@inkeep/agents-api 0.0.0-dev-20260202060901 → 0.0.0-dev-20260203023016

package/dist/middleware/evalsAuth.d.ts

@@ -1,5 +1,5 @@
 import { BaseExecutionContext } from "@inkeep/agents-core";
-import * as hono0 from "hono";
+import * as hono4 from "hono";
 
 //#region src/middleware/evalsAuth.d.ts
 
@@ -7,7 +7,7 @@ import * as hono0 from "hono";
  * Middleware to authenticate API requests using Bearer token authentication
  * First checks if token matches INKEEP_AGENTS_EVAL_API_BYPASS_SECRET,
  */
-declare const evalApiKeyAuth: () => hono0.MiddlewareHandler<{
+declare const evalApiKeyAuth: () => hono4.MiddlewareHandler<{
   Variables: {
     executionContext: BaseExecutionContext;
   };

package/dist/middleware/manageAuth.d.ts

@@ -1,5 +1,5 @@
 import { BaseExecutionContext } from "@inkeep/agents-core";
-import * as hono1 from "hono";
+import * as hono16 from "hono";
 import { createAuth } from "@inkeep/agents-core/auth";
 
 //#region src/middleware/manageAuth.d.ts
@@ -12,7 +12,7 @@ import { createAuth } from "@inkeep/agents-core/auth";
  * 3. Database API key
  * 4. Internal service token
  */
-declare const manageApiKeyAuth: () => hono1.MiddlewareHandler<{
+declare const manageApiKeyAuth: () => hono16.MiddlewareHandler<{
   Variables: {
     executionContext: BaseExecutionContext;
     userId?: string;

package/dist/middleware/projectAccess.d.ts

@@ -1,6 +1,6 @@
 import { ManageAppVariables } from "../types/app.js";
 import { ProjectPermissionLevel } from "@inkeep/agents-core";
-import * as hono2 from "hono";
+import * as hono17 from "hono";
 
 //#region src/middleware/projectAccess.d.ts
 /**
@@ -10,6 +10,6 @@ declare const requireProjectPermission: <Env$1 extends {
   Variables: ManageAppVariables;
 } = {
   Variables: ManageAppVariables;
-}>(permission?: ProjectPermissionLevel) => hono2.MiddlewareHandler<Env$1, string, {}, Response>;
+}>(permission?: ProjectPermissionLevel) => hono17.MiddlewareHandler<Env$1, string, {}, Response>;
 //#endregion
 export { requireProjectPermission };

package/dist/middleware/projectConfig.d.ts

@@ -1,11 +1,11 @@
 import { BaseExecutionContext, ResolvedRef } from "@inkeep/agents-core";
-import * as hono3 from "hono";
+import * as hono9 from "hono";
 
 //#region src/middleware/projectConfig.d.ts
 /**
  * Middleware that fetches the full project definition from the Management API
  */
-declare const projectConfigMiddleware: hono3.MiddlewareHandler<{
+declare const projectConfigMiddleware: hono9.MiddlewareHandler<{
   Variables: {
     executionContext: BaseExecutionContext;
     resolvedRef: ResolvedRef;
@@ -15,7 +15,7 @@ declare const projectConfigMiddleware: hono3.MiddlewareHandler<{
  * Creates a middleware that applies project config fetching except for specified route patterns
  * @param skipRouteCheck - Function that returns true if the route should skip the middleware
  */
-declare const projectConfigMiddlewareExcept: (skipRouteCheck: (path: string) => boolean) => hono3.MiddlewareHandler<{
+declare const projectConfigMiddlewareExcept: (skipRouteCheck: (path: string) => boolean) => hono9.MiddlewareHandler<{
   Variables: {
     executionContext: BaseExecutionContext;
     resolvedRef: ResolvedRef;

package/dist/middleware/requirePermission.d.ts

@@ -1,5 +1,5 @@
 import { ManageAppVariables } from "../types/app.js";
-import * as hono5 from "hono";
+import * as hono8 from "hono";
 
