@inkeep/agents-api 0.0.0-dev-20260126093157 → 0.0.0-dev-20260126181806

package/dist/.well-known/workflow/v1/manifest.debug.json

@@ -1,17 +1,14 @@
 {
   "steps": {
-    "src/domains/evals/workflow/functions/runDatasetItem.ts": {
-      "callChatApiStep": {
-        "stepId": "step//src/domains/evals/workflow/functions/runDatasetItem.ts//callChatApiStep"
-      },
-      "createRelationStep": {
-        "stepId": "step//src/domains/evals/workflow/functions/runDatasetItem.ts//createRelationStep"
+    "node_modules/.pnpm/workflow@4.0.1-beta.33_@aws-sdk+client-sts@3.970.0_@opentelemetry+api@1.9.0_@types+reac_d0e39273ec53983ee1a59c0952eb17f2/node_modules/workflow/dist/internal/builtins.js": {
+      "__builtin_response_array_buffer": {
+        "stepId": "__builtin_response_array_buffer"
       },
-      "executeEvaluatorStep": {
-        "stepId": "step//src/domains/evals/workflow/functions/runDatasetItem.ts//executeEvaluatorStep"
+      "__builtin_response_json": {
+        "stepId": "__builtin_response_json"
       },
-      "logStep": {
-        "stepId": "step//src/domains/evals/workflow/functions/runDatasetItem.ts//logStep"
+      "__builtin_response_text": {
+        "stepId": "__builtin_response_text"
       }
     },
     "src/domains/evals/workflow/functions/evaluateConversation.ts": {
@@ -28,15 +25,18 @@
         "stepId": "step//src/domains/evals/workflow/functions/evaluateConversation.ts//logStep"
       }
     },
-    "node_modules/.pnpm/workflow@4.0.1-beta.33_@aws-sdk+client-sts@3.970.0_@opentelemetry+api@1.9.0_@types+reac_d0e39273ec53983ee1a59c0952eb17f2/node_modules/workflow/dist/internal/builtins.js": {
-      "__builtin_response_array_buffer": {
-        "stepId": "__builtin_response_array_buffer"
+    "src/domains/evals/workflow/functions/runDatasetItem.ts": {
+      "callChatApiStep": {
+        "stepId": "step//src/domains/evals/workflow/functions/runDatasetItem.ts//callChatApiStep"
       },
-      "__builtin_response_json": {
-        "stepId": "__builtin_response_json"
+      "createRelationStep": {
+        "stepId": "step//src/domains/evals/workflow/functions/runDatasetItem.ts//createRelationStep"
       },
-      "__builtin_response_text": {
-        "stepId": "__builtin_response_text"
+      "executeEvaluatorStep": {
+        "stepId": "step//src/domains/evals/workflow/functions/runDatasetItem.ts//executeEvaluatorStep"
+      },
+      "logStep": {
+        "stepId": "step//src/domains/evals/workflow/functions/runDatasetItem.ts//logStep"
       }
     }
   },

package/dist/.well-known/workflow/v1/step.cjs

@@ -101700,7 +101700,8 @@ var TOOL_STATUS_VALUES = [
   "healthy",
   "unhealthy",
   "unknown",
-  "needs_auth"
+  "needs_auth",
+  "unavailable"
 ];
 var VALID_RELATION_TYPES = [
   "transfer",
@@ -148101,7 +148102,7 @@ var { RelationshipUpdate_Operation: RelationshipUpdate_Operation2, CheckPermissi
 
 // ../packages/agents-core/dist/constants/execution-limits-shared/defaults.js
 var executionLimitsSharedDefaults = {
-  MCP_TOOL_CONNECTION_TIMEOUT_MS: 3e3,
+  MCP_TOOL_CONNECTION_TIMEOUT_MS: 1e4,
   MCP_TOOL_MAX_RETRIES: 3,
   MCP_TOOL_MAX_RECONNECTION_DELAY_MS: 3e4,
   MCP_TOOL_INITIAL_RECONNECTION_DELAY_MS: 1e3,

package/dist/createApp.js

@@ -2,6 +2,7 @@ import { getLogger } from "./logger.js";
 import { env } from "./env.js";
 import { evalRoutes } from "./domains/evals/index.js";
 import { workflowRoutes } from "./domains/evals/workflow/routes.js";
+import { githubRoutes } from "./domains/github/index.js";
 import { sessionAuth, sessionContext } from "./middleware/sessionAuth.js";
 import { manageRoutes } from "./domains/manage/index.js";
 import { flushBatchProcessor } from "./instrumentation.js";
@@ -53,6 +54,7 @@ function createAgentsHono(config) {
 		if (c.req.path.startsWith("/run/")) return next();
 		if (c.req.path.includes("/playground/token")) return next();
 		if (c.req.path.includes("/signoz/")) return next();
+		if (c.req.path.includes("/api/github/")) return next();
 		return cors(defaultCorsConfig)(c, next);
 	});
 	app.use("*", async (c, next) => {
@@ -187,6 +189,7 @@ function createAgentsHono(config) {
 		return fetch(forwardedRequest);
 	});
 	app.route("/evals", evalRoutes);
+	app.route("/api/github", githubRoutes);
 	setupOpenAPIRoutes(app);
 	app.use("/run/*", async (_c, next) => {
 		await next();

package/dist/domains/evals/routes/index.d.ts

@@ -1,7 +1,7 @@
 import { OpenAPIHono } from "@hono/zod-openapi";
-import * as hono15 from "hono";
+import * as hono18 from "hono";
 
 //#region src/domains/evals/routes/index.d.ts
-declare const app: OpenAPIHono<hono15.Env, {}, "/">;
+declare const app: OpenAPIHono<hono18.Env, {}, "/">;
 //#endregion
 export { app as default };

package/dist/domains/evals/workflow/routes.d.ts

@@ -1,7 +1,7 @@
 import { Hono } from "hono";
-import * as hono_types7 from "hono/types";
+import * as hono_types12 from "hono/types";
 
