npm - @inkeep/agents-api - Versions diffs - 0.0.1 - Mend

@inkeep/agents-api 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (352) hide show

package/LICENSE.md +56 -0
package/SUPPLEMENTAL_TERMS.md +40 -0
package/dist/.well-known/workflow/v1/flow.cjs +46446 -0
package/dist/.well-known/workflow/v1/flow.cjs.debug.json +8 -0
package/dist/.well-known/workflow/v1/manifest.debug.json +93 -0
package/dist/.well-known/workflow/v1/step.cjs +219923 -0
package/dist/.well-known/workflow/v1/step.cjs.debug.json +8 -0
package/dist/.well-known/workflow/v1/webhook.mjs +29 -0
package/dist/createApp.d.ts +10 -0
package/dist/createApp.js +170 -0
package/dist/data/db/index.d.ts +4 -0
package/dist/data/db/index.js +5 -0
package/dist/data/db/manageDbClient.d.ts +6 -0
package/dist/data/db/manageDbClient.js +9 -0
package/dist/data/db/manageDbPool.d.ts +6 -0
package/dist/data/db/manageDbPool.js +9 -0
package/dist/data/db/runDbClient.d.ts +6 -0
package/dist/data/db/runDbClient.js +9 -0
package/dist/domains/evals/index.d.ts +13 -0
package/dist/domains/evals/index.js +13 -0
package/dist/domains/evals/routes/datasetTriggers.d.ts +7 -0
package/dist/domains/evals/routes/datasetTriggers.js +65 -0
package/dist/domains/evals/routes/evaluationTriggers.d.ts +11 -0
package/dist/domains/evals/routes/evaluationTriggers.js +311 -0
package/dist/domains/evals/routes/index.d.ts +7 -0
package/dist/domains/evals/routes/index.js +12 -0
package/dist/domains/evals/scripts/build-workflow.d.ts +1 -0
package/dist/domains/evals/scripts/build-workflow.js +31 -0
package/dist/domains/evals/services/EvaluationService.d.ts +96 -0
package/dist/domains/evals/services/EvaluationService.js +863 -0
package/dist/domains/evals/services/conversationEvaluation.d.ts +15 -0
package/dist/domains/evals/services/conversationEvaluation.js +102 -0
package/dist/domains/evals/services/datasetRun.d.ts +16 -0
package/dist/domains/evals/services/datasetRun.js +43 -0
package/dist/domains/evals/services/evaluationJob.d.ts +17 -0
package/dist/domains/evals/services/evaluationJob.js +65 -0
package/dist/domains/evals/services/startEvaluation.d.ts +19 -0
package/dist/domains/evals/services/startEvaluation.js +18 -0
package/dist/domains/evals/workflow/functions/evaluateConversation.d.ts +28 -0
package/dist/domains/evals/workflow/functions/evaluateConversation.js +134 -0
package/dist/domains/evals/workflow/functions/runDatasetItem.d.ts +36 -0
package/dist/domains/evals/workflow/functions/runDatasetItem.js +204 -0
package/dist/domains/evals/workflow/index.d.ts +4 -0
package/dist/domains/evals/workflow/index.js +5 -0
package/dist/domains/evals/workflow/routes.d.ts +7 -0
package/dist/domains/evals/workflow/routes.js +106 -0
package/dist/domains/evals/workflow/world.d.ts +4 -0
package/dist/domains/evals/workflow/world.js +36 -0
package/dist/domains/index.d.ts +4 -0
package/dist/domains/index.js +5 -0
package/dist/domains/manage/index.d.ts +12 -0
package/dist/domains/manage/index.js +31 -0
package/dist/domains/manage/routes/agent.d.ts +9 -0
package/dist/domains/manage/routes/agent.js +264 -0
package/dist/domains/manage/routes/agentFull.d.ts +9 -0
package/dist/domains/manage/routes/agentFull.js +207 -0
package/dist/domains/manage/routes/agentToolRelations.d.ts +9 -0
package/dist/domains/manage/routes/agentToolRelations.js +289 -0
package/dist/domains/manage/routes/apiKeys.d.ts +9 -0
package/dist/domains/manage/routes/apiKeys.js +217 -0
package/dist/domains/manage/routes/artifactComponents.d.ts +9 -0
package/dist/domains/manage/routes/artifactComponents.js +210 -0
package/dist/domains/manage/routes/branches.d.ts +9 -0
package/dist/domains/manage/routes/branches.js +182 -0
package/dist/domains/manage/routes/cliAuth.d.ts +9 -0
package/dist/domains/manage/routes/cliAuth.js +60 -0
package/dist/domains/manage/routes/contextConfigs.d.ts +9 -0
package/dist/domains/manage/routes/contextConfigs.js +189 -0
package/dist/domains/manage/routes/conversations.d.ts +7 -0
package/dist/domains/manage/routes/conversations.js +59 -0
package/dist/domains/manage/routes/credentialStores.d.ts +9 -0
package/dist/domains/manage/routes/credentialStores.js +86 -0
package/dist/domains/manage/routes/credentials.d.ts +9 -0
package/dist/domains/manage/routes/credentials.js +207 -0
package/dist/domains/manage/routes/dataComponents.d.ts +9 -0
package/dist/domains/manage/routes/dataComponents.js +192 -0
package/dist/domains/manage/routes/evals/datasetItems.d.ts +9 -0
package/dist/domains/manage/routes/evals/datasetItems.js +310 -0
package/dist/domains/manage/routes/evals/datasetRunConfigs.d.ts +9 -0
package/dist/domains/manage/routes/evals/datasetRunConfigs.js +402 -0
package/dist/domains/manage/routes/evals/datasetRuns.d.ts +9 -0
package/dist/domains/manage/routes/evals/datasetRuns.js +256 -0
package/dist/domains/manage/routes/evals/datasets.d.ts +9 -0
package/dist/domains/manage/routes/evals/datasets.js +238 -0
package/dist/domains/manage/routes/evals/evaluationJobConfigEvaluatorRelations.d.ts +9 -0
