@inkeep/agents-api 0.43.0 → 0.45.0

package/dist/domains/manage/routes/mcpToolGithubAccess.js

@@ -0,0 +1,205 @@
+import { getLogger as getLogger$1 } from "../../../logger.js";
+import runDbClient_default from "../../../data/db/runDbClient.js";
+import { requireProjectPermission } from "../../../middleware/projectAccess.js";
+import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
+import { TenantProjectParamsSchema, WorkAppGitHubAccessModeSchema, WorkAppGitHubAccessSetRequestSchema, WorkAppGitHubAccessSetResponseSchema, WorkAppGitHubRepositorySelectSchema, commonGetErrorResponses, commonUpdateErrorResponses, createApiError, getMcpToolAccessMode, getMcpToolRepositoryAccessWithDetails, getToolById, setMcpToolAccessMode, setMcpToolRepositoryAccess, validateRepositoryOwnership } from "@inkeep/agents-core";
+
+//#region src/domains/manage/routes/mcpToolGithubAccess.ts
+const logger = getLogger$1("mcp-tool-github-access");
+const app = new OpenAPIHono();
+const TenantProjectToolParamsSchema = TenantProjectParamsSchema.extend({ toolId: z.string().min(1).describe("The tool ID") });
+const McpToolGitHubAccessModeSchema = WorkAppGitHubAccessModeSchema.describe("Access mode: \"all\" means the MCP tool has access to all project repositories, \"selected\" means the tool is scoped to specific repositories");
+const SetGitHubAccessRequestSchema = WorkAppGitHubAccessSetRequestSchema.extend({ mode: McpToolGitHubAccessModeSchema });
+const GetGitHubAccessResponseSchema = z.object({
+	mode: McpToolGitHubAccessModeSchema,
+	repositories: z.array(WorkAppGitHubRepositorySelectSchema.extend({ installationAccountLogin: z.string().describe("The GitHub account login for the installation") })).describe("List of repositories the MCP tool has access to (only populated when mode=\"selected\")")
+});
+const SetGitHubAccessResponseSchema = WorkAppGitHubAccessSetResponseSchema.extend({
+	mode: McpToolGitHubAccessModeSchema,
+	repositoryCount: z.number().describe("Number of repositories the MCP tool now has access to (0 when mode=\"all\")")
+});
+async function validateGitHubWorkappTool(db, tenantId, projectId, toolId) {
+	const tool = await getToolById(db)({
+		scopes: {
+			tenantId,
+			projectId
+		},
+		toolId
+	});
+	if (!tool) throw createApiError({
+		code: "not_found",
+		message: `Tool not found: ${toolId}`
+	});
+	if (!tool.isWorkApp) throw createApiError({
+		code: "bad_request",
+		message: "GitHub access can only be configured for workapp MCP tools"
+	});
+	if (!tool.config.mcp.server.url?.includes("/github")) throw createApiError({
+		code: "bad_request",
+		message: "GitHub access can only be configured for GitHub MCP tools"
+	});
+}
+app.use("/", requireProjectPermission("edit"));
+app.openapi(createRoute({
+	method: "get",
+	path: "/",
+	summary: "Get MCP tool GitHub repository access",
+	operationId: "get-mcp-tool-github-access",
+	tags: ["Tools"],
+	description: "Returns the current GitHub repository access configuration for an MCP tool. If mode is \"all\", the tool has access to all repositories the project can access. If mode is \"selected\", the tool is scoped to specific repositories. ",
+	request: { params: TenantProjectToolParamsSchema },
+	responses: {
+		200: {
+			description: "GitHub access configuration retrieved successfully",
+			content: { "application/json": { schema: GetGitHubAccessResponseSchema } }
+		},
+		...commonGetErrorResponses
+	}
+}), async (c) => {
+	const { tenantId, projectId, toolId } = c.req.valid("param");
+	const db = c.get("db");
+	logger.info({
+		tenantId,
+		projectId,
+		toolId
+	}, "Getting MCP tool GitHub access configuration");
+	await validateGitHubWorkappTool(db, tenantId, projectId, toolId);
+	if (await getMcpToolAccessMode(runDbClient_default)(toolId) === "all") {
+		logger.info({
+			tenantId,
+			projectId,
+			toolId
+		}, "MCP tool has access to all project repositories (mode=all)");
+		return c.json({
+			mode: "all",
+			repositories: []
