@inkeep/agents-core 0.0.0-dev-20260319140628 → 0.0.0-dev-20260319160044

package/dist/data-access/runtime/apiKeys.d.ts

@@ -8,11 +8,11 @@ declare const getApiKeyById: (db: AgentsRunDatabaseClient) => (params: {
   scopes: ProjectScopeConfig;
   id: string;
 }) => Promise<{
+  agentId: string;
+  projectId: string;
+  tenantId: string;
   id: string;
   name: string | null;
-  tenantId: string;
-  projectId: string;
-  agentId: string;
   createdAt: string;
   updatedAt: string;
   expiresAt: string | null;
@@ -22,11 +22,11 @@ declare const getApiKeyById: (db: AgentsRunDatabaseClient) => (params: {
   lastUsedAt: string | null;
 } | undefined>;
 declare const getApiKeyByPublicId: (db: AgentsRunDatabaseClient) => (publicId: string) => Promise<{
+  agentId: string;
+  projectId: string;
+  tenantId: string;
   id: string;
   name: string | null;
-  tenantId: string;
-  projectId: string;
-  agentId: string;
   createdAt: string;
   updatedAt: string;
   expiresAt: string | null;
@@ -39,11 +39,11 @@ declare const listApiKeys: (db: AgentsRunDatabaseClient) => (params: {
   scopes: ProjectScopeConfig;
   agentId?: string;
 }) => Promise<{
+  agentId: string;
+  projectId: string;
+  tenantId: string;
   id: string;
   name: string | null;
-  tenantId: string;
-  projectId: string;
-  agentId: string;
   createdAt: string;
   updatedAt: string;
   expiresAt: string | null;
@@ -66,11 +66,11 @@ declare const listApiKeysPaginated: (db: AgentsRunDatabaseClient) => (params: {
   };
 }>;
 declare const createApiKey: (db: AgentsRunDatabaseClient) => (params: ApiKeyInsert) => Promise<{
+  agentId: string;
+  projectId: string;
+  tenantId: string;
   id: string;
   name: string | null;
-  tenantId: string;
-  projectId: string;
-  agentId: string;
   createdAt: string;
   updatedAt: string;
   expiresAt: string | null;

package/dist/data-access/runtime/apps.d.ts

@@ -5,12 +5,12 @@ import { AppInsert, AppSelect, AppUpdate } from "../../types/entities.js";
 
 //#region src/data-access/runtime/apps.d.ts
 declare const getAppById: (db: AgentsRunDatabaseClient) => (id: string) => Promise<{
+  type: AppType;
+  projectId: string | null;
+  tenantId: string | null;
   id: string;
   name: string;
   description: string | null;
-  tenantId: string | null;
-  projectId: string | null;
-  type: AppType;
   createdAt: string;
   updatedAt: string;
   enabled: boolean;
@@ -52,12 +52,12 @@ declare const listAppsPaginated: (db: AgentsRunDatabaseClient) => (params: {
   };
 }>;
 declare const createApp: (db: AgentsRunDatabaseClient) => (params: AppInsert) => Promise<{
+  type: AppType;
+  projectId: string | null;
+  tenantId: string | null;
   id: string;
   name: string;
   description: string | null;
-  tenantId: string | null;
-  projectId: string | null;
-  type: AppType;
   createdAt: string;
   updatedAt: string;
   enabled: boolean;

