@inkeep/agents-core 0.41.2 → 0.43.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/api-client/base-client.d.ts +87 -8
- package/dist/api-client/base-client.js +174 -1
- package/dist/api-client/eval-api-client.d.ts +47 -0
- package/dist/api-client/eval-api-client.js +65 -0
- package/dist/api-client/index.d.ts +4 -0
- package/dist/api-client/index.js +5 -0
- package/dist/api-client/manage-api-client.d.ts +34 -0
- package/dist/api-client/manage-api-client.js +104 -0
- package/dist/auth/auth.d.ts +86 -20
- package/dist/auth/auth.js +60 -2
- package/dist/auth/authz/client.d.ts +87 -0
- package/dist/auth/authz/client.js +196 -0
- package/dist/auth/authz/config.d.ts +103 -0
- package/dist/auth/authz/config.js +93 -0
- package/dist/auth/authz/index.d.ts +5 -0
- package/dist/auth/authz/index.js +6 -0
- package/dist/auth/authz/permissions.d.ts +53 -0
- package/dist/auth/authz/permissions.js +83 -0
- package/dist/auth/authz/sync.d.ts +106 -0
- package/dist/auth/authz/sync.js +321 -0
- package/dist/auth/permissions.d.ts +13 -13
- package/dist/auth/permissions.js +2 -181
- package/dist/client-exports.d.ts +9 -3
- package/dist/client-exports.js +4 -2
- package/dist/constants/context-breakdown.d.ts +61 -0
- package/dist/constants/context-breakdown.js +124 -0
- package/dist/constants/execution-limits-shared/defaults.d.ts +1 -1
- package/dist/constants/execution-limits-shared/defaults.js +1 -1
- package/dist/constants/execution-limits-shared/index.d.ts +1 -1
- package/dist/constants/otel-attributes.d.ts +4 -0
- package/dist/constants/otel-attributes.js +4 -0
- package/dist/context/ContextConfig.d.ts +2 -2
- package/dist/context/ContextConfig.js +3 -3
- package/dist/context/TemplateEngine.d.ts +0 -6
- package/dist/context/TemplateEngine.js +4 -19
- package/dist/context/index.d.ts +1 -5
- package/dist/context/index.js +1 -5
- package/dist/credential-stores/keychain-store.d.ts +20 -8
- package/dist/credential-stores/keychain-store.js +107 -43
- package/dist/credential-stuffer/CredentialStuffer.d.ts +1 -1
- package/dist/data-access/index.d.ts +34 -26
- package/dist/data-access/index.js +34 -26
- package/dist/data-access/manage/agentFull.d.ts +36 -0
- package/dist/data-access/{agentFull.js → manage/agentFull.js} +209 -7
- package/dist/data-access/{agents.d.ts → manage/agents.d.ts} +64 -63
- package/dist/data-access/{agents.js → manage/agents.js} +80 -27
- package/dist/data-access/{artifactComponents.d.ts → manage/artifactComponents.d.ts} +33 -33
- package/dist/data-access/{artifactComponents.js → manage/artifactComponents.js} +5 -5
- package/dist/data-access/{contextConfigs.d.ts → manage/contextConfigs.d.ts} +26 -26
- package/dist/data-access/{contextConfigs.js → manage/contextConfigs.js} +3 -3
- package/dist/data-access/{credentialReferences.d.ts → manage/credentialReferences.d.ts} +17 -17
- package/dist/data-access/{credentialReferences.js → manage/credentialReferences.js} +2 -2
- package/dist/data-access/{dataComponents.d.ts → manage/dataComponents.d.ts} +26 -26
- package/dist/data-access/{dataComponents.js → manage/dataComponents.js} +7 -7
- package/dist/data-access/manage/evalConfig.d.ts +221 -0
- package/dist/data-access/manage/evalConfig.js +275 -0
- package/dist/data-access/{externalAgents.d.ts → manage/externalAgents.d.ts} +16 -16
- package/dist/data-access/{externalAgents.js → manage/externalAgents.js} +2 -2
- package/dist/data-access/manage/functionTools.d.ts +242 -0
- package/dist/data-access/{functionTools.js → manage/functionTools.js} +124 -30
- package/dist/data-access/{functions.d.ts → manage/functions.d.ts} +9 -9
- package/dist/data-access/{functions.js → manage/functions.js} +3 -3
- package/dist/data-access/manage/projectFull.d.ts +38 -0
- package/dist/data-access/{projectFull.js → manage/projectFull.js} +64 -65
- package/dist/data-access/manage/projectLifecycle.d.ts +119 -0
- package/dist/data-access/manage/projectLifecycle.js +234 -0
- package/dist/data-access/manage/projects.d.ts +75 -0
- package/dist/data-access/{projects.js → manage/projects.js} +15 -16
- package/dist/data-access/{subAgentExternalAgentRelations.d.ts → manage/subAgentExternalAgentRelations.d.ts} +43 -43
- package/dist/data-access/{subAgentExternalAgentRelations.js → manage/subAgentExternalAgentRelations.js} +2 -2
- package/dist/data-access/{subAgentRelations.d.ts → manage/subAgentRelations.d.ts} +65 -65
- package/dist/data-access/{subAgentRelations.js → manage/subAgentRelations.js} +3 -3
- package/dist/data-access/{subAgentTeamAgentRelations.d.ts → manage/subAgentTeamAgentRelations.d.ts} +43 -43
- package/dist/data-access/{subAgentTeamAgentRelations.js → manage/subAgentTeamAgentRelations.js} +2 -2
- package/dist/data-access/{subAgents.d.ts → manage/subAgents.d.ts} +28 -28
- package/dist/data-access/{subAgents.js → manage/subAgents.js} +4 -4
- package/dist/data-access/{tools.d.ts → manage/tools.d.ts} +65 -52
- package/dist/data-access/{tools.js → manage/tools.js} +109 -64
- package/dist/data-access/manage/triggers.d.ts +106 -0
- package/dist/data-access/manage/triggers.js +81 -0
- package/dist/data-access/{apiKeys.d.ts → runtime/apiKeys.d.ts} +37 -37
- package/dist/data-access/{apiKeys.js → runtime/apiKeys.js} +3 -3
- package/dist/data-access/runtime/cascade-delete.d.ts +77 -0
- package/dist/data-access/runtime/cascade-delete.js +111 -0
- package/dist/data-access/{contextCache.d.ts → runtime/contextCache.d.ts} +13 -13
- package/dist/data-access/{contextCache.js → runtime/contextCache.js} +5 -5
- package/dist/data-access/{conversations.d.ts → runtime/conversations.d.ts} +80 -31
- package/dist/data-access/{conversations.js → runtime/conversations.js} +13 -7
- package/dist/data-access/runtime/evalRuns.d.ts +120 -0
- package/dist/data-access/runtime/evalRuns.js +168 -0
- package/dist/data-access/{ledgerArtifacts.d.ts → runtime/ledgerArtifacts.d.ts} +13 -13
- package/dist/data-access/{ledgerArtifacts.js → runtime/ledgerArtifacts.js} +3 -3
- package/dist/data-access/{messages.d.ts → runtime/messages.d.ts} +24 -24
- package/dist/data-access/{messages.js → runtime/messages.js} +2 -2
- package/dist/data-access/{organizations.d.ts → runtime/organizations.d.ts} +16 -7
- package/dist/data-access/{organizations.js → runtime/organizations.js} +16 -4
- package/dist/data-access/runtime/projects.d.ts +62 -0
- package/dist/data-access/runtime/projects.js +90 -0
- package/dist/data-access/runtime/tasks.d.ts +55 -0
- package/dist/data-access/{tasks.js → runtime/tasks.js} +2 -2
- package/dist/data-access/runtime/triggerInvocations.d.ts +62 -0
- package/dist/data-access/runtime/triggerInvocations.js +54 -0
- package/dist/data-access/runtime/users.d.ts +19 -0
- package/dist/data-access/{users.js → runtime/users.js} +2 -2
- package/dist/data-access/validation.d.ts +4 -4
- package/dist/data-access/validation.js +1 -1
- package/dist/db/clean.d.ts +8 -4
- package/dist/db/clean.js +14 -105
- package/dist/db/delete.d.ts +1 -1
- package/dist/db/delete.js +7 -10
- package/dist/db/manage/dolt-cleanup.d.ts +51 -0
- package/dist/db/manage/dolt-cleanup.js +132 -0
- package/dist/db/manage/manage-client.d.ts +26 -0
- package/dist/db/manage/manage-client.js +68 -0
- package/dist/db/{schema.d.ts → manage/manage-schema.d.ts} +1257 -969
- package/dist/db/{schema.js → manage/manage-schema.js} +436 -334
- package/dist/db/manage/test-manage-client.d.ts +27 -0
- package/dist/db/manage/test-manage-client.js +68 -0
- package/dist/db/runtime/runtime-client.d.ts +20 -0
- package/dist/db/runtime/runtime-client.js +30 -0
- package/dist/db/runtime/runtime-schema.d.ts +2834 -0
- package/dist/db/runtime/runtime-schema.js +483 -0
- package/dist/db/runtime/test-runtime-client.d.ts +27 -0
- package/dist/db/{test-client.js → runtime/test-runtime-client.js} +11 -25
- package/dist/db/utils.d.ts +6 -0
- package/dist/db/utils.js +42 -0
- package/dist/dolt/branch.d.ts +62 -0
- package/dist/dolt/branch.js +82 -0
- package/dist/dolt/branches-api.d.ts +108 -0
- package/dist/dolt/branches-api.js +162 -0
- package/dist/dolt/commit.d.ts +94 -0
- package/dist/dolt/commit.js +103 -0
- package/dist/dolt/diff.d.ts +27 -0
- package/dist/dolt/diff.js +21 -0
- package/dist/dolt/index.d.ts +10 -0
- package/dist/dolt/index.js +11 -0
- package/dist/dolt/merge.d.ts +63 -0
- package/dist/dolt/merge.js +81 -0
- package/dist/dolt/migrate-all-branches.d.ts +4 -0
- package/dist/dolt/migrate-all-branches.js +83 -0
- package/dist/dolt/migrate-dolt.d.ts +1 -0
- package/dist/dolt/migrate-dolt.js +25 -0
- package/dist/dolt/ref-helpers.d.ts +19 -0
- package/dist/dolt/ref-helpers.js +65 -0
- package/dist/dolt/ref-middleware.d.ts +82 -0
- package/dist/dolt/ref-middleware.js +217 -0
- package/dist/dolt/ref-scope.d.ts +101 -0
- package/dist/dolt/ref-scope.js +231 -0
- package/dist/dolt/schema-sync.d.ts +135 -0
- package/dist/dolt/schema-sync.js +255 -0
- package/dist/env.d.ts +6 -4
- package/dist/env.js +3 -2
- package/dist/index.d.ts +73 -46
- package/dist/index.js +76 -49
- package/dist/types/@napi-rs__keyring/index.d.ts +14 -0
- package/dist/types/entities.d.ts +81 -2
- package/dist/types/index.d.ts +3 -3
- package/dist/types/utility.d.ts +46 -5
- package/dist/types/utility.js +2 -1
- package/dist/utils/JsonTransformer.d.ts +42 -0
- package/dist/utils/JsonTransformer.js +103 -0
- package/dist/utils/apiKeys.d.ts +5 -1
- package/dist/utils/apiKeys.js +11 -1
- package/dist/utils/colors.d.ts +34 -0
- package/dist/utils/colors.js +49 -0
- package/dist/utils/credential-store-utils.d.ts +1 -1
- package/dist/utils/format-messages.d.ts +1 -1
- package/dist/utils/index.d.ts +8 -4
- package/dist/utils/index.js +8 -4
- package/dist/utils/internal-service-auth.d.ts +79 -0
- package/dist/utils/internal-service-auth.js +140 -0
- package/dist/utils/jmespath-utils.d.ts +152 -0
- package/dist/utils/jmespath-utils.js +213 -0
- package/dist/utils/jwt-helpers.d.ts +56 -0
- package/dist/utils/jwt-helpers.js +90 -0
- package/dist/utils/mcp-client.d.ts +1 -1
- package/dist/utils/mcp-client.js +1 -1
- package/dist/utils/service-token-auth.d.ts +9 -27
- package/dist/utils/service-token-auth.js +48 -96
- package/dist/utils/signature-validation.d.ts +2 -0
- package/dist/utils/signature-validation.js +3 -0
- package/dist/utils/template-interpolation.d.ts +22 -0
- package/dist/utils/template-interpolation.js +62 -0
- package/dist/utils/third-party-mcp-servers/composio-client.d.ts +13 -1
- package/dist/utils/third-party-mcp-servers/composio-client.js +47 -29
- package/dist/utils/third-party-mcp-servers/index.d.ts +2 -2
- package/dist/utils/third-party-mcp-servers/index.js +2 -2
- package/dist/utils/trigger-auth.d.ts +85 -0
- package/dist/utils/trigger-auth.js +233 -0
- package/dist/validation/agentFull.js +2 -4
- package/dist/validation/dolt-schemas.d.ts +49 -0
- package/dist/validation/dolt-schemas.js +44 -0
- package/dist/validation/drizzle-schema-helpers.d.ts +4 -26
- package/dist/validation/drizzle-schema-helpers.js +5 -151
- package/dist/validation/index.d.ts +5 -4
- package/dist/validation/index.js +4 -3
- package/dist/validation/render-validation.js +19 -0
- package/dist/validation/schemas.d.ts +18223 -5148
- package/dist/validation/schemas.js +559 -12
- package/dist/validation/stream-event-schemas.d.ts +96 -1
- package/dist/validation/stream-event-schemas.js +67 -2
- package/drizzle/manage/0000_tearful_rhodey.sql +414 -0
- package/drizzle/manage/0001_broken_wendell_vaughn.sql +19 -0
- package/drizzle/manage/0002_bent_sunfire.sql +1 -0
- package/drizzle/manage/0003_tiny_captain_universe.sql +8 -0
- package/drizzle/manage/0004_curious_phil_sheldon.sql +2 -0
- package/drizzle/manage/0005_silent_shatterstar.sql +53 -0
- package/drizzle/manage/meta/0000_snapshot.json +2987 -0
- package/drizzle/manage/meta/0001_snapshot.json +3115 -0
- package/drizzle/manage/meta/0002_snapshot.json +3115 -0
- package/drizzle/manage/meta/0003_snapshot.json +3134 -0
- package/drizzle/manage/meta/0004_snapshot.json +3141 -0
- package/drizzle/manage/meta/0005_snapshot.json +3141 -0
- package/drizzle/manage/meta/_journal.json +48 -0
- package/drizzle/runtime/0008_silly_preak.sql +127 -0
- package/drizzle/runtime/0009_freezing_leo.sql +17 -0
- package/drizzle/runtime/meta/0008_snapshot.json +2263 -0
- package/drizzle/runtime/meta/0009_snapshot.json +2397 -0
- package/drizzle/{meta → runtime/meta}/_journal.json +14 -0
- package/package.json +56 -18
- package/spicedb/schema.zed +114 -0
- package/dist/context/ContextFetcher.d.ts +0 -73
- package/dist/context/ContextFetcher.js +0 -291
- package/dist/context/ContextResolver.d.ts +0 -60
- package/dist/context/ContextResolver.js +0 -278
- package/dist/context/context.d.ts +0 -27
- package/dist/context/context.js +0 -128
- package/dist/context/contextCache.d.ts +0 -58
- package/dist/context/contextCache.js +0 -177
- package/dist/data-access/agentFull.d.ts +0 -33
- package/dist/data-access/functionTools.d.ts +0 -169
- package/dist/data-access/projectFull.d.ts +0 -32
- package/dist/data-access/projects.d.ts +0 -71
- package/dist/data-access/tasks.d.ts +0 -45
- package/dist/data-access/users.d.ts +0 -19
- package/dist/db/client.d.ts +0 -20
- package/dist/db/client.js +0 -28
- package/dist/db/test-client.d.ts +0 -31
- package/dist/middleware/contextValidation.d.ts +0 -46
- package/dist/middleware/contextValidation.js +0 -280
- package/dist/middleware/index.d.ts +0 -2
- package/dist/middleware/index.js +0 -3
- package/dist/utils/execution.d.ts +0 -22
- package/dist/utils/execution.js +0 -25
- /package/drizzle/{0000_exotic_mysterio.sql → runtime/0000_exotic_mysterio.sql} +0 -0
- /package/drizzle/{0001_calm_sheva_callister.sql → runtime/0001_calm_sheva_callister.sql} +0 -0
- /package/drizzle/{0002_puzzling_goblin_queen.sql → runtime/0002_puzzling_goblin_queen.sql} +0 -0
- /package/drizzle/{0003_sweet_human_robot.sql → runtime/0003_sweet_human_robot.sql} +0 -0
- /package/drizzle/{0004_cuddly_shooting_star.sql → runtime/0004_cuddly_shooting_star.sql} +0 -0
- /package/drizzle/{0005_reflective_starfox.sql → runtime/0005_reflective_starfox.sql} +0 -0
- /package/drizzle/{0006_stale_thaddeus_ross.sql → runtime/0006_stale_thaddeus_ross.sql} +0 -0
- /package/drizzle/{0007_slim_karma.sql → runtime/0007_slim_karma.sql} +0 -0
- /package/drizzle/{meta → runtime/meta}/0000_snapshot.json +0 -0
- /package/drizzle/{meta → runtime/meta}/0001_snapshot.json +0 -0
- /package/drizzle/{meta → runtime/meta}/0003_snapshot.json +0 -0
- /package/drizzle/{meta → runtime/meta}/0005_snapshot.json +0 -0
- /package/drizzle/{meta → runtime/meta}/0006_snapshot.json +0 -0
- /package/drizzle/{meta → runtime/meta}/0007_snapshot.json +0 -0
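--- a/package/dist/auth/auth.d.ts
+++ b/package/dist/auth/auth.d.ts
@@ -1,4 +1,4 @@
-import {
+import { AgentsRunDatabaseClient } from "../db/runtime/runtime-client.js";
 import * as _better_auth_sso0 from "@better-auth/sso";
 import * as better_auth0 from "better-auth";
 import { BetterAuthAdvancedOptions } from "better-auth";
@@ -56,7 +56,7 @@ interface SSOProviderConfig {
 interface BetterAuthConfig {
 baseURL: string;
 secret: string;
-dbClient:
+dbClient: AgentsRunDatabaseClient;
 ssoProviders?: SSOProviderConfig[];
 socialProviders?: {
 google?: GoogleOptions;
@@ -81,6 +81,12 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
 requireEmailVerification: false;
 autoSignIn: true;
 };
+account: {
+accountLinking: {
+enabled: true;
+trustedProviders: ("google" | "email-password" | "auth0")[];
+};
+};
 databaseHooks: {
 session: {
 create: {
@@ -846,25 +852,25 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
 ac: better_auth_plugins0.AccessControl;
 roles: {
 member: {
-authorize<K_1 extends "
-actions: better_auth_plugins0.Subset<"
+authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
+actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
 connector: "OR" | "AND";
 } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-statements: better_auth_plugins0.Subset<"
+statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
 };
 admin: {
-authorize<K_1 extends "
-actions: better_auth_plugins0.Subset<"
+authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
+actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
 connector: "OR" | "AND";
 } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-statements: better_auth_plugins0.Subset<"
+statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
 };
 owner: {
-authorize<K_1 extends "
-actions: better_auth_plugins0.Subset<"
+authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
+actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
 connector: "OR" | "AND";
 } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-statements: better_auth_plugins0.Subset<"
+statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
 };
 };
 membershipLimit: number;
@@ -880,6 +886,36 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
 user: better_auth0.User;
 };
 }): Promise<void>;
+organizationHooks: {
+afterAcceptInvitation: ({
+member,
+user,
+organization: org
+}: {
+invitation: better_auth_plugins0.Invitation & Record<string, any>;
+member: better_auth_plugins0.Member & Record<string, any>;
+user: better_auth0.User & Record<string, any>;
+organization: better_auth_plugins0.Organization & Record<string, any>;
+}) => Promise<void>;
+beforeUpdateMemberRole: ({
+member,
+organization: org,
+newRole
+}: {
+member: better_auth_plugins0.Member & Record<string, any>;
+newRole: string;
+user: better_auth0.User & Record<string, any>;
+organization: better_auth_plugins0.Organization & Record<string, any>;
+}) => Promise<void>;
+afterRemoveMember: ({
+member,
+organization: org
+}: {
+member: better_auth_plugins0.Member & Record<string, any>;
+user: better_auth0.User & Record<string, any>;
+organization: better_auth_plugins0.Organization & Record<string, any>;
+}) => Promise<void>;
+};
 }>;
 schema: {
 organization: {
@@ -1125,25 +1161,25 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
 ac: better_auth_plugins0.AccessControl;
 roles: {
 member: {
-authorize<K_1 extends "
-actions: better_auth_plugins0.Subset<"
+authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
+actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
 connector: "OR" | "AND";
 } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-statements: better_auth_plugins0.Subset<"
+statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
 };
 admin: {
-authorize<K_1 extends "
-actions: better_auth_plugins0.Subset<"
+authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
+actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
 connector: "OR" | "AND";
 } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-statements: better_auth_plugins0.Subset<"
+statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
 };
 owner: {
-authorize<K_1 extends "
-actions: better_auth_plugins0.Subset<"
+authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
+actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
 connector: "OR" | "AND";
 } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-statements: better_auth_plugins0.Subset<"
+statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
 };
 };
 membershipLimit: number;
@@ -1159,6 +1195,36 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
 user: better_auth0.User;
 };
 }): Promise<void>;
+organizationHooks: {
+afterAcceptInvitation: ({
+member,
+user,
+organization: org
+}: {
+invitation: better_auth_plugins0.Invitation & Record<string, any>;
+member: better_auth_plugins0.Member & Record<string, any>;
+user: better_auth0.User & Record<string, any>;
+organization: better_auth_plugins0.Organization & Record<string, any>;
+}) => Promise<void>;
+beforeUpdateMemberRole: ({
+member,
+organization: org,
+newRole
+}: {
+member: better_auth_plugins0.Member & Record<string, any>;
+newRole: string;
+user: better_auth0.User & Record<string, any>;
+organization: better_auth_plugins0.Organization & Record<string, any>;
+}) => Promise<void>;
+afterRemoveMember: ({
+member,
+organization: org
+}: {
+member: better_auth_plugins0.Member & Record<string, any>;
+user: better_auth0.User & Record<string, any>;
+organization: better_auth_plugins0.Organization & Record<string, any>;
+}) => Promise<void>;
+};
 }>;
 }, {
 id: "device-authorization";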
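--- a/package/dist/auth/auth.js
+++ b/package/dist/auth/auth.js
@@ -1,4 +1,5 @@
 import { member, ssoProvider } from "./auth-schema.js";
+import { OrgRoles } from "./authz/config.js";
 import { env } from "../env.js";
 import { generateId } from "../utils/conversations.js";
 import "../utils/index.js";
@@ -22,7 +23,7 @@ async function getInitialOrganization(dbClient, userId) {
 /**
 * Extracts the root domain from a URL for cross-subdomain cookie sharing.
 * For example:
-* - https://
+* - https://api.pilot.inkeep.com -> .pilot.inkeep.com
 * - https://pilot.inkeep.com -> .pilot.inkeep.com
 * - http://localhost:3002 -> undefined (no domain for localhost)
 *
@@ -76,6 +77,14 @@ function createAuth(config) {
 requireEmailVerification: false,
 autoSignIn: true
 },
+account: { accountLinking: {
+enabled: true,
+trustedProviders: [
+"auth0",
+"google",
+"email-password"
+]
+} },
 databaseHooks: { session: { create: { before: async (session) => {
 const organization$1 = await getInitialOrganization(config.dbClient, session.userId);
 return { data: {
@@ -114,7 +123,7 @@ function createAuth(config) {
 "http://localhost:3000",
 "http://localhost:3002",
 env.INKEEP_AGENTS_MANAGE_UI_URL,
-env.
+env.INKEEP_AGENTS_API_URL,
 env.TRUSTED_ORIGIN
 ].filter((origin) => typeof origin === "string" && origin.length > 0),
 plugins: [
@@ -139,6 +148,55 @@ function createAuth(config) {
 organization: data.organization.name,
 invitationId: data.id
 });
+},
+organizationHooks: {
+afterAcceptInvitation: async ({ member: member$1, user, organization: org }) => {
+try {
+const { syncOrgMemberToSpiceDb } = await import("./authz/sync.js");
+await syncOrgMemberToSpiceDb({
+tenantId: org.id,
+userId: user.id,
+role: member$1.role,
+action: "add"
+});
+console.log(`🔐 SpiceDB: Synced member ${user.email} as ${member$1.role} to org ${org.name}`);
+} catch (error) {
+console.error("❌ SpiceDB sync failed for new member:", error);
+}
+},
+beforeUpdateMemberRole: async ({ member: member$1, organization: org, newRole }) => {
+const { changeOrgRole, revokeAllProjectMemberships } = await import("./authz/sync.js");
+const oldRole = member$1.role;
+const targetRole = newRole;
+await changeOrgRole({
+tenantId: org.id,
+userId: member$1.userId,
+oldRole,
+newRole: targetRole
+});
+console.log(`🔐 SpiceDB: Updated member ${member$1.userId} role from ${oldRole} to ${targetRole} in org ${org.name}`);
+if (oldRole === OrgRoles.MEMBER && (targetRole === OrgRoles.ADMIN || targetRole === OrgRoles.OWNER)) {
+await revokeAllProjectMemberships({
+tenantId: org.id,
+userId: member$1.userId
+});
+console.log(`🔐 SpiceDB: Revoked all project memberships for ${member$1.userId} (promoted to ${targetRole})`);
+}
+},
+afterRemoveMember: async ({ member: member$1, organization: org }) => {
+try {
+const { syncOrgMemberToSpiceDb } = await import("./authz/sync.js");
+await syncOrgMemberToSpiceDb({
+tenantId: org.id,
+userId: member$1.userId,
+role: member$1.role,
+action: "remove"
+});
+console.log(`🔐 SpiceDB: Removed member ${member$1.userId} from org ${org.name}`);
+} catch (error) {
+console.error("❌ SpiceDB sync failed for member removal:", error);
+}
+}
 }
 }),
 deviceAuthorization({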
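Review bot: In afterRemoveMember (organizationHooks hunk, new lines 186–198) a failed syncOrgMemberToSpiceDb call is caught and only logged, so the member is gone from the Better Auth tables while their SpiceDB relationships survive and keep granting access until something re-syncs; afterAcceptInvitation has the same shape and leaves a member with no SpiceDB entry at all. beforeUpdateMemberRole, by contrast, lets changeOrgRole and revokeAllProjectMemberships throw and thereby blocks the role change, which is the safer behaviour for a removal as well. If the swallow is deliberate, the catch should at least record the identifiers needed to find and repair the drift, e.g. `console.error("❌ SpiceDB sync failed for member removal:", { tenantId: org.id, userId: member$1.userId }, error);`, and ideally hand the failure to a retry path rather than dropping it. Separately, in the account hunk, listing `"email-password"` among accountLinking.trustedProviders while the emailAndPassword block keeps `requireEmailVerification: false` (context line 77) deserves a comment explaining why an unverified password sign-up is trusted to link to an existing account with the same email. createAuth starts and ends outside the hunk.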
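--- /dev/null
+++ b/package/dist/auth/authz/client.d.ts
@@ -0,0 +1,87 @@
+import { v1 } from "@authzed/authzed-node";
+
+//#region src/auth/authz/client.d.ts
+
+type ZedClientInterface = ReturnType<typeof v1.NewClient>;
+/**
+* Get the SpiceDB client singleton.
+* Creates a new client on first call.
+*/
+declare function getSpiceClient(): ZedClientInterface;
+/**
+* Reset the client (useful for testing)
+*/
+declare function resetSpiceClient(): void;
+declare const RelationshipOperation: typeof v1.RelationshipUpdate_Operation;
+declare const Permissionship: typeof v1.CheckPermissionResponse_Permissionship;
+/**
+* Check if a subject has a permission on a resource.
+* Note: Caller must verify isAuthzEnabled() before calling.
+*/
+declare function checkPermission(params: {
+resourceType: string;
+resourceId: string;
+permission: string;
+subjectType: string;
+subjectId: string;
+}): Promise<boolean>;
+/**
+* Check multiple permissions on a resource in a single request.
+* More efficient than multiple checkPermission calls.
+*
+* @returns Record mapping permission names to boolean results
+*/
+declare function checkBulkPermissions(params: {
+resourceType: string;
+resourceId: string;
+permissions: string[];
+subjectType: string;
+subjectId: string;
+}): Promise<Record<string, boolean>>;
+/**
+* Find all resources of a type that a subject has a permission on.
+*/
+declare function lookupResources(params: {
+resourceType: string;
+permission: string;
+subjectType: string;
+subjectId: string;
+}): Promise<string[]>;
+/**
+* Write a relationship to SpiceDB.
+*/
+declare function writeRelationship(params: {
+resourceType: string;
+resourceId: string;
+relation: string;
+subjectType: string;
+subjectId: string;
+}): Promise<void>;
+/**
+* Delete a relationship from SpiceDB.
+*/
+declare function deleteRelationship(params: {
+resourceType: string;
+resourceId: string;
+relation: string;
+subjectType: string;
+subjectId: string;
+}): Promise<void>;
+/**
+* Read relationships for a resource to list subjects with access.
+* Optionally filter by subject type and ID.
+*/
+declare function readRelationships(params: {
+resourceType: string;
+resourceId?: string;
+relation?: string;
+subjectType?: string;
+subjectId?: string;
+}): Promise<Array<{
+resourceId: string;
+subjectType: string;
+subjectId: string;
+relation: string;
+}>>;
+//#endregion
+export { Permissionship, RelationshipOperation, checkBulkPermissions, checkPermission, deleteRelationship, getSpiceClient, lookupResources, readRelationships, resetSpiceClient, v1, writeRelationship };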
@@ -0,0 +1,196 @@
|
|
|
1
|
+
import { getSpiceDbConfig } from "./config.js";
|
|
2
|
+
import { v1 } from "@authzed/authzed-node";
|
|
3
|
+
|
|
4
|
+
//#region src/auth/authz/client.ts
|
|
5
|
+
/**
|
|
6
|
+
* SpiceDB Client Wrapper
|
|
7
|
+
*
|
|
8
|
+
* Provides a singleton SpiceDB client and helper functions for common operations.
|
|
9
|
+
*/
|
|
10
|
+
const { RelationshipUpdate_Operation, CheckPermissionResponse_Permissionship } = v1;
|
|
11
|
+
let client = null;
|
|
12
|
+
/**
|
|
13
|
+
* Get the SpiceDB client singleton.
|
|
14
|
+
* Creates a new client on first call.
|
|
15
|
+
*/
|
|
16
|
+
function getSpiceClient() {
|
|
17
|
+
if (!client) {
|
|
18
|
+
const config = getSpiceDbConfig();
|
|
19
|
+
client = v1.NewClient(config.token, config.endpoint, config.tlsEnabled ? v1.ClientSecurity.SECURE : v1.ClientSecurity.INSECURE_LOCALHOST_ALLOWED);
|
|
20
|
+
}
|
|
21
|
+
return client;
|
|
22
|
+
}
|
|
23
|
+
/**
|
|
24
|
+
* Reset the client (useful for testing)
|
|
25
|
+
*/
|
|
26
|
+
function resetSpiceClient() {
|
|
27
|
+
client = null;
|
|
28
|
+
}
|
|
29
|
+
const RelationshipOperation = RelationshipUpdate_Operation;
|
|
30
|
+
const Permissionship = CheckPermissionResponse_Permissionship;
|
|
31
|
+
/**
|
|
32
|
+
* Check if a subject has a permission on a resource.
|
|
33
|
+
* Note: Caller must verify isAuthzEnabled() before calling.
|
|
34
|
+
*/
|
|
35
|
+
async function checkPermission(params) {
|
|
36
|
+
return (await getSpiceClient().promises.checkPermission({
|
|
37
|
+
resource: {
|
|
38
|
+
objectType: params.resourceType,
|
|
39
|
+
objectId: params.resourceId
|
|
40
|
+
},
|
|
41
|
+
permission: params.permission,
|
|
42
|
+
subject: {
|
|
43
|
+
object: {
|
|
44
|
+
objectType: params.subjectType,
|
|
45
|
+
objectId: params.subjectId
|
|
46
|
+
},
|
|
47
|
+
optionalRelation: ""
|
|
48
|
+
},
|
|
49
|
+
consistency: { requirement: {
|
|
50
|
+
oneofKind: "fullyConsistent",
|
|
51
|
+
fullyConsistent: true
|
|
52
|
+
} },
|
|
53
|
+
context: void 0,
|
|
54
|
+
withTracing: false
|
|
55
|
+
})).permissionship === CheckPermissionResponse_Permissionship.HAS_PERMISSION;
|
|
56
|
+
}
|
|
57
|
+
/**
|
|
58
|
+
* Check multiple permissions on a resource in a single request.
|
|
59
|
+
* More efficient than multiple checkPermission calls.
|
|
60
|
+
*
|
|
61
|
+
* @returns Record mapping permission names to boolean results
|
|
62
|
+
*/
|
|
63
|
+
async function checkBulkPermissions(params) {
|
|
64
|
+
const spice = getSpiceClient();
|
|
65
|
+
const items = params.permissions.map((permission) => v1.CheckBulkPermissionsRequestItem.create({
|
|
66
|
+
resource: v1.ObjectReference.create({
|
|
67
|
+
objectType: params.resourceType,
|
|
68
|
+
objectId: params.resourceId
|
|
69
|
+
}),
|
|
70
|
+
permission,
|
|
71
|
+
subject: v1.SubjectReference.create({ object: v1.ObjectReference.create({
|
|
72
|
+
objectType: params.subjectType,
|
|
73
|
+
objectId: params.subjectId
|
|
74
|
+
}) })
|
|
75
|
+
}));
|
|
76
|
+
const response = await spice.promises.checkBulkPermissions(v1.CheckBulkPermissionsRequest.create({
|
|
77
|
+
items,
|
|
78
|
+
consistency: { requirement: {
|
|
79
|
+
oneofKind: "fullyConsistent",
|
|
80
|
+
fullyConsistent: true
|
|
81
|
+
} }
|
|
82
|
+
}));
|
|
83
|
+
const result = {};
|
|
84
|
+
for (let i = 0; i < params.permissions.length; i++) {
|
|
85
|
+
const permission = params.permissions[i];
|
|
86
|
+
const pair = response.pairs[i];
|
|
87
|
+
if (pair.response.oneofKind === "item") result[permission] = pair.response.item.permissionship === CheckPermissionResponse_Permissionship.HAS_PERMISSION;
|
|
88
|
+
else result[permission] = false;
|
|
89
|
+
}
|
|
90
|
+
return result;
|
|
91
|
+
}
|
|
92
|
+
/**
|
|
93
|
+
* Find all resources of a type that a subject has a permission on.
|
|
94
|
+
*/
|
|
95
|
+
async function lookupResources(params) {
|
|
96
|
+
return (await getSpiceClient().promises.lookupResources({
|
|
97
|
+
resourceObjectType: params.resourceType,
|
|
98
|
+
permission: params.permission,
|
|
99
|
+
subject: {
|
|
100
|
+
object: {
|
|
101
|
+
objectType: params.subjectType,
|
|
102
|
+
objectId: params.subjectId
|
|
103
|
+
},
|
|
104
|
+
optionalRelation: ""
|
|
105
|
+
},
|
|
106
|
+
consistency: { requirement: {
|
|
107
|
+
oneofKind: "fullyConsistent",
|
|
108
|
+
fullyConsistent: true
|
|
109
|
+
} },
|
|
110
|
+
context: void 0,
|
|
111
|
+
optionalLimit: 0,
|
|
112
|
+
optionalCursor: void 0
|
|
113
|
+
})).map((item) => item.resourceObjectId);
|
|
114
|
+
}
|
|
115
|
+
/**
|
|
116
|
+
* Write a relationship to SpiceDB.
|
|
117
|
+
*/
|
|
118
|
+
async function writeRelationship(params) {
|
|
119
|
+
await getSpiceClient().promises.writeRelationships({
|
|
120
|
+
updates: [{
|
|
121
|
+
operation: RelationshipUpdate_Operation.TOUCH,
|
|
122
|
+
relationship: {
|
|
123
|
+
resource: {
|
|
124
|
+
objectType: params.resourceType,
|
|
125
|
+
objectId: params.resourceId
|
|
126
|
+
},
|
|
127
|
+
relation: params.relation,
|
|
128
|
+
subject: {
|
|
129
|
+
object: {
|
|
130
|
+
objectType: params.subjectType,
|
|
131
|
+
objectId: params.subjectId
|
|
132
|
+
},
|
|
133
|
+
optionalRelation: ""
|
|
134
|
+
},
|
|
135
|
+
optionalCaveat: void 0
|
|
136
|
+
}
|
|
137
|
+
}],
|
|
138
|
+
optionalPreconditions: [],
|
|
139
|
+
optionalTransactionMetadata: void 0
|
|
140
|
+
});
|
|
141
|
+
}
|
|
142
|
+
/**
|
|
143
|
+
* Delete a relationship from SpiceDB.
|
|
144
|
+
*/
|
|
145
|
+
async function deleteRelationship(params) {
|
|
146
|
+
await getSpiceClient().promises.deleteRelationships({
|
|
147
|
+
relationshipFilter: {
|
|
148
|
+
resourceType: params.resourceType,
|
|
149
|
+
optionalResourceId: params.resourceId,
|
|
150
|
+
optionalResourceIdPrefix: "",
|
|
151
|
+
optionalRelation: params.relation,
|
|
152
|
+
optionalSubjectFilter: {
|
|
153
|
+
subjectType: params.subjectType,
|
|
154
|
+
optionalSubjectId: params.subjectId,
|
|
155
|
+
optionalRelation: void 0
|
|
156
|
+
}
|
|
157
|
+
},
|
|
158
|
+
optionalPreconditions: [],
|
|
159
|
+
optionalLimit: 0,
|
|
160
|
+
optionalAllowPartialDeletions: false,
|
|
161
|
+
optionalTransactionMetadata: void 0
|
|
162
|
+
});
|
|
163
|
+
}
|
|
164
|
+
/**
|
|
165
|
+
* Read relationships for a resource to list subjects with access.
|
|
166
|
+
* Optionally filter by subject type and ID.
|
|
167
|
+
*/
|
|
168
|
+
async function readRelationships(params) {
|
|
169
|
+
return (await getSpiceClient().promises.readRelationships({
|
|
170
|
+
relationshipFilter: {
|
|
171
|
+
resourceType: params.resourceType,
|
|
172
|
+
optionalResourceId: params.resourceId || "",
|
|
173
|
+
optionalResourceIdPrefix: "",
|
|
174
|
+
optionalRelation: params.relation || "",
|
|
175
|
+
optionalSubjectFilter: params.subjectType || params.subjectId ? {
|
|
176
|
+
subjectType: params.subjectType || "",
|
|
177
|
+
optionalSubjectId: params.subjectId || "",
|
|
178
|
+
optionalRelation: void 0
|
|
179
|
+
} : void 0
|
|
180
|
+
},
|
|
181
|
+
consistency: { requirement: {
|
|
182
|
+
oneofKind: "fullyConsistent",
|
|
183
|
+
fullyConsistent: true
|
|
184
|
+
} },
|
|
185
|
+
optionalLimit: 0,
|
|
186
|
+
optionalCursor: void 0
|
|
187
|
+
})).map((item) => ({
|
|
188
|
+
resourceId: item.relationship?.resource?.objectId || "",
|
|
189
|
+
subjectType: item.relationship?.subject?.object?.objectType || "",
|
|
190
|
+
subjectId: item.relationship?.subject?.object?.objectId || "",
|
|
191
|
+
relation: item.relationship?.relation || ""
|
|
192
|
+
}));
|
|
193
|
+
}
|
|
194
|
+
|
|
195
|
+
//#endregion
|
|
196
|
+
export { Permissionship, RelationshipOperation, checkBulkPermissions, checkPermission, deleteRelationship, getSpiceClient, lookupResources, readRelationships, resetSpiceClient, v1, writeRelationship };
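Review bot: `deleteRelationship` forwards `params.resourceId` and `params.subjectId` unchecked into `optionalResourceId` / `optionalSubjectId`, and this file itself relies on the SpiceDB convention that an empty optional filter field means "no filter" (see `params.resourceId || ""` in `readRelationships`), so a caller passing `""` — which the declared `string` type allows — would delete the relation for every resource of that type or every subject rather than the single tuple the name implies. I would fail closed at the top of the function: `if (!params.resourceId || !params.subjectId) throw new Error("deleteRelationship: resourceId and subjectId must be non-empty");`. In `checkBulkPermissions`, `response.pairs[i]` is indexed positionally and dereferenced without a guard, so a response with fewer pairs than `params.permissions` throws on `pair.response`, and an `error` pair is folded into `false` with nothing logged; denying on error is the right default for an authorization check, but the backend failure is lost, so consider `if (!pair) { result[permission] = false; continue; }` plus a log line on the `oneofKind !== "item"` branch. Duplicate names in `params.permissions` also collapse into one key of the returned record, which the TSDoc `@returns` should mention.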
|
|
@@ -0,0 +1,103 @@
|
|
|
1
|
+
//#region src/auth/authz/config.d.ts
|
|
2
|
+
/**
|
|
3
|
+
* SpiceDB Authorization Configuration
|
|
4
|
+
*
|
|
5
|
+
* Feature flag and configuration for the SpiceDB authorization system.
|
|
6
|
+
*/
|
|
7
|
+
declare function isAuthzEnabled(): boolean;
|
|
8
|
+
/**
|
|
9
|
+
* Get SpiceDB connection configuration from environment variables.
|
|
10
|
+
* TLS is auto-detected: disabled for localhost, enabled for remote endpoints.
|
|
11
|
+
*/
|
|
12
|
+
declare function getSpiceDbConfig(): {
|
|
13
|
+
endpoint: string;
|
|
14
|
+
token: string;
|
|
15
|
+
tlsEnabled: boolean;
|
|
16
|
+
};
|
|
17
|
+
/**
|
|
18
|
+
* SpiceDB resource types used in the schema
|
|
19
|
+
*/
|
|
20
|
+
declare const SpiceDbResourceTypes: {
|
|
21
|
+
readonly USER: "user";
|
|
22
|
+
readonly ORGANIZATION: "organization";
|
|
23
|
+
readonly PROJECT: "project";
|
|
24
|
+
};
|
|
25
|
+
/**
|
|
26
|
+
* SpiceDB relations used in the schema
|
|
27
|
+
*
|
|
28
|
+
* Relations are named as nouns (roles) per SpiceDB best practices.
|
|
29
|
+
* Project roles are prefixed for clarity when debugging/grepping.
|
|
30
|
+
*/
|
|
31
|
+
declare const SpiceDbRelations: {
|
|
32
|
+
readonly OWNER: "owner";
|
|
33
|
+
readonly ADMIN: "admin";
|
|
34
|
+
readonly MEMBER: "member";
|
|
35
|
+
readonly ORGANIZATION: "organization";
|
|
36
|
+
readonly PROJECT_ADMIN: "project_admin";
|
|
37
|
+
readonly PROJECT_MEMBER: "project_member";
|
|
38
|
+
readonly PROJECT_VIEWER: "project_viewer";
|
|
39
|
+
};
|
|
40
|
+
/**
|
|
41
|
+
* SpiceDB permissions for organization resources.
|
|
42
|
+
*
|
|
43
|
+
* From schema.zed definition organization:
|
|
44
|
+
* - view: owner + admin + member
|
|
45
|
+
* - manage: owner + admin (includes managing org settings and all projects)
|
|
46
|
+
*/
|
|
47
|
+
declare const SpiceDbOrgPermissions: {
|
|
48
|
+
readonly VIEW: "view";
|
|
49
|
+
readonly MANAGE: "manage";
|
|
50
|
+
};
|
|
51
|
+
type SpiceDbOrgPermission = (typeof SpiceDbOrgPermissions)[keyof typeof SpiceDbOrgPermissions];
|
|
52
|
+
/**
|
|
53
|
+
* SpiceDB permissions for project resources.
|
|
54
|
+
*
|
|
55
|
+
* From schema.zed definition project:
|
|
56
|
+
* - view: read-only access to project and its resources
|
|
57
|
+
* - use: invoke agents, create API keys, view traces
|
|
58
|
+
* - edit: modify configurations, manage members
|
|
59
|
+
*/
|
|
60
|
+
declare const SpiceDbProjectPermissions: {
|
|
61
|
+
readonly VIEW: "view";
|
|
62
|
+
readonly USE: "use";
|
|
63
|
+
readonly EDIT: "edit";
|
|
64
|
+
};
|
|
65
|
+
type SpiceDbProjectPermission = (typeof SpiceDbProjectPermissions)[keyof typeof SpiceDbProjectPermissions];
|
|
66
|
+
/**
|
|
67
|
+
* Permission levels for project access checks.
|
|
68
|
+
*/
|
|
69
|
+
type ProjectPermissionLevel = SpiceDbProjectPermission;
|
|
70
|
+
/**
|
|
71
|
+
* Organization roles from SpiceDB schema.
|
|
72
|
+
*/
|
|
73
|
+
declare const OrgRoles: {
|
|
74
|
+
readonly OWNER: "owner";
|
|
75
|
+
readonly ADMIN: "admin";
|
|
76
|
+
readonly MEMBER: "member";
|
|
77
|
+
};
|
|
78
|
+
type OrgRole = (typeof OrgRoles)[keyof typeof OrgRoles];
|
|
79
|
+
/**
|
|
80
|
+
* Project roles from SpiceDB schema.
|
|
81
|
+
*
|
|
82
|
+
* Hierarchy:
|
|
83
|
+
* - project_admin: Full access (view + use + edit + manage members)
|
|
84
|
+
* - project_member: Operator access (view + use: invoke agents, create API keys)
|
|
85
|
+
* - project_viewer: Read-only access (view only)
|
|
86
|
+
*/
|
|
87
|
+
declare const ProjectRoles: {
|
|
88
|
+
readonly ADMIN: "project_admin";
|
|
89
|
+
readonly MEMBER: "project_member";
|
|
90
|
+
readonly VIEWER: "project_viewer";
|
|
91
|
+
};
|
|
92
|
+
type ProjectRole = (typeof ProjectRoles)[keyof typeof ProjectRoles];
|
|
93
|
+
/**
|
|
94
|
+
* Project permission capabilities.
|
|
95
|
+
* Maps to the SpiceDB permission checks (view, use, edit).
|
|
96
|
+
*/
|
|
97
|
+
interface ProjectPermissions {
|
|
98
|
+
canView: boolean;
|
|
99
|
+
canUse: boolean;
|
|
100
|
+
canEdit: boolean;
|
|
101
|
+
}
|
|
102
|
+
//#endregion
|
|
103
|
+
export { OrgRole, OrgRoles, ProjectPermissionLevel, ProjectPermissions, ProjectRole, ProjectRoles, SpiceDbOrgPermission, SpiceDbOrgPermissions, SpiceDbProjectPermission, SpiceDbProjectPermissions, SpiceDbRelations, SpiceDbResourceTypes, getSpiceDbConfig, isAuthzEnabled };
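Review bot: The TSDoc on `getSpiceDbConfig` does not say that the `token` field of the returned object is the SpiceDB preshared key, so callers have no hint that the whole config object must not be logged, serialized into error messages, or returned from an API. I would add to that comment: `* The returned \`token\` is the SpiceDB preshared key; never log or serialize the returned object.` The comment also says TLS is auto-detected from the endpoint, so it is worth stating there (or in `isAuthzEnabled`) which environment variables are read, since the declaration gives a consumer no other way to find that out.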
|