@inkeep/agents-core 0.50.0 → 0.50.3

package/dist/auth/auth.d.ts

@@ -880,25 +880,25 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
       ac: better_auth_plugins0.AccessControl;
       roles: {
         member: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "ac" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins0.Statements>;
         };
         admin: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "ac" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins0.Statements>;
         };
         owner: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "ac" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins0.Statements>;
         };
       };
       creatorRole: "admin";
@@ -947,7 +947,7 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
           user: better_auth0.User & Record<string, any>;
           organization: better_auth_plugins0.Organization & Record<string, any>;
         }) => Promise<void>;
-        afterRemoveMember: ({
+        beforeRemoveMember: ({
           member,
           organization: org
         }: {
@@ -1203,25 +1203,25 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
       ac: better_auth_plugins0.AccessControl;
       roles: {
         member: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "ac" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins0.Statements>;
         };
         admin: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "ac" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins0.Statements>;
         };
         owner: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "ac" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins0.Statements>;
         };
       };
       creatorRole: "admin";
@@ -1270,7 +1270,7 @@ declare function createAuth(config: BetterAuthConfig): better_auth0.Auth<{
           user: better_auth0.User & Record<string, any>;
           organization: better_auth_plugins0.Organization & Record<string, any>;
         }) => Promise<void>;
-        afterRemoveMember: ({
+        beforeRemoveMember: ({
           member,
           organization: org
         }: {

package/dist/auth/auth.js

@@ -117,7 +117,7 @@ function createAuth(config) {
 			updateAge: 3600 * 24,
 			cookieCache: {
 				enabled: true,
-				maxAge: 300,
+				maxAge: 30,
 				strategy: "compact"
 			}
 		},
@@ -209,18 +209,17 @@ function createAuth(config) {
 							console.log(`🔐 SpiceDB: Revoked all project memberships for ${member$1.userId} (promoted to ${targetRole})`);
 						}
 					},
-					afterRemoveMember: async ({ member: member$1, organization: org }) => {
+					beforeRemoveMember: async ({ member: member$1, organization: org }) => {
 						try {
-							const { syncOrgMemberToSpiceDb } = await import("./authz/sync.js");
-							await syncOrgMemberToSpiceDb({
+							const { revokeAllUserRelationships } = await import("./authz/sync.js");
+							await revokeAllUserRelationships({
 								tenantId: org.id,
-								userId: member$1.userId,
-								role: member$1.role,
-								action: "remove"
+								userId: member$1.userId
 							});
-							console.log(`🔐 SpiceDB: Removed member ${member$1.userId} from org ${org.name}`);
+							console.log(`🔐 SpiceDB: Preparing to remove member ${member$1.userId} - revoked all relationships in org ${org.name}`);
 						} catch (error) {
-							console.error("❌ SpiceDB sync failed for member removal:", error);
+							console.error("❌ SpiceDB cleanup failed before member removal:", error);
+							throw new Error(`Failed to clean up user permissions: ${error instanceof Error ? error.message : "Unknown error"}`);
 						}
 					}
 				}

package/dist/auth/authz/sync.d.ts

@@ -73,6 +73,9 @@ declare function removeProjectFromSpiceDb(params: {
 /**
  * List all explicit project members from SpiceDB.
  * Returns users with project_admin, project_member, or project_viewer roles.
+ *
+ * NOTE: This is an appropriate use of readRelationships for data introspection,
+ * not permission logic (per SpiceDB best practices).
  */
 declare function listProjectMembers(params: {
   tenantId: string;
@@ -84,6 +87,9 @@ declare function listProjectMembers(params: {
 /**
  * List all project memberships for a specific user.
  * Returns projects where the user has explicit project_admin, project_member, or project_viewer roles.
+ *
+ * NOTE: This is an appropriate use of readRelationships for data introspection,
+ * not permission logic (per SpiceDB best practices).
  */
 declare function listUserProjectMembershipsInSpiceDb(params: {
   tenantId: string;
@@ -102,5 +108,20 @@ declare function revokeAllProjectMemberships(params: {
   tenantId: string;
   userId: string;
 }): Promise<void>;
+/**
+ * Revoke ALL user relationships within an organization.
+ * Call when: user is being removed from an organization.
+ *
+ * This removes:
+ * 1. Organization-level relationships (owner, admin, member)
+ * 2. All project-level relationships within the organization
+ *
+ * Uses the most efficient approach: filters by subject without specifying relation.
+ * This is much more efficient than individual relation-specific deletions.
+ */
+declare function revokeAllUserRelationships(params: {
+  tenantId: string;
+  userId: string;
+}): Promise<void>;
 //#endregion
-export { changeOrgRole, changeProjectRole, grantProjectAccess, listProjectMembers, listUserProjectMembershipsInSpiceDb, removeProjectFromSpiceDb, revokeAllProjectMemberships, revokeProjectAccess, syncOrgMemberToSpiceDb, syncProjectToSpiceDb };
+export { changeOrgRole, changeProjectRole, grantProjectAccess, listProjectMembers, listUserProjectMembershipsInSpiceDb, removeProjectFromSpiceDb, revokeAllProjectMemberships, revokeAllUserRelationships, revokeProjectAccess, syncOrgMemberToSpiceDb, syncProjectToSpiceDb };

