@inkeep/agents-core 0.0.0-dev-20260202155313 → 0.0.0-dev-20260203023016

package/dist/db/runtime/runtime-schema.js

@@ -1,7 +1,7 @@
 import { __exportAll } from "../../_virtual/rolldown_runtime.js";
 import { account, deviceCode, invitation, member, organization, session, ssoProvider, user, verification } from "../../auth/auth-schema.js";
 import { relations } from "drizzle-orm";
-import { foreignKey, index, jsonb, pgTable, primaryKey, text, timestamp, unique, varchar } from "drizzle-orm/pg-core";
+import { boolean, foreignKey, index, jsonb, pgTable, primaryKey, text, timestamp, unique, varchar } from "drizzle-orm/pg-core";
 
 //#region src/db/runtime/runtime-schema.ts
 var runtime_schema_exports = /* @__PURE__ */ __exportAll({
@@ -31,11 +31,24 @@ var runtime_schema_exports = /* @__PURE__ */ __exportAll({
 	tasksRelations: () => tasksRelations,
 	triggerInvocations: () => triggerInvocations,
 	user: () => user,
-	verification: () => verification
+	verification: () => verification,
+	workAppGitHubInstallations: () => workAppGitHubInstallations,
+	workAppGitHubInstallationsRelations: () => workAppGitHubInstallationsRelations,
+	workAppGitHubMcpToolAccessMode: () => workAppGitHubMcpToolAccessMode,
+	workAppGitHubMcpToolRepositoryAccess: () => workAppGitHubMcpToolRepositoryAccess,
+	workAppGitHubMcpToolRepositoryAccessRelations: () => workAppGitHubMcpToolRepositoryAccessRelations,
+	workAppGitHubProjectAccessMode: () => workAppGitHubProjectAccessMode,
+	workAppGitHubProjectRepositoryAccess: () => workAppGitHubProjectRepositoryAccess,
+	workAppGitHubProjectRepositoryAccessRelations: () => workAppGitHubProjectRepositoryAccessRelations,
+	workAppGitHubRepositories: () => workAppGitHubRepositories,
+	workAppGitHubRepositoriesRelations: () => workAppGitHubRepositoriesRelations
 });
-const projectScoped = {
+const tenantScoped = {
 	tenantId: varchar("tenant_id", { length: 256 }).notNull(),
-	id: varchar("id", { length: 256 }).notNull(),
+	id: varchar("id", { length: 256 }).notNull()
+};
+const projectScoped = {
+	...tenantScoped,
 	projectId: varchar("project_id", { length: 256 }).notNull()
 };
 const agentScoped = {
@@ -478,6 +491,161 @@ const ledgerArtifactsRelations = relations(ledgerArtifacts, ({ one }) => ({ task
 	fields: [ledgerArtifacts.taskId],
 	references: [tasks.id]
 }) }));
+/**
+* Tracks GitHub App installations linked to tenants.
+* One tenant can have multiple installations (e.g., multiple orgs).
+* The installation_id is the GitHub-assigned ID, unique across all GitHub.
+*/
+const workAppGitHubInstallations = pgTable("work_app_github_installations", {
+	...tenantScoped,
+	installationId: text("installation_id").notNull().unique(),
+	accountLogin: varchar("account_login", { length: 256 }).notNull(),
+	accountId: text("account_id").notNull(),
+	accountType: varchar("account_type", { length: 20 }).$type().notNull(),
+	status: varchar("status", { length: 20 }).$type().notNull().default("active"),
+	...timestamps
+}, (table) => [
+	index("work_app_github_installations_tenant_idx").on(table.tenantId),
+	index("work_app_github_installations_installation_id_idx").on(table.installationId),
+	foreignKey({
+		columns: [table.tenantId],
+		foreignColumns: [organization.id],
+		name: "work_app_github_installations_organization_fk"
+	}).onDelete("cascade")
+]);
+/**
+* Repositories accessible through a GitHub App installation.
+* These are synced from GitHub when the app is installed or updated.
+* The repository_id is the GitHub-assigned ID, unique across all GitHub.
+*/
+const workAppGitHubRepositories = pgTable("work_app_github_repositories", {
+	id: varchar("id", { length: 256 }).primaryKey(),
+	installationDbId: varchar("installation_db_id", { length: 256 }).notNull(),
+	repositoryId: text("repository_id").notNull(),
+	repositoryName: varchar("repository_name", { length: 256 }).notNull(),
+	repositoryFullName: varchar("repository_full_name", { length: 512 }).notNull(),
+	private: boolean("private").notNull().default(false),
+	...timestamps
+}, (table) => [
+	index("work_app_github_repositories_installation_idx").on(table.installationDbId),
+	index("work_app_github_repositories_full_name_idx").on(table.repositoryFullName),
+	unique("work_app_github_repositories_repo_installation_unique").on(table.installationDbId, table.repositoryId),
+	foreignKey({
+		columns: [table.installationDbId],
+		foreignColumns: [workAppGitHubInstallations.id],
+		name: "work_app_github_repositories_installation_fk"
+	}).onDelete("cascade")
+]);
+/**
+* Links projects to specific GitHub repositories for fine-grained access control.
+* When a project has entries here, only the listed repositories are accessible.
+* When no entries exist for a project, all tenant repositories are accessible (mode='all').
+* The tenant_id and project_id reference the projects table in the manage schema
+* (cross-schema, no FK constraint for project). tenant_id is included because
+* project IDs are only unique within a tenant.
+*/
+const workAppGitHubProjectRepositoryAccess = pgTable("work_app_github_project_repository_access", {
+	...projectScoped,
+	repositoryDbId: varchar("repository_db_id", { length: 256 }).notNull(),
+	...timestamps
+}, (table) => [
