@inkeep/agents-core 0.58.14 → 0.58.16

package/dist/data-access/runtime/apiKeys.d.ts

@@ -10,30 +10,30 @@ declare const getApiKeyById: (db: AgentsRunDatabaseClient) => (params: {
 }) => Promise<{
   id: string;
   name: string | null;
+  tenantId: string;
+  projectId: string;
+  agentId: string;
   createdAt: string;
   updatedAt: string;
   expiresAt: string | null;
-  projectId: string;
-  tenantId: string;
-  agentId: string;
+  lastUsedAt: string | null;
   publicId: string;
   keyHash: string;
   keyPrefix: string;
-  lastUsedAt: string | null;
 } | undefined>;
 declare const getApiKeyByPublicId: (db: AgentsRunDatabaseClient) => (publicId: string) => Promise<{
   id: string;
   name: string | null;
+  tenantId: string;
+  projectId: string;
+  agentId: string;
   createdAt: string;
   updatedAt: string;
   expiresAt: string | null;
-  projectId: string;
-  tenantId: string;
-  agentId: string;
+  lastUsedAt: string | null;
   publicId: string;
   keyHash: string;
   keyPrefix: string;
-  lastUsedAt: string | null;
 } | undefined>;
 declare const listApiKeys: (db: AgentsRunDatabaseClient) => (params: {
   scopes: ProjectScopeConfig;
@@ -41,16 +41,16 @@ declare const listApiKeys: (db: AgentsRunDatabaseClient) => (params: {
 }) => Promise<{
   id: string;
   name: string | null;
+  tenantId: string;
+  projectId: string;
+  agentId: string;
   createdAt: string;
   updatedAt: string;
   expiresAt: string | null;
-  projectId: string;
-  tenantId: string;
-  agentId: string;
+  lastUsedAt: string | null;
   publicId: string;
   keyHash: string;
   keyPrefix: string;
-  lastUsedAt: string | null;
 }[]>;
 declare const listApiKeysPaginated: (db: AgentsRunDatabaseClient) => (params: {
   scopes: ProjectScopeConfig;
@@ -68,16 +68,16 @@ declare const listApiKeysPaginated: (db: AgentsRunDatabaseClient) => (params: {
 declare const createApiKey: (db: AgentsRunDatabaseClient) => (params: ApiKeyInsert) => Promise<{
   id: string;
   name: string | null;
+  tenantId: string;
+  projectId: string;
+  agentId: string;
   createdAt: string;
   updatedAt: string;
   expiresAt: string | null;
-  projectId: string;
-  tenantId: string;
-  agentId: string;
+  lastUsedAt: string | null;
   publicId: string;
   keyHash: string;
   keyPrefix: string;
-  lastUsedAt: string | null;
 }>;
 declare const updateApiKey: (db: AgentsRunDatabaseClient) => (params: {
   scopes: ProjectScopeConfig;
@@ -105,7 +105,10 @@ declare const hasApiKey: (db: AgentsRunDatabaseClient) => (params: {
   scopes: ProjectScopeConfig;
   id: string;
 }) => Promise<boolean>;
-declare const updateApiKeyLastUsed: (db: AgentsRunDatabaseClient) => (id: string) => Promise<void>;
+declare const updateApiKeyLastUsed: (db: AgentsRunDatabaseClient) => (params: {
+  id: string;
+  scopes: ProjectScopeConfig;
+}) => Promise<void>;
 declare const countApiKeys: (db: AgentsRunDatabaseClient) => (params: {
   scopes: ProjectScopeConfig;
   agentId?: string;
@@ -115,9 +118,6 @@ declare const countApiKeys: (db: AgentsRunDatabaseClient) => (params: {
  * Returns both the API key record and the full key (which should be shown to the user only once)
  */
 declare const generateAndCreateApiKey: (params: CreateApiKeyParams, db: AgentsRunDatabaseClient) => Promise<ApiKeyCreateResult>;
-/**
- * Validate an API key and return the associated record if valid
- */
 declare const validateAndGetApiKey: (key: string, db: AgentsRunDatabaseClient) => Promise<ApiKeySelect | null>;
 //#endregion
 export { countApiKeys, createApiKey, deleteApiKey, generateAndCreateApiKey, getApiKeyById, getApiKeyByPublicId, hasApiKey, listApiKeys, listApiKeysPaginated, updateApiKey, updateApiKeyLastUsed, validateAndGetApiKey };

package/dist/data-access/runtime/apiKeys.js

@@ -1,16 +1,17 @@
 import { apiKeys } from "../../db/runtime/runtime-schema.js";
+import { projectScopedWhere } from "../manage/scope-helpers.js";
 import { extractPublicId, generateApiKey, isApiKeyExpired, validateApiKey } from "../../utils/apiKeys.js";
 import { and, count, desc, eq } from "drizzle-orm";
 