 //#region src/domains/evals/workflow/routes.d.ts
-declare const workflowRoutes: Hono<hono_types7.BlankEnv, hono_types7.BlankSchema, "/">;
+declare const workflowRoutes: Hono<hono_types12.BlankEnv, hono_types12.BlankSchema, "/">;
 //#endregion
 export { workflowRoutes };

package/dist/domains/github/config.d.ts

@@ -0,0 +1,14 @@
+import { z } from "@hono/zod-openapi";
+
+//#region src/domains/github/config.d.ts
+declare const GitHubAppConfigSchema: z.ZodObject<{
+  appId: z.ZodString;
+  privateKey: z.ZodString;
+}, z.core.$strip>;
+type GitHubAppConfig = z.infer<typeof GitHubAppConfigSchema>;
+declare function getGitHubAppConfig(): GitHubAppConfig;
+declare function isGitHubAppConfigured(): boolean;
+declare function validateGitHubAppConfigOnStartup(): void;
+declare function clearConfigCache(): void;
+//#endregion
+export { GitHubAppConfig, clearConfigCache, getGitHubAppConfig, isGitHubAppConfigured, validateGitHubAppConfigOnStartup };

package/dist/domains/github/config.js

@@ -0,0 +1,47 @@
+import { getLogger } from "../../logger.js";
+import { z } from "@hono/zod-openapi";
+
+//#region src/domains/github/config.ts
+const logger = getLogger("github-config");
+const GitHubAppConfigSchema = z.object({
+	appId: z.string().min(1, "GITHUB_APP_ID is required"),
+	privateKey: z.string().min(1, "GITHUB_APP_PRIVATE_KEY is required")
+});
+let cachedConfig = null;
+function getGitHubAppConfig() {
+	if (cachedConfig) return cachedConfig;
+	const appId = process.env.GITHUB_APP_ID;
+	const privateKey = process.env.GITHUB_APP_PRIVATE_KEY?.replace(/\\n/g, "\n");
+	const result = GitHubAppConfigSchema.safeParse({
+		appId,
+		privateKey
+	});
+	if (!result.success) {
+		const errorMessage = `GitHub App credentials are not configured. ${result.error.issues.map((issue) => issue.message).join(". ")}. Please set GITHUB_APP_ID and GITHUB_APP_PRIVATE_KEY environment variables.`;
+		logger.error({}, errorMessage);
+		throw new Error(errorMessage);
+	}
+	cachedConfig = result.data;
+	logger.info({}, "GitHub App credentials loaded successfully");
+	return cachedConfig;
+}
+function isGitHubAppConfigured() {
+	return Boolean(process.env.GITHUB_APP_ID && process.env.GITHUB_APP_PRIVATE_KEY);
+}
+function validateGitHubAppConfigOnStartup() {
+	if (!isGitHubAppConfigured()) {
+		logger.warn({}, "GitHub App credentials not configured. Token exchange endpoint will return 500 errors. Set GITHUB_APP_ID and GITHUB_APP_PRIVATE_KEY to enable the feature.");
+		return;
+	}
+	try {
+		getGitHubAppConfig();
+	} catch (error) {
+		logger.error({ error }, "GitHub App credentials are invalid. Token exchange endpoint will return 500 errors.");
+	}
+}
+function clearConfigCache() {
+	cachedConfig = null;
+}
+
+//#endregion
+export { clearConfigCache, getGitHubAppConfig, isGitHubAppConfigured, validateGitHubAppConfigOnStartup };

package/dist/domains/github/index.d.ts

@@ -0,0 +1,12 @@
+import { GitHubAppConfig, getGitHubAppConfig, isGitHubAppConfigured } from "./config.js";
+import { GenerateInstallationAccessTokenResult, GenerateTokenError, GenerateTokenResult, InstallationAccessToken, InstallationInfo, LookupInstallationError, LookupInstallationForRepoResult, LookupInstallationResult, generateInstallationAccessToken, lookupInstallationForRepo } from "./installation.js";
+import { GetJwkResult, JwksError, JwksResult, clearJwksCache, getJwkForToken, getJwksCacheStatus } from "./jwks.js";
+import { GitHubOidcClaims, ValidateOidcTokenResult, ValidateTokenError, ValidateTokenResult, validateOidcToken } from "./oidcToken.js";
+import { Hono } from "hono";
+import * as hono_types5 from "hono/types";
+
+//#region src/domains/github/index.d.ts
+declare function createGithubRoutes(): Hono<hono_types5.BlankEnv, hono_types5.BlankSchema, "/">;
+declare const githubRoutes: Hono<hono_types5.BlankEnv, hono_types5.BlankSchema, "/">;
+//#endregion
+export { type GenerateInstallationAccessTokenResult, type GenerateTokenError, type GenerateTokenResult, type GetJwkResult, type GitHubAppConfig, type GitHubOidcClaims, type InstallationAccessToken, type InstallationInfo, type JwksError, type JwksResult, type LookupInstallationError, type LookupInstallationForRepoResult, type LookupInstallationResult, type ValidateOidcTokenResult, type ValidateTokenError, type ValidateTokenResult, clearJwksCache, createGithubRoutes, generateInstallationAccessToken, getGitHubAppConfig, getJwkForToken, getJwksCacheStatus, githubRoutes, isGitHubAppConfigured, lookupInstallationForRepo, validateOidcToken };

package/dist/domains/github/index.js

@@ -0,0 +1,18 @@
+import { getGitHubAppConfig, isGitHubAppConfigured, validateGitHubAppConfigOnStartup } from "./config.js";
+import { generateInstallationAccessToken, lookupInstallationForRepo } from "./installation.js";
+import { clearJwksCache, getJwkForToken, getJwksCacheStatus } from "./jwks.js";
+import { validateOidcToken } from "./oidcToken.js";
+import tokenExchange_default from "./routes/tokenExchange.js";
+import { Hono } from "hono";
+
+//#region src/domains/github/index.ts
+function createGithubRoutes() {
+	validateGitHubAppConfigOnStartup();
+	const app = new Hono();
+	app.route("/token-exchange", tokenExchange_default);
+	return app;
+}
+const githubRoutes = createGithubRoutes();
+
+//#endregion
+export { clearJwksCache, createGithubRoutes, generateInstallationAccessToken, getGitHubAppConfig, getJwkForToken, getJwksCacheStatus, githubRoutes, isGitHubAppConfigured, lookupInstallationForRepo, validateOidcToken };

