@inkeep/agents-api 0.0.0-dev-20260302213646 → 0.0.0-dev-20260303010841

package/dist/.well-known/workflow/v1/manifest.json

@@ -15,6 +15,11 @@
         "stepId": "step//./src/domains/evals/workflow/functions/runDatasetItem//logStep"
       }
     },
+    "node_modules/.pnpm/workflow@4.1.0-beta.54_@aws-sdk+client-sts@3.970.0_@nestjs+common@11.1.13_reflect-metad_f85281f2580d7065fc514e637f5f5e1f/node_modules/workflow/dist/stdlib.js": {
+      "fetch": {
+        "stepId": "step//workflow@4.1.0-beta.54//fetch"
+      }
+    },
     "node_modules/.pnpm/workflow@4.1.0-beta.54_@aws-sdk+client-sts@3.970.0_@nestjs+common@11.1.13_reflect-metad_f85281f2580d7065fc514e637f5f5e1f/node_modules/workflow/dist/internal/builtins.js": {
       "__builtin_response_array_buffer": {
         "stepId": "__builtin_response_array_buffer"
@@ -26,11 +31,6 @@
         "stepId": "__builtin_response_text"
       }
     },
-    "node_modules/.pnpm/workflow@4.1.0-beta.54_@aws-sdk+client-sts@3.970.0_@nestjs+common@11.1.13_reflect-metad_f85281f2580d7065fc514e637f5f5e1f/node_modules/workflow/dist/stdlib.js": {
-      "fetch": {
-        "stepId": "step//workflow@4.1.0-beta.54//fetch"
-      }
-    },
     "src/domains/evals/workflow/functions/evaluateConversation.ts": {
       "executeEvaluatorStep": {
         "stepId": "step//./src/domains/evals/workflow/functions/evaluateConversation//executeEvaluatorStep"

package/dist/createApp.js

@@ -5,7 +5,7 @@ import { workflowRoutes } from "./domains/evals/workflow/routes.js";
 import { authCorsConfig, defaultCorsConfig, playgroundCorsConfig, runCorsConfig, signozCorsConfig, workAppsCorsConfig } from "./middleware/cors.js";
 import { errorHandler } from "./middleware/errorHandler.js";
 import { sessionContext } from "./middleware/sessionAuth.js";
-import { manageApiKeyOrSessionAuth } from "./middleware/manageAuth.js";
+import { manageBearerOrSessionAuth } from "./middleware/manageAuth.js";
 import { runApiKeyAuth, runApiKeyAuthExcept } from "./middleware/runAuth.js";
 import { requireTenantAccess } from "./middleware/tenantAccess.js";
 import { workAppsAuth } from "./middleware/workAppsAuth.js";
@@ -112,7 +112,7 @@ function createAgentsHono(config) {
 	app.use("*", sessionContext());
 	app.route("/", healthChecksHandler);
 	app.route("/", workflowProcessHandler);
-	app.use("/manage/tenants/*", manageApiKeyOrSessionAuth());
+	app.use("/manage/tenants/*", manageBearerOrSessionAuth());
 	app.use("/manage/tenants/:tenantId/*", requireTenantAccess());
 	app.use("*", async (_c, next) => {
 		await next();

package/dist/data/db/manageDbClient.d.ts

@@ -1,6 +1,6 @@
-import * as _inkeep_agents_core0 from "@inkeep/agents-core";
+import * as _inkeep_agents_core1 from "@inkeep/agents-core";
 
 //#region src/data/db/manageDbClient.d.ts
-declare const manageDbClient: _inkeep_agents_core0.AgentsManageDatabaseClient;
+declare const manageDbClient: _inkeep_agents_core1.AgentsManageDatabaseClient;
 //#endregion
 export { manageDbClient as default };

package/dist/data/db/runDbClient.d.ts

@@ -1,6 +1,6 @@
-import * as _inkeep_agents_core0 from "@inkeep/agents-core";
+import * as _inkeep_agents_core2 from "@inkeep/agents-core";
 
 //#region src/data/db/runDbClient.d.ts
-declare const runDbClient: _inkeep_agents_core0.AgentsRunDatabaseClient;
+declare const runDbClient: _inkeep_agents_core2.AgentsRunDatabaseClient;
 //#endregion
 export { runDbClient as default };

package/dist/domains/evals/routes/datasetTriggers.d.ts

@@ -1,7 +1,7 @@
 import { OpenAPIHono } from "@hono/zod-openapi";
-import * as hono6 from "hono";
+import * as hono4 from "hono";
 