 //#region src/middleware/requirePermission.d.ts
 type Permission = {
@@ -9,6 +9,6 @@ declare const requirePermission: <Env$1 extends {
   Variables: ManageAppVariables;
 } = {
   Variables: ManageAppVariables;
-}>(permissions: Permission) => hono5.MiddlewareHandler<Env$1, string, {}, Response>;
+}>(permissions: Permission) => hono8.MiddlewareHandler<Env$1, string, {}, Response>;
 //#endregion
 export { requirePermission };

package/dist/middleware/runAuth.d.ts

@@ -1,8 +1,8 @@
 import { BaseExecutionContext } from "@inkeep/agents-core";
-import * as hono6 from "hono";
+import * as hono11 from "hono";
 
 //#region src/middleware/runAuth.d.ts
-declare const runApiKeyAuth: () => hono6.MiddlewareHandler<{
+declare const runApiKeyAuth: () => hono11.MiddlewareHandler<{
   Variables: {
     executionContext: BaseExecutionContext;
   };
@@ -11,7 +11,7 @@ declare const runApiKeyAuth: () => hono6.MiddlewareHandler<{
  * Creates a middleware that applies API key authentication except for specified route patterns
  * @param skipRouteCheck - Function that returns true if the route should skip authentication
  */
-declare const runApiKeyAuthExcept: (skipRouteCheck: (path: string) => boolean) => hono6.MiddlewareHandler<{
+declare const runApiKeyAuthExcept: (skipRouteCheck: (path: string) => boolean) => hono11.MiddlewareHandler<{
   Variables: {
     executionContext: BaseExecutionContext;
   };
@@ -20,7 +20,7 @@ declare const runApiKeyAuthExcept: (skipRouteCheck: (path: string) => boolean) =
  * Helper middleware for endpoints that optionally support API key authentication
  * If no auth header is present, it continues without setting the executionContext
  */
-declare const runOptionalAuth: () => hono6.MiddlewareHandler<{
+declare const runOptionalAuth: () => hono11.MiddlewareHandler<{
   Variables: {
     executionContext?: BaseExecutionContext;
   };

package/dist/middleware/sessionAuth.d.ts

@@ -1,4 +1,4 @@
-import * as hono9 from "hono";
+import * as hono5 from "hono";
 
 //#region src/middleware/sessionAuth.d.ts
 
@@ -7,11 +7,11 @@ import * as hono9 from "hono";
  * Requires that a user has already been authenticated via Better Auth session.
  * Used primarily for manage routes that require an active user session.
  */
-declare const sessionAuth: () => hono9.MiddlewareHandler<any, string, {}, Response>;
+declare const sessionAuth: () => hono5.MiddlewareHandler<any, string, {}, Response>;
 /**
  * Global session middleware - sets user and session in context for all routes
  * Used for all routes that require an active user session.
  */
-declare const sessionContext: () => hono9.MiddlewareHandler<any, string, {}, Response>;
+declare const sessionContext: () => hono5.MiddlewareHandler<any, string, {}, Response>;
 //#endregion
 export { sessionAuth, sessionContext };

package/dist/middleware/tenantAccess.d.ts

@@ -1,4 +1,4 @@
-import * as hono11 from "hono";
+import * as hono2 from "hono";
 
 //#region src/middleware/tenantAccess.d.ts
 
@@ -11,7 +11,7 @@ import * as hono11 from "hono";
  * - API key user: Access only to the tenant associated with the API key
  * - Session user: Access based on organization membership
  */
-declare const requireTenantAccess: () => hono11.MiddlewareHandler<{
+declare const requireTenantAccess: () => hono2.MiddlewareHandler<{
   Variables: {
     userId: string;
     tenantId: string;

package/dist/middleware/tracing.d.ts

@@ -1,7 +1,7 @@
-import * as hono12 from "hono";
+import * as hono14 from "hono";
 
