@inkeep/agents-api 0.0.0-dev-20260219033751 → 0.0.0-dev-20260219045007

package/dist/.well-known/workflow/v1/manifest.json

@@ -1,6 +1,20 @@
 {
   "version": "1.0.0",
   "steps": {
+    "src/domains/evals/workflow/functions/evaluateConversation.ts": {
+      "executeEvaluatorStep": {
+        "stepId": "step//./src/domains/evals/workflow/functions/evaluateConversation//executeEvaluatorStep"
+      },
+      "getConversationStep": {
+        "stepId": "step//./src/domains/evals/workflow/functions/evaluateConversation//getConversationStep"
+      },
+      "getEvaluatorsStep": {
+        "stepId": "step//./src/domains/evals/workflow/functions/evaluateConversation//getEvaluatorsStep"
+      },
+      "logStep": {
+        "stepId": "step//./src/domains/evals/workflow/functions/evaluateConversation//logStep"
+      }
+    },
     "node_modules/.pnpm/workflow@4.1.0-beta.54_@aws-sdk+client-sts@3.970.0_@nestjs+common@11.1.13_reflect-metad_f85281f2580d7065fc514e637f5f5e1f/node_modules/workflow/dist/internal/builtins.js": {
       "__builtin_response_array_buffer": {
         "stepId": "__builtin_response_array_buffer"
@@ -12,39 +26,11 @@
         "stepId": "__builtin_response_text"
       }
     },
-    "src/domains/evals/workflow/functions/runDatasetItem.ts": {
-      "callChatApiStep": {
-        "stepId": "step//./src/domains/evals/workflow/functions/runDatasetItem//callChatApiStep"
-      },
-      "createRelationStep": {
-        "stepId": "step//./src/domains/evals/workflow/functions/runDatasetItem//createRelationStep"
-      },
-      "executeEvaluatorStep": {
-        "stepId": "step//./src/domains/evals/workflow/functions/runDatasetItem//executeEvaluatorStep"
-      },
-      "logStep": {
-        "stepId": "step//./src/domains/evals/workflow/functions/runDatasetItem//logStep"
-      }
-    },
     "node_modules/.pnpm/workflow@4.1.0-beta.54_@aws-sdk+client-sts@3.970.0_@nestjs+common@11.1.13_reflect-metad_f85281f2580d7065fc514e637f5f5e1f/node_modules/workflow/dist/stdlib.js": {
       "fetch": {
         "stepId": "step//workflow@4.1.0-beta.54//fetch"
       }
     },
-    "src/domains/evals/workflow/functions/evaluateConversation.ts": {
-      "executeEvaluatorStep": {
-        "stepId": "step//./src/domains/evals/workflow/functions/evaluateConversation//executeEvaluatorStep"
-      },
-      "getConversationStep": {
-        "stepId": "step//./src/domains/evals/workflow/functions/evaluateConversation//getConversationStep"
-      },
-      "getEvaluatorsStep": {
-        "stepId": "step//./src/domains/evals/workflow/functions/evaluateConversation//getEvaluatorsStep"
-      },
-      "logStep": {
-        "stepId": "step//./src/domains/evals/workflow/functions/evaluateConversation//logStep"
-      }
-    },
     "src/domains/run/workflow/steps/scheduledTriggerSteps.ts": {
       "addConversationIdStep": {
         "stepId": "step//./src/domains/run/workflow/steps/scheduledTriggerSteps//addConversationIdStep"
@@ -88,21 +74,35 @@
       "markRunningStep": {
         "stepId": "step//./src/domains/run/workflow/steps/scheduledTriggerSteps//markRunningStep"
       }
+    },
+    "src/domains/evals/workflow/functions/runDatasetItem.ts": {
+      "callChatApiStep": {
+        "stepId": "step//./src/domains/evals/workflow/functions/runDatasetItem//callChatApiStep"
+      },
+      "createRelationStep": {
+        "stepId": "step//./src/domains/evals/workflow/functions/runDatasetItem//createRelationStep"
+      },
+      "executeEvaluatorStep": {
+        "stepId": "step//./src/domains/evals/workflow/functions/runDatasetItem//executeEvaluatorStep"
+      },
+      "logStep": {
+        "stepId": "step//./src/domains/evals/workflow/functions/runDatasetItem//logStep"
+      }
     }
   },
   "workflows": {
-    "src/domains/evals/workflow/functions/runDatasetItem.ts": {
-      "_runDatasetItemWorkflow": {
-        "workflowId": "workflow//./src/domains/evals/workflow/functions/runDatasetItem//_runDatasetItemWorkflow",
+    "src/domains/evals/workflow/functions/evaluateConversation.ts": {
+      "_evaluateConversationWorkflow": {
+        "workflowId": "workflow//./src/domains/evals/workflow/functions/evaluateConversation//_evaluateConversationWorkflow",
         "graph": {
           "nodes": [],
           "edges": []
         }
       }
     },
-    "src/domains/evals/workflow/functions/evaluateConversation.ts": {
-      "_evaluateConversationWorkflow": {
-        "workflowId": "workflow//./src/domains/evals/workflow/functions/evaluateConversation//_evaluateConversationWorkflow",
+    "src/domains/evals/workflow/functions/runDatasetItem.ts": {
+      "_runDatasetItemWorkflow": {
+        "workflowId": "workflow//./src/domains/evals/workflow/functions/runDatasetItem//_runDatasetItemWorkflow",
         "graph": {
           "nodes": [],
           "edges": []

