@inkeep/agents-api 0.0.0-dev-20260126093157 → 0.0.0-dev-20260126174131

package/dist/domains/github/oidcToken.js

@@ -0,0 +1,140 @@
+import { getLogger } from "../../logger.js";
+import { getJwkForToken } from "./jwks.js";
+import { decodeProtectedHeader, errors, jwtVerify } from "jose";
+
+//#region src/domains/github/oidcToken.ts
+const logger = getLogger("github-oidc-token");
+const GITHUB_OIDC_ISSUER = "https://token.actions.githubusercontent.com";
+const EXPECTED_AUDIENCE = "inkeep-agents-action";
+async function validateOidcToken(token) {
+	let header;
+	try {
+		header = decodeProtectedHeader(token);
+	} catch (error) {
+		const message = error instanceof Error ? error.message : "Unknown error";
+		logger.warn({ error: message }, "Failed to decode JWT header");
+		return {
+			success: false,
+			errorType: "malformed",
+			message: "Invalid JWT format: unable to decode token header"
+		};
+	}
+	if (header.alg !== "RS256") {
+		logger.warn({ algorithm: header.alg }, "Unexpected JWT algorithm");
+		return {
+			success: false,
+			errorType: "malformed",
+			message: `Invalid JWT algorithm: expected RS256, got ${header.alg}`
+		};
+	}
+	const jwkResult = await getJwkForToken(header);
+	if (!jwkResult.success) {
+		logger.error({ error: jwkResult.error }, "Failed to get JWK for token");
+		return {
+			success: false,
+			errorType: "jwks_error",
+			message: jwkResult.error
+		};
+	}
+	try {
+		const { payload } = await jwtVerify(token, jwkResult.key, {
+			issuer: GITHUB_OIDC_ISSUER,
+			audience: EXPECTED_AUDIENCE
+		});
+		const repository = payload.repository;
+		const repositoryOwner = payload.repository_owner;
+		const repositoryId = payload.repository_id;
+		const workflow = payload.workflow;
+		const actor = payload.actor;
+		const ref = payload.ref;
+		if (typeof repository !== "string" || typeof repositoryOwner !== "string" || typeof repositoryId !== "string" || typeof workflow !== "string" || typeof actor !== "string" || typeof ref !== "string") {
+			logger.warn({ payload }, "OIDC token missing required claims");
+			return {
+				success: false,
+				errorType: "malformed",
+				message: "OIDC token missing required claims: repository, repository_owner, repository_id, workflow, actor, or ref"
+			};
+		}
+		logger.info({
+			repository,
+			actor
+		}, "Successfully validated OIDC token");
+		return {
+			success: true,
+			claims: {
+				repository,
+				repository_owner: repositoryOwner,
+				repository_id: repositoryId,
+				workflow,
+				actor,
+				ref
+			}
+		};
+	} catch (error) {
+		if (error instanceof errors.JWTExpired) {
+			logger.warn({}, "OIDC token has expired");
+			return {
+				success: false,
+				errorType: "expired",
+				message: "OIDC token has expired"
+			};
+		}
+		if (error instanceof errors.JWTClaimValidationFailed) {
+			const claimError = error;
+			if (claimError.claim === "iss") {
+				logger.warn({ issuer: claimError.reason }, "Invalid OIDC token issuer");
+				return {
+					success: false,
+					errorType: "wrong_issuer",
+					message: `Invalid token issuer: expected ${GITHUB_OIDC_ISSUER}`
+				};
+			}
+			if (claimError.claim === "aud") {
+				logger.warn({ audience: claimError.reason }, "Invalid OIDC token audience");
+				return {
+					success: false,
+					errorType: "wrong_audience",
+					message: `Invalid token audience: expected ${EXPECTED_AUDIENCE}`
+				};
+			}
+			logger.warn({
+				claim: claimError.claim,
+				reason: claimError.reason
+			}, "JWT claim validation failed");
+			return {
+				success: false,
+				errorType: "malformed",
+				message: `JWT claim validation failed: ${claimError.claim} ${claimError.reason}`
+			};
+		}
+		if (error instanceof errors.JWSSignatureVerificationFailed) {
+			logger.warn({}, "Invalid OIDC token signature");
+			return {
+				success: false,
+				errorType: "invalid_signature",
+				message: "Invalid token signature"
+			};
+		}
+		if (error instanceof errors.JOSEError) {
+			logger.error({
+				error: error.message,
+				code: error.code
+			}, "JOSE error during token validation");
+			return {
+				success: false,
+				errorType: "malformed",
+				message: `Token validation error: ${error.message}`
+			};
+		}
+		const message = error instanceof Error ? error.message : "Unknown error";
+		logger.error({ error: message }, "Unexpected error during token validation");
+		return {
+			success: false,
+			errorType: "malformed",
+			message: `Token validation error: ${message}`
+		};
+	}
+}
+
+//#endregion
+export { validateOidcToken };