 //#region src/middleware/tracing.d.ts
-declare const otelBaggageMiddleware: () => hono12.MiddlewareHandler<any, string, {}, Response>;
-declare const executionBaggageMiddleware: () => hono12.MiddlewareHandler<any, string, {}, Response>;
+declare const otelBaggageMiddleware: () => hono14.MiddlewareHandler<any, string, {}, Response>;
+declare const executionBaggageMiddleware: () => hono14.MiddlewareHandler<any, string, {}, Response>;
 //#endregion
 export { executionBaggageMiddleware, otelBaggageMiddleware };

package/dist/openapi.d.ts

@@ -19,6 +19,7 @@ declare const TagToDescription: {
   'External Agents': string;
   'Function Tools': string;
   Functions: string;
+  GitHub: string;
   Invitations: string;
   MCP: string;
   'MCP Catalog': string;

package/dist/openapi.js

@@ -18,6 +18,7 @@ const TagToDescription = {
 	"External Agents": "Operations for managing external agents",
 	"Function Tools": "Operations for managing function tools",
 	Functions: "Operations for managing functions",
+	GitHub: "GitHub App integration endpoints",
 	Invitations: "Operations for managing invitations",
 	MCP: "MCP (Model Context Protocol) endpoints",
 	"MCP Catalog": "Operations for MCP catalog",

package/dist/types/runExecutionContext.js

@@ -1,3 +1,5 @@
+import { env } from "../env.js";
+
 //#region src/types/runExecutionContext.ts
 /**
 * Extract userId from execution context metadata (when available)
@@ -16,7 +18,7 @@ function createBaseExecutionContext(params) {
 		tenantId: params.tenantId,
 		projectId: params.projectId,
 		agentId: params.agentId,
-		baseUrl: params.baseUrl || process.env.API_URL || "http://localhost:3003",
+		baseUrl: params.baseUrl || env.INKEEP_AGENTS_API_URL,
 		apiKeyId: params.apiKeyId,
 		subAgentId: params.subAgentId,
 		ref: params.ref,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@inkeep/agents-api",
-  "version": "0.0.0-dev-20260202060901",
+  "version": "0.0.0-dev-20260203023016",
   "description": "Unified Inkeep Agents API - combines management, runtime, and evaluation capabilities",
   "types": "dist/index.d.ts",
   "exports": {
@@ -66,9 +66,10 @@
     "openid-client": "^6.8.1",
     "pg": "^8.16.3",
     "workflow": "4.0.1-beta.33",
-    "@inkeep/agents-core": "^0.0.0-dev-20260202060901",
-    "@inkeep/agents-manage-mcp": "^0.0.0-dev-20260202060901",
-    "@inkeep/agents-mcp": "^0.0.0-dev-20260202060901"
+    "@inkeep/agents-core": "^0.0.0-dev-20260203023016",
+    "@inkeep/agents-manage-mcp": "^0.0.0-dev-20260203023016",
+    "@inkeep/agents-mcp": "^0.0.0-dev-20260203023016",
+    "@inkeep/agents-work-apps": "^0.0.0-dev-20260203023016"
   },
   "peerDependencies": {
     "@hono/zod-openapi": "^1.1.5",

package/dist/domains/github/config.d.ts

@@ -1,14 +0,0 @@
-import { z } from "@hono/zod-openapi";
-
-//#region src/domains/github/config.d.ts
-declare const GitHubAppConfigSchema: z.ZodObject<{
-  appId: z.ZodString;
-  privateKey: z.ZodString;
-}, z.core.$strip>;
-type GitHubAppConfig = z.infer<typeof GitHubAppConfigSchema>;
-declare function getGitHubAppConfig(): GitHubAppConfig;
-declare function isGitHubAppConfigured(): boolean;
-declare function validateGitHubAppConfigOnStartup(): void;
-declare function clearConfigCache(): void;
-//#endregion
-export { GitHubAppConfig, clearConfigCache, getGitHubAppConfig, isGitHubAppConfigured, validateGitHubAppConfigOnStartup };