 //#region src/domains/evals/routes/datasetTriggers.d.ts
-declare const app: OpenAPIHono<hono6.Env, {}, "/">;
+declare const app: OpenAPIHono<hono4.Env, {}, "/">;
 //#endregion
 export { app as default };

package/dist/domains/evals/routes/index.d.ts

@@ -1,7 +1,7 @@
 import { OpenAPIHono } from "@hono/zod-openapi";
-import * as hono12 from "hono";
+import * as hono8 from "hono";
 
 //#region src/domains/evals/routes/index.d.ts
-declare const app: OpenAPIHono<hono12.Env, {}, "/">;
+declare const app: OpenAPIHono<hono8.Env, {}, "/">;
 //#endregion
 export { app as default };

package/dist/domains/evals/workflow/routes.d.ts

@@ -1,7 +1,7 @@
 import { Hono } from "hono";
-import * as hono_types8 from "hono/types";
+import * as hono_types11 from "hono/types";
 
 //#region src/domains/evals/workflow/routes.d.ts
-declare const workflowRoutes: Hono<hono_types8.BlankEnv, hono_types8.BlankSchema, "/">;
+declare const workflowRoutes: Hono<hono_types11.BlankEnv, hono_types11.BlankSchema, "/">;
 //#endregion
 export { workflowRoutes };

package/dist/domains/manage/routes/availableAgents.d.ts

@@ -1,7 +1,7 @@
 import { OpenAPIHono } from "@hono/zod-openapi";
-import * as hono17 from "hono";
+import * as hono0 from "hono";
 
 //#region src/domains/manage/routes/availableAgents.d.ts
-declare const app: OpenAPIHono<hono17.Env, {}, "/">;
+declare const app: OpenAPIHono<hono0.Env, {}, "/">;
 //#endregion
 export { app as default };

package/dist/domains/manage/routes/conversations.d.ts

@@ -1,7 +1,7 @@
 import { OpenAPIHono } from "@hono/zod-openapi";
-import * as hono18 from "hono";
+import * as hono2 from "hono";
 
 //#region src/domains/manage/routes/conversations.d.ts
-declare const app: OpenAPIHono<hono18.Env, {}, "/">;
+declare const app: OpenAPIHono<hono2.Env, {}, "/">;
 //#endregion
 export { app as default };

package/dist/domains/manage/routes/index.d.ts

@@ -1,7 +1,7 @@
 import { OpenAPIHono } from "@hono/zod-openapi";
-import * as hono16 from "hono";
+import * as hono1 from "hono";
 
 //#region src/domains/manage/routes/index.d.ts
-declare const app: OpenAPIHono<hono16.Env, {}, "/">;
+declare const app: OpenAPIHono<hono1.Env, {}, "/">;
 //#endregion
 export { app as default };

package/dist/domains/manage/routes/invitations.d.ts

@@ -1,10 +1,10 @@
 import { ManageAppVariables } from "../../../types/app.js";
 import { Hono } from "hono";
-import * as hono_types6 from "hono/types";
+import * as hono_types10 from "hono/types";
 
 //#region src/domains/manage/routes/invitations.d.ts
 declare const invitationsRoutes: Hono<{
   Variables: ManageAppVariables;
-}, hono_types6.BlankSchema, "/">;
+}, hono_types10.BlankSchema, "/">;
 //#endregion
 export { invitationsRoutes as default };

package/dist/domains/manage/routes/users.d.ts

@@ -1,10 +1,10 @@
 import { ManageAppVariables } from "../../../types/app.js";
 import { Hono } from "hono";
-import * as hono_types12 from "hono/types";
+import * as hono_types6 from "hono/types";
 
 //#region src/domains/manage/routes/users.d.ts
 declare const usersRoutes: Hono<{
   Variables: ManageAppVariables;
-}, hono_types12.BlankSchema, "/">;
+}, hono_types6.BlankSchema, "/">;
 //#endregion
 export { usersRoutes as default };

package/dist/domains/mcp/routes/mcp.d.ts

@@ -1,7 +1,7 @@
 import { Hono } from "hono";
-import * as hono_types10 from "hono/types";
+import * as hono_types8 from "hono/types";
 
 //#region src/domains/mcp/routes/mcp.d.ts
-declare const app: Hono<hono_types10.BlankEnv, hono_types10.BlankSchema, "/">;
+declare const app: Hono<hono_types8.BlankEnv, hono_types8.BlankSchema, "/">;
 //#endregion
 export { app as default };

package/dist/domains/run/agents/relationTools.d.ts

@@ -1,6 +1,6 @@
 import { AgentConfig, DelegateRelation } from "./Agent.js";
 import { InternalRelation } from "../utils/project.js";
-import * as _inkeep_agents_core2 from "@inkeep/agents-core";
+import * as _inkeep_agents_core0 from "@inkeep/agents-core";
 import { CredentialStoreRegistry, FullExecutionContext } from "@inkeep/agents-core";
 import * as ai0 from "ai";
 
