@inkeep/agents-core 0.58.21 → 0.59.1

package/dist/data-access/manage/tools.d.ts

@@ -20,14 +20,14 @@ declare const getToolById: (db: AgentsManageDatabaseClient) => (params: {
   scopes: ProjectScopeConfig;
   toolId: string;
 }) => Promise<{
-  id: string;
+  headers: Record<string, string> | null;
   name: string;
-  description: string | null;
-  tenantId: string;
-  projectId: string;
+  id: string;
   createdAt: string;
   updatedAt: string;
-  headers: Record<string, string> | null;
+  tenantId: string;
+  projectId: string;
+  description: string | null;
   config: {
     type: "mcp";
     mcp: ToolMcpConfig;
@@ -78,14 +78,14 @@ declare const listTools: (db: AgentsManageDatabaseClient) => (params: {
   };
 }>;
 declare const createTool: (db: AgentsManageDatabaseClient) => (params: ToolInsert) => Promise<{
-  id: string;
+  headers: Record<string, string> | null;
   name: string;
-  description: string | null;
-  tenantId: string;
-  projectId: string;
+  id: string;
   createdAt: string;
   updatedAt: string;
-  headers: Record<string, string> | null;
+  tenantId: string;
+  projectId: string;
+  description: string | null;
   config: {
     type: "mcp";
     mcp: ToolMcpConfig;
@@ -135,38 +135,38 @@ declare const addToolToAgent: (db: AgentsManageDatabaseClient) => (params: {
     needsApproval?: boolean;
   }> | null;
 }) => Promise<{
+  headers: Record<string, string> | null;
   id: string;
+  createdAt: string;
+  updatedAt: string;
   tenantId: string;
   projectId: string;
   agentId: string;
-  createdAt: string;
-  updatedAt: string;
+  subAgentId: string;
   toolId: string;
-  headers: Record<string, string> | null;
+  selectedTools: string[] | null;
   toolPolicies: Record<string, {
     needsApproval?: boolean;
   }> | null;
-  subAgentId: string;
-  selectedTools: string[] | null;
 }>;
 declare const removeToolFromAgent: (db: AgentsManageDatabaseClient) => (params: {
   scopes: AgentScopeConfig;
   subAgentId: string;
   toolId: string;
 }) => Promise<{
+  headers: Record<string, string> | null;
   id: string;
+  createdAt: string;
+  updatedAt: string;
   tenantId: string;
   projectId: string;
   agentId: string;
-  createdAt: string;
-  updatedAt: string;
+  subAgentId: string;
   toolId: string;
-  headers: Record<string, string> | null;
+  selectedTools: string[] | null;
   toolPolicies: Record<string, {
     needsApproval?: boolean;
   }> | null;
-  subAgentId: string;
-  selectedTools: string[] | null;
 }>;
 /**
  * Upsert agent-tool relation (create if it doesn't exist, update if it does)
@@ -182,19 +182,19 @@ declare const upsertSubAgentToolRelation: (db: AgentsManageDatabaseClient) => (p
   }> | null;
   relationId?: string;
 }) => Promise<{
+  headers: Record<string, string> | null;
   id: string;
+  createdAt: string;
+  updatedAt: string;
   tenantId: string;
   projectId: string;
   agentId: string;
-  createdAt: string;
-  updatedAt: string;
+  subAgentId: string;
   toolId: string;
-  headers: Record<string, string> | null;
+  selectedTools: string[] | null;
   toolPolicies: Record<string, {
     needsApproval?: boolean;
   }> | null;
-  subAgentId: string;
-  selectedTools: string[] | null;
 }>;
 /**
  * Upsert a tool (create if it doesn't exist, update if it does)
@@ -202,14 +202,14 @@ declare const upsertSubAgentToolRelation: (db: AgentsManageDatabaseClient) => (p
 declare const upsertTool: (db: AgentsManageDatabaseClient) => (params: {
   data: ToolInsert;
 }) => Promise<{
-  id: string;
+  headers: Record<string, string> | null;
   name: string;
-  description: string | null;
-  tenantId: string;
-  projectId: string;
+  id: string;
   createdAt: string;
   updatedAt: string;
-  headers: Record<string, string> | null;
+  tenantId: string;
+  projectId: string;
+  description: string | null;
   config: {
     type: "mcp";
     mcp: ToolMcpConfig;

