@inkeep/agents-core 0.0.0-dev-20251217094718 → 0.0.0-dev-20251217181439

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (9) hide show
  1. package/dist/auth/auth.d.ts +6 -0
  2. package/dist/auth/auth.d.ts.map +1 -1
  3. package/dist/auth/auth.js +3 -0
  4. package/dist/auth/auth.js.map +1 -1
  5. package/dist/auth-schema.d.ts +82 -82
  6. package/dist/auth-validation-schemas.d.ts +129 -129
  7. package/dist/client.d.ts.map +1 -1
  8. package/dist/models.d.ts.map +1 -1
  9. package/package.json +1 -1
package/dist/auth/auth.d.ts CHANGED
@@ -754,6 +754,9 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
754
754
  statements: better_auth_plugins20.Subset<"function" | "organization" | "agent" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "member" | "invitation" | "team", better_auth_plugins20.Statements>;
755
755
  };
756
756
  };
757
+ membershipLimit: number;
758
+ invitationLimit: number;
759
+ invitationExpiresIn: number;
757
760
  sendInvitationEmail(data: {
758
761
  id: string;
759
762
  role: string;
@@ -1030,6 +1033,9 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
1030
1033
  statements: better_auth_plugins20.Subset<"function" | "organization" | "agent" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "member" | "invitation" | "team", better_auth_plugins20.Statements>;
1031
1034
  };
1032
1035
  };
1036
+ membershipLimit: number;
1037
+ invitationLimit: number;
1038
+ invitationExpiresIn: number;
1033
1039
  sendInvitationEmail(data: {
1034
1040
  id: string;
1035
1041
  role: string;
package/dist/auth/auth.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"auth.d.ts","names":[],"sources":["../../src/auth/auth.ts"],"sourcesContent":[],"mappings":";;;;;;;;;;;;UAYiB,kBAAA;;;;;;;;;EAAA,IAAA,CAAA,EAAA,OAAA;EAoBA,OAAA,CAAA,EAAA;IAoBA,EAAA,CAAA,EAAA,MAAA;IASA,KAAA,CAAA,EAAA,MAAA;IAGL,aAAA,CAAA,EAAA,MAAA;IACK,IAAA,CAAA,EAAA,MAAA;IAEJ,KAAA,CAAA,EAAA,MAAA;IAEA,WAAA,CAAA,EAzCK,MAyCL,CAAA,MAAA,EAAA,MAAA,CAAA;EAAyB,CAAA;AAGtC;AACiB,UAzCA,kBAAA,CAyCA;EAEJ,UAAA,EAAA,MAAA;EAEA,IAAA,EAAA,MAAA;EAAyB,WAAA,EAAA,MAAA;EA0FtB,QAAA,CAAA,EAAA,MAAU;EAAS,oBAAA,CAAA,EAAA,OAAA;EAAgB,kBAAA,CAAA,EAAA,MAAA;;;;eAqGw0tJ;IAAA,KAAA,CAAA,EAAA,MAAA;WAAk+C,MAAA;IAAA,SAAA,CAAA,EAAA,MAAA;;;kBA5N30wJ;;;UAID,iBAAA;;;;;eAKF;eACA;;UAGE,gBAAA;;;YAGL;iBACK;;aAEJ;;aAEA;;UAGI,cAAA;iBACA;;aAEJ;;aAEA;;iBA0FG,UAAA,SAAmB,gCAAgB;;;sBAAA,YAAA,CAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kCAqGw0tJ;;;6BAAA,YAAA,CAAA;;;;;gCAAk+C,YAAA;;;;;;;;;yBAAA,YAAA,CAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;QArG1ywJ,UAAA,CAAA,iCAAA,SAAA;QAAA,UAAA,CAAA,iCAAA,SAAA;QAoGa,MAAA,EAAX,MAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;cAAxC,MAAsB,kBAAkB"}
1
