@inkeep/agents-core 0.46.1 → 0.47.0

package/dist/auth/auth.d.ts

@@ -2,7 +2,7 @@ import { AgentsRunDatabaseClient } from "../db/runtime/runtime-client.js";
 import * as _better_auth_sso0 from "@better-auth/sso";
 import * as better_auth0 from "better-auth";
 import { BetterAuthAdvancedOptions } from "better-auth";
-import * as better_auth_plugins0 from "better-auth/plugins";
+import * as better_auth_plugins20 from "better-auth/plugins";
 import * as zod0 from "zod";
 import { GoogleOptions } from "better-auth/social-providers";
 
@@ -247,7 +247,7 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
         handler: (inputContext: better_auth0.MiddlewareInputContext<better_auth0.MiddlewareOptions>) => Promise<void>;
       }[];
     };
-    options: better_auth_plugins0.BearerOptions | undefined;
+    options: better_auth_plugins20.BearerOptions | undefined;
   }, {
     id: "sso";
     endpoints: {
@@ -875,30 +875,30 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
     };
   }, {
     id: "organization";
-    endpoints: better_auth_plugins0.OrganizationEndpoints<{
+    endpoints: better_auth_plugins20.OrganizationEndpoints<{
       allowUserToCreateOrganization: true;
-      ac: better_auth_plugins0.AccessControl;
+      ac: better_auth_plugins20.AccessControl;
       roles: {
         member: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins20.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins20.Statements>[key] | {
+            actions: better_auth_plugins20.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins20.Statements>[key];
             connector: "OR" | "AND";
-          } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
+          } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins20.AuthorizeResponse;
+          statements: better_auth_plugins20.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins20.Statements>;
         };
         admin: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins20.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins20.Statements>[key] | {
+            actions: better_auth_plugins20.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins20.Statements>[key];
             connector: "OR" | "AND";
-          } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
+          } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins20.AuthorizeResponse;
+          statements: better_auth_plugins20.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins20.Statements>;
         };
         owner: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins20.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins20.Statements>[key] | {
+            actions: better_auth_plugins20.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins20.Statements>[key];
             connector: "OR" | "AND";
-          } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
+          } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins20.AuthorizeResponse;
+          statements: better_auth_plugins20.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins20.Statements>;
         };
       };
       creatorRole: "admin";
@@ -909,9 +909,9 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
         id: string;
         role: string;
         email: string;
-        organization: better_auth_plugins0.Organization;
-        invitation: better_auth_plugins0.Invitation;
-        inviter: better_auth_plugins0.Member & {
+        organization: better_auth_plugins20.Organization;
+        invitation: better_auth_plugins20.Invitation;
+        inviter: better_auth_plugins20.Member & {
           user: better_auth0.User;
         };
       }): Promise<void>;
@@ -932,28 +932,28 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
           user,
           organization: org
         }: {
-          invitation: better_auth_plugins0.Invitation & Record<string, any>;
-          member: better_auth_plugins0.Member & Record<string, any>;
+          invitation: better_auth_plugins20.Invitation & Record<string, any>;
+          member: better_auth_plugins20.Member & Record<string, any>;
           user: better_auth0.User & Record<string, any>;
-          organization: better_auth_plugins0.Organization & Record<string, any>;
+          organization: better_auth_plugins20.Organization & Record<string, any>;
         }) => Promise<void>;
         beforeUpdateMemberRole: ({
           member,
           organization: org,
           newRole
         }: {
-          member: better_auth_plugins0.Member & Record<string, any>;
+          member: better_auth_plugins20.Member & Record<string, any>;
           newRole: string;
           user: better_auth0.User & Record<string, any>;
-          organization: better_auth_plugins0.Organization & Record<string, any>;
+          organization: better_auth_plugins20.Organization & Record<string, any>;
         }) => Promise<void>;
         afterRemoveMember: ({
           member,
           organization: org
         }: {
-          member: better_auth_plugins0.Member & Record<string, any>;
+          member: better_auth_plugins20.Member & Record<string, any>;
           user: better_auth0.User & Record<string, any>;
-          organization: better_auth_plugins0.Organization & Record<string, any>;
+          organization: better_auth_plugins20.Organization & Record<string, any>;
         }) => Promise<void>;
       };
     }>;
@@ -1084,8 +1084,8 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
         id: string;
         organizationId: string;
         email: string;
-        role: "member" | "admin" | "owner";
-        status: better_auth_plugins0.InvitationStatus;
+        role: "member" | "owner" | "admin";
+        status: better_auth_plugins20.InvitationStatus;
         inviterId: string;
         expiresAt: Date;
         createdAt: Date;
