@inkeep/agents-api 0.43.0 → 0.45.0

package/dist/createApp.js

@@ -1,8 +1,7 @@
-import { getLogger } from "./logger.js";
+import { getLogger as getLogger$1 } from "./logger.js";
 import { env } from "./env.js";
 import { evalRoutes } from "./domains/evals/index.js";
 import { workflowRoutes } from "./domains/evals/workflow/routes.js";
-import { githubRoutes } from "./domains/github/index.js";
 import { sessionAuth, sessionContext } from "./middleware/sessionAuth.js";
 import { manageRoutes } from "./domains/manage/index.js";
 import mcp_default from "./domains/mcp/routes/mcp.js";
@@ -22,13 +21,15 @@ import { executionBaggageMiddleware } from "./middleware/tracing.js";
 import { setupOpenAPIRoutes } from "./openapi.js";
 import { healthChecksHandler } from "./routes/healthChecks.js";
 import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
+import { OrgRoles } from "@inkeep/agents-core";
+import { githubRoutes } from "@inkeep/agents-work-apps/github";
 import { Hono } from "hono";
 import { cors } from "hono/cors";
 import { requestId } from "hono/request-id";
 import { pinoLogger } from "hono-pino";
 
 //#region src/createApp.ts
-const logger = getLogger("agents-api");
+const logger = getLogger$1("agents-api");
 const isTestEnvironment = () => env.ENVIRONMENT === "test";
 const isWebhookRoute = (path) => {
 	return path.includes("/triggers/") && !path.endsWith("/triggers") && !path.endsWith("/triggers/");
@@ -56,7 +57,7 @@ function createAgentsHono(config) {
 		if (c.req.path.startsWith("/run/")) return next();
 		if (c.req.path.includes("/playground/token")) return next();
 		if (c.req.path.includes("/signoz/")) return next();
-		if (c.req.path.includes("/api/github/")) return next();
+		if (c.req.path.includes("/work-apps/github/")) return next();
 		return cors(defaultCorsConfig)(c, next);
 	});
 	app.use("*", async (c, next) => {
@@ -82,7 +83,7 @@ function createAgentsHono(config) {
 		return next();
 	});
 	app.use(pinoLogger({
-		pino: getLogger("agents-api").getPinoInstance(),
+		pino: getLogger$1("agents-api").getPinoInstance(),
 		http: { onResLevel(c) {
 			if (c.res.status >= 500) return "error";
 			if (c.req.path.includes("/signoz/")) return "debug";
@@ -107,7 +108,7 @@ function createAgentsHono(config) {
 		});
 	});
 	app.use("/manage/tenants/*", async (c, next) => {
-		if (env.DISABLE_AUTH || isTestEnvironment()) {
+		if (isTestEnvironment()) {
 			await next();
 			return;
 		}
@@ -115,7 +116,7 @@ function createAgentsHono(config) {
 		return sessionAuth()(c, next);
 	});
 	app.use("/manage/capabilities", async (c, next) => {
-		if (!auth || env.DISABLE_AUTH || isTestEnvironment()) {
+		if (!auth || isTestEnvironment()) {
 			await next();
 			return;
 		}
@@ -140,11 +141,12 @@ function createAgentsHono(config) {
 			runtime: sandboxConfig.runtime
 		} });
 	});
-	if (env.DISABLE_AUTH || isTestEnvironment()) app.use("/manage/tenants/:tenantId/*", async (c, next) => {
+	if (isTestEnvironment()) app.use("/manage/tenants/:tenantId/*", async (c, next) => {
 		const tenantId = c.req.param("tenantId");
 		if (tenantId) {
 			c.set("tenantId", tenantId);
 			c.set("userId", "anonymous");
+			c.set("tenantRole", OrgRoles.OWNER);
 		}
 		await next();
 	});
@@ -182,7 +184,7 @@ function createAgentsHono(config) {
 		return fetch(forwardedRequest);
 	});
 	app.route("/evals", evalRoutes);
-	app.route("/api/github", githubRoutes);
+	app.route("/work-apps/github", githubRoutes);
 	app.route("/mcp", mcp_default);
 	setupOpenAPIRoutes(app);
 	app.use("/run/*", async (_c, next) => {

package/dist/domains/evals/routes/datasetTriggers.d.ts

@@ -1,7 +1,7 @@
 import { OpenAPIHono } from "@hono/zod-openapi";
-import * as hono12 from "hono";
+import * as hono2 from "hono";
 