+ {"version":3,"file":"auth.d.ts","names":[],"sources":["../../src/auth/auth.ts"],"sourcesContent":[],"mappings":";;;;;;;;;;;;UAYiB,kBAAA;;;;;;;;;EAAA,IAAA,CAAA,EAAA,OAAA;EAoBA,OAAA,CAAA,EAAA;IAoBA,EAAA,CAAA,EAAA,MAAA;IASA,KAAA,CAAA,EAAA,MAAA;IAGL,aAAA,CAAA,EAAA,MAAA;IACK,IAAA,CAAA,EAAA,MAAA;IAEJ,KAAA,CAAA,EAAA,MAAA;IAEA,WAAA,CAAA,EAzCK,MAyCL,CAAA,MAAA,EAAA,MAAA,CAAA;EAAyB,CAAA;AAGtC;AACiB,UAzCA,kBAAA,CAyCA;EAEJ,UAAA,EAAA,MAAA;EAEA,IAAA,EAAA,MAAA;EAAyB,WAAA,EAAA,MAAA;EA0FtB,QAAA,CAAA,EAAA,MAAU;EAAS,oBAAA,CAAA,EAAA,OAAA;EAAgB,kBAAA,CAAA,EAAA,MAAA;;;;eAwGsstJ;IAAA,KAAA,CAAA,EAAA,MAAA;WAAk+C,MAAA;IAAA,SAAA,CAAA,EAAA,MAAA;;;kBA/NzswJ;;;UAID,iBAAA;;;;;eAKF;eACA;;UAGE,gBAAA;;;YAGL;iBACK;;aAEJ;;aAEA;;UAGI,cAAA;iBACA;;aAEJ;;aAEA;;iBA0FG,UAAA,SAAmB,gCAAgB;;;sBAAA,YAAA,CAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kCAwGsstJ;;;6BAAA,YAAA,CAAA;;;;;gCAAk+C,YAAA;;;;;;;;;yBAAA,YAAA,CAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;QAxGxqwJ,UAAA,CAAA,iCAAA,SAAA;QAAA,UAAA,CAAA,iCAAA,SAAA;QAuGa,MAAA,EAAX,MAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;cAAxC,MAAsB,kBAAkB"}
package/dist/auth/auth.js CHANGED
@@ -110,6 +110,9 @@ function createAuth(config) {
110
110
  admin: adminRole,
111
111
  owner: ownerRole
112
112
  },
113
+ membershipLimit: 300,
114
+ invitationLimit: 300,
115
+ invitationExpiresIn: 10080 * 60,
113
116
  async sendInvitationEmail(data) {
114
117
  console.log("📧 Invitation created:", {
115
118
  email: data.email,
package/dist/auth/auth.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"auth.js","names":["domainParts: string[]","authSchema.ssoProvider","auth"],"sources":["../../src/auth/auth.ts"],"sourcesContent":["import { sso } from '@better-auth/sso';\nimport { type BetterAuthAdvancedOptions, betterAuth } from 'better-auth';\nimport { drizzleAdapter } from 'better-auth/adapters/drizzle';\nimport { bearer, deviceAuthorization, organization } from 'better-auth/plugins';\nimport type { GoogleOptions } from 'better-auth/social-providers';\nimport { eq } from 'drizzle-orm';\nimport type { DatabaseClient } from '../db/client';\nimport { env } from '../env';\nimport { generateId } from '../utils';\nimport * as authSchema from './auth-schema';\nimport { ac, adminRole, memberRole, ownerRole } from './permissions';\n\nexport interface OIDCProviderConfig {\n clientId: string;\n clientSecret: string;\n authorizationEndpoint?: string;\n tokenEndpoint?: string;\n userinfoEndpoint?: string;\n jwksEndpoint?: string;\n discoveryEndpoint?: string;\n scopes?: string[];\n pkce?: boolean;\n mapping?: {\n id?: string;\n email?: string;\n emailVerified?: string;\n name?: string;\n image?: string;\n extraFields?: Record<string, string>;\n };\n}\n\nexport interface SAMLProviderConfig {\n entryPoint: string;\n cert: string;\n callbackUrl: string;\n audience?: string;\n wantAssertionsSigned?: boolean;\n signatureAlgorithm?: string;\n digestAlgorithm?: string;\n identifierFormat?: string;\n mapping?: {\n id?: string;\n email?: string;\n name?: string;\n firstName?: string;\n lastName?: string;\n emailVerified?: string;\n extraFields?: Record<string, string>;\n };\n}\n\nexport interface SSOProviderConfig {\n providerId: string;\n issuer: string;\n domain: string;\n organizationId?: string;\n oidcConfig?: OIDCProviderConfig;\n