@inkeep/agents-api 0.44.0 → 0.45.1

package/dist/domains/manage/routes/userOrganizations.js

@@ -1,57 +1,28 @@
 import runDbClient_default from "../../../data/db/runDbClient.js";
-import { OpenAPIHono, createRoute, z } from "@hono/zod-openapi";
-import { addUserToOrganization, getUserOrganizationsFromDb } from "@inkeep/agents-core";
-import { AddUserToOrganizationRequestSchema, AddUserToOrganizationResponseSchema, UserOrganizationsResponseSchema } from "@inkeep/agents-core/auth/validation";
+import { sessionAuth } from "../../../middleware/sessionAuth.js";
+import { createApiError, getUserOrganizationsFromDb } from "@inkeep/agents-core";
+import { Hono } from "hono";
 
 //#region src/domains/manage/routes/userOrganizations.ts
-const userOrganizationsRoutes = new OpenAPIHono();
-userOrganizationsRoutes.openapi(createRoute({
-	method: "get",
-	path: "/",
-	tags: ["User Organizations"],
-	summary: "List user organizations",
-	description: "Get all organizations associated with a user",
-	request: { params: z.object({ userId: z.string().describe("User ID") }) },
-	responses: { 200: {
-		description: "List of user organizations",
-		content: { "application/json": { schema: UserOrganizationsResponseSchema } }
-	} }
-}), async (c) => {
-	const { userId } = c.req.valid("param");
+const userOrganizationsRoutes = new Hono();
+userOrganizationsRoutes.use("*", sessionAuth());
+userOrganizationsRoutes.get("/", async (c) => {
+	const userId = c.req.param("userId");
+	const authenticatedUserId = c.get("userId");
+	if (!userId) throw createApiError({
+		code: "bad_request",
+		message: "User ID is required"
+	});
+	if (userId !== authenticatedUserId) throw createApiError({
+		code: "forbidden",
+		message: "Cannot access another user's organizations"
+	});
 	const userOrganizations = (await getUserOrganizationsFromDb(runDbClient_default)(userId)).map((org) => ({
 		...org,
 		createdAt: org.createdAt.toISOString()
 	}));
 	return c.json(userOrganizations);
 });
-userOrganizationsRoutes.openapi(createRoute({
-	method: "post",
-	path: "/",
-	tags: ["User Organizations"],
-	summary: "Add user to organization",
-	description: "Associate a user with an organization",
-	request: {
-		params: z.object({ userId: z.string().describe("User ID") }),
-		body: { content: { "application/json": { schema: AddUserToOrganizationRequestSchema } } }
-	},
-	responses: { 201: {
-		description: "User added to organization",
-		content: { "application/json": { schema: AddUserToOrganizationResponseSchema } }
-	} }
-}), async (c) => {
-	const { userId } = c.req.valid("param");
-	const { organizationId, role } = c.req.valid("json");
-	await addUserToOrganization(runDbClient_default)({
-		userId,
-		organizationId,
-		role
-	});
-	return c.json({
-		organizationId,
-		role,
-		createdAt: (/* @__PURE__ */ new Date()).toISOString()
-	}, 201);
-});
 var userOrganizations_default = userOrganizationsRoutes;
 
 //#endregion

package/dist/domains/mcp/routes/mcp.d.ts

@@ -1,7 +1,7 @@
 import { Hono } from "hono";
-import * as hono_types8 from "hono/types";
+import * as hono_types10 from "hono/types";
 
 //#region src/domains/mcp/routes/mcp.d.ts
-declare const app: Hono<hono_types8.BlankEnv, hono_types8.BlankSchema, "/">;
+declare const app: Hono<hono_types10.BlankEnv, hono_types10.BlankSchema, "/">;
 //#endregion
 export { app as default };

package/dist/domains/run/agents/relationTools.d.ts

@@ -1,6 +1,6 @@
 import { AgentConfig, DelegateRelation } from "./Agent.js";
 import { InternalRelation } from "../utils/project.js";
-import * as _inkeep_agents_core2 from "@inkeep/agents-core";
+import * as _inkeep_agents_core1 from "@inkeep/agents-core";
 import { CredentialStoreRegistry, FullExecutionContext } from "@inkeep/agents-core";
 import * as ai0 from "ai";
 
