@inkeep/agents-api 0.0.0-dev-20260122151138 → 0.0.0-dev-20260122153611

package/dist/createApp.d.ts

@@ -1,10 +1,10 @@
 import { AppConfig } from "./types/app.js";
 import "./types/index.js";
 import { Hono } from "hono";
-import * as hono_types0 from "hono/types";
+import * as hono_types5 from "hono/types";
 
 //#region src/createApp.d.ts
 declare const isWebhookRoute: (path: string) => boolean;
-declare function createAgentsHono(config: AppConfig): Hono<hono_types0.BlankEnv, hono_types0.BlankSchema, "/">;
+declare function createAgentsHono(config: AppConfig): Hono<hono_types5.BlankEnv, hono_types5.BlankSchema, "/">;
 //#endregion
 export { createAgentsHono, isWebhookRoute };

package/dist/domains/evals/routes/datasetTriggers.d.ts

@@ -1,7 +1,7 @@
 import { OpenAPIHono } from "@hono/zod-openapi";
-import * as hono0 from "hono";
+import * as hono17 from "hono";
 
 //#region src/domains/evals/routes/datasetTriggers.d.ts
-declare const app: OpenAPIHono<hono0.Env, {}, "/">;
+declare const app: OpenAPIHono<hono17.Env, {}, "/">;
 //#endregion
 export { app as default };

package/dist/domains/evals/routes/index.d.ts

@@ -1,7 +1,7 @@
 import { OpenAPIHono } from "@hono/zod-openapi";
-import * as hono15 from "hono";
+import * as hono0 from "hono";
 
 //#region src/domains/evals/routes/index.d.ts
-declare const app: OpenAPIHono<hono15.Env, {}, "/">;
+declare const app: OpenAPIHono<hono0.Env, {}, "/">;
 //#endregion
 export { app as default };

package/dist/domains/evals/workflow/routes.d.ts

@@ -1,7 +1,7 @@
 import { Hono } from "hono";
-import * as hono_types5 from "hono/types";
+import * as hono_types3 from "hono/types";
 
 //#region src/domains/evals/workflow/routes.d.ts
-declare const workflowRoutes: Hono<hono_types5.BlankEnv, hono_types5.BlankSchema, "/">;
+declare const workflowRoutes: Hono<hono_types3.BlankEnv, hono_types3.BlankSchema, "/">;
 //#endregion
 export { workflowRoutes };

package/dist/domains/manage/routes/conversations.d.ts

@@ -1,7 +1,7 @@
 import { OpenAPIHono } from "@hono/zod-openapi";
-import * as hono16 from "hono";
+import * as hono3 from "hono";
 
 //#region src/domains/manage/routes/conversations.d.ts
-declare const app: OpenAPIHono<hono16.Env, {}, "/">;
+declare const app: OpenAPIHono<hono3.Env, {}, "/">;
 //#endregion
 export { app as default };

package/dist/domains/manage/routes/index.d.ts

@@ -1,7 +1,7 @@
 import { OpenAPIHono } from "@hono/zod-openapi";
-import * as hono17 from "hono";
+import * as hono12 from "hono";
 
 //#region src/domains/manage/routes/index.d.ts
-declare const app: OpenAPIHono<hono17.Env, {}, "/">;
+declare const app: OpenAPIHono<hono12.Env, {}, "/">;
 //#endregion
 export { app as default };

package/dist/domains/manage/routes/mcp.d.ts

@@ -1,7 +1,7 @@
 import { Hono } from "hono";
-import * as hono_types8 from "hono/types";
+import * as hono_types7 from "hono/types";
 
 //#region src/domains/manage/routes/mcp.d.ts
-declare const app: Hono<hono_types8.BlankEnv, hono_types8.BlankSchema, "/">;
+declare const app: Hono<hono_types7.BlankEnv, hono_types7.BlankSchema, "/">;
 //#endregion
 export { app as default };

package/dist/domains/manage/routes/signoz.d.ts

@@ -1,10 +1,10 @@
 import { ManageAppVariables } from "../../../types/app.js";
 import { Hono } from "hono";
-import * as hono_types7 from "hono/types";
+import * as hono_types9 from "hono/types";
 