package/dist/data-access/runtime/auth.d.ts

@@ -5,14 +5,14 @@ declare const getInitialOrganization: (db: AgentsRunDatabaseClient) => (userId:
   id: string;
 } | null>;
 declare const queryHasCredentialAccount: (db: AgentsRunDatabaseClient) => (userId: string) => Promise<boolean>;
-interface SSOProviderRegistration {
-  providerId: string;
+declare const querySsoProviderIssuers: (db: AgentsRunDatabaseClient) => () => Promise<{
   issuer: string;
-  domain: string;
-  organizationId?: string;
-  oidcConfig?: object;
-  samlConfig?: object;
-}
-declare const registerSSOProvider: (db: AgentsRunDatabaseClient) => (provider: SSOProviderRegistration) => Promise<void>;
+}[]>;
+declare const querySsoProviderIds: (db: AgentsRunDatabaseClient) => () => Promise<string[]>;
+declare const queryOrgAllowedAuthMethods: (db: AgentsRunDatabaseClient) => (orgId: string) => Promise<{
+  allowedAuthMethods: string | null;
+} | undefined>;
+declare const queryMemberExists: (db: AgentsRunDatabaseClient) => (userId: string, organizationId: string) => Promise<boolean>;
+declare const queryPendingInvitationExists: (db: AgentsRunDatabaseClient) => (email: string, organizationId: string) => Promise<boolean>;
 //#endregion
-export { SSOProviderRegistration, getInitialOrganization, queryHasCredentialAccount, registerSSOProvider };
+export { getInitialOrganization, queryHasCredentialAccount, queryMemberExists, queryOrgAllowedAuthMethods, queryPendingInvitationExists, querySsoProviderIds, querySsoProviderIssuers };

package/dist/data-access/runtime/auth.js

@@ -1,6 +1,4 @@
-import { account, member, ssoProvider } from "../../auth/auth-schema.js";
-import { generateId } from "../../utils/conversations.js";
-import "../../utils/index.js";
+import { account, invitation, member, organization, ssoProvider } from "../../auth/auth-schema.js";
 import { and, eq } from "drizzle-orm";
 
 //#region src/data-access/runtime/auth.ts
@@ -12,24 +10,24 @@ const queryHasCredentialAccount = (db) => async (userId) => {
 	const [row] = await db.select({ id: account.id }).from(account).where(and(eq(account.userId, userId), eq(account.providerId, "credential"))).limit(1);
 	return !!row;
 };
-const registerSSOProvider = (db) => async (provider) => {
-	try {
-		if ((await db.select().from(ssoProvider).where(eq(ssoProvider.providerId, provider.providerId)).limit(1)).length > 0) return;
-		if (!provider.domain) throw new Error(`SSO provider '${provider.providerId}' must have a domain`);
-		await db.insert(ssoProvider).values({
-			id: generateId(),
-			providerId: provider.providerId,
-			issuer: provider.issuer,
-			domain: provider.domain,
-			oidcConfig: provider.oidcConfig ? JSON.stringify(provider.oidcConfig) : null,
-			samlConfig: provider.samlConfig ? JSON.stringify(provider.samlConfig) : null,
-			userId: null,
-			organizationId: provider.organizationId || null
-		});
-	} catch (error) {
-		console.error(`❌ Failed to register SSO provider '${provider.providerId}':`, error);
-	}
+const querySsoProviderIssuers = (db) => async () => {
+	return db.select({ issuer: ssoProvider.issuer }).from(ssoProvider);
+};
+const querySsoProviderIds = (db) => async () => {
+	return (await db.select({ providerId: ssoProvider.providerId }).from(ssoProvider)).map((r) => r.providerId);
+};
+const queryOrgAllowedAuthMethods = (db) => async (orgId) => {
+	const [org] = await db.select({ allowedAuthMethods: organization.allowedAuthMethods }).from(organization).where(eq(organization.id, orgId)).limit(1);
+	return org;
+};
+const queryMemberExists = (db) => async (userId, organizationId) => {
+	const [row] = await db.select({ id: member.id }).from(member).where(and(eq(member.userId, userId), eq(member.organizationId, organizationId))).limit(1);
+	return !!row;
+};
+const queryPendingInvitationExists = (db) => async (email, organizationId) => {
+	const [row] = await db.select({ id: invitation.id }).from(invitation).where(and(eq(invitation.email, email), eq(invitation.organizationId, organizationId), eq(invitation.status, "pending"))).limit(1);
+	return !!row;
 };
 
