@inkeep/agents-core 0.48.7 → 0.50.0

package/dist/auth/auth.d.ts

@@ -3,7 +3,7 @@ import * as zod0 from "zod";
 import * as _better_auth_sso0 from "@better-auth/sso";
 import * as better_auth0 from "better-auth";
 import { BetterAuthAdvancedOptions } from "better-auth";
-import * as better_auth_plugins20 from "better-auth/plugins";
+import * as better_auth_plugins0 from "better-auth/plugins";
 import { GoogleOptions } from "better-auth/social-providers";
 
 //#region src/auth/auth.d.ts
@@ -247,7 +247,7 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
         handler: (inputContext: better_auth0.MiddlewareInputContext<better_auth0.MiddlewareOptions>) => Promise<void>;
       }[];
     };
-    options: better_auth_plugins20.BearerOptions | undefined;
+    options: better_auth_plugins0.BearerOptions | undefined;
   }, {
     id: "sso";
     endpoints: {
@@ -875,30 +875,30 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
     };
   }, {
     id: "organization";
-    endpoints: better_auth_plugins20.OrganizationEndpoints<{
+    endpoints: better_auth_plugins0.OrganizationEndpoints<{
       allowUserToCreateOrganization: true;
-      ac: better_auth_plugins20.AccessControl;
+      ac: better_auth_plugins0.AccessControl;
       roles: {
         member: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins20.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins20.Statements>[key] | {
-            actions: better_auth_plugins20.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins20.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
-          } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins20.AuthorizeResponse;
-          statements: better_auth_plugins20.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins20.Statements>;
+          } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
+          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
         };
         admin: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins20.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins20.Statements>[key] | {
-            actions: better_auth_plugins20.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins20.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
-          } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins20.AuthorizeResponse;
-          statements: better_auth_plugins20.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins20.Statements>;
+          } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
+          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
         };
         owner: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins20.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins20.Statements>[key] | {
-            actions: better_auth_plugins20.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins20.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
-          } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins20.AuthorizeResponse;
-          statements: better_auth_plugins20.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins20.Statements>;
+          } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
+          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
         };
       };
       creatorRole: "admin";
@@ -909,9 +909,9 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
         id: string;
         role: string;
         email: string;
-        organization: better_auth_plugins20.Organization;
-        invitation: better_auth_plugins20.Invitation;
-        inviter: better_auth_plugins20.Member & {
+        organization: better_auth_plugins0.Organization;
+        invitation: better_auth_plugins0.Invitation;
+        inviter: better_auth_plugins0.Member & {
           user: better_auth0.User;
         };
       }): Promise<void>;
@@ -932,28 +932,28 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
           user,
           organization: org
         }: {
-          invitation: better_auth_plugins20.Invitation & Record<string, any>;
-          member: better_auth_plugins20.Member & Record<string, any>;
+          invitation: better_auth_plugins0.Invitation & Record<string, any>;
+          member: better_auth_plugins0.Member & Record<string, any>;
           user: better_auth0.User & Record<string, any>;
-          organization: better_auth_plugins20.Organization & Record<string, any>;
+          organization: better_auth_plugins0.Organization & Record<string, any>;
         }) => Promise<void>;
         beforeUpdateMemberRole: ({
           member,
           organization: org,
           newRole
         }: {
-          member: better_auth_plugins20.Member & Record<string, any>;
+          member: better_auth_plugins0.Member & Record<string, any>;
           newRole: string;
           user: better_auth0.User & Record<string, any>;
-          organization: better_auth_plugins20.Organization & Record<string, any>;
+          organization: better_auth_plugins0.Organization & Record<string, any>;
         }) => Promise<void>;
         afterRemoveMember: ({
           member,
           organization: org
         }: {
-          member: better_auth_plugins20.Member & Record<string, any>;
+          member: better_auth_plugins0.Member & Record<string, any>;
           user: better_auth0.User & Record<string, any>;
-          organization: better_auth_plugins20.Organization & Record<string, any>;
+          organization: better_auth_plugins0.Organization & Record<string, any>;
         }) => Promise<void>;
       };
     }>;
@@ -1085,7 +1085,7 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
         organizationId: string;