 //#region src/data-access/runtime/apiKeys.ts
 const getApiKeyById = (db) => async (params) => {
-	return await db.query.apiKeys.findFirst({ where: and(eq(apiKeys.tenantId, params.scopes.tenantId), eq(apiKeys.projectId, params.scopes.projectId), eq(apiKeys.id, params.id)) });
+	return await db.query.apiKeys.findFirst({ where: and(projectScopedWhere(apiKeys, params.scopes), eq(apiKeys.id, params.id)) });
 };
 const getApiKeyByPublicId = (db) => async (publicId) => {
 	return await db.query.apiKeys.findFirst({ where: eq(apiKeys.publicId, publicId) });
 };
 const listApiKeys = (db) => async (params) => {
-	const conditions = [eq(apiKeys.tenantId, params.scopes.tenantId), eq(apiKeys.projectId, params.scopes.projectId)];
+	const conditions = [projectScopedWhere(apiKeys, params.scopes)];
 	if (params.agentId) conditions.push(eq(apiKeys.agentId, params.agentId));
 	return await db.query.apiKeys.findMany({
 		where: and(...conditions),
@@ -21,7 +22,7 @@ const listApiKeysPaginated = (db) => async (params) => {
 	const page = params.pagination?.page || 1;
 	const limit = Math.min(params.pagination?.limit || 10, 100);
 	const offset = (page - 1) * limit;
-	const conditions = [eq(apiKeys.tenantId, params.scopes.tenantId), eq(apiKeys.projectId, params.scopes.projectId)];
+	const conditions = [projectScopedWhere(apiKeys, params.scopes)];
 	if (params.agentId) conditions.push(eq(apiKeys.agentId, params.agentId));
 	const whereClause = and(...conditions);
 	const [data, totalResult] = await Promise.all([db.select().from(apiKeys).where(whereClause).limit(limit).offset(offset).orderBy(desc(apiKeys.createdAt)), db.select({ count: count() }).from(apiKeys).where(whereClause)]);
@@ -60,7 +61,7 @@ const updateApiKey = (db) => async (params) => {
 		name: params.data.name,
 		expiresAt: params.data.expiresAt,
 		updatedAt: now
-	}).where(and(eq(apiKeys.tenantId, params.scopes.tenantId), eq(apiKeys.projectId, params.scopes.projectId), eq(apiKeys.id, params.id))).returning();
+	}).where(and(projectScopedWhere(apiKeys, params.scopes), eq(apiKeys.id, params.id))).returning();
 	return updatedKey;
 };
 const deleteApiKey = (db) => async (params) => {
@@ -72,7 +73,7 @@ const deleteApiKey = (db) => async (params) => {
 			console.error("API key not found", { params });
 			return false;
 		}
-		await db.delete(apiKeys).where(and(eq(apiKeys.tenantId, params.scopes.tenantId), eq(apiKeys.projectId, params.scopes.projectId), eq(apiKeys.id, params.id)));
+		await db.delete(apiKeys).where(and(projectScopedWhere(apiKeys, params.scopes), eq(apiKeys.id, params.id)));
 		return true;
 	} catch (error) {
 		console.error("Error deleting API key:", error);
@@ -82,11 +83,11 @@ const deleteApiKey = (db) => async (params) => {
 const hasApiKey = (db) => async (params) => {
 	return await getApiKeyById(db)(params) !== null;
 };
-const updateApiKeyLastUsed = (db) => async (id) => {
-	await db.update(apiKeys).set({ lastUsedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq(apiKeys.id, id));
+const updateApiKeyLastUsed = (db) => async (params) => {
+	await db.update(apiKeys).set({ lastUsedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(and(projectScopedWhere(apiKeys, params.scopes), eq(apiKeys.id, params.id)));
 };
 const countApiKeys = (db) => async (params) => {
-	const conditions = [eq(apiKeys.tenantId, params.scopes.tenantId), eq(apiKeys.projectId, params.scopes.projectId)];
+	const conditions = [projectScopedWhere(apiKeys, params.scopes)];
 	if (params.agentId) conditions.push(eq(apiKeys.agentId, params.agentId));
 	const total = (await db.select({ count: count() }).from(apiKeys).where(and(...conditions)))[0]?.count || 0;
 	return typeof total === "string" ? Number.parseInt(total, 10) : total;
@@ -110,9 +111,6 @@ const generateAndCreateApiKey = async (params, db) => {
 		key: keyData.key
 	};
 };
-/**
-* Validate an API key and return the associated record if valid
-*/
 const validateAndGetApiKey = async (key, db) => {
 	const publicId = extractPublicId(key);
 	if (!publicId) return null;
@@ -120,7 +118,13 @@ const validateAndGetApiKey = async (key, db) => {
 	if (!apiKey) return null;
 	if (!await validateApiKey(key, apiKey.keyHash)) return null;
 	if (isApiKeyExpired(apiKey.expiresAt)) return null;
-	await updateApiKeyLastUsed(db)(apiKey.id);
+	await updateApiKeyLastUsed(db)({
+		id: apiKey.id,
+		scopes: {
+			tenantId: apiKey.tenantId,
+			projectId: apiKey.projectId
+		}
+	});
 	return apiKey;
 };
 

package/dist/data-access/runtime/apps.d.ts

@@ -8,11 +8,11 @@ declare const getAppById: (db: AgentsRunDatabaseClient) => (id: string) => Promi
   type: AppType;
   id: string;
   name: string;
-  createdAt: string;
-  updatedAt: string;
   description: string | null;
-  projectId: string | null;
   tenantId: string | null;
+  projectId: string | null;
+  createdAt: string;
+  updatedAt: string;
   enabled: boolean;
   config: {
     type: "web_client";
@@ -23,9 +23,9 @@ declare const getAppById: (db: AgentsRunDatabaseClient) => (id: string) => Promi
     type: "api";
     api: Record<string, never>;
   };
-  lastUsedAt: string | null;
-  defaultProjectId: string | null;
   defaultAgentId: string | null;
+  defaultProjectId: string | null;
+  lastUsedAt: string | null;
 } | undefined>;
 declare const updateAppLastUsed: (db: AgentsRunDatabaseClient) => (id: string) => Promise<void>;
 declare const getAppByIdForTenant: (db: AgentsRunDatabaseClient) => (params: {
@@ -51,11 +51,11 @@ declare const createApp: (db: AgentsRunDatabaseClient) => (params: AppInsert) =>
   type: AppType;
   id: string;
   name: string;
-  createdAt: string;
-  updatedAt: string;
   description: string | null;
-  projectId: string | null;
   tenantId: string | null;
+  projectId: string | null;
+  createdAt: string;
+  updatedAt: string;
   enabled: boolean;
   config: {
     type: "web_client";
@@ -66,9 +66,9 @@ declare const createApp: (db: AgentsRunDatabaseClient) => (params: AppInsert) =>
     type: "api";
     api: Record<string, never>;
   };
-  lastUsedAt: string | null;
-  defaultProjectId: string | null;
   defaultAgentId: string | null;
+  defaultProjectId: string | null;
+  lastUsedAt: string | null;
 }>;
 declare const updateAppForTenant: (db: AgentsRunDatabaseClient) => (params: {
   scopes: TenantScopeConfig;