 //#endregion
-export { getInitialOrganization, queryHasCredentialAccount, registerSSOProvider };
+export { getInitialOrganization, queryHasCredentialAccount, queryMemberExists, queryOrgAllowedAuthMethods, queryPendingInvitationExists, querySsoProviderIds, querySsoProviderIssuers };

package/dist/data-access/runtime/conversations.d.ts

@@ -16,20 +16,20 @@ declare const listConversations: (db: AgentsRunDatabaseClient) => (params: {
   total: number;
 }>;
 declare const createConversation: (db: AgentsRunDatabaseClient) => (params: ConversationInsert) => Promise<{
-  id: string;
-  tenantId: string;
-  projectId: string;
   agentId: string | null;
+  projectId: string;
+  tenantId: string;
+  userId: string | null;
+  id: string;
   title: string | null;
   createdAt: string;
   updatedAt: string;
   metadata: ConversationMetadata | null;
   ref: {
-    type: "commit" | "tag" | "branch";
+    type: "tag" | "commit" | "branch";
     name: string;
     hash: string;
   } | null;
-  userId: string | null;
   activeSubAgentId: string;
   lastContextResolution: string | null;
 }>;
@@ -44,7 +44,7 @@ declare const updateConversation: (db: AgentsRunDatabaseClient) => (params: {
   agentId: string | null;
   activeSubAgentId: string;
   ref: {
-    type: "commit" | "tag" | "branch";
+    type: "tag" | "commit" | "branch";
     name: string;
     hash: string;
   } | null;
@@ -70,7 +70,7 @@ declare const updateConversationActiveSubAgent: (db: AgentsRunDatabaseClient) =>
   agentId: string | null;
   activeSubAgentId: string;
   ref: {
-    type: "commit" | "tag" | "branch";
+    type: "tag" | "commit" | "branch";
     name: string;
     hash: string;
   } | null;
@@ -85,20 +85,20 @@ declare const getConversation: (db: AgentsRunDatabaseClient) => (params: {
   scopes: ProjectScopeConfig;
   conversationId: string;
 }) => Promise<{
-  id: string;
-  tenantId: string;
-  projectId: string;
   agentId: string | null;
+  projectId: string;
+  tenantId: string;
+  userId: string | null;
+  id: string;
   title: string | null;
   createdAt: string;
   updatedAt: string;
   metadata: ConversationMetadata | null;
   ref: {
-    type: "commit" | "tag" | "branch";
+    type: "tag" | "commit" | "branch";
     name: string;
     hash: string;
   } | null;
-  userId: string | null;
   activeSubAgentId: string;
   lastContextResolution: string | null;
 } | undefined>;
@@ -108,7 +108,7 @@ declare const createOrGetConversation: (db: AgentsRunDatabaseClient) => (input:
   tenantId: string;
   id: string;
   ref: {
-    type: "commit" | "tag" | "branch";
+    type: "tag" | "commit" | "branch";
     name: string;
     hash: string;
   };
@@ -121,20 +121,20 @@ declare const createOrGetConversation: (db: AgentsRunDatabaseClient) => (input:
   metadata?: ConversationMetadata | null | undefined;
   contextConfigId?: string | undefined;
 } | {
-  id: string;
-  tenantId: string;
-  projectId: string;
   agentId: string | null;
+  projectId: string;
+  tenantId: string;
+  userId: string | null;
+  id: string;
   title: string | null;
   createdAt: string;
   updatedAt: string;
   metadata: ConversationMetadata | null;
   ref: {
-    type: "commit" | "tag" | "branch";
+    type: "tag" | "commit" | "branch";
     name: string;
     hash: string;
   } | null;
-  userId: string | null;
   activeSubAgentId: string;
   lastContextResolution: string | null;
 }>;
@@ -153,20 +153,20 @@ declare const getActiveAgentForConversation: (db: AgentsRunDatabaseClient) => (p
   scopes: ProjectScopeConfig;
   conversationId: string;
 }) => Promise<{
-  id: string;
-  tenantId: string;
-  projectId: string;
   agentId: string | null;
+  projectId: string;
+  tenantId: string;
+  userId: string | null;
+  id: string;
   title: string | null;
   createdAt: string;
   updatedAt: string;
   metadata: ConversationMetadata | null;
   ref: {
-    type: "commit" | "tag" | "branch";
+    type: "tag" | "commit" | "branch";
     name: string;
     hash: string;
   } | null;
-  userId: string | null;
   activeSubAgentId: string;
   lastContextResolution: string | null;
 } | undefined>;

