@lucern/sdk 0.3.0-alpha.8 → 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (155) hide show
  1. package/CHANGELOG.md +8 -0
  2. package/README.md +60 -1
  3. package/dist/accessControl.d.ts +79 -0
  4. package/dist/accessControl.js +1270 -0
  5. package/dist/accessControl.js.map +1 -0
  6. package/dist/adminClient.js +19 -1
  7. package/dist/adminClient.js.map +1 -1
  8. package/dist/answersClient.js +19 -1
  9. package/dist/answersClient.js.map +1 -1
  10. package/dist/audiencesClient.js +19 -1
  11. package/dist/audiencesClient.js.map +1 -1
  12. package/dist/auditClient.js +19 -1
  13. package/dist/auditClient.js.map +1 -1
  14. package/dist/authContext.d.ts +2 -2
  15. package/dist/authContext.js.map +1 -1
  16. package/dist/beliefs/index.d.ts +3 -0
  17. package/dist/beliefs/index.js +1212 -667
  18. package/dist/beliefs/index.js.map +1 -1
  19. package/dist/beliefsClient.js +19 -1
  20. package/dist/beliefsClient.js.map +1 -1
  21. package/dist/client.d.ts +147 -68
  22. package/dist/client.js +1212 -667
  23. package/dist/client.js.map +1 -1
  24. package/dist/clientHelpers.d.ts +21 -2
  25. package/dist/clientHelpers.js +16 -1
  26. package/dist/clientHelpers.js.map +1 -1
  27. package/dist/contextClient.js +19 -1
  28. package/dist/contextClient.js.map +1 -1
  29. package/dist/contracts/api-enums.contract.d.ts +1 -1
  30. package/dist/contracts/api-enums.contract.js +6 -1
  31. package/dist/contracts/api-enums.contract.js.map +1 -1
  32. package/dist/contracts/auth-session.contract.d.ts +1 -1
  33. package/dist/contracts/auth-session.contract.js +14 -2
  34. package/dist/contracts/auth-session.contract.js.map +1 -1
  35. package/dist/contracts/index.js +26 -3
  36. package/dist/contracts/index.js.map +1 -1
  37. package/dist/contracts/mcpTools.js +6 -0
  38. package/dist/contracts/mcpTools.js.map +1 -1
  39. package/dist/contradictions/index.d.ts +3 -0
  40. package/dist/contradictions/index.js +1212 -667
  41. package/dist/contradictions/index.js.map +1 -1
  42. package/dist/control-plane.d.ts +69 -0
  43. package/dist/control-plane.js +674 -0
  44. package/dist/control-plane.js.map +1 -0
  45. package/dist/coreClient.d.ts +17 -1
  46. package/dist/coreClient.js +19 -1
  47. package/dist/coreClient.js.map +1 -1
  48. package/dist/decisions/index.d.ts +3 -0
  49. package/dist/decisions/index.js +1212 -667
  50. package/dist/decisions/index.js.map +1 -1
  51. package/dist/decisionsClient.js +19 -1
  52. package/dist/decisionsClient.js.map +1 -1
  53. package/dist/edges/index.d.ts +27 -84
  54. package/dist/edges/index.js +1212 -667
  55. package/dist/edges/index.js.map +1 -1
  56. package/dist/embeddingsClient.js +19 -1
  57. package/dist/embeddingsClient.js.map +1 -1
  58. package/dist/eventingClient.js +19 -1
  59. package/dist/eventingClient.js.map +1 -1
  60. package/dist/eventsCore.js +19 -1
  61. package/dist/eventsCore.js.map +1 -1
  62. package/dist/evidence/index.d.ts +3 -0
  63. package/dist/evidence/index.js +1212 -667
  64. package/dist/evidence/index.js.map +1 -1
  65. package/dist/evidenceClient.js +19 -1
  66. package/dist/evidenceClient.js.map +1 -1
  67. package/dist/functionSurface.d.ts +16 -1
  68. package/dist/functionSurface.js +95 -2
  69. package/dist/functionSurface.js.map +1 -1
  70. package/dist/functionSurfaceClient.js +95 -2
  71. package/dist/functionSurfaceClient.js.map +1 -1
  72. package/dist/gatewayFacades.d.ts +29 -2
  73. package/dist/gatewayFacades.js +156 -8
  74. package/dist/gatewayFacades.js.map +1 -1
  75. package/dist/graphAnalysisClient.js +19 -1
  76. package/dist/graphAnalysisClient.js.map +1 -1
  77. package/dist/graphClient.d.ts +1 -0
  78. package/dist/graphClient.js +19 -1
  79. package/dist/graphClient.js.map +1 -1