+		}, 200);
+	}
+	const repositoriesWithDetails = await getMcpToolRepositoryAccessWithDetails(runDbClient_default)(toolId);
+	logger.info({
+		tenantId,
+		projectId,
+		toolId,
+		repositoryCount: repositoriesWithDetails.length
+	}, "Got MCP tool GitHub access configuration (mode=selected)");
+	return c.json({
+		mode: "selected",
+		repositories: repositoriesWithDetails.map((repo) => ({
+			id: repo.id,
+			installationDbId: repo.installationDbId,
+			repositoryId: repo.repositoryId,
+			repositoryName: repo.repositoryName,
+			repositoryFullName: repo.repositoryFullName,
+			private: repo.private,
+			createdAt: repo.createdAt,
+			updatedAt: repo.updatedAt,
+			installationAccountLogin: repo.installationAccountLogin
+		}))
+	}, 200);
+});
+app.openapi(createRoute({
+	method: "put",
+	path: "/",
+	summary: "Set MCP tool GitHub repository access",
+	operationId: "set-mcp-tool-github-access",
+	tags: ["Tools"],
+	description: "Configures which GitHub repositories an MCP tool can access. When mode is \"all\", the tool has access to all repositories the project can access. When mode is \"selected\", the tool is scoped to specific repositories (repositoryIds required). This replaces any existing access configuration. This endpoint only works for GitHub workapp MCP tools (isWorkApp=true and URL contains /github).",
+	request: {
+		params: TenantProjectToolParamsSchema,
+		body: { content: { "application/json": { schema: SetGitHubAccessRequestSchema } } }
+	},
+	responses: {
+		200: {
+			description: "GitHub access configuration updated successfully",
+			content: { "application/json": { schema: SetGitHubAccessResponseSchema } }
+		},
+		...commonUpdateErrorResponses
+	}
+}), async (c) => {
+	const { tenantId, projectId, toolId } = c.req.valid("param");
+	const { mode, repositoryIds } = c.req.valid("json");
+	const db = c.get("db");
+	logger.info({
+		tenantId,
+		projectId,
+		toolId,
+		mode
+	}, "Setting MCP tool GitHub access configuration");
+	await validateGitHubWorkappTool(db, tenantId, projectId, toolId);
+	if (mode === "selected") {
+		if (!repositoryIds || repositoryIds.length === 0) {
+			logger.warn({
+				tenantId,
+				projectId,
+				toolId
+			}, "repositoryIds required when mode is selected");
+			throw createApiError({
+				code: "bad_request",
+				message: "repositoryIds is required when mode is \"selected\""
+			});
+		}
+		const invalidRepoIds = await validateRepositoryOwnership(runDbClient_default)({
+			tenantId,
+			repositoryIds
+		});
+		if (invalidRepoIds.length > 0) {
+			logger.warn({
+				tenantId,
+				projectId,
+				toolId,
+				invalidRepoIds
+			}, "Some repository IDs do not belong to tenant installations");
+			throw createApiError({
+				code: "bad_request",
+				message: `Invalid repository IDs: ${invalidRepoIds.join(", ")}. Repositories must belong to GitHub installations owned by this tenant.`
+			});
+		}
+		await setMcpToolAccessMode(runDbClient_default)({
+			toolId,
+			tenantId,
+			projectId,
+			mode: "selected"
+		});
+		await setMcpToolRepositoryAccess(runDbClient_default)({
+			toolId,
+			tenantId,
+			projectId,
+			repositoryIds
+		});
+		logger.info({
+			tenantId,
+			projectId,
+			toolId,
+			repositoryCount: repositoryIds.length
+		}, "MCP tool GitHub access set to selected repositories");
+		return c.json({
+			mode: "selected",
+			repositoryCount: repositoryIds.length
+		}, 200);
+	}
+	await setMcpToolAccessMode(runDbClient_default)({
+		toolId,
+		tenantId,
+		projectId,
+		mode: "all"
+	});
+	await setMcpToolRepositoryAccess(runDbClient_default)({
+		toolId,
+		tenantId,
+		projectId,
+		repositoryIds: []
+	});
+	logger.info({
+		tenantId,
+		projectId,
+		toolId
+	}, "MCP tool GitHub access set to all project repositories");
+	return c.json({
+		mode: "all",
+		repositoryCount: 0
+	}, 200);
+});
+var mcpToolGithubAccess_default = app;
+
+//#endregion
+export { mcpToolGithubAccess_default as default };