 //#region src/domains/evals/routes/datasetTriggers.d.ts
-declare const app: OpenAPIHono<hono12.Env, {}, "/">;
+declare const app: OpenAPIHono<hono2.Env, {}, "/">;
 //#endregion
 export { app as default };

package/dist/domains/evals/routes/index.d.ts

@@ -1,7 +1,7 @@
 import { OpenAPIHono } from "@hono/zod-openapi";
-import * as hono13 from "hono";
+import * as hono3 from "hono";
 
 //#region src/domains/evals/routes/index.d.ts
-declare const app: OpenAPIHono<hono13.Env, {}, "/">;
+declare const app: OpenAPIHono<hono3.Env, {}, "/">;
 //#endregion
 export { app as default };

package/dist/domains/evals/workflow/routes.d.ts

@@ -1,7 +1,7 @@
 import { Hono } from "hono";
-import * as hono_types9 from "hono/types";
+import * as hono_types5 from "hono/types";
 
 //#region src/domains/evals/workflow/routes.d.ts
-declare const workflowRoutes: Hono<hono_types9.BlankEnv, hono_types9.BlankSchema, "/">;
+declare const workflowRoutes: Hono<hono_types5.BlankEnv, hono_types5.BlankSchema, "/">;
 //#endregion
 export { workflowRoutes };

package/dist/domains/manage/index.js

@@ -1,10 +1,14 @@
+import availableAgents_default from "./routes/availableAgents.js";
 import cliAuth_default from "./routes/cliAuth.js";
+import github_default from "./routes/github.js";
 import routes_default from "./routes/index.js";
 import invitations_default from "./routes/invitations.js";
 import mcp_default from "./routes/mcp.js";
+import mcpToolGithubAccess_default from "./routes/mcpToolGithubAccess.js";
 import oauth_default from "./routes/oauth.js";
 import playgroundToken_default from "./routes/playgroundToken.js";
 import projectFull_default from "./routes/projectFull.js";
+import projectGithubAccess_default from "./routes/projectGithubAccess.js";
 import signoz_default from "./routes/signoz.js";
 import userOrganizations_default from "./routes/userOrganizations.js";
 import { OpenAPIHono } from "@hono/zod-openapi";
@@ -18,9 +22,13 @@ function createManageRoutes() {
 	app.route("/tenants/:tenantId", routes_default);
 	app.route("/tenants/:tenantId/playground/token", playgroundToken_default);
 	app.route("/tenants/:tenantId/signoz", signoz_default);
+	app.route("/tenants/:tenantId/github", github_default);
+	app.route("/tenants/:tenantId/projects/:projectId/github-access", projectGithubAccess_default);
+	app.route("/tenants/:tenantId/projects/:projectId/tools/:toolId/github-access", mcpToolGithubAccess_default);
 	app.route("/tenants/:tenantId", projectFull_default);
 	app.route("/oauth", oauth_default);
 	app.route("/mcp", mcp_default);
+	app.route("/available-agents", availableAgents_default);
 	return app;
 }
 const manageRoutes = createManageRoutes();

package/dist/domains/manage/routes/availableAgents.d.ts

@@ -0,0 +1,7 @@
+import { OpenAPIHono } from "@hono/zod-openapi";
+import * as hono1 from "hono";
+
+//#region src/domains/manage/routes/availableAgents.d.ts
+declare const app: OpenAPIHono<hono1.Env, {}, "/">;
+//#endregion
+export { app as default };

