@inkeep/agents-api 0.0.0-dev-20260123094230 → 0.0.0-dev-20260123202200

package/dist/.well-known/workflow/v1/step.cjs.debug.json

@@ -1,6 +1,6 @@
 {
   "stepFiles": [
-    "/home/runner/work/agents/agents/agents-api/src/domains/evals/workflow/functions/runDatasetItem.ts",
-    "/home/runner/work/agents/agents/agents-api/src/domains/evals/workflow/functions/evaluateConversation.ts"
+    "/home/runner/work/agents/agents/agents-api/src/domains/evals/workflow/functions/evaluateConversation.ts",
+    "/home/runner/work/agents/agents/agents-api/src/domains/evals/workflow/functions/runDatasetItem.ts"
   ]
 }

package/dist/data/db/runDbClient.d.ts

@@ -1,6 +1,6 @@
-import * as _inkeep_agents_core3 from "@inkeep/agents-core";
+import * as _inkeep_agents_core2 from "@inkeep/agents-core";
 
 //#region src/data/db/runDbClient.d.ts
-declare const runDbClient: _inkeep_agents_core3.AgentsRunDatabaseClient;
+declare const runDbClient: _inkeep_agents_core2.AgentsRunDatabaseClient;
 //#endregion
 export { runDbClient as default };

package/dist/domains/evals/routes/datasetTriggers.d.ts

@@ -1,7 +1,7 @@
 import { OpenAPIHono } from "@hono/zod-openapi";
-import * as hono12 from "hono";
+import * as hono18 from "hono";
 
 //#region src/domains/evals/routes/datasetTriggers.d.ts
-declare const app: OpenAPIHono<hono12.Env, {}, "/">;
+declare const app: OpenAPIHono<hono18.Env, {}, "/">;
 //#endregion
 export { app as default };

package/dist/domains/evals/routes/index.d.ts

@@ -1,7 +1,7 @@
 import { OpenAPIHono } from "@hono/zod-openapi";
-import * as hono13 from "hono";
+import * as hono16 from "hono";
 
 //#region src/domains/evals/routes/index.d.ts
-declare const app: OpenAPIHono<hono13.Env, {}, "/">;
+declare const app: OpenAPIHono<hono16.Env, {}, "/">;
 //#endregion
 export { app as default };

package/dist/domains/evals/workflow/routes.d.ts

@@ -1,7 +1,7 @@
 import { Hono } from "hono";
-import * as hono_types7 from "hono/types";
+import * as hono_types8 from "hono/types";
 
 //#region src/domains/evals/workflow/routes.d.ts
-declare const workflowRoutes: Hono<hono_types7.BlankEnv, hono_types7.BlankSchema, "/">;
+declare const workflowRoutes: Hono<hono_types8.BlankEnv, hono_types8.BlankSchema, "/">;
 //#endregion
 export { workflowRoutes };

package/dist/domains/manage/routes/conversations.d.ts

@@ -1,7 +1,7 @@
 import { OpenAPIHono } from "@hono/zod-openapi";
-import * as hono0 from "hono";
+import * as hono17 from "hono";
 
 //#region src/domains/manage/routes/conversations.d.ts
-declare const app: OpenAPIHono<hono0.Env, {}, "/">;
+declare const app: OpenAPIHono<hono17.Env, {}, "/">;
 //#endregion
 export { app as default };

package/dist/domains/manage/routes/index.d.ts

@@ -1,7 +1,7 @@
 import { OpenAPIHono } from "@hono/zod-openapi";
-import * as hono9 from "hono";
+import * as hono15 from "hono";
 
 //#region src/domains/manage/routes/index.d.ts
-declare const app: OpenAPIHono<hono9.Env, {}, "/">;
+declare const app: OpenAPIHono<hono15.Env, {}, "/">;
 //#endregion
 export { app as default };

package/dist/domains/manage/routes/signoz.d.ts

@@ -1,10 +1,10 @@
 import { ManageAppVariables } from "../../../types/app.js";
 import { Hono } from "hono";
-import * as hono_types9 from "hono/types";
+import * as hono_types7 from "hono/types";
 