+	index("work_app_github_project_repository_access_tenant_idx").on(table.tenantId),
+	index("work_app_github_project_repository_access_project_idx").on(table.projectId),
+	unique("work_app_github_project_repository_access_unique").on(table.tenantId, table.projectId, table.repositoryDbId),
+	foreignKey({
+		columns: [table.tenantId],
+		foreignColumns: [organization.id],
+		name: "work_app_github_project_repository_access_tenant_fk"
+	}).onDelete("cascade"),
+	foreignKey({
+		columns: [table.repositoryDbId],
+		foreignColumns: [workAppGitHubRepositories.id],
+		name: "work_app_github_project_repository_access_repo_fk"
+	}).onDelete("cascade")
+]);
+/**
+* Links MCP tools to specific GitHub repositories for repository-scoped access.
+* When an MCP tool has entries here, only the listed repositories are accessible to that tool.
+* The tool_id, tenant_id, and project_id reference the tools table in the manage schema
+* (cross-schema, no FK constraint). These are denormalized here so all GitHub access
+* info can be queried from PostgreSQL alone.
+*/
+const workAppGitHubMcpToolRepositoryAccess = pgTable("work_app_github_mcp_tool_repository_access", {
+	...projectScoped,
+	toolId: varchar("tool_id", { length: 256 }).notNull(),
+	repositoryDbId: varchar("repository_db_id", { length: 256 }).notNull(),
+	...timestamps
+}, (table) => [
+	index("work_app_github_mcp_tool_repository_access_tool_idx").on(table.toolId),
+	index("work_app_github_mcp_tool_repository_access_tenant_idx").on(table.tenantId),
+	index("work_app_github_mcp_tool_repository_access_project_idx").on(table.projectId),
+	unique("work_app_github_mcp_tool_repository_access_unique").on(table.toolId, table.repositoryDbId),
+	foreignKey({
+		columns: [table.tenantId],
+		foreignColumns: [organization.id],
+		name: "work_app_github_mcp_tool_repository_access_tenant_fk"
+	}).onDelete("cascade"),
+	foreignKey({
+		columns: [table.repositoryDbId],
+		foreignColumns: [workAppGitHubRepositories.id],
+		name: "work_app_github_mcp_tool_repository_access_repo_fk"
+	}).onDelete("cascade")
+]);
+/**
+* Stores the explicit access mode for project-level GitHub repository access.
+* - 'all': Project has access to all repositories from tenant GitHub installations
+* - 'selected': Project only has access to repositories listed in work_app_github_project_repository_access
+* If no row exists for a project, defaults to 'selected' (fail-safe: no access unless explicitly granted).
+*/
+const workAppGitHubProjectAccessMode = pgTable("work_app_github_project_access_mode", {
+	tenantId: varchar("tenant_id", { length: 256 }).notNull(),
+	projectId: varchar("project_id", { length: 256 }).notNull(),
+	mode: varchar("mode", { length: 20 }).$type().notNull(),
+	...timestamps
+}, (table) => [primaryKey({ columns: [table.tenantId, table.projectId] }), foreignKey({
+	columns: [table.tenantId],
+	foreignColumns: [organization.id],
+	name: "work_app_github_project_access_mode_tenant_fk"
+}).onDelete("cascade")]);
+/**
+* Stores the explicit access mode for MCP tool-level GitHub repository access.
+* - 'all': Tool has access to all repositories the project has access to
+* - 'selected': Tool only has access to repositories listed in work_app_github_mcp_tool_repository_access
+* If no row exists for a tool, defaults to 'selected' (fail-safe: no access unless explicitly granted).
+*/
+const workAppGitHubMcpToolAccessMode = pgTable("work_app_github_mcp_tool_access_mode", {
+	toolId: varchar("tool_id", { length: 256 }).notNull(),
+	tenantId: varchar("tenant_id", { length: 256 }).notNull(),
+	projectId: varchar("project_id", { length: 256 }).notNull(),
+	mode: varchar("mode", { length: 20 }).$type().notNull(),
+	...timestamps
+}, (table) => [
+	primaryKey({ columns: [table.toolId] }),
+	index("work_app_github_mcp_tool_access_mode_tenant_idx").on(table.tenantId),
+	index("work_app_github_mcp_tool_access_mode_project_idx").on(table.projectId),
+	foreignKey({
+		columns: [table.tenantId],
+		foreignColumns: [organization.id],
+		name: "work_app_github_mcp_tool_access_mode_tenant_fk"
+	}).onDelete("cascade")
+]);
+const workAppGitHubInstallationsRelations = relations(workAppGitHubInstallations, ({ many }) => ({ repositories: many(workAppGitHubRepositories) }));
+const workAppGitHubRepositoriesRelations = relations(workAppGitHubRepositories, ({ one, many }) => ({
+	installation: one(workAppGitHubInstallations, {
+		fields: [workAppGitHubRepositories.installationDbId],
+		references: [workAppGitHubInstallations.id]
+	}),
+	projectAccess: many(workAppGitHubProjectRepositoryAccess),
+	mcpToolAccess: many(workAppGitHubMcpToolRepositoryAccess)
+}));
+const workAppGitHubProjectRepositoryAccessRelations = relations(workAppGitHubProjectRepositoryAccess, ({ one }) => ({ repository: one(workAppGitHubRepositories, {
+	fields: [workAppGitHubProjectRepositoryAccess.repositoryDbId],
+	references: [workAppGitHubRepositories.id]
+}) }));
+const workAppGitHubMcpToolRepositoryAccessRelations = relations(workAppGitHubMcpToolRepositoryAccess, ({ one }) => ({ repository: one(workAppGitHubRepositories, {
+	fields: [workAppGitHubMcpToolRepositoryAccess.repositoryDbId],
+	references: [workAppGitHubRepositories.id]
+}) }));
 
