@inkeep/agents-api 0.0.0-dev-20260205195256 → 0.0.0-dev-20260205205159

package/dist/.well-known/workflow/v1/manifest.debug.json

@@ -41,15 +41,15 @@
     }
   },
   "workflows": {
-    "src/domains/evals/workflow/functions/evaluateConversation.ts": {
-      "_evaluateConversationWorkflow": {
-        "workflowId": "workflow//src/domains/evals/workflow/functions/evaluateConversation.ts//_evaluateConversationWorkflow"
-      }
-    },
     "src/domains/evals/workflow/functions/runDatasetItem.ts": {
       "_runDatasetItemWorkflow": {
         "workflowId": "workflow//src/domains/evals/workflow/functions/runDatasetItem.ts//_runDatasetItemWorkflow"
       }
+    },
+    "src/domains/evals/workflow/functions/evaluateConversation.ts": {
+      "_evaluateConversationWorkflow": {
+        "workflowId": "workflow//src/domains/evals/workflow/functions/evaluateConversation.ts//_evaluateConversationWorkflow"
+      }
     }
   }
 }

package/dist/.well-known/workflow/v1/step.cjs

@@ -147101,6 +147101,7 @@ var envSchema = external_exports.object({
   OAUTH_PROXY_PRODUCTION_URL: external_exports.string().optional().describe("OAuth proxy URL for production environment (used in local/preview environments)"),
   INKEEP_AGENTS_MANAGE_UI_URL: external_exports.string().optional().describe("URL where the management UI is hosted"),
   INKEEP_AGENTS_API_URL: external_exports.string().optional().describe("URL where the agents management API is running"),
+  AUTH_COOKIE_DOMAIN: external_exports.string().optional().describe("Explicit cookie domain for cross-subdomain auth (e.g., .inkeep.com). Required when the API and UI do not share a common 3-part parent domain."),
   GITHUB_MCP_API_KEY: external_exports.string().optional().describe("API key for the GitHub MCP")
 });
 var parseEnv = /* @__PURE__ */ __name(() => {
@@ -228778,6 +228779,7 @@ var envSchema2 = external_exports.object({
   INKEEP_AGENTS_RUN_DATABASE_URL: external_exports.string().describe("PostgreSQL connection URL for the runtime database (Doltgres with Git version control)"),
   INKEEP_AGENTS_MANAGE_UI_URL: external_exports.string().optional().describe("URL where the management UI is hosted"),
   INKEEP_AGENTS_API_URL: external_exports.string().optional().default("http://localhost:3002").describe("URL where the agents management API is running"),
+  AUTH_COOKIE_DOMAIN: external_exports.string().optional().describe("Explicit cookie domain for cross-subdomain auth (e.g., .inkeep.com). Required when the API and UI do not share a common 3-part parent domain."),
   // Authentication
   BETTER_AUTH_SECRET: external_exports.string().optional().describe("Secret key for Better Auth session encryption (change in production)"),
   INKEEP_AGENTS_MANAGE_UI_USERNAME: external_exports.string().optional().refine((val) => !val || /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(val), {

package/dist/createApp.d.ts

@@ -1,10 +1,10 @@
 import { AppConfig } from "./types/app.js";
 import "./types/index.js";
 import { Hono } from "hono";
-import * as hono_types1 from "hono/types";
+import * as hono_types0 from "hono/types";
 
 //#region src/createApp.d.ts
 declare const isWebhookRoute: (path: string) => boolean;
-declare function createAgentsHono(config: AppConfig): Hono<hono_types1.BlankEnv, hono_types1.BlankSchema, "/">;
+declare function createAgentsHono(config: AppConfig): Hono<hono_types0.BlankEnv, hono_types0.BlankSchema, "/">;
 //#endregion
 export { createAgentsHono, isWebhookRoute };

package/dist/domains/evals/routes/datasetTriggers.d.ts

@@ -1,7 +1,7 @@
 import { OpenAPIHono } from "@hono/zod-openapi";
-import * as hono18 from "hono";
+import * as hono16 from "hono";
 
