@inkeep/agents-core 0.37.2 → 0.38.1

package/dist/auth/auth-validation-schemas.js

@@ -1,6 +1,6 @@
 import { user, session, account, organization, member, invitation, verification } from '../chunk-GENLXHZ4.js';
-import { createSelectSchema, createInsertSchema } from 'drizzle-zod';
 import { z } from '@hono/zod-openapi';
+import { createSelectSchema, createInsertSchema } from 'drizzle-zod';
 
 var UserSelectSchema = createSelectSchema(user);
 var UserInsertSchema = createInsertSchema(user);

package/dist/auth/auth.d.ts

@@ -4,13 +4,13 @@ import * as zod from 'zod';
 import * as better_auth from 'better-auth';
 import { BetterAuthAdvancedOptions } from 'better-auth';
 import { GoogleOptions } from 'better-auth/social-providers';
-import { D as DatabaseClient } from '../client-B3nwdklT.js';
+import { D as DatabaseClient } from '../client-DG_xZdlN.js';
 import 'drizzle-orm/node-postgres';
 import 'drizzle-orm/pglite';
-import '../schema-BhYTubhP.js';
+import '../schema-DA6PfmoP.js';
 import 'drizzle-orm';
 import 'drizzle-orm/pg-core';
-import '../utility-5USfJ5Xd.js';
+import '../utility-dsfXkYTu.js';
 import '@hono/zod-openapi';
 import 'drizzle-zod';
 import './auth-schema.js';
@@ -122,6 +122,7 @@ declare function createAuth(config: BetterAuthConfig): better_auth.Auth<{
             useNumberId?: boolean;
             generateId?: better_auth.GenerateIdFn | false | "serial" | "uuid";
         } | undefined;
+        trustedProxyHeaders?: boolean | undefined;
     };
     trustedOrigins: string[];
     plugins: [{

package/dist/auth/auth.js

@@ -1,5 +1,5 @@
-import { generateId } from '../chunk-3HACEHXF.js';
-import { env } from '../chunk-RUTYLJB7.js';
+import { generateId } from '../chunk-VXHL7CJY.js';
+import { env } from '../chunk-ZIXAWYZI.js';
 import { ssoProvider } from '../chunk-GENLXHZ4.js';
 import { ownerRole, adminRole, memberRole, ac } from '../chunk-JNBVHWXX.js';
 import { sso } from '@better-auth/sso';

package/dist/{auth-detection-7G0Dxt55.d.ts → auth-detection-B8jOnR88.d.ts}

@@ -55,6 +55,8 @@ declare const SPAN_KEYS: {
     readonly AI_TOOL_CALL_ARGS: "ai.toolCall.args";
     readonly AI_TOOL_CALL_ID: "ai.toolCall.id";
     readonly AI_TOOL_TYPE: "ai.toolType";
+    readonly AI_TOOL_CALL_MCP_SERVER_ID: "ai.toolCall.mcpServerId";
+    readonly AI_TOOL_CALL_MCP_SERVER_NAME: "ai.toolCall.mcpServerName";
     readonly TOOL_PURPOSE: "tool.purpose";
     readonly TOOL_NAME: "tool.name";
     readonly TOOL_CALL_ID: "tool.callId";
@@ -106,6 +108,7 @@ declare const ACTIVITY_STATUS: {
     readonly SUCCESS: "success";
     readonly ERROR: "error";
     readonly PENDING: "pending";
+    readonly WARNING: "warning";
 };
 /** Agent IDs */
 declare const AGENT_IDS: {

package/dist/chunk-3OPS2LN5.js

@@ -0,0 +1,4 @@
+// src/credential-stores/default-constants.ts
+var DEFAULT_NANGO_STORE_ID = "nango-default";
+
+export { DEFAULT_NANGO_STORE_ID };

package/dist/{chunk-7CLFCY6J.js → chunk-7IQFIW44.js}

@@ -1,5 +1,7 @@
 // src/constants/models.ts
 var ANTHROPIC_MODELS = {
+  CLAUDE_OPUS_4_5: "anthropic/claude-opus-4-5",
+  CLAUDE_OPUS_4_5_20251101: "anthropic/claude-opus-4-5-20251101",
   CLAUDE_OPUS_4_1: "anthropic/claude-opus-4-1",
   CLAUDE_OPUS_4_1_20250805: "anthropic/claude-opus-4-1-20250805",
   CLAUDE_SONNET_4_5: "anthropic/claude-sonnet-4-5",

