@inkeep/agents-api 0.0.0-dev-20260327195114 → 0.0.0-dev-20260327225559

package/dist/middleware/runAuth.d.ts

@@ -1,8 +1,8 @@
 import { BaseExecutionContext } from "@inkeep/agents-core";
-import * as hono14 from "hono";
+import * as hono8 from "hono";
 
 //#region src/middleware/runAuth.d.ts
-declare const runApiKeyAuth: () => hono14.MiddlewareHandler<{
+declare const runApiKeyAuth: () => hono8.MiddlewareHandler<{
   Variables: {
     executionContext: BaseExecutionContext;
   };
@@ -11,7 +11,7 @@ declare const runApiKeyAuth: () => hono14.MiddlewareHandler<{
  * Creates a middleware that applies API key authentication except for specified route patterns
  * @param skipRouteCheck - Function that returns true if the route should skip authentication
  */
-declare const runApiKeyAuthExcept: (skipRouteCheck: (path: string) => boolean) => hono14.MiddlewareHandler<{
+declare const runApiKeyAuthExcept: (skipRouteCheck: (path: string) => boolean) => hono8.MiddlewareHandler<{
   Variables: {
     executionContext: BaseExecutionContext;
   };
@@ -20,7 +20,7 @@ declare const runApiKeyAuthExcept: (skipRouteCheck: (path: string) => boolean) =
  * Helper middleware for endpoints that optionally support API key authentication
  * If no auth header is present, it continues without setting the executionContext
  */
-declare const runOptionalAuth: () => hono14.MiddlewareHandler<{
+declare const runOptionalAuth: () => hono8.MiddlewareHandler<{
   Variables: {
     executionContext?: BaseExecutionContext;
   };

package/dist/middleware/sessionAuth.d.ts

@@ -1,5 +1,5 @@
 import { AppVariables } from "../types/app.js";
-import * as hono2 from "hono";
+import * as hono4 from "hono";
 
 //#region src/middleware/sessionAuth.d.ts
 
@@ -8,12 +8,12 @@ import * as hono2 from "hono";
  * Requires that a user has already been authenticated via Better Auth session.
  * Used primarily for manage routes that require an active user session.
  */
-declare const sessionAuth: () => hono2.MiddlewareHandler<any, string, {}, Response>;
+declare const sessionAuth: () => hono4.MiddlewareHandler<any, string, {}, Response>;
 /**
  * Global session middleware - sets user and session in context for all routes
  * Used for all routes that require an active user session.
  */
-declare const sessionContext: () => hono2.MiddlewareHandler<{
+declare const sessionContext: () => hono4.MiddlewareHandler<{
   Variables: AppVariables;
 }, string, {}, Response>;
 //#endregion

package/dist/middleware/tenantAccess.d.ts

@@ -1,4 +1,4 @@
-import * as hono4 from "hono";
+import * as hono7 from "hono";
 
 //#region src/middleware/tenantAccess.d.ts
 
@@ -12,7 +12,7 @@ import * as hono4 from "hono";
  * - API key user: Access only to the tenant associated with the API key
  * - Session user: Access based on organization membership
  */
-declare const requireTenantAccess: () => hono4.MiddlewareHandler<{
+declare const requireTenantAccess: () => hono7.MiddlewareHandler<{
   Variables: {
     userId: string;
     tenantId: string;

package/dist/middleware/tracing.d.ts

@@ -1,7 +1,7 @@
-import * as hono5 from "hono";
+import * as hono11 from "hono";
 