package/dist/domains/github/routes/tokenExchange.d.ts

@@ -0,0 +1,7 @@
+import { Hono } from "hono";
+import * as hono_types7 from "hono/types";
+
+//#region src/domains/github/routes/tokenExchange.d.ts
+declare const app: Hono<hono_types7.BlankEnv, hono_types7.BlankSchema, "/">;
+//#endregion
+export { app as default };

package/dist/domains/github/routes/tokenExchange.js

@@ -0,0 +1,130 @@
+import { getLogger } from "../../../logger.js";
+import { isGitHubAppConfigured } from "../config.js";
+import { generateInstallationAccessToken, lookupInstallationForRepo } from "../installation.js";
+import { validateOidcToken } from "../oidcToken.js";
+import { Hono } from "hono";
+import { z } from "zod";
+
+//#region src/domains/github/routes/tokenExchange.ts
+const logger = getLogger("github-token-exchange");
+const TokenExchangeRequestSchema = z.object({ oidc_token: z.string() });
+const app = new Hono();
+/**
+* Exchange GitHub OIDC token for installation token.
+*
+* This is an internal infrastructure endpoint called by the CLI from GitHub Actions.
+* It exchanges a GitHub Actions OIDC token for a GitHub App installation access token.
+* Not included in the public OpenAPI spec.
+*/
+app.post("/", async (c) => {
+	const rawBody = await c.req.json().catch(() => null);
+	const parseResult = TokenExchangeRequestSchema.safeParse(rawBody);
+	if (!parseResult.success) {
+		const errorMessage = parseResult.error.issues.map((issue) => `${issue.path.join(".")}: ${issue.message}`).join("; ");
+		c.header("Content-Type", "application/problem+json");
+		return c.json({
+			title: "Bad Request",
+			status: 400,
+			detail: errorMessage,
+			error: errorMessage
+		}, 400);
+	}
+	const body = parseResult.data;
+	logger.info({}, "Processing token exchange request");
+	if (!isGitHubAppConfigured()) {
+		logger.error({}, "GitHub App credentials not configured");
+		const errorMessage = "GitHub App credentials are not configured. Please contact the administrator to set up GITHUB_APP_ID and GITHUB_APP_PRIVATE_KEY.";
+		c.header("Content-Type", "application/problem+json");
+		return c.json({
+			title: "GitHub App Not Configured",
+			status: 500,
+			detail: errorMessage,
+			error: errorMessage
+		}, 500);
+	}
+	const validationResult = await validateOidcToken(body.oidc_token);
+	if (!validationResult.success) {
+		const errorType = validationResult.errorType;
+		logger.warn({
+			errorType,
+			message: validationResult.message
+		}, "OIDC token validation failed");
+		c.header("Content-Type", "application/problem+json");
+		if (errorType === "malformed") return c.json({
+			title: "Bad Request",
+			status: 400,
+			detail: validationResult.message,
+			error: validationResult.message
+		}, 400);
+		return c.json({
+			title: "Token Validation Failed",
+			status: 401,
+			detail: validationResult.message,
+			error: validationResult.message
+		}, 401);
+	}
+	const { claims } = validationResult;
+	const installationResult = await lookupInstallationForRepo(claims.repository_owner, claims.repository.split("/")[1]);
+	if (!installationResult.success) {
+		const { errorType, message } = installationResult;
+		if (errorType === "not_installed") {
+			c.header("Content-Type", "application/problem+json");
+			return c.json({
+				title: "GitHub App Not Installed",
+				status: 403,
+				detail: message,
+				error: message
+			}, 403);
+		}
+		logger.error({
+			errorType,
+			message,
+			repository: claims.repository
+		}, "Failed to look up GitHub App installation");
+		c.header("Content-Type", "application/problem+json");
+		return c.json({
+			title: "Installation Lookup Failed",
+			status: 500,
+			detail: message,
+			error: message
+		}, 500);
+	}
+	const { installation } = installationResult;
+	logger.info({
+		installationId: installation.installationId,
+		repository: claims.repository
+	}, "Found GitHub App installation");
+	const tokenResult = await generateInstallationAccessToken(installation.installationId);
+	if (!tokenResult.success) {
+		const { errorType, message } = tokenResult;
+		logger.error({
+			errorType,
+			message,
+			installationId: installation.installationId,
+			repository: claims.repository
+		}, "Failed to generate installation access token");
+		c.header("Content-Type", "application/problem+json");
+		return c.json({
+			title: "Token Generation Failed",
+			status: 500,
+			detail: message,
+			error: message
+		}, 500);
+	}
+	const { accessToken } = tokenResult;
+	logger.info({
+		installationId: installation.installationId,
+		repository: claims.repository,
+		expiresAt: accessToken.expiresAt
+	}, "Token exchange completed successfully");
+	return c.json({
+		token: accessToken.token,
+		expires_at: accessToken.expiresAt,
+		repository: claims.repository,
+		installation_id: installation.installationId
+	}, 200);
+});
+var tokenExchange_default = app;
+
+//#endregion
+export { tokenExchange_default as default };

