@inkeep/agents-api 0.42.0 → 0.44.0

package/dist/domains/manage/routes/triggers.js

@@ -4,21 +4,11 @@ import runDbClient_default from "../../../data/db/runDbClient.js";
 import { requireProjectPermission } from "../../../middleware/projectAccess.js";
 import { speakeasyOffsetLimitPagination } from "../../../utils/speakeasy.js";
 import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
-import { PaginationQueryParamsSchema, TenantProjectAgentIdParamsSchema, TenantProjectAgentParamsSchema, TriggerApiInsertSchema, TriggerApiSelectSchema, TriggerApiUpdateSchema, TriggerInvocationListResponse, TriggerInvocationResponse, TriggerInvocationStatusEnum, commonGetErrorResponses, createApiError, createTrigger, deleteTrigger, generateId, getTriggerById, getTriggerInvocationById, hashAuthenticationHeaders, listTriggerInvocationsPaginated, listTriggersPaginated, updateTrigger } from "@inkeep/agents-core";
+import { PaginationQueryParamsSchema, TenantProjectAgentIdParamsSchema, TenantProjectAgentParamsSchema, TriggerApiInsertSchema, TriggerApiUpdateSchema, TriggerInvocationListResponse, TriggerInvocationResponse, TriggerInvocationStatusEnum, TriggerWithWebhookUrlListResponse, TriggerWithWebhookUrlResponse, commonGetErrorResponses, createApiError, createTrigger, deleteTrigger, generateId, getCredentialReference, getTriggerById, getTriggerInvocationById, hashAuthenticationHeaders, listTriggerInvocationsPaginated, listTriggersPaginated, updateTrigger } from "@inkeep/agents-core";
 
