@inkeep/agents-manage-api 0.0.0-dev-20260118170655 → 0.0.0-dev-20260119163620

package/dist/routes/credentials.js

@@ -1,4 +1,4 @@
-import { requirePermission } from "../middleware/require-permission.js";
+import { requireProjectPermission } from "../middleware/project-access.js";
 import { speakeasyOffsetLimitPagination } from "./shared.js";
 import { OpenAPIHono, createRoute } from "@hono/zod-openapi";
 import { CredentialReferenceApiInsertSchema, CredentialReferenceApiSelectSchema, CredentialReferenceApiUpdateSchema, CredentialReferenceListResponse, CredentialReferenceResponse, ErrorResponseSchema, ListResponseSchema, PaginationQueryParamsSchema, TenantProjectIdParamsSchema, TenantProjectParamsSchema, commonGetErrorResponses, createApiError, createCredentialReference, deleteCredentialReference, getCredentialReferenceById, getCredentialReferenceWithResources, getCredentialStoreLookupKeyFromRetrievalParams, listCredentialReferencesPaginated, updateCredentialReference } from "@inkeep/agents-core";
@@ -6,12 +6,12 @@ import { CredentialReferenceApiInsertSchema, CredentialReferenceApiSelectSchema,
 //#region src/routes/credentials.ts
 const app = new OpenAPIHono();
 app.use("/", async (c, next) => {
-	if (c.req.method === "POST") return requirePermission({ credential: ["create"] })(c, next);
+	if (c.req.method === "POST") return requireProjectPermission("edit")(c, next);
 	return next();
 });
 app.use("/:id", async (c, next) => {
-	if (c.req.method === "PATCH") return requirePermission({ credential: ["update"] })(c, next);
-	if (c.req.method === "DELETE") return requirePermission({ credential: ["delete"] })(c, next);
+	if (c.req.method === "PATCH") return requireProjectPermission("edit")(c, next);
+	if (c.req.method === "DELETE") return requireProjectPermission("edit")(c, next);
 	return next();
 });
 app.openapi(createRoute({

package/dist/routes/dataComponents.js

@@ -1,4 +1,4 @@
-import { requirePermission } from "../middleware/require-permission.js";
+import { requireProjectPermission } from "../middleware/project-access.js";
 import { speakeasyOffsetLimitPagination } from "./shared.js";
 import { OpenAPIHono, createRoute } from "@hono/zod-openapi";
 import { DataComponentApiInsertSchema, DataComponentApiUpdateSchema, DataComponentListResponse, DataComponentResponse, ErrorResponseSchema, PaginationQueryParamsSchema, TenantProjectIdParamsSchema, TenantProjectParamsSchema, commonGetErrorResponses, createApiError, createDataComponent, deleteDataComponent, getDataComponent, listDataComponentsPaginated, updateDataComponent, validatePropsAsJsonSchema } from "@inkeep/agents-core";
@@ -6,12 +6,12 @@ import { DataComponentApiInsertSchema, DataComponentApiUpdateSchema, DataCompone
 //#region src/routes/dataComponents.ts
 const app = new OpenAPIHono();
 app.use("/", async (c, next) => {
-	if (c.req.method === "POST") return requirePermission({ data_component: ["create"] })(c, next);
+	if (c.req.method === "POST") return requireProjectPermission("edit")(c, next);
 	return next();
 });
 app.use("/:id", async (c, next) => {
-	if (c.req.method === "PATCH") return requirePermission({ data_component: ["update"] })(c, next);
-	if (c.req.method === "DELETE") return requirePermission({ data_component: ["delete"] })(c, next);
+	if (c.req.method === "PATCH") return requireProjectPermission("edit")(c, next);
+	if (c.req.method === "DELETE") return requireProjectPermission("edit")(c, next);
 	return next();
 });
 app.openapi(createRoute({

package/dist/routes/evals/evaluationResults.d.ts

@@ -1,7 +1,7 @@
 import { OpenAPIHono } from "@hono/zod-openapi";
-import * as hono6 from "hono";
+import * as hono7 from "hono";
 