package/dist/domains/index.d.ts

@@ -1,4 +1,5 @@
 import { createEvalRoutes, evalRoutes } from "./evals/index.js";
+import { createGithubRoutes, githubRoutes } from "./github/index.js";
 import { createManageRoutes, manageRoutes } from "./manage/index.js";
 import { createRunRoutes, runRoutes } from "./run/index.js";
-export { createEvalRoutes, createManageRoutes, createRunRoutes, evalRoutes, manageRoutes, runRoutes };
+export { createEvalRoutes, createGithubRoutes, createManageRoutes, createRunRoutes, evalRoutes, githubRoutes, manageRoutes, runRoutes };

package/dist/domains/index.js

@@ -1,5 +1,6 @@
 import { createEvalRoutes, evalRoutes } from "./evals/index.js";
+import { createGithubRoutes, githubRoutes } from "./github/index.js";
 import { createManageRoutes, manageRoutes } from "./manage/index.js";
 import { createRunRoutes, runRoutes } from "./run/index.js";
 
-export { createEvalRoutes, createManageRoutes, createRunRoutes, evalRoutes, manageRoutes, runRoutes };
+export { createEvalRoutes, createGithubRoutes, createManageRoutes, createRunRoutes, evalRoutes, githubRoutes, manageRoutes, runRoutes };

package/dist/domains/manage/routes/conversations.d.ts

@@ -1,7 +1,7 @@
 import { OpenAPIHono } from "@hono/zod-openapi";
-import * as hono16 from "hono";
+import * as hono10 from "hono";
 
 //#region src/domains/manage/routes/conversations.d.ts
-declare const app: OpenAPIHono<hono16.Env, {}, "/">;
+declare const app: OpenAPIHono<hono10.Env, {}, "/">;
 //#endregion
 export { app as default };

package/dist/domains/manage/routes/evals/evaluationResults.d.ts

@@ -1,7 +1,7 @@
 import { OpenAPIHono } from "@hono/zod-openapi";
-import * as hono18 from "hono";
+import * as hono17 from "hono";
 
 //#region src/domains/manage/routes/evals/evaluationResults.d.ts
-declare const app: OpenAPIHono<hono18.Env, {}, "/">;
+declare const app: OpenAPIHono<hono17.Env, {}, "/">;
 //#endregion
 export { app as default };

package/dist/domains/manage/routes/index.d.ts

@@ -1,7 +1,7 @@
 import { OpenAPIHono } from "@hono/zod-openapi";
-import * as hono6 from "hono";
+import * as hono18 from "hono";
 
