@inkeep/agents-api 0.0.0-dev-20260123202200 → 0.0.0-dev-20260123211824

package/dist/.well-known/workflow/v1/step.cjs

@@ -66455,7 +66455,7 @@ var require_pg_pool = __commonJS({
       throw new Error("Release called on client which has already been released to the pool.");
     }
     __name(throwOnDoubleRelease, "throwOnDoubleRelease");
-    function promisify4(Promise2, callback) {
+    function promisify5(Promise2, callback) {
       if (callback) {
         return {
           callback,
@@ -66479,7 +66479,7 @@ var require_pg_pool = __commonJS({
         result
       };
     }
-    __name(promisify4, "promisify");
+    __name(promisify5, "promisify");
     function makeIdleListener(pool2, client) {
       return /* @__PURE__ */ __name(function idleListener(err2) {
         err2.client = client;
@@ -66597,7 +66597,7 @@ var require_pg_pool = __commonJS({
           const err2 = new Error("Cannot use a pool after calling end on the pool");
           return cb ? cb(err2) : this.Promise.reject(err2);
         }
-        const response = promisify4(this.Promise, cb);
+        const response = promisify5(this.Promise, cb);
         const result = response.result;
         if (this._isFull() || this._idle.length) {
           if (this._idle.length) {
@@ -66751,7 +66751,7 @@ var require_pg_pool = __commonJS({
       }
       query(text3, values, cb) {
         if (typeof text3 === "function") {
-          const response2 = promisify4(this.Promise, text3);
+          const response2 = promisify5(this.Promise, text3);
           setImmediate(function() {
             return response2.callback(new Error("Passing a function as the first parameter to pool.query is not supported"));
           });
@@ -66761,7 +66761,7 @@ var require_pg_pool = __commonJS({
           cb = values;
           values = void 0;
         }
-        const response = promisify4(this.Promise, cb);
+        const response = promisify5(this.Promise, cb);
         cb = response.callback;
         this.connect((err2, client) => {
           if (err2) {
@@ -66806,7 +66806,7 @@ var require_pg_pool = __commonJS({
           return cb ? cb(err2) : this.Promise.reject(err2);
         }
         this.ending = true;
-        const promised = promisify4(this.Promise, cb);
+        const promised = promisify5(this.Promise, cb);
         this._endCallback = promised.callback;
         this._pulseQueue();
         return promised.result;
@@ -91427,7 +91427,7 @@ var require_mock_interceptor = __commonJS({
 var require_mock_client = __commonJS({
   "../node_modules/.pnpm/undici@6.22.0/node_modules/undici/lib/mock/mock-client.js"(exports2, module2) {
     "use strict";
-    var { promisify: promisify4 } = require("node:util");
+    var { promisify: promisify5 } = require("node:util");
     var Client10 = require_client4();
     var { buildMockDispatch } = require_mock_utils();
     var { kDispatches, kMockAgent, kClose, kOriginalClose, kOrigin, kOriginalDispatch, kConnected } = require_mock_symbols();
@@ -91462,7 +91462,7 @@ var require_mock_client = __commonJS({
         return new MockInterceptor(opts, this[kDispatches]);
       }
       async [kClose]() {
-        await promisify4(this[kOriginalClose])();
+        await promisify5(this[kOriginalClose])();
         this[kConnected] = 0;
         this[kMockAgent][Symbols.kClients].delete(this[kOrigin]);
       }
@@ -91475,7 +91475,7 @@ var require_mock_client = __commonJS({
 var require_mock_pool = __commonJS({
   "../node_modules/.pnpm/undici@6.22.0/node_modules/undici/lib/mock/mock-pool.js"(exports2, module2) {
     "use strict";
-    var { promisify: promisify4 } = require("node:util");
+    var { promisify: promisify5 } = require("node:util");
     var Pool3 = require_pool2();
     var { buildMockDispatch } = require_mock_utils();
     var { kDispatches, kMockAgent, kClose, kOriginalClose, kOrigin, kOriginalDispatch, kConnected } = require_mock_symbols();
@@ -91510,7 +91510,7 @@ var require_mock_pool = __commonJS({
         return new MockInterceptor(opts, this[kDispatches]);
       }
       async [kClose]() {
-        await promisify4(this[kOriginalClose])();
+        await promisify5(this[kOriginalClose])();
         this[kConnected] = 0;
         this[kMockAgent][Symbols.kClients].delete(this[kOrigin]);
       }
@@ -109784,6 +109784,7 @@ var subAgentFunctionToolRelations = pgTable("sub_agent_function_tool_relations",
   functionToolId: varchar("function_tool_id", {
     length: 256
   }).notNull(),
+  toolPolicies: jsonb("tool_policies").$type(),
   ...timestamps
 }, (table) => [
   primaryKey({
@@ -135259,6 +135260,156 @@ var Timestamp$Type = class extends import_runtime231.MessageType {
 };
 var Timestamp = new Timestamp$Type();
 
