@inkeep/agents-core 0.41.2 → 0.43.0

package/drizzle/{meta → runtime/meta}/_journal.json

@@ -57,6 +57,20 @@
       "when": 1767651466654,
       "tag": "0007_slim_karma",
       "breakpoints": true
+    },
+    {
+      "idx": 8,
+      "version": "7",
+      "when": 1768240742352,
+      "tag": "0008_silly_preak",
+      "breakpoints": true
+    },
+    {
+      "idx": 9,
+      "version": "7",
+      "when": 1768646273355,
+      "tag": "0009_freezing_leo",
+      "breakpoints": true
     }
   ]
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@inkeep/agents-core",
-  "version": "0.41.2",
+  "version": "0.43.0",
   "description": "Agents Core contains the database schema, types, and validation schemas for Inkeep Agent Framework, along with core components.",
   "type": "module",
   "license": "SEE LICENSE IN LICENSE.md",
@@ -10,13 +10,29 @@
       "types": "./dist/index.d.ts",
       "default": "./dist/index.js"
     },
-    "./schema": {
-      "types": "./dist/db/schema.d.ts",
-      "import": "./dist/db/schema.js"
+    "./db/manage-schema": {
+      "types": "./dist/db/manage/manage-schema.d.ts",
+      "import": "./dist/db/manage/manage-schema.js"
     },
-    "./db/schema": {
-      "types": "./dist/db/schema.d.ts",
-      "import": "./dist/db/schema.js"
+    "./db/run-schema": {
+      "types": "./dist/db/runtime/runtime-schema.d.ts",
+      "import": "./dist/db/runtime/runtime-schema.js"
+    },
+    "./db/manage-client": {
+      "types": "./dist/db/manage/manage-client.d.ts",
+      "import": "./dist/db/manage/manage-client.js"
+    },
+    "./db/test-manage-client": {
+      "types": "./dist/db/manage/test-manage-client.d.ts",
+      "import": "./dist/db/manage/test-manage-client.js"
+    },
+    "./db/test-runtime-client": {
+      "types": "./dist/db/runtime/test-runtime-client.d.ts",
+      "import": "./dist/db/runtime/test-runtime-client.js"
+    },
+    "./db/run-client": {
+      "types": "./dist/db/runtime/runtime-client.d.ts",
+      "import": "./dist/db/runtime/runtime-client.js"
     },
     "./types": {
       "types": "./dist/types/index.d.ts",
@@ -50,6 +66,10 @@
       "types": "./dist/utils/schema-conversion.d.ts",
       "import": "./dist/utils/schema-conversion.js"
     },
+    "./utils/signature-validation": {
+      "types": "./dist/utils/signature-validation.d.ts",
+      "import": "./dist/utils/signature-validation.js"
+    },
     "./auth": {
       "types": "./dist/auth/auth.d.ts",
       "import": "./dist/auth/auth.js"
@@ -66,16 +86,21 @@
       "types": "./dist/auth/permissions.d.ts",
       "import": "./dist/auth/permissions.js"
     },
+    "./auth/authz": {
+      "types": "./dist/auth/authz/index.d.ts",
+      "import": "./dist/auth/authz/index.js"
+    },
     "./drizzle": "./drizzle/",
     "./package.json": "./package.json"
   },
   "dependencies": {
-    "@ai-sdk/azure": "^3.0.4",
     "@ai-sdk/anthropic": "3.0.7",
+    "@ai-sdk/azure": "^3.0.4",
     "@ai-sdk/gateway": "3.0.9",
     "@ai-sdk/google": "3.0.4",
     "@ai-sdk/openai": "3.0.7",
     "@ai-sdk/openai-compatible": "2.0.4",
+    "@authzed/authzed-node": "^1.6.1",
     "@better-auth/sso": "~1.4.10",
     "@composio/core": "^0.2.4",
     "@electric-sql/pglite": "^0.3.13",
@@ -95,14 +120,17 @@
     "exit-hook": "^4.0.0",
