@inkeep/agents-api 0.0.0-dev-20260123094230 → 0.0.0-dev-20260123205017

package/dist/.well-known/workflow/v1/step.cjs.debug.json

@@ -1,6 +1,6 @@
 {
   "stepFiles": [
-    "/home/runner/work/agents/agents/agents-api/src/domains/evals/workflow/functions/runDatasetItem.ts",
-    "/home/runner/work/agents/agents/agents-api/src/domains/evals/workflow/functions/evaluateConversation.ts"
+    "/home/runner/work/agents/agents/agents-api/src/domains/evals/workflow/functions/evaluateConversation.ts",
+    "/home/runner/work/agents/agents/agents-api/src/domains/evals/workflow/functions/runDatasetItem.ts"
   ]
 }

package/dist/data/db/runDbClient.d.ts

@@ -1,6 +1,6 @@
-import * as _inkeep_agents_core3 from "@inkeep/agents-core";
+import * as _inkeep_agents_core0 from "@inkeep/agents-core";
 
 //#region src/data/db/runDbClient.d.ts
-declare const runDbClient: _inkeep_agents_core3.AgentsRunDatabaseClient;
+declare const runDbClient: _inkeep_agents_core0.AgentsRunDatabaseClient;
 //#endregion
 export { runDbClient as default };

package/dist/domains/evals/routes/datasetTriggers.d.ts

@@ -1,7 +1,7 @@
 import { OpenAPIHono } from "@hono/zod-openapi";
-import * as hono12 from "hono";
+import * as hono14 from "hono";
 
 //#region src/domains/evals/routes/datasetTriggers.d.ts
-declare const app: OpenAPIHono<hono12.Env, {}, "/">;
+declare const app: OpenAPIHono<hono14.Env, {}, "/">;
 //#endregion
 export { app as default };

package/dist/domains/evals/routes/index.d.ts

@@ -1,7 +1,7 @@
 import { OpenAPIHono } from "@hono/zod-openapi";
-import * as hono13 from "hono";
+import * as hono15 from "hono";
 
 //#region src/domains/evals/routes/index.d.ts
-declare const app: OpenAPIHono<hono13.Env, {}, "/">;
+declare const app: OpenAPIHono<hono15.Env, {}, "/">;
 //#endregion
 export { app as default };

package/dist/domains/evals/workflow/routes.d.ts

@@ -1,7 +1,7 @@
 import { Hono } from "hono";
-import * as hono_types7 from "hono/types";
+import * as hono_types5 from "hono/types";
 
 //#region src/domains/evals/workflow/routes.d.ts
-declare const workflowRoutes: Hono<hono_types7.BlankEnv, hono_types7.BlankSchema, "/">;
+declare const workflowRoutes: Hono<hono_types5.BlankEnv, hono_types5.BlankSchema, "/">;
 //#endregion
 export { workflowRoutes };

package/dist/domains/manage/routes/conversations.d.ts

@@ -1,7 +1,7 @@
 import { OpenAPIHono } from "@hono/zod-openapi";
-import * as hono0 from "hono";
+import * as hono16 from "hono";
 
 //#region src/domains/manage/routes/conversations.d.ts
-declare const app: OpenAPIHono<hono0.Env, {}, "/">;
+declare const app: OpenAPIHono<hono16.Env, {}, "/">;
 //#endregion
 export { app as default };

package/dist/domains/manage/routes/evals/evaluationResults.d.ts

@@ -1,7 +1,7 @@
 import { OpenAPIHono } from "@hono/zod-openapi";
-import * as hono14 from "hono";
+import * as hono17 from "hono";
 
 //#region src/domains/manage/routes/evals/evaluationResults.d.ts
-declare const app: OpenAPIHono<hono14.Env, {}, "/">;
+declare const app: OpenAPIHono<hono17.Env, {}, "/">;
 //#endregion
 export { app as default };

package/dist/domains/manage/routes/index.d.ts

@@ -1,7 +1,7 @@
 import { OpenAPIHono } from "@hono/zod-openapi";
-import * as hono9 from "hono";
+import * as hono18 from "hono";
 
