@inkeep/agents-core 0.42.0 → 0.44.0

package/dist/db/runtime/runtime-schema.js

@@ -1,7 +1,7 @@
 import { __exportAll } from "../../_virtual/rolldown_runtime.js";
 import { account, deviceCode, invitation, member, organization, session, ssoProvider, user, verification } from "../../auth/auth-schema.js";
 import { relations } from "drizzle-orm";
-import { foreignKey, index, jsonb, pgTable, primaryKey, text, timestamp, unique, varchar } from "drizzle-orm/pg-core";
+import { boolean, foreignKey, index, jsonb, pgTable, primaryKey, text, timestamp, unique, varchar } from "drizzle-orm/pg-core";
 
 //#region src/db/runtime/runtime-schema.ts
 var runtime_schema_exports = /* @__PURE__ */ __exportAll({
@@ -31,11 +31,24 @@ var runtime_schema_exports = /* @__PURE__ */ __exportAll({
 	tasksRelations: () => tasksRelations,
 	triggerInvocations: () => triggerInvocations,
 	user: () => user,
-	verification: () => verification
+	verification: () => verification,
+	workAppGitHubInstallations: () => workAppGitHubInstallations,
+	workAppGitHubInstallationsRelations: () => workAppGitHubInstallationsRelations,
+	workAppGitHubMcpToolAccessMode: () => workAppGitHubMcpToolAccessMode,
+	workAppGitHubMcpToolRepositoryAccess: () => workAppGitHubMcpToolRepositoryAccess,
+	workAppGitHubMcpToolRepositoryAccessRelations: () => workAppGitHubMcpToolRepositoryAccessRelations,
+	workAppGitHubProjectAccessMode: () => workAppGitHubProjectAccessMode,
+	workAppGitHubProjectRepositoryAccess: () => workAppGitHubProjectRepositoryAccess,
+	workAppGitHubProjectRepositoryAccessRelations: () => workAppGitHubProjectRepositoryAccessRelations,
+	workAppGitHubRepositories: () => workAppGitHubRepositories,
+	workAppGitHubRepositoriesRelations: () => workAppGitHubRepositoriesRelations
 });
-const projectScoped = {
+const tenantScoped = {
 	tenantId: varchar("tenant_id", { length: 256 }).notNull(),
-	id: varchar("id", { length: 256 }).notNull(),
+	id: varchar("id", { length: 256 }).notNull()
+};
+const projectScoped = {
+	...tenantScoped,
 	projectId: varchar("project_id", { length: 256 }).notNull()
 };
 const agentScoped = {
@@ -478,6 +491,161 @@ const ledgerArtifactsRelations = relations(ledgerArtifacts, ({ one }) => ({ task
 	fields: [ledgerArtifacts.taskId],
 	references: [tasks.id]
 }) }));
+/**
+* Tracks GitHub App installations linked to tenants.
+* One tenant can have multiple installations (e.g., multiple orgs).
+* The installation_id is the GitHub-assigned ID, unique across all GitHub.
+*/
+const workAppGitHubInstallations = pgTable("work_app_github_installations", {
+	...tenantScoped,
+	installationId: text("installation_id").notNull().unique(),
+	accountLogin: varchar("account_login", { length: 256 }).notNull(),
+	accountId: text("account_id").notNull(),
+	accountType: varchar("account_type", { length: 20 }).$type().notNull(),
+	status: varchar("status", { length: 20 }).$type().notNull().default("active"),
+	...timestamps
+}, (table) => [
+	index("work_app_github_installations_tenant_idx").on(table.tenantId),
+	index("work_app_github_installations_installation_id_idx").on(table.installationId),
+	foreignKey({
+		columns: [table.tenantId],
+		foreignColumns: [organization.id],
+		name: "work_app_github_installations_organization_fk"
+	}).onDelete("cascade")
+]);
+/**
+* Repositories accessible through a GitHub App installation.
+* These are synced from GitHub when the app is installed or updated.
+* The repository_id is the GitHub-assigned ID, unique across all GitHub.
+*/
+const workAppGitHubRepositories = pgTable("work_app_github_repositories", {
+	id: varchar("id", { length: 256 }).primaryKey(),
+	installationDbId: varchar("installation_db_id", { length: 256 }).notNull(),
+	repositoryId: text("repository_id").notNull(),
+	repositoryName: varchar("repository_name", { length: 256 }).notNull(),
+	repositoryFullName: varchar("repository_full_name", { length: 512 }).notNull(),
+	private: boolean("private").notNull().default(false),
+	...timestamps
+}, (table) => [
+	index("work_app_github_repositories_installation_idx").on(table.installationDbId),
+	index("work_app_github_repositories_full_name_idx").on(table.repositoryFullName),
+	unique("work_app_github_repositories_repo_installation_unique").on(table.installationDbId, table.repositoryId),
+	foreignKey({
+		columns: [table.installationDbId],
+		foreignColumns: [workAppGitHubInstallations.id],
+		name: "work_app_github_repositories_installation_fk"
+	}).onDelete("cascade")
+]);
+/**
+* Links projects to specific GitHub repositories for fine-grained access control.
+* When a project has entries here, only the listed repositories are accessible.
+* When no entries exist for a project, all tenant repositories are accessible (mode='all').
+* The tenant_id and project_id reference the projects table in the manage schema
+* (cross-schema, no FK constraint for project). tenant_id is included because
+* project IDs are only unique within a tenant.
+*/
+const workAppGitHubProjectRepositoryAccess = pgTable("work_app_github_project_repository_access", {
+	...projectScoped,
+	repositoryDbId: varchar("repository_db_id", { length: 256 }).notNull(),
+	...timestamps
+}, (table) => [