 //#region src/domains/manage/routes/signoz.d.ts
 declare const app: Hono<{
   Variables: ManageAppVariables;
-}, hono_types7.BlankSchema, "/">;
+}, hono_types9.BlankSchema, "/">;
 //#endregion
 export { app as default };

package/dist/domains/manage/routes/signoz.js

@@ -1,6 +1,6 @@
 import { getLogger as getLogger$1 } from "../../../logger.js";
 import { env } from "../../../env.js";
-import { enforceProjectFilter } from "../../../utils/signozHelpers.js";
+import { enforceSecurityFilters } from "../../../utils/signozHelpers.js";
 import { Hono } from "hono";
 import { createApiError, projectExists } from "@inkeep/agents-core";
 import axios from "axios";
@@ -36,9 +36,12 @@ app.post("/query", async (c) => {
 				message: "You do not have access to this project"
 			}, 403);
 		}
-		payload = enforceProjectFilter(payload, requestedProjectId);
-		logger.debug({ projectId: requestedProjectId }, "Project filter enforced");
 	}
+	payload = enforceSecurityFilters(payload, tenantId, requestedProjectId);
+	logger.debug({
+		tenantId,
+		projectId: requestedProjectId
+	}, "Security filters enforced");
 	const signozUrl = env.SIGNOZ_URL || env.PUBLIC_SIGNOZ_URL;
 	const signozApiKey = env.SIGNOZ_API_KEY;
 	if (!signozUrl || !signozApiKey) {

package/dist/domains/run/agents/relationTools.d.ts

@@ -1,6 +1,6 @@
 import { AgentConfig, DelegateRelation } from "./Agent.js";
 import { InternalRelation } from "../utils/project.js";
-import * as _inkeep_agents_core2 from "@inkeep/agents-core";
+import * as _inkeep_agents_core1 from "@inkeep/agents-core";
 import { CredentialStoreRegistry, FullExecutionContext } from "@inkeep/agents-core";
 import * as ai0 from "ai";
 
@@ -44,7 +44,7 @@ declare function createDelegateToAgentTool({
   message: string;
 }, {
   toolCallId: any;
-  result: _inkeep_agents_core2.Message | _inkeep_agents_core2.Task;
+  result: _inkeep_agents_core1.Message | _inkeep_agents_core1.Task;
 }>;
 /**
  * Parameters for building a transfer relation config

package/dist/domains/run/services/TriggerService.js

@@ -5,7 +5,7 @@ import runDbClient_default from "../../../data/db/runDbClient.js";
 import { createSSEStreamHelper } from "../utils/stream-helpers.js";
 import { ExecutionHandler } from "../handlers/executionHandler.js";
 import { JsonTransformer, createMessage, createOrGetConversation, createTriggerInvocation, generateId, getConversationId, getFullProjectWithRelationIds, getTriggerById, interpolateTemplate, setActiveAgentForConversation, updateTriggerInvocationStatus, verifySigningSecret, verifyTriggerAuth, withRef } from "@inkeep/agents-core";
-import { SpanStatusCode, trace } from "@opentelemetry/api";
+import { ROOT_CONTEXT, SpanStatusCode, propagation, trace } from "@opentelemetry/api";
 import Ajv from "ajv";
 
 //#region src/domains/run/services/TriggerService.ts
@@ -250,7 +250,10 @@ async function dispatchExecution(params) {
 */
 async function executeAgentAsync(params) {
 	const { tenantId, projectId, agentId, triggerId, invocationId, conversationId, userMessage, messageParts, resolvedRef } = params;
-	return trace.getTracer("trigger-service").startActiveSpan("trigger.execute_async", { attributes: {
+	const tracer = trace.getTracer("trigger-service");
+	const baggage = propagation.createBaggage().setEntry("tenant.id", { value: tenantId }).setEntry("project.id", { value: projectId }).setEntry("agent.id", { value: agentId }).setEntry("conversation.id", { value: conversationId });
+	const contextWithBaggage = propagation.setBaggage(ROOT_CONTEXT, baggage);
+	return tracer.startActiveSpan("trigger.execute_async", { attributes: {
 		"tenant.id": tenantId,
 		"project.id": projectId,
 		"agent.id": agentId,
@@ -258,7 +261,7 @@ async function executeAgentAsync(params) {
 		"trigger.invocation.id": invocationId,
 		"conversation.id": conversationId,
 		"invocation.type": "trigger"
-	} }, async (span) => {
+	} }, contextWithBaggage, async (span) => {
 		logger.info({
 			tenantId,
 			projectId,

package/dist/domains/run/utils/token-estimator.d.ts

@@ -1,4 +1,4 @@
-import * as _inkeep_agents_core1 from "@inkeep/agents-core";
+import * as _inkeep_agents_core3 from "@inkeep/agents-core";
 import { BreakdownComponentDef, ContextBreakdown, calculateBreakdownTotal, createEmptyBreakdown } from "@inkeep/agents-core";
 
