@inkeep/agents-api 0.0.0-dev-20260219033751 → 0.0.0-dev-20260219045007

package/dist/factory.d.ts

@@ -3,10 +3,10 @@ import "./types/index.js";
 import { createAgentsHono } from "./createApp.js";
 import { createAuth0Provider, createOIDCProvider } from "./ssoHelpers.js";
 import { CredentialStore, ServerConfig } from "@inkeep/agents-core";
-import * as hono15 from "hono";
+import * as hono0 from "hono";
 import * as zod205 from "zod";
 import { SSOProviderConfig, UserAuthConfig } from "@inkeep/agents-core/auth";
-import * as hono_types8 from "hono/types";
+import * as hono_types3 from "hono/types";
 import * as better_auth79 from "better-auth";
 import * as better_auth_plugins69 from "better-auth/plugins";
 import * as _better_auth_sso10 from "@better-auth/sso";
@@ -804,25 +804,25 @@ declare function createAgentsAuth(userAuthConfig?: UserAuthConfig): better_auth7
       ac: better_auth_plugins69.AccessControl;
       roles: {
         member: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins69.Statements>[key] | {
-            actions: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins69.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key] | {
+            actions: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins69.AuthorizeResponse;
-          statements: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins69.Statements>;
+          statements: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>;
         };
         admin: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins69.Statements>[key] | {
-            actions: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins69.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key] | {
+            actions: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins69.AuthorizeResponse;
-          statements: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins69.Statements>;
+          statements: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>;
         };
         owner: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins69.Statements>[key] | {
-            actions: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins69.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key] | {
+            actions: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins69.AuthorizeResponse;
-          statements: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins69.Statements>;
+          statements: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>;
         };
       };
       creatorRole: "admin";
@@ -1127,25 +1127,25 @@ declare function createAgentsAuth(userAuthConfig?: UserAuthConfig): better_auth7
       ac: better_auth_plugins69.AccessControl;
       roles: {
         member: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins69.Statements>[key] | {
-            actions: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins69.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key] | {
+            actions: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins69.AuthorizeResponse;
-          statements: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins69.Statements>;
+          statements: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>;
         };
         admin: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins69.Statements>[key] | {
-            actions: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins69.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key] | {
+            actions: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins69.AuthorizeResponse;
-          statements: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins69.Statements>;
+          statements: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>;
         };
         owner: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins69.Statements>[key] | {
-            actions: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins69.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key] | {
+            actions: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins69.AuthorizeResponse;
-          statements: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins69.Statements>;
+          statements: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>;
         };
       };
       creatorRole: "admin";
@@ -1570,6 +1570,6 @@ declare function createAgentsApp(config?: {
   credentialStores?: CredentialStore[];
   auth?: UserAuthConfig;
   sandboxConfig?: SandboxConfig;
-}): hono15.Hono<hono_types8.BlankEnv, hono_types8.BlankSchema, "/">;
+}): hono0.Hono<hono_types3.BlankEnv, hono_types3.BlankSchema, "/">;
 //#endregion
 export { type SSOProviderConfig, type UserAuthConfig, createAgentsApp, createAgentsAuth, createAgentsHono, createAuth0Provider, createOIDCProvider };

package/dist/index.d.ts

@@ -805,25 +805,25 @@ declare const auth: better_auth0.Auth<{
       ac: better_auth_plugins0.AccessControl;
       roles: {
         member: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
         };
         admin: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
         };
         owner: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
         };
       };
       creatorRole: "admin";
@@ -1128,25 +1128,25 @@ declare const auth: better_auth0.Auth<{
       ac: better_auth_plugins0.AccessControl;
       roles: {
         member: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
         };
         admin: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
         };
         owner: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "project" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "project" | "team" | "ac", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
         };
       };
       creatorRole: "admin";

package/dist/middleware/evalsAuth.d.ts

@@ -1,5 +1,5 @@
 import { BaseExecutionContext } from "@inkeep/agents-core";
-import * as hono2 from "hono";
+import * as hono0 from "hono";
 
