@inkeep/agents-core 0.42.0 → 0.43.0

package/dist/auth/auth.d.ts

@@ -852,25 +852,25 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
       ac: better_auth_plugins0.AccessControl;
       roles: {
         member: {
-          authorize<K_1 extends "organization" | "ac" | "member" | "project" | "team" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
         };
         admin: {
-          authorize<K_1 extends "organization" | "ac" | "member" | "project" | "team" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
         };
         owner: {
-          authorize<K_1 extends "organization" | "ac" | "member" | "project" | "team" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
         };
       };
       membershipLimit: number;
@@ -897,13 +897,13 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
           user: better_auth0.User & Record<string, any>;
           organization: better_auth_plugins0.Organization & Record<string, any>;
         }) => Promise<void>;
-        afterUpdateMemberRole: ({
+        beforeUpdateMemberRole: ({
           member,
           organization: org,
-          previousRole
+          newRole
         }: {
           member: better_auth_plugins0.Member & Record<string, any>;
-          previousRole: string;
+          newRole: string;
           user: better_auth0.User & Record<string, any>;
           organization: better_auth_plugins0.Organization & Record<string, any>;
         }) => Promise<void>;
@@ -1161,25 +1161,25 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
       ac: better_auth_plugins0.AccessControl;
       roles: {
         member: {
-          authorize<K_1 extends "organization" | "ac" | "member" | "project" | "team" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
         };
         admin: {
-          authorize<K_1 extends "organization" | "ac" | "member" | "project" | "team" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
         };
         owner: {
-          authorize<K_1 extends "organization" | "ac" | "member" | "project" | "team" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
         };
       };
       membershipLimit: number;
@@ -1206,13 +1206,13 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
           user: better_auth0.User & Record<string, any>;
           organization: better_auth_plugins0.Organization & Record<string, any>;
         }) => Promise<void>;
-        afterUpdateMemberRole: ({
+        beforeUpdateMemberRole: ({
           member,
           organization: org,
-          previousRole
+          newRole
         }: {
           member: better_auth_plugins0.Member & Record<string, any>;
-          previousRole: string;
+          newRole: string;
           user: better_auth0.User & Record<string, any>;
           organization: better_auth_plugins0.Organization & Record<string, any>;
         }) => Promise<void>;

package/dist/auth/auth.js

@@ -1,4 +1,5 @@
 import { member, ssoProvider } from "./auth-schema.js";
+import { OrgRoles } from "./authz/config.js";
 import { env } from "../env.js";
 import { generateId } from "../utils/conversations.js";
 import "../utils/index.js";
@@ -22,7 +23,7 @@ async function getInitialOrganization(dbClient, userId) {
 /**
 * Extracts the root domain from a URL for cross-subdomain cookie sharing.
 * For example:
-* - https://manage-api.pilot.inkeep.com -> .pilot.inkeep.com
+* - https://api.pilot.inkeep.com -> .pilot.inkeep.com
 * - https://pilot.inkeep.com -> .pilot.inkeep.com
 * - http://localhost:3002 -> undefined (no domain for localhost)
 *
@@ -163,20 +164,23 @@ function createAuth(config) {
 							console.error("❌ SpiceDB sync failed for new member:", error);
 						}
 					},
-					afterUpdateMemberRole: async ({ member: member$1, organization: org, previousRole }) => {
-						try {
-							const { changeOrgRole } = await import("./authz/sync.js");
-							const oldRole = previousRole;
-							const newRole = member$1.role;
-							await changeOrgRole({
+					beforeUpdateMemberRole: async ({ member: member$1, organization: org, newRole }) => {
+						const { changeOrgRole, revokeAllProjectMemberships } = await import("./authz/sync.js");
+						const oldRole = member$1.role;
+						const targetRole = newRole;
+						await changeOrgRole({
+							tenantId: org.id,
+							userId: member$1.userId,
+							oldRole,
+							newRole: targetRole
+						});
+						console.log(`🔐 SpiceDB: Updated member ${member$1.userId} role from ${oldRole} to ${targetRole} in org ${org.name}`);
+						if (oldRole === OrgRoles.MEMBER && (targetRole === OrgRoles.ADMIN || targetRole === OrgRoles.OWNER)) {
+							await revokeAllProjectMemberships({
 								tenantId: org.id,
-								userId: member$1.userId,
-								oldRole,
-								newRole
+								userId: member$1.userId
 							});
-							console.log(`🔐 SpiceDB: Updated member ${member$1.userId} role from ${oldRole} to ${newRole} in org ${org.name}`);
-						} catch (error) {
-							console.error("❌ SpiceDB sync failed for role update:", error);
+							console.log(`🔐 SpiceDB: Revoked all project memberships for ${member$1.userId} (promoted to ${targetRole})`);
 						}
 					},
 					afterRemoveMember: async ({ member: member$1, organization: org }) => {

