@inkeep/agents-core 0.0.0-dev-20260118170655 → 0.0.0-dev-20260119170007

package/dist/auth/authz/permissions.d.ts

@@ -0,0 +1,57 @@
+import { OrgRole } from "./config.js";
+
+//#region src/auth/authz/permissions.d.ts
+
+/**
+ * Check if a user can view a project.
+ *
+ * - If authz is disabled: returns true (current behavior)
+ * - If user is org owner/admin: returns true (bypass)
+ * - Otherwise: checks SpiceDB
+ */
+declare function canViewProject(params: {
+  tenantId: string;
+  userId: string;
+  projectId: string;
+  orgRole: OrgRole;
+}): Promise<boolean>;
+/**
+ * Check if a user can use a project (invoke agents, create API keys, view traces).
+ *
+ * - If authz is disabled: returns true (current behavior)
+ * - If user is org owner/admin: returns true (bypass)
+ * - Otherwise: checks SpiceDB for use permission
+ */
+declare function canUseProject(params: {
+  tenantId: string;
+  userId: string;
+  projectId: string;
+  orgRole: OrgRole;
+}): Promise<boolean>;
+/**
+ * Check if a user can edit a project (modify configurations).
+ *
+ * - If authz is disabled: only org owner/admin can edit
+ * - If user is org owner/admin: returns true (bypass)
+ * - Otherwise: checks SpiceDB for edit permission
+ */
+declare function canEditProject(params: {
+  tenantId: string;
+  userId: string;
+  projectId: string;
+  orgRole: OrgRole;
+}): Promise<boolean>;
+/**
+ * Get list of accessible project IDs for a user.
+ *
+ * - If authz is disabled: returns 'all' (no filtering needed)
+ * - If user is org owner/admin: returns 'all' (no filtering needed)
+ * - Otherwise: uses SpiceDB LookupResources
+ */
+declare function listAccessibleProjectIds(params: {
+  tenantId: string;
+  userId: string;
+  orgRole: OrgRole;
+}): Promise<string[] | 'all'>;
+//#endregion
+export { canEditProject, canUseProject, canViewProject, listAccessibleProjectIds };

package/dist/auth/authz/permissions.js

@@ -0,0 +1,83 @@
+import { SpiceDbPermissions, SpiceDbResourceTypes, isAuthzEnabled } from "./config.js";
+import { checkPermission, lookupResources } from "./client.js";
+
+//#region src/auth/authz/permissions.ts
+/**
+* SpiceDB Permission Check Functions
+*
+* High-level functions for checking project-level permissions.
+*/
+/**
+* Check if a user can view a project.
+*
+* - If authz is disabled: returns true (current behavior)
+* - If user is org owner/admin: returns true (bypass)
+* - Otherwise: checks SpiceDB
+*/
+async function canViewProject(params) {
+	if (!isAuthzEnabled(params.tenantId)) return true;
+	if (params.orgRole === "owner" || params.orgRole === "admin") return true;
+	return checkPermission({
+		resourceType: SpiceDbResourceTypes.PROJECT,
+		resourceId: params.projectId,
+		permission: SpiceDbPermissions.VIEW,
+		subjectType: SpiceDbResourceTypes.USER,
+		subjectId: params.userId
+	});
+}
+/**
+* Check if a user can use a project (invoke agents, create API keys, view traces).
+*
+* - If authz is disabled: returns true (current behavior)
+* - If user is org owner/admin: returns true (bypass)
+* - Otherwise: checks SpiceDB for use permission
+*/
+async function canUseProject(params) {
+	if (!isAuthzEnabled(params.tenantId)) return true;
+	if (params.orgRole === "owner" || params.orgRole === "admin") return true;
+	return checkPermission({
+		resourceType: SpiceDbResourceTypes.PROJECT,
+		resourceId: params.projectId,
+		permission: SpiceDbPermissions.USE,
+		subjectType: SpiceDbResourceTypes.USER,
+		subjectId: params.userId
+	});
+}
+/**
+* Check if a user can edit a project (modify configurations).
+*
+* - If authz is disabled: only org owner/admin can edit
+* - If user is org owner/admin: returns true (bypass)
+* - Otherwise: checks SpiceDB for edit permission
+*/
+async function canEditProject(params) {
+	if (!isAuthzEnabled(params.tenantId)) return params.orgRole === "owner" || params.orgRole === "admin";
+	if (params.orgRole === "owner" || params.orgRole === "admin") return true;
+	return checkPermission({
+		resourceType: SpiceDbResourceTypes.PROJECT,
+		resourceId: params.projectId,
+		permission: SpiceDbPermissions.EDIT,
+		subjectType: SpiceDbResourceTypes.USER,
+		subjectId: params.userId
+	});
+}
+/**
+* Get list of accessible project IDs for a user.
+*
+* - If authz is disabled: returns 'all' (no filtering needed)
+* - If user is org owner/admin: returns 'all' (no filtering needed)
+* - Otherwise: uses SpiceDB LookupResources
+*/
+async function listAccessibleProjectIds(params) {
+	if (!isAuthzEnabled(params.tenantId)) return "all";
+	if (params.orgRole === "owner" || params.orgRole === "admin") return "all";
+	return lookupResources({
+		resourceType: SpiceDbResourceTypes.PROJECT,
+		permission: SpiceDbPermissions.VIEW,
+		subjectType: SpiceDbResourceTypes.USER,
+		subjectId: params.userId
+	});
+}
+
+//#endregion
+export { canEditProject, canUseProject, canViewProject, listAccessibleProjectIds };