@@ -44,7 +44,7 @@ declare function createDelegateToAgentTool({
   message: string;
 }, {
   toolCallId: any;
-  result: _inkeep_agents_core2.Message | _inkeep_agents_core2.Task;
+  result: _inkeep_agents_core0.Message | _inkeep_agents_core0.Task;
 }>;
 /**
  * Parameters for building a transfer relation config

package/dist/domains/run/utils/token-estimator.d.ts

@@ -1,4 +1,4 @@
-import * as _inkeep_agents_core1 from "@inkeep/agents-core";
+import * as _inkeep_agents_core3 from "@inkeep/agents-core";
 import { BreakdownComponentDef, ContextBreakdown, calculateBreakdownTotal, createEmptyBreakdown } from "@inkeep/agents-core";
 
 //#region src/domains/run/utils/token-estimator.d.ts
@@ -17,7 +17,7 @@ interface AssembleResult {
   /** The assembled prompt string */
   prompt: string;
   /** Token breakdown for each component */
-  breakdown: _inkeep_agents_core1.ContextBreakdown;
+  breakdown: _inkeep_agents_core3.ContextBreakdown;
 }
 //#endregion
 export { AssembleResult, type BreakdownComponentDef, type ContextBreakdown, calculateBreakdownTotal, createEmptyBreakdown, estimateTokens };

package/dist/domains/run/workflow/steps/scheduledTriggerSteps.d.ts

@@ -107,7 +107,7 @@ declare function createInvocationIdempotentStep(params: {
     projectId: string;
     tenantId: string;
     id: string;
-    status: "pending" | "failed" | "running" | "completed" | "cancelled";
+    status: "pending" | "completed" | "failed" | "running" | "cancelled";
     resolvedPayload?: Record<string, unknown> | null | undefined;
   };
   alreadyExists: boolean;
@@ -147,7 +147,7 @@ declare function markRunningStep(params: {
   projectId: string;
   tenantId: string;
   id: string;
-  status: "pending" | "failed" | "running" | "completed" | "cancelled";
+  status: "pending" | "completed" | "failed" | "running" | "cancelled";
   resolvedPayload?: Record<string, unknown> | null | undefined;
 }>;
 /**
@@ -174,7 +174,7 @@ declare function addConversationIdStep(params: {
   projectId: string;
   tenantId: string;
   id: string;
-  status: "pending" | "failed" | "running" | "completed" | "cancelled";
+  status: "pending" | "completed" | "failed" | "running" | "cancelled";
   resolvedPayload?: Record<string, unknown> | null | undefined;
 } | undefined>;
 /**
@@ -199,7 +199,7 @@ declare function markCompletedStep(params: {
   projectId: string;
   tenantId: string;
   id: string;
-  status: "pending" | "failed" | "running" | "completed" | "cancelled";
+  status: "pending" | "completed" | "failed" | "running" | "cancelled";
   resolvedPayload?: Record<string, unknown> | null | undefined;
 } | undefined>;
 /**
@@ -224,7 +224,7 @@ declare function markFailedStep(params: {
   projectId: string;
   tenantId: string;
   id: string;
-  status: "pending" | "failed" | "running" | "completed" | "cancelled";
+  status: "pending" | "completed" | "failed" | "running" | "cancelled";
   resolvedPayload?: Record<string, unknown> | null | undefined;
 } | undefined>;
 /**