package/dist/domains/manage/routes/playgroundToken.js

@@ -109,8 +109,9 @@ app.openapi(createRoute({
 		initiatedBy: {
 			type: "user",
 			id: userId
-		}
-	}, userId);
+		},
+		sub: userId
+	});
 	logger.info({
 		userId,
 		expiresAt: result.expiresAt

package/dist/domains/manage/routes/projectGithubAccess.d.ts

@@ -0,0 +1,9 @@
+import { ManageAppVariables } from "../../../types/app.js";
+import { OpenAPIHono } from "@hono/zod-openapi";
+
+//#region src/domains/manage/routes/projectGithubAccess.d.ts
+declare const app: OpenAPIHono<{
+  Variables: ManageAppVariables;
+}, {}, "/">;
+//#endregion
+export { app as default };

package/dist/domains/manage/routes/projectGithubAccess.js

@@ -0,0 +1,167 @@
+import { getLogger as getLogger$1 } from "../../../logger.js";
+import runDbClient_default from "../../../data/db/runDbClient.js";
+import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
+import { TenantProjectParamsSchema, WorkAppGitHubAccessGetResponseSchema, WorkAppGitHubAccessModeSchema, WorkAppGitHubAccessSetRequestSchema, WorkAppGitHubAccessSetResponseSchema, commonGetErrorResponses, commonUpdateErrorResponses, createApiError, getProjectAccessMode, getProjectRepositoryAccessWithDetails, setProjectAccessMode, setProjectRepositoryAccess, validateRepositoryOwnership } from "@inkeep/agents-core";
+
+//#region src/domains/manage/routes/projectGithubAccess.ts
+const logger = getLogger$1("project-github-access");
+const app = new OpenAPIHono();
+const ProjectGitHubAccessModeSchema = WorkAppGitHubAccessModeSchema.describe("Access mode: \"all\" means project has access to all tenant repositories, \"selected\" means project is scoped to specific repositories");
+const SetGitHubAccessRequestSchema = WorkAppGitHubAccessSetRequestSchema.extend({ mode: ProjectGitHubAccessModeSchema });
+const GetGitHubAccessResponseSchema = WorkAppGitHubAccessGetResponseSchema.extend({ mode: ProjectGitHubAccessModeSchema }).describe("GitHub access configuration for a project");
+const SetGitHubAccessResponseSchema = WorkAppGitHubAccessSetResponseSchema.extend({
+	mode: ProjectGitHubAccessModeSchema,
+	repositoryCount: z.number().describe("Number of repositories the project now has access to (0 when mode=\"all\")")
+});
+app.openapi(createRoute({
+	method: "get",
+	path: "/",
+	summary: "Get project GitHub repository access",
+	operationId: "get-project-github-access",
+	tags: ["Projects"],
+	description: "Returns the current GitHub repository access configuration for a project. If mode is \"all\", the project has access to all repositories from tenant GitHub installations. If mode is \"selected\", the project is scoped to specific repositories.",
+	request: { params: TenantProjectParamsSchema },
+	responses: {
+		200: {
+			description: "GitHub access configuration retrieved successfully",
+			content: { "application/json": { schema: GetGitHubAccessResponseSchema } }
+		},
+		...commonGetErrorResponses
+	}
+}), async (c) => {
+	const { tenantId, projectId } = c.req.valid("param");
+	logger.info({
+		tenantId,
+		projectId
+	}, "Getting project GitHub access configuration");
+	if (await getProjectAccessMode(runDbClient_default)({
+		tenantId,
+		projectId
+	}) === "all") {
+		logger.info({
+			tenantId,
+			projectId
+		}, "Project has access to all repositories (mode=all)");
+		return c.json({
+			mode: "all",
+			repositories: []
+		}, 200);
+	}
+	const repositoriesWithDetails = await getProjectRepositoryAccessWithDetails(runDbClient_default)({
