: z.string(),
1979
+ createdAt: z.number(),
1980
+ updatedAt: z.number()
1917
1981
  }),
1918
1982
  indices: [
1919
1983
  { kind: "index", name: "by_domain", columns: ["domain"] },
@@ -1925,57 +1989,193 @@ defineTable({
1925
1989
  component: "mc",
1926
1990
  category: "runtime",
1927
1991
  shape: z.object({
1928
- "credentialRef": z.string(),
1929
- "tenantId": idOf("tenants"),
1930
- "target": z.enum(["kernelDeployment", "appDeployment"]),
1931
- "environment": z.enum(["dev", "staging", "prod"]),
1932
- "encryptedDeployKey": z.string(),
1933
- "encryptionVersion": z.string(),
1934
- "keyFingerprint": z.string(),
1935
- "keyHint": z.string(),
1936
- "status": z.enum(["active", "revoked"]),
1937
- "rotatedFromCredentialRef": z.string().optional(),
1938
- "revokedAt": z.number().optional(),
1939
- "revokedBy": z.string().optional(),
1940
- "lastUsedAt": z.number().optional(),
1941
- "metadata": z.record(z.any()).optional(),
1942
- "createdBy": z.string(),
1943
- "createdAt": z.number(),
1944
- "updatedAt": z.number()
1992
+ credentialRef: z.string(),
1993
+ tenantId: idOf("tenants"),
1994
+ workspaceId: idOf("workspaces").optional(),
1995
+ target: z.enum(["kernelDeployment", "appDeployment"]),
1996
+ environment: z.enum(["dev", "staging", "prod"]),
1997
+ encryptedDeployKey: z.string(),
1998
+ encryptionVersion: z.string(),
1999
+ keyFingerprint: z.string(),
2000
+ keyHint: z.string(),
2001
+ status: z.enum(["active", "revoked"]),
2002
+ rotatedFromCredentialRef: z.string().optional(),
2003
+ revokedAt: z.number().optional(),
2004
+ revokedBy: z.string().optional(),
2005
+ lastUsedAt: z.number().optional(),
2006
+ metadata: z.record(z.any()).optional(),
2007
+ createdBy: z.string(),
2008
+ createdAt: z.number(),
2009
+ updatedAt: z.number()
1945
2010
  }),
1946
2011
  indices: [
1947
2012
  { kind: "index", name: "by_credentialRef", columns: ["credentialRef"] },
1948
2013
  { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
1949
- { kind: "index", name: "by_tenant_target", columns: ["tenantId", "target"] },
1950
- { kind: "index", name: "by_tenant_target_environment", columns: ["tenantId", "target", "environment"] },
1951
- { kind: "index", name: "by_tenant_target_environment_status", columns: ["tenantId", "target", "environment", "status"] },
2014
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
2015
+ {
2016
+ kind: "index",
2017
+ name: "by_tenant_target",
2018
+ columns: ["tenantId", "target"]
2019
+ },
2020
+ {
2021
+ kind: "index",
2022
+ name: "by_tenant_target_environment",
2023
+ columns: ["tenantId", "target", "environment"]
2024
+ },
2025
+ {
2026
+ kind: "index",
2027
+ name: "by_tenant_target_environment_status",
2028
+ columns: ["tenantId", "target", "environment", "status"]
2029
+ },
2030
+ {
2031
+ kind: "index",
2032
+ name: "by_tenant_workspace_target_environment_status",
2033
+ columns: ["tenantId", "workspaceId", "target", "environment", "status"]
2034
+ },
1952
2035
  { kind: "index", name: "by_status", columns: ["status"] }
1953
2036
  ]
1954
2037
  });
2038
+ defineTable({
2039
+ name: "permitSyncStates",
2040
+ component: "mc",
2041
+ category: "runtime",
2042
+ shape: z.object({
2043
+ syncKey: z.string(),
2044
+ objectType: z.enum([
2045
+ "resource",
2046
+ "role",
2047
+ "resource_role",
2048
+ "resource_relation",
2049
+ "tenant",
2050
+ "workspace",
2051
+ "principal",
2052
+ "membership",
2053
+ "group",
2054
+ "resource_instance",
2055
+ "relationship_tuple",
2056
+ "role_assignment"
2057
+ ]),
2058
+ objectId: z.string(),
2059
+ tenantId: idOf("tenants").optional(),
2060
+ workspaceId: idOf("workspaces").optional(),
2061
+ principalId: z.string().optional(),
2062
+ permitTenantKey: z.string().optional(),
2063
+ permitResourceType: z.string().optional(),
2064
+ permitResourceKey: z.string().optional(),
2065
+ desiredPayload: z.record(z.any()),
2066
+ lastAppliedPayloadHash: z.string().optional(),
2067
+ status: z.enum(["pending", "synced", "error", "skipped"]),
2068
+ attemptCount: z.number(),
2069
+ lastError: z.string().optional(),
2070
+ nextAttemptAt: z.number().optional(),
2071
+ lastSyncedAt: z.number().optional(),
2072
+ createdBy: z.string(),
2073
+ updatedBy: z.string().optional(),
2074
+ createdAt: z.number(),
2075
+ updatedAt: z.number()
2076
+ }),
2077
+ indices: [
2078
+ { kind: "index", name: "by_syncKey", columns: ["syncKey"] },
2079
+ { kind: "index", name: "by_status", columns: ["status"] },
2080
+ {
2081
+ kind: "index",
2082
+ name: "by_tenant_status",
2083
+ columns: ["tenantId", "status"]
2084
+ },
2085
+ {
2086
+ kind: "index",
2087
+ name: "by_workspace_status",
2088
+ columns: ["workspaceId", "status"]
2089
+ },
2090
+ {
2091
+ kind: "index",
2092
+ name: "by_principal_status",
2093
+ columns: ["principalId", "status"]
2094
+ }
2095
+ ]
2096
+ });
2097
+ defineTable({
2098
+ name: "secretSyncDriftReports",
2099
+ component: "mc",
2100
+ category: "runtime",
2101
+ shape: z.object({
2102
+ reportId: z.string(),
2103
+ source: z.enum(["infisical_manifest", "manual", "ci"]),
2104
+ generatedAt: z.number(),
2105
+ recordedAt: z.number(),
2106
+ recordedBy: z.string(),
2107
+ status: z.enum([
2108
+ "in_sync",
2109
+ "drift",
2110
+ "exception",
2111
+ "blocked",
2112
+ "not_observed"
2113
+ ]),
2114
+ reportHash: z.string(),
2115
+ manifestHash: z.string().optional(),
2116
+ dryRunReceiptId: z.string().optional(),
2117
+ appliedReceiptId: z.string().optional(),
2118
+ summary: z.object({
2119
+ totalPipelines: z.number(),
2120
+ inSync: z.number(),
2121
+ drift: z.number(),
2122
+ exception: z.number(),
2123
+ blocked: z.number(),
2124
+ notObserved: z.number(),
2125
+ missingKeys: z.number(),
2126
+ valueDriftKeys: z.number(),
2127
+ extraKeys: z.number(),
2128
+ deniedConvexLeakage: z.number(),
2129
+ approvedExceptions: z.number()
2130
+ }),
2131
+ redactedReport: z.record(z.any()),
2132
+ metadata: z.record(z.any()).optional()
2133
+ }),
2134
+ indices: [
2135
+ { kind: "index", name: "by_reportId", columns: ["reportId"] },
2136
+ { kind: "index", name: "by_reportHash", columns: ["reportHash"] },
2137
+ { kind: "index", name: "by_generatedAt", columns: ["generatedAt"] },
2138
+ {
2139
+ kind: "index",
2140
+ name: "by_status_generatedAt",
2141
+ columns: ["status", "generatedAt"]
2142
+ }
2143
+ ]
2144
+ });
1955
2145
  defineTable({
1956
2146
  name: "controlPlaneTenantModelSlotBindings",
1957
2147
  component: "mc",
1958
2148
  category: "runtime",
1959
2149
  shape: z.object({
1960
- "bindingId": z.string(),
1961
- "tenantId": idOf("tenants"),
1962
- "providerId": z.string(),
1963
- "modelSlotId": z.string(),
1964
- "secretRef": z.string(),
1965
- "status": z.enum(["active", "revoked"]),
1966
- "passThroughOnly": z.boolean(),
1967
- "revokedAt": z.number().optional(),
1968
- "revokedBy": z.string().optional(),
1969
- "metadata": z.record(z.any()).optional(),
1970
- "createdBy": z.string(),
1971
- "createdAt": z.number(),
1972
- "updatedAt": z.number()
2150
+ bindingId: z.string(),
2151
+ tenantId: idOf("tenants"),
2152
+ workspaceId: idOf("workspaces").optional(),
2153
+ environment: z.enum(["dev", "staging", "prod"]).optional(),
2154
+ providerId: z.string(),
2155
+ modelSlotId: z.string(),
2156
+ secretRef: z.string(),
2157
+ status: z.enum(["active", "revoked"]),
2158
+ passThroughOnly: z.boolean(),
2159
+ revokedAt: z.number().optional(),
2160
+ revokedBy: z.string().optional(),
2161
+ metadata: z.record(z.any()).optional(),
2162
+ createdBy: z.string(),
2163
+ createdAt: z.number(),
2164
+ updatedAt: z.number()
1973
2165
  }),
1974
2166
  indices: [
1975
2167
  { kind: "index", name: "by_bindingId", columns: ["bindingId"] },
1976
2168
  { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
1977
- { kind: "index", name: "by_tenant_slot", columns: ["tenantId", "modelSlotId"] },
1978
- { kind: "index", name: "by_tenant_provider_slot", columns: ["tenantId", "providerId", "modelSlotId"] },
2169
+ {
2170
+ kind: "index",
2171
+ name: "by_tenant_slot",
2172
+ columns: ["tenantId", "modelSlotId"]
2173
+ },
2174
+ {
2175
+ kind: "index",
2176
+ name: "by_tenant_provider_slot",
2177
+ columns: ["tenantId", "providerId", "modelSlotId"]
2178
+ },
1979
2179
  { kind: "index", name: "by_secretRef", columns: ["secretRef"] },
1980
2180
  { kind: "index", name: "by_status", columns: ["status"] }
1981
2181
  ]
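Review bot: `redactedReport: z.record(z.any())` in the new `secretSyncDriftReports` table names a guarantee the schema cannot check, because any object is accepted and redaction therefore depends entirely on the writer. The same applies to `desiredPayload` and the free-form `lastError` in `permitSyncStates`, where an upstream error message could be stored verbatim. I would at least document the contract on the field, e.g. `// redactedReport: key names and drift status only, never secret values`, and narrow the shape once the report format is stable. The hunk ends inside the `controlPlaneTenantModelSlotBindings` definition, which continues outside it.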
@@ -1985,29 +2185,42 @@ defineTable({
1985
2185
  component: "mc",
1986
2186
  category: "runtime",
1987
2187
  shape: z.object({
1988
- "secretRef": z.string(),
1989
- "tenantId": idOf("tenants"),
1990
- "providerId": z.string(),
1991
- "label": z.string().optional(),
1992
- "encryptedSecret": z.string(),
1993
- "encryptionVersion": z.string(),
1994
- "secretFingerprint": z.string(),
1995
- "keyHint": z.string(),
1996
- "status": z.enum(["active", "revoked"]),
1997
- "rotatedFromSecretRef": z.string().optional(),
1998
- "revokedAt": z.number().optional(),
1999
- "revokedBy": z.string().optional(),
2000
- "lastUsedAt": z.number().optional(),
2001
- "metadata": z.record(z.any()).optional(),
2002
- "createdBy": z.string(),
2003
- "createdAt": z.number(),
2004
- "updatedAt": z.number()
2188
+ secretRef: z.string(),
2189
+ tenantId: idOf("tenants"),
2190
+ workspaceId: idOf("workspaces").optional(),
2191
+ environment: z.enum(["dev", "staging", "prod"]).optional(),
2192
+ providerId: z.string(),
2193
+ label: z.string().optional(),
2194
+ encryptedSecret: z.string().optional(),
2195
+ infisicalPath: z.string().optional(),
2196
+ infisicalSecretKey: z.string().optional(),
2197
+ infisicalProjectId: z.string().optional(),
2198
+ encryptionVersion: z.string(),
2199
+ secretFingerprint: z.string(),
2200
+ keyHint: z.string(),
2201
+ status: z.enum(["active", "revoked"]),
2202
+ rotatedFromSecretRef: z.string().optional(),
2203
+ revokedAt: z.number().optional(),
2204
+ revokedBy: z.string().optional(),
2205
+ lastUsedAt: z.number().optional(),
2206
+ metadata: z.record(z.any()).optional(),
2207
+ createdBy: z.string(),
2208
+ createdAt: z.number(),
2209
+ updatedAt: z.number()
2005
2210
  }),
2006
2211
  indices: [
2007
2212
  { kind: "index", name: "by_secretRef", columns: ["secretRef"] },
2008
2213
  { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
2009
- { kind: "index", name: "by_tenant_provider", columns: ["tenantId", "providerId"] },
2010
- { kind: "index", name: "by_tenant_provider_status", columns: ["tenantId", "providerId", "status"] },
2214
+ {
2215
+ kind: "index",
2216
+ name: "by_tenant_provider",
2217
+ columns: ["tenantId", "providerId"]
2218
+ },
2219
+ {
2220
+ kind: "index",
2221
+ name: "by_tenant_provider_status",
2222
+ columns: ["tenantId", "providerId", "status"]
2223
+ },
2011
2224
  { kind: "index", name: "by_status", columns: ["status"] }
2012
2225
  ]
2013
2226
  });
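Review bot: With `encryptedSecret` now `.optional()` and the three `infisical*` fields also optional, this shape accepts an `active` row that has neither inline ciphertext nor a complete Infisical reference. `encryptionVersion`, `secretFingerprint` and `keyHint` stay required, so it is also unclear what they are expected to hold for an Infisical-backed row. I would state the invariant next to the fields, e.g. `// exactly one of: encryptedSecret, or infisicalProjectId + infisicalPath + infisicalSecretKey`, and enforce it in the write path (or with a zod `.refine`, if `defineTable` accepts a refined schema). The table's `name` line is outside the hunk.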
@@ -2016,35 +2229,93 @@ defineTable({
2016
2229
  component: "mc",
2017
2230
  category: "runtime",
2018
2231
  shape: z.object({
2019
- "usageId": z.string(),
2020
- "tenantId": idOf("tenants"),
2021
- "providerId": z.string(),
2022
- "modelSlotId": z.string(),
2023
- "secretRef": z.string(),
2024
- "proxyTokenId": z.string(),
2025
- "sessionId": z.string(),
2026
- "principalId": z.string(),
2027
- "workspaceId": z.string().optional(),
2028
- "modelId": z.string().optional(),
2029
- "requestPath": z.string(),
2030
- "status": z.enum(["success", "error"]),
2031
- "responseStatus": z.number().optional(),
2032
- "inputTokens": z.number().optional(),
2033
- "outputTokens": z.number().optional(),
2034
- "tokenCount": z.number().optional(),
2035
- "latencyMs": z.number(),
2036
- "estimatedCostUsd": z.number().optional(),
2037
- "failureCode": z.string().optional(),
2038
- "metadata": z.record(z.any()).optional(),
2039
- "createdAt": z.number(),
2040
- "updatedAt": z.number()
2232
+ usageId: z.string(),
2233
+ tenantId: idOf("tenants"),
2234
+ providerId: z.string(),
2235
+ modelSlotId: z.string(),
2236
+ secretRef: z.string(),
2237
+ proxyTokenId: z.string(),
2238
+ sessionId: z.string(),
2239
+ principalId: z.string(),
2240
+ workspaceId: z.string().optional(),
2241
+ modelId: z.string().optional(),
2242
+ requestPath: z.string(),
2243
+ status: z.enum(["success", "error"]),
2244
+ responseStatus: z.number().optional(),
2245
+ inputTokens: z.number().optional(),
2246
+ outputTokens: z.number().optional(),
2247
+ tokenCount: z.number().optional(),
2248
+ latencyMs: z.number(),
2249
+ estimatedCostUsd: z.number().optional(),
2250
+ failureCode: z.string().optional(),
2251
+ metadata: z.record(z.any()).optional(),
2252
+ createdAt: z.number(),
2253
+ updatedAt: z.number()
2041
2254
  }),
2042
2255
  indices: [
2043
2256
  { kind: "index", name: "by_usageId", columns: ["usageId"] },
2044
2257
  { kind: "index", name: "by_tenantId", columns: ["tenantId", "createdAt"] },
2045
- { kind: "index", name: "by_tenant_provider", columns: ["tenantId", "providerId", "createdAt"] },
2046
- { kind: "index", name: "by_proxyTokenId", columns: ["proxyTokenId", "createdAt"] },
2047
- { kind: "index", name: "by_sessionId", columns: ["sessionId", "createdAt"] }
2258
+ {
2259
+ kind: "index",
2260
+ name: "by_tenant_provider",
2261
+ columns: ["tenantId", "providerId", "createdAt"]
2262
+ },
2263
+ {
2264
+ kind: "index",
2265
+ name: "by_proxyTokenId",
2266
+ columns: ["proxyTokenId", "createdAt"]
2267
+ },
2268
+ {
2269
+ kind: "index",
2270
+ name: "by_sessionId",
2271
+ columns: ["sessionId", "createdAt"]
2272
+ }
2273
+ ]
2274
+ });
2275
+ defineTable({
2276
+ name: "controlPlaneTenantProxyTokenLeases",
2277
+ component: "mc",
2278
+ category: "runtime",
2279
+ shape: z.object({
2280
+ leaseId: z.string(),
2281
+ proxyTokenId: z.string(),
2282
+ tenantId: idOf("tenants"),
2283
+ workspaceId: idOf("workspaces").optional(),
2284
+ environment: z.enum(["dev", "staging", "prod"]),
2285
+ providerId: z.string(),
2286
+ modelSlotId: z.string(),
2287
+ bindingId: z.string(),
2288
+ secretRef: z.string(),
2289
+ sessionId: z.string(),
2290
+ principalId: z.string(),
2291
+ agentSessionId: z.string().optional(),
2292
+ status: z.enum(["active", "revoked"]),
2293
+ expiresAt: z.number(),
2294
+ renewedAt: z.number().optional(),
2295
+ revokedAt: z.number().optional(),
2296
+ revokedBy: z.string().optional(),
2297
+ revokeReason: z.string().optional(),
2298
+ permitDecisionLogId: idOf("policyDecisionLogs").optional(),
2299
+ permitTraceId: z.string().optional(),
2300
+ metadata: z.record(z.any()).optional(),
2301
+ createdAt: z.number(),
2302
+ updatedAt: z.number()
2303
+ }),
2304
+ indices: [
2305
+ { kind: "index", name: "by_leaseId", columns: ["leaseId"] },
2306
+ { kind: "index", name: "by_proxyTokenId", columns: ["proxyTokenId"] },
2307
+ { kind: "index", name: "by_tenantId", columns: ["tenantId", "createdAt"] },
2308
+ { kind: "index", name: "by_sessionId", columns: ["sessionId", "createdAt"] },
2309
+ {
2310
+ kind: "index",
2311
+ name: "by_principalId",
2312
+ columns: ["principalId", "createdAt"]
2313
+ },
2314
+ {
2315
+ kind: "index",
2316
+ name: "by_status_expiresAt",
2317
+ columns: ["status", "expiresAt"]
2318
+ }
2048
2319
  ]
2049
2320
  });
2050
2321
  defineTable({
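Review bot: `controlPlaneTenantProxyTokenLeases` pairs `status: z.enum(["active", "revoked"])` with `expiresAt`, so a lapsed lease still reads as `active` unless something rewrites the row. Any validity check therefore has to compare `expiresAt` with the current time as well as `status`; the `by_status_expiresAt` index suggests a sweep is intended, but nothing in the schema shows it. I would add a comment on the field, e.g. `// valid only while status === "active" && expiresAt > Date.now(); expiry does not change status`. The audit `action` enum extended earlier in this diff gains `proxy_token_lease_issued`, `proxy_token_lease_renewed` and `proxy_token_lease_revoked` but no expiry action, which is worth confirming is deliberate.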
@@ -2377,6 +2648,7 @@ defineTable({
2377
2648
  "questionType": z.enum(["validation", "falsification", "assumption_probe", "prediction_test", "counterfactual", "discovery", "clarification", "comparison", "causal", "mechanism", "general"]).optional(),
2378
2649
  "questionPriority": z.enum(["critical", "high", "medium", "low"]).optional(),
2379
2650
  "answerQuality": z.enum(["definitive", "strong", "moderate", "weak", "speculative", "unanswered"]).optional(),
2651
+ "themeStatus": z.enum(["emerging", "active", "mature", "declining", "archived"]).optional(),
2380
2652
  "themeConviction": z.enum(["high", "medium", "low", "negative"]).optional(),
2381
2653
  "decisionType": z.enum(["invest", "pass", "follow_on", "exit", "deep_dive", "monitor", "deprioritize", "thesis_adopt", "thesis_revise", "thesis_abandon"]).optional(),
2382
2654
  "decisionOutcome": z.enum(["pending", "successful", "unsuccessful", "mixed", "unknown"]).optional(),
@@ -2527,6 +2799,7 @@ defineTable({
2527
2799
  indices: [
2528
2800
  { kind: "index", name: "by_principalId", columns: ["principalId"] },
2529
2801
  { kind: "index", name: "by_principal_tenant", columns: ["principalId", "tenantId"] },
2802
+ { kind: "index", name: "by_principal_tenant_workspace", columns: ["principalId", "tenantId", "workspaceId"] },
2530
2803
  { kind: "index", name: "by_workspace_principal", columns: ["workspaceId", "principalId"] },
2531
2804
  { kind: "index", name: "by_tenant_role", columns: ["tenantId", "role"] },
2532
2805
  { kind: "index", name: "by_status", columns: ["status"] }
@@ -2558,6 +2831,36 @@ defineTable({
2558
2831
  { kind: "index", name: "by_status", columns: ["status"] }
2559
2832
  ]
2560
2833
  });
2834
+ defineTable({
2835
+ name: "principalIdentityAliases",
2836
+ component: "mc",
2837
+ category: "identity",
2838
+ shape: z.object({
2839
+ "principalId": z.string(),
2840
+ "principalRefId": idOf("principals").optional(),
2841
+ "provider": z.string(),
2842
+ "providerProjectId": z.string().optional(),
2843
+ "externalSubjectId": z.string(),
2844
+ "tenantId": idOf("tenants").optional(),
2845
+ "workspaceId": idOf("workspaces").optional(),
2846
+ "email": z.string().optional(),
2847
+ "status": z.enum(["active", "revoked"]),
2848
+ "metadata": z.record(z.any()).optional(),
2849
+ "createdBy": z.string(),
2850
+ "revokedAt": z.number().optional(),
2851
+ "revokedBy": z.string().optional(),
2852
+ "createdAt": z.number(),
2853
+ "updatedAt": z.number()
2854
+ }),
2855
+ indices: [
2856
+ { kind: "index", name: "by_provider_subject", columns: ["provider", "externalSubjectId"] },
2857
+ { kind: "index", name: "by_provider_project_subject", columns: ["provider", "providerProjectId", "externalSubjectId"] },
2858
+ { kind: "index", name: "by_principalId", columns: ["principalId"] },
2859
+ { kind: "index", name: "by_principal_status", columns: ["principalId", "status"] },
2860
+ { kind: "index", name: "by_tenant_provider_subject", columns: ["tenantId", "provider", "externalSubjectId"] },
2861
+ { kind: "index", name: "by_workspace_provider_subject", columns: ["workspaceId", "provider", "externalSubjectId"] }
2862
+ ]
2863
+ });
2561
2864
  defineTable({
2562
2865
  name: "rateLimitWindows",
2563
2866
  component: "mc",
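Review bot: The `by_provider_subject` index on the new `principalIdentityAliases` table omits `providerProjectId`, and every index here is a plain `kind: "index"`, so nothing visible stops two `active` aliases for the same external subject from pointing at different `principalId` values. If subject ids are only unique within a provider project, a lookup through `by_provider_subject` could resolve a sign-in to the wrong principal. I would document the lookup rule, e.g. `// resolve by (provider, providerProjectId, externalSubjectId) with status === "active"; email is informational and never used for matching`, and have the upsert path reject a second active alias for the same key. The `rateLimitWindows` definition that follows continues outside the hunk.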
@@ -3147,7 +3450,7 @@ defineTable({
3147
3450
  });
3148
3451
  defineTable({
3149
3452
  name: "mcpWritePolicy",
3150
- component: "identity",
3453
+ component: "control-plane",
3151
3454
  category: "platform",
3152
3455
  shape: z.object({
3153
3456
  "topicId": z.string().optional(),
@@ -3170,7 +3473,7 @@ defineTable({
3170
3473
  });
3171
3474
  defineTable({
3172
3475
  name: "platformAudienceGrants",
3173
- component: "identity",
3476
+ component: "control-plane",
3174
3477
  category: "platform",
3175
3478
  shape: z.object({
3176
3479
  "tenantId": z.string(),
@@ -3196,7 +3499,7 @@ defineTable({
3196
3499
  });
3197
3500
  defineTable({
3198
3501
  name: "platformAudiences",
3199
- component: "identity",
3502
+ component: "control-plane",
3200
3503
  category: "platform",
3201
3504
  shape: z.object({
3202
3505
  "tenantId": z.string(),
@@ -3221,7 +3524,7 @@ defineTable({
3221
3524
  });
3222
3525
  defineTable({
3223
3526
  name: "platformPolicyDecisionLogs",
3224
- component: "identity",
3527
+ component: "control-plane",
3225
3528
  category: "platform",
3226
3529
  shape: z.object({
3227
3530
  "principalId": z.string(),
@@ -3257,7 +3560,7 @@ defineTable({
3257
3560
  });
3258
3561
  defineTable({
3259
3562
  name: "tenantApiKeys",
3260
- component: "identity",
3563
+ component: "control-plane",
3261
3564
  category: "platform",
3262
3565
  shape: z.object({
3263
3566
  "tenantId": z.string(),
@@ -3284,7 +3587,7 @@ defineTable({
3284
3587
  });
3285
3588
  defineTable({
3286
3589
  name: "tenantConfig",
3287
- component: "identity",
3590
+ component: "control-plane",
3288
3591
  category: "platform",
3289
3592
  shape: z.object({
3290
3593
  "tenantId": z.string(),
@@ -3303,7 +3606,7 @@ defineTable({
3303
3606
  });
3304
3607
  defineTable({
3305
3608
  name: "tenantIntegrations",
3306
- component: "identity",
3609
+ component: "control-plane",
3307
3610
  category: "platform",
3308
3611
  shape: z.object({
3309
3612
  "tenantId": z.string(),
@@ -3358,7 +3661,7 @@ defineTable({
3358
3661
  });
3359
3662
  defineTable({
3360
3663
  name: "tenantModelSlotBindings",
3361
- component: "identity",
3664
+ component: "control-plane",
3362
3665
  category: "platform",
3363
3666
  shape: z.object({
3364
3667
  "bindingId": z.string(),
@@ -3386,7 +3689,7 @@ defineTable({
3386
3689
  });
3387
3690
  defineTable({
3388
3691
  name: "tenantPolicies",
3389
- component: "identity",
3692
+ component: "control-plane",
3390
3693
  category: "platform",
3391
3694
  shape: z.object({
3392
3695
  "tenantId": z.string(),
@@ -3411,7 +3714,7 @@ defineTable({
3411
3714
  });
3412
3715
  defineTable({
3413
3716
  name: "tenantProviderSecrets",
3414
- component: "identity",
3717
+ component: "control-plane",
3415
3718
  category: "platform",
3416
3719
  shape: z.object({
3417
3720
  "secretRef": z.string(),
@@ -3442,7 +3745,7 @@ defineTable({
3442
3745
  });
3443
3746
  defineTable({
3444
3747
  name: "tenantProxyGatewayUsage",
3445
- component: "identity",
3748
+ component: "control-plane",
3446
3749
  category: "platform",
3447
3750
  shape: z.object({
3448
3751
  "usageId": z.string(),
@@ -3477,7 +3780,7 @@ defineTable({
3477
3780
  });
3478
3781
  defineTable({
3479
3782
  name: "tenantProxyTokenMints",
3480
- component: "identity",
3783
+ component: "control-plane",
3481
3784
  category: "platform",
3482
3785
  shape: z.object({
3483
3786
  "proxyTokenId": z.string(),
@@ -3500,7 +3803,7 @@ defineTable({
3500
3803
  });
3501
3804
  defineTable({
3502
3805
  name: "tenantSandboxAuditEvents",
3503
- component: "identity",
3806
+ component: "control-plane",
3504
3807
  category: "platform",
3505
3808
  shape: z.object({
3506
3809
  "eventId": z.string(),
@@ -3534,7 +3837,7 @@ defineTable({
3534
3837
  });
3535
3838
  defineTable({
3536
3839
  name: "tenantSecrets",
3537
- component: "identity",
3840
+ component: "control-plane",
3538
3841
  category: "platform",
3539
3842
  shape: z.object({
3540
3843
  "tenantId": z.string(),
@@ -3556,7 +3859,7 @@ defineTable({
3556
3859
  });
3557
3860
  defineTable({
3558
3861
  name: "toolAcls",
3559
- component: "identity",
3862
+ component: "control-plane",
3560
3863
  category: "platform",
3561
3864
  shape: z.object({
3562
3865
  "role": z.enum(["platform_admin", "tenant_admin", "workspace_admin", "editor", "viewer", "auditor", "service_agent"]),
@@ -3571,7 +3874,7 @@ defineTable({
3571
3874
  });
3572
3875
  defineTable({
3573
3876
  name: "toolRegistry",
3574
- component: "identity",
3877
+ component: "control-plane",
3575
3878
  category: "platform",
3576
3879
  shape: z.object({
3577
3880
  "toolName": z.string(),
@@ -3652,7 +3955,7 @@ defineTable({
3652
3955
  });
3653
3956
  defineTable({
3654
3957
  name: "modelCallLogs",
3655
- component: "identity",
3958
+ component: "control-plane",
3656
3959
  category: "model",
3657
3960
  shape: z.object({
3658
3961
  "slot": z.string(),
@@ -3678,7 +3981,7 @@ defineTable({
3678
3981
  });
3679
3982
  defineTable({
3680
3983
  name: "modelFunctionSlots",
3681
- component: "identity",
3984
+ component: "control-plane",
3682
3985
  category: "model",
3683
3986
  shape: z.object({
3684
3987
  "slot": z.string(),
@@ -3703,7 +4006,7 @@ defineTable({
3703
4006
  });
3704
4007
  defineTable({
3705
4008
  name: "modelRegistry",
3706
- component: "identity",
4009
+ component: "control-plane",
3707
4010
  category: "model",
3708
4011
  shape: z.object({
3709
4012
  "key": z.string(),
@@ -3730,7 +4033,7 @@ defineTable({
3730
4033
  });
3731
4034
  defineTable({
3732
4035
  name: "modelSlotConfigs",
3733
- component: "identity",
4036
+ component: "control-plane",
3734
4037
  category: "model",
3735
4038
  shape: z.object({
3736
4039
  "slot": z.string(),
@@ -4117,7 +4420,7 @@ defineTable({
4117
4420
  "workspaceId": idOf("workspaces").optional(),
4118
4421
  "resourceType": z.string(),
4119
4422
  "resourceId": z.string(),
4120
- "action": z.enum(["read", "summarize", "export", "mutate", "admin", "comment", "escalate", "resolve", "vote"]),
4423
+ "action": z.enum(["read", "summarize", "export", "mutate", "admin", "comment", "escalate", "resolve", "vote", "route", "invoke", "manage", "deploy", "promote", "rollback", "audit", "read_ref", "fetch_value", "rotate", "administer", "mint", "delegate", "revoke"]),
4121
4424
  "decision": z.enum(["allow", "deny"]),
4122
4425
  "reasonCode": z.string(),
4123
4426
  "policyVersion": z.string(),
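Review bot: The widened `action` enum now holds three near-synonymous privileged verbs, `admin`, `manage` and `administer`, and nothing in the hunk says how they differ, so a policy rule or audit query written against one can silently miss decisions recorded under another. The same change adds credential-sensitive verbs (`fetch_value`, `rotate`, `mint`, `delegate`, `revoke`) that sit in one flat list with `read` and `comment`. I would either collapse the duplicates or add a comment above the field, for example `// "admin", "manage" and "administer" are distinct actions; see <policy doc placeholder> for which resource types use each`. The enclosing `defineTable` call starts and ends outside this hunk, so which table this applies to is not visible here.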
@@ -4179,7 +4482,7 @@ defineTable({
4179
4482
  });
4180
4483
  defineTable({
4181
4484
  name: "projectGrants",
4182
- component: "identity",
4485
+ component: "control-plane",
4183
4486
  category: "project",
4184
4487
  shape: z.object({
4185
4488
  "projectId": z.string().optional(),
@@ -4211,90 +4514,734 @@ defineTable({
4211
4514
  { kind: "index", name: "by_topic_cluster_status", columns: ["topicId", "beliefClusterId", "status"] }
4212
4515
  ]
4213
4516
  });
4517
+ var permitActorType = z.enum([
4518
+ "human",
4519
+ "agent",
4520
+ "service_principal",
4521
+ "external_stakeholder",
4522
+ "system"
4523
+ ]);
4524
+ var permitMembershipStatus = z.enum([
4525
+ "active",
4526
+ "invited",
4527
+ "revoked",
4528
+ "suspended",
4529
+ "disabled"
4530
+ ]);
4531
+ var permitDecision = z.enum(["allow", "deny"]);
4532
+ var permitAccessReviewStatus = z.enum([
4533
+ "open",
4534
+ "in_progress",
4535
+ "approved",
4536
+ "denied",
4537
+ "expired",
4538
+ "cancelled"
4539
+ ]);
4540
+ var permitReviewScope = z.enum([
4541
+ "tenant",
4542
+ "workspace",
4543
+ "resource_instance",
4544
+ "group",
4545
+ "principal",
4546
+ "api_key",
4547
+ "admin_action"
4548
+ ]);
4549
+ var permitRecordStatus = z.enum([
4550
+ "queued",
4551
+ "inflight",
4552
+ "completed",
4553
+ "failed",
4554
+ "skipped",
4555
+ "stale"
4556
+ ]);
4557
+ var permitObjectType = z.enum([
4558
+ "resource",
4559
+ "role",
4560
+ "resource_role",
4561
+ "resource_relation",
4562
+ "tenant",
4563
+ "workspace",
4564
+ "principal",
4565
+ "membership",
4566
+ "group",
4567
+ "resource_instance",
4568
+ "relationship_tuple",
4569
+ "role_assignment",
4570
+ "attribute_binding",
4571
+ "policy_bundle"
4572
+ ]);
4573
+ var permitOutboxOperation = z.enum([
4574
+ "upsert",
4575
+ "delete",
4576
+ "sync",
4577
+ "resync",
4578
+ "delete_sync",
4579
+ "noop"
4580
+ ]);
4581
+ var permitPolicyBundleStatus = z.enum([
4582
+ "draft",
4583
+ "validated",
4584
+ "enforced",
4585
+ "archived"
4586
+ ]);
4587
+ var permitSyncStatus = z.enum([
4588
+ "pending",
4589
+ "synced",
4590
+ "error",
4591
+ "skipped"
4592
+ ]);
4593
+ var permitAccessReviewSubjectType = z.enum([
4594
+ "principal",
4595
+ "group",
4596
+ "role_assignment",
4597
+ "resource_instance"
4598
+ ]);
4599
+ var permitAttributeType = z.enum([
4600
+ "string",
4601
+ "number",
4602
+ "bool",
4603
+ "json",
4604
+ "time"
4605
+ ]);
4606
+ var permitAttributeOperator = z.enum([
4607
+ "eq",
4608
+ "neq",
4609
+ "in",
4610
+ "not_in",
4611
+ "gt",
4612
+ "gte",
4613
+ "lt",
4614
+ "lte",
4615
+ "contains",
4616
+ "not_contains",
4617
+ "matches"
4618
+ ]);
4619
+ var permitRoleBindingTarget = z.enum([
4620
+ "principal",
4621
+ "group"
4622
+ ]);
4214
4623
  defineTable({
4215
- name: "reasoningPermissions",
4216
- component: "identity",
4217
- category: "epistemic",
4624
+ name: "permitPrincipals",
4625
+ component: "control-plane",
4626
+ category: "access-control",
4218
4627
  shape: z.object({
4219
- "topicId": z.string().optional(),
4220
- "principalId": z.string(),
4221
- "nodeType": z.enum(["belief", "evidence", "action", "approval", "artifact"]),
4222
- "action": z.enum(["view_conclusion", "view_evidence", "propose_action", "approve_action", "view_derived_artifact"]),
4223
- "effect": z.enum(["allow", "deny"]),
4224
- "policyReference": z.string().optional(),
4225
- "rationale": z.string().optional(),
4226
- "metadata": z.record(z.any()).optional(),
4227
- "createdAt": z.number(),
4228
- "createdBy": z.string(),
4229
- "updatedAt": z.number()
4628
+ principalId: z.string(),
4629
+ tenantId: z.string(),
4630
+ workspaceId: z.optional(z.string()),
4631
+ principalType: permitActorType,
4632
+ status: permitMembershipStatus,
4633
+ displayName: z.string().optional(),
4634
+ metadata: z.record(z.any()).optional(),
4635
+ createdBy: z.string(),
4636
+ createdAt: z.number(),
4637
+ updatedAt: z.number(),
4638
+ updatedBy: z.string().optional(),
4639
+ lastSeenAt: z.number().optional()
4230
4640
  }),
4231
4641
  indices: [
4232
- { kind: "index", name: "by_topic_principal", columns: ["topicId", "principalId"] },
4233
- { kind: "index", name: "by_topic_principal_action", columns: ["topicId", "principalId", "action"] },
4234
- { kind: "index", name: "by_topic_principal_node_action", columns: ["topicId", "principalId", "nodeType", "action"] },
4235
- { kind: "index", name: "by_principal_action", columns: ["principalId", "action"] }
4642
+ { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
4643
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
4644
+ { kind: "index", name: "by_tenant_principalId", columns: ["tenantId", "principalId"] },
4645
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] },
4646
+ {
4647
+ kind: "index",
4648
+ name: "by_tenant_principalType_status",
4649
+ columns: ["tenantId", "principalType", "status"]
4650
+ }
4236
4651
  ]
4237
4652
  });
4238
4653
  defineTable({
4239
- name: "schemaEnumConfig",
4240
- component: "kernel",
4241
- category: "config",
4654
+ name: "permitPrincipalAliases",
4655
+ component: "control-plane",
4656
+ category: "access-control",
4242
4657
  shape: z.object({
4243
- "tenantId": z.string().optional(),
4244
- "category": z.string(),
4245
- "value": z.string(),
4246
- "label": z.string(),
4247
- "description": z.string().optional(),
4248
- "tier": z.enum(["platform", "tenant"]),
4249
- "domainNamespace": z.string().optional(),
4250
- "metadata": z.any().optional(),
4251
- "isDefault": z.boolean().optional(),
4252
- "sortOrder": z.number().optional(),
4253
- "status": z.enum(["active", "deprecated"]),
4254
- "createdAt": z.number(),
4255
- "updatedAt": z.number()
4658
+ principalId: z.string(),
4659
+ tenantId: z.string(),
4660
+ workspaceId: z.optional(z.string()),
4661
+ provider: z.string(),
4662
+ providerSubjectId: z.string(),
4663
+ providerProjectId: z.string().optional(),
4664
+ alias: z.string(),
4665
+ aliasKind: z.string(),
4666
+ status: permitMembershipStatus,
4667
+ metadata: z.record(z.any()).optional(),
4668
+ createdBy: z.string(),
4669
+ createdAt: z.number(),
4670
+ updatedAt: z.number(),
4671
+ revokedBy: z.string().optional(),
4672
+ revokedAt: z.number().optional(),
4673
+ updatedBy: z.string().optional()
4256
4674
  }),
4257
4675
  indices: [
4258
- { kind: "index", name: "by_category", columns: ["category"] },
4259
- { kind: "index", name: "by_tenant_category", columns: ["tenantId", "category"] },
4260
- { kind: "index", name: "by_category_value", columns: ["category", "value"] }
4676
+ { kind: "index", name: "by_principalId", columns: ["principalId"] },
4677
+ { kind: "index", name: "by_provider_subject", columns: ["provider", "providerSubjectId"] },
4678
+ { kind: "index", name: "by_provider_project_subject", columns: ["provider", "providerProjectId", "providerSubjectId"] },
4679
+ { kind: "index", name: "by_tenant_provider_subject", columns: ["tenantId", "provider", "providerSubjectId"] },
4680
+ { kind: "index", name: "by_tenant_provider_project_subject", columns: ["tenantId", "provider", "providerProjectId", "providerSubjectId"] },
4681
+ {
4682
+ kind: "index",
4683
+ name: "by_tenant_provider_alias",
4684
+ columns: ["tenantId", "provider", "alias"]
4685
+ },
4686
+ { kind: "index", name: "by_tenant_alias", columns: ["tenantId", "alias"] },
4687
+ {
4688
+ kind: "index",
4689
+ name: "by_tenant_provider_status",
4690
+ columns: ["tenantId", "provider", "status"]
4691
+ }
4261
4692
  ]
4262
4693
  });
4263
4694
  defineTable({
4264
- name: "tasks",
4265
- component: "kernel",
4266
- category: "task",
4695
+ name: "permitGroups",
4696
+ component: "control-plane",
4697
+ category: "access-control",
4267
4698
  shape: z.object({
4268
- "topicId": z.string().optional(),
4269
- "tenantId": z.string().optional(),
4270
- "workspaceId": z.string().optional(),
4271
- "title": z.string(),
4272
- "description": z.string().optional(),
4273
- "status": z.enum(["todo", "in_progress", "blocked", "done"]),
4274
- "priority": z.enum(["urgent", "high", "medium", "low"]),
4275
- "dueDate": z.number().optional(),
4276
- "linkedWorktreeId": idOf("worktrees").optional(),
4277
- "linkedBeliefId": z.string().optional(),
4278
- "linkedQuestionId": z.string().optional(),
4279
- "taskType": z.enum(["general", "find_evidence", "verify_claim", "research", "review", "interview", "analysis", "track_metrics"]).optional(),
4280
- "assigneeId": z.string().optional(),
4281
- "blockedReason": z.string().optional(),
4282
- "blockedBy": z.array(idOf("tasks")).optional(),
4283
- "blocks": z.array(idOf("tasks")).optional(),
4284
- "sortOrder": z.number().optional(),
4285
- "executionOrder": z.number().optional(),
4286
- "subtasks": z.array(z.object({
4287
- "id": z.string(),
4288
- "title": z.string(),
4289
- "completed": z.boolean(),
4290
- "completedAt": z.number().optional()
4291
- })).optional(),
4292
- "comments": z.array(z.object({
4293
- "id": z.string(),
4294
- "userId": z.string(),
4295
- "content": z.string(),
4296
- "createdAt": z.number()
4297
- })).optional(),
4699
+ tenantId: z.string(),
4700
+ workspaceId: z.optional(z.string()),
4701
+ groupId: z.string(),
4702
+ groupKey: z.string(),
4703
+ groupName: z.string(),
4704
+ groupType: z.enum(["tenant", "workspace", "external", "system", "dynamic"]),
4705
+ status: permitMembershipStatus,
4706
+ description: z.string().optional(),
4707
+ metadata: z.record(z.any()).optional(),
4708
+ createdBy: z.string(),
4709
+ createdAt: z.number(),
4710
+ updatedAt: z.number(),
4711
+ updatedBy: z.string().optional()
4712
+ }),
4713
+ indices: [
4714
+ { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
4715
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
4716
+ { kind: "index", name: "by_tenant_groupId", columns: ["tenantId", "groupId"] },
4717
+ { kind: "index", name: "by_tenant_groupKey", columns: ["tenantId", "groupKey"] },
4718
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] }
4719
+ ]
4720
+ });
4721
+ defineTable({
4722
+ name: "permitGroupMemberships",
4723
+ component: "control-plane",
4724
+ category: "access-control",
4725
+ shape: z.object({
4726
+ tenantId: z.string(),
4727
+ workspaceId: z.optional(z.string()),
4728
+ groupId: z.string(),
4729
+ memberType: z.enum(["principal", "group"]),
4730
+ memberId: z.string(),
4731
+ principalId: z.string().optional(),
4732
+ childGroupId: z.string().optional(),
4733
+ status: permitMembershipStatus,
4734
+ addedBy: z.string().optional(),
4735
+ revokedBy: z.string().optional(),
4736
+ expiresAt: z.number().optional(),
4737
+ revocationReason: z.string().optional(),
4738
+ metadata: z.record(z.any()).optional(),
4739
+ createdAt: z.number(),
4740
+ updatedAt: z.number(),
4741
+ updatedBy: z.string().optional()
4742
+ }),
4743
+ indices: [
4744
+ { kind: "index", name: "by_tenant_principal", columns: ["tenantId", "principalId"] },
4745
+ { kind: "index", name: "by_tenant_member", columns: ["tenantId", "memberType", "memberId"] },
4746
+ {
4747
+ kind: "index",
4748
+ name: "by_tenant_member_group",
4749
+ columns: ["tenantId", "memberType", "memberId", "groupId"]
4750
+ },
4751
+ { kind: "index", name: "by_tenant_group", columns: ["tenantId", "groupId"] },
4752
+ { kind: "index", name: "by_member_group", columns: ["memberType", "memberId", "groupId"] },
4753
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] },
4754
+ {
4755
+ kind: "index",
4756
+ name: "by_workspace_principal",
4757
+ columns: ["workspaceId", "principalId"]
4758
+ }
4759
+ ]
4760
+ });
4761
+ defineTable({
4762
+ name: "permitResourceInstances",
4763
+ component: "control-plane",
4764
+ category: "access-control",
4765
+ shape: z.object({
4766
+ tenantId: z.string(),
4767
+ workspaceId: z.optional(z.string()),
4768
+ resourceType: z.string(),
4769
+ resourceKey: z.string(),
4770
+ resourceId: z.string(),
4771
+ status: z.enum(["active", "deleted", "archived"]),
4772
+ attributes: z.record(z.any()).optional(),
4773
+ ownerPrincipalId: z.string().optional(),
4774
+ metadata: z.record(z.any()).optional(),
4775
+ createdBy: z.string(),
4776
+ updatedBy: z.string().optional(),
4777
+ createdAt: z.number(),
4778
+ updatedAt: z.number()
4779
+ }),
4780
+ indices: [
4781
+ {
4782
+ kind: "index",
4783
+ name: "by_tenant_resource_type",
4784
+ columns: ["tenantId", "resourceType"]
4785
+ },
4786
+ {
4787
+ kind: "index",
4788
+ name: "by_tenant_resource_key",
4789
+ columns: ["tenantId", "resourceType", "resourceKey"]
4790
+ },
4791
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
4792
+ { kind: "index", name: "by_status", columns: ["status"] },
4793
+ {
4794
+ kind: "index",
4795
+ name: "by_tenant_status",
4796
+ columns: ["tenantId", "status"]
4797
+ },
4798
+ {
4799
+ kind: "index",
4800
+ name: "by_ownerPrincipalId",
4801
+ columns: ["ownerPrincipalId"]
4802
+ }
4803
+ ]
4804
+ });
4805
+ defineTable({
4806
+ name: "permitRoleAssignments",
4807
+ component: "control-plane",
4808
+ category: "access-control",
4809
+ shape: z.object({
4810
+ tenantId: z.string(),
4811
+ workspaceId: z.optional(z.string()),
4812
+ role: z.string(),
4813
+ targetType: permitRoleBindingTarget,
4814
+ targetId: z.string(),
4815
+ resourceType: z.string(),
4816
+ resourceKey: z.string(),
4817
+ resourceInstanceId: z.string().optional(),
4818
+ status: permitMembershipStatus,
4819
+ expiresAt: z.number().optional(),
4820
+ attributes: z.record(z.any()).optional(),
4821
+ grantedBy: z.string().optional(),
4822
+ updatedBy: z.string().optional(),
4823
+ revokedBy: z.string().optional(),
4824
+ createdAt: z.number(),
4825
+ updatedAt: z.number()
4826
+ }),
4827
+ indices: [
4828
+ {
4829
+ kind: "index",
4830
+ name: "by_tenant_target",
4831
+ columns: ["tenantId", "targetType", "targetId"]
4832
+ },
4833
+ {
4834
+ kind: "index",
4835
+ name: "by_tenant_resource",
4836
+ columns: ["tenantId", "resourceType", "resourceKey"]
4837
+ },
4838
+ {
4839
+ kind: "index",
4840
+ name: "by_tenant_role",
4841
+ columns: ["tenantId", "role", "status"]
4842
+ },
4843
+ { kind: "index", name: "by_status", columns: ["status"] },
4844
+ {
4845
+ kind: "index",
4846
+ name: "by_workspace_resource",
4847
+ columns: ["workspaceId", "resourceType", "resourceKey"]
4848
+ }
4849
+ ]
4850
+ });
4851
+ defineTable({
4852
+ name: "permitRelationshipTuples",
4853
+ component: "control-plane",
4854
+ category: "access-control",
4855
+ shape: z.object({
4856
+ tenantId: z.string(),
4857
+ workspaceId: z.optional(z.string()),
4858
+ relation: z.string(),
4859
+ subject: z.string(),
4860
+ object: z.string(),
4861
+ resourceType: z.string().optional(),
4862
+ resourceKey: z.string().optional(),
4863
+ status: permitRecordStatus,
4864
+ attributes: z.record(z.any()).optional(),
4865
+ createdBy: z.string(),
4866
+ createdAt: z.number(),
4867
+ updatedAt: z.number(),
4868
+ lastSeenAt: z.number().optional(),
4869
+ updatedBy: z.string().optional()
4870
+ }),
4871
+ indices: [
4872
+ { kind: "index", name: "by_tenant_subject", columns: ["tenantId", "subject"] },
4873
+ { kind: "index", name: "by_tenant_object", columns: ["tenantId", "object"] },
4874
+ { kind: "index", name: "by_tenant_relation", columns: ["tenantId", "relation"] },
4875
+ {
4876
+ kind: "index",
4877
+ name: "by_tenant_relation_subject",
4878
+ columns: ["tenantId", "relation", "subject"]
4879
+ },
4880
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] }
4881
+ ]
4882
+ });
4883
+ defineTable({
4884
+ name: "permitAttributeBindings",
4885
+ component: "control-plane",
4886
+ category: "access-control",
4887
+ shape: z.object({
4888
+ tenantId: z.string(),
4889
+ workspaceId: z.optional(z.string()),
4890
+ targetType: permitRoleBindingTarget,
4891
+ targetId: z.string(),
4892
+ attributeName: z.string(),
4893
+ attributeType: permitAttributeType,
4894
+ attributeOperator: permitAttributeOperator,
4895
+ attributeValue: z.any(),
4896
+ status: permitRecordStatus,
4897
+ source: z.string().optional(),
4898
+ sourceRef: z.string().optional(),
4899
+ metadata: z.record(z.any()).optional(),
4900
+ createdAt: z.number(),
4901
+ updatedAt: z.number(),
4902
+ createdBy: z.string(),
4903
+ updatedBy: z.string().optional(),
4904
+ expiresAt: z.number().optional()
4905
+ }),
4906
+ indices: [
4907
+ {
4908
+ kind: "index",
4909
+ name: "by_tenant_target",
4910
+ columns: ["tenantId", "targetType", "targetId"]
4911
+ },
4912
+ {
4913
+ kind: "index",
4914
+ name: "by_tenant_target_attribute",
4915
+ columns: ["tenantId", "targetType", "targetId", "attributeName"]
4916
+ },
4917
+ {
4918
+ kind: "index",
4919
+ name: "by_tenant_name",
4920
+ columns: ["tenantId", "attributeName"]
4921
+ },
4922
+ {
4923
+ kind: "index",
4924
+ name: "by_tenant_status",
4925
+ columns: ["tenantId", "status"]
4926
+ }
4927
+ ]
4928
+ });
4929
+ defineTable({
4930
+ name: "permitPolicyBundles",
4931
+ component: "control-plane",
4932
+ category: "access-control",
4933
+ shape: z.object({
4934
+ tenantId: z.string(),
4935
+ workspaceId: z.optional(z.string()),
4936
+ bundleKey: z.string(),
4937
+ version: z.number(),
4938
+ status: permitPolicyBundleStatus,
4939
+ policyHash: z.string().optional(),
4940
+ policyPayload: z.record(z.any()),
4941
+ metadata: z.record(z.any()).optional(),
4942
+ createdBy: z.string(),
4943
+ reviewedBy: z.string().optional(),
4944
+ createdAt: z.number(),
4945
+ updatedAt: z.number(),
4946
+ retiredAt: z.number().optional()
4947
+ }),
4948
+ indices: [
4949
+ { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
4950
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
4951
+ {
4952
+ kind: "index",
4953
+ name: "by_tenant_bundleKey",
4954
+ columns: ["tenantId", "bundleKey"]
4955
+ },
4956
+ {
4957
+ kind: "index",
4958
+ name: "by_tenant_bundle_version",
4959
+ columns: ["tenantId", "bundleKey", "version"]
4960
+ },
4961
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] }
4962
+ ]
4963
+ });
4964
+ defineTable({
4965
+ name: "permitProjectionOutbox",
4966
+ component: "control-plane",
4967
+ category: "access-control",
4968
+ shape: z.object({
4969
+ syncKey: z.string(),
4970
+ objectType: permitObjectType,
4971
+ objectId: z.string(),
4972
+ operation: permitOutboxOperation,
4973
+ payload: z.record(z.any()),
4974
+ status: permitRecordStatus,
4975
+ attemptCount: z.number(),
4976
+ nextAttemptAt: z.number().optional(),
4977
+ lastError: z.string().optional(),
4978
+ tenantId: z.string().optional(),
4979
+ workspaceId: z.optional(z.string()),
4980
+ principalId: z.string().optional(),
4981
+ permitTenantKey: z.string().optional(),
4982
+ permitResourceType: z.string().optional(),
4983
+ permitResourceKey: z.string().optional(),
4984
+ createdAt: z.number(),
4985
+ updatedAt: z.number(),
4986
+ lastHandledAt: z.number().optional()
4987
+ }),
4988
+ indices: [
4989
+ { kind: "index", name: "by_syncKey", columns: ["syncKey"] },
4990
+ { kind: "index", name: "by_status", columns: ["status"] },
4991
+ { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
4992
+ {
4993
+ kind: "index",
4994
+ name: "by_tenant_status",
4995
+ columns: ["tenantId", "status"]
4996
+ },
4997
+ {
4998
+ kind: "index",
4999
+ name: "by_objectType",
5000
+ columns: ["objectType", "status"]
5001
+ }
5002
+ ]
5003
+ });
5004
+ defineTable({
5005
+ name: "tenantPermitSyncStates",
5006
+ component: "control-plane",
5007
+ category: "access-control",
5008
+ shape: z.object({
5009
+ syncKey: z.string(),
5010
+ objectType: permitObjectType,
5011
+ objectId: z.string(),
5012
+ tenantId: z.string().optional(),
5013
+ workspaceId: z.string().optional(),
5014
+ principalId: z.string().optional(),
5015
+ permitTenantKey: z.string().optional(),
5016
+ permitResourceType: z.string().optional(),
5017
+ permitResourceKey: z.string().optional(),
5018
+ desiredPayload: z.record(z.any()),
5019
+ lastAppliedPayloadHash: z.string().optional(),
5020
+ status: permitSyncStatus,
5021
+ attemptCount: z.number(),
5022
+ lastError: z.string().optional(),
5023
+ nextAttemptAt: z.number().optional(),
5024
+ lastSyncedAt: z.number().optional(),
5025
+ createdBy: z.string(),
5026
+ updatedBy: z.string().optional(),
5027
+ createdAt: z.number(),
5028
+ updatedAt: z.number()
5029
+ }),
5030
+ indices: [
5031
+ { kind: "index", name: "by_syncKey", columns: ["syncKey"] },
5032
+ { kind: "index", name: "by_status", columns: ["status"] },
5033
+ {
5034
+ kind: "index",
5035
+ name: "by_tenant_status",
5036
+ columns: ["tenantId", "status"]
5037
+ },
5038
+ {
5039
+ kind: "index",
5040
+ name: "by_workspace_status",
5041
+ columns: ["workspaceId", "status"]
5042
+ },
5043
+ {
5044
+ kind: "index",
5045
+ name: "by_principal_status",
5046
+ columns: ["principalId", "status"]
5047
+ }
5048
+ ]
5049
+ });
5050
+ defineTable({
5051
+ name: "permitPolicyDecisionReceipts",
5052
+ component: "control-plane",
5053
+ category: "access-control",
5054
+ shape: z.object({
5055
+ tenantId: z.string().optional(),
5056
+ workspaceId: z.string().optional(),
5057
+ principalId: z.string(),
5058
+ subjectType: permitAccessReviewSubjectType.optional(),
5059
+ subjectId: z.string().optional(),
5060
+ resourceType: z.string(),
5061
+ resourceId: z.string(),
5062
+ action: z.string(),
5063
+ decision: permitDecision,
5064
+ reasonCode: z.string(),
5065
+ policyBundleId: z.string().optional(),
5066
+ policyVersion: z.string(),
5067
+ traceId: z.string().optional(),
5068
+ requestId: z.string().optional(),
5069
+ audienceMode: z.string().optional(),
5070
+ audienceKey: z.string().optional(),
5071
+ audienceClass: z.enum(["internal", "restricted_external", "public"]).optional(),
5072
+ metadata: z.record(z.any()).optional(),
5073
+ createdAt: z.number(),
5074
+ expiresAt: z.number().optional(),
5075
+ createdBy: z.string().optional()
5076
+ }),
5077
+ indices: [
5078
+ { kind: "index", name: "by_principal_createdAt", columns: ["principalId", "createdAt"] },
5079
+ { kind: "index", name: "by_tenant_createdAt", columns: ["tenantId", "createdAt"] },
5080
+ { kind: "index", name: "by_resource", columns: ["resourceType", "resourceId"] },
5081
+ { kind: "index", name: "by_decision_createdAt", columns: ["decision", "createdAt"] },
5082
+ { kind: "index", name: "by_traceId", columns: ["traceId"] },
5083
+ { kind: "index", name: "by_action", columns: ["action"] }
5084
+ ]
5085
+ });
5086
+ defineTable({
5087
+ name: "permitAccessReviews",
5088
+ component: "control-plane",
5089
+ category: "access-control",
5090
+ shape: z.object({
5091
+ tenantId: z.string(),
5092
+ workspaceId: z.optional(z.string()),
5093
+ reviewKey: z.string(),
5094
+ scope: permitReviewScope,
5095
+ status: permitAccessReviewStatus,
5096
+ subjectType: permitAccessReviewSubjectType,
5097
+ subjectId: z.string(),
5098
+ resourceType: z.string().optional(),
5099
+ resourceKey: z.string().optional(),
5100
+ outcome: z.enum(["allow", "deny"]).optional(),
5101
+ requestedBy: z.string(),
5102
+ reviewedBy: z.string().optional(),
5103
+ requestedAt: z.number(),
5104
+ reviewedAt: z.number().optional(),
5105
+ dueAt: z.number().optional(),
5106
+ justification: z.string().optional(),
5107
+ rationale: z.string().optional(),
5108
+ policyBundleId: z.string().optional(),
5109
+ metadata: z.record(z.any()).optional(),
5110
+ createdAt: z.number(),
5111
+ updatedAt: z.number()
5112
+ }),
5113
+ indices: [
5114
+ { kind: "index", name: "by_tenant_status", columns: ["tenantId", "status"] },
5115
+ { kind: "index", name: "by_tenant_reviewKey", columns: ["tenantId", "reviewKey"] },
5116
+ { kind: "index", name: "by_subject", columns: ["subjectType", "subjectId"] },
5117
+ {
5118
+ kind: "index",
5119
+ name: "by_tenant_subject",
5120
+ columns: ["tenantId", "subjectType", "subjectId"]
5121
+ },
5122
+ { kind: "index", name: "by_outcome", columns: ["outcome"] },
5123
+ {
5124
+ kind: "index",
5125
+ name: "by_workspace_status",
5126
+ columns: ["workspaceId", "status"]
5127
+ }
5128
+ ]
5129
+ });
5130
+ defineTable({
5131
+ name: "permitAccessReviewItems",
5132
+ component: "control-plane",
5133
+ category: "access-control",
5134
+ shape: z.object({
5135
+ reviewKey: z.string(),
5136
+ itemKey: z.string(),
5137
+ tenantId: z.string(),
5138
+ workspaceId: z.string().optional(),
5139
+ subjectType: permitAccessReviewSubjectType,
5140
+ subjectId: z.string(),
5141
+ resourceType: z.string().optional(),
5142
+ resourceKey: z.string().optional(),
5143
+ role: z.string().optional(),
5144
+ relation: z.string().optional(),
5145
+ status: z.enum(["open", "approved", "revoked", "changed", "deferred"]),
5146
+ reviewerId: z.string().optional(),
5147
+ decisionAt: z.number().optional(),
5148
+ rationale: z.string().optional(),
5149
+ metadata: z.record(z.any()).optional(),
5150
+ createdAt: z.number(),
5151
+ updatedAt: z.number()
5152
+ }),
5153
+ indices: [
5154
+ { kind: "index", name: "by_reviewKey", columns: ["reviewKey"] },
5155
+ { kind: "index", name: "by_tenant_reviewKey", columns: ["tenantId", "reviewKey"] },
5156
+ { kind: "index", name: "by_tenant_itemKey", columns: ["tenantId", "itemKey"] },
5157
+ { kind: "index", name: "by_subject", columns: ["subjectType", "subjectId"] },
5158
+ { kind: "index", name: "by_status", columns: ["status"] }
5159
+ ]
5160
+ });
5161
+ defineTable({
5162
+ name: "reasoningPermissions",
5163
+ component: "control-plane",
5164
+ category: "epistemic",
5165
+ shape: z.object({
5166
+ "topicId": z.string().optional(),
5167
+ "principalId": z.string(),
5168
+ "nodeType": z.enum(["belief", "evidence", "action", "approval", "artifact"]),
5169
+ "action": z.enum(["view_conclusion", "view_evidence", "propose_action", "approve_action", "view_derived_artifact"]),
5170
+ "effect": z.enum(["allow", "deny"]),
5171
+ "policyReference": z.string().optional(),
5172
+ "rationale": z.string().optional(),
5173
+ "metadata": z.record(z.any()).optional(),
5174
+ "createdAt": z.number(),
5175
+ "createdBy": z.string(),
5176
+ "updatedAt": z.number()
5177
+ }),
5178
+ indices: [
5179
+ { kind: "index", name: "by_topic_principal", columns: ["topicId", "principalId"] },
5180
+ { kind: "index", name: "by_topic_principal_action", columns: ["topicId", "principalId", "action"] },
5181
+ { kind: "index", name: "by_topic_principal_node_action", columns: ["topicId", "principalId", "nodeType", "action"] },
5182
+ { kind: "index", name: "by_principal_action", columns: ["principalId", "action"] }
5183
+ ]
5184
+ });
5185
+ defineTable({
5186
+ name: "schemaEnumConfig",
5187
+ component: "kernel",
5188
+ category: "config",
5189
+ shape: z.object({
5190
+ "tenantId": z.string().optional(),
5191
+ "category": z.string(),
5192
+ "value": z.string(),
5193
+ "label": z.string(),
5194
+ "description": z.string().optional(),
5195
+ "tier": z.enum(["platform", "tenant"]),
5196
+ "domainNamespace": z.string().optional(),
5197
+ "metadata": z.any().optional(),
5198
+ "isDefault": z.boolean().optional(),
5199
+ "sortOrder": z.number().optional(),
5200
+ "status": z.enum(["active", "deprecated"]),
5201
+ "createdAt": z.number(),
5202
+ "updatedAt": z.number()
5203
+ }),
5204
+ indices: [
5205
+ { kind: "index", name: "by_category", columns: ["category"] },
5206
+ { kind: "index", name: "by_tenant_category", columns: ["tenantId", "category"] },
5207
+ { kind: "index", name: "by_category_value", columns: ["category", "value"] }
5208
+ ]
5209
+ });
5210
+ defineTable({
5211
+ name: "tasks",
5212
+ component: "kernel",
5213
+ category: "task",
5214
+ shape: z.object({
5215
+ "topicId": z.string().optional(),
5216
+ "tenantId": z.string().optional(),
5217
+ "workspaceId": z.string().optional(),
5218
+ "title": z.string(),
5219
+ "description": z.string().optional(),
5220
+ "status": z.enum(["todo", "in_progress", "blocked", "done"]),
5221
+ "priority": z.enum(["urgent", "high", "medium", "low"]),
5222
+ "dueDate": z.number().optional(),
5223
+ "linkedWorktreeId": idOf("worktrees").optional(),
5224
+ "linkedBeliefId": z.string().optional(),
5225
+ "linkedQuestionId": z.string().optional(),
5226
+ "taskType": z.enum(["general", "find_evidence", "verify_claim", "research", "review", "interview", "analysis", "track_metrics"]).optional(),
5227
+ "assigneeId": z.string().optional(),
5228
+ "blockedReason": z.string().optional(),
5229
+ "blockedBy": z.array(idOf("tasks")).optional(),
5230
+ "blocks": z.array(idOf("tasks")).optional(),
5231
+ "sortOrder": z.number().optional(),
5232
+ "executionOrder": z.number().optional(),
5233
+ "subtasks": z.array(z.object({
5234
+ "id": z.string(),
5235
+ "title": z.string(),
5236
+ "completed": z.boolean(),
5237
+ "completedAt": z.number().optional()
5238
+ })).optional(),
5239
+ "comments": z.array(z.object({
5240
+ "id": z.string(),
5241
+ "userId": z.string(),
5242
+ "content": z.string(),
5243
+ "createdAt": z.number()
5244
+ })).optional(),
4298
5245
  "attachments": z.array(z.object({
4299
5246
  "id": z.string(),
4300
5247
  "type": z.enum(["call_script", "email_template", "research_plan", "framework", "checklist", "note", "file", "transcript"]),
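Review bot: `permitRelationshipTuples.status` and `permitAttributeBindings.status` are typed as `permitRecordStatus` (`queued`, `inflight`, `completed`, `failed`, `skipped`, `stale`), the same job lifecycle that `permitProjectionOutbox` uses, and it has no value meaning "in force" or "revoked". `permitRoleAssignments` and `permitGroupMemberships` in this hunk use `permitMembershipStatus`, so an evaluator reading tuples or attribute bindings appears unable to tell a withdrawn grant from a live one unless rows are hard-deleted. If that is not intended, both fields should read `status: permitMembershipStatus,`. Separately, the `by_provider_subject` index on `permitPrincipalAliases` and `by_member_group` on `permitGroupMemberships` omit `tenantId`, so any lookup through them needs its own tenant filter; a comment such as `// not tenant-scoped: callers must filter by tenantId` on each would make that explicit. The `tasks` table at the end of the hunk continues past it.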
@@ -4448,6 +5395,7 @@ defineTable({
4448
5395
  "updatedAt": z.number()
4449
5396
  }),
4450
5397
  indices: [
5398
+ { kind: "index", name: "by_globalId", columns: ["globalId"] },
4451
5399
  { kind: "index", name: "by_parent", columns: ["parentTopicId"] },
4452
5400
  { kind: "index", name: "by_type", columns: ["type"] },
4453
5401
  { kind: "index", name: "by_graph_scope_project", columns: ["graphScopeProjectId"] },
@@ -4459,7 +5407,7 @@ defineTable({
4459
5407
  });
4460
5408
  defineTable({
4461
5409
  name: "users",
4462
- component: "identity",
5410
+ component: "control-plane",
4463
5411
  category: "user",
4464
5412
  shape: z.object({
4465
5413
  "clerkId": z.string(),
@@ -4573,7 +5521,6 @@ defineTable({
4573
5521
  "deployments": z.record(z.object({
4574
5522
  "url": z.string(),
4575
5523
  "target": z.enum(["kernelDeployment", "appDeployment"]).optional(),
4576
- "encryptedDeployKey": z.string().optional(),
4577
5524
  "credentialRef": z.string().optional()
4578
5525
  })).optional(),
4579
5526
  "metadata": z.record(z.any()).optional(),
@@ -4588,6 +5535,39 @@ defineTable({
4588
5535
  { kind: "index", name: "by_status", columns: ["status"] }
4589
5536
  ]
4590
5537
  });
5538
+ defineTable({
5539
+ name: "deploymentHosts",
5540
+ component: "mc",
5541
+ category: "workspace",
5542
+ shape: z.object({
5543
+ "host": z.string(),
5544
+ "tenantId": idOf("tenants"),
5545
+ "workspaceId": idOf("workspaces"),
5546
+ "environment": z.enum(["dev", "staging", "prod"]),
5547
+ "target": z.enum(["kernelDeployment", "appDeployment"]),
5548
+ "deploymentUrl": z.string().optional(),
5549
+ "deploymentName": z.string().optional(),
5550
+ "vercelProjectName": z.string().optional(),
5551
+ "vercelProjectId": z.string().optional(),
5552
+ "vercelEnvironment": z.enum(["development", "preview", "staging", "production"]).optional(),
5553
+ "source": z.enum(["vercel_preview", "vercel_production", "vercel_custom_environment", "custom_domain", "manual"]),
5554
+ "status": z.enum(["active", "revoked"]),
5555
+ "metadata": z.record(z.any()).optional(),
5556
+ "createdBy": z.string(),
5557
+ "createdAt": z.number(),
5558
+ "updatedAt": z.number(),
5559
+ "revokedAt": z.number().optional(),
5560
+ "revokedBy": z.string().optional()
5561
+ }),
5562
+ indices: [
5563
+ { kind: "index", name: "by_host", columns: ["host"] },
5564
+ { kind: "index", name: "by_tenantId", columns: ["tenantId"] },
5565
+ { kind: "index", name: "by_workspaceId", columns: ["workspaceId"] },
5566
+ { kind: "index", name: "by_tenant_workspace_environment", columns: ["tenantId", "workspaceId", "environment"] },
5567
+ { kind: "index", name: "by_workspace_status", columns: ["workspaceId", "status"] },
5568
+ { kind: "index", name: "by_status", columns: ["status"] }
5569
+ ]
5570
+ });
4591
5571
  defineTable({
4592
5572
  name: "worktreeBeliefCluster",
4593
5573
  component: "kernel",
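Review bot: `"host": z.string()` in the new `deploymentHosts` table accepts any string, so the same hostname can be stored in several spellings (mixed case, trailing dot, with a port) and the `by_host` index will treat them as different keys. If this table is what maps a request host to `tenantId`/`workspaceId` (the field names suggest so, but the hunk does not show it), a non-canonical row can shadow or miss the intended binding, and a lookup through `by_host` alone also returns `revoked` rows. I would constrain the column, e.g. `"host": z.string().min(1).max(253).regex(/^[a-z0-9.-]+$/)`, and add `{ kind: "index", name: "by_host_status", columns: ["host", "status"] }` so resolvers can select only `active` bindings. `"metadata": z.record(z.any())` is also unvalidated; a comment stating that it must never carry credentials would help.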
@@ -4895,8 +5875,8 @@ defineTable({
4895
5875
  });
4896
5876
  z.object({
4897
5877
  manifestVersion: z.string(),
4898
- componentName: z.enum(["kernel", "identity"]),
4899
- tier: z.enum(["K", "I"]),
5878
+ componentName: z.enum(["kernel", "control-plane"]),
5879
+ tier: z.enum(["K", "CP"]),
4900
5880
  packageVersion: z.string(),
4901
5881
  tables: z.array(
4902
5882
  z.object({
@@ -5063,7 +6043,7 @@ var TENANT_CLIENT_INSTALLABLE_PACKAGES = [
5063
6043
  },
5064
6044
  {
5065
6045
  packageName: "@lucern/control-plane",
5066
- role: "platform_runtime",
6046
+ role: "component_runtime",
5067
6047
  directTenantImport: false
5068
6048
  },
5069
6049
  {
@@ -5086,11 +6066,6 @@ var TENANT_CLIENT_INSTALLABLE_PACKAGES = [
5086
6066
  role: "host_addon_runtime",
5087
6067
  directTenantImport: true
5088
6068
  },
5089
- {
5090
- packageName: "@lucern/identity",
5091
- role: "component_runtime",
5092
- directTenantImport: false
5093
- },
5094
6069
  {
5095
6070
  packageName: "@lucern/mcp",
5096
6071
  role: "runtime_entrypoint",
@@ -5126,25 +6101,899 @@ var TENANT_CLIENT_INSTALLABLE_PACKAGES = [
5126
6101
  role: "runtime_entrypoint",
5127
6102
  directTenantImport: true
5128
6103
  },
6104
+ {
6105
+ packageName: "@lucern/secrets",
6106
+ role: "sdk_dependency",
6107
+ directTenantImport: false
6108
+ },
5129
6109
  {
5130
6110
  packageName: "@lucern/server-core",
5131
6111
  role: "platform_runtime",
5132
6112
  directTenantImport: false
5133
6113
  },
5134
6114
  {
5135
- packageName: "@lucern/testing",
5136
- role: "test_support",
5137
- directTenantImport: false
6115
+ packageName: "@lucern/testing",
6116
+ role: "test_support",
6117
+ directTenantImport: false
6118
+ },
6119
+ {
6120
+ packageName: "@lucern/types",
6121
+ role: "contract_entrypoint",
6122
+ directTenantImport: true
6123
+ }
6124
+ ];
6125
+ TENANT_CLIENT_INSTALLABLE_PACKAGES.map(
6126
+ (entry) => entry.packageName
6127
+ );
6128
+
6129
+ // ../contracts/src/infisical-runtime.contract.ts
6130
+ var INFISICAL_TENANT_SOFTWARE_SYSTEMS = [
6131
+ {
6132
+ id: "stack-frontend",
6133
+ tenantKey: "stack",
6134
+ workspaceKey: "frontend",
6135
+ vercelProjectName: "ai-chatbot-diao",
6136
+ vercelTeamId: "team_mZBKwvXSSu7qxrWdg2go29sK",
6137
+ vercelProjectId: "prj_PihFw8kohSSw14nZs9YQV3xVo517",
6138
+ vercelWriterTokenEnv: "STACK_VERCEL_TOKEN",
6139
+ repository: {
6140
+ owner: "stack-vc",
6141
+ name: "front-end"
6142
+ },
6143
+ sharedSourcePath: "/tenants/stack",
6144
+ sharedVariablePolicy: "tenant_shared_all_systems",
6145
+ convex: {
6146
+ urlEnv: "CONVEX_FRONTEND_URL",
6147
+ deployKeyEnv: "CONVEX_FRONTEND_DEPLOY_KEY",
6148
+ preprodDeployment: "rugged-lobster-664",
6149
+ prodDeployment: "wonderful-toucan-0"
6150
+ }
6151
+ },
6152
+ {
6153
+ id: "stackos",
6154
+ tenantKey: "stack",
6155
+ workspaceKey: "stackos",
6156
+ vercelProjectName: "stackos",
6157
+ vercelTeamId: "team_mZBKwvXSSu7qxrWdg2go29sK",
6158
+ vercelProjectId: "prj_rXLAL0Z6v9p1fasKbomby6GI7kau",
6159
+ vercelWriterTokenEnv: "STACK_VERCEL_TOKEN",
6160
+ repository: {
6161
+ owner: "stack-vc",
6162
+ name: "stackos"
6163
+ },
6164
+ sharedSourcePath: "/tenants/stack",
6165
+ sharedVariablePolicy: "tenant_shared_all_systems",
6166
+ convex: {
6167
+ urlEnv: "CONVEX_STACKOS_URL",
6168
+ deployKeyEnv: "CONVEX_STACKOS_DEPLOY_KEY",
6169
+ preprodDeployment: "giant-mandrill-761",
6170
+ prodDeployment: "good-snake-515"
6171
+ }
6172
+ },
6173
+ {
6174
+ id: "stack-eng",
6175
+ tenantKey: "stack",
6176
+ workspaceKey: "engineering",
6177
+ vercelProjectName: "stackos-engineering-graph",
6178
+ vercelTeamId: "team_mZBKwvXSSu7qxrWdg2go29sK",
6179
+ vercelProjectId: "prj_zAU0Zn9GkbHjHI63dxW4vLpmoqTJ",
6180
+ vercelWriterTokenEnv: "STACK_VERCEL_TOKEN",
6181
+ repository: {
6182
+ owner: "stack-vc",
6183
+ name: "stackos-engineering-graph"
6184
+ },
6185
+ sharedSourcePath: "/tenants/stack/engineering",
6186
+ sharedVariablePolicy: "tenant_shared_all_systems",
6187
+ convex: {
6188
+ urlEnv: "CONVEX_STACK_ENG_URL",
6189
+ deployKeyEnv: "CONVEX_STACK_ENG_DEPLOY_KEY",
6190
+ preprodDeployment: "small-oyster-270",
6191
+ prodDeployment: "bold-cuttlefish-804"
6192
+ }
6193
+ },
6194
+ {
6195
+ id: "lucern-graph",
6196
+ tenantKey: "lucern",
6197
+ workspaceKey: "lucern",
6198
+ vercelProjectName: "lucern-graph",
6199
+ vercelTeamId: "team_vTHxxs8GAoAFUe6RWMlYt7fY",
6200
+ vercelProjectId: "prj_KJ8EKV8vGM5xURpqmwTwmECEGPgQ",
6201
+ vercelWriterTokenEnv: "LUCERN_VERCEL_TOKEN",
6202
+ repository: {
6203
+ owner: "LucernAI",
6204
+ name: "lucern-graph"
6205
+ },
6206
+ sharedSourcePath: "/tenants/lucern/shared",
6207
+ sharedVariablePolicy: "tenant_shared_all_systems",
6208
+ convex: {
6209
+ urlEnv: "CONVEX_LUCERN_URL",
6210
+ deployKeyEnv: "CONVEX_LUCERN_DEPLOY_KEY",
6211
+ preprodDeployment: "good-blackbird-774",
6212
+ prodDeployment: "precious-dog-365"
6213
+ }
6214
+ }
6215
+ ];
6216
+ var TENANT_SHARED_SECRET_DEFINITION_TEMPLATES = [
6217
+ {
6218
+ idSuffix: "clerk.publishable",
6219
+ canonicalName: "NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY",
6220
+ aliases: ["CLERK_PUBLISHABLE_KEY"],
6221
+ required: true,
6222
+ secret: false,
6223
+ public: true,
6224
+ description: "Tenant-owned Clerk browser key. For Stack this is the master clerk.stack.vc project shared by front-end, StackOS, and the engineering workspace."
6225
+ },
6226
+ {
6227
+ idSuffix: "clerk.secret",
6228
+ canonicalName: "CLERK_SECRET_KEY",
6229
+ required: true,
6230
+ secret: true,
6231
+ public: false,
6232
+ description: "Tenant-owned Clerk backend secret used only by that tenant's server runtimes."
6233
+ },
6234
+ {
6235
+ idSuffix: "clerk.project",
6236
+ canonicalName: "CLERK_PROJECT_ID",
6237
+ required: true,
6238
+ secret: false,
6239
+ public: false,
6240
+ description: "Tenant-owned Clerk project id used to resolve canonical Clerk aliases."
6241
+ },
6242
+ {
6243
+ idSuffix: "clerk.jwks",
6244
+ canonicalName: "CLERK_JWT_ISSUER_DOMAIN",
6245
+ aliases: ["CLERK_ISSUER_URL", "CLERK_JWKS_URL"],
6246
+ required: false,
6247
+ secret: false,
6248
+ public: false,
6249
+ description: "Tenant Clerk issuer/JWKS URL consumed by Convex auth.config.ts."
6250
+ },
6251
+ {
6252
+ idSuffix: "clerk.jwt-key",
6253
+ canonicalName: "CLERK_JWT_KEY",
6254
+ required: false,
6255
+ secret: true,
6256
+ public: false,
6257
+ description: "Tenant Clerk JWT public verification key used by bearer-token API routes."
6258
+ },
6259
+ {
6260
+ idSuffix: "clerk.authorized-parties",
6261
+ canonicalName: "CLERK_AUTHORIZED_PARTIES",
6262
+ aliases: ["CLERK_MOBILE_AUTHORIZED_PARTIES"],
6263
+ required: false,
6264
+ secret: false,
6265
+ public: false,
6266
+ description: "Comma-separated Clerk authorized parties for browser and mobile bearer-token validation."
6267
+ },
6268
+ {
6269
+ idSuffix: "clerk.sign-in-url",
6270
+ canonicalName: "NEXT_PUBLIC_CLERK_SIGN_IN_URL",
6271
+ required: false,
6272
+ secret: false,
6273
+ public: true,
6274
+ description: "Tenant Clerk sign-in route for custom app login surfaces."
6275
+ },
6276
+ {
6277
+ idSuffix: "clerk.sign-up-url",
6278
+ canonicalName: "NEXT_PUBLIC_CLERK_SIGN_UP_URL",
6279
+ required: false,
6280
+ secret: false,
6281
+ public: true,
6282
+ description: "Tenant Clerk sign-up route for custom app login surfaces."
6283
+ }
6284
+ ];
6285
+ INFISICAL_TENANT_SOFTWARE_SYSTEMS.flatMap(
6286
+ (system) => TENANT_SHARED_SECRET_DEFINITION_TEMPLATES.map(
6287
+ (template) => ({
6288
+ id: `tenant.${system.id}.${template.idSuffix}`,
6289
+ canonicalName: template.canonicalName,
6290
+ aliases: "aliases" in template ? template.aliases : void 0,
6291
+ owner: "tenant",
6292
+ scope: "tenant",
6293
+ sourcePath: system.sharedSourcePath,
6294
+ environmentPolicy: "environment_specific",
6295
+ required: template.required,
6296
+ secret: template.secret,
6297
+ public: template.public,
6298
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
6299
+ destinations: [
6300
+ {
6301
+ kind: "vercel",
6302
+ target: system.vercelProjectName,
6303
+ environmentPolicy: "preprod_staging_prod_prod"
6304
+ },
6305
+ {
6306
+ kind: "convex",
6307
+ target: `${system.convex.preprodDeployment}|${system.convex.prodDeployment}`,
6308
+ environmentPolicy: "preprod_staging_prod_prod"
6309
+ }
6310
+ ],
6311
+ description: `${system.tenantKey}/${system.workspaceKey}: ${template.description}`
6312
+ })
6313
+ )
6314
+ );
6315
+ INFISICAL_TENANT_SOFTWARE_SYSTEMS.map(
6316
+ (system) => ({
6317
+ id: `tenant.${system.id}.install-lucern-npm`,
6318
+ canonicalName: "INSTALL_LUCERN_NPM",
6319
+ owner: "provider",
6320
+ scope: "global",
6321
+ sourcePath: "/tenants/shared",
6322
+ environmentPolicy: "same_all_environments",
6323
+ required: true,
6324
+ secret: true,
6325
+ public: false,
6326
+ consumers: ["tenant-vercel-app", "tenant-deploy-tooling"],
6327
+ destinations: [
6328
+ {
6329
+ kind: "vercel",
6330
+ target: system.vercelProjectName,
6331
+ environmentPolicy: "same_all_environments"
6332
+ },
6333
+ {
6334
+ kind: "github_actions",
6335
+ target: `${system.repository.owner}/${system.repository.name}`,
6336
+ environmentPolicy: "same_all_environments"
6337
+ }
6338
+ ],
6339
+ description: `${system.tenantKey}/${system.workspaceKey}: read-only npm install token for published @lucern/* packages.`
6340
+ })
6341
+ );
6342
+ var TENANT_PRODUCT_SOFTWARE_SYSTEM_IDS = ["stack-frontend", "stackos"];
6343
+ var TENANT_PRODUCT_RUNTIME_SECRET_DEFINITION_TEMPLATES = [
6344
+ {
6345
+ idSuffix: "ai.openai-api-key",
6346
+ canonicalName: "OPENAI_API_KEY",
6347
+ required: false,
6348
+ secret: true,
6349
+ public: false,
6350
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment", "tenant-ai-runtime"],
6351
+ description: "Tenant-owned OpenAI key for product runtime LLM calls."
6352
+ },
6353
+ {
6354
+ idSuffix: "ai.anthropic-api-key",
6355
+ canonicalName: "ANTHROPIC_API_KEY",
6356
+ required: false,
6357
+ secret: true,
6358
+ public: false,
6359
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment", "tenant-ai-runtime"],
6360
+ description: "Tenant-owned Anthropic key for product runtime LLM calls."
6361
+ },
6362
+ {
6363
+ idSuffix: "ai.gemini-api-key",
6364
+ canonicalName: "GEMINI_API_KEY",
6365
+ aliases: ["GOOGLE_AI_API_KEY", "GOOGLE_GENERATIVE_AI_API_KEY"],
6366
+ required: false,
6367
+ secret: true,
6368
+ public: false,
6369
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment", "tenant-ai-runtime"],
6370
+ description: "Tenant-owned Google/Gemini key for product runtime LLM calls."
6371
+ },
6372
+ {
6373
+ idSuffix: "langfuse.secret-key",
6374
+ canonicalName: "LANGFUSE_SECRET_KEY",
6375
+ required: false,
6376
+ secret: true,
6377
+ public: false,
6378
+ consumers: [
6379
+ "tenant-vercel-app",
6380
+ "tenant-convex-deployment",
6381
+ "tenant-observability"
6382
+ ],
6383
+ description: "Tenant-owned Langfuse secret key for product AI tracing."
6384
+ },
6385
+ {
6386
+ idSuffix: "langfuse.public-key",
6387
+ canonicalName: "LANGFUSE_PUBLIC_KEY",
6388
+ required: false,
6389
+ secret: false,
6390
+ public: false,
6391
+ consumers: [
6392
+ "tenant-vercel-app",
6393
+ "tenant-convex-deployment",
6394
+ "tenant-observability"
6395
+ ],
6396
+ description: "Tenant-owned Langfuse public key for product AI tracing."
6397
+ },
6398
+ {
6399
+ idSuffix: "langfuse.base-url",
6400
+ canonicalName: "LANGFUSE_BASE_URL",
6401
+ aliases: ["LANGFUSE_BASEURL", "LANGFUSE_HOST"],
6402
+ required: false,
6403
+ secret: false,
6404
+ public: false,
6405
+ consumers: [
6406
+ "tenant-vercel-app",
6407
+ "tenant-convex-deployment",
6408
+ "tenant-observability"
6409
+ ],
6410
+ description: "Tenant-owned Langfuse API origin."
6411
+ },
6412
+ {
6413
+ idSuffix: "graph.neo4j-uri",
6414
+ canonicalName: "NEO4J_URI",
6415
+ required: false,
6416
+ secret: false,
6417
+ public: false,
6418
+ consumers: [
6419
+ "tenant-vercel-app",
6420
+ "tenant-convex-deployment",
6421
+ "tenant-graph-sync"
6422
+ ],
6423
+ description: "Tenant-owned Neo4j URI for product graph-sync."
6424
+ },
6425
+ {
6426
+ idSuffix: "graph.neo4j-user",
6427
+ canonicalName: "NEO4J_USER",
6428
+ aliases: ["NEO4J_USERNAME"],
6429
+ required: false,
6430
+ secret: false,
6431
+ public: false,
6432
+ consumers: [
6433
+ "tenant-vercel-app",
6434
+ "tenant-convex-deployment",
6435
+ "tenant-graph-sync"
6436
+ ],
6437
+ description: "Tenant-owned Neo4j user for product graph-sync."
6438
+ },
6439
+ {
6440
+ idSuffix: "graph.neo4j-password",
6441
+ canonicalName: "NEO4J_PASSWORD",
6442
+ required: false,
6443
+ secret: true,
6444
+ public: false,
6445
+ consumers: [
6446
+ "tenant-vercel-app",
6447
+ "tenant-convex-deployment",
6448
+ "tenant-graph-sync"
6449
+ ],
6450
+ description: "Tenant-owned Neo4j password for product graph-sync."
6451
+ },
6452
+ {
6453
+ idSuffix: "graph.neo4j-sync-secret",
6454
+ canonicalName: "NEO4J_SYNC_SECRET",
6455
+ required: false,
6456
+ secret: true,
6457
+ public: false,
6458
+ consumers: [
6459
+ "tenant-vercel-app",
6460
+ "tenant-convex-deployment",
6461
+ "tenant-graph-sync"
6462
+ ],
6463
+ description: "Tenant-owned shared secret for product Convex-to-HTTP graph-sync calls."
6464
+ },
6465
+ {
6466
+ idSuffix: "graph.neo4j-database",
6467
+ canonicalName: "NEO4J_DATABASE",
6468
+ required: false,
6469
+ secret: false,
6470
+ public: false,
6471
+ consumers: [
6472
+ "tenant-vercel-app",
6473
+ "tenant-convex-deployment",
6474
+ "tenant-graph-sync"
6475
+ ],
6476
+ description: "Tenant-owned Neo4j database name for product graph-sync."
6477
+ },
6478
+ {
6479
+ idSuffix: "vector.pinecone-api-key",
6480
+ canonicalName: "PINECONE_API_KEY",
6481
+ required: false,
6482
+ secret: true,
6483
+ public: false,
6484
+ consumers: [
6485
+ "tenant-vercel-app",
6486
+ "tenant-convex-deployment",
6487
+ "tenant-vector-store"
6488
+ ],
6489
+ description: "Tenant-owned Pinecone API key for product vector search."
6490
+ },
6491
+ {
6492
+ idSuffix: "vector.pinecone-index-name",
6493
+ canonicalName: "PINECONE_INDEX_NAME",
6494
+ aliases: ["PINECONE_INDEX"],
6495
+ required: false,
6496
+ secret: false,
6497
+ public: false,
6498
+ consumers: [
6499
+ "tenant-vercel-app",
6500
+ "tenant-convex-deployment",
6501
+ "tenant-vector-store"
6502
+ ],
6503
+ description: "Tenant-owned Pinecone index name for product vector search."
6504
+ },
6505
+ {
6506
+ idSuffix: "vector.pinecone-host",
6507
+ canonicalName: "PINECONE_HOST",
6508
+ aliases: ["PINECONE_INDEX_HOST"],
6509
+ required: false,
6510
+ secret: false,
6511
+ public: false,
6512
+ consumers: [
6513
+ "tenant-vercel-app",
6514
+ "tenant-convex-deployment",
6515
+ "tenant-vector-store"
6516
+ ],
6517
+ description: "Tenant-owned Pinecone host for product vector search."
6518
+ },
6519
+ {
6520
+ idSuffix: "vector.pinecone-namespace",
6521
+ canonicalName: "PINECONE_NAMESPACE",
6522
+ required: false,
6523
+ secret: false,
6524
+ public: false,
6525
+ consumers: [
6526
+ "tenant-vercel-app",
6527
+ "tenant-convex-deployment",
6528
+ "tenant-vector-store"
6529
+ ],
6530
+ description: "Tenant-owned Pinecone namespace for product vector search isolation."
6531
+ },
6532
+ {
6533
+ idSuffix: "storage.aws-access-key-id",
6534
+ canonicalName: "AWS_ACCESS_KEY_ID",
6535
+ required: false,
6536
+ secret: true,
6537
+ public: false,
6538
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
6539
+ description: "Tenant-owned AWS access key id for document/file ingestion."
6540
+ },
6541
+ {
6542
+ idSuffix: "storage.aws-secret-access-key",
6543
+ canonicalName: "AWS_SECRET_ACCESS_KEY",
6544
+ required: false,
6545
+ secret: true,
6546
+ public: false,
6547
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
6548
+ description: "Tenant-owned AWS secret access key for document/file ingestion."
6549
+ },
6550
+ {
6551
+ idSuffix: "storage.aws-region",
6552
+ canonicalName: "AWS_REGION",
6553
+ required: false,
6554
+ secret: false,
6555
+ public: false,
6556
+ consumers: ["tenant-vercel-app", "tenant-convex-deployment"],
6557
+ description: "Tenant-owned AWS region for document/file ingestion."
6558
+ },
6559
+ {
6560
+ idSuffix: "observability.sentry-dsn",
6561
+ canonicalName: "NEXT_PUBLIC_SENTRY_DSN",
6562
+ aliases: ["NEXT_PUBLIC_SENTRY_DSN_NEXTJS", "SENTRY_DSN"],
6563
+ required: false,
6564
+ secret: false,
6565
+ public: true,
6566
+ consumers: ["tenant-vercel-app", "tenant-observability"],
6567
+ description: "Tenant-owned Sentry DSN for app telemetry."
6568
+ },
6569
+ {
6570
+ idSuffix: "observability.sentry-auth-token",
6571
+ canonicalName: "SENTRY_AUTH_TOKEN",
6572
+ required: false,
6573
+ secret: true,
6574
+ public: false,
6575
+ consumers: ["tenant-deploy-tooling", "tenant-observability"],
6576
+ description: "Tenant-owned Sentry release token for app deployments."
6577
+ },
6578
+ {
6579
+ idSuffix: "observability.sentry-org",
6580
+ canonicalName: "SENTRY_ORG",
6581
+ aliases: ["SENTRY_ORG_SLUG"],
6582
+ required: false,
6583
+ secret: false,
6584
+ public: false,
6585
+ consumers: ["tenant-deploy-tooling", "tenant-observability"],
6586
+ description: "Tenant-owned Sentry org slug for release uploads."
6587
+ },
6588
+ {
6589
+ idSuffix: "observability.sentry-project",
6590
+ canonicalName: "SENTRY_PROJECT",
6591
+ aliases: ["SENTRY_PROJECT_NEXTJS"],
6592
+ required: false,
6593
+ secret: false,
6594
+ public: false,
6595
+ consumers: ["tenant-deploy-tooling", "tenant-observability"],
6596
+ description: "Tenant-owned Sentry project slug for release uploads."
6597
+ },
6598
+ {
6599
+ idSuffix: "observability.sentry-environment",
6600
+ canonicalName: "NEXT_PUBLIC_SENTRY_ENVIRONMENT",
6601
+ aliases: ["SENTRY_ENVIRONMENT"],
6602
+ required: false,
6603
+ secret: false,
6604
+ public: true,
6605
+ consumers: ["tenant-vercel-app", "tenant-observability"],
6606
+ description: "Tenant-owned Sentry environment label."
6607
+ },
6608
+ {
6609
+ idSuffix: "observability.sentry-release",
6610
+ canonicalName: "NEXT_PUBLIC_SENTRY_RELEASE",
6611
+ aliases: ["SENTRY_RELEASE"],
6612
+ required: false,
6613
+ secret: false,
6614
+ public: true,
6615
+ consumers: ["tenant-vercel-app", "tenant-observability"],
6616
+ description: "Tenant-owned Sentry release label."
6617
+ },
6618
+ {
6619
+ idSuffix: "observability.sentry-client-options",
6620
+ canonicalName: "NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE",
6621
+ aliases: [
6622
+ "NEXT_PUBLIC_SENTRY_CAPTURE_CONSOLE_LEVELS",
6623
+ "NEXT_PUBLIC_SENTRY_CAPTURE_CONSOLE_LEVELS_NEXTJS",
6624
+ "NEXT_PUBLIC_SENTRY_CONSOLE_BREADCRUMB_LEVELS",
6625
+ "NEXT_PUBLIC_SENTRY_CONSOLE_BREADCRUMB_LEVELS_NEXTJS",
6626
+ "NEXT_PUBLIC_SENTRY_CONSOLE_LOG_LEVELS",
6627
+ "NEXT_PUBLIC_SENTRY_CONSOLE_LOG_LEVELS_NEXTJS",
6628
+ "NEXT_PUBLIC_SENTRY_ENABLE_LOGS",
6629
+ "NEXT_PUBLIC_SENTRY_REPLAYS_ON_ERROR_SAMPLE_RATE",
6630
+ "NEXT_PUBLIC_SENTRY_REPLAYS_SESSION_SAMPLE_RATE",
6631
+ "NEXT_PUBLIC_SENTRY_SEND_DEFAULT_PII",
6632
+ "NEXT_PUBLIC_SENTRY_TRACES_SAMPLE_RATE_NEXTJS"
6633
+ ],
6634
+ required: false,
6635
+ secret: false,
6636
+ public: true,
6637
+ consumers: ["tenant-vercel-app", "tenant-observability"],
6638
+ description: "Tenant-owned public Sentry tuning values for Next.js client instrumentation."
6639
+ },
6640
+ {
6641
+ idSuffix: "observability.sentry-webhook-secret",
6642
+ canonicalName: "SENTRY_WEBHOOK_SECRET",
6643
+ required: false,
6644
+ secret: true,
6645
+ public: false,
6646
+ consumers: ["tenant-convex-deployment", "tenant-observability"],
6647
+ description: "Tenant-owned Sentry webhook verification secret."
6648
+ },
6649
+ {
6650
+ idSuffix: "lucern.gateway-api-key",
6651
+ canonicalName: "LUCERN_API_KEY",
6652
+ aliases: ["STACK_API_KEY"],
6653
+ required: false,
6654
+ secret: true,
6655
+ public: false,
6656
+ consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
6657
+ description: "Tenant-scoped Lucern/MC gateway API key for product front-door calls."
6658
+ },
6659
+ {
6660
+ idSuffix: "lucern.gateway-base-url",
6661
+ canonicalName: "LUCERN_BASE_URL",
6662
+ aliases: ["LUCERN_API_BASE_URL", "LUCERN_GATEWAY_BASE_URL"],
6663
+ required: false,
6664
+ secret: false,
6665
+ public: false,
6666
+ consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
6667
+ description: "Lucern/MC gateway base URL used by tenant product apps."
6668
+ },
6669
+ {
6670
+ idSuffix: "lucern.proxy-token-secret",
6671
+ canonicalName: "LUCERN_PROXY_TOKEN_SECRET",
6672
+ required: false,
6673
+ secret: true,
6674
+ public: false,
6675
+ consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
6676
+ description: "Tenant-owned secret for signing internal proxy/session tokens in product apps."
6677
+ },
6678
+ {
6679
+ idSuffix: "tenant.integrations.linear-api-key",
6680
+ canonicalName: "LINEAR_API_KEY",
6681
+ required: false,
6682
+ secret: true,
6683
+ public: false,
6684
+ consumers: ["tenant-vercel-app", "tenant-agent-runtime"],
6685
+ description: "Tenant-owned Linear API key for support/slash-command flows."
6686
+ },
6687
+ {
6688
+ idSuffix: "tenant.vercel.bypass-token",
6689
+ canonicalName: "VERCEL_AUTOMATION_BYPASS_SECRET",
6690
+ aliases: ["NEXT_PUBLIC_VERCEL_BYPASS_TOKEN"],
6691
+ required: false,
6692
+ secret: true,
6693
+ public: false,
6694
+ consumers: ["tenant-vercel-app", "tenant-deploy-tooling"],
6695
+ description: "Tenant-owned Vercel automation bypass token. Public alias is legacy and should be removed from app code."
6696
+ }
6697
+ ];
6698
+ INFISICAL_TENANT_SOFTWARE_SYSTEMS.filter(
6699
+ (system) => TENANT_PRODUCT_SOFTWARE_SYSTEM_IDS.includes(system.id)
6700
+ ).flatMap(
6701
+ (system) => TENANT_PRODUCT_RUNTIME_SECRET_DEFINITION_TEMPLATES.map(
6702
+ (template) => ({
6703
+ id: `tenant.${system.id}.${template.idSuffix}`,
6704
+ canonicalName: template.canonicalName,
6705
+ aliases: "aliases" in template ? template.aliases : void 0,
6706
+ owner: "tenant",
6707
+ scope: "tenant",
6708
+ sourcePath: system.sharedSourcePath,
6709
+ environmentPolicy: "environment_specific",
6710
+ required: template.required,
6711
+ secret: template.secret,
6712
+ public: template.public,
6713
+ consumers: template.consumers,
6714
+ destinations: [
6715
+ {
6716
+ kind: "vercel",
6717
+ target: system.vercelProjectName,
6718
+ environmentPolicy: "preprod_staging_prod_prod"
6719
+ },
6720
+ {
6721
+ kind: "convex",
6722
+ target: `${system.convex.preprodDeployment}|${system.convex.prodDeployment}`,
6723
+ environmentPolicy: "preprod_staging_prod_prod"
6724
+ },
6725
+ {
6726
+ kind: "github_actions",
6727
+ target: `${system.repository.owner}/${system.repository.name}`,
6728
+ environmentPolicy: "preprod_staging_prod_prod"
6729
+ }
6730
+ ],
6731
+ description: `${system.tenantKey}/${system.workspaceKey}: ${template.description}`
6732
+ })
6733
+ )
6734
+ );
6735
+ function tenantVercelConvexUrlWriteNames(system) {
6736
+ const names = [system.convex.urlEnv, "NEXT_PUBLIC_CONVEX_URL"];
6737
+ if (system.id === "stack-eng") {
6738
+ return [...names, "STACKOS_ENGINEERING_GRAPH_CONVEX_URL"];
6739
+ }
6740
+ return names;
6741
+ }
6742
+ function tenantRepositoryConvexUrlWriteNames(system) {
6743
+ if (system.id === "stack-eng") {
6744
+ return [system.convex.urlEnv, "STACKOS_ENGINEERING_GRAPH_CONVEX_URL"];
6745
+ }
6746
+ return [system.convex.urlEnv];
6747
+ }
6748
+ function tenantRepositoryConvexDeployKeyWriteNames(system) {
6749
+ if (system.id === "stack-eng") {
6750
+ return [system.convex.deployKeyEnv, "STACKOS_ENGINEERING_GRAPH_DEPLOY_KEY"];
6751
+ }
6752
+ return [system.convex.deployKeyEnv];
6753
+ }
6754
+ function tenantConvexUrlAliases(system) {
6755
+ if (system.id === "stack-frontend") {
6756
+ return [
6757
+ "CONVEX_PROD_URL",
6758
+ "CONVEX_STACK_V2_PROD_URL",
6759
+ "CONVEX_STACK_V2_STAGING_URL",
6760
+ "STACK_CONVEX_URL"
6761
+ ];
6762
+ }
6763
+ if (system.id === "stackos") {
6764
+ return [
6765
+ "CONVEX_CLOUD_URL",
6766
+ "CONVEX_STACK_URL",
6767
+ "CONVEX_URL",
6768
+ "CONVEX_URL_DEVELOPMENT",
6769
+ "CONVEX_URL_PRODUCTION",
6770
+ "STACK_CONVEX_URL"
6771
+ ];
6772
+ }
6773
+ if (system.id === "stack-eng") {
6774
+ return ["STACKOS_ENGINEERING_GRAPH_CONVEX_URL"];
6775
+ }
6776
+ if (system.id === "lucern-graph") {
6777
+ return [
6778
+ "CONVEX_GRAPH_URL",
6779
+ "LUCERN_PROD_URL",
6780
+ "NEXT_PUBLIC_LUCERN_GRAPH_URL"
6781
+ ];
6782
+ }
6783
+ return void 0;
6784
+ }
6785
+ function tenantConvexDeployKeyAliases(system) {
6786
+ if (system.id === "stack-frontend") {
6787
+ return [
6788
+ "CONVEX_STACK_V2_PROD_DEPLOY_KEY",
6789
+ "CONVEX_STACK_V2_STAGING_DEPLOY_KEY",
6790
+ "STACK_DEPLOY_KEY"
6791
+ ];
6792
+ }
6793
+ if (system.id === "stackos") {
6794
+ return [
6795
+ "CONVEX_DEPLOY_KEY",
6796
+ "CONVEX_DEV_DEPLOY_KEY",
6797
+ "CONVEX_PROD_DEPLOY_KEY",
6798
+ "CONVEX_STACK_DEPLOY_KEY",
6799
+ "STACK_DEPLOY_KEY"
6800
+ ];
6801
+ }
6802
+ if (system.id === "stack-eng") {
6803
+ return ["CONVEX_DEPLOY_KEY", "STACKOS_ENGINEERING_GRAPH_DEPLOY_KEY"];
6804
+ }
6805
+ if (system.id === "lucern-graph") {
6806
+ return [
6807
+ "CONVEX_DEPLOY_KEY",
6808
+ "CONVEX_GRAPH_DEPLOY_KEY",
6809
+ "LUCERN_CONVEX_DEPLOY_KEY",
6810
+ "LUCERN_DEV_DEPLOY_KEY",
6811
+ "LUCERN_PROD_DEPLOY_KEY"
6812
+ ];
6813
+ }
6814
+ return void 0;
6815
+ }
6816
+ INFISICAL_TENANT_SOFTWARE_SYSTEMS.flatMap(
6817
+ (system) => {
6818
+ if (system.id === "lucern-graph") {
6819
+ return [
6820
+ {
6821
+ id: "tenant.lucern-graph.public.tenant-id",
6822
+ canonicalName: "NEXT_PUBLIC_LUCERN_GRAPH_TENANT_ID",
6823
+ aliases: ["NEXT_PUBLIC_LUCERN_TENANT_ID"],
6824
+ owner: "tenant",
6825
+ scope: "workspace",
6826
+ sourcePath: system.sharedSourcePath,
6827
+ environmentPolicy: "environment_specific",
6828
+ required: false,
6829
+ secret: false,
6830
+ public: true,
6831
+ consumers: ["tenant-vercel-app"],
6832
+ destinations: [
6833
+ {
6834
+ kind: "vercel",
6835
+ target: system.vercelProjectName,
6836
+ environmentPolicy: "preprod_staging_prod_prod"
6837
+ }
6838
+ ],
6839
+ description: "Lucern graph public tenant id used by the standalone graph explorer."
6840
+ },
6841
+ {
6842
+ id: "tenant.lucern-graph.public.tenant-label",
6843
+ canonicalName: "NEXT_PUBLIC_LUCERN_GRAPH_TENANT_LABEL",
6844
+ owner: "tenant",
6845
+ scope: "workspace",
6846
+ sourcePath: system.sharedSourcePath,
6847
+ environmentPolicy: "environment_specific",
6848
+ required: false,
6849
+ secret: false,
6850
+ public: true,
6851
+ consumers: ["tenant-vercel-app"],
6852
+ destinations: [
6853
+ {
6854
+ kind: "vercel",
6855
+ target: system.vercelProjectName,
6856
+ environmentPolicy: "preprod_staging_prod_prod"
6857
+ }
6858
+ ],
6859
+ description: "Lucern graph public tenant label used by the standalone graph explorer."
6860
+ }
6861
+ ];
6862
+ }
6863
+ if (system.id === "stack-eng") {
6864
+ return [
6865
+ {
6866
+ id: "tenant.stack-eng.public.tenant-id",
6867
+ canonicalName: "NEXT_PUBLIC_STACKOS_ENGINEERING_GRAPH_TENANT_ID",
6868
+ owner: "tenant",
6869
+ scope: "workspace",
6870
+ sourcePath: system.sharedSourcePath,
6871
+ environmentPolicy: "environment_specific",
6872
+ required: false,
6873
+ secret: false,
6874
+ public: true,
6875
+ consumers: ["tenant-vercel-app"],
6876
+ destinations: [
6877
+ {
6878
+ kind: "vercel",
6879
+ target: system.vercelProjectName,
6880
+ environmentPolicy: "preprod_staging_prod_prod"
6881
+ }
6882
+ ],
6883
+ description: "Stack engineering graph public tenant id used by the graph explorer."
6884
+ },
6885
+ {
6886
+ id: "tenant.stack-eng.public.tenant-label",
6887
+ canonicalName: "NEXT_PUBLIC_STACKOS_ENGINEERING_GRAPH_TENANT_LABEL",
6888
+ owner: "tenant",
6889
+ scope: "workspace",
6890
+ sourcePath: system.sharedSourcePath,
6891
+ environmentPolicy: "environment_specific",
6892
+ required: false,
6893
+ secret: false,
6894
+ public: true,
6895
+ consumers: ["tenant-vercel-app"],
6896
+ destinations: [
6897
+ {
6898
+ kind: "vercel",
6899
+ target: system.vercelProjectName,
6900
+ environmentPolicy: "preprod_staging_prod_prod"
6901
+ }
6902
+ ],
6903
+ description: "Stack engineering graph public tenant label used by the graph explorer."
6904
+ },
6905
+ {
6906
+ id: "tenant.stack-eng.public.environment",
6907
+ canonicalName: "NEXT_PUBLIC_STACKOS_ENGINEERING_GRAPH_ENV",
6908
+ owner: "tenant",
6909
+ scope: "workspace",
6910
+ sourcePath: system.sharedSourcePath,
6911
+ environmentPolicy: "environment_specific",
6912
+ required: false,
6913
+ secret: false,
6914
+ public: true,
6915
+ consumers: ["tenant-vercel-app"],
6916
+ destinations: [
6917
+ {
6918
+ kind: "vercel",
6919
+ target: system.vercelProjectName,
6920
+ environmentPolicy: "preprod_staging_prod_prod"
6921
+ }
6922
+ ],
6923
+ description: "Stack engineering graph public environment label used by the graph explorer."
6924
+ }
6925
+ ];
6926
+ }
6927
+ return [];
6928
+ }
6929
+ );
6930
+ INFISICAL_TENANT_SOFTWARE_SYSTEMS.flatMap((system) => [
6931
+ {
6932
+ id: `tenant.${system.id}.convex.url`,
6933
+ canonicalName: system.convex.urlEnv,
6934
+ aliases: tenantConvexUrlAliases(system),
6935
+ owner: "tenant",
6936
+ scope: "software_system",
6937
+ sourcePath: system.sharedSourcePath,
6938
+ environmentPolicy: "preprod_staging_prod_prod",
6939
+ required: true,
6940
+ secret: false,
6941
+ public: false,
6942
+ consumers: [
6943
+ "tenant-vercel-app",
6944
+ "tenant-agent-runtime",
6945
+ "mc-operator-tooling"
6946
+ ],
6947
+ destinations: [
6948
+ {
6949
+ kind: "vercel",
6950
+ target: system.vercelProjectName,
6951
+ environmentPolicy: "preprod_staging_prod_prod",
6952
+ writeNames: tenantVercelConvexUrlWriteNames(system)
6953
+ },
6954
+ {
6955
+ kind: "github_actions",
6956
+ target: `${system.repository.owner}/${system.repository.name}`,
6957
+ environmentPolicy: "preprod_staging_prod_prod",
6958
+ writeNames: tenantRepositoryConvexUrlWriteNames(system),
6959
+ notes: "Only if that repository deploy/test workflow owns this software system."
6960
+ }
6961
+ ],
6962
+ description: `${system.tenantKey}/${system.workspaceKey} Convex URL. Pre-prod resolves to ${system.convex.preprodDeployment}; prod resolves to ${system.convex.prodDeployment}.`
5138
6963
  },
5139
6964
  {
5140
- packageName: "@lucern/types",
5141
- role: "contract_entrypoint",
5142
- directTenantImport: true
6965
+ id: `tenant.${system.id}.convex.deploy-key`,
6966
+ canonicalName: system.convex.deployKeyEnv,
6967
+ aliases: tenantConvexDeployKeyAliases(system),
6968
+ owner: "tenant",
6969
+ scope: "software_system",
6970
+ sourcePath: system.sharedSourcePath,
6971
+ environmentPolicy: "preprod_staging_prod_prod",
6972
+ required: true,
6973
+ secret: true,
6974
+ public: false,
6975
+ consumers: [
6976
+ "tenant-vercel-app",
6977
+ "tenant-agent-runtime",
6978
+ "mc-operator-tooling"
6979
+ ],
6980
+ destinations: [
6981
+ {
6982
+ kind: "vercel",
6983
+ target: system.vercelProjectName,
6984
+ environmentPolicy: "preprod_staging_prod_prod"
6985
+ },
6986
+ {
6987
+ kind: "github_actions",
6988
+ target: `${system.repository.owner}/${system.repository.name}`,
6989
+ environmentPolicy: "preprod_staging_prod_prod",
6990
+ writeNames: tenantRepositoryConvexDeployKeyWriteNames(system),
6991
+ notes: "Only if that repository deploy/test workflow owns this software system."
6992
+ }
6993
+ ],
6994
+ description: `${system.tenantKey}/${system.workspaceKey} Convex deploy/admin key. Never route to sibling workspaces.`
5143
6995
  }
5144
- ];
5145
- TENANT_CLIENT_INSTALLABLE_PACKAGES.map(
5146
- (entry) => entry.packageName
5147
- );
6996
+ ]);
5148
6997
  z.object({
5149
6998
  manifestVersion: z.literal("1.0.0"),
5150
6999
  rules: z.array(
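Review bot: `INFISICAL_TENANT_SOFTWARE_SYSTEMS` hard-codes one operator's tenant inventory (Vercel team and project ids, Convex deployment names, GitHub repositories, Infisical source paths) into `dist/runtime.js`, so every installer of this published package receives it. None of these values is a credential, but together they record which environment-variable names hold which secrets for which named deployment. The `flatMap`/`map` expressions built from them run at module load with their results discarded, so this bundle does not appear to need them. I would keep the contract to the schema and load the per-tenant list from operator-side configuration, or move this module to a package that is not published. Separately, the `tenant.vercel.bypass-token` template is `secret: true` yet lists `aliases: ["NEXT_PUBLIC_VERCEL_BYPASS_TOKEN"]`; Next.js inlines `NEXT_PUBLIC_` variables into client bundles, so if aliases are ever written to a destination (not visible here) the token becomes public, and the alias should be dropped rather than documented as legacy.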
@@ -5185,7 +7034,7 @@ var createEvidenceInputSchemaBase = z.object({
5185
7034
  targetId: z.string().optional(),
5186
7035
  targetNodeId: z.string().optional(),
5187
7036
  linkedBeliefNodeId: z.string().optional(),
5188
- evidenceRelation: z.enum(["supports", "contradicts", "neutral"]).optional(),
7037
+ evidenceRelation: z.enum(["supports", "contradicts"]).optional(),
5189
7038
  confidence: z.number().optional(),
5190
7039
  weight: z.number().optional(),
5191
7040
  reasoning: z.string().optional(),
@@ -5270,8 +7119,7 @@ var createEvidenceProjection = defineProjection({
5270
7119
  evidenceRelation: v.optional(
5271
7120
  v.union(
5272
7121
  v.literal("supports"),
5273
- v.literal("contradicts"),
5274
- v.literal("neutral")
7122
+ v.literal("contradicts")
5275
7123
  )
5276
7124
  ),
5277
7125
  confidence: v.optional(v.number()),
@@ -5296,7 +7144,7 @@ function compactRecord2(input) {
5296
7144
  Object.entries(input).filter(([, value]) => value !== void 0)
5297
7145
  );
5298
7146
  }
5299
- var listBeliefsProjection = defineProjection({
7147
+ defineProjection({
5300
7148
  contractName: "list_beliefs",
5301
7149
  inputSchema: listBeliefsInputSchema,
5302
7150
  project: (input) => compactRecord2({
@@ -5320,12 +7168,17 @@ var listBeliefsProjection = defineProjection({
5320
7168
  });
5321
7169
  var taskStatusSchema = z.enum(["todo", "in_progress", "blocked", "done"]).optional().describe("Filter by task status");
5322
7170
  var listTasksInputSchema = z.object({
5323
- topicId: z.string().describe("Topic scope"),
7171
+ topicId: z.string().optional().describe("Topic scope"),
5324
7172
  worktreeId: z.string().optional().describe("Alias for linkedWorktreeId"),
5325
7173
  linkedWorktreeId: z.string().optional().describe("Filter to tasks linked to this worktree"),
5326
7174
  status: taskStatusSchema,
5327
7175
  limit: z.number().optional().describe("Maximum results")
5328
- });
7176
+ }).refine(
7177
+ (input) => Boolean(input.topicId || input.worktreeId || input.linkedWorktreeId),
7178
+ {
7179
+ message: "topicId or worktreeId is required"
7180
+ }
7181
+ );
5329
7182
  function compactRecord3(input) {
5330
7183
  return Object.fromEntries(
5331
7184
  Object.entries(input).filter(([, value]) => value !== void 0)
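Review bot: The refine message reads "topicId or worktreeId is required", but the predicate on the line above it also accepts `linkedWorktreeId`, so the message should be `message: "topicId, worktreeId or linkedWorktreeId is required"`. The at-least-one-scope rule also lives only in this Zod refinement: the `convexArgsValidator` hunk that follows relaxes `topicId` to `v.optional(v.string())` with no matching check in the lines shown. If the Convex function can be reached without passing through `listTasksInputSchema`, a call carrying neither a topic nor a worktree would be an unscoped task listing, so the handler (not visible here) should reject that case itself rather than rely on the client-side schema.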
@@ -5342,7 +7195,7 @@ var listTasksProjection = defineProjection({
5342
7195
  linkedWorktreeId: input.linkedWorktreeId ?? input.worktreeId
5343
7196
  }),
5344
7197
  convexArgsValidator: v.object({
5345
- topicId: v.string(),
7198
+ topicId: v.optional(v.string()),
5346
7199
  status: v.optional(
5347
7200
  v.union(
5348
7201
  v.literal("todo"),
@@ -6389,19 +8242,23 @@ var FIND_CONTRADICTIONS = {
6389
8242
  };
6390
8243
  var CREATE_EDGE = {
6391
8244
  name: "create_edge",
6392
- description: "Commit a typed relationship between two nodes in the reasoning graph. Like `git commit` \u2014 an atomic write that declares a dependency between nodes. The engine enforces layer transition rules \u2014 for example, L1 \u2192 L3 direct edges are forbidden (must go through L2).",
8245
+ description: "Commit a typed relationship between two nodes in the reasoning graph. Like `git commit` \u2014 an atomic write that declares a dependency between nodes. Accepts any public epistemic edge type between public graph node refs so agents can author the full spine.",
6393
8246
  parameters: {
6394
- sourceId: {
6395
- type: "string",
6396
- description: "Source node of the relationship"
8247
+ from: {
8248
+ type: "object",
8249
+ description: "Source graph ref, e.g. { kind: 'epistemic_node', nodeId: '...', nodeType: 'topic' }"
6397
8250
  },
6398
- targetId: {
6399
- type: "string",
6400
- description: "Target node of the relationship"
8251
+ to: {
8252
+ type: "object",
8253
+ description: "Target graph ref, e.g. { kind: 'epistemic_node', nodeId: '...', nodeType: 'belief' }"
6401
8254
  },
6402
8255
  edgeType: {
6403
8256
  type: "string",
6404
- description: "Relationship type (informs, tests, depends_on, supersedes, etc.)"
8257
+ description: "Relationship type from the public epistemic edge enum."
8258
+ },
8259
+ globalId: {
8260
+ type: "string",
8261
+ description: "Optional idempotent edge global ID."
6405
8262
  },
6406
8263
  weight: {
6407
8264
  type: "number",
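Review bot: `from` and `to` are declared as bare `type: "object"`, with the expected ref shape (`kind`, `nodeId`, `nodeType`) given only as an example inside the description string, so this contract gives a validator nothing with which to reject a malformed ref before it reaches the handler. The description also drops the earlier statement that the engine enforces layer transition rules and now says the tool accepts "any public epistemic edge type"; if those rules are still enforced server-side, keep that sentence so the change is not read as a relaxation of graph integrity checks. I would at least name the mandatory fields in the parameter text, e.g. `description: "Source graph ref object with required kind, nodeId and nodeType"`, assuming that matches what the handler requires. The `CREATE_EDGE` object starts above and continues below this hunk; the next hunk adds a free-form `metadata` object to the same contract, which deserves the same treatment.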
@@ -6411,10 +8268,14 @@ var CREATE_EDGE = {
6411
8268
  reasoningMethod: {
6412
8269
  type: "string",
6413
8270
  description: "How this was determined",
6414
- enum: ["deductive", "inductive", "abductive", "analogical", "empirical"]
8271
+ enum: [...REASONING_METHODS]
8272
+ },
8273
+ metadata: {
8274
+ type: "object",
8275
+ description: "Optional edge metadata."
6415
8276
  }
6416
8277
  },
6417
- required: ["sourceId", "targetId", "edgeType"],
8278
+ required: ["from", "to", "edgeType"],
6418
8279
  response: {
6419
8280
  description: "The created edge",
6420
8281
  fields: {
@@ -6428,6 +8289,240 @@ var CREATE_EDGE = {
6428
8289
  ontologyPrimitive: "edge",
6429
8290
  tier: "showcase"
6430
8291
  };
8292
+ var UPDATE_EDGE = {
8293
+ name: "update_edge",
8294
+ description: "Amend metadata on an existing graph edge. Like `git commit --amend` \u2014 changes the edge annotation without recreating the relationship.",
8295
+ parameters: {
8296
+ edgeId: { type: "string", description: "Edge ID or global ID to update" },
8297
+ weight: { type: "number", description: "Updated edge weight" },
8298
+ confidence: { type: "number", description: "Updated confidence" },
8299
+ context: { type: "string", description: "Updated human-readable context" },
8300
+ derivationType: { type: "string", description: "Updated derivation type" },
8301
+ metadata: { type: "object", description: "Updated metadata" }
8302
+ },
8303
+ required: ["edgeId"],
8304
+ response: {
8305
+ description: "Edge update result",
8306
+ fields: { success: "boolean" }
8307
+ },
8308
+ ownerModule: "graph-primitives",
8309
+ ontologyPrimitive: "edge",
8310
+ tier: "workhorse"
8311
+ };
8312
+ var REMOVE_EDGE = {
8313
+ name: "remove_edge",
8314
+ description: "Remove one graph edge by ID. Like `git rm` \u2014 deletes a single explicit relationship from the spine.",
8315
+ parameters: {
8316
+ edgeId: { type: "string", description: "Edge ID or global ID to remove" }
8317
+ },
8318
+ required: ["edgeId"],
8319
+ response: {
8320
+ description: "Edge removal result",
8321
+ fields: { success: "boolean" }
8322
+ },
8323
+ ownerModule: "graph-primitives",
8324
+ ontologyPrimitive: "edge",
8325
+ tier: "workhorse"
8326
+ };
8327
+ var REMOVE_EDGES_BETWEEN = {
8328
+ name: "remove_edges_between",
8329
+ description: "Remove graph edges between two nodes. Like `git rm <pathspec>` \u2014 deletes relationships matching a source, target, and optional type.",
8330
+ parameters: {
8331
+ fromNodeId: { type: "string", description: "Source node ID or global ID" },
8332
+ toNodeId: { type: "string", description: "Target node ID or global ID" },
8333
+ edgeType: { type: "string", description: "Optional edge type filter" }
8334
+ },
8335
+ required: ["fromNodeId", "toNodeId"],
8336
+ response: {
8337
+ description: "Matched edge removal result",
8338
+ fields: { deleted: "number" }
8339
+ },
8340
+ ownerModule: "graph-primitives",
8341
+ ontologyPrimitive: "edge",
8342
+ tier: "workhorse"
8343
+ };
8344
+ var BATCH_CREATE_EDGES = {
8345
+ name: "batch_create_edges",
8346
+ description: "Commit multiple typed graph edges. Like `git commit` with many staged paths \u2014 writes a batch of explicit relationships atomically per edge.",
8347
+ parameters: {
8348
+ edges: {
8349
+ type: "array",
8350
+ description: "Edges to create, each with from, to, edgeType, and optional weight/confidence/context."
8351
+ },
8352
+ skipLayerValidation: {
8353
+ type: "boolean",
8354
+ description: "Skip kernel layer validation for trusted materialization flows."
8355
+ }
8356
+ },
8357
+ required: ["edges"],
8358
+ response: {
8359
+ description: "Batch edge creation result",
8360
+ fields: {
8361
+ created: "number",
8362
+ results: "array",
8363
+ errors: "array"
8364
+ }
8365
+ },
8366
+ ownerModule: "graph-primitives",
8367
+ ontologyPrimitive: "edge",
8368
+ tier: "workhorse"
8369
+ };
8370
+ var CREATE_EPISTEMIC_NODE = {
8371
+ name: "create_epistemic_node",
8372
+ description: "Commit a generic epistemic graph node. Like `git commit` \u2014 creates a canonical node in the public spine for topics, beliefs, evidence, questions, answers, sources, and entities.",
8373
+ parameters: {
8374
+ globalId: { type: "string", description: "Optional idempotent node global ID" },
8375
+ nodeType: { type: "string", description: "Public epistemic node type" },
8376
+ canonicalText: { type: "string", description: "Canonical node text" },
8377
+ text: { type: "string", description: "Alias for canonicalText" },
8378
+ contentHash: { type: "string", description: "Optional idempotency content hash" },
8379
+ sourceType: { type: "string", description: "Source type for provenance" },
8380
+ topicId: { type: "string", description: "Optional topic scope" },
8381
+ content: { type: "string", description: "Extended content" },
8382
+ title: { type: "string", description: "Display title" },
8383
+ metadata: { type: "object", description: "Optional node metadata" }
8384
+ },
8385
+ required: ["nodeType"],
8386
+ response: {
8387
+ description: "Created node result",
8388
+ fields: {
8389
+ nodeId: "string",
8390
+ nodeGlobalId: "string",
8391
+ isDuplicate: "boolean"
8392
+ }
8393
+ },
8394
+ ownerModule: "reasoning-kernel",
8395
+ ontologyPrimitive: "graph",
8396
+ tier: "showcase"
8397
+ };
8398
+ var GET_EPISTEMIC_NODE = {
8399
+ name: "get_epistemic_node",
8400
+ description: "Read one epistemic graph node. Like `git show` \u2014 resolves a canonical spine node by ID or global ID.",
8401
+ parameters: {
8402
+ nodeId: { type: "string", description: "Node ID or global ID" }
8403
+ },
8404
+ required: ["nodeId"],
8405
+ response: {
8406
+ description: "The resolved node",
8407
+ fields: { node: "object" }
8408
+ },
8409
+ ownerModule: "reasoning-kernel",
8410
+ ontologyPrimitive: "graph",
8411
+ tier: "workhorse"
8412
+ };
8413
+ var LIST_EPISTEMIC_NODES = {
8414
+ name: "list_epistemic_nodes",
8415
+ description: "List epistemic graph nodes. Like `git ls-tree` \u2014 lists canonical spine nodes by topic, type, status, or search query.",
8416
+ parameters: {
8417
+ topicId: { type: "string", description: "Optional topic scope" },
8418
+ nodeType: { type: "string", description: "Optional node type filter" },
8419
+ status: { type: "string", description: "Optional lifecycle status" },
8420
+ searchQuery: { type: "string", description: "Optional text search query" },
8421
+ limit: { type: "number", description: "Maximum nodes to return" }
8422
+ },
8423
+ required: [],
8424
+ response: {
8425
+ description: "Matching nodes",
8426
+ fields: { nodes: "array" }
8427
+ },
8428
+ ownerModule: "reasoning-kernel",
8429
+ ontologyPrimitive: "graph",
8430
+ tier: "workhorse"
8431
+ };
8432
+ var UPDATE_EPISTEMIC_NODE = {
8433
+ name: "update_epistemic_node",
8434
+ description: "Amend an epistemic graph node. Like `git commit --amend` \u2014 updates mutable node metadata, text, status, or verification fields.",
8435
+ parameters: {
8436
+ nodeId: { type: "string", description: "Node ID or global ID" },
8437
+ canonicalText: { type: "string", description: "Updated canonical text" },
8438
+ text: { type: "string", description: "Alias for canonicalText" },
8439
+ contentHash: { type: "string", description: "Updated content hash" },
8440
+ content: { type: "string", description: "Updated content" },
8441
+ title: { type: "string", description: "Updated display title" },
8442
+ metadata: { type: "object", description: "Updated metadata" },
8443
+ confidence: { type: "number", description: "Updated confidence" },
8444
+ verificationStatus: { type: "string", description: "Updated verification status" },
8445
+ status: { type: "string", description: "Updated lifecycle status" }
8446
+ },
8447
+ required: ["nodeId"],
8448
+ response: {
8449
+ description: "Node update result",
8450
+ fields: { success: "boolean" }
8451
+ },
8452
+ ownerModule: "reasoning-kernel",
8453
+ ontologyPrimitive: "graph",
8454
+ tier: "workhorse"
8455
+ };
8456
+ var ARCHIVE_EPISTEMIC_NODE = {
8457
+ name: "archive_epistemic_node",
8458
+ description: "Archive an epistemic graph node. Like `git rm --cached` \u2014 removes a node from active traversal without hard-deleting it.",
8459
+ parameters: {
8460
+ nodeId: { type: "string", description: "Node ID or global ID" }
8461
+ },
8462
+ required: ["nodeId"],
8463
+ response: {
8464
+ description: "Archive result",
8465
+ fields: { success: "boolean", effectiveStatus: "string" }
8466
+ },
8467
+ ownerModule: "reasoning-kernel",
8468
+ ontologyPrimitive: "graph",
8469
+ tier: "workhorse"
8470
+ };
8471
+ var VERIFY_EPISTEMIC_NODE = {
8472
+ name: "verify_epistemic_node",
8473
+ description: "Record verification state on an epistemic graph node. Like `git tag` \u2014 marks the node with a reviewed verification state.",
8474
+ parameters: {
8475
+ nodeId: { type: "string", description: "Node ID or global ID" },
8476
+ verificationStatus: { type: "string", description: "Verification status" },
8477
+ confidence: { type: "number", description: "Optional confidence update" }
8478
+ },
8479
+ required: ["nodeId", "verificationStatus"],
8480
+ response: {
8481
+ description: "Verification result",
8482
+ fields: { success: "boolean" }
8483
+ },
8484
+ ownerModule: "reasoning-kernel",
8485
+ ontologyPrimitive: "graph",
8486
+ tier: "workhorse"
8487
+ };
8488
+ var SUPERSEDE_EPISTEMIC_NODE = {
8489
+ name: "supersede_epistemic_node",
8490
+ description: "Supersede an epistemic graph node with a new version. Like `git commit --amend` on an immutable history branch \u2014 creates the replacement and marks the old node superseded.",
8491
+ parameters: {
8492
+ oldNodeId: { type: "string", description: "Node ID or global ID to supersede" },
8493
+ newGlobalId: { type: "string", description: "Optional replacement global ID" },
8494
+ newCanonicalText: { type: "string", description: "Replacement canonical text" },
8495
+ text: { type: "string", description: "Alias for newCanonicalText" },
8496
+ newContentHash: { type: "string", description: "Optional replacement content hash" },
8497
+ reason: { type: "string", description: "Reason for superseding" }
8498
+ },
8499
+ required: ["oldNodeId"],
8500
+ response: {
8501
+ description: "Supersede result",
8502
+ fields: { oldNodeId: "string", newNodeId: "string" }
8503
+ },
8504
+ ownerModule: "reasoning-kernel",
8505
+ ontologyPrimitive: "graph",
8506
+ tier: "workhorse"
8507
+ };
8508
+ var BATCH_CREATE_EPISTEMIC_NODES = {
8509
+ name: "batch_create_epistemic_nodes",
8510
+ description: "Commit multiple epistemic graph nodes. Like `git commit` with many staged files \u2014 writes a batch of canonical spine nodes.",
8511
+ parameters: {
8512
+ nodes: {
8513
+ type: "array",
8514
+ description: "Nodes to create with nodeType, canonicalText/text, and optional metadata."
8515
+ }
8516
+ },
8517
+ required: ["nodes"],
8518
+ response: {
8519
+ description: "Batch node creation result",
8520
+ fields: { created: "number", results: "array" }
8521
+ },
8522
+ ownerModule: "reasoning-kernel",
8523
+ ontologyPrimitive: "graph",
8524
+ tier: "workhorse"
8525
+ };
6431
8526
  var RECORD_JUDGMENT = {
6432
8527
  name: "record_judgment",
6433
8528
  description: "Record a judgment \u2014 an irreversible commitment based on the current epistemic state. Like a `git tag` marking a release. A judgment synthesizes beliefs, evidence, and uncertainties into a determination. Once issued, a judgment is evaluated against the epistemic state that existed when it was made (knowledge horizon evaluation, Invariant #10).",
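Review bot: `skipLayerValidation` in `BATCH_CREATE_EDGES` is a caller-settable boolean on a published tool contract, while its own description restricts it to "trusted materialization flows"; nothing in the contract ties the flag to a scope or principal type. If the handler (not visible in this diff) honours the flag as sent, any caller allowed to invoke `batch_create_edges` can opt out of kernel layer validation for the whole batch. I would either remove the parameter from the agent-facing contract or state the gate in the text and enforce it server-side, e.g. `description: "Skip kernel layer validation. Honoured only for callers authorized for materialization; ignored otherwise."`. In the same hunk, `verify_epistemic_node` takes `verificationStatus` as an unconstrained string, unlike the enums used elsewhere in this file, so the set of accepted states and who may set a verified state should be spelled out there too.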
@@ -7627,8 +9722,8 @@ var IDENTITY_WHOAMI = {
7627
9722
  response: {
7628
9723
  description: "Canonical identity summary for the current session",
7629
9724
  fields: {
7630
- principalId: "string \u2014 canonical federated principal identifier",
7631
- principalType: "string \u2014 human, service, or agent",
9725
+ principalId: "string \u2014 canonical principal identifier; for humans this is the Clerk user_... ID",
9726
+ principalType: "string \u2014 human, service, agent, group, or external_viewer",
7632
9727
  tenantId: "string | undefined \u2014 resolved tenant scope",
7633
9728
  workspaceId: "string | undefined \u2014 resolved workspace scope",
7634
9729
  scopes: "string[] | undefined \u2014 granted scopes for this session",
@@ -7639,6 +9734,49 @@ var IDENTITY_WHOAMI = {
7639
9734
  ontologyPrimitive: "identity",
7640
9735
  tier: "workhorse"
7641
9736
  };
9737
+ var RESOLVE_INTERACTIVE_PRINCIPAL = {
9738
+ name: "resolve_interactive_principal",
9739
+ description: "Read the Permit-backed Lucern principal context for an authenticated Clerk user. Like `git config --get user.email` plus the repository ACL \u2014 resolves the Clerk subject into tenant/workspace authorization context.",
9740
+ parameters: {
9741
+ clerkId: {
9742
+ type: "string",
9743
+ description: "Authenticated Clerk subject (`sub`). Clerk proves identity only; it is not the authorization record."
9744
+ },
9745
+ tenantId: {
9746
+ type: "string",
9747
+ description: "Optional tenant scope. Omit only when the Clerk alias is globally unambiguous."
9748
+ },
9749
+ workspaceId: {
9750
+ type: "string",
9751
+ description: "Optional workspace scope. Required when the principal has access to multiple workspaces and no default can be inferred."
9752
+ },
9753
+ providerProjectId: {
9754
+ type: "string",
9755
+ description: "Optional Clerk project or provider instance id for tenants with multiple identity providers."
9756
+ }
9757
+ },
9758
+ required: ["clerkId"],
9759
+ response: {
9760
+ description: "Permit-backed Lucern principal context for tenant SDK bootstrap",
9761
+ fields: {
9762
+ principalId: "string \u2014 canonical Clerk user_... ID for human sessions",
9763
+ principalType: "string \u2014 human, service, agent, group, or external_viewer",
9764
+ clerkId: "string \u2014 authenticated Clerk subject alias",
9765
+ tenantId: "string \u2014 resolved tenant scope",
9766
+ workspaceId: "string | null \u2014 resolved workspace scope",
9767
+ roles: "string[] \u2014 effective Permit roles",
9768
+ scopes: "string[] \u2014 effective scopes derived from Permit/control-plane projection",
9769
+ groupIds: "string[] \u2014 active Permit group memberships",
9770
+ principalStatus: "string \u2014 active, invited, suspended, disabled, revoked, or missing",
9771
+ tenantStatus: "string \u2014 projected tenant resource status",
9772
+ workspaceStatus: "string \u2014 projected workspace resource status",
9773
+ permit: "object \u2014 Permit subject, tenant, and optional workspace tuple"
9774
+ }
9775
+ },
9776
+ ownerModule: "control-plane",
9777
+ ontologyPrimitive: "identity",
9778
+ tier: "workhorse"
9779
+ };
7642
9780
  var COMPILE_CONTEXT = {
7643
9781
  name: "compile_context",
7644
9782
  description: "Compile a focused reasoning context. If topicId is omitted, Lucern resolves the best topic from the query. Like `git log --graph --decorate` for the reasoning substrate \u2014 returns the canonical Pillar 3 context pack through the public API shape.",
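Review bot: `clerkId` is accepted as a request parameter and the response returns `roles`, `scopes` and `groupIds` for it, so this lookup is only as safe as a server-side check that the supplied value equals the subject of the caller's verified session. The description calls it the "authenticated Clerk subject", but neither this contract nor the `resolve_interactive_principal` registry entry later in this diff (whose `convex` binding has no `inputProjection`) shows that binding; the handler is outside the diff, so it may already be enforced. Without it, a caller could read another principal's authorization context simply by naming their ID, and the optional `tenantId` has the same property. I would put the rule in the parameter text, e.g. `description: "Clerk subject (sub) of the caller's verified session; a request for any other subject is rejected unless the caller is a trusted service principal."`, and cover the mismatch case with a test.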
@@ -7900,6 +10038,10 @@ var CREATE_TASK = {
7900
10038
  tags: {
7901
10039
  type: "array",
7902
10040
  description: "Free-form string tags"
10041
+ },
10042
+ metadata: {
10043
+ type: "object",
10044
+ description: "Structured task metadata for handoff context and routing hints"
7903
10045
  }
7904
10046
  },
7905
10047
  required: ["title"],
@@ -7973,6 +10115,10 @@ var UPDATE_TASK = {
7973
10115
  type: "string",
7974
10116
  description: "Updated status",
7975
10117
  enum: ["todo", "in_progress", "blocked", "done"]
10118
+ },
10119
+ metadata: {
10120
+ type: "object",
10121
+ description: "Structured task metadata to replace or refine"
7976
10122
  }
7977
10123
  },
7978
10124
  required: ["taskId"],
@@ -8020,6 +10166,10 @@ var CREATE_TOPIC = {
8020
10166
  name: "create_topic",
8021
10167
  description: "Create a new topic container for scoping knowledge. Like `git init` \u2014 initializes a new repository for a knowledge domain. Topics are hierarchical: a deal topic can nest under a theme topic. Types: domain, theme, deal, strategy, constitution, project, portfolio.",
8022
10168
  parameters: {
10169
+ globalId: {
10170
+ type: "string",
10171
+ description: "Optional idempotent topic global ID"
10172
+ },
8023
10173
  name: { type: "string", description: "Topic name" },
8024
10174
  type: {
8025
10175
  type: "string",
@@ -8030,6 +10180,18 @@ var CREATE_TOPIC = {
8030
10180
  type: "string",
8031
10181
  description: "Optional parent topic for nesting"
8032
10182
  },
10183
+ parentTopicGlobalId: {
10184
+ type: "string",
10185
+ description: "Optional parent topic global ID for nesting"
10186
+ },
10187
+ tenantId: { type: "string", description: "Optional tenant scope" },
10188
+ workspaceId: { type: "string", description: "Optional workspace scope" },
10189
+ visibility: {
10190
+ type: "string",
10191
+ description: "Topic visibility",
10192
+ enum: ["private", "team", "firm", "external", "public"]
10193
+ },
10194
+ metadata: { type: "object", description: "Optional topic metadata" },
8033
10195
  createdBy: { type: "string", description: "Who created this topic" }
8034
10196
  },
8035
10197
  required: ["name", "type"],
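Review bot: `tenantId` and `workspaceId` become caller-supplied parameters on a write tool here, documented only as "Optional tenant scope" and "Optional workspace scope". The `withPrincipal` helper visible further down this diff resolves `input.tenantId ?? context.tenantId`, meaning a supplied value takes precedence over the session's; whether `create_topic` is routed through that helper is not visible, but if it follows the same pattern the handler must verify the supplied tenant and workspace against the caller's memberships before writing. Suggested wording: `description: "Optional tenant scope; must be a tenant the caller is authorized for, defaults to the session tenant"`. The new `visibility` enum also includes `external` and `public` with no stated default, so the description should say which value applies when the field is omitted. `CREATE_TOPIC` begins above and ends below this hunk.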
@@ -8038,6 +10200,9 @@ var CREATE_TOPIC = {
8038
10200
  fields: {
8039
10201
  id: "string \u2014 topic ID",
8040
10202
  globalId: "string \u2014 globally unique ID",
10203
+ topicGlobalId: "string \u2014 topic global ID",
10204
+ epistemicNodeId: "string \u2014 materialized topic node ID",
10205
+ epistemicNodeGlobalId: "string \u2014 materialized topic node global ID",
8041
10206
  depth: "number \u2014 nesting depth"
8042
10207
  }
8043
10208
  },
@@ -8159,10 +10324,69 @@ var GET_TOPIC_TREE = {
8159
10324
  description: "Maximum depth to traverse (default: 5)"
8160
10325
  }
8161
10326
  },
8162
- required: ["rootId"],
10327
+ required: ["rootId"],
10328
+ response: {
10329
+ description: "Tree of topics with nesting",
10330
+ fields: { tree: "array \u2014 topics in BFS order with depth and path" }
10331
+ },
10332
+ ownerModule: "reasoning-kernel",
10333
+ ontologyPrimitive: "graph",
10334
+ tier: "workhorse"
10335
+ };
10336
+ var MATERIALIZE_TOPIC_GRAPH = {
10337
+ name: "materialize_topic_graph",
10338
+ description: "Backfill the topic graph spine. Like `git fsck --connectivity-only` with repair enabled \u2014 creates missing topic nodes and parent-child edges idempotently.",
10339
+ parameters: {
10340
+ rootTopicId: {
10341
+ type: "string",
10342
+ description: "Optional root topic for a bounded materialization pass"
10343
+ },
10344
+ dryRun: {
10345
+ type: "boolean",
10346
+ description: "When true, report missing rows without writing them"
10347
+ }
10348
+ },
10349
+ required: [],
10350
+ response: {
10351
+ description: "Topic graph materialization counts",
10352
+ fields: {
10353
+ topicsSeen: "number",
10354
+ nodesCreated: "number",
10355
+ nodesExisting: "number",
10356
+ edgesCreated: "number",
10357
+ edgesExisting: "number",
10358
+ errors: "array"
10359
+ }
10360
+ },
10361
+ ownerModule: "reasoning-kernel",
10362
+ ontologyPrimitive: "graph",
10363
+ tier: "workhorse"
10364
+ };
10365
+ var GET_TOPIC_GRAPH_SPINE = {
10366
+ name: "get_topic_graph_spine",
10367
+ description: "Verify the topic graph spine. Like `git fsck` \u2014 reads topics, materialized topic nodes, parent-child edges, and missing spine rows.",
10368
+ parameters: {
10369
+ rootTopicId: {
10370
+ type: "string",
10371
+ description: "Optional root topic for a bounded verifier pass"
10372
+ },
10373
+ includeTopicBeliefEdges: {
10374
+ type: "boolean",
10375
+ description: "Include topic -> belief edges in the verifier payload"
10376
+ }
10377
+ },
10378
+ required: [],
8163
10379
  response: {
8164
- description: "Tree of topics with nesting",
8165
- fields: { tree: "array \u2014 topics in BFS order with depth and path" }
10380
+ description: "Topic graph spine verification payload",
10381
+ fields: {
10382
+ ok: "boolean",
10383
+ counts: "object",
10384
+ topics: "array",
10385
+ topicNodes: "array",
10386
+ parentEdges: "array",
10387
+ missingTopicNodes: "array",
10388
+ missingParentEdges: "array"
10389
+ }
8166
10390
  },
8167
10391
  ownerModule: "reasoning-kernel",
8168
10392
  ontologyPrimitive: "graph",
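Review bot: `materialize_topic_graph` is a write tool whose parameters are all optional (`required: []`), so a call with an empty argument object is valid, and with `rootTopicId` omitted the pass is not bounded to any subtree. The `dryRun` description does not say what happens when the flag is absent; if the default is to write, an agent probing the tool will create nodes and edges across every topic it can reach. I would document the default explicitly in the `dryRun` description and, if the handler allows it, make the dry run the default so that writing requires an explicit `dryRun: false`. The tool is also added to `MCP_CORE_OPERATION_NAMES` later in this diff, which makes the safe default matter more.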
@@ -8363,7 +10587,7 @@ var MANAGE_WRITE_POLICY = {
8363
10587
  },
8364
10588
  role: {
8365
10589
  type: "string",
8366
- description: "Role to set policy for (required for 'set'). E.g. 'agent:internal', 'user:analyst'."
10590
+ description: "Role to set policy for (required for 'set'). E.g. 'agent:internal' or a Permit role key such as 'workspace_admin'."
8367
10591
  },
8368
10592
  permission: {
8369
10593
  type: "string",
@@ -9350,6 +11574,9 @@ var BEGIN_BUILD_SESSION = {
9350
11574
  sessionMode: "string \u2014 async | interactive",
9351
11575
  targetBeliefIds: "array \u2014 scoped belief IDs",
9352
11576
  targetQuestionIds: "array \u2014 scoped question IDs",
11577
+ taskIds: "array \u2014 assigned task IDs for this worktree",
11578
+ incompleteTaskIds: "array \u2014 assigned task IDs that still require done/deferred/blocked proof",
11579
+ tasks: "array \u2014 assigned task packet with id, title, status, priority, links, and summaries",
9353
11580
  topBeliefs: "array \u2014 highest-confidence scoped beliefs",
9354
11581
  openQuestions: "array \u2014 open scoped questions",
9355
11582
  resolvedDecisions: "array \u2014 answered questions summarized for the session",
@@ -9405,6 +11632,19 @@ var MCP_TOOL_CONTRACTS = {
9405
11632
  bisect_confidence: BISECT_CONFIDENCE,
9406
11633
  // Edges (commit)
9407
11634
  create_edge: CREATE_EDGE,
11635
+ update_edge: UPDATE_EDGE,
11636
+ remove_edge: REMOVE_EDGE,
11637
+ remove_edges_between: REMOVE_EDGES_BETWEEN,
11638
+ batch_create_edges: BATCH_CREATE_EDGES,
11639
+ // Epistemic node spine (commit/amend/show)
11640
+ create_epistemic_node: CREATE_EPISTEMIC_NODE,
11641
+ get_epistemic_node: GET_EPISTEMIC_NODE,
11642
+ list_epistemic_nodes: LIST_EPISTEMIC_NODES,
11643
+ update_epistemic_node: UPDATE_EPISTEMIC_NODE,
11644
+ archive_epistemic_node: ARCHIVE_EPISTEMIC_NODE,
11645
+ verify_epistemic_node: VERIFY_EPISTEMIC_NODE,
11646
+ supersede_epistemic_node: SUPERSEDE_EPISTEMIC_NODE,
11647
+ batch_create_epistemic_nodes: BATCH_CREATE_EPISTEMIC_NODES,
9408
11648
  // Judgments (tag)
9409
11649
  record_judgment: RECORD_JUDGMENT,
9410
11650
  // Graph intelligence (showcase)
@@ -9439,6 +11679,7 @@ var MCP_TOOL_CONTRACTS = {
9439
11679
  update_worktree_targets: UPDATE_WORKTREE_TARGETS,
9440
11680
  update_worktree_metadata: UPDATE_WORKTREE_METADATA,
9441
11681
  identity_whoami: IDENTITY_WHOAMI,
11682
+ resolve_interactive_principal: RESOLVE_INTERACTIVE_PRINCIPAL,
9442
11683
  compile_context: COMPILE_CONTEXT,
9443
11684
  record_scope_learning: RECORD_SCOPE_LEARNING,
9444
11685
  pipeline_snapshot: PIPELINE_SNAPSHOT,
@@ -9478,6 +11719,8 @@ var MCP_TOOL_CONTRACTS = {
9478
11719
  get_topic: GET_TOPIC,
9479
11720
  update_topic: UPDATE_TOPIC,
9480
11721
  get_topic_tree: GET_TOPIC_TREE,
11722
+ materialize_topic_graph: MATERIALIZE_TOPIC_GRAPH,
11723
+ get_topic_graph_spine: GET_TOPIC_GRAPH_SPINE,
9481
11724
  // Coding intelligence (code-grounded knowledge)
9482
11725
  get_code_context: GET_CODE_CONTEXT,
9483
11726
  get_change_history: GET_CHANGE_HISTORY,
@@ -9554,6 +11797,7 @@ function entries(names, surfaceClass, surfaceIntent, surfaces, rationale) {
9554
11797
  var MCP_CORE_OPERATION_NAMES = [
9555
11798
  "compile_context",
9556
11799
  "identity_whoami",
11800
+ "resolve_interactive_principal",
9557
11801
  "check_permission",
9558
11802
  "filter_by_permission",
9559
11803
  "create_belief",
@@ -9582,14 +11826,28 @@ var MCP_CORE_OPERATION_NAMES = [
9582
11826
  "find_missing_questions",
9583
11827
  "get_high_priority_questions",
9584
11828
  "get_falsification_questions",
11829
+ "create_epistemic_node",
11830
+ "get_epistemic_node",
11831
+ "list_epistemic_nodes",
11832
+ "update_epistemic_node",
11833
+ "archive_epistemic_node",
11834
+ "verify_epistemic_node",
11835
+ "supersede_epistemic_node",
11836
+ "batch_create_epistemic_nodes",
9585
11837
  "create_topic",
9586
11838
  "get_topic",
9587
11839
  "list_topics",
9588
11840
  "update_topic",
9589
- "get_topic_tree"
11841
+ "get_topic_tree",
11842
+ "materialize_topic_graph",
11843
+ "get_topic_graph_spine"
9590
11844
  ];
9591
11845
  var MCP_ANALYSIS_PLATFORM_OPERATION_NAMES = [
9592
11846
  "create_edge",
11847
+ "update_edge",
11848
+ "remove_edge",
11849
+ "remove_edges_between",
11850
+ "batch_create_edges",
9593
11851
  "query_lineage",
9594
11852
  "traverse_graph",
9595
11853
  "get_graph_neighborhood",
@@ -9921,12 +12179,20 @@ function unwrapMcpParameterSchema(schema) {
9921
12179
  current = current._def.schema;
9922
12180
  continue;
9923
12181
  default:
9924
- return { schema: current, required, description: description ?? current.description };
12182
+ return {
12183
+ schema: current,
12184
+ required,
12185
+ description: description ?? current.description
12186
+ };
9925
12187
  }
9926
12188
  }
9927
12189
  }
9928
12190
  function mcpParameterFromZod(fieldName, schema, contractName) {
9929
- const { schema: unwrapped, required, description: schemaDescription } = unwrapMcpParameterSchema(schema);
12191
+ const {
12192
+ schema: unwrapped,
12193
+ required,
12194
+ description: schemaDescription
12195
+ } = unwrapMcpParameterSchema(schema);
9930
12196
  const description = schemaDescription ?? unwrapped.description ?? fieldName;
9931
12197
  switch (unwrapped._def.typeName) {
9932
12198
  case z.ZodFirstPartyTypeKind.ZodString:
@@ -9971,10 +12237,12 @@ function mcpContractFromArgsSchema(base, args, contractName) {
9971
12237
  const entries2 = Object.entries(getObjectShape(args)).sort(
9972
12238
  ([left], [right]) => left.localeCompare(right)
9973
12239
  );
9974
- const converted = entries2.map(([fieldName, schema]) => [
9975
- fieldName,
9976
- mcpParameterFromZod(fieldName, schema, contractName)
9977
- ]);
12240
+ const converted = entries2.map(
12241
+ ([fieldName, schema]) => [
12242
+ fieldName,
12243
+ mcpParameterFromZod(fieldName, schema, contractName)
12244
+ ]
12245
+ );
9978
12246
  return {
9979
12247
  ...base,
9980
12248
  parameters: Object.fromEntries(
@@ -10083,9 +12351,16 @@ function surfaceContract(args) {
10083
12351
  scopes: args.scopes ?? [
10084
12352
  args.kind === "query" ? `${args.domain}.read` : `${args.domain}.write`
10085
12353
  ],
10086
- allowedPrincipalTypes: ["user", "service", "agent"]
12354
+ allowedPrincipalTypes: [
12355
+ "user",
12356
+ "service",
12357
+ "agent",
12358
+ "group",
12359
+ "external_viewer"
12360
+ ]
10087
12361
  },
10088
12362
  convex: args.convex,
12363
+ gateway: args.gateway,
10089
12364
  args: canonicalArgs,
10090
12365
  returns: canonicalReturns,
10091
12366
  input,
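Review bot: The default `allowedPrincipalTypes` is widened to include `group` and `external_viewer` for every contract built by `surfaceContract`, mutations included, since the `scopes` default just above still yields `${args.domain}.write` for non-query kinds. In the lines shown the list is a literal rather than something read from `args`, so write surfaces would depend on scope checks alone to keep an external viewer out. A least-privilege default would add the new types only for reads, e.g. `allowedPrincipalTypes: args.kind === "query" ? ["user", "service", "agent", "group", "external_viewer"] : ["user", "service", "agent"]`, or accept a per-contract override. The tool documentation changed elsewhere in this diff names the human principal type `human` while this list uses `user`; confirm which spelling the gateway compares against. `surfaceContract` starts and ends outside this hunk.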
@@ -10224,8 +12499,6 @@ var contextContracts = [
10224
12499
  args: observationContextArgs
10225
12500
  })
10226
12501
  ];
10227
-
10228
- // ../contracts/src/function-registry/identity.ts
10229
12502
  var withPrincipal = (input, context) => ({
10230
12503
  ...input,
10231
12504
  tenantId: input.tenantId ?? context.tenantId,
@@ -10244,11 +12517,30 @@ var identityContracts = [
10244
12517
  sdkNamespace: "identity",
10245
12518
  sdkMethod: "whoami",
10246
12519
  summary: "Describe the current gateway principal.",
12520
+ gateway: {
12521
+ handler: "identity.whoami"
12522
+ }
12523
+ }),
12524
+ surfaceContract({
12525
+ name: "resolve_interactive_principal",
12526
+ kind: "query",
12527
+ domain: "controlPlane",
12528
+ surfaceClass: "platform_public",
12529
+ method: "POST",
12530
+ path: "/control-plane/identity/resolve-interactive-principal",
12531
+ sdkNamespace: "controlPlane.identity",
12532
+ sdkMethod: "resolveInteractivePrincipal",
12533
+ summary: "Resolve an authenticated Clerk user into a Permit-backed Lucern principal context.",
12534
+ args: z.object({
12535
+ clerkId: z.string().min(1),
12536
+ tenantId: z.string().min(1).optional(),
12537
+ workspaceId: z.string().min(1).optional(),
12538
+ providerProjectId: z.string().min(1).optional()
12539
+ }),
10247
12540
  convex: {
10248
- module: "identity",
10249
- functionName: "whoami",
10250
- kind: "query",
10251
- inputProjection: withPrincipal
12541
+ module: "platform",
12542
+ functionName: "resolveInteractivePrincipal",
12543
+ kind: "query"
10252
12544
  }
10253
12545
  }),
10254
12546
  surfaceContract({
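Review bot: `resolve_interactive_principal` takes `clerkId` from the request arguments and its `convex` block has no `inputProjection`, while the `withPrincipal` projection that tied the old `whoami` call to the gateway context is removed in this same hunk. As declared, a caller admitted to this `platform_public` query (default scope `controlPlane.read`) could ask for the principal context of any Clerk user, unless `platform.resolveInteractivePrincipal` checks the id against the verified session, which is not visible here. Consider taking the Clerk id from the authenticated context in a projection, or restricting the contract to the service principal that performs sign-in, and add a comment on the contract saying which is intended.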
@@ -10330,15 +12622,6 @@ var beliefLookupInput = (input) => compactRecord4({
10330
12622
  var beliefNodeInput = (input) => compactRecord4({
10331
12623
  nodeId: input.nodeId ?? input.id ?? input.beliefId
10332
12624
  });
10333
- var beliefTopicInput = (input) => {
10334
- const parsed = listBeliefsProjection.inputSchema.safeParse(input);
10335
- if (!parsed.success) {
10336
- throw new Error(
10337
- `list_beliefs projection input rejected: ${parsed.error.message}`
10338
- );
10339
- }
10340
- return compactRecord4(listBeliefsProjection.project(parsed.data));
10341
- };
10342
12625
  var createBeliefInput = (input, context) => {
10343
12626
  return withUserId(
10344
12627
  compactRecord4({
@@ -10427,11 +12710,8 @@ var beliefsContracts = [
10427
12710
  sdkNamespace: "beliefs",
10428
12711
  sdkMethod: "listBeliefs",
10429
12712
  summary: "List beliefs for a topic.",
10430
- convex: {
10431
- module: "beliefs",
10432
- functionName: "getByTopic",
10433
- kind: "query",
10434
- inputProjection: beliefTopicInput
12713
+ gateway: {
12714
+ handler: "beliefs.list"
10435
12715
  },
10436
12716
  args: listBeliefsInputSchema
10437
12717
  }),
@@ -10572,7 +12852,7 @@ var beliefsContracts = [
10572
12852
  })
10573
12853
  ];
10574
12854
  var jsonRecordSchema4 = z.record(z.unknown());
10575
- var evidenceRelationSchema = z.enum(["supports", "contradicts", "neutral"]);
12855
+ var evidenceRelationSchema = z.enum(["supports", "contradicts"]);
10576
12856
  var createEvidenceArgs = z.object({
10577
12857
  topicId: z.string().optional().describe("Topic scope for the evidence."),
10578
12858
  text: z.string().describe("Canonical evidence text."),
@@ -10616,12 +12896,6 @@ var evidenceIdInput = (input) => compactRecord4({
10616
12896
  insightId: input.insightId,
10617
12897
  nodeId: input.nodeId ?? input.id ?? input.evidenceId
10618
12898
  });
10619
- var evidenceTopicInput = (input) => compactRecord4({
10620
- topicId: input.topicId,
10621
- status: input.status,
10622
- userId: input.userId,
10623
- limit: input.limit
10624
- });
10625
12899
  var createEvidenceInput = (input, context) => {
10626
12900
  const parsed = createEvidenceProjection.inputSchema.safeParse(input);
10627
12901
  if (!parsed.success) {
@@ -10752,11 +13026,8 @@ var evidenceContracts = [
10752
13026
  sdkNamespace: "evidence",
10753
13027
  sdkMethod: "listEvidence",
10754
13028
  summary: "List evidence for a topic.",
10755
- convex: {
10756
- module: "evidence",
10757
- functionName: "getByTopic",
10758
- kind: "query",
10759
- inputProjection: evidenceTopicInput
13029
+ gateway: {
13030
+ handler: "evidence.list"
10760
13031
  }
10761
13032
  }),
10762
13033
  surfaceContract({
@@ -10991,11 +13262,8 @@ var questionsContracts = [
10991
13262
  sdkNamespace: "questions",
10992
13263
  sdkMethod: "listQuestions",
10993
13264
  summary: "List questions for a topic.",
10994
- convex: {
10995
- module: "questions",
10996
- functionName: "getByTopic",
10997
- kind: "query",
10998
- inputProjection: questionTopicInput
13265
+ gateway: {
13266
+ handler: "questions.list"
10999
13267
  }
11000
13268
  }),
11001
13269
  surfaceContract({
@@ -11198,18 +13466,50 @@ var questionsContracts = [
11198
13466
  args: falsificationQuestionsArgs
11199
13467
  })
11200
13468
  ];
13469
+ var topicVisibilitySchema = z.enum([
13470
+ "private",
13471
+ "team",
13472
+ "firm",
13473
+ "external",
13474
+ "public"
13475
+ ]);
13476
+ var topicStatusSchema = z.enum(["active", "archived", "watching"]);
13477
+ var createTopicArgs = z.object({
13478
+ globalId: z.string().optional().describe("Optional idempotent topic global ID."),
13479
+ name: z.string().describe("Topic name."),
13480
+ description: z.string().optional().describe("Topic description."),
13481
+ type: z.string().describe("Topic type."),
13482
+ parentTopicId: z.string().optional().describe("Optional parent topic ID."),
13483
+ parentTopicGlobalId: z.string().optional().describe("Optional parent topic global ID."),
13484
+ ontologyId: z.string().optional().describe("Ontology to bind."),
13485
+ tenantId: z.string().optional().describe("Optional tenant scope."),
13486
+ workspaceId: z.string().optional().describe("Optional workspace scope."),
13487
+ visibility: topicVisibilitySchema.optional().describe("Topic visibility."),
13488
+ metadata: z.record(z.unknown()).optional().describe("Topic metadata."),
13489
+ graphScopeProjectId: z.string().optional(),
13490
+ createdBy: z.string().optional()
13491
+ });
11201
13492
  var updateTopicArgs = z.object({
11202
13493
  id: z.string().describe("Topic ID."),
11203
13494
  topicId: z.string().optional().describe("Topic ID alias."),
11204
13495
  name: z.string().optional().describe("Topic name."),
11205
13496
  description: z.string().optional().describe("Topic description."),
11206
13497
  type: z.string().optional().describe("Topic type."),
11207
- status: z.string().optional().describe("Topic status."),
11208
- visibility: z.string().optional().describe("Topic visibility."),
13498
+ status: topicStatusSchema.optional().describe("Topic status."),
13499
+ visibility: topicVisibilitySchema.optional().describe("Topic visibility."),
11209
13500
  ontologyId: z.string().optional().describe("Ontology to bind."),
11210
13501
  clearOntologyId: z.boolean().optional().describe("Whether to clear the ontology binding."),
11211
13502
  metadata: z.record(z.unknown()).optional().describe("Topic metadata.")
11212
13503
  });
13504
+ var materializeTopicGraphArgs = z.object({
13505
+ rootTopicId: z.string().optional().describe("Optional root topic ID."),
13506
+ dryRun: z.boolean().optional().describe("Report missing rows without writing."),
13507
+ createdBy: z.string().optional()
13508
+ });
13509
+ var getTopicGraphSpineArgs = z.object({
13510
+ rootTopicId: z.string().optional().describe("Optional root topic ID."),
13511
+ includeTopicBeliefEdges: z.boolean().optional()
13512
+ });
11213
13513
  var topicIdInput = (input) => compactRecord4({
11214
13514
  id: input.id ?? input.topicId
11215
13515
  });
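Review bot: `createTopicArgs` accepts `tenantId`, `workspaceId` and `createdBy` from the caller, and `materializeTopicGraphArgs` accepts `createdBy`, so tenant scope and attribution can be stated by the request instead of taken from the authenticated principal. The `withCreatedBy` projection is outside this chunk, but `supersedeNodeInput` in the later nodes hunk lets the caller's value win (`typeof input.createdBy === "string" ? input.createdBy : authUserId(context)`), and `withPrincipal` does the same with `input.tenantId ?? context.tenantId`. If the backend does not re-check these against the session, audit attribution and tenant isolation depend on client honesty; drop the fields from the public schemas or have the projection overwrite them from `context`.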
@@ -11240,7 +13540,8 @@ var topicsContracts = [
11240
13540
  functionName: "create",
11241
13541
  kind: "mutation",
11242
13542
  inputProjection: withCreatedBy
11243
- }
13543
+ },
13544
+ args: createTopicArgs
11244
13545
  }),
11245
13546
  surfaceContract({
11246
13547
  name: "get_topic",
@@ -11308,6 +13609,406 @@ var topicsContracts = [
11308
13609
  functionName: "getTree",
11309
13610
  kind: "query"
11310
13611
  }
13612
+ }),
13613
+ surfaceContract({
13614
+ name: "materialize_topic_graph",
13615
+ kind: "mutation",
13616
+ domain: "topics",
13617
+ surfaceClass: "platform_public",
13618
+ path: "/topics/materialize-graph",
13619
+ sdkNamespace: "topics",
13620
+ sdkMethod: "materializeTopicGraph",
13621
+ summary: "Materialize topic nodes and parent-child graph edges.",
13622
+ convex: {
13623
+ module: "topics",
13624
+ functionName: "materializeTopicGraph",
13625
+ kind: "mutation",
13626
+ inputProjection: withCreatedBy
13627
+ },
13628
+ args: materializeTopicGraphArgs
13629
+ }),
13630
+ surfaceContract({
13631
+ name: "get_topic_graph_spine",
13632
+ kind: "query",
13633
+ domain: "topics",
13634
+ surfaceClass: "platform_public",
13635
+ method: "GET",
13636
+ path: "/topics/graph-spine",
13637
+ sdkNamespace: "topics",
13638
+ sdkMethod: "getTopicGraphSpine",
13639
+ summary: "Verify topic nodes and parent-child graph edges.",
13640
+ convex: {
13641
+ module: "topics",
13642
+ functionName: "getTopicGraphSpine",
13643
+ kind: "query"
13644
+ },
13645
+ args: getTopicGraphSpineArgs
13646
+ })
13647
+ ];
13648
+ var sourceTypeSchema2 = z.enum([
13649
+ "human",
13650
+ "ai_extracted",
13651
+ "ai_generated",
13652
+ "imported",
13653
+ "system",
13654
+ "verified",
13655
+ "proprietary"
13656
+ ]);
13657
+ var verificationStatusSchema = z.enum([
13658
+ "unverified",
13659
+ "human_verified",
13660
+ "ai_verified",
13661
+ "contradicted",
13662
+ "outdated"
13663
+ ]);
13664
+ var nodeStatusSchema = z.enum([
13665
+ "active",
13666
+ "superseded",
13667
+ "archived",
13668
+ "deleted"
13669
+ ]);
13670
+ var externalIdsArgs = z.object({
13671
+ crunchbase: z.string().optional(),
13672
+ linkedin: z.string().optional(),
13673
+ pitchbook: z.string().optional(),
13674
+ twitter: z.string().optional(),
13675
+ website: z.string().optional()
13676
+ }).optional();
13677
+ var createEpistemicNodeItemArgs = z.object({
13678
+ globalId: z.string().optional().describe("Optional idempotent node global ID."),
13679
+ nodeType: NODE_TYPE.describe("Public epistemic node type."),
13680
+ subtype: z.string().optional(),
13681
+ canonicalText: z.string().optional().describe("Canonical node text."),
13682
+ text: z.string().optional().describe("Alias for canonicalText."),
13683
+ contentHash: z.string().optional().describe("Optional idempotency content hash."),
13684
+ content: z.string().optional(),
13685
+ contentType: z.string().optional(),
13686
+ title: z.string().optional(),
13687
+ tags: z.array(z.string()).optional(),
13688
+ domain: z.string().optional(),
13689
+ metadata: z.record(z.unknown()).optional(),
13690
+ externalIds: externalIdsArgs,
13691
+ sourceType: sourceTypeSchema2.optional(),
13692
+ aiProvider: z.string().optional(),
13693
+ extractedFromNodeId: z.string().optional(),
13694
+ confidence: z.number().optional(),
13695
+ verificationStatus: verificationStatusSchema.optional(),
13696
+ topicId: z.string().optional(),
13697
+ projectId: z.string().optional(),
13698
+ createdBy: z.string().optional(),
13699
+ trustedBypassAccessCheck: z.boolean().optional()
13700
+ });
13701
+ var createEpistemicNodeArgs = createEpistemicNodeItemArgs;
13702
+ var batchCreateEpistemicNodesArgs = z.object({
13703
+ nodes: z.array(createEpistemicNodeItemArgs)
13704
+ });
13705
+ var getEpistemicNodeArgs = z.object({
13706
+ nodeId: z.string().describe("Node ID or global ID."),
13707
+ globalId: z.string().optional().describe("Node global ID alias.")
13708
+ });
13709
+ var listEpistemicNodesArgs = z.object({
13710
+ topicId: z.string().optional(),
13711
+ projectId: z.string().optional(),
13712
+ nodeType: NODE_TYPE.optional(),
13713
+ status: nodeStatusSchema.optional(),
13714
+ searchQuery: z.string().optional(),
13715
+ query: z.string().optional(),
13716
+ limit: z.number().optional()
13717
+ });
13718
+ var updateEpistemicNodeArgs = z.object({
13719
+ nodeId: z.string().describe("Node ID or global ID."),
13720
+ id: z.string().optional().describe("Node ID alias."),
13721
+ subtype: z.string().optional(),
13722
+ canonicalText: z.string().optional(),
13723
+ text: z.string().optional(),
13724
+ contentHash: z.string().optional(),
13725
+ content: z.string().optional(),
13726
+ contentType: z.string().optional(),
13727
+ title: z.string().optional(),
13728
+ tags: z.array(z.string()).optional(),
13729
+ domain: z.string().optional(),
13730
+ metadata: z.record(z.unknown()).optional(),
13731
+ externalIds: externalIdsArgs,
13732
+ confidence: z.number().optional(),
13733
+ verificationStatus: verificationStatusSchema.optional(),
13734
+ status: nodeStatusSchema.optional(),
13735
+ userId: z.string().optional(),
13736
+ trustedBypassAccessCheck: z.boolean().optional()
13737
+ });
13738
+ var archiveEpistemicNodeArgs = z.object({
13739
+ nodeId: z.string().describe("Node ID or global ID."),
13740
+ id: z.string().optional().describe("Node ID alias."),
13741
+ userId: z.string().optional(),
13742
+ trustedBypassAccessCheck: z.boolean().optional()
13743
+ });
13744
+ var verifyEpistemicNodeArgs = z.object({
13745
+ nodeId: z.string().describe("Node ID or global ID."),
13746
+ id: z.string().optional().describe("Node ID alias."),
13747
+ verificationStatus: verificationStatusSchema,
13748
+ confidence: z.number().optional(),
13749
+ userId: z.string().optional()
13750
+ });
13751
+ var supersedeEpistemicNodeArgs = z.object({
13752
+ oldNodeId: z.string().describe("Node ID or global ID to supersede."),
13753
+ nodeId: z.string().optional().describe("Old node ID alias."),
13754
+ newGlobalId: z.string().optional(),
13755
+ newCanonicalText: z.string().optional(),
13756
+ text: z.string().optional(),
13757
+ canonicalText: z.string().optional(),
13758
+ newContentHash: z.string().optional(),
13759
+ reason: z.string().optional(),
13760
+ createdBy: z.string().optional(),
13761
+ trustedBypassAccessCheck: z.boolean().optional()
13762
+ });
13763
+ function generatedGlobalId(prefix) {
13764
+ return `${prefix}:${crypto.randomUUID()}`;
13765
+ }
13766
+ function resolveCanonicalText(input) {
13767
+ const text = input.canonicalText ?? input.text ?? input.title ?? input.content;
13768
+ if (typeof text !== "string" || text.trim().length === 0) {
13769
+ throw new Error("canonicalText or text is required.");
13770
+ }
13771
+ return text;
13772
+ }
13773
+ function createNodeInput(input, context) {
13774
+ const canonicalText = resolveCanonicalText(input);
13775
+ const nodeType = String(input.nodeType);
13776
+ return withCreatedBy(
13777
+ compactRecord4({
13778
+ globalId: typeof input.globalId === "string" && input.globalId.trim() ? input.globalId : generatedGlobalId(nodeType),
13779
+ nodeType,
13780
+ subtype: input.subtype,
13781
+ canonicalText,
13782
+ contentHash: typeof input.contentHash === "string" && input.contentHash.trim() ? input.contentHash : `${nodeType}:${canonicalText}`,
13783
+ content: input.content,
13784
+ contentType: input.contentType,
13785
+ title: input.title,
13786
+ tags: input.tags,
13787
+ domain: input.domain,
13788
+ metadata: input.metadata,
13789
+ externalIds: input.externalIds,
13790
+ sourceType: typeof input.sourceType === "string" && input.sourceType.trim() ? input.sourceType : "human",
13791
+ aiProvider: input.aiProvider,
13792
+ extractedFromNodeId: input.extractedFromNodeId,
13793
+ confidence: input.confidence,
13794
+ verificationStatus: input.verificationStatus,
13795
+ topicId: input.topicId,
13796
+ projectId: input.projectId
13797
+ }),
13798
+ context
13799
+ );
13800
+ }
13801
+ var getNodeInput = (input) => compactRecord4({
13802
+ nodeId: input.nodeId ?? input.globalId
13803
+ });
13804
+ var listNodesInput = (input) => compactRecord4({
13805
+ topicId: input.topicId,
13806
+ projectId: input.projectId,
13807
+ nodeType: input.nodeType,
13808
+ status: input.status,
13809
+ searchQuery: input.searchQuery ?? input.query,
13810
+ limit: input.limit
13811
+ });
13812
+ var updateNodeInput = (input, context) => withUserId(
13813
+ compactRecord4({
13814
+ nodeId: input.nodeId ?? input.id,
13815
+ subtype: input.subtype,
13816
+ canonicalText: input.canonicalText ?? input.text,
13817
+ contentHash: input.contentHash,
13818
+ content: input.content,
13819
+ contentType: input.contentType,
13820
+ title: input.title,
13821
+ tags: input.tags,
13822
+ domain: input.domain,
13823
+ metadata: input.metadata,
13824
+ externalIds: input.externalIds,
13825
+ confidence: input.confidence,
13826
+ verificationStatus: input.verificationStatus,
13827
+ status: input.status,
13828
+ trustedBypassAccessCheck: input.trustedBypassAccessCheck
13829
+ }),
13830
+ context
13831
+ );
13832
+ var archiveNodeInput = (input, context) => withUserId(
13833
+ compactRecord4({
13834
+ nodeId: input.nodeId ?? input.id,
13835
+ trustedBypassAccessCheck: input.trustedBypassAccessCheck
13836
+ }),
13837
+ context
13838
+ );
13839
+ var verifyNodeInput = (input, context) => withUserId(
13840
+ compactRecord4({
13841
+ nodeId: input.nodeId ?? input.id,
13842
+ verificationStatus: input.verificationStatus,
13843
+ confidence: input.confidence
13844
+ }),
13845
+ context
13846
+ );
13847
+ var supersedeNodeInput = (input, context) => {
13848
+ const newCanonicalText = input.newCanonicalText ?? input.canonicalText ?? input.text;
13849
+ if (typeof newCanonicalText !== "string" || newCanonicalText.trim().length === 0) {
13850
+ throw new Error("newCanonicalText or text is required.");
13851
+ }
13852
+ return {
13853
+ oldNodeId: input.oldNodeId ?? input.nodeId,
13854
+ newGlobalId: typeof input.newGlobalId === "string" && input.newGlobalId.trim() ? input.newGlobalId : generatedGlobalId("node"),
13855
+ newCanonicalText,
13856
+ newContentHash: typeof input.newContentHash === "string" && input.newContentHash.trim() ? input.newContentHash : `superseded:${newCanonicalText}`,
13857
+ createdBy: typeof input.createdBy === "string" ? input.createdBy : authUserId(context),
13858
+ reason: input.reason,
13859
+ trustedBypassAccessCheck: input.trustedBypassAccessCheck
13860
+ };
13861
+ };
13862
+ var batchCreateNodesInput = (input, context) => {
13863
+ const nodes = Array.isArray(input.nodes) ? input.nodes : [];
13864
+ return {
13865
+ nodes: nodes.map(
13866
+ (node) => createNodeInput(
13867
+ node && typeof node === "object" ? node : {},
13868
+ context
13869
+ )
13870
+ )
13871
+ };
13872
+ };
13873
+ var nodesContracts = [
13874
+ surfaceContract({
13875
+ name: "create_epistemic_node",
13876
+ kind: "mutation",
13877
+ domain: "nodes",
13878
+ surfaceClass: "platform_public",
13879
+ path: "/nodes",
13880
+ sdkNamespace: "nodes",
13881
+ sdkMethod: "createEpistemicNode",
13882
+ summary: "Create a generic epistemic graph node.",
13883
+ convex: {
13884
+ module: "nodes",
13885
+ functionName: "create",
13886
+ kind: "mutation",
13887
+ inputProjection: createNodeInput
13888
+ },
13889
+ args: createEpistemicNodeArgs
13890
+ }),
13891
+ surfaceContract({
13892
+ name: "get_epistemic_node",
13893
+ kind: "query",
13894
+ domain: "nodes",
13895
+ surfaceClass: "platform_public",
13896
+ method: "GET",
13897
+ path: "/nodes/get",
13898
+ sdkNamespace: "nodes",
13899
+ sdkMethod: "getEpistemicNode",
13900
+ summary: "Get a generic epistemic graph node.",
13901
+ convex: {
13902
+ module: "nodes",
13903
+ functionName: "get",
13904
+ kind: "query",
13905
+ inputProjection: getNodeInput
13906
+ },
13907
+ args: getEpistemicNodeArgs
13908
+ }),
13909
+ surfaceContract({
13910
+ name: "list_epistemic_nodes",
13911
+ kind: "query",
13912
+ domain: "nodes",
13913
+ surfaceClass: "platform_public",
13914
+ method: "GET",
13915
+ path: "/nodes",
13916
+ sdkNamespace: "nodes",
13917
+ sdkMethod: "listEpistemicNodes",
13918
+ summary: "List generic epistemic graph nodes.",
13919
+ convex: {
13920
+ module: "nodes",
13921
+ functionName: "list",
13922
+ kind: "query",
13923
+ inputProjection: listNodesInput
13924
+ },
13925
+ args: listEpistemicNodesArgs
13926
+ }),
13927
+ surfaceContract({
13928
+ name: "update_epistemic_node",
13929
+ kind: "mutation",
13930
+ domain: "nodes",
13931
+ surfaceClass: "platform_public",
13932
+ method: "PATCH",
13933
+ path: "/nodes",
13934
+ sdkNamespace: "nodes",
13935
+ sdkMethod: "updateEpistemicNode",
13936
+ summary: "Update a generic epistemic graph node.",
13937
+ convex: {
13938
+ module: "nodes",
13939
+ functionName: "update",
13940
+ kind: "mutation",
13941
+ inputProjection: updateNodeInput
13942
+ },
13943
+ args: updateEpistemicNodeArgs
13944
+ }),
13945
+ surfaceContract({
13946
+ name: "archive_epistemic_node",
13947
+ kind: "mutation",
13948
+ domain: "nodes",
13949
+ surfaceClass: "platform_public",
13950
+ path: "/nodes/archive",
13951
+ sdkNamespace: "nodes",
13952
+ sdkMethod: "archiveEpistemicNode",
13953
+ summary: "Archive a generic epistemic graph node.",
13954
+ convex: {
13955
+ module: "nodes",
13956
+ functionName: "archive",
13957
+ kind: "mutation",
13958
+ inputProjection: archiveNodeInput
13959
+ },
13960
+ args: archiveEpistemicNodeArgs
13961
+ }),
13962
+ surfaceContract({
13963
+ name: "verify_epistemic_node",
13964
+ kind: "mutation",
13965
+ domain: "nodes",
13966
+ surfaceClass: "platform_public",
13967
+ path: "/nodes/verify",
13968
+ sdkNamespace: "nodes",
13969
+ sdkMethod: "verifyEpistemicNode",
13970
+ summary: "Verify a generic epistemic graph node.",
13971
+ convex: {
13972
+ module: "nodes",
13973
+ functionName: "verify",
13974
+ kind: "mutation",
13975
+ inputProjection: verifyNodeInput
13976
+ },
13977
+ args: verifyEpistemicNodeArgs
13978
+ }),
13979
+ surfaceContract({
13980
+ name: "supersede_epistemic_node",
13981
+ kind: "mutation",
13982
+ domain: "nodes",
13983
+ surfaceClass: "platform_public",
13984
+ path: "/nodes/supersede",
13985
+ sdkNamespace: "nodes",
13986
+ sdkMethod: "supersedeEpistemicNode",
13987
+ summary: "Supersede a generic epistemic graph node.",
13988
+ convex: {
13989
+ module: "nodes",
13990
+ functionName: "supersede",
13991
+ kind: "mutation",
13992
+ inputProjection: supersedeNodeInput
13993
+ },
13994
+ args: supersedeEpistemicNodeArgs
13995
+ }),
13996
+ surfaceContract({
13997
+ name: "batch_create_epistemic_nodes",
13998
+ kind: "mutation",
13999
+ domain: "nodes",
14000
+ surfaceClass: "platform_public",
14001
+ path: "/nodes/batch",
14002
+ sdkNamespace: "nodes",
14003
+ sdkMethod: "batchCreateEpistemicNodes",
14004
+ summary: "Batch create generic epistemic graph nodes.",
14005
+ convex: {
14006
+ module: "nodes",
14007
+ functionName: "batchCreate",
14008
+ kind: "mutation",
14009
+ inputProjection: batchCreateNodesInput
14010
+ },
14011
+ args: batchCreateEpistemicNodesArgs
11311
14012
  })
11312
14013
  ];
11313
14014
  var lensPerspectiveSchema = z.enum([
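Review bot: `trustedBypassAccessCheck` is declared in the public argument schemas for create, update, archive and supersede, and `updateNodeInput`, `archiveNodeInput` and `supersedeNodeInput` copy `input.trustedBypassAccessCheck` straight into the Convex mutation input on contracts marked `platform_public`. Unless the backend ignores the flag for non-service principals (not visible here), the request itself can ask for the access check to be skipped on any node id. Remove the field from these schemas and delete the `trustedBypassAccessCheck: input.trustedBypassAccessCheck` line from the three projections, or set it from the authenticated context rather than from `input`. `batchCreateEdgesArgs` in the later edges hunk inherits the same field through `z.array(createEdgeArgs)`.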
@@ -11667,6 +14368,19 @@ var worktreeEvidenceSignalInputSchema = z.object({
11667
14368
  progress: z.string().optional().describe("Collection progress note for the signal."),
11668
14369
  notes: z.string().optional().describe("Additional evidence collection notes.")
11669
14370
  }).passthrough().describe("Evidence signal embedded in the worktree plan.");
14371
+ var worktreeDocCompanionTargetSchema = z.object({
14372
+ docPath: z.string().describe(
14373
+ "Repo-relative path to a documentation file the worktree promises to update."
14374
+ ),
14375
+ sectionAnchor: z.string().optional().describe(
14376
+ "Markdown heading anchor (e.g. '## Function-surface manifest') that scopes the promised update."
14377
+ ),
14378
+ reason: z.string().describe(
14379
+ "Why this doc section must be updated for the worktree to be complete."
14380
+ )
14381
+ }).passthrough().describe(
14382
+ "Intent-driven docs companion target. pr-gate-reviewer verifies that the PR actually touches each declared (docPath, sectionAnchor). Distinct from the touch-driven docs-loop. See docs/development/docs-sync-discipline.md Lock 3."
14383
+ );
11670
14384
  var worktreeDecisionGateInputSchema = z.object({
11671
14385
  goCriteria: z.array(z.string()).describe("Criteria that must hold for the worktree to proceed."),
11672
14386
  noGoSignals: z.array(z.string()).describe("Signals that stop or redirect the worktree."),
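Review bot: `docPath` in `worktreeDocCompanionTargetSchema` is described as repo-relative but validated only as `z.string()`, and the object is `.passthrough()`. The description says pr-gate-reviewer consumes these values, so an absolute path or one containing `..` segments would reach that consumer unchecked; a `.refine()` rejecting both, plus a length cap, would enforce the stated contract at the schema. How pr-gate-reviewer resolves the path is not shown on this page.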
@@ -11699,6 +14413,9 @@ var addWorktreeArgs = z.object({
11699
14413
  keyQuestions: z.array(worktreeKeyQuestionInputSchema).optional().describe("Inline key questions captured as part of the worktree plan."),
11700
14414
  evidenceSignals: z.array(worktreeEvidenceSignalInputSchema).optional().describe("Evidence signals the worktree needs to collect or validate."),
11701
14415
  decisionGate: worktreeDecisionGateInputSchema.optional(),
14416
+ docCompanionTargets: z.array(worktreeDocCompanionTargetSchema).optional().describe(
14417
+ "Doc sections the worktree promises to update at PR time. Enforced by pr-gate-reviewer (Lock 3)."
14418
+ ),
11702
14419
  goCriteria: z.array(z.string()).optional().describe("Shorthand go criteria used to build decisionGate."),
11703
14420
  noGoSignals: z.array(z.string()).optional().describe("Shorthand no-go signals used to build decisionGate."),
11704
14421
  proofArtifacts: z.array(z.unknown()).optional().describe("Expected proof artifacts required to close the worktree."),
@@ -12062,7 +14779,21 @@ var createTaskArgs = z.object({
12062
14779
  linkedQuestionId: z.string().optional().describe("Question this task addresses."),
12063
14780
  assigneeId: z.string().optional().describe("Principal assigned to the task."),
12064
14781
  dueDate: z.number().optional().describe("Due date as epoch milliseconds."),
12065
- tags: z.array(z.string()).optional().describe("Free-form tags.")
14782
+ tags: z.array(z.string()).optional().describe("Free-form tags."),
14783
+ metadata: z.record(z.unknown()).optional().describe("Structured task metadata for handoff context and routing hints.")
14784
+ });
14785
+ var updateTaskArgs = z.object({
14786
+ taskId: z.string().describe("Task to update."),
14787
+ title: z.string().optional().describe("Updated task title."),
14788
+ description: z.string().optional().describe("Updated task description."),
14789
+ priority: taskPrioritySchema.optional().describe("Updated priority."),
14790
+ status: taskStatusSchema2.optional().describe("Updated status."),
14791
+ linkedWorktreeId: z.string().optional().describe("Worktree this task belongs to."),
14792
+ linkedBeliefId: z.string().optional().describe("Belief this task supports."),
14793
+ linkedQuestionId: z.string().optional().describe("Question this task addresses."),
14794
+ assigneeId: z.string().optional().describe("Principal assigned to the task."),
14795
+ blockedReason: z.string().optional().describe("Reason the task is blocked or deferred."),
14796
+ metadata: z.record(z.unknown()).optional().describe("Structured task metadata for handoff context and routing hints.")
12066
14797
  });
12067
14798
  var createTaskInput = (input) => compactRecord4({
12068
14799
  title: input.title,
@@ -12076,7 +14807,8 @@ var createTaskInput = (input) => compactRecord4({
12076
14807
  linkedQuestionId: input.linkedQuestionId,
12077
14808
  assigneeId: input.assigneeId,
12078
14809
  dueDate: input.dueDate,
12079
- tags: input.tags
14810
+ tags: input.tags,
14811
+ metadata: input.metadata
12080
14812
  });
12081
14813
  var taskInput = (input) => compactRecord4({
12082
14814
  ...input,
@@ -12093,8 +14825,7 @@ var taskTopicInput = (input) => {
12093
14825
  };
12094
14826
  var completeTaskInput = (input) => compactRecord4({
12095
14827
  taskId: input.taskId ?? input.id,
12096
- outputSummary: input.outputSummary ?? input.summary,
12097
- userId: input.userId
14828
+ outputSummary: input.outputSummary ?? input.summary
12098
14829
  });
12099
14830
  var tasksContracts = [
12100
14831
  surfaceContract({
@@ -12112,6 +14843,7 @@ var tasksContracts = [
12112
14843
  kind: "mutation",
12113
14844
  inputProjection: createTaskInput
12114
14845
  },
14846
+ gateway: { handler: "tasks.create" },
12115
14847
  args: createTaskArgs
12116
14848
  }),
12117
14849
  surfaceContract({
@@ -12130,6 +14862,7 @@ var tasksContracts = [
12130
14862
  kind: "query",
12131
14863
  inputProjection: taskTopicInput
12132
14864
  },
14865
+ gateway: { handler: "tasks.list" },
12133
14866
  args: listTasksInputSchema
12134
14867
  }),
12135
14868
  surfaceContract({
@@ -12147,7 +14880,9 @@ var tasksContracts = [
12147
14880
  functionName: "update",
12148
14881
  kind: "mutation",
12149
14882
  inputProjection: taskInput
12150
- }
14883
+ },
14884
+ gateway: { handler: "tasks.update" },
14885
+ args: updateTaskArgs
12151
14886
  }),
12152
14887
  surfaceContract({
12153
14888
  name: "complete_task",
@@ -12163,12 +14898,14 @@ var tasksContracts = [
12163
14898
  functionName: "complete",
12164
14899
  kind: "mutation",
12165
14900
  inputProjection: completeTaskInput
12166
- }
14901
+ },
14902
+ gateway: { handler: "tasks.complete" }
12167
14903
  })
12168
14904
  ];
12169
14905
  var CREATE_EDGE_TYPES = edgePolicyManifest.policies.map(
12170
14906
  (policy) => policy.edgeType
12171
14907
  );
14908
+ var REASONING_METHOD_TYPES = [...REASONING_METHODS];
12172
14909
  var createEdgeArgs = z.object({
12173
14910
  from: GraphRefSchema,
12174
14911
  to: GraphRefSchema,
@@ -12178,10 +14915,37 @@ var createEdgeArgs = z.object({
12178
14915
  confidence: z.number().optional(),
12179
14916
  context: z.string().optional(),
12180
14917
  reasoning: z.string().optional(),
14918
+ reasoningMethod: z.enum(REASONING_METHOD_TYPES).optional(),
12181
14919
  derivationType: z.string().optional(),
14920
+ metadata: z.record(z.unknown()).optional(),
12182
14921
  topicId: z.string().optional(),
12183
14922
  trustedBypassAccessCheck: z.boolean().optional()
12184
14923
  });
14924
+ var updateEdgeArgs = z.object({
14925
+ edgeId: z.string().describe("Edge ID or global ID."),
14926
+ weight: z.number().optional(),
14927
+ confidence: z.number().optional(),
14928
+ context: z.string().optional(),
14929
+ reasoning: z.string().optional(),
14930
+ derivationType: z.string().optional(),
14931
+ metadata: z.record(z.unknown()).optional(),
14932
+ userId: z.string().optional()
14933
+ });
14934
+ var removeEdgeArgs = z.object({
14935
+ edgeId: z.string().describe("Edge ID or global ID."),
14936
+ userId: z.string().optional()
14937
+ });
14938
+ var removeEdgesBetweenArgs = z.object({
14939
+ from: GraphRefSchema.optional(),
14940
+ to: GraphRefSchema.optional(),
14941
+ fromNodeId: z.string().optional(),
14942
+ toNodeId: z.string().optional(),
14943
+ edgeType: z.enum(CREATE_EDGE_TYPES).optional()
14944
+ });
14945
+ var batchCreateEdgesArgs = z.object({
14946
+ edges: z.array(createEdgeArgs),
14947
+ skipLayerValidation: z.boolean().optional()
14948
+ });
12185
14949
  var queryLineageArgs = z.object({
12186
14950
  nodeId: z.string().describe("Starting node to trace from."),
12187
14951
  startNode: z.string().optional().describe("Starting node alias accepted by traversal callers."),
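Review bot: `batchCreateEdgesArgs` exposes `skipLayerValidation` as a caller-settable boolean, and `edges` is an unbounded `z.array(createEdgeArgs)`. The batch contract that consumes this schema is outside this chunk, so whether the flag is forwarded is unconfirmed; if it is, layer validation becomes optional for any client of the batch endpoint. Suggest dropping the field from the public schema and bounding the array, e.g. `edges: z.array(createEdgeArgs).max(MAX_BATCH_EDGES)` with a limit the backend can process in one mutation (`MAX_BATCH_EDGES` is a placeholder name). `updateEdgeArgs` and `removeEdgeArgs` also accept a caller-supplied `userId`, which should not be allowed to take precedence over the authenticated principal.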
@@ -12230,7 +14994,9 @@ var edgesContracts = [
12230
14994
  weight: parsed.weight,
12231
14995
  confidence: parsed.confidence,
12232
14996
  context: parsed.context ?? parsed.reasoning,
14997
+ reasoningMethod: parsed.reasoningMethod,
12233
14998
  derivationType: parsed.derivationType,
14999
+ metadata: parsed.metadata,
12234
15000
  skipLayerValidation: true,
12235
15001
  topicId: parsed.topicId,
12236
15002
  trustedBypassAccessCheck: parsed.trustedBypassAccessCheck
@@ -12241,6 +15007,131 @@ var edgesContracts = [
12241
15007
  },
12242
15008
  args: createEdgeArgs
12243
15009
  }),
15010
+ surfaceContract({
15011
+ name: "update_edge",
15012
+ kind: "mutation",
15013
+ domain: "edges",
15014
+ surfaceClass: "platform_public",
15015
+ method: "PATCH",
15016
+ path: "/edges",
15017
+ sdkNamespace: "edges",
15018
+ sdkMethod: "updateEdge",
15019
+ summary: "Update an epistemic edge.",
15020
+ convex: {
15021
+ module: "edges",
15022
+ functionName: "update",
15023
+ kind: "mutation",
15024
+ inputProjection: (input, context) => compactRecord4({
15025
+ edgeId: input.edgeId,
15026
+ weight: input.weight,
15027
+ confidence: input.confidence,
15028
+ context: input.context ?? input.reasoning,
15029
+ derivationType: input.derivationType,
15030
+ metadata: input.metadata,
15031
+ userId: input.userId ?? context.userId ?? context.principalId
15032
+ })
15033
+ },
15034
+ args: updateEdgeArgs
15035
+ }),
15036
+ surfaceContract({
15037
+ name: "remove_edge",
15038
+ kind: "mutation",
15039
+ domain: "edges",
15040
+ surfaceClass: "platform_public",
15041
+ method: "DELETE",
15042
+ path: "/edges",
15043
+ sdkNamespace: "edges",
15044
+ sdkMethod: "removeEdge",
15045
+ summary: "Remove an epistemic edge.",
15046
+ convex: {
15047
+ module: "edges",
15048
+ functionName: "remove",
15049
+ kind: "mutation",
15050
+ inputProjection: (input, context) => compactRecord4({
15051
+ edgeId: input.edgeId,
15052
+ userId: input.userId ?? context.userId ?? context.principalId
15053
+ })
15054
+ },
15055
+ args: removeEdgeArgs
15056
+ }),
15057
+ surfaceContract({
15058
+ name: "remove_edges_between",
15059
+ kind: "mutation",
15060
+ domain: "edges",
15061
+ surfaceClass: "platform_public",
15062
+ method: "DELETE",
15063
+ path: "/edges/between",
15064
+ sdkNamespace: "edges",
15065
+ sdkMethod: "removeEdgesBetween",
15066
+ summary: "Remove epistemic edges between two nodes.",
15067
+ convex: {
15068
+ module: "edges",
15069
+ functionName: "removeBetween",
15070
+ kind: "mutation",
15071
+ inputProjection: (input) => {
15072
+ const parsed = removeEdgesBetweenArgs.parse(input);
15073
+ const fromNodeId = parsed.from ? graphRefNodeId(parsed.from) : parsed.fromNodeId;
15074
+ const toNodeId = parsed.to ? graphRefNodeId(parsed.to) : parsed.toNodeId;
15075
+ if (!fromNodeId || !toNodeId) {
15076
+ throw new Error("from/to or fromNodeId/toNodeId are required.");
15077
+ }
15078
+ return compactRecord4({
15079
+ fromNodeId,
15080
+ toNodeId,
15081
+ edgeType: parsed.edgeType
15082
+ });
15083
+ }
15084
+ },
15085
+ args: removeEdgesBetweenArgs
15086
+ }),
15087
+ surfaceContract({
15088
+ name: "batch_create_edges",
15089
+ kind: "mutation",
15090
+ domain: "edges",
15091
+ surfaceClass: "platform_public",
15092
+ path: "/edges/batch",
15093
+ sdkNamespace: "edges",
15094
+ sdkMethod: "batchCreateEdges",
15095
+ summary: "Batch create epistemic edges.",
15096
+ convex: {
15097
+ module: "edges",
15098
+ functionName: "batchCreate",
15099
+ kind: "mutation",
15100
+ inputProjection: (input, context) => {
15101
+ const parsed = batchCreateEdgesArgs.parse(input);
15102
+ return {
15103
+ skipLayerValidation: parsed.skipLayerValidation ?? true,
15104
+ edges: parsed.edges.map((edge) => {
15105
+ assertEdgePolicyAllowed(
15106
+ edgePolicyManifest,
15107
+ edge.edgeType,
15108
+ edge.from,
15109
+ edge.to
15110
+ );
15111
+ const fromNodeId = graphRefNodeId(edge.from);
15112
+ const toNodeId = graphRefNodeId(edge.to);
15113
+ return withCreatedBy(
15114
+ compactRecord4({
15115
+ fromNodeId,
15116
+ toNodeId,
15117
+ edgeType: edge.edgeType,
15118
+ globalId: edge.globalId ?? `edge:${fromNodeId}:${toNodeId}:${edge.edgeType}`,
15119
+ weight: edge.weight,
15120
+ confidence: edge.confidence,
15121
+ context: edge.context ?? edge.reasoning,
15122
+ reasoningMethod: edge.reasoningMethod,
15123
+ derivationType: edge.derivationType,
15124
+ metadata: edge.metadata,
15125
+ topicId: edge.topicId
15126
+ }),
15127
+ context
15128
+ );
15129
+ })
15130
+ };
15131
+ }
15132
+ },
15133
+ args: batchCreateEdgesArgs
15134
+ }),
12244
15135
  surfaceContract({
12245
15136
  name: "query_lineage",
12246
15137
  kind: "query",
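Review bot: In the `update_edge` and `remove_edge` projections, `userId: input.userId ?? context.userId ?? context.principalId` lets a caller-supplied `userId` take precedence over the authenticated context on a surface declared `platform_public`. Unless the backend `edges.update` / `edges.remove` functions re-derive the actor themselves (not visible here), the mutation can be attributed to a different user than the one who made the call; prefer `userId: context.userId ?? context.principalId ?? input.userId`, or drop `userId` from the public args. `remove_edges_between` has the opposite gap: its `inputProjection: (input) => …` never reads `context`, so the bulk delete forwards no actor at all. `batch_create_edges` takes `z.array(createEdgeArgs)` with no upper bound, so a `.max(...)` on the array would cap the work done by one request.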
@@ -12963,6 +15854,69 @@ var pipelineContracts = [
12963
15854
  }
12964
15855
  })
12965
15856
  ];
15857
+ function isRecord4(value) {
15858
+ return Boolean(value) && typeof value === "object" && !Array.isArray(value);
15859
+ }
15860
+ function stringValues(value) {
15861
+ if (typeof value === "string") {
15862
+ return [value];
15863
+ }
15864
+ if (Array.isArray(value)) {
15865
+ return value.flatMap((item) => stringValues(item));
15866
+ }
15867
+ return [];
15868
+ }
15869
+ function nestedEvidenceRows(value) {
15870
+ if (Array.isArray(value)) {
15871
+ return value.flatMap((item) => nestedEvidenceRows(item));
15872
+ }
15873
+ if (!isRecord4(value)) {
15874
+ return [];
15875
+ }
15876
+ const nestedKeys = ["evidence", "items", "nodes"];
15877
+ const nestedRows = nestedKeys.flatMap((key) => nestedEvidenceRows(value[key]));
15878
+ return nestedRows.length > 0 ? nestedRows : [value];
15879
+ }
15880
+ function isFailedAttemptRow(row) {
15881
+ const metadata = isRecord4(row.metadata) ? row.metadata : null;
15882
+ return metadata?.failedApproach === true || metadata?.isFailedAttempt === true;
15883
+ }
15884
+ function failureLogSearchFields(row) {
15885
+ const metadata = isRecord4(row.metadata) ? row.metadata : null;
15886
+ return [
15887
+ ...stringValues(row.id),
15888
+ ...stringValues(row._id),
15889
+ ...stringValues(row.title),
15890
+ ...stringValues(row.text),
15891
+ ...stringValues(row.canonicalText),
15892
+ ...stringValues(row.content),
15893
+ ...stringValues(metadata?.codeAnchor),
15894
+ ...stringValues(metadata?.codeAnchors),
15895
+ ...stringValues(metadata?.anchor),
15896
+ ...stringValues(metadata?.anchors),
15897
+ ...stringValues(metadata?.filePath),
15898
+ ...stringValues(metadata?.filePaths),
15899
+ ...stringValues(metadata?.path),
15900
+ ...stringValues(metadata?.paths),
15901
+ ...stringValues(metadata?.sourceRef),
15902
+ ...stringValues(metadata?.touchedPaths)
15903
+ ];
15904
+ }
15905
+ function projectFailureLog(output, input) {
15906
+ const rawQuery = typeof input.query === "string" && input.query.trim().length > 0 ? input.query.trim() : void 0;
15907
+ const searchKey = rawQuery?.toLowerCase();
15908
+ const failures = nestedEvidenceRows(output).filter((row) => isFailedAttemptRow(row)).filter(
15909
+ (row) => !searchKey ? true : failureLogSearchFields(row).some(
15910
+ (field) => field.toLowerCase().includes(searchKey)
15911
+ )
15912
+ );
15913
+ return {
15914
+ query: rawQuery,
15915
+ failures,
15916
+ totalFound: failures.length,
15917
+ showing: failures.length
15918
+ };
15919
+ }
12966
15920
  var recordScopeLearningArgs = z.object({
12967
15921
  topicId: z.string().optional().describe("Topic scope ID"),
12968
15922
  summary: z.string().describe("Atomic learning statement"),
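Review bot: `projectFailureLog` sets `totalFound` and `showing` to the same `failures.length`, so the two fields can never differ and `totalFound` is only the count left after local filtering. The failed-attempt filter and the `query` match run on whatever the backend already returned, and the contract that wires this projection in still forwards `limit` upstream, so a caller can receive fewer rows than `limit` while more matches exist. Either push the query to the backend or state the limitation on the function, e.g. `// totalFound counts rows in this response only, after local filtering`. `nestedEvidenceRows` replaces any record that has non-empty `evidence`/`items`/`nodes` with its children, and both it and `stringValues` recurse without a depth bound; each helper deserves a one-line comment saying so.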
@@ -13052,6 +16006,8 @@ var attemptInput = (input, context) => withUserId(
13052
16006
  tags: ["code_attempt"],
13053
16007
  metadata: compactRecord4({
13054
16008
  ...recordValue2(input.metadata),
16009
+ failedApproach: true,
16010
+ isFailedAttempt: true,
13055
16011
  filePaths: input.filePaths,
13056
16012
  filePath: input.filePath,
13057
16013
  errorMessage: input.errorMessage,
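Review bot: Rows written through `attemptInput` before this change carry neither `failedApproach` nor `isFailedAttempt`, and `isFailedAttemptRow` (added earlier in this diff) keeps a row only when one of them is `true`, so existing attempts would drop out of the failure log unless they are backfilled or the filter gets a fallback. Placing the two flags after `...recordValue2(input.metadata)` does stop caller metadata from overriding them, and a comment would protect that ordering: `// set after the spread so caller-supplied metadata cannot clear these flags`. Two keys for the same fact invite drift; consider keeping one, or note why both are written. The body of `attemptInput` starts and ends outside this hunk.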
@@ -13182,7 +16138,8 @@ var codingContracts = [
13182
16138
  limit: input.limit,
13183
16139
  status: input.status,
13184
16140
  userId: input.userId
13185
- })
16141
+ }),
16142
+ outputProjection: (output, input) => projectFailureLog(output, input)
13186
16143
  }
13187
16144
  })
13188
16145
  ];
@@ -13219,6 +16176,7 @@ var ALL_FUNCTION_CONTRACTS = [
13219
16176
  ...evidenceContracts,
13220
16177
  ...questionsContracts,
13221
16178
  ...topicsContracts,
16179
+ ...nodesContracts,
13222
16180
  ...lensesContracts,
13223
16181
  ...ontologiesContracts,
13224
16182
  ...worktreesContracts,
@@ -13394,6 +16352,13 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13394
16352
  copyMode: "none",
13395
16353
  description: "Deliberation sessions are created by tenant workflows."
13396
16354
  },
16355
+ {
16356
+ component: "kernel",
16357
+ table: "domainEvents",
16358
+ prepopulation: "runtime_log",
16359
+ copyMode: "none",
16360
+ description: "Domain event rows are append-only runtime audit/exhaust data."
16361
+ },
13397
16362
  {
13398
16363
  component: "kernel",
13399
16364
  table: "epistemicAudit",
@@ -13643,14 +16608,14 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13643
16608
  description: "Worktrees are tenant/runtime planning data."
13644
16609
  },
13645
16610
  {
13646
- component: "identity",
16611
+ component: "control-plane",
13647
16612
  table: "agents",
13648
16613
  prepopulation: "runtime_bootstrap",
13649
16614
  copyMode: "none",
13650
16615
  description: "Service agents are provisioned per tenant or service, not copied."
13651
16616
  },
13652
16617
  {
13653
- component: "identity",
16618
+ component: "control-plane",
13654
16619
  table: "mcpWritePolicy",
13655
16620
  prepopulation: "required_template",
13656
16621
  copyMode: "template_global",
@@ -13659,14 +16624,14 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13659
16624
  description: "Global write policy defaults govern service and interactive MCP writes."
13660
16625
  },
13661
16626
  {
13662
- component: "identity",
16627
+ component: "control-plane",
13663
16628
  table: "modelCallLogs",
13664
16629
  prepopulation: "runtime_log",
13665
16630
  copyMode: "none",
13666
16631
  description: "Model call logs are runtime telemetry."
13667
16632
  },
13668
16633
  {
13669
- component: "identity",
16634
+ component: "control-plane",
13670
16635
  table: "modelFunctionSlots",
13671
16636
  prepopulation: "required_template",
13672
16637
  copyMode: "template_global",
@@ -13675,7 +16640,7 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13675
16640
  description: "Function-to-model slots are required by model runtime resolution."
13676
16641
  },
13677
16642
  {
13678
- component: "identity",
16643
+ component: "control-plane",
13679
16644
  table: "modelRegistry",
13680
16645
  prepopulation: "required_template",
13681
16646
  copyMode: "template_global",
@@ -13684,7 +16649,7 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13684
16649
  description: "Model catalog defaults are required by model runtime clients."
13685
16650
  },
13686
16651
  {
13687
- component: "identity",
16652
+ component: "control-plane",
13688
16653
  table: "modelSlotConfigs",
13689
16654
  prepopulation: "required_template",
13690
16655
  copyMode: "template_global",
@@ -13693,14 +16658,105 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13693
16658
  description: "Slot-level defaults are required before tenant overrides exist."
13694
16659
  },
13695
16660
  {
13696
- component: "identity",
16661
+ component: "control-plane",
16662
+ table: "permitAccessReviewItems",
16663
+ prepopulation: "runtime_data",
16664
+ copyMode: "none",
16665
+ description: "Permit access-review item rows are tenant review data projected from Permit."
16666
+ },
16667
+ {
16668
+ component: "control-plane",
16669
+ table: "permitAccessReviews",
16670
+ prepopulation: "runtime_data",
16671
+ copyMode: "none",
16672
+ description: "Permit access-review campaigns are tenant review data projected from Permit."
16673
+ },
16674
+ {
16675
+ component: "control-plane",
16676
+ table: "permitAttributeBindings",
16677
+ prepopulation: "runtime_data",
16678
+ copyMode: "none",
16679
+ description: "Permit ABAC attribute bindings are tenant policy projection rows."
16680
+ },
16681
+ {
16682
+ component: "control-plane",
16683
+ table: "permitGroups",
16684
+ prepopulation: "runtime_data",
16685
+ copyMode: "none",
16686
+ description: "Permit groups are tenant-defined policy subjects, not template data."
16687
+ },
16688
+ {
16689
+ component: "control-plane",
16690
+ table: "permitGroupMemberships",
16691
+ prepopulation: "runtime_data",
16692
+ copyMode: "none",
16693
+ description: "Permit group memberships are tenant-specific policy projection rows."
16694
+ },
16695
+ {
16696
+ component: "control-plane",
16697
+ table: "permitPolicyBundles",
16698
+ prepopulation: "runtime_derived",
16699
+ copyMode: "none",
16700
+ description: "Permit policy bundles are derived from the Permit control plane."
16701
+ },
16702
+ {
16703
+ component: "control-plane",
16704
+ table: "permitPolicyDecisionReceipts",
16705
+ prepopulation: "runtime_log",
16706
+ copyMode: "none",
16707
+ description: "Permit decision receipts are runtime authorization audit logs."
16708
+ },
16709
+ {
16710
+ component: "control-plane",
16711
+ table: "permitPrincipalAliases",
16712
+ prepopulation: "runtime_data",
16713
+ copyMode: "none",
16714
+ description: "Permit principal aliases are tenant-specific identity projection rows."
16715
+ },
16716
+ {
16717
+ component: "control-plane",
16718
+ table: "permitPrincipals",
16719
+ prepopulation: "runtime_data",
16720
+ copyMode: "none",
16721
+ description: "Permit principals are projected from Clerk, Permit, and tenant onboarding flows."
16722
+ },
16723
+ {
16724
+ component: "control-plane",
16725
+ table: "permitProjectionOutbox",
16726
+ prepopulation: "runtime_queue",
16727
+ copyMode: "none",
16728
+ description: "Permit projection outbox rows are runtime sync queue data."
16729
+ },
16730
+ {
16731
+ component: "control-plane",
16732
+ table: "permitRelationshipTuples",
16733
+ prepopulation: "runtime_data",
16734
+ copyMode: "none",
16735
+ description: "Permit ReBAC relationship tuples are tenant policy projection rows."
16736
+ },
16737
+ {
16738
+ component: "control-plane",
16739
+ table: "permitResourceInstances",
16740
+ prepopulation: "runtime_data",
16741
+ copyMode: "none",
16742
+ description: "Permit resource instances are tenant/workspace graph and deployment projection rows."
16743
+ },
16744
+ {
16745
+ component: "control-plane",
16746
+ table: "permitRoleAssignments",
16747
+ prepopulation: "runtime_data",
16748
+ copyMode: "none",
16749
+ description: "Permit role assignments are tenant-specific policy projection rows."
16750
+ },
16751
+ {
16752
+ component: "control-plane",
13697
16753
  table: "platformAudienceGrants",
13698
16754
  prepopulation: "runtime_data",
13699
16755
  copyMode: "none",
13700
16756
  description: "Audience grants are principal/group-specific access rows."
13701
16757
  },
13702
16758
  {
13703
- component: "identity",
16759
+ component: "control-plane",
13704
16760
  table: "platformAudiences",
13705
16761
  prepopulation: "required_template",
13706
16762
  copyMode: "template_tenant_rewrite",
@@ -13709,35 +16765,35 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13709
16765
  description: "Default tenant audience taxonomy rows are rewritten into each tenant."
13710
16766
  },
13711
16767
  {
13712
- component: "identity",
16768
+ component: "control-plane",
13713
16769
  table: "platformPolicyDecisionLogs",
13714
16770
  prepopulation: "runtime_log",
13715
16771
  copyMode: "none",
13716
16772
  description: "Policy decisions are runtime audit logs."
13717
16773
  },
13718
16774
  {
13719
- component: "identity",
16775
+ component: "control-plane",
13720
16776
  table: "projectGrants",
13721
16777
  prepopulation: "runtime_data",
13722
16778
  copyMode: "none",
13723
16779
  description: "Project/topic grants are principal or group-specific access rows."
13724
16780
  },
13725
16781
  {
13726
- component: "identity",
16782
+ component: "control-plane",
13727
16783
  table: "reasoningPermissions",
13728
16784
  prepopulation: "runtime_data",
13729
16785
  copyMode: "none",
13730
16786
  description: "Reasoning permissions are principal-specific policy rows."
13731
16787
  },
13732
16788
  {
13733
- component: "identity",
16789
+ component: "control-plane",
13734
16790
  table: "tenantApiKeys",
13735
16791
  prepopulation: "runtime_secret",
13736
16792
  copyMode: "none",
13737
16793
  description: "API keys are tenant credentials and must never be copied."
13738
16794
  },
13739
16795
  {
13740
- component: "identity",
16796
+ component: "control-plane",
13741
16797
  table: "tenantConfig",
13742
16798
  prepopulation: "required_template",
13743
16799
  copyMode: "template_tenant_rewrite",
@@ -13746,7 +16802,7 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13746
16802
  description: "Tenant-local config defaults are rewritten during bootstrap."
13747
16803
  },
13748
16804
  {
13749
- component: "identity",
16805
+ component: "control-plane",
13750
16806
  table: "tenantIntegrations",
13751
16807
  prepopulation: "required_template",
13752
16808
  copyMode: "template_tenant_rewrite",
@@ -13755,14 +16811,21 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13755
16811
  description: "Non-secret integration descriptors are rewritten into each tenant."
13756
16812
  },
13757
16813
  {
13758
- component: "identity",
16814
+ component: "control-plane",
13759
16815
  table: "tenantModelSlotBindings",
13760
16816
  prepopulation: "runtime_secret",
13761
16817
  copyMode: "none",
13762
16818
  description: "Tenant model slot bindings reference provider secrets and are runtime-only."
13763
16819
  },
13764
16820
  {
13765
- component: "identity",
16821
+ component: "control-plane",
16822
+ table: "tenantPermitSyncStates",
16823
+ prepopulation: "runtime_derived",
16824
+ copyMode: "none",
16825
+ description: "Tenant Permit sync state rows are runtime reconciliation state."
16826
+ },
16827
+ {
16828
+ component: "control-plane",
13766
16829
  table: "tenantPolicies",
13767
16830
  prepopulation: "required_template",
13768
16831
  copyMode: "template_tenant_rewrite",
@@ -13771,42 +16834,42 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13771
16834
  description: "Default tenant policy roles are rewritten during bootstrap."
13772
16835
  },
13773
16836
  {
13774
- component: "identity",
16837
+ component: "control-plane",
13775
16838
  table: "tenantProviderSecrets",
13776
16839
  prepopulation: "runtime_secret",
13777
16840
  copyMode: "none",
13778
16841
  description: "Provider secrets are credentials and must never be copied."
13779
16842
  },
13780
16843
  {
13781
- component: "identity",
16844
+ component: "control-plane",
13782
16845
  table: "tenantProxyGatewayUsage",
13783
16846
  prepopulation: "runtime_log",
13784
16847
  copyMode: "none",
13785
16848
  description: "Proxy gateway usage rows are runtime telemetry."
13786
16849
  },
13787
16850
  {
13788
- component: "identity",
16851
+ component: "control-plane",
13789
16852
  table: "tenantProxyTokenMints",
13790
16853
  prepopulation: "runtime_secret",
13791
16854
  copyMode: "none",
13792
16855
  description: "Proxy token mints are ephemeral secret-bearing runtime rows."
13793
16856
  },
13794
16857
  {
13795
- component: "identity",
16858
+ component: "control-plane",
13796
16859
  table: "tenantSandboxAuditEvents",
13797
16860
  prepopulation: "runtime_log",
13798
16861
  copyMode: "none",
13799
16862
  description: "Sandbox audit rows are runtime security logs."
13800
16863
  },
13801
16864
  {
13802
- component: "identity",
16865
+ component: "control-plane",
13803
16866
  table: "tenantSecrets",
13804
16867
  prepopulation: "runtime_secret",
13805
16868
  copyMode: "none",
13806
16869
  description: "Tenant secrets are credentials and must never be copied."
13807
16870
  },
13808
16871
  {
13809
- component: "identity",
16872
+ component: "control-plane",
13810
16873
  table: "toolAcls",
13811
16874
  prepopulation: "required_template",
13812
16875
  copyMode: "template_global",
@@ -13815,7 +16878,7 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13815
16878
  description: "Default role-to-tool grants are required for SDK/MCP tool access."
13816
16879
  },
13817
16880
  {
13818
- component: "identity",
16881
+ component: "control-plane",
13819
16882
  table: "toolRegistry",
13820
16883
  prepopulation: "required_template",
13821
16884
  copyMode: "template_global",
@@ -13824,7 +16887,7 @@ var TENANT_BOOTSTRAP_TABLE_REQUIREMENTS = [
13824
16887
  description: "Core tool catalog rows are required before pack or tenant tools exist."
13825
16888
  },
13826
16889
  {
13827
- component: "identity",
16890
+ component: "control-plane",
13828
16891
  table: "users",
13829
16892
  prepopulation: "runtime_bootstrap",
13830
16893
  copyMode: "none",
@@ -14209,11 +17272,11 @@ function readString2(value) {
14209
17272
  function readNullableNumber(value) {
14210
17273
  return typeof value === "number" && Number.isFinite(value) ? value : null;
14211
17274
  }
14212
- function isRecord4(value) {
17275
+ function isRecord5(value) {
14213
17276
  return Boolean(value) && typeof value === "object" && !Array.isArray(value);
14214
17277
  }
14215
17278
  function refreshLucernContextFromBuildSession(payload, args) {
14216
- if (!isRecord4(payload)) {
17279
+ if (!isRecord5(payload)) {
14217
17280
  return;
14218
17281
  }
14219
17282
  const topicId = readString2(payload.topicId);
@@ -14418,7 +17481,8 @@ var edgeHandlers = {
14418
17481
  topicId: readString(args.topicId ?? args.projectId),
14419
17482
  confidence: readNumber(args.confidence),
14420
17483
  weight: readNumber(args.weight),
14421
- context: readString(args.context) ?? readString(args.reasoning)
17484
+ context: readString(args.context) ?? readString(args.reasoning),
17485
+ reasoningMethod: readString(args.reasoningMethod)
14422
17486
  })
14423
17487
  );
14424
17488
  },
@@ -14775,6 +17839,14 @@ var generatedFunctionSurfaceHandlers = {
14775
17839
  )
14776
17840
  );
14777
17841
  },
17842
+ async archive_epistemic_node(args, ctx) {
17843
+ return formatSdkResult(
17844
+ await getSdkClient(ctx).raw.functionSurface.archiveEpistemicNode(
17845
+ stripInternalArgs(args),
17846
+ idempotencyKeyFrom(args)
17847
+ )
17848
+ );
17849
+ },
14778
17850
  async archive_ontology(args, ctx) {
14779
17851
  return formatSdkResult(
14780
17852
  await getSdkClient(ctx).raw.functionSurface.archiveOntology(
@@ -14791,6 +17863,22 @@ var generatedFunctionSurfaceHandlers = {
14791
17863
  )
14792
17864
  );
14793
17865
  },
17866
+ async batch_create_edges(args, ctx) {
17867
+ return formatSdkResult(
17868
+ await getSdkClient(ctx).raw.functionSurface.batchCreateEdges(
17869
+ stripInternalArgs(args),
17870
+ idempotencyKeyFrom(args)
17871
+ )
17872
+ );
17873
+ },
17874
+ async batch_create_epistemic_nodes(args, ctx) {
17875
+ return formatSdkResult(
17876
+ await getSdkClient(ctx).raw.functionSurface.batchCreateEpistemicNodes(
17877
+ stripInternalArgs(args),
17878
+ idempotencyKeyFrom(args)
17879
+ )
17880
+ );
17881
+ },
14794
17882
  async begin_build_session(args, ctx) {
14795
17883
  return formatSdkResult(
14796
17884
  await getSdkClient(ctx).raw.functionSurface.beginBuildSession(
@@ -14879,6 +17967,14 @@ var generatedFunctionSurfaceHandlers = {
14879
17967
  )
14880
17968
  );
14881
17969
  },
17970
+ async create_epistemic_node(args, ctx) {
17971
+ return formatSdkResult(
17972
+ await getSdkClient(ctx).raw.functionSurface.createEpistemicNode(
17973
+ stripInternalArgs(args),
17974
+ idempotencyKeyFrom(args)
17975
+ )
17976
+ );
17977
+ },
14882
17978
  async create_evidence(args, ctx) {
14883
17979
  return formatSdkResult(
14884
17980
  await getSdkClient(ctx).raw.functionSurface.createEvidence(
@@ -15079,6 +18175,14 @@ var generatedFunctionSurfaceHandlers = {
15079
18175
  )
15080
18176
  );
15081
18177
  },
18178
+ async get_epistemic_node(args, ctx) {
18179
+ return formatSdkResult(
18180
+ await getSdkClient(ctx).raw.functionSurface.getEpistemicNode(
18181
+ stripInternalArgs(args),
18182
+ idempotencyKeyFrom(args)
18183
+ )
18184
+ );
18185
+ },
15082
18186
  async get_evidence(args, ctx) {
15083
18187
  return formatSdkResult(
15084
18188
  await getSdkClient(ctx).raw.functionSurface.getEvidence(
@@ -15183,6 +18287,14 @@ var generatedFunctionSurfaceHandlers = {
15183
18287
  )
15184
18288
  );
15185
18289
  },
18290
+ async get_topic_graph_spine(args, ctx) {
18291
+ return formatSdkResult(
18292
+ await getSdkClient(ctx).raw.functionSurface.getTopicGraphSpine(
18293
+ stripInternalArgs(args),
18294
+ idempotencyKeyFrom(args)
18295
+ )
18296
+ );
18297
+ },
15186
18298
  async get_topic_tree(args, ctx) {
15187
18299
  return formatSdkResult(
15188
18300
  await getSdkClient(ctx).raw.functionSurface.getTopicTree(
@@ -15263,6 +18375,14 @@ var generatedFunctionSurfaceHandlers = {
15263
18375
  )
15264
18376
  );
15265
18377
  },
18378
+ async list_epistemic_nodes(args, ctx) {
18379
+ return formatSdkResult(
18380
+ await getSdkClient(ctx).raw.functionSurface.listEpistemicNodes(
18381
+ stripInternalArgs(args),
18382
+ idempotencyKeyFrom(args)
18383
+ )
18384
+ );
18385
+ },
15266
18386
  async list_evidence(args, ctx) {
15267
18387
  return formatSdkResult(
15268
18388
  await getSdkClient(ctx).raw.functionSurface.listEvidence(
@@ -15343,6 +18463,14 @@ var generatedFunctionSurfaceHandlers = {
15343
18463
  )
15344
18464
  );
15345
18465
  },
18466
+ async materialize_topic_graph(args, ctx) {
18467
+ return formatSdkResult(
18468
+ await getSdkClient(ctx).raw.functionSurface.materializeTopicGraph(
18469
+ stripInternalArgs(args),
18470
+ idempotencyKeyFrom(args)
18471
+ )
18472
+ );
18473
+ },
15346
18474
  async merge(args, ctx) {
15347
18475
  return formatSdkResult(
15348
18476
  await getSdkClient(ctx).raw.functionSurface.merge(
@@ -15447,6 +18575,22 @@ var generatedFunctionSurfaceHandlers = {
15447
18575
  )
15448
18576
  );
15449
18577
  },
18578
+ async remove_edge(args, ctx) {
18579
+ return formatSdkResult(
18580
+ await getSdkClient(ctx).raw.functionSurface.removeEdge(
18581
+ stripInternalArgs(args),
18582
+ idempotencyKeyFrom(args)
18583
+ )
18584
+ );
18585
+ },
18586
+ async remove_edges_between(args, ctx) {
18587
+ return formatSdkResult(
18588
+ await getSdkClient(ctx).raw.functionSurface.removeEdgesBetween(
18589
+ stripInternalArgs(args),
18590
+ idempotencyKeyFrom(args)
18591
+ )
18592
+ );
18593
+ },
15450
18594
  async remove_lens_from_topic(args, ctx) {
15451
18595
  return formatSdkResult(
15452
18596
  await getSdkClient(ctx).raw.functionSurface.removeLensFromTopic(
@@ -15463,6 +18607,14 @@ var generatedFunctionSurfaceHandlers = {
15463
18607
  )
15464
18608
  );
15465
18609
  },
18610
+ async resolve_interactive_principal(args, ctx) {
18611
+ return formatSdkResult(
18612
+ await getSdkClient(ctx).raw.functionSurface.resolveInteractivePrincipal(
18613
+ stripInternalArgs(args),
18614
+ idempotencyKeyFrom(args)
18615
+ )
18616
+ );
18617
+ },
15466
18618
  async run_graph_intelligence_query(args, ctx) {
15467
18619
  return formatSdkResult(
15468
18620
  await getSdkClient(ctx).raw.functionSurface.runGraphIntelligenceQuery(
@@ -15503,6 +18655,14 @@ var generatedFunctionSurfaceHandlers = {
15503
18655
  )
15504
18656
  );
15505
18657
  },
18658
+ async supersede_epistemic_node(args, ctx) {
18659
+ return formatSdkResult(
18660
+ await getSdkClient(ctx).raw.functionSurface.supersedeEpistemicNode(
18661
+ stripInternalArgs(args),
18662
+ idempotencyKeyFrom(args)
18663
+ )
18664
+ );
18665
+ },
15506
18666
  async trace_entity_impact(args, ctx) {
15507
18667
  return formatSdkResult(
15508
18668
  await getSdkClient(ctx).raw.functionSurface.traceEntityImpact(
@@ -15527,6 +18687,22 @@ var generatedFunctionSurfaceHandlers = {
15527
18687
  )
15528
18688
  );
15529
18689
  },
18690
+ async update_edge(args, ctx) {
18691
+ return formatSdkResult(
18692
+ await getSdkClient(ctx).raw.functionSurface.updateEdge(
18693
+ stripInternalArgs(args),
18694
+ idempotencyKeyFrom(args)
18695
+ )
18696
+ );
18697
+ },
18698
+ async update_epistemic_node(args, ctx) {
18699
+ return formatSdkResult(
18700
+ await getSdkClient(ctx).raw.functionSurface.updateEpistemicNode(
18701
+ stripInternalArgs(args),
18702
+ idempotencyKeyFrom(args)
18703
+ )
18704
+ );
18705
+ },
15530
18706
  async update_ontology(args, ctx) {
15531
18707
  return formatSdkResult(
15532
18708
  await getSdkClient(ctx).raw.functionSurface.updateOntology(
@@ -15574,6 +18750,14 @@ var generatedFunctionSurfaceHandlers = {
15574
18750
  idempotencyKeyFrom(args)
15575
18751
  )
15576
18752
  );
18753
+ },
18754
+ async verify_epistemic_node(args, ctx) {
18755
+ return formatSdkResult(
18756
+ await getSdkClient(ctx).raw.functionSurface.verifyEpistemicNode(
18757
+ stripInternalArgs(args),
18758
+ idempotencyKeyFrom(args)
18759
+ )
18760
+ );
15577
18761
  }
15578
18762
  };
15579
18763
 
@@ -15735,7 +18919,7 @@ function readStringArray2(value) {
15735
18919
  }
15736
18920
  return value.map((entry) => readString3(entry)).filter((entry) => Boolean(entry));
15737
18921
  }
15738
- function isRecord5(value) {
18922
+ function isRecord6(value) {
15739
18923
  return value !== null && typeof value === "object" && !Array.isArray(value);
15740
18924
  }
15741
18925
  function decodePrefixedIdOrNull(value) {
@@ -15750,7 +18934,7 @@ function decodePrefixedIdOrNull(value) {
15750
18934
  };
15751
18935
  }
15752
18936
  function asRecord2(value) {
15753
- return isRecord5(value) ? value : {};
18937
+ return isRecord6(value) ? value : {};
15754
18938
  }
15755
18939
  function normalizeTopicId(value) {
15756
18940
  const normalized = readString3(value);
@@ -16023,7 +19207,7 @@ async function resolveBeliefTopicId(ctx, beliefId) {
16023
19207
  if (!normalizedBeliefId) {
16024
19208
  return void 0;
16025
19209
  }
16026
- return fetchRecordTopicId(ctx, api.epistemicBeliefs.getById, {
19210
+ return fetchRecordTopicId(ctx, api.beliefs.getById, {
16027
19211
  beliefId: normalizedBeliefId,
16028
19212
  nodeId: normalizedBeliefId
16029
19213
  });
@@ -16885,7 +20069,7 @@ var researchVerificationHandlers = {
16885
20069
  function cleanString(value) {
16886
20070
  return typeof value === "string" && value.trim().length > 0 ? value.trim() : void 0;
16887
20071
  }
16888
- function isRecord6(value) {
20072
+ function isRecord7(value) {
16889
20073
  return value !== null && typeof value === "object" && !Array.isArray(value);
16890
20074
  }
16891
20075
  function prefixId(prefix, value) {
@@ -16941,7 +20125,7 @@ function toPublicCompiledContext(pack) {
16941
20125
  scopedTopicIds: (pack.scopedTopicIds ?? []).map((id) => prefixId("top", id)),
16942
20126
  generatedAt: pack.generatedAt,
16943
20127
  ranking: pack.rankingProfile,
16944
- summary: isRecord6(pack.summary) ? pack.summary : {},
20128
+ summary: isRecord7(pack.summary) ? pack.summary : {},
16945
20129
  invariants: (pack.invariants ?? []).map((belief) => ({
16946
20130
  beliefId: prefixId("bel", belief.nodeId),
16947
20131
  text: belief.canonicalText,
@@ -17012,7 +20196,7 @@ function toPublicCompiledContext(pack) {
17012
20196
  }))
17013
20197
  } : {}
17014
20198
  },
17015
- diagnostics: isRecord6(pack.diagnostics) ? pack.diagnostics : {},
20199
+ diagnostics: isRecord7(pack.diagnostics) ? pack.diagnostics : {},
17016
20200
  ...pack.compilationMode ? { compilationMode: pack.compilationMode } : {},
17017
20201
  ...pack.failureContext ? {
17018
20202
  failureContext: {
@@ -17520,6 +20704,21 @@ async function checkWritePolicy(toolName, topicId, authCtx) {
17520
20704
  authCtx
17521
20705
  });
17522
20706
  if (!result) {
20707
+ if (authCtx.sessionType === "agent") {
20708
+ return {
20709
+ allowed: false,
20710
+ permission: "deny",
20711
+ toolCategory: null,
20712
+ policy: null,
20713
+ reason: "no_policy_response",
20714
+ explanation: {
20715
+ summary: "Denied because agent write-policy checks fail closed when no policy response is returned.",
20716
+ toolName,
20717
+ role: authCtx.role,
20718
+ topicId
20719
+ }
20720
+ };
20721
+ }
17523
20722
  return {
17524
20723
  allowed: true,
17525
20724
  permission: "allow",
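Review bot: The new fail-closed branch is keyed on `authCtx.sessionType === "agent"`, so every other value, including a missing or misspelled `sessionType`, still falls through to the `allowed: true` return below it. For an authorization default it is safer to invert the test and deny unless the session type is one that is explicitly permitted to fail open. The same condition guards the `catch` branch in the next hunk. If the remaining allow path is intentional, say so above it, e.g. `// fail-open is deliberate for non-agent sessions: <reason>`. `checkWritePolicy` starts and ends outside this hunk.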
@@ -17553,6 +20752,33 @@ async function checkWritePolicy(toolName, topicId, authCtx) {
17553
20752
  }
17554
20753
  return result;
17555
20754
  } catch (err) {
20755
+ if (authCtx.sessionType === "agent") {
20756
+ return {
20757
+ allowed: false,
20758
+ permission: "deny",
20759
+ toolCategory: null,
20760
+ policy: null,
20761
+ explanation: {
20762
+ summary: "Denied because agent write-policy checks fail closed on policy evaluation errors.",
20763
+ matchedReasonCode: "WRITE_POLICY_CHECK_ERROR",
20764
+ steps: [
20765
+ {
20766
+ stage: "policy_lookup",
20767
+ outcome: "failed",
20768
+ reasonCode: "WRITE_POLICY_CHECK_ERROR",
20769
+ detail: err instanceof Error ? err.message : "Unknown policy evaluation error."
20770
+ },
20771
+ {
20772
+ stage: "decision",
20773
+ outcome: "failed",
20774
+ reasonCode: "WRITE_POLICY_CHECK_ERROR",
20775
+ detail: "Agent sessions cannot convert a write-policy infrastructure error into an allow."
20776
+ }
20777
+ ]
20778
+ },
20779
+ reason: "policy_check_error"
20780
+ };
20781
+ }
17556
20782
  console.error(
17557
20783
  `[write-policy] Policy check failed for ${toolName}: ${err instanceof Error ? err.message : err}. Allowing (fail-open).`
17558
20784
  );
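Review bot: The agent deny branch returns before the `console.error` call, so a policy-backend failure that blocks an agent write leaves no log line, while the fail-open path does log. Move the log above the `sessionType` check (or repeat it inside the branch) so outages and repeated denials are visible to whoever monitors this service. The branch also copies `err.message` into `explanation.steps[0].detail`, which is presumably surfaced to the caller; keep the raw backend error in the server log and return a fixed string instead, e.g. `detail: "Policy evaluation failed."`. This deny object omits the `toolName`, `role` and `topicId` fields that the `no_policy_response` deny in the previous hunk includes, so consumers see two shapes for the same decision. The `catch` block continues past the end of this hunk.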