@inkeep/agents-api 0.44.0 → 0.45.0

package/dist/domains/evals/routes/datasetTriggers.d.ts

@@ -1,7 +1,7 @@
 import { OpenAPIHono } from "@hono/zod-openapi";
-import * as hono17 from "hono";
+import * as hono2 from "hono";
 
 //#region src/domains/evals/routes/datasetTriggers.d.ts
-declare const app: OpenAPIHono<hono17.Env, {}, "/">;
+declare const app: OpenAPIHono<hono2.Env, {}, "/">;
 //#endregion
 export { app as default };

package/dist/domains/evals/routes/index.d.ts

@@ -1,7 +1,7 @@
 import { OpenAPIHono } from "@hono/zod-openapi";
-import * as hono0 from "hono";
+import * as hono3 from "hono";
 
 //#region src/domains/evals/routes/index.d.ts
-declare const app: OpenAPIHono<hono0.Env, {}, "/">;
+declare const app: OpenAPIHono<hono3.Env, {}, "/">;
 //#endregion
 export { app as default };

package/dist/domains/manage/index.js

@@ -1,3 +1,4 @@
+import availableAgents_default from "./routes/availableAgents.js";
 import cliAuth_default from "./routes/cliAuth.js";
 import github_default from "./routes/github.js";
 import routes_default from "./routes/index.js";
@@ -27,6 +28,7 @@ function createManageRoutes() {
 	app.route("/tenants/:tenantId", projectFull_default);
 	app.route("/oauth", oauth_default);
 	app.route("/mcp", mcp_default);
+	app.route("/available-agents", availableAgents_default);
 	return app;
 }
 const manageRoutes = createManageRoutes();

package/dist/domains/manage/routes/availableAgents.d.ts

@@ -0,0 +1,7 @@
+import { OpenAPIHono } from "@hono/zod-openapi";
+import * as hono1 from "hono";
+
+//#region src/domains/manage/routes/availableAgents.d.ts
+declare const app: OpenAPIHono<hono1.Env, {}, "/">;
+//#endregion
+export { app as default };

package/dist/domains/manage/routes/availableAgents.js

@@ -0,0 +1,94 @@
+import { getLogger as getLogger$1 } from "../../../logger.js";
+import { env } from "../../../env.js";
+import manageDbClient_default from "../../../data/db/manageDbClient.js";
+import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
+import { createApiError, listAgentsAcrossProjectBranches, listUsableProjectIds, verifyTempToken } from "@inkeep/agents-core";
+
+//#region src/domains/manage/routes/availableAgents.ts
+const logger = getLogger$1("availableAgents");
+const app = new OpenAPIHono();
+async function tryTempTokenAuth(token) {
+	if (!env.INKEEP_AGENTS_TEMP_JWT_PUBLIC_KEY) return null;
+	try {
+		const payload = await verifyTempToken(Buffer.from(env.INKEEP_AGENTS_TEMP_JWT_PUBLIC_KEY, "base64").toString("utf-8"), token);
+		return {
+			userId: payload.sub,
+			tenantId: payload.tenantId,
+			tokenType: "temp-jwt"
+		};
+	} catch (error) {
+		logger.warn({
+			token,
+			error
+		}, "Failed to verify temp token");
+		return null;
+	}
+}
+/**
+* Identify user from any supported token type
+* Add new token types by adding them to this function
+*/
+async function identifyUserFromToken(token) {
+	const tempResult = await tryTempTokenAuth(token);
+	if (tempResult) return tempResult;
+	return null;
+}
+const AvailableAgentSchema = z.object({
+	agentId: z.string(),
+	agentName: z.string(),
+	projectId: z.string()
+});
+const AvailableAgentsResponseSchema = z.object({ data: z.array(AvailableAgentSchema) });
+app.openapi(createRoute({
+	method: "get",
+	path: "/",
+	summary: "List available agents",
+	operationId: "list-available-agents",
+	tags: ["Agents"],
+	description: "List all agents the user can invoke. Requires a valid JWT token.",
+	security: [{ bearerAuth: [] }],
+	responses: {
+		200: {
+			description: "List of available agents",
+			content: { "application/json": { schema: AvailableAgentsResponseSchema } }
+		},
+		401: { description: "Unauthorized - invalid or missing JWT token" },
+		500: { description: "Internal server error" }
+	}
+}), async (c) => {
+	const authHeader = c.req.header("Authorization");
+	if (!authHeader?.startsWith("Bearer ")) throw createApiError({
+		code: "unauthorized",
+		message: "Missing or invalid authorization header. Expected: Bearer <jwt_token>"
+	});
+	const token = authHeader.substring(7);
+	if (!token.startsWith("eyJ")) throw createApiError({
+		code: "unauthorized",
+		message: "Invalid token format. Expected a JWT token."
+	});
+	const user = await identifyUserFromToken(token);
+	if (!user) {
+		logger.warn({}, "Token verification failed - no valid auth method found");
+		throw createApiError({
+			code: "unauthorized",
+			message: "Invalid or expired token"
+		});
+	}
+	const { userId, tenantId } = user;
+	const projectIds = await listUsableProjectIds({ userId });
+	if (projectIds.length === 0) return c.json({ data: [] });
+	const agents = await listAgentsAcrossProjectBranches(manageDbClient_default, {
+		tenantId,
+		projectIds
+	});
+	logger.info({
+		userId,
+		tenantId,
+		agentCount: agents.length
+	}, "Returning usable agents");
+	return c.json({ data: agents });
+});
+var availableAgents_default = app;
+
+//#endregion
+export { availableAgents_default as default };