 //#region src/domains/manage/routes/signoz.d.ts
 declare const app: Hono<{
   Variables: ManageAppVariables;
-}, hono_types9.BlankSchema, "/">;
+}, hono_types7.BlankSchema, "/">;
 //#endregion
 export { app as default };

package/dist/domains/manage/routes/triggers.js

@@ -4,21 +4,11 @@ import runDbClient_default from "../../../data/db/runDbClient.js";
 import { requireProjectPermission } from "../../../middleware/projectAccess.js";
 import { speakeasyOffsetLimitPagination } from "../../../utils/speakeasy.js";
 import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
-import { PaginationQueryParamsSchema, TenantProjectAgentIdParamsSchema, TenantProjectAgentParamsSchema, TriggerApiInsertSchema, TriggerApiSelectSchema, TriggerApiUpdateSchema, TriggerInvocationListResponse, TriggerInvocationResponse, TriggerInvocationStatusEnum, commonGetErrorResponses, createApiError, createTrigger, deleteTrigger, generateId, getTriggerById, getTriggerInvocationById, hashAuthenticationHeaders, listTriggerInvocationsPaginated, listTriggersPaginated, updateTrigger } from "@inkeep/agents-core";
+import { PaginationQueryParamsSchema, TenantProjectAgentIdParamsSchema, TenantProjectAgentParamsSchema, TriggerApiInsertSchema, TriggerApiUpdateSchema, TriggerInvocationListResponse, TriggerInvocationResponse, TriggerInvocationStatusEnum, TriggerWithWebhookUrlListResponse, TriggerWithWebhookUrlResponse, commonGetErrorResponses, createApiError, createTrigger, deleteTrigger, generateId, getCredentialReference, getTriggerById, getTriggerInvocationById, hashAuthenticationHeaders, listTriggerInvocationsPaginated, listTriggersPaginated, updateTrigger } from "@inkeep/agents-core";
 
