@inkeep/agents-api 0.0.1 → 0.43.0

package/dist/domains/github/jwks.js

@@ -0,0 +1,85 @@
+import { getLogger } from "../../logger.js";
+import { createRemoteJWKSet } from "jose";
+
+//#region src/domains/github/jwks.ts
+const logger = getLogger("github-jwks");
+const GITHUB_OIDC_JWKS_URL = "https://token.actions.githubusercontent.com/.well-known/jwks";
+const CACHE_TTL_MS = 3600 * 1e3;
+let jwksCache = null;
+function createJwksWithLogging() {
+	logger.info({}, "Creating new JWKS fetch function for GitHub OIDC");
+	return createRemoteJWKSet(new URL(GITHUB_OIDC_JWKS_URL), { cacheMaxAge: CACHE_TTL_MS });
+}
+function isCacheExpired() {
+	if (!jwksCache) return true;
+	return Date.now() - jwksCache.fetchedAt > CACHE_TTL_MS;
+}
+function getOrCreateJwksFunction() {
+	if (!jwksCache || isCacheExpired()) jwksCache = {
+		jwks: createJwksWithLogging(),
+		fetchedAt: Date.now()
+	};
+	return jwksCache.jwks;
+}
+async function getJwkForToken(header) {
+	const kid = header.kid;
+	if (!kid) return {
+		success: false,
+		error: "Token is missing key ID (kid) in header"
+	};
+	try {
+		const key = await getOrCreateJwksFunction()(header);
+		logger.debug({ kid }, "Successfully retrieved JWK for token");
+		return {
+			success: true,
+			key
+		};
+	} catch (error) {
+		const errorMessage = error instanceof Error ? error.message : "Unknown error";
+		if (errorMessage.includes("no applicable key found")) {
+			logger.warn({ kid }, "Key ID not found in JWKS, refreshing cache");
+			jwksCache = null;
+			try {
+				const key = await getOrCreateJwksFunction()(header);
+				logger.info({ kid }, "Successfully retrieved JWK after cache refresh");
+				return {
+					success: true,
+					key
+				};
+			} catch (retryError) {
+				const retryErrorMessage = retryError instanceof Error ? retryError.message : "Unknown error";
+				logger.error({
+					kid,
+					error: retryErrorMessage
+				}, "Failed to retrieve JWK after cache refresh");
+				return {
+					success: false,
+					error: `Key ID '${kid}' not found in GitHub OIDC JWKS`
+				};
+			}
+		}
+		logger.error({
+			kid,
+			error: errorMessage
+		}, "Failed to fetch JWKS from GitHub");
+		return {
+			success: false,
+			error: `Failed to fetch GitHub OIDC JWKS: ${errorMessage}`
+		};
+	}
+}
+function clearJwksCache() {
+	jwksCache = null;
+	logger.debug({}, "JWKS cache cleared");
+}
+function getJwksCacheStatus() {
+	if (!jwksCache) return { cached: false };
+	const expiresIn = CACHE_TTL_MS - (Date.now() - jwksCache.fetchedAt);
+	return {
+		cached: true,
+		expiresIn: Math.max(0, expiresIn)
+	};
+}
+
+//#endregion
+export { clearJwksCache, getJwkForToken, getJwksCacheStatus };

package/dist/domains/github/oidcToken.d.ts

@@ -0,0 +1,22 @@
+//#region src/domains/github/oidcToken.d.ts
+interface GitHubOidcClaims {
+  repository: string;
+  repository_owner: string;
+  repository_id: string;
+  workflow: string;
+  actor: string;
+  ref: string;
+}
+interface ValidateTokenResult {
+  success: true;
+  claims: GitHubOidcClaims;
+}
+interface ValidateTokenError {
+  success: false;
+  errorType: 'invalid_signature' | 'expired' | 'wrong_issuer' | 'wrong_audience' | 'malformed' | 'jwks_error';
+  message: string;
+}
+type ValidateOidcTokenResult = ValidateTokenResult | ValidateTokenError;
+declare function validateOidcToken(token: string): Promise<ValidateOidcTokenResult>;
+//#endregion
+export { GitHubOidcClaims, ValidateOidcTokenResult, ValidateTokenError, ValidateTokenResult, validateOidcToken };