 //#region src/middleware/evalsAuth.d.ts
 
@@ -7,7 +7,7 @@ import * as hono2 from "hono";
  * Middleware to authenticate API requests using Bearer token authentication
  * First checks if token matches INKEEP_AGENTS_EVAL_API_BYPASS_SECRET,
  */
-declare const evalApiKeyAuth: () => hono2.MiddlewareHandler<{
+declare const evalApiKeyAuth: () => hono0.MiddlewareHandler<{
   Variables: {
     executionContext: BaseExecutionContext;
   };

package/dist/middleware/evalsAuth.js

@@ -1,5 +1,6 @@
 import { env } from "../env.js";
 import { getLogger, isInternalServiceToken, verifyInternalServiceAuthHeader } from "@inkeep/agents-core";
+import { registerAuthzMeta } from "@inkeep/agents-core/middleware";
 import { createMiddleware } from "hono/factory";
 import { HTTPException } from "hono/http-exception";
 
@@ -9,44 +10,48 @@ const logger = getLogger("eval-auth");
 * Middleware to authenticate API requests using Bearer token authentication
 * First checks if token matches INKEEP_AGENTS_EVAL_API_BYPASS_SECRET,
 */
-const evalApiKeyAuth = () => createMiddleware(async (c, next) => {
-	const authHeader = c.req.header("Authorization");
-	if (!authHeader || !authHeader.startsWith("Bearer ")) {
-		if (env.ENVIRONMENT === "development") {
-			await next();
-			return;
-		}
-		throw new HTTPException(401, { message: "Missing or invalid authorization header. Expected: Bearer <api_key>" });
-	}
-	const apiKey = authHeader.substring(7);
-	if (env.INKEEP_AGENTS_EVAL_API_BYPASS_SECRET) {
+const evalApiKeyAuth = () => {
+	const mw = createMiddleware(async (c, next) => {
+		const authHeader = c.req.header("Authorization");
 		if (!authHeader || !authHeader.startsWith("Bearer ")) {
-			console.log("[AUTH DEBUG] Rejecting: No Bearer token provided");
+			if (env.ENVIRONMENT === "development") {
+				await next();
+				return;
+			}
 			throw new HTTPException(401, { message: "Missing or invalid authorization header. Expected: Bearer <api_key>" });
 		}
-		if (authHeader.substring(7) === env.INKEEP_AGENTS_EVAL_API_BYPASS_SECRET) {
-			logger.info({}, "Bypass secret authenticated successfully");
+		const apiKey = authHeader.substring(7);
+		if (env.INKEEP_AGENTS_EVAL_API_BYPASS_SECRET) {
+			if (!authHeader || !authHeader.startsWith("Bearer ")) {
+				console.log("[AUTH DEBUG] Rejecting: No Bearer token provided");
+				throw new HTTPException(401, { message: "Missing or invalid authorization header. Expected: Bearer <api_key>" });
+			}
+			if (authHeader.substring(7) === env.INKEEP_AGENTS_EVAL_API_BYPASS_SECRET) {
+				logger.info({}, "Bypass secret authenticated successfully");
+				await next();
+				return;
+			}
+		}
+		if (isInternalServiceToken(apiKey)) {
+			const result = await verifyInternalServiceAuthHeader(authHeader);
+			if (!result.valid || !result.payload) throw new HTTPException(401, { message: result.error || "Invalid internal service token" });
+			logger.info({
+				serviceId: result.payload.sub,
+				tenantId: result.payload.tenantId,
+				projectId: result.payload.projectId
+			}, "Internal service authenticated");
+			await next();
+			return;
+		}
+		if (env.ENVIRONMENT === "development") {
 			await next();
 			return;
 		}
-	}
-	if (isInternalServiceToken(apiKey)) {
-		const result = await verifyInternalServiceAuthHeader(authHeader);
-		if (!result.valid || !result.payload) throw new HTTPException(401, { message: result.error || "Invalid internal service token" });
-		logger.info({
-			serviceId: result.payload.sub,
-			tenantId: result.payload.tenantId,
-			projectId: result.payload.projectId
-		}, "Internal service authenticated");
-		await next();
-		return;
-	}
-	if (env.ENVIRONMENT === "development") {
-		await next();
-		return;
-	}
-	throw new HTTPException(401, { message: "Invalid Token" });
-});
+		throw new HTTPException(401, { message: "Invalid Token" });
+	});
+	registerAuthzMeta(mw, { description: "Requires eval API key (bypass secret or internal service token)" });
+	return mw;
+};
 
