@inkeep/agents-core 0.0.0-dev-20251219041142 → 0.0.0-dev-20251219042219

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (13) hide show
  1. package/dist/auth/auth.d.ts +37 -37
  2. package/dist/auth/auth.d.ts.map +1 -1
  3. package/dist/auth/auth.js +2 -1
  4. package/dist/auth/auth.js.map +1 -1
  5. package/dist/auth/permissions.d.ts +13 -13
  6. package/dist/auth/permissions.d.ts.map +1 -1
  7. package/dist/client-exports.d.ts +1 -1
  8. package/dist/client.d.ts +487 -487
  9. package/dist/client.d.ts.map +1 -1
  10. package/dist/env.js +1 -0
  11. package/dist/env.js.map +1 -1
  12. package/dist/models.d.ts.map +1 -1
  13. package/package.json +1 -1
package/dist/auth/auth.d.ts CHANGED
@@ -5,7 +5,7 @@ import "../schema-conversion.js";
5
5
  import * as _better_auth_sso0 from "@better-auth/sso";
6
6
  import * as better_auth0 from "better-auth";
7
7
  import { BetterAuthAdvancedOptions } from "better-auth";
8
- import * as better_auth_plugins0 from "better-auth/plugins";
8
+ import * as better_auth_plugins20 from "better-auth/plugins";
9
9
  import * as better_auth_social_providers0 from "better-auth/social-providers";
10
10
  import { GoogleOptions } from "better-auth/social-providers";
11
11
  import * as zod0 from "zod";
@@ -773,7 +773,7 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
773
773
  };
774
774
  }, {
775
775
  id: "oauth-proxy";
776
- options: better_auth_plugins0.OAuthProxyOptions | undefined;
776
+ options: better_auth_plugins20.OAuthProxyOptions | undefined;
777
777
  endpoints: {
778
778
  oAuthProxy: better_auth0.StrictEndpoint<"/oauth-proxy-callback", {
779
779
  method: "GET";
@@ -824,30 +824,30 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
824
824
  };
825
825
  }, {
826
826
  id: "organization";
827
- endpoints: better_auth_plugins0.OrganizationEndpoints<{
827
+ endpoints: better_auth_plugins20.OrganizationEndpoints<{
828
828
  allowUserToCreateOrganization: true;
829
- ac: better_auth_plugins0.AccessControl;
829
+ ac: better_auth_plugins20.AccessControl;
830
830
  roles: {
831
831
  member: {
832
- authorize<K_1 extends "function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team", better_auth_plugins0.Statements>[key] | {
833
- actions: better_auth_plugins0.Subset<"function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team", better_auth_plugins0.Statements>[key];
832
+ authorize<K_1 extends "function" | "organization" | "agent" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "member" | "invitation" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins20.Subset<"function" | "organization" | "agent" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "member" | "invitation" | "team", better_auth_plugins20.Statements>[key] | {
833
+ actions: better_auth_plugins20.Subset<"function" | "organization" | "agent" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "member" | "invitation" | "team", better_auth_plugins20.Statements>[key];
834
834
  connector: "OR" | "AND";
835
- } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
836
- statements: better_auth_plugins0.Subset<"function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team", better_auth_plugins0.Statements>;
835
+ } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins20.AuthorizeResponse;
836
+ statements: better_auth_plugins20.Subset<"function" | "organization" | "agent" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "member" | "invitation" | "team", better_auth_plugins20.Statements>;
837
837
  };
838
838
  admin: {
839
- authorize<K_1 extends "function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team", better_auth_plugins0.Statements>[key] | {
840
- actions: better_auth_plugins0.Subset<"function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team", better_auth_plugins0.Statements>[key];
839
+ authorize<K_1 extends "function" | "organization" | "agent" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "member" | "invitation" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins20.Subset<"function" | "organization" | "agent" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "member" | "invitation" | "team", better_auth_plugins20.Statements>[key] | {
840
+ actions: better_auth_plugins20.Subset<"function" | "organization" | "agent" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "member" | "invitation" | "team", better_auth_plugins20.Statements>[key];
841
841
  connector: "OR" | "AND";
842
- } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
843
- statements: better_auth_plugins0.Subset<"function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team", better_auth_plugins0.Statements>;
842
+ } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins20.AuthorizeResponse;
843
+ statements: better_auth_plugins20.Subset<"function" | "organization" | "agent" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "member" | "invitation" | "team", better_auth_plugins20.Statements>;
844
844
  };
845
845
  owner: {
846
- authorize<K_1 extends "function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team", better_auth_plugins0.Statements>[key] | {
847
- actions: better_auth_plugins0.Subset<"function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team", better_auth_plugins0.Statements>[key];
846