package/dist/auth/authz/sync.js

@@ -1,6 +1,6 @@
 import { SpiceDbRelations, SpiceDbResourceTypes } from "./types.js";
 import { fromSpiceDbProjectId, toSpiceDbProjectId } from "./config.js";
-import { RelationshipOperation, deleteRelationship, getSpiceClient, readRelationships, writeRelationship } from "./client.js";
+import { RelationshipOperation, checkBulkPermissions, deleteRelationship, getSpiceClient, readRelationships, writeRelationship } from "./client.js";
 
 //#region src/auth/authz/sync.ts
 /**
@@ -82,12 +82,13 @@ async function changeOrgRole(params) {
 */
 async function syncProjectToSpiceDb(params) {
 	const spice = getSpiceClient();
-	const isOrgAdminOrOwner = (await readRelationships({
+	const isOrgAdminOrOwner = (await checkBulkPermissions({
 		resourceType: SpiceDbResourceTypes.ORGANIZATION,
 		resourceId: params.tenantId,
+		permissions: ["manage"],
 		subjectType: SpiceDbResourceTypes.USER,
 		subjectId: params.creatorUserId
-	})).some((r) => r.relation === SpiceDbRelations.ADMIN || r.relation === SpiceDbRelations.OWNER);
+	})).manage;
 	const spiceProjectId = toSpiceDbProjectId(params.tenantId, params.projectId);
 	const updates = [{
 		operation: RelationshipOperation.TOUCH,
@@ -224,6 +225,9 @@ async function removeProjectFromSpiceDb(params) {
 /**
 * List all explicit project members from SpiceDB.
 * Returns users with project_admin, project_member, or project_viewer roles.
+*
+* NOTE: This is an appropriate use of readRelationships for data introspection,
+* not permission logic (per SpiceDB best practices).
 */
 async function listProjectMembers(params) {
 	return (await readRelationships({
@@ -237,6 +241,9 @@ async function listProjectMembers(params) {
 /**
 * List all project memberships for a specific user.
 * Returns projects where the user has explicit project_admin, project_member, or project_viewer roles.
+*
+* NOTE: This is an appropriate use of readRelationships for data introspection,
+* not permission logic (per SpiceDB best practices).
 */
 async function listUserProjectMembershipsInSpiceDb(params) {
 	return (await readRelationships({
@@ -319,6 +326,54 @@ async function revokeAllProjectMemberships(params) {
 		})
 	]);
 }
+/**
+* Revoke ALL user relationships within an organization.
+* Call when: user is being removed from an organization.
+*
+* This removes:
+* 1. Organization-level relationships (owner, admin, member)
+* 2. All project-level relationships within the organization
+*
+* Uses the most efficient approach: filters by subject without specifying relation.
+* This is much more efficient than individual relation-specific deletions.
+*/
+async function revokeAllUserRelationships(params) {
+	const spice = getSpiceClient();
+	const tenantPrefix = `${params.tenantId}/`;
+	await Promise.all([spice.promises.deleteRelationships({
+		relationshipFilter: {
+			resourceType: SpiceDbResourceTypes.ORGANIZATION,
+			optionalResourceId: params.tenantId,
+			optionalResourceIdPrefix: "",
+			optionalRelation: "",
+			optionalSubjectFilter: {
+				subjectType: SpiceDbResourceTypes.USER,
+				optionalSubjectId: params.userId,
+				optionalRelation: void 0
+			}
+		},
+		optionalPreconditions: [],
+		optionalLimit: 0,
+		optionalAllowPartialDeletions: false,
+		optionalTransactionMetadata: void 0
+	}), spice.promises.deleteRelationships({
+		relationshipFilter: {
+			resourceType: SpiceDbResourceTypes.PROJECT,
+			optionalResourceId: "",
+			optionalResourceIdPrefix: tenantPrefix,
+			optionalRelation: "",
+			optionalSubjectFilter: {
+				subjectType: SpiceDbResourceTypes.USER,
+				optionalSubjectId: params.userId,
+				optionalRelation: void 0
+			}
+		},
+		optionalPreconditions: [],
+		optionalLimit: 0,
+		optionalAllowPartialDeletions: false,
+		optionalTransactionMetadata: void 0
+	})]);
+}
 
