@inkeep/agents-core 0.42.0 → 0.43.0

package/drizzle/manage/meta/_journal.json

@@ -22,6 +22,27 @@
       "when": 1768957920900,
       "tag": "0002_bent_sunfire",
       "breakpoints": true
+    },
+    {
+      "idx": 3,
+      "version": "7",
+      "when": 1769000000000,
+      "tag": "0003_tiny_captain_universe",
+      "breakpoints": true
+    },
+    {
+      "idx": 4,
+      "version": "7",
+      "when": 1769200490876,
+      "tag": "0004_curious_phil_sheldon",
+      "breakpoints": true
+    },
+    {
+      "idx": 5,
+      "version": "7",
+      "when": 1769554137371,
+      "tag": "0005_silent_shatterstar",
+      "breakpoints": true
     }
   ]
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@inkeep/agents-core",
-  "version": "0.42.0",
+  "version": "0.43.0",
   "description": "Agents Core contains the database schema, types, and validation schemas for Inkeep Agent Framework, along with core components.",
   "type": "module",
   "license": "SEE LICENSE IN LICENSE.md",
@@ -66,6 +66,10 @@
       "types": "./dist/utils/schema-conversion.d.ts",
       "import": "./dist/utils/schema-conversion.js"
     },
+    "./utils/signature-validation": {
+      "types": "./dist/utils/signature-validation.d.ts",
+      "import": "./dist/utils/signature-validation.js"
+    },
     "./auth": {
       "types": "./dist/auth/auth.d.ts",
       "import": "./dist/auth/auth.js"
@@ -125,7 +129,8 @@
     "pino-pretty": "^13.1.1",
     "postgres": "^3.4.8",
     "traverse": "^0.6.10",
-    "ts-pattern": "^5.7.1"
+    "ts-pattern": "^5.7.1",
+    "@napi-rs/keyring": "^1.2.0"
   },
   "peerDependencies": {
     "@hono/zod-openapi": "^1.1.5",
@@ -139,8 +144,7 @@
     "@opentelemetry/sdk-metrics": "^2.0.1",
     "@opentelemetry/sdk-node": "^0.203.0",
     "@opentelemetry/sdk-trace-node": "^2.0.1",
-    "@opentelemetry/semantic-conventions": "^1.34.0",
-    "keytar": "^7.9.0"
+    "@opentelemetry/semantic-conventions": "^1.34.0"
   },
   "devDependencies": {
     "@types/jmespath": "^0.15.2",
@@ -163,6 +167,7 @@
   "files": [
     "dist",
     "drizzle",
+    "spicedb",
     "README.md",
     "LICENSE.md",
     "SUPPLEMENTAL_TERMS.md"

package/spicedb/schema.zed

@@ -0,0 +1,114 @@
+/**
+ * SpiceDB Schema for Project-Level Access Control
+ * 
+ * This schema defines the authorization model for the Inkeep Agent Framework.
+ * All projects are private by default and require explicit grants.
+ * 
+ * Naming Conventions (per SpiceDB best practices):
+ * - Relations: nouns (roles) - e.g., owner, admin, member
+ * - Permissions: verbs (actions) - e.g., view, edit, delete, manage
+ * 
+ * Future Extensibility:
+ * - Groups: Add `| group#member` to relation types
+ * - Service Accounts: Add `| service_account` to relation types  
+ * - Custom Roles: Define a `role` definition and bind it via `relation custom_role: role`
+ */
+
+/**
+ * user represents a human user in the system
+ */
+definition user {}
+
+/**
+ * organization represents a tenant/org boundary
+ * All authorization is scoped within an organization
+ */
+definition organization {
+    /**
+     * owner has full control over the organization
+     */
+    relation owner: user
+    
+    /**
+     * admin can manage org settings and all projects
+     */
+    relation admin: user
+    
+    /**
+     * member is a basic org member with no implicit project access
+     */
+    relation member: user
+    
+    /**
+     * Can view organization details
+     * "Can user VIEW organization?"
+     */
+    permission view = owner + admin + member
+    
+    /**
+     * Can manage organization settings and all projects
+     * "Can user MANAGE organization?"
+     */
+    permission manage = owner + admin
+}
+
+/**
+ * project is a container for agents, workflows, and other resources
+ * All projects are private by default - require explicit grants
+ * 
+ * Role Hierarchy:
+ * - project_admin: Full access (view + use + edit + manage members)
+ * - project_member: Operator access (view + use: invoke agents, create API keys)
+ * - project_viewer: Read-only access (view only)
+ */
+definition project {
+    /**
+     * The organization this project belongs to
+     */
+    relation organization: organization
+    
+    /**
+     * project_admin can manage project membership, settings, and configurations
+     * Includes all permissions: view, use, edit, delete
+     */
+    relation project_admin: user
+    
+    /**
+     * project_member can use the project (invoke agents, create API keys)
+     * but cannot edit configurations or manage members
+     * Includes: view, use
+     */
+    relation project_member: user
+    
+    /**
+     * project_viewer can only view the project and its resources (read-only)
+     * Cannot invoke agents, create API keys, or edit anything
+     * Includes: view only
+     */
+    relation project_viewer: user
+    
+    /**
+     * Can view the project and its resources (read-only)
+     * "Can user VIEW project?"
+     * - Org managers can always view
+     * - All project roles can view
+     */
+    permission view = organization->manage + project_admin + project_member + project_viewer
+    
+    /**
+     * Can use the project (invoke agents, create API keys, view traces)
+     * "Can user USE project?"
+     * - Org managers can always use
+     * - project_admin and project_member can use
+     * - project_viewer CANNOT use (read-only)
+     */
+    permission use = organization->manage + project_admin + project_member
+    
+    /**
+     * Can edit project configurations and manage members
+     * "Can user EDIT project?"
+     * - Org managers can always edit
+     * - Only project_admin can edit
+     */
+    permission edit = organization->manage + project_admin
+}