@lucern/sdk 0.3.0-alpha.10 → 0.3.0-alpha.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (104) hide show
  1. package/README.md +1 -1
  2. package/dist/accessControl.d.ts +78 -0
  3. package/dist/accessControl.js +1118 -0
  4. package/dist/accessControl.js.map +1 -0
  5. package/dist/adminClient.js.map +1 -1
  6. package/dist/answersClient.js.map +1 -1
  7. package/dist/audiencesClient.js.map +1 -1
  8. package/dist/auditClient.js.map +1 -1
  9. package/dist/authContext.d.ts +1 -1
  10. package/dist/authContext.js.map +1 -1
  11. package/dist/beliefs/index.d.ts +1 -0
  12. package/dist/beliefs/index.js +799 -551
  13. package/dist/beliefs/index.js.map +1 -1
  14. package/dist/beliefsClient.js.map +1 -1
  15. package/dist/client.d.ts +27 -8
  16. package/dist/client.js +799 -551
  17. package/dist/client.js.map +1 -1
  18. package/dist/contextClient.js.map +1 -1
  19. package/dist/contracts/api-enums.contract.d.ts +1 -1
  20. package/dist/contracts/api-enums.contract.js +6 -1
  21. package/dist/contracts/api-enums.contract.js.map +1 -1
  22. package/dist/contracts/index.js +12 -1
  23. package/dist/contracts/index.js.map +1 -1
  24. package/dist/contracts/mcpTools.js +6 -0
  25. package/dist/contracts/mcpTools.js.map +1 -1
  26. package/dist/contradictions/index.d.ts +1 -0
  27. package/dist/contradictions/index.js +799 -551
  28. package/dist/contradictions/index.js.map +1 -1
  29. package/dist/coreClient.js.map +1 -1
  30. package/dist/decisions/index.d.ts +1 -0
  31. package/dist/decisions/index.js +799 -551
  32. package/dist/decisions/index.js.map +1 -1
  33. package/dist/decisionsClient.js.map +1 -1
  34. package/dist/edges/index.d.ts +1 -0
  35. package/dist/edges/index.js +799 -551
  36. package/dist/edges/index.js.map +1 -1
  37. package/dist/embeddingsClient.js.map +1 -1
  38. package/dist/eventingClient.js.map +1 -1
  39. package/dist/eventsCore.js.map +1 -1
  40. package/dist/evidence/index.d.ts +1 -0
  41. package/dist/evidence/index.js +799 -551
  42. package/dist/evidence/index.js.map +1 -1
  43. package/dist/evidenceClient.js.map +1 -1
  44. package/dist/functionSurface.js.map +1 -1
  45. package/dist/functionSurfaceClient.js.map +1 -1
  46. package/dist/gatewayFacades.d.ts +1 -0
  47. package/dist/gatewayFacades.js.map +1 -1
  48. package/dist/graphAnalysisClient.js.map +1 -1
  49. package/dist/graphClient.d.ts +1 -0
  50. package/dist/graphClient.js.map +1 -1
  51. package/dist/graphIntel.d.ts +1 -0
  52. package/dist/graphRecommendationsClient.js.map +1 -1
  53. package/dist/graphStateClassifierClient.js.map +1 -1
  54. package/dist/harnessClient.js.map +1 -1
  55. package/dist/identityClient.d.ts +1 -1
  56. package/dist/identityClient.js.map +1 -1
  57. package/dist/index.d.ts +2 -0
  58. package/dist/index.js +790 -490
  59. package/dist/index.js.map +1 -1
  60. package/dist/infisicalRuntime.d.ts +1 -0
  61. package/dist/infisicalRuntime.js +64 -32
  62. package/dist/infisicalRuntime.js.map +1 -1
  63. package/dist/jobsClient.js.map +1 -1
  64. package/dist/learningClient.js.map +1 -1
  65. package/dist/lenses/index.d.ts +1 -0
  66. package/dist/lenses/index.js +799 -551
  67. package/dist/lenses/index.js.map +1 -1
  68. package/dist/mcpClient.js +2 -1
  69. package/dist/mcpClient.js.map +1 -1
  70. package/dist/modelRuntimeClient.js.map +1 -1
  71. package/dist/nodes/index.d.ts +1 -0
  72. package/dist/nodes/index.js +799 -551
  73. package/dist/nodes/index.js.map +1 -1
  74. package/dist/ontologies/index.d.ts +1 -0
  75. package/dist/ontologies/index.js +799 -551
  76. package/dist/ontologies/index.js.map +1 -1
  77. package/dist/ontologyClient.js.map +1 -1
  78. package/dist/ontologyLinksClient.js.map +1 -1
  79. package/dist/orgGraphSearchClient.js.map +1 -1
  80. package/dist/packsClient.js.map +1 -1
  81. package/dist/policyClient.js.map +1 -1
  82. package/dist/questions/index.d.ts +1 -0
  83. package/dist/questions/index.js +799 -551
  84. package/dist/questions/index.js.map +1 -1
  85. package/dist/reportsClient.js.map +1 -1
  86. package/dist/schemaClient.js.map +1 -1
  87. package/dist/secrets.d.ts +1 -0
  88. package/dist/secrets.js +3 -0
  89. package/dist/secrets.js.map +1 -0
  90. package/dist/sourcesClient.js.map +1 -1
  91. package/dist/telemetryClient.js.map +1 -1
  92. package/dist/toolRegistryClient.js.map +1 -1
  93. package/dist/topics/index.d.ts +1 -0
  94. package/dist/topics/index.js +799 -551
  95. package/dist/topics/index.js.map +1 -1
  96. package/dist/topicsClient.js.map +1 -1
  97. package/dist/version.d.ts +1 -1
  98. package/dist/version.js +1 -1
  99. package/dist/version.js.map +1 -1
  100. package/dist/workflowClient.js.map +1 -1
  101. package/dist/worktrees/index.d.ts +1 -0
  102. package/dist/worktrees/index.js +799 -551
  103. package/dist/worktrees/index.js.map +1 -1
  104. package/package.json +5 -4
package/dist/index.js CHANGED
@@ -5,7 +5,9 @@ import { LUCERN_OPERATION_MANIFEST } from '@lucern/contracts/function-registry/m
5
5
  import * as graphIntel_star from '@lucern/reasoning-kernel/graphIntel';
6
6
  import { listGraphIntelligenceQueries, isGraphIntelligenceQueryMode, getGraphIntelligenceQuery, fillGraphIntelligencePromptTemplate, GRAPH_INTELLIGENCE_QUICK_QUERIES, GRAPH_INTELLIGENCE_QUERY_MODES, GRAPH_INTELLIGENCE_QUERY_CATEGORIES, GRAPH_INTELLIGENCE_QUERY_CATALOG_VERSION, GRAPH_INTELLIGENCE_QUERIES_WITH_TOOLS, GRAPH_INTELLIGENCE_QUERIES, GRAPH_INTELLIGENCE_PUBLIC_TOOL_NAMES, GRAPH_INTELLIGENCE_MODE_TOOL_NAMES } from '@lucern/contracts/graph-intelligence.contract';
7
7
  export { GRAPH_INTELLIGENCE_MODE_TOOL_NAMES, GRAPH_INTELLIGENCE_PUBLIC_TOOL_NAMES, GRAPH_INTELLIGENCE_QUERIES, GRAPH_INTELLIGENCE_QUERIES_WITH_TOOLS, GRAPH_INTELLIGENCE_QUERY_CATALOG_VERSION, GRAPH_INTELLIGENCE_QUERY_CATEGORIES, GRAPH_INTELLIGENCE_QUERY_MODES, GRAPH_INTELLIGENCE_QUICK_QUERIES, fillGraphIntelligencePromptTemplate, getGraphIntelligenceQuery, isGraphIntelligenceQueryMode, listGraphIntelligenceQueries } from '@lucern/contracts/graph-intelligence.contract';
8
- import { INFISICAL_RUNTIME_MANIFEST, INFISICAL_RUNTIME_DEFAULT_PROJECT_ID, INFISICAL_RUNTIME_DEFAULT_API_URL, findInfisicalRuntimeSurface, findInfisicalRuntimePath } from '@lucern/contracts';
8
+ import { INFISICAL_RUNTIME_MANIFEST, INFISICAL_RUNTIME_DEFAULT_PROJECT_ID, INFISICAL_RUNTIME_DEFAULT_API_URL, findInfisicalRuntimeSurface, findInfisicalRuntimePath, GENERATED_INFISICAL_RUNTIME_ENV } from '@lucern/contracts';
9
+ import { resolveInfisicalSecretFromBinding, SecretResolverError } from '@lucern/secrets';
10
+ export { SecretResolverError, resolveInfisicalSecretFromBinding } from '@lucern/secrets';
9
11
 
10
12
  var __defProp = Object.defineProperty;
11
13
  var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
@@ -77,6 +79,7 @@ __export(src_exports, {
77
79
  LENS_STATUSES: () => LENS_STATUSES,
78
80
  LENS_TASK_TEMPLATE_PRIORITIES: () => LENS_TASK_TEMPLATE_PRIORITIES,
79
81
  LUCERN_SDK_VERSION: () => LUCERN_SDK_VERSION,
82
+ LucernAccessControlError: () => LucernAccessControlError,
80
83
  LucernApiError: () => LucernApiError,
81
84
  LucernSdkAuthContextError: () => LucernSdkAuthContextError,
82
85
  MAX_ENTITY_LIMIT: () => MAX_ENTITY_LIMIT,
@@ -92,6 +95,7 @@ __export(src_exports, {
92
95
  SESSION_LIFECYCLE_STATUSES: () => SESSION_LIFECYCLE_STATUSES,
93
96
  SESSION_PRINCIPAL_TYPES: () => SESSION_PRINCIPAL_TYPES,
94
97
  STRUCTURAL_EDGE_TYPES: () => STRUCTURAL_EDGE_TYPES,
98
+ SecretResolverError: () => SecretResolverError,
95
99
  TELEMETRY_FIELDS: () => TELEMETRY_FIELDS,
96
100
  TENANT_IDENTITY_FIELDS: () => TENANT_IDENTITY_FIELDS,
97
101
  TOOL_REGISTRY_FIELDS: () => TOOL_REGISTRY_FIELDS,
@@ -113,6 +117,7 @@ __export(src_exports, {
113
117
  applyInfisicalRuntimeEnv: () => applyInfisicalRuntimeEnv,
114
118
  asListItems: () => asListItems,
115
119
  asRecord: () => asRecord,
120
+ assertPermitAllowed: () => assertPermitAllowed,
116
121
  assertValidWebhookSecret: () => assertValidWebhookSecret,
117
122
  assertValidWebhookUrl: () => assertValidWebhookUrl,
118
123
  buildDeprecatedBranchMetadata: () => buildDeprecatedBranchMetadata,
@@ -123,6 +128,7 @@ __export(src_exports, {
123
128
  compareEventCursor: () => compareEventCursor,
124
129
  compileContextPackFromSnapshot: () => compileContextPackFromSnapshot,
125
130
  computeWebhookSignature: () => computeWebhookSignature,
131
+ createAccessControlClient: () => createAccessControlClient,
126
132
  createAdminClient: () => createAdminClient,
127
133
  createAnswersClient: () => createAnswersClient,