package/dist/{chunk-BJLC7EI4.js → chunk-AJCP2QYU.js}

@@ -1,5 +1,5 @@
 import { schemaValidationDefaults } from './chunk-Z64UK4CA.js';
-import { loadEnvironmentFiles } from './chunk-RUTYLJB7.js';
+import { loadEnvironmentFiles } from './chunk-ZIXAWYZI.js';
 import { z } from '@hono/zod-openapi';
 
 loadEnvironmentFiles();

package/dist/{chunk-6CYQZ5KX.js → chunk-AUGHKZEB.js}

@@ -2,6 +2,46 @@ import { getLogger } from './chunk-DN4B564Y.js';
 import { z } from '@hono/zod-openapi';
 
 var logger = getLogger("schema-conversion");
+function jsonSchemaToZod(jsonSchema) {
+  if (!jsonSchema || typeof jsonSchema !== "object") {
+    logger.warn({ jsonSchema }, "Invalid JSON schema provided, using string fallback");
+    return z.string();
+  }
+  const schemaType = jsonSchema.type;
+  switch (schemaType) {
+    case "object": {
+      const properties = jsonSchema.properties;
+      if (properties && typeof properties === "object") {
+        const shape = {};
+        for (const [key, prop] of Object.entries(properties)) {
+          shape[key] = jsonSchemaToZod(prop);
+        }
+        return z.object(shape);
+      }
+      return z.record(z.string(), z.string());
+    }
+    case "array": {
+      const items = jsonSchema.items;
+      const itemSchema = items ? jsonSchemaToZod(items) : z.string();
+      return z.array(itemSchema);
+    }
+    case "string":
+      return z.string();
+    case "number":
+    case "integer":
+      return z.number();
+    case "boolean":
+      return z.boolean();
+    case "null":
+      return z.null();
+    default:
+      logger.warn(
+        { unsupportedType: schemaType, schema: jsonSchema },
+        "Unsupported JSON schema type, using string fallback"
+      );
+      return z.string();
+  }
+}
 function convertZodToJsonSchema(zodSchema) {
   try {
     const jsonSchema = z.toJSONSchema(zodSchema);
@@ -60,4 +100,4 @@ function extractPreviewFields(schema) {
   return previewFields;
 }
 
-export { convertZodToJsonSchema, convertZodToJsonSchemaWithPreview, extractPreviewFields, isZodSchema, preview };
+export { convertZodToJsonSchema, convertZodToJsonSchemaWithPreview, extractPreviewFields, isZodSchema, jsonSchemaToZod, preview };

package/dist/{chunk-5QZSNATS.js → chunk-CWAFZVRI.js}

@@ -1,4 +1,4 @@
-import { AgentWithinContextOfProjectSchema, resourceIdSchema, MAX_ID_LENGTH } from './chunk-XHODTX4H.js';
+import { AgentWithinContextOfProjectSchema, resourceIdSchema, MAX_ID_LENGTH } from './chunk-UK63CULA.js';
 import { z } from '@hono/zod-openapi';
 
 // src/validation/cycleDetection.ts

package/dist/{chunk-ZSYMSL55.js → chunk-DW4DNYUS.js}

@@ -1,4 +1,4 @@
-import { schema_exports, projects } from './chunk-DEYPSEXR.js';
+import { schema_exports, projects } from './chunk-LH6OJIIM.js';
 import { organization } from './chunk-GENLXHZ4.js';
 import { dirname, join } from 'path';
 import { fileURLToPath } from 'url';

package/dist/{chunk-4JZT4QEE.js → chunk-KVVL5WLM.js}

@@ -10,7 +10,7 @@ function discoverScopes(resourceMetadata, metadata) {
 async function discoverMcpMetadata(mcpServerUrl, logger) {
   try {
     let resourceMetadata = null;
-    let authServerUrl = new URL(mcpServerUrl);
+    let authServerUrl = new URL("/", mcpServerUrl);
     try {
       resourceMetadata = await discoverOAuthProtectedResourceMetadata(mcpServerUrl);
       if (resourceMetadata?.authorization_servers?.length && resourceMetadata.authorization_servers[0]) {