package/dist/domains/manage/routes/availableAgents.js

@@ -0,0 +1,94 @@
+import { getLogger as getLogger$1 } from "../../../logger.js";
+import { env } from "../../../env.js";
+import manageDbClient_default from "../../../data/db/manageDbClient.js";
+import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
+import { createApiError, listAgentsAcrossProjectBranches, listUsableProjectIds, verifyTempToken } from "@inkeep/agents-core";
+
+//#region src/domains/manage/routes/availableAgents.ts
+const logger = getLogger$1("availableAgents");
+const app = new OpenAPIHono();
+async function tryTempTokenAuth(token) {
+	if (!env.INKEEP_AGENTS_TEMP_JWT_PUBLIC_KEY) return null;
+	try {
+		const payload = await verifyTempToken(Buffer.from(env.INKEEP_AGENTS_TEMP_JWT_PUBLIC_KEY, "base64").toString("utf-8"), token);
+		return {
+			userId: payload.sub,
+			tenantId: payload.tenantId,
+			tokenType: "temp-jwt"
+		};
+	} catch (error) {
+		logger.warn({
+			token,
+			error
+		}, "Failed to verify temp token");
+		return null;
+	}
+}
+/**
+* Identify user from any supported token type
+* Add new token types by adding them to this function
+*/
+async function identifyUserFromToken(token) {
+	const tempResult = await tryTempTokenAuth(token);
+	if (tempResult) return tempResult;
+	return null;
+}
+const AvailableAgentSchema = z.object({
+	agentId: z.string(),
+	agentName: z.string(),
+	projectId: z.string()
+});
+const AvailableAgentsResponseSchema = z.object({ data: z.array(AvailableAgentSchema) });
+app.openapi(createRoute({
+	method: "get",
+	path: "/",
+	summary: "List available agents",
+	operationId: "list-available-agents",
+	tags: ["Agents"],
+	description: "List all agents the user can invoke. Requires a valid JWT token.",
+	security: [{ bearerAuth: [] }],
+	responses: {
+		200: {
+			description: "List of available agents",
+			content: { "application/json": { schema: AvailableAgentsResponseSchema } }
+		},
+		401: { description: "Unauthorized - invalid or missing JWT token" },
+		500: { description: "Internal server error" }
+	}
+}), async (c) => {
+	const authHeader = c.req.header("Authorization");
+	if (!authHeader?.startsWith("Bearer ")) throw createApiError({
+		code: "unauthorized",
+		message: "Missing or invalid authorization header. Expected: Bearer <jwt_token>"
+	});
+	const token = authHeader.substring(7);
+	if (!token.startsWith("eyJ")) throw createApiError({
+		code: "unauthorized",
+		message: "Invalid token format. Expected a JWT token."
+	});
+	const user = await identifyUserFromToken(token);
+	if (!user) {
+		logger.warn({}, "Token verification failed - no valid auth method found");
+		throw createApiError({
+			code: "unauthorized",
+			message: "Invalid or expired token"
+		});
+	}
+	const { userId, tenantId } = user;
+	const projectIds = await listUsableProjectIds({ userId });
+	if (projectIds.length === 0) return c.json({ data: [] });
+	const agents = await listAgentsAcrossProjectBranches(manageDbClient_default, {
+		tenantId,
+		projectIds
+	});
+	logger.info({
+		userId,
+		tenantId,
+		agentCount: agents.length
+	}, "Returning usable agents");
+	return c.json({ data: agents });
+});
+var availableAgents_default = app;
+
+//#endregion
+export { availableAgents_default as default };

package/dist/domains/manage/routes/branches.js

@@ -1,9 +1,18 @@
 import runDbClient_default from "../../../data/db/runDbClient.js";
+import { requireProjectPermission } from "../../../middleware/projectAccess.js";
 import { OpenAPIHono, createRoute } from "@hono/zod-openapi";
 import { BranchListResponseSchema, BranchNameParamsSchema, BranchResponseSchema, CreateBranchRequestSchema, ErrorResponseSchema, TenantProjectAgentParamsSchema, TenantProjectParamsSchema, cascadeDeleteByBranch, commonGetErrorResponses, createApiError, createBranch, deleteBranch, getBranch, listBranches, listBranchesForAgent } from "@inkeep/agents-core";
 
 //#region src/domains/manage/routes/branches.ts
 const app = new OpenAPIHono();
+app.use("/", async (c, next) => {
+	if (c.req.method === "POST") return requireProjectPermission("edit")(c, next);
+	return next();
+});
+app.use("/:branchName", async (c, next) => {
+	if (c.req.method === "DELETE") return requireProjectPermission("edit")(c, next);
+	return next();
+});
 app.openapi(createRoute({
 	method: "get",
 	path: "/",

package/dist/domains/manage/routes/conversations.d.ts

@@ -1,7 +1,7 @@
 import { OpenAPIHono } from "@hono/zod-openapi";
-import * as hono16 from "hono";
+import * as hono8 from "hono";
 
 //#region src/domains/manage/routes/conversations.d.ts
-declare const app: OpenAPIHono<hono16.Env, {}, "/">;
+declare const app: OpenAPIHono<hono8.Env, {}, "/">;
 //#endregion
 export { app as default };

package/dist/domains/manage/routes/evals/datasetItems.js

@@ -1,10 +1,23 @@
 import { getLogger as getLogger$1 } from "../../../../logger.js";
+import { requireProjectPermission } from "../../../../middleware/projectAccess.js";
 import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
 import { DatasetItemApiInsertSchema, DatasetItemApiSelectSchema, DatasetItemApiUpdateSchema, ListResponseSchema, SingleResponseSchema, TenantProjectParamsSchema, commonGetErrorResponses, createApiError, createDatasetItem, createDatasetItems, deleteDatasetItem, generateId, getDatasetItemById, listDatasetItems, updateDatasetItem } from "@inkeep/agents-core";
 
