@inkeep/agents-core 0.58.21 → 0.59.0

package/dist/data-access/runtime/conversations.d.ts

@@ -24,12 +24,12 @@ declare const createConversation: (db: AgentsRunDatabaseClient) => (params: Conv
   createdAt: string;
   updatedAt: string;
   metadata: ConversationMetadata | null;
+  userId: string | null;
   ref: {
     type: "commit" | "tag" | "branch";
     name: string;
     hash: string;
   } | null;
-  userId: string | null;
   activeSubAgentId: string;
   lastContextResolution: string | null;
 }>;
@@ -93,12 +93,12 @@ declare const getConversation: (db: AgentsRunDatabaseClient) => (params: {
   createdAt: string;
   updatedAt: string;
   metadata: ConversationMetadata | null;
+  userId: string | null;
   ref: {
     type: "commit" | "tag" | "branch";
     name: string;
     hash: string;
   } | null;
-  userId: string | null;
   activeSubAgentId: string;
   lastContextResolution: string | null;
 } | undefined>;
@@ -129,12 +129,12 @@ declare const createOrGetConversation: (db: AgentsRunDatabaseClient) => (input:
   createdAt: string;
   updatedAt: string;
   metadata: ConversationMetadata | null;
+  userId: string | null;
   ref: {
     type: "commit" | "tag" | "branch";
     name: string;
     hash: string;
   } | null;
-  userId: string | null;
   activeSubAgentId: string;
   lastContextResolution: string | null;
 }>;
@@ -161,12 +161,12 @@ declare const getActiveAgentForConversation: (db: AgentsRunDatabaseClient) => (p
   createdAt: string;
   updatedAt: string;
   metadata: ConversationMetadata | null;
+  userId: string | null;
   ref: {
     type: "commit" | "tag" | "branch";
     name: string;
     hash: string;
   } | null;
-  userId: string | null;
   activeSubAgentId: string;
   lastContextResolution: string | null;
 } | undefined>;

package/dist/data-access/runtime/messages.d.ts

@@ -18,18 +18,18 @@ declare const getMessageById: (db: AgentsRunDatabaseClient) => (params: {
   metadata: MessageMetadata | null;
   content: MessageContent;
   role: string;
-  conversationId: string;
   fromSubAgentId: string | null;
   toSubAgentId: string | null;
   fromExternalAgentId: string | null;
   toExternalAgentId: string | null;
+  taskId: string | null;
+  a2aTaskId: string | null;
+  conversationId: string;
   fromTeamAgentId: string | null;
   toTeamAgentId: string | null;
   visibility: string;
   messageType: string;
-  taskId: string | null;
   parentMessageId: string | null;
-  a2aTaskId: string | null;
   a2aSessionId: string | null;
 } | undefined>;
 declare const listMessages: (db: AgentsRunDatabaseClient) => (params: {
@@ -152,18 +152,18 @@ declare const createMessage: (db: AgentsRunDatabaseClient) => (params: {
   metadata: MessageMetadata | null;
   content: MessageContent;
   role: string;
-  conversationId: string;
   fromSubAgentId: string | null;
   toSubAgentId: string | null;
   fromExternalAgentId: string | null;
   toExternalAgentId: string | null;
+  taskId: string | null;
+  a2aTaskId: string | null;
+  conversationId: string;
   fromTeamAgentId: string | null;
   toTeamAgentId: string | null;
   visibility: string;
   messageType: string;
-  taskId: string | null;
   parentMessageId: string | null;
-  a2aTaskId: string | null;
   a2aSessionId: string | null;
 }>;
 declare const updateMessage: (db: AgentsRunDatabaseClient) => (params: {
@@ -205,18 +205,18 @@ declare const deleteMessage: (db: AgentsRunDatabaseClient) => (params: {
   metadata: MessageMetadata | null;
   content: MessageContent;
   role: string;
-  conversationId: string;
   fromSubAgentId: string | null;
   toSubAgentId: string | null;
   fromExternalAgentId: string | null;
   toExternalAgentId: string | null;
+  taskId: string | null;
+  a2aTaskId: string | null;
+  conversationId: string;
   fromTeamAgentId: string | null;
   toTeamAgentId: string | null;
   visibility: string;
   messageType: string;
-  taskId: string | null;
   parentMessageId: string | null;
-  a2aTaskId: string | null;
   a2aSessionId: string | null;
 }>;
 declare const countMessagesByConversation: (db: AgentsRunDatabaseClient) => (params: {

package/dist/data-access/runtime/organizations.d.ts

@@ -1,4 +1,5 @@
 import { AgentsRunDatabaseClient } from "../../db/runtime/runtime-client.js";
+import { AllowedAuthMethod, MethodOption, OrgAuthInfo } from "../../auth/auth-types.js";
 import { UserOrganization } from "../../auth/auth-validation-schemas.js";
 
