@inkeep/agents-manage-api 0.0.0-dev-20260118155108 → 0.0.0-dev-20260119163620

package/dist/data/db/dbClient.d.ts

@@ -1,6 +1,6 @@
-import * as _inkeep_agents_core0 from "@inkeep/agents-core";
+import * as _inkeep_agents_core1 from "@inkeep/agents-core";
 
 //#region src/data/db/dbClient.d.ts
-declare const manageDbClient: _inkeep_agents_core0.AgentsManageDatabaseClient;
+declare const manageDbClient: _inkeep_agents_core1.AgentsManageDatabaseClient;
 //#endregion
 export { manageDbClient as default };

package/dist/data/db/runDbClient.d.ts

@@ -1,6 +1,6 @@
-import * as _inkeep_agents_core1 from "@inkeep/agents-core";
+import * as _inkeep_agents_core0 from "@inkeep/agents-core";
 
 //#region src/data/db/runDbClient.d.ts
-declare const runDbClient: _inkeep_agents_core1.AgentsRunDatabaseClient;
+declare const runDbClient: _inkeep_agents_core0.AgentsRunDatabaseClient;
 //#endregion
 export { runDbClient as default };

package/dist/factory.d.ts

@@ -1,7 +1,7 @@
 import { createManagementHono } from "./create-app.js";
 import { initializeDefaultUser } from "./initialization.js";
 import { createAuth0Provider, createOIDCProvider } from "./sso-helpers.js";
-import * as hono0 from "hono";
+import * as hono2 from "hono";
 import { CredentialStore, ServerConfig } from "@inkeep/agents-core";
 import { SSOProviderConfig, UserAuthConfig } from "@inkeep/agents-core/auth";
 import * as hono_types1 from "hono/types";
@@ -12,6 +12,6 @@ declare function createManagementApp(config?: {
   credentialStores?: CredentialStore[];
   auth?: UserAuthConfig;
   skipInitialization?: boolean;
-}): hono0.Hono<hono_types1.BlankEnv, hono_types1.BlankSchema, "/">;
+}): hono2.Hono<hono_types1.BlankEnv, hono_types1.BlankSchema, "/">;
 //#endregion
 export { type SSOProviderConfig, type UserAuthConfig, createAuth0Provider, createManagementApp, createManagementHono, createOIDCProvider, initializeDefaultUser };

