@inkeep/agents-api 0.0.0-dev-20260126093157 → 0.0.0-dev-20260126174131

package/dist/.well-known/workflow/v1/manifest.debug.json

@@ -1,17 +1,14 @@
 {
   "steps": {
-    "src/domains/evals/workflow/functions/runDatasetItem.ts": {
-      "callChatApiStep": {
-        "stepId": "step//src/domains/evals/workflow/functions/runDatasetItem.ts//callChatApiStep"
-      },
-      "createRelationStep": {
-        "stepId": "step//src/domains/evals/workflow/functions/runDatasetItem.ts//createRelationStep"
+    "node_modules/.pnpm/workflow@4.0.1-beta.33_@aws-sdk+client-sts@3.970.0_@opentelemetry+api@1.9.0_@types+reac_d0e39273ec53983ee1a59c0952eb17f2/node_modules/workflow/dist/internal/builtins.js": {
+      "__builtin_response_array_buffer": {
+        "stepId": "__builtin_response_array_buffer"
       },
-      "executeEvaluatorStep": {
-        "stepId": "step//src/domains/evals/workflow/functions/runDatasetItem.ts//executeEvaluatorStep"
+      "__builtin_response_json": {
+        "stepId": "__builtin_response_json"
       },
-      "logStep": {
-        "stepId": "step//src/domains/evals/workflow/functions/runDatasetItem.ts//logStep"
+      "__builtin_response_text": {
+        "stepId": "__builtin_response_text"
       }
     },
     "src/domains/evals/workflow/functions/evaluateConversation.ts": {
@@ -28,28 +25,31 @@
         "stepId": "step//src/domains/evals/workflow/functions/evaluateConversation.ts//logStep"
       }
     },
-    "node_modules/.pnpm/workflow@4.0.1-beta.33_@aws-sdk+client-sts@3.970.0_@opentelemetry+api@1.9.0_@types+reac_d0e39273ec53983ee1a59c0952eb17f2/node_modules/workflow/dist/internal/builtins.js": {
-      "__builtin_response_array_buffer": {
-        "stepId": "__builtin_response_array_buffer"
+    "src/domains/evals/workflow/functions/runDatasetItem.ts": {
+      "callChatApiStep": {
+        "stepId": "step//src/domains/evals/workflow/functions/runDatasetItem.ts//callChatApiStep"
       },
-      "__builtin_response_json": {
-        "stepId": "__builtin_response_json"
+      "createRelationStep": {
+        "stepId": "step//src/domains/evals/workflow/functions/runDatasetItem.ts//createRelationStep"
       },
-      "__builtin_response_text": {
-        "stepId": "__builtin_response_text"
+      "executeEvaluatorStep": {
+        "stepId": "step//src/domains/evals/workflow/functions/runDatasetItem.ts//executeEvaluatorStep"
+      },
+      "logStep": {
+        "stepId": "step//src/domains/evals/workflow/functions/runDatasetItem.ts//logStep"
       }
     }
   },
   "workflows": {
-    "src/domains/evals/workflow/functions/evaluateConversation.ts": {
-      "_evaluateConversationWorkflow": {
-        "workflowId": "workflow//src/domains/evals/workflow/functions/evaluateConversation.ts//_evaluateConversationWorkflow"
-      }
-    },
     "src/domains/evals/workflow/functions/runDatasetItem.ts": {
       "_runDatasetItemWorkflow": {
         "workflowId": "workflow//src/domains/evals/workflow/functions/runDatasetItem.ts//_runDatasetItemWorkflow"
       }
+    },
+    "src/domains/evals/workflow/functions/evaluateConversation.ts": {
+      "_evaluateConversationWorkflow": {
+        "workflowId": "workflow//src/domains/evals/workflow/functions/evaluateConversation.ts//_evaluateConversationWorkflow"
+      }
     }
   }
 }