 //#region src/domains/evals/routes/datasetTriggers.d.ts
-declare const app: OpenAPIHono<hono18.Env, {}, "/">;
+declare const app: OpenAPIHono<hono16.Env, {}, "/">;
 //#endregion
 export { app as default };

package/dist/domains/evals/workflow/routes.d.ts

@@ -1,7 +1,7 @@
 import { Hono } from "hono";
-import * as hono_types7 from "hono/types";
+import * as hono_types12 from "hono/types";
 
 //#region src/domains/evals/workflow/routes.d.ts
-declare const workflowRoutes: Hono<hono_types7.BlankEnv, hono_types7.BlankSchema, "/">;
+declare const workflowRoutes: Hono<hono_types12.BlankEnv, hono_types12.BlankSchema, "/">;
 //#endregion
 export { workflowRoutes };

package/dist/domains/manage/routes/availableAgents.d.ts

@@ -1,7 +1,7 @@
 import { OpenAPIHono } from "@hono/zod-openapi";
-import * as hono14 from "hono";
+import * as hono18 from "hono";
 
 //#region src/domains/manage/routes/availableAgents.d.ts
-declare const app: OpenAPIHono<hono14.Env, {}, "/">;
+declare const app: OpenAPIHono<hono18.Env, {}, "/">;
 //#endregion
 export { app as default };

package/dist/domains/manage/routes/conversations.d.ts

@@ -1,7 +1,7 @@
 import { OpenAPIHono } from "@hono/zod-openapi";
-import * as hono15 from "hono";
+import * as hono5 from "hono";
 
 //#region src/domains/manage/routes/conversations.d.ts
-declare const app: OpenAPIHono<hono15.Env, {}, "/">;
+declare const app: OpenAPIHono<hono5.Env, {}, "/">;
 //#endregion
 export { app as default };

package/dist/domains/manage/routes/index.d.ts

@@ -1,7 +1,7 @@
 import { OpenAPIHono } from "@hono/zod-openapi";
-import * as hono16 from "hono";
+import * as hono6 from "hono";
 
 //#region src/domains/manage/routes/index.d.ts
-declare const app: OpenAPIHono<hono16.Env, {}, "/">;
+declare const app: OpenAPIHono<hono6.Env, {}, "/">;
 //#endregion
 export { app as default };

package/dist/domains/manage/routes/invitations.d.ts

@@ -1,10 +1,10 @@
 import { ManageAppVariables } from "../../../types/app.js";
 import { Hono } from "hono";
-import * as hono_types3 from "hono/types";
+import * as hono_types5 from "hono/types";
 
 //#region src/domains/manage/routes/invitations.d.ts
 declare const invitationsRoutes: Hono<{
   Variables: ManageAppVariables;
-}, hono_types3.BlankSchema, "/">;
+}, hono_types5.BlankSchema, "/">;
 //#endregion
 export { invitationsRoutes as default };

package/dist/domains/manage/routes/mcp.d.ts

@@ -1,7 +1,7 @@
 import { Hono } from "hono";
-import * as hono_types4 from "hono/types";
+import * as hono_types6 from "hono/types";
 
 //#region src/domains/manage/routes/mcp.d.ts
-declare const app: Hono<hono_types4.BlankEnv, hono_types4.BlankSchema, "/">;
+declare const app: Hono<hono_types6.BlankEnv, hono_types6.BlankSchema, "/">;
 //#endregion
 export { app as default };

package/dist/domains/manage/routes/signoz.d.ts

@@ -1,10 +1,10 @@
 import { ManageAppVariables } from "../../../types/app.js";
 import { Hono } from "hono";
-import * as hono_types9 from "hono/types";
+import * as hono_types8 from "hono/types";
 
 //#region src/domains/manage/routes/signoz.d.ts
 declare const app: Hono<{
   Variables: ManageAppVariables;
-}, hono_types9.BlankSchema, "/">;
+}, hono_types8.BlankSchema, "/">;
 //#endregion
 export { app as default };

package/dist/domains/manage/routes/userOrganizations.d.ts

@@ -1,10 +1,10 @@
 import { ManageAppVariables } from "../../../types/app.js";
 import { Hono } from "hono";
-import * as hono_types6 from "hono/types";
+import * as hono_types9 from "hono/types";
 