 //#region src/data-access/runtime/organizations.d.ts
@@ -39,6 +40,7 @@ declare const addUserToOrganization: (db: AgentsRunDatabaseClient) => (data: {
   userId: string;
   organizationId: string;
   role: string;
+  isServiceAccount?: boolean;
 }) => Promise<void>;
 declare const upsertOrganization: (db: AgentsRunDatabaseClient) => (data: {
   organizationId: string;
@@ -55,19 +57,41 @@ interface UserProviderInfo {
 }
 /**
  * Get authentication providers for a list of users.
- * Returns which providers each user has linked (e.g., 'credential', 'google', 'auth0').
+ * Returns which providers each user has linked (e.g., 'credential', 'google').
  */
 declare const getUserProvidersFromDb: (db: AgentsRunDatabaseClient) => (userIds: string[]) => Promise<UserProviderInfo[]>;
+declare const getAllowedAuthMethods: (db: AgentsRunDatabaseClient) => (organizationId: string) => Promise<AllowedAuthMethod[]>;
 /**
- * Create an invitation directly in db
- * Used when shouldAllowJoinFromWorkspace is enabled for a work_app_slack_workspaces
+ * Create an invitation directly in db.
+ * Accepts an optional explicit authMethod; defaults to email-password.
  */
 declare const createInvitationInDb: (db: AgentsRunDatabaseClient) => (data: {
   organizationId: string;
   email: string;
+  authMethod?: string;
 }) => Promise<{
   id: string;
   authMethod: string;
 }>;
+interface SSOProviderLookupResult {
+  providerId: string;
+  issuer: string;
+  domain: string;
+  organizationId: string | null;
+  providerType: 'oidc' | 'saml';
+}
+declare const getSSOProvidersByDomain: (db: AgentsRunDatabaseClient) => (domain: string) => Promise<SSOProviderLookupResult[]>;
+/**
+ * Filters org-allowed auth methods by email domain.
+ * SSO providers are only included if their domain matches the user's email domain.
+ * Non-SSO methods (email-password, google) pass through unfiltered.
+ */
+declare const getFilteredAuthMethodsForEmail: (db: AgentsRunDatabaseClient) => (organizationId: string, email: string) => Promise<MethodOption[]>;
+declare function allowedMethodsToMethodOptions(methods: AllowedAuthMethod[], ssoProviders: SSOProviderLookupResult[]): MethodOption[];
+/**
+ * Main auth-lookup query for the login flow.
+ * Returns org-grouped methods based on SSO domain match and/or user org membership.
+ */
+declare const getAuthLookupForEmail: (db: AgentsRunDatabaseClient) => (email: string) => Promise<OrgAuthInfo[]>;
 //#endregion
-export { UserProviderInfo, addUserToOrganization, createInvitationInDb, getPendingInvitationsByEmail, getUserOrganizationsFromDb, getUserProvidersFromDb, upsertOrganization };
+export { type MethodOption, type OrgAuthInfo, SSOProviderLookupResult, UserProviderInfo, addUserToOrganization, allowedMethodsToMethodOptions, createInvitationInDb, getAllowedAuthMethods, getAuthLookupForEmail, getFilteredAuthMethodsForEmail, getPendingInvitationsByEmail, getSSOProvidersByDomain, getUserOrganizationsFromDb, getUserProvidersFromDb, upsertOrganization };

package/dist/data-access/runtime/organizations.js

@@ -1,4 +1,5 @@
-import { account, invitation, member, organization } from "../../auth/auth-schema.js";
+import { account, invitation, member, organization, ssoProvider, user } from "../../auth/auth-schema.js";
+import { parseAllowedAuthMethods } from "../../auth/auth-types.js";
 import { and, desc, eq, inArray, or } from "drizzle-orm";
 import { generateId } from "better-auth";
 