package/dist/domains/github/installation.d.ts

@@ -0,0 +1,34 @@
+//#region src/domains/github/installation.d.ts
+interface InstallationInfo {
+  installationId: number;
+  accountLogin: string;
+  accountType: 'User' | 'Organization';
+}
+interface LookupInstallationResult {
+  success: true;
+  installation: InstallationInfo;
+}
+interface LookupInstallationError {
+  success: false;
+  errorType: 'not_installed' | 'api_error' | 'jwt_error';
+  message: string;
+}
+type LookupInstallationForRepoResult = LookupInstallationResult | LookupInstallationError;
+interface InstallationAccessToken {
+  token: string;
+  expiresAt: string;
+}
+interface GenerateTokenResult {
+  success: true;
+  accessToken: InstallationAccessToken;
+}
+interface GenerateTokenError {
+  success: false;
+  errorType: 'api_error' | 'jwt_error';
+  message: string;
+}
+type GenerateInstallationAccessTokenResult = GenerateTokenResult | GenerateTokenError;
+declare function lookupInstallationForRepo(repositoryOwner: string, repositoryName: string): Promise<LookupInstallationForRepoResult>;
+declare function generateInstallationAccessToken(installationId: number): Promise<GenerateInstallationAccessTokenResult>;
+//#endregion
+export { GenerateInstallationAccessTokenResult, GenerateTokenError, GenerateTokenResult, InstallationAccessToken, InstallationInfo, LookupInstallationError, LookupInstallationForRepoResult, LookupInstallationResult, generateInstallationAccessToken, lookupInstallationForRepo };

package/dist/domains/github/installation.js

@@ -0,0 +1,172 @@
+import { getLogger } from "../../logger.js";
+import { getGitHubAppConfig } from "./config.js";
+import { createPrivateKey } from "node:crypto";
+import { SignJWT } from "jose";
+
+//#region src/domains/github/installation.ts
+const logger = getLogger("github-installation");
+const GITHUB_API_BASE = "https://api.github.com";
+async function createAppJwt() {
+	const config = getGitHubAppConfig();
+	const privateKey = createPrivateKey({
+		key: config.privateKey,
+		format: "pem"
+	});
+	const now = Math.floor(Date.now() / 1e3);
+	return await new SignJWT({}).setProtectedHeader({ alg: "RS256" }).setIssuedAt(now - 60).setExpirationTime(now + 600).setIssuer(config.appId).sign(privateKey);
+}
+async function lookupInstallationForRepo(repositoryOwner, repositoryName) {
+	let appJwt;
+	try {
+		appJwt = await createAppJwt();
+	} catch (error) {
+		const message = error instanceof Error ? error.message : "Unknown error";
+		logger.error({ error: message }, "Failed to create GitHub App JWT");
+		return {
+			success: false,
+			errorType: "jwt_error",
+			message: `Failed to create GitHub App authentication: ${message}`
+		};
+	}
+	const url = `${GITHUB_API_BASE}/repos/${repositoryOwner}/${repositoryName}/installation`;
+	try {
+		const response = await fetch(url, {
+			method: "GET",
+			headers: {
+				Authorization: `Bearer ${appJwt}`,
+				Accept: "application/vnd.github+json",
+				"X-GitHub-Api-Version": "2022-11-28",
+				"User-Agent": "inkeep-agents-api"
+			}
+		});
+		if (response.status === 404) return {
+			success: false,
+			errorType: "not_installed",
+			message: `GitHub App is not installed on repository ${repositoryOwner}/${repositoryName}. Please install the Inkeep Agents GitHub App on the repository to enable token exchange.`
+		};
+		if (!response.ok) {
+			const errorText = await response.text();
+			logger.error({
+				status: response.status,
+				error: errorText,
+				repositoryOwner,
+				repositoryName
+			}, "GitHub API error looking up installation");
+			return {
+				success: false,
+				errorType: "api_error",
+				message: `GitHub API error (${response.status}): Failed to look up installation for repository`
+			};
+		}
+		const data = await response.json();
+		const installationId = data.id;
+		const accountLogin = data.account?.login;
+		const accountType = data.account?.type;
+		if (typeof installationId !== "number" || typeof accountLogin !== "string") {
+			logger.error({ data }, "Unexpected response format from GitHub API");
+			return {
+				success: false,
+				errorType: "api_error",
+				message: "Unexpected response format from GitHub API"
+			};
+		}
+		logger.info({
+			installationId,
+			accountLogin,
+			accountType,
+			repositoryOwner,
+			repositoryName
+		}, "Found GitHub App installation for repository");
+		return {
+			success: true,
+			installation: {
+				installationId,
+				accountLogin,
+				accountType: accountType === "Organization" ? "Organization" : "User"
+			}
+		};
+	} catch (error) {
+		const message = error instanceof Error ? error.message : "Unknown error";
+		logger.error({
+			error: message,
+			repositoryOwner,
+			repositoryName
+		}, "Error calling GitHub API to look up installation");
+		return {
+			success: false,
+			errorType: "api_error",
+			message: `Failed to connect to GitHub API: ${message}`
+		};
+	}
+}
+async function generateInstallationAccessToken(installationId) {
+	let appJwt;
+	try {
+		appJwt = await createAppJwt();
+	} catch (error) {
+		const message = error instanceof Error ? error.message : "Unknown error";
+		logger.error({ error: message }, "Failed to create GitHub App JWT for token generation");
+		return {
+			success: false,
+			errorType: "jwt_error",
+			message: `Failed to create GitHub App authentication: ${message}`
+		};
+	}
+	const url = `${GITHUB_API_BASE}/app/installations/${installationId}/access_tokens`;
+	try {
+		const response = await fetch(url, {
+			method: "POST",
+			headers: {
+				Authorization: `Bearer ${appJwt}`,
+				Accept: "application/vnd.github+json",
+				"X-GitHub-Api-Version": "2022-11-28",
+				"User-Agent": "inkeep-agents-api"
+			}
+		});
+		if (!response.ok) {
+			const errorText = await response.text();
+			logger.error({
+				status: response.status,
+				error: errorText,
+				installationId
+			}, "GitHub API error generating installation access token");
+			return {
+				success: false,
+				errorType: "api_error",
+				message: `GitHub API error (${response.status}): Failed to generate installation access token`
+			};
+		}
+		const data = await response.json();
+		const token = data.token;
+		const expiresAt = data.expires_at;
+		if (typeof token !== "string" || typeof expiresAt !== "string") {
+			logger.error({ data }, "Unexpected response format from GitHub API for token generation");
+			return {
+				success: false,
+				errorType: "api_error",
+				message: "Unexpected response format from GitHub API"
+			};
+		}
+		return {
+			success: true,
+			accessToken: {
+				token,
+				expiresAt
+			}
+		};
+	} catch (error) {
+		const message = error instanceof Error ? error.message : "Unknown error";
+		logger.error({
+			error: message,
+			installationId
+		}, "Error calling GitHub API to generate installation access token");
+		return {
+			success: false,
+			errorType: "api_error",
+			message: `Failed to connect to GitHub API: ${message}`
+		};
+	}
+}
+
+//#endregion
+export { generateInstallationAccessToken, lookupInstallationForRepo };

