@inkeep/agents-core 0.41.1 → 0.42.0

package/dist/auth/auth.d.ts

@@ -1,4 +1,4 @@
-import { DatabaseClient } from "../db/client.js";
+import { AgentsRunDatabaseClient } from "../db/runtime/runtime-client.js";
 import * as _better_auth_sso0 from "@better-auth/sso";
 import * as better_auth0 from "better-auth";
 import { BetterAuthAdvancedOptions } from "better-auth";
@@ -56,7 +56,7 @@ interface SSOProviderConfig {
 interface BetterAuthConfig {
   baseURL: string;
   secret: string;
-  dbClient: DatabaseClient;
+  dbClient: AgentsRunDatabaseClient;
   ssoProviders?: SSOProviderConfig[];
   socialProviders?: {
     google?: GoogleOptions;
@@ -81,6 +81,40 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
     requireEmailVerification: false;
     autoSignIn: true;
   };
+  account: {
+    accountLinking: {
+      enabled: true;
+      trustedProviders: ("google" | "email-password" | "auth0")[];
+    };
+  };
+  databaseHooks: {
+    session: {
+      create: {
+        before: (session: {
+          id: string;
+          createdAt: Date;
+          updatedAt: Date;
+          userId: string;
+          expiresAt: Date;
+          token: string;
+          ipAddress?: string | null | undefined;
+          userAgent?: string | null | undefined;
+        } & Record<string, unknown>) => Promise<{
+          data: {
+            activeOrganizationId: string | null;
+            id: string;
+            createdAt: Date;
+            updatedAt: Date;
+            userId: string;
+            expiresAt: Date;
+            token: string;
+            ipAddress?: string | null | undefined;
+            userAgent?: string | null | undefined;
+          };
+        }>;
+      };
+    };
+  };
   socialProviders: {
     google: {
       redirectURI?: string | undefined;
@@ -818,25 +852,25 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
       ac: better_auth_plugins0.AccessControl;
       roles: {
         member: {
-          authorize<K_1 extends "function" | "organization" | "agent" | "project" | "tool" | "invitation" | "member" | "credential" | "ac" | "sub_agent" | "api_key" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "project" | "tool" | "invitation" | "member" | "credential" | "ac" | "sub_agent" | "api_key" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "project" | "tool" | "invitation" | "member" | "credential" | "ac" | "sub_agent" | "api_key" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "ac" | "member" | "project" | "team" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "project" | "tool" | "invitation" | "member" | "credential" | "ac" | "sub_agent" | "api_key" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>;
         };
         admin: {
-          authorize<K_1 extends "function" | "organization" | "agent" | "project" | "tool" | "invitation" | "member" | "credential" | "ac" | "sub_agent" | "api_key" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "project" | "tool" | "invitation" | "member" | "credential" | "ac" | "sub_agent" | "api_key" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "project" | "tool" | "invitation" | "member" | "credential" | "ac" | "sub_agent" | "api_key" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "ac" | "member" | "project" | "team" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "project" | "tool" | "invitation" | "member" | "credential" | "ac" | "sub_agent" | "api_key" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>;
         };
         owner: {
-          authorize<K_1 extends "function" | "organization" | "agent" | "project" | "tool" | "invitation" | "member" | "credential" | "ac" | "sub_agent" | "api_key" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "project" | "tool" | "invitation" | "member" | "credential" | "ac" | "sub_agent" | "api_key" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "project" | "tool" | "invitation" | "member" | "credential" | "ac" | "sub_agent" | "api_key" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "ac" | "member" | "project" | "team" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "project" | "tool" | "invitation" | "member" | "credential" | "ac" | "sub_agent" | "api_key" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>;
         };
       };
       membershipLimit: number;
@@ -852,6 +886,36 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
           user: better_auth0.User;
         };
       }): Promise<void>;
+      organizationHooks: {
+        afterAcceptInvitation: ({
+          member,
+          user,
+          organization: org
+        }: {
+          invitation: better_auth_plugins0.Invitation & Record<string, any>;
+          member: better_auth_plugins0.Member & Record<string, any>;
+          user: better_auth0.User & Record<string, any>;
+          organization: better_auth_plugins0.Organization & Record<string, any>;
+        }) => Promise<void>;
+        afterUpdateMemberRole: ({
+          member,
+          organization: org,
+          previousRole
