@inkeep/agents-api 0.43.0 → 0.45.0

package/dist/middleware/branchScopedDb.d.ts

@@ -1,5 +1,5 @@
-import { Context, Next } from "hono";
 import { AgentsManageDatabaseClient } from "@inkeep/agents-core";
+import { Context, Next } from "hono";
 import { Pool } from "pg";
 
 //#region src/middleware/branchScopedDb.d.ts

package/dist/middleware/evalsAuth.d.ts

@@ -1,5 +1,5 @@
-import * as hono0 from "hono";
 import { BaseExecutionContext } from "@inkeep/agents-core";
+import * as hono0 from "hono";
 
 //#region src/middleware/evalsAuth.d.ts
 

package/dist/middleware/manageAuth.d.ts

@@ -1,5 +1,5 @@
-import * as hono4 from "hono";
 import { BaseExecutionContext } from "@inkeep/agents-core";
+import * as hono4 from "hono";
 import { createAuth } from "@inkeep/agents-core/auth";
 
 //#region src/middleware/manageAuth.d.ts

package/dist/middleware/projectAccess.d.ts

@@ -1,24 +1,15 @@
 import { ManageAppVariables } from "../types/app.js";
-import * as hono3 from "hono";
 import { ProjectPermissionLevel } from "@inkeep/agents-core";
+import * as hono5 from "hono";
 
 //#region src/middleware/projectAccess.d.ts
-
 /**
  * Middleware to check project-level access.
- *
- * When ENABLE_AUTHZ is false:
- * - 'view' permission: all org members can view
- * - 'edit': only org owner/admin
- *
- * When ENABLE_AUTHZ is true:
- * - Uses SpiceDB to check permissions
- * - Org owner/admin bypass (handled in canViewProject etc.)
  */
 declare const requireProjectPermission: <Env$1 extends {
   Variables: ManageAppVariables;
 } = {
   Variables: ManageAppVariables;
-}>(permission?: ProjectPermissionLevel) => hono3.MiddlewareHandler<Env$1, string, {}, Response>;
+}>(permission?: ProjectPermissionLevel) => hono5.MiddlewareHandler<Env$1, string, {}, Response>;
 //#endregion
 export { requireProjectPermission };

package/dist/middleware/projectAccess.js

@@ -1,23 +1,13 @@
-import { env } from "../env.js";
-import { canEditProject, canUseProject, canViewProject, createApiError, isAuthzEnabled } from "@inkeep/agents-core";
+import { canEditProject, canUseProject, canViewProject, createApiError } from "@inkeep/agents-core";
 import { createMiddleware } from "hono/factory";
 import { HTTPException } from "hono/http-exception";
 
 //#region src/middleware/projectAccess.ts
 /**
 * Middleware to check project-level access.
-*
-* When ENABLE_AUTHZ is false:
-* - 'view' permission: all org members can view
-* - 'edit': only org owner/admin
-*
-* When ENABLE_AUTHZ is true:
-* - Uses SpiceDB to check permissions
-* - Org owner/admin bypass (handled in canViewProject etc.)
 */
 const requireProjectPermission = (permission = "view") => createMiddleware(async (c, next) => {
-	const isTestEnvironment = process.env.ENVIRONMENT === "test";
-	if (env.DISABLE_AUTH || isTestEnvironment) {
+	if (process.env.ENVIRONMENT === "test") {
 		await next();
 		return;
 	}
@@ -64,27 +54,11 @@ const requireProjectPermission = (permission = "view") => createMiddleware(async
 				});
 				break;
 		}
-		if (!hasAccess) {
-			if (isAuthzEnabled()) throw createApiError({
-				code: "not_found",
-				message: "Project not found",
-				instance: c.req.path
-			});
-			throw createApiError({
-				code: "forbidden",
-				message: `Permission denied. Required: project:${permission}`,
-				instance: c.req.path,
-				extensions: {
-					requiredPermissions: [`project:${permission}`],
-					context: {
-						userId,
-						organizationId: tenantId,
-						projectId,
-						currentRole: tenantRole
-					}
-				}
-			});
-		}
+		if (!hasAccess) throw createApiError({
+			code: "not_found",
+			message: "Project not found",
+			instance: c.req.path
+		});
 		await next();
 	} catch (error) {
 		if (error instanceof HTTPException) throw error;

package/dist/middleware/projectConfig.d.ts

@@ -1,11 +1,11 @@
-import * as hono1 from "hono";
 import { BaseExecutionContext, ResolvedRef } from "@inkeep/agents-core";
+import * as hono6 from "hono";
 