 //#region src/domains/manage/routes/userOrganizations.d.ts
 declare const userOrganizationsRoutes: Hono<{
   Variables: ManageAppVariables;
-}, hono_types6.BlankSchema, "/">;
+}, hono_types9.BlankSchema, "/">;
 //#endregion
 export { userOrganizationsRoutes as default };

package/dist/domains/run/services/AgentSession.js

@@ -526,7 +526,7 @@ var AgentSession = class {
 				const previousSummaryContext = previousSummaries.length > 0 ? `\nPrevious updates sent to user:\n${previousSummaries.map((s, i) => `${i + 1}. ${s}`).join("\n")}\n` : "";
 				const selectionSchema = z.object({ updates: z.array(z.union([z.object({
 					type: z.literal("no_relevant_updates"),
-					data: z.object({ no_updates: z.boolean().default(true) }).describe("Use when nothing substantially new to report. Should only use on its own.")
+					data: z.object({ no_updates: z.boolean() }).describe("Use when nothing substantially new to report. Should only use on its own.")
 				}), ...statusComponents.map((component) => z.object({
 					type: z.literal(component.type),
 					data: this.getComponentSchema(component).describe(component.description || component.type)

package/dist/env.d.ts

@@ -14,16 +14,17 @@ declare const envSchema: z.ZodObject<{
     pentest: "pentest";
   }>>;
   LOG_LEVEL: z.ZodDefault<z.ZodEnum<{
-    error: "error";
     trace: "trace";
     debug: "debug";
     info: "info";
     warn: "warn";
+    error: "error";
   }>>;
   INKEEP_AGENTS_MANAGE_DATABASE_URL: z.ZodString;
   INKEEP_AGENTS_RUN_DATABASE_URL: z.ZodString;
   INKEEP_AGENTS_MANAGE_UI_URL: z.ZodOptional<z.ZodString>;
   INKEEP_AGENTS_API_URL: z.ZodDefault<z.ZodOptional<z.ZodString>>;
+  AUTH_COOKIE_DOMAIN: z.ZodOptional<z.ZodString>;
   BETTER_AUTH_SECRET: z.ZodOptional<z.ZodString>;
   INKEEP_AGENTS_MANAGE_UI_USERNAME: z.ZodOptional<z.ZodString>;
   INKEEP_AGENTS_MANAGE_UI_PASSWORD: z.ZodOptional<z.ZodString>;
@@ -58,7 +59,7 @@ declare const envSchema: z.ZodObject<{
 declare const env: {
   NODE_ENV: "development" | "production" | "test";
   ENVIRONMENT: "development" | "production" | "test" | "pentest";
-  LOG_LEVEL: "error" | "trace" | "debug" | "info" | "warn";
+  LOG_LEVEL: "trace" | "debug" | "info" | "warn" | "error";
   INKEEP_AGENTS_MANAGE_DATABASE_URL: string;
   INKEEP_AGENTS_RUN_DATABASE_URL: string;
   INKEEP_AGENTS_API_URL: string;
@@ -68,6 +69,7 @@ declare const env: {
   TENANT_ID: string;
   ANTHROPIC_API_KEY: string;
   INKEEP_AGENTS_MANAGE_UI_URL?: string | undefined;
+  AUTH_COOKIE_DOMAIN?: string | undefined;
   BETTER_AUTH_SECRET?: string | undefined;
   INKEEP_AGENTS_MANAGE_UI_USERNAME?: string | undefined;
   INKEEP_AGENTS_MANAGE_UI_PASSWORD?: string | undefined;