+        }: {
+          member: better_auth_plugins0.Member & Record<string, any>;
+          previousRole: string;
+          user: better_auth0.User & Record<string, any>;
+          organization: better_auth_plugins0.Organization & Record<string, any>;
+        }) => Promise<void>;
+        afterRemoveMember: ({
+          member,
+          organization: org
+        }: {
+          member: better_auth_plugins0.Member & Record<string, any>;
+          user: better_auth0.User & Record<string, any>;
+          organization: better_auth_plugins0.Organization & Record<string, any>;
+        }) => Promise<void>;
+      };
     }>;
     schema: {
       organization: {
@@ -1097,25 +1161,25 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
       ac: better_auth_plugins0.AccessControl;
       roles: {
         member: {
-          authorize<K_1 extends "function" | "organization" | "agent" | "project" | "tool" | "invitation" | "member" | "credential" | "ac" | "sub_agent" | "api_key" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "project" | "tool" | "invitation" | "member" | "credential" | "ac" | "sub_agent" | "api_key" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "project" | "tool" | "invitation" | "member" | "credential" | "ac" | "sub_agent" | "api_key" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "ac" | "member" | "project" | "team" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "project" | "tool" | "invitation" | "member" | "credential" | "ac" | "sub_agent" | "api_key" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>;
         };
         admin: {
-          authorize<K_1 extends "function" | "organization" | "agent" | "project" | "tool" | "invitation" | "member" | "credential" | "ac" | "sub_agent" | "api_key" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "project" | "tool" | "invitation" | "member" | "credential" | "ac" | "sub_agent" | "api_key" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "project" | "tool" | "invitation" | "member" | "credential" | "ac" | "sub_agent" | "api_key" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "ac" | "member" | "project" | "team" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "project" | "tool" | "invitation" | "member" | "credential" | "ac" | "sub_agent" | "api_key" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>;
         };
         owner: {
-          authorize<K_1 extends "function" | "organization" | "agent" | "project" | "tool" | "invitation" | "member" | "credential" | "ac" | "sub_agent" | "api_key" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "project" | "tool" | "invitation" | "member" | "credential" | "ac" | "sub_agent" | "api_key" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "project" | "tool" | "invitation" | "member" | "credential" | "ac" | "sub_agent" | "api_key" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "ac" | "member" | "project" | "team" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"function" | "organization" | "agent" | "project" | "tool" | "invitation" | "member" | "credential" | "ac" | "sub_agent" | "api_key" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>;
         };
       };
       membershipLimit: number;
@@ -1131,6 +1195,36 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
           user: better_auth0.User;
         };
       }): Promise<void>;
+      organizationHooks: {
+        afterAcceptInvitation: ({
+          member,
+          user,
+          organization: org
+        }: {
+          invitation: better_auth_plugins0.Invitation & Record<string, any>;
+          member: better_auth_plugins0.Member & Record<string, any>;
+          user: better_auth0.User & Record<string, any>;
+          organization: better_auth_plugins0.Organization & Record<string, any>;
+        }) => Promise<void>;
+        afterUpdateMemberRole: ({
+          member,
+          organization: org,
+          previousRole
+        }: {
+          member: better_auth_plugins0.Member & Record<string, any>;
+          previousRole: string;
+          user: better_auth0.User & Record<string, any>;
+          organization: better_auth_plugins0.Organization & Record<string, any>;
+        }) => Promise<void>;
+        afterRemoveMember: ({
+          member,
+          organization: org
+        }: {
+          member: better_auth_plugins0.Member & Record<string, any>;
+          user: better_auth0.User & Record<string, any>;
+          organization: better_auth_plugins0.Organization & Record<string, any>;
+        }) => Promise<void>;
+      };
     }>;
   }, {
     id: "device-authorization";

package/dist/auth/auth.js

@@ -1,4 +1,4 @@
-import { ssoProvider } from "./auth-schema.js";
+import { member, ssoProvider } from "./auth-schema.js";
 import { env } from "../env.js";
 import { generateId } from "../utils/conversations.js";
 import "../utils/index.js";
@@ -11,6 +11,15 @@ import { bearer, deviceAuthorization, oAuthProxy, organization } from "better-au
 
