@inkeep/agents-core 0.68.4 → 0.70.0

package/dist/auth/auth.d.ts

@@ -4,7 +4,7 @@ import * as jose0 from "jose";
 import * as zod0 from "zod";
 import * as better_auth0 from "better-auth";
 import * as _better_auth_oauth_provider0 from "@better-auth/oauth-provider";
-import * as better_auth_plugins0 from "better-auth/plugins";
+import * as better_auth_plugins20 from "better-auth/plugins";
 
 //#region src/auth/auth.d.ts
 
@@ -40,10 +40,10 @@ declare function _inferAuthType(): better_auth0.Auth<{
         handler: (inputContext: better_auth0.MiddlewareInputContext<better_auth0.MiddlewareOptions>) => Promise<void>;
       }[];
     };
-    options: better_auth_plugins0.BearerOptions | undefined;
+    options: better_auth_plugins20.BearerOptions | undefined;
   }, {
     id: "oauth-proxy";
-    options: NoInfer<better_auth_plugins0.OAuthProxyOptions>;
+    options: NoInfer<better_auth_plugins20.OAuthProxyOptions>;
     endpoints: {
       oAuthProxy: better_auth0.StrictEndpoint<"/oauth-proxy-callback", {
         method: "GET";
@@ -97,7 +97,7 @@ declare function _inferAuthType(): better_auth0.Auth<{
     };
   }, {
     id: "jwt";
-    options: NoInfer<better_auth_plugins0.JwtOptions>;
+    options: NoInfer<better_auth_plugins20.JwtOptions>;
     endpoints: {
       getJwks: better_auth0.StrictEndpoint<string, {
         method: "GET";
@@ -234,7 +234,7 @@ declare function _inferAuthType(): better_auth0.Auth<{
           $Infer: {
             body: {
               payload: jose0.JWTPayload;
-              overrideOptions?: better_auth_plugins0.JwtOptions | undefined;
+              overrideOptions?: better_auth_plugins20.JwtOptions | undefined;
             };
           };
         };
@@ -331,7 +331,7 @@ declare function _inferAuthType(): better_auth0.Auth<{
           SERVER_ONLY: true;
         };
       }, Omit<_better_auth_oauth_provider0.OIDCMetadata, "id_token_signing_alg_values_supported"> & {
-        id_token_signing_alg_values_supported: better_auth_plugins0.JWSAlgorithms[] | ["HS256"];
+        id_token_signing_alg_values_supported: better_auth_plugins20.JWSAlgorithms[] | ["HS256"];
       }>;
       oauth2Authorize: better_auth0.StrictEndpoint<"/oauth2/authorize", {
         method: "GET";
@@ -2324,7 +2324,7 @@ declare function _inferAuthType(): better_auth0.Auth<{
       window: number;
       max: number;
     })[];
-  }, better_auth_plugins0.DefaultOrganizationPlugin<{
+  }, better_auth_plugins20.DefaultOrganizationPlugin<{
     schema: {
       invitation: {
         additionalFields: {
@@ -2687,8 +2687,8 @@ declare function _inferAuthType(): better_auth0.Auth<{
       AUTHENTICATION_REQUIRED: better_auth0.RawError<"AUTHENTICATION_REQUIRED">;
     };
     options: Partial<{
-      expiresIn: better_auth_plugins0.TimeString;
-      interval: better_auth_plugins0.TimeString;
+      expiresIn: better_auth_plugins20.TimeString;
+      interval: better_auth_plugins20.TimeString;
       deviceCodeLength: number;
       userCodeLength: number;
       schema: {

