@inkeep/agents-api 0.43.0 → 0.45.0

package/dist/domains/github/installation.js

@@ -1,172 +0,0 @@
-import { getLogger } from "../../logger.js";
-import { getGitHubAppConfig } from "./config.js";
-import { createPrivateKey } from "node:crypto";
-import { SignJWT } from "jose";
-
-//#region src/domains/github/installation.ts
-const logger = getLogger("github-installation");
-const GITHUB_API_BASE = "https://api.github.com";
-async function createAppJwt() {
-	const config = getGitHubAppConfig();
-	const privateKey = createPrivateKey({
-		key: config.privateKey,
-		format: "pem"
-	});
-	const now = Math.floor(Date.now() / 1e3);
-	return await new SignJWT({}).setProtectedHeader({ alg: "RS256" }).setIssuedAt(now - 60).setExpirationTime(now + 600).setIssuer(config.appId).sign(privateKey);
-}
-async function lookupInstallationForRepo(repositoryOwner, repositoryName) {
-	let appJwt;
-	try {
-		appJwt = await createAppJwt();
-	} catch (error) {
-		const message = error instanceof Error ? error.message : "Unknown error";
-		logger.error({ error: message }, "Failed to create GitHub App JWT");
-		return {
-			success: false,
-			errorType: "jwt_error",
-			message: `Failed to create GitHub App authentication: ${message}`
-		};
-	}
-	const url = `${GITHUB_API_BASE}/repos/${repositoryOwner}/${repositoryName}/installation`;
-	try {
-		const response = await fetch(url, {
-			method: "GET",
-			headers: {
-				Authorization: `Bearer ${appJwt}`,
-				Accept: "application/vnd.github+json",
-				"X-GitHub-Api-Version": "2022-11-28",
-				"User-Agent": "inkeep-agents-api"
-			}
-		});
-		if (response.status === 404) return {
-			success: false,
-			errorType: "not_installed",
-			message: `GitHub App is not installed on repository ${repositoryOwner}/${repositoryName}. Please install the Inkeep Agents GitHub App on the repository to enable token exchange.`
-		};
-		if (!response.ok) {
-			const errorText = await response.text();
-			logger.error({
-				status: response.status,
-				error: errorText,
-				repositoryOwner,
-				repositoryName
-			}, "GitHub API error looking up installation");
-			return {
-				success: false,
-				errorType: "api_error",
-				message: `GitHub API error (${response.status}): Failed to look up installation for repository`
-			};
-		}
-		const data = await response.json();
-		const installationId = data.id;
-		const accountLogin = data.account?.login;
-		const accountType = data.account?.type;
-		if (typeof installationId !== "number" || typeof accountLogin !== "string") {
-			logger.error({ data }, "Unexpected response format from GitHub API");
-			return {
-				success: false,
-				errorType: "api_error",
-				message: "Unexpected response format from GitHub API"
-			};
-		}
-		logger.info({
-			installationId,
-			accountLogin,
-			accountType,
-			repositoryOwner,
-			repositoryName
-		}, "Found GitHub App installation for repository");
-		return {
-			success: true,
-			installation: {
-				installationId,
-				accountLogin,
-				accountType: accountType === "Organization" ? "Organization" : "User"
-			}
-		};
-	} catch (error) {
-		const message = error instanceof Error ? error.message : "Unknown error";
-		logger.error({
-			error: message,
-			repositoryOwner,
-			repositoryName
-		}, "Error calling GitHub API to look up installation");
-		return {
-			success: false,
-			errorType: "api_error",
-			message: `Failed to connect to GitHub API: ${message}`
-		};
-	}
-}
-async function generateInstallationAccessToken(installationId) {
-	let appJwt;
-	try {
-		appJwt = await createAppJwt();
-	} catch (error) {
-		const message = error instanceof Error ? error.message : "Unknown error";
-		logger.error({ error: message }, "Failed to create GitHub App JWT for token generation");
-		return {
-			success: false,
-			errorType: "jwt_error",
-			message: `Failed to create GitHub App authentication: ${message}`
-		};
-	}
-	const url = `${GITHUB_API_BASE}/app/installations/${installationId}/access_tokens`;
-	try {
-		const response = await fetch(url, {
-			method: "POST",
-			headers: {
-				Authorization: `Bearer ${appJwt}`,
-				Accept: "application/vnd.github+json",
-				"X-GitHub-Api-Version": "2022-11-28",
-				"User-Agent": "inkeep-agents-api"
-			}
-		});
-		if (!response.ok) {
-			const errorText = await response.text();
-			logger.error({
-				status: response.status,
-				error: errorText,
-				installationId
-			}, "GitHub API error generating installation access token");
-			return {
-				success: false,
-				errorType: "api_error",
-				message: `GitHub API error (${response.status}): Failed to generate installation access token`
-			};
-		}
-		const data = await response.json();
-		const token = data.token;
-		const expiresAt = data.expires_at;
-		if (typeof token !== "string" || typeof expiresAt !== "string") {
-			logger.error({ data }, "Unexpected response format from GitHub API for token generation");
-			return {
-				success: false,
-				errorType: "api_error",
-				message: "Unexpected response format from GitHub API"
-			};
-		}
-		return {
-			success: true,
-			accessToken: {
-				token,
-				expiresAt
-			}
-		};
-	} catch (error) {
-		const message = error instanceof Error ? error.message : "Unknown error";
-		logger.error({
-			error: message,
-			installationId
-		}, "Error calling GitHub API to generate installation access token");
-		return {
-			success: false,
-			errorType: "api_error",
-			message: `Failed to connect to GitHub API: ${message}`
-		};
-	}
-}
-
-//#endregion
-export { generateInstallationAccessToken, lookupInstallationForRepo };