package/dist/domains/github/config.js

@@ -1,47 +0,0 @@
-import { getLogger } from "../../logger.js";
-import { z } from "@hono/zod-openapi";
-
-//#region src/domains/github/config.ts
-const logger = getLogger("github-config");
-const GitHubAppConfigSchema = z.object({
-	appId: z.string().min(1, "GITHUB_APP_ID is required"),
-	privateKey: z.string().min(1, "GITHUB_APP_PRIVATE_KEY is required")
-});
-let cachedConfig = null;
-function getGitHubAppConfig() {
-	if (cachedConfig) return cachedConfig;
-	const appId = process.env.GITHUB_APP_ID;
-	const privateKey = process.env.GITHUB_APP_PRIVATE_KEY?.replace(/\\n/g, "\n");
-	const result = GitHubAppConfigSchema.safeParse({
-		appId,
-		privateKey
-	});
-	if (!result.success) {
-		const errorMessage = `GitHub App credentials are not configured. ${result.error.issues.map((issue) => issue.message).join(". ")}. Please set GITHUB_APP_ID and GITHUB_APP_PRIVATE_KEY environment variables.`;
-		logger.error({}, errorMessage);
-		throw new Error(errorMessage);
-	}
-	cachedConfig = result.data;
-	logger.info({}, "GitHub App credentials loaded successfully");
-	return cachedConfig;
-}
-function isGitHubAppConfigured() {
-	return Boolean(process.env.GITHUB_APP_ID && process.env.GITHUB_APP_PRIVATE_KEY);
-}
-function validateGitHubAppConfigOnStartup() {
-	if (!isGitHubAppConfigured()) {
-		logger.warn({}, "GitHub App credentials not configured. Token exchange endpoint will return 500 errors. Set GITHUB_APP_ID and GITHUB_APP_PRIVATE_KEY to enable the feature.");
-		return;
-	}
-	try {
-		getGitHubAppConfig();
-	} catch (error) {
-		logger.error({ error }, "GitHub App credentials are invalid. Token exchange endpoint will return 500 errors.");
-	}
-}
-function clearConfigCache() {
-	cachedConfig = null;
-}
-
-//#endregion
-export { clearConfigCache, getGitHubAppConfig, isGitHubAppConfigured, validateGitHubAppConfigOnStartup };

package/dist/domains/github/index.d.ts

@@ -1,12 +0,0 @@
-import { GitHubAppConfig, getGitHubAppConfig, isGitHubAppConfigured } from "./config.js";
-import { GenerateInstallationAccessTokenResult, GenerateTokenError, GenerateTokenResult, InstallationAccessToken, InstallationInfo, LookupInstallationError, LookupInstallationForRepoResult, LookupInstallationResult, generateInstallationAccessToken, lookupInstallationForRepo } from "./installation.js";
-import { GetJwkResult, JwksError, JwksResult, clearJwksCache, getJwkForToken, getJwksCacheStatus } from "./jwks.js";
-import { GitHubOidcClaims, ValidateOidcTokenResult, ValidateTokenError, ValidateTokenResult, validateOidcToken } from "./oidcToken.js";
-import { Hono } from "hono";
-import * as hono_types5 from "hono/types";
-
-//#region src/domains/github/index.d.ts
-declare function createGithubRoutes(): Hono<hono_types5.BlankEnv, hono_types5.BlankSchema, "/">;
-declare const githubRoutes: Hono<hono_types5.BlankEnv, hono_types5.BlankSchema, "/">;
-//#endregion
-export { type GenerateInstallationAccessTokenResult, type GenerateTokenError, type GenerateTokenResult, type GetJwkResult, type GitHubAppConfig, type GitHubOidcClaims, type InstallationAccessToken, type InstallationInfo, type JwksError, type JwksResult, type LookupInstallationError, type LookupInstallationForRepoResult, type LookupInstallationResult, type ValidateOidcTokenResult, type ValidateTokenError, type ValidateTokenResult, clearJwksCache, createGithubRoutes, generateInstallationAccessToken, getGitHubAppConfig, getJwkForToken, getJwksCacheStatus, githubRoutes, isGitHubAppConfigured, lookupInstallationForRepo, validateOidcToken };

package/dist/domains/github/index.js

@@ -1,18 +0,0 @@
-import { getGitHubAppConfig, isGitHubAppConfigured, validateGitHubAppConfigOnStartup } from "./config.js";
-import { generateInstallationAccessToken, lookupInstallationForRepo } from "./installation.js";
-import { clearJwksCache, getJwkForToken, getJwksCacheStatus } from "./jwks.js";
-import { validateOidcToken } from "./oidcToken.js";
-import tokenExchange_default from "./routes/tokenExchange.js";
-import { Hono } from "hono";
-
-//#region src/domains/github/index.ts
-function createGithubRoutes() {
-	validateGitHubAppConfigOnStartup();
-	const app = new Hono();
-	app.route("/token-exchange", tokenExchange_default);
-	return app;
-}
-const githubRoutes = createGithubRoutes();
-
-//#endregion
-export { clearJwksCache, createGithubRoutes, generateInstallationAccessToken, getGitHubAppConfig, getJwkForToken, getJwksCacheStatus, githubRoutes, isGitHubAppConfigured, lookupInstallationForRepo, validateOidcToken };