         email: string;
         role: "member" | "admin" | "owner";
-        status: better_auth_plugins20.InvitationStatus;
+        status: better_auth_plugins0.InvitationStatus;
         inviterId: string;
         expiresAt: Date;
         createdAt: Date;
@@ -1125,7 +1125,7 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
           organizationId: string;
           email: string;
           role: "member" | "admin" | "owner";
-          status: better_auth_plugins20.InvitationStatus;
+          status: better_auth_plugins0.InvitationStatus;
           inviterId: string;
           expiresAt: Date;
           createdAt: Date;
@@ -1200,28 +1200,28 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
     };
     options: NoInfer<{
       allowUserToCreateOrganization: true;
-      ac: better_auth_plugins20.AccessControl;
+      ac: better_auth_plugins0.AccessControl;
       roles: {
         member: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins20.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins20.Statements>[key] | {
-            actions: better_auth_plugins20.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins20.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
-          } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins20.AuthorizeResponse;
-          statements: better_auth_plugins20.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins20.Statements>;
+          } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
+          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
         };
         admin: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins20.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins20.Statements>[key] | {
-            actions: better_auth_plugins20.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins20.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
-          } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins20.AuthorizeResponse;
-          statements: better_auth_plugins20.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins20.Statements>;
+          } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
+          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
         };
         owner: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins20.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins20.Statements>[key] | {
-            actions: better_auth_plugins20.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins20.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
-          } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins20.AuthorizeResponse;
-          statements: better_auth_plugins20.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins20.Statements>;
+          } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
+          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
         };
       };
       creatorRole: "admin";
@@ -1232,9 +1232,9 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
         id: string;
         role: string;
         email: string;
-        organization: better_auth_plugins20.Organization;
-        invitation: better_auth_plugins20.Invitation;
-        inviter: better_auth_plugins20.Member & {
+        organization: better_auth_plugins0.Organization;
+        invitation: better_auth_plugins0.Invitation;
+        inviter: better_auth_plugins0.Member & {
           user: better_auth0.User;
         };
       }): Promise<void>;
@@ -1255,28 +1255,28 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
           user,
           organization: org
         }: {
-          invitation: better_auth_plugins20.Invitation & Record<string, any>;
-          member: better_auth_plugins20.Member & Record<string, any>;
+          invitation: better_auth_plugins0.Invitation & Record<string, any>;
+          member: better_auth_plugins0.Member & Record<string, any>;
           user: better_auth0.User & Record<string, any>;
-          organization: better_auth_plugins20.Organization & Record<string, any>;
+          organization: better_auth_plugins0.Organization & Record<string, any>;
         }) => Promise<void>;
         beforeUpdateMemberRole: ({
           member,
           organization: org,
           newRole
         }: {
-          member: better_auth_plugins20.Member & Record<string, any>;
+          member: better_auth_plugins0.Member & Record<string, any>;
           newRole: string;
           user: better_auth0.User & Record<string, any>;
-          organization: better_auth_plugins20.Organization & Record<string, any>;
+          organization: better_auth_plugins0.Organization & Record<string, any>;
         }) => Promise<void>;
         afterRemoveMember: ({
           member,
           organization: org
         }: {
-          member: better_auth_plugins20.Member & Record<string, any>;
+          member: better_auth_plugins0.Member & Record<string, any>;
           user: better_auth0.User & Record<string, any>;
-          organization: better_auth_plugins20.Organization & Record<string, any>;
+          organization: better_auth_plugins0.Organization & Record<string, any>;
         }) => Promise<void>;
       };
     }>;
@@ -1613,8 +1613,8 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
       readonly AUTHENTICATION_REQUIRED: "Authentication required";
     };
     options: Partial<{
-      expiresIn: better_auth_plugins20.TimeString;
-      interval: better_auth_plugins20.TimeString;
+      expiresIn: better_auth_plugins0.TimeString;
+      interval: better_auth_plugins0.TimeString;
       deviceCodeLength: number;
       userCodeLength: number;
       schema: {