 //#endregion
 export { evalApiKeyAuth };

package/dist/middleware/index.d.ts

@@ -1,9 +1,8 @@
 import { authCorsConfig, defaultCorsConfig, getBaseDomain, isOriginAllowed, playgroundCorsConfig, runCorsConfig, signozCorsConfig, workAppsCorsConfig } from "./cors.js";
 import { errorHandler } from "./errorHandler.js";
-import { manageApiKeyAuth } from "./manageAuth.js";
-import { oauthRefMiddleware } from "./ref.js";
+import { manageApiKeyAuth, manageApiKeyOrSessionAuth } from "./manageAuth.js";
 import { runApiKeyAuth, runApiKeyAuthExcept, runOptionalAuth } from "./runAuth.js";
 import { sessionAuth } from "./sessionAuth.js";
 import { requireTenantAccess } from "./tenantAccess.js";
 import { workAppsAuth } from "./workAppsAuth.js";
-export { authCorsConfig, defaultCorsConfig, errorHandler, getBaseDomain, isOriginAllowed, manageApiKeyAuth, oauthRefMiddleware, playgroundCorsConfig, requireTenantAccess, runApiKeyAuth, runApiKeyAuthExcept, runCorsConfig, runOptionalAuth, sessionAuth, signozCorsConfig, workAppsAuth, workAppsCorsConfig };
+export { authCorsConfig, defaultCorsConfig, errorHandler, getBaseDomain, isOriginAllowed, manageApiKeyAuth, manageApiKeyOrSessionAuth, playgroundCorsConfig, requireTenantAccess, runApiKeyAuth, runApiKeyAuthExcept, runCorsConfig, runOptionalAuth, sessionAuth, signozCorsConfig, workAppsAuth, workAppsCorsConfig };

package/dist/middleware/index.js

@@ -1,10 +1,9 @@
-import { sessionAuth } from "./sessionAuth.js";
 import { authCorsConfig, defaultCorsConfig, getBaseDomain, isOriginAllowed, playgroundCorsConfig, runCorsConfig, signozCorsConfig, workAppsCorsConfig } from "./cors.js";
 import { errorHandler } from "./errorHandler.js";
-import { manageApiKeyAuth } from "./manageAuth.js";
-import { oauthRefMiddleware } from "./ref.js";
+import { sessionAuth } from "./sessionAuth.js";
+import { manageApiKeyAuth, manageApiKeyOrSessionAuth } from "./manageAuth.js";
 import { runApiKeyAuth, runApiKeyAuthExcept, runOptionalAuth } from "./runAuth.js";
 import { requireTenantAccess } from "./tenantAccess.js";
 import { workAppsAuth } from "./workAppsAuth.js";
 
