@inkeep/agents-api 0.42.0 → 0.44.0

package/dist/domains/manage/routes/mcpToolGithubAccess.js

@@ -0,0 +1,205 @@
+import { getLogger as getLogger$1 } from "../../../logger.js";
+import runDbClient_default from "../../../data/db/runDbClient.js";
+import { requireProjectPermission } from "../../../middleware/projectAccess.js";
+import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
+import { TenantProjectParamsSchema, WorkAppGitHubAccessModeSchema, WorkAppGitHubAccessSetRequestSchema, WorkAppGitHubAccessSetResponseSchema, WorkAppGitHubRepositorySelectSchema, commonGetErrorResponses, commonUpdateErrorResponses, createApiError, getMcpToolAccessMode, getMcpToolRepositoryAccessWithDetails, getToolById, setMcpToolAccessMode, setMcpToolRepositoryAccess, validateRepositoryOwnership } from "@inkeep/agents-core";
+
+//#region src/domains/manage/routes/mcpToolGithubAccess.ts
+const logger = getLogger$1("mcp-tool-github-access");
+const app = new OpenAPIHono();
+const TenantProjectToolParamsSchema = TenantProjectParamsSchema.extend({ toolId: z.string().min(1).describe("The tool ID") });
+const McpToolGitHubAccessModeSchema = WorkAppGitHubAccessModeSchema.describe("Access mode: \"all\" means the MCP tool has access to all project repositories, \"selected\" means the tool is scoped to specific repositories");
+const SetGitHubAccessRequestSchema = WorkAppGitHubAccessSetRequestSchema.extend({ mode: McpToolGitHubAccessModeSchema });
+const GetGitHubAccessResponseSchema = z.object({
+	mode: McpToolGitHubAccessModeSchema,
+	repositories: z.array(WorkAppGitHubRepositorySelectSchema.extend({ installationAccountLogin: z.string().describe("The GitHub account login for the installation") })).describe("List of repositories the MCP tool has access to (only populated when mode=\"selected\")")
+});
+const SetGitHubAccessResponseSchema = WorkAppGitHubAccessSetResponseSchema.extend({
+	mode: McpToolGitHubAccessModeSchema,
+	repositoryCount: z.number().describe("Number of repositories the MCP tool now has access to (0 when mode=\"all\")")
+});
+async function validateGitHubWorkappTool(db, tenantId, projectId, toolId) {
+	const tool = await getToolById(db)({
+		scopes: {
+			tenantId,
+			projectId
+		},
+		toolId
+	});
+	if (!tool) throw createApiError({
+		code: "not_found",
+		message: `Tool not found: ${toolId}`
+	});
+	if (!tool.isWorkApp) throw createApiError({
+		code: "bad_request",
+		message: "GitHub access can only be configured for workapp MCP tools"
+	});
+	if (!tool.config.mcp.server.url?.includes("/github")) throw createApiError({
+		code: "bad_request",
+		message: "GitHub access can only be configured for GitHub MCP tools"
+	});
+}
+app.use("/", requireProjectPermission("edit"));
+app.openapi(createRoute({
+	method: "get",
+	path: "/",
+	summary: "Get MCP tool GitHub repository access",
+	operationId: "get-mcp-tool-github-access",
+	tags: ["Tools"],
+	description: "Returns the current GitHub repository access configuration for an MCP tool. If mode is \"all\", the tool has access to all repositories the project can access. If mode is \"selected\", the tool is scoped to specific repositories. ",
+	request: { params: TenantProjectToolParamsSchema },
+	responses: {
+		200: {
+			description: "GitHub access configuration retrieved successfully",
+			content: { "application/json": { schema: GetGitHubAccessResponseSchema } }
+		},
+		...commonGetErrorResponses
+	}
+}), async (c) => {
+	const { tenantId, projectId, toolId } = c.req.valid("param");
+	const db = c.get("db");
+	logger.info({
+		tenantId,
+		projectId,
+		toolId
+	}, "Getting MCP tool GitHub access configuration");
+	await validateGitHubWorkappTool(db, tenantId, projectId, toolId);
+	if (await getMcpToolAccessMode(runDbClient_default)(toolId) === "all") {
+		logger.info({
+			tenantId,
+			projectId,
+			toolId
+		}, "MCP tool has access to all project repositories (mode=all)");
+		return c.json({
+			mode: "all",
+			repositories: []