+	index("work_app_github_project_repository_access_tenant_idx").on(table.tenantId),
+	index("work_app_github_project_repository_access_project_idx").on(table.projectId),
+	unique("work_app_github_project_repository_access_unique").on(table.tenantId, table.projectId, table.repositoryDbId),
+	foreignKey({
+		columns: [table.tenantId],
+		foreignColumns: [organization.id],
+		name: "work_app_github_project_repository_access_tenant_fk"
+	}).onDelete("cascade"),
+	foreignKey({
+		columns: [table.repositoryDbId],
+		foreignColumns: [workAppGitHubRepositories.id],
+		name: "work_app_github_project_repository_access_repo_fk"
+	}).onDelete("cascade")
+]);
+/**
+* Links MCP tools to specific GitHub repositories for repository-scoped access.
+* When an MCP tool has entries here, only the listed repositories are accessible to that tool.
+* The tool_id, tenant_id, and project_id reference the tools table in the manage schema
+* (cross-schema, no FK constraint). These are denormalized here so all GitHub access
+* info can be queried from PostgreSQL alone.
+*/
+const workAppGitHubMcpToolRepositoryAccess = pgTable("work_app_github_mcp_tool_repository_access", {
+	...projectScoped,
+	toolId: varchar("tool_id", { length: 256 }).notNull(),
+	repositoryDbId: varchar("repository_db_id", { length: 256 }).notNull(),
+	...timestamps
+}, (table) => [
+	index("work_app_github_mcp_tool_repository_access_tool_idx").on(table.toolId),
+	index("work_app_github_mcp_tool_repository_access_tenant_idx").on(table.tenantId),
+	index("work_app_github_mcp_tool_repository_access_project_idx").on(table.projectId),
+	unique("work_app_github_mcp_tool_repository_access_unique").on(table.toolId, table.repositoryDbId),
+	foreignKey({
+		columns: [table.tenantId],
+		foreignColumns: [organization.id],
+		name: "work_app_github_mcp_tool_repository_access_tenant_fk"
+	}).onDelete("cascade"),
+	foreignKey({
+		columns: [table.repositoryDbId],
+		foreignColumns: [workAppGitHubRepositories.id],
+		name: "work_app_github_mcp_tool_repository_access_repo_fk"
+	}).onDelete("cascade")
+]);
+/**
+* Stores the explicit access mode for project-level GitHub repository access.
+* - 'all': Project has access to all repositories from tenant GitHub installations
+* - 'selected': Project only has access to repositories listed in work_app_github_project_repository_access
+* If no row exists for a project, defaults to 'selected' (fail-safe: no access unless explicitly granted).
+*/
+const workAppGitHubProjectAccessMode = pgTable("work_app_github_project_access_mode", {
+	tenantId: varchar("tenant_id", { length: 256 }).notNull(),
+	projectId: varchar("project_id", { length: 256 }).notNull(),
+	mode: varchar("mode", { length: 20 }).$type().notNull(),
+	...timestamps
+}, (table) => [primaryKey({ columns: [table.tenantId, table.projectId] }), foreignKey({
+	columns: [table.tenantId],
+	foreignColumns: [organization.id],
+	name: "work_app_github_project_access_mode_tenant_fk"
+}).onDelete("cascade")]);
+/**
+* Stores the explicit access mode for MCP tool-level GitHub repository access.
+* - 'all': Tool has access to all repositories the project has access to
+* - 'selected': Tool only has access to repositories listed in work_app_github_mcp_tool_repository_access
+* If no row exists for a tool, defaults to 'selected' (fail-safe: no access unless explicitly granted).
+*/
+const workAppGitHubMcpToolAccessMode = pgTable("work_app_github_mcp_tool_access_mode", {
+	toolId: varchar("tool_id", { length: 256 }).notNull(),
+	tenantId: varchar("tenant_id", { length: 256 }).notNull(),
+	projectId: varchar("project_id", { length: 256 }).notNull(),
+	mode: varchar("mode", { length: 20 }).$type().notNull(),
+	...timestamps
+}, (table) => [
+	primaryKey({ columns: [table.toolId] }),
+	index("work_app_github_mcp_tool_access_mode_tenant_idx").on(table.tenantId),
+	index("work_app_github_mcp_tool_access_mode_project_idx").on(table.projectId),
+	foreignKey({
+		columns: [table.tenantId],
+		foreignColumns: [organization.id],
+		name: "work_app_github_mcp_tool_access_mode_tenant_fk"
+	}).onDelete("cascade")
+]);
+const workAppGitHubInstallationsRelations = relations(workAppGitHubInstallations, ({ many }) => ({ repositories: many(workAppGitHubRepositories) }));
+const workAppGitHubRepositoriesRelations = relations(workAppGitHubRepositories, ({ one, many }) => ({
+	installation: one(workAppGitHubInstallations, {
+		fields: [workAppGitHubRepositories.installationDbId],
+		references: [workAppGitHubInstallations.id]
+	}),
+	projectAccess: many(workAppGitHubProjectRepositoryAccess),
+	mcpToolAccess: many(workAppGitHubMcpToolRepositoryAccess)
+}));
+const workAppGitHubProjectRepositoryAccessRelations = relations(workAppGitHubProjectRepositoryAccess, ({ one }) => ({ repository: one(workAppGitHubRepositories, {
+	fields: [workAppGitHubProjectRepositoryAccess.repositoryDbId],
+	references: [workAppGitHubRepositories.id]
+}) }));
+const workAppGitHubMcpToolRepositoryAccessRelations = relations(workAppGitHubMcpToolRepositoryAccess, ({ one }) => ({ repository: one(workAppGitHubRepositories, {
+	fields: [workAppGitHubMcpToolRepositoryAccess.repositoryDbId],
+	references: [workAppGitHubRepositories.id]
+}) }));
 