package/dist/domains/github/installation.d.ts

@@ -1,34 +0,0 @@
-//#region src/domains/github/installation.d.ts
-interface InstallationInfo {
-  installationId: number;
-  accountLogin: string;
-  accountType: 'User' | 'Organization';
-}
-interface LookupInstallationResult {
-  success: true;
-  installation: InstallationInfo;
-}
-interface LookupInstallationError {
-  success: false;
-  errorType: 'not_installed' | 'api_error' | 'jwt_error';
-  message: string;
-}
-type LookupInstallationForRepoResult = LookupInstallationResult | LookupInstallationError;
-interface InstallationAccessToken {
-  token: string;
-  expiresAt: string;
-}
-interface GenerateTokenResult {
-  success: true;
-  accessToken: InstallationAccessToken;
-}
-interface GenerateTokenError {
-  success: false;
-  errorType: 'api_error' | 'jwt_error';
-  message: string;
-}
-type GenerateInstallationAccessTokenResult = GenerateTokenResult | GenerateTokenError;
-declare function lookupInstallationForRepo(repositoryOwner: string, repositoryName: string): Promise<LookupInstallationForRepoResult>;
-declare function generateInstallationAccessToken(installationId: number): Promise<GenerateInstallationAccessTokenResult>;
-//#endregion
-export { GenerateInstallationAccessTokenResult, GenerateTokenError, GenerateTokenResult, InstallationAccessToken, InstallationInfo, LookupInstallationError, LookupInstallationForRepoResult, LookupInstallationResult, generateInstallationAccessToken, lookupInstallationForRepo };

