@lucern/sdk 1.0.11 → 1.0.12
- package/CHANGELOG.md +3 -0
- package/dist/.generated +2 -0
- package/dist/accessControl.d.ts +19 -26
- package/dist/accessControl.js +195 -1423
- package/dist/adminClient.d.ts +52 -59
- package/dist/adminClient.js +364 -1142
- package/dist/answersClient.d.ts +5 -14
- package/dist/answersClient.js +19 -737
- package/dist/audience/index.d.ts +18 -18
- package/dist/audience/index.js +87 -90
- package/dist/audiencesClient.d.ts +19 -27
- package/dist/audiencesClient.js +107 -868
- package/dist/auditClient.d.ts +8 -15
- package/dist/auditClient.js +18 -791
- package/dist/authContext.d.ts +11 -16
- package/dist/authContext.js +122 -154
- package/dist/authDeviceClient.d.ts +8 -17
- package/dist/authDeviceClient.js +113 -102
- package/dist/beliefs/index.d.ts +15 -67
- package/dist/beliefs/index.js +17 -10181
- package/dist/beliefs/lifecycle.d.ts +10 -11
- package/dist/beliefs/lifecycle.js +78 -80
- package/dist/beliefsClient.d.ts +26 -32
- package/dist/beliefsClient.js +250 -990
- package/dist/boundaryClientSurface.d.ts +11 -16
- package/dist/boundaryClientSurface.js +49 -68
- package/dist/client.d.ts +64 -112
- package/dist/client.js +232 -10155
- package/dist/clientAssemblyTypes.d.ts +3 -3
- package/dist/clientAssemblyTypes.js +1 -2
- package/dist/clientConfig.d.ts +45 -59
- package/dist/clientConfig.js +1 -2
- package/dist/clientEvidenceCompat.d.ts +7 -14
- package/dist/clientEvidenceCompat.js +50 -64
- package/dist/clientGraphNamespaces.d.ts +3 -5
- package/dist/clientGraphNamespaces.js +170 -245
- package/dist/clientHelpers.d.ts +20 -25
- package/dist/clientHelpers.js +104 -127
- package/dist/clientKnowledgeNamespaces.d.ts +6 -53
- package/dist/clientKnowledgeNamespaces.js +502 -506
- package/dist/clientLocalHelpers.d.ts +11 -56
- package/dist/clientLocalHelpers.js +503 -732
- package/dist/clientPlatformNamespaces.d.ts +5 -53
- package/dist/clientPlatformNamespaces.js +229 -323
- package/dist/clientRuntime.d.ts +5 -53
- package/dist/clientRuntime.js +26 -30
- package/dist/clientWorkflowNamespaces.d.ts +6 -15
- package/dist/clientWorkflowNamespaces.js +529 -596
- package/dist/contextClient.d.ts +9 -17
- package/dist/contextClient.js +92 -805
- package/dist/contextFacade.d.ts +11 -2
- package/dist/contextFacade.js +10 -81
- package/dist/contextPackCompiler.d.ts +10 -11
- package/dist/contextPackCompiler.js +494 -1040
- package/dist/contextPackPolicy.d.ts +14 -15
- package/dist/contextPackPolicy.js +227 -305
- package/dist/contextPackSchema.d.ts +3 -3
- package/dist/contextPackSchema.js +169 -176
- package/dist/contextTypes.d.ts +14 -15
- package/dist/contextTypes.js +1 -2
- package/dist/contracts/api-enums.contract.d.ts +29 -30
- package/dist/contracts/api-enums.contract.js +162 -88
- package/dist/contracts/auth-session.contract.d.ts +13 -14
- package/dist/contracts/auth-session.contract.js +55 -52
- package/dist/contracts/context-pack.contract.d.ts +54 -55
- package/dist/contracts/context-pack.contract.js +160 -88
- package/dist/contracts/contextPack.d.ts +2 -1
- package/dist/contracts/contextPack.js +1 -97
- package/dist/contracts/index.d.ts +11 -12
- package/dist/contracts/index.js +10 -854
- package/dist/contracts/lens-filter.contract.d.ts +9 -10
- package/dist/contracts/lens-filter.contract.js +82 -58
- package/dist/contracts/lens-workflow.contract.d.ts +21 -23
- package/dist/contracts/lens-workflow.contract.js +48 -117
- package/dist/contracts/lensFilter.d.ts +2 -1
- package/dist/contracts/lensFilter.js +1 -71
- package/dist/contracts/lensWorkflow.d.ts +2 -2
- package/dist/contracts/lensWorkflow.js +1 -123
- package/dist/contracts/mcpTools.d.ts +16 -18
- package/dist/contracts/mcpTools.js +89 -123
- package/dist/contracts/prompt.contract.d.ts +4 -5
- package/dist/contracts/prompt.contract.js +23 -10
- package/dist/contracts/prompt.d.ts +2 -1
- package/dist/contracts/prompt.js +1 -11
- package/dist/contracts/sdk-tools.contract.d.ts +2 -1
- package/dist/contracts/sdk-tools.contract.js +1 -2
- package/dist/contracts/sdkTools.d.ts +2 -1
- package/dist/contracts/sdkTools.js +1 -26
- package/dist/contracts/tool-contracts.d.ts +2 -1
- package/dist/contracts/tool-contracts.js +1 -2
- package/dist/contracts/workflow-runtime.contract.d.ts +45 -46
- package/dist/contracts/workflow-runtime.contract.js +241 -228
- package/dist/contracts/workflowRuntime.d.ts +2 -1
- package/dist/contracts/workflowRuntime.js +1 -244
- package/dist/contradictions/index.d.ts +8 -60
- package/dist/contradictions/index.js +11 -10175
- package/dist/control-plane.d.ts +17 -24
- package/dist/control-plane.js +124 -840
- package/dist/controlObjectOwnership.d.ts +19 -20
- package/dist/controlObjectOwnership.js +207 -201
- package/dist/coreClient.d.ts +23 -28
- package/dist/coreClient.js +567 -692
- package/dist/customTools.d.ts +17 -21
- package/dist/customTools.js +221 -221
- package/dist/decisions/index.d.ts +7 -58
- package/dist/decisions/index.js +14 -10177
- package/dist/decisionsClient.d.ts +25 -32
- package/dist/decisionsClient.js +113 -913
- package/dist/domainContext.d.ts +2 -1
- package/dist/domainContext.js +1 -2
- package/dist/edges/index.d.ts +21 -73
- package/dist/edges/index.js +12 -10176
- package/dist/embeddingsClient.d.ts +22 -30
- package/dist/embeddingsClient.js +73 -922
- package/dist/eventingClient.d.ts +23 -31
- package/dist/eventingClient.js +89 -918
- package/dist/events.d.ts +48 -49
- package/dist/events.js +257 -241
- package/dist/eventsCore.d.ts +20 -29
- package/dist/eventsCore.js +86 -830
- package/dist/evidence/index.d.ts +9 -60
- package/dist/evidence/index.js +13 -10176
- package/dist/evidenceClient.d.ts +13 -22
- package/dist/evidenceClient.js +34 -751
- package/dist/facade/context.d.ts +7 -8
- package/dist/facade/context.js +73 -72
- package/dist/functionSurface.d.ts +2 -156
- package/dist/functionSurface.js +1 -1460
- package/dist/functionSurfaceClient.d.ts +2 -9
- package/dist/functionSurfaceClient.js +1 -1460
- package/dist/gatewayFacades.d.ts +79 -296
- package/dist/gatewayFacades.factories.d.ts +209 -14
- package/dist/gatewayFacades.factories.js +561 -2227
- package/dist/gatewayFacades.js +284 -2627
- package/dist/generated/functionSurface.d.ts +149 -0
- package/dist/generated/functionSurface.js +749 -0
- package/dist/graphAnalysisClient.d.ts +41 -49
- package/dist/graphAnalysisClient.js +185 -974
- package/dist/graphClient.d.ts +53 -60
- package/dist/graphClient.js +219 -1090
- package/dist/graphIntel.d.ts +2 -4
- package/dist/graphIntel.js +1 -2
- package/dist/graphIntelligence.d.ts +4 -2
- package/dist/graphIntelligence.js +2 -46
- package/dist/graphRecommendationsClient.d.ts +15 -23
- package/dist/graphRecommendationsClient.js +70 -849
- package/dist/graphStateClassifierClient.d.ts +17 -25
- package/dist/graphStateClassifierClient.js +67 -908
- package/dist/harnessClient.d.ts +40 -47
- package/dist/harnessClient.js +198 -993
- package/dist/identityClient.d.ts +25 -33
- package/dist/identityClient.js +245 -1186
- package/dist/index.d.ts +73 -69
- package/dist/index.js +72 -13313
- package/dist/infisicalRuntime.d.ts +12 -14
- package/dist/infisicalRuntime.js +290 -297
- package/dist/jobsClient.d.ts +24 -32
- package/dist/jobsClient.js +101 -916
- package/dist/learningClient.d.ts +8 -16
- package/dist/learningClient.js +45 -809
- package/dist/lenses/index.d.ts +13 -65
- package/dist/lenses/index.js +11 -10175
- package/dist/mcpClient.d.ts +14 -23
- package/dist/mcpClient.js +115 -856
- package/dist/modelRuntimeClient.d.ts +18 -26
- package/dist/modelRuntimeClient.js +74 -894
- package/dist/nodes/index.d.ts +7 -58
- package/dist/nodes/index.js +14 -10177
- package/dist/ontologies/index.d.ts +21 -73
- package/dist/ontologies/index.js +14 -10178
- package/dist/ontologyClient.d.ts +23 -31
- package/dist/ontologyClient.js +138 -924
- package/dist/ontologyLinksClient.d.ts +16 -24
- package/dist/ontologyLinksClient.js +76 -886
- package/dist/opinion.d.ts +5 -6