package/dist/data-access/manage/tools.js

@@ -3,6 +3,8 @@ import { CredentialStoreType, MCPServerType, MCPTransportType } from "../../type
 import { detectAuthenticationRequired } from "../../utils/auth-detection.js";
 import { env } from "../../env.js";
 import { getLogger } from "../../utils/logger.js";
+import { configureComposioMCPServer } from "../../utils/third-party-mcp-servers/composio-client.js";
+import { isThirdPartyMCPServerAuthenticated } from "../../utils/third-party-mcp-servers/third-party-check.js";
 import { getCredentialStoreLookupKeyFromRetrievalParams } from "../../utils/credential-store-utils.js";
 import { CredentialStuffer } from "../../credential-stuffer/CredentialStuffer.js";
 import "../../credential-stuffer/index.js";
@@ -16,8 +18,6 @@ import { updateAgentToolRelation } from "./subAgentRelations.js";
 import { isSerializationError } from "../../retry/retryable-errors.js";
 import { toISODateString } from "../../utils/date.js";
 import { McpClient } from "../../utils/mcp-client.js";
-import { configureComposioMCPServer } from "../../utils/third-party-mcp-servers/composio-client.js";
-import { isThirdPartyMCPServerAuthenticated } from "../../utils/third-party-mcp-servers/third-party-check.js";
 import { TRUSTED_WORK_APP_MCP_PATHS, isTrustedWorkAppMcpUrl } from "../../utils/work-app-mcp.js";
 import "../../utils/index.js";
 import { isGithubWorkAppTool } from "../runtime/github-work-app-installations.js";
@@ -122,7 +122,12 @@ const discoverToolsFromServer = async (tool, credentialReference, credentialStor
 			reconnectionOptions: tool.config.mcp.transport?.reconnectionOptions,
 			sessionId: tool.config.mcp.transport?.sessionId
 		};
-		configureComposioMCPServer(serverConfig, tool.tenantId, tool.projectId, tool.credentialScope === "user" ? "user" : "project", userId);
+		const composioConnectedAccountId = credentialReference?.retrievalParams?.connectedAccountId;
+		if (composioConnectedAccountId) configureComposioMCPServer(serverConfig, tool.tenantId, tool.projectId, tool.credentialScope === "user" ? "user" : "project", userId, composioConnectedAccountId);
+		else if (serverConfig.url?.toString().includes("composio.dev")) logger.warn({
+			toolName: tool.name,
+			toolId: tool.id
+		}, "Composio tool missing connectedAccountId — skipping auth injection to prevent credential leakage");
 		const urlString = String(serverConfig.url);
 		if (isGithubWorkAppTool(tool) && isTrustedWorkAppMcpUrl(urlString, TRUSTED_WORK_APP_MCP_PATHS.github, env.INKEEP_AGENTS_API_URL)) serverConfig.headers = {
 			...serverConfig.headers,
@@ -248,11 +253,18 @@ const dbResultToMcpTool = async (dbResult, dbClient, credentialStoreRegistry, re
 			lastErrorComputed = toolNeedsAuth ? `Authentication required - OAuth login needed. ${errorMessage}` : errorMessage;
 		}
 	}
-	if (dbResult.config.mcp.server.url.includes("composio.dev")) {
+	if (dbResult.config.mcp.server.url.includes("composio.dev")) if (!!!credentialReference?.retrievalParams?.connectedAccountId) {
+		status = "needs_auth";
+		lastErrorComputed = "Third-party authentication required. Connect your account to pin a specific credential.";
+	} else {
 		const credentialScope = dbResult.credentialScope || "project";
-		if (!await isThirdPartyMCPServerAuthenticated(dbResult.tenantId, dbResult.projectId, mcpServerUrl, credentialScope, userId)) {
+		const authResult = await isThirdPartyMCPServerAuthenticated(dbResult.tenantId, dbResult.projectId, mcpServerUrl, credentialScope, userId);
+		if (!authResult.authenticated && !authResult.error) {
 			status = "needs_auth";
 			lastErrorComputed = "Third-party authentication required. Try authenticating again.";
+		} else if (authResult.error) {
+			status = "unavailable";
+			lastErrorComputed = "Could not verify third-party authentication status. The service may be temporarily unavailable.";
 		}
 	}
 	const now = (/* @__PURE__ */ new Date()).toISOString();

package/dist/data-access/manage/triggers.d.ts

@@ -40,7 +40,7 @@ declare const listTriggersPaginated: (db: AgentsManageDatabaseClient) => (params
       algorithm: "sha256" | "sha512" | "sha384" | "sha1" | "md5";
       encoding: "hex" | "base64";
       signature: {
-        source: "query" | "body" | "header";
+        source: "body" | "query" | "header";
         key: string;
         prefix?: string | undefined;
         regex?: string | undefined;