@@ -1094,7 +1094,7 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
       Member: {
         id: string;
         organizationId: string;
-        role: "member" | "admin" | "owner";
+        role: "member" | "owner" | "admin";
         createdAt: Date;
         userId: string;
         user: {
@@ -1110,7 +1110,7 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
         members: {
           id: string;
           organizationId: string;
-          role: "member" | "admin" | "owner";
+          role: "member" | "owner" | "admin";
           createdAt: Date;
           userId: string;
           user: {
@@ -1124,8 +1124,8 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
           id: string;
           organizationId: string;
           email: string;
-          role: "member" | "admin" | "owner";
-          status: better_auth_plugins0.InvitationStatus;
+          role: "member" | "owner" | "admin";
+          status: better_auth_plugins20.InvitationStatus;
           inviterId: string;
           expiresAt: Date;
           createdAt: Date;
@@ -1200,28 +1200,28 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
     };
     options: NoInfer<{
       allowUserToCreateOrganization: true;
-      ac: better_auth_plugins0.AccessControl;
+      ac: better_auth_plugins20.AccessControl;
       roles: {
         member: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins20.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins20.Statements>[key] | {
+            actions: better_auth_plugins20.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins20.Statements>[key];
             connector: "OR" | "AND";
-          } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
+          } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins20.AuthorizeResponse;
+          statements: better_auth_plugins20.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins20.Statements>;
         };
         admin: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins20.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins20.Statements>[key] | {
+            actions: better_auth_plugins20.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins20.Statements>[key];
             connector: "OR" | "AND";
-          } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
+          } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins20.AuthorizeResponse;
+          statements: better_auth_plugins20.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins20.Statements>;
         };
         owner: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins20.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins20.Statements>[key] | {
+            actions: better_auth_plugins20.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins20.Statements>[key];
             connector: "OR" | "AND";
-          } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
+          } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins20.AuthorizeResponse;
+          statements: better_auth_plugins20.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins20.Statements>;
         };
       };
       creatorRole: "admin";
@@ -1232,9 +1232,9 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
         id: string;
         role: string;
         email: string;
-        organization: better_auth_plugins0.Organization;
-        invitation: better_auth_plugins0.Invitation;
-        inviter: better_auth_plugins0.Member & {
+        organization: better_auth_plugins20.Organization;
+        invitation: better_auth_plugins20.Invitation;
+        inviter: better_auth_plugins20.Member & {
           user: better_auth0.User;
         };
       }): Promise<void>;
@@ -1255,28 +1255,28 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
           user,
           organization: org
         }: {
-          invitation: better_auth_plugins0.Invitation & Record<string, any>;
-          member: better_auth_plugins0.Member & Record<string, any>;
+          invitation: better_auth_plugins20.Invitation & Record<string, any>;
+          member: better_auth_plugins20.Member & Record<string, any>;
           user: better_auth0.User & Record<string, any>;
-          organization: better_auth_plugins0.Organization & Record<string, any>;
+          organization: better_auth_plugins20.Organization & Record<string, any>;
         }) => Promise<void>;
         beforeUpdateMemberRole: ({
           member,
           organization: org,
           newRole
         }: {
-          member: better_auth_plugins0.Member & Record<string, any>;
+          member: better_auth_plugins20.Member & Record<string, any>;
           newRole: string;
           user: better_auth0.User & Record<string, any>;
-          organization: better_auth_plugins0.Organization & Record<string, any>;
+          organization: better_auth_plugins20.Organization & Record<string, any>;
         }) => Promise<void>;
         afterRemoveMember: ({
           member,
           organization: org
         }: {
-          member: better_auth_plugins0.Member & Record<string, any>;
+          member: better_auth_plugins20.Member & Record<string, any>;
           user: better_auth0.User & Record<string, any>;
-          organization: better_auth_plugins0.Organization & Record<string, any>;
+          organization: better_auth_plugins20.Organization & Record<string, any>;
         }) => Promise<void>;
       };
     }>;
@@ -1613,8 +1613,8 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
       readonly AUTHENTICATION_REQUIRED: "Authentication required";
     };
     options: Partial<{
-      expiresIn: better_auth_plugins0.TimeString;
-      interval: better_auth_plugins0.TimeString;
+      expiresIn: better_auth_plugins20.TimeString;
+      interval: better_auth_plugins20.TimeString;
       deviceCodeLength: number;
       userCodeLength: number;
       schema: {