@@ -51,7 +52,10 @@ const getPendingInvitationsByEmail = (db) => async (email) => {
 */
 const addUserToOrganization = (db) => async (data) => {
 	if ((await db.select().from(organization).where(eq(organization.id, data.organizationId)).limit(1)).length === 0) throw new Error(`Organization ${data.organizationId} does not exist`);
-	if ((await db.select().from(member).where(and(eq(member.userId, data.userId), eq(member.organizationId, data.organizationId))).limit(1)).length > 0) return;
+	if ((await db.select().from(member).where(and(eq(member.userId, data.userId), eq(member.organizationId, data.organizationId))).limit(1)).length > 0) {
+		if (data.isServiceAccount) await db.update(organization).set({ serviceAccountUserId: data.userId }).where(eq(organization.id, data.organizationId));
+		return;
+	}
 	await db.insert(member).values({
 		id: `${data.userId}_${data.organizationId}`,
 		userId: data.userId,
@@ -59,6 +63,7 @@ const addUserToOrganization = (db) => async (data) => {
 		role: data.role,
 		createdAt: /* @__PURE__ */ new Date()
 	});
+	if (data.isServiceAccount) await db.update(organization).set({ serviceAccountUserId: data.userId }).where(eq(organization.id, data.organizationId));
 };
 const upsertOrganization = (db) => async (data) => {
 	if ((await db.select().from(organization).where(or(eq(organization.id, data.organizationId), eq(organization.slug, data.slug))).limit(1)).length > 0) return { created: false };
@@ -74,7 +79,7 @@ const upsertOrganization = (db) => async (data) => {
 };
 /**
 * Get authentication providers for a list of users.
-* Returns which providers each user has linked (e.g., 'credential', 'google', 'auth0').
+* Returns which providers each user has linked (e.g., 'credential', 'google').
 */
 const getUserProvidersFromDb = (db) => async (userIds) => {
 	if (userIds.length === 0) return [];
@@ -93,17 +98,23 @@ const getUserProvidersFromDb = (db) => async (userIds) => {
 		providers: providerMap.get(userId) || []
 	}));
 };
+const getAllowedAuthMethods = (db) => async (organizationId) => {
+	const org = (await db.select({ allowedAuthMethods: organization.allowedAuthMethods }).from(organization).where(eq(organization.id, organizationId)).limit(1))[0];
+	if (!org) return [{ method: "email-password" }];
+	return parseAllowedAuthMethods(org.allowedAuthMethods);
+};
 /**
-* Create an invitation directly in db
-* Used when shouldAllowJoinFromWorkspace is enabled for a work_app_slack_workspaces
+* Create an invitation directly in db.
+* Accepts an optional explicit authMethod; defaults to email-password.
 */
 const createInvitationInDb = (db) => async (data) => {
 	const orgSettings = (await db.select({
 		serviceAccountUserId: organization.serviceAccountUserId,
+		allowedAuthMethods: organization.allowedAuthMethods,
 		preferredAuthMethod: organization.preferredAuthMethod
 	}).from(organization).where(eq(organization.id, data.organizationId)).limit(1))[0];
 	if (!orgSettings?.serviceAccountUserId) throw new Error(`Organization ${data.organizationId} does not have a serviceAccountUserId configured`);
-	if (!orgSettings?.preferredAuthMethod) throw new Error(`Organization ${data.organizationId} does not have a preferredAuthMethod configured`);
+	const resolvedMethod = data.authMethod || orgSettings.preferredAuthMethod || "email-password";
 	const inviteId = generateId();
 	const expiresAt = new Date(Date.now() + 3600 * 1e3);
 	await db.insert(invitation).values({
@@ -114,13 +125,124 @@ const createInvitationInDb = (db) => async (data) => {
 		status: "pending",
 		expiresAt,
 		inviterId: orgSettings.serviceAccountUserId,
-		authMethod: orgSettings.preferredAuthMethod
+		authMethod: resolvedMethod
 	});
 	return {
 		id: inviteId,
-		authMethod: orgSettings.preferredAuthMethod
+		authMethod: resolvedMethod
 	};
 };
+const getSSOProvidersByDomain = (db) => async (domain) => {
+	return (await db.select({
+		providerId: ssoProvider.providerId,
+		issuer: ssoProvider.issuer,
+		domain: ssoProvider.domain,
+		organizationId: ssoProvider.organizationId,
+		oidcConfig: ssoProvider.oidcConfig,
+		samlConfig: ssoProvider.samlConfig
+	}).from(ssoProvider).where(eq(ssoProvider.domain, domain))).map((provider) => ({
+		providerId: provider.providerId,
+		issuer: provider.issuer,
+		domain: provider.domain,
+		organizationId: provider.organizationId,
+		providerType: provider.samlConfig ? "saml" : "oidc"
+	}));
+};
+/**
+* Filters org-allowed auth methods by email domain.
+* SSO providers are only included if their domain matches the user's email domain.
+* Non-SSO methods (email-password, google) pass through unfiltered.
+*/
+const getFilteredAuthMethodsForEmail = (db) => async (organizationId, email) => {
+	const emailDomain = email.split("@")[1]?.toLowerCase();