  80. package/dist/graphIntel.d.ts +1 -0
  81. package/dist/graphRecommendationsClient.js +19 -1
  82. package/dist/graphRecommendationsClient.js.map +1 -1
  83. package/dist/graphStateClassifierClient.js +19 -1
  84. package/dist/graphStateClassifierClient.js.map +1 -1
  85. package/dist/harnessClient.js +19 -1
  86. package/dist/harnessClient.js.map +1 -1
  87. package/dist/identityClient.d.ts +19 -1
  88. package/dist/identityClient.js +152 -6
  89. package/dist/identityClient.js.map +1 -1
  90. package/dist/index.d.ts +5 -1
  91. package/dist/index.js +1428 -799
  92. package/dist/index.js.map +1 -1
  93. package/dist/infisicalRuntime.d.ts +1 -0
  94. package/dist/infisicalRuntime.js +64 -32
  95. package/dist/infisicalRuntime.js.map +1 -1
  96. package/dist/jobsClient.js +19 -1
  97. package/dist/jobsClient.js.map +1 -1
  98. package/dist/learningClient.js +19 -1
  99. package/dist/learningClient.js.map +1 -1
  100. package/dist/lenses/index.d.ts +3 -0
  101. package/dist/lenses/index.js +1212 -667
  102. package/dist/lenses/index.js.map +1 -1
  103. package/dist/mcpClient.js +21 -2
  104. package/dist/mcpClient.js.map +1 -1
  105. package/dist/modelRuntimeClient.js +19 -1
  106. package/dist/modelRuntimeClient.js.map +1 -1
  107. package/dist/nodes/index.d.ts +22 -15
  108. package/dist/nodes/index.js +1212 -667
  109. package/dist/nodes/index.js.map +1 -1
  110. package/dist/ontologies/index.d.ts +3 -0
  111. package/dist/ontologies/index.js +1212 -667
  112. package/dist/ontologies/index.js.map +1 -1
  113. package/dist/ontologyClient.js +19 -1
  114. package/dist/ontologyClient.js.map +1 -1
  115. package/dist/ontologyLinksClient.js +19 -1
  116. package/dist/ontologyLinksClient.js.map +1 -1
  117. package/dist/orgGraphSearchClient.js +19 -1
  118. package/dist/orgGraphSearchClient.js.map +1 -1
  119. package/dist/packsClient.js +19 -1
  120. package/dist/packsClient.js.map +1 -1
  121. package/dist/policyClient.js +19 -1
  122. package/dist/policyClient.js.map +1 -1
  123. package/dist/questions/index.d.ts +3 -0
  124. package/dist/questions/index.js +1212 -667
  125. package/dist/questions/index.js.map +1 -1
  126. package/dist/reportsClient.js +19 -1
  127. package/dist/reportsClient.js.map +1 -1
  128. package/dist/schemaClient.js +19 -1
  129. package/dist/schemaClient.js.map +1 -1
  130. package/dist/secrets.d.ts +1 -0
  131. package/dist/secrets.js +3 -0
  132. package/dist/secrets.js.map +1 -0
  133. package/dist/sourcesClient.js +19 -1
  134. package/dist/sourcesClient.js.map +1 -1
  135. package/dist/telemetryClient.js +19 -1
  136. package/dist/telemetryClient.js.map +1 -1
  137. package/dist/toolRegistryClient.js +19 -1
  138. package/dist/toolRegistryClient.js.map +1 -1
  139. package/dist/topics/index.d.ts +12 -3
  140. package/dist/topics/index.js +1214 -667
  141. package/dist/topics/index.js.map +1 -1
  142. package/dist/topicsClient.d.ts +2 -0
  143. package/dist/topicsClient.js +19 -1
  144. package/dist/topicsClient.js.map +1 -1
  145. package/dist/types.d.ts +17 -0
  146. package/dist/version.d.ts +1 -1
  147. package/dist/version.js +1 -1
  148. package/dist/version.js.map +1 -1
  149. package/dist/workflowClient.d.ts +2 -0
  150. package/dist/workflowClient.js +19 -1
  151. package/dist/workflowClient.js.map +1 -1
  152. package/dist/worktrees/index.d.ts +3 -0
  153. package/dist/worktrees/index.js +1212 -667
  154. package/dist/worktrees/index.js.map +1 -1
  155. package/package.json +9 -4
package/CHANGELOG.md CHANGED
@@ -5,6 +5,14 @@ All notable changes to `@lucern/sdk` will be documented in this file.
5
5
  ## [Unreleased]
6
6
  - No unreleased changes yet.
7
7
 
8
+ ## [1.0.0] - 2026-05-23
9
+ - Promote the Campaign 1 package line to the stable 1.0.0 release.