package/dist/auth/authz/config.d.ts

@@ -13,23 +13,49 @@ declare function getSpiceDbConfig(): {
   tlsEnabled: boolean;
 };
 /**
- * Compose a tenant-scoped SpiceDB project object ID.
+ * Branded SpiceDB object ID types.
+ *
+ * SpiceDB object IDs are global — `credential_reference:cred_foo` refers to one
+ * object regardless of who wrote the tuple. To prevent cross-tenant collisions we
+ * namespace composite-PK resources under their scope (`{tenantId}/{projectId}/...`).
  *
- * SpiceDB object IDs are global, so we namespace projects under their tenant
- * to prevent cross-tenant collisions (e.g. two orgs with a project called "default").
+ * The brand is enforcement, not decoration: downstream helpers accept only the
+ * branded type, so a raw DB ID can never be passed to a SpiceDB call without
+ * going through the appropriate `toSpiceDb*Id` constructor. This catches at
+ * compile time the "forgot to tenant-prefix" bug class.
+ */
+type SpiceDbProjectId = string & {
+  readonly __brand: 'SpiceDbProjectId';
+};
+type SpiceDbCredentialReferenceId = string & {
+  readonly __brand: 'SpiceDbCredentialReferenceId';
+};
+/**
+ * Compose a tenant-scoped SpiceDB project object ID.
  *
- * Format: `{tenantId}/{projectId}`
+ * Format: `{tenantId}/{projectId}` — projects' backing-store PK is
+ * `(tenantId, projectId)`, so this mirrors that composite key verbatim.
  */
-declare function toSpiceDbProjectId(tenantId: string, projectId: string): string;
+declare function toSpiceDbProjectId(tenantId: string, projectId: string): SpiceDbProjectId;
 /**
  * Parse a tenant-scoped SpiceDB project object ID back into its parts.
  *
  * @returns `{ tenantId, projectId }` extracted from the composite ID.
  * @throws if the ID does not contain the separator.
  */
-declare function fromSpiceDbProjectId(spiceDbProjectId: string): {
+declare function fromSpiceDbProjectId(spiceDbProjectId: SpiceDbProjectId | string): {
   tenantId: string;
   projectId: string;
 };
+/**
+ * Compose a tenant+project-scoped SpiceDB credential_reference object ID.
+ *
+ * Format: `{tenantId}/{projectId}/{credentialReferenceId}` — credentials' backing-store
+ * PK is `(tenantId, projectId, id)`, so this mirrors that composite key verbatim.
+ * Without this scoping, two tenants that each define a credential with the same
+ * slug (e.g. `cred_helpscout`) would share the same SpiceDB object and any grant
+ * on one would appear to grant the other.
+ */
+declare function toSpiceDbCredentialReferenceId(tenantId: string, projectId: string, credentialReferenceId: string): SpiceDbCredentialReferenceId;
 //#endregion
-export { fromSpiceDbProjectId, getSpiceDbConfig, isLocalhostEndpoint, toSpiceDbProjectId };
+export { SpiceDbCredentialReferenceId, SpiceDbProjectId, fromSpiceDbProjectId, getSpiceDbConfig, isLocalhostEndpoint, toSpiceDbCredentialReferenceId, toSpiceDbProjectId };

package/dist/auth/authz/config.js

@@ -19,17 +19,15 @@ function getSpiceDbConfig() {
 		tlsEnabled: env.SPICEDB_TLS_ENABLED ?? !isLocalhostEndpoint(endpoint)
 	};
 }
-const SPICEDB_PROJECT_ID_SEPARATOR = "/";
+const SPICEDB_ID_SEPARATOR = "/";
 /**
 * Compose a tenant-scoped SpiceDB project object ID.
 *
-* SpiceDB object IDs are global, so we namespace projects under their tenant
-* to prevent cross-tenant collisions (e.g. two orgs with a project called "default").
-*
-* Format: `{tenantId}/{projectId}`
+* Format: `{tenantId}/{projectId}` — projects' backing-store PK is
+* `(tenantId, projectId)`, so this mirrors that composite key verbatim.
 */
 function toSpiceDbProjectId(tenantId, projectId) {
-	return `${tenantId}${SPICEDB_PROJECT_ID_SEPARATOR}${projectId}`;
+	return `${tenantId}${SPICEDB_ID_SEPARATOR}${projectId}`;
 }
 /**
 * Parse a tenant-scoped SpiceDB project object ID back into its parts.
@@ -38,13 +36,25 @@ function toSpiceDbProjectId(tenantId, projectId) {
 * @throws if the ID does not contain the separator.
 */
 function fromSpiceDbProjectId(spiceDbProjectId) {
-	const separatorIndex = spiceDbProjectId.indexOf(SPICEDB_PROJECT_ID_SEPARATOR);
+	const separatorIndex = spiceDbProjectId.indexOf(SPICEDB_ID_SEPARATOR);
 	if (separatorIndex === -1) throw new Error(`Invalid SpiceDB project ID format: ${spiceDbProjectId}`);
 	return {
 		tenantId: spiceDbProjectId.substring(0, separatorIndex),
 		projectId: spiceDbProjectId.substring(separatorIndex + 1)
 	};
 }
+/**
+* Compose a tenant+project-scoped SpiceDB credential_reference object ID.
+*
+* Format: `{tenantId}/{projectId}/{credentialReferenceId}` — credentials' backing-store
+* PK is `(tenantId, projectId, id)`, so this mirrors that composite key verbatim.
+* Without this scoping, two tenants that each define a credential with the same
+* slug (e.g. `cred_helpscout`) would share the same SpiceDB object and any grant
+* on one would appear to grant the other.
+*/
+function toSpiceDbCredentialReferenceId(tenantId, projectId, credentialReferenceId) {
+	return `${tenantId}${SPICEDB_ID_SEPARATOR}${projectId}${SPICEDB_ID_SEPARATOR}${credentialReferenceId}`;
+}
 
