@inkeep/agents-api 0.42.0 → 0.43.0

package/dist/domains/run/utils/stream-helpers.js

@@ -5,6 +5,7 @@ import { parsePartialJson } from "ai";
 var SSEStreamHelper = class {
 	isTextStreaming = false;
 	queuedEvents = [];
+	toolCallIndexById = /* @__PURE__ */ new Map();
 	constructor(stream, requestId, timestamp) {
 		this.stream = stream;
 		this.requestId = requestId;
@@ -40,6 +41,25 @@ var SSEStreamHelper = class {
 			}]
 		}) });
 	}
+	getToolIndex(toolCallId) {
+		const existing = this.toolCallIndexById.get(toolCallId);
+		if (existing !== void 0) return existing;
+		const next = this.toolCallIndexById.size;
+		this.toolCallIndexById.set(toolCallId, next);
+		return next;
+	}
+	async writeToolCallsDelta(toolCalls) {
+		await this.stream.writeSSE({ data: JSON.stringify({
+			id: this.requestId,
+			object: "chat.completion.chunk",
+			created: this.timestamp,
+			choices: [{
+				index: 0,
+				delta: { tool_calls: toolCalls },
+				finish_reason: null
+			}]
+		}) });
+	}
 	/**
 	* Stream text word by word with optional delay
 	*/
@@ -97,6 +117,65 @@ var SSEStreamHelper = class {
 			}]
 		}) });
 	}
+	async writeToolInputStart(params) {
+		const index = this.getToolIndex(params.toolCallId);
+		await this.writeToolCallsDelta([{
+			index,
+			id: params.toolCallId,
+			type: "function",
+			function: {
+				name: params.toolName,
+				arguments: ""
+			}
+		}]);
+	}
+	async writeToolInputDelta(params) {
+		const index = this.getToolIndex(params.toolCallId);
+		await this.writeToolCallsDelta([{
+			index,
+			id: null,
+			type: null,
+			function: {
+				name: null,
+				arguments: params.inputTextDelta
+			}
+		}]);
+	}
+	async writeToolInputAvailable(params) {
+		const fullArgs = JSON.stringify(params.input ?? {});
+		if (fullArgs) await this.writeToolInputDelta({
+			toolCallId: params.toolCallId,
+			inputTextDelta: fullArgs
+		});
+	}
+	async writeToolOutputAvailable(params) {
+		await this.writeContent(JSON.stringify({
+			type: "tool-output-available",
+			toolCallId: params.toolCallId,
+			output: params.output
+		}));
+	}
+	async writeToolOutputError(params) {
+		await this.writeContent(JSON.stringify({
+			type: "tool-output-error",
+			toolCallId: params.toolCallId,
+			errorText: params.errorText,
+			output: params.output ?? null
+		}));
+	}
+	async writeToolApprovalRequest(params) {
+		await this.writeContent(JSON.stringify({
+			type: "tool-approval-request",
+			approvalId: params.approvalId,
+			toolCallId: params.toolCallId
+		}));
+	}
+	async writeToolOutputDenied(params) {
+		await this.writeContent(JSON.stringify({
+			type: "tool-output-denied",
+			toolCallId: params.toolCallId
+		}));
+	}
 	async writeSummary(summary) {
 		if (this.isTextStreaming) {
 			this.queuedEvents.push({
@@ -166,6 +245,7 @@ var VercelDataStreamHelper = class VercelDataStreamHelper {
 			this.forceCleanup("Connection lifetime exceeded");
 		}, STREAM_MAX_LIFETIME_MS);
 	}
+	setSessionId(_sessionId) {}
 	async writeRole(_ = "assistant") {}
 	async writeContent(content) {
 		if (this.isCompleted) {
@@ -272,6 +352,64 @@ var VercelDataStreamHelper = class VercelDataStreamHelper {
 			type: "error"
 		});
 	}
+	async writeToolInputStart(params) {
+		if (this.isCompleted) return;
+		this.writer.write({
+			type: "tool-input-start",
+			toolCallId: params.toolCallId,
+			toolName: params.toolName
+		});
+	}
+	async writeToolInputDelta(params) {
+		if (this.isCompleted) return;
+		this.writer.write({
+			type: "tool-input-delta",
+			toolCallId: params.toolCallId,
+			inputTextDelta: params.inputTextDelta
+		});
+	}
+	async writeToolInputAvailable(params) {
+		if (this.isCompleted) return;
+		this.writer.write({
+			type: "tool-input-available",
+			toolCallId: params.toolCallId,
+			toolName: params.toolName,
+			input: params.input,
+			...params.providerMetadata ? { providerMetadata: params.providerMetadata } : {}
+		});
+	}
+	async writeToolOutputAvailable(params) {
+		if (this.isCompleted) return;
+		this.writer.write({
+			type: "tool-output-available",
+			toolCallId: params.toolCallId,
+			output: params.output
+		});
+	}
+	async writeToolOutputError(params) {
+		if (this.isCompleted) return;
+		this.writer.write({
+			type: "tool-output-error",
+			toolCallId: params.toolCallId,
+			errorText: params.errorText,
+			output: params.output ?? null
+		});
+	}
+	async writeToolApprovalRequest(params) {
+		if (this.isCompleted) return;
+		this.writer.write({
+			type: "tool-approval-request",
+			approvalId: params.approvalId,
+			toolCallId: params.toolCallId
+		});
+	}
+	async writeToolOutputDenied(params) {
+		if (this.isCompleted) return;
+		this.writer.write({
+			type: "tool-output-denied",
+			toolCallId: params.toolCallId
+		});
+	}
 	async streamData(data) {
 		await this.writeContent(JSON.stringify(data));
 	}
@@ -458,6 +596,7 @@ var BufferingStreamHelper = class {
 	capturedSummaries = [];
 	hasError = false;
 	errorMessage = "";
+	setSessionId(_sessionId) {}
 	async writeRole(_role) {}
 	async writeContent(content) {
 		this.capturedText += content;
@@ -487,6 +626,49 @@ var BufferingStreamHelper = class {
 		this.hasError = true;
 		this.errorMessage = typeof error === "string" ? error : error.message;
 	}
+	async writeToolInputStart(params) {
+		this.capturedData.push({
+			type: "tool-input-start",
+			...params
+		});
+	}
+	async writeToolInputDelta(params) {
+		this.capturedData.push({
+			type: "tool-input-delta",
+			...params
+		});
+	}
+	async writeToolInputAvailable(params) {
+		this.capturedData.push({
+			type: "tool-input-available",
+			...params
+		});
+	}
+	async writeToolOutputAvailable(params) {
+		this.capturedData.push({
+			type: "tool-output-available",
+			...params
+		});
+	}
+	async writeToolOutputError(params) {
+		this.capturedData.push({
+			type: "tool-output-error",
+			...params,
+			output: params.output ?? null
+		});
+	}
+	async writeToolApprovalRequest(params) {
+		this.capturedData.push({
+			type: "tool-approval-request",
+			...params
+		});
+	}
+	async writeToolOutputDenied(params) {
+		this.capturedData.push({
+			type: "tool-output-denied",
+			...params
+		});
+	}
 	async complete() {}
 	/**
 	* Get the captured response for non-streaming output