package/dist/env.js

@@ -26,6 +26,7 @@ const envSchema = z.object({
 	INKEEP_AGENTS_RUN_DATABASE_URL: z.string().describe("PostgreSQL connection URL for the runtime database (Doltgres with Git version control)"),
 	INKEEP_AGENTS_MANAGE_UI_URL: z.string().optional().describe("URL where the management UI is hosted"),
 	INKEEP_AGENTS_API_URL: z.string().optional().default("http://localhost:3002").describe("URL where the agents management API is running"),
+	AUTH_COOKIE_DOMAIN: z.string().optional().describe("Explicit cookie domain for cross-subdomain auth (e.g., .inkeep.com). Required when the API and UI do not share a common 3-part parent domain."),
 	BETTER_AUTH_SECRET: z.string().optional().describe("Secret key for Better Auth session encryption (change in production)"),
 	INKEEP_AGENTS_MANAGE_UI_USERNAME: z.string().optional().refine((val) => !val || /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(val), { message: "Invalid email address" }).describe("Admin email address for management UI login"),
 	INKEEP_AGENTS_MANAGE_UI_PASSWORD: z.string().optional().refine((val) => !val || val.length >= 8, { message: "Password must be at least 8 characters" }).describe("Admin password for management UI login (min 8 characters)"),

package/dist/factory.d.ts

@@ -6,7 +6,7 @@ import { CredentialStore, ServerConfig } from "@inkeep/agents-core";
 import * as hono0 from "hono";
 import * as zod0 from "zod";
 import { SSOProviderConfig, UserAuthConfig } from "@inkeep/agents-core/auth";
-import * as hono_types0 from "hono/types";
+import * as hono_types1 from "hono/types";
 import * as better_auth0 from "better-auth";
 import * as better_auth_plugins0 from "better-auth/plugins";
 import * as _better_auth_sso0 from "@better-auth/sso";
@@ -794,25 +794,25 @@ declare function createAgentsAuth(userAuthConfig?: UserAuthConfig): better_auth0
       ac: better_auth_plugins0.AccessControl;
       roles: {
         member: {
-          authorize<K_1 extends "organization" | "ac" | "member" | "project" | "team" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "ac" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins0.Statements>;
         };
         admin: {
-          authorize<K_1 extends "organization" | "ac" | "member" | "project" | "team" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "ac" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins0.Statements>;
         };
         owner: {
-          authorize<K_1 extends "organization" | "ac" | "member" | "project" | "team" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "ac" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins0.Statements>;
         };
       };
       creatorRole: "admin";
@@ -1104,25 +1104,25 @@ declare function createAgentsAuth(userAuthConfig?: UserAuthConfig): better_auth0
       ac: better_auth_plugins0.AccessControl;
       roles: {
         member: {
-          authorize<K_1 extends "organization" | "ac" | "member" | "project" | "team" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "ac" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins0.Statements>;
         };
         admin: {
-          authorize<K_1 extends "organization" | "ac" | "member" | "project" | "team" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "ac" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins0.Statements>;
         };
         owner: {
-          authorize<K_1 extends "organization" | "ac" | "member" | "project" | "team" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "ac" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins0.Statements>;
         };
       };
       creatorRole: "admin";
@@ -1536,6 +1536,6 @@ declare function createAgentsApp(config?: {
   credentialStores?: CredentialStore[];
   auth?: UserAuthConfig;
   sandboxConfig?: SandboxConfig;
-}): hono0.Hono<hono_types0.BlankEnv, hono_types0.BlankSchema, "/">;
+}): hono0.Hono<hono_types1.BlankEnv, hono_types1.BlankSchema, "/">;
 //#endregion
 export { type SSOProviderConfig, type UserAuthConfig, createAgentsApp, createAgentsAuth, createAgentsHono, createAuth0Provider, createOIDCProvider };

package/dist/factory.js

@@ -19,6 +19,7 @@ function createAgentsAuth(userAuthConfig) {
 		baseURL: env.INKEEP_AGENTS_API_URL || `http://localhost:3002`,
 		secret: env.BETTER_AUTH_SECRET || "development-secret-change-in-production",
 		dbClient: runDbClient_default,
+		...env.AUTH_COOKIE_DOMAIN && { cookieDomain: env.AUTH_COOKIE_DOMAIN },
 		...userAuthConfig?.ssoProviders && { ssoProviders: userAuthConfig.ssoProviders },
 		...userAuthConfig?.socialProviders && { socialProviders: userAuthConfig.socialProviders }
 	});