package/dist/createApp.js

@@ -3,28 +3,28 @@ import { env } from "./env.js";
 import { getInProcessFetch, registerAppFetch } from "./utils/in-process-fetch.js";
 import { evalRoutes } from "./domains/evals/index.js";
 import { workflowRoutes } from "./domains/evals/workflow/routes.js";
-import { sessionAuth, sessionContext } from "./middleware/sessionAuth.js";
-import { flushBatchProcessor } from "./instrumentation.js";
-import { manageRoutes } from "./domains/manage/index.js";
-import mcp_default from "./domains/mcp/routes/mcp.js";
-import { runRoutes } from "./domains/run/index.js";
-import { workAppsRoutes } from "./domains/work-apps/index.js";
 import { authCorsConfig, defaultCorsConfig, playgroundCorsConfig, runCorsConfig, signozCorsConfig, workAppsCorsConfig } from "./middleware/cors.js";
 import { errorHandler } from "./middleware/errorHandler.js";
-import { manageApiKeyAuth } from "./middleware/manageAuth.js";
-import { manageRefMiddleware, oauthRefMiddleware, runRefMiddleware, writeProtectionMiddleware } from "./middleware/ref.js";
+import { sessionContext } from "./middleware/sessionAuth.js";
+import { manageApiKeyOrSessionAuth } from "./middleware/manageAuth.js";
 import { runApiKeyAuth, runApiKeyAuthExcept } from "./middleware/runAuth.js";
 import { requireTenantAccess } from "./middleware/tenantAccess.js";
 import { workAppsAuth } from "./middleware/workAppsAuth.js";
 import "./middleware/index.js";
+import { flushBatchProcessor } from "./instrumentation.js";
+import { manageRoutes } from "./domains/manage/index.js";
+import mcp_default from "./domains/mcp/routes/mcp.js";
+import { runRoutes } from "./domains/run/index.js";
+import { workAppsRoutes } from "./domains/work-apps/index.js";
 import { branchScopedDbMiddleware } from "./middleware/branchScopedDb.js";
-import { evalApiKeyAuth } from "./middleware/evalsAuth.js";
 import { projectConfigMiddleware, projectConfigMiddlewareExcept } from "./middleware/projectConfig.js";
+import { manageRefMiddleware, runRefMiddleware, writeProtectionMiddleware } from "./middleware/ref.js";
 import { executionBaggageMiddleware } from "./middleware/tracing.js";
 import { setupOpenAPIRoutes } from "./openapi.js";
 import { healthChecksHandler } from "./routes/healthChecks.js";
-import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
-import { OrgRoles, getWaitUntil } from "@inkeep/agents-core";
+import { workflowProcessHandler } from "./routes/workflowProcess.js";
+import { OpenAPIHono } from "@hono/zod-openapi";
+import { getWaitUntil } from "@inkeep/agents-core";
 import { githubRoutes } from "@inkeep/agents-work-apps/github";
 import { Hono } from "hono";
 import { cors } from "hono/cors";
@@ -33,21 +33,15 @@ import { pinoLogger } from "hono-pino";
 