package/dist/domains/github/jwks.d.ts

@@ -1,20 +0,0 @@
-import { CryptoKey, JWSHeaderParameters } from "jose";
-
-//#region src/domains/github/jwks.d.ts
-interface JwksResult {
-  success: true;
-  key: CryptoKey;
-}
-interface JwksError {
-  success: false;
-  error: string;
-}
-type GetJwkResult = JwksResult | JwksError;
-declare function getJwkForToken(header: JWSHeaderParameters): Promise<GetJwkResult>;
-declare function clearJwksCache(): void;
-declare function getJwksCacheStatus(): {
-  cached: boolean;
-  expiresIn?: number;
-};
-//#endregion
-export { GetJwkResult, JwksError, JwksResult, clearJwksCache, getJwkForToken, getJwksCacheStatus };

package/dist/domains/github/jwks.js

@@ -1,85 +0,0 @@
-import { getLogger } from "../../logger.js";
-import { createRemoteJWKSet } from "jose";
-
-//#region src/domains/github/jwks.ts
-const logger = getLogger("github-jwks");
-const GITHUB_OIDC_JWKS_URL = "https://token.actions.githubusercontent.com/.well-known/jwks";
-const CACHE_TTL_MS = 3600 * 1e3;
-let jwksCache = null;
-function createJwksWithLogging() {
-	logger.info({}, "Creating new JWKS fetch function for GitHub OIDC");
-	return createRemoteJWKSet(new URL(GITHUB_OIDC_JWKS_URL), { cacheMaxAge: CACHE_TTL_MS });
-}
-function isCacheExpired() {
-	if (!jwksCache) return true;
-	return Date.now() - jwksCache.fetchedAt > CACHE_TTL_MS;
-}
-function getOrCreateJwksFunction() {
-	if (!jwksCache || isCacheExpired()) jwksCache = {
-		jwks: createJwksWithLogging(),
-		fetchedAt: Date.now()
-	};
-	return jwksCache.jwks;
-}
-async function getJwkForToken(header) {
-	const kid = header.kid;
-	if (!kid) return {
-		success: false,
-		error: "Token is missing key ID (kid) in header"
-	};
-	try {
-		const key = await getOrCreateJwksFunction()(header);
-		logger.debug({ kid }, "Successfully retrieved JWK for token");
-		return {
-			success: true,
-			key
-		};
-	} catch (error) {
-		const errorMessage = error instanceof Error ? error.message : "Unknown error";
-		if (errorMessage.includes("no applicable key found")) {
-			logger.warn({ kid }, "Key ID not found in JWKS, refreshing cache");
-			jwksCache = null;
-			try {
-				const key = await getOrCreateJwksFunction()(header);
-				logger.info({ kid }, "Successfully retrieved JWK after cache refresh");
-				return {
-					success: true,
-					key
-				};
-			} catch (retryError) {
-				const retryErrorMessage = retryError instanceof Error ? retryError.message : "Unknown error";
-				logger.error({
-					kid,
-					error: retryErrorMessage
-				}, "Failed to retrieve JWK after cache refresh");
-				return {
-					success: false,
-					error: `Key ID '${kid}' not found in GitHub OIDC JWKS`
-				};
-			}
-		}
-		logger.error({
-			kid,
-			error: errorMessage
-		}, "Failed to fetch JWKS from GitHub");
-		return {
-			success: false,
-			error: `Failed to fetch GitHub OIDC JWKS: ${errorMessage}`
-		};
-	}
-}
-function clearJwksCache() {
-	jwksCache = null;
-	logger.debug({}, "JWKS cache cleared");
-}
-function getJwksCacheStatus() {
-	if (!jwksCache) return { cached: false };
-	const expiresIn = CACHE_TTL_MS - (Date.now() - jwksCache.fetchedAt);
-	return {
-		cached: true,
-		expiresIn: Math.max(0, expiresIn)
-	};
-}
-
-//#endregion
-export { clearJwksCache, getJwkForToken, getJwksCacheStatus };