package/dist/factory.d.ts

@@ -1170,25 +1170,25 @@ declare function createAgentsAuth(userAuthConfig?: UserAuthConfig): better_auth9
     ac: better_auth_plugins35.AccessControl;
     roles: {
       member: {
-        authorize<K_1 extends "project" | "organization" | "team" | "member" | "ac" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins35.Subset<"project" | "organization" | "team" | "member" | "ac" | "invitation", better_auth_plugins35.Statements>[key] | {
-          actions: better_auth_plugins35.Subset<"project" | "organization" | "team" | "member" | "ac" | "invitation", better_auth_plugins35.Statements>[key];
+        authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins35.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins35.Statements>[key] | {
+          actions: better_auth_plugins35.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins35.Statements>[key];
           connector: "OR" | "AND";
         } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins35.AuthorizeResponse;
-        statements: better_auth_plugins35.Subset<"project" | "organization" | "team" | "member" | "ac" | "invitation", better_auth_plugins35.Statements>;
+        statements: better_auth_plugins35.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins35.Statements>;
       };
       admin: {
-        authorize<K_1 extends "project" | "organization" | "team" | "member" | "ac" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins35.Subset<"project" | "organization" | "team" | "member" | "ac" | "invitation", better_auth_plugins35.Statements>[key] | {
-          actions: better_auth_plugins35.Subset<"project" | "organization" | "team" | "member" | "ac" | "invitation", better_auth_plugins35.Statements>[key];
+        authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins35.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins35.Statements>[key] | {
+          actions: better_auth_plugins35.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins35.Statements>[key];
           connector: "OR" | "AND";
         } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins35.AuthorizeResponse;
-        statements: better_auth_plugins35.Subset<"project" | "organization" | "team" | "member" | "ac" | "invitation", better_auth_plugins35.Statements>;
+        statements: better_auth_plugins35.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins35.Statements>;
       };
       owner: {
-        authorize<K_1 extends "project" | "organization" | "team" | "member" | "ac" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins35.Subset<"project" | "organization" | "team" | "member" | "ac" | "invitation", better_auth_plugins35.Statements>[key] | {
-          actions: better_auth_plugins35.Subset<"project" | "organization" | "team" | "member" | "ac" | "invitation", better_auth_plugins35.Statements>[key];
+        authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins35.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins35.Statements>[key] | {
+          actions: better_auth_plugins35.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins35.Statements>[key];
           connector: "OR" | "AND";
         } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins35.AuthorizeResponse;
-        statements: better_auth_plugins35.Subset<"project" | "organization" | "team" | "member" | "ac" | "invitation", better_auth_plugins35.Statements>;
+        statements: better_auth_plugins35.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins35.Statements>;
       };
     };
     creatorRole: "admin";

package/dist/index.d.ts

@@ -1170,25 +1170,25 @@ declare const auth: better_auth0.Auth<{
     ac: better_auth_plugins0.AccessControl;
     roles: {
       member: {
-        authorize<K_1 extends "project" | "organization" | "team" | "member" | "ac" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"project" | "organization" | "team" | "member" | "ac" | "invitation", better_auth_plugins0.Statements>[key] | {
-          actions: better_auth_plugins0.Subset<"project" | "organization" | "team" | "member" | "ac" | "invitation", better_auth_plugins0.Statements>[key];
+        authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
+          actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
           connector: "OR" | "AND";
         } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-        statements: better_auth_plugins0.Subset<"project" | "organization" | "team" | "member" | "ac" | "invitation", better_auth_plugins0.Statements>;
+        statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
       };
       admin: {
-        authorize<K_1 extends "project" | "organization" | "team" | "member" | "ac" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"project" | "organization" | "team" | "member" | "ac" | "invitation", better_auth_plugins0.Statements>[key] | {
-          actions: better_auth_plugins0.Subset<"project" | "organization" | "team" | "member" | "ac" | "invitation", better_auth_plugins0.Statements>[key];
+        authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
+          actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
           connector: "OR" | "AND";
         } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-        statements: better_auth_plugins0.Subset<"project" | "organization" | "team" | "member" | "ac" | "invitation", better_auth_plugins0.Statements>;
+        statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
       };
       owner: {
-        authorize<K_1 extends "project" | "organization" | "team" | "member" | "ac" | "invitation">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"project" | "organization" | "team" | "member" | "ac" | "invitation", better_auth_plugins0.Statements>[key] | {
-          actions: better_auth_plugins0.Subset<"project" | "organization" | "team" | "member" | "ac" | "invitation", better_auth_plugins0.Statements>[key];
+        authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
+          actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
           connector: "OR" | "AND";
         } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-        statements: better_auth_plugins0.Subset<"project" | "organization" | "team" | "member" | "ac" | "invitation", better_auth_plugins0.Statements>;
+        statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
       };
     };
     creatorRole: "admin";

package/dist/middleware/evalsAuth.d.ts

@@ -1,5 +1,5 @@
 import { BaseExecutionContext } from "@inkeep/agents-core";
-import * as hono0 from "hono";
+import * as hono5 from "hono";
 
 //#region src/middleware/evalsAuth.d.ts
 
@@ -7,7 +7,7 @@ import * as hono0 from "hono";
  * Middleware to authenticate API requests using Bearer token authentication
  * First checks if token matches INKEEP_AGENTS_EVAL_API_BYPASS_SECRET,
  */
-declare const evalApiKeyAuth: () => hono0.MiddlewareHandler<{
+declare const evalApiKeyAuth: () => hono5.MiddlewareHandler<{
   Variables: {
     executionContext: BaseExecutionContext;
   };

