@inkeep/agents-core 0.41.2 → 0.43.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/api-client/base-client.d.ts +87 -8
- package/dist/api-client/base-client.js +174 -1
- package/dist/api-client/eval-api-client.d.ts +47 -0
- package/dist/api-client/eval-api-client.js +65 -0
- package/dist/api-client/index.d.ts +4 -0
- package/dist/api-client/index.js +5 -0
- package/dist/api-client/manage-api-client.d.ts +34 -0
- package/dist/api-client/manage-api-client.js +104 -0
- package/dist/auth/auth.d.ts +86 -20
- package/dist/auth/auth.js +60 -2
- package/dist/auth/authz/client.d.ts +87 -0
- package/dist/auth/authz/client.js +196 -0
- package/dist/auth/authz/config.d.ts +103 -0
- package/dist/auth/authz/config.js +93 -0
- package/dist/auth/authz/index.d.ts +5 -0
- package/dist/auth/authz/index.js +6 -0
- package/dist/auth/authz/permissions.d.ts +53 -0
- package/dist/auth/authz/permissions.js +83 -0
- package/dist/auth/authz/sync.d.ts +106 -0
- package/dist/auth/authz/sync.js +321 -0
- package/dist/auth/permissions.d.ts +13 -13
- package/dist/auth/permissions.js +2 -181
- package/dist/client-exports.d.ts +9 -3
- package/dist/client-exports.js +4 -2
- package/dist/constants/context-breakdown.d.ts +61 -0
- package/dist/constants/context-breakdown.js +124 -0
- package/dist/constants/execution-limits-shared/defaults.d.ts +1 -1
- package/dist/constants/execution-limits-shared/defaults.js +1 -1
- package/dist/constants/execution-limits-shared/index.d.ts +1 -1
- package/dist/constants/otel-attributes.d.ts +4 -0
- package/dist/constants/otel-attributes.js +4 -0
- package/dist/context/ContextConfig.d.ts +2 -2
- package/dist/context/ContextConfig.js +3 -3
- package/dist/context/TemplateEngine.d.ts +0 -6
- package/dist/context/TemplateEngine.js +4 -19
- package/dist/context/index.d.ts +1 -5
- package/dist/context/index.js +1 -5
- package/dist/credential-stores/keychain-store.d.ts +20 -8
- package/dist/credential-stores/keychain-store.js +107 -43
- package/dist/credential-stuffer/CredentialStuffer.d.ts +1 -1
- package/dist/data-access/index.d.ts +34 -26
- package/dist/data-access/index.js +34 -26
- package/dist/data-access/manage/agentFull.d.ts +36 -0
- package/dist/data-access/{agentFull.js → manage/agentFull.js} +209 -7
- package/dist/data-access/{agents.d.ts → manage/agents.d.ts} +64 -63
- package/dist/data-access/{agents.js → manage/agents.js} +80 -27
- package/dist/data-access/{artifactComponents.d.ts → manage/artifactComponents.d.ts} +33 -33
- package/dist/data-access/{artifactComponents.js → manage/artifactComponents.js} +5 -5
- package/dist/data-access/{contextConfigs.d.ts → manage/contextConfigs.d.ts} +26 -26
- package/dist/data-access/{contextConfigs.js → manage/contextConfigs.js} +3 -3
- package/dist/data-access/{credentialReferences.d.ts → manage/credentialReferences.d.ts} +17 -17
- package/dist/data-access/{credentialReferences.js → manage/credentialReferences.js} +2 -2
- package/dist/data-access/{dataComponents.d.ts → manage/dataComponents.d.ts} +26 -26
- package/dist/data-access/{dataComponents.js → manage/dataComponents.js} +7 -7
- package/dist/data-access/manage/evalConfig.d.ts +221 -0
- package/dist/data-access/manage/evalConfig.js +275 -0
- package/dist/data-access/{externalAgents.d.ts → manage/externalAgents.d.ts} +16 -16
- package/dist/data-access/{externalAgents.js → manage/externalAgents.js} +2 -2
- package/dist/data-access/manage/functionTools.d.ts +242 -0
- package/dist/data-access/{functionTools.js → manage/functionTools.js} +124 -30
- package/dist/data-access/{functions.d.ts → manage/functions.d.ts} +9 -9
- package/dist/data-access/{functions.js → manage/functions.js} +3 -3
- package/dist/data-access/manage/projectFull.d.ts +38 -0
- package/dist/data-access/{projectFull.js → manage/projectFull.js} +64 -65
- package/dist/data-access/manage/projectLifecycle.d.ts +119 -0
- package/dist/data-access/manage/projectLifecycle.js +234 -0
- package/dist/data-access/manage/projects.d.ts +75 -0
- package/dist/data-access/{projects.js → manage/projects.js} +15 -16
- package/dist/data-access/{subAgentExternalAgentRelations.d.ts → manage/subAgentExternalAgentRelations.d.ts} +43 -43
- package/dist/data-access/{subAgentExternalAgentRelations.js → manage/subAgentExternalAgentRelations.js} +2 -2
- package/dist/data-access/{subAgentRelations.d.ts → manage/subAgentRelations.d.ts} +65 -65
- package/dist/data-access/{subAgentRelations.js → manage/subAgentRelations.js} +3 -3
- package/dist/data-access/{subAgentTeamAgentRelations.d.ts → manage/subAgentTeamAgentRelations.d.ts} +43 -43
- package/dist/data-access/{subAgentTeamAgentRelations.js → manage/subAgentTeamAgentRelations.js} +2 -2
- package/dist/data-access/{subAgents.d.ts → manage/subAgents.d.ts} +28 -28
- package/dist/data-access/{subAgents.js → manage/subAgents.js} +4 -4
- package/dist/data-access/{tools.d.ts → manage/tools.d.ts} +65 -52
- package/dist/data-access/{tools.js → manage/tools.js} +109 -64
- package/dist/data-access/manage/triggers.d.ts +106 -0
- package/dist/data-access/manage/triggers.js +81 -0
- package/dist/data-access/{apiKeys.d.ts → runtime/apiKeys.d.ts} +37 -37
- package/dist/data-access/{apiKeys.js → runtime/apiKeys.js} +3 -3
- package/dist/data-access/runtime/cascade-delete.d.ts +77 -0
- package/dist/data-access/runtime/cascade-delete.js +111 -0
- package/dist/data-access/{contextCache.d.ts → runtime/contextCache.d.ts} +13 -13
- package/dist/data-access/{contextCache.js → runtime/contextCache.js} +5 -5
- package/dist/data-access/{conversations.d.ts → runtime/conversations.d.ts} +80 -31
- package/dist/data-access/{conversations.js → runtime/conversations.js} +13 -7
- package/dist/data-access/runtime/evalRuns.d.ts +120 -0
- package/dist/data-access/runtime/evalRuns.js +168 -0
- package/dist/data-access/{ledgerArtifacts.d.ts → runtime/ledgerArtifacts.d.ts} +13 -13