package/dist/domains/github/oidcToken.d.ts

@@ -1,22 +0,0 @@
-//#region src/domains/github/oidcToken.d.ts
-interface GitHubOidcClaims {
-  repository: string;
-  repository_owner: string;
-  repository_id: string;
-  workflow: string;
-  actor: string;
-  ref: string;
-}
-interface ValidateTokenResult {
-  success: true;
-  claims: GitHubOidcClaims;
-}
-interface ValidateTokenError {
-  success: false;
-  errorType: 'invalid_signature' | 'expired' | 'wrong_issuer' | 'wrong_audience' | 'malformed' | 'jwks_error';
-  message: string;
-}
-type ValidateOidcTokenResult = ValidateTokenResult | ValidateTokenError;
-declare function validateOidcToken(token: string): Promise<ValidateOidcTokenResult>;
-//#endregion
-export { GitHubOidcClaims, ValidateOidcTokenResult, ValidateTokenError, ValidateTokenResult, validateOidcToken };

package/dist/domains/github/oidcToken.js

@@ -1,140 +0,0 @@
-import { getLogger } from "../../logger.js";
-import { getJwkForToken } from "./jwks.js";
-import { decodeProtectedHeader, errors, jwtVerify } from "jose";
-
-//#region src/domains/github/oidcToken.ts
-const logger = getLogger("github-oidc-token");
-const GITHUB_OIDC_ISSUER = "https://token.actions.githubusercontent.com";
-const EXPECTED_AUDIENCE = "inkeep-agents-action";
-async function validateOidcToken(token) {
-	let header;
-	try {
-		header = decodeProtectedHeader(token);
-	} catch (error) {
-		const message = error instanceof Error ? error.message : "Unknown error";
-		logger.warn({ error: message }, "Failed to decode JWT header");
-		return {
-			success: false,
-			errorType: "malformed",
-			message: "Invalid JWT format: unable to decode token header"
-		};
-	}
-	if (header.alg !== "RS256") {
-		logger.warn({ algorithm: header.alg }, "Unexpected JWT algorithm");
-		return {
-			success: false,
-			errorType: "malformed",
-			message: `Invalid JWT algorithm: expected RS256, got ${header.alg}`
-		};
-	}
-	const jwkResult = await getJwkForToken(header);
-	if (!jwkResult.success) {
-		logger.error({ error: jwkResult.error }, "Failed to get JWK for token");
-		return {
-			success: false,
-			errorType: "jwks_error",
-			message: jwkResult.error
-		};
-	}
-	try {
-		const { payload } = await jwtVerify(token, jwkResult.key, {
-			issuer: GITHUB_OIDC_ISSUER,
-			audience: EXPECTED_AUDIENCE
-		});
-		const repository = payload.repository;
-		const repositoryOwner = payload.repository_owner;
-		const repositoryId = payload.repository_id;
-		const workflow = payload.workflow;
-		const actor = payload.actor;
-		const ref = payload.ref;
-		if (typeof repository !== "string" || typeof repositoryOwner !== "string" || typeof repositoryId !== "string" || typeof workflow !== "string" || typeof actor !== "string" || typeof ref !== "string") {
-			logger.warn({ payload }, "OIDC token missing required claims");