 //#region src/routes/evals/evaluationResults.d.ts
-declare const app: OpenAPIHono<hono6.Env, {}, "/">;
+declare const app: OpenAPIHono<hono7.Env, {}, "/">;
 //#endregion
 export { app as default };

package/dist/routes/externalAgents.js

@@ -1,4 +1,4 @@
-import { requirePermission } from "../middleware/require-permission.js";
+import { requireProjectPermission } from "../middleware/project-access.js";
 import { speakeasyOffsetLimitPagination } from "./shared.js";
 import { OpenAPIHono, createRoute } from "@hono/zod-openapi";
 import { ErrorResponseSchema, ExternalAgentApiInsertSchema, ExternalAgentApiUpdateSchema, ExternalAgentListResponse, ExternalAgentResponse, PaginationQueryParamsSchema, TenantProjectIdParamsSchema, TenantProjectParamsSchema, commonGetErrorResponses, createApiError, createExternalAgent, deleteExternalAgent, generateId, getExternalAgent, listExternalAgentsPaginated, updateExternalAgent } from "@inkeep/agents-core";
@@ -6,12 +6,12 @@ import { ErrorResponseSchema, ExternalAgentApiInsertSchema, ExternalAgentApiUpda
 //#region src/routes/externalAgents.ts
 const app = new OpenAPIHono();
 app.use("/", async (c, next) => {
-	if (c.req.method === "POST") return requirePermission({ external_agent: ["create"] })(c, next);
+	if (c.req.method === "POST") return requireProjectPermission("edit")(c, next);
 	return next();
 });
 app.use("/:id", async (c, next) => {
-	if (c.req.method === "PATCH") return requirePermission({ external_agent: ["update"] })(c, next);
-	if (c.req.method === "DELETE") return requirePermission({ external_agent: ["delete"] })(c, next);
+	if (c.req.method === "PATCH") return requireProjectPermission("edit")(c, next);
+	if (c.req.method === "DELETE") return requireProjectPermission("edit")(c, next);
 	return next();
 });
 app.openapi(createRoute({

package/dist/routes/functionTools.js

@@ -1,5 +1,5 @@
 import { getLogger as getLogger$1 } from "../logger.js";
-import { requirePermission } from "../middleware/require-permission.js";
+import { requireProjectPermission } from "../middleware/project-access.js";
 import { speakeasyOffsetLimitPagination } from "./shared.js";
 import { OpenAPIHono, createRoute } from "@hono/zod-openapi";
 import { FunctionToolApiInsertSchema, FunctionToolApiUpdateSchema, FunctionToolListResponse, FunctionToolResponse, PaginationQueryParamsSchema, TenantProjectAgentIdParamsSchema, TenantProjectAgentParamsSchema, commonGetErrorResponses, createApiError, createFunctionTool, deleteFunctionTool, generateId, getFunctionToolById, listFunctionTools, updateFunctionTool } from "@inkeep/agents-core";
@@ -8,12 +8,12 @@ import { FunctionToolApiInsertSchema, FunctionToolApiUpdateSchema, FunctionToolL
 const logger = getLogger$1("functionTools");
 const app = new OpenAPIHono();
 app.use("/", async (c, next) => {
-	if (c.req.method === "POST") return requirePermission({ function: ["create"] })(c, next);
+	if (c.req.method === "POST") return requireProjectPermission("edit")(c, next);
 	return next();
 });
 app.use("/:id", async (c, next) => {
-	if (c.req.method === "PUT") return requirePermission({ function: ["update"] })(c, next);
-	if (c.req.method === "DELETE") return requirePermission({ function: ["delete"] })(c, next);
+	if (c.req.method === "PUT") return requireProjectPermission("edit")(c, next);
+	if (c.req.method === "DELETE") return requireProjectPermission("edit")(c, next);
 	return next();
 });
 app.openapi(createRoute({

