@inkeep/agents-core 0.58.21 → 0.59.0

package/dist/auth/auth-schema.js

@@ -63,6 +63,7 @@ const organization = pgTable("organization", {
 	createdAt: timestamp("created_at").notNull(),
 	metadata: text("metadata"),
 	preferredAuthMethod: text("preferred_auth_method"),
+	allowedAuthMethods: text("allowed_auth_methods"),
 	serviceAccountUserId: text("service_account_user_id")
 }, (table) => [uniqueIndex("organization_slug_uidx").on(table.slug)]);
 const member = pgTable("member", {

package/dist/auth/auth-types.d.ts

@@ -0,0 +1,170 @@
+import { AgentsRunDatabaseClient } from "../db/runtime/runtime-client.js";
+import * as pg0 from "pg";
+import { z } from "zod";
+import { BetterAuthAdvancedOptions } from "better-auth";
+import { GoogleOptions } from "better-auth/social-providers";
+
+//#region src/auth/auth-types.d.ts
+type AuthMethodType = 'email-password' | 'google' | 'sso';
+declare const authMethodTypeSchema: z.ZodEnum<{
+  "email-password": "email-password";
+  google: "google";
+  sso: "sso";
+}>;
+declare const methodOptionSchema: z.ZodObject<{
+  method: z.ZodEnum<{
+    "email-password": "email-password";
+    google: "google";
+    sso: "sso";
+  }>;
+  providerId: z.ZodOptional<z.ZodString>;
+  providerType: z.ZodOptional<z.ZodEnum<{
+    oidc: "oidc";
+    saml: "saml";
+  }>>;
+  displayName: z.ZodOptional<z.ZodString>;
+}, z.core.$strip>;
+type MethodOption = z.infer<typeof methodOptionSchema>;
+declare const orgAuthInfoSchema: z.ZodObject<{
+  organizationId: z.ZodString;
+  organizationName: z.ZodString;
+  organizationSlug: z.ZodOptional<z.ZodString>;
+  methods: z.ZodArray<z.ZodObject<{
+    method: z.ZodEnum<{
+      "email-password": "email-password";
+      google: "google";
+      sso: "sso";
+    }>;
+    providerId: z.ZodOptional<z.ZodString>;
+    providerType: z.ZodOptional<z.ZodEnum<{
+      oidc: "oidc";
+      saml: "saml";
+    }>>;
+    displayName: z.ZodOptional<z.ZodString>;
+  }, z.core.$strip>>;
+}, z.core.$strip>;
+type OrgAuthInfo = z.infer<typeof orgAuthInfoSchema>;
+declare const authLookupResponseSchema: z.ZodObject<{
+  organizations: z.ZodArray<z.ZodObject<{
+    organizationId: z.ZodString;
+    organizationName: z.ZodString;
+    organizationSlug: z.ZodOptional<z.ZodString>;
+    methods: z.ZodArray<z.ZodObject<{
+      method: z.ZodEnum<{
+        "email-password": "email-password";
+        google: "google";
+        sso: "sso";
+      }>;
+      providerId: z.ZodOptional<z.ZodString>;
+      providerType: z.ZodOptional<z.ZodEnum<{
+        oidc: "oidc";
+        saml: "saml";
+      }>>;
+      displayName: z.ZodOptional<z.ZodString>;
+    }, z.core.$strip>>;
+  }, z.core.$strip>>;
+}, z.core.$strip>;
+type AuthLookupResponse = z.infer<typeof authLookupResponseSchema>;
+interface OIDCProviderConfig {
+  clientId: string;
+  clientSecret: string;
+  authorizationEndpoint?: string;
+  tokenEndpoint?: string;
+  userinfoEndpoint?: string;
+  jwksEndpoint?: string;
+  discoveryEndpoint?: string;
+  scopes?: string[];
+  pkce?: boolean;
+  mapping?: {
+    id?: string;
+    email?: string;
+    emailVerified?: string;
+    name?: string;
+    image?: string;
+    extraFields?: Record<string, string>;
+  };
+}
+interface SAMLProviderConfig {
+  entryPoint: string;
+  cert: string;
+  callbackUrl: string;
+  audience?: string;
+  wantAssertionsSigned?: boolean;
+  signatureAlgorithm?: string;
+  digestAlgorithm?: string;
+  identifierFormat?: string;
+  mapping?: {
+    id?: string;
+    email?: string;
+    name?: string;
+    firstName?: string;
+    lastName?: string;
+    emailVerified?: string;
+    extraFields?: Record<string, string>;
+  };
+}
+interface SSOProviderConfig {
+  providerId: string;
+  issuer: string;
+  domain: string;
+  organizationId?: string;
+  oidcConfig?: OIDCProviderConfig;
+  samlConfig?: SAMLProviderConfig;
+}
+declare const allowedAuthMethodSchema: z.ZodDiscriminatedUnion<[z.ZodObject<{
+  method: z.ZodLiteral<"email-password">;
+}, z.core.$strip>, z.ZodObject<{
+  method: z.ZodLiteral<"google">;
+}, z.core.$strip>, z.ZodObject<{
+  method: z.ZodLiteral<"sso">;
+  providerId: z.ZodString;
+  displayName: z.ZodString;
+  autoProvision: z.ZodBoolean;
+  enabled: z.ZodBoolean;
+}, z.core.$strip>], "method">;
+type AllowedAuthMethod = z.infer<typeof allowedAuthMethodSchema>;
+declare function parseAllowedAuthMethods(raw: string | null | undefined): AllowedAuthMethod[];
+declare function serializeAllowedAuthMethods(methods: AllowedAuthMethod[]): string;
+interface EmailServiceConfig {
+  sendInvitationEmail(data: {
+    to: string;
+    inviterName: string;
+    organizationName: string;
+    role: string;
+    invitationUrl: string;
+    authMethod?: string;
+    expiresInDays?: number;
+  }): Promise<{
+    emailSent: boolean;
+    error?: string;
+  }>;
+  sendPasswordResetEmail(data: {
+    to: string;
+    resetUrl: string;
+    expiresInMinutes?: number;
+  }): Promise<{
+    emailSent: boolean;
+    error?: string;
+  }>;
+  isConfigured: boolean;
+}
+interface BetterAuthConfig {
+  baseURL: string;
+  secret: string;
+  dbClient: AgentsRunDatabaseClient;
+  manageDbPool?: pg0.Pool;
+  cookieDomain?: string;
+  socialProviders?: {
+    google?: GoogleOptions;
+  };
+  advanced?: BetterAuthAdvancedOptions;
+  emailService?: EmailServiceConfig;
+}
+interface UserAuthConfig {
+  socialProviders?: {
+    google?: GoogleOptions;
+  };
+  advanced?: BetterAuthAdvancedOptions;
+}
+//#endregion
+export { AllowedAuthMethod, AuthLookupResponse, AuthMethodType, BetterAuthConfig, EmailServiceConfig, MethodOption, OIDCProviderConfig, OrgAuthInfo, SAMLProviderConfig, SSOProviderConfig, UserAuthConfig, authLookupResponseSchema, authMethodTypeSchema, methodOptionSchema, orgAuthInfoSchema, parseAllowedAuthMethods, serializeAllowedAuthMethods };