 //#region src/domains/manage/routes/index.d.ts
-declare const app: OpenAPIHono<hono9.Env, {}, "/">;
+declare const app: OpenAPIHono<hono18.Env, {}, "/">;
 //#endregion
 export { app as default };

package/dist/domains/manage/routes/mcp.d.ts

@@ -1,7 +1,7 @@
 import { Hono } from "hono";
-import * as hono_types5 from "hono/types";
+import * as hono_types7 from "hono/types";
 
 //#region src/domains/manage/routes/mcp.d.ts
-declare const app: Hono<hono_types5.BlankEnv, hono_types5.BlankSchema, "/">;
+declare const app: Hono<hono_types7.BlankEnv, hono_types7.BlankSchema, "/">;
 //#endregion
 export { app as default };

package/dist/domains/manage/routes/triggers.js

@@ -4,21 +4,11 @@ import runDbClient_default from "../../../data/db/runDbClient.js";
 import { requireProjectPermission } from "../../../middleware/projectAccess.js";
 import { speakeasyOffsetLimitPagination } from "../../../utils/speakeasy.js";
 import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
-import { PaginationQueryParamsSchema, TenantProjectAgentIdParamsSchema, TenantProjectAgentParamsSchema, TriggerApiInsertSchema, TriggerApiSelectSchema, TriggerApiUpdateSchema, TriggerInvocationListResponse, TriggerInvocationResponse, TriggerInvocationStatusEnum, commonGetErrorResponses, createApiError, createTrigger, deleteTrigger, generateId, getTriggerById, getTriggerInvocationById, hashAuthenticationHeaders, listTriggerInvocationsPaginated, listTriggersPaginated, updateTrigger } from "@inkeep/agents-core";
+import { PaginationQueryParamsSchema, TenantProjectAgentIdParamsSchema, TenantProjectAgentParamsSchema, TriggerApiInsertSchema, TriggerApiUpdateSchema, TriggerInvocationListResponse, TriggerInvocationResponse, TriggerInvocationStatusEnum, TriggerWithWebhookUrlListResponse, TriggerWithWebhookUrlResponse, commonGetErrorResponses, createApiError, createTrigger, deleteTrigger, generateId, getCredentialReference, getTriggerById, getTriggerInvocationById, hashAuthenticationHeaders, listTriggerInvocationsPaginated, listTriggersPaginated, updateTrigger } from "@inkeep/agents-core";
 