package/dist/createApp.js

@@ -2,6 +2,7 @@ import { getLogger } from "./logger.js";
 import { env } from "./env.js";
 import { evalRoutes } from "./domains/evals/index.js";
 import { workflowRoutes } from "./domains/evals/workflow/routes.js";
+import { githubRoutes } from "./domains/github/index.js";
 import { sessionAuth, sessionContext } from "./middleware/sessionAuth.js";
 import { manageRoutes } from "./domains/manage/index.js";
 import { flushBatchProcessor } from "./instrumentation.js";
@@ -53,6 +54,7 @@ function createAgentsHono(config) {
 		if (c.req.path.startsWith("/run/")) return next();
 		if (c.req.path.includes("/playground/token")) return next();
 		if (c.req.path.includes("/signoz/")) return next();
+		if (c.req.path.includes("/api/github/")) return next();
 		return cors(defaultCorsConfig)(c, next);
 	});
 	app.use("*", async (c, next) => {
@@ -187,6 +189,7 @@ function createAgentsHono(config) {
 		return fetch(forwardedRequest);
 	});
 	app.route("/evals", evalRoutes);
+	app.route("/api/github", githubRoutes);
 	setupOpenAPIRoutes(app);
 	app.use("/run/*", async (_c, next) => {
 		await next();

package/dist/domains/evals/routes/datasetTriggers.d.ts

@@ -1,7 +1,7 @@
 import { OpenAPIHono } from "@hono/zod-openapi";
-import * as hono17 from "hono";
+import * as hono16 from "hono";
 
 //#region src/domains/evals/routes/datasetTriggers.d.ts
-declare const app: OpenAPIHono<hono17.Env, {}, "/">;
+declare const app: OpenAPIHono<hono16.Env, {}, "/">;
 //#endregion
 export { app as default };

package/dist/domains/evals/routes/index.d.ts

@@ -1,7 +1,7 @@
 import { OpenAPIHono } from "@hono/zod-openapi";
-import * as hono15 from "hono";
+import * as hono0 from "hono";
 
 //#region src/domains/evals/routes/index.d.ts
-declare const app: OpenAPIHono<hono15.Env, {}, "/">;
+declare const app: OpenAPIHono<hono0.Env, {}, "/">;
 //#endregion
 export { app as default };

package/dist/domains/evals/workflow/routes.d.ts

@@ -1,7 +1,7 @@
 import { Hono } from "hono";
-import * as hono_types7 from "hono/types";
+import * as hono_types5 from "hono/types";
 
 //#region src/domains/evals/workflow/routes.d.ts
-declare const workflowRoutes: Hono<hono_types7.BlankEnv, hono_types7.BlankSchema, "/">;
+declare const workflowRoutes: Hono<hono_types5.BlankEnv, hono_types5.BlankSchema, "/">;
 //#endregion
 export { workflowRoutes };

package/dist/domains/github/config.d.ts

@@ -0,0 +1,14 @@
+import { z } from "@hono/zod-openapi";
+
+//#region src/domains/github/config.d.ts
+declare const GitHubAppConfigSchema: z.ZodObject<{
+  appId: z.ZodString;
+  privateKey: z.ZodString;
+}, z.core.$strip>;
+type GitHubAppConfig = z.infer<typeof GitHubAppConfigSchema>;
+declare function getGitHubAppConfig(): GitHubAppConfig;
+declare function isGitHubAppConfigured(): boolean;
+declare function validateGitHubAppConfigOnStartup(): void;
+declare function clearConfigCache(): void;
+//#endregion
+export { GitHubAppConfig, clearConfigCache, getGitHubAppConfig, isGitHubAppConfigured, validateGitHubAppConfigOnStartup };