 //#endregion
-export { changeOrgRole, changeProjectRole, grantProjectAccess, listProjectMembers, listUserProjectMembershipsInSpiceDb, removeProjectFromSpiceDb, revokeAllProjectMemberships, revokeProjectAccess, syncOrgMemberToSpiceDb, syncProjectToSpiceDb };
+export { changeOrgRole, changeProjectRole, grantProjectAccess, listProjectMembers, listUserProjectMembershipsInSpiceDb, removeProjectFromSpiceDb, revokeAllProjectMemberships, revokeAllUserRelationships, revokeProjectAccess, syncOrgMemberToSpiceDb, syncProjectToSpiceDb };

package/dist/auth/permissions.d.ts

@@ -5,25 +5,25 @@ import { organizationClient } from "better-auth/client/plugins";
 //#region src/auth/permissions.d.ts
 declare const ac: AccessControl;
 declare const memberRole: {
-  authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key] | {
-    actions: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key];
+  authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "ac" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins69.Statements>[key] | {
+    actions: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins69.Statements>[key];
     connector: "OR" | "AND";
   } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins69.AuthorizeResponse;
-  statements: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>;
+  statements: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins69.Statements>;
 };
 declare const adminRole: {
-  authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key] | {
-    actions: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key];
+  authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "ac" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins69.Statements>[key] | {
+    actions: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins69.Statements>[key];
     connector: "OR" | "AND";
   } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins69.AuthorizeResponse;
-  statements: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>;
+  statements: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins69.Statements>;
 };
 declare const ownerRole: {
-  authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key] | {
-    actions: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key];
+  authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "ac" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins69.Statements>[key] | {
+    actions: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins69.Statements>[key];
     connector: "OR" | "AND";
   } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins69.AuthorizeResponse;
-  statements: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>;
+  statements: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins69.Statements>;
 };
 //#endregion
 export { ac, adminRole, memberRole, organizationClient, ownerRole };

package/dist/client-exports.d.ts

@@ -19,10 +19,20 @@ declare const FullAgentDefinitionSchema: z.ZodObject<{
   defaultSubAgentId: z.ZodOptional<z.ZodString>;
   subAgents: z.ZodRecord<z.ZodString, z.ZodUnion<readonly [z.ZodObject<{
     id: z.ZodString;
-    createdAt: z.ZodOptional<z.ZodString>;
     name: z.ZodString;
+    createdAt: z.ZodOptional<z.ZodString>;
     updatedAt: z.ZodOptional<z.ZodString>;
     description: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    stopWhen: z.ZodOptional<z.ZodNullable<z.ZodType<{
+      stepCountIs?: number | undefined;
+    }, {
+      stepCountIs?: number | undefined;
+    }, z.core.$ZodTypeInternals<{
+      stepCountIs?: number | undefined;
+    }, {
+      stepCountIs?: number | undefined;
+    }>>>>;
+    conversationHistoryConfig: z.ZodOptional<z.ZodNullable<z.ZodType<ConversationHistoryConfig, ConversationHistoryConfig, z.core.$ZodTypeInternals<ConversationHistoryConfig, ConversationHistoryConfig>>>>;
     models: z.ZodOptional<z.ZodObject<{
       base: z.ZodOptional<z.ZodObject<{
         model: z.ZodOptional<z.ZodString>;
@@ -37,16 +47,6 @@ declare const FullAgentDefinitionSchema: z.ZodObject<{
         providerOptions: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodAny>>;
       }, z.core.$strip>>;
     }, z.core.$strip>>;
-    stopWhen: z.ZodOptional<z.ZodNullable<z.ZodType<{
-      stepCountIs?: number | undefined;
-    }, {
-      stepCountIs?: number | undefined;
-    }, z.core.$ZodTypeInternals<{
-      stepCountIs?: number | undefined;
-    }, {
-      stepCountIs?: number | undefined;
-    }>>>>;
-    conversationHistoryConfig: z.ZodOptional<z.ZodNullable<z.ZodType<ConversationHistoryConfig, ConversationHistoryConfig, z.core.$ZodTypeInternals<ConversationHistoryConfig, ConversationHistoryConfig>>>>;
     type: z.ZodLiteral<"internal">;
     canUse: z.ZodArray<z.ZodObject<{
       agentToolRelationId: z.ZodOptional<z.ZodString>;