package/dist/domains/github/oidcToken.js

@@ -0,0 +1,140 @@
+import { getLogger } from "../../logger.js";
+import { getJwkForToken } from "./jwks.js";
+import { decodeProtectedHeader, errors, jwtVerify } from "jose";
+
+//#region src/domains/github/oidcToken.ts
+const logger = getLogger("github-oidc-token");
+const GITHUB_OIDC_ISSUER = "https://token.actions.githubusercontent.com";
+const EXPECTED_AUDIENCE = "inkeep-agents-action";
+async function validateOidcToken(token) {
+	let header;
+	try {
+		header = decodeProtectedHeader(token);
+	} catch (error) {
+		const message = error instanceof Error ? error.message : "Unknown error";
+		logger.warn({ error: message }, "Failed to decode JWT header");
+		return {
+			success: false,
+			errorType: "malformed",
+			message: "Invalid JWT format: unable to decode token header"
+		};
+	}
+	if (header.alg !== "RS256") {
+		logger.warn({ algorithm: header.alg }, "Unexpected JWT algorithm");
+		return {
+			success: false,
+			errorType: "malformed",
+			message: `Invalid JWT algorithm: expected RS256, got ${header.alg}`
+		};
+	}
+	const jwkResult = await getJwkForToken(header);
+	if (!jwkResult.success) {
+		logger.error({ error: jwkResult.error }, "Failed to get JWK for token");
+		return {
+			success: false,
+			errorType: "jwks_error",
+			message: jwkResult.error
+		};
+	}
+	try {
+		const { payload } = await jwtVerify(token, jwkResult.key, {
+			issuer: GITHUB_OIDC_ISSUER,
+			audience: EXPECTED_AUDIENCE
+		});
+		const repository = payload.repository;
+		const repositoryOwner = payload.repository_owner;
+		const repositoryId = payload.repository_id;
+		const workflow = payload.workflow;
+		const actor = payload.actor;
+		const ref = payload.ref;
+		if (typeof repository !== "string" || typeof repositoryOwner !== "string" || typeof repositoryId !== "string" || typeof workflow !== "string" || typeof actor !== "string" || typeof ref !== "string") {
+			logger.warn({ payload }, "OIDC token missing required claims");
+			return {
+				success: false,
+				errorType: "malformed",
+				message: "OIDC token missing required claims: repository, repository_owner, repository_id, workflow, actor, or ref"
+			};
+		}
+		logger.info({
+			repository,
+			actor
+		}, "Successfully validated OIDC token");
+		return {
+			success: true,
+			claims: {
+				repository,
+				repository_owner: repositoryOwner,
+				repository_id: repositoryId,
+				workflow,
+				actor,
+				ref
+			}
+		};
+	} catch (error) {
+		if (error instanceof errors.JWTExpired) {
+			logger.warn({}, "OIDC token has expired");
+			return {
+				success: false,
+				errorType: "expired",
+				message: "OIDC token has expired"
+			};
+		}
+		if (error instanceof errors.JWTClaimValidationFailed) {
+			const claimError = error;
+			if (claimError.claim === "iss") {
+				logger.warn({ issuer: claimError.reason }, "Invalid OIDC token issuer");
+				return {
+					success: false,
+					errorType: "wrong_issuer",
+					message: `Invalid token issuer: expected ${GITHUB_OIDC_ISSUER}`
+				};
+			}
+			if (claimError.claim === "aud") {
+				logger.warn({ audience: claimError.reason }, "Invalid OIDC token audience");
+				return {
+					success: false,
+					errorType: "wrong_audience",
+					message: `Invalid token audience: expected ${EXPECTED_AUDIENCE}`
+				};
+			}
+			logger.warn({
+				claim: claimError.claim,
+				reason: claimError.reason
+			}, "JWT claim validation failed");
+			return {
+				success: false,
+				errorType: "malformed",
+				message: `JWT claim validation failed: ${claimError.claim} ${claimError.reason}`
+			};
+		}
+		if (error instanceof errors.JWSSignatureVerificationFailed) {
+			logger.warn({}, "Invalid OIDC token signature");
+			return {
+				success: false,
+				errorType: "invalid_signature",
+				message: "Invalid token signature"
+			};
+		}
+		if (error instanceof errors.JOSEError) {
+			logger.error({
+				error: error.message,
+				code: error.code
+			}, "JOSE error during token validation");
+			return {
+				success: false,
+				errorType: "malformed",
+				message: `Token validation error: ${error.message}`
+			};
+		}
+		const message = error instanceof Error ? error.message : "Unknown error";
+		logger.error({ error: message }, "Unexpected error during token validation");
+		return {
+			success: false,
+			errorType: "malformed",
+			message: `Token validation error: ${message}`
+		};
+	}
+}
+
+//#endregion
+export { validateOidcToken };