package/dist/data-access/runtime/apiKeys.d.ts

@@ -8,28 +8,28 @@ declare const getApiKeyById: (db: AgentsRunDatabaseClient) => (params: {
   scopes: ProjectScopeConfig;
   id: string;
 }) => Promise<{
-  id: string;
   name: string | null;
+  id: string;
+  createdAt: string;
+  expiresAt: string | null;
+  updatedAt: string;
   tenantId: string;
   projectId: string;
   agentId: string;
-  createdAt: string;
-  updatedAt: string;
-  expiresAt: string | null;
   publicId: string;
   keyHash: string;
   keyPrefix: string;
   lastUsedAt: string | null;
 } | undefined>;
 declare const getApiKeyByPublicId: (db: AgentsRunDatabaseClient) => (publicId: string) => Promise<{
-  id: string;
   name: string | null;
+  id: string;
+  createdAt: string;
+  expiresAt: string | null;
+  updatedAt: string;
   tenantId: string;
   projectId: string;
   agentId: string;
-  createdAt: string;
-  updatedAt: string;
-  expiresAt: string | null;
   publicId: string;
   keyHash: string;
   keyPrefix: string;
@@ -39,14 +39,14 @@ declare const listApiKeys: (db: AgentsRunDatabaseClient) => (params: {
   scopes: ProjectScopeConfig;
   agentId?: string;
 }) => Promise<{
-  id: string;
   name: string | null;
+  id: string;
+  createdAt: string;
+  expiresAt: string | null;
+  updatedAt: string;
   tenantId: string;
   projectId: string;
   agentId: string;
-  createdAt: string;
-  updatedAt: string;
-  expiresAt: string | null;
   publicId: string;
   keyHash: string;
   keyPrefix: string;
@@ -66,14 +66,14 @@ declare const listApiKeysPaginated: (db: AgentsRunDatabaseClient) => (params: {
   };
 }>;
 declare const createApiKey: (db: AgentsRunDatabaseClient) => (params: ApiKeyInsert) => Promise<{
-  id: string;
   name: string | null;
+  id: string;
+  createdAt: string;
+  expiresAt: string | null;
+  updatedAt: string;
   tenantId: string;
   projectId: string;
   agentId: string;
-  createdAt: string;
-  updatedAt: string;
-  expiresAt: string | null;
   publicId: string;
   keyHash: string;
   keyPrefix: string;

package/dist/data-access/runtime/apps.d.ts

@@ -5,15 +5,15 @@ import { AppInsert, AppSelect, AppUpdate } from "../../types/entities.js";
 
 //#region src/data-access/runtime/apps.d.ts
 declare const getAppById: (db: AgentsRunDatabaseClient) => (id: string) => Promise<{
-  id: string;
-  name: string;
-  description: string | null;
-  tenantId: string | null;
-  projectId: string | null;
+  enabled: boolean;
   type: AppType;
+  name: string;
+  id: string;
   createdAt: string;
   updatedAt: string;
-  enabled: boolean;
+  tenantId: string | null;
+  projectId: string | null;
+  description: string | null;
   config: {
     type: "web_client";
     webClient: {
@@ -52,15 +52,15 @@ declare const listAppsPaginated: (db: AgentsRunDatabaseClient) => (params: {
   };
 }>;
 declare const createApp: (db: AgentsRunDatabaseClient) => (params: AppInsert) => Promise<{
-  id: string;
-  name: string;
-  description: string | null;
-  tenantId: string | null;
-  projectId: string | null;
+  enabled: boolean;
   type: AppType;
+  name: string;
+  id: string;
   createdAt: string;
   updatedAt: string;
-  enabled: boolean;
+  tenantId: string | null;
+  projectId: string | null;
+  description: string | null;
   config: {
     type: "web_client";
     webClient: {

