@inkeep/agents-core 0.41.2 → 0.42.0

package/dist/auth/authz/config.js

@@ -0,0 +1,76 @@
+//#region src/auth/authz/config.ts
+/**
+* SpiceDB Authorization Configuration
+*
+* Feature flag and configuration for the SpiceDB authorization system.
+*/
+/**
+* Check if authorization is enabled.
+*
+* When called without tenantId:
+* - Returns true if ENABLE_AUTHZ=true
+*
+* When called with tenantId:
+* - If ENABLE_AUTHZ=false → returns false
+* - If ENABLE_AUTHZ=true and TENANT_ID is not set → returns true (all tenants)
+* - If ENABLE_AUTHZ=true and TENANT_ID is set → returns true only if tenantId matches
+*/
+function isAuthzEnabled(tenantId) {
+	if (process.env.ENABLE_AUTHZ !== "true") return false;
+	const configuredTenantId = process.env.TENANT_ID?.trim();
+	if (!configuredTenantId) return true;
+	return tenantId === configuredTenantId;
+}
+/**
+* Get SpiceDB connection configuration from environment variables.
+*/
+function getSpiceDbConfig() {
+	return {
+		endpoint: process.env.SPICEDB_ENDPOINT || "localhost:50051",
+		token: process.env.SPICEDB_PRESHARED_KEY || "",
+		tlsEnabled: process.env.SPICEDB_TLS_ENABLED === "true"
+	};
+}
+/**
+* SpiceDB resource types used in the schema
+*/
+const SpiceDbResourceTypes = {
+	USER: "user",
+	ORGANIZATION: "organization",
+	PROJECT: "project"
+};
+/**
+* SpiceDB relations used in the schema
+*
+* Relations are named as nouns (roles) per SpiceDB best practices.
+* Project roles are prefixed for clarity when debugging/grepping.
+*/
+const SpiceDbRelations = {
+	OWNER: "owner",
+	ADMIN: "admin",
+	MEMBER: "member",
+	ORGANIZATION: "organization",
+	PROJECT_ADMIN: "project_admin",
+	PROJECT_MEMBER: "project_member",
+	PROJECT_VIEWER: "project_viewer"
+};
+/**
+* SpiceDB permissions used in the schema
+*
+* Permissions are named as verbs (actions) per SpiceDB best practices.
+*/
+/**
+* SpiceDB permissions used in permission checks.
+*
+* Note: Organization-level permissions (manage) are handled via
+* orgRole bypass in permission functions, not direct SpiceDB checks.
+*/
+const SpiceDbPermissions = {
+	VIEW: "view",
+	USE: "use",
+	EDIT: "edit",
+	DELETE: "delete"
+};
+
+//#endregion
+export { SpiceDbPermissions, SpiceDbRelations, SpiceDbResourceTypes, getSpiceDbConfig, isAuthzEnabled };

package/dist/auth/authz/index.d.ts

@@ -0,0 +1,5 @@
+import { checkBulkPermissions, checkPermission, deleteRelationship, getSpiceClient, lookupResources, readRelationships, resetSpiceClient, writeRelationship } from "./client.js";
+import { OrgRole, ProjectRole, SpiceDbPermissions, SpiceDbRelations, SpiceDbResourceTypes, getSpiceDbConfig, isAuthzEnabled } from "./config.js";
+import { canEditProject, canUseProject, canViewProject, listAccessibleProjectIds } from "./permissions.js";
+import { changeProjectRole, grantProjectAccess, listProjectMembers, removeProjectFromSpiceDb, revokeProjectAccess, syncOrgMemberToSpiceDb, syncProjectToSpiceDb } from "./sync.js";
+export { type OrgRole, type ProjectRole, SpiceDbPermissions, SpiceDbRelations, SpiceDbResourceTypes, canEditProject, canUseProject, canViewProject, changeProjectRole, checkBulkPermissions, checkPermission, deleteRelationship, getSpiceClient, getSpiceDbConfig, grantProjectAccess, isAuthzEnabled, listAccessibleProjectIds, listProjectMembers, lookupResources, readRelationships, removeProjectFromSpiceDb, resetSpiceClient, revokeProjectAccess, syncOrgMemberToSpiceDb, syncProjectToSpiceDb, writeRelationship };