 //#region src/middleware/projectConfig.d.ts
 /**
  * Middleware that fetches the full project definition from the Management API
  */
-declare const projectConfigMiddleware: hono1.MiddlewareHandler<{
+declare const projectConfigMiddleware: hono6.MiddlewareHandler<{
   Variables: {
     executionContext: BaseExecutionContext;
     resolvedRef: ResolvedRef;
@@ -15,7 +15,7 @@ declare const projectConfigMiddleware: hono1.MiddlewareHandler<{
  * Creates a middleware that applies project config fetching except for specified route patterns
  * @param skipRouteCheck - Function that returns true if the route should skip the middleware
  */
-declare const projectConfigMiddlewareExcept: (skipRouteCheck: (path: string) => boolean) => hono1.MiddlewareHandler<{
+declare const projectConfigMiddlewareExcept: (skipRouteCheck: (path: string) => boolean) => hono6.MiddlewareHandler<{
   Variables: {
     executionContext: BaseExecutionContext;
     resolvedRef: ResolvedRef;

package/dist/middleware/ref.d.ts

@@ -1,5 +1,5 @@
-import { Context, Next } from "hono";
 import { AgentsManageDatabaseClient, ResolvedRef } from "@inkeep/agents-core";
+import { Context, Next } from "hono";
 
 //#region src/middleware/ref.d.ts
 type RefContext = {

package/dist/middleware/requirePermission.d.ts

@@ -1,5 +1,5 @@
 import { ManageAppVariables } from "../types/app.js";
-import * as hono14 from "hono";
+import * as hono9 from "hono";
 
 //#region src/middleware/requirePermission.d.ts
 type Permission = {
@@ -9,6 +9,6 @@ declare const requirePermission: <Env$1 extends {
   Variables: ManageAppVariables;
 } = {
   Variables: ManageAppVariables;
-}>(permissions: Permission) => hono14.MiddlewareHandler<Env$1, string, {}, Response>;
+}>(permissions: Permission) => hono9.MiddlewareHandler<Env$1, string, {}, Response>;
 //#endregion
 export { requirePermission };

package/dist/middleware/requirePermission.js

@@ -1,4 +1,3 @@
-import { env } from "../env.js";
 import { createApiError } from "@inkeep/agents-core";
 import { createMiddleware } from "hono/factory";
 import { HTTPException } from "hono/http-exception";
@@ -15,7 +14,7 @@ function formatPermissionsForDisplay(permissions) {
 const requirePermission = (permissions) => createMiddleware(async (c, next) => {
 	const isTestEnvironment = process.env.ENVIRONMENT === "test";
 	const auth = c.get("auth");
-	if (env.DISABLE_AUTH || isTestEnvironment || !auth) {
+	if (isTestEnvironment || !auth) {
 		await next();
 		return;
 	}

package/dist/middleware/runAuth.d.ts

@@ -1,8 +1,8 @@
-import * as hono5 from "hono";
 import { BaseExecutionContext } from "@inkeep/agents-core";
+import * as hono10 from "hono";
 
 //#region src/middleware/runAuth.d.ts
-declare const runApiKeyAuth: () => hono5.MiddlewareHandler<{
+declare const runApiKeyAuth: () => hono10.MiddlewareHandler<{
   Variables: {
     executionContext: BaseExecutionContext;
   };
@@ -11,7 +11,7 @@ declare const runApiKeyAuth: () => hono5.MiddlewareHandler<{
  * Creates a middleware that applies API key authentication except for specified route patterns
  * @param skipRouteCheck - Function that returns true if the route should skip authentication
  */
-declare const runApiKeyAuthExcept: (skipRouteCheck: (path: string) => boolean) => hono5.MiddlewareHandler<{
+declare const runApiKeyAuthExcept: (skipRouteCheck: (path: string) => boolean) => hono10.MiddlewareHandler<{
   Variables: {
     executionContext: BaseExecutionContext;
   };
@@ -20,7 +20,7 @@ declare const runApiKeyAuthExcept: (skipRouteCheck: (path: string) => boolean) =
  * Helper middleware for endpoints that optionally support API key authentication
  * If no auth header is present, it continues without setting the executionContext
  */
-declare const runOptionalAuth: () => hono5.MiddlewareHandler<{
+declare const runOptionalAuth: () => hono10.MiddlewareHandler<{
   Variables: {
     executionContext?: BaseExecutionContext;
   };