+ authorize<K_1 extends "function" | "organization" | "agent" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "member" | "invitation" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins20.Subset<"function" | "organization" | "agent" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "member" | "invitation" | "team", better_auth_plugins20.Statements>[key] | {
847
+ actions: better_auth_plugins20.Subset<"function" | "organization" | "agent" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "member" | "invitation" | "team", better_auth_plugins20.Statements>[key];
848
848
  connector: "OR" | "AND";
849
- } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
850
- statements: better_auth_plugins0.Subset<"function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team", better_auth_plugins0.Statements>;
849
+ } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins20.AuthorizeResponse;
850
+ statements: better_auth_plugins20.Subset<"function" | "organization" | "agent" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "member" | "invitation" | "team", better_auth_plugins20.Statements>;
851
851
  };
852
852
  };
853
853
  membershipLimit: number;
@@ -857,9 +857,9 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
857
857
  id: string;
858
858
  role: string;
859
859
  email: string;
860
- organization: better_auth_plugins0.Organization;
861
- invitation: better_auth_plugins0.Invitation;
862
- inviter: better_auth_plugins0.Member & {
860
+ organization: better_auth_plugins20.Organization;
861
+ invitation: better_auth_plugins20.Invitation;
862
+ inviter: better_auth_plugins20.Member & {
863
863
  user: better_auth0.User;
864
864
  };
865
865
  }): Promise<void>;
@@ -992,7 +992,7 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
992
992
  organizationId: string;
993
993
  email: string;
994
994
  role: "member" | "admin" | "owner";
995
- status: better_auth_plugins0.InvitationStatus;
995
+ status: better_auth_plugins20.InvitationStatus;
996
996
  inviterId: string;
997
997
  expiresAt: Date;
998
998
  createdAt: Date;
@@ -1031,7 +1031,7 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
1031
1031
  organizationId: string;
1032
1032
  email: string;
1033
1033
  role: "member" | "admin" | "owner";
1034
- status: better_auth_plugins0.InvitationStatus;
1034
+ status: better_auth_plugins20.InvitationStatus;
1035
1035
  inviterId: string;
1036
1036
  expiresAt: Date;
1037
1037
  createdAt: Date;
@@ -1105,28 +1105,28 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
1105
1105
  };
1106
1106
  options: {
1107
1107
  allowUserToCreateOrganization: true;
1108
- ac: better_auth_plugins0.AccessControl;
1108
+ ac: better_auth_plugins20.AccessControl;
1109
1109
  roles: {
1110
1110
  member: {
1111
- authorize<K_1 extends "function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team", better_auth_plugins0.Statements>[key] | {
1112
- actions: better_auth_plugins0.Subset<"function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team", better_auth_plugins0.Statements>[key];
1111
+ authorize<K_1 extends "function" | "organization" | "agent" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "member" | "invitation" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins20.Subset<"function" | "organization" | "agent" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "member" | "invitation" | "team", better_auth_plugins20.Statements>[key] | {
1112
+ actions: better_auth_plugins20.Subset<"function" | "organization" | "agent" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "member" | "invitation" | "team", better_auth_plugins20.Statements>[key];
1113
1113
  connector: "OR" | "AND";
1114
- } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
1115
- statements: better_auth_plugins0.Subset<"function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team", better_auth_plugins0.Statements>;
1114
+ } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins20.AuthorizeResponse;
1115
+ statements: better_auth_plugins20.Subset<"function" | "organization" | "agent" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "member" | "invitation" | "team", better_auth_plugins20.Statements>;
1116
1116
  };
1117
1117
  admin: {
1118
- authorize<K_1 extends "function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team", better_auth_plugins0.Statements>[key] | {
1119
- actions: better_auth_plugins0.Subset<"function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team", better_auth_plugins0.Statements>[key];
1118
+ authorize<K_1 extends "function" | "organization" | "agent" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "member" | "invitation" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins20.Subset<"function" | "organization" | "agent" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "member" | "invitation" | "team", better_auth_plugins20.Statements>[key] | {
1119
+ actions: better_auth_plugins20.Subset<"function" | "organization" | "agent" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "member" | "invitation" | "team", better_auth_plugins20.Statements>[key];
1120
1120
  connector: "OR" | "AND";
1121
- } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
1122
- statements: better_auth_plugins0.Subset<"function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team", better_auth_plugins0.Statements>;
1121
+ } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins20.AuthorizeResponse;
1122
+ statements: better_auth_plugins20.Subset<"function" | "organization" | "agent" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "member" | "invitation" | "team", better_auth_plugins20.Statements>;
1123
1123
  };
1124
1124
  owner: {
1125
- authorize<K_1 extends "function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team", better_auth_plugins0.Statements>[key] | {
1126
- actions: better_auth_plugins0.Subset<"function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team", better_auth_plugins0.Statements>[key];
1125
+ authorize<K_1 extends "function" | "organization" | "agent" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "member" | "invitation" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins20.Subset<"function" | "organization" | "agent" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "member" | "invitation" | "team", better_auth_plugins20.Statements>[key] | {
1126
+ actions: better_auth_plugins20.Subset<"function" | "organization" | "agent" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "member" | "invitation" | "team", better_auth_plugins20.Statements>[key];
1127
1127
  connector: "OR" | "AND";
1128
- } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
1129
- statements: better_auth_plugins0.Subset<"function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team", better_auth_plugins0.Statements>;
1128
+ } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins20.AuthorizeResponse;
1129
+ statements: better_auth_plugins20.Subset<"function" | "organization" | "agent" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "member" | "invitation" | "team", better_auth_plugins20.Statements>;
1130
1130
  };
1131
1131
  };
1132
1132
  membershipLimit: number;
@@ -1136,9 +1136,9 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
1136
1136
  id: string;
1137
1137
  role: string;
1138
1138
  email: string;
1139
- organization: better_auth_plugins0.Organization;
1140
- invitation: better_auth_plugins0.Invitation;
1141
- inviter: better_auth_plugins0.Member & {
1139
+ organization: better_auth_plugins20.Organization;
1140
+ invitation: better_auth_plugins20.Invitation;
1141
+ inviter: better_auth_plugins20.Member & {
1142
1142
  user: better_auth0.User;
1143
1143
  };
1144
1144
  }): Promise<void>;
package/dist/auth/auth.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"auth.d.ts","names":[],"sources":["../../src/auth/auth.ts"],"sourcesContent":[],"mappings":";;;;;;;;;;;;;UAYiB,kBAAA;;;;;;;;;;EAAA,OAAA,CAAA,EAAA;IAoBA,EAAA,CAAA,EAAA,MAAA;IAoBA,KAAA,CAAA,EAAA,MAAA;IASA,aAAA,CAAA,EAAgB,MAAA;IAGrB,IAAA,CAAA,EAAA,MAAA;IACK,KAAA,CAAA,EAAA,MAAA;IAEJ,WAAA,CAAA,EAvCK,MAuCL,CAAA,MAAA,EAAA,MAAA,CAAA;EAEA,CAAA;;AAGI,UAxCA,kBAAA,CAwCc;EACd,UAAA,EAAA,MAAA;EAEJ,IAAA,EAAA,MAAA;EAEA,WAAA,EAAA,MAAA;EAAyB,QAAA,CAAA,EAAA,MAAA;EA0FtB,oBAAU,CAAA,EAAA,OAAA;EAAS,kBAAA,CAAA,EAAA,MAAA;EAAgB,eAAA,CAAA,EAAA,MAAA;;;IAiHuxhB,EAAA,CAAA,EAAA,MAAA;IAAA,KAAA,CAAA,EAAA,MAAA;;;;;kBAxOxzhB;;;UAID,iBAAA,CAoOu1vJ;EAAA,UAAA,EAAA,MAAA;;;;eA/Nz1vJ;eACA;;UAGE,gBAAA;;;YAGL;iBACK;;aAEJ;;aAEA;;UAGI,cAAA;iBACA;;aAEJ;;aAEA;;iBA0FG,UAAA,SAAmB,gCAAgB;;;sBAAA,YAAA,CAAA;;;;;;;;;;;;;;;;;;;;0DAiHuxhB;6BAAA,YAAA,CAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kCAA4jrI;;;6BAAA,YAAA,CAAA;;;;;gCAAk+C,YAAA;;;;;;;;;yBAAA,YAAA,CAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;0BAjHrzvJ,WAAA,EAAA,MAAA;wBAAA,CAAA;wBAgHN,WAAA,EAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;cAAhC,MAAsB,kBAAkB"}
1
+ {"version":3,"file":"auth.d.ts","names":[],"sources":["../../src/auth/auth.ts"],"sourcesContent":[],"mappings":";;;;;;;;;;;;;UAYiB,kBAAA;;;;;;;;;;EAAA,OAAA,CAAA,EAAA;IAoBA,EAAA,CAAA,EAAA,MAAA;IAoBA,KAAA,CAAA,EAAA,MAAA;IASA,aAAA,CAAA,EAAgB,MAAA;IAGrB,IAAA,CAAA,EAAA,MAAA;IACK,KAAA,CAAA,EAAA,MAAA;IAEJ,WAAA,CAAA,EAvCK,MAuCL,CAAA,MAAA,EAAA,MAAA,CAAA;EAEA,CAAA;;AAGI,UAxCA,kBAAA,CAwCc;EACd,UAAA,EAAA,MAAA;EAEJ,IAAA,EAAA,MAAA;EAEA,WAAA,EAAA,MAAA;EAAyB,QAAA,CAAA,EAAA,MAAA;EA0FtB,oBAAU,CAAA,EAAA,OAAA;EAAS,kBAAA,CAAA,EAAA,MAAA;EAAgB,eAAA,CAAA,EAAA,MAAA;;;IAkH6vhB,EAAA,CAAA,EAAA,MAAA;IAAA,KAAA,CAAA,EAAA,MAAA;;;;;kBAzO9xhB;;;UAID,iBAAA,CAqO6zvJ;EAAA,UAAA,EAAA,MAAA;;;;eAhO/zvJ;eACA;;UAGE,gBAAA;;;YAGL;iBACK;;aAEJ;;aAEA;;UAGI,cAAA;iBACA;;aAEJ;;aAEA;;iBA0FG,UAAA,SAAmB,gCAAgB;;;sBAAA,YAAA,CAAA;;;;;;;;;;;;;;;;;;;;0DAkH6vhB;6BAAA,YAAA,CAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kCAA4jrI;;;6BAAA,YAAA,CAAA;;;;;gCAAk+C,YAAA;;;;;;;;;yBAAA,YAAA,CAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;0BAlH3xvJ,WAAA,EAAA,MAAA;wBAAA,CAAA;wBAiHN,WAAA,EAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;cAAhC,MAAsB,kBAAkB"}
package/dist/auth/auth.js CHANGED
@@ -100,7 +100,8 @@ function createAuth(config) {
100
100
  "http://localhost:3000",
101
101
  "http://localhost:3002",
102
102
  env.INKEEP_AGENTS_MANAGE_UI_URL,
103
- env.INKEEP_AGENTS_MANAGE_API_URL
103
+ env.INKEEP_AGENTS_MANAGE_API_URL,
104
+ env.TRUSTED_ORIGIN
104
105
  ].filter((origin) => typeof origin === "string" && origin.length > 0),
105
106
  plugins: [
106
107
  bearer(),