-export { authCorsConfig, defaultCorsConfig, errorHandler, getBaseDomain, isOriginAllowed, manageApiKeyAuth, oauthRefMiddleware, playgroundCorsConfig, requireTenantAccess, runApiKeyAuth, runApiKeyAuthExcept, runCorsConfig, runOptionalAuth, sessionAuth, signozCorsConfig, workAppsAuth, workAppsCorsConfig };
+export { authCorsConfig, defaultCorsConfig, errorHandler, getBaseDomain, isOriginAllowed, manageApiKeyAuth, manageApiKeyOrSessionAuth, playgroundCorsConfig, requireTenantAccess, runApiKeyAuth, runApiKeyAuthExcept, runCorsConfig, runOptionalAuth, sessionAuth, signozCorsConfig, workAppsAuth, workAppsCorsConfig };

package/dist/middleware/manageAuth.d.ts

@@ -1,5 +1,5 @@
 import { BaseExecutionContext } from "@inkeep/agents-core";
-import * as hono6 from "hono";
+import * as hono1 from "hono";
 import { createAuth } from "@inkeep/agents-core/auth";
 
 //#region src/middleware/manageAuth.d.ts
@@ -12,14 +12,19 @@ import { createAuth } from "@inkeep/agents-core/auth";
  * 3. Database API key
  * 4. Internal service token
  */
-declare const manageApiKeyAuth: () => hono6.MiddlewareHandler<{
+declare const manageApiKeyAuth: () => hono1.MiddlewareHandler<{
   Variables: {
     executionContext: BaseExecutionContext;
     userId?: string;
     userEmail?: string;
     tenantId?: string;
-    auth: ReturnType<typeof createAuth> | null;
+    auth: ReturnType<typeof createAuth>;
   };
 }, string, {}, Response>;
+/**
+ * Middleware that gates a route with manage-domain authentication.
+ * Uses Bearer token → API key auth, otherwise falls back to session auth.
+ */
+declare const manageApiKeyOrSessionAuth: () => hono1.MiddlewareHandler<any, string, {}, Response>;
 //#endregion
-export { manageApiKeyAuth };
+export { manageApiKeyAuth, manageApiKeyOrSessionAuth };

package/dist/middleware/manageAuth.js

@@ -1,6 +1,8 @@
 import { env } from "../env.js";
 import runDbClient_default from "../data/db/runDbClient.js";
+import { sessionAuth } from "./sessionAuth.js";
 import { getLogger, isInternalServiceToken, isSlackUserToken, validateAndGetApiKey, verifyInternalServiceAuthHeader, verifySlackUserToken } from "@inkeep/agents-core";
+import { registerAuthzMeta } from "@inkeep/agents-core/middleware";
 import { createMiddleware } from "hono/factory";
 import { HTTPException } from "hono/http-exception";
 
@@ -26,7 +28,7 @@ const manageApiKeyAuth = () => createMiddleware(async (c, next) => {
 		return;
 	}
 	const auth = c.get("auth");
-	if (auth) try {
+	try {
 		const headers$1 = new Headers();
 		headers$1.set("Authorization", authHeader);
 		const forwardedCookie = c.req.header("x-forwarded-cookie");
@@ -90,6 +92,26 @@ const manageApiKeyAuth = () => createMiddleware(async (c, next) => {
 	}
 	throw new HTTPException(401, { message: "Invalid Token" });
 });
+/**
+* Middleware that gates a route with manage-domain authentication.
+* Uses Bearer token → API key auth, otherwise falls back to session auth.
+*/
+const manageApiKeyOrSessionAuth = () => {
+	const mw = createMiddleware(async (c, next) => {
+		if (env.ENVIRONMENT === "test") {
+			await next();
+			return;
+		}
+		if (c.req.header("Authorization")?.startsWith("Bearer ")) return manageApiKeyAuth()(c, next);
+		return sessionAuth()(c, next);
+	});
+	registerAuthzMeta(mw, {
+		resource: "organization",
+		permission: "member",
+		description: "Requires session cookie or API key authentication"
+	});
+	return mw;
+};
 
