@inkeep/agents-core 0.43.0 → 0.45.0

package/dist/data-access/runtime/github-work-app-installations.js

@@ -0,0 +1,457 @@
+import { workAppGitHubInstallations, workAppGitHubMcpToolAccessMode, workAppGitHubMcpToolRepositoryAccess, workAppGitHubProjectAccessMode, workAppGitHubProjectRepositoryAccess, workAppGitHubRepositories } from "../../db/runtime/runtime-schema.js";
+import { generateId } from "../../utils/conversations.js";
+import { and, count, desc, eq, inArray, ne } from "drizzle-orm";
+
+//#region src/data-access/runtime/github-work-app-installations.ts
+/**
+* Create a new GitHub App installation record
+*/
+const createInstallation = (db) => async (input) => {
+	const now = (/* @__PURE__ */ new Date()).toISOString();
+	const [created] = await db.insert(workAppGitHubInstallations).values({
+		...input,
+		createdAt: now,
+		updatedAt: now
+	}).returning();
+	return created;
+};
+/**
+* Get installation by GitHub installation ID
+*/
+const getInstallationByGitHubId = (db) => async (gitHubInstallationId) => {
+	return await db.query.workAppGitHubInstallations.findFirst({ where: eq(workAppGitHubInstallations.installationId, gitHubInstallationId) }) ?? null;
+};
+/**
+* Get installation by internal ID with tenant validation
+*/
+const getInstallationById = (db) => async (params) => {
+	return await db.query.workAppGitHubInstallations.findFirst({ where: and(eq(workAppGitHubInstallations.tenantId, params.tenantId), eq(workAppGitHubInstallations.id, params.id)) }) ?? null;
+};
+/**
+* Get all installations for a tenant
+*/
+const getInstallationsByTenantId = (db) => async (params) => {
+	const conditions = [eq(workAppGitHubInstallations.tenantId, params.tenantId)];
+	if (!params.includeDisconnected) conditions.push(ne(workAppGitHubInstallations.status, "disconnected"));
+	return await db.select().from(workAppGitHubInstallations).where(and(...conditions)).orderBy(desc(workAppGitHubInstallations.createdAt));
+};
+/**
+* Update installation status
+*/
+const updateInstallationStatus = (db) => async (params) => {
+	const now = (/* @__PURE__ */ new Date()).toISOString();
+	const [updated] = await db.update(workAppGitHubInstallations).set({
+		status: params.status,
+		updatedAt: now
+	}).where(and(eq(workAppGitHubInstallations.tenantId, params.tenantId), eq(workAppGitHubInstallations.id, params.id))).returning();
+	return updated ?? null;
+};
+/**
+* Update installation status by GitHub installation ID (for webhook handlers)
+*/
+const updateInstallationStatusByGitHubId = (db) => async (params) => {
+	const now = (/* @__PURE__ */ new Date()).toISOString();
+	const [updated] = await db.update(workAppGitHubInstallations).set({
+		status: params.status,
+		updatedAt: now
+	}).where(eq(workAppGitHubInstallations.installationId, params.gitHubInstallationId)).returning();
+	return updated ?? null;
+};
+/**
+* Soft delete an installation (set status to 'disconnected')
+* Also removes all project repository access for this installation's repositories
+*/
+const disconnectInstallation = (db) => async (params) => {
+	const now = (/* @__PURE__ */ new Date()).toISOString();
+	const repoIds = (await db.select({ id: workAppGitHubRepositories.id }).from(workAppGitHubRepositories).where(eq(workAppGitHubRepositories.installationDbId, params.id))).map((r) => r.id);
+	if (repoIds.length > 0) await db.delete(workAppGitHubProjectRepositoryAccess).where(inArray(workAppGitHubProjectRepositoryAccess.repositoryDbId, repoIds));
+	const [updated] = await db.update(workAppGitHubInstallations).set({
+		status: "disconnected",
+		updatedAt: now
+	}).where(and(eq(workAppGitHubInstallations.tenantId, params.tenantId), eq(workAppGitHubInstallations.id, params.id))).returning();
+	return !!updated;
+};
+/**
+* Delete an installation (hard delete)
+* Returns the deleted installation if found, null otherwise
+*/
+const deleteInstallation = (db) => async (params) => {