package/dist/data-access/runtime/messages.d.ts

@@ -10,9 +10,9 @@ declare const getMessageById: (db: AgentsRunDatabaseClient) => (params: {
   scopes: ProjectScopeConfig;
   messageId: string;
 }) => Promise<{
-  id: string;
-  tenantId: string;
   projectId: string;
+  tenantId: string;
+  id: string;
   createdAt: string;
   updatedAt: string;
   metadata: MessageMetadata | null;
@@ -144,9 +144,9 @@ declare const createMessage: (db: AgentsRunDatabaseClient) => (params: {
   scopes: ProjectScopeConfig;
   data: Omit<MessageInsert, "tenantId" | "projectId">;
 }) => Promise<{
-  id: string;
-  tenantId: string;
   projectId: string;
+  tenantId: string;
+  id: string;
   createdAt: string;
   updatedAt: string;
   metadata: MessageMetadata | null;
@@ -197,9 +197,9 @@ declare const deleteMessage: (db: AgentsRunDatabaseClient) => (params: {
   scopes: ProjectScopeConfig;
   messageId: string;
 }) => Promise<{
-  id: string;
-  tenantId: string;
   projectId: string;
+  tenantId: string;
+  id: string;
   createdAt: string;
   updatedAt: string;
   metadata: MessageMetadata | null;

package/dist/data-access/runtime/organizations.d.ts

@@ -1,4 +1,5 @@
 import { AgentsRunDatabaseClient } from "../../db/runtime/runtime-client.js";
+import { AllowedAuthMethod, MethodOption, OrgAuthInfo } from "../../auth/auth-types.js";
 import { UserOrganization } from "../../auth/auth-validation-schemas.js";
 