+// ../node_modules/.pnpm/@authzed+authzed-node@1.6.1/node_modules/@authzed/authzed-node/dist/src/v1.js
+var v1_exports = {};
+__export(v1_exports, {
+  AlgebraicSubjectSet: () => AlgebraicSubjectSet,
+  AlgebraicSubjectSet_Operation: () => AlgebraicSubjectSet_Operation,
+  BreakingSchemaChange: () => BreakingSchemaChange,
+  BulkCheckPermissionPair: () => BulkCheckPermissionPair,
+  BulkCheckPermissionRequest: () => BulkCheckPermissionRequest,
+  BulkCheckPermissionRequestItem: () => BulkCheckPermissionRequestItem,
+  BulkCheckPermissionResponse: () => BulkCheckPermissionResponse,
+  BulkCheckPermissionResponseItem: () => BulkCheckPermissionResponseItem,
+  BulkExportRelationshipsRequest: () => BulkExportRelationshipsRequest,
+  BulkExportRelationshipsResponse: () => BulkExportRelationshipsResponse,
+  BulkImportRelationshipsRequest: () => BulkImportRelationshipsRequest,
+  BulkImportRelationshipsResponse: () => BulkImportRelationshipsResponse,
+  CheckBulkPermissionsPair: () => CheckBulkPermissionsPair,
+  CheckBulkPermissionsRequest: () => CheckBulkPermissionsRequest,
+  CheckBulkPermissionsRequestItem: () => CheckBulkPermissionsRequestItem,
+  CheckBulkPermissionsResponse: () => CheckBulkPermissionsResponse,
+  CheckBulkPermissionsResponseItem: () => CheckBulkPermissionsResponseItem,
+  CheckPermissionRequest: () => CheckPermissionRequest,
+  CheckPermissionResponse: () => CheckPermissionResponse,
+  CheckPermissionResponse_Permissionship: () => CheckPermissionResponse_Permissionship,
+  ClientSecurity: () => ClientSecurity,
+  ComputablePermissionsRequest: () => ComputablePermissionsRequest,
+  ComputablePermissionsResponse: () => ComputablePermissionsResponse,
+  Consistency: () => Consistency,
+  ContextualizedCaveat: () => ContextualizedCaveat,
+  Cursor: () => Cursor,
+  DeleteRelationshipsRequest: () => DeleteRelationshipsRequest,
+  DeleteRelationshipsResponse: () => DeleteRelationshipsResponse,
+  DeleteRelationshipsResponse_DeletionProgress: () => DeleteRelationshipsResponse_DeletionProgress,
+  DependentRelationsRequest: () => DependentRelationsRequest,
+  DependentRelationsResponse: () => DependentRelationsResponse,
+  DiffSchemaRequest: () => DiffSchemaRequest,
+  DiffSchemaResponse: () => DiffSchemaResponse,
+  DirectSubjectSet: () => DirectSubjectSet,
+  ErrorReason: () => ErrorReason,
+  ExpCaveat: () => ExpCaveat,
+  ExpCaveatParameter: () => ExpCaveatParameter,
+  ExpCaveatParameterTypeChange: () => ExpCaveatParameterTypeChange,
+  ExpDefinition: () => ExpDefinition,
+  ExpPermission: () => ExpPermission,
+  ExpRelation: () => ExpRelation,
+  ExpRelationReference: () => ExpRelationReference,
+  ExpRelationSubjectTypeChange: () => ExpRelationSubjectTypeChange,
+  ExpSchemaDiff: () => ExpSchemaDiff,
+  ExpSchemaFilter: () => ExpSchemaFilter,
+  ExpTypeReference: () => ExpTypeReference,
+  ExpandPermissionTreeRequest: () => ExpandPermissionTreeRequest,
+  ExpandPermissionTreeResponse: () => ExpandPermissionTreeResponse,
+  ExperimentalComputablePermissionsRequest: () => ExperimentalComputablePermissionsRequest,
+  ExperimentalComputablePermissionsResponse: () => ExperimentalComputablePermissionsResponse,
+  ExperimentalCountRelationshipsRequest: () => ExperimentalCountRelationshipsRequest,
+  ExperimentalCountRelationshipsResponse: () => ExperimentalCountRelationshipsResponse,
+  ExperimentalDependentRelationsRequest: () => ExperimentalDependentRelationsRequest,
+  ExperimentalDependentRelationsResponse: () => ExperimentalDependentRelationsResponse,
+  ExperimentalDiffSchemaRequest: () => ExperimentalDiffSchemaRequest,
+  ExperimentalDiffSchemaResponse: () => ExperimentalDiffSchemaResponse,
+  ExperimentalReflectSchemaRequest: () => ExperimentalReflectSchemaRequest,
+  ExperimentalReflectSchemaResponse: () => ExperimentalReflectSchemaResponse,
+  ExperimentalRegisterRelationshipCounterRequest: () => ExperimentalRegisterRelationshipCounterRequest,
+  ExperimentalRegisterRelationshipCounterResponse: () => ExperimentalRegisterRelationshipCounterResponse,
+  ExperimentalService: () => ExperimentalService,
+  ExperimentalServiceClient: () => ExperimentalServiceClient,
+  ExperimentalUnregisterRelationshipCounterRequest: () => ExperimentalUnregisterRelationshipCounterRequest,
+  ExperimentalUnregisterRelationshipCounterResponse: () => ExperimentalUnregisterRelationshipCounterResponse,
+  ExportBulkRelationshipsRequest: () => ExportBulkRelationshipsRequest,
+  ExportBulkRelationshipsResponse: () => ExportBulkRelationshipsResponse,
+  ImportBulkRelationshipsRequest: () => ImportBulkRelationshipsRequest,
+  ImportBulkRelationshipsResponse: () => ImportBulkRelationshipsResponse,
+  LookupPermissionSetsRequest: () => LookupPermissionSetsRequest,
+  LookupPermissionSetsRequired: () => LookupPermissionSetsRequired,
+  LookupPermissionSetsResponse: () => LookupPermissionSetsResponse,
+  LookupPermissionship: () => LookupPermissionship,
+  LookupResourcesRequest: () => LookupResourcesRequest,
+  LookupResourcesResponse: () => LookupResourcesResponse,
+  LookupSubjectsRequest: () => LookupSubjectsRequest,
+  LookupSubjectsRequest_WildcardOption: () => LookupSubjectsRequest_WildcardOption,
+  LookupSubjectsResponse: () => LookupSubjectsResponse,
+  MaterializeCursor: () => Cursor2,
+  MemberReference: () => MemberReference,
+  NewClient: () => NewClient,
+  NewClientWithChannelCredentials: () => NewClientWithChannelCredentials,
+  NewClientWithCustomCert: () => NewClientWithCustomCert,
+  ObjectReference: () => ObjectReference,
+  PartialCaveatInfo: () => PartialCaveatInfo,
+  PbNullValue: () => NullValue,
+  PbStruct: () => Struct,
+  PermissionChange: () => PermissionChange,
+  PermissionChange_Permissionship: () => PermissionChange_Permissionship,
+  PermissionRelationshipTree: () => PermissionRelationshipTree,
+  PermissionSetChange: () => PermissionSetChange,
+  PermissionSetChange_SetOperation: () => PermissionSetChange_SetOperation,
+  PermissionsService: () => PermissionsService,
+  PermissionsServiceClient: () => PermissionsServiceClient,
+  Precondition: () => Precondition,
+  Precondition_Operation: () => Precondition_Operation,
+  ReadCounterValue: () => ReadCounterValue,
+  ReadRelationshipsRequest: () => ReadRelationshipsRequest,
+  ReadRelationshipsResponse: () => ReadRelationshipsResponse,
+  ReadSchemaRequest: () => ReadSchemaRequest,
+  ReadSchemaResponse: () => ReadSchemaResponse,
+  ReflectSchemaRequest: () => ReflectSchemaRequest,
+  ReflectSchemaResponse: () => ReflectSchemaResponse,
+  ReflectionCaveat: () => ReflectionCaveat,
+  ReflectionCaveatParameter: () => ReflectionCaveatParameter,
+  ReflectionCaveatParameterTypeChange: () => ReflectionCaveatParameterTypeChange,
+  ReflectionDefinition: () => ReflectionDefinition,
+  ReflectionPermission: () => ReflectionPermission,
+  ReflectionRelation: () => ReflectionRelation,
+  ReflectionRelationReference: () => ReflectionRelationReference,
+  ReflectionRelationSubjectTypeChange: () => ReflectionRelationSubjectTypeChange,
+  ReflectionSchemaDiff: () => ReflectionSchemaDiff,
+  ReflectionSchemaFilter: () => ReflectionSchemaFilter,
+  ReflectionTypeReference: () => ReflectionTypeReference,
+  Relationship: () => Relationship,
+  RelationshipFilter: () => RelationshipFilter,
+  RelationshipUpdate: () => RelationshipUpdate,
+  RelationshipUpdate_Operation: () => RelationshipUpdate_Operation,
+  ResolvedSubject: () => ResolvedSubject,
+  SchemaService: () => SchemaService,
+  SchemaServiceClient: () => SchemaServiceClient,
+  SetReference: () => SetReference,
+  SubjectFilter: () => SubjectFilter,
+  SubjectFilter_RelationFilter: () => SubjectFilter_RelationFilter,
+  SubjectReference: () => SubjectReference,
+  WatchKind: () => WatchKind,
+  WatchPermissionSetsRequest: () => WatchPermissionSetsRequest,
+  WatchPermissionSetsResponse: () => WatchPermissionSetsResponse,
+  WatchPermissionSetsServiceClient: () => WatchPermissionSetsServiceClient,
+  WatchPermissionsRequest: () => WatchPermissionsRequest,
+  WatchPermissionsResponse: () => WatchPermissionsResponse,
+  WatchPermissionsService: () => WatchPermissionsService,
+  WatchPermissionsServiceClient: () => WatchPermissionsServiceClient,
+  WatchRequest: () => WatchRequest,
+  WatchResponse: () => WatchResponse,
+  WatchService: () => WatchService,
+  WatchServiceClient: () => WatchServiceClient,
+  WatchedPermission: () => WatchedPermission,
+  WriteRelationshipsRequest: () => WriteRelationshipsRequest,
+  WriteRelationshipsResponse: () => WriteRelationshipsResponse,
+  WriteSchemaRequest: () => WriteSchemaRequest,
+  WriteSchemaResponse: () => WriteSchemaResponse,
+  ZedToken: () => ZedToken,
+  createStructFromObject: () => createStructFromObject,
+  default: () => v1_default
+});
+var import_util3 = require("util");
+
 // ../node_modules/.pnpm/@authzed+authzed-node@1.6.1/node_modules/@authzed/authzed-node/dist/src/authzedapi/authzed/api/v1/experimental_service.js
 var import_runtime_rpc2 = __toESM(require_commonjs2(), 1);
 var import_runtime266 = __toESM(require_commonjs(), 1);
@@ -135274,11 +135425,11 @@ var import_runtime235 = __toESM(require_commonjs(), 1);
 var import_runtime236 = __toESM(require_commonjs(), 1);
 var import_runtime237 = __toESM(require_commonjs(), 1);
 var RelationshipUpdate_Operation;
-(function(RelationshipUpdate_Operation2) {
-  RelationshipUpdate_Operation2[RelationshipUpdate_Operation2["UNSPECIFIED"] = 0] = "UNSPECIFIED";
-  RelationshipUpdate_Operation2[RelationshipUpdate_Operation2["CREATE"] = 1] = "CREATE";
-  RelationshipUpdate_Operation2[RelationshipUpdate_Operation2["TOUCH"] = 2] = "TOUCH";
-  RelationshipUpdate_Operation2[RelationshipUpdate_Operation2["DELETE"] = 3] = "DELETE";
+(function(RelationshipUpdate_Operation3) {
+  RelationshipUpdate_Operation3[RelationshipUpdate_Operation3["UNSPECIFIED"] = 0] = "UNSPECIFIED";
+  RelationshipUpdate_Operation3[RelationshipUpdate_Operation3["CREATE"] = 1] = "CREATE";
+  RelationshipUpdate_Operation3[RelationshipUpdate_Operation3["TOUCH"] = 2] = "TOUCH";
+  RelationshipUpdate_Operation3[RelationshipUpdate_Operation3["DELETE"] = 3] = "DELETE";
 })(RelationshipUpdate_Operation || (RelationshipUpdate_Operation = {}));
 var AlgebraicSubjectSet_Operation;
 (function(AlgebraicSubjectSet_Operation2) {
@@ -136994,11 +137145,11 @@ var DeleteRelationshipsResponse_DeletionProgress;
   DeleteRelationshipsResponse_DeletionProgress2[DeleteRelationshipsResponse_DeletionProgress2["PARTIAL"] = 2] = "PARTIAL";
 })(DeleteRelationshipsResponse_DeletionProgress || (DeleteRelationshipsResponse_DeletionProgress = {}));
 var CheckPermissionResponse_Permissionship;
-(function(CheckPermissionResponse_Permissionship2) {
-  CheckPermissionResponse_Permissionship2[CheckPermissionResponse_Permissionship2["UNSPECIFIED"] = 0] = "UNSPECIFIED";
-  CheckPermissionResponse_Permissionship2[CheckPermissionResponse_Permissionship2["NO_PERMISSION"] = 1] = "NO_PERMISSION";
-  CheckPermissionResponse_Permissionship2[CheckPermissionResponse_Permissionship2["HAS_PERMISSION"] = 2] = "HAS_PERMISSION";
-  CheckPermissionResponse_Permissionship2[CheckPermissionResponse_Permissionship2["CONDITIONAL_PERMISSION"] = 3] = "CONDITIONAL_PERMISSION";
+(function(CheckPermissionResponse_Permissionship3) {
+  CheckPermissionResponse_Permissionship3[CheckPermissionResponse_Permissionship3["UNSPECIFIED"] = 0] = "UNSPECIFIED";
+  CheckPermissionResponse_Permissionship3[CheckPermissionResponse_Permissionship3["NO_PERMISSION"] = 1] = "NO_PERMISSION";
+  CheckPermissionResponse_Permissionship3[CheckPermissionResponse_Permissionship3["HAS_PERMISSION"] = 2] = "HAS_PERMISSION";
+  CheckPermissionResponse_Permissionship3[CheckPermissionResponse_Permissionship3["CONDITIONAL_PERMISSION"] = 3] = "CONDITIONAL_PERMISSION";
 })(CheckPermissionResponse_Permissionship || (CheckPermissionResponse_Permissionship = {}));
 var LookupSubjectsRequest_WildcardOption;
 (function(LookupSubjectsRequest_WildcardOption2) {
@@ -143408,9 +143559,237 @@ var ExperimentalService = new import_runtime_rpc2.ServiceType("authzed.api.v1.Ex
 