+	const [deleted] = await db.delete(workAppGitHubInstallations).where(and(eq(workAppGitHubInstallations.tenantId, params.tenantId), eq(workAppGitHubInstallations.id, params.id))).returning();
+	return deleted ?? null;
+};
+/**
+* Sync repositories for an installation
+* Adds new repos, removes missing repos, updates existing
+*/
+const syncRepositories = (db) => async (params) => {
+	const now = (/* @__PURE__ */ new Date()).toISOString();
+	const existingRepos = await db.select().from(workAppGitHubRepositories).where(eq(workAppGitHubRepositories.installationDbId, params.installationId));
+	const existingRepoIds = new Set(existingRepos.map((r) => r.repositoryId));
+	const newRepoIds = new Set(params.repositories.map((r) => r.repositoryId));
+	const toAdd = params.repositories.filter((r) => !existingRepoIds.has(r.repositoryId));
+	const toRemove = existingRepos.filter((r) => !newRepoIds.has(r.repositoryId));
+	const toUpdate = params.repositories.filter((r) => existingRepoIds.has(r.repositoryId));
+	if (toRemove.length > 0) {
+		const removeIds = toRemove.map((r) => r.id);
+		await db.delete(workAppGitHubProjectRepositoryAccess).where(inArray(workAppGitHubProjectRepositoryAccess.repositoryDbId, removeIds));
+		await db.delete(workAppGitHubRepositories).where(inArray(workAppGitHubRepositories.id, removeIds));
+	}
+	if (toAdd.length > 0) await db.insert(workAppGitHubRepositories).values(toAdd.map((repo) => ({
+		id: generateId(),
+		installationDbId: params.installationId,
+		repositoryId: repo.repositoryId,
+		repositoryName: repo.repositoryName,
+		repositoryFullName: repo.repositoryFullName,
+		private: repo.private,
+		createdAt: now,
+		updatedAt: now
+	})));
+	let updatedCount = 0;
+	for (const repo of toUpdate) {
+		const existing = existingRepos.find((e) => e.repositoryId === repo.repositoryId);
+		if (existing && (existing.repositoryName !== repo.repositoryName || existing.repositoryFullName !== repo.repositoryFullName || existing.private !== repo.private)) {
+			await db.update(workAppGitHubRepositories).set({
+				repositoryName: repo.repositoryName,
+				repositoryFullName: repo.repositoryFullName,
+				private: repo.private,
+				updatedAt: now
+			}).where(eq(workAppGitHubRepositories.id, existing.id));
+			updatedCount++;
+		}
+	}
+	return {
+		added: toAdd.length,
+		removed: toRemove.length,
+		updated: updatedCount
+	};
+};
+/**
+* Add repositories to an installation (for webhook 'added' events)
+*/
+const addRepositories = (db) => async (params) => {
+	const now = (/* @__PURE__ */ new Date()).toISOString();
+	if (params.repositories.length === 0) return [];
+	await db.insert(workAppGitHubRepositories).values(params.repositories.map((repo) => ({
+		id: generateId(),
+		installationDbId: params.installationId,
+		repositoryId: repo.repositoryId,
+		repositoryName: repo.repositoryName,
+		repositoryFullName: repo.repositoryFullName,
+		private: repo.private,
+		createdAt: now,
+		updatedAt: now
+	}))).onConflictDoNothing().returning();
+	const insertedRepoIds = params.repositories.map((r) => r.repositoryId);
+	return await db.select().from(workAppGitHubRepositories).where(and(eq(workAppGitHubRepositories.installationDbId, params.installationId), inArray(workAppGitHubRepositories.repositoryId, insertedRepoIds)));
+};
+/**
+* Remove repositories from an installation (for webhook 'removed' events)
+* Also removes associated project repository access entries
+*/
+const removeRepositories = (db) => async (params) => {
+	if (params.repositoryIds.length === 0) return 0;
+	const repoIds = (await db.select({ id: workAppGitHubRepositories.id }).from(workAppGitHubRepositories).where(and(eq(workAppGitHubRepositories.installationDbId, params.installationId), inArray(workAppGitHubRepositories.repositoryId, params.repositoryIds)))).map((r) => r.id);
+	if (repoIds.length === 0) return 0;
+	await db.delete(workAppGitHubProjectRepositoryAccess).where(inArray(workAppGitHubProjectRepositoryAccess.repositoryDbId, repoIds));
+	return (await db.delete(workAppGitHubRepositories).where(inArray(workAppGitHubRepositories.id, repoIds)).returning()).length;