 //#region src/createApp.ts
 const logger = getLogger$1("agents-api");
-const isTestEnvironment = () => env.ENVIRONMENT === "test";
 const isWebhookRoute = (path) => {
 	return path.includes("/triggers/") && !path.endsWith("/triggers") && !path.endsWith("/triggers/");
 };
 function createAgentsHono(config) {
 	const { serverConfig, credentialStores, auth, sandboxConfig } = config;
 	const app = new OpenAPIHono();
-	const CapabilitiesResponseSchema = z.object({ sandbox: z.object({
-		configured: z.boolean().describe("Whether a sandbox provider is configured. Required for Function Tools execution."),
-		provider: z.enum(["native", "vercel"]).optional().describe("The configured sandbox provider, if enabled."),
-		runtime: z.enum(["node22", "typescript"]).optional().describe("The configured sandbox runtime, if enabled.")
-	}).describe("Sandbox execution capabilities (used by Function Tools).") }).describe("Optional server capabilities and configuration.").openapi("CapabilitiesResponseSchema");
 	app.use("*", requestId());
+	app.use("/api/auth/*", cors(authCorsConfig));
 	if (auth) {
-		app.use("/api/auth/*", cors(authCorsConfig));
 		if (env.ENVIRONMENT === "development") app.post("/api/auth/dev-session", async (c) => {
 			const bypassSecret = env.INKEEP_AGENTS_MANAGE_API_BYPASS_SECRET;
 			const authHeader = c.req.header("Authorization");
@@ -82,7 +76,7 @@ function createAgentsHono(config) {
 	app.use("/manage/tenants/*/signoz/*", cors(signozCorsConfig));
 	app.use("/work-apps/*", cors(workAppsCorsConfig));
 	app.use("*", async (c, next) => {
-		if (auth && c.req.path.startsWith("/api/auth/")) return next();
+		if (c.req.path.startsWith("/api/auth/")) return next();
 		if (c.req.path.startsWith("/run/")) return next();
 		if (c.req.path.startsWith("/work-apps/")) return next();
 		if (c.req.path.includes("/playground/token")) return next();
@@ -93,17 +87,7 @@ function createAgentsHono(config) {
 	app.use("*", async (c, next) => {
 		c.set("serverConfig", serverConfig);
 		c.set("credentialStores", credentialStores);
-		await next();
-	});
-	app.use("/manage/*", async (c, next) => {
-		c.set("auth", auth);
-		await next();
-	});
-	app.use("/work-apps/*", async (c, next) => {
 		c.set("auth", auth);
-		await next();
-	});
-	app.use("/run/*", async (c, next) => {
 		if (sandboxConfig) c.set("sandboxConfig", sandboxConfig);
 		await next();
 	});
@@ -128,64 +112,9 @@ function createAgentsHono(config) {
 	app.onError(errorHandler);
 	app.use("*", sessionContext());
 	app.route("/", healthChecksHandler);
-	app.openapi(createRoute({
-		method: "get",
-		path: "/api/workflow/process",
-		tags: ["Workflows"],
-		summary: "Process workflow jobs",
-		description: "Keeps the workflow worker active to process queued jobs (called by cron)",
-		responses: { 200: { description: "Processing complete" } }