 //#region src/domains/manage/routes/triggers.ts
 const logger = getLogger$1("triggers");
 const app = new OpenAPIHono();
-const TriggerResponse = z.object({ data: TriggerApiSelectSchema.extend({ webhookUrl: z.string().describe("Fully qualified webhook URL for this trigger") }) });
-const TriggerListResponse = z.object({
-	data: z.array(TriggerApiSelectSchema.extend({ webhookUrl: z.string().describe("Fully qualified webhook URL for this trigger") })),
-	pagination: z.object({
-		page: z.number(),
-		limit: z.number(),
-		total: z.number(),
-		pages: z.number()
-	})
-});
 app.use("/", async (c, next) => {
 	if (c.req.method === "POST") return requireProjectPermission("edit")(c, next);
 	return next();
@@ -51,7 +41,7 @@ app.openapi(createRoute({
 	responses: {
 		200: {
 			description: "List of triggers retrieved successfully",
-			content: { "application/json": { schema: TriggerListResponse } }
+			content: { "application/json": { schema: TriggerWithWebhookUrlListResponse } }
 		},
 		...commonGetErrorResponses
 	},
@@ -103,7 +93,7 @@ app.openapi(createRoute({
 	responses: {
 		200: {
 			description: "Trigger found",
-			content: { "application/json": { schema: TriggerResponse } }
+			content: { "application/json": { schema: TriggerWithWebhookUrlResponse } }
 		},
 		...commonGetErrorResponses
 	}
@@ -151,7 +141,7 @@ app.openapi(createRoute({
 	responses: {
 		201: {
 			description: "Trigger created successfully",
-			content: { "application/json": { schema: TriggerResponse } }
+			content: { "application/json": { schema: TriggerWithWebhookUrlResponse } }
 		},
 		...commonGetErrorResponses
 	}
@@ -161,12 +151,29 @@ app.openapi(createRoute({
 	const body = c.req.valid("json");
 	const apiBaseUrl = env.INKEEP_AGENTS_API_URL;
 	const id = body.id || generateId();
-	logger.info({
+	logger.debug({
 		tenantId,
 		projectId,
 		agentId,
 		triggerId: id
 	}, "Creating trigger");
+	if (body.signingSecretCredentialReferenceId) {
+		const credentialRef = await getCredentialReference(db)({
+			scopes: {
+				tenantId,
+				projectId
+			},
+			id: body.signingSecretCredentialReferenceId
+		});
+		if (!credentialRef) throw createApiError({
+			code: "bad_request",
+			message: `Credential reference not found: ${body.signingSecretCredentialReferenceId}`
+		});
+		if (credentialRef.userId) throw createApiError({
+			code: "bad_request",
+			message: "Only project-scoped credentials can be attached to triggers. User-scoped credentials are not allowed."
+		});
+	}
 	let hashedAuthentication;
 	const authInput = body.authentication;
 	if (authInput?.headers && authInput.headers.length > 0) hashedAuthentication = { headers: await hashAuthenticationHeaders(authInput.headers) };
@@ -182,7 +189,8 @@ app.openapi(createRoute({
 		outputTransform: body.outputTransform,
 		messageTemplate: body.messageTemplate,
 		authentication: hashedAuthentication,
-		signingSecret: body.signingSecret
+		signingSecretCredentialReferenceId: body.signingSecretCredentialReferenceId,
+		signatureVerification: body.signatureVerification
 	});
 	const { tenantId: _tid, projectId: _pid, agentId: _aid, ...triggerWithoutScopes } = trigger;
 	return c.json({ data: {
@@ -212,7 +220,7 @@ app.openapi(createRoute({
 	responses: {
 		200: {
 			description: "Trigger updated successfully",
-			content: { "application/json": { schema: TriggerResponse } }
+			content: { "application/json": { schema: TriggerWithWebhookUrlResponse } }
 		},
 		...commonGetErrorResponses
 	}
@@ -221,16 +229,33 @@ app.openapi(createRoute({
 	const { tenantId, projectId, agentId, id } = c.req.valid("param");
 	const body = c.req.valid("json");
 	const apiBaseUrl = env.INKEEP_AGENTS_API_URL;
-	if (!(body.name !== void 0 || body.description !== void 0 || body.enabled !== void 0 || body.inputSchema !== void 0 || body.outputTransform !== void 0 || body.messageTemplate !== void 0 || body.authentication !== void 0 || body.signingSecret !== void 0 || body.keepExistingSigningSecret !== void 0)) throw createApiError({
+	if (!(body.name !== void 0 || body.description !== void 0 || body.enabled !== void 0 || body.inputSchema !== void 0 || body.outputTransform !== void 0 || body.messageTemplate !== void 0 || body.authentication !== void 0 || body.signingSecretCredentialReferenceId !== void 0 || body.signatureVerification !== void 0)) throw createApiError({
 		code: "bad_request",
 		message: "No fields to update"
 	});
-	logger.info({
+	logger.debug({
 		tenantId,
 		projectId,
 		agentId,
 		triggerId: id
 	}, "Updating trigger");
+	if (body.signingSecretCredentialReferenceId) {
+		const credentialRef = await getCredentialReference(db)({
+			scopes: {
+				tenantId,
+				projectId
+			},
+			id: body.signingSecretCredentialReferenceId
+		});
+		if (!credentialRef) throw createApiError({
+			code: "bad_request",
+			message: `Credential reference not found: ${body.signingSecretCredentialReferenceId}`
+		});
+		if (credentialRef.userId) throw createApiError({
+			code: "bad_request",
+			message: "Only project-scoped credentials can be attached to triggers. User-scoped credentials are not allowed."
+		});
+	}
 	let hashedAuthentication;
 	const authInput = body.authentication;
 	if (authInput?.headers && authInput.headers.length > 0) {
@@ -259,7 +284,6 @@ app.openapi(createRoute({
 		}
 		hashedAuthentication = hashedHeaders.length > 0 ? { headers: hashedHeaders } : void 0;
 	} else if (body.authentication !== void 0) hashedAuthentication = body.authentication;
-	const signingSecretUpdate = body.keepExistingSigningSecret ? void 0 : body.signingSecret;
 	const updatedTrigger = await updateTrigger(db)({
 		scopes: {
 			tenantId,
@@ -275,7 +299,8 @@ app.openapi(createRoute({
 			outputTransform: body.outputTransform,
 			messageTemplate: body.messageTemplate,
 			authentication: hashedAuthentication,
-			signingSecret: signingSecretUpdate
+			signingSecretCredentialReferenceId: body.signingSecretCredentialReferenceId,
+			signatureVerification: body.signatureVerification
 		}
 	});
 	if (!updatedTrigger) throw createApiError({
@@ -311,7 +336,7 @@ app.openapi(createRoute({
 }), async (c) => {
 	const db = c.get("db");
 	const { tenantId, projectId, agentId, id } = c.req.valid("param");
-	logger.info({
+	logger.debug({
 		tenantId,
 		projectId,
 		agentId,
@@ -372,7 +397,7 @@ app.openapi(createRoute({
 }), async (c) => {
 	const { tenantId, projectId, agentId, id: triggerId } = c.req.valid("param");
 	const { page, limit, status, from, to } = c.req.valid("query");
-	logger.info({
+	logger.debug({
 		tenantId,
 		projectId,
 		agentId,
@@ -426,7 +451,7 @@ app.openapi(createRoute({
 	}
 }), async (c) => {
 	const { tenantId, projectId, agentId, id: triggerId, invocationId } = c.req.valid("param");
-	logger.info({
+	logger.debug({
 		tenantId,
 		projectId,
 		agentId,