package/dist/domains/github/config.js

@@ -0,0 +1,47 @@
+import { getLogger } from "../../logger.js";
+import { z } from "@hono/zod-openapi";
+
+//#region src/domains/github/config.ts
+const logger = getLogger("github-config");
+const GitHubAppConfigSchema = z.object({
+	appId: z.string().min(1, "GITHUB_APP_ID is required"),
+	privateKey: z.string().min(1, "GITHUB_APP_PRIVATE_KEY is required")
+});
+let cachedConfig = null;
+function getGitHubAppConfig() {
+	if (cachedConfig) return cachedConfig;
+	const appId = process.env.GITHUB_APP_ID;
+	const privateKey = process.env.GITHUB_APP_PRIVATE_KEY?.replace(/\\n/g, "\n");
+	const result = GitHubAppConfigSchema.safeParse({
+		appId,
+		privateKey
+	});
+	if (!result.success) {
+		const errorMessage = `GitHub App credentials are not configured. ${result.error.issues.map((issue) => issue.message).join(". ")}. Please set GITHUB_APP_ID and GITHUB_APP_PRIVATE_KEY environment variables.`;
+		logger.error({}, errorMessage);
+		throw new Error(errorMessage);
+	}
+	cachedConfig = result.data;
+	logger.info({}, "GitHub App credentials loaded successfully");
+	return cachedConfig;
+}
+function isGitHubAppConfigured() {
+	return Boolean(process.env.GITHUB_APP_ID && process.env.GITHUB_APP_PRIVATE_KEY);
+}
+function validateGitHubAppConfigOnStartup() {
+	if (!isGitHubAppConfigured()) {
+		logger.warn({}, "GitHub App credentials not configured. Token exchange endpoint will return 500 errors. Set GITHUB_APP_ID and GITHUB_APP_PRIVATE_KEY to enable the feature.");
+		return;
+	}
+	try {
+		getGitHubAppConfig();
+	} catch (error) {
+		logger.error({ error }, "GitHub App credentials are invalid. Token exchange endpoint will return 500 errors.");
+	}
+}
+function clearConfigCache() {
+	cachedConfig = null;
+}
+
+//#endregion
+export { clearConfigCache, getGitHubAppConfig, isGitHubAppConfigured, validateGitHubAppConfigOnStartup };

package/dist/domains/github/index.d.ts

@@ -0,0 +1,12 @@
+import { GitHubAppConfig, getGitHubAppConfig, isGitHubAppConfigured } from "./config.js";
+import { GenerateInstallationAccessTokenResult, GenerateTokenError, GenerateTokenResult, InstallationAccessToken, InstallationInfo, LookupInstallationError, LookupInstallationForRepoResult, LookupInstallationResult, generateInstallationAccessToken, lookupInstallationForRepo } from "./installation.js";
+import { GetJwkResult, JwksError, JwksResult, clearJwksCache, getJwkForToken, getJwksCacheStatus } from "./jwks.js";
+import { GitHubOidcClaims, ValidateOidcTokenResult, ValidateTokenError, ValidateTokenResult, validateOidcToken } from "./oidcToken.js";
+import { Hono } from "hono";
+import * as hono_types9 from "hono/types";
+
+//#region src/domains/github/index.d.ts
+declare function createGithubRoutes(): Hono<hono_types9.BlankEnv, hono_types9.BlankSchema, "/">;
+declare const githubRoutes: Hono<hono_types9.BlankEnv, hono_types9.BlankSchema, "/">;
+//#endregion
+export { type GenerateInstallationAccessTokenResult, type GenerateTokenError, type GenerateTokenResult, type GetJwkResult, type GitHubAppConfig, type GitHubOidcClaims, type InstallationAccessToken, type InstallationInfo, type JwksError, type JwksResult, type LookupInstallationError, type LookupInstallationForRepoResult, type LookupInstallationResult, type ValidateOidcTokenResult, type ValidateTokenError, type ValidateTokenResult, clearJwksCache, createGithubRoutes, generateInstallationAccessToken, getGitHubAppConfig, getJwkForToken, getJwksCacheStatus, githubRoutes, isGitHubAppConfigured, lookupInstallationForRepo, validateOidcToken };

package/dist/domains/github/index.js

@@ -0,0 +1,18 @@
+import { getGitHubAppConfig, isGitHubAppConfigured, validateGitHubAppConfigOnStartup } from "./config.js";
+import { generateInstallationAccessToken, lookupInstallationForRepo } from "./installation.js";
+import { clearJwksCache, getJwkForToken, getJwksCacheStatus } from "./jwks.js";
+import { validateOidcToken } from "./oidcToken.js";
+import tokenExchange_default from "./routes/tokenExchange.js";
+import { Hono } from "hono";
+
+//#region src/domains/github/index.ts
+function createGithubRoutes() {
+	validateGitHubAppConfigOnStartup();
+	const app = new Hono();
+	app.route("/token-exchange", tokenExchange_default);
+	return app;
+}
+const githubRoutes = createGithubRoutes();
+
+//#endregion
+export { clearJwksCache, createGithubRoutes, generateInstallationAccessToken, getGitHubAppConfig, getJwkForToken, getJwksCacheStatus, githubRoutes, isGitHubAppConfigured, lookupInstallationForRepo, validateOidcToken };