- package/dist/opinion.js +21 -25
- package/dist/orgGraphSearchClient.d.ts +19 -27
- package/dist/orgGraphSearchClient.js +89 -857
- package/dist/packRuntime.d.ts +2 -2
- package/dist/packRuntime.js +1 -2
- package/dist/packsClient.d.ts +30 -37
- package/dist/packsClient.js +131 -906
- package/dist/policyClient.d.ts +21 -29
- package/dist/policyClient.js +267 -1026
- package/dist/proof-attestation.json +1 -1
- package/dist/questions/index.d.ts +9 -60
- package/dist/questions/index.js +15 -10178
- package/dist/realtime/index.d.ts +20 -16
- package/dist/realtime/index.js +30 -19
- package/dist/realtime/refs.d.ts +4 -6
- package/dist/realtime/refs.js +12 -7
- package/dist/realtime-refs.d.ts +1 -0
- package/dist/realtime-refs.js +1 -0
- package/dist/realtime.d.ts +1 -0
- package/dist/realtime.js +1 -0
- package/dist/reportsClient.d.ts +10 -19
- package/dist/reportsClient.js +48 -836
- package/dist/schemaClient.d.ts +16 -23
- package/dist/schemaClient.js +62 -832
- package/dist/sdkSurface.d.ts +18 -25
- package/dist/sdkSurface.js +135 -106
- package/dist/secrets.d.ts +2 -1
- package/dist/secrets.js +1 -2
- package/dist/sourcesClient.d.ts +11 -18
- package/dist/sourcesClient.js +18 -741
- package/dist/telemetryClient.d.ts +22 -30
- package/dist/telemetryClient.js +107 -931
- package/dist/toolRegistryClient.d.ts +27 -35
- package/dist/toolRegistryClient.js +116 -954
- package/dist/topics/index.d.ts +13 -64
- package/dist/topics/index.js +15 -10178
- package/dist/topicsClient.d.ts +19 -27
- package/dist/topicsClient.js +106 -894
- package/dist/types.d.ts +84 -87
- package/dist/types.js +1 -2
- package/dist/version.d.ts +2 -3
- package/dist/version.js +2 -5
- package/dist/workflowClient.d.ts +60 -65
- package/dist/workflowClient.js +343 -1219
- package/dist/worktrees/index.d.ts +16 -68
- package/dist/worktrees/index.js +14 -10178
- package/package.json +6 -6
- package/dist/accessControl.js.map +0 -1
- package/dist/adminClient.js.map +0 -1
- package/dist/answersClient.js.map +0 -1
- package/dist/audience/index.js.map +0 -1
- package/dist/audiencesClient.js.map +0 -1
- package/dist/auditClient.js.map +0 -1
- package/dist/authContext.js.map +0 -1
- package/dist/authDeviceClient.js.map +0 -1
- package/dist/beliefs/index.js.map +0 -1
- package/dist/beliefs/lifecycle.js.map +0 -1
- package/dist/beliefsClient.js.map +0 -1
- package/dist/boundaryClientSurface.js.map +0 -1
- package/dist/client.js.map +0 -1
- package/dist/clientAssemblyTypes.js.map +0 -1
- package/dist/clientConfig.js.map +0 -1
- package/dist/clientEvidenceCompat.js.map +0 -1
- package/dist/clientGraphNamespaces.js.map +0 -1
- package/dist/clientHelpers.js.map +0 -1
- package/dist/clientKnowledgeNamespaces.js.map +0 -1
- package/dist/clientLocalHelpers.js.map +0 -1
- package/dist/clientPlatformNamespaces.js.map +0 -1
- package/dist/clientRuntime.js.map +0 -1
- package/dist/clientWorkflowNamespaces.js.map +0 -1
- package/dist/contextClient.js.map +0 -1
- package/dist/contextFacade.js.map +0 -1
- package/dist/contextPackCompiler.js.map +0 -1
- package/dist/contextPackPolicy.js.map +0 -1
- package/dist/contextPackSchema.js.map +0 -1
- package/dist/contextTypes.js.map +0 -1
- package/dist/contracts/api-enums.contract.js.map +0 -1
- package/dist/contracts/auth-session.contract.js.map +0 -1
- package/dist/contracts/context-pack.contract.js.map +0 -1
- package/dist/contracts/contextPack.js.map +0 -1
- package/dist/contracts/index.js.map +0 -1
- package/dist/contracts/lens-filter.contract.js.map +0 -1
- package/dist/contracts/lens-workflow.contract.js.map +0 -1
- package/dist/contracts/lensFilter.js.map +0 -1
- package/dist/contracts/lensWorkflow.js.map +0 -1
- package/dist/contracts/mcpTools.js.map +0 -1
- package/dist/contracts/prompt.contract.js.map +0 -1
- package/dist/contracts/prompt.js.map +0 -1
- package/dist/contracts/sdk-tools.contract.js.map +0 -1
- package/dist/contracts/sdkTools.js.map +0 -1
- package/dist/contracts/tool-contracts.js.map +0 -1
- package/dist/contracts/workflow-runtime.contract.js.map +0 -1
- package/dist/contracts/workflowRuntime.js.map +0 -1
- package/dist/contradictions/index.js.map +0 -1
- package/dist/control-plane.js.map +0 -1
- package/dist/controlObjectOwnership.js.map +0 -1
- package/dist/coreClient.js.map +0 -1
- package/dist/customTools.js.map +0 -1
- package/dist/decisions/index.js.map +0 -1
- package/dist/decisionsClient.js.map +0 -1
- package/dist/domainContext.js.map +0 -1
- package/dist/edges/index.js.map +0 -1
- package/dist/embeddingsClient.js.map +0 -1
- package/dist/eventingClient.js.map +0 -1
- package/dist/events.js.map +0 -1
- package/dist/eventsCore.js.map +0 -1
- package/dist/evidence/index.js.map +0 -1
- package/dist/evidenceClient.js.map +0 -1
- package/dist/facade/context.js.map +0 -1
- package/dist/functionSurface.js.map +0 -1
- package/dist/functionSurfaceClient.js.map +0 -1
- package/dist/gatewayFacades.factories.js.map +0 -1
- package/dist/gatewayFacades.js.map +0 -1
- package/dist/graphAnalysisClient.js.map +0 -1
- package/dist/graphClient.js.map +0 -1
- package/dist/graphIntel.js.map +0 -1
- package/dist/graphIntelligence.js.map +0 -1
- package/dist/graphRecommendationsClient.js.map +0 -1
- package/dist/graphStateClassifierClient.js.map +0 -1
- package/dist/harnessClient.js.map +0 -1
- package/dist/identityClient.js.map +0 -1
- package/dist/index.js.map +0 -1
- package/dist/infisicalRuntime.js.map +0 -1
- package/dist/jobsClient.js.map +0 -1
- package/dist/learningClient.js.map +0 -1
- package/dist/lenses/index.js.map +0 -1
- package/dist/mcpClient.js.map +0 -1
- package/dist/modelRuntimeClient.js.map +0 -1
- package/dist/nodes/index.js.map +0 -1
- package/dist/ontologies/index.js.map +0 -1
- package/dist/ontologyClient.js.map +0 -1
- package/dist/ontologyLinksClient.js.map +0 -1
- package/dist/opinion.js.map +0 -1
- package/dist/orgGraphSearchClient.js.map +0 -1
- package/dist/packRuntime.js.map +0 -1
- package/dist/packsClient.js.map +0 -1
- package/dist/policyClient.js.map +0 -1
- package/dist/questions/index.js.map +0 -1
- package/dist/realtime/index.js.map +0 -1
- package/dist/realtime/refs.js.map +0 -1
- package/dist/reportsClient.js.map +0 -1
- package/dist/schemaClient.js.map +0 -1
- package/dist/sdk-tools.contract-B4c1Zr1o.d.ts +0 -22
- package/dist/sdkSurface.js.map +0 -1
- package/dist/secrets.js.map +0 -1
- package/dist/sourcesClient.js.map +0 -1
- package/dist/telemetryClient.js.map +0 -1
- package/dist/tool-contracts-BUiL9P6z.d.ts +0 -22
- package/dist/toolRegistryClient.js.map +0 -1
- package/dist/topics/index.js.map +0 -1
- package/dist/topicsClient.js.map +0 -1
- package/dist/types.js.map +0 -1
- package/dist/version.js.map +0 -1
- package/dist/workflowClient.js.map +0 -1
- package/dist/worktrees/index.js.map +0 -1
package/dist/control-plane.js
CHANGED
|
@@ -1,853 +1,137 @@
|
|
|
1
|
-
import {
|
|
2
|
-
import {
|
|
3
|
-
|
|
4
|
-
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
function cleanString(value) {
|
|
18
|
-
const normalized = value?.trim();
|
|
19
|
-
return normalized ? normalized : void 0;
|
|
20
|
-
}
|
|
21
|
-
function cleanStringList(values) {
|
|
22
|
-
if (!values) {
|
|
23
|
-
return [];
|
|
24
|
-
}
|
|
25
|
-
return values.map((value) => value.trim()).filter(
|
|
26
|
-
(value, index, list) => value.length > 0 && list.indexOf(value) === index
|
|
27
|
-
);
|
|
28
|
-
}
|
|
29
|
-
function requireString(value, reason, label) {
|
|
30
|
-
const normalized = cleanString(value);
|
|
31
|
-
if (!normalized) {
|
|
32
|
-
throw new LucernSdkAuthContextError(
|
|
33
|
-
reason,
|
|
34
|
-
`Canonical Lucern SDK auth context is missing ${label}.`
|
|
35
|
-
);
|
|
36
|
-
}
|
|
37
|
-
return normalized;
|
|
38
|
-
}
|
|
39
|
-
function requirePrincipalType(principalType2) {
|
|
40
|
-
if (!principalType2) {
|
|
41
|
-
throw new LucernSdkAuthContextError(
|
|
42
|
-
"principal_missing",
|
|
43
|
-
"Canonical Lucern SDK auth context is missing principalType."