 //#endregion
-export { fromSpiceDbProjectId, getSpiceDbConfig, isLocalhostEndpoint, toSpiceDbProjectId };
+export { fromSpiceDbProjectId, getSpiceDbConfig, isLocalhostEndpoint, toSpiceDbCredentialReferenceId, toSpiceDbProjectId };

package/dist/auth/authz/credential-gateway.d.ts

@@ -0,0 +1,57 @@
+//#region src/auth/authz/credential-gateway.d.ts
+/**
+ * Grant an app permission to read a credential.
+ *
+ * Requires the full credential scope (tenantId + projectId + credentialReferenceId)
+ * because credential_reference IDs are only unique within a project; the SpiceDB
+ * object ID is constructed via {@link toSpiceDbCredentialReferenceId}.
+ */
+declare function grantAppCredentialAccess(params: {
+  tenantId: string;
+  projectId: string;
+  credentialReferenceId: string;
+  appId: string;
+}): Promise<void>;
+/**
+ * Revoke an app's permission to read a credential.
+ */
+declare function revokeAppCredentialAccess(params: {
+  tenantId: string;
+  projectId: string;
+  credentialReferenceId: string;
+  appId: string;
+}): Promise<void>;
+/**
+ * Check whether an app has permission to read a credential.
+ */
+declare function canAppReadCredential(params: {
+  tenantId: string;
+  projectId: string;
+  credentialReferenceId: string;
+  appId: string;
+}): Promise<boolean>;
+/**
+ * Atomically reconcile the credential an app is granted read access to.
+ *
+ * One call covers all transitions:
+ *   - prior=∅, next=∅              → no-op
+ *   - prior=∅, next=Y              → TOUCH new
+ *   - prior=X, next=∅              → DELETE old  (fixes the "user cleared the credential" case)
+ *   - prior=X, next=X              → idempotent TOUCH (collapsed, safe no-op in practice)
+ *   - prior=X, next=Y (X≠Y)        → DELETE old + TOUCH new in a single writeRelationships batch
+ *
+ * All mutations are issued via `WriteRelationships.updates[]`, so any transition
+ * involving both a delete and a write is observed atomically by readers (one
+ * zedtoken, no window where neither the old nor the new tuple is valid).
+ *
+ * Mirrors the pattern used by `changeOrgRole` / `changeProjectRole` in sync.ts.
+ */
+declare function rewriteAppCredentialAccess(params: {
+  tenantId: string;
+  projectId: string;
+  priorCredentialReferenceId?: string;
+  nextCredentialReferenceId?: string;
+  appId: string;
+}): Promise<void>;
+//#endregion
+export { canAppReadCredential, grantAppCredentialAccess, revokeAppCredentialAccess, rewriteAppCredentialAccess };

