@lucern/sdk 1.0.10 → 1.0.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (331) hide show
  1. package/CHANGELOG.md +6 -0
  2. package/README.md +35 -0
  3. package/dist/.generated +2 -0
  4. package/dist/accessControl.d.ts +19 -26
  5. package/dist/accessControl.js +195 -1423
  6. package/dist/adminClient.d.ts +52 -59
  7. package/dist/adminClient.js +364 -1142
  8. package/dist/answersClient.d.ts +5 -14
  9. package/dist/answersClient.js +19 -737
  10. package/dist/audience/index.d.ts +18 -18
  11. package/dist/audience/index.js +87 -90
  12. package/dist/audiencesClient.d.ts +19 -27
  13. package/dist/audiencesClient.js +107 -868
  14. package/dist/auditClient.d.ts +8 -15
  15. package/dist/auditClient.js +18 -791
  16. package/dist/authContext.d.ts +11 -16
  17. package/dist/authContext.js +122 -154
  18. package/dist/authDeviceClient.d.ts +8 -17
  19. package/dist/authDeviceClient.js +113 -102
  20. package/dist/beliefs/index.d.ts +15 -67
  21. package/dist/beliefs/index.js +17 -10172
  22. package/dist/beliefs/lifecycle.d.ts +10 -11
  23. package/dist/beliefs/lifecycle.js +78 -80
  24. package/dist/beliefsClient.d.ts +26 -32
  25. package/dist/beliefsClient.js +250 -990
  26. package/dist/boundaryClientSurface.d.ts +11 -16
  27. package/dist/boundaryClientSurface.js +49 -68
  28. package/dist/client.d.ts +73 -112
  29. package/dist/client.js +232 -10146
  30. package/dist/clientAssemblyTypes.d.ts +3 -3
  31. package/dist/clientAssemblyTypes.js +1 -2
  32. package/dist/clientConfig.d.ts +45 -59
  33. package/dist/clientConfig.js +1 -2
  34. package/dist/clientEvidenceCompat.d.ts +7 -14
  35. package/dist/clientEvidenceCompat.js +50 -64
  36. package/dist/clientGraphNamespaces.d.ts +3 -5
  37. package/dist/clientGraphNamespaces.js +170 -245
  38. package/dist/clientHelpers.d.ts +20 -25
  39. package/dist/clientHelpers.js +104 -127
  40. package/dist/clientKnowledgeNamespaces.d.ts +6 -53
  41. package/dist/clientKnowledgeNamespaces.js +502 -506
  42. package/dist/clientLocalHelpers.d.ts +11 -56
  43. package/dist/clientLocalHelpers.js +503 -732
  44. package/dist/clientPlatformNamespaces.d.ts +14 -53
  45. package/dist/clientPlatformNamespaces.js +229 -314
  46. package/dist/clientRuntime.d.ts +5 -53
  47. package/dist/clientRuntime.js +26 -30
  48. package/dist/clientWorkflowNamespaces.d.ts +6 -15
  49. package/dist/clientWorkflowNamespaces.js +529 -596
  50. package/dist/contextClient.d.ts +9 -17
  51. package/dist/contextClient.js +92 -805
  52. package/dist/contextFacade.d.ts +11 -2
  53. package/dist/contextFacade.js +10 -81
  54. package/dist/contextPackCompiler.d.ts +10 -11
  55. package/dist/contextPackCompiler.js +494 -1040
  56. package/dist/contextPackPolicy.d.ts +14 -15
  57. package/dist/contextPackPolicy.js +227 -305
  58. package/dist/contextPackSchema.d.ts +3 -3
  59. package/dist/contextPackSchema.js +169 -176
  60. package/dist/contextTypes.d.ts +14 -15
  61. package/dist/contextTypes.js +1 -2
  62. package/dist/contracts/api-enums.contract.d.ts +29 -30
  63. package/dist/contracts/api-enums.contract.js +162 -88
  64. package/dist/contracts/auth-session.contract.d.ts +13 -14
  65. package/dist/contracts/auth-session.contract.js +55 -52
  66. package/dist/contracts/context-pack.contract.d.ts +54 -55
  67. package/dist/contracts/context-pack.contract.js +160 -88
  68. package/dist/contracts/contextPack.d.ts +2 -1
  69. package/dist/contracts/contextPack.js +1 -97
  70. package/dist/contracts/index.d.ts +11 -12
  71. package/dist/contracts/index.js +10 -854
  72. package/dist/contracts/lens-filter.contract.d.ts +9 -10
  73. package/dist/contracts/lens-filter.contract.js +82 -58
  74. package/dist/contracts/lens-workflow.contract.d.ts +21 -23
  75. package/dist/contracts/lens-workflow.contract.js +48 -117
  76. package/dist/contracts/lensFilter.d.ts +2 -1
  77. package/dist/contracts/lensFilter.js +1 -71
  78. package/dist/contracts/lensWorkflow.d.ts +2 -2
  79. package/dist/contracts/lensWorkflow.js +1 -123
  80. package/dist/contracts/mcpTools.d.ts +16 -18
  81. package/dist/contracts/mcpTools.js +89 -123
  82. package/dist/contracts/prompt.contract.d.ts +4 -5
  83. package/dist/contracts/prompt.contract.js +23 -10
  84. package/dist/contracts/prompt.d.ts +2 -1
  85. package/dist/contracts/prompt.js +1 -11
  86. package/dist/contracts/sdk-tools.contract.d.ts +2 -1
  87. package/dist/contracts/sdk-tools.contract.js +1 -2
  88. package/dist/contracts/sdkTools.d.ts +2 -1
  89. package/dist/contracts/sdkTools.js +1 -26
  90. package/dist/contracts/tool-contracts.d.ts +2 -1
  91. package/dist/contracts/tool-contracts.js +1 -2
  92. package/dist/contracts/workflow-runtime.contract.d.ts +45 -46
  93. package/dist/contracts/workflow-runtime.contract.js +241 -228
  94. package/dist/contracts/workflowRuntime.d.ts +2 -1
  95. package/dist/contracts/workflowRuntime.js +1 -244
  96. package/dist/contradictions/index.d.ts +8 -60
  97. package/dist/contradictions/index.js +11 -10166
  98. package/dist/control-plane.d.ts +17 -24
  99. package/dist/control-plane.js +124 -840
  100. package/dist/controlObjectOwnership.d.ts +19 -20
  101. package/dist/controlObjectOwnership.js +207 -201
  102. package/dist/coreClient.d.ts +23 -28
  103. package/dist/coreClient.js +567 -692
  104. package/dist/customTools.d.ts +17 -21
  105. package/dist/customTools.js +221 -221
  106. package/dist/decisions/index.d.ts +7 -58
  107. package/dist/decisions/index.js +14 -10168
  108. package/dist/decisionsClient.d.ts +25 -32
  109. package/dist/decisionsClient.js +113 -913
  110. package/dist/domainContext.d.ts +2 -1
  111. package/dist/domainContext.js +1 -2
  112. package/dist/edges/index.d.ts +21 -73
  113. package/dist/edges/index.js +12 -10167
  114. package/dist/embeddingsClient.d.ts +22 -30
  115. package/dist/embeddingsClient.js +73 -922
  116. package/dist/eventingClient.d.ts +23 -31
  117. package/dist/eventingClient.js +89 -918
  118. package/dist/events.d.ts +48 -49
  119. package/dist/events.js +257 -241
  120. package/dist/eventsCore.d.ts +20 -29
  121. package/dist/eventsCore.js +86 -830
  122. package/dist/evidence/index.d.ts +9 -60
  123. package/dist/evidence/index.js +13 -10167
  124. package/dist/evidenceClient.d.ts +13 -22
  125. package/dist/evidenceClient.js +34 -751
  126. package/dist/facade/context.d.ts +7 -8
  127. package/dist/facade/context.js +73 -72
  128. package/dist/functionSurface.d.ts +2 -156
  129. package/dist/functionSurface.js +1 -1460
  130. package/dist/functionSurfaceClient.d.ts +2 -9
  131. package/dist/functionSurfaceClient.js +1 -1460
  132. package/dist/gatewayFacades.d.ts +79 -296
  133. package/dist/gatewayFacades.factories.d.ts +209 -14
  134. package/dist/gatewayFacades.factories.js +561 -2227
  135. package/dist/gatewayFacades.js +284 -2627
  136. package/dist/generated/functionSurface.d.ts +149 -0
  137. package/dist/generated/functionSurface.js +749 -0
  138. package/dist/graphAnalysisClient.d.ts +41 -49
  139. package/dist/graphAnalysisClient.js +185 -974
  140. package/dist/graphClient.d.ts +53 -60
  141. package/dist/graphClient.js +219 -1090
  142. package/dist/graphIntel.d.ts +2 -4
  143. package/dist/graphIntel.js +1 -2
  144. package/dist/graphIntelligence.d.ts +4 -2
  145. package/dist/graphIntelligence.js +2 -46
  146. package/dist/graphRecommendationsClient.d.ts +15 -23
  147. package/dist/graphRecommendationsClient.js +70 -849
  148. package/dist/graphStateClassifierClient.d.ts +17 -25
  149. package/dist/graphStateClassifierClient.js +67 -908
  150. package/dist/harnessClient.d.ts +40 -47
  151. package/dist/harnessClient.js +198 -993