package/dist/domains/github/installation.d.ts

@@ -0,0 +1,34 @@
+//#region src/domains/github/installation.d.ts
+interface InstallationInfo {
+  installationId: number;
+  accountLogin: string;
+  accountType: 'User' | 'Organization';
+}
+interface LookupInstallationResult {
+  success: true;
+  installation: InstallationInfo;
+}
+interface LookupInstallationError {
+  success: false;
+  errorType: 'not_installed' | 'api_error' | 'jwt_error';
+  message: string;
+}
+type LookupInstallationForRepoResult = LookupInstallationResult | LookupInstallationError;
+interface InstallationAccessToken {
+  token: string;
+  expiresAt: string;
+}
+interface GenerateTokenResult {
+  success: true;
+  accessToken: InstallationAccessToken;
+}
+interface GenerateTokenError {
+  success: false;
+  errorType: 'api_error' | 'jwt_error';
+  message: string;
+}
+type GenerateInstallationAccessTokenResult = GenerateTokenResult | GenerateTokenError;
+declare function lookupInstallationForRepo(repositoryOwner: string, repositoryName: string): Promise<LookupInstallationForRepoResult>;
+declare function generateInstallationAccessToken(installationId: number): Promise<GenerateInstallationAccessTokenResult>;
+//#endregion
+export { GenerateInstallationAccessTokenResult, GenerateTokenError, GenerateTokenResult, InstallationAccessToken, InstallationInfo, LookupInstallationError, LookupInstallationForRepoResult, LookupInstallationResult, generateInstallationAccessToken, lookupInstallationForRepo };

