@hexis-ai/engram-server 0.11.3 → 0.12.0

package/dist/adapters/postgres-org-store.d.ts

@@ -0,0 +1,37 @@
+import type { Pool } from "pg";
+import type { OrgMembershipRow, OrgRow, OrgStore } from "../org-store";
+export declare class PostgresOrgStore implements OrgStore {
+    private readonly pool;
+    constructor(pool: Pool);
+    createOrg(input: {
+        id?: string;
+        name?: string;
+        metadata?: Record<string, unknown>;
+    }): Promise<OrgRow>;
+    getOrg(id: string): Promise<OrgRow | null>;
+    listOrgs(): Promise<OrgRow[]>;
+    deleteOrg(id: string): Promise<void>;
+    listMembers(orgId: string): Promise<OrgMembershipRow[]>;
+    upsertMember(input: {
+        orgId: string;
+        userId: string;
+        role?: string;
+    }): Promise<OrgMembershipRow>;
+    removeMember(orgId: string, userId: string): Promise<void>;
+    findUserByEmail(email: string): Promise<{
+        id: string;
+        email: string;
+    } | null>;
+    listOrgsForUser(userId: string): Promise<OrgMembershipRow[]>;
+    setWorkspaceOrg(workspaceId: string, orgId: string): Promise<void>;
+    listWorkspacesForOrg(orgId: string): Promise<{
+        id: string;
+        name: string | null;
+    }[]>;
+    listWorkspacesForUser(userId: string): Promise<{
+        id: string;
+        name: string | null;
+        orgId: string;
+    }[]>;
+    userCanAccessWorkspace(userId: string, workspaceId: string): Promise<boolean>;
+}

package/dist/adapters/postgres-org-store.js

@@ -0,0 +1,102 @@
+import { randomUUID } from "node:crypto";
+function iso(v) {
+    return typeof v === "string" ? v : v.toISOString();
+}
+function toOrg(r) {
+    return {
+        id: r.id,
+        name: r.name,
+        metadata: r.metadata ?? {},
+        createdAt: iso(r.created_at),
+    };
+}
+function toMember(r) {
+    return {
+        orgId: r.org_id,
+        userId: r.user_id,
+        role: r.role,
+        joinedAt: iso(r.joined_at),
+    };
+}
+export class PostgresOrgStore {
+    pool;
+    constructor(pool) {
+        this.pool = pool;
+    }
+    // ---------- orgs ---------------------------------------------
+    async createOrg(input) {
+        const id = input.id ?? `org_${randomUUID().replace(/-/g, "").slice(0, 16)}`;
+        const { rows } = await this.pool.query(`INSERT INTO engram_orgs (id, name, metadata)
+       VALUES ($1, $2, $3::jsonb)
+       ON CONFLICT (id) DO NOTHING
+       RETURNING id, name, metadata, created_at`, [id, input.name ?? null, JSON.stringify(input.metadata ?? {})]);
+        if (rows[0])
+            return toOrg(rows[0]);
+        const existing = await this.getOrg(id);
+        if (!existing)
+            throw new Error("org_create_failed");
+        return existing;
+    }
+    async getOrg(id) {
+        const { rows } = await this.pool.query(`SELECT id, name, metadata, created_at FROM engram_orgs WHERE id = $1`, [id]);
+        return rows[0] ? toOrg(rows[0]) : null;
+    }
+    async listOrgs() {
+        const { rows } = await this.pool.query(`SELECT id, name, metadata, created_at FROM engram_orgs ORDER BY created_at`);
+        return rows.map(toOrg);
+    }
+    async deleteOrg(id) {
+        // CASCADE drops members + workspaces under this org.
+        await this.pool.query(`DELETE FROM engram_orgs WHERE id = $1`, [id]);
+    }
+    // ---------- members ------------------------------------------
+    async listMembers(orgId) {
+        const { rows } = await this.pool.query(`SELECT org_id, user_id, role, joined_at
+       FROM engram_org_members WHERE org_id = $1 ORDER BY joined_at`, [orgId]);
+        return rows.map(toMember);
+    }
+    async upsertMember(input) {
+        const role = input.role ?? "member";
+        const { rows } = await this.pool.query(`INSERT INTO engram_org_members (org_id, user_id, role)
+       VALUES ($1, $2, $3)
+       ON CONFLICT (org_id, user_id) DO UPDATE SET role = EXCLUDED.role
+       RETURNING org_id, user_id, role, joined_at`, [input.orgId, input.userId, role]);
+        return toMember(rows[0]);
+    }
+    async removeMember(orgId, userId) {
+        await this.pool.query(`DELETE FROM engram_org_members WHERE org_id = $1 AND user_id = $2`, [orgId, userId]);
+    }
+    async findUserByEmail(email) {
+        const { rows } = await this.pool.query(`SELECT id, email FROM engram_auth_users WHERE LOWER(email) = LOWER($1) LIMIT 1`, [email]);
+        return rows[0] ?? null;
+    }
+    async listOrgsForUser(userId) {
+        const { rows } = await this.pool.query(`SELECT org_id, user_id, role, joined_at
+       FROM engram_org_members WHERE user_id = $1 ORDER BY joined_at`, [userId]);
+        return rows.map(toMember);
+    }
+    // ---------- workspace ↔ org link -----------------------------
+    async setWorkspaceOrg(workspaceId, orgId) {
+        await this.pool.query(`UPDATE engram_workspaces SET org_id = $1 WHERE id = $2`, [orgId, workspaceId]);
+    }
+    async listWorkspacesForOrg(orgId) {
+        const { rows } = await this.pool.query(`SELECT id, name FROM engram_workspaces WHERE org_id = $1 ORDER BY created_at`, [orgId]);
+        return rows;
+    }
+    async listWorkspacesForUser(userId) {
+        const { rows } = await this.pool.query(`SELECT w.id, w.name, w.org_id
+       FROM engram_workspaces w
+       JOIN engram_org_members m ON m.org_id = w.org_id
+       WHERE m.user_id = $1
+       ORDER BY w.created_at`, [userId]);
+        return rows.map((r) => ({ id: r.id, name: r.name, orgId: r.org_id }));
+    }
+    async userCanAccessWorkspace(userId, workspaceId) {
+        const { rows } = await this.pool.query(`SELECT 1 AS ok
+       FROM engram_workspaces w
+       JOIN engram_org_members m ON m.org_id = w.org_id
+       WHERE m.user_id = $1 AND w.id = $2
+       LIMIT 1`, [userId, workspaceId]);
+        return rows.length > 0;
+    }
+}