package/dist/domains/manage/routes/evals/evaluationJobConfigEvaluatorRelations.js +146 -0
package/dist/domains/manage/routes/evals/evaluationJobConfigs.d.ts +9 -0
package/dist/domains/manage/routes/evals/evaluationJobConfigs.js +364 -0
package/dist/domains/manage/routes/evals/evaluationResults.d.ts +7 -0
package/dist/domains/manage/routes/evals/evaluationResults.js +192 -0
package/dist/domains/manage/routes/evals/evaluationRunConfigs.d.ts +9 -0
package/dist/domains/manage/routes/evals/evaluationRunConfigs.js +403 -0
package/dist/domains/manage/routes/evals/evaluationSuiteConfigEvaluatorRelations.d.ts +9 -0
package/dist/domains/manage/routes/evals/evaluationSuiteConfigEvaluatorRelations.js +146 -0
package/dist/domains/manage/routes/evals/evaluationSuiteConfigs.d.ts +9 -0
package/dist/domains/manage/routes/evals/evaluationSuiteConfigs.js +246 -0
package/dist/domains/manage/routes/evals/evaluators.d.ts +9 -0
package/dist/domains/manage/routes/evals/evaluators.js +281 -0
package/dist/domains/manage/routes/evals/index.d.ts +9 -0
package/dist/domains/manage/routes/evals/index.js +26 -0
package/dist/domains/manage/routes/externalAgents.d.ts +9 -0
package/dist/domains/manage/routes/externalAgents.js +199 -0
package/dist/domains/manage/routes/functionTools.d.ts +9 -0
package/dist/domains/manage/routes/functionTools.js +256 -0
package/dist/domains/manage/routes/functions.d.ts +9 -0
package/dist/domains/manage/routes/functions.js +285 -0
package/dist/domains/manage/routes/index.d.ts +7 -0
package/dist/domains/manage/routes/index.js +68 -0
package/dist/domains/manage/routes/invitations.d.ts +9 -0
package/dist/domains/manage/routes/invitations.js +41 -0
package/dist/domains/manage/routes/mcp.d.ts +7 -0
package/dist/domains/manage/routes/mcp.js +45 -0
package/dist/domains/manage/routes/mcpCatalog.d.ts +9 -0
package/dist/domains/manage/routes/mcpCatalog.js +454 -0
package/dist/domains/manage/routes/oauth.d.ts +10 -0
package/dist/domains/manage/routes/oauth.js +327 -0
package/dist/domains/manage/routes/playgroundToken.d.ts +9 -0
package/dist/domains/manage/routes/playgroundToken.js +127 -0
package/dist/domains/manage/routes/projectFull.d.ts +9 -0
package/dist/domains/manage/routes/projectFull.js +304 -0
package/dist/domains/manage/routes/projectMembers.d.ts +9 -0
package/dist/domains/manage/routes/projectMembers.js +201 -0
package/dist/domains/manage/routes/projectPermissions.d.ts +9 -0
package/dist/domains/manage/routes/projectPermissions.js +68 -0
package/dist/domains/manage/routes/projects.d.ts +9 -0
package/dist/domains/manage/routes/projects.js +279 -0
package/dist/domains/manage/routes/ref.d.ts +9 -0
package/dist/domains/manage/routes/ref.js +33 -0
package/dist/domains/manage/routes/signoz.d.ts +10 -0
package/dist/domains/manage/routes/signoz.js +159 -0
package/dist/domains/manage/routes/subAgentArtifactComponents.d.ts +9 -0
package/dist/domains/manage/routes/subAgentArtifactComponents.js +202 -0
package/dist/domains/manage/routes/subAgentDataComponents.d.ts +9 -0
package/dist/domains/manage/routes/subAgentDataComponents.js +201 -0
package/dist/domains/manage/routes/subAgentExternalAgentRelations.d.ts +9 -0
package/dist/domains/manage/routes/subAgentExternalAgentRelations.js +216 -0
package/dist/domains/manage/routes/subAgentFunctionTools.d.ts +9 -0
package/dist/domains/manage/routes/subAgentFunctionTools.js +205 -0
package/dist/domains/manage/routes/subAgentRelations.d.ts +9 -0
package/dist/domains/manage/routes/subAgentRelations.js +263 -0
package/dist/domains/manage/routes/subAgentTeamAgentRelations.d.ts +9 -0
package/dist/domains/manage/routes/subAgentTeamAgentRelations.js +216 -0
package/dist/domains/manage/routes/subAgentToolRelations.d.ts +9 -0
package/dist/domains/manage/routes/subAgentToolRelations.js +289 -0
package/dist/domains/manage/routes/subAgents.d.ts +9 -0
package/dist/domains/manage/routes/subAgents.js +220 -0
package/dist/domains/manage/routes/thirdPartyMCPServers.d.ts +9 -0
package/dist/domains/manage/routes/thirdPartyMCPServers.js +72 -0
package/dist/domains/manage/routes/tools.d.ts +9 -0
package/dist/domains/manage/routes/tools.js +261 -0
package/dist/domains/manage/routes/triggers.d.ts +9 -0
package/dist/domains/manage/routes/triggers.js +423 -0
package/dist/domains/manage/routes/userOrganizations.d.ts +9 -0
package/dist/domains/manage/routes/userOrganizations.js +58 -0
package/dist/domains/run/a2a/client.d.ts +186 -0
package/dist/domains/run/a2a/client.js +524 -0
package/dist/domains/run/a2a/handlers.d.ts +7 -0
package/dist/domains/run/a2a/handlers.js +582 -0
package/dist/domains/run/a2a/transfer.d.ts +27 -0
package/dist/domains/run/a2a/transfer.js +50 -0
package/dist/domains/run/a2a/types.d.ts +79 -0
package/dist/domains/run/a2a/types.js +22 -0
package/dist/domains/run/agents/Agent.d.ts +273 -0
package/dist/domains/run/agents/Agent.js +2104 -0
package/dist/domains/run/agents/ModelFactory.d.ts +63 -0
package/dist/domains/run/agents/ModelFactory.js +194 -0