package/dist/{chunk-DEYPSEXR.js → chunk-LH6OJIIM.js}

@@ -83,7 +83,7 @@ var subAgentScoped = {
 };
 var uiProperties = {
   name: varchar("name", { length: 256 }).notNull(),
-  description: text("description").notNull()
+  description: text("description")
 };
 var timestamps = {
   createdAt: timestamp("created_at", { mode: "string" }).notNull().defaultNow(),
@@ -180,7 +180,7 @@ var subAgents = pgTable(
   {
     ...agentScoped,
     ...uiProperties,
-    prompt: text("prompt").notNull(),
+    prompt: text("prompt"),
     conversationHistoryConfig: jsonb("conversation_history_config").$type().default({
       mode: "full",
       limit: 50,
@@ -236,14 +236,10 @@ var externalAgents = pgTable(
       name: "external_agents_project_fk"
     }).onDelete("cascade"),
     foreignKey({
-      columns: [table.tenantId, table.projectId, table.credentialReferenceId],
-      foreignColumns: [
-        credentialReferences.tenantId,
-        credentialReferences.projectId,
-        credentialReferences.id
-      ],
+      columns: [table.credentialReferenceId],
+      foreignColumns: [credentialReferences.id],
       name: "external_agents_credential_reference_fk"
-    }).onDelete("cascade")
+    }).onDelete("set null")
   ]
 );
 var tasks = pgTable(
@@ -373,6 +369,8 @@ var tools = pgTable(
     description: text("description"),
     config: jsonb("config").$type().notNull(),
     credentialReferenceId: varchar("credential_reference_id", { length: 256 }),
+    credentialScope: varchar("credential_scope", { length: 50 }).notNull().default("project"),
+    // 'project' | 'user'
     headers: jsonb("headers").$type(),
     imageUrl: text("image_url"),
     capabilities: jsonb("capabilities").$type(),
@@ -385,7 +383,12 @@ var tools = pgTable(
       columns: [table.tenantId, table.projectId],
       foreignColumns: [projects.tenantId, projects.id],
       name: "tools_project_fk"
-    }).onDelete("cascade")
+    }).onDelete("cascade"),
+    foreignKey({
+      columns: [table.credentialReferenceId],
+      foreignColumns: [credentialReferences.id],
+      name: "tools_credential_reference_fk"
+    }).onDelete("set null")
   ]
 );
 var functionTools = pgTable(
@@ -651,6 +654,13 @@ var credentialReferences = pgTable(
     type: varchar("type", { length: 256 }).notNull(),
     credentialStoreId: varchar("credential_store_id", { length: 256 }).notNull(),
     retrievalParams: jsonb("retrieval_params").$type(),
+    // For user-scoped credentials
+    toolId: varchar("tool_id", { length: 256 }),
+    // Links to the tool this credential is for
+    userId: varchar("user_id", { length: 256 }),
+    // User who owns this credential (null = project-scoped)
+    createdBy: varchar("created_by", { length: 256 }),
+    // User who created this credential
     ...timestamps
   },
   (t) => [
@@ -659,7 +669,12 @@ var credentialReferences = pgTable(
       columns: [t.tenantId, t.projectId],
       foreignColumns: [projects.tenantId, projects.id],
       name: "credential_references_project_fk"
-    }).onDelete("cascade")
+    }).onDelete("cascade"),
+    // Unique constraint on id alone to support simple FK references
+    // (id is globally unique via nanoid generation)
+    unique("credential_references_id_unique").on(t.id),
+    // One credential per user per tool (for user-scoped credentials)
+    unique("credential_references_tool_user_unique").on(t.toolId, t.userId)
   ]
 );
 var tasksRelations = relations(tasks, ({ one, many }) => ({

package/dist/{chunk-MQMMFK2K.js → chunk-NLLGMFQ6.js}

@@ -57,6 +57,8 @@ var SPAN_KEYS = {
   AI_TOOL_CALL_ARGS: "ai.toolCall.args",
   AI_TOOL_CALL_ID: "ai.toolCall.id",
   AI_TOOL_TYPE: "ai.toolType",
+  AI_TOOL_CALL_MCP_SERVER_ID: "ai.toolCall.mcpServerId",
+  AI_TOOL_CALL_MCP_SERVER_NAME: "ai.toolCall.mcpServerName",
   TOOL_PURPOSE: "tool.purpose",
   TOOL_NAME: "tool.name",
   TOOL_CALL_ID: "tool.callId",
@@ -112,7 +114,8 @@ var ACTIVITY_TYPES = {
 var ACTIVITY_STATUS = {
   SUCCESS: "success",
   ERROR: "error",
-  PENDING: "pending"
+  PENDING: "pending",
+  WARNING: "warning"
 };
 var AGENT_IDS = {
   USER: "user",