-			return {
-				success: false,
-				errorType: "malformed",
-				message: "OIDC token missing required claims: repository, repository_owner, repository_id, workflow, actor, or ref"
-			};
-		}
-		logger.info({
-			repository,
-			actor
-		}, "Successfully validated OIDC token");
-		return {
-			success: true,
-			claims: {
-				repository,
-				repository_owner: repositoryOwner,
-				repository_id: repositoryId,
-				workflow,
-				actor,
-				ref
-			}
-		};
-	} catch (error) {
-		if (error instanceof errors.JWTExpired) {
-			logger.warn({}, "OIDC token has expired");
-			return {
-				success: false,
-				errorType: "expired",
-				message: "OIDC token has expired"
-			};
-		}
-		if (error instanceof errors.JWTClaimValidationFailed) {
-			const claimError = error;
-			if (claimError.claim === "iss") {
-				logger.warn({ issuer: claimError.reason }, "Invalid OIDC token issuer");
-				return {
-					success: false,
-					errorType: "wrong_issuer",
-					message: `Invalid token issuer: expected ${GITHUB_OIDC_ISSUER}`
-				};
-			}
-			if (claimError.claim === "aud") {
-				logger.warn({ audience: claimError.reason }, "Invalid OIDC token audience");
-				return {
-					success: false,
-					errorType: "wrong_audience",
-					message: `Invalid token audience: expected ${EXPECTED_AUDIENCE}`
-				};
-			}
-			logger.warn({
-				claim: claimError.claim,
-				reason: claimError.reason
-			}, "JWT claim validation failed");
-			return {
-				success: false,
-				errorType: "malformed",
-				message: `JWT claim validation failed: ${claimError.claim} ${claimError.reason}`
-			};
-		}
-		if (error instanceof errors.JWSSignatureVerificationFailed) {
-			logger.warn({}, "Invalid OIDC token signature");
-			return {
-				success: false,
-				errorType: "invalid_signature",
-				message: "Invalid token signature"
-			};
-		}
-		if (error instanceof errors.JOSEError) {
-			logger.error({
-				error: error.message,
-				code: error.code
-			}, "JOSE error during token validation");
-			return {
-				success: false,
-				errorType: "malformed",
-				message: `Token validation error: ${error.message}`
-			};
-		}
-		const message = error instanceof Error ? error.message : "Unknown error";
-		logger.error({ error: message }, "Unexpected error during token validation");
-		return {
-			success: false,
-			errorType: "malformed",
-			message: `Token validation error: ${message}`
-		};
-	}
-}
-
-//#endregion
-export { validateOidcToken };

package/dist/domains/github/routes/tokenExchange.d.ts

@@ -1,7 +0,0 @@
-import { Hono } from "hono";
-import * as hono_types13 from "hono/types";
-
-//#region src/domains/github/routes/tokenExchange.d.ts
-declare const app: Hono<hono_types13.BlankEnv, hono_types13.BlankSchema, "/">;
-//#endregion
-export { app as default };

