@inkeep/agents-core 0.50.1 → 0.50.3

package/dist/middleware/inherited-auth.js

@@ -0,0 +1,50 @@
+import { registerAuthzMeta } from "./authz-meta.js";
+import { createMiddleware } from "hono/factory";
+
+//#region src/middleware/inherited-auth.ts
+/**
+* Documentation-only permission marker for routes whose authentication
+* is already enforced by a parent `app.use()` in createApp.ts.
+*
+* This does NOT perform any auth check itself — it only registers
+* x-authz metadata so the OpenAPI spec accurately reflects the
+* auth requirement.
+*
+* Use this when the route lives under a path that already has
+* middleware applied (e.g. `/manage/tenants/*` has `manageApiKeyOrSessionAuth`).
+*/
+const inheritedAuth = (meta) => {
+	const mw = createMiddleware(async (_c, next) => {
+		await next();
+	});
+	registerAuthzMeta(mw, meta);
+	return mw;
+};
+/**
+* Marker for routes under `/manage/tenants/*` whose auth is handled
+* by `manageApiKeyOrSessionAuth()` in createApp.ts.
+*
+* No auth check runs at the route level — this is purely for OpenAPI documentation.
+*/
+const inheritedManageTenantAuth = () => inheritedAuth({
+	resource: "organization",
+	permission: "member",
+	description: "Requires organization membership. Auth is enforced by the manageApiKeyOrSessionAuth middleware in createApp.ts."
+});
+/**
+* Marker for routes under `/run/*` whose auth is handled
+* by `runApiKeyAuth()` in createApp.ts.
+*
+* No auth check runs at the route level — this is purely for OpenAPI documentation.
+*/
+const inheritedRunApiKeyAuth = () => inheritedAuth({ description: "Requires a valid API key (Bearer token). Auth is enforced by runApiKeyAuth middleware in createApp.ts." });
+/**
+* Marker for routes under `/work-apps/*` whose auth is handled
+* by `workAppsAuth()` in createApp.ts.
+*
+* No auth check runs at the route level — this is purely for OpenAPI documentation.
+*/
+const inheritedWorkAppsAuth = () => inheritedAuth({ description: "Requires work-apps authentication (OIDC token or Slack signature). Auth is enforced by workAppsAuth middleware in createApp.ts." });
+
+//#endregion
+export { inheritedAuth, inheritedManageTenantAuth, inheritedRunApiKeyAuth, inheritedWorkAppsAuth };

package/dist/middleware/no-auth.d.ts

@@ -0,0 +1,6 @@
+import * as hono0 from "hono";
+
+//#region src/middleware/no-auth.d.ts
+declare const noAuth: () => hono0.MiddlewareHandler<any, string, {}, Response>;
+//#endregion
+export { noAuth };

package/dist/middleware/no-auth.js

@@ -0,0 +1,11 @@
+import { createMiddleware } from "hono/factory";
+
+//#region src/middleware/no-auth.ts
+const noAuth = () => {
+	return createMiddleware(async (_c, next) => {
+		await next();
+	});
+};
+
+//#endregion
+export { noAuth };

package/dist/utils/in-process-fetch.d.ts

@@ -0,0 +1,30 @@
+//#region src/utils/in-process-fetch.d.ts
+/**
+ * In-process fetch transport for internal self-calls.
+ *
+ * Routes requests through the Hono app's full middleware stack in-process
+ * rather than over the network. This guarantees same-instance execution,
+ * which is critical for features that rely on process-local state
+ * (e.g. the stream helper registry for real-time SSE streaming).
+ *
+ * Drop-in replacement for `fetch()` — same signature, same return type.
+ * Throws in production if the app hasn't been registered.
+ * Falls back to global `fetch` in test environments where the full app
+ * may not be initialized.
+ *
+ * **IMPORTANT**: Any code making internal A2A calls or self-referencing API
+ * calls within the agents service MUST use `getInProcessFetch()` instead of
+ * global `fetch`. Using regular `fetch` for same-service calls causes requests
+ * to leave the process and hit the load balancer, which may route them to a
+ * different instance — breaking features that depend on process-local state
+ * (e.g. stream helper registry, in-memory caches). This only manifests under
+ * load in multi-instance deployments and is extremely difficult to debug.
+ *
+ * @example
+ * import { getInProcessFetch } from '@inkeep/agents-core';
+ * const response = await getInProcessFetch()(url, init);
+ */
+declare function registerAppFetch(fn: typeof fetch): void;
+declare function getInProcessFetch(): typeof fetch;
+//#endregion
+export { getInProcessFetch, registerAppFetch };