package/dist/domains/run/agents/SystemPromptBuilder.d.ts +21 -0
package/dist/domains/run/agents/SystemPromptBuilder.js +48 -0
package/dist/domains/run/agents/ToolSessionManager.d.ts +63 -0
package/dist/domains/run/agents/ToolSessionManager.js +146 -0
package/dist/domains/run/agents/generateTaskHandler.d.ts +44 -0
package/dist/domains/run/agents/generateTaskHandler.js +384 -0
package/dist/domains/run/agents/relationTools.d.ts +64 -0
package/dist/domains/run/agents/relationTools.js +365 -0
package/dist/domains/run/agents/types.d.ts +31 -0
package/dist/domains/run/agents/types.js +1 -0
package/dist/domains/run/agents/versions/v1/Phase1Config.d.ts +29 -0
package/dist/domains/run/agents/versions/v1/Phase1Config.js +458 -0
package/dist/domains/run/agents/versions/v1/Phase2Config.d.ts +33 -0
package/dist/domains/run/agents/versions/v1/Phase2Config.js +341 -0
package/dist/domains/run/constants/execution-limits/defaults.d.ts +51 -0
package/dist/domains/run/constants/execution-limits/defaults.js +52 -0
package/dist/domains/run/constants/execution-limits/index.d.ts +6 -0
package/dist/domains/run/constants/execution-limits/index.js +21 -0
package/dist/domains/run/context/ContextFetcher.d.ts +68 -0
package/dist/domains/run/context/ContextFetcher.js +276 -0
package/dist/domains/run/context/ContextResolver.d.ts +56 -0
package/dist/domains/run/context/ContextResolver.js +273 -0
package/dist/domains/run/context/context.d.ts +19 -0
package/dist/domains/run/context/context.js +108 -0
package/dist/domains/run/context/contextCache.d.ts +56 -0
package/dist/domains/run/context/contextCache.js +174 -0
package/dist/domains/run/context/index.d.ts +6 -0
package/dist/domains/run/context/index.js +7 -0
package/dist/domains/run/context/validation.d.ts +39 -0
package/dist/domains/run/context/validation.js +255 -0
package/dist/domains/run/data/agent.d.ts +7 -0
package/dist/domains/run/data/agent.js +67 -0
package/dist/domains/run/data/agents.d.ts +34 -0
package/dist/domains/run/data/agents.js +131 -0
package/dist/domains/run/data/conversations.d.ts +129 -0
package/dist/domains/run/data/conversations.js +517 -0
package/dist/domains/run/handlers/executionHandler.d.ts +42 -0
package/dist/domains/run/handlers/executionHandler.js +484 -0
package/dist/domains/run/index.d.ts +13 -0
package/dist/domains/run/index.js +21 -0
package/dist/domains/run/routes/agents.d.ts +13 -0
package/dist/domains/run/routes/agents.js +141 -0
package/dist/domains/run/routes/chat.d.ts +14 -0
package/dist/domains/run/routes/chat.js +300 -0
package/dist/domains/run/routes/chatDataStream.d.ts +14 -0
package/dist/domains/run/routes/chatDataStream.js +381 -0
package/dist/domains/run/routes/mcp.d.ts +14 -0
package/dist/domains/run/routes/mcp.js +483 -0
package/dist/domains/run/routes/webhooks.d.ts +15 -0
package/dist/domains/run/routes/webhooks.js +396 -0
package/dist/domains/run/services/AgentSession.d.ts +354 -0
package/dist/domains/run/services/AgentSession.js +1203 -0
package/dist/domains/run/services/ArtifactParser.d.ts +105 -0
package/dist/domains/run/services/ArtifactParser.js +338 -0
package/dist/domains/run/services/ArtifactService.d.ts +122 -0
package/dist/domains/run/services/ArtifactService.js +629 -0
package/dist/domains/run/services/BaseCompressor.d.ts +183 -0
package/dist/domains/run/services/BaseCompressor.js +500 -0
package/dist/domains/run/services/ConversationCompressor.d.ts +32 -0
package/dist/domains/run/services/ConversationCompressor.js +91 -0
package/dist/domains/run/services/IncrementalStreamParser.d.ts +98 -0
package/dist/domains/run/services/IncrementalStreamParser.js +327 -0
package/dist/domains/run/services/MidGenerationCompressor.d.ts +63 -0
package/dist/domains/run/services/MidGenerationCompressor.js +104 -0
package/dist/domains/run/services/PendingToolApprovalManager.d.ts +62 -0
package/dist/domains/run/services/PendingToolApprovalManager.js +133 -0
package/dist/domains/run/services/ResponseFormatter.d.ts +39 -0
package/dist/domains/run/services/ResponseFormatter.js +152 -0
package/dist/domains/run/services/evaluationRunConfigMatcher.d.ts +4 -0
package/dist/domains/run/services/evaluationRunConfigMatcher.js +7 -0
package/dist/domains/run/tools/NativeSandboxExecutor.d.ts +38 -0
package/dist/domains/run/tools/NativeSandboxExecutor.js +432 -0
package/dist/domains/run/tools/SandboxExecutorFactory.d.ts +36 -0
package/dist/domains/run/tools/SandboxExecutorFactory.js +80 -0
package/dist/domains/run/tools/VercelSandboxExecutor.d.ts +71 -0
package/dist/domains/run/tools/VercelSandboxExecutor.js +340 -0
package/dist/domains/run/tools/distill-conversation-history-tool.d.ts +62 -0
package/dist/domains/run/tools/distill-conversation-history-tool.js +206 -0
package/dist/domains/run/tools/distill-conversation-tool.d.ts +41 -0
package/dist/domains/run/tools/distill-conversation-tool.js +141 -0
package/dist/domains/run/tools/sandbox-utils.d.ts +18 -0
package/dist/domains/run/tools/sandbox-utils.js +53 -0