  152. package/dist/identityClient.d.ts +25 -33
  153. package/dist/identityClient.js +245 -1186
  154. package/dist/index.d.ts +73 -69
  155. package/dist/index.js +72 -13304
  156. package/dist/infisicalRuntime.d.ts +12 -14
  157. package/dist/infisicalRuntime.js +290 -297
  158. package/dist/jobsClient.d.ts +24 -32
  159. package/dist/jobsClient.js +101 -916
  160. package/dist/learningClient.d.ts +8 -16
  161. package/dist/learningClient.js +45 -809
  162. package/dist/lenses/index.d.ts +13 -65
  163. package/dist/lenses/index.js +11 -10166
  164. package/dist/mcpClient.d.ts +14 -23
  165. package/dist/mcpClient.js +115 -856
  166. package/dist/modelRuntimeClient.d.ts +18 -26
  167. package/dist/modelRuntimeClient.js +74 -894
  168. package/dist/nodes/index.d.ts +7 -58
  169. package/dist/nodes/index.js +14 -10168
  170. package/dist/ontologies/index.d.ts +21 -73
  171. package/dist/ontologies/index.js +14 -10169
  172. package/dist/ontologyClient.d.ts +23 -31
  173. package/dist/ontologyClient.js +138 -924
  174. package/dist/ontologyLinksClient.d.ts +16 -24
  175. package/dist/ontologyLinksClient.js +76 -886
  176. package/dist/opinion.d.ts +5 -6
  177. package/dist/opinion.js +21 -25
  178. package/dist/orgGraphSearchClient.d.ts +19 -27
  179. package/dist/orgGraphSearchClient.js +89 -857
  180. package/dist/packRuntime.d.ts +2 -2
  181. package/dist/packRuntime.js +1 -2
  182. package/dist/packsClient.d.ts +30 -37
  183. package/dist/packsClient.js +131 -906
  184. package/dist/policyClient.d.ts +21 -29
  185. package/dist/policyClient.js +267 -1026
  186. package/dist/proof-attestation.json +1 -1
  187. package/dist/questions/index.d.ts +9 -60
  188. package/dist/questions/index.js +15 -10169
  189. package/dist/realtime/index.d.ts +20 -16
  190. package/dist/realtime/index.js +30 -19
  191. package/dist/realtime/refs.d.ts +4 -6
  192. package/dist/realtime/refs.js +12 -7
  193. package/dist/realtime-refs.d.ts +1 -0
  194. package/dist/realtime-refs.js +1 -0
  195. package/dist/realtime.d.ts +1 -0
  196. package/dist/realtime.js +1 -0
  197. package/dist/reportsClient.d.ts +10 -19
  198. package/dist/reportsClient.js +48 -836
  199. package/dist/schemaClient.d.ts +16 -23
  200. package/dist/schemaClient.js +62 -832
  201. package/dist/sdkSurface.d.ts +18 -25
  202. package/dist/sdkSurface.js +135 -106
  203. package/dist/secrets.d.ts +2 -1
  204. package/dist/secrets.js +1 -2
  205. package/dist/sourcesClient.d.ts +11 -18
  206. package/dist/sourcesClient.js +18 -741
  207. package/dist/telemetryClient.d.ts +22 -30
  208. package/dist/telemetryClient.js +107 -931
  209. package/dist/toolRegistryClient.d.ts +27 -35
  210. package/dist/toolRegistryClient.js +116 -954
  211. package/dist/topics/index.d.ts +13 -64
  212. package/dist/topics/index.js +15 -10169
  213. package/dist/topicsClient.d.ts +19 -27
  214. package/dist/topicsClient.js +106 -894
  215. package/dist/types.d.ts +84 -87
  216. package/dist/types.js +1 -2
  217. package/dist/version.d.ts +2 -3
  218. package/dist/version.js +2 -5
  219. package/dist/workflowClient.d.ts +60 -65
  220. package/dist/workflowClient.js +343 -1219
  221. package/dist/worktrees/index.d.ts +16 -68
  222. package/dist/worktrees/index.js +14 -10169
  223. package/package.json +6 -6
  224. package/dist/accessControl.js.map +0 -1
  225. package/dist/adminClient.js.map +0 -1
  226. package/dist/answersClient.js.map +0 -1
  227. package/dist/audience/index.js.map +0 -1
  228. package/dist/audiencesClient.js.map +0 -1
  229. package/dist/auditClient.js.map +0 -1
  230. package/dist/authContext.js.map +0 -1
  231. package/dist/authDeviceClient.js.map +0 -1
  232. package/dist/beliefs/index.js.map +0 -1
  233. package/dist/beliefs/lifecycle.js.map +0 -1
  234. package/dist/beliefsClient.js.map +0 -1
  235. package/dist/boundaryClientSurface.js.map +0 -1
  236. package/dist/client.js.map +0 -1
  237. package/dist/clientAssemblyTypes.js.map +0 -1
  238. package/dist/clientConfig.js.map +0 -1
  239. package/dist/clientEvidenceCompat.js.map +0 -1
  240. package/dist/clientGraphNamespaces.js.map +0 -1
  241. package/dist/clientHelpers.js.map +0 -1
  242. package/dist/clientKnowledgeNamespaces.js.map +0 -1
  243. package/dist/clientLocalHelpers.js.map +0 -1
  244. package/dist/clientPlatformNamespaces.js.map +0 -1
  245. package/dist/clientRuntime.js.map +0 -1
  246. package/dist/clientWorkflowNamespaces.js.map +0 -1
  247. package/dist/contextClient.js.map +0 -1
  248. package/dist/contextFacade.js.map +0 -1
  249. package/dist/contextPackCompiler.js.map +0 -1
  250. package/dist/contextPackPolicy.js.map +0 -1
  251. package/dist/contextPackSchema.js.map +0 -1
  252. package/dist/contextTypes.js.map +0 -1
  253. package/dist/contracts/api-enums.contract.js.map +0 -1
  254. package/dist/contracts/auth-session.contract.js.map +0 -1
  255. package/dist/contracts/context-pack.contract.js.map +0 -1
  256. package/dist/contracts/contextPack.js.map +0 -1
  257. package/dist/contracts/index.js.map +0 -1
  258. package/dist/contracts/lens-filter.contract.js.map +0 -1
  259. package/dist/contracts/lens-workflow.contract.js.map +0 -1
  260. package/dist/contracts/lensFilter.js.map +0 -1
  261. package/dist/contracts/lensWorkflow.js.map +0 -1
  262. package/dist/contracts/mcpTools.js.map +0 -1
  263. package/dist/contracts/prompt.contract.js.map +0 -1
  264. package/dist/contracts/prompt.js.map +0 -1
  265. package/dist/contracts/sdk-tools.contract.js.map +0 -1
  266. package/dist/contracts/sdkTools.js.map +0 -1
  267. package/dist/contracts/tool-contracts.js.map +0 -1
  268. package/dist/contracts/workflow-runtime.contract.js.map +0 -1
  269. package/dist/contracts/workflowRuntime.js.map +0 -1
  270. package/dist/contradictions/index.js.map +0 -1
  271. package/dist/control-plane.js.map +0 -1
  272. package/dist/controlObjectOwnership.js.map +0 -1
  273. package/dist/coreClient.js.map +0 -1
  274. package/dist/customTools.js.map +0 -1
  275. package/dist/decisions/index.js.map +0 -1
  276. package/dist/decisionsClient.js.map +0 -1
  277. package/dist/domainContext.js.map +0 -1
  278. package/dist/edges/index.js.map +0 -1
  279. package/dist/embeddingsClient.js.map +0 -1
  280. package/dist/eventingClient.js.map +0 -1
  281. package/dist/events.js.map +0 -1
  282. package/dist/eventsCore.js.map +0 -1
  283. package/dist/evidence/index.js.map +0 -1
  284. package/dist/evidenceClient.js.map +0 -1
  285. package/dist/facade/context.js.map +0 -1
  286. package/dist/functionSurface.js.map +0 -1
  287. package/dist/functionSurfaceClient.js.map +0 -1
  288. package/dist/gatewayFacades.factories.js.map +0 -1
  289. package/dist/gatewayFacades.js.map +0 -1
  290. package/dist/graphAnalysisClient.js.map +0 -1
  291. package/dist/graphClient.js.map +0 -1
  292. package/dist/graphIntel.js.map +0 -1
  293. package/dist/graphIntelligence.js.map +0 -1
  294. package/dist/graphRecommendationsClient.js.map +0 -1
  295. package/dist/graphStateClassifierClient.js.map +0 -1
  296. package/dist/harnessClient.js.map +0 -1
  297. package/dist/identityClient.js.map +0 -1
  298. package/dist/index.js.map +0 -1
  299. package/dist/infisicalRuntime.js.map +0 -1
  300. package/dist/jobsClient.js.map +0 -1
  301. package/dist/learningClient.js.map +0 -1
  302. package/dist/lenses/index.js.map +0 -1
  303. package/dist/mcpClient.js.map +0 -1
  304. package/dist/modelRuntimeClient.js.map +0 -1
  305. package/dist/nodes/index.js.map +0 -1
  306. package/dist/ontologies/index.js.map +0 -1
  307. package/dist/ontologyClient.js.map +0 -1
  308. package/dist/ontologyLinksClient.js.map +0 -1