package/dist/middleware/index.d.ts

@@ -1,8 +1,8 @@
 import { authCorsConfig, defaultCorsConfig, getBaseDomain, isOriginAllowed, playgroundCorsConfig, runCorsConfig, signozCorsConfig, workAppsCorsConfig } from "./cors.js";
 import { errorHandler } from "./errorHandler.js";
-import { manageApiKeyAuth, manageApiKeyOrSessionAuth } from "./manageAuth.js";
+import { manageBearerAuth, manageBearerOrSessionAuth } from "./manageAuth.js";
 import { runApiKeyAuth, runApiKeyAuthExcept, runOptionalAuth } from "./runAuth.js";
 import { sessionAuth } from "./sessionAuth.js";
 import { requireTenantAccess } from "./tenantAccess.js";
 import { workAppsAuth } from "./workAppsAuth.js";
-export { authCorsConfig, defaultCorsConfig, errorHandler, getBaseDomain, isOriginAllowed, manageApiKeyAuth, manageApiKeyOrSessionAuth, playgroundCorsConfig, requireTenantAccess, runApiKeyAuth, runApiKeyAuthExcept, runCorsConfig, runOptionalAuth, sessionAuth, signozCorsConfig, workAppsAuth, workAppsCorsConfig };
+export { authCorsConfig, defaultCorsConfig, errorHandler, getBaseDomain, isOriginAllowed, manageBearerAuth, manageBearerOrSessionAuth, playgroundCorsConfig, requireTenantAccess, runApiKeyAuth, runApiKeyAuthExcept, runCorsConfig, runOptionalAuth, sessionAuth, signozCorsConfig, workAppsAuth, workAppsCorsConfig };

package/dist/middleware/index.js

@@ -1,9 +1,9 @@
 import { authCorsConfig, defaultCorsConfig, getBaseDomain, isOriginAllowed, playgroundCorsConfig, runCorsConfig, signozCorsConfig, workAppsCorsConfig } from "./cors.js";
 import { errorHandler } from "./errorHandler.js";
 import { sessionAuth } from "./sessionAuth.js";
-import { manageApiKeyAuth, manageApiKeyOrSessionAuth } from "./manageAuth.js";
+import { manageBearerAuth, manageBearerOrSessionAuth } from "./manageAuth.js";
 import { runApiKeyAuth, runApiKeyAuthExcept, runOptionalAuth } from "./runAuth.js";
 import { requireTenantAccess } from "./tenantAccess.js";
 import { workAppsAuth } from "./workAppsAuth.js";
 
-export { authCorsConfig, defaultCorsConfig, errorHandler, getBaseDomain, isOriginAllowed, manageApiKeyAuth, manageApiKeyOrSessionAuth, playgroundCorsConfig, requireTenantAccess, runApiKeyAuth, runApiKeyAuthExcept, runCorsConfig, runOptionalAuth, sessionAuth, signozCorsConfig, workAppsAuth, workAppsCorsConfig };
+export { authCorsConfig, defaultCorsConfig, errorHandler, getBaseDomain, isOriginAllowed, manageBearerAuth, manageBearerOrSessionAuth, playgroundCorsConfig, requireTenantAccess, runApiKeyAuth, runApiKeyAuthExcept, runCorsConfig, runOptionalAuth, sessionAuth, signozCorsConfig, workAppsAuth, workAppsCorsConfig };

package/dist/middleware/manageAuth.d.ts

@@ -1,5 +1,5 @@
 import { BaseExecutionContext } from "@inkeep/agents-core";
-import * as hono4 from "hono";
+import * as hono6 from "hono";
 import { createAuth } from "@inkeep/agents-core/auth";
 
 //#region src/middleware/manageAuth.d.ts
@@ -9,10 +9,13 @@ import { createAuth } from "@inkeep/agents-core/auth";
  * Authentication priority:
  * 1. Bypass secret (INKEEP_AGENTS_MANAGE_API_BYPASS_SECRET)
  * 2. Better-auth session token (from device authorization flow)
- * 3. Database API key
+ * 3. Slack user JWT token (for Slack work app delegation)
  * 4. Internal service token
+ *
+ * NOTE: Database API keys are intentionally NOT accepted on manage endpoints.
+ * API keys are restricted to the run domain only (chat, agent execution).
  */
-declare const manageApiKeyAuth: () => hono4.MiddlewareHandler<{
+declare const manageBearerAuth: () => hono6.MiddlewareHandler<{
   Variables: {
     executionContext: BaseExecutionContext;
     userId?: string;
@@ -23,8 +26,9 @@ declare const manageApiKeyAuth: () => hono4.MiddlewareHandler<{
 }, string, {}, Response>;
 /**
  * Middleware that gates a route with manage-domain authentication.
- * Uses Bearer token → API key auth, otherwise falls back to session auth.
+ * Uses Bearer token → manage bearer auth (bypass secret, session, Slack JWT, internal service),
+ * otherwise falls back to session auth.
  */
-declare const manageApiKeyOrSessionAuth: () => hono4.MiddlewareHandler<any, string, {}, Response>;
+declare const manageBearerOrSessionAuth: () => hono6.MiddlewareHandler<any, string, {}, Response>;
 //#endregion
-export { manageApiKeyAuth, manageApiKeyOrSessionAuth };
+export { manageBearerAuth, manageBearerOrSessionAuth };