 //#region src/domains/run/utils/token-estimator.d.ts
@@ -17,7 +17,7 @@ interface AssembleResult {
   /** The assembled prompt string */
   prompt: string;
   /** Token breakdown for each component */
-  breakdown: _inkeep_agents_core1.ContextBreakdown;
+  breakdown: _inkeep_agents_core3.ContextBreakdown;
 }
 //#endregion
 export { AssembleResult, type BreakdownComponentDef, type ContextBreakdown, calculateBreakdownTotal, createEmptyBreakdown, estimateTokens };

package/dist/factory.d.ts

@@ -7,7 +7,7 @@ import * as hono0 from "hono";
 import { CredentialStore, ServerConfig } from "@inkeep/agents-core";
 import * as zod0 from "zod";
 import { SSOProviderConfig, UserAuthConfig } from "@inkeep/agents-core/auth";
-import * as hono_types1 from "hono/types";
+import * as hono_types0 from "hono/types";
 import * as better_auth0 from "better-auth";
 import * as better_auth_plugins0 from "better-auth/plugins";
 import * as _better_auth_sso0 from "@better-auth/sso";
@@ -1536,6 +1536,6 @@ declare function createAgentsApp(config?: {
   auth?: UserAuthConfig;
   sandboxConfig?: SandboxConfig;
   skipInitialization?: boolean;
-}): hono0.Hono<hono_types1.BlankEnv, hono_types1.BlankSchema, "/">;
+}): hono0.Hono<hono_types0.BlankEnv, hono_types0.BlankSchema, "/">;
 //#endregion
 export { type SSOProviderConfig, type UserAuthConfig, createAgentsApp, createAgentsAuth, createAgentsHono, createAuth0Provider, createOIDCProvider, initializeDefaultUser };

package/dist/index.d.ts

@@ -8,7 +8,7 @@ import { createAuth0Provider, createOIDCProvider } from "./ssoHelpers.js";
 import { SSOProviderConfig, UserAuthConfig, createAgentsApp } from "./factory.js";
 import { Hono } from "hono";
 import * as zod205 from "zod";
-import * as hono_types3 from "hono/types";
+import * as hono_types1 from "hono/types";
 import * as better_auth78 from "better-auth";
 import * as better_auth_plugins69 from "better-auth/plugins";
 import * as _better_auth_sso10 from "@better-auth/sso";
@@ -1531,6 +1531,6 @@ declare const auth: better_auth78.Auth<{
     }>;
   }];
 }> | null;
-declare const app: Hono<hono_types3.BlankEnv, hono_types3.BlankSchema, "/">;
+declare const app: Hono<hono_types1.BlankEnv, hono_types1.BlankSchema, "/">;
 //#endregion
 export { type AppConfig, type AppVariables, Hono, type NativeSandboxConfig, type SSOProviderConfig, type SandboxConfig, type UserAuthConfig, type VercelSandboxConfig, auth, createAgentsApp, createAgentsHono, createAuth0Provider, createOIDCProvider, app as default, initializeDefaultUser };

package/dist/middleware/projectAccess.d.ts

@@ -1,5 +1,5 @@
 import { ManageAppVariables } from "../types/app.js";
-import * as hono3 from "hono";
+import * as hono4 from "hono";
 
 //#region src/middleware/projectAccess.d.ts
 
@@ -26,6 +26,6 @@ declare const requireProjectPermission: <Env$1 extends {
   Variables: ManageAppVariables;
 } = {
   Variables: ManageAppVariables;
-}>(permission?: ProjectPermission) => hono3.MiddlewareHandler<Env$1, string, {}, Response>;
+}>(permission?: ProjectPermission) => hono4.MiddlewareHandler<Env$1, string, {}, Response>;
 //#endregion
 export { ProjectPermission, requireProjectPermission };

package/dist/middleware/projectConfig.d.ts

@@ -1,11 +1,11 @@
-import * as hono4 from "hono";
+import * as hono5 from "hono";
 import { BaseExecutionContext, ResolvedRef } from "@inkeep/agents-core";
 
