@inkeep/agents-api 0.0.0-dev-20260204175538 → 0.0.0-dev-20260204182014

package/dist/middleware/manageAuth.d.ts

@@ -1,5 +1,5 @@
 import { BaseExecutionContext } from "@inkeep/agents-core";
-import * as hono18 from "hono";
+import * as hono13 from "hono";
 import { createAuth } from "@inkeep/agents-core/auth";
 
 //#region src/middleware/manageAuth.d.ts
@@ -12,7 +12,7 @@ import { createAuth } from "@inkeep/agents-core/auth";
  * 3. Database API key
  * 4. Internal service token
  */
-declare const manageApiKeyAuth: () => hono18.MiddlewareHandler<{
+declare const manageApiKeyAuth: () => hono13.MiddlewareHandler<{
   Variables: {
     executionContext: BaseExecutionContext;
     userId?: string;

package/dist/middleware/manageAuth.js

@@ -1,6 +1,6 @@
 import { env } from "../env.js";
 import runDbClient_default from "../data/db/runDbClient.js";
-import { getLogger, isInternalServiceToken, validateAndGetApiKey, verifyInternalServiceAuthHeader } from "@inkeep/agents-core";
+import { getLogger, isInternalServiceToken, isSlackUserToken, validateAndGetApiKey, verifyInternalServiceAuthHeader, verifySlackUserToken } from "@inkeep/agents-core";
 import { createMiddleware } from "hono/factory";
 import { HTTPException } from "hono/http-exception";
 
@@ -58,6 +58,21 @@ const manageApiKeyAuth = () => createMiddleware(async (c, next) => {
 		await next();
 		return;
 	}
+	if (isSlackUserToken(token)) {
+		const result = await verifySlackUserToken(token);
+		if (!result.valid || !result.payload) throw new HTTPException(401, { message: result.error || "Invalid Slack user token" });
+		logger.info({
+			inkeepUserId: result.payload.sub,
+			tenantId: result.payload.tenantId,
+			slackTeamId: result.payload.slack.teamId,
+			slackUserId: result.payload.slack.userId
+		}, "Slack user JWT authenticated successfully");
+		c.set("userId", result.payload.sub);
+		if (result.payload.slack.email) c.set("userEmail", result.payload.slack.email);
+		c.set("tenantId", result.payload.tenantId);
+		await next();
+		return;
+	}
 	if (isInternalServiceToken(token)) {
 		const result = await verifyInternalServiceAuthHeader(authHeader);
 		if (!result.valid || !result.payload) throw new HTTPException(401, { message: result.error || "Invalid internal service token" });

package/dist/middleware/projectAccess.d.ts

@@ -1,6 +1,6 @@
 import { ManageAppVariables } from "../types/app.js";
 import { ProjectPermissionLevel } from "@inkeep/agents-core";
-import * as hono2 from "hono";
+import * as hono14 from "hono";
 
 //#region src/middleware/projectAccess.d.ts
 /**
@@ -10,6 +10,6 @@ declare const requireProjectPermission: <Env$1 extends {
   Variables: ManageAppVariables;
 } = {
   Variables: ManageAppVariables;
-}>(permission?: ProjectPermissionLevel) => hono2.MiddlewareHandler<Env$1, string, {}, Response>;
+}>(permission?: ProjectPermissionLevel) => hono14.MiddlewareHandler<Env$1, string, {}, Response>;
 //#endregion
 export { requireProjectPermission };

package/dist/middleware/projectConfig.d.ts

@@ -1,11 +1,11 @@
 import { BaseExecutionContext, ResolvedRef } from "@inkeep/agents-core";
-import * as hono8 from "hono";
+import * as hono16 from "hono";
 
 //#region src/middleware/projectConfig.d.ts
 /**
  * Middleware that fetches the full project definition from the Management API
  */
-declare const projectConfigMiddleware: hono8.MiddlewareHandler<{
+declare const projectConfigMiddleware: hono16.MiddlewareHandler<{
   Variables: {
     executionContext: BaseExecutionContext;
     resolvedRef: ResolvedRef;
@@ -15,7 +15,7 @@ declare const projectConfigMiddleware: hono8.MiddlewareHandler<{
  * Creates a middleware that applies project config fetching except for specified route patterns
  * @param skipRouteCheck - Function that returns true if the route should skip the middleware
  */
-declare const projectConfigMiddlewareExcept: (skipRouteCheck: (path: string) => boolean) => hono8.MiddlewareHandler<{
+declare const projectConfigMiddlewareExcept: (skipRouteCheck: (path: string) => boolean) => hono16.MiddlewareHandler<{
   Variables: {
     executionContext: BaseExecutionContext;
     resolvedRef: ResolvedRef;

package/dist/middleware/requirePermission.d.ts

@@ -1,5 +1,5 @@
 import { ManageAppVariables } from "../types/app.js";
-import * as hono13 from "hono";
+import * as hono0 from "hono";
 