- package/dist/data-access/{ledgerArtifacts.js → runtime/ledgerArtifacts.js} +3 -3
- package/dist/data-access/{messages.d.ts → runtime/messages.d.ts} +24 -24
- package/dist/data-access/{messages.js → runtime/messages.js} +2 -2
- package/dist/data-access/{organizations.d.ts → runtime/organizations.d.ts} +16 -7
- package/dist/data-access/{organizations.js → runtime/organizations.js} +16 -4
- package/dist/data-access/runtime/projects.d.ts +62 -0
- package/dist/data-access/runtime/projects.js +90 -0
- package/dist/data-access/runtime/tasks.d.ts +55 -0
- package/dist/data-access/{tasks.js → runtime/tasks.js} +2 -2
- package/dist/data-access/runtime/triggerInvocations.d.ts +62 -0
- package/dist/data-access/runtime/triggerInvocations.js +54 -0
- package/dist/data-access/runtime/users.d.ts +19 -0
- package/dist/data-access/{users.js → runtime/users.js} +2 -2
- package/dist/data-access/validation.d.ts +4 -4
- package/dist/data-access/validation.js +1 -1
- package/dist/db/clean.d.ts +8 -4
- package/dist/db/clean.js +14 -105
- package/dist/db/delete.d.ts +1 -1
- package/dist/db/delete.js +7 -10
- package/dist/db/manage/dolt-cleanup.d.ts +51 -0
- package/dist/db/manage/dolt-cleanup.js +132 -0
- package/dist/db/manage/manage-client.d.ts +26 -0
- package/dist/db/manage/manage-client.js +68 -0
- package/dist/db/{schema.d.ts → manage/manage-schema.d.ts} +1257 -969
- package/dist/db/{schema.js → manage/manage-schema.js} +436 -334
- package/dist/db/manage/test-manage-client.d.ts +27 -0
- package/dist/db/manage/test-manage-client.js +68 -0
- package/dist/db/runtime/runtime-client.d.ts +20 -0
- package/dist/db/runtime/runtime-client.js +30 -0
- package/dist/db/runtime/runtime-schema.d.ts +2834 -0
- package/dist/db/runtime/runtime-schema.js +483 -0
- package/dist/db/runtime/test-runtime-client.d.ts +27 -0
- package/dist/db/{test-client.js → runtime/test-runtime-client.js} +11 -25
- package/dist/db/utils.d.ts +6 -0
- package/dist/db/utils.js +42 -0
- package/dist/dolt/branch.d.ts +62 -0
- package/dist/dolt/branch.js +82 -0
- package/dist/dolt/branches-api.d.ts +108 -0
- package/dist/dolt/branches-api.js +162 -0
- package/dist/dolt/commit.d.ts +94 -0
- package/dist/dolt/commit.js +103 -0
- package/dist/dolt/diff.d.ts +27 -0
- package/dist/dolt/diff.js +21 -0
- package/dist/dolt/index.d.ts +10 -0
- package/dist/dolt/index.js +11 -0
- package/dist/dolt/merge.d.ts +63 -0
- package/dist/dolt/merge.js +81 -0
- package/dist/dolt/migrate-all-branches.d.ts +4 -0
- package/dist/dolt/migrate-all-branches.js +83 -0
- package/dist/dolt/migrate-dolt.d.ts +1 -0
- package/dist/dolt/migrate-dolt.js +25 -0
- package/dist/dolt/ref-helpers.d.ts +19 -0
- package/dist/dolt/ref-helpers.js +65 -0
- package/dist/dolt/ref-middleware.d.ts +82 -0
- package/dist/dolt/ref-middleware.js +217 -0
- package/dist/dolt/ref-scope.d.ts +101 -0
- package/dist/dolt/ref-scope.js +231 -0
- package/dist/dolt/schema-sync.d.ts +135 -0
- package/dist/dolt/schema-sync.js +255 -0
- package/dist/env.d.ts +6 -4
- package/dist/env.js +3 -2
- package/dist/index.d.ts +73 -46
- package/dist/index.js +76 -49
- package/dist/types/@napi-rs__keyring/index.d.ts +14 -0
- package/dist/types/entities.d.ts +81 -2
- package/dist/types/index.d.ts +3 -3
- package/dist/types/utility.d.ts +46 -5
- package/dist/types/utility.js +2 -1
- package/dist/utils/JsonTransformer.d.ts +42 -0
- package/dist/utils/JsonTransformer.js +103 -0
- package/dist/utils/apiKeys.d.ts +5 -1
- package/dist/utils/apiKeys.js +11 -1
- package/dist/utils/colors.d.ts +34 -0
- package/dist/utils/colors.js +49 -0
- package/dist/utils/credential-store-utils.d.ts +1 -1
- package/dist/utils/format-messages.d.ts +1 -1
- package/dist/utils/index.d.ts +8 -4
- package/dist/utils/index.js +8 -4
- package/dist/utils/internal-service-auth.d.ts +79 -0
- package/dist/utils/internal-service-auth.js +140 -0
- package/dist/utils/jmespath-utils.d.ts +152 -0
- package/dist/utils/jmespath-utils.js +213 -0
- package/dist/utils/jwt-helpers.d.ts +56 -0
- package/dist/utils/jwt-helpers.js +90 -0
- package/dist/utils/mcp-client.d.ts +1 -1
- package/dist/utils/mcp-client.js +1 -1
- package/dist/utils/service-token-auth.d.ts +9 -27
- package/dist/utils/service-token-auth.js +48 -96
- package/dist/utils/signature-validation.d.ts +2 -0
- package/dist/utils/signature-validation.js +3 -0
- package/dist/utils/template-interpolation.d.ts +22 -0
- package/dist/utils/template-interpolation.js +62 -0
- package/dist/utils/third-party-mcp-servers/composio-client.d.ts +13 -1
- package/dist/utils/third-party-mcp-servers/composio-client.js +47 -29
- package/dist/utils/third-party-mcp-servers/index.d.ts +2 -2
- package/dist/utils/third-party-mcp-servers/index.js +2 -2
- package/dist/utils/trigger-auth.d.ts +85 -0
- package/dist/utils/trigger-auth.js +233 -0
- package/dist/validation/agentFull.js +2 -4
- package/dist/validation/dolt-schemas.d.ts +49 -0
- package/dist/validation/dolt-schemas.js +44 -0
- package/dist/validation/drizzle-schema-helpers.d.ts +4 -26
- package/dist/validation/drizzle-schema-helpers.js +5 -151
- package/dist/validation/index.d.ts +5 -4
- package/dist/validation/index.js +4 -3
- package/dist/validation/render-validation.js +19 -0
- package/dist/validation/schemas.d.ts +18223 -5148
- package/dist/validation/schemas.js +559 -12
- package/dist/validation/stream-event-schemas.d.ts +96 -1
- package/dist/validation/stream-event-schemas.js +67 -2
- package/drizzle/manage/0000_tearful_rhodey.sql +414 -0
- package/drizzle/manage/0001_broken_wendell_vaughn.sql +19 -0
- package/drizzle/manage/0002_bent_sunfire.sql +1 -0
- package/drizzle/manage/0003_tiny_captain_universe.sql +8 -0
- package/drizzle/manage/0004_curious_phil_sheldon.sql +2 -0
- package/drizzle/manage/0005_silent_shatterstar.sql +53 -0