samlConfig?: SAMLProviderConfig;\n}\n\nexport interface BetterAuthConfig {\n baseURL: string;\n secret: string;\n dbClient: DatabaseClient;\n ssoProviders?: SSOProviderConfig[];\n socialProviders?: {\n google?: GoogleOptions;\n };\n advanced?: BetterAuthAdvancedOptions;\n}\n\nexport interface UserAuthConfig {\n ssoProviders?: SSOProviderConfig[];\n socialProviders?: {\n google?: GoogleOptions;\n };\n advanced?: BetterAuthAdvancedOptions;\n}\n\n/**\n * Extracts the root domain from a URL for cross-subdomain cookie sharing.\n * For example:\n * - https://manage-api.pilot.inkeep.com -> .pilot.inkeep.com\n * - https://pilot.inkeep.com -> .pilot.inkeep.com\n * - http://localhost:3002 -> undefined (no domain for localhost)\n *\n * The logic extracts the parent domain that can be shared across subdomains.\n * For domains with 3+ parts, it takes everything except the first part.\n * For domains with exactly 2 parts, it takes both parts.\n */\nfunction extractCookieDomain(baseURL: string): string | undefined {\n try {\n const url = new URL(baseURL);\n const hostname = url.hostname;\n\n // Don't set domain for localhost or IP addresses\n if (hostname === 'localhost' || hostname.match(/^\\d+\\.\\d+\\.\\d+\\.\\d+$/)) {\n return undefined;\n }\n\n // Split hostname into parts\n const parts = hostname.split('.');\n\n // We need at least 2 parts to form a domain (e.g., inkeep.com)\n if (parts.length < 2) {\n return undefined;\n }\n\n // Extract the parent domain that can be shared across subdomains\n // Examples:\n // - pilot.inkeep.com (3 parts) -> take all 3 parts -> .pilot.inkeep.com\n // - manage-api.pilot.inkeep.com (4 parts) -> take last 3 parts -> .pilot.inkeep.com\n // - inkeep.com (2 parts) -> take both parts -> .inkeep.com\n\n let domainParts: string[];\n if (parts.length === 3) {\n // For 3-part domains like pilot.inkeep.com, take all parts\n domainParts = parts;\n } else if (parts.length > 3) {\n // For 4+ part domains like manage-api.pilot.inkeep.com, take everything except first\n domainParts = parts.slice(1);\n } else {\n // For 2-part domains like inkeep.com, take both parts\n domainParts = parts;\n }\n\n return `.${domainParts.join('.')}`;\n } catch {\n return undefined;\n }\n}\n\nasync function registerSSOProvider(\n dbClient: DatabaseClient,\n provider: SSOProviderConfig\n): Promise<void> {\n try {\n const existing = await dbClient\n .select()\n .from(authSchema.ssoProvider)\n .where(eq(authSchema.ssoProvider.providerId, provider.providerId))\n .limit(1);\n\n if (existing.length > 0) {\n return;\n }\n\n if (!provider.domain) {\n throw new Error(`SSO provider '${provider.providerId}' must have a domain`);\n }\n\n await dbClient.insert(authSchema.ssoProvider).values({\n id: generateId(),\n providerId: provider.providerId,\n issuer: provider.issuer,\n domain: provider.domain,\n oidcConfig: provider.oidcConfig ? JSON.stringify(provider.oidcConfig) : null,\n samlConfig: provider.samlConfig ? JSON.stringify(provider.samlConfig) : null,\n userId: null,\n organizationId: provider.organizationId || null,\n });\n } catch (error) {\n console.error(`❌ Failed to register SSO provider '${provider.providerId}':`, error);\n }\n}\n\nexport function createAuth(config: BetterAuthConfig) {\n // Extract cookie domain from baseURL for cross-subdomain cookie sharing\n const cookieDomain = extractCookieDomain(config.baseURL);\n\n const auth = betterAuth({\n baseURL: config.baseURL,\n secret: config.secret,\n database: drizzleAdapter(config.dbClient, {\n provider: 'pg',\n }),\n emailAndPassword: {\n enabled: true,\n minPasswordLength: 8,\n maxPasswordLength: 128,\n requireEmailVerification: false,\n autoSignIn: true,\n },\n socialProviders: config.socialProviders?.google && {\n google: config.socialProviders.google,\n },\n session: {\n expiresIn: 60 * 60 * 24 * 7,\n updateAge: 60 * 60 * 24,\n cookieCache: {\n enabled: true,\n maxAge: 5 * 60,\n strategy: 'compact',\n },\n },\n advanced: {\n crossSubDomainCookies: {\n enabled: true,\n ...(cookieDomain && { domain: cookieDomain }),\n },\n defaultCookieAttributes: {\n sameSite: 'none',\n secure: true,\n httpOnly: true,\n partitioned: true,\n ...(cookieDomain && { domain: cookieDomain }),\n },\n ...config.advanced,\n },\n trustedOrigins: [\n 'http://localhost:3000',\n 'http://localhost:3002',\n env.INKEEP_AGENTS_MANAGE_UI_URL,\n env.INKEEP_AGENTS_MANAGE_API_URL,\n ].filter((origin): origin is string => typeof origin === 'string' && origin.length > 0),\n plugins: [\n bearer(),\n sso(),\n organization({\n allowUserToCreateOrganization: true,\n ac,\n roles: {\n member: memberRole,\n admin: adminRole,\n owner: ownerRole,\n },\n async sendInvitationEmail(data) {\n console.log('📧 Invitation created:', {\n email: data.email,\n invitedBy: data.inviter.user.name || data.inviter.user.email,\n organization: data.organization.name,\n invitationId: data.id,\n });\n\n // Note: The invitation link is displayed in the UI with a copy button.\n // If you want to send actual emails, configure an email provider:\n // - Resend: await resend.emails.send({ ... })\n // - SendGrid: await sgMail.send({ ... })\n // - AWS SES: await ses.sendEmail({ ... })\n // - Postmark: await postmark.sendEmail({ ... })\n },\n }),\n deviceAuthorization({\n verificationUri: '/device',\n expiresIn: '60m', // 30 minutes\n interval: '5s', // 5 second polling interval\n userCodeLength: 8, // e.g., \"ABCD-EFGH\"\n }),\n ],\n });\n\n if (config.ssoProviders?.length) {\n const providers = config.ssoProviders;\n setTimeout(async () => {\n for (const provider of providers) {\n await registerSSOProvider(config.dbClient, provider);\n }\n }, 1000);\n }\n\n return auth;\n}\n\n// Type placeholder for type inference in consuming code (e.g., app.ts AppVariables)\n// Actual auth instances should be created using createAuth() with a real database client\n// This is cast as any to avoid instantiation while preserving type information\nexport const auth = null as any as ReturnType<typeof