package/dist/index.d.ts

@@ -785,25 +785,25 @@ declare const auth: better_auth0.Auth<{
       ac: better_auth_plugins0.AccessControl;
       roles: {
         member: {
-          authorize<K_1 extends "function" | "agent" | "organization" | "member" | "invitation" | "ac" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"function" | "agent" | "organization" | "member" | "invitation" | "ac" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"function" | "agent" | "organization" | "member" | "invitation" | "ac" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "project" | "organization" | "team" | "member" | "ac" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"project" | "organization" | "team" | "member" | "ac" | "invitation", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"project" | "organization" | "team" | "member" | "ac" | "invitation", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"function" | "agent" | "organization" | "member" | "invitation" | "ac" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"project" | "organization" | "team" | "member" | "ac" | "invitation", better_auth_plugins0.Statements>;
         };
         admin: {
-          authorize<K_1 extends "function" | "agent" | "organization" | "member" | "invitation" | "ac" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"function" | "agent" | "organization" | "member" | "invitation" | "ac" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"function" | "agent" | "organization" | "member" | "invitation" | "ac" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "project" | "organization" | "team" | "member" | "ac" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"project" | "organization" | "team" | "member" | "ac" | "invitation", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"project" | "organization" | "team" | "member" | "ac" | "invitation", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"function" | "agent" | "organization" | "member" | "invitation" | "ac" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"project" | "organization" | "team" | "member" | "ac" | "invitation", better_auth_plugins0.Statements>;
         };
         owner: {
-          authorize<K_1 extends "function" | "agent" | "organization" | "member" | "invitation" | "ac" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"function" | "agent" | "organization" | "member" | "invitation" | "ac" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"function" | "agent" | "organization" | "member" | "invitation" | "ac" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "project" | "organization" | "team" | "member" | "ac" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"project" | "organization" | "team" | "member" | "ac" | "invitation", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"project" | "organization" | "team" | "member" | "ac" | "invitation", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"function" | "agent" | "organization" | "member" | "invitation" | "ac" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"project" | "organization" | "team" | "member" | "ac" | "invitation", better_auth_plugins0.Statements>;
         };
       };
       membershipLimit: number;
@@ -819,6 +819,36 @@ declare const auth: better_auth0.Auth<{
           user: better_auth0.User;
         };
       }): Promise<void>;
+      organizationHooks: {
+        afterAcceptInvitation: ({
+          member,
+          user,
+          organization: org
+        }: {
+          invitation: better_auth_plugins0.Invitation & Record<string, any>;
+          member: better_auth_plugins0.Member & Record<string, any>;
+          user: better_auth0.User & Record<string, any>;
+          organization: better_auth_plugins0.Organization & Record<string, any>;
+        }) => Promise<void>;
+        afterUpdateMemberRole: ({
+          member,
+          organization: org,
+          previousRole
+        }: {
+          member: better_auth_plugins0.Member & Record<string, any>;
+          previousRole: string;
+          user: better_auth0.User & Record<string, any>;
+          organization: better_auth_plugins0.Organization & Record<string, any>;
+        }) => Promise<void>;
+        afterRemoveMember: ({
+          member,
+          organization: org
+        }: {
+          member: better_auth_plugins0.Member & Record<string, any>;
+          user: better_auth0.User & Record<string, any>;
+          organization: better_auth_plugins0.Organization & Record<string, any>;
+        }) => Promise<void>;
+      };
     }>;
     schema: {
       organization: {
@@ -947,7 +977,7 @@ declare const auth: better_auth0.Auth<{
         id: string;
         organizationId: string;
         email: string;
-        role: "member" | "admin" | "owner";
+        role: "member" | "owner" | "admin";
         status: better_auth_plugins0.InvitationStatus;
         inviterId: string;
         expiresAt: Date;
@@ -956,7 +986,7 @@ declare const auth: better_auth0.Auth<{
       Member: {
         id: string;
         organizationId: string;
-        role: "member" | "admin" | "owner";
+        role: "member" | "owner" | "admin";
         createdAt: Date;
         userId: string;
         user: {
@@ -972,7 +1002,7 @@ declare const auth: better_auth0.Auth<{
         members: {
           id: string;
           organizationId: string;
-          role: "member" | "admin" | "owner";
+          role: "member" | "owner" | "admin";
           createdAt: Date;
           userId: string;
           user: {
@@ -986,7 +1016,7 @@ declare const auth: better_auth0.Auth<{
           id: string;
           organizationId: string;
           email: string;
-          role: "member" | "admin" | "owner";
+          role: "member" | "owner" | "admin";
           status: better_auth_plugins0.InvitationStatus;
           inviterId: string;
           expiresAt: Date;
@@ -1064,25 +1094,25 @@ declare const auth: better_auth0.Auth<{
       ac: better_auth_plugins0.AccessControl;
       roles: {
         member: {
-          authorize<K_1 extends "function" | "agent" | "organization" | "member" | "invitation" | "ac" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"function" | "agent" | "organization" | "member" | "invitation" | "ac" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"function" | "agent" | "organization" | "member" | "invitation" | "ac" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "project" | "organization" | "team" | "member" | "ac" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"project" | "organization" | "team" | "member" | "ac" | "invitation", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"project" | "organization" | "team" | "member" | "ac" | "invitation", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"function" | "agent" | "organization" | "member" | "invitation" | "ac" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"project" | "organization" | "team" | "member" | "ac" | "invitation", better_auth_plugins0.Statements>;
         };
         admin: {
-          authorize<K_1 extends "function" | "agent" | "organization" | "member" | "invitation" | "ac" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"function" | "agent" | "organization" | "member" | "invitation" | "ac" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"function" | "agent" | "organization" | "member" | "invitation" | "ac" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "project" | "organization" | "team" | "member" | "ac" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"project" | "organization" | "team" | "member" | "ac" | "invitation", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"project" | "organization" | "team" | "member" | "ac" | "invitation", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"function" | "agent" | "organization" | "member" | "invitation" | "ac" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"project" | "organization" | "team" | "member" | "ac" | "invitation", better_auth_plugins0.Statements>;
         };
         owner: {
-          authorize<K_1 extends "function" | "agent" | "organization" | "member" | "invitation" | "ac" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"function" | "agent" | "organization" | "member" | "invitation" | "ac" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"function" | "agent" | "organization" | "member" | "invitation" | "ac" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "project" | "organization" | "team" | "member" | "ac" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"project" | "organization" | "team" | "member" | "ac" | "invitation", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"project" | "organization" | "team" | "member" | "ac" | "invitation", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"function" | "agent" | "organization" | "member" | "invitation" | "ac" | "project" | "sub_agent" | "tool" | "api_key" | "credential" | "data_component" | "artifact_component" | "external_agent" | "context_config" | "team", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"project" | "organization" | "team" | "member" | "ac" | "invitation", better_auth_plugins0.Statements>;
         };
       };
       membershipLimit: number;
@@ -1098,6 +1128,36 @@ declare const auth: better_auth0.Auth<{
           user: better_auth0.User;
         };
       }): Promise<void>;
+      organizationHooks: {
+        afterAcceptInvitation: ({
+          member,
+          user,
+          organization: org
+        }: {
+          invitation: better_auth_plugins0.Invitation & Record<string, any>;
+          member: better_auth_plugins0.Member & Record<string, any>;
+          user: better_auth0.User & Record<string, any>;
+          organization: better_auth_plugins0.Organization & Record<string, any>;
+        }) => Promise<void>;
+        afterUpdateMemberRole: ({
+          member,
+          organization: org,
+          previousRole
+        }: {
+          member: better_auth_plugins0.Member & Record<string, any>;
+          previousRole: string;
+          user: better_auth0.User & Record<string, any>;
+          organization: better_auth_plugins0.Organization & Record<string, any>;
+        }) => Promise<void>;
+        afterRemoveMember: ({
+          member,
+          organization: org
+        }: {
+          member: better_auth_plugins0.Member & Record<string, any>;
+          user: better_auth0.User & Record<string, any>;
+          organization: better_auth_plugins0.Organization & Record<string, any>;
+        }) => Promise<void>;
+      };
     }>;
   }, {
     id: "device-authorization";