package/dist/auth/authz/index.js

@@ -0,0 +1,6 @@
+import { SpiceDbPermissions, SpiceDbRelations, SpiceDbResourceTypes, getSpiceDbConfig, isAuthzEnabled } from "./config.js";
+import { checkBulkPermissions, checkPermission, deleteRelationship, getSpiceClient, lookupResources, readRelationships, resetSpiceClient, writeRelationship } from "./client.js";
+import { canEditProject, canUseProject, canViewProject, listAccessibleProjectIds } from "./permissions.js";
+import { changeProjectRole, grantProjectAccess, listProjectMembers, removeProjectFromSpiceDb, revokeProjectAccess, syncOrgMemberToSpiceDb, syncProjectToSpiceDb } from "./sync.js";
+
+export { SpiceDbPermissions, SpiceDbRelations, SpiceDbResourceTypes, canEditProject, canUseProject, canViewProject, changeProjectRole, checkBulkPermissions, checkPermission, deleteRelationship, getSpiceClient, getSpiceDbConfig, grantProjectAccess, isAuthzEnabled, listAccessibleProjectIds, listProjectMembers, lookupResources, readRelationships, removeProjectFromSpiceDb, resetSpiceClient, revokeProjectAccess, syncOrgMemberToSpiceDb, syncProjectToSpiceDb, writeRelationship };

package/dist/auth/authz/permissions.d.ts

@@ -0,0 +1,57 @@
+import { OrgRole } from "./config.js";
+
+//#region src/auth/authz/permissions.d.ts
+
+/**
+ * Check if a user can view a project.
+ *
+ * - If authz is disabled: returns true (current behavior)
+ * - If user is org owner/admin: returns true (bypass)
+ * - Otherwise: checks SpiceDB
+ */
+declare function canViewProject(params: {
+  tenantId: string;
+  userId: string;
+  projectId: string;
+  orgRole: OrgRole;
+}): Promise<boolean>;
+/**
+ * Check if a user can use a project (invoke agents, create API keys, view traces).
+ *
+ * - If authz is disabled: returns true (current behavior)
+ * - If user is org owner/admin: returns true (bypass)
+ * - Otherwise: checks SpiceDB for use permission
+ */
+declare function canUseProject(params: {
+  tenantId: string;
+  userId: string;
+  projectId: string;
+  orgRole: OrgRole;
+}): Promise<boolean>;
+/**
+ * Check if a user can edit a project (modify configurations).
+ *
+ * - If authz is disabled: only org owner/admin can edit
+ * - If user is org owner/admin: returns true (bypass)
+ * - Otherwise: checks SpiceDB for edit permission
+ */
+declare function canEditProject(params: {
+  tenantId: string;
+  userId: string;
+  projectId: string;
+  orgRole: OrgRole;
+}): Promise<boolean>;
+/**
+ * Get list of accessible project IDs for a user.
+ *
+ * - If authz is disabled: returns 'all' (no filtering needed)
+ * - If user is org owner/admin: returns 'all' (no filtering needed)
+ * - Otherwise: uses SpiceDB LookupResources
+ */
+declare function listAccessibleProjectIds(params: {
+  tenantId: string;
+  userId: string;
+  orgRole: OrgRole;
+}): Promise<string[] | 'all'>;
+//#endregion
+export { canEditProject, canUseProject, canViewProject, listAccessibleProjectIds };