package/dist/admin.d.ts

@@ -1,9 +1,17 @@
 import { Hono } from "hono";
 import { type KeyStore } from "./key-store";
+import type { OrgStore } from "./org-store";
 export interface AdminOptions {
     /** Bearer token required for every /admin/v1 request. */
     token: string;
     keyStore: KeyStore;
+    /**
+     * Optional org store. When provided, mounts the orgs surface
+     * (\`/admin/v1/orgs/*\` plus \`/admin/v1/orgs/:id/workspaces\` for
+     * org-scoped workspace creation). Without it only the legacy
+     * \`/admin/v1/workspaces\` endpoints are exposed.
+     */
+    orgStore?: OrgStore;
 }
 interface Env {
     Variables: {
@@ -11,11 +19,25 @@ interface Env {
     };
 }
 /**
- * Build the admin sub-router. Mount under `/admin/v1`.
+ * Build the admin sub-router. Mount under \`/admin/v1\`.
  *
- * Auth model: a single platform-level bearer token (`ENGRAM_ADMIN_TOKEN`).
- * The admin token is checked here only — it never reaches the workspace
- * KeyStore, so an admin token cannot accidentally double as a workspace key.
+ * Auth model: a single platform-level bearer token
+ * (\`ENGRAM_ADMIN_TOKEN\`). Never crosses with workspace api-keys.
+ *
+ * Surface, when orgStore is wired:
+ *
+ *   POST   /orgs                                  create org
+ *   GET    /orgs                                  list orgs
+ *   GET    /orgs/:id                              get org
+ *   DELETE /orgs/:id                              delete org (CASCADE)
+ *   POST   /orgs/:id/members                      add member (email|userId)
+ *   GET    /orgs/:id/members
+ *   DELETE /orgs/:id/members/:userId
+ *   POST   /orgs/:id/workspaces                   create + key (under org)
+ *   GET    /orgs/:id/workspaces
+ *
+ * Plus the lower-level workspace + key endpoints from before
+ * (\`/workspaces\`, \`/workspaces/:id/keys\`, ...).
  */
 export declare function createAdminRouter(opts: AdminOptions): Hono<Env>;
 export {};