package/dist/auth/authz/config.d.ts

@@ -12,5 +12,24 @@ declare function getSpiceDbConfig(): {
   token: string;
   tlsEnabled: boolean;
 };
+/**
+ * Compose a tenant-scoped SpiceDB project object ID.
+ *
+ * SpiceDB object IDs are global, so we namespace projects under their tenant
+ * to prevent cross-tenant collisions (e.g. two orgs with a project called "default").
+ *
+ * Format: `{tenantId}/{projectId}`
+ */
+declare function toSpiceDbProjectId(tenantId: string, projectId: string): string;
+/**
+ * Parse a tenant-scoped SpiceDB project object ID back into its parts.
+ *
+ * @returns `{ tenantId, projectId }` extracted from the composite ID.
+ * @throws if the ID does not contain the separator.
+ */
+declare function fromSpiceDbProjectId(spiceDbProjectId: string): {
+  tenantId: string;
+  projectId: string;
+};
 //#endregion
-export { getSpiceDbConfig, isLocalhostEndpoint };
+export { fromSpiceDbProjectId, getSpiceDbConfig, isLocalhostEndpoint, toSpiceDbProjectId };

package/dist/auth/authz/config.js

@@ -19,6 +19,32 @@ function getSpiceDbConfig() {
 		tlsEnabled: env.SPICEDB_TLS_ENABLED ?? !isLocalhostEndpoint(endpoint)
 	};
 }
+const SPICEDB_PROJECT_ID_SEPARATOR = "/";
+/**
+* Compose a tenant-scoped SpiceDB project object ID.
+*
+* SpiceDB object IDs are global, so we namespace projects under their tenant
+* to prevent cross-tenant collisions (e.g. two orgs with a project called "default").
+*
+* Format: `{tenantId}/{projectId}`
+*/
+function toSpiceDbProjectId(tenantId, projectId) {
+	return `${tenantId}${SPICEDB_PROJECT_ID_SEPARATOR}${projectId}`;
+}
+/**
+* Parse a tenant-scoped SpiceDB project object ID back into its parts.
+*
+* @returns `{ tenantId, projectId }` extracted from the composite ID.
+* @throws if the ID does not contain the separator.
+*/
+function fromSpiceDbProjectId(spiceDbProjectId) {
+	const separatorIndex = spiceDbProjectId.indexOf(SPICEDB_PROJECT_ID_SEPARATOR);
+	if (separatorIndex === -1) throw new Error(`Invalid SpiceDB project ID format: ${spiceDbProjectId}`);
+	return {
+		tenantId: spiceDbProjectId.substring(0, separatorIndex),
+		projectId: spiceDbProjectId.substring(separatorIndex + 1)
+	};
+}
 
 //#endregion
-export { getSpiceDbConfig, isLocalhostEndpoint };
+export { fromSpiceDbProjectId, getSpiceDbConfig, isLocalhostEndpoint, toSpiceDbProjectId };

package/dist/auth/authz/index.d.ts

@@ -1,6 +1,6 @@
 import { checkBulkPermissions, checkPermission, deleteRelationship, getSpiceClient, lookupResources, readRelationships, resetSpiceClient, writeRelationship } from "./client.js";
-import { getSpiceDbConfig } from "./config.js";
+import { fromSpiceDbProjectId, getSpiceDbConfig, toSpiceDbProjectId } from "./config.js";
 import { OrgRole, OrgRoles, ProjectPermissionLevel, ProjectPermissions, ProjectRole, ProjectRoles, SpiceDbOrgPermission, SpiceDbOrgPermissions, SpiceDbProjectPermission, SpiceDbProjectPermissions, SpiceDbRelations, SpiceDbResourceTypes } from "./types.js";
 import { canEditProject, canUseProject, canUseProjectStrict, canViewProject, listAccessibleProjectIds, listUsableProjectIds } from "./permissions.js";
 import { changeOrgRole, changeProjectRole, grantProjectAccess, listProjectMembers, listUserProjectMembershipsInSpiceDb, removeProjectFromSpiceDb, revokeAllProjectMemberships, revokeProjectAccess, syncOrgMemberToSpiceDb, syncProjectToSpiceDb } from "./sync.js";
-export { type OrgRole, OrgRoles, type ProjectPermissionLevel, type ProjectPermissions, type ProjectRole, ProjectRoles, type SpiceDbOrgPermission, SpiceDbOrgPermissions, type SpiceDbProjectPermission, SpiceDbProjectPermissions, SpiceDbRelations, SpiceDbResourceTypes, canEditProject, canUseProject, canUseProjectStrict, canViewProject, changeOrgRole, changeProjectRole, checkBulkPermissions, checkPermission, deleteRelationship, getSpiceClient, getSpiceDbConfig, grantProjectAccess, listAccessibleProjectIds, listProjectMembers, listUsableProjectIds, listUserProjectMembershipsInSpiceDb, lookupResources, readRelationships, removeProjectFromSpiceDb, resetSpiceClient, revokeAllProjectMemberships, revokeProjectAccess, syncOrgMemberToSpiceDb, syncProjectToSpiceDb, writeRelationship };
+export { type OrgRole, OrgRoles, type ProjectPermissionLevel, type ProjectPermissions, type ProjectRole, ProjectRoles, type SpiceDbOrgPermission, SpiceDbOrgPermissions, type SpiceDbProjectPermission, SpiceDbProjectPermissions, SpiceDbRelations, SpiceDbResourceTypes, canEditProject, canUseProject, canUseProjectStrict, canViewProject, changeOrgRole, changeProjectRole, checkBulkPermissions, checkPermission, deleteRelationship, fromSpiceDbProjectId, getSpiceClient, getSpiceDbConfig, grantProjectAccess, listAccessibleProjectIds, listProjectMembers, listUsableProjectIds, listUserProjectMembershipsInSpiceDb, lookupResources, readRelationships, removeProjectFromSpiceDb, resetSpiceClient, revokeAllProjectMemberships, revokeProjectAccess, syncOrgMemberToSpiceDb, syncProjectToSpiceDb, toSpiceDbProjectId, writeRelationship };