 //#region src/domains/manage/routes/evals/datasetItems.ts
 const app = new OpenAPIHono();
 const logger = getLogger$1("datasetItems");
+app.use("/:datasetId/items", async (c, next) => {
+	if (c.req.method === "POST") return requireProjectPermission("edit")(c, next);
+	return next();
+});
+app.use("/:datasetId/items/bulk", async (c, next) => {
+	if (c.req.method === "POST") return requireProjectPermission("edit")(c, next);
+	return next();
+});
+app.use("/:datasetId/items/:itemId", async (c, next) => {
+	if (["PATCH", "DELETE"].includes(c.req.method)) return requireProjectPermission("edit")(c, next);
+	return next();
+});
 app.openapi(createRoute({
 	method: "get",
 	path: "/{datasetId}",

package/dist/domains/manage/routes/evals/datasets.js

@@ -1,10 +1,19 @@
 import { getLogger as getLogger$1 } from "../../../../logger.js";
+import { requireProjectPermission } from "../../../../middleware/projectAccess.js";
 import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
 import { DatasetApiInsertSchema, DatasetApiSelectSchema, DatasetApiUpdateSchema, ListResponseSchema, SingleResponseSchema, TenantProjectParamsSchema, commonGetErrorResponses, createApiError, createDataset, deleteDataset, generateId, getDatasetById, listDatasets, updateDataset } from "@inkeep/agents-core";
 
 //#region src/domains/manage/routes/evals/datasets.ts
 const app = new OpenAPIHono();
 const logger = getLogger$1("datasets");
+app.use("/", async (c, next) => {
+	if (c.req.method === "POST") return requireProjectPermission("edit")(c, next);
+	return next();
+});
+app.use("/:datasetId", async (c, next) => {
+	if (["PATCH", "DELETE"].includes(c.req.method)) return requireProjectPermission("edit")(c, next);
+	return next();
+});
 app.openapi(createRoute({
 	method: "get",
 	path: "/",

package/dist/domains/manage/routes/evals/evaluationJobConfigEvaluatorRelations.js

@@ -1,10 +1,15 @@
 import { getLogger as getLogger$1 } from "../../../../logger.js";
+import { requireProjectPermission } from "../../../../middleware/projectAccess.js";
 import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
 import { TenantProjectParamsSchema, commonGetErrorResponses, createApiError, createEvaluationJobConfigEvaluatorRelation, deleteEvaluationJobConfigEvaluatorRelation, generateId, getEvaluationJobConfigEvaluatorRelations } from "@inkeep/agents-core";
 
 //#region src/domains/manage/routes/evals/evaluationJobConfigEvaluatorRelations.ts
 const app = new OpenAPIHono();
 const logger = getLogger$1("evaluationJobConfigEvaluatorRelations");
+app.use("/:configId/evaluators/:evaluatorId", async (c, next) => {
+	if (["POST", "DELETE"].includes(c.req.method)) return requireProjectPermission("edit")(c, next);
+	return next();
+});
 app.openapi(createRoute({
 	method: "get",
 	path: "/{configId}/evaluators",

package/dist/domains/manage/routes/evals/evaluationJobConfigs.js

@@ -1,12 +1,21 @@
 import { getLogger as getLogger$1 } from "../../../../logger.js";
 import runDbClient_default from "../../../../data/db/runDbClient.js";
 import { queueEvaluationJobConversations } from "../../../evals/services/evaluationJob.js";
+import { requireProjectPermission } from "../../../../middleware/projectAccess.js";
 import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
 import { EvaluationJobConfigApiInsertSchema, EvaluationJobConfigApiSelectSchema, EvaluationResultApiSelectSchema, ListResponseSchema, SingleResponseSchema, TenantProjectParamsSchema, commonGetErrorResponses, createApiError, createEvaluationJobConfig, createEvaluationJobConfigEvaluatorRelation, deleteEvaluationJobConfig, generateId, getConversation, getEvaluationJobConfigById, getMessagesByConversation, listEvaluationJobConfigs, listEvaluationResultsByRun, listEvaluationRuns } from "@inkeep/agents-core";
 