- package/drizzle/manage/meta/0000_snapshot.json +2987 -0
- package/drizzle/manage/meta/0001_snapshot.json +3115 -0
- package/drizzle/manage/meta/0002_snapshot.json +3115 -0
- package/drizzle/manage/meta/0003_snapshot.json +3134 -0
- package/drizzle/manage/meta/0004_snapshot.json +3141 -0
- package/drizzle/manage/meta/0005_snapshot.json +3141 -0
- package/drizzle/manage/meta/_journal.json +48 -0
- package/drizzle/runtime/0008_silly_preak.sql +127 -0
- package/drizzle/runtime/0009_freezing_leo.sql +17 -0
- package/drizzle/runtime/meta/0008_snapshot.json +2263 -0
- package/drizzle/runtime/meta/0009_snapshot.json +2397 -0
- package/drizzle/{meta → runtime/meta}/_journal.json +14 -0
- package/package.json +56 -18
- package/spicedb/schema.zed +114 -0
- package/dist/context/ContextFetcher.d.ts +0 -73
- package/dist/context/ContextFetcher.js +0 -291
- package/dist/context/ContextResolver.d.ts +0 -60
- package/dist/context/ContextResolver.js +0 -278
- package/dist/context/context.d.ts +0 -27
- package/dist/context/context.js +0 -128
- package/dist/context/contextCache.d.ts +0 -58
- package/dist/context/contextCache.js +0 -177
- package/dist/data-access/agentFull.d.ts +0 -33
- package/dist/data-access/functionTools.d.ts +0 -169
- package/dist/data-access/projectFull.d.ts +0 -32
- package/dist/data-access/projects.d.ts +0 -71
- package/dist/data-access/tasks.d.ts +0 -45
- package/dist/data-access/users.d.ts +0 -19
- package/dist/db/client.d.ts +0 -20
- package/dist/db/client.js +0 -28
- package/dist/db/test-client.d.ts +0 -31
- package/dist/middleware/contextValidation.d.ts +0 -46
- package/dist/middleware/contextValidation.js +0 -280
- package/dist/middleware/index.d.ts +0 -2
- package/dist/middleware/index.js +0 -3
- package/dist/utils/execution.d.ts +0 -22
- package/dist/utils/execution.js +0 -25
- /package/drizzle/{0000_exotic_mysterio.sql → runtime/0000_exotic_mysterio.sql} +0 -0
- /package/drizzle/{0001_calm_sheva_callister.sql → runtime/0001_calm_sheva_callister.sql} +0 -0
- /package/drizzle/{0002_puzzling_goblin_queen.sql → runtime/0002_puzzling_goblin_queen.sql} +0 -0
- /package/drizzle/{0003_sweet_human_robot.sql → runtime/0003_sweet_human_robot.sql} +0 -0
- /package/drizzle/{0004_cuddly_shooting_star.sql → runtime/0004_cuddly_shooting_star.sql} +0 -0
- /package/drizzle/{0005_reflective_starfox.sql → runtime/0005_reflective_starfox.sql} +0 -0
- /package/drizzle/{0006_stale_thaddeus_ross.sql → runtime/0006_stale_thaddeus_ross.sql} +0 -0
- /package/drizzle/{0007_slim_karma.sql → runtime/0007_slim_karma.sql} +0 -0
- /package/drizzle/{meta → runtime/meta}/0000_snapshot.json +0 -0
- /package/drizzle/{meta → runtime/meta}/0001_snapshot.json +0 -0
- /package/drizzle/{meta → runtime/meta}/0003_snapshot.json +0 -0
- /package/drizzle/{meta → runtime/meta}/0005_snapshot.json +0 -0
- /package/drizzle/{meta → runtime/meta}/0006_snapshot.json +0 -0
- /package/drizzle/{meta → runtime/meta}/0007_snapshot.json +0 -0
|
@@ -0,0 +1,93 @@
|
|
|
1
|
+
//#region src/auth/authz/config.ts
|
|
2
|
+
/**
|
|
3
|
+
* SpiceDB Authorization Configuration
|
|
4
|
+
*
|
|
5
|
+
* Feature flag and configuration for the SpiceDB authorization system.
|
|
6
|
+
*/
|
|
7
|
+
function isAuthzEnabled() {
|
|
8
|
+
return process.env.ENABLE_AUTHZ === "true";
|
|
9
|
+
}
|
|
10
|
+
/**
|
|
11
|
+
* Get SpiceDB connection configuration from environment variables.
|
|
12
|
+
* TLS is auto-detected: disabled for localhost, enabled for remote endpoints.
|
|
13
|
+
*/
|
|
14
|
+
function getSpiceDbConfig() {
|
|
15
|
+
const endpoint = process.env.SPICEDB_ENDPOINT || "localhost:50051";
|
|
16
|
+
const isLocalhost = endpoint.startsWith("localhost") || endpoint.startsWith("127.0.0.1");
|
|
17
|
+
return {
|
|
18
|
+
endpoint,
|
|
19
|
+
token: process.env.SPICEDB_PRESHARED_KEY || "",
|
|
20
|
+
tlsEnabled: !isLocalhost
|
|
21
|
+
};
|
|
22
|
+
}
|
|
23
|
+
/**
|
|
24
|
+
* SpiceDB resource types used in the schema
|
|
25
|
+
*/
|
|
26
|
+
const SpiceDbResourceTypes = {
|
|
27
|
+
USER: "user",
|
|
28
|
+
ORGANIZATION: "organization",
|
|
29
|
+
PROJECT: "project"
|
|
30
|
+
};
|
|
31
|
+
/**
|
|
32
|
+
* SpiceDB relations used in the schema
|
|
33
|
+
*
|
|
34
|
+
* Relations are named as nouns (roles) per SpiceDB best practices.
|
|
35
|
+
* Project roles are prefixed for clarity when debugging/grepping.
|
|
36
|
+
*/
|
|
37
|
+
const SpiceDbRelations = {
|
|
38
|
+
OWNER: "owner",
|
|
39
|
+
ADMIN: "admin",
|
|
40
|
+
MEMBER: "member",
|
|
41
|
+
ORGANIZATION: "organization",
|
|
42
|
+
PROJECT_ADMIN: "project_admin",
|
|
43
|
+
PROJECT_MEMBER: "project_member",
|
|
44
|
+
PROJECT_VIEWER: "project_viewer"
|
|
45
|
+
};
|
|
46
|
+
/**
|
|
47
|
+
* SpiceDB permissions for organization resources.
|
|
48
|
+
*
|
|
49
|
+
* From schema.zed definition organization:
|
|
50
|
+
* - view: owner + admin + member
|
|
51
|
+
* - manage: owner + admin (includes managing org settings and all projects)
|
|
52
|
+
*/
|
|
53
|
+
const SpiceDbOrgPermissions = {
|
|
54
|
+
VIEW: "view",
|
|
55
|
+
MANAGE: "manage"
|
|
56
|
+
};
|
|
57
|
+
/**
|
|
58
|
+
* SpiceDB permissions for project resources.
|
|
59
|
+
*
|
|
60
|
+
* From schema.zed definition project:
|
|
61
|
+
* - view: read-only access to project and its resources
|
|
62
|
+
* - use: invoke agents, create API keys, view traces
|
|
63
|
+
* - edit: modify configurations, manage members
|
|
64
|
+
*/
|
|
65
|
+
const SpiceDbProjectPermissions = {
|
|
66
|
+
VIEW: "view",
|
|
67
|
+
USE: "use",
|
|
68
|
+
EDIT: "edit"
|
|
69
|
+
};
|
|
70
|
+
/**
|
|
71
|
+
* Organization roles from SpiceDB schema.
|
|
72
|
+
*/
|
|
73
|
+
const OrgRoles = {
|
|
74
|
+
OWNER: "owner",
|
|
75
|
+
ADMIN: "admin",
|
|
76
|
+
MEMBER: "member"
|
|
77
|
+
};
|
|
78
|
+
/**
|
|
79
|
+
* Project roles from SpiceDB schema.