  309. package/dist/opinion.js.map +0 -1
  310. package/dist/orgGraphSearchClient.js.map +0 -1
  311. package/dist/packRuntime.js.map +0 -1
  312. package/dist/packsClient.js.map +0 -1
  313. package/dist/policyClient.js.map +0 -1
  314. package/dist/questions/index.js.map +0 -1
  315. package/dist/realtime/index.js.map +0 -1
  316. package/dist/realtime/refs.js.map +0 -1
  317. package/dist/reportsClient.js.map +0 -1
  318. package/dist/schemaClient.js.map +0 -1
  319. package/dist/sdk-tools.contract-B4c1Zr1o.d.ts +0 -22
  320. package/dist/sdkSurface.js.map +0 -1
  321. package/dist/secrets.js.map +0 -1
  322. package/dist/sourcesClient.js.map +0 -1
  323. package/dist/telemetryClient.js.map +0 -1
  324. package/dist/tool-contracts-BUiL9P6z.d.ts +0 -22
  325. package/dist/toolRegistryClient.js.map +0 -1
  326. package/dist/topics/index.js.map +0 -1
  327. package/dist/topicsClient.js.map +0 -1
  328. package/dist/types.js.map +0 -1
  329. package/dist/version.js.map +0 -1
  330. package/dist/workflowClient.js.map +0 -1
  331. package/dist/worktrees/index.js.map +0 -1
@@ -1,1040 +1,281 @@
1
- import { createTelemetryExporterFromEnv, emitTelemetrySignal } from '@lucern/transport-core';
2
- import { redactDiagnosticValue } from '@lucern/transport-core/redaction';
3
- import { classifyRetry } from '@lucern/transport-core/transport';
4
- import { Effect, Exit, Cause } from 'effect';
5
-
6
- // src/coreClient.ts
7
-
8
- // src/authContext.ts
9
- var LucernSdkAuthContextError = class extends Error {
10
- reason;
11
- constructor(reason, message) {
12
- super(message);
13
- this.name = "LucernSdkAuthContextError";
14
- this.reason = reason;
15
- }
16
- };
17
- function cleanString(value) {
18
- const normalized = value?.trim();
19
- return normalized ? normalized : void 0;
20
- }
21
- function cleanStringList(values) {
22
- if (!values) {
23
- return [];
24
- }
25
- return values.map((value) => value.trim()).filter(
26
- (value, index, list) => value.length > 0 && list.indexOf(value) === index
27
- );
28
- }
29
- function requireString(value, reason, label) {
30
- const normalized = cleanString(value);
31
- if (!normalized) {
32
- throw new LucernSdkAuthContextError(
33
- reason,
34
- `Canonical Lucern SDK auth context is missing ${label}.`
35
- );
36
- }
37
- return normalized;
38
- }
39
- function requirePrincipalType(principalType) {
40
- if (!principalType) {
41
- throw new LucernSdkAuthContextError(
42
- "principal_missing",
43
- "Canonical Lucern SDK auth context is missing principalType."
44
- );
45
- }
46
- return principalType;
47
- }
48
- function requireAuthMode(authMode) {
49
- if (!authMode) {
50
- throw new LucernSdkAuthContextError(
51
- "principal_missing",
52
- "Canonical Lucern SDK auth context is missing authMode."
53
- );
54
- }
55
- return authMode;
56
- }
57
- function ensurePermitMatch(args) {
58
- const actual = cleanString(args.actual);
59
- if (actual && actual !== args.expected) {
60
- throw new LucernSdkAuthContextError(
61
- "policy_denied",
62
- `Canonical Lucern SDK auth context has conflicting Permit ${args.field}.`
63
- );
64
- }
65
- }
66
- function normalizeCanonicalLucernAuthContext(input) {
67
- if (!input) {
68
- throw new LucernSdkAuthContextError(
69
- "principal_missing",
70
- "Canonical Lucern SDK auth context is required."
71
- );
72
- }
73
- if (input.policyDecision === "deny") {
74
- throw new LucernSdkAuthContextError(
75
- "policy_denied",
76
- "Canonical Lucern SDK auth context carries a denied policy decision."
77
- );
78
- }
79
- const principalId = requireString(
80
- input.principalId,
81
- "principal_missing",
82
- "principalId"
83
- );
84
- const tenantId = requireString(input.tenantId, "tenant_missing", "tenantId");
85
- const workspaceId = requireString(
86
- input.workspaceId,
87
- "workspace_missing",
88
- "workspaceId"
89
- );
90
- const roles = cleanStringList(input.roles);
91
- const scopes = cleanStringList(input.scopes);
92
- const principalType = requirePrincipalType(input.principalType);
93
- const authMode = requireAuthMode(input.authMode);
94
- const roleBasedInteractiveAuth = authMode === "interactive_user" && roles.length > 0;
95
- if (roles.length === 0 || scopes.length === 0 && !roleBasedInteractiveAuth) {
96
- throw new LucernSdkAuthContextError(
97
- "membership_missing",
98
- "Canonical Lucern SDK auth context requires non-empty roles and scopes."
99
- );
100
- }
101
- const subject = cleanString(input.permit?.subject) ?? principalId;
102
- const tenant = cleanString(input.permit?.tenant) ?? tenantId;
103
- const workspace = cleanString(input.permit?.workspace) ?? workspaceId;
104
- ensurePermitMatch({
105
- field: "subject",
106
- expected: principalId,
107
- actual: subject
108
- });
109
- ensurePermitMatch({ field: "tenant", expected: tenantId, actual: tenant });
110
- ensurePermitMatch({
111
- field: "workspace",
112
- expected: workspaceId,
113
- actual: workspace
114
- });
115
- const context = input.permit?.context ? { ...input.permit.context } : void 0;
116
- return {
117
- clerkId: cleanString(input.clerkId),
118
- principalId,
119
- tenantId,
120
- workspaceId,
121
- principalType,
122
- authMode,
123
- roles,
124
- scopes,
125
- delegationChain: input.delegationChain ? [...input.delegationChain] : [],
126
- policyTraceId: cleanString(input.policyTraceId),
127
- correlationId: cleanString(input.correlationId),
128
- membershipId: cleanString(input.membershipId),
129
- permit: {
130
- subject,
131
- tenant,
132
- workspace,
133
- resource: cleanString(input.permit?.resource),
134
- action: cleanString(input.permit?.action),
135
- relation: cleanString(input.permit?.relation),
136
- context
137
- }
138
- };
139
- }
140
- function createCanonicalAuthHeaders(authContext) {
141
- const headers = {
142
- "x-lucern-principal-id": authContext.principalId,
143
- "x-lucern-principal-type": authContext.principalType,
144
- "x-lucern-tenant": authContext.tenantId,
145
- "x-lucern-tenant-id": authContext.tenantId,
146
- "x-lucern-workspace": authContext.workspaceId,
147
- "x-lucern-workspace-id": authContext.workspaceId,
148
- "x-lucern-auth-mode": authContext.authMode,
149
- "x-lucern-roles": authContext.roles.join(","),
150
- "x-lucern-scopes": authContext.scopes.join(","),
151
- "x-lucern-permit-context": JSON.stringify(authContext.permit)
152
- };
153
- if (authContext.clerkId) {
154
- headers["x-lucern-clerk-id"] = authContext.clerkId;
155
- headers["x-lucern-user-id"] = authContext.clerkId;
156
- }
157
- if (authContext.delegationChain.length > 0) {
158
- headers["x-lucern-delegation-chain"] = JSON.stringify(
159
- authContext.delegationChain
160
- );
161
- }
162
- if (authContext.policyTraceId) {
163
- headers["x-lucern-policy-trace-id"] = authContext.policyTraceId;
164
- }
165
- if (authContext.correlationId) {
166
- headers["x-correlation-id"] = authContext.correlationId;
167
- headers["x-lucern-correlation-id"] = authContext.correlationId;
168
- }
169
- if (authContext.membershipId) {
170
- headers["x-lucern-membership-id"] = authContext.membershipId;
171
- }
172
- return headers;
173
- }
174
-
175
- // src/coreClient.ts
176
- var DEFAULT_GATEWAY_TIMEOUT_MS = 15e3;
177
- var DEFAULT_GATEWAY_MAX_RETRIES = 2;
178
- var DEFAULT_ENV_TIMEOUT_MS = "LUCERN_REQUEST_TIMEOUT_MS";
179
- var DEFAULT_ENV_MAX_RETRIES = "LUCERN_GATEWAY_MAX_RETRIES";
180
- var ENV_TIMEOUT_BY_METHOD_PREFIX = "LUCERN_REQUEST_TIMEOUT_MS_";
181
- var GatewayTimeoutError = class extends Error {
182
- retryable = true;
183
- timeoutMs;
184
- constructor(timeoutMs) {
185
- super(`Request timed out after ${timeoutMs}ms`);