-	}), async (c) => {
-		await new Promise((resolve) => setTimeout(resolve, 5e4));
-		return c.json({
-			processed: true,
-			timestamp: (/* @__PURE__ */ new Date()).toISOString()
-		});
-	});
-	app.use("/manage/tenants/*", async (c, next) => {
-		if (isTestEnvironment()) {
-			await next();
-			return;
-		}
-		if (c.req.header("Authorization")?.startsWith("Bearer ")) return manageApiKeyAuth()(c, next);
-		return sessionAuth()(c, next);
-	});
-	app.use("/manage/capabilities", async (c, next) => {
-		if (!auth || isTestEnvironment()) {
-			await next();
-			return;
-		}
-		if (c.req.header("Authorization")?.startsWith("Bearer ")) return manageApiKeyAuth()(c, next);
-		return sessionAuth()(c, next);
-	});
-	app.openapi(createRoute({
-		method: "get",
-		path: "/manage/capabilities",
-		operationId: "capabilities",
-		summary: "Get server capabilities",
-		description: "Get information about optional server-side capabilities and configuration.",
-		responses: { 200: {
-			description: "Server capabilities",
-			content: { "application/json": { schema: CapabilitiesResponseSchema } }
-		} }
-	}), (c) => {
-		if (!sandboxConfig) return c.json({ sandbox: { configured: false } });
-		return c.json({ sandbox: {
-			configured: true,
-			provider: sandboxConfig.provider,
-			runtime: sandboxConfig.runtime
-		} });
-	});
-	if (isTestEnvironment()) app.use("/manage/tenants/:tenantId/*", async (c, next) => {
-		const tenantId = c.req.param("tenantId");
-		if (tenantId) {
-			c.set("tenantId", tenantId);
-			c.set("userId", "anonymous");
-			c.set("tenantRole", OrgRoles.OWNER);
-		}
-		await next();
-	});
-	else app.use("/manage/tenants/:tenantId/*", requireTenantAccess());
+	app.route("/", workflowProcessHandler);
+	app.use("/manage/tenants/*", manageApiKeyOrSessionAuth());
+	app.use("/manage/tenants/:tenantId/*", requireTenantAccess());
 	app.use("*", async (_c, next) => {
 		await next();
 		const waitUntil = await getWaitUntil();
@@ -196,12 +125,9 @@ function createAgentsHono(config) {
 	app.use("/run/agents/*", runApiKeyAuth());
 	app.use("/run/v1/*", runApiKeyAuth());
 	app.use("/run/api/*", runApiKeyAuth());
-	app.use("/evals/tenants/*", evalApiKeyAuth());
 	app.use("/manage/tenants/*", async (c, next) => manageRefMiddleware(c, next));
 	app.use("/manage/tenants/*", (c, next) => writeProtectionMiddleware(c, next));
 	app.use("/manage/tenants/*", async (c, next) => branchScopedDbMiddleware(c, next));
-	app.use("/manage/oauth/login", async (c, next) => oauthRefMiddleware(c, next));
-	app.use("/manage/oauth/login", async (c, next) => branchScopedDbMiddleware(c, next));
 	app.use("/run/*", async (c, next) => runRefMiddleware(c, next));
 	app.use("/run/tenants/*", projectConfigMiddlewareExcept(isWebhookRoute));
 	app.use("/run/agents/*", projectConfigMiddleware);