package/dist/domains/run/types/chat.d.ts +27 -0
package/dist/domains/run/types/chat.js +1 -0
package/dist/domains/run/types/executionContext.d.ts +40 -0
package/dist/domains/run/types/executionContext.js +28 -0
package/dist/domains/run/types/xml.d.ts +9 -0
package/dist/domains/run/utils/SchemaProcessor.d.ts +52 -0
package/dist/domains/run/utils/SchemaProcessor.js +182 -0
package/dist/domains/run/utils/agent-operations.d.ts +62 -0
package/dist/domains/run/utils/agent-operations.js +53 -0
package/dist/domains/run/utils/artifact-component-schema.d.ts +42 -0
package/dist/domains/run/utils/artifact-component-schema.js +186 -0
package/dist/domains/run/utils/cleanup.d.ts +21 -0
package/dist/domains/run/utils/cleanup.js +59 -0
package/dist/domains/run/utils/data-component-schema.d.ts +2 -0
package/dist/domains/run/utils/data-component-schema.js +3 -0
package/dist/domains/run/utils/default-status-schemas.d.ts +20 -0
package/dist/domains/run/utils/default-status-schemas.js +24 -0
package/dist/domains/run/utils/json-postprocessor.d.ts +13 -0
package/dist/domains/run/utils/json-postprocessor.js +19 -0
package/dist/domains/run/utils/model-context-utils.d.ts +39 -0
package/dist/domains/run/utils/model-context-utils.js +181 -0
package/dist/domains/run/utils/model-resolver.d.ts +6 -0
package/dist/domains/run/utils/model-resolver.js +24 -0
package/dist/domains/run/utils/project.d.ts +207 -0
package/dist/domains/run/utils/project.js +315 -0
package/dist/domains/run/utils/schema-validation.d.ts +44 -0
package/dist/domains/run/utils/schema-validation.js +97 -0
package/dist/domains/run/utils/stream-helpers.d.ts +193 -0
package/dist/domains/run/utils/stream-helpers.js +510 -0
package/dist/domains/run/utils/stream-registry.d.ts +22 -0
package/dist/domains/run/utils/stream-registry.js +33 -0
package/dist/domains/run/utils/token-estimator.d.ts +23 -0
package/dist/domains/run/utils/token-estimator.js +17 -0
package/dist/domains/run/utils/tracer.d.ts +7 -0
package/dist/domains/run/utils/tracer.js +7 -0
package/dist/env.d.ts +89 -0
package/dist/env.js +69 -0
package/dist/factory.d.ts +1535 -0
package/dist/factory.js +42 -0
package/dist/index.d.ts +1530 -0
package/dist/index.js +44 -0
package/dist/initialization.d.ts +6 -0
package/dist/initialization.js +65 -0
package/dist/instrumentation.d.ts +17 -0
package/dist/instrumentation.js +68 -0
package/dist/logger.d.ts +2 -0
package/dist/logger.js +3 -0
package/dist/middleware/branchScopedDb.d.ts +31 -0
package/dist/middleware/branchScopedDb.js +137 -0
package/dist/middleware/cors.d.ts +36 -0
package/dist/middleware/cors.js +131 -0
package/dist/middleware/errorHandler.d.ts +12 -0
package/dist/middleware/errorHandler.js +88 -0
package/dist/middleware/evalsAuth.d.ts +16 -0
package/dist/middleware/evalsAuth.js +52 -0
package/dist/middleware/index.d.ts +8 -0
package/dist/middleware/index.js +9 -0
package/dist/middleware/manageAuth.d.ts +25 -0
package/dist/middleware/manageAuth.js +80 -0
package/dist/middleware/projectAccess.d.ts +31 -0
package/dist/middleware/projectAccess.js +118 -0
package/dist/middleware/projectConfig.d.ts +25 -0
package/dist/middleware/projectConfig.js +89 -0
package/dist/middleware/ref.d.ts +61 -0
package/dist/middleware/ref.js +239 -0
package/dist/middleware/requirePermission.d.ts +14 -0
package/dist/middleware/requirePermission.js +80 -0
package/dist/middleware/runAuth.d.ts +29 -0
package/dist/middleware/runAuth.js +253 -0
package/dist/middleware/sessionAuth.d.ts +17 -0
package/dist/middleware/sessionAuth.js +58 -0
package/dist/middleware/tenantAccess.d.ts +22 -0
package/dist/middleware/tenantAccess.js +63 -0
package/dist/middleware/tracing.d.ts +7 -0
package/dist/middleware/tracing.js +50 -0
package/dist/openapi.d.ts +7 -0
package/dist/openapi.js +156 -0
package/dist/ssoHelpers.d.ts +20 -0
package/dist/ssoHelpers.js +51 -0
package/dist/templates/v1/phase1/system-prompt.js +5 -0
package/dist/templates/v1/phase1/thinking-preparation.js +5 -0
package/dist/templates/v1/phase1/tool.js +5 -0
package/dist/templates/v1/phase2/data-component.js +5 -0
package/dist/templates/v1/phase2/data-components.js +5 -0
package/dist/templates/v1/phase2/system-prompt.js +5 -0
package/dist/templates/v1/shared/artifact-retrieval-guidance.js +5 -0
package/dist/templates/v1/shared/artifact.js +5 -0
package/dist/types/app.d.ts +64 -0
package/dist/types/app.js +1 -0
package/dist/types/index.d.ts +2 -0
package/dist/types/index.js +1 -0
package/dist/types/runExecutionContext.d.ts +25 -0
package/dist/types/runExecutionContext.js +28 -0
package/dist/utils/oauthService.d.ts +71 -0
package/dist/utils/oauthService.js +106 -0
package/dist/utils/signozHelpers.d.ts +9 -0
package/dist/utils/signozHelpers.js +33 -0
package/dist/utils/speakeasy.d.ts +93 -0
package/dist/utils/speakeasy.js +44 -0
package/dist/utils/tempApiKeys.d.ts +17 -0
package/dist/utils/tempApiKeys.js +26 -0
package/dist/utils/workflowApiHelpers.d.ts +1 -0
package/dist/utils/workflowApiHelpers.js +1 -0
package/package.json +126 -0