+		}, 200);
+	}
+	const repositoriesWithDetails = await getMcpToolRepositoryAccessWithDetails(runDbClient_default)(toolId);
+	logger.info({
+		tenantId,
+		projectId,
+		toolId,
+		repositoryCount: repositoriesWithDetails.length
+	}, "Got MCP tool GitHub access configuration (mode=selected)");
+	return c.json({
+		mode: "selected",
+		repositories: repositoriesWithDetails.map((repo) => ({
+			id: repo.id,
+			installationDbId: repo.installationDbId,
+			repositoryId: repo.repositoryId,
+			repositoryName: repo.repositoryName,
+			repositoryFullName: repo.repositoryFullName,
+			private: repo.private,
+			createdAt: repo.createdAt,
+			updatedAt: repo.updatedAt,
+			installationAccountLogin: repo.installationAccountLogin
+		}))
+	}, 200);
+});
+app.openapi(createRoute({
+	method: "put",
+	path: "/",
+	summary: "Set MCP tool GitHub repository access",
+	operationId: "set-mcp-tool-github-access",
+	tags: ["Tools"],
+	description: "Configures which GitHub repositories an MCP tool can access. When mode is \"all\", the tool has access to all repositories the project can access. When mode is \"selected\", the tool is scoped to specific repositories (repositoryIds required). This replaces any existing access configuration. This endpoint only works for GitHub workapp MCP tools (isWorkApp=true and URL contains /github).",
+	request: {
+		params: TenantProjectToolParamsSchema,
+		body: { content: { "application/json": { schema: SetGitHubAccessRequestSchema } } }
+	},
+	responses: {
+		200: {
+			description: "GitHub access configuration updated successfully",
+			content: { "application/json": { schema: SetGitHubAccessResponseSchema } }
+		},
+		...commonUpdateErrorResponses
+	}
+}), async (c) => {
+	const { tenantId, projectId, toolId } = c.req.valid("param");
+	const { mode, repositoryIds } = c.req.valid("json");
+	const db = c.get("db");
+	logger.info({
+		tenantId,
+		projectId,
+		toolId,
+		mode
+	}, "Setting MCP tool GitHub access configuration");
+	await validateGitHubWorkappTool(db, tenantId, projectId, toolId);
+	if (mode === "selected") {
+		if (!repositoryIds || repositoryIds.length === 0) {
+			logger.warn({
+				tenantId,
+				projectId,
+				toolId
+			}, "repositoryIds required when mode is selected");
+			throw createApiError({
+				code: "bad_request",
+				message: "repositoryIds is required when mode is \"selected\""
+			});
+		}
+		const invalidRepoIds = await validateRepositoryOwnership(runDbClient_default)({
+			tenantId,
+			repositoryIds
+		});
+		if (invalidRepoIds.length > 0) {
+			logger.warn({
+				tenantId,
+				projectId,
+				toolId,
+				invalidRepoIds
+			}, "Some repository IDs do not belong to tenant installations");
+			throw createApiError({
+				code: "bad_request",
+				message: `Invalid repository IDs: ${invalidRepoIds.join(", ")}. Repositories must belong to GitHub installations owned by this tenant.`
+			});
+		}
+		await setMcpToolAccessMode(runDbClient_default)({
+			toolId,
+			tenantId,
+			projectId,
+			mode: "selected"
+		});
+		await setMcpToolRepositoryAccess(runDbClient_default)({
+			toolId,
+			tenantId,
+			projectId,
+			repositoryIds
+		});
+		logger.info({
+			tenantId,
+			projectId,
+			toolId,
+			repositoryCount: repositoryIds.length
+		}, "MCP tool GitHub access set to selected repositories");
+		return c.json({
+			mode: "selected",
+			repositoryCount: repositoryIds.length
+		}, 200);
+	}
+	await setMcpToolAccessMode(runDbClient_default)({
+		toolId,
+		tenantId,
+		projectId,
+		mode: "all"
+	});
+	await setMcpToolRepositoryAccess(runDbClient_default)({
+		toolId,
+		tenantId,
+		projectId,
+		repositoryIds: []
+	});
+	logger.info({
+		tenantId,
+		projectId,
+		toolId
+	}, "MCP tool GitHub access set to all project repositories");
+	return c.json({
+		mode: "all",
+		repositoryCount: 0
+	}, 200);
+});
+var mcpToolGithubAccess_default = app;
+
+//#endregion
+export { mcpToolGithubAccess_default as default };