package/dist/middleware/runAuth.js

@@ -2,7 +2,7 @@ import { getLogger as getLogger$1 } from "../logger.js";
 import { env } from "../env.js";
 import runDbClient_default from "../data/db/runDbClient.js";
 import { createBaseExecutionContext } from "../types/runExecutionContext.js";
-import { validateAndGetApiKey, validateTargetAgent, verifyServiceToken, verifyTempToken } from "@inkeep/agents-core";
+import { canUseProjectStrict, validateAndGetApiKey, validateTargetAgent, verifyServiceToken, verifyTempToken } from "@inkeep/agents-core";
 import { createMiddleware } from "hono/factory";
 import { HTTPException } from "hono/http-exception";
 
@@ -51,21 +51,56 @@ function buildExecutionContext(authResult, reqData) {
 }
 /**
 * Attempts to authenticate using a JWT temporary token
+*
+* Throws HTTPException(403) if the JWT is valid but the user lacks permission.
+* Returns null if the token is not a temp JWT (allowing fallback to other auth methods).
 */
 async function tryTempJwtAuth(apiKey) {
 	if (!apiKey.startsWith("eyJ") || !env.INKEEP_AGENTS_TEMP_JWT_PUBLIC_KEY) return null;
 	try {
 		const payload = await verifyTempToken(Buffer.from(env.INKEEP_AGENTS_TEMP_JWT_PUBLIC_KEY, "base64").toString("utf-8"), apiKey);
-		logger.info({}, "JWT temp token authenticated successfully");
+		const userId = payload.sub;
+		const projectId = payload.projectId;
+		const agentId = payload.agentId;
+		if (!projectId || !agentId) {
+			logger.warn({ userId }, "Missing projectId or agentId in JWT");
+			throw new HTTPException(400, { message: "Invalid token: missing projectId or agentId" });
+		}
+		let canUse;
+		try {
+			canUse = await canUseProjectStrict({
+				userId,
+				projectId
+			});
+		} catch (error) {
+			logger.error({
+				error,
+				userId,
+				projectId
+			}, "SpiceDB permission check failed");
+			throw new HTTPException(503, { message: "Authorization service temporarily unavailable" });
+		}
+		if (!canUse) {
+			logger.warn({
+				userId,
+				projectId
+			}, "User does not have use permission on project");
+			throw new HTTPException(403, { message: "Access denied: insufficient permissions" });
+		}
+		logger.info({
+			projectId,
+			agentId
+		}, "JWT temp token authenticated successfully");
 		return {
 			apiKey,
 			tenantId: payload.tenantId,
-			projectId: payload.projectId,
-			agentId: payload.agentId,
+			projectId,
+			agentId,
 			apiKeyId: "temp-jwt",
 			metadata: { initiatedBy: payload.initiatedBy }
 		};
 	} catch (error) {
+		if (error instanceof HTTPException) throw error;
 		logger.debug({ error }, "JWT verification failed");
 		return null;
 	}

package/dist/middleware/sessionAuth.d.ts

@@ -1,4 +1,4 @@
-import * as hono8 from "hono";
+import * as hono13 from "hono";
 