 // ../node_modules/.pnpm/@authzed+authzed-node@1.6.1/node_modules/@authzed/authzed-node/dist/src/authzedapi/authzed/api/v1/experimental_service.grpc-client.js
 var grpc = __toESM(require_src3(), 1);
+var ExperimentalServiceClient = class extends grpc.Client {
+  static {
+    __name(this, "ExperimentalServiceClient");
+  }
+  _binaryOptions;
+  constructor(address, credentials2, options = {}, binaryOptions = {}) {
+    super(address, credentials2, options);
+    this._binaryOptions = binaryOptions;
+  }
+  /**
+   * DEPRECATED: Promoted to ImportBulkRelationships in the stable API.
+   *
+   * @deprecated
+   * @generated from protobuf rpc: BulkImportRelationships(stream authzed.api.v1.BulkImportRelationshipsRequest) returns (authzed.api.v1.BulkImportRelationshipsResponse);
+   */
+  bulkImportRelationships(metadata2, options, callback) {
+    const method = ExperimentalService.methods[0];
+    return this.makeClientStreamRequest(`/${ExperimentalService.typeName}/${method.name}`, (value) => Buffer.from(method.I.toBinary(value, this._binaryOptions)), (value) => method.O.fromBinary(value, this._binaryOptions), metadata2, options, callback);
+  }
+  /**
+   * DEPRECATED: Promoted to ExportBulkRelationships in the stable API.
+   *
+   * @deprecated
+   * @generated from protobuf rpc: BulkExportRelationships(authzed.api.v1.BulkExportRelationshipsRequest) returns (stream authzed.api.v1.BulkExportRelationshipsResponse);
+   */
+  bulkExportRelationships(input, metadata2, options) {
+    const method = ExperimentalService.methods[1];
+    return this.makeServerStreamRequest(`/${ExperimentalService.typeName}/${method.name}`, (value) => Buffer.from(method.I.toBinary(value, this._binaryOptions)), (value) => method.O.fromBinary(value, this._binaryOptions), input, metadata2, options);
+  }
+  /**
+   * DEPRECATED: Promoted to CheckBulkPermission in the stable API.
+   *
+   * @deprecated
+   * @generated from protobuf rpc: BulkCheckPermission(authzed.api.v1.BulkCheckPermissionRequest) returns (authzed.api.v1.BulkCheckPermissionResponse);
+   */
+  bulkCheckPermission(input, metadata2, options, callback) {
+    const method = ExperimentalService.methods[2];
+    return this.makeUnaryRequest(`/${ExperimentalService.typeName}/${method.name}`, (value) => Buffer.from(method.I.toBinary(value, this._binaryOptions)), (value) => method.O.fromBinary(value, this._binaryOptions), input, metadata2, options, callback);
+  }
+  /**
+   * DEPRECATED: Promoted to ReflectSchema in the stable API.
+   *
+   * @deprecated
+   * @generated from protobuf rpc: ExperimentalReflectSchema(authzed.api.v1.ExperimentalReflectSchemaRequest) returns (authzed.api.v1.ExperimentalReflectSchemaResponse);
+   */
+  experimentalReflectSchema(input, metadata2, options, callback) {
+    const method = ExperimentalService.methods[3];
+    return this.makeUnaryRequest(`/${ExperimentalService.typeName}/${method.name}`, (value) => Buffer.from(method.I.toBinary(value, this._binaryOptions)), (value) => method.O.fromBinary(value, this._binaryOptions), input, metadata2, options, callback);
+  }
+  /**
+   * DEPRECATED: Promoted to ComputablePermissions in the stable API.
+   *
+   * @deprecated
+   * @generated from protobuf rpc: ExperimentalComputablePermissions(authzed.api.v1.ExperimentalComputablePermissionsRequest) returns (authzed.api.v1.ExperimentalComputablePermissionsResponse);
+   */
+  experimentalComputablePermissions(input, metadata2, options, callback) {
+    const method = ExperimentalService.methods[4];
+    return this.makeUnaryRequest(`/${ExperimentalService.typeName}/${method.name}`, (value) => Buffer.from(method.I.toBinary(value, this._binaryOptions)), (value) => method.O.fromBinary(value, this._binaryOptions), input, metadata2, options, callback);
+  }
+  /**
+   * DEPRECATED: Promoted to DependentRelations in the stable API.
+   *
+   * @deprecated
+   * @generated from protobuf rpc: ExperimentalDependentRelations(authzed.api.v1.ExperimentalDependentRelationsRequest) returns (authzed.api.v1.ExperimentalDependentRelationsResponse);
+   */
+  experimentalDependentRelations(input, metadata2, options, callback) {
+    const method = ExperimentalService.methods[5];
+    return this.makeUnaryRequest(`/${ExperimentalService.typeName}/${method.name}`, (value) => Buffer.from(method.I.toBinary(value, this._binaryOptions)), (value) => method.O.fromBinary(value, this._binaryOptions), input, metadata2, options, callback);
+  }
+  /**
+   * DEPRECATED: Promoted to DiffSchema in the stable API.
+   *
+   * @deprecated
+   * @generated from protobuf rpc: ExperimentalDiffSchema(authzed.api.v1.ExperimentalDiffSchemaRequest) returns (authzed.api.v1.ExperimentalDiffSchemaResponse);
+   */
+  experimentalDiffSchema(input, metadata2, options, callback) {
+    const method = ExperimentalService.methods[6];
+    return this.makeUnaryRequest(`/${ExperimentalService.typeName}/${method.name}`, (value) => Buffer.from(method.I.toBinary(value, this._binaryOptions)), (value) => method.O.fromBinary(value, this._binaryOptions), input, metadata2, options, callback);
+  }
+  /**
+   * EXPERIMENTAL: RegisterRelationshipCounter registers a new filter for counting relationships. A filter must be registered before
+   * a count can be requested.
+   *
+   * @generated from protobuf rpc: ExperimentalRegisterRelationshipCounter(authzed.api.v1.ExperimentalRegisterRelationshipCounterRequest) returns (authzed.api.v1.ExperimentalRegisterRelationshipCounterResponse);
+   */
+  experimentalRegisterRelationshipCounter(input, metadata2, options, callback) {
+    const method = ExperimentalService.methods[7];
+    return this.makeUnaryRequest(`/${ExperimentalService.typeName}/${method.name}`, (value) => Buffer.from(method.I.toBinary(value, this._binaryOptions)), (value) => method.O.fromBinary(value, this._binaryOptions), input, metadata2, options, callback);
+  }
+  /**
+   * EXPERIMENTAL: CountRelationships returns the count of relationships for *pre-registered* filter.
+   *
+   * @generated from protobuf rpc: ExperimentalCountRelationships(authzed.api.v1.ExperimentalCountRelationshipsRequest) returns (authzed.api.v1.ExperimentalCountRelationshipsResponse);
+   */
+  experimentalCountRelationships(input, metadata2, options, callback) {
+    const method = ExperimentalService.methods[8];
+    return this.makeUnaryRequest(`/${ExperimentalService.typeName}/${method.name}`, (value) => Buffer.from(method.I.toBinary(value, this._binaryOptions)), (value) => method.O.fromBinary(value, this._binaryOptions), input, metadata2, options, callback);
+  }
+  /**
+   * EXPERIMENTAL: UnregisterRelationshipCounter unregisters an existing filter for counting relationships.
+   *
+   * @generated from protobuf rpc: ExperimentalUnregisterRelationshipCounter(authzed.api.v1.ExperimentalUnregisterRelationshipCounterRequest) returns (authzed.api.v1.ExperimentalUnregisterRelationshipCounterResponse);
+   */
+  experimentalUnregisterRelationshipCounter(input, metadata2, options, callback) {
+    const method = ExperimentalService.methods[9];
+    return this.makeUnaryRequest(`/${ExperimentalService.typeName}/${method.name}`, (value) => Buffer.from(method.I.toBinary(value, this._binaryOptions)), (value) => method.O.fromBinary(value, this._binaryOptions), input, metadata2, options, callback);
+  }
+};
 