package/dist/middleware/manageAuth.js

@@ -1,7 +1,6 @@
 import { env } from "../env.js";
-import runDbClient_default from "../data/db/runDbClient.js";
 import { sessionAuth } from "./sessionAuth.js";
-import { getLogger, isInternalServiceToken, isSlackUserToken, validateAndGetApiKey, verifyInternalServiceAuthHeader, verifySlackUserToken } from "@inkeep/agents-core";
+import { getLogger, isInternalServiceToken, isSlackUserToken, verifyInternalServiceAuthHeader, verifySlackUserToken } from "@inkeep/agents-core";
 import { registerAuthzMeta } from "@inkeep/agents-core/middleware";
 import { createMiddleware } from "hono/factory";
 import { HTTPException } from "hono/http-exception";
@@ -13,10 +12,13 @@ const logger = getLogger("env-key-auth");
 * Authentication priority:
 * 1. Bypass secret (INKEEP_AGENTS_MANAGE_API_BYPASS_SECRET)
 * 2. Better-auth session token (from device authorization flow)
-* 3. Database API key
+* 3. Slack user JWT token (for Slack work app delegation)
 * 4. Internal service token
+*
+* NOTE: Database API keys are intentionally NOT accepted on manage endpoints.
+* API keys are restricted to the run domain only (chat, agent execution).
 */
-const manageApiKeyAuth = () => createMiddleware(async (c, next) => {
+const manageBearerAuth = () => createMiddleware(async (c, next) => {
 	const authHeader = c.req.header("Authorization");
 	if (!authHeader || !authHeader.startsWith("Bearer ")) throw new HTTPException(401, { message: "Missing or invalid authorization header. Expected: Bearer <api_key>" });
 	const token = authHeader.substring(7);
@@ -49,16 +51,7 @@ const manageApiKeyAuth = () => createMiddleware(async (c, next) => {
 			return;
 		}
 	} catch (error) {
-		logger.debug({ error }, "Better-auth session validation failed, trying API key");
-	}
-	const validatedKey = await validateAndGetApiKey(token, runDbClient_default);
-	if (validatedKey) {
-		logger.info({ keyId: validatedKey.id }, "API key authenticated successfully");
-		c.set("userId", `apikey:${validatedKey.id}`);
-		c.set("userEmail", `apikey-${validatedKey.id}@internal`);
-		c.set("tenantId", validatedKey.tenantId);
-		await next();
-		return;
+		logger.debug({ error }, "Better-auth session validation failed, trying other auth methods");
 	}
 	if (isSlackUserToken(token)) {
 		const result = await verifySlackUserToken(token);
@@ -94,24 +87,25 @@ const manageApiKeyAuth = () => createMiddleware(async (c, next) => {
 });
 /**
 * Middleware that gates a route with manage-domain authentication.
-* Uses Bearer token → API key auth, otherwise falls back to session auth.
+* Uses Bearer token → manage bearer auth (bypass secret, session, Slack JWT, internal service),
+* otherwise falls back to session auth.
 */
-const manageApiKeyOrSessionAuth = () => {
+const manageBearerOrSessionAuth = () => {
 	const mw = createMiddleware(async (c, next) => {
 		if (env.ENVIRONMENT === "test") {
 			await next();
 			return;
 		}
-		if (c.req.header("Authorization")?.startsWith("Bearer ")) return manageApiKeyAuth()(c, next);
+		if (c.req.header("Authorization")?.startsWith("Bearer ")) return manageBearerAuth()(c, next);
 		return sessionAuth()(c, next);
 	});
 	registerAuthzMeta(mw, {
 		resource: "organization",
 		permission: "member",
-		description: "Requires session cookie or API key authentication"
+		description: "Requires session cookie authentication"
 	});
 	return mw;
 };
 
 //#endregion
-export { manageApiKeyAuth, manageApiKeyOrSessionAuth };
+export { manageBearerAuth, manageBearerOrSessionAuth };

package/dist/middleware/projectConfig.d.ts

@@ -1,11 +1,11 @@
 import { BaseExecutionContext, ResolvedRef } from "@inkeep/agents-core";
-import * as hono1 from "hono";
+import * as hono9 from "hono";
 