package/dist/auth/authz/client.d.ts

@@ -12,9 +12,11 @@ declare function getSpiceClient(): ZedClientInterface;
  * Reset the client (useful for testing)
  */
 declare function resetSpiceClient(): void;
+declare const RelationshipOperation: typeof v1.RelationshipUpdate_Operation;
+declare const Permissionship: typeof v1.CheckPermissionResponse_Permissionship;
 /**
  * Check if a subject has a permission on a resource.
- * Note: Caller must verify isAuthzEnabled(tenantId) before calling.
+ * Note: Caller must verify isAuthzEnabled() before calling.
  */
 declare function checkPermission(params: {
   resourceType: string;
@@ -67,15 +69,19 @@ declare function deleteRelationship(params: {
 }): Promise<void>;
 /**
  * Read relationships for a resource to list subjects with access.
+ * Optionally filter by subject type and ID.
  */
 declare function readRelationships(params: {
   resourceType: string;
-  resourceId: string;
+  resourceId?: string;
   relation?: string;
+  subjectType?: string;
+  subjectId?: string;
 }): Promise<Array<{
+  resourceId: string;
   subjectType: string;
   subjectId: string;
   relation: string;
 }>>;
 //#endregion
-export { checkBulkPermissions, checkPermission, deleteRelationship, getSpiceClient, lookupResources, readRelationships, resetSpiceClient, v1, writeRelationship };
+export { Permissionship, RelationshipOperation, checkBulkPermissions, checkPermission, deleteRelationship, getSpiceClient, lookupResources, readRelationships, resetSpiceClient, v1, writeRelationship };