package/dist/domains/github/routes/tokenExchange.js

@@ -1,130 +0,0 @@
-import { getLogger } from "../../../logger.js";
-import { isGitHubAppConfigured } from "../config.js";
-import { generateInstallationAccessToken, lookupInstallationForRepo } from "../installation.js";
-import { validateOidcToken } from "../oidcToken.js";
-import { Hono } from "hono";
-import { z } from "zod";
-
-//#region src/domains/github/routes/tokenExchange.ts
-const logger = getLogger("github-token-exchange");
-const TokenExchangeRequestSchema = z.object({ oidc_token: z.string() });
-const app = new Hono();
-/**
-* Exchange GitHub OIDC token for installation token.
-*
-* This is an internal infrastructure endpoint called by the CLI from GitHub Actions.
-* It exchanges a GitHub Actions OIDC token for a GitHub App installation access token.
-* Not included in the public OpenAPI spec.
-*/
-app.post("/", async (c) => {
-	const rawBody = await c.req.json().catch(() => null);
-	const parseResult = TokenExchangeRequestSchema.safeParse(rawBody);
-	if (!parseResult.success) {
-		const errorMessage = parseResult.error.issues.map((issue) => `${issue.path.join(".")}: ${issue.message}`).join("; ");
-		c.header("Content-Type", "application/problem+json");
-		return c.json({
-			title: "Bad Request",
-			status: 400,
-			detail: errorMessage,
-			error: errorMessage
-		}, 400);
-	}
-	const body = parseResult.data;
-	logger.info({}, "Processing token exchange request");
-	if (!isGitHubAppConfigured()) {
-		logger.error({}, "GitHub App credentials not configured");
-		const errorMessage = "GitHub App credentials are not configured. Please contact the administrator to set up GITHUB_APP_ID and GITHUB_APP_PRIVATE_KEY.";
-		c.header("Content-Type", "application/problem+json");
-		return c.json({
-			title: "GitHub App Not Configured",
-			status: 500,
-			detail: errorMessage,
-			error: errorMessage
-		}, 500);
-	}
-	const validationResult = await validateOidcToken(body.oidc_token);
-	if (!validationResult.success) {
-		const errorType = validationResult.errorType;
-		logger.warn({
-			errorType,
-			message: validationResult.message
-		}, "OIDC token validation failed");
-		c.header("Content-Type", "application/problem+json");
-		if (errorType === "malformed") return c.json({
-			title: "Bad Request",
-			status: 400,
-			detail: validationResult.message,
-			error: validationResult.message
-		}, 400);
-		return c.json({
-			title: "Token Validation Failed",
-			status: 401,
-			detail: validationResult.message,
-			error: validationResult.message
-		}, 401);
-	}
-	const { claims } = validationResult;
-	const installationResult = await lookupInstallationForRepo(claims.repository_owner, claims.repository.split("/")[1]);
-	if (!installationResult.success) {
-		const { errorType, message } = installationResult;
-		if (errorType === "not_installed") {
-			c.header("Content-Type", "application/problem+json");
-			return c.json({
-				title: "GitHub App Not Installed",
-				status: 403,
-				detail: message,
-				error: message
-			}, 403);
-		}
-		logger.error({
-			errorType,
-			message,
-			repository: claims.repository
-		}, "Failed to look up GitHub App installation");
-		c.header("Content-Type", "application/problem+json");
-		return c.json({
-			title: "Installation Lookup Failed",
-			status: 500,
-			detail: message,
-			error: message
-		}, 500);
-	}
-	const { installation } = installationResult;
-	logger.info({
-		installationId: installation.installationId,
-		repository: claims.repository
-	}, "Found GitHub App installation");
-	const tokenResult = await generateInstallationAccessToken(installation.installationId);
-	if (!tokenResult.success) {
-		const { errorType, message } = tokenResult;
-		logger.error({
-			errorType,
-			message,
-			installationId: installation.installationId,
-			repository: claims.repository
-		}, "Failed to generate installation access token");
-		c.header("Content-Type", "application/problem+json");
-		return c.json({
-			title: "Token Generation Failed",
-			status: 500,
-			detail: message,
-			error: message
-		}, 500);
-	}
-	const { accessToken } = tokenResult;
-	logger.info({
-		installationId: installation.installationId,
-		repository: claims.repository,
-		expiresAt: accessToken.expiresAt
-	}, "Token exchange completed successfully");
-	return c.json({
-		token: accessToken.token,
-		expires_at: accessToken.expiresAt,
-		repository: claims.repository,
-		installation_id: installation.installationId
-	}, 200);
-});
-var tokenExchange_default = app;
-
-//#endregion
-export { tokenExchange_default as default };