package/dist/index.d.ts

@@ -7,7 +7,7 @@ import { createAuth0Provider, createOIDCProvider } from "./ssoHelpers.js";
 import { SSOProviderConfig, UserAuthConfig, createAgentsApp } from "./factory.js";
 import { Hono } from "hono";
 import * as zod205 from "zod";
-import * as hono_types12 from "hono/types";
+import * as hono_types3 from "hono/types";
 import * as better_auth78 from "better-auth";
 import * as better_auth_plugins69 from "better-auth/plugins";
 import * as _better_auth_sso10 from "@better-auth/sso";
@@ -795,25 +795,25 @@ declare const auth: better_auth78.Auth<{
       ac: better_auth_plugins69.AccessControl;
       roles: {
         member: {
-          authorize<K_1 extends "organization" | "ac" | "member" | "project" | "team" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins69.Statements>[key] | {
-            actions: better_auth_plugins69.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins69.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "ac" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins69.Statements>[key] | {
+            actions: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins69.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins69.AuthorizeResponse;
-          statements: better_auth_plugins69.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins69.Statements>;
+          statements: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins69.Statements>;
         };
         admin: {
-          authorize<K_1 extends "organization" | "ac" | "member" | "project" | "team" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins69.Statements>[key] | {
-            actions: better_auth_plugins69.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins69.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "ac" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins69.Statements>[key] | {
+            actions: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins69.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins69.AuthorizeResponse;
-          statements: better_auth_plugins69.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins69.Statements>;
+          statements: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins69.Statements>;
         };
         owner: {
-          authorize<K_1 extends "organization" | "ac" | "member" | "project" | "team" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins69.Statements>[key] | {
-            actions: better_auth_plugins69.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins69.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "ac" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins69.Statements>[key] | {
+            actions: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins69.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins69.AuthorizeResponse;
-          statements: better_auth_plugins69.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins69.Statements>;
+          statements: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins69.Statements>;
         };
       };
       creatorRole: "admin";
@@ -1105,25 +1105,25 @@ declare const auth: better_auth78.Auth<{
       ac: better_auth_plugins69.AccessControl;
       roles: {
         member: {
-          authorize<K_1 extends "organization" | "ac" | "member" | "project" | "team" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins69.Statements>[key] | {
-            actions: better_auth_plugins69.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins69.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "ac" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins69.Statements>[key] | {
+            actions: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins69.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins69.AuthorizeResponse;
-          statements: better_auth_plugins69.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins69.Statements>;
+          statements: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins69.Statements>;
         };
         admin: {
-          authorize<K_1 extends "organization" | "ac" | "member" | "project" | "team" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins69.Statements>[key] | {
-            actions: better_auth_plugins69.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins69.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "ac" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins69.Statements>[key] | {
+            actions: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins69.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins69.AuthorizeResponse;
-          statements: better_auth_plugins69.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins69.Statements>;
+          statements: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins69.Statements>;
         };
         owner: {
-          authorize<K_1 extends "organization" | "ac" | "member" | "project" | "team" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins69.Statements>[key] | {
-            actions: better_auth_plugins69.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins69.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "ac" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins69.Statements>[key] | {
+            actions: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins69.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins69.AuthorizeResponse;
-          statements: better_auth_plugins69.Subset<"organization" | "ac" | "member" | "project" | "team" | "invitation", better_auth_plugins69.Statements>;
+          statements: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "ac" | "team", better_auth_plugins69.Statements>;
         };
       };
       creatorRole: "admin";
@@ -1532,6 +1532,6 @@ declare const auth: better_auth78.Auth<{
     }>;
   }];
 }>;
-declare const app: Hono<hono_types12.BlankEnv, hono_types12.BlankSchema, "/">;
+declare const app: Hono<hono_types3.BlankEnv, hono_types3.BlankSchema, "/">;
 //#endregion
 export { type AppConfig, type AppVariables, Hono, type NativeSandboxConfig, type SSOProviderConfig, type SandboxConfig, type UserAuthConfig, type VercelSandboxConfig, auth, createAgentsApp, createAgentsHono, createAuth0Provider, createOIDCProvider, app as default };