|
|
44
|
-
);
|
|
45
|
-
}
|
|
46
|
-
return principalType2;
|
|
47
|
-
}
|
|
48
|
-
function requireAuthMode(authMode) {
|
|
49
|
-
if (!authMode) {
|
|
50
|
-
throw new LucernSdkAuthContextError(
|
|
51
|
-
"principal_missing",
|
|
52
|
-
"Canonical Lucern SDK auth context is missing authMode."
|
|
53
|
-
);
|
|
54
|
-
}
|
|
55
|
-
return authMode;
|
|
56
|
-
}
|
|
57
|
-
function ensurePermitMatch(args) {
|
|
58
|
-
const actual = cleanString(args.actual);
|
|
59
|
-
if (actual && actual !== args.expected) {
|
|
60
|
-
throw new LucernSdkAuthContextError(
|
|
61
|
-
"policy_denied",
|
|
62
|
-
`Canonical Lucern SDK auth context has conflicting Permit ${args.field}.`
|
|
63
|
-
);
|
|
64
|
-
}
|
|
65
|
-
}
|
|
66
|
-
function normalizeCanonicalLucernAuthContext(input) {
|
|
67
|
-
if (!input) {
|
|
68
|
-
throw new LucernSdkAuthContextError(
|
|
69
|
-
"principal_missing",
|
|
70
|
-
"Canonical Lucern SDK auth context is required."
|
|
71
|
-
);
|
|
72
|
-
}
|
|
73
|
-
if (input.policyDecision === "deny") {
|
|
74
|
-
throw new LucernSdkAuthContextError(
|
|
75
|
-
"policy_denied",
|
|
76
|
-
"Canonical Lucern SDK auth context carries a denied policy decision."
|
|
77
|
-
);
|
|
78
|
-
}
|
|
79
|
-
const principalId = requireString(
|
|
80
|
-
input.principalId,
|
|
81
|
-
"principal_missing",
|
|
82
|
-
"principalId"
|
|
83
|
-
);
|
|
84
|
-
const tenantId = requireString(input.tenantId, "tenant_missing", "tenantId");
|
|
85
|
-
const workspaceId = requireString(
|
|
86
|
-
input.workspaceId,
|
|
87
|
-
"workspace_missing",
|
|
88
|
-
"workspaceId"
|
|
89
|
-
);
|
|
90
|
-
const roles = cleanStringList(input.roles);
|
|
91
|
-
const scopes = cleanStringList(input.scopes);
|
|
92
|
-
const principalType2 = requirePrincipalType(input.principalType);
|
|
93
|
-
const authMode = requireAuthMode(input.authMode);
|
|
94
|
-
const roleBasedInteractiveAuth = authMode === "interactive_user" && roles.length > 0;
|
|
95
|
-
if (roles.length === 0 || scopes.length === 0 && !roleBasedInteractiveAuth) {
|
|
96
|
-
throw new LucernSdkAuthContextError(
|
|
97
|
-
"membership_missing",
|
|
98
|
-
"Canonical Lucern SDK auth context requires non-empty roles and scopes."
|
|
99
|
-
);
|
|
100
|
-
}
|
|
101
|
-
const subject = cleanString(input.permit?.subject) ?? principalId;
|
|
102
|
-
const tenant = cleanString(input.permit?.tenant) ?? tenantId;
|
|
103
|
-
const workspace = cleanString(input.permit?.workspace) ?? workspaceId;
|
|
104
|
-
ensurePermitMatch({
|
|
105
|
-
field: "subject",
|
|
106
|
-
expected: principalId,
|
|
107
|
-
actual: subject
|
|
108
|
-
});
|
|
109
|
-
ensurePermitMatch({ field: "tenant", expected: tenantId, actual: tenant });
|
|
110
|
-
ensurePermitMatch({
|
|
111
|
-
field: "workspace",
|
|
112
|
-
expected: workspaceId,
|
|
113
|
-
actual: workspace
|
|
114
|
-
});
|
|
115
|
-
const context = input.permit?.context ? { ...input.permit.context } : void 0;
|
|
116
|
-
return {
|
|
117
|
-
clerkId: cleanString(input.clerkId),
|
|
118
|
-
principalId,
|
|
119
|
-
tenantId,
|
|
120
|
-
workspaceId,
|
|
121
|
-
principalType: principalType2,
|
|
122
|
-
authMode,
|
|
123
|
-
roles,
|
|
124
|
-
scopes,
|
|
125
|
-
delegationChain: input.delegationChain ? [...input.delegationChain] : [],
|
|
126
|
-
policyTraceId: cleanString(input.policyTraceId),
|
|
127
|
-
correlationId: cleanString(input.correlationId),
|
|
128
|
-
membershipId: cleanString(input.membershipId),
|
|
129
|
-
permit: {
|
|
130
|
-
subject,
|
|
131
|
-
tenant,
|
|
132
|
-
workspace,
|
|
133
|
-
resource: cleanString(input.permit?.resource),
|
|
134
|
-
action: cleanString(input.permit?.action),
|
|
135
|
-
relation: cleanString(input.permit?.relation),
|
|
136
|
-
context
|
|
1
|
+
import { createGatewayRequestClient, } from "./coreClient.js";
|
|
2
|
+
import { mapGatewayData } from "./sdkSurface.js";
|
|
3
|
+
export class LucernControlPlaneIdentityError extends Error {
|
|
4
|
+
reason;
|
|
5
|
+
principalStatus;
|
|
6
|
+
tenantStatus;
|
|
7
|
+
workspaceStatus;
|
|
8
|
+
details;
|
|
9
|
+
constructor(failure) {
|
|
10
|
+
super(failure.message);
|
|
11
|
+
this.name = "LucernControlPlaneIdentityError";
|
|
12
|
+
this.reason = failure.reason;
|
|
13
|
+
this.principalStatus = failure.principalStatus;
|
|
14
|
+
this.tenantStatus = failure.tenantStatus;
|
|
15
|
+
this.workspaceStatus = failure.workspaceStatus;
|
|
16
|
+
this.details = failure.details;
|
|
137
17
|
}
|
|
138
|
-
};
|
|
139
|
-
}
|
|
140
|
-
function createCanonicalAuthHeaders(authContext) {
|
|
141
|
-
const headers = {
|
|
142
|
-
"x-lucern-principal-id": authContext.principalId,
|
|
143
|
-
"x-lucern-principal-type": authContext.principalType,
|
|
144
|
-
"x-lucern-tenant": authContext.tenantId,
|
|
145
|
-
"x-lucern-tenant-id": authContext.tenantId,
|
|
146
|
-
"x-lucern-workspace": authContext.workspaceId,
|
|
147
|
-
"x-lucern-workspace-id": authContext.workspaceId,
|
|
148
|
-
"x-lucern-auth-mode": authContext.authMode,
|
|
149
|
-
"x-lucern-roles": authContext.roles.join(","),
|
|
150
|
-
"x-lucern-scopes": authContext.scopes.join(","),
|
|
151
|
-
"x-lucern-permit-context": JSON.stringify(authContext.permit)
|
|
152
|
-
};
|
|
153
|
-
if (authContext.clerkId) {
|
|
154
|
-
headers["x-lucern-clerk-id"] = authContext.clerkId;
|
|
155
|
-
headers["x-lucern-user-id"] = authContext.clerkId;
|
|
156
|
-
}
|
|
157
|
-
if (authContext.delegationChain.length > 0) {
|
|
158
|
-
headers["x-lucern-delegation-chain"] = JSON.stringify(
|
|
159
|
-
authContext.delegationChain
|
|
160
|
-
);
|
|
161
|
-
}
|
|
162
|
-
if (authContext.policyTraceId) {
|
|
163
|
-
headers["x-lucern-policy-trace-id"] = authContext.policyTraceId;
|
|
164
|
-
}
|
|
165
|
-
if (authContext.correlationId) {
|
|
166
|
-
headers["x-correlation-id"] = authContext.correlationId;
|
|
167
|
-
headers["x-lucern-correlation-id"] = authContext.correlationId;
|
|
168
|
-
}
|
|
169
|
-
if (authContext.membershipId) {
|
|
170
|
-
headers["x-lucern-membership-id"] = authContext.membershipId;
|
|
171
|
-
}
|
|
172
|
-
return headers;
|
|
173
18
|
}
|
|
174
|
-
|
|
175
|
-
|
|
176
|
-
|
|
177
|
-
|
|
178
|
-
var DEFAULT_ENV_TIMEOUT_MS = "LUCERN_REQUEST_TIMEOUT_MS";
|
|
179
|
-