package/dist/utils/in-process-fetch.js

@@ -0,0 +1,51 @@
+import { getLogger } from "./logger.js";
+import { trace } from "@opentelemetry/api";
+
+//#region src/utils/in-process-fetch.ts
+/**
+* In-process fetch transport for internal self-calls.
+*
+* Routes requests through the Hono app's full middleware stack in-process
+* rather than over the network. This guarantees same-instance execution,
+* which is critical for features that rely on process-local state
+* (e.g. the stream helper registry for real-time SSE streaming).
+*
+* Drop-in replacement for `fetch()` — same signature, same return type.
+* Throws in production if the app hasn't been registered.
+* Falls back to global `fetch` in test environments where the full app
+* may not be initialized.
+*
+* **IMPORTANT**: Any code making internal A2A calls or self-referencing API
+* calls within the agents service MUST use `getInProcessFetch()` instead of
+* global `fetch`. Using regular `fetch` for same-service calls causes requests
+* to leave the process and hit the load balancer, which may route them to a
+* different instance — breaking features that depend on process-local state
+* (e.g. stream helper registry, in-memory caches). This only manifests under
+* load in multi-instance deployments and is extremely difficult to debug.
+*
+* @example
+* import { getInProcessFetch } from '@inkeep/agents-core';
+* const response = await getInProcessFetch()(url, init);
+*/
+const logger = getLogger("in-process-fetch");
+const GLOBAL_KEY = "__inkeep_appFetch";
+function registerAppFetch(fn) {
+	globalThis[GLOBAL_KEY] = fn;
+}
+function getInProcessFetch() {
+	const appFetch = globalThis[GLOBAL_KEY];
+	if (!appFetch) {
+		if (process.env.ENVIRONMENT === "test" || process.env.ENVIRONMENT === "development") return fetch;
+		throw new Error("[in-process-fetch] App fetch not registered. Call registerAppFetch() during app initialization before handling requests.");
+	}
+	return ((input, init) => {
+		const url = typeof input === "string" ? input : input instanceof URL ? input.href : input.url;
+		const activeSpan = trace.getActiveSpan();
+		if (activeSpan) activeSpan.setAttribute("http.route.in_process", true);
+		logger.debug({ url }, "Routing request in-process");
+		return appFetch(input, init);
+	});
+}
+
+//#endregion
+export { getInProcessFetch, registerAppFetch };