 //#endregion
-export { account, apiKeys, contextCache, conversations, conversationsRelations, datasetRun, datasetRunConversationRelations, deviceCode, evaluationResult, evaluationRun, invitation, ledgerArtifacts, ledgerArtifactsRelations, member, messages, messagesRelations, organization, projectMetadata, runtime_schema_exports, session, ssoProvider, taskRelations, taskRelationsRelations, tasks, tasksRelations, triggerInvocations, user, verification };
+export { account, apiKeys, contextCache, conversations, conversationsRelations, datasetRun, datasetRunConversationRelations, deviceCode, evaluationResult, evaluationRun, invitation, ledgerArtifacts, ledgerArtifactsRelations, member, messages, messagesRelations, organization, projectMetadata, runtime_schema_exports, session, ssoProvider, taskRelations, taskRelationsRelations, tasks, tasksRelations, triggerInvocations, user, verification, workAppGitHubInstallations, workAppGitHubInstallationsRelations, workAppGitHubMcpToolAccessMode, workAppGitHubMcpToolRepositoryAccess, workAppGitHubMcpToolRepositoryAccessRelations, workAppGitHubProjectAccessMode, workAppGitHubProjectRepositoryAccess, workAppGitHubProjectRepositoryAccessRelations, workAppGitHubRepositories, workAppGitHubRepositoriesRelations };