package/dist/data/db/manageDbClient.d.ts

@@ -1,6 +1,6 @@
-import * as _inkeep_agents_core0 from "@inkeep/agents-core";
+import * as _inkeep_agents_core3 from "@inkeep/agents-core";
 
 //#region src/data/db/manageDbClient.d.ts
-declare const manageDbClient: _inkeep_agents_core0.AgentsManageDatabaseClient;
+declare const manageDbClient: _inkeep_agents_core3.AgentsManageDatabaseClient;
 //#endregion
 export { manageDbClient as default };

package/dist/domains/evals/routes/datasetTriggers.d.ts

@@ -1,7 +1,7 @@
 import { OpenAPIHono } from "@hono/zod-openapi";
-import * as hono18 from "hono";
+import * as hono14 from "hono";
 
 //#region src/domains/evals/routes/datasetTriggers.d.ts
-declare const app: OpenAPIHono<hono18.Env, {}, "/">;
+declare const app: OpenAPIHono<hono14.Env, {}, "/">;
 //#endregion
 export { app as default };

package/dist/domains/evals/routes/datasetTriggers.js

@@ -1,18 +1,21 @@
 import { getLogger as getLogger$1 } from "../../../logger.js";
+import { evalApiKeyAuth } from "../../../middleware/evalsAuth.js";
 import { queueDatasetRunItems } from "../services/datasetRun.js";
-import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
+import { OpenAPIHono, z } from "@hono/zod-openapi";
 import { TenantProjectParamsSchema, TriggerDatasetRunSchema } from "@inkeep/agents-core";
+import { createProtectedRoute } from "@inkeep/agents-core/middleware";
 
 //#region src/domains/evals/routes/datasetTriggers.ts
 const app = new OpenAPIHono();
 const logger = getLogger$1("workflow-triggers");
-app.openapi(createRoute({
+app.openapi(createProtectedRoute({
 	method: "post",
 	path: "/run-dataset-items",
 	summary: "Run dataset items",
 	description: "Runs dataset items for processing through the chat API",
 	operationId: "run-dataset-items",
 	tags: ["Workflows"],
+	permission: evalApiKeyAuth(),
 	request: {
 		params: TenantProjectParamsSchema,
 		body: { content: { "application/json": { schema: TriggerDatasetRunSchema } } }

package/dist/domains/evals/routes/evaluationTriggers.js

@@ -1,23 +1,26 @@
 import { getLogger as getLogger$1 } from "../../../logger.js";
+import { evalApiKeyAuth } from "../../../middleware/evalsAuth.js";
 import manageDbPool_default from "../../../data/db/manageDbPool.js";
 import runDbClient_default from "../../../data/db/runDbClient.js";
 import { evaluateConversationWorkflow } from "../workflow/functions/evaluateConversation.js";
 import "../workflow/index.js";
 import { queueEvaluationJobConversations } from "../services/evaluationJob.js";
-import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
+import { OpenAPIHono, z } from "@hono/zod-openapi";
 import { TenantProjectParamsSchema, TriggerEvaluationJobSchema, commonGetErrorResponses, createApiError, createEvaluationRun, generateId, getConversation, getEvaluationSuiteConfigById, getEvaluationSuiteConfigEvaluatorRelations, getEvaluatorsByIds, listEvaluationRunConfigsWithSuiteConfigs, withRef } from "@inkeep/agents-core";
+import { createProtectedRoute } from "@inkeep/agents-core/middleware";
 import { start } from "workflow/api";
 
 //#region src/domains/evals/routes/evaluationTriggers.ts
 const app = new OpenAPIHono();
 const logger = getLogger$1("ConversationEvaluations");
 const TriggerConversationSchema = z.object({ conversationId: z.string() });
-app.openapi(createRoute({
+app.openapi(createProtectedRoute({
 	method: "post",
 	path: "/evaluate-conversation",
 	summary: "Trigger evaluation on a single conversation",
 	operationId: "evaluate-conversation",
 	tags: ["Evaluations"],
+	permission: evalApiKeyAuth(),
 	request: {
 		params: TenantProjectParamsSchema,
 		body: { content: { "application/json": { schema: TriggerConversationSchema } } }
@@ -143,12 +146,13 @@ app.openapi(createRoute({
 		}), 500);
 	}
 });
-app.openapi(createRoute({
+app.openapi(createProtectedRoute({
 	method: "post",
 	path: "/evaluate-conversations",
 	summary: "Trigger evaluations on conversations with specified evaluators",
 	operationId: "start-conversations-evaluations",
 	tags: ["Evaluations"],
+	permission: evalApiKeyAuth(),
 	request: {
 		params: TenantProjectParamsSchema,
 		body: { content: { "application/json": { schema: z.object({
@@ -236,10 +240,11 @@ app.openapi(createRoute({
 		}), 500);
 	}
 });
-app.openapi(createRoute({
+app.openapi(createProtectedRoute({
 	method: "post",
 	path: "/evaluate-conversations-by-job",
 	summary: "Trigger evaluations on conversations by evaluation job config",
+	permission: evalApiKeyAuth(),
 	description: "Filters conversations based on job filters, creates an evaluation run, and enqueues workflows",
 	operationId: "evaluate-conversations-by-job",
 	tags: ["Workflows"],