 // ../node_modules/.pnpm/@authzed+authzed-node@1.6.1/node_modules/@authzed/authzed-node/dist/src/authzedapi/authzed/api/v1/permission_service.grpc-client.js
 var grpc2 = __toESM(require_src3(), 1);
+var PermissionsServiceClient = class extends grpc2.Client {
+  static {
+    __name(this, "PermissionsServiceClient");
+  }
+  _binaryOptions;
+  constructor(address, credentials2, options = {}, binaryOptions = {}) {
+    super(address, credentials2, options);
+    this._binaryOptions = binaryOptions;
+  }
+  /**
+   * ReadRelationships reads a set of the relationships matching one or more
+   * filters.
+   *
+   * @generated from protobuf rpc: ReadRelationships(authzed.api.v1.ReadRelationshipsRequest) returns (stream authzed.api.v1.ReadRelationshipsResponse);
+   */
+  readRelationships(input, metadata2, options) {
+    const method = PermissionsService.methods[0];
+    return this.makeServerStreamRequest(`/${PermissionsService.typeName}/${method.name}`, (value) => Buffer.from(method.I.toBinary(value, this._binaryOptions)), (value) => method.O.fromBinary(value, this._binaryOptions), input, metadata2, options);
+  }
+  /**
+   * WriteRelationships atomically writes and/or deletes a set of specified
+   * relationships. An optional set of preconditions can be provided that must
+   * be satisfied for the operation to commit.
+   *
+   * @generated from protobuf rpc: WriteRelationships(authzed.api.v1.WriteRelationshipsRequest) returns (authzed.api.v1.WriteRelationshipsResponse);
+   */
+  writeRelationships(input, metadata2, options, callback) {
+    const method = PermissionsService.methods[1];
+    return this.makeUnaryRequest(`/${PermissionsService.typeName}/${method.name}`, (value) => Buffer.from(method.I.toBinary(value, this._binaryOptions)), (value) => method.O.fromBinary(value, this._binaryOptions), input, metadata2, options, callback);
+  }
+  /**
+   * DeleteRelationships atomically bulk deletes all relationships matching the
+   * provided filter. If no relationships match, none will be deleted and the
+   * operation will succeed. An optional set of preconditions can be provided that must
+   * be satisfied for the operation to commit.
+   *
+   * @generated from protobuf rpc: DeleteRelationships(authzed.api.v1.DeleteRelationshipsRequest) returns (authzed.api.v1.DeleteRelationshipsResponse);
+   */
+  deleteRelationships(input, metadata2, options, callback) {
+    const method = PermissionsService.methods[2];
+    return this.makeUnaryRequest(`/${PermissionsService.typeName}/${method.name}`, (value) => Buffer.from(method.I.toBinary(value, this._binaryOptions)), (value) => method.O.fromBinary(value, this._binaryOptions), input, metadata2, options, callback);
+  }
+  /**
+   * CheckPermission determines for a given resource whether a subject computes
+   * to having a permission or is a direct member of a particular relation.
+   *
+   * @generated from protobuf rpc: CheckPermission(authzed.api.v1.CheckPermissionRequest) returns (authzed.api.v1.CheckPermissionResponse);
+   */
+  checkPermission(input, metadata2, options, callback) {
+    const method = PermissionsService.methods[3];
+    return this.makeUnaryRequest(`/${PermissionsService.typeName}/${method.name}`, (value) => Buffer.from(method.I.toBinary(value, this._binaryOptions)), (value) => method.O.fromBinary(value, this._binaryOptions), input, metadata2, options, callback);
+  }
+  /**
+   * CheckBulkPermissions evaluates the given list of permission checks
+   * and returns the list of results.
+   *
+   * @generated from protobuf rpc: CheckBulkPermissions(authzed.api.v1.CheckBulkPermissionsRequest) returns (authzed.api.v1.CheckBulkPermissionsResponse);
+   */
+  checkBulkPermissions(input, metadata2, options, callback) {
+    const method = PermissionsService.methods[4];
+    return this.makeUnaryRequest(`/${PermissionsService.typeName}/${method.name}`, (value) => Buffer.from(method.I.toBinary(value, this._binaryOptions)), (value) => method.O.fromBinary(value, this._binaryOptions), input, metadata2, options, callback);
+  }
+  /**
+   * ExpandPermissionTree reveals the graph structure for a resource's
+   * permission or relation. This RPC does not recurse infinitely deep and may
+   * require multiple calls to fully unnest a deeply nested graph.
+   *
+   * @generated from protobuf rpc: ExpandPermissionTree(authzed.api.v1.ExpandPermissionTreeRequest) returns (authzed.api.v1.ExpandPermissionTreeResponse);
+   */
+  expandPermissionTree(input, metadata2, options, callback) {
+    const method = PermissionsService.methods[5];
+    return this.makeUnaryRequest(`/${PermissionsService.typeName}/${method.name}`, (value) => Buffer.from(method.I.toBinary(value, this._binaryOptions)), (value) => method.O.fromBinary(value, this._binaryOptions), input, metadata2, options, callback);
+  }
+  /**
+   * LookupResources returns all the resources of a given type that a subject
+   * can access whether via a computed permission or relation membership.
+   *
+   * @generated from protobuf rpc: LookupResources(authzed.api.v1.LookupResourcesRequest) returns (stream authzed.api.v1.LookupResourcesResponse);
+   */
+  lookupResources(input, metadata2, options) {
+    const method = PermissionsService.methods[6];
+    return this.makeServerStreamRequest(`/${PermissionsService.typeName}/${method.name}`, (value) => Buffer.from(method.I.toBinary(value, this._binaryOptions)), (value) => method.O.fromBinary(value, this._binaryOptions), input, metadata2, options);
+  }
+  /**
+   * LookupSubjects returns all the subjects of a given type that
+   * have access whether via a computed permission or relation membership.
+   *
+   * @generated from protobuf rpc: LookupSubjects(authzed.api.v1.LookupSubjectsRequest) returns (stream authzed.api.v1.LookupSubjectsResponse);
+   */
+  lookupSubjects(input, metadata2, options) {
+    const method = PermissionsService.methods[7];
+    return this.makeServerStreamRequest(`/${PermissionsService.typeName}/${method.name}`, (value) => Buffer.from(method.I.toBinary(value, this._binaryOptions)), (value) => method.O.fromBinary(value, this._binaryOptions), input, metadata2, options);
+  }
+  /**
+   * ImportBulkRelationships is a faster path to writing a large number of
+   * relationships at once. It is both batched and streaming. For maximum
+   * performance, the caller should attempt to write relationships in as close
+   * to relationship sort order as possible: (resource.object_type,
+   * resource.object_id, relation, subject.object.object_type,
+   * subject.object.object_id, subject.optional_relation). All relationships
+   * written are done so under a single transaction.
+   *
+   * @generated from protobuf rpc: ImportBulkRelationships(stream authzed.api.v1.ImportBulkRelationshipsRequest) returns (authzed.api.v1.ImportBulkRelationshipsResponse);
+   */
+  importBulkRelationships(metadata2, options, callback) {
+    const method = PermissionsService.methods[8];
+    return this.makeClientStreamRequest(`/${PermissionsService.typeName}/${method.name}`, (value) => Buffer.from(method.I.toBinary(value, this._binaryOptions)), (value) => method.O.fromBinary(value, this._binaryOptions), metadata2, options, callback);
+  }
+  /**
+   * ExportBulkRelationships is the fastest path available to exporting
+   * relationships from the server. It is resumable, and will return results
+   * in an order determined by the server.
+   *
+   * @generated from protobuf rpc: ExportBulkRelationships(authzed.api.v1.ExportBulkRelationshipsRequest) returns (stream authzed.api.v1.ExportBulkRelationshipsResponse);
+   */
+  exportBulkRelationships(input, metadata2, options) {
+    const method = PermissionsService.methods[9];
+    return this.makeServerStreamRequest(`/${PermissionsService.typeName}/${method.name}`, (value) => Buffer.from(method.I.toBinary(value, this._binaryOptions)), (value) => method.O.fromBinary(value, this._binaryOptions), input, metadata2, options);
+  }
+};
 