 //#region src/auth/auth.ts
 /**
+* Get the user's initial organization for a new session.
+* Returns the oldest organization the user is a member of.
+* See: https://www.better-auth.com/docs/plugins/organization#active-organization
+*/
+async function getInitialOrganization(dbClient, userId) {
+	const [membership] = await dbClient.select({ organizationId: member.organizationId }).from(member).where(eq(member.userId, userId)).orderBy(member.createdAt).limit(1);
+	return membership ? { id: membership.organizationId } : null;
+}
+/**
 * Extracts the root domain from a URL for cross-subdomain cookie sharing.
 * For example:
 * - https://manage-api.pilot.inkeep.com -> .pilot.inkeep.com
@@ -67,6 +76,21 @@ function createAuth(config) {
 			requireEmailVerification: false,
 			autoSignIn: true
 		},
+		account: { accountLinking: {
+			enabled: true,
+			trustedProviders: [
+				"auth0",
+				"google",
+				"email-password"
+			]
+		} },
+		databaseHooks: { session: { create: { before: async (session) => {
+			const organization$1 = await getInitialOrganization(config.dbClient, session.userId);
+			return { data: {
+				...session,
+				activeOrganizationId: organization$1?.id ?? null
+			} };
+		} } } },
 		socialProviders: config.socialProviders?.google && { google: {
 			...config.socialProviders.google,
 			...env.OAUTH_PROXY_PRODUCTION_URL && { redirectURI: `${env.OAUTH_PROXY_PRODUCTION_URL}/api/auth/callback/google` }
@@ -98,7 +122,7 @@ function createAuth(config) {
 			"http://localhost:3000",
 			"http://localhost:3002",
 			env.INKEEP_AGENTS_MANAGE_UI_URL,
-			env.INKEEP_AGENTS_MANAGE_API_URL,
+			env.INKEEP_AGENTS_API_URL,
 			env.TRUSTED_ORIGIN
 		].filter((origin) => typeof origin === "string" && origin.length > 0),
 		plugins: [
@@ -123,6 +147,52 @@ function createAuth(config) {
 						organization: data.organization.name,
 						invitationId: data.id
 					});
+				},
+				organizationHooks: {
+					afterAcceptInvitation: async ({ member: member$1, user, organization: org }) => {
+						try {
+							const { syncOrgMemberToSpiceDb } = await import("./authz/sync.js");
+							await syncOrgMemberToSpiceDb({
+								tenantId: org.id,
+								userId: user.id,
+								role: member$1.role,
+								action: "add"
+							});
+							console.log(`🔐 SpiceDB: Synced member ${user.email} as ${member$1.role} to org ${org.name}`);
+						} catch (error) {
+							console.error("❌ SpiceDB sync failed for new member:", error);
+						}
+					},
+					afterUpdateMemberRole: async ({ member: member$1, organization: org, previousRole }) => {
+						try {
+							const { changeOrgRole } = await import("./authz/sync.js");
+							const oldRole = previousRole;
+							const newRole = member$1.role;
+							await changeOrgRole({
+								tenantId: org.id,
+								userId: member$1.userId,
+								oldRole,
+								newRole
+							});
+							console.log(`🔐 SpiceDB: Updated member ${member$1.userId} role from ${oldRole} to ${newRole} in org ${org.name}`);
+						} catch (error) {
+							console.error("❌ SpiceDB sync failed for role update:", error);
+						}
+					},
+					afterRemoveMember: async ({ member: member$1, organization: org }) => {
+						try {
+							const { syncOrgMemberToSpiceDb } = await import("./authz/sync.js");
+							await syncOrgMemberToSpiceDb({
+								tenantId: org.id,
+								userId: member$1.userId,
+								role: member$1.role,
+								action: "remove"
+							});
+							console.log(`🔐 SpiceDB: Removed member ${member$1.userId} from org ${org.name}`);
+						} catch (error) {
+							console.error("❌ SpiceDB sync failed for member removal:", error);
+						}
+					}
 				}
 			}),
 			deviceAuthorization({