package/dist/data-access/runtime/apps.js

@@ -1,4 +1,5 @@
 import { apps } from "../../db/runtime/runtime-schema.js";
+import { tenantScopedWhere } from "../manage/scope-helpers.js";
 import { and, count, desc, eq } from "drizzle-orm";
 
 //#region src/data-access/runtime/apps.ts
@@ -9,13 +10,13 @@ const updateAppLastUsed = (db) => async (id) => {
 	await db.update(apps).set({ lastUsedAt: (/* @__PURE__ */ new Date()).toISOString() }).where(eq(apps.id, id));
 };
 const getAppByIdForTenant = (db) => async (params) => {
-	return db.query.apps.findFirst({ where: and(eq(apps.id, params.id), eq(apps.tenantId, params.scopes.tenantId)) });
+	return db.query.apps.findFirst({ where: and(eq(apps.id, params.id), tenantScopedWhere(apps, params.scopes)) });
 };
 const listAppsPaginated = (db) => async (params) => {
 	const page = params.pagination?.page || 1;
 	const limit = Math.min(params.pagination?.limit || 10, 100);
 	const offset = (page - 1) * limit;
-	const conditions = [eq(apps.tenantId, params.scopes.tenantId)];
+	const conditions = [tenantScopedWhere(apps, params.scopes)];
 	if (params.scopes.projectId) conditions.push(eq(apps.projectId, params.scopes.projectId));
 	if (params.type) conditions.push(eq(apps.type, params.type));
 	const whereClause = and(...conditions);
@@ -46,27 +47,27 @@ const updateAppForTenant = (db) => async (params) => {
 	const [updatedApp] = await db.update(apps).set({
 		...params.data,
 		updatedAt: now
-	}).where(and(eq(apps.id, params.id), eq(apps.tenantId, params.scopes.tenantId))).returning();
+	}).where(and(eq(apps.id, params.id), tenantScopedWhere(apps, params.scopes))).returning();
 	return updatedApp;
 };
 const deleteAppForTenant = (db) => async (params) => {
-	return (await db.delete(apps).where(and(eq(apps.id, params.id), eq(apps.tenantId, params.scopes.tenantId))).returning()).length > 0;
+	return (await db.delete(apps).where(and(eq(apps.id, params.id), tenantScopedWhere(apps, params.scopes))).returning()).length > 0;
 };
 const deleteAppsByProject = (db) => async (tenantId, projectId) => {
-	return (await db.delete(apps).where(and(eq(apps.tenantId, tenantId), eq(apps.projectId, projectId))).returning()).length;
+	return (await db.delete(apps).where(and(tenantScopedWhere(apps, { tenantId }), eq(apps.projectId, projectId))).returning()).length;
 };
 const clearAppDefaultsByProject = (db) => async (tenantId, projectId) => {
 	return (await db.update(apps).set({
 		defaultProjectId: null,
 		defaultAgentId: null,
 		updatedAt: (/* @__PURE__ */ new Date()).toISOString()
-	}).where(and(eq(apps.tenantId, tenantId), eq(apps.defaultProjectId, projectId))).returning()).length;
+	}).where(and(tenantScopedWhere(apps, { tenantId }), eq(apps.defaultProjectId, projectId))).returning()).length;
 };
 const clearAppDefaultsByAgent = (db) => async (tenantId, agentId) => {
 	return (await db.update(apps).set({
 		defaultAgentId: null,
 		updatedAt: (/* @__PURE__ */ new Date()).toISOString()
-	}).where(and(eq(apps.tenantId, tenantId), eq(apps.defaultAgentId, agentId))).returning()).length;
+	}).where(and(tenantScopedWhere(apps, { tenantId }), eq(apps.defaultAgentId, agentId))).returning()).length;
 };
 const updateApp = (db) => async (params) => {
 	const now = (/* @__PURE__ */ new Date()).toISOString();

package/dist/data-access/runtime/audit-queries.js

@@ -1,36 +1,36 @@
 import { apiKeys, contextCache, workAppGitHubMcpToolAccessMode, workAppGitHubMcpToolRepositoryAccess, workAppSlackChannelAgentConfigs, workAppSlackMcpToolAccessConfig } from "../../db/runtime/runtime-schema.js";
-import { and, eq } from "drizzle-orm";
+import { projectScopedWhere } from "../manage/scope-helpers.js";
 