package/dist/middleware/cors.d.ts

@@ -6,10 +6,15 @@ type CorsOptions = Parameters<typeof cors>[0];
  * Extract the base domain from a hostname (e.g., 'app.preview.inkeep.com' -> 'preview.inkeep.com')
  */
 declare function getBaseDomain(hostname: string): string;
+/**
+ * Extract the registrable domain (eTLD+1) from a hostname.
+ * e.g., 'api.agents.inkeep.com' -> 'inkeep.com', 'app.inkeep.com' -> 'inkeep.com'
+ */
+declare function getRootDomain(hostname: string): string;
 /**
  * Check if a request origin is allowed for CORS
  * Development: Allow any localhost origin
- * Production: Allow same base domain or configured UI URL
+ * Production: Allow same base domain, same root domain (when UI URL is configured), or configured UI URL
  */
 declare function isOriginAllowed(origin: string | undefined): origin is string;
 /**
@@ -33,4 +38,4 @@ declare const runCorsConfig: CorsOptions;
  */
 declare const signozCorsConfig: CorsOptions;
 //#endregion
-export { authCorsConfig, defaultCorsConfig, getBaseDomain, isOriginAllowed, playgroundCorsConfig, runCorsConfig, signozCorsConfig };
+export { authCorsConfig, defaultCorsConfig, getBaseDomain, getRootDomain, isOriginAllowed, playgroundCorsConfig, runCorsConfig, signozCorsConfig };

package/dist/middleware/cors.js

@@ -10,9 +10,18 @@ function getBaseDomain(hostname) {
 	return hostname;
 }
 /**
+* Extract the registrable domain (eTLD+1) from a hostname.
+* e.g., 'api.agents.inkeep.com' -> 'inkeep.com', 'app.inkeep.com' -> 'inkeep.com'
+*/
+function getRootDomain(hostname) {
+	const parts = hostname.split(".");
+	if (parts.length >= 2) return parts.slice(-2).join(".");
+	return hostname;
+}
+/**
 * Check if a request origin is allowed for CORS
 * Development: Allow any localhost origin
-* Production: Allow same base domain or configured UI URL
+* Production: Allow same base domain, same root domain (when UI URL is configured), or configured UI URL
 */
 function isOriginAllowed(origin) {
 	if (!origin) return false;
@@ -23,6 +32,12 @@ function isOriginAllowed(origin) {
 		if (requestUrl.hostname === "localhost" || requestUrl.hostname === "127.0.0.1") return true;
 		if (uiUrl && requestUrl.hostname === uiUrl.hostname) return true;
 		if (getBaseDomain(requestUrl.hostname) === getBaseDomain(apiUrl.hostname)) return true;
+		if (uiUrl) {
+			const requestRootDomain = getRootDomain(requestUrl.hostname);
+			const apiRootDomain = getRootDomain(apiUrl.hostname);
+			const uiRootDomain = getRootDomain(uiUrl.hostname);
+			if (requestRootDomain === apiRootDomain && apiRootDomain === uiRootDomain && requestRootDomain === uiRootDomain) return true;
+		}
 		return false;
 	} catch {
 		return false;
@@ -128,4 +143,4 @@ const signozCorsConfig = {
 };
 
 //#endregion
-export { authCorsConfig, defaultCorsConfig, getBaseDomain, isOriginAllowed, playgroundCorsConfig, runCorsConfig, signozCorsConfig };
+export { authCorsConfig, defaultCorsConfig, getBaseDomain, getRootDomain, isOriginAllowed, playgroundCorsConfig, runCorsConfig, signozCorsConfig };

package/dist/middleware/manageAuth.d.ts

@@ -1,5 +1,5 @@
 import { BaseExecutionContext } from "@inkeep/agents-core";
-import * as hono6 from "hono";
+import * as hono3 from "hono";
 import { createAuth } from "@inkeep/agents-core/auth";
 