package/dist/middleware/evalsAuth.js ADDED Viewed

@@ -0,0 +1,52 @@
+import { env } from "../env.js";
+import { getLogger, isInternalServiceToken, verifyInternalServiceAuthHeader } from "@inkeep/agents-core";
+import { createMiddleware } from "hono/factory";
+import { HTTPException } from "hono/http-exception";
+//#region src/middleware/evalsAuth.ts
+const logger = getLogger("eval-auth");
+/**
+* Middleware to authenticate API requests using Bearer token authentication
+* First checks if token matches INKEEP_AGENTS_EVAL_API_BYPASS_SECRET,
+*/
+const evalApiKeyAuth = () => createMiddleware(async (c, next) => {
+	const authHeader = c.req.header("Authorization");
+	if (!authHeader || !authHeader.startsWith("Bearer ")) {
+		if (env.ENVIRONMENT === "development") {
+			await next();
+			return;
+		}
+		throw new HTTPException(401, { message: "Missing or invalid authorization header. Expected: Bearer <api_key>" });
+	}
+	const apiKey = authHeader.substring(7);
+	if (env.INKEEP_AGENTS_EVAL_API_BYPASS_SECRET) {
+		if (!authHeader || !authHeader.startsWith("Bearer ")) {
+			console.log("[AUTH DEBUG] Rejecting: No Bearer token provided");
+			throw new HTTPException(401, { message: "Missing or invalid authorization header. Expected: Bearer <api_key>" });
+		}
+		if (authHeader.substring(7) === env.INKEEP_AGENTS_EVAL_API_BYPASS_SECRET) {
+			logger.info({}, "Bypass secret authenticated successfully");
+			await next();
+			return;
+		}
+	}
+	if (isInternalServiceToken(apiKey)) {
+		const result = await verifyInternalServiceAuthHeader(authHeader);
+		if (!result.valid || !result.payload) throw new HTTPException(401, { message: result.error || "Invalid internal service token" });
+		logger.info({
+			serviceId: result.payload.sub,
+			tenantId: result.payload.tenantId,
+			projectId: result.payload.projectId
+		}, "Internal service authenticated");
+		await next();
+		return;
+	}
+	if (env.ENVIRONMENT === "development") {
+		await next();
+		return;
+	}
+	throw new HTTPException(401, { message: "Invalid Token" });
+});
+//#endregion
+export { evalApiKeyAuth };

package/dist/middleware/index.d.ts ADDED Viewed

@@ -0,0 +1,8 @@
+import { authCorsConfig, defaultCorsConfig, getBaseDomain, isOriginAllowed, playgroundCorsConfig, runCorsConfig, signozCorsConfig } from "./cors.js";
+import { errorHandler } from "./errorHandler.js";
+import { manageApiKeyAuth } from "./manageAuth.js";
+import { oauthRefMiddleware } from "./ref.js";
+import { runApiKeyAuth, runApiKeyAuthExcept, runOptionalAuth } from "./runAuth.js";
+import { sessionAuth } from "./sessionAuth.js";
+import { requireTenantAccess } from "./tenantAccess.js";
+export { authCorsConfig, defaultCorsConfig, errorHandler, getBaseDomain, isOriginAllowed, manageApiKeyAuth, oauthRefMiddleware, playgroundCorsConfig, requireTenantAccess, runApiKeyAuth, runApiKeyAuthExcept, runCorsConfig, runOptionalAuth, sessionAuth, signozCorsConfig };

package/dist/middleware/index.js ADDED Viewed

@@ -0,0 +1,9 @@
+import { sessionAuth } from "./sessionAuth.js";
+import { authCorsConfig, defaultCorsConfig, getBaseDomain, isOriginAllowed, playgroundCorsConfig, runCorsConfig, signozCorsConfig } from "./cors.js";
+import { errorHandler } from "./errorHandler.js";
+import { manageApiKeyAuth } from "./manageAuth.js";
+import { oauthRefMiddleware } from "./ref.js";
+import { runApiKeyAuth, runApiKeyAuthExcept, runOptionalAuth } from "./runAuth.js";
+import { requireTenantAccess } from "./tenantAccess.js";
+export { authCorsConfig, defaultCorsConfig, errorHandler, getBaseDomain, isOriginAllowed, manageApiKeyAuth, oauthRefMiddleware, playgroundCorsConfig, requireTenantAccess, runApiKeyAuth, runApiKeyAuthExcept, runCorsConfig, runOptionalAuth, sessionAuth, signozCorsConfig };