@@ -44,7 +44,7 @@ declare function createDelegateToAgentTool({
   message: string;
 }, {
   toolCallId: any;
-  result: _inkeep_agents_core2.Message | _inkeep_agents_core2.Task;
+  result: _inkeep_agents_core1.Message | _inkeep_agents_core1.Task;
 }>;
 /**
  * Parameters for building a transfer relation config

package/dist/domains/run/agents/relationTools.js

@@ -140,7 +140,8 @@ function createDelegateToAgentTool({ delegateConfig, callingAgentId, executionCo
 			if (activeSpan) activeSpan.setAttributes({
 				[SPAN_KEYS.DELEGATION_FROM_SUB_AGENT_ID]: callingAgentId,
 				[SPAN_KEYS.DELEGATION_TO_SUB_AGENT_ID]: delegateConfig.config.id ?? "unknown",
-				[SPAN_KEYS.DELEGATION_ID]: delegationId
+				[SPAN_KEYS.DELEGATION_ID]: delegationId,
+				[SPAN_KEYS.DELEGATION_TYPE]: delegateConfig.type
 			});
 			if (metadata.streamRequestId) agentSessionManager.recordEvent(metadata.streamRequestId, "delegation_sent", callingAgentId, {
 				delegationId,

package/dist/domains/run/utils/token-estimator.d.ts

@@ -1,4 +1,4 @@
-import * as _inkeep_agents_core1 from "@inkeep/agents-core";
+import * as _inkeep_agents_core3 from "@inkeep/agents-core";
 import { BreakdownComponentDef, ContextBreakdown, calculateBreakdownTotal, createEmptyBreakdown } from "@inkeep/agents-core";
 
 //#region src/domains/run/utils/token-estimator.d.ts
@@ -17,7 +17,7 @@ interface AssembleResult {
   /** The assembled prompt string */
   prompt: string;
   /** Token breakdown for each component */
-  breakdown: _inkeep_agents_core1.ContextBreakdown;
+  breakdown: _inkeep_agents_core3.ContextBreakdown;
 }
 //#endregion
 export { AssembleResult, type BreakdownComponentDef, type ContextBreakdown, calculateBreakdownTotal, createEmptyBreakdown, estimateTokens };

package/dist/env.js

@@ -46,11 +46,11 @@ const envSchema = z.object({
 	ANTHROPIC_API_KEY: z.string().describe("Anthropic API key for Claude models (required for agent execution). Get from https://console.anthropic.com/"),
 	OPENAI_API_KEY: z.string().optional().describe("OpenAI API key for GPT models. Get from https://platform.openai.com/"),
 	GOOGLE_GENERATIVE_AI_API_KEY: z.string().optional().describe("Google Generative AI API key for Gemini models"),
-	GITHUB_APP_ID: z.string().optional(),
-	GITHUB_APP_PRIVATE_KEY: z.string().optional(),
-	GITHUB_WEBHOOK_SECRET: z.string().optional(),
-	GITHUB_STATE_SIGNING_SECRET: z.string().min(32, "GITHUB_STATE_SIGNING_SECRET must be at least 32 characters").optional(),
-	GITHUB_APP_NAME: z.string().optional(),
+	GITHUB_APP_ID: z.string().optional().describe("GitHub App ID for GitHub integration"),
+	GITHUB_APP_PRIVATE_KEY: z.string().optional().describe("GitHub App private key for authentication"),
+	GITHUB_WEBHOOK_SECRET: z.string().optional().describe("Secret for validating GitHub webhook payloads"),
+	GITHUB_STATE_SIGNING_SECRET: z.string().min(32, "GITHUB_STATE_SIGNING_SECRET must be at least 32 characters").optional().describe("Secret for signing GitHub OAuth state (minimum 32 characters)"),
+	GITHUB_APP_NAME: z.string().optional().describe("Name of the GitHub App"),
 	GITHUB_MCP_API_KEY: z.string().optional().describe("API key for the GitHub MCP"),
 	WORKFLOW_TARGET_WORLD: z.string().optional().describe("Target world for workflow execution"),
 	WORKFLOW_POSTGRES_URL: z.string().optional().describe("PostgreSQL connection URL for workflow job queue"),