 //#region src/middleware/sessionAuth.d.ts
 
@@ -7,11 +7,11 @@ import * as hono8 from "hono";
  * Requires that a user has already been authenticated via Better Auth session.
  * Used primarily for manage routes that require an active user session.
  */
-declare const sessionAuth: () => hono8.MiddlewareHandler<any, string, {}, Response>;
+declare const sessionAuth: () => hono13.MiddlewareHandler<any, string, {}, Response>;
 /**
  * Global session middleware - sets user and session in context for all routes
  * Used for all routes that require an active user session.
  */
-declare const sessionContext: () => hono8.MiddlewareHandler<any, string, {}, Response>;
+declare const sessionContext: () => hono13.MiddlewareHandler<any, string, {}, Response>;
 //#endregion
 export { sessionAuth, sessionContext };

package/dist/middleware/sessionAuth.js

@@ -1,4 +1,3 @@
-import { env } from "../env.js";
 import { createApiError } from "@inkeep/agents-core";
 import { createMiddleware } from "hono/factory";
 import { HTTPException } from "hono/http-exception";
@@ -33,7 +32,7 @@ const sessionAuth = () => createMiddleware(async (c, next) => {
 */
 const sessionContext = () => createMiddleware(async (c, next) => {
 	const auth = c.get("auth");
-	if (env.DISABLE_AUTH || !auth) {
+	if (!auth) {
 		c.set("user", null);
 		c.set("session", null);
 		await next();

package/dist/middleware/tracing.d.ts

@@ -1,7 +1,7 @@
-import * as hono10 from "hono";
+import * as hono16 from "hono";
 
 //#region src/middleware/tracing.d.ts
-declare const otelBaggageMiddleware: () => hono10.MiddlewareHandler<any, string, {}, Response>;
-declare const executionBaggageMiddleware: () => hono10.MiddlewareHandler<any, string, {}, Response>;
+declare const otelBaggageMiddleware: () => hono16.MiddlewareHandler<any, string, {}, Response>;
+declare const executionBaggageMiddleware: () => hono16.MiddlewareHandler<any, string, {}, Response>;
 //#endregion
 export { executionBaggageMiddleware, otelBaggageMiddleware };

package/dist/openapi.d.ts

@@ -19,7 +19,7 @@ declare const TagToDescription: {
   'External Agents': string;
   'Function Tools': string;
   Functions: string;
-  Invitations: string;
+  GitHub: string;
   MCP: string;
   'MCP Catalog': string;
   OAuth: string;
@@ -31,7 +31,6 @@ declare const TagToDescription: {
   'Third-Party MCP Servers': string;
   Tools: string;
   Triggers: string;
-  'User Organizations': string;
   'User Project Memberships': string;
   Webhooks: string;
   Workflows: string;

package/dist/openapi.js

@@ -18,7 +18,7 @@ const TagToDescription = {
 	"External Agents": "Operations for managing external agents",
 	"Function Tools": "Operations for managing function tools",
 	Functions: "Operations for managing functions",
-	Invitations: "Operations for managing invitations",
+	GitHub: "GitHub App integration endpoints",
 	MCP: "MCP (Model Context Protocol) endpoints",
 	"MCP Catalog": "Operations for MCP catalog",
 	OAuth: "OAuth authentication endpoints",
@@ -30,7 +30,6 @@ const TagToDescription = {
 	"Third-Party MCP Servers": "Operations for managing third-party MCP servers",
 	Tools: "Operations for managing MCP tools",
 	Triggers: "Operations for managing triggers",
-	"User Organizations": "Operations for managing user organizations",
 	"User Project Memberships": "Operations for managing user project memberships",
 	Webhooks: "Webhook endpoints",
 	Workflows: "Workflow trigger endpoints"

package/dist/types/runExecutionContext.js

@@ -1,3 +1,5 @@
+import { env } from "../env.js";
+
 //#region src/types/runExecutionContext.ts
 /**
 * Extract userId from execution context metadata (when available)
@@ -16,7 +18,7 @@ function createBaseExecutionContext(params) {
 		tenantId: params.tenantId,
 		projectId: params.projectId,
 		agentId: params.agentId,
-		baseUrl: params.baseUrl || process.env.API_URL || "http://localhost:3003",
+		baseUrl: params.baseUrl || env.INKEEP_AGENTS_API_URL,
 		apiKeyId: params.apiKeyId,
 		subAgentId: params.subAgentId,
 		ref: params.ref,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@inkeep/agents-api",
-  "version": "0.43.0",
+  "version": "0.45.0",
   "description": "Unified Inkeep Agents API - combines management, runtime, and evaluation capabilities",
   "types": "dist/index.d.ts",
   "exports": {
@@ -66,9 +66,10 @@
     "openid-client": "^6.8.1",
     "pg": "^8.16.3",
     "workflow": "4.0.1-beta.33",
-    "@inkeep/agents-core": "^0.43.0",
-    "@inkeep/agents-mcp": "^0.43.0",
-    "@inkeep/agents-manage-mcp": "^0.43.0"
+    "@inkeep/agents-core": "^0.45.0",
+    "@inkeep/agents-manage-mcp": "^0.45.0",
+    "@inkeep/agents-mcp": "^0.45.0",
+    "@inkeep/agents-work-apps": "^0.45.0"
   },
   "peerDependencies": {
     "@hono/zod-openapi": "^1.1.5",