package/dist/domains/manage/routes/branches.js

@@ -1,9 +1,18 @@
 import runDbClient_default from "../../../data/db/runDbClient.js";
+import { requireProjectPermission } from "../../../middleware/projectAccess.js";
 import { OpenAPIHono, createRoute } from "@hono/zod-openapi";
 import { BranchListResponseSchema, BranchNameParamsSchema, BranchResponseSchema, CreateBranchRequestSchema, ErrorResponseSchema, TenantProjectAgentParamsSchema, TenantProjectParamsSchema, cascadeDeleteByBranch, commonGetErrorResponses, createApiError, createBranch, deleteBranch, getBranch, listBranches, listBranchesForAgent } from "@inkeep/agents-core";
 
 //#region src/domains/manage/routes/branches.ts
 const app = new OpenAPIHono();
+app.use("/", async (c, next) => {
+	if (c.req.method === "POST") return requireProjectPermission("edit")(c, next);
+	return next();
+});
+app.use("/:branchName", async (c, next) => {
+	if (c.req.method === "DELETE") return requireProjectPermission("edit")(c, next);
+	return next();
+});
 app.openapi(createRoute({
 	method: "get",
 	path: "/",

package/dist/domains/manage/routes/conversations.d.ts

@@ -1,7 +1,7 @@
 import { OpenAPIHono } from "@hono/zod-openapi";
-import * as hono7 from "hono";
+import * as hono8 from "hono";
 
 //#region src/domains/manage/routes/conversations.d.ts
-declare const app: OpenAPIHono<hono7.Env, {}, "/">;
+declare const app: OpenAPIHono<hono8.Env, {}, "/">;
 //#endregion
 export { app as default };

package/dist/domains/manage/routes/evals/datasetItems.js

@@ -1,10 +1,23 @@
 import { getLogger as getLogger$1 } from "../../../../logger.js";
+import { requireProjectPermission } from "../../../../middleware/projectAccess.js";
 import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
 import { DatasetItemApiInsertSchema, DatasetItemApiSelectSchema, DatasetItemApiUpdateSchema, ListResponseSchema, SingleResponseSchema, TenantProjectParamsSchema, commonGetErrorResponses, createApiError, createDatasetItem, createDatasetItems, deleteDatasetItem, generateId, getDatasetItemById, listDatasetItems, updateDatasetItem } from "@inkeep/agents-core";
 