 //#region src/middleware/projectConfig.d.ts
 /**
  * Middleware that fetches the full project definition from the Management API
  */
-declare const projectConfigMiddleware: hono1.MiddlewareHandler<{
+declare const projectConfigMiddleware: hono9.MiddlewareHandler<{
   Variables: {
     executionContext: BaseExecutionContext;
     resolvedRef: ResolvedRef;
@@ -15,7 +15,7 @@ declare const projectConfigMiddleware: hono1.MiddlewareHandler<{
  * Creates a middleware that applies project config fetching except for specified route patterns
  * @param skipRouteCheck - Function that returns true if the route should skip the middleware
  */
-declare const projectConfigMiddlewareExcept: (skipRouteCheck: (path: string) => boolean) => hono1.MiddlewareHandler<{
+declare const projectConfigMiddlewareExcept: (skipRouteCheck: (path: string) => boolean) => hono9.MiddlewareHandler<{
   Variables: {
     executionContext: BaseExecutionContext;
     resolvedRef: ResolvedRef;

package/dist/middleware/runAuth.d.ts

@@ -1,8 +1,8 @@
 import { BaseExecutionContext } from "@inkeep/agents-core";
-import * as hono7 from "hono";
+import * as hono13 from "hono";
 
 //#region src/middleware/runAuth.d.ts
-declare const runApiKeyAuth: () => hono7.MiddlewareHandler<{
+declare const runApiKeyAuth: () => hono13.MiddlewareHandler<{
   Variables: {
     executionContext: BaseExecutionContext;
   };
@@ -11,7 +11,7 @@ declare const runApiKeyAuth: () => hono7.MiddlewareHandler<{
  * Creates a middleware that applies API key authentication except for specified route patterns
  * @param skipRouteCheck - Function that returns true if the route should skip authentication
  */
-declare const runApiKeyAuthExcept: (skipRouteCheck: (path: string) => boolean) => hono7.MiddlewareHandler<{
+declare const runApiKeyAuthExcept: (skipRouteCheck: (path: string) => boolean) => hono13.MiddlewareHandler<{
   Variables: {
     executionContext: BaseExecutionContext;
   };
@@ -20,7 +20,7 @@ declare const runApiKeyAuthExcept: (skipRouteCheck: (path: string) => boolean) =
  * Helper middleware for endpoints that optionally support API key authentication
  * If no auth header is present, it continues without setting the executionContext
  */
-declare const runOptionalAuth: () => hono7.MiddlewareHandler<{
+declare const runOptionalAuth: () => hono13.MiddlewareHandler<{
   Variables: {
     executionContext?: BaseExecutionContext;
   };

package/dist/middleware/runAuth.js

@@ -40,6 +40,11 @@ function extractRequestData(c) {
 */
 function buildExecutionContext(authResult, reqData) {
 	const agentId = authResult.metadata?.teamDelegation && reqData.agentId ? reqData.agentId : authResult.agentId;
+	if (!authResult.metadata?.teamDelegation && reqData.agentId && reqData.agentId !== authResult.agentId && authResult.apiKeyId && !authResult.apiKeyId.startsWith("temp-") && authResult.apiKeyId !== "bypass" && authResult.apiKeyId !== "slack-user-token" && authResult.apiKeyId !== "team-agent-token" && authResult.apiKeyId !== "test-key") logger.warn({
+		requestedAgentId: reqData.agentId,
+		apiKeyAgentId: authResult.agentId,
+		apiKeyId: authResult.apiKeyId
+	}, "API key agent scope mismatch: ignoring x-inkeep-agent-id header, using key-bound agent");
 	return createBaseExecutionContext({
 		apiKey: authResult.apiKey,
 		tenantId: authResult.tenantId,

package/dist/middleware/sessionAuth.d.ts

@@ -1,4 +1,4 @@
-import * as hono10 from "hono";
+import * as hono16 from "hono";
 
 //#region src/middleware/sessionAuth.d.ts
 
@@ -7,11 +7,11 @@ import * as hono10 from "hono";
  * Requires that a user has already been authenticated via Better Auth session.
  * Used primarily for manage routes that require an active user session.
  */
-declare const sessionAuth: () => hono10.MiddlewareHandler<any, string, {}, Response>;
+declare const sessionAuth: () => hono16.MiddlewareHandler<any, string, {}, Response>;
 /**
  * Global session middleware - sets user and session in context for all routes
  * Used for all routes that require an active user session.
  */
-declare const sessionContext: () => hono10.MiddlewareHandler<any, string, {}, Response>;
+declare const sessionContext: () => hono16.MiddlewareHandler<any, string, {}, Response>;
 //#endregion
 export { sessionAuth, sessionContext };

package/dist/middleware/tenantAccess.d.ts

@@ -1,4 +1,4 @@
-import * as hono13 from "hono";
+import * as hono18 from "hono";
 