package/dist/auth/authz/permissions.js

@@ -0,0 +1,83 @@
+import { SpiceDbPermissions, SpiceDbResourceTypes, isAuthzEnabled } from "./config.js";
+import { checkPermission, lookupResources } from "./client.js";
+
+//#region src/auth/authz/permissions.ts
+/**
+* SpiceDB Permission Check Functions
+*
+* High-level functions for checking project-level permissions.
+*/
+/**
+* Check if a user can view a project.
+*
+* - If authz is disabled: returns true (current behavior)
+* - If user is org owner/admin: returns true (bypass)
+* - Otherwise: checks SpiceDB
+*/
+async function canViewProject(params) {
+	if (!isAuthzEnabled(params.tenantId)) return true;
+	if (params.orgRole === "owner" || params.orgRole === "admin") return true;
+	return checkPermission({
+		resourceType: SpiceDbResourceTypes.PROJECT,
+		resourceId: params.projectId,
+		permission: SpiceDbPermissions.VIEW,
+		subjectType: SpiceDbResourceTypes.USER,
+		subjectId: params.userId
+	});
+}
+/**
+* Check if a user can use a project (invoke agents, create API keys, view traces).
+*
+* - If authz is disabled: returns true (current behavior)
+* - If user is org owner/admin: returns true (bypass)
+* - Otherwise: checks SpiceDB for use permission
+*/
+async function canUseProject(params) {
+	if (!isAuthzEnabled(params.tenantId)) return true;
+	if (params.orgRole === "owner" || params.orgRole === "admin") return true;
+	return checkPermission({
+		resourceType: SpiceDbResourceTypes.PROJECT,
+		resourceId: params.projectId,
+		permission: SpiceDbPermissions.USE,
+		subjectType: SpiceDbResourceTypes.USER,
+		subjectId: params.userId
+	});
+}
+/**
+* Check if a user can edit a project (modify configurations).
+*
+* - If authz is disabled: only org owner/admin can edit
+* - If user is org owner/admin: returns true (bypass)
+* - Otherwise: checks SpiceDB for edit permission
+*/
+async function canEditProject(params) {
+	if (!isAuthzEnabled(params.tenantId)) return params.orgRole === "owner" || params.orgRole === "admin";
+	if (params.orgRole === "owner" || params.orgRole === "admin") return true;
+	return checkPermission({
+		resourceType: SpiceDbResourceTypes.PROJECT,
+		resourceId: params.projectId,
+		permission: SpiceDbPermissions.EDIT,
+		subjectType: SpiceDbResourceTypes.USER,
+		subjectId: params.userId
+	});
+}
+/**
+* Get list of accessible project IDs for a user.
+*
+* - If authz is disabled: returns 'all' (no filtering needed)
+* - If user is org owner/admin: returns 'all' (no filtering needed)
+* - Otherwise: uses SpiceDB LookupResources
+*/
+async function listAccessibleProjectIds(params) {
+	if (!isAuthzEnabled(params.tenantId)) return "all";
+	if (params.orgRole === "owner" || params.orgRole === "admin") return "all";
+	return lookupResources({
+		resourceType: SpiceDbResourceTypes.PROJECT,
+		permission: SpiceDbPermissions.VIEW,
+		subjectType: SpiceDbResourceTypes.USER,
+		subjectId: params.userId
+	});
+}
+
+//#endregion
+export { canEditProject, canUseProject, canViewProject, listAccessibleProjectIds };

package/dist/auth/authz/sync.d.ts

@@ -0,0 +1,85 @@
+import { OrgRole, ProjectRole } from "./config.js";
+
+//#region src/auth/authz/sync.d.ts
+
+/**
+ * Sync a user's org membership to SpiceDB.
+ * Call when: user joins org, role changes, user leaves org.
+ */
+declare function syncOrgMemberToSpiceDb(params: {
+  tenantId: string;
+  userId: string;
+  role: OrgRole;
+  action: 'add' | 'remove';
+}): Promise<void>;
+/**
+ * Change a user's organization role.
+ * Removes the old role and adds the new one atomically in a single transaction.
+ * Call when: user's org role is updated (e.g., member -> admin).
+ */
+declare function changeOrgRole(params: {
+  tenantId: string;
+  userId: string;
+  oldRole: OrgRole;
+  newRole: OrgRole;
+}): Promise<void>;
+/**
+ * Sync a new project to SpiceDB.
+ * Links project to org and grants creator project_admin role.
+ * Call when: project is created.
+ */
+declare function syncProjectToSpiceDb(params: {
+  tenantId: string;
+  projectId: string;
+  creatorUserId: string;
+}): Promise<void>;
+/**
+ * Grant project access to a user.
+ */
+declare function grantProjectAccess(params: {
+  tenantId: string;
+  projectId: string;
+  userId: string;
+  role: ProjectRole;
+}): Promise<void>;
+/**
+ * Revoke project access from a user.
+ */
+declare function revokeProjectAccess(params: {
+  tenantId: string;
+  projectId: string;
+  userId: string;
+  role: ProjectRole;
+}): Promise<void>;
+/**
+ * Change a user's project role.
+ * Removes the old role and adds the new one atomically in a single transaction.
+ */
+declare function changeProjectRole(params: {
+  tenantId: string;
+  projectId: string;
+  userId: string;
+  oldRole: ProjectRole;
+  newRole: ProjectRole;
+}): Promise<void>;
+/**
+ * Remove a project from SpiceDB.
+ * Call when: project is deleted.
+ */
+declare function removeProjectFromSpiceDb(params: {
+  tenantId: string;
+  projectId: string;
+}): Promise<void>;
+/**
+ * List all explicit project members from SpiceDB.
+ * Returns users with project_admin, project_member, or project_viewer roles.
+ */
+declare function listProjectMembers(params: {
+  tenantId: string;
+  projectId: string;
+}): Promise<Array<{
+  userId: string;
+  role: ProjectRole;
+}>>;
+//#endregion
+export { changeOrgRole, changeProjectRole, grantProjectAccess, listProjectMembers, removeProjectFromSpiceDb, revokeProjectAccess, syncOrgMemberToSpiceDb, syncProjectToSpiceDb };