128
134
  createAudiencesClient: () => createAudiencesClient,
@@ -169,6 +175,7 @@ __export(src_exports, {
169
175
  encodeEventCursor: () => encodeEventCursor,
170
176
  eventPatternToRegExp: () => eventPatternToRegExp,
171
177
  fillGraphIntelligencePromptTemplate: () => fillGraphIntelligencePromptTemplate,
178
+ formatPermitResource: () => formatPermitResource,
172
179
  getControlObjectOwnershipCase: () => getControlObjectOwnershipCase,
173
180
  getGraphIntelligenceQuery: () => getGraphIntelligenceQuery,
174
181
  getMcpToolExposure: () => getMcpToolExposure,
@@ -200,6 +207,7 @@ __export(src_exports, {
200
207
  migrateBranchToLens: () => migrateBranchToLens,
201
208
  nextDeliveryAttemptAt: () => nextDeliveryAttemptAt,
202
209
  normalizeCanonicalLucernAuthContext: () => normalizeCanonicalLucernAuthContext,
210
+ normalizeCanonicalPrincipalIdentity: () => normalizeCanonicalPrincipalIdentity,
203
211
  normalizeDelegationChain: () => normalizeDelegationChain,
204
212
  normalizeNodeVerificationStatus: () => normalizeNodeVerificationStatus,
205
213
  normalizeNodeWriteInput: () => normalizeNodeWriteInput,
@@ -214,6 +222,7 @@ __export(src_exports, {
214
222
  readInfisicalRuntimeBootstrap: () => readInfisicalRuntimeBootstrap,
215
223
  registerCustomTool: () => registerCustomTool,
216
224
  resolveDeliveryFailureStatus: () => resolveDeliveryFailureStatus,
225
+ resolveInfisicalSecretFromBinding: () => resolveInfisicalSecretFromBinding,
217
226
  resolveText: () => resolveText,
218
227
  resolveTopicId: () => resolveTopicId,
219
228
  sanitizeWebhookRecord: () => sanitizeWebhookRecord,
@@ -1306,6 +1315,574 @@ function createAdminClient(config = {}) {
1306
1315
  };
1307
1316
  }
1308
1317
 
1318
+ // src/boundaryClientSurface.ts
1319
+ function cleanOptionalString(value) {
1320
+ const normalized = value?.trim();
1321
+ return normalized ? normalized : void 0;
1322
+ }
1323
+ function isRecord3(value) {
1324
+ return Boolean(value) && typeof value === "object" && !Array.isArray(value);
1325
+ }
1326
+ function cleanRequiredString(value, label) {
1327
+ const normalized = cleanOptionalString(value);
1328
+ if (!normalized) {
1329
+ throw new Error(`${label} is required`);
1330
+ }
1331
+ return normalized;
1332
+ }
1333
+ function readTopicId(input) {
1334
+ return cleanOptionalString(input.topicId) ?? cleanOptionalString(input.projectId);
1335
+ }
1336
+ function requireTopicId(input) {
1337
+ const topicId = readTopicId(input);
1338
+ if (!topicId) {
1339
+ throw new Error("topicId is required");
1340
+ }
1341
+ return topicId;
1342
+ }
1343
+ function assertKnownKeys(input, allowed, operation) {
1344
+ const allowedSet = new Set(allowed);
1345
+ const unknownKeys = Object.keys(input).filter((key) => !allowedSet.has(key));
1346
+ if (unknownKeys.length > 0) {
1347
+ throw new Error(
1348
+ `${operation} received unsupported field(s): ${unknownKeys.join(", ")}`
1349
+ );
1350
+ }
1351
+ }
1352
+ function knownPayload(input, allowed, operation) {
1353
+ assertKnownKeys(input, allowed, operation);
1354
+ return { ...input };
1355
+ }
1356
+ function topicPayload(input, allowed, operation) {
1357
+ assertKnownKeys(input, allowed, operation);
1358
+ return {
1359
+ ...input,
1360
+ topicId: requireTopicId(input),
1361
+ projectId: void 0
1362
+ };
1363
+ }
1364
+ function listResultFromEnvelope(data, legacyKey) {
1365
+ const record = isRecord3(data) ? data : {};
1366
+ const legacyItems = record[legacyKey];
1367
+ return createListResult(
1368
+ Array.isArray(legacyItems) ? legacyItems : Array.isArray(data) ? data : [],
1369
+ legacyKey
1370
+ );
1371
+ }
1372
+
1373
+ // src/identityClient.ts
1374
+ function createIdentityWhoamiClient(config = {}) {
1375
+ const gateway = createGatewayRequestClient(config);
1376
+ return {
1377
+ async whoami() {
1378
+ return gateway.request({
1379
+ path: "/api/platform/v1/identity/whoami"
1380
+ });
1381
+ }
1382
+ };
1383
+ }
1384
+ var TENANT_IDENTITY_FIELDS = [
1385
+ "tenantId",
1386
+ "workspaceId",
1387
+ "principalId",
1388
+ "integrationKey",
1389
+ "secretRef",
1390
+ "policySubject",
1391
+ "policyAction",
1392
+ "policyResource",
1393
+ "decision",
1394
+ "config",
1395
+ "configKey",
1396
+ "configValue",
1397
+ "provider",
1398
+ "status",
1399
+ "metadata",
1400
+ "limit",
1401
+ "cursor"
1402
+ ];
1403
+ function tenantIdentityQuery(input) {
1404
+ return {
1405
+ tenantId: cleanRequiredString(input.tenantId, "tenantId"),
1406
+ workspaceId: input.workspaceId,
1407
+ principalId: input.principalId,
1408
+ limit: input.limit,
1409
+ cursor: input.cursor
1410
+ };
1411
+ }
1412
+ function tenantIdentityBody(input, operation) {
1413
+ return knownPayload(input, TENANT_IDENTITY_FIELDS, operation);
1414
+ }
1415
+ function createIdentityClient(config = {}) {
1416
+ const gateway = createGatewayRequestClient(config);
1417
+ const whoamiClient = createIdentityWhoamiClient(config);
1418
+ const requestPrincipalWrite = (method, input, idempotencyKey) => gateway.request({
1419
+ path: "/api/platform/v1/identity/principals",
1420
+ method,
1421
+ body: input,
1422
+ idempotencyKey: idempotencyKey ?? randomIdempotencyKey()
1423
+ });
1424
+ const updatePrincipal = (input, idempotencyKey) => requestPrincipalWrite("PATCH", input, idempotencyKey);
1425
+ const deleteKey = (keyId, input = {}, idempotencyKey) => gateway.request({
1426
+ path: `/api/platform/v1/identity/keys/${encodeURIComponent(keyId)}/revoke`,
1427
+ method: "POST",
1428
+ body: input,
1429
+ idempotencyKey: idempotencyKey ?? randomIdempotencyKey()
1430
+ });
1431
+ return {
1432
+ /**
1433
+ * Resolve the current authenticated identity summary.
1434
+ */
1435
+ async whoami() {
1436
+ return whoamiClient.whoami().then(
1437
+ (response) => mapGatewayData(response, (data) => ({
1438
+ principalId: data.principalId,
1439
+ principalType: data.principalType,
1440
+ tenantId: data.tenantId ?? null,
1441
+ workspaceId: data.workspaceId ?? null,
1442
+ scopes: Array.isArray(data.scopes) ? data.scopes : [],
1443
+ roles: Array.isArray(data.roles) ? data.roles : [],
1444
+ isPlatformAdmin: data.isPlatformAdmin === true,
1445
+ isTenantAdmin: data.isTenantAdmin === true,
1446
+ isWorkspaceAdmin: data.isWorkspaceAdmin === true,
1447
+ authMode: data.authMode,
1448
+ sessionId: data.sessionId,
1449
+ delegatedBy: data.delegatedBy,
1450
+ expiresAt: data.expiresAt
1451
+ }))
1452
+ );
1453
+ },
1454
+ /**
1455
+ * List principals in the current identity scope.
1456
+ */
1457
+ async listPrincipals(query5 = {}) {
1458
+ return gateway.request({
1459
+ path: `/api/platform/v1/identity/principals${toQueryString(query5)}`
1460
+ }).then(
1461
+ (response) => mapGatewayData(
1462
+ response,
1463
+ (data) => createListResult(
1464
+ Array.isArray(data) ? data : [],
1465
+ "principals"
1466
+ )
1467
+ )
1468
+ );
1469
+ },
1470
+ /**
1471
+ * Create a principal.
1472
+ */
1473
+ async createPrincipal(input, idempotencyKey) {
1474
+ return requestPrincipalWrite("POST", input, idempotencyKey);
1475
+ },
1476
+ /**
1477
+ * Update a principal.
1478
+ */
1479
+ updatePrincipal,
1480
+ /**
1481
+ * @deprecated Use createPrincipal or updatePrincipal.
1482
+ */
1483
+ upsertPrincipal: updatePrincipal,
1484
+ /**
1485
+ * List keys in the current identity scope.
1486
+ */
1487
+ async listKeys(query5 = {}) {
1488
+ return gateway.request({
1489
+ path: `/api/platform/v1/identity/keys${toQueryString(query5)}`
1490
+ }).then(
1491
+ (response) => mapGatewayData(
1492
+ response,
1493
+ (data) => createListResult(Array.isArray(data) ? data : [], "keys")
1494
+ )
1495
+ );
1496
+ },
1497
+ /**
1498
+ * Create an API key.
1499
+ */
1500
+ async createKey(input, idempotencyKey) {
1501
+ return gateway.request({
1502
+ path: "/api/platform/v1/identity/keys",
1503
+ method: "POST",
1504
+ body: input,
1505
+ idempotencyKey: idempotencyKey ?? randomIdempotencyKey()
1506
+ });
1507
+ },
1508
+ /**
1509
+ * Rotate an API key.
1510
+ */
1511
+ async rotateKey(keyId, input = {}, idempotencyKey) {
1512
+ return gateway.request({
1513
+ path: `/api/platform/v1/identity/keys/${encodeURIComponent(keyId)}/rotate`,
1514
+ method: "POST",
1515
+ body: input,
1516
+ idempotencyKey: idempotencyKey ?? randomIdempotencyKey()
1517
+ });
1518
+ },
1519
+ /**
1520
+ * Delete an API key by revoking it.
1521
+ */
1522
+ deleteKey,
1523
+ /**
1524
+ * @deprecated Use deleteKey.
1525
+ */
1526
+ revokeKey: deleteKey,
1527
+ /**
1528
+ * Search Clerk users by email or display attributes.