var DEFAULT_ENV_MAX_RETRIES = "LUCERN_GATEWAY_MAX_RETRIES";
|
|
180
|
-
var ENV_TIMEOUT_BY_METHOD_PREFIX = "LUCERN_REQUEST_TIMEOUT_MS_";
|
|
181
|
-
var GatewayTimeoutError = class extends Error {
|
|
182
|
-
retryable = true;
|
|
183
|
-
timeoutMs;
|
|
184
|
-
constructor(timeoutMs) {
|
|
185
|
-
super(`Request timed out after ${timeoutMs}ms`);
|
|
186
|
-
this.name = "AbortError";
|
|
187
|
-
this.timeoutMs = timeoutMs;
|
|
188
|
-
}
|
|
189
|
-
};
|
|
190
|
-
var GatewayTransportError = class extends Error {
|
|
191
|
-
retryable;
|
|
192
|
-
cause;
|
|
193
|
-
constructor(message, options) {
|
|
194
|
-
super(message);
|
|
195
|
-
this.name = "GatewayTransportError";
|
|
196
|
-
this.retryable = options?.retryable ?? true;
|
|
197
|
-
this.cause = options?.cause;
|
|
198
|
-
}
|
|
199
|
-
};
|
|
200
|
-
function isGatewayRetryableError(error) {
|
|
201
|
-
return error instanceof GatewayTimeoutError && error.retryable || error instanceof GatewayTransportError && error.retryable || false;
|
|
202
|
-
}
|
|
203
|
-
var LucernApiError = class extends Error {
|
|
204
|
-
code;
|
|
205
|
-
status;
|
|
206
|
-
invariant;
|
|
207
|
-
suggestion;
|
|
208
|
-
details;
|
|
209
|
-
requestId;
|
|
210
|
-
correlationId;
|
|
211
|
-
policyTraceId;
|
|
212
|
-
constructor(args) {
|
|
213
|
-
super(args.message);
|
|
214
|
-
this.name = "LucernApiError";
|
|
215
|
-
this.code = args.code;
|
|
216
|
-
this.status = args.status;
|
|
217
|
-
this.invariant = args.invariant;
|
|
218
|
-
this.suggestion = args.suggestion;
|
|
219
|
-
this.details = args.details;
|
|
220
|
-
this.requestId = args.requestId;
|
|
221
|
-
this.correlationId = args.correlationId;
|
|
222
|
-
this.policyTraceId = args.policyTraceId;
|
|
223
|
-
}
|
|
224
|
-
};
|
|
225
|
-
function fillRandomBytes(length) {
|
|
226
|
-
const bytes = new Uint8Array(length);
|
|
227
|
-
if (typeof globalThis.crypto?.getRandomValues === "function") {
|
|
228
|
-
globalThis.crypto.getRandomValues(bytes);
|
|
229
|
-
return bytes;
|
|
230
|
-
}
|
|
231
|
-
for (let index = 0; index < length; index += 1) {
|
|
232
|
-
bytes[index] = Math.floor(Math.random() * 256);
|
|
233
|
-
}
|
|
234
|
-
return bytes;
|
|
235
|
-
}
|
|
236
|
-
function generatePortableRequestId() {
|
|
237
|
-
if (typeof globalThis.crypto?.randomUUID === "function") {
|
|
238
|
-
return globalThis.crypto.randomUUID();
|
|
239
|
-
}
|
|
240
|
-
const bytes = fillRandomBytes(16);
|
|
241
|
-
bytes[6] = bytes[6] & 15 | 64;
|
|
242
|
-
bytes[8] = bytes[8] & 63 | 128;
|
|
243
|
-
const hex = Array.from(bytes, (value) => value.toString(16).padStart(2, "0"));
|
|
244
|
-
return `${hex.slice(0, 4).join("")}-${hex.slice(4, 6).join("")}-${hex.slice(
|
|
245
|
-
6,
|
|
246
|
-
8
|
|
247
|
-
).join("")}-${hex.slice(8, 10).join("")}-${hex.slice(10).join("")}`;
|
|
248
|
-
}
|
|
249
|
-
function resolveEnvironment() {
|
|
250
|
-
const processEnv = typeof globalThis === "object" && globalThis !== null && "process" in globalThis ? globalThis.process : void 0;
|
|
251
|
-
const env = processEnv !== void 0 && typeof processEnv === "object" && processEnv !== null && typeof processEnv.env === "object" ? processEnv.env : void 0;
|
|
252
|
-
return {
|
|
253
|
-
get: (name) => {
|
|
254
|
-
const value = env?.[name];
|
|
255
|
-
return typeof value === "string" && value.length > 0 ? value : void 0;
|
|
256
|
-
}
|
|
257
|
-
};
|
|
258
|
-
}
|
|
259
|
-
function telemetryEnvironmentRecord(environment) {
|
|
260
|
-
const names = [
|
|
261
|
-
"LUCERN_TELEMETRY_ENABLED",
|
|
262
|
-
"AXIOM_TELEMETRY_ENABLED",
|
|
263
|
-
"LUCERN_AXIOM_TOKEN",
|
|
264
|
-
"AXIOM_TOKEN",
|
|
265
|
-
"LUCERN_AXIOM_EVENTS_DATASET",
|
|
266
|
-
"LUCERN_AXIOM_DATASET",
|
|
267
|
-
"AXIOM_EVENTS_DATASET",
|
|
268
|
-
"AXIOM_DATASET",
|
|
269
|
-
"LUCERN_AXIOM_API_URL",
|
|
270
|
-
"AXIOM_URL",
|
|
271
|
-
"LUCERN_ENVIRONMENT",
|
|
272
|
-
"NODE_ENV",
|
|
273
|
-
"LUCERN_RELEASE",
|
|
274
|
-
"SENTRY_RELEASE",
|
|
275
|
-
"VERCEL_GIT_COMMIT_SHA"
|
|
276
|
-
];
|
|
277
|
-
return Object.fromEntries(
|
|
278
|
-
names.map((name) => [name, environment.get(name)])
|
|
279
|
-
);
|
|
19
|
+
function cleanString(value) {
|
|
20
|
+
return typeof value === "string" && value.trim().length > 0
|
|
21
|
+
? value.trim()
|
|
22
|
+
: undefined;
|
|
280
23
|
}
|
|
281
|
-
function
|
|
282
|
-
|
|
283
|
-
|
|
284
|
-
config.maxRetries,
|
|
285
|
-
environment.get(DEFAULT_ENV_MAX_RETRIES)
|
|
286
|
-
);
|
|
287
|
-
const parsedTimeoutMs = parseIntegerFromString(
|
|
288
|
-
config.timeoutMs,
|
|
289
|
-
environment.get(DEFAULT_ENV_TIMEOUT_MS)
|
|
290
|
-
);
|
|
291
|
-
const methodTimeouts = {
|
|
292
|
-
...config.timeoutMsByMethod
|
|
293
|
-
};
|
|
294
|
-
for (const method of ["GET", "POST", "PUT", "PATCH", "DELETE"]) {
|
|
295
|
-
const envKey = `${ENV_TIMEOUT_BY_METHOD_PREFIX}${method}`;
|
|
296
|
-
const raw = environment.get(envKey);
|
|
297
|
-
if (!raw || methodTimeouts[method] !== void 0) {
|
|
298
|
-
continue;
|
|
299
|
-
}
|
|
300
|
-
const parsed = parseIntegerFromString(void 0, raw);
|
|
301
|
-
if (typeof parsed === "number") {
|
|
302
|
-
methodTimeouts[method] = parsed;
|
|
24
|
+
function stringList(value) {
|
|
25
|
+
if (!Array.isArray(value)) {
|
|
26
|
+
return [];
|
|
303
27
|
}
|
|
304
|
-
|
|
305
|
-
|
|
306
|
-
|
|
307
|
-
|
|
308
|
-
|
|
309
|
-
|
|
310
|
-
};
|
|
311
|
-
}
|
|
312
|
-
function createGatewayRuntime(config, environment) {
|
|
313
|
-
return {
|
|
314
|
-
fetch: config.fetchImpl ?? fetch,
|
|
315
|
-
now: () => Date.now(),
|
|
316
|
-
sleep: (ms) => delay(ms),
|
|
317
|
-
env: environment,
|
|
318
|
-
redaction: resolveRequestRedactionValue,
|
|
319
|
-
profile: resolveRequestProfile(config, environment)
|
|
320
|
-
};
|
|
321
|
-
}
|
|
322
|
-
function parseIntegerFromString(value, rawValue) {
|
|
323
|
-
if (typeof value === "number" && Number.isInteger(value) && value >= 0) {
|
|
324
|
-
return value;
|
|
325
|
-
}
|
|
326
|
-
if (typeof rawValue !== "string" || !rawValue.trim()) {
|
|
327
|
-
return void 0;
|
|
328
|
-
}
|
|
329
|
-
const parsed = Number.parseInt(rawValue, 10);
|
|
330
|
-
return Number.isInteger(parsed) && parsed >= 0 ? parsed : void 0;
|
|
331
|
-
}
|
|
332
|
-
function resolveRequestRedactionValue(value) {