package/dist/dolt/branch.js

@@ -1,5 +1,5 @@
-import { doltHashOf } from "./commit.js";
 import { resolveRef } from "./ref-helpers.js";
+import { doltHashOf } from "./commit.js";
 import { sql } from "drizzle-orm";
 import { logger } from "@composio/core";
 

package/dist/dolt/branches-api.js

@@ -1,5 +1,5 @@
-import { SCHEMA_SOURCE_BRANCH, ensureSchemaSync, getSchemaDiff, syncSchemaFromMain } from "./schema-sync.js";
 import { doltBranch, doltCheckout, doltDeleteBranch, doltGetBranchNamespace, doltListBranches } from "./branch.js";
+import { SCHEMA_SOURCE_BRANCH, ensureSchemaSync, getSchemaDiff, syncSchemaFromMain } from "./schema-sync.js";
 import { sql } from "drizzle-orm";
 
 //#region src/dolt/branches-api.ts

package/dist/dolt/index.js

@@ -1,9 +1,9 @@
-import { doltAdd, doltAddAndCommit, doltCommit, doltDeleteTag, doltHashOf, doltListTags, doltLog, doltReset, doltStatus, doltTag } from "./commit.js";
-import { doltAbortMerge, doltConflicts, doltMerge, doltMergeStatus, doltResolveConflicts, doltSchemaConflicts, doltTableConflicts } from "./merge.js";
-import { SCHEMA_SOURCE_BRANCH, areBranchesSchemaCompatible, ensureSchemaSync, formatSchemaDiffSummary, getActiveBranch, getSchemaDiff, hasSchemaDifferences, hasUncommittedChanges, isLocalhostUrl, syncSchemaFromMain } from "./schema-sync.js";
 import { MAIN_BRANCH_SUFFIX, checkoutBranch, createBranch, deleteBranch, getBranch, getTenantMainBranch, isProtectedBranchName, listBranches, listBranchesForAgent } from "./branches-api.js";
 import { checkoutRef, getCurrentBranchOrCommit, getProjectMainResolvedRef, getProjectScopedRef, getTenantScopedRef, isRefWritable, isValidCommitHash, resolveRef } from "./ref-helpers.js";
 import { doltActiveBranch, doltBranch, doltBranchExists, doltCheckout, doltDeleteBranch, doltGetBranchNamespace, doltListBranches, doltRenameBranch, ensureBranchExists } from "./branch.js";
+import { doltAdd, doltAddAndCommit, doltCommit, doltDeleteTag, doltHashOf, doltListTags, doltLog, doltReset, doltStatus, doltTag } from "./commit.js";
+import { doltAbortMerge, doltConflicts, doltMerge, doltMergeStatus, doltResolveConflicts, doltSchemaConflicts, doltTableConflicts } from "./merge.js";
+import { SCHEMA_SOURCE_BRANCH, areBranchesSchemaCompatible, ensureSchemaSync, formatSchemaDiffSummary, getActiveBranch, getSchemaDiff, hasSchemaDifferences, hasUncommittedChanges, isLocalhostUrl, syncSchemaFromMain } from "./schema-sync.js";
 import { doltDiff, doltDiffSummary } from "./diff.js";
 import { createRefMiddleware, createWriteProtectionMiddleware, refMiddlewareFactory, writeProtectionMiddlewareFactory } from "./ref-middleware.js";
 import { NestedRefScopeError, getCurrentRefScope, getRefScopedDb, isInRefScope, withRef } from "./ref-scope.js";