package/dist/domains/evals/routes/index.d.ts

@@ -1,7 +1,7 @@
 import { OpenAPIHono } from "@hono/zod-openapi";
-import * as hono5 from "hono";
+import * as hono15 from "hono";
 
 //#region src/domains/evals/routes/index.d.ts
-declare const app: OpenAPIHono<hono5.Env, {}, "/">;
+declare const app: OpenAPIHono<hono15.Env, {}, "/">;
 //#endregion
 export { app as default };

package/dist/domains/evals/workflow/routes.d.ts

@@ -1,7 +1,7 @@
 import { Hono } from "hono";
-import * as hono_types10 from "hono/types";
+import * as hono_types6 from "hono/types";
 
 //#region src/domains/evals/workflow/routes.d.ts
-declare const workflowRoutes: Hono<hono_types10.BlankEnv, hono_types10.BlankSchema, "/">;
+declare const workflowRoutes: Hono<hono_types6.BlankEnv, hono_types6.BlankSchema, "/">;
 //#endregion
 export { workflowRoutes };

package/dist/domains/manage/index.js

@@ -1,3 +1,4 @@
+import { capabilitiesHandler } from "../../routes/capabilities.js";
 import availableAgents_default from "./routes/availableAgents.js";
 import cliAuth_default from "./routes/cliAuth.js";
 import github_default from "./routes/github.js";
@@ -10,6 +11,7 @@ import playgroundToken_default from "./routes/playgroundToken.js";
 import projectFull_default from "./routes/projectFull.js";
 import projectGithubAccess_default from "./routes/projectGithubAccess.js";
 import signoz_default from "./routes/signoz.js";
+import userProjectMemberships_default from "./routes/userProjectMemberships.js";
 import users_default from "./routes/users.js";
 import { OpenAPIHono } from "@hono/zod-openapi";
 
@@ -24,11 +26,13 @@ function createManageRoutes() {
 	app.route("/tenants/:tenantId/playground/token", playgroundToken_default);
 	app.route("/tenants/:tenantId/signoz", signoz_default);
 	app.route("/tenants/:tenantId/github", github_default);
+	app.route("/tenants/:tenantId/users/:userId/project-memberships", userProjectMemberships_default);
 	app.route("/tenants/:tenantId/projects/:projectId/github-access", projectGithubAccess_default);
 	app.route("/tenants/:tenantId/projects/:projectId/tools/:toolId/github-access", mcpToolGithubAccess_default);
 	app.route("/tenants/:tenantId", projectFull_default);
 	app.route("/oauth", oauth_default);
 	app.route("/available-agents", availableAgents_default);
+	app.route("/capabilities", capabilitiesHandler);
 	return app;
 }
 const manageRoutes = createManageRoutes();