+		tenantId,
+		projectId
+	});
+	logger.info({
+		tenantId,
+		projectId,
+		repositoryCount: repositoriesWithDetails.length
+	}, "Got project GitHub access configuration (mode=selected)");
+	return c.json({
+		mode: "selected",
+		repositories: repositoriesWithDetails.map((repo) => ({
+			id: repo.id,
+			installationDbId: repo.installationDbId,
+			repositoryId: repo.repositoryId,
+			repositoryName: repo.repositoryName,
+			repositoryFullName: repo.repositoryFullName,
+			private: repo.private,
+			createdAt: repo.createdAt,
+			updatedAt: repo.updatedAt
+		}))
+	}, 200);
+});
+app.openapi(createRoute({
+	method: "put",
+	path: "/",
+	summary: "Set project GitHub repository access",
+	operationId: "set-project-github-access",
+	tags: ["Projects"],
+	description: "Configures which GitHub repositories a project can access. When mode is \"all\", the project has access to all repositories from tenant GitHub installations. When mode is \"selected\", the project is scoped to specific repositories (repositoryIds required). This replaces any existing access configuration.",
+	request: {
+		params: TenantProjectParamsSchema,
+		body: { content: { "application/json": { schema: SetGitHubAccessRequestSchema } } }
+	},
+	responses: {
+		200: {
+			description: "GitHub access configuration updated successfully",
+			content: { "application/json": { schema: SetGitHubAccessResponseSchema } }
+		},
+		...commonUpdateErrorResponses
+	}
+}), async (c) => {
+	const { tenantId, projectId } = c.req.valid("param");
+	const { mode, repositoryIds } = c.req.valid("json");
+	logger.info({
+		tenantId,
+		projectId,
+		mode
+	}, "Setting project GitHub access configuration");
+	if (mode === "selected") {
+		if (!repositoryIds || repositoryIds.length === 0) {
+			logger.warn({
+				tenantId,
+				projectId
+			}, "repositoryIds required when mode is selected");
+			throw createApiError({
+				code: "bad_request",
+				message: "repositoryIds is required when mode is \"selected\""
+			});
+		}
+		const invalidRepoIds = await validateRepositoryOwnership(runDbClient_default)({
+			tenantId,
+			repositoryIds
+		});
+		if (invalidRepoIds.length > 0) {
+			logger.warn({
+				tenantId,
+				projectId,
+				invalidRepoIds
+			}, "Some repository IDs do not belong to tenant installations");
+			throw createApiError({
+				code: "bad_request",
+				message: `Invalid repository IDs: ${invalidRepoIds.join(", ")}. Repositories must belong to GitHub installations owned by this tenant.`
+			});
+		}
+		await setProjectAccessMode(runDbClient_default)({
+			tenantId,
+			projectId,
+			mode: "selected"
+		});
+		await setProjectRepositoryAccess(runDbClient_default)({
+			tenantId,
+			projectId,
+			repositoryIds
+		});
+		logger.info({
+			tenantId,
+			projectId,
+			repositoryCount: repositoryIds.length
+		}, "Project GitHub access set to selected repositories");
+		return c.json({
+			mode: "selected",
+			repositoryCount: repositoryIds.length
+		}, 200);
+	}
+	await setProjectAccessMode(runDbClient_default)({
+		tenantId,
+		projectId,
+		mode: "all"
+	});
+	await setProjectRepositoryAccess(runDbClient_default)({
+		tenantId,
+		projectId,
+		repositoryIds: []
+	});
+	logger.info({
+		tenantId,
+		projectId
+	}, "Project GitHub access set to all repositories");
+	return c.json({
+		mode: "all",
+		repositoryCount: 0
+	}, 200);
+});
+var projectGithubAccess_default = app;
+
+//#endregion
+export { projectGithubAccess_default as default };