package/dist/auth/authz/client.js

@@ -7,6 +7,7 @@ import { v1 } from "@authzed/authzed-node";
 *
 * Provides a singleton SpiceDB client and helper functions for common operations.
 */
+const { RelationshipUpdate_Operation, CheckPermissionResponse_Permissionship } = v1;
 let client = null;
 /**
 * Get the SpiceDB client singleton.
@@ -25,11 +26,11 @@ function getSpiceClient() {
 function resetSpiceClient() {
 	client = null;
 }
-const PERMISSIONSHIP_HAS_PERMISSION = 2;
-const RELATIONSHIP_OPERATION_CREATE = 1;
+const RelationshipOperation = RelationshipUpdate_Operation;
+const Permissionship = CheckPermissionResponse_Permissionship;
 /**
 * Check if a subject has a permission on a resource.
-* Note: Caller must verify isAuthzEnabled(tenantId) before calling.
+* Note: Caller must verify isAuthzEnabled() before calling.
 */
 async function checkPermission(params) {
 	return (await getSpiceClient().promises.checkPermission({
@@ -46,12 +47,12 @@ async function checkPermission(params) {
 			optionalRelation: ""
 		},
 		consistency: { requirement: {
-			oneofKind: "minimizeLatency",
-			minimizeLatency: true
+			oneofKind: "fullyConsistent",
+			fullyConsistent: true
 		} },
 		context: void 0,
 		withTracing: false
-	})).permissionship === PERMISSIONSHIP_HAS_PERMISSION;
+	})).permissionship === CheckPermissionResponse_Permissionship.HAS_PERMISSION;
 }
 /**
 * Check multiple permissions on a resource in a single request.
@@ -75,15 +76,15 @@ async function checkBulkPermissions(params) {
 	const response = await spice.promises.checkBulkPermissions(v1.CheckBulkPermissionsRequest.create({
 		items,
 		consistency: { requirement: {
-			oneofKind: "minimizeLatency",
-			minimizeLatency: true
+			oneofKind: "fullyConsistent",
+			fullyConsistent: true
 		} }
 	}));
 	const result = {};
 	for (let i = 0; i < params.permissions.length; i++) {
 		const permission = params.permissions[i];
 		const pair = response.pairs[i];
-		if (pair.response.oneofKind === "item") result[permission] = pair.response.item.permissionship === PERMISSIONSHIP_HAS_PERMISSION;
+		if (pair.response.oneofKind === "item") result[permission] = pair.response.item.permissionship === CheckPermissionResponse_Permissionship.HAS_PERMISSION;
 		else result[permission] = false;
 	}
 	return result;
@@ -103,8 +104,8 @@ async function lookupResources(params) {
 			optionalRelation: ""
 		},
 		consistency: { requirement: {
-			oneofKind: "minimizeLatency",
-			minimizeLatency: true
+			oneofKind: "fullyConsistent",
+			fullyConsistent: true
 		} },
 		context: void 0,
 		optionalLimit: 0,
@@ -117,7 +118,7 @@ async function lookupResources(params) {
 async function writeRelationship(params) {
 	await getSpiceClient().promises.writeRelationships({
 		updates: [{
-			operation: RELATIONSHIP_OPERATION_CREATE,
+			operation: RelationshipUpdate_Operation.TOUCH,
 			relationship: {
 				resource: {
 					objectType: params.resourceType,
@@ -162,23 +163,29 @@ async function deleteRelationship(params) {
 }
 /**
 * Read relationships for a resource to list subjects with access.
+* Optionally filter by subject type and ID.
 */
 async function readRelationships(params) {
 	return (await getSpiceClient().promises.readRelationships({
 		relationshipFilter: {
 			resourceType: params.resourceType,
-			optionalResourceId: params.resourceId,
+			optionalResourceId: params.resourceId || "",
 			optionalResourceIdPrefix: "",
 			optionalRelation: params.relation || "",
-			optionalSubjectFilter: void 0
+			optionalSubjectFilter: params.subjectType || params.subjectId ? {
+				subjectType: params.subjectType || "",
+				optionalSubjectId: params.subjectId || "",
+				optionalRelation: void 0
+			} : void 0
 		},
 		consistency: { requirement: {
-			oneofKind: "minimizeLatency",
-			minimizeLatency: true
+			oneofKind: "fullyConsistent",
+			fullyConsistent: true
 		} },
 		optionalLimit: 0,
 		optionalCursor: void 0
 	})).map((item) => ({
+		resourceId: item.relationship?.resource?.objectId || "",
 		subjectType: item.relationship?.subject?.object?.objectType || "",
 		subjectId: item.relationship?.subject?.object?.objectId || "",
 		relation: item.relationship?.relation || ""
@@ -186,4 +193,4 @@ async function readRelationships(params) {
 }
 
 //#endregion
-export { checkBulkPermissions, checkPermission, deleteRelationship, getSpiceClient, lookupResources, readRelationships, resetSpiceClient, v1, writeRelationship };
+export { Permissionship, RelationshipOperation, checkBulkPermissions, checkPermission, deleteRelationship, getSpiceClient, lookupResources, readRelationships, resetSpiceClient, v1, writeRelationship };