package/dist/middleware/manageAuth.d.ts ADDED Viewed

@@ -0,0 +1,25 @@
+import * as hono0 from "hono";
+import { BaseExecutionContext } from "@inkeep/agents-core";
+import { createAuth } from "@inkeep/agents-core/auth";
+//#region src/middleware/manageAuth.d.ts
+/**
+ * Middleware to authenticate API requests using Bearer token authentication
+ * Authentication priority:
+ * 1. Bypass secret (INKEEP_AGENTS_MANAGE_API_BYPASS_SECRET)
+ * 2. Better-auth session token (from device authorization flow)
+ * 3. Database API key
+ * 4. Internal service token
+ */
+declare const manageApiKeyAuth: () => hono0.MiddlewareHandler<{
+  Variables: {
+    executionContext: BaseExecutionContext;
+    userId?: string;
+    userEmail?: string;
+    tenantId?: string;
+    auth: ReturnType<typeof createAuth> | null;
+  };
+}, string, {}, Response>;
+//#endregion
+export { manageApiKeyAuth };

package/dist/middleware/manageAuth.js ADDED Viewed

@@ -0,0 +1,80 @@
+import { env } from "../env.js";
+import runDbClient_default from "../data/db/runDbClient.js";
+import { getLogger, isInternalServiceToken, validateAndGetApiKey, verifyInternalServiceAuthHeader } from "@inkeep/agents-core";
+import { createMiddleware } from "hono/factory";
+import { HTTPException } from "hono/http-exception";
+//#region src/middleware/manageAuth.ts
+const logger = getLogger("env-key-auth");
+/**
+* Middleware to authenticate API requests using Bearer token authentication
+* Authentication priority:
+* 1. Bypass secret (INKEEP_AGENTS_MANAGE_API_BYPASS_SECRET)
+* 2. Better-auth session token (from device authorization flow)
+* 3. Database API key
+* 4. Internal service token
+*/
+const manageApiKeyAuth = () => createMiddleware(async (c, next) => {
+	const authHeader = c.req.header("Authorization");
+	if (!authHeader || !authHeader.startsWith("Bearer ")) throw new HTTPException(401, { message: "Missing or invalid authorization header. Expected: Bearer <api_key>" });
+	const token = authHeader.substring(7);
+	if (env.INKEEP_AGENTS_MANAGE_API_BYPASS_SECRET && token === env.INKEEP_AGENTS_MANAGE_API_BYPASS_SECRET) {
+		logger.info({}, "Bypass secret authenticated successfully");
+		c.set("userId", "system");
+		c.set("userEmail", "system@internal");
+		await next();
+		return;
+	}
+	const auth = c.get("auth");
+	if (auth) try {
+		const headers$1 = new Headers();
+		headers$1.set("Authorization", authHeader);
+		const forwardedCookie = c.req.header("x-forwarded-cookie");
+		const cookie = c.req.header("cookie");
+		if (forwardedCookie) {
+			headers$1.set("cookie", forwardedCookie);
+			logger.debug({ source: "x-forwarded-cookie" }, "Using x-forwarded-cookie for session validation");
+		} else if (cookie) {
+			headers$1.set("cookie", cookie);
+			logger.debug({ source: "cookie" }, "Using cookie for session validation");
+		}
+		const session = await auth.api.getSession({ headers: headers$1 });
+		if (session?.user) {
+			logger.info({ userId: session.user.id }, "Better-auth session authenticated successfully");
+			c.set("userId", session.user.id);
+			c.set("userEmail", session.user.email);
+			await next();
+			return;
+		}
+	} catch (error) {
+		logger.debug({ error }, "Better-auth session validation failed, trying API key");
+	}
+	const validatedKey = await validateAndGetApiKey(token, runDbClient_default);
+	if (validatedKey) {
+		logger.info({ keyId: validatedKey.id }, "API key authenticated successfully");
+		c.set("userId", `apikey:${validatedKey.id}`);
+		c.set("userEmail", `apikey-${validatedKey.id}@internal`);
+		c.set("tenantId", validatedKey.tenantId);
+		await next();
+		return;
+	}
+	if (isInternalServiceToken(token)) {
+		const result = await verifyInternalServiceAuthHeader(authHeader);
+		if (!result.valid || !result.payload) throw new HTTPException(401, { message: result.error || "Invalid internal service token" });
+		logger.info({
+			serviceId: result.payload.sub,
+			tenantId: result.payload.tenantId,
+			projectId: result.payload.projectId,
+			userId: result.payload.userId
+		}, "Internal service authenticated");
+		c.set("userId", result.payload.userId || `system`);
+		c.set("userEmail", `${result.payload.sub}@internal.inkeep`);
+		if (result.payload.tenantId) c.set("tenantId", result.payload.tenantId);
+		await next();
+		return;
+	}
+	throw new HTTPException(401, { message: "Invalid Token" });
+});
+//#endregion
+export { manageApiKeyAuth };

package/dist/middleware/projectAccess.d.ts ADDED Viewed

@@ -0,0 +1,31 @@
+import { ManageAppVariables } from "../types/app.js";
+import * as hono8 from "hono";
+//#region src/middleware/projectAccess.d.ts
+/**
+ * Permission levels for project access
+ *
+ * - view: Can see project and resources (read-only)
+ * - use: Can invoke agents, create API keys, view traces
+ * - edit: Can modify configurations and manage members
+ */
+type ProjectPermission = 'view' | 'use' | 'edit';
+/**
+ * Middleware to check project-level access.
+ *
+ * When ENABLE_AUTHZ is false:
+ * - 'view' permission: all org members can view
+ * - 'edit': only org owner/admin
+ *
+ * When ENABLE_AUTHZ is true:
+ * - Uses SpiceDB to check permissions
+ * - Org owner/admin bypass (handled in canViewProject etc.)
+ */
+declare const requireProjectPermission: <Env$1 extends {
+  Variables: ManageAppVariables;
+} = {
+  Variables: ManageAppVariables;
+}>(permission?: ProjectPermission) => hono8.MiddlewareHandler<Env$1, string, {}, Response>;
+//#endregion
+export { ProjectPermission, requireProjectPermission };