package/dist/auth/auth.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"auth.js","names":["domainParts: string[]","authSchema.ssoProvider","auth"],"sources":["../../src/auth/auth.ts"],"sourcesContent":["import { sso } from '@better-auth/sso';\nimport { type BetterAuthAdvancedOptions, betterAuth } from 'better-auth';\nimport { drizzleAdapter } from 'better-auth/adapters/drizzle';\nimport { bearer, deviceAuthorization, oAuthProxy, organization } from 'better-auth/plugins';\nimport type { GoogleOptions } from 'better-auth/social-providers';\nimport { eq } from 'drizzle-orm';\nimport type { DatabaseClient } from '../db/client';\nimport { env } from '../env';\nimport { generateId } from '../utils';\nimport * as authSchema from './auth-schema';\nimport { ac, adminRole, memberRole, ownerRole } from './permissions';\n\nexport interface OIDCProviderConfig {\n clientId: string;\n clientSecret: string;\n authorizationEndpoint?: string;\n tokenEndpoint?: string;\n userinfoEndpoint?: string;\n jwksEndpoint?: string;\n discoveryEndpoint?: string;\n scopes?: string[];\n pkce?: boolean;\n mapping?: {\n id?: string;\n email?: string;\n emailVerified?: string;\n name?: string;\n image?: string;\n extraFields?: Record<string, string>;\n };\n}\n\nexport interface SAMLProviderConfig {\n entryPoint: string;\n cert: string;\n callbackUrl: string;\n audience?: string;\n wantAssertionsSigned?: boolean;\n signatureAlgorithm?: string;\n digestAlgorithm?: string;\n identifierFormat?: string;\n mapping?: {\n id?: string;\n email?: string;\n name?: string;\n firstName?: string;\n lastName?: string;\n emailVerified?: string;\n extraFields?: Record<string, string>;\n };\n}\n\nexport interface SSOProviderConfig {\n providerId: string;\n issuer: string;\n domain: string;\n organizationId?: string;\n oidcConfig?: OIDCProviderConfig;\n samlConfig?: SAMLProviderConfig;\n}\n\nexport interface BetterAuthConfig {\n baseURL: string;\n secret: string;\n dbClient: DatabaseClient;\n ssoProviders?: SSOProviderConfig[];\n socialProviders?: {\n google?: GoogleOptions;\n };\n advanced?: BetterAuthAdvancedOptions;\n}\n\nexport interface UserAuthConfig {\n ssoProviders?: SSOProviderConfig[];\n socialProviders?: {\n google?: GoogleOptions;\n };\n advanced?: BetterAuthAdvancedOptions;\n}\n\n/**\n * Extracts the root domain from a URL for cross-subdomain cookie sharing.\n * For example:\n * - https://manage-api.pilot.inkeep.com -> .pilot.inkeep.com\n * - https://pilot.inkeep.com -> .pilot.inkeep.com\n * - http://localhost:3002 -> undefined (no domain for localhost)\n *\n * The logic extracts the parent domain that can be shared across subdomains.\n * For domains with 3+ parts, it takes everything except the first part.\n * For domains with exactly 2 parts, it takes both parts.\n */\nfunction extractCookieDomain(baseURL: string): string | undefined {\n try {\n const url = new URL(baseURL);\n const hostname = url.hostname;\n\n // Don't set domain for localhost or IP addresses\n if (hostname === 'localhost' || hostname.match(/^\\d+\\.\\d+\\.\\d+\\.\\d+$/)) {\n return undefined;\n }\n\n // Split hostname into parts\n const parts = hostname.split('.');\n\n // We need at least 2 parts to form a domain (e.g., inkeep.com)\n if (parts.length < 2) {\n return undefined;\n }\n\n // Extract the parent domain that can be shared across subdomains\n // Examples:\n // - pilot.inkeep.com (3 parts) -> take all 3 parts -> .pilot.inkeep.com\n // - manage-api.pilot.inkeep.com (4 parts) -> take last 3 parts -> .pilot.inkeep.com\n // - inkeep.com (2 parts) -> take both parts -> .inkeep.com\n\n let domainParts: string[];\n if (parts.length === 3) {\n // For 3-part domains like pilot.inkeep.com, take all parts\n domainParts = parts;\n } else if (parts.length > 3) {\n // For 4+ part domains like manage-api.pilot.inkeep.com, take everything except first\n domainParts = parts.slice(1);\n } else {\n // For 2-part domains like inkeep.com, take both parts\n domainParts = parts;\n }\n\n return `.${domainParts.join('.')}`;\n } catch {\n return undefined;\n }\n}\n\nasync function registerSSOProvider(\n dbClient: DatabaseClient,\n provider: SSOProviderConfig\n): Promise<void> {\n try {\n const existing = await dbClient\n .select()\n .from(authSchema.ssoProvider)\n .where(eq(authSchema.ssoProvider.providerId, provider.providerId))\n .limit(1);\n\n if (existing.length > 0) {\n return;\n }\n\n if (!provider.domain) {\n throw new Error(`SSO provider '${provider.providerId}' must have a domain`);\n }\n\n await dbClient.insert(authSchema.ssoProvider).values({\n id: generateId(),\n providerId: provider.providerId,\n issuer: provider.issuer,\n domain: provider.domain,\n oidcConfig: provider.oidcConfig ? JSON.stringify(provider.oidcConfig) : null,\n samlConfig: provider.samlConfig ? JSON.stringify(provider.samlConfig) : null,\n userId: null,\n organizationId: provider.organizationId || null,\n });\n } catch (error) {\n console.error(`❌ Failed to register SSO provider '${provider.providerId}':`, error);\n }\n}\n\nexport function createAuth(config: BetterAuthConfig) {\n // Extract cookie domain from baseURL for cross-subdomain cookie sharing\n const cookieDomain = extractCookieDomain(config.baseURL);\n\n const auth = betterAuth({\n baseURL: config.baseURL,\n secret: config.secret,\n database: drizzleAdapter(config.dbClient, {\n provider: 'pg',\n }),\n emailAndPassword: {\n enabled: true,\n minPasswordLength: 8,\n maxPasswordLength: 128,\n requireEmailVerification: false,\n autoSignIn: true,\n },\n socialProviders: config.socialProviders?.google && {\n google: {\n ...config.socialProviders.google,\n // For local/preview env, redirect to production URL registered in Google Console\n ...