 //#region src/middleware/projectConfig.d.ts
 /**
  * Middleware that fetches the full project definition from the Management API
  */
-declare const projectConfigMiddleware: hono4.MiddlewareHandler<{
+declare const projectConfigMiddleware: hono5.MiddlewareHandler<{
   Variables: {
     executionContext: BaseExecutionContext;
     resolvedRef: ResolvedRef;
@@ -15,7 +15,7 @@ declare const projectConfigMiddleware: hono4.MiddlewareHandler<{
  * Creates a middleware that applies project config fetching except for specified route patterns
  * @param skipRouteCheck - Function that returns true if the route should skip the middleware
  */
-declare const projectConfigMiddlewareExcept: (skipRouteCheck: (path: string) => boolean) => hono4.MiddlewareHandler<{
+declare const projectConfigMiddlewareExcept: (skipRouteCheck: (path: string) => boolean) => hono5.MiddlewareHandler<{
   Variables: {
     executionContext: BaseExecutionContext;
     resolvedRef: ResolvedRef;

package/dist/middleware/requirePermission.d.ts

@@ -1,5 +1,5 @@
 import { ManageAppVariables } from "../types/app.js";
-import * as hono6 from "hono";
+import * as hono8 from "hono";
 
 //#region src/middleware/requirePermission.d.ts
 type Permission = {
@@ -9,6 +9,6 @@ declare const requirePermission: <Env$1 extends {
   Variables: ManageAppVariables;
 } = {
   Variables: ManageAppVariables;
-}>(permissions: Permission) => hono6.MiddlewareHandler<Env$1, string, {}, Response>;
+}>(permissions: Permission) => hono8.MiddlewareHandler<Env$1, string, {}, Response>;
 //#endregion
 export { requirePermission };

package/dist/middleware/runAuth.d.ts

@@ -1,8 +1,8 @@
-import * as hono7 from "hono";
+import * as hono9 from "hono";
 import { BaseExecutionContext } from "@inkeep/agents-core";
 
 //#region src/middleware/runAuth.d.ts
-declare const runApiKeyAuth: () => hono7.MiddlewareHandler<{
+declare const runApiKeyAuth: () => hono9.MiddlewareHandler<{
   Variables: {
     executionContext: BaseExecutionContext;
   };
@@ -11,7 +11,7 @@ declare const runApiKeyAuth: () => hono7.MiddlewareHandler<{
  * Creates a middleware that applies API key authentication except for specified route patterns
  * @param skipRouteCheck - Function that returns true if the route should skip authentication
  */
-declare const runApiKeyAuthExcept: (skipRouteCheck: (path: string) => boolean) => hono7.MiddlewareHandler<{
+declare const runApiKeyAuthExcept: (skipRouteCheck: (path: string) => boolean) => hono9.MiddlewareHandler<{
   Variables: {
     executionContext: BaseExecutionContext;
   };
@@ -20,7 +20,7 @@ declare const runApiKeyAuthExcept: (skipRouteCheck: (path: string) => boolean) =
  * Helper middleware for endpoints that optionally support API key authentication
  * If no auth header is present, it continues without setting the executionContext
  */
-declare const runOptionalAuth: () => hono7.MiddlewareHandler<{
+declare const runOptionalAuth: () => hono9.MiddlewareHandler<{
   Variables: {
     executionContext?: BaseExecutionContext;
   };

package/dist/middleware/sessionAuth.d.ts

@@ -1,4 +1,4 @@
-import * as hono10 from "hono";
+import * as hono13 from "hono";
 
 //#region src/middleware/sessionAuth.d.ts
 
@@ -7,11 +7,11 @@ import * as hono10 from "hono";
  * Requires that a user has already been authenticated via Better Auth session.
  * Used primarily for manage routes that require an active user session.
  */
-declare const sessionAuth: () => hono10.MiddlewareHandler<any, string, {}, Response>;
+declare const sessionAuth: () => hono13.MiddlewareHandler<any, string, {}, Response>;
 /**
  * Global session middleware - sets user and session in context for all routes
  * Used for all routes that require an active user session.
  */
-declare const sessionContext: () => hono10.MiddlewareHandler<any, string, {}, Response>;
+declare const sessionContext: () => hono13.MiddlewareHandler<any, string, {}, Response>;
 //#endregion
 export { sessionAuth, sessionContext };

package/dist/middleware/tenantAccess.d.ts

@@ -1,4 +1,4 @@
-import * as hono12 from "hono";
+import * as hono7 from "hono";
 