package/dist/domains/github/jwks.d.ts

@@ -0,0 +1,20 @@
+import { CryptoKey, JWSHeaderParameters } from "jose";
+
+//#region src/domains/github/jwks.d.ts
+interface JwksResult {
+  success: true;
+  key: CryptoKey;
+}
+interface JwksError {
+  success: false;
+  error: string;
+}
+type GetJwkResult = JwksResult | JwksError;
+declare function getJwkForToken(header: JWSHeaderParameters): Promise<GetJwkResult>;
+declare function clearJwksCache(): void;
+declare function getJwksCacheStatus(): {
+  cached: boolean;
+  expiresIn?: number;
+};
+//#endregion
+export { GetJwkResult, JwksError, JwksResult, clearJwksCache, getJwkForToken, getJwksCacheStatus };

package/dist/domains/github/jwks.js

@@ -0,0 +1,85 @@
+import { getLogger } from "../../logger.js";
+import { createRemoteJWKSet } from "jose";
+
+//#region src/domains/github/jwks.ts
+const logger = getLogger("github-jwks");
+const GITHUB_OIDC_JWKS_URL = "https://token.actions.githubusercontent.com/.well-known/jwks";
+const CACHE_TTL_MS = 3600 * 1e3;
+let jwksCache = null;
+function createJwksWithLogging() {
+	logger.info({}, "Creating new JWKS fetch function for GitHub OIDC");
+	return createRemoteJWKSet(new URL(GITHUB_OIDC_JWKS_URL), { cacheMaxAge: CACHE_TTL_MS });
+}
+function isCacheExpired() {
+	if (!jwksCache) return true;
+	return Date.now() - jwksCache.fetchedAt > CACHE_TTL_MS;
+}
+function getOrCreateJwksFunction() {
+	if (!jwksCache || isCacheExpired()) jwksCache = {
+		jwks: createJwksWithLogging(),
+		fetchedAt: Date.now()
+	};
+	return jwksCache.jwks;
+}
+async function getJwkForToken(header) {
+	const kid = header.kid;
+	if (!kid) return {
+		success: false,
+		error: "Token is missing key ID (kid) in header"
+	};
+	try {
+		const key = await getOrCreateJwksFunction()(header);
+		logger.debug({ kid }, "Successfully retrieved JWK for token");
+		return {
+			success: true,
+			key
+		};
+	} catch (error) {
+		const errorMessage = error instanceof Error ? error.message : "Unknown error";
+		if (errorMessage.includes("no applicable key found")) {
+			logger.warn({ kid }, "Key ID not found in JWKS, refreshing cache");
+			jwksCache = null;
+			try {
+				const key = await getOrCreateJwksFunction()(header);
+				logger.info({ kid }, "Successfully retrieved JWK after cache refresh");
+				return {
+					success: true,
+					key
+				};
+			} catch (retryError) {
+				const retryErrorMessage = retryError instanceof Error ? retryError.message : "Unknown error";
+				logger.error({
+					kid,
+					error: retryErrorMessage
+				}, "Failed to retrieve JWK after cache refresh");
+				return {
+					success: false,
+					error: `Key ID '${kid}' not found in GitHub OIDC JWKS`
+				};
+			}
+		}
+		logger.error({
+			kid,
+			error: errorMessage
+		}, "Failed to fetch JWKS from GitHub");
+		return {
+			success: false,
+			error: `Failed to fetch GitHub OIDC JWKS: ${errorMessage}`
+		};
+	}
+}
+function clearJwksCache() {
+	jwksCache = null;
+	logger.debug({}, "JWKS cache cleared");
+}
+function getJwksCacheStatus() {
+	if (!jwksCache) return { cached: false };
+	const expiresIn = CACHE_TTL_MS - (Date.now() - jwksCache.fetchedAt);
+	return {
+		cached: true,
+		expiresIn: Math.max(0, expiresIn)
+	};
+}
+
+//#endregion
+export { clearJwksCache, getJwkForToken, getJwksCacheStatus };