package/dist/factory.d.ts

@@ -6,7 +6,7 @@ import { CredentialStore, ServerConfig } from "@inkeep/agents-core";
 import * as hono0 from "hono";
 import * as zod0 from "zod";
 import { SSOProviderConfig, UserAuthConfig } from "@inkeep/agents-core/auth";
-import * as hono_types1 from "hono/types";
+import * as hono_types0 from "hono/types";
 import * as better_auth0 from "better-auth";
 import * as better_auth_plugins0 from "better-auth/plugins";
 import * as _better_auth_sso0 from "@better-auth/sso";
@@ -794,25 +794,25 @@ declare function createAgentsAuth(userAuthConfig?: UserAuthConfig): better_auth0
       ac: better_auth_plugins0.AccessControl;
       roles: {
         member: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "invitation" | "member" | "organization" | "project" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"invitation" | "member" | "organization" | "project" | "team" | "ac", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"invitation" | "member" | "organization" | "project" | "team" | "ac", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"invitation" | "member" | "organization" | "project" | "team" | "ac", better_auth_plugins0.Statements>;
         };
         admin: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "invitation" | "member" | "organization" | "project" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"invitation" | "member" | "organization" | "project" | "team" | "ac", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"invitation" | "member" | "organization" | "project" | "team" | "ac", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"invitation" | "member" | "organization" | "project" | "team" | "ac", better_auth_plugins0.Statements>;
         };
         owner: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "invitation" | "member" | "organization" | "project" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"invitation" | "member" | "organization" | "project" | "team" | "ac", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"invitation" | "member" | "organization" | "project" | "team" | "ac", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"invitation" | "member" | "organization" | "project" | "team" | "ac", better_auth_plugins0.Statements>;
         };
       };
       creatorRole: "admin";
@@ -987,7 +987,7 @@ declare function createAgentsAuth(userAuthConfig?: UserAuthConfig): better_auth0
         id: string;
         organizationId: string;
         email: string;
-        role: "member" | "admin" | "owner";
+        role: "member" | "owner" | "admin";
         status: better_auth_plugins0.InvitationStatus;
         inviterId: string;
         expiresAt: Date;
@@ -996,7 +996,7 @@ declare function createAgentsAuth(userAuthConfig?: UserAuthConfig): better_auth0
       Member: {
         id: string;
         organizationId: string;
-        role: "member" | "admin" | "owner";
+        role: "member" | "owner" | "admin";
         createdAt: Date;
         userId: string;
         user: {
@@ -1012,7 +1012,7 @@ declare function createAgentsAuth(userAuthConfig?: UserAuthConfig): better_auth0
         members: {
           id: string;
           organizationId: string;
-          role: "member" | "admin" | "owner";
+          role: "member" | "owner" | "admin";
           createdAt: Date;
           userId: string;
           user: {
@@ -1026,7 +1026,7 @@ declare function createAgentsAuth(userAuthConfig?: UserAuthConfig): better_auth0
           id: string;
           organizationId: string;
           email: string;
-          role: "member" | "admin" | "owner";
+          role: "member" | "owner" | "admin";
           status: better_auth_plugins0.InvitationStatus;
           inviterId: string;
           expiresAt: Date;
@@ -1104,25 +1104,25 @@ declare function createAgentsAuth(userAuthConfig?: UserAuthConfig): better_auth0
       ac: better_auth_plugins0.AccessControl;
       roles: {
         member: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "invitation" | "member" | "organization" | "project" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"invitation" | "member" | "organization" | "project" | "team" | "ac", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"invitation" | "member" | "organization" | "project" | "team" | "ac", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"invitation" | "member" | "organization" | "project" | "team" | "ac", better_auth_plugins0.Statements>;
         };
         admin: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "invitation" | "member" | "organization" | "project" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"invitation" | "member" | "organization" | "project" | "team" | "ac", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"invitation" | "member" | "organization" | "project" | "team" | "ac", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"invitation" | "member" | "organization" | "project" | "team" | "ac", better_auth_plugins0.Statements>;
         };
         owner: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key] | {
-            actions: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>[key];
+          authorize<K_1 extends "invitation" | "member" | "organization" | "project" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins0.Subset<"invitation" | "member" | "organization" | "project" | "team" | "ac", better_auth_plugins0.Statements>[key] | {
+            actions: better_auth_plugins0.Subset<"invitation" | "member" | "organization" | "project" | "team" | "ac", better_auth_plugins0.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins0.AuthorizeResponse;
-          statements: better_auth_plugins0.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins0.Statements>;
+          statements: better_auth_plugins0.Subset<"invitation" | "member" | "organization" | "project" | "team" | "ac", better_auth_plugins0.Statements>;
         };
       };
       creatorRole: "admin";
@@ -1536,6 +1536,6 @@ declare function createAgentsApp(config?: {
   credentialStores?: CredentialStore[];
   auth?: UserAuthConfig;
   sandboxConfig?: SandboxConfig;
-}): hono0.Hono<hono_types1.BlankEnv, hono_types1.BlankSchema, "/">;
+}): hono0.Hono<hono_types0.BlankEnv, hono_types0.BlankSchema, "/">;
 //#endregion
 export { type SSOProviderConfig, type UserAuthConfig, createAgentsApp, createAgentsAuth, createAgentsHono, createAuth0Provider, createOIDCProvider };