package/dist/auth/authz/client.d.ts

@@ -0,0 +1,81 @@
+import { v1 } from "@authzed/authzed-node";
+
+//#region src/auth/authz/client.d.ts
+
+type ZedClientInterface = ReturnType<typeof v1.NewClient>;
+/**
+ * Get the SpiceDB client singleton.
+ * Creates a new client on first call.
+ */
+declare function getSpiceClient(): ZedClientInterface;
+/**
+ * Reset the client (useful for testing)
+ */
+declare function resetSpiceClient(): void;
+/**
+ * Check if a subject has a permission on a resource.
+ * Note: Caller must verify isAuthzEnabled(tenantId) before calling.
+ */
+declare function checkPermission(params: {
+  resourceType: string;
+  resourceId: string;
+  permission: string;
+  subjectType: string;
+  subjectId: string;
+}): Promise<boolean>;
+/**
+ * Check multiple permissions on a resource in a single request.
+ * More efficient than multiple checkPermission calls.
+ *
+ * @returns Record mapping permission names to boolean results
+ */
+declare function checkBulkPermissions(params: {
+  resourceType: string;
+  resourceId: string;
+  permissions: string[];
+  subjectType: string;
+  subjectId: string;
+}): Promise<Record<string, boolean>>;
+/**
+ * Find all resources of a type that a subject has a permission on.
+ */
+declare function lookupResources(params: {
+  resourceType: string;
+  permission: string;
+  subjectType: string;
+  subjectId: string;
+}): Promise<string[]>;
+/**
+ * Write a relationship to SpiceDB.
+ */
+declare function writeRelationship(params: {
+  resourceType: string;
+  resourceId: string;
+  relation: string;
+  subjectType: string;
+  subjectId: string;
+}): Promise<void>;
+/**
+ * Delete a relationship from SpiceDB.
+ */
+declare function deleteRelationship(params: {
+  resourceType: string;
+  resourceId: string;
+  relation: string;
+  subjectType: string;
+  subjectId: string;
+}): Promise<void>;
+/**
+ * Read relationships for a resource to list subjects with access.
+ */
+declare function readRelationships(params: {
+  resourceType: string;
+  resourceId: string;
+  relation?: string;
+}): Promise<Array<{
+  subjectType: string;
+  subjectId: string;
+  relation: string;
+}>>;
+//#endregion
+export { checkBulkPermissions, checkPermission, deleteRelationship, getSpiceClient, lookupResources, readRelationships, resetSpiceClient, v1, writeRelationship };