package/dist/data-access/runtime/auth.d.ts

@@ -5,14 +5,14 @@ declare const getInitialOrganization: (db: AgentsRunDatabaseClient) => (userId:
   id: string;
 } | null>;
 declare const queryHasCredentialAccount: (db: AgentsRunDatabaseClient) => (userId: string) => Promise<boolean>;
-interface SSOProviderRegistration {
-  providerId: string;
+declare const querySsoProviderIssuers: (db: AgentsRunDatabaseClient) => () => Promise<{
   issuer: string;
-  domain: string;
-  organizationId?: string;
-  oidcConfig?: object;
-  samlConfig?: object;
-}
-declare const registerSSOProvider: (db: AgentsRunDatabaseClient) => (provider: SSOProviderRegistration) => Promise<void>;
+}[]>;
+declare const querySsoProviderIds: (db: AgentsRunDatabaseClient) => () => Promise<string[]>;
+declare const queryOrgAllowedAuthMethods: (db: AgentsRunDatabaseClient) => (orgId: string) => Promise<{
+  allowedAuthMethods: string | null;
+} | undefined>;
+declare const queryMemberExists: (db: AgentsRunDatabaseClient) => (userId: string, organizationId: string) => Promise<boolean>;
+declare const queryPendingInvitationExists: (db: AgentsRunDatabaseClient) => (email: string, organizationId: string) => Promise<boolean>;
 //#endregion
-export { SSOProviderRegistration, getInitialOrganization, queryHasCredentialAccount, registerSSOProvider };
+export { getInitialOrganization, queryHasCredentialAccount, queryMemberExists, queryOrgAllowedAuthMethods, queryPendingInvitationExists, querySsoProviderIds, querySsoProviderIssuers };

package/dist/data-access/runtime/auth.js

@@ -1,6 +1,4 @@
-import { account, member, ssoProvider } from "../../auth/auth-schema.js";
-import { generateId } from "../../utils/conversations.js";
-import "../../utils/index.js";
+import { account, invitation, member, organization, ssoProvider } from "../../auth/auth-schema.js";
 import { and, eq } from "drizzle-orm";
 
 //#region src/data-access/runtime/auth.ts
@@ -12,24 +10,24 @@ const queryHasCredentialAccount = (db) => async (userId) => {
 	const [row] = await db.select({ id: account.id }).from(account).where(and(eq(account.userId, userId), eq(account.providerId, "credential"))).limit(1);
 	return !!row;
 };
-const registerSSOProvider = (db) => async (provider) => {
-	try {
-		if ((await db.select().from(ssoProvider).where(eq(ssoProvider.providerId, provider.providerId)).limit(1)).length > 0) return;
-		if (!provider.domain) throw new Error(`SSO provider '${provider.providerId}' must have a domain`);
-		await db.insert(ssoProvider).values({
-			id: generateId(),
-			providerId: provider.providerId,
-			issuer: provider.issuer,
-			domain: provider.domain,
-			oidcConfig: provider.oidcConfig ? JSON.stringify(provider.oidcConfig) : null,
-			samlConfig: provider.samlConfig ? JSON.stringify(provider.samlConfig) : null,
-			userId: null,
-			organizationId: provider.organizationId || null
-		});
-	} catch (error) {
-		console.error(`❌ Failed to register SSO provider '${provider.providerId}':`, error);
-	}
+const querySsoProviderIssuers = (db) => async () => {
+	return db.select({ issuer: ssoProvider.issuer }).from(ssoProvider);
+};
+const querySsoProviderIds = (db) => async () => {
+	return (await db.select({ providerId: ssoProvider.providerId }).from(ssoProvider)).map((r) => r.providerId);
+};
+const queryOrgAllowedAuthMethods = (db) => async (orgId) => {
+	const [org] = await db.select({ allowedAuthMethods: organization.allowedAuthMethods }).from(organization).where(eq(organization.id, orgId)).limit(1);
+	return org;
+};
+const queryMemberExists = (db) => async (userId, organizationId) => {
+	const [row] = await db.select({ id: member.id }).from(member).where(and(eq(member.userId, userId), eq(member.organizationId, organizationId))).limit(1);
+	return !!row;
+};
+const queryPendingInvitationExists = (db) => async (email, organizationId) => {
+	const [row] = await db.select({ id: invitation.id }).from(invitation).where(and(eq(invitation.email, email), eq(invitation.organizationId, organizationId), eq(invitation.status, "pending"))).limit(1);
+	return !!row;
 };
 