package/dist/domains/github/installation.js

@@ -0,0 +1,172 @@
+import { getLogger } from "../../logger.js";
+import { getGitHubAppConfig } from "./config.js";
+import { createPrivateKey } from "node:crypto";
+import { SignJWT } from "jose";
+
+//#region src/domains/github/installation.ts
+const logger = getLogger("github-installation");
+const GITHUB_API_BASE = "https://api.github.com";
+async function createAppJwt() {
+	const config = getGitHubAppConfig();
+	const privateKey = createPrivateKey({
+		key: config.privateKey,
+		format: "pem"
+	});
+	const now = Math.floor(Date.now() / 1e3);
+	return await new SignJWT({}).setProtectedHeader({ alg: "RS256" }).setIssuedAt(now - 60).setExpirationTime(now + 600).setIssuer(config.appId).sign(privateKey);
+}
+async function lookupInstallationForRepo(repositoryOwner, repositoryName) {
+	let appJwt;
+	try {
+		appJwt = await createAppJwt();
+	} catch (error) {
+		const message = error instanceof Error ? error.message : "Unknown error";
+		logger.error({ error: message }, "Failed to create GitHub App JWT");
+		return {
+			success: false,
+			errorType: "jwt_error",
+			message: `Failed to create GitHub App authentication: ${message}`
+		};
+	}
+	const url = `${GITHUB_API_BASE}/repos/${repositoryOwner}/${repositoryName}/installation`;
+	try {
+		const response = await fetch(url, {
+			method: "GET",
+			headers: {
+				Authorization: `Bearer ${appJwt}`,
+				Accept: "application/vnd.github+json",
+				"X-GitHub-Api-Version": "2022-11-28",
+				"User-Agent": "inkeep-agents-api"
+			}
+		});
+		if (response.status === 404) return {
+			success: false,
+			errorType: "not_installed",
+			message: `GitHub App is not installed on repository ${repositoryOwner}/${repositoryName}. Please install the Inkeep Agents GitHub App on the repository to enable token exchange.`
+		};
+		if (!response.ok) {
+			const errorText = await response.text();
+			logger.error({
+				status: response.status,
+				error: errorText,
+				repositoryOwner,
+				repositoryName
+			}, "GitHub API error looking up installation");
+			return {
+				success: false,
+				errorType: "api_error",
+				message: `GitHub API error (${response.status}): Failed to look up installation for repository`
+			};
+		}
+		const data = await response.json();
+		const installationId = data.id;
+		const accountLogin = data.account?.login;
+		const accountType = data.account?.type;
+		if (typeof installationId !== "number" || typeof accountLogin !== "string") {
+			logger.error({ data }, "Unexpected response format from GitHub API");
+			return {
+				success: false,
+				errorType: "api_error",
+				message: "Unexpected response format from GitHub API"
+			};
+		}
+		logger.info({
+			installationId,
+			accountLogin,
+			accountType,
+			repositoryOwner,
+			repositoryName
+		}, "Found GitHub App installation for repository");
+		return {
+			success: true,
+			installation: {
+				installationId,
+				accountLogin,
+				accountType: accountType === "Organization" ? "Organization" : "User"
+			}
+		};
+	} catch (error) {
+		const message = error instanceof Error ? error.message : "Unknown error";
+		logger.error({
+			error: message,
+			repositoryOwner,
+			repositoryName
+		}, "Error calling GitHub API to look up installation");
+		return {
+			success: false,
+			errorType: "api_error",
+			message: `Failed to connect to GitHub API: ${message}`
+		};
+	}
+}
+async function generateInstallationAccessToken(installationId) {
+	let appJwt;
+	try {
+		appJwt = await createAppJwt();
+	} catch (error) {
+		const message = error instanceof Error ? error.message : "Unknown error";
+		logger.error({ error: message }, "Failed to create GitHub App JWT for token generation");
+		return {
+			success: false,
+			errorType: "jwt_error",
+			message: `Failed to create GitHub App authentication: ${message}`
+		};
+	}
+	const url = `${GITHUB_API_BASE}/app/installations/${installationId}/access_tokens`;
+	try {
+		const response = await fetch(url, {
+			method: "POST",
+			headers: {
+				Authorization: `Bearer ${appJwt}`,
+				Accept: "application/vnd.github+json",
+				"X-GitHub-Api-Version": "2022-11-28",
+				"User-Agent": "inkeep-agents-api"
+			}
+		});
+		if (!response.ok) {
+			const errorText = await response.text();
+			logger.error({
+				status: response.status,
+				error: errorText,
+				installationId
+			}, "GitHub API error generating installation access token");
+			return {
+				success: false,
+				errorType: "api_error",
+				message: `GitHub API error (${response.status}): Failed to generate installation access token`
+			};
+		}
+		const data = await response.json();
+		const token = data.token;
+		const expiresAt = data.expires_at;
+		if (typeof token !== "string" || typeof expiresAt !== "string") {
+			logger.error({ data }, "Unexpected response format from GitHub API for token generation");
+			return {
+				success: false,
+				errorType: "api_error",
+				message: "Unexpected response format from GitHub API"
+			};
+		}
+		return {
+			success: true,
+			accessToken: {
+				token,
+				expiresAt
+			}
+		};
+	} catch (error) {
+		const message = error instanceof Error ? error.message : "Unknown error";
+		logger.error({
+			error: message,
+			installationId
+		}, "Error calling GitHub API to generate installation access token");
+		return {
+			success: false,
+			errorType: "api_error",
+			message: `Failed to connect to GitHub API: ${message}`
+		};
+	}
+}
+
+//#endregion
+export { generateInstallationAccessToken, lookupInstallationForRepo };

package/dist/domains/github/jwks.d.ts

@@ -0,0 +1,20 @@
+import { CryptoKey, JWSHeaderParameters } from "jose";
+
+//#region src/domains/github/jwks.d.ts
+interface JwksResult {
+  success: true;
+  key: CryptoKey;
+}
+interface JwksError {
+  success: false;
+  error: string;
+}
+type GetJwkResult = JwksResult | JwksError;
+declare function getJwkForToken(header: JWSHeaderParameters): Promise<GetJwkResult>;
+declare function clearJwksCache(): void;
+declare function getJwksCacheStatus(): {
+  cached: boolean;
+  expiresIn?: number;
+};
+//#endregion
+export { GetJwkResult, JwksError, JwksResult, clearJwksCache, getJwkForToken, getJwksCacheStatus };