 //#region src/domains/manage/routes/triggers.ts
 const logger = getLogger$1("triggers");
 const app = new OpenAPIHono();
-const TriggerResponse = z.object({ data: TriggerApiSelectSchema.extend({ webhookUrl: z.string().describe("Fully qualified webhook URL for this trigger") }) });
-const TriggerListResponse = z.object({
-	data: z.array(TriggerApiSelectSchema.extend({ webhookUrl: z.string().describe("Fully qualified webhook URL for this trigger") })),
-	pagination: z.object({
-		page: z.number(),
-		limit: z.number(),
-		total: z.number(),
-		pages: z.number()
-	})
-});
 app.use("/", async (c, next) => {
 	if (c.req.method === "POST") return requireProjectPermission("edit")(c, next);
 	return next();
@@ -51,7 +41,7 @@ app.openapi(createRoute({
 	responses: {
 		200: {
 			description: "List of triggers retrieved successfully",
-			content: { "application/json": { schema: TriggerListResponse } }
+			content: { "application/json": { schema: TriggerWithWebhookUrlListResponse } }
 		},
 		...commonGetErrorResponses
 	},
@@ -103,7 +93,7 @@ app.openapi(createRoute({
 	responses: {
 		200: {
 			description: "Trigger found",
-			content: { "application/json": { schema: TriggerResponse } }
+			content: { "application/json": { schema: TriggerWithWebhookUrlResponse } }
 		},
 		...commonGetErrorResponses
 	}
@@ -151,7 +141,7 @@ app.openapi(createRoute({
 	responses: {
 		201: {
 			description: "Trigger created successfully",
-			content: { "application/json": { schema: TriggerResponse } }
+			content: { "application/json": { schema: TriggerWithWebhookUrlResponse } }
 		},
 		...commonGetErrorResponses
 	}
@@ -161,12 +151,29 @@ app.openapi(createRoute({
 	const body = c.req.valid("json");
 	const apiBaseUrl = env.INKEEP_AGENTS_API_URL;
 	const id = body.id || generateId();
-	logger.info({
+	logger.debug({
 		tenantId,
 		projectId,
 		agentId,
 		triggerId: id
 	}, "Creating trigger");
+	if (body.signingSecretCredentialReferenceId) {
+		const credentialRef = await getCredentialReference(db)({
+			scopes: {
+				tenantId,
+				projectId
+			},
+			id: body.signingSecretCredentialReferenceId
+		});
+		if (!credentialRef) throw createApiError({
+			code: "bad_request",
+			message: `Credential reference not found: ${body.signingSecretCredentialReferenceId}`
+		});
+		if (credentialRef.userId) throw createApiError({
+			code: "bad_request",
+			message: "Only project-scoped credentials can be attached to triggers. User-scoped credentials are not allowed."
+		});
+	}
 	let hashedAuthentication;
 	const authInput = body.authentication;
 	if (authInput?.headers && authInput.headers.length > 0) hashedAuthentication = { headers: await hashAuthenticationHeaders(authInput.headers) };
@@ -182,7 +189,8 @@ app.openapi(createRoute({
 		outputTransform: body.outputTransform,
 		messageTemplate: body.messageTemplate,
 		authentication: hashedAuthentication,
-		signingSecret: body.signingSecret
+		signingSecretCredentialReferenceId: body.signingSecretCredentialReferenceId,
+		signatureVerification: body.signatureVerification
 	});
 	const { tenantId: _tid, projectId: _pid, agentId: _aid, ...triggerWithoutScopes } = trigger;
 	return c.json({ data: {
@@ -212,7 +220,7 @@ app.openapi(createRoute({
 	responses: {
 		200: {
 			description: "Trigger updated successfully",
-			content: { "application/json": { schema: TriggerResponse } }
+			content: { "application/json": { schema: TriggerWithWebhookUrlResponse } }
 		},
 		...commonGetErrorResponses
 	}
@@ -221,16 +229,33 @@ app.openapi(createRoute({
 	const { tenantId, projectId, agentId, id } = c.req.valid("param");
 	const body = c.req.valid("json");
 	const apiBaseUrl = env.INKEEP_AGENTS_API_URL;
-	if (!(body.name !== void 0 || body.description !== void 0 || body.enabled !== void 0 || body.inputSchema !== void 0 || body.outputTransform !== void 0 || body.messageTemplate !== void 0 || body.authentication !== void 0 || body.signingSecret !== void 0 || body.keepExistingSigningSecret !== void 0)) throw createApiError({
+	if (!(body.name !== void 0 || body.description !== void 0 || body.enabled !== void 0 || body.inputSchema !== void 0 || body.outputTransform !== void 0 || body.messageTemplate !== void 0 || body.authentication !== void 0 || body.signingSecretCredentialReferenceId !== void 0 || body.signatureVerification !== void 0)) throw createApiError({
 		code: "bad_request",
 		message: "No fields to update"
 	});
-	logger.info({
+	logger.debug({
 		tenantId,
 		projectId,
 		agentId,
 		triggerId: id
 	}, "Updating trigger");
+	if (body.signingSecretCredentialReferenceId) {
+		const credentialRef = await getCredentialReference(db)({
+			scopes: {
+				tenantId,
+				projectId
+			},
+			id: body.signingSecretCredentialReferenceId
+		});
+		if (!credentialRef) throw createApiError({
+			code: "bad_request",
+			message: `Credential reference not found: ${body.signingSecretCredentialReferenceId}`
+		});
+		if (credentialRef.userId) throw createApiError({
+			code: "bad_request",
+			message: "Only project-scoped credentials can be attached to triggers. User-scoped credentials are not allowed."
+		});
+	}
 	let hashedAuthentication;
 	const authInput = body.authentication;
 	if (authInput?.headers && authInput.headers.length > 0) {
@@ -259,7 +284,6 @@ app.openapi(createRoute({
 		}
 		hashedAuthentication = hashedHeaders.length > 0 ? { headers: hashedHeaders } : void 0;
 	} else if (body.authentication !== void 0) hashedAuthentication = body.authentication;
-	const signingSecretUpdate = body.keepExistingSigningSecret ? void 0 : body.signingSecret;
 	const updatedTrigger = await updateTrigger(db)({
 		scopes: {
 			tenantId,
@@ -275,7 +299,8 @@ app.openapi(createRoute({
 			outputTransform: body.outputTransform,
 			messageTemplate: body.messageTemplate,
 			authentication: hashedAuthentication,
-			signingSecret: signingSecretUpdate
+			signingSecretCredentialReferenceId: body.signingSecretCredentialReferenceId,
+			signatureVerification: body.signatureVerification
 		}
 	});
 	if (!updatedTrigger) throw createApiError({
@@ -311,7 +336,7 @@ app.openapi(createRoute({
 }), async (c) => {
 	const db = c.get("db");
 	const { tenantId, projectId, agentId, id } = c.req.valid("param");
-	logger.info({
+	logger.debug({
 		tenantId,
 		projectId,
 		agentId,
@@ -372,7 +397,7 @@ app.openapi(createRoute({
 }), async (c) => {
 	const { tenantId, projectId, agentId, id: triggerId } = c.req.valid("param");
 	const { page, limit, status, from, to } = c.req.valid("query");
-	logger.info({
+	logger.debug({
 		tenantId,
 		projectId,
 		agentId,
@@ -426,7 +451,7 @@ app.openapi(createRoute({
 	}
 }), async (c) => {
 	const { tenantId, projectId, agentId, id: triggerId, invocationId } = c.req.valid("param");
-	logger.info({
+	logger.debug({
 		tenantId,
 		projectId,
 		agentId,