package/dist/auth/authz/index.js

@@ -1,7 +1,7 @@
 import { OrgRoles, ProjectRoles, SpiceDbOrgPermissions, SpiceDbProjectPermissions, SpiceDbRelations, SpiceDbResourceTypes } from "./types.js";
-import { getSpiceDbConfig } from "./config.js";
+import { fromSpiceDbProjectId, getSpiceDbConfig, toSpiceDbProjectId } from "./config.js";
 import { checkBulkPermissions, checkPermission, deleteRelationship, getSpiceClient, lookupResources, readRelationships, resetSpiceClient, writeRelationship } from "./client.js";
 import { canEditProject, canUseProject, canUseProjectStrict, canViewProject, listAccessibleProjectIds, listUsableProjectIds } from "./permissions.js";
 import { changeOrgRole, changeProjectRole, grantProjectAccess, listProjectMembers, listUserProjectMembershipsInSpiceDb, removeProjectFromSpiceDb, revokeAllProjectMemberships, revokeProjectAccess, syncOrgMemberToSpiceDb, syncProjectToSpiceDb } from "./sync.js";
 
-export { OrgRoles, ProjectRoles, SpiceDbOrgPermissions, SpiceDbProjectPermissions, SpiceDbRelations, SpiceDbResourceTypes, canEditProject, canUseProject, canUseProjectStrict, canViewProject, changeOrgRole, changeProjectRole, checkBulkPermissions, checkPermission, deleteRelationship, getSpiceClient, getSpiceDbConfig, grantProjectAccess, listAccessibleProjectIds, listProjectMembers, listUsableProjectIds, listUserProjectMembershipsInSpiceDb, lookupResources, readRelationships, removeProjectFromSpiceDb, resetSpiceClient, revokeAllProjectMemberships, revokeProjectAccess, syncOrgMemberToSpiceDb, syncProjectToSpiceDb, writeRelationship };
+export { OrgRoles, ProjectRoles, SpiceDbOrgPermissions, SpiceDbProjectPermissions, SpiceDbRelations, SpiceDbResourceTypes, canEditProject, canUseProject, canUseProjectStrict, canViewProject, changeOrgRole, changeProjectRole, checkBulkPermissions, checkPermission, deleteRelationship, fromSpiceDbProjectId, getSpiceClient, getSpiceDbConfig, grantProjectAccess, listAccessibleProjectIds, listProjectMembers, listUsableProjectIds, listUserProjectMembershipsInSpiceDb, lookupResources, readRelationships, removeProjectFromSpiceDb, resetSpiceClient, revokeAllProjectMemberships, revokeProjectAccess, syncOrgMemberToSpiceDb, syncProjectToSpiceDb, toSpiceDbProjectId, writeRelationship };