package/dist/index.d.ts

@@ -7,7 +7,7 @@ import { createAuth0Provider, createOIDCProvider } from "./ssoHelpers.js";
 import { SSOProviderConfig, UserAuthConfig, createAgentsApp } from "./factory.js";
 import { Hono } from "hono";
 import * as zod205 from "zod";
-import * as hono_types3 from "hono/types";
+import * as hono_types1 from "hono/types";
 import * as better_auth78 from "better-auth";
 import * as better_auth_plugins69 from "better-auth/plugins";
 import * as _better_auth_sso10 from "@better-auth/sso";
@@ -795,25 +795,25 @@ declare const auth: better_auth78.Auth<{
       ac: better_auth_plugins69.AccessControl;
       roles: {
         member: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key] | {
-            actions: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key];
+          authorize<K_1 extends "invitation" | "member" | "organization" | "project" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"invitation" | "member" | "organization" | "project" | "team" | "ac", better_auth_plugins69.Statements>[key] | {
+            actions: better_auth_plugins69.Subset<"invitation" | "member" | "organization" | "project" | "team" | "ac", better_auth_plugins69.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins69.AuthorizeResponse;
-          statements: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>;
+          statements: better_auth_plugins69.Subset<"invitation" | "member" | "organization" | "project" | "team" | "ac", better_auth_plugins69.Statements>;
         };
         admin: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key] | {
-            actions: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key];
+          authorize<K_1 extends "invitation" | "member" | "organization" | "project" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"invitation" | "member" | "organization" | "project" | "team" | "ac", better_auth_plugins69.Statements>[key] | {
+            actions: better_auth_plugins69.Subset<"invitation" | "member" | "organization" | "project" | "team" | "ac", better_auth_plugins69.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins69.AuthorizeResponse;
-          statements: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>;
+          statements: better_auth_plugins69.Subset<"invitation" | "member" | "organization" | "project" | "team" | "ac", better_auth_plugins69.Statements>;
         };
         owner: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key] | {
-            actions: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key];
+          authorize<K_1 extends "invitation" | "member" | "organization" | "project" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"invitation" | "member" | "organization" | "project" | "team" | "ac", better_auth_plugins69.Statements>[key] | {
+            actions: better_auth_plugins69.Subset<"invitation" | "member" | "organization" | "project" | "team" | "ac", better_auth_plugins69.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins69.AuthorizeResponse;
-          statements: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>;
+          statements: better_auth_plugins69.Subset<"invitation" | "member" | "organization" | "project" | "team" | "ac", better_auth_plugins69.Statements>;
         };
       };
       creatorRole: "admin";
@@ -988,7 +988,7 @@ declare const auth: better_auth78.Auth<{
         id: string;
         organizationId: string;
         email: string;
-        role: "member" | "admin" | "owner";
+        role: "member" | "owner" | "admin";
         status: better_auth_plugins69.InvitationStatus;
         inviterId: string;
         expiresAt: Date;
@@ -997,7 +997,7 @@ declare const auth: better_auth78.Auth<{
       Member: {
         id: string;
         organizationId: string;
-        role: "member" | "admin" | "owner";
+        role: "member" | "owner" | "admin";
         createdAt: Date;
         userId: string;
         user: {
@@ -1013,7 +1013,7 @@ declare const auth: better_auth78.Auth<{
         members: {
           id: string;
           organizationId: string;
-          role: "member" | "admin" | "owner";
+          role: "member" | "owner" | "admin";
           createdAt: Date;
           userId: string;
           user: {
@@ -1027,7 +1027,7 @@ declare const auth: better_auth78.Auth<{
           id: string;
           organizationId: string;
           email: string;
-          role: "member" | "admin" | "owner";
+          role: "member" | "owner" | "admin";
           status: better_auth_plugins69.InvitationStatus;