package/dist/middleware/auth.d.ts

@@ -1,4 +1,4 @@
-import * as hono2 from "hono";
+import * as hono1 from "hono";
 import { BaseExecutionContext } from "@inkeep/agents-core";
 import { createAuth } from "@inkeep/agents-core/auth";
 
@@ -12,7 +12,7 @@ import { createAuth } from "@inkeep/agents-core/auth";
  * 3. Database API key
  * 4. Internal service token
  */
-declare const apiKeyAuth: () => hono2.MiddlewareHandler<{
+declare const apiKeyAuth: () => hono1.MiddlewareHandler<{
   Variables: {
     executionContext: BaseExecutionContext;
     userId?: string;

package/dist/middleware/project-access.d.ts

@@ -0,0 +1,31 @@
+import { BaseAppVariables } from "../types/app.js";
+import * as hono0 from "hono";
+
+//#region src/middleware/project-access.d.ts
+
+/**
+ * Permission levels for project access
+ *
+ * - view: Can see project and resources (read-only)
+ * - use: Can invoke agents, create API keys, view traces
+ * - edit: Can modify configurations and manage members
+ */
+type ProjectPermission = 'view' | 'use' | 'edit';
+/**
+ * Middleware to check project-level access.
+ *
+ * When ENABLE_AUTHZ is false:
+ * - 'view' permission: all org members can view
+ * - 'edit': only org owner/admin
+ *
+ * When ENABLE_AUTHZ is true:
+ * - Uses SpiceDB to check permissions
+ * - Org owner/admin bypass (handled in canViewProject etc.)
+ */
+declare const requireProjectPermission: <Env$1 extends {
+  Variables: BaseAppVariables;
+} = {
+  Variables: BaseAppVariables;
+}>(permission?: ProjectPermission) => hono0.MiddlewareHandler<Env$1, string, {}, Response>;
+//#endregion
+export { ProjectPermission, requireProjectPermission };