package/dist/constants/models.d.ts

@@ -38,6 +38,7 @@ declare const OPENAI_MODELS: {
   readonly GPT_4_1_NANO_20250414: "openai/gpt-4.1-nano-2025-04-14";
 };
 declare const GOOGLE_MODELS: {
+  readonly GEMINI_3_1_PRO_PREVIEW: "google/gemini-3.1-pro-preview";
   readonly GEMINI_3_PRO_PREVIEW: "google/gemini-3-pro-preview";
   readonly GEMINI_3_FLASH_PREVIEW: "google/gemini-3-flash-preview";
   readonly GEMINI_2_5_PRO: "google/gemini-2.5-pro";

package/dist/constants/models.js

@@ -38,6 +38,7 @@ const OPENAI_MODELS = {
 	GPT_4_1_NANO_20250414: "openai/gpt-4.1-nano-2025-04-14"
 };
 const GOOGLE_MODELS = {
+	GEMINI_3_1_PRO_PREVIEW: "google/gemini-3.1-pro-preview",
 	GEMINI_3_PRO_PREVIEW: "google/gemini-3-pro-preview",
 	GEMINI_3_FLASH_PREVIEW: "google/gemini-3-flash-preview",
 	GEMINI_2_5_PRO: "google/gemini-2.5-pro",

package/dist/constants/otel-attributes.d.ts

@@ -93,6 +93,10 @@ declare const SPAN_KEYS: {
   readonly ARTIFACT_DATA: "artifact.data";
   readonly ARTIFACT_NAME: "artifact.name";
   readonly ARTIFACT_DESCRIPTION: "artifact.description";
+  readonly ARTIFACT_IS_OVERSIZED: "artifact.is_oversized";
+  readonly ARTIFACT_RETRIEVAL_BLOCKED: "artifact.retrieval_blocked";
+  readonly ARTIFACT_ORIGINAL_TOKEN_SIZE: "artifact.original_token_size";
+  readonly ARTIFACT_CONTEXT_WINDOW_SIZE: "artifact.context_window_size";
   readonly CONTEXT_BREAKDOWN_SYSTEM_TEMPLATE: "context.breakdown.system_template_tokens";
   readonly CONTEXT_BREAKDOWN_CORE_INSTRUCTIONS: "context.breakdown.core_instructions_tokens";
   readonly CONTEXT_BREAKDOWN_AGENT_PROMPT: "context.breakdown.agent_prompt_tokens";

package/dist/constants/otel-attributes.js

@@ -93,6 +93,10 @@ const SPAN_KEYS = {
 	ARTIFACT_DATA: "artifact.data",
 	ARTIFACT_NAME: "artifact.name",
 	ARTIFACT_DESCRIPTION: "artifact.description",
+	ARTIFACT_IS_OVERSIZED: "artifact.is_oversized",
+	ARTIFACT_RETRIEVAL_BLOCKED: "artifact.retrieval_blocked",
+	ARTIFACT_ORIGINAL_TOKEN_SIZE: "artifact.original_token_size",
+	ARTIFACT_CONTEXT_WINDOW_SIZE: "artifact.context_window_size",
 	CONTEXT_BREAKDOWN_SYSTEM_TEMPLATE: "context.breakdown.system_template_tokens",
 	CONTEXT_BREAKDOWN_CORE_INSTRUCTIONS: "context.breakdown.core_instructions_tokens",
 	CONTEXT_BREAKDOWN_AGENT_PROMPT: "context.breakdown.agent_prompt_tokens",