package/dist/domains/run/agents/Agent.js

@@ -819,10 +819,12 @@ var Agent = class {
 					continue;
 				}
 				const zodSchema = jsonSchemaToZod(functionData.inputSchema);
+				const toolPolicies = functionToolDef.toolPolicies;
+				const needsApproval = !!toolPolicies?.["*"]?.needsApproval || !!toolPolicies?.[functionToolDef.name]?.needsApproval;
 				const aiTool = tool({
 					description: functionToolDef.description || functionToolDef.name,
 					inputSchema: zodSchema,
-					execute: async (args, { toolCallId }) => {
+					execute: async (args, { toolCallId, providerMetadata }) => {
 						let processedArgs;
 						try {
 							processedArgs = parseEmbeddedJson(args);
@@ -839,6 +841,95 @@ var Agent = class {
 							processedArgs = args;
 						}
 						const finalArgs = processedArgs;
+						if (needsApproval) {
+							logger.info({
+								toolName: functionToolDef.name,
+								toolCallId,
+								args: finalArgs
+							}, "Function tool requires approval - waiting for user response");
+							const currentSpan = trace.getActiveSpan();
+							if (currentSpan) currentSpan.addEvent("tool.approval.requested", {
+								"tool.name": functionToolDef.name,
+								"tool.callId": toolCallId,
+								"subAgent.id": this.config.id
+							});
+							tracer.startActiveSpan("tool.approval_requested", { attributes: {
+								"tool.name": functionToolDef.name,
+								"tool.callId": toolCallId,
+								"subAgent.id": this.config.id,
+								"subAgent.name": this.config.name
+							} }, (requestSpan) => {
+								requestSpan.setStatus({ code: SpanStatusCode.OK });
+								requestSpan.end();
+							});
+							const streamHelper = this.getStreamingHelper();
+							if (streamHelper) await streamHelper.writeToolApprovalRequest({
+								approvalId: `aitxt-${toolCallId}`,
+								toolCallId
+							});
+							else if (this.isDelegatedAgent) {
+								const streamRequestId$1 = this.getStreamRequestId();
+								if (streamRequestId$1) await toolApprovalUiBus.publish(streamRequestId$1, {
+									type: "approval-needed",
+									toolCallId,
+									toolName: functionToolDef.name,
+									input: finalArgs,
+									providerMetadata,
+									approvalId: `aitxt-${toolCallId}`
+								});
+							}
+							const approvalResult = await pendingToolApprovalManager.waitForApproval(toolCallId, functionToolDef.name, args, this.conversationId || "unknown", this.config.id);
+							if (!approvalResult.approved) {
+								if (!streamHelper && this.isDelegatedAgent) {
+									const streamRequestId$1 = this.getStreamRequestId();
+									if (streamRequestId$1) await toolApprovalUiBus.publish(streamRequestId$1, {
+										type: "approval-resolved",
+										toolCallId,
+										approved: false
+									});
+								}
+								return tracer.startActiveSpan("tool.approval_denied", { attributes: {
+									"tool.name": functionToolDef.name,
+									"tool.callId": toolCallId,
+									"subAgent.id": this.config.id,
+									"subAgent.name": this.config.name
+								} }, (denialSpan) => {
+									logger.info({
+										toolName: functionToolDef.name,
+										toolCallId,
+										reason: approvalResult.reason
+									}, "Function tool execution denied by user");
+									denialSpan.setStatus({ code: SpanStatusCode.OK });
+									denialSpan.end();
+									return {
+										__inkeepToolDenied: true,
+										toolCallId,
+										reason: approvalResult.reason
+									};
+								});
+							}
+							tracer.startActiveSpan("tool.approval_approved", { attributes: {
+								"tool.name": functionToolDef.name,
+								"tool.callId": toolCallId,
+								"subAgent.id": this.config.id,
+								"subAgent.name": this.config.name
+							} }, (approvedSpan) => {
+								logger.info({
+									toolName: functionToolDef.name,
+									toolCallId
+								}, "Function tool approved, continuing with execution");
+								approvedSpan.setStatus({ code: SpanStatusCode.OK });
+								approvedSpan.end();
+							});
+							if (!streamHelper && this.isDelegatedAgent) {
+								const streamRequestId$1 = this.getStreamRequestId();
+								if (streamRequestId$1) await toolApprovalUiBus.publish(streamRequestId$1, {
+									type: "approval-resolved",
+									toolCallId,
+									approved: true
+								});
+							}
+						}
 						logger.debug({
 							toolName: functionToolDef.name,
 							toolCallId,
@@ -876,7 +967,7 @@ var Agent = class {
 						}
 					}
 				});
-				functionTools[functionToolDef.name] = this.wrapToolWithStreaming(functionToolDef.name, aiTool, streamRequestId || "", "tool");
+				functionTools[functionToolDef.name] = this.wrapToolWithStreaming(functionToolDef.name, aiTool, streamRequestId || "", "tool", { needsApproval });
 			}
 		} catch (error) {
 			logger.error({ error }, "Failed to load function tools from database");