186
- this.name = "AbortError";
187
- this.timeoutMs = timeoutMs;
188
- }
189
- };
190
- var GatewayTransportError = class extends Error {
191
- retryable;
192
- cause;
193
- constructor(message, options) {
194
- super(message);
195
- this.name = "GatewayTransportError";
196
- this.retryable = options?.retryable ?? true;
197
- this.cause = options?.cause;
198
- }
199
- };
200
- function isGatewayRetryableError(error) {
201
- return error instanceof GatewayTimeoutError && error.retryable || error instanceof GatewayTransportError && error.retryable || false;
202
- }
203
- var LucernApiError = class extends Error {
204
- code;
205
- status;
206
- invariant;
207
- suggestion;
208
- details;
209
- requestId;
210
- correlationId;
211
- policyTraceId;
212
- constructor(args) {
213
- super(args.message);
214
- this.name = "LucernApiError";
215
- this.code = args.code;
216
- this.status = args.status;
217
- this.invariant = args.invariant;
218
- this.suggestion = args.suggestion;
219
- this.details = args.details;
220
- this.requestId = args.requestId;
221
- this.correlationId = args.correlationId;
222
- this.policyTraceId = args.policyTraceId;
223
- }
224
- };
225
- function toQueryString(scope) {
226
- const params = new URLSearchParams();
227
- if (scope.tenantId) {
228
- params.set("tenantId", scope.tenantId);
229
- }
230
- if (scope.workspaceId) {
231
- params.set("workspaceId", scope.workspaceId);
232
- }
233
- for (const [key, value] of Object.entries(scope)) {
234
- if (key === "tenantId" || key === "workspaceId") {
235
- continue;
236
- }
237
- if (value === void 0) {
238
- continue;
1
+ import { createGatewayRequestClient, LucernApiError, randomIdempotencyKey, toQueryString, } from "./coreClient.js";
2
+ import { createListResult, mapGatewayData } from "./sdkSurface.js";
3
+ export { LucernApiError };
4
+ function asTopicArray(data) {
5
+ if (Array.isArray(data)) {
6
+ return data.filter((row) => Boolean(row) && typeof row === "object");
239
7
  }
240
- params.set(key, String(value));
241
- }
242
- const serialized = params.toString();
243
- return serialized.length > 0 ? `?${serialized}` : "";
244
- }
245
- function fillRandomBytes(length) {
246
- const bytes = new Uint8Array(length);
247
- if (typeof globalThis.crypto?.getRandomValues === "function") {
248
- globalThis.crypto.getRandomValues(bytes);
249
- return bytes;
250
- }
251
- for (let index = 0; index < length; index += 1) {
252
- bytes[index] = Math.floor(Math.random() * 256);
253
- }
254
- return bytes;
255
- }
256
- function generatePortableRequestId() {
257
- if (typeof globalThis.crypto?.randomUUID === "function") {
258
- return globalThis.crypto.randomUUID();
259
- }
260
- const bytes = fillRandomBytes(16);
261
- bytes[6] = bytes[6] & 15 | 64;
262
- bytes[8] = bytes[8] & 63 | 128;
263
- const hex = Array.from(bytes, (value) => value.toString(16).padStart(2, "0"));
264
- return `${hex.slice(0, 4).join("")}-${hex.slice(4, 6).join("")}-${hex.slice(
265
- 6,
266
- 8
267
- ).join("")}-${hex.slice(8, 10).join("")}-${hex.slice(10).join("")}`;
8
+ return [];
268
9
  }
269
- function resolveEnvironment() {
270
- const processEnv = typeof globalThis === "object" && globalThis !== null && "process" in globalThis ? globalThis.process : void 0;
271
- const env = processEnv !== void 0 && typeof processEnv === "object" && processEnv !== null && typeof processEnv.env === "object" ? processEnv.env : void 0;
272
- return {
273
- get: (name) => {
274
- const value = env?.[name];
275
- return typeof value === "string" && value.length > 0 ? value : void 0;
10
+ function asWritePolicyRecord(data) {
11
+ if (!data || typeof data !== "object") {
12
+ return null;
276
13
  }
277
- };
14
+ return data;
278
15
  }
279
- function telemetryEnvironmentRecord(environment) {
280
- const names = [
281
- "LUCERN_TELEMETRY_ENABLED",
282
- "AXIOM_TELEMETRY_ENABLED",
283
- "LUCERN_AXIOM_TOKEN",
284
- "AXIOM_TOKEN",
285
- "LUCERN_AXIOM_EVENTS_DATASET",
286
- "LUCERN_AXIOM_DATASET",
287
- "AXIOM_EVENTS_DATASET",
288
- "AXIOM_DATASET",
289
- "LUCERN_AXIOM_API_URL",
290
- "AXIOM_URL",
291
- "LUCERN_ENVIRONMENT",
292
- "NODE_ENV",
293
- "LUCERN_RELEASE",
294
- "SENTRY_RELEASE",
295
- "VERCEL_GIT_COMMIT_SHA"
296
- ];
297
- return Object.fromEntries(
298
- names.map((name) => [name, environment.get(name)])
299
- );
300
- }
301
- function resolveRequestProfile(config, environment) {
302
- const requestIdFactory = config.requestIdFactory ?? (() => generatePortableRequestId());
303
- const parsedMaxRetries = parseIntegerFromString(
304
- config.maxRetries,
305
- environment.get(DEFAULT_ENV_MAX_RETRIES)
306
- );
307
- const parsedTimeoutMs = parseIntegerFromString(
308
- config.timeoutMs,
309
- environment.get(DEFAULT_ENV_TIMEOUT_MS)
310
- );
311
- const methodTimeouts = {
312
- ...config.timeoutMsByMethod
313
- };
314
- for (const method of ["GET", "POST", "PUT", "PATCH", "DELETE"]) {
315
- const envKey = `${ENV_TIMEOUT_BY_METHOD_PREFIX}${method}`;
316
- const raw = environment.get(envKey);
317
- if (!raw || methodTimeouts[method] !== void 0) {
318
- continue;
319
- }
320
- const parsed = parseIntegerFromString(void 0, raw);
321
- if (typeof parsed === "number") {
322
- methodTimeouts[method] = parsed;
16
+ function asWritePolicyArray(data) {
17
+ if (!Array.isArray(data)) {
18
+ return [];
323
19
  }
324
- }
325
- return {
326
- maxRetries: parsedMaxRetries ?? DEFAULT_GATEWAY_MAX_RETRIES,
327
- timeoutMs: parsedTimeoutMs ?? DEFAULT_GATEWAY_TIMEOUT_MS,
328
- timeoutMsByMethod: methodTimeouts,
329
- requestIdFactory
330
- };
331
- }
332
- function createGatewayRuntime(config, environment) {
333
- return {
334
- fetch: config.fetchImpl ?? fetch,
335
- now: () => Date.now(),
336
- sleep: (ms) => delay(ms),
337
- env: environment,
338
- redaction: resolveRequestRedactionValue,
339
- profile: resolveRequestProfile(config, environment)
340
- };
341
- }
342
- function parseIntegerFromString(value, rawValue) {
343
- if (typeof value === "number" && Number.isInteger(value) && value >= 0) {
344
- return value;
345
- }
346
- if (typeof rawValue !== "string" || !rawValue.trim()) {
347
- return void 0;
348
- }
349
- const parsed = Number.parseInt(rawValue, 10);
350
- return Number.isInteger(parsed) && parsed >= 0 ? parsed : void 0;
351
- }
352
- function resolveRequestRedactionValue(value) {
353
- return redactDiagnosticValue(value);
354
- }
355
- function resolveGatewayBaseUrl(configBaseUrl, environment) {
356
- const envBaseUrl = environment.get("LUCERN_API_URL") ?? environment.get("LUCERN_BASE_URL") ?? environment.get("LUCERN_GATEWAY_BASE_URL");
357
- return (configBaseUrl ?? envBaseUrl ?? "").replace(/\/+$/, "");
358
- }
359
- function normalizeGatewayEnvironment(value) {
360
- return value === "sandbox" || value === "production" ? value : void 0;
361
- }
362
- var randomIdempotencyKey = generatePortableRequestId;
363
- function fallbackErrorCode(status) {
364
- if (status === 401) {
365
- return "AUTHENTICATION_REQUIRED";
366
- }
367
- if (status === 403) {
368
- return "FORBIDDEN";
369
- }
370
- if (status === 404) {
371
- return "NOT_FOUND";
372
- }
373
- if (status === 408) {
374
- return "UPSTREAM_ERROR";
375
- }
376
- if (status === 409) {
377
- return "CONFLICT";
378
- }
379
- if (status === 429) {
380
- return "RATE_LIMIT_EXCEEDED";
381
- }
382
- if (status >= 500) {
383
- return "UPSTREAM_ERROR";
384
- }
385
- return "INTERNAL_ERROR";
20
+ return data
21
+ .map(asWritePolicyRecord)
22
+ .filter((row) => Boolean(row));
386
23
  }
387
- function delay(ms) {
388
- return new Promise((resolve) => setTimeout(resolve, ms));
389
- }
390