+};
+/**
+* Get all repositories for an installation
+*/
+const getRepositoriesByInstallationId = (db) => async (installationId) => {
+	return await db.select().from(workAppGitHubRepositories).where(eq(workAppGitHubRepositories.installationDbId, installationId)).orderBy(workAppGitHubRepositories.repositoryFullName);
+};
+/**
+* Get repository by full name (e.g., "org/repo")
+*/
+const getRepositoryByFullName = (db) => async (repositoryFullName) => {
+	return (await db.select().from(workAppGitHubRepositories).where(eq(workAppGitHubRepositories.repositoryFullName, repositoryFullName)).limit(1))[0] ?? null;
+};
+/**
+* Get repository by internal ID
+*/
+const getRepositoryById = (db) => async (id) => {
+	return await db.query.workAppGitHubRepositories.findFirst({ where: eq(workAppGitHubRepositories.id, id) }) ?? null;
+};
+/**
+* Get all repositories for a tenant (across all installations)
+*/
+const getRepositoriesByTenantId = (db) => async (tenantId) => {
+	return await db.select({
+		id: workAppGitHubRepositories.id,
+		installationDbId: workAppGitHubRepositories.installationDbId,
+		installationId: workAppGitHubInstallations.installationId,
+		repositoryId: workAppGitHubRepositories.repositoryId,
+		repositoryName: workAppGitHubRepositories.repositoryName,
+		repositoryFullName: workAppGitHubRepositories.repositoryFullName,
+		private: workAppGitHubRepositories.private,
+		createdAt: workAppGitHubRepositories.createdAt,
+		updatedAt: workAppGitHubRepositories.updatedAt,
+		installationAccountLogin: workAppGitHubInstallations.accountLogin
+	}).from(workAppGitHubRepositories).innerJoin(workAppGitHubInstallations, eq(workAppGitHubRepositories.installationDbId, workAppGitHubInstallations.id)).where(and(eq(workAppGitHubInstallations.tenantId, tenantId), ne(workAppGitHubInstallations.status, "disconnected"))).orderBy(workAppGitHubRepositories.repositoryFullName);
+};
+/**
+* Set project repository access (full replacement)
+* Used when mode='selected' to specify which repositories the project can access.
+* Pass empty array to clear all access entries.
+*
+* Also cascades changes to MCP tools: any MCP tool in this project with mode='selected'
+* will have its selected repositories filtered to only include repos that remain
+* in the project's access list.
+*/
+const setProjectRepositoryAccess = (db) => async (params) => {
+	const now = (/* @__PURE__ */ new Date()).toISOString();
+	const newRepoIdSet = new Set(params.repositoryIds);
+	await db.delete(workAppGitHubProjectRepositoryAccess).where(eq(workAppGitHubProjectRepositoryAccess.projectId, params.projectId));
+	if (params.repositoryIds.length > 0) await db.insert(workAppGitHubProjectRepositoryAccess).values(params.repositoryIds.map((repoId) => ({
+		id: generateId(),
+		tenantId: params.tenantId,
+		projectId: params.projectId,
+		repositoryDbId: repoId,
+		createdAt: now,
+		updatedAt: now
+	})));
+	const toolsWithSelectedMode = await db.select({ toolId: workAppGitHubMcpToolAccessMode.toolId }).from(workAppGitHubMcpToolAccessMode).where(and(eq(workAppGitHubMcpToolAccessMode.tenantId, params.tenantId), eq(workAppGitHubMcpToolAccessMode.projectId, params.projectId), eq(workAppGitHubMcpToolAccessMode.mode, "selected")));
+	for (const { toolId } of toolsWithSelectedMode) {
+		const reposToRemove = (await db.select({
+			id: workAppGitHubMcpToolRepositoryAccess.id,
+			repositoryDbId: workAppGitHubMcpToolRepositoryAccess.repositoryDbId
+		}).from(workAppGitHubMcpToolRepositoryAccess).where(eq(workAppGitHubMcpToolRepositoryAccess.toolId, toolId))).filter((r) => !newRepoIdSet.has(r.repositoryDbId));
+		if (reposToRemove.length > 0) await db.delete(workAppGitHubMcpToolRepositoryAccess).where(inArray(workAppGitHubMcpToolRepositoryAccess.id, reposToRemove.map((r) => r.id)));
+	}
+};
+/**
+* Get project repository access entries
+* These entries are used when mode='selected'. Check mode via getProjectAccessMode().