 //#endregion
-export { account, apiKeys, contextCache, conversations, conversationsRelations, datasetRun, datasetRunConversationRelations, deviceCode, evaluationResult, evaluationRun, invitation, ledgerArtifacts, ledgerArtifactsRelations, member, messages, messagesRelations, organization, projectMetadata, runtime_schema_exports, session, ssoProvider, taskRelations, taskRelationsRelations, tasks, tasksRelations, triggerInvocations, user, verification };
+export { account, apiKeys, contextCache, conversations, conversationsRelations, datasetRun, datasetRunConversationRelations, deviceCode, evaluationResult, evaluationRun, invitation, ledgerArtifacts, ledgerArtifactsRelations, member, messages, messagesRelations, organization, projectMetadata, runtime_schema_exports, session, ssoProvider, taskRelations, taskRelationsRelations, tasks, tasksRelations, triggerInvocations, user, verification, workAppGitHubInstallations, workAppGitHubInstallationsRelations, workAppGitHubMcpToolAccessMode, workAppGitHubMcpToolRepositoryAccess, workAppGitHubMcpToolRepositoryAccessRelations, workAppGitHubProjectAccessMode, workAppGitHubProjectRepositoryAccess, workAppGitHubProjectRepositoryAccessRelations, workAppGitHubRepositories, workAppGitHubRepositoriesRelations };

package/dist/db/utils.d.ts

@@ -0,0 +1,6 @@
+//#region src/db/utils.d.ts
+declare const isLocalhostUrl: (url: string | undefined) => boolean;
+declare const askConfirmation: (question: string) => Promise<boolean>;
+declare const confirmMigration: (connectionString: string | undefined) => Promise<boolean>;
+//#endregion
+export { askConfirmation, confirmMigration, isLocalhostUrl };