|
|
80
|
+
*
|
|
81
|
+
* Hierarchy:
|
|
82
|
+
* - project_admin: Full access (view + use + edit + manage members)
|
|
83
|
+
* - project_member: Operator access (view + use: invoke agents, create API keys)
|
|
84
|
+
* - project_viewer: Read-only access (view only)
|
|
85
|
+
*/
|
|
86
|
+
const ProjectRoles = {
|
|
87
|
+
ADMIN: "project_admin",
|
|
88
|
+
MEMBER: "project_member",
|
|
89
|
+
VIEWER: "project_viewer"
|
|
90
|
+
};
|
|
91
|
+
|
|
92
|
+
//#endregion
|
|
93
|
+
export { OrgRoles, ProjectRoles, SpiceDbOrgPermissions, SpiceDbProjectPermissions, SpiceDbRelations, SpiceDbResourceTypes, getSpiceDbConfig, isAuthzEnabled };
|
|
@@ -0,0 +1,5 @@
|
|
|
1
|
+
import { checkBulkPermissions, checkPermission, deleteRelationship, getSpiceClient, lookupResources, readRelationships, resetSpiceClient, writeRelationship } from "./client.js";
|
|
2
|
+
import { OrgRole, OrgRoles, ProjectPermissionLevel, ProjectPermissions, ProjectRole, ProjectRoles, SpiceDbOrgPermission, SpiceDbOrgPermissions, SpiceDbProjectPermission, SpiceDbProjectPermissions, SpiceDbRelations, SpiceDbResourceTypes, getSpiceDbConfig, isAuthzEnabled } from "./config.js";
|
|
3
|
+
import { canEditProject, canUseProject, canViewProject, listAccessibleProjectIds } from "./permissions.js";
|
|
4
|
+
import { changeOrgRole, changeProjectRole, grantProjectAccess, listProjectMembers, listUserProjectMembershipsInSpiceDb, removeProjectFromSpiceDb, revokeAllProjectMemberships, revokeProjectAccess, syncOrgMemberToSpiceDb, syncProjectToSpiceDb } from "./sync.js";
|
|
5
|
+
export { type OrgRole, OrgRoles, type ProjectPermissionLevel, type ProjectPermissions, type ProjectRole, ProjectRoles, type SpiceDbOrgPermission, SpiceDbOrgPermissions, type SpiceDbProjectPermission, SpiceDbProjectPermissions, SpiceDbRelations, SpiceDbResourceTypes, canEditProject, canUseProject, canViewProject, changeOrgRole, changeProjectRole, checkBulkPermissions, checkPermission, deleteRelationship, getSpiceClient, getSpiceDbConfig, grantProjectAccess, isAuthzEnabled, listAccessibleProjectIds, listProjectMembers, listUserProjectMembershipsInSpiceDb, lookupResources, readRelationships, removeProjectFromSpiceDb, resetSpiceClient, revokeAllProjectMemberships, revokeProjectAccess, syncOrgMemberToSpiceDb, syncProjectToSpiceDb, writeRelationship };
|
|
@@ -0,0 +1,6 @@
|
|
|
1
|
+
import { OrgRoles, ProjectRoles, SpiceDbOrgPermissions, SpiceDbProjectPermissions, SpiceDbRelations, SpiceDbResourceTypes, getSpiceDbConfig, isAuthzEnabled } from "./config.js";
|
|
2
|
+
import { checkBulkPermissions, checkPermission, deleteRelationship, getSpiceClient, lookupResources, readRelationships, resetSpiceClient, writeRelationship } from "./client.js";
|
|
3
|
+
import { canEditProject, canUseProject, canViewProject, listAccessibleProjectIds } from "./permissions.js";
|
|
4
|
+
import { changeOrgRole, changeProjectRole, grantProjectAccess, listProjectMembers, listUserProjectMembershipsInSpiceDb, removeProjectFromSpiceDb, revokeAllProjectMemberships, revokeProjectAccess, syncOrgMemberToSpiceDb, syncProjectToSpiceDb } from "./sync.js";
|
|
5
|
+
|
|
6
|
+
export { OrgRoles, ProjectRoles, SpiceDbOrgPermissions, SpiceDbProjectPermissions, SpiceDbRelations, SpiceDbResourceTypes, canEditProject, canUseProject, canViewProject, changeOrgRole, changeProjectRole, checkBulkPermissions, checkPermission, deleteRelationship, getSpiceClient, getSpiceDbConfig, grantProjectAccess, isAuthzEnabled, listAccessibleProjectIds, listProjectMembers, listUserProjectMembershipsInSpiceDb, lookupResources, readRelationships, removeProjectFromSpiceDb, resetSpiceClient, revokeAllProjectMemberships, revokeProjectAccess, syncOrgMemberToSpiceDb, syncProjectToSpiceDb, writeRelationship };
|
|
@@ -0,0 +1,53 @@
|
|
|
1
|
+
import { OrgRole } from "./config.js";
|
|
2
|
+
|
|
3
|
+
//#region src/auth/authz/permissions.d.ts
|
|
4
|
+
|
|
5
|
+
/**
|
|
6
|
+
* Check if a user can view a project.
|
|
7
|
+
*
|
|
8
|
+
* - If authz is disabled: returns true (current behavior)
|
|
9
|
+
* - If user is org owner/admin: returns true (bypass)
|
|
10
|
+
* - Otherwise: checks SpiceDB
|
|
11
|
+
*/
|
|
12
|
+
declare function canViewProject(params: {
|
|
13
|
+
userId: string;
|
|
14
|
+
projectId: string;
|
|
15
|
+
orgRole: OrgRole;
|
|
16
|
+
}): Promise<boolean>;
|
|
17
|
+
/**
|
|
18
|
+
* Check if a user can use a project (invoke agents, create API keys, view traces).
|
|
19
|
+
*
|
|
20
|
+
* - If authz is disabled: returns true (current behavior)
|
|
21
|
+
* - If user is org owner/admin: returns true (bypass)
|
|
22
|
+
* - Otherwise: checks SpiceDB for use permission
|
|
23
|
+
*/
|
|
24
|
+
declare function canUseProject(params: {
|
|
25
|
+
userId: string;
|
|
26
|
+
projectId: string;
|
|
27
|
+
orgRole: OrgRole;
|
|
28
|
+
}): Promise<boolean>;
|
|
29
|
+
/**
|
|
30
|
+
* Check if a user can edit a project (modify configurations).
|
|
31
|
+
*
|
|
32
|
+
* - If authz is disabled: only org owner/admin can edit
|
|
33
|
+
* - If user is org owner/admin: returns true (bypass)
|
|
34
|
+
* - Otherwise: checks SpiceDB for edit permission
|
|
35
|
+
*/
|
|
36
|
+
declare function canEditProject(params: {
|
|
37
|
+
userId: string;
|
|
38
|
+
projectId: string;
|
|
39
|
+
orgRole: OrgRole;
|
|
40
|
+
}): Promise<boolean>;
|
|
41
|
+
/**
|
|
42
|
+
* Get list of accessible project IDs for a user.