package/dist/middleware/project-access.js

@@ -0,0 +1,118 @@
+import { env } from "../env.js";
+import { canEditProject, canUseProject, canViewProject, createApiError, isAuthzEnabled } from "@inkeep/agents-core";
+import { createMiddleware } from "hono/factory";
+import { HTTPException } from "hono/http-exception";
+
+//#region src/middleware/project-access.ts
+/**
+* Middleware to check project-level access.
+*
+* When ENABLE_AUTHZ is false:
+* - 'view' permission: all org members can view
+* - 'edit': only org owner/admin
+*
+* When ENABLE_AUTHZ is true:
+* - Uses SpiceDB to check permissions
+* - Org owner/admin bypass (handled in canViewProject etc.)
+*/
+const requireProjectPermission = (permission = "view") => createMiddleware(async (c, next) => {
+	const isTestEnvironment = process.env.ENVIRONMENT === "test";
+	if (env.DISABLE_AUTH || isTestEnvironment) {
+		await next();
+		return;
+	}
+	const userId = c.get("userId");
+	const tenantId = c.get("tenantId");
+	const tenantRole = c.get("tenantRole");
+	const projectId = c.req.param("projectId") || c.req.param("id");
+	if (!userId || !tenantId) throw createApiError({
+		code: "unauthorized",
+		message: "User or organization context not found",
+		instance: c.req.path
+	});
+	if (!projectId) throw createApiError({
+		code: "bad_request",
+		message: "Project ID is required",
+		instance: c.req.path
+	});
+	if (userId === "system" || userId.startsWith("apikey:")) {
+		await next();
+		return;
+	}
+	try {
+		let hasAccess = false;
+		switch (permission) {
+			case "view":
+				hasAccess = await canViewProject({
+					tenantId,
+					userId,
+					projectId,
+					orgRole: tenantRole
+				});
+				break;
+			case "use":
+				hasAccess = await canUseProject({
+					tenantId,
+					userId,
+					projectId,
+					orgRole: tenantRole
+				});
+				break;
+			case "edit":
+				hasAccess = await canEditProject({
+					tenantId,
+					userId,
+					projectId,
+					orgRole: tenantRole
+				});
+				break;
+		}
+		if (!hasAccess) {
+			if (isAuthzEnabled(tenantId) && permission !== "view") {
+				if (await canViewProject({
+					tenantId,
+					userId,
+					projectId,
+					orgRole: tenantRole
+				})) throw createApiError({
+					code: "forbidden",
+					message: `Permission denied. Required: project:${permission}`,
+					instance: c.req.path,
+					extensions: { requiredPermissions: [`project:${permission}`] }
+				});
+			}
+			if (isAuthzEnabled(tenantId)) throw createApiError({
+				code: "not_found",
+				message: "Project not found",
+				instance: c.req.path
+			});
+			throw createApiError({
+				code: "forbidden",
+				message: `Permission denied. Required: project:${permission}`,
+				instance: c.req.path,
+				extensions: {
+					requiredPermissions: [`project:${permission}`],
+					context: {
+						userId,
+						organizationId: tenantId,
+						projectId,
+						currentRole: tenantRole
+					}
+				}
+			});
+		}
+		await next();
+	} catch (error) {
+		if (error instanceof HTTPException) throw error;
+		const errorMessage = error instanceof Error ? error.message : "Unknown error";
+		throw createApiError({
+			code: "internal_server_error",
+			message: "Failed to verify project access",
+			instance: c.req.path,
+			extensions: { internalError: errorMessage }
+		});
+	}
+});
+
+//#endregion
+export { requireProjectPermission };