package/dist/auth/authz/sync.d.ts

@@ -0,0 +1,85 @@
+import { OrgRole, ProjectRole } from "./config.js";
+
+//#region src/auth/authz/sync.d.ts
+
+/**
+ * Sync a user's org membership to SpiceDB.
+ * Call when: user joins org, role changes, user leaves org.
+ */
+declare function syncOrgMemberToSpiceDb(params: {
+  tenantId: string;
+  userId: string;
+  role: OrgRole;
+  action: 'add' | 'remove';
+}): Promise<void>;
+/**
+ * Change a user's organization role.
+ * Removes the old role and adds the new one atomically in a single transaction.
+ * Call when: user's org role is updated (e.g., member -> admin).
+ */
+declare function changeOrgRole(params: {
+  tenantId: string;
+  userId: string;
+  oldRole: OrgRole;
+  newRole: OrgRole;
+}): Promise<void>;
+/**
+ * Sync a new project to SpiceDB.
+ * Links project to org and grants creator project_admin role.
+ * Call when: project is created.
+ */
+declare function syncProjectToSpiceDb(params: {
+  tenantId: string;
+  projectId: string;
+  creatorUserId: string;
+}): Promise<void>;
+/**
+ * Grant project access to a user.
+ */
+declare function grantProjectAccess(params: {
+  tenantId: string;
+  projectId: string;
+  userId: string;
+  role: ProjectRole;
+}): Promise<void>;
+/**
+ * Revoke project access from a user.
+ */
+declare function revokeProjectAccess(params: {
+  tenantId: string;
+  projectId: string;
+  userId: string;
+  role: ProjectRole;
+}): Promise<void>;
+/**
+ * Change a user's project role.
+ * Removes the old role and adds the new one atomically in a single transaction.
+ */
+declare function changeProjectRole(params: {
+  tenantId: string;
+  projectId: string;
+  userId: string;
+  oldRole: ProjectRole;
+  newRole: ProjectRole;
+}): Promise<void>;
+/**
+ * Remove a project from SpiceDB.
+ * Call when: project is deleted.
+ */
+declare function removeProjectFromSpiceDb(params: {
+  tenantId: string;
+  projectId: string;
+}): Promise<void>;
+/**
+ * List all explicit project members from SpiceDB.
+ * Returns users with project_admin, project_member, or project_viewer roles.
+ */
+declare function listProjectMembers(params: {
+  tenantId: string;
+  projectId: string;
+}): Promise<Array<{
+  userId: string;
+  role: ProjectRole;
+}>>;
+//#endregion
+export { changeOrgRole, changeProjectRole, grantProjectAccess, listProjectMembers, removeProjectFromSpiceDb, revokeProjectAccess, syncOrgMemberToSpiceDb, syncProjectToSpiceDb };