package/dist/domains/manage/routes/playgroundToken.js

@@ -19,7 +19,7 @@ app.openapi(createRoute({
 	path: "/",
 	summary: "Generate temporary API key for playground",
 	operationId: "create-playground-token",
-	tags: ["Playground"],
+	tags: ["API Keys"],
 	description: "Generates a short-lived API key (1 hour expiry) for authenticated users to access the run-api from the playground",
 	security: [{ cookieAuth: [] }],
 	request: {
@@ -53,7 +53,6 @@ app.openapi(createRoute({
 		agentId
 	}, "Generating temporary JWT token for playground");
 	if (!await canUseProject({
-		tenantId,
 		userId,
 		projectId,
 		orgRole: tenantRole

package/dist/domains/manage/routes/projectFull.js

@@ -14,16 +14,33 @@ app.use("/project-full", async (c, next) => {
 	return next();
 });
 app.use("/project-full/:projectId", async (c, next) => {
-	if (c.req.method === "PUT") return requireProjectPermission("edit")(c, next);
-	if (c.req.method === "DELETE") return requireProjectPermission("edit")(c, next);
+	if (c.req.method === "GET") return requireProjectPermission("view")(c, next);
 	return next();
 });
+app.use("/project-full/:projectId/with-relation-ids", async (c, next) => {
+	if (c.req.method === "GET") return requireProjectPermission("view")(c, next);
+	return next();
+});
+const requireProjectUpsertPermission = async (c, next) => {
+	const tenantId = c.get("tenantId");
+	const projectId = c.req.param("projectId");
+	if (!tenantId || !projectId) throw createApiError({
+		code: "bad_request",
+		message: "Missing tenantId or projectId"
+	});
+	const exists = await getProjectMetadata(runDbClient_default)({
+		tenantId,
+		projectId
+	});
+	c.set("isProjectCreate", !exists);
+	return exists ? requireProjectPermission("edit")(c, next) : requirePermission({ project: ["create"] })(c, next);
+};
 app.openapi(createRoute({
 	method: "post",
 	path: "/project-full",
 	summary: "Create Full Project",
 	operationId: "create-full-project",
-	tags: ["Full Project"],
+	tags: ["Projects"],
 	description: "Create a complete project with all Agents, Sub Agents, tools, and relationships from JSON definition",
 	request: {
 		params: TenantParamsSchema,
@@ -90,7 +107,7 @@ app.openapi(createRoute({
 	path: "/project-full/{projectId}",
 	summary: "Get Full Project",
 	operationId: "get-full-project",
-	tags: ["Full Project"],
+	tags: ["Projects"],
 	description: "Retrieve a complete project definition with all Agents, Sub Agents, tools, and relationships",
 	request: { params: TenantProjectParamsSchema },
 	responses: {
@@ -129,7 +146,7 @@ app.openapi(createRoute({
 	path: "/project-full/{projectId}/with-relation-ids",
 	summary: "Get Full Project with Relation IDs",
 	operationId: "get-full-project-with-relation-ids",
-	tags: ["Full Project"],
+	tags: ["Projects"],
 	description: "Retrieve a complete project definition with all Agents, Sub Agents, tools, and relationships",
 	request: { params: TenantProjectParamsSchema },
 	responses: {
@@ -163,12 +180,16 @@ app.openapi(createRoute({
 		});
 	}
 });
+app.use("/project-full/:projectId", async (c, next) => {
+	if (c.req.method === "PUT") return requireProjectUpsertPermission(c, next);
+	return next();
+});
 app.openapi(createRoute({
 	method: "put",
 	path: "/project-full/{projectId}",
 	summary: "Update Full Project",
 	operationId: "update-full-project",
-	tags: ["Full Project"],
+	tags: ["Projects"],
 	description: "Update or create a complete project with all Agents, Sub Agents, tools, and relationships from JSON definition",
 	request: {
 		params: TenantProjectParamsSchema,
@@ -196,10 +217,7 @@ app.openapi(createRoute({
 			code: "bad_request",
 			message: `Project ID mismatch: expected ${projectId}, got ${validatedProjectData.id}`
 		});
-		const isCreate = !await getProjectMetadata(runDbClient_default)({
-			tenantId,
-			projectId
-		});
+		const isCreate = c.get("isProjectCreate") ?? false;
 		if (isCreate) {
 			await createProjectMetadataAndBranch(runDbClient_default, configDb)({
 				tenantId,
@@ -245,12 +263,16 @@ app.openapi(createRoute({
 		});
 	}
 });
+app.use("/project-full/:projectId", async (c, next) => {
+	if (c.req.method === "DELETE") return requirePermission({ project: ["delete"] })(c, next);
+	return next();
+});
 app.openapi(createRoute({
 	method: "delete",
 	path: "/project-full/{projectId}",
 	summary: "Delete Full Project",
 	operationId: "delete-full-project",
-	tags: ["Full Project"],
+	tags: ["Projects"],
 	description: "Delete a complete project and cascade to all related entities (Agents, Sub Agents, tools, relationships)",
 	request: { params: TenantProjectParamsSchema },
 	responses: {