 // ../node_modules/.pnpm/@authzed+authzed-node@1.6.1/node_modules/@authzed/authzed-node/dist/src/authzedapi/authzed/api/v1/schema_service.js
 var import_runtime_rpc3 = __toESM(require_commonjs2(), 1);
@@ -145461,6 +145840,81 @@ var SchemaService = new import_runtime_rpc3.ServiceType("authzed.api.v1.SchemaSe
 
 // ../node_modules/.pnpm/@authzed+authzed-node@1.6.1/node_modules/@authzed/authzed-node/dist/src/authzedapi/authzed/api/v1/schema_service.grpc-client.js
 var grpc3 = __toESM(require_src3(), 1);
+var SchemaServiceClient = class extends grpc3.Client {
+  static {
+    __name(this, "SchemaServiceClient");
+  }
+  _binaryOptions;
+  constructor(address, credentials2, options = {}, binaryOptions = {}) {
+    super(address, credentials2, options);
+    this._binaryOptions = binaryOptions;
+  }
+  /**
+   * Read returns the current Object Definitions for a Permissions System.
+   *
+   * Errors include:
+   * - INVALID_ARGUMENT: a provided value has failed to semantically validate
+   * - NOT_FOUND: no schema has been defined
+   *
+   * @generated from protobuf rpc: ReadSchema(authzed.api.v1.ReadSchemaRequest) returns (authzed.api.v1.ReadSchemaResponse);
+   */
+  readSchema(input, metadata2, options, callback) {
+    const method = SchemaService.methods[0];
+    return this.makeUnaryRequest(`/${SchemaService.typeName}/${method.name}`, (value) => Buffer.from(method.I.toBinary(value, this._binaryOptions)), (value) => method.O.fromBinary(value, this._binaryOptions), input, metadata2, options, callback);
+  }
+  /**
+   * Write overwrites the current Object Definitions for a Permissions System.
+   *
+   * @generated from protobuf rpc: WriteSchema(authzed.api.v1.WriteSchemaRequest) returns (authzed.api.v1.WriteSchemaResponse);
+   */
+  writeSchema(input, metadata2, options, callback) {
+    const method = SchemaService.methods[1];
+    return this.makeUnaryRequest(`/${SchemaService.typeName}/${method.name}`, (value) => Buffer.from(method.I.toBinary(value, this._binaryOptions)), (value) => method.O.fromBinary(value, this._binaryOptions), input, metadata2, options, callback);
+  }
+  /**
+   * ReflectSchema reflects the current schema stored in SpiceDB, returning a structural
+   * form of the schema for use by client tooling.
+   *
+   * @generated from protobuf rpc: ReflectSchema(authzed.api.v1.ReflectSchemaRequest) returns (authzed.api.v1.ReflectSchemaResponse);
+   */
+  reflectSchema(input, metadata2, options, callback) {
+    const method = SchemaService.methods[2];
+    return this.makeUnaryRequest(`/${SchemaService.typeName}/${method.name}`, (value) => Buffer.from(method.I.toBinary(value, this._binaryOptions)), (value) => method.O.fromBinary(value, this._binaryOptions), input, metadata2, options, callback);
+  }
+  /**
+   * ComputablePermissions returns the set of permissions that compute based off a relation
+   * in the current schema. For example, if the schema has a relation `viewer` and a permission
+   * `view` defined as `permission view = viewer + editor`, then the
+   * computable permissions for the relation `viewer` will include `view`.
+   *
+   * @generated from protobuf rpc: ComputablePermissions(authzed.api.v1.ComputablePermissionsRequest) returns (authzed.api.v1.ComputablePermissionsResponse);
+   */
+  computablePermissions(input, metadata2, options, callback) {
+    const method = SchemaService.methods[3];
+    return this.makeUnaryRequest(`/${SchemaService.typeName}/${method.name}`, (value) => Buffer.from(method.I.toBinary(value, this._binaryOptions)), (value) => method.O.fromBinary(value, this._binaryOptions), input, metadata2, options, callback);
+  }
+  /**
+   * DependentRelations returns the set of relations and permissions that used
+   * to compute a permission, recursively, in the current schema. It is the
+   * inverse of the ComputablePermissions API.
+   *
+   * @generated from protobuf rpc: DependentRelations(authzed.api.v1.DependentRelationsRequest) returns (authzed.api.v1.DependentRelationsResponse);
+   */
+  dependentRelations(input, metadata2, options, callback) {
+    const method = SchemaService.methods[4];
+    return this.makeUnaryRequest(`/${SchemaService.typeName}/${method.name}`, (value) => Buffer.from(method.I.toBinary(value, this._binaryOptions)), (value) => method.O.fromBinary(value, this._binaryOptions), input, metadata2, options, callback);
+  }
+  /**
+   * DiffSchema returns the difference between the specified schema and the current
+   * schema stored in SpiceDB.
+   *
+   * @generated from protobuf rpc: DiffSchema(authzed.api.v1.DiffSchemaRequest) returns (authzed.api.v1.DiffSchemaResponse);
+   */
+  diffSchema(input, metadata2, options, callback) {
+    const method = SchemaService.methods[5];
+    return this.makeUnaryRequest(`/${SchemaService.typeName}/${method.name}`, (value) => Buffer.from(method.I.toBinary(value, this._binaryOptions)), (value) => method.O.fromBinary(value, this._binaryOptions), input, metadata2, options, callback);
+  }
+};
 
 // ../node_modules/.pnpm/@authzed+authzed-node@1.6.1/node_modules/@authzed/authzed-node/dist/src/authzedapi/authzed/api/v1/watch_service.js
 var import_runtime_rpc4 = __toESM(require_commonjs2(), 1);
@@ -145733,6 +146187,26 @@ var WatchService = new import_runtime_rpc4.ServiceType("authzed.api.v1.WatchServ
 
 // ../node_modules/.pnpm/@authzed+authzed-node@1.6.1/node_modules/@authzed/authzed-node/dist/src/authzedapi/authzed/api/v1/watch_service.grpc-client.js
 var grpc4 = __toESM(require_src3(), 1);
+var WatchServiceClient = class extends grpc4.Client {
+  static {
+    __name(this, "WatchServiceClient");
+  }
+  _binaryOptions;
+  constructor(address, credentials2, options = {}, binaryOptions = {}) {
+    super(address, credentials2, options);
+    this._binaryOptions = binaryOptions;
+  }
+  /**
+   * Watch returns a stream of events that occurred in the datastore in ascending timestamp order.
+   * The events can be relationship updates, schema updates, or checkpoints.
+   *
+   * @generated from protobuf rpc: Watch(authzed.api.v1.WatchRequest) returns (stream authzed.api.v1.WatchResponse);
+   */
+  watch(input, metadata2, options) {
+    const method = WatchService.methods[0];
+    return this.makeServerStreamRequest(`/${WatchService.typeName}/${method.name}`, (value) => Buffer.from(method.I.toBinary(value, this._binaryOptions)), (value) => method.O.fromBinary(value, this._binaryOptions), input, metadata2, options);
+  }
+};
 
 // ../node_modules/.pnpm/@authzed+authzed-node@1.6.1/node_modules/@authzed/authzed-node/dist/src/authzedapi/authzed/api/materialize/v0/watchpermissions.js
 var import_runtime_rpc5 = __toESM(require_commonjs2(), 1);
@@ -146087,6 +146561,39 @@ var WatchPermissionsService = new import_runtime_rpc5.ServiceType("authzed.api.m
 