     "find-up": "^7.0.0",
     "hono": "^4.10.4",
+    "iwanthue": "^2.0.0",
     "jmespath": "^0.16.0",
     "jose": "^6.1.0",
     "nanoid": "^5.0.9",
     "pg": "^8.16.3",
     "pino": "^9.11.0",
     "pino-pretty": "^13.1.1",
+    "postgres": "^3.4.8",
     "traverse": "^0.6.10",
-    "ts-pattern": "^5.7.1"
+    "ts-pattern": "^5.7.1",
+    "@napi-rs/keyring": "^1.2.0"
   },
   "peerDependencies": {
     "@hono/zod-openapi": "^1.1.5",
@@ -116,8 +144,7 @@
     "@opentelemetry/sdk-metrics": "^2.0.1",
     "@opentelemetry/sdk-node": "^0.203.0",
     "@opentelemetry/sdk-trace-node": "^2.0.1",
-    "@opentelemetry/semantic-conventions": "^1.34.0",
-    "keytar": "^7.9.0"
+    "@opentelemetry/semantic-conventions": "^1.34.0"
   },
   "devDependencies": {
     "@types/jmespath": "^0.15.2",
@@ -140,6 +167,7 @@
   "files": [
     "dist",
     "drizzle",
+    "spicedb",
     "README.md",
     "LICENSE.md",
     "SUPPLEMENTAL_TERMS.md"
@@ -154,8 +182,7 @@
     "build": "tsdown",
     "dev": "pnpm build --watch",
     "test": "vitest --run",
-    "test:unit": "vitest --run src/__tests__ --exclude src/__tests__/integration/**",
-    "test:integration": "vitest --run src/__tests__/integration/",
+    "test:integration": "vitest --run --config vitest.integration.config.ts src/__tests__/integration/",
     "test:coverage": "vitest --run --coverage",
     "test:watch": "vitest --watch",
     "lint": "biome lint --error-on-warnings",
@@ -164,13 +191,24 @@
     "format:check": "biome format src",
     "typecheck": "tsc --noEmit",
     "typecheck:watch": "tsc --noEmit --watch",
-    "db:generate": "drizzle-kit generate",
-    "db:migrate": "drizzle-kit migrate",
-    "db:drop": "drizzle-kit drop",
+    "db:generate": "pnpm db:manage:generate && pnpm db:run:generate",
+    "db:migrate": "pnpm db:manage:migrate && pnpm db:run:migrate",
+    "db:drop": "pnpm db:manage:drop && pnpm db:run:drop",
     "db:clean": "tsx src/db/clean.ts",
     "db:delete": "tsx src/db/delete.ts",
     "db:reset": "pnpm db:delete && pnpm db:migrate",
-    "db:studio": "drizzle-kit studio",
-    "db:check": "drizzle-kit check"
+    "db:studio": "echo 'Use db:manage:studio or db:run:studio'",
+    "db:check": "pnpm db:manage:check && pnpm db:run:check",
+    "db:manage:generate": "drizzle-kit generate --config=drizzle.manage.config.ts",
+    "db:manage:migrate": "tsx src/dolt/migrate-dolt.ts",
+    "db:manage:sync-all-branches": "tsx src/dolt/migrate-all-branches.ts",
+    "db:manage:drop": "drizzle-kit drop --config=drizzle.manage.config.ts",
+    "db:manage:studio": "drizzle-kit studio --config=drizzle.manage.config.ts",
+    "db:manage:check": "drizzle-kit check --config=drizzle.manage.config.ts",
+    "db:run:generate": "drizzle-kit generate --config=drizzle.run.config.ts",
+    "db:run:migrate": "drizzle-kit migrate --config=drizzle.run.config.ts",
+    "db:run:drop": "drizzle-kit drop --config=drizzle.run.config.ts",
+    "db:run:studio": "drizzle-kit studio --config=drizzle.run.config.ts",
+    "db:run:check": "drizzle-kit check --config=drizzle.run.config.ts"
   }
 }

package/spicedb/schema.zed

@@ -0,0 +1,114 @@
+/**
+ * SpiceDB Schema for Project-Level Access Control
+ * 
+ * This schema defines the authorization model for the Inkeep Agent Framework.