|
|
333
|
-
return redactDiagnosticValue(value);
|
|
334
|
-
}
|
|
335
|
-
function resolveGatewayBaseUrl(configBaseUrl, environment) {
|
|
336
|
-
const envBaseUrl = environment.get("LUCERN_API_URL") ?? environment.get("LUCERN_BASE_URL") ?? environment.get("LUCERN_GATEWAY_BASE_URL");
|
|
337
|
-
return (configBaseUrl ?? envBaseUrl ?? "").replace(/\/+$/, "");
|
|
338
|
-
}
|
|
339
|
-
function normalizeGatewayEnvironment(value) {
|
|
340
|
-
return value === "sandbox" || value === "production" ? value : void 0;
|
|
341
|
-
}
|
|
342
|
-
function fallbackErrorCode(status) {
|
|
343
|
-
if (status === 401) {
|
|
344
|
-
return "AUTHENTICATION_REQUIRED";
|
|
345
|
-
}
|
|
346
|
-
if (status === 403) {
|
|
347
|
-
return "FORBIDDEN";
|
|
348
|
-
}
|
|
349
|
-
if (status === 404) {
|
|
350
|
-
return "NOT_FOUND";
|
|
351
|
-
}
|
|
352
|
-
if (status === 408) {
|
|
353
|
-
return "UPSTREAM_ERROR";
|
|
354
|
-
}
|
|
355
|
-
if (status === 409) {
|
|
356
|
-
return "CONFLICT";
|
|
357
|
-
}
|
|
358
|
-
if (status === 429) {
|
|
359
|
-
return "RATE_LIMIT_EXCEEDED";
|
|
360
|
-
}
|
|
361
|
-
if (status >= 500) {
|
|
362
|
-
return "UPSTREAM_ERROR";
|
|
363
|
-
}
|
|
364
|
-
return "INTERNAL_ERROR";
|
|
365
|
-
}
|
|
366
|
-
function delay(ms) {
|
|
367
|
-
return new Promise((resolve) => setTimeout(resolve, ms));
|
|
368
|
-
}
|
|
369
|
-
function computeRetryDelayMs(args) {
|
|
370
|
-
const baseDelay = args.status === 429 ? Math.max(
|
|
371
|
-
args.retryAfterMs ?? 0,
|
|
372
|
-
Math.min(1e3 * 2 ** args.attempt, 1e4)
|
|
373
|
-
) : Math.min(1e3 * 2 ** args.attempt, 4e3);
|
|
374
|
-
if (args.status !== 429) {
|
|
375
|
-
return baseDelay;
|
|
376
|
-
}
|
|
377
|
-
const jitterWindow = Math.max(250, Math.round(baseDelay * 0.25));
|
|
378
|
-
return baseDelay + Math.round(Math.random() * jitterWindow);
|
|
379
|
-
}
|
|
380
|
-
function classifyGatewayErrorForRetry(error) {
|
|
381
|
-
return isGatewayRetryableError(error) || classifyRetry({ error }).retryable;
|
|
382
|
-
}
|
|
383
|
-
function isRecord(value) {
|
|
384
|
-
return value !== null && typeof value === "object" && !Array.isArray(value);
|
|
385
|
-
}
|
|
386
|
-
function readPolicySummaryFromDetails(details) {
|
|
387
|
-
if (!isRecord(details)) {
|
|
388
|
-
return null;
|
|
389
|
-
}
|
|
390
|
-
const directSummary = details.summary;
|
|
391
|
-
if (typeof directSummary === "string" && directSummary.trim().length > 0) {
|
|
392
|
-
return directSummary.trim();
|
|
393
|
-
}
|
|
394
|
-
const policy = details.policy;
|
|
395
|
-
if (!isRecord(policy)) {
|
|
396
|
-
return null;
|
|
397
|
-
}
|
|
398
|
-
const explanation = policy.explanation;
|
|
399
|
-
if (!isRecord(explanation)) {
|
|
400
|
-
return null;
|
|
401
|
-
}
|
|
402
|
-
const nestedSummary = explanation.summary;
|
|
403
|
-
if (typeof nestedSummary === "string" && nestedSummary.trim().length > 0) {
|
|
404
|
-
return nestedSummary.trim();
|
|
405
|
-
}
|
|
406
|
-
return null;
|
|
407
|
-
}
|
|
408
|
-
function redactJsonDiagnosticValue(value) {
|
|
409
|
-
return value === void 0 ? void 0 : redactDiagnosticValue(value);
|
|
410
|
-
}
|
|
411
|
-
async function resolveConfiguredAuthContext(authContext) {
|
|
412
|
-
if (typeof authContext === "function") {
|
|
413
|
-
return await authContext();
|
|
414
|
-
}
|
|
415
|
-
return authContext;
|
|
28
|
+
return [
|
|
29
|
+
...new Set(value
|
|
30
|
+
.filter((entry) => typeof entry === "string")
|
|
31
|
+
.map((entry) => entry.trim())
|
|
32
|
+
.filter(Boolean)),
|
|
33
|
+
];
|
|
416
34
|
}
|
|
417
|
-
function
|
|
418
|
-
|
|
419
|
-
|
|
420
|
-
|
|
421
|
-
|
|
422
|
-
|
|
423
|
-
|
|
424
|
-
|
|
425
|
-
|
|
35
|
+
function principalType(value) {
|
|
36
|
+
switch (value) {
|
|
37
|
+
case "service":
|
|
38
|
+
case "service_principal":
|
|
39
|
+
return "service";
|
|
40
|
+
case "agent":
|
|
41
|
+
return "agent";
|
|
42
|
+
case "group":
|
|
43
|
+
return "group";
|
|
44
|
+
case "external_viewer":
|
|
45
|
+
case "external_stakeholder":
|
|
46
|
+
return "external_viewer";
|
|
47
|
+
default:
|
|
48
|
+
return "human";
|
|
426
49
|
}
|
|
427
|
-
headers.set(key, value);
|
|
428
|
-
}
|
|
429
|
-
return Object.fromEntries(headers.entries());
|
|
430
|
-
}
|
|
431
|
-
function cleanHeaderValue(value) {
|
|
432
|
-
const normalized = value?.trim();
|
|
433
|
-
return normalized ? normalized : void 0;
|
|
434
50
|
}
|
|
435
|
-
function
|
|
436
|
-
|
|
437
|
-
|
|
438
|
-
|
|
439
|
-
|
|
440
|
-
|
|
441
|
-
|
|
442
|
-
|
|
443
|
-
|
|
444
|
-
|
|
445
|
-
|
|
446
|
-
|
|
447
|
-
|
|
448
|
-
|
|
449
|
-
const
|
|
450
|
-
const
|
|
451
|
-
|
|
452
|
-
|
|
453
|
-
|
|
454
|
-
|
|
455
|
-
|
|
456
|
-
|
|
457
|
-
|
|
458
|
-
|
|
459
|
-
setIfAbsent("x-lucern-environment", normalizedEnvironment);
|
|
460
|
-
setIfAbsent("x-lucern-clerk-id", config.clerkId);
|
|
461
|
-
setIfAbsent("x-lucern-user-id", config.userId ?? config.clerkId);
|
|
462
|
-
setIfAbsent("x-lucern-deployment-host", config.deploymentHost);
|
|
463
|
-
const base = Object.fromEntries(headers.entries());
|
|
464
|
-
const authContextInput = await resolveConfiguredAuthContext(
|
|
465
|
-
config.authContext
|
|
466
|
-
);
|
|
467
|
-
if (!authContextInput && !config.requireCanonicalAuthContext) {
|
|
468
|
-
return base;
|
|
469
|
-
}
|
|
470
|
-
const authContext = normalizeCanonicalLucernAuthContext(authContextInput);
|
|
471
|
-
return mergeHeaderRecord(base, createCanonicalAuthHeaders(authContext));
|
|
472
|
-
}
|
|
473
|
-
async function fetchWithTimeout(url, init, timeoutMs) {
|
|
474
|
-
const normalizeTransportError = (error, isTimeout) => {
|
|
475
|
-
if (isTimeout) {
|
|
476
|
-
return new GatewayTimeoutError(timeoutMs);
|
|
477
|
-
}
|
|
478
|
-
return error instanceof GatewayTimeoutError || error instanceof GatewayTransportError ? error : new GatewayTransportError(
|
|
479
|
-
error instanceof Error ? error.message : "Gateway transport error",
|
|
480
|
-
{
|
|
481
|
-
cause: error,
|
|
482
|
-
retryable: classifyGatewayErrorForRetry(error)
|
|
483
|
-
}
|
|
484
|
-
);
|
|
485
|
-
};
|
|
486
|
-
const controller = new AbortController();
|
|
487
|
-
const timer = setTimeout(() => controller.abort(), timeoutMs);
|
|
488
|
-