|
|
43
|
+
*
|
|
44
|
+
* - If authz is disabled: returns 'all' (no filtering needed)
|
|
45
|
+
* - If user is org owner/admin: returns 'all' (no filtering needed)
|
|
46
|
+
* - Otherwise: uses SpiceDB LookupResources
|
|
47
|
+
*/
|
|
48
|
+
declare function listAccessibleProjectIds(params: {
|
|
49
|
+
userId: string;
|
|
50
|
+
orgRole: OrgRole;
|
|
51
|
+
}): Promise<string[] | 'all'>;
|
|
52
|
+
//#endregion
|
|
53
|
+
export { canEditProject, canUseProject, canViewProject, listAccessibleProjectIds };
|
|
@@ -0,0 +1,83 @@
|
|
|
1
|
+
import { OrgRoles, SpiceDbProjectPermissions, SpiceDbResourceTypes, isAuthzEnabled } from "./config.js";
|
|
2
|
+
import { checkPermission, lookupResources } from "./client.js";
|
|
3
|
+
|
|
4
|
+
//#region src/auth/authz/permissions.ts
|
|
5
|
+
/**
|
|
6
|
+
* SpiceDB Permission Check Functions
|
|
7
|
+
*
|
|
8
|
+
* High-level functions for checking project-level permissions.
|
|
9
|
+
*/
|
|
10
|
+
/**
|
|
11
|
+
* Check if a user can view a project.
|
|
12
|
+
*
|
|
13
|
+
* - If authz is disabled: returns true (current behavior)
|
|
14
|
+
* - If user is org owner/admin: returns true (bypass)
|
|
15
|
+
* - Otherwise: checks SpiceDB
|
|
16
|
+
*/
|
|
17
|
+
async function canViewProject(params) {
|
|
18
|
+
const isAdmin = params.orgRole === OrgRoles.OWNER || params.orgRole === OrgRoles.ADMIN;
|
|
19
|
+
if (!isAuthzEnabled() || isAdmin) return true;
|
|
20
|
+
return checkPermission({
|
|
21
|
+
resourceType: SpiceDbResourceTypes.PROJECT,
|
|
22
|
+
resourceId: params.projectId,
|
|
23
|
+
permission: SpiceDbProjectPermissions.VIEW,
|
|
24
|
+
subjectType: SpiceDbResourceTypes.USER,
|
|
25
|
+
subjectId: params.userId
|
|
26
|
+
});
|
|
27
|
+
}
|
|
28
|
+
/**
|
|
29
|
+
* Check if a user can use a project (invoke agents, create API keys, view traces).
|
|
30
|
+
*
|
|
31
|
+
* - If authz is disabled: returns true (current behavior)
|
|
32
|
+
* - If user is org owner/admin: returns true (bypass)
|
|
33
|
+
* - Otherwise: checks SpiceDB for use permission
|
|
34
|
+
*/
|
|
35
|
+
async function canUseProject(params) {
|
|
36
|
+
const isAdmin = params.orgRole === OrgRoles.OWNER || params.orgRole === OrgRoles.ADMIN;
|
|
37
|
+
if (!isAuthzEnabled() || isAdmin) return true;
|
|
38
|
+
return checkPermission({
|
|
39
|
+
resourceType: SpiceDbResourceTypes.PROJECT,
|
|
40
|
+
resourceId: params.projectId,
|
|
41
|
+
permission: SpiceDbProjectPermissions.USE,
|
|
42
|
+
subjectType: SpiceDbResourceTypes.USER,
|
|
43
|
+
subjectId: params.userId
|
|
44
|
+
});
|
|
45
|
+
}
|
|
46
|
+
/**
|
|
47
|
+
* Check if a user can edit a project (modify configurations).
|
|
48
|
+
*
|
|
49
|
+
* - If authz is disabled: only org owner/admin can edit
|
|
50
|
+
* - If user is org owner/admin: returns true (bypass)
|
|
51
|
+
* - Otherwise: checks SpiceDB for edit permission
|
|
52
|
+
*/
|
|
53
|
+
async function canEditProject(params) {
|
|
54
|
+
if (params.orgRole === OrgRoles.OWNER || params.orgRole === OrgRoles.ADMIN) return true;
|
|
55
|
+
if (!isAuthzEnabled()) return false;
|
|
56
|
+
return checkPermission({
|
|
57
|
+
resourceType: SpiceDbResourceTypes.PROJECT,
|
|
58
|
+
resourceId: params.projectId,
|
|
59
|
+
permission: SpiceDbProjectPermissions.EDIT,
|
|
60
|
+
subjectType: SpiceDbResourceTypes.USER,
|
|
61
|
+
subjectId: params.userId
|
|
62
|
+
});
|
|
63
|
+
}
|
|
64
|
+
/**
|
|
65
|
+
* Get list of accessible project IDs for a user.
|
|
66
|
+
*
|
|
67
|
+
* - If authz is disabled: returns 'all' (no filtering needed)
|
|
68
|
+
* - If user is org owner/admin: returns 'all' (no filtering needed)
|
|
69
|
+
* - Otherwise: uses SpiceDB LookupResources
|
|
70
|
+
*/
|
|
71
|
+
async function listAccessibleProjectIds(params) {
|
|
72
|
+
const isAdmin = params.orgRole === OrgRoles.OWNER || params.orgRole === OrgRoles.ADMIN;
|
|
73
|
+
if (!isAuthzEnabled() || isAdmin) return "all";
|
|
74
|
+
return lookupResources({
|
|
75
|
+
resourceType: SpiceDbResourceTypes.PROJECT,
|
|
76
|
+
permission: SpiceDbProjectPermissions.VIEW,
|
|
77
|
+
subjectType: SpiceDbResourceTypes.USER,
|
|
78
|
+
subjectId: params.userId
|
|
79
|
+
});
|
|
80
|
+
}
|
|
81
|
+
|
|
82
|
+
//#endregion
|
|
83
|
+
export { canEditProject, canUseProject, canViewProject, listAccessibleProjectIds };
|
|
@@ -0,0 +1,106 @@
|
|
|
1
|
+
import { OrgRole, ProjectRole } from "./config.js";
|
|
2
|
+
|
|
3
|
+
//#region src/auth/authz/sync.d.ts
|
|
4
|
+
|
|
5
|
+
/**
|
|
6
|
+
* Sync a user's org membership to SpiceDB.
|
|
7
|
+
* Call when: user joins org, role changes, user leaves org.
|
|
8
|
+
*/
|
|
9
|
+
declare function syncOrgMemberToSpiceDb(params: {
|
|
10
|
+
tenantId: string;
|
|
11
|
+
userId: string;
|
|
12
|
+
role: OrgRole;
|
|
13
|
+
action: 'add' | 'remove';
|
|
14
|
+
}): Promise<void>;
|
|
15
|
+
/**
|
|
16
|
+
* Change a user's organization role.
|
|
17
|
+
* Removes the old role and adds the new one atomically in a single transaction.
|
|
18
|
+
* Call when: user's org role is updated (e.g., member -> admin).
|
|
19
|
+
*/
|
|
20
|
+
declare function changeOrgRole(params: {
|
|
21
|
+
tenantId: string;
|
|
22
|
+
userId: string;
|
|
23
|
+
oldRole: OrgRole;
|
|
24
|
+
newRole: OrgRole;
|
|
25
|
+
}): Promise<void>;
|
|
26
|
+
/**
|
|
27
|
+
* Sync a new project to SpiceDB.
|
|
28
|
+
* Links project to org and grants creator project_admin role (if not already org admin/owner).
|
|
29
|
+
* Call when: project is created.