 //#region src/domains/manage/routes/triggers.ts
 const logger = getLogger$1("triggers");
 const app = new OpenAPIHono();
-const TriggerResponse = z.object({ data: TriggerApiSelectSchema.extend({ webhookUrl: z.string().describe("Fully qualified webhook URL for this trigger") }) });
-const TriggerListResponse = z.object({
-	data: z.array(TriggerApiSelectSchema.extend({ webhookUrl: z.string().describe("Fully qualified webhook URL for this trigger") })),
-	pagination: z.object({
-		page: z.number(),
-		limit: z.number(),
-		total: z.number(),
-		pages: z.number()
-	})
-});
 app.use("/", async (c, next) => {
 	if (c.req.method === "POST") return requireProjectPermission("edit")(c, next);
 	return next();
@@ -51,7 +41,7 @@ app.openapi(createRoute({
 	responses: {
 		200: {
 			description: "List of triggers retrieved successfully",
-			content: { "application/json": { schema: TriggerListResponse } }
+			content: { "application/json": { schema: TriggerWithWebhookUrlListResponse } }
 		},
 		...commonGetErrorResponses
 	},
@@ -103,7 +93,7 @@ app.openapi(createRoute({
 	responses: {
 		200: {
 			description: "Trigger found",
-			content: { "application/json": { schema: TriggerResponse } }
+			content: { "application/json": { schema: TriggerWithWebhookUrlResponse } }
 		},
 		...commonGetErrorResponses
 	}
@@ -151,7 +141,7 @@ app.openapi(createRoute({
 	responses: {
 		201: {
 			description: "Trigger created successfully",
-			content: { "application/json": { schema: TriggerResponse } }
+			content: { "application/json": { schema: TriggerWithWebhookUrlResponse } }
 		},
 		...commonGetErrorResponses
 	}
@@ -161,12 +151,29 @@ app.openapi(createRoute({
 	const body = c.req.valid("json");
 	const apiBaseUrl = env.INKEEP_AGENTS_API_URL;
 	const id = body.id || generateId();
-	logger.info({
+	logger.debug({
 		tenantId,
 		projectId,
 		agentId,
 		triggerId: id
 	}, "Creating trigger");
+	if (body.signingSecretCredentialReferenceId) {
+		const credentialRef = await getCredentialReference(db)({
+			scopes: {
+				tenantId,
+				projectId
+			},
+			id: body.signingSecretCredentialReferenceId
+		});
+		if (!credentialRef) throw createApiError({
+			code: "bad_request",
+			message: `Credential reference not found: ${body.signingSecretCredentialReferenceId}`
+		});
+		if (credentialRef.userId) throw createApiError({
+			code: "bad_request",
+			message: "Only project-scoped credentials can be attached to triggers. User-scoped credentials are not allowed."
+		});
+	}
 	let hashedAuthentication;
 	const authInput = body.authentication;
 	if (authInput?.headers && authInput.headers.length > 0) hashedAuthentication = { headers: await hashAuthenticationHeaders(authInput.headers) };
@@ -182,7 +189,8 @@ app.openapi(createRoute({
 		outputTransform: body.outputTransform,
 		messageTemplate: body.messageTemplate,
 		authentication: hashedAuthentication,
-		signingSecret: body.signingSecret
+		signingSecretCredentialReferenceId: body.signingSecretCredentialReferenceId,
+		signatureVerification: body.signatureVerification
 	});
 	const { tenantId: _tid, projectId: _pid, agentId: _aid, ...triggerWithoutScopes } = trigger;
 	return c.json({ data: {
@@ -212,7 +220,7 @@ app.openapi(createRoute({
 	responses: {
 		200: {
 			description: "Trigger updated successfully",
-			content: { "application/json": { schema: TriggerResponse } }
+			content: { "application/json": { schema: TriggerWithWebhookUrlResponse } }
 		},
 		...commonGetErrorResponses
 	}
@@ -221,16 +229,33 @@ app.openapi(createRoute({
 	const { tenantId, projectId, agentId, id } = c.req.valid("param");
 	const body = c.req.valid("json");
 	const apiBaseUrl = env.INKEEP_AGENTS_API_URL;
-	if (!(body.name !== void 0 || body.description !== void 0 || body.enabled !== void 0 || body.inputSchema !== void 0 || body.outputTransform !== void 0 || body.messageTemplate !== void 0 || body.authentication !== void 0 || body.signingSecret !== void 0 || body.keepExistingSigningSecret !== void 0)) throw createApiError({
+	if (!(body.name !== void 0 || body.description !== void 0 || body.enabled !== void 0 || body.inputSchema !== void 0 || body.outputTransform !== void 0 || body.messageTemplate !== void 0 || body.authentication !== void 0 || body.signingSecretCredentialReferenceId !== void 0 || body.signatureVerification !== void 0)) throw createApiError({
 		code: "bad_request",
 		message: "No fields to update"
 	});
-	logger.info({
+	logger.debug({
 		tenantId,
 		projectId,
 		agentId,
 		triggerId: id
 	}, "Updating trigger");
+	if (body.signingSecretCredentialReferenceId) {
+		const credentialRef = await getCredentialReference(db)({
+			scopes: {
+				tenantId,
+				projectId
+			},
+			id: body.signingSecretCredentialReferenceId
+		});
+		if (!credentialRef) throw createApiError({
+			code: "bad_request",
+			message: `Credential reference not found: ${body.signingSecretCredentialReferenceId}`
+		});
+		if (credentialRef.userId) throw createApiError({
+			code: "bad_request",
+			message: "Only project-scoped credentials can be attached to triggers. User-scoped credentials are not allowed."
+		});
+	}
 	let hashedAuthentication;
 	const authInput = body.authentication;
 	if (authInput?.headers && authInput.headers.length > 0) {
@@ -259,7 +284,6 @@ app.openapi(createRoute({
 		}
 		hashedAuthentication = hashedHeaders.length > 0 ? { headers: hashedHeaders } : void 0;
 	} else if (body.authentication !== void 0) hashedAuthentication = body.authentication;
-	const signingSecretUpdate = body.keepExistingSigningSecret ? void 0 : body.signingSecret;
 	const updatedTrigger = await updateTrigger(db)({
 		scopes: {
 			tenantId,
@@ -275,7 +299,8 @@ app.openapi(createRoute({
 			outputTransform: body.outputTransform,
 			messageTemplate: body.messageTemplate,
 			authentication: hashedAuthentication,
-			signingSecret: signingSecretUpdate
+			signingSecretCredentialReferenceId: body.signingSecretCredentialReferenceId,
+			signatureVerification: body.signatureVerification
 		}
 	});
 	if (!updatedTrigger) throw createApiError({
@@ -311,7 +336,7 @@ app.openapi(createRoute({
 }), async (c) => {
 	const db = c.get("db");
 	const { tenantId, projectId, agentId, id } = c.req.valid("param");
-	logger.info({
+	logger.debug({
 		tenantId,
 		projectId,
 		agentId,
@@ -372,7 +397,7 @@ app.openapi(createRoute({
 }), async (c) => {
 	const { tenantId, projectId, agentId, id: triggerId } = c.req.valid("param");
 	const { page, limit, status, from, to } = c.req.valid("query");
-	logger.info({
+	logger.debug({
 		tenantId,
 		projectId,
 		agentId,
@@ -426,7 +451,7 @@ app.openapi(createRoute({
 	}
 }), async (c) => {
 	const { tenantId, projectId, agentId, id: triggerId, invocationId } = c.req.valid("param");
-	logger.info({
+	logger.debug({
 		tenantId,
 		projectId,
 		agentId,