           inviterId: string;
           expiresAt: Date;
@@ -1105,25 +1105,25 @@ declare const auth: better_auth78.Auth<{
       ac: better_auth_plugins69.AccessControl;
       roles: {
         member: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key] | {
-            actions: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key];
+          authorize<K_1 extends "invitation" | "member" | "organization" | "project" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"invitation" | "member" | "organization" | "project" | "team" | "ac", better_auth_plugins69.Statements>[key] | {
+            actions: better_auth_plugins69.Subset<"invitation" | "member" | "organization" | "project" | "team" | "ac", better_auth_plugins69.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins69.AuthorizeResponse;
-          statements: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>;
+          statements: better_auth_plugins69.Subset<"invitation" | "member" | "organization" | "project" | "team" | "ac", better_auth_plugins69.Statements>;
         };
         admin: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key] | {
-            actions: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key];
+          authorize<K_1 extends "invitation" | "member" | "organization" | "project" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"invitation" | "member" | "organization" | "project" | "team" | "ac", better_auth_plugins69.Statements>[key] | {
+            actions: better_auth_plugins69.Subset<"invitation" | "member" | "organization" | "project" | "team" | "ac", better_auth_plugins69.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins69.AuthorizeResponse;
-          statements: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>;
+          statements: better_auth_plugins69.Subset<"invitation" | "member" | "organization" | "project" | "team" | "ac", better_auth_plugins69.Statements>;
         };
         owner: {
-          authorize<K_1 extends "organization" | "member" | "invitation" | "ac" | "project" | "team">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key] | {
-            actions: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>[key];
+          authorize<K_1 extends "invitation" | "member" | "organization" | "project" | "team" | "ac">(request: K_1 extends infer T extends K ? { [key in T]?: better_auth_plugins69.Subset<"invitation" | "member" | "organization" | "project" | "team" | "ac", better_auth_plugins69.Statements>[key] | {
+            actions: better_auth_plugins69.Subset<"invitation" | "member" | "organization" | "project" | "team" | "ac", better_auth_plugins69.Statements>[key];
             connector: "OR" | "AND";
           } | undefined } : never, connector?: "OR" | "AND"): better_auth_plugins69.AuthorizeResponse;
-          statements: better_auth_plugins69.Subset<"organization" | "member" | "invitation" | "ac" | "project" | "team", better_auth_plugins69.Statements>;
+          statements: better_auth_plugins69.Subset<"invitation" | "member" | "organization" | "project" | "team" | "ac", better_auth_plugins69.Statements>;
         };
       };
       creatorRole: "admin";
@@ -1532,6 +1532,6 @@ declare const auth: better_auth78.Auth<{
     }>;
   }];
 }>;
-declare const app: Hono<hono_types3.BlankEnv, hono_types3.BlankSchema, "/">;
+declare const app: Hono<hono_types1.BlankEnv, hono_types1.BlankSchema, "/">;
 //#endregion
 export { type AppConfig, type AppVariables, Hono, type NativeSandboxConfig, type SSOProviderConfig, type SandboxConfig, type UserAuthConfig, type VercelSandboxConfig, auth, createAgentsApp, createAgentsHono, createAuth0Provider, createOIDCProvider, app as default };

package/dist/middleware/evalsAuth.d.ts

@@ -1,5 +1,5 @@
 import { BaseExecutionContext } from "@inkeep/agents-core";
-import * as hono2 from "hono";
+import * as hono1 from "hono";
 
 //#region src/middleware/evalsAuth.d.ts
 
@@ -7,7 +7,7 @@ import * as hono2 from "hono";
  * Middleware to authenticate API requests using Bearer token authentication
  * First checks if token matches INKEEP_AGENTS_EVAL_API_BYPASS_SECRET,
  */
-declare const evalApiKeyAuth: () => hono2.MiddlewareHandler<{
+declare const evalApiKeyAuth: () => hono1.MiddlewareHandler<{
   Variables: {
     executionContext: BaseExecutionContext;
   };

package/dist/middleware/manageAuth.d.ts

@@ -1,5 +1,5 @@
 import { BaseExecutionContext } from "@inkeep/agents-core";
-import * as hono3 from "hono";
+import * as hono2 from "hono";
 import { createAuth } from "@inkeep/agents-core/auth";
 