+*/
+const getProjectRepositoryAccess = (db) => async (projectId) => {
+	return await db.select().from(workAppGitHubProjectRepositoryAccess).where(eq(workAppGitHubProjectRepositoryAccess.projectId, projectId));
+};
+/**
+* Get project repository access with full repository details.
+* If project access mode is 'all', returns all tenant repositories.
+* If mode is 'selected' (or not set), returns only explicitly granted repositories.
+*/
+const getProjectRepositoryAccessWithDetails = (db) => async (params) => {
+	if (await getProjectAccessMode(db)({
+		tenantId: params.tenantId,
+		projectId: params.projectId
+	}) === "all") return (await getRepositoriesByTenantId(db)(params.tenantId)).map((repo) => ({
+		accessId: repo.id,
+		...repo
+	}));
+	return await db.select({
+		accessId: workAppGitHubProjectRepositoryAccess.id,
+		id: workAppGitHubRepositories.id,
+		installationDbId: workAppGitHubRepositories.installationDbId,
+		installationId: workAppGitHubInstallations.installationId,
+		repositoryId: workAppGitHubRepositories.repositoryId,
+		repositoryName: workAppGitHubRepositories.repositoryName,
+		repositoryFullName: workAppGitHubRepositories.repositoryFullName,
+		private: workAppGitHubRepositories.private,
+		createdAt: workAppGitHubRepositories.createdAt,
+		updatedAt: workAppGitHubRepositories.updatedAt,
+		installationAccountLogin: workAppGitHubInstallations.accountLogin
+	}).from(workAppGitHubProjectRepositoryAccess).innerJoin(workAppGitHubRepositories, eq(workAppGitHubProjectRepositoryAccess.repositoryDbId, workAppGitHubRepositories.id)).innerJoin(workAppGitHubInstallations, eq(workAppGitHubRepositories.installationDbId, workAppGitHubInstallations.id)).where(eq(workAppGitHubProjectRepositoryAccess.projectId, params.projectId));
+};
+/**
+* Check if a project has access to a specific repository
+* Returns true if:
+* - Project mode is 'all' and repository belongs to tenant installations
+* - Project mode is 'selected' and repository is explicitly in the project's access list
+*/
+const checkProjectRepositoryAccess = (db) => async (params) => {
+	if (((await db.select({ mode: workAppGitHubProjectAccessMode.mode }).from(workAppGitHubProjectAccessMode).where(and(eq(workAppGitHubProjectAccessMode.tenantId, params.tenantId), eq(workAppGitHubProjectAccessMode.projectId, params.projectId))).limit(1))[0]?.mode ?? "selected") === "all") {
+		if ((await db.select({ id: workAppGitHubRepositories.id }).from(workAppGitHubRepositories).innerJoin(workAppGitHubInstallations, eq(workAppGitHubRepositories.installationDbId, workAppGitHubInstallations.id)).where(and(eq(workAppGitHubRepositories.repositoryFullName, params.repositoryFullName), eq(workAppGitHubInstallations.tenantId, params.tenantId), ne(workAppGitHubInstallations.status, "disconnected"))).limit(1)).length === 0) return {
+			hasAccess: false,
+			reason: "Repository not found in tenant installations"
+		};
+		return {
+			hasAccess: true,
+			reason: "Project has access to all repositories"
+		};
+	}
+	if ((await db.select({ id: workAppGitHubProjectRepositoryAccess.id }).from(workAppGitHubProjectRepositoryAccess).innerJoin(workAppGitHubRepositories, eq(workAppGitHubProjectRepositoryAccess.repositoryDbId, workAppGitHubRepositories.id)).innerJoin(workAppGitHubInstallations, eq(workAppGitHubRepositories.installationDbId, workAppGitHubInstallations.id)).where(and(eq(workAppGitHubProjectRepositoryAccess.projectId, params.projectId), eq(workAppGitHubRepositories.repositoryFullName, params.repositoryFullName), eq(workAppGitHubInstallations.tenantId, params.tenantId), ne(workAppGitHubInstallations.status, "disconnected"))).limit(1)).length === 0) return {