package/dist/auth/authz/credential-gateway.js

@@ -0,0 +1,118 @@
+import { SpiceDbRelations, SpiceDbResourceTypes } from "./types.js";
+import { toSpiceDbCredentialReferenceId } from "./config.js";
+import { RelationshipOperation, checkPermission, deleteRelationship, getSpiceClient, writeRelationship } from "./client.js";
+
+//#region src/auth/authz/credential-gateway.ts
+/**
+* Grant an app permission to read a credential.
+*
+* Requires the full credential scope (tenantId + projectId + credentialReferenceId)
+* because credential_reference IDs are only unique within a project; the SpiceDB
+* object ID is constructed via {@link toSpiceDbCredentialReferenceId}.
+*/
+async function grantAppCredentialAccess(params) {
+	await writeRelationship({
+		resourceType: SpiceDbResourceTypes.CREDENTIAL_REFERENCE,
+		resourceId: toSpiceDbCredentialReferenceId(params.tenantId, params.projectId, params.credentialReferenceId),
+		relation: SpiceDbRelations.APP_READER,
+		subjectType: SpiceDbResourceTypes.APP,
+		subjectId: params.appId
+	});
+}
+/**
+* Revoke an app's permission to read a credential.
+*/
+async function revokeAppCredentialAccess(params) {
+	await deleteRelationship({
+		resourceType: SpiceDbResourceTypes.CREDENTIAL_REFERENCE,
+		resourceId: toSpiceDbCredentialReferenceId(params.tenantId, params.projectId, params.credentialReferenceId),
+		relation: SpiceDbRelations.APP_READER,
+		subjectType: SpiceDbResourceTypes.APP,
+		subjectId: params.appId
+	});
+}
+/**
+* Check whether an app has permission to read a credential.
+*/
+async function canAppReadCredential(params) {
+	return checkPermission({
+		resourceType: SpiceDbResourceTypes.CREDENTIAL_REFERENCE,
+		resourceId: toSpiceDbCredentialReferenceId(params.tenantId, params.projectId, params.credentialReferenceId),
+		permission: "read",
+		subjectType: SpiceDbResourceTypes.APP,
+		subjectId: params.appId
+	});
+}
+/**
+* Atomically reconcile the credential an app is granted read access to.
+*
+* One call covers all transitions:
+*   - prior=∅, next=∅              → no-op
+*   - prior=∅, next=Y              → TOUCH new
+*   - prior=X, next=∅              → DELETE old  (fixes the "user cleared the credential" case)
+*   - prior=X, next=X              → idempotent TOUCH (collapsed, safe no-op in practice)
+*   - prior=X, next=Y (X≠Y)        → DELETE old + TOUCH new in a single writeRelationships batch
+*
+* All mutations are issued via `WriteRelationships.updates[]`, so any transition
+* involving both a delete and a write is observed atomically by readers (one
+* zedtoken, no window where neither the old nor the new tuple is valid).
+*
+* Mirrors the pattern used by `changeOrgRole` / `changeProjectRole` in sync.ts.
+*/
+async function rewriteAppCredentialAccess(params) {
+	const { priorCredentialReferenceId, nextCredentialReferenceId, tenantId, projectId, appId } = params;
+	if (!priorCredentialReferenceId && !nextCredentialReferenceId) return;
+	const spice = getSpiceClient();
+	const updates = [];
+	if (priorCredentialReferenceId && priorCredentialReferenceId !== nextCredentialReferenceId) {
+		const priorId = toSpiceDbCredentialReferenceId(tenantId, projectId, priorCredentialReferenceId);
+		updates.push({
+			operation: RelationshipOperation.DELETE,
+			relationship: {
+				resource: {
+					objectType: SpiceDbResourceTypes.CREDENTIAL_REFERENCE,
+					objectId: priorId
+				},
+				relation: SpiceDbRelations.APP_READER,
+				subject: {
+					object: {
+						objectType: SpiceDbResourceTypes.APP,
+						objectId: appId
+					},
+					optionalRelation: ""
+				},
+				optionalCaveat: void 0
+			}
+		});
+	}
+	if (nextCredentialReferenceId) {
+		const nextId = toSpiceDbCredentialReferenceId(tenantId, projectId, nextCredentialReferenceId);
+		updates.push({
+			operation: RelationshipOperation.TOUCH,
+			relationship: {
+				resource: {
+					objectType: SpiceDbResourceTypes.CREDENTIAL_REFERENCE,
+					objectId: nextId
+				},
+				relation: SpiceDbRelations.APP_READER,
+				subject: {
+					object: {
+						objectType: SpiceDbResourceTypes.APP,
+						objectId: appId
+					},
+					optionalRelation: ""
+				},
+				optionalCaveat: void 0
+			}
+		});
+	}
+	if (updates.length === 0) return;
+	await spice.promises.writeRelationships({
+		updates,
+		optionalPreconditions: [],
+		optionalTransactionMetadata: void 0
+	});
+}
+
+//#endregion
+export { canAppReadCredential, grantAppCredentialAccess, revokeAppCredentialAccess, rewriteAppCredentialAccess };