 //#region src/middleware/requirePermission.d.ts
 type Permission = {
@@ -9,6 +9,6 @@ declare const requirePermission: <Env$1 extends {
   Variables: ManageAppVariables;
 } = {
   Variables: ManageAppVariables;
-}>(permissions: Permission) => hono13.MiddlewareHandler<Env$1, string, {}, Response>;
+}>(permissions: Permission) => hono0.MiddlewareHandler<Env$1, string, {}, Response>;
 //#endregion
 export { requirePermission };

package/dist/middleware/runAuth.d.ts

@@ -1,8 +1,8 @@
 import { BaseExecutionContext } from "@inkeep/agents-core";
-import * as hono10 from "hono";
+import * as hono2 from "hono";
 
 //#region src/middleware/runAuth.d.ts
-declare const runApiKeyAuth: () => hono10.MiddlewareHandler<{
+declare const runApiKeyAuth: () => hono2.MiddlewareHandler<{
   Variables: {
     executionContext: BaseExecutionContext;
   };
@@ -11,7 +11,7 @@ declare const runApiKeyAuth: () => hono10.MiddlewareHandler<{
  * Creates a middleware that applies API key authentication except for specified route patterns
  * @param skipRouteCheck - Function that returns true if the route should skip authentication
  */
-declare const runApiKeyAuthExcept: (skipRouteCheck: (path: string) => boolean) => hono10.MiddlewareHandler<{
+declare const runApiKeyAuthExcept: (skipRouteCheck: (path: string) => boolean) => hono2.MiddlewareHandler<{
   Variables: {
     executionContext: BaseExecutionContext;
   };
@@ -20,7 +20,7 @@ declare const runApiKeyAuthExcept: (skipRouteCheck: (path: string) => boolean) =
  * Helper middleware for endpoints that optionally support API key authentication
  * If no auth header is present, it continues without setting the executionContext
  */
-declare const runOptionalAuth: () => hono10.MiddlewareHandler<{
+declare const runOptionalAuth: () => hono2.MiddlewareHandler<{
   Variables: {
     executionContext?: BaseExecutionContext;
   };

package/dist/middleware/runAuth.js

@@ -2,7 +2,7 @@ import { getLogger as getLogger$1 } from "../logger.js";
 import { env } from "../env.js";
 import runDbClient_default from "../data/db/runDbClient.js";
 import { createBaseExecutionContext } from "../types/runExecutionContext.js";
-import { canUseProjectStrict, validateAndGetApiKey, validateTargetAgent, verifyServiceToken, verifyTempToken } from "@inkeep/agents-core";
+import { canUseProjectStrict, isSlackUserToken, validateAndGetApiKey, validateTargetAgent, verifyServiceToken, verifySlackUserToken, verifyTempToken } from "@inkeep/agents-core";
 import { createMiddleware } from "hono/factory";
 import { HTTPException } from "hono/http-exception";
 
@@ -125,6 +125,50 @@ async function tryApiKeyAuth(apiKey) {
 	};
 }
 /**
+* Authenticate using a Slack user JWT token (for Slack work app delegation)
+*/
+async function trySlackUserJwtAuth(token, reqData) {
+	if (!isSlackUserToken(token)) return { authResult: null };
+	const result = await verifySlackUserToken(token);
+	if (!result.valid || !result.payload) {
+		logger.warn({ error: result.error }, "Invalid Slack user JWT token");
+		return {
+			authResult: null,
+			failureMessage: `Invalid Slack user token: ${result.error || "Invalid token"}`
+		};
+	}
+	const payload = result.payload;
+	if (!reqData.projectId || !reqData.agentId) {
+		logger.warn({
+			hasProjectId: !!reqData.projectId,
+			hasAgentId: !!reqData.agentId
+		}, "Slack user JWT requires x-inkeep-project-id and x-inkeep-agent-id headers");
+		return {
+			authResult: null,
+			failureMessage: "Slack user token requires x-inkeep-project-id and x-inkeep-agent-id headers"
+		};
+	}
+	logger.info({
+		inkeepUserId: payload.sub,
+		tenantId: payload.tenantId,
+		slackTeamId: payload.slack.teamId,
+		slackUserId: payload.slack.userId,
+		projectId: reqData.projectId,
+		agentId: reqData.agentId
+	}, "Slack user JWT token authenticated successfully");
+	return { authResult: {
+		apiKey: "slack-user-jwt",
+		tenantId: payload.tenantId,
+		projectId: reqData.projectId,
+		agentId: reqData.agentId,
+		apiKeyId: "slack-user-token",
+		metadata: { initiatedBy: {
+			type: "user",
+			id: payload.sub
+		} }
+	} };
+}
+/**
 * Authenticate using a team agent JWT token (for intra-tenant delegation)
 */
 async function tryTeamAgentAuth(token, expectedSubAgentId) {
@@ -210,6 +254,9 @@ async function authenticateRequest(reqData) {
 	if (jwtResult) return { authResult: jwtResult };
 	const bypassResult = tryBypassAuth(apiKey, reqData);
 	if (bypassResult) return { authResult: bypassResult };
+	const slackAttempt = await trySlackUserJwtAuth(apiKey, reqData);
+	if (slackAttempt.authResult) return { authResult: slackAttempt.authResult };
+	if (slackAttempt.failureMessage) return slackAttempt;
 	const apiKeyResult = await tryApiKeyAuth(apiKey);
 	if (apiKeyResult) return { authResult: apiKeyResult };
 	const teamAttempt = await tryTeamAgentAuth(apiKey, subAgentId);