package/dist/routes/functions.js

@@ -1,5 +1,5 @@
 import { getLogger as getLogger$1 } from "../logger.js";
-import { requirePermission } from "../middleware/require-permission.js";
+import { requireProjectPermission } from "../middleware/project-access.js";
 import { speakeasyOffsetLimitPagination } from "./shared.js";
 import { OpenAPIHono, createRoute } from "@hono/zod-openapi";
 import { FunctionApiInsertSchema, FunctionApiUpdateSchema, FunctionListResponse, FunctionResponse, PaginationQueryParamsSchema, TenantProjectIdParamsSchema, TenantProjectParamsSchema, commonGetErrorResponses, createApiError, deleteFunction, generateId, getFunction, listFunctionsPaginated, upsertFunction } from "@inkeep/agents-core";
@@ -8,12 +8,12 @@ import { FunctionApiInsertSchema, FunctionApiUpdateSchema, FunctionListResponse,
 const logger = getLogger$1("functions");
 const app = new OpenAPIHono();
 app.use("/", async (c, next) => {
-	if (c.req.method === "POST") return requirePermission({ function: ["create"] })(c, next);
+	if (c.req.method === "POST") return requireProjectPermission("edit")(c, next);
 	return next();
 });
 app.use("/:id", async (c, next) => {
-	if (c.req.method === "PUT") return requirePermission({ function: ["update"] })(c, next);
-	if (c.req.method === "DELETE") return requirePermission({ function: ["delete"] })(c, next);
+	if (c.req.method === "PUT") return requireProjectPermission("edit")(c, next);
+	if (c.req.method === "DELETE") return requireProjectPermission("edit")(c, next);
 	return next();
 });
 app.openapi(createRoute({

package/dist/routes/index.d.ts

@@ -1,7 +1,7 @@
 import { OpenAPIHono } from "@hono/zod-openapi";
-import * as hono4 from "hono";
+import * as hono5 from "hono";
 
 //#region src/routes/index.d.ts
-declare const app: OpenAPIHono<hono4.Env, {}, "/">;
+declare const app: OpenAPIHono<hono5.Env, {}, "/">;
 //#endregion
 export { app as default };

package/dist/routes/index.js

@@ -1,3 +1,4 @@
+import { requireProjectPermission } from "../middleware/project-access.js";
 import agent_default from "./agent.js";
 import agentFull_default from "./agentFull.js";
 import apiKeys_default from "./apiKeys.js";
@@ -12,6 +13,8 @@ import externalAgents_default from "./externalAgents.js";
 import functions_default from "./functions.js";
 import functionTools_default from "./functionTools.js";
 import mcpCatalog_default from "./mcpCatalog.js";
+import projectMembers_default from "./projectMembers.js";
+import projectPermissions_default from "./projectPermissions.js";
 import projects_default from "./projects.js";
 import ref_default from "./ref.js";
 import subAgentArtifactComponents_default from "./subAgentArtifactComponents.js";
@@ -29,8 +32,11 @@ import { OpenAPIHono } from "@hono/zod-openapi";
 //#region src/routes/index.ts
 const app = new OpenAPIHono();
 app.route("/projects", projects_default);
+app.use("/projects/:projectId/*", requireProjectPermission("view"));
 app.route("/projects/:projectId/branches", branches_default);
 app.route("/projects/:projectId/refs", ref_default);
+app.route("/projects/:projectId/members", projectMembers_default);
+app.route("/projects/:projectId/permissions", projectPermissions_default);
 app.route("/projects/:projectId/agents/:agentId/sub-agents", subAgents_default);
 app.route("/projects/:projectId/agents/:agentId/sub-agent-relations", subAgentRelations_default);
 app.route("/projects/:projectId/agents/:agentId/sub-agents/:subAgentId/external-agent-relations", subAgentExternalAgentRelations_default);

package/dist/routes/playgroundToken.js

@@ -1,13 +1,11 @@
 import { env } from "../env.js";
 import { getLogger as getLogger$1 } from "../logger.js";
-import { requirePermission } from "../middleware/require-permission.js";
 import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
-import { ErrorResponseSchema, TenantParamsSchema, createApiError, getAgentById, projectExists, signTempToken } from "@inkeep/agents-core";
+import { ErrorResponseSchema, TenantParamsSchema, canUseProject, createApiError, getAgentById, projectExists, signTempToken } from "@inkeep/agents-core";
 