 //#region src/data-access/runtime/audit-queries.ts
 const listGitHubToolAccessByProject = (db) => async (params) => {
 	return db.select({
 		id: workAppGitHubMcpToolRepositoryAccess.id,
 		toolId: workAppGitHubMcpToolRepositoryAccess.toolId
-	}).from(workAppGitHubMcpToolRepositoryAccess).where(and(eq(workAppGitHubMcpToolRepositoryAccess.tenantId, params.scopes.tenantId), eq(workAppGitHubMcpToolRepositoryAccess.projectId, params.scopes.projectId)));
+	}).from(workAppGitHubMcpToolRepositoryAccess).where(projectScopedWhere(workAppGitHubMcpToolRepositoryAccess, params.scopes));
 };
 const listGitHubToolAccessModeByProject = (db) => async (params) => {
-	return db.select({ toolId: workAppGitHubMcpToolAccessMode.toolId }).from(workAppGitHubMcpToolAccessMode).where(and(eq(workAppGitHubMcpToolAccessMode.tenantId, params.scopes.tenantId), eq(workAppGitHubMcpToolAccessMode.projectId, params.scopes.projectId)));
+	return db.select({ toolId: workAppGitHubMcpToolAccessMode.toolId }).from(workAppGitHubMcpToolAccessMode).where(projectScopedWhere(workAppGitHubMcpToolAccessMode, params.scopes));
 };
 const listSlackToolAccessConfigByProject = (db) => async (params) => {
-	return db.select({ toolId: workAppSlackMcpToolAccessConfig.toolId }).from(workAppSlackMcpToolAccessConfig).where(and(eq(workAppSlackMcpToolAccessConfig.tenantId, params.scopes.tenantId), eq(workAppSlackMcpToolAccessConfig.projectId, params.scopes.projectId)));
+	return db.select({ toolId: workAppSlackMcpToolAccessConfig.toolId }).from(workAppSlackMcpToolAccessConfig).where(projectScopedWhere(workAppSlackMcpToolAccessConfig, params.scopes));
 };
 const listContextCacheByProject = (db) => async (params) => {
 	return db.select({
 		id: contextCache.id,
 		contextConfigId: contextCache.contextConfigId
-	}).from(contextCache).where(and(eq(contextCache.tenantId, params.scopes.tenantId), eq(contextCache.projectId, params.scopes.projectId)));
+	}).from(contextCache).where(projectScopedWhere(contextCache, params.scopes));
 };
 const listApiKeysByProject = (db) => async (params) => {
 	return db.select({
 		id: apiKeys.id,
 		agentId: apiKeys.agentId
-	}).from(apiKeys).where(and(eq(apiKeys.tenantId, params.scopes.tenantId), eq(apiKeys.projectId, params.scopes.projectId)));
+	}).from(apiKeys).where(projectScopedWhere(apiKeys, params.scopes));
 };
 const listSlackChannelAgentConfigsByProject = (db) => async (params) => {
 	return db.select({
 		id: workAppSlackChannelAgentConfigs.id,
 		agentId: workAppSlackChannelAgentConfigs.agentId
-	}).from(workAppSlackChannelAgentConfigs).where(and(eq(workAppSlackChannelAgentConfigs.tenantId, params.scopes.tenantId), eq(workAppSlackChannelAgentConfigs.projectId, params.scopes.projectId)));
+	}).from(workAppSlackChannelAgentConfigs).where(projectScopedWhere(workAppSlackChannelAgentConfigs, params.scopes));
 };
 
 //#endregion

package/dist/data-access/runtime/auth.d.ts

@@ -0,0 +1,18 @@
+import { AgentsRunDatabaseClient } from "../../db/runtime/runtime-client.js";
+
+//#region src/data-access/runtime/auth.d.ts
+declare const getInitialOrganization: (db: AgentsRunDatabaseClient) => (userId: string) => Promise<{
+  id: string;
+} | null>;
+declare const queryHasCredentialAccount: (db: AgentsRunDatabaseClient) => (userId: string) => Promise<boolean>;
+interface SSOProviderRegistration {
+  providerId: string;
+  issuer: string;
+  domain: string;
+  organizationId?: string;
+  oidcConfig?: object;
+  samlConfig?: object;
+}
+declare const registerSSOProvider: (db: AgentsRunDatabaseClient) => (provider: SSOProviderRegistration) => Promise<void>;
+//#endregion
+export { SSOProviderRegistration, getInitialOrganization, queryHasCredentialAccount, registerSSOProvider };

package/dist/data-access/runtime/auth.js

@@ -0,0 +1,35 @@
+import { account, member, ssoProvider } from "../../auth/auth-schema.js";
+import { generateId } from "../../utils/conversations.js";
+import "../../utils/index.js";
+import { and, eq } from "drizzle-orm";
+
+//#region src/data-access/runtime/auth.ts
+const getInitialOrganization = (db) => async (userId) => {
+	const [membership] = await db.select({ organizationId: member.organizationId }).from(member).where(eq(member.userId, userId)).orderBy(member.createdAt).limit(1);
+	return membership ? { id: membership.organizationId } : null;
+};
+const queryHasCredentialAccount = (db) => async (userId) => {
+	const [row] = await db.select({ id: account.id }).from(account).where(and(eq(account.userId, userId), eq(account.providerId, "credential"))).limit(1);
+	return !!row;
+};
+const registerSSOProvider = (db) => async (provider) => {
+	try {
+		if ((await db.select().from(ssoProvider).where(eq(ssoProvider.providerId, provider.providerId)).limit(1)).length > 0) return;
+		if (!provider.domain) throw new Error(`SSO provider '${provider.providerId}' must have a domain`);
+		await db.insert(ssoProvider).values({
+			id: generateId(),
+			providerId: provider.providerId,
+			issuer: provider.issuer,
+			domain: provider.domain,
+			oidcConfig: provider.oidcConfig ? JSON.stringify(provider.oidcConfig) : null,
+			samlConfig: provider.samlConfig ? JSON.stringify(provider.samlConfig) : null,
+			userId: null,
+			organizationId: provider.organizationId || null
+		});
+	} catch (error) {
+		console.error(`❌ Failed to register SSO provider '${provider.providerId}':`, error);
+	}
+};
+
+//#endregion
+export { getInitialOrganization, queryHasCredentialAccount, registerSSOProvider };