package/dist/data-access/manage/agents.d.ts

@@ -9,14 +9,14 @@ declare const getAgentById: (db: AgentsManageDatabaseClient) => (params: {
   scopes: AgentScopeConfig;
 }) => Promise<{
   id: string;
-  createdAt: string;
   name: string;
+  createdAt: string;
   updatedAt: string;
-  projectId: string;
-  tenantId: string;
   description: string | null;
-  defaultSubAgentId: string | null;
-  contextConfigId: string | null;
+  stopWhen: {
+    transferCountIs?: number | undefined;
+  } | null;
+  prompt: string | null;
   models: {
     base?: {
       model?: string | undefined;
@@ -31,7 +31,10 @@ declare const getAgentById: (db: AgentsManageDatabaseClient) => (params: {
       providerOptions?: Record<string, any> | undefined;
     } | undefined;
   } | null;
-  prompt: string | null;
+  projectId: string;
+  tenantId: string;
+  defaultSubAgentId: string | null;
+  contextConfigId: string | null;
   statusUpdates: {
     enabled?: boolean | undefined;
     numEvents?: number | undefined;
@@ -47,22 +50,19 @@ declare const getAgentById: (db: AgentsManageDatabaseClient) => (params: {
       } | undefined;
     }[] | undefined;
   } | null;
-  stopWhen: {
-    transferCountIs?: number | undefined;
-  } | null;
 } | null>;
 declare const getAgentWithDefaultSubAgent: (db: AgentsManageDatabaseClient) => (params: {
   scopes: AgentScopeConfig;
 }) => Promise<{
   id: string;
-  createdAt: string;
   name: string;
+  createdAt: string;
   updatedAt: string;
-  projectId: string;
-  tenantId: string;
   description: string | null;
-  defaultSubAgentId: string | null;
-  contextConfigId: string | null;
+  stopWhen: {
+    transferCountIs?: number | undefined;
+  } | null;
+  prompt: string | null;
   models: {
     base?: {
       model?: string | undefined;
@@ -77,7 +77,10 @@ declare const getAgentWithDefaultSubAgent: (db: AgentsManageDatabaseClient) => (
       providerOptions?: Record<string, any> | undefined;
     } | undefined;
   } | null;
-  prompt: string | null;
+  projectId: string;
+  tenantId: string;
+  defaultSubAgentId: string | null;
+  contextConfigId: string | null;
   statusUpdates: {
     enabled?: boolean | undefined;
     numEvents?: number | undefined;
@@ -93,18 +96,17 @@ declare const getAgentWithDefaultSubAgent: (db: AgentsManageDatabaseClient) => (
       } | undefined;
     }[] | undefined;
   } | null;
-  stopWhen: {
-    transferCountIs?: number | undefined;
-  } | null;
   defaultSubAgent: {
     id: string;
-    createdAt: string;
     name: string;
+    createdAt: string;
     updatedAt: string;
-    agentId: string;
-    projectId: string;
-    tenantId: string;
     description: string | null;
+    stopWhen: {
+      stepCountIs?: number | undefined;
+    } | null;
+    prompt: string | null;
+    conversationHistoryConfig: ConversationHistoryConfig | null;
     models: {
       base?: {
         model?: string | undefined;
@@ -119,25 +121,23 @@ declare const getAgentWithDefaultSubAgent: (db: AgentsManageDatabaseClient) => (
         providerOptions?: Record<string, any> | undefined;
       } | undefined;
     } | null;
-    prompt: string | null;
-    stopWhen: {
-      stepCountIs?: number | undefined;
-    } | null;
-    conversationHistoryConfig: ConversationHistoryConfig | null;
+    agentId: string;
+    projectId: string;
+    tenantId: string;