 // ../node_modules/.pnpm/@authzed+authzed-node@1.6.1/node_modules/@authzed/authzed-node/dist/src/authzedapi/authzed/api/materialize/v0/watchpermissions.grpc-client.js
 var grpc5 = __toESM(require_src3(), 1);
+var WatchPermissionsServiceClient = class extends grpc5.Client {
+  static {
+    __name(this, "WatchPermissionsServiceClient");
+  }
+  _binaryOptions;
+  constructor(address, credentials2, options = {}, binaryOptions = {}) {
+    super(address, credentials2, options);
+    this._binaryOptions = binaryOptions;
+  }
+  /**
+   * WatchPermissions returns a stream of PermissionChange events for the given permissions.
+   *
+   * WatchPermissions is a long-running RPC, and will stream events until the client
+   * closes the connection or the server terminates the stream. The consumer is responsible of
+   * keeping track of the last seen revision and resuming the stream from that point in the event
+   * of disconnection or client-side restarts.
+   *
+   * The API does not offer a sharding mechanism and thus there should only be one consumer per target system.
+   * Implementing an active-active HA consumer setup over the same target system will require coordinating which
+   * revisions have been consumed in order to prevent transitioning to an inconsistent state.
+   *
+   * Usage of WatchPermissions requires to be explicitly enabled on the service, including the permissions to be
+   * watched. It requires more resources and is less performant than WatchPermissionsSets. It's usage
+   * is only recommended when performing the set intersections of WatchPermissionSets in the client side is not viable
+   * or there is a strict application requirement to use consume the computed permissions.
+   *
+   * @generated from protobuf rpc: WatchPermissions(authzed.api.materialize.v0.WatchPermissionsRequest) returns (stream authzed.api.materialize.v0.WatchPermissionsResponse);
+   */
+  watchPermissions(input, metadata2, options) {
+    const method = WatchPermissionsService.methods[0];
+    return this.makeServerStreamRequest(`/${WatchPermissionsService.typeName}/${method.name}`, (value) => Buffer.from(method.I.toBinary(value, this._binaryOptions)), (value) => method.O.fromBinary(value, this._binaryOptions), input, metadata2, options);
+  }
+};
 
 // ../node_modules/.pnpm/@authzed+authzed-node@1.6.1/node_modules/@authzed/authzed-node/dist/src/authzedapi/authzed/api/materialize/v0/watchpermissionsets.js
 var import_runtime_rpc6 = __toESM(require_commonjs2(), 1);
@@ -147056,9 +147563,164 @@ var WatchPermissionSetsService = new import_runtime_rpc6.ServiceType("authzed.ap
 
 // ../node_modules/.pnpm/@authzed+authzed-node@1.6.1/node_modules/@authzed/authzed-node/dist/src/authzedapi/authzed/api/materialize/v0/watchpermissionsets.grpc-client.js
 var grpc6 = __toESM(require_src3(), 1);
+var WatchPermissionSetsServiceClient = class extends grpc6.Client {
+  static {
+    __name(this, "WatchPermissionSetsServiceClient");
+  }
+  _binaryOptions;
+  constructor(address, credentials2, options = {}, binaryOptions = {}) {
+    super(address, credentials2, options);
+    this._binaryOptions = binaryOptions;
+  }
+  /**
+   * WatchPermissionSets returns a stream of changes to the sets which can be used to compute the watched permissions.
+   *
+   * WatchPermissionSets lets consumers achieve the same thing as WatchPermissions, but trades off a simpler usage model with
+   * significantly lower computational requirements. Unlike WatchPermissions, this method returns changes to the sets of permissions,
+   * rather than the individual permissions. Permission sets are a normalized form of the computed permissions, which
+   * means that the consumer must perform an extra computation over this representation to obtain the final computed
+   * permissions, typically by intersecting the provided sets.
+   *
+   * For example, this would look like a JOIN between the
+   * materialize permission sets table in a target relation database, the table with the resources to authorize access
+   * to, and the table with the subject (e.g. a user).
+   *
+   * In exchange, the number of changes issued by WatchPermissionSets will be several orders of magnitude less than those
+   * emitted by WatchPermissions, which has several implications:
+   * - significantly less resources to compute the sets
+   * - significantly less messages to stream over the network
+   * - significantly less events to ingest on the consumer side
+   * - less ingestion lag from the origin SpiceDB mutation
+   *
+   * The type of scenarios WatchPermissionSets is particularly well suited is when a single change
+   * in the origin SpiceDB can yield millions of changes. For example, in the GitHub authorization model, assigning a role
+   * to a top-level team of an organization with hundreds of thousands of employees can lead to an explosion of
+   * permission change events that would require a lot of computational resources to process, both on Materialize and
+   * the consumer side.
+   *
+   * WatchPermissionSets is thus recommended for any larger scale use case where the fan-out in permission changes that
+   * emerges from a specific schema and data shape is too large to handle effectively.
+   *
+   * The API does not offer a sharding mechanism and thus there should only be one consumer per target system.
+   * Implementing an active-active HA consumer setup over the same target system will require coordinating which
+   * revisions have been consumed in order to prevent transitioning to an inconsistent state.
+   *
+   * @generated from protobuf rpc: WatchPermissionSets(authzed.api.materialize.v0.WatchPermissionSetsRequest) returns (stream authzed.api.materialize.v0.WatchPermissionSetsResponse);
+   */
+  watchPermissionSets(input, metadata2, options) {
+    const method = WatchPermissionSetsService.methods[0];
+    return this.makeServerStreamRequest(`/${WatchPermissionSetsService.typeName}/${method.name}`, (value) => Buffer.from(method.I.toBinary(value, this._binaryOptions)), (value) => method.O.fromBinary(value, this._binaryOptions), input, metadata2, options);
+  }
+  /**
+   * LookupPermissionSets returns the current state of the permission sets which can be used to derive the computed permissions.
+   * It's typically used to backfill the state of the permission sets in the consumer side.
+   *
+   * It's a cursored API and the consumer is responsible to keep track of the cursor and use it on each subsequent call.
+   * Each stream will return <N> permission sets defined by the specified request limit. The server will keep streaming until
+   * the sets per stream is hit, or the current state of the sets is reached,
+   * whatever happens first, and then close the stream. The server will indicate there are no more changes to stream
+   * through the `completed_members` in the cursor.
+   *
+   * There may be many elements to stream, and so the consumer should be prepared to resume the stream from the last
+   * cursor received. Once completed, the consumer may start streaming permission set changes using WatchPermissionSets
+   * and the revision token from the last LookupPermissionSets response.
+   *
+   * @generated from protobuf rpc: LookupPermissionSets(authzed.api.materialize.v0.LookupPermissionSetsRequest) returns (stream authzed.api.materialize.v0.LookupPermissionSetsResponse);
+   */
+  lookupPermissionSets(input, metadata2, options) {
+    const method = WatchPermissionSetsService.methods[1];
+    return this.makeServerStreamRequest(`/${WatchPermissionSetsService.typeName}/${method.name}`, (value) => Buffer.from(method.I.toBinary(value, this._binaryOptions)), (value) => method.O.fromBinary(value, this._binaryOptions), input, metadata2, options);
+  }
+  /**
+   * DownloadPermissionSets returns URLs to download permission sets data as Avro files.
+   * This provides an alternative to LookupPermissionSets for customers who need to download
+   * large datasets efficiently. The returned URLs point to compressed Avro files containing
+   * the permission sets data in a normalized format.
+   *
+   * @generated from protobuf rpc: DownloadPermissionSets(authzed.api.materialize.v0.DownloadPermissionSetsRequest) returns (authzed.api.materialize.v0.DownloadPermissionSetsResponse);
+   */
+  downloadPermissionSets(input, metadata2, options, callback) {
+    const method = WatchPermissionSetsService.methods[2];
+    return this.makeUnaryRequest(`/${WatchPermissionSetsService.typeName}/${method.name}`, (value) => Buffer.from(method.I.toBinary(value, this._binaryOptions)), (value) => method.O.fromBinary(value, this._binaryOptions), input, metadata2, options, callback);
+  }
+};
 