package/dist/auth/authz/config.d.ts

@@ -4,20 +4,10 @@
  *
  * Feature flag and configuration for the SpiceDB authorization system.
  */
-/**
- * Check if authorization is enabled.
- *
- * When called without tenantId:
- * - Returns true if ENABLE_AUTHZ=true
- *
- * When called with tenantId:
- * - If ENABLE_AUTHZ=false → returns false
- * - If ENABLE_AUTHZ=true and TENANT_ID is not set → returns true (all tenants)
- * - If ENABLE_AUTHZ=true and TENANT_ID is set → returns true only if tenantId matches
- */
-declare function isAuthzEnabled(tenantId: string): boolean;
+declare function isAuthzEnabled(): boolean;
 /**
  * Get SpiceDB connection configuration from environment variables.
+ * TLS is auto-detected: disabled for localhost, enabled for remote endpoints.
  */
 declare function getSpiceDbConfig(): {
   endpoint: string;
@@ -48,29 +38,66 @@ declare const SpiceDbRelations: {
   readonly PROJECT_VIEWER: "project_viewer";
 };
 /**
- * SpiceDB permissions used in the schema
+ * SpiceDB permissions for organization resources.
  *
- * Permissions are named as verbs (actions) per SpiceDB best practices.
+ * From schema.zed definition organization:
+ * - view: owner + admin + member
+ * - manage: owner + admin (includes managing org settings and all projects)
  */
+declare const SpiceDbOrgPermissions: {
+  readonly VIEW: "view";
+  readonly MANAGE: "manage";
+};
+type SpiceDbOrgPermission = (typeof SpiceDbOrgPermissions)[keyof typeof SpiceDbOrgPermissions];
 /**
- * SpiceDB permissions used in permission checks.
+ * SpiceDB permissions for project resources.
  *
- * Note: Organization-level permissions (manage) are handled via
- * orgRole bypass in permission functions, not direct SpiceDB checks.
+ * From schema.zed definition project:
+ * - view: read-only access to project and its resources
+ * - use: invoke agents, create API keys, view traces
+ * - edit: modify configurations, manage members
  */
-declare const SpiceDbPermissions: {
+declare const SpiceDbProjectPermissions: {
   readonly VIEW: "view";
   readonly USE: "use";
   readonly EDIT: "edit";
-  readonly DELETE: "delete";
 };
-type OrgRole = 'owner' | 'admin' | 'member';
+type SpiceDbProjectPermission = (typeof SpiceDbProjectPermissions)[keyof typeof SpiceDbProjectPermissions];
+/**
+ * Permission levels for project access checks.
+ */
+type ProjectPermissionLevel = SpiceDbProjectPermission;
+/**
+ * Organization roles from SpiceDB schema.
+ */
+declare const OrgRoles: {
+  readonly OWNER: "owner";
+  readonly ADMIN: "admin";
+  readonly MEMBER: "member";
+};
+type OrgRole = (typeof OrgRoles)[keyof typeof OrgRoles];
 /**
- * Project roles hierarchy:
- * - project_admin: Full access (view + use + edit + manage members + delete)
+ * Project roles from SpiceDB schema.
+ *
+ * Hierarchy:
+ * - project_admin: Full access (view + use + edit + manage members)
  * - project_member: Operator access (view + use: invoke agents, create API keys)
  * - project_viewer: Read-only access (view only)
  */
-type ProjectRole = 'project_admin' | 'project_member' | 'project_viewer';
+declare const ProjectRoles: {
+  readonly ADMIN: "project_admin";
+  readonly MEMBER: "project_member";
+  readonly VIEWER: "project_viewer";
+};
+type ProjectRole = (typeof ProjectRoles)[keyof typeof ProjectRoles];
+/**
+ * Project permission capabilities.
+ * Maps to the SpiceDB permission checks (view, use, edit).
+ */
+interface ProjectPermissions {
+  canView: boolean;
+  canUse: boolean;
+  canEdit: boolean;
+}
 //#endregion
-export { OrgRole, ProjectRole, SpiceDbPermissions, SpiceDbRelations, SpiceDbResourceTypes, getSpiceDbConfig, isAuthzEnabled };
+export { OrgRole, OrgRoles, ProjectPermissionLevel, ProjectPermissions, ProjectRole, ProjectRoles, SpiceDbOrgPermission, SpiceDbOrgPermissions, SpiceDbProjectPermission, SpiceDbProjectPermissions, SpiceDbRelations, SpiceDbResourceTypes, getSpiceDbConfig, isAuthzEnabled };