 //#region src/routes/playgroundToken.ts
 const logger = getLogger$1("playgroundToken");
 const app = new OpenAPIHono();
-app.use("/", requirePermission({ agent: ["create"] }));
 const PlaygroundTokenRequestSchema = z.object({
 	projectId: z.string(),
 	agentId: z.string()
@@ -42,6 +40,7 @@ app.openapi(createRoute({
 	const db = c.get("db");
 	const userId = c.get("userId");
 	const tenantId = c.get("tenantId");
+	const tenantRole = c.get("tenantRole") || "member";
 	const { projectId, agentId } = c.req.valid("json");
 	logger.info({
 		userId,
@@ -49,6 +48,22 @@ app.openapi(createRoute({
 		projectId,
 		agentId
 	}, "Generating temporary JWT token for playground");
+	if (!await canUseProject({
+		tenantId,
+		userId,
+		projectId,
+		orgRole: tenantRole
+	})) {
+		logger.warn({
+			userId,
+			tenantId,
+			projectId
+		}, "User does not have use permission on project");
+		throw createApiError({
+			code: "not_found",
+			message: "Project not found"
+		});
+	}
 	if (!await projectExists(db)({
 		tenantId,
 		projectId

package/dist/routes/projectFull.js

@@ -1,6 +1,7 @@
 import { getLogger as getLogger$1 } from "../logger.js";
 import runDbClient_default from "../data/db/runDbClient.js";
 import dbClient_default from "../data/db/dbClient.js";
+import { requireProjectPermission } from "../middleware/project-access.js";
 import { requirePermission } from "../middleware/require-permission.js";
 import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
 import { ErrorResponseSchema, FullProjectDefinitionSchema, FullProjectSelectResponse, FullProjectSelectWithRelationIdsResponse, TenantParamsSchema, TenantProjectParamsSchema, cascadeDeleteByProject, checkoutBranch, commonGetErrorResponses, createApiError, createFullProjectServerSide, createProjectMetadataAndBranch, deleteFullProject, deleteProjectWithBranch, doltCheckout, getFullProject, getFullProjectWithRelationIds, getProjectMainBranchName, getProjectMetadata, updateFullProjectServerSide } from "@inkeep/agents-core";
@@ -13,8 +14,8 @@ app.use("/project-full", async (c, next) => {
 	return next();
 });
 app.use("/project-full/:projectId", async (c, next) => {
-	if (c.req.method === "PUT") return requirePermission({ project: ["update"] })(c, next);
-	if (c.req.method === "DELETE") return requirePermission({ project: ["delete"] })(c, next);
+	if (c.req.method === "PUT") return requireProjectPermission("edit")(c, next);
+	if (c.req.method === "DELETE") return requireProjectPermission("edit")(c, next);
 	return next();
 });
 app.openapi(createRoute({

package/dist/routes/projectMembers.d.ts

@@ -0,0 +1,9 @@
+import { BaseAppVariables } from "../types/app.js";
+import { OpenAPIHono } from "@hono/zod-openapi";
+
+//#region src/routes/projectMembers.d.ts
+declare const app: OpenAPIHono<{
+  Variables: BaseAppVariables;
+}, {}, "/">;
+//#endregion
+export { app as default };