 //#endregion
-export { getInitialOrganization, queryHasCredentialAccount, registerSSOProvider };
+export { getInitialOrganization, queryHasCredentialAccount, queryMemberExists, queryOrgAllowedAuthMethods, queryPendingInvitationExists, querySsoProviderIds, querySsoProviderIssuers };

package/dist/data-access/runtime/conversations.d.ts

@@ -16,20 +16,20 @@ declare const listConversations: (db: AgentsRunDatabaseClient) => (params: {
   total: number;
 }>;
 declare const createConversation: (db: AgentsRunDatabaseClient) => (params: ConversationInsert) => Promise<{
+  metadata: ConversationMetadata | null;
+  userId: string | null;
   id: string;
-  tenantId: string;
-  projectId: string;
-  agentId: string | null;
-  title: string | null;
   createdAt: string;
   updatedAt: string;
-  metadata: ConversationMetadata | null;
   ref: {
     type: "commit" | "tag" | "branch";
     name: string;
     hash: string;
   } | null;
-  userId: string | null;
+  tenantId: string;
+  projectId: string;
+  agentId: string | null;
+  title: string | null;
   activeSubAgentId: string;
   lastContextResolution: string | null;
 }>;
@@ -85,20 +85,20 @@ declare const getConversation: (db: AgentsRunDatabaseClient) => (params: {
   scopes: ProjectScopeConfig;
   conversationId: string;
 }) => Promise<{
+  metadata: ConversationMetadata | null;
+  userId: string | null;
   id: string;
-  tenantId: string;
-  projectId: string;
-  agentId: string | null;
-  title: string | null;
   createdAt: string;
   updatedAt: string;
-  metadata: ConversationMetadata | null;
   ref: {
     type: "commit" | "tag" | "branch";
     name: string;
     hash: string;
   } | null;
-  userId: string | null;
+  tenantId: string;
+  projectId: string;
+  agentId: string | null;
+  title: string | null;
   activeSubAgentId: string;
   lastContextResolution: string | null;
 } | undefined>;
@@ -121,20 +121,20 @@ declare const createOrGetConversation: (db: AgentsRunDatabaseClient) => (input:
   metadata?: ConversationMetadata | null | undefined;
   contextConfigId?: string | undefined;
 } | {
+  metadata: ConversationMetadata | null;
+  userId: string | null;
   id: string;
-  tenantId: string;
-  projectId: string;
-  agentId: string | null;
-  title: string | null;
   createdAt: string;
   updatedAt: string;
-  metadata: ConversationMetadata | null;
   ref: {
     type: "commit" | "tag" | "branch";
     name: string;
     hash: string;
   } | null;
-  userId: string | null;
+  tenantId: string;
+  projectId: string;
+  agentId: string | null;
+  title: string | null;
   activeSubAgentId: string;
   lastContextResolution: string | null;
 }>;
@@ -153,20 +153,20 @@ declare const getActiveAgentForConversation: (db: AgentsRunDatabaseClient) => (p
   scopes: ProjectScopeConfig;
   conversationId: string;
 }) => Promise<{
+  metadata: ConversationMetadata | null;
+  userId: string | null;
   id: string;
-  tenantId: string;
-  projectId: string;
-  agentId: string | null;
-  title: string | null;
   createdAt: string;
   updatedAt: string;
-  metadata: ConversationMetadata | null;
   ref: {
     type: "commit" | "tag" | "branch";
     name: string;
     hash: string;
   } | null;
-  userId: string | null;
+  tenantId: string;
+  projectId: string;
+  agentId: string | null;
+  title: string | null;
   activeSubAgentId: string;
   lastContextResolution: string | null;
 } | undefined>;

package/dist/data-access/runtime/messages.d.ts

@@ -10,14 +10,14 @@ declare const getMessageById: (db: AgentsRunDatabaseClient) => (params: {
   scopes: ProjectScopeConfig;
   messageId: string;
 }) => Promise<{
+  metadata: MessageMetadata | null;
+  role: string;
   id: string;
-  tenantId: string;
-  projectId: string;
   createdAt: string;
   updatedAt: string;
-  metadata: MessageMetadata | null;
+  tenantId: string;
+  projectId: string;
   content: MessageContent;
-  role: string;
   conversationId: string;
   fromSubAgentId: string | null;
   toSubAgentId: string | null;
@@ -144,14 +144,14 @@ declare const createMessage: (db: AgentsRunDatabaseClient) => (params: {
   scopes: ProjectScopeConfig;
   data: Omit<MessageInsert, "tenantId" | "projectId">;
 }) => Promise<{
+  metadata: MessageMetadata | null;
+  role: string;
   id: string;
-  tenantId: string;
-  projectId: string;
   createdAt: string;
   updatedAt: string;
-  metadata: MessageMetadata | null;
+  tenantId: string;
+  projectId: string;
   content: MessageContent;
-  role: string;
   conversationId: string;
   fromSubAgentId: string | null;
   toSubAgentId: string | null;
@@ -197,14 +197,14 @@ declare const deleteMessage: (db: AgentsRunDatabaseClient) => (params: {
   scopes: ProjectScopeConfig;
   messageId: string;
 }) => Promise<{
+  metadata: MessageMetadata | null;
+  role: string;
   id: string;
-  tenantId: string;
-  projectId: string;
   createdAt: string;
   updatedAt: string;
-  metadata: MessageMetadata | null;
+  tenantId: string;
+  projectId: string;
   content: MessageContent;
-  role: string;
   conversationId: string;
   fromSubAgentId: string | null;
   toSubAgentId: string | null;