 // ../node_modules/.pnpm/@authzed+authzed-node@1.6.1/node_modules/@authzed/authzed-node/dist/src/util.js
 var grpc7 = __toESM(require_src3(), 1);
+var ComposedChannelCredentials = class _ComposedChannelCredentials extends grpc7.ChannelCredentials {
+  static {
+    __name(this, "ComposedChannelCredentials");
+  }
+  channelCredentials;
+  callCreds;
+  constructor(channelCredentials, callCreds) {
+    super();
+    this.channelCredentials = channelCredentials;
+    this.callCreds = callCreds;
+  }
+  compose(callCredentials) {
+    const combinedCallCredentials = this.callCreds.compose(callCredentials);
+    return new _ComposedChannelCredentials(this.channelCredentials, combinedCallCredentials);
+  }
+  _isSecure() {
+    return false;
+  }
+  // NOTE: this is copied from the InsecureChannelCredentialsImpl class
+  _createSecureConnector(channelTarget, options, callCredentials) {
+    return {
+      connect: /* @__PURE__ */ __name(async (socket) => {
+        return {
+          socket,
+          secure: false
+        };
+      }, "connect"),
+      waitForReady: /* @__PURE__ */ __name(async () => {
+      }, "waitForReady"),
+      getCallCredentials: /* @__PURE__ */ __name(() => callCredentials || this.callCreds, "getCallCredentials"),
+      destroy: /* @__PURE__ */ __name(() => {
+      }, "destroy")
+    };
+  }
+  _equals(other) {
+    if (this === other) {
+      return true;
+    }
+    if (other instanceof _ComposedChannelCredentials) {
+      return this.channelCredentials._equals(other.channelCredentials) && this.callCreds._equals(other.callCreds);
+    } else {
+      return false;
+    }
+  }
+};
+var KnownInsecureChannelCredentialsImpl = class _KnownInsecureChannelCredentialsImpl extends grpc7.ChannelCredentials {
+  static {
+    __name(this, "KnownInsecureChannelCredentialsImpl");
+  }
+  compose(callCredentials) {
+    return new ComposedChannelCredentials(this, callCredentials);
+  }
+  _isSecure() {
+    return false;
+  }
+  _equals(other) {
+    return other instanceof _KnownInsecureChannelCredentialsImpl;
+  }
+  _createSecureConnector(channelTarget, options, callCredentials) {
+    return {
+      connect: /* @__PURE__ */ __name(async (socket) => {
+        return {
+          socket,
+          secure: false
+        };
+      }, "connect"),
+      waitForReady: /* @__PURE__ */ __name(async () => {
+      }, "waitForReady"),
+      getCallCredentials: /* @__PURE__ */ __name(() => callCredentials, "getCallCredentials"),
+      destroy: /* @__PURE__ */ __name(() => {
+      }, "destroy")
+    };
+  }
+};
 var ClientSecurity;
 (function(ClientSecurity2) {
   ClientSecurity2[ClientSecurity2["SECURE"] = 0] = "SECURE";
@@ -147075,6 +147737,61 @@ var PreconnectServices;
   PreconnectServices2[PreconnectServices2["WATCH_PERMISSIONS_SERVICE"] = 9] = "WATCH_PERMISSIONS_SERVICE";
   PreconnectServices2[PreconnectServices2["WATCH_PERMISSIONSETS_SERVICE"] = 10] = "WATCH_PERMISSIONSETS_SERVICE";
 })(PreconnectServices || (PreconnectServices = {}));
+function createClientCreds(endpoint, token, security = ClientSecurity.SECURE) {
+  const metadata2 = new grpc7.Metadata();
+  metadata2.set("authorization", "Bearer " + token);
+  const creds = [];
+  if (security === ClientSecurity.SECURE || security === ClientSecurity.INSECURE_PLAINTEXT_CREDENTIALS || security === ClientSecurity.INSECURE_LOCALHOST_ALLOWED && endpoint.startsWith("localhost:")) {
+    creds.push(grpc7.credentials.createFromMetadataGenerator((_3, callback) => {
+      callback(null, metadata2);
+    }));
+  }
+  return grpc7.credentials.combineChannelCredentials(security === ClientSecurity.SECURE ? grpc7.credentials.createSsl() : new KnownInsecureChannelCredentialsImpl(), ...creds);
+}
+__name(createClientCreds, "createClientCreds");
+function createClientCredsWithCustomCert(token, certificate) {
+  const metadata2 = new grpc7.Metadata();
+  metadata2.set("authorization", "Bearer " + token);
+  const creds = [];
+  creds.push(grpc7.credentials.createFromMetadataGenerator((_3, callback) => {
+    callback(null, metadata2);
+  }));
+  return grpc7.credentials.combineChannelCredentials(grpc7.credentials.createSsl(certificate), ...creds);
+}
+__name(createClientCredsWithCustomCert, "createClientCredsWithCustomCert");
+function promisifyStream(fn2, bind2) {
+  return (req) => {
+    return new Promise((resolve4, reject) => {
+      const results = [];
+      const stream4 = fn2.bind(bind2)(req);
+      stream4.on("data", function(response) {
+        results.push(response);
+      });
+      stream4.on("error", function(e) {
+        return reject(e);
+      });
+      stream4.on("end", function() {
+        return resolve4(results);
+      });
+      stream4.on("status", function(status2) {
+        if (status2.code !== grpc7.status.OK) {
+          return reject(status2);
+        }
+      });
+    });
+  };
+}
+__name(promisifyStream, "promisifyStream");
+function deadlineInterceptor(timeoutInMS) {
+  return (options, nextCall) => {
+    if (!options.deadline) {
+      options.deadline = Date.now() + (timeoutInMS ? timeoutInMS : 6e4);
+    }
+    return new grpc7.InterceptingCall(nextCall(options));
+  };
+}
+__name(deadlineInterceptor, "deadlineInterceptor");
+var authzedEndpoint = "grpc.authzed.com:443";
 
 // ../node_modules/.pnpm/@authzed+authzed-node@1.6.1/node_modules/@authzed/authzed-node/dist/src/authzedapi/authzed/api/v1/error_reason.js
 var ErrorReason;
@@ -147113,6 +147830,208 @@ var ErrorReason;
 