 //#endregion
-export { manageApiKeyAuth };
+export { manageApiKeyAuth, manageApiKeyOrSessionAuth };

package/dist/middleware/projectAccess.d.ts

@@ -1,15 +1,16 @@
 import { ManageAppVariables } from "../types/app.js";
 import { ProjectPermissionLevel } from "@inkeep/agents-core";
-import * as hono3 from "hono";
+import { ProjectScopedMiddleware } from "@inkeep/agents-core/middleware";
 
 //#region src/middleware/projectAccess.d.ts
+
 /**
  * Middleware to check project-level access.
  */
-declare const requireProjectPermission: <Env$1 extends {
+declare const requireProjectPermission: <Env extends {
   Variables: ManageAppVariables;
 } = {
   Variables: ManageAppVariables;
-}>(permission?: ProjectPermissionLevel) => hono3.MiddlewareHandler<Env$1, string, {}, Response>;
+}>(permission?: ProjectPermissionLevel) => ProjectScopedMiddleware;
 //#endregion
 export { requireProjectPermission };

package/dist/middleware/projectAccess.js

@@ -1,79 +1,93 @@
 import { canEditProject, canUseProject, canViewProject, createApiError } from "@inkeep/agents-core";
+import { registerAuthzMeta } from "@inkeep/agents-core/middleware";
 import { createMiddleware } from "hono/factory";
 import { HTTPException } from "hono/http-exception";
 
 //#region src/middleware/projectAccess.ts
+const projectPermissionDescriptions = {
+	view: "Requires project view permission (project_viewer+, or org admin/owner)",
+	use: "Requires project use permission (project_member+, or org admin/owner)",
+	edit: "Requires project edit permission (project_admin, or org admin/owner)"
+};
 /**
 * Middleware to check project-level access.
 */
-const requireProjectPermission = (permission = "view") => createMiddleware(async (c, next) => {
-	if (process.env.ENVIRONMENT === "test") {
-		await next();
-		return;
-	}
-	const userId = c.get("userId");
-	const tenantId = c.get("tenantId");
-	const tenantRole = c.get("tenantRole");
-	const projectId = c.req.param("projectId") || c.req.param("id");
-	if (!userId || !tenantId) throw createApiError({
-		code: "unauthorized",
-		message: "User or organization context not found",
-		instance: c.req.path
-	});
-	if (!projectId) throw createApiError({
-		code: "bad_request",
-		message: "Project ID is required",
-		instance: c.req.path
-	});
-	if (userId === "system" || userId.startsWith("apikey:")) {
-		await next();
-		return;
-	}
-	try {
-		let hasAccess = false;
-		switch (permission) {
-			case "view":
-				hasAccess = await canViewProject({
-					userId,
-					tenantId,
-					projectId,
-					orgRole: tenantRole
-				});
-				break;
-			case "use":
-				hasAccess = await canUseProject({
-					userId,
-					tenantId,
-					projectId,
-					orgRole: tenantRole
-				});
-				break;
-			case "edit":
-				hasAccess = await canEditProject({
-					userId,
-					tenantId,
-					projectId,
-					orgRole: tenantRole
-				});
-				break;
+const requireProjectPermission = (permission = "view") => {
+	const mw = createMiddleware(async (c, next) => {
+		if (process.env.ENVIRONMENT === "test") {
+			await next();
+			return;
 		}
-		if (!hasAccess) throw createApiError({
-			code: "not_found",
-			message: "Project not found",
+		const userId = c.get("userId");
+		const tenantId = c.get("tenantId");
+		const tenantRole = c.get("tenantRole");
+		const projectId = c.req.param("projectId") || c.req.param("id");
+		if (!userId || !tenantId) throw createApiError({
+			code: "unauthorized",
+			message: "User or organization context not found",
 			instance: c.req.path
 		});
-		await next();
-	} catch (error) {
-		if (error instanceof HTTPException) throw error;
-		const errorMessage = error instanceof Error ? error.message : "Unknown error";
-		throw createApiError({
-			code: "internal_server_error",
-			message: "Failed to verify project access",
-			instance: c.req.path,
-			extensions: { internalError: errorMessage }
+		if (!projectId) throw createApiError({
+			code: "bad_request",
+			message: "Project ID is required",
+			instance: c.req.path
 		});
-	}
-});
+		if (userId === "system" || userId.startsWith("apikey:")) {
+			await next();
+			return;
+		}
+		try {
+			let hasAccess = false;
+			switch (permission) {
+				case "view":
+					hasAccess = await canViewProject({
+						userId,
+						tenantId,
+						projectId,
+						orgRole: tenantRole
+					});
+					break;
+				case "use":
+					hasAccess = await canUseProject({
+						userId,
+						tenantId,
+						projectId,
+						orgRole: tenantRole
+					});
+					break;
+				case "edit":
+					hasAccess = await canEditProject({
+						userId,
+						tenantId,
+						projectId,
+						orgRole: tenantRole
+					});
+					break;
+			}
+			if (!hasAccess) throw createApiError({
+				code: "not_found",
+				message: "Project not found",
+				instance: c.req.path
+			});
+			await next();
+		} catch (error) {
+			if (error instanceof HTTPException) throw error;
+			const errorMessage = error instanceof Error ? error.message : "Unknown error";
+			throw createApiError({
+				code: "internal_server_error",
+				message: "Failed to verify project access",
+				instance: c.req.path,
+				extensions: { internalError: errorMessage }
+			});
+		}
+	});
+	registerAuthzMeta(mw, {
+		resource: "project",
+		permission,
+		description: projectPermissionDescriptions[permission] ?? `Requires project ${permission} permission`
+	});
+	return mw;
+};
 
