@inkeep/agents-core 0.42.0 → 0.44.0

package/dist/data-access/manage/tools.d.ts

@@ -7,28 +7,35 @@ import "../../index.js";
 import { McpTool, ToolInsert, ToolSelect, ToolUpdate } from "../../types/entities.js";
 
 //#region src/data-access/manage/tools.d.ts
+/**
+ * Convert DB result to McpTool skeleton WITHOUT MCP discovery.
+ * This is a fast path that returns status='unknown' and empty availableTools.
+ * Use this for list views where you want instant page load.
+ */
+declare const dbResultToMcpToolSkeleton: (dbResult: ToolSelect, relationshipId?: string) => McpTool;
 declare const dbResultToMcpTool: (dbResult: ToolSelect, dbClient: AgentsManageDatabaseClient, credentialStoreRegistry?: CredentialStoreRegistry, relationshipId?: string, userId?: string) => Promise<McpTool>;
 declare const getToolById: (db: AgentsManageDatabaseClient) => (params: {
   scopes: ProjectScopeConfig;
   toolId: string;
 }) => Promise<{
-  tenantId: string;
-  projectId: string;
   id: string;
   name: string;
+  createdAt: string;
+  updatedAt: string;
   description: string | null;
+  headers: Record<string, string> | null;
+  projectId: string;
+  tenantId: string;
   config: {
     type: "mcp";
     mcp: ToolMcpConfig;
   };
   credentialReferenceId: string | null;
-  createdAt: string;
-  updatedAt: string;
-  headers: Record<string, string> | null;
   credentialScope: string;
   imageUrl: string | null;
   capabilities: ToolServerCapabilities | null;
   lastError: string | null;
+  isWorkApp: boolean;
 } | null>;
 declare const getMcpToolById: (db: AgentsManageDatabaseClient) => (params: {
   scopes: ProjectScopeConfig;
@@ -56,6 +63,7 @@ declare const listTools: (db: AgentsManageDatabaseClient) => (params: {
     imageUrl: string | null;
     capabilities: ToolServerCapabilities | null;
     lastError: string | null;
+    isWorkApp: boolean;
     projectId: string;
     tenantId: string;
     id: string;
@@ -68,23 +76,24 @@ declare const listTools: (db: AgentsManageDatabaseClient) => (params: {
   };
 }>;
 declare const createTool: (db: AgentsManageDatabaseClient) => (params: ToolInsert) => Promise<{
-  tenantId: string;
-  projectId: string;
   id: string;
   name: string;
+  createdAt: string;
+  updatedAt: string;
   description: string | null;
+  headers: Record<string, string> | null;
+  projectId: string;
+  tenantId: string;
   config: {
     type: "mcp";
     mcp: ToolMcpConfig;
   };
   credentialReferenceId: string | null;
-  createdAt: string;
-  updatedAt: string;
-  headers: Record<string, string> | null;
   credentialScope: string;
   imageUrl: string | null;
   capabilities: ToolServerCapabilities | null;
   lastError: string | null;
+  isWorkApp: boolean;
 }>;
 declare const updateTool: (db: AgentsManageDatabaseClient) => (params: {
   scopes: ProjectScopeConfig;
@@ -105,6 +114,7 @@ declare const updateTool: (db: AgentsManageDatabaseClient) => (params: {
   imageUrl: string | null;
   capabilities: ToolServerCapabilities | null;
   lastError: string | null;
+  isWorkApp: boolean;
   projectId: string;
   tenantId: string;
   id: string;
@@ -123,18 +133,18 @@ declare const addToolToAgent: (db: AgentsManageDatabaseClient) => (params: {
     needsApproval?: boolean;
   }> | null;
 }) => Promise<{
-  tenantId: string;
-  projectId: string;
   id: string;
-  agentId: string;
   createdAt: string;
   updatedAt: string;
-  toolId: string;
   headers: Record<string, string> | null;
+  agentId: string;
+  projectId: string;
+  tenantId: string;
   toolPolicies: Record<string, {
     needsApproval?: boolean;
   }> | null;
   subAgentId: string;
+  toolId: string;
   selectedTools: string[] | null;
 }>;
 declare const removeToolFromAgent: (db: AgentsManageDatabaseClient) => (params: {
@@ -142,18 +152,18 @@ declare const removeToolFromAgent: (db: AgentsManageDatabaseClient) => (params:
   subAgentId: string;
   toolId: string;
 }) => Promise<{
-  tenantId: string;
-  projectId: string;
   id: string;
-  agentId: string;
   createdAt: string;
   updatedAt: string;
-  toolId: string;
   headers: Record<string, string> | null;
+  agentId: string;
+  projectId: string;
+  tenantId: string;
   toolPolicies: Record<string, {
     needsApproval?: boolean;
   }> | null;
   subAgentId: string;
+  toolId: string;
   selectedTools: string[] | null;
 }>;
 /**
@@ -170,18 +180,18 @@ declare const upsertSubAgentToolRelation: (db: AgentsManageDatabaseClient) => (p
   }> | null;
   relationId?: string;
 }) => Promise<{
-  tenantId: string;
-  projectId: string;
   id: string;
-  agentId: string;
   createdAt: string;
   updatedAt: string;
-  toolId: string;
   headers: Record<string, string> | null;
+  agentId: string;
+  projectId: string;
+  tenantId: string;
   toolPolicies: Record<string, {
     needsApproval?: boolean;
   }> | null;
   subAgentId: string;
+  toolId: string;
   selectedTools: string[] | null;
 }>;
 /**
@@ -190,23 +200,24 @@ declare const upsertSubAgentToolRelation: (db: AgentsManageDatabaseClient) => (p
 declare const upsertTool: (db: AgentsManageDatabaseClient) => (params: {
   data: ToolInsert;
 }) => Promise<{
-  tenantId: string;
-  projectId: string;
   id: string;
   name: string;
+  createdAt: string;
+  updatedAt: string;
   description: string | null;
+  headers: Record<string, string> | null;
+  projectId: string;
+  tenantId: string;
   config: {
     type: "mcp";
     mcp: ToolMcpConfig;
   };
   credentialReferenceId: string | null;
-  createdAt: string;
-  updatedAt: string;
-  headers: Record<string, string> | null;
   credentialScope: string;
   imageUrl: string | null;
   capabilities: ToolServerCapabilities | null;
   lastError: string | null;
+  isWorkApp: boolean;
 }>;
 //#endregion
-export { addToolToAgent, createTool, dbResultToMcpTool, deleteTool, getMcpToolById, getToolById, listTools, removeToolFromAgent, updateTool, upsertSubAgentToolRelation, upsertTool };
+export { addToolToAgent, createTool, dbResultToMcpTool, dbResultToMcpToolSkeleton, deleteTool, getMcpToolById, getToolById, listTools, removeToolFromAgent, updateTool, upsertSubAgentToolRelation, upsertTool };