package/dist/auth/authz/index.d.ts

@@ -1,6 +1,7 @@
 import { checkBulkPermissions, checkPermission, deleteRelationship, getSpiceClient, lookupResources, readRelationships, resetSpiceClient, writeRelationship } from "./client.js";
-import { fromSpiceDbProjectId, getSpiceDbConfig, toSpiceDbProjectId } from "./config.js";
-import { OrgRole, OrgRoles, ProjectPermissionLevel, ProjectPermissions, ProjectRole, ProjectRoles, SpiceDbOrgPermission, SpiceDbOrgPermissions, SpiceDbProjectPermission, SpiceDbProjectPermissions, SpiceDbRelations, SpiceDbResourceTypes } from "./types.js";
+import { SpiceDbCredentialReferenceId, SpiceDbProjectId, fromSpiceDbProjectId, getSpiceDbConfig, toSpiceDbCredentialReferenceId, toSpiceDbProjectId } from "./config.js";
+import { canAppReadCredential, grantAppCredentialAccess, revokeAppCredentialAccess, rewriteAppCredentialAccess } from "./credential-gateway.js";
+import { OrgRole, OrgRoles, ProjectPermissionLevel, ProjectPermissions, ProjectRole, ProjectRoles, SpiceDbCredentialReferencePermission, SpiceDbCredentialReferencePermissions, SpiceDbOrgPermission, SpiceDbOrgPermissions, SpiceDbProjectPermission, SpiceDbProjectPermissions, SpiceDbRelations, SpiceDbResourceTypes } from "./types.js";
 import { canEditProject, canUseProject, canUseProjectStrict, canViewProject, listAccessibleProjectIds, listUsableProjectIds } from "./permissions.js";
 import { changeOrgRole, changeProjectRole, grantProjectAccess, listProjectMembers, listUserProjectMembershipsInSpiceDb, removeProjectFromSpiceDb, revokeAllProjectMemberships, revokeProjectAccess, syncOrgMemberToSpiceDb, syncProjectToSpiceDb } from "./sync.js";
-export { type OrgRole, OrgRoles, type ProjectPermissionLevel, type ProjectPermissions, type ProjectRole, ProjectRoles, type SpiceDbOrgPermission, SpiceDbOrgPermissions, type SpiceDbProjectPermission, SpiceDbProjectPermissions, SpiceDbRelations, SpiceDbResourceTypes, canEditProject, canUseProject, canUseProjectStrict, canViewProject, changeOrgRole, changeProjectRole, checkBulkPermissions, checkPermission, deleteRelationship, fromSpiceDbProjectId, getSpiceClient, getSpiceDbConfig, grantProjectAccess, listAccessibleProjectIds, listProjectMembers, listUsableProjectIds, listUserProjectMembershipsInSpiceDb, lookupResources, readRelationships, removeProjectFromSpiceDb, resetSpiceClient, revokeAllProjectMemberships, revokeProjectAccess, syncOrgMemberToSpiceDb, syncProjectToSpiceDb, toSpiceDbProjectId, writeRelationship };
+export { type OrgRole, OrgRoles, type ProjectPermissionLevel, type ProjectPermissions, type ProjectRole, ProjectRoles, type SpiceDbCredentialReferenceId, type SpiceDbCredentialReferencePermission, SpiceDbCredentialReferencePermissions, type SpiceDbOrgPermission, SpiceDbOrgPermissions, type SpiceDbProjectId, type SpiceDbProjectPermission, SpiceDbProjectPermissions, SpiceDbRelations, SpiceDbResourceTypes, canAppReadCredential, canEditProject, canUseProject, canUseProjectStrict, canViewProject, changeOrgRole, changeProjectRole, checkBulkPermissions, checkPermission, deleteRelationship, fromSpiceDbProjectId, getSpiceClient, getSpiceDbConfig, grantAppCredentialAccess, grantProjectAccess, listAccessibleProjectIds, listProjectMembers, listUsableProjectIds, listUserProjectMembershipsInSpiceDb, lookupResources, readRelationships, removeProjectFromSpiceDb, resetSpiceClient, revokeAllProjectMemberships, revokeAppCredentialAccess, revokeProjectAccess, rewriteAppCredentialAccess, syncOrgMemberToSpiceDb, syncProjectToSpiceDb, toSpiceDbCredentialReferenceId, toSpiceDbProjectId, writeRelationship };