package/dist/routes/agent.js

@@ -1,5 +1,5 @@
 import runDbClient_default from "../data/db/runDbClient.js";
-import { requirePermission } from "../middleware/require-permission.js";
+import { requireProjectPermission } from "../middleware/project-access.js";
 import { speakeasyOffsetLimitPagination } from "./shared.js";
 import { OpenAPIHono, createRoute } from "@hono/zod-openapi";
 import { AgentApiInsertSchema, AgentApiUpdateSchema, AgentListResponse, AgentResponse, AgentWithinContextOfProjectResponse, ErrorResponseSchema, PaginationQueryParamsSchema, RelatedAgentInfoListResponse, TenantProjectAgentParamsSchema, TenantProjectAgentSubAgentParamsSchema, TenantProjectIdParamsSchema, TenantProjectParamsSchema, cascadeDeleteByAgent, commonGetErrorResponses, createAgent, createApiError, deleteAgent, generateId, getAgentById, getAgentSubAgentInfos, getFullAgentDefinition, listAgentsPaginated, listSubAgents, updateAgent } from "@inkeep/agents-core";
@@ -7,12 +7,12 @@ import { AgentApiInsertSchema, AgentApiUpdateSchema, AgentListResponse, AgentRes
 //#region src/routes/agent.ts
 const app = new OpenAPIHono();
 app.use("/", async (c, next) => {
-	if (c.req.method === "POST") return requirePermission({ agent: ["create"] })(c, next);
+	if (c.req.method === "POST") return requireProjectPermission("edit")(c, next);
 	return next();
 });
 app.use("/:id", async (c, next) => {
-	if (c.req.method === "PUT") return requirePermission({ agent: ["update"] })(c, next);
-	if (c.req.method === "DELETE") return requirePermission({ agent: ["delete"] })(c, next);
+	if (c.req.method === "PUT") return requireProjectPermission("edit")(c, next);
+	if (c.req.method === "DELETE") return requireProjectPermission("edit")(c, next);
 	return next();
 });
 app.openapi(createRoute({

package/dist/routes/agentFull.js

@@ -1,6 +1,6 @@
 import { getLogger as getLogger$1 } from "../logger.js";
 import runDbClient_default from "../data/db/runDbClient.js";
-import { requirePermission } from "../middleware/require-permission.js";
+import { requireProjectPermission } from "../middleware/project-access.js";
 import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
 import { AgentWithinContextOfProjectResponse, AgentWithinContextOfProjectSchema, ErrorResponseSchema, TenantProjectAgentParamsSchema, TenantProjectParamsSchema, cascadeDeleteByAgent, commonGetErrorResponses, createApiError, createFullAgentServerSide, deleteFullAgent, getFullAgent, listSubAgents, updateFullAgentServerSide } from "@inkeep/agents-core";
 
@@ -8,12 +8,12 @@ import { AgentWithinContextOfProjectResponse, AgentWithinContextOfProjectSchema,
 const logger = getLogger$1("agentFull");
 const app = new OpenAPIHono();
 app.use("/", async (c, next) => {
-	if (c.req.method === "POST") return requirePermission({ agent: ["create"] })(c, next);
+	if (c.req.method === "POST") return requireProjectPermission("edit")(c, next);
 	return next();
 });
 app.use("/:agentId", async (c, next) => {
-	if (c.req.method === "PUT") return requirePermission({ agent: ["update"] })(c, next);
-	if (c.req.method === "DELETE") return requirePermission({ agent: ["delete"] })(c, next);
+	if (c.req.method === "PUT") return requireProjectPermission("edit")(c, next);
+	if (c.req.method === "DELETE") return requireProjectPermission("edit")(c, next);
 	return next();
 });
 app.openapi(createRoute({

