@inkeep/agents-core 0.43.0 → 0.45.0

package/dist/db/runtime/runtime-schema.js

@@ -1,7 +1,7 @@
 import { __exportAll } from "../../_virtual/rolldown_runtime.js";
 import { account, deviceCode, invitation, member, organization, session, ssoProvider, user, verification } from "../../auth/auth-schema.js";
 import { relations } from "drizzle-orm";
-import { foreignKey, index, jsonb, pgTable, primaryKey, text, timestamp, unique, varchar } from "drizzle-orm/pg-core";
+import { boolean, foreignKey, index, jsonb, pgTable, primaryKey, text, timestamp, unique, varchar } from "drizzle-orm/pg-core";
 
 //#region src/db/runtime/runtime-schema.ts
 var runtime_schema_exports = /* @__PURE__ */ __exportAll({
@@ -31,11 +31,24 @@ var runtime_schema_exports = /* @__PURE__ */ __exportAll({
 	tasksRelations: () => tasksRelations,
 	triggerInvocations: () => triggerInvocations,
 	user: () => user,
-	verification: () => verification
+	verification: () => verification,
+	workAppGitHubInstallations: () => workAppGitHubInstallations,
+	workAppGitHubInstallationsRelations: () => workAppGitHubInstallationsRelations,
+	workAppGitHubMcpToolAccessMode: () => workAppGitHubMcpToolAccessMode,
+	workAppGitHubMcpToolRepositoryAccess: () => workAppGitHubMcpToolRepositoryAccess,
+	workAppGitHubMcpToolRepositoryAccessRelations: () => workAppGitHubMcpToolRepositoryAccessRelations,
+	workAppGitHubProjectAccessMode: () => workAppGitHubProjectAccessMode,
+	workAppGitHubProjectRepositoryAccess: () => workAppGitHubProjectRepositoryAccess,
+	workAppGitHubProjectRepositoryAccessRelations: () => workAppGitHubProjectRepositoryAccessRelations,
+	workAppGitHubRepositories: () => workAppGitHubRepositories,
+	workAppGitHubRepositoriesRelations: () => workAppGitHubRepositoriesRelations
 });
-const projectScoped = {
+const tenantScoped = {
 	tenantId: varchar("tenant_id", { length: 256 }).notNull(),
-	id: varchar("id", { length: 256 }).notNull(),
+	id: varchar("id", { length: 256 }).notNull()
+};
+const projectScoped = {
+	...tenantScoped,
 	projectId: varchar("project_id", { length: 256 }).notNull()
 };
 const agentScoped = {
@@ -478,6 +491,161 @@ const ledgerArtifactsRelations = relations(ledgerArtifacts, ({ one }) => ({ task
 	fields: [ledgerArtifacts.taskId],
 	references: [tasks.id]
 }) }));
+/**
+* Tracks GitHub App installations linked to tenants.
+* One tenant can have multiple installations (e.g., multiple orgs).
+* The installation_id is the GitHub-assigned ID, unique across all GitHub.
+*/
+const workAppGitHubInstallations = pgTable("work_app_github_installations", {
+	...tenantScoped,
+	installationId: text("installation_id").notNull().unique(),
+	accountLogin: varchar("account_login", { length: 256 }).notNull(),
+	accountId: text("account_id").notNull(),
+	accountType: varchar("account_type", { length: 20 }).$type().notNull(),
+	status: varchar("status", { length: 20 }).$type().notNull().default("active"),
+	...timestamps
+}, (table) => [
+	index("work_app_github_installations_tenant_idx").on(table.tenantId),
+	index("work_app_github_installations_installation_id_idx").on(table.installationId),
+	foreignKey({
+		columns: [table.tenantId],
+		foreignColumns: [organization.id],
+		name: "work_app_github_installations_organization_fk"
+	}).onDelete("cascade")
+]);
+/**
+* Repositories accessible through a GitHub App installation.
+* These are synced from GitHub when the app is installed or updated.
+* The repository_id is the GitHub-assigned ID, unique across all GitHub.
+*/
+const workAppGitHubRepositories = pgTable("work_app_github_repositories", {
+	id: varchar("id", { length: 256 }).primaryKey(),
+	installationDbId: varchar("installation_db_id", { length: 256 }).notNull(),
+	repositoryId: text("repository_id").notNull(),
+	repositoryName: varchar("repository_name", { length: 256 }).notNull(),
+	repositoryFullName: varchar("repository_full_name", { length: 512 }).notNull(),
+	private: boolean("private").notNull().default(false),
+	...timestamps
+}, (table) => [
+	index("work_app_github_repositories_installation_idx").on(table.installationDbId),
+	index("work_app_github_repositories_full_name_idx").on(table.repositoryFullName),
+	unique("work_app_github_repositories_repo_installation_unique").on(table.installationDbId, table.repositoryId),
+	foreignKey({
+		columns: [table.installationDbId],
+		foreignColumns: [workAppGitHubInstallations.id],
+		name: "work_app_github_repositories_installation_fk"
+	}).onDelete("cascade")
+]);
+/**
+* Links projects to specific GitHub repositories for fine-grained access control.
+* When a project has entries here, only the listed repositories are accessible.
+* When no entries exist for a project, all tenant repositories are accessible (mode='all').
+* The tenant_id and project_id reference the projects table in the manage schema
+* (cross-schema, no FK constraint for project). tenant_id is included because
+* project IDs are only unique within a tenant.
+*/
+const workAppGitHubProjectRepositoryAccess = pgTable("work_app_github_project_repository_access", {
+	...projectScoped,
+	repositoryDbId: varchar("repository_db_id", { length: 256 }).notNull(),
+	...timestamps
+}, (table) => [