- function computeRetryDelayMs(args) {
391
- const baseDelay = args.status === 429 ? Math.max(
392
- args.retryAfterMs ?? 0,
393
- Math.min(1e3 * 2 ** args.attempt, 1e4)
394
- ) : Math.min(1e3 * 2 ** args.attempt, 4e3);
395
- if (args.status !== 429) {
396
- return baseDelay;
397
- }
398
- const jitterWindow = Math.max(250, Math.round(baseDelay * 0.25));
399
- return baseDelay + Math.round(Math.random() * jitterWindow);
400
- }
401
- function classifyGatewayErrorForRetry(error) {
402
- return isGatewayRetryableError(error) || classifyRetry({ error }).retryable;
403
- }
404
- function isRecord(value) {
405
- return value !== null && typeof value === "object" && !Array.isArray(value);
406
- }
407
- function readPolicySummaryFromDetails(details) {
408
- if (!isRecord(details)) {
409
- return null;
410
- }
411
- const directSummary = details.summary;
412
- if (typeof directSummary === "string" && directSummary.trim().length > 0) {
413
- return directSummary.trim();
414
- }
415
- const policy = details.policy;
416
- if (!isRecord(policy)) {
417
- return null;
418
- }
419
- const explanation = policy.explanation;
420
- if (!isRecord(explanation)) {
421
- return null;
422
- }
423
- const nestedSummary = explanation.summary;
424
- if (typeof nestedSummary === "string" && nestedSummary.trim().length > 0) {
425
- return nestedSummary.trim();
426
- }
427
- return null;
428
- }
429
- function redactJsonDiagnosticValue(value) {
430
- return value === void 0 ? void 0 : redactDiagnosticValue(value);
431
- }
432
- async function resolveConfiguredAuthContext(authContext) {
433
- if (typeof authContext === "function") {
434
- return await authContext();
435
- }
436
- return authContext;
437
- }
438
- function mergeHeaderRecord(base, addition) {
439
- const headers = new Headers(base);
440
- for (const [key, value] of Object.entries(addition)) {
441
- const existing = headers.get(key);
442
- if (existing !== null && existing !== value) {
443
- throw new LucernSdkAuthContextError(
444
- "policy_denied",
445
- `Canonical Lucern SDK auth context conflicts with existing ${key} header.`
446
- );
24
+ function asRolePolicyRecord(data) {
25
+ if (!data || typeof data !== "object") {
26
+ return null;
447
27
  }
448
- headers.set(key, value);
449
- }
450
- return Object.fromEntries(headers.entries());
28
+ return data;
451
29
  }
452
- function cleanHeaderValue(value) {
453
- const normalized = value?.trim();
454
- return normalized ? normalized : void 0;
455
- }
456
- function createGatewayRequestClient(config = {}) {
457
- const env = resolveEnvironment();
458
- const runtime = createGatewayRuntime(config, env);
459
- const baseUrl = resolveGatewayBaseUrl(config.baseUrl, env);
460
- const maxRetries = runtime.profile.maxRetries;
461
- const requestIdFactory = runtime.profile.requestIdFactory;
462
- const requestTimeoutByMethod = runtime.profile.timeoutMsByMethod;
463
- const defaultRequestTimeoutMs = runtime.profile.timeoutMs;
464
- const normalizedEnvironment = normalizeGatewayEnvironment(config.environment);
465
- const telemetryExporter = config.telemetryEnabled === false ? null : config.telemetryExporter ?? createTelemetryExporterFromEnv(telemetryEnvironmentRecord(env), {
466
- service: "lucern-sdk",
467
- environment: normalizedEnvironment
468
- });
469
- async function resolveAuthHeaders() {
470
- const provided = config.getAuthHeaders ? await config.getAuthHeaders() : {};
471
- const headers = new Headers(provided);
472
- const setIfAbsent = (name, value) => {
473
- const normalized = cleanHeaderValue(value);
474
- if (normalized && !headers.has(name)) {
475
- headers.set(name, normalized);
476
- }
477
- };
478
- setIfAbsent("x-lucern-key", config.apiKey);
479
- setIfAbsent("x-lucern-session-token", config.userToken);
480
- setIfAbsent("x-lucern-environment", normalizedEnvironment);
481
- setIfAbsent("x-lucern-clerk-id", config.clerkId);
482
- setIfAbsent("x-lucern-user-id", config.userId ?? config.clerkId);
483
- setIfAbsent("x-lucern-deployment-host", config.deploymentHost);
484
- const base = Object.fromEntries(headers.entries());
485
- const authContextInput = await resolveConfiguredAuthContext(
486
- config.authContext
487
- );
488
- if (!authContextInput && !config.requireCanonicalAuthContext) {
489
- return base;
490
- }
491
- const authContext = normalizeCanonicalLucernAuthContext(authContextInput);
492
- return mergeHeaderRecord(base, createCanonicalAuthHeaders(authContext));
493
- }
494
- async function fetchWithTimeout(url, init, timeoutMs) {
495
- const normalizeTransportError = (error, isTimeout) => {
496
- if (isTimeout) {
497
- return new GatewayTimeoutError(timeoutMs);
498
- }
499
- return error instanceof GatewayTimeoutError || error instanceof GatewayTransportError ? error : new GatewayTransportError(
500
- error instanceof Error ? error.message : "Gateway transport error",
501
- {
502
- cause: error,
503
- retryable: classifyGatewayErrorForRetry(error)
504
- }
505
- );
506
- };
507
- const controller = new AbortController();
508
- const timer = setTimeout(() => controller.abort(), timeoutMs);
509
- const requestEffect = Effect.tryPromise({
510
- try: () => runtime.fetch(url, { ...init, signal: controller.signal }),
511
- catch: (error) => normalizeTransportError(error, controller.signal.aborted)
512
- });
513
- try {
514
- const exit = await Effect.runPromiseExit(requestEffect);
515
- if (Exit.isSuccess(exit)) {
516
- return exit.value;
517
- }
518
- const failure = Array.from(Cause.failures(exit.cause))[0];
519
- if (failure !== void 0) {
520
- throw failure;
521
- }
522
- throw Cause.squash(exit.cause);
523
- } finally {
524
- clearTimeout(timer);
525
- }
526
- }
527
- async function emitSdkResponseTelemetry(context) {
528
- const retry = classifyRetry({
529
- status: context.status,
530
- error: context.error,
531
- retryAfter: context.retryAfterMs !== null && context.retryAfterMs !== void 0 ? String(context.retryAfterMs / 1e3) : void 0
532
- });
533
- await emitTelemetrySignal(telemetryExporter, {
534
- signalType: "trace",
535
- surface: "sdk-retry",
536
- eventName: context.willRetry ? "sdk.retry" : context.error ? "sdk.request.error" : "sdk.request.complete",
537
- severity: context.error ? context.willRetry ? "warn" : "error" : "info",
538
- durationMs: context.durationMs,
539
- metricName: "sdk.request.duration_ms",
540
- metricValue: context.durationMs,
541
- correlationId: context.correlationId ?? context.requestId,
542
- policyTraceId: context.policyTraceId ?? null,
543
- tenantId: context.headers.get("x-lucern-tenant-id") ?? context.headers.get("x-lucern-tenant") ?? void 0,
544
- workspaceId: context.headers.get("x-lucern-workspace-id") ?? context.headers.get("x-lucern-workspace") ?? void 0,
545
- attributes: {
546
- service: "lucern-sdk",
547
- operation: "gateway.request",
548
- path: context.path,
549
- httpMethod: context.method,
550
- httpStatus: context.status,
551
- attempt: context.attempt,
552
- maxRetries: context.maxRetries,
553
- retryReason: retry.reason,
554
- retryAfterMs: context.retryAfterMs ?? retry.retryAfterMs,
555
- willRetry: context.willRetry,
556
- retryable: retry.retryable,
557
- errorName: context.error instanceof Error ? context.error.name : void 0,
558
- errorMessage: context.error instanceof Error ? context.error.message : void 0
559
- }
560
- });
561
- }
562
- async function parsePayload(response) {
563
- const text = await response.text();
564
- if (!text) {
565
- return null;
566
- }
567
- const parsed = tryParseGatewayEnvelopeJson(text);
568
- if (!parsed.ok) {
569
- return null;
570
- }
571
- return isRecord(parsed.value) ? parsed.value : null;