package/dist/domains/manage/routes/projectMembers.js

@@ -1,6 +1,6 @@
 import { requireProjectPermission } from "../../../middleware/projectAccess.js";
 import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
-import { ProjectRoles, changeProjectRole, commonGetErrorResponses, createApiError, grantProjectAccess, isAuthzEnabled, listProjectMembers, revokeProjectAccess } from "@inkeep/agents-core";
+import { ProjectRoles, changeProjectRole, commonGetErrorResponses, createApiError, grantProjectAccess, listProjectMembers, revokeProjectAccess } from "@inkeep/agents-core";
 
 //#region src/domains/manage/routes/projectMembers.ts
 const app = new OpenAPIHono();
@@ -51,7 +51,6 @@ app.openapi(createRoute({
 	}
 }), async (c) => {
 	const { projectId, tenantId } = c.req.valid("param");
-	if (!isAuthzEnabled()) return c.json({ data: [] });
 	const members = await listProjectMembers({
 		tenantId,
 		projectId
@@ -83,10 +82,6 @@ app.openapi(createRoute({
 }), async (c) => {
 	const { projectId, tenantId } = c.req.valid("param");
 	const { userId, role } = c.req.valid("json");
-	if (!isAuthzEnabled()) throw createApiError({
-		code: "bad_request",
-		message: "Project member management requires authorization to be enabled (ENABLE_AUTHZ=true)"
-	});
 	await grantProjectAccess({
 		tenantId,
 		projectId,
@@ -120,10 +115,6 @@ app.openapi(createRoute({
 }), async (c) => {
 	const { projectId, userId, tenantId } = c.req.valid("param");
 	const { role: newRole, previousRole } = c.req.valid("json");
-	if (!isAuthzEnabled()) throw createApiError({
-		code: "bad_request",
-		message: "Project member management requires authorization to be enabled (ENABLE_AUTHZ=true)"
-	});
 	if (!previousRole) throw createApiError({
 		code: "bad_request",
 		message: "previousRole is required to update a member role"
@@ -164,10 +155,6 @@ app.openapi(createRoute({
 }), async (c) => {
 	const { projectId, userId, tenantId } = c.req.valid("param");
 	const { role } = c.req.valid("query");
-	if (!isAuthzEnabled()) throw createApiError({
-		code: "bad_request",
-		message: "Project member management requires authorization to be enabled (ENABLE_AUTHZ=true)"
-	});
 	await revokeProjectAccess({
 		tenantId,
 		projectId,

package/dist/domains/manage/routes/projectPermissions.js

@@ -1,6 +1,5 @@
-import { env } from "../../../env.js";
 import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
-import { OrgRoles, SpiceDbProjectPermissions, SpiceDbResourceTypes, checkBulkPermissions, commonGetErrorResponses, createApiError, isAuthzEnabled } from "@inkeep/agents-core";
+import { OrgRoles, SpiceDbProjectPermissions, SpiceDbResourceTypes, checkBulkPermissions, commonGetErrorResponses, createApiError } from "@inkeep/agents-core";
 
 //#region src/domains/manage/routes/projectPermissions.ts
 const app = new OpenAPIHono();
@@ -32,8 +31,7 @@ app.openapi(createRoute({
 	const { projectId } = c.req.valid("param");
 	const userId = c.get("userId");
 	const tenantRole = c.get("tenantRole");
-	const isTestEnvironment = process.env.ENVIRONMENT === "test";
-	if (env.DISABLE_AUTH || isTestEnvironment) return c.json({ data: {
+	if (process.env.ENVIRONMENT === "test") return c.json({ data: {
 		canView: true,
 		canUse: true,
 		canEdit: true
@@ -43,11 +41,6 @@ app.openapi(createRoute({
 		canUse: true,
 		canEdit: true
 	} });
-	if (!isAuthzEnabled()) return c.json({ data: {
-		canView: true,
-		canUse: true,
-		canEdit: false
-	} });
 	if (!userId) throw createApiError({
 		code: "unauthorized",
 		message: "User not found"