package/dist/data-access/runtime/cascade-delete.js

@@ -1,4 +1,5 @@
 import { apiKeys, contextCache, conversations, tasks, workAppGitHubMcpToolAccessMode, workAppGitHubMcpToolRepositoryAccess, workAppGitHubProjectAccessMode, workAppGitHubProjectRepositoryAccess } from "../../db/runtime/runtime-schema.js";
+import { projectScopedWhere } from "../manage/scope-helpers.js";
 import { clearAppDefaultsByAgent, clearAppDefaultsByProject, deleteAppsByProject } from "./apps.js";
 import { deleteSlackMcpToolAccessConfig } from "./slack-work-app-mcp.js";
 import { clearDevConfigWorkspaceDefaultsByAgent, clearDevConfigWorkspaceDefaultsByProject, clearWorkspaceDefaultsByAgent, clearWorkspaceDefaultsByProject, deleteWorkAppSlackChannelAgentConfigsByAgent, deleteWorkAppSlackChannelAgentConfigsByProject } from "./workAppSlack.js";
@@ -14,9 +15,9 @@ import { and, eq, inArray, sql } from "drizzle-orm";
 */
 const cascadeDeleteByBranch = (db) => async (params) => {
 	const { scopes, fullBranchName } = params;
-	const contextCacheResult = await db.delete(contextCache).where(and(eq(contextCache.tenantId, scopes.tenantId), eq(contextCache.projectId, scopes.projectId), sql`${contextCache.ref}->>'name' = ${fullBranchName}`)).returning();
-	const conversationsResult = await db.delete(conversations).where(and(eq(conversations.tenantId, scopes.tenantId), eq(conversations.projectId, scopes.projectId), sql`${conversations.ref}->>'name' = ${fullBranchName}`)).returning();
-	const tasksResult = await db.delete(tasks).where(and(eq(tasks.tenantId, scopes.tenantId), eq(tasks.projectId, scopes.projectId), sql`${tasks.ref}->>'name' = ${fullBranchName}`)).returning();
+	const contextCacheResult = await db.delete(contextCache).where(and(projectScopedWhere(contextCache, scopes), sql`${contextCache.ref}->>'name' = ${fullBranchName}`)).returning();
+	const conversationsResult = await db.delete(conversations).where(and(projectScopedWhere(conversations, scopes), sql`${conversations.ref}->>'name' = ${fullBranchName}`)).returning();
+	const tasksResult = await db.delete(tasks).where(and(projectScopedWhere(tasks, scopes), sql`${tasks.ref}->>'name' = ${fullBranchName}`)).returning();
 	return {
 		conversationsDeleted: conversationsResult.length,
 		tasksDeleted: tasksResult.length,
@@ -38,10 +39,10 @@ const cascadeDeleteByBranch = (db) => async (params) => {
 */
 const cascadeDeleteByProject = (db) => async (params) => {
 	const { scopes, fullBranchName } = params;
-	const contextCacheResult = await db.delete(contextCache).where(and(eq(contextCache.tenantId, scopes.tenantId), eq(contextCache.projectId, scopes.projectId), sql`${contextCache.ref}->>'name' = ${fullBranchName}`)).returning();
-	const conversationsResult = await db.delete(conversations).where(and(eq(conversations.tenantId, scopes.tenantId), eq(conversations.projectId, scopes.projectId), sql`${conversations.ref}->>'name' = ${fullBranchName}`)).returning();
-	const tasksResult = await db.delete(tasks).where(and(eq(tasks.tenantId, scopes.tenantId), eq(tasks.projectId, scopes.projectId), sql`${tasks.ref}->>'name' = ${fullBranchName}`)).returning();
-	const apiKeysResult = await db.delete(apiKeys).where(and(eq(apiKeys.tenantId, scopes.tenantId), eq(apiKeys.projectId, scopes.projectId))).returning();
+	const contextCacheResult = await db.delete(contextCache).where(and(projectScopedWhere(contextCache, scopes), sql`${contextCache.ref}->>'name' = ${fullBranchName}`)).returning();
+	const conversationsResult = await db.delete(conversations).where(and(projectScopedWhere(conversations, scopes), sql`${conversations.ref}->>'name' = ${fullBranchName}`)).returning();
+	const tasksResult = await db.delete(tasks).where(and(projectScopedWhere(tasks, scopes), sql`${tasks.ref}->>'name' = ${fullBranchName}`)).returning();
+	const apiKeysResult = await db.delete(apiKeys).where(projectScopedWhere(apiKeys, scopes)).returning();
 	await cascadeDeleteGitHubAccessByProject(db)({
 		tenantId: scopes.tenantId,
 		projectId: scopes.projectId
@@ -77,14 +78,14 @@ const cascadeDeleteByAgent = (db) => async (params) => {
 	let tasksDeleted = 0;
 	let apiKeysDeleted = 0;
 	if (subAgentIds.length > 0) {
-		const conversationIds = (await db.select({ id: conversations.id }).from(conversations).where(and(eq(conversations.tenantId, scopes.tenantId), eq(conversations.projectId, scopes.projectId), inArray(conversations.activeSubAgentId, subAgentIds), sql`${conversations.ref}->>'name' = ${fullBranchName}`))).map((c) => c.id);