 //#region src/data-access/runtime/organizations.d.ts
@@ -39,6 +40,7 @@ declare const addUserToOrganization: (db: AgentsRunDatabaseClient) => (data: {
   userId: string;
   organizationId: string;
   role: string;
+  isServiceAccount?: boolean;
 }) => Promise<void>;
 declare const upsertOrganization: (db: AgentsRunDatabaseClient) => (data: {
   organizationId: string;
@@ -55,19 +57,41 @@ interface UserProviderInfo {
 }
 /**
  * Get authentication providers for a list of users.
- * Returns which providers each user has linked (e.g., 'credential', 'google', 'auth0').
+ * Returns which providers each user has linked (e.g., 'credential', 'google').
  */
 declare const getUserProvidersFromDb: (db: AgentsRunDatabaseClient) => (userIds: string[]) => Promise<UserProviderInfo[]>;
+declare const getAllowedAuthMethods: (db: AgentsRunDatabaseClient) => (organizationId: string) => Promise<AllowedAuthMethod[]>;
 /**
- * Create an invitation directly in db
- * Used when shouldAllowJoinFromWorkspace is enabled for a work_app_slack_workspaces
+ * Create an invitation directly in db.
+ * Accepts an optional explicit authMethod; defaults to email-password.
  */
 declare const createInvitationInDb: (db: AgentsRunDatabaseClient) => (data: {
   organizationId: string;
   email: string;
+  authMethod?: string;
 }) => Promise<{
   id: string;
   authMethod: string;
 }>;
+interface SSOProviderLookupResult {
+  providerId: string;
+  issuer: string;
+  domain: string;
+  organizationId: string | null;
+  providerType: 'oidc' | 'saml';
+}
+declare const getSSOProvidersByDomain: (db: AgentsRunDatabaseClient) => (domain: string) => Promise<SSOProviderLookupResult[]>;
+/**
+ * Filters org-allowed auth methods by email domain.
+ * SSO providers are only included if their domain matches the user's email domain.
+ * Non-SSO methods (email-password, google) pass through unfiltered.
+ */
+declare const getFilteredAuthMethodsForEmail: (db: AgentsRunDatabaseClient) => (organizationId: string, email: string) => Promise<MethodOption[]>;
+declare function allowedMethodsToMethodOptions(methods: AllowedAuthMethod[], ssoProviders: SSOProviderLookupResult[]): MethodOption[];
+/**
+ * Main auth-lookup query for the login flow.
+ * Returns org-grouped methods based on SSO domain match and/or user org membership.
+ */
+declare const getAuthLookupForEmail: (db: AgentsRunDatabaseClient) => (email: string) => Promise<OrgAuthInfo[]>;
 //#endregion
-export { UserProviderInfo, addUserToOrganization, createInvitationInDb, getPendingInvitationsByEmail, getUserOrganizationsFromDb, getUserProvidersFromDb, upsertOrganization };
+export { type MethodOption, type OrgAuthInfo, SSOProviderLookupResult, UserProviderInfo, addUserToOrganization, allowedMethodsToMethodOptions, createInvitationInDb, getAllowedAuthMethods, getAuthLookupForEmail, getFilteredAuthMethodsForEmail, getPendingInvitationsByEmail, getSSOProvidersByDomain, getUserOrganizationsFromDb, getUserProvidersFromDb, upsertOrganization };

package/dist/data-access/runtime/organizations.js

@@ -1,4 +1,5 @@
-import { account, invitation, member, organization } from "../../auth/auth-schema.js";
+import { account, invitation, member, organization, ssoProvider, user } from "../../auth/auth-schema.js";
+import { parseAllowedAuthMethods } from "../../auth/auth-types.js";
 import { and, desc, eq, inArray, or } from "drizzle-orm";
 import { generateId } from "better-auth";
 