package/dist/auth/auth.js

@@ -1,5 +1,5 @@
 import { member, ssoProvider } from "./auth-schema.js";
-import { OrgRoles } from "./authz/config.js";
+import { OrgRoles } from "./authz/types.js";
 import { env } from "../env.js";
 import { setPasswordResetLink } from "./password-reset-link-store.js";
 import { generateId } from "../utils/conversations.js";

package/dist/auth/authz/config.d.ts

@@ -12,90 +12,5 @@ declare function getSpiceDbConfig(): {
   token: string;
   tlsEnabled: boolean;
 };
-/**
- * SpiceDB resource types used in the schema
- */
-declare const SpiceDbResourceTypes: {
-  readonly USER: "user";
-  readonly ORGANIZATION: "organization";
-  readonly PROJECT: "project";
-};
-/**
- * SpiceDB relations used in the schema
- *
- * Relations are named as nouns (roles) per SpiceDB best practices.
- * Project roles are prefixed for clarity when debugging/grepping.
- */
-declare const SpiceDbRelations: {
-  readonly OWNER: "owner";
-  readonly ADMIN: "admin";
-  readonly MEMBER: "member";
-  readonly ORGANIZATION: "organization";
-  readonly PROJECT_ADMIN: "project_admin";
-  readonly PROJECT_MEMBER: "project_member";
-  readonly PROJECT_VIEWER: "project_viewer";
-};
-/**
- * SpiceDB permissions for organization resources.
- *
- * From schema.zed definition organization:
- * - view: owner + admin + member
- * - manage: owner + admin (includes managing org settings and all projects)
- */
-declare const SpiceDbOrgPermissions: {
-  readonly VIEW: "view";
-  readonly MANAGE: "manage";
-};
-type SpiceDbOrgPermission = (typeof SpiceDbOrgPermissions)[keyof typeof SpiceDbOrgPermissions];
-/**
- * SpiceDB permissions for project resources.
- *
- * From schema.zed definition project:
- * - view: read-only access to project and its resources
- * - use: invoke agents, create API keys, view traces
- * - edit: modify configurations, manage members
- */
-declare const SpiceDbProjectPermissions: {
-  readonly VIEW: "view";
-  readonly USE: "use";
-  readonly EDIT: "edit";
-};
-type SpiceDbProjectPermission = (typeof SpiceDbProjectPermissions)[keyof typeof SpiceDbProjectPermissions];
-/**
- * Permission levels for project access checks.
- */
-type ProjectPermissionLevel = SpiceDbProjectPermission;
-/**
- * Organization roles from SpiceDB schema.
- */
-declare const OrgRoles: {
-  readonly OWNER: "owner";
-  readonly ADMIN: "admin";
-  readonly MEMBER: "member";
-};
-type OrgRole = (typeof OrgRoles)[keyof typeof OrgRoles];
-/**
- * Project roles from SpiceDB schema.
- *
- * Hierarchy:
- * - project_admin: Full access (view + use + edit + manage members)
- * - project_member: Operator access (view + use: invoke agents, create API keys)
- * - project_viewer: Read-only access (view only)
- */
-declare const ProjectRoles: {
-  readonly ADMIN: "project_admin";
-  readonly MEMBER: "project_member";
-  readonly VIEWER: "project_viewer";
-};
-type ProjectRole = (typeof ProjectRoles)[keyof typeof ProjectRoles];
-/**
- * Project permission capabilities.
- * Maps to the SpiceDB permission checks (view, use, edit).
- */
-interface ProjectPermissions {
-  canView: boolean;
-  canUse: boolean;
-  canEdit: boolean;
-}
 //#endregion
-export { OrgRole, OrgRoles, ProjectPermissionLevel, ProjectPermissions, ProjectRole, ProjectRoles, SpiceDbOrgPermission, SpiceDbOrgPermissions, SpiceDbProjectPermission, SpiceDbProjectPermissions, SpiceDbRelations, SpiceDbResourceTypes, getSpiceDbConfig, isLocalhostEndpoint };
+export { getSpiceDbConfig, isLocalhostEndpoint };