package/dist/data-access/manage/tools.js

@@ -1,20 +1,41 @@
 import { CredentialStoreType, MCPServerType, MCPTransportType } from "../../types/utility.js";
 import { subAgentToolRelations, tools } from "../../db/manage/manage-schema.js";
 import { detectAuthenticationRequired } from "../../utils/auth-detection.js";
+import { env } from "../../env.js";
 import { getLogger } from "../../utils/logger.js";
 import { getCredentialStoreLookupKeyFromRetrievalParams } from "../../utils/credential-store-utils.js";
 import { CredentialStuffer } from "../../credential-stuffer/CredentialStuffer.js";
 import "../../credential-stuffer/index.js";
+import { createAgentsRunDatabaseClient } from "../../db/runtime/runtime-client.js";
 import { generateId } from "../../utils/conversations.js";
 import { updateAgentToolRelation } from "./subAgentRelations.js";
+import { getActiveBranch } from "../../dolt/schema-sync.js";
 import { toISODateString } from "../../utils/date.js";
 import { McpClient } from "../../utils/mcp-client.js";
+import { buildComposioMCPUrl } from "../../utils/third-party-mcp-servers/composio-client.js";
 import { isThirdPartyMCPServerAuthenticated } from "../../utils/third-party-mcp-servers/third-party-check.js";
 import "../../utils/index.js";
+import { cascadeDeleteByTool } from "../runtime/cascade-delete.js";
+import { isGithubWorkAppTool } from "../runtime/github-work-app-installations.js";
 import { getCredentialReference, getUserScopedCredentialReference } from "./credentialReferences.js";
 import { and, count, desc, eq } from "drizzle-orm";
+import { ErrorCode, McpError } from "@modelcontextprotocol/sdk/types.js";
 