@@ -51,7 +52,10 @@ const getPendingInvitationsByEmail = (db) => async (email) => {
 */
 const addUserToOrganization = (db) => async (data) => {
 	if ((await db.select().from(organization).where(eq(organization.id, data.organizationId)).limit(1)).length === 0) throw new Error(`Organization ${data.organizationId} does not exist`);
-	if ((await db.select().from(member).where(and(eq(member.userId, data.userId), eq(member.organizationId, data.organizationId))).limit(1)).length > 0) return;
+	if ((await db.select().from(member).where(and(eq(member.userId, data.userId), eq(member.organizationId, data.organizationId))).limit(1)).length > 0) {
+		if (data.isServiceAccount) await db.update(organization).set({ serviceAccountUserId: data.userId }).where(eq(organization.id, data.organizationId));
+		return;
+	}
 	await db.insert(member).values({
 		id: `${data.userId}_${data.organizationId}`,
 		userId: data.userId,
@@ -59,6 +63,7 @@ const addUserToOrganization = (db) => async (data) => {
 		role: data.role,
 		createdAt: /* @__PURE__ */ new Date()
 	});
+	if (data.isServiceAccount) await db.update(organization).set({ serviceAccountUserId: data.userId }).where(eq(organization.id, data.organizationId));
 };
 const upsertOrganization = (db) => async (data) => {
 	if ((await db.select().from(organization).where(or(eq(organization.id, data.organizationId), eq(organization.slug, data.slug))).limit(1)).length > 0) return { created: false };
@@ -74,7 +79,7 @@ const upsertOrganization = (db) => async (data) => {
 };
 /**
 * Get authentication providers for a list of users.
-* Returns which providers each user has linked (e.g., 'credential', 'google', 'auth0').
+* Returns which providers each user has linked (e.g., 'credential', 'google').
 */
 const getUserProvidersFromDb = (db) => async (userIds) => {
 	if (userIds.length === 0) return [];
@@ -93,17 +98,23 @@ const getUserProvidersFromDb = (db) => async (userIds) => {
 		providers: providerMap.get(userId) || []
 	}));
 };
+const getAllowedAuthMethods = (db) => async (organizationId) => {
+	const org = (await db.select({ allowedAuthMethods: organization.allowedAuthMethods }).from(organization).where(eq(organization.id, organizationId)).limit(1))[0];
+	if (!org) return [{ method: "email-password" }];
+	return parseAllowedAuthMethods(org.allowedAuthMethods);
+};
 /**
-* Create an invitation directly in db
-* Used when shouldAllowJoinFromWorkspace is enabled for a work_app_slack_workspaces
+* Create an invitation directly in db.
+* Accepts an optional explicit authMethod; defaults to email-password.
 */
 const createInvitationInDb = (db) => async (data) => {
 	const orgSettings = (await db.select({
 		serviceAccountUserId: organization.serviceAccountUserId,
+		allowedAuthMethods: organization.allowedAuthMethods,
 		preferredAuthMethod: organization.preferredAuthMethod
 	}).from(organization).where(eq(organization.id, data.organizationId)).limit(1))[0];
 	if (!orgSettings?.serviceAccountUserId) throw new Error(`Organization ${data.organizationId} does not have a serviceAccountUserId configured`);
-	if (!orgSettings?.preferredAuthMethod) throw new Error(`Organization ${data.organizationId} does not have a preferredAuthMethod configured`);
+	const resolvedMethod = data.authMethod || orgSettings.preferredAuthMethod || "email-password";
 	const inviteId = generateId();
 	const expiresAt = new Date(Date.now() + 3600 * 1e3);
 	await db.insert(invitation).values({
@@ -114,13 +125,124 @@ const createInvitationInDb = (db) => async (data) => {
 		status: "pending",
 		expiresAt,
 		inviterId: orgSettings.serviceAccountUserId,
-		authMethod: orgSettings.preferredAuthMethod
+		authMethod: resolvedMethod
 	});
 	return {
 		id: inviteId,
-		authMethod: orgSettings.preferredAuthMethod
+		authMethod: resolvedMethod
 	};
 };
+const getSSOProvidersByDomain = (db) => async (domain) => {
+	return (await db.select({
+		providerId: ssoProvider.providerId,
+		issuer: ssoProvider.issuer,
+		domain: ssoProvider.domain,
+		organizationId: ssoProvider.organizationId,
+		oidcConfig: ssoProvider.oidcConfig,
+		samlConfig: ssoProvider.samlConfig
+	}).from(ssoProvider).where(eq(ssoProvider.domain, domain))).map((provider) => ({
+		providerId: provider.providerId,
+		issuer: provider.issuer,