package/dist/auth/authz/permissions.d.ts

@@ -11,6 +11,7 @@ import { OrgRole } from "./types.js";
  */
 declare function canViewProject(params: {
   userId: string;
+  tenantId: string;
   projectId: string;
   orgRole: OrgRole;
 }): Promise<boolean>;
@@ -23,6 +24,7 @@ declare function canViewProject(params: {
  */
 declare function canUseProject(params: {
   userId: string;
+  tenantId: string;
   projectId: string;
   orgRole: OrgRole;
 }): Promise<boolean>;
@@ -33,6 +35,7 @@ declare function canUseProject(params: {
  */
 declare function canUseProjectStrict(params: {
   userId: string;
+  tenantId: string;
   projectId: string;
 }): Promise<boolean>;
 /**
@@ -44,6 +47,7 @@ declare function canUseProjectStrict(params: {
  */
 declare function canEditProject(params: {
   userId: string;
+  tenantId: string;
   projectId: string;
   orgRole: OrgRole;
 }): Promise<boolean>;
@@ -56,6 +60,7 @@ declare function canEditProject(params: {
  */
 declare function listAccessibleProjectIds(params: {
   userId: string;
+  tenantId: string;
   orgRole: OrgRole;
 }): Promise<string[] | 'all'>;
 /**
@@ -63,6 +68,7 @@ declare function listAccessibleProjectIds(params: {
  */
 declare function listUsableProjectIds(params: {
   userId: string;
+  tenantId: string;
 }): Promise<string[]>;
 //#endregion
 export { canEditProject, canUseProject, canUseProjectStrict, canViewProject, listAccessibleProjectIds, listUsableProjectIds };

package/dist/auth/authz/permissions.js

@@ -1,4 +1,5 @@
 import { OrgRoles, SpiceDbProjectPermissions, SpiceDbResourceTypes } from "./types.js";
+import { fromSpiceDbProjectId, toSpiceDbProjectId } from "./config.js";
 import { checkPermission, lookupResources } from "./client.js";
 
 //#region src/auth/authz/permissions.ts
@@ -18,7 +19,7 @@ async function canViewProject(params) {
 	if (params.orgRole === OrgRoles.OWNER || params.orgRole === OrgRoles.ADMIN) return true;
 	return checkPermission({
 		resourceType: SpiceDbResourceTypes.PROJECT,
-		resourceId: params.projectId,
+		resourceId: toSpiceDbProjectId(params.tenantId, params.projectId),
 		permission: SpiceDbProjectPermissions.VIEW,
 		subjectType: SpiceDbResourceTypes.USER,
 		subjectId: params.userId
@@ -35,7 +36,7 @@ async function canUseProject(params) {
 	if (params.orgRole === OrgRoles.OWNER || params.orgRole === OrgRoles.ADMIN) return true;
 	return checkPermission({
 		resourceType: SpiceDbResourceTypes.PROJECT,
-		resourceId: params.projectId,
+		resourceId: toSpiceDbProjectId(params.tenantId, params.projectId),
 		permission: SpiceDbProjectPermissions.USE,
 		subjectType: SpiceDbResourceTypes.USER,
 		subjectId: params.userId
@@ -50,7 +51,7 @@ async function canUseProjectStrict(params) {
 	if (params.userId === "system" || params.userId.startsWith("apikey:")) return true;
 	return checkPermission({
 		resourceType: SpiceDbResourceTypes.PROJECT,
-		resourceId: params.projectId,
+		resourceId: toSpiceDbProjectId(params.tenantId, params.projectId),
 		permission: SpiceDbProjectPermissions.USE,
 		subjectType: SpiceDbResourceTypes.USER,
 		subjectId: params.userId
@@ -67,7 +68,7 @@ async function canEditProject(params) {
 	if (params.orgRole === OrgRoles.OWNER || params.orgRole === OrgRoles.ADMIN) return true;
 	return checkPermission({
 		resourceType: SpiceDbResourceTypes.PROJECT,
-		resourceId: params.projectId,
+		resourceId: toSpiceDbProjectId(params.tenantId, params.projectId),
 		permission: SpiceDbProjectPermissions.EDIT,
 		subjectType: SpiceDbResourceTypes.USER,
 		subjectId: params.userId
@@ -82,22 +83,36 @@ async function canEditProject(params) {
 */
 async function listAccessibleProjectIds(params) {
 	if (params.orgRole === OrgRoles.OWNER || params.orgRole === OrgRoles.ADMIN) return "all";
-	return lookupResources({
+	return (await lookupResources({
 		resourceType: SpiceDbResourceTypes.PROJECT,
 		permission: SpiceDbProjectPermissions.VIEW,
 		subjectType: SpiceDbResourceTypes.USER,
 		subjectId: params.userId
+	})).flatMap((id) => {
+		try {
+			const parsed = fromSpiceDbProjectId(id);
+			return parsed.tenantId === params.tenantId ? [parsed.projectId] : [];
+		} catch {
+			return [];
+		}
 	});
 }
 /**
 * Get list of usable project IDs for a user - always checks SpiceDB.
 */
 async function listUsableProjectIds(params) {
-	return lookupResources({
+	return (await lookupResources({
 		resourceType: SpiceDbResourceTypes.PROJECT,
 		permission: SpiceDbProjectPermissions.USE,
 		subjectType: SpiceDbResourceTypes.USER,
 		subjectId: params.userId
+	})).flatMap((id) => {
+		try {
+			const parsed = fromSpiceDbProjectId(id);
+			return parsed.tenantId === params.tenantId ? [parsed.projectId] : [];
+		} catch {
+			return [];
+		}
 	});
 }
 