package/dist/auth/authz/config.js

@@ -4,31 +4,20 @@
 *
 * Feature flag and configuration for the SpiceDB authorization system.
 */
-/**
-* Check if authorization is enabled.
-*
-* When called without tenantId:
-* - Returns true if ENABLE_AUTHZ=true
-*
-* When called with tenantId:
-* - If ENABLE_AUTHZ=false → returns false
-* - If ENABLE_AUTHZ=true and TENANT_ID is not set → returns true (all tenants)
-* - If ENABLE_AUTHZ=true and TENANT_ID is set → returns true only if tenantId matches
-*/
-function isAuthzEnabled(tenantId) {
-	if (process.env.ENABLE_AUTHZ !== "true") return false;
-	const configuredTenantId = process.env.TENANT_ID?.trim();
-	if (!configuredTenantId) return true;
-	return tenantId === configuredTenantId;
+function isAuthzEnabled() {
+	return process.env.ENABLE_AUTHZ === "true";
 }
 /**
 * Get SpiceDB connection configuration from environment variables.
+* TLS is auto-detected: disabled for localhost, enabled for remote endpoints.
 */
 function getSpiceDbConfig() {
+	const endpoint = process.env.SPICEDB_ENDPOINT || "localhost:50051";
+	const isLocalhost = endpoint.startsWith("localhost") || endpoint.startsWith("127.0.0.1");
 	return {
-		endpoint: process.env.SPICEDB_ENDPOINT || "localhost:50051",
+		endpoint,
 		token: process.env.SPICEDB_PRESHARED_KEY || "",
-		tlsEnabled: process.env.SPICEDB_TLS_ENABLED === "true"
+		tlsEnabled: !isLocalhost
 	};
 }
 /**
@@ -55,22 +44,50 @@ const SpiceDbRelations = {
 	PROJECT_VIEWER: "project_viewer"
 };
 /**
-* SpiceDB permissions used in the schema
+* SpiceDB permissions for organization resources.
 *
-* Permissions are named as verbs (actions) per SpiceDB best practices.
+* From schema.zed definition organization:
+* - view: owner + admin + member
+* - manage: owner + admin (includes managing org settings and all projects)
 */
+const SpiceDbOrgPermissions = {
+	VIEW: "view",
+	MANAGE: "manage"
+};
 /**
-* SpiceDB permissions used in permission checks.
+* SpiceDB permissions for project resources.
 *
-* Note: Organization-level permissions (manage) are handled via
-* orgRole bypass in permission functions, not direct SpiceDB checks.
+* From schema.zed definition project:
+* - view: read-only access to project and its resources
+* - use: invoke agents, create API keys, view traces
+* - edit: modify configurations, manage members
 */
-const SpiceDbPermissions = {
+const SpiceDbProjectPermissions = {
 	VIEW: "view",
 	USE: "use",
-	EDIT: "edit",
-	DELETE: "delete"
+	EDIT: "edit"
+};
+/**
+* Organization roles from SpiceDB schema.
+*/
+const OrgRoles = {
+	OWNER: "owner",
+	ADMIN: "admin",
+	MEMBER: "member"
+};
+/**
+* Project roles from SpiceDB schema.
+*
+* Hierarchy:
+* - project_admin: Full access (view + use + edit + manage members)
+* - project_member: Operator access (view + use: invoke agents, create API keys)
+* - project_viewer: Read-only access (view only)
+*/
+const ProjectRoles = {
+	ADMIN: "project_admin",
+	MEMBER: "project_member",
+	VIEWER: "project_viewer"
 };
 
 //#endregion
-export { SpiceDbPermissions, SpiceDbRelations, SpiceDbResourceTypes, getSpiceDbConfig, isAuthzEnabled };
+export { OrgRoles, ProjectRoles, SpiceDbOrgPermissions, SpiceDbProjectPermissions, SpiceDbRelations, SpiceDbResourceTypes, getSpiceDbConfig, isAuthzEnabled };

package/dist/auth/authz/index.d.ts

@@ -1,5 +1,5 @@
 import { checkBulkPermissions, checkPermission, deleteRelationship, getSpiceClient, lookupResources, readRelationships, resetSpiceClient, writeRelationship } from "./client.js";
-import { OrgRole, ProjectRole, SpiceDbPermissions, SpiceDbRelations, SpiceDbResourceTypes, getSpiceDbConfig, isAuthzEnabled } from "./config.js";
+import { OrgRole, OrgRoles, ProjectPermissionLevel, ProjectPermissions, ProjectRole, ProjectRoles, SpiceDbOrgPermission, SpiceDbOrgPermissions, SpiceDbProjectPermission, SpiceDbProjectPermissions, SpiceDbRelations, SpiceDbResourceTypes, getSpiceDbConfig, isAuthzEnabled } from "./config.js";
 import { canEditProject, canUseProject, canViewProject, listAccessibleProjectIds } from "./permissions.js";
-import { changeProjectRole, grantProjectAccess, listProjectMembers, removeProjectFromSpiceDb, revokeProjectAccess, syncOrgMemberToSpiceDb, syncProjectToSpiceDb } from "./sync.js";
-export { type OrgRole, type ProjectRole, SpiceDbPermissions, SpiceDbRelations, SpiceDbResourceTypes, canEditProject, canUseProject, canViewProject, changeProjectRole, checkBulkPermissions, checkPermission, deleteRelationship, getSpiceClient, getSpiceDbConfig, grantProjectAccess, isAuthzEnabled, listAccessibleProjectIds, listProjectMembers, lookupResources, readRelationships, removeProjectFromSpiceDb, resetSpiceClient, revokeProjectAccess, syncOrgMemberToSpiceDb, syncProjectToSpiceDb, writeRelationship };
+import { changeOrgRole, changeProjectRole, grantProjectAccess, listProjectMembers, listUserProjectMembershipsInSpiceDb, removeProjectFromSpiceDb, revokeAllProjectMemberships, revokeProjectAccess, syncOrgMemberToSpiceDb, syncProjectToSpiceDb } from "./sync.js";
+export { type OrgRole, OrgRoles, type ProjectPermissionLevel, type ProjectPermissions, type ProjectRole, ProjectRoles, type SpiceDbOrgPermission, SpiceDbOrgPermissions, type SpiceDbProjectPermission, SpiceDbProjectPermissions, SpiceDbRelations, SpiceDbResourceTypes, canEditProject, canUseProject, canViewProject, changeOrgRole, changeProjectRole, checkBulkPermissions, checkPermission, deleteRelationship, getSpiceClient, getSpiceDbConfig, grantProjectAccess, isAuthzEnabled, listAccessibleProjectIds, listProjectMembers, listUserProjectMembershipsInSpiceDb, lookupResources, readRelationships, removeProjectFromSpiceDb, resetSpiceClient, revokeAllProjectMemberships, revokeProjectAccess, syncOrgMemberToSpiceDb, syncProjectToSpiceDb, writeRelationship };