package/dist/data-access/runtime/organizations.d.ts

@@ -1,4 +1,5 @@
 import { AgentsRunDatabaseClient } from "../../db/runtime/runtime-client.js";
+import { AllowedAuthMethod, MethodOption, OrgAuthInfo } from "../../auth/auth-types.js";
 import { UserOrganization } from "../../auth/auth-validation-schemas.js";
 
 //#region src/data-access/runtime/organizations.d.ts
@@ -39,6 +40,7 @@ declare const addUserToOrganization: (db: AgentsRunDatabaseClient) => (data: {
   userId: string;
   organizationId: string;
   role: string;
+  isServiceAccount?: boolean;
 }) => Promise<void>;
 declare const upsertOrganization: (db: AgentsRunDatabaseClient) => (data: {
   organizationId: string;
@@ -55,19 +57,41 @@ interface UserProviderInfo {
 }
 /**
  * Get authentication providers for a list of users.
- * Returns which providers each user has linked (e.g., 'credential', 'google', 'auth0').
+ * Returns which providers each user has linked (e.g., 'credential', 'google').
  */
 declare const getUserProvidersFromDb: (db: AgentsRunDatabaseClient) => (userIds: string[]) => Promise<UserProviderInfo[]>;
+declare const getAllowedAuthMethods: (db: AgentsRunDatabaseClient) => (organizationId: string) => Promise<AllowedAuthMethod[]>;
 /**
- * Create an invitation directly in db
- * Used when shouldAllowJoinFromWorkspace is enabled for a work_app_slack_workspaces
+ * Create an invitation directly in db.
+ * Accepts an optional explicit authMethod; defaults to email-password.
  */
 declare const createInvitationInDb: (db: AgentsRunDatabaseClient) => (data: {
   organizationId: string;
   email: string;
+  authMethod?: string;
 }) => Promise<{
   id: string;
   authMethod: string;
 }>;
+interface SSOProviderLookupResult {
+  providerId: string;
+  issuer: string;
+  domain: string;
+  organizationId: string | null;
+  providerType: 'oidc' | 'saml';
+}
+declare const getSSOProvidersByDomain: (db: AgentsRunDatabaseClient) => (domain: string) => Promise<SSOProviderLookupResult[]>;
+/**
+ * Filters org-allowed auth methods by email domain.
+ * SSO providers are only included if their domain matches the user's email domain.
+ * Non-SSO methods (email-password, google) pass through unfiltered.
+ */
+declare const getFilteredAuthMethodsForEmail: (db: AgentsRunDatabaseClient) => (organizationId: string, email: string) => Promise<MethodOption[]>;
+declare function allowedMethodsToMethodOptions(methods: AllowedAuthMethod[], ssoProviders: SSOProviderLookupResult[]): MethodOption[];
+/**
+ * Main auth-lookup query for the login flow.
+ * Returns org-grouped methods based on SSO domain match and/or user org membership.
+ */
+declare const getAuthLookupForEmail: (db: AgentsRunDatabaseClient) => (email: string) => Promise<OrgAuthInfo[]>;
 //#endregion
-export { UserProviderInfo, addUserToOrganization, createInvitationInDb, getPendingInvitationsByEmail, getUserOrganizationsFromDb, getUserProvidersFromDb, upsertOrganization };
+export { type MethodOption, type OrgAuthInfo, SSOProviderLookupResult, UserProviderInfo, addUserToOrganization, allowedMethodsToMethodOptions, createInvitationInDb, getAllowedAuthMethods, getAuthLookupForEmail, getFilteredAuthMethodsForEmail, getPendingInvitationsByEmail, getSSOProvidersByDomain, getUserOrganizationsFromDb, getUserProvidersFromDb, upsertOrganization };