package/dist/domains/run/utils/token-estimator.d.ts

@@ -1,4 +1,4 @@
-import * as _inkeep_agents_core3 from "@inkeep/agents-core";
+import * as _inkeep_agents_core1 from "@inkeep/agents-core";
 import { BreakdownComponentDef, ContextBreakdown, calculateBreakdownTotal, createEmptyBreakdown } from "@inkeep/agents-core";
 
 //#region src/domains/run/utils/token-estimator.d.ts
@@ -17,7 +17,7 @@ interface AssembleResult {
   /** The assembled prompt string */
   prompt: string;
   /** Token breakdown for each component */
-  breakdown: _inkeep_agents_core3.ContextBreakdown;
+  breakdown: _inkeep_agents_core1.ContextBreakdown;
 }
 //#endregion
 export { AssembleResult, type BreakdownComponentDef, type ContextBreakdown, calculateBreakdownTotal, createEmptyBreakdown, estimateTokens };

package/dist/factory.d.ts

@@ -795,25 +795,25 @@ declare function createAgentsAuth(userAuthConfig?: UserAuthConfig): better_auth0
       ac: better_auth_plugins0.AccessControl;
       roles: {
         member: {
-          authorize<K_1 extends "organization" | "ac" | "member" | "project" | "team" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
         };
         admin: {
-          authorize<K_1 extends "organization" | "ac" | "member" | "project" | "team" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
         };
         owner: {
-          authorize<K_1 extends "organization" | "ac" | "member" | "project" | "team" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
         };
       };
       membershipLimit: number;
@@ -840,13 +840,13 @@ declare function createAgentsAuth(userAuthConfig?: UserAuthConfig): better_auth0
           user: better_auth0.User & Record<string, any>;
           organization: better_auth_plugins0.Organization & Record<string, any>;
         }) => Promise<void>;
-        afterUpdateMemberRole: ({
+        beforeUpdateMemberRole: ({
           member,
           organization: org,
-          previousRole
+          newRole
         }: {
           member: better_auth_plugins0.Member & Record<string, any>;
-          previousRole: string;
+          newRole: string;
           user: better_auth0.User & Record<string, any>;
           organization: better_auth_plugins0.Organization & Record<string, any>;
         }) => Promise<void>;
@@ -1104,25 +1104,25 @@ declare function createAgentsAuth(userAuthConfig?: UserAuthConfig): better_auth0
       ac: better_auth_plugins0.AccessControl;
       roles: {
         member: {
-          authorize<K_1 extends "organization" | "ac" | "member" | "project" | "team" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
         };
         admin: {
-          authorize<K_1 extends "organization" | "ac" | "member" | "project" | "team" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
         };
         owner: {
-          authorize<K_1 extends "organization" | "ac" | "member" | "project" | "team" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
         };
       };
       membershipLimit: number;
@@ -1149,13 +1149,13 @@ declare function createAgentsAuth(userAuthConfig?: UserAuthConfig): better_auth0
           user: better_auth0.User & Record<string, any>;
           organization: better_auth_plugins0.Organization & Record<string, any>;
         }) => Promise<void>;
-        afterUpdateMemberRole: ({
+        beforeUpdateMemberRole: ({
           member,
           organization: org,
-          previousRole
+          newRole
         }: {
           member: better_auth_plugins0.Member & Record<string, any>;
-          previousRole: string;
+          newRole: string;
           user: better_auth0.User & Record<string, any>;
           organization: better_auth_plugins0.Organization & Record<string, any>;
         }) => Promise<void>;

package/dist/index.d.ts

@@ -796,25 +796,25 @@ declare const auth: better_auth78.Auth<{
       ac: better_auth_plugins69.AccessControl;
       roles: {
         member: {
-          authorize<K_1 extends "organization" | "ac" | "member" | "project" | "team" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins69.Statements>[key] | {
-            actions: better_auth_plugins69.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins69.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key] | {
+            actions: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins69.AuthorizeResponse;
-          statements: better_auth_plugins69.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins69.Statements>;
+          statements: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>;
         };
         admin: {
-          authorize<K_1 extends "organization" | "ac" | "member" | "project" | "team" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins69.Statements>[key] | {