package/dist/auth/authz/sync.js

@@ -0,0 +1,237 @@
+import { SpiceDbRelations, SpiceDbResourceTypes, isAuthzEnabled } from "./config.js";
+import { deleteRelationship, getSpiceClient, readRelationships, writeRelationship } from "./client.js";
+
+//#region src/auth/authz/sync.ts
+/**
+* SpiceDB Sync Utilities
+*
+* Functions for syncing data between better-auth and SpiceDB.
+*/
+const RELATIONSHIP_OPERATION_CREATE = 1;
+const RELATIONSHIP_OPERATION_TOUCH = 2;
+const RELATIONSHIP_OPERATION_DELETE = 3;
+/**
+* Sync a user's org membership to SpiceDB.
+* Call when: user joins org, role changes, user leaves org.
+*/
+async function syncOrgMemberToSpiceDb(params) {
+	if (!isAuthzEnabled(params.tenantId)) return;
+	if (params.action === "add") await writeRelationship({
+		resourceType: SpiceDbResourceTypes.ORGANIZATION,
+		resourceId: params.tenantId,
+		relation: params.role,
+		subjectType: SpiceDbResourceTypes.USER,
+		subjectId: params.userId
+	});
+	else await deleteRelationship({
+		resourceType: SpiceDbResourceTypes.ORGANIZATION,
+		resourceId: params.tenantId,
+		relation: params.role,
+		subjectType: SpiceDbResourceTypes.USER,
+		subjectId: params.userId
+	});
+}
+/**
+* Change a user's organization role.
+* Removes the old role and adds the new one atomically in a single transaction.
+* Call when: user's org role is updated (e.g., member -> admin).
+*/
+async function changeOrgRole(params) {
+	if (!isAuthzEnabled(params.tenantId)) return;
+	if (params.oldRole === params.newRole) return;
+	await getSpiceClient().promises.writeRelationships({
+		updates: [{
+			operation: RELATIONSHIP_OPERATION_DELETE,
+			relationship: {
+				resource: {
+					objectType: SpiceDbResourceTypes.ORGANIZATION,
+					objectId: params.tenantId
+				},
+				relation: params.oldRole,
+				subject: {
+					object: {
+						objectType: SpiceDbResourceTypes.USER,
+						objectId: params.userId
+					},
+					optionalRelation: ""
+				},
+				optionalCaveat: void 0
+			}
+		}, {
+			operation: RELATIONSHIP_OPERATION_TOUCH,
+			relationship: {
+				resource: {
+					objectType: SpiceDbResourceTypes.ORGANIZATION,
+					objectId: params.tenantId
+				},
+				relation: params.newRole,
+				subject: {
+					object: {
+						objectType: SpiceDbResourceTypes.USER,
+						objectId: params.userId
+					},
+					optionalRelation: ""
+				},
+				optionalCaveat: void 0
+			}
+		}],
+		optionalPreconditions: [],
+		optionalTransactionMetadata: void 0
+	});
+}
+/**
+* Sync a new project to SpiceDB.
+* Links project to org and grants creator project_admin role.
+* Call when: project is created.
+*/
+async function syncProjectToSpiceDb(params) {
+	if (!isAuthzEnabled(params.tenantId)) return;
+	await getSpiceClient().promises.writeRelationships({
+		updates: [{
+			operation: RELATIONSHIP_OPERATION_CREATE,
+			relationship: {
+				resource: {
+					objectType: SpiceDbResourceTypes.PROJECT,
+					objectId: params.projectId
+				},
+				relation: SpiceDbRelations.ORGANIZATION,
+				subject: {
+					object: {
+						objectType: SpiceDbResourceTypes.ORGANIZATION,
+						objectId: params.tenantId
+					},
+					optionalRelation: ""
+				},
+				optionalCaveat: void 0
+			}
+		}, {
+			operation: RELATIONSHIP_OPERATION_CREATE,
+			relationship: {
+				resource: {
+					objectType: SpiceDbResourceTypes.PROJECT,
+					objectId: params.projectId
+				},
+				relation: SpiceDbRelations.PROJECT_ADMIN,
+				subject: {
+					object: {
+						objectType: SpiceDbResourceTypes.USER,
+						objectId: params.creatorUserId
+					},
+					optionalRelation: ""