package/dist/domains/github/oidcToken.d.ts

@@ -0,0 +1,22 @@
+//#region src/domains/github/oidcToken.d.ts
+interface GitHubOidcClaims {
+  repository: string;
+  repository_owner: string;
+  repository_id: string;
+  workflow: string;
+  actor: string;
+  ref: string;
+}
+interface ValidateTokenResult {
+  success: true;
+  claims: GitHubOidcClaims;
+}
+interface ValidateTokenError {
+  success: false;
+  errorType: 'invalid_signature' | 'expired' | 'wrong_issuer' | 'wrong_audience' | 'malformed' | 'jwks_error';
+  message: string;
+}
+type ValidateOidcTokenResult = ValidateTokenResult | ValidateTokenError;
+declare function validateOidcToken(token: string): Promise<ValidateOidcTokenResult>;
+//#endregion
+export { GitHubOidcClaims, ValidateOidcTokenResult, ValidateTokenError, ValidateTokenResult, validateOidcToken };

package/dist/domains/github/oidcToken.js

@@ -0,0 +1,140 @@
+import { getLogger } from "../../logger.js";
+import { getJwkForToken } from "./jwks.js";
+import { decodeProtectedHeader, errors, jwtVerify } from "jose";
+
+//#region src/domains/github/oidcToken.ts
+const logger = getLogger("github-oidc-token");
+const GITHUB_OIDC_ISSUER = "https://token.actions.githubusercontent.com";
+const EXPECTED_AUDIENCE = "inkeep-agents-action";
+async function validateOidcToken(token) {
+	let header;
+	try {
+		header = decodeProtectedHeader(token);
+	} catch (error) {
+		const message = error instanceof Error ? error.message : "Unknown error";
+		logger.warn({ error: message }, "Failed to decode JWT header");
+		return {
+			success: false,
+			errorType: "malformed",
+			message: "Invalid JWT format: unable to decode token header"
+		};
+	}
+	if (header.alg !== "RS256") {
+		logger.warn({ algorithm: header.alg }, "Unexpected JWT algorithm");
+		return {
+			success: false,
+			errorType: "malformed",
+			message: `Invalid JWT algorithm: expected RS256, got ${header.alg}`
+		};
+	}
+	const jwkResult = await getJwkForToken(header);
+	if (!jwkResult.success) {
+		logger.error({ error: jwkResult.error }, "Failed to get JWK for token");
+		return {
+			success: false,
+			errorType: "jwks_error",
+			message: jwkResult.error
+		};
+	}
+	try {
+		const { payload } = await jwtVerify(token, jwkResult.key, {
+			issuer: GITHUB_OIDC_ISSUER,
+			audience: EXPECTED_AUDIENCE
+		});
+		const repository = payload.repository;
+		const repositoryOwner = payload.repository_owner;
+		const repositoryId = payload.repository_id;
+		const workflow = payload.workflow;
+		const actor = payload.actor;
+		const ref = payload.ref;
+		if (typeof repository !== "string" || typeof repositoryOwner !== "string" || typeof repositoryId !== "string" || typeof workflow !== "string" || typeof actor !== "string" || typeof ref !== "string") {
+			logger.warn({ payload }, "OIDC token missing required claims");
+			return {
+				success: false,
+				errorType: "malformed",
+				message: "OIDC token missing required claims: repository, repository_owner, repository_id, workflow, actor, or ref"
+			};
+		}
+		logger.info({
+			repository,
+			actor
+		}, "Successfully validated OIDC token");
+		return {
+			success: true,
+			claims: {
+				repository,
+				repository_owner: repositoryOwner,
+				repository_id: repositoryId,
+				workflow,
+				actor,
+				ref
+			}
+		};
+	} catch (error) {
+		if (error instanceof errors.JWTExpired) {
+			logger.warn({}, "OIDC token has expired");
+			return {
+				success: false,
+				errorType: "expired",
+				message: "OIDC token has expired"
+			};
+		}
+		if (error instanceof errors.JWTClaimValidationFailed) {
+			const claimError = error;
+			if (claimError.claim === "iss") {
+				logger.warn({ issuer: claimError.reason }, "Invalid OIDC token issuer");
+				return {
+					success: false,
+					errorType: "wrong_issuer",
+					message: `Invalid token issuer: expected ${GITHUB_OIDC_ISSUER}`
+				};
+			}
+			if (claimError.claim === "aud") {
+				logger.warn({ audience: claimError.reason }, "Invalid OIDC token audience");
+				return {
+					success: false,
+					errorType: "wrong_audience",
+					message: `Invalid token audience: expected ${EXPECTED_AUDIENCE}`
+				};
+			}
+			logger.warn({
+				claim: claimError.claim,
+				reason: claimError.reason
+			}, "JWT claim validation failed");
+			return {
+				success: false,
+				errorType: "malformed",
+				message: `JWT claim validation failed: ${claimError.claim} ${claimError.reason}`
+			};
+		}
+		if (error instanceof errors.JWSSignatureVerificationFailed) {
+			logger.warn({}, "Invalid OIDC token signature");
+			return {
+				success: false,
+				errorType: "invalid_signature",
+				message: "Invalid token signature"
+			};
+		}
+		if (error instanceof errors.JOSEError) {
+			logger.error({
+				error: error.message,
+				code: error.code
+			}, "JOSE error during token validation");
+			return {
+				success: false,
+				errorType: "malformed",
+				message: `Token validation error: ${error.message}`
+			};
+		}
+		const message = error instanceof Error ? error.message : "Unknown error";
+		logger.error({ error: message }, "Unexpected error during token validation");
+		return {
+			success: false,
+			errorType: "malformed",
+			message: `Token validation error: ${message}`
+		};
+	}
+}
+
+//#endregion
+export { validateOidcToken };

package/dist/domains/github/routes/tokenExchange.d.ts

@@ -0,0 +1,7 @@
+import { Hono } from "hono";
+import * as hono_types14 from "hono/types";
+
+//#region src/domains/github/routes/tokenExchange.d.ts
+declare const app: Hono<hono_types14.BlankEnv, hono_types14.BlankSchema, "/">;
+//#endregion
+export { app as default };