package/dist/auth/authz/client.js

@@ -0,0 +1,189 @@
+import { getSpiceDbConfig } from "./config.js";
+import { v1 } from "@authzed/authzed-node";
+
+//#region src/auth/authz/client.ts
+/**
+* SpiceDB Client Wrapper
+*
+* Provides a singleton SpiceDB client and helper functions for common operations.
+*/
+let client = null;
+/**
+* Get the SpiceDB client singleton.
+* Creates a new client on first call.
+*/
+function getSpiceClient() {
+	if (!client) {
+		const config = getSpiceDbConfig();
+		client = v1.NewClient(config.token, config.endpoint, config.tlsEnabled ? v1.ClientSecurity.SECURE : v1.ClientSecurity.INSECURE_LOCALHOST_ALLOWED);
+	}
+	return client;
+}
+/**
+* Reset the client (useful for testing)
+*/
+function resetSpiceClient() {
+	client = null;
+}
+const PERMISSIONSHIP_HAS_PERMISSION = 2;
+const RELATIONSHIP_OPERATION_CREATE = 1;
+/**
+* Check if a subject has a permission on a resource.
+* Note: Caller must verify isAuthzEnabled(tenantId) before calling.
+*/
+async function checkPermission(params) {
+	return (await getSpiceClient().promises.checkPermission({
+		resource: {
+			objectType: params.resourceType,
+			objectId: params.resourceId
+		},
+		permission: params.permission,
+		subject: {
+			object: {
+				objectType: params.subjectType,
+				objectId: params.subjectId
+			},
+			optionalRelation: ""
+		},
+		consistency: { requirement: {
+			oneofKind: "minimizeLatency",
+			minimizeLatency: true
+		} },
+		context: void 0,
+		withTracing: false
+	})).permissionship === PERMISSIONSHIP_HAS_PERMISSION;
+}
+/**
+* Check multiple permissions on a resource in a single request.
+* More efficient than multiple checkPermission calls.
+*
+* @returns Record mapping permission names to boolean results
+*/
+async function checkBulkPermissions(params) {
+	const spice = getSpiceClient();
+	const items = params.permissions.map((permission) => v1.CheckBulkPermissionsRequestItem.create({
+		resource: v1.ObjectReference.create({
+			objectType: params.resourceType,
+			objectId: params.resourceId
+		}),
+		permission,
+		subject: v1.SubjectReference.create({ object: v1.ObjectReference.create({
+			objectType: params.subjectType,
+			objectId: params.subjectId
+		}) })
+	}));
+	const response = await spice.promises.checkBulkPermissions(v1.CheckBulkPermissionsRequest.create({
+		items,
+		consistency: { requirement: {
+			oneofKind: "minimizeLatency",
+			minimizeLatency: true
+		} }
+	}));
+	const result = {};
+	for (let i = 0; i < params.permissions.length; i++) {
+		const permission = params.permissions[i];
+		const pair = response.pairs[i];
+		if (pair.response.oneofKind === "item") result[permission] = pair.response.item.permissionship === PERMISSIONSHIP_HAS_PERMISSION;
+		else result[permission] = false;
+	}
+	return result;
+}
+/**
+* Find all resources of a type that a subject has a permission on.
+*/
+async function lookupResources(params) {
+	return (await getSpiceClient().promises.lookupResources({
+		resourceObjectType: params.resourceType,
+		permission: params.permission,
+		subject: {
+			object: {
+				objectType: params.subjectType,
+				objectId: params.subjectId
+			},
+			optionalRelation: ""
+		},
+		consistency: { requirement: {
+			oneofKind: "minimizeLatency",
+			minimizeLatency: true
+		} },
+		context: void 0,
+		optionalLimit: 0,
+		optionalCursor: void 0
+	})).map((item) => item.resourceObjectId);
+}
+/**
+* Write a relationship to SpiceDB.
+*/
+async function writeRelationship(params) {
+	await getSpiceClient().promises.writeRelationships({
+		updates: [{
+			operation: RELATIONSHIP_OPERATION_CREATE,
+			relationship: {
+				resource: {
+					objectType: params.resourceType,
+					objectId: params.resourceId
+				},
+				relation: params.relation,
+				subject: {
+					object: {
+						objectType: params.subjectType,
+						objectId: params.subjectId
+					},
+					optionalRelation: ""
+				},
+				optionalCaveat: void 0
+			}
+		}],
+		optionalPreconditions: [],
+		optionalTransactionMetadata: void 0
+	});
+}
+/**
+* Delete a relationship from SpiceDB.
+*/
+async function deleteRelationship(params) {
+	await getSpiceClient().promises.deleteRelationships({
+		relationshipFilter: {
+			resourceType: params.resourceType,
+			optionalResourceId: params.resourceId,
+			optionalResourceIdPrefix: "",
+			optionalRelation: params.relation,
+			optionalSubjectFilter: {
+				subjectType: params.subjectType,
+				optionalSubjectId: params.subjectId,
+				optionalRelation: void 0
+			}
+		},
+		optionalPreconditions: [],
+		optionalLimit: 0,
+		optionalAllowPartialDeletions: false,
+		optionalTransactionMetadata: void 0
+	});
+}
+/**
+* Read relationships for a resource to list subjects with access.
+*/
+async function readRelationships(params) {
+	return (await getSpiceClient().promises.readRelationships({
+		relationshipFilter: {
+			resourceType: params.resourceType,
+			optionalResourceId: params.resourceId,
+			optionalResourceIdPrefix: "",
+			optionalRelation: params.relation || "",
+			optionalSubjectFilter: void 0
+		},
+		consistency: { requirement: {
+			oneofKind: "minimizeLatency",
+			minimizeLatency: true
+		} },
+		optionalLimit: 0,
+		optionalCursor: void 0
+	})).map((item) => ({
+		subjectType: item.relationship?.subject?.object?.objectType || "",
+		subjectId: item.relationship?.subject?.object?.objectId || "",
+		relation: item.relationship?.relation || ""
+	}));
+}
+
+//#endregion
+export { checkBulkPermissions, checkPermission, deleteRelationship, getSpiceClient, lookupResources, readRelationships, resetSpiceClient, v1, writeRelationship };