   } | null;
 } | null>;
 declare const listAgents: (db: AgentsManageDatabaseClient) => (params: {
   scopes: ProjectScopeConfig;
 }) => Promise<{
   id: string;
-  createdAt: string;
   name: string;
+  createdAt: string;
   updatedAt: string;
-  projectId: string;
-  tenantId: string;
   description: string | null;
-  defaultSubAgentId: string | null;
-  contextConfigId: string | null;
+  stopWhen: {
+    transferCountIs?: number | undefined;
+  } | null;
+  prompt: string | null;
   models: {
     base?: {
       model?: string | undefined;
@@ -152,7 +152,10 @@ declare const listAgents: (db: AgentsManageDatabaseClient) => (params: {
       providerOptions?: Record<string, any> | undefined;
     } | undefined;
   } | null;
-  prompt: string | null;
+  projectId: string;
+  tenantId: string;
+  defaultSubAgentId: string | null;
+  contextConfigId: string | null;
   statusUpdates: {
     enabled?: boolean | undefined;
     numEvents?: number | undefined;
@@ -168,9 +171,6 @@ declare const listAgents: (db: AgentsManageDatabaseClient) => (params: {
       } | undefined;
     }[] | undefined;
   } | null;
-  stopWhen: {
-    transferCountIs?: number | undefined;
-  } | null;
 }[]>;
 declare const listAgentsPaginated: (db: AgentsManageDatabaseClient) => (params: {
   scopes: ProjectScopeConfig;
@@ -246,14 +246,14 @@ declare function listAgentsAcrossProjectMainBranches(db: AgentsManageDatabaseCli
 }): Promise<AvailableAgentInfo[]>;
 declare const createAgent: (db: AgentsManageDatabaseClient) => (data: AgentInsert) => Promise<{
   id: string;
-  createdAt: string;
   name: string;
+  createdAt: string;
   updatedAt: string;
-  projectId: string;
-  tenantId: string;
   description: string | null;
-  defaultSubAgentId: string | null;
-  contextConfigId: string | null;
+  stopWhen: {
+    transferCountIs?: number | undefined;
+  } | null;
+  prompt: string | null;
   models: {
     base?: {
       model?: string | undefined;
@@ -268,7 +268,10 @@ declare const createAgent: (db: AgentsManageDatabaseClient) => (data: AgentInser
       providerOptions?: Record<string, any> | undefined;
     } | undefined;
   } | null;
-  prompt: string | null;
+  projectId: string;
+  tenantId: string;
+  defaultSubAgentId: string | null;
+  contextConfigId: string | null;
   statusUpdates: {
     enabled?: boolean | undefined;
     numEvents?: number | undefined;
@@ -284,9 +287,6 @@ declare const createAgent: (db: AgentsManageDatabaseClient) => (data: AgentInser
       } | undefined;
     }[] | undefined;
   } | null;
-  stopWhen: {
-    transferCountIs?: number | undefined;
-  } | null;
 }>;
 declare const updateAgent: (db: AgentsManageDatabaseClient) => (params: {
   scopes: AgentScopeConfig;
@@ -341,7 +341,7 @@ declare const deleteAgent: (db: AgentsManageDatabaseClient) => (params: {
 /**
  * Helper function to fetch component relationships using efficient joins
  */
-declare const fetchComponentRelationships: (db: AgentsManageDatabaseClient) => <T extends Record<string, unknown>>(scopes: ProjectScopeConfig, subAgentIds: string[], config: {
+declare const fetchComponentRelationships: (db: AgentsManageDatabaseClient) => <T extends Record<string, unknown>>(scopes: AgentScopeConfig, subAgentIds: string[], config: {
   relationTable: PgTable<any>;
   componentTable: PgTable<any>;
   relationIdField: unknown;