 //#region src/domains/manage/routes/evals/datasetItems.ts
 const app = new OpenAPIHono();
 const logger = getLogger$1("datasetItems");
+app.use("/:datasetId/items", async (c, next) => {
+	if (c.req.method === "POST") return requireProjectPermission("edit")(c, next);
+	return next();
+});
+app.use("/:datasetId/items/bulk", async (c, next) => {
+	if (c.req.method === "POST") return requireProjectPermission("edit")(c, next);
+	return next();
+});
+app.use("/:datasetId/items/:itemId", async (c, next) => {
+	if (["PATCH", "DELETE"].includes(c.req.method)) return requireProjectPermission("edit")(c, next);
+	return next();
+});
 app.openapi(createRoute({
 	method: "get",
 	path: "/{datasetId}",

package/dist/domains/manage/routes/evals/datasets.js

@@ -1,10 +1,19 @@
 import { getLogger as getLogger$1 } from "../../../../logger.js";
+import { requireProjectPermission } from "../../../../middleware/projectAccess.js";
 import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
 import { DatasetApiInsertSchema, DatasetApiSelectSchema, DatasetApiUpdateSchema, ListResponseSchema, SingleResponseSchema, TenantProjectParamsSchema, commonGetErrorResponses, createApiError, createDataset, deleteDataset, generateId, getDatasetById, listDatasets, updateDataset } from "@inkeep/agents-core";
 
 //#region src/domains/manage/routes/evals/datasets.ts
 const app = new OpenAPIHono();
 const logger = getLogger$1("datasets");
+app.use("/", async (c, next) => {
+	if (c.req.method === "POST") return requireProjectPermission("edit")(c, next);
+	return next();
+});
+app.use("/:datasetId", async (c, next) => {
+	if (["PATCH", "DELETE"].includes(c.req.method)) return requireProjectPermission("edit")(c, next);
+	return next();
+});
 app.openapi(createRoute({
 	method: "get",
 	path: "/",

package/dist/domains/manage/routes/evals/evaluationJobConfigEvaluatorRelations.js

@@ -1,10 +1,15 @@
 import { getLogger as getLogger$1 } from "../../../../logger.js";
+import { requireProjectPermission } from "../../../../middleware/projectAccess.js";
 import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
 import { TenantProjectParamsSchema, commonGetErrorResponses, createApiError, createEvaluationJobConfigEvaluatorRelation, deleteEvaluationJobConfigEvaluatorRelation, generateId, getEvaluationJobConfigEvaluatorRelations } from "@inkeep/agents-core";
 
 //#region src/domains/manage/routes/evals/evaluationJobConfigEvaluatorRelations.ts
 const app = new OpenAPIHono();
 const logger = getLogger$1("evaluationJobConfigEvaluatorRelations");
+app.use("/:configId/evaluators/:evaluatorId", async (c, next) => {
+	if (["POST", "DELETE"].includes(c.req.method)) return requireProjectPermission("edit")(c, next);
+	return next();
+});
 app.openapi(createRoute({
 	method: "get",
 	path: "/{configId}/evaluators",

package/dist/domains/manage/routes/evals/evaluationJobConfigs.js

@@ -1,12 +1,21 @@
 import { getLogger as getLogger$1 } from "../../../../logger.js";
 import runDbClient_default from "../../../../data/db/runDbClient.js";
 import { queueEvaluationJobConversations } from "../../../evals/services/evaluationJob.js";
+import { requireProjectPermission } from "../../../../middleware/projectAccess.js";
 import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
 import { EvaluationJobConfigApiInsertSchema, EvaluationJobConfigApiSelectSchema, EvaluationResultApiSelectSchema, ListResponseSchema, SingleResponseSchema, TenantProjectParamsSchema, commonGetErrorResponses, createApiError, createEvaluationJobConfig, createEvaluationJobConfigEvaluatorRelation, deleteEvaluationJobConfig, generateId, getConversation, getEvaluationJobConfigById, getMessagesByConversation, listEvaluationJobConfigs, listEvaluationResultsByRun, listEvaluationRuns } from "@inkeep/agents-core";
 