 //#region src/middleware/tenantAccess.d.ts
 
@@ -11,7 +11,7 @@ import * as hono12 from "hono";
  * - API key user: Access only to the tenant associated with the API key
  * - Session user: Access based on organization membership
  */
-declare const requireTenantAccess: () => hono12.MiddlewareHandler<{
+declare const requireTenantAccess: () => hono7.MiddlewareHandler<{
   Variables: {
     userId: string;
     tenantId: string;

package/dist/middleware/tracing.d.ts

@@ -1,7 +1,7 @@
-import * as hono13 from "hono";
+import * as hono15 from "hono";
 
 //#region src/middleware/tracing.d.ts
-declare const otelBaggageMiddleware: () => hono13.MiddlewareHandler<any, string, {}, Response>;
-declare const executionBaggageMiddleware: () => hono13.MiddlewareHandler<any, string, {}, Response>;
+declare const otelBaggageMiddleware: () => hono15.MiddlewareHandler<any, string, {}, Response>;
+declare const executionBaggageMiddleware: () => hono15.MiddlewareHandler<any, string, {}, Response>;
 //#endregion
 export { executionBaggageMiddleware, otelBaggageMiddleware };

package/dist/utils/signozHelpers.d.ts

@@ -4,6 +4,6 @@
  * This modifies the query payload to ensure all builder queries include
  * a server-side project.id filter, preventing client-side filter bypass.
  */
-declare function enforceProjectFilter(payload: any, projectId: string): any;
+declare function enforceSecurityFilters(payload: any, tenantId: string, projectId?: string): any;
 //#endregion
-export { enforceProjectFilter };
+export { enforceSecurityFilters };

package/dist/utils/signozHelpers.js

@@ -4,7 +4,7 @@
 * This modifies the query payload to ensure all builder queries include
 * a server-side project.id filter, preventing client-side filter bypass.
 */
-function enforceProjectFilter(payload, projectId) {
+function enforceSecurityFilters(payload, tenantId, projectId) {
 	const modifiedPayload = JSON.parse(JSON.stringify(payload));
 	if (modifiedPayload.compositeQuery?.builderQueries) for (const queryKey in modifiedPayload.compositeQuery.builderQueries) {
 		const query = modifiedPayload.compositeQuery.builderQueries[queryKey];
@@ -12,8 +12,20 @@ function enforceProjectFilter(payload, projectId) {
 			op: "AND",
 			items: []
 		};
-		query.filters.items = query.filters.items.filter((item) => item.key?.key !== "project.id");
+		query.filters.items = query.filters.items.filter((item) => item.key?.key !== "tenant.id" && item.key?.key !== "project.id");
 		query.filters.items.push({
+			key: {
+				key: "tenant.id",
+				dataType: "string",
+				type: "tag",
+				isColumn: false,
+				isJSON: false,
+				id: "false"
+			},
+			op: "=",
+			value: tenantId
+		});
+		if (projectId) query.filters.items.push({
 			key: {
 				key: "project.id",
 				dataType: "string",
@@ -30,4 +42,4 @@ function enforceProjectFilter(payload, projectId) {
 }
 
 //#endregion
-export { enforceProjectFilter };
+export { enforceSecurityFilters };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@inkeep/agents-api",
-  "version": "0.0.0-dev-20260122151138",
+  "version": "0.0.0-dev-20260122153611",
   "description": "Unified Inkeep Agents API - combines management, runtime, and evaluation capabilities",
   "types": "dist/index.d.ts",
   "exports": {
@@ -71,8 +71,8 @@
     "openid-client": "^6.8.1",
     "pg": "^8.16.3",
     "workflow": "4.0.1-beta.33",
-    "@inkeep/agents-core": "^0.0.0-dev-20260122151138",
-    "@inkeep/agents-manage-mcp": "^0.0.0-dev-20260122151138"
+    "@inkeep/agents-core": "^0.0.0-dev-20260122153611",
+    "@inkeep/agents-manage-mcp": "^0.0.0-dev-20260122153611"
   },
   "peerDependencies": {
     "@hono/zod-openapi": "^1.1.5",