package/dist/middleware/sessionAuth.d.ts

@@ -1,4 +1,4 @@
-import * as hono0 from "hono";
+import * as hono11 from "hono";
 
 //#region src/middleware/sessionAuth.d.ts
 
@@ -7,11 +7,11 @@ import * as hono0 from "hono";
  * Requires that a user has already been authenticated via Better Auth session.
  * Used primarily for manage routes that require an active user session.
  */
-declare const sessionAuth: () => hono0.MiddlewareHandler<any, string, {}, Response>;
+declare const sessionAuth: () => hono11.MiddlewareHandler<any, string, {}, Response>;
 /**
  * Global session middleware - sets user and session in context for all routes
  * Used for all routes that require an active user session.
  */
-declare const sessionContext: () => hono0.MiddlewareHandler<any, string, {}, Response>;
+declare const sessionContext: () => hono11.MiddlewareHandler<any, string, {}, Response>;
 //#endregion
 export { sessionAuth, sessionContext };

package/dist/middleware/tenantAccess.d.ts

@@ -1,4 +1,4 @@
-import * as hono3 from "hono";
+import * as hono1 from "hono";
 
 //#region src/middleware/tenantAccess.d.ts
 
@@ -11,7 +11,7 @@ import * as hono3 from "hono";
  * - API key user: Access only to the tenant associated with the API key
  * - Session user: Access based on organization membership
  */
-declare const requireTenantAccess: () => hono3.MiddlewareHandler<{
+declare const requireTenantAccess: () => hono1.MiddlewareHandler<{
   Variables: {
     userId: string;
     tenantId: string;

package/dist/middleware/tracing.d.ts

@@ -1,7 +1,7 @@
-import * as hono4 from "hono";
+import * as hono7 from "hono";
 
 //#region src/middleware/tracing.d.ts
-declare const otelBaggageMiddleware: () => hono4.MiddlewareHandler<any, string, {}, Response>;
-declare const executionBaggageMiddleware: () => hono4.MiddlewareHandler<any, string, {}, Response>;
+declare const otelBaggageMiddleware: () => hono7.MiddlewareHandler<any, string, {}, Response>;
+declare const executionBaggageMiddleware: () => hono7.MiddlewareHandler<any, string, {}, Response>;
 //#endregion
 export { executionBaggageMiddleware, otelBaggageMiddleware };

package/dist/openapi.d.ts

@@ -8,6 +8,7 @@ declare const TagToDescription: {
   Agents: string;
   'Artifact Components': string;
   Branches: string;
+  Channels: string;
   CLI: string;
   Chat: string;
   'Context Configs': string;
@@ -20,6 +21,7 @@ declare const TagToDescription: {
   'Function Tools': string;
   Functions: string;
   GitHub: string;
+  Invitations: string;
   MCP: string;
   'MCP Catalog': string;
   OAuth: string;
@@ -27,13 +29,19 @@ declare const TagToDescription: {
   'Project Permissions': string;
   Projects: string;
   Refs: string;
+  Resources: string;
+  Slack: string;
   SubAgents: string;
   'Third-Party MCP Servers': string;
   Tools: string;
   Triggers: string;
+  'User Organizations': string;
   'User Project Memberships': string;
+  Users: string;
   Webhooks: string;
+  'Work Apps': string;
   Workflows: string;
+  Workspaces: string;
 };
 declare function setupOpenAPIRoutes<E extends Env = Env>(app: OpenAPIHono<E>): void;
 //#endregion