package/dist/{chunk-YSFXXC6K.js → chunk-S4XQEAAF.js}

@@ -1,7 +1,8 @@
+import { DEFAULT_NANGO_STORE_ID } from './chunk-3OPS2LN5.js';
 import { getLogger } from './chunk-DN4B564Y.js';
 import { CredentialStoreType } from './chunk-YFHT5M2R.js';
-import { Nango } from '@nangohq/node';
 import { z } from '@hono/zod-openapi';
+import { Nango } from '@nangohq/node';
 
 // src/credential-stores/CredentialStoreRegistry.ts
 var CredentialStoreRegistry = class {
@@ -93,7 +94,10 @@ var KeyChainStore = class {
       return;
     }
     try {
-      this.keytar = (await import('keytar')).default;
+      this.keytar = (await import(
+        /* webpackIgnore: true */
+        'keytar'
+      )).default;
       this.keytarAvailable = true;
       this.logger.info(
         {
@@ -146,7 +150,6 @@ var KeyChainStore = class {
   }
   /**
    * Set a credential in the keychain
-   * @param metadata - Optional metadata (ignored by keychain store)
    */
   async set(key, value, _metadata) {
     await this.initializationPromise;
@@ -743,7 +746,7 @@ function createDefaultCredentialStores() {
   stores.push(new InMemoryCredentialStore("memory-default"));
   if (process.env.NANGO_SECRET_KEY) {
     stores.push(
-      createNangoCredentialStore("nango-default", {
+      createNangoCredentialStore(DEFAULT_NANGO_STORE_ID, {
         apiUrl: process.env.NANGO_SERVER_URL || "https://api.nango.dev",
         secretKey: process.env.NANGO_SECRET_KEY
       })

package/dist/{chunk-XHODTX4H.js → chunk-UK63CULA.js}

@@ -1,4 +1,4 @@
-import { subAgents, subAgentRelations, agents, tasks, taskRelations, conversations, messages, contextCache, dataComponents, subAgentDataComponents, artifactComponents, subAgentArtifactComponents, externalAgents, apiKeys, credentialReferences, tools, functionTools, functions, contextConfigs, subAgentToolRelations, subAgentExternalAgentRelations, subAgentTeamAgentRelations, ledgerArtifacts, projects } from './chunk-DEYPSEXR.js';
+import { subAgents, subAgentRelations, agents, tasks, taskRelations, conversations, messages, contextCache, dataComponents, subAgentDataComponents, artifactComponents, subAgentArtifactComponents, externalAgents, apiKeys, credentialReferences, tools, functionTools, functions, contextConfigs, subAgentToolRelations, subAgentExternalAgentRelations, subAgentTeamAgentRelations, ledgerArtifacts, projects } from './chunk-LH6OJIIM.js';
 import { schemaValidationDefaults } from './chunk-Z64UK4CA.js';
 import { VALID_RELATION_TYPES, MCPTransportType, TOOL_STATUS_VALUES, CredentialStoreType, MCPServerType } from './chunk-YFHT5M2R.js';
 import { z } from '@hono/zod-openapi';
@@ -508,17 +508,7 @@ var ApiKeyApiInsertSchema = ApiKeyInsertSchema.omit({
   // Not set on creation
 }).openapi("ApiKeyCreate");
 var ApiKeyApiUpdateSchema = ApiKeyUpdateSchema.openapi("ApiKeyUpdate");
-var CredentialReferenceSelectSchema = z.object({
-  id: z.string(),
-  tenantId: z.string(),
-  projectId: z.string(),
-  name: z.string(),
-  type: z.string(),
-  credentialStoreId: z.string(),
-  retrievalParams: z.record(z.string(), z.unknown()).nullish(),
-  createdAt: z.string(),
-  updatedAt: z.string()
-});
+var CredentialReferenceSelectSchema = createSelectSchema(credentialReferences);
 var CredentialReferenceInsertSchema = createInsertSchema(credentialReferences).extend({
   id: resourceIdSchema,
   type: z.string(),
@@ -565,7 +555,7 @@ var CreateCredentialInStoreResponseSchema = z.object({
 var RelatedAgentInfoSchema = z.object({
   id: z.string(),
   name: z.string(),
-  description: z.string()
+  description: z.string().nullable()
 }).openapi("RelatedAgentInfo");
 var ComponentAssociationSchema = z.object({
   subAgentId: z.string(),
@@ -588,6 +578,7 @@ var McpToolSchema = ToolInsertSchema.extend({
   status: ToolStatusSchema.default("unknown"),
   version: z.string().optional(),
   expiresAt: z.string().optional(),
+  createdBy: z.string().optional(),
   relationshipId: z.string().optional()
 }).openapi("McpTool");
 var MCPToolConfigSchema = McpToolSchema.omit({
@@ -636,6 +627,8 @@ var FetchConfigSchema = z.object({
   body: z.record(z.string(), z.unknown()).optional(),
   transform: z.string().optional(),
   // JSONPath or JS transform function
+  requiredToFetch: z.array(z.string()).optional(),
+  // Context variables that are required to run the fetch request. If the given variables cannot be resolved, the fetch request will be skipped.
   timeout: z.number().min(0).optional().default(CONTEXT_FETCHER_HTTP_TIMEOUT_MS_DEFAULT).optional()
 }).openapi("FetchConfig");
 var FetchDefinitionSchema = z.object({
@@ -793,7 +786,7 @@ var FullAgentAgentInsertSchema = SubAgentApiInsertSchema.extend({
   dataComponents: z.array(z.string()).optional(),
   artifactComponents: z.array(z.string()).optional(),
   canTransferTo: z.array(z.string()).optional(),
-  prompt: z.string().trim().nonempty(),
+  prompt: z.string().trim().optional(),
   canDelegateTo: z.array(
     z.union([
       z.string(),