-            actions: better_auth_plugins69.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins69.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key] | {
+            actions: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins69.AuthorizeResponse;
-          statements: better_auth_plugins69.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins69.Statements>;
+          statements: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>;
         };
         owner: {
-          authorize<K_1 extends "organization" | "ac" | "member" | "project" | "team" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins69.Statements>[key] | {
-            actions: better_auth_plugins69.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins69.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key] | {
+            actions: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins69.AuthorizeResponse;
-          statements: better_auth_plugins69.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins69.Statements>;
+          statements: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>;
         };
       };
       membershipLimit: number;
@@ -841,13 +841,13 @@ declare const auth: better_auth78.Auth<{
           user: better_auth78.User & Record<string, any>;
           organization: better_auth_plugins69.Organization & Record<string, any>;
         }) => Promise<void>;
-        afterUpdateMemberRole: ({
+        beforeUpdateMemberRole: ({
           member,
           organization: org,
-          previousRole
+          newRole
         }: {
           member: better_auth_plugins69.Member & Record<string, any>;
-          previousRole: string;
+          newRole: string;
           user: better_auth78.User & Record<string, any>;
           organization: better_auth_plugins69.Organization & Record<string, any>;
         }) => Promise<void>;
@@ -1105,25 +1105,25 @@ declare const auth: better_auth78.Auth<{
       ac: better_auth_plugins69.AccessControl;
       roles: {
         member: {
-          authorize<K_1 extends "organization" | "ac" | "member" | "project" | "team" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins69.Statements>[key] | {
-            actions: better_auth_plugins69.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins69.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key] | {
+            actions: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins69.AuthorizeResponse;
-          statements: better_auth_plugins69.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins69.Statements>;
+          statements: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>;
         };
         admin: {
-          authorize<K_1 extends "organization" | "ac" | "member" | "project" | "team" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins69.Statements>[key] | {
-            actions: better_auth_plugins69.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins69.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key] | {
+            actions: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins69.AuthorizeResponse;
-          statements: better_auth_plugins69.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins69.Statements>;
+          statements: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>;
         };
         owner: {
-          authorize<K_1 extends "organization" | "ac" | "member" | "project" | "team" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins69.Statements>[key] | {
-            actions: better_auth_plugins69.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins69.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key] | {
+            actions: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins69.AuthorizeResponse;
-          statements: better_auth_plugins69.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins69.Statements>;
+          statements: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>;
         };
       };
       membershipLimit: number;
@@ -1150,13 +1150,13 @@ declare const auth: better_auth78.Auth<{
           user: better_auth78.User & Record<string, any>;
           organization: better_auth_plugins69.Organization & Record<string, any>;
         }) => Promise<void>;
-        afterUpdateMemberRole: ({
+        beforeUpdateMemberRole: ({
           member,
           organization: org,
-          previousRole
+          newRole
         }: {
           member: better_auth_plugins69.Member & Record<string, any>;
-          previousRole: string;
+          newRole: string;
           user: better_auth78.User & Record<string, any>;
           organization: better_auth_plugins69.Organization & Record<string, any>;
         }) => Promise<void>;