package/dist/domains/github/routes/tokenExchange.d.ts

@@ -0,0 +1,7 @@
+import { Hono } from "hono";
+import * as hono_types13 from "hono/types";
+
+//#region src/domains/github/routes/tokenExchange.d.ts
+declare const app: Hono<hono_types13.BlankEnv, hono_types13.BlankSchema, "/">;
+//#endregion
+export { app as default };

package/dist/domains/github/routes/tokenExchange.js

@@ -0,0 +1,130 @@
+import { getLogger } from "../../../logger.js";
+import { isGitHubAppConfigured } from "../config.js";
+import { generateInstallationAccessToken, lookupInstallationForRepo } from "../installation.js";
+import { validateOidcToken } from "../oidcToken.js";
+import { Hono } from "hono";
+import { z } from "zod";
+
+//#region src/domains/github/routes/tokenExchange.ts
+const logger = getLogger("github-token-exchange");
+const TokenExchangeRequestSchema = z.object({ oidc_token: z.string() });
+const app = new Hono();
+/**
+* Exchange GitHub OIDC token for installation token.
+*
+* This is an internal infrastructure endpoint called by the CLI from GitHub Actions.
+* It exchanges a GitHub Actions OIDC token for a GitHub App installation access token.
+* Not included in the public OpenAPI spec.
+*/
+app.post("/", async (c) => {
+	const rawBody = await c.req.json().catch(() => null);
+	const parseResult = TokenExchangeRequestSchema.safeParse(rawBody);
+	if (!parseResult.success) {
+		const errorMessage = parseResult.error.issues.map((issue) => `${issue.path.join(".")}: ${issue.message}`).join("; ");
+		c.header("Content-Type", "application/problem+json");
+		return c.json({
+			title: "Bad Request",
+			status: 400,
+			detail: errorMessage,
+			error: errorMessage
+		}, 400);
+	}
+	const body = parseResult.data;
+	logger.info({}, "Processing token exchange request");
+	if (!isGitHubAppConfigured()) {
+		logger.error({}, "GitHub App credentials not configured");
+		const errorMessage = "GitHub App credentials are not configured. Please contact the administrator to set up GITHUB_APP_ID and GITHUB_APP_PRIVATE_KEY.";
+		c.header("Content-Type", "application/problem+json");
+		return c.json({
+			title: "GitHub App Not Configured",
+			status: 500,
+			detail: errorMessage,
+			error: errorMessage
+		}, 500);
+	}
+	const validationResult = await validateOidcToken(body.oidc_token);
+	if (!validationResult.success) {
+		const errorType = validationResult.errorType;
+		logger.warn({
+			errorType,
+			message: validationResult.message
+		}, "OIDC token validation failed");
+		c.header("Content-Type", "application/problem+json");
+		if (errorType === "malformed") return c.json({
+			title: "Bad Request",
+			status: 400,
+			detail: validationResult.message,
+			error: validationResult.message
+		}, 400);
+		return c.json({
+			title: "Token Validation Failed",
+			status: 401,
+			detail: validationResult.message,
+			error: validationResult.message
+		}, 401);
+	}
+	const { claims } = validationResult;
+	const installationResult = await lookupInstallationForRepo(claims.repository_owner, claims.repository.split("/")[1]);
+	if (!installationResult.success) {
+		const { errorType, message } = installationResult;
+		if (errorType === "not_installed") {
+			c.header("Content-Type", "application/problem+json");
+			return c.json({
+				title: "GitHub App Not Installed",
+				status: 403,
+				detail: message,
+				error: message
+			}, 403);
+		}
+		logger.error({
+			errorType,
+			message,
+			repository: claims.repository
+		}, "Failed to look up GitHub App installation");
+		c.header("Content-Type", "application/problem+json");
+		return c.json({
+			title: "Installation Lookup Failed",
+			status: 500,
+			detail: message,
+			error: message
+		}, 500);
+	}
+	const { installation } = installationResult;
+	logger.info({
+		installationId: installation.installationId,
+		repository: claims.repository
+	}, "Found GitHub App installation");
+	const tokenResult = await generateInstallationAccessToken(installation.installationId);
+	if (!tokenResult.success) {
+		const { errorType, message } = tokenResult;
+		logger.error({
+			errorType,
+			message,
+			installationId: installation.installationId,
+			repository: claims.repository
+		}, "Failed to generate installation access token");
+		c.header("Content-Type", "application/problem+json");
+		return c.json({
+			title: "Token Generation Failed",
+			status: 500,
+			detail: message,
+			error: message
+		}, 500);
+	}
+	const { accessToken } = tokenResult;
+	logger.info({
+		installationId: installation.installationId,
+		repository: claims.repository,
+		expiresAt: accessToken.expiresAt
+	}, "Token exchange completed successfully");
+	return c.json({
+		token: accessToken.token,
+		expires_at: accessToken.expiresAt,
+		repository: claims.repository,
+		installation_id: installation.installationId
+	}, 200);
+});
+var tokenExchange_default = app;
+
+//#endregion
+export { tokenExchange_default as default };