package/dist/auth/authz/config.js

@@ -1,3 +1,5 @@
+import { env } from "../../env.js";
+
 //#region src/auth/authz/config.ts
 /**
 * Check if a SpiceDB endpoint is localhost (used for TLS auto-detection).
@@ -10,81 +12,13 @@ function isLocalhostEndpoint(endpoint) {
 * TLS is auto-detected: disabled for localhost, enabled for remote endpoints.
 */
 function getSpiceDbConfig() {
-	const endpoint = process.env.SPICEDB_ENDPOINT || "localhost:50051";
+	const endpoint = env.SPICEDB_ENDPOINT || "localhost:50051";
 	return {
 		endpoint,
-		token: process.env.SPICEDB_PRESHARED_KEY || "",
-		tlsEnabled: !isLocalhostEndpoint(endpoint)
+		token: env.SPICEDB_PRESHARED_KEY || "",
+		tlsEnabled: env.SPICEDB_TLS_ENABLED ?? !isLocalhostEndpoint(endpoint)
 	};
 }
-/**
-* SpiceDB resource types used in the schema
-*/
-const SpiceDbResourceTypes = {
-	USER: "user",
-	ORGANIZATION: "organization",
-	PROJECT: "project"
-};
-/**
-* SpiceDB relations used in the schema
-*
-* Relations are named as nouns (roles) per SpiceDB best practices.
-* Project roles are prefixed for clarity when debugging/grepping.
-*/
-const SpiceDbRelations = {
-	OWNER: "owner",
-	ADMIN: "admin",
-	MEMBER: "member",
-	ORGANIZATION: "organization",
-	PROJECT_ADMIN: "project_admin",
-	PROJECT_MEMBER: "project_member",
-	PROJECT_VIEWER: "project_viewer"
-};
-/**
-* SpiceDB permissions for organization resources.
-*
-* From schema.zed definition organization:
-* - view: owner + admin + member
-* - manage: owner + admin (includes managing org settings and all projects)
-*/
-const SpiceDbOrgPermissions = {
-	VIEW: "view",
-	MANAGE: "manage"
-};
-/**
-* SpiceDB permissions for project resources.
-*
-* From schema.zed definition project:
-* - view: read-only access to project and its resources
-* - use: invoke agents, create API keys, view traces
-* - edit: modify configurations, manage members
-*/
-const SpiceDbProjectPermissions = {
-	VIEW: "view",
-	USE: "use",
-	EDIT: "edit"
-};
-/**
-* Organization roles from SpiceDB schema.
-*/
-const OrgRoles = {
-	OWNER: "owner",
-	ADMIN: "admin",
-	MEMBER: "member"
-};
-/**
-* Project roles from SpiceDB schema.
-*
-* Hierarchy:
-* - project_admin: Full access (view + use + edit + manage members)
-* - project_member: Operator access (view + use: invoke agents, create API keys)
-* - project_viewer: Read-only access (view only)
-*/
-const ProjectRoles = {
-	ADMIN: "project_admin",
-	MEMBER: "project_member",
-	VIEWER: "project_viewer"
-};
 