createAuth>;\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AA2FA,SAAS,oBAAoB,SAAqC;AAChE,KAAI;EAEF,MAAM,WADM,IAAI,IAAI,QAAQ,CACP;AAGrB,MAAI,aAAa,eAAe,SAAS,MAAM,uBAAuB,CACpE;EAIF,MAAM,QAAQ,SAAS,MAAM,IAAI;AAGjC,MAAI,MAAM,SAAS,EACjB;EASF,IAAIA;AACJ,MAAI,MAAM,WAAW,EAEnB,eAAc;WACL,MAAM,SAAS,EAExB,eAAc,MAAM,MAAM,EAAE;MAG5B,eAAc;AAGhB,SAAO,IAAI,YAAY,KAAK,IAAI;SAC1B;AACN;;;AAIJ,eAAe,oBACb,UACA,UACe;AACf,KAAI;AAOF,OANiB,MAAM,SACpB,QAAQ,CACR,KAAKC,YAAuB,CAC5B,MAAM,eAA0B,YAAY,SAAS,WAAW,CAAC,CACjE,MAAM,EAAE,EAEE,SAAS,EACpB;AAGF,MAAI,CAAC,SAAS,OACZ,OAAM,IAAI,MAAM,iBAAiB,SAAS,WAAW,sBAAsB;AAG7E,QAAM,SAAS,OAAOA,YAAuB,CAAC,OAAO;GACnD,IAAI,YAAY;GAChB,YAAY,SAAS;GACrB,QAAQ,SAAS;GACjB,QAAQ,SAAS;GACjB,YAAY,SAAS,aAAa,KAAK,UAAU,SAAS,WAAW,GAAG;GACxE,YAAY,SAAS,aAAa,KAAK,UAAU,SAAS,WAAW,GAAG;GACxE,QAAQ;GACR,gBAAgB,SAAS,kBAAkB;GAC5C,CAAC;UACK,OAAO;AACd,UAAQ,MAAM,sCAAsC,SAAS,WAAW,KAAK,MAAM;;;AAIvF,SAAgB,WAAW,QAA0B;CAEnD,MAAM,eAAe,oBAAoB,OAAO,QAAQ;CAExD,MAAMC,SAAO,WAAW;EACtB,SAAS,OAAO;EAChB,QAAQ,OAAO;EACf,UAAU,eAAe,OAAO,UAAU,EACxC,UAAU,MACX,CAAC;EACF,kBAAkB;GAChB,SAAS;GACT,mBAAmB;GACnB,mBAAmB;GACnB,0BAA0B;GAC1B,YAAY;GACb;EACD,iBAAiB,OAAO,iBAAiB,UAAU,EACjD,QAAQ,OAAO,gBAAgB,QAChC;EACD,SAAS;GACP,WAAW,OAAU,KAAK;GAC1B,WAAW,OAAU;GACrB,aAAa;IACX,SAAS;IACT,QAAQ;IACR,UAAU;IACX;GACF;EACD,UAAU;GACR,uBAAuB;IACrB,SAAS;IACT,GAAI,gBAAgB,EAAE,QAAQ,cAAc;IAC7C;GACD,yBAAyB;IACvB,UAAU;IACV,QAAQ;IACR,UAAU;IACV,aAAa;IACb,GAAI,gBAAgB,EAAE,QAAQ,cAAc;IAC7C;GACD,GAAG,OAAO;GACX;EACD,gBAAgB;GACd;GACA;GACA,IAAI;GACJ,IAAI;GACL,CAAC,QAAQ,WAA6B,OAAO,WAAW,YAAY,OAAO,SAAS,EAAE;EACvF,SAAS;GACP,QAAQ;GACR,KAAK;GACL,aAAa;IACX,+BAA+B;IAC/B;IACA,OAAO;KACL,QAAQ;KACR,OAAO;KACP,OAAO;KACR;IACD,MAAM,oBAAoB,MAAM;AAC9B,aAAQ,IAAI,0BAA0B;MACpC,OAAO,KAAK;MACZ,WAAW,KAAK,QAAQ,KAAK,QAAQ,KAAK,QAAQ,KAAK;MACvD,cAAc,KAAK,aAAa;MAChC,cAAc,KAAK;MACpB,CAAC;;IASL,CAAC;GACF,oBAAoB;IAClB,iBAAiB;IACjB,WAAW;IACX,UAAU;IACV,gBAAgB;IACjB,CAAC;GACH;EACF,CAAC;AAEF,KAAI,OAAO,cAAc,QAAQ;EAC/B,MAAM,YAAY,OAAO;AACzB,aAAW,YAAY;AACrB,QAAK,MAAM,YAAY,UACrB,OAAM,oBAAoB,OAAO,UAAU,SAAS;KAErD,IAAK;;AAGV,QAAOA;;AAMT,MAAa,OAAO"}
1
+ {"version":3,"file":"auth.js","names":["domainParts: string[]","authSchema.ssoProvider","auth"],"sources":["../../src/auth/auth.ts"],"sourcesContent":["import { sso } from '@better-auth/sso';\nimport { type BetterAuthAdvancedOptions, betterAuth } from 'better-auth';\nimport { drizzleAdapter } from 'better-auth/adapters/drizzle';\nimport { bearer, deviceAuthorization, organization } from 'better-auth/plugins';\nimport type { GoogleOptions } from 'better-auth/social-providers';\nimport { eq } from 'drizzle-orm';\nimport type { DatabaseClient } from '../db/client';\nimport { env } from '../env';\nimport { generateId } from '../utils';\nimport * as authSchema from './auth-schema';\nimport { ac, adminRole, memberRole, ownerRole } from './permissions';\n\nexport interface OIDCProviderConfig {\n clientId: string;\n clientSecret: string;\n authorizationEndpoint?: string;\n tokenEndpoint?: string;\n userinfoEndpoint?: string;\n jwksEndpoint?: string;\n