@inkeep/agents-api 0.0.0-dev-20260204075611 → 0.0.0-dev-20260204152302

package/dist/middleware/runAuth.js

@@ -2,7 +2,7 @@ import { getLogger as getLogger$1 } from "../logger.js";
 import { env } from "../env.js";
 import runDbClient_default from "../data/db/runDbClient.js";
 import { createBaseExecutionContext } from "../types/runExecutionContext.js";
-import { validateAndGetApiKey, validateTargetAgent, verifyServiceToken, verifyTempToken } from "@inkeep/agents-core";
+import { canUseProjectStrict, validateAndGetApiKey, validateTargetAgent, verifyServiceToken, verifyTempToken } from "@inkeep/agents-core";
 import { createMiddleware } from "hono/factory";
 import { HTTPException } from "hono/http-exception";
 
@@ -51,21 +51,56 @@ function buildExecutionContext(authResult, reqData) {
 }
 /**
 * Attempts to authenticate using a JWT temporary token
+*
+* Throws HTTPException(403) if the JWT is valid but the user lacks permission.
+* Returns null if the token is not a temp JWT (allowing fallback to other auth methods).
 */
 async function tryTempJwtAuth(apiKey) {
 	if (!apiKey.startsWith("eyJ") || !env.INKEEP_AGENTS_TEMP_JWT_PUBLIC_KEY) return null;
 	try {
 		const payload = await verifyTempToken(Buffer.from(env.INKEEP_AGENTS_TEMP_JWT_PUBLIC_KEY, "base64").toString("utf-8"), apiKey);
-		logger.info({}, "JWT temp token authenticated successfully");
+		const userId = payload.sub;
+		const projectId = payload.projectId;
+		const agentId = payload.agentId;
+		if (!projectId || !agentId) {
+			logger.warn({ userId }, "Missing projectId or agentId in JWT");
+			throw new HTTPException(400, { message: "Invalid token: missing projectId or agentId" });
+		}
+		let canUse;
+		try {
+			canUse = await canUseProjectStrict({
+				userId,
+				projectId
+			});
+		} catch (error) {
+			logger.error({
+				error,
+				userId,
+				projectId
+			}, "SpiceDB permission check failed");
+			throw new HTTPException(503, { message: "Authorization service temporarily unavailable" });
+		}
+		if (!canUse) {
+			logger.warn({
+				userId,
+				projectId
+			}, "User does not have use permission on project");
+			throw new HTTPException(403, { message: "Access denied: insufficient permissions" });
+		}
+		logger.info({
+			projectId,
+			agentId
+		}, "JWT temp token authenticated successfully");
 		return {
 			apiKey,
 			tenantId: payload.tenantId,
-			projectId: payload.projectId,
-			agentId: payload.agentId,
+			projectId,
+			agentId,
 			apiKeyId: "temp-jwt",
 			metadata: { initiatedBy: payload.initiatedBy }
 		};
 	} catch (error) {
+		if (error instanceof HTTPException) throw error;
 		logger.debug({ error }, "JWT verification failed");
 		return null;
 	}

package/dist/middleware/sessionAuth.d.ts

@@ -1,4 +1,4 @@
-import * as hono9 from "hono";
+import * as hono8 from "hono";
 
 //#region src/middleware/sessionAuth.d.ts
 
@@ -7,11 +7,11 @@ import * as hono9 from "hono";
  * Requires that a user has already been authenticated via Better Auth session.
  * Used primarily for manage routes that require an active user session.
  */
-declare const sessionAuth: () => hono9.MiddlewareHandler<any, string, {}, Response>;
+declare const sessionAuth: () => hono8.MiddlewareHandler<any, string, {}, Response>;
 /**
  * Global session middleware - sets user and session in context for all routes
  * Used for all routes that require an active user session.
  */
-declare const sessionContext: () => hono9.MiddlewareHandler<any, string, {}, Response>;
+declare const sessionContext: () => hono8.MiddlewareHandler<any, string, {}, Response>;
 //#endregion
 export { sessionAuth, sessionContext };

package/dist/middleware/tenantAccess.d.ts

@@ -1,4 +1,4 @@
-import * as hono11 from "hono";
+import * as hono2 from "hono";
 
 //#region src/middleware/tenantAccess.d.ts
 
@@ -11,7 +11,7 @@ import * as hono11 from "hono";
  * - API key user: Access only to the tenant associated with the API key
  * - Session user: Access based on organization membership
  */
-declare const requireTenantAccess: () => hono11.MiddlewareHandler<{
+declare const requireTenantAccess: () => hono2.MiddlewareHandler<{
   Variables: {
     userId: string;
     tenantId: string;

package/dist/middleware/tracing.d.ts

@@ -1,7 +1,7 @@
-import * as hono12 from "hono";
+import * as hono13 from "hono";
 
 //#region src/middleware/tracing.d.ts
-declare const otelBaggageMiddleware: () => hono12.MiddlewareHandler<any, string, {}, Response>;
-declare const executionBaggageMiddleware: () => hono12.MiddlewareHandler<any, string, {}, Response>;
+declare const otelBaggageMiddleware: () => hono13.MiddlewareHandler<any, string, {}, Response>;
+declare const executionBaggageMiddleware: () => hono13.MiddlewareHandler<any, string, {}, Response>;
 //#endregion
 export { executionBaggageMiddleware, otelBaggageMiddleware };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@inkeep/agents-api",
-  "version": "0.0.0-dev-20260204075611",
+  "version": "0.0.0-dev-20260204152302",
   "description": "Unified Inkeep Agents API - combines management, runtime, and evaluation capabilities",
   "types": "dist/index.d.ts",
   "exports": {
@@ -66,10 +66,10 @@
     "openid-client": "^6.8.1",
     "pg": "^8.16.3",
     "workflow": "4.0.1-beta.33",
-    "@inkeep/agents-core": "^0.0.0-dev-20260204075611",
-    "@inkeep/agents-manage-mcp": "^0.0.0-dev-20260204075611",
-    "@inkeep/agents-mcp": "^0.0.0-dev-20260204075611",
-    "@inkeep/agents-work-apps": "^0.0.0-dev-20260204075611"
+    "@inkeep/agents-core": "^0.0.0-dev-20260204152302",
+    "@inkeep/agents-manage-mcp": "^0.0.0-dev-20260204152302",
+    "@inkeep/agents-mcp": "^0.0.0-dev-20260204152302",
+    "@inkeep/agents-work-apps": "^0.0.0-dev-20260204152302"
   },
   "peerDependencies": {
     "@hono/zod-openapi": "^1.1.5",