package/dist/domains/manage/routes/userOrganizations.js

@@ -1,6 +1,6 @@
 import runDbClient_default from "../../../data/db/runDbClient.js";
 import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
-import { addUserToOrganization, getUserOrganizations } from "@inkeep/agents-core";
+import { addUserToOrganization, getUserOrganizationsFromDb } from "@inkeep/agents-core";
 import { AddUserToOrganizationRequestSchema, AddUserToOrganizationResponseSchema, UserOrganizationsResponseSchema } from "@inkeep/agents-core/auth/validation";
 
 //#region src/domains/manage/routes/userOrganizations.ts
@@ -8,7 +8,7 @@ const userOrganizationsRoutes = new OpenAPIHono();
 userOrganizationsRoutes.openapi(createRoute({
 	method: "get",
 	path: "/",
-	tags: ["user-organizations"],
+	tags: ["User Organizations"],
 	summary: "List user organizations",
 	description: "Get all organizations associated with a user",
 	request: { params: z.object({ userId: z.string().describe("User ID") }) },
@@ -18,7 +18,7 @@ userOrganizationsRoutes.openapi(createRoute({
 	} }
 }), async (c) => {
 	const { userId } = c.req.valid("param");
-	const userOrganizations = (await getUserOrganizations(runDbClient_default)(userId)).map((org) => ({
+	const userOrganizations = (await getUserOrganizationsFromDb(runDbClient_default)(userId)).map((org) => ({
 		...org,
 		createdAt: org.createdAt.toISOString()
 	}));
@@ -27,7 +27,7 @@ userOrganizationsRoutes.openapi(createRoute({
 userOrganizationsRoutes.openapi(createRoute({
 	method: "post",
 	path: "/",
-	tags: ["user-organizations"],
+	tags: ["User Organizations"],
 	summary: "Add user to organization",
 	description: "Associate a user with an organization",
 	request: {

package/dist/domains/manage/routes/userProjectMemberships.d.ts

@@ -0,0 +1,9 @@
+import { ManageAppVariables } from "../../../types/app.js";
+import { OpenAPIHono } from "@hono/zod-openapi";
+
+//#region src/domains/manage/routes/userProjectMemberships.d.ts
+declare const app: OpenAPIHono<{
+  Variables: ManageAppVariables;
+}, {}, "/">;
+//#endregion
+export { app as default };