|
|
30
|
+
*/
|
|
31
|
+
declare function syncProjectToSpiceDb(params: {
|
|
32
|
+
tenantId: string;
|
|
33
|
+
projectId: string;
|
|
34
|
+
creatorUserId: string;
|
|
35
|
+
}): Promise<void>;
|
|
36
|
+
/**
|
|
37
|
+
* Grant project access to a user.
|
|
38
|
+
*/
|
|
39
|
+
declare function grantProjectAccess(params: {
|
|
40
|
+
tenantId: string;
|
|
41
|
+
projectId: string;
|
|
42
|
+
userId: string;
|
|
43
|
+
role: ProjectRole;
|
|
44
|
+
}): Promise<void>;
|
|
45
|
+
/**
|
|
46
|
+
* Revoke project access from a user.
|
|
47
|
+
*/
|
|
48
|
+
declare function revokeProjectAccess(params: {
|
|
49
|
+
tenantId: string;
|
|
50
|
+
projectId: string;
|
|
51
|
+
userId: string;
|
|
52
|
+
role: ProjectRole;
|
|
53
|
+
}): Promise<void>;
|
|
54
|
+
/**
|
|
55
|
+
* Change a user's project role.
|
|
56
|
+
* Removes the old role and adds the new one atomically in a single transaction.
|
|
57
|
+
*/
|
|
58
|
+
declare function changeProjectRole(params: {
|
|
59
|
+
tenantId: string;
|
|
60
|
+
projectId: string;
|
|
61
|
+
userId: string;
|
|
62
|
+
oldRole: ProjectRole;
|
|
63
|
+
newRole: ProjectRole;
|
|
64
|
+
}): Promise<void>;
|
|
65
|
+
/**
|
|
66
|
+
* Remove a project from SpiceDB.
|
|
67
|
+
* Call when: project is deleted.
|
|
68
|
+
*/
|
|
69
|
+
declare function removeProjectFromSpiceDb(params: {
|
|
70
|
+
tenantId: string;
|
|
71
|
+
projectId: string;
|
|
72
|
+
}): Promise<void>;
|
|
73
|
+
/**
|
|
74
|
+
* List all explicit project members from SpiceDB.
|
|
75
|
+
* Returns users with project_admin, project_member, or project_viewer roles.
|
|
76
|
+
*/
|
|
77
|
+
declare function listProjectMembers(params: {
|
|
78
|
+
tenantId: string;
|
|
79
|
+
projectId: string;
|
|
80
|
+
}): Promise<Array<{
|
|
81
|
+
userId: string;
|
|
82
|
+
role: ProjectRole;
|
|
83
|
+
}>>;
|
|
84
|
+
/**
|
|
85
|
+
* List all project memberships for a specific user.
|
|
86
|
+
* Returns projects where the user has explicit project_admin, project_member, or project_viewer roles.
|
|
87
|
+
*/
|
|
88
|
+
declare function listUserProjectMembershipsInSpiceDb(params: {
|
|
89
|
+
tenantId: string;
|
|
90
|
+
userId: string;
|
|
91
|
+
}): Promise<Array<{
|
|
92
|
+
projectId: string;
|
|
93
|
+
role: ProjectRole;
|
|
94
|
+
}>>;
|
|
95
|
+
/**
|
|
96
|
+
* Revoke all project memberships for a user.
|
|
97
|
+
* Call when: user is promoted to org admin (they get inherited access, explicit project roles become redundant).
|
|
98
|
+
*
|
|
99
|
+
* Uses efficient bulk delete - deletes all project relationships for user without listing first.
|
|
100
|
+
*/
|
|
101
|
+
declare function revokeAllProjectMemberships(params: {
|
|
102
|
+
tenantId: string;
|
|
103
|
+
userId: string;
|
|
104
|
+
}): Promise<void>;
|
|
105
|
+
//#endregion
|
|
106
|
+
export { changeOrgRole, changeProjectRole, grantProjectAccess, listProjectMembers, listUserProjectMembershipsInSpiceDb, removeProjectFromSpiceDb, revokeAllProjectMemberships, revokeProjectAccess, syncOrgMemberToSpiceDb, syncProjectToSpiceDb };
|
|
@@ -0,0 +1,321 @@
|
|
|
1
|
+
import { SpiceDbRelations, SpiceDbResourceTypes, isAuthzEnabled } from "./config.js";
|
|
2
|
+
import { RelationshipOperation, deleteRelationship, getSpiceClient, readRelationships, writeRelationship } from "./client.js";
|
|
3
|
+
|
|
4
|
+
//#region src/auth/authz/sync.ts
|
|
5
|
+
/**
|
|
6
|
+
* SpiceDB Sync Utilities
|
|
7
|
+
*
|
|
8
|
+
* Functions for syncing data between better-auth and SpiceDB.
|
|
9
|
+
*/
|
|
10
|
+
/**
|
|
11
|
+
* Sync a user's org membership to SpiceDB.
|
|
12
|
+
* Call when: user joins org, role changes, user leaves org.
|
|
13
|
+
*/
|
|
14
|
+
async function syncOrgMemberToSpiceDb(params) {
|
|
15
|
+
if (!isAuthzEnabled()) return;
|
|
16
|
+
if (params.action === "add") await writeRelationship({
|
|
17
|
+
resourceType: SpiceDbResourceTypes.ORGANIZATION,
|
|
18
|
+
resourceId: params.tenantId,
|
|
19
|
+
relation: params.role,
|
|
20
|
+
subjectType: SpiceDbResourceTypes.USER,
|
|
21
|
+
subjectId: params.userId
|
|
22
|
+
});
|
|
23
|
+
else await deleteRelationship({
|
|
24
|
+
resourceType: SpiceDbResourceTypes.ORGANIZATION,
|
|
25
|
+
resourceId: params.tenantId,
|
|
26
|
+
relation: params.role,
|
|
27
|
+
subjectType: SpiceDbResourceTypes.USER,
|
|
28
|
+
subjectId: params.userId
|
|
29
|
+
});
|
|
30
|
+
}
|
|
31
|
+
/**
|
|
32
|
+
* Change a user's organization role.
|
|
33
|
+
* Removes the old role and adds the new one atomically in a single transaction.
|
|
34
|
+
* Call when: user's org role is updated (e.g., member -> admin).
|
|
35
|
+
*/
|
|
36
|
+
async function changeOrgRole(params) {
|
|
37
|
+
if (!isAuthzEnabled()) return;
|
|
38
|
+
if (params.oldRole === params.newRole) return;
|
|
39
|
+
await getSpiceClient().promises.writeRelationships({
|
|
40
|
+
updates: [{
|
|
41
|
+
operation: RelationshipOperation.DELETE,
|
|
42
|
+
relationship: {
|
|
43
|
+
resource: {
|
|
44
|
+
objectType: SpiceDbResourceTypes.ORGANIZATION,
|
|
45
|
+
objectId: params.tenantId
|
|
46
|
+
},
|
|
47
|
+
relation: params.oldRole,
|
|
48
|
+
subject: {
|
|
49
|
+
object: {
|
|
50
|
+
objectType: SpiceDbResourceTypes.USER,
|
|
51
|
+
objectId: params.userId
|
|
52
|
+
},
|
|
53
|
+
optionalRelation: ""
|
|
54
|
+
},
|
|
55
|
+
optionalCaveat: void 0
|
|
56
|
+
}
|
|
57
|
+
}, {
|
|
58
|
+
operation: RelationshipOperation.TOUCH,
|
|
59
|
+
relationship: {
|
|
60
|
+
resource: {
|
|
61
|
+
objectType: SpiceDbResourceTypes.ORGANIZATION,
|
|
62
|
+
objectId: params.tenantId
|
|
63
|
+
},
|
|
64
|
+
relation: params.newRole,
|
|
65
|
+
subject: {
|
|
66
|
+
object: {
|
|
67
|
+
objectType: SpiceDbResourceTypes.USER,
|
|
68
|
+
objectId: params.userId
|
|
69
|
+
},
|
|
70
|
+
optionalRelation: ""
|
|
71
|
+
},
|
|
72
|
+
optionalCaveat: void 0
|
|
73
|
+
}
|
|
74
|
+
}],
|
|
75
|
+
optionalPreconditions: [],
|
|
76
|
+
optionalTransactionMetadata: void 0
|
|
77
|
+
});
|
|
78
|
+
}
|
|
79
|
+
/**
|
|
80
|
+
* Sync a new project to SpiceDB.