package/dist/domains/github/routes/tokenExchange.js

@@ -0,0 +1,130 @@
+import { getLogger } from "../../../logger.js";
+import { isGitHubAppConfigured } from "../config.js";
+import { generateInstallationAccessToken, lookupInstallationForRepo } from "../installation.js";
+import { validateOidcToken } from "../oidcToken.js";
+import { Hono } from "hono";
+import { z } from "zod";
+
+//#region src/domains/github/routes/tokenExchange.ts
+const logger = getLogger("github-token-exchange");
+const TokenExchangeRequestSchema = z.object({ oidc_token: z.string() });
+const app = new Hono();
+/**
+* Exchange GitHub OIDC token for installation token.
+*
+* This is an internal infrastructure endpoint called by the CLI from GitHub Actions.
+* It exchanges a GitHub Actions OIDC token for a GitHub App installation access token.
+* Not included in the public OpenAPI spec.
+*/
+app.post("/", async (c) => {
+	const rawBody = await c.req.json().catch(() => null);
+	const parseResult = TokenExchangeRequestSchema.safeParse(rawBody);
+	if (!parseResult.success) {
+		const errorMessage = parseResult.error.issues.map((issue) => `${issue.path.join(".")}: ${issue.message}`).join("; ");
+		c.header("Content-Type", "application/problem+json");
+		return c.json({
+			title: "Bad Request",
+			status: 400,
+			detail: errorMessage,
+			error: errorMessage
+		}, 400);
+	}
+	const body = parseResult.data;
+	logger.info({}, "Processing token exchange request");
+	if (!isGitHubAppConfigured()) {
+		logger.error({}, "GitHub App credentials not configured");
+		const errorMessage = "GitHub App credentials are not configured. Please contact the administrator to set up GITHUB_APP_ID and GITHUB_APP_PRIVATE_KEY.";
+		c.header("Content-Type", "application/problem+json");
+		return c.json({
+			title: "GitHub App Not Configured",
+			status: 500,
+			detail: errorMessage,
+			error: errorMessage
+		}, 500);
+	}
+	const validationResult = await validateOidcToken(body.oidc_token);
+	if (!validationResult.success) {
+		const errorType = validationResult.errorType;
+		logger.warn({
+			errorType,
+			message: validationResult.message
+		}, "OIDC token validation failed");
+		c.header("Content-Type", "application/problem+json");
+		if (errorType === "malformed") return c.json({
+			title: "Bad Request",
+			status: 400,
+			detail: validationResult.message,
+			error: validationResult.message
+		}, 400);
+		return c.json({
+			title: "Token Validation Failed",
+			status: 401,
+			detail: validationResult.message,
+			error: validationResult.message
+		}, 401);
+	}
+	const { claims } = validationResult;
+	const installationResult = await lookupInstallationForRepo(claims.repository_owner, claims.repository.split("/")[1]);
+	if (!installationResult.success) {
+		const { errorType, message } = installationResult;
+		if (errorType === "not_installed") {
+			c.header("Content-Type", "application/problem+json");
+			return c.json({
+				title: "GitHub App Not Installed",
+				status: 403,
+				detail: message,
+				error: message
+			}, 403);
+		}
+		logger.error({
+			errorType,
+			message,
+			repository: claims.repository
+		}, "Failed to look up GitHub App installation");
+		c.header("Content-Type", "application/problem+json");
+		return c.json({
+			title: "Installation Lookup Failed",
+			status: 500,
+			detail: message,
+			error: message
+		}, 500);
+	}
+	const { installation } = installationResult;
+	logger.info({
+		installationId: installation.installationId,
+		repository: claims.repository
+	}, "Found GitHub App installation");
+	const tokenResult = await generateInstallationAccessToken(installation.installationId);
+	if (!tokenResult.success) {
+		const { errorType, message } = tokenResult;
+		logger.error({
+			errorType,
+			message,
+			installationId: installation.installationId,
+			repository: claims.repository
+		}, "Failed to generate installation access token");
+		c.header("Content-Type", "application/problem+json");
+		return c.json({
+			title: "Token Generation Failed",
+			status: 500,
+			detail: message,
+			error: message
+		}, 500);
+	}
+	const { accessToken } = tokenResult;
+	logger.info({
+		installationId: installation.installationId,
+		repository: claims.repository,
+		expiresAt: accessToken.expiresAt
+	}, "Token exchange completed successfully");
+	return c.json({
+		token: accessToken.token,
+		expires_at: accessToken.expiresAt,
+		repository: claims.repository,
+		installation_id: installation.installationId
+	}, 200);
+});
+var tokenExchange_default = app;
+
+//#endregion
+export { tokenExchange_default as default };

package/dist/domains/index.d.ts

@@ -1,4 +1,5 @@
 import { createEvalRoutes, evalRoutes } from "./evals/index.js";
+import { createGithubRoutes, githubRoutes } from "./github/index.js";
 import { createManageRoutes, manageRoutes } from "./manage/index.js";
 import { createRunRoutes, runRoutes } from "./run/index.js";
-export { createEvalRoutes, createManageRoutes, createRunRoutes, evalRoutes, manageRoutes, runRoutes };
+export { createEvalRoutes, createGithubRoutes, createManageRoutes, createRunRoutes, evalRoutes, githubRoutes, manageRoutes, runRoutes };

package/dist/domains/index.js

@@ -1,5 +1,6 @@
 import { createEvalRoutes, evalRoutes } from "./evals/index.js";
+import { createGithubRoutes, githubRoutes } from "./github/index.js";
 import { createManageRoutes, manageRoutes } from "./manage/index.js";
 import { createRunRoutes, runRoutes } from "./run/index.js";
 
-export { createEvalRoutes, createManageRoutes, createRunRoutes, evalRoutes, manageRoutes, runRoutes };
+export { createEvalRoutes, createGithubRoutes, createManageRoutes, createRunRoutes, evalRoutes, githubRoutes, manageRoutes, runRoutes };

package/dist/domains/manage/routes/conversations.d.ts

@@ -1,7 +1,7 @@
 import { OpenAPIHono } from "@hono/zod-openapi";
-import * as hono16 from "hono";
+import * as hono14 from "hono";
 