1529
+ */
1530
+ async searchClerkUsers(q) {
1531
+ return gateway.request({
1532
+ path: `/api/platform/v1/identity/clerk-users${toQueryString({ q })}`
1533
+ });
1534
+ },
1535
+ async getTenantConfig(input) {
1536
+ return gateway.request({
1537
+ path: `/api/platform/v1/identity/tenant-config${toQueryString(
1538
+ tenantIdentityQuery(input)
1539
+ )}`
1540
+ });
1541
+ },
1542
+ async updateTenantConfig(input, idempotencyKey) {
1543
+ cleanRequiredString(input.tenantId, "tenantId");
1544
+ return gateway.request({
1545
+ path: "/api/platform/v1/identity/tenant-config",
1546
+ method: "PATCH",
1547
+ body: tenantIdentityBody(
1548
+ input,
1549
+ "identity.updateTenantConfig"
1550
+ ),
1551
+ idempotencyKey: idempotencyKey ?? randomIdempotencyKey()
1552
+ });
1553
+ },
1554
+ async listIntegrations(input) {
1555
+ return gateway.request({
1556
+ path: `/api/platform/v1/identity/integrations${toQueryString(
1557
+ tenantIdentityQuery(input)
1558
+ )}`
1559
+ }).then(
1560
+ (response) => mapGatewayData(
1561
+ response,
1562
+ (data) => listResultFromEnvelope(
1563
+ data,
1564
+ "integrations"
1565
+ )
1566
+ )
1567
+ );
1568
+ },
1569
+ async upsertIntegration(input, idempotencyKey) {
1570
+ cleanRequiredString(input.tenantId, "tenantId");
1571
+ cleanRequiredString(input.integrationKey, "integrationKey");
1572
+ return gateway.request({
1573
+ path: "/api/platform/v1/identity/integrations",
1574
+ method: "PUT",
1575
+ body: tenantIdentityBody(
1576
+ input,
1577
+ "identity.upsertIntegration"
1578
+ ),
1579
+ idempotencyKey: idempotencyKey ?? randomIdempotencyKey()
1580
+ });
1581
+ },
1582
+ async listSecrets(input) {
1583
+ return gateway.request({
1584
+ path: `/api/platform/v1/identity/secrets${toQueryString(
1585
+ tenantIdentityQuery(input)
1586
+ )}`
1587
+ }).then(
1588
+ (response) => mapGatewayData(
1589
+ response,
1590
+ (data) => listResultFromEnvelope(
1591
+ data,
1592
+ "secrets"
1593
+ )
1594
+ )
1595
+ );
1596
+ },
1597
+ async putSecretReference(input, idempotencyKey) {
1598
+ cleanRequiredString(input.tenantId, "tenantId");
1599
+ cleanRequiredString(input.secretRef, "secretRef");
1600
+ return gateway.request({
1601
+ path: "/api/platform/v1/identity/secrets",
1602
+ method: "PUT",
1603
+ body: tenantIdentityBody(
1604
+ input,
1605
+ "identity.putSecretReference"
1606
+ ),
1607
+ idempotencyKey: idempotencyKey ?? randomIdempotencyKey()
1608
+ });
1609
+ },
1610
+ async evaluatePolicy(input, idempotencyKey) {
1611
+ cleanRequiredString(input.tenantId, "tenantId");
1612
+ cleanRequiredString(input.policySubject, "policySubject");
1613
+ cleanRequiredString(input.policyAction, "policyAction");
1614
+ cleanRequiredString(input.policyResource, "policyResource");
1615
+ return gateway.request({
1616
+ path: "/api/platform/v1/identity/policy/evaluate",
1617
+ method: "POST",
1618
+ body: tenantIdentityBody(
1619
+ input,
1620
+ "identity.evaluatePolicy"
1621
+ ),
1622
+ idempotencyKey: idempotencyKey ?? randomIdempotencyKey()
1623
+ });
1624
+ },
1625
+ async recordPolicyDecision(input, idempotencyKey) {
1626
+ cleanRequiredString(input.tenantId, "tenantId");
1627
+ cleanRequiredString(input.decision, "decision");
1628
+ return gateway.request({
1629
+ path: "/api/platform/v1/identity/policy/decisions",
1630
+ method: "POST",
1631
+ body: tenantIdentityBody(
1632
+ input,
1633
+ "identity.recordPolicyDecision"
1634
+ ),
1635
+ idempotencyKey: idempotencyKey ?? randomIdempotencyKey()
1636
+ });
1637
+ }
1638
+ };
1639
+ }
1640
+
1641
+ // src/accessControl.ts
1642
+ var LucernAccessControlError = class extends LucernSdkAuthContextError {
1643
+ policyDecision;
1644
+ constructor(reason, message, policyDecision) {
1645
+ super(reason, message);
1646
+ this.name = "LucernAccessControlError";
1647
+ this.policyDecision = policyDecision;
1648
+ }
1649
+ };
1650
+ function cleanString3(value) {
1651
+ const normalized = value?.trim();
1652
+ return normalized ? normalized : void 0;
1653
+ }
1654
+ function cleanStringList2(values) {
1655
+ if (!values) {
1656
+ return [];
1657
+ }
1658
+ return [
1659
+ ...new Set(
1660
+ values.map((value) => value.trim()).filter((value) => value.length > 0)
1661
+ )
1662
+ ];
1663
+ }
1664
+ function requireString2(value, reason, label) {
1665
+ const normalized = cleanString3(value);
1666
+ if (!normalized) {
1667
+ throw new LucernAccessControlError(
1668
+ reason,
1669
+ `Lucern SDK access control requires ${label}.`
1670
+ );
1671
+ }
1672
+ return normalized;
1673
+ }
1674
+ function normalizePrincipalType(principalType) {
1675
+ if (principalType === "agent") {
1676
+ return "agent";
1677
+ }
1678
+ if (principalType === "service") {
1679
+ return "service";
1680
+ }
1681
+ return "human";
1682
+ }
1683
+ function aliasKey(alias) {
1684
+ return `${alias.provider}:${alias.providerProjectId ?? ""}:${alias.externalSubjectId}`;
1685
+ }
1686
+ function normalizeAliases(input, canonicalClerkUserId) {
1687
+ const aliases = /* @__PURE__ */ new Map();
1688
+ for (const alias of input ?? []) {
1689
+ const externalSubjectId = cleanString3(alias.externalSubjectId);
1690
+ if (!externalSubjectId) {
1691
+ continue;
1692
+ }
1693
+ const normalized = {
1694
+ provider: cleanString3(alias.provider) ?? "clerk",
1695
+ providerProjectId: cleanString3(alias.providerProjectId),
1696
+ externalSubjectId,
1697
+ status: cleanString3(alias.status)
1698
+ };
1699
+ aliases.set(aliasKey(normalized), normalized);
1700
+ }
1701
+ if (canonicalClerkUserId) {
1702
+ const canonicalAlias = {
1703
+ provider: "clerk",
1704
+ externalSubjectId: canonicalClerkUserId,
1705
+ status: "active"
1706
+ };
1707
+ aliases.set(aliasKey(canonicalAlias), canonicalAlias);
1708
+ }
1709
+ return [...aliases.values()];
1710
+ }
1711
+ function isKnownClerkSubject(args) {
1712
+ if (args.clerkId === args.canonicalClerkUserId) {
1713
+ return true;
1714
+ }
1715
+ return args.aliases.some(
1716
+ (alias) => alias.provider === "clerk" && alias.externalSubjectId === args.clerkId
1717
+ );
1718
+ }
1719
+ function authContextToPrincipalInput(input) {
1720
+ const normalized = normalizeCanonicalLucernAuthContext(input);
1721
+ return {
1722
+ principalId: normalized.principalId,
1723
+ principalType: normalized.principalType,
1724
+ canonicalClerkUserId: normalized.clerkId,
1725
+ clerkId: normalized.clerkId,
1726
+ tenantId: normalized.tenantId,
1727
+ workspaceId: normalized.workspaceId,
1728
+ roles: normalized.roles,
1729
+ scopes: normalized.scopes
1730
+ };
1731
+ }
1732
+ function isAuthContextInput(input) {
1733
+ return "authMode" in input || "permit" in input || "delegationChain" in input;
1734
+ }
1735
+ function normalizeCanonicalPrincipalIdentity(input, options = {}) {
1736
+ const principalInput = isAuthContextInput(input) ? authContextToPrincipalInput(input) : input;
1737
+ const principalId = requireString2(
1738
+ principalInput.principalId,
1739
+ "principal_missing",
1740
+ "principalId"
1741
+ );
1742
+ const principalType = normalizePrincipalType(principalInput.principalType);
1743
+ const observedClerkId = cleanString3(options.observedClerkId);
1744
+ const canonicalClerkUserId = cleanString3(principalInput.canonicalClerkUserId) ?? cleanString3(principalInput.clerkId);
1745
+ if (principalType === "human" && !canonicalClerkUserId) {
1746
+ throw new LucernAccessControlError(
1747
+ "clerk_alias_missing",
1748
+ "Human principals require one canonical Clerk user id."
1749
+ );
1750
+ }
1751
+ const aliases = normalizeAliases(
1752
+ principalInput.clerkIdentityAliases,
1753
+ canonicalClerkUserId
1754
+ );
1755
+ if (observedClerkId && !isKnownClerkSubject({
1756
+ clerkId: observedClerkId,
1757
+ canonicalClerkUserId,
1758
+ aliases
1759
+ })) {
1760
+ throw new LucernAccessControlError(
1761
+ "clerk_alias_unrecognized",
1762
+ "Observed Clerk user id is not attached to the canonical Lucern principal."
1763
+ );
1764
+ }
1765
+ return {
1766
+ principalId,
1767
+ principalType,
1768
+ canonicalClerkUserId,
1769
+ clerkIdentityAliases: aliases,
1770
+ tenantId: cleanString3(principalInput.tenantId),
1771
+ workspaceId: cleanString3(principalInput.workspaceId),
1772
+ roles: cleanStringList2(principalInput.roles),
1773
+ scopes: cleanStringList2(principalInput.scopes)
1774
+ };
1775
+ }
1776
+ function formatPermitResource(resource) {
1777
+ if (typeof resource === "string") {
1778
+ return requireString2(resource, "policy_denied", "policyResource");
1779
+ }
1780
+ const type = requireString2(resource.type, "policy_denied", "resource.type");
1781
+ const key = requireString2(resource.key, "policy_denied", "resource.key");
1782
+ return key.startsWith(`${type}:`) ? key : `${type}:${key}`;
1783
+ }
1784
+ function resourceRequiresWorkspace(resource) {
1785
+ if (typeof resource === "string") {
1786
+ return !resource.startsWith("tenant:");
1787
+ }
1788
+ return resource.type !== "tenant";
1789
+ }
1790
+ function buildPolicyInput(identity, input) {
1791
+ const tenantId = requireString2(
1792
+ input.tenantId ?? identity.tenantId,
1793
+ "tenant_missing",
1794
+ "tenantId"
1795
+ );
1796
+ const workspaceId = cleanString3(input.workspaceId ?? identity.workspaceId);
1797
+ if (resourceRequiresWorkspace(input.resource) && !workspaceId) {
1798
+ throw new LucernAccessControlError(
1799
+ "workspace_missing",
1800
+ "Workspace-scoped Permit checks require workspaceId."
1801
+ );
1802
+ }
1803
+ return {
1804
+ tenantId,
1805
+ workspaceId,
1806
+ principalId: identity.principalId,
1807
+ policySubject: identity.principalId,
1808
+ policyAction: requireString2(input.action, "policy_denied", "policyAction"),
1809
+ policyResource: formatPermitResource(input.resource),
1810
+ metadata: input.context
1811
+ };
1812
+ }
1813
+ async function resolveConfiguredPrincipalInput(authContext) {
1814
+ if (typeof authContext === "function") {
1815
+ return await authContext();
1816
+ }
1817
+ return authContext;
1818
+ }
1819
+ function assertPermitAllowed(decision) {
1820
+ if (decision.decision !== "allow") {
1821
+ throw new LucernAccessControlError(
1822
+ decision.decision === "deny" ? "policy_denied" : "policy_unknown",
1823
+ `Permit denied ${decision.policyAction} on ${decision.policyResource}.`,
1824
+ decision
1825
+ );
1826
+ }
1827
+ }
1828
+ function createAccessControlClient(config = {}) {
1829
+ const identityClient = createIdentityClient(config);
1830
+ async function resolveIdentity(input, observedClerkId) {
1831
+ const identityInput = input ?? await resolveConfiguredPrincipalInput(config.authContext);
1832
+ if (!identityInput) {
1833
+ throw new LucernAccessControlError(
1834
+ "principal_missing",
1835
+ "Lucern SDK access control requires a canonical principal identity."
1836
+ );
1837
+ }
1838
+ return normalizeCanonicalPrincipalIdentity(identityInput, {
1839
+ observedClerkId
1840
+ });
1841
+ }
1842
+ async function checkAccess(input, idempotencyKey) {
1843
+ const identity = await resolveIdentity(input.identity, input.observedClerkId);
1844
+ const policyInput = buildPolicyInput(identity, input);
1845
+ try {
1846
+ const response = await identityClient.evaluatePolicy(
1847
+ policyInput,
1848
+ idempotencyKey
1849
+ );
1850
+ return {
1851
+ identity,
1852
+ policyInput,
1853
+ decision: response.data
1854
+ };
1855
+ } catch (error) {
1856
+ if (error instanceof LucernSdkAuthContextError) {
1857
+ throw error;
1858
+ }
1859
+ throw new LucernAccessControlError(
1860
+ "policy_unavailable",
1861
+ "Permit policy check failed closed before an allow decision was returned."