(env.OAUTH_PROXY_PRODUCTION_URL && {\n redirectURI: `${env.OAUTH_PROXY_PRODUCTION_URL}/api/auth/callback/google`,\n }),\n },\n },\n session: {\n expiresIn: 60 * 60 * 24 * 7,\n updateAge: 60 * 60 * 24,\n cookieCache: {\n enabled: true,\n maxAge: 5 * 60,\n strategy: 'compact',\n },\n },\n advanced: {\n crossSubDomainCookies: {\n enabled: true,\n ...(cookieDomain && { domain: cookieDomain }),\n },\n defaultCookieAttributes: {\n sameSite: 'none',\n secure: true,\n httpOnly: true,\n partitioned: true,\n ...(cookieDomain && { domain: cookieDomain }),\n },\n ...config.advanced,\n },\n trustedOrigins: [\n 'http://localhost:3000',\n 'http://localhost:3002',\n env.INKEEP_AGENTS_MANAGE_UI_URL,\n env.INKEEP_AGENTS_MANAGE_API_URL,\n ].filter((origin): origin is string => typeof origin === 'string' && origin.length > 0),\n plugins: [\n bearer(),\n sso(),\n oAuthProxy({\n productionURL: env.OAUTH_PROXY_PRODUCTION_URL || config.baseURL,\n }),\n organization({\n allowUserToCreateOrganization: true,\n ac,\n roles: {\n member: memberRole,\n admin: adminRole,\n owner: ownerRole,\n },\n membershipLimit: 300,\n invitationLimit: 300,\n invitationExpiresIn: 7 * 24 * 60 * 60, // 7 days (in seconds)\n async sendInvitationEmail(data) {\n console.log('📧 Invitation created:', {\n email: data.email,\n invitedBy: data.inviter.user.name || data.inviter.user.email,\n organization: data.organization.name,\n invitationId: data.id,\n });\n\n // Note: The invitation link is displayed in the UI with a copy button.\n // If you want to send actual emails, configure an email provider:\n // - Resend: await resend.emails.send({ ... })\n // - SendGrid: await sgMail.send({ ... })\n // - AWS SES: await ses.sendEmail({ ... })\n // - Postmark: await postmark.sendEmail({ ... })\n },\n }),\n deviceAuthorization({\n verificationUri: '/device',\n expiresIn: '60m', // 30 minutes\n interval: '5s', // 5 second polling interval\n userCodeLength: 8, // e.g., \"ABCD-EFGH\"\n }),\n ],\n });\n\n if (config.ssoProviders?.length) {\n const providers = config.ssoProviders;\n setTimeout(async () => {\n for (const provider of providers) {\n await registerSSOProvider(config.dbClient, provider);\n }\n }, 1000);\n }\n\n return auth;\n}\n\n// Type placeholder for type inference in consuming code (e.g., app.ts AppVariables)\n// Actual auth instances should be created using createAuth() with a real database client\n// This is cast as any to avoid instantiation while preserving type information\nexport const auth = null as any as ReturnType<typeof createAuth>;\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AA2FA,SAAS,oBAAoB,SAAqC;AAChE,KAAI;EAEF,MAAM,WADM,IAAI,IAAI,QAAQ,CACP;AAGrB,MAAI,aAAa,eAAe,SAAS,MAAM,uBAAuB,CACpE;EAIF,MAAM,QAAQ,SAAS,MAAM,IAAI;AAGjC,MAAI,MAAM,SAAS,EACjB;EASF,IAAIA;AACJ,MAAI,MAAM,WAAW,EAEnB,eAAc;WACL,MAAM,SAAS,EAExB,eAAc,MAAM,MAAM,EAAE;MAG5B,eAAc;AAGhB,SAAO,IAAI,YAAY,KAAK,IAAI;SAC1B;AACN;;;AAIJ,eAAe,oBACb,UACA,UACe;AACf,KAAI;AAOF,OANiB,MAAM,SACpB,QAAQ,CACR,KAAKC,YAAuB,CAC5B,MAAM,eAA0B,YAAY,SAAS,WAAW,CAAC,CACjE,MAAM,EAAE,EAEE,SAAS,EACpB;AAGF,MAAI,CAAC,SAAS,OACZ,OAAM,IAAI,MAAM,iBAAiB,SAAS,WAAW,sBAAsB;AAG7E,QAAM,SAAS,OAAOA,YAAuB,CAAC,OAAO;GACnD,IAAI,YAAY;GAChB,YAAY,SAAS;GACrB,QAAQ,SAAS;GACjB,QAAQ,SAAS;GACjB,YAAY,SAAS,aAAa,KAAK,UAAU,SAAS,WAAW,GAAG;GACxE,YAAY,SAAS,aAAa,KAAK,UAAU,SAAS,WAAW,GAAG;GACxE,QAAQ;GACR,gBAAgB,SAAS,kBAAkB;GAC5C,CAAC;UACK,OAAO;AACd,UAAQ,MAAM,sCAAsC,SAAS,WAAW,KAAK,MAAM;;;AAIvF,SAAgB,WAAW,QAA0B;CAEnD,MAAM,eAAe,oBAAoB,OAAO,QAAQ;CAExD,MAAMC,SAAO,WAAW;EACtB,SAAS,OAAO;EAChB,QAAQ,OAAO;EACf,UAAU,eAAe,OAAO,UAAU,EACxC,UAAU,MACX,CAAC;EACF,kBAAkB;GAChB,SAAS;GACT,mBAAmB;GACnB,mBAAmB;GACnB,0BAA0B;GAC1B,YAAY;GACb;EACD,iBAAiB,OAAO,iBAAiB,UAAU,EACjD,QAAQ;GACN,GAAG,OAAO,gBAAgB;GAE1B,GAAI,IAAI,8BAA8B,EACpC,aAAa,GAAG,IAAI,2BAA2B,4BAChD;GACF,EACF;EACD,SAAS;GACP,WAAW,OAAU,KAAK;GAC1B,WAAW,OAAU;GACrB,aAAa;IACX,SAAS;IACT,QAAQ;IACR,UAAU;IACX;GACF;EACD,UAAU;GACR,uBAAuB;IACrB,SAAS;IACT,GAAI,gBAAgB,EAAE,QAAQ,cAAc;IAC7C;GACD,yBAAyB;IACvB,UAAU;IACV,QAAQ;IACR,UAAU;IACV,aAAa;IACb,GAAI,gBAAgB,EAAE,QAAQ,cAAc;IAC7C;GACD,GAAG,OAAO;GACX;EACD,gBAAgB;GACd;GACA;GACA,IAAI;GACJ,IAAI;GACL,CAAC,QAAQ,WAA6B,OAAO,WAAW,YAAY,OAAO,SAAS,EAAE;EACvF,SAAS;GACP,QAAQ;GACR,KAAK;GACL,WAAW,EACT,eAAe,IAAI,8BAA8B,OAAO,SACzD,CAAC;GACF,aAAa;IACX,+BAA+B;IAC/B;IACA,OAAO;KACL,QAAQ;KACR,OAAO;KACP,OAAO;KACR;IACD,iBAAiB;IACjB,iBAAiB;IACjB,qBAAqB,QAAc;IACnC,MAAM,oBAAoB,MAAM;AAC9B,aAAQ,IAAI,0BAA0B;MACpC,OAAO,KAAK;MACZ,WAAW,KAAK,QAAQ,KAAK,QAAQ,KAAK,QAAQ,KAAK;MACvD,cAAc,KAAK,aAAa;MAChC,cAAc,KAAK;MACpB,CAAC;;IASL,CAAC;GACF,oBAAoB;IAClB,iBAAiB;IACjB,WAAW;IACX,UAAU;IACV,gBAAgB;IACjB,CAAC;GACH;EACF,CAAC;AAEF,KAAI,OAAO,cAAc,QAAQ;EAC/B,MAAM,YAAY,OAAO;AACzB,aAAW,YAAY;AACrB,QAAK,MAAM,YAAY,UACrB,OAAM,oBAAoB,OAAO,UAAU,SAAS;KAErD,IAAK;;AAGV,QAAOA;;AAMT,MAAa,OAAO"}
1