package/dist/admin.js

@@ -2,11 +2,25 @@ import { Hono } from "hono";
 import { isValidWorkspaceId } from "./key-store";
 import { createWorkspaceSchema, issueKeySchema, parseJsonBody } from "./schemas";
 /**
- * Build the admin sub-router. Mount under `/admin/v1`.
+ * Build the admin sub-router. Mount under \`/admin/v1\`.
  *
- * Auth model: a single platform-level bearer token (`ENGRAM_ADMIN_TOKEN`).
- * The admin token is checked here only — it never reaches the workspace
- * KeyStore, so an admin token cannot accidentally double as a workspace key.
+ * Auth model: a single platform-level bearer token
+ * (\`ENGRAM_ADMIN_TOKEN\`). Never crosses with workspace api-keys.
+ *
+ * Surface, when orgStore is wired:
+ *
+ *   POST   /orgs                                  create org
+ *   GET    /orgs                                  list orgs
+ *   GET    /orgs/:id                              get org
+ *   DELETE /orgs/:id                              delete org (CASCADE)
+ *   POST   /orgs/:id/members                      add member (email|userId)
+ *   GET    /orgs/:id/members
+ *   DELETE /orgs/:id/members/:userId
+ *   POST   /orgs/:id/workspaces                   create + key (under org)
+ *   GET    /orgs/:id/workspaces
+ *
+ * Plus the lower-level workspace + key endpoints from before
+ * (\`/workspaces\`, \`/workspaces/:id/keys\`, ...).
  */
 export function createAdminRouter(opts) {
     const app = new Hono();
@@ -18,6 +32,9 @@ export function createAdminRouter(opts) {
         }
         await next();
     });
+    // -------------------- workspaces (legacy / api-key-only) ----
+    // Kept for backwards compatibility; new callers should create
+    // workspaces under an org so they're reachable from the web UI.
     app.post("/workspaces", async (c) => {
         const body = await parseJsonBody(c, createWorkspaceSchema);
         if (body instanceof Response)
@@ -31,8 +48,6 @@ export function createAdminRouter(opts) {
                 ...(body.name !== undefined ? { name: body.name } : {}),
                 ...(body.metadata !== undefined ? { metadata: body.metadata } : {}),
             });
-            // Default: issue an initial key so the caller can start using the
-            // workspace in one round trip. Opt out with `issueKey: false`.
             if (body.issueKey === false) {
                 return c.json({ workspace: ws });
             }
@@ -68,7 +83,6 @@ export function createAdminRouter(opts) {
         const ws = await opts.keyStore.getWorkspace(workspaceId);
         if (!ws)
             return c.json({ error: "workspace_not_found" }, 404);
-        // The body is optional here — an empty POST issues a key with no name.
         const raw = await c.req.json().catch(() => ({}));
         const parsed = issueKeySchema.safeParse(raw);
         if (!parsed.success) {
@@ -101,5 +115,121 @@ export function createAdminRouter(opts) {
         }
         return c.body(null, 204);
     });
+    // -------------------- orgs (org-scoped admin surface) -------
+    const orgStore = opts.orgStore;
+    if (!orgStore)
+        return app;
+    app.post("/orgs", async (c) => {
+        const body = (await c.req.json().catch(() => ({})));
+        try {
+            const org = await orgStore.createOrg({
+                ...(body.id !== undefined ? { id: body.id } : {}),
+                ...(body.name !== undefined ? { name: body.name } : {}),
+                ...(body.metadata !== undefined ? { metadata: body.metadata } : {}),
+            });
+            return c.json({ org });
+        }
+        catch (e) {
+            return c.json({ error: e.message }, 400);
+        }
+    });
+    app.get("/orgs", async (c) => {
+        const orgs = await orgStore.listOrgs();
+        return c.json({ orgs });
+    });
+    app.get("/orgs/:id", async (c) => {
+        const org = await orgStore.getOrg(c.req.param("id"));
+        if (!org)
+            return c.json({ error: "org_not_found" }, 404);
+        return c.json({ org });
+    });
+    app.delete("/orgs/:id", async (c) => {
+        const id = c.req.param("id");
+        const org = await orgStore.getOrg(id);
+        if (!org)
+            return c.json({ error: "org_not_found" }, 404);
+        await orgStore.deleteOrg(id);
+        return c.body(null, 204);
+    });
+    // ----- org members ------------------------------------------
+    app.get("/orgs/:id/members", async (c) => {
+        const id = c.req.param("id");
+        const org = await orgStore.getOrg(id);
+        if (!org)
+            return c.json({ error: "org_not_found" }, 404);
+        return c.json({ members: await orgStore.listMembers(id) });
+    });
+    app.post("/orgs/:id/members", async (c) => {
+        const orgId = c.req.param("id");
+        const org = await orgStore.getOrg(orgId);
+        if (!org)
+            return c.json({ error: "org_not_found" }, 404);
+        const body = (await c.req.json().catch(() => ({})));
+        let userId = body.userId;
+        if (!userId && body.email) {
+            const u = await orgStore.findUserByEmail(body.email);
+            if (!u)
+                return c.json({ error: "user_not_found" }, 404);
+            userId = u.id;
+        }
+        if (!userId)
+            return c.json({ error: "userId_or_email_required" }, 400);
+        const member = await orgStore.upsertMember({
+            orgId,
+            userId,
+            ...(body.role !== undefined ? { role: body.role } : {}),
+        });
+        return c.json({ member });
+    });
+    app.delete("/orgs/:id/members/:userId", async (c) => {
+        const orgId = c.req.param("id");
+        const org = await orgStore.getOrg(orgId);
+        if (!org)
+            return c.json({ error: "org_not_found" }, 404);
+        await orgStore.removeMember(orgId, c.req.param("userId"));
+        return c.body(null, 204);
+    });
+    // ----- org workspaces ---------------------------------------
+    // Combines createWorkspace + setWorkspaceOrg + issueKey so a
+    // tenant can be stood up in one round-trip. Mirrors the legacy
+    // /workspaces POST shape but adds org scoping.
+    app.post("/orgs/:id/workspaces", async (c) => {
+        const orgId = c.req.param("id");
+        const org = await orgStore.getOrg(orgId);
+        if (!org)
+            return c.json({ error: "org_not_found" }, 404);
+        const body = await parseJsonBody(c, createWorkspaceSchema);
+        if (body instanceof Response)
+            return body;
+        if (body.id !== undefined && !isValidWorkspaceId(body.id)) {
+            return c.json({ error: "invalid_workspace_id" }, 400);
+        }
+        try {
+            const ws = await opts.keyStore.createWorkspace({
+                ...(body.id !== undefined ? { id: body.id } : {}),
+                ...(body.name !== undefined ? { name: body.name } : {}),
+                ...(body.metadata !== undefined ? { metadata: body.metadata } : {}),
+            });
+            await orgStore.setWorkspaceOrg(ws.id, orgId);
+            if (body.issueKey === false) {
+                return c.json({ workspace: { ...ws, orgId } });
+            }
+            const key = await opts.keyStore.issueKey(ws.id, {
+                ...(body.keyName !== undefined ? { name: body.keyName } : {}),
+            });
+            return c.json({ workspace: { ...ws, orgId }, key });
+        }
+        catch (e) {
+            return c.json({ error: e.message }, 400);
+        }
+    });
+    app.get("/orgs/:id/workspaces", async (c) => {
+        const orgId = c.req.param("id");
+        const org = await orgStore.getOrg(orgId);
+        if (!org)
+            return c.json({ error: "org_not_found" }, 404);
+        const workspaces = await orgStore.listWorkspacesForOrg(orgId);
+        return c.json({ workspaces });
+    });
     return app;
 }