1862
+ );
1863
+ }
1864
+ }
1865
+ async function requireAccess(input, idempotencyKey) {
1866
+ const result = await checkAccess(input, idempotencyKey);
1867
+ assertPermitAllowed(result.decision);
1868
+ return result;
1869
+ }
1870
+ async function canAccess(input, idempotencyKey) {
1871
+ try {
1872
+ await requireAccess(input, idempotencyKey);
1873
+ return true;
1874
+ } catch {
1875
+ return false;
1876
+ }
1877
+ }
1878
+ return {
1879
+ normalizePrincipal: normalizeCanonicalPrincipalIdentity,
1880
+ checkAccess,
1881
+ requireAccess,
1882
+ canAccess
1883
+ };
1884
+ }
1885
+
1309
1886
  // src/answersClient.ts
1310
1887
  function createAnswersClient(config = {}) {
1311
1888
  const gateway = createGatewayRequestClient(config);
@@ -1473,7 +2050,7 @@ function authBaseUrl(config) {
1473
2050
  async function readJson(response) {
1474
2051
  try {
1475
2052
  const payload = await response.json();
1476
- return isRecord3(payload) ? payload : {};
2053
+ return isRecord4(payload) ? payload : {};
1477
2054
  } catch (error) {
1478
2055
  return unreadableJsonBodyFallback();
1479
2056
  }
@@ -1481,7 +2058,7 @@ async function readJson(response) {
1481
2058
  function unreadableJsonBodyFallback(_error) {
1482
2059
  return {};
1483
2060
  }
1484
- function isRecord3(value) {
2061
+ function isRecord4(value) {
1485
2062
  return value !== null && typeof value === "object" && !Array.isArray(value);
1486
2063
  }
1487
2064
  function readString(value) {
@@ -1524,7 +2101,7 @@ function assertDeviceTokenResponse(payload) {
1524
2101
  tenant_id: tenantId,
1525
2102
  workspace_id: readString(payload.workspace_id),
1526
2103
  principal_id: principalId,
1527
- user: isRecord3(payload.user) && typeof payload.user.id === "string" && typeof payload.user.principalId === "string" ? {
2104
+ user: isRecord4(payload.user) && typeof payload.user.id === "string" && typeof payload.user.principalId === "string" ? {
1528
2105
  id: payload.user.id,
1529
2106
  principalId: payload.user.principalId
1530
2107
  } : void 0
@@ -1864,65 +2441,10 @@ function createEvidenceClient(config = {}) {
1864
2441
  evidence,
1865
2442
  config: classificationConfig
1866
2443
  },
1867
- idempotencyKey: idempotencyKey ?? randomIdempotencyKey()
1868
- });
1869
- }
1870
- };
1871
- }
1872
-
1873
- // src/boundaryClientSurface.ts
1874
- function cleanOptionalString(value) {
1875
- const normalized = value?.trim();
1876
- return normalized ? normalized : void 0;
1877
- }
1878
- function isRecord4(value) {
1879
- return Boolean(value) && typeof value === "object" && !Array.isArray(value);
1880
- }
1881
- function cleanRequiredString(value, label) {
1882
- const normalized = cleanOptionalString(value);
1883
- if (!normalized) {
1884
- throw new Error(`${label} is required`);
1885
- }
1886
- return normalized;
1887
- }
1888
- function readTopicId(input) {
1889
- return cleanOptionalString(input.topicId) ?? cleanOptionalString(input.projectId);
1890
- }
1891
- function requireTopicId(input) {
1892
- const topicId = readTopicId(input);
1893
- if (!topicId) {
1894
- throw new Error("topicId is required");
1895
- }
1896
- return topicId;
1897
- }
1898
- function assertKnownKeys(input, allowed, operation) {
1899
- const allowedSet = new Set(allowed);
1900
- const unknownKeys = Object.keys(input).filter((key) => !allowedSet.has(key));
1901
- if (unknownKeys.length > 0) {
1902
- throw new Error(
1903
- `${operation} received unsupported field(s): ${unknownKeys.join(", ")}`
1904
- );
1905
- }
1906
- }
1907
- function knownPayload(input, allowed, operation) {
1908
- assertKnownKeys(input, allowed, operation);
1909
- return { ...input };
1910
- }
1911
- function topicPayload(input, allowed, operation) {
1912
- assertKnownKeys(input, allowed, operation);
1913
- return {
1914
- ...input,
1915
- topicId: requireTopicId(input),
1916
- projectId: void 0
1917
- };
1918
- }
1919
- function listResultFromEnvelope(data, legacyKey) {
1920
- const record = isRecord4(data) ? data : {};
1921
- const legacyItems = record[legacyKey];
1922
- return createListResult(
1923
- Array.isArray(legacyItems) ? legacyItems : Array.isArray(data) ? data : [],
1924
- legacyKey
1925
- );
2444
+ idempotencyKey: idempotencyKey ?? randomIdempotencyKey()
2445
+ });
2446
+ }
2447
+ };
1926
2448
  }
1927
2449
 
1928
2450
  // src/eventingClient.ts
@@ -2514,437 +3036,169 @@ function createGraphClient(config = {}) {
2514
3036
  return gateway.request({
2515
3037
  path: "/api/platform/v1/graph/nodes/supersede",
2516
3038
  method: "POST",
2517
- body: input,
2518
- idempotencyKey: idempotencyKey ?? randomIdempotencyKey()
2519
- });
2520
- },
2521
- /**
2522
- * Update a node's verification status.
2523
- */
2524
- async verifyNode(input, idempotencyKey) {
2525
- const verificationStatus = normalizeNodeVerificationStatus(input.verificationStatus) ?? input.verificationStatus;
2526
- return gateway.request({
2527
- path: "/api/platform/v1/graph/nodes/verify",
2528
- method: "POST",
2529
- body: {
2530
- ...input,
2531
- verificationStatus
2532
- },
2533
- idempotencyKey: idempotencyKey ?? randomIdempotencyKey()
2534
- });
2535
- },
2536
- /**
2537
- * Permanently delete a node via the admin-only hard-delete route.
2538
- */
2539
- async hardDeleteNode(input, idempotencyKey) {
2540
- return gateway.request({
2541
- path: "/api/platform/v1/graph/nodes/hard-delete",
2542
- method: "POST",
2543
- body: input,
2544
- idempotencyKey: idempotencyKey ?? randomIdempotencyKey()
2545
- });
2546
- },
2547
- /**
2548
- * List graph edges matching the provided filters.
2549
- */
2550
- async listEdges(query5) {
2551
- return gateway.request({
2552
- path: `/api/platform/v1/graph/edges${toQueryString(
2553
- normalizeTopicQuery(query5)
2554
- )}`
2555
- }).then(
2556
- (response) => mapGatewayData(
2557
- response,
2558
- (data) => mapAliasedList(data, "edges")
2559
- )
2560
- );
2561
- },
2562
- /**
2563
- * Create a graph edge.
2564
- */
2565
- async createEdge(input, idempotencyKey) {
2566
- return gateway.request({
2567
- path: "/api/platform/v1/graph/edges",
2568
- method: "POST",
2569
- body: normalizeTopicQuery(input),
2570
- idempotencyKey: idempotencyKey ?? randomIdempotencyKey()
2571
- });
2572
- },
2573
- /**
2574
- * Delete one or more edges matching the provided filter.
2575
- */
2576
- async deleteEdge(query5, idempotencyKey) {
2577
- return gateway.request({
2578
- path: `/api/platform/v1/graph/edges${toQueryString(query5)}`,
2579
- method: "DELETE",
2580
- idempotencyKey: idempotencyKey ?? randomIdempotencyKey()
2581
- });
2582
- },
2583
- /**
2584
- * Retrieve a graph neighborhood around a root node.
2585
- */
2586
- async neighborhood(query5) {
2587
- return gateway.request({
2588
- path: `/api/platform/v1/graph/neighborhood${toQueryString(query5)}`
2589
- });
2590
- },
2591
- /**
2592
- * Traverse the graph from a starting node.
2593
- */
2594
- async traverse(query5) {
2595
- return gateway.request({
2596
- path: "/api/platform/v1/graph/traverse",
2597
- method: "POST",
2598
- body: normalizeTopicQuery(query5)
2599
- });
2600
- },
2601
- /**
2602
- * Analyze graph structure for a topic.
2603
- */
2604
- async analyze(query5 = {}) {
2605
- const normalized = normalizeTopicQuery(query5);
2606
- return gateway.request({
2607
- path: `/api/platform/v1/graph/analyze${toQueryString({
2608
- topicId: typeof normalized.topicId === "string" ? normalized.topicId : void 0,
2609
- metric: typeof normalized.metric === "string" ? normalized.metric : void 0,
2610
- limit: typeof normalized.limit === "number" ? normalized.limit : void 0
2611
- })}`
2612
- });
2613
- },
2614
- /**
2615
- * Detect confirmation-bias patterns for a topic graph.
2616
- */
2617
- async bias(query5 = {}) {
2618
- const normalized = normalizeTopicQuery(query5);
2619
- return gateway.request({
2620
- path: `/api/platform/v1/graph/bias${toQueryString({
2621
- topicId: typeof normalized.topicId === "string" ? normalized.topicId : void 0,
2622
- threshold: typeof normalized.threshold === "number" ? normalized.threshold : void 0,
2623
- limit: typeof normalized.limit === "number" ? normalized.limit : void 0
2624
- })}`
2625
- });
2626
- },
2627
- /**
2628
- * Find graph gaps for beliefs that still need testing.
2629
- */
2630
- async gaps(query5) {
2631
- const normalized = normalizeTopicQuery(query5);
2632
- return gateway.request({
2633
- path: `/api/platform/v1/graph/gaps${toQueryString({
2634
- topicId: typeof normalized.topicId === "string" ? normalized.topicId : void 0,
2635
- minConfidence: typeof normalized.minConfidence === "number" ? normalized.minConfidence : void 0
2636
- })}`
2637
- });
2638
- },
2639
- /**
2640
- * Search across graph resources within a topic.
2641
- */
2642
- async search(query5) {
2643
- return gateway.request({
2644
- path: "/api/platform/v1/search",
2645
- method: "POST",
2646
- body: normalizeTopicQuery(query5)
2647
- });
2648
- },
2649
- /**
2650
- * Retrieve the shortest known path between two graph nodes.
2651
- */
2652
- async getPath(query5) {
2653
- return gateway.request({
2654
- path: `/api/platform/v1/graph/path${toQueryString(query5)}`
2655
- });
2656
- },
2657
- /**
2658
- * Retrieve graph analytics for the requested metric.