package/dist/domains/github/installation.js

@@ -1,172 +0,0 @@
-import { getLogger } from "../../logger.js";
-import { getGitHubAppConfig } from "./config.js";
-import { createPrivateKey } from "node:crypto";
-import { SignJWT } from "jose";
-
-//#region src/domains/github/installation.ts
-const logger = getLogger("github-installation");
-const GITHUB_API_BASE = "https://api.github.com";
-async function createAppJwt() {
-	const config = getGitHubAppConfig();
-	const privateKey = createPrivateKey({
-		key: config.privateKey,
-		format: "pem"
-	});
-	const now = Math.floor(Date.now() / 1e3);
-	return await new SignJWT({}).setProtectedHeader({ alg: "RS256" }).setIssuedAt(now - 60).setExpirationTime(now + 600).setIssuer(config.appId).sign(privateKey);
-}
-async function lookupInstallationForRepo(repositoryOwner, repositoryName) {
-	let appJwt;
-	try {
-		appJwt = await createAppJwt();
-	} catch (error) {
-		const message = error instanceof Error ? error.message : "Unknown error";
-		logger.error({ error: message }, "Failed to create GitHub App JWT");
-		return {
-			success: false,
-			errorType: "jwt_error",
-			message: `Failed to create GitHub App authentication: ${message}`
-		};
-	}
-	const url = `${GITHUB_API_BASE}/repos/${repositoryOwner}/${repositoryName}/installation`;
-	try {
-		const response = await fetch(url, {
-			method: "GET",
-			headers: {
-				Authorization: `Bearer ${appJwt}`,
-				Accept: "application/vnd.github+json",
-				"X-GitHub-Api-Version": "2022-11-28",
-				"User-Agent": "inkeep-agents-api"
-			}
-		});
-		if (response.status === 404) return {
-			success: false,
-			errorType: "not_installed",
-			message: `GitHub App is not installed on repository ${repositoryOwner}/${repositoryName}. Please install the Inkeep Agents GitHub App on the repository to enable token exchange.`
-		};
-		if (!response.ok) {
-			const errorText = await response.text();
-			logger.error({
-				status: response.status,
-				error: errorText,
-				repositoryOwner,
-				repositoryName
-			}, "GitHub API error looking up installation");
-			return {
-				success: false,
-				errorType: "api_error",
-				message: `GitHub API error (${response.status}): Failed to look up installation for repository`
-			};
-		}
-		const data = await response.json();
-		const installationId = data.id;
-		const accountLogin = data.account?.login;
-		const accountType = data.account?.type;
-		if (typeof installationId !== "number" || typeof accountLogin !== "string") {
-			logger.error({ data }, "Unexpected response format from GitHub API");
-			return {
-				success: false,
-				errorType: "api_error",
-				message: "Unexpected response format from GitHub API"
-			};
-		}
-		logger.info({
-			installationId,
-			accountLogin,
-			accountType,
-			repositoryOwner,
-			repositoryName
-		}, "Found GitHub App installation for repository");
-		return {
-			success: true,
-			installation: {
-				installationId,
-				accountLogin,
-				accountType: accountType === "Organization" ? "Organization" : "User"
-			}
-		};
-	} catch (error) {
-		const message = error instanceof Error ? error.message : "Unknown error";
-		logger.error({
-			error: message,
-			repositoryOwner,
-			repositoryName
-		}, "Error calling GitHub API to look up installation");
-		return {
-			success: false,
-			errorType: "api_error",
-			message: `Failed to connect to GitHub API: ${message}`
-		};
-	}
-}
-async function generateInstallationAccessToken(installationId) {
-	let appJwt;
-	try {
-		appJwt = await createAppJwt();
-	} catch (error) {
-		const message = error instanceof Error ? error.message : "Unknown error";
-		logger.error({ error: message }, "Failed to create GitHub App JWT for token generation");
-		return {
-			success: false,
-			errorType: "jwt_error",
-			message: `Failed to create GitHub App authentication: ${message}`
-		};
-	}
-	const url = `${GITHUB_API_BASE}/app/installations/${installationId}/access_tokens`;
-	try {
-		const response = await fetch(url, {
-			method: "POST",
-			headers: {
-				Authorization: `Bearer ${appJwt}`,
-				Accept: "application/vnd.github+json",
-				"X-GitHub-Api-Version": "2022-11-28",
-				"User-Agent": "inkeep-agents-api"
-			}
-		});
-		if (!response.ok) {
-			const errorText = await response.text();
-			logger.error({
-				status: response.status,
-				error: errorText,
-				installationId
-			}, "GitHub API error generating installation access token");
-			return {
-				success: false,
-				errorType: "api_error",
-				message: `GitHub API error (${response.status}): Failed to generate installation access token`
-			};
-		}
-		const data = await response.json();
-		const token = data.token;
-		const expiresAt = data.expires_at;
-		if (typeof token !== "string" || typeof expiresAt !== "string") {
-			logger.error({ data }, "Unexpected response format from GitHub API for token generation");
-			return {
-				success: false,
-				errorType: "api_error",
-				message: "Unexpected response format from GitHub API"
-			};
-		}
-		return {
-			success: true,
-			accessToken: {
-				token,
-				expiresAt
-			}
-		};
-	} catch (error) {
-		const message = error instanceof Error ? error.message : "Unknown error";
-		logger.error({
-			error: message,
-			installationId
-		}, "Error calling GitHub API to generate installation access token");
-		return {
-			success: false,
-			errorType: "api_error",
-			message: `Failed to connect to GitHub API: ${message}`
-		};
-	}
-}
-
-//#endregion
-export { generateInstallationAccessToken, lookupInstallationForRepo };

package/dist/domains/github/jwks.d.ts

@@ -1,20 +0,0 @@
-import { CryptoKey, JWSHeaderParameters } from "jose";
-
-//#region src/domains/github/jwks.d.ts
-interface JwksResult {
-  success: true;
-  key: CryptoKey;
-}
-interface JwksError {
-  success: false;
-  error: string;
-}
-type GetJwkResult = JwksResult | JwksError;
-declare function getJwkForToken(header: JWSHeaderParameters): Promise<GetJwkResult>;
-declare function clearJwksCache(): void;
-declare function getJwksCacheStatus(): {
-  cached: boolean;
-  expiresIn?: number;
-};
-//#endregion
-export { GetJwkResult, JwksError, JwksResult, clearJwksCache, getJwkForToken, getJwksCacheStatus };