+				},
+				optionalCaveat: void 0
+			}
+		}],
+		optionalPreconditions: [],
+		optionalTransactionMetadata: void 0
+	});
+}
+/**
+* Grant project access to a user.
+*/
+async function grantProjectAccess(params) {
+	if (!isAuthzEnabled(params.tenantId)) throw new Error("Authorization is not enabled");
+	await writeRelationship({
+		resourceType: SpiceDbResourceTypes.PROJECT,
+		resourceId: params.projectId,
+		relation: params.role,
+		subjectType: SpiceDbResourceTypes.USER,
+		subjectId: params.userId
+	});
+}
+/**
+* Revoke project access from a user.
+*/
+async function revokeProjectAccess(params) {
+	if (!isAuthzEnabled(params.tenantId)) throw new Error("Authorization is not enabled");
+	await deleteRelationship({
+		resourceType: SpiceDbResourceTypes.PROJECT,
+		resourceId: params.projectId,
+		relation: params.role,
+		subjectType: SpiceDbResourceTypes.USER,
+		subjectId: params.userId
+	});
+}
+/**
+* Change a user's project role.
+* Removes the old role and adds the new one atomically in a single transaction.
+*/
+async function changeProjectRole(params) {
+	if (!isAuthzEnabled(params.tenantId)) throw new Error("Authorization is not enabled");
+	if (params.oldRole === params.newRole) return;
+	await getSpiceClient().promises.writeRelationships({
+		updates: [{
+			operation: RELATIONSHIP_OPERATION_DELETE,
+			relationship: {
+				resource: {
+					objectType: SpiceDbResourceTypes.PROJECT,
+					objectId: params.projectId
+				},
+				relation: params.oldRole,
+				subject: {
+					object: {
+						objectType: SpiceDbResourceTypes.USER,
+						objectId: params.userId
+					},
+					optionalRelation: ""
+				},
+				optionalCaveat: void 0
+			}
+		}, {
+			operation: RELATIONSHIP_OPERATION_TOUCH,
+			relationship: {
+				resource: {
+					objectType: SpiceDbResourceTypes.PROJECT,
+					objectId: params.projectId
+				},
+				relation: params.newRole,
+				subject: {
+					object: {
+						objectType: SpiceDbResourceTypes.USER,
+						objectId: params.userId
+					},
+					optionalRelation: ""
+				},
+				optionalCaveat: void 0
+			}
+		}],
+		optionalPreconditions: [],
+		optionalTransactionMetadata: void 0
+	});
+}
+/**
+* Remove a project from SpiceDB.
+* Call when: project is deleted.
+*/
+async function removeProjectFromSpiceDb(params) {
+	if (!isAuthzEnabled(params.tenantId)) return;
+	await getSpiceClient().promises.deleteRelationships({
+		relationshipFilter: {
+			resourceType: SpiceDbResourceTypes.PROJECT,
+			optionalResourceId: params.projectId,
+			optionalResourceIdPrefix: "",
+			optionalRelation: ""
+		},
+		optionalPreconditions: [],
+		optionalLimit: 0,
+		optionalAllowPartialDeletions: false,
+		optionalTransactionMetadata: void 0
+	});
+}
+/**
+* List all explicit project members from SpiceDB.
+* Returns users with project_admin, project_member, or project_viewer roles.
+*/
+async function listProjectMembers(params) {
+	if (!isAuthzEnabled(params.tenantId)) return [];
+	return (await readRelationships({
+		resourceType: SpiceDbResourceTypes.PROJECT,
+		resourceId: params.projectId
+	})).filter((rel) => rel.subjectType === SpiceDbResourceTypes.USER && (rel.relation === SpiceDbRelations.PROJECT_ADMIN || rel.relation === SpiceDbRelations.PROJECT_MEMBER || rel.relation === SpiceDbRelations.PROJECT_VIEWER)).map((rel) => ({
+		userId: rel.subjectId,
+		role: rel.relation
+	}));
+}
+
+//#endregion
+export { changeOrgRole, changeProjectRole, grantProjectAccess, listProjectMembers, removeProjectFromSpiceDb, revokeProjectAccess, syncOrgMemberToSpiceDb, syncProjectToSpiceDb };