 //#region src/middleware/manageAuth.d.ts
@@ -12,7 +12,7 @@ import { createAuth } from "@inkeep/agents-core/auth";
  * 3. Database API key
  * 4. Internal service token
  */
-declare const manageApiKeyAuth: () => hono3.MiddlewareHandler<{
+declare const manageApiKeyAuth: () => hono2.MiddlewareHandler<{
   Variables: {
     executionContext: BaseExecutionContext;
     userId?: string;

package/dist/middleware/requirePermission.d.ts

@@ -1,5 +1,5 @@
 import { ManageAppVariables } from "../types/app.js";
-import * as hono8 from "hono";
+import * as hono7 from "hono";
 
 //#region src/middleware/requirePermission.d.ts
 type Permission = {
@@ -9,6 +9,6 @@ declare const requirePermission: <Env$1 extends {
   Variables: ManageAppVariables;
 } = {
   Variables: ManageAppVariables;
-}>(permissions: Permission) => hono8.MiddlewareHandler<Env$1, string, {}, Response>;
+}>(permissions: Permission) => hono7.MiddlewareHandler<Env$1, string, {}, Response>;
 //#endregion
 export { requirePermission };

package/dist/middleware/runAuth.d.ts

@@ -1,8 +1,8 @@
 import { BaseExecutionContext } from "@inkeep/agents-core";
-import * as hono9 from "hono";
+import * as hono8 from "hono";
 
 //#region src/middleware/runAuth.d.ts
-declare const runApiKeyAuth: () => hono9.MiddlewareHandler<{
+declare const runApiKeyAuth: () => hono8.MiddlewareHandler<{
   Variables: {
     executionContext: BaseExecutionContext;
   };
@@ -11,7 +11,7 @@ declare const runApiKeyAuth: () => hono9.MiddlewareHandler<{
  * Creates a middleware that applies API key authentication except for specified route patterns
  * @param skipRouteCheck - Function that returns true if the route should skip authentication
  */
-declare const runApiKeyAuthExcept: (skipRouteCheck: (path: string) => boolean) => hono9.MiddlewareHandler<{
+declare const runApiKeyAuthExcept: (skipRouteCheck: (path: string) => boolean) => hono8.MiddlewareHandler<{
   Variables: {
     executionContext: BaseExecutionContext;
   };
@@ -20,7 +20,7 @@ declare const runApiKeyAuthExcept: (skipRouteCheck: (path: string) => boolean) =
  * Helper middleware for endpoints that optionally support API key authentication
  * If no auth header is present, it continues without setting the executionContext
  */
-declare const runOptionalAuth: () => hono9.MiddlewareHandler<{
+declare const runOptionalAuth: () => hono8.MiddlewareHandler<{
   Variables: {
     executionContext?: BaseExecutionContext;
   };

package/dist/middleware/runAuth.js

@@ -2,7 +2,7 @@ import { getLogger as getLogger$1 } from "../logger.js";
 import { env } from "../env.js";
 import runDbClient_default from "../data/db/runDbClient.js";
 import { createBaseExecutionContext } from "../types/runExecutionContext.js";
-import { validateAndGetApiKey, validateTargetAgent, verifyServiceToken, verifyTempToken } from "@inkeep/agents-core";
+import { canUseProjectStrict, validateAndGetApiKey, validateTargetAgent, verifyServiceToken, verifyTempToken } from "@inkeep/agents-core";
 import { createMiddleware } from "hono/factory";
 import { HTTPException } from "hono/http-exception";
 