package/dist/auth/authz/sync.js

@@ -0,0 +1,237 @@
+import { SpiceDbRelations, SpiceDbResourceTypes, isAuthzEnabled } from "./config.js";
+import { deleteRelationship, getSpiceClient, readRelationships, writeRelationship } from "./client.js";
+
+//#region src/auth/authz/sync.ts
+/**
+* SpiceDB Sync Utilities
+*
+* Functions for syncing data between better-auth and SpiceDB.
+*/
+const RELATIONSHIP_OPERATION_CREATE = 1;
+const RELATIONSHIP_OPERATION_TOUCH = 2;
+const RELATIONSHIP_OPERATION_DELETE = 3;
+/**
+* Sync a user's org membership to SpiceDB.
+* Call when: user joins org, role changes, user leaves org.
+*/
+async function syncOrgMemberToSpiceDb(params) {
+	if (!isAuthzEnabled(params.tenantId)) return;
+	if (params.action === "add") await writeRelationship({
+		resourceType: SpiceDbResourceTypes.ORGANIZATION,
+		resourceId: params.tenantId,
+		relation: params.role,
+		subjectType: SpiceDbResourceTypes.USER,
+		subjectId: params.userId
+	});
+	else await deleteRelationship({
+		resourceType: SpiceDbResourceTypes.ORGANIZATION,
+		resourceId: params.tenantId,
+		relation: params.role,
+		subjectType: SpiceDbResourceTypes.USER,
+		subjectId: params.userId
+	});
+}
+/**
+* Change a user's organization role.
+* Removes the old role and adds the new one atomically in a single transaction.
+* Call when: user's org role is updated (e.g., member -> admin).
+*/
+async function changeOrgRole(params) {
+	if (!isAuthzEnabled(params.tenantId)) return;
+	if (params.oldRole === params.newRole) return;
+	await getSpiceClient().promises.writeRelationships({
+		updates: [{
+			operation: RELATIONSHIP_OPERATION_DELETE,
+			relationship: {
+				resource: {
+					objectType: SpiceDbResourceTypes.ORGANIZATION,
+					objectId: params.tenantId
+				},
+				relation: params.oldRole,
+				subject: {
+					object: {
+						objectType: SpiceDbResourceTypes.USER,
+						objectId: params.userId
+					},
+					optionalRelation: ""
+				},
+				optionalCaveat: void 0
+			}
+		}, {
+			operation: RELATIONSHIP_OPERATION_TOUCH,
+			relationship: {
+				resource: {
+					objectType: SpiceDbResourceTypes.ORGANIZATION,
+					objectId: params.tenantId
+				},
+				relation: params.newRole,
+				subject: {
+					object: {
+						objectType: SpiceDbResourceTypes.USER,
+						objectId: params.userId
+					},
+					optionalRelation: ""
+				},
+				optionalCaveat: void 0
+			}
+		}],
+		optionalPreconditions: [],
+		optionalTransactionMetadata: void 0
+	});
+}
+/**
+* Sync a new project to SpiceDB.
+* Links project to org and grants creator project_admin role.
+* Call when: project is created.
+*/
+async function syncProjectToSpiceDb(params) {
+	if (!isAuthzEnabled(params.tenantId)) return;
+	await getSpiceClient().promises.writeRelationships({
+		updates: [{
+			operation: RELATIONSHIP_OPERATION_CREATE,
+			relationship: {
+				resource: {
+					objectType: SpiceDbResourceTypes.PROJECT,
+					objectId: params.projectId
+				},
+				relation: SpiceDbRelations.ORGANIZATION,
+				subject: {
+					object: {
+						objectType: SpiceDbResourceTypes.ORGANIZATION,
+						objectId: params.tenantId
+					},
+					optionalRelation: ""
+				},
+				optionalCaveat: void 0
+			}
+		}, {
+			operation: RELATIONSHIP_OPERATION_CREATE,
+			relationship: {
+				resource: {
+					objectType: SpiceDbResourceTypes.PROJECT,
+					objectId: params.projectId
+				},
+				relation: SpiceDbRelations.PROJECT_ADMIN,
+				subject: {
+					object: {
+						objectType: SpiceDbResourceTypes.USER,
+						objectId: params.creatorUserId
+					},
+					optionalRelation: ""