+	index("work_app_github_project_repository_access_tenant_idx").on(table.tenantId),
+	index("work_app_github_project_repository_access_project_idx").on(table.projectId),
+	unique("work_app_github_project_repository_access_unique").on(table.tenantId, table.projectId, table.repositoryDbId),
+	foreignKey({
+		columns: [table.tenantId],
+		foreignColumns: [organization.id],
+		name: "work_app_github_project_repository_access_tenant_fk"
+	}).onDelete("cascade"),
+	foreignKey({
+		columns: [table.repositoryDbId],
+		foreignColumns: [workAppGitHubRepositories.id],
+		name: "work_app_github_project_repository_access_repo_fk"
+	}).onDelete("cascade")
+]);
+/**
+* Links MCP tools to specific GitHub repositories for repository-scoped access.
+* When an MCP tool has entries here, only the listed repositories are accessible to that tool.
+* The tool_id, tenant_id, and project_id reference the tools table in the manage schema
+* (cross-schema, no FK constraint). These are denormalized here so all GitHub access
+* info can be queried from PostgreSQL alone.
+*/
+const workAppGitHubMcpToolRepositoryAccess = pgTable("work_app_github_mcp_tool_repository_access", {
+	...projectScoped,
+	toolId: varchar("tool_id", { length: 256 }).notNull(),
+	repositoryDbId: varchar("repository_db_id", { length: 256 }).notNull(),
+	...timestamps
+}, (table) => [
+	index("work_app_github_mcp_tool_repository_access_tool_idx").on(table.toolId),
+	index("work_app_github_mcp_tool_repository_access_tenant_idx").on(table.tenantId),
+	index("work_app_github_mcp_tool_repository_access_project_idx").on(table.projectId),
+	unique("work_app_github_mcp_tool_repository_access_unique").on(table.toolId, table.repositoryDbId),
+	foreignKey({
+		columns: [table.tenantId],
+		foreignColumns: [organization.id],
+		name: "work_app_github_mcp_tool_repository_access_tenant_fk"
+	}).onDelete("cascade"),
+	foreignKey({
+		columns: [table.repositoryDbId],
+		foreignColumns: [workAppGitHubRepositories.id],
+		name: "work_app_github_mcp_tool_repository_access_repo_fk"
+	}).onDelete("cascade")
+]);
+/**
+* Stores the explicit access mode for project-level GitHub repository access.
+* - 'all': Project has access to all repositories from tenant GitHub installations
+* - 'selected': Project only has access to repositories listed in work_app_github_project_repository_access
+* If no row exists for a project, defaults to 'selected' (fail-safe: no access unless explicitly granted).
+*/
+const workAppGitHubProjectAccessMode = pgTable("work_app_github_project_access_mode", {
+	tenantId: varchar("tenant_id", { length: 256 }).notNull(),
+	projectId: varchar("project_id", { length: 256 }).notNull(),
+	mode: varchar("mode", { length: 20 }).$type().notNull(),
+	...timestamps
+}, (table) => [primaryKey({ columns: [table.tenantId, table.projectId] }), foreignKey({
+	columns: [table.tenantId],
+	foreignColumns: [organization.id],
+	name: "work_app_github_project_access_mode_tenant_fk"
+}).onDelete("cascade")]);
+/**
+* Stores the explicit access mode for MCP tool-level GitHub repository access.
+* - 'all': Tool has access to all repositories the project has access to
+* - 'selected': Tool only has access to repositories listed in work_app_github_mcp_tool_repository_access
+* If no row exists for a tool, defaults to 'selected' (fail-safe: no access unless explicitly granted).
+*/
+const workAppGitHubMcpToolAccessMode = pgTable("work_app_github_mcp_tool_access_mode", {
+	toolId: varchar("tool_id", { length: 256 }).notNull(),
+	tenantId: varchar("tenant_id", { length: 256 }).notNull(),
+	projectId: varchar("project_id", { length: 256 }).notNull(),
+	mode: varchar("mode", { length: 20 }).$type().notNull(),
+	...timestamps
+}, (table) => [
+	primaryKey({ columns: [table.toolId] }),
+	index("work_app_github_mcp_tool_access_mode_tenant_idx").on(table.tenantId),
+	index("work_app_github_mcp_tool_access_mode_project_idx").on(table.projectId),
+	foreignKey({
+		columns: [table.tenantId],
+		foreignColumns: [organization.id],
+		name: "work_app_github_mcp_tool_access_mode_tenant_fk"
+	}).onDelete("cascade")
+]);
+const workAppGitHubInstallationsRelations = relations(workAppGitHubInstallations, ({ many }) => ({ repositories: many(workAppGitHubRepositories) }));
+const workAppGitHubRepositoriesRelations = relations(workAppGitHubRepositories, ({ one, many }) => ({
+	installation: one(workAppGitHubInstallations, {
+		fields: [workAppGitHubRepositories.installationDbId],
+		references: [workAppGitHubInstallations.id]
+	}),
+	projectAccess: many(workAppGitHubProjectRepositoryAccess),
+	mcpToolAccess: many(workAppGitHubMcpToolRepositoryAccess)
+}));
+const workAppGitHubProjectRepositoryAccessRelations = relations(workAppGitHubProjectRepositoryAccess, ({ one }) => ({ repository: one(workAppGitHubRepositories, {
+	fields: [workAppGitHubProjectRepositoryAccess.repositoryDbId],
+	references: [workAppGitHubRepositories.id]
+}) }));
+const workAppGitHubMcpToolRepositoryAccessRelations = relations(workAppGitHubMcpToolRepositoryAccess, ({ one }) => ({ repository: one(workAppGitHubRepositories, {
+	fields: [workAppGitHubMcpToolRepositoryAccess.repositoryDbId],
+	references: [workAppGitHubRepositories.id]
+}) }));
 