package/dist/domains/manage/index.js

@@ -1,5 +1,4 @@
 import cliAuth_default from "./routes/cliAuth.js";
-import evals_default from "./routes/evals/index.js";
 import routes_default from "./routes/index.js";
 import invitations_default from "./routes/invitations.js";
 import mcp_default from "./routes/mcp.js";
@@ -20,7 +19,6 @@ function createManageRoutes() {
 	app.route("/tenants/:tenantId/playground/token", playgroundToken_default);
 	app.route("/tenants/:tenantId/signoz", signoz_default);
 	app.route("/tenants/:tenantId", projectFull_default);
-	app.route("/tenants/:tenantId/projects/:projectId/evals", evals_default);
 	app.route("/oauth", oauth_default);
 	app.route("/mcp", mcp_default);
 	return app;

package/dist/domains/manage/routes/agent.js

@@ -11,8 +11,11 @@ app.use("/", async (c, next) => {
 	return next();
 });
 app.use("/:id", async (c, next) => {
-	if (c.req.method === "PUT") return requireProjectPermission("edit")(c, next);
-	if (c.req.method === "DELETE") return requireProjectPermission("edit")(c, next);
+	if ([
+		"PUT",
+		"PATCH",
+		"DELETE"
+	].includes(c.req.method)) return requireProjectPermission("edit")(c, next);
 	return next();
 });
 app.openapi(createRoute({
@@ -82,7 +85,7 @@ app.openapi(createRoute({
 	path: "/{agentId}/sub-agents/{subAgentId}/related",
 	summary: "Get Related Agent Infos",
 	operationId: "get-related-agent-infos",
-	tags: ["Agent"],
+	tags: ["Agents"],
 	request: { params: TenantProjectAgentSubAgentParamsSchema },
 	responses: {
 		200: {
@@ -116,7 +119,7 @@ app.openapi(createRoute({
 	path: "/{agentId}/full",
 	summary: "Get Full Agent Definition",
 	operationId: "get-full-agent-definition",
-	tags: ["Agent"],
+	tags: ["Agents"],
 	request: { params: TenantProjectAgentParamsSchema },
 	responses: {
 		200: {
@@ -206,6 +209,8 @@ app.openapi(createRoute({
 			agentId: id
 		},
 		data: {
+			name: validatedBody.name,
+			description: validatedBody.description,
 			defaultSubAgentId: validatedBody.defaultSubAgentId,
 			contextConfigId: validatedBody.contextConfigId ?? void 0
 		}