package/dist/auth/authz/sync.js

@@ -1,4 +1,5 @@
 import { SpiceDbRelations, SpiceDbResourceTypes } from "./types.js";
+import { fromSpiceDbProjectId, toSpiceDbProjectId } from "./config.js";
 import { RelationshipOperation, deleteRelationship, getSpiceClient, readRelationships, writeRelationship } from "./client.js";
 
 //#region src/auth/authz/sync.ts
@@ -87,12 +88,13 @@ async function syncProjectToSpiceDb(params) {
 		subjectType: SpiceDbResourceTypes.USER,
 		subjectId: params.creatorUserId
 	})).some((r) => r.relation === SpiceDbRelations.ADMIN || r.relation === SpiceDbRelations.OWNER);
+	const spiceProjectId = toSpiceDbProjectId(params.tenantId, params.projectId);
 	const updates = [{
-		operation: RelationshipOperation.CREATE,
+		operation: RelationshipOperation.TOUCH,
 		relationship: {
 			resource: {
 				objectType: SpiceDbResourceTypes.PROJECT,
-				objectId: params.projectId
+				objectId: spiceProjectId
 			},
 			relation: SpiceDbRelations.ORGANIZATION,
 			subject: {
@@ -106,11 +108,11 @@ async function syncProjectToSpiceDb(params) {
 		}
 	}];
 	if (!isOrgAdminOrOwner) updates.push({
-		operation: RelationshipOperation.CREATE,
+		operation: RelationshipOperation.TOUCH,
 		relationship: {
 			resource: {
 				objectType: SpiceDbResourceTypes.PROJECT,
-				objectId: params.projectId
+				objectId: spiceProjectId
 			},
 			relation: SpiceDbRelations.PROJECT_ADMIN,
 			subject: {
@@ -135,7 +137,7 @@ async function syncProjectToSpiceDb(params) {
 async function grantProjectAccess(params) {
 	await writeRelationship({
 		resourceType: SpiceDbResourceTypes.PROJECT,
-		resourceId: params.projectId,
+		resourceId: toSpiceDbProjectId(params.tenantId, params.projectId),
 		relation: params.role,
 		subjectType: SpiceDbResourceTypes.USER,
 		subjectId: params.userId
@@ -147,7 +149,7 @@ async function grantProjectAccess(params) {
 async function revokeProjectAccess(params) {
 	await deleteRelationship({
 		resourceType: SpiceDbResourceTypes.PROJECT,
-		resourceId: params.projectId,
+		resourceId: toSpiceDbProjectId(params.tenantId, params.projectId),
 		relation: params.role,
 		subjectType: SpiceDbResourceTypes.USER,
 		subjectId: params.userId
@@ -159,13 +161,15 @@ async function revokeProjectAccess(params) {
 */
 async function changeProjectRole(params) {
 	if (params.oldRole === params.newRole) return;
-	await getSpiceClient().promises.writeRelationships({
+	const spice = getSpiceClient();
+	const spiceProjectId = toSpiceDbProjectId(params.tenantId, params.projectId);
+	await spice.promises.writeRelationships({
 		updates: [{
 			operation: RelationshipOperation.DELETE,
 			relationship: {
 				resource: {
 					objectType: SpiceDbResourceTypes.PROJECT,
-					objectId: params.projectId
+					objectId: spiceProjectId
 				},
 				relation: params.oldRole,
 				subject: {
@@ -182,7 +186,7 @@ async function changeProjectRole(params) {
 			relationship: {
 				resource: {
 					objectType: SpiceDbResourceTypes.PROJECT,
-					objectId: params.projectId
+					objectId: spiceProjectId
 				},
 				relation: params.newRole,
 				subject: {
@@ -207,7 +211,7 @@ async function removeProjectFromSpiceDb(params) {