 //#endregion
-export { account, apiKeys, contextCache, conversations, conversationsRelations, datasetRun, datasetRunConversationRelations, deviceCode, evaluationResult, evaluationRun, invitation, ledgerArtifacts, ledgerArtifactsRelations, member, messages, messagesRelations, organization, projectMetadata, runtime_schema_exports, session, ssoProvider, taskRelations, taskRelationsRelations, tasks, tasksRelations, triggerInvocations, user, verification };
+export { account, apiKeys, contextCache, conversations, conversationsRelations, datasetRun, datasetRunConversationRelations, deviceCode, evaluationResult, evaluationRun, invitation, ledgerArtifacts, ledgerArtifactsRelations, member, messages, messagesRelations, organization, projectMetadata, runtime_schema_exports, session, ssoProvider, taskRelations, taskRelationsRelations, tasks, tasksRelations, triggerInvocations, user, verification, workAppGitHubInstallations, workAppGitHubInstallationsRelations, workAppGitHubMcpToolAccessMode, workAppGitHubMcpToolRepositoryAccess, workAppGitHubMcpToolRepositoryAccessRelations, workAppGitHubProjectAccessMode, workAppGitHubProjectRepositoryAccess, workAppGitHubProjectRepositoryAccessRelations, workAppGitHubRepositories, workAppGitHubRepositoriesRelations };

package/dist/dolt/ref-middleware.js

@@ -1,7 +1,7 @@
 import { getLogger } from "../utils/logger.js";
-import { createApiError } from "../utils/error.js";
 import { isRefWritable, resolveRef } from "./ref-helpers.js";
 import { ensureBranchExists } from "./branch.js";
+import { createApiError } from "../utils/error.js";
 