package/dist/auth-resolver.d.ts

@@ -0,0 +1,32 @@
+/**
+ * Cookie-session → WorkspaceContext bridge (org-based).
+ *
+ * Each user joins an org once; the org has many workspaces. To
+ * resolve a request:
+ *
+ *   1) Validate the cookie via better-auth.
+ *   2) Look up every workspace visible to the user via
+ *      \`engram_org_members\` JOIN \`engram_workspaces\`.
+ *   3) Pick one by, in order:
+ *        a) x-workspace-id header (verified against the visible list)
+ *        b) session.currentWorkspaceId (sticky from last UI choice)
+ *        c) the user's only visible workspace, if exactly one exists
+ *
+ * Membership at the workspace level is intentionally not modeled —
+ * any org member sees every workspace in that org. Add finer-grained
+ * scoping at the app level if needed later.
+ */
+import type { Pool } from "pg";
+import type { EngramAuth } from "./auth";
+import type { WorkspaceContext } from "./context";
+import type { OrgStore } from "./org-store";
+import type { StorageAdapter } from "./storage";
+export interface CookieResolverOptions {
+    auth: EngramAuth;
+    pool: Pool;
+    orgStore: OrgStore;
+    /** Workspace-scoped storage factory; same one wired into api-key auth. */
+    getStorage: (workspaceId: string) => StorageAdapter;
+}
+export type CookieAuthResolver = (req: Request) => Promise<WorkspaceContext | null>;
+export declare function makeCookieAuthResolver(opts: CookieResolverOptions): CookieAuthResolver;