 //#region src/middleware/tracing.d.ts
-declare const otelBaggageMiddleware: () => hono5.MiddlewareHandler<any, string, {}, Response>;
-declare const executionBaggageMiddleware: () => hono5.MiddlewareHandler<any, string, {}, Response>;
+declare const otelBaggageMiddleware: () => hono11.MiddlewareHandler<any, string, {}, Response>;
+declare const executionBaggageMiddleware: () => hono11.MiddlewareHandler<any, string, {}, Response>;
 //#endregion
 export { executionBaggageMiddleware, otelBaggageMiddleware };

package/dist/startup/playground-app.d.ts

@@ -1,4 +1,4 @@
 //#region src/startup/playground-app.d.ts
-declare function ensurePlaygroundAppKey(): Promise<void>;
+declare function ensurePlaygroundAppConfig(): Promise<void>;
 //#endregion
-export { ensurePlaygroundAppKey };
+export { ensurePlaygroundAppConfig };

package/dist/startup/playground-app.js

@@ -5,61 +5,114 @@ import { derivePlaygroundKid, getAppById, updateApp } from "@inkeep/agents-core"
 
 //#region src/startup/playground-app.ts
 const logger = getLogger$1("playground-app");
-async function ensurePlaygroundAppKey() {
-	const publicKeyB64 = env.INKEEP_AGENTS_TEMP_JWT_PUBLIC_KEY;
-	if (!publicKeyB64) {
-		logger.info({}, "INKEEP_AGENTS_TEMP_JWT_PUBLIC_KEY not set, skipping playground key registration");
-		return;
+function derivePlaygroundDomains() {
+	const manageUiUrl = env.INKEEP_AGENTS_MANAGE_UI_URL;
+	if (manageUiUrl) try {
+		const url = new URL(manageUiUrl);
+		if (url.hostname === "localhost" || url.hostname === "127.0.0.1") return ["localhost", "127.0.0.1"];
+		return [url.hostname];
+	} catch {
+		logger.warn({ manageUiUrl }, "Invalid INKEEP_AGENTS_MANAGE_UI_URL, falling back to environment defaults");
+	}
+	if (env.ENVIRONMENT === "production") {
+		logger.error({}, "INKEEP_AGENTS_MANAGE_UI_URL not set in production — cannot derive playground allowed domains");
+		return [];
 	}
+	return ["localhost", "127.0.0.1"];
+}
+async function ensurePlaygroundAppConfig() {
 	const appId = env.INKEEP_PLAYGROUND_APP_ID || "app_playground";
-	logger.info({ appId }, "Registering playground app public key");
+	logger.info({ appId }, "Checking playground app configuration");
 	const app = await getAppById(runDbClient_default)(appId);
 	if (!app) {
-		logger.info({ appId }, "Playground app not found, skipping key registration");
+		logger.info({ appId }, "Playground app not found, skipping configuration");
 		return;
 	}
 	if (app.config.type !== "web_client") {
-		logger.warn({ appId }, "Playground app is not a web_client app");
+		logger.warn({
+			appId,
+			type: app.config.type
+		}, "Playground app is not a web_client app");
 		return;
 	}
-	const publicKeyPem = Buffer.from(publicKeyB64, "base64").toString("utf-8");
-	const kid = await derivePlaygroundKid(publicKeyPem);
-	const webClient = app.config.webClient;
-	const auth = webClient.auth ?? {};
-	const existingKeys = auth.publicKeys ?? [];
-	if (existingKeys.some((k) => k.kid === kid)) {
+	const webClient = { ...app.config.webClient };
+	const auth = { ...webClient.auth ?? {} };
+	let configChanged = false;
+	const derivedDomains = derivePlaygroundDomains();
+	const currentDomains = webClient.allowedDomains ?? [];
+	const hasWildcard = currentDomains.includes("*");
+	const specificDomains = currentDomains.filter((d) => d !== "*");
+	const newDomains = derivedDomains.filter((d) => !specificDomains.includes(d));
+	if (hasWildcard && derivedDomains.length > 0) {
+		const mergedDomains = [...specificDomains, ...newDomains];
 		logger.info({
+			appId,
+			previousDomains: currentDomains,
+			removedWildcard: true,
+			mergedDomains
+		}, "Replacing wildcard with explicit domains on playground app");
+		webClient.allowedDomains = mergedDomains;
+		configChanged = true;
+	} else if (newDomains.length > 0) {
+		const mergedDomains = [...currentDomains, ...newDomains];
+		logger.info({
+			appId,
+			currentDomains,
+			addedDomains: newDomains,
+			mergedDomains
+		}, "Adding new domains to playground app allowed domains");
+		webClient.allowedDomains = mergedDomains;
+		configChanged = true;
+	} else if (derivedDomains.length === 0) logger.warn({
+		appId,
+		currentDomains
+	}, "No playground domains could be derived — allowedDomains not updated");
+	else logger.info({
+		appId,
+		domains: currentDomains
+	}, "Playground app domains are up to date");
+	const publicKeyB64 = env.INKEEP_AGENTS_TEMP_JWT_PUBLIC_KEY;
+	if (publicKeyB64) {
+		const publicKeyPem = Buffer.from(publicKeyB64, "base64").toString("utf-8");
+		const kid = await derivePlaygroundKid(publicKeyPem);
+		const existingKeys = auth.publicKeys ?? [];
+		if (!existingKeys.some((k) => k.kid === kid)) {
+			const newKey = {
+				kid,
+				publicKey: publicKeyPem,
+				algorithm: "RS256",
+				addedAt: (/* @__PURE__ */ new Date()).toISOString()
+			};
+			const updatedKeys = [...existingKeys, newKey];
+			webClient.auth = {
+				...auth,
+				publicKeys: updatedKeys
+			};
+			configChanged = true;
+			logger.info({
+				appId,
+				kid
+			}, "Registering playground public key");
+		} else logger.info({
 			appId,
 			kid
 		}, "Playground key already registered");
-		return;
 	}
-	const newKey = {
-		kid,
-		publicKey: publicKeyPem,
-		algorithm: "RS256",
-		addedAt: (/* @__PURE__ */ new Date()).toISOString()
-	};
-	const updatedKeys = [...existingKeys, newKey];
-	const updatedConfig = {
-		type: "web_client",
-		webClient: {
-			...webClient,
-			auth: {
-				...auth,
-				publicKeys: updatedKeys
-			}
-		}
-	};
-	await updateApp(runDbClient_default)({
-		id: appId,
-		data: { config: updatedConfig }
-	});
-	logger.info({
-		appId,
-		kid
-	}, "Registered playground public key");
+	if (configChanged) {
+		const updatedConfig = {
+			type: "web_client",
+			webClient
+		};
+		await updateApp(runDbClient_default)({
+			id: appId,
+			data: { config: updatedConfig }
+		});
+		logger.info({
+			appId,
+			allowedDomains: updatedConfig.webClient.allowedDomains
+		}, "Playground app configuration updated");
+	}
 }
 