package/dist/auth/auth-types.js

@@ -0,0 +1,53 @@
+import { z } from "zod";
+
+//#region src/auth/auth-types.ts
+const authMethodTypeSchema = z.enum([
+	"email-password",
+	"google",
+	"sso"
+]);
+const methodOptionSchema = z.object({
+	method: authMethodTypeSchema,
+	providerId: z.string().optional(),
+	providerType: z.enum(["oidc", "saml"]).optional(),
+	displayName: z.string().optional()
+});
+const orgAuthInfoSchema = z.object({
+	organizationId: z.string(),
+	organizationName: z.string(),
+	organizationSlug: z.string().optional(),
+	methods: z.array(methodOptionSchema)
+});
+const authLookupResponseSchema = z.object({ organizations: z.array(orgAuthInfoSchema) });
+const allowedAuthMethodSchema = z.discriminatedUnion("method", [
+	z.object({ method: z.literal("email-password") }),
+	z.object({ method: z.literal("google") }),
+	z.object({
+		method: z.literal("sso"),
+		providerId: z.string(),
+		displayName: z.string(),
+		autoProvision: z.boolean(),
+		enabled: z.boolean()
+	})
+]);
+const DEFAULT_AUTH_METHODS = [{ method: "email-password" }];
+function parseAllowedAuthMethods(raw) {
+	if (!raw) return DEFAULT_AUTH_METHODS;
+	try {
+		const parsed = JSON.parse(raw);
+		if (!Array.isArray(parsed)) return DEFAULT_AUTH_METHODS;
+		const valid = parsed.flatMap((item) => {
+			const result = allowedAuthMethodSchema.safeParse(item);
+			return result.success ? [result.data] : [];
+		});
+		return valid.length > 0 ? valid : DEFAULT_AUTH_METHODS;
+	} catch {
+		return DEFAULT_AUTH_METHODS;
+	}
+}
+function serializeAllowedAuthMethods(methods) {
+	return JSON.stringify(methods);
+}
+
+//#endregion
+export { authLookupResponseSchema, authMethodTypeSchema, methodOptionSchema, orgAuthInfoSchema, parseAllowedAuthMethods, serializeAllowedAuthMethods };