+		hasAccess: false,
+		reason: "Repository not in project access list"
+	};
+	return {
+		hasAccess: true,
+		reason: "Repository explicitly allowed for project"
+	};
+};
+/**
+* Remove all project repository access for a specific project
+*/
+const clearProjectRepositoryAccess = (db) => async (projectId) => {
+	return (await db.delete(workAppGitHubProjectRepositoryAccess).where(eq(workAppGitHubProjectRepositoryAccess.projectId, projectId)).returning()).length;
+};
+/**
+* Validate that all repository IDs belong to installations owned by a tenant
+* Returns list of invalid repository IDs
+*/
+const validateRepositoryOwnership = (db) => async (params) => {
+	if (params.repositoryIds.length === 0) return [];
+	const validRepos = await db.select({ id: workAppGitHubRepositories.id }).from(workAppGitHubRepositories).innerJoin(workAppGitHubInstallations, eq(workAppGitHubRepositories.installationDbId, workAppGitHubInstallations.id)).where(and(eq(workAppGitHubInstallations.tenantId, params.tenantId), ne(workAppGitHubInstallations.status, "disconnected"), inArray(workAppGitHubRepositories.id, params.repositoryIds)));
+	const validRepoIds = new Set(validRepos.map((r) => r.id));
+	return params.repositoryIds.filter((id) => !validRepoIds.has(id));
+};
+/**
+* Get repository count for an installation
+*/
+const getRepositoryCount = (db) => async (installationId) => {
+	const total = (await db.select({ count: count() }).from(workAppGitHubRepositories).where(eq(workAppGitHubRepositories.installationDbId, installationId)))[0]?.count ?? 0;
+	return typeof total === "string" ? Number.parseInt(total, 10) : total;
+};
+/**
+* Get repository counts for all installations belonging to a tenant
+*/
+const getRepositoryCountsByTenantId = (db) => async (params) => {
+	const conditions = [eq(workAppGitHubInstallations.tenantId, params.tenantId)];
+	if (!params.includeDisconnected) conditions.push(ne(workAppGitHubInstallations.status, "disconnected"));
+	const results = await db.select({
+		installationId: workAppGitHubInstallations.id,
+		count: count(workAppGitHubRepositories.id)
+	}).from(workAppGitHubInstallations).leftJoin(workAppGitHubRepositories, eq(workAppGitHubRepositories.installationDbId, workAppGitHubInstallations.id)).where(and(...conditions)).groupBy(workAppGitHubInstallations.id);
+	const countsMap = /* @__PURE__ */ new Map();
+	for (const row of results) {
+		const total = typeof row.count === "string" ? Number.parseInt(row.count, 10) : row.count;
+		countsMap.set(row.installationId, total);
+	}
+	return countsMap;
+};
+/**
+* Set MCP tool repository access (full replacement)
+* Used when mode='selected' to specify which repositories the tool can access.
+* Pass empty array to clear all access entries.
+*/
+const setMcpToolRepositoryAccess = (db) => async (params) => {
+	const now = (/* @__PURE__ */ new Date()).toISOString();
+	await db.delete(workAppGitHubMcpToolRepositoryAccess).where(eq(workAppGitHubMcpToolRepositoryAccess.toolId, params.toolId));
+	if (params.repositoryIds.length > 0) await db.insert(workAppGitHubMcpToolRepositoryAccess).values(params.repositoryIds.map((repoId) => ({
+		id: generateId(),
+		toolId: params.toolId,
+		tenantId: params.tenantId,
+		projectId: params.projectId,
+		repositoryDbId: repoId,
+		createdAt: now,
+		updatedAt: now
+	})));
+};
+/**
+* Get MCP tool repository access entries
+* These entries are used when mode='selected'. Check mode via getMcpToolAccessMode().