2659
- */
2660
- async getAnalytics(query5 = {}) {
2661
- return gateway.request({
2662
- path: `/api/platform/v1/graph/analytics${toQueryString(query5)}`
2663
- });
2664
- }
2665
- };
2666
- return Object.assign(client, {
2667
- queryNodes: client.listNodes,
2668
- queryEdges: client.listEdges,
2669
- getNeighborhood: client.neighborhood
2670
- });
2671
- }
2672
-
2673
- // src/identityClient.ts
2674
- function createIdentityWhoamiClient(config = {}) {
2675
- const gateway = createGatewayRequestClient(config);
2676
- return {
2677
- async whoami() {
2678
- return gateway.request({
2679
- path: "/api/platform/v1/identity/whoami"
2680
- });
2681
- }
2682
- };
2683
- }
2684
- var TENANT_IDENTITY_FIELDS = [
2685
- "tenantId",
2686
- "workspaceId",
2687
- "principalId",
2688
- "integrationKey",
2689
- "secretRef",
2690
- "policySubject",
2691
- "policyAction",
2692
- "policyResource",
2693
- "decision",
2694
- "config",
2695
- "configKey",
2696
- "configValue",
2697
- "provider",
2698
- "status",
2699
- "metadata",
2700
- "limit",
2701
- "cursor"
2702
- ];
2703
- function tenantIdentityQuery(input) {
2704
- return {
2705
- tenantId: cleanRequiredString(input.tenantId, "tenantId"),
2706
- workspaceId: input.workspaceId,
2707
- principalId: input.principalId,
2708
- limit: input.limit,
2709
- cursor: input.cursor
2710
- };
2711
- }
2712
- function tenantIdentityBody(input, operation) {
2713
- return knownPayload(input, TENANT_IDENTITY_FIELDS, operation);
2714
- }
2715
- function createIdentityClient(config = {}) {
2716
- const gateway = createGatewayRequestClient(config);
2717
- const whoamiClient = createIdentityWhoamiClient(config);
2718
- const requestPrincipalWrite = (method, input, idempotencyKey) => gateway.request({
2719
- path: "/api/platform/v1/identity/principals",
2720
- method,
2721
- body: input,
2722
- idempotencyKey: idempotencyKey ?? randomIdempotencyKey()
2723
- });
2724
- const updatePrincipal = (input, idempotencyKey) => requestPrincipalWrite("PATCH", input, idempotencyKey);
2725
- const deleteKey = (keyId, input = {}, idempotencyKey) => gateway.request({
2726
- path: `/api/platform/v1/identity/keys/${encodeURIComponent(keyId)}/revoke`,
2727
- method: "POST",
2728
- body: input,
2729
- idempotencyKey: idempotencyKey ?? randomIdempotencyKey()
2730
- });
2731
- return {
2732
- /**
2733
- * Resolve the current authenticated identity summary.
2734
- */
2735
- async whoami() {
2736
- return whoamiClient.whoami().then(
2737
- (response) => mapGatewayData(response, (data) => ({
2738
- principalId: data.principalId,
2739
- principalType: data.principalType,
2740
- tenantId: data.tenantId ?? null,
2741
- workspaceId: data.workspaceId ?? null,
2742
- scopes: Array.isArray(data.scopes) ? data.scopes : [],
2743
- roles: Array.isArray(data.roles) ? data.roles : [],
2744
- isPlatformAdmin: data.isPlatformAdmin === true,
2745
- isTenantAdmin: data.isTenantAdmin === true,
2746
- isWorkspaceAdmin: data.isWorkspaceAdmin === true,
2747
- authMode: data.authMode,
2748
- sessionId: data.sessionId,
2749
- delegatedBy: data.delegatedBy,
2750
- expiresAt: data.expiresAt
2751
- }))
2752
- );
2753
- },
2754
- /**
2755
- * List principals in the current identity scope.
2756
- */
2757
- async listPrincipals(query5 = {}) {
2758
- return gateway.request({
2759
- path: `/api/platform/v1/identity/principals${toQueryString(query5)}`
2760
- }).then(
2761
- (response) => mapGatewayData(
2762
- response,
2763
- (data) => createListResult(
2764
- Array.isArray(data) ? data : [],
2765
- "principals"
2766
- )
2767
- )
2768
- );
3039
+ body: input,
3040
+ idempotencyKey: idempotencyKey ?? randomIdempotencyKey()
3041
+ });
2769
3042
  },
2770
3043
  /**
2771
- * Create a principal.
3044
+ * Update a node's verification status.
2772
3045
  */
2773
- async createPrincipal(input, idempotencyKey) {
2774
- return requestPrincipalWrite("POST", input, idempotencyKey);
3046
+ async verifyNode(input, idempotencyKey) {
3047
+ const verificationStatus = normalizeNodeVerificationStatus(input.verificationStatus) ?? input.verificationStatus;
3048
+ return gateway.request({
3049
+ path: "/api/platform/v1/graph/nodes/verify",
3050
+ method: "POST",
3051
+ body: {
3052
+ ...input,
3053
+ verificationStatus
3054
+ },
3055
+ idempotencyKey: idempotencyKey ?? randomIdempotencyKey()
3056
+ });
2775
3057
  },
2776
3058
  /**
2777
- * Update a principal.
2778
- */
2779
- updatePrincipal,
2780
- /**
2781
- * @deprecated Use createPrincipal or updatePrincipal.
3059
+ * Permanently delete a node via the admin-only hard-delete route.
2782
3060
  */
2783
- upsertPrincipal: updatePrincipal,
3061
+ async hardDeleteNode(input, idempotencyKey) {
3062
+ return gateway.request({
3063
+ path: "/api/platform/v1/graph/nodes/hard-delete",
3064
+ method: "POST",
3065
+ body: input,
3066
+ idempotencyKey: idempotencyKey ?? randomIdempotencyKey()
3067
+ });
3068
+ },
2784
3069
  /**
2785
- * List keys in the current identity scope.
3070
+ * List graph edges matching the provided filters.
2786
3071
  */
2787
- async listKeys(query5 = {}) {
3072
+ async listEdges(query5) {
2788
3073
  return gateway.request({
2789
- path: `/api/platform/v1/identity/keys${toQueryString(query5)}`
3074
+ path: `/api/platform/v1/graph/edges${toQueryString(
3075
+ normalizeTopicQuery(query5)
3076
+ )}`
2790
3077
  }).then(
2791
3078
  (response) => mapGatewayData(
2792
3079
  response,
2793
- (data) => createListResult(Array.isArray(data) ? data : [], "keys")
3080
+ (data) => mapAliasedList(data, "edges")
2794
3081
  )
2795
3082
  );
2796
3083
  },
2797
3084
  /**
2798
- * Create an API key.
3085
+ * Create a graph edge.
2799
3086
  */
2800
- async createKey(input, idempotencyKey) {
3087
+ async createEdge(input, idempotencyKey) {
2801
3088
  return gateway.request({
2802
- path: "/api/platform/v1/identity/keys",
3089
+ path: "/api/platform/v1/graph/edges",
2803
3090
  method: "POST",
2804
- body: input,
3091
+ body: normalizeTopicQuery(input),
2805
3092
  idempotencyKey: idempotencyKey ?? randomIdempotencyKey()
2806
3093
  });
2807
3094
  },
2808
3095
  /**
2809
- * Rotate an API key.
3096
+ * Delete one or more edges matching the provided filter.
2810
3097
  */
2811
- async rotateKey(keyId, input = {}, idempotencyKey) {
3098
+ async deleteEdge(query5, idempotencyKey) {
2812
3099
  return gateway.request({
2813
- path: `/api/platform/v1/identity/keys/${encodeURIComponent(keyId)}/rotate`,
2814
- method: "POST",
2815
- body: input,
3100
+ path: `/api/platform/v1/graph/edges${toQueryString(query5)}`,
3101
+ method: "DELETE",
2816
3102
  idempotencyKey: idempotencyKey ?? randomIdempotencyKey()
2817
3103
  });
2818
3104
  },
2819
3105
  /**
2820
- * Delete an API key by revoking it.
2821
- */
2822
- deleteKey,
2823
- /**
2824
- * @deprecated Use deleteKey.
2825
- */
2826
- revokeKey: deleteKey,
2827
- /**
2828
- * Search Clerk users by email or display attributes.
3106
+ * Retrieve a graph neighborhood around a root node.
2829
3107
  */
2830
- async searchClerkUsers(q) {
3108
+ async neighborhood(query5) {
2831
3109
  return gateway.request({
2832
- path: `/api/platform/v1/identity/clerk-users${toQueryString({ q })}`
3110
+ path: `/api/platform/v1/graph/neighborhood${toQueryString(query5)}`
2833
3111
  });
2834
3112
  },
2835
- async getTenantConfig(input) {
3113
+ /**
3114
+ * Traverse the graph from a starting node.
3115
+ */
3116
+ async traverse(query5) {
2836
3117
  return gateway.request({
2837
- path: `/api/platform/v1/identity/tenant-config${toQueryString(
2838
- tenantIdentityQuery(input)
2839
- )}`
3118
+ path: "/api/platform/v1/graph/traverse",
3119
+ method: "POST",
3120
+ body: normalizeTopicQuery(query5)
2840
3121
  });
2841
3122
  },
2842
- async updateTenantConfig(input, idempotencyKey) {
2843
- cleanRequiredString(input.tenantId, "tenantId");
3123
+ /**
3124
+ * Analyze graph structure for a topic.
3125
+ */
3126
+ async analyze(query5 = {}) {
3127
+ const normalized = normalizeTopicQuery(query5);
2844
3128
  return gateway.request({
2845
- path: "/api/platform/v1/identity/tenant-config",
2846
- method: "PATCH",
2847
- body: tenantIdentityBody(
2848
- input,
2849
- "identity.updateTenantConfig"
2850
- ),
2851
- idempotencyKey: idempotencyKey ?? randomIdempotencyKey()
3129
+ path: `/api/platform/v1/graph/analyze${toQueryString({
3130
+ topicId: typeof normalized.topicId === "string" ? normalized.topicId : void 0,
3131
+ metric: typeof normalized.metric === "string" ? normalized.metric : void 0,
3132
+ limit: typeof normalized.limit === "number" ? normalized.limit : void 0
3133
+ })}`
2852
3134
  });
2853
3135
  },
2854
- async listIntegrations(input) {
2855
- return gateway.request({
2856
- path: `/api/platform/v1/identity/integrations${toQueryString(
2857
- tenantIdentityQuery(input)
2858
- )}`
2859
- }).then(
2860
- (response) => mapGatewayData(
2861
- response,
2862
- (data) => listResultFromEnvelope(
2863
- data,
2864
- "integrations"
2865
- )
2866
- )
2867
- );
2868
- },
2869
- async upsertIntegration(input, idempotencyKey) {
2870
- cleanRequiredString(input.tenantId, "tenantId");
2871
- cleanRequiredString(input.integrationKey, "integrationKey");
3136
+ /**
3137
+ * Detect confirmation-bias patterns for a topic graph.
3138
+ */
3139
+ async bias(query5 = {}) {
3140
+ const normalized = normalizeTopicQuery(query5);
2872
3141
  return gateway.request({
2873
- path: "/api/platform/v1/identity/integrations",
2874
- method: "PUT",
2875
- body: tenantIdentityBody(
2876
- input,
2877
- "identity.upsertIntegration"
2878
- ),
2879
- idempotencyKey: idempotencyKey ?? randomIdempotencyKey()
3142
+ path: `/api/platform/v1/graph/bias${toQueryString({
3143
+ topicId: typeof normalized.topicId === "string" ? normalized.topicId : void 0,
3144
+ threshold: typeof normalized.threshold === "number" ? normalized.threshold : void 0,
3145
+ limit: typeof normalized.limit === "number" ? normalized.limit : void 0
3146
+ })}`
2880
3147
  });
2881
3148
  },
2882
- async listSecrets(input) {
3149
+ /**
3150
+ * Find graph gaps for beliefs that still need testing.
3151
+ */
3152
+ async gaps(query5) {
3153
+ const normalized = normalizeTopicQuery(query5);
2883
3154
  return gateway.request({
2884
- path: `/api/platform/v1/identity/secrets${toQueryString(
2885
- tenantIdentityQuery(input)
2886
- )}`
2887
- }).then(
2888
- (response) => mapGatewayData(
2889
- response,
2890
- (data) => listResultFromEnvelope(
2891
- data,
2892
- "secrets"
2893
- )
2894
- )
2895
- );
3155
+ path: `/api/platform/v1/graph/gaps${toQueryString({
3156
+ topicId: typeof normalized.topicId === "string" ? normalized.topicId : void 0,
3157
+ minConfidence: typeof normalized.minConfidence === "number" ? normalized.minConfidence : void 0
3158
+ })}`
3159
+ });
2896
3160
  },
2897
- async putSecretReference(input, idempotencyKey) {
2898
- cleanRequiredString(input.tenantId, "tenantId");
2899
- cleanRequiredString(input.secretRef, "secretRef");
3161
+ /**
3162
+ * Search across graph resources within a topic.