package/dist/routes/projectMembers.js

@@ -0,0 +1,201 @@
+import { requireProjectPermission } from "../middleware/project-access.js";
+import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
+import { changeProjectRole, commonGetErrorResponses, createApiError, grantProjectAccess, isAuthzEnabled, listProjectMembers, revokeProjectAccess } from "@inkeep/agents-core";
+
+//#region src/routes/projectMembers.ts
+const app = new OpenAPIHono();
+const ProjectMemberSchema = z.object({
+	userId: z.string().min(1),
+	role: z.enum([
+		"project_admin",
+		"project_member",
+		"project_viewer"
+	])
+});
+const ProjectMemberResponseSchema = z.object({ data: z.object({
+	userId: z.string(),
+	role: z.enum([
+		"project_admin",
+		"project_member",
+		"project_viewer"
+	]),
+	projectId: z.string()
+}) });
+const ProjectMemberParamsSchema = z.object({
+	tenantId: z.string(),
+	projectId: z.string()
+});
+const ProjectMemberUserParamsSchema = z.object({
+	tenantId: z.string(),
+	projectId: z.string(),
+	userId: z.string()
+});
+const UpdateRoleSchema = z.object({
+	role: z.enum([
+		"project_admin",
+		"project_member",
+		"project_viewer"
+	]),
+	previousRole: z.enum([
+		"project_admin",
+		"project_member",
+		"project_viewer"
+	]).optional()
+});
+app.openapi(createRoute({
+	method: "get",
+	path: "/",
+	summary: "List Project Members",
+	description: "List all users with explicit project access. Requires authz to be enabled.",
+	operationId: "list-project-members",
+	tags: ["Project Members"],
+	request: { params: ProjectMemberParamsSchema },
+	responses: {
+		200: {
+			description: "List of project members",
+			content: { "application/json": { schema: z.object({ data: z.array(z.object({
+				userId: z.string(),
+				role: z.enum([
+					"project_admin",
+					"project_member",
+					"project_viewer"
+				])
+			})) }) } }
+		},
+		...commonGetErrorResponses
+	}
+}), async (c) => {
+	const { projectId, tenantId } = c.req.valid("param");
+	if (!isAuthzEnabled(tenantId)) return c.json({ data: [] });
+	const members = await listProjectMembers({
+		tenantId,
+		projectId
+	});
+	return c.json({ data: members });
+});
+app.use("/*", async (c, next) => {
+	if (c.req.method === "GET") return next();
+	return requireProjectPermission("edit")(c, next);
+});
+app.openapi(createRoute({
+	method: "post",
+	path: "/",
+	summary: "Add Project Member",
+	description: "Add a user to a project with a specified role. Requires authz to be enabled.",
+	operationId: "add-project-member",
+	tags: ["Project Members"],
+	request: {
+		params: ProjectMemberParamsSchema,
+		body: { content: { "application/json": { schema: ProjectMemberSchema } } }
+	},
+	responses: {
+		201: {
+			description: "Member added successfully",
+			content: { "application/json": { schema: ProjectMemberResponseSchema } }
+		},
+		...commonGetErrorResponses
+	}
+}), async (c) => {
+	const { projectId, tenantId } = c.req.valid("param");
+	const { userId, role } = c.req.valid("json");
+	if (!isAuthzEnabled(tenantId)) throw createApiError({
+		code: "bad_request",
+		message: "Project member management requires authorization to be enabled (ENABLE_AUTHZ=true)"
+	});
+	await grantProjectAccess({
+		tenantId,
+		projectId,
+		userId,
+		role
+	});
+	return c.json({ data: {
+		userId,
+		role,
+		projectId
+	} }, 201);
+});
+app.openapi(createRoute({
+	method: "patch",
+	path: "/{userId}",
+	summary: "Update Project Member Role",
+	description: "Update a project member's role. Requires authz to be enabled. Include previousRole to specify which role to revoke.",
+	operationId: "update-project-member",
+	tags: ["Project Members"],
+	request: {
+		params: ProjectMemberUserParamsSchema,
+		body: { content: { "application/json": { schema: UpdateRoleSchema } } }
+	},
+	responses: {
+		200: {
+			description: "Member role updated successfully",
+			content: { "application/json": { schema: ProjectMemberResponseSchema } }
+		},
+		...commonGetErrorResponses
+	}
+}), async (c) => {
+	const { projectId, userId, tenantId } = c.req.valid("param");
+	const { role: newRole, previousRole } = c.req.valid("json");
+	if (!isAuthzEnabled(tenantId)) throw createApiError({
+		code: "bad_request",
+		message: "Project member management requires authorization to be enabled (ENABLE_AUTHZ=true)"
+	});
+	if (!previousRole) throw createApiError({
+		code: "bad_request",
+		message: "previousRole is required to update a member role"
+	});
+	if (previousRole === newRole) return c.json({ data: {
+		userId,
+		role: newRole,
+		projectId
+	} });
+	await changeProjectRole({
+		tenantId,
+		projectId,
+		userId,
+		oldRole: previousRole,
+		newRole
+	});
+	return c.json({ data: {
+		userId,
+		role: newRole,
+		projectId
+	} });
+});
+app.openapi(createRoute({
+	method: "delete",
+	path: "/{userId}",
+	summary: "Remove Project Member",
+	description: "Remove a user from a project. Requires authz to be enabled. Pass role as query param to specify which role to revoke.",
+	operationId: "remove-project-member",
+	tags: ["Project Members"],
+	request: {
+		params: ProjectMemberUserParamsSchema,
+		query: z.object({ role: z.enum([
+			"project_admin",
+			"project_member",
+			"project_viewer"
+		]) })
+	},
+	responses: {
+		204: { description: "Member removed successfully" },
+		...commonGetErrorResponses
+	}
+}), async (c) => {
+	const { projectId, userId, tenantId } = c.req.valid("param");
+	const { role } = c.req.valid("query");
+	if (!isAuthzEnabled(tenantId)) throw createApiError({
+		code: "bad_request",
+		message: "Project member management requires authorization to be enabled (ENABLE_AUTHZ=true)"
+	});
+	await revokeProjectAccess({
+		tenantId,
+		projectId,
+		userId,
+		role
+	});
+	return c.body(null, 204);
+});
+var projectMembers_default = app;
+
+//#endregion
+export { projectMembers_default as default };