+		const conversationIds = (await db.select({ id: conversations.id }).from(conversations).where(and(projectScopedWhere(conversations, scopes), inArray(conversations.activeSubAgentId, subAgentIds), sql`${conversations.ref}->>'name' = ${fullBranchName}`))).map((c) => c.id);
 		if (conversationIds.length > 0) {
-			contextCacheDeleted = (await db.delete(contextCache).where(and(eq(contextCache.tenantId, scopes.tenantId), eq(contextCache.projectId, scopes.projectId), inArray(contextCache.conversationId, conversationIds))).returning()).length;
-			conversationsDeleted = (await db.delete(conversations).where(and(eq(conversations.tenantId, scopes.tenantId), eq(conversations.projectId, scopes.projectId), inArray(conversations.id, conversationIds))).returning()).length;
+			contextCacheDeleted = (await db.delete(contextCache).where(and(projectScopedWhere(contextCache, scopes), inArray(contextCache.conversationId, conversationIds))).returning()).length;
+			conversationsDeleted = (await db.delete(conversations).where(and(projectScopedWhere(conversations, scopes), inArray(conversations.id, conversationIds))).returning()).length;
 		}
 	}
-	tasksDeleted = (await db.delete(tasks).where(and(eq(tasks.tenantId, scopes.tenantId), eq(tasks.projectId, scopes.projectId), eq(tasks.agentId, scopes.agentId), sql`${tasks.ref}->>'name' = ${fullBranchName}`)).returning()).length;
-	apiKeysDeleted = (await db.delete(apiKeys).where(and(eq(apiKeys.tenantId, scopes.tenantId), eq(apiKeys.projectId, scopes.projectId), eq(apiKeys.agentId, scopes.agentId))).returning()).length;
+	tasksDeleted = (await db.delete(tasks).where(and(projectScopedWhere(tasks, scopes), eq(tasks.agentId, scopes.agentId), sql`${tasks.ref}->>'name' = ${fullBranchName}`)).returning()).length;
+	apiKeysDeleted = (await db.delete(apiKeys).where(and(projectScopedWhere(apiKeys, scopes), eq(apiKeys.agentId, scopes.agentId))).returning()).length;
 	const appDefaultsCleared = await clearAppDefaultsByAgent(db)(scopes.tenantId, scopes.agentId);
 	const slackChannelConfigsDeleted = await deleteWorkAppSlackChannelAgentConfigsByAgent(db)(scopes.tenantId, scopes.projectId, scopes.agentId);
 	const slackWorkspaceDefaultsCleared = await clearWorkspaceDefaultsByAgent(db)(scopes.tenantId, scopes.projectId, scopes.agentId);
@@ -108,14 +109,14 @@ const cascadeDeleteByAgent = (db) => async (params) => {
 */
 const cascadeDeleteBySubAgent = (db) => async (params) => {
 	const { scopes, subAgentId, fullBranchName } = params;
-	const conversationIds = (await db.select({ id: conversations.id }).from(conversations).where(and(eq(conversations.tenantId, scopes.tenantId), eq(conversations.projectId, scopes.projectId), eq(conversations.activeSubAgentId, subAgentId), sql`${conversations.ref}->>'name' = ${fullBranchName}`))).map((c) => c.id);
+	const conversationIds = (await db.select({ id: conversations.id }).from(conversations).where(and(projectScopedWhere(conversations, scopes), eq(conversations.activeSubAgentId, subAgentId), sql`${conversations.ref}->>'name' = ${fullBranchName}`))).map((c) => c.id);
 	let contextCacheDeleted = 0;
 	let conversationsDeleted = 0;
 	if (conversationIds.length > 0) {
-		contextCacheDeleted = (await db.delete(contextCache).where(and(eq(contextCache.tenantId, scopes.tenantId), eq(contextCache.projectId, scopes.projectId), inArray(contextCache.conversationId, conversationIds))).returning()).length;
-		conversationsDeleted = (await db.delete(conversations).where(and(eq(conversations.tenantId, scopes.tenantId), eq(conversations.projectId, scopes.projectId), inArray(conversations.id, conversationIds))).returning()).length;
+		contextCacheDeleted = (await db.delete(contextCache).where(and(projectScopedWhere(contextCache, scopes), inArray(contextCache.conversationId, conversationIds))).returning()).length;
+		conversationsDeleted = (await db.delete(conversations).where(and(projectScopedWhere(conversations, scopes), inArray(conversations.id, conversationIds))).returning()).length;
 	}
-	const tasksResult = await db.delete(tasks).where(and(eq(tasks.tenantId, scopes.tenantId), eq(tasks.projectId, scopes.projectId), eq(tasks.subAgentId, subAgentId), sql`${tasks.ref}->>'name' = ${fullBranchName}`)).returning();