 //#region src/data-access/manage/tools.ts
+/**
+* Check if an error is a timeout/connection error.
+* Uses MCP SDK ErrorCode for proper type safety.
+*/
+function isTimeoutOrConnectionError(error) {
+	if (error instanceof McpError) return error.code === ErrorCode.RequestTimeout || error.code === ErrorCode.ConnectionClosed;
+	if (error instanceof Error) {
+		const message = error.message.toLowerCase();
+		const cause = error.cause;
+		if (message.includes("timed out") || message.includes("timeout")) return true;
+		if (cause?.code === "ETIMEDOUT" || cause?.code === "ECONNABORTED" || cause?.code === "ECONNRESET") return true;
+	}
+	return false;
+}
 const logger = getLogger("tools");
 /**
 * Extract expiration date from credential data stored in credential store
@@ -70,24 +91,10 @@ const convertToMCPToolConfig = (tool) => {
 		toolOverrides: tool.config.mcp.toolOverrides
 	};
 };
-const discoverToolsFromServer = async (tool, dbClient, credentialStoreRegistry, userId) => {
+const discoverToolsFromServer = async (tool, credentialReference, credentialStoreRegistry, userId) => {
 	if (tool.config.type !== "mcp") throw new Error(`Cannot discover tools from non-MCP tool: ${tool.id}`);
 	try {
 		let serverConfig;
-		const credentialReference = tool.credentialReferenceId && tool.credentialScope !== "user" ? await getCredentialReference(dbClient)({
-			scopes: {
-				tenantId: tool.tenantId,
-				projectId: tool.projectId
-			},
-			id: tool.credentialReferenceId
-		}) : userId && tool.credentialScope === "user" ? await getUserScopedCredentialReference(dbClient)({
-			scopes: {
-				tenantId: tool.tenantId,
-				projectId: tool.projectId
-			},
-			toolId: tool.id,
-			userId
-		}) : void 0;
 		if (credentialReference) {
 			const storeReference = {
 				credentialStoreId: credentialReference.credentialStoreId,
@@ -111,12 +118,12 @@ const discoverToolsFromServer = async (tool, dbClient, credentialStoreRegistry,
 			reconnectionOptions: tool.config.mcp.transport?.reconnectionOptions,
 			sessionId: tool.config.mcp.transport?.sessionId
 		};
-		if (serverConfig.url?.toString().includes("composio.dev")) {
-			const urlObj = new URL(serverConfig.url.toString());
-			if (tool.credentialScope === "user" && userId) urlObj.searchParams.set("user_id", userId);
-			else urlObj.searchParams.set("user_id", `${tool.tenantId}||${tool.projectId}`);
-			serverConfig.url = urlObj.toString();
-		}
+		if (serverConfig.url) serverConfig.url = buildComposioMCPUrl(serverConfig.url.toString(), tool.tenantId, tool.projectId, tool.credentialScope === "user" ? "user" : "project", userId);
+		if (isGithubWorkAppTool(tool)) serverConfig.headers = {
+			...serverConfig.headers,
+			"x-inkeep-tool-id": tool.id,
+			Authorization: `Bearer ${env.GITHUB_MCP_API_KEY}`
+		};
 		const client = new McpClient({
 			name: tool.name,
 			server: serverConfig
@@ -141,6 +148,27 @@ const discoverToolsFromServer = async (tool, dbClient, credentialStoreRegistry,
 		throw error;
 	}
 };
+/**
+* Convert DB result to McpTool skeleton WITHOUT MCP discovery.
+* This is a fast path that returns status='unknown' and empty availableTools.
+* Use this for list views where you want instant page load.
+*/
+const dbResultToMcpToolSkeleton = (dbResult, relationshipId) => {