 //#endregion
-export { OrgRoles, ProjectRoles, SpiceDbOrgPermissions, SpiceDbProjectPermissions, SpiceDbRelations, SpiceDbResourceTypes, getSpiceDbConfig, isLocalhostEndpoint };
+export { getSpiceDbConfig, isLocalhostEndpoint };

package/dist/auth/authz/index.d.ts

@@ -1,5 +1,6 @@
 import { checkBulkPermissions, checkPermission, deleteRelationship, getSpiceClient, lookupResources, readRelationships, resetSpiceClient, writeRelationship } from "./client.js";
-import { OrgRole, OrgRoles, ProjectPermissionLevel, ProjectPermissions, ProjectRole, ProjectRoles, SpiceDbOrgPermission, SpiceDbOrgPermissions, SpiceDbProjectPermission, SpiceDbProjectPermissions, SpiceDbRelations, SpiceDbResourceTypes, getSpiceDbConfig } from "./config.js";
+import { getSpiceDbConfig } from "./config.js";
+import { OrgRole, OrgRoles, ProjectPermissionLevel, ProjectPermissions, ProjectRole, ProjectRoles, SpiceDbOrgPermission, SpiceDbOrgPermissions, SpiceDbProjectPermission, SpiceDbProjectPermissions, SpiceDbRelations, SpiceDbResourceTypes } from "./types.js";
 import { canEditProject, canUseProject, canUseProjectStrict, canViewProject, listAccessibleProjectIds, listUsableProjectIds } from "./permissions.js";
 import { changeOrgRole, changeProjectRole, grantProjectAccess, listProjectMembers, listUserProjectMembershipsInSpiceDb, removeProjectFromSpiceDb, revokeAllProjectMemberships, revokeProjectAccess, syncOrgMemberToSpiceDb, syncProjectToSpiceDb } from "./sync.js";
 export { type OrgRole, OrgRoles, type ProjectPermissionLevel, type ProjectPermissions, type ProjectRole, ProjectRoles, type SpiceDbOrgPermission, SpiceDbOrgPermissions, type SpiceDbProjectPermission, SpiceDbProjectPermissions, SpiceDbRelations, SpiceDbResourceTypes, canEditProject, canUseProject, canUseProjectStrict, canViewProject, changeOrgRole, changeProjectRole, checkBulkPermissions, checkPermission, deleteRelationship, getSpiceClient, getSpiceDbConfig, grantProjectAccess, listAccessibleProjectIds, listProjectMembers, listUsableProjectIds, listUserProjectMembershipsInSpiceDb, lookupResources, readRelationships, removeProjectFromSpiceDb, resetSpiceClient, revokeAllProjectMemberships, revokeProjectAccess, syncOrgMemberToSpiceDb, syncProjectToSpiceDb, writeRelationship };

package/dist/auth/authz/index.js

@@ -1,4 +1,5 @@
-import { OrgRoles, ProjectRoles, SpiceDbOrgPermissions, SpiceDbProjectPermissions, SpiceDbRelations, SpiceDbResourceTypes, getSpiceDbConfig } from "./config.js";
+import { OrgRoles, ProjectRoles, SpiceDbOrgPermissions, SpiceDbProjectPermissions, SpiceDbRelations, SpiceDbResourceTypes } from "./types.js";
+import { getSpiceDbConfig } from "./config.js";
 import { checkBulkPermissions, checkPermission, deleteRelationship, getSpiceClient, lookupResources, readRelationships, resetSpiceClient, writeRelationship } from "./client.js";
 import { canEditProject, canUseProject, canUseProjectStrict, canViewProject, listAccessibleProjectIds, listUsableProjectIds } from "./permissions.js";
 import { changeOrgRole, changeProjectRole, grantProjectAccess, listProjectMembers, listUserProjectMembershipsInSpiceDb, removeProjectFromSpiceDb, revokeAllProjectMemberships, revokeProjectAccess, syncOrgMemberToSpiceDb, syncProjectToSpiceDb } from "./sync.js";

package/dist/auth/authz/permissions.d.ts

@@ -1,4 +1,4 @@
-import { OrgRole } from "./config.js";
+import { OrgRole } from "./types.js";
 
 //#region src/auth/authz/permissions.d.ts
 

package/dist/auth/authz/permissions.js

@@ -1,4 +1,4 @@
-import { OrgRoles, SpiceDbProjectPermissions, SpiceDbResourceTypes } from "./config.js";
+import { OrgRoles, SpiceDbProjectPermissions, SpiceDbResourceTypes } from "./types.js";
 import { checkPermission, lookupResources } from "./client.js";
 
 //#region src/auth/authz/permissions.ts

package/dist/auth/authz/sync.d.ts

@@ -1,4 +1,4 @@
-import { OrgRole, ProjectRole } from "./config.js";
+import { OrgRole, ProjectRole } from "./types.js";
 