package/dist/{chunk-3HACEHXF.js → chunk-VXHL7CJY.js}

@@ -1,4 +1,4 @@
-import { loadEnvironmentFiles, env } from './chunk-RUTYLJB7.js';
+import { loadEnvironmentFiles, env } from './chunk-ZIXAWYZI.js';
 import { getLogger } from './chunk-DN4B564Y.js';
 import { CredentialStoreType, MCPTransportType } from './chunk-YFHT5M2R.js';
 import { z } from '@hono/zod-openapi';
@@ -685,6 +685,7 @@ var nimDefault = createOpenAICompatible({
 var ModelFactory = class _ModelFactory {
   /**
    * Create a provider instance with custom configuration
+   * Returns a provider with at least languageModel method
    */
   static createProvider(provider, config) {
     switch (provider) {
@@ -695,15 +696,7 @@ var ModelFactory = class _ModelFactory {
       case "google":
         return createGoogleGenerativeAI(config);
       case "openrouter":
-        return {
-          ...createOpenRouter(config),
-          textEmbeddingModel: () => {
-            throw new Error("OpenRouter does not support text embeddings");
-          },
-          imageModel: () => {
-            throw new Error("OpenRouter does not support image generation");
-          }
-        };
+        return createOpenRouter(config);
       case "gateway":
         return createGateway(config);
       case "nim": {
@@ -1141,6 +1134,12 @@ function deriveComposioUserId(tenantId, projectId) {
   const SEPARATOR = "||";
   return `${tenantId}${SEPARATOR}${projectId}`;
 }
+function getComposioUserId(tenantId, projectId, credentialScope, userId) {
+  if (credentialScope === "user" && userId) {
+    return userId;
+  }
+  return deriveComposioUserId(tenantId, projectId);
+}
 function extractComposioServerId(mcpUrl) {
   if (!mcpUrl.includes("composio.dev")) {
     return null;
@@ -1157,12 +1156,6 @@ function extractComposioServerId(mcpUrl) {
     return null;
   }
 }
-function addUserIdToUrl(url, userId) {
-  const urlObj = new URL(url);
-  urlObj.searchParams.set("user_id", userId);
-  urlObj.searchParams.delete("transport");
-  return urlObj.toString();
-}
 async function deleteComposioConnectedAccount(accountId) {
   const composioInstance = getComposioInstance();
   if (!composioInstance) {
@@ -1185,7 +1178,8 @@ async function fetchComposioConnectedAccounts(derivedUserId) {
   }
   try {
     const connectedAccounts = await composioInstance.connectedAccounts.list({
-      userIds: [derivedUserId]
+      userIds: [derivedUserId],
+      statuses: ["ACTIVE", "INITIATED"]
     });
     return connectedAccounts;
   } catch (error) {
@@ -1193,7 +1187,7 @@ async function fetchComposioConnectedAccounts(derivedUserId) {
     return null;
   }
 }
-async function isComposioMCPServerAuthenticated(tenantId, projectId, mcpServerUrl) {
+async function isComposioMCPServerAuthenticated(tenantId, projectId, mcpServerUrl, credentialScope = "project", userId) {
   const composioApiKey = process.env.COMPOSIO_API_KEY;
   if (!composioApiKey) {
     logger4.info({}, "Composio API key not configured, skipping auth check");
@@ -1204,7 +1198,7 @@ async function isComposioMCPServerAuthenticated(tenantId, projectId, mcpServerUr
     logger4.info({ mcpServerUrl }, "Could not extract Composio server ID from URL");
     return false;
   }
-  const derivedUserId = deriveComposioUserId(tenantId, projectId);