 //#region src/dolt/ref-middleware.ts
 const logger = getLogger("ref-middleware");

package/dist/env.d.ts

@@ -13,11 +13,12 @@ declare const envSchema: z.ZodObject<{
   INKEEP_AGENTS_RUN_DATABASE_URL: z.ZodOptional<z.ZodString>;
   POSTGRES_POOL_SIZE: z.ZodOptional<z.ZodString>;
   INKEEP_AGENTS_JWT_SIGNING_SECRET: z.ZodOptional<z.ZodString>;
-  INKEEP_AGENTS_MANAGE_UI_URL: z.ZodOptional<z.ZodString>;
-  INKEEP_AGENTS_API_URL: z.ZodOptional<z.ZodString>;
   BETTER_AUTH_SECRET: z.ZodOptional<z.ZodString>;
   TRUSTED_ORIGIN: z.ZodOptional<z.ZodString>;
   OAUTH_PROXY_PRODUCTION_URL: z.ZodOptional<z.ZodString>;
+  INKEEP_AGENTS_MANAGE_UI_URL: z.ZodOptional<z.ZodString>;
+  INKEEP_AGENTS_API_URL: z.ZodOptional<z.ZodString>;
+  GITHUB_MCP_API_KEY: z.ZodOptional<z.ZodString>;
 }, z.core.$strip>;
 declare const env: {
   ENVIRONMENT?: "development" | "production" | "pentest" | "test" | undefined;
@@ -25,11 +26,12 @@ declare const env: {
   INKEEP_AGENTS_RUN_DATABASE_URL?: string | undefined;
   POSTGRES_POOL_SIZE?: string | undefined;
   INKEEP_AGENTS_JWT_SIGNING_SECRET?: string | undefined;
-  INKEEP_AGENTS_MANAGE_UI_URL?: string | undefined;
-  INKEEP_AGENTS_API_URL?: string | undefined;
   BETTER_AUTH_SECRET?: string | undefined;
   TRUSTED_ORIGIN?: string | undefined;
   OAUTH_PROXY_PRODUCTION_URL?: string | undefined;
+  INKEEP_AGENTS_MANAGE_UI_URL?: string | undefined;
+  INKEEP_AGENTS_API_URL?: string | undefined;
+  GITHUB_MCP_API_KEY?: string | undefined;
 };
 type Env = z.infer<typeof envSchema>;
 //#endregion

package/dist/env.js

@@ -37,16 +37,17 @@ const envSchema = z.object({
 		"production",
 		"pentest",
 		"test"
-	]).optional(),
-	INKEEP_AGENTS_MANAGE_DATABASE_URL: z.string().optional(),
-	INKEEP_AGENTS_RUN_DATABASE_URL: z.string().optional(),
-	POSTGRES_POOL_SIZE: z.string().optional(),
-	INKEEP_AGENTS_JWT_SIGNING_SECRET: z.string().min(32, "INKEEP_AGENTS_JWT_SIGNING_SECRET must be at least 32 characters").optional(),
-	INKEEP_AGENTS_MANAGE_UI_URL: z.string().optional(),
-	INKEEP_AGENTS_API_URL: z.string().optional(),
-	BETTER_AUTH_SECRET: z.string().optional(),
-	TRUSTED_ORIGIN: z.string().optional(),
-	OAUTH_PROXY_PRODUCTION_URL: z.string().optional()
+	]).optional().describe("Application environment mode"),
+	INKEEP_AGENTS_MANAGE_DATABASE_URL: z.string().optional().describe("PostgreSQL connection URL for the management database (Doltgres with Git version control)"),
+	INKEEP_AGENTS_RUN_DATABASE_URL: z.string().optional().describe("PostgreSQL connection URL for the runtime database (Doltgres with Git version control)"),
+	POSTGRES_POOL_SIZE: z.string().optional().describe("Maximum number of connections in the PostgreSQL connection pool"),
+	INKEEP_AGENTS_JWT_SIGNING_SECRET: z.string().min(32, "INKEEP_AGENTS_JWT_SIGNING_SECRET must be at least 32 characters").optional().describe("Secret key for signing JWT tokens (minimum 32 characters)"),
+	BETTER_AUTH_SECRET: z.string().optional().describe("Secret key for Better Auth session encryption (change in production)"),
+	TRUSTED_ORIGIN: z.string().optional().describe("Trusted origin URL for CORS in local/preview environments"),
+	OAUTH_PROXY_PRODUCTION_URL: z.string().optional().describe("OAuth proxy URL for production environment (used in local/preview environments)"),
+	INKEEP_AGENTS_MANAGE_UI_URL: z.string().optional().describe("URL where the management UI is hosted"),
+	INKEEP_AGENTS_API_URL: z.string().optional().describe("URL where the agents management API is running"),
+	GITHUB_MCP_API_KEY: z.string().optional().describe("API key for the GitHub MCP")
 });
 const parseEnv = () => {
 	try {