package/dist/initialization.js

@@ -1,7 +1,7 @@
 import { getLogger as getLogger$1 } from "./logger.js";
 import { env } from "./env.js";
 import runDbClient_default from "./data/db/runDbClient.js";
-import { addUserToOrganization, getUserByEmail, upsertOrganization } from "@inkeep/agents-core";
+import { OrgRoles, addUserToOrganization, getUserByEmail, syncOrgMemberToSpiceDb, upsertOrganization } from "@inkeep/agents-core";
 
 //#region src/initialization.ts
 const logger = getLogger$1("initialization");
@@ -45,8 +45,15 @@ async function initializeDefaultUser(authInstance) {
 		await addUserToOrganization(runDbClient_default)({
 			userId: user.id,
 			organizationId: orgId,
-			role: "owner"
+			role: OrgRoles.ADMIN
 		});
+		await syncOrgMemberToSpiceDb({
+			tenantId: orgId,
+			userId: user.id,
+			role: OrgRoles.ADMIN,
+			action: "add"
+		});
+		console.log(`🔐 SpiceDB: Synced member ${user.email} as ${OrgRoles.ADMIN} to org ${orgId}`);
 		logger.info({
 			organizationId: orgId,
 			organizationSlug: env.TENANT_ID,

package/dist/middleware/cors.js

@@ -18,7 +18,7 @@ function isOriginAllowed(origin) {
 	if (!origin) return false;
 	try {
 		const requestUrl = new URL(origin);
-		const apiUrl = new URL(env.INKEEP_AGENTS_API_URL || `http://localhost:3002`);
+		const apiUrl = new URL(env.INKEEP_AGENTS_API_URL || "http://localhost:3002");
 		const uiUrl = env.INKEEP_AGENTS_MANAGE_UI_URL ? new URL(env.INKEEP_AGENTS_MANAGE_UI_URL) : null;
 		if (requestUrl.hostname === "localhost" || requestUrl.hostname === "127.0.0.1") return true;
 		if (uiUrl && requestUrl.hostname === uiUrl.hostname) return true;

package/dist/middleware/manageAuth.d.ts

@@ -1,4 +1,4 @@
-import * as hono1 from "hono";
+import * as hono4 from "hono";
 import { BaseExecutionContext } from "@inkeep/agents-core";
 import { createAuth } from "@inkeep/agents-core/auth";
 
@@ -12,7 +12,7 @@ import { createAuth } from "@inkeep/agents-core/auth";
  * 3. Database API key
  * 4. Internal service token
  */
-declare const manageApiKeyAuth: () => hono1.MiddlewareHandler<{
+declare const manageApiKeyAuth: () => hono4.MiddlewareHandler<{
   Variables: {
     executionContext: BaseExecutionContext;
     userId?: string;

package/dist/middleware/projectAccess.d.ts

@@ -1,16 +1,9 @@
 import { ManageAppVariables } from "../types/app.js";
-import * as hono2 from "hono";
+import * as hono3 from "hono";
+import { ProjectPermissionLevel } from "@inkeep/agents-core";
 