const requestEffect = Effect.tryPromise({
|
|
489
|
-
try: () => runtime.fetch(url, { ...init, signal: controller.signal }),
|
|
490
|
-
catch: (error) => normalizeTransportError(error, controller.signal.aborted)
|
|
491
|
-
});
|
|
492
|
-
try {
|
|
493
|
-
const exit = await Effect.runPromiseExit(requestEffect);
|
|
494
|
-
if (Exit.isSuccess(exit)) {
|
|
495
|
-
return exit.value;
|
|
496
|
-
}
|
|
497
|
-
const failure = Array.from(Cause.failures(exit.cause))[0];
|
|
498
|
-
if (failure !== void 0) {
|
|
499
|
-
throw failure;
|
|
500
|
-
}
|
|
501
|
-
throw Cause.squash(exit.cause);
|
|
502
|
-
} finally {
|
|
503
|
-
clearTimeout(timer);
|
|
504
|
-
}
|
|
505
|
-
}
|
|
506
|
-
async function emitSdkResponseTelemetry(context) {
|
|
507
|
-
const retry = classifyRetry({
|
|
508
|
-
status: context.status,
|
|
509
|
-
error: context.error,
|
|
510
|
-
retryAfter: context.retryAfterMs !== null && context.retryAfterMs !== void 0 ? String(context.retryAfterMs / 1e3) : void 0
|
|
511
|
-
});
|
|
512
|
-
await emitTelemetrySignal(telemetryExporter, {
|
|
513
|
-
signalType: "trace",
|
|
514
|
-
surface: "sdk-retry",
|
|
515
|
-
eventName: context.willRetry ? "sdk.retry" : context.error ? "sdk.request.error" : "sdk.request.complete",
|
|
516
|
-
severity: context.error ? context.willRetry ? "warn" : "error" : "info",
|
|
517
|
-
durationMs: context.durationMs,
|
|
518
|
-
metricName: "sdk.request.duration_ms",
|
|
519
|
-
metricValue: context.durationMs,
|
|
520
|
-
correlationId: context.correlationId ?? context.requestId,
|
|
521
|
-
policyTraceId: context.policyTraceId ?? null,
|
|
522
|
-
tenantId: context.headers.get("x-lucern-tenant-id") ?? context.headers.get("x-lucern-tenant") ?? void 0,
|
|
523
|
-
workspaceId: context.headers.get("x-lucern-workspace-id") ?? context.headers.get("x-lucern-workspace") ?? void 0,
|
|
524
|
-
attributes: {
|
|
525
|
-
service: "lucern-sdk",
|
|
526
|
-
operation: "gateway.request",
|
|
527
|
-
path: context.path,
|
|
528
|
-
httpMethod: context.method,
|
|
529
|
-
httpStatus: context.status,
|
|
530
|
-
attempt: context.attempt,
|
|
531
|
-
maxRetries: context.maxRetries,
|
|
532
|
-
retryReason: retry.reason,
|
|
533
|
-
retryAfterMs: context.retryAfterMs ?? retry.retryAfterMs,
|
|
534
|
-
willRetry: context.willRetry,
|
|
535
|
-
retryable: retry.retryable,
|
|
536
|
-
errorName: context.error instanceof Error ? context.error.name : void 0,
|
|
537
|
-
errorMessage: context.error instanceof Error ? context.error.message : void 0
|
|
538
|
-
}
|
|
539
|
-
});
|
|
540
|
-
}
|
|
541
|
-
async function parsePayload(response) {
|
|
542
|
-
const text = await response.text();
|
|
543
|
-
if (!text) {
|
|
544
|
-
return null;
|
|
545
|
-
}
|
|
546
|
-
const parsed = tryParseGatewayEnvelopeJson(text);
|
|
547
|
-
if (!parsed.ok) {
|
|
548
|
-
return null;
|
|
549
|
-
}
|
|
550
|
-
return isRecord(parsed.value) ? parsed.value : null;
|
|
551
|
-
}
|
|
552
|
-
function resolveTimeoutMs(method, requestTimeoutMs) {
|
|
553
|
-
if (typeof requestTimeoutMs === "number") {
|
|
554
|
-
return requestTimeoutMs;
|
|
555
|
-
}
|
|
556
|
-
const methodTimeoutMs = requestTimeoutByMethod?.[method];
|
|
557
|
-
if (typeof methodTimeoutMs === "number") {
|
|
558
|
-
return methodTimeoutMs;
|
|
559
|
-
}
|
|
560
|
-
return defaultRequestTimeoutMs;
|
|
561
|
-
}
|
|
562
|
-
function tryParseGatewayEnvelopeJson(text) {
|
|
563
|
-
const trimmed = text.trim();
|
|
564
|
-
if (!trimmed.startsWith("{") && !trimmed.startsWith("[")) {
|
|
565
|
-
return { ok: false, reason: "non-json" };
|
|
566
|
-
}
|
|
567
|
-
try {
|
|
568
|
-
return { ok: true, value: JSON.parse(trimmed) };
|
|
569
|
-
} catch (error) {
|
|
570
|
-
if (error instanceof SyntaxError) {
|
|
571
|
-
return { ok: false, reason: "invalid-json", error };
|
|
572
|
-
}
|
|
573
|
-
throw error;
|
|
574
|
-
}
|
|
575
|
-
}
|
|
576
|
-
function buildApiError(args) {
|
|
577
|
-
const failure = args.failure;
|
|
578
|
-
const legacyError = failure && isRecord(failure.error) ? failure.error : failure?.legacyError;
|
|
579
|
-
const correlationId = failure?.correlationId ?? args.response.headers.get("x-lucern-correlation-id")?.trim() ?? args.requestId;
|
|
580
|
-
const policyTraceId = failure?.policyTraceId ?? args.response.headers.get("x-lucern-policy-trace-id")?.trim() ?? null;
|
|
581
|
-
const details = runtime.redaction(
|
|
582
|
-
redactJsonDiagnosticValue(failure?.details ?? legacyError?.details)
|
|
583
|
-
);
|
|
584
|
-
const policySummary = readPolicySummaryFromDetails(details);
|
|
585
|
-
const failureMessage = typeof failure?.error === "string" ? failure.error : legacyError?.message;
|
|
586
|
-
return new LucernApiError({
|
|
587
|
-
code: failure?.code ?? legacyError?.code ?? fallbackErrorCode(args.response.status),
|
|
588
|
-
message: policySummary ?? failureMessage ?? (args.response.ok ? "Platform API returned an invalid success payload." : "Platform API request failed."),
|
|
589
|
-
status: args.response.status,
|
|
590
|
-
invariant: failure?.invariant,
|
|
591
|
-
suggestion: failure?.suggestion,
|
|
592
|
-
details,
|
|
593
|
-
requestId: args.requestId,
|
|
594
|
-
correlationId,
|
|
595
|
-
policyTraceId
|
|
596
|
-
});
|
|
597
|
-
}
|
|
598
|
-
async function request(args) {
|
|
599
|
-
const authHeaders = await resolveAuthHeaders();
|
|
600
|
-
const method = args.method ?? "GET";
|
|
601
|
-
const timeoutMs = resolveTimeoutMs(method, args.timeoutMs);
|
|
602
|
-
const headers = new Headers({
|
|
603
|
-
"content-type": "application/json",
|
|
604
|
-
...authHeaders
|
|
605
|
-
});
|
|
606
|
-
if (args.idempotencyKey) {
|
|
607
|
-
headers.set("idempotency-key", args.idempotencyKey);
|
|
608
|
-
}
|
|
609
|
-
const requestId = headers.get("x-correlation-id")?.trim() || headers.get("x-request-id")?.trim() || args.requestId || requestIdFactory();
|
|
610
|
-
if (!headers.has("x-correlation-id") && !headers.has("x-request-id")) {
|
|
611
|
-
headers.set("x-correlation-id", requestId);
|
|
612
|
-
}
|
|
613
|
-
const url = `${baseUrl}${args.path}`;
|
|
614
|
-
const serializedBody = args.body ? JSON.stringify(args.body) : void 0;
|
|
615
|
-
const init = {
|
|
616
|
-
method,
|
|
617
|
-
headers,
|
|
618
|
-