 //#region src/domains/manage/routes/evals/evaluationJobConfigs.ts
 const app = new OpenAPIHono();
 const logger = getLogger$1("evaluationJobConfigs");
+app.use("/", async (c, next) => {
+	if (c.req.method === "POST") return requireProjectPermission("edit")(c, next);
+	return next();
+});
+app.use("/:configId", async (c, next) => {
+	if (c.req.method === "DELETE") return requireProjectPermission("edit")(c, next);
+	return next();
+});
 /**
 * Extract plain filter criteria from a potential Filter wrapper.
 * Returns null if the filter is a complex and/or combinator.

package/dist/domains/manage/routes/evals/evaluationResults.d.ts

@@ -1,7 +1,9 @@
+import { ManageAppVariables } from "../../../../types/app.js";
 import { OpenAPIHono } from "@hono/zod-openapi";
-import * as hono18 from "hono";
 
 //#region src/domains/manage/routes/evals/evaluationResults.d.ts
-declare const app: OpenAPIHono<hono18.Env, {}, "/">;
+declare const app: OpenAPIHono<{
+  Variables: ManageAppVariables;
+}, {}, "/">;
 //#endregion
 export { app as default };

package/dist/domains/manage/routes/evals/evaluationResults.js

@@ -1,11 +1,20 @@
 import { getLogger as getLogger$1 } from "../../../../logger.js";
 import runDbClient_default from "../../../../data/db/runDbClient.js";
+import { requireProjectPermission } from "../../../../middleware/projectAccess.js";
 import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
 import { EvaluationResultApiInsertSchema, EvaluationResultApiSelectSchema, EvaluationResultApiUpdateSchema, SingleResponseSchema, TenantProjectParamsSchema, commonGetErrorResponses, createApiError, createEvaluationResult, deleteEvaluationResult, generateId, getEvaluationResultById, updateEvaluationResult } from "@inkeep/agents-core";
 
 //#region src/domains/manage/routes/evals/evaluationResults.ts
 const app = new OpenAPIHono();
 const logger = getLogger$1("evaluationResults");
+app.use("/", async (c, next) => {
+	if (c.req.method === "POST") return requireProjectPermission("edit")(c, next);
+	return next();
+});
+app.use("/:resultId", async (c, next) => {
+	if (["PATCH", "DELETE"].includes(c.req.method)) return requireProjectPermission("edit")(c, next);
+	return next();
+});
 app.openapi(createRoute({
 	method: "get",
 	path: "/{resultId}",

package/dist/domains/manage/routes/evals/evaluationRunConfigs.js

@@ -1,11 +1,20 @@
 import { getLogger as getLogger$1 } from "../../../../logger.js";
 import runDbClient_default from "../../../../data/db/runDbClient.js";
+import { requireProjectPermission } from "../../../../middleware/projectAccess.js";
 import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
 import { EvaluationResultApiSelectSchema, EvaluationRunConfigApiInsertSchema, EvaluationRunConfigApiUpdateSchema, EvaluationRunConfigWithSuiteConfigsApiSelectSchema, ListResponseSchema, SingleResponseSchema, TenantProjectParamsSchema, commonGetErrorResponses, createApiError, createEvaluationRunConfig, createEvaluationRunConfigEvaluationSuiteConfigRelation, deleteEvaluationRunConfig, deleteEvaluationRunConfigEvaluationSuiteConfigRelation, generateId, getConversation, getEvaluationRunConfigById, getEvaluationRunConfigEvaluationSuiteConfigRelations, getMessagesByConversation, listEvaluationResultsByRun, listEvaluationRunConfigsWithSuiteConfigs, listEvaluationRuns, updateEvaluationRunConfig } from "@inkeep/agents-core";
 