package/dist/db/utils.js

@@ -0,0 +1,42 @@
+import * as readline from "node:readline";
+
+//#region src/db/utils.ts
+const isLocalhostUrl = (url) => {
+	if (!url) return false;
+	try {
+		const parsed = new URL(url);
+		return parsed.hostname === "localhost" || parsed.hostname === "127.0.0.1" || parsed.hostname === "::1";
+	} catch {
+		return url.includes("localhost") || url.includes("127.0.0.1");
+	}
+};
+const askConfirmation = (question) => {
+	const rl = readline.createInterface({
+		input: process.stdin,
+		output: process.stdout
+	});
+	return new Promise((resolve) => {
+		rl.question(question, (answer) => {
+			rl.close();
+			resolve(answer.toLowerCase() === "y" || answer.toLowerCase() === "yes");
+		});
+	});
+};
+const confirmMigration = async (connectionString) => {
+	if (!connectionString) {
+		console.error("❌ Error: Database URL is not set.");
+		process.exit(1);
+	}
+	if (!isLocalhostUrl(connectionString)) {
+		console.warn("⚠️  Warning: Database URL is not pointing to localhost. This operation may modify a production database.");
+		if (!await askConfirmation("Do you want to proceed? (y/n): ")) {
+			console.log("Migration cancelled.");
+			process.exit(0);
+		}
+		console.log("");
+	}
+	return true;
+};
+
+//#endregion
+export { askConfirmation, confirmMigration, isLocalhostUrl };

package/dist/dolt/branch.js

@@ -1,5 +1,5 @@
-import { doltHashOf } from "./commit.js";
 import { resolveRef } from "./ref-helpers.js";
+import { doltHashOf } from "./commit.js";
 import { sql } from "drizzle-orm";
 import { logger } from "@composio/core";
 

package/dist/dolt/branches-api.js

@@ -1,5 +1,5 @@
-import { SCHEMA_SOURCE_BRANCH, ensureSchemaSync, getSchemaDiff, syncSchemaFromMain } from "./schema-sync.js";
 import { doltBranch, doltCheckout, doltDeleteBranch, doltGetBranchNamespace, doltListBranches } from "./branch.js";
+import { SCHEMA_SOURCE_BRANCH, ensureSchemaSync, getSchemaDiff, syncSchemaFromMain } from "./schema-sync.js";
 import { sql } from "drizzle-orm";
 
 //#region src/dolt/branches-api.ts

package/dist/dolt/index.d.ts

@@ -6,5 +6,5 @@ import { doltAbortMerge, doltConflicts, doltMerge, doltMergeStatus, doltResolveC
 import { RefType, checkoutRef, getCurrentBranchOrCommit, getProjectMainResolvedRef, getProjectScopedRef, getTenantScopedRef, isRefWritable, isValidCommitHash, resolveRef } from "./ref-helpers.js";
 import { RefContext, RefMiddlewareOptions, createRefMiddleware, createWriteProtectionMiddleware, refMiddlewareFactory, writeProtectionMiddlewareFactory } from "./ref-middleware.js";
 import { NestedRefScopeError, WithRefOptions, getCurrentRefScope, getRefScopedDb, isInRefScope, withRef } from "./ref-scope.js";
-import { EnsureSchemaSyncOptions, SCHEMA_SOURCE_BRANCH, SchemaDiff, SchemaSyncOptions, SchemaSyncResult, areBranchesSchemaCompatible, ensureSchemaSync, formatSchemaDiffSummary, getActiveBranch, getSchemaDiff, hasSchemaDifferences, hasUncommittedChanges, syncSchemaFromMain } from "./schema-sync.js";
-export { CheckoutBranchParams, CheckoutBranchResult, CreateBranchParams, DeleteBranchParams, EnsureSchemaSyncOptions, GetBranchParams, MAIN_BRANCH_SUFFIX, NestedRefScopeError, RefContext, RefMiddlewareOptions, RefType, SCHEMA_SOURCE_BRANCH, SchemaDiff, SchemaSyncOptions, SchemaSyncResult, WithRefOptions, areBranchesSchemaCompatible, branchScopes, checkoutBranch, checkoutRef, createBranch, createRefMiddleware, createWriteProtectionMiddleware, deleteBranch, doltAbortMerge, doltActiveBranch, doltAdd, doltAddAndCommit, doltBranch, doltBranchExists, doltCheckout, doltCommit, doltConflicts, doltDeleteBranch, doltDeleteTag, doltDiff, doltDiffSummary, doltGetBranchNamespace, doltHashOf, doltListBranches, doltListTags, doltLog, doltMerge, doltMergeStatus, doltRenameBranch, doltReset, doltResolveConflicts, doltSchemaConflicts, doltStatus, doltTableConflicts, doltTag, ensureBranchExists, ensureSchemaSync, formatSchemaDiffSummary, getActiveBranch, getBranch, getCurrentBranchOrCommit, getCurrentRefScope, getProjectMainResolvedRef, getProjectScopedRef, getRefScopedDb, getSchemaDiff, getTenantMainBranch, getTenantScopedRef, hasSchemaDifferences, hasUncommittedChanges, isInRefScope, isProtectedBranchName, isRefWritable, isValidCommitHash, listBranches, listBranchesForAgent, refMiddlewareFactory, resolveRef, syncSchemaFromMain, withRef, writeProtectionMiddlewareFactory };
+import { EnsureSchemaSyncOptions, SCHEMA_SOURCE_BRANCH, SchemaDiff, SchemaSyncOptions, SchemaSyncResult, areBranchesSchemaCompatible, ensureSchemaSync, formatSchemaDiffSummary, getActiveBranch, getSchemaDiff, hasSchemaDifferences, hasUncommittedChanges, isLocalhostUrl, syncSchemaFromMain } from "./schema-sync.js";
+export { CheckoutBranchParams, CheckoutBranchResult, CreateBranchParams, DeleteBranchParams, EnsureSchemaSyncOptions, GetBranchParams, MAIN_BRANCH_SUFFIX, NestedRefScopeError, RefContext, RefMiddlewareOptions, RefType, SCHEMA_SOURCE_BRANCH, SchemaDiff, SchemaSyncOptions, SchemaSyncResult, WithRefOptions, areBranchesSchemaCompatible, branchScopes, checkoutBranch, checkoutRef, createBranch, createRefMiddleware, createWriteProtectionMiddleware, deleteBranch, doltAbortMerge, doltActiveBranch, doltAdd, doltAddAndCommit, doltBranch, doltBranchExists, doltCheckout, doltCommit, doltConflicts, doltDeleteBranch, doltDeleteTag, doltDiff, doltDiffSummary, doltGetBranchNamespace, doltHashOf, doltListBranches, doltListTags, doltLog, doltMerge, doltMergeStatus, doltRenameBranch, doltReset, doltResolveConflicts, doltSchemaConflicts, doltStatus, doltTableConflicts, doltTag, ensureBranchExists, ensureSchemaSync, formatSchemaDiffSummary, getActiveBranch, getBranch, getCurrentBranchOrCommit, getCurrentRefScope, getProjectMainResolvedRef, getProjectScopedRef, getRefScopedDb, getSchemaDiff, getTenantMainBranch, getTenantScopedRef, hasSchemaDifferences, hasUncommittedChanges, isInRefScope, isLocalhostUrl, isProtectedBranchName, isRefWritable, isValidCommitHash, listBranches, listBranchesForAgent, refMiddlewareFactory, resolveRef, syncSchemaFromMain, withRef, writeProtectionMiddlewareFactory };