body: serializedBody
|
|
619
|
-
};
|
|
620
|
-
let lastError;
|
|
621
|
-
for (let attempt = 0; attempt <= maxRetries; attempt++) {
|
|
622
|
-
const hookRequestContext = {
|
|
623
|
-
requestId,
|
|
624
|
-
attempt,
|
|
625
|
-
maxRetries,
|
|
626
|
-
method,
|
|
627
|
-
path: args.path,
|
|
628
|
-
url,
|
|
629
|
-
headers: new Headers(headers),
|
|
630
|
-
body: serializedBody,
|
|
631
|
-
timeoutMs
|
|
632
|
-
};
|
|
633
|
-
await config.onRequest?.(hookRequestContext);
|
|
634
|
-
const startedAt = Date.now();
|
|
635
|
-
try {
|
|
636
|
-
const response = await fetchWithTimeout(url, init, timeoutMs);
|
|
637
|
-
const responseClone = response.clone();
|
|
638
|
-
const payload = await parsePayload(response);
|
|
639
|
-
const retry = classifyRetry({
|
|
640
|
-
status: response.status,
|
|
641
|
-
retryAfter: response.headers.get("Retry-After")
|
|
51
|
+
function adminFlags(roles) {
|
|
52
|
+
const normalized = roles.map((role) => role.toLowerCase());
|
|
53
|
+
const isPlatformAdmin = normalized.includes("platform_admin");
|
|
54
|
+
const isTenantAdmin = isPlatformAdmin || normalized.includes("tenant_admin");
|
|
55
|
+
const isWorkspaceAdmin = isTenantAdmin ||
|
|
56
|
+
normalized.includes("workspace_admin") ||
|
|
57
|
+
normalized.includes("workspace_owner");
|
|
58
|
+
return { isPlatformAdmin, isTenantAdmin, isWorkspaceAdmin };
|
|
59
|
+
}
|
|
60
|
+
export function normalizeResolvedInteractivePrincipal(payload) {
|
|
61
|
+
if ("ok" in payload && payload.ok === false) {
|
|
62
|
+
throw new LucernControlPlaneIdentityError(payload);
|
|
63
|
+
}
|
|
64
|
+
const principalId = cleanString(payload.principalId);
|
|
65
|
+
const clerkId = cleanString(payload.clerkId);
|
|
66
|
+
const tenantId = cleanString(payload.tenantId);
|
|
67
|
+
if (!principalId || !clerkId || !tenantId) {
|
|
68
|
+
throw new LucernControlPlaneIdentityError({
|
|
69
|
+
ok: false,
|
|
70
|
+
reason: "resolver_unavailable",
|
|
71
|
+
message: "Control-plane principal resolver returned an incomplete principal context.",
|
|
72
|
+
principalStatus: payload.principalStatus ?? "missing",
|
|
73
|
+
tenantStatus: payload.tenantStatus,
|
|
74
|
+
workspaceStatus: payload.workspaceStatus,
|
|
642
75
|
});
|
|
643
|
-
const retryAfterMs = retry.retryAfterMs ?? null;
|
|
644
|
-
if (!response.ok || !payload?.success) {
|
|
645
|
-
const failure = payload && !payload.success ? payload : null;
|
|
646
|
-
const apiError = buildApiError({
|
|
647
|
-
requestId,
|
|
648
|
-
response,
|
|
649
|
-
failure
|
|
650
|
-
});
|
|
651
|
-
const willRetry = attempt < maxRetries && retry.retryable;
|
|
652
|
-
const responseContext2 = {
|
|
653
|
-
...hookRequestContext,
|
|
654
|
-
durationMs: Date.now() - startedAt,
|
|
655
|
-
status: response.status,
|
|
656
|
-
response: responseClone,
|
|
657
|
-
error: apiError,
|
|
658
|
-
correlationId: apiError.correlationId ?? requestId,
|
|
659
|
-
policyTraceId: apiError.policyTraceId ?? null,
|
|
660
|
-
retryAfterMs,
|
|
661
|
-
willRetry
|
|
662
|
-
};
|
|
663
|
-
await config.onResponse?.(responseContext2);
|
|
664
|
-
await emitSdkResponseTelemetry(responseContext2);
|
|
665
|
-
if (willRetry) {
|
|
666
|
-
lastError = apiError;
|
|
667
|
-
await delay(
|
|
668
|
-
computeRetryDelayMs({
|
|
669
|
-
attempt,
|
|
670
|
-
status: response.status,
|
|
671
|
-
retryAfterMs
|
|
672
|
-
})
|
|
673
|
-
);
|
|
674
|
-
continue;
|
|
675
|
-
}
|
|
676
|
-
throw apiError;
|
|
677
|
-
}
|
|
678
|
-
const successPayload = payload;
|
|
679
|
-
const responseContext = {
|
|
680
|
-
...hookRequestContext,
|
|
681
|
-
durationMs: Date.now() - startedAt,
|
|
682
|
-
status: response.status,
|
|
683
|
-
response: responseClone,
|
|
684
|
-
correlationId: successPayload.correlationId ?? response.headers.get("x-lucern-correlation-id")?.trim() ?? requestId,
|
|
685
|
-
policyTraceId: successPayload.policyTraceId ?? response.headers.get("x-lucern-policy-trace-id")?.trim() ?? null,
|
|
686
|
-
idempotentReplay: successPayload.idempotentReplay,
|
|
687
|
-
retryAfterMs,
|
|
688
|
-
willRetry: false
|
|
689
|
-
};
|
|
690
|
-
await config.onResponse?.(responseContext);
|
|
691
|
-
await emitSdkResponseTelemetry(responseContext);
|
|
692
|
-
return successPayload;
|
|
693
|
-
} catch (fetchError) {
|
|
694
|
-
if (fetchError instanceof LucernApiError) {
|
|
695
|
-
throw fetchError;
|
|
696
|
-
}
|
|
697
|
-
const willRetry = attempt < maxRetries && classifyGatewayErrorForRetry(fetchError);
|
|
698
|
-
const responseContext = {
|
|
699
|
-
...hookRequestContext,
|
|
700
|
-
durationMs: Date.now() - startedAt,
|
|
701
|
-
error: fetchError,
|
|
702
|
-
correlationId: requestId,
|
|
703
|
-
policyTraceId: null,
|
|
704
|
-
willRetry
|
|
705
|
-
};
|
|
706
|
-
await config.onResponse?.(responseContext);
|
|
707
|
-
await emitSdkResponseTelemetry(responseContext);
|
|
708
|
-
lastError = fetchError;
|
|
709
|
-
if (willRetry) {
|
|
710
|
-
await delay(computeRetryDelayMs({ attempt }));
|
|
711
|
-
}
|
|
712
|
-
}
|
|
713
76
|
}
|
|
714
|
-
|
|
715
|
-
|
|
716
|
-
|
|
717
|
-
|
|
718
|
-
|
|
719
|
-
|
|
720
|
-
|
|
721
|
-
|
|
722
|
-
|
|
723
|
-
|
|
724
|
-
|
|
725
|
-
|
|
726
|
-
|
|
727
|
-
|
|
728
|
-
|
|
729
|
-
|
|
730
|
-
|
|
731
|
-
|
|
732
|
-
|
|
733
|
-
|
|
734
|
-
|
|
735
|
-
|
|
736
|
-
|
|
737
|
-
|
|
738
|
-
|
|
739
|
-
|
|
740
|
-
|
|
741
|
-
|
|
742
|
-
|
|
743
|
-
|
|
744
|
-
|
|
745
|
-
|
|
746
|
-
|
|
747
|
-
|
|
748
|
-
}
|
|
749
|
-
|
|
750
|
-
|
|
751
|
-
|
|
752
|
-
|
|
753
|
-
|
|
754
|
-
...new Set(
|
|
755
|
-
value.filter((entry) => typeof entry === "string").map((entry) => entry.trim()).filter(Boolean)
|
|
756
|
-
)
|
|
757
|
-
];
|
|
758
|
-
}
|
|
759
|
-
function principalType(value) {
|
|
760
|
-
switch (value) {
|
|
761
|
-
case "service":
|
|
762
|
-
case "service_principal":
|
|
763
|
-
return "service";
|
|
764
|
-
case "agent":
|
|
765
|
-
return "agent";
|
|
766
|
-
case "group":
|
|
767
|
-
return "group";
|
|
768
|
-
case "external_viewer":
|
|
769
|
-
case "external_stakeholder":
|
|
770
|
-
return "external_viewer";
|
|
771
|
-
default:
|
|
772
|
-
return "human";
|
|
773
|
-
}
|
|
774
|
-
}
|
|
775
|
-
function adminFlags(roles) {
|
|
776
|
-
const normalized = roles.map((role) => role.toLowerCase());