package/dist/domains/github/jwks.js

@@ -0,0 +1,85 @@
+import { getLogger } from "../../logger.js";
+import { createRemoteJWKSet } from "jose";
+
+//#region src/domains/github/jwks.ts
+const logger = getLogger("github-jwks");
+const GITHUB_OIDC_JWKS_URL = "https://token.actions.githubusercontent.com/.well-known/jwks";
+const CACHE_TTL_MS = 3600 * 1e3;
+let jwksCache = null;
+function createJwksWithLogging() {
+	logger.info({}, "Creating new JWKS fetch function for GitHub OIDC");
+	return createRemoteJWKSet(new URL(GITHUB_OIDC_JWKS_URL), { cacheMaxAge: CACHE_TTL_MS });
+}
+function isCacheExpired() {
+	if (!jwksCache) return true;
+	return Date.now() - jwksCache.fetchedAt > CACHE_TTL_MS;
+}
+function getOrCreateJwksFunction() {
+	if (!jwksCache || isCacheExpired()) jwksCache = {
+		jwks: createJwksWithLogging(),
+		fetchedAt: Date.now()
+	};
+	return jwksCache.jwks;
+}
+async function getJwkForToken(header) {
+	const kid = header.kid;
+	if (!kid) return {
+		success: false,
+		error: "Token is missing key ID (kid) in header"
+	};
+	try {
+		const key = await getOrCreateJwksFunction()(header);
+		logger.debug({ kid }, "Successfully retrieved JWK for token");
+		return {
+			success: true,
+			key
+		};
+	} catch (error) {
+		const errorMessage = error instanceof Error ? error.message : "Unknown error";
+		if (errorMessage.includes("no applicable key found")) {
+			logger.warn({ kid }, "Key ID not found in JWKS, refreshing cache");
+			jwksCache = null;
+			try {
+				const key = await getOrCreateJwksFunction()(header);
+				logger.info({ kid }, "Successfully retrieved JWK after cache refresh");
+				return {
+					success: true,
+					key
+				};
+			} catch (retryError) {
+				const retryErrorMessage = retryError instanceof Error ? retryError.message : "Unknown error";
+				logger.error({
+					kid,
+					error: retryErrorMessage
+				}, "Failed to retrieve JWK after cache refresh");
+				return {
+					success: false,
+					error: `Key ID '${kid}' not found in GitHub OIDC JWKS`
+				};
+			}
+		}
+		logger.error({
+			kid,
+			error: errorMessage
+		}, "Failed to fetch JWKS from GitHub");
+		return {
+			success: false,
+			error: `Failed to fetch GitHub OIDC JWKS: ${errorMessage}`
+		};
+	}
+}
+function clearJwksCache() {
+	jwksCache = null;
+	logger.debug({}, "JWKS cache cleared");
+}
+function getJwksCacheStatus() {
+	if (!jwksCache) return { cached: false };
+	const expiresIn = CACHE_TTL_MS - (Date.now() - jwksCache.fetchedAt);
+	return {
+		cached: true,
+		expiresIn: Math.max(0, expiresIn)
+	};
+}
+
+//#endregion
+export { clearJwksCache, getJwkForToken, getJwksCacheStatus };

package/dist/domains/github/oidcToken.d.ts

@@ -0,0 +1,22 @@
+//#region src/domains/github/oidcToken.d.ts
+interface GitHubOidcClaims {
+  repository: string;
+  repository_owner: string;
+  repository_id: string;
+  workflow: string;
+  actor: string;
+  ref: string;
+}
+interface ValidateTokenResult {
+  success: true;
+  claims: GitHubOidcClaims;
+}
+interface ValidateTokenError {
+  success: false;
+  errorType: 'invalid_signature' | 'expired' | 'wrong_issuer' | 'wrong_audience' | 'malformed' | 'jwks_error';
+  message: string;
+}
+type ValidateOidcTokenResult = ValidateTokenResult | ValidateTokenError;
+declare function validateOidcToken(token: string): Promise<ValidateOidcTokenResult>;
+//#endregion
+export { GitHubOidcClaims, ValidateOidcTokenResult, ValidateTokenError, ValidateTokenResult, validateOidcToken };