+ * All projects are private by default and require explicit grants.
+ * 
+ * Naming Conventions (per SpiceDB best practices):
+ * - Relations: nouns (roles) - e.g., owner, admin, member
+ * - Permissions: verbs (actions) - e.g., view, edit, delete, manage
+ * 
+ * Future Extensibility:
+ * - Groups: Add `| group#member` to relation types
+ * - Service Accounts: Add `| service_account` to relation types  
+ * - Custom Roles: Define a `role` definition and bind it via `relation custom_role: role`
+ */
+
+/**
+ * user represents a human user in the system
+ */
+definition user {}
+
+/**
+ * organization represents a tenant/org boundary
+ * All authorization is scoped within an organization
+ */
+definition organization {
+    /**
+     * owner has full control over the organization
+     */
+    relation owner: user
+    
+    /**
+     * admin can manage org settings and all projects
+     */
+    relation admin: user
+    
+    /**
+     * member is a basic org member with no implicit project access
+     */
+    relation member: user
+    
+    /**
+     * Can view organization details
+     * "Can user VIEW organization?"
+     */
+    permission view = owner + admin + member
+    
+    /**
+     * Can manage organization settings and all projects
+     * "Can user MANAGE organization?"
+     */
+    permission manage = owner + admin
+}
+
+/**
+ * project is a container for agents, workflows, and other resources
+ * All projects are private by default - require explicit grants
+ * 
+ * Role Hierarchy:
+ * - project_admin: Full access (view + use + edit + manage members)
+ * - project_member: Operator access (view + use: invoke agents, create API keys)
+ * - project_viewer: Read-only access (view only)
+ */
+definition project {
+    /**
+     * The organization this project belongs to
+     */
+    relation organization: organization
+    
+    /**
+     * project_admin can manage project membership, settings, and configurations
+     * Includes all permissions: view, use, edit, delete
+     */
+    relation project_admin: user
+    
+    /**
+     * project_member can use the project (invoke agents, create API keys)
+     * but cannot edit configurations or manage members
+     * Includes: view, use
+     */
+    relation project_member: user
+    
+    /**
+     * project_viewer can only view the project and its resources (read-only)
+     * Cannot invoke agents, create API keys, or edit anything
+     * Includes: view only
+     */
+    relation project_viewer: user
+    
+    /**
+     * Can view the project and its resources (read-only)
+     * "Can user VIEW project?"
+     * - Org managers can always view
+     * - All project roles can view
+     */
+    permission view = organization->manage + project_admin + project_member + project_viewer
+    
+    /**
+     * Can use the project (invoke agents, create API keys, view traces)
+     * "Can user USE project?"
+     * - Org managers can always use
+     * - project_admin and project_member can use
+     * - project_viewer CANNOT use (read-only)
+     */
+    permission use = organization->manage + project_admin + project_member
+    
+    /**
+     * Can edit project configurations and manage members
+     * "Can user EDIT project?"