package/dist/domains/manage/routes/agentFull.js

@@ -12,8 +12,11 @@ app.use("/", async (c, next) => {
 	return next();
 });
 app.use("/:agentId", async (c, next) => {
-	if (c.req.method === "PUT") return requireProjectPermission("edit")(c, next);
-	if (c.req.method === "DELETE") return requireProjectPermission("edit")(c, next);
+	if ([
+		"PUT",
+		"PATCH",
+		"DELETE"
+	].includes(c.req.method)) return requireProjectPermission("edit")(c, next);
 	return next();
 });
 app.openapi(createRoute({
@@ -21,7 +24,7 @@ app.openapi(createRoute({
 	path: "/",
 	summary: "Create Full Agent",
 	operationId: "create-full-agent",
-	tags: ["Full Agent"],
+	tags: ["Agents"],
 	description: "Create a complete agent with all agents, tools, and relationships from JSON definition",
 	request: {
 		params: TenantProjectParamsSchema,
@@ -54,7 +57,7 @@ app.openapi(createRoute({
 	path: "/{agentId}",
 	summary: "Get Full Agent",
 	operationId: "get-full-agent",
-	tags: ["Full Agent"],
+	tags: ["Agents"],
 	description: "Retrieve a complete agent definition with all agents, tools, and relationships",
 	request: { params: TenantProjectAgentParamsSchema },
 	responses: {
@@ -94,7 +97,7 @@ app.openapi(createRoute({
 	path: "/{agentId}",
 	summary: "Update Full Agent",
 	operationId: "update-full-agent",
-	tags: ["Full Agent"],
+	tags: ["Agents"],
 	description: "Update or create a complete agent with all agents, tools, and relationships from JSON definition",
 	request: {
 		params: TenantProjectAgentParamsSchema,
@@ -155,7 +158,7 @@ app.openapi(createRoute({
 	path: "/{agentId}",
 	summary: "Delete Full Agent",
 	operationId: "delete-full-agent",
-	tags: ["Full Agent"],
+	tags: ["Agents"],
 	description: "Delete a complete agent and cascade to all related entities (relationships, not other agents/tools)",
 	request: { params: TenantProjectAgentParamsSchema },
 	responses: {

package/dist/domains/manage/routes/apiKeys.js

@@ -11,8 +11,7 @@ app.use("/", async (c, next) => {
 	return next();
 });
 app.use("/:id", async (c, next) => {
-	if (c.req.method === "PATCH") return requireProjectPermission("edit")(c, next);
-	if (c.req.method === "DELETE") return requireProjectPermission("edit")(c, next);
+	if (c.req.method === "PUT" || c.req.method === "DELETE") return requireProjectPermission("edit")(c, next);
 	return next();
 });
 app.openapi(createRoute({

package/dist/domains/manage/routes/artifactComponents.js

@@ -19,7 +19,7 @@ app.openapi(createRoute({
 	path: "/",
 	summary: "List Artifact Components",
 	operationId: "list-artifact-components",
-	tags: ["Artifact Component"],
+	tags: ["Artifact Components"],
 	request: {
 		params: TenantProjectParamsSchema,
 		query: PaginationQueryParamsSchema
@@ -54,7 +54,7 @@ app.openapi(createRoute({
 	path: "/{id}",
 	summary: "Get Artifact Component",
 	operationId: "get-artifact-component-by-id",
-	tags: ["Artifact Component"],
+	tags: ["Artifact Components"],
 	request: { params: TenantProjectIdParamsSchema },
 	responses: {
 		200: {
@@ -84,7 +84,7 @@ app.openapi(createRoute({
 	path: "/",
 	summary: "Create Artifact Component",
 	operationId: "create-artifact-component",
-	tags: ["Artifact Component"],
+	tags: ["Artifact Components"],
 	request: {
 		params: TenantProjectParamsSchema,
 		body: { content: { "application/json": { schema: ArtifactComponentApiInsertSchema } } }
@@ -133,7 +133,7 @@ app.openapi(createRoute({
 	path: "/{id}",
 	summary: "Update Artifact Component",
 	operationId: "update-artifact-component",
-	tags: ["Artifact Component"],
+	tags: ["Artifact Components"],
 	request: {
 		params: TenantProjectIdParamsSchema,
 		body: { content: { "application/json": { schema: ArtifactComponentApiUpdateSchema } } }
@@ -180,7 +180,7 @@ app.openapi(createRoute({
 	path: "/{id}",
 	summary: "Delete Artifact Component",
 	operationId: "delete-artifact-component",
-	tags: ["Artifact Component"],
+	tags: ["Artifact Components"],
 	request: { params: TenantProjectIdParamsSchema },
 	responses: {
 		204: { description: "Artifact component deleted successfully" },

package/dist/domains/manage/routes/cliAuth.js

@@ -1,7 +1,7 @@
 import runDbClient_default from "../../../data/db/runDbClient.js";
 import { sessionAuth } from "../../../middleware/sessionAuth.js";
 import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
-import { getUserOrganizations } from "@inkeep/agents-core";
+import { getUserOrganizationsFromDb } from "@inkeep/agents-core";
 