+  const composioUserId = getComposioUserId(tenantId, projectId, credentialScope, userId);
   const composioInstance = getComposioInstance();
   if (!composioInstance) {
     logger4.info({}, "Composio not configured, skipping auth check");
@@ -1216,7 +1210,7 @@ async function isComposioMCPServerAuthenticated(tenantId, projectId, mcpServerUr
     if (!firstAuthConfigId) {
       return false;
     }
-    const connectedAccounts = await fetchComposioConnectedAccounts(derivedUserId);
+    const connectedAccounts = await fetchComposioConnectedAccounts(composioUserId);
     if (!connectedAccounts) {
       return false;
     }
@@ -1277,15 +1271,44 @@ async function ensureComposioAccount(composioMcpServer, derivedUserId, initiated
     return null;
   }
 }
+async function getComposioOAuthRedirectUrl(tenantId, projectId, mcpServerUrl, credentialScope, userId) {
+  const composioApiKey = process.env.COMPOSIO_API_KEY;
+  if (!composioApiKey) {
+    logger4.info({}, "Composio API key not configured");
+    return null;
+  }
+  const serverId = extractComposioServerId(mcpServerUrl);
+  if (!serverId) {
+    logger4.info({ mcpServerUrl }, "Could not extract Composio server ID from URL");
+    return null;
+  }
+  const composioInstance = getComposioInstance();
+  if (!composioInstance) {
+    logger4.info({}, "Composio not configured");
+    return null;
+  }
+  const composioUserId = getComposioUserId(tenantId, projectId, credentialScope, userId);
+  try {
+    const composioMcpServer = await composioInstance.mcp.get(serverId);
+    const connectedAccounts = await fetchComposioConnectedAccounts(composioUserId);
+    const initiatedAccounts = connectedAccounts?.items.filter((account) => account.status === "INITIATED") ?? [];
+    const redirectUrl = await ensureComposioAccount(
+      composioMcpServer,
+      composioUserId,
+      initiatedAccounts
+    );
+    return redirectUrl;
+  } catch (error) {
+    logger4.error({ error, mcpServerUrl }, "Failed to get Composio OAuth redirect URL");
+    return null;
+  }
+}
 async function transformComposioServer(composioMcpServer, authenticatedAuthConfigIds, initiatedAccounts, derivedUserId) {
   const isAuthenticated = composioMcpServer.authConfigIds.some(
     (authConfigId) => authenticatedAuthConfigIds.has(authConfigId)
   );
-  let url = composioMcpServer.MCPUrl;
   let thirdPartyConnectAccountUrl;
-  if (isAuthenticated) {
-    url = addUserIdToUrl(url, derivedUserId);
-  } else {
+  if (!isAuthenticated) {
     const redirectUrl = await ensureComposioAccount(
       composioMcpServer,
       derivedUserId,
@@ -1295,22 +1318,20 @@ async function transformComposioServer(composioMcpServer, authenticatedAuthConfi
       return null;
     }
     thirdPartyConnectAccountUrl = redirectUrl;
-    url = addUserIdToUrl(url, derivedUserId);
   }
   return transformComposioServerData(
     composioMcpServer,
     isAuthenticated,
-    url,
+    composioMcpServer.MCPUrl,
     thirdPartyConnectAccountUrl
   );
 }
-async function fetchComposioServers(tenantId, projectId) {
+async function fetchComposioServers() {
   const composioApiKey = process.env.COMPOSIO_API_KEY;
   if (!composioApiKey) {
     logger4.info({}, "COMPOSIO_API_KEY not configured, skipping Composio servers");
     return [];
   }