 //#region src/domains/manage/routes/index.d.ts
-declare const app: OpenAPIHono<hono6.Env, {}, "/">;
+declare const app: OpenAPIHono<hono18.Env, {}, "/">;
 //#endregion
 export { app as default };

package/dist/domains/manage/routes/mcp.d.ts

@@ -1,7 +1,7 @@
 import { Hono } from "hono";
-import * as hono_types5 from "hono/types";
+import * as hono_types13 from "hono/types";
 
 //#region src/domains/manage/routes/mcp.d.ts
-declare const app: Hono<hono_types5.BlankEnv, hono_types5.BlankSchema, "/">;
+declare const app: Hono<hono_types13.BlankEnv, hono_types13.BlankSchema, "/">;
 //#endregion
 export { app as default };

package/dist/domains/manage/routes/signoz.d.ts

@@ -1,10 +1,10 @@
 import { ManageAppVariables } from "../../../types/app.js";
 import { Hono } from "hono";
-import * as hono_types9 from "hono/types";
+import * as hono_types15 from "hono/types";
 
 //#region src/domains/manage/routes/signoz.d.ts
 declare const app: Hono<{
   Variables: ManageAppVariables;
-}, hono_types9.BlankSchema, "/">;
+}, hono_types15.BlankSchema, "/">;
 //#endregion
 export { app as default };

package/dist/domains/run/agents/relationTools.d.ts

@@ -1,6 +1,6 @@
 import { AgentConfig, DelegateRelation } from "./Agent.js";
 import { InternalRelation } from "../utils/project.js";
-import * as _inkeep_agents_core1 from "@inkeep/agents-core";
+import * as _inkeep_agents_core2 from "@inkeep/agents-core";
 import { CredentialStoreRegistry, FullExecutionContext } from "@inkeep/agents-core";
 import * as ai0 from "ai";
 
@@ -44,7 +44,7 @@ declare function createDelegateToAgentTool({
   message: string;
 }, {
   toolCallId: any;
-  result: _inkeep_agents_core1.Message | _inkeep_agents_core1.Task;
+  result: _inkeep_agents_core2.Message | _inkeep_agents_core2.Task;
 }>;
 /**
  * Parameters for building a transfer relation config

package/dist/domains/run/context/ContextResolver.js

@@ -1,8 +1,8 @@
 import { ContextCache } from "./contextCache.js";
 import { ContextFetcher, MissingRequiredVariableError } from "./ContextFetcher.js";
 import { getLogger, getTracer, setSpanWithError } from "@inkeep/agents-core";
-import { SpanStatusCode } from "@opentelemetry/api";
 import crypto from "node:crypto";
+import { SpanStatusCode } from "@opentelemetry/api";
 
 //#region src/domains/run/context/ContextResolver.ts
 const logger = getLogger("context-resolver");

package/dist/domains/run/services/BaseCompressor.js

@@ -5,8 +5,8 @@ import { getCompressionConfigForModel } from "../utils/model-context-utils.js";
 import { tracer } from "../utils/tracer.js";
 import { agentSessionManager } from "./AgentSession.js";
 import { getLedgerArtifacts } from "@inkeep/agents-core";
-import { SpanStatusCode } from "@opentelemetry/api";
 import { randomUUID } from "node:crypto";
+import { SpanStatusCode } from "@opentelemetry/api";
 
 //#region src/domains/run/services/BaseCompressor.ts
 const logger = getLogger$1("BaseCompressor");

package/dist/domains/run/utils/token-estimator.d.ts

@@ -1,4 +1,4 @@
-import * as _inkeep_agents_core3 from "@inkeep/agents-core";
+import * as _inkeep_agents_core1 from "@inkeep/agents-core";
 import { BreakdownComponentDef, ContextBreakdown, calculateBreakdownTotal, createEmptyBreakdown } from "@inkeep/agents-core";
 