+	if (!emailDomain) return [];
+	const [allowed, domainProviders] = await Promise.all([getAllowedAuthMethods(db)(organizationId), getSSOProvidersByDomain(db)(emailDomain)]);
+	return allowedMethodsToMethodOptions(allowed, domainProviders.filter((p) => p.organizationId === organizationId));
+};
+function allowedMethodsToMethodOptions(methods, ssoProviders) {
+	const options = [];
+	for (const m of methods) if (m.method === "email-password") options.push({ method: "email-password" });
+	else if (m.method === "google") options.push({ method: "google" });
+	else if (m.method === "sso") {
+		if (!m.enabled) continue;
+		const provider = ssoProviders.find((p) => p.providerId === m.providerId);
+		if (!provider) continue;
+		options.push({
+			method: "sso",
+			providerId: m.providerId,
+			providerType: provider.providerType,
+			displayName: m.displayName
+		});
+	}
+	return options;
+}
+/**
+* Main auth-lookup query for the login flow.
+* Returns org-grouped methods based on SSO domain match and/or user org membership.
+*/
+const getAuthLookupForEmail = (db) => async (email) => {
+	const emailDomain = email.split("@")[1]?.toLowerCase();
+	if (!emailDomain) return [];
+	const orgMap = /* @__PURE__ */ new Map();
+	const domainProviders = await getSSOProvidersByDomain(db)(emailDomain);
+	const orgIdsFromSSO = [...new Set(domainProviders.map((p) => p.organizationId).filter(Boolean))];
+	for (const orgId of orgIdsFromSSO) {
+		const org = (await db.select({
+			id: organization.id,
+			name: organization.name,
+			slug: organization.slug,
+			allowedAuthMethods: organization.allowedAuthMethods,
+			preferredAuthMethod: organization.preferredAuthMethod
+		}).from(organization).where(eq(organization.id, orgId)).limit(1))[0];
+		if (!org) continue;
+		const allowed = parseAllowedAuthMethods(org.allowedAuthMethods);
+		const orgSSO = domainProviders.filter((p) => p.organizationId === orgId);
+		orgMap.set(orgId, {
+			organizationId: org.id,
+			organizationName: org.name,
+			organizationSlug: org.slug,
+			methods: allowedMethodsToMethodOptions(allowed, orgSSO)
+		});
+	}
+	const userRow = await db.select({ id: user.id }).from(user).where(eq(user.email, email.toLowerCase())).limit(1);
+	if (userRow[0]) {
+		const memberships = await db.select({
+			organizationId: member.organizationId,
+			orgName: organization.name,
+			orgSlug: organization.slug,
+			allowedAuthMethods: organization.allowedAuthMethods,
+			preferredAuthMethod: organization.preferredAuthMethod
+		}).from(member).innerJoin(organization, eq(member.organizationId, organization.id)).where(eq(member.userId, userRow[0].id));
+		for (const m of memberships) {
+			if (orgMap.has(m.organizationId)) continue;
+			const allowed = parseAllowedAuthMethods(m.allowedAuthMethods);
+			const orgSSO = domainProviders.filter((p) => p.organizationId === m.organizationId);
+			orgMap.set(m.organizationId, {
+				organizationId: m.organizationId,
+				organizationName: m.orgName,
+				organizationSlug: m.orgSlug,
+				methods: allowedMethodsToMethodOptions(allowed, orgSSO)
+			});
+		}
+		const serviceAccountOrgs = await db.select({
+			id: organization.id,
+			name: organization.name,
+			slug: organization.slug
+		}).from(organization).where(eq(organization.serviceAccountUserId, userRow[0].id));
+		for (const org of serviceAccountOrgs) {
+			const existing = orgMap.get(org.id);
+			if (existing) {
+				if (!existing.methods.some((m) => m.method === "email-password")) existing.methods.unshift({ method: "email-password" });
+			} else orgMap.set(org.id, {
+				organizationId: org.id,
+				organizationName: org.name,
+				organizationSlug: org.slug,
+				methods: [{ method: "email-password" }]
+			});
+		}
+	}
+	return [...orgMap.values()];
+};
 
 //#endregion
-export { addUserToOrganization, createInvitationInDb, getPendingInvitationsByEmail, getUserOrganizationsFromDb, getUserProvidersFromDb, upsertOrganization };
+export { addUserToOrganization, allowedMethodsToMethodOptions, createInvitationInDb, getAllowedAuthMethods, getAuthLookupForEmail, getFilteredAuthMethodsForEmail, getPendingInvitationsByEmail, getSSOProvidersByDomain, getUserOrganizationsFromDb, getUserProvidersFromDb, upsertOrganization };

package/dist/data-access/runtime/tasks.d.ts

@@ -14,13 +14,13 @@ declare const createTask: (db: AgentsRunDatabaseClient) => (params: TaskInsert)
   createdAt: string;
   updatedAt: string;
   metadata: TaskMetadataConfig | null;
+  status: string;
+  subAgentId: string;
   ref: {
     type: "commit" | "tag" | "branch";
     name: string;
     hash: string;
   } | null;
-  status: string;
-  subAgentId: string;
   contextId: string;
 }>;
 declare const getTask: (db: AgentsRunDatabaseClient) => (params: {