package/dist/routes/projectPermissions.d.ts

@@ -0,0 +1,9 @@
+import { BaseAppVariables } from "../types/app.js";
+import { OpenAPIHono } from "@hono/zod-openapi";
+
+//#region src/routes/projectPermissions.d.ts
+declare const app: OpenAPIHono<{
+  Variables: BaseAppVariables;
+}, {}, "/">;
+//#endregion
+export { app as default };

package/dist/routes/projectPermissions.js

@@ -0,0 +1,64 @@
+import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
+import { SpiceDbPermissions, SpiceDbResourceTypes, checkBulkPermissions, commonGetErrorResponses, isAuthzEnabled } from "@inkeep/agents-core";
+
+//#region src/routes/projectPermissions.ts
+const app = new OpenAPIHono();
+const ProjectPermissionsParamsSchema = z.object({
+	tenantId: z.string(),
+	projectId: z.string()
+});
+const ProjectPermissionsResponseSchema = z.object({ data: z.object({
+	canView: z.boolean(),
+	canUse: z.boolean(),
+	canEdit: z.boolean()
+}) });
+app.openapi(createRoute({
+	method: "get",
+	path: "/",
+	summary: "Get Project Permissions",
+	description: "Get the current user's permissions for a project. Returns which actions the user can perform.",
+	operationId: "get-project-permissions",
+	tags: ["Project Permissions"],
+	request: { params: ProjectPermissionsParamsSchema },
+	responses: {
+		200: {
+			description: "Project permissions for the current user",
+			content: { "application/json": { schema: ProjectPermissionsResponseSchema } }
+		},
+		...commonGetErrorResponses
+	}
+}), async (c) => {
+	const { projectId, tenantId } = c.req.valid("param");
+	const userId = c.get("userId");
+	const tenantRole = c.get("tenantRole");
+	if (tenantRole === "owner" || tenantRole === "admin") return c.json({ data: {
+		canView: true,
+		canUse: true,
+		canEdit: true
+	} });
+	if (!isAuthzEnabled(tenantId)) return c.json({ data: {
+		canView: true,
+		canUse: true,
+		canEdit: false
+	} });
+	const permissions = await checkBulkPermissions({
+		resourceType: SpiceDbResourceTypes.PROJECT,
+		resourceId: projectId,
+		permissions: [
+			SpiceDbPermissions.VIEW,
+			SpiceDbPermissions.USE,
+			SpiceDbPermissions.EDIT
+		],
+		subjectType: SpiceDbResourceTypes.USER,
+		subjectId: userId
+	});
+	return c.json({ data: {
+		canView: permissions[SpiceDbPermissions.VIEW] ?? false,
+		canUse: permissions[SpiceDbPermissions.USE] ?? false,
+		canEdit: permissions[SpiceDbPermissions.EDIT] ?? false
+	} });
+});
+var projectPermissions_default = app;
+
+//#endregion
+export { projectPermissions_default as default };