+	const { headers, capabilities, credentialReferenceId, imageUrl, createdAt, ...rest } = dbResult;
+	return {
+		...rest,
+		status: "unknown",
+		availableTools: [],
+		capabilities: capabilities || void 0,
+		credentialReferenceId: credentialReferenceId || void 0,
+		createdAt: toISODateString(createdAt),
+		updatedAt: toISODateString(dbResult.updatedAt),
+		lastError: dbResult.lastError || null,
+		headers: headers || void 0,
+		imageUrl: imageUrl || void 0,
+		relationshipId
+	};
+};
 const dbResultToMcpTool = async (dbResult, dbClient, credentialStoreRegistry, relationshipId, userId) => {
 	const { headers, capabilities, credentialReferenceId, imageUrl, createdAt, ...rest } = dbResult;
 	if (dbResult.config.type !== "mcp") return {
@@ -181,18 +209,23 @@ const dbResultToMcpTool = async (dbResult, dbClient, credentialStoreRegistry, re
 	}
 	const mcpServerUrl = dbResult.config.mcp.server.url;
 	try {
-		availableTools = await discoverToolsFromServer(dbResult, dbClient, credentialStoreRegistry, userId);
+		availableTools = await discoverToolsFromServer(dbResult, credentialReference, credentialStoreRegistry, userId);
 		status = "healthy";
 		lastErrorComputed = null;
 	} catch (error) {
-		const toolNeedsAuth = error instanceof Error && await detectAuthenticationRequired({
-			serverUrl: mcpServerUrl,
-			error,
-			logger
-		});
-		status = toolNeedsAuth ? "needs_auth" : "unhealthy";
 		const errorMessage = error instanceof Error ? error.message : "Tool discovery failed";
-		lastErrorComputed = toolNeedsAuth ? `Authentication required - OAuth login needed. ${errorMessage}` : errorMessage;
+		if (isTimeoutOrConnectionError(error)) {
+			status = "unavailable";
+			lastErrorComputed = `Connection failed - the MCP server may be slow or temporarily unreachable.${error instanceof McpError ? ` (MCP error ${error.code})` : ""} ${errorMessage}`;
+		} else {
+			const toolNeedsAuth = await detectAuthenticationRequired({
+				serverUrl: mcpServerUrl,
+				error: error instanceof Error ? error : void 0,
+				logger
+			});
+			status = toolNeedsAuth ? "needs_auth" : "unhealthy";
+			lastErrorComputed = toolNeedsAuth ? `Authentication required - OAuth login needed. ${errorMessage}` : errorMessage;
+		}
 	}
 	if (dbResult.config.mcp.server.url.includes("composio.dev")) {
 		const credentialScope = dbResult.credentialScope || "project";
@@ -284,7 +317,16 @@ const updateTool = (db) => async (params) => {
 };
 const deleteTool = (db) => async (params) => {
 	const [deleted] = await db.delete(tools).where(and(eq(tools.tenantId, params.scopes.tenantId), eq(tools.projectId, params.scopes.projectId), eq(tools.id, params.toolId))).returning();
-	return !!deleted;
+	if (!deleted) return false;
+	if (deleted.isWorkApp && deleted.config.mcp.server.url.includes("/github/mcp")) try {
+		if (await getActiveBranch(db)() === `${params.scopes.tenantId}_${params.scopes.projectId}_main`) await cascadeDeleteByTool(createAgentsRunDatabaseClient())({ toolId: params.toolId });
+	} catch (error) {
+		logger.debug({
+			error,
+			toolId: params.toolId
+		}, "Skipping cascade delete - active_branch() not available");
+	}
+	return true;
 };
 const addToolToAgent = (db) => async (params) => {
 	const id = generateId();
@@ -351,4 +393,4 @@ const upsertTool = (db) => async (params) => {
 };
 