package/dist/domains/github/config.d.ts

@@ -1,14 +0,0 @@
-import { z } from "@hono/zod-openapi";
-
-//#region src/domains/github/config.d.ts
-declare const GitHubAppConfigSchema: z.ZodObject<{
-  appId: z.ZodString;
-  privateKey: z.ZodString;
-}, z.core.$strip>;
-type GitHubAppConfig = z.infer<typeof GitHubAppConfigSchema>;
-declare function getGitHubAppConfig(): GitHubAppConfig;
-declare function isGitHubAppConfigured(): boolean;
-declare function validateGitHubAppConfigOnStartup(): void;
-declare function clearConfigCache(): void;
-//#endregion
-export { GitHubAppConfig, clearConfigCache, getGitHubAppConfig, isGitHubAppConfigured, validateGitHubAppConfigOnStartup };

package/dist/domains/github/config.js

@@ -1,47 +0,0 @@
-import { getLogger } from "../../logger.js";
-import { z } from "@hono/zod-openapi";
-
-//#region src/domains/github/config.ts
-const logger = getLogger("github-config");
-const GitHubAppConfigSchema = z.object({
-	appId: z.string().min(1, "GITHUB_APP_ID is required"),
-	privateKey: z.string().min(1, "GITHUB_APP_PRIVATE_KEY is required")
-});
-let cachedConfig = null;
-function getGitHubAppConfig() {
-	if (cachedConfig) return cachedConfig;
-	const appId = process.env.GITHUB_APP_ID;
-	const privateKey = process.env.GITHUB_APP_PRIVATE_KEY?.replace(/\\n/g, "\n");
-	const result = GitHubAppConfigSchema.safeParse({
-		appId,
-		privateKey
-	});
-	if (!result.success) {
-		const errorMessage = `GitHub App credentials are not configured. ${result.error.issues.map((issue) => issue.message).join(". ")}. Please set GITHUB_APP_ID and GITHUB_APP_PRIVATE_KEY environment variables.`;
-		logger.error({}, errorMessage);
-		throw new Error(errorMessage);
-	}
-	cachedConfig = result.data;
-	logger.info({}, "GitHub App credentials loaded successfully");
-	return cachedConfig;
-}
-function isGitHubAppConfigured() {
-	return Boolean(process.env.GITHUB_APP_ID && process.env.GITHUB_APP_PRIVATE_KEY);
-}
-function validateGitHubAppConfigOnStartup() {
-	if (!isGitHubAppConfigured()) {
-		logger.warn({}, "GitHub App credentials not configured. Token exchange endpoint will return 500 errors. Set GITHUB_APP_ID and GITHUB_APP_PRIVATE_KEY to enable the feature.");
-		return;
-	}
-	try {
-		getGitHubAppConfig();
-	} catch (error) {
-		logger.error({ error }, "GitHub App credentials are invalid. Token exchange endpoint will return 500 errors.");
-	}
-}
-function clearConfigCache() {
-	cachedConfig = null;
-}
-
-//#endregion
-export { clearConfigCache, getGitHubAppConfig, isGitHubAppConfigured, validateGitHubAppConfigOnStartup };