@@ -51,21 +51,56 @@ function buildExecutionContext(authResult, reqData) {
 }
 /**
 * Attempts to authenticate using a JWT temporary token
+*
+* Throws HTTPException(403) if the JWT is valid but the user lacks permission.
+* Returns null if the token is not a temp JWT (allowing fallback to other auth methods).
 */
 async function tryTempJwtAuth(apiKey) {
 	if (!apiKey.startsWith("eyJ") || !env.INKEEP_AGENTS_TEMP_JWT_PUBLIC_KEY) return null;
 	try {
 		const payload = await verifyTempToken(Buffer.from(env.INKEEP_AGENTS_TEMP_JWT_PUBLIC_KEY, "base64").toString("utf-8"), apiKey);
-		logger.info({}, "JWT temp token authenticated successfully");
+		const userId = payload.sub;
+		const projectId = payload.projectId;
+		const agentId = payload.agentId;
+		if (!projectId || !agentId) {
+			logger.warn({ userId }, "Missing projectId or agentId in JWT");
+			throw new HTTPException(400, { message: "Invalid token: missing projectId or agentId" });
+		}
+		let canUse;
+		try {
+			canUse = await canUseProjectStrict({
+				userId,
+				projectId
+			});
+		} catch (error) {
+			logger.error({
+				error,
+				userId,
+				projectId
+			}, "SpiceDB permission check failed");
+			throw new HTTPException(503, { message: "Authorization service temporarily unavailable" });
+		}
+		if (!canUse) {
+			logger.warn({
+				userId,
+				projectId
+			}, "User does not have use permission on project");
+			throw new HTTPException(403, { message: "Access denied: insufficient permissions" });
+		}
+		logger.info({
+			projectId,
+			agentId
+		}, "JWT temp token authenticated successfully");
 		return {
 			apiKey,
 			tenantId: payload.tenantId,
-			projectId: payload.projectId,
-			agentId: payload.agentId,
+			projectId,
+			agentId,
 			apiKeyId: "temp-jwt",
 			metadata: { initiatedBy: payload.initiatedBy }
 		};
 	} catch (error) {
+		if (error instanceof HTTPException) throw error;
 		logger.debug({ error }, "JWT verification failed");
 		return null;
 	}

package/dist/middleware/sessionAuth.d.ts

@@ -1,4 +1,4 @@
-import * as hono12 from "hono";
+import * as hono11 from "hono";
 
 //#region src/middleware/sessionAuth.d.ts
 
@@ -7,11 +7,11 @@ import * as hono12 from "hono";
  * Requires that a user has already been authenticated via Better Auth session.
  * Used primarily for manage routes that require an active user session.
  */
-declare const sessionAuth: () => hono12.MiddlewareHandler<any, string, {}, Response>;
+declare const sessionAuth: () => hono11.MiddlewareHandler<any, string, {}, Response>;
 /**
  * Global session middleware - sets user and session in context for all routes
  * Used for all routes that require an active user session.
  */
-declare const sessionContext: () => hono12.MiddlewareHandler<any, string, {}, Response>;
+declare const sessionContext: () => hono11.MiddlewareHandler<any, string, {}, Response>;
 //#endregion
 export { sessionAuth, sessionContext };

package/dist/openapi.d.ts

@@ -20,7 +20,6 @@ declare const TagToDescription: {
   'Function Tools': string;
   Functions: string;
   GitHub: string;
-  Invitations: string;
   MCP: string;
   'MCP Catalog': string;
   OAuth: string;
@@ -32,7 +31,6 @@ declare const TagToDescription: {
   'Third-Party MCP Servers': string;
   Tools: string;
   Triggers: string;
-  'User Organizations': string;
   'User Project Memberships': string;
   Webhooks: string;
   Workflows: string;

package/dist/openapi.js

@@ -19,7 +19,6 @@ const TagToDescription = {
 	"Function Tools": "Operations for managing function tools",
 	Functions: "Operations for managing functions",
 	GitHub: "GitHub App integration endpoints",
-	Invitations: "Operations for managing invitations",
 	MCP: "MCP (Model Context Protocol) endpoints",
 	"MCP Catalog": "Operations for MCP catalog",
 	OAuth: "OAuth authentication endpoints",
@@ -31,7 +30,6 @@ const TagToDescription = {
 	"Third-Party MCP Servers": "Operations for managing third-party MCP servers",
 	Tools: "Operations for managing MCP tools",
 	Triggers: "Operations for managing triggers",
-	"User Organizations": "Operations for managing user organizations",
 	"User Project Memberships": "Operations for managing user project memberships",
 	Webhooks: "Webhook endpoints",
 	Workflows: "Workflow trigger endpoints"