package/dist/domains/manage/routes/projectGithubAccess.d.ts

@@ -0,0 +1,9 @@
+import { ManageAppVariables } from "../../../types/app.js";
+import { OpenAPIHono } from "@hono/zod-openapi";
+
+//#region src/domains/manage/routes/projectGithubAccess.d.ts
+declare const app: OpenAPIHono<{
+  Variables: ManageAppVariables;
+}, {}, "/">;
+//#endregion
+export { app as default };

package/dist/domains/manage/routes/projectGithubAccess.js

@@ -0,0 +1,167 @@
+import { getLogger as getLogger$1 } from "../../../logger.js";
+import runDbClient_default from "../../../data/db/runDbClient.js";
+import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
+import { TenantProjectParamsSchema, WorkAppGitHubAccessGetResponseSchema, WorkAppGitHubAccessModeSchema, WorkAppGitHubAccessSetRequestSchema, WorkAppGitHubAccessSetResponseSchema, commonGetErrorResponses, commonUpdateErrorResponses, createApiError, getProjectAccessMode, getProjectRepositoryAccessWithDetails, setProjectAccessMode, setProjectRepositoryAccess, validateRepositoryOwnership } from "@inkeep/agents-core";
+
+//#region src/domains/manage/routes/projectGithubAccess.ts
+const logger = getLogger$1("project-github-access");
+const app = new OpenAPIHono();
+const ProjectGitHubAccessModeSchema = WorkAppGitHubAccessModeSchema.describe("Access mode: \"all\" means project has access to all tenant repositories, \"selected\" means project is scoped to specific repositories");
+const SetGitHubAccessRequestSchema = WorkAppGitHubAccessSetRequestSchema.extend({ mode: ProjectGitHubAccessModeSchema });
+const GetGitHubAccessResponseSchema = WorkAppGitHubAccessGetResponseSchema.extend({ mode: ProjectGitHubAccessModeSchema }).describe("GitHub access configuration for a project");
+const SetGitHubAccessResponseSchema = WorkAppGitHubAccessSetResponseSchema.extend({
+	mode: ProjectGitHubAccessModeSchema,
+	repositoryCount: z.number().describe("Number of repositories the project now has access to (0 when mode=\"all\")")
+});
+app.openapi(createRoute({
+	method: "get",
+	path: "/",
+	summary: "Get project GitHub repository access",
+	operationId: "get-project-github-access",
+	tags: ["Projects"],
+	description: "Returns the current GitHub repository access configuration for a project. If mode is \"all\", the project has access to all repositories from tenant GitHub installations. If mode is \"selected\", the project is scoped to specific repositories.",
+	request: { params: TenantProjectParamsSchema },
+	responses: {
+		200: {
+			description: "GitHub access configuration retrieved successfully",
+			content: { "application/json": { schema: GetGitHubAccessResponseSchema } }
+		},
+		...commonGetErrorResponses
+	}
+}), async (c) => {
+	const { tenantId, projectId } = c.req.valid("param");
+	logger.info({
+		tenantId,
+		projectId
+	}, "Getting project GitHub access configuration");
+	if (await getProjectAccessMode(runDbClient_default)({
+		tenantId,
+		projectId
+	}) === "all") {
+		logger.info({
+			tenantId,
+			projectId
+		}, "Project has access to all repositories (mode=all)");
+		return c.json({
+			mode: "all",
+			repositories: []
+		}, 200);
+	}
+	const repositoriesWithDetails = await getProjectRepositoryAccessWithDetails(runDbClient_default)({
+		tenantId,
+		projectId
+	});
+	logger.info({
+		tenantId,
+		projectId,
+		repositoryCount: repositoriesWithDetails.length