package/dist/auth/authz/index.js

@@ -1,6 +1,6 @@
-import { SpiceDbPermissions, SpiceDbRelations, SpiceDbResourceTypes, getSpiceDbConfig, isAuthzEnabled } from "./config.js";
+import { OrgRoles, ProjectRoles, SpiceDbOrgPermissions, SpiceDbProjectPermissions, SpiceDbRelations, SpiceDbResourceTypes, getSpiceDbConfig, isAuthzEnabled } from "./config.js";
 import { checkBulkPermissions, checkPermission, deleteRelationship, getSpiceClient, lookupResources, readRelationships, resetSpiceClient, writeRelationship } from "./client.js";
 import { canEditProject, canUseProject, canViewProject, listAccessibleProjectIds } from "./permissions.js";
-import { changeProjectRole, grantProjectAccess, listProjectMembers, removeProjectFromSpiceDb, revokeProjectAccess, syncOrgMemberToSpiceDb, syncProjectToSpiceDb } from "./sync.js";
+import { changeOrgRole, changeProjectRole, grantProjectAccess, listProjectMembers, listUserProjectMembershipsInSpiceDb, removeProjectFromSpiceDb, revokeAllProjectMemberships, revokeProjectAccess, syncOrgMemberToSpiceDb, syncProjectToSpiceDb } from "./sync.js";
 
-export { SpiceDbPermissions, SpiceDbRelations, SpiceDbResourceTypes, canEditProject, canUseProject, canViewProject, changeProjectRole, checkBulkPermissions, checkPermission, deleteRelationship, getSpiceClient, getSpiceDbConfig, grantProjectAccess, isAuthzEnabled, listAccessibleProjectIds, listProjectMembers, lookupResources, readRelationships, removeProjectFromSpiceDb, resetSpiceClient, revokeProjectAccess, syncOrgMemberToSpiceDb, syncProjectToSpiceDb, writeRelationship };
+export { OrgRoles, ProjectRoles, SpiceDbOrgPermissions, SpiceDbProjectPermissions, SpiceDbRelations, SpiceDbResourceTypes, canEditProject, canUseProject, canViewProject, changeOrgRole, changeProjectRole, checkBulkPermissions, checkPermission, deleteRelationship, getSpiceClient, getSpiceDbConfig, grantProjectAccess, isAuthzEnabled, listAccessibleProjectIds, listProjectMembers, listUserProjectMembershipsInSpiceDb, lookupResources, readRelationships, removeProjectFromSpiceDb, resetSpiceClient, revokeAllProjectMemberships, revokeProjectAccess, syncOrgMemberToSpiceDb, syncProjectToSpiceDb, writeRelationship };

package/dist/auth/authz/permissions.d.ts

@@ -10,7 +10,6 @@ import { OrgRole } from "./config.js";
  * - Otherwise: checks SpiceDB
  */
 declare function canViewProject(params: {
-  tenantId: string;
   userId: string;
   projectId: string;
   orgRole: OrgRole;
@@ -23,7 +22,6 @@ declare function canViewProject(params: {
  * - Otherwise: checks SpiceDB for use permission
  */
 declare function canUseProject(params: {
-  tenantId: string;
   userId: string;
   projectId: string;
   orgRole: OrgRole;
@@ -36,7 +34,6 @@ declare function canUseProject(params: {
  * - Otherwise: checks SpiceDB for edit permission
  */
 declare function canEditProject(params: {
-  tenantId: string;
   userId: string;
   projectId: string;
   orgRole: OrgRole;
@@ -49,7 +46,6 @@ declare function canEditProject(params: {
  * - Otherwise: uses SpiceDB LookupResources
  */
 declare function listAccessibleProjectIds(params: {
-  tenantId: string;
   userId: string;
   orgRole: OrgRole;
 }): Promise<string[] | 'all'>;