 	await getSpiceClient().promises.deleteRelationships({
 		relationshipFilter: {
 			resourceType: SpiceDbResourceTypes.PROJECT,
-			optionalResourceId: params.projectId,
+			optionalResourceId: toSpiceDbProjectId(params.tenantId, params.projectId),
 			optionalResourceIdPrefix: "",
 			optionalRelation: ""
 		},
@@ -224,7 +228,7 @@ async function removeProjectFromSpiceDb(params) {
 async function listProjectMembers(params) {
 	return (await readRelationships({
 		resourceType: SpiceDbResourceTypes.PROJECT,
-		resourceId: params.projectId
+		resourceId: toSpiceDbProjectId(params.tenantId, params.projectId)
 	})).filter((rel) => rel.subjectType === SpiceDbResourceTypes.USER && (rel.relation === SpiceDbRelations.PROJECT_ADMIN || rel.relation === SpiceDbRelations.PROJECT_MEMBER || rel.relation === SpiceDbRelations.PROJECT_VIEWER)).map((rel) => ({
 		userId: rel.subjectId,
 		role: rel.relation
@@ -239,10 +243,18 @@ async function listUserProjectMembershipsInSpiceDb(params) {
 		resourceType: SpiceDbResourceTypes.PROJECT,
 		subjectType: SpiceDbResourceTypes.USER,
 		subjectId: params.userId
-	})).filter((rel) => rel.relation === SpiceDbRelations.PROJECT_ADMIN || rel.relation === SpiceDbRelations.PROJECT_MEMBER || rel.relation === SpiceDbRelations.PROJECT_VIEWER).map((rel) => ({
-		projectId: rel.resourceId,
-		role: rel.relation
-	}));
+	})).filter((rel) => rel.relation === SpiceDbRelations.PROJECT_ADMIN || rel.relation === SpiceDbRelations.PROJECT_MEMBER || rel.relation === SpiceDbRelations.PROJECT_VIEWER).flatMap((rel) => {
+		try {
+			const parsed = fromSpiceDbProjectId(rel.resourceId);
+			if (parsed.tenantId !== params.tenantId) return [];
+			return [{
+				projectId: parsed.projectId,
+				role: rel.relation
+			}];
+		} catch {
+			return [];
+		}
+	});
 }
 /**
 * Revoke all project memberships for a user.
@@ -252,12 +264,13 @@ async function listUserProjectMembershipsInSpiceDb(params) {
 */
 async function revokeAllProjectMemberships(params) {
 	const spice = getSpiceClient();
+	const tenantPrefix = `${params.tenantId}/`;
 	await Promise.all([
 		spice.promises.deleteRelationships({
 			relationshipFilter: {
 				resourceType: SpiceDbResourceTypes.PROJECT,
 				optionalResourceId: "",
-				optionalResourceIdPrefix: "",
+				optionalResourceIdPrefix: tenantPrefix,
 				optionalRelation: SpiceDbRelations.PROJECT_ADMIN,
 				optionalSubjectFilter: {
 					subjectType: SpiceDbResourceTypes.USER,
@@ -274,7 +287,7 @@ async function revokeAllProjectMemberships(params) {
 			relationshipFilter: {
 				resourceType: SpiceDbResourceTypes.PROJECT,
 				optionalResourceId: "",
-				optionalResourceIdPrefix: "",
+				optionalResourceIdPrefix: tenantPrefix,
 				optionalRelation: SpiceDbRelations.PROJECT_MEMBER,
 				optionalSubjectFilter: {
 					subjectType: SpiceDbResourceTypes.USER,
@@ -291,7 +304,7 @@ async function revokeAllProjectMemberships(params) {
 			relationshipFilter: {
 				resourceType: SpiceDbResourceTypes.PROJECT,
 				optionalResourceId: "",
-				optionalResourceIdPrefix: "",
+				optionalResourceIdPrefix: tenantPrefix,
 				optionalRelation: SpiceDbRelations.PROJECT_VIEWER,
 				optionalSubjectFilter: {
 					subjectType: SpiceDbResourceTypes.USER,