discoveryEndpoint?: string;\n scopes?: string[];\n pkce?: boolean;\n mapping?: {\n id?: string;\n email?: string;\n emailVerified?: string;\n name?: string;\n image?: string;\n extraFields?: Record<string, string>;\n };\n}\n\nexport interface SAMLProviderConfig {\n entryPoint: string;\n cert: string;\n callbackUrl: string;\n audience?: string;\n wantAssertionsSigned?: boolean;\n signatureAlgorithm?: string;\n digestAlgorithm?: string;\n identifierFormat?: string;\n mapping?: {\n id?: string;\n email?: string;\n name?: string;\n firstName?: string;\n lastName?: string;\n emailVerified?: string;\n extraFields?: Record<string, string>;\n };\n}\n\nexport interface SSOProviderConfig {\n providerId: string;\n issuer: string;\n domain: string;\n organizationId?: string;\n oidcConfig?: OIDCProviderConfig;\n samlConfig?: SAMLProviderConfig;\n}\n\nexport interface BetterAuthConfig {\n baseURL: string;\n secret: string;\n dbClient: DatabaseClient;\n ssoProviders?: SSOProviderConfig[];\n socialProviders?: {\n google?: GoogleOptions;\n };\n advanced?: BetterAuthAdvancedOptions;\n}\n\nexport interface UserAuthConfig {\n ssoProviders?: SSOProviderConfig[];\n socialProviders?: {\n google?: GoogleOptions;\n };\n advanced?: BetterAuthAdvancedOptions;\n}\n\n/**\n * Extracts the root domain from a URL for cross-subdomain cookie sharing.\n * For example:\n * - https://manage-api.pilot.inkeep.com -> .pilot.inkeep.com\n * - https://pilot.inkeep.com -> .pilot.inkeep.com\n * - http://localhost:3002 -> undefined (no domain for localhost)\n *\n * The logic extracts the parent domain that can be shared across subdomains.\n * For domains with 3+ parts, it takes everything except the first part.\n * For domains with exactly 2 parts, it takes both parts.\n */\nfunction extractCookieDomain(baseURL: string): string | undefined {\n try {\n const url = new URL(baseURL);\n const hostname = url.hostname;\n\n // Don't set domain for localhost or IP addresses\n if (hostname === 'localhost' || hostname.match(/^\\d+\\.\\d+\\.\\d+\\.\\d+$/)) {\n return undefined;\n }\n\n // Split hostname into parts\n const parts = hostname.split('.');\n\n // We need at least 2 parts to form a domain (e.g., inkeep.com)\n if (parts.length < 2) {\n return undefined;\n }\n\n // Extract the parent domain that can be shared across subdomains\n // Examples:\n // - pilot.inkeep.com (3 parts) -> take all 3 parts -> .pilot.inkeep.com\n // - manage-api.pilot.inkeep.com (4 parts) -> take last 3 parts -> .pilot.inkeep.com\n // - inkeep.com (2 parts) -> take both parts -> .inkeep.com\n\n let domainParts: string[];\n if (parts.length === 3) {\n // For 3-part domains like pilot.inkeep.com, take all parts\n domainParts = parts;\n } else if (parts.length > 3) {\n // For 4+ part domains like manage-api.pilot.inkeep.com, take everything except first\n domainParts = parts.slice(1);\n } else {\n // For 2-part domains like inkeep.com, take both parts\n domainParts = parts;\n }\n\n return `.${domainParts.join('.')