 //#region src/middleware/manageAuth.d.ts
@@ -12,7 +12,7 @@ import { createAuth } from "@inkeep/agents-core/auth";
  * 3. Database API key
  * 4. Internal service token
  */
-declare const manageApiKeyAuth: () => hono6.MiddlewareHandler<{
+declare const manageApiKeyAuth: () => hono3.MiddlewareHandler<{
   Variables: {
     executionContext: BaseExecutionContext;
     userId?: string;

package/dist/middleware/projectAccess.d.ts

@@ -1,6 +1,6 @@
 import { ManageAppVariables } from "../types/app.js";
 import { ProjectPermissionLevel } from "@inkeep/agents-core";
-import * as hono8 from "hono";
+import * as hono4 from "hono";
 
 //#region src/middleware/projectAccess.d.ts
 /**
@@ -10,6 +10,6 @@ declare const requireProjectPermission: <Env$1 extends {
   Variables: ManageAppVariables;
 } = {
   Variables: ManageAppVariables;
-}>(permission?: ProjectPermissionLevel) => hono8.MiddlewareHandler<Env$1, string, {}, Response>;
+}>(permission?: ProjectPermissionLevel) => hono4.MiddlewareHandler<Env$1, string, {}, Response>;
 //#endregion
 export { requireProjectPermission };

package/dist/middleware/projectConfig.d.ts

@@ -1,11 +1,11 @@
 import { BaseExecutionContext, ResolvedRef } from "@inkeep/agents-core";
-import * as hono4 from "hono";
+import * as hono7 from "hono";
 
 //#region src/middleware/projectConfig.d.ts
 /**
  * Middleware that fetches the full project definition from the Management API
  */
-declare const projectConfigMiddleware: hono4.MiddlewareHandler<{
+declare const projectConfigMiddleware: hono7.MiddlewareHandler<{
   Variables: {
     executionContext: BaseExecutionContext;
     resolvedRef: ResolvedRef;
@@ -15,7 +15,7 @@ declare const projectConfigMiddleware: hono4.MiddlewareHandler<{
  * Creates a middleware that applies project config fetching except for specified route patterns
  * @param skipRouteCheck - Function that returns true if the route should skip the middleware
  */
-declare const projectConfigMiddlewareExcept: (skipRouteCheck: (path: string) => boolean) => hono4.MiddlewareHandler<{
+declare const projectConfigMiddlewareExcept: (skipRouteCheck: (path: string) => boolean) => hono7.MiddlewareHandler<{
   Variables: {
     executionContext: BaseExecutionContext;
     resolvedRef: ResolvedRef;

package/dist/middleware/requirePermission.d.ts

@@ -1,5 +1,5 @@
 import { ManageAppVariables } from "../types/app.js";
-import * as hono7 from "hono";
+import * as hono9 from "hono";
 
 //#region src/middleware/requirePermission.d.ts
 type Permission = {
@@ -9,6 +9,6 @@ declare const requirePermission: <Env$1 extends {
   Variables: ManageAppVariables;
 } = {
   Variables: ManageAppVariables;
-}>(permissions: Permission) => hono7.MiddlewareHandler<Env$1, string, {}, Response>;
+}>(permissions: Permission) => hono9.MiddlewareHandler<Env$1, string, {}, Response>;
 //#endregion
 export { requirePermission };

package/dist/middleware/runAuth.d.ts

@@ -1,8 +1,8 @@
 import { BaseExecutionContext } from "@inkeep/agents-core";
-import * as hono1 from "hono";
+import * as hono10 from "hono";
 
 //#region src/middleware/runAuth.d.ts
-declare const runApiKeyAuth: () => hono1.MiddlewareHandler<{
+declare const runApiKeyAuth: () => hono10.MiddlewareHandler<{
   Variables: {
     executionContext: BaseExecutionContext;
   };
@@ -11,7 +11,7 @@ declare const runApiKeyAuth: () => hono1.MiddlewareHandler<{
  * Creates a middleware that applies API key authentication except for specified route patterns
  * @param skipRouteCheck - Function that returns true if the route should skip authentication
  */
-declare const runApiKeyAuthExcept: (skipRouteCheck: (path: string) => boolean) => hono1.MiddlewareHandler<{
+declare const runApiKeyAuthExcept: (skipRouteCheck: (path: string) => boolean) => hono10.MiddlewareHandler<{
   Variables: {
     executionContext: BaseExecutionContext;
   };
@@ -20,7 +20,7 @@ declare const runApiKeyAuthExcept: (skipRouteCheck: (path: string) => boolean) =
  * Helper middleware for endpoints that optionally support API key authentication
  * If no auth header is present, it continues without setting the executionContext
  */
-declare const runOptionalAuth: () => hono1.MiddlewareHandler<{
+declare const runOptionalAuth: () => hono10.MiddlewareHandler<{
   Variables: {
     executionContext?: BaseExecutionContext;
   };