package/dist/dolt/index.js

@@ -1,11 +1,11 @@
-import { doltAdd, doltAddAndCommit, doltCommit, doltDeleteTag, doltHashOf, doltListTags, doltLog, doltReset, doltStatus, doltTag } from "./commit.js";
-import { doltAbortMerge, doltConflicts, doltMerge, doltMergeStatus, doltResolveConflicts, doltSchemaConflicts, doltTableConflicts } from "./merge.js";
-import { SCHEMA_SOURCE_BRANCH, areBranchesSchemaCompatible, ensureSchemaSync, formatSchemaDiffSummary, getActiveBranch, getSchemaDiff, hasSchemaDifferences, hasUncommittedChanges, syncSchemaFromMain } from "./schema-sync.js";
 import { MAIN_BRANCH_SUFFIX, checkoutBranch, createBranch, deleteBranch, getBranch, getTenantMainBranch, isProtectedBranchName, listBranches, listBranchesForAgent } from "./branches-api.js";
 import { checkoutRef, getCurrentBranchOrCommit, getProjectMainResolvedRef, getProjectScopedRef, getTenantScopedRef, isRefWritable, isValidCommitHash, resolveRef } from "./ref-helpers.js";
 import { doltActiveBranch, doltBranch, doltBranchExists, doltCheckout, doltDeleteBranch, doltGetBranchNamespace, doltListBranches, doltRenameBranch, ensureBranchExists } from "./branch.js";
+import { doltAdd, doltAddAndCommit, doltCommit, doltDeleteTag, doltHashOf, doltListTags, doltLog, doltReset, doltStatus, doltTag } from "./commit.js";
+import { doltAbortMerge, doltConflicts, doltMerge, doltMergeStatus, doltResolveConflicts, doltSchemaConflicts, doltTableConflicts } from "./merge.js";
+import { SCHEMA_SOURCE_BRANCH, areBranchesSchemaCompatible, ensureSchemaSync, formatSchemaDiffSummary, getActiveBranch, getSchemaDiff, hasSchemaDifferences, hasUncommittedChanges, isLocalhostUrl, syncSchemaFromMain } from "./schema-sync.js";
 import { doltDiff, doltDiffSummary } from "./diff.js";
 import { createRefMiddleware, createWriteProtectionMiddleware, refMiddlewareFactory, writeProtectionMiddlewareFactory } from "./ref-middleware.js";
 import { NestedRefScopeError, getCurrentRefScope, getRefScopedDb, isInRefScope, withRef } from "./ref-scope.js";
 