|
|
777
|
-
const isPlatformAdmin = normalized.includes("platform_admin");
|
|
778
|
-
const isTenantAdmin = isPlatformAdmin || normalized.includes("tenant_admin");
|
|
779
|
-
const isWorkspaceAdmin = isTenantAdmin || normalized.includes("workspace_admin") || normalized.includes("workspace_owner");
|
|
780
|
-
return { isPlatformAdmin, isTenantAdmin, isWorkspaceAdmin };
|
|
781
|
-
}
|
|
782
|
-
function normalizeResolvedInteractivePrincipal(payload) {
|
|
783
|
-
if ("ok" in payload && payload.ok === false) {
|
|
784
|
-
throw new LucernControlPlaneIdentityError(payload);
|
|
785
|
-
}
|
|
786
|
-
const principalId = cleanString2(payload.principalId);
|
|
787
|
-
const clerkId = cleanString2(payload.clerkId);
|
|
788
|
-
const tenantId = cleanString2(payload.tenantId);
|
|
789
|
-
if (!principalId || !clerkId || !tenantId) {
|
|
790
|
-
throw new LucernControlPlaneIdentityError({
|
|
791
|
-
ok: false,
|
|
792
|
-
reason: "resolver_unavailable",
|
|
793
|
-
message: "Control-plane principal resolver returned an incomplete principal context.",
|
|
794
|
-
principalStatus: payload.principalStatus ?? "missing",
|
|
795
|
-
tenantStatus: payload.tenantStatus,
|
|
796
|
-
workspaceStatus: payload.workspaceStatus
|
|
797
|
-
});
|
|
798
|
-
}
|
|
799
|
-
const roles = stringList(payload.roles);
|
|
800
|
-
const scopes = stringList(payload.scopes);
|
|
801
|
-
const workspaceId = cleanString2(payload.workspaceId) ?? null;
|
|
802
|
-
const flags = adminFlags(roles);
|
|
803
|
-
return {
|
|
804
|
-
principalId,
|
|
805
|
-
principalType: principalType(payload.principalType),
|
|
806
|
-
clerkId,
|
|
807
|
-
tenantId,
|
|
808
|
-
workspaceId,
|
|
809
|
-
roles,
|
|
810
|
-
scopes,
|
|
811
|
-
groupIds: stringList(payload.groupIds),
|
|
812
|
-
permittedToolNames: stringList(payload.permittedToolNames),
|
|
813
|
-
permittedPackKeys: stringList(payload.permittedPackKeys),
|
|
814
|
-
principalStatus: cleanString2(payload.principalStatus) ?? "active",
|
|
815
|
-
tenantStatus: cleanString2(payload.tenantStatus) ?? "active",
|
|
816
|
-
workspaceStatus: cleanString2(payload.workspaceStatus) ?? (workspaceId ? "active" : "none"),
|
|
817
|
-
isPlatformAdmin: typeof payload.isPlatformAdmin === "boolean" ? payload.isPlatformAdmin : flags.isPlatformAdmin,
|
|
818
|
-
isTenantAdmin: typeof payload.isTenantAdmin === "boolean" ? payload.isTenantAdmin : flags.isTenantAdmin,
|
|
819
|
-
isWorkspaceAdmin: typeof payload.isWorkspaceAdmin === "boolean" ? payload.isWorkspaceAdmin : flags.isWorkspaceAdmin,
|
|
820
|
-
permit: {
|
|
821
|
-
subject: cleanString2(payload.permit?.subject) ?? principalId,
|
|
822
|
-
tenant: cleanString2(payload.permit?.tenant) ?? tenantId,
|
|
823
|
-
...workspaceId ? { workspace: cleanString2(payload.permit?.workspace) ?? workspaceId } : {}
|
|
824
|
-
},
|
|
825
|
-
authMode: "interactive_user",
|
|
826
|
-
sessionId: payload.sessionId,
|
|
827
|
-
delegatedBy: payload.delegatedBy,
|
|
828
|
-
expiresAt: payload.expiresAt
|
|
829
|
-
};
|
|
77
|
+
const roles = stringList(payload.roles);
|
|
78
|
+
const scopes = stringList(payload.scopes);
|
|
79
|
+
const workspaceId = cleanString(payload.workspaceId) ?? null;
|
|
80
|
+
const flags = adminFlags(roles);
|
|
81
|
+
return {
|
|
82
|
+
principalId,
|
|
83
|
+
principalType: principalType(payload.principalType),
|
|
84
|
+
clerkId,
|
|
85
|
+
tenantId,
|
|
86
|
+
workspaceId,
|
|
87
|
+
roles,
|
|
88
|
+
scopes,
|
|
89
|
+
groupIds: stringList(payload.groupIds),
|
|
90
|
+
permittedToolNames: stringList(payload.permittedToolNames),
|
|
91
|
+
permittedPackKeys: stringList(payload.permittedPackKeys),
|
|
92
|
+
principalStatus: cleanString(payload.principalStatus) ??
|
|
93
|
+
"active",
|
|
94
|
+
tenantStatus: cleanString(payload.tenantStatus) ?? "active",
|
|
95
|
+
workspaceStatus: cleanString(payload.workspaceStatus) ?? (workspaceId ? "active" : "none"),
|
|
96
|
+
isPlatformAdmin: typeof payload.isPlatformAdmin === "boolean"
|
|
97
|
+
? payload.isPlatformAdmin
|
|
98
|
+
: flags.isPlatformAdmin,
|
|
99
|
+
isTenantAdmin: typeof payload.isTenantAdmin === "boolean"
|
|
100
|
+
? payload.isTenantAdmin
|
|
101
|
+
: flags.isTenantAdmin,
|
|
102
|
+
isWorkspaceAdmin: typeof payload.isWorkspaceAdmin === "boolean"
|
|
103
|
+
? payload.isWorkspaceAdmin
|
|
104
|
+
: flags.isWorkspaceAdmin,
|
|
105
|
+
permit: {
|
|
106
|
+
subject: cleanString(payload.permit?.subject) ?? principalId,
|
|
107
|
+
tenant: cleanString(payload.permit?.tenant) ?? tenantId,
|
|
108
|
+
...(workspaceId
|
|
109
|
+
? { workspace: cleanString(payload.permit?.workspace) ?? workspaceId }
|
|
110
|
+
: {}),
|
|
111
|
+
},
|
|
112
|
+
authMode: "interactive_user",
|
|
113
|
+
sessionId: payload.sessionId,
|
|
114
|
+
delegatedBy: payload.delegatedBy,
|
|
115
|
+
expiresAt: payload.expiresAt,
|
|
116
|
+
};
|
|
830
117
|
}
|
|
831
|
-
function createControlPlaneIdentityClient(config = {}) {
|
|
832
|
-
|
|
833
|
-
|
|
834
|
-
|
|
835
|
-
|
|
836
|
-
|
|
837
|
-
|
|
838
|
-
|
|
839
|
-
|
|
840
|
-
|
|
841
|
-
|
|
842
|
-
|
|
843
|
-
|
|
118
|
+
export function createControlPlaneIdentityClient(config = {}) {
|
|
119
|
+
const gateway = createGatewayRequestClient(config);
|
|
120
|
+
return {
|
|
121
|
+
async resolveInteractivePrincipal(input) {
|
|
122
|
+
return gateway
|
|
123
|
+
.request({
|
|
124
|
+
path: "/api/platform/v1/control-plane/identity/resolve-interactive-principal",
|
|
125
|
+
method: "POST",
|
|
126
|
+
body: input,
|
|
127
|
+
})
|
|
128
|
+
.then((response) => mapGatewayData(response, normalizeResolvedInteractivePrincipal));
|
|
129
|
+
},
|
|
130
|
+
};
|
|
844
131
|
}
|
|
845
|
-
function createControlPlaneClient(config = {}) {
|
|
846
|
-
|
|
847
|
-
|
|
848
|
-
|
|
132
|
+
export function createControlPlaneClient(config = {}) {
|
|
133
|
+
return {
|
|
134
|
+
identity: createControlPlaneIdentityClient(config),
|
|
135
|
+
};
|
|
849
136
|
}
|
|
850
|
-
|
|
851
|
-
export { LucernControlPlaneIdentityError, createControlPlaneClient, createControlPlaneIdentityClient, normalizeResolvedInteractivePrincipal };
|
|
852
|
-
//# sourceMappingURL=control-plane.js.map
|
|
853
137
|
//# sourceMappingURL=control-plane.js.map
|