 //#region src/domains/manage/routes/conversations.d.ts
-declare const app: OpenAPIHono<hono16.Env, {}, "/">;
+declare const app: OpenAPIHono<hono14.Env, {}, "/">;
 //#endregion
 export { app as default };

package/dist/domains/manage/routes/evals/evaluationResults.d.ts

@@ -1,7 +1,7 @@
 import { OpenAPIHono } from "@hono/zod-openapi";
-import * as hono18 from "hono";
+import * as hono15 from "hono";
 
 //#region src/domains/manage/routes/evals/evaluationResults.d.ts
-declare const app: OpenAPIHono<hono18.Env, {}, "/">;
+declare const app: OpenAPIHono<hono15.Env, {}, "/">;
 //#endregion
 export { app as default };

package/dist/domains/manage/routes/index.d.ts

@@ -1,7 +1,7 @@
 import { OpenAPIHono } from "@hono/zod-openapi";
-import * as hono6 from "hono";
+import * as hono16 from "hono";
 
 //#region src/domains/manage/routes/index.d.ts
-declare const app: OpenAPIHono<hono6.Env, {}, "/">;
+declare const app: OpenAPIHono<hono16.Env, {}, "/">;
 //#endregion
 export { app as default };

package/dist/domains/manage/routes/mcp.d.ts

@@ -1,7 +1,7 @@
 import { Hono } from "hono";
-import * as hono_types5 from "hono/types";
+import * as hono_types10 from "hono/types";
 
 //#region src/domains/manage/routes/mcp.d.ts
-declare const app: Hono<hono_types5.BlankEnv, hono_types5.BlankSchema, "/">;
+declare const app: Hono<hono_types10.BlankEnv, hono_types10.BlankSchema, "/">;
 //#endregion
 export { app as default };

package/dist/domains/run/context/ContextResolver.js

@@ -1,8 +1,8 @@
 import { ContextCache } from "./contextCache.js";
 import { ContextFetcher, MissingRequiredVariableError } from "./ContextFetcher.js";
 import { getLogger, getTracer, setSpanWithError } from "@inkeep/agents-core";
-import { SpanStatusCode } from "@opentelemetry/api";
 import crypto from "node:crypto";
+import { SpanStatusCode } from "@opentelemetry/api";
 
 //#region src/domains/run/context/ContextResolver.ts
 const logger = getLogger("context-resolver");

package/dist/domains/run/services/BaseCompressor.js

@@ -5,8 +5,8 @@ import { getCompressionConfigForModel } from "../utils/model-context-utils.js";
 import { tracer } from "../utils/tracer.js";
 import { agentSessionManager } from "./AgentSession.js";
 import { getLedgerArtifacts } from "@inkeep/agents-core";
-import { SpanStatusCode } from "@opentelemetry/api";
 import { randomUUID } from "node:crypto";
+import { SpanStatusCode } from "@opentelemetry/api";
 
 //#region src/domains/run/services/BaseCompressor.ts
 const logger = getLogger$1("BaseCompressor");

package/dist/factory.d.ts

@@ -795,25 +795,25 @@ declare function createAgentsAuth(userAuthConfig?: UserAuthConfig): better_auth0
       ac: better_auth_plugins0.AccessControl;
       roles: {
         member: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
         };
         admin: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
         };
         owner: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
         };
       };
       membershipLimit: number;
@@ -987,7 +987,7 @@ declare function createAgentsAuth(userAuthConfig?: UserAuthConfig): better_auth0
         id: string;
         organizationId: string;
         email: string;
-        role: "member" | "owner" | "admin";
+        role: "member" | "admin" | "owner";
         status: better_auth_plugins0.InvitationStatus;
         inviterId: string;
         expiresAt: Date;
@@ -996,7 +996,7 @@ declare function createAgentsAuth(userAuthConfig?: UserAuthConfig): better_auth0
       Member: {
         id: string;
         organizationId: string;
-        role: "member" | "owner" | "admin";
+        role: "member" | "admin" | "owner";
         createdAt: Date;
         userId: string;
         user: {
@@ -1012,7 +1012,7 @@ declare function createAgentsAuth(userAuthConfig?: UserAuthConfig): better_auth0
         members: {
           id: string;
           organizationId: string;
-          role: "member" | "owner" | "admin";
+          role: "member" | "admin" | "owner";
           createdAt: Date;
           userId: string;
           user: {
@@ -1026,7 +1026,7 @@ declare function createAgentsAuth(userAuthConfig?: UserAuthConfig): better_auth0
           id: string;
           organizationId: string;
           email: string;
-          role: "member" | "owner" | "admin";
+          role: "member" | "admin" | "owner";
           status: better_auth_plugins0.InvitationStatus;
           inviterId: string;
           expiresAt: Date;
@@ -1104,25 +1104,25 @@ declare function createAgentsAuth(userAuthConfig?: UserAuthConfig): better_auth0
       ac: better_auth_plugins0.AccessControl;
       roles: {
         member: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
         };
         admin: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
         };
         owner: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
         };
       };
       membershipLimit: number;