|
|
81
|
+
* Links project to org and grants creator project_admin role (if not already org admin/owner).
|
|
82
|
+
* Call when: project is created.
|
|
83
|
+
*/
|
|
84
|
+
async function syncProjectToSpiceDb(params) {
|
|
85
|
+
if (!isAuthzEnabled()) return;
|
|
86
|
+
const spice = getSpiceClient();
|
|
87
|
+
const isOrgAdminOrOwner = (await readRelationships({
|
|
88
|
+
resourceType: SpiceDbResourceTypes.ORGANIZATION,
|
|
89
|
+
resourceId: params.tenantId,
|
|
90
|
+
subjectType: SpiceDbResourceTypes.USER,
|
|
91
|
+
subjectId: params.creatorUserId
|
|
92
|
+
})).some((r) => r.relation === SpiceDbRelations.ADMIN || r.relation === SpiceDbRelations.OWNER);
|
|
93
|
+
const updates = [{
|
|
94
|
+
operation: RelationshipOperation.CREATE,
|
|
95
|
+
relationship: {
|
|
96
|
+
resource: {
|
|
97
|
+
objectType: SpiceDbResourceTypes.PROJECT,
|
|
98
|
+
objectId: params.projectId
|
|
99
|
+
},
|
|
100
|
+
relation: SpiceDbRelations.ORGANIZATION,
|
|
101
|
+
subject: {
|
|
102
|
+
object: {
|
|
103
|
+
objectType: SpiceDbResourceTypes.ORGANIZATION,
|
|
104
|
+
objectId: params.tenantId
|
|
105
|
+
},
|
|
106
|
+
optionalRelation: ""
|
|
107
|
+
},
|
|
108
|
+
optionalCaveat: void 0
|
|
109
|
+
}
|
|
110
|
+
}];
|
|
111
|
+
if (!isOrgAdminOrOwner) updates.push({
|
|
112
|
+
operation: RelationshipOperation.CREATE,
|
|
113
|
+
relationship: {
|
|
114
|
+
resource: {
|
|
115
|
+
objectType: SpiceDbResourceTypes.PROJECT,
|
|
116
|
+
objectId: params.projectId
|
|
117
|
+
},
|
|
118
|
+
relation: SpiceDbRelations.PROJECT_ADMIN,
|
|
119
|
+
subject: {
|
|
120
|
+
object: {
|
|
121
|
+
objectType: SpiceDbResourceTypes.USER,
|
|
122
|
+
objectId: params.creatorUserId
|
|
123
|
+
},
|
|
124
|
+
optionalRelation: ""
|
|
125
|
+
},
|
|
126
|
+
optionalCaveat: void 0
|
|
127
|
+
}
|
|
128
|
+
});
|
|
129
|
+
await spice.promises.writeRelationships({
|
|
130
|
+
updates,
|
|
131
|
+
optionalPreconditions: [],
|
|
132
|
+
optionalTransactionMetadata: void 0
|
|
133
|
+
});
|
|
134
|
+
}
|
|
135
|
+
/**
|
|
136
|
+
* Grant project access to a user.
|
|
137
|
+
*/
|
|
138
|
+
async function grantProjectAccess(params) {
|
|
139
|
+
if (!isAuthzEnabled()) throw new Error("Authorization is not enabled");
|
|
140
|
+
await writeRelationship({
|
|
141
|
+
resourceType: SpiceDbResourceTypes.PROJECT,
|
|
142
|
+
resourceId: params.projectId,
|
|
143
|
+
relation: params.role,
|
|
144
|
+
subjectType: SpiceDbResourceTypes.USER,
|
|
145
|
+
subjectId: params.userId
|
|
146
|
+
});
|
|
147
|
+
}
|
|
148
|
+
/**
|
|
149
|
+
* Revoke project access from a user.
|
|
150
|
+
*/
|
|
151
|
+
async function revokeProjectAccess(params) {
|
|
152
|
+
if (!isAuthzEnabled()) throw new Error("Authorization is not enabled");
|
|
153
|
+
await deleteRelationship({
|
|
154
|
+
resourceType: SpiceDbResourceTypes.PROJECT,
|
|
155
|
+
resourceId: params.projectId,
|
|
156
|
+
relation: params.role,
|
|
157
|
+
subjectType: SpiceDbResourceTypes.USER,
|
|
158
|
+
subjectId: params.userId
|
|
159
|
+
});
|
|
160
|
+
}
|
|
161
|
+
/**
|
|
162
|
+
* Change a user's project role.
|
|
163
|
+
* Removes the old role and adds the new one atomically in a single transaction.
|
|
164
|
+
*/
|
|
165
|
+
async function changeProjectRole(params) {
|
|
166
|
+
if (!isAuthzEnabled()) throw new Error("Authorization is not enabled");
|
|
167
|
+
if (params.oldRole === params.newRole) return;
|
|
168
|
+
await getSpiceClient().promises.writeRelationships({
|
|
169
|
+
updates: [{
|
|
170
|
+
operation: RelationshipOperation.DELETE,
|
|
171
|
+
relationship: {
|
|
172
|
+
resource: {
|
|
173
|
+
objectType: SpiceDbResourceTypes.PROJECT,
|
|
174
|
+
objectId: params.projectId
|
|
175
|
+
},
|
|
176
|
+
relation: params.oldRole,
|
|
177
|
+
subject: {
|
|
178
|
+
object: {
|
|
179
|
+
objectType: SpiceDbResourceTypes.USER,
|
|
180
|
+
objectId: params.userId
|
|
181
|
+
},
|
|
182
|
+
optionalRelation: ""
|
|
183
|
+
},
|
|
184
|
+
optionalCaveat: void 0
|
|
185
|
+
}
|
|
186
|
+
}, {
|
|
187
|
+
operation: RelationshipOperation.TOUCH,
|
|
188
|
+
relationship: {
|
|
189
|
+
resource: {
|
|
190
|
+
objectType: SpiceDbResourceTypes.PROJECT,
|
|
191
|
+
objectId: params.projectId
|
|
192
|
+
},
|
|
193
|
+
relation: params.newRole,
|
|
194
|
+
subject: {
|
|
195
|
+
object: {
|
|
196
|
+
objectType: SpiceDbResourceTypes.USER,
|
|
197
|
+
objectId: params.userId
|
|
198
|
+
},
|
|
199
|
+
optionalRelation: ""
|
|
200
|
+
},
|
|
201
|
+
optionalCaveat: void 0
|
|
202
|
+
}
|
|
203
|
+
}],
|
|
204
|
+
optionalPreconditions: [],
|
|
205
|
+
optionalTransactionMetadata: void 0
|
|
206
|
+
});
|
|
207
|
+
}
|
|
208
|
+
/**
|
|
209
|
+
* Remove a project from SpiceDB.