+*/
+const getMcpToolRepositoryAccess = (db) => async (toolId) => {
+	return await db.select().from(workAppGitHubMcpToolRepositoryAccess).where(eq(workAppGitHubMcpToolRepositoryAccess.toolId, toolId));
+};
+/**
+* Get MCP tool repository access with full repository details.
+* If the tool's access mode is 'all', returns all repositories the project has access to.
+* If mode is 'selected' (or not set), returns only explicitly granted repositories.
+*/
+const getMcpToolRepositoryAccessWithDetails = (db) => async (toolId) => {
+	const accessMode = (await db.select({
+		mode: workAppGitHubMcpToolAccessMode.mode,
+		projectId: workAppGitHubMcpToolAccessMode.projectId,
+		tenantId: workAppGitHubMcpToolAccessMode.tenantId
+	}).from(workAppGitHubMcpToolAccessMode).where(eq(workAppGitHubMcpToolAccessMode.toolId, toolId)).limit(1))[0];
+	if (accessMode?.mode === "all") return getProjectRepositoryAccessWithDetails(db)({
+		tenantId: accessMode.tenantId,
+		projectId: accessMode.projectId
+	});
+	return await db.select({
+		accessId: workAppGitHubMcpToolRepositoryAccess.id,
+		id: workAppGitHubRepositories.id,
+		installationDbId: workAppGitHubRepositories.installationDbId,
+		installationId: workAppGitHubInstallations.installationId,
+		repositoryId: workAppGitHubRepositories.repositoryId,
+		repositoryName: workAppGitHubRepositories.repositoryName,
+		repositoryFullName: workAppGitHubRepositories.repositoryFullName,
+		private: workAppGitHubRepositories.private,
+		createdAt: workAppGitHubRepositories.createdAt,
+		updatedAt: workAppGitHubRepositories.updatedAt,
+		installationAccountLogin: workAppGitHubInstallations.accountLogin
+	}).from(workAppGitHubMcpToolRepositoryAccess).innerJoin(workAppGitHubRepositories, eq(workAppGitHubMcpToolRepositoryAccess.repositoryDbId, workAppGitHubRepositories.id)).innerJoin(workAppGitHubInstallations, eq(workAppGitHubRepositories.installationDbId, workAppGitHubInstallations.id)).where(eq(workAppGitHubMcpToolRepositoryAccess.toolId, toolId));
+};
+/**
+* Remove all MCP tool repository access for a specific tool
+*/
+const clearMcpToolRepositoryAccess = (db) => async (toolId) => {
+	return (await db.delete(workAppGitHubMcpToolRepositoryAccess).where(eq(workAppGitHubMcpToolRepositoryAccess.toolId, toolId)).returning()).length;
+};
+const isGithubWorkAppTool = (tool) => {
+	return tool.isWorkApp && tool.config.mcp.server.url.includes("/github/mcp");
+};
+/**
+* Set the access mode for a project's GitHub repository access.
+* - 'all': Project has access to all repositories from tenant GitHub installations
+* - 'selected': Project only has access to repositories listed in work_app_github_project_repository_access
+*/
+const setProjectAccessMode = (db) => async (params) => {
+	const now = (/* @__PURE__ */ new Date()).toISOString();
+	await db.insert(workAppGitHubProjectAccessMode).values({
+		tenantId: params.tenantId,
+		projectId: params.projectId,
+		mode: params.mode,
+		createdAt: now,
+		updatedAt: now
+	}).onConflictDoUpdate({
+		target: [workAppGitHubProjectAccessMode.tenantId, workAppGitHubProjectAccessMode.projectId],
+		set: {
+			mode: params.mode,
+			updatedAt: now
+		}
+	});
+};
+/**
+* Get the access mode for a project's GitHub repository access.
+* Returns 'selected' if no mode is explicitly set (fail-safe default).
+*/
+const getProjectAccessMode = (db) => async (params) => {
+	return (await db.select({ mode: workAppGitHubProjectAccessMode.mode }).from(workAppGitHubProjectAccessMode).where(and(eq(workAppGitHubProjectAccessMode.tenantId, params.tenantId), eq(workAppGitHubProjectAccessMode.projectId, params.projectId))).limit(1))[0]?.mode ?? "selected";
+};
+/**
+* Delete the access mode entry for a project
+*/
+const deleteProjectAccessMode = (db) => async (params) => {
+	return (await db.delete(workAppGitHubProjectAccessMode).where(and(eq(workAppGitHubProjectAccessMode.tenantId, params.tenantId), eq(workAppGitHubProjectAccessMode.projectId, params.projectId))).returning()).length > 0;
+};
+/**
+* Set the access mode for an MCP tool's GitHub repository access.