package/dist/domains/run/routes/webhooks.js

@@ -55,6 +55,10 @@ const triggerWebhookRoute = createRoute({
 		422: {
 			description: "Payload transformation failed",
 			content: { "application/json": { schema: z.object({ error: z.string() }) } }
+		},
+		500: {
+			description: "Internal server error",
+			content: { "application/json": { schema: z.object({ error: z.string() }) } }
 		}
 	}
 });

package/dist/domains/run/services/TriggerService.d.ts

@@ -19,7 +19,7 @@ type TriggerWebhookResult = {
 } | {
   success: false;
   error: string;
-  status: 400 | 401 | 403 | 404 | 422;
+  status: 400 | 401 | 403 | 404 | 422 | 500;
   validationErrors?: string[];
 };
 /**

package/dist/domains/run/services/TriggerService.js

@@ -4,13 +4,15 @@ import manageDbPool_default from "../../../data/db/manageDbPool.js";
 import runDbClient_default from "../../../data/db/runDbClient.js";
 import { createSSEStreamHelper } from "../utils/stream-helpers.js";
 import { ExecutionHandler } from "../handlers/executionHandler.js";
-import { JsonTransformer, createMessage, createOrGetConversation, createTriggerInvocation, generateId, getConversationId, getFullProjectWithRelationIds, getTriggerById, interpolateTemplate, setActiveAgentForConversation, updateTriggerInvocationStatus, verifySigningSecret, verifyTriggerAuth, withRef } from "@inkeep/agents-core";
+import { JsonTransformer, createKeyChainStore, createMessage, createOrGetConversation, createTriggerInvocation, generateId, getConversationId, getCredentialReference, getCredentialStoreLookupKeyFromRetrievalParams, getFullProjectWithRelationIds, getTriggerById, interpolateTemplate, setActiveAgentForConversation, updateTriggerInvocationStatus, verifySignatureWithConfig, verifyTriggerAuth, withRef } from "@inkeep/agents-core";
 import { ROOT_CONTEXT, SpanStatusCode, propagation, trace } from "@opentelemetry/api";
 import Ajv from "ajv";
 