 //#region src/domains/manage/routes/cliAuth.ts
 const cliAuthRoutes = new OpenAPIHono();
@@ -21,7 +21,7 @@ const CLIMeResponseSchema = z.object({
 cliAuthRoutes.openapi(createRoute({
 	method: "get",
 	path: "/me",
-	tags: ["cli"],
+	tags: ["CLI"],
 	summary: "Get CLI user info",
 	description: "Get the current authenticated user and their organization for CLI usage",
 	middleware: [sessionAuth()],
@@ -37,7 +37,7 @@ cliAuthRoutes.openapi(createRoute({
 	const user = c.get("user");
 	const userId = c.get("userId");
 	if (!user || !userId) return c.json({ error: "Not authenticated" }, 401);
-	const organizations = await getUserOrganizations(runDbClient_default)(userId);
+	const organizations = await getUserOrganizationsFromDb(runDbClient_default)(userId);
 	if (organizations.length === 0) return c.json({ error: "User has no organization" }, 404);
 	const org = organizations[0];
 	return c.json({

package/dist/domains/manage/routes/contextConfigs.js

@@ -20,7 +20,7 @@ app.openapi(createRoute({
 	path: "/",
 	summary: "List Context Configurations",
 	operationId: "list-context-configs",
-	tags: ["Context Config"],
+	tags: ["Context Configs"],
 	request: {
 		params: TenantProjectAgentParamsSchema,
 		query: PaginationQueryParamsSchema
@@ -56,7 +56,7 @@ app.openapi(createRoute({
 	path: "/{id}",
 	summary: "Get Context Configuration",
 	operationId: "get-context-config-by-id",
-	tags: ["Context Config"],
+	tags: ["Context Configs"],
 	request: { params: TenantProjectAgentIdParamsSchema },
 	responses: {
 		200: {
@@ -87,7 +87,7 @@ app.openapi(createRoute({
 	path: "/",
 	summary: "Create Context Configuration",
 	operationId: "create-context-config",
-	tags: ["Context Config"],
+	tags: ["Context Configs"],
 	request: {
 		params: TenantProjectAgentParamsSchema,
 		body: { content: { "application/json": { schema: ContextConfigApiInsertSchema } } }
@@ -116,7 +116,7 @@ app.openapi(createRoute({
 	path: "/{id}",
 	summary: "Update Context Configuration",
 	operationId: "update-context-config",
-	tags: ["Context Config"],
+	tags: ["Context Configs"],
 	request: {
 		params: TenantProjectAgentIdParamsSchema,
 		body: { content: { "application/json": { schema: ContextConfigApiUpdateSchema } } }
@@ -152,7 +152,7 @@ app.openapi(createRoute({
 	path: "/{id}",
 	summary: "Delete Context Configuration",
 	operationId: "delete-context-config",
-	tags: ["Context Config"],
+	tags: ["Context Configs"],
 	request: { params: TenantProjectAgentIdParamsSchema },
 	responses: {
 		204: { description: "Context configuration deleted successfully" },

package/dist/domains/manage/routes/conversations.d.ts

@@ -1,7 +1,7 @@
 import { OpenAPIHono } from "@hono/zod-openapi";
-import * as hono17 from "hono";
+import * as hono16 from "hono";
 
 //#region src/domains/manage/routes/conversations.d.ts
-declare const app: OpenAPIHono<hono17.Env, {}, "/">;
+declare const app: OpenAPIHono<hono16.Env, {}, "/">;
 //#endregion
 export { app as default };

package/dist/domains/manage/routes/credentialStores.js

@@ -13,7 +13,7 @@ app.openapi(createRoute({
 	path: "/",
 	summary: "List Credential Stores",
 	operationId: "list-credential-stores",
-	tags: ["Credential Store"],
+	tags: ["Credential Stores"],
 	request: { params: TenantProjectParamsSchema },
 	responses: {
 		200: {
@@ -40,7 +40,7 @@ app.openapi(createRoute({
 	path: "/{id}/credentials",
 	summary: "Create Credential in Store",
 	operationId: "create-credential-in-store",
-	tags: ["Credential Store"],
+	tags: ["Credential Stores"],
 	request: {
 		params: TenantProjectIdParamsSchema,
 		body: { content: { "application/json": { schema: CreateCredentialInStoreRequestSchema } } }