+     * - Org managers can always edit
+     * - Only project_admin can edit
+     */
+    permission edit = organization->manage + project_admin
+}

package/dist/context/ContextFetcher.d.ts

@@ -1,73 +0,0 @@
-import { CredentialStoreRegistry } from "../credential-stores/CredentialStoreRegistry.js";
-import { TemplateContext } from "./TemplateEngine.js";
-import { ContextFetchDefinition } from "../types/utility.js";
-import { DatabaseClient } from "../db/client.js";
-
-//#region src/context/ContextFetcher.d.ts
-declare class MissingRequiredVariableError extends Error {
-  constructor(variable: string);
-}
-interface FetchResult {
-  data: unknown;
-  source: string;
-  durationMs: number;
-}
-declare class ContextFetcher {
-  private tenantId;
-  private projectId;
-  private defaultTimeout;
-  private credentialStuffer?;
-  private dbClient;
-  constructor(tenantId: string, projectId: string, dbClient: DatabaseClient, credentialStoreRegistry?: CredentialStoreRegistry, defaultTimeout?: number);
-  /**
-   * Fetch data according to a fetch definition
-   */
-  fetch(definition: ContextFetchDefinition, context: TemplateContext): Promise<{
-    data: unknown;
-    resolvedUrl: string;
-  }>;
-  private getCredential;
-  /**
-   * Resolve template variables in fetch configuration and inject credential headers
-   */
-  private resolveTemplateVariables;
-  /**
-   * Interpolate template variables in a string using TemplateEngine
-   */
-  private interpolateTemplate;
-  /**
-   * Interpolate template variables in an object recursively using TemplateEngine
-   */
-  private interpolateObjectTemplates;
-  /**
-   * Perform HTTP request
-   */
-  private performRequest;
-  /**
-   * Transform response data using JMESPath
-   */
-  private transformResponse;
-  /**
-   * Validate response against JSON Schema
-   */
-  private validateResponseWithJsonSchema;
-  /**
-   * Test a fetch definition without caching
-   */
-  test(definition: ContextFetchDefinition, context: TemplateContext): Promise<{
-    success: boolean;
-    data?: unknown;
-    resolvedUrl?: string;
-    error?: string;
-    durationMs: number;
-  }>;
-  /**
-   * Get fetcher statistics
-   */
-  getStats(): {
-    tenantId: string;
-    defaultTimeout: number;
-  };
-}
-//#endregion
-export { ContextFetcher, FetchResult, MissingRequiredVariableError };

package/dist/context/ContextFetcher.js

@@ -1,291 +0,0 @@
-import { getLogger } from "../utils/logger.js";
-import { TemplateEngine } from "./TemplateEngine.js";
-import { CredentialStuffer } from "../credential-stuffer/CredentialStuffer.js";
-import { getCredentialReference } from "../data-access/credentialReferences.js";
-import "../data-access/index.js";
-import { validateAgainstJsonSchema } from "../middleware/contextValidation.js";
-import "../middleware/index.js";
-import jmespath from "jmespath";
-
-//#region src/context/ContextFetcher.ts
-const logger = getLogger("context-fetcher");
-var MissingRequiredVariableError = class extends Error {
-	constructor(variable) {
-		super(`Missing required variable: ${variable}`);
-		this.name = "MissingRequiredVariableError";
-	}
-};
-/**
-* GraphQL error checker - validates response for GraphQL errors and throws if found
-*/
-const checkGraphQLErrors = (data) => {
-	if (data && typeof data === "object" && "errors" in data) {
-		const errorObj = data;
-		if (Array.isArray(errorObj.errors) && errorObj.errors.length > 0) {
-			const agentqlErrors = errorObj.errors;
-			const errorMessage = `GraphQL request failed with ${agentqlErrors.length} errors: ${agentqlErrors.map((e) => e.message || "Unknown error").join(", ")}`;
-			throw new Error(errorMessage);
-		}
-	}
-};
-const responseErrorCheckers = [checkGraphQLErrors];
-var ContextFetcher = class {
-	tenantId;
-	projectId;
-	defaultTimeout;
-	credentialStuffer;
-	dbClient;
-	constructor(tenantId, projectId, dbClient, credentialStoreRegistry, defaultTimeout = 1e4) {
-		this.tenantId = tenantId;
-		this.projectId = projectId;
-		this.defaultTimeout = defaultTimeout;
-		if (credentialStoreRegistry) this.credentialStuffer = new CredentialStuffer(credentialStoreRegistry);
-		this.dbClient = dbClient;
-		logger.info({
-			tenantId: this.tenantId,