package/dist/domains/manage/routes/userProjectMemberships.js

@@ -0,0 +1,44 @@
+import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
+import { ProjectRoles, commonGetErrorResponses, listUserProjectMembershipsInSpiceDb } from "@inkeep/agents-core";
+
+//#region src/domains/manage/routes/userProjectMemberships.ts
+const app = new OpenAPIHono();
+const projectRoleEnum = z.enum([
+	ProjectRoles.ADMIN,
+	ProjectRoles.MEMBER,
+	ProjectRoles.VIEWER
+]);
+const UserProjectMembershipParamsSchema = z.object({
+	tenantId: z.string(),
+	userId: z.string()
+});
+app.openapi(createRoute({
+	method: "get",
+	path: "/",
+	summary: "List User Project Memberships",
+	description: "List all projects a user has explicit access to and their role in each. Requires authz to be enabled.",
+	operationId: "list-user-project-memberships",
+	tags: ["User Project Memberships"],
+	request: { params: UserProjectMembershipParamsSchema },
+	responses: {
+		200: {
+			description: "List of project memberships for the user",
+			content: { "application/json": { schema: z.object({ data: z.array(z.object({
+				projectId: z.string(),
+				role: projectRoleEnum
+			})) }) } }
+		},
+		...commonGetErrorResponses
+	}
+}), async (c) => {
+	const { tenantId, userId } = c.req.valid("param");
+	const memberships = await listUserProjectMembershipsInSpiceDb({
+		tenantId,
+		userId
+	});
+	return c.json({ data: memberships });
+});
+var userProjectMemberships_default = app;
+
+//#endregion
+export { userProjectMemberships_default as default };

package/dist/domains/mcp/routes/mcp.d.ts

@@ -0,0 +1,7 @@
+import { Hono } from "hono";
+import * as hono_types8 from "hono/types";
+
+//#region src/domains/mcp/routes/mcp.d.ts
+declare const app: Hono<hono_types8.BlankEnv, hono_types8.BlankSchema, "/">;
+//#endregion
+export { app as default };

package/dist/domains/mcp/routes/mcp.js

@@ -0,0 +1,45 @@
+import { env } from "../../../env.js";
+import { Hono } from "hono";
+import { StreamableHTTPTransport } from "@hono/mcp";
+import { HeaderForwardingHook, InkeepAgentsCore, SDKHooks, createConsoleLogger, createMCPServer } from "@inkeep/agents-mcp";
+
+//#region src/domains/mcp/routes/mcp.ts
+const app = new Hono();
+/**
+* Headers to forward from incoming requests to downstream API calls.
+* x-forwarded-cookie is mapped to cookie for browser compatibility
+* (browsers don't allow setting Cookie header directly).
+*/
+const FORWARDED_HEADERS = [
+	"x-forwarded-cookie",
+	"authorization",
+	"cookie"
+];
+app.all("/", async (c) => {
+	const transport = new StreamableHTTPTransport();
+	const noOpLogger = createConsoleLogger("error");
+	const headersToForward = {};
+	for (const headerName of FORWARDED_HEADERS) {
+		const value = c.req.header(headerName);
+		if (value) headersToForward[headerName] = value;
+	}
+	if (headersToForward["x-forwarded-cookie"] && !headersToForward.cookie) headersToForward.cookie = headersToForward["x-forwarded-cookie"];
+	const createSDKWithHeaders = () => {
+		const hooks = new SDKHooks();
+		hooks.registerBeforeRequestHook(new HeaderForwardingHook(headersToForward));
+		return new InkeepAgentsCore({
+			serverURL: env.INKEEP_AGENTS_API_URL,
+			hooks
+		});
+	};
+	await createMCPServer({
+		logger: noOpLogger,
+		serverURL: env.INKEEP_AGENTS_API_URL,
+		getSDK: createSDKWithHeaders
+	}).server.connect(transport);
+	return transport.handleRequest(c);
+});
+var mcp_default = app;
+
+//#endregion
+export { mcp_default as default };

package/dist/domains/run/agents/Agent.d.ts

@@ -99,6 +99,7 @@ declare class Agent {
   private mcpConnectionLocks;
   private currentCompressor;
   private executionContext;
+  private functionToolRelationshipIdByName;
   constructor(config: AgentConfig, executionContext: FullExecutionContext, credentialStoreRegistry?: CredentialStoreRegistry);
   /**
    * Get the maximum number of generation steps for this agent