package/dist/openapi.js

@@ -7,6 +7,7 @@ const TagToDescription = {
 	Agents: "Operations for managing agents",
 	"Artifact Components": "Operations for managing artifact components",
 	Branches: "Operations for managing branches",
+	Channels: "Operations for managing Slack channels",
 	CLI: "CLI authentication endpoints",
 	Chat: "Chat completions endpoints",
 	"Context Configs": "Operations for managing context configurations",
@@ -19,6 +20,7 @@ const TagToDescription = {
 	"Function Tools": "Operations for managing function tools",
 	Functions: "Operations for managing functions",
 	GitHub: "GitHub App integration endpoints",
+	Invitations: "Operations for managing invitations",
 	MCP: "MCP (Model Context Protocol) endpoints",
 	"MCP Catalog": "Operations for MCP catalog",
 	OAuth: "OAuth authentication endpoints",
@@ -26,13 +28,19 @@ const TagToDescription = {
 	"Project Permissions": "Operations for managing project permissions",
 	Projects: "Operations for managing projects",
 	Refs: "Operations for the resolved ref (branch name, tag name, or commit hash)",
+	Resources: "Operations for fetching resources and data",
+	Slack: "Slack App integration endpoints",
 	SubAgents: "Operations for managing sub agents",
 	"Third-Party MCP Servers": "Operations for managing third-party MCP servers",
 	Tools: "Operations for managing MCP tools",
 	Triggers: "Operations for managing triggers",
+	"User Organizations": "Operations for managing user organizations",
 	"User Project Memberships": "Operations for managing user project memberships",
+	Users: "Operations for managing users",
 	Webhooks: "Webhook endpoints",
-	Workflows: "Workflow trigger endpoints"
+	"Work Apps": "Work app integrations (Slack, Teams, etc.)",
+	Workflows: "Workflow trigger endpoints",
+	Workspaces: "Operations for managing Slack workspaces"
 };
 function setupOpenAPIRoutes(app) {
 	app.get("/openapi.json", (c) => {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@inkeep/agents-api",
-  "version": "0.0.0-dev-20260204175538",
+  "version": "0.0.0-dev-20260204182014",
   "description": "Unified Inkeep Agents API - combines management, runtime, and evaluation capabilities",
   "types": "dist/index.d.ts",
   "exports": {
@@ -37,6 +37,7 @@
     "@hono/swagger-ui": "^0.5.1",
     "@hono/zod-openapi": "^1.1.5",
     "@modelcontextprotocol/sdk": "^1.25.2",
+    "@nangohq/node": "^0.69.20",
     "@opentelemetry/api": "^1.9.0",
     "@opentelemetry/auto-instrumentations-node": "^0.64.1",
     "@opentelemetry/baggage-span-processor": "^0.4.0",
@@ -47,6 +48,8 @@
     "@opentelemetry/sdk-node": "^0.205.0",
     "@opentelemetry/sdk-trace-base": "^2.1.0",
     "@opentelemetry/semantic-conventions": "^1.37.0",
+    "@slack/bolt": "^4.6.0",
+    "@slack/web-api": "^7.13.0",
     "@vercel/functions": "^1.4.0",
     "@vercel/sandbox": "^0.0.24",
     "@workflow/builders": "4.0.1-beta.27",
@@ -65,11 +68,12 @@
     "llm-info": "^1.0.69",
     "openid-client": "^6.8.1",
     "pg": "^8.16.3",
+    "slack-block-builder": "^2.8.0",
     "workflow": "4.0.1-beta.33",
-    "@inkeep/agents-core": "^0.0.0-dev-20260204175538",
-    "@inkeep/agents-work-apps": "^0.0.0-dev-20260204175538",
-    "@inkeep/agents-manage-mcp": "^0.0.0-dev-20260204175538",
-    "@inkeep/agents-mcp": "^0.0.0-dev-20260204175538"
+    "@inkeep/agents-core": "^0.0.0-dev-20260204182014",
+    "@inkeep/agents-manage-mcp": "^0.0.0-dev-20260204182014",
+    "@inkeep/agents-mcp": "^0.0.0-dev-20260204182014",
+    "@inkeep/agents-work-apps": "^0.0.0-dev-20260204182014"
   },
   "peerDependencies": {
     "@hono/zod-openapi": "^1.1.5",
@@ -79,6 +83,7 @@
     "@hono/vite-dev-server": "^0.20.1",
     "@opentelemetry/exporter-trace-otlp-proto": "^0.203.0",
     "@opentelemetry/sdk-metrics": "^2.1.0",
+    "@slack/types": "^2.19.0",
     "@types/jmespath": "^0.15.2",
     "@types/node": "^20.11.24",
     "@types/pg": "^8.15.6",