package/dist/routes/agentToolRelations.js

@@ -1,4 +1,4 @@
-import { requirePermission } from "../middleware/require-permission.js";
+import { requireProjectPermission } from "../middleware/project-access.js";
 import { speakeasyOffsetLimitPagination } from "./shared.js";
 import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
 import { ErrorResponseSchema, PaginationQueryParamsSchema, SubAgentToolRelationApiInsertSchema, SubAgentToolRelationApiUpdateSchema, SubAgentToolRelationListResponse, SubAgentToolRelationResponse, TenantProjectAgentIdParamsSchema, TenantProjectAgentParamsSchema, commonGetErrorResponses, createAgentToolRelation, createApiError, deleteAgentToolRelation, getAgentToolRelationByAgent, getAgentToolRelationById, getAgentToolRelationByTool, getAgentsForTool, listAgentToolRelations, updateAgentToolRelation } from "@inkeep/agents-core";
@@ -6,12 +6,12 @@ import { ErrorResponseSchema, PaginationQueryParamsSchema, SubAgentToolRelationA
 //#region src/routes/agentToolRelations.ts
 const app = new OpenAPIHono();
 app.use("/", async (c, next) => {
-	if (c.req.method === "POST") return requirePermission({ agent: ["create"] })(c, next);
+	if (c.req.method === "POST") return requireProjectPermission("edit")(c, next);
 	return next();
 });
 app.use("/:id", async (c, next) => {
-	if (c.req.method === "PUT") return requirePermission({ agent: ["update"] })(c, next);
-	if (c.req.method === "DELETE") return requirePermission({ agent: ["delete"] })(c, next);
+	if (c.req.method === "PUT") return requireProjectPermission("edit")(c, next);
+	if (c.req.method === "DELETE") return requireProjectPermission("edit")(c, next);
 	return next();
 });
 app.openapi(createRoute({

package/dist/routes/apiKeys.js

@@ -1,5 +1,5 @@
 import runDbClient_default from "../data/db/runDbClient.js";
-import { requirePermission } from "../middleware/require-permission.js";
+import { requireProjectPermission } from "../middleware/project-access.js";
 import { speakeasyOffsetLimitPagination } from "./shared.js";
 import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
 import { ApiKeyApiCreationResponseSchema, ApiKeyApiInsertSchema, ApiKeyApiUpdateSchema, ApiKeyListResponse, ApiKeyResponse, ErrorResponseSchema, PaginationQueryParamsSchema, TenantProjectIdParamsSchema, TenantProjectParamsSchema, commonGetErrorResponses, createApiError, createApiKey, deleteApiKey, generateApiKey, getApiKeyById, listApiKeysPaginated, updateApiKey } from "@inkeep/agents-core";
@@ -7,12 +7,12 @@ import { ApiKeyApiCreationResponseSchema, ApiKeyApiInsertSchema, ApiKeyApiUpdate
 //#region src/routes/apiKeys.ts
 const app = new OpenAPIHono();
 app.use("/", async (c, next) => {
-	if (c.req.method === "POST") return requirePermission({ api_key: ["create"] })(c, next);
+	if (c.req.method === "POST") return requireProjectPermission("use")(c, next);
 	return next();
 });
 app.use("/:id", async (c, next) => {
-	if (c.req.method === "PATCH") return requirePermission({ api_key: ["update"] })(c, next);
-	if (c.req.method === "DELETE") return requirePermission({ api_key: ["delete"] })(c, next);
+	if (c.req.method === "PATCH") return requireProjectPermission("edit")(c, next);
+	if (c.req.method === "DELETE") return requireProjectPermission("edit")(c, next);
 	return next();
 });
 app.openapi(createRoute({