package/dist/domains/manage/routes/projects.js

@@ -4,7 +4,7 @@ import { requireProjectPermission } from "../../../middleware/projectAccess.js";
 import { speakeasyOffsetLimitPagination } from "../../../utils/speakeasy.js";
 import { requirePermission } from "../../../middleware/requirePermission.js";
 import { OpenAPIHono, createRoute } from "@hono/zod-openapi";
-import { ErrorResponseSchema, PaginationQueryParamsSchema, ProjectApiInsertSchema, ProjectApiUpdateSchema, ProjectListResponse, ProjectResponse, TenantIdParamsSchema, TenantParamsSchema, cascadeDeleteByProject, commonGetErrorResponses, createApiError, createProject, createProjectMetadataAndBranch, deleteProject, deleteProjectWithBranch, doltCheckout, getProject, getProjectMainBranchName, isAuthzEnabled, listAccessibleProjectIds, listProjectsWithMetadataPaginated, removeProjectFromSpiceDb, syncProjectToSpiceDb, updateProject } from "@inkeep/agents-core";
+import { ErrorResponseSchema, PaginationQueryParamsSchema, ProjectApiInsertSchema, ProjectApiUpdateSchema, ProjectListResponse, ProjectResponse, TenantIdParamsSchema, TenantParamsSchema, cascadeDeleteByProject, commonGetErrorResponses, createApiError, createProject, createProjectMetadataAndBranch, deleteProject, deleteProjectWithBranch, doltCheckout, getProject, getProjectMainBranchName, listAccessibleProjectIds, listProjectsWithMetadataPaginated, removeProjectFromSpiceDb, syncProjectToSpiceDb, updateProject } from "@inkeep/agents-core";
 
 //#region src/domains/manage/routes/projects.ts
 const app = new OpenAPIHono();
@@ -45,7 +45,7 @@ app.openapi(createRoute({
 	const page = Number(c.req.query("page")) || 1;
 	const limit = Math.min(Number(c.req.query("limit")) || 10, 100);
 	let accessibleIds;
-	if (isAuthzEnabled() && userId) {
+	if (userId) {
 		const result$1 = await listAccessibleProjectIds({
 			userId,
 			orgRole: tenantRole
@@ -148,20 +148,18 @@ app.openapi(createRoute({
 			tenantId,
 			...body
 		});
-		if (isAuthzEnabled()) {
-			if (!userId) throw createApiError({
-				code: "unauthorized",
-				message: "User not found"
+		if (!userId) throw createApiError({
+			code: "unauthorized",
+			message: "User not found"
+		});
+		try {
+			await syncProjectToSpiceDb({
+				tenantId,
+				projectId: body.id,
+				creatorUserId: userId
 			});
-			try {
-				await syncProjectToSpiceDb({
-					tenantId,
-					projectId: body.id,
-					creatorUserId: userId
-				});
-			} catch (syncError) {
-				console.warn("Failed to sync project to SpiceDB:", syncError);
-			}
+		} catch (syncError) {
+			console.warn("Failed to sync project to SpiceDB:", syncError);
 		}
 		return c.json({ data: {
 			...projectConfig,
@@ -255,7 +253,7 @@ app.openapi(createRoute({
 			code: "not_found",
 			message: "Project not found"
 		});
-		if (isAuthzEnabled()) try {
+		try {
 			await removeProjectFromSpiceDb({
 				tenantId,
 				projectId: id

package/dist/domains/manage/routes/signoz.d.ts

@@ -1,10 +1,10 @@
 import { ManageAppVariables } from "../../../types/app.js";
 import { Hono } from "hono";
-import * as hono_types17 from "hono/types";
+import * as hono_types10 from "hono/types";
 