-			defaultTimeout: this.defaultTimeout,
-			hasCredentialSupport: !!this.credentialStuffer
-		}, "ContextFetcher initialized");
-	}
-	/**
-	* Fetch data according to a fetch definition
-	*/
-	async fetch(definition, context) {
-		const startTime = Date.now();
-		logger.info({
-			definitionId: definition.id,
-			url: definition.fetchConfig.url
-		}, "Starting context fetch");
-		try {
-			const resolvedConfig = await this.resolveTemplateVariables(definition.fetchConfig, context, definition.credentialReferenceId);
-			const response = await this.performRequest(resolvedConfig);
-			let transformedData = response.data;
-			if (definition.fetchConfig.transform) transformedData = this.transformResponse(response.data, definition.fetchConfig.transform);
-			if (definition.responseSchema) this.validateResponseWithJsonSchema(transformedData, definition.responseSchema, definition.id);
-			const durationMs = Date.now() - startTime;
-			logger.info({
-				definitionId: definition.id,
-				source: response.source,
-				durationMs
-			}, "Context fetch completed successfully");
-			return {
-				data: transformedData,
-				resolvedUrl: resolvedConfig.url
-			};
-		} catch (error) {
-			const durationMs = Date.now() - startTime;
-			const errorMessage = error instanceof Error ? error.message : "Unknown error";
-			if (error instanceof MissingRequiredVariableError) logger.error({
-				definitionId: definition.id,
-				error: errorMessage,
-				durationMs
-			}, "Context fetch skipped due to missing required variable");
-			logger.error({
-				definitionId: definition.id,
-				error: errorMessage,
-				durationMs
-			}, "Context fetch failed");
-			throw error;
-		}
-	}
-	async getCredential(credentialReferenceId) {
-		try {
-			const credentialReference = await getCredentialReference(this.dbClient)({
-				scopes: {
-					tenantId: this.tenantId,
-					projectId: this.projectId
-				},
-				id: credentialReferenceId
-			});
-			logger.info({ credentialReference }, "Credential reference");
-			if (!credentialReference || !this.credentialStuffer) throw new Error(`Credential store not found for reference ID: ${credentialReferenceId}`);
-			const credentialContext = {
-				tenantId: this.tenantId,
-				projectId: this.projectId
-			};
-			const storeReference = {
-				credentialStoreId: credentialReference.credentialStoreId,
-				retrievalParams: credentialReference.retrievalParams || {}
-			};
-			return await this.credentialStuffer.getCredentials(credentialContext, storeReference);
-		} catch (error) {
-			logger.error({
-				credentialReferenceId,
-				error: error instanceof Error ? error.message : "Unknown error"
-			}, "Failed to resolve credentials for fetch request");
-			throw error;
-		}
-	}
-	/**
-	* Resolve template variables in fetch configuration and inject credential headers
-	*/
-	async resolveTemplateVariables(fetchConfig, context, credentialReferenceId) {
-		const resolved = { ...fetchConfig };
-		const filteredRequiredToFetch = fetchConfig.requiredToFetch?.filter((variable) => variable.startsWith("{{") && variable.endsWith("}}"));
-		if (filteredRequiredToFetch) for (const variable of filteredRequiredToFetch) {
-			let resolvedVariable;
-			try {
-				resolvedVariable = this.interpolateTemplate(variable, context);
-			} catch {
-				throw new MissingRequiredVariableError(variable);
-			}
-			if (resolvedVariable === "" || resolvedVariable === variable) throw new MissingRequiredVariableError(variable);
-		}
-		resolved.url = this.interpolateTemplate(fetchConfig.url, context);
-		logger.info({ resolvedUrl: resolved.url }, "Resolved URL");
-		if (fetchConfig.headers) {
-			resolved.headers = {};
-			for (const [key, value] of Object.entries(fetchConfig.headers)) resolved.headers[key] = this.interpolateTemplate(value, context);
-		}
-		if (fetchConfig.body) resolved.body = this.interpolateObjectTemplates(fetchConfig.body, context);
-		if (credentialReferenceId && this.credentialStuffer) try {
-			const credentialHeaders = (await this.getCredential(credentialReferenceId))?.headers;
-			if (credentialHeaders) {
-				resolved.headers = {
-					...resolved.headers,
-					...credentialHeaders
-				};