package/dist/routes/projects.js

@@ -1,9 +1,10 @@
 import runDbClient_default from "../data/db/runDbClient.js";
 import dbClient_default from "../data/db/dbClient.js";
-import { requirePermission } from "../middleware/require-permission.js";
+import { requireProjectPermission } from "../middleware/project-access.js";
 import { speakeasyOffsetLimitPagination } from "./shared.js";
+import { requirePermission } from "../middleware/require-permission.js";
 import { OpenAPIHono, createRoute } from "@hono/zod-openapi";
-import { ErrorResponseSchema, PaginationQueryParamsSchema, ProjectApiInsertSchema, ProjectApiUpdateSchema, ProjectListResponse, ProjectResponse, TenantIdParamsSchema, TenantParamsSchema, cascadeDeleteByProject, commonGetErrorResponses, createApiError, createProject, createProjectMetadataAndBranch, deleteProject, deleteProjectWithBranch, doltCheckout, getProject, getProjectMainBranchName, listProjectsWithMetadataPaginated, updateProject } from "@inkeep/agents-core";
+import { ErrorResponseSchema, PaginationQueryParamsSchema, ProjectApiInsertSchema, ProjectApiUpdateSchema, ProjectListResponse, ProjectResponse, TenantIdParamsSchema, TenantParamsSchema, cascadeDeleteByProject, commonGetErrorResponses, createApiError, createProject, createProjectMetadataAndBranch, deleteProject, deleteProjectWithBranch, doltCheckout, getProject, getProjectMainBranchName, isAuthzEnabled, listAccessibleProjectIds, listProjectsWithMetadataPaginated, removeProjectFromSpiceDb, syncProjectToSpiceDb, updateProject } from "@inkeep/agents-core";
 
 //#region src/routes/projects.ts
 const app = new OpenAPIHono();
@@ -12,15 +13,16 @@ app.use("/", async (c, next) => {
 	return next();
 });
 app.use("/:id", async (c, next) => {
-	if (c.req.method === "PATCH") return requirePermission({ project: ["update"] })(c, next);
-	if (c.req.method === "DELETE") return requirePermission({ project: ["delete"] })(c, next);
+	if (c.req.method === "GET") return requireProjectPermission("view")(c, next);
+	if (c.req.method === "PATCH") return requireProjectPermission("edit")(c, next);
+	if (c.req.method === "DELETE") return requireProjectPermission("edit")(c, next);
 	return next();
 });
 app.openapi(createRoute({
 	method: "get",
 	path: "/",
 	summary: "List Projects",
-	description: "List all projects within a tenant with pagination",
+	description: "List all projects within a tenant with pagination. When authorization is enabled, only returns projects the user has access to.",
 	operationId: "list-projects",
 	tags: ["Projects"],
 	request: {
@@ -38,14 +40,26 @@ app.openapi(createRoute({
 }), async (c) => {
 	const configDb = c.get("db");
 	const { tenantId } = c.req.valid("param");
+	const userId = c.get("userId");
+	const tenantRole = c.get("tenantRole") || "member";
 	const page = Number(c.req.query("page")) || 1;
 	const limit = Math.min(Number(c.req.query("limit")) || 10, 100);
+	let accessibleIds;
+	if (isAuthzEnabled(tenantId) && userId) {
+		const result$1 = await listAccessibleProjectIds({
+			tenantId,
+			userId,
+			orgRole: tenantRole
+		});
+		if (result$1 !== "all") accessibleIds = result$1;
+	}
 	const result = await listProjectsWithMetadataPaginated(runDbClient_default, configDb)({
 		tenantId,
 		pagination: {
 			page,
 			limit
-		}
+		},
+		projectIds: accessibleIds
 	});
 	const transformedData = result.data.map((project) => ({
 		id: project.id,
@@ -94,7 +108,7 @@ app.openapi(createRoute({
 	method: "post",
 	path: "/",
 	summary: "Create Project",
-	description: "Create a new project",
+	description: "Create a new project. When authorization is enabled, the creator is automatically granted admin role.",
 	operationId: "create-project",
 	tags: ["Projects"],
 	request: {
@@ -135,6 +149,15 @@ app.openapi(createRoute({
 			tenantId,
 			...body
 		});
+		if (isAuthzEnabled(tenantId)) try {
+			await syncProjectToSpiceDb({
+				tenantId,
+				projectId: body.id,
+				creatorUserId: userId
+			});
+		} catch (syncError) {
+			console.warn("Failed to sync project to SpiceDB:", syncError);
+		}
 		return c.json({ data: {
 			...projectConfig,
 			mainBranchName: runtimeProject.mainBranchName
@@ -227,6 +250,14 @@ app.openapi(createRoute({
 			code: "not_found",
 			message: "Project not found"
 		});
+		if (isAuthzEnabled(tenantId)) try {
+			await removeProjectFromSpiceDb({
+				tenantId,
+				projectId: id
+			});
+		} catch (syncError) {
+			console.warn("Failed to remove project from SpiceDB:", syncError);
+		}
 		return c.body(null, 204);
 	} catch (error) {
 		if (error.message?.includes("Cannot delete project with existing resources")) throw createApiError({