 //#region src/domains/manage/routes/evals/evaluationJobConfigs.ts
 const app = new OpenAPIHono();
 const logger = getLogger$1("evaluationJobConfigs");
+app.use("/", async (c, next) => {
+	if (c.req.method === "POST") return requireProjectPermission("edit")(c, next);
+	return next();
+});
+app.use("/:configId", async (c, next) => {
+	if (c.req.method === "DELETE") return requireProjectPermission("edit")(c, next);
+	return next();
+});
 /**
 * Extract plain filter criteria from a potential Filter wrapper.
 * Returns null if the filter is a complex and/or combinator.

package/dist/domains/manage/routes/evals/evaluationResults.d.ts

@@ -1,7 +1,9 @@
+import { ManageAppVariables } from "../../../../types/app.js";
 import { OpenAPIHono } from "@hono/zod-openapi";
-import * as hono18 from "hono";
 
 //#region src/domains/manage/routes/evals/evaluationResults.d.ts
-declare const app: OpenAPIHono<hono18.Env, {}, "/">;
+declare const app: OpenAPIHono<{
+  Variables: ManageAppVariables;
+}, {}, "/">;
 //#endregion
 export { app as default };

package/dist/domains/manage/routes/evals/evaluationResults.js

@@ -1,11 +1,20 @@
 import { getLogger as getLogger$1 } from "../../../../logger.js";
 import runDbClient_default from "../../../../data/db/runDbClient.js";
+import { requireProjectPermission } from "../../../../middleware/projectAccess.js";
 import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
 import { EvaluationResultApiInsertSchema, EvaluationResultApiSelectSchema, EvaluationResultApiUpdateSchema, SingleResponseSchema, TenantProjectParamsSchema, commonGetErrorResponses, createApiError, createEvaluationResult, deleteEvaluationResult, generateId, getEvaluationResultById, updateEvaluationResult } from "@inkeep/agents-core";
 
 //#region src/domains/manage/routes/evals/evaluationResults.ts
 const app = new OpenAPIHono();
 const logger = getLogger$1("evaluationResults");
+app.use("/", async (c, next) => {
+	if (c.req.method === "POST") return requireProjectPermission("edit")(c, next);
+	return next();
+});
+app.use("/:resultId", async (c, next) => {
+	if (["PATCH", "DELETE"].includes(c.req.method)) return requireProjectPermission("edit")(c, next);
+	return next();
+});
 app.openapi(createRoute({
 	method: "get",
 	path: "/{resultId}",

package/dist/domains/manage/routes/evals/evaluationRunConfigs.js

@@ -1,11 +1,20 @@
 import { getLogger as getLogger$1 } from "../../../../logger.js";
 import runDbClient_default from "../../../../data/db/runDbClient.js";
+import { requireProjectPermission } from "../../../../middleware/projectAccess.js";
 import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
 import { EvaluationResultApiSelectSchema, EvaluationRunConfigApiInsertSchema, EvaluationRunConfigApiUpdateSchema, EvaluationRunConfigWithSuiteConfigsApiSelectSchema, ListResponseSchema, SingleResponseSchema, TenantProjectParamsSchema, commonGetErrorResponses, createApiError, createEvaluationRunConfig, createEvaluationRunConfigEvaluationSuiteConfigRelation, deleteEvaluationRunConfig, deleteEvaluationRunConfigEvaluationSuiteConfigRelation, generateId, getConversation, getEvaluationRunConfigById, getEvaluationRunConfigEvaluationSuiteConfigRelations, getMessagesByConversation, listEvaluationResultsByRun, listEvaluationRunConfigsWithSuiteConfigs, listEvaluationRuns, updateEvaluationRunConfig } from "@inkeep/agents-core";
 
 //#region src/domains/manage/routes/evals/evaluationRunConfigs.ts
 const app = new OpenAPIHono();
 const logger = getLogger$1("evaluationRunConfigs");
+app.use("/", async (c, next) => {
+	if (c.req.method === "POST") return requireProjectPermission("edit")(c, next);
+	return next();
+});
+app.use("/:configId", async (c, next) => {
+	if (["PATCH", "DELETE"].includes(c.req.method)) return requireProjectPermission("edit")(c, next);
+	return next();
+});
 app.openapi(createRoute({
 	method: "get",
 	path: "/",

package/dist/domains/manage/routes/evals/evaluationSuiteConfigEvaluatorRelations.js