package/dist/auth/authz/index.js

@@ -1,7 +1,8 @@
-import { OrgRoles, ProjectRoles, SpiceDbOrgPermissions, SpiceDbProjectPermissions, SpiceDbRelations, SpiceDbResourceTypes } from "./types.js";
-import { fromSpiceDbProjectId, getSpiceDbConfig, toSpiceDbProjectId } from "./config.js";
+import { OrgRoles, ProjectRoles, SpiceDbCredentialReferencePermissions, SpiceDbOrgPermissions, SpiceDbProjectPermissions, SpiceDbRelations, SpiceDbResourceTypes } from "./types.js";
+import { fromSpiceDbProjectId, getSpiceDbConfig, toSpiceDbCredentialReferenceId, toSpiceDbProjectId } from "./config.js";
 import { checkBulkPermissions, checkPermission, deleteRelationship, getSpiceClient, lookupResources, readRelationships, resetSpiceClient, writeRelationship } from "./client.js";
+import { canAppReadCredential, grantAppCredentialAccess, revokeAppCredentialAccess, rewriteAppCredentialAccess } from "./credential-gateway.js";
 import { canEditProject, canUseProject, canUseProjectStrict, canViewProject, listAccessibleProjectIds, listUsableProjectIds } from "./permissions.js";
 import { changeOrgRole, changeProjectRole, grantProjectAccess, listProjectMembers, listUserProjectMembershipsInSpiceDb, removeProjectFromSpiceDb, revokeAllProjectMemberships, revokeProjectAccess, syncOrgMemberToSpiceDb, syncProjectToSpiceDb } from "./sync.js";
 
-export { OrgRoles, ProjectRoles, SpiceDbOrgPermissions, SpiceDbProjectPermissions, SpiceDbRelations, SpiceDbResourceTypes, canEditProject, canUseProject, canUseProjectStrict, canViewProject, changeOrgRole, changeProjectRole, checkBulkPermissions, checkPermission, deleteRelationship, fromSpiceDbProjectId, getSpiceClient, getSpiceDbConfig, grantProjectAccess, listAccessibleProjectIds, listProjectMembers, listUsableProjectIds, listUserProjectMembershipsInSpiceDb, lookupResources, readRelationships, removeProjectFromSpiceDb, resetSpiceClient, revokeAllProjectMemberships, revokeProjectAccess, syncOrgMemberToSpiceDb, syncProjectToSpiceDb, toSpiceDbProjectId, writeRelationship };
+export { OrgRoles, ProjectRoles, SpiceDbCredentialReferencePermissions, SpiceDbOrgPermissions, SpiceDbProjectPermissions, SpiceDbRelations, SpiceDbResourceTypes, canAppReadCredential, canEditProject, canUseProject, canUseProjectStrict, canViewProject, changeOrgRole, changeProjectRole, checkBulkPermissions, checkPermission, deleteRelationship, fromSpiceDbProjectId, getSpiceClient, getSpiceDbConfig, grantAppCredentialAccess, grantProjectAccess, listAccessibleProjectIds, listProjectMembers, listUsableProjectIds, listUserProjectMembershipsInSpiceDb, lookupResources, readRelationships, removeProjectFromSpiceDb, resetSpiceClient, revokeAllProjectMemberships, revokeAppCredentialAccess, revokeProjectAccess, rewriteAppCredentialAccess, syncOrgMemberToSpiceDb, syncProjectToSpiceDb, toSpiceDbCredentialReferenceId, toSpiceDbProjectId, writeRelationship };