 //#region src/domains/manage/routes/evals/evaluationRunConfigs.ts
 const app = new OpenAPIHono();
 const logger = getLogger$1("evaluationRunConfigs");
+app.use("/", async (c, next) => {
+	if (c.req.method === "POST") return requireProjectPermission("edit")(c, next);
+	return next();
+});
+app.use("/:configId", async (c, next) => {
+	if (["PATCH", "DELETE"].includes(c.req.method)) return requireProjectPermission("edit")(c, next);
+	return next();
+});
 app.openapi(createRoute({
 	method: "get",
 	path: "/",

package/dist/domains/manage/routes/evals/evaluationSuiteConfigEvaluatorRelations.js

@@ -1,10 +1,15 @@
 import { getLogger as getLogger$1 } from "../../../../logger.js";
+import { requireProjectPermission } from "../../../../middleware/projectAccess.js";
 import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
 import { TenantProjectParamsSchema, commonGetErrorResponses, createApiError, createEvaluationSuiteConfigEvaluatorRelation, deleteEvaluationSuiteConfigEvaluatorRelation, generateId, getEvaluationSuiteConfigEvaluatorRelations } from "@inkeep/agents-core";
 
 //#region src/domains/manage/routes/evals/evaluationSuiteConfigEvaluatorRelations.ts
 const app = new OpenAPIHono();
 const logger = getLogger$1("evaluationSuiteConfigEvaluatorRelations");
+app.use("/:configId/evaluators/:evaluatorId", async (c, next) => {
+	if (["POST", "DELETE"].includes(c.req.method)) return requireProjectPermission("edit")(c, next);
+	return next();
+});
 app.openapi(createRoute({
 	method: "get",
 	path: "/{configId}/evaluators",

package/dist/domains/manage/routes/evals/evaluationSuiteConfigs.js

@@ -1,10 +1,19 @@
 import { getLogger as getLogger$1 } from "../../../../logger.js";
+import { requireProjectPermission } from "../../../../middleware/projectAccess.js";
 import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
 import { EvaluationSuiteConfigApiInsertSchema, EvaluationSuiteConfigApiSelectSchema, EvaluationSuiteConfigApiUpdateSchema, ListResponseSchema, SingleResponseSchema, TenantProjectParamsSchema, commonGetErrorResponses, createApiError, createEvaluationSuiteConfig, createEvaluationSuiteConfigEvaluatorRelation, deleteEvaluationSuiteConfig, generateId, getEvaluationSuiteConfigById, listEvaluationSuiteConfigs, updateEvaluationSuiteConfig } from "@inkeep/agents-core";
 
 //#region src/domains/manage/routes/evals/evaluationSuiteConfigs.ts
 const app = new OpenAPIHono();
 const logger = getLogger$1("evaluationSuiteConfigs");
+app.use("/", async (c, next) => {
+	if (c.req.method === "POST") return requireProjectPermission("edit")(c, next);
+	return next();
+});
+app.use("/:configId", async (c, next) => {
+	if (["PATCH", "DELETE"].includes(c.req.method)) return requireProjectPermission("edit")(c, next);
+	return next();
+});
 app.openapi(createRoute({
 	method: "get",
 	path: "/",

package/dist/domains/manage/routes/evals/evaluators.js

@@ -1,10 +1,19 @@
 import { getLogger as getLogger$1 } from "../../../../logger.js";
+import { requireProjectPermission } from "../../../../middleware/projectAccess.js";
 import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
 import { EvaluatorApiInsertSchema, EvaluatorApiSelectSchema, EvaluatorApiUpdateSchema, ListResponseSchema, SingleResponseSchema, TenantProjectParamsSchema, commonGetErrorResponses, createApiError, createEvaluator, deleteEvaluator, generateId, getEvaluatorById, getEvaluatorsByIds, listEvaluators, updateEvaluator } from "@inkeep/agents-core";
 