package/dist/initialization.d.ts

@@ -1,6 +0,0 @@
-import { createAuth } from "@inkeep/agents-core/auth";
-
-//#region src/initialization.d.ts
-declare function initializeDefaultUser(authInstance?: ReturnType<typeof createAuth> | null): Promise<void>;
-//#endregion
-export { initializeDefaultUser };

package/dist/initialization.js

@@ -1,72 +0,0 @@
-import { getLogger as getLogger$1 } from "./logger.js";
-import { env } from "./env.js";
-import runDbClient_default from "./data/db/runDbClient.js";
-import { OrgRoles, addUserToOrganization, getUserByEmail, syncOrgMemberToSpiceDb, upsertOrganization } from "@inkeep/agents-core";
-
-//#region src/initialization.ts
-const logger = getLogger$1("initialization");
-async function initializeDefaultUser(authInstance) {
-	const { INKEEP_AGENTS_MANAGE_UI_USERNAME, INKEEP_AGENTS_MANAGE_UI_PASSWORD, DISABLE_AUTH } = env;
-	const hasCredentials = INKEEP_AGENTS_MANAGE_UI_USERNAME && INKEEP_AGENTS_MANAGE_UI_PASSWORD;
-	const orgId = env.TENANT_ID;
-	const { created } = await upsertOrganization(runDbClient_default)({
-		organizationId: orgId,
-		name: env.TENANT_ID,
-		slug: env.TENANT_ID,
-		logo: null,
-		metadata: null
-	});
-	if (created) logger.info({ organizationId: orgId }, "Created default organization");
-	else logger.info({ organizationId: orgId }, "Organization already exists");
-	if (!hasCredentials || DISABLE_AUTH || !authInstance) {
-		logger.info({ hasCredentials: false }, "Skipping default user creation");
-		return;
-	}
-	try {
-		let user = await getUserByEmail(runDbClient_default)(INKEEP_AGENTS_MANAGE_UI_USERNAME);
-		if (user) logger.info({
-			email: INKEEP_AGENTS_MANAGE_UI_USERNAME,
-			userId: user.id
-		}, "Default user already exists");
-		else {
-			logger.info({ email: INKEEP_AGENTS_MANAGE_UI_USERNAME }, "Creating default user with Better Auth...");
-			if (!(await authInstance.api.signUpEmail({ body: {
-				email: INKEEP_AGENTS_MANAGE_UI_USERNAME,
-				password: INKEEP_AGENTS_MANAGE_UI_PASSWORD,
-				name: INKEEP_AGENTS_MANAGE_UI_USERNAME.split("@")[0]
-			} })).user) throw new Error("signUpEmail returned no user");
-			user = await getUserByEmail(runDbClient_default)(INKEEP_AGENTS_MANAGE_UI_USERNAME);
-			if (!user) throw new Error("User was created but could not be retrieved from database");
-			logger.info({
-				email: user.email,
-				id: user.id
-			}, "Default user created from INKEEP_AGENTS_MANAGE_UI_USERNAME/INKEEP_AGENTS_MANAGE_UI_PASSWORD");
-		}
-		await addUserToOrganization(runDbClient_default)({
-			userId: user.id,
-			organizationId: orgId,
-			role: OrgRoles.ADMIN
-		});
-		await syncOrgMemberToSpiceDb({
-			tenantId: orgId,
-			userId: user.id,
-			role: OrgRoles.ADMIN,
-			action: "add"
-		});
-		console.log(`🔐 SpiceDB: Synced member ${user.email} as ${OrgRoles.ADMIN} to org ${orgId}`);
-		logger.info({
-			organizationId: orgId,
-			organizationSlug: env.TENANT_ID,
-			userId: user.id,
-			email: INKEEP_AGENTS_MANAGE_UI_USERNAME
-		}, "Initialization complete - login with these credentials");
-	} catch (error) {
-		logger.error({
-			error,
-			email: INKEEP_AGENTS_MANAGE_UI_USERNAME
-		}, "Failed to create default user");
-	}
-}
-
-//#endregion
-export { initializeDefaultUser };