package/dist/domains/github/index.d.ts

@@ -1,12 +0,0 @@
-import { GitHubAppConfig, getGitHubAppConfig, isGitHubAppConfigured } from "./config.js";
-import { GenerateInstallationAccessTokenResult, GenerateTokenError, GenerateTokenResult, InstallationAccessToken, InstallationInfo, LookupInstallationError, LookupInstallationForRepoResult, LookupInstallationResult, generateInstallationAccessToken, lookupInstallationForRepo } from "./installation.js";
-import { GetJwkResult, JwksError, JwksResult, clearJwksCache, getJwkForToken, getJwksCacheStatus } from "./jwks.js";
-import { GitHubOidcClaims, ValidateOidcTokenResult, ValidateTokenError, ValidateTokenResult, validateOidcToken } from "./oidcToken.js";
-import { Hono } from "hono";
-import * as hono_types5 from "hono/types";
-
-//#region src/domains/github/index.d.ts
-declare function createGithubRoutes(): Hono<hono_types5.BlankEnv, hono_types5.BlankSchema, "/">;
-declare const githubRoutes: Hono<hono_types5.BlankEnv, hono_types5.BlankSchema, "/">;
-//#endregion
-export { type GenerateInstallationAccessTokenResult, type GenerateTokenError, type GenerateTokenResult, type GetJwkResult, type GitHubAppConfig, type GitHubOidcClaims, type InstallationAccessToken, type InstallationInfo, type JwksError, type JwksResult, type LookupInstallationError, type LookupInstallationForRepoResult, type LookupInstallationResult, type ValidateOidcTokenResult, type ValidateTokenError, type ValidateTokenResult, clearJwksCache, createGithubRoutes, generateInstallationAccessToken, getGitHubAppConfig, getJwkForToken, getJwksCacheStatus, githubRoutes, isGitHubAppConfigured, lookupInstallationForRepo, validateOidcToken };

package/dist/domains/github/index.js

@@ -1,18 +0,0 @@
-import { getGitHubAppConfig, isGitHubAppConfigured, validateGitHubAppConfigOnStartup } from "./config.js";
-import { generateInstallationAccessToken, lookupInstallationForRepo } from "./installation.js";
-import { clearJwksCache, getJwkForToken, getJwksCacheStatus } from "./jwks.js";
-import { validateOidcToken } from "./oidcToken.js";
-import tokenExchange_default from "./routes/tokenExchange.js";
-import { Hono } from "hono";
-
-//#region src/domains/github/index.ts
-function createGithubRoutes() {
-	validateGitHubAppConfigOnStartup();
-	const app = new Hono();
-	app.route("/token-exchange", tokenExchange_default);
-	return app;
-}
-const githubRoutes = createGithubRoutes();
-
-//#endregion
-export { clearJwksCache, createGithubRoutes, generateInstallationAccessToken, getGitHubAppConfig, getJwkForToken, getJwksCacheStatus, githubRoutes, isGitHubAppConfigured, lookupInstallationForRepo, validateOidcToken };

package/dist/domains/github/installation.d.ts

@@ -1,34 +0,0 @@
-//#region src/domains/github/installation.d.ts
-interface InstallationInfo {
-  installationId: number;
-  accountLogin: string;
-  accountType: 'User' | 'Organization';
-}
-interface LookupInstallationResult {
-  success: true;
-  installation: InstallationInfo;
-}
-interface LookupInstallationError {
-  success: false;
-  errorType: 'not_installed' | 'api_error' | 'jwt_error';
-  message: string;
-}
-type LookupInstallationForRepoResult = LookupInstallationResult | LookupInstallationError;
-interface InstallationAccessToken {
-  token: string;
-  expiresAt: string;
-}
-interface GenerateTokenResult {
-  success: true;
-  accessToken: InstallationAccessToken;
-}
-interface GenerateTokenError {
-  success: false;
-  errorType: 'api_error' | 'jwt_error';
-  message: string;
-}
-type GenerateInstallationAccessTokenResult = GenerateTokenResult | GenerateTokenError;
-declare function lookupInstallationForRepo(repositoryOwner: string, repositoryName: string): Promise<LookupInstallationForRepoResult>;
-declare function generateInstallationAccessToken(installationId: number): Promise<GenerateInstallationAccessTokenResult>;
-//#endregion
-export { GenerateInstallationAccessTokenResult, GenerateTokenError, GenerateTokenResult, InstallationAccessToken, InstallationInfo, LookupInstallationError, LookupInstallationForRepoResult, LookupInstallationResult, generateInstallationAccessToken, lookupInstallationForRepo };