-export { MAIN_BRANCH_SUFFIX, NestedRefScopeError, SCHEMA_SOURCE_BRANCH, areBranchesSchemaCompatible, checkoutBranch, checkoutRef, createBranch, createRefMiddleware, createWriteProtectionMiddleware, deleteBranch, doltAbortMerge, doltActiveBranch, doltAdd, doltAddAndCommit, doltBranch, doltBranchExists, doltCheckout, doltCommit, doltConflicts, doltDeleteBranch, doltDeleteTag, doltDiff, doltDiffSummary, doltGetBranchNamespace, doltHashOf, doltListBranches, doltListTags, doltLog, doltMerge, doltMergeStatus, doltRenameBranch, doltReset, doltResolveConflicts, doltSchemaConflicts, doltStatus, doltTableConflicts, doltTag, ensureBranchExists, ensureSchemaSync, formatSchemaDiffSummary, getActiveBranch, getBranch, getCurrentBranchOrCommit, getCurrentRefScope, getProjectMainResolvedRef, getProjectScopedRef, getRefScopedDb, getSchemaDiff, getTenantMainBranch, getTenantScopedRef, hasSchemaDifferences, hasUncommittedChanges, isInRefScope, isProtectedBranchName, isRefWritable, isValidCommitHash, listBranches, listBranchesForAgent, refMiddlewareFactory, resolveRef, syncSchemaFromMain, withRef, writeProtectionMiddlewareFactory };
+export { MAIN_BRANCH_SUFFIX, NestedRefScopeError, SCHEMA_SOURCE_BRANCH, areBranchesSchemaCompatible, checkoutBranch, checkoutRef, createBranch, createRefMiddleware, createWriteProtectionMiddleware, deleteBranch, doltAbortMerge, doltActiveBranch, doltAdd, doltAddAndCommit, doltBranch, doltBranchExists, doltCheckout, doltCommit, doltConflicts, doltDeleteBranch, doltDeleteTag, doltDiff, doltDiffSummary, doltGetBranchNamespace, doltHashOf, doltListBranches, doltListTags, doltLog, doltMerge, doltMergeStatus, doltRenameBranch, doltReset, doltResolveConflicts, doltSchemaConflicts, doltStatus, doltTableConflicts, doltTag, ensureBranchExists, ensureSchemaSync, formatSchemaDiffSummary, getActiveBranch, getBranch, getCurrentBranchOrCommit, getCurrentRefScope, getProjectMainResolvedRef, getProjectScopedRef, getRefScopedDb, getSchemaDiff, getTenantMainBranch, getTenantScopedRef, hasSchemaDifferences, hasUncommittedChanges, isInRefScope, isLocalhostUrl, isProtectedBranchName, isRefWritable, isValidCommitHash, listBranches, listBranchesForAgent, refMiddlewareFactory, resolveRef, syncSchemaFromMain, withRef, writeProtectionMiddlewareFactory };

package/dist/dolt/migrate-all-branches.js

@@ -1,6 +1,8 @@
+import { loadEnvironmentFiles } from "../env.js";
 import { createAgentsManageDatabaseClient } from "../db/manage/manage-client.js";
-import { syncSchemaFromMain } from "./schema-sync.js";
 import { doltCheckout, doltListBranches } from "./branch.js";
+import { syncSchemaFromMain } from "./schema-sync.js";
+import { confirmMigration } from "../db/utils.js";
 
 //#region src/dolt/migrate-all-branches.ts
 const ansi = {
@@ -22,6 +24,9 @@ const format = {
 };
 const ms = (start, end) => `${Math.max(0, end - start)}ms`;
 const main = async () => {
+	loadEnvironmentFiles();
+	const connectionString = process.env.INKEEP_AGENTS_MANAGE_DATABASE_URL;
+	await confirmMigration(connectionString);
 	const startedAt = Date.now();
 	const db = createAgentsManageDatabaseClient({});
 	const branches = await doltListBranches(db)();

package/dist/dolt/migrate-dolt.js

@@ -1,18 +1,21 @@
 import { loadEnvironmentFiles } from "../env.js";
 import { createAgentsManageDatabaseClient } from "../db/manage/manage-client.js";
 import { doltAddAndCommit, doltStatus } from "./commit.js";
+import { confirmMigration } from "../db/utils.js";
 import { execSync } from "node:child_process";
 