 //#endregion
-export { addToolToAgent, createTool, dbResultToMcpTool, deleteTool, getMcpToolById, getToolById, listTools, removeToolFromAgent, updateTool, upsertSubAgentToolRelation, upsertTool };
+export { addToolToAgent, createTool, dbResultToMcpTool, dbResultToMcpToolSkeleton, deleteTool, getMcpToolById, getToolById, listTools, removeToolFromAgent, updateTool, upsertSubAgentToolRelation, upsertTool };

package/dist/data-access/manage/triggers.d.ts

@@ -35,7 +35,33 @@ declare const listTriggersPaginated: (db: AgentsManageDatabaseClient) => (params
     } | null;
     messageTemplate: string | null;
     authentication: unknown;
-    signingSecret: string | null;
+    signingSecretCredentialReferenceId: string | null;
+    signatureVerification: {
+      algorithm: "sha256" | "sha512" | "sha384" | "sha1" | "md5";
+      encoding: "hex" | "base64";
+      signature: {
+        source: "query" | "body" | "header";
+        key: string;
+        prefix?: string | undefined;
+        regex?: string | undefined;
+      };
+      signedComponents: {
+        source: "literal" | "body" | "header";
+        required: boolean;
+        key?: string | undefined;
+        value?: string | undefined;
+        regex?: string | undefined;
+      }[];
+      componentJoin: {
+        strategy: "concatenate";
+        separator: string;
+      };
+      validation?: {
+        headerCaseSensitive: boolean;
+        allowEmptyBody: boolean;
+        normalizeUnicode: boolean;
+      } | undefined;
+    } | null;
     name: string;
     description: string | null;
     agentId: string;

package/dist/data-access/runtime/apiKeys.d.ts

@@ -7,49 +7,49 @@ declare const getApiKeyById: (db: AgentsRunDatabaseClient) => (params: {
   scopes: ProjectScopeConfig;
   id: string;
 }) => Promise<{
-  tenantId: string;
-  projectId: string;
   id: string;
   name: string | null;
+  createdAt: string;
+  updatedAt: string;
+  expiresAt: string | null;
   agentId: string;
+  projectId: string;
+  tenantId: string;
   publicId: string;
   keyHash: string;
   keyPrefix: string;
   lastUsedAt: string | null;
-  expiresAt: string | null;
-  createdAt: string;
-  updatedAt: string;
 } | undefined>;
 declare const getApiKeyByPublicId: (db: AgentsRunDatabaseClient) => (publicId: string) => Promise<{
-  tenantId: string;
-  projectId: string;
   id: string;
   name: string | null;
+  createdAt: string;
+  updatedAt: string;
+  expiresAt: string | null;
   agentId: string;
+  projectId: string;
+  tenantId: string;
   publicId: string;
   keyHash: string;
   keyPrefix: string;
   lastUsedAt: string | null;
-  expiresAt: string | null;
-  createdAt: string;
-  updatedAt: string;
 } | undefined>;
 declare const listApiKeys: (db: AgentsRunDatabaseClient) => (params: {
   scopes: ProjectScopeConfig;
   agentId?: string;
 }) => Promise<{
-  tenantId: string;
-  projectId: string;
   id: string;
   name: string | null;
+  createdAt: string;
+  updatedAt: string;
+  expiresAt: string | null;
   agentId: string;
+  projectId: string;
+  tenantId: string;
   publicId: string;
   keyHash: string;
   keyPrefix: string;
   lastUsedAt: string | null;
-  expiresAt: string | null;
-  createdAt: string;
-  updatedAt: string;
 }[]>;
 declare const listApiKeysPaginated: (db: AgentsRunDatabaseClient) => (params: {
   scopes: ProjectScopeConfig;
@@ -65,18 +65,18 @@ declare const listApiKeysPaginated: (db: AgentsRunDatabaseClient) => (params: {
   };
 }>;
 declare const createApiKey: (db: AgentsRunDatabaseClient) => (params: ApiKeyInsert) => Promise<{
-  tenantId: string;
-  projectId: string;
   id: string;
   name: string | null;
+  createdAt: string;
+  updatedAt: string;
+  expiresAt: string | null;
   agentId: string;
+  projectId: string;
+  tenantId: string;
   publicId: string;
   keyHash: string;
   keyPrefix: string;
   lastUsedAt: string | null;
-  expiresAt: string | null;
-  createdAt: string;
-  updatedAt: string;
 }>;
 declare const updateApiKey: (db: AgentsRunDatabaseClient) => (params: {
   scopes: ProjectScopeConfig;