package/dist/utils/index.d.ts

@@ -9,6 +9,7 @@ import { getCredentialStoreLookupKeyFromRetrievalParams } from "./credential-sto
 import { normalizeDateString, toISODateString } from "./date.js";
 import { CommonCreateErrorResponses, CommonDeleteErrorResponses, CommonGetErrorResponses, CommonUpdateErrorResponses, ERROR_DOCS_BASE_URL, ErrorCode, ErrorCodes, ErrorResponse, ProblemDetails, commonCreateErrorResponses, commonDeleteErrorResponses, commonGetErrorResponses, commonUpdateErrorResponses, createApiError, errorResponseSchema, errorSchemaFactory, handleApiError, problemDetailsSchema } from "./error.js";
 import { LLMMessage, formatMessagesForLLM, formatMessagesForLLMContext } from "./format-messages.js";
+import { getInProcessFetch, registerAppFetch } from "./in-process-fetch.js";
 import { JsonTransformer } from "./JsonTransformer.js";
 import { parseEmbeddedJson } from "./json-parser.js";
 import { MockLanguageModel, createMockModel } from "./mock-provider.js";
@@ -26,4 +27,4 @@ import "./third-party-mcp-servers/index.js";
 import { flushTraces, getTracer, setSpanWithError, unwrapError } from "./tracer-factory.js";
 import { HashedHeaderValue, SignatureVerificationErrorCode, SignatureVerificationResult, TriggerAuthResult, hashAuthenticationHeaders, hashTriggerHeaderValue, validateTriggerHeaderValue, verifySignatureWithConfig, verifyTriggerAuth } from "./trigger-auth.js";
 import { _resetWaitUntilCache, getWaitUntil } from "./wait-until.js";
-export { ApiKeyGenerationResult, CommonCreateErrorResponses, CommonDeleteErrorResponses, CommonGetErrorResponses, CommonUpdateErrorResponses, CredentialScope, ERROR_DOCS_BASE_URL, ErrorCode, ErrorCodes, ErrorResponse, GenerateInternalServiceTokenParams, GenerateServiceTokenParams, HashedHeaderValue, InternalServiceId, InternalServiceTokenPayload, InternalServices, JsonTransformer, JwtVerifyResult, LLMMessage, LoggerFactoryConfig, McpClient, McpClientOptions, McpOAuthFlowResult, McpSSEConfig, McpServerConfig, McpStreamableHttpConfig, McpTokenExchangeResult, MockLanguageModel, ModelFactory, OAuthConfig, ParsedSSEResponse, PinoLogger, PinoLoggerConfig, ProblemDetails, ServiceTokenPayload, SignJwtOptions, SignSlackLinkTokenParams, SignSlackUserTokenParams, SignatureVerificationErrorCode, SignatureVerificationResult, SignedTempToken, SlackAccessTokenPayload, SlackAccessTokenPayloadSchema, SlackLinkTokenPayload, SlackLinkTokenPayloadSchema, TempTokenPayload, TriggerAuthResult, VerifyInternalServiceTokenResult, VerifyJwtOptions, VerifyServiceTokenResult, VerifySlackLinkTokenResult, VerifySlackUserTokenResult, _resetWaitUntilCache, buildComposioMCPUrl, commonCreateErrorResponses, commonDeleteErrorResponses, commonGetErrorResponses, commonUpdateErrorResponses, convertZodToJsonSchema, convertZodToJsonSchemaWithPreview, createApiError, createMockModel, decodeJwtPayload, detectAuthenticationRequired, errorResponseSchema, errorSchemaFactory, exchangeMcpAuthorizationCode, extractBearerToken, extractComposioServerId, extractPreviewFields, extractPublicId, fetchComposioServers, fetchSingleComposioServer, flushTraces, formatMessagesForLLM, formatMessagesForLLMContext, generateApiKey, generateId, generateInternalServiceToken, generateServiceToken, getComposioOAuthRedirectUrl, getComposioUserId, getConversationId, getCredentialStoreLookupKeyFromRetrievalParams, getJwtSecret, getLogger, getMetadataFromApiKey, getTracer, getWaitUntil, handleApiError, hasIssuer, hashApiKey, hashAuthenticationHeaders, hashTriggerHeaderValue, initiateMcpOAuthFlow, interpolateTemplate, isApiKeyExpired, isComposioMCPServerAuthenticated, isInternalServiceToken, isSlackUserToken, isThirdPartyMCPServerAuthenticated, isZodSchema, loggerFactory, maskApiKey, normalizeDateString, parseEmbeddedJson, parseSSEResponse, preview, problemDetailsSchema, setSpanWithError, signJwt, signSlackLinkToken, signSlackUserToken, signTempToken, toISODateString, unwrapError, validateApiKey, validateInternalServiceProjectAccess, validateInternalServiceTenantAccess, validateTargetAgent, validateTenantId, validateTriggerHeaderValue, verifyAuthorizationHeader, verifyInternalServiceAuthHeader, verifyInternalServiceToken, verifyJwt, verifyServiceToken, verifySignatureWithConfig, verifySlackLinkToken, verifySlackUserToken, verifyTempToken, verifyTriggerAuth };
+export { ApiKeyGenerationResult, CommonCreateErrorResponses, CommonDeleteErrorResponses, CommonGetErrorResponses, CommonUpdateErrorResponses, CredentialScope, ERROR_DOCS_BASE_URL, ErrorCode, ErrorCodes, ErrorResponse, GenerateInternalServiceTokenParams, GenerateServiceTokenParams, HashedHeaderValue, InternalServiceId, InternalServiceTokenPayload, InternalServices, JsonTransformer, JwtVerifyResult, LLMMessage, LoggerFactoryConfig, McpClient, McpClientOptions, McpOAuthFlowResult, McpSSEConfig, McpServerConfig, McpStreamableHttpConfig, McpTokenExchangeResult, MockLanguageModel, ModelFactory, OAuthConfig, ParsedSSEResponse, PinoLogger, PinoLoggerConfig, ProblemDetails, ServiceTokenPayload, SignJwtOptions, SignSlackLinkTokenParams, SignSlackUserTokenParams, SignatureVerificationErrorCode, SignatureVerificationResult, SignedTempToken, SlackAccessTokenPayload, SlackAccessTokenPayloadSchema, SlackLinkTokenPayload, SlackLinkTokenPayloadSchema, TempTokenPayload, TriggerAuthResult, VerifyInternalServiceTokenResult, VerifyJwtOptions, VerifyServiceTokenResult, VerifySlackLinkTokenResult, VerifySlackUserTokenResult, _resetWaitUntilCache, buildComposioMCPUrl, commonCreateErrorResponses, commonDeleteErrorResponses, commonGetErrorResponses, commonUpdateErrorResponses, convertZodToJsonSchema, convertZodToJsonSchemaWithPreview, createApiError, createMockModel, decodeJwtPayload, detectAuthenticationRequired, errorResponseSchema, errorSchemaFactory, exchangeMcpAuthorizationCode, extractBearerToken, extractComposioServerId, extractPreviewFields, extractPublicId, fetchComposioServers, fetchSingleComposioServer, flushTraces, formatMessagesForLLM, formatMessagesForLLMContext, generateApiKey, generateId, generateInternalServiceToken, generateServiceToken, getComposioOAuthRedirectUrl, getComposioUserId, getConversationId, getCredentialStoreLookupKeyFromRetrievalParams, getInProcessFetch, getJwtSecret, getLogger, getMetadataFromApiKey, getTracer, getWaitUntil, handleApiError, hasIssuer, hashApiKey, hashAuthenticationHeaders, hashTriggerHeaderValue, initiateMcpOAuthFlow, interpolateTemplate, isApiKeyExpired, isComposioMCPServerAuthenticated, isInternalServiceToken, isSlackUserToken, isThirdPartyMCPServerAuthenticated, isZodSchema, loggerFactory, maskApiKey, normalizeDateString, parseEmbeddedJson, parseSSEResponse, preview, problemDetailsSchema, registerAppFetch, setSpanWithError, signJwt, signSlackLinkToken, signSlackUserToken, signTempToken, toISODateString, unwrapError, validateApiKey, validateInternalServiceProjectAccess, validateInternalServiceTenantAccess, validateTargetAgent, validateTenantId, validateTriggerHeaderValue, verifyAuthorizationHeader, verifyInternalServiceAuthHeader, verifyInternalServiceToken, verifyJwt, verifyServiceToken, verifySignatureWithConfig, verifySlackLinkToken, verifySlackUserToken, verifyTempToken, verifyTriggerAuth };