package/dist/auth/authz/config.d.ts

@@ -0,0 +1,76 @@
+//#region src/auth/authz/config.d.ts
+/**
+ * SpiceDB Authorization Configuration
+ *
+ * Feature flag and configuration for the SpiceDB authorization system.
+ */
+/**
+ * Check if authorization is enabled.
+ *
+ * When called without tenantId:
+ * - Returns true if ENABLE_AUTHZ=true
+ *
+ * When called with tenantId:
+ * - If ENABLE_AUTHZ=false → returns false
+ * - If ENABLE_AUTHZ=true and TENANT_ID is not set → returns true (all tenants)
+ * - If ENABLE_AUTHZ=true and TENANT_ID is set → returns true only if tenantId matches
+ */
+declare function isAuthzEnabled(tenantId: string): boolean;
+/**
+ * Get SpiceDB connection configuration from environment variables.
+ */
+declare function getSpiceDbConfig(): {
+  endpoint: string;
+  token: string;
+  tlsEnabled: boolean;
+};
+/**
+ * SpiceDB resource types used in the schema
+ */
+declare const SpiceDbResourceTypes: {
+  readonly USER: "user";
+  readonly ORGANIZATION: "organization";
+  readonly PROJECT: "project";
+};
+/**
+ * SpiceDB relations used in the schema
+ *
+ * Relations are named as nouns (roles) per SpiceDB best practices.
+ * Project roles are prefixed for clarity when debugging/grepping.
+ */
+declare const SpiceDbRelations: {
+  readonly OWNER: "owner";
+  readonly ADMIN: "admin";
+  readonly MEMBER: "member";
+  readonly ORGANIZATION: "organization";
+  readonly PROJECT_ADMIN: "project_admin";
+  readonly PROJECT_MEMBER: "project_member";
+  readonly PROJECT_VIEWER: "project_viewer";
+};
+/**
+ * SpiceDB permissions used in the schema
+ *
+ * Permissions are named as verbs (actions) per SpiceDB best practices.
+ */
+/**
+ * SpiceDB permissions used in permission checks.
+ *
+ * Note: Organization-level permissions (manage) are handled via
+ * orgRole bypass in permission functions, not direct SpiceDB checks.
+ */
+declare const SpiceDbPermissions: {
+  readonly VIEW: "view";
+  readonly USE: "use";
+  readonly EDIT: "edit";
+  readonly DELETE: "delete";
+};
+type OrgRole = 'owner' | 'admin' | 'member';
+/**
+ * Project roles hierarchy:
+ * - project_admin: Full access (view + use + edit + manage members + delete)
+ * - project_member: Operator access (view + use: invoke agents, create API keys)
+ * - project_viewer: Read-only access (view only)
+ */
+type ProjectRole = 'project_admin' | 'project_member' | 'project_viewer';
+//#endregion
+export { OrgRole, ProjectRole, SpiceDbPermissions, SpiceDbRelations, SpiceDbResourceTypes, getSpiceDbConfig, isAuthzEnabled };