package/dist/data-access/runtime/cascade-delete.d.ts

@@ -73,5 +73,52 @@ declare const cascadeDeleteByContextConfig: (db: AgentsRunDatabaseClient) => (pa
 }) => Promise<{
   contextCacheDeleted: number;
 }>;
+/**
+ * Result of a tool cascade delete operation
+ */
+type ToolCascadeDeleteResult = {
+  mcpToolRepositoryAccessDeleted: number;
+  mcpToolAccessModeDeleted: boolean;
+};
+/**
+ * Delete all runtime entities for a specific MCP tool.
+ * Called when an MCP tool is deleted from the manage database.
+ *
+ * Cleans up:
+ * - workAppGitHubMcpToolRepositoryAccess entries
+ * - workAppGitHubMcpToolAccessMode entry
+ *
+ * @param db - Runtime database client
+ * @returns Function that performs the cascade delete
+ */
+declare const cascadeDeleteByTool: (db: AgentsRunDatabaseClient) => (params: {
+  toolId: string;
+}) => Promise<ToolCascadeDeleteResult>;
+/**
+ * Result of a project cascade delete operation (GitHub access only)
+ */
+type ProjectGitHubAccessCascadeDeleteResult = {
+  projectRepositoryAccessDeleted: number;
+  projectAccessModeDeleted: boolean;
+  mcpToolRepositoryAccessDeleted: number;
+  mcpToolAccessModesDeleted: number;
+};
+/**
+ * Delete all GitHub access runtime entities for a specific project.
+ * Called when a project is deleted from the manage database.
+ *
+ * Cleans up:
+ * - workAppGitHubProjectRepositoryAccess entries
+ * - workAppGitHubProjectAccessMode entry
+ * - workAppGitHubMcpToolRepositoryAccess entries (for tools in this project)
+ * - workAppGitHubMcpToolAccessMode entries (for tools in this project)
+ *
+ * @param db - Runtime database client
+ * @returns Function that performs the cascade delete
+ */
+declare const cascadeDeleteGitHubAccessByProject: (db: AgentsRunDatabaseClient) => (params: {
+  tenantId: string;
+  projectId: string;
+}) => Promise<ProjectGitHubAccessCascadeDeleteResult>;
 //#endregion
-export { CascadeDeleteResult, cascadeDeleteByAgent, cascadeDeleteByBranch, cascadeDeleteByContextConfig, cascadeDeleteByProject, cascadeDeleteBySubAgent };
+export { CascadeDeleteResult, ProjectGitHubAccessCascadeDeleteResult, ToolCascadeDeleteResult, cascadeDeleteByAgent, cascadeDeleteByBranch, cascadeDeleteByContextConfig, cascadeDeleteByProject, cascadeDeleteBySubAgent, cascadeDeleteByTool, cascadeDeleteGitHubAccessByProject };

package/dist/data-access/runtime/cascade-delete.js

@@ -1,4 +1,4 @@
-import { apiKeys, contextCache, conversations, tasks } from "../../db/runtime/runtime-schema.js";
+import { apiKeys, contextCache, conversations, tasks, workAppGitHubMcpToolAccessMode, workAppGitHubMcpToolRepositoryAccess, workAppGitHubProjectAccessMode, workAppGitHubProjectRepositoryAccess } from "../../db/runtime/runtime-schema.js";
 import { and, eq, inArray, sql } from "drizzle-orm";
 