package/dist/domains/manage/routes/agent.js

@@ -1,29 +1,19 @@
 import runDbClient_default from "../../../data/db/runDbClient.js";
 import { requireProjectPermission } from "../../../middleware/projectAccess.js";
 import { speakeasyOffsetLimitPagination } from "../../../utils/speakeasy.js";
-import { OpenAPIHono, createRoute } from "@hono/zod-openapi";
+import { OpenAPIHono } from "@hono/zod-openapi";
 import { AgentApiInsertSchema, AgentApiUpdateSchema, AgentListResponse, AgentResponse, AgentWithinContextOfProjectResponse, ErrorResponseSchema, PaginationQueryParamsSchema, RelatedAgentInfoListResponse, TenantProjectAgentParamsSchema, TenantProjectAgentSubAgentParamsSchema, TenantProjectIdParamsSchema, TenantProjectParamsSchema, cascadeDeleteByAgent, commonGetErrorResponses, createAgent, createApiError, deleteAgent, generateId, getAgentById, getAgentSubAgentInfos, getFullAgentDefinition, listAgentsPaginated, listSubAgents, updateAgent } from "@inkeep/agents-core";
+import { createProtectedRoute } from "@inkeep/agents-core/middleware";
 
 //#region src/domains/manage/routes/agent.ts
 const app = new OpenAPIHono();
-app.use("/", async (c, next) => {
-	if (c.req.method === "POST") return requireProjectPermission("edit")(c, next);
-	return next();
-});
-app.use("/:id", async (c, next) => {
-	if ([
-		"PUT",
-		"PATCH",
-		"DELETE"
-	].includes(c.req.method)) return requireProjectPermission("edit")(c, next);
-	return next();
-});
-app.openapi(createRoute({
+app.openapi(createProtectedRoute({
 	method: "get",
 	path: "/",
 	summary: "List Agents",
 	operationId: "list-agents",
 	tags: ["Agents"],
+	permission: requireProjectPermission("view"),
 	request: {
 		params: TenantProjectParamsSchema,
 		query: PaginationQueryParamsSchema
@@ -53,12 +43,13 @@ app.openapi(createRoute({
 	});
 	return c.json(result);
 });
-app.openapi(createRoute({
+app.openapi(createProtectedRoute({
 	method: "get",
 	path: "/{id}",
 	summary: "Get Agent",
 	operationId: "get-agent",
 	tags: ["Agents"],
+	permission: requireProjectPermission("view"),
 	request: { params: TenantProjectIdParamsSchema },
 	responses: {
 		200: {
@@ -80,12 +71,13 @@ app.openapi(createRoute({
 	});
 	return c.json({ data: agent });
 });
-app.openapi(createRoute({
+app.openapi(createProtectedRoute({
 	method: "get",
 	path: "/{agentId}/sub-agents/{subAgentId}/related",
 	summary: "Get Related Agent Infos",
 	operationId: "get-related-agent-infos",
 	tags: ["Agents"],
+	permission: requireProjectPermission("view"),
 	request: { params: TenantProjectAgentSubAgentParamsSchema },
 	responses: {
 		200: {
@@ -114,12 +106,13 @@ app.openapi(createRoute({
 		}
 	});
 });
-app.openapi(createRoute({
+app.openapi(createProtectedRoute({
 	method: "get",
 	path: "/{agentId}/full",
 	summary: "Get Full Agent Definition",
 	operationId: "get-full-agent-definition",
 	tags: ["Agents"],
+	permission: requireProjectPermission("view"),
 	request: { params: TenantProjectAgentParamsSchema },
 	responses: {
 		200: {
@@ -141,12 +134,13 @@ app.openapi(createRoute({
 	});
 	return c.json({ data: fullAgent });
 });
-app.openapi(createRoute({
+app.openapi(createProtectedRoute({
 	method: "post",
 	path: "/",
 	summary: "Create Agent",
 	operationId: "create-agent",
 	tags: ["Agents"],
+	permission: requireProjectPermission("edit"),
 	request: {
 		params: TenantProjectParamsSchema,
 		body: { content: { "application/json": { schema: AgentApiInsertSchema } } }
@@ -181,12 +175,13 @@ app.openapi(createRoute({
 		throw error;
 	}
 });
-app.openapi(createRoute({
+app.openapi(createProtectedRoute({
 	method: "put",
 	path: "/{id}",
 	summary: "Update Agent",
 	operationId: "update-agent",
 	tags: ["Agents"],
+	permission: requireProjectPermission("edit"),
 	request: {
 		params: TenantProjectIdParamsSchema,
 		body: { content: { "application/json": { schema: AgentApiUpdateSchema } } }
@@ -221,12 +216,13 @@ app.openapi(createRoute({
 	});
 	return c.json({ data: updatedAgent });
 });
-app.openapi(createRoute({
+app.openapi(createProtectedRoute({
 	method: "delete",
 	path: "/{id}",
 	summary: "Delete Agent",
 	operationId: "delete-agent",
 	tags: ["Agents"],
+	permission: requireProjectPermission("edit"),
 	request: { params: TenantProjectIdParamsSchema },
 	responses: {
 		204: { description: "Agent deleted successfully" },