 //#region src/dolt/migrate-dolt.ts
 const commitMigrations = async () => {
 	loadEnvironmentFiles();
+	const connectionString = process.env.INKEEP_AGENTS_MANAGE_DATABASE_URL;
+	await confirmMigration(connectionString);
 	try {
 		execSync("drizzle-kit migrate --config=drizzle.manage.config.ts", { stdio: "inherit" });
 	} catch (error) {
 		console.error("❌ Error running migrations:", error);
 		process.exit(1);
 	}
-	const db = createAgentsManageDatabaseClient({ connectionString: process.env.INKEEP_AGENTS_MANAGE_DATABASE_URL });
+	const db = createAgentsManageDatabaseClient({ connectionString });
 	if ((await doltStatus(db)()).length > 0) await doltAddAndCommit(db)({ message: "Applied database migrations" });
 	else console.log("ℹ️  No changes to commit - database is up to date\n");
 };

package/dist/dolt/ref-helpers.js

@@ -1,6 +1,6 @@
-import { doltHashOf, doltListTags } from "./commit.js";
 import { checkoutBranch } from "./branches-api.js";
 import { doltListBranches } from "./branch.js";
+import { doltHashOf, doltListTags } from "./commit.js";
 import { sql } from "drizzle-orm";
 
 //#region src/dolt/ref-helpers.ts

package/dist/dolt/ref-middleware.js

@@ -1,7 +1,7 @@
 import { getLogger } from "../utils/logger.js";
-import { createApiError } from "../utils/error.js";
 import { isRefWritable, resolveRef } from "./ref-helpers.js";
 import { ensureBranchExists } from "./branch.js";
+import { createApiError } from "../utils/error.js";
 
 //#region src/dolt/ref-middleware.ts
 const logger = getLogger("ref-middleware");

package/dist/dolt/ref-scope.js

@@ -1,8 +1,8 @@
 import { manage_schema_exports } from "../db/manage/manage-schema.js";
 import { getLogger } from "../utils/logger.js";
 import { generateId } from "../utils/conversations.js";
-import { doltAddAndCommit, doltReset, doltStatus } from "./commit.js";
 import { checkoutBranch } from "./branches-api.js";
+import { doltAddAndCommit, doltReset, doltStatus } from "./commit.js";
 import { drizzle } from "drizzle-orm/node-postgres";
 import { AsyncLocalStorage } from "node:async_hooks";
 

package/dist/dolt/schema-sync.d.ts

@@ -130,5 +130,6 @@ declare const areBranchesSchemaCompatible: (db: AgentsManageDatabaseClient) => (
   branchADifferences: SchemaDiff[];
   branchBDifferences: SchemaDiff[];
 }>;
+declare const isLocalhostUrl: (url: string | undefined) => boolean;
 //#endregion
-export { EnsureSchemaSyncOptions, SCHEMA_SOURCE_BRANCH, SchemaDiff, SchemaSyncOptions, SchemaSyncResult, areBranchesSchemaCompatible, ensureSchemaSync, formatSchemaDiffSummary, getActiveBranch, getSchemaDiff, hasSchemaDifferences, hasUncommittedChanges, syncSchemaFromMain };
+export { EnsureSchemaSyncOptions, SCHEMA_SOURCE_BRANCH, SchemaDiff, SchemaSyncOptions, SchemaSyncResult, areBranchesSchemaCompatible, ensureSchemaSync, formatSchemaDiffSummary, getActiveBranch, getSchemaDiff, hasSchemaDifferences, hasUncommittedChanges, isLocalhostUrl, syncSchemaFromMain };

package/dist/dolt/schema-sync.js

@@ -241,6 +241,15 @@ const areBranchesSchemaCompatible = (db) => async (branchA, branchB) => {
 		branchBDifferences: diffB
 	};
 };
+const isLocalhostUrl = (url) => {
+	if (!url) return false;
+	try {
+		const parsed = new URL(url);
+		return parsed.hostname === "localhost" || parsed.hostname === "127.0.0.1" || parsed.hostname === "::1";
+	} catch {
+		return url.includes("localhost") || url.includes("127.0.0.1");
+	}
+};
 
 //#endregion
-export { SCHEMA_SOURCE_BRANCH, areBranchesSchemaCompatible, ensureSchemaSync, formatSchemaDiffSummary, getActiveBranch, getSchemaDiff, hasSchemaDifferences, hasUncommittedChanges, syncSchemaFromMain };
+export { SCHEMA_SOURCE_BRANCH, areBranchesSchemaCompatible, ensureSchemaSync, formatSchemaDiffSummary, getActiveBranch, getSchemaDiff, hasSchemaDifferences, hasUncommittedChanges, isLocalhostUrl, syncSchemaFromMain };