package/dist/routes/artifactComponents.js

@@ -1,4 +1,4 @@
-import { requirePermission } from "../middleware/require-permission.js";
+import { requireProjectPermission } from "../middleware/project-access.js";
 import { speakeasyOffsetLimitPagination } from "./shared.js";
 import { OpenAPIHono, createRoute } from "@hono/zod-openapi";
 import { ArtifactComponentApiInsertSchema, ArtifactComponentApiUpdateSchema, ArtifactComponentListResponse, ArtifactComponentResponse, ErrorResponseSchema, PaginationQueryParamsSchema, TenantProjectIdParamsSchema, TenantProjectParamsSchema, commonGetErrorResponses, createApiError, createArtifactComponent, deleteArtifactComponent, generateId, getArtifactComponentById, listArtifactComponentsPaginated, updateArtifactComponent, validatePropsAsJsonSchema } from "@inkeep/agents-core";
@@ -6,12 +6,12 @@ import { ArtifactComponentApiInsertSchema, ArtifactComponentApiUpdateSchema, Art
 //#region src/routes/artifactComponents.ts
 const app = new OpenAPIHono();
 app.use("/", async (c, next) => {
-	if (c.req.method === "POST") return requirePermission({ artifact_component: ["create"] })(c, next);
+	if (c.req.method === "POST") return requireProjectPermission("edit")(c, next);
 	return next();
 });
 app.use("/:id", async (c, next) => {
-	if (c.req.method === "PATCH") return requirePermission({ artifact_component: ["update"] })(c, next);
-	if (c.req.method === "DELETE") return requirePermission({ artifact_component: ["delete"] })(c, next);
+	if (c.req.method === "PATCH" || c.req.method === "PUT") return requireProjectPermission("edit")(c, next);
+	if (c.req.method === "DELETE") return requireProjectPermission("edit")(c, next);
 	return next();
 });
 app.openapi(createRoute({

package/dist/routes/contextConfigs.js

@@ -1,5 +1,5 @@
 import runDbClient_default from "../data/db/runDbClient.js";
-import { requirePermission } from "../middleware/require-permission.js";
+import { requireProjectPermission } from "../middleware/project-access.js";
 import { speakeasyOffsetLimitPagination } from "./shared.js";
 import { OpenAPIHono, createRoute } from "@hono/zod-openapi";
 import { ContextConfigApiInsertSchema, ContextConfigApiUpdateSchema, ContextConfigListResponse, ContextConfigResponse, PaginationQueryParamsSchema, TenantProjectAgentIdParamsSchema, TenantProjectAgentParamsSchema, cascadeDeleteByContextConfig, commonDeleteErrorResponses, commonGetErrorResponses, commonUpdateErrorResponses, createApiError, createContextConfig, deleteContextConfig, getContextConfigById, listContextConfigsPaginated, updateContextConfig } from "@inkeep/agents-core";
@@ -7,12 +7,12 @@ import { ContextConfigApiInsertSchema, ContextConfigApiUpdateSchema, ContextConf
 //#region src/routes/contextConfigs.ts
 const app = new OpenAPIHono();
 app.use("/", async (c, next) => {
-	if (c.req.method === "POST") return requirePermission({ context_config: ["create"] })(c, next);
+	if (c.req.method === "POST") return requireProjectPermission("edit")(c, next);
 	return next();
 });
 app.use("/:id", async (c, next) => {
-	if (c.req.method === "PUT") return requirePermission({ context_config: ["update"] })(c, next);
-	if (c.req.method === "DELETE") return requirePermission({ context_config: ["delete"] })(c, next);
+	if (c.req.method === "PUT") return requireProjectPermission("edit")(c, next);
+	if (c.req.method === "DELETE") return requireProjectPermission("edit")(c, next);
 	return next();
 });
 app.openapi(createRoute({

package/dist/routes/credentialStores.d.ts

@@ -1,9 +1,9 @@
-import { PublicAppVariables } from "../types/app.js";
+import { AppVariablesWithCredentials } from "../types/app.js";
 import { OpenAPIHono } from "@hono/zod-openapi";
 
 //#region src/routes/credentialStores.d.ts
 declare const app: OpenAPIHono<{
-  Variables: PublicAppVariables;
+  Variables: AppVariablesWithCredentials;
 }, {}, "/">;
 //#endregion
 export { app as default };

package/dist/routes/credentialStores.js

@@ -1,8 +1,13 @@
+import { requireProjectPermission } from "../middleware/project-access.js";
 import { OpenAPIHono, createRoute } from "@hono/zod-openapi";
 import { CreateCredentialInStoreRequestSchema, CreateCredentialInStoreResponseSchema, CredentialStoreListResponseSchema, TenantProjectIdParamsSchema, TenantProjectParamsSchema, commonGetErrorResponses, createApiError } from "@inkeep/agents-core";
 