10
+
11
+ ## [0.3.0-alpha.16] - 2026-05-14
12
+ - Adds the exact-row reasoning-kernel migration surface required for tenant identity/scope repairs.
13
+ - Keeps the coherent Lucern package line aligned for StackOS and reasoning-environment adoption.
14
+
15
+
8
16
  ## [0.3.0-alpha.7] - 2026-05-03
9
17
  - Rebuild the coherent Lucern package line after Campaign 1 SDK hardening fixes.
10
18
 
package/README.md CHANGED
@@ -24,7 +24,7 @@ Common direct installs:
24
24
  | Programmatic Lucern API calls | `@lucern/sdk` |
25
25
  | Tool access checks | `@lucern/access-control` |
26
26
  | React hooks/components | `@lucern/react @lucern/sdk` |
27
- | Convex component binding | `@lucern/identity @lucern/reasoning-kernel` |
27
+ | Convex component binding | `@lucern/control-plane @lucern/reasoning-kernel` |
28
28
  | Bootstrap, auth, doctor, and operator commands | `@lucern/cli` |
29
29
  | Agent-facing MCP server/runtime | `@lucern/mcp` |
30
30
  | Full design-partner/package-suite pin | all packages from `TENANT_CLIENT_INSTALLABLE_PACKAGES` in `@lucern/contracts` |
@@ -42,6 +42,9 @@ code should stay on `@lucern/sdk`, `@lucern/react`, `@lucern/mcp`,
42
42
  - Build applications, automations, and backend integrations against the SDK first.
43
43
  - Treat `/api/platform/v1/*` as the transport mirror of the SDK surface.
44
44
  - Treat MCP as an agent-facing client of the same surface, not as a privileged bypass around SDK or HTTP semantics.
45
+ - Treat REST, SDK, CLI, and MCP as projections of the same manifest. New
46
+ control-plane operations must be added to the manifest first, then exposed
47
+ through the generated surfaces.
45
48
 
46
49
  IA-7 closes the remaining SDK surface gaps needed for SDK-first clients:
47
50
 
@@ -67,6 +70,62 @@ const identity = await lucern.identity.whoami();
67
70
  const principal: SdkPrincipalContext = identity.data;
68
71
  ```
69
72
 
73
+ ### Control-Plane Tenant Bootstrap
74
+
75
+ Interactive tenant applications should resolve Clerk users through the Lucern
76
+ control-plane identity surface before making workspace-scoped graph calls. Clerk
77
+ proves the browser user's identity; Lucern authorization comes from the
78
+ Permit-backed control-plane projection.
79
+
80
+ ```typescript
81
+ import { createLucernClient } from "@lucern/sdk";
82
+
83
+ async function createLucernForClerkUser(args: {
84
+ clerkUserId: string;
85
+ getClerkToken: () => Promise<string | null>;
86
+ tenantId: string;
87
+ workspaceId: string;
88
+ clerkProjectId?: string;
89
+ }) {
90
+ const token = await args.getClerkToken();
91
+ if (!token) {
92
+ throw new Error("Clerk session token is required.");
93
+ }
94
+
95
+ const getAuthHeaders = () => ({ Authorization: `Bearer ${token}` });
96
+ const lucern = createLucernClient({
97
+ baseUrl: "https://api.lucern.ai",
98
+ getAuthHeaders,
99
+ });
100
+
101
+ const principal =
102
+ await lucern.controlPlane.identity.resolveInteractivePrincipal({
103
+ clerkId: args.clerkUserId,
104
+ tenantId: args.tenantId,
105
+ workspaceId: args.workspaceId,
106
+ providerProjectId: args.clerkProjectId,
107
+ });
108
+
109
+ return createLucernClient({
110
+ baseUrl: "https://api.lucern.ai",
111
+ getAuthHeaders,
112
+ authContext: principal.data,
113
+ });
114
+ }
115
+ ```
116
+
117
+ Use `authContext.principalId`, roles, scopes, groups, permitted tools, and
118
+ Permit subject data as the runtime Lucern principal context. Tenant apps must
119
+ not read legacy `users.mcRole` / `defaultTenantId` fields as authorization, and
120
+ they must not call `components.controlPlane.migration` from application code.
121
+ Provisioning and backfills can use migration APIs; runtime bootstrapping uses
122
+ `controlPlane.identity.resolveInteractivePrincipal(...)`.
123
+
124
+ StackOS, Lucern Graph, and Stack Engineering should use this bootstrap path
125
+ before calling morning brief, graph session, MCP, or CLI-backed runtime flows.
126
+ `/api/platform/v1/users/:clerkId` may be a profile facade, but it is not an
127
+ authorization source.
128
+
70
129
  ## The Full Developer Journey
71
130
 
72
131
  This walkthrough mirrors what a developer building an AI-powered code review system would experience in a real coding session. Every API call is something you would actually use.