+	const tasksResult = await db.delete(tasks).where(and(projectScopedWhere(tasks, scopes), eq(tasks.subAgentId, subAgentId), sql`${tasks.ref}->>'name' = ${fullBranchName}`)).returning();
 	return {
 		conversationsDeleted,
 		tasksDeleted: tasksResult.length,
@@ -136,7 +137,7 @@ const cascadeDeleteBySubAgent = (db) => async (params) => {
 */
 const cascadeDeleteByContextConfig = (db) => async (params) => {
 	const { scopes, contextConfigId, fullBranchName } = params;
-	return { contextCacheDeleted: (await db.delete(contextCache).where(and(eq(contextCache.tenantId, scopes.tenantId), eq(contextCache.projectId, scopes.projectId), eq(contextCache.contextConfigId, contextConfigId), sql`${contextCache.ref}->>'name' = ${fullBranchName}`)).returning()).length };
+	return { contextCacheDeleted: (await db.delete(contextCache).where(and(projectScopedWhere(contextCache, scopes), eq(contextCache.contextConfigId, contextConfigId), sql`${contextCache.ref}->>'name' = ${fullBranchName}`)).returning()).length };
 };
 /**
 * Delete all runtime entities for a specific MCP tool.
@@ -151,8 +152,12 @@ const cascadeDeleteByContextConfig = (db) => async (params) => {
 */
 const cascadeDeleteByTool = (db) => async (params) => {
 	const { toolId, tenantId, projectId } = params;
-	const repositoryAccessResult = await db.delete(workAppGitHubMcpToolRepositoryAccess).where(and(eq(workAppGitHubMcpToolRepositoryAccess.tenantId, tenantId), eq(workAppGitHubMcpToolRepositoryAccess.projectId, projectId), eq(workAppGitHubMcpToolRepositoryAccess.toolId, toolId))).returning();
-	const accessModeResult = await db.delete(workAppGitHubMcpToolAccessMode).where(and(eq(workAppGitHubMcpToolAccessMode.tenantId, tenantId), eq(workAppGitHubMcpToolAccessMode.projectId, projectId), eq(workAppGitHubMcpToolAccessMode.toolId, toolId))).returning();
+	const scopes = {
+		tenantId,
+		projectId
+	};
+	const repositoryAccessResult = await db.delete(workAppGitHubMcpToolRepositoryAccess).where(and(projectScopedWhere(workAppGitHubMcpToolRepositoryAccess, scopes), eq(workAppGitHubMcpToolRepositoryAccess.toolId, toolId))).returning();
+	const accessModeResult = await db.delete(workAppGitHubMcpToolAccessMode).where(and(projectScopedWhere(workAppGitHubMcpToolAccessMode, scopes), eq(workAppGitHubMcpToolAccessMode.toolId, toolId))).returning();
 	const slackMcpDeleted = await deleteSlackMcpToolAccessConfig(db)({
 		tenantId,
 		projectId,
@@ -178,11 +183,11 @@ const cascadeDeleteByTool = (db) => async (params) => {
 * @returns Function that performs the cascade delete
 */
 const cascadeDeleteGitHubAccessByProject = (db) => async (params) => {
-	const { tenantId, projectId } = params;
-	const projectRepoAccessResult = await db.delete(workAppGitHubProjectRepositoryAccess).where(and(eq(workAppGitHubProjectRepositoryAccess.tenantId, tenantId), eq(workAppGitHubProjectRepositoryAccess.projectId, projectId))).returning();
-	const projectAccessModeResult = await db.delete(workAppGitHubProjectAccessMode).where(and(eq(workAppGitHubProjectAccessMode.tenantId, tenantId), eq(workAppGitHubProjectAccessMode.projectId, projectId))).returning();
-	const mcpToolRepoAccessResult = await db.delete(workAppGitHubMcpToolRepositoryAccess).where(and(eq(workAppGitHubMcpToolRepositoryAccess.tenantId, tenantId), eq(workAppGitHubMcpToolRepositoryAccess.projectId, projectId))).returning();
-	const mcpToolAccessModeResult = await db.delete(workAppGitHubMcpToolAccessMode).where(and(eq(workAppGitHubMcpToolAccessMode.tenantId, tenantId), eq(workAppGitHubMcpToolAccessMode.projectId, projectId))).returning();
+	const scopes = params;
+	const projectRepoAccessResult = await db.delete(workAppGitHubProjectRepositoryAccess).where(projectScopedWhere(workAppGitHubProjectRepositoryAccess, scopes)).returning();
+	const projectAccessModeResult = await db.delete(workAppGitHubProjectAccessMode).where(projectScopedWhere(workAppGitHubProjectAccessMode, scopes)).returning();
+	const mcpToolRepoAccessResult = await db.delete(workAppGitHubMcpToolRepositoryAccess).where(projectScopedWhere(workAppGitHubMcpToolRepositoryAccess, scopes)).returning();
+	const mcpToolAccessModeResult = await db.delete(workAppGitHubMcpToolAccessMode).where(projectScopedWhere(workAppGitHubMcpToolAccessMode, scopes)).returning();
 	return {
 		projectRepositoryAccessDeleted: projectRepoAccessResult.length,
 		projectAccessModeDeleted: projectAccessModeResult.length > 0,