|
|
210
|
+
* Call when: project is deleted.
|
|
211
|
+
*/
|
|
212
|
+
async function removeProjectFromSpiceDb(params) {
|
|
213
|
+
if (!isAuthzEnabled()) return;
|
|
214
|
+
await getSpiceClient().promises.deleteRelationships({
|
|
215
|
+
relationshipFilter: {
|
|
216
|
+
resourceType: SpiceDbResourceTypes.PROJECT,
|
|
217
|
+
optionalResourceId: params.projectId,
|
|
218
|
+
optionalResourceIdPrefix: "",
|
|
219
|
+
optionalRelation: ""
|
|
220
|
+
},
|
|
221
|
+
optionalPreconditions: [],
|
|
222
|
+
optionalLimit: 0,
|
|
223
|
+
optionalAllowPartialDeletions: false,
|
|
224
|
+
optionalTransactionMetadata: void 0
|
|
225
|
+
});
|
|
226
|
+
}
|
|
227
|
+
/**
|
|
228
|
+
* List all explicit project members from SpiceDB.
|
|
229
|
+
* Returns users with project_admin, project_member, or project_viewer roles.
|
|
230
|
+
*/
|
|
231
|
+
async function listProjectMembers(params) {
|
|
232
|
+
if (!isAuthzEnabled()) return [];
|
|
233
|
+
return (await readRelationships({
|
|
234
|
+
resourceType: SpiceDbResourceTypes.PROJECT,
|
|
235
|
+
resourceId: params.projectId
|
|
236
|
+
})).filter((rel) => rel.subjectType === SpiceDbResourceTypes.USER && (rel.relation === SpiceDbRelations.PROJECT_ADMIN || rel.relation === SpiceDbRelations.PROJECT_MEMBER || rel.relation === SpiceDbRelations.PROJECT_VIEWER)).map((rel) => ({
|
|
237
|
+
userId: rel.subjectId,
|
|
238
|
+
role: rel.relation
|
|
239
|
+
}));
|
|
240
|
+
}
|
|
241
|
+
/**
|
|
242
|
+
* List all project memberships for a specific user.
|
|
243
|
+
* Returns projects where the user has explicit project_admin, project_member, or project_viewer roles.
|
|
244
|
+
*/
|
|
245
|
+
async function listUserProjectMembershipsInSpiceDb(params) {
|
|
246
|
+
if (!isAuthzEnabled()) return [];
|
|
247
|
+
return (await readRelationships({
|
|
248
|
+
resourceType: SpiceDbResourceTypes.PROJECT,
|
|
249
|
+
subjectType: SpiceDbResourceTypes.USER,
|
|
250
|
+
subjectId: params.userId
|
|
251
|
+
})).filter((rel) => rel.relation === SpiceDbRelations.PROJECT_ADMIN || rel.relation === SpiceDbRelations.PROJECT_MEMBER || rel.relation === SpiceDbRelations.PROJECT_VIEWER).map((rel) => ({
|
|
252
|
+
projectId: rel.resourceId,
|
|
253
|
+
role: rel.relation
|
|
254
|
+
}));
|
|
255
|
+
}
|
|
256
|
+
/**
|
|
257
|
+
* Revoke all project memberships for a user.
|
|
258
|
+
* Call when: user is promoted to org admin (they get inherited access, explicit project roles become redundant).
|
|
259
|
+
*
|
|
260
|
+
* Uses efficient bulk delete - deletes all project relationships for user without listing first.
|
|
261
|
+
*/
|
|
262
|
+
async function revokeAllProjectMemberships(params) {
|
|
263
|
+
if (!isAuthzEnabled()) return;
|
|
264
|
+
const spice = getSpiceClient();
|
|
265
|
+
await Promise.all([
|
|
266
|
+
spice.promises.deleteRelationships({
|
|
267
|
+
relationshipFilter: {
|
|
268
|
+
resourceType: SpiceDbResourceTypes.PROJECT,
|
|
269
|
+
optionalResourceId: "",
|
|
270
|
+
optionalResourceIdPrefix: "",
|
|
271
|
+
optionalRelation: SpiceDbRelations.PROJECT_ADMIN,
|
|
272
|
+
optionalSubjectFilter: {
|
|
273
|
+
subjectType: SpiceDbResourceTypes.USER,
|
|
274
|
+
optionalSubjectId: params.userId,
|
|
275
|
+
optionalRelation: void 0
|
|
276
|
+
}
|
|
277
|
+
},
|
|
278
|
+
optionalPreconditions: [],
|
|
279
|
+
optionalLimit: 0,
|
|
280
|
+
optionalAllowPartialDeletions: false,
|
|
281
|
+
optionalTransactionMetadata: void 0
|
|
282
|
+
}),
|
|
283
|
+
spice.promises.deleteRelationships({
|
|
284
|
+
relationshipFilter: {
|
|
285
|
+
resourceType: SpiceDbResourceTypes.PROJECT,
|
|
286
|
+
optionalResourceId: "",
|
|
287
|
+
optionalResourceIdPrefix: "",
|
|
288
|
+
optionalRelation: SpiceDbRelations.PROJECT_MEMBER,
|
|
289
|
+
optionalSubjectFilter: {
|
|
290
|
+
subjectType: SpiceDbResourceTypes.USER,
|
|
291
|
+
optionalSubjectId: params.userId,
|
|
292
|
+
optionalRelation: void 0
|
|
293
|
+
}
|
|
294
|
+
},
|
|
295
|
+
optionalPreconditions: [],
|
|
296
|
+
optionalLimit: 0,
|
|
297
|
+
optionalAllowPartialDeletions: false,
|
|
298
|
+
optionalTransactionMetadata: void 0
|
|
299
|
+
}),
|
|
300
|
+
spice.promises.deleteRelationships({
|
|
301
|
+
relationshipFilter: {
|
|
302
|
+
resourceType: SpiceDbResourceTypes.PROJECT,
|
|
303
|
+
optionalResourceId: "",
|
|
304
|
+
optionalResourceIdPrefix: "",
|
|
305
|
+
optionalRelation: SpiceDbRelations.PROJECT_VIEWER,
|
|
306
|
+
optionalSubjectFilter: {
|
|
307
|
+
subjectType: SpiceDbResourceTypes.USER,
|
|
308
|
+
optionalSubjectId: params.userId,
|
|
309
|
+
optionalRelation: void 0
|
|
310
|
+
}
|
|
311
|
+
},
|
|
312
|
+
optionalPreconditions: [],
|
|
313
|
+
optionalLimit: 0,
|
|
314
|
+
optionalAllowPartialDeletions: false,
|
|
315
|
+
optionalTransactionMetadata: void 0
|
|
316
|
+
})
|
|
317
|
+
]);
|
|
318
|
+
}
|
|
319
|
+
|
|
320
|
+
//#endregion
|
|
321
|
+
export { changeOrgRole, changeProjectRole, grantProjectAccess, listProjectMembers, listUserProjectMembershipsInSpiceDb, removeProjectFromSpiceDb, revokeAllProjectMemberships, revokeProjectAccess, syncOrgMemberToSpiceDb, syncProjectToSpiceDb };
|