@@ -0,0 +1,79 @@
1
+ import { LucernSdkAuthContextError, LucernSdkAuthFailureReason, LucernSdkAuthContextInput } from './authContext.js';
2
+ import { GatewayClientConfig } from './coreClient.js';
3
+ import { PolicyEvaluationInput, PolicyDecisionRecord } from './identityClient.js';
4
+ import { SessionPrincipalType } from './contracts/auth-session.contract.js';
5
+ import { JsonObject } from './types.js';
6
+ import './control-plane.js';
7
+ import './contracts/workflow-runtime.contract.js';
8
+ import './contracts/lens-workflow.contract.js';
9
+ import './contracts/lens-filter.contract.js';
10
+
11
+ type ClerkIdentityAliasInput = {
12
+ provider?: "clerk" | string;
13
+ providerProjectId?: string | null;
14
+ externalSubjectId: string;
15
+ status?: "active" | "pending" | "revoked" | string;
16
+ };
17
+ type CanonicalPrincipalIdentityInput = {
18
+ principalId?: string | null;
19
+ principalType?: SessionPrincipalType | "user" | "external_viewer" | null;
20
+ canonicalClerkUserId?: string | null;
21
+ clerkId?: string | null;
22
+ clerkIdentityAliases?: readonly ClerkIdentityAliasInput[];
23
+ tenantId?: string | null;
24
+ workspaceId?: string | null;
25
+ roles?: readonly string[];
26
+ scopes?: readonly string[];
27
+ };
28
+ type CanonicalPrincipalIdentityAlias = {
29
+ provider: string;
30
+ providerProjectId?: string;
31
+ externalSubjectId: string;
32
+ status?: string;
33
+ };
34
+ type CanonicalPrincipalIdentity = {
35
+ principalId: string;
36
+ principalType: SessionPrincipalType;
37
+ canonicalClerkUserId?: string;
38
+ clerkIdentityAliases: CanonicalPrincipalIdentityAlias[];
39
+ tenantId?: string;
40
+ workspaceId?: string;
41
+ roles: string[];
42
+ scopes: string[];
43
+ };
44
+ type AccessResourceType = "tenant" | "workspace" | "deployment" | "convex_table" | "secret_scope" | "agent_session" | (string & {});
45
+ type AccessResourceDescriptor = {
46
+ type: AccessResourceType;
47
+ key: string;
48
+ };
49
+ type RequireAccessInput = {
50
+ identity?: CanonicalPrincipalIdentityInput | LucernSdkAuthContextInput;
51
+ observedClerkId?: string;
52
+ tenantId?: string;
53
+ workspaceId?: string;
54
+ action: string;
55
+ resource: AccessResourceDescriptor | string;
56
+ context?: JsonObject;
57
+ };
58
+ type AccessCheckResult = {
59
+ identity: CanonicalPrincipalIdentity;
60
+ policyInput: PolicyEvaluationInput;
61
+ decision: PolicyDecisionRecord;
62
+ };
63
+ declare class LucernAccessControlError extends LucernSdkAuthContextError {
64
+ readonly policyDecision?: PolicyDecisionRecord;
65
+ constructor(reason: LucernSdkAuthFailureReason, message: string, policyDecision?: PolicyDecisionRecord);
66
+ }
67
+ declare function normalizeCanonicalPrincipalIdentity(input: CanonicalPrincipalIdentityInput | LucernSdkAuthContextInput, options?: {
68
+ observedClerkId?: string;
69
+ }): CanonicalPrincipalIdentity;
70
+ declare function formatPermitResource(resource: AccessResourceDescriptor | string): string;
71
+ declare function assertPermitAllowed(decision: PolicyDecisionRecord): void;
72
+ declare function createAccessControlClient(config?: GatewayClientConfig): {
73
+ normalizePrincipal: typeof normalizeCanonicalPrincipalIdentity;
74
+ checkAccess: (input: RequireAccessInput, idempotencyKey?: string) => Promise<AccessCheckResult>;
75
+ requireAccess: (input: RequireAccessInput, idempotencyKey?: string) => Promise<AccessCheckResult>;
76
+ canAccess: (input: RequireAccessInput, idempotencyKey?: string) => Promise<boolean>;
77
+ };
78
+
79
+ export { type AccessCheckResult, type AccessResourceDescriptor, type AccessResourceType, type CanonicalPrincipalIdentity, type CanonicalPrincipalIdentityAlias, type CanonicalPrincipalIdentityInput, type ClerkIdentityAliasInput, LucernAccessControlError, type RequireAccessInput, assertPermitAllowed, createAccessControlClient, formatPermitResource, normalizeCanonicalPrincipalIdentity };