+	}, "Got project GitHub access configuration (mode=selected)");
+	return c.json({
+		mode: "selected",
+		repositories: repositoriesWithDetails.map((repo) => ({
+			id: repo.id,
+			installationDbId: repo.installationDbId,
+			repositoryId: repo.repositoryId,
+			repositoryName: repo.repositoryName,
+			repositoryFullName: repo.repositoryFullName,
+			private: repo.private,
+			createdAt: repo.createdAt,
+			updatedAt: repo.updatedAt
+		}))
+	}, 200);
+});
+app.openapi(createRoute({
+	method: "put",
+	path: "/",
+	summary: "Set project GitHub repository access",
+	operationId: "set-project-github-access",
+	tags: ["Projects"],
+	description: "Configures which GitHub repositories a project can access. When mode is \"all\", the project has access to all repositories from tenant GitHub installations. When mode is \"selected\", the project is scoped to specific repositories (repositoryIds required). This replaces any existing access configuration.",
+	request: {
+		params: TenantProjectParamsSchema,
+		body: { content: { "application/json": { schema: SetGitHubAccessRequestSchema } } }
+	},
+	responses: {
+		200: {
+			description: "GitHub access configuration updated successfully",
+			content: { "application/json": { schema: SetGitHubAccessResponseSchema } }
+		},
+		...commonUpdateErrorResponses
+	}
+}), async (c) => {
+	const { tenantId, projectId } = c.req.valid("param");
+	const { mode, repositoryIds } = c.req.valid("json");
+	logger.info({
+		tenantId,
+		projectId,
+		mode
+	}, "Setting project GitHub access configuration");
+	if (mode === "selected") {
+		if (!repositoryIds || repositoryIds.length === 0) {
+			logger.warn({
+				tenantId,
+				projectId
+			}, "repositoryIds required when mode is selected");
+			throw createApiError({
+				code: "bad_request",
+				message: "repositoryIds is required when mode is \"selected\""
+			});
+		}
+		const invalidRepoIds = await validateRepositoryOwnership(runDbClient_default)({
+			tenantId,
+			repositoryIds
+		});
+		if (invalidRepoIds.length > 0) {
+			logger.warn({
+				tenantId,
+				projectId,
+				invalidRepoIds
+			}, "Some repository IDs do not belong to tenant installations");
+			throw createApiError({
+				code: "bad_request",
+				message: `Invalid repository IDs: ${invalidRepoIds.join(", ")}. Repositories must belong to GitHub installations owned by this tenant.`
+			});
+		}
+		await setProjectAccessMode(runDbClient_default)({
+			tenantId,
+			projectId,
+			mode: "selected"
+		});
+		await setProjectRepositoryAccess(runDbClient_default)({
+			tenantId,
+			projectId,
+			repositoryIds
+		});
+		logger.info({
+			tenantId,
+			projectId,
+			repositoryCount: repositoryIds.length
+		}, "Project GitHub access set to selected repositories");
+		return c.json({
+			mode: "selected",
+			repositoryCount: repositoryIds.length
+		}, 200);
+	}
+	await setProjectAccessMode(runDbClient_default)({
+		tenantId,
+		projectId,
+		mode: "all"
+	});
+	await setProjectRepositoryAccess(runDbClient_default)({
+		tenantId,
+		projectId,
+		repositoryIds: []
+	});
+	logger.info({
+		tenantId,
+		projectId
+	}, "Project GitHub access set to all repositories");
+	return c.json({
+		mode: "all",
+		repositoryCount: 0
+	}, 200);
+});
+var projectGithubAccess_default = app;
+
+//#endregion
+export { projectGithubAccess_default as default };