 //#region src/domains/run/services/TriggerService.ts
 const logger = getLogger$1("TriggerService");
 const ajv = new Ajv({ allErrors: true });
+const credentialCache = /* @__PURE__ */ new Map();
+const CACHE_TTL_MS = 300 * 1e3;
 /**
 * Process a trigger webhook request.
 * Handles validation, transformation, and dispatches async execution.
@@ -37,7 +39,14 @@ async function processWebhook(params) {
 	const payload = rawBody ? JSON.parse(rawBody) : {};
 	const authResult = await verifyAuthentication(trigger, honoContext);
 	if (!authResult.success) return authResult;
-	const signatureResult = verifySignature(trigger, honoContext, rawBody);
+	const signatureResult = await verifySignature({
+		trigger,
+		tenantId,
+		projectId,
+		resolvedRef,
+		honoContext,
+		rawBody
+	});
 	if (!signatureResult.success) return signatureResult;
 	const validationResult = validatePayload(trigger, payload);
 	if (!validationResult.success) return validationResult;
@@ -94,15 +103,106 @@ async function verifyAuthentication(trigger, honoContext) {
 	}
 	return { success: true };
 }
-function verifySignature(trigger, honoContext, rawBody) {
-	if (!trigger.signingSecret) return { success: true };
-	const signatureResult = verifySigningSecret(honoContext, trigger.signingSecret, rawBody);
-	if (!signatureResult.success) return {
-		success: false,
-		error: signatureResult.message || "Invalid signature",
-		status: 403
-	};
-	return { success: true };
+/**
+* Resolve signing secret from credential reference with caching
+*/
+async function resolveSigningSecret(params) {
+	const { tenantId, projectId, credentialReferenceId, resolvedRef } = params;
+	const cacheKey = `${tenantId}:${projectId}:${credentialReferenceId}`;
+	const cached = credentialCache.get(cacheKey);
+	if (cached && cached.expiresAt > Date.now()) return cached.secret;
+	const credentialRef = await withRef(manageDbPool_default, resolvedRef, (db) => getCredentialReference(db)({
+		scopes: {
+			tenantId,
+			projectId
+		},
+		id: credentialReferenceId
+	}));
+	if (!credentialRef) {
+		logger.warn({
+			tenantId,
+			projectId,
+			credentialReferenceId
+		}, "Credential reference not found");
+		return null;
+	}
+	const lookupKey = getCredentialStoreLookupKeyFromRetrievalParams({
+		retrievalParams: credentialRef.retrievalParams ?? {},
+		credentialStoreType: credentialRef.type
+	});
+	if (!lookupKey) {
+		logger.warn({
+			tenantId,
+			projectId,
+			credentialReferenceId,
+			retrievalParams: credentialRef.retrievalParams
+		}, "Could not determine lookup key from credential reference");
+		return null;
+	}
+	let secret = null;
+	if (credentialRef.type === "keychain" || credentialRef.credentialStoreId?.startsWith("keychain")) secret = await createKeyChainStore(credentialRef.credentialStoreId ?? "keychain-default").get(lookupKey);
+	else {
+		logger.warn({
+			credentialStoreType: credentialRef.type,
+			credentialStoreId: credentialRef.credentialStoreId
+		}, "Unsupported credential store type for signing secret");
+		return null;
+	}
+	if (!secret) {
+		logger.warn({
+			tenantId,
+			projectId,
+			credentialReferenceId,
+			lookupKey
+		}, "No secret found in credential store");
+		return null;
+	}
+	if (secret.startsWith("{")) try {
+		const parsed = JSON.parse(secret);
+		const extractedSecret = parsed.access_token || parsed.secret || parsed.value || parsed.token || parsed.key;
+		if (extractedSecret && typeof extractedSecret === "string") secret = extractedSecret;
+	} catch {}
+	credentialCache.set(cacheKey, {
+		secret,
+		expiresAt: Date.now() + CACHE_TTL_MS
+	});
+	return secret;
+}
+async function verifySignature(params) {
+	const { trigger, tenantId, projectId, resolvedRef, honoContext, rawBody } = params;
+	if (!trigger.signatureVerification || !trigger.signingSecretCredentialReferenceId) return { success: true };
+	try {
+		const secret = await resolveSigningSecret({
+			tenantId,
+			projectId,
+			credentialReferenceId: trigger.signingSecretCredentialReferenceId,
+			resolvedRef
+		});
+		if (!secret) return {
+			success: false,
+			error: "Failed to resolve signing secret from credential reference",
+			status: 500
+		};
+		const result = verifySignatureWithConfig(honoContext, trigger.signatureVerification, secret, rawBody);
+		if (!result.success) return {
+			success: false,
+			error: result.message || "Invalid signature",
+			status: 403
+		};
+		return { success: true };
+	} catch (error) {
+		const errorMessage = error instanceof Error ? error.message : String(error);
+		logger.error({
+			error: errorMessage,
+			tenantId,
+			projectId
+		}, "Error during signature verification");
+		return {
+			success: false,
+			error: "Signature verification failed",
+			status: 500
+		};
+	}
 }
 function validatePayload(trigger, payload) {
 	if (!trigger.inputSchema) return { success: true };