package/dist/middleware/projectAccess.js ADDED Viewed

@@ -0,0 +1,118 @@
+import { env } from "../env.js";
+import { canEditProject, canUseProject, canViewProject, createApiError, isAuthzEnabled } from "@inkeep/agents-core";
+import { createMiddleware } from "hono/factory";
+import { HTTPException } from "hono/http-exception";
+//#region src/middleware/projectAccess.ts
+/**
+* Middleware to check project-level access.
+*
+* When ENABLE_AUTHZ is false:
+* - 'view' permission: all org members can view
+* - 'edit': only org owner/admin
+*
+* When ENABLE_AUTHZ is true:
+* - Uses SpiceDB to check permissions
+* - Org owner/admin bypass (handled in canViewProject etc.)
+*/
+const requireProjectPermission = (permission = "view") => createMiddleware(async (c, next) => {
+	const isTestEnvironment = process.env.ENVIRONMENT === "test";
+	if (env.DISABLE_AUTH || isTestEnvironment) {
+		await next();
+		return;
+	}
+	const userId = c.get("userId");
+	const tenantId = c.get("tenantId");
+	const tenantRole = c.get("tenantRole");
+	const projectId = c.req.param("projectId") || c.req.param("id");
+	if (!userId || !tenantId) throw createApiError({
+		code: "unauthorized",
+		message: "User or organization context not found",
+		instance: c.req.path
+	});
+	if (!projectId) throw createApiError({
+		code: "bad_request",
+		message: "Project ID is required",
+		instance: c.req.path
+	});
+	if (userId === "system" || userId.startsWith("apikey:")) {
+		await next();
+		return;
+	}
+	try {
+		let hasAccess = false;
+		switch (permission) {
+			case "view":
+				hasAccess = await canViewProject({
+					tenantId,
+					userId,
+					projectId,
+					orgRole: tenantRole
+				});
+				break;
+			case "use":
+				hasAccess = await canUseProject({
+					tenantId,
+					userId,
+					projectId,
+					orgRole: tenantRole
+				});
+				break;
+			case "edit":
+				hasAccess = await canEditProject({
+					tenantId,
+					userId,
+					projectId,
+					orgRole: tenantRole
+				});
+				break;
+		}
+		if (!hasAccess) {
+			if (isAuthzEnabled(tenantId) && permission !== "view") {
+				if (await canViewProject({
+					tenantId,
+					userId,
+					projectId,
+					orgRole: tenantRole
+				})) throw createApiError({
+					code: "forbidden",
+					message: `Permission denied. Required: project:${permission}`,
+					instance: c.req.path,
+					extensions: { requiredPermissions: [`project:${permission}`] }
+				});
+			}
+			if (isAuthzEnabled(tenantId)) throw createApiError({
+				code: "not_found",
+				message: "Project not found",
+				instance: c.req.path
+			});
+			throw createApiError({
+				code: "forbidden",
+				message: `Permission denied. Required: project:${permission}`,
+				instance: c.req.path,
+				extensions: {
+					requiredPermissions: [`project:${permission}`],
+					context: {
+						userId,
+						organizationId: tenantId,
+						projectId,
+						currentRole: tenantRole
+					}
+				}
+			});
+		}
+		await next();
+	} catch (error) {
+		if (error instanceof HTTPException) throw error;
+		const errorMessage = error instanceof Error ? error.message : "Unknown error";
+		throw createApiError({
+			code: "internal_server_error",
+			message: "Failed to verify project access",
+			instance: c.req.path,
+			extensions: { internalError: errorMessage }
+		});
+	}
+});
+//#endregion
+export { requireProjectPermission };

package/dist/middleware/projectConfig.d.ts ADDED Viewed

@@ -0,0 +1,25 @@
+import * as hono12 from "hono";
+import { BaseExecutionContext, ResolvedRef } from "@inkeep/agents-core";
+//#region src/middleware/projectConfig.d.ts
+/**
+ * Middleware that fetches the full project definition from the Management API
+ */
+declare const projectConfigMiddleware: hono12.MiddlewareHandler<{
+  Variables: {
+    executionContext: BaseExecutionContext;
+    resolvedRef: ResolvedRef;
+  };
+}, string, {}, Response>;
+/**
+ * Creates a middleware that applies project config fetching except for specified route patterns
+ * @param skipRouteCheck - Function that returns true if the route should skip the middleware
+ */
+declare const projectConfigMiddlewareExcept: (skipRouteCheck: (path: string) => boolean) => hono12.MiddlewareHandler<{
+  Variables: {
+    executionContext: BaseExecutionContext;
+    resolvedRef: ResolvedRef;
+  };
+}, string, {}, Response>;
+//#endregion
+export { projectConfigMiddleware, projectConfigMiddlewareExcept };