+ {"version":3,"file":"auth.js","names":["domainParts: string[]","authSchema.ssoProvider","auth"],"sources":["../../src/auth/auth.ts"],"sourcesContent":["import { sso } from '@better-auth/sso';\nimport { type BetterAuthAdvancedOptions, betterAuth } from 'better-auth';\nimport { drizzleAdapter } from 'better-auth/adapters/drizzle';\nimport { bearer, deviceAuthorization, oAuthProxy, organization } from 'better-auth/plugins';\nimport type { GoogleOptions } from 'better-auth/social-providers';\nimport { eq } from 'drizzle-orm';\nimport type { DatabaseClient } from '../db/client';\nimport { env } from '../env';\nimport { generateId } from '../utils';\nimport * as authSchema from './auth-schema';\nimport { ac, adminRole, memberRole, ownerRole } from './permissions';\n\nexport interface OIDCProviderConfig {\n clientId: string;\n clientSecret: string;\n authorizationEndpoint?: string;\n tokenEndpoint?: string;\n userinfoEndpoint?: string;\n jwksEndpoint?: string;\n discoveryEndpoint?: string;\n scopes?: string[];\n pkce?: boolean;\n mapping?: {\n id?: string;\n email?: string;\n emailVerified?: string;\n name?: string;\n image?: string;\n extraFields?: Record<string, string>;\n };\n}\n\nexport interface SAMLProviderConfig {\n entryPoint: string;\n cert: string;\n callbackUrl: string;\n audience?: string;\n wantAssertionsSigned?: boolean;\n signatureAlgorithm?: string;\n digestAlgorithm?: string;\n identifierFormat?: string;\n mapping?: {\n id?: string;\n email?: string;\n name?: string;\n firstName?: string;\n lastName?: string;\n emailVerified?: string;\n extraFields?: Record<string, string>;\n };\n}\n\nexport interface SSOProviderConfig {\n providerId: string;\n issuer: string;\n domain: string;\n organizationId?: string;\n oidcConfig?: OIDCProviderConfig;\n samlConfig?: SAMLProviderConfig;\n}\n\nexport interface BetterAuthConfig {\n baseURL: string;\n secret: string;\n dbClient: DatabaseClient;\n ssoProviders?: SSOProviderConfig[];\n socialProviders?: {\n google?: GoogleOptions;\n };\n advanced?: BetterAuthAdvancedOptions;\n}\n\nexport interface UserAuthConfig {\n ssoProviders?: SSOProviderConfig[];\n socialProviders?: {\n google?: GoogleOptions;\n };\n advanced?: BetterAuthAdvancedOptions;\n}\n\n/**\n * Extracts the root domain from a URL for cross-subdomain cookie sharing.\n * For example:\n * - https://manage-api.pilot.inkeep.com -> .pilot.inkeep.com\n * - https://pilot.inkeep.com -> .pilot.inkeep.com\n * - http://localhost:3002 -> undefined (no domain for localhost)\n *\n * The logic extracts the parent domain that can be shared across subdomains.\n * For domains with 3+ parts, it takes everything except the first part.\n * For domains with exactly 2 parts, it takes both parts.\n */\nfunction extractCookieDomain(baseURL: string): string | undefined {\n try {\n const url = new URL(baseURL);\n const hostname = url.hostname;\n\n // Don't set domain for localhost or IP addresses\n if (hostname === 'localhost' || hostname.match(/^\\d+\\.\\d+\\.\\d+\\.\\d+$/)) {\n return undefined;\n }\n\n // Split hostname into parts\n const parts = hostname.split('.');\n\n // We need at least 2 parts to form a domain (e.g., inkeep.com)\n if (parts.length < 2) {\n return undefined;\n }\n\n // Extract the parent domain that can be shared across subdomains\n // Examples:\n // - pilot.inkeep.com (3 parts) -> take all 3 parts -> .pilot.inkeep.com\n // - manage-api.pilot.inkeep.com (4 parts) -> take last 3 parts -> .pilot.inkeep.com\n // - inkeep.com (2 parts) -> take both parts -> .inkeep.com\n\n let domainParts: string[];\n if (parts.length === 3) {\n // For 3-part domains like pilot.inkeep.com, take all parts\n domainParts = parts;\n } else if (parts.length > 3) {\n // For 4+ part domains like manage-api.pilot.inkeep.com, take everything except first\n domainParts = parts.slice(1);\n } else {\n // For 2-part domains like inkeep.com, take both parts\n domainParts = parts;\n }\n\n return `.${domainParts.join('.')}`;\n } catch {\n return undefined;\n }\n}\n\nasync function registerSSOProvider(\n dbClient: DatabaseClient,\n provider: SSOProviderConfig\n): Promise<void> {\n try {\n const existing = await dbClient\n .select()\n .from(authSchema.ssoProvider)\n .where(eq(authSchema.ssoProvider.providerId, provider.providerId))\n .limit(1);\n\n if (existing.length > 0) {\n return;\n }\n\n if (!provider.domain) {\n throw new Error(`SSO provider '${provider.providerId}' must have a domain`);\n }\n\n await dbClient.insert(authSchema.ssoProvider).values({\n id: generateId(),\n providerId: provider.providerId,\n issuer: provider.issuer,\n domain: provider.domain,\n oidcConfig: provider.oidcConfig ? JSON.stringify(provider.oidcConfig) : null,\n samlConfig: provider.samlConfig ? JSON.stringify(provider.samlConfig) : null,\n userId: null,\n organizationId: provider.organizationId || null,\n });\n } catch (error) {\n console.error(`❌ Failed to register SSO provider '${provider.providerId}':`, error);\n }\n}\n\nexport function createAuth(config: BetterAuthConfig) {\n // Extract cookie domain from baseURL for cross-subdomain cookie sharing\n const cookieDomain = extractCookieDomain(config.baseURL);\n\n const auth = betterAuth({\n baseURL: config.baseURL,\n secret: config.secret,\n database: drizzleAdapter(config.dbClient, {\n provider: 'pg',\n }),\n emailAndPassword: {\n enabled: true,\n minPasswordLength: 8,\n maxPasswordLength: 128,\n requireEmailVerification: false,\n autoSignIn: true,\n },\n socialProviders: config.socialProviders?.google && {\n google: {\n ...config.socialProviders.google,\n // For local/preview env, redirect to production URL registered in Google Console\n ...