-  const derivedUserId = deriveComposioUserId(tenantId, projectId);
   const composioInstance = getComposioInstance();
   if (!composioInstance) {
     logger4.info({}, "Composio not configured, returning empty list");
@@ -1323,44 +1344,30 @@ async function fetchComposioServers(tenantId, projectId) {
       page: 1,
       authConfigs: []
     });
-    const userConnectedAccounts = await composioInstance.connectedAccounts.list({
-      userIds: [derivedUserId]
-    });
-    const activeAccounts = userConnectedAccounts?.items.filter(
-      (account) => account.status === "ACTIVE"
-    );
-    const initiatedAccounts = userConnectedAccounts?.items.filter(
-      (account) => account.status === "INITIATED"
-    );
-    const authenticatedAuthConfigIds = new Set(
-      activeAccounts?.map((account) => account.authConfig.id) ?? []
-    );
-    const transformedServers = await Promise.all(
-      composioMcpServers?.items.map(
-        (server) => transformComposioServer(
-          server,
-          authenticatedAuthConfigIds,
-          initiatedAccounts ?? [],
-          derivedUserId
-        )
+    const transformedServers = composioMcpServers?.items.map(
+      (server) => transformComposioServerData(
+        server,
+        false,
+        // Always false for catalog - we want scope dialog to show
+        server.MCPUrl,
+        // Raw URL without user_id
+        void 0
+        // No OAuth redirect URL for catalog
       )
     );
-    const validServers = transformedServers.filter(
-      (server) => server !== null
-    );
-    return validServers;
+    return transformedServers ?? [];
   } catch (error) {
     logger4.error({ error }, "Failed to fetch Composio servers");
     return [];
   }
 }
-async function fetchSingleComposioServer(tenantId, projectId, mcpServerUrl) {
+async function fetchSingleComposioServer(tenantId, projectId, mcpServerUrl, credentialScope = "project", userId) {
   const composioApiKey = process.env.COMPOSIO_API_KEY;
   if (!composioApiKey) {
     logger4.debug({}, "COMPOSIO_API_KEY not configured");
     return null;
   }
-  const derivedUserId = deriveComposioUserId(tenantId, projectId);
+  const composioUserId = getComposioUserId(tenantId, projectId, credentialScope, userId);
   const composioInstance = getComposioInstance();
   if (!composioInstance) {
     logger4.info({}, "Composio not configured, returning null");
@@ -1374,7 +1381,8 @@ async function fetchSingleComposioServer(tenantId, projectId, mcpServerUrl) {
     }
     const composioMcpServer = await composioInstance.mcp.get(serverId);
     const userConnectedAccounts = await composioInstance.connectedAccounts.list({
-      userIds: [derivedUserId]
+      userIds: [composioUserId],
+      statuses: ["ACTIVE", "INITIATED"]
     });
     const activeAccounts = userConnectedAccounts?.items.filter(
       (account) => account.status === "ACTIVE"
@@ -1389,7 +1397,7 @@ async function fetchSingleComposioServer(tenantId, projectId, mcpServerUrl) {
       composioMcpServer,
       authenticatedAuthConfigIds,
       initiatedAccounts ?? [],
-      derivedUserId
+      composioUserId
     );
     return transformedServer;
   } catch (error) {
@@ -1400,11 +1408,17 @@ async function fetchSingleComposioServer(tenantId, projectId, mcpServerUrl) {
 