package/dist/auth-resolver.js

@@ -0,0 +1,53 @@
+/**
+ * Cookie-session → WorkspaceContext bridge (org-based).
+ *
+ * Each user joins an org once; the org has many workspaces. To
+ * resolve a request:
+ *
+ *   1) Validate the cookie via better-auth.
+ *   2) Look up every workspace visible to the user via
+ *      \`engram_org_members\` JOIN \`engram_workspaces\`.
+ *   3) Pick one by, in order:
+ *        a) x-workspace-id header (verified against the visible list)
+ *        b) session.currentWorkspaceId (sticky from last UI choice)
+ *        c) the user's only visible workspace, if exactly one exists
+ *
+ * Membership at the workspace level is intentionally not modeled —
+ * any org member sees every workspace in that org. Add finer-grained
+ * scoping at the app level if needed later.
+ */
+async function sessionWorkspace(pool, sessionId) {
+    const { rows } = await pool.query(`SELECT current_workspace_id FROM engram_auth_sessions WHERE id = $1 LIMIT 1`, [sessionId]);
+    return rows[0]?.current_workspace_id ?? null;
+}
+export function makeCookieAuthResolver(opts) {
+    return async (req) => {
+        const session = await opts.auth.api
+            .getSession({ headers: req.headers })
+            .catch(() => null);
+        if (!session?.user)
+            return null;
+        const visible = await opts.orgStore.listWorkspacesForUser(session.user.id);
+        if (visible.length === 0)
+            return null;
+        const allowed = new Set(visible.map((w) => w.id));
+        const headerWs = req.headers.get("x-workspace-id");
+        let pick = null;
+        if (headerWs) {
+            if (allowed.has(headerWs))
+                pick = headerWs;
+            else
+                return null; // explicit header that isn't allowed → 401
+        }
+        else {
+            const stickied = await sessionWorkspace(opts.pool, session.session.id);
+            if (stickied && allowed.has(stickied))
+                pick = stickied;
+            else if (visible.length === 1)
+                pick = visible[0].id;
+        }
+        if (!pick)
+            return null;
+        return { workspaceId: pick, storage: opts.getStorage(pick) };
+    };
+}