package/dist/dolt/migrate-all-branches.js

@@ -1,7 +1,7 @@
 import { loadEnvironmentFiles } from "../env.js";
 import { createAgentsManageDatabaseClient } from "../db/manage/manage-client.js";
-import { syncSchemaFromMain } from "./schema-sync.js";
 import { doltCheckout, doltListBranches } from "./branch.js";
+import { syncSchemaFromMain } from "./schema-sync.js";
 import { confirmMigration } from "../db/utils.js";
 
 //#region src/dolt/migrate-all-branches.ts

package/dist/dolt/ref-helpers.js

@@ -1,6 +1,6 @@
-import { doltHashOf, doltListTags } from "./commit.js";
 import { checkoutBranch } from "./branches-api.js";
 import { doltListBranches } from "./branch.js";
+import { doltHashOf, doltListTags } from "./commit.js";
 import { sql } from "drizzle-orm";
 
 //#region src/dolt/ref-helpers.ts

package/dist/dolt/ref-middleware.js

@@ -1,7 +1,7 @@
 import { getLogger } from "../utils/logger.js";
-import { createApiError } from "../utils/error.js";
 import { isRefWritable, resolveRef } from "./ref-helpers.js";
 import { ensureBranchExists } from "./branch.js";
+import { createApiError } from "../utils/error.js";
 
 //#region src/dolt/ref-middleware.ts
 const logger = getLogger("ref-middleware");

package/dist/dolt/ref-scope.js

@@ -1,8 +1,8 @@
 import { manage_schema_exports } from "../db/manage/manage-schema.js";
 import { getLogger } from "../utils/logger.js";
 import { generateId } from "../utils/conversations.js";
-import { doltAddAndCommit, doltReset, doltStatus } from "./commit.js";
 import { checkoutBranch } from "./branches-api.js";
+import { doltAddAndCommit, doltReset, doltStatus } from "./commit.js";
 import { drizzle } from "drizzle-orm/node-postgres";
 import { AsyncLocalStorage } from "node:async_hooks";
 

package/dist/env.d.ts

@@ -18,6 +18,7 @@ declare const envSchema: z.ZodObject<{
   BETTER_AUTH_SECRET: z.ZodOptional<z.ZodString>;
   TRUSTED_ORIGIN: z.ZodOptional<z.ZodString>;
   OAUTH_PROXY_PRODUCTION_URL: z.ZodOptional<z.ZodString>;
+  GITHUB_MCP_API_KEY: z.ZodOptional<z.ZodString>;
 }, z.core.$strip>;
 declare const env: {
   ENVIRONMENT?: "development" | "production" | "pentest" | "test" | undefined;
@@ -30,6 +31,7 @@ declare const env: {
   BETTER_AUTH_SECRET?: string | undefined;
   TRUSTED_ORIGIN?: string | undefined;
   OAUTH_PROXY_PRODUCTION_URL?: string | undefined;
+  GITHUB_MCP_API_KEY?: string | undefined;
 };
 type Env = z.infer<typeof envSchema>;
 //#endregion

package/dist/env.js

@@ -46,7 +46,8 @@ const envSchema = z.object({
 	INKEEP_AGENTS_API_URL: z.string().optional(),
 	BETTER_AUTH_SECRET: z.string().optional(),
 	TRUSTED_ORIGIN: z.string().optional(),
-	OAUTH_PROXY_PRODUCTION_URL: z.string().optional()
+	OAUTH_PROXY_PRODUCTION_URL: z.string().optional(),
+	GITHUB_MCP_API_KEY: z.string().optional()
 });
 const parseEnv = () => {
 	try {