package/dist/index.d.ts

@@ -796,25 +796,25 @@ declare const auth: better_auth78.Auth<{
       ac: better_auth_plugins69.AccessControl;
       roles: {
         member: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins69.Statements>[key] | {
-            actions: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins69.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key] | {
+            actions: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins69.AuthorizeResponse;
-          statements: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins69.Statements>;
+          statements: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>;
         };
         admin: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins69.Statements>[key] | {
-            actions: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins69.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key] | {
+            actions: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins69.AuthorizeResponse;
-          statements: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins69.Statements>;
+          statements: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>;
         };
         owner: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins69.Statements>[key] | {
-            actions: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins69.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key] | {
+            actions: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins69.AuthorizeResponse;
-          statements: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins69.Statements>;
+          statements: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>;
         };
       };
       membershipLimit: number;
@@ -988,7 +988,7 @@ declare const auth: better_auth78.Auth<{
         id: string;
         organizationId: string;
         email: string;
-        role: "member" | "owner" | "admin";
+        role: "member" | "admin" | "owner";
         status: better_auth_plugins69.InvitationStatus;
         inviterId: string;
         expiresAt: Date;
@@ -997,7 +997,7 @@ declare const auth: better_auth78.Auth<{
       Member: {
         id: string;
         organizationId: string;
-        role: "member" | "owner" | "admin";
+        role: "member" | "admin" | "owner";
         createdAt: Date;
         userId: string;
         user: {
@@ -1013,7 +1013,7 @@ declare const auth: better_auth78.Auth<{
         members: {
           id: string;
           organizationId: string;
-          role: "member" | "owner" | "admin";
+          role: "member" | "admin" | "owner";
           createdAt: Date;
           userId: string;
           user: {
@@ -1027,7 +1027,7 @@ declare const auth: better_auth78.Auth<{
           id: string;
           organizationId: string;
           email: string;
-          role: "member" | "owner" | "admin";
+          role: "member" | "admin" | "owner";
           status: better_auth_plugins69.InvitationStatus;
           inviterId: string;
           expiresAt: Date;
@@ -1105,25 +1105,25 @@ declare const auth: better_auth78.Auth<{
       ac: better_auth_plugins69.AccessControl;
       roles: {
         member: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins69.Statements>[key] | {
-            actions: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins69.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key] | {
+            actions: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins69.AuthorizeResponse;
-          statements: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins69.Statements>;
+          statements: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>;
         };
         admin: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins69.Statements>[key] | {
-            actions: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins69.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key] | {
+            actions: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins69.AuthorizeResponse;
-          statements: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins69.Statements>;
+          statements: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>;
         };
         owner: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins69.Statements>[key] | {
-            actions: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins69.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key] | {
+            actions: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins69.AuthorizeResponse;
-          statements: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins69.Statements>;
+          statements: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>;
         };
       };
       membershipLimit: number;

package/dist/middleware/runAuth.d.ts

@@ -1,8 +1,8 @@
-import * as hono7 from "hono";
+import * as hono6 from "hono";
 import { BaseExecutionContext } from "@inkeep/agents-core";
 
 //#region src/middleware/runAuth.d.ts
-declare const runApiKeyAuth: () => hono7.MiddlewareHandler<{
+declare const runApiKeyAuth: () => hono6.MiddlewareHandler<{
   Variables: {
     executionContext: BaseExecutionContext;
   };
@@ -11,7 +11,7 @@ declare const runApiKeyAuth: () => hono7.MiddlewareHandler<{
  * Creates a middleware that applies API key authentication except for specified route patterns
  * @param skipRouteCheck - Function that returns true if the route should skip authentication
  */
-declare const runApiKeyAuthExcept: (skipRouteCheck: (path: string) => boolean) => hono7.MiddlewareHandler<{
+declare const runApiKeyAuthExcept: (skipRouteCheck: (path: string) => boolean) => hono6.MiddlewareHandler<{
   Variables: {
     executionContext: BaseExecutionContext;
   };
@@ -20,7 +20,7 @@ declare const runApiKeyAuthExcept: (skipRouteCheck: (path: string) => boolean) =
  * Helper middleware for endpoints that optionally support API key authentication
  * If no auth header is present, it continues without setting the executionContext
  */
-declare const runOptionalAuth: () => hono7.MiddlewareHandler<{
+declare const runOptionalAuth: () => hono6.MiddlewareHandler<{
   Variables: {
     executionContext?: BaseExecutionContext;
   };

package/dist/middleware/tenantAccess.d.ts

@@ -1,4 +1,4 @@
-import * as hono12 from "hono";
+import * as hono9 from "hono";
 
 //#region src/middleware/tenantAccess.d.ts
 
@@ -11,7 +11,7 @@ import * as hono12 from "hono";
  * - API key user: Access only to the tenant associated with the API key
  * - Session user: Access based on organization membership
  */
-declare const requireTenantAccess: () => hono12.MiddlewareHandler<{
+declare const requireTenantAccess: () => hono9.MiddlewareHandler<{
   Variables: {
     userId: string;
     tenantId: string;

package/dist/middleware/tracing.d.ts

@@ -1,7 +1,7 @@
-import * as hono13 from "hono";
+import * as hono12 from "hono";
 
 //#region src/middleware/tracing.d.ts
-declare const otelBaggageMiddleware: () => hono13.MiddlewareHandler<any, string, {}, Response>;
-declare const executionBaggageMiddleware: () => hono13.MiddlewareHandler<any, string, {}, Response>;
+declare const otelBaggageMiddleware: () => hono12.MiddlewareHandler<any, string, {}, Response>;
+declare const executionBaggageMiddleware: () => hono12.MiddlewareHandler<any, string, {}, Response>;
 //#endregion
 export { executionBaggageMiddleware, otelBaggageMiddleware };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@inkeep/agents-api",
-  "version": "0.0.0-dev-20260126093157",
+  "version": "0.0.0-dev-20260126181806",
   "description": "Unified Inkeep Agents API - combines management, runtime, and evaluation capabilities",
   "types": "dist/index.d.ts",
   "exports": {
@@ -67,12 +67,13 @@
     "hono": "^4.10.4",
     "hono-pino": "^0.10.1",
     "jmespath": "^0.16.0",
+    "jose": "^6.1.0",
     "llm-info": "^1.0.69",
     "openid-client": "^6.8.1",
     "pg": "^8.16.3",
     "workflow": "4.0.1-beta.33",
-    "@inkeep/agents-core": "^0.0.0-dev-20260126093157",
-    "@inkeep/agents-manage-mcp": "^0.0.0-dev-20260126093157"
+    "@inkeep/agents-core": "^0.0.0-dev-20260126181806",
+    "@inkeep/agents-manage-mcp": "^0.0.0-dev-20260126181806"
   },
   "peerDependencies": {
     "@hono/zod-openapi": "^1.1.5",