+		domain: provider.domain,
+		organizationId: provider.organizationId,
+		providerType: provider.samlConfig ? "saml" : "oidc"
+	}));
+};
+/**
+* Filters org-allowed auth methods by email domain.
+* SSO providers are only included if their domain matches the user's email domain.
+* Non-SSO methods (email-password, google) pass through unfiltered.
+*/
+const getFilteredAuthMethodsForEmail = (db) => async (organizationId, email) => {
+	const emailDomain = email.split("@")[1]?.toLowerCase();
+	if (!emailDomain) return [];
+	const [allowed, domainProviders] = await Promise.all([getAllowedAuthMethods(db)(organizationId), getSSOProvidersByDomain(db)(emailDomain)]);
+	return allowedMethodsToMethodOptions(allowed, domainProviders.filter((p) => p.organizationId === organizationId));
+};
+function allowedMethodsToMethodOptions(methods, ssoProviders) {
+	const options = [];
+	for (const m of methods) if (m.method === "email-password") options.push({ method: "email-password" });
+	else if (m.method === "google") options.push({ method: "google" });
+	else if (m.method === "sso") {
+		if (!m.enabled) continue;
+		const provider = ssoProviders.find((p) => p.providerId === m.providerId);
+		if (!provider) continue;
+		options.push({
+			method: "sso",
+			providerId: m.providerId,
+			providerType: provider.providerType,
+			displayName: m.displayName
+		});
+	}
+	return options;
+}
+/**
+* Main auth-lookup query for the login flow.
+* Returns org-grouped methods based on SSO domain match and/or user org membership.
+*/
+const getAuthLookupForEmail = (db) => async (email) => {
+	const emailDomain = email.split("@")[1]?.toLowerCase();
+	if (!emailDomain) return [];
+	const orgMap = /* @__PURE__ */ new Map();
+	const domainProviders = await getSSOProvidersByDomain(db)(emailDomain);
+	const orgIdsFromSSO = [...new Set(domainProviders.map((p) => p.organizationId).filter(Boolean))];
+	for (const orgId of orgIdsFromSSO) {
+		const org = (await db.select({
+			id: organization.id,
+			name: organization.name,
+			slug: organization.slug,
+			allowedAuthMethods: organization.allowedAuthMethods,
+			preferredAuthMethod: organization.preferredAuthMethod
+		}).from(organization).where(eq(organization.id, orgId)).limit(1))[0];
+		if (!org) continue;
+		const allowed = parseAllowedAuthMethods(org.allowedAuthMethods);
+		const orgSSO = domainProviders.filter((p) => p.organizationId === orgId);
+		orgMap.set(orgId, {
+			organizationId: org.id,
+			organizationName: org.name,
+			organizationSlug: org.slug,
+			methods: allowedMethodsToMethodOptions(allowed, orgSSO)
+		});
+	}
+	const userRow = await db.select({ id: user.id }).from(user).where(eq(user.email, email.toLowerCase())).limit(1);
+	if (userRow[0]) {
+		const memberships = await db.select({
+			organizationId: member.organizationId,
+			orgName: organization.name,
+			orgSlug: organization.slug,
+			allowedAuthMethods: organization.allowedAuthMethods,
+			preferredAuthMethod: organization.preferredAuthMethod
+		}).from(member).innerJoin(organization, eq(member.organizationId, organization.id)).where(eq(member.userId, userRow[0].id));
+		for (const m of memberships) {
+			if (orgMap.has(m.organizationId)) continue;
+			const allowed = parseAllowedAuthMethods(m.allowedAuthMethods);
+			const orgSSO = domainProviders.filter((p) => p.organizationId === m.organizationId);
+			orgMap.set(m.organizationId, {
+				organizationId: m.organizationId,
+				organizationName: m.orgName,
+				organizationSlug: m.orgSlug,
+				methods: allowedMethodsToMethodOptions(allowed, orgSSO)
+			});
+		}
+		const serviceAccountOrgs = await db.select({
+			id: organization.id,
+			name: organization.name,
+			slug: organization.slug
+		}).from(organization).where(eq(organization.serviceAccountUserId, userRow[0].id));
+		for (const org of serviceAccountOrgs) {
+			const existing = orgMap.get(org.id);
+			if (existing) {
+				if (!existing.methods.some((m) => m.method === "email-password")) existing.methods.unshift({ method: "email-password" });
+			} else orgMap.set(org.id, {
+				organizationId: org.id,
+				organizationName: org.name,
+				organizationSlug: org.slug,
+				methods: [{ method: "email-password" }]
+			});
+		}
+	}
+	return [...orgMap.values()];
+};
 