572
- }
573
- function resolveTimeoutMs(method, requestTimeoutMs) {
574
- if (typeof requestTimeoutMs === "number") {
575
- return requestTimeoutMs;
576
- }
577
- const methodTimeoutMs = requestTimeoutByMethod?.[method];
578
- if (typeof methodTimeoutMs === "number") {
579
- return methodTimeoutMs;
580
- }
581
- return defaultRequestTimeoutMs;
582
- }
583
- function tryParseGatewayEnvelopeJson(text) {
584
- const trimmed = text.trim();
585
- if (!trimmed.startsWith("{") && !trimmed.startsWith("[")) {
586
- return { ok: false, reason: "non-json" };
587
- }
588
- try {
589
- return { ok: true, value: JSON.parse(trimmed) };
590
- } catch (error) {
591
- if (error instanceof SyntaxError) {
592
- return { ok: false, reason: "invalid-json", error };
593
- }
594
- throw error;
595
- }
596
- }
597
- function buildApiError(args) {
598
- const failure = args.failure;
599
- const legacyError = failure && isRecord(failure.error) ? failure.error : failure?.legacyError;
600
- const correlationId = failure?.correlationId ?? args.response.headers.get("x-lucern-correlation-id")?.trim() ?? args.requestId;
601
- const policyTraceId = failure?.policyTraceId ?? args.response.headers.get("x-lucern-policy-trace-id")?.trim() ?? null;
602
- const details = runtime.redaction(
603
- redactJsonDiagnosticValue(failure?.details ?? legacyError?.details)
604
- );
605
- const policySummary = readPolicySummaryFromDetails(details);
606
- const failureMessage = typeof failure?.error === "string" ? failure.error : legacyError?.message;
607
- return new LucernApiError({
608
- code: failure?.code ?? legacyError?.code ?? fallbackErrorCode(args.response.status),
609
- message: policySummary ?? failureMessage ?? (args.response.ok ? "Platform API returned an invalid success payload." : "Platform API request failed."),
610
- status: args.response.status,
611
- invariant: failure?.invariant,
612
- suggestion: failure?.suggestion,
613
- details,
614
- requestId: args.requestId,
615
- correlationId,
616
- policyTraceId
617
- });
618
- }
619
- async function request(args) {
620
- const authHeaders = await resolveAuthHeaders();
621
- const method = args.method ?? "GET";
622
- const timeoutMs = resolveTimeoutMs(method, args.timeoutMs);
623
- const headers = new Headers({
624
- "content-type": "application/json",
625
- ...authHeaders
626
- });
627
- if (args.idempotencyKey) {
628
- headers.set("idempotency-key", args.idempotencyKey);
629
- }
630
- const requestId = headers.get("x-correlation-id")?.trim() || headers.get("x-request-id")?.trim() || args.requestId || requestIdFactory();
631
- if (!headers.has("x-correlation-id") && !headers.has("x-request-id")) {
632
- headers.set("x-correlation-id", requestId);
633
- }
634
- const url = `${baseUrl}${args.path}`;
635
- const serializedBody = args.body ? JSON.stringify(args.body) : void 0;
636
- const init = {
637
- method,
638
- headers,
639
- body: serializedBody
640
- };
641
- let lastError;
642
- for (let attempt = 0; attempt <= maxRetries; attempt++) {
643
- const hookRequestContext = {
644
- requestId,
645
- attempt,
646
- maxRetries,
647
- method,
648
- path: args.path,
649
- url,
650
- headers: new Headers(headers),
651
- body: serializedBody,
652
- timeoutMs
653
- };
654
- await config.onRequest?.(hookRequestContext);
655
- const startedAt = Date.now();
656
- try {
657
- const response = await fetchWithTimeout(url, init, timeoutMs);
658
- const responseClone = response.clone();
659
- const payload = await parsePayload(response);
660
- const retry = classifyRetry({
661
- status: response.status,
662
- retryAfter: response.headers.get("Retry-After")
663
- });
664
- const retryAfterMs = retry.retryAfterMs ?? null;
665
- if (!response.ok || !payload?.success) {
666
- const failure = payload && !payload.success ? payload : null;
667
- const apiError = buildApiError({
668
- requestId,
669
- response,
670
- failure
671
- });
672
- const willRetry = attempt < maxRetries && retry.retryable;
673
- const responseContext2 = {
674
- ...hookRequestContext,
675
- durationMs: Date.now() - startedAt,
676
- status: response.status,
677
- response: responseClone,
678
- error: apiError,
679
- correlationId: apiError.correlationId ?? requestId,
680
- policyTraceId: apiError.policyTraceId ?? null,
681
- retryAfterMs,
682
- willRetry
683
- };
684
- await config.onResponse?.(responseContext2);
685
- await emitSdkResponseTelemetry(responseContext2);
686
- if (willRetry) {
687
- lastError = apiError;
688
- await delay(
689
- computeRetryDelayMs({
690
- attempt,
691
- status: response.status,
692
- retryAfterMs
693
- })
694
- );
695
- continue;
696
- }
697
- throw apiError;
698
- }
699
- const successPayload = payload;
700
- const responseContext = {
701
- ...hookRequestContext,
702
- durationMs: Date.now() - startedAt,
703
- status: response.status,
704
- response: responseClone,
705
- correlationId: successPayload.correlationId ?? response.headers.get("x-lucern-correlation-id")?.trim() ?? requestId,
706
- policyTraceId: successPayload.policyTraceId ?? response.headers.get("x-lucern-policy-trace-id")?.trim() ?? null,
707
- idempotentReplay: successPayload.idempotentReplay,
708
- retryAfterMs,
709
- willRetry: false
710
- };
711
- await config.onResponse?.(responseContext);
712
- await emitSdkResponseTelemetry(responseContext);
713
- return successPayload;
714
- } catch (fetchError) {
715
- if (fetchError instanceof LucernApiError) {
716
- throw fetchError;
717
- }
718
- const willRetry = attempt < maxRetries && classifyGatewayErrorForRetry(fetchError);
719
- const responseContext = {
720
- ...hookRequestContext,
721
- durationMs: Date.now() - startedAt,
722
- error: fetchError,
723
- correlationId: requestId,
724
- policyTraceId: null,
725
- willRetry
726
- };
727
- await config.onResponse?.(responseContext);
728
- await emitSdkResponseTelemetry(responseContext);
729
- lastError = fetchError;
730
- if (willRetry) {
731
- await delay(computeRetryDelayMs({ attempt }));
732
- }
733
- }
30
+ function asRolePolicyArray(data) {
31
+ if (!Array.isArray(data)) {
32
+ return [];
734
33
  }
735
- throw lastError instanceof Error ? lastError : new Error("Platform API request failed after retries.");
736
- }
737
- return {
738
- request
739
- };
34
+ return data
35
+ .map(asRolePolicyRecord)
36
+ .filter((row) => Boolean(row));
740
37
  }
741
-
742
- // src/sdkSurface.ts
743
- function createListResult(items, legacyKey) {
744
- const result = {
745
- items,
746
- total: items.length
747
- };
748
- {
38
+ function buildFilterByPermissionResponse(permission, allowedTopicIds, deniedTopics, count) {
39
+ const result = {};
40
+ result.permission = permission;
41
+ result.allowedTopicIds = allowedTopicIds;
42
+ result.deniedTopics = deniedTopics;
43
+ result.count = count;
44
+ return result;
45
+ }
46
+ /**
47
+ * Create the policy client for permission checks, grants, and write policies.
48
+ * @param config - Gateway transport configuration.
49
+ * @returns An object with methods to check permissions, manage grants, and manage write policies.
50
+ */
51
+ export function createPolicyClient(config = {}) {
52
+ const gateway = createGatewayRequestClient(config);
749
53
  return {
750
- ...result,
751
- [legacyKey]: items
54
+ /**
55
+ * List policy decisions in the current scope.
56
+ */
57
+ async listDecisions(query = {}) {
58
+ return gateway.request({
59
+ path: `/api/platform/v1/policy/decisions${toQueryString(query)}`,
60
+ }).then((response) => mapGatewayData(response, (data) => createListResult(Array.isArray(data) ? data : [], "decisions")));
61
+ },
62
+ /**
63
+ * Create a permission grant.