package/dist/utils/index.js

@@ -9,6 +9,7 @@ import { extractPublicId, generateApiKey, getMetadataFromApiKey, hashApiKey, isA
 import { normalizeDateString, toISODateString } from "./date.js";
 import { ERROR_DOCS_BASE_URL, ErrorCode, commonCreateErrorResponses, commonDeleteErrorResponses, commonGetErrorResponses, commonUpdateErrorResponses, createApiError, errorResponseSchema, errorSchemaFactory, handleApiError, problemDetailsSchema } from "./error.js";
 import { formatMessagesForLLM, formatMessagesForLLMContext } from "./format-messages.js";
+import { getInProcessFetch, registerAppFetch } from "./in-process-fetch.js";
 import { JsonTransformer } from "./JsonTransformer.js";
 import { parseEmbeddedJson } from "./json-parser.js";
 import { McpClient } from "./mcp-client.js";
@@ -27,4 +28,4 @@ import { flushTraces, getTracer, setSpanWithError, unwrapError } from "./tracer-
 import { hashAuthenticationHeaders, hashTriggerHeaderValue, validateTriggerHeaderValue, verifySignatureWithConfig, verifyTriggerAuth } from "./trigger-auth.js";
 import { _resetWaitUntilCache, getWaitUntil } from "./wait-until.js";
 
-export { ERROR_DOCS_BASE_URL, ErrorCode, InternalServices, JsonTransformer, McpClient, MockLanguageModel, ModelFactory, PinoLogger, SlackAccessTokenPayloadSchema, SlackLinkTokenPayloadSchema, _resetWaitUntilCache, buildComposioMCPUrl, commonCreateErrorResponses, commonDeleteErrorResponses, commonGetErrorResponses, commonUpdateErrorResponses, convertZodToJsonSchema, convertZodToJsonSchemaWithPreview, createApiError, createMockModel, decodeJwtPayload, detectAuthenticationRequired, errorResponseSchema, errorSchemaFactory, exchangeMcpAuthorizationCode, extractBearerToken, extractComposioServerId, extractPreviewFields, extractPublicId, fetchComposioServers, fetchSingleComposioServer, flushTraces, formatMessagesForLLM, formatMessagesForLLMContext, generateApiKey, generateId, generateInternalServiceToken, generateServiceToken, getComposioOAuthRedirectUrl, getComposioUserId, getConversationId, getCredentialStoreLookupKeyFromRetrievalParams, getJwtSecret, getLogger, getMetadataFromApiKey, getTracer, getWaitUntil, handleApiError, hasIssuer, hashApiKey, hashAuthenticationHeaders, hashTriggerHeaderValue, initiateMcpOAuthFlow, interpolateTemplate, isApiKeyExpired, isComposioMCPServerAuthenticated, isInternalServiceToken, isSlackUserToken, isThirdPartyMCPServerAuthenticated, isZodSchema, loggerFactory, maskApiKey, normalizeDateString, parseEmbeddedJson, parseSSEResponse, preview, problemDetailsSchema, setSpanWithError, signJwt, signSlackLinkToken, signSlackUserToken, signTempToken, toISODateString, unwrapError, validateApiKey, validateInternalServiceProjectAccess, validateInternalServiceTenantAccess, validateTargetAgent, validateTenantId, validateTriggerHeaderValue, verifyAuthorizationHeader, verifyInternalServiceAuthHeader, verifyInternalServiceToken, verifyJwt, verifyServiceToken, verifySignatureWithConfig, verifySlackLinkToken, verifySlackUserToken, verifyTempToken, verifyTriggerAuth };
+export { ERROR_DOCS_BASE_URL, ErrorCode, InternalServices, JsonTransformer, McpClient, MockLanguageModel, ModelFactory, PinoLogger, SlackAccessTokenPayloadSchema, SlackLinkTokenPayloadSchema, _resetWaitUntilCache, buildComposioMCPUrl, commonCreateErrorResponses, commonDeleteErrorResponses, commonGetErrorResponses, commonUpdateErrorResponses, convertZodToJsonSchema, convertZodToJsonSchemaWithPreview, createApiError, createMockModel, decodeJwtPayload, detectAuthenticationRequired, errorResponseSchema, errorSchemaFactory, exchangeMcpAuthorizationCode, extractBearerToken, extractComposioServerId, extractPreviewFields, extractPublicId, fetchComposioServers, fetchSingleComposioServer, flushTraces, formatMessagesForLLM, formatMessagesForLLMContext, generateApiKey, generateId, generateInternalServiceToken, generateServiceToken, getComposioOAuthRedirectUrl, getComposioUserId, getConversationId, getCredentialStoreLookupKeyFromRetrievalParams, getInProcessFetch, getJwtSecret, getLogger, getMetadataFromApiKey, getTracer, getWaitUntil, handleApiError, hasIssuer, hashApiKey, hashAuthenticationHeaders, hashTriggerHeaderValue, initiateMcpOAuthFlow, interpolateTemplate, isApiKeyExpired, isComposioMCPServerAuthenticated, isInternalServiceToken, isSlackUserToken, isThirdPartyMCPServerAuthenticated, isZodSchema, loggerFactory, maskApiKey, normalizeDateString, parseEmbeddedJson, parseSSEResponse, preview, problemDetailsSchema, registerAppFetch, setSpanWithError, signJwt, signSlackLinkToken, signSlackUserToken, signTempToken, toISODateString, unwrapError, validateApiKey, validateInternalServiceProjectAccess, validateInternalServiceTenantAccess, validateTargetAgent, validateTenantId, validateTriggerHeaderValue, verifyAuthorizationHeader, verifyInternalServiceAuthHeader, verifyInternalServiceToken, verifyJwt, verifyServiceToken, verifySignatureWithConfig, verifySlackLinkToken, verifySlackUserToken, verifyTempToken, verifyTriggerAuth };