package/dist/auth/authz/permissions.js

@@ -1,4 +1,4 @@
-import { SpiceDbPermissions, SpiceDbResourceTypes, isAuthzEnabled } from "./config.js";
+import { OrgRoles, SpiceDbProjectPermissions, SpiceDbResourceTypes, isAuthzEnabled } from "./config.js";
 import { checkPermission, lookupResources } from "./client.js";
 
 //#region src/auth/authz/permissions.ts
@@ -15,12 +15,12 @@ import { checkPermission, lookupResources } from "./client.js";
 * - Otherwise: checks SpiceDB
 */
 async function canViewProject(params) {
-	if (!isAuthzEnabled(params.tenantId)) return true;
-	if (params.orgRole === "owner" || params.orgRole === "admin") return true;
+	const isAdmin = params.orgRole === OrgRoles.OWNER || params.orgRole === OrgRoles.ADMIN;
+	if (!isAuthzEnabled() || isAdmin) return true;
 	return checkPermission({
 		resourceType: SpiceDbResourceTypes.PROJECT,
 		resourceId: params.projectId,
-		permission: SpiceDbPermissions.VIEW,
+		permission: SpiceDbProjectPermissions.VIEW,
 		subjectType: SpiceDbResourceTypes.USER,
 		subjectId: params.userId
 	});
@@ -33,12 +33,12 @@ async function canViewProject(params) {
 * - Otherwise: checks SpiceDB for use permission
 */
 async function canUseProject(params) {
-	if (!isAuthzEnabled(params.tenantId)) return true;
-	if (params.orgRole === "owner" || params.orgRole === "admin") return true;
+	const isAdmin = params.orgRole === OrgRoles.OWNER || params.orgRole === OrgRoles.ADMIN;
+	if (!isAuthzEnabled() || isAdmin) return true;
 	return checkPermission({
 		resourceType: SpiceDbResourceTypes.PROJECT,
 		resourceId: params.projectId,
-		permission: SpiceDbPermissions.USE,
+		permission: SpiceDbProjectPermissions.USE,
 		subjectType: SpiceDbResourceTypes.USER,
 		subjectId: params.userId
 	});
@@ -51,12 +51,12 @@ async function canUseProject(params) {
 * - Otherwise: checks SpiceDB for edit permission
 */
 async function canEditProject(params) {
-	if (!isAuthzEnabled(params.tenantId)) return params.orgRole === "owner" || params.orgRole === "admin";
-	if (params.orgRole === "owner" || params.orgRole === "admin") return true;
+	if (params.orgRole === OrgRoles.OWNER || params.orgRole === OrgRoles.ADMIN) return true;
+	if (!isAuthzEnabled()) return false;
 	return checkPermission({
 		resourceType: SpiceDbResourceTypes.PROJECT,
 		resourceId: params.projectId,
-		permission: SpiceDbPermissions.EDIT,
+		permission: SpiceDbProjectPermissions.EDIT,
 		subjectType: SpiceDbResourceTypes.USER,
 		subjectId: params.userId
 	});
@@ -69,11 +69,11 @@ async function canEditProject(params) {
 * - Otherwise: uses SpiceDB LookupResources
 */
 async function listAccessibleProjectIds(params) {
-	if (!isAuthzEnabled(params.tenantId)) return "all";
-	if (params.orgRole === "owner" || params.orgRole === "admin") return "all";
+	const isAdmin = params.orgRole === OrgRoles.OWNER || params.orgRole === OrgRoles.ADMIN;
+	if (!isAuthzEnabled() || isAdmin) return "all";
 	return lookupResources({
 		resourceType: SpiceDbResourceTypes.PROJECT,
-		permission: SpiceDbPermissions.VIEW,
+		permission: SpiceDbProjectPermissions.VIEW,
 		subjectType: SpiceDbResourceTypes.USER,
 		subjectId: params.userId
 	});