package/dist/env.d.ts

@@ -13,11 +13,12 @@ declare const envSchema: z.ZodObject<{
   INKEEP_AGENTS_RUN_DATABASE_URL: z.ZodOptional<z.ZodString>;
   POSTGRES_POOL_SIZE: z.ZodOptional<z.ZodString>;
   INKEEP_AGENTS_JWT_SIGNING_SECRET: z.ZodOptional<z.ZodString>;
-  INKEEP_AGENTS_MANAGE_UI_URL: z.ZodOptional<z.ZodString>;
-  INKEEP_AGENTS_API_URL: z.ZodOptional<z.ZodString>;
   BETTER_AUTH_SECRET: z.ZodOptional<z.ZodString>;
   TRUSTED_ORIGIN: z.ZodOptional<z.ZodString>;
   OAUTH_PROXY_PRODUCTION_URL: z.ZodOptional<z.ZodString>;
+  INKEEP_AGENTS_MANAGE_UI_URL: z.ZodOptional<z.ZodString>;
+  INKEEP_AGENTS_API_URL: z.ZodOptional<z.ZodString>;
+  GITHUB_MCP_API_KEY: z.ZodOptional<z.ZodString>;
 }, z.core.$strip>;
 declare const env: {
   ENVIRONMENT?: "development" | "production" | "pentest" | "test" | undefined;
@@ -25,11 +26,12 @@ declare const env: {
   INKEEP_AGENTS_RUN_DATABASE_URL?: string | undefined;
   POSTGRES_POOL_SIZE?: string | undefined;
   INKEEP_AGENTS_JWT_SIGNING_SECRET?: string | undefined;
-  INKEEP_AGENTS_MANAGE_UI_URL?: string | undefined;
-  INKEEP_AGENTS_API_URL?: string | undefined;
   BETTER_AUTH_SECRET?: string | undefined;
   TRUSTED_ORIGIN?: string | undefined;
   OAUTH_PROXY_PRODUCTION_URL?: string | undefined;
+  INKEEP_AGENTS_MANAGE_UI_URL?: string | undefined;
+  INKEEP_AGENTS_API_URL?: string | undefined;
+  GITHUB_MCP_API_KEY?: string | undefined;
 };
 type Env = z.infer<typeof envSchema>;
 //#endregion

package/dist/env.js

@@ -37,16 +37,17 @@ const envSchema = z.object({
 		"production",
 		"pentest",
 		"test"
-	]).optional(),
-	INKEEP_AGENTS_MANAGE_DATABASE_URL: z.string().optional(),
-	INKEEP_AGENTS_RUN_DATABASE_URL: z.string().optional(),
-	POSTGRES_POOL_SIZE: z.string().optional(),
-	INKEEP_AGENTS_JWT_SIGNING_SECRET: z.string().min(32, "INKEEP_AGENTS_JWT_SIGNING_SECRET must be at least 32 characters").optional(),
-	INKEEP_AGENTS_MANAGE_UI_URL: z.string().optional(),
-	INKEEP_AGENTS_API_URL: z.string().optional(),
-	BETTER_AUTH_SECRET: z.string().optional(),
-	TRUSTED_ORIGIN: z.string().optional(),
-	OAUTH_PROXY_PRODUCTION_URL: z.string().optional()
+	]).optional().describe("Application environment mode"),
+	INKEEP_AGENTS_MANAGE_DATABASE_URL: z.string().optional().describe("PostgreSQL connection URL for the management database (Doltgres with Git version control)"),
+	INKEEP_AGENTS_RUN_DATABASE_URL: z.string().optional().describe("PostgreSQL connection URL for the runtime database (Doltgres with Git version control)"),
+	POSTGRES_POOL_SIZE: z.string().optional().describe("Maximum number of connections in the PostgreSQL connection pool"),
+	INKEEP_AGENTS_JWT_SIGNING_SECRET: z.string().min(32, "INKEEP_AGENTS_JWT_SIGNING_SECRET must be at least 32 characters").optional().describe("Secret key for signing JWT tokens (minimum 32 characters)"),
+	BETTER_AUTH_SECRET: z.string().optional().describe("Secret key for Better Auth session encryption (change in production)"),
+	TRUSTED_ORIGIN: z.string().optional().describe("Trusted origin URL for CORS in local/preview environments"),
+	OAUTH_PROXY_PRODUCTION_URL: z.string().optional().describe("OAuth proxy URL for production environment (used in local/preview environments)"),
+	INKEEP_AGENTS_MANAGE_UI_URL: z.string().optional().describe("URL where the management UI is hosted"),
+	INKEEP_AGENTS_API_URL: z.string().optional().describe("URL where the agents management API is running"),
+	GITHUB_MCP_API_KEY: z.string().optional().describe("API key for the GitHub MCP")
 });
 const parseEnv = () => {
 	try {