}`;\n } catch {\n return undefined;\n }\n}\n\nasync function registerSSOProvider(\n dbClient: DatabaseClient,\n provider: SSOProviderConfig\n): Promise<void> {\n try {\n const existing = await dbClient\n .select()\n .from(authSchema.ssoProvider)\n .where(eq(authSchema.ssoProvider.providerId, provider.providerId))\n .limit(1);\n\n if (existing.length > 0) {\n return;\n }\n\n if (!provider.domain) {\n throw new Error(`SSO provider '${provider.providerId}' must have a domain`);\n }\n\n await dbClient.insert(authSchema.ssoProvider).values({\n id: generateId(),\n providerId: provider.providerId,\n issuer: provider.issuer,\n domain: provider.domain,\n oidcConfig: provider.oidcConfig ? JSON.stringify(provider.oidcConfig) : null,\n samlConfig: provider.samlConfig ? JSON.stringify(provider.samlConfig) : null,\n userId: null,\n organizationId: provider.organizationId || null,\n });\n } catch (error) {\n console.error(`❌ Failed to register SSO provider '${provider.providerId}':`, error);\n }\n}\n\nexport function createAuth(config: BetterAuthConfig) {\n // Extract cookie domain from baseURL for cross-subdomain cookie sharing\n const cookieDomain = extractCookieDomain(config.baseURL);\n\n const auth = betterAuth({\n baseURL: config.baseURL,\n secret: config.secret,\n database: drizzleAdapter(config.dbClient, {\n provider: 'pg',\n }),\n emailAndPassword: {\n enabled: true,\n minPasswordLength: 8,\n maxPasswordLength: 128,\n requireEmailVerification: false,\n autoSignIn: true,\n },\n socialProviders: config.socialProviders?.google && {\n google: config.socialProviders.google,\n },\n session: {\n expiresIn: 60 * 60 * 24 * 7,\n updateAge: 60 * 60 * 24,\n cookieCache: {\n enabled: true,\n maxAge: 5 * 60,\n strategy: 'compact',\n },\n },\n advanced: {\n crossSubDomainCookies: {\n enabled: true,\n ...(cookieDomain && { domain: cookieDomain }),\n },\n defaultCookieAttributes: {\n sameSite: 'none',\n secure: true,\n httpOnly: true,\n partitioned: true,\n ...(cookieDomain && { domain: cookieDomain }),\n },\n ...config.advanced,\n },\n trustedOrigins: [\n 'http://localhost:3000',\n 'http://localhost:3002',\n env.INKEEP_AGENTS_MANAGE_UI_URL,\n env.INKEEP_AGENTS_MANAGE_API_URL,\n ].filter((origin): origin is string => typeof origin === 'string' && origin.length > 0),\n plugins: [\n bearer(),\n sso(),\n organization({\n allowUserToCreateOrganization: true,\n ac,\n roles: {\n member: memberRole,\n admin: adminRole,\n owner: ownerRole,\n },\n membershipLimit: 300,\n invitationLimit: 300,\n invitationExpiresIn: 7 * 24 * 60 * 60, // 7 days (in seconds)\n async sendInvitationEmail(data) {\n console.log('📧 Invitation created:', {\n email: data.email,\n invitedBy: data.inviter.user.name || data.inviter.user.email,\n organization: data.organization.name,\n invitationId: data.id,\n });\n\n // Note: The invitation link is displayed in the UI with a copy button.