3163
+ */
3164
+ async search(query5) {
2900
3165
  return gateway.request({
2901
- path: "/api/platform/v1/identity/secrets",
2902
- method: "PUT",
2903
- body: tenantIdentityBody(
2904
- input,
2905
- "identity.putSecretReference"
2906
- ),
2907
- idempotencyKey: idempotencyKey ?? randomIdempotencyKey()
3166
+ path: "/api/platform/v1/search",
3167
+ method: "POST",
3168
+ body: normalizeTopicQuery(query5)
2908
3169
  });
2909
3170
  },
2910
- async evaluatePolicy(input, idempotencyKey) {
2911
- cleanRequiredString(input.tenantId, "tenantId");
2912
- cleanRequiredString(input.policySubject, "policySubject");
2913
- cleanRequiredString(input.policyAction, "policyAction");
2914
- cleanRequiredString(input.policyResource, "policyResource");
3171
+ /**
3172
+ * Retrieve the shortest known path between two graph nodes.
3173
+ */
3174
+ async getPath(query5) {
2915
3175
  return gateway.request({
2916
- path: "/api/platform/v1/identity/policy/evaluate",
2917
- method: "POST",
2918
- body: tenantIdentityBody(
2919
- input,
2920
- "identity.evaluatePolicy"
2921
- ),
2922
- idempotencyKey: idempotencyKey ?? randomIdempotencyKey()
3176
+ path: `/api/platform/v1/graph/path${toQueryString(query5)}`
2923
3177
  });
2924
3178
  },
2925
- async recordPolicyDecision(input, idempotencyKey) {
2926
- cleanRequiredString(input.tenantId, "tenantId");
2927
- cleanRequiredString(input.decision, "decision");
3179
+ /**
3180
+ * Retrieve graph analytics for the requested metric.
3181
+ */
3182
+ async getAnalytics(query5 = {}) {
2928
3183
  return gateway.request({
2929
- path: "/api/platform/v1/identity/policy/decisions",
2930
- method: "POST",
2931
- body: tenantIdentityBody(
2932
- input,
2933
- "identity.recordPolicyDecision"
2934
- ),
2935
- idempotencyKey: idempotencyKey ?? randomIdempotencyKey()
3184
+ path: `/api/platform/v1/graph/analytics${toQueryString(query5)}`
2936
3185
  });
2937
3186
  }
2938
3187
  };
3188
+ return Object.assign(client, {
3189
+ queryNodes: client.listNodes,
3190
+ queryEdges: client.listEdges,
3191
+ getNeighborhood: client.neighborhood
3192
+ });
2939
3193
  }
2940
3194
 
2941
3195
  // src/topicsClient.ts
2942
- function cleanString3(value) {
3196
+ function cleanString4(value) {
2943
3197
  return typeof value === "string" && value.trim().length > 0 ? value.trim() : void 0;
2944
3198
  }
2945
3199
  function normalizeTopicRecord(value) {
2946
3200
  const record = asRecord(value);
2947
- const topicId = cleanString3(record.topicId) ?? cleanString3(record.id) ?? cleanString3(record._id);
3201
+ const topicId = cleanString4(record.topicId) ?? cleanString4(record.id) ?? cleanString4(record._id);
2948
3202
  return withTopicAlias({
2949
3203
  ...record,
2950
3204
  ...topicId ? { topicId } : {}
@@ -4157,7 +4411,7 @@ function createEmbeddingsClient(config = {}) {
4157
4411
  }
4158
4412
 
4159
4413
  // src/contextClient.ts
4160
- function cleanString4(value) {
4414
+ function cleanString5(value) {
4161
4415
  return typeof value === "string" && value.trim().length > 0 ? value.trim() : void 0;
4162
4416
  }
4163
4417
  function cleanNumber(value) {
@@ -4169,11 +4423,11 @@ function cleanBoolean(value) {
4169
4423
  function buildCompileContextRequest(topicIdOrInput = {}, input = {}) {
4170
4424
  const effectiveInput = typeof topicIdOrInput === "string" ? input : topicIdOrInput;
4171
4425
  const payload = {};
4172
- const topicId = typeof topicIdOrInput === "string" ? cleanString4(topicIdOrInput) : cleanString4(effectiveInput.topicId);
4426
+ const topicId = typeof topicIdOrInput === "string" ? cleanString5(topicIdOrInput) : cleanString5(effectiveInput.topicId);
4173
4427
  if (topicId) {
4174
4428
  payload.topicId = topicId;
4175
4429
  }
4176
- const query5 = cleanString4(effectiveInput.query);
4430
+ const query5 = cleanString5(effectiveInput.query);
4177
4431
  if (query5) {
4178
4432
  payload.query = query5;
4179
4433
  }
@@ -4181,7 +4435,7 @@ function buildCompileContextRequest(topicIdOrInput = {}, input = {}) {
4181
4435
  if (budget !== void 0) {
4182
4436
  payload.budget = budget;
4183
4437
  }
4184
- const ranking = cleanString4(effectiveInput.ranking) ?? cleanString4(effectiveInput.rankingProfile);
4438
+ const ranking = cleanString5(effectiveInput.ranking) ?? cleanString5(effectiveInput.rankingProfile);
4185
4439
  if (ranking) {
4186
4440
  payload.ranking = ranking;
4187
4441
  }
@@ -4197,7 +4451,7 @@ function buildCompileContextRequest(topicIdOrInput = {}, input = {}) {
4197
4451
  if (includeEntities !== void 0) {
4198
4452
  payload.includeEntities = includeEntities;
4199
4453
  }
4200
- const mode = cleanString4(effectiveInput.mode);
4454
+ const mode = cleanString5(effectiveInput.mode);
4201
4455
  if (mode) {
4202
4456
  payload.mode = mode;
4203
4457
  }
@@ -4205,11 +4459,11 @@ function buildCompileContextRequest(topicIdOrInput = {}, input = {}) {
4205
4459
  if (includeFailures !== void 0) {
4206
4460
  payload.includeFailures = includeFailures;
4207
4461
  }
4208
- const worktreeId = cleanString4(effectiveInput.worktreeId);
4462
+ const worktreeId = cleanString5(effectiveInput.worktreeId);
4209
4463
  if (worktreeId) {
4210
4464
  payload.worktreeId = worktreeId;
4211
4465
  }
4212
- const sessionId = cleanString4(effectiveInput.sessionId);
4466
+ const sessionId = cleanString5(effectiveInput.sessionId);
4213
4467
  if (sessionId) {
4214
4468
  payload.sessionId = sessionId;
4215
4469
  }
@@ -5095,7 +5349,8 @@ function createMcpClient(config = {}) {
5095
5349
  transportKind: input.transportKind,
5096
5350
  sessionId: input.sessionId,
5097
5351
  agentIdentity: input.agentIdentity,
5098
- workspaceId: input.workspaceId
5352
+ workspaceId: input.workspaceId,
5353
+ worktreeId: input.worktreeId
5099
5354
  };
5100
5355
  return gateway.request({
5101
5356
  path: `${MCP_GATEWAY_BOOTSTRAP_ENDPOINT}${toQueryString(scope)}`,
@@ -6055,7 +6310,7 @@ var ORG_GRAPH_SEARCH_FIELDS = [
6055
6310
  "cursor",
6056
6311
  "provenanceScope"
6057
6312
  ];
6058
- function cleanString5(value, label) {
6313
+ function cleanString6(value, label) {
6059
6314
  const normalized = value?.trim();
6060
6315
  if (!normalized) {
6061
6316
  throw new Error(`${label} is required`);
@@ -6077,9 +6332,9 @@ function searchBody(input) {
6077
6332
  "orgGraphSearch.search"
6078
6333
  );
6079
6334
  return {
6080
- tenantId: cleanString5(input.tenantId, "tenantId"),
6081
- workspaceId: cleanString5(input.workspaceId, "workspaceId"),
6082
- query: cleanString5(input.query, "query"),
6335
+ tenantId: cleanString6(input.tenantId, "tenantId"),
6336
+ workspaceId: cleanString6(input.workspaceId, "workspaceId"),
6337
+ query: cleanString6(input.query, "query"),
6083
6338
  nodeTypes: input.nodeTypes,
6084
6339
  minConfidence: input.minConfidence,
6085
6340
  limit: input.limit,
@@ -6089,8 +6344,8 @@ function searchBody(input) {
6089
6344
  }
6090
6345
  function listQuery2(input) {
6091
6346
  return {
6092
- tenantId: cleanString5(input.tenantId, "tenantId"),
6093
- workspaceId: cleanString5(input.workspaceId, "workspaceId"),
6347
+ tenantId: cleanString6(input.tenantId, "tenantId"),
6348
+ workspaceId: cleanString6(input.workspaceId, "workspaceId"),
6094
6349
  nodeTypes: input.nodeTypes?.join(","),
6095
6350
  minConfidence: input.minConfidence,
6096
6351
  limit: input.limit,
@@ -6124,8 +6379,8 @@ function createOrgGraphSearchClient(config = {}) {
6124
6379
  return gateway.request({
6125
6380
  path: `/api/platform/v1/org-graph-search/nodes/${nodePath}${toQueryString(
6126
6381
  {
6127
- tenantId: cleanString5(input.tenantId, "tenantId"),
6128
- workspaceId: cleanString5(input.workspaceId, "workspaceId"),
6382
+ tenantId: cleanString6(input.tenantId, "tenantId"),
6383
+ workspaceId: cleanString6(input.workspaceId, "workspaceId"),
6129
6384
  globalId: nodeId ? void 0 : globalId
6130
6385
  }
6131
6386
  )}`
@@ -7090,7 +7345,7 @@ function createToolRegistryClient(config = {}) {
7090
7345
  }
7091
7346
 
7092
7347
  // src/version.ts
7093
- var LUCERN_SDK_VERSION = "0.3.0-alpha.10";
7348
+ var LUCERN_SDK_VERSION = "0.3.0-alpha.12";
7094
7349
 
7095
7350
  // src/workflowClient.ts
7096
7351
  function normalizeLensQuery(value) {
@@ -7547,6 +7802,7 @@ function createLucernClient(config = {}) {
7547
7802
  const auditClient = createAuditClient(gatewayConfig);
7548
7803
  const authDeviceClient = createAuthDeviceClient(gatewayConfig);
7549
7804
  const adminClient = createAdminClient(gatewayConfig);
7805
+ const accessControlClient = createAccessControlClient(gatewayConfig);
7550
7806
  const answersClient = createAnswersClient(gatewayConfig);
7551
7807
  const contradictionsFacade = createContradictionsFacade(gatewayConfig);
7552
7808
  const edgesFacade = createEdgesFacade(gatewayConfig);
@@ -9231,6 +9487,7 @@ function createLucernClient(config = {}) {
9231
9487
  nodes: nodesNamespace,
9232
9488
  identity: {
9233
9489
  ...identityFacade,
9490
+ access: accessControlClient,
9234
9491
  evaluatePolicy: identityClient.evaluatePolicy,
9235
9492