 //#endregion
 export { requireProjectPermission };

package/dist/middleware/projectConfig.d.ts

@@ -1,11 +1,11 @@
 import { BaseExecutionContext, ResolvedRef } from "@inkeep/agents-core";
-import * as hono7 from "hono";
+import * as hono9 from "hono";
 
 //#region src/middleware/projectConfig.d.ts
 /**
  * Middleware that fetches the full project definition from the Management API
  */
-declare const projectConfigMiddleware: hono7.MiddlewareHandler<{
+declare const projectConfigMiddleware: hono9.MiddlewareHandler<{
   Variables: {
     executionContext: BaseExecutionContext;
     resolvedRef: ResolvedRef;
@@ -15,7 +15,7 @@ declare const projectConfigMiddleware: hono7.MiddlewareHandler<{
  * Creates a middleware that applies project config fetching except for specified route patterns
  * @param skipRouteCheck - Function that returns true if the route should skip the middleware
  */
-declare const projectConfigMiddlewareExcept: (skipRouteCheck: (path: string) => boolean) => hono7.MiddlewareHandler<{
+declare const projectConfigMiddlewareExcept: (skipRouteCheck: (path: string) => boolean) => hono9.MiddlewareHandler<{
   Variables: {
     executionContext: BaseExecutionContext;
     resolvedRef: ResolvedRef;

package/dist/middleware/ref.d.ts

@@ -53,9 +53,5 @@ declare const createRefMiddleware: (db: AgentsManageDatabaseClient, options?: Re
 declare const writeProtectionMiddleware: (c: Context, next: Next) => Promise<void>;
 declare const manageRefMiddleware: (c: Context, next: Next) => Promise<void>;
 declare const runRefMiddleware: (c: Context, next: Next) => Promise<void>;
-/**
- * Ref middleware for OAuth routes - extracts tenant/project from query params
- */
-declare const oauthRefMiddleware: (c: Context, next: Next) => Promise<void>;
 //#endregion
-export { RefContext, RefMiddlewareOptions, createRefMiddleware, manageRefMiddleware, oauthRefMiddleware, runRefMiddleware, writeProtectionMiddleware };
+export { RefContext, RefMiddlewareOptions, createRefMiddleware, manageRefMiddleware, runRefMiddleware, writeProtectionMiddleware };