package/dist/validation/drizzle-schema-helpers.d.ts

@@ -1,10 +1,10 @@
 import { z } from "@hono/zod-openapi";
-import * as drizzle_zod0 from "drizzle-zod";
+import * as drizzle_zod361 from "drizzle-zod";
 import { AnySQLiteTable } from "drizzle-orm/sqlite-core";
 
 //#region src/validation/drizzle-schema-helpers.d.ts
-declare function createSelectSchemaWithModifiers<T extends AnySQLiteTable>(table: T, overrides?: Partial<Record<keyof T['_']['columns'], (schema: z.ZodTypeAny) => z.ZodTypeAny>>): drizzle_zod0.BuildSchema<"select", T["_"]["columns"], drizzle_zod0.BuildRefine<T["_"]["columns"], undefined>, undefined>;
-declare function createInsertSchemaWithModifiers<T extends AnySQLiteTable>(table: T, overrides?: Partial<Record<keyof T['_']['columns'], (schema: z.ZodTypeAny) => z.ZodTypeAny>>): drizzle_zod0.BuildSchema<"insert", T["_"]["columns"], drizzle_zod0.BuildRefine<Pick<T["_"]["columns"], keyof T["$inferInsert"]>, undefined>, undefined>;
+declare function createSelectSchemaWithModifiers<T extends AnySQLiteTable>(table: T, overrides?: Partial<Record<keyof T['_']['columns'], (schema: z.ZodTypeAny) => z.ZodTypeAny>>): drizzle_zod361.BuildSchema<"select", T["_"]["columns"], drizzle_zod361.BuildRefine<T["_"]["columns"], undefined>, undefined>;
+declare function createInsertSchemaWithModifiers<T extends AnySQLiteTable>(table: T, overrides?: Partial<Record<keyof T['_']['columns'], (schema: z.ZodTypeAny) => z.ZodTypeAny>>): drizzle_zod361.BuildSchema<"insert", T["_"]["columns"], drizzle_zod361.BuildRefine<Pick<T["_"]["columns"], keyof T["$inferInsert"]>, undefined>, undefined>;
 declare const createSelectSchema: typeof createSelectSchemaWithModifiers;
 declare const createInsertSchema: typeof createInsertSchemaWithModifiers;
 /**