@@ -1,10 +1,15 @@
 import { getLogger as getLogger$1 } from "../../../../logger.js";
+import { requireProjectPermission } from "../../../../middleware/projectAccess.js";
 import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
 import { TenantProjectParamsSchema, commonGetErrorResponses, createApiError, createEvaluationSuiteConfigEvaluatorRelation, deleteEvaluationSuiteConfigEvaluatorRelation, generateId, getEvaluationSuiteConfigEvaluatorRelations } from "@inkeep/agents-core";
 
 //#region src/domains/manage/routes/evals/evaluationSuiteConfigEvaluatorRelations.ts
 const app = new OpenAPIHono();
 const logger = getLogger$1("evaluationSuiteConfigEvaluatorRelations");
+app.use("/:configId/evaluators/:evaluatorId", async (c, next) => {
+	if (["POST", "DELETE"].includes(c.req.method)) return requireProjectPermission("edit")(c, next);
+	return next();
+});
 app.openapi(createRoute({
 	method: "get",
 	path: "/{configId}/evaluators",

package/dist/domains/manage/routes/evals/evaluationSuiteConfigs.js

@@ -1,10 +1,19 @@
 import { getLogger as getLogger$1 } from "../../../../logger.js";
+import { requireProjectPermission } from "../../../../middleware/projectAccess.js";
 import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
 import { EvaluationSuiteConfigApiInsertSchema, EvaluationSuiteConfigApiSelectSchema, EvaluationSuiteConfigApiUpdateSchema, ListResponseSchema, SingleResponseSchema, TenantProjectParamsSchema, commonGetErrorResponses, createApiError, createEvaluationSuiteConfig, createEvaluationSuiteConfigEvaluatorRelation, deleteEvaluationSuiteConfig, generateId, getEvaluationSuiteConfigById, listEvaluationSuiteConfigs, updateEvaluationSuiteConfig } from "@inkeep/agents-core";
 
 //#region src/domains/manage/routes/evals/evaluationSuiteConfigs.ts
 const app = new OpenAPIHono();
 const logger = getLogger$1("evaluationSuiteConfigs");
+app.use("/", async (c, next) => {
+	if (c.req.method === "POST") return requireProjectPermission("edit")(c, next);
+	return next();
+});
+app.use("/:configId", async (c, next) => {
+	if (["PATCH", "DELETE"].includes(c.req.method)) return requireProjectPermission("edit")(c, next);
+	return next();
+});
 app.openapi(createRoute({
 	method: "get",
 	path: "/",

package/dist/domains/manage/routes/evals/evaluators.js

@@ -1,10 +1,19 @@
 import { getLogger as getLogger$1 } from "../../../../logger.js";
+import { requireProjectPermission } from "../../../../middleware/projectAccess.js";
 import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
 import { EvaluatorApiInsertSchema, EvaluatorApiSelectSchema, EvaluatorApiUpdateSchema, ListResponseSchema, SingleResponseSchema, TenantProjectParamsSchema, commonGetErrorResponses, createApiError, createEvaluator, deleteEvaluator, generateId, getEvaluatorById, getEvaluatorsByIds, listEvaluators, updateEvaluator } from "@inkeep/agents-core";
 
 //#region src/domains/manage/routes/evals/evaluators.ts
 const app = new OpenAPIHono();
 const logger = getLogger$1("evaluators");
+app.use("/", async (c, next) => {
+	if (c.req.method === "POST") return requireProjectPermission("edit")(c, next);
+	return next();
+});
+app.use("/:evaluatorId", async (c, next) => {
+	if (["PATCH", "DELETE"].includes(c.req.method)) return requireProjectPermission("edit")(c, next);
+	return next();
+});
 app.openapi(createRoute({
 	method: "get",
 	path: "/",

package/dist/domains/manage/routes/github.d.ts

@@ -0,0 +1,16 @@
+import { ManageAppVariables } from "../../../types/app.js";
+import { OpenAPIHono } from "@hono/zod-openapi";
+
+//#region src/domains/manage/routes/github.d.ts
+declare const app: OpenAPIHono<{
+  Variables: ManageAppVariables;
+}, {}, "/">;
+declare const STATE_JWT_ISSUER = "inkeep-agents-api";
+declare const STATE_JWT_AUDIENCE = "github-app-install";
+/**
+ * Signs a JWT state token for the GitHub App installation flow.
+ * The state contains the tenantId and expires after 10 minutes.
+ */
+declare function signStateToken(tenantId: string): Promise<string>;
+//#endregion
+export { STATE_JWT_AUDIENCE, STATE_JWT_ISSUER, app as default, signStateToken };