package/dist/domains/run/agents/relationTools.d.ts

@@ -1,6 +1,6 @@
 import { AgentConfig, DelegateRelation } from "./Agent.js";
 import { InternalRelation } from "../utils/project.js";
-import * as _inkeep_agents_core0 from "@inkeep/agents-core";
+import * as _inkeep_agents_core1 from "@inkeep/agents-core";
 import { CredentialStoreRegistry, FullExecutionContext } from "@inkeep/agents-core";
 import * as ai0 from "ai";
 
@@ -44,7 +44,7 @@ declare function createDelegateToAgentTool({
   message: string;
 }, {
   toolCallId: any;
-  result: _inkeep_agents_core0.Message | _inkeep_agents_core0.Task;
+  result: _inkeep_agents_core1.Message | _inkeep_agents_core1.Task;
 }>;
 /**
  * Parameters for building a transfer relation config

package/dist/domains/run/routes/webhooks.js

@@ -55,6 +55,10 @@ const triggerWebhookRoute = createRoute({
 		422: {
 			description: "Payload transformation failed",
 			content: { "application/json": { schema: z.object({ error: z.string() }) } }
+		},
+		500: {
+			description: "Internal server error",
+			content: { "application/json": { schema: z.object({ error: z.string() }) } }
 		}
 	}
 });

package/dist/domains/run/services/TriggerService.d.ts

@@ -19,7 +19,7 @@ type TriggerWebhookResult = {
 } | {
   success: false;
   error: string;
-  status: 400 | 401 | 403 | 404 | 422;
+  status: 400 | 401 | 403 | 404 | 422 | 500;
   validationErrors?: string[];
 };
 /**

package/dist/domains/run/services/TriggerService.js

@@ -4,13 +4,15 @@ import manageDbPool_default from "../../../data/db/manageDbPool.js";
 import runDbClient_default from "../../../data/db/runDbClient.js";
 import { createSSEStreamHelper } from "../utils/stream-helpers.js";
 import { ExecutionHandler } from "../handlers/executionHandler.js";
-import { JsonTransformer, createMessage, createOrGetConversation, createTriggerInvocation, generateId, getConversationId, getFullProjectWithRelationIds, getTriggerById, interpolateTemplate, setActiveAgentForConversation, updateTriggerInvocationStatus, verifySigningSecret, verifyTriggerAuth, withRef } from "@inkeep/agents-core";
+import { JsonTransformer, createKeyChainStore, createMessage, createOrGetConversation, createTriggerInvocation, generateId, getConversationId, getCredentialReference, getCredentialStoreLookupKeyFromRetrievalParams, getFullProjectWithRelationIds, getTriggerById, interpolateTemplate, setActiveAgentForConversation, updateTriggerInvocationStatus, verifySignatureWithConfig, verifyTriggerAuth, withRef } from "@inkeep/agents-core";
 import { ROOT_CONTEXT, SpanStatusCode, propagation, trace } from "@opentelemetry/api";
 import Ajv from "ajv";
 