\n // If you want to send actual emails, configure an email provider:\n // - Resend: await resend.emails.send({ ... })\n // - SendGrid: await sgMail.send({ ... })\n // - AWS SES: await ses.sendEmail({ ... })\n // - Postmark: await postmark.sendEmail({ ... })\n },\n }),\n deviceAuthorization({\n verificationUri: '/device',\n expiresIn: '60m', // 30 minutes\n interval: '5s', // 5 second polling interval\n userCodeLength: 8, // e.g., \"ABCD-EFGH\"\n }),\n ],\n });\n\n if (config.ssoProviders?.length) {\n const providers = config.ssoProviders;\n setTimeout(async () => {\n for (const provider of providers) {\n await registerSSOProvider(config.dbClient, provider);\n }\n }, 1000);\n }\n\n return auth;\n}\n\n// Type placeholder for type inference in consuming code (e.g., app.ts AppVariables)\n// Actual auth instances should be created using createAuth() with a real database client\n// This is cast as any to avoid instantiation while preserving type information\nexport const auth = null as any as ReturnType<typeof createAuth>;\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AA2FA,SAAS,oBAAoB,SAAqC;AAChE,KAAI;EAEF,MAAM,WADM,IAAI,IAAI,QAAQ,CACP;AAGrB,MAAI,aAAa,eAAe,SAAS,MAAM,uBAAuB,CACpE;EAIF,MAAM,QAAQ,SAAS,MAAM,IAAI;AAGjC,MAAI,MAAM,SAAS,EACjB;EASF,IAAIA;AACJ,MAAI,MAAM,WAAW,EAEnB,eAAc;WACL,MAAM,SAAS,EAExB,eAAc,MAAM,MAAM,EAAE;MAG5B,eAAc;AAGhB,SAAO,IAAI,YAAY,KAAK,IAAI;SAC1B;AACN;;;AAIJ,eAAe,oBACb,UACA,UACe;AACf,KAAI;AAOF,OANiB,MAAM,SACpB,QAAQ,CACR,KAAKC,YAAuB,CAC5B,MAAM,eAA0B,YAAY,SAAS,WAAW,CAAC,CACjE,MAAM,EAAE,EAEE,SAAS,EACpB;AAGF,MAAI,CAAC,SAAS,OACZ,OAAM,IAAI,MAAM,iBAAiB,SAAS,WAAW,sBAAsB;AAG7E,QAAM,SAAS,OAAOA,YAAuB,CAAC,OAAO;GACnD,IAAI,YAAY;GAChB,YAAY,SAAS;GACrB,QAAQ,SAAS;GACjB,QAAQ,SAAS;GACjB,YAAY,SAAS,aAAa,KAAK,UAAU,SAAS,WAAW,GAAG;GACxE,YAAY,SAAS,aAAa,KAAK,UAAU,SAAS,WAAW,GAAG;GACxE,QAAQ;GACR,gBAAgB,SAAS,kBAAkB;GAC5C,CAAC;UACK,OAAO;AACd,UAAQ,MAAM,sCAAsC,SAAS,WAAW,KAAK,MAAM;;;AAIvF,SAAgB,WAAW,QAA0B;CAEnD,MAAM,eAAe,oBAAoB,OAAO,QAAQ;CAExD,MAAMC,SAAO,WAAW;EACtB,SAAS,OAAO;EAChB,QAAQ,OAAO;EACf,UAAU,eAAe,OAAO,UAAU,EACxC,UAAU,MACX,CAAC;EACF,kBAAkB;GAChB,SAAS;GACT,mBAAmB;GACnB,mBAAmB;GACnB,0BAA0B;GAC1B,YAAY;GACb;EACD,iBAAiB,OAAO,iBAAiB,UAAU,EACjD,QAAQ,OAAO,gBAAgB,QAChC;EACD,SAAS;GACP,WAAW,OAAU,KAAK;GAC1B,WAAW,OAAU;GACrB,aAAa;IACX,SAAS;IACT,QAAQ;IACR,UAAU;IACX;GACF;EACD,UAAU;GACR,uBAAuB;IACrB,SAAS;IACT,GAAI,gBAAgB,EAAE,QAAQ,cAAc;IAC7C;GACD,yBAAyB;IACvB,UAAU;IACV,QAAQ;IACR,UAAU;IACV,aAAa;IACb,GAAI,gBAAgB,EAAE,QAAQ,cAAc;IAC7C;GACD,GAAG,OAAO;GACX;EACD,gBAAgB;GACd;GACA;GACA,IAAI;GACJ,IAAI;GACL,CAAC,QAAQ,WAA6B,OAAO,WAAW,YAAY,OAAO,SAAS,EAAE;EACvF,SAAS;GACP,QAAQ;GACR,KAAK;GACL,aAAa;IACX,+BAA+B;IAC/B;IACA,OAAO;KACL,QAAQ;KACR,OAAO;KACP,OAAO;KACR;IACD,iBAAiB;IACjB,iBAAiB;IACjB,qBAAqB,QAAc;IACnC,MAAM,oBAAoB,MAAM;AAC9B,aAAQ,IAAI,0BAA0B;MACpC,OAAO,KAAK;MACZ,WAAW,KAAK,QAAQ,KAAK,QAAQ,KAAK,QAAQ,KAAK;MACvD,cAAc,KAAK,aAAa;MAChC,cAAc,KAAK;MACpB,CAAC;;IASL,CAAC;GACF,oBAAoB;IAClB,iBAAiB;IACjB,WAAW;IACX,UAAU;IACV,gBAAgB;IACjB,CAAC;GACH;EACF,CAAC;AAEF,KAAI,OAAO,cAAc,QAAQ;EAC/B,MAAM,YAAY,OAAO;AACzB,aAAW,YAAY;AACrB,QAAK,MAAM,YAAY,UACrB,OAAM,oBAAoB,OAAO,UAAU,SAAS;KAErD,IAAK;;AAGV,QAAOA;;AAMT,MAAa,OAAO"}