 // src/utils/third-party-mcp-servers/third-party-check.ts
 var logger5 = getLogger("third-party-check");
-async function isThirdPartyMCPServerAuthenticated(tenantId, projectId, mcpServerUrl) {
+async function isThirdPartyMCPServerAuthenticated(tenantId, projectId, mcpServerUrl, credentialScope = "project", userId) {
   const composioServerId = extractComposioServerId(mcpServerUrl);
   if (composioServerId) {
     logger5.debug({ mcpServerUrl }, "Detected Composio MCP server, checking auth status");
-    return isComposioMCPServerAuthenticated(tenantId, projectId, mcpServerUrl);
+    return isComposioMCPServerAuthenticated(
+      tenantId,
+      projectId,
+      mcpServerUrl,
+      credentialScope,
+      userId
+    );
   }
   logger5.info({ mcpServerUrl }, "Unknown third-party MCP server provider");
   return false;
@@ -1457,4 +1471,4 @@ function getTracer(serviceName, serviceVersion) {
   }
 }
 
-export { CONVERSATION_HISTORY_DEFAULT_LIMIT, CONVERSATION_HISTORY_MAX_OUTPUT_TOKENS_DEFAULT, ERROR_DOCS_BASE_URL, ErrorCode, MCP_TOOL_CONNECTION_TIMEOUT_MS, MCP_TOOL_INITIAL_RECONNECTION_DELAY_MS, MCP_TOOL_MAX_RECONNECTION_DELAY_MS, MCP_TOOL_MAX_RETRIES, MCP_TOOL_RECONNECTION_DELAY_GROWTH_FACTOR, McpClient, ModelFactory, commonCreateErrorResponses, commonDeleteErrorResponses, commonGetErrorResponses, commonUpdateErrorResponses, createApiError, createExecutionContext, errorResponseSchema, errorSchemaFactory, executionLimitsSharedDefaults, extractComposioServerId, extractPublicId, fetchComposioServers, fetchSingleComposioServer, formatMessagesForLLM, formatMessagesForLLMContext, generateApiKey, generateId, generateServiceToken, getConversationId, getCredentialStoreLookupKeyFromRetrievalParams, getRequestExecutionContext, getTracer, handleApiError, hashApiKey, isApiKeyExpired, isComposioMCPServerAuthenticated, isThirdPartyMCPServerAuthenticated, maskApiKey, normalizeDateString, problemDetailsSchema, setSpanWithError, signTempToken, toISODateString, validateApiKey, validateTargetAgent, validateTenantId, verifyAuthorizationHeader, verifyServiceToken, verifyTempToken };
+export { CONVERSATION_HISTORY_DEFAULT_LIMIT, CONVERSATION_HISTORY_MAX_OUTPUT_TOKENS_DEFAULT, ERROR_DOCS_BASE_URL, ErrorCode, MCP_TOOL_CONNECTION_TIMEOUT_MS, MCP_TOOL_INITIAL_RECONNECTION_DELAY_MS, MCP_TOOL_MAX_RECONNECTION_DELAY_MS, MCP_TOOL_MAX_RETRIES, MCP_TOOL_RECONNECTION_DELAY_GROWTH_FACTOR, McpClient, ModelFactory, commonCreateErrorResponses, commonDeleteErrorResponses, commonGetErrorResponses, commonUpdateErrorResponses, createApiError, createExecutionContext, errorResponseSchema, errorSchemaFactory, executionLimitsSharedDefaults, extractComposioServerId, extractPublicId, fetchComposioServers, fetchSingleComposioServer, formatMessagesForLLM, formatMessagesForLLMContext, generateApiKey, generateId, generateServiceToken, getComposioOAuthRedirectUrl, getComposioUserId, getConversationId, getCredentialStoreLookupKeyFromRetrievalParams, getRequestExecutionContext, getTracer, handleApiError, hashApiKey, isApiKeyExpired, isComposioMCPServerAuthenticated, isThirdPartyMCPServerAuthenticated, maskApiKey, normalizeDateString, problemDetailsSchema, setSpanWithError, signTempToken, toISODateString, validateApiKey, validateTargetAgent, validateTenantId, verifyAuthorizationHeader, verifyServiceToken, verifyTempToken };

package/dist/{client-B3nwdklT.d.ts → client-DG_xZdlN.d.ts}

@@ -1,6 +1,6 @@
 import { NodePgDatabase } from 'drizzle-orm/node-postgres';
 import { PgliteDatabase } from 'drizzle-orm/pglite';
-import { s as schema } from './schema-BhYTubhP.js';
+import { s as schema } from './schema-DA6PfmoP.js';
 
 type DatabaseClient = NodePgDatabase<typeof schema> | PgliteDatabase<typeof schema>;
 interface DatabaseConfig {