+* - 'all': Tool has access to all repositories the project has access to
+* - 'selected': Tool only has access to repositories listed in work_app_github_mcp_tool_repository_access
+*/
+const setMcpToolAccessMode = (db) => async (params) => {
+	const now = (/* @__PURE__ */ new Date()).toISOString();
+	await db.insert(workAppGitHubMcpToolAccessMode).values({
+		toolId: params.toolId,
+		tenantId: params.tenantId,
+		projectId: params.projectId,
+		mode: params.mode,
+		createdAt: now,
+		updatedAt: now
+	}).onConflictDoUpdate({
+		target: [workAppGitHubMcpToolAccessMode.toolId],
+		set: {
+			mode: params.mode,
+			updatedAt: now
+		}
+	});
+};
+/**
+* Get the access mode for an MCP tool's GitHub repository access.
+* Returns 'selected' if no mode is explicitly set (fail-safe default).
+*/
+const getMcpToolAccessMode = (db) => async (toolId) => {
+	return (await db.select({ mode: workAppGitHubMcpToolAccessMode.mode }).from(workAppGitHubMcpToolAccessMode).where(eq(workAppGitHubMcpToolAccessMode.toolId, toolId)).limit(1))[0]?.mode ?? "selected";
+};
+/**
+* Delete the access mode entry for an MCP tool
+*/
+const deleteMcpToolAccessMode = (db) => async (toolId) => {
+	return (await db.delete(workAppGitHubMcpToolAccessMode).where(eq(workAppGitHubMcpToolAccessMode.toolId, toolId)).returning()).length > 0;
+};
+
+//#endregion
+export { addRepositories, checkProjectRepositoryAccess, clearMcpToolRepositoryAccess, clearProjectRepositoryAccess, createInstallation, deleteInstallation, deleteMcpToolAccessMode, deleteProjectAccessMode, disconnectInstallation, getInstallationByGitHubId, getInstallationById, getInstallationsByTenantId, getMcpToolAccessMode, getMcpToolRepositoryAccess, getMcpToolRepositoryAccessWithDetails, getProjectAccessMode, getProjectRepositoryAccess, getProjectRepositoryAccessWithDetails, getRepositoriesByInstallationId, getRepositoriesByTenantId, getRepositoryByFullName, getRepositoryById, getRepositoryCount, getRepositoryCountsByTenantId, isGithubWorkAppTool, removeRepositories, setMcpToolAccessMode, setMcpToolRepositoryAccess, setProjectAccessMode, setProjectRepositoryAccess, syncRepositories, updateInstallationStatus, updateInstallationStatusByGitHubId, validateRepositoryOwnership };

package/dist/data-access/runtime/messages.d.ts

@@ -14,8 +14,9 @@ declare const getMessageById: (db: AgentsRunDatabaseClient) => (params: {
   updatedAt: string;
   metadata: MessageMetadata | null;
   role: string;
-  tenantId: string;
   projectId: string;
+  tenantId: string;
+  content: MessageContent;
   conversationId: string;
   fromSubAgentId: string | null;
   toSubAgentId: string | null;
@@ -23,7 +24,6 @@ declare const getMessageById: (db: AgentsRunDatabaseClient) => (params: {
   toExternalAgentId: string | null;
   fromTeamAgentId: string | null;
   toTeamAgentId: string | null;
-  content: MessageContent;
   visibility: string;
   messageType: string;
   taskId: string | null;
@@ -145,8 +145,9 @@ declare const createMessage: (db: AgentsRunDatabaseClient) => (params: MessageIn
   updatedAt: string;
   metadata: MessageMetadata | null;
   role: string;
-  tenantId: string;
   projectId: string;
+  tenantId: string;
+  content: MessageContent;
   conversationId: string;
   fromSubAgentId: string | null;
   toSubAgentId: string | null;
@@ -154,7 +155,6 @@ declare const createMessage: (db: AgentsRunDatabaseClient) => (params: MessageIn
   toExternalAgentId: string | null;
   fromTeamAgentId: string | null;
   toTeamAgentId: string | null;
-  content: MessageContent;
   visibility: string;