  recordPolicyDecision: identityClient.recordPolicyDecision,
9236
9493
  putSecretReference: identityClient.putSecretReference,
@@ -9292,7 +9549,7 @@ function createLucernClient(config = {}) {
9292
9549
  }
9293
9550
 
9294
9551
  // src/facade/context.ts
9295
- function cleanString6(value) {
9552
+ function cleanString7(value) {
9296
9553
  return typeof value === "string" && value.trim().length > 0 ? value.trim() : void 0;
9297
9554
  }
9298
9555
  function cleanNumber2(value) {
@@ -9304,11 +9561,11 @@ function cleanBoolean2(value) {
9304
9561
  function buildCompileContextRequest2(topicIdOrInput = {}, input = {}) {
9305
9562
  const effectiveInput = typeof topicIdOrInput === "string" ? input : topicIdOrInput;
9306
9563
  const payload = {};
9307
- const topicId = typeof topicIdOrInput === "string" ? cleanString6(topicIdOrInput) : cleanString6(effectiveInput.topicId);
9564
+ const topicId = typeof topicIdOrInput === "string" ? cleanString7(topicIdOrInput) : cleanString7(effectiveInput.topicId);
9308
9565
  if (topicId) {
9309
9566
  payload.topicId = topicId;
9310
9567
  }
9311
- const query5 = cleanString6(effectiveInput.query);
9568
+ const query5 = cleanString7(effectiveInput.query);
9312
9569
  if (query5) {
9313
9570
  payload.query = query5;
9314
9571
  }
@@ -9316,7 +9573,7 @@ function buildCompileContextRequest2(topicIdOrInput = {}, input = {}) {
9316
9573
  if (budget !== void 0) {
9317
9574
  payload.budget = budget;
9318
9575
  }
9319
- const ranking = cleanString6(effectiveInput.ranking) ?? cleanString6(effectiveInput.rankingProfile);
9576
+ const ranking = cleanString7(effectiveInput.ranking) ?? cleanString7(effectiveInput.rankingProfile);
9320
9577
  if (ranking) {
9321
9578
  payload.ranking = ranking;
9322
9579
  }
@@ -9332,7 +9589,7 @@ function buildCompileContextRequest2(topicIdOrInput = {}, input = {}) {
9332
9589
  if (includeEntities !== void 0) {
9333
9590
  payload.includeEntities = includeEntities;
9334
9591
  }
9335
- const mode = cleanString6(effectiveInput.mode);
9592
+ const mode = cleanString7(effectiveInput.mode);
9336
9593
  if (mode) {
9337
9594
  payload.mode = mode;
9338
9595
  }
@@ -9340,11 +9597,11 @@ function buildCompileContextRequest2(topicIdOrInput = {}, input = {}) {
9340
9597
  if (includeFailures !== void 0) {
9341
9598
  payload.includeFailures = includeFailures;
9342
9599
  }
9343
- const worktreeId = cleanString6(effectiveInput.worktreeId);
9600
+ const worktreeId = cleanString7(effectiveInput.worktreeId);
9344
9601
  if (worktreeId) {
9345
9602
  payload.worktreeId = worktreeId;
9346
9603
  }
9347
- const sessionId = cleanString6(effectiveInput.sessionId);
9604
+ const sessionId = cleanString7(effectiveInput.sessionId);
9348
9605
  if (sessionId) {
9349
9606
  payload.sessionId = sessionId;
9350
9607
  }
@@ -10710,7 +10967,12 @@ var REASONING_METHODS = [
10710
10967
  "inductive",
10711
10968
  "abductive",
10712
10969
  "analogical",
10713
- "empirical"
10970
+ "causal",
10971
+ "correlational",
10972
+ "testimonial",
10973
+ "statistical",
10974
+ "implicit",
10975
+ "pattern_match"
10714
10976
  ];
10715
10977
  var DEFEAT_TYPES = [
10716
10978
  "rebuts",
@@ -11007,6 +11269,12 @@ function isMcpToolAllowed(toolName, options = {}) {
11007
11269
  if (options.permittedTools !== void 0 && options.permittedTools !== null) {
11008
11270
  return options.permittedTools.some((tool) => tool.toolName === toolName);
11009
11271
  }
11272
+ if (options.sessionType === "agent") {
11273
+ if (options.allowedTools === null || options.allowedTools === void 0) {
11274
+ return false;
11275
+ }
11276
+ return options.allowedTools.includes(toolName);
11277
+ }
11010
11278
  if (options.allowedTools === null || options.allowedTools === void 0) {
11011
11279
  return true;
11012
11280
  }
@@ -11719,10 +11987,11 @@ async function hydrateInfisicalRuntimeEnv(options) {
11719
11987
  message: `Unknown Lucern Infisical runtime surface: ${options.surfaceId}.`
11720
11988
  });
11721
11989
  }
11722
- if (surface.delivery !== "runtime_fetch") {
11990
+ const fallbackDelivery = surface.fallback;
11991
+ if (surface.delivery !== "runtime_fetch" && fallbackDelivery !== "runtime_fetch") {
11723
11992
  throw new InfisicalRuntimeError({
11724
11993
  code: "INFISICAL_UNSUPPORTED_SURFACE_DELIVERY",
11725
- message: `${surface.id} uses ${surface.delivery}; runtime fetch is only valid for runtime_fetch surfaces.`
11994
+ message: `${surface.id} uses ${surface.delivery}; runtime fetch is only valid for runtime_fetch surfaces or surfaces with a runtime_fetch fallback.`
11726
11995
  });
11727
11996
  }
11728
11997
  const fetchImpl = options.fetchImpl ?? globalThis.fetch;
@@ -11735,35 +12004,26 @@ async function hydrateInfisicalRuntimeEnv(options) {
11735
12004
  const token = await loginWithUniversalAuth(bootstrap, fetchImpl);
11736
12005
  const values = {};
11737
12006
  const missingRequired = [];
11738
- const sourcePaths = [];
11739
- for (const pathId of surface.sourcePathIds) {
11740
- const path = findInfisicalRuntimePath(pathId);
11741
- if (!path) {
11742
- throw new InfisicalRuntimeError({
11743
- code: "INFISICAL_UNKNOWN_PATH",
11744
- message: `Unknown Lucern Infisical runtime path: ${pathId}.`
11745
- });
11746
- }
11747
- sourcePaths.push(path.secretPath);
11748
- for (const variable of path.variables) {
11749
- const runtimeVariable = variable;
11750
- const secretValue = await readVariableSecret({
11751
- bootstrap,
11752
- fetchImpl,
11753
- token,
11754
- secretPath: path.secretPath,
11755
- variable: runtimeVariable
11756
- });
11757
- if (!secretValue) {
11758
- if (runtimeVariable.required) {
11759
- missingRequired.push(runtimeVariable.name);
11760
- }
11761
- continue;
11762
- }
11763
- values[runtimeVariable.name] = secretValue.value;
11764
- for (const alias of runtimeVariable.aliases ?? []) {
11765
- values[alias] = secretValue.value;
12007
+ const sourcePaths = /* @__PURE__ */ new Set();
12008
+ const variables = options.includeGeneratedSurfaceVariables ? generatedSurfaceVariables(options.surfaceId) : contractSurfaceVariables(surface.sourcePathIds);
12009
+ for (const runtimeVariable of variables) {
12010
+ sourcePaths.add(runtimeVariable.secretPath);
12011
+ const secretValue = await readVariableSecret({
12012
+ bootstrap,
12013
+ fetchImpl,
12014
+ token,
12015
+ secretPath: runtimeVariable.secretPath,
12016
+ variable: runtimeVariable
12017
+ });
12018
+ if (!secretValue) {
12019
+ if (runtimeVariable.required) {
12020
+ missingRequired.push(runtimeVariable.name);
11766
12021
  }
12022
+ continue;
12023
+ }
12024
+ values[runtimeVariable.name] = secretValue.value;
12025
+ for (const alias of runtimeVariable.aliases ?? []) {
12026
+ values[alias] = secretValue.value;
11767
12027
  }
11768
12028
  }
11769
12029
  if (missingRequired.length > 0) {
@@ -11777,7 +12037,7 @@ async function hydrateInfisicalRuntimeEnv(options) {
11777
12037
  surfaceId: options.surfaceId,
11778
12038
  environment: bootstrap.environment,
11779
12039
  values,
11780
- sourcePaths
12040
+ sourcePaths: [...sourcePaths]
11781
12041
  };
11782
12042
  }
11783
12043
  function applyInfisicalRuntimeEnv(result, targetEnv, options = {}) {
@@ -11848,6 +12108,46 @@ async function readVariableSecret(args) {
11848
12108
  }
11849
12109
  return null;
11850
12110
  }
12111
+ function contractSurfaceVariables(sourcePathIds) {
12112
+ return sourcePathIds.flatMap((pathId) => {
12113
+ const path = findInfisicalRuntimePath(pathId);
12114
+ if (!path) {
12115
+ throw new InfisicalRuntimeError({
12116
+ code: "INFISICAL_UNKNOWN_PATH",
12117
+ message: `Unknown Lucern Infisical runtime path: ${pathId}.`
12118
+ });
12119
+ }
12120
+ return path.variables.map((variable) => ({
12121
+ ...variable,
12122
+ secretPath: path.secretPath
12123
+ }));
12124
+ });
12125
+ }
12126
+ function generatedSurfaceVariables(surfaceId) {
12127
+ const surface = GENERATED_INFISICAL_RUNTIME_ENV.surfaces[surfaceId];
12128
+ if (!surface) {
12129
+ throw new InfisicalRuntimeError({
12130
+ code: "INFISICAL_UNKNOWN_SURFACE",
12131
+ message: `Unknown generated Lucern Infisical runtime surface: ${surfaceId}.`
12132
+ });
12133
+ }
12134
+ return surface.variables.map(generatedVariableToRuntimeVariable);
12135
+ }
12136
+ function generatedVariableToRuntimeVariable(variable) {
12137
+ const aliases = /* @__PURE__ */ new Set([
12138
+ ...variable.envNames.filter((name) => name !== variable.canonicalName),
12139
+ ...variable.aliases
12140
+ ]);
12141
+ return {
12142
+ name: variable.canonicalName,
12143
+ required: variable.required,
12144
+ secret: variable.secret,
12145
+ public: variable.public,
12146
+ aliases: [...aliases],
12147
+ description: variable.description,
12148
+ secretPath: variable.sourcePath
12149
+ };
12150
+ }
11851
12151
  async function readSecretValue(args) {
11852
12152
  const params = new URLSearchParams({
11853
12153
  projectId: args.bootstrap.projectId,
@@ -11955,6 +12255,6 @@ function formatInfisicalRuntimeError(error) {
11955
12255
  return "Unknown Infisical runtime error shape";
11956
12256