+				},
+				optionalCaveat: void 0
+			}
+		}],
+		optionalPreconditions: [],
+		optionalTransactionMetadata: void 0
+	});
+}
+/**
+* Grant project access to a user.
+*/
+async function grantProjectAccess(params) {
+	if (!isAuthzEnabled(params.tenantId)) throw new Error("Authorization is not enabled");
+	await writeRelationship({
+		resourceType: SpiceDbResourceTypes.PROJECT,
+		resourceId: params.projectId,
+		relation: params.role,
+		subjectType: SpiceDbResourceTypes.USER,
+		subjectId: params.userId
+	});
+}
+/**
+* Revoke project access from a user.
+*/
+async function revokeProjectAccess(params) {
+	if (!isAuthzEnabled(params.tenantId)) throw new Error("Authorization is not enabled");
+	await deleteRelationship({
+		resourceType: SpiceDbResourceTypes.PROJECT,
+		resourceId: params.projectId,
+		relation: params.role,
+		subjectType: SpiceDbResourceTypes.USER,
+		subjectId: params.userId
+	});
+}
+/**
+* Change a user's project role.
+* Removes the old role and adds the new one atomically in a single transaction.
+*/
+async function changeProjectRole(params) {
+	if (!isAuthzEnabled(params.tenantId)) throw new Error("Authorization is not enabled");
+	if (params.oldRole === params.newRole) return;
+	await getSpiceClient().promises.writeRelationships({
+		updates: [{
+			operation: RELATIONSHIP_OPERATION_DELETE,
+			relationship: {
+				resource: {
+					objectType: SpiceDbResourceTypes.PROJECT,
+					objectId: params.projectId
+				},
+				relation: params.oldRole,
+				subject: {
+					object: {
+						objectType: SpiceDbResourceTypes.USER,
+						objectId: params.userId
+					},
+					optionalRelation: ""
+				},
+				optionalCaveat: void 0
+			}
+		}, {
+			operation: RELATIONSHIP_OPERATION_TOUCH,
+			relationship: {
+				resource: {
+					objectType: SpiceDbResourceTypes.PROJECT,
+					objectId: params.projectId
+				},
+				relation: params.newRole,
+				subject: {
+					object: {
+						objectType: SpiceDbResourceTypes.USER,
+						objectId: params.userId
+					},
+					optionalRelation: ""
+				},
+				optionalCaveat: void 0
+			}
+		}],
+		optionalPreconditions: [],
+		optionalTransactionMetadata: void 0
+	});
+}
+/**
+* Remove a project from SpiceDB.
+* Call when: project is deleted.
+*/
+async function removeProjectFromSpiceDb(params) {
+	if (!isAuthzEnabled(params.tenantId)) return;
+	await getSpiceClient().promises.deleteRelationships({
+		relationshipFilter: {
+			resourceType: SpiceDbResourceTypes.PROJECT,
+			optionalResourceId: params.projectId,
+			optionalResourceIdPrefix: "",
+			optionalRelation: ""
+		},
+		optionalPreconditions: [],
+		optionalLimit: 0,
+		optionalAllowPartialDeletions: false,
+		optionalTransactionMetadata: void 0
+	});
+}
+/**
+* List all explicit project members from SpiceDB.
+* Returns users with project_admin, project_member, or project_viewer roles.
+*/
+async function listProjectMembers(params) {
+	if (!isAuthzEnabled(params.tenantId)) return [];
+	return (await readRelationships({
+		resourceType: SpiceDbResourceTypes.PROJECT,
+		resourceId: params.projectId
+	})).filter((rel) => rel.subjectType === SpiceDbResourceTypes.USER && (rel.relation === SpiceDbRelations.PROJECT_ADMIN || rel.relation === SpiceDbRelations.PROJECT_MEMBER || rel.relation === SpiceDbRelations.PROJECT_VIEWER)).map((rel) => ({
+		userId: rel.subjectId,
+		role: rel.relation
+	}));
+}
+
+//#endregion
+export { changeOrgRole, changeProjectRole, grantProjectAccess, listProjectMembers, removeProjectFromSpiceDb, revokeProjectAccess, syncOrgMemberToSpiceDb, syncProjectToSpiceDb };