   messageType: string;
   taskId: string | null;
@@ -198,8 +198,9 @@ declare const deleteMessage: (db: AgentsRunDatabaseClient) => (params: {
   updatedAt: string;
   metadata: MessageMetadata | null;
   role: string;
-  tenantId: string;
   projectId: string;
+  tenantId: string;
+  content: MessageContent;
   conversationId: string;
   fromSubAgentId: string | null;
   toSubAgentId: string | null;
@@ -207,7 +208,6 @@ declare const deleteMessage: (db: AgentsRunDatabaseClient) => (params: {
   toExternalAgentId: string | null;
   fromTeamAgentId: string | null;
   toTeamAgentId: string | null;
-  content: MessageContent;
   visibility: string;
   messageType: string;
   taskId: string | null;

package/dist/data-access/runtime/organizations.js

@@ -1,5 +1,5 @@
 import { invitation, member, organization } from "../../auth/auth-schema.js";
-import { and, desc, eq } from "drizzle-orm";
+import { and, desc, eq, or } from "drizzle-orm";
 
 //#region src/data-access/runtime/organizations.ts
 /**
@@ -59,7 +59,7 @@ const addUserToOrganization = (db) => async (data) => {
 	});
 };
 const upsertOrganization = (db) => async (data) => {
-	if ((await db.select().from(organization).where(eq(organization.id, data.organizationId)).limit(1)).length > 0) return { created: false };
+	if ((await db.select().from(organization).where(or(eq(organization.id, data.organizationId), eq(organization.slug, data.slug))).limit(1)).length > 0) return { created: false };
 	await db.insert(organization).values({
 		id: data.organizationId,
 		name: data.name,

package/dist/data-access/runtime/tasks.d.ts

@@ -10,17 +10,17 @@ declare const createTask: (db: AgentsRunDatabaseClient) => (params: TaskInsert)
   createdAt: string;
   updatedAt: string;
   ref: {
-    type: "commit" | "tag" | "branch";
+    type: "tag" | "commit" | "branch";
     name: string;
     hash: string;
   } | null;
   metadata: TaskMetadataConfig | null;
   status: string;
-  tenantId: string;
   agentId: string;
   projectId: string;
-  contextId: string;
+  tenantId: string;
   subAgentId: string;
+  contextId: string;
 }>;
 declare const getTask: (db: AgentsRunDatabaseClient) => (params: {
   id: string;
@@ -36,7 +36,7 @@ declare const updateTask: (db: AgentsRunDatabaseClient) => (params: {
   updatedAt: string;
   contextId: string;
   ref: {
-    type: "commit" | "tag" | "branch";
+    type: "tag" | "commit" | "branch";
     name: string;
     hash: string;
   } | null;

package/dist/db/manage/manage-schema.d.ts

@@ -2430,6 +2430,23 @@ declare const tools: drizzle_orm_pg_core208.PgTableWithColumns<{
       identity: undefined;
       generated: undefined;
     }, {}, {}>;
+    isWorkApp: drizzle_orm_pg_core208.PgColumn<{
+      name: "is_work_app";
+      tableName: "tools";
+      dataType: "boolean";
+      columnType: "PgBoolean";
+      data: boolean;
+      driverParam: boolean;
+      notNull: true;
+      hasDefault: true;
+      isPrimaryKey: false;
+      isAutoincrement: false;
+      hasRuntimeDefault: false;
+      enumValues: undefined;
+      baseColumn: never;
+      identity: undefined;
+      generated: undefined;
+    }, {}, {}>;
     projectId: drizzle_orm_pg_core208.PgColumn<{
       name: "project_id";
       tableName: "tools";

package/dist/db/manage/manage-schema.js

@@ -367,6 +367,7 @@ const tools = pgTable("tools", {
 	imageUrl: text("image_url"),
 	capabilities: jsonb("capabilities").$type(),
 	lastError: text("last_error"),
+	isWorkApp: boolean("is_work_app").notNull().default(false),
 	...timestamps
 }, (table) => [
 	primaryKey({ columns: [