 //#region src/data-access/runtime/cascade-delete.ts
@@ -35,6 +35,10 @@ const cascadeDeleteByProject = (db) => async (params) => {
 	const conversationsResult = await db.delete(conversations).where(and(eq(conversations.tenantId, scopes.tenantId), eq(conversations.projectId, scopes.projectId), sql`${conversations.ref}->>'name' = ${fullBranchName}`)).returning();
 	const tasksResult = await db.delete(tasks).where(and(eq(tasks.tenantId, scopes.tenantId), eq(tasks.projectId, scopes.projectId), sql`${tasks.ref}->>'name' = ${fullBranchName}`)).returning();
 	const apiKeysResult = await db.delete(apiKeys).where(and(eq(apiKeys.tenantId, scopes.tenantId), eq(apiKeys.projectId, scopes.projectId))).returning();
+	await cascadeDeleteGitHubAccessByProject(db)({
+		tenantId: scopes.tenantId,
+		projectId: scopes.projectId
+	});
 	return {
 		conversationsDeleted: conversationsResult.length,
 		tasksDeleted: tasksResult.length,
@@ -106,6 +110,52 @@ const cascadeDeleteByContextConfig = (db) => async (params) => {
 	const { scopes, contextConfigId, fullBranchName } = params;
 	return { contextCacheDeleted: (await db.delete(contextCache).where(and(eq(contextCache.tenantId, scopes.tenantId), eq(contextCache.projectId, scopes.projectId), eq(contextCache.contextConfigId, contextConfigId), sql`${contextCache.ref}->>'name' = ${fullBranchName}`)).returning()).length };
 };
+/**
+* Delete all runtime entities for a specific MCP tool.
+* Called when an MCP tool is deleted from the manage database.
+*
+* Cleans up:
+* - workAppGitHubMcpToolRepositoryAccess entries
+* - workAppGitHubMcpToolAccessMode entry
+*
+* @param db - Runtime database client
+* @returns Function that performs the cascade delete
+*/
+const cascadeDeleteByTool = (db) => async (params) => {
+	const { toolId } = params;
+	const repositoryAccessResult = await db.delete(workAppGitHubMcpToolRepositoryAccess).where(eq(workAppGitHubMcpToolRepositoryAccess.toolId, toolId)).returning();
+	const accessModeResult = await db.delete(workAppGitHubMcpToolAccessMode).where(eq(workAppGitHubMcpToolAccessMode.toolId, toolId)).returning();
+	return {
+		mcpToolRepositoryAccessDeleted: repositoryAccessResult.length,
+		mcpToolAccessModeDeleted: accessModeResult.length > 0
+	};
+};
+/**
+* Delete all GitHub access runtime entities for a specific project.
+* Called when a project is deleted from the manage database.
+*
+* Cleans up:
+* - workAppGitHubProjectRepositoryAccess entries
+* - workAppGitHubProjectAccessMode entry
+* - workAppGitHubMcpToolRepositoryAccess entries (for tools in this project)
+* - workAppGitHubMcpToolAccessMode entries (for tools in this project)
+*
+* @param db - Runtime database client
+* @returns Function that performs the cascade delete
+*/
+const cascadeDeleteGitHubAccessByProject = (db) => async (params) => {
+	const { tenantId, projectId } = params;
+	const projectRepoAccessResult = await db.delete(workAppGitHubProjectRepositoryAccess).where(and(eq(workAppGitHubProjectRepositoryAccess.tenantId, tenantId), eq(workAppGitHubProjectRepositoryAccess.projectId, projectId))).returning();
+	const projectAccessModeResult = await db.delete(workAppGitHubProjectAccessMode).where(and(eq(workAppGitHubProjectAccessMode.tenantId, tenantId), eq(workAppGitHubProjectAccessMode.projectId, projectId))).returning();
+	const mcpToolRepoAccessResult = await db.delete(workAppGitHubMcpToolRepositoryAccess).where(and(eq(workAppGitHubMcpToolRepositoryAccess.tenantId, tenantId), eq(workAppGitHubMcpToolRepositoryAccess.projectId, projectId))).returning();
+	const mcpToolAccessModeResult = await db.delete(workAppGitHubMcpToolAccessMode).where(and(eq(workAppGitHubMcpToolAccessMode.tenantId, tenantId), eq(workAppGitHubMcpToolAccessMode.projectId, projectId))).returning();
+	return {
+		projectRepositoryAccessDeleted: projectRepoAccessResult.length,
+		projectAccessModeDeleted: projectAccessModeResult.length > 0,
+		mcpToolRepositoryAccessDeleted: mcpToolRepoAccessResult.length,
+		mcpToolAccessModesDeleted: mcpToolAccessModeResult.length
+	};
+};
 
 //#endregion
-export { cascadeDeleteByAgent, cascadeDeleteByBranch, cascadeDeleteByContextConfig, cascadeDeleteByProject, cascadeDeleteBySubAgent };
+export { cascadeDeleteByAgent, cascadeDeleteByBranch, cascadeDeleteByContextConfig, cascadeDeleteByProject, cascadeDeleteBySubAgent, cascadeDeleteByTool, cascadeDeleteGitHubAccessByProject };