 //#region src/domains/run/utils/token-estimator.d.ts
@@ -17,7 +17,7 @@ interface AssembleResult {
   /** The assembled prompt string */
   prompt: string;
   /** Token breakdown for each component */
-  breakdown: _inkeep_agents_core3.ContextBreakdown;
+  breakdown: _inkeep_agents_core1.ContextBreakdown;
 }
 //#endregion
 export { AssembleResult, type BreakdownComponentDef, type ContextBreakdown, calculateBreakdownTotal, createEmptyBreakdown, estimateTokens };

package/dist/factory.d.ts

@@ -795,25 +795,25 @@ declare function createAgentsAuth(userAuthConfig?: UserAuthConfig): better_auth0
       ac: better_auth_plugins0.AccessControl;
       roles: {
         member: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "project" | "member" | "invitation" | "ac" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "project" | "member" | "invitation" | "ac" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "project" | "member" | "invitation" | "ac" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"organization" | "project" | "member" | "invitation" | "ac" | "team", better_auth_plugins0.Statements>;
         };
         admin: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "project" | "member" | "invitation" | "ac" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "project" | "member" | "invitation" | "ac" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "project" | "member" | "invitation" | "ac" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"organization" | "project" | "member" | "invitation" | "ac" | "team", better_auth_plugins0.Statements>;
         };
         owner: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "project" | "member" | "invitation" | "ac" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "project" | "member" | "invitation" | "ac" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "project" | "member" | "invitation" | "ac" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"organization" | "project" | "member" | "invitation" | "ac" | "team", better_auth_plugins0.Statements>;
         };
       };
       membershipLimit: number;
@@ -987,7 +987,7 @@ declare function createAgentsAuth(userAuthConfig?: UserAuthConfig): better_auth0
         id: string;
         organizationId: string;
         email: string;
-        role: "member" | "owner" | "admin";
+        role: "owner" | "admin" | "member";
         status: better_auth_plugins0.InvitationStatus;
         inviterId: string;
         expiresAt: Date;
@@ -996,7 +996,7 @@ declare function createAgentsAuth(userAuthConfig?: UserAuthConfig): better_auth0
       Member: {
         id: string;
         organizationId: string;
-        role: "member" | "owner" | "admin";
+        role: "owner" | "admin" | "member";
         createdAt: Date;
         userId: string;
         user: {
@@ -1012,7 +1012,7 @@ declare function createAgentsAuth(userAuthConfig?: UserAuthConfig): better_auth0
         members: {
           id: string;
           organizationId: string;
-          role: "member" | "owner" | "admin";
+          role: "owner" | "admin" | "member";
           createdAt: Date;
           userId: string;
           user: {
@@ -1026,7 +1026,7 @@ declare function createAgentsAuth(userAuthConfig?: UserAuthConfig): better_auth0
           id: string;
           organizationId: string;
           email: string;
-          role: "member" | "owner" | "admin";
+          role: "owner" | "admin" | "member";
           status: better_auth_plugins0.InvitationStatus;
           inviterId: string;
           expiresAt: Date;
@@ -1104,25 +1104,25 @@ declare function createAgentsAuth(userAuthConfig?: UserAuthConfig): better_auth0
       ac: better_auth_plugins0.AccessControl;
       roles: {
         member: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "project" | "member" | "invitation" | "ac" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "project" | "member" | "invitation" | "ac" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "project" | "member" | "invitation" | "ac" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"organization" | "project" | "member" | "invitation" | "ac" | "team", better_auth_plugins0.Statements>;
         };
         admin: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "project" | "member" | "invitation" | "ac" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "project" | "member" | "invitation" | "ac" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "project" | "member" | "invitation" | "ac" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"organization" | "project" | "member" | "invitation" | "ac" | "team", better_auth_plugins0.Statements>;
         };
         owner: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "project" | "member" | "invitation" | "ac" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "project" | "member" | "invitation" | "ac" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "project" | "member" | "invitation" | "ac" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"organization" | "project" | "member" | "invitation" | "ac" | "team", better_auth_plugins0.Statements>;
         };
       };
       membershipLimit: number;