package/dist/domains/manage/routes/projectMembers.js

@@ -1,24 +1,21 @@
 import { requireProjectPermission } from "../../../middleware/projectAccess.js";
 import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
-import { changeProjectRole, commonGetErrorResponses, createApiError, grantProjectAccess, isAuthzEnabled, listProjectMembers, revokeProjectAccess } from "@inkeep/agents-core";
+import { ProjectRoles, changeProjectRole, commonGetErrorResponses, createApiError, grantProjectAccess, listProjectMembers, revokeProjectAccess } from "@inkeep/agents-core";
 
 //#region src/domains/manage/routes/projectMembers.ts
 const app = new OpenAPIHono();
+const projectRoleEnum = z.enum([
+	ProjectRoles.ADMIN,
+	ProjectRoles.MEMBER,
+	ProjectRoles.VIEWER
+]);
 const ProjectMemberSchema = z.object({
 	userId: z.string().min(1),
-	role: z.enum([
-		"project_admin",
-		"project_member",
-		"project_viewer"
-	])
+	role: projectRoleEnum
 });
 const ProjectMemberResponseSchema = z.object({ data: z.object({
 	userId: z.string(),
-	role: z.enum([
-		"project_admin",
-		"project_member",
-		"project_viewer"
-	]),
+	role: projectRoleEnum,
 	projectId: z.string()
 }) });
 const ProjectMemberParamsSchema = z.object({
@@ -31,16 +28,8 @@ const ProjectMemberUserParamsSchema = z.object({
 	userId: z.string()
 });
 const UpdateRoleSchema = z.object({
-	role: z.enum([
-		"project_admin",
-		"project_member",
-		"project_viewer"
-	]),
-	previousRole: z.enum([
-		"project_admin",
-		"project_member",
-		"project_viewer"
-	]).optional()
+	role: projectRoleEnum,
+	previousRole: projectRoleEnum.optional()
 });
 app.openapi(createRoute({
 	method: "get",
@@ -55,18 +44,13 @@ app.openapi(createRoute({
 			description: "List of project members",
 			content: { "application/json": { schema: z.object({ data: z.array(z.object({
 				userId: z.string(),
-				role: z.enum([
-					"project_admin",
-					"project_member",
-					"project_viewer"
-				])
+				role: projectRoleEnum
 			})) }) } }
 		},
 		...commonGetErrorResponses
 	}
 }), async (c) => {
 	const { projectId, tenantId } = c.req.valid("param");
-	if (!isAuthzEnabled(tenantId)) return c.json({ data: [] });
 	const members = await listProjectMembers({
 		tenantId,
 		projectId
@@ -98,10 +82,6 @@ app.openapi(createRoute({
 }), async (c) => {
 	const { projectId, tenantId } = c.req.valid("param");
 	const { userId, role } = c.req.valid("json");
-	if (!isAuthzEnabled(tenantId)) throw createApiError({
-		code: "bad_request",
-		message: "Project member management requires authorization to be enabled (ENABLE_AUTHZ=true)"
-	});
 	await grantProjectAccess({
 		tenantId,
 		projectId,
@@ -135,10 +115,6 @@ app.openapi(createRoute({
 }), async (c) => {
 	const { projectId, userId, tenantId } = c.req.valid("param");
 	const { role: newRole, previousRole } = c.req.valid("json");
-	if (!isAuthzEnabled(tenantId)) throw createApiError({
-		code: "bad_request",
-		message: "Project member management requires authorization to be enabled (ENABLE_AUTHZ=true)"
-	});
 	if (!previousRole) throw createApiError({
 		code: "bad_request",
 		message: "previousRole is required to update a member role"
@@ -170,11 +146,7 @@ app.openapi(createRoute({
 	tags: ["Project Members"],
 	request: {
 		params: ProjectMemberUserParamsSchema,
-		query: z.object({ role: z.enum([
-			"project_admin",
-			"project_member",
-			"project_viewer"
-		]) })
+		query: z.object({ role: projectRoleEnum })
 	},
 	responses: {
 		204: { description: "Member removed successfully" },
@@ -183,10 +155,6 @@ app.openapi(createRoute({
 }), async (c) => {
 	const { projectId, userId, tenantId } = c.req.valid("param");
 	const { role } = c.req.valid("query");
-	if (!isAuthzEnabled(tenantId)) throw createApiError({
-		code: "bad_request",
-		message: "Project member management requires authorization to be enabled (ENABLE_AUTHZ=true)"
-	});
 	await revokeProjectAccess({
 		tenantId,
 		projectId,