 //#region src/domains/manage/routes/evals/evaluators.ts
 const app = new OpenAPIHono();
 const logger = getLogger$1("evaluators");
+app.use("/", async (c, next) => {
+	if (c.req.method === "POST") return requireProjectPermission("edit")(c, next);
+	return next();
+});
+app.use("/:evaluatorId", async (c, next) => {
+	if (["PATCH", "DELETE"].includes(c.req.method)) return requireProjectPermission("edit")(c, next);
+	return next();
+});
 app.openapi(createRoute({
 	method: "get",
 	path: "/",

package/dist/domains/manage/routes/index.d.ts

@@ -1,7 +1,7 @@
 import { OpenAPIHono } from "@hono/zod-openapi";
-import * as hono1 from "hono";
+import * as hono18 from "hono";
 
 //#region src/domains/manage/routes/index.d.ts
-declare const app: OpenAPIHono<hono1.Env, {}, "/">;
+declare const app: OpenAPIHono<hono18.Env, {}, "/">;
 //#endregion
 export { app as default };

package/dist/domains/manage/routes/invitations.d.ts

@@ -1,9 +1,10 @@
 import { ManageAppVariables } from "../../../types/app.js";
-import { OpenAPIHono } from "@hono/zod-openapi";
+import { Hono } from "hono";
+import * as hono_types7 from "hono/types";
 
 //#region src/domains/manage/routes/invitations.d.ts
-declare const invitationsRoutes: OpenAPIHono<{
+declare const invitationsRoutes: Hono<{
   Variables: ManageAppVariables;
-}, {}, "/">;
+}, hono_types7.BlankSchema, "/">;
 //#endregion
 export { invitationsRoutes as default };

package/dist/domains/manage/routes/invitations.js

@@ -1,34 +1,22 @@
 import runDbClient_default from "../../../data/db/runDbClient.js";
-import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
-import { getPendingInvitationsByEmail } from "@inkeep/agents-core";
+import { sessionAuth } from "../../../middleware/sessionAuth.js";
+import { createApiError, getPendingInvitationsByEmail } from "@inkeep/agents-core";
+import { Hono } from "hono";
 
 //#region src/domains/manage/routes/invitations.ts
-const invitationsRoutes = new OpenAPIHono();
-const PendingInvitationSchema = z.object({
-	id: z.string(),
-	email: z.string(),
-	organizationId: z.string(),
-	organizationName: z.string().nullable(),
-	organizationSlug: z.string().nullable(),
-	role: z.string().nullable(),
-	status: z.string(),
-	expiresAt: z.number(),
-	inviterId: z.string()
-});
-const PendingInvitationsResponseSchema = z.array(PendingInvitationSchema);
-invitationsRoutes.openapi(createRoute({
-	method: "get",
-	path: "/pending",
-	tags: ["Invitations"],
-	summary: "Get pending invitations",
-	description: "Get all pending (non-expired) invitations for a given email address",
-	request: { query: z.object({ email: z.email().describe("Email address to check for invitations") }) },
-	responses: { 200: {
-		description: "List of pending invitations",
-		content: { "application/json": { schema: PendingInvitationsResponseSchema } }
-	} }
-}), async (c) => {
-	const { email } = c.req.valid("query");
+const invitationsRoutes = new Hono();
+invitationsRoutes.use("*", sessionAuth());
+invitationsRoutes.get("/pending", async (c) => {
+	const email = c.req.query("email");
+	const authenticatedEmail = c.get("userEmail");
+	if (!email) throw createApiError({
+		code: "bad_request",
+		message: "Email parameter is required"
+	});
+	if (email !== authenticatedEmail) throw createApiError({
+		code: "forbidden",
+		message: "Cannot access invitations for another email"
+	});
 	const response = (await getPendingInvitationsByEmail(runDbClient_default)(email)).map((inv) => ({
 		...inv,
 		expiresAt: inv.expiresAt instanceof Date ? inv.expiresAt.getTime() : inv.expiresAt