 //#endregion
-export { addUserToOrganization, createInvitationInDb, getPendingInvitationsByEmail, getUserOrganizationsFromDb, getUserProvidersFromDb, upsertOrganization };
+export { addUserToOrganization, allowedMethodsToMethodOptions, createInvitationInDb, getAllowedAuthMethods, getAuthLookupForEmail, getFilteredAuthMethodsForEmail, getPendingInvitationsByEmail, getSSOProvidersByDomain, getUserOrganizationsFromDb, getUserProvidersFromDb, upsertOrganization };

package/dist/data-access/runtime/scheduledTriggerInvocations.d.ts

@@ -35,11 +35,11 @@ declare const listScheduledTriggerInvocationsPaginated: (db: AgentsRunDatabaseCl
   data: {
     scheduledTriggerId: string;
     ref: {
-      type: "commit" | "tag" | "branch";
+      type: "tag" | "commit" | "branch";
       name: string;
       hash: string;
     } | null;
-    status: "pending" | "failed" | "running" | "completed" | "cancelled";
+    status: "pending" | "running" | "completed" | "failed" | "cancelled";
     scheduledFor: string;
     startedAt: string | null;
     completedAt: string | null;
@@ -180,11 +180,11 @@ declare const listUpcomingInvocationsForAgentPaginated: (db: AgentsRunDatabaseCl
   data: {
     scheduledTriggerId: string;
     ref: {
-      type: "commit" | "tag" | "branch";
+      type: "tag" | "commit" | "branch";
       name: string;
       hash: string;
     } | null;
-    status: "pending" | "failed" | "running" | "completed" | "cancelled";
+    status: "pending" | "running" | "completed" | "failed" | "cancelled";
     scheduledFor: string;
     startedAt: string | null;
     completedAt: string | null;
@@ -219,11 +219,11 @@ declare const listProjectScheduledTriggerInvocationsPaginated: (db: AgentsRunDat
   data: {
     scheduledTriggerId: string;
     ref: {
-      type: "commit" | "tag" | "branch";
+      type: "tag" | "commit" | "branch";
       name: string;
       hash: string;
     } | null;
-    status: "pending" | "failed" | "running" | "completed" | "cancelled";
+    status: "pending" | "running" | "completed" | "failed" | "cancelled";
     scheduledFor: string;
     startedAt: string | null;
     completedAt: string | null;

package/dist/data-access/runtime/tasks.d.ts

@@ -7,20 +7,20 @@ import { TaskInsert, TaskSelect } from "../../types/entities.js";
 
 //#region src/data-access/runtime/tasks.d.ts
 declare const createTask: (db: AgentsRunDatabaseClient) => (params: TaskInsert) => Promise<{
-  id: string;
-  tenantId: string;
-  projectId: string;
   agentId: string;
+  projectId: string;
+  tenantId: string;
+  id: string;
   createdAt: string;
   updatedAt: string;
   metadata: TaskMetadataConfig | null;
+  subAgentId: string;
+  status: string;
   ref: {
-    type: "commit" | "tag" | "branch";
+    type: "tag" | "commit" | "branch";
     name: string;
     hash: string;
   } | null;
-  status: string;
-  subAgentId: string;
   contextId: string;
 }>;
 declare const getTask: (db: AgentsRunDatabaseClient) => (params: {
@@ -39,7 +39,7 @@ declare const updateTask: (db: AgentsRunDatabaseClient) => (params: {
   updatedAt: string;
   contextId: string;
   ref: {
-    type: "commit" | "tag" | "branch";
+    type: "tag" | "commit" | "branch";
     name: string;
     hash: string;
   } | null;

package/dist/data-access/runtime/triggerInvocations.d.ts

@@ -29,7 +29,7 @@ declare const listTriggerInvocationsPaginated: (db: AgentsRunDatabaseClient) =>
     triggerId: string;
     conversationId: string | null;
     ref: {
-      type: "commit" | "tag" | "branch";
+      type: "tag" | "commit" | "branch";
       name: string;
       hash: string;
     } | null;