 //#region src/domains/manage/routes/signoz.d.ts
 declare const app: Hono<{
   Variables: ManageAppVariables;
-}, hono_types17.BlankSchema, "/">;
+}, hono_types10.BlankSchema, "/">;
 //#endregion
 export { app as default };

package/dist/domains/manage/routes/signoz.js

@@ -1,8 +1,8 @@
 import { getLogger as getLogger$1 } from "../../../logger.js";
 import { env } from "../../../env.js";
 import { enforceSecurityFilters } from "../../../utils/signozHelpers.js";
+import { canViewProject, createApiError } from "@inkeep/agents-core";
 import { Hono } from "hono";
-import { createApiError, projectExists } from "@inkeep/agents-core";
 import axios from "axios";
 
 //#region src/domains/manage/routes/signoz.ts
@@ -12,10 +12,12 @@ app.post("/query", async (c) => {
 	let payload = await c.req.json();
 	const requestedProjectId = payload.projectId;
 	const tenantId = c.get("tenantId");
-	const db = c.get("db");
-	if (!tenantId) throw createApiError({
+	const userId = c.get("userId");
+	const tenantRole = c.get("tenantRole");
+	if (!userId || !tenantId) throw createApiError({
 		code: "unauthorized",
-		message: "Tenant ID not found"
+		message: "User or organization context not found",
+		instance: c.req.path
 	});
 	logger.debug({
 		tenantId,
@@ -23,18 +25,22 @@ app.post("/query", async (c) => {
 		hasProjectId: !!requestedProjectId
 	}, "Processing SigNoz query request");
 	if (requestedProjectId) {
-		if (!await projectExists(db)({
-			tenantId,
-			projectId: requestedProjectId
-		})) {
-			logger.warn({
-				tenantId,
-				projectId: requestedProjectId
-			}, "Project not found or access denied");
-			return c.json({
-				error: "Forbidden",
-				message: "You do not have access to this project"
-			}, 403);
+		if (!(userId === "system" || userId?.startsWith("apikey:"))) {
+			if (!await canViewProject({
+				userId,
+				projectId: requestedProjectId,
+				orgRole: tenantRole
+			})) {
+				logger.warn({
+					tenantId,
+					projectId: requestedProjectId,
+					userId
+				}, "Project not found or access denied");
+				return c.json({
+					error: "Forbidden",
+					message: "You do not have access to this project"
+				}, 403);
+			}
 		}
 	}
 	payload = enforceSecurityFilters(payload, tenantId, requestedProjectId);

package/dist/domains/manage/routes/tools.js

@@ -161,7 +161,8 @@ app.openapi(createRoute({
 		credentialReferenceId: body.credentialReferenceId,
 		credentialScope: body.credentialScope,
 		imageUrl: body.imageUrl,
-		headers: body.headers
+		headers: body.headers,
+		isWorkApp: body.isWorkApp
 	});
 	return c.json({ data: await dbResultToMcpTool(tool, db, credentialStores, void 0, userId) }, 201);
 });
@@ -204,7 +205,8 @@ app.openapi(createRoute({
 			credentialReferenceId: body.credentialReferenceId,
 			credentialScope: body.credentialScope,
 			imageUrl: body.imageUrl,
-			headers: body.headers
+			headers: body.headers,
+			isWorkApp: body.isWorkApp
 		}
 	});
 	if (!updatedTool) throw createApiError({

package/dist/domains/manage/routes/userOrganizations.d.ts

@@ -1,9 +1,10 @@
 import { ManageAppVariables } from "../../../types/app.js";
-import { OpenAPIHono } from "@hono/zod-openapi";
+import { Hono } from "hono";
+import * as hono_types13 from "hono/types";
 
 //#region src/domains/manage/routes/userOrganizations.d.ts
-declare const userOrganizationsRoutes: OpenAPIHono<{
+declare const userOrganizationsRoutes: Hono<{
   Variables: ManageAppVariables;
-}, {}, "/">;
+}, hono_types13.BlankSchema, "/">;
 //#endregion
 export { userOrganizationsRoutes as default };