package/dist/domains/run/tools/NativeSandboxExecutor.js

@@ -312,8 +312,6 @@ var NativeSandboxExecutor = class {
 			mkdirSync(runDir, { recursive: true });
 			writeFileSync(join(runDir, `index.${moduleType === "esm" ? "mjs" : "cjs"}`), executionCode, "utf8");
 			return await this.executeInSandbox(runDir, config.sandboxConfig?.timeout || FUNCTION_TOOL_EXECUTION_TIMEOUT_MS_DEFAULT, moduleType, config.sandboxConfig);
-		} catch (error) {
-			throw error;
 		} finally {
 			if (runDir) try {
 				rmSync(runDir, {

package/dist/domains/run/utils/token-estimator.d.ts

@@ -1,4 +1,4 @@
-import * as _inkeep_agents_core2 from "@inkeep/agents-core";
+import * as _inkeep_agents_core3 from "@inkeep/agents-core";
 import { BreakdownComponentDef, ContextBreakdown, calculateBreakdownTotal, createEmptyBreakdown } from "@inkeep/agents-core";
 
 //#region src/domains/run/utils/token-estimator.d.ts
@@ -17,7 +17,7 @@ interface AssembleResult {
   /** The assembled prompt string */
   prompt: string;
   /** Token breakdown for each component */
-  breakdown: _inkeep_agents_core2.ContextBreakdown;
+  breakdown: _inkeep_agents_core3.ContextBreakdown;
 }
 //#endregion
 export { AssembleResult, type BreakdownComponentDef, type ContextBreakdown, calculateBreakdownTotal, createEmptyBreakdown, estimateTokens };

package/dist/factory.d.ts

@@ -795,25 +795,25 @@ declare function createAgentsAuth(userAuthConfig?: UserAuthConfig): better_auth0
       ac: better_auth_plugins0.AccessControl;
       roles: {
         member: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "project" | "organization" | "team" | "member" | "ac" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"project" | "organization" | "team" | "member" | "ac" | "invitation", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"project" | "organization" | "team" | "member" | "ac" | "invitation", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"project" | "organization" | "team" | "member" | "ac" | "invitation", better_auth_plugins0.Statements>;
         };
         admin: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "project" | "organization" | "team" | "member" | "ac" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"project" | "organization" | "team" | "member" | "ac" | "invitation", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"project" | "organization" | "team" | "member" | "ac" | "invitation", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"project" | "organization" | "team" | "member" | "ac" | "invitation", better_auth_plugins0.Statements>;
         };
         owner: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "project" | "organization" | "team" | "member" | "ac" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"project" | "organization" | "team" | "member" | "ac" | "invitation", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"project" | "organization" | "team" | "member" | "ac" | "invitation", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"project" | "organization" | "team" | "member" | "ac" | "invitation", better_auth_plugins0.Statements>;
         };
       };
       membershipLimit: number;
@@ -1104,25 +1104,25 @@ declare function createAgentsAuth(userAuthConfig?: UserAuthConfig): better_auth0
       ac: better_auth_plugins0.AccessControl;
       roles: {
         member: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "project" | "organization" | "team" | "member" | "ac" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"project" | "organization" | "team" | "member" | "ac" | "invitation", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"project" | "organization" | "team" | "member" | "ac" | "invitation", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"project" | "organization" | "team" | "member" | "ac" | "invitation", better_auth_plugins0.Statements>;
         };
         admin: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "project" | "organization" | "team" | "member" | "ac" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"project" | "organization" | "team" | "member" | "ac" | "invitation", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"project" | "organization" | "team" | "member" | "ac" | "invitation", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"project" | "organization" | "team" | "member" | "ac" | "invitation", better_auth_plugins0.Statements>;
         };
         owner: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "project" | "organization" | "team" | "member" | "ac" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"project" | "organization" | "team" | "member" | "ac" | "invitation", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"project" | "organization" | "team" | "member" | "ac" | "invitation", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"project" | "organization" | "team" | "member" | "ac" | "invitation", better_auth_plugins0.Statements>;
         };
       };
       membershipLimit: number;