 //#region src/domains/run/services/TriggerService.ts
 const logger = getLogger$1("TriggerService");
 const ajv = new Ajv({ allErrors: true });
+const credentialCache = /* @__PURE__ */ new Map();
+const CACHE_TTL_MS = 300 * 1e3;
 /**
 * Process a trigger webhook request.
 * Handles validation, transformation, and dispatches async execution.
@@ -37,7 +39,14 @@ async function processWebhook(params) {
 	const payload = rawBody ? JSON.parse(rawBody) : {};
 	const authResult = await verifyAuthentication(trigger, honoContext);
 	if (!authResult.success) return authResult;
-	const signatureResult = verifySignature(trigger, honoContext, rawBody);
+	const signatureResult = await verifySignature({
+		trigger,
+		tenantId,
+		projectId,
+		resolvedRef,
+		honoContext,
+		rawBody
+	});
 	if (!signatureResult.success) return signatureResult;
 	const validationResult = validatePayload(trigger, payload);
 	if (!validationResult.success) return validationResult;
@@ -94,15 +103,106 @@ async function verifyAuthentication(trigger, honoContext) {
 	}
 	return { success: true };
 }
-function verifySignature(trigger, honoContext, rawBody) {
-	if (!trigger.signingSecret) return { success: true };
-	const signatureResult = verifySigningSecret(honoContext, trigger.signingSecret, rawBody);
-	if (!signatureResult.success) return {
-		success: false,
-		error: signatureResult.message || "Invalid signature",
-		status: 403
-	};
-	return { success: true };
+/**
+* Resolve signing secret from credential reference with caching
+*/
+async function resolveSigningSecret(params) {
+	const { tenantId, projectId, credentialReferenceId, resolvedRef } = params;
+	const cacheKey = `${tenantId}:${projectId}:${credentialReferenceId}`;
+	const cached = credentialCache.get(cacheKey);
+	if (cached && cached.expiresAt > Date.now()) return cached.secret;
+	const credentialRef = await withRef(manageDbPool_default, resolvedRef, (db) => getCredentialReference(db)({
+		scopes: {
+			tenantId,
+			projectId
+		},
+		id: credentialReferenceId
+	}));
+	if (!credentialRef) {
+		logger.warn({
+			tenantId,
+			projectId,
+			credentialReferenceId
+		}, "Credential reference not found");
+		return null;
+	}
+	const lookupKey = getCredentialStoreLookupKeyFromRetrievalParams({
+		retrievalParams: credentialRef.retrievalParams ?? {},
+		credentialStoreType: credentialRef.type
+	});
+	if (!lookupKey) {
+		logger.warn({
+			tenantId,
+			projectId,
+			credentialReferenceId,
+			retrievalParams: credentialRef.retrievalParams
+		}, "Could not determine lookup key from credential reference");
+		return null;
+	}
+	let secret = null;
+	if (credentialRef.type === "keychain" || credentialRef.credentialStoreId?.startsWith("keychain")) secret = await createKeyChainStore(credentialRef.credentialStoreId ?? "keychain-default").get(lookupKey);
+	else {
+		logger.warn({
+			credentialStoreType: credentialRef.type,
+			credentialStoreId: credentialRef.credentialStoreId
+		}, "Unsupported credential store type for signing secret");
+		return null;
+	}
+	if (!secret) {
+		logger.warn({
+			tenantId,
+			projectId,
+			credentialReferenceId,
+			lookupKey
+		}, "No secret found in credential store");
+		return null;
+	}
+	if (secret.startsWith("{")) try {
+		const parsed = JSON.parse(secret);
+		const extractedSecret = parsed.access_token || parsed.secret || parsed.value || parsed.token || parsed.key;
+		if (extractedSecret && typeof extractedSecret === "string") secret = extractedSecret;
+	} catch {}
+	credentialCache.set(cacheKey, {
+		secret,
+		expiresAt: Date.now() + CACHE_TTL_MS
+	});
+	return secret;
+}
+async function verifySignature(params) {
+	const { trigger, tenantId, projectId, resolvedRef, honoContext, rawBody } = params;
+	if (!trigger.signatureVerification || !trigger.signingSecretCredentialReferenceId) return { success: true };
+	try {
+		const secret = await resolveSigningSecret({
+			tenantId,
+			projectId,
+			credentialReferenceId: trigger.signingSecretCredentialReferenceId,
+			resolvedRef
+		});
+		if (!secret) return {
+			success: false,
+			error: "Failed to resolve signing secret from credential reference",
+			status: 500
+		};
+		const result = verifySignatureWithConfig(honoContext, trigger.signatureVerification, secret, rawBody);
+		if (!result.success) return {
+			success: false,
+			error: result.message || "Invalid signature",
+			status: 403
+		};
+		return { success: true };
+	} catch (error) {
+		const errorMessage = error instanceof Error ? error.message : String(error);
+		logger.error({
+			error: errorMessage,
+			tenantId,
+			projectId
+		}, "Error during signature verification");
+		return {
+			success: false,
+			error: "Signature verification failed",
+			status: 500
+		};
+	}
 }
 function validatePayload(trigger, payload) {
 	if (!trigger.inputSchema) return { success: true };