package/dist/domains/manage/routes/agentFull.js

@@ -2,27 +2,17 @@ import { getLogger as getLogger$1 } from "../../../logger.js";
 import runDbClient_default from "../../../data/db/runDbClient.js";
 import { requireProjectPermission } from "../../../middleware/projectAccess.js";
 import { onTriggerCreated, onTriggerDeleted, onTriggerUpdated } from "../../run/services/ScheduledTriggerService.js";
-import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
+import { OpenAPIHono, z } from "@hono/zod-openapi";
 import { AgentWithinContextOfProjectResponse, AgentWithinContextOfProjectSchema, ErrorResponseSchema, TenantProjectAgentParamsSchema, TenantProjectParamsSchema, cascadeDeleteByAgent, commonGetErrorResponses, createApiError, createFullAgentServerSide, deleteFullAgent, getFullAgent, listScheduledTriggers, listSubAgents, updateFullAgentServerSide } from "@inkeep/agents-core";
+import { createProtectedRoute } from "@inkeep/agents-core/middleware";
 
 //#region src/domains/manage/routes/agentFull.ts
 const logger = getLogger$1("agentFull");
 const app = new OpenAPIHono();
-app.use("/", async (c, next) => {
-	if (c.req.method === "POST") return requireProjectPermission("edit")(c, next);
-	return next();
-});
-app.use("/:agentId", async (c, next) => {
-	if ([
-		"PUT",
-		"PATCH",
-		"DELETE"
-	].includes(c.req.method)) return requireProjectPermission("edit")(c, next);
-	return next();
-});
-app.openapi(createRoute({
+app.openapi(createProtectedRoute({
 	method: "post",
 	path: "/",
+	permission: requireProjectPermission("edit"),
 	summary: "Create Full Agent",
 	operationId: "create-full-agent",
 	tags: ["Agents"],
@@ -70,9 +60,10 @@ app.openapi(createRoute({
 	}
 	return c.json({ data: createdAgent }, 201);
 });
-app.openapi(createRoute({
+app.openapi(createProtectedRoute({
 	method: "get",
 	path: "/{agentId}",
+	permission: requireProjectPermission("view"),
 	summary: "Get Full Agent",
 	operationId: "get-full-agent",
 	tags: ["Agents"],
@@ -110,9 +101,10 @@ app.openapi(createRoute({
 		});
 	}
 });
-app.openapi(createRoute({
+app.openapi(createProtectedRoute({
 	method: "put",
 	path: "/{agentId}",
+	permission: requireProjectPermission("edit"),
 	summary: "Update Full Agent",
 	operationId: "update-full-agent",
 	tags: ["Agents"],
@@ -219,9 +211,10 @@ app.openapi(createRoute({
 		});
 	}
 });
-app.openapi(createRoute({
+app.openapi(createProtectedRoute({
 	method: "delete",
 	path: "/{agentId}",
+	permission: requireProjectPermission("edit"),
 	summary: "Delete Full Agent",
 	operationId: "delete-full-agent",
 	tags: ["Agents"],