package/dist/domains/manage/routes/projectPermissions.js

@@ -1,5 +1,5 @@
 import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
-import { SpiceDbPermissions, SpiceDbResourceTypes, checkBulkPermissions, commonGetErrorResponses, createApiError, isAuthzEnabled } from "@inkeep/agents-core";
+import { OrgRoles, SpiceDbProjectPermissions, SpiceDbResourceTypes, checkBulkPermissions, commonGetErrorResponses, createApiError } from "@inkeep/agents-core";
 
 //#region src/domains/manage/routes/projectPermissions.ts
 const app = new OpenAPIHono();
@@ -28,18 +28,18 @@ app.openapi(createRoute({
 		...commonGetErrorResponses
 	}
 }), async (c) => {
-	const { projectId, tenantId } = c.req.valid("param");
+	const { projectId } = c.req.valid("param");
 	const userId = c.get("userId");
 	const tenantRole = c.get("tenantRole");
-	if (tenantRole === "owner" || tenantRole === "admin") return c.json({ data: {
+	if (process.env.ENVIRONMENT === "test") return c.json({ data: {
 		canView: true,
 		canUse: true,
 		canEdit: true
 	} });
-	if (!isAuthzEnabled(tenantId)) return c.json({ data: {
+	if (tenantRole === OrgRoles.OWNER || tenantRole === OrgRoles.ADMIN) return c.json({ data: {
 		canView: true,
 		canUse: true,
-		canEdit: false
+		canEdit: true
 	} });
 	if (!userId) throw createApiError({
 		code: "unauthorized",
@@ -49,17 +49,17 @@ app.openapi(createRoute({
 		resourceType: SpiceDbResourceTypes.PROJECT,
 		resourceId: projectId,
 		permissions: [
-			SpiceDbPermissions.VIEW,
-			SpiceDbPermissions.USE,
-			SpiceDbPermissions.EDIT
+			SpiceDbProjectPermissions.VIEW,
+			SpiceDbProjectPermissions.USE,
+			SpiceDbProjectPermissions.EDIT
 		],
 		subjectType: SpiceDbResourceTypes.USER,
 		subjectId: userId
 	});
 	return c.json({ data: {
-		canView: permissions[SpiceDbPermissions.VIEW] ?? false,
-		canUse: permissions[SpiceDbPermissions.USE] ?? false,
-		canEdit: permissions[SpiceDbPermissions.EDIT] ?? false
+		canView: permissions[SpiceDbProjectPermissions.VIEW] ?? false,
+		canUse: permissions[SpiceDbProjectPermissions.USE] ?? false,
+		canEdit: permissions[SpiceDbProjectPermissions.EDIT] ?? false
 	} });
 });
 var projectPermissions_default = app;