package/dist/auth.d.ts

@@ -0,0 +1,196 @@
+/**
+ * better-auth instance for engram-server.
+ *
+ * Two auth modes coexist on /v1/*:
+ *   - x-api-key / Bearer  → machine callers (monet telemetry / MCP),
+ *                           resolved through KeyStore → workspace.
+ *   - cookie session       → human users from engram-web,
+ *                           resolved through this module → user →
+ *                           membership check → workspace.
+ *
+ * Tables live under \`engram_auth_*\` (see migration 0006-auth) so the
+ * shorter \`engram_session\` namespace remains agent-trajectory only.
+ *
+ * Required env (production):
+ *   ENGRAM_AUTH_SECRET           cookie/JWT signing secret (>= 32 chars)
+ *   ENGRAM_AUTH_URL              full base URL of this server
+ *                                (e.g. https://api.engram.hexis.ltd)
+ *   ENGRAM_AUTH_GOOGLE_ID        Google OAuth client id
+ *   ENGRAM_AUTH_GOOGLE_SECRET    Google OAuth client secret
+ *
+ * Optional:
+ *   ENGRAM_AUTH_COOKIE_DOMAIN    set to .hexis.ltd to share cookies
+ *                                between engram.hexis.ltd (web) and
+ *                                api.engram.hexis.ltd (this server)
+ *   ENGRAM_AUTH_TRUSTED_ORIGINS  comma-separated extra origins, e.g.
+ *                                engram-web's URL in dev
+ *   ENGRAM_AUTH_EMAIL_DOMAIN     restrict sign-in to one email domain
+ *                                (default: hexis.ltd)
+ */
+import type { Pool } from "pg";
+export interface BuildAuthOptions {
+    /** node-postgres Pool for better-auth's Kysely adapter. */
+    pool: Pool;
+    /** Cookie/JWT signing secret. Required, >= 32 chars in prod. */
+    secret: string;
+    /** Full base URL of this server (e.g. https://api.engram.hexis.ltd). */
+    baseURL: string;
+    google: {
+        clientId: string;
+        clientSecret: string;
+    };
+    /** Cookie scope when web + api are on sibling subdomains. */
+    cookieDomain?: string;
+    /** Additional trustedOrigins for CSRF / redirect allowlist. */
+    trustedOrigins?: string[];
+    /** Restrict sign-in to a single email domain. Default: hexis.ltd. */
+    emailDomain?: string;
+    /** Use Secure cookies (HTTPS only). Defaults to NODE_ENV=production. */
+    secureCookies?: boolean;
+}
+export type EngramAuth = ReturnType<typeof buildAuth>;
+/**
+ * Construct the better-auth instance. The returned value exposes
+ *   - \`handler(req: Request): Response\` for Hono \`.all("/auth/*", ...)\`
+ *   - \`api.getSession({ headers })\` for cookie → session lookup
+ */
+export declare function buildAuth(opts: BuildAuthOptions): import("better-auth").Auth<{
+    database: Pool;
+    secret: string;
+    baseURL: string;
+    basePath: string;
+    trustedOrigins: string[];
+    user: {
+        modelName: "engram_auth_users";
+        fields: {
+            emailVerified: string;
+            createdAt: string;
+            updatedAt: string;
+        };
+    };
+    session: {
+        modelName: "engram_auth_sessions";
+        fields: {
+            userId: string;
+            expiresAt: string;
+            ipAddress: string;
+            userAgent: string;
+            createdAt: string;
+            updatedAt: string;
+            token: string;
+        };
+        additionalFields: {
+            currentWorkspaceId: {
+                type: "string";
+                required: false;
+                input: false;
+                fieldName: string;
+            };
+        };
+        cookieCache: {
+            enabled: true;
+            maxAge: number;
+        };
+    };
+    account: {
+        modelName: "engram_auth_accounts";
+        fields: {
+            userId: string;
+            accountId: string;
+            providerId: string;
+            accessToken: string;
+            refreshToken: string;
+            idToken: string;
+            accessTokenExpiresAt: string;
+            refreshTokenExpiresAt: string;
+            scope: string;
+            password: string;
+            createdAt: string;
+            updatedAt: string;
+        };
+        accountLinking: {
+            enabled: true;
+            trustedProviders: "google"[];
+        };
+    };
+    verification: {
+        modelName: "engram_auth_verifications";
+        fields: {
+            expiresAt: string;
+            createdAt: string;
+            updatedAt: string;
+        };
+    };
+    advanced: {
+        database: {
+            generateId: () => string;
+        };
+        cookiePrefix: string;
+        cookies: {
+            sessionToken: {
+                attributes: {
+                    domain: string;
+                    sameSite: "lax";
+                    secure: boolean;
+                    httpOnly: true;
+                    path: string;
+                };
+            };
+        } | undefined;
+        useSecureCookies: boolean;
+        crossSubDomainCookies: {
+            enabled: true;
+            domain: string;
+        } | undefined;
+    };
+    socialProviders: {
+        google: {
+            clientId: string;
+            clientSecret: string;
+        };
+    };
+    databaseHooks: {
+        user: {
+            create: {
+                before: (user: {
+                    id: string;
+                    createdAt: Date;
+                    updatedAt: Date;
+                    email: string;
+                    emailVerified: boolean;
+                    name: string;
+                    image?: string | null | undefined;
+                } & Record<string, unknown>) => Promise<{
+                    data: {
+                        id: string;
+                        createdAt: Date;
+                        updatedAt: Date;
+                        email: string;
+                        emailVerified: boolean;
+                        name: string;
+                        image?: string | null | undefined;
+                    } & Record<string, unknown>;
+                }>;
+            };
+        };
+    };
+    plugins: [{
+        id: "bearer";
+        version: string;
+        hooks: {
+            before: {
+                matcher(context: import("better-auth").HookEndpointContext): boolean;
+                handler: (inputContext: import("better-auth").MiddlewareInputContext<import("better-auth").MiddlewareOptions>) => Promise<{
+                    context: {
+                        headers: Headers;
+                    };
+                } | undefined>;
+            }[];
+            after: {
+                matcher(context: import("better-auth").HookEndpointContext): true;
+                handler: (inputContext: import("better-auth").MiddlewareInputContext<import("better-auth").MiddlewareOptions>) => Promise<void>;
+            }[];
+        };
+        options: import("better-auth/plugins").BearerOptions | undefined;
+    }];
+}>;