package/dist/data-access/runtime/contextCache.d.ts

@@ -12,6 +12,7 @@ declare const getCacheEntry: (db: AgentsRunDatabaseClient) => (params: {
   contextConfigId: string;
   contextVariableKey: string;
   requestHash?: string;
+  scopes: ProjectScopeConfig;
 }) => Promise<ContextCacheSelect | null>;
 /**
  * Set cached context data for a conversation

package/dist/data-access/runtime/contextCache.js

@@ -1,5 +1,6 @@
 import { contextCache } from "../../db/runtime/runtime-schema.js";
 import { generateId } from "../../utils/conversations.js";
+import { projectScopedWhere } from "../manage/scope-helpers.js";
 import { and, eq } from "drizzle-orm";
 
 //#region src/data-access/runtime/contextCache.ts
@@ -8,7 +9,7 @@ import { and, eq } from "drizzle-orm";
 */
 const getCacheEntry = (db) => async (params) => {
 	try {
-		const cacheEntry = await db.query.contextCache.findFirst({ where: and(eq(contextCache.conversationId, params.conversationId), eq(contextCache.contextConfigId, params.contextConfigId), eq(contextCache.contextVariableKey, params.contextVariableKey)) });
+		const cacheEntry = await db.query.contextCache.findFirst({ where: and(projectScopedWhere(contextCache, params.scopes), eq(contextCache.conversationId, params.conversationId), eq(contextCache.contextConfigId, params.contextConfigId), eq(contextCache.contextVariableKey, params.contextVariableKey)) });
 		if (!cacheEntry) return null;
 		if (params.requestHash && cacheEntry.requestHash && cacheEntry.requestHash !== params.requestHash) return null;
 		return {
@@ -52,25 +53,25 @@ const setCacheEntry = (db) => async (entry) => {
 * Clear cache entries for a specific conversation
 */
 const clearConversationCache = (db) => async (params) => {
-	return (await db.delete(contextCache).where(and(eq(contextCache.tenantId, params.scopes.tenantId), eq(contextCache.projectId, params.scopes.projectId), eq(contextCache.conversationId, params.conversationId))).returning()).length;
+	return (await db.delete(contextCache).where(and(projectScopedWhere(contextCache, params.scopes), eq(contextCache.conversationId, params.conversationId))).returning()).length;
 };
 /**
 * Clear all cache entries for a specific context configuration
 */
 const clearContextConfigCache = (db) => async (params) => {
-	return (await db.delete(contextCache).where(and(eq(contextCache.tenantId, params.scopes.tenantId), eq(contextCache.projectId, params.scopes.projectId), eq(contextCache.contextConfigId, params.contextConfigId))).returning()).length;
+	return (await db.delete(contextCache).where(and(projectScopedWhere(contextCache, params.scopes), eq(contextCache.contextConfigId, params.contextConfigId))).returning()).length;
 };
 /**
 * Clean up all cache entries for a tenant
 */
 const cleanupTenantCache = (db) => async (params) => {
-	return (await db.delete(contextCache).where(and(eq(contextCache.tenantId, params.scopes.tenantId), eq(contextCache.projectId, params.scopes.projectId))).returning()).length;
+	return (await db.delete(contextCache).where(projectScopedWhere(contextCache, params.scopes)).returning()).length;
 };
 /**
 * Invalidate the headers cache for a conversation
 */
 const invalidateHeadersCache = (db) => async (params) => {
-	return (await db.delete(contextCache).where(and(eq(contextCache.tenantId, params.scopes.tenantId), eq(contextCache.projectId, params.scopes.projectId), eq(contextCache.conversationId, params.conversationId), eq(contextCache.contextConfigId, params.contextConfigId), eq(contextCache.contextVariableKey, "headers"))).returning()).length;
+	return (await db.delete(contextCache).where(and(projectScopedWhere(contextCache, params.scopes), eq(contextCache.conversationId, params.conversationId), eq(contextCache.contextConfigId, params.contextConfigId), eq(contextCache.contextVariableKey, "headers"))).returning()).length;
 };
 /**
 * Invalidate specific cache entries for invocation-trigger definitions
@@ -78,7 +79,7 @@ const invalidateHeadersCache = (db) => async (params) => {
 const invalidateInvocationDefinitionsCache = (db) => async (params) => {
 	let totalRowsAffected = 0;
 	for (const definitionId of params.invocationDefinitionIds) {
-		const result = await db.delete(contextCache).where(and(eq(contextCache.tenantId, params.scopes.tenantId), eq(contextCache.projectId, params.scopes.projectId), eq(contextCache.conversationId, params.conversationId), eq(contextCache.contextConfigId, params.contextConfigId), eq(contextCache.contextVariableKey, definitionId))).returning();
+		const result = await db.delete(contextCache).where(and(projectScopedWhere(contextCache, params.scopes), eq(contextCache.conversationId, params.conversationId), eq(contextCache.contextConfigId, params.contextConfigId), eq(contextCache.contextVariableKey, definitionId))).returning();
 		totalRowsAffected += result.length;
 	}
 	return totalRowsAffected;
@@ -87,7 +88,7 @@ const invalidateInvocationDefinitionsCache = (db) => async (params) => {
 * Get all cache entries for a conversation
 */
 const getConversationCacheEntries = (db) => async (params) => {
-	return (await db.query.contextCache.findMany({ where: and(eq(contextCache.tenantId, params.scopes.tenantId), eq(contextCache.projectId, params.scopes.projectId), eq(contextCache.conversationId, params.conversationId)) })).map((entry) => ({
+	return (await db.query.contextCache.findMany({ where: and(projectScopedWhere(contextCache, params.scopes), eq(contextCache.conversationId, params.conversationId)) })).map((entry) => ({
 		...entry,
 		value: entry.value
 	}));
@@ -96,7 +97,7 @@ const getConversationCacheEntries = (db) => async (params) => {
 * Get all cache entries for a context configuration
 */
 const getContextConfigCacheEntries = (db) => async (params) => {
-	return (await db.query.contextCache.findMany({ where: and(eq(contextCache.tenantId, params.scopes.tenantId), eq(contextCache.projectId, params.scopes.projectId), eq(contextCache.contextConfigId, params.contextConfigId)) })).map((entry) => ({
+	return (await db.query.contextCache.findMany({ where: and(projectScopedWhere(contextCache, params.scopes), eq(contextCache.contextConfigId, params.contextConfigId)) })).map((entry) => ({
 		...entry,
 		value: entry.value
 	}));