package/dist/domains/manage/routes/mcp.d.ts

@@ -1,7 +1,7 @@
 import { Hono } from "hono";
-import * as hono_types10 from "hono/types";
+import * as hono_types8 from "hono/types";
 
 //#region src/domains/manage/routes/mcp.d.ts
-declare const app: Hono<hono_types10.BlankEnv, hono_types10.BlankSchema, "/">;
+declare const app: Hono<hono_types8.BlankEnv, hono_types8.BlankSchema, "/">;
 //#endregion
 export { app as default };

package/dist/domains/manage/routes/playgroundToken.js

@@ -109,8 +109,9 @@ app.openapi(createRoute({
 		initiatedBy: {
 			type: "user",
 			id: userId
-		}
-	}, userId);
+		},
+		sub: userId
+	});
 	logger.info({
 		userId,
 		expiresAt: result.expiresAt

package/dist/domains/manage/routes/signoz.d.ts

@@ -1,10 +1,10 @@
 import { ManageAppVariables } from "../../../types/app.js";
 import { Hono } from "hono";
-import * as hono_types7 from "hono/types";
+import * as hono_types10 from "hono/types";
 
 //#region src/domains/manage/routes/signoz.d.ts
 declare const app: Hono<{
   Variables: ManageAppVariables;
-}, hono_types7.BlankSchema, "/">;
+}, hono_types10.BlankSchema, "/">;
 //#endregion
 export { app as default };

package/dist/domains/manage/routes/signoz.js

@@ -1,7 +1,7 @@
 import { getLogger as getLogger$1 } from "../../../logger.js";
 import { env } from "../../../env.js";
 import { enforceSecurityFilters } from "../../../utils/signozHelpers.js";
-import { createApiError, projectExists } from "@inkeep/agents-core";
+import { canViewProject, createApiError } from "@inkeep/agents-core";
 import { Hono } from "hono";
 import axios from "axios";
 
@@ -12,10 +12,12 @@ app.post("/query", async (c) => {
 	let payload = await c.req.json();
 	const requestedProjectId = payload.projectId;
 	const tenantId = c.get("tenantId");
-	const db = c.get("db");
-	if (!tenantId) throw createApiError({
+	const userId = c.get("userId");
+	const tenantRole = c.get("tenantRole");
+	if (!userId || !tenantId) throw createApiError({
 		code: "unauthorized",
-		message: "Tenant ID not found"
+		message: "User or organization context not found",
+		instance: c.req.path
 	});
 	logger.debug({
 		tenantId,
@@ -23,18 +25,22 @@ app.post("/query", async (c) => {
 		hasProjectId: !!requestedProjectId
 	}, "Processing SigNoz query request");
 	if (requestedProjectId) {
-		if (!await projectExists(db)({
-			tenantId,
-			projectId: requestedProjectId
-		})) {
-			logger.warn({
-				tenantId,
-				projectId: requestedProjectId
-			}, "Project not found or access denied");
-			return c.json({
-				error: "Forbidden",
-				message: "You do not have access to this project"
-			}, 403);
+		if (!(userId === "system" || userId?.startsWith("apikey:"))) {
+			if (!await canViewProject({
+				userId,
+				projectId: requestedProjectId,
+				orgRole: tenantRole
+			})) {
+				logger.warn({
+					tenantId,
+					projectId: requestedProjectId,
+					userId
+				}, "Project not found or access denied");
+				return c.json({
+					error: "Forbidden",
+					message: "You do not have access to this project"
+				}, 403);
+			}
 		}
 	}
 	payload = enforceSecurityFilters(payload, tenantId, requestedProjectId);

package/dist/domains/manage/routes/userOrganizations.d.ts

@@ -1,9 +1,10 @@
 import { ManageAppVariables } from "../../../types/app.js";
-import { OpenAPIHono } from "@hono/zod-openapi";
+import { Hono } from "hono";
+import * as hono_types13 from "hono/types";
 