 //#region src/auth/authz/sync.d.ts
 

package/dist/auth/authz/sync.js

@@ -1,4 +1,4 @@
-import { SpiceDbRelations, SpiceDbResourceTypes } from "./config.js";
+import { SpiceDbRelations, SpiceDbResourceTypes } from "./types.js";
 import { RelationshipOperation, deleteRelationship, getSpiceClient, readRelationships, writeRelationship } from "./client.js";
 
 //#region src/auth/authz/sync.ts

package/dist/auth/authz/types.d.ts

@@ -0,0 +1,92 @@
+//#region src/auth/authz/types.d.ts
+/**
+ * Client-safe authz types and constants.
+ * These can be safely imported in client-side code without any Node.js dependencies.
+ */
+/**
+ * SpiceDB resource types used in the schema
+ */
+declare const SpiceDbResourceTypes: {
+  readonly USER: "user";
+  readonly ORGANIZATION: "organization";
+  readonly PROJECT: "project";
+};
+/**
+ * SpiceDB relations used in the schema
+ *
+ * Relations are named as nouns (roles) per SpiceDB best practices.
+ * Project roles are prefixed for clarity when debugging/grepping.
+ */
+declare const SpiceDbRelations: {
+  readonly OWNER: "owner";
+  readonly ADMIN: "admin";
+  readonly MEMBER: "member";
+  readonly ORGANIZATION: "organization";
+  readonly PROJECT_ADMIN: "project_admin";
+  readonly PROJECT_MEMBER: "project_member";
+  readonly PROJECT_VIEWER: "project_viewer";
+};
+/**
+ * SpiceDB permissions for organization resources.
+ *
+ * From schema.zed definition organization:
+ * - view: owner + admin + member
+ * - manage: owner + admin (includes managing org settings and all projects)
+ */
+declare const SpiceDbOrgPermissions: {
+  readonly VIEW: "view";
+  readonly MANAGE: "manage";
+};
+type SpiceDbOrgPermission = (typeof SpiceDbOrgPermissions)[keyof typeof SpiceDbOrgPermissions];
+/**
+ * SpiceDB permissions for project resources.
+ *
+ * From schema.zed definition project:
+ * - view: read-only access to project and its resources
+ * - use: invoke agents, create API keys, view traces
+ * - edit: modify configurations, manage members
+ */
+declare const SpiceDbProjectPermissions: {
+  readonly VIEW: "view";
+  readonly USE: "use";
+  readonly EDIT: "edit";
+};
+type SpiceDbProjectPermission = (typeof SpiceDbProjectPermissions)[keyof typeof SpiceDbProjectPermissions];
+/**
+ * Permission levels for project access checks.
+ */
+type ProjectPermissionLevel = SpiceDbProjectPermission;
+/**
+ * Organization roles from SpiceDB schema.
+ */
+declare const OrgRoles: {
+  readonly OWNER: "owner";
+  readonly ADMIN: "admin";
+  readonly MEMBER: "member";
+};
+type OrgRole = (typeof OrgRoles)[keyof typeof OrgRoles];
+/**
+ * Project roles from SpiceDB schema.
+ *
+ * Hierarchy:
+ * - project_admin: Full access (view + use + edit + manage members)
+ * - project_member: Operator access (view + use: invoke agents, create API keys)
+ * - project_viewer: Read-only access (view only)
+ */
+declare const ProjectRoles: {
+  readonly ADMIN: "project_admin";
+  readonly MEMBER: "project_member";
+  readonly VIEWER: "project_viewer";
+};
+type ProjectRole = (typeof ProjectRoles)[keyof typeof ProjectRoles];
+/**
+ * Project permission capabilities.
+ * Maps to the SpiceDB permission checks (view, use, edit).
+ */
+interface ProjectPermissions {
+  canView: boolean;
+  canUse: boolean;
+  canEdit: boolean;
+}
+//#endregion
+export { OrgRole, OrgRoles, ProjectPermissionLevel, ProjectPermissions, ProjectRole, ProjectRoles, SpiceDbOrgPermission, SpiceDbOrgPermissions, SpiceDbProjectPermission, SpiceDbProjectPermissions, SpiceDbRelations, SpiceDbResourceTypes };