 //#endregion
-export { ensurePlaygroundAppKey };
+export { ensurePlaygroundAppConfig };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@inkeep/agents-api",
-  "version": "0.0.0-dev-20260327195114",
+  "version": "0.0.0-dev-20260327225559",
   "description": "Unified Inkeep Agents API - combines management, runtime, and evaluation capabilities",
   "types": "dist/index.d.ts",
   "exports": {
@@ -73,10 +73,10 @@
     "pg": "^8.16.3",
     "undici": "^7.22.0",
     "workflow": "4.2.0-beta.67",
-    "@inkeep/agents-core": "^0.0.0-dev-20260327195114",
-    "@inkeep/agents-email": "^0.0.0-dev-20260327195114",
-    "@inkeep/agents-mcp": "^0.0.0-dev-20260327195114",
-    "@inkeep/agents-work-apps": "^0.0.0-dev-20260327195114"
+    "@inkeep/agents-core": "^0.0.0-dev-20260327225559",
+    "@inkeep/agents-email": "^0.0.0-dev-20260327225559",
+    "@inkeep/agents-mcp": "^0.0.0-dev-20260327225559",
+    "@inkeep/agents-work-apps": "^0.0.0-dev-20260327225559"
   },
   "peerDependencies": {
     "@hono/zod-openapi": "^1.1.5",