package/dist/domains/run/tools/NativeSandboxExecutor.js

@@ -312,8 +312,6 @@ var NativeSandboxExecutor = class {
 			mkdirSync(runDir, { recursive: true });
 			writeFileSync(join(runDir, `index.${moduleType === "esm" ? "mjs" : "cjs"}`), executionCode, "utf8");
 			return await this.executeInSandbox(runDir, config.sandboxConfig?.timeout || FUNCTION_TOOL_EXECUTION_TIMEOUT_MS_DEFAULT, moduleType, config.sandboxConfig);
-		} catch (error) {
-			throw error;
 		} finally {
 			if (runDir) try {
 				rmSync(runDir, {

package/dist/domains/run/utils/token-estimator.d.ts

@@ -1,4 +1,4 @@
-import * as _inkeep_agents_core2 from "@inkeep/agents-core";
+import * as _inkeep_agents_core3 from "@inkeep/agents-core";
 import { BreakdownComponentDef, ContextBreakdown, calculateBreakdownTotal, createEmptyBreakdown } from "@inkeep/agents-core";
 
 //#region src/domains/run/utils/token-estimator.d.ts
@@ -17,7 +17,7 @@ interface AssembleResult {
   /** The assembled prompt string */
   prompt: string;
   /** Token breakdown for each component */
-  breakdown: _inkeep_agents_core2.ContextBreakdown;
+  breakdown: _inkeep_agents_core3.ContextBreakdown;
 }
 //#endregion
 export { AssembleResult, type BreakdownComponentDef, type ContextBreakdown, calculateBreakdownTotal, createEmptyBreakdown, estimateTokens };

package/dist/env.d.ts

@@ -14,11 +14,11 @@ declare const envSchema: z.ZodObject<{
     pentest: "pentest";
   }>>;
   LOG_LEVEL: z.ZodDefault<z.ZodEnum<{
+    error: "error";
     trace: "trace";
     debug: "debug";
     info: "info";
     warn: "warn";
-    error: "error";
   }>>;
   INKEEP_AGENTS_MANAGE_DATABASE_URL: z.ZodString;
   INKEEP_AGENTS_RUN_DATABASE_URL: z.ZodString;
@@ -53,7 +53,7 @@ declare const envSchema: z.ZodObject<{
 declare const env: {
   NODE_ENV: "development" | "production" | "test";
   ENVIRONMENT: "development" | "production" | "test" | "pentest";
-  LOG_LEVEL: "trace" | "debug" | "info" | "warn" | "error";
+  LOG_LEVEL: "error" | "trace" | "debug" | "info" | "warn";
   INKEEP_AGENTS_MANAGE_DATABASE_URL: string;
   INKEEP_AGENTS_RUN_DATABASE_URL: string;
   INKEEP_AGENTS_API_URL: string;