package/dist/auth/authz/types.d.ts

@@ -10,6 +10,8 @@ declare const SpiceDbResourceTypes: {
   readonly USER: "user";
   readonly ORGANIZATION: "organization";
   readonly PROJECT: "project";
+  readonly APP: "app";
+  readonly CREDENTIAL_REFERENCE: "credential_reference";
 };
 /**
  * SpiceDB relations used in the schema
@@ -25,6 +27,7 @@ declare const SpiceDbRelations: {
   readonly PROJECT_ADMIN: "project_admin";
   readonly PROJECT_MEMBER: "project_member";
   readonly PROJECT_VIEWER: "project_viewer";
+  readonly APP_READER: "app_reader";
 };
 /**
  * SpiceDB permissions for organization resources.
@@ -52,6 +55,10 @@ declare const SpiceDbProjectPermissions: {
   readonly EDIT: "edit";
 };
 type SpiceDbProjectPermission = (typeof SpiceDbProjectPermissions)[keyof typeof SpiceDbProjectPermissions];
+declare const SpiceDbCredentialReferencePermissions: {
+  readonly READ: "read";
+};
+type SpiceDbCredentialReferencePermission = (typeof SpiceDbCredentialReferencePermissions)[keyof typeof SpiceDbCredentialReferencePermissions];
 /**
  * Permission levels for project access checks.
  */
@@ -89,4 +96,4 @@ interface ProjectPermissions {
   canEdit: boolean;
 }
 //#endregion
-export { OrgRole, OrgRoles, ProjectPermissionLevel, ProjectPermissions, ProjectRole, ProjectRoles, SpiceDbOrgPermission, SpiceDbOrgPermissions, SpiceDbProjectPermission, SpiceDbProjectPermissions, SpiceDbRelations, SpiceDbResourceTypes };
+export { OrgRole, OrgRoles, ProjectPermissionLevel, ProjectPermissions, ProjectRole, ProjectRoles, SpiceDbCredentialReferencePermission, SpiceDbCredentialReferencePermissions, SpiceDbOrgPermission, SpiceDbOrgPermissions, SpiceDbProjectPermission, SpiceDbProjectPermissions, SpiceDbRelations, SpiceDbResourceTypes };

package/dist/auth/authz/types.js

@@ -9,7 +9,9 @@
 const SpiceDbResourceTypes = {
 	USER: "user",
 	ORGANIZATION: "organization",
-	PROJECT: "project"
+	PROJECT: "project",
+	APP: "app",
+	CREDENTIAL_REFERENCE: "credential_reference"
 };
 /**
 * SpiceDB relations used in the schema
@@ -24,7 +26,8 @@ const SpiceDbRelations = {
 	ORGANIZATION: "organization",
 	PROJECT_ADMIN: "project_admin",
 	PROJECT_MEMBER: "project_member",
-	PROJECT_VIEWER: "project_viewer"
+	PROJECT_VIEWER: "project_viewer",
+	APP_READER: "app_reader"
 };
 /**
 * SpiceDB permissions for organization resources.
@@ -50,6 +53,7 @@ const SpiceDbProjectPermissions = {
 	USE: "use",
 	EDIT: "edit"
 };
+const SpiceDbCredentialReferencePermissions = { READ: "read" };
 /**
 * Organization roles from SpiceDB schema.
 */
@@ -73,4 +77,4 @@ const ProjectRoles = {
 };
 
 //#endregion
-export { OrgRoles, ProjectRoles, SpiceDbOrgPermissions, SpiceDbProjectPermissions, SpiceDbRelations, SpiceDbResourceTypes };
+export { OrgRoles, ProjectRoles, SpiceDbCredentialReferencePermissions, SpiceDbOrgPermissions, SpiceDbProjectPermissions, SpiceDbRelations, SpiceDbResourceTypes };

package/dist/auth/entitlement-lock.js

@@ -1,11 +1,9 @@
-import { orgEntitlement } from "../db/runtime/runtime-schema.js";
-import { and, eq } from "drizzle-orm";
+import { dalSelectEntitlementForUpdate } from "../data-access/runtime/entitlements.js";
 
 //#region src/auth/entitlement-lock.ts
 async function withEntitlementLock(db, orgId, resourceType, fn) {
 	return db.transaction(async (tx) => {
-		const rows = await tx.select({ maxValue: orgEntitlement.maxValue }).from(orgEntitlement).where(and(eq(orgEntitlement.organizationId, orgId), eq(orgEntitlement.resourceType, resourceType))).for("update");
-		return fn(rows.length === 0 ? null : rows[0].maxValue, tx);
+		return fn(await dalSelectEntitlementForUpdate(tx, orgId, resourceType), tx);
 	});
 }
 

package/dist/auth/entitlements.js

@@ -1,7 +1,7 @@
 import { DEFAULT_MEMBERSHIP_LIMIT, SEAT_RESOURCE_TYPES } from "./entitlement-constants.js";
 import { getLogger } from "../utils/logger.js";
-import { withEntitlementLock } from "./entitlement-lock.js";
 import { dalCountMembersByRoleBucket, dalGetServiceAccountUserId, dalResolveEntitlement, dalSumSeatEntitlements } from "../data-access/runtime/entitlements.js";
+import { withEntitlementLock } from "./entitlement-lock.js";
 import { APIError } from "better-auth/api";
 