package/dist/routes/subAgentArtifactComponents.js

@@ -1,15 +1,15 @@
-import { requirePermission } from "../middleware/require-permission.js";
+import { requireProjectPermission } from "../middleware/project-access.js";
 import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
 import { ArtifactComponentArrayResponse, ComponentAssociationListResponse, ErrorResponseSchema, ExistsResponseSchema, RemovedResponseSchema, SubAgentArtifactComponentApiInsertSchema, SubAgentArtifactComponentResponse, TenantProjectAgentParamsSchema, TenantProjectAgentSubAgentParamsSchema, associateArtifactComponentWithAgent, commonGetErrorResponses, createApiError, getAgentsUsingArtifactComponent, getArtifactComponentById, getArtifactComponentsForAgent, getSubAgentById, isArtifactComponentAssociatedWithAgent, removeArtifactComponentFromAgent } from "@inkeep/agents-core";
 
 //#region src/routes/subAgentArtifactComponents.ts
 const app = new OpenAPIHono();
 app.use("/", async (c, next) => {
-	if (c.req.method === "POST") return requirePermission({ sub_agent: ["create"] })(c, next);
+	if (c.req.method === "POST") return requireProjectPermission("edit")(c, next);
 	return next();
 });
 app.use("/agent/:subAgentId/component/:artifactComponentId", async (c, next) => {
-	if (c.req.method === "DELETE") return requirePermission({ sub_agent: ["delete"] })(c, next);
+	if (c.req.method === "DELETE") return requireProjectPermission("edit")(c, next);
 	return next();
 });
 app.openapi(createRoute({

package/dist/routes/subAgentDataComponents.js

@@ -1,15 +1,15 @@
-import { requirePermission } from "../middleware/require-permission.js";
+import { requireProjectPermission } from "../middleware/project-access.js";
 import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
 import { ComponentAssociationListResponse, DataComponentArrayResponse, ErrorResponseSchema, ExistsResponseSchema, RemovedResponseSchema, SubAgentDataComponentApiInsertSchema, SubAgentDataComponentResponse, TenantProjectAgentParamsSchema, TenantProjectAgentSubAgentParamsSchema, associateDataComponentWithAgent, commonGetErrorResponses, createApiError, getAgentsUsingDataComponent, getDataComponent, getDataComponentsForAgent, getSubAgentById, isDataComponentAssociatedWithAgent, removeDataComponentFromAgent } from "@inkeep/agents-core";
 
 //#region src/routes/subAgentDataComponents.ts
 const app = new OpenAPIHono();
 app.use("/", async (c, next) => {
-	if (c.req.method === "POST") return requirePermission({ sub_agent: ["create"] })(c, next);
+	if (c.req.method === "POST") return requireProjectPermission("edit")(c, next);
 	return next();
 });
 app.use("/agent/:subAgentId/component/:dataComponentId", async (c, next) => {
-	if (c.req.method === "DELETE") return requirePermission({ sub_agent: ["delete"] })(c, next);
+	if (c.req.method === "DELETE") return requireProjectPermission("edit")(c, next);
 	return next();
 });
 app.openapi(createRoute({