(env.OAUTH_PROXY_PRODUCTION_URL && {\n redirectURI: `${env.OAUTH_PROXY_PRODUCTION_URL}/api/auth/callback/google`,\n }),\n },\n },\n session: {\n expiresIn: 60 * 60 * 24 * 7,\n updateAge: 60 * 60 * 24,\n cookieCache: {\n enabled: true,\n maxAge: 5 * 60,\n strategy: 'compact',\n },\n },\n advanced: {\n crossSubDomainCookies: {\n enabled: true,\n ...(cookieDomain && { domain: cookieDomain }),\n },\n defaultCookieAttributes: {\n sameSite: 'none',\n secure: true,\n httpOnly: true,\n partitioned: true,\n ...(cookieDomain && { domain: cookieDomain }),\n },\n ...config.advanced,\n },\n trustedOrigins: [\n 'http://localhost:3000',\n 'http://localhost:3002',\n env.INKEEP_AGENTS_MANAGE_UI_URL,\n env.INKEEP_AGENTS_MANAGE_API_URL,\n env.TRUSTED_ORIGIN,\n ].filter((origin): origin is string => typeof origin === 'string' && origin.length > 0),\n plugins: [\n bearer(),\n sso(),\n oAuthProxy({\n productionURL: env.OAUTH_PROXY_PRODUCTION_URL || config.baseURL,\n }),\n organization({\n allowUserToCreateOrganization: true,\n ac,\n roles: {\n member: memberRole,\n admin: adminRole,\n owner: ownerRole,\n },\n membershipLimit: 300,\n invitationLimit: 300,\n invitationExpiresIn: 7 * 24 * 60 * 60, // 7 days (in seconds)\n async sendInvitationEmail(data) {\n console.log('📧 Invitation created:', {\n email: data.email,\n invitedBy: data.inviter.user.name || data.inviter.user.email,\n organization: data.organization.name,\n invitationId: data.id,\n });\n\n // Note: The invitation link is displayed in the UI with a copy button.\n // If you want to send actual emails, configure an email provider:\n // - Resend: await resend.emails.send({ ... })\n // - SendGrid: await sgMail.send({ ... })\n // - AWS SES: await ses.sendEmail({ ... })\n // - Postmark: await postmark.sendEmail({ ... })\n },\n }),\n deviceAuthorization({\n verificationUri: '/device',\n expiresIn: '60m', // 30 minutes\n interval: '5s', // 5 second polling interval\n userCodeLength: 8, // e.g., \"ABCD-EFGH\"\n }),\n ],\n });\n\n if (config.ssoProviders?.length) {\n const providers = config.ssoProviders;\n setTimeout(async () => {\n for (const provider of providers) {\n await registerSSOProvider(config.dbClient, provider);\n }\n }, 1000);\n }\n\n return auth;\n}\n\n// Type placeholder for type inference in consuming code (e.g., app.ts AppVariables)\n// Actual auth instances should be created using createAuth() with a real database client\n// This is cast as any to avoid instantiation while preserving type information\nexport const auth = null as any as ReturnType<typeof createAuth>;\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AA2FA,SAAS,oBAAoB,SAAqC;AAChE,KAAI;EAEF,MAAM,WADM,IAAI,IAAI,QAAQ,CACP;AAGrB,MAAI,aAAa,eAAe,SAAS,MAAM,uBAAuB,CACpE;EAIF,MAAM,QAAQ,SAAS,MAAM,IAAI;AAGjC,MAAI,MAAM,SAAS,EACjB;EASF,IAAIA;AACJ,MAAI,MAAM,WAAW,EAEnB,eAAc;WACL,MAAM,SAAS,EAExB,eAAc,MAAM,MAAM,EAAE;MAG5B,eAAc;AAGhB,SAAO,IAAI,YAAY,KAAK,IAAI;SAC1B;AACN;;;AAIJ,eAAe,oBACb,UACA,UACe;AACf,KAAI;AAOF,OANiB,MAAM,SACpB,QAAQ,CACR,KAAKC,YAAuB,CAC5B,MAAM,eAA0B,YAAY,SAAS,WAAW,CAAC,CACjE,MAAM,EAAE,EAEE,SAAS,EACpB;AAGF,MAAI,CAAC,SAAS,OACZ,OAAM,IAAI,MAAM,iBAAiB,SAAS,WAAW,sBAAsB;AAG7E,QAAM,SAAS,OAAOA,YAAuB,CAAC,OAAO;GACnD,IAAI,YAAY;GAChB,YAAY,SAAS;GACrB,QAAQ,SAAS;GACjB,QAAQ,SAAS;GACjB,YAAY,SAAS,aAAa,KAAK,UAAU,SAAS,WAAW,GAAG;GACxE,YAAY,SAAS,aAAa,KAAK,UAAU,SAAS,WAAW,GAAG;GACxE,QAAQ;GACR,gBAAgB,SAAS,kBAAkB;GAC5C,CAAC;UACK,OAAO;AACd,UAAQ,MAAM,sCAAsC,SAAS,WAAW,KAAK,MAAM;;;AAIvF,SAAgB,WAAW,QAA0B;CAEnD,MAAM,eAAe,oBAAoB,OAAO,QAAQ;CAExD,MAAMC,SAAO,WAAW;EACtB,SAAS,OAAO;EAChB,QAAQ,OAAO;EACf,UAAU,eAAe,OAAO,UAAU,EACxC,UAAU,MACX,CAAC;EACF,kBAAkB;GAChB,SAAS;GACT,mBAAmB;GACnB,mBAAmB;GACnB,0BAA0B;GAC1B,YAAY;GACb;EACD,iBAAiB,OAAO,iBAAiB,UAAU,EACjD,QAAQ;GACN,GAAG,OAAO,gBAAgB;GAE1B,GAAI,IAAI,8BAA8B,EACpC,aAAa,GAAG,IAAI,2BAA2B,4BAChD;GACF,EACF;EACD,SAAS;GACP,WAAW,OAAU,KAAK;GAC1B,WAAW,OAAU;GACrB,aAAa;IACX,SAAS;IACT,QAAQ;IACR,UAAU;IACX;GACF;EACD,UAAU;GACR,uBAAuB;IACrB,SAAS;IACT,GAAI,gBAAgB,EAAE,QAAQ,cAAc;IAC7C;GACD,yBAAyB;IACvB,UAAU;IACV,QAAQ;IACR,UAAU;IACV,aAAa;IACb,GAAI,gBAAgB,EAAE,QAAQ,cAAc;IAC7C;GACD,GAAG,OAAO;GACX;EACD,gBAAgB;GACd;GACA;GACA,IAAI;GACJ,IAAI;GACJ,IAAI;GACL,CAAC,QAAQ,WAA6B,OAAO,WAAW,YAAY,OAAO,SAAS,EAAE;EACvF,SAAS;GACP,QAAQ;GACR,KAAK;GACL,WAAW,EACT,eAAe,IAAI,8BAA8B,OAAO,SACzD,CAAC;GACF,aAAa;IACX,+BAA+B;IAC/B;IACA,OAAO;KACL,QAAQ;KACR,OAAO;KACP,OAAO;KACR;IACD,iBAAiB;IACjB,iBAAiB;IACjB,qBAAqB,QAAc;IACnC,MAAM,oBAAoB,MAAM;AAC9B,aAAQ,IAAI,0BAA0B;MACpC,OAAO,KAAK;MACZ,WAAW,KAAK,QAAQ,KAAK,QAAQ,KAAK,QAAQ,KAAK;MACvD,cAAc,KAAK,aAAa;MAChC,cAAc,KAAK;MACpB,CAAC;;IASL,CAAC;GACF,oBAAoB;IAClB,iBAAiB;IACjB,WAAW;IACX,UAAU;IACV,gBAAgB;IACjB,CAAC;GACH;EACF,CAAC;AAEF,KAAI,OAAO,cAAc,QAAQ;EAC/B,MAAM,YAAY,OAAO;AACzB,aAAW,YAAY;AACrB,QAAK,MAAM,YAAY,UACrB,OAAM,oBAAoB,OAAO,UAAU,SAAS;KAErD,IAAK;;AAGV,QAAOA;;AAMT,MAAa,OAAO"}
package/dist/auth/permissions.d.ts CHANGED
@@ -1,28 +1,28 @@
1
- import * as better_auth_plugins53 from "better-auth/plugins";
1
+ import * as better_auth_plugins0 from "better-auth/plugins";
2
2
  import { AccessControl } from "better-auth/plugins/access";
3
3
 
4
4
  //#region src/auth/permissions.d.ts
5
5
  declare const ac: AccessControl;
6
6
  declare const memberRole: {
7
- authorize<K_1 extends "function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins53.Subset<"function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team", better_auth_plugins53.Statements>[key] | {
8