  }
11957
12257
 
11958
- export { BELIEF_STATUSES, BRANCH_DEPRECATION_MESSAGE, CANONICAL_WORKFLOW_DEFINITIONS, CONFIDENCE_TRIGGERS, CONTRADICTION_SEVERITIES, CONTRADICTION_STATUSES, CONTROL_OBJECT_BLAST_RADII, CONTROL_OBJECT_EDIT_SURFACES, CONTROL_OBJECT_INHERITANCE_RULES, CONTROL_OBJECT_KINDS, CONTROL_OBJECT_OWNERSHIP_CONTRACT, CONTROL_OBJECT_OWNERSHIP_MATRIX, CONTROL_OBJECT_OWNERSHIP_ROWS, CONTROL_OBJECT_OWNER_SCOPES, CustomToolRegistryError, DEFAULT_TIER_APPROVAL_MODE, DEFAULT_WORKFLOW_AUTO_FIX_POLICY, DEFEAT_TYPES, DOMAIN_EVENT_TYPES, DOMAIN_EVENT_VERSION, DeviceAuthorizationError, EDGE_TYPES, EMBEDDINGS_FIELDS, EPISTEMIC_EDGE_TYPES, EPISTEMIC_LAYERS, EVENTING_FIELDS, EVENT_RETENTION_DEFAULT_DAYS, FORK_REASONS, FUNCTION_SURFACE_METHOD_PATHS, GRAPH_ANALYSIS_ANALYSIS_FIELDS, GRAPH_ANALYSIS_COMPUTE_FIELDS, GRAPH_ANALYSIS_SUGGESTION_FIELDS, GRAPH_RECOMMENDATION_FIELDS, GRAPH_STATE_CLASSIFIER_FIELDS, InfisicalRuntimeError, JOBS_FIELDS, JUDGMENT_TYPES, LENS_PERSPECTIVE_TYPES, LENS_STATUSES, LENS_TASK_TEMPLATE_PRIORITIES, LUCERN_SDK_VERSION, LucernApiError, LucernSdkAuthContextError, MAX_ENTITY_LIMIT, MCP_ALWAYS_ALLOWED_TOOL_NAMES, MERGE_OUTCOMES, MODEL_RUNTIME_FIELDS, MORNING_BRIEF_WORKFLOW_ID, NIGHTLY_RECONCILIATION_WORKFLOW_ID, ONTOLOGY_LINK_FIELDS, ORG_GRAPH_SEARCH_FIELDS, REASONING_METHODS, SESSION_AUTH_MODES, SESSION_LIFECYCLE_STATUSES, SESSION_PRINCIPAL_TYPES, STRUCTURAL_EDGE_TYPES, TELEMETRY_FIELDS, TENANT_IDENTITY_FIELDS, TOOL_REGISTRY_FIELDS, WEBHOOK_MAX_ATTEMPTS, WEBHOOK_RETRY_DELAYS_MS, WORKFLOW_ACTION_KINDS, WORKFLOW_APPROVAL_MODES, WORKFLOW_AUTO_FIX_MODES, WORKFLOW_HOOK_EVENTS, WORKFLOW_INTEGRITY_CHECKS, WORKFLOW_MUTATION_TIERS, WORKFLOW_OUTPUT_KINDS, WORKFLOW_PROOF_ARTIFACT_KINDS, WORKFLOW_RUNTIME_SCHEMA_VERSION, WORKFLOW_RUN_STATUSES, WORKFLOW_STAFFING_HINTS, WORKFLOW_TRIGGER_KINDS, WORKTREE_PHASES, applyInfisicalRuntimeEnv, asListItems, asRecord, assertValidWebhookSecret, assertValidWebhookUrl, buildDeprecatedBranchMetadata, buildDomainEvent, buildMcpToolContracts, buildMcpToolManifest, clearRegisteredCustomTools, compareEventCursor, compileContextPackFromSnapshot, computeWebhookSignature, createAdminClient, createAnswersClient, createAudiencesClient, createAuditClient, createAuthDeviceClient, createBeliefsClient, createCanonicalAuthHeaders, createContextClient, createContextFacade, createDecisionsClient, createEmbeddingsClient, createEventId, createEventingClient, createEventsClientCore, createEvidenceClient, createFunctionSurfaceClient, createGatewayRequestClient, createGraphAnalysisClient, createGraphClient, createGraphRecommendationsClient, createGraphStateClassifierClient, createHarnessClient, createIdentityClient, createJobsClient, createLearningClient, createListResult, createLucernClient, createModelRuntimeClient, createOntologyClient, createOntologyLinksClient, createOrgGraphSearchClient, createPacksClient, createPolicyClient, createReportsClient, createSchemaClient, createSourcesClient, createTelemetryClient, createToolRegistryClient, createTopicsClient, createWebhooksClientCore, createWorkflowClient, decodeEventCursor, emitDomainEvent, encodeEventCursor, eventPatternToRegExp, getControlObjectOwnershipCase, getMcpToolExposure, getRegisteredCustomTool, hydrateInfisicalRuntimeEnv, inferActorType, inferLensPerspectiveTypeFromBranchSchema, inferSessionPrincipalType, invokeRegisteredCustomTool, isAfterCursor, isInfisicalRuntimeDisabled, isLensFilterCriteria, isLucernPrompt, isMcpToolAllowed, isRecord2 as isRecord, isTaxonomyFilterCriteriaV1, lastDelegator, listControlObjectOwnershipCases, listRegisteredCustomTools, mapAliasedList, mapGatewayData, mapOpinionHistoryEntriesFromGatewayData, matchesAnyEventPattern, matchesEventPattern, mcpContractToInputSchema, mcpContractToManifestEntry, migrateBranchToLens, nextDeliveryAttemptAt, normalizeCanonicalLucernAuthContext, normalizeDelegationChain, normalizeNodeVerificationStatus, normalizeNodeWriteInput, normalizeRetentionDays, normalizeTopicQuery, normalizeWebhookPatterns, opinionFromBaseRate, opinionFromDogmatic, opinionFromProjected, planContextPackCompilation, randomIdempotencyKey, readInfisicalRuntimeBootstrap, registerCustomTool, resolveDeliveryFailureStatus, resolveText, resolveTopicId, sanitizeWebhookRecord, sortEventsByCursor, toQueryString, truncateWebhookResponseBody, unregisterCustomTool, validateFilterCriteria, withSdkAliases, withTextAlias, withTopicAlias };
12258
+ export { BELIEF_STATUSES, BRANCH_DEPRECATION_MESSAGE, CANONICAL_WORKFLOW_DEFINITIONS, CONFIDENCE_TRIGGERS, CONTRADICTION_SEVERITIES, CONTRADICTION_STATUSES, CONTROL_OBJECT_BLAST_RADII, CONTROL_OBJECT_EDIT_SURFACES, CONTROL_OBJECT_INHERITANCE_RULES, CONTROL_OBJECT_KINDS, CONTROL_OBJECT_OWNERSHIP_CONTRACT, CONTROL_OBJECT_OWNERSHIP_MATRIX, CONTROL_OBJECT_OWNERSHIP_ROWS, CONTROL_OBJECT_OWNER_SCOPES, CustomToolRegistryError, DEFAULT_TIER_APPROVAL_MODE, DEFAULT_WORKFLOW_AUTO_FIX_POLICY, DEFEAT_TYPES, DOMAIN_EVENT_TYPES, DOMAIN_EVENT_VERSION, DeviceAuthorizationError, EDGE_TYPES, EMBEDDINGS_FIELDS, EPISTEMIC_EDGE_TYPES, EPISTEMIC_LAYERS, EVENTING_FIELDS, EVENT_RETENTION_DEFAULT_DAYS, FORK_REASONS, FUNCTION_SURFACE_METHOD_PATHS, GRAPH_ANALYSIS_ANALYSIS_FIELDS, GRAPH_ANALYSIS_COMPUTE_FIELDS, GRAPH_ANALYSIS_SUGGESTION_FIELDS, GRAPH_RECOMMENDATION_FIELDS, GRAPH_STATE_CLASSIFIER_FIELDS, InfisicalRuntimeError, JOBS_FIELDS, JUDGMENT_TYPES, LENS_PERSPECTIVE_TYPES, LENS_STATUSES, LENS_TASK_TEMPLATE_PRIORITIES, LUCERN_SDK_VERSION, LucernAccessControlError, LucernApiError, LucernSdkAuthContextError, MAX_ENTITY_LIMIT, MCP_ALWAYS_ALLOWED_TOOL_NAMES, MERGE_OUTCOMES, MODEL_RUNTIME_FIELDS, MORNING_BRIEF_WORKFLOW_ID, NIGHTLY_RECONCILIATION_WORKFLOW_ID, ONTOLOGY_LINK_FIELDS, ORG_GRAPH_SEARCH_FIELDS, REASONING_METHODS, SESSION_AUTH_MODES, SESSION_LIFECYCLE_STATUSES, SESSION_PRINCIPAL_TYPES, STRUCTURAL_EDGE_TYPES, TELEMETRY_FIELDS, TENANT_IDENTITY_FIELDS, TOOL_REGISTRY_FIELDS, WEBHOOK_MAX_ATTEMPTS, WEBHOOK_RETRY_DELAYS_MS, WORKFLOW_ACTION_KINDS, WORKFLOW_APPROVAL_MODES, WORKFLOW_AUTO_FIX_MODES, WORKFLOW_HOOK_EVENTS, WORKFLOW_INTEGRITY_CHECKS, WORKFLOW_MUTATION_TIERS, WORKFLOW_OUTPUT_KINDS, WORKFLOW_PROOF_ARTIFACT_KINDS, WORKFLOW_RUNTIME_SCHEMA_VERSION, WORKFLOW_RUN_STATUSES, WORKFLOW_STAFFING_HINTS, WORKFLOW_TRIGGER_KINDS, WORKTREE_PHASES, applyInfisicalRuntimeEnv, asListItems, asRecord, assertPermitAllowed, assertValidWebhookSecret, assertValidWebhookUrl, buildDeprecatedBranchMetadata, buildDomainEvent, buildMcpToolContracts, buildMcpToolManifest, clearRegisteredCustomTools, compareEventCursor, compileContextPackFromSnapshot, computeWebhookSignature, createAccessControlClient, createAdminClient, createAnswersClient, createAudiencesClient, createAuditClient, createAuthDeviceClient, createBeliefsClient, createCanonicalAuthHeaders, createContextClient, createContextFacade, createDecisionsClient, createEmbeddingsClient, createEventId, createEventingClient, createEventsClientCore, createEvidenceClient, createFunctionSurfaceClient, createGatewayRequestClient, createGraphAnalysisClient, createGraphClient, createGraphRecommendationsClient, createGraphStateClassifierClient, createHarnessClient, createIdentityClient, createJobsClient, createLearningClient, createListResult, createLucernClient, createModelRuntimeClient, createOntologyClient, createOntologyLinksClient, createOrgGraphSearchClient, createPacksClient, createPolicyClient, createReportsClient, createSchemaClient, createSourcesClient, createTelemetryClient, createToolRegistryClient, createTopicsClient, createWebhooksClientCore, createWorkflowClient, decodeEventCursor, emitDomainEvent, encodeEventCursor, eventPatternToRegExp, formatPermitResource, getControlObjectOwnershipCase, getMcpToolExposure, getRegisteredCustomTool, hydrateInfisicalRuntimeEnv, inferActorType, inferLensPerspectiveTypeFromBranchSchema, inferSessionPrincipalType, invokeRegisteredCustomTool, isAfterCursor, isInfisicalRuntimeDisabled, isLensFilterCriteria, isLucernPrompt, isMcpToolAllowed, isRecord2 as isRecord, isTaxonomyFilterCriteriaV1, lastDelegator, listControlObjectOwnershipCases, listRegisteredCustomTools, mapAliasedList, mapGatewayData, mapOpinionHistoryEntriesFromGatewayData, matchesAnyEventPattern, matchesEventPattern, mcpContractToInputSchema, mcpContractToManifestEntry, migrateBranchToLens, nextDeliveryAttemptAt, normalizeCanonicalLucernAuthContext, normalizeCanonicalPrincipalIdentity, normalizeDelegationChain, normalizeNodeVerificationStatus, normalizeNodeWriteInput, normalizeRetentionDays, normalizeTopicQuery, normalizeWebhookPatterns, opinionFromBaseRate, opinionFromDogmatic, opinionFromProjected, planContextPackCompilation, randomIdempotencyKey, readInfisicalRuntimeBootstrap, registerCustomTool, resolveDeliveryFailureStatus, resolveText, resolveTopicId, sanitizeWebhookRecord, sortEventsByCursor, toQueryString, truncateWebhookResponseBody, unregisterCustomTool, validateFilterCriteria, withSdkAliases, withTextAlias, withTopicAlias };
11959
12259
  //# sourceMappingURL=index.js.map
11960
12260
  //# sourceMappingURL=index.js.map