 //#region src/domains/manage/routes/userOrganizations.d.ts
-declare const userOrganizationsRoutes: OpenAPIHono<{
+declare const userOrganizationsRoutes: Hono<{
   Variables: ManageAppVariables;
-}, {}, "/">;
+}, hono_types13.BlankSchema, "/">;
 //#endregion
 export { userOrganizationsRoutes as default };

package/dist/domains/manage/routes/userOrganizations.js

@@ -1,57 +1,28 @@
 import runDbClient_default from "../../../data/db/runDbClient.js";
-import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
-import { addUserToOrganization, getUserOrganizationsFromDb } from "@inkeep/agents-core";
-import { AddUserToOrganizationRequestSchema, AddUserToOrganizationResponseSchema, UserOrganizationsResponseSchema } from "@inkeep/agents-core/auth/validation";
+import { sessionAuth } from "../../../middleware/sessionAuth.js";
+import { createApiError, getUserOrganizationsFromDb } from "@inkeep/agents-core";
+import { Hono } from "hono";
 
 //#region src/domains/manage/routes/userOrganizations.ts
-const userOrganizationsRoutes = new OpenAPIHono();
-userOrganizationsRoutes.openapi(createRoute({
-	method: "get",
-	path: "/",
-	tags: ["User Organizations"],
-	summary: "List user organizations",
-	description: "Get all organizations associated with a user",
-	request: { params: z.object({ userId: z.string().describe("User ID") }) },
-	responses: { 200: {
-		description: "List of user organizations",
-		content: { "application/json": { schema: UserOrganizationsResponseSchema } }
-	} }
-}), async (c) => {
-	const { userId } = c.req.valid("param");
+const userOrganizationsRoutes = new Hono();
+userOrganizationsRoutes.use("*", sessionAuth());
+userOrganizationsRoutes.get("/", async (c) => {
+	const userId = c.req.param("userId");
+	const authenticatedUserId = c.get("userId");
+	if (!userId) throw createApiError({
+		code: "bad_request",
+		message: "User ID is required"
+	});
+	if (userId !== authenticatedUserId) throw createApiError({
+		code: "forbidden",
+		message: "Cannot access another user's organizations"
+	});
 	const userOrganizations = (await getUserOrganizationsFromDb(runDbClient_default)(userId)).map((org) => ({
 		...org,
 		createdAt: org.createdAt.toISOString()
 	}));
 	return c.json(userOrganizations);
 });
-userOrganizationsRoutes.openapi(createRoute({
-	method: "post",
-	path: "/",
-	tags: ["User Organizations"],
-	summary: "Add user to organization",
-	description: "Associate a user with an organization",
-	request: {
-		params: z.object({ userId: z.string().describe("User ID") }),
-		body: { content: { "application/json": { schema: AddUserToOrganizationRequestSchema } } }
-	},
-	responses: { 201: {
-		description: "User added to organization",
-		content: { "application/json": { schema: AddUserToOrganizationResponseSchema } }
-	} }
-}), async (c) => {
-	const { userId } = c.req.valid("param");
-	const { organizationId, role } = c.req.valid("json");
-	await addUserToOrganization(runDbClient_default)({
-		userId,
-		organizationId,
-		role
-	});
-	return c.json({
-		organizationId,
-		role,
-		createdAt: (/* @__PURE__ */ new Date()).toISOString()
-	}, 201);
-});
 var userOrganizations_default = userOrganizationsRoutes;
 
 //#endregion