package/dist/domains/github/jwks.js

@@ -1,85 +0,0 @@
-import { getLogger } from "../../logger.js";
-import { createRemoteJWKSet } from "jose";
-
-//#region src/domains/github/jwks.ts
-const logger = getLogger("github-jwks");
-const GITHUB_OIDC_JWKS_URL = "https://token.actions.githubusercontent.com/.well-known/jwks";
-const CACHE_TTL_MS = 3600 * 1e3;
-let jwksCache = null;
-function createJwksWithLogging() {
-	logger.info({}, "Creating new JWKS fetch function for GitHub OIDC");
-	return createRemoteJWKSet(new URL(GITHUB_OIDC_JWKS_URL), { cacheMaxAge: CACHE_TTL_MS });
-}
-function isCacheExpired() {
-	if (!jwksCache) return true;
-	return Date.now() - jwksCache.fetchedAt > CACHE_TTL_MS;
-}
-function getOrCreateJwksFunction() {
-	if (!jwksCache || isCacheExpired()) jwksCache = {
-		jwks: createJwksWithLogging(),
-		fetchedAt: Date.now()
-	};
-	return jwksCache.jwks;
-}
-async function getJwkForToken(header) {
-	const kid = header.kid;
-	if (!kid) return {
-		success: false,
-		error: "Token is missing key ID (kid) in header"
-	};
-	try {
-		const key = await getOrCreateJwksFunction()(header);
-		logger.debug({ kid }, "Successfully retrieved JWK for token");
-		return {
-			success: true,
-			key
-		};
-	} catch (error) {
-		const errorMessage = error instanceof Error ? error.message : "Unknown error";
-		if (errorMessage.includes("no applicable key found")) {
-			logger.warn({ kid }, "Key ID not found in JWKS, refreshing cache");
-			jwksCache = null;
-			try {
-				const key = await getOrCreateJwksFunction()(header);
-				logger.info({ kid }, "Successfully retrieved JWK after cache refresh");
-				return {
-					success: true,
-					key
-				};
-			} catch (retryError) {
-				const retryErrorMessage = retryError instanceof Error ? retryError.message : "Unknown error";
-				logger.error({
-					kid,
-					error: retryErrorMessage
-				}, "Failed to retrieve JWK after cache refresh");
-				return {
-					success: false,
-					error: `Key ID '${kid}' not found in GitHub OIDC JWKS`
-				};
-			}
-		}
-		logger.error({
-			kid,
-			error: errorMessage
-		}, "Failed to fetch JWKS from GitHub");
-		return {
-			success: false,
-			error: `Failed to fetch GitHub OIDC JWKS: ${errorMessage}`
-		};
-	}
-}
-function clearJwksCache() {
-	jwksCache = null;
-	logger.debug({}, "JWKS cache cleared");
-}
-function getJwksCacheStatus() {
-	if (!jwksCache) return { cached: false };
-	const expiresIn = CACHE_TTL_MS - (Date.now() - jwksCache.fetchedAt);
-	return {
-		cached: true,
-		expiresIn: Math.max(0, expiresIn)
-	};
-}
-
-//#endregion
-export { clearJwksCache, getJwkForToken, getJwksCacheStatus };

package/dist/domains/github/oidcToken.d.ts

@@ -1,22 +0,0 @@
-//#region src/domains/github/oidcToken.d.ts
-interface GitHubOidcClaims {
-  repository: string;
-  repository_owner: string;
-  repository_id: string;
-  workflow: string;
-  actor: string;
-  ref: string;
-}
-interface ValidateTokenResult {
-  success: true;
-  claims: GitHubOidcClaims;
-}
-interface ValidateTokenError {
-  success: false;
-  errorType: 'invalid_signature' | 'expired' | 'wrong_issuer' | 'wrong_audience' | 'malformed' | 'jwks_error';
-  message: string;
-}
-type ValidateOidcTokenResult = ValidateTokenResult | ValidateTokenError;
-declare function validateOidcToken(token: string): Promise<ValidateOidcTokenResult>;
-//#endregion
-export { GitHubOidcClaims, ValidateOidcTokenResult, ValidateTokenError, ValidateTokenResult, validateOidcToken };