package/dist/data-access/manage/agents.js

@@ -117,7 +117,7 @@ const deleteAgent = (db) => async (params) => {
 const fetchComponentRelationships = (db) => async (scopes, subAgentIds, config) => {
 	const componentsObject = {};
 	if (subAgentIds.length > 0) {
-		const results = await db.select(config.selectFields).from(config.relationTable).innerJoin(config.componentTable, eq(config.relationIdField, config.componentIdField)).where(and(eq(config.relationTable.tenantId, scopes.tenantId), eq(config.relationTable.projectId, scopes.projectId), inArray(config.subAgentIdField, subAgentIds)));
+		const results = await db.select(config.selectFields).from(config.relationTable).innerJoin(config.componentTable, eq(config.relationIdField, config.componentIdField)).where(and(eq(config.relationTable.tenantId, scopes.tenantId), eq(config.relationTable.projectId, scopes.projectId), eq(config.relationTable.agentId, scopes.agentId), inArray(config.subAgentIdField, subAgentIds)));
 		for (const component of results) componentsObject[component.id] = component;
 	}
 	return componentsObject;
@@ -260,8 +260,8 @@ const getFullAgentDefinitionInternal = (db) => async ({ scopes: { tenantId, proj
 			agentToolRelationId: subAgentFunctionToolRelations.id,
 			toolPolicies: subAgentFunctionToolRelations.toolPolicies
 		}).from(subAgentFunctionToolRelations).innerJoin(functionTools, and(eq(subAgentFunctionToolRelations.functionToolId, functionTools.id), eq(subAgentFunctionToolRelations.tenantId, functionTools.tenantId), eq(subAgentFunctionToolRelations.projectId, functionTools.projectId), eq(subAgentFunctionToolRelations.agentId, functionTools.agentId))).where(and(eq(subAgentFunctionToolRelations.tenantId, tenantId), eq(subAgentFunctionToolRelations.projectId, projectId), eq(subAgentFunctionToolRelations.agentId, agentId), eq(subAgentFunctionToolRelations.subAgentId, agent$1.id)));
-		const agentDataComponentIds = (await db.query.subAgentDataComponents.findMany({ where: and(eq(subAgentDataComponents.tenantId, tenantId), eq(subAgentDataComponents.subAgentId, agent$1.id)) })).map((rel) => rel.dataComponentId);
-		const agentArtifactComponentIds = (await db.query.subAgentArtifactComponents.findMany({ where: and(eq(subAgentArtifactComponents.tenantId, tenantId), eq(subAgentArtifactComponents.subAgentId, agent$1.id)) })).map((rel) => rel.artifactComponentId);
+		const agentDataComponentIds = (await db.query.subAgentDataComponents.findMany({ where: and(eq(subAgentDataComponents.tenantId, tenantId), eq(subAgentDataComponents.projectId, projectId), eq(subAgentDataComponents.agentId, agentId), eq(subAgentDataComponents.subAgentId, agent$1.id)) })).map((rel) => rel.dataComponentId);
+		const agentArtifactComponentIds = (await db.query.subAgentArtifactComponents.findMany({ where: and(eq(subAgentArtifactComponents.tenantId, tenantId), eq(subAgentArtifactComponents.projectId, projectId), eq(subAgentArtifactComponents.agentId, agentId), eq(subAgentArtifactComponents.subAgentId, agent$1.id)) })).map((rel) => rel.artifactComponentId);
 		const mcpToolCanUse = subAgentTools.map((tool) => ({
 			agentToolRelationId: tool.agentToolRelationId,
 			toolId: tool.id,
@@ -352,7 +352,8 @@ const getFullAgentDefinitionInternal = (db) => async ({ scopes: { tenantId, proj
 	try {
 		await fetchComponentRelationships(db)({
 			tenantId,
-			projectId
+			projectId,
+			agentId
 		}, subAgentIds, {
 			relationTable: subAgentDataComponents,
 			componentTable: dataComponents,
@@ -372,7 +373,8 @@ const getFullAgentDefinitionInternal = (db) => async ({ scopes: { tenantId, proj
 	try {
 		await fetchComponentRelationships(db)({
 			tenantId,
-			projectId
+			projectId,
+			agentId
 		}, subAgentIds, {
 			relationTable: subAgentArtifactComponents,
 			componentTable: artifactComponents,
@@ -429,7 +431,7 @@ const getFullAgentDefinitionInternal = (db) => async ({ scopes: { tenantId, proj
 								await db.update(subAgents).set({
 									stopWhen: agent$1.stopWhen,
 									updatedAt: (/* @__PURE__ */ new Date()).toISOString()
-								}).where(and(eq(subAgents.tenantId, tenantId), eq(subAgents.projectId, projectId), eq(subAgents.id, subAgentId)));
+								}).where(and(eq(subAgents.tenantId, tenantId), eq(subAgents.projectId, projectId), eq(subAgents.agentId, agentId), eq(subAgents.id, subAgentId)));
 								result.subAgents[subAgentId] = {
 									...result.subAgents[subAgentId],
 									stopWhen: agent$1.stopWhen