package/dist/middleware/sessionAuth.d.ts

@@ -1,4 +1,4 @@
-import * as hono12 from "hono";
+import * as hono13 from "hono";
 
 //#region src/middleware/sessionAuth.d.ts
 
@@ -7,11 +7,11 @@ import * as hono12 from "hono";
  * Requires that a user has already been authenticated via Better Auth session.
  * Used primarily for manage routes that require an active user session.
  */
-declare const sessionAuth: () => hono12.MiddlewareHandler<any, string, {}, Response>;
+declare const sessionAuth: () => hono13.MiddlewareHandler<any, string, {}, Response>;
 /**
  * Global session middleware - sets user and session in context for all routes
  * Used for all routes that require an active user session.
  */
-declare const sessionContext: () => hono12.MiddlewareHandler<any, string, {}, Response>;
+declare const sessionContext: () => hono13.MiddlewareHandler<any, string, {}, Response>;
 //#endregion
 export { sessionAuth, sessionContext };

package/dist/middleware/tenantAccess.d.ts

@@ -1,4 +1,4 @@
-import * as hono9 from "hono";
+import * as hono15 from "hono";
 
 //#region src/middleware/tenantAccess.d.ts
 
@@ -11,7 +11,7 @@ import * as hono9 from "hono";
  * - API key user: Access only to the tenant associated with the API key
  * - Session user: Access based on organization membership
  */
-declare const requireTenantAccess: () => hono9.MiddlewareHandler<{
+declare const requireTenantAccess: () => hono15.MiddlewareHandler<{
   Variables: {
     userId: string;
     tenantId: string;

package/dist/middleware/tracing.d.ts

@@ -1,7 +1,7 @@
-import * as hono10 from "hono";
+import * as hono1 from "hono";
 
 //#region src/middleware/tracing.d.ts
-declare const otelBaggageMiddleware: () => hono10.MiddlewareHandler<any, string, {}, Response>;
-declare const executionBaggageMiddleware: () => hono10.MiddlewareHandler<any, string, {}, Response>;
+declare const otelBaggageMiddleware: () => hono1.MiddlewareHandler<any, string, {}, Response>;
+declare const executionBaggageMiddleware: () => hono1.MiddlewareHandler<any, string, {}, Response>;
 //#endregion
 export { executionBaggageMiddleware, otelBaggageMiddleware };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@inkeep/agents-api",
-  "version": "0.0.0-dev-20260205195256",
+  "version": "0.0.0-dev-20260205205159",
   "description": "Unified Inkeep Agents API - combines management, runtime, and evaluation capabilities",
   "types": "dist/index.d.ts",
   "exports": {
@@ -66,10 +66,10 @@
     "openid-client": "^6.8.1",
     "pg": "^8.16.3",
     "workflow": "4.0.1-beta.33",
-    "@inkeep/agents-core": "^0.0.0-dev-20260205195256",
-    "@inkeep/agents-manage-mcp": "^0.0.0-dev-20260205195256",
-    "@inkeep/agents-mcp": "^0.0.0-dev-20260205195256",
-    "@inkeep/agents-work-apps": "^0.0.0-dev-20260205195256"
+    "@inkeep/agents-core": "^0.0.0-dev-20260205205159",
+    "@inkeep/agents-manage-mcp": "^0.0.0-dev-20260205205159",
+    "@inkeep/agents-mcp": "^0.0.0-dev-20260205205159",
+    "@inkeep/agents-work-apps": "^0.0.0-dev-20260205205159"
   },
   "peerDependencies": {
     "@hono/zod-openapi": "^1.1.5",