 //#region src/routes/credentialStores.ts
 const app = new OpenAPIHono();
+app.use("/:id/credentials", async (c, next) => {
+	if (c.req.method === "POST") return requireProjectPermission("edit")(c, next);
+	return next();
+});
 app.openapi(createRoute({
 	method: "get",
 	path: "/",

package/dist/routes/credentials.js

@@ -1,4 +1,4 @@
-import { requirePermission } from "../middleware/require-permission.js";
+import { requireProjectPermission } from "../middleware/project-access.js";
 import { speakeasyOffsetLimitPagination } from "./shared.js";
 import { OpenAPIHono, createRoute } from "@hono/zod-openapi";
 import { CredentialReferenceApiInsertSchema, CredentialReferenceApiSelectSchema, CredentialReferenceApiUpdateSchema, CredentialReferenceListResponse, CredentialReferenceResponse, ErrorResponseSchema, ListResponseSchema, PaginationQueryParamsSchema, TenantProjectIdParamsSchema, TenantProjectParamsSchema, commonGetErrorResponses, createApiError, createCredentialReference, deleteCredentialReference, getCredentialReferenceById, getCredentialReferenceWithResources, getCredentialStoreLookupKeyFromRetrievalParams, listCredentialReferencesPaginated, updateCredentialReference } from "@inkeep/agents-core";
@@ -6,12 +6,12 @@ import { CredentialReferenceApiInsertSchema, CredentialReferenceApiSelectSchema,
 //#region src/routes/credentials.ts
 const app = new OpenAPIHono();
 app.use("/", async (c, next) => {
-	if (c.req.method === "POST") return requirePermission({ credential: ["create"] })(c, next);
+	if (c.req.method === "POST") return requireProjectPermission("edit")(c, next);
 	return next();
 });
 app.use("/:id", async (c, next) => {
-	if (c.req.method === "PATCH") return requirePermission({ credential: ["update"] })(c, next);
-	if (c.req.method === "DELETE") return requirePermission({ credential: ["delete"] })(c, next);
+	if (c.req.method === "PATCH") return requireProjectPermission("edit")(c, next);
+	if (c.req.method === "DELETE") return requireProjectPermission("edit")(c, next);
 	return next();
 });
 app.openapi(createRoute({

package/dist/routes/dataComponents.js

@@ -1,4 +1,4 @@
-import { requirePermission } from "../middleware/require-permission.js";
+import { requireProjectPermission } from "../middleware/project-access.js";
 import { speakeasyOffsetLimitPagination } from "./shared.js";
 import { OpenAPIHono, createRoute } from "@hono/zod-openapi";
 import { DataComponentApiInsertSchema, DataComponentApiUpdateSchema, DataComponentListResponse, DataComponentResponse, ErrorResponseSchema, PaginationQueryParamsSchema, TenantProjectIdParamsSchema, TenantProjectParamsSchema, commonGetErrorResponses, createApiError, createDataComponent, deleteDataComponent, getDataComponent, listDataComponentsPaginated, updateDataComponent, validatePropsAsJsonSchema } from "@inkeep/agents-core";
@@ -6,12 +6,12 @@ import { DataComponentApiInsertSchema, DataComponentApiUpdateSchema, DataCompone
 //#region src/routes/dataComponents.ts
 const app = new OpenAPIHono();
 app.use("/", async (c, next) => {
-	if (c.req.method === "POST") return requirePermission({ data_component: ["create"] })(c, next);
+	if (c.req.method === "POST") return requireProjectPermission("edit")(c, next);
 	return next();
 });
 app.use("/:id", async (c, next) => {
-	if (c.req.method === "PATCH") return requirePermission({ data_component: ["update"] })(c, next);
-	if (c.req.method === "DELETE") return requirePermission({ data_component: ["delete"] })(c, next);
+	if (c.req.method === "PATCH") return requireProjectPermission("edit")(c, next);
+	if (c.req.method === "DELETE") return requireProjectPermission("edit")(c, next);
 	return next();
 });
 app.openapi(createRoute({