package/dist/auth/permissions.d.ts

@@ -1,29 +1,29 @@
-import * as better_auth_plugins55 from "better-auth/plugins";
+import * as better_auth_plugins69 from "better-auth/plugins";
 import { AccessControl } from "better-auth/plugins/access";
 import { organizationClient } from "better-auth/client/plugins";
 
 //#region src/auth/permissions.d.ts
 declare const ac: AccessControl;
 declare const memberRole: {
-  authorize<K_1 extends "function" | "organization" | "agent" | "member" | "invitation" | "project" | "tool" | "ac" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins55.Subset<"function" | "organization" | "agent" | "member" | "invitation" | "project" | "tool" | "ac" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins55.Statements>[key] | {
-    actions: better_auth_plugins55.Subset<"function" | "organization" | "agent" | "member" | "invitation" | "project" | "tool" | "ac" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins55.Statements>[key];
+  authorize<K_1 extends "organization" | "ac" | "member" | "project" | "team" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins69.Statements>[key] | {
+    actions: better_auth_plugins69.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins69.Statements>[key];
     connector: "OR" | "AND";
-  } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins55.AuthorizeResponse;
-  statements: better_auth_plugins55.Subset<"function" | "organization" | "agent" | "member" | "invitation" | "project" | "tool" | "ac" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins55.Statements>;
+  } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins69.AuthorizeResponse;
+  statements: better_auth_plugins69.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins69.Statements>;
 };
 declare const adminRole: {
-  authorize<K_1 extends "function" | "organization" | "agent" | "member" | "invitation" | "project" | "tool" | "ac" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins55.Subset<"function" | "organization" | "agent" | "member" | "invitation" | "project" | "tool" | "ac" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins55.Statements>[key] | {
-    actions: better_auth_plugins55.Subset<"function" | "organization" | "agent" | "member" | "invitation" | "project" | "tool" | "ac" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins55.Statements>[key];
+  authorize<K_1 extends "organization" | "ac" | "member" | "project" | "team" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins69.Statements>[key] | {
+    actions: better_auth_plugins69.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins69.Statements>[key];
     connector: "OR" | "AND";
-  } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins55.AuthorizeResponse;
-  statements: better_auth_plugins55.Subset<"function" | "organization" | "agent" | "member" | "invitation" | "project" | "tool" | "ac" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins55.Statements>;
+  } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins69.AuthorizeResponse;
+  statements: better_auth_plugins69.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins69.Statements>;
 };
 declare const ownerRole: {
-  authorize<K_1 extends "function" | "organization" | "agent" | "member" | "invitation" | "project" | "tool" | "ac" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins55.Subset<"function" | "organization" | "agent" | "member" | "invitation" | "project" | "tool" | "ac" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins55.Statements>[key] | {
-    actions: better_auth_plugins55.Subset<"function" | "organization" | "agent" | "member" | "invitation" | "project" | "tool" | "ac" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins55.Statements>[key];
+  authorize<K_1 extends "organization" | "ac" | "member" | "project" | "team" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins69.Statements>[key] | {
+    actions: better_auth_plugins69.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins69.Statements>[key];
     connector: "OR" | "AND";
-  } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins55.AuthorizeResponse;
-  statements: better_auth_plugins55.Subset<"function" | "organization" | "agent" | "member" | "invitation" | "project" | "tool" | "ac" | "sub_agent" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins55.Statements>;
+  } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins69.AuthorizeResponse;
+  statements: better_auth_plugins69.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins69.Statements>;
 };
 //#endregion
 export { ac, adminRole, memberRole, organizationClient, ownerRole };