package/dist/middleware/projectConfig.js ADDED Viewed

@@ -0,0 +1,89 @@
+import { getLogger as getLogger$1 } from "../logger.js";
+import manageDbPool_default from "../data/db/manageDbPool.js";
+import { ManageApiError, getFullProjectWithRelationIds, withRef } from "@inkeep/agents-core";
+import { createMiddleware } from "hono/factory";
+//#region src/middleware/projectConfig.ts
+const logger = getLogger$1("projectConfigMiddleware");
+/**
+* Core handler that fetches the full project definition from the Management API
+* and adds it to the Hono context for use in route handlers.
+*
+* This handler should be applied after authentication middleware since it
+* requires the execution context to be set.
+*/
+async function projectConfigHandler(c, next) {
+	const executionContext = c.get("executionContext");
+	const resolvedRef = c.get("resolvedRef");
+	const { tenantId, projectId } = executionContext;
+	logger.debug({
+		tenantId,
+		projectId,
+		resolvedRef
+	}, "Fetching project config from Management API");
+	try {
+		if (!resolvedRef) throw new Error("Resolved ref not found");
+		if (resolvedRef.type !== "branch") throw new Error(`Runtime operations require a branch ref. Got ${resolvedRef.type} '${resolvedRef.name}'.`);
+		const projectConfig = await withRef(manageDbPool_default, resolvedRef, async (db) => {
+			return await getFullProjectWithRelationIds(db)({ scopes: {
+				tenantId,
+				projectId
+			} });
+		});
+		if (!projectConfig) throw new Error("Project not found");
+		c.set("executionContext", {
+			...executionContext,
+			project: projectConfig,
+			resolvedRef
+		});
+		logger.debug({
+			tenantId,
+			projectId,
+			resolvedRef,
+			agentCount: Object.keys(projectConfig.agents || {}).length,
+			toolCount: Object.keys(projectConfig.tools || {}).length
+		}, "Project config fetched successfully");
+		await next();
+	} catch (error) {
+		if (error instanceof ManageApiError) {
+			logger.error({
+				tenantId,
+				projectId,
+				statusCode: error.statusCode,
+				message: error.message
+			}, "Failed to fetch project config from Management API");
+			if (error.isNotFound) return c.json({
+				error: "Project not found",
+				message: `Project ${projectId} not found for tenant ${tenantId}`
+			}, 404);
+			if (error.isUnauthorized || error.isForbidden) return c.json({
+				error: "Access denied",
+				message: "Unable to access project configuration"
+			}, 403);
+		}
+		logger.error({
+			tenantId,
+			projectId,
+			error: error instanceof Error ? error.message : String(error)
+		}, "Unexpected error fetching project config");
+		return c.json({
+			error: "Internal server error",
+			message: "Failed to load project configuration"
+		}, 500);
+	}
+}
+/**
+* Middleware that fetches the full project definition from the Management API
+*/
+const projectConfigMiddleware = createMiddleware(projectConfigHandler);
+/**
+* Creates a middleware that applies project config fetching except for specified route patterns
+* @param skipRouteCheck - Function that returns true if the route should skip the middleware
+*/
+const projectConfigMiddlewareExcept = (skipRouteCheck) => createMiddleware(async (c, next) => {
+	if (skipRouteCheck(c.req.path)) return next();
+	return projectConfigHandler(c, next);
+});
+//#endregion
+export { projectConfigMiddleware, projectConfigMiddlewareExcept };

package/dist/middleware/ref.d.ts ADDED Viewed

@@ -0,0 +1,61 @@
+import { Context, Next } from "hono";
+import { AgentsManageDatabaseClient, ResolvedRef } from "@inkeep/agents-core";
+//#region src/middleware/ref.d.ts
+type RefContext = {
+  resolvedRef?: ResolvedRef;
+};
+interface RefMiddlewareOptions {
+  /**
+   * Extract tenantId from the request context.
+   * Default implementation extracts from path using /tenants/{tenantId} pattern.
+   */
+  extractTenantId?: (c: Context) => string | undefined;
+  /**
+   * Extract projectId from the request context.
+   * Default implementation extracts from path using /tenants/{tenantId}/projects/{projectId} pattern.
+   */
+  extractProjectId?: (c: Context) => string | undefined;
+  /**
+   * Whether to allow extracting projectId from request body for POST/PUT/PATCH.
+   * Default: true
+   */
+  allowProjectIdFromBody?: boolean;
+  /**
+   * Custom path patterns that should skip ref validation.
+   * Default: []
+   */
+  skipRefValidationPaths?: RegExp[];
+}
+/**
+ * Creates a ref resolution middleware factory.
+ *
+ * This middleware:
+ * 1. Extracts tenantId and projectId from the request
+ * 2. Resolves the `ref` query parameter to a ResolvedRef
+ * 3. Creates branches if needed (tenant_main, project_main)
+ * 4. Sets `resolvedRef` in the Hono context for downstream handlers
+ *
+ * @param db - The Doltgres database client to use for ref resolution
+ * @param options - Optional configuration for extraction and validation
+ * @returns Hono middleware function
+ *
+ * @example
+ * ```typescript
+ * import { createRefMiddleware } from '@inkeep/agents-core';
+ * import { manageDbClient } from './db';
+ *
+ * const refMiddleware = createRefMiddleware(manageDbClient);
+ * app.use('/tenants/*', refMiddleware);
+ * ```
+ */
+declare const createRefMiddleware: (db: AgentsManageDatabaseClient, options?: RefMiddlewareOptions) => (c: Context, next: Next) => Promise<void>;
+declare const writeProtectionMiddleware: (c: Context, next: Next) => Promise<void>;
+declare const manageRefMiddleware: (c: Context, next: Next) => Promise<void>;
+declare const runRefMiddleware: (c: Context, next: Next) => Promise<void>;
+/**
+ * Ref middleware for OAuth routes - extracts tenant/project from query params
+ */
+declare const oauthRefMiddleware: (c: Context, next: Next) => Promise<void>;
+//#endregion
+export { RefContext, RefMiddlewareOptions, createRefMiddleware, manageRefMiddleware, oauthRefMiddleware, runRefMiddleware, writeProtectionMiddleware };