-				logger.info({ credentialReferenceId }, "Added credential headers to fetch request");
-			}
-		} catch (error) {
-			logger.error({
-				credentialReferenceId,
-				error: error instanceof Error ? error.message : "Unknown error"
-			}, "Failed to resolve credentials for fetch request");
-			throw error;
-		}
-		return resolved;
-	}
-	/**
-	* Interpolate template variables in a string using TemplateEngine
-	*/
-	interpolateTemplate(template, context) {
-		try {
-			return TemplateEngine.render(template, context, {
-				strict: false,
-				preserveUnresolved: true
-			});
-		} catch (error) {
-			logger.error({
-				template,
-				error: error instanceof Error ? error.message : "Unknown error"
-			}, "Failed to interpolate template variable");
-			return template;
-		}
-	}
-	/**
-	* Interpolate template variables in an object recursively using TemplateEngine
-	*/
-	interpolateObjectTemplates(obj, context) {
-		const result = {};
-		for (const [key, value] of Object.entries(obj)) if (typeof value === "string") result[key] = this.interpolateTemplate(value, context);
-		else if (value && typeof value === "object" && !Array.isArray(value)) result[key] = this.interpolateObjectTemplates(value, context);
-		else result[key] = value;
-		return result;
-	}
-	/**
-	* Perform HTTP request
-	*/
-	async performRequest(config) {
-		const startTime = Date.now();
-		try {
-			logger.debug({
-				url: config.url,
-				method: config.method
-			}, "Performing HTTP request");
-			const response = await fetch(config.url, {
-				method: config.method,
-				headers: config.headers,
-				body: config.body ? JSON.stringify(config.body) : void 0,
-				signal: AbortSignal.timeout(config.timeout || this.defaultTimeout)
-			});
-			if (!response.ok) {
-				const errorText = await response.text();
-				throw /* @__PURE__ */ new Error(`HTTP ${response.status}: ${response.statusText} - ${errorText}`);
-			}
-			const contentType = response.headers.get("content-type") || "";
-			let data;
-			if (contentType.includes("application/json")) data = await response.json();
-			else data = await response.text();
-			const durationMs = Date.now() - startTime;
-			for (const checker of responseErrorCheckers) checker(data);
-			return {
-				data,
-				source: config.url,
-				durationMs
-			};
-		} catch (error) {
-			const durationMs = Date.now() - startTime;
-			const requestError = error instanceof Error ? error : /* @__PURE__ */ new Error("Unknown error");
-			logger.warn({
-				url: config.url,
-				error: requestError.message,
-				durationMs
-			}, "HTTP request failed");
-			throw requestError;
-		}
-	}
-	/**
-	* Transform response data using JMESPath
-	*/
-	transformResponse(data, transform) {
-		try {
-			return jmespath.search(data, transform);
-		} catch (error) {
-			logger.error({
-				transform,
-				error: error instanceof Error ? error.message : "Unknown error"
-			}, "Failed to transform response data");
-			return data;
-		}
-	}
-	/**
-	* Validate response against JSON Schema
-	*/
-	validateResponseWithJsonSchema(data, jsonSchema, definitionId) {
-		try {
-			if (!validateAgainstJsonSchema(jsonSchema, data)) throw new Error("Data does not match JSON Schema");
-		} catch (error) {
-			const errorMessage = error instanceof Error ? error.message : "Unknown validation error";
-			logger.error({
-				definitionId,
-				jsonSchema,
-				error: errorMessage
-			}, "JSON Schema response validation failed");
-			throw new Error(`Response validation failed: ${errorMessage}`);
-		}
-	}
-	/**
-	* Test a fetch definition without caching
-	*/
-	async test(definition, context) {
-		const startTime = Date.now();
-		try {
-			const result = await this.fetch(definition, context);
-			return {
-				success: true,
-				data: result.data,
-				resolvedUrl: result.resolvedUrl,
-				durationMs: Date.now() - startTime
-			};
-		} catch (error) {
-			return {
-				success: false,
-				error: error instanceof Error ? error.message : "Unknown error",
-				durationMs: Date.now() - startTime
-			};
-		}
-	}
-	/**
-	* Get fetcher statistics
-	*/
-	getStats() {
-		return {
-			tenantId: this.tenantId,
-			defaultTimeout: this.defaultTimeout
-		};
-	}
-};
-
-//#endregion
-export { ContextFetcher, MissingRequiredVariableError };