64
+ */
65
+ async grant(input, idempotencyKey) {
66
+ return gateway.request({
67
+ path: "/api/platform/v1/policy/grant",
68
+ method: "POST",
69
+ body: input,
70
+ idempotencyKey: idempotencyKey ?? randomIdempotencyKey(),
71
+ });
72
+ },
73
+ /**
74
+ * Delete a permission grant by revoking it.
75
+ */
76
+ async revoke(input, idempotencyKey) {
77
+ return gateway.request({
78
+ path: "/api/platform/v1/policy/revoke",
79
+ method: "POST",
80
+ body: input,
81
+ idempotencyKey: idempotencyKey ?? randomIdempotencyKey(),
82
+ });
83
+ },
84
+ /**
85
+ * List write policy rules for the current scope.
86
+ */
87
+ async listWritePolicies(query = {}) {
88
+ const response = await gateway.request({
89
+ path: `/api/platform/v1/policy/write-policies${toQueryString(query)}`,
90
+ });
91
+ const rawPolicies = response.data && typeof response.data === "object"
92
+ ? response.data.policies
93
+ : response.data;
94
+ return {
95
+ ...response,
96
+ data: {
97
+ policies: asWritePolicyArray(rawPolicies),
98
+ },
99
+ };
100
+ },
101
+ /**
102
+ * Create a write policy rule.
103
+ */
104
+ async createWritePolicy(input, idempotencyKey) {
105
+ const response = await gateway.request({
106
+ path: "/api/platform/v1/policy/write-policies",
107
+ method: "POST",
108
+ body: input,
109
+ idempotencyKey: idempotencyKey ?? randomIdempotencyKey(),
110
+ });
111
+ return {
112
+ ...response,
113
+ data: {
114
+ id: typeof response.data?.id === "string" ? response.data.id : undefined,
115
+ created: response.data?.created === true,
116
+ policy: asWritePolicyRecord(response.data?.policy),
117
+ },
118
+ };
119
+ },
120
+ /**
121
+ * Update an existing write policy rule by identifier.
122
+ */
123
+ async updateWritePolicy(id, input, idempotencyKey) {
124
+ const response = await gateway.request({
125
+ path: `/api/platform/v1/policy/write-policies/${encodeURIComponent(id)}`,
126
+ method: "PATCH",
127
+ body: input,
128
+ idempotencyKey: idempotencyKey ?? randomIdempotencyKey(),
129
+ });
130
+ return {
131
+ ...response,
132
+ data: {
133
+ id: typeof response.data?.id === "string" ? response.data.id : undefined,
134
+ updated: response.data?.updated === true,
135
+ policy: asWritePolicyRecord(response.data?.policy),
136
+ },
137
+ };
138
+ },
139
+ /**
140
+ * Delete a write policy rule by identifier.
141
+ */
142
+ async deleteWritePolicy(id, scope = {}, idempotencyKey) {
143
+ return gateway.request({
144
+ path: `/api/platform/v1/policy/write-policies/${encodeURIComponent(id)}${toQueryString(scope)}`,
145
+ method: "DELETE",
146
+ idempotencyKey: idempotencyKey ?? randomIdempotencyKey(),
147
+ });
148
+ },
149
+ /**
150
+ * List tenant role policies for the current scope.
151
+ */
152
+ async listRolePolicies(query = {}) {
153
+ const response = await gateway.request({
154
+ path: `/api/platform/v1/policy/roles${toQueryString(query)}`,
155
+ });
156
+ return {
157
+ ...response,
158
+ data: {
159
+ policies: asRolePolicyArray(response.data?.policies),
160
+ },
161
+ };
162
+ },
163
+ /**
164
+ * Create a tenant role policy.
165
+ */
166
+ async createRolePolicy(input, idempotencyKey) {
167
+ const response = await gateway.request({
168
+ path: "/api/platform/v1/policy/roles",
169
+ method: "POST",
170
+ body: input,
171
+ idempotencyKey: idempotencyKey ?? randomIdempotencyKey(),
172
+ });
173
+ return {
174
+ ...response,
175
+ data: {
176
+ policy: asRolePolicyRecord(response.data?.policy),
177
+ },
178
+ };
179
+ },
180
+ /**
181
+ * Update a tenant role policy by identifier.
182
+ */
183
+ async updateRolePolicy(id, input, idempotencyKey) {
184
+ const response = await gateway.request({
185
+ path: `/api/platform/v1/policy/roles/${encodeURIComponent(id)}`,
186
+ method: "PATCH",
187
+ body: input,
188
+ idempotencyKey: idempotencyKey ?? randomIdempotencyKey(),
189
+ });
190
+ return {
191
+ ...response,
192
+ data: {
193
+ policy: asRolePolicyRecord(response.data?.policy),
194
+ },
195
+ };
196
+ },
197
+ /**
198
+ * Delete a tenant role policy by identifier.
199
+ */
200
+ async deleteRolePolicy(id, scope = {}, idempotencyKey) {
201
+ return gateway.request({
202
+ path: `/api/platform/v1/policy/roles/${encodeURIComponent(id)}${toQueryString(scope)}`,
203
+ method: "DELETE",
204
+ idempotencyKey: idempotencyKey ?? randomIdempotencyKey(),
205
+ });
206
+ },
207
+ /**
208
+ * Check a permission decision for a topic or project scope.
209
+ */
210
+ async checkPermission(query) {
211
+ if (!query.topicId) {
212
+ throw new Error("topicId is required");
213
+ }
214
+ return gateway.request({
215
+ path: `/api/platform/v1/policy/check${toQueryString(query)}`,
216
+ });
217
+ },
218
+ /**
219
+ * List accessible topics for a principal.
220
+ */
221
+ async listAccessibleTopics(query = {}) {
222
+ const permission = query.permission ?? "read";
223
+ const principal = query.principal ?? query.principalId;
224
+ const response = await gateway.request({
225
+ path: `/api/platform/v1/policy/topics${toQueryString({
226
+ tenantId: query.tenantId,
227
+ workspaceId: query.workspaceId,
228
+ permission,
229
+ includeShared: query.includeShared,
230
+ principal,
231
+ limit: query.limit,
232
+ })}`,
233
+ });
234
+ return {
235
+ ...response,
236
+ data: {
237
+ permission,
238
+ topics: asTopicArray(response.data?.topics),
239
+ total: typeof response.data?.total === "number"
240
+ ? response.data.total
241
+ : asTopicArray(response.data?.topics).length,
242
+ deniedTopics: Array.isArray(response.data?.deniedTopics)
243
+ ? response.data.deniedTopics
244
+ : [],
245
+ },
246
+ };
247
+ },
248
+ /**
249
+ * Filter topic identifiers by permission.
250
+ */
251
+ async filterByPermission(input) {
252
+ const permission = input.permission ?? "read";
253
+ const principal = input.principal ?? input.principalId;
254
+ const uniqueTopicIds = [...new Set(input.topicIds ?? [])].filter((topicId) => typeof topicId === "string" && topicId.trim().length > 0);
255
+ const response = await gateway.request({
256
+ path: "/api/platform/v1/policy/filter",
257
+ method: "POST",
258
+ body: {
259
+ tenantId: input.tenantId,
260
+ workspaceId: input.workspaceId,
261
+ topicIds: uniqueTopicIds,
262
+ permission,
263
+ principal,
264
+ },
265
+ });
266
+ const allowedTopicIds = Array.isArray(response.data?.allowedTopicIds)
267
+ ? response.data.allowedTopicIds
268
+ : [];
269
+ const deniedTopics = Array.isArray(response.data?.deniedTopics)
270
+ ? response.data.deniedTopics
271
+ : [];
272
+ const result = {};
273
+ result.success = true;
274
+ result.data = buildFilterByPermissionResponse(permission, allowedTopicIds, deniedTopics, typeof response.data?.count === "number"
275
+ ? response.data.count
276
+ : allowedTopicIds.length);
277
+ return result;
278
+ },
752
279
  };
753
- }
754
- }
755
- function mapGatewayData(response, mapper) {
756
- return {
757
- ...response,
758
- data: mapper(response.data)
759
- };
760
- }
761
-
762
- // src/policyClient.ts
763
- function asTopicArray(data) {
764
- if (Array.isArray(data)) {
765
- return data.filter(
766
- (row) => Boolean(row) && typeof row === "object"
767
- );
768
- }
769
- return [];
770
- }
771
- function asWritePolicyRecord(data) {
772
- if (!data || typeof data !== "object") {
773
- return null;
774
- }
775
- return data;
776
- }
777
- function asWritePolicyArray(data) {
778
- if (!Array.isArray(data)) {
779
- return [];
780
- }
781
- return data.map(asWritePolicyRecord).filter((row) => Boolean(row));
782
- }
783
- function asRolePolicyRecord(data) {
784
- if (!data || typeof data !== "object") {
785
- return null;
786
- }
787
- return data;
788
- }
789
- function asRolePolicyArray(data) {
790
- if (!Array.isArray(data)) {
791
- return [];
792
- }
793
- return data.map(asRolePolicyRecord).filter((row) => Boolean(row));
794
- }
795
- function buildFilterByPermissionResponse(permission, allowedTopicIds, deniedTopics, count) {
796
- const result = {};
797
- result.permission = permission;
798
- result.allowedTopicIds = allowedTopicIds;
799
- result.deniedTopics = deniedTopics;
800
- result.count = count;
801
- return result;
802
- }
803
- function createPolicyClient(config = {}) {
804
- const gateway = createGatewayRequestClient(config);
805
- return {
806
- /**
807
- * List policy decisions in the current scope.
808
- */
809
- async listDecisions(query = {}) {
810
- return gateway.request({
811
- path: `/api/platform/v1/policy/decisions${toQueryString(query)}`
812
- }).then(
813
- (response) => mapGatewayData(
814
- response,
815
- (data) => createListResult(Array.isArray(data) ? data : [], "decisions")
816
- )
817
- );
818
- },
819
- /**
820
- * Create a permission grant.
821
- */
822
- async grant(input, idempotencyKey) {
823
- return gateway.request({
824
- path: "/api/platform/v1/policy/grant",
825
- method: "POST",
826
- body: input,
827
- idempotencyKey: idempotencyKey ?? randomIdempotencyKey()
828
- });
829
- },
830
- /**
831
- * Delete a permission grant by revoking it.
832
- */
833
- async revoke(input, idempotencyKey) {
834
- return gateway.request({
835
- path: "/api/platform/v1/policy/revoke",
836
- method: "POST",
837
- body: input,
838
- idempotencyKey: idempotencyKey ?? randomIdempotencyKey()
839
- });
840
- },
841
- /**
842
- * List write policy rules for the current scope.
843
- */
844
- async listWritePolicies(query = {}) {
845
- const response = await gateway.request({
846
- path: `/api/platform/v1/policy/write-policies${toQueryString(query)}`
847
- });
848
- const rawPolicies = response.data && typeof response.data === "object" ? response.data.policies : response.data;
849
- return {
850
- ...response,
851
- data: {
852
- policies: asWritePolicyArray(rawPolicies)
853
- }
854
- };
855
- },
856
- /**
857
- * Create a write policy rule.
858
- */
859
- async createWritePolicy(input, idempotencyKey) {
860
- const response = await gateway.request({
861
- path: "/api/platform/v1/policy/write-policies",
862
- method: "POST",
863
- body: input,
864
- idempotencyKey: idempotencyKey ?? randomIdempotencyKey()
865
- });
866
- return {
867
- ...response,
868
- data: {
869
- id: typeof response.data?.id === "string" ? response.data.id : void 0,
870
- created: response.data?.created === true,
871
- policy: asWritePolicyRecord(response.data?.policy)
872
- }
873
- };
874
- },
875
- /**
876
- * Update an existing write policy rule by identifier.
877
- */
878
- async updateWritePolicy(id, input, idempotencyKey) {
879
- const response = await gateway.request({
880
- path: `/api/platform/v1/policy/write-policies/${encodeURIComponent(id)}`,
881
- method: "PATCH",
882
- body: input,
883
- idempotencyKey: idempotencyKey ?? randomIdempotencyKey()
884
- });
885
- return {
886
- ...response,
887
- data: {
888
- id: typeof response.data?.id === "string" ? response.data.id : void 0,
889
- updated: response.data?.updated === true,
890
- policy: asWritePolicyRecord(response.data?.policy)
891
- }
892
- };
893
- },
894
- /**
895
- * Delete a write policy rule by identifier.
896
- */
897
- async deleteWritePolicy(id, scope = {}, idempotencyKey) {
898
- return gateway.request({
899
- path: `/api/platform/v1/policy/write-policies/${encodeURIComponent(
900
- id
901
- )}${toQueryString(scope)}`,
902
- method: "DELETE",
903
- idempotencyKey: idempotencyKey ?? randomIdempotencyKey()
904
- });
905
- },
906
- /**
907
- * List tenant role policies for the current scope.
908
- */
909
- async listRolePolicies(query = {}) {
910
- const response = await gateway.request({
911
- path: `/api/platform/v1/policy/roles${toQueryString(query)}`
912
- });
913
- return {
914
- ...response,
915
- data: {
916
- policies: asRolePolicyArray(response.data?.policies)
917
- }
918
- };
919
- },
920
- /**
921
- * Create a tenant role policy.
922
- */
923
- async createRolePolicy(input, idempotencyKey) {
924
- const response = await gateway.request({
925
- path: "/api/platform/v1/policy/roles",
926
- method: "POST",
927
- body: input,
928
- idempotencyKey: idempotencyKey ?? randomIdempotencyKey()
929
- });
930
- return {
931
- ...response,
932
- data: {
933
- policy: asRolePolicyRecord(response.data?.policy)
934
- }
935
- };
936
- },
937
- /**
938
- * Update a tenant role policy by identifier.
939
- */
940
- async updateRolePolicy(id, input, idempotencyKey) {
941
- const response = await gateway.request({
942
- path: `/api/platform/v1/policy/roles/${encodeURIComponent(id)}`,
943
- method: "PATCH",
944
- body: input,
945
- idempotencyKey: idempotencyKey ?? randomIdempotencyKey()
946
- });
947
- return {
948
- ...response,
949
- data: {
950
- policy: asRolePolicyRecord(response.data?.policy)
951
- }
952
- };
953
- },
954
- /**
955
- * Delete a tenant role policy by identifier.
956
- */
957
- async deleteRolePolicy(id, scope = {}, idempotencyKey) {
958
- return gateway.request({
959
- path: `/api/platform/v1/policy/roles/${encodeURIComponent(id)}${toQueryString(
960
- scope
961
- )}`,
962
- method: "DELETE",
963
- idempotencyKey: idempotencyKey ?? randomIdempotencyKey()
964
- });
965
- },
966
- /**
967
- * Check a permission decision for a topic or project scope.
968
- */
969
- async checkPermission(query) {
970
- if (!query.topicId) {
971
- throw new Error("topicId is required");
972
- }
973
- return gateway.request({
974
- path: `/api/platform/v1/policy/check${toQueryString(query)}`
975
- });
976
- },
977
- /**
978
- * List accessible topics for a principal.
979
- */
980
- async listAccessibleTopics(query = {}) {
981
- const permission = query.permission ?? "read";
982
- const principal = query.principal ?? query.principalId;
983
- const response = await gateway.request({
984
- path: `/api/platform/v1/policy/topics${toQueryString({
985
- tenantId: query.tenantId,
986
- workspaceId: query.workspaceId,
987
- permission,
988
- includeShared: query.includeShared,
989
- principal,
990
- limit: query.limit
991
- })}`
992
- });
993
- return {
994
- ...response,
995
- data: {
996
- permission,
997
- topics: asTopicArray(response.data?.topics),
998
- total: typeof response.data?.total === "number" ? response.data.total : asTopicArray(response.data?.topics).length,
999
- deniedTopics: Array.isArray(response.data?.deniedTopics) ? response.data.deniedTopics : []
1000
- }
1001
- };
1002
- },
1003
- /**
1004
- * Filter topic identifiers by permission.
1005
- */
1006
- async filterByPermission(input) {
1007
- const permission = input.permission ?? "read";
1008
- const principal = input.principal ?? input.principalId;
1009
- const uniqueTopicIds = [...new Set(input.topicIds ?? [])].filter(
1010
- (topicId) => typeof topicId === "string" && topicId.trim().length > 0
1011
- );
1012
- const response = await gateway.request({
1013
- path: "/api/platform/v1/policy/filter",
1014
- method: "POST",
1015
- body: {
1016
- tenantId: input.tenantId,
1017
- workspaceId: input.workspaceId,
1018
- topicIds: uniqueTopicIds,
1019
- permission,
1020
- principal
1021
- }
1022
- });
1023
- const allowedTopicIds = Array.isArray(response.data?.allowedTopicIds) ? response.data.allowedTopicIds : [];
1024
- const deniedTopics = Array.isArray(response.data?.deniedTopics) ? response.data.deniedTopics : [];
1025
- const result = {};
1026
- result.success = true;
1027
- result.data = buildFilterByPermissionResponse(
1028
- permission,
1029
- allowedTopicIds,
1030
- deniedTopics,
1031
- typeof response.data?.count === "number" ? response.data.count : allowedTopicIds.length
1032
- );
1033
- return result;
1034
- }
1035
- };
1036
280
  }
1037
-
1038
- export { LucernApiError, createPolicyClient };
1039
- //# sourceMappingURL=policyClient.js.map
1040
281
  //# sourceMappingURL=policyClient.js.map