 //#region src/middleware/tenantAccess.d.ts
 
@@ -12,7 +12,7 @@ import * as hono13 from "hono";
  * - API key user: Access only to the tenant associated with the API key
  * - Session user: Access based on organization membership
  */
-declare const requireTenantAccess: () => hono13.MiddlewareHandler<{
+declare const requireTenantAccess: () => hono18.MiddlewareHandler<{
   Variables: {
     userId: string;
     tenantId: string;

package/dist/middleware/tracing.d.ts

@@ -1,7 +1,7 @@
-import * as hono14 from "hono";
+import * as hono11 from "hono";
 
 //#region src/middleware/tracing.d.ts
-declare const otelBaggageMiddleware: () => hono14.MiddlewareHandler<any, string, {}, Response>;
-declare const executionBaggageMiddleware: () => hono14.MiddlewareHandler<any, string, {}, Response>;
+declare const otelBaggageMiddleware: () => hono11.MiddlewareHandler<any, string, {}, Response>;
+declare const executionBaggageMiddleware: () => hono11.MiddlewareHandler<any, string, {}, Response>;
 //#endregion
 export { executionBaggageMiddleware, otelBaggageMiddleware };

package/dist/middleware/workAppsAuth.js

@@ -1,20 +1,20 @@
 import { env } from "../env.js";
 import { sessionAuth } from "./sessionAuth.js";
-import { manageApiKeyAuth } from "./manageAuth.js";
+import { manageBearerAuth } from "./manageAuth.js";
 import { createApiError } from "@inkeep/agents-core";
 
 //#region src/middleware/workAppsAuth.ts
 /**
 * Work Apps Authentication Middleware
 *
-* Shared session/API key auth for protected work app routes (Slack, GitHub, etc.).
+* Shared session/bearer token auth for protected work app routes (Slack, GitHub, etc.).
 * Most work app routes are unauthenticated (events, commands, webhooks),
 * but workspace management and user endpoints require session auth.
 *
 * Auth flow:
 * 1. Test environment → bypass
 * 2. Dev localhost → bypass with dev-user context
-* 3. Bearer token → manageApiKeyAuth
+* 3. Bearer token → manageBearerAuth (bypass secret, session, Slack JWT, internal service)
 * 4. Session cookie → sessionAuth
 */
 const isTestEnvironment = () => env.ENVIRONMENT === "test";
@@ -45,7 +45,7 @@ const workAppsAuth = async (c, next) => {
 			}
 		} catch {}
 	}
-	if (c.req.header("Authorization")?.startsWith("Bearer ")) return manageApiKeyAuth()(c, next);
+	if (c.req.header("Authorization")?.startsWith("Bearer ")) return manageBearerAuth()(c, next);
 	await sessionAuth()(c, async () => {
 		const session = c.get("session");
 		if (!session?.activeOrganizationId) throw createApiError({

package/dist/routes/capabilities.js

@@ -1,4 +1,4 @@
-import { manageApiKeyOrSessionAuth } from "../middleware/manageAuth.js";
+import { manageBearerOrSessionAuth } from "../middleware/manageAuth.js";
 import "../middleware/index.js";
 import { OpenAPIHono, z } from "@hono/zod-openapi";
 import { createProtectedRoute } from "@inkeep/agents-core/middleware";
@@ -16,7 +16,7 @@ capabilitiesHandler.openapi(createProtectedRoute({
 	operationId: "capabilities",
 	summary: "Get server capabilities",
 	description: "Get information about optional server-side capabilities and configuration.",
-	permission: manageApiKeyOrSessionAuth(),
+	permission: manageBearerOrSessionAuth(),
 	responses: { 200: {
 		description: "Server capabilities",
 		content: { "application/json": { schema: CapabilitiesResponseSchema } }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@inkeep/agents-api",
-  "version": "0.0.0-dev-20260302213646",
+  "version": "0.0.0-dev-20260303010841",
   "description": "Unified Inkeep Agents API - combines management, runtime, and evaluation capabilities",
   "types": "dist/index.d.ts",
   "exports": {
@@ -70,9 +70,9 @@
     "openid-client": "^6.8.1",
     "pg": "^8.16.3",
     "workflow": "^4.1.0-beta.54",
-    "@inkeep/agents-core": "^0.0.0-dev-20260302213646",
-    "@inkeep/agents-mcp": "^0.0.0-dev-20260302213646",
-    "@inkeep/agents-work-apps": "^0.0.0-dev-20260302213646"
+    "@inkeep/agents-core": "^0.0.0-dev-20260303010841",
+    "@inkeep/agents-mcp": "^0.0.0-dev-20260303010841",
+    "@inkeep/agents-work-apps": "^0.0.0-dev-20260303010841"
   },
   "peerDependencies": {
     "@hono/zod-openapi": "^1.1.5",