 // ../node_modules/.pnpm/@authzed+authzed-node@1.6.1/node_modules/@authzed/authzed-node/dist/src/v1.js
 var DEFAULT_DEADLINE_MS = 30 * 1e3;
+var ZedClient = class _ZedClient {
+  static {
+    __name(this, "ZedClient");
+  }
+  endpoint;
+  creds;
+  acl;
+  ns;
+  watch;
+  experimental;
+  watchPermissions;
+  watchPermissionSets;
+  options;
+  constructor(endpoint, creds, preconnect, options) {
+    this.endpoint = endpoint;
+    this.creds = creds;
+    this.options = {
+      ...options ?? {},
+      interceptors: [
+        ...options?.interceptors ?? [],
+        // We put this interceptor last because it checks if the deadline is already
+        // set and, if so, does not overwrite it.
+        deadlineInterceptor(DEFAULT_DEADLINE_MS)
+      ]
+    };
+    if (preconnect & PreconnectServices.PERMISSIONS_SERVICE) {
+      this.acl = new PermissionsServiceClient(this.endpoint, this.creds, options);
+    }
+    if (preconnect & PreconnectServices.SCHEMA_SERVICE) {
+      this.ns = new SchemaServiceClient(this.endpoint, this.creds, options);
+    }
+    if (preconnect & PreconnectServices.WATCH_SERVICE) {
+      this.watch = new WatchServiceClient(this.endpoint, this.creds, options);
+    }
+    if (preconnect & PreconnectServices.WATCH_PERMISSIONS_SERVICE) {
+      this.watchPermissions = new WatchPermissionsServiceClient(this.endpoint, this.creds, options);
+    }
+    if (preconnect & PreconnectServices.WATCH_PERMISSIONSETS_SERVICE) {
+      this.watchPermissionSets = new WatchPermissionSetsServiceClient(this.endpoint, this.creds, options);
+    }
+    if (preconnect & PreconnectServices.EXPERIMENTAL_SERVICE) {
+      this.experimental = new ExperimentalServiceClient(this.endpoint, this.creds, options);
+    }
+  }
+  static create(endpoint, creds, preconnect, options) {
+    return new Proxy({}, new _ZedClient(endpoint, creds, preconnect, options));
+  }
+  close = /* @__PURE__ */ __name(() => {
+    [
+      this.acl,
+      this.ns,
+      this.watch,
+      this.experimental,
+      this.watchPermissions,
+      this.watchPermissionSets
+    ].forEach((client) => client?.close());
+  }, "close");
+  get(_target, name18) {
+    if (name18 === "close") {
+      return this.close;
+    }
+    if (typeof name18 === "symbol") {
+      if (this.acl === void 0) {
+        this.acl = new PermissionsServiceClient(this.endpoint, this.creds, this.options);
+      }
+      return this.acl[name18];
+    }
+    if (name18 in PermissionsServiceClient.prototype) {
+      if (this.acl === void 0) {
+        this.acl = new PermissionsServiceClient(this.endpoint, this.creds, this.options);
+      }
+      return this.acl[name18];
+    }
+    if (name18 in SchemaServiceClient.prototype) {
+      if (this.ns === void 0) {
+        this.ns = new SchemaServiceClient(this.endpoint, this.creds, this.options);
+      }
+      return this.ns[name18];
+    }
+    if (name18 in WatchServiceClient.prototype) {
+      if (this.watch === void 0) {
+        this.watch = new WatchServiceClient(this.endpoint, this.creds, this.options);
+      }
+      return this.watch[name18];
+    }
+    if (name18 in WatchPermissionsServiceClient.prototype) {
+      if (this.watchPermissions === void 0) {
+        this.watchPermissions = new WatchPermissionsServiceClient(this.endpoint, this.creds, this.options);
+      }
+      return this.watchPermissions[name18];
+    }
+    if (name18 in WatchPermissionSetsServiceClient.prototype) {
+      if (this.watchPermissionSets === void 0) {
+        this.watchPermissionSets = new WatchPermissionSetsServiceClient(this.endpoint, this.creds, this.options);
+      }
+      return this.watchPermissionSets[name18];
+    }
+    if (name18 in ExperimentalServiceClient.prototype) {
+      if (this.experimental === void 0) {
+        this.experimental = new ExperimentalServiceClient(this.endpoint, this.creds, this.options);
+      }
+      return this.experimental[name18];
+    }
+    return void 0;
+  }
+};
+var ZedPromiseClient = class _ZedPromiseClient {
+  static {
+    __name(this, "ZedPromiseClient");
+  }
+  client;
+  promiseCache = {};
+  streamMethods = /* @__PURE__ */ new Set([
+    "readRelationships",
+    "lookupResources",
+    "lookupSubjects",
+    "bulkExportRelationships",
+    "exportBulkRelationships",
+    "watchPermissions",
+    "watchPermissionSets"
+  ]);
+  writableStreamMethods = /* @__PURE__ */ new Set([
+    "bulkImportRelationships",
+    "importBulkRelationships"
+  ]);
+  constructor(client) {
+    this.client = client;
+  }
+  static create(client) {
+    return new Proxy({}, new _ZedPromiseClient(client));
+  }
+  get(_target, name18) {
+    if (!(name18 in this.promiseCache)) {
+      const clientMethod = this.client[name18];
+      if (clientMethod !== void 0) {
+        if (this.streamMethods.has(name18)) {
+          this.promiseCache[name18] = promisifyStream(clientMethod, this.client);
+        } else if (this.writableStreamMethods.has(name18)) {
+          this.promiseCache[name18] = clientMethod.bind(this.client);
+        } else if (typeof clientMethod === "function") {
+          this.promiseCache[name18] = (0, import_util3.promisify)(this.client[name18]).bind(this.client);
+        } else {
+          return clientMethod;
+        }
+      }
+    }
+    return this.promiseCache[name18];
+  }
+};
+var ZedCombinedClient = class _ZedCombinedClient {
+  static {
+    __name(this, "ZedCombinedClient");
+  }
+  client;
+  promiseClient;
+  constructor(client, promiseClient) {
+    this.client = client;
+    this.promiseClient = promiseClient;
+  }
+  static create(endpoint, creds, preconnect, options) {
+    const client = ZedClient.create(endpoint, creds, preconnect, options);
+    const promiseClient = ZedPromiseClient.create(client);
+    return new Proxy({}, new _ZedCombinedClient(client, promiseClient));
+  }
+  get(_target, name18) {
+    if (name18 === "promises") {
+      return this.promiseClient;
+    }
+    return this.client[name18];
+  }
+};
+function NewClient(token, endpoint = authzedEndpoint, security = ClientSecurity.SECURE, preconnect = PreconnectServices.PERMISSIONS_SERVICE, options = void 0) {
+  const creds = createClientCreds(endpoint, token, security);
+  return NewClientWithChannelCredentials(endpoint, creds, preconnect, options);
+}
+__name(NewClient, "NewClient");
+function NewClientWithCustomCert(token, endpoint = authzedEndpoint, certificate, preconnect = PreconnectServices.PERMISSIONS_SERVICE, options = void 0) {
+  const creds = createClientCredsWithCustomCert(token, certificate);
+  return NewClientWithChannelCredentials(endpoint, creds, preconnect, options);
+}
+__name(NewClientWithCustomCert, "NewClientWithCustomCert");
+function NewClientWithChannelCredentials(endpoint = authzedEndpoint, creds, preconnect = PreconnectServices.PERMISSIONS_SERVICE, options = void 0) {
+  return ZedCombinedClient.create(endpoint, creds, preconnect, options);
+}
+__name(NewClientWithChannelCredentials, "NewClientWithChannelCredentials");
+function createStructFromObject(data) {
+  try {
+    return Struct.fromJson(data);
+  } catch (error46) {
+    if (error46 instanceof Error && error46.message.includes("Unable to parse message google.protobuf.Struct from JSON")) {
+      throw new Error("Input data for createStructFromObject must be a non-null object.");
+    }
+    throw error46;
+  }
+}
+__name(createStructFromObject, "createStructFromObject");
+var v1_default = {
+  NewClient
+};
+
+// ../packages/agents-core/dist/auth/authz/client.js
+var { RelationshipUpdate_Operation: RelationshipUpdate_Operation2, CheckPermissionResponse_Permissionship: CheckPermissionResponse_Permissionship2 } = v1_exports;
 
 // ../packages/agents-core/dist/constants/execution-limits-shared/defaults.js
 var executionLimitsSharedDefaults = {
@@ -148581,7 +149500,7 @@ __name(buildFullPath, "buildFullPath");
 var import_proxy_from_env = __toESM(require_proxy_from_env(), 1);
 var import_http = __toESM(require("http"), 1);
 var import_https = __toESM(require("https"), 1);
-var import_util7 = __toESM(require("util"), 1);
+var import_util8 = __toESM(require("util"), 1);
 var import_follow_redirects = __toESM(require_follow_redirects(), 1);
 var import_zlib = __toESM(require("zlib"), 1);
 
@@ -148754,7 +149673,7 @@ var AxiosTransformStream_default = AxiosTransformStream;
 var import_events = require("events");
 
 // ../node_modules/.pnpm/axios@1.12.0/node_modules/axios/lib/helpers/formDataToStream.js
-var import_util6 = __toESM(require("util"), 1);
+var import_util7 = __toESM(require("util"), 1);
 var import_stream2 = require("stream");
 
 // ../node_modules/.pnpm/axios@1.12.0/node_modules/axios/lib/helpers/readBlob.js
@@ -148774,7 +149693,7 @@ var readBlob_default = readBlob;
 
 // ../node_modules/.pnpm/axios@1.12.0/node_modules/axios/lib/helpers/formDataToStream.js
 var BOUNDARY_ALPHABET = platform_default.ALPHABET.ALPHA_DIGIT + "-_";
-var textEncoder = typeof TextEncoder === "function" ? new TextEncoder() : new import_util6.default.TextEncoder();
+var textEncoder = typeof TextEncoder === "function" ? new TextEncoder() : new import_util7.default.TextEncoder();
 var CRLF = "\r\n";
 var CRLF_BYTES = textEncoder.encode(CRLF);
 var CRLF_BYTES_COUNT = 2;
@@ -149268,7 +150187,7 @@ var http_default = isHttpAdapterSupported && /* @__PURE__ */ __name(function htt
       headers2.set(data.getHeaders());
       if (!headers2.hasContentLength()) {
         try {
-          const knownLength = await import_util7.default.promisify(data.getLength).call(data);
+          const knownLength = await import_util8.default.promisify(data.getLength).call(data);
           Number.isFinite(knownLength) && knownLength >= 0 && headers2.setContentLength(knownLength);
         } catch (e) {
         }
@@ -210538,7 +211457,8 @@ var getFullAgentDefinitionInternal = /* @__PURE__ */ __name((db) => async ({ sco
       tenantId: functionTools.tenantId,
       projectId: functionTools.projectId,
       agentId: functionTools.agentId,
-      agentToolRelationId: subAgentFunctionToolRelations.id
+      agentToolRelationId: subAgentFunctionToolRelations.id,
+      toolPolicies: subAgentFunctionToolRelations.toolPolicies
     }).from(subAgentFunctionToolRelations).innerJoin(functionTools, and(eq(subAgentFunctionToolRelations.functionToolId, functionTools.id), eq(subAgentFunctionToolRelations.tenantId, functionTools.tenantId), eq(subAgentFunctionToolRelations.projectId, functionTools.projectId), eq(subAgentFunctionToolRelations.agentId, functionTools.agentId))).where(and(eq(subAgentFunctionToolRelations.tenantId, tenantId), eq(subAgentFunctionToolRelations.projectId, projectId), eq(subAgentFunctionToolRelations.agentId, agentId), eq(subAgentFunctionToolRelations.subAgentId, agent$1.id)));
     const agentDataComponentIds = (await db.query.subAgentDataComponents.findMany({
       where: and(eq(subAgentDataComponents.tenantId, tenantId), eq(subAgentDataComponents.subAgentId, agent$1.id))
@@ -210558,7 +211478,7 @@ var getFullAgentDefinitionInternal = /* @__PURE__ */ __name((db) => async ({ sco
       toolId: tool2.id,
       toolSelection: null,
       headers: null,
-      toolPolicies: null
+      toolPolicies: tool2.toolPolicies || null
     }));
     const canUse = [
       ...mcpToolCanUse,