 //#region src/middleware/projectAccess.d.ts
 
-/**
- * Permission levels for project access
- *
- * - view: Can see project and resources (read-only)
- * - use: Can invoke agents, create API keys, view traces
- * - edit: Can modify configurations and manage members
- */
-type ProjectPermission = 'view' | 'use' | 'edit';
 /**
  * Middleware to check project-level access.
  *
@@ -26,6 +19,6 @@ declare const requireProjectPermission: <Env$1 extends {
   Variables: ManageAppVariables;
 } = {
   Variables: ManageAppVariables;
-}>(permission?: ProjectPermission) => hono2.MiddlewareHandler<Env$1, string, {}, Response>;
+}>(permission?: ProjectPermissionLevel) => hono3.MiddlewareHandler<Env$1, string, {}, Response>;
 //#endregion
-export { ProjectPermission, requireProjectPermission };
+export { requireProjectPermission };

package/dist/middleware/projectAccess.js

@@ -44,7 +44,6 @@ const requireProjectPermission = (permission = "view") => createMiddleware(async
 		switch (permission) {
 			case "view":
 				hasAccess = await canViewProject({
-					tenantId,
 					userId,
 					projectId,
 					orgRole: tenantRole
@@ -52,7 +51,6 @@ const requireProjectPermission = (permission = "view") => createMiddleware(async
 				break;
 			case "use":
 				hasAccess = await canUseProject({
-					tenantId,
 					userId,
 					projectId,
 					orgRole: tenantRole
@@ -60,7 +58,6 @@ const requireProjectPermission = (permission = "view") => createMiddleware(async
 				break;
 			case "edit":
 				hasAccess = await canEditProject({
-					tenantId,
 					userId,
 					projectId,
 					orgRole: tenantRole
@@ -68,20 +65,7 @@ const requireProjectPermission = (permission = "view") => createMiddleware(async
 				break;
 		}
 		if (!hasAccess) {
-			if (isAuthzEnabled(tenantId) && permission !== "view") {
-				if (await canViewProject({
-					tenantId,
-					userId,
-					projectId,
-					orgRole: tenantRole
-				})) throw createApiError({
-					code: "forbidden",
-					message: `Permission denied. Required: project:${permission}`,
-					instance: c.req.path,
-					extensions: { requiredPermissions: [`project:${permission}`] }
-				});
-			}
-			if (isAuthzEnabled(tenantId)) throw createApiError({
+			if (isAuthzEnabled()) throw createApiError({
 				code: "not_found",
 				message: "Project not found",
 				instance: c.req.path

package/dist/middleware/projectConfig.d.ts

@@ -1,11 +1,11 @@
-import * as hono3 from "hono";
+import * as hono1 from "hono";
 import { BaseExecutionContext, ResolvedRef } from "@inkeep/agents-core";
 
 //#region src/middleware/projectConfig.d.ts
 /**
  * Middleware that fetches the full project definition from the Management API
  */
-declare const projectConfigMiddleware: hono3.MiddlewareHandler<{
+declare const projectConfigMiddleware: hono1.MiddlewareHandler<{
   Variables: {
     executionContext: BaseExecutionContext;
     resolvedRef: ResolvedRef;
@@ -15,7 +15,7 @@ declare const projectConfigMiddleware: hono3.MiddlewareHandler<{
  * Creates a middleware that applies project config fetching except for specified route patterns
  * @param skipRouteCheck - Function that returns true if the route should skip the middleware
  */
-declare const projectConfigMiddlewareExcept: (skipRouteCheck: (path: string) => boolean) => hono3.MiddlewareHandler<{
+declare const projectConfigMiddlewareExcept: (skipRouteCheck: (path: string) => boolean) => hono1.MiddlewareHandler<{
   Variables: {
     executionContext: BaseExecutionContext;
     resolvedRef: ResolvedRef;

package/dist/middleware/requirePermission.d.ts

@@ -1,5 +1,5 @@
 import { ManageAppVariables } from "../types/app.js";
-import * as hono5 from "hono";
+import * as hono14 from "hono";
 
 //#region src/middleware/requirePermission.d.ts
 type Permission = {
@@ -9,6 +9,6 @@ declare const requirePermission: <Env$1 extends {
   Variables: ManageAppVariables;
 } = {
   Variables: ManageAppVariables;
-}>(permissions: Permission) => hono5.MiddlewareHandler<Env$1, string, {}, Response>;
+}>(permissions: Permission) => hono14.MiddlewareHandler<Env$1, string, {}, Response>;
 //#endregion
 export { requirePermission };