package/dist/auth/permissions.d.ts

@@ -1,29 +1,29 @@
-import * as better_auth_plugins55 from "better-auth/plugins";
+import * as better_auth_plugins69 from "better-auth/plugins";
 import { AccessControl } from "better-auth/plugins/access";
 import { organizationClient } from "better-auth/client/plugins";
 
 //#region src/auth/permissions.d.ts
 declare const ac: AccessControl;
 declare const memberRole: {
-  authorize<K_1 extends "function" | "agent" | "project" | "organization" | "credential" | "tool" | "member" | "invitation" | "ac" | "sub_agent" | "api_key" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins55.Subset<"function" | "agent" | "project" | "organization" | "credential" | "tool" | "member" | "invitation" | "ac" | "sub_agent" | "api_key" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins55.Statements>[key] | {
-    actions: better_auth_plugins55.Subset<"function" | "agent" | "project" | "organization" | "credential" | "tool" | "member" | "invitation" | "ac" | "sub_agent" | "api_key" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins55.Statements>[key];
+  authorize<K_1 extends "organization" | "ac" | "member" | "project" | "team" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins69.Statements>[key] | {
+    actions: better_auth_plugins69.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins69.Statements>[key];
     connector: "OR" | "AND";
-  } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins55.AuthorizeResponse;
-  statements: better_auth_plugins55.Subset<"function" | "agent" | "project" | "organization" | "credential" | "tool" | "member" | "invitation" | "ac" | "sub_agent" | "api_key" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins55.Statements>;
+  } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins69.AuthorizeResponse;
+  statements: better_auth_plugins69.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins69.Statements>;
 };
 declare const adminRole: {
-  authorize<K_1 extends "function" | "agent" | "project" | "organization" | "credential" | "tool" | "member" | "invitation" | "ac" | "sub_agent" | "api_key" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins55.Subset<"function" | "agent" | "project" | "organization" | "credential" | "tool" | "member" | "invitation" | "ac" | "sub_agent" | "api_key" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins55.Statements>[key] | {
-    actions: better_auth_plugins55.Subset<"function" | "agent" | "project" | "organization" | "credential" | "tool" | "member" | "invitation" | "ac" | "sub_agent" | "api_key" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins55.Statements>[key];
+  authorize<K_1 extends "organization" | "ac" | "member" | "project" | "team" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins69.Statements>[key] | {
+    actions: better_auth_plugins69.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins69.Statements>[key];
     connector: "OR" | "AND";
-  } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins55.AuthorizeResponse;
-  statements: better_auth_plugins55.Subset<"function" | "agent" | "project" | "organization" | "credential" | "tool" | "member" | "invitation" | "ac" | "sub_agent" | "api_key" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins55.Statements>;
+  } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins69.AuthorizeResponse;
+  statements: better_auth_plugins69.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins69.Statements>;
 };
 declare const ownerRole: {
-  authorize<K_1 extends "function" | "agent" | "project" | "organization" | "credential" | "tool" | "member" | "invitation" | "ac" | "sub_agent" | "api_key" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins55.Subset<"function" | "agent" | "project" | "organization" | "credential" | "tool" | "member" | "invitation" | "ac" | "sub_agent" | "api_key" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins55.Statements>[key] | {
-    actions: better_auth_plugins55.Subset<"function" | "agent" | "project" | "organization" | "credential" | "tool" | "member" | "invitation" | "ac" | "sub_agent" | "api_key" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins55.Statements>[key];
+  authorize<K_1 extends "organization" | "ac" | "member" | "project" | "team" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins69.Statements>[key] | {
+    actions: better_auth_plugins69.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins69.Statements>[key];
     connector: "OR" | "AND";
-  } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins55.AuthorizeResponse;
-  statements: better_auth_plugins55.Subset<"function" | "agent" | "project" | "organization" | "credential" | "tool" | "member" | "invitation" | "ac" | "sub_agent" | "api_key" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins55.Statements>;
+  } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins69.AuthorizeResponse;
+  statements: better_auth_plugins69.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins69.Statements>;
 };
 //#endregion
 export { ac, adminRole, memberRole, organizationClient, ownerRole };