- actions: better_auth_plugins53.Subset<"function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team", better_auth_plugins53.Statements>[key];
7
+ authorize<K_1 extends "function" | "organization" | "agent" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "member" | "invitation" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "member" | "invitation" | "team", better_auth_plugins0.Statements>[key] | {
8
+ actions: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "member" | "invitation" | "team", better_auth_plugins0.Statements>[key];
9
9
  connector: "OR" | "AND";
10
- } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins53.AuthorizeResponse;
11
- statements: better_auth_plugins53.Subset<"function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team", better_auth_plugins53.Statements>;
10
+ } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
11
+ statements: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "member" | "invitation" | "team", better_auth_plugins0.Statements>;
12
12
  };
13
13
  declare const adminRole: {
14
- authorize<K_1 extends "function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins53.Subset<"function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team", better_auth_plugins53.Statements>[key] | {
15
- actions: better_auth_plugins53.Subset<"function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team", better_auth_plugins53.Statements>[key];
14
+ authorize<K_1 extends "function" | "organization" | "agent" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "member" | "invitation" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "member" | "invitation" | "team", better_auth_plugins0.Statements>[key] | {
15
+ actions: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "member" | "invitation" | "team", better_auth_plugins0.Statements>[key];
16
16
  connector: "OR" | "AND";
17
- } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins53.AuthorizeResponse;
18
- statements: better_auth_plugins53.Subset<"function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team", better_auth_plugins53.Statements>;
17
+ } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
18
+ statements: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "member" | "invitation" | "team", better_auth_plugins0.Statements>;
19
19
  };
20
20
  declare const ownerRole: {
21
- authorize<K_1 extends "function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins53.Subset<"function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team", better_auth_plugins53.Statements>[key] | {
22
- actions: better_auth_plugins53.Subset<"function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team", better_auth_plugins53.Statements>[key];
21
+ authorize<K_1 extends "function" | "organization" | "agent" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "member" | "invitation" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "member" | "invitation" | "team", better_auth_plugins0.Statements>[key] | {
22
+ actions: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "member" | "invitation" | "team", better_auth_plugins0.Statements>[key];
23
23
  connector: "OR" | "AND";
24
- } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins53.AuthorizeResponse;
25
- statements: better_auth_plugins53.Subset<"function" | "organization" | "ac" | "member" | "project" | "agent" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "invitation" | "team", better_auth_plugins53.Statements>;
24
+ } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
25
+ statements: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "project" | "tool" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "ac" | "member" | "invitation" | "team", better_auth_plugins0.Statements>;
26
26
  };
27
27
  //#endregion
28
28
  export { ac, adminRole, memberRole, ownerRole };
package/dist/auth/permissions.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"permissions.d.ts","names":[],"sources":["../../src/auth/permissions.ts"],"sourcesContent":[],"mappings":";;;;cAwBa,IAAuC;cAEvC;;IAFA,OAAoD,8BAAA,CAAA,UAAA,GAAA,cAAA,GAAA,IAAA,GAAA,QAAA,GAAA,SAAA,GAAA,OAAA,GAAA,WAAA,GAAA,MAAA,GAAA,SAAA,GAAA,YAAA,GAAA,gBAAA,GAAA,oBAAA,GAAA,gBAAA,GAAA,gBAAA,GAAA,YAAA,GAAA,MAAA,mCAAA,IAAA,CAAA;IAEpD,SAaX,EAAA,IAAA,GAAA,KAAA;;;;cAEW;;;;;;;cAeA;;;IAfA,SAaX,EAAA,IAAA,GAAA,KAAA"}
1
+ {"version":3,"file":"permissions.d.ts","names":[],"sources":["../../src/auth/permissions.ts"],"sourcesContent":[],"mappings":";;;;cAwBa,IAAuC;cAEvC;;IAFA,OAAoD,6BAAA,CAAA,UAAA,GAAA,cAAA,GAAA,OAAA,GAAA,SAAA,GAAA,MAAA,GAAA,WAAA,GAAA,SAAA,GAAA,YAAA,GAAA,gBAAA,GAAA,oBAAA,GAAA,gBAAA,GAAA,gBAAA,GAAA,IAAA,GAAA,QAAA,GAAA,YAAA,GAAA,MAAA,kCAAA,IAAA,CAAA;IAEpD,SAaX,EAAA,IAAA,GAAA,KAAA;;;;cAEW;;;;;;;cAeA;;;IAfA,SAaX,EAAA,IAAA,GAAA,KAAA"}
package/dist/client-exports.d.ts CHANGED
@@ -177,9 +177,9 @@ declare const FullAgentDefinitionSchema: z.ZodObject<{
177
177
  subAgents: z.ZodRecord<z.ZodString, z.ZodUnion<readonly [z.ZodObject<{
178
178
  id: z.ZodString;
179
179
  name: z.ZodString;
180
+ description: z.ZodOptional<z.ZodNullable<z.ZodString>>;
180
181
  createdAt: z.ZodOptional<z.ZodString>;
181
182
  updatedAt: z.ZodOptional<z.ZodString>;
182
- description: z.ZodOptional<z.ZodNullable<z.ZodString>>;
183
183
  models: z.ZodOptional<z.ZodObject<{
184
184
  base: z.ZodOptional<z.ZodObject<{
185
185
  model: z.ZodOptional<z.ZodString>;