 //#region src/auth/entitlements.ts

package/dist/auth/permissions.d.ts

@@ -1,29 +1,29 @@
-import * as better_auth_plugins7 from "better-auth/plugins";
+import * as better_auth_plugins0 from "better-auth/plugins";
 import { AccessControl } from "better-auth/plugins/access";
 import { organizationClient } from "better-auth/client/plugins";
 
 //#region src/auth/permissions.d.ts
 declare const ac: AccessControl;
 declare const memberRole: {
-  authorize<K_1 extends "project" | "invitation" | "member" | "organization" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins7.Subset<"project" | "invitation" | "member" | "organization" | "team" | "ac", better_auth_plugins7.Statements>[key] | {
-    actions: better_auth_plugins7.Subset<"project" | "invitation" | "member" | "organization" | "team" | "ac", better_auth_plugins7.Statements>[key];
+  authorize<K_1 extends "organization" | "project" | "invitation" | "member" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "project" | "invitation" | "member" | "team" | "ac", better_auth_plugins0.Statements>[key] | {
+    actions: better_auth_plugins0.Subset<"organization" | "project" | "invitation" | "member" | "team" | "ac", better_auth_plugins0.Statements>[key];
     connector: "OR" | "AND";
-  } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins7.AuthorizeResponse;
-  statements: better_auth_plugins7.Subset<"project" | "invitation" | "member" | "organization" | "team" | "ac", better_auth_plugins7.Statements>;
+  } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
+  statements: better_auth_plugins0.Subset<"organization" | "project" | "invitation" | "member" | "team" | "ac", better_auth_plugins0.Statements>;
 };
 declare const adminRole: {
-  authorize<K_1 extends "project" | "invitation" | "member" | "organization" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins7.Subset<"project" | "invitation" | "member" | "organization" | "team" | "ac", better_auth_plugins7.Statements>[key] | {
-    actions: better_auth_plugins7.Subset<"project" | "invitation" | "member" | "organization" | "team" | "ac", better_auth_plugins7.Statements>[key];
+  authorize<K_1 extends "organization" | "project" | "invitation" | "member" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "project" | "invitation" | "member" | "team" | "ac", better_auth_plugins0.Statements>[key] | {
+    actions: better_auth_plugins0.Subset<"organization" | "project" | "invitation" | "member" | "team" | "ac", better_auth_plugins0.Statements>[key];
     connector: "OR" | "AND";
-  } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins7.AuthorizeResponse;
-  statements: better_auth_plugins7.Subset<"project" | "invitation" | "member" | "organization" | "team" | "ac", better_auth_plugins7.Statements>;
+  } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
+  statements: better_auth_plugins0.Subset<"organization" | "project" | "invitation" | "member" | "team" | "ac", better_auth_plugins0.Statements>;
 };
 declare const ownerRole: {
-  authorize<K_1 extends "project" | "invitation" | "member" | "organization" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins7.Subset<"project" | "invitation" | "member" | "organization" | "team" | "ac", better_auth_plugins7.Statements>[key] | {
-    actions: better_auth_plugins7.Subset<"project" | "invitation" | "member" | "organization" | "team" | "ac", better_auth_plugins7.Statements>[key];
+  authorize<K_1 extends "organization" | "project" | "invitation" | "member" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "project" | "invitation" | "member" | "team" | "ac", better_auth_plugins0.Statements>[key] | {
+    actions: better_auth_plugins0.Subset<"organization" | "project" | "invitation" | "member" | "team" | "ac", better_auth_plugins0.Statements>[key];
     connector: "OR" | "AND";
-  } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins7.AuthorizeResponse;
-  statements: better_auth_plugins7.Subset<"project" | "invitation" | "member" | "organization" | "team" | "ac", better_auth_plugins7.Statements>;
+  } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
+  statements: better_auth_plugins0.Subset<"organization" | "project" | "invitation" | "member" | "team" | "ac", better_auth_plugins0.Statements>;
 };
 //#endregion
 export { ac, adminRole, memberRole, organizationClient, ownerRole };